SlideShare a Scribd company logo

Proving Properties of Security Protocols by Induction

Lawrence Paulson
Lawrence Paulson
TechnologyEntertainment & Humor
1 of 24
Download to read offline
Proving Security Protocols 1 L. C. Paulson Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory University of Cambridge
Proving Security Protocols 2 L. C. Paulson Cryptographic Protocol Analysis • Finite-state checking Lowe, Millen, . . . + find attacks quickly − drastic simplifying assumptions • Belief logics Burrows, Abadi, Needham, . . . + short, abstract proofs − some variants are complicated & ill-motivated
Proving Security Protocols 3 An Inductive Approach • Traces of events: A sends X to B • Any number of interleaved runs • Algebraic theory of messages • A general attacker • Modelling of accidents • Mechanized proofs L. C. Paulson
Proving Security Protocols 4 L. C. Paulson Agents and Messages agent A, B, . . . = Server | Friend i | Spy msg X, Y, . . . = Agent A | Nonce N | Key K | { X| |X, } | Hash X | Crypt KX
Proving Security Protocols 5 L. C. Paulson Processing Sets of Messages Crypt KX parts: message components analz: message decryption X K −1 X Crypt KX, synth: message faking Regularity lemmas stated using parts H Secrecy theorems stated using analz H Spoof messages drawn from synth(analz H) X, K Crypt KX
Proving Security Protocols 6 L. C. Paulson Inductive Definition: parts H X∈H Crypt KX X ∈ parts H ∈ parts H X ∈ parts H { Y | ∈ parts H |X, } { Y | ∈ parts H |X, } X ∈ parts H Y ∈ parts H parts G ∪ parts H = parts(G ∪ H)
Proving Security Protocols 7 L. C. Paulson Inductive Definition: analz H Crypt KX X∈H ∈ analz H X ∈ analz H K −1 ∈ analz H X ∈ analz H { Y | ∈ analz H |X, } { Y | ∈ analz H |X, } X ∈ analz H Y ∈ analz H analz G ∪ analz H ⊆ analz(G ∪ H)
Proving Security Protocols 8 L. C. Paulson Inductive Definition: synth H X∈H Agent A X ∈ synth H ∈ synth H X∈H Hash X X ∈ synth H ∈ synth H Y ∈ synth H { Y | ∈ synth H |X, } X ∈ synth H Crypt KX G ⊆ H =⇒ synth G ⊆ synth H K∈H ∈ synth H
Proving Security Protocols 9 Simplification Laws  parts(parts H) = parts H    analz(analz H) = analz H idempotence   synth(synth H) = synth H  parts(analz H) = analz(parts H) = parts H parts(synth H) = parts H ∪ synth H analz(synth H) = analz H ∪ synth H synth(analz H) = ?? L. C. Paulson
Proving Security Protocols 10 L. C. Paulson Symbolic Evaluation of parts(ins XH) ins XH parts(ins(Key K)H) parts(ins(Hash X)H) parts(ins{ |X, Y | H) } parts(ins(Crypt KX)H) = {X} ∪ H = ins(Key K)(parts H) = ins(Hash X)(parts H) = ins{ Y | (parts(ins X(ins Y H))) |X, } = ins(Crypt KX)(parts(ins XH))
Proving Security Protocols 11 L. C. Paulson Symbolic Evaluation of analz(ins XH) analz(ins(Key K)H) = ins(Key K)(analz H) K ∈ keysFor(analz H) analz(ins(Crypt KX)H) =  ins(Crypt KX)(analz(ins XH)) K −1 ∈ analz H ins(Crypt KX)(analz H) otherwise
Proving Security Protocols 12 L. C. Paulson Deductions from synth H Nonce N Key K Crypt KX ∈ synth H =⇒ Nonce N ∈ H ∈ synth H =⇒ Key K ∈ H ∈ synth H =⇒ Crypt KX ∈ H or X ∈ synth H ∧ K ∈ H A similar law for { |X, Y | } ∈ synth H
Proving Security Protocols 13 Spoof Messages: Limiting the Damage Breaking down the spoof message: { Y | ∈ synth(analz H) ⇐⇒ |X, } X ∈ synth(analz H) ∧ Y ∈ synth(analz H) Eliminating the spoof message: X ∈ synth(analz G) =⇒ parts(ins X H) ⊆ synth(analz G) ∪ parts G ∪ parts H L. C. Paulson
