On-the-fly Model Checking of Security Protocols
|
|
- Andrea Hodges
- 6 years ago
- Views:
Transcription
1 Guoqiang LI Japan Advanced Institute of Science and Technology Supervisor: Prof. Mizuhito Ogawa February 7, / 103
2 A Challenging Problem and A Legend... A security protocol, although only containing several flows, is easily caused attacks even without breaking cryptography. Analyzing security protocols proves to be a challenging problem over 30 years. Analyzing the Needham-Schroeder authentication protocol becomes a legend. In 1978, the NSSK and NSPK protocols are proposed. In 1981, Denning and Sacco found NSSK was flawed and proposed a refined protocol. In 1994, Abadi found that the refined protocol was also flawed. In 1995, Lowe found an attack on the NSPK protocol. (17 years after its publication) 2 / 103
3 A Challenging Problem and A Legend... A security protocol, although only containing several flows, is easily caused attacks even without breaking cryptography. Analyzing security protocols proves to be a challenging problem over 30 years. Analyzing the Needham-Schroeder authentication protocol becomes a legend. In 1978, the NSSK and NSPK protocols are proposed. In 1981, Denning and Sacco found NSSK was flawed and proposed a refined protocol. In 1994, Abadi found that the refined protocol was also flawed. In 1995, Lowe found an attack on the NSPK protocol. (17 years after its publication) 2 / 103
4 A Challenging Problem and A Legend... A security protocol, although only containing several flows, is easily caused attacks even without breaking cryptography. Analyzing security protocols proves to be a challenging problem over 30 years. Analyzing the Needham-Schroeder authentication protocol becomes a legend. In 1978, the NSSK and NSPK protocols are proposed. In 1981, Denning and Sacco found NSSK was flawed and proposed a refined protocol. In 1994, Abadi found that the refined protocol was also flawed. In 1995, Lowe found an attack on the NSPK protocol. (17 years after its publication) 2 / 103
5 A Challenging Problem and A Legend... A security protocol, although only containing several flows, is easily caused attacks even without breaking cryptography. Analyzing security protocols proves to be a challenging problem over 30 years. Analyzing the Needham-Schroeder authentication protocol becomes a legend. In 1978, the NSSK and NSPK protocols are proposed. In 1981, Denning and Sacco found NSSK was flawed and proposed a refined protocol. In 1994, Abadi found that the refined protocol was also flawed. In 1995, Lowe found an attack on the NSPK protocol. (17 years after its publication) 2 / 103
6 A Challenging Problem and A Legend... A security protocol, although only containing several flows, is easily caused attacks even without breaking cryptography. Analyzing security protocols proves to be a challenging problem over 30 years. Analyzing the Needham-Schroeder authentication protocol becomes a legend. In 1978, the NSSK and NSPK protocols are proposed. In 1981, Denning and Sacco found NSSK was flawed and proposed a refined protocol. In 1994, Abadi found that the refined protocol was also flawed. In 1995, Lowe found an attack on the NSPK protocol. (17 years after its publication) 2 / 103
7 The NSPK Protocol A B : B A : A B : {A, N A } +KB {N A, N B } +KA {N B } +KB A I : {A, N A } +KI I(A) B : {A, N A } +KB B I(A) : {N A, N B } +KA I A : {N A, N B } +KA A I : {N B } +KI I(A) B : {N B } +KB 3 / 103
8 The Fixed NSPK Protocol A B : B A : A B : {A, N A } +KB {B, N A, N B } +KA {N B } +KB A I : {A, N A } +KI I(A) B : {A, N A } +KB B I(A) : {B, N A, N B } +KA I A : {I, N A, N B } +KA 4 / 103
9 Security Protocols A B : B A : A B : {A, N A } +KB {B, N A, N B } +KA {N B } +KB A security protocol is a finite sequence of flows taken between two or more protocol roles using cryptography to establish security properties in a hostile environment. Protocol roles comprise sender, receiver, server, and so on. Instances of protocol roles are named principals. A session of a security protocol is one execution of the protocol attended by minimal number of principals. A fresh session is usually distinguished by a nonce. A message is a bit stream representing the information communicated between principals. A undecomposable message is named a name. 5 / 103
10 Process Calculus π-calculus π ::= x y x(z) τ P ::= 0 π.p P P [x = y] P νz P P + P!P e.g. ((ν z)x z.p) x(y).q R + ((ν z)p Q{z/y}) R Channel-based VS. Environment-based Communications: exchange with a specific channel VS. exchange with environment Freshness of names: scopes of local names VS. fresh public names Generation of messages by intruders and dishonest principals: recursive processes VS. deductive systems (Dolev-Yao model) Replication!P VS. Identifier A(x 1,..., x n ) Each identifer has the unique definition A(x 1,..., x n) P. Infinite process definitions:!p P P...VS. A E(A). 6 / 103
11 Factors of Infinity Unbounded number of messages that intruders and dishonest principals can generate. Idea: Variables are substituted only when needed. Unbounded number of principals that each principal contacts. Idea: Names are extended from constants to terms, called binders. These binders are instantiated depending on the context. Unbounded number of sessions that each principal participates. Idea: Restricting primitives due to difference assumptions. Bounded sessions: contains no recursive processes (without identifiers), and uses distinguished symbols for fresh messages. Recursive protocols: contains only one sequential recursive process, and uses nested binders for fresh messages. 7 / 103
12 Infinite Messages and Lazy Evaluation A B : N A, {A, M} KAB Sending a message Lazy evaluation Input requirement a(n A, {A, M} k[a,b] ) 8 / 103
13 Infinite Messages and Lazy Evaluation A B : N A, {A, M} KAB Sending a message Lazy evaluation Input requirement a(n A, {A, M} k[a,b] ) b(x) 9 / 103
14 Infinite Messages and Lazy Evaluation A B : N A, {A, M} KAB Sending a message Lazy evaluation Input requirement a(n A, {A, M} k[a,b] ) b(x) a(n A, {A, M} k[a,b] ) b(x 1,x 2 ) Require pair splitting 10 / 103
15 Infinite Messages and Lazy Evaluation A B : N A, {A, M} KAB Sending a message Lazy evaluation Input requirement a(n A, {A, M} k[a,b] ) b(x) a(n A, {A, M} k[a,b] ) b(x 1,x 2 ) Require pair splitting a(n A, {A, M} k[a,b] ) b(x 1, {y} k[a,b] ) Require decrypting 11 / 103
16 Infinite Messages and Lazy Evaluation A B : N A, {A, M} KAB Sending a message Lazy evaluation Input requirement a(n A, {A, M} k[a,b] ) b(x) a(n A, {A, M} k[a,b] ) b(x 1,x 2 ) Require pair splitting a(n A, {A, M} k[a,b] ) b(x 1, {y} k[a,b] ) Require decrypting a(n A, {A, M} k[a,b] ) b(x 1, {z,w} k[a,b] ) Require pair splitting 12 / 103
17 Infinite Messages and Lazy Evaluation A B : N A, {A, M} KAB Sending a message Lazy evaluation Input requirement a(n A, {A, M} k[a,b] ) b(x) a(n A, {A, M} k[a,b] ) b(x 1,x 2 ) Require pair splitting a(n A, {A, M} k[a,b] ) b(x 1, {y} k[a,b] ) Require decrypting a(n A, {A, M} k[a,b] ) b(x 1, {z,w} k[a,b] ) Require pair splitting a(n A, {A, M} k[a,b] ) b(x 1, {A, w} k[a,b] ) Require comparing 13 / 103
18 Infinite Messages and Lazy Evaluation A B : N A, {A, M} KAB Sending a message Lazy evaluation Input requirement a(n A, {A, M} k[a,b] ) b(x) a(n A, {A, M} k[a,b] ) b(x 1,x 2 ) Require pair splitting a(n A, {A, M} k[a,b] ) b(x 1, {y} k[a,b] ) Require decrypting a(n A, {A, M} k[a,b] ) b(x 1, {z,w} k[a,b] ) Require pair splitting a(n A, {A, M} k[a,b] ) b(x 1, {A, w} k[a,b] ) Require comparing a(n A, {A, M} k[a,b] ) b(x 1, {A, M} k[a,b] ) Require encrypted message 14 / 103
19 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B {A, N A } +KI a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 15 / 103
20 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B {A, N A } +KI C a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 16 / 103
