1 / 21

Modelling and Analysing of Security Protocol: Lecture 7 Automatically Checking Protocols

Modelling and Analysing of Security Protocol: Lecture 7 Automatically Checking Protocols. Tom Chothia CWI. Demo. of adding protocols to the JAPE tool for BAN logic. The rest of the course. Today: 5th Oct, Automatic protocol verification 12th Oct, Protocols for anonymity

mairi
Download Presentation

Modelling and Analysing of Security Protocol: Lecture 7 Automatically Checking Protocols

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Modelling and Analysing of Security Protocol: Lecture 7Automatically Checking Protocols Tom Chothia CWI

  2. Demo. of adding protocols to the JAPE tool for BAN logic.

  3. The rest of the course • Today: 5th Oct, Automatic protocol verification • 12th Oct, Protocols for anonymity (homework on BAN logic and ProVerif) • 19th Oct, Model Checking & Fair exchange protocols. • 26th Oct moved to 29th Oct, 11:15 to 13:00 • 29th Oct & 2nd, 9th, 16th, 23rd Nov Student presentations • 30th Nov, Summary Lecture.

  4. Introduction • This lecture describes a tool for automatically checking protocol. • Analysis cannot be prefect (protocol security is equivalent to the halting problem). • One of the main advantages of using a tool is to help you think hard about a protocol!

  5. Automatic Protocol Tools We will look at ProVerif, other tools include: Tool Model Who Athena Strand spaces Mitire FDR CSP Oxford Univ. Analyzer own N.R.L. PaMoChSa Crypto-CCS Pisa Univ. Murphi model-checking Stanford ...

  6. Automatic tools • To use an automatic tool you must understand: • How to specify your protocol. • What is being checked.

  7. ProVerif • To use an automatic tool you must understand: • How to specify your protocol. • Using Prolog style rules • Or applied pi-calculus format • What is being checked. • Secrecy of a message • Correspondence assertions.

  8. This Lecture • Quick introduction to Prolog • A protocol as Prolog rules • From Prolog to ProVerif • Checking secrecy BREAK • From secrecy to authenticity • Writing protocols in the pi-calculus • Examples

  9. Prolog • A very powerful and very inefficient language. • To write a program in Prolog, you tell the computer what you want, not do to do it.

  10. Prolog: Facts and Rules parent_of( bob, alice ). parent_of(bob, peter). parent_of(eve, bob). male(bob). male(peter). female(alice). female(eve). grandparent_of (X, Y) :- parent(X,Z),parent(Z,Y) grandmother_of(X,Y) :- grandparent(X,Y),female(X). sibling (X,Y) :- parent(Z,X), parent(Z,Y). brother_of(X,Y) :- male(X), siblings (X,Y).

  11. Prolog: Facts and Rules > grandparent (eve, alice) True > Grandparent (eve, X) X = alice? > N X = peter? > N False

  12. Prolog: Sort sort (In, Out) :- permutation (In,Out), is_sorted (Out).

  13. Prolog: Sort sort (In, Out) :- permutation (In,Out), is_sorted (Out). is_sorted([x]). is_sorted(x:y:xs) :- x =< y, sorted (y:ys)

  14. Prolog: Sort sort (In, Out) :- permutation (In,Out), is_sorted (Out). is_sorted([x]). is_sorted(x:y:xs) :- x =< y, sorted (y:ys) permutation([], []). permutation(x:xs,ys) :- member (x,ys), remove(x,ys,zs), permutation(xs,zs).

  15. What Does This Have To Do With Protocols? • We can write protocols as prolog rules and try to “solve” these to find a secret. • If we can’t find the secrecy by any application of the rules then the protocol is “safe”. • Problem: Prolog will not terminate.

  16. ProVerif • The facts in ProVerif describe what the attackers knows. • The rules in ProVerif describe how the attacker can learn new facts... ... including learning new facts by using the protocol. • The tool then tries to apply all the rules to learn a secret.

  17. See handouts

  18. The Denning-Sacco Public-Key Protocol • A  B : EB(KAB,TA,Sign(KAB,TA)) To test as a “secret” in ProVerif we model the protocol: 1. A  B : EB(Sign(KAB)) 2. B  A : { secret }KAB

  19. See handouts

  20. Avoiding Non-Termination ProVerif may not terminate, but almost always does. • New values, such as nonce, are parameterized on current knowledge. • ProVerif chains the rules together, rather than generating new facts and discards unhelpful rules. • See sections 3 and 4 of the handout for more details.

  21. This Lecture • Quick introduction to Prolog • A protocol as Prolog rules • From Prolog to ProVerif • Checking secrecy BREAK • From secrecy to authenticity • Writing protocols in the pi-calculus • Examples

More Related