Formally (?) Deriving Security Protocols
Anupam Datta
WIP with Ante Derek, John Mitchell, Dusko Pavlovic
October 23, 2002
Goals:
Build security protocols in a compositional manner, i.e., from standard sub-protocols.
Prove formally using logic that the composition process is sound, i.e., the resulting protocol is correct in a precise sense.
Idea:
Capture protocol designers’ intuition in a formal framework.
Example 1: Diffie-Hellman
X → Y: g^x
Y → X: g^y
Property 1: Secrecy
X deduces: Knows(Z, g^xy) ⊃ Knows(Z, y)
Example 2: Challenge-Response
A → B: m, A
B → A: n, sig_B{n, m, A}
A → B: sig_A{m, n, B}
Property 2: Mutual Authentication
A deduces: Created(B, n) ∧ Sent(B, msg2)
Composition
ISO 9798-3 protocol:
A → B: g^a, A
B → A: g^b, sig_B{g^b, g^a, A}
A → B: sig_A{g^a, g^b, B}
Has both Property 1 and Property 2.
It can be inferred that A and B share the secret g^ab.
Refinement
Encrypt signatures (find-and-replace):
A → B: g^a, A
B → A: g^b, E_K{sig_B{g^b, g^a, A}}
A → B: E_K{sig_A{g^a, g^b, B}}
Has Property 1 and Property 2. Also Property 3: Identity protection.
Other applications…
By applying a series of other such simple syntactic rules, we derive the JFK protocol (a proposed protocol to replace IKE as the IPSec key exchange protocol).
Technical Report: www.stanford.edu/~danupam/composition.ps
Formalization
Notation: Cord Calculus and Compositional Logic
[Durgin, Mitchell, Pavlovic; 2001]
Motivation: the “arrows and messages” representation is inadequate; a more descriptive language is needed for describing the actions of the protocol participants.
Actions:
(νx) generate a new term x
(x) receive a term into x
<t> send a term t
Challenge-Response revisited
A : ( ) [ (νm) <{m, A}> (x) … ]A <>
Input interface: ( ); output interface: <>; actions: the bracketed sequence.
Attach logical assertions to actions: [(νm)]A Created(A, m).
This assertion is a required precondition to prove mutual authentication.
ISO 9798-3 revisited
A : ( ) [(νx)] <g^x> ; (m) [ <{m, A}> (x) … ]A <>
1. Generate a new x; compute g^x.
2. Substitute g^x for m in the second cord.
Created(A, g^x) is a precondition. Mutual authentication can be proved as in challenge-response.
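The derivation on these slides, as an added example that is not part of the original talk or the authors' technical report: a small symbolic (Dolev-Yao style) Python model in which the signed challenge-response cord of Example 2 takes its fresh-term generators as parameters, and ISO 9798-3 is obtained by plugging in the Diffie-Hellman exponential g^x of Example 1 for the nonce m (and g^b for n), with the trace recording the Created and Sent assertions so that Property 2 can be checked as stated. Terms, signatures and the trace format are this example's own assumptions; signatures are symbolic and unforgeable in this model, and the DH key is normalised so that g^ab and g^ba compare equal.

```python
from itertools import count

_fresh = count(1)
G = ("exp", ())  # the generator g before any exponent is applied

def nu(owner, trace):
    """(νx): owner generates a fresh term x; the trace records Created(owner, x)."""
    x = ("nonce", owner, next(_fresh))
    trace.append(("Created", owner, x))
    return x

def exp(base, e):
    """Symbolic exponentiation; exponents are kept sorted so that g^ab == g^ba."""
    return ("exp", tuple(sorted(base[1] + (e,))))

def send(sender, msg, trace):
    trace.append(("Sent", sender, msg))
    return msg

def challenge_response(fresh_A, fresh_B):
    """Example 2, with the fresh-term generators as parameters: fresh_X(trace) -> term."""
    trace = []
    m = fresh_A(trace)
    send("A", (m, "A"), trace)
    n = fresh_B(trace)
    msg2 = send("B", (n, ("sig", "B", (n, m, "A"))), trace)
    if msg2[1] != ("sig", "B", (n, m, "A")):   # A verifies sig_B before deducing anything
        raise ValueError("sig_B does not verify")
    send("A", ("sig", "A", (m, n, "B")), trace)
    return {"m": m, "n": n, "msg2": msg2, "trace": trace}

def a_deduces_property_2(run):
    """Property 2 as on the slides: A deduces Created(B, n) ∧ Sent(B, msg2)."""
    t = run["trace"]
    return ("Created", "B", run["n"]) in t and ("Sent", "B", run["msg2"]) in t

def dh_fresh(owner, private):
    """Example 1 as a sub-protocol: create x, keep it in `private`, contribute g^x."""
    def gen(trace):
        x = nu(owner, trace)
        private[owner] = x
        gx = exp(G, x)
        trace.append(("Created", owner, gx))   # the slides' precondition Created(A, g^x)
        return gx
    return gen

def iso_9798_3():
    """Composition: g^a replaces m and g^b replaces n in the challenge-response cord."""
    private = {}
    run = challenge_response(dh_fresh("A", private), dh_fresh("B", private))
    run["key_A"] = exp(run["n"], private["A"])   # A computes (g^b)^a
    run["key_B"] = exp(run["m"], private["B"])   # B computes (g^a)^b
    return run
```

Running `challenge_response` with plain nonces (`lambda t: nu("A", t)`, `lambda t: nu("B", t)`) gives Example 2 itself; `iso_9798_3()` gives the composed protocol with both sides holding the same symbolic g^ab.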
Summary
Security protocols can be built in an incremental manner by combining sub-protocols.
Future work: Formal framework for reasoning that the composition process preserves the properties of the original sub-protocols.