Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protocol Verification by the Inductive Method John Mitchell CS 259.

Published byFelix Baldwin Modified over 9 years ago

Similar presentations

Presentation on theme: "Protocol Verification by the Inductive Method John Mitchell CS 259."— Presentation transcript:

1 Protocol Verification by the Inductive Method John Mitchell CS 259

2 Analysis Techniques Crypto Protocol Analysis Formal ModelsComputational Models Modal LogicsModel Checking Inductive Proofs Dolev-Yao (perfect cryptography) Random oracle Probabilistic process calculi Probabilistic I/O automata … Finite processes, finite attacker Process Calculi … Finite processes, infinite attacker Spi-calculusBAN logic

3 Recall: protocol state space uParticipant + attacker actions define a state transition graph uA path in the graph is a trace of the protocol uGraph can be Finite if we limit number of agents, size of message, etc. Infinite otherwise...

4 Analysis using theorem proving uCorrectness instead of bugs Use higher-order logic to reason about possible protocol executions uNo finite bounds Any number of interleaved runs Algebraic theory of messages No restrictions on attacker uMechanized proofs Automated tools can fill in parts of proofs Proof checking can prevent errors in reasoning [Paulson]

5 Inductive proofs uDefine set of traces Given protocol, a trace is one possible sequence of events, including attacks uProve correctness by induction For every state in every trace, no security condition fails –Works for safety properties only Proof by induction on the length of trace

6 Two forms of induction uUsual form for  n  Nat. P(n) Base case: P(0) Induction step: P(x)  P(x+1) Conclusion:  n  Nat. P(n) uMinimial counterexample form Assume:  x [  P(x)   y<x. P(y) ] Prove: contraction Conclusion:  n  Nat. P(n) Both equivalent to “the natural numbers are well-ordered”

7 Use second form uGiven set of traces Choose shortest sequence to bad state Assume all steps before that OK Derive contradiction –Consider all possible steps All states are goodBad state

8 Sample Protocol Goals uAuthenticity: who sent it? Fails if A receives message from B but thinks it is from C u Integrity: has it been altered? Fails if A receives message from B but message is not what B sent u Secrecy: who can receive it? Fails if attacker knows message that should be secret u Anonymity Fails if attacker or B knows action done by A These are all safety properties

9 Inductive Method in a Nutshell Attacker inference rules Abstract trace model Informal Protocol Description Theorem is correct Try to prove the theorem Correctness theorem about traces same for all protocols!

10 Work by Larry Paulson uIsabelle theorem prover General tool; protocol work since 1997 uPapers describing method uMany case studies Verification of SET protocol (6 papers) Kerberos (3 papers) TLS protocol Yahalom protocol, smart cards, etc http://www.cl.cam.ac.uk/users/lcp/papers/protocols.html Stanford Phd 1981

11

12 Isabelle uAutomated support for proof development Higher-order logic Serves as a logical framework Supports ZF set theory & HOL Generic treatment of inference rules uPowerful simplifier & classical reasoner uStrong support for inductive definitions

13 Agents and Messages agent A,B,…=Server | Friend i | Spy msg X,Y,…=Agent A |Nonce N |Key K |{ X, Y } |Crypt X K Typed, free term algebra, …

14 Protocol semantics uTraces of events: A sends X to B uOperational model of agents uAlgebraic theory of messages (derived) uA general attacker uProofs mechanized using Isabelle/HOL

15 Define sets inductively uTraces Set of sequences of events Inductive definition involves implications if ev 1, …, ev n  evs, then add ev’ to evs uInformation from a set of messages parts H : parts of messages in H analz H : information derivable from H synth H : msgs constructible from H

16 Protocol events in trace uSeveral forms of events A sends B message X A receives X A stores X If ev is a trace and Na is unused, add Says A B Crypt(pk B){A,Na} AB {A,N A } pk(B) BA {N B,N A } pk(A) If Says A’ B Crypt(pk B){A,X}  ev and Nb is unused, add Says B A Crypt(pk A){Nb,X} AB {N B } pk(B) If Says...{X,Na}...  ev, add Says A B Crypt(pk B){X}