Proving Security Protocols 14 L. C. Paulson The Shared-Key Model Traces as lists of events: Alice’s shared key: Items already used in this trace: Says A B X shrK A used evs Reading the traffic (with the help of lost keys): spies (Says A B X # evs) = {X} ∪ spies evs spies [] = {shrK A | A ∈ lost}
Proving Security Protocols 15 L. C. Paulson The Simplified Otway-Rees Protocol 1. A → B : N a, A, B, { a, A, B| Kas |N } 2. B → S : N a, A, B, { a, A, B| Kas , N b, { a, A, B| Kbs |N } |N } 3. S → B : N a, { a, Kab| Kas , { b, Kab| Kbs |N } |N } |N } 4. B → A : N a, { a, Kab| Kas
Proving Security Protocols 16 L. C. Paulson Inductively Defining the Protocol, 1–2 1. If evs is a trace and N a is unused, may add Says A B { a, A, B, Crypt(shrK A){ a, A, B| | |N |N }} 2. If evs has Says A B { a, A, B, X| and N b is unused, may |N } add Says B Server { a, A, B, X, N b, Crypt(shrK B){ a, A, B| | |N |N }} B doesn’t know the true sender & can’t read X
Proving Security Protocols 17 L. C. Paulson Inductively Defining the Protocol, 4 4. If evs contains the events Says B Server { a, A, B, X |N Says S , N b, Crypt(shrK B){ a, A, B| | |N }} B { a, X, Crypt(shrK B){ b, K| | |N |N }} may add Says B A { a, X| |N } Rule applies only if nonces agree, etc.
Proving Security Protocols 18 Modelling Attacks and Accidents Fake. If X ∈ synth(analz(spies evs)), may add Says Spy B X Oops. If server distributes key K , may add Says A Spy { a, N b, K| |N } Nonces show the time of the loss L. C. Paulson
Proving Security Protocols 19 Regularity & Unicity • Agents don’t talk to themselves • Secret keys are never lost (except initially) • Nonces & keys uniquely identify creating message Easily proved by induction & simplification of parts L. C. Paulson
Proving Security Protocols 20 Secrecy • Keys, if secure, are never encrypted using any session keys • Distributed keys remain confidential — to recipients! • Yahalom: nonce N b remains secure Simplification of analz: case analysis, big formulas L. C. Paulson
Proving Security Protocols 21 L. C. Paulson An Attack 1. A → B×: N a, A, B, { a, A, B| Kas |N } 1 . C → A : N c, C, A, { c, C, A| Kcs |N } |N } |N } 2 . A → S× : N c, C, A, { c, C, A| Kcs , N a , { c, C, A| Kas |N } |N } 2 . CA → S : N c, C, A, { c, C, A| Kcs , N a, { c, C, A| Kas 3 . S → A× : N c, { c, Kca| Kcs , { a, Kca| Kas |N } |N } 4. CB → A : N a, { a, Kca| Kas |N }
Proving Security Protocols 22 L. C. Paulson New Guarantees of Fixed Protocol B can trust the message if he sees Says S B { a, X, Crypt(shrK B){ b, K| | |N |N }} Says B Server { a, A, B, X , Crypt(shrK B){ a, N b, A, B| | |N |N }} A can trust the message if she sees Says B A { a, Crypt(shrK A){ a, K| | |N |N }} Says A B { a, A, B, Crypt(shrK A){ a, A, B| | |N |N }}
Proving Security Protocols 23 Statistics • 200 theorems about 10 protocol variants (3 × Otway-Rees, 2 × Yahalom, Needham-Schroeder, . . .) • 110 laws proved concerning messages • 2–9 minutes CPU time per protocol • few hours or days human time per protocol • over 1200 proof commands in all L. C. Paulson
Proving Security Protocols 24 Conclusions • A feasible method of analyzing protocols • Guarantees proved in a clear framework • Complementary to other methods: – Finite-state: finding simple attacks automatically – Belief logics: freshness analysis • Related work by Dominique Bolignano L. C. Paulson

