formal models for security and authenticityayala/events/12seminf2015mbenevides.pdf · formal models...
TRANSCRIPT
![Page 1: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/1.jpg)
Formal Models for Security andAuthenticity
Escola de Verão - Matemática - UnB
Mario BenevidesFederal University of Rio de Janeiro - Brazil
Fev-2015
UnB2015 – p. 1/??
![Page 2: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/2.jpg)
Roteiro• Lógica Clássica Proposicional
UnB2015 – p. 2/??
![Page 3: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/3.jpg)
Roteiro• Lógica Clássica Proposicional
• Lógica Clássica de 1a Ordem
UnB2015 – p. 2/??
![Page 4: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/4.jpg)
Roteiro• Lógica Clássica Proposicional
• Lógica Clássica de 1a Ordem
• Lógicas Modais
UnB2015 – p. 2/??
![Page 5: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/5.jpg)
Roteiro• Lógica Clássica Proposicional
• Lógica Clássica de 1a Ordem
• Lógicas Modais
• Lógica Epistêmica Multi-Agente
UnB2015 – p. 2/??
![Page 6: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/6.jpg)
Roteiro• Lógica Clássica Proposicional
• Lógica Clássica de 1a Ordem
• Lógicas Modais
• Lógica Epistêmica Multi-Agente
• Formalismos Lógicos/ Algébricos para Segurança e
Autenticação
UnB2015 – p. 2/??
![Page 7: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/7.jpg)
Roteiro• Modelo de Dolev Yao: On the Security of Public Key
Protocols - 1983
UnB2015 – p. 3/??
![Page 8: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/8.jpg)
Roteiro• Modelo de Dolev Yao: On the Security of Public Key
Protocols - 1983
• Reconciling Two Views of Cryptography (The
Computational Soundness of Formal Encryption) - M.
Abadi and P. Rogaway - 2000
UnB2015 – p. 3/??
![Page 9: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/9.jpg)
Roteiro• Modelo de Dolev Yao: On the Security of Public Key
Protocols - 1983
• Reconciling Two Views of Cryptography (The
Computational Soundness of Formal Encryption) - M.
Abadi and P. Rogaway - 2000
• SPi Calculus: A Calculus for Cryptographic Protocols: The
Spi Calculus - M. Abadi and A. Gordon - 1999
UnB2015 – p. 3/??
![Page 10: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/10.jpg)
Roteiro• Modelo de Dolev Yao: On the Security of Public Key
Protocols - 1983
• Reconciling Two Views of Cryptography (The
Computational Soundness of Formal Encryption) - M.
Abadi and P. Rogaway - 2000
• SPi Calculus: A Calculus for Cryptographic Protocols: The
Spi Calculus - M. Abadi and A. Gordon - 1999
• BAN Logic: A Logic of Authentication - M. Burrows, M.
Abadi, and R. Needham - 1990
UnB2015 – p. 3/??
![Page 11: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/11.jpg)
Roteiro• Modelo de Dolev Yao: On the Security of Public Key
Protocols - 1983
• Reconciling Two Views of Cryptography (The
Computational Soundness of Formal Encryption) - M.
Abadi and P. Rogaway - 2000
• SPi Calculus: A Calculus for Cryptographic Protocols: The
Spi Calculus - M. Abadi and A. Gordon - 1999
• BAN Logic: A Logic of Authentication - M. Burrows, M.
Abadi, and R. Needham - 1990
• Dolev/Yao Multi-Agent Epistemic Logic
UnB2015 – p. 3/??
![Page 12: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/12.jpg)
Motivação• Dois Grupos
UnB2015 – p. 4/??
![Page 13: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/13.jpg)
Motivação• Dois Grupos
• Lógicos=⇒ Dedução
− BAN Logic: A Logic of Authentication - M. Burrows,
M. Abadi, and R. Needham - 1990
− Dolev/Yao Multi-Agent Epistemic Logic
UnB2015 – p. 4/??
![Page 14: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/14.jpg)
Motivação• Dois Grupos
• Lógicos=⇒ Dedução
− BAN Logic: A Logic of Authentication - M. Burrows,
M. Abadi, and R. Needham - 1990
− Dolev/Yao Multi-Agent Epistemic Logic
• Algébrica=⇒ Equivalência entre Expressões
− SPi Calculus: - M. Abadi and A. Gordon - 1999
− Reconciling Two Views of Cryptography - M. Abadi
and P. Rogaway - 2000
UnB2015 – p. 4/??
![Page 15: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/15.jpg)
Lógica Clássica Proposicional
• Poder Expressão:
• Problema 1: Dada uma fórmulaϕ comcomprimento n e uma valoração v para ossímbolos proposicionais. Qual a complexidade dese calcular o valor para a atribuiçãov?
O(n)
• Problema 2: Dada fórmulaϕ com comprimenton e m símbolos proposicionais. Verificar se existealguma valoração que satisfazϕ.
O(2m.n) – NP-Completo
UnB2015 – p. 5/??
![Page 16: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/16.jpg)
Lógica Clássica de 1a Ordem
• Poder Expressão:
• Problema 1 (Satisfabilidade):Dada umafórmulaϕ uma estruturaE . Qual a complexidadede calcular o valor verdade deϕ?
Indecidıvel
• Problema 2 (Validade):Dada fórmulaϕ.Verificar se existe alguma estruturaE satisfazϕ.
Indecidıvel
UnB2015 – p. 6/??
![Page 17: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/17.jpg)
Poder Expressão: Est. Finitas
• Problema 1 (Satisfabilidade/Verificação deModelos): Dada uma fórmulaϕ uma estruturafinita E . Qual a complexidade de calcular valorverdade deϕ?
PSPACE-Completo
• Problema 2 (Validade):Dada fórmulaϕ.Verificar se existe alguma estruturafinita E quesatisfazϕ.
Indecidıvel
UnB2015 – p. 7/??
![Page 18: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/18.jpg)
Lógicas Modais
• Linguagem Modal
• Conjunto de Proposições atômicas
ϕ ::= p | ϕ1 ∧ ϕ2 | ϕ1 ∨ ϕ2 | ϕ1 → ϕ2 | ¬ϕ |2ϕ | ♦ϕ
• 2p: todo mundo que eu vejo marcoup como V
• 3p: alguém que eu vejo marcoup como V
UnB2015 – p. 8/??
![Page 19: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/19.jpg)
Semântica Modal
• Mundos Possíveis/Estados• Fórmulas são avaliadas em grafosF = (W,R)
W é um conjunto não-vazio deestados eR é uma relação binária emW
s1 s2
s3 s4
s5
Figura 1: Exemplo de um Frame.UnB2015 – p. 9/??
![Page 20: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/20.jpg)
Semântica Modal
• Fórmulas são avaliadas em grafosF = (W,R)rotulados com proposições atômicas
• modelo M = (F, V ) ondeF = (W,R) é umframe eV é uma função associa a cadap o conjunto
de estados nos quaisp é verdadeiro
s1 s2
s3 s4
s5
p
p
p,q
q,r
Figura 2: Exemplo de um Modelo.UnB2015 – p. 10/??
![Page 21: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/21.jpg)
Satisfação• M,w p ssew ∈ V (p)(∀p ∈ Φ)
• M,w ¬ϕ iff M,w 6 ϕ,
• M,w ϕ→ ϕ′ sseM,w 2 ϕ ouM,w ϕ′
• M,w ϕ ∧ ϕ′ sseM,w ϕ eM,w ϕ′
• M,w ϕ ∨ ϕ′ sseM,w ϕ ouM,w ϕ′
• M,w 2ϕ sse para todow′ ∈ W sewRw′ implicaM,w′
ϕ
• M,w ♦ϕ sse existew′ ∈ W , wRw′ eM,w′ ϕ
UnB2015 – p. 11/??
![Page 22: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/22.jpg)
Modalidades× Lógica Modal• Modalidades
√
• Tempo• Conhecimento: Saber e Acreditar• Obrigação e Permição
UnB2015 – p. 12/??
![Page 23: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/23.jpg)
Modalidades× Lógica Modal• Modalidades
√
• Tempo• Conhecimento: Saber e Acreditar• Obrigação e Permição
• Lógica Modal???
UnB2015 – p. 12/??
![Page 24: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/24.jpg)
Modalidades× Lógica Modal• Modalidades
√
• Tempo• Conhecimento: Saber e Acreditar• Obrigação e Permição
• Lógica Modal???• Será que posso expressarModalidadesem
LCPO???
UnB2015 – p. 12/??
![Page 25: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/25.jpg)
Modalidades× Lógica Modal• Modalidades
√
• Tempo• Conhecimento: Saber e Acreditar• Obrigação e Permição
• Lógica Modal???• Será que posso expressarModalidadesem
LCPO???• Resposta: SIM eNÃO
UnB2015 – p. 12/??
![Page 26: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/26.jpg)
Modalidades× Lógica Modal• Modalidades
√
• Tempo• Conhecimento: Saber e Acreditar• Obrigação e Permição
• Lógica Modal???• Será que posso expressarModalidadesem
LCPO???• Resposta: SIM eNÃO• Modelo: SIM
UnB2015 – p. 12/??
![Page 27: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/27.jpg)
Modalidades× Lógica Modal• Modalidades
√
• Tempo• Conhecimento: Saber e Acreditar• Obrigação e Permição
• Lógica Modal???• Será que posso expressarModalidadesem
LCPO???• Resposta: SIM eNÃO• Modelo: SIM• Validade: NÃO - Nem Sempre
UnB2015 – p. 12/??
![Page 28: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/28.jpg)
Comlexidade e Expressividade
• Verificacao de ModelosO(|ϕ| × (|W |+ |R|))
UnB2015 – p. 13/??
