CN104104587A - Post consistency analysis method for certified mail protocol - Google Patents

Post consistency analysis method for certified mail protocol

Info

Publication number: CN104104587A
Application number: CN201410158530.9A
Authority: CN (China)
Other versions: CN104104587B (granted publication)
Other languages: Chinese (zh)
Prior art keywords: receipt, message, ttp, agreement, assailant
Inventors: 李晓红, 郭奇, 谢肖飞, 胡静, 许光全
Current assignee: Tianjin University
Original assignee: Tianjin University
Application filed by: Tianjin University
Priority: CN201410158530.9A
Legal status: Granted; Expired - Fee Related

Classification

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a post-consistency analysis method for a certified mail protocol. The method comprises the following steps: step 1) modelling the signcryption-based certified mail protocol; step 2) modelling the post-consistency property to be verified, the model being the query sequence(sendRec(r) ==> sendMsg(m)); and step 3) carrying out post-consistency verification and analysis against that model, that is, verifying the post-consistency property of the certified mail protocol "after TTP has sent receipt r to A, has message m been sent to B?". Compared with the prior art, the invention realises a post-consistency algorithm aimed specifically at post-consistency verification of certified mail protocols. Experiments show that the algorithm not only finds defective protocols but also produces the corresponding attack paths, so that in later work the protocol can be modified and improved in a targeted way.

Description

A post-consistency analysis method for a certified mail protocol
Technical field
The present invention relates to the field of network protocol security, and in particular to a post-consistency analysis method for signcryption-based certified mail protocols, i.e. the class of network protocols whose data transmission provides both confidentiality and authentication.
Background art
Fair exchange protocols play an important role in e-commerce, and the signcryption-based certified mail protocol is one of the more commonly used ones, so the verification of certified mail protocols has practical significance: their security directly affects the security of the whole Internet. Certified mail protocols are easy to get wrong in design, and their defects are hard to find by testing; the security properties of a protocol can instead be verified by formal methods. Research on the formal verification of security protocols has grown in recent years; the main approaches are belief-logic methods, theorem-proving methods, strand spaces and model checking. On these foundations many automated security-protocol verification tools have been developed, for example Athena, ProVerif, Murphi, AVISPA and NRL. These tools work well for verifying the secrecy and authentication properties of certified mail protocols, but they are not comprehensive.
Authentication, as a basic security property of security protocols, has been studied widely, and the usual approach is to verify the authentication property of a protocol through correspondence (consistency) assertions. Woo and Lam first proposed correspondence assertions to describe authentication, but their definition was fairly simple. The definition of correspondence generally has the form: if the protocol has performed some event, then some other event must have been performed before it; we call this form pre-consistency. There is a great deal of research on pre-consistency, but little on the property "if the protocol has performed some event, then some other event must be performed afterwards", which we call post-consistency. Consistency can verify not only the authentication property of a protocol but also that the protocol's messages are transmitted in a particular order.
At present, the post-consistency of security protocols is receiving more and more attention. In e-commerce protocols, for example, it is often necessary to guarantee that the protocol satisfies property A: "if the buyer's payment has been received, the seller must deliver afterwards"; this property can be verified by post-consistency. Pre-consistency can verify property B: "before the seller delivers, the buyer must have paid", but it cannot verify property A. Defects that violate post-consistency fall mainly into two kinds. In the first, an abnormality (hardware, network or similar problems) interrupts the protocol after event A has occurred, so event B never follows; the protocol should include an exception-handling sub-protocol to deal with such abnormalities. In the second, a protocol design defect means that after event A occurs event B does not occur, or a malicious attack prevents B from occurring; the designer should find and eliminate this defect in time.
Summary of the invention
To overcome the problems of the prior art described above, the present invention proposes a post-consistency analysis method for certified mail protocols. Taking a signcryption-based certified mail protocol as the object of study, it verifies the post-consistency of this class of network protocol and produces a targeted attack-path report for protocols that do not satisfy it.
The post-consistency analysis method for a certified mail protocol proposed by the invention comprises the following steps:
Step 1: a signcryption-based certified mail protocol comprising an Exchange sub-protocol and a Resolve sub-protocol; under normal conditions the Exchange sub-protocol is run, and when an abnormality or dispute occurs the Resolve sub-protocol is run. The certified mail protocol is modelled as follows:
Exchange sub-protocol
E1: $A \rightarrow B$: $h(m), E_{sk_a}(h(m))$
E2: $B \rightarrow A$: $c, r, s, h(receipt_b), Cert_{tb}, E_{sk_b}(h(m))$
E3: $A \rightarrow B$: $E_{pk_b}(m)$
E4: $B \rightarrow A$: $E_{pk_a}(receipt_b)$
Resolve sub-protocol
R1: $A \rightarrow TTP$: $Cert_{tb}, E_{sk_b}(h(m)), E_{pk_{ttp}}(m)$
R2: $TTP \rightarrow A$: $E_{pk_a}(receipt_b)$
R3: $TTP \rightarrow B$: $E_{pk_b}(m)$
Here E1, E2, E3, E4 denote the flow of the Exchange sub-protocol. E1 means A sends B the hash of message m and that hash signed (encrypted) with A's private key. E2 means B replies to A with the signature (c, r, s) on the receipt receipt_b, its hash h(receipt_b), the certificate Cert_tb that TTP generated for B's signed receipt before the protocol run, and the hash of message m signed with B's private key. E3 means that, having verified from the preceding message that the other party is B, A sends B message m encrypted with B's public key. E4 means that after B receives it, B replies to A with the receipt encrypted with A's public key.
R1, R2, R3 denote the flow of the Resolve sub-protocol. R1 means A sends TTP the certificate Cert_tb that TTP generated for B's signed receipt before the protocol run, the hash of m signed with B's private key, and m encrypted with TTP's public key. R2 means TTP replies to A with the receipt encrypted with A's public key. R3 means TTP sends B message m encrypted with B's public key.
A, B and TTP denote respectively the sender, the recipient and the trusted third party of the mail; m denotes the message sent; receipt_b denotes the receipt of recipient B. Before the certified mail protocol runs, the trusted third party TTP generates a receipt receipt_b for recipient B, recipient B produces a signature (c, r, s) on receipt_b, and sender A decides whether B's signature on receipt_b is acceptable by verifying whether (c, r, s) = H(h(receipt_b)) holds. Cert_tb denotes the certificate generated by TTP for recipient B's signed receipt before the protocol runs: $Cert_{tb} = E_{pk_{ttp}}(receipt_b)$.
Step 2: post-consistency verification modelling. The model is:
query sequence(sendRec(r) ==> sendMsg(m));
Step 3: attacker modelling. The attacker model is an automatically updated attacker knowledge base, as follows:
The attacker's initial knowledge is initK = ChannelMsg ∪ NewMsg ∪ NotSafeMsg, i.e. the initial value of K consists of the messages on the channel, newly created messages, and messages encrypted under keys that are not secure. The attacker rules are:
Define K(M) to mean that the attacker has knowledge M; let F denote the value set, P the set of public channels, t a term, and SameType(t, M) that t has the same type as M. Using the attacker rules above, combined with the finite effective message set, the attacker knowledge base K is updated.
Step 4: carry out post-consistency verification and analysis according to the "post-consistency verification model" above, i.e. verify the post-consistency property of the certified mail protocol "after TTP has sent receipt r to A, has it then sent message m to B?". This specifically comprises the following processing:
The public keys of A, B and TTP are sent on the public channel;
A sends B the message (hash(m), aencs(hash(m), skA)), i.e. the hash of message m and that hash signed with A's private key;
B sends A the message (getcrs(hash(r)), hash(r), aenc(tobitstr(r), pk(skT)), aencs(hash(m), skB)), i.e. the hash of receipt r, r encrypted with TTP's public key, and the hash of m signed with B's private key; getcrs and tobitstr are two functions that convert a parameter to type bitstring so that parameters match at run time;
A sends an exception-handling (Resolve) request to TTP;
TTP receives the exception-handling message (aenc(tobitstr(r), pk(skT)), aencs(hash(secr_Attacker), skB), aencsec(secr_Attacker, pk(skT))). This means that A did not receive the expected response and therefore complains to TTP, submitting evidence of what it sent; the evidence comprises the receipt returned to A, encrypted for TTP, the hash of the attacker's replayed message signed with B's private key, and the attacker's message encrypted with TTP's public key. The message TTP receives is one that A sent in a previous run of the protocol, which the attacker intercepted and forwarded while A was performing exception handling in this run;
TTP sends aencsec(r, pk(skA)) to A, i.e. TTP sends A proof that A had sent the message, with receipt r;
The event sendRec(r) is executed, the first marker set for the post-consistency verification;
TTP sends aencsec(secr_Attacker, pk(skB)) to B, i.e. the message tampered with by the man in the middle, encrypted with B's public key;
The event sendMsg(secr_Attacker) is executed, the second marker set for the post-consistency verification;
After TTP has sent receipt r to A, it sends B the message secr_Attacker tampered with by the man in the middle, so the post-consistency query sequence(sendRec(r) ==> sendMsg(m)) is not satisfied: TTP having sent receipt r to A does not guarantee that it has sent message m to B. The protocol is therefore subject to a replay attack: a malicious attacker retains the message from a previous run and sends it when exception handling is invoked, causing the attack, so that A receives receipt r while B does not receive message m.
Compared with the prior art, the invention takes the security of network protocols as its object, proposes an algorithm that can verify post-consistency, and implements that algorithm. The expected beneficial effects include:
1. A standardised definition of the post-consistency of certified mail protocols is given, which visibly complements the shortcoming of earlier security verification algorithms for certified mail protocols in this category of authentication property.
2. The post-consistency of certified mail protocols is creatively described with an extended pi calculus, which makes the definition of post-consistency more rigorous and shows that this property can also make use of the powerful tools associated with the pi calculus.
3. The invention implements a post-consistency algorithm aimed specifically at post-consistency verification of certified mail protocols. Experiments show that the algorithm not only finds defective protocols but also produces the corresponding attack paths, which makes targeted modification and improvement of the protocol easier in later work.
Brief description of the drawings
Fig. 1 is a schematic diagram of the overall flow of the invention;
Fig. 2 shows the attacker's knowledge-learning process.
Detailed description
The specific embodiment of the invention is described in further detail below with reference to the drawings.
The invention extends the ProVerif grammar with a choice operator and uses the extended pi calculus to specify security protocols and their post-consistency. Unlike a general attacker model, post-consistency must take into account malicious behaviour of protocol principals; the invention builds an automated attacker model on the basis of the Dolev-Yao model, and expresses the malice of protocol principals by transferring their malicious behaviour to the attacker. After the protocol description has been converted into an LTS, post-consistency is verified by searching the model for the marker events. To avoid the state-explosion problem that accompanies model checking, several state-reduction strategies are applied while converting to the LTS; experiments show that these strategies effectively avoid state explosion and shorten verification time. Finally, for a model that does not satisfy post-consistency, the method provides a targeted attack path, to support revision and improvement of the protocol in later work.
Part 1. Theoretical foundations
1. Syntax of the process calculus:
The grammar above comprises the definitions of terms and processes. A term is formed from names, variables and functions, where a, b, c, ..., s denote names, x, y, z denote variables and f denotes a function. On top of the existing ProVerif syntax, the grammar extends events, processes and destructor functions. Functions are divided into constructors f and destructors g; destructors do not appear in terms and are used only in processes. A constructor f builds compound terms (for example encryption, digital signatures), where l denotes the arity of f. A destructor computes on existing terms (for example decryption); the process let x = g(M_1, ..., M_l) in P else Q means that if g(M_1, ..., M_l) succeeds, its result is assigned to x and process P is executed, otherwise Q is executed. Constructors and destructors are either public or private: public functions can be used by all principals, including the attacker, whereas private functions can be used only by certain honest principals. Constructors and destructors thus describe the compound data of a protocol and operations such as encryption and decryption. event(M).P denotes that after the event event(M) has been performed, process P is executed; events are used to describe correspondence. Processes are denoted by P, Q, R. The invention extends the process operators with choice: P [] Q (the symbol is a box, written [] as in CSP) expresses that either P or Q may be executed; the choice operator can describe the several nondeterministic behaviours that arise during protocol execution, and the nondeterministic behaviour of the attacker.
2. Operational semantics
The operational semantics of the model is defined on a labelled transition system (LTS).
Definition 1 (Labelled Transition System):
An LTS is a triple $L = (S, init, T)$, where $S$ is the set of states, $init \in S$ is the initial state, and $T \subseteq S \times \Sigma_\tau \times S$ is the labelled transition relation. $\Sigma_\tau$ is the set of events and $\Sigma^*$ the set of traces.
(1) Defined as: for $s, s' \in S$, if there exist $s_0, \ldots, s_n \in S$ such that, for $0 \le i \le n$, with $e_i \in \Sigma_\tau$, $s_0 = s$ and $s_n = s'$.
(2) $s \rightarrow^* s'$ is defined as: if there exist $e_1, \ldots, e_n \in \Sigma_\tau$ such that
(3) Let $tr \in \Sigma^*$ be a sequence of events; it is defined as: if there exist $e_1, \ldots, e_n \in \Sigma_\tau$ such that $tr = \langle e_1, e_2, \ldots, e_n \rangle$ is a trace of $L$.
(4) The set of all traces of $L$ is
Given a process $P$, a value-mapping set $V$ for the global and local variables of $P$, and a channel set $C$, the operational semantics constructs an LTS $(S, init, T)$ with $S = \{ s \mid (P, V, C) \rightarrow^* s \}$ and $init = (P, V, C)$; a transition denotes that, by executing $a$, the configuration $(P, V, C)$ evolves into $(P', V', C')$.
The rules of the operational semantics:
Choice and parallel composition $|$ are symmetric. $Eval(v, exp)$ evaluates $exp$ under the value set $V$. $bn(A)$ denotes the set of names $n$ bound by $\nu n$ in $A$; $bv(A)$ the set of variables $x$ bound by $\nu x$ or by an input $M(x)$ in $A$; $fn(A)$ the set of names in $A$ that are not under a $\nu n$; and $fv(A)$ the set of variables $x$ in $A$ that are not bound by $\nu x$ or an input $M(x)$.
3. Definition of post-consistency
Based on the model semantics, post-consistency is defined in two forms. The first is similar to ProVerif: an event has several parameters, and during verification these parameters can be replaced by several values from the environment. In the second form the events e1 and e2 are independent, and it verifies the correspondence between e1 and e2 without parameters.
Definition 2 (Correspondency Relation):
Let $L = (S, init, T)$ be an implementation and $e_1, e_2$ two events.
$CorrespondencyRelation(e_1, e_2) = true$ iff $\forall tr \in traces(L)$, every occurrence of $e_1$ in $tr$ is followed later in $tr$ by an occurrence of $e_2$.
Definition 3 (post-consistency 1):
query $x_1 : t_1, \ldots, x_n : t_n$; event($e(M_1, \ldots, M_n)$) <== event($e'(N_1, \ldots, N_n)$), where $x_1, \ldots, x_n$ are variables, $t_1, \ldots, t_n$ are their types, $M_1, \ldots, M_n, N_1, \ldots, N_n$ are terms built over the variables $x_1, \ldots, x_n$, and $e, e'$ are events.
query $x_1 : t_1, \ldots, x_n : t_n$; event($e(M_1, \ldots, M_n)$) <== event($e'(N_1, \ldots, N_n)$) == true iff
$CorrespondencyRelation(e(M_1, \ldots, M_n), e'(N_1, \ldots, N_n)) = true$
Definition 4 (post-consistency 2):
query sequence($e(M_1, \ldots, M_n)$ ==> $e'(N_1, \ldots, N_n)$), where $M_1, \ldots, M_n, N_1, \ldots, N_n$ are terms containing no variables.
query sequence($e(M_1, \ldots, M_n)$ ==> $e'(N_1, \ldots, N_n)$) == true iff
$CorrespondencyRelation(e(M_1, \ldots, M_n), e'(N_1, \ldots, N_n)) = true$
Part 2. Modelling
1. Protocol description
A signcryption-based certified mail protocol, consisting of two parts.
1) Exchange sub-protocol
E1: $A \rightarrow B$: $h(m), E_{sk_a}(h(m))$
E2: $B \rightarrow A$: $c, r, s, h(receipt_b), Cert_{tb}, E_{sk_b}(h(m))$
E3: $A \rightarrow B$: $E_{pk_b}(m)$
E4: $B \rightarrow A$: $E_{pk_a}(receipt_b)$
2) Resolve sub-protocol
R1: $A \rightarrow TTP$: $Cert_{tb}, E_{sk_b}(h(m)), E_{pk_{ttp}}(m)$
R2: $TTP \rightarrow A$: $E_{pk_a}(receipt_b)$
R3: $TTP \rightarrow B$: $E_{pk_b}(m)$
A, B and TTP denote respectively the sender, the recipient and the trusted third party of the mail, m denotes the mail sent, and receipt_b denotes B's receipt. The protocol has two parts: under normal conditions the Exchange sub-protocol is run, and when an abnormality or dispute occurs the Resolve sub-protocol is run. Before the protocol runs, TTP generates a receipt receipt_b for B, B produces a signature (c, r, s) on receipt_b, and A decides whether B's signature on receipt_b is acceptable by checking whether (c, r, s) = H(h(receipt_b)) holds. Cert_tb denotes the certificate generated by TTP for B's signed receipt before the protocol runs.
Description of the Exchange sub-protocol: A first sends h(m) and its signature on h(m) to B; B checks whether the signature is valid, and if so sends A its signature on the receipt, (c, r, s, h(receipt_b)), together with the certificate Cert_tb. On receipt, A verifies two things: (1) whether the signature (c, r, s) is valid with respect to h(receipt_b); (2) whether the certificate Cert_tb is valid. If (1) passes, A can recover the receipt receipt_b through TTP under abnormal conditions; if both (1) and (2) pass, A sends the encrypted mail to B, and B, after verifying that m is valid, sends the encrypted receipt to A.
Description of the Resolve sub-protocol: A sends R1 to TTP, and TTP performs two checks: (1) whether Cert_tb is valid, recovering B's receipt receipt_b from Cert_tb; (2) whether the message m that B is to receive is valid. If both checks pass, TTP sends the encrypted mail to B and the encrypted receipt to A.
2. Protocol modelling
On the basis of the ProVerif language, a choice operator is added and two kinds of correspondence query are added. This section models the protocol above; the processes of A, B and TTP are given below.
Initially A holds the message m, A's public and private keys, B's public key and TTP's public key. The process of A is therefore described as follows:
let clenta1(pkA1:pkey, skA1:skey, pkB1:pkey, pkT1:pkey, skT1:skey) =
  (* E1: A -> B : h(m), E_ska(h(m)) *)
  out(c, (hash(m), aencs(hash(m), skA1)));
  (* E2: receive (c,r,s), h(receipt_b), Cert_tb and E_skb(h(m)) *)
  in(c, (crs:bitstring, qm:bitstring, zs:bitstring, bhm:bitstring));
  (* choice: either invoke the Resolve sub-protocol with TTP (R1) ... *)
  ( out(c, val(zs, bhm, aencsec(m, pkT1))) | ttp(pkA1, skT1, pkB1, pkT1) )
  []
  (* ... or continue the Exchange: check (c,r,s) and B's signed hash, then E3 and E4 *)
  ( let (=crs) = getcrs(qm) in
    if hash(m) = adecs(bhm, pkB1) then
    out(c, aencsec(m, pkB1));
    in(c, y1:secrstring) ).
Initially B holds the receipt r, B's public and private keys, A's public key, TTP's public key and the certificate Cert_tb generated by TTP. The process of B is therefore described as follows:
let clintb1(pkA1:pkey, skB1:skey, pkB1:pkey, pkT1:pkey, cts:bitstring) =
  (* E1: receive h(m) and A's signature on it; verify the signature *)
  in(c, (hm:bitstring, shm:bitstring));
  let (=hm) = adecs(shm, pkA1) in
  (* recover the receipt from the certificate and re-encrypt it for TTP *)
  let ctsp = adec(cts, skB1) in
  (* E2: (c,r,s), h(r), E_pkttp(r), E_skb(h(m)) *)
  out(c, (getcrs(hash(r)), hash(r), aenc(ctsp, pkT1), aencs(hm, skB1)));
  (* E3: receive E_pkb(m) and check it against h(m) *)
  in(c, msg:secrstring);
  let msgjm = adecsec(msg, skB1) in
  let (=hm) = hash(msgjm) in
  (* E4: E_pka(receipt) *)
  out(c, aencsec(r, pkA1)).
To verify the post-consistency property of the protocol "after TTP has sent receipt r to A, has it then sent message m to B?", the post-consistency query is:
query sequence(sendRec(r) ==> sendMsg(m))
3. Attacker modelling
Compared with honest principals, the attacker has far greater freedom: in an open network it can arbitrarily intercept, combine, decrypt, block and send messages, and this set of messages is unbounded. Most of these messages are useless, however; the invention is interested only in the message patterns that occur in the protocol, and the set of effective messages is finite. The attacker model is based on the Dolev-Yao model, and the attacker has the ability to construct the message set. Define K(M) to mean that the attacker has knowledge M; let F denote the value set, P the set of public channels, t a term, and SameType(t, M) that t has the same type as M. The attacker rules are described as follows:
The attacker can construct new messages, where the new term differs from every term already in the set F; for messages sent on a public channel, the attacker can intercept them; any message it holds, the attacker can send arbitrarily; the attacker can combine known messages, and can also decompose combined messages; if the attacker has a constructor and terms of the corresponding types, it can construct a new structured term; if the attacker has a destructor (analysis function) and terms of the corresponding types, it can obtain new terms by applying it. In protocol modelling, the constructors and destructors defined for the protocol represent encryption, hashing, decryption and so on.
The attacker's initial knowledge is initK = ChannelMsg ∪ NewMsg ∪ NotSafeMsg; using the attacker rules above, combined with the finite effective message set, the attacker knowledge base K is updated.
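As an added example that is not part of the patent, the following Python code implements a small Dolev-Yao knowledge closure in the style of the attacker model above: an analysis step that applies the destructors (splitting pairs, decrypting with a known private key, opening a signature with the known public key) until the knowledge base K stops growing, and a synthesis step that decides whether a goal term can be built from K with the constructors. Terms are nested tuples; the constructor names (pk, aenc, aencs, hash, pair) mirror the ProVerif-style functions of the protocol model, and the key names, the receipt r, the messages m_old and m_new and the recorded Resolve request are constructed for the example.

```python
from typing import FrozenSet, Set, Union

Term = Union[str, tuple]

# Constructors (symbolic).  aencs(m, sk) is "encrypt with the private key", i.e. a signature.
def pk(sk: Term) -> Term: return ("pk", sk)
def aenc(m: Term, k: Term) -> Term: return ("aenc", m, k)
def aencs(m: Term, sk: Term) -> Term: return ("aencs", m, sk)
def hash_(m: Term) -> Term: return ("hash", m)
def pair(*ts: Term) -> Term: return ("pair",) + ts

CONSTRUCTORS = ("pair", "hash", "aenc", "aencs", "pk")


def analyse(initial: Set[Term]) -> FrozenSet[Term]:
    """Analysis closure: apply destructors to K until no new term appears."""
    K: Set[Term] = set(initial)
    changed = True
    while changed:
        changed = False
        for t in list(K):
            new: Set[Term] = set()
            if isinstance(t, tuple):
                if t[0] == "pair":                       # split a pair
                    new.update(t[1:])
                elif (t[0] == "aenc" and isinstance(t[2], tuple)
                      and t[2][0] == "pk" and t[2][1] in K):   # decrypt: private key known
                    new.add(t[1])
                elif t[0] == "aencs" and (t[2] in K or pk(t[2]) in K):  # open a signature
                    new.add(t[1])
            if not new <= K:
                K |= new
                changed = True
    return frozenset(K)


def derivable(goal: Term, K: FrozenSet[Term]) -> bool:
    """Synthesis: goal is known outright, or is a constructor application whose
    arguments are all derivable.  Finite, because only subterms of goal are visited."""
    if goal in K:
        return True
    if isinstance(goal, tuple) and goal[0] in CONSTRUCTORS:
        return all(derivable(a, K) for a in goal[1:])
    return False


# Constructed sample: the public keys seen on channel c, one fresh name the attacker
# may create (NewMsg), and the Resolve request A sent in a PREVIOUS run for m_old.
skA, skB, skT = "skA", "skB", "skT"
r, m_old, m_new = "r", "m_old", "m_new"
old_R1 = pair(aenc(r, pk(skT)), aencs(hash_(m_old), skB), aenc(m_old, pk(skT)))
init_k: Set[Term] = {pk(skA), pk(skB), pk(skT), old_R1, m_new}


def can_replay_old_request() -> bool:
    """Replaying A's previous request needs nothing but the recorded message."""
    return derivable(old_R1, analyse(init_k))


def can_read_old_mail() -> bool:
    """m_old is only ever encrypted for TTP; without skT it stays secret."""
    return derivable(m_old, analyse(init_k))


def can_forge_request(x: Term, extra: FrozenSet[Term] = frozenset()) -> bool:
    """Can a fresh Resolve request for message x be built?  'extra' models a
    malicious principal's private knowledge (e.g. B's own key skB)."""
    forged = pair(aenc(r, pk(skT)), aencs(hash_(x), skB), aenc(x, pk(skT)))
    return derivable(forged, analyse(init_k | set(extra)))
```

The three queries separate the outside man in the middle from the malicious principal the text says the model must also cover: the replay of a recorded request is derivable from channel traffic alone, reading the old mail is not, and forging a request for a new message becomes derivable only once skB (a dishonest B) is added to the knowledge base.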
Part 3. Flow
Definitions:
$L_{imp} = (S_{imp}, init_{imp}, T_{imp})$ is the protocol model,
the set of final states, and e1, e2 denote two events.
The verification algorithm for the function CorrespondencyRelation is described as follows:
Row 1 obtains all traces; rows 2 to 9 verify every trace; row 3 obtains, via the getIndexes function, the set of indexes at which e1 occurs in trace tr; rows 4 to 8 check, for every occurrence of e1, whether e2 occurs after it; row 5 uses the find function to search tr for e2 between index i and tr.length; if e2 does not occur, row 7 returns false, meaning the property is not satisfied. After all traces have been verified, if all of them satisfy the property, row 10 returns true.
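As an added example that is not part of the patent, the following Python code implements the CorrespondencyRelation check of the rows described above, with getIndexes and find as separate functions, and evaluates both query forms: Definition 4 (closed terms) and Definition 3 (query variables, written here as arguments starting with "?", an assumption of this example). Channel I/O is elided from the constructed traces; only the marker events sendRec and sendMsg are kept.

```python
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, Tuple[str, ...]]   # (event name, argument terms)
Trace = List[Event]
Binding = Dict[str, str]


def unify(pattern: Event, event: Event, binding: Binding) -> Optional[Binding]:
    """Match an event against a pattern.  Pattern arguments starting with '?' are
    query variables (Definition 3); all others must match literally."""
    if pattern[0] != event[0] or len(pattern[1]) != len(event[1]):
        return None
    b = dict(binding)
    for p, a in zip(pattern[1], event[1]):
        if p.startswith("?"):
            if b.setdefault(p, a) != a:   # same variable must bind the same value
                return None
        elif p != a:
            return None
    return b


def get_indexes(tr: Trace, e1: Event) -> List[Tuple[int, Binding]]:
    """Row 3: positions of e1 in tr, with the binding each match induces."""
    found = []
    for i, ev in enumerate(tr):
        b = unify(e1, ev, {})
        if b is not None:
            found.append((i, b))
    return found


def find(tr: Trace, e2: Event, start: int, end: int, binding: Binding) -> Optional[int]:
    """Row 5: first index in [start, end) at which e2 occurs under the binding."""
    for j in range(start, end):
        if unify(e2, tr[j], binding) is not None:
            return j
    return None


def correspondency_relation(traces: List[Trace], e1: Event, e2: Event) -> bool:
    """Definition 2 / rows 1-10: every e1 in every trace is followed by an e2."""
    for tr in traces:
        for i, b in get_indexes(tr, e1):
            if find(tr, e2, i + 1, len(tr), b) is None:
                return False                      # row 7
    return True                                   # row 10


def attack_paths(traces: List[Trace], e1: Event, e2: Event) -> List[Trace]:
    """The counter-examples the method reports: the traces violating the query."""
    return [tr for tr in traces if not correspondency_relation([tr], e1, e2)]


def ev(name: str, *args: str) -> Event:
    return (name, tuple(args))


# Constructed traces: a normal Resolve run, and the replayed run from the
# counter-example in which TTP forwards a stale mail to B.
HONEST: Trace = [ev("sendRec", "r"), ev("sendMsg", "m")]
REPLAY: Trace = [ev("sendRec", "r"), ev("sendMsg", "secr_Attacker")]


def check_definition_4() -> Tuple[bool, List[Trace]]:
    """query sequence(sendRec(r) ==> sendMsg(m)) over both traces."""
    e1, e2 = ev("sendRec", "r"), ev("sendMsg", "m")
    traces = [HONEST, REPLAY]
    return correspondency_relation(traces, e1, e2), attack_paths(traces, e1, e2)


def check_definition_3(tr: Trace) -> bool:
    """query x, y; event(sendRec(x)) <== event(sendMsg(y)): some mail follows every receipt."""
    return correspondency_relation([tr], ev("sendRec", "?x"), ev("sendMsg", "?y"))
```

The variable form is what makes the binding in unify matter: a query such as event(a(?x)) <== event(b(?x)) is satisfied only by a later b carrying the same value that a bound, whereas the closed-term query of Definition 4 compares literal terms and so rejects the replayed trace, where the mail that follows the receipt is secr_Attacker rather than m.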
Part 4. Results and analysis
The post-consistency of the protocol was verified and the results of the protocol runs analysed; 6216 counter-examples were obtained in total. During verification the attacker holds a message set, and every time an input operator is encountered, every attacker message whose type matches can be processed; in every message exchange the message may be intercepted and arbitrarily sent by the attacker, so the protocol has very many paths at run time, which gives rise to many counter-example paths.
Manual analysis found that every counter-example contains the event
c?val(aenc(tobitstr(r), pk(skT)), aencs(hash(secr_Attacker), skB), aencsec(secr_Attacker, pk(skT)))
i.e. it is TTP receiving this message that causes post-consistency to fail. All these counter-examples show that the protocol may be subject to a man-in-the-middle attack; the counter-examples are numerous only because the attacker participates in the protocol at different points.
After TTP has sent receipt r to A, it sends message secr_Attacker to B, so the post-consistency query sequence(sendRec(r) ==> sendMsg(m)) is not satisfied. The protocol is therefore subject to a replay attack: a malicious attacker (an outside attacker or a protocol principal) can retain the message from a previous run and send it when exception handling is invoked, causing the attack, so that A receives receipt r while B does not receive message m.
The complete verification process is shown below through the verification of one certified mail protocol.
1. Modelling the certified mail protocol
A signcryption-based certified mail protocol, refined as follows, consists of two parts.
1) Exchange sub-protocol
E1: $A \rightarrow B$: $h(m), E_{sk_a}(h(m))$
E2: $B \rightarrow A$: $c, r, s, h(receipt_b), Cert_{tb}, E_{sk_b}(h(m))$
E3: $A \rightarrow B$: $E_{pk_b}(m)$
E4: $B \rightarrow A$: $E_{pk_a}(receipt_b)$
2) Resolve sub-protocol
R1: $A \rightarrow TTP$: $Cert_{tb}, E_{sk_b}(h(m)), E_{pk_{ttp}}(m)$
R2: $TTP \rightarrow A$: $E_{pk_a}(receipt_b)$
R3: $TTP \rightarrow B$: $E_{pk_b}(m)$
On the basis of the ProVerif modelling language, a choice operator is added and two kinds of correspondence query are added. This embodiment formally models the protocol above; the processes of A, B and TTP are given below.
Initially A holds the message m, A's public and private keys, B's public key and TTP's public key. The process of A is therefore described as follows:
let clenta1(pkA1:pkey, skA1:skey, pkB1:pkey, pkT1:pkey, skT1:skey) =
  (* E1: A -> B : h(m), E_ska(h(m)) *)
  out(c, (hash(m), aencs(hash(m), skA1)));
  (* E2: receive (c,r,s), h(receipt_b), Cert_tb and E_skb(h(m)) *)
  in(c, (crs:bitstring, qm:bitstring, zs:bitstring, bhm:bitstring));
  (* choice: either invoke the Resolve sub-protocol with TTP (R1) ... *)
  ( out(c, val(zs, bhm, aencsec(m, pkT1))) | ttp(pkA1, skT1, pkB1, pkT1) )
  []
  (* ... or continue the Exchange: check (c,r,s) and B's signed hash, then E3 and E4 *)
  ( let (=crs) = getcrs(qm) in
    if hash(m) = adecs(bhm, pkB1) then
    out(c, aencsec(m, pkB1));
    in(c, y1:secrstring) ).
Initially B holds the receipt r, B's public and private keys, A's public key, TTP's public key and the certificate Cert_tb generated by TTP. The process of B is therefore described as follows:
let clintb1(pkA1:pkey, skB1:skey, pkB1:pkey, pkT1:pkey, cts:bitstring) =
  (* E1: receive h(m) and A's signature on it; verify the signature *)
  in(c, (hm:bitstring, shm:bitstring));
  let (=hm) = adecs(shm, pkA1) in
  (* recover the receipt from the certificate and re-encrypt it for TTP *)
  let ctsp = adec(cts, skB1) in
  (* E2: (c,r,s), h(r), E_pkttp(r), E_skb(h(m)) *)
  out(c, (getcrs(hash(r)), hash(r), aenc(ctsp, pkT1), aencs(hm, skB1)));
  (* E3: receive E_pkb(m) and check it against h(m) *)
  in(c, msg:secrstring);
  let msgjm = adecsec(msg, skB1) in
  let (=hm) = hash(msgjm) in
  (* E4: E_pka(receipt) *)
  out(c, aencsec(r, pkA1)).
To verify the post-consistency property of the protocol "after TTP has sent receipt r to A, has it then sent message m to B?", the post-consistency model is:
query sequence(sendRec(r) ==> sendMsg(m)).
2. Verification and analysis
The post-consistency of the protocol was verified and the results of the protocol runs analysed. In this example 6216 counter-examples were obtained in total. During verification the attacker holds a message set, and every time an input operator is encountered, every attacker message whose type matches can be processed; in every message exchange the message may be intercepted and arbitrarily sent by the attacker, so the protocol has very many paths at run time, which gives rise to many counter-example paths.
Manual analysis found that every counter-example contains the event
c?val(aenc(tobitstr(r), pk(skT)), aencs(hash(secr_Attacker), skB), aencsec(secr_Attacker, pk(skT)))
i.e. it is TTP receiving this message that causes post-consistency to fail. All these counter-examples show that the protocol may be subject to a man-in-the-middle attack; the counter-examples are numerous only because the attacker participates in the protocol at different points. One of the counter-examples is taken below as an example to explain the analysis:
1  c!pk(skA)
2  c!pk(skB)
3  c!pk(skT)
4  c!(hash(m), aencs(hash(m), skA))
5  c?(hash(m), aencs(hash(m), skA))
6  c!(getcrs(hash(r)), hash(r), aenc(tobitstr(r), pk(skT)), aencs(hash(m), skB))
7  c?(getcrs(hash(r)), hash(r), aenc(tobitstr(r), pk(skT)), aencs(hash(m), skB))
8  c!val(aenc(tobitstr(r), pk(skT)), aencs(hash(m), skB), aencsec(m, pk(skT)))
9  c?val(aenc(tobitstr(r), pk(skT)), aencs(hash(secr_Attacker), skB), aencsec(secr_Attacker, pk(skT)))
10 c!aencsec(r, pk(skA))
11 sendRec(r)
12 c!aencsec(secr_Attacker, pk(skB))
13 sendMsg(secr_Attacker)
Analysis of the counter-example:
Rows 1 to 3 send the public keys of A, B and TTP on the public channel;
Rows 4 and 5 show A sending B the message (hash(m), aencs(hash(m), skA));
Rows 6 and 7 show B sending A the message
(getcrs(hash(r)), hash(r), aenc(tobitstr(r), pk(skT)), aencs(hash(m), skB));
Row 8 shows A sending the exception-handling (Resolve) request to TTP;
Row 9 shows TTP receiving the message
(aenc(tobitstr(r), pk(skT)), aencs(hash(secr_Attacker), skB), aencsec(secr_Attacker, pk(skT)));
this message is the one from the previous protocol run, and secr_Attacker is the mail of that previous run. Row 9 can be read as: when A performs exception handling and sends its message, the attacker intercepts it and forwards the message from the previous run instead; it can also be read as A itself sending, during exception handling, the message from a previous run rather than the current one. The attacker model can represent both an attacker's behaviour and malicious behaviour of a protocol principal;
Row 10 shows TTP sending aencsec(r, pk(skA)) to A;
Row 11 shows the event sendRec(r) being executed;
Row 12 shows TTP sending aencsec(secr_Attacker, pk(skB)) to B;
Row 13 shows the event sendMsg(secr_Attacker) being executed.
From the above, after TTP has sent receipt r to A, it sends message secr_Attacker to B, so the post-consistency query sequence(sendRec(r) ==> sendMsg(m)) is not satisfied. The protocol therefore has a replay attack: a malicious attacker (an outside attacker or a protocol principal) can retain the message from a previous run and send it when exception handling is invoked, causing the attack, so that A receives receipt r while B does not receive message m.

Claims (1)

1. A post-consistency analysis method for a certified mail protocol, characterised in that the method comprises the following steps:
Step 1: a signcryption-based certified mail protocol comprising an Exchange sub-protocol and a Resolve sub-protocol; under normal circumstances the Exchange sub-protocol is executed, and when an exception or dispute occurs the Resolve sub-protocol is executed. The certified mail protocol is modelled as follows:
Exchange sub-protocol:
E1: A → B: h(m), E_skA(h(m))
E2: B → A: c, r, s, h(receipt_B), Cert_TB, E_skB(h(m))
E3: A → B: E_pkB(m)
E4: B → A: E_pkA(receipt_B);
Resolve sub-protocol:
R1: A → TTP: Cert_TB, E_skB(h(m)), E_pkTTP(m)
R2: TTP → A: E_pkA(receipt_B)
R3: TTP → B: E_pkB(m);
Here E1 to E4 denote the flow of the Exchange sub-protocol. E1: A sends B the hash of message m and that hash signed with A's private key. E2: B replies to A with the signature (c, r, s) over the receipt receipt_B, the hash of receipt_B, the certificate Cert_TB that TTP generated for B's signed receipt before the protocol run, and the hash of m signed with B's private key. E3: having verified from the preceding information that the other party is B, A sends B the message m encrypted with B's public key. E4: after receiving it, B replies to A with the receipt encrypted with A's public key.
R1 to R3 denote the flow of the Resolve sub-protocol. R1: A sends TTP the certificate Cert_TB that TTP generated for B's signed receipt before the protocol run, the hash of m signed with B's private key (as received in E2), and m encrypted with TTP's public key. R2: TTP replies to A with the receipt encrypted with A's public key. R3: TTP sends B the message m encrypted with B's public key.
A, B and TTP denote the sender, the recipient and the trusted third party of the mail respectively; m denotes the message sent; receipt_B denotes recipient B's receipt: before the certified mail protocol runs, the trusted third party TTP generates a receipt receipt_B for recipient B, recipient B produces the signature (c, r, s) over receipt_B, and sender A decides whether B's signature on receipt_B is acceptable by verifying whether (c, r, s) = H(h(receipt_B)) holds; Cert_TB denotes the certificate that TTP generates for recipient B's signed receipt before the protocol runs, Cert_TB = E_pkTTP(receipt_B);
Step 2: post-consistency verification modelling; the model is:
query sequence(sendRec(r) ==> sendMsg(m));
Step 3: attacker modelling; the attacker model is an automatically updated attacker knowledge base, as follows:
The attacker's initial knowledge is initK = ChannelMsg ∪ NewMsg ∪ NotSafeMsg, i.e. the initial value of K consists of the messages on the channel, newly sent messages and messages encrypted with unsafe keys; the attacker rule is:
t ∈ F ⇒ K(t) new
where K(M) denotes that the attacker holds knowledge M, F denotes the current value set, P denotes the public channel set, t denotes a term, and SameType(t, M) denotes that t and M have the same type; applying the above attacker rule together with an efficient set representation updates the attacker knowledge base K;
Step 4: post-consistency check and analysis according to the post-consistency verification model above, i.e. verifying the post-consistency of the certified mail protocol: "after TTP has sent receipt r to A, has it then sent message m to B?". This comprises the following:
The public keys of A, B and TTP are put on the public channel;
A sends B the message (hash(m), aencs(hash(m), skA)), i.e. the hash of message m and that hash signed with A's private key;
B sends A the message (getcrs(hash(r)), hash(r), aenc(tobitstr(r), pk(skT)), aencs(hash(m), skB)), i.e. the hash of receipt r, r encrypted with TTP's public key, and the hash of m signed with B's private key; getcrs and tobitstr are two functions that convert a parameter to the bitstring type so that parameters match at run time;
A sends its exception-handling (Resolve) request to TTP;
TTP receives the exception-handling message (aenc(tobitstr(r), pk(skT)), aencs(hash(secr_Attacker), skB), aencsec(secr_Attacker, pk(skT))). A has not received the expected response, so it complains to TTP and presents evidence that it sent the message; the evidence comprises the receipt that was returned to it, the hash of the message signed with B's private key, and the message encrypted with TTP's public key. The message TTP actually receives, however, is the one from the previous protocol run (hence secr_Attacker), intercepted and forwarded by the attacker while A sends its exception-handling message;
TTP sends aencsec(r, pk(skA)) to A, i.e. TTP issues the proof that A did send a message and that the receipt is r;
The event sendRec(r) is executed, the first marker set for post-consistency verification of the program;
TTP sends aencsec(secr_Attacker, pk(skB)) to B, i.e. the message substituted by the man-in-the-middle, encrypted with B's public key;
The event sendMsg(secr_Attacker) is executed, the second marker set for post-consistency verification of the program;
After TTP has sent receipt r to A, it sends B the message secr_Attacker substituted by the man-in-the-middle, so the post-consistency query sequence(sendRec(r) ==> sendMsg(m)) is not satisfied: TTP having sent receipt r to A does not guarantee that it sent message m to B. The protocol is thus subject to a replay attack: a malicious attacker keeps the previous run's message and sends it during exception handling, so that A obtains receipt r while B does not receive this message m.
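The following Python script is an added example and is not the patent's own code or its ProVerif model. It replays, in a small symbolic model, the scenario of step 4 and of the counterexample analysis above: the Exchange/Resolve protocol of step 1 (with the getcrs/tobitstr conversions dropped), the attacker knowledge base of step 3 with SameType modelled as structural equality of constructor trees, and the query sequence(sendRec(r) ==> sendMsg(m)) of step 2 checked over the event trace. Assumptions beyond the page: TTP verifies B's signature against the hash of the decrypted m, and the earlier run uses the same recipient receipt r, since Cert_TB is generated per recipient before any run. All function, class and variable names are hypothetical.

```python
"""Added example, not the patent's own code: a symbolic replay of the
post-consistency counterexample. Models the Exchange/Resolve protocol of
step 1 (getcrs/tobitstr dropped), the attacker knowledge base of step 3 with
SameType as structural shape equality, and the query
sequence(sendRec(r) ==> sendMsg(m)) of step 2. All names are hypothetical."""

# Symbolic terms: atoms are str, constructed terms are tagged tuples.
def pk(sk): return ("pk", sk)
def h(x): return ("hash", x)
def aenc(x, pubkey): return ("aenc", x, pubkey)   # E_pk(x)
def aencs(x, sk): return ("aencs", x, sk)         # E_sk(x), a signature
def tup(*xs): return ("tuple",) + xs

def adec(c, sk):
    """Decrypt aenc(x, pk(sk)); anything else is a modelling error."""
    if not (isinstance(c, tuple) and c[0] == "aenc" and c[2] == pk(sk)):
        raise ValueError("not encrypted for this key")
    return c[1]

def shape(t):
    """Type of a term: its constructor tree with atoms erased.
    SameType(t, M) of the attacker model is shape(t) == shape(M)."""
    if isinstance(t, str):
        return "atom"
    return (t[0],) + tuple(shape(x) for x in t[1:])

class Attacker:
    """Knowledge base K fed by every message on the public channel c.
    At each input the attacker may deliver any K member of matching type."""
    def __init__(self, choose):
        self.K = []            # ordered list so the replay is deterministic
        self.choose = choose   # strategy: (intended message, candidates) -> delivered
    def learn(self, t):
        if t not in self.K:
            self.K.append(t)
    def deliver(self, t):
        self.learn(t)
        return self.choose(t, [k for k in self.K if shape(k) == shape(t)])

def honest(t, _cands):         # attacker only forwards
    return t

def replay(t, cands):          # substitute an earlier run's type-matching message
    older = [k for k in cands if k != t]
    return older[0] if older else t

class Trace:
    def __init__(self): self.events = []
    def event(self, name, arg): self.events.append((name, arg))

def ttp_resolve(msg, trace):
    """TTP's Resolve handler as modelled: R1 in, R2 then R3 out. Assumed check:
    B's signature must be over the hash of the decrypted m."""
    _, cert_tb, sig_b, enc_m = msg
    receipt = adec(cert_tb, "skT")       # Cert_TB = E_pkTTP(receipt_B)
    m = adec(enc_m, "skT")
    if sig_b != aencs(h(m), "skB"):
        raise ValueError("B's signature does not match m")
    trace.event("sendRec", receipt)      # R2: E_pkA(receipt_B) to A
    trace.event("sendMsg", m)            # R3: E_pkB(m) to B

def run_session(m, receipt, attacker, trace):
    """One run in which B withholds E4, so A falls back to Resolve."""
    cert_tb = aenc(receipt, pk("skT"))                           # issued to B beforehand
    attacker.learn(tup(h(m), aencs(h(m), "skA")))                # E1: A -> B
    attacker.learn(tup(h(receipt), cert_tb, aencs(h(m), "skB"))) # E2: B -> A
    r1 = tup(cert_tb, aencs(h(m), "skB"), aenc(m, pk("skT")))    # R1: A -> TTP
    ttp_resolve(attacker.deliver(r1), trace)                     # channel is attacker-controlled

def post_consistent(trace, receipt, m):
    """sequence(sendRec(r) ==> sendMsg(m)): every sendRec(r) must be followed by
    sendMsg(m). Returns (holds, offending suffix of the event trace)."""
    ev = trace.events
    for i, e in enumerate(ev):
        if e == ("sendRec", receipt) and ("sendMsg", m) not in ev[i + 1:]:
            return False, ev[i:]
    return True, []

def analyse(choose):
    """Two runs sharing recipient receipt r (Cert_TB is per recipient, not per
    message): the first is only observed; the query is checked on the second."""
    attacker = Attacker(choose)
    run_session("secr_Attacker", "r", attacker, Trace())   # earlier run
    trace = Trace()
    run_session("m", "r", attacker, trace)                 # current run
    return post_consistent(trace, "r", "m")

if __name__ == "__main__":
    for name, strategy in (("honest channel", honest), ("replay of R1", replay)):
        holds, witness = analyse(strategy)
        print(f"{name}: post-consistency {'holds' if holds else 'violated'} {witness}")
```

On an honest channel the query holds; once the attacker substitutes the previous run's R1 message (the only earlier message whose type matches), TTP emits sendRec(r) followed by sendMsg(secr_Attacker), and the returned witness is exactly the suffix corresponding to lines 11 and 13 of the trace above. The model also makes the root cause visible: nothing TTP receives in R1 binds the receipt r to the particular m of the current run, so any consistent (cert, signature, ciphertext) triple from an earlier run is accepted.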
Priority Applications (1)

Application Number    Priority Date    Filing Date    Title
CN201410158530.9A (granted as CN104104587B)    2014-04-18    2014-04-18    A kind of rear uniformity analysis method of certified mail protocols

Publications (2)

Publication Number Publication Date
CN104104587A true CN104104587A (en) 2014-10-15
CN104104587B CN104104587B (en) 2017-12-26

Family

ID=51672399

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410158530.9A Expired - Fee Related CN104104587B (en) 2014-04-18 2014-04-18 A kind of rear uniformity analysis method of certified mail protocols

Country Status (1)

Country Link
CN (1) CN104104587B (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104901952A (en) * 2015-05-04 2015-09-09 太原科技大学 Method for improving Woo-Lam protocol coping with new attack mode
CN105049283A (en) * 2015-07-07 2015-11-11 天津大学 Security exchange protocol model detection method
CN105049283B (en) * 2015-07-07 2018-08-03 天津大学 Secure exchange protocol model detection method
CN111885039A (en) * 2020-07-17 2020-11-03 华东师范大学 Formalized verification method based on IPv6 security protocol

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2388971A1 (en) * 1999-10-25 2001-05-03 Cypherix (Pty) Limited Method for making data processing resistant to extraction of data by analysis of unintended side-channel signals
CN103186830A (en) * 2011-12-31 2013-07-03 成都勤智数码科技股份有限公司 Work order generation method and device according to mail intelligent analysis
CN103347006A (en) * 2013-06-20 2013-10-09 同济大学 Control system and control method for networking cooperation virtual experiment
CN103368979A (en) * 2013-08-08 2013-10-23 电子科技大学 Network security verifying device based on improved K-means algorithm
CN103634264A (en) * 2012-08-20 2014-03-12 江苏中科慧创信息安全技术有限公司 Active trapping method based on behavior analysis

Also Published As

Publication number Publication date
CN104104587B (en) 2017-12-26

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee (granted publication date: 20171226)