Answered step by step
Verified Expert Solution
Question
1 Approved Answer
ProVerif Based Task. Here is the pv file: type FINMarker. type ID . type Nonce. type Key. table ltks ( ID , Key ) .
ProVerif Based Task. Here is the pv file:
type FINMarker.
type ID
type Nonce.
type Key.
table ltksID Key
free psk:Key private
free ch:channel.
free aMessage:bitstring private
fun KDFKey bitstring:Key.
fun MACKey bitstring:bitstring.
fun encKey bitstring:bitstring.
reduc forall k:Key, b:bitstring; deck enck b b
free FIN:FINMarker.
event evIRunningKey
event evRRunningKey
event evICompleteKey
event evRCompleteKey
event evReachI.
event evReachR.
client
let Idummyltk:Key, id:ID
let Iltk:Key, id:ID
new nI:Nonce;
outchid nI;
inchnR:Nonce, mac:bitstring;
if mac MACltknI nR id then
let k KDFltknI nR in
event evIRunningk;
outchMACltkFIN nR nI id;
event evICompletek;
Section : Addition of transmission of an encrypted and MACed message.
Three parts are needed: this sending, the receiving code in R
and the new properties attacker aMessage and that R received
the aMessage.
In all three places the relevant code is encapsulated in
BEGINEND comments.
BEGIN
Write your code here
END
event evReachI.
server
let R
new nR:Nonce;
inchid:ID nI:Nonce;
get ltksid ltkPeer:Key in
let k KDFltkPeernI nR in
event evRRunningk;
outchnR MACltkPeernI nR id;
inch mac:bitstring;
if mac MACltkPeerFIN nR nI id then
event evRCompletek;
Section : Addition of transmission of an encrypted and MACed
message.
BEGIN
Write your code here
END
event evReachR.
Sanity
query eventevReachI
query eventevReachR
Session key secrecy
query secret k
Key Authentication
The idea is that I and R shold agree on the output key from the KDF
query k:Key; eventevICompletek eventevRRunningk
query k:Key; eventevRCompletek eventevICompletek
Section : Addition of transmission of an encrypted and MACed message.
The "attacker query" is used to check secrecy of built up terms.
The "secret query" is used to check secrecy of bound names or variables.
BEGIN
Write your queries here
END
process
click on the verify button and examine the output in the textbox at the bottom. Pay special attention to the lines beginning with RESULT. These show whether the queries verified or not. Note the two queries eventevReachI and eventevReachR that evaluate to not false ietrue Find where in the model they are emitted.
Q: What can we conclude from that these two queries evaluate to true? Consult the manual to understand queries of this form if necessary
Go to the end of the model and look at the process definition. In the process definition, replace the subprocess I with Idummy. The result is that we use an Iprocess that does nothing. Press the verify button once more and examine output. The following will appear in the output:
RESULT eventevICompletekxy eventevRRunningkxy is true.
Q: Explain how this query can still evaluate to true even though the Idummyprocess does nothing. Use the ProVerif manual if needed. HINT: consider at which point the evICommplete event is emitted in traces from this updated model.
This shows the importance of always ensuring reaching the points in the model that are important for your properties. Now switch the process definition of the Iprocess back to I in the process at the bottom of the file. Recall that P means infinite replication of the process P The process is defined as:
new ltk:Key; new id:ID; insert ltksid ltk; Iltk idR
This runs two subprocess in parallel, separated by the pipeoperator The first process creates a key and a client identifier, inserts these into a longterm keystore and finally executes an infinite number of Iprocesses using this key. Because the just described process is replicated an infinite number of times, it models an infinite number of initiators executing an infinite number of Iprocesses each. The second process runs an infinite number of Rprocesses. Suppose the process was instead defined as follows:
new ltk:Key; new id:ID; insert ltksid ltk; Iltk idR
Q: What is the syntactical difference between the two definitions? If you were to model a protocol for MIT students logging in to Canvas and I models the student and R the server, which of the two process definitions would you use? Motivate your answer and consider limitations of the definitions.
Key Authentication
The model tries to capture key authentication by verifying that I and R both derive the same session key k This is reflected by the queries:
query k:Key; eventevICompletek eventevRRunningk
query k:Key; eventevRCompletekeventevICompletek
Q why does the nd query evaluate to false?Hint: it has to do with the fact that queries must hold for all traces and that events are scheduled in the trace like any other action, such as ex in out or get
Q correct the nd query using a more appropriate event and verify that it now evaluates to true. explain why your change works better
Step by Step Solution
There are 3 Steps involved in it
Step: 1
Get Instant Access to Expert-Tailored Solutions
See step-by-step solutions with expert insights and AI powered tools for academic success
Step: 2
Step: 3
Ace Your Homework with AI
Get the answers you need in no time with our AI-driven, step-by-step assistance
Get Started