Using State Space Exploration and a Natural Deduction Style Message Derivation Engine to Verify Security Protocols

1
Using State Space Exploration and a Natural
Deduction Style Message Derivation Engine to
Verify Security Protocols

• By E. M. Clarke, et al.

Presented by Zhenxiao Yang
2
Outline

• Introduction
• Model Architecture
• Evaluation of the Model
• References

3
Introduction

• What are network protocols
• principals messages
• Why are we using FM to reason about protocols?
• Subtlety
• Criticality
• Main FM approaches being used
• Belief logics and automated deduction process
• Rigorous mathematical proof

4
Introduction contd

• Comparison between this paper and the paper Ali
  presented
• This paper focuses on the model itself, versus
  the specification logic
• This paper focuses on common security protocols,
  versus e-commerce protocols

5
Model Architecture
6
Assumptions

• Perfect Encryption Assumption
• Crypto-techniques are unbreakable
• Atomic Key Assumption
• Keys are atomic messages
• Open Network Assumption
• The adversary controls the network

7
Interesting Security Properties

• Secrecy
• Secret messages should never be exposed to the
  adversary
• Correspondence
• iff X event is preceded by a Y event
• Scenario
• if A has successfully finished a authentication
  protocol run with B, then B has at least started
  the protocols run.

8
Interesting Security Properties contd

• Correspondence contd
• A way to check correspondence
• in the event sequence, the number of X should
  never exceed the number of Y
• Use a counter to indicate violation of
  correspondence property

9
Messages

• Atomic Messages
• Keys
• Principal names
• Nonces
• Data

10
Messages contd

• Message Composition
• Concatenation
• Encryption decryption
• Formal Representation

A is the space of atomic messages M is the set
of all messages
11
Messages contd

• Message Derivation Rules

is initial set of information
12
State Machines

• Model of honest principals
• Model of the adversary
• Model of global states

13
Honest Agents

• Each honest agent is modeled as a triple
• ltN, p, Bgt
• N is the name of the principal
• P is a process

14
The adversary

• The adversary is modeled as a pair ltZ, Igt
• Z is the name of the adversary
• I is a set of messages

15
Global State Model

• The global state is a triple lt?, C, Sgt

16
Search Algorithms

• What to search?
• Search for secrets in the set of messages the
  intruder can generate (secrecy)
• When to search
• After each SEND action of an honest agent
  (secrecy)
• How to Search
• Message derivations

17
Message Derivation

• Derivation rules for messages

18
Message Derivation contd

• Concepts
• minor premise a key in a inference rule
• major premise any other premise
• maximum message conclusion of the introduction
  rule, or major premise of the elimination rules
• normalized derivation tree a derivation tree
  that contains no maximum message

19
Example Derivation Trees
Example Derivation Tree of
20
Theorems

• Theorem 1 Any derivation tree T for m depending
  on assumptions A can be transformed into a
  normalized derivation tree T for m depending on
  the same assumptions A
• Theorem 2 No introduction rule appears above an
  elimination rule in a normalized derivation tree
• Theorem 3 m can be derived from I iff m can be
  derived from I
• I is the knowledge of the adversary
• I is the closure of I under all elimination
  rules
• Proves the correctness and decidability of the
  algorithm

21
Algorithm Implementation
22
Algorithm Implementation contd
Augmenting the adversarys knowledge
23
Algorithm Implementation contd

• Searching the adversarys knowledge

24
The Model is Finite

• A run of the a protocol
• is some interleaving actions from a set of
  participants and from the adversary.
• The length of each run is finite
• we only consider a small number of runs.
• A trace
• is the interleaving of one or more runs.
• Each trace is finite as well.
• We only consider a finite number of traces

25
Model Evaluation

• The model is intuitive and practical
• The model is finite and correct
• Translation process is tedious
• Efficiency is also a problem

26
References

• 1E. Clarke, S. Jha, and W. Marrero. Using state
  space exploration and a natural deduction style
  message derivation engine to verify security
  protocols. In Proceedings of the IFIP Working
  Conference on Programming Concepts and Methods
  (PROCOMET), 1998.
• 2Michael Burrows, Martin Abadi, and Roger
  Needham. A logic of authentica- tion, from
  proceedings of the royal society, volume 426,
  number 1871, 1989. In William Stallings, editor,
  Practical Cryptography for Data Internetworks.
  IEEE Computer Society Press, 1996.

27
Questions and Answers

• Why use FM to reason about security protocols,
  what are the major methods used?
• See slide 3
• Structure of the model, why is it finite and
  correct?
• Model structure slide 5
• Finiteness slide 24
• Correctness slide 20
• Strengths and weaknesses
• See slide 25