verification of security protocols from confidentiality
play

Verification of security protocols: from confidentiality to privacy - PowerPoint PPT Presentation

Jun 11, 2023 •136 likes •1.42k views

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, France Tuesday, August 25th, 2015 S. Delaune (LSV) Verification of security protocols 25th August 2015 1 / 60 ENS Cachan 12

  1. Symbolic model − → Various models ( e.g. [Dolev & Yao, 81]) having some common features Messages They are abstracted by terms. S. Delaune (LSV) Verification of security protocols 25th August 2015 20 / 60

  2. Symbolic model − → Various models ( e.g. [Dolev & Yao, 81]) having some common features Messages They are abstracted by terms. The attacker S. Delaune (LSV) Verification of security protocols 25th August 2015 20 / 60

  3. Symbolic model − → Various models ( e.g. [Dolev & Yao, 81]) having some common features Messages They are abstracted by terms. The attacker may read every message sent on the network, may intercept and send new messages according to its deduction capabilities. − → only symbolic manipulations on terms. S. Delaune (LSV) Verification of security protocols 25th August 2015 20 / 60

  4. Messages as terms − → It is important to have a tight modelling of messages S. Delaune (LSV) Verification of security protocols 25th August 2015 21 / 60

  5. Messages as terms − → It is important to have a tight modelling of messages Terms They are built over a signature F , and an infinite set of names N . t ::= n name n ∈ N | f ( t 1 , . . . , t k ) application of symbol f ∈ F Names are used to model atomic data − → e.g. keys, nonces, agent names, . . . Function symbols are used to model cryptographic primitives − → e.g. encryption, signature, . . . S. Delaune (LSV) Verification of security protocols 25th August 2015 21 / 60

  6. A typical signature Standard primitives F = { senc , aenc , sk , sign , � �} S. Delaune (LSV) Verification of security protocols 25th August 2015 22 / 60

  7. A typical signature Standard primitives F = { senc , aenc , sk , sign , � �} Going back to the Denning Sacco protocol A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) These messages can be modelled as follows: 1 aenc ( sign ( k , sk ( a )) , b ) ; 2 senc ( s , k ) S. Delaune (LSV) Verification of security protocols 25th August 2015 22 / 60

  8. Capabilities of the attacker Symbolic manipulation on terms He may build new messages following deduction rules Pairing Symmetric encryption x y x y � x , y � � x , y � senc ( x , y ) y � x , y � senc ( x , y ) y x x Asymmetric encryption Signature x y x sk ( y ) aenc ( x , y ) sk ( y ) sign ( x , sk ( y )) aenc ( x , y ) sign ( x , sk ( y )) x x S. Delaune (LSV) Verification of security protocols 25th August 2015 23 / 60

  9. Deduction relation T ⊢ u We say that u is deducible from T if there exists a proof tree such that: 1 each leaf is labeled by v with v ∈ T ; 2 for each node labeled by v 0 and having n sons labeled by v 1 , . . . , v n , there exists a deduction rule R such that v 1 . . . v n is an instance of R v 0 3 the root is labeled by u . S. Delaune (LSV) Verification of security protocols 25th August 2015 24 / 60

  10. Deduction relation T ⊢ u We say that u is deducible from T if there exists a proof tree such that: 1 each leaf is labeled by v with v ∈ T ; 2 for each node labeled by v 0 and having n sons labeled by v 1 , . . . , v n , there exists a deduction rule R such that v 1 . . . v n is an instance of R v 0 3 the root is labeled by u . Exercise - Going back to the Denning Sacco protocol Let T = { a , b , c , sk ( c ) , aenc ( sign ( k , sk ( a )) , c ) , senc ( s , k ) } . Is s deducible from T ? S. Delaune (LSV) Verification of security protocols 25th August 2015 24 / 60

  11. Exercise Exercise - Going back to the Denning Sacco protocol Let T = { a , b , c , sk ( c ) , aenc ( sign ( k , sk ( a )) , c ) , senc ( s , k ) } . Is s deducible from T ? S. Delaune (LSV) Verification of security protocols 25th August 2015 25 / 60

  12. Exercise Exercise - Going back to the Denning Sacco protocol Let T = { a , b , c , sk ( c ) , aenc ( sign ( k , sk ( a )) , c ) , senc ( s , k ) } . Is s deducible from T ? Answer: Of course, Yes ! aenc ( sign ( k , sk ( a )) , c ) sk ( c ) sign ( k , sk ( a )) senc ( s , k ) k s S. Delaune (LSV) Verification of security protocols 25th August 2015 25 / 60

  13. Denning Sacco protocol 1 . A → C : aenc ( sign ( k , priv ( A )) , pub ( C )) 2 . C ( A ) → B : aenc ( sign ( k , priv ( A )) , pub ( B )) 3 . B → A : senc ( s , k ) Attack ! Exercise (continued) Let T 0 = { a , b , c , sk ( c ) , aenc ( sign ( k , sk ( a )) , c ) } . Is aenc ( sign ( k , sk ( a )) , b ) deducible from T 0 ? S. Delaune (LSV) Verification of security protocols 25th August 2015 26 / 60