![Page 29: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/29.jpg)
Comlexidade e Expressividade
• Verificacao de ModelosO(|ϕ| × (|W |+ |R|))
• Validade: paraK , T eS4éPSPACE-Completo.
UnB2015 – p. 13/??
![Page 30: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/30.jpg)
Comlexidade e Expressividade
• Verificacao de ModelosO(|ϕ| × (|W |+ |R|))
• Validade: paraK , T eS4éPSPACE-Completo.
• Validade: paraS5éNP-Completo.
UnB2015 – p. 13/??
![Page 31: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/31.jpg)
Comlexidade e Expressividade
• Verificacao de ModelosO(|ϕ| × (|W |+ |R|))
• Validade: paraK , T eS4éPSPACE-Completo.
• Validade: paraS5éNP-Completo.
• P⊆ NP⊆ PSPACE⊆ EXPTIME
UnB2015 – p. 13/??
![Page 32: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/32.jpg)
Comlexidade e Expressividade
• Verificacao de ModelosO(|ϕ| × (|W |+ |R|))
• Validade: paraK , T eS4éPSPACE-Completo.
• Validade: paraS5éNP-Completo.
• P⊆ NP⊆ PSPACE⊆ EXPTIME
• Validade: EXPTIME -Completo,• Lógica Dinâmica Proposicional PDL• Lógica Epistêmica Multi-agente (c/
Conhecimento Comum)• CTL - Computation Tree Logic (Tempotal)• µ-Calculus (Menor Ponto Fixo)
UnB2015 – p. 13/??
![Page 33: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/33.jpg)
Lóg. Epistêmica Multi-agentes
• Conjunto Finito de AgentesG = a, b, c, ...
• Duas modalidades para cada agente• Kaϕ - ana saberϕ• Baϕ - ana acredita emϕ• Baϕ = ¬Ka¬ϕ• Modalidades de Grupos:• EGϕ - o grupoG sabeϕ• CGϕ - ϕ é de conhecimento comum do grupoG
UnB2015 – p. 14/??
![Page 34: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/34.jpg)
Modelando Conhecimento• Agentes: ana ebeto
UnB2015 – p. 15/??
![Page 35: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/35.jpg)
Modelando Conhecimento• Agentes: ana ebeto• Carta contendo a informação:
p = "ana ganhou R$ 1,00"
¬p = "ananaoganhou R$ 1,00"
UnB2015 – p. 15/??
![Page 36: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/36.jpg)
Modelando Conhecimento• Agentes: ana ebeto• Carta contendo a informação:
p = "ana ganhou R$ 1,00"
¬p = "ananaoganhou R$ 1,00"
• envelope lacrado e sobre a mesa
UnB2015 – p. 15/??
![Page 37: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/37.jpg)
Modelando Conhecimento• Agentes: ana ebeto• Carta contendo a informação:
p = "ana ganhou R$ 1,00"
¬p = "ananaoganhou R$ 1,00"
• envelope lacrado e sobre a mesa• O que ana e beto sabem?
UnB2015 – p. 15/??
![Page 38: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/38.jpg)
Modelando Conhecimento• Dois estados possíveis para ana e beto
s1 s2a, b
UnB2015 – p. 16/??
![Page 39: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/39.jpg)
Modelando Conhecimento• Dois estados possíveis para ana e beto
• s1 = "ana ganhou R$ 1,00"⇒ p
s1 s2a, b
UnB2015 – p. 16/??
![Page 40: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/40.jpg)
Modelando Conhecimento• Dois estados possíveis para ana e beto
• s1 = "ana ganhou R$ 1,00"⇒ p
• s2 = "ana não ganhou R$ 1,00"⇒ ¬p
s1 s2a, b
UnB2015 – p. 16/??
![Page 41: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/41.jpg)
Modelando Conhecimento• Dois estados possíveis para ana e beto
• s1 = "ana ganhou R$ 1,00"⇒ p
• s2 = "ana não ganhou R$ 1,00"⇒ ¬p• ana e beto não sabem se estão ems1 ous2
s1 s2a, b
UnB2015 – p. 16/??
![Page 42: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/42.jpg)
Modelando Conhecimento• Dois estados possíveis para ana e beto
• s1 = "ana ganhou R$ 1,00"⇒ p
• s2 = "ana não ganhou R$ 1,00"⇒ ¬p• ana e beto não sabem se estão ems1 ous2• Ka¬Kbp - ana sabe que beto não sabep
s1 s2a, b
UnB2015 – p. 16/??
![Page 43: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/43.jpg)
Modelando Conhecimento• Dois estados possíveis para ana e beto
• s1 = "ana ganhou R$ 1,00"⇒ p
• s2 = "ana não ganhou R$ 1,00"⇒ ¬p• ana e beto não sabem se estão ems1 ous2• Ka¬Kbp - ana sabe que beto não sabep
• EG¬Kbp - o grupo sabe que beto não sabep
s1 s2a, b
UnB2015 – p. 16/??
![Page 44: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/44.jpg)
Modelando Conhecimento• Dois estados possíveis para ana e beto
• s1 = "ana ganhou R$ 1,00"⇒ p
• s2 = "ana não ganhou R$ 1,00"⇒ ¬p• ana e beto não sabem se estão ems1 ous2• Ka¬Kbp - ana sabe que beto não sabep
• EG¬Kbp - o grupo sabe que beto não sabep
• CG¬Kbp - conhecimento comum q beto ñ sabep
s1 s2a, b
UnB2015 – p. 16/??
![Page 45: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/45.jpg)
Lógica Epistêmica - Linguagem• Alfabeto
• Φ conj. contável de símbolos prop.,• A conjunto finito de agentes,• ¬ e∧ conectivos booleanos,• Ka uma modalidade para cada agentea,• CG uma modalidade para cada agentea.
• Linguagem
ϕ ::= p | ⊤ | ¬ϕ | ϕ1 ∧ ϕ2 | Kaϕ | CGϕ
ondep ∈ Φ, a ∈ A.UnB2015 – p. 17/??
![Page 46: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/46.jpg)
Semântica• Um frame é um parF = (W,∼a) onde
• W é um conjunto não-vazio deestados;• ∼a é uma relação binária para cada agentea• Reflexiva• Transitiva• Simétrica
• ∼G=⋃
a∈G ∼a
• ∼⋆G fecho reflexivo transitivo de∼G
• Um modelo é um parM = (F, V ) onde• F = (W,R) é umframe e• V é uma função que faz corresponder a todo
símb. prop.p ∈ Φ o conjunto de estados nosquaisp é satisfeito, i.e.,V : Φ 7−→ Pow(W ).
UnB2015 – p. 18/??
![Page 47: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/47.jpg)
Semântica
• Dada uma estruturaM = 〈S,∼a, V 〉
M, s |= p iff s ∈ V (p)
M, s |= ¬φ iff M, s 6|= φ
M, s |= φ ∧ ψ iff M, s |= φ eM, s |= ψ
M, s |= Kaφ iff ∀t : s ∼a t implicaM, t |= φ
M, s |= CGφ iff ∀t : s ∼⋆G t implicaM, t |= φ
UnB2015 – p. 19/??
![Page 48: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/48.jpg)
Axiomatização• Axiomas
1. Tautologias proposicionais,2. Ka(ϕ→ ψ)→ (Kaϕ→ Kaψ),3. Kaϕ→ ϕ,4. Kaϕ→ KaKaϕ (+ introspection),5. ¬Kaϕ→ Ka¬Kaϕ (− introspection),6. CG(ϕ→ ψ)→ (CGϕ→ CGψ),7. CGϕ→ (ϕ ∧ EGCGϕ)
8. CG(ϕ→ EGϕ)→ (ϕ→ CGϕ) Indução
• Regras de inferenciaM.P.ϕ, ϕ→ ψ/ψ U.G.ϕ/Kaϕ
UnB2015 – p. 20/??
![Page 49: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/49.jpg)
Comlexidade e Expressividade
• Verificacao de ModelosO(|ϕ| × (|W |+ |R|))
UnB2015 – p. 21/??
![Page 50: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/50.jpg)
Comlexidade e Expressividade
• Verificacao de ModelosO(|ϕ| × (|W |+ |R|))
• Validade: EXPTIME -Completo
UnB2015 – p. 21/??
![Page 51: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/51.jpg)
Comlexidade e Expressividade
• Verificacao de ModelosO(|ϕ| × (|W |+ |R|))
• Validade: EXPTIME -Completo
• Modelo Finito
UnB2015 – p. 21/??
![Page 52: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/52.jpg)
Lógica Modal
• Porque
UnB2015 – p. 22/??
![Page 53: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/53.jpg)
Lógica Modal
• Porque
• Onde
UnB2015 – p. 22/??
![Page 54: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/54.jpg)
Lógica Modal
• Porque
• Onde
• Quando
UnB2015 – p. 22/??
![Page 55: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/55.jpg)
Lógica Modal: Porque
• Decidıveis
UnB2015 – p. 23/??
![Page 56: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/56.jpg)
Lógica Modal: Porque
• Decidıveis
• Modelo Finito
UnB2015 – p. 23/??
![Page 57: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/57.jpg)
Lógica Modal: Porque
• Decidıveis
• Modelo Finito
• Verificacao de Modelos: Polinomial
UnB2015 – p. 23/??
![Page 58: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/58.jpg)
Lógica Modal: Onde
• Grafos Rotulados
UnB2015 – p. 24/??
![Page 59: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/59.jpg)
Lógica Modal: Onde
• Grafos Rotulados
• Falar de propriedades que valem em grafosrotulados
UnB2015 – p. 24/??
