security analysis of network protocols john mitchell stanford university
Post on 20-Dec-2015
217 views
TRANSCRIPT
![Page 1: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/1.jpg)
Security Analysis of Network Protocols
John MitchellStanford University
![Page 2: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/2.jpg)
Computer Security Research
Malicious Code
MDS/MLS
SituationalUnderstanding
OODA
Semantic Assuranc
e
FormalizedDesign
IntrusionDetection
IASensors
SurvivableNetwork
Infrastructures
PhysicalSecurity
AutonomicResponse
PolicyCourseof ActionProjection
AutoForensics
Cyber Control Panel
DynamicCoalitions
Law Enforcement Policy
ProtectiveMechanisms
Crypto
ComposableTrust
Open SourceStrategies
Cyber SensorExploitation
IntrusionTolerance
CyberStrategy
Lifecycle Attacks
Insider
?
?
Security of Mobile Agents
Privacy
Web Services
![Page 3: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/3.jpg)
Security Protocols
Challenge-response• ISO 9798-1,2,3; Needham-Schroeder, …
Authentication• Kerberos
Key Exchange• SSL handshake, IKE, JFK, IKEv2,
Wireless and mobile computing• Mobile IP, WEP, 802.11i
Electronic commerce• Contract signing, SET, electronic cash, …
![Page 4: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/4.jpg)
Needham-Schroeder Protocol
{ A, NonceA }
{ NonceA, NonceB }
{ NonceB}
Ka
Kb
Result: A and B share two private numbers
not known to any observer without Ka-1, Kb-1
A B
Kb
![Page 5: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/5.jpg)
Anomaly in Needham-Schroeder
A E
B
{ A, Na }
{ A, Na }{ Na, Nb }
{ Na, Nb }
{ Nb }
Ke
KbKa
Ka
Ke
Evil agent E trickshonest A into revealingprivate key Nb from B.
Evil E can then fool B.
[Lowe]
![Page 6: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/6.jpg)
Needham-Schroeder Lowe
{ A, NonceA }
{ NonceA, B, NonceB }
{ NonceB}
Ka
Kb
A BKb
Authentication?Secrecy?Replay attackForward secrecy?Denial of service?Identity protection?
![Page 7: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/7.jpg)
IKE subprotocol from IPSEC
A, (ga mod p)
B, (gb mod p)
Result: A and B share secret gab mod p
A B
m1
m2 ,
signB(m1,m2)
signA(m1,m2)
Analysis involves probability, modular exponentiation, complexity, digital signatures, communication networks
![Page 8: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/8.jpg)
Ticket 2
Ticket 2
Ticket 1
Ticket 1
Kerberos Protocol
Client
KDC
Service
TGS
{Kt}Kc
C TGS
{Ks}Kt
{C}Kt S
{C}Ks
Ktgs
Kc
Kv
{C, Ks}Kv
{C, Kt}Ktgs
{C, Ks}Kv
{C, Kt}Ktgs
![Page 9: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/9.jpg)
Protocol layer over TCP/IP
Network interface
Transport (TCP)
Physical layer
Internet (IP)
Applicationtelnet
http ftp
nntp
SSL
Common use: https = http over SSL
![Page 10: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/10.jpg)
Handshake Protocol
ClientHello CS C, VerC, SuiteC, NC
ServerHello S C VerS, Suite, SuiteSS, N, NSS,, signCA{ S, KS, KSS }
ClientVerify C S signCA{ C, VC }
{ VerC, SecretC }
signC { Hash( Master(NC, NNSS, SecretC) + Pad2 + Hash(Msgs + C + Master(NC, NNSS, SecretC) + Pad1)) }
(Change to negotiated cipher)
ServerFinished S C { Hash( Master(NC, NNSS, SecretC) + Pad2 + Hash( Msgs + S + Master(NC, NNSS, SecretC) + Pad1)) }
ClientFinished C S { Hash( Master(NC, NNSS, SecretC) + Pad2 + Hash( Msgs + C + Master(NC, NNSS, SecretC) + Pad1)) }
KSS
Master(NC, NSS, SecretC)
Master(NC, NSS, SecretC)
![Page 11: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/11.jpg)
Mobile IPv6 Architecture
IPv6
Mobile Node (MN)
Corresponding Node (CN)
Home Agent (HA)
Direct connection via binding update
Authentication is a requirement
Early proposals weak
![Page 12: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/12.jpg)
Wireless Authentication:Robust Security Network Association
Pre-RSNA Poor Security • 802.11 Authentication• Wired Equivalent Protocol• CRC MIC (Message Integrity Code)
RSNA Better Security• 802.1x Authentication• Key Management• Improved MIC scheme, data encryption
![Page 13: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/13.jpg)
RSNA Sub-protocols
Ethernet
Access Point
Radius ServerLaptop computer
Wireless
4-way Key management
802.11 Association
802.11x Authentication
(1 )MAC Disabled, Port Blocked
(2 )MAC Enabled, Port Blocked
(3 )MAC Enabled, Port Blocked, PMK generated in STA and AS
AS move PMK to AP
Secure Communication
(4 )MAC Enabled, Port Allowed, PTK := KCK|KEK|TK
![Page 14: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/14.jpg)
Optimistic contract signing
Trusted third party can force contract• Third party can declare contract binding if presented with first two messages.
