Verification of the TLS Handshake protocol

Similar documents
Proving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory

Exam Security January 19, :30 11:30

Proving Properties of Security Protocols by Induction

Group Diffie Hellman Protocols and ProVerif

Cryptographical Security in the Quantum Random Oracle Model

Lecture 1: Introduction to Public key cryptography

Notes on BAN Logic CSG 399. March 7, 2006

CPSC 467b: Cryptography and Computer Security

Strand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001

Automatic, computational proof of EKE using CryptoVerif

APPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

A Logic of Authentication

Question 1. The Chinese University of Hong Kong, Spring 2018

Lecture 28: Public-key Cryptography. Public-key Cryptography

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

Authentication. Chapter Message Authentication

Encoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania

Analysing privacy-type properties in cryptographic protocols

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

A Logic of Authentication. Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

NSL Verification and Attacks Agents Playing Both Roles

Verification of Security Protocols in presence of Equational Theories with Homomorphism

Lecture 38: Secure Multi-party Computation MPC

A process algebraic analysis of privacy-type properties in cryptographic protocols

CPSC 467: Cryptography and Computer Security

Lecture 9 - Symmetric Encryption

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool

Notes for Lecture 17

Verification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method

Question: Total Points: Score:

Quantum threat...and quantum solutions

Public Key Cryptography

Lecture 18: Message Authentication Codes & Digital Signa

The odd couple: MQV and HMQV

CPSC 467: Cryptography and Computer Security

CS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing

Fundamentals of Modern Cryptography

Post-quantum security models for authenticated encryption

Notes for Lecture 9. 1 Combining Encryption and Authentication

KEY DISTRIBUTION 1 /74

CPSC 467: Cryptography and Computer Security

Cryptography and Security Final Exam

An Efficient Cryptographic Protocol Verifier Based on Prolog Rules

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

Identity-Based Online/Offline Encryption

ID-based Encryption Scheme Secure against Chosen Ciphertext Attacks

Distributed Oblivious RAM for Secure Two-Party Computation

BAN Logic A Logic of Authentication

A Calculus for Control Flow Analysis of Security Protocols

CRYPTOGRAPHY AND NUMBER THEORY

2 Message authentication codes (MACs)

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions

CPSC 467b: Cryptography and Computer Security

A Small Subgroup Attack on Arazi s Key Agreement Protocol

MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC

CRYPTANALYSIS OF COMPACT-LWE

Analysing Layered Security Protocols

Deriving GDOI. Dusko Pavlovic and Cathy Meadows

Introduction to Cryptography. Lecture 8

March 19: Zero-Knowledge (cont.) and Signatures

A Short Tutorial on Proverif

Enforcing honesty of certification authorities: Tagged one-time signature schemes

Chapter 8 Public-key Cryptography and Digital Signatures

1 Number Theory Basics

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Lecture Notes, Week 10

Lecture 5, CPA Secure Encryption from PRFs

6.892 Computing on Encrypted Data October 28, Lecture 7

One-round and authenticated three-party multiple key exchange. protocol from parings *

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

TUM INSTITUT FÜR INFORMATIK. Stream Based Specification of Cryptographic Protocols and Their Composition Properties. Maria Spichkova, Jan Jürjens

Public-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.

An Introduction. Dr Nick Papanikolaou. Seminar on The Future of Cryptography The British Computer Society 17 September 2009

One Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:

Elliptic Curves and an Application in Cryptography

A derivation system and compositional logic for security protocols

A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh

Chapter 7: Signature Schemes. COMP Lih-Yuan Deng

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

CPSC 467: Cryptography and Computer Security

An Introduction to Pairings in Cryptography

On the Automatic Analysis of Recursive Security Protocols with XOR

Extending Dolev-Yao with Assertions

Actor Key Compromise: Consequences and Countermeasures

Public-Key Cryptosystems CHAPTER 4

Discrete Logarithm Problem

Cryptographic Protocols Notes 2

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

Introduction to Modern Cryptography. Benny Chor

Eindhoven University of Technology MASTER. Kleptography cryptography with backdoors. Antheunisse, M. Award date: 2015

