Presentation is loading. Please wait.

Presentation is loading. Please wait.

Formal Methods for Security Protocols

Published byHugo Gibson Modified over 6 years ago

Similar presentations

Presentation on theme: "Formal Methods for Security Protocols"— Presentation transcript:

1 Formal Methods for Security Protocols
Catuscia Palamidessi Penn State university, USA 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

2 TU Dresden - Ws on Proof Theory and Computation
Security Protocols Contents of previous lectures: Brief introduction to security protocols Brief introduction to Cryptographic methods Vulnerability of Security protocols Introduction to CSP Modeling security protocols in CSP principals, server, intruder Expressing security properties in CSP anonymity Verification of security protocols using FDR example (of anonymity): Dining cryptographers 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

3 Expressing Security Properties in CSP
Security properties: the goals that a protocol is meant to satisfy, relatively to specific kinds and levels of threat – the intruders and their capabilities We will consider the following security properties: Secrecy No information leakage Authentication No falsification of identity Non-repudiation Evidence of the involvement of the other party Anonymity Protecting the identity of agents wrt particular events 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

4 Secrecy and authentication
Safety properties: a certain bad thing should not happen Explicit annotations: In the CSP approach, these properties are defined by “enhancing” the code of the processes with explicit signal claiming the success of the protocol wrt the intended property Secrecy: Claim_secret. m Information m has not become known to the intruder Authentication: Run with A , Commit with B The matching of these two events guarantees identities of A and B 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

5 Secrecy and authentication
Intr B A Intr B Protocol run Run with A Claim_Secret.m Commit with B 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

6 Example: The Yahalom Protocol
The protocol Message 1 a -> b : a.na Message 2 b -> s : b.{a.na.nb}ServerKey(b) Message 3 s -> a : {b.kab.na.nb}ServerKey(a) {a.kab}ServerKey(b) Message 4 a -> b : {a.kab}ServerKey(b) .{nb}kab Authentication of the participants Kab should remain secret We may require secrecy also on nb 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

7 Example: Secrecy in the Yahalom protocol
CSP description of the two parties - Original Initiator(a,na ) = env?b: Agent g send.a.b.a.na g [] (receive.J.a{b. kab.na.nb}ServerKey(a) .m kab e Key g send.a.b.m.{nb}kab nb e Nonce g Session(a,b,kab,na,nb) ) m e T Responder(b,nb ) = [] (receive.a.b.a.na g send.b.J.b .{a.na.nb}ServerKey(b) kab e Key g receive.a.b.{a. kab}ServerKey(b) .{nb}kab nb e Nonce g Session(b,a,kab,na,nb) ) 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

8 Example: Secrecy in the Yahalom protocol
CSP description of the two parties - Enhanced Initiator’(a,na ) = env?b: Agent g send.a.b.a.na g [] (receive.J.a{b. kab.na.nb}ServerKey(a) .m kab e Key g send.a.b.m.{nb}kab nb e Nonce g signal.Claim_Secret.a.b.kab m e T g Session(a,b,kab,na,nb) ) Responder’(b,nb ) = [] (receive.a.b.a.na g send.b.J.b .{a.na.nb}ServerKey(b) kab e Key g receive.a.b.{a. kab}ServerKey(b) .{nb}kab nb e Nonce g signal.Claim_Secret.a.b.kab m e T g Session(b,a,kab,na,nb) ) 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

9 Example: Secrecy in the Yahalom protocol
CSP description of the server Server(J,kab ) = [] (receive.b.J.b .{a.na.nb}ServerKey(b) A,B e Agent g send.J.a. {b. kab.na.nb}ServerKey(a) .{a.kab}ServerKey(b) Nb ,nb e Nonce g Server(J,ks ) ) Server(J) = ||| Server(J,kab ) kab e KeysServer 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

10 Example: Secrecy in the Yahalom protocol
CSP description of the intruder Intruder(X) = learn ? m: messages gIntruder(close(X U {m}) [] say ! m: X /\ messages gIntruder(X) Close(X) represents all the possible information that the attacker can infer from X. Typically we assume k , m |- {m}k {m}k , k-1 |- m <x1,…,xn> |- xi x1 ,…, xn |- <x1,…,xn> 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

11 Example: Secrecy in the Yahalom protocol
Initiator’(Alice,nA) S ||| Responder’(Bob,nB) S ||| Server(Jeeves) S ||| Intruder(f) S’ S = [fake,take/receive,send] S’ = [take.x.y/learn][fake.x.y, leak/say] Jeeves receive send Alice Bob receive send send receive fake.x.Bob take.Alice.y learn say Yves leak 7 June Lecture 4

12 Example: Secrecy in the Yahalom protocol
The property to be verified: Signal.Claim_Secret.a.b.m occurs in tr a not(leak.m occurs in tr) for all traces tr belonging to Traces(System) this property can be verified automatically by checking the traces 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

13 TU Dresden - Ws on Proof Theory and Computation
Authentication The CSP approach is based on inserting signals: Running.a.b (in a’s protocol) Agent a is executing a protocol run apparently with b Commit.b.a (in b’s protocol) Agent b has completed a protocol run apparently with a Authentication is achieved if Running.a.b always precedes Commit.b.a in the traces of the system Weaker or stronger forms of authentication can be achieved by variations of the parameters of these signals and the constraints on them 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

14 Authentication in the Yahalom Protocol
The Yahalom Protocol aims at providing authentication of both parties : authentication of the initiator to the responder, and viceversa We will analyze the two authentication properties separately This requires two separate enhancements of the protocol 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

15 Yahalom: authentication of initiator
CSP description of the two parties - Enhanced Initiator’(a,na ) = env?b: Agent g send.a.b.a.na g [] (receive.J.a{b. kab.na.nb}ServerKey(a) .m kab e Key g signal.Running_Initiator.a.b.na.nb.kab nb e Nonce g send.a.b.m.{nb}kab m e T g Session(a,b,kab,na,nb) ) Responder’(b,nb ) = [] (receive.a.b.a.na g send.b.J.b .{a.na.nb}ServerKey(b) kab e Key g receive.a.b.{a. kab}ServerKey(b) .{nb}kab nb e Nonce g signal. Commit_Responder.b.a.na.nb.kab m e T g Session(b,a,kab,na,nb) ) 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

16 Yahalom: authentication of initiator
Initiatora Responderb Server a.na b.{a.na.nb}ServerKey(b) {b.kab.na.nb}ServerKey(a) {a.kab}ServerKey(b) Run.Init.a.b.na.nb.kab {a.kab}ServerKey(b) .{nb}kab Comm.Resp.b.a.na.nb.kab 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

17 Yahalom: authentication of initiator
The property to be verified: signal. Running_Initiator.a.b.na.nb.kab precedes signal.Commit_Responder.b.a.na.nb.kab in all the traces in Traces(System) Again, this property can be verified automatically by checking the traces 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

18 Yahalom: authentication of responder
CSP description of the two parties - Enhanced Initiator’(a,na ) = env?b: Agent g send.a.b.a.na g [] (receive.J.a{b. kab.na.nb}ServerKey(a) .m kab e Key g send.a.b.m.{nb}kab nb e Nonce g signal.Commit_Initiator.a.b.na.nb.kab m e T g Session(a,b,kab,na,nb) ) Responder’(b,nb ) = [] (receive.a.b.a.na g send.b.J.b .{a.na.nb}ServerKey(b) kab e Key g signal.Running_Responder.b.a.na.nb nb e Nonce g receive.a.b.{a. kab}ServerKey(b) .{nb}kab m e T g Session(b,a,kab,na,nb) ) 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

19 Yahalom: authentication of responder
Initiatora Responderb Server a.na Run_Resp.b.a.na.nb. b.{a.na.nb}ServerKey(b) {b.kab.na.nb}ServerKey(a) {a.kab}ServerKey(b) {a.kab}ServerKey(b) .{nb}kab Comm.Init.a.b.na.nb.kab 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

20 Yahalom: authentication of responder
The property to be verified: signal. Running_Responder.b.a.na.nb precedes signal.Commit_Initiator.a.b.na.nb.kab in all the traces in Traces(System) Again, this property can be verified automatically by checking the traces 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

21 TU Dresden - Ws on Proof Theory and Computation
Authentication A similar analysis was done by Gavin Lowe for the Needham-Schoeder Public Key protocol Authentication of responder: Yes Authentication of initiator: No There is a trace which contains signal.Commit_Responder.b.a. preceded only by signal.Running_Initiator.a.i 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

22 Non-repudiation Goal: to provide the parties of an interaction with evidence so that later they cannot deny having participated Example: The Zhou-Gollmann protocol Message 1 a -> b : {fNRO .b.n.c}Ska Message 2 b -> a : {fNRR .a.n.c}Skb Message 3 a -> j : {fSUB .b.n.k}Ska Message 4 b <-> j : {fCON .a.b.n.k}Skj Message 5 a <-> j : {fCON .a.b.n.k}Skj c = {m}k where m is the message to be transmitted a and b are the parties, j is the trusted server fNRO , fNRR, etc. are flags identifying the steps. n is a nonce Ska, Skb, etc. are signature keys known only to their owners a can prove that b has got the message by presenting {fNRR .a.n.c}Skb and {fCON .a.b.n.k}Skj 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

