Date post: | 16-Jan-2016 |
Category: |
Documents |
Upload: | pauline-patrick |
View: | 214 times |
Download: | 0 times |
A Logic of Belief and a A Logic of Belief and a Model Checking Algorithm Model Checking Algorithm
for for Security ProtocolsSecurity Protocols
joint work with Massimo Benerecetti
Fausto GiunchigliaUniversity of [email protected]
Logics of Beliefs for Logics of Beliefs for Security ProtocolsSecurity Protocols
BAN Logic (Borrows, Abadi & Needham)
Concentrate on beliefs of trustworthy principals and on their evolution as consequence of communication
Logics of Beliefs for Logics of Beliefs for Security ProtocolsSecurity Protocols
BAN Logic (Borrows, Abadi & Needham)
Concentrate on beliefs of trustworthy principals and on their evolution as consequence of communication
Some Extensions
Abadi & Tuttle (AT Logic) Gong, Needham & Yahalom (GNY Logic) Boyd & Mao
Logics of Beliefs for Logics of Beliefs for Security ProtocolsSecurity Protocols
BAN Logic (Borrows, Abadi & Needham)
Concentrate on beliefs of trustworthy principals and on their evolution as consequence of communication
Some Extensions
Abadi & Tuttle (AT Logic) Gong, Needham & Yahalom (GNY Logic) Boyd & Mao
Attempts to automate reasoning in BAN
Kindred & Wing (Theory Building)
The ApproachThe Approach
Define a Logic of Belief and Time
The ApproachThe Approach
Define a Logic of Belief and Time
A Model Checking Algorithm for this logic
The ApproachThe Approach
Define a Logic of Belief and Time
A Model Checking Algorithm for this logic
Built on top of CTL model checking
Define a Logic of Belief and Time
A Model Checking Algorithm for this logic
Built on top of CTL model checking
Integration with existing tools
(e.g. NuSMV)
The ApproachThe Approach
Example: The Andrew ProtocolExample: The Andrew Protocol
1 A B : {NA}KAB
2 B A : {NA,NB}KAB
3 A B : {NB}KAB
4 B A : {KAB,N
B}KAB
Example Property: at the end of the protocol session, A believes that B believes that K’
AB is a "good shared key" for communication between them.
Example: The Andrew ProtocolExample: The Andrew Protocol
1 A B : {NA}KAB
2 B A : {NA,NB}KAB
3 A B : {NB}KAB
4 B A : {KAB,N
B}KAB
1 A B : {NA}KAB
2 B A : {NA,NB}KAB
3 A B : {NB}KAB
4 B A : {KAB,N
B}KAB
Example: Attack to the Andrew Example: Attack to the Andrew Protocol Protocol
1 A B : {NA}KAB
2 B A : {NA,NB}KAB
3 A B : {NB}KAB
4 B A : {KAB,N
B}KAB
1 A B : {NA}Kab
2 B A : {NA,N
B}Kab
3 A B : {NB}KAB
4 I(B) A : {KAB,N
B}KAB
Example: Attack to the Andrew Example: Attack to the Andrew Protocol Protocol
Outline of the TalkOutline of the Talk
Intuitions
Outline of the TalkOutline of the Talk
Intuitions
MultiAgent Temporal Logic (MATL)
MultiAgent Finite State Machine (MAFSM)
The Model Checking Algorithm (MAMC)
Outline of the TalkOutline of the Talk
Intuitions
MultiAgent Temporal Logic (MATL)
MultiAgent Finite State Machine (MAFSM)
The Model Checking Algorithm (MAMC)
Model of the Andrew Protocol in MAFSM
Outline of the TalkOutline of the Talk
Intuitions
MultiAgent Temporal Logic (MATL)
MultiAgent Finite State Machine (MAFSM)
The Model Checking Algorithm (MAMC)
Model of the Andrew Protocol in MAFSM
Conclusion and Future Work
IntuitionsIntuitions
IntuitionsIntuitionsPrincipals have two orthogonal aspects:
Temporal Evolution: when we consider the temporal evolution (CTL), formulae expressing beliefs are treated as atomic propositions.
