JP5368903B2 - Verification device, verification method, and verification program for verifying protocol safety - Google Patents

Description

  The present invention relates to a verification device, a verification method, and a verification program for verifying the security of an authentication or key exchange protocol having security functions such as authentication and key sharing.

  Conventionally, an empirically secure authentication or key exchange protocol has been proposed based on the insight of security and cryptographic techniques possessed by a protocol designer. However, security vulnerabilities have been pointed out after the proposed authentication or key exchange protocol specifications have been published. If vulnerabilities are discovered after the standardized authentication or key exchange protocol is widely spread through products, the cost associated with the modification of the products becomes a major problem.

  In particular, when a fatal vulnerability is discovered, it is necessary to take immediate measures such as applying software patches and replacing hardware chips and components in order to avoid economic damage. Therefore, as the proposed authentication or key exchange protocol and related products become more widespread, the social impact becomes very large, and in some cases, the entire system may fail.

  Therefore, an apparatus, a method, and a program for verifying the security of an authentication or key exchange protocol using a concept called “generally connectable security” have been proposed (for example, Patent Document 1 and Patent Document 2). reference). Here, “generic combinable security” means that an authentication or key exchange protocol is secure if an authentication or key exchange protocol safely realizes an ideal function related to the security function. ing. For example, if a key exchange protocol securely implements the key exchange ideal function, this key exchange protocol has been shown to be secure.

JP 2007-28447 A JP 2008-35117 A

  The above-mentioned “general-linkable safety” is said to be the strongest safety at present, and the ideal function covers all the safety required for the security function. Therefore, when a certain authentication or key exchange protocol securely realizes its ideal function, this authentication or key exchange protocol satisfies all the security required for the security function.

  However, because the security and efficiency of the protocol are in a trade-off relationship, the efficiency decreases as the security of the authentication or key exchange protocol increases. Therefore, when importance is attached to the efficiency of the authentication or key exchange protocol, the security may be lowered to an allowable limit. However, although the above prior art can verify the strict security of the authentication or key exchange protocol, it cannot perform the verification according to the level of security.

  Therefore, an object of the present invention is to provide a verification device, a verification method, and a verification program that can verify an authentication or key exchange protocol according to a level of security.

  The present invention provides the following solutions.

(1) A verification device for verifying the security of an authentication or key exchange protocol,
Security against key leakage spoofing attacks and security against undetectable online dictionary attacks in the authentication protocol that conforms to a predetermined framework set for the role of cryptographic primitives used in the protocol Verification items to satisfy the requirements of the above, security against unknown key sharing attack in the key exchange protocol, strong forward secrecy, weak backward secrecy and undetectable online dictionary A verification unit for satisfying the respective requirements for security against attacks, and a storage unit for storing at least a part thereof,
A type setting unit for setting the type of cryptographic primitive used in the protocol;
A role setting unit for setting the role of the cryptographic primitive whose type is set by the type setting unit;
An element setting unit for setting an element indicating the type and state of the data value in the protocol, or the type and state of the function value of the cryptographic primitive;
A safety selection unit that selects the safety to be verified upon request;
The verification items related to each of the safety selected by the security selection unit are extracted from the storage unit, and the verification items are satisfied based on the type and role of the cryptographic primitive and the elements set by the element setting unit. A verification item determination unit for determining whether or not,
A verification apparatus comprising: a safety determination unit that determines that the protocol is safe when the verification item determination unit determines that all the selected verification items related to safety are satisfied.

(2) The framework is expressed as g (f (A, B), C),
The role of the function g is as follows: a first cryptographic primitive to be authenticated in the authentication protocol, a second cryptographic primitive to be a key generation target in the key exchange protocol, a third cryptographic primitive appearing on the flow, or Any of the first to third cryptographic primitives and a fifth cryptographic primitive that is not any of the fourth cryptographic primitives included in the arguments of the first to third cryptographic primitives;
The role of the function f is the fourth cryptographic primitive when the role of the function g is any of the first to third cryptographic primitives, and the role of the function g is the fifth cryptographic primitive. If any, any of the first to third cryptographic primitives;
The verification apparatus according to (1), wherein the arguments A, B, and C are function values or data values of cryptographic primitives.

