Security Protocol Verification: Symbolic and Computational Models

profil-zyak-2012 - Bruno Blanchet

Découvre YouScribe en t'inscrivant gratuitement

Je m'inscris

Obtenez un accès à la bibliothèque pour le consulter en ligne
En savoir plus

26 pages

English

Obtenez un accès à la bibliothèque pour le consulter en ligne
En savoir plus

A propos
Informations
Extrait

Description

Niveau: Supérieur, Doctorat, Bac+8
Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, Ecole Normale Superieure, CNRS, Paris Abstract. Security protocol verification has been a very active research area since the 1990s. This paper surveys various approaches in this area, considering the verification in the symbolic model, as well as the more recent approaches that rely on the computational model or that ver- ify protocol implementations rather than specifications. Additionally, we briefly describe our symbolic security protocol verifier ProVerif and sit- uate it among these approaches. 1 Security Protocols Security protocols are programs that aim at securing communications on in- secure networks, such as Internet, by relying on cryptographic primitives. Se- curity protocols are ubiquitous: they are used, for instance, for e-commerce (e.g., the protocol TLS [109], used for https:// URLs), bank transactions, mobile phone and WiFi networks, RFID tags, and e-voting. However, the de- sign of security protocols is particularly error-prone. This can be illustrated for instance by the very famous Needham-Schroeder public-key protocol [160], in which a flaw was found by Lowe [147] 17 years after its publication. Even though much progress has been made since then, many flaws are still found in current security protocols (see, e.

physical attacks

syntactic secrecy

protocol satisfies

equivalences can

protocol

split into

security protocols

attacks introduce

can easily

public key

Sujets

Needham

Blanchet

Protocol

Public-key cryptography

Informations

Publié par	profil-zyak-2012
Nombre de lectures	15
Langue	English

Extrait

SecurityProtocolVeriﬁcation:SymbolicandComputationalModelsBrunoBlanchetINRIA,E´coleNormaleSup´erieure,CNRS,Parisblanchet@di.ens.frAbstract.Securityprotocolveriﬁcationhasbeenaveryactiveresearchareasincethe1990s.Thispapersurveysvariousapproachesinthisarea,consideringtheveriﬁcationinthesymbolicmodel,aswellasthemorerecentapproachesthatrelyonthecomputationalmodelorthatver-ifyprotocolimplementationsratherthanspeciﬁcations.Additionally,webrieﬂydescribeoursymbolicsecurityprotocolveriﬁerProVerifandsit-uateitamongtheseapproaches.1SecurityProtocolsSecurityprotocolsareprogramsthataimatsecuringcommunicationsonin-securenetworks,suchasInternet,byrelyingoncryptographicprimitives.Se-curityprotocolsareubiquitous:theyareused,forinstance,fore-commerce(e.g.,theprotocolTLS[109],usedforhttps://URLs),banktransactions,mobilephoneandWiFinetworks,RFIDtags,ande-voting.However,thede-signofsecurityprotocolsisparticularlyerror-prone.ThiscanbeillustratedforinstancebytheveryfamousNeedham-Schroederpublic-keyprotocol[160],inwhichaﬂawwasfoundbyLowe[147]17yearsafteritspublication.Eventhoughmuchprogresshasbeenmadesincethen,manyﬂawsarestillfoundincurrentsecurityprotocols(see,e.g.,http://www.openssl.org/news/andhttp://www.openssh.org/security.html).Securityerrorscanhaveseriousconsequences,resultinginlossofmoneyorlossofconﬁdenceofusersinthesys-tem.Moreover,securityerrorscannotbedetectedbyfunctionalsoftwaretestingbecausetheyappearonlyinthepresenceofamaliciousadversary.Automatictoolscanthereforebeveryhelpfulinordertoobtainactualguaranteesthatsecurityprotocolsarecorrect.Thisisareasonwhytheveriﬁcationofsecurityprotocolshasbeenaveryactiveresearchareasincethe1990s,andisstillveryactive.Thissurveyaimsatsummarizingtheresultsobtainedinthisarea.Duetothelargenumberofpapersonsecurityprotocolveriﬁcationandthelimitedspace,wehadtoomitmanyofthem;webelievethatwestillpresentrepre-sentativesofthemainapproaches.Additionally,Sect.2.2brieﬂydescribesoursymbolicveriﬁcationtoolProVerif.1.1AnExampleofProtocolWeillustratethenotionofsecurityprotocolwiththefollowingexample,asim-pliﬁedversionoftheDenning-Saccopublic-keykeydistributionprotocol[108].

