1 % $Id$ |
1 % $Id$ |
2 \chapter{Case Study: Verifying a Cryptographic Protocol} |
2 \chapter{Case Study: Verifying a Cryptographic Protocol} |
3 \label{chap:crypto} |
3 \label{chap:crypto} |
4 |
4 |
5 %crypto primitives FIXME: GET RID OF MANY |
5 %crypto primitives |
6 \def\lbb{\mathopen{\{\kern-.30em|}} |
6 \def\lbb{\mathopen{\{\kern-.30em|}} |
7 \def\rbb{\mathclose{|\kern-.32em\}}} |
7 \def\rbb{\mathclose{|\kern-.32em\}}} |
8 \def\comp#1{\lbb#1\rbb} |
8 \def\comp#1{\lbb#1\rbb} |
9 |
9 |
10 Communications security is an ancient art. Julius Caesar is said to have |
10 Communications security is an ancient art. Julius Caesar is said to have |
11 encrypted his messages, shifting each letter three places along the |
11 encrypted his messages, shifting each letter three places along the |
12 alphabet. Mary Queen of Scots was convicted of treason after a cipher used |
12 alphabet. Mary Queen of Scots was convicted of treason after a cipher used |
13 in her letters was broken. Today's postal system incorporates security |
13 in her letters was broken. Today's postal system |
14 features. The envelope provides a degree of |
14 incorporates security features. The envelope provides a degree of |
15 \emph{secrecy}. The signature provides \emph{authenticity} (proof of |
15 \emph{secrecy}. The signature provides \emph{authenticity} (proof of |
16 origin), as do departmental stamps and letterheads. |
16 origin), as do departmental stamps and letterheads. |
17 |
17 |
18 Networks are vulnerable: messages pass through many computers, any of which |
18 Networks are vulnerable: messages pass through many computers, any of which |
19 might be controlled by an adversary, who thus can capture or redirect |
19 might be controlled by an adversary, who thus can capture or redirect |
20 messages. People who wish to communicate securely over such a network can |
20 messages. People who wish to communicate securely over such a network can |
21 use cryptography, but if they are to understand each other, they need to |
21 use cryptography, but if they are to understand each other, they need to |
29 as somebody else, or he might obtain a secret key. |
29 as somebody else, or he might obtain a secret key. |
30 |
30 |
31 \emph{Nonces} help prevent splicing attacks. A typical nonce is a 20-byte |
31 \emph{Nonces} help prevent splicing attacks. A typical nonce is a 20-byte |
32 random number. Each message that requires a reply incorporates a nonce. The |
32 random number. Each message that requires a reply incorporates a nonce. The |
33 reply must include a copy of that nonce, to prove that it is not a replay of |
33 reply must include a copy of that nonce, to prove that it is not a replay of |
34 a past message. Nonces must be cryptographically protected, since |
34 a past message. The nonce in the reply must be cryptographically |
35 otherwise an adversary could easily generate fakes. You should be starting |
35 protected, since otherwise an adversary could easily replace it by a |
36 to see that protocol design is tricky! |
36 different one. You should be starting to see that protocol design is |
|
37 tricky! |
37 |
38 |
38 Researchers are developing methods for proving the correctness of security |
39 Researchers are developing methods for proving the correctness of security |
39 protocols. The Needham-Schroeder public-key |
40 protocols. The Needham-Schroeder public-key |
40 protocol~\cite{needham-schroeder} has become a standard test case. |
41 protocol~\cite{needham-schroeder} has become a standard test case. |
41 Proposed in 1978, it was found to be defective nearly two decades |
42 Proposed in 1978, it was found to be defective nearly two decades |
76 claim to be false: if Alice runs the protocol with someone untrustworthy |
77 claim to be false: if Alice runs the protocol with someone untrustworthy |
77 (Charlie say), then he can start a new run with another agent (Bob say). |
78 (Charlie say), then he can start a new run with another agent (Bob say). |
78 Charlie uses Alice as an oracle, masquerading as |
79 Charlie uses Alice as an oracle, masquerading as |
79 Alice to Bob~\cite{lowe-fdr}. |
80 Alice to Bob~\cite{lowe-fdr}. |
80 \begin{alignat*}{4} |
81 \begin{alignat*}{4} |
81 &1.&\quad A\to C &: \comp{Na,A}\sb{Kc} & |
82 &1.&\quad A\to C &: \comp{Na,A}\sb{Kc} && |
82 \qquad 1'.&\quad C\to B &: \comp{Na,A}\sb{Kb} \\ |
83 \qquad 1'.&\quad C\to B &: \comp{Na,A}\sb{Kb} \\ |
83 &2.&\quad B\to A &: \comp{Na,Nb}\sb{Ka} \\ |
84 &2.&\quad B\to A &: \comp{Na,Nb}\sb{Ka} \\ |
84 &3.&\quad A\to C &: \comp{Nb}\sb{Kc} & |
85 &3.&\quad A\to C &: \comp{Nb}\sb{Kc} && |
85 3'.&\quad A\to B &: \comp{Nb}\sb{Kb} |
86 \qquad 3'.&\quad C\to B &: \comp{Nb}\sb{Kb} |
86 \end{alignat*} |
87 \end{alignat*} |
87 In messages~1 and~3, Charlie removes the encryption using his private |
88 In messages~1 and~3, Charlie removes the encryption using his private |
88 key and re-encrypts Alice's messages using Bob's public key. Bob is |
89 key and re-encrypts Alice's messages using Bob's public key. Bob is |
89 left thinking he has run the protocol with Alice, which was not |
90 left thinking he has run the protocol with Alice, which was not |
90 Alice's intention, and Bob is unaware that the ``secret'' nonces are |
91 Alice's intention, and Bob is unaware that the ``secret'' nonces are |
91 known to Charlie. This is a typical man-in-the-middle attack launched |
92 known to Charlie. This is a typical man-in-the-middle attack launched |
92 by an insider. |
93 by an insider. |
93 |
94 |
94 Lowe also suggested a fix, namely to include Bob's name in message~2: |
95 Whether this counts as an attack has been disputed. In protocols of this |
|
96 type, we normally assume that the other party is honest. To be honest |
|
97 means to obey the protocol rules, so Alice's running the protocol with |
|
98 Charlie does not make her dishonest, just careless. After Lowe's |
|
99 attack, Alice has no grounds for complaint: this protocol does not have to |
|
100 guarantee anything if you run it with a bad person. Bob does have |
|
101 grounds for complaint, however: the protocol tells him that he is |
|
102 communicating with Alice (who is honest) but it does not guarantee |
|
103 secrecy of the nonces. |
|
104 |
|
105 Lowe also suggested a correction, namely to include Bob's name in |
|
106 message~2: |
95 \begin{alignat*}{2} |
107 \begin{alignat*}{2} |
96 &1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\ |
108 &1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\ |
97 &2.&\quad B\to A &: \comp{Na,Nb,B}\sb{Ka} \\ |
109 &2.&\quad B\to A &: \comp{Na,Nb,B}\sb{Ka} \\ |
98 &3.&\quad A\to B &: \comp{Nb}\sb{Kb} |
110 &3.&\quad A\to B &: \comp{Nb}\sb{Kb} |
99 \end{alignat*} |
111 \end{alignat*} |
100 If Charlie tries the same attack, Alice will receive the message |
112 If Charlie tries the same attack, Alice will receive the message |
101 $\comp{Na,Nb,B}\sb{Ka}$ when she was expecting to receive |
113 $\comp{Na,Nb,B}\sb{Ka}$ when she was expecting to receive |
102 $\comp{Na,Nb,C}\sb{Ka}$. She will abandon the run, and eventually so |
114 $\comp{Na,Nb,C}\sb{Ka}$. She will abandon the run, and eventually so |
103 will Bob. |
115 will Bob. Below, we shall look at parts of this protocol's correctness |
|
116 proof. |
104 |
117 |
105 In ground-breaking work, Lowe~\cite{lowe-fdr} showed how such attacks |
118 In ground-breaking work, Lowe~\cite{lowe-fdr} showed how such attacks |
106 could be found automatically using a model checker. An alternative, |
119 could be found automatically using a model checker. An alternative, |
107 which we shall examine below, is to prove protocols correct. Proofs |
120 which we shall examine below, is to prove protocols correct. Proofs |
108 can be done under more realistic assumptions because our model does |
121 can be done under more realistic assumptions because our model does |
147 Since datatype constructors are injective, we have the theorem |
160 Since datatype constructors are injective, we have the theorem |
148 \begin{isabelle} |
161 \begin{isabelle} |
149 Crypt K X = Crypt K' X' \isasymLongrightarrow\ K=K' \isasymand\ X=X'. |
162 Crypt K X = Crypt K' X' \isasymLongrightarrow\ K=K' \isasymand\ X=X'. |
150 \end{isabelle} |
163 \end{isabelle} |
151 A ciphertext can be decrypted using only one key and |
164 A ciphertext can be decrypted using only one key and |
152 can yield only one plaintext. This assumption is realistic if encryption |
165 can yield only one plaintext. In the real world, decryption with the |
153 includes some built-in redundancy. |
166 wrong key succeeds but yields garbage. Our model of encryption is |
|
167 realistic if encryption adds some redundancy to the plaintext, such as a |
|
168 checksum, so that garbage can be detected. |
154 |
169 |
155 |
170 |
156 \section{Modelling the Adversary} |
171 \section{Modelling the Adversary} |
157 |
172 |
158 The spy is part of the system and must be built into the model. He is |
173 The spy is part of the system and must be built into the model. He is |
159 a malicious user who does not have to follow the protocol. He |
174 a malicious user who does not have to follow the protocol. He |
160 watches the network and uses any keys he knows to decrypt messages, |
175 watches the network and uses any keys he knows to decrypt messages. |
161 perhaps learning additional keys and nonces. He uses the items he has |
176 Thus he accumulates additional keys and nonces. These he can use to |
162 accumulated to compose new messages, which he may send to anybody. |
177 compose new messages, which he may send to anybody. |
163 |
178 |
164 Two functions enable us to formalize this behaviour: \isa{analz} and |
179 Two functions enable us to formalize this behaviour: \isa{analz} and |
165 \isa{synth}. Each function maps a sets of messages to another set of |
180 \isa{synth}. Each function maps a sets of messages to another set of |
166 messages. The set \isa{analz H} formalizes what the adversary can learn |
181 messages. The set \isa{analz H} formalizes what the adversary can learn |
167 from the set of messages~$H$. The closure properties of this set are |
182 from the set of messages~$H$. The closure properties of this set are |
168 defined inductively. |
183 defined inductively. |
169 \begin{isabelle} |
184 \begin{isabelle} |
170 \isacommand{consts}\ \ analz\ \ \ ::\ "msg\ set\ =>\ msg\ set"\isanewline |
185 \isacommand{consts}\ \ analz\ \ \ ::\ "msg\ set\ =>\ msg\ set"\isanewline |
171 \isacommand{inductive}\ "analz\ H"\isanewline |
186 \isacommand{inductive}\ "analz\ H"\isanewline |
172 \ \ \isakeyword{intros}\ \isanewline |
187 \ \ \isakeyword{intros}\ \isanewline |
173 \ \ \ \ Inj\ [intro,simp]\ :\ \ \ "X\ \isasymin \ H\ |
188 \ \ \ \ Inj\ [intro,simp]\ :\ "X\ \isasymin \ H\ |
174 \isasymLongrightarrow\ X\ |
189 \isasymLongrightarrow\ X\ |
175 \isasymin |
190 \isasymin |
176 \ analz\ H"\isanewline |
191 \ analz\ H"\isanewline |
177 \ \ \ \ Fst:\ \ \ \ \ "\isacharbraceleft |X,Y|\isacharbraceright \ \isasymin \ analz\ H\ |
192 \ \ \ \ Fst:\ \ \ \ \ "{\isasymlbrace}X,Y\isasymrbrace \ \isasymin \ |
|
193 analz\ H\ |
178 \isasymLongrightarrow\ X\ \isasymin \ analz\ H"\isanewline |
194 \isasymLongrightarrow\ X\ \isasymin \ analz\ H"\isanewline |
179 \ \ \ \ Snd:\ \ \ \ \ "\isacharbraceleft |X,Y|\isacharbraceright \ \isasymin \ analz\ H\ |
195 \ \ \ \ Snd:\ \ \ \ \ "{\isasymlbrace}X,Y\isasymrbrace \ \isasymin \ analz\ H\ |
180 \isasymLongrightarrow\ Y\ \isasymin \ analz\ H"\isanewline |
196 \isasymLongrightarrow\ Y\ \isasymin \ analz\ H"\isanewline |
181 \ \ \ \ Decrypt\ [dest]:\ \isanewline |
197 \ \ \ \ Decrypt\ [dest]:\ \isanewline |
182 \ \ \ \ \ \ \ \ \ \ \ \ \ "[|Crypt\ K\ X\ \isasymin \ analz\ H;\ Key(invKey\ |
198 \ \ \ \ \ \ \ \ \ \ \ \ \ "{\isasymlbrakk}Crypt\ K\ X\ \isasymin \ analz\ H;\ Key(invKey\ |
183 K):\ analz\ H|]\isanewline |
199 K):\ analz\ H\isasymrbrakk\isanewline |
184 \ \ \ \ \ \ \ \ \ \ \ \ \ \ \isasymLongrightarrow\ X\ \isasymin \ analz\ H" |
200 \ \ \ \ \ \ \ \ \ \ \ \ \ \ \isasymLongrightarrow\ X\ \isasymin \ analz\ H" |
185 \end{isabelle} |
201 \end{isabelle} |
186 % |
202 % |
187 Note the \isa{Decrypt} rule: the spy can decrypt a |
203 Note the \isa{Decrypt} rule: the spy can decrypt a |
188 message encrypted with key~$K$ if he has the matching key,~$K^{-1}$. |
204 message encrypted with key~$K$ if he has the matching key,~$K^{-1}$. |
204 \ \ \isakeyword{intros}\ \isanewline |
220 \ \ \isakeyword{intros}\ \isanewline |
205 \ \ \ \ Inj\ \ \ [intro]:\ "X\ \isasymin \ H\ \isasymLongrightarrow\ |
221 \ \ \ \ Inj\ \ \ [intro]:\ "X\ \isasymin \ H\ \isasymLongrightarrow\ |
206 X\ \isasymin \ synth\ H"\isanewline |
222 X\ \isasymin \ synth\ H"\isanewline |
207 \ \ \ \ Agent\ [intro]:\ "Agent\ agt\ \isasymin \ synth\ H"\isanewline |
223 \ \ \ \ Agent\ [intro]:\ "Agent\ agt\ \isasymin \ synth\ H"\isanewline |
208 \ \ \ \ MPair\ [intro]:\isanewline |
224 \ \ \ \ MPair\ [intro]:\isanewline |
209 \ \ \ \ \ \ \ \ \ \ \ \ \ "[|X\ \isasymin \ synth\ H;\ \ Y\ \isasymin |
225 \ \ \ \ \ \ \ \ \ \ \ \ \ "{\isasymlbrakk}X\ \isasymin \ synth\ H;\ \ Y\ \isasymin |
210 \ synth\ H|]\ \isasymLongrightarrow\ |
226 \ synth\ H\isasymrbrakk\ \isasymLongrightarrow\ |
211 \isacharbraceleft |X,Y|\isacharbraceright \ \isasymin \ synth\ H"\isanewline |
227 {\isasymlbrace}X,Y\isasymrbrace \ \isasymin \ synth\ H"\isanewline |
212 \ \ \ \ Crypt\ [intro]:\isanewline |
228 \ \ \ \ Crypt\ [intro]:\isanewline |
213 \ \ \ \ \ \ \ \ \ \ \ \ \ "[|X\ \isasymin \ synth\ H;\ \ Key K\ |
229 \ \ \ \ \ \ \ \ \ \ \ \ \ "{\isasymlbrakk}X\ \isasymin \ synth\ H;\ \ Key K\ |
214 \isasymin \ H|]\ \isasymLongrightarrow\ Crypt\ K\ X\ |
230 \isasymin \ H\isasymrbrakk\ \isasymLongrightarrow\ Crypt\ K\ X\ |
215 \isasymin \ synth\ H" |
231 \isasymin \ synth\ H" |
216 \end{isabelle} |
232 \end{isabelle} |
217 The set includes all agent names. Nonces and keys are assumed to be |
233 The set includes all agent names. Nonces and keys are assumed to be |
218 unguessable, so none are included beyond those already in~$H$. Two |
234 unguessable, so none are included beyond those already in~$H$. Two |
219 elements of \isa{synth H} can be combined, and an element can be encrypted |
235 elements of \isa{synth H} can be combined, and an element can be encrypted |
279 The function \isa{knows} formalizes an agent's knowledge. Mostly we only |
296 The function \isa{knows} formalizes an agent's knowledge. Mostly we only |
280 care about the spy's knowledge, and \isa{knows Spy evs} is the set of items |
297 care about the spy's knowledge, and \isa{knows Spy evs} is the set of items |
