SlideShare ist ein Scribd-Unternehmen logo

Proving Security Protocols Correct

Lawrence Paulson
Lawrence Paulson

Keynote lecture for the IEEE Symposium on Logic in Computer Science (LICS). Trento, Italy (1999).

Technologie
1 von 29
Downloaden Sie, um offline zu lesen
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory
How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks'' everything publications 1 L. C. Paulson
Case Study: the Plight of Monica and Bill 2 L. C. Paulson
A,Na,Sid,Pa client server client hello Nb,Sid,Pb server hello cert(B,Kb) server certificate cert(A,Ka) client certificate {PMS}Kb client key exchange -1 {Hash(Nb,B,PMS)}Ka certificate verify M = PRF(PMS,Na,Nb) Finished = Hash(M,messages) {Finished}clientK(Na,Nb,M) client finished {Finished}serverK(Na,Nb,M) server finished An Internet Security Protocol (TLS) 3 L. C. Paulson
Why Are Security Protocols Often Wrong? they are TRIVIAL programs built from simple primitives, BUT they are complicated by concurrency a hostile environment – a bad user controls the network obscure concepts vague specifications – we have to guess what is wanted 4 L. C. Paulson
Typical Protocol Goals Authenticity: who sent it? Integrity: has it been altered? Secrecy: who can receive it? Anonymity Non-repudiation : : : all SAFETY properties 5 L. C. Paulson
What Are Session Keys? used for a single session not safeguarded forever distributed using long-term keys could eventually become compromised can only be trusted if FRESH 6 L. C. Paulson
Freshness, or Would You Eat This Fish? wine: six years old fish: ? weeks old 7 L. C. Paulson
Packaging a Session Key for Bill fjK; A; NbjgKb session key person it's shared with nonce specified sealed using Bill's key by Bill: proof of freshness 8 L. C. Paulson
A Bad Variant of the Otway-Rees Protocol 3: Na; fjNa; KabjgKa; fjNb; KabjgKb 1: Na; A; B; fjNa; A; BjgKa B S A 2: Na; A; B; fjNa; A; BjgKa; Nb; fjNa; A; BjgKb 4: Na; fjNa; KabjgKa 9 L. C. Paulson
A Splicing Attack with Interleaved Runs 1: A !CB : Na; A; B; fjNa; A; BjgKa 10 : C ! A : Nc;C; A; fjNc;C; AjgKc 20 : A !CS : Nc;C; A; fjNc;C; AjgKc; Na0 ; fjNc;C; AjgKa 200 : CA ! S : Nc;C; A; fjNc;C; AjgKc; Na; fjNc;C; AjgKa 30 : S !CA : Nc; fjNc; KcajgKc; fjNa; KcajgKa 4: CB ! A : Na; fjNa; KcajgKa Alice thinks the key Kca is shared with Bill, butÊit's shared with Carol! 10 L. C. Paulson
A Bad Variant of the Yahalom Protocol 2: B; Nb; fjA; NajgKb B S 3: fjB; Kab; Na; NbjgKa; fjA; KabjgKb A 1: A; Na 4: fjA; KabjgKb; fjNbjgKab 11 L. C. Paulson
A Replay Attack 1: CA ! B : A; Nc 2: B !CS : B; Nb; fjA; NcjgKb 4: CA ! B : fjA; Kjg Kb; fjNbjgK Carol has broken the old key, K. She makes Bill think it is shared with Alice. 12 L. C. Paulson
Verification Method I: Authentication Logics BAN logic: Burrows, Abadi, Needham (1989) Short proofs using high-level primitives: Nonce N is fresh Key Kab is good Agent S can be trusted good for freshness not-so-good for secrecy or splicing attacks 13 L. C. Paulson
Verification Method II: State Enumeration Specialized tools (Meadows) General model-checkers (Lowe) Model protocol as a finite-state system automatically finds splicing attacks freshness is hard to model Try using formal proof! 14 L. C. Paulson
Why An Operational Model? good fit to informal protocol proofs: inductive simple foundations readable protocol specifications easily explained to security experts easily mechanized using Isabelle 15 L. C. Paulson
An Overview of Isabelle uses higher-order logic as a logical framework generic treatment of inference rules logics supported include ZF set theory HOL powerful simplifier classical reasoner strong support for inductive definitions 16 L. C. Paulson
Overview of the Model Traces of events – A sends B message X – A receives X – A stores X A powerful attacker – is an accepted user – attempts all possible splicing attacks – has the same specification in all protocols 17 L. C. Paulson
Agents and Messages agent A; B; : : : D Server j Friend i j Spy message X; Y; : : : D Agent A j Nonce N j Key K j fjX; X0jg compound message j Crypt K X free algebras: we assume PERFECT ENCRYPTION 18 L. C. Paulson
Functions over Sets of Messages parts H: message components Crypt K X7! X analz H: accessible components Crypt K X; K−17! X synth H: expressible messages X; K7! Crypt K X RELATIONS are traditional, but FUNCTIONS give us an equational theory 19 L. C. Paulson
Operational Definition: analz H Crypt K X 2 analzH K−1 2 analz H X 2 analz H X 2 H X 2 analz H fjX; Y jg 2 analz H X 2 analz H fjX; Y jg 2 analz H Y 2 analz H Typical derived law: analz G [ analz H analz.G [ H/ 20 L. C. Paulson
Operational Definition: synth H X 2 H X 2 synth H Agent A 2 synth H X 2 synthH Y2 synth H fjX; Y jg 2 synth H X 2 synthH K2 H Crypt K X 2 synth H agent names can be guessed nonces keys cannot be! 21 L. C. Paulson
A Few Equations parts.parts H/ D parts H transitivity analz.synth H/ D analz H [ synth H “cut elimination” Symbolic Evaluation: analz.fCrypt K Xg [ H/ D 8 fCrypt K Xg [ analz.fXg [ H/ if K−1 2 analz H fCrypt K Xg [ analz H otherwise : 22 L. C. Paulson
What About Freshness? 23 L. C. Paulson
Modelling Attacks and Key Losses If X 2 synth.analz.spies evs// may add Says Spy B X (Fake rule) If the server distributes session key K may add Notes Spy fjNa; Nb; Kjg (Oops rule) Nonces show the TIME of the loss 24 L. C. Paulson
Overview of Results facts proved by induction classical reasoning simplifying analz H: case analysis, big formulas handles REAL protocols: TLS, Kerberos, : : : lemmas reveal surprising protocol features failed proofs can suggest attacks Proofs require days or weeks of effort Generalizing induction formulas is hard! 25 L. C. Paulson
The Recursive Authentication Protocol designed in industry (APM Ltd) novel recursive structure: variable length VERIFIED by Paulson – assuming perfect encryption ATTACKED by Ryan and Schneider – using the specified encryption (XOR) Doesn’t proof give certainty? Not in the real world! 26 L. C. Paulson
So Then, How Detailed Should a Model Be? detailed enough to answer the relevant questions abstract enough to fit our budget model-checking is almost free (thanks to Lowe, Roscoe, Schneider) formal proofs give more, but cost more 27 L. C. Paulson
Don’t let theory displace reality