  14. Denning Sacco protocol 1 . A → C : aenc ( sign ( k , priv ( A )) , pub ( C )) 2 . C ( A ) → B : aenc ( sign ( k , priv ( A )) , pub ( B )) 3 . B → A : senc ( s , k ) Attack ! Exercise (continued) Let T 0 = { a , b , c , sk ( c ) , aenc ( sign ( k , sk ( a )) , c ) } . Is aenc ( sign ( k , sk ( a )) , b ) deducible from T 0 ? Answer: Of course, Yes ! aenc ( sign ( k , sk ( a )) , c ) sk ( c ) sign ( k , sk ( a )) b aenc ( sign ( k , sk ( a )) , b ) S. Delaune (LSV) Verification of security protocols 25th August 2015 26 / 60

  15. Deciding deduction (in this simple setting) The deduction problem Input: a finite set of terms T (the knowledge of the attacker) and a term u (the secret), Output: Is u deducible from T ? S. Delaune (LSV) Verification of security protocols 25th August 2015 27 / 60

  16. Deciding deduction (in this simple setting) The deduction problem Input: a finite set of terms T (the knowledge of the attacker) and a term u (the secret), Output: Is u deducible from T ? Proposition The deduction problem is decidable in PTIME. S. Delaune (LSV) Verification of security protocols 25th August 2015 27 / 60

  17. Deciding deduction (in this simple setting) The deduction problem Input: a finite set of terms T (the knowledge of the attacker) and a term u (the secret), Output: Is u deducible from T ? Proposition The deduction problem is decidable in PTIME. Algorithm 1 Saturation of T with terms in St ( T ∪ { u } ) that are deducible in one step; 2 if u is in the saturated set then return Yes else return No. S. Delaune (LSV) Verification of security protocols 25th August 2015 27 / 60

  18. Soundness, completeness, and termination Soundness If the algorithm returns Yes then u is indeed deducible − → easy to prove from T . S. Delaune (LSV) Verification of security protocols 25th August 2015 28 / 60

  19. Soundness, completeness, and termination Soundness If the algorithm returns Yes then u is indeed deducible − → easy to prove from T . Termination The set of subterms is finite and polynomial, and one-step deducibility can be checked in polynomial time. − → easy to prove for the deduction rules under study S. Delaune (LSV) Verification of security protocols 25th August 2015 28 / 60

  20. Soundness, completeness, and termination Soundness If the algorithm returns Yes then u is indeed deducible − → easy to prove from T . Termination The set of subterms is finite and polynomial, and one-step deducibility can be checked in polynomial time. − → easy to prove for the deduction rules under study Completeness If the term u is deducible from T , then the algorithm returns Yes. Otherwise, it returns No. − → this relies on a locality property Locality lemma Let T and u be such that T ⊢ u . There exists a prooftree witnessing this fact for which all the nodes are labeled by some v with v ∈ St ( T ∪ { u } ) . S. Delaune (LSV) Verification of security protocols 25th August 2015 28 / 60

  21. Proof sketch Locality lemma Let T and u be such that T ⊢ u . There exists a tree witnessing this fact for which all the nodes are labeled by some v with v ∈ St ( T ∪ { u } ) . Let P be a proof tree witnessing the fact that T ⊢ u having a minimal size (number of nodes). We show by induction on P that: if P ends with root labeled by v then P only contains terms in St ( T ∪ { v } ) ; S. Delaune (LSV) Verification of security protocols 25th August 2015 29 / 60

  22. Proof sketch Locality lemma Let T and u be such that T ⊢ u . There exists a tree witnessing this fact for which all the nodes are labeled by some v with v ∈ St ( T ∪ { u } ) . We first split the deduction rules into two categories: 1 composition rules: encryption, signature, and pairing 2 decomposition rules: decryption, projections, . . . Let P be a proof tree witnessing the fact that T ⊢ u having a minimal size (number of nodes). We show by induction on P that: if P ends with root labeled by v then P only contains terms in St ( T ∪ { v } ) ; if P ends with a decomposition rule then P only contains terms in St ( T ) . − → this is left as an exercise S. Delaune (LSV) Verification of security protocols 25th August 2015 29 / 60

  23. Exercise Consider the following set of deduction rules: y x sk ( y ) sign ( x , sk ( y )) vk ( y ) vk ( y ) sign ( x , sk ( y )) x 1 Give an example showing that these deduction rules are not local. 2 Extend the notion of subterms to restore the locality property, and show that de deduction problem is decidable. S. Delaune (LSV) Verification of security protocols 25th August 2015 30 / 60

  24. Exercise Consider the following set of deduction rules: y x sk ( y ) sign ( x , sk ( y )) vk ( y ) vk ( y ) sign ( x , sk ( y )) x 1 Give an example showing that these deduction rules are not local. 2 Extend the notion of subterms to restore the locality property, and show that de deduction problem is decidable. Solution 1 Let T = { sign ( s , sk ( a )); a } and u = s . 2 St + ( T ) = St ( T ) ∪ { vk ( u ) | sk ( u ) ∈ vk ( u ) ∈ St ( T ) } . − → the locality proof is left as an exercise S. Delaune (LSV) Verification of security protocols 25th August 2015 30 / 60

