Hello World in HLPSL. Turning ASCII protocol specifications into HLPSL
- Eleanore Payne
1 Hello World in HLPSL Turning ASCII protocol specifications into HLPSL
2 Modeling with HLPSL
- HLPSL is a higher-level protocol specification language
- we can transform ASCII protocol specifications into HLPSL programs
- HLPSL is a suitable language for modeling industrial protocols with control flow, exceptions, dynamic key chains, etc.
3 Objectives
- Understand or revise informal ASCII notation of security protocols
- Get acquainted with how such ASCII specifications can be written in HLPSL
- Appreciate standard coding patterns in HLPSL
- Learn how HLPSL programs can be analyzed
4 A protocol in ASCII
    1. A --> B: {Na}_K
    2. B --> A: {Nb}_K
    3. A --> B: {Nb}_K1, where K1=Hash(Na, Nb)
- Agent A wants to generate a fresh key K1 and share it with agent B
- "," is concatenation
- Na is a fresh nonce generated by A
- Nb is a fresh nonce generated by B
- Hash is a hash function that A and B share
5 What is a nonce?
    1. A --> B: {Na}_K
    2. B --> A: {Nb}_K
    3. A --> B: {Nb}_K1, where K1=Hash(Na, Nb)
- A nonce is a random piece of data (bit string)
- Its value should be (probabilistically) impossible to predict prior to its creation
- So each nonce, when seen in a protocol run, provides a causal link to when and where it was created
6 Intuition of protocol
    1. A --> B: {Na}_K
    2. B --> A: {Nb}_K
    3. A --> B: {Nb}_K1, where K1=Hash(Na, Nb)
- A sends B an encryption of Na (which only A knew initially), and only A and B know encryption key K
- B sends A an encryption of Nb (which only B knew initially)
- the fresh key is the hash of the concatenation of Na and Nb; both A and B can compute this fresh key K1
- Then A sends an acknowledgement receipt to B, an encryption of Nb with the fresh key
7 Implicit vs Explicit Notation
    1. A --> B: {Na}_K
    2. B --> A: {Nb}_K
    3. A --> B: {Nb}_K1, where K1=Hash(Na, Nb)
- explicit: who sends what to whom, e.g. A sends Na encrypted with key K to B
- implicit: A generates Na, B generates Nb, A and B share a session key K and hash function Hash, A and B can compute K1
- formal analysis needs to make this explicit
8 Agents, sessions, roles
- Agents take on particular roles in protocols
- E.g. initiator, responder, trusted authority
- Agents may have more than one role
- And protocols may run in multiple versions (called sessions here) in parallel
- Need ability to model instantiations of sessions and of their protocol roles
9 Role declarations in HLPSL
- Agents A, B, etc. from ASCII specs turn into named roles in HLPSL, e.g. alice for A
- In a session, alice may be instantiated with A, B, an attacker or any other agent
- Here is a code template for agent roles:
    role r(...) played_by Agt   % role r enacted by agent Agt
    def=
      local ...                 % declare local variables
      init ...                  % initialize variables if needed
      transition ...            % define legal behavior of role r
    end role
10 Role alice in HLPSL
- played_by A: lets A play alice in role body
- (...): declares typed input parameters
- local: declares local variables
- init: local variables may be initialized here
- transition: declares state transitions of role
    role alice(...) played_by A
    def=
      local ...
      init ...
      transition ...
    end role
11 Input header for alice
- agents A (for alice), B (for responder)
- symmetric key K
- hash function Hash
- communication channels SND and RCV, so alice has a send and a receive channel
    role alice( A,B     : agent,
                K       : symmetric_key,
                Hash    : hash_func,
                SND,RCV : channel(dy))
12 More on input headers
- note that input parameters are typed
- parameters may be shared across roles in headers, e.g. to express a shared key
- the (dy) for channels is redundant but needs to be stated; HLPSL anticipated different channel types but only has one
    role alice( A,B     : agent,
                K       : symmetric_key,
                Hash    : hash_func,
                SND,RCV : channel(dy))
13 Local variables for alice
    1. A --> B: {Na}_K
    2. B --> A: {Nb}_K
    3. A --> B: {Nb}_K1, where K1=Hash(Na, Nb)
- declare as local all variables that are generated or received, and are not in header:
    local State : nat,      % remembers local protocol state
          Na,Nb : text,     % the two nonces generated
          K1    : message   % the key to be generated
    % explain later different types for keys and nonces
14 Exercise
    1. A --> B: {Na}_K
    2. B --> A: {Nb}_K
    3. A --> B: {Nb}_K1, where K1=Hash(Na, Nb)
- speculate why code declares nonces to be of type text and not, say, of type nonce
- speculate why code declares key to be of type message and not, say, of type key
    Na,Nb : text,     % the two nonces generated
    K1    : message   % the key to be generated
15 Initialize variables for alice
    1. A --> B: {Na}_K
    2. B --> A: {Nb}_K
    3. A --> B: {Nb}_K1, where K1=Hash(Na, Nb)
- do not initialize variables that will get freshly generated values in the protocol run
- do not initialize variables from the header
- so here only initialize state to 0:
    init State := 0
16 Syntax for transitions
- technicality: transitions, even the first one, need a receiving event; use start as initial event
- syntactic form of transitions is precondition =|> postcondition
- variables may be primed (X') or unprimed (X), will elaborate on this further below
- use /\ to denote conjunction of conditions, := for assignment, new() for fresh generation of values for variables
17 First transition for alice
    1. A --> B: {Na}_K
    2. B --> A: {Nb}_K
    3. A --> B: {Nb}_K1, where K1=Hash(Na, Nb)
- if in state 0 and start received, state will be 2, generate fresh Na, send its encryption
- do not initialize variables from the header
- the 1. below is the name of the transition (has no computational significance)
    1. State = 0 /\ RCV(start) =|>
       State':= 2 /\ Na' := new() /\ SND({Na'}_K)
18 Primes in transition
    1. State = 0 /\ RCV(start) =|>
       State':= 2 /\ Na' := new() /\ SND({Na'}_K)
- no primes in first line, State is the current one, and start event behaves like a constant
- Na primed in post-condition as it is freshly generated there
- State is primed in post-condition as this defines its value in next state
- K is not primed anywhere, as it is the key shared through the input header
19 Second alice transition
    1. A --> B: {Na}_K
    2. B --> A: {Nb}_K
    3. A --> B: {Nb}_K1, where K1=Hash(Na, Nb)
- if in state 2 and a nonce encrypted with K is received, update state to 4, generate fresh key as hash of Na and Nb, and send receipt of Nb encrypted with fresh key
- will discuss witness specification later
    2. State = 2 /\ RCV({Nb'}_K) =|>
       State':= 4 /\ K1' := Hash(Na.Nb')
                  /\ SND({Nb'}_K1')
                  /\ witness(A,B,bob_alice_nb,Nb')
20 Primes in transition
- Nb is primed as it is received on RCV
- Na is not primed as it needs to have the same value as in state 0!
- K1 is primed as it is freshly generated (from the unprimed Na and the primed Nb)
- K1 and Nb are also primed when sent on SND
- A, B, K not primed: input parameters
    2. State = 2 /\ RCV({Nb'}_K) =|>
       State':= 4 /\ K1' := Hash(Na.Nb')
                  /\ SND({Nb'}_K1')
                  /\ witness(A,B,bob_alice_nb,Nb')
21 Complete alice role
    role alice( A,B     : agent,
                K       : symmetric_key,
                Hash    : hash_func,
                SND,RCV : channel(dy))
    played_by A def=              % use . below for concatenation
      local State : nat,
            Na,Nb : text,
            K1    : message
      init State := 0
      transition
        1. State = 0 /\ RCV(start) =|>
           State':= 2 /\ Na' := new() /\ SND({Na'}_K)
        2. State = 2 /\ RCV({Nb'}_K) =|>
           State':= 4 /\ K1' := Hash(Na.Nb')
                      /\ SND({Nb'}_K1')
                      /\ witness(A,B,bob_alice_nb,Nb')
    end role
22 Complete bob role
    role bob( A,B     : agent,
              K       : symmetric_key,
              Hash    : hash_func,
              SND,RCV : channel(dy))   % same input as for alice
    played_by B def=                   % but B plays responder role
      local State : nat,
            Nb,Na : text,
            K1    : message            % same as alice
      init State := 1                  % values local to role, but avoiding reuse
                                       % of 0 means attack traces easier to read
      transition
        1. State = 1 /\ RCV({Na'}_K) =|>
           State':= 3 /\ Nb' := new() /\ SND({Nb'}_K)
                      /\ K1':= Hash(Na'.Nb')
                      /\ secret(K1',k1,{A,B})
        2. State = 3 /\ RCV({Nb}_K1) =|>
           State':= 5 /\ request(B,A,bob_alice_nb,Nb)
    end role
23 First transition for bob
    1. A --> B: {Na}_K
    2. B --> A: {Nb}_K
    3. A --> B: {Nb}_K1, where K1=Hash(Na, Nb)
- if in state 1 and encrypted nonce received, state will be 3, generate fresh Nb, send its encryption, generate fresh key as hash of two nonces
- discuss later secret condition
    1. State = 1 /\ RCV({Na'}_K) =|>
       State':= 3 /\ Nb' := new() /\ SND({Nb'}_K)
                  /\ K1':= Hash(Na'.Nb')
                  /\ secret(K1',k1,{A,B})
24 Primes in transition
    1. State = 1 /\ RCV({Na'}_K) =|>
       State':= 3 /\ Nb' := new() /\ SND({Nb'}_K)
                  /\ K1':= Hash(Na'.Nb')
                  /\ secret(K1',k1,{A,B})
- Na primed as received on RCV
- Nb generated here so primed, also when sent
- fresh key K1 primed as generated here, also primed in secret specification
- k1 in secret is a constant name for this condition, constants are unprimed
25 Second bob transition
    1. A --> B: {Na}_K
    2. B --> A: {Nb}_K
    3. A --> B: {Nb}_K1, where K1=Hash(Na, Nb)
- if in state 3 and own (unprimed!) nonce encrypted with fresh key received, state will be 5 (successful run)
- discuss later request condition -- corresponds to witness in role alice
    2. State = 3 /\ RCV({Nb}_K1) =|>
       State':= 5 /\ request(B,A,bob_alice_nb,Nb)
26 Composition of roles
    1. A --> B: {Na}_K
    2. B --> A: {Nb}_K
    3. A --> B: {Nb}_K1, where K1=Hash(Na, Nb)
- Roles define behavior of protocol participants, here A and B and an attacker
- Sessions define how these roles interact in the protocol
- let's see next how this works for the protocol above
27 alice and bob in session
    role session( A,B  : agent,
                  K    : symmetric_key,
                  Hash : hash_func)      % input for entire session
    def=
      % four channels, two for each agent, local to session
      local SA, SB, RA, RB : channel (dy)
      % A, B, K, and Hash shared across roles
      % communication channels private to each role
      composition                        % /\ means parallel composition here
           alice(A,B,K,Hash,SA,RA)
        /\ bob  (A,B,K,Hash,SB,RB)
    end role
    1. A --> B: {Na}_K
    2. B --> A: {Nb}_K
    3. A --> B: {Nb}_K1, where K1=Hash(Na, Nb)
28 composition details
    1. A --> B: {Na}_K
    2. B --> A: {Nb}_K
    3. A --> B: {Nb}_K1, where K1=Hash(Na, Nb)
- A plays alice and B plays bob
- both roles agree on this, and make use of shared key K and hash function Hash
- each role has private send and receive channels
    composition
         alice(A,B,K,Hash,SA,RA)
      /\ bob  (A,B,K,Hash,SB,RB)
29 sessions in environment
- sessions define how agent parameters interact in a protocol
- a protocol instance may involve more than one session run in parallel
- and these sessions may be instantiated with real agents, key, etc.
- the environment role is used to specify this
30 environment role
    role environment()
    def=                                        % declares session scenario
      const bob_alice_nb, k1 : protocol_id,     % names for analyses
            kab,kai,kib      : symmetric_key,   % concrete keys
            a,b              : agent,           % concrete agents
            h                : hash_func        % concrete hash function
      % specify what the attacker (aka. intruder) knows initially
      intruder_knowledge = {a,b,h,kai,kib}
      % specify protocol scenario: how many sessions run in parallel
      % and in which instantiations
      composition
           session(a,b,kab,h)   % normal session
        /\ session(a,i,kai,h)   % intruder i impersonates b
        /\ session(i,b,kib,h)   % intruder i impersonates a
    end role
31 constants in environment
- const lists all concrete variables that make up the scenario
- names for authentication and secrecy properties are declared here, of type protocol_id (for tool internal reasons)
    const bob_alice_nb, k1 : protocol_id,     % names for analyses
          kab,kai,kib      : symmetric_key,   % concrete keys
          a,b              : agent,           % concrete agents
          h                : hash_func        % concrete hash function
32 what intruder knows
- intruder models protocol attacker
- HLPSL has reserved variable i for intruder, who receives all network traffic
- in environment, we declare what intruder knows before protocol runs
- in environment here, i knows identities of the two agents, the hash function, and keys it shares with a and b in the second (resp. third) session
    % specify what the attacker knows initially
    intruder_knowledge = {a,b,h,kai,kib}
33 analysis goals
- Can check models of protocols for executability (consistency), this is useful
- But also want to verify declared secrecy and authentication properties
- Directives for such analyses are grouped in a goal block, for our example this is:
    goal
      secrecy_of k1
      authentication_on bob_alice_nb
    end goal
34 secrecy goal in detail
    goal
      secrecy_of k1                     % analyze this
      authentication_on bob_alice_nb
    end goal
- k1 is name for secrecy property declared in role bob: secret(K1',k1,{A,B})
- says that fresh key K1 is known only to agents A and B in this protocol run
- declared right where key is first created (in role bob) and not in role alice, where it is received!
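
To make the secrecy goal and intruder_knowledge concrete, here is an added Python sketch (not part of the slides and not AVISPA code) of Dolev-Yao knowledge deduction over the three sessions of the environment role. It assumes a passive intruder that only observes one honest run of each session; the nonce names (na1, nb1, ni2, ...) and all function names are constructed for this example.

```python
# Added illustration (not from the slides): symbolic Dolev-Yao deduction.
# Atoms are strings; ("pair", x, y) is x.y; ("enc", m, k) is {m}_k;
# ("hash", f, m) is f(m).

def pair(x, y):
    return ("pair", x, y)

def enc(m, k):
    return ("enc", m, k)

def hsh(f, m):
    return ("hash", f, m)

def can_build(term, known):
    """Synthesis: can the intruder compose `term` from what it knows?"""
    if term in known:
        return True
    if isinstance(term, tuple):
        # pairing, encrypting and hashing are public once all parts are known
        return all(can_build(part, known) for part in term[1:])
    return False

def saturate(initial):
    """Analysis: close knowledge under unpairing and decryption."""
    known = set(initial)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            learned = set()
            if isinstance(term, tuple) and term[0] == "pair":
                learned = {term[1], term[2]}
            elif (isinstance(term, tuple) and term[0] == "enc"
                  and can_build(term[2], known)):
                learned = {term[1]}  # key is derivable, so the payload leaks
            if not learned <= known:
                known |= learned
                changed = True
    return known

def honest_trace(k, h, na, nb):
    """Messages 1-3 of one run as they appear on the network, plus K1."""
    k1 = hsh(h, pair(na, nb))
    return [enc(na, k), enc(nb, k), enc(nb, k1)], k1

def check_secrecy(intruder_knowledge):
    """Return {session: (intruder_knows_K1, secrecy_violated)}."""
    # Nonce names are constructed for this example; ni2 and ni3 are the
    # nonces the intruder generates itself when it plays bob resp. alice.
    runs = {
        "session(a,b,kab,h)": ("kab", "na1", "nb1", {"a", "b"}),
        "session(a,i,kai,h)": ("kai", "na2", "ni2", {"a", "i"}),
        "session(i,b,kib,h)": ("kib", "ni3", "nb3", {"i", "b"}),
    }
    traffic, fresh_keys = [], {}
    for name, (k, na, nb, allowed) in runs.items():
        msgs, k1 = honest_trace(k, "h", na, nb)
        traffic += msgs
        fresh_keys[name] = (k1, allowed)
    known = saturate(set(intruder_knowledge) | {"i", "ni2", "ni3"} | set(traffic))
    result = {}
    for name, (k1, allowed) in fresh_keys.items():
        knows = can_build(k1, known)
        # secret(K1',k1,{A,B}) is only violated if i is not in {A,B}
        result[name] = (knows, knows and "i" not in allowed)
    return result

if __name__ == "__main__":
    for name, verdict in check_secrecy({"a", "b", "h", "kai", "kib"}).items():
        print(name, verdict)
```

The intruder derives K1 in the two sessions it takes part in, which is not a violation because i is in the set {A,B} there; adding kab to intruder_knowledge turns the first session into a violation.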
35 authentication goal
    witness(A,B,bob_alice_nb,Nb')   % in role alice
    request(B,A,bob_alice_nb,Nb)    % in role bob
- bob_alice_nb is name for authentication property declared in roles alice and bob
- request: B accepts value Nb, relies on existence of A and A's agreeing to value Nb
- Nb should be fresh, not replayed
- A's existence bound to protocol id for bob_alice_nb
36 authentication goal (2)
    witness(A,B,bob_alice_nb,Nb')   % in role alice
    request(B,A,bob_alice_nb,Nb)    % in role bob
- witness statement complements request statement
- it stipulates two things:
- A wants to be a peer with agent B in the protocol run with id bob_alice_nb
- and A wants to agree with B on the value Nb, for the purpose of authentication
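
The witness/request correspondence described on the two slides above can be checked over a trace of events. This added Python sketch (not from the slides, not AVISPA code) assumes the reading given there: every request(B,A,id,V) needs an earlier witness(A,B,id,V), and B must not accept the same value twice. The Event type, the function names and the sample traces are constructed.

```python
from collections import namedtuple

# Added illustration (not from the slides). kind is "witness" or "request".
Event = namedtuple("Event", "kind actor peer pid value")

def witness(a, b, pid, value):
    return Event("witness", a, b, pid, value)

def request(b, a, pid, value):
    return Event("request", b, a, pid, value)

def check_authentication(trace, pid):
    """Return [(index, reason)] for every request on `pid` that must be rejected."""
    witnessed = set()   # (claimant, intended_peer, value) from witness events
    accepted = set()    # (verifier, claimant, value) from earlier requests
    violations = []
    for index, ev in enumerate(trace):
        if ev.pid != pid:
            continue
        if ev.kind == "witness":
            witnessed.add((ev.actor, ev.peer, ev.value))
        elif ev.kind == "request":
            # request(B,A,id,V) needs an earlier witness(A,B,id,V)
            if (ev.peer, ev.actor, ev.value) not in witnessed:
                violations.append((index, "no matching witness"))
            elif (ev.actor, ev.peer, ev.value) in accepted:
                violations.append((index, "value replayed"))
            accepted.add((ev.actor, ev.peer, ev.value))
    return violations

# Constructed event traces for the property bob_alice_nb
PID = "bob_alice_nb"
HONEST = [witness("a", "b", PID, "nb1"), request("b", "a", PID, "nb1")]
REPLAYED = HONEST + [request("b", "a", PID, "nb1")]
# a intended to run with i, yet b accepts the value as coming from a for b
WRONG_PEER = [witness("a", "i", PID, "nb2"), request("b", "a", PID, "nb2")]

if __name__ == "__main__":
    for name, trace in [("honest", HONEST), ("replayed", REPLAYED),
                        ("wrong peer", WRONG_PEER)]:
        print(name, check_authentication(trace, PID))
```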
37 Running the analyses
- .hlpsl files end with a runner environment()
- all goals are tried, but only the first attack (so for one goal only) is reported, if applicable
- can use different analysis back-ends (more on that later)
- can, and have to, check executability of .hlpsl model as well (more on that later)
38 Analysis results
- for our HLPSL model, model checker OFMC found no attacks
- protocol may be unsafe in other session composition scenarios (like testing)
- will discuss back-end for unbounded sessions later (like proofs)
    % avispa ex1.hlpsl
    % OFMC
    % Version of 2006/02/13
    SUMMARY
      SAFE
    DETAILS
      BOUNDED_NUMBER_OF_SESSIONS
    ...
39 Structure of models
    role r1(...) ... end role          % define participating roles
    role r2(...) ... end role
    ...
    role rn(...) ... end role

    role session(...)                  % define role interaction in protocol
      local ...                        % private channels
      composition r1(...) /\ ... /\ rn(...)
    end role

    role environment()                 % define execution scenario of protocol
    def=
      const ...                        % actual agents, keys, etc.
      intruder_knowledge = {... }      % state what the attacker knows initially
      composition session(...) /\ ... /\ session(...)   % several sessions in parallel
    end role

    goal
      secrecy_of ...                   % what secrets should hold
      authentication_on ...            % what correspondences should hold
    end goal

    environment()                      % run the model against all goals
40 Summary
- looked at a HLPSL model in detail
- learned general structure of .hlpsl specifications
- discussed how to encode behavior and (shared) knowledge in HLPSL
- saw how one can analyze such models for secrecy and authentication
More informationSecurity Handshake Pitfalls
Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr 1 Cryptographic Authentication Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Photuris and SKIP PHASE 1 IKE PHASE 2 IKE How is SA established? How do parties negotiate
More informationAnalysis and enhancements of an efficient biometricbased remote user authentication scheme using smart cards
Analysis and enhancements of an efficient biometricbased remote user authentication scheme using smart cards Sana Ibjaoun 1,2, Anas Abou El Kalam 1, Vincent Poirriez 2 1 University Cadi Ayyad, Marrakesh,
More informationUser Authentication Protocols
User Authentication Protocols Class 5 Stallings: Ch 15 CIS-5370: 26.September.2016 1 Announcement Homework 1 is due today by end of class CIS-5370: 26.September.2016 2 User Authentication The process of
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationEncryption 2. Tom Chothia Computer Security: Lecture 3
Encryption 2 Tom Chothia Computer Security: Lecture 3 This Lecture Counter Mode (CTR) enryption Diffie Helleman key exchange Public Key Encryption RSA Signing Combining public and symmetric key encryption
More informationOutline. Key Management. Security Principles. Security Principles (Cont d) Escrow Foilage Protection
Outline CSCI 454/554 Computer and Network Security Topic 8.2 Internet Key Management Key Management Security Principles Internet Key Management Manual Exchange SKIP Oakley ISAKMP IKE 2 Key Management Why
More informationCSC/ECE 574 Computer and Network Security. Outline. Key Management. Key Management. Internet Key Management. Why do we need Internet key management
Computer Science CSC/ECE 574 Computer and Network Security Topic 8.2 Internet Key Management CSC/ECE 574 Dr. Peng Ning 1 Outline Key Management Security Principles Internet Key Management Manual Exchange
More informationOutline. Key Management. CSCI 454/554 Computer and Network Security. Key Management
CSCI 454/554 Computer and Network Security Topic 8.2 Internet Key Management Key Management Outline Security Principles Internet Key Management Manual Exchange SKIP Oakley ISAKMP IKE 2 Key Management Why
More informationCSCI 454/554 Computer and Network Security. Topic 8.2 Internet Key Management
CSCI 454/554 Computer and Network Security Topic 8.2 Internet Key Management Outline Key Management Security Principles Internet Key Management Manual Exchange SKIP Oakley ISAKMP IKE 2 Key Management Why
More informationOutline. CSC/ECE 574 Computer and Network Security. Key Management. Security Principles. Security Principles (Cont d) Internet Key Management
Outline Computer Science CSC/ECE 574 Computer and Network Security Topic 8.2 Internet Key Management Key Management Security Principles Internet Key Management Manual Exchange SKIP Oakley ISAKMP IKE CSC/ECE
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationAuthentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi
Authentication Strong Password Protocol 1 Strong Password Protocol Scenario : Alice uses any workstation to log to the server B, using a password to authenticate her self. Various way to do that? Use Ur
More informationSecurity: Cryptography
Security: Cryptography Computer Science and Engineering College of Engineering The Ohio State University Lecture 38 Some High-Level Goals Confidentiality Non-authorized users have limited access Integrity
More informationLecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight
More informationVerifying Real-World Security Protocols from finding attacks to proving security theorems
Verifying Real-World Security Protocols from finding attacks to proving security theorems Karthik Bhargavan http://prosecco.inria.fr + many co-authors at INRIA, Microsoft Research, Formal security analysis
More informationBAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]
Logic of Authentication 1. BAN Logic Ravi Sandhu BAN Logic BAN is a logic of belief. In an analysis, the protocol is first idealized into messages containing assertions, then assumptions are stated, and
More informationCS3235 Seventh set of lecture slides
CS3235 Seventh set of lecture slides Hugh Anderson National University of Singapore School of Computing October, 2007 Hugh Anderson CS3235 Seventh set of lecture slides 1 Warp 9... Outline 1 Public Key
More informationSecurity Handshake Pitfalls
Cryptographic Authentication Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response
More informationHOST Authentication Overview ECE 525
Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication in real-time
More informationNetwork Security - ISA 656 IPsec IPsec Key Management (IKE)
Network Security - ISA 656 IPsec IPsec (IKE) Angelos Stavrou September 28, 2008 What is IPsec, and Why? What is IPsec, and Why? History IPsec Structure Packet Layout Header (AH) AH Layout Encapsulating
More informationLecture 7.1: Private-key Encryption. Lecture 7.1: Private-key Encryption
Private-key Encryption Alice and Bob share a secret s {0, 1} n Private-key Encryption Alice and Bob share a secret s {0, 1} n Encryption and Decryption algorithms are efficient Private-key Encryption Alice
More informationSecurity Handshake Pitfalls
Security Handshake Pitfalls 1 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: Authenticate each other Establish sessions keys This process may
More informationJunos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services
Junos Security Chapter 8: IPsec VPNs 2012 Juniper Networks, Inc. All rights reserved. www.juniper.net Worldwide Education Services Chapter Objectives After successfully completing this chapter, you will
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationExploring a Security Protocol for Secure Service Migration in Commercial Cloud Environments
Exploring a Security Protocol for Secure Service Migration in Commercial Cloud Environments ABSTRACT Mobile users are making more demands of networks. They want to run applications such as network steaming
More informationLecture 9. Authentication & Key Distribution
Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of the following: Conventional (symmetric) cryptography Hash functions and MACs Public key (asymmetric) cryptography Encryption
More informationUser Authentication Protocols Week 7
User Authentication Protocols Week 7 CEN-5079: 2.October.2017 1 Announcement Homework 1 is posted on the class webpage Due in 2 weeks 10 points (out of 100) subtracted each late day CEN-5079: 2.October.2017
More informationCS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:
50fb6be35f4c3105 9d4ed08fb86d8887 b746c452a9c9443b 15b22f450c76218e CS 470 Spring 2017 9df7031cdbff9d10 b700a92855f16328 5b757e66d2131841 62fedd7d9131e42e Mike Lam, Professor Security a.k.a. Why on earth
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationWhat did we talk about last time? Public key cryptography A little number theory
Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive
More information