Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works

pages

English

Documents

Écrit par
Miriam Paiola

Publié par
pefav

Lire un extrait

Obtenez un accès à la bibliothèque pour le consulter en ligne En savoir plus

Découvre YouScribe et accède à tout notre catalogue !

Je m'inscris

Découvre YouScribe et accède à tout notre catalogue !

Je m'inscris

pages

English

Documents

Lire un extrait

Obtenez un accès à la bibliothèque pour le consulter en ligne En savoir plus

Publié par

pefav

Nombre de lectures

Langue

English

Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Extending ProVerif's Resolution Algorithm for Verifying Group Protocols Miriam Paiola Ecole Normale Superieure June 25, 2010 Extending ProVerif's Resolution Algorithm, for Verifying Group Protocols 1 / 24

horn clauses

protocols generalized

introduction group

considering cryptographic

cryptographic protocols

protocols

clauses syntax

horn clause

Voir

Publié par

pefav

Langue

English

IEnxttreondduicntgoinrPVorefis’rGuoprPtooocsleGenarilezdoHnrlCuaesseRosulitnolaogirhtmoCcnulisoExtendingProVerif’sResolutionAlgorithm
forVerifyingGroupProtocols

eRosulitnolAogirht,mofreViryfnigGMiriamPaiola
miriam.paiola@ens.fr

EcoleNormaleSupe´rieure

orpuPJune25,2010

orotocslsnnaduFtrehrowr1sk/42
nIrtoudtcoinContents

xEetdnnigrGuoprPtooocsleGenarilezdoHnrlCuaess1
Introduction
RepresentationwithHornclauses
Resolution

2
GroupProtocols

3
GeneralizedHornClauses
Syntax

eR4
Resolutionalgorithm
ExtensionofthedeﬁnitionofResolution
RelationwithHornclauses
TheAlgorithm

5
ConclusionsandFurtherworks

rPVorefis’eRosulitnolAogirht,mofreViryfnigrGuoprPtooocslosulitnolaogirhtmoCcnulisnosnaduFtrehrowr2sk/42
nIrtoudtcoinrGuoprPtooocsleGenarilezdoHnrlCuaesseRosulitnolaogirhtmCryptographicprotocolsandtheirVeriﬁcation

xEetdnnigrPVorefioCcnulisnosnaduFtrhCryptographicprotocolsareprotocolsthatperformasecurity-related
functionandapplycryptographicmethods.

Theconﬁdenceintheseprotocolscanbeincreasedbyaformal
analysisinordertoverifysecuritypropertiesconsidering
cryptographicprimitivesasblackboxes.

Foranunboundednumberofsessions

undecidability.

Groupprotocolsareprotocolsthatinvolveanunboundednumberof
participants

thenumberofstepsandtheformofmessages
dependonthenumberofparticipants.

s’eRosulitnolAogirht,mofreViryfnigrGuoprPtooocslreowr3sk/42
fireVorPfoweivrevOskrowrehtruFdnasnoisulcnoCmhtiroglanoituloseRsesualCnroHdezilareneGslocotorPpuorGnoitcudortnIHornclauses

Derivabilityqueries

Automatictranslator

Resolutionwithselection

Protocol:
Picalculus+cryptography

Propertiestoprove:
secrecy,authentication,...

Potentialattack

Thepropertyistrue

42/4slocotorPpuorGgniyfireVrof,mhtiroglAnoituloseRs’fireVorPgnidnetxE
42/5slocotorPpuoA
→
B
:
pencrypt
(
sign
(
k
,
sk
A
[])
,
pk
(
sk
B
[]))
B
→
A
:
sencrypt
(
s
,
k
)

rMessage1
Message2

GRepresentationwithHornclauses
Example
Denning-Sacco

gniyfireVrof,mhtiroglAnoituloseRs’fireVorPgnidnetxE))y,s(tpyrcnes(rekcatta⇒)))][Bks(kp,)][Aks,y(ngis(tpyrcnep(rekcatta))x(kp,)][Aks,])x(kp[k(ngis(tpyrcnep(rekcatta⇒))x(kp(rekcattaskrowrehtruFdnasnoisulcnoCmhtiroglanoituloseRsesualCnroHdezilareneGslocotorPpuorGnoitcudortnI
p(rekcattaskrowrehtruFdnasnoisulcnoCmhtiroglanoituloseRsesualCnroHdezilareneGslocotorPpuorGnoitcudortnIA
→
B
:
pencrypt
(
sign
(
k
,
sk
A
[])
,
pk
(
sk
B
[]
))
B
→
A
:
sencrypt
(
s
,
k
)