281 available to the spy in the trace~\isa{evs}. Already in the empty trace, |
298 available to the spy in the trace~\isa{evs}. Already in the empty trace, |
282 the spy starts with some secrets at his disposal, such as the private keys |
299 the spy starts with some secrets at his disposal, such as the private keys |
283 of compromised users. After each \isa{Says} event, the spy learns the |
300 of compromised users. After each \isa{Says} event, the spy learns the |
284 message that was sent. Combinations of functions express other important |
301 message that was sent: |
285 concepts involving~\isa{evs}: |
302 \begin{isabelle} |
|
303 \ \ \ \ \ knows\ Spy\ ((Says\ A\ B\ X)\ \#\ evs)\ =\ parts\ |
|
304 \isacharbraceleft X\isacharbraceright \ \isasymunion\ (knows\ Spy\ evs) |
|
305 \end{isabelle} |
|
306 % |
|
307 Combinations of functions express other important |
|
308 sets of messages derived from~\isa{evs}: |
286 \begin{itemize} |
309 \begin{itemize} |
287 \item \isa{analz (knows Spy evs)} is the items that the spy could |
310 \item \isa{analz (knows Spy evs)} is everything that the spy could |
288 learn by decryption |
311 learn by decryption |
289 \item \isa{synth (analz (knows Spy evs))} is the items that the spy |
312 \item \isa{synth (analz (knows Spy evs))} is everything that the spy |
290 could generate |
313 could generate |
291 \end{itemize} |
314 \end{itemize} |
292 |
315 |
293 The function |
316 The function |
294 \isa{pubK} maps agents to their public keys. The function |
317 \isa{pubK} maps agents to their public keys. The function |
295 \isa{priK} maps agents to their private keys, is defined in terms of |
318 \isa{priK} maps agents to their private keys. It is defined in terms of |
296 \isa{invKey} and \isa{pubK} by a translation. |
319 \isa{invKey} and \isa{pubK} by a translation; therefore \isa{priK} is |
|
320 not a proper constant, so we declare it using \isacommand{syntax} |
297 \begin{isabelle} |
321 \begin{isabelle} |
298 \isacommand{consts}\ \,pubK\ \ \ \ ::\ "agent\ =>\ key"\isanewline |
322 \isacommand{consts}\ \,pubK\ \ \ \ ::\ "agent\ =>\ key"\isanewline |
299 \isacommand{syntax}\ priK\ \ \ \ ::\ "agent\ =>\ key"\isanewline |
323 \isacommand{syntax}\ priK\ \ \ \ ::\ "agent\ =>\ key"\isanewline |
300 \isacommand{translations}\ \ \ \ "priK\ x"\ \ \isasymrightleftharpoons\ \ "invKey(pubK\ x)" |
324 \isacommand{translations}\ \ \ \ "priK\ x"\ \ \isasymrightleftharpoons\ \ "invKey(pubK\ x)" |
301 \end{isabelle} |
325 \end{isabelle} |
395 Benefits of this approach are simplicity and clarity. The semantic model |
419 Benefits of this approach are simplicity and clarity. The semantic model |
396 is set theory, proofs are by induction and the translation from the informal |
420 is set theory, proofs are by induction and the translation from the informal |
397 notation to the inductive rules is straightforward. |
421 notation to the inductive rules is straightforward. |
398 |
422 |
399 |
423 |
400 \section{Proving Elementary Properties} |
424 \section{Proving Elementary Properties}\label{sec:regularity} |
401 |
425 |
402 Secrecy properties are hard to prove. The conclusion of a typical secrecy |
426 Secrecy properties can be hard to prove. The conclusion of a typical |
403 theorem is |
427 secrecy theorem is |
404 \isa{X\ \isasymnotin\ analz (knows Spy evs)}. The difficulty arises from |
428 \isa{X\ \isasymnotin\ analz (knows Spy evs)}. The difficulty arises from |
405 having to reason about \isa{analz}, or less formally, showing that the spy |
429 having to reason about \isa{analz}, or less formally, showing that the spy |
406 can never learn~\isa{X}. Much easier is to prove that \isa{X} can never |
430 can never learn~\isa{X}. Much easier is to prove that \isa{X} can never |
407 occur at all. Such \emph{regularity} properties are typically expressed |
431 occur at all. Such \emph{regularity} properties are typically expressed |
408 using \isa{parts} rather than \isa{analz}. |
432 using \isa{parts} rather than \isa{analz}. |
409 |
433 |
410 The following lemma states that \isa{A}'s private key is potentially |
434 The following lemma states that \isa{A}'s private key is potentially |
411 known to the spy if and only if \isa{A} belongs to the set \isa{bad} of |
435 known to the spy if and only if \isa{A} belongs to the set \isa{bad} of |
412 compromised agents. The statement uses \isa{parts}: the very presence of |
436 compromised agents. The statement uses \isa{parts}: the very presence of |
413 her private key in a message, whether protected by encryption or not, is |
437 \isa{A}'s private key in a message, whether protected by encryption or |
414 enough to confirm that \isa{A} is compromised. The proof, like nearly all |
438 not, is enough to confirm that \isa{A} is compromised. The proof, like |
415 protocol proofs, is by induction over traces. |