IntuitionsIntuitionsPrincipals have two orthogonal aspects:
Temporal Evolution: when we consider the temporal evolution (CTL), formulae expressing beliefs are treated as atomic propositions.
Beliefs: "a principal ascribing beliefs to another one" means that it has access to a representation of the second principal as a process.
IntuitionsIntuitionsPrincipals have two orthogonal aspects:
Temporal Evolution: when we consider the temporal evolution (CTL), formulae expressing beliefs are treated as atomic propositions.
Beliefs: "a principal ascribing beliefs to another one" means that it has access to a representation of the second principal as a process.
PrincipalA
PrincipalB
IntuitionsIntuitions
PrincipalA
PrincipalB
A' s Repr. of B
Principals have two orthogonal aspects:
Temporal Evolution: when we consider the temporal evolution (CTL), formulae expressing beliefs are treated as atomic propositions.
Beliefs: "a principal ascribing beliefs to another one" means that it has access to a representation of the second principal as a process.
IntuitionsIntuitions
PrincipalA
PrincipalB
A' s Repr. of B
BB?
Principals have two orthogonal aspects:
Temporal Evolution: when we consider the temporal evolution (CTL), formulae expressing beliefs are treated as atomic propositions.
Beliefs: "a principal ascribing beliefs to another one" means that it has access to a representation of the second principal as a process.
IntuitionsIntuitions
PrincipalA
PrincipalB
A' s Repr. of B
?
BB?
Principals have two orthogonal aspects:
Temporal Evolution: when we consider the temporal evolution (CTL), formulae expressing beliefs are treated as atomic propositions.
Beliefs: "a principal ascribing beliefs to another one" means that it has access to a representation of the second principal as a process.
MultiAgent Temporal LogicMultiAgent Temporal Logic(MATL)(MATL)
.........
BA BB
BBBA BBBBBABBBABA
...
To each level of nesting of beliefs we associate a Representation of a process evolving over time.
MATL: ViewsMATL: Views
.........
BA BB
BBBA BBBBBABBBABA
...
Each Representation is called a View
MATL: ViewsMATL: Views
To each level of nesting of beliefs we associate a Representation of a process evolving over time.
Views represent the beliefs about a principal's evolution during the protocol
View the protocol as seen by the external observer (the analyser's point of view)
View BA 's beliefs about the evolution of principal A.
View BB 's beliefs about the evolution of principal B.
View BABB ('s beliefs about) A's beliefs about the evolution of principal B
....
MATL: ViewsMATL: Views
MATL: ViewsMATL: Views
.
BA BB
BBBA BBBBBABBBABA
.. .. .. ..
* is the set of (possibly empty)
strings of the form BX1···BXn
MATL: Language MATL: Language
We associate to each view a language
The language of each view allows for expressing properties of the process associated with that view
............
BA BB
BBBA BBBBBABBBABA
MATL: LanguageMATL: Language
............
BA BB
BBBA BBBBBABBBABA
BB
MATL: LanguageMATL: Language
............
BA BB
BBBA BBBBBABBBABA
BABB
BB
MATL: LanguageMATL: Language
......
......
