Models and proofs for security protocols eronique Cortier 1 V 1 - - PowerPoint PPT Presentation

▶

Oct 13, 2023 25 likes •300 views

Terms Intruder Decidability Models and proofs for security protocols eronique Cortier 1 V 1 LORIA, CNRS - INRIA Cassis project, Universit e de Lorraine 1/13 Terms Intruder Decidability Messages Messages are abstracted by terms. Agents

SLIDE 1

Terms Intruder Decidability

Models and proofs for security protocols

V´ eronique Cortier1

1LORIA, CNRS - INRIA Cassis project, Universit´

e de Lorraine

1/13

SLIDE 2

Terms Intruder Decidability

Messages

Messages are abstracted by terms. Agents : a, b, . . . Nonces : n1, n2, . . . Keys : k1, k2, . . Cyphertext : enc(m, k) Concatenation : pair(m1, m2) Example : The message {A, Na}K is represented by : enc(pair(A, Na), K)

{}

A Na

Intuition : only the structure of the message is kept.

2/13

SLIDE 3

Terms Intruder Decidability

More formally - Signature

Definition (Signature) A signature is a couple (F, arity) where F is a finite set of function symbols and arity : F → N associates an arity to each symbol. Symbols of arity 0 are called constants.

3/13

SLIDE 4

Terms Intruder Decidability

More formally - Signature

Definition (Signature) A signature is a couple (F, arity) where F is a finite set of function symbols and arity : F → N associates an arity to each symbol. Symbols of arity 0 are called constants. Example : F = {enc; pair; a; k; n1; n2} with arity(enc) = 2 arity(pair) = 2 arity(a) = arity(k) = arity(n1) = arity(n2) = We may write t1, t2 instead of pair(t1, t2).

3/13

SLIDE 5

Terms Intruder Decidability

More formally - Terms

Given a signature F of symbols with an arity e.g. {enc; pair; a; k; n1; n2} and a set X of variables, the set of terms T(F, X) is inductively defined as follows : constants terms (e.g. a, k, n1, n2) are terms variables are terms f (t1, . . . , tn) is a term whenever t1, . . . , tn are terms. Intuition : from words to trees. → There exists automata on trees instead of (classical) automata

n words, see e.g. TATA http ://tata.gforge.inria.fr/

4/13

SLIDE 6

Terms Intruder Decidability

Subterms

The set of positions of a term t is a finite set of sequence of integers. pos(f (t1, . . . , tn)) = {ǫ} ∪

n

i · pos(ti)

5/13

SLIDE 7

Terms Intruder Decidability

Subterms

The set of positions of a term t is a finite set of sequence of integers. pos(f (t1, . . . , tn)) = {ǫ} ∪

n

i · pos(ti) Definition The subterm t|p of t at position p ∈ pos(t) is : t|ǫ = t ti·p = ti|p if t = f (t1, . . . , tn), 1 ≤ i ≤ n = arity(f ) undefined otherwise.

5/13

SLIDE 8

Terms Intruder Decidability

Subterms

The set of positions of a term t is a finite set of sequence of integers. pos(f (t1, . . . , tn)) = {ǫ} ∪

n

i · pos(ti) Definition The subterm t|p of t at position p ∈ pos(t) is : t|ǫ = t ti·p = ti|p if t = f (t1, . . . , tn), 1 ≤ i ≤ n = arity(f ) undefined otherwise. Definition The term t′ is a subterm of t if there exists p ∈ pos(t) such that t′ = t|p. The set of subterms of t is denoted by st(t).

5/13

SLIDE 9

Terms Intruder Decidability

Substitution

Definition A substitution σ is a function from a finite subset (called domain, noted dom(σ)) of X to T(F, X). The application of a substitution to a term is defined as follows. σ(x) = x if x / ∈ dom(σ) σ(f (t1, . . . , tn)) = f (σ(t1), . . . , σ(tn)) We will write tσ instead of σ(t).

6/13

SLIDE 10

Terms Intruder Decidability

Inference rules

Definition An inference rule is a rule of the form T1 · · · Tn T with T1, . . . , Tn, T ∈ T(F, X).