439 nearly all protocol proofs, is by induction over traces. |
416 \begin{isabelle} |
440 \begin{isabelle} |
417 \isacommand{lemma}\ Spy_see_priK\ [simp]:\ \isanewline |
441 \isacommand{lemma}\ Spy_see_priK\ [simp]:\ \isanewline |
418 \ \ \ \ \ \ "evs\ \isasymin \ ns_public\isanewline |
442 \ \ \ \ \ \ "evs\ \isasymin \ ns_public\isanewline |
419 \ \ \ \ \ \ \ \isasymLongrightarrow \ |
443 \ \ \ \ \ \ \ \isasymLongrightarrow \ |
420 (Key\ (priK\ A)\ \isasymin \ parts\ (spies\ evs))\ =\ (A\ \isasymin \ |
444 (Key\ (priK\ A)\ \isasymin \ parts\ (knows\ Spy\ evs))\ =\ (A\ \isasymin \ |
421 bad)"\isanewline |
445 bad)"\isanewline |
422 \isacommand{apply}\ (erule\ ns_public.induct,\ simp_all) |
446 \isacommand{apply}\ (erule\ ns_public.induct,\ simp_all) |
423 \end{isabelle} |
447 \end{isabelle} |
424 % |
448 % |
425 The induction yields five subgoals, one for each rule in the definition of |
449 The induction yields five subgoals, one for each rule in the definition of |
426 \isa{ns_public}. Informally, the idea is to prove that the protocol |
450 \isa{ns_public}. The idea is to prove that |
427 property holds initially (rule \isa{Nil}), is preserved by each of the |
451 the protocol property holds initially (rule |
428 legitimate protocol steps (rules \isa{NS1}--\isa{3}), and even is preserved |
452 \isa{Nil}), is preserved by each of the legitimate protocol steps (rules |
429 in the face of anything the spy can do (rule \isa{Fake}). Simplification |
453 \isa{NS1}--\isa{3}), and even is preserved in the face of anything the |
430 leaves only the \isa{Fake} case (as indicated by the variable name |
454 spy can do (rule |
431 \isa{evsf}): |
455 \isa{Fake}). |
|
456 |
|
457 The proof is trivial. No legitimate protocol rule sends any keys |
|
458 at all, so only \isa{Fake} is relevant. Indeed, |
|
459 simplification leaves only the \isa{Fake} case, as indicated by the |
|
460 variable name |
|
461 \isa{evsf}: |
432 \begin{isabelle} |
462 \begin{isabelle} |
433 \ 1.\ \isasymAnd X\ evsf.\isanewline |
463 \ 1.\ \isasymAnd X\ evsf.\isanewline |
434 \isaindent{\ 1.\ \ \ \ }\isasymlbrakk evsf\ \isasymin \ ns_public;\isanewline |
464 \isaindent{\ 1.\ \ \ \ }\isasymlbrakk evsf\ \isasymin \ ns_public;\isanewline |
435 \isaindent{\ 1.\ \ \ \ \ \ \ }(Key\ (priK\ A)\ \isasymin \ parts\ (knows\ Spy\ evsf))\ =\ (A\ \isasymin \ bad);\isanewline |
465 \isaindent{\ 1.\ \ \ \ \ \ \ }(Key\ (priK\ A)\ \isasymin \ parts\ (knows\ Spy\ evsf))\ =\ (A\ \isasymin \ bad);\isanewline |
436 \isaindent{\ 1.\ \ \ \ \ \ \ }X\ \isasymin \ synth\ (analz\ (knows\ Spy\ evsf))\isasymrbrakk \isanewline |
466 \isaindent{\ 1.\ \ \ \ \ \ \ }X\ \isasymin \ synth\ (analz\ (knows\ Spy\ evsf))\isasymrbrakk \isanewline |
441 \end{isabelle} |
471 \end{isabelle} |
442 % |
472 % |
443 The \isa{Fake} case is proved automatically. If |
473 The \isa{Fake} case is proved automatically. If |
444 \isa{priK~A} is in the extended trace then either (1) it was already in the |
474 \isa{priK~A} is in the extended trace then either (1) it was already in the |
445 original trace or (2) it was |
475 original trace or (2) it was |
446 generated by the spy, and so the spy must have known this key already. |
476 generated by the spy, who must have known this key already. |
447 Either way, the induction hypothesis applies. If the spy can tell himself |
477 Either way, the induction hypothesis applies. |
448 something, then he must have known it already. |
|
449 |
478 |
450 \emph{Unicity} lemmas are regularity lemmas stating that specified items |
479 \emph{Unicity} lemmas are regularity lemmas stating that specified items |
451 can occur only once in a trace. The following lemma states that a nonce |
480 can occur only once in a trace. The following lemma states that a nonce |
452 cannot be used both as $Na$ and as $Nb$ unless |
481 cannot be used both as $Na$ and as $Nb$ unless |
453 it is known to the spy. Intuitively, it holds because honest agents |
482 it is known to the spy. Intuitively, it holds because honest agents |
454 always choose fresh values as nonces; only the spy might reuse a value, |
483 always choose fresh values as nonces; only the spy might reuse a value, |
455 and he doesn't know this particular value. The proof script is three steps |
484 and he doesn't know this particular value. The proof script is short: |
456 long. |
485 induction, simplification, \isa{blast}. |
457 \begin{isabelle} |
486 \begin{isabelle} |
458 \isacommand{lemma}\ no_nonce_NS1_NS2\ [rule_format]:\ \isanewline |
487 \isacommand{lemma}\ no_nonce_NS1_NS2:\isanewline |
459 \ "evs\ \isasymin \ ns_public\ \isanewline |
488 \ \ \ \ "\isasymlbrakk Crypt\ (pubK\ C)\ \isasymlbrace NA',\ Nonce\ |
460 \ \ \isasymLongrightarrow \ Crypt\ (pubK\ C)\ \isasymlbrace NA',\ Nonce\ NA,\ Agent\ D\isasymrbrace \ \isasymin \ parts\ (spies\ evs)\ \isasymlongrightarrow \isanewline |