(3) The types of the first to fourth cryptographic primitives set in the framework function include common key cryptography, encryption using a password, public key cryptography, Diffie-Hellman family, digital signature, hash function Or a message authentication code,
The argument of the function is an element value indicating a combination of general data, ID data, temporary data, long-term key, password, function fixed value or function temporary value, and a public state or a secret state ( The verification apparatus as described in 2).

  (4) The verification item in the authentication or key exchange protocol is a combination of the types of the function g and the function f and the element values set in the argument A, the argument B, and the argument C, respectively. The verification device according to (3).

(5) A verification method in which a computer verifies the security of an authentication or key exchange protocol,
The computer is secure against key leakage spoofing attacks in the authentication protocol and undetectable online dictionary attacks that conform to a predetermined framework set for the role of cryptographic primitives used in the protocol. Verification items for satisfying the respective requirements of security, security against unknown key sharing attacks in the key exchange protocol, strong forward secrecy, weak backward secrecy, and non-detection A storage unit for storing at least a part of verification items for satisfying respective requirements for security against possible online dictionary attacks,
A type setting step for setting the type of cryptographic primitive used in the protocol;
A role setting step for setting the role of the cryptographic primitive whose type is set by the type setting step;
An element setting step for setting an element indicating the type and state of the data value in the protocol or the type and state of the function value of the cryptographic primitive;
A safety selection step for selecting the safety to be verified upon request;
The verification items related to each of the security selected in the security selection step are extracted from the storage unit, and the verification items are satisfied based on the type and role of the cryptographic primitive and the elements set in the element setting step. A verification item determination step for determining whether or not,
A verification method comprising: a safety determination step that determines that the protocol is safe when it is determined in the verification item determination step that all the selected safety verification items are satisfied.

(6) A verification program that allows a computer to verify the security of an authentication or key exchange protocol,
The computer is secure against key leakage spoofing attacks in the authentication protocol and undetectable online dictionary attacks that conform to a predetermined framework set for the role of cryptographic primitives used in the protocol. Verification items for satisfying the respective requirements of security, security against unknown key sharing attacks in the key exchange protocol, strong forward secrecy, weak backward secrecy, and non-detection A storage unit for storing at least a part of verification items for satisfying respective requirements for security against possible online dictionary attacks,
A type setting step for setting the type of cryptographic primitive used in the protocol;
A role setting step for setting the role of the cryptographic primitive whose type is set by the type setting step;
An element setting step for setting an element indicating the type and state of the data value in the protocol or the type and state of the function value of the cryptographic primitive;
A safety selection step for selecting the safety to be verified upon request;
The verification items related to each of the security selected in the security selection step are extracted from the storage unit, and the verification items are satisfied based on the type and role of the cryptographic primitive and the elements set in the element setting step. A verification item determination step for determining whether or not,
A verification program for executing a safety determination step for determining that the protocol is safe when it is determined in the verification item determination step that all the selected safety verification items are satisfied.

  According to the present invention, the authentication or key exchange protocol can be verified according to the level of security.

It is the figure which showed the data relevant to each attack which concerns on embodiment of this invention, and the combination of the function in framework. It is a figure which shows the verification item of MC-RKCI which concerns on embodiment of this invention. It is a figure which shows the verification item of SS-RUKS which concerns on embodiment of this invention. It is a figure which shows the verification item of SS-SFS which concerns on embodiment of this invention. It is a figure which shows the verification item of SS-WBS which concerns on embodiment of this invention. It is a figure which shows the verification item of RUODA which concerns on embodiment of this invention. It is a figure which shows the structure of the verification apparatus which concerns on embodiment of this invention. It is a flowchart which shows the flow of the verification method which concerns on embodiment of this invention.

