网络安全认证协议形式化分析.ppt

《网络安全认证协议形式化分析.ppt》由会员分享，可在线阅读，更多相关《网络安全认证协议形式化分析.ppt（24页珍藏版）》请在三一办公上搜索。

1、网络安全认证协议形式化分析,肖 美 华南昌大学信息工程学院(南昌,330029)中国科学院软件研究所计算机科学重点实验室(北京,100080),2023/6/23,第二十次全国计算机安全学术交流会,2,Organization,IntroductionRelated WorkFormal System NotationIntruders Algorithmic Knowledge LogicVerification Using SPIN/PromelaConclusion,2023/6/23,第二十次全国计算机安全学术交流会,3,Introduction,Cryptographic proto

2、cols are protocols that use cryptography to distribute keys and authenticate principals and data over a network.Formal methods,a combination of a mathematical or logical model of a system and its requirements,together with an effective procedure for determining whether a proof that a system satisfie

3、s its requirements is correct.Model;Requirement(Specification);Verification.,2023/6/23,第二十次全国计算机安全学术交流会,4,Introduction(cont.),In cryptographic protocols,it is very crucial to ensure:Messages meant for a principal cannot be read/accessed by others(secrecy);Guarantee genuineness of the sender of the m

4、essage(authenticity);Integrity;Non-Repudiation(NRO,NRR);Fairness,etc.,2023/6/23,第二十次全国计算机安全学术交流会,5,Related Work,Techniques of verifying security properties of the cryptographic protocols can be broadly categorized:methods based on belief logics(BAN Logic)-calculus based models state machine models(M

5、odel Checking)Model checking advantages(compare with theory proving):automatic;counterexample if violation Use LTL(Linear temporal logic)to specify properties FDR(Lowe);Mur(Mitchell);Interrogator(Millen);Brutus(Marrero)SPIN(Hollzmann)theorem prover based methods(NRL,Meadows)methods based on state ma

6、chine model and theorem prover(Athena,Dawn)Type checkingISCAS,LOIS,(in China),2023/6/23,第二十次全国计算机安全学术交流会,6,Notation,(1)Messages a Atom:=C|N|k|m Msg:=a|m m|mk(2)Contain Relationship()m a m=a m m1 m2 m=m1 m2 m m1 m m2 m m1k m=m1k m m1 Submessage:sub-msgs(m)m Msg|m m,2023/6/23,第二十次全国计算机安全学术交流会,7,Notati

7、on,(3)Derivation(,Dolev-Yao model)m B B m B m B m B m m(pairing)B m m B m B m(projection)B m B k B mk(encryption)B mk B k-1 B m(decryption),2023/6/23,第二十次全国计算机安全学术交流会,8,Notation,(4)Properties Lemma 1.B m B B B m Lemma 2.B m B m m B m Lemma 3.B m X m B X（Y:Y sub-msgs(m):X Y B Y）（b:b B:Y b）（Z,k:Z Msg

8、k Key:Y=Zk B k-1）Lemma 4.（k,b:k Key b B:k b A k AB k）（z:z sub-msgs(x):a z A z）(b:b B:a b A a）,2023/6/23,第二十次全国计算机安全学术交流会,9,Logic of Algorithmic Knowledge,Definition 1.Primitive propositions P0s for security:p,q P0s:=sendi(m)Principal i sent message m recvi(m)Principal i received message m hasi(m)Pri

9、ncipal i has message m,2023/6/23,第二十次全国计算机安全学术交流会,10,Logic of Algorithmic Knowledge,Definition 2.An interpreted security system S=(R,R),where R is a system for security protocols,and R is the following interpretation of the primitive propositions in R.R(r,m)(sendi(m)=true iff j such that send(j,m)ri

10、(m)R(r,m)(recvi(m)=true iff recv(m)ri(m)R(r,m)(hasi(m)=true iff m such that m m and recv(m)ri(m),2023/6/23,第二十次全国计算机安全学术交流会,11,Logic of Algorithmic Knowledge,Definition 3.An interpreted algorithmic security system(R,R,A1,A2,An),where R is a security system,and R is the interpretation in R,Ai is a kn

