
From CryptoVerif Specifications to Computationally Secure Implementations of Protocols

Bruno Blanchet and David Cadé
INRIA, École Normale Supérieure, CNRS, Paris
April 2012



Published: Tuesday 19 June 2012
Source: di.ens.fr
Number of pages: 35
Protocol verification

  • Symbolic, specifications: FDR, AVISPA, ProVerif, ...
  • Symbolic, implementations: FS2PV, F7, Spi2Java, Andy's talk, ...
  • Computational, specifications: CryptoVerif, CertiCrypt, ...
  • Computational, implementations: FS2CV, Computational F7, Andy's talk, our work, ...

Our approach

Generate protocol implementations from specifications.

  • Specification proved secure in the computational model by CryptoVerif.
  • Specification translated into an OCaml implementation by our compiler.

Goal: proved implementations of cryptographic protocols.

Remark: FS2CV does the translation in the other direction!

Overview of our approach

[Figure: diagram with boxes labelled CryptoVerif specification, CryptoVerif, Proof in the computational model, Our Compiler, Protocol Code, Cryptographic primitives, Network Code, OCaml Compiler, Implementation. Caption: Tool, Input, Result.]

Choice of the target language

Why OCaml?

  • Memory safe.
      • Easier to show that the network code does not access the protocol memory.
  • Clean semantics.
  • Crypto library available.

Writing a compiler into another language would not be difficult.
Proving the security of the generated protocol may be more difficult.

CryptoVerif

CryptoVerif is an automatic prover:

  • in the computational model.
  • proves secrecy and correspondence (authentication) properties.
  • provides a generic method for specifying properties of cryptographic primitives.
  • works for N sessions (polynomial in the security parameter), with an active adversary.
  • gives a bound on the probability of an attack (exact security).
  • possibility to guide the prover (manual mode).

Proofs by sequences of games

CryptoVerif produces proofs by sequences of games, like those of cryptographers [Shoup, Bellare & Rogaway]:

  • The first game is the real protocol.
  • One goes from one game to the next by syntactic transformations or by applying the definition of security of a cryptographic primitive. The difference of probability between consecutive games is negligible.
  • The last game is "ideal": the security property is obvious from the form of the game. (The advantage of the adversary is 0 for this game.)

    Game 0 (protocol to prove) <--p1, negligible--> Game 1 <--p2, negligible--> ... <--pn, negligible--> Game n (property obvious)

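Added worked derivation (not part of the original slides): how the per-step differences p1, ..., pn of the game sequence combine into the bound on the probability of an attack. The notation Adv_i, for the adversary's advantage against the security property in Game i, is an assumption introduced here.

\[
\left|\mathrm{Adv}_{i-1} - \mathrm{Adv}_{i}\right| \le p_i \quad (1 \le i \le n), \qquad \mathrm{Adv}_n = 0
\]

\[
\mathrm{Adv}_0 \;\le\; \mathrm{Adv}_n + \sum_{i=1}^{n} \left|\mathrm{Adv}_{i-1} - \mathrm{Adv}_{i}\right| \;\le\; 0 + \sum_{i=1}^{n} p_i \;=\; p_1 + p_2 + \dots + p_n
\]

The first inequality is the triangle inequality applied along the chain Game 0, Game 1, ..., Game n. Since the number of games n is fixed and each p_i is negligible, the sum is negligible, and it is an explicit bound on the adversary's advantage against the real protocol (Game 0).
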
The CryptoVerif specification language: terms

CryptoVerif represents protocols and games in a process calculus.

    M, N ::=                  terms
        x                     variable
        f(M1, ..., Mm)        function application

Function symbols f correspond to functions computable by polynomial-time deterministic Turing machines.

The CryptoVerif specification language: processes

    Q ::=                                                    oracle definitions
        0                                                    nil
        Q | Q'                                               parallel composition
        foreach i <= n do Q                                  replication n times
        O[ĩ](x1:T1, ..., xk:Tk) := P                         oracle definition

    P ::=                                                    oracle body
        return(M1, ..., Mk); Q                               return
        end                                                  end
        x <-R T; P                                           random number
        x:T <- M; P                                          assignment
        if M then P else P'                                  conditional
        insert Tbl(M1, ..., Mk); P                           insert in table
        get Tbl(x1:T1, ..., xk:Tk) suchthat M in P else P'   get from table

Example

    A → B : enc(r, Kab)

    process Ostart() :=
        rKab <-R keyseed;
        Kab <- kgen(rKab);
        return();
        (foreach i1 <= N do processA | foreach i2 <= N do processB)

The oracle Ostart generates Kab. This symmetric key will not be known by the opponent.

Only after Ostart has been called, we can call at most N times processA and at most N times processB.