Overview. Game-Based Verification of Fair Exchange Protocols. The Problem of Fair Exchange. Game-Theoretic Model. Protocol as a Game Tree

Similar documents
Game Analysis of Abuse-free Contract Signing

Game Analysis of Abuse-free Contract Signing

Fair Exchange Protocols

Fair exchange and non-repudiation protocols

Analysis of Probabilistic Contract Signing

Contract Signing, Optimism, and Advantage?

Overview. Symbolic Protocol Analysis. Protocol Analysis Techniques. Obtaining a Finite Model. Decidable Protocol Analysis. Strand Space Model

Verification of A Key Chain Based TTP Transparent CEM Protocol

Design and Analysis of Protocols The Spyce Way

Outline More Security Protocols CS 239 Computer Security February 4, 2004

CS 395T. Symbolic Constraint Solving

Monitoring Interfaces for Faults

How Formal Analysis and Verification Add Security to Blockchain-based Systems

OPTIMISTIC NON-REPUDIABLE INFORMATION EXCHANGE

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Formal Methods in Software Engineering. Lecture 07

Formal Verification of e-reputation Protocols 1

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Formal Methods for Software Development

CS505: Distributed Systems

1 A Tale of Two Lovers

Formal Methods and Cryptography

Exclusion-Freeness in Multi-party Exchange Protocols

PRISM-games: Verification and Strategy Synthesis for Stochastic Multi-player Games with Multiple Objectives

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

CS 395T. Formal Model for Secure Key Exchange

System Correctness. EEC 421/521: Software Engineering. System Correctness. The Problem at Hand. A system is correct when it meets its requirements

On the quest for impartiality: Design and analysis of a fair non-repudiation protocol

Security protocols, properties, and their monitoring Andreas Bauer, Jan Jürjens

A Tool for the Automated Verification of Nash Equilibria in Concurrent Games

Automatic Methods for Analyzing Non-repudiation Protocole with an Active Intruder

Theoretical Computer Science

Reminder: Homework 4. Due: Friday at the beginning of class

The NRL Protocol Analyzer. Outline. Motivations. Motivations

Design and Analysis of Security Protocols

Plaintext Awareness via Key Registration

Optimally Efficient Multi-Party Fair Exchange and Fair Secure Multi-Party Computation

Ambiguous Optimistic Fair Exchange

APPLICATIONS AND PROTOCOLS. Mihir Bellare UCSD 1

1 Defining Message authentication

Formal Methods for Cryptographic Protocol Analysis: Emerging Issues and Trends

Analysis Techniques. Protocol Verification by the Inductive Method. Analysis using theorem proving. Recall: protocol state space.

Introduction to Linear-Time Temporal Logic. CSE 814 Introduction to LTL

To be or not programmable Dimitri Papadimitriou, Bernard Sales Alcatel-Lucent April 2013 COPYRIGHT 2011 ALCATEL-LUCENT. ALL RIGHTS RESERVED.

Specifying Kerberos 5 Cross-Realm Authentication

Variants of Turing Machines

Rational Oblivious Transfer

Refining Computationally Sound Mech. Proofs for Kerberos

Securing services running over untrusted clouds : the two-tiered trust model

Yuval Ishai Technion

Automatic Synthesis of a Voting Machine Design

CHAPTER 4 VERIFIABLE ENCRYPTION OF AN ELLIPTIC CURVE DIGITAL SIGNATURE

Lecture 8 - Message Authentication Codes

Negations in Refinement Type Systems

Simplifying Itai-Rodeh Leader Election for Anonymous Rings

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Identification Schemes

Verification of JADE Agents Using ATL Model Checking

The Maude LTL Model Checker and Its Implementation

Isomorphisms between low n and computable Boolean algebras

Minimal message complexity of asynchronous multi-party contract signing

Self-stabilizing Population Protocols

Formal Specification and Verification

Cryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland

Formal Analysis and Verification of a Communication Protocol

Principles of Security Part 4: Authentication protocols Sections 1 and 2

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

Automatic Verification of Remote Electronic Voting Protocols

A Family of Trusted Third Party based Fair-Exchange Protocols

CS21 Decidability and Tractability

Secure Multi-Party Computation Without Agreement

Core Membership Computation for Succinct Representations of Coalitional Games

Discrete Mathematics Lecture 4. Harper Langston New York University

Symbolic Synthesis of Observability Requirements for Diagnosability

Formalizing and Analyzing Sender Invariance

Self Stabilization. CS553 Distributed Algorithms Prof. Ajay Kshemkalyani. by Islam Ismailov & Mohamed M. Ali

