Formally (?) Deriving Security Protocols
Anupam Datta
WIP with Ante Derek, John Mitchell, Dusko Pavlovic
October 23, 2002
Goals:
Build security protocols in a compositional manner, i.e., from standard sub-protocols.
Prove formally using logic that the composition process is sound, i.e., the resulting protocol is correct in a precise sense.
Idea:
Capture protocol designers’ intuition in a formal framework.
Example 1: Diffie-Hellman
X → Y: g^x
Y → X: g^y
Property 1: Secrecy
X deduces: Knows(Z, g^xy) ⊃ Knows(Z, y)
Example 2: Challenge-Response
A → B: m, A
B → A: n, sig_B{n, m, A}
A → B: sig_A{m, n, B}
Property 2: Mutual Authentication
A deduces: Created(B, n) ∧ Sent(B, msg2)
Composition
ISO 9798-3 protocol:
A → B: g^a, A
B → A: g^b, sig_B{g^b, g^a, A}
A → B: sig_A{g^a, g^b, B}
Has both Property 1 & Property 2.
It can be inferred that A & B have the shared secret g^ab.
Refinement
Encrypt signatures (find-and-replace):
A → B: g^a, A
B → A: g^b, E_K{sig_B{g^b, g^a, A}}
A → B: E_K{sig_A{g^a, g^b, B}}
Has Property 1 & Property 2. Also Property 3: Identity protection.
Other applications…
By applying a series of other such simple syntactic rules, we derive the JFK protocol (a proposed protocol to replace IKE as the IPsec key exchange protocol).
Technical Report: www.stanford.edu/~danupam/composition.ps
Formalization
Notation: Cord Calculus and Compositional Logic [Durgin, Mitchell, Pavlovic; 2001]
Motivation: the "arrows and messages" representation is inadequate; a more descriptive language is needed for describing the actions of the protocol participants.
Actions:
(νx) generate new term x
(x) receive term into x
<t> send a term t
Challenge-Response revisited
A : ( ) [(νm) <{m, A}> (x) …]A <>
Input interface: ( ); Output interface: <>; Actions: [ … ]A
Attach logical assertions to actions, e.g. [(νm)]A gives Created(A, m).
This assertion is a required precondition to prove mutual authentication.
ISO 9798-3 revisited
A : ( ) [(νx)] <g^x> ; (m) [<{m, A}> (x) …]A <>
1. Generate new x; compute g^x.
2. Substitute g^x for m in the second cord.
Created(A, g^x) is a precondition. Mutual authentication can be proved as in challenge-response.
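The composition step (substituting g^x for the challenge-response nonces), the refinement step (encrypting the signatures) and the Created(A, g^x) precondition, as an added Python example that is not from the talk or its technical report: it rewrites symbolic message terms and then checks, for every signature, that the signed challenge was generated by the signer itself. Party names, the key name K and the tuple tags "exp", "sig", "enc" are constructed placeholders; this is a toy syntactic model of the find-and-replace rules, not the cord calculus.

```python
CHALLENGE_RESPONSE = [                        # Example 2 (the slides' challenge-response)
    ("A", "B", ("m", "A")),
    ("B", "A", ("n", ("sig", "B", ("n", "m", "A")))),
    ("A", "B", ("sig", "A", ("m", "n", "B"))),
]
DH_EXPONENTIALS = {"m": ("exp", "g", "a"),    # Example 1: g^a is A's fresh term, g^b is B's
                   "n": ("exp", "g", "b")}    # (constructed placeholder names)
def substitute(term, mapping):
    """Replace atoms according to mapping, recursively through tuple terms."""
    if isinstance(term, str):
        return mapping.get(term, term)
    return tuple(substitute(t, mapping) for t in term)
def encrypt_signatures(term, key="K"):
    """Refinement step (find-and-replace): wrap every signature as E_K{sig ...}."""
    if isinstance(term, str):
        return term
    if term[0] == "sig":
        return ("enc", key, term)
    return tuple(encrypt_signatures(t, key) for t in term)
def transform(protocol, rewrite):
    """Apply a term rewrite to each (sender, receiver, term) message of a protocol."""
    return [(s, r, rewrite(t)) for s, r, t in protocol]
def creators(protocol):
    """Created(X, t): X is the party whose send action first introduces term t."""
    seen = {}
    def walk(sender, term):
        seen.setdefault(term, sender)
        if isinstance(term, tuple):
            for t in term:
                walk(sender, t)
    for sender, _, term in protocol:
        walk(sender, term)
    return seen
def signatures(term):
    if isinstance(term, str):
        return []
    found = [term] if term[0] == "sig" else []
    return found + [s for t in term for s in signatures(t)]
def created_precondition_holds(protocol):
    """Created(X, n) precondition behind Property 2: the challenge a party signs
    (first signed slot) must be one it generated itself, not one it received."""
    made = creators(protocol)
    return all(made.get(payload[0]) == signer
               for _, _, term in protocol
               for _, signer, payload in signatures(term))
# Composition: substitute g^x for the challenge-response nonces (gives ISO 9798-3).
ISO_9798_3 = transform(CHALLENGE_RESPONSE, lambda t: substitute(t, DH_EXPONENTIALS))
# Refinement: encrypt the signatures for identity protection (Property 3).
ISO_9798_3_ID_PROTECTED = transform(ISO_9798_3, encrypt_signatures)
```

The precondition check fails, as it should, for a run in which a party signs a challenge it merely received rather than one it generated.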
Summary
Security protocols can be built in an incremental manner by combining sub-protocols.
Future work: Formal framework for reasoning that the composition process preserves the properties of the original sub-protocols.