489 NA,\ Agent\ D\isasymrbrace \ \isasymin \ parts\ (knows\ Spy\ |
461 \ \ \ \ \ \ Crypt\ (pubK\ B)\ \isasymlbrace Nonce\ NA,\ Agent\ A\isasymrbrace \ \isasymin \ parts\ (spies\ evs)\ \isasymlongrightarrow \ \ \isanewline |
490 evs);\isanewline |
462 \ \ \ \ \ \ Nonce\ NA\ \isasymin \ analz\ (spies\ evs)" |
491 \ \ \ \ \ \ Crypt\ (pubK\ B)\ \isasymlbrace Nonce\ NA,\ Agent\ |
463 \end{isabelle} |
492 A\isasymrbrace \ \isasymin \ parts\ (knows\ Spy\ evs);\isanewline |
464 |
493 \ \ \ \ \ \ evs\ \isasymin \ ns_public\isasymrbrakk \isanewline |
465 This unicity lemma states that, if \isa{NA} is secret, then its appearance |
494 \ \ \ \ \ \isasymLongrightarrow \ Nonce\ NA\ \isasymin \ analz\ (knows\ |
466 in any instance of message~1 determines the other components. The proof is |
495 Spy\ evs)"\isanewline |
467 another easy induction. |
496 \isacommand{apply}\ (erule\ rev_mp,\ erule\ rev_mp)\isanewline |
|
497 \isacommand{apply}\ (erule\ ns_public.induct,\ simp_all)\isanewline |
|
498 \isacommand{apply}\ (blast\ intro:\ analz_insertI)+\isanewline |
|
499 \isacommand{done} |
|
500 \end{isabelle} |
|
501 |
|
502 The following unicity lemma states that, if \isa{NA} is secret, then its |
|
503 appearance in any instance of message~1 determines the other components. |
|
504 The proof is similar to the previous one. |
468 \begin{isabelle} |
505 \begin{isabelle} |
469 \isacommand{lemma}\ unique_NA:\ \isanewline |
506 \isacommand{lemma}\ unique_NA:\ \isanewline |
470 \ \ \ \ \ "\isasymlbrakk Crypt(pubK\ B)\ \ \isasymlbrace Nonce\ NA,\ Agent\ A\ \isasymrbrace \ \isasymin \ parts(spies\ evs);\ \ \isanewline |
507 \ \ \ \ \ "\isasymlbrakk Crypt(pubK\ B)\ \ \isasymlbrace Nonce\ NA,\ Agent\ A\ \isasymrbrace \ \isasymin \ parts(knows\ Spy\ evs);\ \ \isanewline |
471 \ \ \ \ \ \ \ Crypt(pubK\ B')\ \isasymlbrace Nonce\ NA,\ Agent\ A'\isasymrbrace \ \isasymin \ parts(spies\ evs);\ \ \isanewline |
508 \ \ \ \ \ \ \ Crypt(pubK\ B')\ \isasymlbrace Nonce\ NA,\ Agent\ A'\isasymrbrace \ \isasymin \ parts(knows\ Spy\ evs);\ \ \isanewline |
472 \ \ \ \ \ \ \ Nonce\ NA\ \isasymnotin \ analz\ (spies\ evs);\ evs\ \isasymin \ ns_public\isasymrbrakk \isanewline |
509 \ \ \ \ \ \ \ Nonce\ NA\ \isasymnotin \ analz\ (knows\ Spy\ evs);\ evs\ \isasymin \ ns_public\isasymrbrakk \isanewline |
473 \ \ \ \ \ \ \isasymLongrightarrow \ A=A'\ \isasymand \ B=B'" |
510 \ \ \ \ \ \ \isasymLongrightarrow \ A=A'\ \isasymand \ B=B'" |
474 \end{isabelle} |
511 \end{isabelle} |
475 |
512 |
476 |
513 |
477 \section{Proving Secrecy Theorems}\label{sec:secrecy} |
514 \section{Proving Secrecy Theorems}\label{sec:secrecy} |
478 |
515 |
479 The secrecy theorems for Bob (the second participant) are especially |
516 The secrecy theorems for Bob (the second participant) are especially |
480 important, since they fail for the original protocol. This theorem states |
517 important because they fail for the original protocol. The following |
481 that if Bob sends message~2 to Alice, and both agents are uncompromised, |
518 theorem states that if Bob sends message~2 to Alice, and both agents are |
482 then Bob's nonce will never reach the spy. |
519 uncompromised, then Bob's nonce will never reach the spy. |
483 \begin{isabelle} |
520 \begin{isabelle} |
484 \isacommand{theorem}\ Spy_not_see_NB\ [dest]:\isanewline |
521 \isacommand{theorem}\ Spy_not_see_NB\ [dest]:\isanewline |
485 \ "\isasymlbrakk Says\ B\ A\ (Crypt\ (pubK\ A)\ \isasymlbrace Nonce\ NA,\ Nonce\ NB,\ Agent\ B\isasymrbrace )\ \isasymin \ set\ evs;\isanewline |
522 \ "\isasymlbrakk Says\ B\ A\ (Crypt\ (pubK\ A)\ \isasymlbrace Nonce\ NA,\ Nonce\ NB,\ Agent\ B\isasymrbrace )\ \isasymin \ set\ evs;\isanewline |
486 \ \ \ A\ \isasymnotin \ bad;\ \ B\ \isasymnotin \ bad;\ \ evs\ \isasymin \ ns_public\isasymrbrakk \isanewline |
523 \ \ \ A\ \isasymnotin \ bad;\ \ B\ \isasymnotin \ bad;\ \ evs\ \isasymin \ ns_public\isasymrbrakk \isanewline |
487 \ \ \isasymLongrightarrow \ Nonce\ NB\ \isasymnotin \ analz\ (spies\ evs)" |
524 \ \ \isasymLongrightarrow \ Nonce\ NB\ \isasymnotin \ analz\ (knows\ Spy\ evs)" |
488 \end{isabelle} |
525 \end{isabelle} |
489 % |
526 % |
490 To prove this, we must formulate the induction properly (one of the |
527 To prove it, we must formulate the induction properly (one of the |
491 assumptions mentions~\isa{evs}), apply induction, and simplify. |
528 assumptions mentions~\isa{evs}), apply induction, and simplify: |
|
529 \begin{isabelle} |
|
530 \isacommand{apply}\ (erule\ rev_mp,\ erule\ ns_public.induct,\ simp_all) |
|
531 \end{isabelle} |
|
532 % |
492 The proof states are too complicated to present in full. |
533 The proof states are too complicated to present in full. |
493 Let's just look |
534 Let's examine the simplest subgoal, that for message~1. The following |
494 at the easiest subgoal, that for message~1: |
535 event has just occurred: |
|
