Logical Analysis and Verification of Cryptographic Protocols - Loria
10 CHAPTER 1. INTRODUCTION
intercepted all messages between a and b. I can then later trick b into using the
key Kab as follows: first, I replays the message enc^s(⟨Kab, a⟩, Kbs) to b:
I ⇒ b : enc^s(⟨Kab, a⟩, Kbs)
Assuming that a has initiated a new conversation, b replies to a:
b ⇒ I(a) : enc^s(n′b, Kab)
I intercepts the message, deciphers it, and impersonates a's response:
I(a) ⇒ b : enc^s(n′b − 1, Kab)
Thereafter, I can send false messages to b that appear to be from a.
This attack, called a replay attack, is the most famous attack on the
Needham-Schroeder symmetric key protocol.
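The trace above can be replayed in a small symbolic model. This is an added example, not code from the original text: it assumes, as the trace implies when I deciphers b's challenge, that I knows the old key Kab. The issue-time field in the ticket, the `max_age` check (a timestamp check in the style of the fix proposed by Denning and Sacco) and all names are assumptions made for the illustration.

```python
# Symbolic model: terms are tuples and encryption is perfect, so a
# ciphertext opens only with the exact key it was built with.
def enc(msg, key):
    return ("enc", msg, key)

def dec(term, key):
    """Plaintext of a symbolic ciphertext, or None if the key does not match."""
    if isinstance(term, tuple) and len(term) == 3 and term[0] == "enc" and term[2] == key:
        return term[1]
    return None

class Responder:
    """Role b. With max_age set, b also checks the ticket's issue time (assumed extension)."""
    def __init__(self, kbs, max_age=None):
        self.kbs, self.max_age = kbs, max_age
        self.kab = self.nonce = None
        self.counter = 1000            # constructed nonce source, symbolic only

    def on_ticket(self, ticket, now):
        body = dec(ticket, self.kbs)
        if body is None:
            return None                # not encrypted under Kbs
        kab, peer, issued = body       # 'issued' is not in the original ticket format
        if self.max_age is not None and now - issued > self.max_age:
            return None                # stale ticket: refuse the replay
        self.counter += 1
        self.kab, self.nonce = kab, self.counter
        return enc(self.nonce, kab)    # b => a : enc(n'b, Kab)

    def on_response(self, msg):
        return self.kab is not None and dec(msg, self.kab) == self.nonce - 1

def replay(responder, recorded_ticket, known_key, now):
    """Intruder I replays an old ticket and answers b's challenge with known_key."""
    challenge = responder.on_ticket(recorded_ticket, now)
    n = dec(challenge, known_key) if challenge else None
    if n is None:
        return False                   # ticket refused, or I cannot open the challenge
    return responder.on_response(enc(n - 1, known_key))

# Constructed sample run: the ticket was issued at t=0, the replay happens at t=5000.
KBS, OLD_KAB = "Kbs", "Kab"
TICKET = enc((OLD_KAB, "a", 0), KBS)

def demo():
    return (replay(Responder(KBS), TICKET, OLD_KAB, now=5000),              # original b
            replay(Responder(KBS), TICKET, "guess", now=5000),              # Kab not known
            replay(Responder(KBS, max_age=60), TICKET, OLD_KAB, now=5000))  # timestamp check

if __name__ == "__main__":
    print(demo())
```

The original responder accepts the replayed ticket because nothing in enc^s(⟨Kab, a⟩, Kbs) ties it to the current session; the run fails only when I lacks Kab or when b can judge the ticket's age.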
1.4 Analysis of cryptographic protocols
1.4.1 Overview
Cryptographic protocols are programs designed to ensure secure electronic
communications between participants using an insecure network. They use
cryptographic primitives such as encryption schemes, signature schemes, hash
functions, and others to construct exchanged messages. These cryptographic
primitives are based on mathematical notions such as modular exponentiation
and elliptic curves, and on algorithmically hard problems such as factorisation
into prime numbers, extracting the modular logarithm, and others.
Unfortunately, the existence of cryptographic primitives is not sufficient to
ensure security, and several attacks have been found on established protocols [78, 2].
The most relevant example is the bug in the Needham-Schroeder public key
protocol [163], found by Lowe [144] using a model-checking tool. It took 17
years from the protocol's publication to find the attack, a man-in-the-middle
one. This situation shows that the design of a cryptographic protocol is tricky,
and that it is easy to get it wrong. Thus, one needs formal verification. In
the literature, we find two distinct worlds for the verification of cryptographic
protocols: the computational world and the symbolic world. Let us now briefly
review these two approaches:
The “computational” world<br />
In the computational models, also called probabilistic, cryptographic, or concrete
models, messages are bit strings, and the intruder is an arbitrary probabilistic
polynomial-time Turing machine. These models are closer to reality than