![Page 60: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/60.jpg)
Lógica Modal: Onde
• Grafos Rotulados
• Falar de propriedades que valem em grafosrotulados
• Propriedades que não podem ser expressas emLCPO
UnB2015 – p. 24/??
![Page 61: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/61.jpg)
Lógica Modal: Onde
• Grafos Rotulados
• Falar de propriedades que valem em grafosrotulados
• Propriedades que não podem ser expressas emLCPO
• Fecho Transitivo: Iteração, ConhecimentoComum, Until
UnB2015 – p. 24/??
![Page 62: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/62.jpg)
Lógica Modal: Onde
• Grafos Rotulados
• Falar de propriedades que valem em grafosrotulados
• Propriedades que não podem ser expressas emLCPO
• Fecho Transitivo: Iteração, ConhecimentoComum, Until
• Ponto Fixo: Menor e MaiorUnB2015 – p. 24/??
![Page 63: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/63.jpg)
Lógica Modal: Quando
• Modelo:
Lóg. Modais correspondem ao fragmento deLCPO invariante por Bissimulação
UnB2015 – p. 25/??
![Page 64: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/64.jpg)
Lógica Modal: Quando
• Modelo:
Lóg. Modais correspondem ao fragmento deLCPO invariante por Bissimulação
• Bissimulacao: InformalmenteIsomorfismoParcial entre estruturas
UnB2015 – p. 25/??
![Page 65: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/65.jpg)
Lógica Modal: Quando
• Modelo:
Lóg. Modais correspondem ao fragmento deLCPO invariante por Bissimulação
• Bissimulacao: InformalmenteIsomorfismoParcial entre estruturas
• LM não distingui Modelos bissimilares
UnB2015 – p. 25/??
![Page 66: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/66.jpg)
Lógica Modal: Quando
• Modelo:
Lóg. Modais correspondem ao fragmento deLCPO invariante por Bissimulação
• Bissimulacao: InformalmenteIsomorfismoParcial entre estruturas
• LM não distingui Modelos bissimilares
• LM boa para falar de propriedades que sãoInvariantes por bissimulação
UnB2015 – p. 25/??
![Page 67: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/67.jpg)
Lógica Modal: Quando Não• Hamiltonian Graphs:
Existe um ciclo que percorre todos os nósexatamente uma vez.
1
2 3
4
a b
c
5 d
UnB2015 – p. 26/??
![Page 68: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/68.jpg)
Lógica Modal: Quando Não• Hamiltonian Graphs:
Existe um ciclo que percorre todos os nósexatamente uma vez.
1
2 3
4
a b
c
5 d
• Hamiltonian property is not modally definable.
UnB2015 – p. 26/??
![Page 69: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/69.jpg)
Lógica Modal: Quando Não• Hamiltonian Graphs:
Existe um ciclo que percorre todos os nósexatamente uma vez.
1
2 3
4
a b
c
5 d
• Hamiltonian property is not modally definable.• O que fazer???: Lógicas Hibridas, Memory
Logics , etc...UnB2015 – p. 26/??
![Page 70: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/70.jpg)
Modelo de Dolev & Yao• On the Security of Public Key Protocols
UnB2015 – p. 27/??
![Page 71: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/71.jpg)
Modelo de Dolev & Yao• On the Security of Public Key Protocols• D. Dolev and A. Yao, EEE Transactions on
Information Theory, 29(2):198–208, 1983.
UnB2015 – p. 27/??
![Page 72: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/72.jpg)
Modelo de Dolev & Yao• On the Security of Public Key Protocols• D. Dolev and A. Yao, EEE Transactions on
Information Theory, 29(2):198–208, 1983.
• Model: Public Key Protocols
UnB2015 – p. 27/??
![Page 73: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/73.jpg)
Modelo de Dolev & Yao• On the Security of Public Key Protocols• D. Dolev and A. Yao, EEE Transactions on
Information Theory, 29(2):198–208, 1983.
• Model: Public Key Protocols
• Perfect Criptography
UnB2015 – p. 27/??
![Page 74: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/74.jpg)
Modelo de Dolev & Yao• On the Security of Public Key Protocols• D. Dolev and A. Yao, EEE Transactions on
Information Theory, 29(2):198–208, 1983.
• Model: Public Key Protocols
• Perfect Criptography• Formal Model to Verify Protocols
UnB2015 – p. 27/??
![Page 75: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/75.jpg)
Modelo de Dolev & Yao• On the Security of Public Key Protocols• D. Dolev and A. Yao, EEE Transactions on
Information Theory, 29(2):198–208, 1983.
• Model: Public Key Protocols
• Perfect Criptography• Formal Model to Verify Protocols• Logical Level
UnB2015 – p. 27/??
![Page 76: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/76.jpg)
Modelo de Dolev & Yao• On the Security of Public Key Protocols• D. Dolev and A. Yao, EEE Transactions on
Information Theory, 29(2):198–208, 1983.
• Model: Public Key Protocols
• Perfect Criptography• Formal Model to Verify Protocols• Logical Level• NOT Encription Level.
UnB2015 – p. 27/??
![Page 77: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/77.jpg)
Modelo de Dolev & Yao• Model: Public Key Protocols
UnB2015 – p. 28/??
![Page 78: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/78.jpg)
Modelo de Dolev & Yao• Model: Public Key Protocols
• encryption functionEX (public)
UnB2015 – p. 28/??
![Page 79: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/79.jpg)
Modelo de Dolev & Yao• Model: Public Key Protocols
• encryption functionEX (public)• decryption functionDX (known only by userX)
UnB2015 – p. 28/??
![Page 80: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/80.jpg)
Modelo de Dolev & Yao• Model: Public Key Protocols
• encryption functionEX (public)• decryption functionDX (known only by userX)• Requirements:
UnB2015 – p. 28/??
![Page 81: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/81.jpg)
Modelo de Dolev & Yao• Model: Public Key Protocols
• encryption functionEX (public)• decryption functionDX (known only by userX)• Requirements:
• DXEX(M) =M
UnB2015 – p. 28/??
![Page 82: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/82.jpg)
Modelo de Dolev & Yao• Model: Public Key Protocols
• encryption functionEX (public)• decryption functionDX (known only by userX)• Requirements:
• DXEX(M) =M
• for any userY knowingEX(M) does not revealanything aboutM
UnB2015 – p. 28/??
![Page 83: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/83.jpg)
Example 1: Dolev & Yao ModelA sends msgM toB
A // (A,EB(M), B) //B
IntruderZ intercepts the message sent fromA toB
IntruderZ sends message(Z,EB(M), B) toB
A //
(A,EB(M),B)
��❃❃❃
❃❃❃❃
❃❃❃❃
❃❃❃❃
❃ | //B
Z
(Z,EB(M),B)
??⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧
UnB2015 – p. 29/??
![Page 84: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/84.jpg)
Example 1: Dolev & Yao ModelB sends message(B,EZ(M), Z) toZ
A //
(A,EB(M),B)
��❃❃❃
❃❃❃❃
❃❃❃❃
❃❃❃❃
❃ | //B
(B,EZ(M),Z)
��⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧
Z
IntruderZ decodesEZ(M) and obtainsM
UnB2015 – p. 30/??
![Page 85: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/85.jpg)
Example 2: Dolev & Yao ModelA sends msgMA toB andB replies to the user thatis encrypted with the messageM and not to the sender
A // (A,EB(MA), B) //B
IntruderZ intercepts the message sent fromA toB
IntruderZ sends message(Z,EB(MA), B) toB
A //
(A,EB(MA),B)
��❃❃❃
❃❃❃❃
❃❃❃❃
❃❃❃❃
❃ | //B
Z
(Z,EB(MA),B)
??⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧
UnB2015 – p. 31/??
![Page 86: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/86.jpg)
Example 2: Dolev & Yao ModelB sends message(B,EA(MB), Z) toZ
A //
(A,EB(MA),B)
��❃❃❃
❃❃❃❃
❃❃❃❃
❃❃❃❃
❃ | //B
(B,EA(MB),Z)
��⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧
Z
IntruderZ cannotdecodeEA(MB) to obtainM
It can be proved that this protocol in secure againstarbitrary behaviour of the intruder.
UnB2015 – p. 32/??
![Page 87: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/87.jpg)
Rules : Dolev & Yao Model
• These rules are not presented in the original paper
UnB2015 – p. 33/??
![Page 88: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/88.jpg)
Rules : Dolev & Yao Model
• These rules are not presented in the original paper• but they can easily be obtained from the theory
presented there.
UnB2015 – p. 33/??
![Page 89: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/89.jpg)
Rules : Dolev & Yao Model
• These rules are not presented in the original paper• but they can easily be obtained from the theory
presented there.
• We are assuming a setK = {K1, ...} of keys
UnB2015 – p. 33/??
![Page 90: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/90.jpg)
Rules : Dolev & Yao Model
• These rules are not presented in the original paper• but they can easily be obtained from the theory
presented there.
• We are assuming a setK = {K1, ...} of keys
• Encryption function{M}K , which encrypt amessageM under keyK.
UnB2015 – p. 33/??
![Page 91: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/91.jpg)
Rules : Dolev & Yao Model
• These rules are not presented in the original paper• but they can easily be obtained from the theory
presented there.
• We are assuming a setK = {K1, ...} of keys
• Encryption function{M}K , which encrypt amessageM under keyK.
• An user can only decrypt a encrypted message{M}K if He knows the keyK.
UnB2015 – p. 33/??
![Page 92: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/92.jpg)
Rules : Dolev & Yao Model
• These rules are not presented in the original paper• but they can easily be obtained from the theory
presented there.
• We are assuming a setK = {K1, ...} of keys
• Encryption function{M}K , which encrypt amessageM under keyK.
