1 / 63

Correctness Proofs and Counter-model Generation with Authentication-Protocol Logic

Correctness Proofs and Counter-model Generation with Authentication-Protocol Logic. Koji Hasebe Mitsuhiro Okada Department of Philosophy, Keio University. Background. Security protocols: Communication over insecure network Cryptography used for authentication, secrecy, etc.

phuc
Télécharger la présentation

Correctness Proofs and Counter-model Generation with Authentication-Protocol Logic

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Correctness Proofs and Counter-model Generation with Authentication-Protocol Logic Koji Hasebe Mitsuhiro Okada Department of Philosophy, Keio University

  2. Background • Security protocols: • Communication over insecure network • Cryptography used for authentication, secrecy, etc. • Formal analysis of security protocols: • Assume perfect encryption • Assume existence of intruder who may ... • See all exchanged messages • Delete, alter, inject and redirect messages • Initiate new communications • Reuse messages from past sessions

  3. An Example: A process of the Needham-Schroeder Protocol Initiator Responder (1) (2) (3) The protocol aims to provide sharing secret data and .

  4. An Example: A process of the Needham-Schroeder Protocol Fresh random value generated by Alice Alice’s identity Initiator Responder (1) Encryption with Bob’s public key (2) (3) The protocol aims to provide sharing secret data and .

  5. The agreement property Initiator Responder sends receives receives sends sends receives Instantiation Instantiation (Here are constants, .) and substitution

  6. Initiator’s role Responder’s role (Here are variables.) The agreement property Initiator Responder sends receives receives sends sends receives

  7. The agreement property Initiator Responder sends receives receives sends sends receives Definition: has agreement property w.r.t. For any substitution and for any process , if contains execution of responder’s role and an initiator’s execution according to , then contains .

  8. An attack on the NS protocol[Lowe, 1996] Alice Intruder Bob (1) (1’) (2) (3) (3’) • From Bob's view, Bob believes that Alice communicates with Bob, but actually Alice communicates with Intruder. • This attack has nothing to do with cryptography.

  9. Proving vs Model Checking (Two approaches for protocol verifications) • Inference rule-based deductive approaches: • BAN logics(Burrows-Abadi-Needham, 1989) • Protocol logics (or Compositional logics) etc. • Trace-based semantic approaches: • MSR(Cervesato-Durgin-Lincoln-Mitchell-Scedrov, 1999) • Strand space(Thayer Fabrega-Herzog-Guttman, 1998) etc.

  10. Durgin-Mitchell-Pavlovic (2001), Datta-Derek-Mitchell-Pavlovic (2003-), Cervesato-Meadows-Pavlovic (2004-), Hasebe-Okada (2004) Protocol Logics Inference systems to prove protocols correct • Primitive actions (“sending”, “receiving”, “generating”, etc.) are described as predicate symbols • Some properties about nonces and keys are formalized as non-logical axioms • Prove correctness in the logical system

  11. Proving vs Model Checking

  12. Proving = Model Checking By completeness proof based on the proof-search (i.e., bottom-up proof construction) method

  13. Proving = Model Checking By completeness proof based on the proof-search (i.e., bottom-up proof construction) method Proof-search of a query (which represents a correctness property) If not provable, then counter-example If provable Obtain a formal proof of the query Obtain concrete attacks on the protocol

  14. Provable case • Bottom-up proof search Axioms Agreement formula

  15. Unprovable case • Bottom-up proof search Counter-example Axioms Agreement formula

  16. Proof search outputs Provable Counter-examples

  17. Proof search outputs Provable Counter-examples Realizable counter-examples (=attacks) Use Comon-Treinen’s algorithm for the intruder deduction problem (2003)

  18. Main results for agreement property with a bounded number of sessions • Basic part of Protocol Logic is describable in first-order predicate logic. • First-order proof search-based completeness proof is applicable to our Basic Protocol Logic, hence, usable for proving correctness and detecting attacks at once. • Provability of correctness property is decidable (by finite domain property).

  19. Basic Protocol Logic (or BPL, for short) • Proof search-based completeness proof • Example of our proof construction / counter-example generation

  20. Language of Basic Protocol Logic (1) • Sorts: name, nonce, message, (key) • Terms: • Atomic terms: • : atomic terms of sort (principal) name • : atomic terms of sort nonce • : variables of sort message • All atomic terms of sort name and nonce are terms of sort message. • Compound terms of sort message:

  21. Language of Basic Protocol Logic (2) Formulas: • Atomic formulas: • Trace formula: a sequence of primitive actions (denoted by , or ) (Here we use sends, receives, generates as primitive actions.) • Equality and subterm relations ( ) • Compound formulas: Made by first-order logical connectives e.g. (P generates before P sends before Q receives .)

  22. Logical Axioms of BPL • Base: Axioms of frist-order predicate logic with equality • Rules for trace formulas: (for ) (where are the list of order-preserving merges of and ) example: (the list of order-preserving merges) • Axioms of universal sentences over terms (known as decidable [Venkataraman 87]): is axiom if is valid in free term algebra.