Recommended

Cryptography (1)
Cryptography (1)Cryptography (1)
Cryptography (1)
ChandiniAishwaryaVen
 
defense
defensedefense
defense
Qing Dou
 
Homomorphic encryption in_cloud
Homomorphic encryption in_cloudHomomorphic encryption in_cloud
Homomorphic encryption in_cloud
Shivam Singh
 
Graph based cryptographic hash functions
Graph based cryptographic hash functionsGraph based cryptographic hash functions
Graph based cryptographic hash functions
mskmoorthy
 
Assembly language programs
Assembly language programsAssembly language programs
Assembly language programs
HarshitParkar6677
 
Assembly language programs 2
Assembly language programs 2Assembly language programs 2
Assembly language programs 2
HarshitParkar6677
 
Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWE
Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWELattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWE
Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWE
Priyanka Aash
 
Yampa AFRP Introduction
Yampa AFRP IntroductionYampa AFRP Introduction
Yampa AFRP Introduction
ChengHui Weng
 

Recommended

Cryptography (1)
Cryptography (1)Cryptography (1)
Cryptography (1)
ChandiniAishwaryaVen
 
defense
defensedefense
defense
Qing Dou
 
Homomorphic encryption in_cloud
Homomorphic encryption in_cloudHomomorphic encryption in_cloud
Homomorphic encryption in_cloud
Shivam Singh
 
Graph based cryptographic hash functions
Graph based cryptographic hash functionsGraph based cryptographic hash functions
Graph based cryptographic hash functions
mskmoorthy
 
Assembly language programs
Assembly language programsAssembly language programs
Assembly language programs
HarshitParkar6677
 
Assembly language programs 2
Assembly language programs 2Assembly language programs 2
Assembly language programs 2
HarshitParkar6677
 
Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWE
Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWELattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWE
Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWE
Priyanka Aash
 
Yampa AFRP Introduction
Yampa AFRP IntroductionYampa AFRP Introduction
Yampa AFRP Introduction
ChengHui Weng
 
Mechanized Proofs for a Recursive Authentication Protocol
Mechanized Proofs for a Recursive Authentication ProtocolMechanized Proofs for a Recursive Authentication Protocol
Mechanized Proofs for a Recursive Authentication Protocol
Lawrence Paulson
 
Proving Security Protocols Correct
Proving Security Protocols CorrectProving Security Protocols Correct
Proving Security Protocols Correct
Lawrence Paulson
 
Dm week01 prob-refresher.handout
Dm week01 prob-refresher.handoutDm week01 prob-refresher.handout
Dm week01 prob-refresher.handout
okeee
 
bloomfilter.ppt
bloomfilter.pptbloomfilter.ppt
bloomfilter.ppt
kashvirelhan1
 
bloomfilter.ppt
bloomfilter.pptbloomfilter.ppt
bloomfilter.ppt
kashvirelhan1
 
bloomfilter.ppt
bloomfilter.pptbloomfilter.ppt
bloomfilter.ppt
kashvirelhan1
 
chap2.pdf
chap2.pdfchap2.pdf
chap2.pdf
eseinsei
 
MetiTarski's menagerie of cooperating systems
MetiTarski's menagerie of cooperating systemsMetiTarski's menagerie of cooperating systems
MetiTarski's menagerie of cooperating systems
Lawrence Paulson
 
Automated theorem proving for special functions: the next phase
Automated theorem proving for special functions: the next phaseAutomated theorem proving for special functions: the next phase
Automated theorem proving for special functions: the next phase
Lawrence Paulson
 
Theorem proving and the real numbers: overview and challenges
Theorem proving and the real numbers: overview and challengesTheorem proving and the real numbers: overview and challenges
Theorem proving and the real numbers: overview and challenges
Lawrence Paulson
 
