StatVerif: Modelling protocols that involve persistent state (mdr/slides/pdf/11-fmats.pdf · 2012. 2. 1.)
Page 1
StatVerif: Modelling protocols that involve persistent state
Mark D. Ryan, University of Birmingham
Joint work with Myrto Arapinis, Stephanie Delaune, Steve Kremer, Joshua Phillips and Graham Steel
7–8 December 2011
Page 2
Outline
The ProVerif method
Protocols with persistent state
The TPM
StatVerif
Page 3
Verifying cryptographic protocols
“Provable/computational security”
1 Computationally bounded (polynomial) attacker
2 Exact cryptographic operations on bitstrings
3 Bitstring (more concrete) model
4 Prove that the difficulty of violating the security property is equivalent to solving a hard problem
“Formal/symbolic methods”
1 Idealised (worst case) attacker
2 Idealised (best case) perfect cryptography
3 Symbolic (more abstract) model of the protocol
4 Prove the impossibility of violating the security property within the model
Page 4
Attacker model
We model a very powerful attacker, with “Dolev-Yao” capabilities:
It completely controls the communication channels, so it is able to record, alter, delete, insert, redirect, reorder, and reuse past or current messages, and inject new messages. (The network is the attacker.)
It can manipulate data in arbitrary ways, including applying crypto operations, provided it has the necessary keys.
It controls dishonest participants.
“It’s always better to assume the worst. Assume your adversaries are better
than they are. Assume science and technology will soon be able to do things
they cannot yet. Give yourself a margin for error. Give yourself more security
than you need today.” - Bruce Schneier
Page 5
Coding protocols as processes
Original handshake protocol:
let Server =
in (ch, pkC’);
new k;
out (ch, enc(pkC’, sign(skS, k) ));
in (ch, m);
0.
Handshake protocol
S                                        C
new k
-- enc_pkC(sign_skS(k)) ---------------->
<-- senc_k(s) ---------------------------
Page 6
The handshake protocol in full
free ch.
(* Public key cryptography *)
fun pk/1.
fun enc/2. fun dec/2.
equation dec(x, enc(pk(x), y) ) = y.
(* Signatures *)
fun sign/2. fun checksign/2. fun getmess/1. fun ok/0.
equation checksign(pk(x), sign(x,y)) = ok.
equation getmess(sign(x,y)) = y.
(* Shared-key cryptography *)
fun senc/2. fun sdec/2.
equation sdec(senc(x,y),x) = y.
Page 7
The handshake protocol in full 2
let Server =
in (ch, pkC’);
new k;
out (ch, enc(pkC’, sign(skS, k) ));
in (ch, m);
0.
let Client =
in (ch, pkS’);
in (ch, m);
let m’ = dec(skC, m) in
if checksign(pkS’, m’) = ok then
(* the signed key is extracted from the decrypted signature m’, not from the ciphertext m *)
let k’ = getmess(m’) in
if pkS’ = pkS then
out (ch, senc(k’, s)).
Page 8
Security properties
The applied pi calculus can model the following:
Reachability properties (e.g., secrecy)
Correspondence assertions (e.g., authentication)
Observational equivalence (e.g., strong secrecy; for instance, ballot secrecy)
Page 9
Handshake protocol - analysis
S                          I                          C
new k                                                 new s
                           <-- pkC -------------------
<-- pkM -------------------
-- enc_pkM(sign_skS(k)) -->
                           -- enc_pkC(sign_skS(k)) -->
                           <-- senc_k(s) -------------
C publishes her public key
I starts a session with S
I learns sign_skS(k) and k
I replays sign_skS(k) in a session with S
I is able to output secret s
Adversary process I
in (c, xPK);
out (c, pkM);
in (c, y); let sig = dec_skM(y) in
out (c, enc_xPK(sig)); in (c, z);
out (c, sdec_getmsg(sig)(z))
Page 10
Protocols with persistent state
Page 11
Persistent state
Agents that have persistent state:
Web servers, database servers, . . .
Hardware tokens
  Smart cards: capabilities, . . .
  RFID tags: their identity, . . .
  TPM: PCR values, session nonces, . . .
  HSM: PIN codes, . . .
Trusted party in contract signing protocols
VANETs
. . .
Page 12
The trusted platform module
Page 13
[Figure: TPM use cases: digital rights management; unforgeable configuration report; secure environment]
Page 14
Richard Stallman, creator of GNU, Emacs,
GCC, GPL, the Free Software Foundation
“With a plan they call trusted computing, large media corporations, together with computer companies such as Microsoft and Intel, are planning to make your computer obey them instead of you.”
He calls it “treacherous computing”.
Page 15
Ross Anderson, Professor of Computer Security, University of
Cambridge
“TC can support remote censorship. In its simplest form, applications may be designed to delete pirated music under remote control.”
“In 2010 President Clinton may have two red buttons on her desk - one that sends the missiles to China, and another that turns off all the PCs in China.”
He also talks of commercial bullying, economic warfare and political censorship.
Page 16
[Figure: secure environment; attestation from cloud; cloud server]
Page 17
Platform configuration registers
The TPM has 24 platform configuration registers, PCRs.
Updating a PCR
The command TPM_Extend(PCR p, Data x) effects the assignment
p := SHA-1(p || x)
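The extend rule above, replayed over a constructed event log, as an added example (not from the slides): a verifier recomputes the expected register value from the claimed log, and a reordered or truncated log no longer matches. It assumes a 20-byte SHA-1 PCR whose reset value is all zeros; the log entries are made up.

```python
import hashlib
import hmac

# Assumed reset value: a 20-byte SHA-1 register of all zeros (TPM 1.2 PCRs 0-16).
PCR_RESET = b"\x00" * 20


def tpm_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM_Extend(PCR p, Data x) from the slide: p := SHA-1(p || x).
    The register is never written directly; every change hashes the old value
    in, so a later extend cannot undo or overwrite an earlier one."""
    if len(pcr) != 20:
        raise ValueError("PCR must be a 20-byte SHA-1 digest")
    return hashlib.sha1(pcr + data).digest()


def replay_log(measurements) -> bytes:
    """Recompute the PCR a verifier expects from an event log, i.e. the
    sequence of x values that were extended into the register since reset."""
    pcr = PCR_RESET
    for m in measurements:
        pcr = tpm_extend(pcr, m)
    return pcr


def log_matches_pcr(measurements, reported_pcr: bytes) -> bool:
    """Attestation check: a reported (quoted) PCR must equal the replay of the
    claimed log. A reordered, truncated or edited log yields another digest."""
    return hmac.compare_digest(replay_log(measurements), reported_pcr)


# Constructed event log for the demo (not real firmware measurements).
BOOT_LOG = [b"bootloader-v1", b"kernel-5.15", b"initrd"]


def demo():
    """Returns (honest log accepted, reordered log accepted, truncated log accepted)."""
    quoted = replay_log(BOOT_LOG)  # what an honest quote of the register reports
    honest = log_matches_pcr(BOOT_LOG, quoted)
    reordered = log_matches_pcr([BOOT_LOG[1], BOOT_LOG[0], BOOT_LOG[2]], quoted)
    truncated = log_matches_pcr(BOOT_LOG[:2], quoted)
    return honest, reordered, truncated


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```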
Page 18
StatVerif
Page 19
StatVerif syntax: processes
P, Q ::=                                  processes
    out(M, N); P                          output
    in(M, x); P                           input
    P | Q                                 parallel composition
    !P                                    replication
    new a; P                              restriction
    let x = g(M1, . . . , Mn) in P else Q destructor application
    if M = N then P else Q                conditional
    [s ↦ M]                               state cell
    read s as x; P                        read
    s := M; P                             write
    lock; P                               begin locked section
    unlock; P                             end locked section
Page 20
Coding processes as Horn clauses: ProVerif
let Server =
in (ch, x);
new n;
out (ch, enc(k, (x,n) ));
attacker:x → attacker:enc(k[], (x,n[x]) );
attacker:u,x → attacker:u,enc(k[], (x,n[x]) );
Page 21
Coding processes as Horn clauses: StatVerif
let Server =
in (ch, x);
new n;
out (ch, enc(k, (x,n) ));
attacker:x → attacker:enc(k[], (x,n[x]) );
attacker:u,x → attacker:u,enc(k[], (x,n[x]) );
Page 22
Assignments
let Server =
in (ch, x);
u := h(u,x);
attacker:u,x ∧ attacker:u,y → attacker:h(u,x),y;
Page 23
The Horn clauses representation
The translation of a StatVerif process generates clauses built around the following two predicates:
att(M, N) means that state M is reachable and in that state the attacker knows the value N;
mes(M, K, N) means that state M is reachable and in that state the value N is available on channel K.
Page 24
Attacker clauses: constructors and destructors
The attacker can build new messages by applying any constructor to messages he knows.
For each constructor f(M1, . . . , Mn):
    att(xs, M1) ∧ · · · ∧ att(xs, Mn) → att(xs, f(M1, . . . , Mn))
Asymmetric encryption:
    att(xs, xk) ∧ att(xs, xm) → att(xs, aenc(xk, xm))
The attacker can analyse messages by applying any destructor to messages he knows.
For each destructor g(M1, . . . , Mn) → M:
    att(xs, M1) ∧ · · · ∧ att(xs, Mn) → att(xs, M)
Asymmetric-key decryption:
    att(xs, xk) ∧ att(xs, aenc(pbk(xk), xm)) → att(xs, xm)
Page 25
Attacker clauses: public channels
The attacker can send messages on public channels:
    att(xs, xc) ∧ att(xs, xm) → mes(xs, xc, xm)
The attacker can eavesdrop on public channels:
    att(xs, xc) ∧ mes(xs, xc, xm) → att(xs, xm)
Page 26
Attacker clauses: public state cells
Consider the protocol new m; ([s1 ↦ M1] | · · · | [sn ↦ Mn] | P)
The attacker can read from public state cells. For all i ∈ {1, . . . , n}:
    att((xs1, . . . , xsn), si[]) → att((xs1, . . . , xsn), xsi)
The attacker can write to public state cells. For all i ∈ {1, . . . , n}:
    att((xs1, . . . , xsi, . . . , xsn), si[]) ∧ att((xs1, . . . , xsi, . . . , xsn), ysi) ∧ mes((xs1, . . . , xsi, . . . , xsn), zc, zm) → mes((xs1, . . . , ysi, . . . , xsn), zc, zm)
    att((xs1, . . . , xsi, . . . , xsn), si[]) ∧ att((xs1, . . . , xsi, . . . , xsn), ysi) ∧ att((xs1, . . . , xsi, . . . , xsn), zm) → att((xs1, . . . , ysi, . . . , xsn), zm)
Page 27
Protocol clauses
⟦0⟧ρHℓφμ = ∅
⟦Q1 | Q2⟧ρHℓφfalse = ⟦Q1⟧ρHℓφfalse ∪ ⟦Q2⟧ρHℓφfalse
⟦!Q⟧ρHℓφfalse = ⟦Q⟧ρHℓφfalse
⟦new a; Q⟧ρHℓφμ = ⟦Q⟧(ρ ∪ {a ↦ a[ℓ]})Hℓφμ if a ∈ bn(P), and ⟦Q⟧(ρ ∪ {a ↦ attn[]})Hℓφμ otherwise
⟦in(M, x); Q⟧ρHℓφfalse = ⟦Q⟧(ρ ∪ {x ↦ x, vs1 ↦ vs1, . . . , vsn ↦ vsn}) H′ (x :: ℓ) φ false
    where φ0 = (vs1, . . . , vsn), with vs1, . . . , vsn fresh, and H′ = H ∧ mes(φ0, ρ(M), x)
⟦in(M, x); Q⟧ρHℓφtrue = ⟦Q⟧(ρ ∪ {x ↦ x})(H ∧ mes(φ, ρ(M), x))(x :: ℓ)φtrue
⟦out(M, N); Q⟧ρHℓφμ = {H ⇒ mes(φ, ρ(M), ρ(N))} ∪ ⟦Q⟧ρHℓφμ
⟦let x = g(M1, . . . , Mn) in Q1 else Q2⟧ρHℓφμ =
    ⋃ { ⟦Q1⟧((ρσ) ∪ {x ↦ p′σ′})(Hσ)(ℓσ)(φσ)μ | g(p′1, . . . , p′n) → p′ ∈ def(g) and (σ, σ′) mgus and M1ρσ = p′1σ′, . . . , Mnρσ = p′nσ′ }
    ∪ ⟦Q2⟧ρHℓφμ
⟦if M = N then Q1 else Q2⟧ρHℓφμ = ⟦Q1⟧(ρσ)(Hσ)(ℓσ)(φσ)μ ∪ ⟦Q2⟧ρHℓφμ where σ = mgu(ρ(M), ρ(N))
⟦lock; Q⟧ρHℓφfalse = ⟦Q⟧(ρ ∪ {vs1 ↦ vs1, . . . , vsn ↦ vsn})Hℓφ0true
    where φ0 = (vs1, . . . , vsn), with vs1, . . . , vsn fresh
⟦unlock; Q⟧ρHℓφtrue = ⟦Q⟧ρHℓφfalse
⟦si := M; Q⟧ρHℓφfalse = ⟦Q⟧(ρ ∪ {vs1 ↦ vs1, . . . , vsn ↦ vsn, vc ↦ vc, vm ↦ vm})Hℓφfalse
    ∪ {H ∧ mes(φ0, vc, vm) ⇒ mes(φ1, vc, vm)}
    ∪ {H ∧ att(φ0, vm) ⇒ att(φ1, vm)}
    where φ0 = (vs1, . . . , vsi−1, vsi, vsi+1, . . . , vsn),
    and φ1 = (vs1, . . . , vsi−1, ρ(M), vsi+1, . . . , vsn),
    with vs1, . . . , vsn, vc, vm fresh
⟦si := M; Q⟧ρHℓφtrue = ⟦Q⟧(ρ ∪ {vc ↦ vc, vm ↦ vm})Hℓφ′true
    ∪ {H ∧ mes(φ, vc, vm) ⇒ mes(φ′, vc, vm)}
    ∪ {H ∧ att(φ, vm) ⇒ att(φ′, vm)}
    where φ = (M1, . . . , Mi−1, Mi, Mi+1, . . . , Mn),
    and φ′ = (M1, . . . , Mi−1, ρ(M), Mi+1, . . . , Mn), and vc, vm fresh
⟦read si as x; Q⟧ρHℓφfalse = ⟦Q⟧(ρ ∪ {x ↦ vsi, vs1 ↦ vs1, . . . , vsi ↦ vsi, . . . , vsn ↦ vsn, vc ↦ vc, vm ↦ vm})(H ∧ mes(φ0, vc, vm))ℓφfalse
    where φ0 = (vs1, . . . , vsi, . . . , vsn), with vs1, . . . , vsi, . . . , vsn, vc, vm fresh
⟦read si as x; Q⟧ρHℓφtrue = ⟦Q⟧(ρ ∪ {x ↦ Mi, vc ↦ vc, vm ↦ vm})(H ∧ mes(φ, vc, vm))ℓφtrue
    where φ = (M1, . . . , Mi, . . . , Mn) and vc, vm fresh
Page 28
Assignments
⟦si := M; Q⟧ρHℓφfalse = ⟦Q⟧ρ′Hℓφfalse
    ∪ {H ∧ mes(φ0, vc, vm) ⇒ mes(φ1, vc, vm)}
    ∪ {H ∧ att(φ0, vm) ⇒ att(φ1, vm)}
    where φ0 = (vs1, . . . , vsi−1, vsi, vsi+1, . . . , vsn),
    and φ1 = (vs1, . . . , vsi−1, ρ(M), vsi+1, . . . , vsn),
    with vs1, . . . , vsn, vc, vm fresh,
    and ρ′ = ρ ∪ {vs1 ↦ vs1, . . . , vsn ↦ vsn, vc ↦ vc, vm ↦ vm}
⟦si := M; Q⟧ρHℓφtrue = ⟦Q⟧(ρ ∪ {vc ↦ vc, vm ↦ vm})Hℓφ′true
    ∪ {H ∧ mes(φ, vc, vm) ⇒ mes(φ′, vc, vm)}
    ∪ {H ∧ att(φ, vm) ⇒ att(φ′, vm)}
    where φ = (M1, . . . , Mi−1, Mi, Mi+1, . . . , Mn),
    and φ′ = (M1, . . . , Mi−1, ρ(M), Mi+1, . . . , Mn), and vc, vm fresh
Page 29
Main result
Theorem (The StatVerif compiler is correct)
Let M be a message. Let P be a protocol of the form
new m; ([s1 ↦ M1] | · · · | [sn ↦ Mn] | Q)
Then Clauses(P) ⊢ secrecy(M) ⇒ P ⊨ secrecy(M):
if for all K the fact att(K, M) is not derivable from Clauses(P), then P preserves the secrecy of M.
Page 30
Some clauses for commands of the TPM
TPM_Read:
    att(xp, x) → att(xp, xp)
TPM_CreateWrapKey:
    att(xp, xpcr) ∧ key(xp, xsk, xpk, xp) → att(xp, ⟨pk(bindk[xpcr]), wrap(xpk, bindk[xpcr], tpmpf[], xpcr)⟩)
TPM_LoadKey2:
    att(xp, pk(xkey)) ∧ att(xp, wrap(xpk, xkey, tpmpf[], xpcr)) ∧ key(xp, xsk, xpk, xp) → key(xp, xkey, pk(xkey), xpcr)
TPM_Unbind:
    att(xp, aenc(xpk, xdata)) ∧ key(xp, xsk, xpk, xp) → att(xp, xdata)
TPM_Extend:
    att(xp, xv) ∧ att(xp, x) → att(h(xp, xv), x)
    key(xp, xsk, xpk, xpcr) ∧ att(xp, xv) → key(h(xp, xv), xsk, xpk, xpcr)
Page 31
Making ProVerif work on the Horn clauses
Safe abstraction: Replace
    att(xp, xv) ∧ att(xp, x) → att(h(xp, xv), x)
with n instances, in which xp is
    zero[]
    h(zero[], x1)
    h(h(zero[], x1), x2)
    h(h(h(zero[], x1), x2), x3)
    . . .
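The TPM clauses of the previous slide together with this safe abstraction, as an added example (not from the slides or the StatVerif tool): a small ground forward-chaining engine over att(state, term) and key(state, sk, pk, pcr) facts for TPM_Read, TPM_Unbind and TPM_Extend, where the abstraction appears as a bound on how many extends a state may contain. The names x1, x2, k1, secret and the initial facts are constructed for the scenario; the SRK and key loading are not modelled, the bind key is simply assumed loaded.

```python
# Terms are nested tuples; zero[] is the reset PCR value, h(xp, xv) the value
# after extending xp with xv.
ZERO = ("zero",)


def h(p, v):
    return ("h", p, v)


def pk(k):
    return ("pk", k)


def aenc(k, m):
    return ("aenc", k, m)


def depth(p):
    """Number of extends applied to zero[]; the safe abstraction bounds this."""
    return 0 if p == ZERO else 1 + depth(p[1])


def saturate(att, key, max_depth):
    """Least fixpoint of att(state, term) and key(state, sk, pk, pcr) under
    TPM_Read, TPM_Unbind and TPM_Extend as given on the slide. States with
    more than max_depth extends are never generated (the safe abstraction)."""
    att, key = set(att), set(key)
    while True:
        new_att, new_key = set(), set()
        for xp, t in att:
            new_att.add((xp, xp))                      # Read: att(xp,x) -> att(xp,xp)
            if t[0] == "aenc":                         # Unbind: key must be bound to xp
                for kp, sk, xpk, pcr in key:
                    if kp == xp and xpk == t[1] and pcr == xp:
                        new_att.add((xp, t[2]))
            if depth(xp) < max_depth:                  # Extend with xv = t
                for xp2, x in att:
                    if xp2 == xp:
                        new_att.add((h(xp, t), x))     # knowledge survives the extend
                for kp, sk, xpk, pcr in key:
                    if kp == xp:
                        new_key.add((h(xp, t), sk, xpk, pcr))
        if new_att <= att and new_key <= key:
            return att, key
        att |= new_att
        key |= new_key


# Constructed names for the scenario (not from the slides).
X1, X2, K1, SECRET = ("x1",), ("x2",), ("k1",), ("secret",)
P1 = h(ZERO, X1)   # the PCR value the bind key k1 is tied to


def attacker_learns_secret(state, max_depth=2):
    """In the reset state the attacker knows measurements x1 and x2, pk(k1) for
    a loaded bind key k1 bound to PCR value h(zero, x1), and a blob
    aenc(pk(k1), secret). Returns whether att(state, secret) is derivable."""
    att0 = {(ZERO, X1), (ZERO, X2), (ZERO, pk(K1)), (ZERO, aenc(pk(K1), SECRET))}
    key0 = {(ZERO, K1, pk(K1), P1)}
    att, _ = saturate(att0, key0, max_depth)
    return (state, SECRET) in att


if __name__ == "__main__":
    for s in (ZERO, P1, h(ZERO, X2), h(P1, X2)):
        print(s, attacker_learns_secret(s))
```

Unbind succeeds only in the state the key is bound to, but once the secret is known there it carries into every later state, which is exactly why the state argument of att must be tracked rather than abstracted away.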
Page 32
Current and future work
Prototype implementation by Joshua Phillips
More case studies: UMTS protocols, RFID protocols, . . .
Extension to authentication properties
Extension to observational equivalence
Abstractions