Model Checking for Security Protocols
Will Marrero, Edmund Clarke, Somesh Jha


1 Model Checking for Security Protocols
Will Marrero, Edmund Clarke, Somesh Jha

2 Needham-Schroeder Protocol (circa 1996) Purpose: Authenticate Participants

3 Assumptions
- Perfect Encryption
  - The decryption key must be known to encrypt
  - No encryption collisions
- Proofs offer no protection from poor encryption implementation!

4 Intruder’s Ability
- Interception
  - Ex:
- Impersonation
  - Ex:
- Legitimate Participant
  - Ex:
- Compromise Temporary Secrets
  - But those secrets should not be revealed by protocol

5 Security Properties
- Secrecy
  - Tracked by two sets in global state
- Correspondence
  - “If A believes it has completed two protocol runs with principal B, then principal B must have at least begun two protocol runs with principal A.”
  - Tracked by counters in global state

6 Atomic Messages
- Keys
  - Ex:
- Principal Names
  - Ex: A, B, I
- Nonces
  - Ex:
- Data

7 Messages and Atomic Messages
Given A, a set of atomic messages, the set M of all messages is defined inductively:

8 Closure of Messages Let be a subset of messages The closure of is defined by: (pairing) (projection) (encryption) (decryption)

9 Principals
A 4-Tuple
- N the name of the principal
- p a process given as a sequence of actions to be performed
- is a set of known messages, generally infinite, but from a finite generator set.
- B a set of bindings from variables in p to messages in I

10 Initial Knowledge For the intruder 

11 Global State
A 5-Tuple
- is the product of the individual principals (including the intruder)
- difference between number of times A has initiated a protocol and the number of times B has finished responding
- difference between number of times A has begun responding and the number of times B has finished initiating

12 Global State Continued
A 5-Tuple
- a set of safe secrets. Remains constant.
- a set of temporary secrets. New secrets generated during the run of the protocol.
The last four values check security constraints.

13 Process

14 Internal Actions NEWNONCE( var ) NEWSECRET( var )

15 Internal Actions GETSECRET( val ) – Intruder Only

16 Internal Actions
- A calls BEGINIT(B), B calls ENDRESPOND(A)
- BEGRESPOND/ENDINIT
  - Symmetric on

17 Communication Actions
- Sends and receives are synchronized
  - A process can only send a message if it unifies with a receive message
- Sender must be able to sculpt a message that matches all existing bindings and expectations
- How does the intruder sculpt such a message?

18 Model Checking Algorithm

19 Finding a needle in a haystack
Decidability of when is probably infinite?
Normalized Derivation: (pairing) (projection) (encryption) (decryption)
Expanding Rules
Shrinking Rules

20 Normalized Derivation
The following algorithm is guaranteed to terminate and decide :
- Start with a generator set
- Apply all possible shrinking rules
- Try all possible sequences of expanding rules until word size is equal to s
Proves existence

21 An Efficient Approach
When adding a message to I in :
- Apply all possible shrinking rules
- Remove ‘redundant messages’
- Result is minimal generator
Can recursively attempt to build

22 Verification and Attack

23 The lack of correspondence trace reveals the following attack:

