CSG 399 Lecture. The Inductive Approach to Protocol Analysis p.1



Similar documents
Verifying security protocols using theorem provers

Formal Methods in Security Protocols Analysis

Electronic Voting Protocol Analysis with the Inductive Method

Computational Soundness of Symbolic Security and Implicit Complexity

Public Key Encryption Protocols And Their Models

SECTION 10-2 Mathematical Induction

Adversary Modelling 1

I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

Discovering Attacks on Security Protocols by Refuting Incorrect Inductive Conjectures

Towards a Metalogic for Security Protocol Analysis

Specification and Analysis of Contracts Lecture 1 Introduction

Regular Languages and Finite State Machines

Authenticity by Typing for Security Protocols

Inductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting

1. Prove that the empty set is a subset of every set.

The Model Checker SPIN

CHAPTER 7 GENERAL PROOF SYSTEMS

MATH10212 Linear Algebra. Systems of Linear Equations. Definition. An n-dimensional vector is a row or a column of n numbers (or letters): a 1.

Online Supplement for Maximizing throughput in zero-buffer tandem lines with dedicated and flexible servers by Mohammad H. Yarmand and Douglas G.

Deterministic Finite Automata

INCIDENCE-BETWEENNESS GEOMETRY

SOLUTIONS TO ASSIGNMENT 1 MATH 576

C H A P T E R Regular Expressions regular expression

Formal Verification of Software

CS 103X: Discrete Structures Homework Assignment 3 Solutions

How to Formally Model Features of Network Security Protocols

Mathematics for Computer Science/Software Engineering. Notes for the course MSM1F3 Dr. R. A. Wilson

The Software Development Process

Full and Complete Binary Trees

Investigating a File Transfer Protocol Using CSP and B

Factorization in Polynomial Rings

Cost Model: Work, Span and Parallelism. 1 The RAM model for sequential computation:

The Halting Problem is Undecidable

HOMEWORK 5 SOLUTIONS. n!f n (1) lim. ln x n! + xn x. 1 = G n 1 (x). (2) k + 1 n. (n 1)!

Simulation-Based Security with Inexhaustible Interactive Turing Machines

Lecture 11: Tail Recursion; Continuations

Section 13.5 Equations of Lines and Planes

Model Checking: An Introduction

The Heat Equation. Lectures INF2320 p. 1/88

Linear Algebra. A vector space (over R) is an ordered quadruple. such that V is a set; 0 V ; and the following eight axioms hold:

6.2 Permutations continued

MA651 Topology. Lecture 6. Separation Axioms.

Systems of Linear Equations

24 Uses of Turing Machines

1 Sets and Set Notation.

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm.

Turing Machines: An Introduction

Model Checking of Software

Winter Camp 2011 Polynomials Alexander Remorov. Polynomials. Alexander Remorov

A Framework for the Semantics of Behavioral Contracts

Kevin James. MTHSC 412 Section 2.4 Prime Factors and Greatest Comm

Formal Methods for Software Development

3. Mathematical Induction

APPLYING FORMAL METHODS TO CRYPTOGRAPHIC PROTOCOL ANALYSIS: EMERGING ISSUES AND TRENDS

Semantics and Verification of Software

Basic Concepts of Point Set Topology Notes for OU course Math 4853 Spring 2011

Section 4.2: The Division Algorithm and Greatest Common Divisors

TAKE-AWAY GAMES. ALLEN J. SCHWENK California Institute of Technology, Pasadena, California INTRODUCTION

This chapter is all about cardinality of sets. At first this looks like a

Security Analysis of (Un-) Fair Non-repudiation Protocols

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

Modern Algebra Lecture Notes: Rings and fields set 4 (Revision 2)

Lecture 14: Section 3.3

Fixed-Point Logics and Computation

Discrete Mathematics and Probability Theory Fall 2009 Satish Rao, David Tse Note 2

Continued Fractions. Darren C. Collins

Proseminar on Semantic Theory Fall 2013 Ling 720. Problem Set on the Formal Preliminaries : Answers and Notes

The Prime Numbers. Definition. A prime number is a positive integer with exactly two positive divisors.

Automata and Formal Languages

Notes from Week 1: Algorithms for sequential prediction

Introduction to Automata Theory. Reading: Chapter 1

MATH 304 Linear Algebra Lecture 9: Subspaces of vector spaces (continued). Span. Spanning set.

Extending Semantic Resolution via Automated Model Building: applications

Computer Security. Programming Language Methods in Computer Security. Plan. Orientation. Part I. Personal POPL timeline. How did I get here?

Mathematical Induction

Verifying Specifications with Proof Scores in CafeOBJ

A Propositional Dynamic Logic for CCS Programs

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z

How to prove security of communication protocols?

CUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631

Algebraic Structures II

Turing Degrees and Definability of the Jump. Theodore A. Slaman. University of California, Berkeley. CJuly, 2005

Verifying the SET Purchase Protocols

The Course.

Model Checking II Temporal Logic Model Checking

1 Construction of CCA-secure encryption

Diagonalization. Ahto Buldas. Lecture 3 of Complexity Theory October 8, Slides based on S.Aurora, B.Barak. Complexity Theory: A Modern Approach.

