security protocol verification symbolic and computational
play

Security Protocol Verification: Symbolic and Computational Models - PowerPoint PPT Presentation

Apr 04, 2023 •368 likes •905 views

Introduction Symbolic Model Computational Model Implementations Conclusion Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS Bruno.Blanchet@ens.fr March 2012

  1. Introduction Symbolic Model Computational Model Implementations Conclusion Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, ´ Ecole Normale Sup´ erieure, CNRS Bruno.Blanchet@ens.fr March 2012 Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 1 / 48

  2. Introduction Symbolic Model Computational Model Implementations Conclusion Outline 1 Introduction to security protocols 2 Verifying protocols in the symbolic model 3 Verifying protocols in the computational model 4 Verifying protocol implementations 5 Conclusion and future challenges Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 2 / 48

  3. Introduction Symbolic Model Computational Model Implementations Conclusion Communications over a secure network secure network A (Alice) B (Bob) Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 3 / 48

  4. Introduction Symbolic Model Computational Model Implementations Conclusion Communications over an insecure network insecure network A (Alice) B (Bob) C (attacker) A talks to B on an insecure network ⇒ need for cryptography in order to make communications secure for instance, encrypt messages to preserve secrets. Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 4 / 48

  5. Introduction Symbolic Model Computational Model Implementations Conclusion Cryptographic primitives Definition (Cryptographic primitives) Basic cryptographic algorithms, used as building blocks for protocols, e.g. encryption and signatures. Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 5 / 48

  6. Introduction Symbolic Model Computational Model Implementations Conclusion Cryptographic primitives Definition (Cryptographic primitives) Basic cryptographic algorithms, used as building blocks for protocols, e.g. encryption and signatures. Shared-key encryption encryption decryption Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 5 / 48

  7. Introduction Symbolic Model Computational Model Implementations Conclusion Cryptographic primitives Definition (Cryptographic primitives) Basic cryptographic algorithms, used as building blocks for protocols, e.g. encryption and signatures. Public-key encryption encryption decryption public key private key Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 5 / 48

  8. Introduction Symbolic Model Computational Model Implementations Conclusion Cryptographic primitives Definition (Cryptographic primitives) Basic cryptographic algorithms, used as building blocks for protocols, e.g. encryption and signatures. Signatures signature verification signature ok? private key public key Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 5 / 48

  9. Introduction Symbolic Model Computational Model Implementations Conclusion Example Denning-Sacco key distribution protocol [Denning, Sacco, 1981] (simplified) k fresh {{ k } sk A } pk B { s } k A (Alice) B (Bob) The goal of the protocol is that the key k should be a secret key, shared between A and B . So s should remain secret. Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 6 / 48

  10. Introduction Symbolic Model Computational Model Implementations Conclusion The attack The (well-known) attack against this protocol. k fresh {{ k } sk A } pk C {{ k } sk A } pk B { s } k A (Alice) C (attacker) B (Bob) as A (Alice) The attacker C impersonates A and obtains the secret s . Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 7 / 48

  11. Introduction Symbolic Model Computational Model Implementations Conclusion The corrected protocol k fresh {{ A , B , k } sk A } pk B { s } k A (Alice) B (Bob) Now C cannot impersonate A because in the previous attack, the first message is {{ A , C , k } sk A } pk B , which is not accepted by B . Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 8 / 48

  12. Introduction Symbolic Model Computational Model Implementations Conclusion Examples Many protocols exist, for various goals: secure channels: SSH (Secure SHell); SSL (Secure Socket Layer), renamed TLS (Transport Layer Security); IPsec e-voting contract signing certified email wifi (WEP/WPA/WPA2) banking mobile phones . . . Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 9 / 48

  13. Introduction Symbolic Model Computational Model Implementations Conclusion Why verify security protocols ? The verification of security protocols has been and is still a very active research area. Their design is error prone. Security errors not detected by testing: appear only in the presence of an attacker. Errors can have serious consequences. Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 10 / 48

  14. Introduction Symbolic Model Computational Model Implementations Conclusion Models of protocols Active attacker: The attacker can intercept all messages sent on the network He can compute messages He can send messages on the network Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 11 / 48

  15. Introduction Symbolic Model Computational Model Implementations Conclusion Models of protocols: the symbolic model The symbolic model or “Dolev-Yao model” is due to Needham and Schroeder (1978) and Dolev and Yao (1983). Cryptographic primitives are blackboxes. sencrypt Messages are terms on these primitives. sencrypt( Hello , k ) The attacker is restricted to compute only using these primitives. ⇒ perfect cryptography assumption So the definitions of primitives specify what the attacker can do. One can add equations between primitives. Hypothesis: the only equalities are those given by these equations. This model makes automatic proofs relatively easy. Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 12 / 48

  16. Introduction Symbolic Model Computational Model Implementations Conclusion Models of protocols: the computational model The computational model has been developped at the beginning of the 1980’s by Goldwasser, Micali, Rivest, Yao, and others. Messages are bitstrings. 01100100 Cryptographic primitives are functions on bitstrings. sencrypt(011 , 100100) = 111 The attacker is any probabilistic polynomial-time Turing machine. The security assumptions on primitives specify what the attacker cannot do. This model is much more realistic than the symbolic model, but until recently proofs were only manual. Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 13 / 48