17 Dolev-Yao Attacker Model uAttacker is a nondeterministic process uAttacker can Intercept any message, decompose into parts Decrypt if it knows the correct key Create new message from data it has observed uAttacker cannot Gain partial knowledge Perform statistical tests Stage timing attacks, …

18 Attacker Capabilities: Analysis X  H  X  analz H {X,Y}  analz H  X  analz H {X,Y}  analz H  Y  analz H Crypt X K  analz H & K -1  analz H  X  analz H analz H is what attacker can learn from H

19 Attacker Capabilities: Synthesis X  H  X  synth H X  synth H & Y  synth H  {X,Y}  synth H X  synth H & K  synth H  Crypt X K  synth H synth H is what attacker can create from H infinite set!

20 Equations and implications analz(analz H) = analz H synth(synth H) = synth H analz(synth H) = analz H  synth H synth(analz H) = ??? Nonce N  synth H  Nonce N  H Crypt K X  synth H  Crypt K X  H or X  synth H & K  H

21 Attacker and correctness conditions If X  synth(analz(spies evs)), add Says Spy B X X is not secret because attacker can construct it from the parts it learned from events If Says B A {N b,X} pk(A)  evs & Says A’ B {N b } pk(B)  evs, Then Says A B {N b } pk(B)  evs If B thinks he’s talking to A, then A must think she’s talking to B

22 Secure Electronic Transactions (SET) uCardholders and Merchants register uThey receive electronic credentials Proof of identity Evidence of trustworthiness uPayment goes via the parties’ banks Merchants don’t need card details Bank does not see what you buy Isabelle verification by Larry Paulson, Giampaolo Bella, and Fabio Massacci

23 Root CA (SET Co) Geo-Political CA (optional) (only for VISA) Brand CA (MasterCard, Visa) Merchant CA (Banesto) Cardholder CA (Banesto) Cardholder Payment Gateway CA ( MasterCard, Banesto in VISA) Merchant Payment Gateway SET Certificate Hierarchy SOURCE: INZA.COMINZA.COM

24 Dual Signatures (idea used in SET) uLink two messages sent to different receivers uEach receiver can only read one message Alice checks (message1, digest2, dual sig) Bob checks (message2, digest1, dual sig) MESSAGE 1 DIGEST 1 NEW DIGEST HASH 1 & 2 WITH SHA MESSAGE 2 DIGEST 2 CONCATENATE DIGESTS TOGETHER HASH WITH SHA TO CREATE NEW DIGEST DUAL SIGNATURE PRIVATE KEY SIGN NEW DIGEST WITH SIGNER’S PRIVATE KEY

25 Verifying the SET Protocols uSeveral sub-protocols uComplex cryptographic primitives uMany types of principals Cardholder, Merchant, Payment Gateway, CAs uDual signatures: partial sharing of secrets u1000 pages of specification and description uThe upper limit of realistic verification

26 SET terminology uIssuer cardholder’s bank uAcquirer merchant’s bank uPayment gateway pays the merchant uCertificate authority (CA) issues electronic credentials uTrust hierarchy top CAs certify others

27 Players Issuing Bank Issues card Extends credit Assumes risk of card Cardholder reporting Card Associations Merchant Merchant Bank (Acquirer) Sets up merchant Extends credit Assumes risk of merchant Funds merchant Consumer Processor SOURCE: Michael I Shamos

28 1. Customer pays with card card swiped mag data read (get signature) 5. Merchant stores authorizations and sales conducted captures sales (at end of day) submits batch for funding Authorizations Batch Settlement 2.Card Authorization via dial, lease line, satellite 3. Acquiring Bank’s Processor direct connections to MC /VI obtains authorization from Issuer returns response to merchant five digit number that must be stored 6. Acquiring Bank / Processor scans settlement file verifies authorizations match captured data prepares file for MC/VI prepares funding file records txs for reporting 4. Issuing Bank / Processor receives auth request verifies available funds places hold on funds 7. Issuing Bank / Processor receives settlement file from MC / VI funds MC / VI matches txs to auths post txs to cardholder records transactions for reporting 8. MC / VI debit issuers / credit acquirers 9. Acquiring Bank funds merchant SOURCE: Michael I Shamos