  25. Exercise Consider the following set of deduction rules: x y x y � x , y � � x , y � senc ( x , y ) y � x , y � senc ( x , y ) y x x In order to decide whether a term u is deducible from a set of terms T , we propose the following algorithm: 1 Starting from T , apply as much as possible the decryption and the projection rules This leads to a set of terms called Decomposition ( T ) . 2 Check whether u can be obtained by applying the composition rules on top of terms in Decomposition ( T ) . 3 In case of success, the algorithm returns Yes. Otherwise, it returns No. Questions What about termination, soundness, and completness? S. Delaune (LSV) Verification of security protocols 25th August 2015 31 / 60

  26. Modelling messages and Deciding knowledge (in a richer setting) S. Delaune (LSV) Verification of security protocols 25th August 2015 32 / 60

  27. More cryptographic primitives We may want to consider a richer term algebra and rely on an equational theory E to take into account the properties of the primitives Exclusive or operator: ( x ⊕ y ) ⊕ z x ⊕ ( y ⊕ z ) x ⊕ x = = 0 x ⊕ y = y ⊕ x x ⊕ 0 = x S. Delaune (LSV) Verification of security protocols 25th August 2015 33 / 60

  28. More cryptographic primitives We may want to consider a richer term algebra and rely on an equational theory E to take into account the properties of the primitives Exclusive or operator: ( x ⊕ y ) ⊕ z x ⊕ ( y ⊕ z ) x ⊕ x = = 0 x ⊕ y = y ⊕ x x ⊕ 0 = x Blind signature (used in evoting protocol) check ( sign ( x , y ) , vk ( y )) = x unblind ( blind ( y , y ) , y ) = x unblindsign ( sign ( blind ( x , y ) , z ) , y ) = sign ( x , z ) S. Delaune (LSV) Verification of security protocols 25th August 2015 33 / 60

  29. More cryptographic primitives We may want to consider a richer term algebra and rely on an equational theory E to take into account the properties of the primitives Exclusive or operator: ( x ⊕ y ) ⊕ z x ⊕ ( y ⊕ z ) x ⊕ x = = 0 x ⊕ y = y ⊕ x x ⊕ 0 = x Blind signature (used in evoting protocol) check ( sign ( x , y ) , vk ( y )) = x unblind ( blind ( y , y ) , y ) = x unblindsign ( sign ( blind ( x , y ) , z ) , y ) = sign ( x , z ) Homomorphic encryption: sdec ( senc ( x , y ) , y ) = x enc ( � x , y � , z ) � enc ( x , z ) , enc ( y , z ) � proj 1 ( � x , y � ) = = x dec ( � x , y � , z ) = � dec ( x , z ) , dec ( y , z ) � proj 2 ( � x , y � ) = y S. Delaune (LSV) Verification of security protocols 25th August 2015 33 / 60

  30. Going back to the Denning Sacco protocol A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) What function symbols and equations do we need to model this protocol? S. Delaune (LSV) Verification of security protocols 25th August 2015 34 / 60

  31. Going back to the Denning Sacco protocol A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) What function symbols and equations do we need to model this protocol? 1 symmetric encryption: senc ( · , · ) , sdec ( · , · ) − → sdec ( senc ( x , y ) , y ) = x S. Delaune (LSV) Verification of security protocols 25th August 2015 34 / 60

  32. Going back to the Denning Sacco protocol A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) What function symbols and equations do we need to model this protocol? 1 symmetric encryption: senc ( · , · ) , sdec ( · , · ) − → sdec ( senc ( x , y ) , y ) = x 2 asymmetric encryption: aenc ( · , · ) , adec ( · , · ) , pk ( · ) − → adec ( aenc ( x , pk ( y )) , y ) = x S. Delaune (LSV) Verification of security protocols 25th August 2015 34 / 60

  33. Going back to the Denning Sacco protocol A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) What function symbols and equations do we need to model this protocol? 1 symmetric encryption: senc ( · , · ) , sdec ( · , · ) − → sdec ( senc ( x , y ) , y ) = x 2 asymmetric encryption: aenc ( · , · ) , adec ( · , · ) , pk ( · ) − → adec ( aenc ( x , pk ( y )) , y ) = x 3 signature: sign ( · , · ) , check ( · , · ) − → check ( sign ( x , y ) , pk ( y )) = x S. Delaune (LSV) Verification of security protocols 25th August 2015 34 / 60

  34. Deduction in this more general setting Deduction rules are as follows: u 1 · · · u k u f ∈ F u = E u ′ f ( u 1 , . . . , u k ) u ′ S. Delaune (LSV) Verification of security protocols 25th August 2015 35 / 60