A B
I am going to sign the contract
I am going to sign the contract
Here is my signature
Here is my signature
![Page 15: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/15.jpg)
BA
m1= sign(A, c, hash(r_A) )
sign(B, m1, hash(r_B) )r_A
r_B
Agree
A BNetwork
T
Abort
???
Resolve Attack?
BA Net
T sigT (m1, m2)
m1
???
m2 A
T
Asokan-Shoup-Waidner protocol
If not alreadyresolved
a1
sigT (a1,abort)
![Page 16: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/16.jpg)
BA
PCSA(text,B,T)
PCSB(text,A,T)
sigA(text)
sigB(text)
Agree
A BNetwork
T
m1 = PCSA(text,B,T)
Abort
???
Resolve Attack
BA Net
T PCSA(text,B,T)
sigB(text)
PCSA(text,B,T)
???
PCSB(text,A,T) B
T
sigT(abort)
abort AND sigB(text) abort
Leaked by T
Garay, Jakobsson, MacKenzie
![Page 17: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/17.jpg)
STS Family Derivation
m=gx, n=gy
k=gxy
STS0H
STSa STSaH
STSHSTS
STS0
STSPH
JFK1
distributecertificates
cookie
openresponder
JFK0
symmetrichash
JFKi
protect identities
JFKr
STSP
Properties: Certificates from CA Shared secret: gab
Identity protection DoS protection Reverse ID protection
![Page 18: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/18.jpg)
Protocol Analysis
Computational approaches (insightful, no tools…)
• Proof methods of Bellare-Rogaway, Mauer• Canetti, Backes-Pfitzmann-Waidner
BAN and related axiomatic approaches Methods grounded in symbolic execution
• Assume perfect cryptography• Protocol determines set of traces
– Arbitrary number of principals plus intruder
• Enumerate, search, or reason about this set
![Page 19: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/19.jpg)
Run of protocol
A
BInitiate
Respond
C
D
Correct if no security violation in any run
Attacker
![Page 20: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/20.jpg)
Explicit Intruder Method
Intruder Model
AnalysisTool
Formal Protocol
Informal Protocol
Description
Find error?Assurance?
![Page 21: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/21.jpg)
Automated Finite-State Analysis
Define finite-state system• Bound on number of steps• Finite number of participants• Nondeterministic adversary with finite options
Pose correctness condition• Can be simple: authentication and secrecy• Can be complex: contract signing
Exhaustive search using “verification” tool• Error in finite approximation Error in protocol• No error in finite approximation ???
