towards a logic for verification of security protocols
play

Towards a Logic for Verification of Security Protocols Work in - PowerPoint PPT Presentation

Aug 09, 2023 •271 likes •920 views

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome Vincent Bernat Laboratoire Spcification et Vrification CNRS & ENS Cachan SPV03 - Marseille p.1/17 Plan 1. Intro Existing models,

  1. Towards a Logic for Verification of Security Protocols Work in progress Comments welcome Vincent Bernat Laboratoire Spécification et Vérification CNRS & ENS Cachan SPV’03 - Marseille – p.1/17

  2. Plan 1. Intro Existing models, caveats, reactive systems, properties 2. Transition system States, constraints, inference rules 3. Logics Temporal logics, expressiveness, decidability 4. Applications SPV’03 - Marseille – p.2/17

  3. Existing models Verification of cryptographic protocols is a model checking problem: does a protocol P satisfies a property φ ? SPV’03 - Marseille – p.3/17

  4. Existing models Verification of cryptographic protocols is a model checking problem: does a protocol P satisfies a property φ ? To prove protocols, you may use: Process algebra SPV’03 - Marseille – p.3/17

  5. Existing models Verification of cryptographic protocols is a model checking problem: does a protocol P satisfies a property φ ? To prove protocols, you may use: Process algebra Trace models SPV’03 - Marseille – p.3/17

  6. Existing models Verification of cryptographic protocols is a model checking problem: does a protocol P satisfies a property φ ? To prove protocols, you may use: Process algebra CSP [Schneider 96] Trace models SPV’03 - Marseille – p.3/17

  7. Existing models Verification of cryptographic protocols is a model checking problem: does a protocol P satisfies a property φ ? To prove protocols, you may use: Process algebra CSP [Schneider 96] Spi-calculus [Abadi Gordon 97] Trace models SPV’03 - Marseille – p.3/17

  8. Existing models Verification of cryptographic protocols is a model checking problem: does a protocol P satisfies a property φ ? To prove protocols, you may use: Process algebra CSP [Schneider 96] Spi-calculus [Abadi Gordon 97] Trace models [Paulson 98] [Millen Rueß 2000] SPV’03 - Marseille – p.3/17

  9. Existing models Verification of cryptographic protocols is a model checking problem: does a protocol P satisfies a property φ ? To prove protocols, you may use: Process algebra CSP [Schneider 96] Spi-calculus [Abadi Gordon 97] Trace models [Paulson 98] [Millen Rueß 2000] Rewriting rules [Rusinowitch Turuani 2001] SPV’03 - Marseille – p.3/17

  10. Existing models Verification of cryptographic protocols is a model checking problem: does a protocol P satisfies a property φ ? To prove protocols, you may use: Process algebra CSP [Schneider 96] Spi-calculus [Abadi Gordon 97] Trace models [Paulson 98] [Millen Rueß 2000] Rewriting rules [Rusinowitch Turuani 2001] Horn clauses [Comon-Lundh Cortier 2003] [Blanchet 2002] SPV’03 - Marseille – p.3/17

  11. Existing models Verification of cryptographic protocols is a model checking problem: does a protocol P satisfies a property φ ? To prove protocols, you may use: Process algebra CSP [Schneider 96] Spi-calculus [Abadi Gordon 97] Trace models [Paulson 98] [Millen Rueß 2000] Rewriting rules [Rusinowitch Turuani 2001] Horn clauses [Comon-Lundh Cortier 2003] [Blanchet 2002] Others... SPV’03 - Marseille – p.3/17

  12. Caveats of spi-calculus Introduced in [Abadi Gordon 97]. Properties are based on observational equivalence. SPV’03 - Marseille – p.4/17

  13. Caveats of spi-calculus Introduced in [Abadi Gordon 97]. Properties are based on observational equivalence. Secrecy Inst ( M ) ≃ Inst ( M ′ ) if M ≃ M ′ , for all M, M ′ . SPV’03 - Marseille – p.4/17

  14. Caveats of spi-calculus Introduced in [Abadi Gordon 97]. Properties are based on observational equivalence. Secrecy Inst ( M ) ≃ Inst ( M ′ ) if M ≃ M ′ , for all M, M ′ . Authentication Inst ( M ) ≃ Instspec ( M ) for all M . SPV’03 - Marseille – p.4/17

  15. Caveats of spi-calculus Introduced in [Abadi Gordon 97]. Properties are based on observational equivalence. Secrecy Inst ( M ) ≃ Inst ( M ′ ) if M ≃ M ′ , for all M, M ′ . Authentication Inst ( M ) ≃ Instspec ( M ) for all M . Many problems: SPV’03 - Marseille – p.4/17