Empfohlen

JavaLand gRPC vs REST API
JavaLand gRPC vs REST APIJavaLand gRPC vs REST API
JavaLand gRPC vs REST APIVladimir Dejanovic
 
REST API vs gRPC, which one should you use in breaking a monolith [Kdg.net 2018]
REST API vs gRPC, which one should you use in breaking a monolith [Kdg.net 2018]REST API vs gRPC, which one should you use in breaking a monolith [Kdg.net 2018]
REST API vs gRPC, which one should you use in breaking a monolith [Kdg.net 2018]Vladimir Dejanovic
 
PKCS11
PKCS11PKCS11
PKCS11Byeong Yeong Jeong
 
Svccg nosql 2011_sri-cassandra
Svccg nosql 2011_sri-cassandraSvccg nosql 2011_sri-cassandra
Svccg nosql 2011_sri-cassandrasrisatish ambati
 
OpenShift Enterprise Workshop - Frederic Hornain
OpenShift Enterprise Workshop - Frederic HornainOpenShift Enterprise Workshop - Frederic Hornain
OpenShift Enterprise Workshop - Frederic HornainKangaroot
 
A Generic Tableau Prover and Its Integration with Isabelle
A Generic Tableau Prover and Its Integration with IsabelleA Generic Tableau Prover and Its Integration with Isabelle
A Generic Tableau Prover and Its Integration with IsabelleLawrence Paulson
 
MetiTarski's menagerie of cooperating systems
MetiTarski's menagerie of cooperating systemsMetiTarski's menagerie of cooperating systems
MetiTarski's menagerie of cooperating systemsLawrence Paulson
 