29 SET Documentation uBusiness Description General overview 72 pages uProgrammer’s Guide Message formats & English description of actions 619 pages uFormal Protocol Definition Message formats & the equivalent ASN.1 definitions 254 pages Total: 945 pages

30 The 5 sub-protocols of SET uCardholder registration uMerchant registration uPurchase request uPayment authorization uPayment capture Will look at these two briefly

31 Cardholder Registration uTwo parties Cardholder C Certificate authority CA uC delivers credit card number uC completes registration form Inserts security details Discloses his public signature key uOutcomes C’s bank can vet the registration CA associates C’s signing key with card details

32 SET messages

33 Message 5 in Isabelle

34 Secrecy of Session Keys uThree keys, created for digital envelopes Dependency: one key protects another Main theorem on this dependency relation Generalizes an approach used for simpler protocols (Yahalom) uSimilarly, prove secrecy of Nonces

35 Purchase Phase

36 Use SET Dual Signature u3-way agreement with partial knowledge Cardholder shares Order Information (OI) only with Merchant Cardholder shares Payment Information (PI) only with Payment Gateway uCardholder signs hashes of OI, PI uNon-repudiation All parties sign messages

37 Messages

38 The Purchase Request message

39 Complications in SET proofs uMassive redundancy Caused by hashing and dual signature E.g. 9 copies of “purchase amount” in one message! uMulti-page subgoals uInsufficient redundancy (no explicitness), failure of one agreement property uMany digital envelopes

40 Inductive Method: Pros & Cons uAdvantages Reason about infinite runs, message spaces Trace model close to protocol specification Can “prove” protocol correct uDisadvantages Does not always give an answer Failure does not always yield an attack Still trace-based properties only Labor intensive –Must be comfortable with higher-order logic

41 Caveat uQuote from Paulson (J Computer Security, 2000) The Inductive Approach to Verifying Cryptographic Protocols The attack on the recursive protocol [40] is a sobering reminder of the limitations of formal methods… Making the model more detailed makes reasoning harder and, eventually, infeasible. A compositional approach seems necessary uReference [40] P.Y.A. Ryan and S.A. Schneider, An attack on a recursive authentication protocol: A cautionary tale. Information Processing Letters 65, 1 (January 1998) pp 7 – 10.

42

Download ppt "Protocol Verification by the Inductive Method John Mitchell CS 259."

Similar presentations

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Cryptography and Network Security

Cryptography and Network Security
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.

Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.

Department of Information Engineering1 Major Concerns in Electronic Commerce Authentication –there must be proof of identity of the parties in an electronic.
Computer Security Key Management. Introduction We distinguish between a session key and a interchange key ( long term key ). The session key is associated.

Computer Security Key Management. Introduction We distinguish between a session key and a interchange key ( long term key ). The session key is associated.
Computer Security Key Management

Computer Security Key Management
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
Protocol Verification by the Inductive Method John Mitchell Stanford TECS Week2005.

Protocol Verification by the Inductive Method John Mitchell Stanford TECS Week2005.
Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,

Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Chapter 8 Web Security.

Chapter 8 Web Security.
Inductive Verification of Protocols Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Inductive Verification of Protocols Anupam Datta CMU Fall A: Foundations of Security and Privacy.
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part II.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 4 Data Authentication Part II.
Secure Electronic Transactions (SET). SET SET is an encryption and security specification designed to protect credit card transactions on the Internet.

Secure Electronic Transactions (SET). SET SET is an encryption and security specification designed to protect credit card transactions on the Internet.

Similar presentations

Ads by Google