Verification of Security Protocols Part I. Fosad 2010
|
|
- Mildred Thomas
- 6 years ago
- Views:
Transcription
1 Verification of Security Protocols Part I Véronique Cortier 1 September, 2010 Fosad LORIA, CNRS 1/65 Véronique Cortier Verification of Security Protocols
2 Two parts : 1 Analysis of security protocols with symbolic models 2 More guarantees : Analysis of security protocols with computational models 2/65 Véronique Cortier Verification of Security Protocols
3 Context : cryptographic protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Cryptographic protocols are widely used in everyday life. They aim at securing communications over public or insecure networks. 3/65 Véronique Cortier Verification of Security Protocols
4 On the web Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example - HTTPS, i.e. the SSL protocol for ensuring confidentiality - password-based authentication 4/65 Véronique Cortier Verification of Security Protocols
5 Credit Card payment Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example It is a real card? Is the pin code protected? 5/65 Véronique Cortier Verification of Security Protocols
6 Pay-per-view devices Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Checks your identity You should be granted access to the movie only once You should not be able to broadcast the movie to other people 6/65 Véronique Cortier Verification of Security Protocols
7 Electronic voting Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example The result corresponds to the votes. Each vote is confidential. No partial result is leaked before the end of the election Only voters can vote and at most once Coercion resistance 7/65 Véronique Cortier Verification of Security Protocols
8 Electronic purse Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example It should not possible to add money without paying. It should not be possible to create fake electronic purse. 8/65 Véronique Cortier Verification of Security Protocols
9 Security goals Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Cryptographic protocols aim at preserving confidentiality of data (e.g. pin code, medical files,...) ensuring authenticity (Are you really talking to your bank??) ensuring anonymous communications (for e-voting protocols,...) protecting against repudiation (I never sent this message!!)... Cryptographic protocols vary depending on the application. 9/65 Véronique Cortier Verification of Security Protocols
10 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example How does this work? 10/65 Véronique Cortier Verification of Security Protocols
11 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example How does this work? A cryptographic protocol : Protocol describes how each participant should behave in order to get e.g. a common key. Cryptographic makes uses of cryptographic primitives (e.g. encryption, signatures, hashes,...) 10/65 Véronique Cortier Verification of Security Protocols
12 Credit Card payment Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example It is a real card? Is the pin code protected? 11/65 Véronique Cortier Verification of Security Protocols
13 Behavior in the usual case Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example The waiter introduces the credit card. The waiter enters the amount m of the transaction on the terminal. The terminal authenticates the card. The customer enters his secret code. If the amount m is greater than 100 euros (and in only 20% of the cases) The terminal asks the bank for authentication of the card. The bank provides authentication. 12/65 Véronique Cortier Verification of Security Protocols
14 More details Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example 4 actors : Bank, Customer, Card and Terminal. Bank owns a signing key K 1 B, secret, a verification key K B, public, a secret symmetric key for each credit card K CB, secret. Card owns Data : last name, first name, card s number, expiration date, Signature s Value VS = {hash(data)} K 1, B secret key K CB. Terminal owns the verification key K B for bank s signatures. 13/65 Véronique Cortier Verification of Security Protocols
15 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Credit card payment Protocol (in short) The terminal reads the card : 1. Ca T : Data, {hash(data)} K 1 B 14/65 Véronique Cortier Verification of Security Protocols
16 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Credit card payment Protocol (in short) The terminal reads the card : 1. Ca T : Data, {hash(data)} K 1 B The terminal asks for the secret code : 2. T Cu : secret code? 3. Cu Ca : Ca T : ok 14/65 Véronique Cortier Verification of Security Protocols