• An user can only decrypt a encrypted message{M}K if He knows the keyK.
• Let T be all the informationZ has.UnB2015 – p. 33/??
![Page 93: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/93.jpg)
Rules : Dolev & Yao ModelReflexivity
M ∈ TT ⊢M
Encryption Decryption
T ⊢ K T ⊢MT ⊢ {M}K
T ⊢ {M}K T ⊢ KT ⊢M
Pair − Composition Pair −Decomposition
T ⊢M T ⊢ NT ⊢ (M,N)
T ⊢ (M,N)
T ⊢MT ⊢ (M,N)
T ⊢ N
UnB2015 – p. 34/??
![Page 94: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/94.jpg)
Proving Example 11. T = {Z}
UnB2015 – p. 35/??
![Page 95: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/95.jpg)
Proving Example 11. T = {Z}2. IntruderZ intercepts the message sent fromA toB: T = {Z, (A, (EB(M), B))}
UnB2015 – p. 35/??
![Page 96: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/96.jpg)
Proving Example 11. T = {Z}2. IntruderZ intercepts the message sent fromA toB: T = {Z, (A, (EB(M), B))}
2.1 Applying reflexivity to 2.:T = {Z, (A, (EB(M), B))} ⊢ Z
UnB2015 – p. 35/??
![Page 97: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/97.jpg)
Proving Example 11. T = {Z}2. IntruderZ intercepts the message sent fromA toB: T = {Z, (A, (EB(M), B))}
2.1 Applying reflexivity to 2.:T = {Z, (A, (EB(M), B))} ⊢ Z
2.2 Applying reflexivity to 2.:T = {Z, (A, (EB(M), B))} ⊢ (A, (EB(M), B)
UnB2015 – p. 35/??
![Page 98: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/98.jpg)
Proving Example 11. T = {Z}2. IntruderZ intercepts the message sent fromA toB: T = {Z, (A, (EB(M), B))}
2.1 Applying reflexivity to 2.:T = {Z, (A, (EB(M), B))} ⊢ Z
2.2 Applying reflexivity to 2.:T = {Z, (A, (EB(M), B))} ⊢ (A, (EB(M), B)
2.3 Applying pair decomposition to 2.2:T = {Z, (A, (EB(M), B))} ⊢ (EB(M), B)
UnB2015 – p. 35/??
![Page 99: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/99.jpg)
Proving Example 11. T = {Z}2. IntruderZ intercepts the message sent fromA toB: T = {Z, (A, (EB(M), B))}
2.1 Applying reflexivity to 2.:T = {Z, (A, (EB(M), B))} ⊢ Z
2.2 Applying reflexivity to 2.:T = {Z, (A, (EB(M), B))} ⊢ (A, (EB(M), B)
2.3 Applying pair decomposition to 2.2:T = {Z, (A, (EB(M), B))} ⊢ (EB(M), B)
2.4 Applying pair composition to 2.1 and 2.3:T = {Z, (A, (EB(M), B))} ⊢ (Z, (EB(M), B))
UnB2015 – p. 35/??
![Page 100: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/100.jpg)
Proving Example 13. IntruderZ sends message(Z,EB(M), B) toB:T = {Z, (A, (EB(M), B))}
UnB2015 – p. 36/??
![Page 101: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/101.jpg)
Proving Example 13. IntruderZ sends message(Z,EB(M), B) toB:T = {Z, (A, (EB(M), B))}
4. B sends message(B,EZ(M), Z) toZ:T = {Z, (A, (EB(M), B)), (B, (EZ(M), Z))}
UnB2015 – p. 36/??
![Page 102: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/102.jpg)
Proving Example 13. IntruderZ sends message(Z,EB(M), B) toB:T = {Z, (A, (EB(M), B))}
4. B sends message(B,EZ(M), Z) toZ:T = {Z, (A, (EB(M), B)), (B, (EZ(M), Z))}
4.1 Reflexivity to 4.:T ⊢ (B, (EZ(M), Z))
UnB2015 – p. 36/??
![Page 103: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/103.jpg)
Proving Example 13. IntruderZ sends message(Z,EB(M), B) toB:T = {Z, (A, (EB(M), B))}
4. B sends message(B,EZ(M), Z) toZ:T = {Z, (A, (EB(M), B)), (B, (EZ(M), Z))}
4.1 Reflexivity to 4.:T ⊢ (B, (EZ(M), Z))
4.2 Pair decomposition to 4.1:T ⊢ (EZ(M), Z)
UnB2015 – p. 36/??
![Page 104: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/104.jpg)
Proving Example 13. IntruderZ sends message(Z,EB(M), B) toB:T = {Z, (A, (EB(M), B))}
4. B sends message(B,EZ(M), Z) toZ:T = {Z, (A, (EB(M), B)), (B, (EZ(M), Z))}
4.1 Reflexivity to 4.:T ⊢ (B, (EZ(M), Z))
4.2 Pair decomposition to 4.1:T ⊢ (EZ(M), Z)
4.3 Pair decomposition to 4.2:T ⊢ EZ(M)
UnB2015 – p. 36/??
![Page 105: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/105.jpg)
Proving Example 13. IntruderZ sends message(Z,EB(M), B) toB:T = {Z, (A, (EB(M), B))}
4. B sends message(B,EZ(M), Z) toZ:T = {Z, (A, (EB(M), B)), (B, (EZ(M), Z))}
4.1 Reflexivity to 4.:T ⊢ (B, (EZ(M), Z))
4.2 Pair decomposition to 4.1:T ⊢ (EZ(M), Z)
4.3 Pair decomposition to 4.2:T ⊢ EZ(M)
4.4 Pair decomposition to 4.2:T ⊢ Z
UnB2015 – p. 36/??
![Page 106: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/106.jpg)
Proving Example 13. IntruderZ sends message(Z,EB(M), B) toB:T = {Z, (A, (EB(M), B))}
4. B sends message(B,EZ(M), Z) toZ:T = {Z, (A, (EB(M), B)), (B, (EZ(M), Z))}
4.1 Reflexivity to 4.:T ⊢ (B, (EZ(M), Z))
4.2 Pair decomposition to 4.1:T ⊢ (EZ(M), Z)
4.3 Pair decomposition to 4.2:T ⊢ EZ(M)
4.4 Pair decomposition to 4.2:T ⊢ Z4.5 Applying Decryption rule to 4.3 and 4.4 we
obtain:T ⊢M
UnB2015 – p. 36/??
![Page 107: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/107.jpg)
Expressions Equivalence• Reconciling Two Views of Cryptography (The
Computational Soundness of FormalEncryption)M. Abadi and P. Rogaway, IFIP InternationalConference on Theoretical Computer Science(IFIP TCS2000), Sendai, Japan, August 2000.
UnB2015 – p. 37/??
![Page 108: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/108.jpg)
Expressions Equivalence• Reconciling Two Views of Cryptography (The
Computational Soundness of FormalEncryption)M. Abadi and P. Rogaway, IFIP InternationalConference on Theoretical Computer Science(IFIP TCS2000), Sendai, Japan, August 2000.
• Formal Approach to Encryption Models×
UnB2015 – p. 37/??
![Page 109: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/109.jpg)
Expressions Equivalence• Reconciling Two Views of Cryptography (The
Computational Soundness of FormalEncryption)M. Abadi and P. Rogaway, IFIP InternationalConference on Theoretical Computer Science(IFIP TCS2000), Sendai, Japan, August 2000.
• Formal Approach to Encryption Models×
• Computational Model that considers issues ofComplexity and Probability
UnB2015 – p. 37/??
![Page 110: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/110.jpg)
Formal Encryption• Expression Equivalence
UnB2015 – p. 38/??
![Page 111: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/111.jpg)
Formal Encryption• Expression Equivalence• Two Expressions to be Equivalente
E1 ≡ E2
UnB2015 – p. 38/??
![Page 112: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/112.jpg)
Formal Encryption• Expression Equivalence• Two Expressions to be Equivalente
E1 ≡ E2
• Two pieces of data “look the same”
UnB2015 – p. 38/??
![Page 113: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/113.jpg)
Formal Encryption• Expression Equivalence• Two Expressions to be Equivalente
E1 ≡ E2
• Two pieces of data “look the same”• 2 represents a ciphertext that an attacker cannot
decrypt.
UnB2015 – p. 38/??
![Page 114: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/114.jpg)
Formal Encryption• Expression Equivalence• Two Expressions to be Equivalente
E1 ≡ E2
• Two pieces of data “look the same”• 2 represents a ciphertext that an attacker cannot
decrypt.• If E ≡ 2 means that an attacker cannot decryptE.
UnB2015 – p. 38/??
![Page 115: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/115.jpg)
Formal Encryption• Expression Equivalence• Two Expressions to be Equivalente
E1 ≡ E2
• Two pieces of data “look the same”• 2 represents a ciphertext that an attacker cannot
decrypt.• If E ≡ 2 means that an attacker cannot decryptE.
• Expressions are all the information that theIntruder has intercepted.
UnB2015 – p. 38/??
![Page 116: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/116.jpg)
Language
• Expressions:
E ::= i | K | (E1, E2) | {E}K | 2
UnB2015 – p. 39/??
![Page 117: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/117.jpg)
Language
• Expressions:
E ::= i | K | (E1, E2) | {E}K | 2
• wherei ∈ {0, 1} - Bits (Messages)
UnB2015 – p. 39/??
![Page 118: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/118.jpg)
Language
• Expressions:
E ::= i | K | (E1, E2) | {E}K | 2
• wherei ∈ {0, 1} - Bits (Messages)
• K ∈ {K1, · · · } - Keys
UnB2015 – p. 39/??
![Page 119: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/119.jpg)
Language
• Expressions:
E ::= i | K | (E1, E2) | {E}K | 2
• wherei ∈ {0, 1} - Bits (Messages)
• K ∈ {K1, · · · } - Keys
• 2 - undecryptable
UnB2015 – p. 39/??
![Page 120: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/120.jpg)
Rules
• Rules are as in Dolev and Yao. LetM andN beexpressions
UnB2015 – p. 40/??
![Page 121: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/121.jpg)
Rules
• Rules are as in Dolev and Yao. LetM andN beexpressions
• M ⊢ 0 andM ⊢ 1
UnB2015 – p. 40/??
![Page 122: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/122.jpg)
Rules
• Rules are as in Dolev and Yao. LetM andN beexpressions
• M ⊢ 0 andM ⊢ 1
• M ⊢M
UnB2015 – p. 40/??
![Page 123: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/123.jpg)
Rules
• Rules are as in Dolev and Yao. LetM andN beexpressions
• M ⊢ 0 andM ⊢ 1
• M ⊢M• if M ⊢ K andM ⊢ N , thenM ⊢ {N}K
UnB2015 – p. 40/??
![Page 124: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/124.jpg)
Rules
• Rules are as in Dolev and Yao. LetM andN beexpressions
• M ⊢ 0 andM ⊢ 1
• M ⊢M• if M ⊢ K andM ⊢ N , thenM ⊢ {N}K• if M ⊢ {N}K andM ⊢ K, thenM ⊢ N
UnB2015 – p. 40/??
![Page 125: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/125.jpg)
Rules
• Rules are as in Dolev and Yao. LetM andN beexpressions
• M ⊢ 0 andM ⊢ 1
• M ⊢M• if M ⊢ K andM ⊢ N , thenM ⊢ {N}K• if M ⊢ {N}K andM ⊢ K, thenM ⊢ N• if M ⊢ N1 andM ⊢ N2, thenM ⊢ (N1, N2)
UnB2015 – p. 40/??
![Page 126: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/126.jpg)
Rules
• Rules are as in Dolev and Yao. LetM andN beexpressions
• M ⊢ 0 andM ⊢ 1
• M ⊢M• if M ⊢ K andM ⊢ N , thenM ⊢ {N}K• if M ⊢ {N}K andM ⊢ K, thenM ⊢ N• if M ⊢ N1 andM ⊢ N2, thenM ⊢ (N1, N2)
• if M ⊢ (N1, N2), thenM ⊢ N1 andM ⊢ N2
UnB2015 – p. 40/??
![Page 127: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/127.jpg)
Equivalence
• Paterns: Intuitively, it is an expression that mayhave some parts that an attacker cannot decrypt.
• Let T be a set of Keys• Functionp(E, T ) 7→ E
p(K,T ) = K
p(i, T ) = i
p((M,N), T ) = (p(M,T ), p(N,T ))
p({M}K , T ) = {p(M,T )}K if K ∈ T= 2 otherwise
• patern(M) = p(M, {K |M ⊢ K})
UnB2015 – p. 41/??
![Page 128: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/128.jpg)
Equivalence• M ≡ N iff patern(M) = patern(N)
• Example: letT = {K2,K3}• {({0}K1
, {1}K2)}K3
≡ {(2, {1}K2)}K3
• pattern({({0}K1, {1}K2
)}K3) =
pattern({(2, {1}K2)}K3
)
• p({({0}K1, {1}K2
)}K3, T ) =
• {p(({0}K1, {1}K2
), T )}K3=
• {((p({0}K1, T ), p({1}K2
, T ))}K3=
• {(2, {p(1, T )}K2)}K3
=
• {(2, {1}K2)}K3
UnB2015 – p. 42/??
![Page 129: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/129.jpg)
Equivalence
• Example (Cont.): letT = {K2,K3}
• {({0}K1, {1}K2
)}K3≡ {(2, {1}K2
)}K3
• pattern({({0}K1, {1}K2
)}K3) =
pattern({(2, {1}K2)}K3
)
• M ≡ N iff patern(M) = patern(N)
• M ∼= N iff M ≡ Nσ , σ is a renaing function• If we can proveM ∼= 2, thenM is
undecryptable
UnB2015 – p. 43/??
![Page 130: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/130.jpg)
Spi Calculus• A Calculus for Cryptographic Protocols: The
Spi CalculusM. Abadi and A. Gordon. Information andComputation , 148(1): 1–70, 1999.
UnB2015 – p. 44/??
![Page 131: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/131.jpg)
Spi Calculus• A Calculus for Cryptographic Protocols: The
Spi CalculusM. Abadi and A. Gordon. Information andComputation , 148(1): 1–70, 1999.
• Similar to theπ-Calculus
UnB2015 – p. 44/??
![Page 132: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/132.jpg)
Spi Calculus• A Calculus for Cryptographic Protocols: The
Spi CalculusM. Abadi and A. Gordon. Information andComputation , 148(1): 1–70, 1999.
• Similar to theπ-Calculus• Process Algebras
UnB2015 – p. 44/??
![Page 133: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/133.jpg)
Spi Calculus• A Calculus for Cryptographic Protocols: The
Spi CalculusM. Abadi and A. Gordon. Information andComputation , 148(1): 1–70, 1999.
• Similar to theπ-Calculus• Process Algebras• Terms are processes
UnB2015 – p. 44/??
![Page 134: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/134.jpg)
Spi Calculus• A Calculus for Cryptographic Protocols: The
Spi CalculusM. Abadi and A. Gordon. Information andComputation , 148(1): 1–70, 1999.
• Similar to theπ-Calculus• Process Algebras• Terms are processes• Equivalence Relation: Bisimulation
UnB2015 – p. 44/??
![Page 135: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/135.jpg)
Language - Spi Calculus• The language of the Spi-Calculus is very similar
to the Pi-Caculus.• In the standard Pi-Calculus terms are only names.
Terms:
L,M,N ::= Termsn name
(M,N) pair0 zero
suc(M) successorx variable
{M}N shared-key encryption
UnB2015 – p. 45/??
![Page 136: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/136.jpg)
Processes - Spi CalculusP,Q,R ::= Processes
M(N).P outputM(x).P inputP | Q parallel composition(ν)P restriction!P replication
[M is N ]P match0 nul
let (x, y) =M in P pair splittingcase M of 0 : suc(x) : Q integer casecase L of {x}N in P shared-key decryption
UnB2015 – p. 46/??
![Page 137: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/137.jpg)
Language - Spi Calculus• Process[M is N ]P behaves as P provided that
terms M and N are the same; otherwise it is stuck,that is, it does nothing.
UnB2015 – p. 47/??
![Page 138: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/138.jpg)
Language - Spi Calculus• Process[M is N ]P behaves as P provided that
terms M and N are the same; otherwise it is stuck,that is, it does nothing.
• Processlet (x, y) =M in P behaves asP [N/x][L/y] if termM is the pair(N,L).Otherwise, the process is stuck.
UnB2015 – p. 47/??
![Page 139: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/139.jpg)
Language - Spi Calculus• Process[M is N ]P behaves as P provided that
terms M and N are the same; otherwise it is stuck,that is, it does nothing.
• Processlet (x, y) =M in P behaves asP [N/x][L/y] if termM is the pair(N,L).Otherwise, the process is stuck.
• Processcase M of 0 : suc(x) : Q behaves asPif termM is 0, asQ[N/x] if M is suc(N).Otherwise, the process is stuck.
UnB2015 – p. 47/??
![Page 140: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/140.jpg)
Language - Spi Calculus• Process[M is N ]P behaves as P provided that
terms M and N are the same; otherwise it is stuck,that is, it does nothing.
• Processlet (x, y) =M in P behaves asP [N/x][L/y] if termM is the pair(N,L).Otherwise, the process is stuck.
• Processcase M of 0 : suc(x) : Q behaves asPif termM is 0, asQ[N/x] if M is suc(N).Otherwise, the process is stuck.
• Processcase L of {x}N in P attempts to decryptthe term L with the key N. If L is a ciphertext ofthe form{M}N , then the process behaves asP [M/x]. Otherwise, the process is stuck.
UnB2015 – p. 47/??
![Page 141: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/141.jpg)
Example - Spi Calculus• Example with key establishment
UnB2015 – p. 48/??
![Page 142: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/142.jpg)
Example - Spi Calculus• Example with key establishment• Wide Mouthed Frog
UnB2015 – p. 48/??
![Page 143: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/143.jpg)
Example - Spi Calculus• Example with key establishment• Wide Mouthed Frog• 3 agents:A,B andS (server)
UnB2015 – p. 48/??
![Page 144: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/144.jpg)
Example - Spi Calculus• Example with key establishment• Wide Mouthed Frog• 3 agents:A,B andS (server)• A andB share keysKAS andKSB repectively
with serverS
UnB2015 – p. 48/??
![Page 145: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/145.jpg)
Example - Spi Calculus• Protocol:• A creates a keyKAB
• A send keyKAB under encriptionKAS
• S decript the mesage and send keyKAB underencriptionKSB
• A send mesageM under encriptionKAB
A{KAB}KAS // S
{KAB}KSB //B
UnB2015 – p. 49/??
![Page 146: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/146.jpg)
Example - Spi Calculus• Protocol
A(M) =(νKAB)(cAS〈{KAB}KAS
〉.(cAB〈{M}KAB〉)
S = cAS(x).case x of {y}KASin cSB〈{y}KSB
〉B = cSB(x).case x of {y}KSB
incAB(z).case z of {w}y in F (w)Inst(M) = (νKAS)(νKSB)(A(M) | S | B)
• Since all communication is protected byencryption, communication can take placethrough public channels:cAS, cSB andcAB
UnB2015 – p. 50/??
