CN106411940A - Security protocol verification method taking attacker as center - Google Patents


Info

Publication number
CN106411940A
Authority
CN
China
Prior art keywords
attacker
state
message
security protocol
rule
Prior art date
Legal status
Granted
Application number
CN201611041828.7A
Other languages
Chinese (zh)
Other versions
CN106411940B (en)
Inventor
谷文
韩继红
袁霖
Current Assignee
PLA Information Engineering University
Original Assignee
PLA Information Engineering University
Priority date
Filing date
Publication date
Application filed by PLA Information Engineering University
Priority to CN201611041828.7A
Publication of CN106411940A
Application granted
Publication of CN106411940B
Legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/26 Special purpose or proprietary protocols or architectures
    • H04L69/03 Protocol definition or specification

Abstract

The invention belongs to the field of computer security protocol verification methods and specifically relates to a security protocol verification method that takes the attacker as its center. The method comprises the steps of: 1, setting an initial state according to the protocol verification target; 2, extracting the event to be handled in the state and judging in turn whether the current state and the event conform to the TRules; and 3, judging the states in Resultstate, where if there exists a state in which the attacker's knowledge contains a parameter the protocol must keep secret, that state is a secrecy-abnormal state, and if there exists a state in which the protocol session scene is abnormal, that state is an authentication-abnormal state; otherwise the protocol design is secure. The method takes temporal contradictions in the state extension process into account: a backtracking mechanism is introduced into state extension, so extended branches from invalid states do not appear during the state search and the number of intermediate states is reduced; and state extension is driven by the attacker's requirements, so the extension pattern is not fixed, there are fewer branches, and the state space is reduced.

Description

Security protocol verification method centered on attacker
Technical field
The invention belongs to the field of computer security protocol verification methods, and in particular relates to a security protocol verification method centered on the attacker.
Background technology
Security protocols are network protocols that employ cryptographic algorithms. Cryptographic algorithms are the cornerstone of information system security, but the overall security of an information system depends not only on the strength of its cryptographic algorithms; it is also closely tied to the security protocols the system adopts. Even if the cryptographic algorithms a system uses are secure, a security flaw in the protocol it uses lets an attacker mount a successful attack on the system without needing to break the cryptographic algorithms. With the spread and continuous development of computer networks, security protocols have become an important underpinning for the reliable operation of the various core security services in information systems, the key means of securely sharing network resources in distributed network environments, and a decisive factor in information system security. Nearly all key services in current Internet applications, such as system authentication and authorization, e-commerce, online banking and online payment, rely on security protocols. Therefore, security analysis methods for security protocols have always been one of the key research problems in the field of information security.
To reach their design objectives, researchers have proposed numerous methods for verifying whether a security protocol has the security properties it claims, among which formal analysis methods are well known and effective. Formal analysis uses mathematical models to model the security protocol, has a reliable theoretical basis, and is supplemented by computer-aided automated reasoning and verification techniques, so that it can automatically or semi-automatically prove the security of a protocol or find its latent security hazards. For example, G. Lowe, using a CSP-based modeling method and the FDR model checking tool, found a flaw in the Needham-Schroeder public key protocol that had gone unnoticed for 17 years. Because it rests on rigorous logical models and inference methods, the conclusions of formal analysis are widely recognized by industry, and whether a protocol has undergone formal analysis has become an important indicator of whether it is secure. The problem the present invention mainly solves is how to carry out formal analysis of a protocol.
Prior-art security protocol analysis methods based on model checking can be divided into two kinds:
The first kind of method must set a session scene, with the AVISPA series of tools as representative. There are roughly three approaches: (1) manually setting the protocol session scene, e.g. setting a parallel session among three principals when verifying the NS protocol; (2) automatically setting the protocol session scene, generating fixed session instances by algorithm; (3) a symbolic protocol session scene, in which even the principals of the session instances are variables that are instantiated to specific protocol principals on demand. After the session scene is set, the protocol is analyzed according to the established protocol model and attacker model, and the basic idea can be divided into two processes. The first process is called the interaction transition process: message interaction in the protocol causes state transitions, forming a state space tree. The second is the attack search process, which tests whether, under a given state transition rule, the attacker can form an attack by participating in the protocol. Both processes have associated techniques for reducing the search space: the interaction transition process can apply partial-order reduction to remove repeated states, and symbolic techniques so that each node of the state tree represents a class of states, reducing the state space; the attack search process can apply lazy instantiation, instantiating the variables in message items only on demand during the attack search.
The second kind of method does not set a protocol session scene, with the Athena and Scyther tools as representative; the initial state contains only the session instance of one principal, and session instances are added using goal binding or node binding.
Both kinds of method have problems such as temporal contradictions and redundant extended states, which increase the probability of state space explosion.
Content of the invention
In view of the problems in the prior art, namely temporal contradictions in situation analysis and redundant extended states that increase the probability of state space explosion, the present invention proposes a security protocol verification method centered on the attacker.
The technical scheme of the present invention is a security protocol verification method centered on the attacker, comprising the following steps:
Step 1: model the legitimate principals and the attacker's behavior during protocol operation, and set the initial state according to the protocol verification target; the initial state is set to contain only one role instance.
Step 2: extract a pending event from the state and judge in turn whether the current state and the event satisfy the rules TRules; if so, update the state by the corresponding state transition rule and continue with step 2; otherwise, the state enters the Resultstate set.
Step 3: judge the states in Resultstate. If there is a state whose attacker knowledge contains a parameter that the protocol must keep secret, that state is a secrecy-abnormal state; if there is a state whose protocol session scene is abnormal, that state is an authentication-abnormal state; otherwise the protocol design is secure.
In the described method, the protocol of step 1 is expressed as a state set and a set of state transitions; the various actions of the attacker and the messages exchanged between protocol participants are all taken into this state set and state transition set, the whole state space is traversed, and it is checked whether some state of interest can be reached. The modeling in step 1 mainly includes: (1) according to the Dolev-Yao model, every message sent by a principal can be regarded as received by the attacker, whether or not the attacker is its intended destination, and every message received by a principal can be regarded as sent by the attacker; therefore the interaction trace of the protocol can be represented as a sequence of regular communication relations involving the attacker, so the attacker and the legitimate principals of the protocol are described uniformly as a sequence of regular communications involving the attacker, and states are defined on the basis of such communication sequences; (2) when an attack on the protocol occurs, the attacker must take part in the running of the protocol; since most interaction messages of a cryptographic protocol are encrypted with keys, the attacker can hardly produce a message that a legitimate principal will accept without knowing the key, so from this angle verifying whether the protocol is secure is equivalent to verifying whether the attacker can synthesize the target message item; the attacker can synthesize the target message item in only two ways, either generating it itself or inducing a legitimate principal to generate it on its behalf; therefore the state transition rules can be formulated from the attacker's perspective, that is, the attacker decides according to the target item which principal to communicate with, which messages to intercept, and whether a new session instance needs to be added.
In the described method, the rules TRules of step 2 include TRule1, TRule2, TRule3, TRule4, TRule5, TRule6, TRule7 and TRule8.
In the described method, TRule1 is: IfThen:
State' = {RI, E/e, pair ∪ (e → recv(I, t)), tpair, tE, Atk ∪ addTermAtK(t)}
Rule TRule1 covers the case where no backtracking is needed: the attacker receives the message and updates the attacker's knowledge.
In the described method, TRule2 is: IfThen:
State' = {RI, E/e, pair ∪ p, tpair/p, tE, Atk ∪ addTermAtK(t)}
Rule TRule2 covers processing a send event for which a matching correspondence already exists in the tpair set; because the predecessor event of this send event has been processed, the correspondence should be added to pair.
In the described method, TRule3 is: IfThen
State' = {RI, E/e, pair ∪ (send(I, t) → e), tpair, sE, Atk}
Rule TRule3 covers the case where the attacker can synthesize the target message from its existing knowledge.
In the described method, TRule4 is: IfIf the demand set of t is {core(t)}, solve the solution space S; forThen: State' = {RI, E ∪ e1, pair, tpair, sE, Atk}
Rule TRule4 covers the case where the attacker cannot synthesize the target item and intends to obtain the demand from outside in order to synthesize it.
In the described method, TRule5 is:
IfThen the resulting state is: State' = {RI, E/e, pair ∪ (e1 → e), tpair, sE/e1, Atk ∪ addTermAtK(t)};
TRule6 is:
IfThen the resulting state is: State' = {RI, E ∪ e1 ∪ before(e1)/e, pair, tpair ∪ (e1 → e), sE/(e1 ∪ before(e1)), Atk};
Rules TRule5 and TRule6 cover the case where an event in an existing role instance can form a correspondence with the target event.
In the described method, TRule7 is:
If
AndThen the resulting state is:
TRule8 is:
If
AndThen the resulting state is:
Rules TRule7 and TRule8 cover the case where an event in an existing role instance can form a correspondence with the target event.
In the described method, the attacker's behavior mainly includes adding knowledge and attacker reasoning, expressed as addTermAtK(m) and core(m) respectively.
In the described method, adding knowledge specifically includes the following. The attacker obtains new knowledge by intercepting a large number of new messages, and these message items contain many repeated sub-items; to simplify the attacker's knowledge set, the following attacker knowledge addition rules are formulated, which remove identical undecomposable sub-items:
R1:
R2:
R3:
R4:
R5:
In the described method, attacker reasoning mainly solves two problems: one is to judge whether the attacker can produce the target item based on the attacker's inference rules and existing knowledge; the other, once it is determined that the attacker cannot synthesize the target item, is to judge further whether the attacker can obtain specific new knowledge by some means and then synthesize the target item.
The specific new knowledge is defined as the demand core(m), ifCore(m) satisfies the following conditions:
(1)
(2)
(3)
In this definition of demand, condition (1) states that once the attacker obtains core(m), message m can be derived; condition (2) states that if core(m) lacks any element, the attacker cannot derive m; condition (3) requires that the new knowledge the attacker acquires through core(m) does not overlap with its existing knowledge set.
The beneficial effects of the invention are as follows: the invention takes temporal contradictions during state extension into account and introduces a backtracking mechanism into state extension, so extension branches of such invalid states do not appear and the number of intermediate states during the state search is reduced; state extension is driven by the attacker's demands, so the pattern is not fixed, there are fewer branches, and the number of states in the state space is reduced.
Brief description of the drawings
Fig. 1 is a schematic diagram of a temporal contradiction;
Fig. 2 is a schematic diagram of the structure of the protocol model;
Specific embodiments
Embodiment 1: a security protocol verification method centered on the attacker, comprising the following steps:
Step 1: model the legitimate principals and the attacker's behavior during protocol operation, and set the initial state according to the protocol verification target; the initial state is set to contain only one role instance. The protocol is expressed as a state set and a state transition set; the various actions of the attacker and the messages exchanged between protocol participants are all taken into this state set and state transition set, the whole state space is traversed, and it is checked whether some state of interest can be reached.
The modeling mainly includes: (1) according to the Dolev-Yao model, every message sent by a principal can be regarded as received by the attacker, whether or not the attacker is its intended destination, and every message received by a principal can be regarded as sent by the attacker; therefore the interaction trace of the protocol can be represented as a sequence of regular communication relations involving the attacker, so the attacker and the legitimate principals of the protocol are described uniformly as a sequence of regular communications involving the attacker, and states are defined on the basis of such communication sequences; (2) when an attack on the protocol occurs, the attacker must take part in the running of the protocol; since most interaction messages of a cryptographic protocol are encrypted with keys, the attacker can hardly produce a message that a legitimate principal will accept without knowing the key, so from this angle verifying whether the protocol is secure is equivalent to verifying whether the attacker can synthesize the target message item; the attacker can synthesize the target message item in only two ways, either generating it itself or inducing a legitimate principal to generate it on its behalf; therefore the state transition rules can be formulated from the attacker's perspective: the attacker decides according to the target item which principal to communicate with, which messages to intercept, and whether a new session instance needs to be added.
The attacker's behavior mainly includes adding knowledge and attacker reasoning, expressed as addTermAtK(m) and core(m) respectively.
Adding knowledge specifically includes the following: the attacker obtains new knowledge by intercepting a large number of new messages, and these message items contain many repeated sub-items; to simplify the attacker's knowledge set, the following attacker knowledge addition rules are formulated, which remove identical undecomposable sub-items:
R1:
R2:
R3:
R4:
R5:
Attacker reasoning mainly solves two problems: one is to judge whether the attacker can produce the target item based on the attacker's inference rules and existing knowledge; the other, once it is determined that the attacker cannot synthesize the target item, is to judge further whether the attacker can obtain specific new knowledge by some means and then synthesize the target item.
The specific new knowledge is defined as the demand core(m), ifCore(m) satisfies the following conditions:
(1)
(2)
(3)
In this definition of demand, condition (1) states that once the attacker obtains core(m), message m can be derived; condition (2) states that if core(m) lacks any element, the attacker cannot derive m; condition (3) requires that the new knowledge the attacker acquires through core(m) does not overlap with its existing knowledge set.
Step 2: extract a pending event from the state and judge in turn whether the current state and the event satisfy the rules TRules; if so, update the state by the corresponding state transition rule and continue with step 2; otherwise, the state enters the Resultstate set. The rules TRules of step 2 include TRule1, TRule2, TRule3, TRule4, TRule5, TRule6, TRule7 and TRule8.
TRule1 is: IfThen:
State' = {RI, E/e, pair ∪ (e → recv(I, t)), tpair, tE, Atk ∪ addTermAtK(t)}
Rule TRule1 covers the case where no backtracking is needed: the attacker receives the message and updates the attacker's knowledge.
TRule2 is: IfThen:
State' = {RI, E/e, pair ∪ p, tpair/p, tE, Atk ∪ addTermAtK(t)}
Rule TRule2 covers processing a send event for which a matching correspondence already exists in the tpair set; because the predecessor event of this send event has been processed, the correspondence should be added to pair.
TRule3 is: IfThen
State' = {RI, E/e, pair ∪ (send(I, t) → e), tpair, sE, Atk}
Rule TRule3 covers the case where the attacker can synthesize the target message from its existing knowledge.
TRule4 is: IfIf the demand set of t is {core(t)}, solve the solution space S; forThen: State' = {RI, E ∪ e1, pair, tpair, sE, Atk}
Rule TRule4 covers the case where the attacker cannot synthesize the target item and intends to obtain the demand from outside in order to synthesize it.
TRule5 is: If Then the resulting state is: State' = {RI, E/e, pair ∪ (e1 → e), tpair, sE/e1, Atk ∪ addTermAtK(t)};
TRule6 is:
IfThen the resulting state is: State' = {RI, E ∪ e1 ∪ before(e1)/e, pair, tpair ∪ (e1 → e), sE/(e1 ∪ before(e1)), Atk};
Rules TRule5 and TRule6 cover the case where an event in an existing role instance can form a correspondence with the target event.
TRule7 is:
If
AndThen the resulting state is:
TRule8 is:
If
AndThen the resulting state is:
Rules TRule7 and TRule8 cover the case where an event in an existing role instance can form a correspondence with the target event.
Step 3: judge the states in Resultstate. If there is a state whose attacker knowledge contains a parameter that the protocol must keep secret, that state is a secrecy-abnormal state; if there is a state whose protocol session scene is abnormal, that state is an authentication-abnormal state; otherwise the protocol design is secure.
Embodiment 2: a security protocol verification method centered on the attacker. First, the legitimate principals and the attacker's behavior during protocol operation must be modeled. The behavior of a legitimate principal can be described as a role instance; the attacker's behavior mainly includes adding knowledge and attacker reasoning, expressed as addTermAtK(m) and core(m) respectively.
The attacker obtains new knowledge by intercepting a large number of new messages, and these message items contain many repeated sub-items; to simplify the attacker's knowledge set, the present invention formulates the following attacker knowledge addition rules, which remove identical undecomposable sub-items.
R1:
R2:
R3:
R4:
R5:
On the basis of the attacker's knowledge, attacker reasoning mainly solves two problems: one is to judge whether the attacker can produce the target item based on the attacker's inference rules and existing knowledge; the other, once it is determined that the attacker cannot synthesize the target item, is to judge further whether the attacker can obtain specific new knowledge by some means and then synthesize the target item.
In the present invention, the specific new knowledge is defined as the demand core(m), ifCore(m) satisfies the following conditions:
(1)
(2)
(3)
In this definition of demand, condition (1) states that once the attacker obtains core(m), message m can be derived; condition (2) states that if core(m) lacks any element, the attacker cannot derive m; condition (3) requires that the new knowledge the attacker acquires through core(m) does not overlap with its existing knowledge set. The demand is the set of knowledge the attacker lacks, and it is decisive for the attacker's synthesis of the target item.
Given the sets {n1, n2, ..., nk} and {m1, m2, ..., ml}, the operation × is defined to satisfy:
{n1, n2, ..., nk} × {m1, m2, ..., ml} = {{n1, m1}, {n1, m2}, ..., {n1, ml}, {n2, m1}, {n2, m2}, ..., {n2, ml}, ..., {nk, m1}, {nk, m2}, ..., {nk, ml}}
If the next-layer sub-items of message item n are n1, n2, ..., then the following recurrence relation holds:
{core(n)} = {n} ∪ {core(n1) × core(n2) × ...}
Else {core(n)} = {core(n1) × core(n2) × ...}
The source template of the protocol is a determined finite set. The attacker traverses the messages in the source template and judges whether receiving each message can yield the set core(m); the message template elements satisfying this requirement are added to the solution space S:
In the present invention, the state of the protocol is defined as follows: State = {RI, E, pair, tE, tpair, Atk}.
Here RI is the set of role instances; E is the sequence of pending events, made up of the events of the role instances in RI and conforming to the specified temporal order; pair is the correspondence sequence, whose order corresponds to the protocol execution trace; tE is an event set used to hold events whose temporal relation to the events in E is undetermined; tpair is a correspondence set used to hold correspondences whose order relation is undetermined and which therefore cannot yet be added to pair; Atk represents the attacker's knowledge.
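The demand computation and solution-space search described above, as an added worked example that is not code from the patent: a small Dolev-Yao term model with the knowledge addition addTermAtK(m), an attacker synthesis check, the × product, the core(m) recurrence, and the search over a source template for messages whose interception supplies a demand set. The term encoding, the key-naming convention (pkX/skX), the sample knowledge and the two-message template are all constructed here, and the recurrence's missing guard is assumed to be "n is not derivable from the current knowledge".

```python
"""Added example (not from the patent): Dolev-Yao terms, addTermAtK(m),
synthesis check, the x product, the core(m) recurrence and solution space S.
Term encoding, key names and the sample protocol template are constructed."""
from itertools import product

# Term encoding (assumption): ('agent', n), ('nonce', n), ('key', n),
# ('pair', left, right), ('enc', payload, key), ('hash', payload).
A, B, I = ('agent', 'A'), ('agent', 'B'), ('agent', 'I')
PK_A, PK_B, PK_I, SK_I = [('key', k) for k in ('pkA', 'pkB', 'pkI', 'skI')]
NA, NB = ('nonce', 'Na'), ('nonce', 'Nb')


def inv(key):
    """Inverse key: pkX <-> skX for key pairs; any other key is its own inverse."""
    name = key[1]
    if name.startswith('pk'):
        return ('key', 'sk' + name[2:])
    if name.startswith('sk'):
        return ('key', 'pk' + name[2:])
    return key


def subterms(t):
    """Next-layer sub-items n1, n2, ... of a message item (none for elementary items)."""
    if t[0] in ('pair', 'enc'):
        return [t[1], t[2]]
    if t[0] == 'hash':
        return [t[1]]
    return []


def add_term_atk(knowledge, t):
    """addTermAtK(m): add an intercepted item, then decompose to a fixpoint: split
    pairs, decrypt when the inverse key is known (a key learned later may unlock an
    earlier ciphertext), and keep a single copy of each undecomposable sub-item."""
    known = set(knowledge) | {t}
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if term[0] == 'pair':
                gained = {term[1], term[2]}
            elif term[0] == 'enc' and inv(term[2]) in known:
                gained = {term[1]}
            else:
                continue
            if not gained <= known:
                known |= gained
                changed = True
    return frozenset(known)


def can_synthesize(knowledge, t):
    """Attacker inference: t is known, or every sub-item can be synthesized
    (pairing, encrypting with a known key, hashing)."""
    if t in knowledge:
        return True
    subs = subterms(t)
    return bool(subs) and all(can_synthesize(knowledge, s) for s in subs)


def cross(family_a, family_b):
    """The x operation of the text: all pairwise unions of one demand set from
    each family, e.g. {{n1},{n2}} x {{m1}} = {{n1,m1},{n2,m1}}."""
    return {a | b for a, b in product(family_a, family_b)}


def core(knowledge, m):
    """{core(m)}: family of candidate demand sets whose acquisition lets the
    attacker derive m. A derivable item needs nothing (empty demand); otherwise
    {core(n)} = {n} u {core(n1) x core(n2) x ...}. Assumption: the recurrence's
    guard is 'n is not derivable from the current knowledge'."""
    if can_synthesize(knowledge, m):
        return {frozenset()}
    options = {frozenset([m])}
    subs = subterms(m)
    if subs:
        combined = {frozenset()}
        for s in subs:
            combined = cross(combined, core(knowledge, s))
        options |= combined
    return options


def solution_space(knowledge, template, target):
    """S: source-template messages whose interception (via addTermAtK) would supply
    a whole demand set of the target, i.e. TRule4's acquisition from outside."""
    demands = core(knowledge, target) - {frozenset()}
    return [msg for msg in template
            if any(d <= add_term_atk(knowledge, msg) for d in demands)]


# Constructed scenario: attacker I must produce {Na, A}_pkB for B while holding
# only the principal names, the public keys and its own private key.
KNOWLEDGE = frozenset({A, B, I, PK_A, PK_B, PK_I, SK_I})
TARGET = ('enc', ('pair', NA, A), PK_B)
# Constructed source template: a first message addressed to I, and a reply to A.
TEMPLATE = [('enc', ('pair', NA, A), PK_I), ('enc', ('pair', NA, NB), PK_A)]


def demo():
    """Return the demand family of TARGET and the template messages that meet it."""
    return core(KNOWLEDGE, TARGET), solution_space(KNOWLEDGE, TEMPLATE, TARGET)


if __name__ == '__main__':
    demand, space = demo()
    for d in demand:
        print('demand set:', set(d))
    print('solution space:', space)
```

For the constructed scenario the demand family is {{Na, A}_pkB}, {(Na, A)}, {Na}}, and only the first template message (decryptable with skI) lands in S; the reply encrypted under pkA adds nothing the attacker can use.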
ForCarry out state transfer according to the following rules.
TRule1: IfThen:
State' = {RI, E/e, pair ∪ (e → recv(I, t)), tpair, tE, Atk ∪ addTermAtK(t)}
Rule TRule1 covers the case where no backtracking is needed: the attacker receives the message and updates the attacker's knowledge.
TRule2: IfThen:
State' = {RI, E/e, pair ∪ p, tpair/p, tE, Atk ∪ addTermAtK(t)}
Rule TRule2 covers processing a send event for which a matching correspondence already exists in the tpair set; because the predecessor event of this send event has been processed, the correspondence should be added to pair.
TRule3: IfThen
State' = {RI, E/e, pair ∪ (send(I, t) → e), tpair, sE, Atk}
Rule TRule3 covers the case where the attacker can synthesize the target message from its existing knowledge.
TRule4: IfIf the demand set of t is {core(t)}, solve the solution space S; forThen:
State' = {RI, E ∪ e1, pair, tpair, sE, Atk}
Rule TRule4 covers the case where the attacker cannot synthesize the target item and intends to obtain the demand from outside in order to synthesize it.
TRule5: IfThen the resulting state is:
State' = {RI, E/e, pair ∪ (e1 → e), tpair, sE/e1, Atk ∪ addTermAtK(t)}
TRule6: IfThen the resulting state is:
State' = {RI, E ∪ e1 ∪ before(e1)/e, pair, tpair ∪ (e1 → e), sE/(e1 ∪ before(e1)), Atk}
Rules TRule5 and TRule6 cover the case where an event in an existing role instance can form a correspondence with the target event.
TRule7: If AndThen the resulting state is:
TRule8: If AndThen the resulting state is:
Rules TRule7 and TRule8 cover the case where an event in an existing role instance can form a correspondence with the target event.
The protocol verification mainly comprises the following steps:
Step 1: set the initial state according to the protocol verification target; the initial state is set to contain only one role instance.
Step 2: extract a pending event from the state and judge in turn whether the current state and the event satisfy the rules TRules; if so, update the state by the corresponding state transition rule and continue with step 2; otherwise, the state enters the Resultstate set.
Step 3: judge the states in Resultstate. If there is a state whose attacker knowledge contains a parameter that the protocol must keep secret, that state is a secrecy-abnormal state; if there is a state whose protocol session scene is abnormal, that state is an authentication-abnormal state; otherwise the protocol design is secure.
The present invention is based on the model checking method: the protocol is first expressed as a state set and a state transition set; the various actions of the attacker and the messages exchanged between protocol participants are all taken into this state set and state transition set, the whole state space is traversed, and it is checked whether some state of interest can be reached.
Model checking is a state search method. It considers that each principal has an associated state set, that the union of all principals' state sets constitutes the system state, and that each step of the protocol is regarded as a state transition rule, with state transitions carried out according to the execution of the protocol. Through model checking, one sees whether there is a transition path from the initial state to an unsafe state. A model checking method should comprise three aspects: the state definition, the state transition rules and the termination condition.
The two basic principles of the present invention are described as follows:
1. According to the Dolev-Yao model, every message sent by a principal can be regarded as received by the attacker, whether or not the attacker is its intended destination, and every message received by a principal can be regarded as sent by the attacker. Therefore the interaction trace of the protocol can be represented as a sequence of regular communication relations involving the attacker, so the attacker and the legitimate principals of the protocol can be described uniformly as a sequence of regular communications involving the attacker, and states are defined on the basis of such communication sequences.
2. When an attack on the protocol occurs, the attacker must take part in the running of the protocol. Since most interaction messages of a cryptographic protocol are encrypted with keys, the attacker can hardly produce a message that a legitimate principal will accept without knowing the key. From this angle, verifying whether the protocol is secure is equivalent to verifying whether the attacker can synthesize the target message item. The attacker can synthesize the target message item in only two ways: generating it itself, or inducing a legitimate principal to generate it on its behalf. Therefore the state transition rules can be formulated from the attacker's perspective: the attacker decides according to the target item which principal to communicate with, which messages to intercept, and whether a new session instance needs to be added.
Explanation of terms:
Cryptographic protocol (cryptography protocol): also called a security protocol (security protocol); a network interaction communication protocol built on a cryptosystem, whose purpose is to provide various security services for the network environment. It generally uses cryptographic algorithms and protocol logic to achieve important security goals such as authentication between entities and key distribution in the network, and is an important component of network security.
Fresh number (fresh): also called a random number; a set of random data used by a principal during protocol operation to identify a particular session of the protocol, and one of the most commonly used security means in security protocols.
Dolev-Yao model assumption: the attacker completely controls the network and can forward, eavesdrop on and block messages.
Message item (term): messages in the protocol are represented by message items, which are divided into elementary items and compound items. Elementary items include principal names agent, random numbers fresh and keys key; compound items are formed from elementary items by operations such as encryption (_)(_), concatenation (_ || _) and function transformations f(_, _) (e.g. signature or hash).
Event (event): a message interaction action of a principal during protocol operation; send(Re, term) denotes that principal Re sends message item term, and recv(In, term) denotes that principal In receives message item term.
Predecessor and successor events: if e1·e2·e3 denotes that events e1, e2 and e3 form a partial-order sequence by their temporal relation, the set of events before e1 is denoted before(e1) and the set of events after it is denoted after(e1).
Correspondence →: the send-receive relation of a message between principals, denoted by the symbol →.
Knowledge: the set of message items known to a principal or to the attacker.
Role (role): a protocol participant, generally the initiator, the responder or a trusted third party, composed of a series of ordered events and knowledge.
Substitution and instantiation factor: substitutionIfThenrepresents replacing every variable sub-item x in t with x'; instantiation factorIn the instantiation factor, r denotes the principal, rid denotes the run number of the principal, andis the substitution set.
Source template (template): the template is the set of message items that satisfy the message formats and structures specified by the protocol. All messages in a protocol interaction can be regarded as instantiations of messages in the source template, and message instantiation falls into two cases: instantiation of a role instance, where, when a role instance is added, the performer of the role and the keys and random numbers it uses are instantiated; and instantiation when building a correspondence, where the variables in the role that refer to other roles, such as principal names, random numbers and keys, are instantiated.
Matching function Match(inst, pt, m, inst'): denotes that under the action of inst and inst' the two message items pt and m are equal, i.e. inst pt = inst' m.
Role instance (roleInst): in one run of the protocol interaction, the instantiation of a role forms a role instance, denoted by the symbol rInst(); e.g. rInst(b#i) denotes the i-th run of principal b.
Target item: the message item the attacker needs to generate.

Claims (13)

1. A security protocol verification method centered on the attacker, characterized in that the method comprises the following steps:
Step 1: model the legal principals and the attacker's behaviour during the protocol run, and set the initial state according to the verification target; the initial state contains exactly one role instance;
Step 2: extract the pending events of the state and check, one after another, whether the current state and event satisfy the rules TRules. If they do, update the state according to the corresponding state-transition rule and repeat Step 2; otherwise the state is placed in the result-state set;
Step 3: examine the states in the result-state set. If some state's attacker knowledge contains a protocol parameter that must remain confidential, that state is a secrecy-abnormal state; if some state's protocol session scenario is abnormal, that state is an authentication-abnormal state; otherwise the protocol design is safe.
2. The security protocol verification method centered on the attacker according to claim 1, characterized in that the protocol of Step 1 is represented as a set of states and a set of state transitions. The attacker's various actions and the messages passing between protocol participants are all incorporated into this state set and transition set; the whole state space is traversed, and it is checked whether a certain state of interest can be reached.
3. The security protocol verification method centered on the attacker according to claim 1, characterized in that the modeling of Step 1 mainly comprises: (1) under the Dolev-Yao model, every message sent by a principal, whatever its intended destination, is regarded as received by the attacker, and every message received by a principal is regarded as sent by the attacker; the interaction trace of the protocol can therefore be represented by a sequence of the attacker's communication relations, the attacker and the legal principals are described uniformly as a communication sequence involving the attacker, and states are defined on the basis of such communication sequences; (2) when an attack on the protocol occurs, the attacker must take part in the protocol run; because most messages exchanged in a cryptographic protocol are encrypted under keys, an attacker who does not know the key can hardly produce a message that a legal principal will accept, so from this point of view verifying whether the protocol is secure is equivalent to verifying whether the attacker can synthesize the target message term. The attacker can synthesize a target message term in only two ways: generate it itself, or induce a legal principal to generate it on its behalf. The state-transition rules can therefore be formulated from the attacker's perspective: according to the target term, the attacker decides which principal to communicate with, which messages to intercept, and whether a new session instance must be added.
4. The security protocol verification method centered on the attacker according to claim 1, characterized in that the rules TRules of Step 2 comprise TRule1, TRule2, TRule3, TRule4, TRule5, TRule6, TRule7 and TRule8.
5. The security protocol verification method centered on the attacker according to claim 4, characterized in that TRule1 is: if the precondition of the rule holds, then:
State' = {RI, E/e, pair ∪ (e → recv(I, t)), tpair, tE, Atk ∪ addTermAtK(t)}
Rule TRule1 means that, without any need to backtrack, the attacker receives a message and the attacker's knowledge is updated.
6. The security protocol verification method centered on the attacker according to claim 4, characterized in that TRule2 is: if the precondition of the rule holds, then:
State' = {RI, E/e, pair ∪ p, tpair/p, tE, Atk ∪ addTermAtK(t)}
Rule TRule2 means that, when a send event is processed, a correspondence matching it already exists in the tpair set; because the predecessor events of this send event have been processed, that correspondence is moved into pair.
7. The security protocol verification method centered on the attacker according to claim 4, characterized in that TRule3 is: if the precondition of the rule holds, then:
State' = {RI, E/e, pair ∪ (send(I, t) → e), tpair, sE, Atk}
Rule TRule3 means that the attacker can synthesize the target message from its existing knowledge.
8. The security protocol verification method centered on the attacker according to claim 4, characterized in that TRule4 is: if the precondition of the rule holds, take the requirement set {core(t)} of t, solve the solution space S, and for each solution in S: State' = {RI, E ∪ e1, pair, tpair, sE, Atk}
Rule TRule4 means that the attacker cannot synthesize the target term and intends to obtain from outside the demand needed to synthesize it.
9. The security protocol verification method centered on the attacker according to claim 4, characterized in that TRule5 is:
if the precondition of the rule holds, the resulting state is:
State' = {RI, E/e, pair ∪ (e1 → e), tpair, sE/e1, Atk ∪ addTermAtK(t)};
and TRule6 is:
if the precondition of the rule holds, the resulting state is:
State' = {RI, E ∪ e1 ∪ before(e1)/e, pair, tpair ∪ (e1 → e), sE/(e1 ∪ before(e1)), Atk};
Rules TRule5 and TRule6 mean that an event in an existing role instance can form a correspondence with the target event.
10. The security protocol verification method centered on the attacker according to claim 4, characterized in that TRule7 is:
if the precondition of the rule holds
and the additional condition holds, the resulting state is:
and TRule8 is:
if the precondition of the rule holds
and the additional condition holds, the resulting state is:
Rules TRule7 and TRule8 mean that an event in an existing role instance can form a correspondence with the target event.
11. The security protocol verification method centered on the attacker according to claim 2, characterized in that the attacker's behaviour mainly comprises adding knowledge and attacker reasoning, denoted addTermAtK(m) and core(m) respectively.
12. The security protocol verification method centered on the attacker according to claim 11, characterized in that adding knowledge specifically comprises: the attacker obtains new knowledge by intercepting a large number of new messages, and these message terms contain many repeated sub-terms; to simplify the attacker's knowledge set, the following knowledge-addition rules are formulated, which remove identical undecomposable sub-terms:
R1:
R2:
R3:
R4:
R5:
13. The security protocol verification method centered on the attacker according to claim 11, characterized in that:
the attacker reasoning mainly solves two problems: first, judging whether the attacker can produce the target term from the attacker's inference rules and its existing knowledge; second, if the attacker cannot synthesize the target term, judging whether the attacker can obtain specific new knowledge by some means so as to synthesize the target term;
the specific new knowledge is defined as the demand core(m); core(m) satisfies the following conditions:
(1)
(2)
(3)
In this definition of demand, condition (1) states that once the attacker obtains core(m) it can derive message m; condition (2) states that if any element of core(m) is missing the attacker cannot derive m; condition (3) requires that the new knowledge the attacker gains after obtaining core(m) does not repeat anything in its existing knowledge set.
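As an added worked example (not the patent's own code, and not its rules R1 to R5 or its formal conditions on core(m), which this page does not reproduce), the following Python models the term algebra of the definitions above, the attacker's knowledge update addTermAtK(m) of claim 11, the two reasoning problems of claim 13 together with the demand solution space S used by TRule4 in claim 8, and the Step 3 secrecy check of claim 1. The term constructors `enc`, `pair` and `hsh`, the restriction to symmetric encryption, and the sample messages in `run_scenario` are assumptions constructed for the illustration.

```python
from itertools import product

# Term representation (assumption for this illustration): atoms such as
# principal names, nonces and keys are plain strings; compound terms are
# tuples built by the three constructors below.
def enc(m, k):
    """Encryption of m under key k; only symmetric keys are modelled."""
    return ('enc', m, k)

def pair(a, b):
    """Concatenation a || b."""
    return ('pair', a, b)

def hsh(m):
    """One-way function application f(m), e.g. a hash."""
    return ('hash', m)

def derivable(K, t):
    """Attacker reasoning, first problem: can t be synthesized from K?"""
    if t in K:
        return True
    if isinstance(t, str):            # an unknown atom cannot be guessed
        return False
    tag = t[0]
    if tag in ('pair', 'enc'):        # need both halves / payload and key
        return derivable(K, t[1]) and derivable(K, t[2])
    if tag == 'hash':
        return derivable(K, t[1])
    raise ValueError(f'unknown term {t!r}')

def add_term_atk(K, m):
    """addTermAtK(m): add an intercepted term m to the knowledge set K and
    decompose to a fixpoint, keeping only undecomposable items (atoms,
    ciphertexts whose key is unknown, hash values)."""
    K = set(K) | {m}
    changed = True
    while changed:
        changed = False
        for t in list(K):
            if isinstance(t, str):
                continue
            if t[0] == 'pair':
                K.discard(t); K.update((t[1], t[2])); changed = True
            elif t[0] == 'enc' and derivable(K, t[2]):
                K.discard(t); K.add(t[1]); changed = True
    return frozenset(K)

def demand_space(K, t):
    """Attacker reasoning, second problem: the solution space S of demand
    sets core(t). Each returned frozenset, added to K, makes t derivable
    (condition 1), no proper subset of it does (condition 2), and none of its
    elements is already derivable from K (condition 3). An empty demand
    means t is already derivable."""
    if derivable(K, t):
        return [frozenset()]
    if isinstance(t, str):
        return [frozenset({t})]
    tag = t[0]
    if tag == 'pair':
        cands = [a | b for a, b in product(demand_space(K, t[1]), demand_space(K, t[2]))]
    elif tag == 'enc':
        # either obtain the ciphertext itself (e.g. lure a legal principal into
        # producing it) or obtain what is needed to build it from scratch
        cands = [frozenset({t})] + [a | b for a, b in product(demand_space(K, t[1]), demand_space(K, t[2]))]
    elif tag == 'hash':
        cands = [frozenset({t})] + demand_space(K, t[1])
    else:
        raise ValueError(f'unknown term {t!r}')
    cands = list(dict.fromkeys(cands))   # drop duplicates, keep order
    return [c for c in cands if not any(o < c for o in cands)]

def secrecy_violation(K, secrets):
    """Step 3 secrecy check: the confidential parameters in `secrets` that the
    attacker's knowledge K lets it derive. A non-empty result marks the state
    as a secrecy-abnormal state."""
    return frozenset(s for s in secrets if derivable(K, s))

def run_scenario():
    """Constructed sample run (not a real protocol): attacker I knows the
    principal names, its own key Ki and a nonce Na it chose, then intercepts
    two messages; the leak of Kab under Ki is deliberately planted."""
    K = frozenset({'A', 'B', 'I', 'Ki', 'Na'})
    K = add_term_atk(K, enc(pair('Na', 'B'), 'Kab'))   # opaque: Kab unknown
    after_first = (K, demand_space(K, enc('Na', 'Kab')))
    K = add_term_atk(K, enc('Kab', 'Ki'))               # Kab now recoverable
    return after_first, K, secrecy_violation(K, {'Kab', 'Nb'})

if __name__ == '__main__':
    (K1, S), K2, leaked = run_scenario()
    print('after message 1:', sorted(map(str, K1)))
    print('demand space for {Na}Kab:', S)
    print('after message 2:', sorted(map(str, K2)))
    print('secrecy violated for:', set(leaked))
```

After the first intercepted message the demand space for the target {Na}Kab has two minimal solutions, the ciphertext itself or the key Kab, which is exactly the two-way choice of claim 3 (generate it, or lure a legal principal into generating it). After the second message the key leaks, the earlier ciphertext is decomposed, and the secrecy check flags Kab.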

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611041828.7A CN106411940B (en) 2016-11-12 2016-11-12 Security protocol verification method centered on attacker

Publications (2)

Publication Number Publication Date
CN106411940A true CN106411940A (en) 2017-02-15
CN106411940B CN106411940B (en) 2019-07-12

Family

ID=58082420

Country Status (1)

Country Link
CN (1) CN106411940B (en)

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101977180A (en) * 2010-06-08 2011-02-16 南京大学 Security protocol authentication method based on flaw attack

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Xiong Yongqiang et al.: "Research and implementation of a security protocol verification algorithm based on the attacker and secrets", Journal of Chinese Computer Systems (小型微型计算机系统) *
Huang Liansheng et al.: "A protocol verification method based on attacker 'role impersonation'", Journal of Tsinghua University (Science and Technology) (清华大学学报(自然科学版)) *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108900545A (en) * 2018-08-14 2018-11-27 广西民族大学 A kind of Formal Modeling and verification method for security protocol
CN112511554A (en) * 2020-12-15 2021-03-16 中国电子科技集团公司第三十研究所 Symbolic modeling system of network security protocol
CN112511554B (en) * 2020-12-15 2021-12-17 中国电子科技集团公司第三十研究所 Symbolic modeling system of network security protocol

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20190712

Termination date: 20201112