MSR, a Framework for Security Protocols and their Meta-Theory
1 MSR, a Framework for Security Protocols and their Meta-Theory. Iliano Cervesato, iliano@itd.nrl.navy.mil, ITT Industries, NRL Washington DC. Dept. of Information Science, University of Tokyo, March 12th, 2001
2 Outline. I. Mis-specification languages. II. MSR: Overview; Typing; Access control; Execution; Properties; Example. III. The most powerful attacker: Dolev-Yao intruder
3 Part I: Mis-Specification Languages
4 Why is Protocol Analysis Difficult? Subtle cryptographic primitives; Dolev-Yao abstraction; Distributed hostile environment; Prudent engineering practice; Inadequate specification languages; the devil is in details
5 Dolev-Yao Abstraction. Symbolic data: no bit-strings. Perfect cryptography: no guessing of keys. Public knowledge soup: magic access to data
6 Languages to Specify What? Message flow; Message constituents; Operating environment; Protocol goals
7 Desirable Properties. Unambiguous. Simple. Flexible: adapts to protocol. Powerful: applies to a wide class of protocols. Insightful: gives insight about protocols
8 Usual Notation. A → B: {n_A, A}_{k_B}; B → A: {n_A, n_B}_{k_A}; A → B: {n_B}_{k_B}
9 How does it do? Flow: Expected run. Constituents: Side remarks. Environment: Side remarks. Goals: Side remarks. Unambiguous; Simple; Flexible; Powerful; Insightful
10 Strands (diagram). Messages: {n_A, A}_{k_B}; {n_A, n_B}_{k_A}; {n_B}_{k_B}, each shown twice
11 How do they do? Flow: Role-based. Constituents: Informal math. Environment: Side remarks. Goals: Side remarks. Unambiguous; Simple; Flexible; Powerful; Insightful
12 MSR 1.x - Initiator
  π_A0(A) → L_0(A), π_A0(A)
  L_0(A), π_A1(B) → ∃n_A. L_1(A,B,n_A), N({n_A,A}_{k_B}), π_A1(B)
  L_1(A,B,n_A), N({n_A,n_B}_{k_A}) → L_2(A,B,n_A,n_B)
  L_2(A,B,n_A,n_B) → L_3(A,B,n_A,n_B), N({n_B}_{k_B})
  where π_A0(A) = Pr(A), PrvK(A, k_A^{-1}) and π_A1(B) = Pr(B), PubK(B, k_B)
  Callouts: Nonce generation; Message transmission
13 MSR 1.x - Responder
  π_B0(B) → L_0(B), π_B0(B)
  L_0(A), π_B1(A), N({n_A,A}_{k_B}) → L_1(A,B,n_A), π_B1(A)
  L_1(A,B,n_A) → ∃n_B. L_2(A,B,n_A,n_B), N({n_A,n_B}_{k_A})
  L_2(A,B,n_A,n_B), N({n_B}_{k_B}) → L_3(A,B,n_A,n_B)
  where π_B0(B) = Pr(B), PrvK(B, k_B^{-1}) and π_B1(A) = Pr(A), PubK(A, k_A)
  Callouts: Role state predicate; Persistent info.
14 How did we do? Flow: Role-based. Constituents: Persistent info. Environment: In part. Goals. Unambiguous; Simple; Flexible; Powerful; Insightful
15 How will we do? Flow: Role-based. Constituents: Strong typing. Environment: In part. Goals. Unambiguous; Simple; Flexible; Powerful; Insightful
16 Part II: MSR
17 What's in MSR 2.0? Multiset rewriting with existentials; Dependent types w/ subsorting (new); Memory predicates (new); Constraints (new)
18 Terms. Atomic terms: Principal names (A); Keys (k); Nonces (n). Term constructors: ( ), {_}_, [_]_, {{_}}_. Definable
19 Rules: ∀x_1: τ_1. … ∀x_n: τ_n. lhs → ∃y_1: τ_1. … ∃y_n: τ_n. rhs
  lhs: N(t) Network; L(t, …, t) Local state; M_A(t, …, t) Memory; χ Constraints
  rhs: N(t) Network; L(t, …, t) Local state; M_A(t, …, t) Memory
20 Types of Terms. A: princ; n: nonce; k: shk A B; k: pubk A; k': privk k; (definable). Types can depend on term: Captures relations between objects; Subsumes persistent information (Static; Local; Mandatory)
21 Subtyping: τ :: msg. Allows atomic terms in messages. Definable: Non-transmittable terms; Sub-hierarchies
22 Role state predicates: L_l(A, t, …, t). Hold data local to a role instance; Lifespan = role. Invoke next rule: L_l = control; (A, t, …, t) = data
23 Memory Predicates (new): M_A(t, …, t). Hold private info. across role exec. Support for subprotocols: Communicate data; Pass control. Interface to outside system. Implements intruder
24 Constraints (new): χ. Guards over interpreted domain: Abstract; Modular. Invoke constraint handler. E.g.: timestamps (T_E = T_N + T_d), (T_N < T_E)
25 Type of predicates. Dependent sums: Σx: τ. τ; τ^(x) × τ. Forces associations among arguments. E.g.: princ^(A) × pubk A^(k_A) × privk k_A
26 Roles
  Generic roles: L: τ_1^(x_1) × … × τ_n^(x_n) (role state pred. var. declarations); rules ∀x:τ. lhs → ∃y:τ. rhs, …, ∀x:τ. lhs → ∃y:τ. rhs; role owner A
  Anchored roles: L: τ_1^(x_1) × … × τ_n^(x_n); rules ∀x:τ. lhs → ∃y:τ. rhs, …, ∀x:τ. lhs → ∃y:τ. rhs; role owner A
27 MSR 2.0 NS Initiator (role owner A)
  L: princ × princ^(B) × pubk B × nonce
  ∀B: princ, k_B: pubk B. → ∃n_A: nonce. L(A,B,k_B,n_A), N({n_A,A}_{k_B})
  ∀k_A: pubk A, k_A': privk k_A, n_A,n_B: nonce. L(A,B,k_B,n_A), N({n_A,n_B}_{k_A}) → N({n_B}_{k_B})
28 MSR 2.0 NS Responder (role owner B)
  L: princ^(B) × princ^(A) × pubk B^(k_B) × privk k_B × nonce × pubk A × nonce
  ∀k_B: pubk B, k_B': privk k_B, A: princ, n_A: nonce, k_A: pubk A. N({n_A,A}_{k_B}) → ∃n_B: nonce. L(…), N({n_A,n_B}_{k_A})
  ∀n_B: nonce. L(B,k_B,k_B',A,n_A,k_A,n_B), N({n_B}_{k_B}) →
29 Type Checking (new). Γ ⊢ t : τ (t has type τ in Γ). Σ ⊢ P (P is well-typed in Σ). Catches: Encryption with a nonce; Transmission of a long term key; Circular key hierarchies, … Static and dynamic uses. Decidable
30 Access Control (new). Γ A r (r is AC-valid for A in Γ). Σ P (P is AC-valid in Σ). Catches: A signing/encrypting with B's key; A accessing B's private data, … Fully static. Decidable. Gives meaning to Dolev-Yao intruder
31 Snapshots: C = [S]^R_Σ. R: Active role set. S: State, with N(t), L_l(t, …, t), M_A(t, …, t). Σ: Signature, with a : τ, L_l : τ, M_ : τ
32 Execution Model. 1-step firing: P C C. Activate roles: Generates new role state pred. names; Instantiate variables. Apply rules. Skips rules
33 Rule application. Rule: F, χ → ∃n:τ. G(n). Constraint check: Σ = χ (constraint handler). Firing: [S_1]^R_Σ → [S_2]^R_{Σ, c:τ}, where S_1 is S, F and S_2 is S, G(c), with c not in S_1
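The firing step of slides 32 and 33, run on the MSR 1.x Needham-Schroeder roles of slides 12 and 13, as an added Python example that is not from the slides or from any MSR implementation. It is untyped; the tuple encoding of facts, the `LA*`/`LB*` predicate names, the explicit `PubK`/`PrvK` lookups in each rule, the fixed schedule and the principals `alice` and `bob` are assumptions of this example.

```python
from collections import Counter
from itertools import count

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def match(pat, term, env):
    """Extend env so that pat instantiates to term; None if impossible."""
    if is_var(pat):
        if pat in env:
            return env if env[pat] == term else None
        return {**env, pat: term}
    if isinstance(pat, tuple):
        if not isinstance(term, tuple) or len(pat) != len(term):
            return None
        for p, t in zip(pat, term):
            env = match(p, t, env)
            if env is None:
                return None
        return env
    return env if pat == term else None

def subst(t, env):
    if is_var(t):
        return env[t]
    return tuple(subst(x, env) for x in t) if isinstance(t, tuple) else t

def match_lhs(pats, state, env):
    """Yield (env, consumed facts) for each way to match pats to distinct facts."""
    if not pats:
        yield env, []
        return
    for fact in state:
        e = match(pats[0], fact, env)
        if e is not None:
            for e2, used in match_lhs(pats[1:], state - Counter([fact]), e):
                yield e2, [fact] + used

def fire(rule, state, fresh, env=None):
    """One firing: S, lhs becomes S, rhs; None when the rule is not applicable."""
    lhs, new_vars, rhs = rule
    for e, used in match_lhs(lhs, state, env or {}):
        for v in new_vars:                  # existential: constant not in S1
            e = {**e, v: ("nonce", next(fresh))}
        return state - Counter(used) + Counter(subst(f, e) for f in rhs)
    return None

A, B, NA, NB = "?A", "?B", "?nA", "?nB"     # rule variables
def pub(p): return ("PubK", p, ("pk", p))   # persistent fact (assumed encoding)
def prv(p): return ("PrvK", p, ("sk", p))   # persistent fact (assumed encoding)
def net(owner, *parts):                     # N({parts}) under owner's public key
    return ("N", ("enc", ("pk", owner), parts))

# Each rule is (lhs, fresh variables, rhs); persistent facts appear on both sides.
INITIATOR = [
    ([("Pr", A), prv(A)], [], [("LA0", A), ("Pr", A), prv(A)]),
    ([("LA0", A), ("Pr", B), pub(B)], [NA],
     [("LA1", A, B, NA), net(B, NA, A), ("Pr", B), pub(B)]),
    ([("LA1", A, B, NA), net(A, NA, NB), prv(A)], [],
     [("LA2", A, B, NA, NB), prv(A)]),
    ([("LA2", A, B, NA, NB), pub(B)], [],
     [("LA3", A, B, NA, NB), net(B, NB), pub(B)]),
]
RESPONDER = [
    ([("Pr", B), prv(B)], [], [("LB0", B), ("Pr", B), prv(B)]),
    ([("LB0", B), ("Pr", A), pub(A), net(B, NA, A), prv(B)], [],
     [("LB1", A, B, NA), ("Pr", A), pub(A), prv(B)]),
    ([("LB1", A, B, NA), pub(A)], [NB],
     [("LB2", A, B, NA, NB), net(A, NA, NB), pub(A)]),
    ([("LB2", A, B, NA, NB), net(B, NB), prv(B)], [],
     [("LB3", A, B, NA, NB), prv(B)]),
]

def initial_state(principals):
    return Counter(f for p in principals for f in (("Pr", p), pub(p), prv(p)))

def run_ns(a="alice", b="bob"):
    """Interleave both roles to completion and return the final state."""
    state, fresh, who = initial_state([a, b]), count(), {A: a, B: b}
    I, R = INITIATOR, RESPONDER
    for rule in (I[0], R[0], I[1], R[1], R[2], I[2], I[3], R[3]):
        state = fire(rule, state, fresh, who)
        if state is None:
            raise RuntimeError("scheduled rule is not applicable")
    return state

if __name__ == "__main__":
    for fact in run_ns():
        print(fact)
```

The final state holds only the persistent facts and the two terminal role state predicates: every network fact has been consumed by the rule that receives it.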
34 Properties. Admissibility of parallel firing; Type preservation; Access control preservation; Completeness of Dolev-Yao intruder (new)
35 Completed Case-Studies. Full Needham-Schroeder public-key; Otway-Rees; Neuman-Stubblebine repeated auth.; OFT group key management; Dolev-Yao intruder
36 Part III: The Most Powerful Attacker
37 Execution with an Attacker: P, P_I C C. Selected principal(s): I. Generic capabilities: P_I. Well-typed; AC-valid. Modeled completely within MSR
38 The Dolev-Yao Intruder. Specific protocol suite P_DY. Underlies every protocol analysis tool. Completeness still unproved!!!
39 Capabilities of the D-Y Intruder. Intercept / emit messages; Split / form pairs; Decrypt / encrypt with known key; Look up public information; Generate fresh data
40 DY Intruder: Data access. M_I(t): Intruder knowledge. Rules (each with role owner I):
  ∀A: princ. → M_I(A)
  ∀A: princ, k: shk I A. → M_I(k)   (+ dual)
  ∀A: princ, k: pubk A. → M_I(k)
  ∀k: pubk I, k': privk k. → M_I(k')
  No nonces, no other keys, …
41 DY Intruder: Data Generation (rules with role owner I)
  Safe data: → ∃n: nonce. M_I(n); → ∃m: msg. M_I(m)
  Anything else? ∀A,B: princ. → ∃k: shk A B. M_I(k) ???
  It depends on the protocol!!! Automated generation?
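The capabilities on slide 39 and the data access and data generation rules of slides 40 and 41 amount to a closure computation over symbolic terms, which a protocol analyst can use to check whether a value stays secret. The following Python example is added here and is not from the slides or from an MSR tool; the tagged-tuple term encoding, the function names and the sample run are constructed for illustration, and keys are assumed to be atomic.

```python
from itertools import count

def inverse(k):
    """Key that opens what k locked: pk/sk are mutual inverses, shk is its own."""
    if k[0] == "pk":
        return ("sk", k[1])
    if k[0] == "sk":
        return ("pk", k[1])
    return k

def initial_knowledge(principals, intruder="I"):
    """Data access of slide 40: names, public keys, keys shared with I, I's private key."""
    known = {("sk", intruder)}
    for p in principals:
        known |= {("princ", p), ("pk", p)}
        if p != intruder:
            known |= {("shk", intruder, p), ("shk", p, intruder)}   # "+ dual"
    return known                      # no nonces, no other keys

def analyze(knowledge):
    """Close under splitting pairs and decrypting with a known (atomic) key."""
    known = set(knowledge)
    grew = True
    while grew:
        grew = False
        for t in list(known):
            if t[0] == "pair":
                parts = {t[1], t[2]}
            elif t[0] == "enc" and inverse(t[1]) in known:
                parts = {t[2]}
            else:
                continue
            if not parts <= known:
                known |= parts
                grew = True
    return known

def derivable(goal, knowledge):
    """True if goal can be built by forming pairs / encrypting from analyzed knowledge."""
    known = analyze(knowledge)
    def synth(t):
        if t in known:
            return True
        if t[0] in ("pair", "enc"):
            return synth(t[1]) and synth(t[2])
        return False
    return synth(goal)

def fresh_nonce(knowledge, counter):
    """Data generation of slide 41: a new nonce, stored in the intruder's memory."""
    n = ("nonce", f"i{next(counter)}")
    return n, knowledge | {n}

def pair(a, b): return ("pair", a, b)
def enc(k, body): return ("enc", k, body)

def observed_ns_run():
    """Constructed sample: the three NS messages of one A-B run seen on the network."""
    nA, nB = ("nonce", "nA"), ("nonce", "nB")
    return [enc(("pk", "B"), pair(nA, ("princ", "A"))),
            enc(("pk", "A"), pair(nA, nB)),
            enc(("pk", "B"), nB)]

def secrecy_report(secrets, knowledge):
    """Map each secret to True when the intruder can derive it."""
    return {s: derivable(s, knowledge) for s in secrets}

if __name__ == "__main__":
    know = initial_knowledge(["A", "B", "I"]) | set(observed_ns_run())
    secrets = [("nonce", "nA"), ("nonce", "nB"), ("sk", "B")]
    for s, exposed in secrecy_report(secrets, know).items():
        print(s, "derivable" if exposed else "secret")
```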
42 DY Intruder Stretches AC to Limit (diagram). Labels: AC-valid; Well-typed; Dolev-Yao intruder
43 Completeness of D-Y Intruder. If P [S]^R_Σ [S']^R_Σ with all well-typed and AC-valid, then P, P_DY [S]^R_Σ [S']^R_Σ
44 Encoding of P, S, Σ. P: Remove roles anchored on I. S: Map I's state / mem. pred. using M_I. Σ: Remove I's role state pred.; add M_I
45 Encoding of R. No encoding on structure of R: Lacks context! Encoding on AC-derivation for R: A :: Σ R. Associate roles from P_DY to each AC rule
46 Completeness proof. Induction on execution sequence: Simulate every step with P_DY. Rule application: Induction on AC-derivation for R; Every AC-derivation maps to execution sequence relative to P_DY. Rule instantiation: AC-derivations preserved; Encoding unchanged
47 Consequences. Justifies design of current tools. Support optimizations: D-Y intr. often too general/inefficient; Generic optimizations; Per protocol optimizations; Restrictive environments. Caps multi-intruder situations
48 Conclusions. Framework for specifying protocols: Precise; Flexible; Powerful. Provides: Type / AC checking; Sequential / parallel execution model; Insights about Dolev-Yao intruder
49 Future work. Experimentation: Clark-Jacob library; Fair-exchange protocols; More multicast. Pragmatics: Type-reconstruction; Operational execution model(s); Implementation. Automated specification techniques
Proofs of Correctness for Three Decentralized Authentication Protocols Using Strand Spaces Pavan Kumar Vankamamidi A thesis submitted to the faculty of Brigham Young University in partial fulfillment of
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics
More informationDigital Signatures. Secure Digest Functions
Digital Signatures Secure Digest Functions 8 requirements for one-way hash functions given M, H(M) is easy to compute given H(M), M is difficult to compute given M, it is difficult to find M such that
More informationAnalysis of Attacks to Multi-Protocols
Università degli Studi di Catania Corso di Laurea in Informatica Casimiro Greco Analysis of Attacks to Multi-Protocols mwsf05 Catania, 16 Dicembre 2005 The 2005 miniworkshop on 1 Security Frameworks INTRODUCTION
More informationUNIT - IV Cryptographic Hash Function 31.1
UNIT - IV Cryptographic Hash Function 31.1 31-11 SECURITY SERVICES Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service
More informationKey Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature
Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper
More informationTypes and Effects for Asymmetric Cryptographic Protocols
Types and ffects for ymmetric Cryptographic Protocols ndrew D. Gordon Microsoft Research Cambridge, UK lan Jeffrey DePaul University Chicago, IL, US bstract We present the first type and effect system
More informationAnalysis of an E-voting Protocol using the Inductive Method
Analysis of an E-voting Protocol using the Inductive Method Najmeh Miramirkhani 1, Hamid Reza Mahrooghi 1, Rasool Jalili 1 1 Sharif University of Technology,Tehran, Iran {miramirkhani@ce., mahrooghi@ce.,
More informationSecurity Handshake Pitfalls
Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr 1 Cryptographic Authentication Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response
More informationCS Protocols. Prof. Clarkson Spring 2016
CS 5430 Protocols Prof. Clarkson Spring 2016 Review: Secure channel When we last left off, we were building a secure channel The channel does not reveal anything about messages except for their timing
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 9 March 30, 2011 Question 1 Another Use for Hash Functions (8 min) The traditional Unix system for password authentication works more or less like
More informationAuthenticity by Typing for Security Protocols
Authenticity by Typing for Security Protocols Andrew D. Gordon Microsoft Research Alan Jeffrey DePaul University May 2001 Technical Report MSR TR 2001 49 Microsoft Research Microsoft Corporation One Microsoft
More informationMilawa an extensible proof checker
Milawa an extensible proof checker Jared Davis ACL2 Seminar, November 16, 2005 Outline The Milawa logic A primitive proof checker An extended proof checker Soundness of the extended checker A reflection
More informationAnalyzing a Library of Security Protocols using Casper and FDR
Analyzing a Library of Security Protocols using Casper and FDR Ben Donovan Paul Norris Gavin Lowe Department of Mathematics and Computer Science, University of Leicester, University Road, Leicester, LE1
More informationPassword-based authentication and key distribution protocols with perfect forward secrecy
Journal of Computer and System Sciences 72 (2006) 1002 1011 www.elsevier.com/locate/jcss Password-based authentication and key distribution protocols with perfect forward secrecy Hung-Min Sun a,, Her-Tyan
More informationStructured Attacks on Cryptographic Protocols. Karl Mahlburg Everett Bull, Advisor
Structured Attacks on Cryptographic Protocols by Karl Mahlburg Everett Bull, Advisor Advisor: Second Reader: (Francis Su) May 2001 Department of Mathematics Abstract Structured Attacks on Cryptographic
More informationNAVAL POSTGRADUATE SCHOOL
NAVAL POSTGRADUATE SCHOOL MONTEREY, CALIFORNIA THESIS PROBABILITY DISTRIBUTIONS OVER CRYPTOGRAPHIC PROTOCOLS by Stephanie J.C. Skaff June 2009 Thesis Advisor: Second Reader: Jonathan Herzog George Dinolt
More informationCS152: Programming Languages. Lecture 11 STLC Extensions and Related Topics. Dan Grossman Spring 2011
CS152: Programming Languages Lecture 11 STLC Extensions and Related Topics Dan Grossman Spring 2011 Review e ::= λx. e x e e c v ::= λx. e c τ ::= int τ τ Γ ::= Γ, x : τ (λx. e) v e[v/x] e 1 e 1 e 1 e
More informationIDENTIFYING POTENTIAL TYPE CONFUSION ATTACKS IN AUTHENTICATED MESSAGES
IDENTIFYING POTENTIAL TYPE CONFUSION ATTACKS IN AUTHENTICATED MESSAGES Catherine Meadows Code 5543 Center for High Assurance Computer Systems Naval Research Laboratory Washington, DC 20375 meadows@itd.nrl.navy.mil
More informationDesign and Analysis of Security Protocols
CS 395T Design and Analysis of Security Protocols Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs395t_fall04/ Course Logistics Lectures Monday, Wednesday 3:30-5pm Project presentations in the
More information