Sample Problems cos 2 x = tan2 x tan 2 = csc 2 tan sec x + tan x = cos x sin 4 x cos 4 x = 1 2 cos 2 x

Transcription:

The Inductive Approach to Protocol Analysis CSG 399 Lecture The Inductive Approach to Protocol Analysis p.1

Last Time CSP approach: Model system as a CSP process A specification is a property of traces Often, can be represented as a process Spec Message secrecy Correspondence assertion (see notes) Checking a specification: Spec P Every trace of P is a trace of Spec The Inductive Approach to Protocol Analysis p.2

Advantages There are well-developped techniques for establishing by hand Mechanical proof rules There are tools to automatically establish FDR: a commercial model-checker Requires some conditions on Spec and P to terminate There are even tools to automatically create CSP processes from protocols Casper Question: can we do the same without requiring CSP? The Inductive Approach to Protocol Analysis p.3

Paulson s Approach Larry Paulson advocates a simple approach: A protocol in a context describes a set of traces These traces are defined inductively A specification is again a property of traces Checking requires proving that all the traces satisfy the property By induction on the construction of the traces Main point: these proofs are big, uninteresting, and better left to machines Use a theorem prover to write the proofs The Inductive Approach to Protocol Analysis p.4

Inductively Defined Sets A set S is inductively defined by a set X and (guarded) operations (f 1, P 1 ), (f 2, P 2 ),... if S is the smallest set satisfying (i) X S (ii) For every guarded operation (f i, P i ), if x S and P i (x) is true, then f i (x) S Smallest S is contained in every other set satisfying (i) (ii) The Inductive Approach to Protocol Analysis p.5

Example The natural numbers are inductively defined by {0} and the operation +1 (no need for guard) I.e., N is the smallest set such that (i) 0 N (ii) If x N, then x + 1 N. The Inductive Approach to Protocol Analysis p.6

Induction Principle Theorem: Let S be inductively defined by X and (f 1, P 1 ), (f 2, P 2 ),..., and let Q be a property of elements of S. If (i) Q(x) is true for every x X (ii) For every (f i, P i ): whenever Q(x) is true for x S with P i (x), then Q(f i (x)) is true Then Q(x) is true for every x S Special case: natural numbers induction The Inductive Approach to Protocol Analysis p.7

Traces A trace is a finite sequence of events Says A B M Notes A M We concentrate on the first kind of event Thus a trace is just a finite sequence describing who sends a message to who. Traces do not record whether messages are received Cannot distinguish message no received from message received but never acted upon The Inductive Approach to Protocol Analysis p.8

Protocols Generate Traces Let Agents be a set of agents. Paulson s approach assumes that: Agents can participate in an arbitrary number of concurrent protocol interactions Agents can play any role in any such interaction Agents have an initial state initstate A We can associate a set of traces to the agents running a protocol The set of traces of a protocol will be an inductively defined set (In fact, everything will be inductively defined) The Inductive Approach to Protocol Analysis p.9

Needham-Schroeder Recall the Needham-Schroeder protocol: A B :{A, n A } kb B A :{n A, n B } ka A B :{n B } kb We assume public keys k A known for each agent. The Inductive Approach to Protocol Analysis p.10

Traces of Needham-Schroeder I Define the set T inductively The empty trace: is in T Can start an interaction: If t is in T A B n A used t Then t Says A B {A, n A } kb is in T The Inductive Approach to Protocol Analysis p.11

Traces of Needham-Schroeder II Can continue an interaction: If t is in T A B n B used t Says A B {A, n A } kb t Then t Says B A {n A, n B } ka is in T The Inductive Approach to Protocol Analysis p.12

Traces of Needham-Schroeder III Can continue an interaction: If t is in T Says A B {A, n A } kb t Says B A {n A, n B } ka t Then t Says A B {n B } kb is in T The Inductive Approach to Protocol Analysis p.13

Set parts H What about the set used t, the set of values used in a trace? We need to give an inductive definition First consider the set parts H that returns the parts of all messages in H. It is inductively defined by H parts H If (x, y) parts H then x parts H If (x, y) parts H then y parts H If {M} k parts H then M parts H The Inductive Approach to Protocol Analysis p.14

Set used t Straightforward definition: used = B parts (initstate B) used t Says A B M = (parts {M}) (used t) This does not look like an inductively defined set... But it can be put in that form... Consider (x, t) used... The Inductive Approach to Protocol Analysis p.15

Adversary The adversary is called Spy in Paulson s paper To account for the adversary, we only need to add one rule to the inductive definition of the traces of a protocol: If Then t is in T M known t B Spy t Says Spy B M is in T The Inductive Approach to Protocol Analysis p.16

Set known t The set of messages known to the adversary in trace t Definition: known t = synth (analz (spies t)) where spies t: set of messages the adversary has intercepted in t analz H: set of messages the adversary can extract from the messages in H synth H: set of messages the adversary can synthesize from messages in H The Inductive Approach to Protocol Analysis p.17

Set synth H Messages the adversary can synthesize from messages in H Inductively defined: Agents synth H H synth H If x synth H and y synth H then (x, y) synth H If x synth H and k H then {x} k synth H The Inductive Approach to Protocol Analysis p.18

Set analz H Messages the adversary can extract from the messages in H Inductively defined: H analz H If (x, y) analz H then x analz H If (x, y) analz H then y analz H If {x} k analz H and k 1 analz H then x analz H The Inductive Approach to Protocol Analysis p.19

Set spies t Messages the adversary can intercept in t Straightforward definition: spies = initstate Spy spies t Says A B M = {M} (spies t) Again, this can be made into a properly inductively defined set The Inductive Approach to Protocol Analysis p.20

So? So now, given a protocol, a set of agents, and an adversary: We have an inductively defined set of traces T Finitary description of an infinite set of traces How do you establish that something is true of all traces? By applying the induction principle corresponding to T If a property is true of a trace and remains true if you add an event to the trace according to the protocol, then the property is true of all traces corresponding to the protocol The Inductive Approach to Protocol Analysis p.21

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information