Binary decision diagrams for security protocols

Transcription

1 for Instytut Informatyki Teoretycznej i Stosowanej Politechnika Częstochowska 4 czerwca 2012 roku

2 Infrastructure with Intruder Threat template 5 References

3

4

5 BDD definition Definition An BDD G representing the Boolean Functions f 1,..., f m over the variables x 1,..., x n is a directed acyclic graph with following properties: 1 Nodes without outgoing edges, which are called sinks or terminal nodes, are labeled by 0 or 1. 2 All non-sink nodes of G, which are also called internal nodes, are labeled by a variable, a nd have two outgoing edges, a 0-edge and 1-edge. 3 On each directed path in the OBDD each variable occurs at most once as the label of the node.

6 Simple example

7 BDD types OBDD OBDD with complemented edges Algebraic Decision Diagrams Zero-suppressed Decision Diagrams

8 OBDD definition Definition An OBDD G representing the Boolean Functions f 1,..., f m over the variables x 1,..., x n is a directed acyclic graph with following properties has all properties and 1 there is a variable ordering π - a permutation of x 1,..., x n and on each directed path the variables occur according to this ordering

9 Basic operations I 1 Evaluation: For an OBDD G representing f and an input a compute the value f (a). 2 Reduction: For an OBDD G compute the equivalent reduced OBDD. 3 Equivalence test: Test whether two functions represented by OBDDs are equal. 4 Satisfiability problems: These problems include: Satisfiability: For an OBDD G representing f find an input a for which f (a) = 1 or output that no such input exists. SAT-Count: For an OBDD G representing f compute the number of inputs a for which f (a) = 1. 5 Synthesis (also called Apply): For functions f and g represented by an OBDD G include into G a representation for f g where is a binary Boolean operation (e.g., ).

10 Basic operations II 6 Replacements (also called Substitution): There are two replacement operations: Replacement by constants: For a function f represented by an OBDD, for a variable x i and a constant c 0, 1 compute an f xi =c. Replacement by functions: For functions f and g represented by an OBDD and for a variable x i compute an f xi =g. 7 Universal quantification and existential quantification: F or a function f represented by an OBDD and for a variable x i compute an ( x i : f ) := f xi =0 f xi =1 or ( x i : f ) := f xi =0 f xi =1, respectively.

11 Reduction

12 Knowledge variables Needham Schroeder Public Key Protocol: knowledge variables: α 1 A B : N A i(a) KB, α 2 B A : N A N B KA, (1) α 3 A B : N B KB. x N A A (N A Know A ), x N B A (N B Know A ), x N A B (N A Know B ), x N B B (N B Know B ). (2) If α j i is i-th step in the j-th execution of the, then the variable which corresponds to this step is marked by x α j. i

13 f1 1 = x N A A x N A B x α 1, 1 f2 1 = x N B B x N A B x N B A x α 1, (3) 2 f 1 3 = x N B A x α 1 3.

14

15 for : α 1 1 A ι : N A ι(a) Kι, α 2 1 ι(a) B : N A ι(a) KB, α 2 2 B ι(a) : N A N B KA, (4) α 1 2 ι A : N A N B KA, α 1 3 A ι : N B Kι, bollean functions: f 1 1 = x N A A α 2 3 ι(a) B : N B KB. (t) x N A ι (t) x α 1 1 (t), f 2 1 = x N A B (t + 1) x α 2 1, f 2 2 = x N B B (t + 2) x N A N B KA ι (t + 2) x α 2 2 (t + 2), (5) f1 2 = x N B A (t + 3) x α 2 (t + 3), 2 f1 3 = x N B ι (t + 4) x α 2 3 (t + 4), f 3 2 = x α 3 3 (t + 5).

16 Siedlecka

17 Chains Definition The chain in the OBDD tree for the run r is called the reduced correct sequence of boolean functions: c = f i 1 k 1, f i 2 k 2, f i 3 k 3,..., f is k s. The chain c = f i 1 k 1, f i 2 k 2, f i 3 k 3,..., f is k s can be written as: c = f i 1 k 1 (t 1 ) < f i 2 k 2 (t 2 ) < f i 3 k 3 (t 3 ) <... < f is k s (t s ) where t m < t n, for m = 1,..., s 1 and n = 2,..., s.

18 Threat template for St = (e 1 = x N A A (t)) < t 1 = th < (e 2 = x α 1 1 (t)) < t 2 = Th < (e 3 = x N A B (t > t)) < t 3 = th < (e 4 = x N B B (t > t)) < t 4 = th < (e 5 = x α 2(t > t)) < t 5 = Th < 2 (e 6 = x N B A (t > t )) < t 6 = th < (e 7 = x α 3 1 (t > t ))(6)

19 Threat template searching RS = (r 1 = x N A A (t)) < tr 1 = th < (r 2 = x α 1 1 (t)) < tr 2 = th < (r 3 = x N A ι (t 1 > t)) < tr 3 = th < (r 4 = x α 2 1 (t 1 > t)) < tr 4 = th < (r 5 = x N A B (t2 > t)) < tr 5 = th < (r 6 = x N B B (t2 > t 1 )) < tr 6 = th < (r 7 = x α 2 2 (t 2 > t 1 )) < tr 7 = th < (r 8 = x N A N B KA ι (t 3 > t 2 )) < tr 8 = th < (r 9 = x α 1 2 (t 3 > t 2 )) < tr 9 = th <(r 10 = x N B A (t4 > t 3 )) < tr 10 = th < (r 11 = x α 3 1 (t 5 > t 4 )) < tr 11 = th < (e 12 = x N B ι (t 6 > t 5 )) < t 12 = th < (e 13 = x α 2 3 (t 6 > t 5 )

20 References I Akers, S.B.:. IEEE Trans Comp 27, (1978) Bryant, R.E.: and beyond: enabling techniques for formal verification. Int Conf CAD, (1995) Drechsler, R., Becker, B.: - theory and implementation. Kluwer Academic Publishers, Boston, Mass., USA (1998) M., Srebrny, M.: A Quantifier-free First-order Knowledge Logic of Authentication, Fundamenta Informaticae, vol. 72, pp , IOS Press 2006 M., Penczek, W.: Verifying Protocols Modeled by Networks of Automata, Fundamenta Informaticae, Vol. 79 (3-4), pp , IOS Press 2007

21 References II M., Penczek, W.: Verifying Timed Protocols via Translation to Timed Automata, Fundamenta Informaticae, vol. 93 (1-3), pp , IOS Press 2009