
Formally (?) Deriving Security Protocols

Anupam Datta. WIP with Ante Derek, John Mitchell, Dusko Pavlovic. October 23, 2002.


Presentation Transcript


  1. Formally (?) Deriving Security Protocols. Anupam Datta. WIP with Ante Derek, John Mitchell, Dusko Pavlovic. October 23, 2002.

  2. Goals:
     • Build security protocols in a compositional manner, i.e., from standard sub-protocols.
     • Prove formally using logic that the composition process is sound, i.e., the resulting protocol is correct in a precise sense.

  3. Idea: Capture protocol designers’ intuition in a formal framework.

  4. Example 1
     • Diffie-Hellman:
       $X \to Y: g^x$
       $Y \to X: g^y$
     • Property 1: Secrecy
       X deduces: $\mathrm{Knows}(Z, g^{xy}) \supset \mathrm{Knows}(Z, y)$

  5. Example 2
     • Challenge Response:
       $A \to B: m, A$
       $B \to A: n, \mathrm{sig}_B\{n, m, A\}$
       $A \to B: \mathrm{sig}_A\{m, n, B\}$
     • Property 2: Mutual Authentication
       A deduces: $\mathrm{Created}(B, n) \land \mathrm{Sent}(B, \mathit{msg2})$

  6. Composition
     • ISO 9798-3 protocol:
       $A \to B: g^a, A$
       $B \to A: g^b, \mathrm{sig}_B\{g^b, g^a, A\}$
       $A \to B: \mathrm{sig}_A\{g^a, g^b, B\}$
     • Has both Property 1 & Property 2. Can be inferred that A & B have shared secret, $g^{ab}$.

  7. Refinement
     • Encrypt signatures (find-and-replace):
       $A \to B: g^a, A$
       $B \to A: g^b, E_K\{\mathrm{sig}_B\{g^b, g^a, A\}\}$
       $A \to B: E_K\{\mathrm{sig}_A\{g^a, g^b, B\}\}$
     • Has Property 1 & Property 2.
     • Also Property 3: Identity protection

  8. By applying a series of other such simple syntactic rules, we derive the JFK protocol (proposed protocol to replace IKE as the IPSec key exchange protocol).
     Technical Report: www.stanford.edu/~danupam/composition.ps
     Other applications…

  9. Formalization

  10. Notation
     • Cord Calculus and Compositional Logic [Durgin, Mitchell, Pavlovic; 2001]
     • Motivation: “Arrows and messages” representation is inadequate. More descriptive language for describing the actions of the protocol participants.
     • Actions:
       $(\nu x)$: generate new term $x$
       $(x)$: receive term into $x$
       $\langle t \rangle$: send a term $t$

  11. Challenge-Response revisited
     • A : $(\,)\ [(\nu m)\langle\{m, A\}\rangle (x) \ldots]_A\ \langle\,\rangle$
       (labels on the slide: Input interface, Output Interface, Actions)
     • Attach logical assertions to actions: $[(\nu m)]_A\ \mathrm{Created}(A, m)$
     • This assertion is a required precondition to prove mutual authentication.

  12. ISO 9798-3 revisited
     • A : $(\,)\ [(\nu x)]\ \langle g^x \rangle\ ;\ (m)\ [\langle\{m, A\}\rangle (x) \ldots]_A\ \langle\,\rangle$
     • Generate new $x$; compute $g^x$
     • Substitute $g^x$ for $m$ in the second cord
     • $\mathrm{Created}(A, g^x)$ is a precondition.
     • Mutual authentication can be proved like in challenge-response.

  13. Summary
     • Security protocols can be built in an incremental manner by combining sub-protocols.
     • Future work: Formal framework for reasoning that the composition process preserves the properties of the original sub-protocols.
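
The syntactic derivation steps from slides 5 to 7 and 12 (substitute Diffie-Hellman values for the challenge-response nonces, then wrap every signature in E_K), written out as an added example that is not part of the original presentation. Messages are modelled as symbolic terms only, so this shows the rewriting, not a proof of the properties; all function and variable names are assumptions.

```python
# Added illustration, not from the slides: protocol messages as symbolic terms
# (nested tuples). All function and variable names here are assumptions.
def exp(base, e): return ("exp", base, e)        # base^e
def sig(who, *body): return ("sig", who, body)   # sig_who{body}
def enc(key, term): return ("enc", key, term)    # E_key{term}

# Challenge-response from slide 5 as (sender, receiver, message) steps.
CHALLENGE_RESPONSE = [
    ("A", "B", ("m", "A")),
    ("B", "A", ("n", sig("B", "n", "m", "A"))),
    ("A", "B", (sig("A", "m", "n", "B"),)),
]

def rewrite(term, rule):
    """Rewrite sub-terms first, then apply the rule once to the node itself."""
    if isinstance(term, tuple):
        term = tuple(rewrite(t, rule) for t in term)
    return rule(term)

def derive(protocol, rule):
    return [(s, r, rewrite(msg, rule)) for s, r, msg in protocol]

# Composition (slides 6 and 12): substitute Diffie-Hellman values for nonces.
DH_FOR_NONCES = {"m": exp("g", "a"), "n": exp("g", "b")}
def compose(term):
    return DH_FOR_NONCES.get(term, term)

# Refinement (slide 7): find-and-replace every signature with E_K{signature}.
def encrypt_sigs(term):
    is_sig = isinstance(term, tuple) and term[:1] == ("sig",)
    return enc("K", term) if is_sig else term

def show(t):
    if isinstance(t, str): return t
    if t[0] == "exp": return f"{t[1]}^{t[2]}"
    if t[0] == "sig": return f"sig_{t[1]}{{{', '.join(map(show, t[2]))}}}"
    if t[0] == "enc": return f"E_{t[1]}{{{show(t[2])}}}"
    return ", ".join(map(show, t))               # plain message tuple

def render(protocol):
    return [f"{s} -> {r}: {show(msg)}" for s, r, msg in protocol]

ISO_9798_3 = derive(CHALLENGE_RESPONSE, compose)
REFINED = derive(ISO_9798_3, encrypt_sigs)

if __name__ == "__main__":
    print("\n".join(render(ISO_9798_3) + render(REFINED)))
```

Applying the two rules in the opposite order gives the same refined protocol, since the substitution and the signature wrapping touch disjoint parts of each term.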