Automated theorem proving for special functions: the next phase
Automated theorem proving for special functions: the next phaseAutomated theorem proving for special functions: the next phase
Automated theorem proving for special functions: the next phaseLawrence Paulson
 

Empfohlen

JavaLand gRPC vs REST API
JavaLand gRPC vs REST APIJavaLand gRPC vs REST API
JavaLand gRPC vs REST APIVladimir Dejanovic
 
REST API vs gRPC, which one should you use in breaking a monolith [Kdg.net 2018]
REST API vs gRPC, which one should you use in breaking a monolith [Kdg.net 2018]REST API vs gRPC, which one should you use in breaking a monolith [Kdg.net 2018]
REST API vs gRPC, which one should you use in breaking a monolith [Kdg.net 2018]Vladimir Dejanovic
 
PKCS11
PKCS11PKCS11
PKCS11Byeong Yeong Jeong
 
Svccg nosql 2011_sri-cassandra
Svccg nosql 2011_sri-cassandraSvccg nosql 2011_sri-cassandra
Svccg nosql 2011_sri-cassandrasrisatish ambati
 
OpenShift Enterprise Workshop - Frederic Hornain
OpenShift Enterprise Workshop - Frederic HornainOpenShift Enterprise Workshop - Frederic Hornain
OpenShift Enterprise Workshop - Frederic HornainKangaroot
 
A Generic Tableau Prover and Its Integration with Isabelle
A Generic Tableau Prover and Its Integration with IsabelleA Generic Tableau Prover and Its Integration with Isabelle
A Generic Tableau Prover and Its Integration with IsabelleLawrence Paulson
 
MetiTarski's menagerie of cooperating systems
MetiTarski's menagerie of cooperating systemsMetiTarski's menagerie of cooperating systems
MetiTarski's menagerie of cooperating systemsLawrence Paulson
 
Automated theorem proving for special functions: the next phase
Automated theorem proving for special functions: the next phaseAutomated theorem proving for special functions: the next phase
Automated theorem proving for special functions: the next phaseLawrence Paulson
 
Theorem proving and the real numbers: overview and challenges
Theorem proving and the real numbers: overview and challengesTheorem proving and the real numbers: overview and challenges
Theorem proving and the real numbers: overview and challengesLawrence Paulson
 
Source-Level Proof Reconstruction for Interactive Proving
Source-Level Proof Reconstruction for Interactive ProvingSource-Level Proof Reconstruction for Interactive Proving
Source-Level Proof Reconstruction for Interactive ProvingLawrence Paulson
 
Defining Functions on Equivalence Classes
Defining Functions on Equivalence ClassesDefining Functions on Equivalence Classes
Defining Functions on Equivalence ClassesLawrence Paulson
 
Organizing Numerical Theories using Axiomatic Type Classes
Organizing Numerical Theories using Axiomatic Type ClassesOrganizing Numerical Theories using Axiomatic Type Classes
Organizing Numerical Theories using Axiomatic Type ClassesLawrence Paulson
 
Mechanized Proofs for a Recursive Authentication Protocol
Mechanized Proofs for a Recursive Authentication ProtocolMechanized Proofs for a Recursive Authentication Protocol
Mechanized Proofs for a Recursive Authentication ProtocolLawrence Paulson
 
Mechanizing set theory: cardinal arithmetic and the axiom of choice
Mechanizing set theory: cardinal arithmetic and the axiom of choiceMechanizing set theory: cardinal arithmetic and the axiom of choice
Mechanizing set theory: cardinal arithmetic and the axiom of choiceLawrence Paulson
 
MetiTarski: An Automatic Prover for Real-Valued Special Functions
MetiTarski: An Automatic Prover for Real-Valued Special FunctionsMetiTarski: An Automatic Prover for Real-Valued Special Functions
MetiTarski: An Automatic Prover for Real-Valued Special FunctionsLawrence Paulson
 
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZFThe Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZFLawrence Paulson
 
The Reflection Theorem: Formalizing Meta-Theoretic Reasoning
The Reflection Theorem: Formalizing Meta-Theoretic ReasoningThe Reflection Theorem: Formalizing Meta-Theoretic Reasoning
The Reflection Theorem: Formalizing Meta-Theoretic ReasoningLawrence Paulson
 
Proving Properties of Security Protocols by Induction
Proving Properties of Security Protocols by InductionProving Properties of Security Protocols by Induction
Proving Properties of Security Protocols by InductionLawrence Paulson
 