![Page 147: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/147.jpg)
Secrecy - Spi Calculus• Secrecy: Inst(M) ≃ Inst(M ′), ifF (M) ≃ F (M ′) for all M andM ′
UnB2015 – p. 51/??
![Page 148: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/148.jpg)
Secrecy - Spi Calculus• Secrecy: Inst(M) ≃ Inst(M ′), ifF (M) ≃ F (M ′) for all M andM ′
• Secrecy: The messageM cannot be read intransit fromA toB: if F does not revealM , thenthe whole protocol does not revealM .
UnB2015 – p. 51/??
![Page 149: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/149.jpg)
Secrecy - Spi Calculus• Secrecy: Inst(M) ≃ Inst(M ′), ifF (M) ≃ F (M ′) for all M andM ′
• Secrecy: The messageM cannot be read intransit fromA toB: if F does not revealM , thenthe whole protocol does not revealM .
• The secrecy property can be stated in terms ofequivalences: ifF (M) ≃ F (M ′ for all M andM ′ , thenInst(M) ≃ Inst(M ′). This means thatif F (M) is indistinguishable fromF (M ′), thenthe protocol with messageM is indistinguishablefrom the protocol with messageM ′ .
UnB2015 – p. 51/??
![Page 150: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/150.jpg)
Authenticity - Spi Calculus• Authenticity : Inst(M) ≃ Instspec(M), for allM
UnB2015 – p. 52/??
![Page 151: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/151.jpg)
Authenticity - Spi Calculus• Authenticity : Inst(M) ≃ Instspec(M), for allM
• Authenticity :
UnB2015 – p. 52/??
![Page 152: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/152.jpg)
Authenticity - Spi Calculus• Authenticity : Inst(M) ≃ Instspec(M), for allM
• Authenticity :• B = cSB(x).case x of {y}KSB
incAB(z).case z of {w}y in F (w)
UnB2015 – p. 52/??
![Page 153: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/153.jpg)
Authenticity - Spi Calculus• Authenticity : Inst(M) ≃ Instspec(M), for allM
• Authenticity :• B = cSB(x).case x of {y}KSB
incAB(z).case z of {w}y in F (w)
• Bspec = cSB(x).case x of {y}KSBin
cAB(z).case z of {w}y in F (M)
UnB2015 – p. 52/??
![Page 154: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/154.jpg)
Authenticity - Spi Calculus• Authenticity : Inst(M) ≃ Instspec(M), for allM
• Authenticity :• B = cSB(x).case x of {y}KSB
incAB(z).case z of {w}y in F (w)
• Bspec = cSB(x).case x of {y}KSBin
cAB(z).case z of {w}y in F (M)
• Instespc is Inst substitutingB byBespec
UnB2015 – p. 52/??
![Page 155: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/155.jpg)
Authenticity - Spi Calculus• Authenticity : Inst(M) ≃ Instspec(M), for allM
• Authenticity :• B = cSB(x).case x of {y}KSB
incAB(z).case z of {w}y in F (w)
• Bspec = cSB(x).case x of {y}KSBin
cAB(z).case z of {w}y in F (M)
• Instespc is Inst substitutingB byBespec
• Authenticity : The run of the protocol is notaffected by any message that an intruder can sendtoB,
UnB2015 – p. 52/??
![Page 156: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/156.jpg)
Summary - Spi Calculus• Equivalence between processes: Bisimulation≃
UnB2015 – p. 53/??
![Page 157: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/157.jpg)
Summary - Spi Calculus• Equivalence between processes: Bisimulation≃• Secrecy: Inst(M) ≃ Inst(M ′), ifF (M) ≃ F (M ′) for all M andM ′
UnB2015 – p. 53/??
![Page 158: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/158.jpg)
Summary - Spi Calculus• Equivalence between processes: Bisimulation≃• Secrecy: Inst(M) ≃ Inst(M ′), ifF (M) ≃ F (M ′) for all M andM ′
• Secrecy: The messageM cannot be read intransit fromA toB
UnB2015 – p. 53/??
![Page 159: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/159.jpg)
Summary - Spi Calculus• Equivalence between processes: Bisimulation≃• Secrecy: Inst(M) ≃ Inst(M ′), ifF (M) ≃ F (M ′) for all M andM ′
• Secrecy: The messageM cannot be read intransit fromA toB
• Authenticity : Inst(M) ≃ Instspec(M), for allM
UnB2015 – p. 53/??
![Page 160: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/160.jpg)
Summary - Spi Calculus• Equivalence between processes: Bisimulation≃• Secrecy: Inst(M) ≃ Inst(M ′), ifF (M) ≃ F (M ′) for all M andM ′
• Secrecy: The messageM cannot be read intransit fromA toB
• Authenticity : Inst(M) ≃ Instspec(M), for allM
• Authenticity : The run of the protocol is notaffected by any message that an intruder can sendtoB
UnB2015 – p. 53/??
![Page 161: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/161.jpg)
BAN Logic• A Logic of Authentication - BAN Logic
M. Burrows, M. Abadi, and R. Needham. ACMTransactions on Computer Systems, 8:18–36,1990.
UnB2015 – p. 54/??
![Page 162: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/162.jpg)
BAN Logic• A Logic of Authentication - BAN Logic
M. Burrows, M. Abadi, and R. Needham. ACMTransactions on Computer Systems, 8:18–36,1990.
• It is hard to call it alogic
UnB2015 – p. 54/??
![Page 163: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/163.jpg)
BAN Logic• A Logic of Authentication - BAN Logic
M. Burrows, M. Abadi, and R. Needham. ACMTransactions on Computer Systems, 8:18–36,1990.
• It is hard to call it alogic• It look likes Hoare Logic/Rules
UnB2015 – p. 54/??
![Page 164: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/164.jpg)
BAN Logic• A Logic of Authentication - BAN Logic
M. Burrows, M. Abadi, and R. Needham. ACMTransactions on Computer Systems, 8:18–36,1990.
• It is hard to call it alogic• It look likes Hoare Logic/Rules• Set of Rules to manipulate assertions
UnB2015 – p. 54/??
![Page 165: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/165.jpg)
Notation - BAN Logic• Notation
UnB2015 – p. 55/??
![Page 166: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/166.jpg)
Notation - BAN Logic• Notation• A,B andS, denote specific principals;
UnB2015 – p. 55/??
![Page 167: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/167.jpg)
Notation - BAN Logic• Notation• A,B andS, denote specific principals;• Kab,Kas andKbs, denote specific shared keys;
UnB2015 – p. 55/??
![Page 168: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/168.jpg)
Notation - BAN Logic• Notation• A,B andS, denote specific principals;• Kab,Kas andKbs, denote specific shared keys;• Ka,Kb andKs, denote specific public keys;
UnB2015 – p. 55/??
![Page 169: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/169.jpg)
Notation - BAN Logic• Notation• A,B andS, denote specific principals;• Kab,Kas andKbs, denote specific shared keys;• Ka,Kb andKs, denote specific public keys;
• K−1a ,K−1b andK−1s , denote the correspondingsecret key;
UnB2015 – p. 55/??
![Page 170: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/170.jpg)
Notation - BAN Logic• Notation• A,B andS, denote specific principals;• Kab,Kas andKbs, denote specific shared keys;• Ka,Kb andKs, denote specific public keys;
• K−1a ,K−1b andK−1s , denote the correspondingsecret key;
• Na,Nb andNs, denote specific statements;
UnB2015 – p. 55/??
![Page 171: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/171.jpg)
Notation - BAN Logic• Notation• A,B andS, denote specific principals;• Kab,Kas andKbs, denote specific shared keys;• Ka,Kb andKs, denote specific public keys;
• K−1a ,K−1b andK−1s , denote the correspondingsecret key;
• Na,Nb andNs, denote specific statements;• P ,Q andR, range over principals;
UnB2015 – p. 55/??
![Page 172: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/172.jpg)
Notation - BAN Logic• Notation• A,B andS, denote specific principals;• Kab,Kas andKbs, denote specific shared keys;• Ka,Kb andKs, denote specific public keys;
• K−1a ,K−1b andK−1s , denote the correspondingsecret key;
• Na,Nb andNs, denote specific statements;• P ,Q andR, range over principals;• X andY , range over statements;
UnB2015 – p. 55/??
![Page 173: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/173.jpg)
Notation - BAN Logic• Notation• A,B andS, denote specific principals;• Kab,Kas andKbs, denote specific shared keys;• Ka,Kb andKs, denote specific public keys;
• K−1a ,K−1b andK−1s , denote the correspondingsecret key;
• Na,Nb andNs, denote specific statements;• P ,Q andR, range over principals;• X andY , range over statements;• K, ranges over encryption keys.
UnB2015 – p. 55/??
![Page 174: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/174.jpg)
Sintaxe- BAN Logic• The only propositional connective is conjunction,
denoted by a comma.
UnB2015 – p. 56/??
![Page 175: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/175.jpg)
Sintaxe- BAN Logic• The only propositional connective is conjunction,
denoted by a comma.• Conjunctions as sets: properties such as
associativity and commutativity.
UnB2015 – p. 56/??
![Page 176: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/176.jpg)
Sintaxe- BAN Logic• The only propositional connective is conjunction,
denoted by a comma.• Conjunctions as sets: properties such as
associativity and commutativity.• P believesX;
UnB2015 – p. 56/??
![Page 177: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/177.jpg)
Sintaxe- BAN Logic• The only propositional connective is conjunction,
denoted by a comma.• Conjunctions as sets: properties such as
associativity and commutativity.• P believesX;• P seesX;
UnB2015 – p. 56/??