BA BB
BBBA BBBBBABBBABA
BABB
BB
BBBA
BA
MATL: LanguageMATL: Language
MATL: LanguageMATL: Language
To each view we associate the smallest CTL language containing:
a finite set of Propositional Atoms
the set of Atoms = {BX| is a formula of BX}
that is the Belief Atoms of the form BX for each
formula of view BX
MATL: LanguageMATL: Language
To each view we associate the smallest CTL language containing:
a finite set of Propositional Atoms
the set of Atoms = {BX| is a formula of BX}
that is the Belief Atoms of the form BX for each
formula of view BX
Example
AG(BABBP) is a formula of view
MATL: LanguageMATL: Language
Definition: Given a family {} of sets of propositional atoms, the family of MATL languages on is the family of CTL languages {}
MATL: LanguageMATL: Language
Definition: Given a family {} of sets of propositional atoms, the family of MATL languages on is the family of CTL languages {}
A MATL formula belonging to is denoted by
Example
AG(BABBP) denotes the formula AG(BABBP) of view
MultiAgent Finite State MachineMultiAgent Finite State Machine(MAFSM)(MAFSM)
MAFSM: IntuitionsMAFSM: Intuitions
Model Checking employs Finite State Machines
We extend the notion of FSM to accommodate beliefs
We associate the Finite State Machine of a process to each view
MAFSM: IntuitionsMAFSM: Intuitions
Model Checking employs Finite State Machines
We extend the notion of FSM to accommodate beliefs
We associate the Finite State Machine of a process to each view
Restriction:
We consider only a finite number of views
MultiAgent Finite State MachineMultiAgent Finite State Machine
.
BA BB
BBBA BBBBBABBBABA
.. .. .. ..
* is the set of (possibly empty)
strings of the form BX1···BXn
MultiAgent Finite State MachineMultiAgent Finite State Machine
.
BA BB
BBBA BBBBBABBBABA
.. .. .. ..
n
MultiAgent Finite State MachineMultiAgent Finite State Machine
.
BA BB
BBBA BBBBBABBBABA
.. .. .. ..
n
n is a finite subset of strings in *
MultiAgent Finite State MachineMultiAgent Finite State MachineWe associate the Finite State Machine of a process to each view in n
BA BB
BA BB BBBA
MultiAgent Finite State MachineMultiAgent Finite State MachineWe associate the Finite State Machine of a process to each view in n
BA BB
BA BB BBBA
Problem: there's a infinite number of Belief Atoms in each view!
Explicit Belief AtomsExplicit Belief Atoms
Solution: chose a finite number of Belief Atoms (Explicit Beliefs Atoms) as state variables of the FSM of a view.
s
s' s''
BX
BX
Explicit Belief AtomsExplicit Belief Atoms
Explicit Belief Atoms induce a Compatibility Relation among states in different views.
s
s' s''
BX
B
X
Implicit Belief AtomsImplicit Belief AtomsImplicit Belief Atoms are the infinite set of Belief Atoms which are not Explicit
BX
BXBX
B
X
Implicit Belief AtomsImplicit Belief AtomsSatisfiability of Implicit Belief Atims in a state is computed via Compatibility Relation
BX
BXBX
BX
Implicit Belief AtomsImplicit Belief Atoms
Explicit Belief Atoms are used to assess the truth of Implicit Belief Atoms
BX
BXBX
Satisfiability of Implicit Belief Atims in a state is computed via Compatibility Relation
BX
MultiAgent Finite State MachineMultiAgent Finite State MachineA MAFSM is a set of FSMs plus compatibility relations induced by Explicit Belief Atoms among them.
BA BB
BA BB BBBA
MAFSM: From Trees to GraphsMAFSM: From Trees to Graphs
The definition of MAFSM as a Tree of FSMs (one for each view):
does not allow for arbitrary nesting of beliefs: “a priori” bound on the length of each branch of the tree.
MAFSM: From Trees to GraphsMAFSM: From Trees to Graphs
The definition of MAFS as a Tree of FSMs (one for each view):
does not allow for arbitrary nesting of beliefs: “a priori” bound on the length of each branch of the tree.
needs a distinct specification of each view even when it is not necessary: often in security protocol we can safely assume that the
protocol is publicly known and each (honest) principal behaviour is completely known to the other principals;
in some cases distinct views of that principal could be modelled by the same process (FSM).
MAFSM: From Trees to GraphsMAFSM: From Trees to Graphs
Solution:
allow for cycles in MAFSM;
a MAFSM becomes a Graph of views
MultiAgent Finite State MachineMultiAgent Finite State Machine
A MAFSM is a set of FSMs plus compatibility relations induced by Explicit Belief Atoms among them.