21 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B {A, N A } +KI C I a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 17 / 103
22 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B {A, N A } +KI C finite I a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 18 / 103
23 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B A {A, N A } +KB {A, N A } +KC B {A, N {A, N A } +KI A } +KI C finite C I I a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 19 / 103
24 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B A {A, N A } +KB {A, N A } +KC B {A, N {A, N A } +KI A } +KI C finite C I I a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 20 / 103
25 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B A {A, N A } +KB {A, N A } +KC B {A, N {A, N A } +KI A } +KI C finite C I I a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 21 / 103
26 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B A {A, N A } +KB {A, N A } +KC B {A, N A } +KI {A, N A } +KI C finite C infinite! I I a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 22 / 103
27 Infinite Sessions and Freshness of Messages Freshness of sessions is usually captured by fresh nonces. Only one sequential recursive process is allowed in the system. It is later encoded by the pushdown system. Unbounded number of nonces are represented by nested applications of binders. (e.g. N[null], N[N[null]],...) A B : {A, N A } +KB A recursively sending messages is encoded by {A, N[ ]} +K[ ],. (by N [ ], a group of distinguished messages is represented.) Recursive protocols can be analyzed within the restriction. 23 / 103
28 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103
29 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103
30 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103
31 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103
32 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103
33 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103
34 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103
35 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103
36 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103
37 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103
38 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103
39 1 Introduction 2 Modeling Protocols for Authentication and Secrecy Description of Security Protocols Environment Ability Specification of Security Protocols 3 Authentication and Secrecy in Bounded Sessions 4 Authentication for Recursive Protocols 5 Non-repudiation and Fairness in Bounded Sessions 6 Conclusion 25 / 103
40 Process Calculus pr ::= x m[pr 1,..., pr n ] M, N, L ::= pr (M, N) {M} L H(M) P, Q, R ::= 0 Nil am.p output a(x).p input [M = N] P match (new x : A)P new (ν n)p restriction let (x, y) = M in P pair splitting case M of {x} L in P decryption P Q composition P + Q summation P; Q sequence A(pr 1,..., pr n ) identifier 26 / 103
41 Description of the NSPK Protocol A B : B A : A B : {A, N A } +KB {N A, N B } +KA {N B } +KB A (new x a : I)(ν N A ) a1{a, N A } +k[xa].a2(y a). case y a of {y a} k[a] in let (z a, z a) = y a in [z a = N A ] a3{z a} +k[xa].0 B (ν N B ) b1(x b ). case x b of {x b} k[b] in let (y b, y b) = x b in [y b = A] b2{y b, N B } +k[a].b3(z b ). case z b of {u b } k[b] in [u b = N B ] 0 SYS NSPK A B 27 / 103
42 Environment Ability Environment memorizes all communicated messages. Environment can produce, encrypt/decrypt, compose/split, and hash messages, following Dolev-Yao model (described as an environmental deductive system ). Environment produces infinitely many messages based on a bounded number of messages. A B C Environment 28 / 103
43 Specifications Trace semantics is chosen for the calculus. Each possible run of a protocol can be represented explicitly by a concrete trace. Processes for a given property will be inserted into a description of a protocol, to represent the security property. Security properties will be defined as reachability problems on a set of traces. A B : B A : A B : {A, N A } +KB {N A, N B } +KA {N B } +KB B (ν N B ) b1(x b ). case x b of {x b} k[b] in let (y b, y b) = x b in [y b = A] Authentication as reachability a3 x acc x b2{y b, N B } +k[a].b3(z b ). case z b of {u b } k[b] in [u b = N B ] acc z b.0 29 / 103
44 1 Introduction 2 Modeling Protocols for Authentication and Secrecy 3 Authentication and Secrecy in Bounded Sessions Parametrization and Refinement Experimental Results 4 Authentication for Recursive Protocols 5 Non-repudiation and Fairness in Bounded Sessions 6 Conclusion 30 / 103
45 Parametrization A receiver may receive an unbounded number of messages. A sender may send messages to an unbounded number of principals. Traces are abstracted to parametric traces by keeping fresh variables un-instantiated. ɛ, a(x).0 ɛ, a(x).0 a(m i), 0 a((m i,m i)), 0 a({m i} +k[i] ), 0 a(x), 0 ɛ, (new x : I)b1{M} +k[x].0 ɛ, (new x : I)b1{M} +k[x].0 b1{m} +k[b], 0 b1{m} +k[c], 0 b1{m} +k[i], 0 b1{m} +k[x], 0 31 / 103
46 Refinement Step Unifiers are applied when generating new parametric traces. ɛ, a1(x).case x of {y} k[a,s] in P p a1(x), case x of {y} k[a,s] in P p a1({y} k[a,s] ), P{{y} k[a,s] /x} An input action can be regarded as a required pattern. Some are easily satisfied (e.g.a1(x)), some are not (e.g. a1({y} k[a,s] )). A required pattern like a1({y} k[a,s] ) is named a rigid message. It should be satisfied by messages in the prefix trace (by unifications).... s {A, M} k[a,s]... a({a, x} k[a,s] ) 32 / 103
47 Refinement Step Unifiers are applied when generating new parametric traces. ɛ, a1(x).case x of {y} k[a,s] in P p a1(x), case x of {y} k[a,s] in P p a1({y} k[a,s] ), P{{y} k[a,s] /x} An input action can be regarded as a required pattern. Some are easily satisfied (e.g.a1(x)), some are not (e.g. a1({y} k[a,s] )). A required pattern like a1({y} k[a,s] ) is named a rigid message. It should be satisfied by messages in the prefix trace (by unifications). Unification x M... s {A, M} k[a,s]... a({a, x} k[a,s] ) 33 / 103
48 Refinement Step Unifiers are applied when generating new parametric traces. ɛ, a1(x).case x of {y} k[a,s] in P p a1(x), case x of {y} k[a,s] in P p a1({y} k[a,s] ), P{{y} k[a,s] /x} An input action can be regarded as a required pattern. Some are easily satisfied (e.g.a1(x)), some are not (e.g. a1({y} k[a,s] )). A required pattern like a1({y} k[a,s] ) is named a rigid message. It should be satisfied by messages in the prefix trace (by unifications). Unification x M... s {A, M} k[a,s]... a({a, x} k[a,s] )... s {A, M} k[a,s]... a({a, M} k[a,s] ) 34 / 103
49 Satisfiable Normal Form Given a parametric trace with bounded length, the refinement step will terminate and the set of normal forms of a parametric trace is finite.... s1{a, M} k[a,s]... a2({a, x} k[a,s] )... Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to the set concrete traces. 35 / 103
50 Satisfiable Normal Form Given a parametric trace with bounded length, the refinement step will terminate and the set of normal forms of a parametric trace is finite. Unification θ... s1{a, M} k[a,s]... a2({a, x} k[a,s] )... Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to the set concrete traces. 36 / 103
51 Satisfiable Normal Form Given a parametric trace with bounded length, the refinement step will terminate and the set of normal forms of a parametric trace is finite. Unification θ... s1{a, M} k[a,s]... a2({a, x} k[a,s] ) s1{a, M} k[a,s]...θ a2({a, M} k[a,s] )...θ Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to the set concrete traces. 37 / 103
52 Satisfiable Normal Form Given a parametric trace with bounded length, the refinement step will terminate and the set of normal forms of a parametric trace is finite. Unification θ... s1{a, M} k[a,s]... a2({a, x} k[a,s] ) s1{a, M} k[a,s]...θ a2({a, M} k[a,s] ) {M(x)} k[n]...θ Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to the set concrete traces. 38 / 103