17 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Credit card payment Protocol (in short) The terminal reads the card : 1. Ca T : Data, {hash(data)} K 1 B The terminal asks for the secret code : 2. T Cu : secret code? 3. Cu Ca : Ca T : ok The terminal calls the bank : 5. T B : auth? 6. B T : N b 7. T Ca : N b 8. Ca T : {N b } KCB 9. T B : {N b } KCB 10. B T : ok 14/65 Véronique Cortier Verification of Security Protocols
18 Some flaws Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example The security was initially ensured by : But the cards were very difficult to reproduce, the protocol and the keys were secret. cryptographic flaw : 320 bits keys can be broken (1988), logical flaw : no link between the secret code and the authentication of the card, fake cards can be build. 15/65 Véronique Cortier Verification of Security Protocols
19 Some flaws Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example The security was initially ensured by : But the cards were very difficult to reproduce, the protocol and the keys were secret. cryptographic flaw : 320 bits keys can be broken (1988), logical flaw : no link between the secret code and the authentication of the card, fake cards can be build. YesCard build by Serge Humpich (1998 in France). 15/65 Véronique Cortier Verification of Security Protocols
20 How does the YesCard work? Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Logical flaw 1. Ca T : Data, {hash(data)} K 1 B 2. T Ca : secret code? 3. Cu Ca : Ca T : ok 16/65 Véronique Cortier Verification of Security Protocols
21 How does the YesCard work? Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Logical flaw 1. Ca T : Data, {hash(data)} K 1 B 2. T Ca : secret code? 3. Cu Ca : Ca T : ok 16/65 Véronique Cortier Verification of Security Protocols
22 How does the YesCard work? Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Logical flaw 1. Ca T : Data, {hash(data)} K 1 B 2. T Ca : secret code? 3. Cu Ca : Ca T : ok Remark : there is always somebody to debit. creation of a fake card 16/65 Véronique Cortier Verification of Security Protocols
23 How does the YesCard work? Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Logical flaw 1. Ca T : Data, {hash(data)} K 1 B 2. T Ca : secret code? 3. Cu Ca : Ca T : ok Remark : there is always somebody to debit. creation of a fake card 1. Ca T : XXX, {hash(xxx)} K 1 B 2. T Cu : secret code? 3. Cu Ca : Ca T : ok 16/65 Véronique Cortier Verification of Security Protocols
24 Commutative Symmetric encryption Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Symmetric encryption, denoted by {m} k Hello Alice clef Encryption Obawbhe Nyvpr clef Decryption Hello Alice The same key is used for encrypting and decrypting. Commutative (symmetric) encryption (e.g. RSA) {{m} k1 } k2 = {{m} k2 } k1 17/65 Véronique Cortier Verification of Security Protocols
25 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) {pin : 3443} kalice 18/65 Véronique Cortier Verification of Security Protocols
26 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) {pin : 3443} kalice j{pin : 3443} kalice ff k bob 18/65 Véronique Cortier Verification of Security Protocols
27 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) {pin : 3443} kalice j{pin : 3443} kalice ff k bob {pin : 3443} kbob } } Since {{pin : 3443} kalice {{pin : 3443} kbob k bob = k alice 18/65 Véronique Cortier Verification of Security Protocols
28 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) {pin : 3443} kalice j{pin : 3443} kalice ff k bob {pin : 3443} kbob It does not work! (Authentication problem) 18/65 Véronique Cortier Verification of Security Protocols
29 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) {pin : 3443} kalice j{pin : 3443} kalice ff k bob {pin : 3443} kbob It does not work! (Authentication problem) {pin : 3443} kalice j{pin : 3443} kalice ff k intruder {pin : 3443} kintruder 18/65 Véronique Cortier Verification of Security Protocols
30 Another example Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example The famous Needham-Schroeder public key protocol (and its associated Man-In-The-Middle Attack) 19/65 Véronique Cortier Verification of Security Protocols
31 Public key encryption Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Public key : pk(a) Encryption : {m} pk(a) Hello Alice public key Encryption Obawbhe Nyvpr private key Decryption Hello Alice Encryption with the public key and decryption with the private key. Invented only in the late 70 s! 20/65 Véronique Cortier Verification of Security Protocols