BBBA
Model Checking AlgorithmModel Checking Algorithm(MAMC)(MAMC)
MultiAgent Model Checking MultiAgent Model Checking AlgorithmAlgorithm
To check the formula in view , the algorithm performs three steps:
recursively descend the tree of views performing Steps 2 and 3 on the sub-formulas inside the BDI atoms at each step.
MultiAgent Model Checking MultiAgent Model Checking AlgorithmAlgorithm
To check the formula in view , the algorithm performs three steps:
recursively descend the tree of views performing Steps 2 and 3 on the sub-formulas inside the BDI atoms at each step.
compute for each state s the BDI atoms occurring in true at s.
MultiAgent Model Checking MultiAgent Model Checking AlgorithmAlgorithm
To check the formula in view , the algorithm performs three steps:
recursively descend the tree of views performing Steps 2 and 3 on the sub-formulas inside the BDI atoms at each step.
compute for each state s the BDI atoms occurring in true at s.
call the standard CTL model checking algorithm (treating BDI atoms as atomic formulas).
MultiAgent Model Checking AlgorithmMultiAgent Model Checking Algorithm
BB
BA
AG (BA BB )
MultiAgent Model Checking AlgorithmMultiAgent Model Checking Algorithm
BB
BAImplicit Belief Atom
AG (BA BB )
MultiAgent Model Checking AlgorithmMultiAgent Model Checking Algorithm
BB
BA
Implicit Belief Atom
AG (BA BB )
BB
MultiAgent Model Checking AlgorithmMultiAgent Model Checking Algorithm
BB
BA
AG (BA BB )
BB
MultiAgent Model Checking AlgorithmMultiAgent Model Checking Algorithm
BB
BA
AG (BA BB )
BB
MultiAgent Model Checking AlgorithmMultiAgent Model Checking Algorithm
BB
BA
AG (BA BB )
BB
AG (BA BB )
MultiAgent Model Checking AlgorithmMultiAgent Model Checking Algorithm
BB
BA
BB
AG (BA BB )
MultiAgent Model Checking AlgorithmMultiAgent Model Checking Algorithm
BB
BA
BB
Model of the Andrew ProtocolModel of the Andrew Protocol
Beliefs in Security ProtocolsBeliefs in Security Protocols
Each Principal is seen as a process able to have Beliefs about other principal
BX means that principal "X believes " to be true
Beliefs in Security ProtocolsBeliefs in Security Protocols
Each Principal is seen as a process able to have Beliefs about other principal
BX means that principal "X believes " to be true
Beliefs evolve over time (as messages are sent/received)
Beliefs in Security ProtocolsBeliefs in Security Protocols
Each Principal is seen as a process able to have Beliefs about other principal
BX means that principal "X believes " to be true
Beliefs evolve over time (as messages are sent/received)
Beliefs can be nested
Example (from BAN)
At the end of the protocol session:
A believes that B believes that K'AB is a "good shared
key" for communication between them.
Beliefs in Security ProtocolsBeliefs in Security Protocols
Each Principal is seen as a process able to have Beliefs about other principal
BX means that principal "X believes " to be true
Beliefs evolve over time (as messages are sent/received)
Beliefs can be nested
Example (from BAN)
At the end of the protocol session:
A believes that B believes that K'AB is a "good shared
key" for communication between them.
recA {K'AB,N'B}KAB BA fresh NA BA BB shk K'AB
Model of the Andrew ProtocolModel of the Andrew Protocol
External Observer a process (the protocol) ascribing beliefs to agents A and B
Agent A a process ascribing beliefs to agent B
Agent B a process ascribing beliefs to agent A
1 A B : {NA}KAB
2 B A : {NA,NB}KAB
3 A B : {NB}KAB
4 B A : {KAB,N
B}KAB
Model of the Andrew ProtocolModel of the Andrew Protocol
All these entities are modeled as processes accessing other agents' representations (views).