Source-Level Proof Reconstruction for Interactive Proving
Source-Level Proof Reconstruction for Interactive ProvingSource-Level Proof Reconstruction for Interactive Proving
Source-Level Proof Reconstruction for Interactive Proving
Lawrence Paulson
 
Defining Functions on Equivalence Classes
Defining Functions on Equivalence ClassesDefining Functions on Equivalence Classes
Defining Functions on Equivalence Classes
Lawrence Paulson
 
Organizing Numerical Theories using Axiomatic Type Classes
Organizing Numerical Theories using Axiomatic Type ClassesOrganizing Numerical Theories using Axiomatic Type Classes
Organizing Numerical Theories using Axiomatic Type Classes
Lawrence Paulson
 
A Generic Tableau Prover and Its Integration with Isabelle
A Generic Tableau Prover and Its Integration with IsabelleA Generic Tableau Prover and Its Integration with Isabelle
A Generic Tableau Prover and Its Integration with Isabelle
Lawrence Paulson
 
Mechanizing set theory: cardinal arithmetic and the axiom of choice
Mechanizing set theory: cardinal arithmetic and the axiom of choiceMechanizing set theory: cardinal arithmetic and the axiom of choice
Mechanizing set theory: cardinal arithmetic and the axiom of choice
Lawrence Paulson
 
MetiTarski: An Automatic Prover for Real-Valued Special Functions
MetiTarski: An Automatic Prover for Real-Valued Special FunctionsMetiTarski: An Automatic Prover for Real-Valued Special Functions
MetiTarski: An Automatic Prover for Real-Valued Special Functions
Lawrence Paulson
 
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZFThe Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
Lawrence Paulson
 
The Reflection Theorem: Formalizing Meta-Theoretic Reasoning
The Reflection Theorem: Formalizing Meta-Theoretic ReasoningThe Reflection Theorem: Formalizing Meta-Theoretic Reasoning
The Reflection Theorem: Formalizing Meta-Theoretic Reasoning
Lawrence Paulson
 
A Machine-Assisted Proof of Gödel's Incompleteness Theorems
A Machine-Assisted Proof of Gödel's Incompleteness TheoremsA Machine-Assisted Proof of Gödel's Incompleteness Theorems
A Machine-Assisted Proof of Gödel's Incompleteness Theorems
Lawrence Paulson
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
The Digital Insurer
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 

More Related Content

Similar to Proving Properties of Security Protocols by Induction

Dm week01 prob-refresher.handout
Dm week01 prob-refresher.handoutDm week01 prob-refresher.handout
Dm week01 prob-refresher.handout
okeee
 

Similar to Proving Properties of Security Protocols by Induction (7)

Mechanized Proofs for a Recursive Authentication Protocol
Mechanized Proofs for a Recursive Authentication ProtocolMechanized Proofs for a Recursive Authentication Protocol
Mechanized Proofs for a Recursive Authentication Protocol
 
Proving Security Protocols Correct
Proving Security Protocols CorrectProving Security Protocols Correct
Proving Security Protocols Correct
 
Dm week01 prob-refresher.handout
Dm week01 prob-refresher.handoutDm week01 prob-refresher.handout
Dm week01 prob-refresher.handout
 
bloomfilter.ppt
bloomfilter.pptbloomfilter.ppt
bloomfilter.ppt
 
bloomfilter.ppt
bloomfilter.pptbloomfilter.ppt
bloomfilter.ppt
 
bloomfilter.ppt
bloomfilter.pptbloomfilter.ppt
bloomfilter.ppt
 
chap2.pdf
chap2.pdfchap2.pdf
chap2.pdf
 

More from Lawrence Paulson

Source-Level Proof Reconstruction for Interactive Proving
Source-Level Proof Reconstruction for Interactive ProvingSource-Level Proof Reconstruction for Interactive Proving
Source-Level Proof Reconstruction for Interactive Proving
Lawrence Paulson
 
Defining Functions on Equivalence Classes
Defining Functions on Equivalence ClassesDefining Functions on Equivalence Classes
Defining Functions on Equivalence Classes
Lawrence Paulson
 
MetiTarski: An Automatic Prover for Real-Valued Special Functions
MetiTarski: An Automatic Prover for Real-Valued Special FunctionsMetiTarski: An Automatic Prover for Real-Valued Special Functions
MetiTarski: An Automatic Prover for Real-Valued Special Functions
Lawrence Paulson
 
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZFThe Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
Lawrence Paulson
 
The Reflection Theorem: Formalizing Meta-Theoretic Reasoning
The Reflection Theorem: Formalizing Meta-Theoretic ReasoningThe Reflection Theorem: Formalizing Meta-Theoretic Reasoning
The Reflection Theorem: Formalizing Meta-Theoretic Reasoning
Lawrence Paulson
 
A Machine-Assisted Proof of Gödel's Incompleteness Theorems
A Machine-Assisted Proof of Gödel's Incompleteness TheoremsA Machine-Assisted Proof of Gödel's Incompleteness Theorems
A Machine-Assisted Proof of Gödel's Incompleteness Theorems
Lawrence Paulson
 

More from Lawrence Paulson (12)

MetiTarski's menagerie of cooperating systems
MetiTarski's menagerie of cooperating systemsMetiTarski's menagerie of cooperating systems
MetiTarski's menagerie of cooperating systems
 
Automated theorem proving for special functions: the next phase
Automated theorem proving for special functions: the next phaseAutomated theorem proving for special functions: the next phase
Automated theorem proving for special functions: the next phase
 
Theorem proving and the real numbers: overview and challenges
Theorem proving and the real numbers: overview and challengesTheorem proving and the real numbers: overview and challenges
Theorem proving and the real numbers: overview and challenges
 
Source-Level Proof Reconstruction for Interactive Proving
Source-Level Proof Reconstruction for Interactive ProvingSource-Level Proof Reconstruction for Interactive Proving
Source-Level Proof Reconstruction for Interactive Proving
 
Defining Functions on Equivalence Classes
Defining Functions on Equivalence ClassesDefining Functions on Equivalence Classes
Defining Functions on Equivalence Classes
 
Organizing Numerical Theories using Axiomatic Type Classes
Organizing Numerical Theories using Axiomatic Type ClassesOrganizing Numerical Theories using Axiomatic Type Classes
Organizing Numerical Theories using Axiomatic Type Classes
 
A Generic Tableau Prover and Its Integration with Isabelle
A Generic Tableau Prover and Its Integration with IsabelleA Generic Tableau Prover and Its Integration with Isabelle
A Generic Tableau Prover and Its Integration with Isabelle
 
Mechanizing set theory: cardinal arithmetic and the axiom of choice
Mechanizing set theory: cardinal arithmetic and the axiom of choiceMechanizing set theory: cardinal arithmetic and the axiom of choice
Mechanizing set theory: cardinal arithmetic and the axiom of choice
 
MetiTarski: An Automatic Prover for Real-Valued Special Functions
MetiTarski: An Automatic Prover for Real-Valued Special FunctionsMetiTarski: An Automatic Prover for Real-Valued Special Functions
MetiTarski: An Automatic Prover for Real-Valued Special Functions
 
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZFThe Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
 
The Reflection Theorem: Formalizing Meta-Theoretic Reasoning
The Reflection Theorem: Formalizing Meta-Theoretic ReasoningThe Reflection Theorem: Formalizing Meta-Theoretic Reasoning
The Reflection Theorem: Formalizing Meta-Theoretic Reasoning
 
A Machine-Assisted Proof of Gödel's Incompleteness Theorems
A Machine-Assisted Proof of Gödel's Incompleteness TheoremsA Machine-Assisted Proof of Gödel's Incompleteness Theorems
A Machine-Assisted Proof of Gödel's Incompleteness Theorems
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Recently uploaded (20)