![Page 22: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/22.jpg)
State Reduction on N-S Protocol
1706
17277
514550
980
6981
155709
58222
3263
1
10
100
1000
10000
100000
1000000
1 init
1 resp
2 init
1 resp
2 init
2 resp
Base: handoptimizationof model
CSFW:eliminatenet, maxknowledgeMergeintrud send,princ reply
![Page 23: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/23.jpg)
Model Checking Studies
Standard academic benchmarks• Needham-Schroeder, TMN, Kerberos-
Realistic network protocols• SSL 3.0, with resumption protocol
Contract signing protocols• Asokan-Shoup-Waidner, Garay-Jakobsson-MacKenzie
Wireless networking• Authenticated Mobile IPv6 • 802.11i
![Page 24: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/24.jpg)
CS259 Term Projects
iKP protocol family Electronic voting XML Security
IEEE 802.11i wireless handshake protocol
Onion Routing Electronic Voting
Secure Ad-Hoc Distance Vector Routing
An Anonymous Fair Exchange E-commerce Protocol
Key Infrastructure
Secure Internet Live Conferencing
Windows file-sharing protocols
![Page 25: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/25.jpg)
Analysis Methods
Modelin
g d
eta
il
Numbe
r of
sess
ions
Complexity of protocol
![Page 26: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/26.jpg)
Protocol analysis spectrum
Low High
Hig
hL
ow
Mo
de
ling
de
tail
Protocol complexity
Mur
FDR
NRLAthena
Hand proofs
Paulson
Strand spaces
BAN logic
Spi-calculus
Poly-time calculus
Model checking
Multiset rewriting with
Protocol logic
![Page 27: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/27.jpg)
Protocol derivation
Protocol derivation• Build security protocols by combining
parts from standard sub-protocols. Proof of correctness
• Prove protocols correct using logic that follows steps of derivation.
![Page 28: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/28.jpg)
Example
Construct protocol with properties:• Shared secret • Authenticated• Identity Protection• DoS Protection
Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)
![Page 29: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/29.jpg)
Component 1
Diffie-Hellman A B: ga
B A: gb
• Shared secret (with someone)– A deduces:
Knows(Y, gab) (Y = A) ۷ Knows(Y,b)
• Authenticated• Identity Protection• DoS Protection
![Page 30: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/30.jpg)
Component 2
Challenge Response: A B: m, A B A: n, sigB {m, n, A}
A B: sigA {m, n, B}
• Shared secret (with someone)• Authenticated
– A deduces: Received (B, msg1) Λ Sent (B, msg2)
• Identity Protection• DoS Protection
![Page 31: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/31.jpg)
Composition
ISO 9798-3 protocol: A B: ga, A B A: gb, sigB {ga, gb, A}
A B: sigA {ga, gb, B}
• Shared secret: gab
• Authenticated• Identity Protection• DoS Protection
m := ga
n := gb
![Page 32: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/32.jpg)
Refinement
Encrypt signatures: A B: ga, A B A: gb, EK {sigB {ga, gb, A}}
A B: EK {sigA {ga, gb, B}}
• Shared secret: gab
• Authenticated• Identity Protection• DoS Protection
![Page 33: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/33.jpg)
Transformation
Use cookie: JFK core protocolA B: ga, A
B A: gb, hashKB {gb, ga}
A B: ga, gb, hashKB {gb, ga}
EK {sigA {ga, gb, B}}
B A: gb, EK {sigB {ga, gb, A}}
• Shared secret: gab
• Authenticated• Identity Protection• DoS Protection
![Page 34: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/34.jpg)
STS Family Derivation
m=gx, n=gy
k=gxy
STS0H
STSa STSaH
STSHSTS
STS0
STSPH
JFK1
distributecertificates
cookie
openresponder
JFK0
symmetrichash
JFKi
protect identities
JFKr
STSP
Properties: Certificates from CA Shared secret: gab
Identity protection DoS protection Reverse ID protection
![Page 35: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/35.jpg)
Protocol logic (Implicit intruder method)
Alice’s information• Protocol• Private data• Sends and receives
Honest Principals,Attacker
Send
Receive
Protocol
Private Data
![Page 36: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/36.jpg)
Intuition
Reason about local information• I chose a new number• I sent it out encrypted• I received it decrypted • Therefore: someone decrypted it
Incorporate knowledge about protocol• Protocol: Server only sends m if it got m’• If server not corrupt and I receive m
signed by server, then server received m’
![Page 37: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/37.jpg)
Execution Model
Protocol• “Program” for each protocol role
Initial configuration• Set of principals and key• Assignment of 1 role to each principal
Run
new x
send {x}B
receive {x}B
A
B
C