  16. Caveats of spi-calculus Introduced in [Abadi Gordon 97]. Properties are based on observational equivalence. Secrecy Inst ( M ) ≃ Inst ( M ′ ) if M ≃ M ′ , for all M, M ′ . Authentication Inst ( M ) ≃ Instspec ( M ) for all M . Many problems: Secrecy is tightly linked to observational equivalence: how to express another kind of secrecy property ? SPV’03 - Marseille – p.4/17

  17. Caveats of spi-calculus Introduced in [Abadi Gordon 97]. Properties are based on observational equivalence. Secrecy Inst ( M ) ≃ Inst ( M ′ ) if M ≃ M ′ , for all M, M ′ . Authentication Inst ( M ) ≃ Instspec ( M ) for all M . Many problems: Secrecy is tightly linked to observational equivalence: how to express another kind of secrecy property ? To express an authentication property, one has to build an ad hoc process: difficulty to compare authentication properties between two different protocols. SPV’03 - Marseille – p.4/17

  18. Caveats for other models Most of these models are primary targeted to express protocols. SPV’03 - Marseille – p.5/17

  19. Caveats for other models Most of these models are primary targeted to express protocols. Questions you may ask: SPV’03 - Marseille – p.5/17

  20. Caveats for other models Most of these models are primary targeted to express protocols. Questions you may ask: Given two properties, one expressed with [Comon-Lundh Cortier 2003] and one with [Paulson 98], how could you compare them, since they do not work on the same abstraction? SPV’03 - Marseille – p.5/17

  21. Caveats for other models Most of these models are primary targeted to express protocols. Questions you may ask: Given two properties, one expressed with [Comon-Lundh Cortier 2003] and one with [Paulson 98], how could you compare them, since they do not work on the same abstraction? Given one protocol P in [Schneider 96] and one property φ expressed with [Comon-Lundh Cortier 2003], how can you check if φ satisfies P ? SPV’03 - Marseille – p.5/17

  22. Caveats for other models Most of these models are primary targeted to express protocols. Questions you may ask: Given two properties, one expressed with [Comon-Lundh Cortier 2003] and one with [Paulson 98], how could you compare them, since they do not work on the same abstraction? Given one protocol P in [Schneider 96] and one property φ expressed with [Comon-Lundh Cortier 2003], how can you check if φ satisfies P ? Given a set of properties and a protocol P expressed with [Blanchet 2002], how could you check them without altering P ? SPV’03 - Marseille – p.5/17

  23. Reactive systems Abstraction petri automata process ... nets networks algebra SPV’03 - Marseille – p.6/17

  24. Reactive systems Abstraction petri automata process ... nets networks algebra Temporal logic LTL CTL PLTL ... SPV’03 - Marseille – p.6/17

  25. Reactive systems Abstraction petri automata process ... nets networks algebra Transition system Temporal logic LTL CTL PLTL ... SPV’03 - Marseille – p.6/17

  26. Reactive systems Abstraction petri automata process ... nets networks algebra Transition system Temporal logic LTL CTL PLTL ... The transition system is the semantic glue between the abstraction and the temporal logic. SPV’03 - Marseille – p.6/17

  27. Reactive systems (2) Transposing the approach of reactive systems to cryptographic protocols has the following advantages: SPV’03 - Marseille – p.7/17

  28. Reactive systems (2) Transposing the approach of reactive systems to cryptographic protocols has the following advantages: Changing the abstraction layer while keeping the logic is allowed, and vice versa; SPV’03 - Marseille – p.7/17

  29. Reactive systems (2) Transposing the approach of reactive systems to cryptographic protocols has the following advantages: Changing the abstraction layer while keeping the logic is allowed, and vice versa; Easy comparison of different protocols for a given property; SPV’03 - Marseille – p.7/17

  30. Reactive systems (2) Transposing the approach of reactive systems to cryptographic protocols has the following advantages: Changing the abstraction layer while keeping the logic is allowed, and vice versa; Easy comparison of different protocols for a given property; Easy comparison of different properties for a given protocol; SPV’03 - Marseille – p.7/17

  31. Reactive systems (2) Transposing the approach of reactive systems to cryptographic protocols has the following advantages: Changing the abstraction layer while keeping the logic is allowed, and vice versa; Easy comparison of different protocols for a given property; Easy comparison of different properties for a given protocol; No new model needed, current models are fine if the transition system is general enough. SPV’03 - Marseille – p.7/17

  32. Goals Conception of a logic for security properties covering at least: secrecy from the intruder point of view temporary secrecy partial secrecy SPV’03 - Marseille – p.8/17

  33. Goals Conception of a logic for security properties covering at least: secrecy authentication vivacity weak agreement non-injective agreement agreement SPV’03 - Marseille – p.8/17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018

1.23k views • 78 slides
Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Introduction on security protocols Formal models Unbounded number of sessions Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/65 V eronique Cortier Verification of Security

1.29k views • 111 slides
Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Introduction on security protocols Formal models Going further Towards more guarantees Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/102 V

2.12k views • 160 slides
Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to security protocols Dresden University of Technology Martin Pitt martin@piware.de Paper and slides available at http://www.piware.de/docs.shtml