Multi-key Hierarchical Identity-Based Signatures

A FRAMEWORK FOR UNCONDITIONALLY SECURE PUBLIC-KEY ENCRYPTION (WITH POSSIBLE DECRYPTION ERRORS)

Cryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1

Transcription:

Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol. This protocol is originally described in RFC 4346 of the Internet Engineering Task Force (IETF) [2] and is meant to establish a secure connection between a client and a server agent. In order to carry out the analysis, we will first give a high-level description and an informal narration of the basic handshake protocol in section 2. After this, we transcribe this narration into a ProVerif [1] protocol description, which we then validate using the automated validation tool ProVerif. Analysis results will be described in section 3. Next to the basic protocol, TLS offers several options, among which client certification and session resuming. We will describe these extensions in sections 4 and 6. Due to timing constraints, we were only able to analyse the certification extension, which is described in section 5. Finally we will describe any difficulties modelling the TLS handshake protocol in ProVerif and conclude this text in sections 7 and 8. 2 The basic protocol In this section, we consider the basic narration that derives from Paulson [3]. It consists of six messages, and several computation steps. We explicitly note the computation steps made by the parties in between the key exchange, and give explanations of the most important steps. 2.1 Abbreviations and definitions used A (Alice) the client B (Bob) the server Na, Nb fresh nonces from A resp. B Pa, Pb the preferences for encryption and compression from A resp. B Sid a session identifier cert(x, Kx) a certificate containing public key Kx of X PMS the pre-master-secret PRF a pseudo-random-number function M the master-secret M = P RF (P MS, Na, Nb) Finished an hash of M and all preceding handshake messages F inished = Hash(M, messages) 1

2.2 Informal narration As noted above, this informal narration is based on the one given by Paulson [3]. We have made the between-message computations explicit, and have added tags to all messages. The tagging of messages is considered good practice, and we therefore adhere to this from the start. : A generates fresh nonce N a (1) : A determines Sid (2) : A chooses options P a (3) A B : ClientHello, A, Na, Sid, P a (4) : B generates fresh nonce N b (5) : B chooses options P b (6) B A : ServerHello, Nb, Sid, P b (7) B A : ServerCertif icate, cert(b, Kb) (8) : A generates secret P MS (9) A B : {ClientKeyExchange, P MS} Kb (10) : A and B expect P MS to be secret (11) : A calculates M = P RF (P MS, Na, Nb) (12) : A calculates F inished (13) A B : {F inished} clientk(na,nb,m) (14) : B calculates M = P RF (P MS, Na, Nb) (15) : B calculates F inished (16) : B begins ServerAuth(A, B, PMS) (17) B A : {F inished} serverk(na,nb,m) (18) : A verifies received F inished (19) : B verifies received F inished (20) : A ends ServerAuth(A, B, PMS) (21) : A expects M and F inished to be secret (22) We will now clarify those steps that are non-standard in informal narration (such as nonce generation). Determining Sid (step 2) In this step, A picks a session identifier. This is necessary for session resuming, where an attempt is made to resume the session identified with Sid. For the moment, we assume that Sid is randomly generated by A. Choosing encryption options (steps 3 and 6) These steps are in the TLS specification for establishing the preferences for encryption and compression. These are not detailed here, and we assume that P a and P b are just some randomly generated data. Server certificates We do not model the Public Key Infrastructure that lies behind the certificates, we just assume that the server has a certificate containing his public encryption key and his name. It is important to note that an agent cannot create this certificate himself. In the actual implementation, these certificates are provided by a Certification Authority after carefully checking the identity of the owner. 3 Analysis of the basic protocol To analyse the TLS protocol, we have modeled it for use with the ProVerif tool [1]. The extended ProVerif model, including client certification, can be found in appendix A. For this model we used 2

the PI-calculus notation since this is closer to the informal narration than the default Horn clauses notation used by ProVerif. We have made several assumptions and simplifications in formalising the informal narration, which we will explain here. Certificate distribution Instead of having a CA signing a certificate containing a name and a public key, we assume that an agent has this certificate after the initialisation phase. Certificate verification Normally, a certificate is validated by checking the signature of the issuing CA and verifying the identity of this CA. This is done recursively until a trusted CA is found. In this formalisation, we assume that one can simply verify a certificate by confronting it with the name that is supposed to be in it. The certificate then yields the public key belonging to this name. Since agents cannot create certificates themselves, certificate forgery is not possible in this model. In our analysis, we have looked at several attacks. First of all, we have looked at the secrecy of the pre-master secret. Since the key is based on this pre-master secret, it can be assumed that the keys are secret. However, we have also tested that the final F inished messages are secret. This is not the case for the message going from the server to the client. The attack trace that shows this, however, is just a normal instantiation of the protocol, in which an attacker sends the name of A in the ClientHello message. The server then assumes that he is talking to A, and proceeds in the run. Next to these secrecy requirements, we have also looked at the injectivity of authentication between client and server, meaning that when server and client finish the protocol, the client A knows she has established a secure connection based on pre-master secret P MS with server B. This means that the server does not know that a message encrypted under clientk(na, Nb, M) is actually sent by A, since an attacker could pretend to be A in the beginning of a further valid run, and control the key used after this establishment. In other words, the authentication of server and client is not mutual; the server is always authenticated to the client, but the server must trust that the client in honest. This result is also noted by Paulson [3]. For our verification we only used the built-in external attacker model of ProVerif, using query attacker: somesecret and query evinj: someevent(a, B, C) ==> evinj: someotherevent(a, B, C). Due to timing constraints we did not model a spy to verify secrecy against an internal attacker. 4 Client certification As noted above, the basic protocol does not provide any guarantees to the server (B) about talking to the client (A). In order to fix this, TLS provides an optional certificate sent by A. This certificate establishes that A is the owner of a signing key, that is later used to verify that she has generated the nonce Na and the pre-master secret P MS for communication with B, and that those have not been sent by an attacker impersonating A. 4.1 Informal narration We have extended the informal narration as given in section 2.2 with the required messages and computations for client certification. Those additional steps have been marked such that they can be easily recognised. 3

: A generates fresh nonce N a (1) : A determines Sid (2) : A chooses options P a (3) A B : ClientHello, A, Na, Sid, P a (4) : B generates fresh nonce N b (5) : B chooses options P b (6) B A : ServerHello, Nb, Sid, P b (7) B A : ServerCertif icate, cert(b, Kb) (8) A B : ClientCertificate, cert(a, Ka) (9) : A generates secret P MS (10) A B : {ClientKeyExchange, P MS} Kb (11) : A begins ClientAuth(A, B, PMS) (12) A B : {CertificateVerify, Hash(Nb, B, PMS)} Ka 1 (13) : B ends ClientAuth(A, B, PMS) (14) : A and B expect P MS to be secret (15) : A calculates M = P RF (P MS, Na, Nb) (16) : A calculates F inished (17) A B : {F inished} clientk(na,nb,m) (18) : B calculates M = P RF (P MS, Na, Nb) (19) : B calculates F inished (20) : B begins ServerAuth(A, B, PMS) (21) B A : {F inished} serverk(na,nb,m) (22) : A verifies received F inished (23) : B verifies received F inished (24) : A ends ServerAuth(A, B, PMS) (25) : A and B expect M and F inished to be secret (26) We will now clarify those steps that are new in this informal narration. Sending of ClientCertificate (step 9) informs the server of the signature verification key. Again we do not model the Public Key Infrastructure that lies behind the certificates, as described before for server certificates. Sending of CertificateVerify (step 13) assures the authenticity of the client to the server by hashing some relevant data, and signing it. Authenticity markers (steps 12 and 14) can be added similar to the authenticity markers for the server authentication. Secrecy goals (step 26) now also apply for B since he now can be sure that A is not being impersonated by an attacker. 5 Analysis of client certification We have added the client certification step to the ProVerif formalisation, leading to the model found in section A. Using this model, the authentication between client and server is provably 4

established, and the finished messages are secret both when going from the server to the client and when going from client to server. This verification has been done using the same model and assumptions as mentioned for the basic protocol in section 3. 6 Session resuming The TLS protocol also provides the opportunity for an interrupted session to be resumed. The client and server are supposed to have kept the session ID Sid and the master secret M in some cache. At resumption a short version of the handshake protocol will be run, consisting only of ClientHello, ServerHello and F inished messages. The client and server random values (N a and N b respectively) are generated anew, and with the old M new session keys are derived (clientk(na, Nb, M) and serverk(na, Nb, M)). This is to prevent attacks on the keys that may have occurred in the meantime (that may be long). On the other hand, computation of the premaster secret P MS is not repeated, as that is the most time-consuming part of the handshake. So a resumption handshake is pretty efficient. Due to a lack of time we have not managed to model and verify session resuming in ProVerif. We refer to the work in the interactive proving tool Isabelle by Paulson [3], for a model and verification of this option of the TLS handshake protocol. 7 Modelling TLS in ProVerif The main problem in modelling the protocol with ProVerif was that there are several data items, such as the F inished messages in the protocol which are computed from other items, but still meant to be secret. ProVerif cannot attack these computed objects by default, but it is possible to verify the safety of such an object by outputting a flag on the computed objects. Now, an attacker can only find the value of the flag when she has knowledge of the object. Other difficulties mainly had to do with unreachable code, but checking for this and repairing it was straightforward. 8 Conclusion Based on our own verification and the work done by Paulson [3] we can conclude that the TLS handshake protocol establishes a secure session key for client and server. In the basic model the only trust that can be established is from the client in the server, if a higher level of trust is required, mutual authentication should be used which is provided by the client certification option of the protocol. References [1] Bruno Blanchet. ProVerif: Cryptographic protocol verifier in the formal model. Webpage. http://www.proverif.ens.fr/, accessed on 18 May 2008. [2] T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346, Internet Engineering Task Force, April 2006. [3] Lawrence C. Paulson. Inductive analysis of the Internet protocol TLS. ACM Transactions on Information and System Security, 2(3):332 351, 1999. 5

A ProVerif formalisation of the protocol ( The Transport Layer S e c u r i t y (TLS) Handshake P r o t o c o l Carst Tankink (0569954), Pim V u l l e r s (0575766) ) DEFINITIONS ( A p u b l i c channel ) free net. ( Message t a g s ) free C l i e n t H e l l o, ClientKeyExchange, C l i e n t C e r t i f i c a t e, S e r v e r H e l l o, S e r v e r C e r t i f i c a t e, C e r t i f i c a t e V e r i f y. ( Agent i n i t i a l i z a t i o n i s done over a p r i v a t e channel ) private free i n i t i a l C l i e n t D a t a, i n i t i a l S e r v e r D a t a. ( The c r y p t o g r a p h i c c o n s t r u c t o r s ) fun hash / 1. ( hashing ) fun encrypt / 2. ( symmetric key e n c r y p t i o n ) fun pencrypt / 2. ( P u b l i c key e n c r y p t i o n ) fun s i g n / 2. ( P u b l i c key s i g n i n g ) fun enc / 1. ( E x t r a c t s e n c r y p t i o n key from a k e y p a i r ) fun dec / 1. ( E x t r a c t s d e c r y p t i o n key from a k e y p a i r ) ( The c r y p t o g r a p h i c d e s t r u c t o r s ) ( d e c r y p t /2 ) reduc decrypt ( encrypt ( x, y ), y ) = x. ( p d e c r y p t /2 ) reduc pdecrypt ( pencrypt ( x, enc ( y ) ), dec ( y ) ) = x. ( unsign /2 ) reduc unsign ( s i g n ( x, enc ( y ) ), dec ( y ) ) = x. ( A c o n s t r u c t o r t h a t maps a g e n t s to t h e i r s e c r e t k e y p a i r s ) private fun pubkeypair / 1. private fun s i g n k e y p a i r / 1. ( Pseudo random number f u n c t i o n ) fun PRF/ 1. ( Symmetric key c o n s t r u c t i o n ) fun c l i e n t K / 3. fun serverk / 3. ( C e r t i f i c a t e s ) private fun c e r t / 2. ( I f c e r t ( x, y ) e s t a b l i s h e s x as owner o f key y, y i s r eturned ) reduc v e r i f y ( c e r t ( x, y ), x ) = y. 6

QUERIES ( s e c r e c y Pre Master s e c r e t ) query a t t a c k e r : PMS. ( s e c r e c y Master s e c r e t ) query a t t a c k e r : MSa. query a t t a c k e r : MSb. ( s e c r e c y Finished message from t h e c l i e n t ) query a t t a c k e r : FinishedAFlag. ( s e c r e c y Finished message from t h e s e r v e r ) query a t t a c k e r : FinishedBFlag. ( a u t h e n t i c i t y o f t h e s e r v e r ) query e v i n j : endserverauth ( x, y, z ) ==> e v i n j : beginserverauth ( x, y, z ). ( a u t h e n t i c i t y o f t h e c l i e n t ) query e v i n j : endclientauth ( x, y, z ) ==> e v i n j : beginclientauth ( x, y, z ). ( Dead code check ) query a t t a c k e r : c l i e n t F i n i s h e d. query a t t a c k e r : s e r v e r F i n i s h e d. CLIENT PROCESS, t h i s c l i e n t i s t h e i n i t i a t o r o f t h e p r o t o c o l. l e t c l i e n t = ( I n i t i a l agent data from a t r u s t e d channel ) in ( i n i t i a l C l i e n t D a t a, (A, signkey, c l i e n t C e r t ) ) ; ( R e p l i c a t i o n to model a r b i t r a r y s e s s i o n s )! ( Get t h e s e rver s name, perhaps as user i n p u t ) in ( net, B ) ; ( A g e n e r a t e s f r e s h nonce Na ) new Na ; ( A determines Sid, s e s s i o n i s randomly g e n e r at e d in b a s i c model ) new Sid ; ( A chooses o p t i o n s Pa, o p t i o n s are j u s t random data f o r our model ) new Pa ; ( A > B : C l i e n t H e l l o ) l e t CH = ( C l i e n t H e l l o, A, Na, Sid, Pa) in out ( net, CH) ; ( B > A : S e r v e r H e l l o ) in ( net, SH ) ; l e t (= S e r v e r H e l l o, Nb, =Sid, Pb) = SH in ( B > A : S e r v e r C e r t i f i c a t e ) in ( net, SC ) ; l e t (= S e r v e r C e r t i f i c a t e, s e r v e r C e r t ) = SC in 7

( A > B: C l i e n t C e r t i f i c a t e ) l e t CC = ( C l i e n t C e r t i f i c a t e, c l i e n t C e r t ) in out ( net, CC) ; ( A g e n e r a t e s s e c r e t PMS ) new PMS; ( b e g i n c l i e n t a u t h e n t i c a t i o n ) event beginclientauth (A, B, PMS) ; ( A > B : ClientKeyExchange ) l e t enckey = v e r i f y ( s e r v e r Cert, B) in l e t CKE = pencrypt ( ( ClientKeyExchange, PMS), enckey ) in out ( net, CKE) ; ( A > B: C e r t i f i c a t e V e r i f y ) l e t CV = s i g n ( ( C e r t i f i c a t e V e r i f y, hash ( (Nb, B, PMS) ) ), signkey ) in out ( net, CV) ; ( A c a l c u l a t e s t h e Master s e c r e t M ) l e t M = PRF( (PMS, Na, Nb) ) in ( A c a l c u l a t e s Finished ) l e t Finished = hash ( (CH, SH, SC, CC, CKE, CV, M) ) in ( A > B : Finished ) out ( net, encrypt ( Finished, c l i e n t K (Na, Nb, M) ) ) ; ( B > A : Finished ) in ( net, FB ) ; ( A v e r i f i e s r e c e i v e d f i n i s h e d ) l e t =Finished = decrypt (FB, serverk (Na, Nb, M) ) in ( end s e r v e r a u t h e n t i c a t i o n ) event endserverauth (A, B, PMS) ; ( s e c r e c y check on t h e Master s e c r e t ) new MSa; out (M, MSa ) ( s e c r e c y check on t h e Finished message ) new FinishedAFlag ; out ( Finished, FinishedAFlag ) ( dead code check ) new c l i e n t F i n i s h e d ; out ( net, c l i e n t F i n i s h e d ). THE SERVER PROCESS l e t s e r v e r = ( I n i t i a l agent data from a t r u s t e d channel ) in ( i n i t i a l S e r v e r D a t a, (B, deckey, s e r v e r C e r t ) ) ; ( R e p l i c a t i o n to model a r b i t r a r y s e s s i o n s )! ( A > B : C l i e n t H e l l o ) in ( net, CH) ; l e t (= C l i e n t H e l l o, A, Na, Sid, Pa) = CH in 8

