Secure Reactive Systems, Day 3: Reactive Simulatability Property Preservation and Crypto. Examples
|
|
- Diana Miller
- 5 years ago
- Views:
Transcription
1 Michael Backes, Germany joint work with Birgit Pfitzmann and Michael Waidner Secure Reactive Systems, Day 3: Reactive Simulatability Property Preservation and Crypto. Examples Tartu, 03/01/06
2 Recall the Big Picture Crypto alized Id e S gnature i E cryption shfunction n H a K e y establishment But can we justify? CAD d by CAV signe D e by rified V e
3 Recall the RS Framework Precise system model allowing cryptographic and abstract operations Reactive simulatability with composition theorem Preservation theorems for security properties Concrete pairs of idealizations and secure realizations Sound symbolic abstractions (Dolev-Yao models) that are suitable for tool support Sound security proofs of security protocols: NSL, Otway-Rees, ikp, etc. Detailed Proofs (Poly-time, cryptographic bisimulations with static information flow analysis, )
4 Composition One System Given: Then this holds:
5 Proof Idea (Single Composition) H A # H 0 H A 0 = A # H A* = A' 0 H 0 H A' 0
6 Recall the RS Framework Precise system model allowing cryptographic and abstract operations Reactive simulatability with composition theorem Preservation theorems for security properties Concrete pairs of idealizations and secure realizations Sound symbolic abstractions (Dolev-Yao models) that are suitable for tool support Sound security proofs of security protocols: NSL, Otway-Rees, ikp, etc. Detailed Proofs (Poly-time, cryptographic bisimulations with static information flow analysis, )
7 Abstraction of one-step Public-Key Encryption On the board
8 Example: Encryption, passive A 1, A 2 PPT: P(b* = b :: (Attacker success) (sk, pk) gen(k); (Keys) (m 0, m 1, v) A 1 (k, pk); (Message choice) b R {0, 1}; c := enc(pk, m b ); (Encrypt) b* A 2 (v, c) ) (Guess) 1/2 + 1/poly(k) (Negligible)
9 Cryptographic Idealization Layers Symbolic abstractions Larger abstractions Small real abstractions Low-level crypto (not abstract) VSS [GM95] Secure channels [PW00, PW01, CK02, BJP02,...] Encryption as E(pk, 1 len ) [LMMS98, PW00, C01,...] Dolev-Yao Model Certified mail [PSW00] Credentials [CL01] Auth/sigs as statement database [BPW03...] Related: [SM93,P93] Real auth/sig s + integrity lookup [LMMS98, C01,...] Normal cryptographic definitions
10 Real System (send, m, r) (received, s, m) M s M r in s : (send, m, r): enc r (sign s (s,, m, r)) net r,s : ( enc r (sign s,c (s,, m, r)): 1. Decrypt, check signature, s, r abort at failure 2. Output (received, s, m)
11 Recall Naive Approach E.g., secure channel m m Not a good abstraction since not enough information for the simulator: Who is sender? Who is recipient? Length of m? No availability
12 Better Abstraction TH send msg receive send in s : (send, m, r): msg s,r := msg s,r & m, output (i, l, s, r) to Adversary from_adv r : (send,i,s( send,i,s): m:= msg msg s,r s,r [i], output (received, s, m) Tolerable imperfection s A
13 Proof Idea Real Secure Channels H H Ideal Secure Channels H L M r M s A TH SecCh A view real (H) view ideal (H) M* r M* s Simulator A 1. Proof by probabilistic bisimulation possible for most cases 2. Collect remaining traces in error sets (e.g., for forged signatures) 3. Show reduction proof of error sets against underlying crypto-primitive (e.g., against security of the signature scheme)
14 Explicit Security Requirements in the Model
15 Recall Prior Result as secure as (reactive simulatability) for certain versions of and
16 Specification Styles Is what people want? Often yes, in particular together with E.g., secure channels (see also spi calculus), certified mail But not always...
17 Alternative: Property-based spec. E.g., I want a tight roof on top : integrity Preserved by : Roof on top... Roof on top...