  35. Deduction in this more general setting Deduction rules are as follows: u 1 · · · u k u f ∈ F u = E u ′ f ( u 1 , . . . , u k ) u ′ Example: Let E := sdec ( senc ( x , y ) , y ) = x and T = { senc ( secret , k ) , k } . We have that T ⊢ secret . senc ( secret , k ) k sdec ∈ F sdec ( senc ( secret , k ) , k ) sdec ( senc ( x , y ) , y ) = x secret S. Delaune (LSV) Verification of security protocols 25th August 2015 35 / 60

  36. The deduction problem: is u deducible from φ ? We consider a signature F and an equational theory E. The deduction problem Input A sequence φ = { w 1 ⊲ v 1 , . . . , w n ⊲ v n } of terms and a term u Output Is u deducible from φ ? S. Delaune (LSV) Verification of security protocols 25th August 2015 36 / 60

  37. The deduction problem: is u deducible from φ ? We consider a signature F and an equational theory E. The deduction problem Input A sequence φ = { w 1 ⊲ v 1 , . . . , w n ⊲ v n } of terms and a term u Output Is u deducible from φ ? Characterization of deduction T ⊢ u if, and only if, there exists a term R such that R φ = E u . − → such a term R is a recipe of the term u . S. Delaune (LSV) Verification of security protocols 25th August 2015 36 / 60

  38. The deduction problem: is u deducible from φ ? We consider a signature F and an equational theory E. The deduction problem Input A sequence φ = { w 1 ⊲ v 1 , . . . , w n ⊲ v n } of terms and a term u Output Is u deducible from φ ? Characterization of deduction T ⊢ u if, and only if, there exists a term R such that R φ = E u . − → such a term R is a recipe of the term u . Example: Let φ = { w 1 ⊲ pk ( ska ); w 2 ⊲ pk ( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )); w 5 ⊲ senc ( s , k ) } . We have that: S. Delaune (LSV) Verification of security protocols 25th August 2015 36 / 60

  39. The deduction problem: is u deducible from φ ? We consider a signature F and an equational theory E. The deduction problem Input A sequence φ = { w 1 ⊲ v 1 , . . . , w n ⊲ v n } of terms and a term u Output Is u deducible from φ ? Characterization of deduction T ⊢ u if, and only if, there exists a term R such that R φ = E u . − → such a term R is a recipe of the term u . Example: Let φ = { w 1 ⊲ pk ( ska ); w 2 ⊲ pk ( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )); w 5 ⊲ senc ( s , k ) } . We have that: k is deducible from φ using R 1 = check ( adec ( w 4 , w 3 ) , w 1 ) , S. Delaune (LSV) Verification of security protocols 25th August 2015 36 / 60

  40. The deduction problem: is u deducible from φ ? We consider a signature F and an equational theory E. The deduction problem Input A sequence φ = { w 1 ⊲ v 1 , . . . , w n ⊲ v n } of terms and a term u Output Is u deducible from φ ? Characterization of deduction T ⊢ u if, and only if, there exists a term R such that R φ = E u . − → such a term R is a recipe of the term u . Example: Let φ = { w 1 ⊲ pk ( ska ); w 2 ⊲ pk ( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )); w 5 ⊲ senc ( s , k ) } . We have that: k is deducible from φ using R 1 = check ( adec ( w 4 , w 3 ) , w 1 ) , s is deducible from φ using R 2 = sdec ( w 5 , R 1 ) . S. Delaune (LSV) Verification of security protocols 25th August 2015 36 / 60

  41. Deduction problem in this richer setting Proposition The deduction problem is decidable for the equational theory modelling the DS protocol (and actually any subterm convergent equational theory). Algorithm: 1 saturation of φ with its deducible subterm; we get φ + 2 does there exist a recipe R such that R φ + = s (syntaxic equality) S. Delaune (LSV) Verification of security protocols 25th August 2015 37 / 60

  42. Deduction problem in this richer setting Proposition The deduction problem is decidable for the equational theory modelling the DS protocol (and actually any subterm convergent equational theory). Algorithm: 1 saturation of φ with its deducible subterm; we get φ + 2 does there exist a recipe R such that R φ + = s (syntaxic equality) Going back to the previous example: φ = { w 1 ⊲ pk ( ska ); w 2 ⊲ pk ( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )); w 5 ⊲ senc ( s , k ) } . S. Delaune (LSV) Verification of security protocols 25th August 2015 37 / 60

  43. Deduction problem in this richer setting Proposition The deduction problem is decidable for the equational theory modelling the DS protocol (and actually any subterm convergent equational theory). Algorithm: 1 saturation of φ with its deducible subterm; we get φ + 2 does there exist a recipe R such that R φ + = s (syntaxic equality) Going back to the previous example: φ = { w 1 ⊲ pk ( ska ); w 2 ⊲ pk ( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )); w 5 ⊲ senc ( s , k ) } . S. Delaune (LSV) Verification of security protocols 25th August 2015 37 / 60

  44. Deduction problem in this richer setting Proposition The deduction problem is decidable for the equational theory modelling the DS protocol (and actually any subterm convergent equational theory). Algorithm: 1 saturation of φ with its deducible subterm; we get φ + 2 does there exist a recipe R such that R φ + = s (syntaxic equality) Going back to the previous example: φ = { w 1 ⊲ pk ( ska ); w 2 ⊲ pk ( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc ( sign ( k , ska ) , pk ( skc )); w 5 ⊲ senc ( s , k ) } . φ + = φ ⊎ { w 6 ⊲ sign ( k , ska ); w 7 ⊲ pk ( skc ); w 8 ⊲ k ; w 9 ⊲ s } . S. Delaune (LSV) Verification of security protocols 25th August 2015 37 / 60