Security protocols and their verification. Mark Ryan University of Birmingham

Behavioural Equivalences and Abstraction Techniques. Natalia Sidorova

Sérgio Campos, Edmund Clarke

CS 395T. JFK Protocol in Applied Pi Calculus

Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2. Cas Cremers, ETH Zurich

T Reactive Systems: Kripke Structures and Automata

Algorithmic Verification. Algorithmic Verification. Model checking. Algorithmic verification. The software crisis (and hardware as well)

Caveat. Much of security-related stuff is mostly beyond my expertise. So coverage of this topic is very limited

CSc 225 Algorithms and Data Structures I Case Studies

Fairness versus Guaranteed Output Delivery in Secure Multiparty Computation

CS 395T. Analyzing SET with Inductive Method

An algebraic semantics and logic for Actor Networks

Implementation of Lexical Analysis

Security Analysis of Network Protocols. John Mitchell Stanford University

A Simpler Variant of Universally Composable Security for Standard Multiparty Computation

Areas related to SW verif. Trends in Software Validation. Your Expertise. Research Trends High level. Research Trends - Ex 2. Research Trends Ex 1

Lecture 10, Zero Knowledge Proofs, Secure Computation

MOCHA: Modularity in Model Checking??? Computing Science Research Center, Bell Laboratories.

Combined CPV-TLV Security Protocol Verifier

Parallel Model Checking of ω-automata

Quantitative Synthesis for Concurrent Programs

Model Checking Revision: Model Checking for Infinite Systems Revision: Traffic Light Controller (TLC) Revision: 1.12

More crypto and security

Rewriting Models of Boolean Programs

Transcription:

CS 259 Overview Game-ased Verification of Fair Exchange Protocols Vitaly Shmatikov Fair exchange protocols Protocols as games Security as presence or absence of certain strategies lternating transition systems Formal model for adversarial protocols lternating-time temporal logic Logic for reasoning about alternating transition systems Game-based verification of fair exchange Example: Garay-Jakobsson-MacKenzie protocol The Problem of Fair Exchange Game-Theoretic Model Signature (contract) Sorry, Signature you are (contract) fooled ;-) Malicious participant vs. external intruder Fair exchange protocols are designed to provide protection against misbehavior by protocol participants protocol can be viewed as a game dversarial behavior (e.g., lice vs. ob) Cooperative behavior (e.g., ob controls communication channel) Each protocol message is a game move Different sets of moves for different participants Four possible outcomes (for signature exchange) has s signature, has s signature has s signature, doesn t have s signature, etc. Honest players follow the protocol Dishonest players can make any Dolev-Yao move Send any message they can compute Wait instead of responding Reason about players game strategies Protocol as a Game Tree Define Properties on Game Trees (Y,N) (Y,Y) (Y,Y) (N,N) (N,Y) (N,Y) Every possible execution of the protocol is a path in the tree Players alternate their moves First sends a message, then, then dversary folded into dishonest player Every leaf labeled by an outcome (Y,Y) if has s signature and has s (Y,N) if only has s signature, etc. Natural concept of strategy has a strategy for getting s signature if, for any move can make, has a response move such that the game always terminates in some leaf state labeled (Y, ) (Y,N) (Y,Y) (Y,Y) (N,N) (N,Y) (N,Y) Fairness No leaf node is labeled (Y,N) or (N,Y) alance (for ) never has a strategy to reach (Y,Y) ND a strategy to reach (N,N) buse-freeness (for ) cannot prove that it has advantage Not trace-based properties (unlike secrecy and authentication) Very difficult to verify with symbolic analysis or process algebras 1

lternating Transition Systems Game variant of Kripke structures R. lur, T. Henzinger, O. Kupferman. lternatingtime temporal logic. FOCS 1997. Start by defining state space of the protocol Π is a set of propositions Σ is a set of players Q is a set of states Q 0 Q is a set of initial states π: Q 2 Π maps each state to the set of propositions that are true in the state So far, this is very similar to Murϕ Transition Function δ: Q Σ 2 2Q maps a state and a player to a nonempty set of choices, where each choice is a set of possible next states When the system is in state q, each player chooses a set Q a δ(q,a) The next state is the intersection of choices made by all players a Σ δ(q,a) The transition function must be defined in such a way that the intersection contains a unique state Informally, a player chooses a set of possible next states, then his opponents choose one of them Example: Two-Player TS Example: Computing Next State Σ = {lice, ob} s choices Σ = {lice, ob} p q p q Next state s choices p q If chooses this set can choose either state p q Next state lternating-time Temporal Logic Propositions p Π ϕ or ϕ 1 ϕ 2 where ϕ,ϕ 1,ϕ 2 are TL formulas ϕ, ϕ, ϕ 1 Uϕ 2 where Σ is a set of players, ϕ,ϕ 1,ϕ 2 are TL formulas These formulas express the ability of coalition to achieve a certain outcome,, U are standard temporal operators (similar to what we saw in PCTL) Define ϕ as true U ϕ Strategies in TL strategy for a player a Σ is a mapping f a :Q + 2 Q such that for all prefixes λ Q* and all states q Q, f a (λ q) δ(q,a) For each player, strategy maps any sequence of states to a set of possible next states Informally, the strategy tells the player in each state what to do next Note that the player cannot choose the next state. He can only choose a set of possible next states, and opponents will choose one of them as the next state. 2

