Formal Analysis of Network Security Authentication Protocols: Lecture Notes
Formal methods: a combination of a mathematical or logical model of a system and its requirements, together with an effective procedure for determining whether a proof that the system satisfies its requirements is correct.
Notation
(3) Derivation (⊦, Dolev-Yao model)
m ∈ B ⇒ B ⊦ m
B ⊦ m ∧ B ⊦ m’ ⇒ B ⊦ m • m’ (pairing)
B ⊦ m • m’ ⇒ B ⊦ m ∧ B ⊦ m’ (projection)
B ⊦ m ∧ B ⊦ k ⇒ B ⊦ {m}k (encryption)
B ⊦ {m}k ∧ B ⊦ k⁻¹ ⇒ B ⊦ m (decryption)
25.01.2021
The 20th National Computer Security Academic Exchange Conference
Notation
(4) Properties
Lemma 1. B ⊦ m ∧ B ⊆ B’ ⇒ B’ ⊦ m
Lemma 2. B ⊦ m’ ∧ B ∪ {m’} ⊦ m ⇒ B ⊦ m
Lemma 3. B ⊦ m ∧ X ⊑ m ∧ B ⊬ X ⇒ (Y: Y ∈ sub-msgs(m) :
Logic of Algorithmic Knowledge
Definition 1. Primitive propositions P0s for security:
p, q ∈ P0s ::=
  send_i(m)   Principal i sent message m
  recv_i(m)   Principal i received message m
  has_i(m)    Principal i has message m
- Messages meant for a principal cannot be read/accessed by others (secrecy);
- Guarantee genuineness of the sender of the message (authenticity);
- Integrity;
- Non-Repudiation (NRO, NRR);
- Fairness, etc.
ISCAS, LOIS, …(in China)
Notation
(1) Messages
a ∈ Atom ::= C | N | k |
m ∈ Msg ::= a | m • m | {m}k
(2) Contain Relationship (⊑)
Introduction
Cryptographic protocols are protocols that use cryptography to distribute keys and authenticate principals and data over a network.
m ⊑ a ≜ m = a
m ⊑ m1 • m2 ≜ m = m1 • m2 ∨ m ⊑ m1 ∨ m ⊑ m2
m ⊑ {m1}k ≜ m = {m1}k ∨ m ⊑ m1
Submessage: sub-msgs(m) ≜ {m’ ∈ Msg | m’ ⊑ m }
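The derivation relation ⊦ and the sub-msgs set from the notation slides, worked through as an added Python example (not part of the original lecture notes). It relies on keys being atomic, as in the message grammar; atoms as strings, the pkX/skX naming for inverse key pairs, and SAMPLE are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Pair:                      # m • m'
    left: object
    right: object

@dataclass(frozen=True)
class Enc:                       # {m}k, with k an atomic key
    body: object
    key: str

def inv(k):
    """k⁻¹ (assumed naming): pkX and skX are inverses, other keys symmetric."""
    return {"pk": "sk", "sk": "pk"}.get(k[:2], k[:2]) + k[2:]

def sub_msgs(m):
    """sub-msgs(m) = {m' | m' ⊑ m}; the key of {m}k is not a submessage."""
    out = {m}
    if isinstance(m, Pair):
        out |= sub_msgs(m.left) | sub_msgs(m.right)
    elif isinstance(m, Enc):
        out |= sub_msgs(m.body)
    return out

def analyze(B):
    """Close B under projection and decryption until a fixpoint is reached."""
    known = set(B)
    while True:
        new = {p for m in known if isinstance(m, Pair) for p in (m.left, m.right)}
        new |= {m.body for m in known if isinstance(m, Enc) and inv(m.key) in known}
        if new <= known:
            return known
        known |= new

def derives(B, m, known=None):
    """Decide B ⊦ m: analyze B once, then build m by pairing and encryption."""
    known = analyze(B) if known is None else known
    if m in known:
        return True
    if not isinstance(m, (Pair, Enc)):
        return False             # an atom the intruder cannot obtain
    parts = (m.left, m.right) if isinstance(m, Pair) else (m.body, m.key)
    return all(derives(B, p, known) for p in parts)

# Constructed intruder knowledge: two intercepted ciphertexts plus own keys.
SAMPLE = {Enc(Pair("A", "Na"), "pkI"), Enc("Nb", "pkA"), "skI", "pkB"}
```

With SAMPLE, the intruder derives Na and can re-encrypt it under pkB, while Nb stays underivable until skA joins the knowledge set, which is Lemma 1 (monotonicity) in action.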
- Interrogator (Millen); Brutus (Marrero)
- SPIN (Holzmann)
- theorem prover based methods (NRL, Meadows)
- methods based on state machine model and theorem prover (Athena, Dawn)
- Type checking
X ⊑ Y ∧ B ⊦ Y) ∧ (b: b ∈ B : Y ⊑ b) ∧ (Z, k: Z ∈ Msg ∧ k ∈ Key : Y = {Z}k ∧ B ⊬ k⁻¹)
Lemma 4. (k, b: k ∈ Key ∧ b ∈ B : k ⊑ b ∧ A ⊬ k ∧ A ∪ B ⊦ k) ∨ (z: z ∈ sub-msgs(x) : a ⊑ z ∧ A ⊦ z) ∨ (b: b ∈ B : a ⊑ b ∧ A ⊬ a)
Related Work
Techniques of verifying security properties of the cryptographic protocols can be broadly categorized:
- methods based on belief logics (BAN Logic)
- π-calculus based models
- state machine models (Model Checking)
Organization
- Introduction
- Related Work
- Formal System
- Notation
- Intruder's Algorithmic Knowledge Logic
- Verification Using SPIN/Promela
- Conclusion
Model; Requirement (Specification);
Verification.
Introduction (cont.)
In cryptographic protocols, it is crucial to ensure:
Model checking advantages (compared with theorem proving): automatic; produces a counterexample if a property is violated
Use LTL (linear temporal logic) to specify properties
FDR (Lowe); Murφ (Mitchell);