  45. Some other equational theories Blind signature check ( sign ( x , y ) , vk ( y )) x = unblind ( blind ( y , y ) , y ) = x unblindsign ( sign ( blind ( x , y ) , z ) , y ) = sign ( x , z ) Decidability can be shown in a similar fashion extending the notion of subterm. − → sign ( m , k ) will be considered as a subterm of sign ( blind ( m , r ) , k ) S. Delaune (LSV) Verification of security protocols 25th August 2015 38 / 60

  46. Some other equational theories Blind signature check ( sign ( x , y ) , vk ( y )) x = unblind ( blind ( y , y ) , y ) = x unblindsign ( sign ( blind ( x , y ) , z ) , y ) = sign ( x , z ) Decidability can be shown in a similar fashion extending the notion of subterm. − → sign ( m , k ) will be considered as a subterm of sign ( blind ( m , r ) , k ) Exclusive or ( x ⊕ y ) ⊕ z = x ⊕ ( y ⊕ z ) x ⊕ x = 0 x ⊕ y y ⊕ x x ⊕ 0 = = x The deduction problem can be reduced to the problem of solving systems of linear equations over Z / 2 Z . S. Delaune (LSV) Verification of security protocols 25th August 2015 38 / 60

  47. Deduction is not always sufficient pub ( k ) enc ( yes , pub ( k )) → The intruder knows the values yes and no ! The real question Is the intruder able to tell whether Alice sends yes or no? S. Delaune (LSV) Verification of security protocols 25th August 2015 39 / 60

  48. Static equivalence The static equivalence problem Input Two frames φ and ψ φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } ψ = { w 1 ⊲ v 1 , . . . , w ℓ ⊲ v ℓ } Ouput Can the attacker distinguish the two frames, i.e. does there ? exist a test R 1 = R 2 such that: R 1 φ = E R 2 φ but R 1 ψ � = E R 2 ψ (or the converse). S. Delaune (LSV) Verification of security protocols 25th August 2015 40 / 60

  49. Static equivalence The static equivalence problem Input Two frames φ and ψ φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } ψ = { w 1 ⊲ v 1 , . . . , w ℓ ⊲ v ℓ } Ouput Can the attacker distinguish the two frames, i.e. does there ? exist a test R 1 = R 2 such that: R 1 φ = E R 2 φ but R 1 ψ � = E R 2 ψ (or the converse). Example: Consider the frames: φ = { w 1 ⊲ pk ( sks ); w 2 ⊲ aenc ( yes , pk ( sks )) } ; and ψ = { w 1 ⊲ pk ( sks ); w 2 ⊲ aenc ( no , pk ( sks )) } . They are not in static equivalence: aenc ( yes , w 1 ) ? = w 2 . S. Delaune (LSV) Verification of security protocols 25th August 2015 40 / 60

  50. Exercise Consider the equational theories: E senc defined by sdec ( senc ( x , y ) , y ) = x , and E cipher which extends E senc by the equation senc ( sdec ( x , y ) , y ) = x . Questions Which of the following pairs of frames are statically equivalent ? Whenever applicable give the distinguishing test. ? { w 1 ⊲ yes } ∼ E senc { w 1 ⊲ no } ? { w 1 ⊲ senc ( yes , k ) } ∼ E senc { w 1 ⊲ senc ( no , k ) } ? { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k } ∼ E senc { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k ′ } ? { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k } ∼ E cipher { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k ′ } S. Delaune (LSV) Verification of security protocols 25th August 2015 41 / 60

  51. Exercise Consider the equational theories: E senc defined by sdec ( senc ( x , y ) , y ) = x , and E cipher which extends E senc by the equation senc ( sdec ( x , y ) , y ) = x . Questions Which of the following pairs of frames are statically equivalent ? Whenever applicable give the distinguishing test. ? { w 1 ⊲ yes } ∼ E senc { w 1 ⊲ no } X ? { w 1 ⊲ senc ( yes , k ) } ∼ E senc { w 1 ⊲ senc ( no , k ) } ? { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k } ∼ E senc { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k ′ } ? { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k } ∼ E cipher { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k ′ } S. Delaune (LSV) Verification of security protocols 25th August 2015 41 / 60

  52. Exercise Consider the equational theories: E senc defined by sdec ( senc ( x , y ) , y ) = x , and E cipher which extends E senc by the equation senc ( sdec ( x , y ) , y ) = x . Questions Which of the following pairs of frames are statically equivalent ? Whenever applicable give the distinguishing test. ? { w 1 ⊲ yes } ∼ E senc { w 1 ⊲ no } X ? { w 1 ⊲ senc ( yes , k ) } ∼ E senc { w 1 ⊲ senc ( no , k ) } � ? { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k } ∼ E senc { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k ′ } ? { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k } ∼ E cipher { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k ′ } S. Delaune (LSV) Verification of security protocols 25th August 2015 41 / 60

