1 / 27

By E. M. Clarke, et al.

Using State Space Exploration and a Natural Deduction Style Message Derivation Engine to Verify Security Protocols. By E. M. Clarke, et al. Presented by Zhenxiao Yang. Outline. Introduction Model Architecture Evaluation of the Model References. Introduction. What are network protocols

salene
Download Presentation

By E. M. Clarke, et al.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Using State Space Exploration and a Natural Deduction Style Message Derivation Engine to Verify Security Protocols By E. M. Clarke, et al. Presented by Zhenxiao Yang

  2. Outline • Introduction • Model Architecture • Evaluation of the Model • References

  3. Introduction • What are network protocols • principals + messages • Why are we using FM to reason about protocols? • Subtlety • Criticality • Main FM approaches being used • Belief logics and automated deduction process • Rigorous mathematical proof

  4. Introduction – cont’d • Comparison between this paper and the paper Ali presented • This paper focuses on the model itself, versus the specification logic • This paper focuses on common security protocols, versus e-commerce protocols

  5. Model Architecture

  6. Assumptions • Perfect Encryption Assumption • Crypto-techniques are unbreakable • Atomic Key Assumption • Keys are atomic messages • Open Network Assumption • The adversary controls the network

  7. Interesting Security Properties • Secrecy • Secret messages should never be exposed to the adversary • Correspondence • iff X event is preceded by a Y event • Scenario: • if A has successfully finished a authentication protocol run with B, then B has at least started the protocols run.

  8. Interesting Security Properties – cont’d • Correspondence – cont’d • A way to check correspondence: • in the event sequence, the number of X should never exceed the number of Y • Use a counter to indicate violation of correspondence property

  9. Messages • Atomic Messages • Keys • Principal names • Nonce’s • Data

  10. Messages – cont’d • Message Composition • Concatenation • Encryption – decryption • Formal Representation *A is the space of atomic messages *M is the set of all messages

  11. Messages – cont’d • Message Derivation Rules * is initial set of information

  12. State Machines • Model of honest principals • Model of the adversary • Model of global states

  13. Honest Agents • Each honest agent is modeled as a triple <N, p, B> • N is the name of the principal • P is a process

  14. The adversary • The adversary is modeled as a pair <Z, I> • Z is the name of the adversary • I is a set of messages

  15. Global State Model • The global state is a triple <Π, C, S>

  16. Search Algorithms • What to search? • Search for secrets in the set of messages the intruder can generate (secrecy) • When to search • After each SEND action of an honest agent (secrecy) • How to Search • Message derivations

  17. Message Derivation • Derivation rules for messages

  18. Message Derivation – cont’d • Concepts • minor premise: a key in a inference rule • major premise: any other premise • maximum message: conclusion of the introduction rule, or major premise of the elimination rules • normalized derivation tree: a derivation tree that contains no maximum message

  19. Example Derivation Trees Example Derivation Tree of

  20. Theorems • Theorem 1: Any derivation tree T for m depending on assumptions A can be transformed into a normalized derivation tree T’ for m depending on the same assumptions A • Theorem 2: No introduction rule appears above an elimination rule in a normalized derivation tree • Theorem 3: m can be derived from I iff m can be derived from I* • I is the knowledge of the adversary • I* is the closure of I under all elimination rules • Proves the correctness and decidability of the algorithm

  21. Algorithm Implementation

  22. Algorithm Implementation – cont’d Augmenting the adversary’s knowledge

  23. Algorithm Implementation – cont’d Searching the adversary’s knowledge

  24. The Model is Finite • A run of the a protocol • is some interleaving actions from a set of participants and from the adversary. • The length of each run is finite • we only consider a small number of runs. • A trace • is the interleaving of one or more runs. • Each trace is finite as well. • We only consider a finite number of traces

  25. Model Evaluation • The model is intuitive and practical • The model is finite and correct • Translation process is tedious • Efficiency is also a problem

  26. References • [1]E. Clarke, S. Jha, and W. Marrero. Using state space exploration and a natural deduction style message derivation engine to verify security protocols. In Proceedings of the IFIP Working Conference on Programming Concepts and Methods (PROCOMET), 1998. • [2]Michael Burrows, Martin Abadi, and Roger Needham. A logic of authentica- tion, from proceedings of the royal society, volume 426, number 1871, 1989. In William Stallings, editor, Practical Cryptography for Data Internetworks. IEEE Computer Society Press, 1996.

  27. Questions and Answers • Why use FM to reason about security protocols, what are the major methods used? • See slide #3 • Structure of the model, why is it finite and correct? • Model structure: slide #5 • Finiteness: slide #24 • Correctness: slide #20 • Strengths and weaknesses • See slide #25

More Related