SLIDE 1
Presentation of the ProVerif tool
Stéphanie Delaune
January 2018
SLIDE 2
SLIDE 3
ProVerif [Blanchet, 01]
ProVerif is a verifier for cryptographic protocols that may prove that a protocol is secure or exhibit attacks. http://proverif.inria.fr
Advantages
◮ fully automatic, and quite efficient
◮ a rich process algebra: replication, else branches, ...
◮ handles many cryptographic primitives
◮ various security properties: secrecy, correspondences, equivalences
No miracle
◮ the tool can say "cannot be proved";
◮ termination is not guaranteed
SLIDE 4
How does ProVerif work?
SLIDE 5
Some vocabulary
First order logic
Atoms: P(t1, ..., tn) where the ti are terms and P is a predicate
Literals: P(t1, ..., tn) or ¬P(t1, ..., tn)
closed under ∨, ∧, ¬, ∃, ∀
Clauses: only universal quantifiers
Horn clauses: at most one positive literal, i.e. ∀x̃. A1, ..., An ⇒ B (where the Ai and B are atoms)
SLIDE 6
Modelling using Horn clauses
SLIDE 7
Modelling the attacker
The set of Horn clauses Catt reflects the capabilities of the attacker.
att(x), att(y) ⇒ att(x, y)      pairing
att(x, y) ⇒ att(x)              projection
att(x, y) ⇒ att(y)              projection
att(x), att(y) ⇒ att({x}y)      encryption
att({x}y), att(y) ⇒ att(x)      decryption
SLIDE 8
Modelling the protocol (on an example)
A → B : {pin}Ka
B → A : {{pin}Ka}Kb
A → B : {pin}Kb
→ this relies on encryption commuting: {{pin}Ka}Kb = {{pin}Kb}Ka.
SLIDE 10
Modelling the protocol (on an example)
A → B : {pin}Ka
B → A : {{pin}Ka}Kb
A → B : {pin}Kb
This protocol does not work! (authentication problem)
Attack, with the intruder I using its own key Ki:
A → I : {pin}Ka
I → A : {{pin}Ka}Ki
A → I : {pin}Ki
SLIDE 11
Modelling the protocol (using Horn clauses)
Protocol:
A → B : {pin}Ka
B → A : {{pin}Ka}Kb
A → B : {pin}Kb
Horn clauses Cprot:
⇒ att({pin}Ka)
att(x) ⇒ att({x}Kb)
att({x}Ka) ⇒ att(x)
→ These clauses model an arbitrary number of executions of the protocol between the two honest participants A and B.
SLIDE 13
Modelling the security property
We consider secrecy as a reachability (accessibility) property, and we consider the Horn clause ¬att(pin).
There exists an attack (in this model) iff Catt + Cprot + ¬att(pin) is NOT satisfiable.
Exercise
Do you think that Cprot + Catt + ¬att(pin) is satisfiable or not? Justify your answer. What about Cprot + Catt? And Cprot alone?
SLIDE 14
How to decide satisfiability?
→ using resolution techniques
SLIDE 15
Binary resolution
Binary resolution:
    ¬A ∨ C        B ∨ D
    ---------------------    θ = mgu(A, B)
          Cθ ∨ Dθ
Theorem (Soundness and Completeness)
Binary resolution is sound and refutationally complete for Horn clauses, i.e. a set of Horn clauses C is not satisfiable if and only if the empty clause can be obtained from C by binary resolution.
SLIDE 17
Example
C = {¬att(s), att(k1), att({s}k1,k1), att({x}y), att(y) ⇒ att(x), att(x), att(y) ⇒ att(x, y)}
Resolution steps (each one uses the mgu of the two underlined atoms):
att({x}y), att(y) ⇒ att(x)   with   att({s}k1,k1)   gives   att(k1, k1) ⇒ att(s)
att(x), att(y) ⇒ att(x, y)   with   att(k1)         gives   att(y) ⇒ att(k1, y)
att(y) ⇒ att(k1, y)          with   att(k1)         gives   att(k1, k1)
att(k1, k1) ⇒ att(s)         with   att(k1, k1)     gives   att(s)
att(s)                       with   ¬att(s)         gives   the empty clause
SLIDE 18
But it is not terminating!
att(x), att(y) ⇒ att(x, y)   with   att(s)      gives   att(y) ⇒ att(s, y)
att(y) ⇒ att(s, y)           with   att(s)      gives   att(s, s)
att(y) ⇒ att(s, y)           with   att(s, s)   gives   att(s, s, s)
att(y) ⇒ att(s, y)           with   att(s, s, s)   gives   att(s, s, s, s)
· · ·
→ This does not yield any decidability result.
SLIDE 19
How does ProVerif work?
SLIDE 20
ProVerif in a nutshell
Two main ideas (extending [Weidenbach, CADE'99]):
1. a simple abstract representation of these protocols, by a set of Horn clauses;
   → relying on parametrized terms (called patterns)
2. an efficient solving algorithm based on resolution to find which facts can be derived from these clauses.
   → ordered resolution with selection
Using this, ProVerif can prove secrecy properties of protocols, or exhibit attacks showing why a message is not secret.
SLIDE 22
Modelling the attacker using Horn clauses
Public key encryption
att(x) ⇒ att(pk(x))
att(x), att(pk(y)) ⇒ att(aenc(x, pk(y)))
att(aenc(x, pk(y))), att(y) ⇒ att(x)
Signature
att(x), att(y) ⇒ att(sign(x, y))
att(sign(x, y)) ⇒ att(x)
Symmetric encryption
att(x), att(y) ⇒ att(senc(x, y))
att(senc(x, y)), att(y) ⇒ att(x)
Initial knowledge
⇒ att(pk(skA))
⇒ att(skI)
⇒ att(pk(skB))
SLIDE 25
Modelling the protocol using Horn clauses
Denning-Sacco protocol
...
A → B : aenc(sign(k, priv(A)), pub(B))
B → A : senc(s, k)
...
... using Horn clauses
◮ A talks with any principal represented by its public key pk(x).
att(pk(x)) ⇒ att(aenc(sign(k, skA), pk(x)))
◮ When B receives a message of the expected form, he replies accordingly.
att(aenc(sign(y, skA), pk(skB))) ⇒ att(senc(s, y))
SLIDE 26
Modelling the protocol using Horn clauses
Denning-Sacco protocol
...
A → B : aenc(sign(k, priv(A)), pub(B))
B → A : senc(s, k)
...
... using Horn clauses
◮ A talks with any principal represented by its public key pk(x).
att(pk(x)) ⇒ att(aenc(sign(k[x], skA), pk(x)))
◮ When B receives a message of the expected form, he replies accordingly.
att(aenc(sign(y, skA), pk(skB))) ⇒ att(senc(s, y))
→ names are parametrized to partially model their freshness: the key k[x] depends on the partner x that A talks to
SLIDE 27
Modelling the security property using Horn clauses
We consider secrecy as a reachability (accessibility) property.
Is Catt + Cprot + ¬att(s) satisfiable or not?
SLIDE 36
Modelling the security property using Horn clauses
We consider secrecy as a reachability (accessibility) property.
Is Catt + Cprot + ¬att(s) satisfiable or not?
Denning-Sacco protocol
1. att(skI)                                  initial knowledge
2. att(pk(skI))                              using attacker rules on 1
3. att(aenc(sign(k[skI], skA), pk(skI)))     using protocol (rule 1) on 2
4. att(pk(skB))                              initial knowledge
5. att(aenc(sign(k[skI], skA), pk(skB)))     using attacker rules on 3 with 1/4
6. att(senc(s, k[skI]))                      using protocol (rule 2) on 5
7. att(k[skI])                               using attacker rules on 3 with 1
8. att(s)                                    attacker rule on 6 with 7
Contradiction! Catt + Cprot + ¬att(s) is not satisfiable.
→ This derivation corresponds to an attack.
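As an added example that is not part of the slides, the derivations of slides 17 and 36 replayed by a small Python checker: a unifier and a binary-resolution step (slide 15) verify that each line of a derivation is an instance of the clause it claims to use. The clause names, the `?x` variable convention and the tuple encoding of terms are this example's own assumptions.

```python
# Added example (not from the slides): a tiny Horn-clause checker. Every atom is att(t),
# so a fact is just the term t; variables are strings starting with '?', constants are
# plain strings, f(t1, ..., tn) is the tuple ('f', t1, ..., tn), and k[x] is ('k', x).
def subst(t, s):
    if isinstance(t, tuple): return (t[0],) + tuple(subst(a, s) for a in t[1:])
    return subst(s[t], s) if t in s else t

def unify(a, b, s):
    """mgu of a and b extending s (a None s propagates). Facts are ground: no occurs check."""
    if s is None: return None
    a, b = subst(a, s), subst(b, s)
    if a == b: return s
    for v, t in ((a, b), (b, a)):
        if isinstance(v, str) and v.startswith('?'): return {**s, v: t}
    if not (isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b)): return None
    for x, y in zip(a[1:], b[1:]): s = unify(x, y, s)
    return s

def resolve(clause, facts):
    """Resolve each hypothesis of A1, ..., An => B with one ground fact; instance of B or None."""
    (hyps, concl), s = clause, {}
    if len(hyps) != len(facts): return None
    for h, f in zip(hyps, facts): s = unify(h, f, s)
    return None if s is None else subst(concl, s)

def replay(steps):
    """Check a derivation: each step is (clause, numbers of the earlier steps used as facts)."""
    facts = []
    for n, (clause, used) in enumerate(steps, 1):
        t = resolve(clause, [facts[i - 1] for i in used])
        if t is None: raise ValueError(f"step {n} is not a valid resolution")
        facts.append(t)
    return facts

# Attacker rules (slides 7 and 22) and the two Denning-Sacco clauses (slide 26).
PAIR = (['?x', '?y'], ('pair', '?x', '?y'))
SDEC = ([('senc', '?x', '?y'), '?y'], '?x')
PK = (['?x'], ('pk', '?x'))
AENC = (['?x', ('pk', '?y')], ('aenc', '?x', ('pk', '?y')))
ADEC = ([('aenc', '?x', ('pk', '?y')), '?y'], '?x')
GETM = ([('sign', '?x', '?y')], '?x')
A_RULE = ([('pk', '?x')], ('aenc', ('sign', ('k', '?x'), 'skA'), ('pk', '?x')))
B_RULE = ([('aenc', ('sign', '?y', 'skA'), ('pk', 'skB'))], ('senc', 's', '?y'))
# Slide 17: from att(k1) and att({s}k1,k1) (encoded with senc) derive att(s).
EX17 = [(([], 'k1'), []), (([], ('senc', 's', ('pair', 'k1', 'k1'))), []),
        (PAIR, [1, 1]), (SDEC, [2, 3])]
# Slide 36, with the slide's step 5 split into its two attacker moves (steps 5 and 6).
DS36 = [(([], 'skI'), []), (PK, [1]), (A_RULE, [2]), (([], ('pk', 'skB')), []),
        (ADEC, [3, 1]), (AENC, [5, 4]), (B_RULE, [6]), (GETM, [5]), (SDEC, [7, 8])]
```

Once `replay` returns the secret, one more resolution with ¬att(s) yields the empty clause, which is the contradiction the slide reports.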
SLIDE 37
Exercise
Consider the Horn clauses given on the previous slides to model the Denning-Sacco protocol.
Exercise: apply binary resolution to derive the empty clause.
SLIDE 38
ProVerif
ProVerif implements a resolution strategy well-adapted to cryptographic protocols:
→ ordered resolution with selection
Approximation of the translation into Horn clauses:
◮ the freshness of nonces is partially modeled;
◮ the number of times a message appears is ignored, only the fact that it has appeared is taken into account;
◮ the state of the principals is not fully modeled.
→ These approximations are key to an efficient verification.
SLIDE 39