32 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A. N b Random number (called nonce) generated by B. A B : {A,N a } pub(b) B A : {N a,n b } pub(a) A B : {N b } pub(b) 21/65 Véronique Cortier Verification of Security Protocols
33 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A. N b Random number (called nonce) generated by B. A B : {A,N a } pub(b) B A : {N a,n b } pub(a) A B : {N b } pub(b) 21/65 Véronique Cortier Verification of Security Protocols
34 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A. N b Random number (called nonce) generated by B. A B : {A,N a } pub(b) B A : {N a,n b } pub(a) A B : {N b } pub(b) 21/65 Véronique Cortier Verification of Security Protocols
35 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A. N b Random number (called nonce) generated by B. A B : {A,N a } pub(b) B A : {N a,n b } pub(a) A B : {N b } pub(b) Questions : Is N b secret between A and B? When B receives {N b } pub(b), does this message really come from A? 21/65 Véronique Cortier Verification of Security Protocols
36 Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A. N b Random number (called nonce) generated by B. A B : {A,N a } pub(b) B A : {N a,n b } pub(a) A B : {N b } pub(b) Questions : Is N b secret between A and B? When B receives {N b } pub(b), does this message really come from A? An attack was discovered in 1994, 15 years after the publication of the protocol! 21/65 Véronique Cortier Verification of Security Protocols
37 Man in the middle attack Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example {A,N a} pub(p) {A,N a} pub(b) 22/65 Véronique Cortier Verification of Security Protocols
38 Man in the middle attack Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example {A,N a} pub(p) {A,N a} pub(b) { N a,n b } pub(a) { N a,n b } pub(a) 22/65 Véronique Cortier Verification of Security Protocols
39 Man in the middle attack Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example {A,N a} pub(p) {A,N a} pub(b) { N a,n b } pub(a) { N a,n b } pub(a) {N b } pub(p) {N b } pub(b) 22/65 Véronique Cortier Verification of Security Protocols
40 Man in the middle attack Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example {A,N a} pub(p) {A,N a} pub(b) {B,N a,n b } pub(a) {B,N a,n b } pub(a) {N b } pub(p) {N b } pub(b) Fixing the flaw : add the identity of B. 22/65 Véronique Cortier Verification of Security Protocols
41 Outline of the talk Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example 1 Introduction on security protocols Context Security Protocols : how does it work? Commutative encryption (RSA) Needham-Schroeder Example 2 Messages Intruder Protocol Solving constraint systems 3 Undecidability Horn clauses 23/65 Véronique Cortier Verification of Security Protocols
42 Difficulty Introduction on security protocols Messages Intruder Protocol Solving constraint systems Presence of an attacker may read every message sent on the net, may intercept and send new messages. The system is infinitely branching 24/65 Véronique Cortier Verification of Security Protocols
43 A first approach Introduction on security protocols Messages Intruder Protocol Solving constraint systems Why not modeling security protocol using a (possibly extended) automata? login name pw correct START VALIDATE CONNECTED restart restart pw wrong DELAY log pw wrong LOG ERROR 25/65 Véronique Cortier Verification of Security Protocols
44 How to model a security protocol? Messages Intruder Protocol Solving constraint systems login name pw correct START VALIDATE CONNECTED restart restart pw wrong DELAY LOG ERROR log pw wrong The output of each participants strongly depends on the data received inside the message. At each step, a malicious user (called the adversary) may create arbitrary messages. The output of the adversary strongly depends on the messages sent on the network. It is important to have a tight modeling of the messages. 26/65 Véronique Cortier Verification of Security Protocols
45 Messages Intruder Protocol Solving constraint systems An appropriate datastructure : Terms Given a signature F of symbols with an arity e.g. {enc, pair, a, b, c, n a, n b } and a set X of variables, the set of terms T(F, X) is inductively defined as follows : constants terms (e.g. a, b, c, n a, n b ) are terms variables are terms f (t 1,...,t n ) is a term whenever t 1,...,t n are terms. Intuition : from words to trees. There exists automata on trees instead of (classical) automata on words, see e.g. TATA http ://tata.gforge.inria.fr/ 27/65 Véronique Cortier Verification of Security Protocols
46 Messages Introduction on security protocols Messages Intruder Protocol Solving constraint systems Messages are abstracted by terms. Agents : a, b,... Nonces : n 1, n 2,... Keys : k 1, k 2,.. Cyphertext : enc(m, k) Concatenation : pair(m 1, m 2 ) Example : The message {A, N a } K is represented by : {} enc(pair(a, N a ), K) K A N a Intuition : only the structure of the message is kept. 28/65 Véronique Cortier Verification of Security Protocols
47 Intruder abilities Composition rules T u Introduction on security protocols T v T u, v T u T v T enc(u, v) Messages Intruder Protocol Solving constraint systems T u T v T enca(u, v) 29/65 Véronique Cortier Verification of Security Protocols
48 Intruder abilities Composition rules T u Introduction on security protocols T v T u, v T u T v T enc(u, v) Messages Intruder Protocol Solving constraint systems T u T v T enca(u, v) Decomposition rules u T T u T u, v T u T u, v T v T enc(u, v) T v T enca(u, pub(v)) T priv(v) T u T u 9/65 Véronique Cortier Verification of Security Protocols
49 Intruder abilities Introduction on security protocols Messages Intruder Protocol Solving constraint systems Composition rules T u T v T u T v T u T v T u, v T enc(u, v) T enca(u, v) Decomposition rules u T T u T u, v T u T u, v T v T enc(u, v) T v T enca(u, pub(v)) T priv(v) T u T u Deducibility relation A term u is deducible from a set of terms T, denoted by T u, if there exists a prooftree witnessing this fact. 9/65 Véronique Cortier Verification of Security Protocols
50 A simple protocol Introduction on security protocols Messages Intruder Protocol Solving constraint systems Bob, k Alice, enc(s, k) 30/65 Véronique Cortier Verification of Security Protocols
51 A simple protocol Introduction on security protocols Messages Intruder Protocol Solving constraint systems Bob, k Alice, enc(s, k) Question? Can the attacker learn the secret s? 30/65 Véronique Cortier Verification of Security Protocols
52 A simple protocol Introduction on security protocols Messages Intruder Protocol Solving constraint systems Bob, k Alice, enc(s, k) Answer : Of course, Yes! Alice, enc(s, k) enc(s, k) s Bob, k k 30/65 Véronique Cortier Verification of Security Protocols
53 Decision of the intruder problem Messages Intruder Protocol Solving constraint systems Given A set of messages S and a message m Question Can the intruder learn m from S that is S m? This problem is decidable in polynomial time. Exercise : (medium) Prove it. 31/65 Véronique Cortier Verification of Security Protocols
54 Decision of the intruder problem Messages Intruder Protocol Solving constraint systems Given A set of messages S and a message m Question Can the intruder learn m from S that is S m? This problem is decidable in polynomial time. Exercise : (medium) Prove it. Lemma (Locality) If there is a proof of S m then there is a proof that only uses the subterms of S and m. 31/65 Véronique Cortier Verification of Security Protocols
55 Protocol description Messages Intruder Protocol Solving constraint systems Protocol : A B : {pin} ka B A : {{pin} ka } kb A B : {pin} kb A protocol is a finite set of roles : role Π(1) corresponding to the 1 st participant played by a talking to b : k init a enc(pin, ka ) enc(x, k a ) x. 32/65 Véronique Cortier Verification of Security Protocols
56 Protocol description Messages Intruder Protocol Solving constraint systems Protocol : A B : {pin} ka B A : {{pin} ka } kb A B : {pin} kb A protocol is a finite set of roles : role Π(1) corresponding to the 1 st participant played by a talking to b : k init a enc(pin, ka ) enc(x, k a ) x. role Π(2) corresponding to the 2 nd participant played by b with a : k x b enc(x, kb ) enc(y, k b ) stop. 32/65 Véronique Cortier Verification of Security Protocols
57 Secrecy via constraint solving Messages Intruder Protocol Solving constraint systems [Millen et al] Constraint systems are used to specify secrecy preservation under a particular, finite scenario. Scenario rcv(u 1 ) N 1 snd(v 1 ) rcv(u 2 ) N 2 snd(v 2 )... rcv(u n ) Nn snd(v n ) Constraint System T 0 u 1 T C = 0, v 1 u 2... T 0, v 1,..,v n s where T 0 is the initial knowledge of the attacker. Remark : Constraint Systems may be used more generally for trace-based properties, e.g. authentication. 33/65 Véronique Cortier Verification of Security Protocols
58 Secrecy via constraint solving Messages Intruder Protocol Solving constraint systems [Millen et al] Constraint systems are used to specify secrecy preservation under a particular, finite scenario. Scenario rcv(u 1 ) N 1 snd(v 1 ) rcv(u 2 ) N 2 snd(v 2 )... rcv(u n ) Nn snd(v n ) Constraint System T 0 u 1 T C = 0, v 1 u 2... T 0, v 1,..,v n s where T 0 is the initial knowledge of the attacker. Solution of a constraint system A substitution σ such that for every T u C, uσ is deducible from Tσ, that is uσ Tσ. 33/65 Véronique Cortier Verification of Security Protocols
