Verifying the SET Protocol: Overview

Lawrence C Paulson, Computer Laboratory, University of Cambridge
(Joint with Giampaolo Bella and Fabio Massacci)

Plan of Talk

  • The SET Protocol
  • Defining the Formal Models
  • Verifying the Registration Phase
  • Verifying the Purchase Phase

Internet Shopping with SSL

[Diagram: cardholder and merchant connected by SSL, carrying credit card details. Speech bubble: “Curses! Can’t get that number!”]

Why Trust the Merchant?

[Diagram: cardholder sends credit card details over SSL. Speech bubble: “Now I can buy that software!”]

Why Trust the Customer?

[Diagram: fake card details sent over SSL to the merchant. Speech bubble: “Send MS Office, charge to my card…”]

Basic Ideas of SET

  • Cardholders and Merchants must register
  • They receive electronic credentials
      – Proof of identity
      – Evidence of trustworthiness
  • Payment goes via the parties’ banks
      – Merchants don’t need card details
      – Bank does not see what you buy

Plan of Talk

  • The SET Protocol
  • Defining the Formal Models
  • Verifying the Registration Phase
  • Verifying the Purchase Phase

Inductive Protocol Verification

  • Define system’s operational semantics
  • Include honest parties and an attacker
  • Model each protocol step in an inductive definition
  • Prove security properties by induction
  • Mechanize using Isabelle/HOL

An Overview of Isabelle

  • Generic: higher-order logic, set theory, …
  • Good user interface (Proof General)
  • Automatic document generation
  • Powerful simplifier and classical prover
  • Strong support for inductive definitions

The SET Documentation

  • Business Description
      – General overview
      – 72 pages
  • Programmer’s Guide
      – Message formats & English description of actions
      – 619 pages
  • Formal Protocol Definition
      – Message formats & the equivalent ASN.1 definitions
      – 254 pages

SET Digital Envelopes

  • Consisting of two parts:
      – Symmetric key K, encrypted with a public key
      – Main ciphertext, encrypted with K
  • Hashing to link the two parts
  • Minimal use of public-key encryption
  • Great complications for formal reasoning
      – Numerous session keys in use
      – Dependency chains: keys encrypt keys

Obstacles to Formalization

  • Huge size of documentation & protocol
  • Lack of explicit objectives
  • “Out of band” steps
  • Many types of participants:
      – Cardholders
      – Merchants
      – Certificate Authorities
      – Payment Gateways (to pay merchants)

Plan of Talk

  • The SET Protocol
  • Defining the Formal Models
  • Verifying the Registration Phase
  • Verifying the Purchase Phase

Cardholder Registration

  • Cardholder C and certificate authority CA
  • C delivers credit card number
  • C completes registration form
      – Inserts security details
      – Discloses his public signature key
  • Outcomes:
      – C’s bank can vet the registration
      – CA associates C’s signing key with card details

Cardholder Registration

[Figure not reproduced. Annotation: “Let’s look at this message”]

Message 5 in Isabelle

Secrecy of Session Keys

  • Three keys, created for digital envelopes
  • Dependency: one key protects another
  • Main theorem on this dependency relation
  • Generalizes an approach used for simpler protocols (Yahalom)
  • Similarly, prove secrecy of Nonces

Plan of Talk

  • The SET Protocol
  • Defining the Formal Models
  • Verifying the Registration Phase
  • Verifying the Purchase Phase

The Purchase Phase

[Diagram labels: SET; Purchase details; Payment Gateway; Payment details (hidden from Merchant)]

The SET Dual Signature

3-way agreement with partial knowledge!

  • Cardholder shares Order Information only with Merchant
  • Cardholder shares Payment Information only with Payment Gateway
  • Cardholder signs hashes of OI, PI
  • Non-repudiation: all parties sign messages
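
A simplified sketch of the dual-signature idea on this slide, added here as an example; it is not taken from the talk or from the SET specification. The toy RSA key, SHA-256, the OI-then-PI ordering and all function names are assumptions, and the real SET messages carry far more fields.

```python
import hashlib

# Toy textbook-RSA key for the cardholder, constructed for this example:
# two Mersenne primes, no padding. Far too weak for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def h(data: bytes) -> bytes:
    """Message digest (SHA-256 is an assumption of this sketch)."""
    return hashlib.sha256(data).digest()

def _as_int(digest: bytes) -> int:
    return int.from_bytes(digest, "big") % N

def sign(digest: bytes) -> int:
    """Cardholder's signature on a digest."""
    return pow(_as_int(digest), D, N)

def verify(digest: bytes, sig: int) -> bool:
    """Check a signature using only the public key (N, E)."""
    return pow(sig, E, N) == _as_int(digest)

def dual_sign(oi: bytes, pi: bytes):
    """Sign one digest that binds the hashes of OI and PI together."""
    h_oi, h_pi = h(oi), h(pi)
    return h_oi, h_pi, sign(h(h_oi + h_pi))

def merchant_accepts(oi: bytes, h_pi: bytes, sig: int) -> bool:
    """Merchant holds OI in the clear but only the hash of PI."""
    return verify(h(h(oi) + h_pi), sig)

def gateway_accepts(h_oi: bytes, pi: bytes, sig: int) -> bool:
    """Payment Gateway holds PI in the clear but only the hash of OI."""
    return verify(h(h_oi + h(pi)), sig)

# Constructed sample data.
OI = b"order: 1 x software licence, total 49.00"
PI = b"card: 0000-0000-0000-0000, amount 49.00"
H_OI, H_PI, SIG = dual_sign(OI, PI)

if __name__ == "__main__":
    print("merchant accepts:", merchant_accepts(OI, H_PI, SIG))
    print("gateway accepts: ", gateway_accepts(H_OI, PI, SIG))
    print("altered order accepted:", merchant_accepts(OI + b"!", H_PI, SIG))
```

Each verifier recomputes the signed digest from the half it can read plus the hash of the half it cannot, so neither can swap in a different OI or PI without the signature check failing.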

The Purchase Request Message

Complications in SET Proofs

  • Massive redundancy
      – Caused by hashing and dual signature
      – E.g. 9 copies of “purchase amount” in one message!
  • Multi-page subgoals
  • Insufficient redundancy (no explicitness), failure of one agreement property
  • Many digital envelopes

Runtimes for Various Protocols

Conclusions

  • We can find flaws in massive protocols
  • Analyzing bigger protocols than SET may be impossible
  • Improvements are needed:
      – Abstract treatment of constructions such as digital envelopes
      – Better official formal definitions