53 Satisfiable Normal Form Given a parametric trace with bounded length, the refinement step will terminate and the set of normal forms of a parametric trace is finite. Unification θ... s1{a, M} k[a,s]... a2({a, x} k[a,s] )... Unification... s1{a, M} k[a,s]...θ a2({a, M} k[a,s] ) {M(x)} k[n]...θ Unification Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to the set concrete traces. 39 / 103
54 Satisfiable Normal Form Given a parametric trace with bounded length, the refinement step will terminate and the set of normal forms of a parametric trace is finite. Unification θ... s1{a, M} k[a,s]... a2({a, x} k[a,s] )... Unification... s1{a, M} k[a,s]...θ a2({a, M} k[a,s] ) {M(x)} k[n]...θ Normal form Unification The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to the set concrete traces. 40 / 103
55 Japan Advanced Institute of Science and Technology Asahidai, Nomi, Ishikawa, Japan {guoqiang, Introduction Modeling Auth&Sec.in Bou.Ses. Rec.Pro. Non-r&Fair.in Bou.Ses. Conclusion Q&A Experimental Results protocols session protocol spec. states times(s) flaws NSPK protocol detected Woo-Lam protocol* detected fixed NSPK protocol secure fixed NSPK protocol , secure Abadi-Gordon protocol secure Abadi-Gordon protocol , secure Yahalom protocol secure Yahalom protocol detected Otway-Rees protocol secure Otway-Rees protocol , detected Woo-lam protocol secure Woo-lam protocol , detected The tests were Figureperformed 1: Experimental on a Pentium Results for MAuthentication 1.4 GHz, 1.5Protocols GB memory PC, under Windows XP. The protocols common part is about 330 lines protocol (for structures spec. states and functions). times(s) flaws Arecursive two-session authentication protocol protocol in which each principal 32 acts416 as the same 0.82 role detected is labeled by fixed, recursive and as different authentication rolesprotocol is labeled by secure represents a variation of the Woo-Lam protocol. Figure 2: Experimental Results for Recursive Protocols 41 / 103
56 1 Introduction 2 Modeling Protocols for Authentication and Secrecy 3 Authentication and Secrecy in Bounded Sessions 4 Authentication for Recursive Protocols Recursive Protocols Abstractions in the pushdown system Experimental Results 5 Non-repudiation and Fairness in Bounded Sessions 6 Conclusion 42 / 103
57 Recursive Protocols operate over an arbitrarily long chain of protocol principals, terminating with a key-generated server. intend to generate session-keys between each pair of two adjacent principals by contacting the key-generated server once. each principal has two choices: either contacts the server to terminate the protocol, or communicates with its next principal to continue the protocol. S Req(Null) Sub.Reqn(Null) Req n 1 (Null) Res 0 (k 0...kn) A 0 A 1 A n 1 A n Resn(k 0 ) Res 1 (k 0,...,k n 1 ) 43 / 103
58 Recursive Authentication Protocol [Bull&Otway 97] H K (X) = (H(K, X), X) A i A i+1 : H KAi S (A i, A i+1, N Ai, X) A 0 A 1 : A 1 A 2 :... H (A KA0 S 0, A 1, N A0, Null) H (A KA1 S 1, A 2, N A1, H (A KA0 S 0, A 1, N A0, Null)) A n S : H KAnS (A n, S, N An, H (A KAn 1 S n 1, A n, N An 1, H KAn 2 (... Null)...)) S S A n : {K n, S, N An } KAnS, {K n 1, A n 1, N An } KAnS, {K n 1, A n, N An 1 } KAn 1 S, {K n 2, A n 2, N An 1 } KAn 1 S,... {K 1, A 2, N A1 } KA1 S, {K 0, A 0, N A1 } KA1 S, {K 0, A 1, N A0 } KA0 S A i A i 1 : {K i 1, A i, N i 1 } KAi 1 S, {K i 2, A i 2, N i 1 } KAi 1 S,... A 1 A 0 : {K 0, A 1, N 0 } KA0 S 44 / 103
59 Abstracting Unbounded Number of Messages A Usage of Binders In bounded sessions, messages that principals generated are explicitly represented by distinguished symbols. Principals names, A, B, C, I,... Nonces, N A, N B,... For a recursive protocol, unbounded number of messages are encoded by nested applications of binders. Names: A[Null], A[A[Null]],... Nonces: N[Null], N[N[Null]], / 103
60 Encoding to Pushdown System A pushdown system P = (Q, Γ,, c 0 ) is a transition system with carrying an unbounded stack. Q is a set of control locations. A control location is a pair (R, ˆtr), in which R is a finite set of messages, and ˆtr is a finite parametric trace. Γ is a finite set of stack alphabet. Γ = { }. Nested applications of binders are encoded with binder markers, and nested times are captured by the length of the stack. (e.g. A[Null], A[A[Null]],... will be encoded by...a[ ]...,.) c 0 = (q 0, ω 0 ), is an initial configuration, where q 0 Q and ω 0 Γ. (, ɛ), ε. : (Q Γ) (Q Γ ) is a finite subset of transitions ( ). It encodes the parametric transitions and the refinement step. 46 / 103
61 Recall the Parametric Transitions Traces are abstracted to parametric traces by keeping fresh variables un-instantiated. ɛ, a(x).0 ɛ, (new x : I)b1{M} +k[x].0 a(x), 0 b1{m} +k[x], 0 Unifiers are applied when generating new parametric traces. ɛ, a1(x).case x of {y} k[a,s] in P p a1(x), case x of {y} k[a,s] in P p a1({y} k[a,s] ), P{{y} k[a,s] /x} Unbounded length of parametric traces should be represented. 47 / 103
62 Folding Parametric Traces by Pushdown System A 0 A 1 : N 1... A n 1 A n : N n Nonces are encoded by N[n], N[N[n]],... A 0 is defined as A a1 N[n].0 An identifier for receivers is defined as: R b1(x).b2 N[x].R The finite parametric trace in a control location is a compaction of the original trace. (, ɛ), ε (, a1 N[n]), ε (, a1 N[n]), ε (, a1 N[n].b1(x).b2 N[N[ ]]), ε (, ɛ), ε (, b1(x).b2 N[N[ ]]), ε (, b1(x).b2 N[N[ ]]), ε (, b1(x).b2 N[N[ ]]), (, a1 N[n].b1(x).b2 N[N[ ]]), ε (, a1 N[n].b1(x).b2 N[N[ ]]), / 103
63 Recall the Refinement Step An input action can be regarded as a required pattern. Some are easily satisfied (e.g.a1(x)), some are not (e.g. a1({y} k[a,s] )). A required pattern like a1({y} k[a,s] ) is named a rigid message. It needs to be satisfied by messages in the prefix trace (by unifications). Unification x M... s {A, M} k[a,s]... a({a, x} k[a,s] )... s {A, M} k[a,s]... a({a, M} k[a,s] ) Unbounded number of rigid messages should be unified. The set of messages to be unified may also be unbounded. 49 / 103
64 Context-insensitive Rigid Messages A B : {A, N A } KAB A is defined as A(N), where A(x) a1 {A, x} k[a,b].a(n[x]) B is defined as B b1(x).case x of {y} k[a,b] in let (z, w) = y in [z = A] 0 A rigid message {A, w} k[a,b] is insensitive to the current context. A rigid message is context-insensitive if it does not contain any binder markers. (, ɛ), ε (, a1 {A, N[ ]} k[a,b] ), ε (, a1 {A, N[ ]} k[a,b] ), ε (, a1 {A, N[ ]} k[a,b] ),... (, a1 {A, N[ ]} k[a,b].b1({a, w} k[a,b] )), ε ({{A, N[ ]} k[a,b] }, a1 {A, } k[a,b].b1({a, } k[a,b] )), ε 50 / 103
65 Context-sensitive Rigid Messages A B : B A : N A {B, N A } KAB A is defined as A(N), where A(x) a1 x.a2(y). case y of {z} k[a,b] of let (z 1, z 2 ) = z in [z 2 = x] A(N[x]) A rigid message {z 1, N[ ]} k[a,b] is sensitive to the current context. A rigid message is context-sensitive if it contains at least a binder marker. A context-sensitive rigid message can only be unified with bounded number of messages (in current context).... (, a1 N[ ].b1(x).b2 {B, x} k[a,b].a2({z 1, N[ ]} k[a,b] )), ε (, a1 N[ ].b1(n[ ]).b2 {B, N[ ]} k[a,b].a2({b, N[ ]} k[a,b] )), ε 51 / 103
66 Freshness of Sessions and Principals Freshness of sessions is captured by fresh nonces; Freshness of principals is captured by fresh names of principals. Generally, a stack can only represent one type of fresh messages by the context. When push, enters a new context (new session). When pop, returns to the previous context (previous session). In recursive protocols two type of fresh messages coincide with each other. Thus by one stack two type of fresh messages can be described. 52 / 103
67 An Attack for the RA Protocol There are two different views of the authentication property. L. Paulson took one view of authentication. He proved the correctness of the RA protocol by Isabelle/HOL. An attack, which violates authentication (a la Abadi et. al.) is found in the RA protocol by our method. S Req(Null) I Req n 1 (Null) Sub.Reqn(Null) A 0 A 1 A n 1 A n This attack does not violate secrecy. 53 / 103
