Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.


1 Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002

2 Goals: Build security protocols in a compositional manner, i.e., from standard sub-protocols. Prove formally using logic that the composition process is sound, i.e., the resulting protocol is correct in a precise sense.

3 Idea: Capture protocol designers’ intuition in a formal framework.

4 Example 1 Diffie-Hellman:
    X → Y: g^x
    Y → X: g^y
Property 1: Secrecy. X deduces: Knows(Z, g^{xy}) ⊃ Knows(Z, y)

5 Example 2 Challenge Response:
    A → B: m, A
    B → A: n, sig_B{n, m, A}
    A → B: sig_A{m, n, B}
Property 2: Mutual Authentication. A deduces: Created(B, n) ∧ Sent(B, msg2)

6 Composition ISO 9798-3 protocol:
    A → B: g^a, A
    B → A: g^b, sig_B{g^b, g^a, A}
    A → B: sig_A{g^a, g^b, B}
Has both Property 1 & Property 2. It can be inferred that A & B have a shared secret, g^{ab}.

7 Refinement Encrypt signatures (find-and-replace):
    A → B: g^a, A
    B → A: g^b, E_K{sig_B{g^b, g^a, A}}
    A → B: E_K{sig_A{g^a, g^b, B}}
Has Property 1 & Property 2. Also Property 3: Identity protection

8 Other applications… By applying a series of other such simple syntactic rules, we derive the JFK protocol (a proposed protocol to replace IKE as the IPSec key exchange protocol). Technical Report: www.stanford.edu/~danupam/composition.ps

9 Formalization

10 Notation: Cord Calculus and Compositional Logic [Durgin, Mitchell, Pavlovic; 2001]
Motivation: The “arrows and messages” representation is inadequate. A more descriptive language is needed for describing the actions of the protocol participants.
Actions:
    (νx)  generate new term x
    (x)   receive term into x
    send a term t

11 Challenge-Response revisited
    A : ( ) [(νm) (x) …]_A <>
Diagram labels: input interface, output interface, actions.
Attach logical assertions to actions:
    [(νm)]_A Created(A, m)
This assertion is a required precondition to prove mutual authentication.

12 ISO 9798-3 revisited
    A : ( ) [(νx)] ; (m) [(x) …]_A <>
1. Generate new x; compute g^x
2. Substitute g^x for m in the second cord
Created(A, g^x) is a precondition. Mutual authentication can be proved as in challenge-response.

13 Summary: Security protocols can be built in an incremental manner by combining sub-protocols. Future work: a formal framework for reasoning that the composition process preserves the properties of the original sub-protocols.
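
The composition on slides 5, 6 and 12 can be run as a small symbolic model. This is an added example, not code from the presentation or its authors: the same challenge-response exchange is executed once with random nonces and once with m := g^a and n := g^b substituted, which gives the ISO 9798-3 messages. Signatures are symbolic terms rather than real cryptography, and the group parameters `P` and `G`, like all function names, are assumptions made for illustration.

```python
import secrets

P, G = 2**127 - 1, 5   # toy group (assumption): illustration only, not a vetted DH group

def sig(signer, *fields):
    """Symbolic signature term; only `signer` is assumed able to build it."""
    return ("sig", signer, fields)

def a_accepts(msg2, m, a_name, b_name):
    """A's check on message 2: B signed this n, A's own m, and A's name."""
    n, s = msg2
    return s == sig(b_name, n, m, a_name)

def b_accepts(msg3, m, n, a_name, b_name):
    """B's check on message 3: A signed the same m and n, and B's name."""
    return msg3 == sig(a_name, m, n, b_name)

def challenge_response(fresh_a, fresh_b, a_name="A", b_name="B"):
    """Slide 5 exchange; fresh_a/fresh_b return (public value, private value)."""
    m, a_priv = fresh_a()
    msg1 = (m, a_name)                       # A -> B: m, A
    n, b_priv = fresh_b()
    msg2 = (n, sig(b_name, n, m, a_name))    # B -> A: n, sig_B{n, m, A}
    if not a_accepts(msg2, m, a_name, b_name):
        raise ValueError("A rejects message 2")
    msg3 = sig(a_name, m, n, b_name)         # A -> B: sig_A{m, n, B}
    if not b_accepts(msg3, m, n, a_name, b_name):
        raise ValueError("B rejects message 3")
    return {"m": m, "n": n, "a_priv": a_priv, "b_priv": b_priv,
            "msgs": [msg1, msg2, msg3]}

def nonce():
    """Plain challenge-response: a random nonce with no private part."""
    return secrets.randbits(64), None

def dh_share():
    """Diffie-Hellman component: private exponent x, public value g^x."""
    x = secrets.randbelow(P - 2) + 1
    return pow(G, x, P), x

def iso_9798_3():
    """Slide 12 substitution: m := g^a, n := g^b in the same exchange."""
    run = challenge_response(dh_share, dh_share)
    key_a = pow(run["n"], run["a_priv"], P)  # A computes (g^b)^a
    key_b = pow(run["m"], run["b_priv"], P)  # B computes (g^a)^b
    return run, key_a, key_b

if __name__ == "__main__":
    run, key_a, key_b = iso_9798_3()
    print("A and B agree on g^ab:", key_a == key_b)
```

The acceptance checks are unchanged by the substitution, which is the point of the derivation: the authentication argument for challenge-response carries over while the exchanged values additionally yield the shared secret.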