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 

Proving Properties of Security Protocols by Induction

  • 1. Proving Security Protocols 1 L. C. Paulson Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory University of Cambridge
  • 2. Proving Security Protocols 2 L. C. Paulson Cryptographic Protocol Analysis • Finite-state checking Lowe, Millen, . . . + find attacks quickly − drastic simplifying assumptions • Belief logics Burrows, Abadi, Needham, . . . + short, abstract proofs − some variants are complicated & ill-motivated
  • 3. Proving Security Protocols 3 An Inductive Approach • Traces of events: A sends X to B • Any number of interleaved runs • Algebraic theory of messages • A general attacker • Modelling of accidents • Mechanized proofs L. C. Paulson
  • 4. Proving Security Protocols 4 L. C. Paulson Agents and Messages agent A, B, . . . = Server | Friend i | Spy msg X, Y, . . . = Agent A | Nonce N | Key K | { X| |X, } | Hash X | Crypt KX
  • 5. Proving Security Protocols 5 L. C. Paulson Processing Sets of Messages Crypt KX parts: message components analz: message decryption X K −1 X Crypt KX, synth: message faking Regularity lemmas stated using parts H Secrecy theorems stated using analz H Spoof messages drawn from synth(analz H) X, K Crypt KX
  • 6. Proving Security Protocols 6 L. C. Paulson Inductive Definition: parts H X∈H Crypt KX X ∈ parts H ∈ parts H X ∈ parts H { Y | ∈ parts H |X, } { Y | ∈ parts H |X, } X ∈ parts H Y ∈ parts H parts G ∪ parts H = parts(G ∪ H)
  • 7. Proving Security Protocols 7 L. C. Paulson Inductive Definition: analz H Crypt KX X∈H ∈ analz H X ∈ analz H K −1 ∈ analz H X ∈ analz H { Y | ∈ analz H |X, } { Y | ∈ analz H |X, } X ∈ analz H Y ∈ analz H analz G ∪ analz H ⊆ analz(G ∪ H)
  • 8. Proving Security Protocols 8 L. C. Paulson Inductive Definition: synth H X∈H Agent A X ∈ synth H ∈ synth H X∈H Hash X X ∈ synth H ∈ synth H Y ∈ synth H { Y | ∈ synth H |X, } X ∈ synth H Crypt KX G ⊆ H =⇒ synth G ⊆ synth H K∈H ∈ synth H
  • 9. Proving Security Protocols 9 Simplification Laws  parts(parts H) = parts H    analz(analz H) = analz H idempotence   synth(synth H) = synth H  parts(analz H) = analz(parts H) = parts H parts(synth H) = parts H ∪ synth H analz(synth H) = analz H ∪ synth H synth(analz H) = ?? L. C. Paulson
  • 10. Proving Security Protocols 10 L. C. Paulson Symbolic Evaluation of parts(ins XH) ins XH parts(ins(Key K)H) parts(ins(Hash X)H) parts(ins{ |X, Y | H) } parts(ins(Crypt KX)H) = {X} ∪ H = ins(Key K)(parts H) = ins(Hash X)(parts H) = ins{ Y | (parts(ins X(ins Y H))) |X, } = ins(Crypt KX)(parts(ins XH))
  • 11. Proving Security Protocols 11 L. C. Paulson Symbolic Evaluation of analz(ins XH) analz(ins(Key K)H) = ins(Key K)(analz H) K ∈ keysFor(analz H) analz(ins(Crypt KX)H) =  ins(Crypt KX)(analz(ins XH)) K −1 ∈ analz H ins(Crypt KX)(analz H) otherwise
  • 12. Proving Security Protocols 12 L. C. Paulson Deductions from synth H Nonce N Key K Crypt KX ∈ synth H =⇒ Nonce N ∈ H ∈ synth H =⇒ Key K ∈ H ∈ synth H =⇒ Crypt KX ∈ H or X ∈ synth H ∧ K ∈ H A similar law for { |X, Y | } ∈ synth H
  • 13. Proving Security Protocols 13 Spoof Messages: Limiting the Damage Breaking down the spoof message: { Y | ∈ synth(analz H) ⇐⇒ |X, } X ∈ synth(analz H) ∧ Y ∈ synth(analz H) Eliminating the spoof message: X ∈ synth(analz G) =⇒ parts(ins X H) ⊆ synth(analz G) ∪ parts G ∪ parts H L. C. Paulson