Message1
Message2

RepresentationwithHornclauses
Example
Denning-Sacco

42/5slocotorPpuorGgniyfireVrof,mhtiroglAnoituloseRs’fireVorPgnidnetxE))y,s(tpyrcnes(rekcatta⇒)))][Bks(kp,)][Aks,y(ngis(tpyrcnep(rekcatta))x(kp,)][Aks,])x(kp[k(ngis(tpyrcnep(rekcatta⇒))x(k
42/5slocotorPpuorGgniyfireVrof,mhtiroglAnoituloseRs’fireVorPgA
→
B
:
pencrypt
(
sign
(
k
,
sk
A
[])
,
pk
(
x
))
B
→
A
:
sencrypt
(
s
,
k
)

nMessage1
Message2

iRepresentationwithHornclauses
Example
Denning-Sacco

dnetxE))y,s(tpyrcnes(rekcatta⇒)))][Bks(kp,)][Aks,y(ngis(tpyrcnep(rekcatta))x(kp,)][Aks,])x(kp[k(ngis(tpyrcnep(rekcatta⇒))x(kp(rekcattaskrowrehtruFdnasnoisulcnoCmhtiroglanoituloseRsesualCnroHdezilareneGslocotorPpuorGnoitcudortnI
skrowrehtruFdnasnoisulcnoCmhtiroglanoituloseRsesualCnroHdezilareneGslocotorPpuorGnoitcudortnIA
→
B
:
pencrypt
(
sign
(
k
,
sk
A
[])
,
pk
(
x
))
B
→
A
:
sencrypt
(
s
,
k
)

Message1
Message2

RepresentationwithHornclauses
Example
Denning-Sacco

42/5slocotorPpuorGgniyfireVrof,mhtiroglAnoituloseRs’fireVorPgnidnetxE))y,s(tpyrcnes(rekcatta⇒)))][Bks(kp,)][Aks,y(ngis(tpyrcnep(rekcatta))x(kp,)][Aks,])x(kp[k(ngis(tpyrcnep(rekcatta⇒))x(kp(rekcatta
42/5slocotorPpuorGgniyfireVrof,mhtiroglAnoituloseRs’fireVorPgnidnetxE))y,s(tpyrcnes(rekcatta⇒)))][Bks(kp,)][A

AA
→
B
:
pencrypt
(
sign
(
B
→
A
:
sencrypt
(
s
,
k
)

kMessage1
Message2

sRepresentationwithHornclauses
Example
Denning-Sacco

,y(ngis(tpyrcnep(rekcatta))x(kp,)][Aks,])x(kp[k(ngis(tpyrcnep(rekcatta⇒))x(kp(rekcatta))x(kp,)][ks,])x(kp[kskrowrehtruFdnasnoisulcnoCmhtiroglanoituloseRsesualCnroHdezilareneGslocotorPpuorGnoitcudortnI
skrowrehtruFdnasnoisulcnoCmhtiroglanoituloseRsesualCnroHdezilareneGslocotorPpuorGnoitcudortnIattacker(
pk
(
x
))
⇒

Message1
Message2

A
→
B
:
pencrypt
(
sign
(
k
[
pk
(
x
)]
,
sk
A
[])
,
pk
(
x
))
B
→
A
:
sencrypt
(
s
,
k
)

RepresentationwithHornclauses
Example
Denning-Sacco

42/5slocotorPpuorGgniyfireVrof,mhtiroglAnoituloseRs’fireVorPgnidnetxE))y,s(tpyrcnes(rekcatta⇒)))][Bks(kp,)][Aks,y(ngis(tpyrcnep(rekcatta))x(kp,)][ks,])x(kp[k(ngis(tpyrcnep(rekcatta

Voir