1/25
The Journey towards a Reference Implementation of IPSec
Automatic Security Analysis with Tamarin-Prover
Eike Stadtländer
July 12, 2018
2/25
Outline
Motivation
Tamarin-Prover
  Overview
  Multiset Rewriting
  Tamarin-Prover in Practice
Reference Implementation of IPSec
  Building Blocks
  Finite State Machine
  Status Quo
Lab-Goals
Reflection
3/25
4/25
Modern proofs are error-prone: they become more complex and they are created faster than they can be verified. Examples:
- Opfer, "An Analytic Approach to the Collatz 3n+1 Problem". In: Hamburger Beiträge zur Angewandten Mathematik 9 (2011)
- Blum, "A Solution of the P versus NP Problem". arXiv: 1708.03486v2 [cs.CC]
- Mochizuki, Inter-universal Teichmüller Theory I-IV (recently updated: 602 pages)
Security of network protocols is critical:
The security proofs are not always trustworthy (Halevi 2005; Bellare and Rogaway 2004). Automatic security analysis aims to improve the trustworthiness of security proofs.
5/25
6/25
Overview
(Meier 2013; Schmidt 2012). We will follow Meier 2013, Chapters 7 and 8.
7/25
Definition
An order-sorted signature is a triple $(S, \le, \Sigma)$ where $(S, \le)$ is a partially ordered set of sorts and $\Sigma$ is a set of function symbols associated with the sorts such that
- for every $s \in S$, the connected component $C$ of $s$ contains a top sort $\mathrm{top}(s)$ satisfying $\forall c \in C : c \le \mathrm{top}(s)$;
- for every $f : s_1 \times \cdots \times s_k \to s \in \Sigma$, we also have $f : \mathrm{top}(s_1) \times \cdots \times \mathrm{top}(s_k) \to \mathrm{top}(s) \in \Sigma$.
Example (Cryptographic messages)
$S = \{\mathit{msg}, \mathit{fresh}, \mathit{pub}\}$, $\mathit{fresh} \le \mathit{msg}$, $\mathit{pub} \le \mathit{msg}$, $\Sigma_{PHS} = \{\langle\cdot, \cdot\rangle, \mathrm{fst}(\cdot), \mathrm{snd}(\cdot), \mathrm{h}(\cdot), \mathrm{senc}(\cdot, \cdot), \mathrm{sdec}(\cdot, \cdot)\}$
8/25
Definition
Let $\Sigma = (S, \le, \Sigma)$ be an order-sorted signature. For every sort $s \in S$ we assume there are countably infinite sets of variables $\mathcal{V}_s$ and constants $\mathcal{C}_s$ where $\mathcal{C}_s \cap \mathcal{V}_s = \emptyset$ and $\mathcal{V}_s \cap \mathcal{V}_t = \emptyset = \mathcal{C}_s \cap \mathcal{C}_t$ if $s, t \in S$, $s \ne t$. Then, given $A \subseteq \bigcup_{s \in S} \mathcal{C}_s \cup \bigcup_{s \in S} \mathcal{V}_s$, $\mathcal{T}_\Sigma(A)$ denotes the set of all well-sorted terms constructed over $\Sigma \cup A$.
Example (Cryptographic messages)
Given $\Sigma_{PHS} = (\{\mathit{msg}, \mathit{fresh}, \mathit{pub}\}, \le, \Sigma_{PHS})$ we have, for instance, the following well-sorted terms: $m \in \mathcal{V}_{\mathit{msg}}$, $\mathrm{fst}(\langle m, n\rangle)$, $\mathrm{senc}(m, k)$, $\mathrm{sdec}(k_2, \mathrm{senc}(k_1, m))$.
9/25
Definition
Let $\Sigma$ be an order-sorted signature. A pair $\{s, t\}$ of terms $s, t \in \mathcal{T}_\Sigma(\mathcal{V})$ is called an equation; we write $s = t$. The equational theory defined by $E$ is the smallest congruence relation $=_E$ containing all instances of equations in $E$.
Example (Cryptographic primitives)
Given $\Sigma_{PHS}$ as before, we define $E_{PHS} = \{\mathrm{fst}(\langle x, y\rangle) = x,\ \mathrm{snd}(\langle x, y\rangle) = y,\ \mathrm{sdec}(k, \mathrm{senc}(k, m)) = m\}$.
10/25
Definition
Let $\Sigma_{\mathit{Fact}}$ be an unsorted signature partitioned into linear and persistent fact symbols. Furthermore, assume there is a designated fact symbol $\mathrm{Fr} \in \Sigma_{\mathit{Fact}}$ modelling freshness. Given an order-sorted term algebra $\mathcal{T}$, we define the set of all facts by $\mathcal{F} = \{F(t_1, \ldots, t_k) \mid t_1, \ldots, t_k \in \mathcal{T},\ F \in \Sigma_{\mathit{Fact}},\ \mathrm{arity}(F) = k\}$. A (labeled) multiset rewriting rule is a triple $(p, a, c)$ of finite sequences $p, a, c \in \mathcal{F}^*$, written $p \;-[\,a\,]\!\to\; c$.
Example
In our example from before: $[\mathrm{Secret}(m, k)] \;-[\,\mathrm{Encrypted}(m)\,]\!\to\; [\mathrm{Out}(\mathrm{senc}(k, m))]$
11/25
Definition
Let $E$ define an equational theory $=_E$. Let $R$ be a finite set of multiset rewriting rules. Then we call $R$ a (labeled) multiset rewriting system if it satisfies the following properties:
fresh).
in one of its premises (modulo $E$).
Example
Message deduction rules (means of the attacker):
$MD_\Sigma := \{\ \mathrm{Out}(x) \;-[\,]\!\to\; \mathrm{K}(x),\ \ \mathrm{K}(x) \;-[\,\mathrm{K}(x)\,]\!\to\; \mathrm{In}(x),\ \ \mathrm{Fr}(x{:}\mathit{fresh}) \;-[\,]\!\to\; \mathrm{K}(x{:}\mathit{fresh}),\ \ -[\,]\!\to\; \mathrm{K}(x{:}\mathit{pub})\ \} \cup \{\ \mathrm{K}(x_1), \ldots, \mathrm{K}(x_k) \;-[\,]\!\to\; \mathrm{K}(f(x_1, \ldots, x_k)) \mid f \in \Sigma,\ \mathrm{arity}(f) = k\ \}$
12/25
Given a multiset rewriting system $R$ and an equational theory $=_E$ defined by $E$, we obtain a transition relation $\Rightarrow_{R,E}$ modelling the application of rewriting rules to multisets of facts.
$\mathrm{traces}_E(R) = \{\,[A_1, A_2, \ldots, A_n] \mid \exists S_1, \ldots, S_n :\ \emptyset \overset{A_1}{\Longrightarrow}_{R,E} S_1 \overset{A_2}{\Longrightarrow}_{R,E} \cdots \overset{A_n}{\Longrightarrow}_{R,E} S_n \ \wedge\ \text{uniqueness condition for freshness}\,\}$
Security properties can then be formulated as first-order formulas on traces, e.g. secrecy properties: $\forall I, x :\ \mathrm{K}(x) \wedge \mathrm{Id}(I, x) \Rightarrow \mathrm{Corrupt}(I, x)$
13/25
Let $R$ be a multiset rewriting system (with conditions) and $=_E$ an equational theory.
can be $R,E$-valid or $R,E$-satisfiable (or neither).
is not $R,E$-satisfiable.
solving constraints.
is verified.
terminate.
14/25
Notion               | Model
---------------------|----------------------------------------------------------------
Terms                | Cryptographic messages
Equational Theories  | Semantics of cryptographic primitives
Rules                | State transitions of protocol instances, Oracles
Action facts         | Protocol transcript
Rewriting Systems    | Protocol Specification, Means of the Attacker
Traces               | Parallel executions of the protocol
Trace Formulas       | Security properties (e.g. executability, secrecy, authenticity)
15/25
16/25
17/25
18/25
( )
  rule gen_nonce: [ Fr(~n) ] --> [ State(~n) ]
(built-in)
  // $B: public-sorted, so it may occur in the conclusion without a premise
  rule dh_calc:
    let gab = ga ^ ~b
    in
    [ Fr(~b), In(<A, ga>) ] --> [ Out(<$B, gab>) ]
(function symbols, no collisions)
  functions: prf/1
  rule use_prf:
    let SKEYSEED = prf(<Ni, Nr, DH>)
    in
    [ State(Ni, Nr, DH) ] --> [ State(Ni, Nr, DH, SKEYSEED) ]
(use EtA for now)
  rule use_aeenc:
    let ct  = senc(~secret, key_e)
        tag = mac(ct, key_a)
        hdr = < '120', ... >
    in
    [ Fr(~secret), State(key_e, key_a) ] --> [ Out(<hdr, ct, tag>) ]
(use identifier and signature(s) for now)
19/25
Init Phase (state machine figure; text reconstruction)
Initiator states: ∅, I1, I2, I3, ... with transitions init_send, init_accept, init_keyderiv, ...
Responder states: R1, R2, R3, ... with transitions resp_accept, resp_send, resp_keyderiv, ...
Messages exchanged: m1 = ⟨Hdr, SAi1, KEi, Ni⟩, m2 = ⟨Hdr, SAr1, KEr, Nr, CERTREQ⟩
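The Init Phase state machine of slide 19, built from the nonce, Diffie-Hellman and prf building blocks of slide 18, as one Tamarin theory. This is an added example, not the talk's model: the state fact names I1/I2/I3 and R1/R2/R3, the action facts, the public constants standing in for Hdr, SAi1, SAr1 and CERTREQ, and the lemma names are my own choices. Authentication (the "identifier and signature(s)" block) is deliberately left out, so the secrecy lemma is expected to be falsified: Tamarin returns a trace in which the attacker supplies the key exchange values.

```spthy
theory IKE_Init_Phase
begin

builtins: diffie-hellman
functions: prf/1

/* Constructed model: Hdr, SAi1, SAr1 and CERTREQ are public constants,
   KEi/KEr are DH shares 'g'^x, Ni/Nr are fresh nonces. */

rule init_send:
  let KEi = 'g' ^ ~ei
      m1  = < 'hdr', 'SAi1', KEi, ~Ni >
  in
  [ Fr(~ei), Fr(~Ni) ]
  --[ InitSend(~Ni) ]->
  [ Out(m1), I1(~ei, ~Ni) ]

rule resp_accept:
  [ In(< 'hdr', 'SAi1', KEi, Ni >) ]
  --[ RespAccept(Ni) ]->
  [ R1(KEi, Ni) ]

rule resp_send:
  let KEr = 'g' ^ ~er
      m2  = < 'hdr', 'SAr1', KEr, ~Nr, 'CERTREQ' >
  in
  [ R1(KEi, Ni), Fr(~er), Fr(~Nr) ]
  --[ RespSend(Ni, ~Nr) ]->
  [ Out(m2), R2(KEi, Ni, ~er, ~Nr) ]

rule init_accept:
  [ I1(~ei, ~Ni), In(< 'hdr', 'SAr1', KEr, Nr, 'CERTREQ' >) ]
  --[ InitAccept(~Ni, Nr) ]->
  [ I2(~ei, ~Ni, KEr, Nr) ]

/* Key derivation as in use_prf on slide 18: SKEYSEED = prf(<Ni, Nr, DH>). */
rule init_keyderiv:
  let DH       = KEr ^ ~ei
      SKEYSEED = prf(< ~Ni, Nr, DH >)
  in
  [ I2(~ei, ~Ni, KEr, Nr) ]
  --[ InitKey(~Ni, Nr, SKEYSEED) ]->
  [ I3(~Ni, Nr, SKEYSEED) ]

rule resp_keyderiv:
  let DH       = KEi ^ ~er
      SKEYSEED = prf(< Ni, ~Nr, DH >)
  in
  [ R2(KEi, Ni, ~er, ~Nr) ]
  --[ RespKey(Ni, ~Nr, SKEYSEED) ]->
  [ R3(Ni, ~Nr, SKEYSEED) ]

/* Sanity check: an honest run reaches I3 and R3 with the same SKEYSEED
   (DH commutativity is handled by the built-in equational theory). */
lemma executable:
  exists-trace
  "Ex Ni Nr k #i #j. InitKey(Ni, Nr, k) @ #i & RespKey(Ni, Nr, k) @ #j"

/* Without authentication this FAILS: the attacker may answer m1 itself
   with a KEr it knows, so it can compute DH and hence SKEYSEED. The
   counterexample trace is the reason the real protocol signs the
   exchange in the next phase. */
lemma skeyseed_secret:
  "All Ni Nr k #i. InitKey(Ni, Nr, k) @ #i ==> not (Ex #j. K(k) @ #j)"

end
```

Adding the signature building block (and a lemma that InitKey(Ni, Nr, k) implies a matching RespKey unless a signing key was revealed) is the natural next step and turns the falsified lemma into a provable one.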
20/25
21/25
22/25
⌣
equational theories
⌣
⌣
23/25
[bit17] bitkom, ed. Spionage, Sabotage, Datendiebstahl: Deutscher Wirtschaft entsteht jährlich ein Schaden von 55 Milliarden Euro. July 21, 2017. URL: https://www.bitkom.org/Presse/Presseinformation/Spionage-Sabotage-Datendiebstahl-Deutscher-Wirtschaft-entsteht-jaehrlich-ein-Schaden-von-55-Milliarden-Euro.html (visited on 06/30/2018).
[Blu17] Norbert Blum. A Solution of the P versus NP Problem. Aug. 11, 2017. arXiv: 1708.03486v2 [cs.CC].
[BR04] Mihir Bellare and Phillip Rogaway. Code-Based Game-Playing Proofs and the Security of Triple Encryption. Cryptology ePrint Archive, Report 2004/331. 2004. URL: https://eprint.iacr.org/2004/331 (visited on 05/11/2018).
24/25
[Hal05] Shai Halevi. A plausible approach to computer-aided cryptographic proofs. Cryptology ePrint Archive, Report 2005/181. 2005. URL: https://eprint.iacr.org/2005/181 (visited on 05/11/2018).
[Mei13] Simon Meier. "Advancing automated security protocol verification". PhD thesis. ETH Zürich, 2013. DOI: 10.3929/ethz-a-009790675.
[Moc18] Shinichi Mochizuki. Inter-universal Teichmüller Theory I-IV. June 28, 2018.
[Opf11] Gerhard Opfer. "An Analytic Approach to the Collatz 3n+1 Problem". In: Hamburger Beiträge zur Angewandten Mathematik 9 (2011).
[Sch12] Benedikt Schmidt. "Formal analysis of key exchange protocols and physical protocols". PhD thesis. ETH Zürich, 2012. DOI: 10.3929/ethz-a-009898924.
25/25