2BrunoBlanchetMessage1.A→B:{{k}skA}pkBkfreshMessage2.B→A:{s}kAsusual,A→B:MmeansthatAsendstoBthemessageM;{M}skdenotesthesignatureofMwiththesecretkeysk(whichcanbeveriﬁedwiththepublickeypk);{M}pkdenotesthepublic-keyencryptionofmessageMunderthepublickeypk(whichcanbedecryptedwiththecorrespondingsecretkeysk);{M}kdenotestheshared-keyencryptionofmessageMunderkeyk(whichcanbedecryptedwiththesamekeyk).Inthisprotocol,theprincipalAchoosesafreshkeykateachrunoftheprotocol.ShesignsthiskeywithhersigningkeyskA,encryptstheobtainedmessagewiththepublickeyofherinterlocutorB,andsendshimthemessage.WhenBreceivesit,hedecryptsit(withhissecretkeyskB),veriﬁesthesignatureofA,andobtainsthekeyk.Havingveriﬁedthissignature,BisconvincedthatthekeywaschosenbyA,andencryptionunderpkBguaranteesthatonlyBcoulddecryptthemessage,sokshouldbesharedbetweenAandB.Then,Bencryptsasecretsunderthesharedkeyk.OnlyAshouldbeabletodecryptthemessageandobtainthesecrets.Ingeneral,intheliterature,asintheexampleabove,theprotocolsarede-scribedinformallybygivingthelistofmessagesthatshouldbeexchangedbe-tweentheprincipals.Nevertheless,onemustbecarefulthatthesedescriptionsareonlyinformal:theyindicatewhathappensintheabsenceofanadversary.However,anadversarycancapturemessagesandsendhisownmessages,sothesourceandthetargetofamessagemaynotbetheexpectedone.Moreover,thesedescriptionsleaveimplicittheveriﬁcationsdonebytheprincipalswhentheyreceivemessages.Sincetheadversarymaysendmessagesdiﬀerentfromtheexpectedones,andexploittheobtainedreply,theseveriﬁcationsareveryimportant:theydeterminewhichmessageswillbeacceptedorrejected,andmaythereforeprotectornotagainstattacks.Formalmodelsofprotocols,suchas[5,7,72,117]makeallthisprecise.Althoughtheexplanationabovemayseemtojustifyitssecurityinformally,thisprotocolissubjecttoanattack:Message1.A→C:{{k}skA}pkCMessage1’.C(A)→B:{{k}skA}pkBMessage2.B→C(A):{s}kInthisattack,ArunstheprotocolwithadishonestprincipalC.Thisprincipalgetstheﬁrstmessageoftheprotocol{{k}skA}pkC,decryptsitandre-encryptsitunderthepublickeyofB.Theobtainedmessage{{k}skA}pkBcorrespondsexactlytotheﬁrstmessageofasessionbetweenAandB.Then,CsendsthismessagetoBimpersonatingA;above,wedenotebyC(A)thedishonestpartic-ipantCimpersonatingA.Breplieswiththesecrets,intendedforA,encryptedunderk.C,havingobtainedthekeykbytheﬁrstmessage,candecryptthismessageandobtainthesecrets.Theprotocolcaneasilybeﬁxed,byaddingtheidentityofBtothesignedmessage,whichyieldsthefollowingprotocol:

Univers
Ebooks
Livres audio
Presse
Podcasts
BD
Documents

Security Protocol Verification: Symbolic and Computational Models

Needham

Blanchet

Protocol

Public-key cryptography

YouScribe

Le catalogue

Le service

Les conditions