100 likes | 126 Views
Delve deep into the symbolic and computational analysis of security protocols, focusing on the Tamarin Prover, cryptographic primitives, adversary models, security properties, equational theory, multiset rewriting rules, and more.
E N D
On the Symbolic Analysis of Security Protocols And mainly the Tamarin Prover
Symbolic Vs. Computational Analysis Symbolic Analysis Computational Analysis Messages are bitstrings Cryptographic primitives are functions from bitstrings to bitstrings adversary is any probabilistic Turing machine A security property is considered to hold when the probability that it does not hold is negligible in the security parameter Ex. the adversary has a negligible probability of distinguishing encryptions of two messages of the same length • Cryptographic primitives as black-boxes • Assumes perfect cryptography • Usually, use equational theory to model algebraic properties • dec(enc(x, y), y) = x For more, please refer to: Blanchet, B.: Security Protocol Verification: Symbolic and Computational Models
Security Protocol THeorY (.spthy) in Tamarin • Specify • Signature and equational theory to use for the message algebra • Set of multiset rewriting rules modeling the protocol and the adversary capabilities • Security properties as lemmata • Check wellformedness • Run the prover and for each lemma: • Verified • A counter-example trace found • Prover does not terminate
Message Theory • Functions are black-boxes • Define a function as func/arity • Examples: h/1, aenc/2, adec/2, pk/1 • Equational Theory • adec(aenc(m, pk(k)), k) = m
Multiset Rewriting Rules • This is not the regular inference rule you see in First Order Logic. • The 'Fr‘, ‘Out’, ‘In’, ‘K’ facts are builtin facts. • Persistent facts • Linear Facts • We denote the sort of variables using prefixes • ~x denotes x:fresh • $x denotes x:pub • #i denotes i:temporal • i denotes i:msg rule BuyARing:[!Love(A, B)]--[Confess(A, B) ]-> [] rule Marriage: [Engaged(A, B) ] --[ Wedding(A, B) ]-> [ !Married(A, B) ] rule LoveFromFirstSight:[ ] --[ ]-> [!Love(A, B)] rule Engagement: [ !Love(A, B)] --[ Engage(A, B) ]-> [ Engaged(A, B) ]
Security Properties and Tamarin Axioms • Each security property is stated as a lemma • Will see syntax in the handout shortly • Used to limit instances to instances where the axioms are satisfied • Important to check the consistency of axioms • Example: • axiom Equality_Checks_Succeed: “ All x y #i. Eq(x,y) @i ==> x = y ”
Security Protocol THeorY (.spthy) in Tamarin • Specify • Signature and equational theory to use for the message algebra • Set of multiset rewriting rules modeling the protocol and the adversary capabilities • Security properties as lemmata • Check wellformedness • Run the prover and for each lemma: • Verified • A counter-example trace found • Prover does not terminate
Alice and Bob Input Language • Pattern Matching (Equational Theory S) • Message Model (Equational Theory M) • Keller build a tool to transfer from A&B into Tamarin using an Intermediate Representation (IR) • Kozmai worked on the converse Snippet from Keller’s bachelor thesis
Results of case studies Snippet From [2]
References • [1] Blanchet, B.: Security Protocol Verification: Symbolic and Computational Models • [2] Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN Prover for the Symbolic Analysis of Security Protocols • [3] Keller, M.: Converting Alice&Bob Protocol Specifications to Tamarin • [4] Kozmai, D.: Converting Tamarin to extended Alice&Bob protocol specifications • [5] http://www.infsec.ethz.ch/research/software/tamarin.html