Temporal TL Formulas (I) ϕ iff there exists a set F a of strategies, one executions λ out(q,f a ) ϕ holds in first state λ[1] Here out(q,f a ) is the set of all future executions assuming the players follow the strategies prescribed by F a, i.e., λ=q 0 q 1 q 2 out(q,f a ) if q 0 =q and i q i+1 a f a (λ[0,i]) Informally, ϕ holds if coalition has a strategy such that ϕ always holds in the next state Temporal TL Formulas (II) ϕ iff there exists a set F a of strategies, one executions λ out(q,f a ) ϕ holds in all states Informally, ϕ holds if coalition has a strategy such that ϕ holds in every execution state ϕ iff there exists a set F a of strategies, one executions λ out(q,f a ) ϕ eventually holds in some state Informally, ϕ holds if coalition has a strategy such that ϕ is true at some point in every execution Protocol Description Language buse-free Contract Signing Guarded command language Very similar to PRISM input language (proposed by the same people) Each action described as [] guard command guardis a boolean predicate over state variables commandis an update predicate, same as in PRISM Simple example: []SigM1 SendM2 Stop -> SendMr1 :=true; [Garay, Jakobsson, MacKenzie Crypto 99] PCS (text,,t) PCS (text,,t) sig (text) sig (text) Role of Trusted Third Party T can convert PCS to regular signature Resolve the protocol, when requested by either player T can issue an abort token Promise not to resolve protocol in future T acts only when requested Decides whether to abort or resolve on a first-come-first-served basis Only gets involved if requested by or Resolve Subprotocol r 1 = PCS (text,,t), sig (text) sig T (a 1 ) or sig (text)??? PCS (text,,t) PCS (text,,t) T r 2 aborted? Yes: r 2 = sig T (a 1 ) No: resolved := true r 2 = sig (text) store sig (text) 3

bort Subprotocol m 1 = PCS (text,,t)??? sig (text) OR sig T (a 1 ) a 1 =sig (m 1,abort) a 2 T resolved? Yes: a 2 = sig (text) No: aborted := true a 2 = sig T (a 1 ) Fairness in TL,Com (contract h contract ) ob in collaboration with communication channels does not have a strategy to reach a state in which ob has lice s signature but honest lice does not have a strategy to reach a state in which lice has ob s signature Timeliness + Fairness in TL h (stop ( contract,com contract )) Honest lice always has a strategy to reach a state in which she can stop the protocol and if she does not have ob s contract then ob does not have a strategy to obtain lice s signature even if he controls communication channels buse-freeness in TL (provetoc contract (aborted h contract )) lice doesn t have a strategy to reach state in which she can prove to Charlie that she has a strategy to obtain ob s contract ND a strategy to abort the protocol, i.e., reach a state where lice has received abort token and ob doesn t have a strategy to obtain lice s signature Modeling TTP and Communication Trusted third party is impartial This is modeled by defining a unique TTP strategy TTP has no choice: in every state, the next action is uniquely determined by its only strategy Can model protocol under different assumptions about communication channels Unreliable: infinite delay possible, order not guaranteed dd idle action to the channel state machine Resilient: finite delays, order not guaranteed dd idle action + special constraints to ensure that every message is eventually delivered (rule out infinite delay) Operational: immediate transmission MOCH Model Checker Model checker specifically designed for verifying alternating transition systems System behavior specified as guarded commands Essentially the same as PRISM input, except that transitions are nondeterministic (as in in Murϕ), not probabilistic Property specified as TL formula Slang scripting language Makes writing protocol specifications easier Try online implementation! http://www-cad.eecs.berkeley.edu/~mocha/trial/ 4

ibliography R. lur, T. Henzinger, O. Kupferman. lternating-time temporal logic. FOCS 97. Introduces alternating transition systems and TL logic R. lur, T. Henzinger, F. Mang, S. Qadeer, S. Rajamani, S. Tasiran. MOCH: modularity in model checking. CV 98. Introduces MOCH model checker for alternating transition systems http://www.cis.upenn.edu/~mocha/ MOCH web page S. Kremer and J.-F. Raskin. game-based verification of nonrepudiation and fair exchange protocols. J. of Computer Security 11(3), 2003. Detailed study of fair exchange protocols using TL and MOCH S. Kremer and J.-F. Raskin. Game-based analysis of abuse-free contract signing. CSFW 03. Model checking abuse-freeness with MOCH 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback