A short coursein Verification of Security Protocols在安全协议验证的短期课程.ppt

Verification of Security Protocols Outline Day 2: Practice analysis of many flawed protocol... ...using the online demo Resources: The online tool, reachable at wwwes.cs.utwente.nl/24cqet The Clark-Jacob library /clark97survey.html www-users.cs.york.ac.uk/~jac/papers/drareviewps.ps Security Protocols the Attacks Otway-Rees Secrecy+type-flaw attack Kao-chow replay-attack Woo-Lam authentication+type flaw attack NSL (as bonus protocol) auth+type-flaw attack Otway-Rees Protocol 1. A-B : [M,A,B,[Na,M,A,B]+Kas] 2. B-S : [M,A,B,[Na,M,A,B]+Kas], [Nb,M,A,B]+Kbs 3. S-B : [M, [Na,Kab]+Kas, [Nb,Kab]+Kbs 4. B-A : [M,[Na,Kab]+Kas ] Aim: key distribution using a trusted server. Kab: short-term key. Could be guessed. Na and Nb serve as challenges. Attack upon Otway-Rees a.1 A-e(B) : [M,A,B,[Na,M,A,B]+Kas] a.4 e(B)-A : [M,A,B,[Na,M,A,B]+Kas] Type flaw attack A takes [M,A,B] to be the key The intruder just replies the first message. It is an authentication flaw. It is also a secrecy flaw (the intruder knows the key, now). Otway-Rees in the tool initiator(A,B,Na,Nb,M,X,Kas,Kab,[ recv([A,B]), % for origination assumption send([M,A,B,[Na,M,A,B]+Kas]]), recv([M,[Na,Kab]+Kas]), send(X+Kab)]). % another way of checking secrecy responder(A,B,Na,Nb,M,X,Kas,Kab,[ %NOT RELEVANT recv([M,A,B,[Na,M,A,B]+Kas]), send([[M,A,B,[Na,M,A,B]+Kas], [Nb,M,A,B]+Kbs]), recv([[M,Na,Kab]+Kas, [Nb,Kab]+Kbs]), send([M,[Na,Kab]+Kas]), recv(X+Kab) ]). Otway-Rees in the tool cont’d secrecy(N,[recv(N)]). server(A,B,Na,Nb,M,X,Kas,Kab,[ recv([[M,A,B,[Na,M,A,B]+Kas]]], [Nb,[M,[A,B]]]+Kbs]), send([[M,[Na,Kab]]+Kas, [Nb,Kab]+Kbs])]). Scenario One initiator is enough. And the secrecy check. We could not check secrecy the “usual” way because Kab is not instantiated anywhere (it is given by the server). scenario([[sec1,St],[a,Sa1]]) :- initiator(a,b,na,Nb,m,x,kas,Kab,Sa1), secrecy(x, St). initial_intru