![Page 178: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/178.jpg)
Sintaxe- BAN Logic• The only propositional connective is conjunction,
denoted by a comma.• Conjunctions as sets: properties such as
associativity and commutativity.• P believesX;• P seesX;• P saidX;
UnB2015 – p. 56/??
![Page 179: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/179.jpg)
Sintaxe- BAN Logic• The only propositional connective is conjunction,
denoted by a comma.• Conjunctions as sets: properties such as
associativity and commutativity.• P believesX;• P seesX;• P saidX;• P controlsX: P has jurisdiction overX;
UnB2015 – p. 56/??
![Page 180: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/180.jpg)
Sintaxe- BAN Logic• The only propositional connective is conjunction,
denoted by a comma.• Conjunctions as sets: properties such as
associativity and commutativity.• P believesX;• P seesX;• P saidX;• P controlsX: P has jurisdiction overX;• fresh(X): The formulaX is fresh;
UnB2015 – p. 56/??
![Page 181: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/181.jpg)
Sintaxe - BAN Logic• P K←→ Q: P andQ may use the shared key K to
communicate;
UnB2015 – p. 57/??
![Page 182: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/182.jpg)
Sintaxe - BAN Logic• P K←→ Q: P andQ may use the shared key K to
communicate;
• K7→ P : P has K as a public key;
UnB2015 – p. 57/??
![Page 183: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/183.jpg)
Sintaxe - BAN Logic• P K←→ Q: P andQ may use the shared key K to
communicate;
• K7→ P : P has K as a public key;
• PX⇋ Q: The formulaX is a secret known only to
P andQ;
UnB2015 – p. 57/??
![Page 184: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/184.jpg)
Sintaxe - BAN Logic• P K←→ Q: P andQ may use the shared key K to
communicate;
• K7→ P : P has K as a public key;
• PX⇋ Q: The formulaX is a secret known only to
P andQ;• {X}K : This represent the formulaX encrypted
under the key K.
UnB2015 – p. 57/??
![Page 185: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/185.jpg)
Sintaxe - BAN Logic• P K←→ Q: P andQ may use the shared key K to
communicate;
• K7→ P : P has K as a public key;
• PX⇋ Q: The formulaX is a secret known only to
P andQ;• {X}K : This represent the formulaX encrypted
under the key K.• 〈X〉Y : This representX combined with the
formulaY . In implementations,X is simplyconcatenated with the passwordY .
UnB2015 – p. 57/??
![Page 186: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/186.jpg)
Logical Postulates - BAN LogicMessage-meaning: rules for interpretation ofmessages.
For shared keys
P believesQ K←→P, P sees {X}KP believesQ saidX
For public keys
P believesK7→ Q, P sees {X}K−1
P believesQ saidX
UnB2015 – p. 58/??
![Page 187: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/187.jpg)
Logical Postulates - BAN Logic
Message-meaning: rules for interpretation ofmessages.
For shared secrets
P believesQY⇋ P, P sees 〈X〉Y
P believesQ saidX
UnB2015 – p. 59/??
![Page 188: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/188.jpg)
Logical Postulates - BAN Logic
Jurisdiction:
P believesQ controlsX, P believesQbelievesX
P believesX
UnB2015 – p. 60/??
![Page 189: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/189.jpg)
Logical Postulates - BAN Logic
Principal sees:
P sees (X,Y )
P seesX
P sees 〈X〉YP seesX
P believesQ K←→ P, P sees {X}KP seesX
UnB2015 – p. 61/??
![Page 190: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/190.jpg)
Logical Postulates - BAN Logic
Principal sees:
P believesK7→ P, P sees {X}KP seesX
P believesK7→ Q, P sees {X}K−1
P seesX
UnB2015 – p. 62/??
![Page 191: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/191.jpg)
Logical Postulates - BAN Logic
Fresh:
P believes fresh(X)
P believes fresh (X,Y )
UnB2015 – p. 63/??
![Page 192: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/192.jpg)
Quantifiers - BAN Logic• Quantifiers in Delegations
UnB2015 – p. 64/??
![Page 193: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/193.jpg)
Quantifiers - BAN Logic• Quantifiers in Delegations
• A believesS controlsA K←→ B
UnB2015 – p. 64/??
![Page 194: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/194.jpg)
Quantifiers - BAN Logic• Quantifiers in Delegations
• A believesS controlsA K←→ B
• Abelieves ∀K.(S controlsA K←→B)
UnB2015 – p. 64/??
![Page 195: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/195.jpg)
Quantifiers - BAN Logic• Quantifiers in Delegations
• A believesS controlsA K←→ B
• Abelieves ∀K.(S controlsA K←→B)
• Abelieves ∀K.(S controlsB controlsA K←→B)
UnB2015 – p. 64/??
![Page 196: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/196.jpg)
Quantifiers - BAN Logic• Quantifiers in Delegations
• A believesS controlsA K←→ B
• Abelieves ∀K.(S controlsA K←→B)
• Abelieves ∀K.(S controlsB controlsA K←→B)
P believes ∀V1 . . . Vn.(Q controlsX)
P believesQ′ controlsX ′
UnB2015 – p. 65/??
![Page 197: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/197.jpg)
Example 1: Dolev & Yao ModelA sends msgM toB
A // (A,EB(M), B) //B
IntruderZ intercepts the message sent fromA toB
IntruderZ sends message(Z,EB(M), B) toB
A //
(A,EB(M),B)
��❃❃❃
❃❃❃❃
❃❃❃❃
❃❃❃❃
❃ | //B
Z
(Z,EB(M),B)
??⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧
UnB2015 – p. 66/??
![Page 198: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/198.jpg)
Example 1: Dolev & Yao ModelB sends message(B,EZ(M), Z) toZ
A //
(A,EB(M),B)
��❃❃❃
❃❃❃❃
❃❃❃❃
❃❃❃❃
❃ | //B
(B,EZ(M),Z)
��⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧
Z
IntruderZ decodesEZ(M) and obtainsM
UnB2015 – p. 67/??
![Page 199: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/199.jpg)
Example - BAN Logic
• m1 : A −→ B : {m}KB
• m2 : Z −→ B : {m}KB
• m3 : B −→ Z : {m}KZ
• B believesAKB←→ B
• Z believesBKZ←→ Z
• m1 : Z sees{m}KB
• m2 : B sees{m}KB
• B seesm rule principal sees
• m3 : Z sees{m}KZ
• Z seesm rule principal sees
UnB2015 – p. 68/??
![Page 200: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/200.jpg)
Dolev/Yao Epistemic Logic• Dolev/Yao Multi-Agent Epistemic LogicS5DY
UnB2015 – p. 69/??
![Page 201: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/201.jpg)
Dolev/Yao Epistemic Logic• Dolev/Yao Multi-Agent Epistemic LogicS5DY
• Reasoning about Knowledge in Protocols
UnB2015 – p. 69/??
![Page 202: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/202.jpg)
Dolev/Yao Epistemic Logic• Dolev/Yao Multi-Agent Epistemic LogicS5DY
• Reasoning about Knowledge in Protocols
• What kind of knowledge?
UnB2015 – p. 69/??
![Page 203: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/203.jpg)
Dolev/Yao Epistemic Logic• Dolev/Yao Multi-Agent Epistemic LogicS5DY
• Reasoning about Knowledge in Protocols
• What kind of knowledge?
• Knowledge about
UnB2015 – p. 69/??
![Page 204: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/204.jpg)
Dolev/Yao Epistemic Logic• Dolev/Yao Multi-Agent Epistemic LogicS5DY
• Reasoning about Knowledge in Protocols
• What kind of knowledge?
• Knowledge about
• Keys,
UnB2015 – p. 69/??
![Page 205: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/205.jpg)
Dolev/Yao Epistemic Logic• Dolev/Yao Multi-Agent Epistemic LogicS5DY
• Reasoning about Knowledge in Protocols
• What kind of knowledge?
• Knowledge about
• Keys,• Messages,
UnB2015 – p. 69/??
![Page 206: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/206.jpg)
Dolev/Yao Epistemic Logic• Dolev/Yao Multi-Agent Epistemic LogicS5DY
• Reasoning about Knowledge in Protocols
• What kind of knowledge?
• Knowledge about
• Keys,• Messages,• Encription/Decription ,
UnB2015 – p. 69/??
![Page 207: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/207.jpg)
Dolev/Yao Epistemic Logic• Dolev/Yao Multi-Agent Epistemic LogicS5DY
• Reasoning about Knowledge in Protocols
• What kind of knowledge?
• Knowledge about
• Keys,• Messages,• Encription/Decription ,• Concatenation
UnB2015 – p. 69/??
![Page 208: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/208.jpg)
Dolev/Yao Epistemic Logic• Dolev/Yao Multi-Agent Epistemic LogicS5DY
• Reasoning about Knowledge in Protocols
• What kind of knowledge?
• Knowledge about
• Keys,• Messages,• Encription/Decription ,• Concatenation• Agents and Groups, and so on
UnB2015 – p. 69/??
![Page 209: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/209.jpg)
Language -S5DY
• Formulas are built from expressions and not onlyfrom proposition symbols.
UnB2015 – p. 70/??
![Page 210: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/210.jpg)
Language -S5DY
• Formulas are built from expressions and not onlyfrom proposition symbols.
• An expression is any peace of information thatcan be encrypted, decrypted or concatenated inorder to be communicated.
UnB2015 – p. 70/??
![Page 211: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/211.jpg)
Language -S5DY
• Formulas are built from expressions and not onlyfrom proposition symbols.
• An expression is any peace of information thatcan be encrypted, decrypted or concatenated inorder to be communicated.
• S5DY Alphabet
UnB2015 – p. 70/??
![Page 212: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/212.jpg)
Language -S5DY
• Formulas are built from expressions and not onlyfrom proposition symbols.
