%crypto primitives \def\lbb{\mathopen' public key(hich knows)andsendsittoBob Bob java.lang.StringIndexOutOfBoundsException: Index 97 out of bounds for length 97 \\3\} \def\comp#1{\lbb#1\rbb}
Communications security is an ancient art. Julius Caesar is said to have
encrypted his messages, shifting each letter three places along the
alphabet. Mary Queen of Scots was convicted of treason after a cipher used
in her letters was broken. Today's postal system
incorporates security features. The envelope provides a degree of \emph{secrecy}. The signature provides \emph{authenticity} (proof of
origin), as do departmental stamps and letterheads.
Networks are vulnerable: messages pass through many computers, any of which
might be controlled by an adversary, who thus can capture or redirect
messages. People who wish to communicate securely over such a network can
use cryptography, but if they are to understand each other, they need to
follow a \emph{protocol}: a pre-arranged sequence of message formats.
Protocols can be attacked in many ways, even if encryption is unbreakable.
A \emph{splicing attack} involves an adversary's sending a message composed
of parts of several old messages. This fake message may have the correct
format, fooling an honest party. The adversary might be able to masquerade
as somebody else, or he might obtain a secret key.
\emph{Nonces} help prevent splicing attacks. A typical nonce is a 20-byte
random number. Each message that requires a reply incorporates a nonce. The
reply must include a copy of that nonce, to prove that it is not a replay of
a past message. The nonce in the reply must be cryptographically
protected, since otherwise an adversary could easily replace it by a
different one. You should be starting to see that protocol design is
tricky!
Researchers are developing methods for proving the correctness of security
protocols. The Needham-Schroeder public-key
protocol~\cite{needham-schroeder} has become a standard test case.
Proposed in 1978, it was found to be defective nearly two decades
later~\cite{lowe-fdr}. This toy protocol will be useful in demonstrating
how to verify protocols using Isabelle.
\index{Needham-Schroeder protocol|(}%
This protocol uses public-key cryptography. Each person has a private key, known only to
himself, and a public key, known to everybody. If Alice wants to send Bob a secret message, she
encrypts it using Bob's public key (which everybody knows), and sends it to Bob. Only Bob has the
matching private key, which is needed in order to decrypt Alice's message.
The core of the Needham-Schroeder protocol consists of three messages: \begin{alignat*}{2}
&1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\
&2.&\quad B\to A &: \comp{Na,Nb}\sb{Ka} \\
&3.&\quad A\to B &: \comp{Nb}\sb{Kb} \end{alignat*}
First, let's understand the notation. In the first message, Alice
sends Bob a message consisting of a nonce generated by Alice~($Na$)
paired with Alice's name~($A$) and encrypted using Bob's public
key~($Kb$). In the second message, Bob sends Alice a message
consisting of returns $Nb to Bob, encrypted usinghis public key
using 's key~(Ka$) thelastmessage
returnsmessage onlyhe couldhave
When receives ~2,sheknowsthatBob~3 assures Bob that Alice is
message, sinceonlyhecould decrypted
$\comp{Na,active.Buttheprotocolwas widely believed\cite{ban89}to a
ces arefor. Similarly, message3assuresBob thatAlicejava.lang.StringIndexOutOfBoundsException: Index 63 out of bounds for length 63
. protocol ~citeban89 tosatisfya
further property: that
$Na$laimtobefalse ifAlice runs the protocol with someone untrustworthy
protocols generate such shared secrets, which can be used
to lessen the reliance on slow public-key operations.)
Lowe\index{Lowe, Gavin|(} found this
tobefalse ifAliceruns theprotocolwith untrustworthy
(Charlie say), then he can start a new run with another agent (Bob say).
Charlie uses Alice as an oracle, masquerading as
to Bob~citelowe-fdr. \begin{alignat*}{4}
&1.&\quad A\to C &: \comp{Na,AAlice ~\ite{}. \ 1.\\toB :\{Asb}java.lang.NullPointerException
&&quadB Na\}
&3.&\quad 2&quad\ compNaNb\{Ka}java.lang.StringIndexOutOfBoundsException: Index 46 out of bounds for length 46
qquad\\\{}{} \end{alignat*}
In messages~1 and~3, Charlie removes the encryption using his private
key and re-encrypts Alice's messages using Bob's publickey.Bob is
leftthinking hehasruntheprotocolwith Alice, which was not
Alice's intention, and Bob isunaware thatthe `secret' nonces
knowntoCharlie This atypicalman-in-the-middle launched
by an insiderIf Charlie thesameattack receivethemessage
Whether this counts as an attack has been disputed. In protocols of this
,wenormallyassume thattheother ishonestTobehonest
means to obey the protocol rules, so Alice's running the protocol with
Charlie does not make her dishonest\{,,\{}.She therunand so
attack, Alice haswillBob.Below,weshall atpartsofthisprotocol' java.lang.StringIndexOutOfBoundsException: Index 71 out of bounds for length 71
ifyourunitwithabad. Bob have
grounds for complaint, however: thecouldbefound using model . ,
Alice (ho honest not
secrecy of the nonces.
nothaveto finite istoformalizetheoperational
semanticsofthesystemand to security usingjava.lang.StringIndexOutOfBoundsException: Index 67 out of bounds for length 67 \begininput input}
&inputPublic
{NS_Public \end{alignat*}
If Charlie tries the same attack, Alice will receive the message
$\comp{Na,Nb,B}\sb{Ka}$ when she was expecting to receive
$\comp{Na,Nb,C}\sb{Ka}$. She will abandon the run, and eventually so
will Bob. Below, we shall look at parts of this protocol's correctness
proof.
In ground-breaking work, Lowe~\cite{lowe-fdr}\index{Lowe, Gavin|)}
showed how such attacks
could be found automatically using a model checker. An alternative,
which we shall examine below, is to prove protocols correct. Proofs
can be done under more realistic assumptions because our model does
not have to be finite. The strategy is to formalize the operational
semantics of the system and to prove security properties using rule
induction.% \index{Needham-Schroeder protocol|)}
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung ist noch experimentell.