59 Example of a system constraint Messages Intruder Protocol Solving constraint systems A B : {pin} ka B A : {{pin} ka } kb A B : {pin} kb and the attacker initially knows T 0 = {init}. One possible associated constraint system is : {init} init C = {init, {pin} ka } {x} ka {init, {pin} ka, x} pin Is there a solution? 34/65 Véronique Cortier Verification of Security Protocols
60 Example of a system constraint Messages Intruder Protocol Solving constraint systems A B : {pin} ka B A : {{pin} ka } kb A B : {pin} kb and the attacker initially knows T 0 = {init}. One possible associated constraint system is : {init} init C = {init, {pin} ka } {x} ka {init, {pin} ka, x} pin Is there a solution? Of course yes, simply consider x = pin! 34/65 Véronique Cortier Verification of Security Protocols
61 Example of a system constraint Messages Intruder Protocol Solving constraint systems A B : {pin} ka B A : {{pin} ka } kb A B : {pin} kb and the attacker initially knows T 0 = {init}. One possible associated constraint system is : {init} init C = {init, {pin} ka } {x} ka {init, {pin} ka, x} pin Is there a solution? Of course yes, simply consider x = pin! Exercise : (easy) Propose the constraint system associated to the (non-corrected) Needham-Schroeder protocol (for a reasonable choice of sessions) and exhibit a solution. 4/65 Véronique Cortier Verification of Security Protocols
62 How to solve constraint system? Messages Intruder Protocol Solving constraint systems T 0 u 1 T Given C = 0, v 1 u 2... T 0, v 1,..,v n u n+1 Question Is there a solution σ of C? 5/65 Véronique Cortier Verification of Security Protocols
63 Messages Intruder Protocol Solving constraint systems An easy case : solved constraint systems General case T 0 u 1 T Given C = 0, v 1 u 2... T 0, v 1,..,v n u n+1 Question Is there a solution σ of C? 6/65 Véronique Cortier Verification of Security Protocols
64 Messages Intruder Protocol Solving constraint systems An easy case : solved constraint systems General case T 0 u 1 T Given C = 0, v 1 u 2... T 0, v 1,..,v n u n+1 Question Is there a solution σ of C? Solved constraint systems T 0 x 1 T Given C = 0, v 1 x 2... T 0, v 1,..,v n x n+1 Question Is there a solution σ of C? 6/65 Véronique Cortier Verification of Security Protocols
65 Messages Intruder Protocol Solving constraint systems An easy case : solved constraint systems General case T 0 u 1 T Given C = 0, v 1 u 2... T 0, v 1,..,v n u n+1 Question Is there a solution σ of C? Solved constraint systems T 0 x 1 T Given C = 0, v 1 x 2... T 0, v 1,..,v n x n+1 Question Is there a solution σ of C? Of course yes! 36/65 Consider e.g. σ(x ) = Véronique = σ(x Cortier) = Verification t T of. Security Protocols
66 Messages Intruder Protocol Solving constraint systems Decision procedure [Millen / Comon-Lundh] Goal : Transformation of the constraints in order to obtain a solved constraint system. 8 T >< 0 u 1 T C = 0, v 1 u 2... >: T 0, v 1,.., v n u n+1 C 1 C 2 C 3 C 4 SOLVED C has a solution iff C C with C in solved form. 37/65 Véronique Cortier Verification of Security Protocols
67 Transformation rules Messages Intruder Protocol Solving constraint systems R 1 : C T u C if T {x T x C, T T } u R 2 : C T u σ Cσ Tσ uσ u st(t) if σ = mgu(u, u ) R 3 : C T v σ Cσ Tσ vσ u, u st(t) if σ = mgu(u, u ) R 4 : C T u if var(t, u) = and T u R 5 : C T f (u, v) C T u T v for f {, enc} 38/65 Véronique Cortier Verification of Security Protocols
68 Intruder step Introduction on security protocols Messages Intruder Protocol Solving constraint systems The intruder can built messages R 5 : C T f (u, v) C T u T v for f {, enc} 39/65 Véronique Cortier Verification of Security Protocols
69 Intruder step Introduction on security protocols Messages Intruder Protocol Solving constraint systems The intruder can built messages R 5 : C T f (u, v) C T u T v for f {, enc} Example : a, k enc( x, y, k) a, k k a, k x, y 39/65 Véronique Cortier Verification of Security Protocols
70 Unsolvable constraints Messages Intruder Protocol Solving constraint systems R 4 : C T u if var(t, u) = and T u Example :... a, enc(s, k) s... 0/65 Véronique Cortier Verification of Security Protocols
71 Guessing equalities Introduction on security protocols Messages Intruder Protocol Solving constraint systems 1 Example : k, enc(enc(x, k ), k) enc(a, k ) R 2 : C T u σ Cσ Tσ uσ u st(t) if σ = mgu(u, u ), u, u X, u u 41/65 Véronique Cortier Verification of Security Protocols