( B g e n e r a t e s f r e s h nonce Nb ) new Nb ; ( B chooses o p t i o n s Pb, j u s t some random data in our model ) new Pb ; ( B > A : S e r v e r H e l l o ) l e t SH = ( S e r v e r H e l l o, Nb, Sid, Pb) in out ( net, SH ) ; ( B > A : S e r v e r C e r t i f i c a t e ) l e t SC = ( S e r v e r C e r t i f i c a t e, s e r v e r C e r t ) in out ( net, SC ) ; ( A > B : C i e n t C e r t i f i c a t e ) in ( net, CC) ; l e t (= C l i e n t C e r t i f i c a t e, c l i e n t C e r t ) = CC in ( A > B : ClientKeyExchange ) in ( net, CKE) ; l e t (=ClientKeyExchange, PMS) = pdecrypt (CKE, deckey ) in ( A > B : C e r t i f i c a t e V e r i f y ) l e t unsignkey = v e r i f y ( c l i e n t C e r t, A) in in ( net, CV) ; l e t (= C e r t i f i c a t e V e r i f y, cvhash ) = unsign (CV, unsignkey ) in ( B v e r i f i e s c l i e n t s i g n a t u r e ) l e t =cvhash = hash ( (Nb, B, PMS) ) in ( end c l i e n t a u t h e n t i c a t i o n ) event endclientauth (A, B, PMS) ; ( A > B : Finished ) in ( net, FA) ; ( B c a l c u l a t e s M ) l e t M = PRF( (PMS, Na, Nb) ) in ( B c a l c u l a t e s Finished ) l e t Finished = hash ( (CH, SH, SC, CC, CKE, CV, M) ) in ( s e r v e r a u t h e n t i c a t i o n ) event beginserverauth (A, B, PMS) ; ( B > A : Finished ) out ( net, encrypt ( Finished, serverk (Na, Nb, M) ) ) ; ( B v e r i f i e s r e c e i v e d Finished ) l e t =Finished = decrypt (FA, c l i e n t K (Na, Nb, M) ) in ( s e c r e c y check on t h e Master s e c r e t ) new MSb; out (M, MSb) ( s e c r e c y check on t h e f i n i s h e d ) new FinishedBFlag ; out ( Finished, FinishedBFlag ) ( dead code check ) new s e r v e r F i n i s h e d ; out ( net, s e r v e r F i n i s h e d ). THE INITIALIZER PROCESS 9

l e t i n i t i a l i z e r = new agent ; ( Generate agent name ) l e t c l i e n t K e y P a i r = s i g n k e y p a i r ( agent ) in ( Generate c l i e n t key ) l e t serverkeypair = pubkeypair ( agent ) in ( Generate s e r v e r key ) l e t c l i e n t C e r t = c e r t ( agent, dec ( c l i e n t K e y P a i r ) ) in l e t s e r v e r C e r t = c e r t ( agent, enc ( serverkeypair ) ) in out ( i n i t i a l C l i e n t D a t a, ( agent, enc ( c l i e n t K e y P a i r ), c l i e n t C e r t ) ) ; out ( i n i t i a l S e r v e r D a t a, ( agent, dec ( serverkeypair ), s e r v e r C e r t ) ) ; out ( net, agent ). THE SYSTEM process! i n i t i a l i z e r! c l i e n t! s e r v e r 10

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback