CN106411940A - Security protocol verification method taking attacker as center - Google Patents
- Publication number
- CN106411940A, CN201611041828.7A
- Authority
- CN
- China
- Prior art keywords
- attacker
- state
- message
- security protocol
- rule
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/26—Special purpose or proprietary protocols or architectures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/03—Protocol definition or specification
Abstract
The invention belongs to the field of computer security protocol verification methods and specifically relates to an attacker-centric security protocol verification method. The method comprises: 1, setting an initial state according to the protocol verification target; 2, extracting a pending event from the state and judging in turn whether the current state and the event satisfy the rules TRules; and judging the states in Resultstate: if there is a state whose attacker knowledge contains a parameter that the protocol requires to be kept secret, that state is a secrecy-anomalous state; if there is a state whose protocol session scenario is abnormal, that state is an authentication-anomalous state; otherwise the protocol design is secure. The method takes temporal-order contradictions into account during state expansion: a backtracking mechanism is introduced into state expansion, so expansion branches of invalid states do not appear during the state search and the number of intermediate states is reduced. State expansion is driven by the attacker's requirements, its pattern is not fixed, and there are fewer branches, which reduces the size of the state space.
Description
Technical field
The invention belongs to the field of computer security protocol verification methods and specifically relates to an attacker-centric security protocol verification method.
Background art
A security protocol is a network protocol that uses cryptographic algorithms. Cryptographic algorithms are the cornerstone of information system security, but the overall security of an information system depends not only on the strength of its cryptographic algorithms; it is also closely tied to the security protocols the system uses. Even if the cryptographic algorithms a system uses are secure, if the security protocol it uses carries a security risk, an attacker can still attack the system successfully without breaking the cryptographic algorithms. With the spread and continuing development of computer networks, security protocols have become an important support for the reliable operation of the core security services in information systems and a key means of securely sharing network resources in distributed network environments, and they play a vital role in information system security. Nearly all key services in current Internet applications, such as system authentication and authorization, e-commerce, online banking and online payment, depend on security protocols. The security analysis of security protocols has therefore always been one of the key problems studied in the information security field.
To check that design goals are met, researchers have proposed many methods for verifying whether a security protocol has the security it claims, of which formal analysis is the best known and most effective. Formal analysis models the security protocol mathematically and has a sound theoretical basis; supported by automated reasoning and verification techniques, it can prove the security of a protocol, automatically or with assistance, or find the security flaws present in it. For example, G. Lowe, using CSP modelling and the FDR model checking tool, found a flaw in the Needham-Schroeder public key protocol that had existed for 17 years. Because they rest on rigorous logical models and inference methods, the conclusions of formal analysis are widely accepted by industry. Whether a protocol has passed formal analysis has become an important indicator of whether a security protocol is secure. The problem the invention mainly solves is how to carry out formal analysis of a protocol.
Prior-art security protocol analysis methods based on model checking fall into two kinds:
The first kind requires a session scenario to be set and is represented by the AVISPA family of tools. There are roughly three approaches: (1) the protocol session scenario is set manually, for example as parallel sessions among three principals when verifying the NS protocol; (2) the protocol session scenario is set automatically, with fixed session instances generated by an algorithm; (3) a symbolic protocol session scenario is used, in which even the principals of the session instances are variables that are instantiated to specific protocol principals on demand. Once the session scenario is set, the protocol is analysed according to the protocol model and the attacker model that have been established. The basic idea splits into two processes. The first is the interaction transition process: message exchanges in the protocol cause state transitions and form a state space tree. The second is the attack search process, which tests whether, under a given state transition rule, the attacker can mount an attack by taking part in the protocol. Both processes have techniques for reducing the search space. The interaction transition process can use partial order reduction to remove duplicate states, and symbolic techniques so that each node of the state tree represents a class of states, which reduces the state space. The attack process can use a lazy approach, instantiating the variables in message items on demand during the attack search.
The second kind does not set a protocol session scenario and is represented by the Athena and Scyther tools. The initial state contains the session instance of only one principal, and session instances are added by goal binding or node binding.
Both kinds of method suffer from problems such as temporal-order contradictions and redundant expanded states, which increase the likelihood of state space explosion.
Summary of the invention
To address the problems of the prior art, namely temporal-order contradictions and redundant expanded states that increase the likelihood of state space explosion, the invention proposes an attacker-centric security protocol verification method.
The technical solution of the invention is an attacker-centric security protocol verification method comprising the following steps:
Step 1: Model the legitimate principals and the attacker's behaviour in the running of the protocol and, according to the protocol verification target, set the initial state; the initial state is set to contain only one role instance.
Step 2: Extract a pending event from the state and judge in turn whether the current state and the event satisfy the rules TRules; if so, update the state by the corresponding state transition rule and continue with step 2; otherwise, the state is placed in the Resultstate set.
Step 3: Judge the states in Resultstate: if there is a state whose attacker knowledge contains a parameter that the protocol requires to be kept secret, that state is a secrecy-anomalous state; if there is a state whose protocol session scenario is abnormal, that state is an authentication-anomalous state; otherwise, the protocol design is secure.
In the attacker-centric security protocol verification method, the protocol in step 1 is expressed as a state set and a state transition set; the attacker's various actions and the messages passing between protocol participants are all taken into this state set and state transition set, and the whole state space is traversed to check whether some state of interest can be reached.
In the attacker-centric security protocol verification method, the modeling in step 1 mainly includes: (1) Under the Dolev-Yao model, every message a principal sends can be regarded as received by the attacker, whether or not the attacker is its intended recipient, and every message a principal receives can be regarded as sent by the attacker. The interaction trace of the protocol can therefore be represented as a sequence of the attacker's regular communication relations, so the attacker and the legitimate principals of the protocol are described uniformly as a sequence of regular communications involving the attacker, and states are defined on the basis of such communication sequences. (2) When an attack on the protocol occurs, the attacker must have taken part in the running of the protocol. Because the messages exchanged in a cryptographic protocol are mostly encrypted with keys, it is hard for an attacker who does not know the key to generate a message that a legitimate principal will accept. From this angle, verifying whether the protocol is secure is equivalent to verifying whether the attacker can synthesize the target message item. The attacker can synthesize the target message item in only two ways: generating it itself, or inducing a legitimate principal to generate it on its behalf. State transition rules can therefore be formulated from the attacker's point of view: according to the target item, the attacker decides which principal to communicate with, which message to intercept, and whether a new session instance is needed.
In the attacker-centric security protocol verification method, the rules TRules of step 2 include: TRule1, TRule2, TRule3, TRule4, TRule5, TRule6, TRule7 and TRule8.
In the attacker-centric security protocol verification method, the specific rule TRule1 is: IfThen:
State'={ RI, E/e, pair ∪ (e → recv (I, t)), tpair, tE, Atk ∪ addTermAtK(t)}
Rule TRule1 means that, when no backtracking is needed, the attacker receives the message and the attacker's knowledge is updated.
In the attacker-centric security protocol verification method, the specific rule TRule2 is: IfThen:
State'={ RI, E/e, pair ∪ p, tpair/p, tE, Atk ∪ addTermAtK(t)}
Rule TRule2 means that, when a send event is processed, a correspondence matching it exists in the tpair set; because the predecessor events of this send event have already been processed, this correspondence should be added to pair.
In the attacker-centric security protocol verification method, the specific rule TRule3 is: IfThen
State'={ RI, E/e, pair ∪ (send (I, t) → e), tpair, sE, Atk }
Rule TRule3 means that the attacker can synthesize the target message from existing knowledge.
In the attacker-centric security protocol verification method, the specific rule TRule4 is: IfIf the requirements set of t { core (t) }, solve solution space S, forThen:
State'={ RI, E ∪ e1,pair,tpair,sE,Atk}
Rule TRule4 means that the attacker cannot synthesize the target item and wants to obtain the requirement from outside in order to synthesize it.
In the attacker-centric security protocol verification method, the specific rule TRule5 is:
IfThen the resulting state is: State'={ RI, E/e, pair ∪ (e1→e),tpair,sE/e1,Atk∪addTermAtK(t)};
The specific rule TRule6 is:
IfThen the resulting state is: State'={ RI, E ∪ e1∪before(e1)/e,pair,tpair∪(e1→e),sE/(e1∪before(e1)),Atk};
Rules TRule5 and TRule6 mean that an event exists in an existing role instance that can form a correspondence with the target event.
In the attacker-centric security protocol verification method, the specific rule TRule7 is:
If
AndThen the resulting state is:
The specific rule TRule8 is:
If
AndThen the resulting state is:
Rules TRule7 and TRule8 mean that an event exists in an existing role instance that can form a correspondence with the target event.
In the attacker-centric security protocol verification method, the attacker's behaviour mainly includes adding knowledge and attacker reasoning, expressed as addTermAtK(m) and core (m) respectively.
In the attacker-centric security protocol verification method, adding knowledge specifically means: the attacker gains new knowledge by intercepting a large number of new messages. These message items contain many repeated sub-items, so to simplify the attacker's knowledge set the following rules for adding attacker knowledge are formulated, which remove identical indecomposable sub-items:
R1:
R2:
R3:
R4:
R5:
In the attacker-centric security protocol verification method, attacker reasoning mainly solves two problems: first, judging whether the attacker can produce the target item from the attacker's inference rules and existing knowledge; second, if the attacker cannot synthesize the target item, further judging whether the attacker can obtain specific new knowledge by some route and then synthesize the target item;
Specific new knowledge is defined as demand core (m), ifCore (m) meets following condition:
(1)
(2)
(3)
In the requirement definition, condition (1) states that after obtaining core (m) the attacker can derive message m; condition (2) states that if core (m) lacks any element the attacker cannot derive message m; condition (3) requires that the new knowledge the attacker gains on obtaining core (m) does not duplicate the existing knowledge set.
The beneficial effects of the invention are as follows. The invention takes temporal-order contradictions into account during state expansion: a backtracking mechanism is introduced into state expansion, so expansion branches of such invalid states do not appear during the state search and the number of intermediate states is reduced. State expansion is driven by the attacker's requirements, its pattern is not fixed, and there are fewer branches, which reduces the size of the state space.
Brief description of the drawings
Fig. 1 is a schematic diagram of a temporal-order contradiction;
Fig. 2 is a schematic diagram of the protocol model structure;
Detailed description of the embodiments
Embodiment 1: An attacker-centric security protocol verification method, comprising the following steps:
Step 1: Model the legitimate principals and the attacker's behaviour in the running of the protocol and, according to the protocol verification target, set the initial state; the initial state is set to contain only one role instance. The protocol is expressed as a state set and a state transition set; the attacker's various actions and the messages passing between protocol participants are all taken into this state set and state transition set, and the whole state space is traversed to check whether some state of interest can be reached.
The modeling mainly includes: (1) Under the Dolev-Yao model, every message a principal sends can be regarded as received by the attacker, whether or not the attacker is its intended recipient, and every message a principal receives can be regarded as sent by the attacker. The interaction trace of the protocol can therefore be represented as a sequence of the attacker's regular communication relations, so the attacker and the legitimate principals of the protocol are described uniformly as a sequence of regular communications involving the attacker, and states are defined on the basis of such communication sequences. (2) When an attack on the protocol occurs, the attacker must have taken part in the running of the protocol. Because the messages exchanged in a cryptographic protocol are mostly encrypted with keys, it is hard for an attacker who does not know the key to produce a message that a legitimate principal will accept. From this angle, verifying whether the protocol is secure is equivalent to verifying whether the attacker can synthesize the target message item. The attacker can synthesize the target message item in only two ways: generating it itself, or inducing a legitimate principal to generate it on its behalf. State transition rules can therefore be formulated from the attacker's point of view: according to the target item, the attacker decides which principal to communicate with, which message to intercept, and whether a new session instance is needed.
The attacker's behaviour mainly includes adding knowledge and attacker reasoning, expressed as addTermAtK(m) and core (m) respectively.
Adding knowledge specifically means: the attacker gains new knowledge by intercepting a large number of new messages. These message items contain many repeated sub-items, so to simplify the attacker's knowledge set the following rules for adding attacker knowledge are formulated, which remove identical indecomposable sub-items:
R1:
R2:
R3:
R4:
R5:
Attacker reasoning mainly solves two problems: first, judging whether the attacker can produce the target item from the attacker's inference rules and existing knowledge; second, if the attacker cannot synthesize the target item, further judging whether the attacker can obtain specific new knowledge by some route and then synthesize the target item;
Specific new knowledge is defined as demand core (m), ifCore (m) meets following condition:
(1)
(2)
(3)
In the requirement definition, condition (1) states that after obtaining core (m) the attacker can derive message m; condition (2) states that if core (m) lacks any element the attacker cannot derive message m; condition (3) requires that the new knowledge the attacker gains on obtaining core (m) does not duplicate the existing knowledge set.
Step 2: Extract a pending event from the state and judge in turn whether the current state and the event satisfy the rules TRules; if so, update the state by the corresponding state transition rule and continue with step 2; otherwise, the state is placed in the Resultstate set. The rules TRules of step 2 include: TRule1, TRule2, TRule3, TRule4, TRule5, TRule6, TRule7 and TRule8.
The specific rule TRule1 is: IfThen:
State'={ RI, E/e, pair ∪ (e → recv (I, t)), tpair, tE, Atk ∪ addTermAtK(t)}
Rule TRule1 means that, when no backtracking is needed, the attacker receives the message and the attacker's knowledge is updated.
The specific rule TRule2 is: IfThen:
State'={ RI, E/e, pair ∪ p, tpair/p, tE, Atk ∪ addTermAtK(t)}
Rule TRule2 means that, when a send event is processed, a correspondence matching it exists in the tpair set; because the predecessor events of this send event have already been processed, this correspondence should be added to pair.
The specific rule TRule3 is: IfThen
State'={ RI, E/e, pair ∪ (send (I, t) → e), tpair, sE, Atk }
Rule TRule3 means that the attacker can synthesize the target message from existing knowledge.
The specific rule TRule4 is: IfIf the requirements set of t { core (t) }, solve solution space S, forThen:
State'={ RI, E ∪ e1,pair,tpair,sE,Atk}
Rule TRule4 means that the attacker cannot synthesize the target item and wants to obtain the requirement from outside in order to synthesize it.
The specific rule TRule5 is: If
Then the resulting state is: State'={ RI, E/e, pair ∪ (e1→e),tpair,sE/e1,Atk∪addTermAtK(t)};
The specific rule TRule6 is:
IfThen the resulting state is: State'={ RI, E ∪ e1∪before(e1)/e,pair,tpair∪(e1→e),sE/(e1∪before(e1)),Atk};
Rules TRule5 and TRule6 mean that an event exists in an existing role instance that can form a correspondence with the target event.
The specific rule TRule7 is:
If
AndThen the resulting state is:
The specific rule TRule8 is:
If
AndThen the resulting state is:
Rules TRule7 and TRule8 mean that an event exists in an existing role instance that can form a correspondence with the target event.
Step 3: Judge the states in Resultstate: if there is a state whose attacker knowledge contains a parameter that the protocol requires to be kept secret, that state is a secrecy-anomalous state; if there is a state whose protocol session scenario is abnormal, that state is an authentication-anomalous state; otherwise, the protocol design is secure.
Embodiment 2: In an attacker-centric security protocol verification method, the legitimate principals and the attacker's behaviour in the running of the protocol must first be modeled. The behaviour of a legitimate principal can be described as a role instance; the attacker's behaviour mainly includes adding knowledge and attacker reasoning, expressed as addTermAtK(m) and core (m) respectively.
The attacker gains new knowledge by intercepting a large number of new messages. These message items contain many repeated sub-items, so to simplify the attacker's knowledge set the invention formulates the following rules for adding attacker knowledge, which remove identical indecomposable sub-items.
R1:
R2:
R3:
R4:
R5:
On the basis of the attacker's knowledge, attacker reasoning mainly solves two problems: first, judging whether the attacker can produce the target item from the attacker's inference rules and existing knowledge; second, if the attacker cannot synthesize the target item, further judging whether the attacker can obtain specific new knowledge by some route and then synthesize the target item.
In the present invention, specific new knowledge is defined as demand core (m), ifCore (m) meets following condition:
(1)
(2)
(3)
In the requirement definition, condition (1) states that after obtaining core (m) the attacker can derive message m; condition (2) states that if core (m) lacks any element the attacker cannot derive message m; condition (3) requires that the new knowledge the attacker gains on obtaining core (m) does not duplicate the existing knowledge set. The requirement is a set of knowledge unknown to the attacker and is essential for the attacker to synthesize the target item.
For sets {n1,n2,...,nk} and {m1,m2,...,ml}, the operation × is defined to satisfy:
{n1,n2,...,nk}×{m1,m2,...,ml}={ {n1,m1},{n1,m2},...{n1,ml},{n2,m1},{n2,m2},...{n2,ml},...,{nk,m1},{nk,m2},...{nk,ml} }
If the next-level sub-items of message item n are n1,n2,..., then the following recurrence relation holds:
{ core (n) }={ n } ∪ { core (n1)×core(n2)×...}
Else { core (n) }={ core (n1)×core(n2)×...}
The source templates of the protocol form a determined finite set. The attacker traverses the messages in the source templates and judges whether receiving a given message would yield the set core (m); template elements that meet this requirement are added to the solution space S:
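The attacker reasoning described above (adding knowledge, the requirement core (m) with its three conditions, and the solution space S), as an added Python example that is not part of the patent. It assumes a minimal term algebra (atoms, concatenation, symmetric encryption) and simple decomposition rules standing in for R1 to R5, which this page does not reproduce; every function name and sample message is constructed for illustration.

```python
from itertools import product

# Constructed term encoding: atoms are strings, ("pair", a, b) is a || b,
# ("enc", m, k) is m encrypted under symmetric key k. The decomposition
# rules below are assumptions standing in for the page's R1-R5.

def can_synthesize(known, t):
    """True if the attacker can build t from known items by pairing/encrypting."""
    if t in known:
        return True
    return isinstance(t, tuple) and all(can_synthesize(known, s) for s in t[1:])

def add_term(known, term):
    """Add an intercepted term and decompose to a fixed point (a set, so no duplicates)."""
    k = set(known) | {term}
    changed = True
    while changed:
        changed = False
        for t in list(k):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                parts = t[1:]                      # split a concatenation
            elif t[0] == "enc" and can_synthesize(k, t[2]):
                parts = (t[1],)                    # decrypt only with a derivable key
            else:
                parts = ()
            for p in parts:
                if p not in k:
                    k.add(p)
                    changed = True
    return frozenset(k)

def derives(known, req, m):
    """Condition (1): after obtaining every item in req, can the attacker derive m?"""
    k = frozenset(known)
    for r in req:
        k = add_term(k, r)
    return can_synthesize(k, m)

def shrink(known, req, m):
    """Condition (2): drop every item whose absence still lets m be derived."""
    req = set(req)
    for r in sorted(req, key=repr):
        if derives(known, req - {r}, m):
            req.discard(r)
    return frozenset(req)

def core(known, m):
    """All requirement sets for m: obtain m whole, or combine the sub-items' cores.
    Only items the attacker cannot already derive are ever included (condition (3))."""
    if can_synthesize(known, m):
        return {frozenset()}                       # nothing is missing
    candidates = {frozenset([m])}
    if isinstance(m, tuple):
        sub_cores = [core(known, s) for s in m[1:]]
        for combo in product(*sub_cores):          # the x operation over sub-item cores
            candidates.add(frozenset().union(*combo))
    return {shrink(known, c, m) for c in candidates}

def solution_space(known, m, templates):
    """Template messages whose receipt hands the attacker some requirement set of m."""
    if can_synthesize(known, m):
        return []
    reqs = core(known, m)
    space = []
    for msg in templates:
        after = add_term(known, msg)
        if any(all(can_synthesize(after, r) for r in req) for req in reqs):
            space.append(msg)
    return space

# Constructed scenario: the attacker shares key Kai with A and has intercepted one message.
KNOWN = add_term(frozenset({"A", "B", "Kai"}), ("enc", ("pair", "Na", "B"), "Kai"))
TARGET = ("enc", ("pair", "Na", "Nb"), "Kab")
TEMPLATES = [
    TARGET,                                        # a principal produces the target itself
    ("enc", ("pair", "Nb", "Kab"), "Kai"),         # readable by the attacker, leaks Nb and Kab
    ("enc", "Nb", "Kbs"),                          # opaque to the attacker
]

if __name__ == "__main__":
    for req in sorted(core(KNOWN, TARGET), key=repr):
        print("requirement:", sorted(req, key=repr))
    print("solution space:", solution_space(KNOWN, TARGET, TEMPLATES))
```

For a verifier, a non-empty solution space is the signal that a new correspondence or session instance is worth exploring; an empty one lets the branch be pruned.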
In the invention, the state of the protocol is defined as follows: State={ RI, E, pair, tE, tpair, Atk }.
Here RI is the set of role instances; E is the sequence of pending events, made up of events of the role instances in RI and consistent with the order the specification prescribes; pair is the correspondence sequence, whose order reflects the protocol execution trace; tE is an event set, used to hold events whose temporal relation to the events in E is undetermined; tpair is a correspondence set, used to hold correspondences whose temporal relation is undetermined and which cannot yet be added to pair; Atk denotes the attacker's knowledge.
ForCarry out state transfer according to the following rules.
TRule1: IfThen:
State'={ RI, E/e, pair ∪ (e → recv (I, t)), tpair, tE, Atk ∪ addTermAtK(t)}
Rule TRule1 means that, when no backtracking is needed, the attacker receives the message and the attacker's knowledge is updated.
TRule2: IfThen:
State'={ RI, E/e, pair ∪ p, tpair/p, tE, Atk ∪ addTermAtK(t)}
Rule TRule2 means that, when a send event is processed, a correspondence matching it exists in the tpair set; because the predecessor events of this send event have already been processed, this correspondence should be added to pair.
TRule3: IfThen
State'={ RI, E/e, pair ∪ (send (I, t) → e), tpair, sE, Atk }
Rule TRule3 means that the attacker can synthesize the target message from existing knowledge.
TRule4: IfIf the requirements set of t { core (t) }, solve solution space S, forThen:
State'={ RI, E ∪ e1,pair,tpair,sE,Atk}
Rule TRule4 means that the attacker cannot synthesize the target item and wants to obtain the requirement from outside in order to synthesize it.
TRule5: IfThen the resulting state is:
State'={ RI, E/e, pair ∪ (e1→e),tpair,sE/e1,Atk∪addTermAtK(t)}
TRule6: IfThen the resulting state is:
State'={ RI, E ∪ e1∪before(e1)/e,pair,tpair∪(e1→e),sE/(e1∪before(e1)),Atk}
Rules TRule5 and TRule6 mean that an event exists in an existing role instance that can form a correspondence with the target event.
TRule7: If
AndThen the resulting state is:
TRule8: If
AndThen the resulting state is:
Rules TRule7 and TRule8 mean that an event exists in an existing role instance that can form a correspondence with the target event.
The main steps of protocol verification are:
Step 1: According to the protocol verification target, set the initial state; the initial state is set to contain only one role instance.
Step 2: Extract a pending event from the state and judge in turn whether the current state and the event satisfy the rules TRules; if so, update the state by the corresponding state transition rule and continue with step 2; otherwise, the state is placed in the Resultstate set.
Step 3: Judge the states in Resultstate: if there is a state whose attacker knowledge contains a parameter that the protocol requires to be kept secret, that state is a secrecy-anomalous state; if there is a state whose protocol session scenario is abnormal, that state is an authentication-anomalous state; otherwise, the protocol design is secure.
The invention is based on model checking. The protocol is first expressed as a state set and a state transition set; the attacker's various actions and the messages passing between protocol participants are all taken into this state set and state transition set, and the whole state space is traversed to check whether some state of interest can be reached.
Model checking is a state search method. It takes each principal to have an associated state set; the union of all principals' state sets makes up the system state; each step of the protocol is treated as a state transition rule, and state transitions follow the execution of the protocol. Model checking looks for a transition path from the initial state to an insecure state. A model checking method should cover three aspects: state definition, state transition rules, and termination conditions.
The two basic principles of the invention are as follows:
1. Under the Dolev-Yao model, every message a principal sends can be regarded as received by the attacker, whether or not the attacker is its intended recipient, and every message a principal receives can be regarded as sent by the attacker. The interaction trace of the protocol can therefore be represented as a sequence of the attacker's regular communication relations. So the attacker and the legitimate principals of the protocol can be described uniformly as a sequence of regular communications involving the attacker, and states are defined on the basis of such communication sequences.
2. When an attack on the protocol occurs, the attacker must have taken part in the running of the protocol. Because the messages exchanged in a cryptographic protocol are mostly encrypted with keys, it is hard for an attacker who does not know the key to produce a message that a legitimate principal will accept. From this angle, verifying whether the protocol is secure is equivalent to verifying whether the attacker can synthesize the target message item. The attacker can synthesize the target message item in only two ways: generating it itself, or inducing a legitimate principal to generate it on its behalf. State transition rules can therefore be formulated from the attacker's point of view: according to the target item, the attacker decides which principal to communicate with, which message to intercept, and whether a new session instance is needed.
Explanation of terms:
Cryptographic protocol (cryptography protocol): also called a security protocol (security protocol); a network communication protocol built on a cryptosystem whose purpose is to provide security services for the network environment. It generally uses cryptographic algorithms and protocol logic to achieve important security goals such as authentication between entities and key distribution in the network, and is an important component of network security.
Fresh number (fresh): also called a random number; a group of random data that a principal uses during the running of the protocol to identify a particular session of the protocol. It is one of the most commonly used security measures in security protocols.
Dolev-Yao model assumption: the attacker completely controls the network and can forward, eavesdrop on and block messages.
Message item (term): messages in the protocol are represented as message items, which are divided into basic items and compound items. Basic items include the principal name agent, the random number fresh and the key key; compound items are formed from basic items by operations such as encryption (_)(_), concatenation (_ || _) and function transformation f(_, _) (for example signing or hashing).
Event (event): a message exchange action of a principal during the running of the protocol. send (Re, term) denotes that principal Re sends message item term; the event recv (In, term) denotes that principal In receives message item term.
Preceding and subsequent events: let e1·e2·e3 denote that events e1, e2 and e3 form a partially ordered event sequence by time. The set of events before e1 is written before (e1), and the set of events after it is written after (e1).
Correspondence →: the sending and receiving relation of a message between principals, represented by the symbol →.
Knowledge: the set of message items known to a principal or to the attacker.
Role (role): a protocol participant, usually an initiator, a responder or a trusted third party; it consists of a series of ordered events and knowledge.
Displacement and the example factor:DisplacementIfThenRepresenting will be all in t
Variable subitem x replace with x';The example factorIn the example factor, r represents main body, and rid represents the operation of main body
Round,For displacement set.
Source template (template): a template is the set of message items that conform to the message formats and structures the protocol specifies. All messages in the protocol interaction can be regarded as instantiations of messages in the source templates. Message instantiation falls into two cases: one is instantiation of a role instance, where, when a role instance is added, the role's executor, keys and the random numbers it uses are instantiated; the other is instantiation when building a correspondence, where the variables in a role, including the principal names, random numbers and keys used by other roles, are instantiated.
Matching function Match (inst, pt, m, inst'): denotes that, under the action of inst and inst', the two message items pt and m are equal, that is, inst pt=inst'm.
Role instance (roleInst): in one run of the protocol, instantiating a role forms a role instance, denoted by the symbol rInst (); for example, rInst (b#i) denotes the i-th run of principal b.
Target item: the message item that the attacker needs to generate.
Claims (13)
1. A security protocol verification method centered on the attacker, characterized in that the method comprises the following steps:
Step 1: model the legitimate principals and the attacker behaviour in the protocol run and, according to the protocol verification target, set the initial state; the initial state is set to contain only one role instance;
Step 2: extract a pending event from the state and judge in turn whether the current state and the event satisfy the rules TRules; if they do, update the state according to the corresponding state transition rule and continue with step 2; otherwise, the state enters the Resultstate set;
Step 3: judge the states in Resultstate: if there is a state whose attacker knowledge contains a parameter that the protocol needs to keep secret, that state is a secrecy abnormal state; if there is a state whose protocol session scenario is abnormal, that state is an authentication abnormal state; otherwise, the protocol design is secure.
2. The security protocol verification method centered on the attacker according to claim 1, characterized in that the protocol in step 1 is expressed as a set of states and a set of state transitions; the various behaviours of the attacker and the messages travelling between protocol participants are all taken into this state set and state transition set, and the whole state space is traversed to check whether a state of interest can be reached.
3. The security protocol verification method centered on the attacker according to claim 1, characterized in that the modeling in step 1 mainly includes:
(1) According to the Dolev-Yao model, every message a principal sends can be regarded as received by the attacker, whether or not the attacker is its destination, and every message a principal receives can be regarded as sent by the attacker. The interaction trace of the protocol can therefore be represented by a sequence of the attacker's communication relations, so that the attacker and the legitimate principals of the protocol are described uniformly as a communication sequence related to the attacker, and states are defined on the basis of such communication sequences.
(2) When an attack on the protocol occurs, the attacker must have taken part in the protocol run. Because most messages exchanged in a cryptographic protocol are encrypted with keys, an attacker who does not know the key can hardly produce a message that a legitimate principal accepts. From this angle, verifying whether the protocol is secure is equivalent to verifying whether the attacker can synthesize the target message term. The attacker can synthesize a target message term in only two ways: one is to generate it itself, the other is to induce a legitimate principal to generate it on its behalf. State transition rules can therefore be formulated from the attacker's point of view: according to its target term the attacker decides which principal to communicate with, which messages to intercept, and whether a new session instance is needed.
4. The security protocol verification method centered on the attacker according to claim 1, characterized in that the rules TRules of step 2 include: TRule1, TRule2, TRule3, TRule4, TRule5, TRule6, TRule7 and TRule8.
5. The security protocol verification method centered on the attacker according to claim 4, characterized in that the specific rule of TRule1 is: If Then:
State' = {RI, E/e, pair ∪ (e → recv(I, t)), tpair, tE, Atk ∪ addTermAtK(t)}
Rule TRule1 indicates that, when no backtracking is needed, the attacker receives the message and the attacker knowledge is updated.
6. The security protocol verification method centered on the attacker according to claim 4, characterized in that the specific rule of TRule2 is: If Then:
State' = {RI, E/e, pair ∪ p, tpair/p, tE, Atk ∪ addTermAtK(t)}
Rule TRule2 indicates that when a send event is processed and a communication relation corresponding to it exists in the tpair set, this communication relation should be added to pair, because the predecessor events of this send event have already been processed.
7. The security protocol verification method centered on the attacker according to claim 4, characterized in that the specific rule of TRule3 is: If Then:
State' = {RI, E/e, pair ∪ (send(I, t) → e), tpair, sE, Atk}
Rule TRule3 indicates that the attacker can synthesize the target message from its existing knowledge.
8. The security protocol verification method centered on the attacker according to claim 4, characterized in that the specific rule of TRule4 is: If If the requirement set of t is {core(t)}, solve the solution space S; for Then:
State' = {RI, E ∪ e1, pair, tpair, sE, Atk}
Rule TRule4 indicates that the attacker cannot synthesize the target term and tries to obtain the requirement from outside in order to synthesize the target term.
9. The security protocol verification method centered on the attacker according to claim 4, characterized in that the specific rule of TRule5 is:
If Then the resulting state is:
State' = {RI, E/e, pair ∪ (e1 → e), tpair, sE/e1, Atk ∪ addTermAtK(t)};
the specific rule of TRule6 is:
If Then the resulting state is:
State' = {RI, E ∪ e1 ∪ before(e1)/e, pair, tpair ∪ (e1 → e), sE/(e1 ∪ before(e1)), Atk};
Rules TRule5 and TRule6 indicate that an event exists in an existing role instance that can form a communication relation with the target event.
10. The security protocol verification method centered on the attacker according to claim 4, characterized in that the specific rule of TRule7 is:
If
And Then the resulting state is:
the specific rule of TRule8 is:
If
And Then the resulting state is:
Rules TRule7 and TRule8 indicate that an event exists in an existing role instance that can form a communication relation with the target event.
11. The security protocol verification method centered on the attacker according to claim 2, characterized in that the attacker behaviour mainly includes adding knowledge and attacker reasoning, expressed as addTermAtK(m) and core(m).
12. The security protocol verification method centered on the attacker according to claim 11, characterized in that adding knowledge specifically includes: the attacker obtains new knowledge by intercepting a large number of new messages, and these message terms contain many repeated subterms. To simplify the attacker knowledge set, the following attacker knowledge addition rules are formulated, which remove identical indecomposable subterms:
R1:
R2:
R3:
R4:
R5:
13. The security protocol verification method centered on the attacker according to claim 11, characterized in that the attacker reasoning mainly solves two problems: the first is to judge whether the attacker can produce the target term from the attacker inference rules and its existing knowledge; the second, if the attacker cannot synthesize the target term, is to determine whether the attacker can obtain specific new knowledge by some means in order to synthesize the target term;
The specific new knowledge is defined as the requirement core(m); if core(m) satisfies the following conditions:
(1)
(2)
(3)
In the requirement definition, condition (1) states that after obtaining core(m) the attacker can derive the message m; condition (2) states that if any element of core(m) is missing, the attacker cannot derive the message m; condition (3) requires that the new knowledge the attacker obtains with core(m) does not duplicate the existing knowledge set.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611041828.7A CN106411940B (en) | 2016-11-12 | 2016-11-12 | Security protocol verification method centered on attacker |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106411940A true CN106411940A (en) | 2017-02-15 |
CN106411940B CN106411940B (en) | 2019-07-12 |
Family
ID=58082420
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611041828.7A Expired - Fee Related CN106411940B (en) | 2016-11-12 | 2016-11-12 | Security protocol verification method centered on attacker |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106411940B (en) |
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101977180A (en) * | 2010-06-08 | 2011-02-16 | Nanjing University | Security protocol authentication method based on flaw attack |
Non-Patent Citations (2)
Title |
---|
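Xiong Yongqiang et al.: "Research and implementation of a security protocol verification algorithm based on the attacker and secrets", Journal of Chinese Computer Systems * |
Huang Liansheng et al.: "Protocol verification method based on the attacker's 'role impersonation'", Journal of Tsinghua University (Science and Technology) * |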
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108900545A (en) * | 2018-08-14 | 2018-11-27 | Guangxi University for Nationalities | A kind of Formal Modeling and verification method for security protocol |
CN112511554A (en) * | 2020-12-15 | 2021-03-16 | The 30th Research Institute of China Electronics Technology Group Corporation | Symbolic modeling system of network security protocol |
CN112511554B (en) * | 2020-12-15 | 2021-12-17 | The 30th Research Institute of China Electronics Technology Group Corporation | Symbolic modeling system of network security protocol |
Also Published As
Publication number | Publication date |
---|---|
CN106411940B (en) | 2019-07-12 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20190712 Termination date: 20201112 |