  Hereinafter, an example of an embodiment of the present invention will be described.

<Security model>
First, a security model related to the security level of an authentication or key exchange protocol is shown. In the present embodiment, a concept called “provable security” that proves the security of an authentication or key exchange protocol based on the computational complexity theory is used. “The authentication or key exchange protocol has provable security” means that the security of the authentication or key exchange protocol can be proved theoretically that the security of a certain cryptographic primitive results in security. Is shown. That is, an attacker who can break a certain authentication or key exchange protocol can prove that if this cryptographic primitive is not breached by proving that it can construct a machine that breaks a certain cryptographic primitive in polynomial time, Prove that the key exchange protocol is not broken.

  In the provable security described above, there is a security concept of matching conversion in the authentication protocol and semantic security in the key exchange protocol. For each concept, the following security requirements exist for authentication or key exchange protocols: The parentheses are abbreviations indicating safety.

・ Matching conversion (MC)
This security indicates that in the authentication protocol, the attacker can do nothing but send the message received from one party as it is to the other party. That is, it indicates that the attacker cannot perform fraud such as tampering with a message, sending a new message, blocking a message, and changing the order of messages.

(A) Security against key leakage spoofing attacks (MC-RKCI)
Even if an attacker can obtain a long-term key of a party such as a common key of a common key cipher, a password, a secret key of a public key cipher, etc., it indicates that it cannot impersonate a party other than that party.

・ Semantic security (SS)
This security indicates that in a key exchange protocol, an attacker cannot obtain any information about the session key. That is, the attacker cannot distinguish the session key and the random number in polynomial time.

(B) Security against unknown key sharing attack (SS-RUKS)
Indicates that a session key cannot be shared with a party that is considered correct by a party.

(C) strong forward secrecy (SS-SFS)
Even if an attacker can obtain the party's long-term key and internal state, such as a common key for common key cryptography, a secret key for public key cryptography, and a public key cryptography, it cannot obtain a session key shared before that Indicates.

(D) weak backup secrecy (SS-WBS)
Even if an attacker can obtain the internal state of the party, it indicates that he cannot obtain a session key shared after that session.

Common security requirements This security is a common security requirement for authentication and key exchange protocols.

(E) Security against undetectable online dictionary attacks (RUODA)
Indicates that an attacker can inquire about a password for a party that has registered a password.

  However, in the case of an authentication or key exchange protocol that does not use a long-term key, the security of (a) MC-RKCI and (c) SS-SFS is not required. In particular, in the case of an authentication or key exchange protocol that does not use a password, (e) RUODA security is not required.

Here, the types of cryptographic primitives used in the authentication or key exchange protocol are functions having the following purposes. Note that the parenthesized symbols are abbreviations that indicate the types of encryption primitives.
・ Common Key Cryptography (SKE): Function for encryption using pre-shared key ・ Encryption using password (EPW): Function for encryption using pre-shared password ・ Public Key Cryptography (PKE): Public Functions for encryption using keys-Diffie-Hellman family (DH): Functions for key exchange using Diffie-Hellman method-Digital signature (SIG): Function for generating signature using signature key Hash function (HF): a function for generating a digest without using a pre-shared key Message authentication code (MAC): a function for generating a digest using a pre-shared key

  These types are classified according to the purpose of the cryptographic primitive function. For example, a hash function that generates a digest using a pre-shared key is classified as MAC because it serves the purpose of a message authentication code.

The roles set for the types of cryptographic primitives are as follows. The parentheses are abbreviations indicating the roles.
-Cryptographic primitives (PAGs) subject to authentication in authentication protocols
-Cryptographic primitives (PKG) that are key generation targets in the key exchange protocol
-Cryptographic primitives (PAF) that appear on the flow
-Cryptographic primitives (PAO) included in PAG, PKG or PAF arguments
-Cryptographic primitives (PNA) that are not PAG, PKG, PAF, or PAO

  The framework used for these roles is g (f (A, B), C). Here, functions f and g represent one of the above-mentioned roles (PAG, PKG, PAF, PAO, PNA), and arguments A, B, and C represent function values or data values of cryptographic primitives. Note that arguments (A, B, or C) that are not relevant to verification are ignored.

  In this framework, the combination of functions f and g is such that g is PNA and f is any of PAG, PKG, PAF, or g is any of PAG, PKG, PAF, and Either f is a PAO. Note that g being PNA is synonymous with the absence of the function g and the argument C. That is, the framework may be f (A, B).

FIG. 1 is a diagram showing data related to each attack according to the present embodiment and combinations of functions in the framework.
For example, in the case of MC-RKCI, the functions g and f of the framework are a combination of PNA and PAG, or a combination of PAG and PAO. Further, in the case of security of the semantic security (SS), the framework functions g and f are PNA and PKG or a combination of PKG and PAO. As data related to each attack according to the present embodiment, in addition to all flows, SS-SFS targets long-term keys and internal states, and SS-WBS also targets internal states. In the case of RUODA, all flows are targeted, and framework functions g and f are PNA and PAF, or a combination of PAF and PAO.

Here, elements set in the function value or data value of the cryptographic primitive that is the argument A, B, or C of the framework, that is, the type and state are as follows. The parentheses are abbreviations indicating the type or state.
Data value type
・ General data (GD)
・ ID data (ID)
・ Temporary data (TD)
・ Long-term key (LLK)
・ Password (PW)
[Type of function value]
・ Fixed value (FV)
・ Temporary value (TV)
[Data value or function value status]
・ Public status (PS)
・ Secret state (SS)

<Verification items>
Next, verification items for the security of the authentication or key exchange protocol will be described. In the present embodiment, the authentication or key exchange protocol at two parties (between two users, between a server and a client, etc.) is targeted, and the following three points are assumed.

・ If a long-term key such as a secret key or password is used in an authentication or key exchange protocol, the parties to be shared must share the same long-term key in some secure procedure in advance and are vulnerable to that procedure. Suppose there is no sex.
・ If a public key is used in the authentication or key exchange protocol, each party can confirm the validity of the public key certificate with a third party such as a certificate authority. Is not vulnerable.
• Cryptographic primitives are not compromised. If a compromised cryptographic primitive is used in the authentication or key exchange protocol, the verification apparatus 1 determines that this protocol is not secure.

  2 to 6 show verification items for verifying the security of the authentication or key exchange protocol according to the level, that is, the type of security.

  When a plurality of symbols are written in the table frame, it indicates that any one of them may be used. Further, “---” in the figure indicates that there is no function or argument related to verification. The arguments A and B may be interchanged.

  The verification item of MC-RKCI is that the combination of the functions f and g and the arguments A, B, and C in the above-described framework matches one of the combinations shown in FIG.

  The verification item of SS-RUKS is that the combination of the functions f and g and the arguments A, B, and C in the above-described framework matches any of the combinations shown in FIG.

  The verification item of SS-SFS is that the combination of the functions f and g and the arguments A, B, and C in the framework described above matches any of the combinations shown in FIG.

  The verification item of the SS-WBS is that the combination of the functions f and g and the arguments A, B, and C in the framework described above matches any of the combinations shown in FIG.

  The verification item of RUODA is that the combination of the functions f and g and the arguments A, B, and C in the above-described framework matches one of the combinations shown in FIG.

<Configuration of verification device>
FIG. 7 is a diagram illustrating a configuration of the verification apparatus 1 that verifies the security of the authentication or key exchange protocol according to the present embodiment.
The verification device 1 includes a control unit 10, a storage unit 20, an input unit 30, and a display unit 40.

  The control unit 10 is a part that controls the entire verification apparatus 1, and appropriately reads and executes various programs stored in the storage unit 20, thereby cooperating with the above-described hardware and various functions according to the present invention. Is realized. The control unit 10 may be a CPU (Central Processing Unit).