72 Guessing equalities Introduction on security protocols Messages Intruder Protocol Solving constraint systems 1 Example : k, enc(enc(x, k ), k) enc(a, k ) R 2 : C T u σ Cσ Tσ uσ u st(t) if σ = mgu(u, u ), u, u X, u u 2 Example : enc(s, a, x ), enc( y, b, k), k s R 3 : C T v σ Cσ Tσ vσ u, u st(t) if σ = mgu(u, u ), u, u X, u u 41/65 Véronique Cortier Verification of Security Protocols
73 Eliminating redundancies Messages Intruder Protocol Solving constraint systems k x k, enc(s, x) s The constraint enc(s, x) s will be satisfied as soon as k x is satisfied. 42/65 Véronique Cortier Verification of Security Protocols
74 Eliminating redundancies Messages Intruder Protocol Solving constraint systems k x k, enc(s, x) s The constraint enc(s, x) s will be satisfied as soon as k x is satisfied. R 1 : C T u C if T {x T x C, T T } u 42/65 Véronique Cortier Verification of Security Protocols
75 Soundness and completeness Messages Intruder Protocol Solving constraint systems Theorem Soundness If C σ C and θ solution of C then σθ is a solution of C. Completeness If θ solution of C then there exists C, σ, θ such that C σ C, θ = σθ and θ is a solution of C. Termination is terminating in polynomial time in the size of C. 3/65 Véronique Cortier Verification of Security Protocols
76 Soundness and completeness Messages Intruder Protocol Solving constraint systems Theorem Soundness If C σ C and θ solution of C then σθ is a solution of C. Completeness If θ solution of C then there exists C, σ, θ such that C σ C, θ = σθ and θ is a solution of C. Termination is terminating in polynomial time in the size of C. Exercise (easy) : show correctness Exercise (easy) : show termination using the lexicographic order (number of var, size of C). What complexity do you get? (More involved) : show termination in polynomial time Full proofs in [TOCL 2010] 43/65 Véronique Cortier Verification of Security Protocols
77 Messages Intruder Protocol Solving constraint systems NP-procedure for solving constraint systems 8 T >< 0 u 1 T C = 0, v 1 u 2... >: T 0, v 1,.., v n u n+1 C 1 C 2 C 3 C 4 SOLVED Corollary Checking secrecy for a bounded number of sessions is NP. NP-hardness can be shown by encoding 3-SAT. 44/65 Véronique Cortier Verification of Security Protocols
78 Example of tool : Avispa Platform Messages Intruder Protocol Solving constraint systems Collaborators LORIA, France DIST, Italy ETHZ, Switzerland Siemens, Germany 5/65 Véronique Cortier Verification of Security Protocols
79 Undecidability Horn clauses Limitations of this approach? Are you ready to use any protocol verified with this technique? 46/65 Véronique Cortier Verification of Security Protocols
80 Undecidability Horn clauses Limitations of this approach? Are you ready to use any protocol verified with this technique? Only a finite scenario is checked. What happens if the protocol is used one more time? The underlying mathematical properties of the primitives are abstracted away. The specification of the protocol is analysed, but not its implementation. 46/65 Véronique Cortier Verification of Security Protocols
81 Undecidability Horn clauses How to decide security for unlimited sessions? In general, it is undecidable! (i.e. there exists no algorithm for checking e.g. secrecy) How to prove undecidability? 47/65 Véronique Cortier Verification of Security Protocols
82 Undecidability Horn clauses How to decide security for unlimited sessions? In general, it is undecidable! (i.e. there exists no algorithm for checking e.g. secrecy) How to prove undecidability? Post correspondence problem (PCP) input {(u i, v i )} 1 i n, u i, v i Σ output n, i 1,...,i n u i1 u in = v i1 v in Example : {(bab, b), (ab, aba), (a, baba)} Solution? 7/65 Véronique Cortier Verification of Security Protocols
83 Undecidability Horn clauses How to decide security for unlimited sessions? In general, it is undecidable! (i.e. there exists no algorithm for checking e.g. secrecy) How to prove undecidability? Post correspondence problem (PCP) input {(u i, v i )} 1 i n, u i, v i Σ output n, i 1,...,i n u i1 u in = v i1 v in Example : {(bab, b), (ab, aba), (a, baba)} Solution? Yes, 1,2,3,1. babababab babababab 47/65 Véronique Cortier Verification of Security Protocols
84 Undecidability Horn clauses How to encode PCP in protocols? Given {(u i, v i )} 1 i n, we construct the following protocol P : A B : { u 1, v 1 } Kab,...,{ u k, v k } Kab B : { x, y } Kab A : { x, u 1, y, v 1 } Kab, {s} { x,u1,x,u 1 } Kab,...,{ x, u k, y, v k } Kab, {s} { x,uk,x,u k } Kab where a 1 a 2 a n denotes the term a 1, a 2, a 3,...a n. 8/65 Véronique Cortier Verification of Security Protocols