A Machine-Assisted Proof of Gödel's Incompleteness Theorems
A Machine-Assisted Proof of Gödel's Incompleteness TheoremsA Machine-Assisted Proof of Gödel's Incompleteness Theorems
A Machine-Assisted Proof of Gödel's Incompleteness TheoremsLawrence Paulson
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 

Weitere ähnliche Inhalte

Mehr von Lawrence Paulson

Theorem proving and the real numbers: overview and challenges
Theorem proving and the real numbers: overview and challengesTheorem proving and the real numbers: overview and challenges
Theorem proving and the real numbers: overview and challengesLawrence Paulson
 
Source-Level Proof Reconstruction for Interactive Proving
Source-Level Proof Reconstruction for Interactive ProvingSource-Level Proof Reconstruction for Interactive Proving
Source-Level Proof Reconstruction for Interactive ProvingLawrence Paulson
 
Defining Functions on Equivalence Classes
Defining Functions on Equivalence ClassesDefining Functions on Equivalence Classes
Defining Functions on Equivalence ClassesLawrence Paulson
 
Organizing Numerical Theories using Axiomatic Type Classes
Organizing Numerical Theories using Axiomatic Type ClassesOrganizing Numerical Theories using Axiomatic Type Classes
Organizing Numerical Theories using Axiomatic Type ClassesLawrence Paulson
 
Mechanized Proofs for a Recursive Authentication Protocol
Mechanized Proofs for a Recursive Authentication ProtocolMechanized Proofs for a Recursive Authentication Protocol
Mechanized Proofs for a Recursive Authentication ProtocolLawrence Paulson
 
Mechanizing set theory: cardinal arithmetic and the axiom of choice
Mechanizing set theory: cardinal arithmetic and the axiom of choiceMechanizing set theory: cardinal arithmetic and the axiom of choice
Mechanizing set theory: cardinal arithmetic and the axiom of choiceLawrence Paulson
 
MetiTarski: An Automatic Prover for Real-Valued Special Functions
MetiTarski: An Automatic Prover for Real-Valued Special FunctionsMetiTarski: An Automatic Prover for Real-Valued Special Functions
MetiTarski: An Automatic Prover for Real-Valued Special FunctionsLawrence Paulson
 
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZFThe Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZFLawrence Paulson
 
The Reflection Theorem: Formalizing Meta-Theoretic Reasoning
The Reflection Theorem: Formalizing Meta-Theoretic ReasoningThe Reflection Theorem: Formalizing Meta-Theoretic Reasoning
The Reflection Theorem: Formalizing Meta-Theoretic ReasoningLawrence Paulson
 
Proving Properties of Security Protocols by Induction
Proving Properties of Security Protocols by InductionProving Properties of Security Protocols by Induction
Proving Properties of Security Protocols by InductionLawrence Paulson
 
A Machine-Assisted Proof of Gödel's Incompleteness Theorems
A Machine-Assisted Proof of Gödel's Incompleteness TheoremsA Machine-Assisted Proof of Gödel's Incompleteness Theorems
A Machine-Assisted Proof of Gödel's Incompleteness TheoremsLawrence Paulson
 

Mehr von Lawrence Paulson (11)

Theorem proving and the real numbers: overview and challenges
Theorem proving and the real numbers: overview and challengesTheorem proving and the real numbers: overview and challenges
Theorem proving and the real numbers: overview and challenges
 
Source-Level Proof Reconstruction for Interactive Proving
Source-Level Proof Reconstruction for Interactive ProvingSource-Level Proof Reconstruction for Interactive Proving
Source-Level Proof Reconstruction for Interactive Proving
 
Defining Functions on Equivalence Classes
Defining Functions on Equivalence ClassesDefining Functions on Equivalence Classes
Defining Functions on Equivalence Classes
 
Organizing Numerical Theories using Axiomatic Type Classes
Organizing Numerical Theories using Axiomatic Type ClassesOrganizing Numerical Theories using Axiomatic Type Classes
Organizing Numerical Theories using Axiomatic Type Classes
 
Mechanized Proofs for a Recursive Authentication Protocol
Mechanized Proofs for a Recursive Authentication ProtocolMechanized Proofs for a Recursive Authentication Protocol
Mechanized Proofs for a Recursive Authentication Protocol
 