68 Corrected Version of the RA Protocol S A n : {K n, S, N An } KA ns, {K n 1, A n 1, N An } KA ns, {K n 1, A n, N An 1 } KAn 1 S, {K n 2, A n 2, N An 1 } KAn 1 S,... {K 1, A 2, N A1 } KA1 S, {K 0, A 0, N A1 } KA1 S, {K 0, A 1, N A0 } KA0 S S A n : {{K n, S, N An } KA ns, {K n 1, A n 1, N An } KA ns, {{K n 1, A n, N An 1 } KAn 1 S, {K n 2, A n 2, N An 1 } KAn 1 S,... {{K 1, A 2, N A1 } KA1 S, {K 0, A 0, N A1 } KA1 S, {{K 0, A 1, N A0 } KA0 S } K A0 S...} K A ns 54 / 103
69 Yahalom protocol secure Introduction Modeling Auth&Sec.in Bou.Ses. Rec.Pro. Non-r&Fair.in Bou.Ses. Conclusion Yahalom protocol detected Q&A Otway-Rees protocol secure Otway-Rees protocol Experimental 2 34 Results 2, detected Woo-lam protocol secure Woo-lam protocol , detected Figure 1: Experimental Results for Authentication Protocols protocols protocol spec. states times(s) flaws recursive authentication protocol detected fixed recursive authentication protocol secure Figure 2: Experimental Results for Recursive Protocols The tests were performed on a Pentium M 1.4 GHz, 1.5 GB memory PC, under Windows XP. The common part is about 500 lines. 55 / 103
70 1 Introduction 2 Modeling Protocols for Authentication and Secrecy 3 Authentication and Secrecy in Bounded Sessions 4 Authentication for Recursive Protocols 5 Non-repudiation and Fairness in Bounded Sessions Extended with Dishonest Principals Two-Phase Refinement Steps Experimental Results 6 Conclusion 56 / 103
71 Honest Principal VS. Dishonest Principal A B : B A : N A {B, N A } KBS N A A B Each principal follows the rules of a protocol. Each principal disobeys the rules of a protocol. 57 / 103
72 Honest Principal VS. Dishonest Principal A B : B A : N A {B, N A } KBS N A A B {B,N A } KBS Each principal follows the rules of a protocol. Each principal disobeys the rules of a protocol. 58 / 103
73 Honest Principal VS. Dishonest Principal A B : B A : N A {B, N A } KBS N A N A A B A B {B,N A } KBS Each principal follows the rules of a protocol. Each principal disobeys the rules of a protocol. 59 / 103
74 Honest Principal VS. Dishonest Principal A B : B A : N A {B, N A } KBS N A N A A B A B {B,N A } KBS x Each principal follows the rules of a protocol. Each principal disobeys the rules of a protocol. 60 / 103
75 Honest Principal VS. Dishonest Principal A B : B A : N A {B, N A } KBS N A N A A B A B {B,N A } KBS N A Each principal follows the rules of a protocol. Each principal disobeys the rules of a protocol. 61 / 103
76 Honest Principal VS. Dishonest Principal A B : B A : N A {B, N A } KBS N A N A A B A B {B,N A } KBS Each principal follows the rules of a protocol. Each principal disobeys the rules of a protocol. 62 / 103
77 Model a Network Dishonest Principals Environment can memorize, produce, encrypt/decrypt, and compose/split messages (described as an environmental deductive system ). A dishonest principal may send unbounded number of messages during the communication (represented as P-deductive system P ). A B C Environment A dishonest principal P can generate each message the environment generates (s M s P M) A dishonest principal P can sign(encrypt with its private key), or encrypt with shared key a message it generates. (s P M s P {M} KP, s P M s P {M} KPS ) 63 / 103
78 New Infinity Factor and its Parametrization A sender may send infinitely many messages to the environment due to the P-deductive system. Traces are abstracted to parametric traces by keeping fresh variables un-instantiated. ɛ, (new x)a1{x} k[a].0 ɛ, (new x)a1{x} k[a].0 a1{m} k[a], 0 a1{m,b} k[a], 0 a1{{m} +k[b] } k[a], 0 a1{x} k[a], 0 64 / 103
79 Recall the Refinement Step An input action can be regarded as a required pattern. Some are easily satisfied (e.g.a1(x)), some are not (e.g. a1({y} k[a,s] )). A required pattern like a1({y} k[a,s] ) is named a rigid message. It needs to be satisfied by messages in the prefix trace (by unifications). Unification x M... s {A, M} k[a,s]... a({a, x} k[a,s] )... s {A, M} k[a,s]... a({a, M} k[a,s] ) 65 / 103
80 Further Refinement Step A refinement step may cause an inconsistency when a principal sends messages. A B : B A : N A {N B } kb A parametric trace is a1x.a2{y} k[b]. ({y} k[b] : rigid message). After unification, a1{y} k[b].a2{y} k[b]. Can principal A sign with B s signature? (Need further refinement!)... b1{b,y} k[b]... a1z a2({b,x} k[b] ) 66 / 103
81 Further Refinement Step A refinement step may cause an inconsistency when a principal sends messages. A B : B A : N A {N B } kb A parametric trace is a1x.a2{y} k[b]. ({y} k[b] : rigid message). After unification, a1{y} k[b].a2{y} k[b]. Can principal A sign with B s signature? (Need further refinement!) Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification 67 / 103
82 Further Refinement Step A refinement step may cause an inconsistency when a principal sends messages. A B : B A : N A {N B } kb A parametric trace is a1x.a2{y} k[b]. ({y} k[b] : rigid message). After unification, a1{y} k[b].a2{y} k[b]. Can principal A sign with B s signature? (Need further refinement!) Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification... b1{b,x} k[b]... a1{b,y} k[b] a2({b,y} k[b] ) 68 / 103
83 Further Refinement Step A refinement step may cause an inconsistency when a principal sends messages. A B : B A : N A {N B } kb A parametric trace is a1x.a2{y} k[b]. ({y} k[b] : rigid message). After unification, a1{y} k[b].a2{y} k[b]. Can principal A sign with B s signature? (Need further refinement!) Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification... b1{b,x} k[b]... a1{b,y} k[b] a2({b,y} k[b] ) Unification 69 / 103
84 Further Refinement Step A refinement step may cause an inconsistency when a principal sends messages. A B : B A : N A {N B } kb A parametric trace is a1x.a2{y} k[b]. ({y} k[b] : rigid message). After unification, a1{y} k[b].a2{y} k[b]. Can principal A sign with B s signature? (Need further refinement!) Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification... b1{b,x} k[b]... a1{b,y} k[b] a2({b,y} k[b] ) Unification... b1{b,x} k[b]... a1{b,x} k[b] a2({b,x} k[b] ) 70 / 103
85 Satisfiable Normal Form The refinement steps will also terminate and the set of normal forms of a parametric trace is finite.... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to concrete traces. 71 / 103
86 Satisfiable Normal Form The refinement steps will also terminate and the set of normal forms of a parametric trace is finite. Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to concrete traces. 72 / 103
87 Satisfiable Normal Form The refinement steps will also terminate and the set of normal forms of a parametric trace is finite. Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification... b1{b,x} k[b]... a1{b,y} k[b] a2({b,y} k[b] ) Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to concrete traces. 73 / 103
88 Satisfiable Normal Form The refinement steps will also terminate and the set of normal forms of a parametric trace is finite. Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification Unification... b1{b,x} k[b]... a1{b,y} k[b] a2({b,y} k[b] ) Unification Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to concrete traces. 74 / 103
89 Satisfiable Normal Form The refinement steps will also terminate and the set of normal forms of a parametric trace is finite. Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification Unification... b1{b,x} k[b]... a1{b,y} k[b] a2({b,y} k[b] ) Unification... b1{b,x} k[b]... a1{b,x} k[b] a2({b,x} k[b] ) Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to concrete traces. 75 / 103
90 Satisfiable Normal Form The refinement steps will also terminate and the set of normal forms of a parametric trace is finite. Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification Unification... b1{b,x} k[b]... a1{b,y} k[b] a2({b,y} k[b] ) Unification... b1{b,x} k[b]... a1{b,x} k[b] a2({b,x} k[b] ) Normal form The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to concrete traces. 76 / 103