  17. Introduction Symbolic Model Computational Model Implementations Conclusion Models of protocols: side channels The computational model is still just a model, which does not exactly match reality. In particular, it ignores side channels: timing power consumption noise physical attacks against smart cards which can give additional information. Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 14 / 48

  18. Introduction Symbolic Model Computational Model Implementations Conclusion Security properties: trace and equivalence properties Trace properties: properties that can be defined on a trace. Symbolic model: they hold when they are true for all traces. Computational model: they hold when they are true except for a set of traces of negligible probability. Equivalence (or indistinguishability) properties: the attacker cannot distinguish two protocols (with overwhelming probability) Give compositional proofs. Hard to prove in the symbolic model. Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 15 / 48

  19. Introduction Symbolic Model Computational Model Implementations Conclusion Security properties: secrecy The attacker cannot obtain information on the secrets. Symbolic model: (syntactic) secrecy: the attacker cannot obtain the secret (trace property) strong secrecy: the attacker cannot distinguish when the value of the secrecy changes (equivalence property) Computational model: the attacker can distinguish the secret from a random number only with negligible probability (equivalence property) Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 16 / 48

  20. Introduction Symbolic Model Computational Model Implementations Conclusion Security properties: authentication If A thinks she is talking to B , then B thinks he is talking to A , with the same protocol parameters. Symbolic model: formalized using correspondence assertions of the form “if some event has been executed, then some other events have been executed” (trace property). Computational model: matching conversations or session identifiers, which essentially require that the messages exchanged by A and B are the same up to negligible probability (trace property). Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 17 / 48

  21. Introduction Symbolic Model Computational Model Implementations Conclusion Verifying protocols in the symbolic model Main idea (for most verifiers): Compute the knowledge of the attacker. Difficulty: security protocols are infinite state. The attacker can create messages of unbounded size. Unbounded number of sessions of the protocol. Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012 18 / 48

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Computational Verification of C Protocol Implementations by Symbolic Execution Mihhail Aizatulin 1

Computational Verification of C Protocol Implementations by Symbolic Execution Mihhail Aizatulin 1

Computational Verification of C Protocol Implementations by Symbolic Execution Mihhail Aizatulin 1 Andrew Gordon 23 urjens 4 Jan J 1 The Open University 2 Microsoft Research Cambridge 3 University of Edinburgh 4 Dortmund University October 2012

426 views • 28 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018

1.23k views • 78 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH Zurich Road map Motivation Basic notions Problems Symbolic models 1 Security protocols Omnipresent Authentication:

827 views • 37 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Leonardo de Moura Microsoft Research Verification/Analysis tools need some form of Symbolic

Leonardo de Moura Microsoft Research Verification/Analysis tools need some form of Symbolic

Leonardo de Moura Microsoft Research Verification/Analysis tools need some form of Symbolic Reasoning Logic is The Calculus of Computer Science (Z. Manna). High computational complexity Test case generation Verifying Compilers

1.73k views • 161 slides
Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90: Software Security Symbolic Execution Ahmed Rezine Hoare Triples and Deductive Reasoning IDA, Linkpings Universitet Hsttermin 2014 Static

373 views • 6 slides
Leonardo de Moura Microsoft Research Verification/Analysis tools need some form of Symbolic

Leonardo de Moura Microsoft Research Verification/Analysis tools need some form of Symbolic

Leonardo de Moura Microsoft Research Verification/Analysis tools need some form of Symbolic Reasoning Satisfiability Modulo Theories: An Appetizer Logic is The Calculus of Computer Science (Z. Manna). High computational complexity

1.35k views • 116 slides
1 Use second form Sample Protocol Goals Given set of traces Authenticity: who sent it?

1 Use second form Sample Protocol Goals Given set of traces Authenticity: who sent it?

TECS Week 2005 Analysis Techniques Protocol Verification by the Inductive Method Crypto Protocol Analysis Dolev-Yao Formal Models Computational Models (perfect cryptography) Random oracle Probabilistic process calculi John Mitchell

63 views • 4 slides
Comparing State Spaces in Automatic Security Protocol Verification Pascal Lafourcade & Cas

Comparing State Spaces in Automatic Security Protocol Verification Pascal Lafourcade & Cas

Comparing State Spaces in Automatic Security Protocol Verification Comparing State Spaces in Automatic Security Protocol Verification Pascal Lafourcade & Cas Cremers Comparing State Spaces in Automatic Security Protocol Verification

831 views • 45 slides
Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation

Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation

Formal Verification Methods 2: Symbolic Simulation Formal Verification Methods 2: Symbolic Simulation John Harrison Intel Corporation Simulation Symbolic and ternary simulation BDDs Quaternary lattice Symbolic trajectory

334 views • 14 slides
PhD Defense Symbolic Proofs of Computational Indistinguishability Adrien Koutsos Thse