External Observer a process (the protocol) ascribing beliefs to agents A and B
Agent A a process ascribing beliefs to agent B
Agent B a process ascribing beliefs to agent A
1 A B : {NA}KAB
2 B A : {NA,NB}KAB
3 A B : {NB}KAB
4 B A : {KAB,N
B}KAB
Model of the Andrew ProtocolModel of the Andrew Protocol
BA BBBA BB BABB
(BBBA , BA) (i.e. BBBA and BA are modelled by the same process)
(BABB , BB) (i.e. BABB and BB are modelled by the same process)
Model of the Andrew ProtocolModel of the Andrew Protocol
To specify a MAFSM we need to specify the following elements:
Propositional Atoms Message variables
Freshness variables
Model of the Andrew ProtocolModel of the Andrew Protocol
To specify a MAFSM we need to specify the following elements:
Propositional Atoms Message variables
Freshness variables
Explicit Belief Atoms
Model of the Andrew ProtocolModel of the Andrew Protocol
To specify a MAFSM we need to specify the following elements:
Propositional Atoms Message variables
Freshness variables
Explicit Belief Atoms
How Atoms’ truth values vary during the protocol execution
Propositional Atoms : Message Propositional Atoms : Message VariablesVariables
We need to model principal sending and receiving messages
Propositional Atoms : Message Propositional Atoms : Message VariablesVariables
We need to model principal sending and receiving messages
Boolean varibles
Propositional Atoms : Message Propositional Atoms : Message VariablesVariables
We need to model principal sending and receiving messages
Boolean varibles
View BA
send {NA}KAB
rec {NA,NB}KAB
... rec {K'AB,N'B}KAB
Propositional Atoms : Message Propositional Atoms : Message VariablesVariables
View BB
rec {NA}KAB
send {NA,NB}KAB
... send {K'AB,N'B}KAB
View BA
send {NA}KAB
rec {NA,NB}KAB
...rec {K'AB,N'B}KAB
We need to model principal sending and receiving messages
Boolean varibles
Propositional Atoms : Message Propositional Atoms : Message VariablesVariables
View
recA {NA}KAB
sendAB {NA,NB}KAB
... sendAB {K'AB,N'B}KAB
View BA
send {NA}KAB
rec {NA,NB}KAB
...rec {K'AB,N'B}KAB
View BB
rec {NA}KAB
send {NA,NB}KAB
...send {K'AB,N'B}KAB
We need to model principal sending and receiving messages
Boolean varibles
Propositional Atoms : Message Propositional Atoms : Message VariablesVariables
Message Variables Evolution
Once they become true they remain stable
View BA
sendB {NA}KAB
rec {NA,NB}KAB
...rec {K'AB,N'B}KAB
View BB
rec {NA}KAB
sendA {NA,NB}KAB
...sendA {K'AB,N'B}KAB
View
recA {NA}KAB
sendAB {NA,NB}KAB
...sendAB {K'AB,N'B}KAB
Propositional Atoms : Message Propositional Atoms : Message VariablesVariables
View BA
sendB {NA}KAB
rec {NA,NB}KAB
...rec {K'AB,N'B}KAB
View BB
rec {NA}KAB
sendA {NA,NB}KAB
...sendA {K'AB,N'B}KAB
View
recA {NA}KAB
sendAB {NA,NB}KAB
...sendAB {K'AB,N'B}KAB
Message Variables Evolution
Once they become true they remain stable
Evolve following the order of messages in the protocol
Example: Evolution of Message Example: Evolution of Message VariablesVariables
send {NA}KAB
rec {NA,NB}KAB
Message variables evolve following the order of messages in the protocol
A has not sent/received any message
Example: Evolution of Message Example: Evolution of Message VariablesVariables
send {NA}KAB
rec {NA,NB}KAB
Message variables evolve following the order of messages in the protocol
A has sent Message 1
send {NA}KAB
rec {NA,NB}KAB
Example: Evolution of Message Example: Evolution of Message VariablesVariables
send {NA}KAB
rec {NA,NB}KAB
Message variables evolve following the order of messages in the protocol
send {NA}KAB
rec {NA,NB}KAB
send {NA}KAB
rec {NA,NB}KAB
A has received Message 2
Propositional Atoms : Freshness Propositional Atoms : Freshness VariablesVariables
We need to express basic properties of messages: freshness
Boolean varibles
View BA
fresh NA
...
fresh{K'AB,N'B}KAB
shk K'AB
Propositional Atoms : Freshness Propositional Atoms : Freshness VariablesVariables
View BA
fresh NB
...
fresh{K'AB,N'B}KAB
shk K'AB
View BA
fresh NA
...
fresh{K'AB,N'B}KAB
shk K'AB
We need to express basic properties of messages: freshness
Boolean varibles
Propositional Atoms : Freshness Propositional Atoms : Freshness VariablesVariables
View BA
fresh NA
…
fresh{K'AB,N'B}KAB
shk K'AB
View
fresh NA
...
fresh{K'AB,N'B}KAB
shk K'AB
View BB
fresh NB
...
fresh{K'AB,N'B}KAB
shk K'AB
We need to express basic properties of messages: freshness
Boolean varibles
Propositional Atoms : Freshness Propositional Atoms : Freshness VariablesVariables
Freshness Variables Evolution
Once they become true they remain stable
View BA
fresh NA
…
fresh{K'AB,N'B}KAB
shk K'AB
View BB
fresh NB
...
fresh{K'AB,N'B}KAB
shk K'AB
View
fresh NA
...
fresh{K'AB,N'B}KAB
shk K'AB
Propositional Atoms : Freshness Propositional Atoms : Freshness VariablesVariables
View BA
fresh NA
...
fresh{K'AB,N'B}KAB
shk K'AB
View BB
fresh NB
...
fresh{K'AB,N'B}KAB
shk K'AB
View
fresh NA
...
fresh{K'AB,N'B}KAB
shk K'AB
Freshness Variables Evolution
Once they become true they remain stable
Must satisfy some additional contraints
Evolution of Freshness VariablesEvolution of Freshness Variables
fresh {NA,NB}KAB fresh NA fresh NB
...
Evolution of Freshness VariablesEvolution of Freshness Variables
BA
fresh {NA,NB}KAB (fresh NA fresh NB) rec{NA,NB}KAB
fresh {K'AB,N'B}KAB (fresh K'AB fresh N'B) rec{K'AB,N'B}KAB
…
fresh {NA,NB}KAB fresh NA fresh NB
...
Evolution of Freshness VariablesEvolution of Freshness Variables
fresh {NA,NB}KAB fresh NA fresh NB
...
BA
fresh {NA,NB}KAB (fresh NA fresh NB) rec{NA,NB}KAB
fresh {K'AB,N'B}KAB (fresh K'AB fresh N'B) rec{K'AB,N'B}KAB..
BB
fresh {K'AB,N'B}KAB (fresh K'AB fresh N'B) rec{K'AB,N'B}KAB
fresh {K'AB,N'B}KAB shk K'AB
...
Explicit Beliefs AtomsExplicit Beliefs Atoms
View BA
BB sendA {K'AB,N'B}KAB
...
We need to express beliefs about (other) principal sending/receiving messages
Boolean varibles
Explicit Beliefs AtomsExplicit Beliefs Atoms
We need to express beliefs about (other) principal sending/receiving messages
Boolean varibles
View BA
BB sendA {K'AB,N'B}KAB
...
View BB
BA sendB {NA}KAB
...
Explicit Belief AtomsExplicit Belief Atoms
We need to express beliefs about (other) principal sending/receiving messages
Boolean varibles
View BA
BB sendA {K'AB,N'B}KAB
...
View BB
BA sendB {NA}KAB
…
View
BA rec {K'AB,N'B}KAB
BB sendA {K'AB,N'B}KAB
...
Explicit Belief AtomsExplicit Belief Atoms
Explicit Belief Atoms Evolution
Once they become true they remain stable
Must satisfy some additional contraints
View
BA rec {K'AB,N'B}KAB
BB sendA {K'AB,N'B}KAB
…
View BA
BB sendA {K'AB,N'B}KAB
...