18 Characterization Integrity (e.g., temporal logic) Privacy (e.g., information flow, noninterference) Liveness: (Something good eventually happens) Termination Starvation freedom Guaranteed service
19 Integrity
20 Integrity Abstract formulation: e.g., temporal logic over the interface of a system (ports to the user) Cryptographic semantics: For all with linear-time semantics (set of permitted traces) Example: If m is input at p? at time t, then there exists a future time s such that m is output at port q! ( Reliability) A trace tr is contained in Req if t: t: p?m s > t: s: q!m
21 Fulfillment of Integrity Different kinds of fulfillment: Perfect: : Requirement always holds Computational: : For polynomial-time adversary and users only and up to negligible error probability Integrity Preservation Theorem: Simulatability preserves : Sys 1 Sys 2 and Sys 2 = Req Sys 1 = poly Req implies
22 Example: Ordered Secure Channels over Unordered Ones H H TH ord A = M 1 M 2 A TH SecMess Application: Composition Validate Formally THtheorem verified ord Bisimulation Transitivity (receivelist u,v sendlist u,v ) Preservation theorem H M 1 M 2 Real SecMess A
23 Cryptographic Non-Interference (Transitive)
24 Privacy No single well-established type of privacy properties in formal methods Most common type here: Non-interference Lots of application areas: Secure operating systems [De76,De77] Confinement: trusted program leaks information through covert channels Renewed importance with extensible systems: applets, kernel extensions, mobile agents, etc.
25 Some Prior Approaches Non-probabilistic Reactive systems: [Many] Based on process calculi Definitions are the main issue, different types of non-interference. Main problem here: refinement Probabilistic Reactive systems [Gr92] Gray s definition Probabilistic Non- Interference stands out For all high-level environment behaviours same probability distribution of the low-events. Perfect fulfillment only, not yet suited for real cryptography introduce error probabilities, etc.
26 Prior work (cont d) Deterministic Cryptographic Nondeterministic Probabilistic Non- Interference GM 82 Many Gray 92 New
27 Cryptographic Non-Interference Bit Out L H b {0,1} b* H L Want to express: No information can flow from H to L TH A Idea: Whatever H does, L will not recognize it P(b=b*) 1/2 + Negl + Now error probabilities, computational restrictions + Guessing a bit is a typical concept in cryptography Closely related to cryptographic definitions
28 Preservation under Simulatability Preservation Theorem (Informal): Whenever an abstractions fulfills a cryptographic non-interference requirement, then every secure implementation of it also fulfills this requirement. Formally: Sys 1 Sys 2 Sys 2 = NIReq H_L Sys 1 = NIReq H_L
29 Cryptographic Non-Interference (Intransitive)
30 A Scenario for Intransitive Non-Interference CEO
31 Prior work (cont d) Deterministic Cryptographic Nondeterministic Probabilistic Non- Interference GM 82 Many Gray 92 New Intransitive GM 84 Rushby 92, Pinsky 95, RG 99, SRS+ 00 New New
32 Definition 1: Blocking Non-Interference Secretary can prevent the flow b b* Bad Sec CEO Sys Bad CEO Sec: all poly-time Bad / CEO Prob(b* = b :: r run conf ; b := r b_in...; b* := r b_out ) ½ + ε 0 Small Negl
33 Definition 2: Recognition Non-interference Secretary sees what s going on b b D b* view Bad Sec CEO Sys CEO gets b Sec gets b. Bad CEO Sec D
34 Arbitrary Flow Graphs Bad Sec / VP CEO Friend B Friend CEO Bad CEO cuts Cut-Distinguisher
35 Preservation under Simulatability Theorem: Sys sec IdealSys Bad / Sec CEO Bad / Sec CEO
36 Implementation with Cryptographic Firewall Bad Sec CEO Bad Sec CEO Filtering rules Secure channels Fil 1 Fil 2 Fil 3 SC 1 SC 2 SC 3 sec Ideal Firewall Prove recognition NI
37 Michael Backes, Germany joint work with Birgit Pfitzmann and Michael Waidner Secure Reactive Systems, Day 4: Justifying Symbolic Abstractions of Cryptography Tartu, 03/02/06
38 Recall the RS Framework Precise system model allowing cryptographic and abstract operations Reactive simulatability with composition theorem Preservation theorems for security properties Concrete pairs of idealizations and secure realizations Sound symbolic abstractions (Dolev-Yao models) that are suitable for tool support Sound security proofs of security protocols: NSL, Otway-Rees, ikp, etc. Detailed Proofs (Poly-time, cryptographic bisimulations with static information flow analysis, )
39 Recall the RS Framework Precise system model allowing cryptographic and abstract operations Reactive simulatability with composition theorem Preservation theorems for security properties Concrete pairs of idealizations and secure realizations Sound symbolic abstractions (Dolev-Yao models) that are suitable for tool support Sound security proofs of security protocols: NSL, Otway-Rees, ikp, etc. Detailed Proofs (Poly-time, cryptographic bisimulations with static information flow analysis, )
40 Automatic Proofs of Security
41 Automation if Repetitive Tedious Why Formal Methods? Prone to human errors Critical application A top candidate: Distributed protocols Security variants for 20 years
42 Protocol Proof Tools HOL Provers Theory 1 Theory n Special security provers state Data indep/ Model Checkers Almost anything Much human interaction Special logic fragments for security Approximations: correct, not complete Fully automatic State exploration
43 Automating Security Protocol Proofs Even simple protocol classes & properties undecidable Robust protocol design helps Full arithmetic is out Probability theory just developing So how do current tools handle cryptography?