  53. Exercise Consider the equational theories: E senc defined by sdec ( senc ( x , y ) , y ) = x , and E cipher which extends E senc by the equation senc ( sdec ( x , y ) , y ) = x . Questions Which of the following pairs of frames are statically equivalent ? Whenever applicable give the distinguishing test. ? { w 1 ⊲ yes } ∼ E senc { w 1 ⊲ no } X ? { w 1 ⊲ senc ( yes , k ) } ∼ E senc { w 1 ⊲ senc ( no , k ) } � ? { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k } ∼ E senc { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k ′ } X ? { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k } ∼ E cipher { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k ′ } S. Delaune (LSV) Verification of security protocols 25th August 2015 41 / 60

  54. Exercise Consider the equational theories: E senc defined by sdec ( senc ( x , y ) , y ) = x , and E cipher which extends E senc by the equation senc ( sdec ( x , y ) , y ) = x . Questions Which of the following pairs of frames are statically equivalent ? Whenever applicable give the distinguishing test. ? { w 1 ⊲ yes } ∼ E senc { w 1 ⊲ no } X ? { w 1 ⊲ senc ( yes , k ) } ∼ E senc { w 1 ⊲ senc ( no , k ) } � ? { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k } ∼ E senc { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k ′ } X ? { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k } ∼ E cipher { w 1 ⊲ senc ( n , k ) , w 2 ⊲ k ′ } � S. Delaune (LSV) Verification of security protocols 25th August 2015 41 / 60

  55. Static equivalence Proposition The static equivalence problem is decidable in PTIME for the theory modelling the DS protocol (and actually any subterm convergent equational theory). S. Delaune (LSV) Verification of security protocols 25th August 2015 42 / 60

  56. Static equivalence Proposition The static equivalence problem is decidable in PTIME for the theory modelling the DS protocol (and actually any subterm convergent equational theory). Algorithm: 1 saturation of φ/ψ with their deducible subterms φ + /ψ + = R 2 such that R 1 φ + = R 2 φ + whereas ? 2 does there exist a test R 1 R 1 ψ + � = R 2 ψ + (again syntaxic equality) ? − → actually, we only need to consider small tests S. Delaune (LSV) Verification of security protocols 25th August 2015 42 / 60

  57. Example Consider the frames: φ = { w 1 ⊲ aenc ( � yes , r 1 � , pk ( sks )); w 2 ⊲ sks } ; and ψ = { w 1 ⊲ aenc ( � no , r 2 � , pk ( sks )); w 2 ⊲ sks } . They are not in static equivalence: proj 1 ( adec ( w 1 , w 2 )) ? = yes . S. Delaune (LSV) Verification of security protocols 25th August 2015 43 / 60

  58. Example Consider the frames: φ = { w 1 ⊲ aenc ( � yes , r 1 � , pk ( sks )); w 2 ⊲ sks } ; and ψ = { w 1 ⊲ aenc ( � no , r 2 � , pk ( sks )); w 2 ⊲ sks } . They are not in static equivalence: proj 1 ( adec ( w 1 , w 2 )) ? = yes . Applying the algorithm on these frames, we get: φ + = φ ⊎ { , and ψ + = ψ ⊎ { . S. Delaune (LSV) Verification of security protocols 25th August 2015 43 / 60

  59. Example Consider the frames: φ = { w 1 ⊲ aenc ( � yes , r 1 � , pk ( sks )); w 2 ⊲ sks } ; and ψ = { w 1 ⊲ aenc ( � no , r 2 � , pk ( sks )); w 2 ⊲ sks } . They are not in static equivalence: proj 1 ( adec ( w 1 , w 2 )) ? = yes . Applying the algorithm on these frames, we get: φ + = φ ⊎ { w 3 ⊲ � yes , r 1 � ; , and ψ + = ψ ⊎ { w 3 ⊲ � no , r 2 � ; . S. Delaune (LSV) Verification of security protocols 25th August 2015 43 / 60

  60. Example Consider the frames: φ = { w 1 ⊲ aenc ( � yes , r 1 � , pk ( sks )); w 2 ⊲ sks } ; and ψ = { w 1 ⊲ aenc ( � no , r 2 � , pk ( sks )); w 2 ⊲ sks } . They are not in static equivalence: proj 1 ( adec ( w 1 , w 2 )) ? = yes . Applying the algorithm on these frames, we get: φ + = φ ⊎ { w 3 ⊲ � yes , r 1 � ; w 4 ⊲ yes ; , and ψ + = ψ ⊎ { w 3 ⊲ � no , r 2 � ; w 4 ⊲ no ; . S. Delaune (LSV) Verification of security protocols 25th August 2015 43 / 60

