View
223
Download
2
Category
Preview:
Citation preview
Whole picture
Process Calculus
Definition of Secrecy and Authenticity
Demo
Comparison
Conclusion
Outlines
Whole picture
Process Calculus
Definition of Secrecy and Authenticity
Translation into Horn Clauses
Demo
Comparison
Conclusion
Outlines
Whole picture
Process Calculus
Definition of Secrecy and Authenticity
Translation into Horn Clauses
Demo
Comparison
Conclusion
Outlines
Extension of pi calculus with:◦ cryptographic primitives◦ “begin” & “end” events
Pi calculus: ◦ mathematical formalisms for describing and
analyzing properties of concurrent computation
Process Calculus
Syntax
Name:◦ Free name: Names globally known (also to adversary)◦ Bound name: Names local to the process
Variable:◦ Free variable: Variables not used anywhere◦ Bound name: variables used in the process
Create secret key skA & skB
Create corresponding public keys Distribute public keys Create unbounded number of sessions
First Few Steps
Whole picture
Process Calculus
Definition of Secrecy and Authenticity
Translation into Horn Clauses
Demo
Comparison
Conclusion
Outlines
Adversary (attacker)
◦ Closed process: Process without free variables (allow free names)
Definitions
Authenticity
◦ Non-injective agreement: if event end(M) is executed, then begin(M) has also
been executed.
Definitions
Authenticity
◦ Injective agreement: The number of executions of end(M) is smaller than
that of begin(M).
Definitions
Where is Authenticity?
Authenticity
◦ Non-injective agreement: if event end(M) is executed, then begin(M) has also
been executed.
Definitions
Authenticity is satisfied when: ◦ B cannot emit his end event without A having
emitted her begin event.
End(M) => Begin(M) for all cases.
Why?
Authenticity
Sarkozy thinks:
Sarkozy says:
Sarkozy agrees:
Authenticity is satisfied when: The other side is indeed Sarkozy!
Event: Begin & End
Begin(M): I start my part of the protocol.I think I would talk to Obama
End(M): I finish my part of the
protocol.I think I have talked to
Sarkozy
Protocol ensures:
Remember: Protocol is lock-stepped!
You may ask: Is it sufficient?
Begin(M): I start my part of the protocol.I think I would talk to Obama
End(M): I finish my part of the
protocol.I think I has talked to
Sarkozy
Authenticity is violated when End(M) => Begin(M)!
Authenticity is satisfied when: ◦ B cannot emit his end event without A having
emitted her begin event.
End(M) => Begin(M) for all cases.
Why?
You may ask: Is it sufficient?
Begin(M): I start my part of the protocol.I think I would talk to Obama
End(M): I finish my part of the
protocol.I think I has talked to
Sarkozy
Here End(M) !=> Begin(M)!
Authenticity
◦ Non-injective agreement: if event end(M) is executed, then begin(M) has also
been executed.
Definitions
Correct!
Whole picture
Process Calculus
Definition of Secrecy and Authenticity
Translation into Horn Clauses
Demo
Comparison
Conclusion
Outlines
If c ∈ S, message(c[],M) = attacker(M)
Vo, Vs:◦ Vo: Set of ordinary variables.◦ Vs: Set of session identifiers.
ρ : mapping from variables and names to patterns
h : Sequence of facts of message and begin. ◦ Literals of horn clauses we want
Before Translation
[|P|] = [|(vskA).P1|] [|P1|] = [|(vskB).P2|] [|P2|] = [|let pkA = pk(skA) in P3|] [|P3|] = [|let pkB = pk(skB) in P4|] [|P4|] = [|c<pkA>.P5|]
ρ : c → c[] h :
First Horn Clause: message(c[],pk(skA))=attacker(pk(skA[]))
First Few Steps
,skA → skA[] , skB → skB[] , pkA → pk(skA[]) , pkB → pk(skB[])
BP0,S : Horn clauses of the protocol Bb : Horn clauses of allowed begin event.
From secrecy to authenticity
We are back!
Whole picture
Process Calculus
Definition of Secrecy and Authenticity
Translation into Horn Clauses
Demo
Comparison
Conclusion
Outlines
Whole picture
Process Calculus
Definition of Secrecy and Authenticity
Translation into Horn Clauses
Demo
Comparison
Conclusion
Outlines
Pros & Cons
Pros Cons
Fully Automatic Sometimes no termination
Unlimited number of sessions Sometimes not Complete
General cryptographic primitives
Inductive method similar to Proverif◦ Proverif is kind of automatic
Model checking automatic◦ Infinate session in Proverif.
Comparison
Proverif Inductive Approach
Model Checking(Mur phi)
Automaticity Y N Y
Number of States Support
Infinite Infinite Finite
Concurrency Support
Y Y(Manually) Y(limited)
Whole picture
Process Calculus
Definition of Secrecy and Authenticity
Translation into Horn Clauses
Demo
Comparison
Conclusion
Outlines
New Technique for Authenticity verification in Cryptographic
Protocol
Fully automatic Precise sematic foundation
Unbounded number of sessions Support general cryptographic primitive
Conclusion
Recommended