11、owledge algorithm for principal i.,2023/6/23,第二十次全国计算机安全学术交流会,12,Algorithm knowledge logic,AiDY(hasi(m),l)K=keyof(l)for each recv(m)in l do if submsg(m,m,K)then return“Yes”return“No”submsg(m,m,K)if m=m then return true if m is m1k and k-1 K then return submsg(m,m1,K)if m is m1.m2 then return submsg(

12、m,m1,K)submsg(m,m2,K)return false,2023/6/23,第二十次全国计算机安全学术交流会,13,Cont.,getkeys(m,K)if m Key then return m if m is m1k and k-1 K then return getkeys(m1,K)if m is m1.m2 then return getkeys(m1,K)getkeys(m2,K)return keysof(l)K initkeys(l)loop until no change in K k getkeys(m,K)(when recv(m)l)return K,202

13、3/6/23,第二十次全国计算机安全学术交流会,14,Verification Using SPIN/Promela,SPIN is a highly successful and widely used software model-checking system based on formal methods from Computer Science.It has made advanced theoretical verification methods applicable to large and highly complex software systems.In April 2

14、002 the tool was awarded the prestigious System Software Award for 2001 by the ACM.SPIN uses a high level language to specify systems descriptions,including protocols,called Promela(PROcess MEta LAnguage).,2023/6/23,第二十次全国计算机安全学术交流会,15,BAN-Yahalom Protocol,1 AB:A,Na 2 BS:B,Nb,A,NaKbs 3 SA:Nb,B,Kab,N

15、aKas,A,Kab,NbKbs 4 AB:A,Kab,NbKbs,NbKab,2023/6/23,第二十次全国计算机安全学术交流会,16,Attack 1(intruder impersonates Bob to Alice),.1 AI(B):A,Na.1 I(B)A:B,Na.2 AI(S):A,Na,B,NaKas.2 I(A)S:A,Na,B,NaKas.3 SI(B):Na,A,Kab,NaKas,B,Kab,NaKbs.3 I(S)A:Ne,B,Kab,NaKas,A,Kab,NaKbs.4 AI(B):A,Kab,NbKbs,NeKab,2023/6/23,第二十次全国计算机安

16、全学术交流会,17,Attack 2(intruder impersonates Alice),.1 AB:A,Na.2 BS:B,Nb,A,NaKbs.1 I(A)B:A,(Na,Nb).2 BI(S):B,Nb,A,Na,NbKas.3(Omitted).4 I(A)B:A,Na,NbKbs,NbNa,2023/6/23,第二十次全国计算机安全学术交流会,18,Attack 3,.1 AB:A,Na.2 BS:B,Nb,A,NaKbs.1 I(B)A:B,Nb.2 AI(S):A,Na,B,NbKas.2 I(A)S:A,Na,B,NbKas.3 SI(B):Na,A,Kab,NbKbs,

17、B,Kab,NaKas.3 I(S)A:Nb,B,Kab,NaKas,A,Kab,NbKbs.4 AB:A,Kab,NbKbs,NbKab,2023/6/23,第二十次全国计算机安全学术交流会,19,Optimization strategies,Using static analysis and syntactical reordering techniquesThe two techniques are illustrated using BAN-Yahalom verification model as the benchmark.describe the model as Origin

18、al version to which static analysis and the syntactical reordering techniques are not applied,the static analysis technique is only used as Fixed version(1),both the static analysis and the syntactical reordering techniques are used as Fixed version(2).,2023/6/23,第二十次全国计算机安全学术交流会,20,Experimental res

19、ults show the effectiveness,2023/6/23,第二十次全国计算机安全学术交流会,21,Needham-Schroeder Authentication Protocol,2023/6/23,第二十次全国计算机安全学术交流会,22,Attack to N-S Protocol(found by SPIN),2023/6/23,第二十次全国计算机安全学术交流会,23,Conclusion,based on a logic of knowledge algorithm,a formal description of the intruder model under Do

20、lev-Yao model is constructed;a study on verifying the security protocols following above using model checker SPIN,and three attacks have been found successfully in only one general model about BAN-Yahalom protocol;some search strategies such as static analysis and syntactical reordering are applied to reduce the model checking complexity and these approaches will benefit the analysis of more protocols.ScalibilityIn any case,having a logic where we can specify the abilities of intruders is a necessary prerequisite to using model-checking techniques.,2023/6/23,第二十次全国计算机安全学术交流会,24,Thanks!,