Formal Analysis of Network Security Authentication Protocols (网络安全认证协议形式化分析)


Presentation Transcript


  1. Formal Analysis of Network Security Authentication Protocols. 肖美华 (Xiao Meihua), School of Information Engineering, Nanchang University (Nanchang, 330029); Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences (Beijing, 100080)

  2. Organization
  • Introduction
  • Related Work
  • Formal System Notation
  • Intruders Algorithmic Knowledge Logic
  • Verification Using SPIN/Promela
  • Conclusion
  (第二十次全国计算机安全学术交流会, 20th National Computer Security Academic Exchange Conference)

  3. Introduction
  • Cryptographic protocols are protocols that use cryptography to distribute keys and to authenticate principals and data over a network.
  • Formal methods combine a mathematical or logical model of a system and its requirements with an effective procedure for determining whether a proof that the system satisfies its requirements is correct.
  • Model;
  • Requirement (Specification);
  • Verification.

  4. Introduction (cont.) In cryptographic protocols, it is crucial to ensure that:
  • Messages meant for a principal cannot be read/accessed by others (secrecy);
  • The genuineness of the sender of a message is guaranteed (authenticity);
  • Integrity;
  • Non-Repudiation (NRO, NRR);
  • Fairness, etc.

  5. Related Work. Techniques for verifying security properties of cryptographic protocols can be broadly categorized as:
  • methods based on belief logics (BAN Logic)
  • π-calculus based models
  • state machine models (Model Checking)
    Model checking advantages (compared with theorem proving): automatic; a counterexample is produced if a property is violated
    Use LTL (Linear Temporal Logic) to specify properties
    FDR (Lowe); Murφ (Mitchell); Interrogator (Millen); Brutus (Marrero); SPIN (Holzmann)
  • theorem prover based methods (NRL, Meadows)
  • methods based on a state machine model and a theorem prover (Athena, Dawn)
  • Type checking
  • ISCAS, LOIS, … (in China)

  6. Notation
  (1) Messages
      a ∈ Atom ::= C | N | k |
      m ∈ Msg ::= a | m•m | {m}k
  (2) Containment relationship (⊑)
      m ⊑ a ≜ m = a
      m ⊑ m1•m2 ≜ m = m1•m2 ∨ m ⊑ m1 ∨ m ⊑ m2
      m ⊑ {m1}k ≜ m = {m1}k ∨ m ⊑ m1
      Submessages: sub-msgs(m) ≜ {m’ ∈ Msg | m’ ⊑ m}

  7. Notation
  (3) Derivation (⊦, Dolev-Yao model)
      m ∈ B ⇒ B ⊦ m
      B ⊦ m ∧ B ⊦ m’ ⇒ B ⊦ m•m’ (pairing)
      B ⊦ m•m’ ⇒ B ⊦ m ∧ B ⊦ m’ (projection)
      B ⊦ m ∧ B ⊦ k ⇒ B ⊦ {m}k (encryption)
      B ⊦ {m}k ∧ B ⊦ k-1 ⇒ B ⊦ m (decryption)

  8. Notation
  (4) Properties
      Lemma 1. B ⊦ m ∧ B ⊆ B’ ⇒ B’ ⊦ m
      Lemma 2. B ⊦ m’ ∧ B ∪ {m’} ⊦ m ⇒ B ⊦ m
      Lemma 3. B ⊦ m ∧ X ⊑ m ∧ B ⊬ X ⇒ (Y : Y ∈ sub-msgs(m) : X ⊑ Y ∧ B ⊦ Y) ∧ (b : b ∈ B : Y ⊑ b) ∧ (Z, k : Z ∈ Msg ∧ k ∈ Key : Y = {Z}k ∧ B ⊬ k-1)
      Lemma 4. (k, b : k ∈ Key ∧ b ∈ B : k ⊑ b ∧ A ⊬ k ∧ A ∪ B ⊦ k) ∨ (z : z ∈ sub-msgs(x) : a ⊑ z ∧ A ⊦ z) ∨ (b : b ∈ B : a ⊑ b ∧ A ⊬ a)

  9. Logic of Algorithmic Knowledge
  Definition 1. Primitive propositions P0s for security: p, q ∈ P0s ::=
      sendi(m)   Principal i sent message m
      recvi(m)   Principal i received message m
      hasi(m)    Principal i has message m

  10. Logic of Algorithmic Knowledge
  Definition 2. An interpreted security system is S = (R, ∏R), where R is a system for security protocols and ∏R is the following interpretation of the primitive propositions in R:
      ∏R(r, m)(sendi(m)) = true iff ∃j such that send(j, m) ∈ ri(m)
      ∏R(r, m)(recvi(m)) = true iff recv(m) ∈ ri(m)
      ∏R(r, m)(hasi(m)) = true iff ∃m’ such that m ⊑ m’ and recv(m’) ∈ ri(m)

  11. Logic of Algorithmic Knowledge
  Definition 3. An interpreted algorithmic security system is (R, ∏R, A1, A2, …, An), where R is a security system, ∏R is the interpretation in R, and Ai is a knowledge algorithm for principal i.

  12. Algorithmic Knowledge Logic
  AiDY(hasi(m), l) ≜
      K ← keysof(l)
      for each recv(m’) in l do
          if submsg(m, m’, K) then return “Yes”
      return “No”

  submsg(m, m’, K) ≜
      if m = m’ then return true
      if m’ is {m1}k and k-1 ∈ K then return submsg(m, m1, K)
      if m’ is m1•m2 then return submsg(m, m1, K) ∨ submsg(m, m2, K)
      return false

  13. Cont.
  getkeys(m, K) ≜
      if m ∈ Key then return {m}
      if m is {m1}k and k-1 ∈ K then return getkeys(m1, K)
      if m is m1•m2 then return getkeys(m1, K) ∪ getkeys(m2, K)
      return {}

  keysof(l) ≜
      K ← initkeys(l)
      loop until no change in K
          K ← K ∪ getkeys(m, K)   (for each recv(m) ∈ l)
      return K

  14. Verification Using SPIN/Promela. SPIN is a highly successful and widely used software model-checking system based on "formal methods" from Computer Science. It has made advanced theoretical verification methods applicable to large and highly complex software systems. In April 2002 the tool was awarded the prestigious System Software Award for 2001 by the ACM. SPIN uses a high-level language, Promela (PROcess MEta LAnguage), to specify system descriptions, including protocols.

  15. BAN-Yahalom Protocol
      [1] A→B: A, Na
      [2] B→S: B, Nb, {A, Na}Kbs
      [3] S→A: Nb, {B, Kab, Na}Kas, {A, Kab, Nb}Kbs
      [4] A→B: {A, Kab, Nb}Kbs, {Nb}Kab
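The message algebra of slides 6-7 and the knowledge algorithm of slides 12-13 (submsg, getkeys, keysof), written out in Python and run over the four BAN-Yahalom messages above, to show what a passive observer of one honest run can learn from a given initial key set. This is an added example, not code from the slides; the Enc class, the KEYS set and the TRACE list are constructed here.

```python
# Added example, not from the slides: the Dolev-Yao message algebra of
# slides 6-7 and the knowledge algorithm of slides 12-13 (submsg, getkeys,
# keysof), run over the four BAN-Yahalom messages of slide 15.
from dataclasses import dataclass

@dataclass(frozen=True)
class Enc:                     # {m}k; atoms are str, pairing m1.m2 is a tuple
    body: object
    key: str                   # symmetric keys only, so k^-1 = k

KEYS = {"Kas", "Kbs", "Kab"}   # the atoms that are keys in this protocol (constructed)
def submsg(m, m2, K):
    """m is a sub-message of m2 reachable with the key set K (slide 12)."""
    if m == m2:
        return True
    if isinstance(m2, Enc) and m2.key in K:
        return submsg(m, m2.body, K)
    if isinstance(m2, tuple):
        return any(submsg(m, part, K) for part in m2)
    return False

def getkeys(m, K):
    """Keys occurring in m at positions that K already lets us decrypt (slide 13)."""
    if isinstance(m, str):
        return {m} if m in KEYS else set()
    if isinstance(m, Enc) and m.key in K:
        return getkeys(m.body, K)
    if isinstance(m, tuple):
        return set().union(*(getkeys(part, K) for part in m))
    return set()

def keysof(recvd, initkeys):
    """Fixpoint of getkeys over all received messages (slide 13)."""
    K = set(initkeys)
    while True:
        new = K.union(*(getkeys(m, K) for m in recvd))
        if new == K:
            return frozenset(K)
        K = new

def has(m, recvd, initkeys):
    """A_i^DY(has_i(m), l): Yes iff m is reachable inside some received m'."""
    K = keysof(recvd, initkeys)
    return any(submsg(m, m2, K) for m2 in recvd)

# Constructed trace: the four messages of one honest run, as seen on the wire.
TRACE = [("A", "Na"),                                                   # [1]
         ("B", "Nb", Enc(("A", "Na"), "Kbs")),                           # [2]
         ("Nb", Enc(("B", "Kab", "Na"), "Kas"), Enc(("A", "Kab", "Nb"), "Kbs")),  # [3]
         (Enc(("A", "Kab", "Nb"), "Kbs"), Enc("Nb", "Kab"))]             # [4]
```

With no keys the observer learns the nonces but not Kab; holding either long-term key (Kas or Kbs) is enough to recover Kab from message [3], which is exactly the hasi(m) question the algorithm answers.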

  16. Attack 1 (intruder impersonates Bob to Alice)
      α.1 A→I(B): A, Na
      β.1 I(B)→A: B, Na
      β.2 A→I(S): A, Na’, {B, Na}Kas
      γ.2 I(A)→S: A, Na, {B, Na}Kas
      γ.3 S→I(B): Na, {A, Kab, Na}Kas, {B, Kab, Na}Kbs
      α.3 I(S)→A: Ne, {B, Kab, Na}Kas, {A, Kab, Na}Kbs
      α.4 A→I(B): {A, Kab, Nb}Kbs, {Ne}Kab

  17. Attack 2 (intruder impersonates Alice)
      α.1 A→B: A, Na
      α.2 B→S: B, Nb, {A, Na}Kbs
      β.1 I(A)→B: A, (Na, Nb)
      β.2 B→I(S): B, Nb’, {A, Na, Nb}Kas
      α.3 (Omitted)
      α.4 I(A)→B: {A, Na, Nb}Kbs, {Nb}Na

  18. Attack 3
      α.1 A→B: A, Na
      α.2 B→S: B, Nb, {A, Na}Kbs
      β.1 I(B)→A: B, Nb
      β.2 A→I(S): A, Na’, {B, Nb}Kas
      γ.2 I(A)→S: A, Na, {B, Nb}Kas
      β.3 S→I(B): Na, {A, Kab’, Nb}Kbs, {B, Kab’, Na}Kas
      δ.3 I(S)→A: Nb, {B, Kab’, Na}Kas, {A, Kab’, Nb}Kbs
      α.4 A→B: {A, Kab’, Nb}Kbs, {Nb}Kab’

  19. Optimization strategies
  • Using static analysis and syntactical reordering techniques.
  • The two techniques are illustrated using the BAN-Yahalom verification model as the benchmark:
    • the model to which neither static analysis nor syntactical reordering is applied is called the Original version;
    • the model using only the static analysis technique is Fixed version (1);
    • the model using both static analysis and syntactical reordering is Fixed version (2).

  20. Experimental results show the effectiveness

  21. Needham-Schroeder Authentication Protocol

  22. Attack on the N-S Protocol (found by SPIN)

  23. Conclusion
  • Based on a logic of algorithmic knowledge, a formal description of the intruder under the Dolev-Yao model is constructed;
  • Verification of security protocols along these lines is studied using the model checker SPIN, and three attacks on the BAN-Yahalom protocol have been found in a single general model;
  • Search strategies such as static analysis and syntactical reordering are applied to reduce the model checking complexity, and these approaches will benefit the analysis of more protocols.
  • Scalability: in any case, having a logic in which the abilities of intruders can be specified is a necessary prerequisite to using model-checking techniques.

  24. Thanks!