Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola Bruno Blanchet { miriam.paiola, bruno.blanchet } @ens.fr INRIA, Ecole Normale Sup´ erieure, CNRS March 2012 Verification of Security Protocols with Lists:, from Length One to Unbounded Length 1 / 18
Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Cryptographic protocols and their Verification Verification of protocols is important! ProVerif can analyze protocols with lists of fixed lengths ↓ There could be attacks for other values ↓ Our goal: prove the protocols for lists of any length where all elements are treated in the same way Verification of Security Protocols with Lists:, from Length One to Unbounded Length 2 / 18
Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Overview of ProVerif Properties to prove: Protocol: secrecy Pi calculus + cryptography Automatic translator Derivability queries Horn clauses Resolution with selection The property is true Potential attack Verification of Security Protocols with Lists:, from Length One to Unbounded Length 3 / 18
Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Representation with Horn clauses Representation of a protocol Messages are represented by patterns p ::= x | a [ p 1 , . . . , p n ] | f ( p 1 , . . . , p n ) Example ( a , b ) Properties are represented by facts F ::= att ( p ) The protocol and the abilities of the attacker are represented by Horn clauses F 1 ∧ · · · ∧ F n ⇒ F Example att ( s ) ∧ att ( pk ) ⇒ att ( senc ( s , pk )) Verification of Security Protocols with Lists:, from Length One to Unbounded Length 4 / 18
Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Derivability Secrecy and Derivability If att ( p ) cannot be derived from the clauses, then the protocol preserves the secrecy of p . root Definition (Derivability) F F is derivable from R iff there exists a finite tree defined as follows: R ′ η ′ subroot Its nodes (except the root) are labeled 1 by clauses R ∈ R ; Its edges are labeled by closed facts; 2 F 0 R = H ⇒ C : there exists a 3 . . . substitution σ such that σ C = F 0 and . . . R η σ H ⊆ F 1 ∧ · · · ∧ F n F 1 F n . . . The root has one outgoing edge 4 labeled by F . . . . . . . . . . Verification of Security Protocols with Lists:, from Length One to Unbounded Length 5 / 18
Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Derivability Secrecy and Derivability If att ( p ) cannot be derived from the clauses, then the protocol preserves the secrecy of p . root Definition (Derivability) F F is derivable from R iff there exists a finite tree defined as follows: R ′ η ′ subroot Its nodes (except the root) are labeled 1 by clauses R ∈ R ; Its edges are labeled by closed facts; 2 F 0 R = H ⇒ C : there exists a 3 . . . substitution σ such that σ C = F 0 and . . . R η σ H ⊆ F 1 ∧ · · · ∧ F n F 1 F n . . . The root has one outgoing edge 4 labeled by F . . . . . . . . . . Verification of Security Protocols with Lists:, from Length One to Unbounded Length 5 / 18
Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Derivability Secrecy and Derivability If att ( p ) cannot be derived from the clauses, then the protocol preserves the secrecy of p . root Definition (Derivability) F F is derivable from R iff there exists a finite tree defined as follows: R ′ η ′ subroot Its nodes (except the root) are labeled 1 by clauses R ∈ R ; Its edges are labeled by closed facts; 2 F 0 R = H ⇒ C : there exists a 3 . . . substitution σ such that σ C = F 0 and . . . R η σ H ⊆ F 1 ∧ · · · ∧ F n F 1 F n . . . The root has one outgoing edge 4 labeled by F . . . . . . . . . . Verification of Security Protocols with Lists:, from Length One to Unbounded Length 5 / 18
Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Derivability Secrecy and Derivability If att ( p ) cannot be derived from the clauses, then the protocol preserves the secrecy of p . root Definition (Derivability) F F is derivable from R iff there exists a finite tree defined as follows: R ′ η ′ subroot Its nodes (except the root) are labeled 1 by clauses R ∈ R ; Its edges are labeled by closed facts; 2 F 0 R = H ⇒ C : there exists a 3 . . . substitution σ such that σ C = F 0 and . . . R η σ H ⊆ F 1 ∧ · · · ∧ F n F 1 F n . . . The root has one outgoing edge 4 labeled by F . . . . . . . . . . Verification of Security Protocols with Lists:, from Length One to Unbounded Length 5 / 18
Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Derivability Secrecy and Derivability If att ( p ) cannot be derived from the clauses, then the protocol preserves the secrecy of p . root Definition (Derivability) F F is derivable from R iff there exists a finite tree defined as follows: R ′ η ′ subroot Its nodes (except the root) are labeled 1 by clauses R ∈ R ; Its edges are labeled by closed facts; 2 F 0 R = H ⇒ C : there exists a 3 . . . substitution σ such that σ C = F 0 and . . . R η σ H ⊆ F 1 ∧ · · · ∧ F n F 1 F n . . . The root has one outgoing edge 4 labeled by F . . . . . . . . . . Verification of Security Protocols with Lists:, from Length One to Unbounded Length 5 / 18
Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Example Asokan-Ginzboorg protocol Let the set of players be { a i , i = 1 , . . . , N } for N ≥ 1 and L be the leader. The protocol describes the establishment of a session key between the leader and the other n participants. (1) L → ALL : ( L , { | e | } pw ) (2) a i → L : ( a i , { | ( r i , s i ) | } e ) | ( s 1 , . . . , s N , s ′ ) | (3) L → a i : { } r i | ( s i , h ( s 1 , . . . , s N , s ′ )) | (4) a i → L : ( a i , { } K ) , for some i , where K = f ( s 1 , . . . , s N , s ′ ) where K = f ( s 1 , . . . , s N , s ′ ) Verification of Security Protocols with Lists:, from Length One to Unbounded Length 6 / 18
Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Syntax Generalized Horn Clauses Syntax p G , s , t ::= patterns variable ( h ≥ 0) x i 1 ,..., i h f ( p G 1 , . . . , p G l ) function application a i [ p G 1 , . . . , p G l ] indexed names list ( i ≤ M , p G ) list constructor F G ::= � i 1 ≤ M 1 ,..., i h ≤ M h att ( p G ) facts R G ::= F G 1 ∧ · · · ∧ F G n ⇒ att ( p G ) generalized Horn clause Verification of Security Protocols with Lists:, from Length One to Unbounded Length 7 / 18
Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Syntax Representation of the protocol a i → L : ( a i , senc (( r i , s i ) , e )) 1 . L → a i : ( L , senc ( e , pw )) 2 . a i → L : ( a i , senc (( r i , s i ) , e )) L → a i : senc ( � s 1 , . . . , s N , s ′ � , r i ) � i ≤ N att (( a i , senc (( v i , w i ) , e [ ]))) ⇒ att ( senc (( list ( i ≤ N , w i ) , s ′ [ list ( i ≤ N , � v i , w i ))]) , v i )) a i → L : � a i , senc ( � s i , h ( s 1 , . . . , s N , s ′ ) � , K ) � , for some i att (( L , senc ( y , pw ))) ∧ att ( senc (( list ( j ≤ N , z j ) , z ′ ) , r i [ y ])) ⇒ att (( a i , senc (( s i [ y ] , h (( mpair ( j ≤ N , z j ) , z ′ ))) , K ))) , where K = f (( mpair ( j ≤ N , z j ) , z ′ )) Verification of Security Protocols with Lists:, from Length One to Unbounded Length 8 / 18
Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Syntax Representation of the protocol a i → L : ( a i , senc (( r i , s i ) , e )) 1 . L → a i : ( L , senc ( e , pw )) 2 . a i → L : ( a i , senc (( r i , s i ) , e )) L → a i : senc ( � s 1 , . . . , s N , s ′ � , r i ) � i ≤ N att (( a i , senc (( v i , w i ) , e [ ]))) ⇒ att ( senc (( list ( i ≤ N , w i ) , s ′ [ list ( i ≤ N , � v i , w i ))]) , v i )) a i → L : � a i , senc ( � s i , h ( s 1 , . . . , s N , s ′ ) � , K ) � , for some i att (( L , senc ( y , pw ))) ∧ att ( senc (( list ( j ≤ N , z j ) , z ′ ) , r i [ y ])) ⇒ att (( a i , senc (( s i [ y ] , h (( mpair ( j ≤ N , z j ) , z ′ ))) , K ))) , where K = f (( mpair ( j ≤ N , z j ) , z ′ )) Verification of Security Protocols with Lists:, from Length One to Unbounded Length 8 / 18
Recommend
More recommend
![3 PERFORMANCE LIMITATIONS IN SISO SYSTEMS [5] 3.1 Input-Output Controllability [5.1]](https://c.sambuz.com/616270/3-performance-limitations-in-siso-systems-5-s.jpg)