View BB
BA sendB {NA}KAB
…
Evolution of Explicit Belief AtomsEvolution of Explicit Belief Atoms
recA {K'AB,N'B}KAB BA rec {K'AB,N'B}KAB
…
Evolution of Explicit Belief AtomsEvolution of Explicit Belief Atoms
recA {K'AB,N'B}KAB BA rec {K'AB,N'B}KAB
...
BA
rec {K'AB,N'B}KAB BB sendA {K'AB,N'B}KAB
fresh {K'AB,N'B}KAB BB fresh {K'AB,N'B}KAB
…
Evolution of Explicit Belief AtomsEvolution of Explicit Belief Atoms
recA {K'AB,N'B}KAB BA rec {K'AB,N'B}KAB
...
BA
rec {K'AB,N'B}KAB BB sendA {K'AB,N'B}KAB
fresh {K'AB,N'B}KAB BB fresh {K'AB,N'B}KAB
...
BB
rec {NB}KAB BA sendB {NB}KAB
fresh {NB}KAB BA fresh {NB}KAB
...
Checking the Andrew ProtocolChecking the Andrew Protocol
BB
BA
AG(rec {K'AB,N'B}KAB BA fresh NA BABB shk K'AB)
A security property for the Andrew Protocol
Checking the Andrew ProtocolChecking the Andrew Protocol
BB
BA
BB shk K'AB
shk K'AB
AG(rec {K'AB,N'B}KAB BA fresh NA BABB shk K'AB)
Checking the Andrew ProtocolChecking the Andrew Protocol
BB
BB shk K'AB
shk K'AB
fresh {K'AB,N'B}KAB shk K'AB
AG(rec {K'AB,N'B}KAB BA fresh NA BABB shk K'AB)
BA
Checking the Andrew ProtocolChecking the Andrew Protocol
BB
BB shk K'AB
shk K'AB
rec {K'AB,N'B}KAB BB sendA {K'AB,N'B}KAB
fresh {K'AB,N'B}KAB BB fresh {K'AB,N'B}KAB
(fresh K'AB fresh N'B) rec {K'AB,N'B}KAB fresh {K'AB,N'B}KAB
AG(rec {K'AB,N'B}KAB BA fresh NA BABB shk K'AB)
BA
Checking the Andrew ProtocolChecking the Andrew Protocol
BB
BB shk K'AB
shk K'AB
rec {K'AB,N'B}KAB BB sendA {K'AB,N'B}KAB
fresh {K'AB,N'B}KAB BB fresh {K'AB,N'B}KAB
(fresh K'AB fresh N'B) rec {K'AB,N'B}KAB fresh {K'AB,N'B}KAB
AG(rec {K'AB,N'B}KAB BA fresh NA BABB shk K'AB)
BA
Checking the Andrew ProtocolChecking the Andrew Protocol
BB
BB shk K'AB
shk K'AB
AG(rec {K'AB,N'B}KAB BA fresh NA BABB shk K'AB)
BA
recA {K'AB,N'B}KAB BA rec {K'AB,N'B}KAB
Checking the Andrew ProtocolChecking the Andrew Protocol
BB
BB shk K'AB
shk K'AB
AG(rec {K'AB,N'B}KAB BA fresh NA BABB shk K'AB)
BA
recA {K'AB,N'B}KAB BA rec {K'AB,N'B}KAB
The property doesn’t holdof the Andrew Protocol
ConclusionsConclusions
A Model-Checking based Verification Procedure for Security Protocols
Logic of Beliefs MultiAgent Finite State Machine Model Checking Algorithm
ConclusionsConclusions
A Model-Checking based Verification Procedure for Security Protocols
Logic of Beliefs MultiAgent Finite State Machine Model Checking Algorithm
Future Work Implementation (ongoing work) Experimental Analysis Extension of the logic and comparison with other
logics