# Chen Advisor: Limin Jia.  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion.

## Presentation on theme: "Chen Advisor: Limin Jia.  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion."— Presentation transcript:

 Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion

 Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Translation into Horn Clauses  Demo  Comparison  Conclusion

Original Protocol Pi CalculusHorn ClausesProverif Authenticity Reserved?

 Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Translation into Horn Clauses  Demo  Comparison  Conclusion

 Extension of pi calculus with: ◦ cryptographic primitives ◦ “begin” & “end” events  Pi calculus: ◦ mathematical formalisms for describing and analyzing properties of concurrent computation

 Name: ◦ Free name: Names globally known (also to adversary) ◦ Bound name: Names local to the process  Variable: ◦ Free variable: Variables not used anywhere ◦ Bound name: variables used in the process

 Equivalence:  Reduction:

Original Protocol Pi CalculusHorn ClausesProverif Process P

 A simplified version of Woo and Lam one-way public key authentication protocol

 Create secret key sk A & sk B  Create corresponding public keys  Distribute public keys  Create unbounded number of sessions

 Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Translation into Horn Clauses  Demo  Comparison  Conclusion

 Adversary (attacker) ◦ Closed process: Process without free variables (allow free names)

 Secrecy Remember: Q has access to all free names, including channel c

 Authenticity ◦ Non-injective agreement:  if event end(M) is executed, then begin(M) has also been executed.

 Authenticity ◦ Injective agreement:  The number of executions of end(M) is smaller than that of begin(M). Where is Authenticity?

 Authenticity ◦ Non-injective agreement:  if event end(M) is executed, then begin(M) has also been executed.

 Authenticity is satisfied when: ◦ B cannot emit his end event without A having emitted her begin event.  End(M) => Begin(M) for all cases.

Sarkozy thinks: Sarkozy says: Sarkozy agrees: Authenticity is satisfied when: The other side is indeed Sarkozy!

Begin(M): I start my part of the protocol. I think I would talk to Obama End(M): I finish my part of the protocol. I think I have talked to Sarkozy Protocol ensures: Remember: Protocol is lock-stepped!

Begin(M): I start my part of the protocol. I think I would talk to Obama End(M): I finish my part of the protocol. I think I has talked to Sarkozy Authenticity is violated when End(M) => Begin(M)!

 Authenticity is satisfied when: ◦ B cannot emit his end event without A having emitted her begin event.  End(M) => Begin(M) for all cases.

Begin(M): I start my part of the protocol. I think I would talk to Obama End(M): I finish my part of the protocol. I think I has talked to Sarkozy Here End(M) !=> Begin(M)!

 Authenticity ◦ Non-injective agreement:  if event end(M) is executed, then begin(M) has also been executed. Correct!

We will be back!

 Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Translation into Horn Clauses  Demo  Comparison  Conclusion

 (P1 Λ P2 Λ…Λ Pn) => u  Our usage: ◦ Patterns ◦ Facts ◦ Rules  Attacker  Protocol

 (P1 Λ P2 Λ…Λ Pn) => u  Our usage: ◦ Patterns ◦ Facts ◦ Rules  Attacker  Protocol

 (P1 Λ P2 Λ…Λ Pn) => u  Our usage: ◦ Patterns ◦ Facts ◦ Rules  Attacker  Protocol

 (P1 Λ P2 Λ…Λ Pn) => u  Our usage: ◦ Patterns ◦ Facts ◦ Rules  Attacker  Protocol

 (P1 Λ P2 Λ…Λ Pn) => u  Our usage: ◦ Patterns ◦ Facts ◦ Rules  Attacker  Protocol

Original Protocol Pi CalculusHorn ClausesProverif

 If c ∈ S, message(c[],M) = attacker(M)  Vo, Vs: ◦ Vo: Set of ordinary variables. ◦ Vs: Set of session identifiers.  ρ : mapping from variables and names to patterns  h : Sequence of facts of message and begin. ◦ Literals of horn clauses we want

 [|P|] = [|(vskA).P1|]  [|P1|] = [|(vskB).P2|]  [|P2|] = [|let pkA = pk(skA) in P3|]  [|P3|] = [|let pkB = pk(skB) in P4|]  [|P4|] = [|c.P5|]  ρ : c → c[]  h :  First Horn Clause: message(c[],pk(skA))=attacker(pk(skA[])),skA → skA[], skB → skB[], pkA → pk(skA[]), pkB → pk(skB[])

Original Protocol Pi CalculusHorn ClausesProverif B P0,S

 B P0,S : Horn clauses of the protocol  B b : Horn clauses of allowed begin event. We are back!

 Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Translation into Horn Clauses  Demo  Comparison  Conclusion

 Authenticity verification on Proverif

 Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Translation into Horn Clauses  Demo  Comparison  Conclusion

ProsCons Fully AutomaticSometimes no termination Unlimited number of sessionsSometimes not Complete General cryptographic primitives

 Inductive method similar to Proverif ◦ Proverif is kind of automatic  Model checking automatic ◦ Infinate session in Proverif. ProverifInductive Approach Model Checking (Mur phi) AutomaticityYNY Number of States Support Infinite Finite Concurrency Support YY(Manually)Y(limited)

 Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Translation into Horn Clauses  Demo  Comparison  Conclusion

New Technique for Authenticity verification in Cryptographic Protocol Fully automatic Precise sematic foundation Unbounded number of sessions Support general cryptographic primitive

Download ppt "Chen Advisor: Limin Jia.  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion."

Similar presentations