44 Dolev-Yao Model Idea [DY81] Abstraction as term algebras, e.g., D x (E x (E x (m))) Cancellation rules, e.g., D x E x = ε Well-developed proof theories Abstract data types Equational 1 st -order logic Important for security proofs: Inequalities! (Everything that cannot be derived.) Known as initial model Important goal: Justify or replace
45 Dolev-Yao Model Variants [Ours] Operators and equations pub enc, sym enc, nonce, payload, pairing, sigs,... Inequalities assumed across operators! Untyped or typed Destructors explicit or implicit Abstraction from probabilism Finite selection, counting, multisets Surrounding protocol language Special-purpose, CSP, pi calculus,... [any] [EG82, M83, EGS85...] pk sign pk E N (, ) m
46 The BPW Model (Ideal Dolev-Yao Style Library)
47 Dolev-Yao-style Crypto Abstractions Recall: Term algebra, inequalities Major tasks: Represent ideal and real library in the same way to higher protocols Prevent honest users from stupidity with real crypto objects, but don t restrict adversary E.g., sending a bitstring that s almost a signature What imperfections are tolerable / must be allowed?
48 Ideal Cryptographic Library U V No crypto outputs! Deterministic! Commands, payloads, terms? handles Payloads / test results, terms? handles For U: For V: For A: Term 1 T u,1 Term 2 T u,2 Term 3 T u,3 Not globally known - T v,1 - - T a,1 - E E A pk pk m pk m TH
49 Ideal Cryptographic Library (2) U V T u,4 encrypt(t u,1, T u,3 ) get_type(t v,2 ) send(v, T u,4 ) received(u, T v,2 ) T v,3 := decrypt(...) For U: For V: For A: Term 1 Term 2 Term 3 T u,1 - - T u,2 T v,1 T a,1 E T u,3 - - E pk Term 4... E E A pk pk m pk m pk m TH
50 Main Differences to Dolev-Yao Tolerable imperfections: Lengths of encrypted messages cannot be kept secret Adversary may include incorrect messages inside encryptions Signature schemes can have memory Slightly restricted key usage for symmetric encryption Most imperfections avoidable for more restricted cases
51 Main Additions to Given Cryptosystems Type tags Tagging with keys Additional randomization (e.g., needed when correct machines use A s keys)
52 The Simulator
53 Proof of Correct Simulation (1) Rewrite Idealize, comp/ theorem S H M H M' u H M' v A Enc sim, H
54 Proof of Correct Simulation (2) Combined system Reduction proofs for collisions, guesses, forgeries Probabilistic bisimulations With error sets (of runs) With info-flow analysis H S H M H M' u M' v A Enc sim, H
55 Related Work (until first half of 2005) Attacks Operators Protocols Properties DY version & impl AR00, AJ01, L01 Passive 1 (pke or ske) differs Equivalences Simple BPW02, BPW03, BP04 Active Many Arbitrary Simulatability, Int., non-interf, now nonce, key & payload secrecy More complex but see L05, BB06 MW04 Active 1 (pke) Restricted Integrity Simple L04 Active 1 (ske) Restricted Equivalences Simple CW05 Active pke, sig Restricted Nonce secrecy Simple CH05 Active 1 (pke) Restricted Key secrecy Simple All simple ones come with tool: Specific for equivalences, any standard DY tool otherwise
56 New General Framework for Symbolic Analysis Automata framework Our Sound DY-Model Different Logics Protocol Instantiations Lemmas and Theories
Cryptographically Sound Security Proofs for Basic and Public-key Kerberos
Cryptographically Sound Security Proofs for Basic and Public-key Kerberos ESORICS 2006 M. Backes 1, I. Cervesato 2, A. D. Jaggard 3, A. Scedrov 4, and J.-K. Tsay 4 1 Saarland University, 2 Carnegie Mellon
More informationFormal Methods and Cryptography
Formal Methods and Cryptography Michael Backes 1, Birgit Pfitzmann 2, and Michael Waidner 3 1 Saarland University, Saarbrücken, Germany, backes@cs.uni-sb.de 2 IBM Research, Rueschlikon, Switzerland, bpf@zurich.ibm.com