85 Undecidability Horn clauses How to encode PCP in protocols? Given {(u i, v i )} 1 i n, we construct the following protocol P : A B : { u 1, v 1 } Kab,...,{ u k, v k } Kab B : { x, y } Kab A : { x, u 1, y, v 1 } Kab, {s} { x,u1,x,u 1 } Kab,...,{ x, u k, y, v k } Kab, {s} { x,uk,x,u k } Kab where a 1 a 2 a n denotes the term a 1, a 2, a 3,...a n. Then there is an attack on P iff there is a solution to the Post Correspondence Problem with entry {(u i, v i )} 1 i n. 48/65 Véronique Cortier Verification of Security Protocols
86 Undecidability Horn clauses How to circumvent undecidability? Find decidable subclasses of protocols. Design semi-decision procedure, that works in practice... 49/65 Véronique Cortier Verification of Security Protocols
87 Undecidability Horn clauses How to model an unbounded number of sessions? For any x, if the agent A receives enc(x, k a ) then A responds with x. Use of first-order logic. 50/65 Véronique Cortier Verification of Security Protocols
88 Intruder Introduction on security protocols Undecidability Horn clauses Horn clauses perfectly reflects the attacker symbolic manipulations on terms. I(x), I(y) I(< x, y >) pairing I(x), I(y) I({x} y ) encryption I({x} y ), I(y) I(x) decryption I(< x, y >) I(x) projection I(< x, y >) I(y) projection 51/65 Véronique Cortier Verification of Security Protocols
89 Protocol Introduction on security protocols Undecidability Horn clauses Protocol : A B : {pin} ka B A : {{pin} ka } kb A B : {pin} kb Horn clauses : I({pin} ka ) I(x) I({x} kb ) I({x} ka ) I(x) 52/65 Véronique Cortier Verification of Security Protocols
90 Protocol Introduction on security protocols Undecidability Horn clauses Protocol : A B : {pin} ka B A : {{pin} ka } kb A B : {pin} kb Horn clauses : I({pin} ka ) I(x) I({x} kb ) I({x} ka ) I(x) Secrecy property is a reachability (accessibility) property I(pin) Then there exists an attack iff the set of formula corresponding to Intruder manipulations + protocol + property is NOT satisfiable. 52/65 Véronique Cortier Verification of Security Protocols
91 Undecidability Horn clauses How to decide satisfiability? Resolution techniques 53/65 Véronique Cortier Verification of Security Protocols
92 Undecidability Horn clauses Some vocabulary First order logic Atoms P(t 1,...,t n ) where t i are terms, P is a predicate Literals P(t 1,...,t n ) or P(t 1,...,t n ) closed under,,,, Clauses : Only universal quantifiers Horn Clauses : at most one positive literal where A i, B are atoms. A 1,...,A n B 54/65 Véronique Cortier Verification of Security Protocols
93 Binary resolution Introduction on security protocols Undecidability Horn clauses A, B are atoms and C, D are clauses. An intuitive rule A C A C In other words A C A C 55/65 Véronique Cortier Verification of Security Protocols
94 Undecidability Horn clauses Binary resolution A, B are atoms and C, D are clauses. An intuitive rule A C A C In other words A C A C Generalizing A C B Cθ θ = mgu(a, B) (i.e. Aθ = Bθ) 5/65 Véronique Cortier Verification of Security Protocols
95 Undecidability Horn clauses Binary resolution A, B are atoms and C, D are clauses. An intuitive rule A C A C In other words A C A C Generalizing A C B Cθ Generalizing a bit more A C B D Cθ Dθ θ = mgu(a, B) θ = mgu(a, B) (i.e. Aθ = Bθ) Binary resolution 55/65 Véronique Cortier Verification of Security Protocols
96 Undecidability Horn clauses Binary resolution and Factorization A C B D θ = mgu(a, B) Cθ Dθ A B C θ = mgu(a, B) Aθ Cθ Binary resolution Factorisation Theorem (Soundness and Completeness) Binary resolution and factorisation are sound and refutationally complete, i.e. a set of clauses C is not satisfiable if and only if (the empty clause) can be obtained from C by binary resolution and factorisation. Exercise : Why do we need the factorisation rule? 56/65 Véronique Cortier Verification of Security Protocols
97 Example Introduction on security protocols Undecidability Horn clauses C = { I(s), I(k 1 ), I({s} k1,k 1 ), I({x} y ), I(y) I(x), I(x), I(y) I( x, y ) I(k 1) I(x), I(y) I( x, y ) I({s} k1,k 1 ) I({x} y), I(y) I(x) I(k 1) I(y) I( k 1, y ) I( k 1, k 1 ) s I( k 1, k 1 ) I(s) I(s) 57/65 Véronique Cortier Verification of Security Protocols
98 But it is not terminating! Undecidability Horn clauses I(s) I(x), I(y) I( x, y ) I(s) I(y) I( s, y ) I(y) I( s, y ) I( s, s ) I(y) I( s, y ) I( s, s, s ) I( s, s, s, s ) This does not yield any decidability result. 58/65 Véronique Cortier Verification of Security Protocols
99 Undecidability Horn clauses Ordered Binary resolution and Factorization Let < be any order on clauses. A C B D θ = mgu(a, B) Aθ Cθ Dθ Cθ Dθ A B C θ = mgu(a, B) Aθ Cθ Aθ Cθ Ordered binary resolution Ordered factorisation 59/65 Véronique Cortier Verification of Security Protocols