  61. Example Consider the frames: φ = { w 1 ⊲ aenc ( � yes , r 1 � , pk ( sks )); w 2 ⊲ sks } ; and ψ = { w 1 ⊲ aenc ( � no , r 2 � , pk ( sks )); w 2 ⊲ sks } . They are not in static equivalence: proj 1 ( adec ( w 1 , w 2 )) ? = yes . Applying the algorithm on these frames, we get: φ + = φ ⊎ { w 3 ⊲ � yes , r 1 � ; w 4 ⊲ yes ; w 5 ⊲ r 1 } , and ψ + = ψ ⊎ { w 3 ⊲ � no , r 2 � ; w 4 ⊲ no ; w 5 ⊲ r 2 } . S. Delaune (LSV) Verification of security protocols 25th August 2015 43 / 60

  62. Example Consider the frames: φ = { w 1 ⊲ aenc ( � yes , r 1 � , pk ( sks )); w 2 ⊲ sks } ; and ψ = { w 1 ⊲ aenc ( � no , r 2 � , pk ( sks )); w 2 ⊲ sks } . They are not in static equivalence: proj 1 ( adec ( w 1 , w 2 )) ? = yes . Applying the algorithm on these frames, we get: φ + = φ ⊎ { w 3 ⊲ � yes , r 1 � ; w 4 ⊲ yes ; w 5 ⊲ r 1 } , and ψ + = ψ ⊎ { w 3 ⊲ � no , r 2 � ; w 4 ⊲ no ; w 5 ⊲ r 2 } . → Conclusion: φ + and ψ + are not in static equivalence: w 4 ? − = yes . S. Delaune (LSV) Verification of security protocols 25th August 2015 43 / 60

  63. Some other equational theories Blind signature check ( sign ( x , y ) , vk ( y )) x = unblind ( blind ( x , y ) , y ) = x unblindsign ( sign ( blind ( x , y ) , z ) , y ) = sign ( x , z ) This can be done in a similar fashion extending a bit the notion of subterm − → again sign ( m , k ) will be considered as a subterm of sign ( blind ( m , r ) , k ) . S. Delaune (LSV) Verification of security protocols 25th August 2015 44 / 60

  64. Some other equational theories Blind signature check ( sign ( x , y ) , vk ( y )) x = unblind ( blind ( x , y ) , y ) = x unblindsign ( sign ( blind ( x , y ) , z ) , y ) = sign ( x , z ) This can be done in a similar fashion extending a bit the notion of subterm − → again sign ( m , k ) will be considered as a subterm of sign ( blind ( m , r ) , k ) . Exclusive or ( x ⊕ y ) ⊕ z = x ⊕ ( y ⊕ z ) x ⊕ x = 0 x ⊕ y = y ⊕ x x ⊕ 0 = x The static equivalence problem can be reduced in PTIME to the problem of deciding whether two systems of linear equations have the same set of solutions overs Z / 2 Z . S. Delaune (LSV) Verification of security protocols 25th August 2015 44 / 60

  65. Existing decidability/complexity results and tools Theory E Deduction Static Equivalence subterm convergent PTIME decidable blind sign., addition, homo. encryption [Abadi & Cortier, TCS’06] ACU NP-complete PTIME Exclusive Or PTIME PTIME Abelian Group ACUNh / AGh PTIME decidable [D., IPL’05;Cortier & D., JAR’12] − → A combination result for disjoint theories [Cortier & D., JAR’12] − → Automatic tools for checking static equivalence: YAPA M. Baudet (2006); KISS S. Ciobaca (2010); and FAST B. Conchinha (2011) S. Delaune (LSV) Verification of security protocols 25th August 2015 45 / 60

  66. Modelling protocols and security properties S. Delaune (LSV) Verification of security protocols 25th August 2015 46 / 60

  67. Protocols as processes Applied pi calculus [Abadi & Fournet, 01] basic programming language with constructs for concurrency and communication − → based on the π -calculus [Milner et al. , 92], and in some ways similar to the spi-calculus [Abadi & Gordon, 98] S. Delaune (LSV) Verification of security protocols 25th August 2015 47 / 60

  68. Protocols as processes Applied pi calculus [Abadi & Fournet, 01] basic programming language with constructs for concurrency and communication − → based on the π -calculus [Milner et al. , 92], and in some ways similar to the spi-calculus [Abadi & Gordon, 98] Some advantages: allows us to model cryptographic primitives both reachability and equivalence-based specification of properties S. Delaune (LSV) Verification of security protocols 25th August 2015 47 / 60

  69. Protocols as processes - syntax and semantics Syntax : P , Q := 0 null process in ( c , x ) . P input out ( c , u ) . P output if u = v then P else Q conditional P | Q parallel composition ! P replication new n . P fresh name generation S. Delaune (LSV) Verification of security protocols 25th August 2015 48 / 60

  70. Protocols as processes - syntax and semantics Syntax : P , Q := 0 null process in ( c , x ) . P input out ( c , u ) . P output if u = v then P else Q conditional P | Q parallel composition ! P replication new n . P fresh name generation Semantics → : Comm out ( c , M ) . P | in ( c , x ) . Q → P | Q { M / x } Then if M = N then P else Q → P when M = E N Else if M = N then P else Q → Q when M � = E N closed by structural equivalence ( ≡ ) and application of evaluation contexts. S. Delaune (LSV) Verification of security protocols 25th August 2015 48 / 60

