From Secrecy to Authenticity in Security Protocols

Chen Chen

Advisor: Limin Jia

Whole picture

Process Calculus

Definition of Secrecy and Authenticity

Translation into Horn Clauses

Demo

Comparison

Conclusion

Outlines

Whole Picture

Original Protocol

Pi Calculus Horn Clauses Proverif

Authenticity Reserved?

Extension of pi calculus with:
◦ cryptographic primitives
◦ “begin” & “end” events

Pi calculus:
◦ mathematical formalisms for describing and analyzing properties of concurrent computation

Process Calculus

Syntax

Name:
◦ Free name: Names globally known (also to adversary)
◦ Bound name: Names local to the process

Variable:
◦ Free variable: Variables not used anywhere
◦ Bound name: variables used in the process

Equivalence: Reduction:

Extension of Rules

Process P

A simplified version of Woo and Lam one-way public key authentication protocol

Let’s try it!

◦ Create secret key skA & skB
◦ Create corresponding public keys
◦ Distribute public keys
◦ Create unbounded number of sessions

First Few Steps

Now you can do it yourself

Adversary (attacker)

◦ Closed process: Process without free variables (allow free names)

Definitions

Secrecy

Definitions

Remember: Q has access to all free names, including channel c

Authenticity

◦ Non-injective agreement: if event end(M) is executed, then begin(M) has also been executed.

Definitions

Authenticity

◦ Injective agreement: The number of executions of end(M) is smaller than that of begin(M).

Definitions
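The two agreement properties defined above, checked over event traces (an added example, not part of the original slides). The trace encoding and function names are assumptions, and injective agreement is implemented in its usual reading, where each end(M) is matched by a distinct earlier begin(M).

```python
from collections import Counter

# A trace is a list of (kind, M) pairs in execution order (assumed encoding).

def non_injective_agreement(trace):
    """Every end(M) is preceded by at least one begin(M)."""
    begun = set()
    for kind, msg in trace:
        if kind == "begin":
            begun.add(msg)
        elif kind == "end" and msg not in begun:
            return False
    return True

def injective_agreement(trace):
    """Every end(M) consumes its own, distinct, earlier begin(M)."""
    unmatched = Counter()          # begin(M) events not yet paired with an end(M)
    for kind, msg in trace:
        if kind == "begin":
            unmatched[msg] += 1
        elif kind == "end":
            if unmatched[msg] == 0:
                return False       # no fresh begin(M) left to justify this end(M)
            unmatched[msg] -= 1
    return True

def classify(trace):
    """Return (non-injective holds, injective holds) for one trace."""
    return non_injective_agreement(trace), injective_agreement(trace)

# Constructed sample traces; M stands for the agreed session data.
M = ("A", "B", "n1")
HONEST = [("begin", M), ("end", M)]
REPLAY = [("begin", M), ("end", M), ("end", M)]   # one begin justifies two ends
NO_BEGIN = [("end", M)]                           # B finishes, A never started
LATE_BEGIN = [("end", M), ("begin", M)]           # begin arrives too late

if __name__ == "__main__":
    for name, t in [("honest", HONEST), ("replay", REPLAY),
                    ("no begin", NO_BEGIN), ("late begin", LATE_BEGIN)]:
        print(name, classify(t))
```

The replay trace is the case that separates the two properties: it passes the non-injective check but fails the injective one.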

Where is Authenticity?

Authenticity is satisfied when:
◦ B cannot emit his end event without A having emitted her begin event.

End(M) => Begin(M) for all cases.

Why?

Authenticity

Sarkozy thinks:

Sarkozy says:

Sarkozy agrees:

Authenticity is satisfied when: The other side is indeed Sarkozy!

Event: Begin & End

Begin(M): I start my part of the protocol. I think I would talk to Obama

End(M): I finish my part of the protocol. I think I have talked to Sarkozy

Protocol ensures:

Remember: Protocol is lock-stepped!

You may ask: Is it sufficient?

Begin(M): I start my part of the protocol. I think I would talk to Obama

End(M): I finish my part of the protocol. I think I have talked to Sarkozy

Authenticity is violated when End(M) => Begin(M)!

Here End(M) !=> Begin(M)!

Authenticity

◦ Non-injective agreement: if event end(M) is executed, then begin(M) has also been executed.

Definitions

Correct!

From secrecy to authenticity

We will be back!

Whole picture

Process Calculus

Definition of Secrecy and Authenticity

Translation into Horn Clauses

Demo

Comparison

Conclusion

Outlines

(P1 ∧ P2 ∧ … ∧ Pn) => u

Our usage:
◦ Patterns
◦ Facts
◦ Rules

Attacker Protocol

Horn Clauses

If c ∈ S, message(c[],M) = attacker(M)

Vo, Vs:
◦ Vo: Set of ordinary variables.
◦ Vs: Set of session identifiers.

ρ : mapping from variables and names to patterns

h : Sequence of facts of message and begin.
◦ Literals of horn clauses we want

Before Translation

First Few Steps

[|P|] = [|(νskA).P1|]
[|P1|] = [|(νskB).P2|]
[|P2|] = [|let pkA = pk(skA) in P3|]
[|P3|] = [|let pkB = pk(skB) in P4|]
[|P4|] = [|c<pkA>.P5|]

ρ : c → c[], skA → skA[], skB → skB[], pkA → pk(skA[]), pkB → pk(skB[])
h :

First Horn Clause: message(c[],pk(skA))=attacker(pk(skA[]))

Finish it yourself

BP0,S : Horn clauses of the protocol
Bb : Horn clauses of allowed begin event.

From secrecy to authenticity

We are back!

Authenticity verification on Proverif

Demos

Pros & Cons

Pros:
◦ Fully Automatic
◦ Unlimited number of sessions
◦ General cryptographic primitives

Cons:
◦ Sometimes no termination
◦ Sometimes not Complete

Inductive method similar to Proverif
◦ Proverif is kind of automatic

Model checking automatic
◦ Infinite session in Proverif.

Comparison

| | Proverif | Inductive Approach | Model Checking (Murphi) |
|---|---|---|---|
| Automaticity | Y | N | Y |
| Number of States Support | Infinite | Infinite | Finite |
| Concurrency Support | Y | Y (Manually) | Y (limited) |

New Technique for Authenticity verification in Cryptographic Protocol

◦ Fully automatic
◦ Precise semantic foundation
◦ Unbounded number of sessions
◦ Support general cryptographic primitive

Conclusion

Thank you! Q&A