Formal Verification of Security Protocols – an Introduction

Mads Dam, KTH/CSC
ACCESS – distributed management group

Presentation Transcript
Security Protocols
  • Two or more parties
  • Communication over insecure network
  • Active adversary can
    • Intercept messages
    • Forge messages
    • Replay messages
  • Cryptography is countermeasure
    • Encrypt data
    • Sign and authenticate data
    • Exchange secret keys
    • Generate nonces and time stamps

Security Objectives

Goal: To preserve some desired property as far as possible in face of attack


  • Secrecy of message, secrecy of bits
  • Anonymity, privacy


  • Authenticity
  • Distributed agreement
  • Survivability


  • Denial of service prevention
Security Analysis
  • Model system

Granularity, adversary access paths

  • Model adversary

Memory, computational power, observational power

  • Identify security properties of interest
  • Examine if properties preserved under attack
  • Result:
    • Under given assumptions about the system and the adversary, no attack of a certain form will destroy the property we’re after
    • Unconditional security is not possible
Modelling Decisions
  • Modelling the system
    • Single or multiple sessions, several concurrent runs
    • Accuracy of computation and communication model
    • Real or idealized crypto?
  • How powerful is the attacker?
    • Simple replays
    • Block messages
    • Decompose, reassemble and resend messages
    • Statistical analysis, traffic analysis?
    • Timing behaviour?
  • Accuracy of security properties
Needham-Schroeder Key Exchange

NA, NB: Nonces, freshly generated random numbers

KA, KB: Public keys

  • {M}KA: Encryption of M, readable only by A, since only A possesses the secret key KA⁻¹

Goal of protocol: Mutual authentication, establishment of shared secret (NA,NB)

NSPK - Objectives
  • Responder correctly authenticated

If A believes she has authenticated B, and B is honest, then B believes he has authenticated A

  • Initiator correctly authenticated

If B believes he has authenticated A, and A is honest, then A believes she has authenticated B

  • Nonce secrecy

At the end of the protocol, if A and B are both honest (and in particular do not overtly reveal NA and NB to a third party) then (NA, NB) is a secret shared between A and B

Lowe’s Attack

Man-in-the-middle attack

Dishonest E tricks A into revealing B’s session key NB

Note: Attack purely based on protocol functionality, not crypto dependent

G. Lowe: An Attack on the Needham-Schroeder Public-Key Authentication Protocol, IPL 1995

Verification Approaches

Cryptographic analysis:

  • Protocol security reduced to number-theoretic assumptions

Model checking:

  • Build state transition graphs for some system instances and check as well as possible

Theorem proving:

  • Phrase problem as idealized mathematical problem (perfect crypto, other simplifications) and prove it

Process modelling approach:

  • Model system as communicating processes, use equational reasoning

Other: temporal logics, logics of knowledge and belief

Cryptographic Protocol Analysis

Security reduced to number-theoretic assumptions, e.g.:

  • Hardness of prime factorization
  • Diffie-Hellman: Hard to compute g^αβ given g^α and g^β, for α, β ∈ Zq random

Universally composable security [Canetti]

  • Replace subprotocols by idealized versions while preserving security

Successfully analyze complex protocols, e.g. [Wikström]

Analysis complex and highly error-prone

Computationally sound formal analysis

  • Cf. [Rogaway-Abadi], currently active area

R. Canetti: Universally Composable Security: A New Paradigm for Cryptographic Protocols. Proc. 42nd FOCS, 2001

D. Wikström: On the Security of Mix-Nets and Hierarchical Group Signatures. Ph.D. Thesis, KTH-CSC, 2005

M. Abadi, P. Rogaway: Reconciling Two Views of Cryptography, J. Cryptology, 2002

Model Checking

Idea: System modelled as communicating finite state machines

  • Bounded state spaces
  • Bounded state variable domains
  • Communication by shared state variables or message passing

Query as state reachability problem

  • Is ”bad” state reachable?

Automated state space traversal

  • Hashing: 1 bit per state suffices
  • Subject to probabilistic accuracy

Examples: SPIN, SMV, Murφ

Limitations of Finite State Methods

Everything must be fixed:

  • Number of participants
  • Participants behaviour

So no ”unknown” transitions, no open systems

  • Number of sessions
  • Message space

No encrypt(encrypt(...(encrypt(...)) ...))

  • Memory

Of honest party, of attacker, or communication channel

Really, this is ”just” very comprehensive simulation

Model Checking Security Protocols
  • Model protocol entities and network

Initiator and responder as fsa’s

Network as shared variable (SMV, Murφ)

- Or as bounded buffer (SPIN)

  • Model adversary

Typically one control state, bounded memory

- Intercept messages

- Store and recall messages

- Bounded generation of new messages, using

observed and initial data (typically: Public keys)

  • Determine ”bad” states and hope for termination

Example: J. Mitchell, V. Shmatikov, U. Stern: Finite-State Analysis of SSL 3.0, USENIX 1998
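The recipe on this slide (initiator and responder as finite automata, an intruder with bounded memory that intercepts, stores and re-sends, a search for "bad" states) as an added Python example that is not part of the slides. It models the three-message public-key Needham-Schroeder protocol ({NA,A}pk(B), {NA,NB}pk(A), {NB}pk(B)) with one initiator A, one responder B and a Dolev-Yao intruder E, and does a breadth-first search for a state in which E can derive NB while B believes it is talking to A. For the original protocol the search returns Lowe's man-in-the-middle trace; with Lowe's fix (B's identity added to message 2) the bounded model has no such state. The message encoding, the fixed nonce atoms NA/NB and the two-session bound are this example's own assumptions.

```python
"""Bounded model checking of the Needham-Schroeder public-key protocol.

Constructed example: one initiator A, one responder B, and a Dolev-Yao
intruder E who owns sk(E), knows every public key and controls the network.
Messages are tuples ("enc", key_owner, payload): a payload encrypted under
the public key of key_owner.  Nonces are the fixed atoms "NA" and "NB".
"""
import itertools
from collections import deque

AGENTS = ("A", "B", "E")


def analyze(know):
    """Dolev-Yao analysis: decrypt every ciphertext whose secret key is known,
    repeating until nothing new can be learned."""
    know = set(know)
    changed = True
    while changed:
        changed = False
        for t in list(know):
            if isinstance(t, tuple) and t[0] == "enc" and ("sk", t[1]) in know:
                for atom in t[2]:
                    if atom not in know:
                        know.add(atom)
                        changed = True
    return frozenset(know)


def candidates(know, owner, arity):
    """Messages E can deliver that look like {payload}pk(owner) with the given
    payload length: replayed ciphertexts plus ones E builds from known atoms
    (public keys are known to everyone, so E can always encrypt)."""
    out = {t for t in know if isinstance(t, tuple) and t[0] == "enc"
           and t[1] == owner and len(t[2]) == arity}
    atoms = [t for t in know if isinstance(t, str)]
    for payload in itertools.product(atoms, repeat=arity):
        out.add(("enc", owner, payload))
    return out


def step(state, fixed):
    """Successor states.  state = (peer A talks to, A's stage, B's stage,
    who B believes it talks to, intruder knowledge).  fixed=True adds B's
    identity to message 2 (Lowe's fix)."""
    peer, a_st, b_st, b_peer, know = state
    know = analyze(know)
    succ = []
    if a_st == 0:                              # 1. A -> peer: {NA, A}pk(peer)
        m = ("enc", peer, ("NA", "A"))
        succ.append((f"A -> {peer}: {m}", (peer, 1, b_st, b_peer, know | {m})))
    if a_st == 1:                              # 2. A <- {NA, nb[, peer]}pk(A)
        for m in candidates(know, "A", 3 if fixed else 2):
            p = m[2]
            if p[0] != "NA" or (fixed and p[2] != peer):
                continue                       # nonce or identity check fails
            r = ("enc", peer, (p[1],))         # 3. A -> peer: {nb}pk(peer)
            succ.append((f"E -> A: {m}; A -> {peer}: {r}",
                         (peer, 2, b_st, b_peer, know | {r})))
    if b_st == 0:                              # 1. B <- {na, a}pk(B)
        for m in candidates(know, "B", 2):
            na, a = m[2]
            if a not in AGENTS:
                continue
            r = ("enc", a, (na, "NB", "B") if fixed else (na, "NB"))
            succ.append((f"E -> B: {m}; B -> {a}: {r}",
                         (peer, a_st, 1, a, know | {r})))
    if b_st == 1 and ("enc", "B", ("NB",)) in candidates(know, "B", 1):
        succ.append(("E -> B: {NB}pk(B); B completes",
                     (peer, a_st, 2, b_peer, know)))
    return succ


def bad(state):
    """B intended NB for honest A, yet the intruder can derive it."""
    return state[3] == "A" and "NB" in analyze(state[4])


def find_attack(fixed):
    """Breadth-first search over both choices of A's peer; returns the shortest
    trace reaching a bad state, or None if the bounded model has none."""
    for peer in ("B", "E"):
        init = (peer, 0, 0, None, frozenset(AGENTS) | {("sk", "E")})
        queue, seen = deque([(init, [])]), {init}
        while queue:
            state, trace = queue.popleft()
            if bad(state):
                return trace
            for label, nxt in step(state, fixed):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, trace + [label]))
    return None


if __name__ == "__main__":
    print("original NSPK:", find_attack(fixed=False))
    print("with Lowe's fix:", find_attack(fixed=True))
```

The three-step trace the search returns is exactly the slide's man-in-the-middle: A opens a session with E, E re-encrypts A's first message for B, and A's final message to E hands over NB. Everything here is fixed in advance (two agents, one session each, two nonce atoms, payloads of at most three fields), which is the "just very comprehensive simulation" limitation of the next slide.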

Process-Oriented Models

Model ”real” and idealized system as concurrent processes

Ideal system: SPEC

Real system: IMPL

Observational congruence:


  • No observational difference between SPEC and IMPL
  • SPEC and IMPL are observationally ”the same”
  • Congruence:

SPEC ≈ IMPL implies C[SPEC] ≈ C[IMPL]

in any context C[-]

  • Even a hostile one ⇒ security for unknown attackers!

R. Milner: A Calculus of Communicating Processes, Prentice-Hall 1989

R. Milner, J. Parrow, D. Walker: A Calculus of Mobile Processes, I and II. Information and Computation 1992

Example: Applied Pi

Based on pi-calculus [Milner-Parrow-Walker-92]

Processes communicate by synchronous handshaking

Values = channel names

(νc): Declares new name c

1: A has local c, passes c to B

2: B receives c, spawns node C with link b, passes c on

3: C receives c, B forgets b and c

Applied Pi

Applied pi adds equational theory of names

Example: theory of pairs and asymmetric encryption

  • Operations: pair(-,-), fst(-), snd(-), pk(-), sk(-), dec(-,-), enc(-,-)
  • Equations:

fst(pair(x,y)) = x

snd(pair(x,y)) = y

dec(enc(x,pk(y)),sk(y)) = x

Generation of random keys and nonces: Use ν !!

Alice1(seedA,pkE) =


Alice2(seedA,pkE,NA) = ... etc ...

C. Fournet, M. Abadi: Mobile values, new names, and secure communication. Proc. POPL’01


ProVerif: Constraint-based tool developed by B. Blanchet

Successfully used for verification of complex protocols in applied pi

- Just Fast Keying – complex authentication protocol

- Protocol for certified email

Rationale for success:

- Very rudimentary control flow in protocols

- No branching on secrets

Remaining challenges:

- Multiple sessions/agents, richer control flow, cryptographic soundness

M. Abadi, B. Blanchet, C. Fournet. Just Fast Keying in the Pi Calculus. TISSEC’07

M. Abadi, B. Blanchet. Computer-Assisted Verification of a Protocol for Certified Email. Science of Computer Programming 2005

Epistemic Security Logics

Many security-related concepts are naturally phrased in terms of knowledge:

  • A should not know the secret data
  • B should know the value received is the value sent
  • B should know that C knows the value sent
  • D should know that E does not know the vote cast
  • F should not know that G and H share the secret x
  • ... etc. etc. ...

Epistemic logic: Formalization of the modality “A knows F”

A property of the agents’ state

M. Burrows, M. Abadi, R. M. Needham: A Logic of Authentication. ToCS, 1990

What Is Cryptographic Knowledge?

Not trivial

Standard accounts are cryptographically omniscient:

If x = enc(y,z) then A knows x = enc(y,z)

Ruins all cryptographic security !!

What Is Cryptographic Knowledge?

State: Assignment of terms to variables

x = enc(y,pk(z))   (accessible to A)

y = pair(0,1)      (not accessible to A)

z = c              (not accessible to A)

All operations and public constants are one-way computable

Different agents have access to different variables

A knows F in state s:

F holds at all global states s’ that A cannot distinguish from s

E.g.: A knows y = pair(0,1), ¬(A knows x ≠ enc(k,pk(c’)))


A cannot distinguish global states s, s’:

The same equations hold for A in s and s’

Static equivalence in applied pi

Computationally justified semantics for BAN logic

Complete axiomatization of validity

For some theories, cryptographic soundness through link to applied pi:

A knows F at s if and only if F holds at all states that are computationally indistinguishable from s in sense of cryptography

M. Cohen, M. Dam: Logical Omniscience in the Semantics of BAN Logic, Proc. FCS’05

M. Cohen, M. Dam: A Completeness Result for BAN Logic, Proc. M4M’05

M. Cohen, M. Dam: A Complete Axiomatization of Knowledge and Cryptography, Submitted
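The equational theory of the Applied Pi slide (pair/fst/snd, pk/sk/enc/dec with three equations) and the indistinguishability-based definition of knowledge on the slides above, as one added Python example that is not from the presentation. Terms are tuples, the three equations are oriented as rewrite rules and every other operation is one-way; A's view of a global state is the set of variables it can read plus the public constants 0 and 1; two states are indistinguishable for A (a bounded version of static equivalence) when every equality test between recipes over that view, up to nesting depth 2, has the same outcome in both; and A knows F at s when F holds at all candidate global states A cannot distinguish from s. The state s with x = enc(y,pk(z)), y = pair(0,1), z = c and the alternative ciphertext enc(k,pk(c')) come from the slide; the depth bound, the alternative state's hidden values, and the extra variable w holding sk(c) are this example's assumptions.

```python
"""Equational reasoning and cryptographic knowledge over an applied-pi style
term algebra.  Constructed example: names and constants are strings, terms
are tuples (op, arg1, ...).  The three equations of the slide are oriented
as rewrite rules; everything else is one-way."""
import itertools

PUBLIC = ["0", "1"]                    # constants everybody can write down
UNARY = ("fst", "snd", "pk", "sk")
BINARY = ("pair", "enc", "dec")


def normalize(t):
    """Rewrite innermost-first with fst(pair(x,y)) = x, snd(pair(x,y)) = y,
    dec(enc(x,pk(y)),sk(y)) = x.  Terms that match no rule stay as they are."""
    if not isinstance(t, tuple):
        return t
    op, *args = t
    args = [normalize(a) for a in args]
    a0 = args[0]
    if op == "fst" and isinstance(a0, tuple) and a0[0] == "pair":
        return a0[1]
    if op == "snd" and isinstance(a0, tuple) and a0[0] == "pair":
        return a0[2]
    if (op == "dec" and isinstance(a0, tuple) and a0[0] == "enc"
            and isinstance(a0[2], tuple) and a0[2][0] == "pk"
            and args[1] == ("sk", a0[2][1])):
        return a0[1]
    return (op, *args)


def evaluate(recipe, state):
    """Value of a recipe in a state: variables are looked up, constants stand
    for themselves, then the result is normalized."""
    if isinstance(recipe, str):
        return state.get(recipe, recipe)
    return normalize((recipe[0], *(evaluate(r, state) for r in recipe[1:])))


def recipes(atoms, depth):
    """All terms of nesting depth <= depth built from the given atoms."""
    layers = [list(atoms)]
    for _ in range(depth):
        prev = [r for layer in layers for r in layer]
        new = [(op, r) for op in UNARY for r in prev]
        new += [(op, r1, r2) for op in BINARY
                for r1, r2 in itertools.product(prev, prev)]
        layers.append(new)
    return [r for layer in layers for r in layer]


def indistinguishable(view, s1, s2, depth=2):
    """Bounded static equivalence: A (who can read the variables in `view`)
    cannot tell s1 from s2 iff two recipes over its view are equal in s1
    exactly when they are equal in s2.  Checked by comparing the partitions
    of recipes by value in the two states."""
    fwd, bwd = {}, {}
    for r in recipes(list(view) + PUBLIC, depth):
        v1, v2 = evaluate(r, s1), evaluate(r, s2)
        if fwd.setdefault(v1, v2) != v2 or bwd.setdefault(v2, v1) != v1:
            return False
    return True


def knows(view, fact, s, possible):
    """A knows `fact` at s iff it holds at every possible global state that
    A cannot distinguish from s."""
    return all(fact(t) for t in possible if indistinguishable(view, s, t))


# The slide's state s: A can read x only; y and z are hidden from A.
S = {"x": ("enc", ("pair", "0", "1"), ("pk", "c")), "y": ("pair", "0", "1"), "z": "c"}
# An alternative global state in which x is the slide's other ciphertext.
S_ALT = {"x": ("enc", "k", ("pk", "c'")), "y": "k", "z": "c'"}
# Same two states, but A additionally holds sk(c) in w (this example's assumption).
S_KEY = dict(S, w=("sk", "c"))
S_ALT_KEY = dict(S_ALT, w=("sk", "c"))


def y_is_pair(state):            # F: y = pair(0,1)
    return evaluate("y", state) == ("pair", "0", "1")


def x_not_other(state):          # F: x != enc(k, pk(c'))
    return evaluate("x", state) != ("enc", "k", ("pk", "c'"))


if __name__ == "__main__":
    print(indistinguishable(["x"], S, S_ALT))                        # True
    print(knows(["x"], x_not_other, S, [S, S_ALT]))                  # False
    print(knows(["x"], y_is_pair, S, [S, S_ALT]))                    # False
    print(knows(["x", "w"], y_is_pair, S_KEY, [S_KEY, S_ALT_KEY]))   # True
```

With only x in view, no recipe of depth 2 can build sk(c), so the ciphertext never decrypts and the two states partition recipes identically: A does not know x ≠ enc(k,pk(c')), the slide's example, nor that y = pair(0,1). Once sk(c) is readable through w, the test fst(dec(x,w)) = 0 succeeds in one state and gets stuck in the other, the states become distinguishable, and the knowledge claim goes through. The depth bound makes the check decidable but incomplete: a distinguishing test deeper than the bound would be missed, so a "True" from this checker is evidence within the bound, not a proof.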

State of the Field

Single-session, approximate analysis of industry-scale security protocols becoming feasible

- ”Static” protocols

- Limited control flow, no recursion, no concurrency

- Cf. Avispa project site

Cryptographic analysis remains complex and error-prone

Cryptographic soundness active research area

- May become feasible in limited applications

Main challenge, cf. ACCESS:

- Lifting analysis techniques to dynamic and concurrent


Survivable Systems

Testing, diagnosis, repair, of large scale distributed systems – how?

For given protocol, how to identify a faulty (random, byzantine) node?

How to neutralize a faulty node?

For which fault models?

Random faults?

Byzantine faults?

Relative to given attack goal?

Goal: Probabilistic guarantees for fault detection and elimination





Confidential Aggregation?

Example: Epidemic protocols

At round 0:

Local estimate = local value

At round n+1:

Neighbours exchange and average local estimates

Local value leaked at step 1

Or when local value changes

Is it possible to aggregate without leaking information?
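The epidemic averaging protocol of this slide and the leak at step 1, as an added Python simulation that is not part of the presentation. Five nodes on a ring start with the constructed local values below; in every round each node sends its current estimate to both neighbours and replaces it by the average of its own and the two received estimates. The estimates converge to the global mean, which is the aggregate wanted; but the messages of the first round are the raw local values, so each node learns its neighbours' inputs exactly. The ring topology, the node count and the values are this example's assumptions.

```python
"""Epidemic (gossip) averaging on a small ring, and the leak in its first round.

Constructed example: five nodes with the local values below; in every round
each node exchanges its estimate with both ring neighbours and replaces it
by the average of the three."""

VALUES = [4.0, 10.0, 1.0, 7.0, 3.0]   # constructed local values, one per node


def neighbours(i, n):
    """Ring neighbours of node i among n nodes."""
    return [(i - 1) % n, (i + 1) % n]


def run(values, rounds):
    """Returns (final estimates, message log).  The log records, per round,
    what every node sent to each neighbour: its current local estimate."""
    est = list(values)                    # round 0: local estimate = local value
    log = []
    for _ in range(rounds):
        sent = {(i, j): est[i]
                for i in range(len(est)) for j in neighbours(i, len(est))}
        log.append(sent)
        # round n+1: average own estimate with what the two neighbours sent
        est = [(est[i] + sum(sent[(j, i)] for j in neighbours(i, len(est)))) / 3
               for i in range(len(est))]
    return est, log


def leaked_to(observer, log):
    """What a node learns from round 1 alone: every value it received then is
    exactly the sender's local value, since no averaging has happened yet."""
    n = max(i for i, _ in log[0]) + 1
    return {j: log[0][(j, observer)] for j in neighbours(observer, n)}


def max_error(est, values):
    """Largest distance of any estimate from the true mean of the inputs."""
    mean = sum(values) / len(values)
    return max(abs(e - mean) for e in est)


if __name__ == "__main__":
    final, history = run(VALUES, 60)
    print("estimates after 60 rounds:", [round(e, 6) for e in final])
    print("node 0 learns from round 1:", leaked_to(0, history))
```

The averaging matrix of the ring with a self-loop is doubly stochastic and aperiodic, so every estimate converges to the mean; the convergence is what makes the protocol useful and the first-round message is what makes it leak.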