Verification of Security Protocols with Lists: from Length One to Unbounded Length (PowerPoint PPT Presentation)



SLIDE 1

Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion

Verification of Security Protocols with Lists: from Length One to Unbounded Length

Miriam Paiola Bruno Blanchet {miriam.paiola, bruno.blanchet}@ens.fr

INRIA, École Normale Supérieure, CNRS

March 2012

Verification of Security Protocols with Lists: from Length One to Unbounded Length 1 / 18

SLIDE 2


Cryptographic protocols and their Verification

Verification of protocols is important!

ProVerif can analyze protocols with lists of fixed lengths
↓ There could be attacks for other values
↓ Our goal: prove the protocols for lists of any length where all elements are treated in the same way


SLIDE 3


Overview of ProVerif

[Overview diagram]
Protocol (pi calculus + cryptography) → Automatic translator → Horn clauses
Properties to prove (secrecy) → Derivability queries
Horn clauses + derivability queries → Resolution with selection → either "The property is true" or "Potential attack"


SLIDE 4

Representation with Horn clauses

Representation of a protocol

Messages are represented by patterns:
    p ::= x | a[p1, . . . , pn] | f(p1, . . . , pn)
    Example: (a, b)

Properties are represented by facts:
    F ::= att(p)

The protocol and the abilities of the attacker are represented by Horn clauses:
    F1 ∧ · · · ∧ Fn ⇒ F
    Example: att(s) ∧ att(pk) ⇒ att(senc(s, pk))


SLIDE 5

Derivability

Secrecy and Derivability

If att(p) cannot be derived from the clauses, then the protocol preserves the secrecy of p.

[Figure: a derivation tree with a root and a subroot; the nodes η′ and η are labeled by clauses R′ and R, and the edges are labeled by the closed facts F, F0, F1, . . . , Fn]

Definition (Derivability). F is derivable from R iff there exists a finite tree defined as follows:

1. Its nodes (except the root) are labeled by clauses R ∈ R;
2. Its edges are labeled by closed facts;
3. If a node labeled by R = H ⇒ C has incoming edge F0 and outgoing edges F1, . . . , Fn, there exists a substitution σ such that σC = F0 and σH ⊆ F1 ∧ · · · ∧ Fn;
4. The root has one outgoing edge labeled by F.

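The definition above says what a derivation is but not how to look for one. The following Python, added here as an illustration and not code from ProVerif or from the authors, implements that definition directly for facts of the form att(p) of the previous slide: patterns, one-way matching, bounded forward chaining over a constructed attacker clause set (pairing, projection, symmetric encryption and decryption, in the style of the slide's att(s) ∧ att(pk) ⇒ att(senc(s, pk))), and reconstruction of the derivation tree with its clause labels and closed-fact edges. The clause set, the observed ciphertext and the leaked key are constructed inputs. ProVerif's real procedure is resolution with selection, which is not modelled here; since the attacker clauses alone generate infinitely many facts, the search is cut off after a fixed number of rounds.

```python
# Added example (not ProVerif's code): bounded forward chaining over Horn clauses
# with facts att(p), recording for each derived fact the clause and hypotheses used.
# Patterns: ('var', x) | ('name', a, args) | ('fun', f, args); a fact att(p) is just p.

def var(x):
    return ('var', x)

def name(a, *args):
    return ('name', a, tuple(args))

def fun(f, *args):
    return ('fun', f, tuple(args))

def match(pattern, term, subst):
    """Match a pattern against a closed term, extending subst; return None on failure."""
    if pattern[0] == 'var':
        bound = subst.get(pattern[1])
        if bound is None:
            return {**subst, pattern[1]: term}
        return subst if bound == term else None
    if pattern[0] != term[0] or pattern[1] != term[1] or len(pattern[2]) != len(term[2]):
        return None
    for p, t in zip(pattern[2], term[2]):
        subst = match(p, t, subst)
        if subst is None:
            return None
    return subst

def instantiate(subst, pattern):
    """Apply a substitution that binds every variable of the pattern."""
    if pattern[0] == 'var':
        return subst[pattern[1]]
    return (pattern[0], pattern[1], tuple(instantiate(subst, p) for p in pattern[2]))

def match_hyps(hyps, known, subst):
    """Yield every substitution sigma such that every hypothesis sigma(H_i) is a known fact."""
    if not hyps:
        yield subst
        return
    for fact in known:
        s = match(hyps[0], fact, subst)
        if s is not None:
            yield from match_hyps(hyps[1:], known, s)

def saturate(clauses, initial, rounds):
    """Forward-chain for a bounded number of rounds (the clause set has no finite fixpoint).

    Returns {closed fact: (label of the clause used, tuple of hypothesis facts)}."""
    derived = {f: ('initial', ()) for f in initial}
    for _ in range(rounds):
        known = list(derived)
        new = {}
        for label, hyps, concl in clauses:
            for subst in match_hyps(hyps, known, {}):
                fact = instantiate(subst, concl)
                if fact not in derived and fact not in new:
                    new[fact] = (label, tuple(instantiate(subst, h) for h in hyps))
        if not new:
            break
        derived.update(new)
    return derived

def derivation(derived, fact):
    """The finite tree of the definition: a node is the clause used, its incoming edge
    is the derived fact and its outgoing edges are the hypothesis facts."""
    label, hyps = derived[fact]
    return (label, fact, [derivation(derived, h) for h in hyps])

# Constructed attacker clauses: pairing, projections, symmetric encryption/decryption.
X, Y, K = var('x'), var('y'), var('k')
ATTACKER = [
    ('pair', (X, Y), fun('pair', X, Y)),
    ('fst', (fun('pair', X, Y),), X),
    ('snd', (fun('pair', X, Y),), Y),
    ('senc', (X, K), fun('senc', X, K)),
    ('sdec', (fun('senc', X, K), K), X),
]

# Constructed scenario: the attacker knows a public name a[] and has seen senc(s[], k[]).
S, KEY, A = name('s'), name('k'), name('a')
OBSERVED = [A, fun('senc', S, KEY)]

def secrecy_query(goal, extra_knowledge=(), rounds=2):
    """Return the derivation tree of att(goal) if the attacker derives it within the
    round bound, otherwise None (secrecy of goal holds up to that bound)."""
    derived = saturate(ATTACKER, OBSERVED + list(extra_knowledge), rounds)
    return derivation(derived, goal) if goal in derived else None

if __name__ == '__main__':
    print('s secret:', secrecy_query(S) is None)
    print('s secret once k leaks:', secrecy_query(S, [KEY]) is None)
    print(secrecy_query(S, [KEY]))
```

With only the ciphertext observed, att(s[]) is not derived; once att(k[]) is added, the `sdec` clause derives it in one round and the returned tree is exactly the slide's object: a node labeled `sdec` whose incoming edge is att(s[]) and whose outgoing edges are the two initial facts.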


SLIDE 10


Example

Asokan-Ginzboorg protocol

Let the set of players be {ai, i = 1, . . . , N} for N ≥ 1 and L be the leader. The protocol describes the establishment of a session key between the leader and the other N participants.

(1) L → ALL : (L, {|e|}pw)
(2) ai → L : (ai, {|(ri, si)|}e)
(3) L → ai : {|(s1, . . . , sN, s′)|}ri
(4) ai → L : (ai, {|(si, h(s1, . . . , sN, s′))|}K), for some i, where K = f(s1, . . . , sN, s′)


SLIDE 11

Syntax

Generalized Horn Clauses

Syntax

pG, s, t ::=                                patterns
    xi1,...,ih                              variable (h ≥ 0)
    f(pG1, . . . , pGl)                     function application
    ai[pG1, . . . , pGl]                    indexed names
    list(i ≤ M, pG)                         list constructor

FG ::= ⋀i1≤M1,...,ih≤Mh att(pG)             facts

RG ::= FG1 ∧ · · · ∧ FGn ⇒ att(pG)          generalized Horn clause


SLIDE 12


Representation of the protocol

ai → L : (ai, senc((ri, si), e))
    1. L → ai : (L, senc(e, pw))
    2. ai → L : (ai, senc((ri, si), e))

L → ai : senc((s1, . . . , sN, s′), ri)
    ⋀i≤N att((ai, senc((vi, wi), e[ ]))) ⇒ att(senc((list(i ≤ N, wi), s′[list(i ≤ N, (vi, wi))]), vi))

ai → L : (ai, senc((si, h(s1, . . . , sN, s′)), K)), for some i
    att((L, senc(y, pw))) ∧ att(senc((list(j ≤ N, zj), z′), ri[y])) ⇒ att((ai, senc((si[y], h((mpair(j ≤ N, zj), z′))), K))), where K = f((mpair(j ≤ N, zj), z′))



SLIDE 14


Representation of the protocol

ai → L : (ai, senc((ri, si), e))
    1. L → ai : (L, senc(y, pw))
    2. ai → L : (ai, senc((ri[y], si[y]), y))

L → ai : senc((s1, . . . , sN, s′), ri)
    ⋀i≤N att((ai, senc((vi, wi), e[ ]))) ⇒ att(senc((list(i ≤ N, wi), s′[list(i ≤ N, (vi, wi))]), vi))

ai → L : (ai, senc((si, h(s1, . . . , sN, s′)), K)), for some i
    att((L, senc(y, pw))) ∧ att(senc((list(j ≤ N, zj), z′), ri[y])) ⇒ att((ai, senc((si[y], h((mpair(j ≤ N, zj), z′))), K))), where K = f((mpair(j ≤ N, zj), z′))


SLIDE 15


Representation of the protocol

ai → L : (ai, senc((ri, si), e))
    att((L, senc(y, pw[ ]))) ⇒ att((ai, senc((ri[y], si[y]), y)))

L → ai : senc((s1, . . . , sN, s′), ri)
    ⋀i≤N att((ai, senc((vi, wi), e[ ]))) ⇒ att(senc((list(i ≤ N, wi), s′[list(i ≤ N, (vi, wi))]), vi))

ai → L : (ai, senc((si, h(s1, . . . , sN, s′)), K)), for some i
    att((L, senc(y, pw))) ∧ att(senc((list(j ≤ N, zj), z′), ri[y])) ⇒ att((ai, senc((si[y], h((mpair(j ≤ N, zj), z′))), K))), where K = f((mpair(j ≤ N, zj), z′))



SLIDE 18

Well typed clauses and their translation

Type System

To guarantee that all variables use indices that vary in the appropriate interval, we developed the following type system:

(EnvIndex)   i : [1, M] ∈ Γ
             ──────────────
             Γ ⊢ i : [1, M]

(EnvVar)     x : [1, M1] × · · · × [1, Mh] ∈ Γ
             ──────────────────────────────
             Γ ⊢ x : [1, M1] × · · · × [1, Mh]

(Var)        Γ ⊢ x : [1, M1] × · · · × [1, Mh]    Γ ⊢ i1 : [1, M1]  . . .  Γ ⊢ ih : [1, Mh]
             ───────────────────────────────────────────────────────────────────────────
             Γ ⊢ xi1,...,ih

(Fun)        Γ ⊢ pG1  . . .  Γ ⊢ pGh
             ──────────────────────
             Γ ⊢ f(pG1, . . . , pGh)

(Name)       Γ ⊢ pG1  . . .  Γ ⊢ pGh    Γ ⊢ i : [1, N]
             ────────────────────────────────────────
             Γ ⊢ ai[pG1, . . . , pGh]

(List)       Γ, i : [1, M] ⊢ pG
             ───────────────────
             Γ ⊢ list(i ≤ M, pG)

(Fact)       Γ, i1 : [1, M1], . . . , ih : [1, Mh] ⊢ pG
             ─────────────────────────────────────────
             Γ ⊢ ⋀i1≤M1,...,ih≤Mh att(pG)

(Clause)     Γ ⊢ FG1  . . .  Γ ⊢ FGn    Γ ⊢ FG
             ─────────────────────────────────
             Γ ⊢ FG1 ∧ · · · ∧ FGn ⇒ FG


SLIDE 19


Translation into Horn clauses

[Diagram: generalized Horn clause RG —T→ Horn clauses R = RGT]

Definition. Given Γ ⊢ RG, an environment T for RG is a function that associates to each bound M a fixed integer MT, and to each free index i that appears in RG an index iT ∈ {1, . . . , MT}, if Γ ⊢ i : [1, M].

list(i ≤ M, pG)T = pGT[i→1], . . . , pGT[i→MT]

Example. Let T = [M → 3, j → 2]: list(i ≤ M, f(xi,j))T = f(x1,2), f(x2,2), f(x3,2)



SLIDE 22

Main result

Mapping any length to 1

[Diagram: generalized Horn clause RG —T→ Horn clauses R = RGT; generalized Horn clause RG —1→ Horn clauses of length 1, I(R) = RG1]

I replaces all indices with 1;
I(p1, . . . , ph) = {p | p ∈ I(p1) ∪ · · · ∪ I(ph)}

Example
I(f(x1,2), f(x2,2), f(x3,2)) = {f(x1,1)}
I(f(x2, b[ ]), f(a2[ ], x3), f(x1, b[ ])) = {f(x1, b[ ]), f(a1[ ], x1)}

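The translation by an environment T and the index-collapsing map I, as an added Python example covering both the translation slide and the mapping slide above (my own encoding, not the authors' implementation). Generalized patterns are tuples tagged `'var'`, `'fun'`, `'name'`, `'list'`; a translated list becomes a `'tuple'` of its instances, and I of such a tuple is the union of the images of its elements, as the slide's I(p1, . . . , ph) states. The builder names `V`, `F`, `NAME`, `LIST`, the `show` renderer and the tuple encoding are my assumptions; the two examples are the slides' own.

```python
from itertools import product

# Added example (my own encoding, not the authors' code) of (.)^T and I.
# Generalized patterns:
#   ('var', x, (i1, ..., ih))      variable x_{i1,...,ih}; indices are symbols or integers
#   ('fun', f, (p1, ..., pl))      function application f(p1, ..., pl)
#   ('name', a, i, (p1, ..., pl))  indexed name a_i[p1, ..., pl]; i is None for a plain name b[]
#   ('list', i, M, p)              list constructor list(i <= M, p)
#   ('tuple', (p1, ..., pn))       the sequence p^{T[i->1]}, ..., p^{T[i->M^T]} a list becomes

def V(x, *idx): return ('var', x, tuple(idx))
def F(f, *args): return ('fun', f, tuple(args))
def NAME(a, i=None, *args): return ('name', a, i, tuple(args))
def LIST(i, M, body): return ('list', i, M, body)

def translate(p, T):
    """(p)^T: replace each bound M by M^T and each free index i by i^T, and unfold lists."""
    kind = p[0]
    if kind == 'var':
        return ('var', p[1], tuple(T[i] if isinstance(i, str) else i for i in p[2]))
    if kind == 'fun':
        return ('fun', p[1], tuple(translate(q, T) for q in p[2]))
    if kind == 'name':
        i = p[2]
        return ('name', p[1], T[i] if isinstance(i, str) else i, tuple(translate(q, T) for q in p[3]))
    if kind == 'list':
        i, M, body = p[1], p[2], p[3]
        # list(i <= M, p)^T = p^{T[i->1]}, ..., p^{T[i->M^T]}
        return ('tuple', tuple(translate(body, {**T, i: k}) for k in range(1, T[M] + 1)))
    if kind == 'tuple':
        return ('tuple', tuple(translate(q, T) for q in p[1]))
    raise ValueError(f'unknown pattern kind {kind}')

def I(p):
    """I: set every index to 1; a translated list yields the union of its elements' images."""
    kind = p[0]
    if kind == 'var':
        return {('var', p[1], tuple(1 for _ in p[2]))}
    if kind == 'fun':
        return {('fun', p[1], args) for args in product(*(I(q) for q in p[2]))}
    if kind == 'name':
        idx = None if p[2] is None else 1
        return {('name', p[1], idx, args) for args in product(*(I(q) for q in p[3]))}
    if kind == 'tuple':
        return set().union(*(I(q) for q in p[1]))
    raise ValueError(f'I applies to translated patterns only, got {kind}')

def show(p):
    """Render a pattern in the slides' notation, e.g. f(x_{1,2}), a_1[]."""
    kind = p[0]
    if kind == 'var':
        return p[1] + ('_{' + ','.join(map(str, p[2])) + '}' if p[2] else '')
    if kind == 'fun':
        return f"{p[1]}({', '.join(show(q) for q in p[2])})"
    if kind == 'name':
        sub = '' if p[2] is None else f'_{p[2]}'
        return f"{p[1]}{sub}[{', '.join(show(q) for q in p[3])}]"
    if kind == 'list':
        return f'list({p[1]} <= {p[2]}, {show(p[3])})'
    return ', '.join(show(q) for q in p[1])

# The slides' two examples, encoded.
EXAMPLE_T = {'M': 3, 'j': 2}
EXAMPLE_LIST = LIST('i', 'M', F('f', V('x', 'i', 'j')))
EXAMPLE_MIXED = ('tuple', (F('f', V('x', 2), NAME('b')),
                           F('f', NAME('a', 2), V('x', 3)),
                           F('f', V('x', 1), NAME('b'))))

if __name__ == '__main__':
    t = translate(EXAMPLE_LIST, EXAMPLE_T)
    print(show(t))                              # f(x_{1,2}), f(x_{2,2}), f(x_{3,2})
    print({show(q) for q in I(t)})              # {'f(x_{1,1})'}
    print({show(q) for q in I(EXAMPLE_MIXED)})  # {'f(x_{1}, b[])', 'f(a_1[], x_{1})'}
```

Note that I returns a set: a translated list of three distinct instances collapses to a single length-one pattern, which is exactly why a derivation at length one can stand for derivations at every length.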


SLIDE 25


Basic idea

Given a set of generalized Horn clauses, RG, we define RGT = {RGT | RG ∈ RG, T is an environment for RG}.

Idea of our contribution:

    F is derivable from RGT
    ↓
    F′ ∈ I(F) is derivable from RG1


SLIDE 26


Main result

Theorem. Let RG be a set of generalized Horn clauses such that each clause RG ∈ RG is well typed, that is, there exists Γ such that Γ ⊢ RG, with the following conditions:

1. the free indices of RG have pairwise distinct types in Γ;
2. the conclusion of RG is linear, and the bound indices in the conclusion of RG have pairwise distinct bounds, and bounds different from the bounds of the free indices of RG in Γ.

For all facts F, if F is derivable from RGT, then for all F′ ∈ I(F), F′ is derivable from RG1.

Proof: build a derivation of F′ from RG1 from a derivation of F from RGT, by applying I to the derivation of F from RGT.


SLIDE 27

Remarks

Importance of Hypothesis

(1) A → B : {(a, a)}k
(2) B → A : ({(b, b)}k, {s}f(a,b))
(3) A → C : {(a1, a′1)}k, . . . , {(aN, a′N)}k
(4) C → A : f(a1, a′1), . . . , f(a1, a′N), . . . , f(aN, a′1), . . . , f(aN, a′N)

An attacker sends {(a, a)}k, {(b, b)}k to C as Message 3: he obtains f(a, b) by decomposition of the list f(a, a), f(a, b), f(b, a), f(b, b), decrypts {s}f(a,b) and obtains the secret s. However, if we consider only lists of one element, there is no attack.

The generalized Horn clause for Message 4 is:
    att(list(i′ ≤ N, senc((xi′, yi′), k))) ⇒ att(list(i ≤ N, list(j ≤ N, f(xj, yi))))

In this clause, Hypothesis 2 of our theorem is not satisfied, because the bound indices i and j have the same bound N.



SLIDE 33


Approximation algorithm

We built an algorithm that transforms a set of generalized Horn clauses so that it satisfies the hypotheses of the main theorem.

att((L, senc(y, pw))) ∧ att(senc((list(j ≤ N, zj), z′), ri[y])) ⇒ att((ai, senc((si[y], h((list(j ≤ N, zj), z′))), f((list(j ≤ N, zj), z′)))))

Steps: rename the bound and the variables of one of the two lists in the conclusion; replace one occurrence of the variable z′ with a fresh one. → approximation!



SLIDE 36


Approximation algorithm

After the first step (rename the bound and the variables of one of the two lists in the conclusion; the hypothesis that mentions them is duplicated with the same renaming):

att((L, senc(y, pw))) ∧ att(senc((list(j ≤ N, zj), z′), ri[y])) ∧ att(senc((list(j ≤ M, xj), z′), ri[y])) ⇒ att((ai, senc((si[y], h((list(j ≤ N, zj), z′))), f((list(j ≤ M, xj), z′)))))

Next: replace one occurrence of the variable z′ with a fresh one. → approximation!



SLIDE 39


Approximation algorithm

After the second step (replace one occurrence of the variable z′ with a fresh one, x′; the hypotheses that mention z′ are duplicated with that renaming):

att((L, senc(y, pw))) ∧ att(senc((list(j ≤ N, zj), z′), ri[y])) ∧ att(senc((list(j ≤ M, xj), z′), ri[y])) ∧ att(senc((list(j ≤ N, zj), x′), ri[y])) ∧ att(senc((list(j ≤ M, xj), x′), ri[y])) ⇒ att((ai, senc((si[y], h((list(j ≤ N, zj), z′))), f((list(j ≤ M, xj), x′)))))

The conclusion is now linear and its two lists have distinct bounds, so Hypothesis 2 holds; the clause is more general than the original one. → approximation!

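The two rewriting steps of these slides, as an added Python example (my own code, not the authors' algorithm). It contains a checker for the linearity and distinct-bound part of Hypothesis 2 of the theorem, and a routine that renames the second occurrence of an offending variable or list bound in the conclusion and adds a renamed copy of every hypothesis that mentions it, repeating until the conclusion passes the check. The pattern encoding and the builder names `V`, `F`, `NAME`, `LIST`, the choice to rename together with a bound exactly the variables indexed by that list's index, and the priming scheme for fresh names are my assumptions; the part of Hypothesis 2 about free indices needs Γ and is not modelled. Run on the Message 4 clause of the first approximation slide, it produces a clause of the same shape as the one on the last slide: the same conclusion up to the fresh names, with five hypotheses. It is also run on the Message 4 clause of the "Importance of Hypothesis" slide, where it reports the shared bound N.

```python
# Added example (my own code, not the authors' algorithm): Hypothesis 2 check and the
# approximation steps of the slides. Constructed pattern encoding:
#   ('var', x, (i1, ..., ih))      variable x_{i1,...,ih}
#   ('fun', f, (p1, ..., pl))      function application f(p1, ..., pl)
#   ('name', a, i, (p1, ..., pl))  indexed name a_i[p1, ..., pl]; i is None when unindexed
#   ('list', i, M, p)              list(i <= M, p)
# A fact att(p) is represented by p, a clause by (hypotheses, conclusion).

def V(x, *idx): return ('var', x, tuple(idx))
def F(f, *args): return ('fun', f, tuple(args))
def NAME(a, i=None, *args): return ('name', a, i, tuple(args))
def LIST(i, M, body): return ('list', i, M, body)

def subpatterns(p):
    return p[2] if p[0] == 'fun' else p[3] if p[0] == 'name' else (p[3],) if p[0] == 'list' else ()

def rebuild(p, subs):
    if p[0] == 'fun':
        return ('fun', p[1], tuple(subs))
    if p[0] == 'name':
        return ('name', p[1], p[2], tuple(subs))
    if p[0] == 'list':
        return ('list', p[1], p[2], subs[0])
    return p

def symbol_counts(p, counts=None):
    """Occurrences of each variable name ('var', x) and list bound ('bound', M), in pre-order."""
    counts = {} if counts is None else counts
    key = ('var', p[1]) if p[0] == 'var' else ('bound', p[2]) if p[0] == 'list' else None
    if key is not None:
        counts[key] = counts.get(key, 0) + 1
    for q in subpatterns(p):
        symbol_counts(q, counts)
    return counts

def violations(conclusion):
    """Symbols breaking Hypothesis 2: a variable occurring twice (non-linear conclusion)
    or a bound shared by two list constructors. The free-index condition is not checked."""
    return [k for k, n in symbol_counts(conclusion).items() if n > 1]

def vars_indexed_by(p, i, acc=None):
    acc = set() if acc is None else acc
    if p[0] == 'var' and i in p[2]:
        acc.add(p[1])
    for q in subpatterns(p):
        vars_indexed_by(q, i, acc)
    return acc

def rename_all(p, vmap, bmap):
    """Apply a renaming of variable names and of bounds everywhere in p."""
    if p[0] == 'var':
        return ('var', vmap.get(p[1], p[1]), p[2])
    q = rebuild(p, [rename_all(s, vmap, bmap) for s in subpatterns(p)])
    return ('list', q[1], bmap.get(q[2], q[2]), q[3]) if q[0] == 'list' else q

def rename_second(p, key, fresh, seen=None):
    """Rename only the second pre-order occurrence of key in p; for a bound, the variables
    indexed by that list's index are renamed with it. Returns (p', var map, bound map)."""
    seen = [0] if seen is None else seen
    if p[0] == 'var' and key == ('var', p[1]):
        seen[0] += 1
        if seen[0] == 2:
            new = fresh(p[1])
            return ('var', new, p[2]), {p[1]: new}, {}
        return p, {}, {}
    if p[0] == 'list' and key == ('bound', p[2]):
        seen[0] += 1
        if seen[0] == 2:
            new_bound = fresh(p[2])
            vmap = {x: fresh(x) for x in sorted(vars_indexed_by(p[3], p[1]))}
            return ('list', p[1], new_bound, rename_all(p[3], vmap, {})), vmap, {p[2]: new_bound}
    vmap, bmap, subs = {}, {}, []
    for s in subpatterns(p):
        s2, vm, bm = rename_second(s, key, fresh, seen)
        subs.append(s2)
        vmap.update(vm)
        bmap.update(bm)
    return rebuild(p, subs), vmap, bmap

def approximate(hyps, conclusion):
    """Repeat the slides' step until the conclusion passes the check: rename the second
    occurrence of the offending symbol and add a renamed copy of every hypothesis that
    mentions it. Each step makes the clause more general, hence an approximation."""
    hyps = list(hyps)
    used = {k[1] for p in hyps + [conclusion] for k in symbol_counts(p)}
    def fresh(base):
        candidate = base + "'"
        while candidate in used:
            candidate += "'"
        used.add(candidate)
        return candidate
    while violations(conclusion):
        conclusion, vmap, bmap = rename_second(conclusion, violations(conclusion)[0], fresh)
        renamed = {('var', x) for x in vmap} | {('bound', m) for m in bmap}
        for h in list(hyps):
            if renamed & set(symbol_counts(h)):
                hyps.append(rename_all(h, vmap, bmap))
    return tuple(hyps), conclusion

# The Message 4 clause of the Asokan-Ginzboorg protocol, as on the first approximation slide.
y, z_j, zp = V('y'), V('z', 'j'), V("z'")
MSG4_HYPS = (
    F('pair', NAME('L'), F('senc', y, NAME('pw'))),
    F('senc', F('pair', LIST('j', 'N', z_j), zp), NAME('r', 'i', y)),
)
MSG4_CONCL = F('pair', NAME('a', 'i'), F('senc',
    F('pair', NAME('s', 'i', y), F('h', F('pair', LIST('j', 'N', z_j), zp))),
    F('f', F('pair', LIST('j', 'N', z_j), zp))))

# The Message 4 clause of the "Importance of Hypothesis" slide: i and j share the bound N.
COUNTER_CONCL = LIST('i', 'N', LIST('j', 'N', F('f', V('x', 'j'), V('y', 'i'))))
```

Calling `approximate(MSG4_HYPS, MSG4_CONCL)` first renames the second list (bound N to N′, z to z′′) and copies the hypothesis that carries the list, then renames the second occurrence of z′ and copies both list hypotheses, giving five hypotheses and a conclusion on which `violations` is empty.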


SLIDE 41


Applications & Conclusions

Applications:
• secrecy proved for the Asokan-Ginzboorg protocol
• secrecy proved for a basic XML encryption protocol

What has been done:
• extended the syntax of Horn clauses to generalized Horn clauses;
• defined a relation between GHC and HC;
• derivation for lists of length one → derivation for lists of unbounded length; in general, secrecy on lists of length one → secrecy on lists of unbounded length;
• approximation algorithm that transforms a set of generalized Horn clauses so that it satisfies the hypotheses of our main theorem.



SLIDE 43


Further Works

What we'd like to do:
• support more general data structures and protocols: new extension of generalized Horn clauses and of the resolution algorithm;
• extend this work to equational theories (Diffie-Hellman);
• extend the input language of ProVerif to model group protocols and to translate it to generalized Horn clauses;
• consider other security properties.


SLIDE 44


Thanks!

Questions?