More informationLow-level Ideal Signatures and General Integrity Idealization
RZ 3511 (# 99529) 11/10/03 Computer Science 14 pages Research Report Low-level Ideal Signatures and General Integrity Idealization Michael Backes, Birgit Pfitzmann and Michael Waidner IBM Research Zurich
More informationA Cryptographically Sound Security Proof of the Needham-Schroeder-Lowe Public-Key Protocol
A Cryptographically Sound Security Proof of the Needham-Schroeder-Lowe Public-Key Protocol Michael Backes and Birgit Pfitzmann IBM Zurich Research Lab {mbc,bpf}@zurich.ibm.com Abstract. We prove the Needham-Schroeder-Lowe
More informationCryptographically Sound Implementations for Typed Information-Flow Security
FormaCrypt, Nov 30. 2007 Cryptographically Sound Implementations for Typed Information-Flow Security Cédric Fournet Tamara Rezk Microsoft Research INRIA Joint Centre http://msr-inria.inria.fr/projects/sec/cflow
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationAnalyzing Security Protocols using Probabilistic I/O Automata
Analyzing Security Protocols using Probabilistic I/O Automata Nancy Lynch MIT, EECS, CSAIL Workshop on Discrete Event Systems (Wodes 06) Ann Arbor, Michigan July 11, 2006 1 References Authors: Ran Canetti,
More informationComputationally Sound Mechanized Proof of PKINIT for Kerberos
Computationally Sound Mechanized Proof of PKINIT for Kerberos B. Blanchet 1, A. D. Jaggard 2, J. Rao 3, A. Scedrov 3, J.-K. Tsay 4 Protocol exchange Meeting 02 October 2008 1 ENS 2 Rutgers University 3
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationAnalysis Techniques. Protocol Verification by the Inductive Method. Analysis using theorem proving. Recall: protocol state space.
CS 259 Protocol Verification by the Inductive Method Analysis Techniques Crypto Protocol Analysis Formal Models Dolev-Yao (perfect cryptography) Computational Models John Mitchell Modal Logics Model Checking
More informationFormal methods for software security
Formal methods for software security Thomas Jensen, INRIA Forum "Méthodes formelles" Toulouse, 31 January 2017 Formal methods for software security Formal methods for software security Confidentiality
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationComposition and Integrity Preservation of Secure Reactive Systems
Composition and Integrity Preservation of Secure Reactive Systems Birgit Pfitzmann Universität des Saarlandes Saarbrücken, Germany pfitzmann@cs.uni-sb.de Michael Waidner IBM Research Division Rüschlikon,
More informationPlaintext Awareness via Key Registration
Plaintext Awareness via Key Registration Jonathan Herzog CIS, TOC, CSAIL, MIT Plaintext Awareness via Key Registration p.1/38 Context of this work Originates from work on Dolev-Yao (DY) model Symbolic
More informationUniversal composability for designing and analyzing cryptoprotocols
Universal composability for designing and analyzing cryptoprotocols István Vajda vajda@hit.bme.hu UC for cryptoprotocols 1 Agenda Brief overview of universal composability Example analysis of a secure
More informationCryptographically Sound Theorem Proving
Cryptographically Sound Theorem Proving Christoph Sprenger 1, Michael Backes 2, David Basin 1, Birgit Pfitzmann 2, and Michael Waidner 2 1 ETH Zurich, Switzerland, {sprenger,basin}@inf.ethz.ch 2 IBM Zurich
More informationDesign and Analysis of Protocols The Spyce Way
FY2001 ONR CIP/SW URI Software Quality and Infrastructure Protection for Diffuse Computing Design and Analysis of Protocols The Spyce Way Speaker: Joe Halpern (Cornell) Smart devices diffuse into the environment.
More informationCSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring 2018 5 and 6 February 2018 Identification schemes are mechanisms for Alice to prove her identity to Bob They comprise a setup
More informationSecure Multiparty Computation
Secure Multiparty Computation Li Xiong CS573 Data Privacy and Security Outline Secure multiparty computation Problem and security definitions Basic cryptographic tools and general constructions Yao s Millionnare
More informationA Framework for Universally Composable Diffie-Hellman Key Exchange
A Framework for Universally Composable Diffie-Hellman Key Exchange Ralf Küsters and Daniel Rausch University of Stuttgart Stuttgart, Germany Email: {ralf.kuesters, daniel.rausch}@informatik.uni-stuttgart.de
More informationMaude Implementation of MSR
Maude Implementation of MSR Mark-Oliver Stehr Stefan Reich University of Illinois, Urbana-Champaign (Iliano Cervesato) ITT Industries @ NRL http://theory.stanford.edu/~iliano/ IPCS - Savannah, GA October
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationCS 395T. Analyzing SET with Inductive Method
CS 395T Analyzing SET with Inductive Method Theorem Proving for Protocol Analysis Prove correctness instead of looking for bugs Use higher-order logic to reason about all possible protocol executions No
More informationOverview of Cryptography
18739A: Foundations of Security and Privacy Overview of Cryptography Anupam Datta CMU Fall 2007-08 Is Cryptography A tremendous tool The basis for many security mechanisms Is not The solution to all security
More informationComputational Soundness of Symbolic Zero Knowledge Proofs
Computational Soundness of Symbolic Zero Knowledge Proofs Esfandiar Mohammadi Master Seminar Information Security and Cryptography Group Max-Planck Institute for Software Systems Saarland University Advisors:
More informationBrief Introduction to Provable Security
Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of
More information1 Defining Message authentication
ISA 562: Information Security, Theory and Practice Lecture 3 1 Defining Message authentication 1.1 Defining MAC schemes In the last lecture we saw that, even if our data is encrypted, a clever adversary
More informationDefining Encryption. Lecture 2. Simulation & Indistinguishability
Defining Encryption Lecture 2 Simulation & Indistinguishability Roadmap First, Symmetric Key Encryption Defining the problem We ll do it elaborately, so that it will be easy to see different levels of
More informationSecure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)
Secure Multiparty Computation: Introduction Ran Cohen (Tel Aviv University) Scenario 1: Private Dating Alice and Bob meet at a pub If both of them want to date together they will find out If Alice doesn
More informationCrypto Background & Concepts SGX Software Attestation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know
More informationAdaptively Secure Broadcast
Adaptively Secure Broadcast Martin Hirt and Vassilis Zikas Department of Computer Science, ETH Zurich {hirt,vzikas}@inf.ethz.ch Abstract. A broadcast protocol allows a sender to distribute a message through
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationAutomated Security Proofs with Sequences of Games
Automated Security Proofs with Sequences of Games Bruno Blanchet and David Pointcheval CNRS, Département d Informatique, École Normale Supérieure October 2006 Proofs of cryptographic protocols There are
More informationModelling Downgrading in Information Flow Security. A. Bossi, C. Piazza, and S. Rossi. Dipartimento di Informatica Università Ca Foscari di Venezia
Modelling Downgrading in Information Flow Security A. Bossi, C. Piazza, and S. Rossi Dipartimento di Informatica Università Ca Foscari di Venezia bossi, piazza, srossi @dsi.unive.it Joint Meeting MYTHS/MIKADO/DART,
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationAuthenticity by Typing for Security Protocols
Authenticity by Typing for Security Protocols Andrew D. Gordon Microsoft Research Alan Jeffrey DePaul University May 2001 Technical Report MSR TR 2001 49 Microsoft Research Microsoft Corporation One Microsoft
More informationOutline More Security Protocols CS 239 Computer Security February 4, 2004
Outline More Security Protocols CS 239 Computer Security February 4, 2004 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationStructure-Preserving Certificateless Encryption and Its Application
SESSION ID: CRYP-T06 Structure-Preserving Certificateless Encryption and Its Application Prof. Sherman S. M. Chow Department of Information Engineering Chinese University of Hong Kong, Hong Kong @ShermanChow
More informationCombined CPV-TLV Security Protocol Verifier
Combined CPV-TLV Security Protocol Verifier by Ariel Cohen Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science Department of Computer Science Courant Institute
More informationGeneric Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model
Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model Janaka Alawatugoda Department of Computer Engineering University of Peradeniya,
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More information2 What does it mean that a crypto system is secure?