• An expression is any peace of information thatcan be encrypted, decrypted or concatenated inorder to be communicated.
• S5DY Alphabet
• a setΦ of countably many proposition symbols,
UnB2015 – p. 70/??
![Page 213: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/213.jpg)
Language -S5DY
• Formulas are built from expressions and not onlyfrom proposition symbols.
• An expression is any peace of information thatcan be encrypted, decrypted or concatenated inorder to be communicated.
• S5DY Alphabet
• a setΦ of countably many proposition symbols,• a finite setA of agents,
UnB2015 – p. 70/??
![Page 214: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/214.jpg)
Language -S5DY
• Formulas are built from expressions and not onlyfrom proposition symbols.
• An expression is any peace of information thatcan be encrypted, decrypted or concatenated inorder to be communicated.
• S5DY Alphabet
• a setΦ of countably many proposition symbols,• a finite setA of agents,• a set of keysK = {k1, · · · },
UnB2015 – p. 70/??
![Page 215: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/215.jpg)
Language -S5DY
• Formulas are built from expressions and not onlyfrom proposition symbols.
• An expression is any peace of information thatcan be encrypted, decrypted or concatenated inorder to be communicated.
• S5DY Alphabet
• a setΦ of countably many proposition symbols,• a finite setA of agents,• a set of keysK = {k1, · · · },• the boolean connectives¬ and∧,
UnB2015 – p. 70/??
![Page 216: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/216.jpg)
Language -S5DY
• Formulas are built from expressions and not onlyfrom proposition symbols.
• An expression is any peace of information thatcan be encrypted, decrypted or concatenated inorder to be communicated.
• S5DY Alphabet
• a setΦ of countably many proposition symbols,• a finite setA of agents,• a set of keysK = {k1, · · · },• the boolean connectives¬ and∧,• modalitiesKa for each agenta.
UnB2015 – p. 70/??
![Page 217: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/217.jpg)
Example 1: Dolev & Yao - Cont.A sends msgM toB
A // (A,EB(M), B) //B
IntruderZ intercepts the message sent fromA toB
IntruderZ sends message(Z,EB(M), B) toB
A //
(A,EB(M),B)
��❃❃❃
❃❃❃❃
❃❃❃❃
❃❃❃❃
❃ | //B
Z
(Z,EB(M),B)
??⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧
UnB2015 – p. 71/??
![Page 218: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/218.jpg)
Example 1: Dolev & Yao - Cont.B sends message(B,EZ(M), Z) toZ
A //
(A,EB(M),B)
��❃❃❃
❃❃❃❃
❃❃❃❃
❃❃❃❃
❃ | //B
(B,EZ(M),Z)
��⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧
Z
IntruderZ decodesEZ(M) and obtainsM
UnB2015 – p. 72/??
![Page 219: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/219.jpg)
Proving Example 1
• Proving example 1 Dolev & Yao inS5DY
UnB2015 – p. 73/??
![Page 220: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/220.jpg)
Proving Example 1
• Proving example 1 Dolev & Yao inS5DY
• Three agentsA,B andZ.
UnB2015 – p. 73/??
![Page 221: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/221.jpg)
Proving Example 1
• Proving example 1 Dolev & Yao inS5DY
• Three agentsA,B andZ.• KXY = KY X for every agentX andY .
UnB2015 – p. 73/??
![Page 222: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/222.jpg)
Proving Example 1
• Proving example 1 Dolev & Yao inS5DY
• Three agentsA,B andZ.• KXY = KY X for every agentX andY .
• Initial Knowledge :
KB0 = {KAkAB, KBkAB, KBkBZ , KZkBZ , KAm}
UnB2015 – p. 73/??
![Page 223: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/223.jpg)
Proving Example 1KB0 = {KAkAB, KBkAB, KBkBZ , KZkBZ , KAm}
sendAB({m}kAB)��
−−−Z intecepts
��
KB1 := KB0 ∪KZ{m}kAB
sendZB({m}kAB)��
KB2 := KB1 ∪KB{m}kAB
KBm ax. 7.
KB{m}kZBax. 6.
send ({m} )
UnB2015 – p. 74/??
![Page 224: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/224.jpg)
Proving Example 1KB2 := KB1 ∪KB{m}kAB
KBm ax. 7.
KB{m}kZBax. 6.
sendBZ({m}kBZ)��
KB3 := KB2 ∪KZ{m}kBZ
KZm ax.7
IntruderZ knowsMUnB2015 – p. 75/??
![Page 225: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/225.jpg)
Example 2: Dolev & Yao ModelA sends msgMA toB andB replies to the user thatis encrypted with the messageM and not to the sender
A // (A,EB(MA), B) //B
IntruderZ intercepts the message sent fromA toB
IntruderZ sends message(Z,EB(MA), B) toB
A //
(A,EB(MA),B)
��❃❃❃
❃❃❃❃
❃❃❃❃
❃❃❃❃
❃ | //B
Z
(Z,EB(MA),B)
??⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧
UnB2015 – p. 76/??
![Page 226: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/226.jpg)
Example 2: Dolev & Yao ModelB sends message(B,EA(MB), Z) toZ
A //
(A,EB(MA),B)
��❃❃❃
❃❃❃❃
❃❃❃❃
❃❃❃❃
❃ | //B
(B,EA(MB),Z)
��⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧⑧
Z
IntruderZ cannotdecodeEA(MB) to obtainM
It can be proved that this protocol in secure againstarbitrary behaviour of the intruder.
UnB2015 – p. 77/??
![Page 227: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/227.jpg)
Proving Example 2
• Proving example 2 Dolev & Yao inS5DY
UnB2015 – p. 78/??
![Page 228: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/228.jpg)
Proving Example 2
• Proving example 2 Dolev & Yao inS5DY
• Three agentsA,B andZ.
UnB2015 – p. 78/??
![Page 229: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/229.jpg)
Proving Example 2
• Proving example 2 Dolev & Yao inS5DY
• Three agentsA,B andZ.• KXY = KY X for every agentX andY .
UnB2015 – p. 78/??
![Page 230: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/230.jpg)
Proving Example 2
• Proving example 2 Dolev & Yao inS5DY
• Three agentsA,B andZ.• KXY = KY X for every agentX andY .
• Initial Knowledge :
KB0 = {KAkAB, KBkAB, KBkBZ , KZkBZ , KAm}
UnB2015 – p. 78/??
![Page 231: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/231.jpg)
Proving Example 2KB0 = {KAkAB, KBkAB, KBkBZ , KZkBZ , KAm}
KB0 ⊢ KA(kAB,m)
KB0 ⊢ KA{(kAB,m)}kABax. 6
sendAB({(kAB,m)}kAB)��
−−−Z intecepts
��
KB1 := KB0 ∪KZ{(kAB,m)}kAB
sendZB({(kAB,m)}kAB)��
KB2 := KB1 ∪KB{(kAB,m)}kAB UnB2015 – p. 79/??
![Page 232: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/232.jpg)
Proving Example 2KB2 := KB1 ∪KB{(kAB,m)}kAB
KB(kAB,m) ax. 7.
KBm ax. 8.
KB{(kAB,m)}kABax. 6.
sendBZ({(kAB,m)}kAB)��
KB3 := KB2 ∪KZ{(kAB,m)}kAB
KB3 6⊢ KZm UnB2015 – p. 80/??
![Page 233: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/233.jpg)
More Examples
• Third example of the original article of Dolev &Yao
UnB2015 – p. 81/??
![Page 234: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/234.jpg)
More Examples
• Third example of the original article of Dolev &Yao
• Kerberos Protocol
UnB2015 – p. 81/??
![Page 235: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/235.jpg)
More Examples
• Third example of the original article of Dolev &Yao
• Kerberos Protocol
• Andrew Secure RPC Handshake Protocol
UnB2015 – p. 81/??
![Page 236: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/236.jpg)
Adding Actions
• Adding Actions toS5DY
UnB2015 – p. 82/??
![Page 237: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/237.jpg)
Adding Actions
• Adding Actions toS5DY
• In all protocols - Actions are executed in theMeta-level
UnB2015 – p. 82/??
![Page 238: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/238.jpg)
Adding Actions
• Adding Actions toS5DY
• In all protocols - Actions are executed in theMeta-level
• Internalizing Actions toS5DY
UnB2015 – p. 82/??
![Page 239: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/239.jpg)
Adding Actions
• Adding Actions toS5DY
• In all protocols - Actions are executed in theMeta-level
• Internalizing Actions toS5DY
• Action Dolev/Yao Multi-Agent Epistemic LogicS5
A
DY
axiom:KAm→ [sendAB(M)]KBm ???????
UnB2015 – p. 82/??
![Page 240: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/240.jpg)
Future Works
• Adding Common Knowledge toS5DY
UnB2015 – p. 83/??
![Page 241: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/241.jpg)
Future Works
• Adding Common Knowledge toS5DY
• Adding Actions toS5DY
UnB2015 – p. 83/??
![Page 242: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/242.jpg)
Future Works
• Adding Common Knowledge toS5DY
• Adding Actions toS5DY
• Computational Complexity
UnB2015 – p. 83/??
![Page 243: Formal Models for Security and Authenticityayala/EVENTS/12SemInf2015MBenevides.pdf · Formal Models for Security and Authenticity Escola de Verão - Matemática - UnB Mario Benevides](https://reader033.vdocuments.mx/reader033/viewer/2022060510/5f27d2e94c5004213664253a/html5/thumbnails/243.jpg)
Future Works
• Adding Common Knowledge toS5DY
• Adding Actions toS5DY
• Computational Complexity
• Model Checking Algorithms
UnB2015 – p. 83/??