  • 14. Proving Security Protocols 14 L. C. Paulson The Shared-Key Model Traces as lists of events: Alice’s shared key: Items already used in this trace: Says A B X shrK A used evs Reading the traffic (with the help of lost keys): spies (Says A B X # evs) = {X} ∪ spies evs spies [] = {shrK A | A ∈ lost}
  • 15. Proving Security Protocols 15 L. C. Paulson The Simplified Otway-Rees Protocol 1. A → B : N a, A, B, { a, A, B| Kas |N } 2. B → S : N a, A, B, { a, A, B| Kas , N b, { a, A, B| Kbs |N } |N } 3. S → B : N a, { a, Kab| Kas , { b, Kab| Kbs |N } |N } |N } 4. B → A : N a, { a, Kab| Kas
  • 16. Proving Security Protocols 16 L. C. Paulson Inductively Defining the Protocol, 1–2 1. If evs is a trace and N a is unused, may add Says A B { a, A, B, Crypt(shrK A){ a, A, B| | |N |N }} 2. If evs has Says A B { a, A, B, X| and N b is unused, may |N } add Says B Server { a, A, B, X, N b, Crypt(shrK B){ a, A, B| | |N |N }} B doesn’t know the true sender & can’t read X
  • 17. Proving Security Protocols 17 L. C. Paulson Inductively Defining the Protocol, 4 4. If evs contains the events Says B Server { a, A, B, X |N Says S , N b, Crypt(shrK B){ a, A, B| | |N }} B { a, X, Crypt(shrK B){ b, K| | |N |N }} may add Says B A { a, X| |N } Rule applies only if nonces agree, etc.
  • 18. Proving Security Protocols 18 Modelling Attacks and Accidents Fake. If X ∈ synth(analz(spies evs)), may add Says Spy B X Oops. If server distributes key K , may add Says A Spy { a, N b, K| |N } Nonces show the time of the loss L. C. Paulson
  • 19. Proving Security Protocols 19 Regularity & Unicity • Agents don’t talk to themselves • Secret keys are never lost (except initially) • Nonces & keys uniquely identify creating message Easily proved by induction & simplification of parts L. C. Paulson
  • 20. Proving Security Protocols 20 Secrecy • Keys, if secure, are never encrypted using any session keys • Distributed keys remain confidential — to recipients! • Yahalom: nonce N b remains secure Simplification of analz: case analysis, big formulas L. C. Paulson
  • 21. Proving Security Protocols 21 L. C. Paulson An Attack 1. A → B×: N a, A, B, { a, A, B| Kas |N } 1 . C → A : N c, C, A, { c, C, A| Kcs |N } |N } |N } 2 . A → S× : N c, C, A, { c, C, A| Kcs , N a , { c, C, A| Kas |N } |N } 2 . CA → S : N c, C, A, { c, C, A| Kcs , N a, { c, C, A| Kas 3 . S → A× : N c, { c, Kca| Kcs , { a, Kca| Kas |N } |N } 4. CB → A : N a, { a, Kca| Kas |N }
  • 22. Proving Security Protocols 22 L. C. Paulson New Guarantees of Fixed Protocol B can trust the message if he sees Says S B { a, X, Crypt(shrK B){ b, K| | |N |N }} Says B Server { a, A, B, X , Crypt(shrK B){ a, N b, A, B| | |N |N }} A can trust the message if she sees Says B A { a, Crypt(shrK A){ a, K| | |N |N }} Says A B { a, A, B, Crypt(shrK A){ a, A, B| | |N |N }}
  • 23. Proving Security Protocols 23 Statistics • 200 theorems about 10 protocol variants (3 × Otway-Rees, 2 × Yahalom, Needham-Schroeder, . . .) • 110 laws proved concerning messages • 2–9 minutes CPU time per protocol • few hours or days human time per protocol • over 1200 proof commands in all L. C. Paulson
  • 24. Proving Security Protocols 24 Conclusions • A feasible method of analyzing protocols • Guarantees proved in a clear framework • Complementary to other methods: – Finite-state: finding simple attacks automatically – Belief logics: freshness analysis • Related work by Dominique Bolignano L. C. Paulson