91 Experimental Results Parametric system are implemented by Maude. protocols property protocol spec. states times(s) flaws Simplified ZG protocol NRO detected NRR secure FAIRO detected FAIRR secure FAIRM 50 4, detected Full ZG protocol NRO secure FAIRO secure FAIRM secure ISO/IEC M2 NRO 50 1, detected FAIRO 65 1, detected FAIRR 65 2, secure ISO/IEC M-h FAIRO detected FAIRR secure (Non-repudiation is composed of NRO and NRR; Fairness is composed of FAIRO, FAIRR, FAIRM) Figure 3: Experimental Results for Fair Non-repudiation Protocols Pentium M 1.4 GHz, 1.5 GB memory PC, under Windows XP. The common part is about 400 lines. 77 / 103
92 1 Introduction 2 Modeling Protocols for Authentication and Secrecy 3 Authentication and Secrecy in Bounded Sessions 4 Authentication for Recursive Protocols 5 Non-repudiation and Fairness in Bounded Sessions 6 Conclusion 78 / 103
93 Related Work Process Calculi Bisimulation (M. Abadi et. al. 97, 98) Typed-based static analysis (M. Abadi et. al. 99, 01) Horn clause+ resolution (M. Abadi et. al. 03, 04, 05) Trace analysis Theorem proving CSP+PVS (S. Schneider et. al ) Model checking (CSP+FDR G. Lowe et. al. 96, Spi+STA M. Boreale 01) 79 / 103
94 Related Work Lazy Intruder David Basin, et al. proposed an On-the-fly model checking method (OFMC). (Basin et.al. 05) They use a high-level language HLPSL to represent a protocol, then translate automatically to a low-level one, IF. The knowledge of intruder will be refined to satisfy the requirement of a principal (Lazy intruder). An intruder s role is explicitly assigned, thus flexible and efficient Messages 1. A -> B : A, NA 2. B -> S: B, { A, NA, NB }k(b,s) Session_instances [A:a; B:b; S:s] [A:i; B:b; S:s] state(rolea,step0,sess1,a,b,s,k(a,s)). state(roleb,step0,sess1,a,b,s,k(b,s)). state(roles,step0,sess1,a,b,s,k). state(rolea,step0,sess2,a,b,s,k(a,s)). state(roles,step0,sess2,a,b,s,k). i_knows(a).i_knows(b).i_knows(s). i_knows(s).i_knows(i).i_knows(k(i,s)). 80 / 103
95 Future Works More on the same direction: Analyzing other properties. anonymity, and other authentication variations. security properties for multiparty protocols and broadcast protocols. A translator that translates a formal protocol description to a Maude source file is designable. Adopt bisimulation as specifications. Affiliate to the resolution method, used as a heuristic guide to extract a counterexample when finding a flaw by resolution. Analyze from source codes of security protocols. 81 / 103
96 Conclusions Proposed security protocol analysis based on a sound and complete model checking method to analyze various security properties under certain assumptions. When flaws are not detected, it guarantees that a protocol is secure under the given assumptions. Several properties, such as non-repudiation, and authentication for recursive protocols, are first analyzed by us using model checking. 82 / 103
97 Thank you! 83 / 103
98 Sub-calculi P, Q ::= 0 am.p a(x).p [M = N] P (new x : A)P (ν n)p let (x, y) = M in P case M of {x} L in P P Q P, Q ::= 0 am.p a(x).p [M = N] P (new x : A)P (ν n)p let (x, y) = M in P case M of {x} L in P P Q P + Q P; Q A( pr) P, Q ::= 0 am.p a(x).p [M = N] P (new x)p (ν n)p let (x, y) = M in P case M of {x} L in P P Q P + Q 84 / 103
99 Difference of the New Operators In the sub-calculi for authentication and secrecy properties, the ranges of variables bounded by New operators are given statically: (new x : A)P In the sub-calculus for non-repudiation and fairness, the ranges of variables bounded by New operators are given dynamically by the P-deductive system: (new x)p The main difference, a process in the former calculi has a prenex normal form, while in the latter one has not. (new x : A)a1 x.(new y : B)a2 y.0 (new x : A)(new y : B)a1 x.a2 y.0 (new x)a1 x.(new y)a2 y.0 (new x)(new y)a1 x.a2 y.0 85 / 103
100 Restricting Infinite Processes Adopt identifier to represent infinite processes. For any identifier A(x 1,..., x n ), there must be a unique definition, that is, A(x 1,..., x n ) P. A process expression E is like a process, but may contain identifier variables. (eg: E(X) a(x).x) A recursive process is defined as an identifer. (eg: A E(A)) For recursive protocols, there are two restrictions: A system allows only one recursive process. The X in E for the recursive process is sequential. (X is sequential in E if X does not occur with composition combinators in E) 86 / 103
101 Sequence Primitive Sequence primitive, P; Q are usually a redundant operator in process calculus. P; Q has sub-expressiveness of P Q. If there is no identifiers, P; Q is equal to replace all 0 in P to Q. (eg:(α.0 + β.0); Q α.q + β.q ) Sequence operator is required, since the sequential restriction is adopted to identifier variables in expression E. while P; Q is needed when defining a recursive protocol. Without P; Q, when entering the another context, there are no actions in previous context. 87 / 103
102 Representing the RA Protocol: originator O(x 1, x 2 ) a1 H lk[x1,s](x 1, x 2, N[Null], Null). a2(x).case x of {y 1, y 2, y 3 } lk[x1,s]. [y 3 = N[Null]] 0 O(A[Null], A[A[Null]]) 88 / 103
103 Representing the RA Protocol: recipient R(x 1, x 2 ) (b1(x).let (y 1, y 2, y 3, y 4, y 5 ) = x in [y 2 = x 1 ] (b2 H lk[x1,s](x 1, A[x 1 ], N[y 3 ], x).r(a[x 1 ], x 1 )+ b3 H lk[x1,s](x 1, S, N[y 3 ], x).0)); (b4(x).let (z 1, z 2, z 3 ) = x in case z 1 of {z 4, z 5, z 6 } lk[x1,s] in [z 6 = N[y 3 ]] case z 2 of {z 7, z 8, z 9 } lk[x1,s] in [z 8 = x 2 ] [z 9 = N[y 3 ]] b5z 3.0) R(A[A[Null]], A[Null]) 89 / 103
104 Representing the RA Protocol: server S s1(x).s2 (F (x)).0 F (x) = let (y 1, y 2, y 3, y 4, y 5 ) = x; let t = ɛ; while (y 1 = H(y 2, y 3, y 4, y 5, lk[y 2, S])&&y 5! = Null) let (z 1, z 2, z 3, z 4, z 5 ) = y 5 ; if (z 1 = H(z 2, z 3, z 4, z 5, lk[z 2, S])&&z 3 == y 2 ) then t = (t, {k[y 4 ], y 3, y 4 }, {k[y 3 ], z 2, z 4 }); else raise error endif (y 1, y 2, y 3, y 4, y 5 ) := (z 1, z 2, z 3, z 4, z 5 ); endwhile t := (t, {k[y 4 ], y 3, y 4 }); return t; SYS RA O(A[Null], A[A[Null]]) R(A[A[Null]], A[Null]) S 90 / 103
105 Environmental Deductive System S M M E S M M S S (M, N) S M S M S N S (M, N) S {M} k[a,b] S k[a, B] S M S {M} ±k[a] S k[a] S M S M S H(M) S (M, N) S N S M S k[a, B] S {M} k[a,b] S M S ±k[a] S {M} ±k[a] 91 / 103
106 The Axioms of Structural Congruence SC-COMP-ASSOC P (Q R) (P Q) R SC-COMP-COMM P Q Q P SC-COMP-INACT P 0 P SC-SUM-ASSOC P + (Q + R) (P + Q) + R SC-SUM-COMM P + Q Q + P SC-RES (νm)(νn)p (νn)(νm)p SC-RES-INACT (νn)0 0 SC-RES-COMP (νn)(p Q) P (νn)q if n / f n(p) SC-NEW (new x : A)(new y : B)P (new y : B)(new x : A)P SC-NEW-INACT (new x : A)0 0 SC-NEW-COMP (new x : A)(P Q) P (new x : A)Q if x / f v(p) SC-SEQ-INACT 0; P P 92 / 103
107 Concrete Transition Rules in Bounded Sessions (INPUT ) s, a(x).p s.a(m), P{M/x} s M (OUTPUT ) s, am.p s.am, P (DEC) s, case {M} L of {x} L in P s, P{M/x} L = Opp(L) (PAIR) s, let (x, y) = (M, N) in P s, P{M/x, N/y} (NEW ) s, (new x : A)P s, P{m/x} m A (RESTRICTION) s, (νn)p s, P{m/n} m = freshn(v ) (MATCH) s, [M = M]P s, P (LCOM) s, P s, P s, P Q s, P Q (RCOM) s, Q s, Q s, P Q s, P Q P P s, P s, Q Q Q (STR) s, P s, Q 93 / 103
108 Parametric Transition Rules in Bounded Sessions (PINPUT ) ŝ, a(x).p p ŝ.a(x), P (POUTPUT ) ŝ, am.p p ŝ.am, P (PDEC) ŝ, case {M} L of {x} L in P p ŝθ, Pθ θ = Mgu({M} L, {x} Opp(L )) (PPAIR) ŝ, let (x, y) = M in P p ŝθ, Pθ θ = Mgu((x, y), M) (PNEW ) ŝ, (new x : A)P p ŝ, P{y/x} y / f v(p) b v(p) (PRESTRICTION) ŝ, (νn)p p ŝ, P{m/n} m = freshn(v ) (PMATCH) ŝ, [M = M ]P p ŝθ, Pθ θ = Mgu(M, M ) (PLCOM) ŝ, P p ŝ, P ŝ, P Q p ŝ, P Q Q = Qθ if ŝ = ŝθ else Q = Q P P s, P p s, Q Q Q (PSTR) s, P p s, Q 94 / 103