536 \[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'} \] |
|
537 The variables above have been primed because this step |
|
538 belongs to a different run from that referred to in the theorem |
|
539 statement --- the theorem |
|
540 refers to a past instance of message~2, while this subgoal |
|
541 concerns message~1 being sent just now. |
|
542 In the Isabelle subgoal, instead of primed variables like $B'$ and $Na'$ |
|
543 we have \isa{Ba} and~\isa{NAa}: |
495 \begin{isabelle} |
544 \begin{isabelle} |
496 \ 1.\ \isasymAnd Ba\ NAa\ evs1.\isanewline |
545 \ 1.\ \isasymAnd Ba\ NAa\ evs1.\isanewline |
497 \isaindent{\ 1.\ \ \ \ }\isasymlbrakk A\ \isasymnotin \ bad;\ B\ \isasymnotin \ bad;\ evs1\ \isasymin \ ns_public;\isanewline |
546 \isaindent{\ 1.\ \ \ \ }\isasymlbrakk A\ \isasymnotin \ bad;\ B\ \isasymnotin \ bad;\ evs1\ \isasymin \ ns_public;\isanewline |
498 \isaindent{\ 1.\ \ \ \ \ \ \ }Says\ B\ A\ (Crypt\ (pubK\ A)\ \isasymlbrace Nonce\ NA,\ Nonce\ NB,\ Agent\ B\isasymrbrace )\isanewline |
547 \isaindent{\ 1.\ \ \ \ \ \ \ }Says\ B\ A\ (Crypt\ (pubK\ A)\ \isasymlbrace Nonce\ NA,\ Nonce\ NB,\ Agent\ B\isasymrbrace )\isanewline |
499 \isaindent{\ 1.\ \ \ \ \ \ \ }\isasymin \ set\ evs1\ \isasymlongrightarrow \isanewline |
548 \isaindent{\ 1.\ \ \ \ \ \ \ }\isasymin \ set\ evs1\ \isasymlongrightarrow \isanewline |
502 \isaindent{\ 1.\ \ \ \ }\isasymLongrightarrow \ Ba\ \isasymin \ bad\ \isasymlongrightarrow \isanewline |
551 \isaindent{\ 1.\ \ \ \ }\isasymLongrightarrow \ Ba\ \isasymin \ bad\ \isasymlongrightarrow \isanewline |
503 \isaindent{\ 1.\ \ \ \ \isasymLongrightarrow \ }Says\ B\ A\ (Crypt\ (pubK\ A)\ \isasymlbrace Nonce\ NA,\ Nonce\ NB,\ Agent\ B\isasymrbrace )\isanewline |
552 \isaindent{\ 1.\ \ \ \ \isasymLongrightarrow \ }Says\ B\ A\ (Crypt\ (pubK\ A)\ \isasymlbrace Nonce\ NA,\ Nonce\ NB,\ Agent\ B\isasymrbrace )\isanewline |
504 \isaindent{\ 1.\ \ \ \ \isasymLongrightarrow \ }\isasymin \ set\ evs1\ \isasymlongrightarrow \isanewline |
553 \isaindent{\ 1.\ \ \ \ \isasymLongrightarrow \ }\isasymin \ set\ evs1\ \isasymlongrightarrow \isanewline |
505 \isaindent{\ 1.\ \ \ \ \isasymLongrightarrow \ }NB\ \isasymnoteq \ NAa |
554 \isaindent{\ 1.\ \ \ \ \isasymLongrightarrow \ }NB\ \isasymnoteq \ NAa |
506 \end{isabelle} |
555 \end{isabelle} |
507 This subgoal refers to another protocol run, in which \isa{B} has sent |
556 % |
508 message~1 to somebody called~\isa{Ba}. Agent \isa{Ba} |
557 The simplifier has used a |
509 is compromised, and so the spy has learnt the nonce that was just sent, |
558 default simplification rule that does a case |
510 which is called~\isa{NAa}. We need to know that this nonce differs from the |
559 analysis for each encrypted message on whether or not the decryption key |
511 one we care about, namely~\isa{NB}\@. They do indeed differ: \isa{NB} was |
560 is compromised. |
512 sent earlier, while \isa{NAa} was chosen to be fresh (we have the assumption |
561 \begin{isabelle} |
513 \isa{Nonce\ NAa\ \isasymnotin \ used\ evs1}). |
562 analz\ (insert\ (Crypt\ K\ X)\ H)\ =\isanewline |
|
563 \ (if\ Key\ (invKey\ K)\ \isasymin \ analz\ H\isanewline |
|
564 \ \ then\ insert\ |
|
565 (Crypt\ K\ X)\ (anal\ z\ (insert\ X\ H))\isanewline |
|
566 \ \ else\ insert\ (Crypt\ K\ X)\ (analz\ H)) |
|
567 \rulename{analz_Crypt_if} |
|
568 \end{isabelle} |
|
569 The simplifier has also used \isa{Spy_see_priK}, proved in |
|
570 \S\ref{sec:regularity}) above, to yield \isa{Ba\ \isasymin \ bad}. |
|
571 |
|
572 Recall that this subgoal concerns the case |
|
573 where the last message to be sent was |
|
574 \[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'}. \] |
|
575 This message can compromise $Nb$ only if $Nb=Na'$ and $B'$ is compromised, |
|
576 allowing the spy to decrypt the message. The Isabelle subgoal says |
|
577 precisely this, if we allow for its choice of variable names. |
|
578 Proving \isa{NB\ \isasymnoteq \ NAa} is easy: \isa{NB} was |
|
579 sent earlier, while \isa{NAa} is fresh; formally, we have |
|
580 the assumption |
|
581 \isa{Nonce\ NAa\ \isasymnotin \ used\ evs1}. |
514 |
582 |
515 Note that our reasoning concerned \isa{B}'s participation in another |
583 Note that our reasoning concerned \isa{B}'s participation in another |
516 run. Agents may engage in several runs concurrently, and some attacks work |
584 run. Agents may engage in several runs concurrently, and some attacks work |
517 by interleaving the messages of two runs. With model checking, this |
585 by interleaving the messages of two runs. With model checking, this |
518 possibility can cause a state-space explosion, and for us it |
586 possibility can cause a state-space explosion, and for us it |
519 certainly complicates proofs. The biggest subgoal concerns message~2. It |
587 certainly complicates proofs. The biggest subgoal concerns message~2. It |
520 splits into several cases, some of which are proved by unicity, others by |