Mechanizing set theory: cardinal arithmetic and the axiom of choice
Mechanizing set theory: cardinal arithmetic and the axiom of choiceMechanizing set theory: cardinal arithmetic and the axiom of choice
Mechanizing set theory: cardinal arithmetic and the axiom of choice
 
MetiTarski: An Automatic Prover for Real-Valued Special Functions
MetiTarski: An Automatic Prover for Real-Valued Special FunctionsMetiTarski: An Automatic Prover for Real-Valued Special Functions
MetiTarski: An Automatic Prover for Real-Valued Special Functions
 
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZFThe Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
The Relative Consistency of the Axiom of Choice — Mechanized Using Isabelle/ZF
 
The Reflection Theorem: Formalizing Meta-Theoretic Reasoning
The Reflection Theorem: Formalizing Meta-Theoretic ReasoningThe Reflection Theorem: Formalizing Meta-Theoretic Reasoning
The Reflection Theorem: Formalizing Meta-Theoretic Reasoning
 
Proving Properties of Security Protocols by Induction
Proving Properties of Security Protocols by InductionProving Properties of Security Protocols by Induction
Proving Properties of Security Protocols by Induction
 
A Machine-Assisted Proof of Gödel's Incompleteness Theorems
A Machine-Assisted Proof of Gödel's Incompleteness TheoremsA Machine-Assisted Proof of Gödel's Incompleteness Theorems
A Machine-Assisted Proof of Gödel's Incompleteness Theorems
 

Kürzlich hochgeladen

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 

Kürzlich hochgeladen (20)

Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 

Proving Security Protocols Correct

  • 1. Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory
  • 2. How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks'' everything publications 1 L. C. Paulson
  • 3. Case Study: the Plight of Monica and Bill 2 L. C. Paulson
  • 4. A,Na,Sid,Pa client server client hello Nb,Sid,Pb server hello cert(B,Kb) server certificate cert(A,Ka) client certificate {PMS}Kb client key exchange -1 {Hash(Nb,B,PMS)}Ka certificate verify M = PRF(PMS,Na,Nb) Finished = Hash(M,messages) {Finished}clientK(Na,Nb,M) client finished {Finished}serverK(Na,Nb,M) server finished An Internet Security Protocol (TLS) 3 L. C. Paulson
  • 5. Why Are Security Protocols Often Wrong? they are TRIVIAL programs built from simple primitives, BUT they are complicated by concurrency a hostile environment – a bad user controls the network obscure concepts vague specifications – we have to guess what is wanted 4 L. C. Paulson
  • 6. Typical Protocol Goals Authenticity: who sent it? Integrity: has it been altered? Secrecy: who can receive it? Anonymity Non-repudiation : : : all SAFETY properties 5 L. C. Paulson
  • 7. What Are Session Keys? used for a single session not safeguarded forever distributed using long-term keys could eventually become compromised can only be trusted if FRESH 6 L. C. Paulson
  • 8. Freshness, or Would You Eat This Fish? wine: six years old fish: ? weeks old 7 L. C. Paulson
  • 9. Packaging a Session Key for Bill fjK; A; NbjgKb session key person it's shared with nonce specified sealed using Bill's key by Bill: proof of freshness 8 L. C. Paulson
  • 10. A Bad Variant of the Otway-Rees Protocol 3: Na; fjNa; KabjgKa; fjNb; KabjgKb 1: Na; A; B; fjNa; A; BjgKa B S A 2: Na; A; B; fjNa; A; BjgKa; Nb; fjNa; A; BjgKb 4: Na; fjNa; KabjgKa 9 L. C. Paulson
  • 11. A Splicing Attack with Interleaved Runs 1: A !CB : Na; A; B; fjNa; A; BjgKa 10 : C ! A : Nc;C; A; fjNc;C; AjgKc 20 : A !CS : Nc;C; A; fjNc;C; AjgKc; Na0 ; fjNc;C; AjgKa 200 : CA ! S : Nc;C; A; fjNc;C; AjgKc; Na; fjNc;C; AjgKa 30 : S !CA : Nc; fjNc; KcajgKc; fjNa; KcajgKa 4: CB ! A : Na; fjNa; KcajgKa Alice thinks the key Kca is shared with Bill, butÊit's shared with Carol! 10 L. C. Paulson
  • 12. A Bad Variant of the Yahalom Protocol 2: B; Nb; fjA; NajgKb B S 3: fjB; Kab; Na; NbjgKa; fjA; KabjgKb A 1: A; Na 4: fjA; KabjgKb; fjNbjgKab 11 L. C. Paulson
  • 13. A Replay Attack 1: CA ! B : A; Nc 2: B !CS : B; Nb; fjA; NcjgKb 4: CA ! B : fjA; Kjg Kb; fjNbjgK Carol has broken the old key, K. She makes Bill think it is shared with Alice. 12 L. C. Paulson
  • 14. Verification Method I: Authentication Logics BAN logic: Burrows, Abadi, Needham (1989) Short proofs using high-level primitives: Nonce N is fresh Key Kab is good Agent S can be trusted good for freshness not-so-good for secrecy or splicing attacks 13 L. C. Paulson
  • 15. Verification Method II: State Enumeration Specialized tools (Meadows) General model-checkers (Lowe) Model protocol as a finite-state system automatically finds splicing attacks freshness is hard to model Try using formal proof! 14 L. C. Paulson
  • 16. Why An Operational Model? good fit to informal protocol proofs: inductive simple foundations readable protocol specifications easily explained to security experts easily mechanized using Isabelle 15 L. C. Paulson
  • 17. An Overview of Isabelle uses higher-order logic as a logical framework generic treatment of inference rules logics supported include ZF set theory HOL powerful simplifier classical reasoner strong support for inductive definitions 16 L. C. Paulson
  • 18. Overview of the Model Traces of events – A sends B message X – A receives X – A stores X A powerful attacker – is an accepted user – attempts all possible splicing attacks – has the same specification in all protocols 17 L. C. Paulson
  • 19. Agents and Messages agent A; B; : : : D Server j Friend i j Spy message X; Y; : : : D Agent A j Nonce N j Key K j fjX; X0jg compound message j Crypt K X free algebras: we assume PERFECT ENCRYPTION 18 L. C. Paulson
  • 20. Functions over Sets of Messages parts H: message components Crypt K X7! X analz H: accessible components Crypt K X; K−17! X synth H: expressible messages X; K7! Crypt K X RELATIONS are traditional, but FUNCTIONS give us an equational theory 19 L. C. Paulson
  • 21. Operational Definition: analz H Crypt K X 2 analzH K−1 2 analz H X 2 analz H X 2 H X 2 analz H fjX; Y jg 2 analz H X 2 analz H fjX; Y jg 2 analz H Y 2 analz H Typical derived law: analz G [ analz H analz.G [ H/ 20 L. C. Paulson
  • 22. Operational Definition: synth H X 2 H X 2 synth H Agent A 2 synth H X 2 synthH Y2 synth H fjX; Y jg 2 synth H X 2 synthH K2 H Crypt K X 2 synth H agent names can be guessed nonces keys cannot be! 21 L. C. Paulson
  • 23. A Few Equations parts.parts H/ D parts H transitivity analz.synth H/ D analz H [ synth H “cut elimination” Symbolic Evaluation: analz.fCrypt K Xg [ H/ D 8 fCrypt K Xg [ analz.fXg [ H/ if K−1 2 analz H fCrypt K Xg [ analz H otherwise : 22 L. C. Paulson
  • 24. What About Freshness? 23 L. C. Paulson
  • 25. Modelling Attacks and Key Losses If X 2 synth.analz.spies evs// may add Says Spy B X (Fake rule) If the server distributes session key K may add Notes Spy fjNa; Nb; Kjg (Oops rule) Nonces show the TIME of the loss 24 L. C. Paulson
  • 26. Overview of Results facts proved by induction classical reasoning simplifying analz H: case analysis, big formulas handles REAL protocols: TLS, Kerberos, : : : lemmas reveal surprising protocol features failed proofs can suggest attacks Proofs require days or weeks of effort Generalizing induction formulas is hard! 25 L. C. Paulson
  • 27. The Recursive Authentication Protocol designed in industry (APM Ltd) novel recursive structure: variable length VERIFIED by Paulson – assuming perfect encryption ATTACKED by Ryan and Schneider – using the specified encryption (XOR) Doesn’t proof give certainty? Not in the real world! 26 L. C. Paulson
  • 28. So Then, How Detailed Should a Model Be? detailed enough to answer the relevant questions abstract enough to fit our budget model-checking is almost free (thanks to Lowe, Roscoe, Schneider) formal proofs give more, but cost more 27 L. C. Paulson
  • 29. Don’t let theory displace reality