
Formalizing and Analyzing the Needham-Schroeder Symmetric-Key - PowerPoint PPT Presentation



1. Formalizing and Analyzing the Needham-Schroeder Symmetric-Key Protocol by Rewriting
Monica Nesi, Giuseppina Rucci
Dipartimento di Informatica, Università di L'Aquila (Italy)
ARSPA’05 – p.1

2. Protocol Verification
• Aim: formally prove properties of security protocols (e.g. authentication, secrecy or confidentiality, freshness, ...)
• Rewriting techniques and strategies
• Case studies:
  • the Needham-Schroeder Public-Key protocol (NSPK)
  • the Needham-Schroeder Symmetric-Key protocol (NSSK)

3. Related Work
• Model checking
  • FDR (Lowe 1996)
  • Murphi (Mitchell-Mitchell-Stern 1997)
  • ...
• Theorem proving
  • NRL (Meadows 1996)
  • Isabelle (Paulson 1997, 1998, ...)
  • SPASS (Weidenbach 1999)
  • ...

4. Related Work
• Rewriting techniques and strategies
  • ELAN (Cirstea 2001)
  • Maude (Denker-Meseguer-Talcott 1998)
  • CASRUL (Jacquemard-Rusinowitch-Vigneron 2000)
  • ...
• Rewriting + abstract interpretation (Monniaux 1999)

5. Related Work
• Rewriting + tree automata in Timbuk (Genet-Viet Triem Tong 2001)
• Combination of different approaches
  • the combination of Genet-Klay's approximation technique and Paulson's inductive method (Oehl-Sinclair 2001, 2002)
  • AVISPA project

6. Outline of the Talk
• The approximation technique by Genet and Klay
• The formalization for NSSK (insecure version) through rewrite systems and tree automata
• The basic ingredients of the rewriting strategy

7. Outline of the Talk
• The rewriting strategy and its properties
• A verification example: authentication attacks in insecure NSSK
• Conclusions + current and future work

8. Approximation Technique
Aim: finding that there are no attacks on a protocol (Genet-Klay 2000).
• The protocol is operationally specified by a TRS R.
• The initial set E of communication requests and an intruder's initial knowledge are described through a tree automaton A such that L(A) ⊇ E.

9. Approximation Technique
• The property p to be proved is given through a tree automaton A_p that models the negation of p.
• The approximation technique builds an over-approximation of the set R*(E) of all R-descendants of the set E.
• Result: an approximation automaton T_R↑(A) such that L(T_R↑(A)) ⊇ R*(E).

10. Approximation Technique
A finite number of tree automata A_i = ⟨F, Q, Q_f, Δ_i⟩ is built as follows:
1. A_0 = A;
2. A_{i+1} is constructed from A_i by computing a critical pair between a rule in R and the transitions in Δ_i. The rule derived from the critical pair is a new transition that is normalized using an approximation function γ and then added to Δ_i, thus yielding Δ_{i+1}. It follows that L(A_i) ⊂ L(A_{i+1}).

11. Approximation Technique
Step 2 is repeated until an automaton A_k is obtained such that L(A_k) ⊇ R*(L(A_0)), i.e. L(A_k) ⊇ R*(E).
• Quality of the approximation depends on γ.
• Reachability properties on R and E are proved by checking whether L(T_R↑(A)) ∩ L(A_p) = ∅. Empty intersection means that property p is satisfied.

12. Our Approach
As in Genet-Klay's approximation technique,
• the protocol is operationally specified by a TRS R
• the intruder's initial knowledge is described through a tree automaton A
The approximation technique is a particular completion process using an approximation function.

13. Our Approach
• Aim: prove or disprove properties.
• No approximation function.
• Idea: a rewriting strategy simulating the critical pairs computed in the completion process in a bottom-up manner.
• Based on a rewriting strategy for dealing with the divergence of completion (Inverardi-Nesi 1992, 1996).

14. The NSSK Protocol
Given agents A and B and a server S, the NSSK protocol can be described as follows:
1. A → S : A, B, N_A
2. S → A : {N_A, B, K_AB, {K_AB, A}_{K_BS}}_{K_AS}
3. A → B : {K_AB, A}_{K_BS}
4. B → A : {N_B}_{K_AB}
5. A → B : {N_B − 1}_{K_AB}
Insecure version!

15. The NSSK Protocol
Authentication attack (Denning-Sacco 1981):
Hp: an intruder has recorded session (i), and the key K'_AB created in session (i) has been compromised and is known to the intruder. Session (ii) can develop as follows:
ii.1. A → S : A, B, N_A
ii.2. S → A : {N_A, B, K_AB, {K_AB, A}_{K_BS}}_{K_AS}
ii.3. I(A) → B : {K'_AB, A}_{K_BS}
ii.4. B → I(A) : {N_B}_{K'_AB}
ii.5. I(A) → B : {N_B − 1}_{K'_AB}

16. Formalizing the Protocol
A protocol is formalized through a rewrite system R = R_P ∪ R_I, where
• R_P describes the steps of the protocol and the properties to be verified,
• R_I defines an intruder's ability of decomposing and decrypting messages.

17. A TRS R_P for NSSK
(1) goal(agt(a), agt(b), r(j))
    → mesg(agt(a), serv(S), cons(N(agt(a), serv(S), r(j)), cons(agt(a), agt(b))), r(j))
(2) mesg(a2, a3, cons(N(agt(a), serv(S), r(j)), cons(agt(a), agt(b))), r(j))
    → mesg(serv(S), agt(a), encr(ltk(agt(a), serv(S)), serv(S), cons(N(agt(a), serv(S), r(j)), cons(agt(b), cons(sk(agt(a), agt(b), r(j)), encr(ltk(agt(b), serv(S)), serv(S), cons(sk(agt(a), agt(b), r(j)), agt(a))))))), r(j))

18. A TRS R_P for NSSK
(3) mesg(a4, a5, encr(ltk(agt(a), serv(S)), a3, cons(N(agt(a), serv(S), r(j)), cons(agt(b), cons(sk(agt(a), agt(b), r(i1)), encr(ltk(agt(b), serv(S)), a1, cons(sk(agt(a), agt(b), r(i2)), agt(a))))))), r(j))
    → mesg(agt(a), agt(b), encr(ltk(agt(b), serv(S)), a1, cons(sk(agt(a), agt(b), r(i2)), agt(a))), r(j))

19. A TRS R_P for NSSK
(4) mesg(a6, a7, encr(ltk(agt(b), serv(S)), a5, cons(sk(agt(a), agt(b), r(i)), agt(a))), r(j))
    → mesg(a7, a6, encr(sk(agt(a), agt(b), r(i)), a7, N(agt(b), agt(a), r(j))), r(j))
(5) mesg(a8, a6, encr(sk(agt(a), agt(b), r(i)), a7, N(agt(b), agt(a), r(j))), r(j))
    → mesg(a6, a8, encr(sk(agt(a), agt(b), r(i)), a6, N(agt(b), agt(a), r(j))), r(j))

20. A TRS R_P for NSSK
(6) mesg(a8, a6, encr(sk(agt(a), agt(b), r(i)), a7, N(agt(b), agt(a), r(j))), r(j))
    → c_init(agt(a), agt(b), a7, r(j))
(7) mesg(a10, a6, encr(sk(agt(a), agt(b), r(i)), a9, N(agt(b), agt(a), r(j))), r(j))
    → c_resp(agt(b), agt(a), a9, r(j))

21. A TRS R_I for NSSK
(8)  cons(x, y) → x
(9)  cons(x, y) → y
(10) encr(sk(agt(0), agt(x), w), y, z) → z
(11) encr(sk(agt(x), agt(0), w), y, z) → z
(12) encr(sk(agt(s(x1)), agt(x), w), y, z) → z
(13) encr(sk(agt(x), agt(s(x1)), w), y, z) → z
(14) encr(ltk(agt(0), serv(S)), y, z) → z
(15) encr(ltk(agt(s(x1)), serv(S)), y, z) → z
(16) mesg(x, y, z, w) → z
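The intruder rules R_I of slide 21, run as a rewriting closure over a recorded message. This is an added example, not the authors' code: the nested-tuple term encoding, the top-level-only rewriting and the sample messages (a session-(i) reply, and a contrasting reply encrypted under an intruder's long-term key) are my own assumptions.

```python
# Intruder rules (8)-(16) of slide 21 run as a rewriting closure (added example, not the
# authors' code). Terms are nested tuples ('sym', arg, ...); bare strings in a rule are variables.
R_I = [
    (('cons', 'x', 'y'), 'x'),                                                   # (8)
    (('cons', 'x', 'y'), 'y'),                                                   # (9)
    (('encr', ('sk', ('agt', ('0',)), ('agt', 'x'), 'w'), 'y', 'z'), 'z'),       # (10)
    (('encr', ('sk', ('agt', 'x'), ('agt', ('0',)), 'w'), 'y', 'z'), 'z'),       # (11)
    (('encr', ('sk', ('agt', ('s', 'x1')), ('agt', 'x'), 'w'), 'y', 'z'), 'z'),  # (12)
    (('encr', ('sk', ('agt', 'x'), ('agt', ('s', 'x1')), 'w'), 'y', 'z'), 'z'),  # (13)
    (('encr', ('ltk', ('agt', ('0',)), ('serv', ('S',))), 'y', 'z'), 'z'),       # (14)
    (('encr', ('ltk', ('agt', ('s', 'x1')), ('serv', ('S',))), 'y', 'z'), 'z'),  # (15)
    (('mesg', 'x', 'y', 'z', 'w'), 'z'),                                         # (16)
]
def match(pattern, term, subst):
    """Syntactic matching of a rule pattern against a ground term; extends subst or returns None."""
    if isinstance(pattern, str):                     # variable: bind it, or check consistency
        return subst if subst.setdefault(pattern, term) == term else None
    if pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        if match(p, t, subst) is None:
            return None
    return subst

def reducts(term):
    """Terms obtained from term by one top-level application of an R_I rule."""
    out = set()
    for lhs, rhs in R_I:
        subst = match(lhs, term, {})
        if subst is not None:
            out.add(subst[rhs])                      # every right-hand side of R_I is a variable
    return out

def intruder_closure(term):
    """Every subterm the intruder can extract from term with rules (8)-(16) alone.
    Top-level rewriting is enough here, since each rule projects out a direct subterm."""
    seen, todo = set(), [term]
    while todo:
        t = todo.pop()
        if t not in seen:
            seen.add(t)
            todo.extend(reducts(t))
    return seen
# Constructed sample: the step-2 reply S -> A of session (i), with K_AB modelled as
# sk(agt(A), agt(B), r(0)). Rule (16) yields the ciphertext, but (14)/(15) match only the
# long-term keys of intruder agents agt(0) and agt(s(x1)), so K_AB is never extracted.
A, B, S, R0 = ('agt', ('A',)), ('agt', ('B',)), ('serv', ('S',)), ('r', ('0',))
K_AB = ('sk', A, B, R0)
TICKET = ('encr', ('ltk', B, S), S, ('cons', K_AB, A))
REPLY = ('mesg', S, A, ('encr', ('ltk', A, S), S,
         ('cons', ('N', A, S, R0), ('cons', B, ('cons', K_AB, TICKET)))), R0)
LEAKED = ('mesg', S, ('agt', ('0',)), ('encr', ('ltk', ('agt', ('0',)), S), S, ('cons', K_AB, A)), R0)
```

The closure of REPLY contains only the message and its outer ciphertext, whereas LEAKED, sealed under an intruder's long-term key, gives up K_AB through rules (16), (14) and (8).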

22. The Intruder's Knowledge
A tree automaton A = ⟨F, Q, Q_f, Δ⟩, where Q_f = {q_f} and Δ is as follows:
0 → q_int
s(q_int) → q_int
agt(q_int) → q_agtI
0 → q_0
s(q_0) → q_1
r(q_0) → q_r0
r(q_1) → q_r1
A → q_A
agt(q_A) → q_agtA
B → q_B
agt(q_B) → q_agtB
S → q_S
serv(q_S) → q_serv

23. The Intruder's Knowledge
communication requests
goal(q_agtA, q_agtB, q_f) → q_f
goal(q_agtA, q_agtA, q_f) → q_f
goal(q_agtB, q_agtA, q_f) → q_f
goal(q_agtB, q_agtB, q_f) → q_f
goal(q_agtA, q_agtI, q_f) → q_f
goal(q_agtI, q_agtA, q_f) → q_f
goal(q_agtB, q_agtI, q_f) → q_f
goal(q_agtI, q_agtB, q_f) → q_f
goal(q_agtI, q_agtI, q_f) → q_f

24. The Intruder's Knowledge
intruder's initial knowledge
agt(q_int) → q_f
agt(q_A) → q_f
agt(q_B) → q_f
serv(q_S) → q_f
r(q_0) → q_f
r(q_1) → q_f
sk(q_agtI, q_agtI, q_f) → q_f
sk(q_agtI, q_agtA, q_f) → q_f
sk(q_agtI, q_agtB, q_f) → q_f
ltk(q_agtI, q_serv) → q_f

25. The Intruder's Knowledge
intruder's initial knowledge
mesg(q_f, q_f, q_f, q_f) → q_f
cons(q_f, q_f) → q_f
encr(q_f, q_agtI, q_f) → q_f
N(q_agtI, q_agtI, q_f) → q_f
N(q_agtI, q_agtA, q_f) → q_f
N(q_agtI, q_agtB, q_f) → q_f
N(q_agtI, q_serv, q_f) → q_f

26. Strategy: Basic Ingredients
• Simulation of critical pairs through a bottom-up strategy
• Expansion of terms
• Well-formedness of terms (to ensure termination of the expansion process)
• Recognizability by the intruder
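The last ingredient, recognizability by the intruder, checked bottom-up against the tree automaton A of slides 22-25. This is an added example, not the authors' code: the nested-tuple term encoding, the state names and the sample terms are my own assumptions, with the transitions copied from the slides.

```python
# Bottom-up membership check for the intruder-knowledge tree automaton A of slides 22-25
# (added example, not the authors' code). Terms are nested tuples ('sym', arg, ...).
from itertools import product

TRANSITIONS = {}                      # (symbol, (q1, ..., qn)) -> set of target states

def add(symbol, args, target):
    TRANSITIONS.setdefault((symbol, tuple(args)), set()).add(target)

# Slide 22: intruder agents are naturals 0, s(0), ...; honest agents A, B; server S;
# session numbers r(0), r(s(0)). Note that 0 is read both as q_int and as q_0.
add('0', [], 'q_int'); add('s', ['q_int'], 'q_int'); add('agt', ['q_int'], 'q_agtI')
add('0', [], 'q_0'); add('s', ['q_0'], 'q_1'); add('r', ['q_0'], 'q_r0'); add('r', ['q_1'], 'q_r1')
add('A', [], 'q_A'); add('agt', ['q_A'], 'q_agtA')
add('B', [], 'q_B'); add('agt', ['q_B'], 'q_agtB')
add('S', [], 'q_S'); add('serv', ['q_S'], 'q_serv')
# Slide 23: a communication request goal(x, y, r) for every pair of agents.
for x, y in product(['q_agtA', 'q_agtB', 'q_agtI'], repeat=2):
    add('goal', [x, y, 'q_f'], 'q_f')
# Slides 24-25: the intruder's initial knowledge, all accepted in the final state q_f.
for a in ['q_int', 'q_A', 'q_B']:
    add('agt', [a], 'q_f')
add('serv', ['q_S'], 'q_f'); add('r', ['q_0'], 'q_f'); add('r', ['q_1'], 'q_f')
for a in ['q_agtI', 'q_agtA', 'q_agtB']:
    add('sk', ['q_agtI', a, 'q_f'], 'q_f')       # only session keys the intruder is party to
    add('N', ['q_agtI', a, 'q_f'], 'q_f')        # only nonces the intruder created
add('N', ['q_agtI', 'q_serv', 'q_f'], 'q_f'); add('ltk', ['q_agtI', 'q_serv'], 'q_f')
add('mesg', ['q_f'] * 4, 'q_f'); add('cons', ['q_f', 'q_f'], 'q_f')
add('encr', ['q_f', 'q_agtI', 'q_f'], 'q_f')    # the intruder encrypts only under known keys

def states(term):
    """States reached bottom-up on term; a set, since the automaton is nondeterministic."""
    symbol, *args = term
    reached = set()
    for combo in product(*(states(a) for a in args)):
        reached |= TRANSITIONS.get((symbol, combo), set())
    return reached

def intruder_knows(term):
    """True iff term is in L(A): the intruder can build it from the initial knowledge."""
    return 'q_f' in states(term)

# Constructed sample terms in the protocol's syntax.
A, B, S, I = ('agt', ('A',)), ('agt', ('B',)), ('serv', ('S',)), ('agt', ('0',))
R0 = ('r', ('0',))
STEP1_FROM_I = ('mesg', I, S, ('cons', ('N', I, S, R0), ('cons', I, B)), R0)   # I -> S: I, B, N_I
K_AB = ('sk', A, B, R0)                                                      # honest session key
```

The intruder can forge a step-1 request in its own name, but neither the honest session key K_AB nor a nonce N(agt(A), serv(S), r(0)) generated by A is in L(A).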