7/13

SLIDE 11

Terms Intruder Decidability

Intruder abilities

Composition rules x y pair(x, y) x y enc(x, y) x y enca(x, y)

8/13

SLIDE 12

Terms Intruder Decidability

Intruder abilities

Composition rules x y pair(x, y) x y enc(x, y) x y enca(x, y) Decomposition rules pair(x, y) x pair(x, y) y enc(x, y) y x enca(x, pub(y)) priv(y) x

8/13

SLIDE 13

Terms Intruder Decidability

Intruder abilities

Composition rules x y pair(x, y) x y enc(x, y) x y enca(x, y) Decomposition rules pair(x, y) x pair(x, y) y enc(x, y) y x enca(x, pub(y)) priv(y) x Deducibility relation A term u is deducible from a set of terms T, denoted by T ⊢ u, if there exists a prooftree witnessing this fact.

8/13

SLIDE 14

Terms Intruder Decidability

A simple protocol

Bob, k Alice, enc(s, k)

9/13

SLIDE 15

Terms Intruder Decidability

A simple protocol

Bob, k Alice, enc(s, k) Question ? Can the attacker learn the secret s ?

9/13

SLIDE 16

Terms Intruder Decidability

A simple protocol

Bob, k Alice, enc(s, k) Answer : Of course, Yes ! Alice, enc(s, k) enc(s, k) Bob, k k s

9/13

SLIDE 17

Terms Intruder Decidability

More formally - derivability

Definition (One step) A term t is derivable in one step from a set S and an inference system I, notd S ⊢1

I t if there exists T1

· · · Tn T , t1, . . . , tn ∈ S, and a substitution θ such that ti = Tiθ t = Tθ

10/13

SLIDE 18

Terms Intruder Decidability

More formally - derivability

Definition (One step) A term t is derivable in one step from a set S and an inference system I, notd S ⊢1

I t if there exists T1

· · · Tn T , t1, . . . , tn ∈ S, and a substitution θ such that ti = Tiθ t = Tθ Definition (Derivable) A term t is derivable from a set of terms S, noted S ⊢I t if t ∈ S

r there exist terms t1, . . . , tn such that tn = t and ti+1 is

derivable in one step from S ∪ {t1, . . . , ti}. The sequence t1, . . . , tn is called proof of S ⊢I t.

10/13

SLIDE 19

Terms Intruder Decidability

Examples

S =

{a, k3, k4}k1,k2, a, k1, {k3}k1,k1
11/13

SLIDE 20

Terms Intruder Decidability

Examples

S =

{a, k3, k4}k1,k2, a, k1, {k3}k1,k1
S

?

⊢ k1

11/13

SLIDE 21

Terms Intruder Decidability

Examples

S =

{a, k3, k4}k1,k2, a, k1, {k3}k1,k1
S

?

⊢ k1 S

?

⊢ k3

11/13

SLIDE 22

Terms Intruder Decidability

Examples

S =

{a, k3, k4}k1,k2, a, k1, {k3}k1,k1
S

?

⊢ k1 S

?

⊢ k3 S

?

⊢ a, k3

11/13

SLIDE 23

Terms Intruder Decidability

Examples

S =

{a, k3, k4}k1,k2, a, k1, {k3}k1,k1
S

?

⊢ k1 S

?

⊢ k3 S

?

⊢ a, k3 S

?

⊢ k4

11/13

SLIDE 24

Terms Intruder Decidability

Examples

S =

{a, k3, k4}k1,k2, a, k1, {k3}k1,k1
S

?

⊢ k1 S

?

⊢ k3 S

?

⊢ a, k3 S

?

⊢ k4 S

?

⊢ a, k4

11/13

SLIDE 25

Terms Intruder Decidability

Decidability

What is it ?

12/13

SLIDE 26

Terms Intruder Decidability

Decision of the intruder problem

Given A set of messages S and a message m Question Can the intruder learn m from S that is S ⊢ m ? This problem is decidable in polynomial time. Let’s prove it !

13/13

SLIDE 27

Terms Intruder Decidability

Decision of the intruder problem

Given A set of messages S and a message m Question Can the intruder learn m from S that is S ⊢ m ? This problem is decidable in polynomial time. Let’s prove it ! Lemma (Locality) If there is a proof of S ⊢ m then there is a proof that only uses the subterms of S and m.

13/13