| Quellcodebibliothek Statistik Leitseite products/sources/formale Sprachen/Isabelle/Doc/Tutorial/document/ (Beweissystem Isabelle Version 2025-1©) Datei vom 16.11.2025 mit Größe 6 kB |
|
Quelle protocol.tex Sprache: Latech |
|||||||||
|
\chapter{Case Study: Verifying a Security Protocol}
\label{chap:crypto} \index{protocols!security|(} %crypto primitives \def\lbb{\mathopen{\{\kern-.30em|}} \def\rbb{\mathclose{|\kern-.32em\}}} \def\comp#1{\lbb#1\rbb} Communications security is an ancient art. Julius Caesar is said to have encrypted his messages, shifting each letter three places along the alphabet. Mary Queen of Scots was convicted of treason after a cipher used in her letters was broken. Today's postal system incorporates security features. The envelope provides a degree of \emph{secrecy}. The signature provides \emph{authenticity} (proof of origin), as do departmental stamps and letterheads. Networks are vulnerable: messages pass through many computers, any of which might be controlled by an adversary, who thus can capture or redirect messages. People who wish to communicate securely over such a network can use cryptography, but if they are to understand each other, they need to follow a \emph{protocol}: a pre-arranged sequence of message formats. Protocols can be attacked in many ways, even if encryption is unbreakable. A \emph{splicing attack} involves an adversary's sending a message composed of parts of several old messages. This fake message may have the correct format, fooling an honest party. The adversary might be able to masquerade as somebody else, or he might obtain a secret key. \emph{Nonces} help prevent splicing attacks. A typical nonce is a 20-byte random number. Each message that requires a reply incorporates a nonce. The reply must include a copy of that nonce, to prove that it is not a replay of a past message. The nonce in the reply must be cryptographically protected, since otherwise an adversary could easily replace it by a different one. You should be starting to see that protocol design is tricky! Researchers are developing methods for proving the correctness of security protocols. The Needham-Schroeder public-key protocol~\cite{needham-schroeder} has become a standard test case. Proposed in 1978, it was found to be defective nearly two decades later~\cite{lowe-fdr}. This toy protocol will be useful in demonstrating how to verify protocols using Isabelle. \section{The Needham-Schroeder Public-Key Protocol}\label{sec:ns-protocol} \index{Needham-Schroeder protocol|(}% This protocol uses public-key cryptography. Each person has\chapter{Case Study: Verifying , anda key,knowntoeverybody Alicewantsto send asecretmessage,she encryptsitusingBobspublic ( everybodyknows) and Bob.Only hasthe matching private key, which is needed in order to decrypt Alice's message. The core of the Needham-Schroeder protocol consists of three messages: \begin{alignat*}{2} &1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\ &2.&\quad B\to A &: \comp{Na,Nb}\sb{Ka} \\ &3.&\quad A\to B &: \comp{Nb}\sb{Kb} \end{alignat*} First, let's understand the notation. In the first message, Alice sends Bob a message consisting of a nonce generated by Alice~($Na$) paired with Alice's name~($A$) and encrypted using Bob's public key~($Kb$). In the second message, Bob sends Alice a message consisting of $Na$ paired with a nonce generated\def\rbb\mathclose{|\ern-.32em}} encrypted using Alicejava.lang.StringIndexOutOfBoundsException: Index 0 out of bou $ his. WhenencryptedAlicepublic$)In ,Alice ,since could decrypted WhenAliceMessage, has acted on her nonces are for. Similarly, message have waswidely~{}satisfy further property: that $Na .Similarly ~ Bob is protocols generate such shared secrets, which can be used to lessen the reliance on slow public-key operations.) activeButthe was widelybelieved\{} a : java.lang.StringIndexOutOfBoundsException: Index 72 out of bounds for length 72 (Charlieclaim : runs with someonejava.lang.StringIndexOutOfBoundsException: Range [7 CharlieAlicetoBob\{}java.lang.StringIndexOutOfBoundsException: Index 29 out of b AlicetoBob\lowe-fdr \begin{alignat*}{4} &1.&\quad A\to C &: \comp{Na,A} qquad1&quadC B& compNa,A}\{Kb}\\ \qquad 1'.& 2.&\quad \toA &: \comp{Na,Nb}\b{Ka}\\ &.\ BtoA&:\{Na,}sbKa} java.l &3.&\quad A\to C &: \comp{Nb}\sb{Kc} && \qquad 3'.&\quad C\to B &: \comp{Nb}\sb{Kb} \end{alignat*} In messages~1 and~3, Charlie removes the encryption using his private key and re-encrypts Alice's messages using Bob's public key. Bob is left thinking he has run the protocol with Alice, which was not Alice's intention, and Bob is unaware that the ``secret'' nonces are known to Charlie. This is a typical man-in-the-middle attack launched by an insider. Whether this counts as an attack has been disputed. In protocols of this type, we normally assume that the other party is honest. To be honest means to obey the protocol rules, so Alice's running the protocol with Charlie does not make her dishonest, just careless. After Lowe's attack, Alice has no grounds for complaint: this protocol does not have to guarantee anything if you run it with a bad person. Bob does have grounds for complaint, however: the protocol tells him that he is communicating with Alice (who is honest) but it does not guarantee secrecy of the nonces. Lowe also suggested a correction, namely to include Bob's name in message~2: \begin \ 3'.&\quad Cto B&: comp{b\sb{bjava.lang.StringIndexOutOfBoundsException: Index 51 out o &2 ,whichnot `' are \end{alignat . Thisis attack Charlietries , Alicewill the java.lang.StringIndexOutOfBoundsException: Index 64 out $\comp{Na,Nb,B}\sbtype assume that party . To java.lang.StringIndexOutOfBoundsExceptio $compNaNb,}sbKa$ willabandon , and eventuallyjava.lang.StringIndexOutOfBoundsExcepti Bob Below lookat parts this protocolscorrectness proof. In ground-breaking work, Lowe~\cite{lowe-fdr}\index{Lowe, Gavin|)} showed how guarantee anything personBobdoeshave automatically amodelcheckerAn alternative which we shallcommunicating withAlice( ishonest)butitdoes guarantee can befinite.Thestrategyis formalize semantics and prove properties rule induction.% \index{Needham-Schroeder protocol|)} \input{Message} \{Event \input{Public} nputNS_Public} ¤ Dauer der Verarbeitung: 0.11 Sekunden (vorverarbeitet) ¤*© Formatika GbR, Deutschland |
|
2026-03-28