Cryptography Written by: Marius Zimand Notes: On the notion of security 1 The One-time Pad cryptosystem The one-time pad cryptosystem was introduced by Vernam and Mauborgne in 1919 (for more details about
More informationTechnical Report: Justifying a Dolev-Yao Model under Active Attacks (Long Version)
Technical Report: Justifying a Dolev-Yao Model under Active Attacks (Long Version) Michael Backes, Birgit Pfitzmann, and Michael Waidner IBM Zurich Research Lab July 31, 2008 Abstract. We present the first
More informationComputational Secrecy by Typing for the Pi Calculus
Computational Secrecy by Typing for the Pi Calculus Martín Abadi 1,2, Ricardo Corin 1,3, and Cédric Fournet 1 1 Microsoft Research 2 University of California, Santa Cruz 3 University of Twente Abstract.
More informationIND-CCA2 secure cryptosystems, Dan Bogdanov
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results
More informationSecurity Protocol Verification: Symbolic and Computational Models
Security Protocol Verification: Symbolic and Computational Models INRIA, Bruno Blanchet École Normale Supérieure, CNRS, Paris blanchet@di.ens.fr Abstract. Security protocol verification has been a very
More informationLecture 15: Public Key Encryption: I
CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used
More informationRefining Computationally Sound Mech. Proofs for Kerberos
Refining Computationally Sound Mechanized Proofs for Kerberos Bruno Blanchet Aaron D. Jaggard Jesse Rao Andre Scedrov Joe-Kai Tsay 07 October 2009 Protocol exchange Meeting Partially supported by ANR,
More informationYuval Ishai Technion
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Yuval Ishai Technion 1 Zero-knowledge proofs for NP [GMR85,GMW86] Bar-Ilan University Computational MPC with no honest
More information2 Secure Communication in Private Key Setting
CSA E0 235: Cryptography January 11, 2016 Instructor: Arpita Patra Scribe for Lecture 2 Submitted by: Jayam Modi 1 Discrete Probability Background Probability Distribution -A probability distribution over
More informationCryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39
Cryptography 2017 Lecture 4 Attacks against Block Ciphers Introduction to Public Key Cryptography November 14, 2017 1 / 39 What have seen? What are we discussing today? What is coming later? Lecture 3
More informationImperfect Decryption and an Attack on the NTRU Encryption Scheme
Imperfect Decryption and an Attack on the NTRU Encryption Scheme John A. Proos University of Waterloo, Waterloo, Canada japroos@math.uwaterloo.ca January 7, 2003 Abstract A property of the NTRU public-key
More informationA CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model
A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model Jörn Müller-Quade European Institute for System Security KIT, Karlsruhe, Germany 04/23/09 Session ID: CRYP301 Session Classification:
More informationCSC 5930/9010 Modern Cryptography: Digital Signatures
CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationFoundations of Cryptography CS Shweta Agrawal
Foundations of Cryptography CS 6111 Shweta Agrawal Course Information 4-5 homeworks (20% total) A midsem (25%) A major (35%) A project (20%) Attendance required as per institute policy Challenge questions
More informationModeling Random Oracles under Unpredictable Queries
Modeling Random Oracles under Unpredictable Queries Pooya Farshim 1 Arno Mittelbach 2 1 ENS, CNRS & INRIA, PSL Research University, Paris, France 2 TU Darmstadt, Germany 23rd Fast Software Encryption Nordrhein-Westfalen
More informationTechnical Report: A Cryptographically Sound Security Proof of the Needham-Schroeder-Lowe Public-Key Protocol (Long Version)
Technical Report: A Cryptographically Sound Security Proof of the Needham-Schroeder-Lowe Public-Key Protocol (Long Version) Michael Backes and Birgit Pfitzmann IBM Zurich Research Lab, Rüschlikon, Switzerland
More informationChosen-Ciphertext Security (II)
Chosen-Ciphertext Security (II) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (II) Fall 2018 1 / 13 Recall: Chosen-Ciphertext Attacks (CCA) Adversary
More informationSSL/TLS. How to send your credit card number securely over the internet
SSL/TLS How to send your credit card number securely over the internet The security provided by SSL SSL is implemented at level 4 The transport control layer In practice, SSL uses TCP sockets The underlying
More informationCSC 5930/9010 Modern Cryptography: Cryptographic Hashing
CSC 5930/9010 Modern Cryptography: Cryptographic Hashing Professor Henry Carter Fall 2018 Recap Message integrity guarantees that a message has not been modified by an adversary Definition requires that
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationInductive Trace Properties for Computational Security
Inductive Trace Properties for Computational Security Arnab Roy, Anupam Datta, Ante Derek, John C. Mitchell Department of Computer Science, Stanford University Abstract. Protocol authentication properties
More informationCSA E0 312: Secure Computation October 14, Guest Lecture 2-3
CSA E0 312: Secure Computation October 14, 2015 Guest Lecture 2-3 Guest Instructor: C. Pandu Rangan Submitted by: Cressida Hamlet 1 Introduction Till now we have seen only semi-honest parties. From now
More informationConcrete cryptographic security in F*
Concrete cryptographic security in F* crypto hash (SHA3) INT-CMA encrypt then-mac Auth. encryption Secure RPC some some some adversary attack attack symmetric encryption (AES). IND-CMA, CCA2 secure channels
More informationRelating the MSR Crypto-Protocol Specification Language to Rewriting Logic with Dependent Types
WRLA 2004 - Barcelona, Spain March 27, 2004 Relating the MSR Crypto-Protocol Specification Language to Rewriting Logic with Dependent Types Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc
More informationOn Symbolic Analysis of Cryptographic Protocols. Akshay Patil
On Symbolic Analysis of Cryptographic Protocols by Akshay Patil Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Master
More informationAnalysis of an E-voting Protocol using the Inductive Method
Analysis of an E-voting Protocol using the Inductive Method Najmeh Miramirkhani 1, Hamid Reza Mahrooghi 1, Rasool Jalili 1 1 Sharif University of Technology,Tehran, Iran {miramirkhani@ce., mahrooghi@ce.,
More informationCryptography. Lecture 12. Arpita Patra
Cryptography Lecture 12 Arpita Patra Digital Signatures q In PK setting, privacy is provided by PKE q Integrity/authenticity is provided by digital signatures (counterpart of MACs in PK world) q Definition:
More informationThe automatic security protocol verifier ProVerif
The automatic security protocol verifier ProVerif Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris June 2010 Bruno Blanchet (CNRS, ENS, INRIA) ProVerif June 2010 1 / 43 Introduction Many techniques
More informationLecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 15 PKI & Authenticated Key Exchange COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Today We will see how signatures are used to create public-key infrastructures
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationLecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model
CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look
More informationCryptography. and Network Security. Lecture 0. Manoj Prabhakaran. IIT Bombay
Cryptography and Network Security Lecture 0 Manoj Prabhakaran IIT Bombay Security In this course: Cryptography as used in network security Humans, Societies, The World Network Hardware OS Libraries Programs
More informationCRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION
#RSAC SESSION ID: CRYP-W04 CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION Adam Shull Recent Ph.D. Graduate Indiana University Access revocation on the cloud #RSAC sk sk Enc Pub Sym pk k
More informationOverview. Symbolic Protocol Analysis. Protocol Analysis Techniques. Obtaining a Finite Model. Decidable Protocol Analysis. Strand Space Model
CS 259 Overview Symbolic Protocol Analysis Vitaly Shmatikov Strand space model Protocol analysis with unbounded attacker Parametric strands Symbolic attack traces Protocol analysis via constraint solving
More informationCS 395T. Symbolic Constraint Solving
CS 395T Symbolic Constraint Solving Overview Strand space model Protocol analysis with unbounded attacker Parametric strands Symbolic attack traces Protocol analysis via constraint solving SRI constraint
More informationLectures 4+5: The (In)Security of Encrypted Search
Lectures 4+5: The (In)Security of Encrypted Search Contents 1 Overview 1 2 Data Structures 2 3 Syntax 3 4 Security 4 4.1 Formalizing Leaky Primitives.......................... 5 1 Overview In the first
More informationIntroduction to Cryptography. Lecture 3
Introduction to Cryptography Lecture 3 Benny Pinkas March 6, 2011 Introduction to Cryptography, Benny Pinkas page 1 Pseudo-random generator seed s (random, s =n) Pseudo-random generator G Deterministic
More informationCS155. Cryptography Overview
CS155 Cryptography Overview Cryptography Is n n A tremendous tool The basis for many security mechanisms Is not n n n n The solution to all security problems Reliable unless implemented properly Reliable
More informationLecture 6: Symmetric Cryptography. CS 5430 February 21, 2018
Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.
More informationCryptographic protocols
Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital
More informationA General Certification Framework with Applications to Privacy-Enhancing Certificate Infrastructures
W3C Workshop Ispra, Italy A General Certification Framework with Applications to Privacy-Enhancing Certificate Infrastructures Jan Camenisch Thomas Gross Dieter Sommer October 2006 Outline Scenario Protocols
More informationMechanising BAN Kerberos by the Inductive Method
Mechanising BAN Kerberos by the Inductive Method Giampaolo Bella Lawrence C Paulson Computer Laboratory University of Cambridge New Museums Site, Pembroke Street Cambridge CB2 3QG (UK) {gb221,lcp}@cl.cam.ac.uk
More informationA Remote Biometric Authentication Protocol for Online Banking
International Journal of Electrical Energy, Vol. 1, No. 4, December 2013 A Remote Biometric Authentication Protocol for Online Banking Anongporn Salaiwarakul Department of Computer Science and Information
More informationSecurity Protocol Verification: Symbolic and Computational Models
Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, École Normale Supérieure, CNRS Bruno.Blanchet@ens.fr March 2012 Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012
More informationSymmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University
Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS?
More informationDefining Multi-Party Computation
2 Defining Multi-Party Computation In this chapter, we introduce notations and conventions we will use throughout, define some basic cryptographic primitives, and provide a security definition for multi-party
More informationFormal Verification of the WireGuard Protocol
Formal Verification of the WireGuard Protocol www.wireguard.com Jason A. Donenfeld jason@zx2c4.com Kevin Milner Oxford University kevin.milner@cs.ox.ac.uk Draft Revision Abstract WireGuard, the secure
More informationMTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Entity Authentication Sven Laur University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie?
More informationLectures 6+7: Zero-Leakage Solutions
Lectures 6+7: Zero-Leakage Solutions Contents 1 Overview 1 2 Oblivious RAM 1 3 Oblivious RAM via FHE 2 4 Oblivious RAM via Symmetric Encryption 4 4.1 Setup........................................ 5 4.2
More informationComputer Networks & Security 2016/2017
Computer Networks & Security 2016/2017 Network Security Protocols (10) Dr. Tanir Ozcelebi Courtesy: Jerry den Hartog Courtesy: Kurose and Ross TU/e Computer Science Security and Embedded Networked Systems
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More informationDistributed Systems Programming (F21DS1) Formal Verification
Distributed Systems Programming (F21DS1) Formal Verification Andrew Ireland Department of Computer Science School of Mathematical and Computer Sciences Heriot-Watt University Edinburgh Overview Focus on
More informationFrom CryptoVerif Specifications to Computationally Secure Implementations of Protocols
From CryptoVerif Specifications to Computationally Secure Implementations of Protocols Bruno Blanchet and David Cadé INRIA, École Normale Supérieure, CNRS, Paris April 2012 Bruno Blanchet and David Cadé
More informationFair exchange and non-repudiation protocols
Fair exchange and non-repudiation protocols Levente Buttyán Laboratory of Cryptography and System Security (CrySyS) Budapest University of Technology and Economics buttyan@crysys.hu 2010 Levente Buttyán
More informationDistributed ID-based Signature Using Tamper-Resistant Module
, pp.13-18 http://dx.doi.org/10.14257/astl.2013.29.03 Distributed ID-based Signature Using Tamper-Resistant Module Shinsaku Kiyomoto, Tsukasa Ishiguro, and Yutaka Miyake KDDI R & D Laboratories Inc., 2-1-15,
More informationCONVENTIONAL EXECUTABLE SEMANTICS. Grigore Rosu CS522 Programming Language Semantics
CONVENTIONAL EXECUTABLE SEMANTICS Grigore Rosu CS522 Programming Language Semantics Conventional Semantic Approaches A language designer should understand the existing design approaches, techniques and
More information