Formally (?) Deriving Security Protocols
Anupam Datta
WIP with Ante Derek, John Mitchell, Dusko Pavlovic
October 23, 2002
Goals:
Build security protocols in a compositional manner, i.e., from standard sub-protocols.
Prove formally using logic that the composition process is sound, i.e., the resulting protocol is correct in a precise sense.
Idea:
Capture protocol designers’ intuition in a formal framework.
Example 1 Diffie-Hellman:
X → Y: g^x
Y → X: g^y
Property 1: Secrecy
X deduces: Knows(Z, g^xy) ⊃ Knows(Z, y)
Example 2 Challenge Response:
A → B: m, A
B → A: n, sig_B{n, m, A}
A → B: sig_A{m, n, B}
Property 2: Mutual Authentication
A deduces: Created(B, n) ∧ Sent(B, msg2)
Composition
ISO 9798-3 protocol:
A → B: g^a, A
B → A: g^b, sig_B{g^b, g^a, A}
A → B: sig_A{g^a, g^b, B}
Has both Property 1 & Property 2.
It can be inferred that A & B have a shared secret, g^ab.
Refinement
Encrypt signatures: (find-and-replace)
A → B: g^a, A
B → A: g^b, E_K{sig_B{g^b, g^a, A}}
A → B: E_K{sig_A{g^a, g^b, B}}
Has Property 1 & Property 2.
Also Property 3: Identity protection
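The Composition and Refinement steps above can be replayed as rewrites on symbolic terms. The following sketch is an added example, not code from the talk or the technical report; the term encoding and all function names are assumptions made for illustration.

```python
# Added example: the slides' derivation steps as rewrites on symbolic terms.
# All function and variable names here are illustrative, not from the report.

def exp(x): return ("exp", x)                     # g^x
def sig(who, *body): return ("sig", who, body)    # sig_who{body}
def enc(key, term): return ("enc", key, term)     # E_key{term}

# Challenge-response as (sender, receiver, payload) triples.
CHALLENGE_RESPONSE = [
    ("A", "B", ("m", "A")),
    ("B", "A", ("n", sig("B", "n", "m", "A"))),
    ("A", "B", (sig("A", "m", "n", "B"),)),
]

def rewrite(term, rule):
    """Apply `rule` bottom-up to every subterm of `term`."""
    if isinstance(term, tuple):
        term = tuple(rewrite(t, rule) for t in term)
    return rule(term)

def compose_with_dh(protocol):
    """Composition: substitute DH exponentials for the fresh nonces m and n."""
    subst = {"m": exp("a"), "n": exp("b")}
    return [(s, r, rewrite(p, lambda t: subst.get(t, t))) for s, r, p in protocol]

def encrypt_signatures(protocol, key="K"):
    """Refinement: replace every sig{...} by E_K{sig{...}}."""
    def rule(t):
        return enc(key, t) if isinstance(t, tuple) and t[:1] == ("sig",) else t
    return [(s, r, rewrite(p, rule)) for s, r, p in protocol]

def show(t):
    """Render a term in the slides' notation."""
    if isinstance(t, str):
        return t
    if t[0] == "exp":
        return "g^" + show(t[1])
    if t[0] == "sig":
        return "sig_%s{%s}" % (t[1], ", ".join(map(show, t[2])))
    if t[0] == "enc":
        return "E_%s{%s}" % (t[1], show(t[2]))
    return ", ".join(map(show, t))                # plain payload tuple

def render(protocol):
    return ["%s -> %s: %s" % (s, r, show(p)) for s, r, p in protocol]

if __name__ == "__main__":
    iso = compose_with_dh(CHALLENGE_RESPONSE)
    print("\n".join(render(iso) + render(encrypt_signatures(iso))))
```

The rewrites are purely syntactic: they produce the message flows of the derived protocols but say nothing about whether Properties 1 and 2 survive each step, which is what the logic is meant to establish.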
Other applications…
By applying a series of other such simple syntactic rules, we derive the JFK protocol (a proposed protocol to replace IKE as the IPSec key exchange protocol).
Technical Report: www.stanford.edu/~danupam/composition.ps
Formalization
Notation
Cord Calculus and Compositional Logic [Durgin, Mitchell, Pavlovic; 2001]
Motivation: the “arrows and messages” representation is inadequate. A more descriptive language is needed for describing the actions of the protocol participants.
Actions:
(νx) generate new term x
(x) receive term into x
<t> send a term t
Challenge-Response revisited
A : ( ) [(νm) <{m, A}> (x) …]_A < >
Parts of the cord labelled on the slide: input interface, output interface, actions.
Attach logical assertions to actions:
[(νm)]_A Created(A, m)
This assertion is a required precondition to prove mutual authentication.
ISO 9798-3 revisited
A : ( ) [(νx)] <g^x> ; (m) [<{m, A}> (x) …]_A < >
1. Generate new x; compute g^x
2. Substitute g^x for m in the second cord
Created(A, g^x) is a precondition. Mutual authentication can be proved as in challenge-response.
Summary
Security protocols can be built in an incremental manner by combining sub-protocols.
Future work: Formal framework for reasoning that the composition process preserves the properties of the original sub-protocols.