588 splits into several cases, such as whether or not the message just sent is |
|
589 the very message mentioned in the theorem statement. |
|
590 Some of the cases are proved by unicity, others by |
521 the induction hypothesis. For all those complications, the proofs are |
591 the induction hypothesis. For all those complications, the proofs are |
522 automatic by \isa{blast} with the theorem \isa{no_nonce_NS1_NS2}. |
592 automatic by \isa{blast} with the theorem \isa{no_nonce_NS1_NS2}. |
523 |
593 |
524 The remaining proofs are straightforward. This theorem asserts that if |
594 The remaining theorems about the protocol are not hard to prove. The |
|
595 following one asserts a form of \emph{authenticity}: if |
525 \isa{B} has sent an instance of message~2 to~\isa{A} and has received the |
596 \isa{B} has sent an instance of message~2 to~\isa{A} and has received the |
526 expected reply, then that reply really came from~\isa{A}. The proof is a |
597 expected reply, then that reply really originated with~\isa{A}. The |
527 simple induction. |
598 proof is a simple induction. |
528 \begin{isabelle} |
599 \begin{isabelle} |
529 \isacommand{theorem}\ B_trusts_NS3:\isanewline |
600 \isacommand{theorem}\ B_trusts_NS3:\isanewline |
530 \ "\isasymlbrakk Says\ B\ A\ \ (Crypt\ (pubK\ A)\ \isasymlbrace Nonce\ NA,\ Nonce\ NB,\ Agent\ B\isasymrbrace )\ \isasymin \ set\ evs;\isanewline |
601 \ "\isasymlbrakk Says\ B\ A\ \ (Crypt\ (pubK\ A)\ \isasymlbrace Nonce\ NA,\ Nonce\ NB,\ Agent\ B\isasymrbrace )\ \isasymin \ set\ evs;\isanewline |
531 \ \ \ Says\ A'\ B\ (Crypt\ (pubK\ B)\ (Nonce\ NB))\ \isasymin \ set\ evs;\ \isanewline |
602 \ \ \ Says\ A'\ B\ (Crypt\ (pubK\ B)\ (Nonce\ NB))\ \isasymin \ set\ evs;\ \isanewline |
532 \ \ \ A\ \isasymnotin \ bad;\ \ B\ \isasymnotin \ bad;\ \ evs\ \isasymin \ ns_public\isasymrbrakk \ \ \ \ \ \ \ \ \isanewline |
603 \ \ \ A\ \isasymnotin \ bad;\ \ B\ \isasymnotin \ bad;\ \ evs\ \isasymin \ ns_public\isasymrbrakk \ \ \ \ \ \ \ \ \isanewline |
533 \ \ \isasymLongrightarrow \ Says\ A\ B\ (Crypt\ (pubK\ B)\ (Nonce\ NB))\ \isasymin \ set\ |
604 \ \ \isasymLongrightarrow \ Says\ A\ B\ (Crypt\ (pubK\ B)\ (Nonce\ NB))\ \isasymin \ set\ |
534 evs" |
605 evs" |
535 \end{isabelle} |
606 \end{isabelle} |
536 |
607 |
537 From similar assumptions, we can prove that \isa{A} started the protocol |
608 From similar assumptions, we can prove that \isa{A} started the protocol |
538 run by sending an instance of message~1 involving the nonce~\isa{NA}. For |
609 run by sending an instance of message~1 involving the nonce~\isa{NA}\@. |
539 this theorem, the conclusion is |
610 For this theorem, the conclusion is |
540 \begin{isabelle} |
611 \begin{isabelle} |
541 \ \ \ \ \ Says\ A\ B\ (Crypt\ (pubK\ B)\ \isasymlbrace Nonce\ NA,\ Agent\ |
612 \ \ \ \ \ Says\ A\ B\ (Crypt\ (pubK\ B)\ \isasymlbrace Nonce\ NA,\ Agent\ |
542 A\isasymrbrace )\ \isasymin \ set\ evs |
613 A\isasymrbrace )\ \isasymin \ set\ evs |
543 \end{isabelle} |
614 \end{isabelle} |
544 % |
615 % |
545 Analogous theorems can be proved for~\isa{A}, stating that nonce~\isa{NA} |
616 Analogous theorems can be proved for~\isa{A}, stating that nonce~\isa{NA} |
546 remains secret and that message~2 really originates with~\isa{B}. Even the |
617 remains secret and that message~2 really originates with~\isa{B}. Even the |
547 flawed protocol establishes these properties for~\isa{A}; |
618 flawed protocol establishes these properties for~\isa{A}; |
548 the flaw only harms the second participant. |
619 the flaw only harms the second participant. |
549 Detailed information on this technique can be found |
620 |
|
621 \medskip |
|
622 |
|
623 Detailed information on this protocol verification technique can be found |
550 elsewhere~\cite{paulson-jcs}, including proofs of an Internet |
624 elsewhere~\cite{paulson-jcs}, including proofs of an Internet |
551 protocol~\cite{paulson-tls}. |
625 protocol~\cite{paulson-tls}. We must stress that the protocol discussed |
|
626 in this chapter is trivial. There are only three messages; no keys are |
|
627 exchanged; we merely have to prove that encrypted data remains secret. |
|
628 Real world protocols are much longer and distribute many secrets to their |
|
629 participants. To be realistic, the model has to include the possibility |
|
630 of keys being lost dynamically due to carelessness. If those keys have |
|
631 been used to encrypt other sensitive information, there may be cascading |
|
632 losses. We may still be able to establish a bound on the losses and to |
|
633 prove that other protocol runs function |
|
634 correctly~\cite{paulson-yahalom}. Proofs of real-world protocols follow |
|
635 the strategy illustrated above, but the subgoals can |
|
636 be much bigger and there are more of them. |
552 |
637 |
553 |
638 |
554 \endinput |
639 \endinput |