  The storage unit 20 stores various programs for causing the hardware group to function as the verification device 1, programs for causing the control unit 10 to execute the functions of the present invention, a database, and the like. Specifically, the storage unit 20 stores the types and roles of the above-described cryptographic primitives, the types and states of the function values or data values of the cryptographic primitives, and further, each of the above-described security and its verification items. Yes. In addition, the verification item memorize | stored in the memory | storage part 20 may be all or one part of the above-mentioned safety | security. The storage unit 20 may be configured by any one of various storage devices such as a hard disk, an optical disk drive, or a semiconductor memory.

  The input unit 30 is an interface device that receives an instruction input from a user (an administrator of the verification device 1) to the verification device 1. The input unit 30 is configured by, for example, a keyboard and a mouse.

  The display unit 40 displays a screen for accepting data input to the user (administrator of the verification device 1) or displays a screen of a processing result by the verification device 1. The display unit 40 may be a display device such as a cathode ray tube display device (CRT) or a liquid crystal display device (LCD).

  The computer referred to in the present invention is an information processing apparatus including a control device, a storage device, and the like. The verification apparatus 1 is an information processing apparatus including a control unit 10, a storage unit 20, and the like.

  The control unit 10 also includes a protocol reception unit 101, a cryptographic primitive and data enumeration unit 102, a type setting unit 103, a role setting unit 104, an element setting unit 105, a safety selection unit 106, and a verification item determination. Unit 107 and safety determination unit 108.

  Based on the instruction input from the input unit 30, the protocol receiving unit 101 receives input of specification data of an authentication or key exchange protocol that is a security verification target.

  The cryptographic primitive and data enumeration unit 102 enumerates all the cryptographic primitives and data used in this protocol from the protocol specification data received by the protocol receiving unit 101.

  The type setting unit 103 selects and sets the target type of the cryptographic primitives enumerated by the cryptographic primitive and data enumeration unit 102 from the above SKE, EPW, PKE, DH, SIG, HF, and MAC.

  The role setting unit 104 selects and sets the role of the cryptographic primitive whose type is selected by the type setting unit 103 from among the above-described PAG, PKG, PAF, PAO, and PNA.

  The element setting unit 105 selects the encryption primitive and data values enumerated by the encryption primitive and data enumeration unit 102 from the above-mentioned GD, ID, TD, LLK, PW, FV, and TV according to the protocol specifications. Select and set the state by selecting from the above-mentioned PS and SS.

  Here, the type and state of the function value and data value of these cryptographic primitives are set in the order of the protocol flow. The state is updated according to the previous flow in the session. Also, in the public state (PS) and the secret state (SS), the public state (PS) is given priority.

  The safety selection unit 106 selects the safety requested for the verification target protocol received by the protocol reception unit 101. Specifically, it is selected from the above-mentioned (a) MC-RKCI, (b) SS-RUKS, (c) SS-SFS, (d) SS-WBS, and (e) RUODA via the input unit 30. Accept input. Note that there may be a plurality of selected safety, and it is preferable to select the minimum safety required for operating the protocol.

  For example, in the case of MC-RKCI, in the case of MC-RKCI, if one long-term key is not obtained in addition to the entire flow, it is not attacked. Therefore, safety should be selected in preference to RUODA. Further, in the key exchange protocol, SS-WBS and SS-SFS are not attacked unless more data is obtained than RUODA and SS-RUKS. Therefore, safety should be selected by giving priority to SS-WBS over SS-SFS and SS-RUKS and RUODA over SS-WBS.

  The verification item determination unit 107 uses the information set by the type setting unit 103, the role setting unit 104, and the element setting unit 105 to store the above-described verification items for each safety selected by the safety selection unit 106. 20 is read and verified.

  Further, the verification item determination unit 107 sets security parameters (for example, key size) required in the protocol. The function value or data value size of the corresponding cryptographic primitive is checked to see if it satisfies the set security parameter. If there is at least one size that is not satisfied, the security judgment unit 108 makes the protocol safe. It is determined that it is not.

  The safety determination unit 108 determines that the protocol is safe when the verification item determination unit 107 determines that the verification items are satisfied for all the safety selected by the safety selection unit 106. . On the other hand, if there is at least one safety that does not satisfy the verification item, the safety determination unit 108 determines that the protocol is not safe.

<Processing flow>
FIG. 8 is a flowchart showing the flow of the verification method executed by the control unit 10 of the verification apparatus 1 according to this embodiment.

  In step S1, the control unit 10 lists all the cryptographic primitives and data used in the accepted authentication or key exchange protocol.

  In step S2 (type setting step), the control unit 10 determines and sets the target types of the cryptographic primitives listed in step S1 by comparing with the information stored in the storage unit 20.

  In step S3 (role setting step), the control unit 10 determines and sets the role of the cryptographic primitive whose type is set in step S2 by comparing with the information stored in the storage unit 20.

  In step S4 (element setting step), the control unit 10 compares the cryptographic primitives and data values listed in step S1 with the information stored in the storage unit 20 according to the protocol specifications, thereby determining the type and state. Is determined and set.

  In step S5 (security selection step), the control unit 10 selects the security requested for the accepted authentication or key exchange protocol from the predetermined types stored in the storage unit 20. .

  In step S6 (verification item determination step), the control unit 10 uses the information set in step S2, step S3, and step S4 to store verification items for each safety selected in step S5 from the storage unit 20. Verify reading. And the control part 10 determines whether the verification item is satisfied regarding all the safety | security selected by step S5. If this determination is YES, the process proceeds to step S7, and if the determination is NO, the process proceeds to step S8.

  In step S7 (security determination step), the control unit 10 determines that this protocol is safe because the authentication or key exchange protocol to be verified satisfies all of the required security.

  In step S8 (safety determination step), the control unit 10 determines that this protocol is not safe because the verification target protocol does not satisfy one of the required safety levels.

  This process can also be performed by software. When a series of processing is performed by software, a program constituting the software is installed in the computer. The program may be recorded on a removable medium such as a CD-ROM and distributed to the user, or may be distributed by being downloaded to the user's computer via a network.

  As described above, according to the present embodiment, it is possible to select the required security for the authentication or key exchange protocol and verify the security. That is, according to this embodiment, the authentication or key exchange protocol can be verified according to the level of security.

  As mentioned above, although embodiment of this invention was described, this invention is not restricted to embodiment mentioned above. The effects described in the embodiments of the present invention are only the most preferable effects resulting from the present invention, and the effects of the present invention are limited to those described in the embodiments of the present invention. is not.

DESCRIPTION OF SYMBOLS 1 Verification apparatus 10 Control part 20 Storage part 30 Input part 40 Display part 101 Protocol reception part 102 Cryptographic primitive and data enumeration part 103 Type setting part 104 Role setting part 105 Element setting part 106 Safety selection part 107 Verification item determination part 108 Safety Sex determination unit

Claims (6)