PhD Defense Symbolic Proofs of Computational Indistinguishability Adrien Koutsos Thse

PhD Defense Symbolic Proofs of Computational Indistinguishability Adrien Koutsos Thse prpare au sein du LSV, ENS Paris-Saclay September 27, 2019 Introduction Motivation Security Protocols Distributed programs which aim at providing some

1.55k views • 142 slides
Symbolic Polytopes for Quantitative Interpolation and Verification Klaus v. Gleissenthall, TU

Symbolic Polytopes for Quantitative Interpolation and Verification Klaus v. Gleissenthall, TU

Symbolic Polytopes for Quantitative Interpolation and Verification Klaus v. Gleissenthall, TU Munich joint work with Andrey Rybalchenko, Microsoft Research and Boris Kpf, IMDEA Verification Quantitative verification Quantitative

599 views • 16 slides
Decidability Decidability and Symbolic Symbolic Verification Symbolic Symbolic Verification

Decidability Decidability and Symbolic Symbolic Verification Symbolic Symbolic Verification

Decidability Decidability and Symbolic Symbolic Verification Symbolic Symbolic Verification Verification Verification Kim G. Larsen Kim G. Larsen Aalborg Aalborg University Aalborg Aalborg University University DENMARK University, ,

682 views • 46 slides
Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova

Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova

Outline Motivation Symbolic String Verification Experiments Conclusion Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova Oscar H. Ibarra Dept. of Computer Science University of California Santa

465 views • 35 slides
The Road to Modernization How Insurance Core Technology is Changing Dan Woods CEO, Socotra

The Road to Modernization How Insurance Core Technology is Changing Dan Woods CEO, Socotra

o PRESENTATION: The road to modernization: how insurance core technology is changing Dan Woods, ceo, Socotra The Road to Modernization How Insurance Core Technology is Changing Dan Woods CEO, Socotra Component Library What Everyone Knows:

803 views • 16 slides
O bject-O riented Systems Development: Survey of Structured Method A.G. Sutcliffe, 1991

O bject-O riented Systems Development: Survey of Structured Method A.G. Sutcliffe, 1991

O bject-O riented Systems Development: Survey of Structured Method A.G. Sutcliffe, 1991 Object-Oriented Concepts Object-Oriented Concepts Evaluation of modeling components Evaluation of modeling components

449 views • 18 slides
M M O R R I S O N H E R S H F I R R I S O R S H F I E L D Consulting Engineers and Managers M M

M M O R R I S O N H E R S H F I R R I S O R S H F I E L D Consulting Engineers and Managers M M

Washington, DC Washington, DC M M O R R I S O N H E R S H F I R R I S O R S H F I E L D Consulting Engineers and Managers M M O R R I S O N H E R S H F I R R I S O R S H F I E L D Consulting Engineers and Managers Intelligent

1.04k views • 64 slides
Tests of the Scarlet and Multi-object Fitting Deblenders for Weak Lensing Shear Recovery Erin

Tests of the Scarlet and Multi-object Fitting Deblenders for Weak Lensing Shear Recovery Erin

Tests of the Scarlet and Multi-object Fitting Deblenders for Weak Lensing Shear Recovery Erin Sheldon and Lorena Mezini Brookhaven National Laboratory, Stony Brook University August 15, 2018 Testing Scarlet for Shear Recovery Motivation was

680 views • 20 slides
Blockchain and Accounting By: Jamie Freiman Rutgers University Overview What is Blockchain?

Blockchain and Accounting By: Jamie Freiman Rutgers University Overview What is Blockchain?

Blockchain and Accounting By: Jamie Freiman Rutgers University Overview What is Blockchain? How does it work? Types of Blockchain systems. Impacts of the Blockchain on business and accounting. Integration with Smart

879 views • 22 slides
Communication-efficient Group Key Agreement June 20, 2001 Gene Tsudik, UC Irvine

Communication-efficient Group Key Agreement June 20, 2001 Gene Tsudik, UC Irvine

Communication-efficient Group Key Agreement June 20, 2001 Gene Tsudik, UC Irvine gts@ics.uci.edu Joint work with: Adrian Perrig, CMU/UC Berkeley Yongdae Kim, USC/UC Irvine Outline Definitions/concepts Related work

761 views • 31 slides
Distributed Intelligence and the Future of Dynamic Pricing, Price Responsive Demand, and Demand

Distributed Intelligence and the Future of Dynamic Pricing, Price Responsive Demand, and Demand

Distributed Intelligence and the Future of Dynamic Pricing, Price Responsive Demand, and Demand Response in PJM Paul Centolella President, Paul Centolella & Associates, LLC Senior Consultant, Tabors Caramanis Rudkevich Energy Policy

583 views • 21 slides
Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud

Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud

Security in Cloud Computing A survey of the unique challenges and risks inherent to the Cloud Computing model. Presented By: Marissa Hollingsworth Overview What is Cloud Computing? Unique Security Concerns in the Cloud

556 views • 34 slides

More recommend