Tamarin prover, Farzane Karami, November 2019 (PowerPoint presentation)


  1. Tamarin prover, Farzane Karami, November 2019

  2. Tamarin
  • A tool for modeling and analysis of security protocols
  • Core team: David Basin, Cas Cremers, Jannik Dreier, Simon Meier, Ralf Sasse, Benedikt Schmidt
  • https://tamarin-prover.github.io/manual/tex/tamarin-manual.pdf

  3. Tamarin

  4. Tamarin
  • Security protocols are specified as rewriting logic systems
  • Security protocols
  • Rewriting logic systems

  5. Security protocols
  • Securing communication between agents
  • Transport Layer Security (TLS) to secure communication over the Internet
  • Authentication
  • Money transfer (HTTPS)
  • Voting
  • Cryptography

  6. A bit of cryptography
  • Asymmetric encryption: a public key and a private key [1]
  • Symmetric encryption: the agents in a communication agree on a shared secret key
  • Diffie-Hellman (DH) key exchange algorithm

  7. A bit of cryptography (DH)
  • Alice knows $a, g, p$; Bob knows $b$
  • Alice → Bob: $g, p, A$ where $A = g^{a} \bmod p$
  • Bob → Alice: $B = g^{b} \bmod p$
  • Alice computes $K = B^{a} \bmod p$; Bob computes $K = A^{b} \bmod p$
  • Both obtain the same key $K = g^{ab} \bmod p$

  8. Man-in-the-middle attack
  • Alice knows $a, g, p$; Bob knows $b$; the attacker knows $z$
  • Alice → attacker: $g, p, A$ where $A = g^{a} \bmod p$
  • Attacker → Bob: $g, p, Z$ where $Z = g^{z} \bmod p$
  • Bob → attacker: $B = g^{b} \bmod p$; attacker → Alice: $Z$
  • Alice computes $K = Z^{a} \bmod p$; the attacker computes the same $K = A^{z} \bmod p$
  • Bob computes $K' = Z^{b} \bmod p$; the attacker computes the same $K' = B^{z} \bmod p$
  • Alice and Bob each share a key with the attacker, not with each other

  9. Replay attack
  • The attacker sends the victim a message that was already used earlier in the victim's communication
  • The victim takes it for a valid message and reacts to it accordingly

  10. Security protocols
  • Security protocols must be robust and work in hostile environments where an attacker can:
  ⎻ eavesdrop on messages
  ⎻ intercept messages
  ⎻ impersonate any agent
  ⎻ encrypt or decrypt messages with the keys he has obtained
  ⎻ replay old or fake messages
  • A model checker is required to check the correctness of protocols against such an attacker

  11. Tamarin [2]
  • A method based on operational semantics
  • Protocols and adversaries are specified in multiset rewriting rules
  • Security properties are defined as trace properties, checked against the traces of the transition system
  • Rewrite rules specify:
  • the protocol initiator, responder, and trusted key server
  • the attacker's knowledge
  • the messages on the network
  • how the state of a protocol changes when messages are exchanged
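The Diffie-Hellman exchange of slides 7 and 8, written as Tamarin rules of the kind slide 11 describes. This is an added example, not code from the presentation or from the Tamarin project; the theory, rule and fact names (DH_unauthenticated, Alice_1, Alice_2, Bob_1, St_A, KeyA, KeyB) are chosen here. The `diffie-hellman` builtin supplies the equational theory for exponentiation, `Fr` produces fresh exponents, `In`/`Out` are the adversary-controlled network, and `K(k)` in a lemma means the adversary knows `k`. Since nothing authenticates the group elements, Tamarin falsifies `key_secret`, and the counterexample it displays is the man-in-the-middle of slide 8: the adversary supplies its own group element to Alice's second rule.

```spthy
/* Added example: unauthenticated Diffie-Hellman in Tamarin's input language.
   All names below are chosen for this illustration. */
theory DH_unauthenticated
begin

/* Equational theory for exponentiation: (g^a)^b = (g^b)^a, etc. */
builtins: diffie-hellman

/* Initiator (Alice, slide 7): choose a fresh exponent a, publish g^a, remember a. */
rule Alice_1:
    [ Fr(~a) ]
  -->
    [ Out('g'^~a), St_A(~a) ]

/* Initiator: accept any group element X from the network and derive X^a.
   X is an unconstrained message variable, so the adversary may choose it
   (this is exactly the gap the slide-8 attacker exploits). */
rule Alice_2:
    [ St_A(~a), In(X) ]
  --[ KeyA(X^~a) ]->
    [ ]

/* Responder (Bob): receive Y, choose a fresh b, publish g^b, derive Y^b. */
rule Bob_1:
    [ Fr(~b), In(Y) ]
  --[ KeyB(Y^~b) ]->
    [ Out('g'^~b) ]

/* Sanity check: an honest run in which both sides compute the same key exists
   (Tamarin proves this modulo the DH equations: (g^b)^a = (g^a)^b). */
lemma executable: exists-trace
  "Ex k #i #j. KeyA(k) @ i & KeyB(k) @ j"

/* Secrecy: no key accepted by Alice is ever known to the adversary.
   Falsified: the adversary injects its own element in place of g^b. */
lemma key_secret:
  "All k #i. KeyA(k) @ i ==> not (Ex #j. K(k) @ j)"

end
```

Save the theory as `dh_unauthenticated.spthy` and run `tamarin-prover --prove dh_unauthenticated.spthy`; the summary marks `executable` as verified and `key_secret` as falsified. `tamarin-prover interactive .` opens the web interface, where the attack graph for `key_secret` can be inspected step by step.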

  12. Rewriting logic
  • Modelling the behaviour of a dynamic system, i.e. defining how the system state evolves
  • What is a dynamic system? For example, modelling how a person ages [4]:
    Person("Peter", 50, divorced), Person("Peter", 50, married), Person("Peter", 50, dead), Person("Peter", 51, married)
  • One step of execution:

  13. Rewriting logic
  • Equations define the deterministic features and rewrite rules define the non-deterministic features
  • Rules are labelled:
  • $\mathit{birthday}: \mathit{Person}(X, N, S) \longrightarrow \mathit{Person}(X, N + 1, S)$
  • $\mathit{divorce}: \mathit{Person}(X, N, S) \longrightarrow \mathit{Person}(X, N, \mathit{divorced})$ if $N > 40 \wedge S == \mathit{married}$
  • $\mathit{marriage}: \ldots$
  • ...

  14. Rewriting logic
  • A rewriting logic specification is a tuple $\mathcal{R} = (\Sigma, E, L, R)$, where $\Sigma$ is a signature, $E$ is a set of equations, $L$ is a set of labels, and $R$ is a set of unconditional and conditional labelled rewrite rules [5]
  • A rule has the form $l : t \longrightarrow t'$
  • Rules are applied non-deterministically
  • Rules are applied to the subterms of a term $t$ (or to $t$ itself) until it is not reducible any more

  15. Modelling security protocols [6]
  • A rewriting logic model for formalizing and reasoning about security protocols
  • Rewriting logic specification of a protocol:
  • Protocol roles
  • Messages are represented as terms communicated between agents
  • The state of each protocol agent evolves as it receives messages
  • Depending on its role, each agent reacts to a message and generates events

  16. Formalizing a protocol [6]
  • Basic terms: Agent, Role, Fresh, Var, Func, TID, AdvConst, ...
  • Agent names: $\mathit{Alice}, \mathit{Bob} \in \mathit{Agent}$
  • Protocol roles: $\mathit{Init}, \mathit{Resp} \in \mathit{Role}$
  • Freshly generated terms such as nonces and session keys
  • Variables
  • Function names
  • Thread identifiers (instances of a protocol role): $\mathit{tid} \in \mathit{TID}$
  • The set of fresh values generated by the adversary
  • A term $t$ local to a thread $\mathit{tid}$ is written $t \sharp \mathit{tid}$

  17. Terms and events [6]
  • Term ::= BasicTerm | (Term, Term) | pk(Term) | sk(Term) | k(Term, Term) | {| Term |}^a_Term | {| Term |}^s_Term | Func(Term*)
  • sk(Alice): private key of agent Alice
  • pk(Alice): public key of Alice
  • k(Alice, Bob): shared symmetric key of Alice and Bob
  • $\{|\, t_1 \,|\}^{a}_{t_2}$: asymmetric encryption of the term $t_1$ with the key $t_2$
  • $\{|\, t_1 \,|\}^{s}_{t_2}$: symmetric encryption of the term $t_1$ with the key $t_2$
  • Event ::= create(Role, Sub) | send(Term) | recv(Term)

  18. A protocol example [6]
  • A protocol $P$ is a mapping from roles to event sequences
  • $P : \mathit{Role} \to \mathit{Event}^{*}$

  19. Adversary power
  • Dolev-Yao model:
  • all messages communicated between agents are intercepted by the adversary
  • all received messages are sent by the adversary
  • The adversary knows the agent names and their public keys
  • It can generate constants (AdvConst)
  • It has compromised some of the agents' private keys
  • $M \vdash t$: the adversary can infer $t$ from $M$ (a set of terms)

  20. Execution model [6]
  • The semantics of a protocol $P \in \mathit{Protocol}$ is defined by rewrite rules
  • The rewrite rules define a transition system
  • Each rule describes how an event causes a state transition
  • State configuration: ⟨trace, adversary knowledge, event⟩

  21. Security properties [6]
  • HT: the honest agents, i.e. those not compromised by the attacker

  22. Model checking of security protocols [6]
  • The set of reachable states is infinite; limiting the number of threads or sessions that can be created makes it finite

  23. Tamarin [2]
  • $\mathcal{R} = (\Sigma, E, L, R)$
  • $E$ defines the cryptographic operators (the equational theory)
  • $R$ defines the protocol
  • A formula $\phi$ defines a trace property
  • Tamarin can either check the validity or the satisfiability of $\phi$ for the traces of executions

  24. Tamarin [2]
  • The Tamarin multiset rewriting rules define a labelled transition system
  • Each rule defines how the system state (a multiset of facts) evolves to a new state
  • If the current state contains facts whose pattern matches the left-hand side of a rule, then this rule can be applied
  • The matched facts are replaced by an instance of the right-hand side
  • The state is rewritten by rules step by step; each sequence of rule applications is one trace of the system
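The replay attack of slide 9, the key compromise and honest-agent notions of slides 19 and 21, and the rule format of slide 24, combined in one Tamarin theory. This is an added example, not from the presentation or from the Tamarin distribution; the toy protocol and the names used (Replay_no_nonce, !Shk, Reveal, Running, Commit, Honest) are assumptions made here. The sender transmits one symmetrically encrypted message with no nonce or counter from the receiver, so the receiver cannot tell a fresh ciphertext from a stored and resent one. `!Shk` is a persistent fact (it matches any number of times, like the key server state of slide 11), `In(senc(...))` pattern-matches a rule's left-hand side against the network as slide 24 describes, and the `Reveal` rule models the compromised keys of slide 19. With `tamarin-prover --prove`, `executable` and `noninjective_agreement` are verified and `injective_agreement` is falsified; the counterexample delivers the same ciphertext to the receiver twice, which is the replay of slide 9.

```spthy
/* Added example: a nonce-free message exchange that admits replay.
   All names below are chosen for this illustration. */
theory Replay_no_nonce
begin

builtins: symmetric-encryption

/* Key server (slide 11): set up a shared symmetric key k(A,B) for two agents.
   Persistent (!) so it can serve any number of sessions. */
rule Setup_shared_key:
    [ Fr(~k) ]
  -->
    [ !Shk($A, $B, ~k) ]

/* Adversary capability (slide 19): compromise a shared key.
   Both holders count as compromised; the lemmas exclude such runs. */
rule Reveal_shared_key:
    [ !Shk(A, B, k) ]
  --[ Reveal(A), Reveal(B) ]->
    [ Out(k) ]

/* Sender A: encrypt a fresh payload under the shared key. No nonce from B
   and no counter, so the ciphertext carries nothing tying it to one session. */
rule Sender:
    [ !Shk(A, B, k), Fr(~m) ]
  --[ Running(A, B, ~m) ]->
    [ Out(senc(<'msg', ~m>, k)) ]

/* Receiver B: the left-hand side (slide 24) matches any network message that
   decrypts under k to a tagged payload, including one the adversary replays.
   Honest(A), Honest(B) records whom this claim depends on (slide 21). */
rule Receiver:
    [ !Shk(A, B, k), In(senc(<'msg', m>, k)) ]
  --[ Commit(B, A, m), Honest(A), Honest(B) ]->
    [ ]

/* Sanity check: the intended run is possible. */
lemma executable: exists-trace
  "Ex A B m #i #j. Running(A, B, m) @ j & Commit(B, A, m) @ i & j < i"

/* Verified: whatever B accepts was sent by A, unless a key was revealed. */
lemma noninjective_agreement:
  "All A B m #i. Commit(B, A, m) @ i
     ==> (Ex #j. Running(A, B, m) @ j)
       | (Ex X #r. Reveal(X) @ r & Honest(X) @ i)"

/* Falsified: B may accept the same m twice although A sent it only once. */
lemma injective_agreement:
  "All A B m #i. Commit(B, A, m) @ i
     ==> (Ex #j. Running(A, B, m) @ j & j < i
            & not (Ex B2 A2 #i2. Commit(B2, A2, m) @ i2 & not (#i2 = #i)))
       | (Ex X #r. Reveal(X) @ r & Honest(X) @ i)"

end
```

The usual fix is to let B first send a fresh nonce that A must include under the encryption, so that the `Receiver` rule's left-hand side binds the ciphertext to B's own `Fr` value; the replayed ciphertext then no longer matches and `injective_agreement` becomes provable.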

  25. Tamarin [2]

  26. References
  • [1] https://cheapsslsecurity.com/blog/what-is-asymmetric-encryption-understand-with-simple-examples/
  • [2] Tamarin-Prover Manual, https://tamarin-prover.github.io/manual/tex/tamarin-manual.pdf
  • [3] https://www.virusbulletin.com/blog/2015/05/weak-keys-and-prime-reuse-make-diffie-hellman-implementations-vulnerable
  • [4] Peter Csaba Olveczky, Designing Reliable Distributed Systems: A Formal Methods Approach Based on Executable Modeling in Maude, Springer, 2018.
  • [5] Jose Meseguer, A Logical Theory of Concurrent Objects and Its Realization in the Maude Language, in: Research Directions in Concurrent Object-Oriented Programming, MIT Press, 1993.
  • [6] David Basin, Cas Cremers, and Catherine Meadows, Model Checking Security Protocols, in: Handbook of Model Checking, 2011, Citeseer.
  • [7] https://cheapsslsecurity.com/blog/what-is-asymmetric-encryption-understand-with-simple-examples/