109 Q&A: Defining Security Properties Action Terms T ::= σ ::= α T T T T T T T T T F T s, P = T 1 T 2 : for each concrete trace s generated by s, P, if there is a ground substitution ρ such that T 2 ρ occurs in s, then so do T 1 ρ, and T 1 ρ occurs before T 2 ρ in s. s, P = T 1 F T 2 : for each concrete configuration s, P reached by s, P, if there is a ground substitution ρ such that T 1 ρ occurs in s, then for every path starting from s, P, there exists a concrete trace s such that T 2 ρ occurs in s. 95 / 103
110 Q&A: Testing Equivalence in Spi Calculus m(x).q m m M.Q m P β P β P Q Q β P β The testing equivalence P Q between P and Q is defined as follow: For all test (R, β), (P R) β if and only if (Q R) β. 96 / 103
111 The Zhou-Gollmann fair non-repudiation protocol A B : B A : A S : S A : S B : {B, N A, {M} K } KA {A, N A, {M} K } KB {B, N A, K } KA {A, B, N A, K } KS {A, B, N A, K } KS A B : B A : A S : S A : S B : {F NRO, B, N A, {M} K } KA {F NRR, A, N A, {M} K } KB {F SUB, B, N A, K } KA {F CON, A, B, N A, K } KS {F CON, A, B, N A, K } KS 97 / 103
112 On-the-fly Model Checking by Maude Two reasons to use Maude: A new parametric trace generation is decided dynamically by trying to unify rigid message (it may fail). A property is a reachability problem, which can be checked at the same time while a model is being generated. The way of implementation by Maude, Each elementary definition and function in the parametric model is implemented to functional modules. A trace generating system is represented in a system module. search command is used to find whether the negation of a specification is reachable. 98 / 103
Control Flow Analysis of Security Protocols (I)
Control Flow Analysis of Security Protocols (I) Mikael Buchholtz 02913 F2005 Mikael Buchholtz p. 1 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography 02913 F2005
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols
More informationProving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationMSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano ISSS 2003,
More informationProtocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete
Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete Michaël Rusinowitch and Mathieu Turuani LORIA-INRIA- Université Henri Poincaré, 54506 Vandoeuvre-les-Nancy cedex, France
More informationOne Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University
More informationTerm Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool
Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Informáticos y Computación Universitat Politècnica de València sescobar@dsic.upv.es
More informationTyped MSR: Syntax and Examples
Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ MMM 01 St. Petersburg, Russia May 22 nd, 2001 Outline
More informationModels and analysis of security protocols 1st Semester Security Protocols Lecture 6
Models and analysis of security protocols 1st Semester 2010-2011 Security Protocols Lecture 6 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 18th 2010 1 / 46 Last Time (I) Symmetric
More informationProving Properties of Security Protocols by Induction
Proving Security Protocols 1 L. C. Paulson Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory University of Cambridge Proving Security Protocols 2 L. C. Paulson
More informationEncoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania
Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to
More informationAbstract Specification of Crypto- Protocols and their Attack Models in MSR
Abstract Specification of Crypto- Protocols and their Attack Models in MSR Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ Software
More informationAutomated Validation of Internet Security Protocols. Luca Viganò
Automated Validation of Internet Security Protocols Luca Viganò The AVISPA Project Luca Viganò 1 Motivation The number and scale of new security protocols under development is out-pacing the human ability
More informationVerification of Security Protocols in presence of Equational Theories with Homomorphism
Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D,
More informationA Calculus for Control Flow Analysis of Security Protocols
International Journal of Information Security manuscript No. (will be inserted by the editor) A Calculus for Control Flow Analysis of Security Protocols Mikael Buchholtz, Hanne Riis Nielson, Flemming Nielson
More informationOn the Automatic Analysis of Recursive Security Protocols with XOR
On the Automatic Analysis of Recursive Security Protocols with XOR Ralf Küsters 1 and Tomasz Truderung 2 1 ETH Zurich ralf.kuesters@inf.ethz.ch 2 University of Kiel, Wrocław University tomasz.truderung@ii.uni.wroc.pl
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationCHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
INSTITUT FÜR INFORMATIK UND PRAKTISCHE MATHEMATIK A Constraint-Based Algorithm for Contract-Signing Protocols Detlef Kähler, Ralf Küsters Bericht Nr. 0503 April 2005 CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
More informationModels for an Adversary-Centric Protocol Logic
Workshop on Logical Aspects of Cryptographics 2001 Preliminary Version Models for an Adversary-Centric Protocol Logic Peter Selinger Department of Mathematics and Statistics University of Ottawa Ottawa,
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationTrace Refinement of π-calculus Processes
Trace Refinement of pi-calculus Processes Trace Refinement of π-calculus Processes Manuel Gieseking manuel.gieseking@informatik.uni-oldenburg.de) Correct System Design, Carl von Ossietzky University of
More informationStrand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001
Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction
More informationThe Logical Meeting Point of Multiset Rewriting and Process Algebra
MFPS 20 @ MU May 25, 2004 The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano ervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, D http://theory.stanford.edu/~iliano
More informationAn Efficient Cryptographic Protocol Verifier Based on Prolog Rules
An Efficient Cryptographic Protocol Verifier Based on Prolog Rules Bruno Blanchet INRIA Rocquencourt Domaine de Voluceau B.P. 105 78153 Le Chesnay Cedex, France Bruno.Blanchet@inria.fr Abstract We present
More informationA Logic of Authentication. Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989
A Logic of Authentication Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989 Logic Constructs P believes X : P may act as though X is true. P sees X : a message containing X was sent to P; P can read and
More informationComputing Symbolic Models for Verifying Cryptographic Protocols
Computing Symbolic Models for Verifying Cryptographic Protocols Marcelo Fiore Computer Laboratory University of Cambridge Martín Abadi Bell Labs Research Lucent Technologies Abstract We consider the problem
More informationGroupe de travail. Analysis of Mobile Systems by Abstract Interpretation
Groupe de travail Analysis of Mobile Systems by Abstract Interpretation Jérôme Feret École Normale Supérieure http://www.di.ens.fr/ feret 31/03/2005 Introduction I We propose a unifying framework to design
More informationA one message protocol using cryptography, where K AB is a symmetric key shared between A and B for private communication. A B : {M} KAB on c AB
A one message protocol using cryptography, where K AB is a symmetric key shared between A and B for private communication. A B : {M} KAB on c AB This can be represented as A send cab {M} KAB ;halt B recv
More informationLazy Mobile Intruders (Extended Version)
Lazy Mobile Intruders (Extended Version) Sebastian Mödersheim, Flemming Nielson, and Hanne Riis Nielson DTU Compute, Denmark Tech-Report IMM-TR-2012-013 Revised version January 8, 2013 Abstract. We present
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1,ChiaraBodei 2, Pierpaolo Degano 2, and Hanne Riis Nielson 1 1 Informatics and Mathematical Modelling, Technical University
More informationVerification of the TLS Handshake protocol
Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol.