Position in run
receive {z}B
new z
send {z}B
![Page 38: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/38.jpg)
Formulas true at a position in run
Action formulasa ::= Send(P,m) | Receive (P,m) | New(P,t)
| Decrypt (P,t) | Verify (P,t)
Formulas ::= a | Has(P,t) | Fresh(P,t) | Honest(N)
| Contains(t1, t2) | | 1 2 | x | |
ExampleAfter(a,b) = (b a)
![Page 39: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/39.jpg)
Modal Formulas
After actions, postcondition [ actions ] P where P = princ, role id
Before/after assertions [ actions ] P
Composition rule
[ S ] P [ T ] P
[ ST ] P
Note: same P in all formulas
![Page 40: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/40.jpg)
Proof System
Sample Axioms:• Reasoning about knowledge:
– Has(A, encX{m}) Has(A, K) Has(A, m)– Has(A, {m,n}) Has(A, m) Has(A, n)
• Reasoning about crypto primitives:– Honest(X) Decrypt(Y, encX{m}) X=Y– Honest(X) Verify(Y, sigX{m}) m’ (Send(X, m’) Contains(m’, sigX{m})
Inference Rule• Persistence rules, …• Honesty/Invariance rule
Soundness Theorem: • Every provable formula is valid
![Page 41: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/41.jpg)
Bidding conventions (motivation)
Blackwood response to 4NT –5 : 0 or 4 aces –5 : 1 ace –5 : 2 aces –5 : 3 aces
Reasoning • If my partner is following Blackwood,
then if she bid 5, she must have 2 aces
![Page 42: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/42.jpg)
Correctness of NSL
Bob knows he’s talking to Alice[ recv encrypt( Key(B), A,m ); new n; send encrypt( Key(A), m, B, n ); recv encrypt( Key(B), n ) ] B
Honest(A) Csent(A, msg1) Csent(A, msg3)
where Csent(A, …) Created(A, …) Sent(A, …)
msg1
msg3
![Page 43: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/43.jpg)
Composition Rules
Prove assertions from invariants |- […]P
Invariant weakening rule |- […]P ’ |- […]P
Prove invariants from protocol Q Q’ Q Q’
If combining protocols, extend assertions to combined
invariants
Use honesty (invariant) rule to show that both protocols
preserve assumed invariants
![Page 44: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/44.jpg)
Combining protocols
DH Honest(X) … CR Honest(X) …
’
|- Secrecy ’ |- Authentication
’ |- Secrecy ’ |- Authentication
’ |- Secrecy AuthenticationDH CR ’
ISO Secrecy Authentication
=
![Page 45: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/45.jpg)
Protocol Templates
Protocols with function variables instead of specific operations• One template can be instantiated to
many protocols Advantages:
• proof reuse• design principles/patterns
![Page 46: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/46.jpg)
Example
A B: mB A: n, F(B,A,n,m)A B: G(A,B,n,m)
A B: mB A: n,EKAB(n,m,B)
A B: EKAB(n,m)
A B: mB A: n,HKAB(n,m,B)
A B: HKAB(n,m,A)
A B: mB A: n, sigB(n,m,A)
A B: sigA(n,m,B)
Challenge-Response Template
ISO-9798-2
ISO-9798-3
SKID3
Abstraction
Instantiation
![Page 47: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/47.jpg)
Proof Structure
Template
axiom
hypothesis
Instance
Discharge hypothesis
![Page 48: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/48.jpg)
Sample projects using this method
Key exchange• STS family, JFK, IKEv2• Diffie-Hellman -> MQV• GDOI [Meadows, Pavlovic]
Work in progress• SSL verification• Wireless 802.11i
![Page 49: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/49.jpg)
Symbolic vs Computational model
Suppose |- [actions]X • If a protocol P satisfies invariants , then
if X does actions, will be true Symbolic soundness
• No idealized adversary acting against “perfect” cryptography can make fail
Computational soundness• No probabilistic polytime adversary can
make fail with nonnegligible probability
![Page 50: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/50.jpg)
Conclusions
Security Protocols• Subtle, critical, prone to error
Analysis methods• Model checking
– Practically useful; brute force is a good thing– Limitation: find errors in small configurations
• Protocol derivation– Systematic development of certain classes of
protocols• Proof methods
– Time-consuming to use general logics– Special-purpose logics can be sound, useful
• Cryptographic foundations– Scientific challenge; currently hot area
![Page 51: Security Analysis of Network Protocols John Mitchell Stanford University](https://reader030.vdocuments.us/reader030/viewer/2022032704/56649d4e5503460f94a2d13a/html5/thumbnails/51.jpg)
Collaborators on work described
Former and current students• Vitaly Shmatikov, Ulrich Stern• Nancy Durgin, Anupam Datta, Ante Derek• Ajith Ramanathan, Changhua He, …
Outside Stanford• Andre Scedrov (U Penn)• Patrick Lincoln (SRI)• Dusko Pavlovic (Kestrel)