23 The Zhou-Gollmann protocol
Non-Repudiation of Recipient: a can prove that b has got the message by presenting {fNRR.a.n.c}Skb and {fCON .a.b.n.k}Skj Non-Repudiation of Origin: b can prove that a has sent the message by presenting {fNRO.b.n.c}Ska and {fCON .a.b.n.k}Skj 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

24 CSP analysis of Non-Repudiation
Specification of the Zhou-Gollmann protocol in CSP Agenta(S) = [] b e Agent, m e S send.a.b.m -> Agenti(S) [] receive.a.b?m -> Agenta(close(S U {m})) [] ftp.a.Jeeves?m -> Agenta(close(S U {m})) [] m e S evidence.a.m -> Agenti(S) Close(S) represent the capability of inferring new information Server(S) = receive.a.Jeeves?. {fSUB .b.n.k}Ska -> Server(S U {fCON .a.b.n.k}Skj) [] b e Agent, m e S ftp.a.Jeeves.m -> Server(S) 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

25 The Zhou-Gollmann protocol in CSP
evidence.a evidence.b a b ftp.a ftp.b send.*.b send.*.a J receive.*.b receive.*.a receive.*.J send.*.J medium 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

26 Analysis of the Zhou-Gollmann protocol
Non-Repudiation of Recipient: evidence.a.{fNRR.a.n.c}Skb in tr a b sent (fNRR.a.n.c) for every trace tr evidence.a.{fCON.a.b.n.k}Skj in tr a receive.a.j.{fCON.a.b.n.k}Skj in tr for every trace tr Non-Repudiation of Origin: evidence.b.{fNRO.b.n.c}Ska in tr a a sent (fNRO.b.n.c) for every trace tr evidence.b.{fCON.a.b.n.k}Skj in tr a a sent (fSUB.b.n.k) for every trace tr Again, these properties on traces can be proven automatically 7 June Lecture 4 TU Dresden - Ws on Proof Theory and Computation

Download ppt "Formal Methods for Security Protocols"

Similar presentations

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.

Security attacks. - confidentiality: only authorized parties have read access to information - integrity: only authorized parties have write access to.
1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
University of Twente The Netherlands Centre for Telematics and Information Technology Verification of Security Protocols Sandro Etalle

University of Twente The Netherlands Centre for Telematics and Information Technology Verification of Security Protocols Sandro Etalle
University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.

University of Twente The Netherlands Centre for Telematics and Information Technology Constraint Logic Programming for Verifying Security Protocols Sandro.
5 June 2002 - Lecture 1 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,

5 June Lecture 1 1 TU Dresden - Ws on Proof Theory and Computation Formal Methods for Security Protocols Catuscia Palamidessi Penn State University,
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Lecture 4 1 Expressing Security Properties in CSP Security properties: the goals that a protocol is meant to satisfy, relatively to specific kinds and.

Lecture 4 1 Expressing Security Properties in CSP Security properties: the goals that a protocol is meant to satisfy, relatively to specific kinds and.
1 Lecture 3 The CSP approach to the specification and analysis of Security protocols Communicating Sequential Processes [Hoare 78] Mathematical framework.

1 Lecture 3 The CSP approach to the specification and analysis of Security protocols Communicating Sequential Processes [Hoare 78] Mathematical framework.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.
Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,

Protocol Composition Logic Arnab Roy joint work with A. Datta, A. Derek, N. Durgin, J.C. Mitchell, D. Pavlovic CS259: Security Analysis of Network Protocols,
Information Security of Embedded Systems 10.2.2010: BAN-Logic Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

Information Security of Embedded Systems : BAN-Logic Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.

Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
Verification of Security Protocols Lecture 1 Introduction and Overview Sandro Etalle.

Verification of Security Protocols Lecture 1 Introduction and Overview Sandro Etalle.
IT 221: Introduction to Information Security Principles Lecture 6:Digital Signatures and Authentication Protocols For Educational Purposes Only Revised:

IT 221: Introduction to Information Security Principles Lecture 6:Digital Signatures and Authentication Protocols For Educational Purposes Only Revised:
Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.

Security protocols  Authentication protocols (this lecture)  Electronic voting protocols  Fair exchange protocols  Digital cash protocols.
Security protocols and their verification Mark Ryan University of Birmingham Midlands Graduate School University of Birmingham 11-15 April 2005 Steve Kremer.

Security protocols and their verification Mark Ryan University of Birmingham Midlands Graduate School University of Birmingham April 2005 Steve Kremer.
11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.

11.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 11 Message Integrity and Message Authentication.

Similar presentations

Ads by Google