549 views • 33 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, Universit Paris Saclay, France Monday, June 27th, 2016 S. Delaune (LSV) Verification of security protocols 27th June 2016 1

1.88k views • 175 slides
Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

1.92k views • 139 slides
Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin Song Dong Motivation Since clock synchronization is so important in the security of the Kerberos protocol, if clocks are not synchronized within a

493 views • 23 slides
Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, August 26th, 2015 S. Delaune (LSV) Verification of security protocols 26th August 2015 1 / 54 This talk:

1.49k views • 124 slides
Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science, University of Bristol Finse Winter School, 7 May 2015 Security protocols: roles and goals Roles: P 1 , . . . , P n (e.g. clients, servers, devices,

1.43k views • 127 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, Universit Paris Saclay, France Monday, June 26th, 2017 Research at IRISA (Rennes) 800 members (among which about 400

1.78k views • 167 slides
Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola Bruno Blanchet {

1.02k views • 44 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, France Tuesday, August 25th, 2015 S. Delaune (LSV) Verification of security protocols 25th August 2015 1 / 60 ENS Cachan 12

1.42k views • 127 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of

605 views • 46 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ

Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ

Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, June 28th, 2018 Research at IRISA (Rennes) 800 members (among which about 400 reasearchers) EMSEC team

1.05k views • 86 slides
Programming Distributed Systems Erlangs design principles Annette Bieniusa, Albert Schimpf FB

Programming Distributed Systems Erlangs design principles Annette Bieniusa, Albert Schimpf FB

Programming Distributed Systems Erlangs design principles Annette Bieniusa, Albert Schimpf FB Informatik TU Kaiserslautern Summer Term 2020 Annette Bieniusa, Albert Schimpf Programming Distributed Systems Summer Term 2020 1/ 7 Problem

370 views • 7 slides
The role of economists in policy a view from USAID Steve OConnell* Chief Economist, USAID

The role of economists in policy a view from USAID Steve OConnell* Chief Economist, USAID

The role of economists in policy a view from USAID Steve OConnell* Chief Economist, USAID UNU-WIDER 30 th Anniversary Helsinki, September 17, 2015 Disclaimer: The views expressed here are my own and do not constitute official policy of

199 views • 16 slides
Grammar Implementation with Lexicalized Tree Adjoining Grammars and Frame Semantics Grammar

Grammar Implementation with Lexicalized Tree Adjoining Grammars and Frame Semantics Grammar

Grammar Implementation with Lexicalized Tree Adjoining Grammars and Frame Semantics Grammar implementation with XMG: Frames Laura Kallmeyer, Timm Lichte, Rainer Osswald & Simon Petitjean University of Dsseldorf DGfS Fall School, September

407 views • 20 slides
Events and Delegates & Gui Programming January 23, 2008 Events and Delegates 1 Gui

Events and Delegates & Gui Programming January 23, 2008 Events and Delegates 1 Gui

Events and Delegates & Gui Programming January 23, 2008 Events and Delegates 1 Gui Programing 2 1/23 Event Driven Programming Imagine a game with many actors responding to their environment. 2/23 Event Driven Programming Imagine a

753 views • 28 slides
Polymorphism Polymorphism From Greek , polys, "many,

Polymorphism Polymorphism From Greek , polys, "many,

Polymorphism Polymorphism From Greek , polys, "many, much" and , morph, "form, shape." The ability for a derived

439 views • 9 slides
Overview of Murphi Arnab Roy Running Murphi Elaine Machines Murphi available at

Overview of Murphi Arnab Roy Running Murphi Elaine Machines Murphi available at

CS259: Security Analysis of Network Protocols Overview of Murphi Arnab Roy Running Murphi Elaine Machines Murphi available at /usr/class/cs259/Murphi3.1/ HW1 code available at /usr/class/cs259/hw1/ Any issues so far? Running

631 views • 17 slides
Caring for Aging Parents: Home Care Panel Discussion By Don Vinh January 22, 2016 Continuing

Caring for Aging Parents: Home Care Panel Discussion By Don Vinh January 22, 2016 Continuing

Caring for Aging Parents: Home Care Panel Discussion By Don Vinh January 22, 2016 Continuing Care Retirement Community (CCRC) Continuing Care Retirement Community (CCRC) (1/3) In the last few years, a variety of supportive housing options

151 views • 12 slides
Dr. William Leahy } Dr. Leahy reports no disclosure 2000 : The elderly- those 65 65 and older -

Dr. William Leahy } Dr. Leahy reports no disclosure 2000 : The elderly- those 65 65 and older -

Dr. William Leahy } Dr. Leahy reports no disclosure 2000 : The elderly- those 65 65 and older - } 2000 numbered 34. 34.7 7 million 2050 : The number is projected to increase to } 2050 78. 78.9 9 million 1988 : The elderly population

418 views • 17 slides

More recommend