成果软件开发2015参考文献floc06.pptx

Provable Implementations of Security Protocols Andrew D. Gordon Based on joint work with Karthikeyan Bhargavan, Cédric Fournet, and Stephen Tse Microsoft Research 2 The Needham-Schroeder Problem In Using encryption for authentication in large networks of computers (CACM 1978), Needham and Schroeder didn’t just initiate a field that led to widely deployed protocols like Kerberos, SSL, SSH, IPSec, etc. They threw down a gauntlet. “Protocols such as those developed here are prone to extremely subtle errors that are unlikely to be detected in normal operation. The need for techniques to verify the correctness of such protocols is great, and we encourage those interested in such problems to consider this area.” 3 Informal Methods The Explicitness Principle Robust security is about explicitness. A cryptographic protocol should make any necessary naming, typing and freshness information explicit in its messages; designers must also be explicit about their starting assumptions and goals, as well as any algorithm properties which could be used in an attack. Anderson and Needham Programming Satan’s Computer 1995 Informal lists of prudent practices enumerate common patterns in the extensive record of flawed protocols, and formulate positive advice for avoiding each pattern. (eg Abadi and Needham 1994, Anderson and Needham 1995) For instance, Lowe’s famous fix of the Needham-Schroeder PK protocol makes explicit that message 6, {|NA,B,NB|}KA, is sent by B, who is not mentioned in the original version of the message. 4 Formal Methods DolevYao first formalize NS problem in early 80s Public key decryption: {| {| M |}KA |}KA-1 = M Their work now widely recognised, but at the time, few proof techniques, and little applied In 1987, Burrows, Abadi and Needham (BAN) propose a systematic rule-based logic for reasoning about protocols If P believes that he shares a key K with Q, and sees the message M encrypted under K, then he will believe that Q once said M If P believes that the