src/Doc/Tutorial/document/protocol.tex
author bulwahn
Wed, 17 Oct 2012 14:13:57 +0200
changeset 49900 89b118c0c070
parent 48985 5386df44a037
permissions -rw-r--r--
checking for bound variables in the set expression; handling negation more generally
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
11428
332347b9b942 tidying the index
paulson
parents: 11267
diff changeset
     1
\chapter{Case Study: Verifying a Security Protocol}
11248
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
     2
\label{chap:crypto}
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
     3
11428
332347b9b942 tidying the index
paulson
parents: 11267
diff changeset
     4
\index{protocols!security|(}
332347b9b942 tidying the index
paulson
parents: 11267
diff changeset
     5
11267
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
     6
%crypto primitives 
11248
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
     7
\def\lbb{\mathopen{\{\kern-.30em|}}
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
     8
\def\rbb{\mathclose{|\kern-.32em\}}}
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
     9
\def\comp#1{\lbb#1\rbb}
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    10
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    11
Communications security is an ancient art.  Julius Caesar is said to have
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    12
encrypted his messages, shifting each letter three places along the
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    13
alphabet.  Mary Queen of Scots was convicted of treason after a cipher used
11267
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
    14
in her letters was broken.  Today's postal system
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
    15
incorporates security features.  The envelope provides a degree of
11248
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    16
\emph{secrecy}.  The signature provides \emph{authenticity} (proof of
11267
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
    17
origin), as do departmental stamps and letterheads.
11248
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    18
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    19
Networks are vulnerable: messages pass through many computers, any of which
11262
9fde0021e1af *** empty log message ***
nipkow
parents: 11248
diff changeset
    20
might be controlled by an adversary, who thus can capture or redirect
11248
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    21
messages.  People who wish to communicate securely over such a network can
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    22
use cryptography, but if they are to understand each other, they need to
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    23
follow a
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    24
\emph{protocol}: a pre-arranged sequence of message formats. 
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    25
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    26
Protocols can be attacked in many ways, even if encryption is unbreakable. 
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    27
A \emph{splicing attack} involves an adversary's sending a message composed
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    28
of parts of several old messages.  This fake message may have the correct
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    29
format, fooling an honest party.  The adversary might be able to masquerade
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    30
as somebody else, or he might obtain a secret key.
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    31
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    32
\emph{Nonces} help prevent splicing attacks. A typical nonce is a 20-byte
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    33
random number. Each message that requires a reply incorporates a nonce. The
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    34
reply must include a copy of that nonce, to prove that it is not a replay of
11267
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
    35
a past message.  The nonce in the reply must be cryptographically
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
    36
protected, since otherwise an adversary could easily replace it by a
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
    37
different one. You should be starting to see that protocol design is
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
    38
tricky!
11248
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    39
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    40
Researchers are developing methods for proving the correctness of security
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    41
protocols.  The Needham-Schroeder public-key
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    42
protocol~\cite{needham-schroeder} has become a standard test case. 
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    43
Proposed in 1978, it was found to be defective nearly two decades
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    44
later~\cite{lowe-fdr}.  This toy protocol will be useful in demonstrating
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    45
how to verify protocols using Isabelle.
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    46
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    47
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    48
\section{The Needham-Schroeder Public-Key Protocol}\label{sec:ns-protocol}
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    49
11428
332347b9b942 tidying the index
paulson
parents: 11267
diff changeset
    50
\index{Needham-Schroeder protocol|(}%
11248
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    51
This protocol uses public-key cryptography. Each person has a private key, known only to
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    52
himself, and a public key, known to everybody. If Alice wants to send Bob a secret message, she
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    53
encrypts it using Bob's public key (which everybody knows), and sends it to Bob. Only Bob has the
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    54
matching private key, which is needed in order to decrypt Alice's message.
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    55
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    56
The core of the Needham-Schroeder protocol consists of three messages:
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    57
\begin{alignat*}{2}
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    58
  &1.&\quad  A\to B  &: \comp{Na,A}\sb{Kb} \\
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    59
  &2.&\quad  B\to A  &: \comp{Na,Nb}\sb{Ka} \\
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    60
  &3.&\quad  A\to B  &: \comp{Nb}\sb{Kb}
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    61
\end{alignat*}
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    62
First, let's understand the notation. In the first message, Alice
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    63
sends Bob a message consisting of a nonce generated by Alice~($Na$)
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    64
paired  with Alice's name~($A$) and encrypted using Bob's public
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    65
key~($Kb$). In the second message, Bob sends Alice a message
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    66
consisting of $Na$ paired with a nonce generated by Bob~($Nb$), 
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    67
encrypted using Alice's public key~($Ka$). In the last message, Alice
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    68
returns $Nb$ to Bob, encrypted using his public key.
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    69
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    70
When Alice receives Message~2, she knows that Bob has acted on her
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    71
message, since only he could have decrypted
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    72
$\comp{Na,A}\sb{Kb}$ and extracted~$Na$.  That is precisely what
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    73
nonces are for.  Similarly, message~3 assures Bob that Alice is
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    74
active.  But the protocol was widely believed~\cite{ban89} to satisfy a
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    75
further property: that
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    76
$Na$ and~$Nb$ were secrets shared by Alice and Bob.  (Many
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    77
protocols generate such shared secrets, which can be used
11428
332347b9b942 tidying the index
paulson
parents: 11267
diff changeset
    78
to lessen the reliance on slow public-key operations.)  
332347b9b942 tidying the index
paulson
parents: 11267
diff changeset
    79
Lowe\index{Lowe, Gavin|(} found this
11248
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    80
claim to be false: if Alice runs the protocol with someone untrustworthy
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    81
(Charlie say), then he can start a new run with another agent (Bob say). 
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    82
Charlie uses Alice as an oracle, masquerading as
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    83
Alice to Bob~\cite{lowe-fdr}.
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    84
\begin{alignat*}{4}
11267
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
    85
  &1.&\quad  A\to C  &: \comp{Na,A}\sb{Kc}   &&
11248
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    86
      \qquad 1'.&\quad  C\to B  &: \comp{Na,A}\sb{Kb} \\
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    87
  &2.&\quad  B\to A  &: \comp{Na,Nb}\sb{Ka} \\
11267
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
    88
  &3.&\quad  A\to C  &: \comp{Nb}\sb{Kc}  &&
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
    89
      \qquad 3'.&\quad  C\to B  &: \comp{Nb}\sb{Kb}
11248
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    90
\end{alignat*}
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    91
In messages~1 and~3, Charlie removes the encryption using his private
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    92
key and re-encrypts Alice's messages using Bob's public key. Bob is
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    93
left thinking he has run the protocol with Alice, which was not
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    94
Alice's intention, and Bob is unaware that the ``secret'' nonces are
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    95
known to Charlie.  This is a typical man-in-the-middle attack launched
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    96
by an insider.
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
    97
11267
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
    98
Whether this counts as an attack has been disputed.  In protocols of this
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
    99
type, we normally assume that the other party is honest.  To be honest
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
   100
means to obey the protocol rules, so Alice's running the protocol with
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
   101
Charlie does not make her dishonest, just careless.  After Lowe's
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
   102
attack, Alice has no grounds for complaint: this protocol does not have to
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
   103
guarantee anything if you run it with a bad person.  Bob does have
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
   104
grounds for complaint, however: the protocol tells him that he is
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
   105
communicating with Alice (who is honest) but it does not guarantee
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
   106
secrecy of the nonces.
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
   107
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
   108
Lowe also suggested a correction, namely to include Bob's name in
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
   109
message~2:
11248
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   110
\begin{alignat*}{2}
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   111
  &1.&\quad  A\to B  &: \comp{Na,A}\sb{Kb} \\
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   112
  &2.&\quad  B\to A  &: \comp{Na,Nb,B}\sb{Ka} \\
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   113
  &3.&\quad  A\to B  &: \comp{Nb}\sb{Kb}
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   114
\end{alignat*}
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   115
If Charlie tries the same attack, Alice will receive the message
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   116
$\comp{Na,Nb,B}\sb{Ka}$ when she was expecting to receive
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   117
$\comp{Na,Nb,C}\sb{Ka}$.  She will abandon the run, and eventually so
11267
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
   118
will Bob.  Below, we shall look at parts of this protocol's correctness
f9506f60aa7b revisions to Protocols chapter
paulson
parents: 11262
diff changeset
   119
proof. 
11248
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   120
11428
332347b9b942 tidying the index
paulson
parents: 11267
diff changeset
   121
In ground-breaking work, Lowe~\cite{lowe-fdr}\index{Lowe, Gavin|)}
332347b9b942 tidying the index
paulson
parents: 11267
diff changeset
   122
showed how such attacks
11248
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   123
could be found automatically using a model checker.  An alternative,
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   124
which we shall examine below, is to prove protocols correct.  Proofs
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   125
can be done under more realistic assumptions because our model does
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   126
not have to be finite.  The strategy is to formalize the operational
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   127
semantics of the system and to prove security properties using rule
11428
332347b9b942 tidying the index
paulson
parents: 11267
diff changeset
   128
induction.%
332347b9b942 tidying the index
paulson
parents: 11267
diff changeset
   129
\index{Needham-Schroeder protocol|)}
11248
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   130
7a696a130de2 back to Unix format...
paulson
parents: 11247
diff changeset
   131
48966
6e15de7dd871 more standard document preparation within session context: avoid clashes with generated .tex files, even on case-insensible file-system;
wenzelm
parents: 48522
diff changeset
   132
\input{Message}
6e15de7dd871 more standard document preparation within session context: avoid clashes with generated .tex files, even on case-insensible file-system;
wenzelm
parents: 48522
diff changeset
   133
\input{Event}
6e15de7dd871 more standard document preparation within session context: avoid clashes with generated .tex files, even on case-insensible file-system;
wenzelm
parents: 48522
diff changeset
   134
\input{Public}
6e15de7dd871 more standard document preparation within session context: avoid clashes with generated .tex files, even on case-insensible file-system;
wenzelm
parents: 48522
diff changeset
   135
\input{NS_Public}