  23. An example of the non-logical axioms: Nonce Verification axiom(Cf. Authentication-tests based Strand space) does not include (i.e., is not a forwarded message). is the only message sent by P which includes . Intuitive meaning:

  24. An example of the non-logical axioms: Nonce Verification axiom(Cf. Authentication tests based strand space) does not include (i.e., is not a forwarded message). is the only message sent by P which includes . Intuitive meaning: decrypt send back

  25. An example of the non-logical axioms: Nonce Verification axiom(Cf. Authentication tests based strand space) does not include (i.e., is not a forwarded message). is the only message sent by P which includes . First order formalization:

  26. An example of Honesty(The Needham-Schroeder protocol) • A’s honesty: (( A performs no action ) ( A performs and A does not perform any other actions) ( A performs and A does not perform any other actions)) A’s run (A performs no action) (2) (0) (1)

  27. Formalization of Honesty(The Needham-Schroeder protocol) • A’s honesty (described in BPL)

  28. Main Results on BPL • Complete for a certain formal trace semantics. • Decidable for Provability of the query (which represents an agreement property). • Applicable to counter-example generations (i.e., flaw detections)

  29. Formal Trace-Based Semantics A formal trace model: • : name domain • : nonce domain • : free term algebra domain on and along with , , • : a sequence of primitive actions • : valuation • is extended to interpretation: • Truth conditions: etc.

  30. Completeness Theorem For any query (which represents an agreement property), the formula is provable in BPL iff it is true for any model

  31. Completeness Proof (1) Proof-Search Tree Construction • Proof-search (i.e., bottom-up proof construction) is based on the sequent calculus of first-order predicate logic • Proof-search tree is constructed in Rounds: (Each round decomposes the outermost logical symbols.) • Round 0 :put the query at the bottom of the tree • Round i : apply the rules for logical connectives (then go to Round i+1 unless the current topmost sequent is closed, i.e., matches an axiom.)

  32. Counter-example Axioms Completeness Proof (1) Proof-Search Tree Construction • Bottom-up proof search Agreement formula

  33. Completeness Proof (2)Main Lemma For any given query (which represents an agreement property), if its proof-search tree includes a branch which is not closed at the end of Round 3, then there exists a counter-model for the query.

  34. Completeness Proof (3)Construction of Counter-Models • A model which is obtained from a topmost non-closed sequent at the end of Round 3 (say, ) is as follows: • Take the set of literals from and , and solve the satisfaction problem of these literals. • Decompose each literal which consists of compound terms. • (e.g., and ) • Take representatives as and . • : • , . • , . • . • Interpretations for compound terms and formulas are defined by inductions. (where is the representative of the equivalence class of )

  35. Completeness Proof (4) Essential Idea Let T be the set of terms in Round 3. For any variable (say, ) which appears above Round 3, an equation m=t with some t T always appears in the left side. Search domain does not increase above Round 3. (closed) left left left (: new variable) (Axiom of formula) (in Honesty) , , Query:

  36. Decidability From Main Lemma and Soundness: If a query is provable in BPL, then the proof-construction procedure terminates by Round 3.

  37. Counter-Example Generations (1) Realizable Traces • We cannot directly consider counter-models to be an attack on the protocol in question, because some of them cannot be realizable. (An example of the unrealizable trace) Use Comon-Treinen’s algorithm for the intruder deduction problem (2003).

  38. Counter-Example Generations (2) Realizable Traces Provable Counter-examples Realizable counter-examples (=attacks)

  39. Proposition For any given query, we can determine whether there exists a realizable counter-example (i.e., a concrete attack on the protocol in question) whenever we set any upper-bound on the number of sessions.

  40. Example: Proof construction and counter-example generation of the Needham-Schroeder The NS protocol

  41. The NS protocol Query: • If • B (responder) executes a run of his role with (i.e., communicating with A using and ).

  42. The NS protocol “B behaves as responder.” Intuitively, means that B performs only the responder’s actions. Query: • If • B (responder) executes a run of his role with (i.e., communicating with A using and ).

  43. The NS protocol Query: • If • B (responder) executes a run of his role with (i.e., communicating with A using and ). • A is honest (i.e., A always acts as initiator).

  44. The NS protocol A’s honesty: Query: • If • B (responder) executes a run of his role with (i.e., communicating with A using and ). • A is honest (i.e., A always acts as initiator).

  45. The NS protocol Query: • If • B (responder) executes a run of his role with (i.e., communicating with A using and ). • A is honest (i.e., A always acts as initiator). • then • A executes the run of her role, and A and B agree on the order of the messages exchanged.

  46. The NS protocol

  47. The NS protocol then by the Nonce Verification axiom

  48. The NS protocol An order preserving merge of (derived from )

  49. The NS protocol

  50. The NS protocol Obtained by instantiation for • where is the list of terms such that • The length is less than or equal to the maximal length of terms appearing in the query. • Each is constructed by atomic terms appearing in the lower sequent.

More Related