More informationA Logic of Authentication
A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,
More informationTime-Bounding Needham-Schroeder Public Key Exchange Protocol
Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek
More informationAnalysing privacy-type properties in cryptographic protocols
Analysing privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, January 14th, 2015 S. Delaune (LSV) Verification of cryptographic protocols 14th
More informationA Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures
A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures Véronique Cortier LORIA, Nancy, France CNRS & INRIA Project Cassis cortier@loria.fr Michael Rusinowitch
More informationA process algebraic analysis of privacy-type properties in cryptographic protocols
A process algebraic analysis of privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Saturday, September 6th, 2014 S. Delaune (LSV) Verification of cryptographic
More informationProbabilistic Model Checking of Security Protocols without Perfect Cryptography Assumption
Our Model Checking of Security Protocols without Perfect Cryptography Assumption Czestochowa University of Technology Cardinal Stefan Wyszynski University CN2016 Our 1 2 3 Our 4 5 6 7 Importance of Security
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationAutomata-based analysis of recursive cryptographic protocols
1 Automata-based analysis of recursive cryptographic protocols Thomas Wilke Joint work with Ralf Küsters Christian-Albrechts-Universität zu Kiel June 13, 2004 Un-/Decidability of security in the DY model
More informationElliptic Curves. Giulia Mauri. Politecnico di Milano website:
Elliptic Curves Giulia Mauri Politecnico di Milano email: giulia.mauri@polimi.it website: http://home.deib.polimi.it/gmauri May 13, 2015 Giulia Mauri (DEIB) Exercises May 13, 2015 1 / 34 Overview 1 Elliptic
More informationComplexity of automatic verification of cryptographic protocols
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic
More informationA Proof Theory for Generic Judgments
A Proof Theory for Generic Judgments Dale Miller INRIA/Futurs/Saclay and École Polytechnique Alwen Tiu École Polytechnique and Penn State University LICS 2003, Ottawa, Canada, 23 June 2003 Outline 1. Motivations
More informationMarie Duží
Marie Duží marie.duzi@vsb.cz 1 Formal systems, Proof calculi A proof calculus (of a theory) is given by: 1. a language 2. a set of axioms 3. a set of deduction rules ad 1. The definition of a language
More informationModeling and Verifying Ad Hoc Routing Protocols
Modeling and Verifying Ad Hoc Routing Protocols Mathilde Arnaud, Véronique Cortier and Stéphanie Delaune LORIA, CNRS & INRIA Nancy Grand Est, France Email: cortier@loria.fr LSV, ENS Cachan & CNRS & INRIA
More informationBusiness Process Management
Business Process Management Theory: The Pi-Calculus Frank Puhlmann Business Process Technology Group Hasso Plattner Institut Potsdam, Germany 1 What happens here? We discuss the application of a general
More informationA Short Tutorial on Proverif
A Short Tutorial on Proverif Alfredo Pironti and Riccardo Sisto Politecnico di Torino, Italy Cryptoforma Meeting, Apr 8, 2010 1 Outline PART 1: how the tool works (Riccardo Sisto) Context: Abstract modelling
More informationMASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY
DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY MASTER S THESIS MICHAEL GARDE FROM FORMAL TO COMPUTATIONAL AUTHENTICITY AN APPROACH FOR RECONCILING FORMAL AND COMPUTATIONAL
More informationRelating State-Based and Process-Based Concurrency through Linear Logic
École Polytechnique 17 September 2009 Relating State-Based and Process-Based oncurrency through Linear Logic Iliano ervesato arnegie Mellon University - Qatar iliano@cmu.edu Specifying oncurrent Systems
More informationA Note on Scope and Infinite Behaviour in CCS-like Calculi p.1/32
A Note on Scope and Infinite Behaviour in CCS-like Calculi GERARDO SCHNEIDER UPPSALA UNIVERSITY DEPARTMENT OF INFORMATION TECHNOLOGY UPPSALA, SWEDEN Joint work with Pablo Giambiagi and Frank Valencia A
More informationAnalysing Layered Security Protocols
Analysing Layered Security Protocols Thomas Gibson-Robinson St Catherine s College University of Oxford A thesis submitted for the degree of Doctor of Philosophy Trinity 2013 Abstract Many security protocols
More informationCPSA and Formal Security Goals
CPSA and Formal Security Goals John D. Ramsdell The MITRE Corporation CPSA Version 2.5.1 July 8, 2015 Contents 1 Introduction 3 2 Syntax 6 3 Semantics 8 4 Examples 10 4.1 Needham-Schroeder Responder.................
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationA decidable subclass of unbounded security protocols
A decidable subclass of unbounded security protocols R. Ramanujam and S. P. Suresh The Institute of Mathematical Sciences C.I.T. Campus, Chennai 600 113, India. E-mail: {jam,spsuresh}@imsc.res.in 1 Summary
More informationAutomatic, computational proof of EKE using CryptoVerif
Automatic, computational proof of EKE using CryptoVerif (Work in progress) Bruno Blanchet blanchet@di.ens.fr Joint work with David Pointcheval CNRS, École Normale Supérieure, INRIA, Paris April 2010 Bruno
More informationPrivate Authentication
Private Authentication Martín Abadi University of California at Santa Cruz Cédric Fournet Microsoft Research Abstract Frequently, communication between two principals reveals their identities and presence
More informationMonotonic Set-Extended Prefix Rewriting and Verification of Recursive Ping-Pong Protocols
Monotonic Set-Extended Prefix Rewriting and Verification of Recursive Ping-Pong Protocols Giorgio Delzanno 1, Javier Esparza 2 and Jiří Srba 3 1 Dipartimento di Informatica e Scienze dell Informazione
More informationAutomata-based Verification - III
COMP30172: Advanced Algorithms Automata-based Verification - III Howard Barringer Room KB2.20: email: howard.barringer@manchester.ac.uk March 2009 Third Topic Infinite Word Automata Motivation Büchi Automata
More informationPřednáška 12. Důkazové kalkuly Kalkul Hilbertova typu. 11/29/2006 Hilbertův kalkul 1
Přednáška 12 Důkazové kalkuly Kalkul Hilbertova typu 11/29/2006 Hilbertův kalkul 1 Formal systems, Proof calculi A proof calculus (of a theory) is given by: A. a language B. a set of axioms C. a set of
More informationLecture 7: Specification Languages
Graduate Course on Computer Security Lecture 7: Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita
More informationProcess Calculi and the Verification of Security Protocols
Process Calculi and the Verification of Security Protocols Michele Boreale Daniele Gorla Dipartimento di Sistemi e Informatica, Università di Firenze e-mail: {boreale,gorla}@dsi.unifi.it Abstract Recently
More informationAutomatic Verification of Complex Security Protocols With an Unbounded Number of Sessions
Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions Kaile Su, Weiya Yue and Qingliang Chen Department of Computer Science, Sun Yat-sen University Guangzhou, P.R. China
More informationThe Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability
The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Catherine Meadows Naval Research Laboratory, Washington, DC 20375 catherine.meadows@nrl.navy.mil Formal Methods for the Science of
More informationProbabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Lincoln, P. Mateus, M. Mitchell Standard analysis methods Finite-state
More informationSemantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr
Semantic Equivalences and the Verification of Infinite-State Systems Richard Mayr Department of Computer Science Albert-Ludwigs-University Freiburg Germany Verification of Infinite-State Systems 1 c 2004
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationModels of Concurrency
Models of Concurrency GERARDO SCHNEIDER UPPSALA UNIVERSITY DEPARTMENT OF INFORMATION TECHNOLOGY UPPSALA, SWEDEN Thanks to Frank Valencia Models of Concurrency p.1/57 Concurrency is Everywhere Concurrent