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, Universit Paris Saclay, France Monday, June 26th, 2017 Research at IRISA (Rennes) 800 members (among which about 400

1.78k views • 167 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, Universit Paris Saclay, France Monday, June 27th, 2016 S. Delaune (LSV) Verification of security protocols 27th June 2016 1

1.88k views • 175 slides
Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, August 26th, 2015 S. Delaune (LSV) Verification of security protocols 26th August 2015 1 / 54 This talk:

1.49k views • 124 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ

Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ

Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, June 28th, 2018 Research at IRISA (Rennes) 800 members (among which about 400 reasearchers) EMSEC team

1.05k views • 86 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018

1.23k views • 78 slides
Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Introduction on security protocols Formal models Unbounded number of sessions Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/65 V eronique Cortier Verification of Security

1.29k views • 111 slides
Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to security protocols Dresden University of Technology Martin Pitt martin@piware.de Paper and slides available at http://www.piware.de/docs.shtml

549 views • 33 slides
Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Introduction on security protocols Formal models Going further Towards more guarantees Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/102 V

2.12k views • 160 slides
Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

1.92k views • 139 slides
Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin Song Dong Motivation Since clock synchronization is so important in the security of the Kerberos protocol, if clocks are not synchronized within a

493 views • 23 slides
Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome Vincent Bernat Laboratoire Spcification et Vrification CNRS & ENS Cachan SPV03 - Marseille p.1/17 Plan 1. Intro Existing models,

920 views • 63 slides
Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science, University of Bristol Finse Winter School, 7 May 2015 Security protocols: roles and goals Roles: P 1 , . . . , P n (e.g. clients, servers, devices,

1.43k views • 127 slides
Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola Bruno Blanchet {

1.02k views • 44 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
Event Pitch vadim@grammarware.net Hackers & Founders Vadim Zaytsev, SWAT, CWI 2012 CWI

Event Pitch vadim@grammarware.net Hackers & Founders Vadim Zaytsev, SWAT, CWI 2012 CWI

Understanding Software Event Pitch vadim@grammarware.net Hackers & Founders Vadim Zaytsev, SWAT, CWI 2012 CWI CWI Centrum Wiskunde & Informatica = Centre of Mathematics and Computer Science First Dutch computers: ARRA, FERTA,

293 views • 8 slides
Behind the Scenes Programming for Engineers Winter 2015 Andreas Zeller, Saarland University

Behind the Scenes Programming for Engineers Winter 2015 Andreas Zeller, Saarland University

Behind the Scenes Programming for Engineers Winter 2015 Andreas Zeller, Saarland University Todays Topics Variables Assignments Computing models Storing Values We want to store values during computations We

828 views • 53 slides
Introduction to Probability and Statistics Machine Translation Lecture 2 Instructor: Chris

Introduction to Probability and Statistics Machine Translation Lecture 2 Instructor: Chris

Introduction to Probability and Statistics Machine Translation Lecture 2 Instructor: Chris Callison-Burch TAs: Mitchell Stern, Justin Chiu Website: mt-class.org/penn Last time ... 1) Formulate a model of pairs of sentences. 2) Learn an

770 views • 44 slides
Summary Security: Applications & Aspects Part I Cryptographic Features Introduction

Summary Security: Applications & Aspects Part I Cryptographic Features Introduction

Summary Security: Applications & Aspects Part I Cryptographic Features Introduction Software vs Hardware Support Hardware Acceleration Solutions Processor Extensions for Security Basic Cyphering Part II Symmetric vs Asymmetric

1.14k views • 21 slides
M1 Apprentissage Mich` ele Sebag Benoit Barbot LRI LSV Sept. 2013 1 Where we are

M1 Apprentissage Mich` ele Sebag Benoit Barbot LRI LSV Sept. 2013 1 Where we are

M1 Apprentissage Mich` ele Sebag Benoit Barbot LRI LSV Sept. 2013 1 Where we are Ast. series Pierre de Rosette World Natural Humanrelated phenomenons phenomenons Data / Principles Common Maths. Sense Modelling You are

1.02k views • 67 slides
Objective In this section we give a brief sketch of some of the key historical developments

Objective In this section we give a brief sketch of some of the key historical developments

Milestones in Computer Architecture Raul Queiroz Feitosa Objective In this section we give a brief sketch of some of the key historical developments in order to get a better understanding of how we got where we are. A. Tanenbaum 2

620 views • 35 slides
Cyber Security in the GCC: Cyber Security in the GCC: Are we doing The Best We Can? Are we doing

Cyber Security in the GCC: Cyber Security in the GCC: Are we doing The Best We Can? Are we doing

Cyber Security in the GCC: Cyber Security in the GCC: Are we doing The Best We Can? Are we doing The Best We Can? Varun Kukreja Varun Kukreja Sr. Security Consultant Sr. Security Consultant CISA, CISSP, ITIL CISA, CISSP, ITIL GBM GBM A

210 views • 19 slides
2014

2014

1 2014 2 Enigma g

491 views • 8 slides

More recommend