A verification device for verifying the security of an authentication or key exchange protocol,
Security against key leakage spoofing attacks and security against undetectable online dictionary attacks in the authentication protocol that conforms to a predetermined framework set for the role of cryptographic primitives used in the protocol Verification items to satisfy the requirements of the above, security against unknown key sharing attack in the key exchange protocol, strong forward secrecy, weak backward secrecy and undetectable online dictionary A verification unit for satisfying the respective requirements for security against attacks, and a storage unit for storing at least a part thereof,
A type setting unit for setting the type of cryptographic primitive used in the protocol;
A role setting unit for setting the role of the cryptographic primitive whose type is set by the type setting unit;
An element setting unit for setting an element indicating the type and state of the data value in the protocol, or the type and state of the function value of the cryptographic primitive;
A safety selection unit that selects the safety to be verified upon request;
The verification items related to each of the safety selected by the security selection unit are extracted from the storage unit, and the verification items are satisfied based on the type and role of the cryptographic primitive and the elements set by the element setting unit. A verification item determination unit for determining whether or not,
A verification apparatus comprising: a safety determination unit that determines that the protocol is safe when the verification item determination unit determines that all the selected verification items related to safety are satisfied. The framework is expressed as g (f (A, B), C),
The role of the function g is as follows: a first cryptographic primitive to be authenticated in the authentication protocol, a second cryptographic primitive to be a key generation target in the key exchange protocol, a third cryptographic primitive appearing on the flow, or Any of the first to third cryptographic primitives and a fifth cryptographic primitive that is not any of the fourth cryptographic primitives included in the arguments of the first to third cryptographic primitives;
The role of the function f is the fourth cryptographic primitive when the role of the function g is any of the first to third cryptographic primitives, and the role of the function g is the fifth cryptographic primitive. If any, any of the first to third cryptographic primitives;
The verification apparatus according to claim 1, wherein the arguments A, B, and C are function values or data values of cryptographic primitives. The types of the first to fourth cryptographic primitives set in the function of the framework include common key cryptography, password encryption, public key cryptography, Diffie-Hellman family, digital signature, hash function, or message authentication. One of the codes,
The argument of the function is an element value indicating a combination of general data, ID data, temporary data, long-term key, password, function fixed value or function temporary value, and a public state or a secret state. Item 3. The verification device according to Item 2.   The verification item in the authentication or key exchange protocol is a combination of the types of the function g and the function f and the element values set in the argument A, the argument B, and the argument C, respectively. 3. The verification device according to 3. A verification method in which a computer verifies the security of an authentication or key exchange protocol,
The computer is secure against key leakage spoofing attacks in the authentication protocol and undetectable online dictionary attacks that conform to a predetermined framework set for the role of cryptographic primitives used in the protocol. Verification items for satisfying the respective requirements of security, security against unknown key sharing attacks in the key exchange protocol, strong forward secrecy, weak backward secrecy, and non-detection A storage unit for storing at least a part of verification items for satisfying respective requirements for security against possible online dictionary attacks,
A type setting step for setting the type of cryptographic primitive used in the protocol;
A role setting step for setting the role of the cryptographic primitive whose type is set by the type setting step;
An element setting step for setting an element indicating the type and state of the data value in the protocol or the type and state of the function value of the cryptographic primitive;
A safety selection step for selecting the safety to be verified upon request;
The verification items related to each of the security selected in the security selection step are extracted from the storage unit, and the verification items are satisfied based on the type and role of the cryptographic primitive and the elements set in the element setting step. A verification item determination step for determining whether or not,
The computer executes a safety determination step for determining that the protocol is safe when it is determined in the verification item determination step that all the selected safety verification items are satisfied. Method of verification. A verification program for causing a computer to verify the security of an authentication or key exchange protocol,
The computer is secure against key leakage spoofing attacks in the authentication protocol and undetectable online dictionary attacks that conform to a predetermined framework set for the role of cryptographic primitives used in the protocol. Verification items for satisfying the respective requirements of security, security against unknown key sharing attacks in the key exchange protocol, strong forward secrecy, weak backward secrecy, and non-detection A storage unit for storing at least a part of verification items for satisfying the respective requirements for security against possible online dictionary attacks,
A type setting step for setting the type of cryptographic primitive used in the protocol;
A role setting step for setting the role of the cryptographic primitive whose type is set by the type setting step;
An element setting step for setting an element indicating the type and state of the data value in the protocol or the type and state of the function value of the cryptographic primitive;
A safety selection step for selecting the safety to be verified upon request;
The verification items related to each of the security selected in the security selection step are extracted from the storage unit, and the verification items are satisfied based on the type and role of the cryptographic primitive and the elements set in the element setting step. A verification item determination step for determining whether or not,
In order to cause a computer to execute a safety determination step of determining that the protocol is safe when it is determined in the verification item determination step that all the selected safety verification items are satisfied. of the verification program.

Images