More informationReview of The π-calculus: A Theory of Mobile Processes
Review of The π-calculus: A Theory of Mobile Processes Riccardo Pucella Department of Computer Science Cornell University July 8, 2001 Introduction With the rise of computer networks in the past decades,
More informationComplexity of Checking Freshness of Cryptographic Protocols
Complexity of Checking Freshness of Cryptographic Protocols Zhiyao Liang Rakesh M Verma Computer Science Department, University of Houston, Houston TX 77204-3010, USA Email: zliang@cs.uh.edu, rmverma@cs.uh.edu
More informationExercises with solutions (Set B)
Exercises with solutions (Set B) 3. A fair coin is tossed an infinite number of times. Let Y n be a random variable, with n Z, that describes the outcome of the n-th coin toss. If the outcome of the n-th
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationExtending ProVerif s Resolution Algorithm for Verifying Group Protocols
Extending ProVerif s Resolution Algorithm for Verifying Group Protocols Miriam Paiola miriam.paiola@ens.fr Ecole Normale Supérieure June 25, 2010 Extending ProVerif s Resolution Algorithm, for Verifying
More informationFrom Secure MPC to Efficient Zero-Knowledge
From Secure MPC to Efficient Zero-Knowledge David Wu March, 2017 The Complexity Class NP NP the class of problems that are efficiently verifiable a language L is in NP if there exists a polynomial-time
More informationDeriving GDOI. Dusko Pavlovic and Cathy Meadows
Deriving GDOI Dusko Pavlovic and Cathy Meadows September 2003 1 Outline 1. Trace logic 2. Axioms and rules 3. Deriving core GDOI 4. Global encryption and hashing transformations 5. Adding PFS and POP options
More informationBAN Logic A Logic of Authentication
BAN Logic A Logic of Authentication Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 BAN Logic The BAN logic was named after its inventors, Mike Burrows, Martín Abadí,
More informationA bisimulation for dynamic sealing
Theoretical Computer Science 375 (2007) 169 192 www.elsevier.com/locate/tcs A bisimulation for dynamic sealing Eijiro Sumii a,, enjamin C. Pierce b a Graduate School of Information Sciences, Tohoku University,
More informationIntelligent Agents. Formal Characteristics of Planning. Ute Schmid. Cognitive Systems, Applied Computer Science, Bamberg University
Intelligent Agents Formal Characteristics of Planning Ute Schmid Cognitive Systems, Applied Computer Science, Bamberg University Extensions to the slides for chapter 3 of Dana Nau with contributions by
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationOutline. Logic. Definition. Theorem (Gödel s Completeness Theorem) Summary of Previous Week. Undecidability. Unification
Logic Aart Middeldorp Vincent van Oostrom Franziska Rapp Christian Sternagel Department of Computer Science University of Innsbruck WS 2017/2018 AM (DCS @ UIBK) week 11 2/38 Definitions elimination x φ
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationAutomata-based Verification - III
CS3172: Advanced Algorithms Automata-based Verification - III Howard Barringer Room KB2.20/22: email: howard.barringer@manchester.ac.uk March 2005 Third Topic Infinite Word Automata Motivation Büchi Automata
More informationSymbolic trace analysis of cryptographic protocols
Symbolic trace analysis of cryptographic protocols Michele Boreale Dipartimento di Sistemi e Informatica, Università di Firenze, Via Lombroso 6/17, 50134 Firenze, Italia. E-mail boreale@dsi.unifi.it. Abstract.
More informationThe Faithfulness of Abstract Protocol Analysis: Message Authentication
The Faithfulness of Abstract Protocol Analysis: Message Authentication Joshua D. Guttman F. Javier Thayer Lenore D. Zuck December 18, 2002 Abstract Dolev and Yao initiated an approach to studying cryptographic
More informationSelf-Adaptation and Information Flow in Multiparty Communications
Self-Adaptation and Information Flow in Multiparty Communications Joint work with Ilaria Castellani (INRIA, FR) Jorge A. Pérez (University of Groningen, NL) ABCD meeting London, 20th April, 2015 1 / 36
More informationModelling Membranes with Brane Calculi
Modelling Membranes with Brane Calculi (and translation of Brane Calculi into CLS) 1/42 Introduction A biological cellular membrane is an closed surface that can perform various molecular functions. Membranes
More informationCommunicating and Mobile Systems
Communicating and Mobile Systems Overview:! Programming Model! Interactive Behavior! Labeled Transition System! Bisimulation! The π-calculus! Data Structures and λ-calculus encoding in the π-calculus References:!
More informationThe π-calculus Semantics. Equivalence and Value-Passing. Infinite Sums 4/12/2004
The π-calculus Semantics Overview ate and early semantics Bisimulation and congruence Variations of the calculus eferences obin Milner, Communicating and Mobil Systems Davide Sangiorgi and David Walker,
More informationFull abstraction for nominal exceptions and general references
Full abstraction for nominal exceptions and general references Nikos Tzevelekos Oxford University N.Tzevelekos GALOP 08 1 Summary Summary Nominal games Further directions Semantics of nominal computation.
More informationFirst-Order Theorem Proving and Vampire. Laura Kovács (Chalmers University of Technology) Andrei Voronkov (The University of Manchester)
First-Order Theorem Proving and Vampire Laura Kovács (Chalmers University of Technology) Andrei Voronkov (The University of Manchester) Outline Introduction First-Order Logic and TPTP Inference Systems
More informationPrimitives for authentication in process algebras
Theoretical Computer Science 283 (2002) 271 304 www.elsevier.com/locate/tcs Primitives for authentication in process algebras Chiara Bodei a, Pierpaolo Degano a;, Riccardo Focardi b, Corrado Priami c a
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationA simple procedure for finding guessing attacks (Extended Abstract)
A simple procedure for finding guessing attacks (Extended Abstract) Ricardo Corin 1 and Sandro Etalle 1,2 1 Dept. of Computer Science, University of Twente, The Netherlands 2 CWI, Center for Mathematics
More informationBernhard Steffen, Falk Howar, Malte Isberner TU Dortmund /CMU. B. Steffen Summer School CPS
Active Automata Learning: From DFA to Interface Programs and Beyond or From Languages to Program Executions or (more technically) The Power of Counterexample Analysis Bernhard Steffen, Falk Howar, Malte
More informationModel Checking Security Protocols Using a Logic of Belief
Model Checking Security Protocols Using a Logic of Belief Massimo Benerecetti 1 and Fausto Giunchiglia 1,2 1 DISA - University of Trento, Via Inama 5, 38050 Trento, Italy 2 IRST - Istituto Trentino di
More informationAPPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.
APPLITIONS OF AN-LOGIC JAN WESSELS CMG FINANCE.V. APRIL 19, 2001 Chapter 1 Introduction This document is meant to give an overview of the AN-logic. The AN-logic is one of the methods for the analysis of
More informationAn introduction to process calculi: Calculus of Communicating Systems (CCS)
An introduction to process calculi: Calculus of Communicating Systems (CCS) Lecture 2 of Modelli Matematici dei Processi Concorrenti Paweł Sobociński University of Southampton, UK Intro to process calculi:
More informationA π-calculus with preorders
A π-calculus with preorders Daniel Hirschkoff, Jean-Marie Madiot, Davide Sangiorgi École Normale Supérieure de Lyon Università di Bologna PACE kick-off meeting, 2013-04-23 Jean-Marie Madiot (Lyon, Bologna)
More informationHow to Pop a Deep PDA Matters
How to Pop a Deep PDA Matters Peter Leupold Department of Mathematics, Faculty of Science Kyoto Sangyo University Kyoto 603-8555, Japan email:leupold@cc.kyoto-su.ac.jp Abstract Deep PDA are push-down automata
More informationAutomated Reasoning Lecture 5: First-Order Logic
Automated Reasoning Lecture 5: First-Order Logic Jacques Fleuriot jdf@inf.ac.uk Recap Over the last three lectures, we have looked at: Propositional logic, semantics and proof systems Doing propositional
More information