Analyzing an Anonymous Fair Exchange E-commerce Protocol
CS 259
Adam Barth
(joint work with Andrew Tappert)
Protocol Overview

Protocol proposed in Ray and Ray 2001
• Protocol presented in pseudocode
Five roles
• Customer and customer’s bank
• Merchant and merchant’s bank
• Trusted third party
Anonymous fair exchange of money for a digital good
• Wanted to look at non-trace-based properties
• Employed MOCHA, an ATL model checker
Customer assured of obtaining correct product by cross validation (not modeled)
• Had enough to look at without this
Protocol Overview (no TP)

Preamble (on a private channel) M => TP: m K1 Mipub
Preamble (on a private channel) TP => C: [m, K1] Mipub
1) C => M: PO [CC(PO), Ciprv] [Cipub, Mipub]
2) M => C: [CC(PO), Miprv] [m.r, K1xK2] [CC([m.r, K1xK2]), Miprv] [r, K1] [CC([r, K1]), Miprv] [Macct, MBpub] [CC([Macct, MBpub]), Miprv]
3) C => CB: [[MTI, Cprv], CBpub]
4) CB => C: [[P, Bcprv], Cpub]
5) C => M: [[P, Bcprv], Mipub]
6) M => MB: [[P, Bcprv], MBpub]
7) MB => M: [ack, MBprv]
8) M => C: [K2inv, Cipub] [CC(K2inv), Miprv] [rinv, Cipub] [CC(rinv), Miprv]

[Diagram: message flow between C, M, CB and MB, steps numbered 1 to 8]
Formalizing Protocol Specification

Protocol has many messages
• Eight, not including the trusted party
Many terms in each message
• MOCHA bug limited total number of variables
• Too complex to keep track of every term directly
Modeled messages as Boolean variables
• Set to true when sent
Dishonest parties can forge messages
• Based on the messages in their possession
Design of Our MOCHA Model

Honest principals interact with network
• Dishonest principals folded into network
Network records messages seen by dishonest parties
Dishonest can forge messages with enough knowledge
• Each corrupt principal adds more initial knowledge

[Diagram: modules hc, n, hm, hcb, hmb]
Honest Customer Module (1)

    module hc -- honest customer
      -- vars for messages
      external o2, o2a, o4, o4a, o8, oB: bool
      interface i1, i3, i5, i5a, iA, cprod /* customer has received product */, dc: bool -- dc: customer dishonesty flag
      atom
        controls i1, i3, i5, i5a, iA, cprod, dc
        reads o2, o2a, o4, o4a, o8, oB, i1, i3, i5, i5a, iA, cprod, dc
        -- initially has no messages
        init
        [] true -> i1' := false; i3' := false; i5' := false; i5a' := false;
                   iA' := false; cprod' := false; dc' := false
Honest Customer Module (2)

        -- rules for updating state
        update
        [] ~i1 -> i1' := true
        [] i1 & o2 & ~o2a & ~i3 -> i3' := true
        [] i1 & o2 & ~o2a & i3 & o4 & ~o4a & ~i5 & ~i5a -> i5' := true
        [] i1 & o2 & ~o2a & i3 & ~o4 & o4a & ~i5 & ~i5a -> i5a' := true
        [] i1 & o2 & ~o2a & i3 & o4 & ~o4a & i5 & ~i5a & ~o8 & ~iA ->
        [] i1 & o2 & ~o2a & i3 & o4 & ~o4a & i5 & ~i5a & ~o8 & ~iA -> iA' := true
        -- gets product from message 8 or B (part of TP resolution)
        [] (o8 | oB) & ~cprod -> cprod' := true
      endatom
    endmodule
Network Module (1)

Able to record messages for dishonest roles

        -- m1 ... m8 are the knowledge vars
        [] i1 & (dm | dnet) & ~m1 -> m1' := true
        [] i2 & (dc | dnet) & ~m2 -> m2' := true
        [] i2a & (dc | dnet) & ~m2a -> m2a' := true
        [] i3 & (dcb | dnet) & ~m3 -> m3' := true
        [] i4 & (dc | dnet) & ~m4 -> m4' := true      -- dishonest client or network can record message 4
        [] i4a & (dc | dnet) & ~m4a -> m4a' := true
        [] i5 & (dm | dnet) & ~m5 -> m5' := true
        [] i5a & (dm | dnet) & ~m5a -> m5a' := true
        [] i6 & (dmb | dnet) & ~m6 -> m6' := true
        [] i7 & (dm | dnet) & ~m7 -> m7' := true
        [] i8 & (dc | dnet) & ~m8 -> m8' := true
Network Module (2)

Forge messages

        [] (dc | ii | mm) & ~m1 -> m1' := true
        [] m1 & dm & ~m2 -> m2' := true
        [] dm & ~m2a -> m2a' := true
        [] dc & ~m3 -> m3' := true                    -- dishonest client can forge message 3 at will
        [] (dcb | (dc & dmb)) & ~m4 -> m4' := true
        [] (dcb | dc) & ~m4a -> m4a' := true
        [] ((m4 & dc) | dcb | dmb) & ~m5 -> m5' := true
        [] (dc | ii | mm) & ~m5a -> m5a' := true
        [] ((m5 & dm) | dmb | (dm & dcb)) & ~m6 -> m6' := true
        [] dmb & ~m7 -> m7' := true
        [] m1 & dm & ~m8 -> m8' := true
        [] m1 & m2 & m5 & ~oA -> oA' := true; iitp' := true
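The record and forge rules on the two Network Module slides only ever set variables to true, so what the intruder can eventually hold for a given set of corrupt principals is a least fixpoint. The Python below is an added illustration, not the authors' MOCHA code: it transcribes the slides' guards, treats the flags ii and mm (not defined on these slides) as false, and the names `knowledge` and `sent` are hypothetical.

```python
from collections import defaultdict

# Record rules: honest message i_k is captured if this role (or dnet) is corrupt.
RECORD = {"1": "dm", "2": "dc", "2a": "dc", "3": "dcb", "4": "dc", "4a": "dc",
          "5": "dm", "5a": "dm", "6": "dmb", "7": "dm", "8": "dc"}

# Forge rules, guards copied from the Network Module (2) slide.
FORGE = [
    ("m1",  lambda k: k["dc"] or k["ii"] or k["mm"]),
    ("m2",  lambda k: k["m1"] and k["dm"]),
    ("m2a", lambda k: k["dm"]),
    ("m3",  lambda k: k["dc"]),
    ("m4",  lambda k: k["dcb"] or (k["dc"] and k["dmb"])),
    ("m4a", lambda k: k["dcb"] or k["dc"]),
    ("m5",  lambda k: (k["m4"] and k["dc"]) or k["dcb"] or k["dmb"]),
    ("m5a", lambda k: k["dc"] or k["ii"] or k["mm"]),
    ("m6",  lambda k: (k["m5"] and k["dm"]) or k["dmb"] or (k["dm"] and k["dcb"])),
    ("m7",  lambda k: k["dmb"]),
    ("m8",  lambda k: k["m1"] and k["dm"]),
    ("oA",  lambda k: k["m1"] and k["m2"] and k["m5"]),  # last rule on the slide
]

def knowledge(corrupt, sent=()):
    """Messages the intruder ends up with.

    corrupt: subset of {"dc", "dm", "dcb", "dmb", "dnet"}
    sent:    honest messages assumed to be on the wire, e.g. {"4"} for i4
    """
    k = defaultdict(bool, {role: True for role in corrupt})
    for msg in sent:                      # record rules
        if k[RECORD[msg]] or k["dnet"]:
            k["m" + msg] = True
    changed = True
    while changed:                        # forge rules, to fixpoint
        changed = False
        for name, guard in FORGE:
            if not k[name] and guard(k):
                k[name] = True
                changed = True
    return {name for name, _ in FORGE if k[name]}
```

With only `dc` corrupt the closure contains no `m5`; it appears once message 4 from the bank has been recorded.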
What Did We Do With the Model?

MOCHA allowed us to “run” model by hand
• Useful to debug the model
Tested some invariants (trace-based properties)
• Intruder can't get product unless he's acting as merchant or customer
– inv "inv1" (~nprod | dm | dc)
• Customer only gets prod when merchant is paid
– inv "inv2" (~cprod | mpay)
– inv "inv3" (cprod | ~mpay)
More Complex ATL Properties

Honest customer eventually gets product
• atl "atl1" (<< hc >> F (cprod))
When payment is sent, honest customer eventually gets the product
• atl "atl2" (~i5 | << hc >> F (cprod));
Exchange can be successfully completed by honest parties
• atl "atl3" (<< hc, hm, hcb >> F (cprod & mpay))
– cb needed to make payment token
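A formula of the form << A >> F p is decided by a least fixpoint over the coalition's controllable predecessor: a state is added once A has a move that lands in the winning set whatever the other players do. The added Python example below (not the authors' code) runs that computation on the honest-customer rules from the earlier slide with the abort branches dropped. The single environment player and its constraint that a reply can only follow its request are assumptions, so the verdicts describe this toy game, not the protocol.

```python
from itertools import combinations

# Reply -> request it answers (assumed causality; n, hm, hcb are not modeled).
ENV = {"o2": "i1", "o4": "i3", "o8": "i5", "oB": "iA"}
VARS = ("i1", "i3", "i5", "iA", "cprod") + tuple(ENV)

# hc update rules from the slide, abort branches (o2a, o4a, i5a) dropped:
# (must be true, must be false, variable set to true; "" means wait)
RULES = [
    ("", "i1", "i1"),
    ("i1 o2", "i3", "i3"),
    ("i1 o2 i3 o4", "i5", "i5"),
    ("i1 o2 i3 o4 i5", "o8 iA", ""),
    ("i1 o2 i3 o4 i5", "o8 iA", "iA"),
    ("o8", "cprod", "cprod"),
    ("oB", "cprod", "cprod"),
]

def subsets(items):
    items = list(items)
    return [frozenset(c) for r in range(len(items) + 1)
            for c in combinations(items, r)]

def hc_moves(s):
    acts = [act for need, forbid, act in RULES
            if set(need.split()) <= s and not set(forbid.split()) & s]
    return acts or [""]  # nothing enabled: stutter

def env_moves(s):
    # Environment may deliver any unsent reply whose request is already out.
    return subsets(o for o, req in ENV.items() if o not in s and req in s)

def step(s, act, sent):
    return s | sent | ({act} if act else frozenset())

def can_force(env_in_coalition):
    """States satisfying << coalition >> F cprod (states = sets of true vars)."""
    states = subsets(VARS)
    win = {s for s in states if "cprod" in s}
    quant = any if env_in_coalition else all   # env helps, or env opposes
    grew = True
    while grew:
        grew = False
        for s in states:
            if s not in win and any(
                    quant(step(s, a, e) in win for e in env_moves(s))
                    for a in hc_moves(s)):
                win.add(s)
                grew = True
    return win
```

`can_force(False)` plays hc against the environment and `can_force(True)` puts both in the coalition; the initial state `frozenset()` is only in the second set.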
Fairness

Dishonest merchant can't get paid without honest customer having a strategy to get product (DM model)
• atl "cfair" (~(<< n >> F (npay & ~(<< hc >> F (cprod)))))
– Dishonest parties folded into network
Dishonest customer can't get product without honest merchant having a strategy to get paid (DC model)
• atl "mfair" (~(<< n, hcb >> F (nprod & ~(<< hm >> F (mpay)))))
– Dishonest customer still needs help from honest bank
Balance

Dishonest customer can’t get to a point where
• (1) Customer can force receiving product
• (2) Merchant can’t force getting paid
• atl "cbal" (~(<< n, hcb >> F ((<< n >> F nprod) & ~(<< hm >> F mpay))))
Dishonest merchant can’t get to a point where
• (1) Merchant can force getting paid
• (2) Customer can’t force receiving product
• atl "mbal" (~(<< n >> F ((<< n >> F npay) & ~(<< hc, hcb >> F cprod))))
Four Attacks on the Protocol

Analysis reveals four attacks:
• Malicious banks can steal product
– Banks share a signing key (should use group sigs)
• Man-in-the-middle can steal product
– Ephemeral keys can be replaced (need another sig)
• Dishonest merchant can get paid without giving prod
– Customer and TP stuck in a loop (need TP state)
• Unbalanced in favor of customer
– Customer can force outcome with payment token
How the Attacks Were Found

All found by hand while constructing model
• Did not see them before building the model
MOCHA found trace-based attacks 1 and 2
MOCHA should have found attack 4
• Ran for 150 hours with no answer
Conclusions

Think carefully about your models!
• Process of creating formal model uncovers bugs
• Large impact on model checker’s efficiency
MOCHA limitations frustrating
• Usually used for simpler models?
Checking invariants successful
Checking ATL properties time consuming
• MOCHA didn’t answer in a reasonable time