
Presentation of the ProVerif tool, Stéphanie Delaune, January 2018



  1. Presentation of the ProVerif tool. Stéphanie Delaune, January 2018


  3. ProVerif [Blanchet, 01]
     ProVerif is a verifier for cryptographic protocols that may prove that a protocol is secure or exhibit attacks. http://proverif.inria.fr
     Advantages
     ◮ fully automatic, and quite efficient
     ◮ a rich process algebra: replication, else branches, ...
     ◮ handles many cryptographic primitives
     ◮ various security properties: secrecy, correspondences, equivalences
     No miracle
     ◮ the tool can say “can not be proved”;
     ◮ termination is not guaranteed

  4. How does ProVerif work?

  5. Some vocabulary
     First order logic
     Atoms: $P(t_1, \ldots, t_n)$ where $t_i$ are terms, $P$ is a predicate
     Literals: $P(t_1, \ldots, t_n)$ or $\neg P(t_1, \ldots, t_n)$
     closed under $\lor, \land, \neg, \exists, \forall$
     Clauses: only universal quantifiers
     Horn clauses: at most one positive literal
     $\forall \tilde{x}.\ A_1, \ldots, A_n \Rightarrow B$ (where $A_i$, $B$ are atoms.)

  6. Modelling using Horn clauses

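  7. Modelling the attacker
     The Horn clauses $C_{att}$ reflect the capabilities of the attacker.
     $\mathrm{att}(x), \mathrm{att}(y) \Rightarrow \mathrm{att}(\langle x, y \rangle)$   (pairing)
     $\mathrm{att}(\langle x, y \rangle) \Rightarrow \mathrm{att}(x)$   (projection)
     $\mathrm{att}(\langle x, y \rangle) \Rightarrow \mathrm{att}(y)$   (projection)
     $\mathrm{att}(x), \mathrm{att}(y) \Rightarrow \mathrm{att}(\{x\}_y)$   (encryption)
     $\mathrm{att}(\{x\}_y), \mathrm{att}(y) \Rightarrow \mathrm{att}(x)$   (decryption)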

  8. Modelling the protocol (on an example)
     $\{pin\}_{K_a}$
     $\{\{pin\}_{K_a}\}_{K_b}$
     $\{pin\}_{K_b}$
     → $\{\{pin\}_{K_a}\}_{K_b} = \{\{pin\}_{K_b}\}_{K_a}$.


  10. Modelling the protocol (on an example)
      $\{pin\}_{K_a}$
      $\{\{pin\}_{K_a}\}_{K_b}$
      $\{pin\}_{K_b}$
      This protocol does not work! (authentication problem)
      $\{pin\}_{K_a}$
      $\{\{pin\}_{K_a}\}_{K_i}$
      $\{pin\}_{K_i}$

  11. Modelling the protocol (using Horn clauses)
      Protocol                                   Horn clauses $C_P$
      $A \to B : \{pin\}_{K_a}$                  $\Rightarrow \mathrm{att}(\{pin\}_{K_a})$
      $B \to A : \{\{pin\}_{K_a}\}_{K_b}$        $\mathrm{att}(x) \Rightarrow \mathrm{att}(\{x\}_{K_b})$
      $A \to B : \{pin\}_{K_b}$                  $\mathrm{att}(\{x\}_{K_a}) \Rightarrow \mathrm{att}(x)$
      → These clauses model an arbitrary number of executions of the protocol between the two honest participants $A$ and $B$.


  13. Modelling the security property
      We consider secrecy as a reachability (accessibility) property, and we consider the Horn clause $\neg\mathrm{att}(pin)$.
      There exists an attack (in this model) iff $C_{att} + C_{prot} + \neg\mathrm{att}(pin)$ is NOT satisfiable.
      Exercise
      Do you think that $C_{prot} + C_{att} + \neg\mathrm{att}(pin)$ is satisfiable or not? Justify your answer. What about $C_{prot} + C_{att}$? And $C_{prot}$?

  14. How to decide satisfiability?
      → using resolution techniques

  15. Binary resolution
      $$\frac{\neg A \lor C \qquad B \lor D}{C\theta \lor D\theta} \quad \theta = \mathrm{mgu}(A, B)$$
      Theorem (Soundness and Completeness)
      Binary resolution is sound and refutationally complete for Horn clauses, i.e. a set of Horn clauses $C$ is not satisfiable if and only if $\square$ (the empty clause) can be obtained from $C$ by binary resolution.


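  17. Example
      $C = \{\ \neg\mathrm{att}(s),\ \ \mathrm{att}(k_1),\ \ \mathrm{att}(\{s\}_{\langle k_1, k_1 \rangle}),\ \ \mathrm{att}(\{x\}_y), \mathrm{att}(y) \Rightarrow \mathrm{att}(x),\ \ \mathrm{att}(x), \mathrm{att}(y) \Rightarrow \mathrm{att}(\langle x, y \rangle)\ \}$
      Resolution derivation (premises, then resolvent):
      ◮ From $\mathrm{att}(k_1)$ and $\mathrm{att}(x), \mathrm{att}(y) \Rightarrow \mathrm{att}(\langle x, y \rangle)$: $\mathrm{att}(y) \Rightarrow \mathrm{att}(\langle k_1, y \rangle)$
      ◮ From $\mathrm{att}(\{s\}_{\langle k_1, k_1 \rangle})$ and $\mathrm{att}(\{x\}_y), \mathrm{att}(y) \Rightarrow \mathrm{att}(x)$: $\mathrm{att}(\langle k_1, k_1 \rangle) \Rightarrow \mathrm{att}(s)$
      ◮ From $\mathrm{att}(k_1)$ and $\mathrm{att}(y) \Rightarrow \mathrm{att}(\langle k_1, y \rangle)$: $\mathrm{att}(\langle k_1, k_1 \rangle)$
      ◮ From $\mathrm{att}(\langle k_1, k_1 \rangle)$ and $\mathrm{att}(\langle k_1, k_1 \rangle) \Rightarrow \mathrm{att}(s)$: $\mathrm{att}(s)$
      ◮ From $\neg\mathrm{att}(s)$ and $\mathrm{att}(s)$: $\square$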

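  18. But it is not terminating!
      ◮ From $\mathrm{att}(s)$ and $\mathrm{att}(x), \mathrm{att}(y) \Rightarrow \mathrm{att}(\langle x, y \rangle)$: $\mathrm{att}(y) \Rightarrow \mathrm{att}(\langle s, y \rangle)$
      ◮ From $\mathrm{att}(s)$ and $\mathrm{att}(y) \Rightarrow \mathrm{att}(\langle s, y \rangle)$: $\mathrm{att}(\langle s, s \rangle)$
      ◮ From $\mathrm{att}(\langle s, s \rangle)$ and $\mathrm{att}(y) \Rightarrow \mathrm{att}(\langle s, y \rangle)$: $\mathrm{att}(\langle s, \langle s, s \rangle \rangle)$
      ◮ From $\mathrm{att}(\langle s, \langle s, s \rangle \rangle)$ and $\mathrm{att}(y) \Rightarrow \mathrm{att}(\langle s, y \rangle)$: $\mathrm{att}(\langle s, \langle s, \langle s, s \rangle \rangle \rangle)$
      ◮ $\cdots$
      → This does not yield any decidability result.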
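The resolution of slides 14 to 18 as an added Python example (not part of the original slides, and not ProVerif's own algorithm): each fact is resolved against the first premise of each rule, breadth-first, under a clause budget because saturation need not terminate. The names `match`, `subst`, `derivable`, the `budget` parameter and the constructed clause set `NO_PAIR` are assumptions of this example; `senc(x, y)` and `pair(x, y)` stand for $\{x\}_y$ and $\langle x, y \rangle$.

```python
from collections import deque

# Terms: "?x" is a variable, other strings are constants, ("f", a, b) is an
# application. Clause = (premises, conclusion), att(.) implicit; facts are ground.
def match(pat, term, sub):  # extend sub so pat under sub equals term, else None
    if isinstance(pat, str):
        if not pat.startswith("?"):
            return sub if pat == term else None
        return {**sub, pat: term} if sub.get(pat, term) == term else None
    if isinstance(term, str) or len(pat) != len(term) or pat[0] != term[0]:
        return None
    for p, t in zip(pat[1:], term[1:]):
        if (sub := match(p, t, sub)) is None:
            return None
    return sub

def subst(t, sub):
    if isinstance(t, str):
        return sub.get(t, t)
    return (t[0], *(subst(a, sub) for a in t[1:]))

def derivable(clauses, goal, budget=2000):
    """True: att(goal) derived. False: saturated without it. None: budget hit."""
    facts, rules, todo, seen = [], [], deque(clauses), set(clauses)
    while todo:
        if len(seen) > budget:
            return None
        prem, concl = todo.popleft()
        if not prem and concl == goal:
            return True
        if not prem:  # new fact: resolve it with every known rule
            facts.append(concl)
            pairs = [(concl, r) for r in rules]
        else:  # new rule: resolve every known fact with it
            rules.append((prem, concl))
            pairs = [(f, (prem, concl)) for f in facts]
        for fact, (p, c) in pairs:
            sub = match(p[0], fact, {})  # selection: always the first premise
            if sub is not None:
                new = (tuple(subst(q, sub) for q in p[1:]), subst(c, sub))
                if new not in seen:
                    seen.add(new)
                    todo.append(new)
    return False

DEC = ((("senc", "?x", "?y"), "?y"), "?x")   # att({x}_y), att(y) => att(x)
PAIR = (("?x", "?y"), ("pair", "?x", "?y"))  # att(x), att(y) => att(<x, y>)
SLIDE16 = (((), "k1"), ((), ("senc", "s", ("pair", "k1", "k1"))), DEC, PAIR)
SLIDE18 = (((), "s"), PAIR)                  # pairing alone never saturates
NO_PAIR = (((), "k1"), ((), ("senc", "s", "k2")), DEC)  # constructed, finite
```

`derivable(SLIDE16, "s")` returns `True` (adding ¬att(s) would yield the empty clause), `derivable(NO_PAIR, "s")` returns `False` after saturation, and `derivable(SLIDE18, "k")` returns `None` because pairing keeps producing new facts until the budget runs out.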

  19. How does ProVerif work?

  20. ProVerif in a nutshell
      Two main ideas (extending [Weidenbach, CADE’99]):
      1. a simple abstract representation of these protocols, by a set of Horn clauses;
         → relying on parametrized terms (called patterns)
      2. an efficient solving algorithm based on resolution to find which facts can be derived from these clauses.
         → ordered resolution with selection
      Using this, ProVerif can prove secrecy properties of protocols, or exhibit attacks showing why a message is not secret.


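  22. Modelling the attacker using Horn clauses
      Public key encryption
      $\mathrm{att}(x) \Rightarrow \mathrm{att}(\mathrm{pk}(x))$
      $\mathrm{att}(x), \mathrm{att}(\mathrm{pk}(y)) \Rightarrow \mathrm{att}(\mathrm{aenc}(x, \mathrm{pk}(y)))$
      $\mathrm{att}(\mathrm{aenc}(x, \mathrm{pk}(y))), \mathrm{att}(y) \Rightarrow \mathrm{att}(x)$
      Signature
      $\mathrm{att}(x), \mathrm{att}(y) \Rightarrow \mathrm{att}(\mathrm{sign}(x, y))$
      $\mathrm{att}(\mathrm{sign}(x, y)) \Rightarrow \mathrm{att}(x)$
      Symmetric encryption
      $\mathrm{att}(x), \mathrm{att}(y) \Rightarrow \mathrm{att}(\mathrm{senc}(x, y))$
      $\mathrm{att}(\mathrm{senc}(x, y)), \mathrm{att}(y) \Rightarrow \mathrm{att}(x)$
      Initial knowledge
      $\Rightarrow \mathrm{att}(\mathrm{pk}(sk_A))$
      $\Rightarrow \mathrm{att}(sk_I)$
      $\Rightarrow \mathrm{att}(\mathrm{pk}(sk_B))$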


  25. Modelling the protocol using Horn clauses
      Denning-Sacco protocol
      ...
      $A \to B : \mathrm{aenc}(\mathrm{sign}(k, \mathrm{priv}(A)), \mathrm{pub}(B))$
      $B \to A : \mathrm{senc}(s, k)$
      ...
      using Horn clauses
      ◮ A talks with any principal represented by its public key $\mathrm{pk}(x)$.
        $\mathrm{att}(\mathrm{pk}(x)) \Rightarrow \mathrm{att}(\mathrm{aenc}(\mathrm{sign}(k, sk_A), \mathrm{pk}(x)))$
      ◮ When B receives a message of the expected form, he replies accordingly
        $\mathrm{att}(\mathrm{aenc}(\mathrm{sign}(y, sk_A), \mathrm{pk}(sk_B))) \Rightarrow \mathrm{att}(\mathrm{senc}(s, y))$

  26. Modelling the protocol using Horn clauses
      Denning-Sacco protocol
      ...
      $A \to B : \mathrm{aenc}(\mathrm{sign}(k, \mathrm{priv}(A)), \mathrm{pub}(B))$
      $B \to A : \mathrm{senc}(s, k)$
      ...
      using Horn clauses
      ◮ A talks with any principal represented by its public key $\mathrm{pk}(x)$.
        $\mathrm{att}(\mathrm{pk}(x)) \Rightarrow \mathrm{att}(\mathrm{aenc}(\mathrm{sign}(k[x], sk_A), \mathrm{pk}(x)))$
      ◮ When B receives a message of the expected form, he replies accordingly
        $\mathrm{att}(\mathrm{aenc}(\mathrm{sign}(y, sk_A), \mathrm{pk}(sk_B))) \Rightarrow \mathrm{att}(\mathrm{senc}(s, y))$
      → names are parametrized to partially model their freshness


  33. Modelling the security property using Horn clauses
      We consider secrecy as a reachability (accessibility) property.
      Is $C_{att} + C_{prot} + \neg\mathrm{att}(s)$ satisfiable or not?
      Denning-Sacco protocol
      1. $\mathrm{att}(sk_I)$   (initial knowledge)
      2. $\mathrm{att}(\mathrm{pk}(sk_I))$   (using attacker rules on 1)
      3. $\mathrm{att}(\mathrm{aenc}(\mathrm{sign}(k[sk_I], sk_A), \mathrm{pk}(sk_I)))$   (using protocol (rule 1) on 2)
      4. $\mathrm{att}(\mathrm{pk}(sk_B))$   (initial knowledge)
      5. $\mathrm{att}(\mathrm{aenc}(\mathrm{sign}(k[sk_I], sk_A), \mathrm{pk}(sk_B)))$   (using attacker rules on 3 with 1/4)
      6. $\mathrm{att}(\mathrm{senc}(s, k[sk_I]))$   (using protocol (rule 2) on 5)