100 Undecidability Horn clauses Ordered Binary resolution and Factorization Let < be any order on clauses. A C B D θ = mgu(a, B) Aθ Cθ Dθ Cθ Dθ A B C θ = mgu(a, B) Aθ Cθ Aθ Cθ Ordered binary resolution Ordered factorisation Theorem (Soundness and Completeness) Ordered binary resolution and factorisation are sound and refutationally complete provided that < is liftable A, B, θ A < B Aθ < Bθ 59/65 Véronique Cortier Verification of Security Protocols
101 Examples of liftable orders Undecidability Horn clauses A, B, θ A < B Aθ < Bθ First example : subterm order P(t 1,...,t n ) < Q(u 1,...,u k ) iff any t i is a subterm of u 1,...,u k extended to clauses as follows : C 1 < C 2 iff any literal of C 1 is smaller than some literal of C 2. Exercise : Show that C is not satisfiable by ordered resolution (and factorisation). 60/65 Véronique Cortier Verification of Security Protocols
102 Undecidability Horn clauses Examples of liftable orders - continued Second example : P(t 1,...,t n ) Q(u 1,...,u k ) iff 1 depth(p(t 1,...,t n )) depth(q(u 1,...,u k )) 2 For any variable x, depth x (P(t 1,...,t n )) depth x (Q(u 1,...,u k )) f? f x f x h x f h y a h y 61/65 Véronique Cortier Verification of Security Protocols
103 Undecidability Horn clauses Examples of liftable orders - continued Second example : P(t 1,...,t n ) Q(u 1,...,u k ) iff 1 depth(p(t 1,...,t n )) depth(q(u 1,...,u k )) 2 For any variable x, depth x (P(t 1,...,t n )) depth x (Q(u 1,...,u k )) f f x f x h x f h y a h y 61/65 Véronique Cortier Verification of Security Protocols
104 Undecidability Horn clauses Examples of liftable orders - continued Second example : P(t 1,...,t n ) Q(u 1,...,u k ) iff 1 depth(p(t 1,...,t n )) depth(q(u 1,...,u k )) 2 For any variable x, depth x (P(t 1,...,t n )) depth x (Q(u 1,...,u k )) f f x f x h x f h y a h y Exercise : Show that A, B, θ A B Aθ Bθ 61/65 Véronique Cortier Verification of Security Protocols
105 Undecidability Horn clauses Back to protocols Intruder clauses are of the form ±I(f (x 1,...,x n )), ±I(x i ), ±I(x j ) Protocol clauses I({pin} ka ) I(x) I({x} kb ) I({x} ka ) I(x) At most one variable per clause! 62/65 Véronique Cortier Verification of Security Protocols
106 Undecidability Horn clauses Back to protocols Intruder clauses are of the form Protocol clauses ±I(f (x 1,...,x n )), ±I(x i ), ±I(x j ) I({pin} ka ) I(x) I({x} kb ) I({x} ka ) At most one variable per clause! I(x) Theorem Given a set C of clauses such that each clause of C either contains at most one variable or is of the form ±I(f (x 1,...,x n )), ±I(x i ), ±I(x j ) Then ordered ( ) binary resolution and factorisation is terminating. 62/65 Véronique Cortier Verification of Security Protocols
107 Undecidability Horn clauses Decidability for an unbounded number of sessions Corollary For any protocol that can be encoded with clauses of the previous form, then checking secrecy is decidable. But how to deal with protocols that need more than one variable per clause? 63/65 Véronique Cortier Verification of Security Protocols
108 ProVerif Introduction on security protocols Undecidability Horn clauses Developed by Bruno Blanchet, Paris, France. No restriction on the clauses Implements a sound semi-decision procedure (that may not terminate). Based on a resolution strategy well adapted to protocols. performs very well in practice! Works on most of existing protocols in the literature Is also used on industrial protocols (e.g. certified protocol, JFK, Plutus filesystem) 64/65 Véronique Cortier Verification of Security Protocols
109 Undecidability Horn clauses What formal methods allow to do? In general, secrecy preservation is undecidable. 65/65 Véronique Cortier Verification of Security Protocols
110 Undecidability Horn clauses What formal methods allow to do? In general, secrecy preservation is undecidable. For a bounded number of sessions, secrecy is co-np-complete [RusinowitchTuruani CSFW01] several tools for detecting attacks (Casper, Avispa platform... ) 65/65 Véronique Cortier Verification of Security Protocols
111 Undecidability Horn clauses What formal methods allow to do? In general, secrecy preservation is undecidable. For a bounded number of sessions, secrecy is co-np-complete [RusinowitchTuruani CSFW01] several tools for detecting attacks (Casper, Avispa platform... ) For an unbounded number of sessions for one-copy protocols, secrecy is DEXPTIME-complete [CortierComon RTA03] [SeildVerma LPAR04] for message-length bounded protocols, secrecy is DEXPTIME-complete [Durgin et al FMSP99] [Chevalier et al CSL03] some tools for proving security (ProVerif, EVA Platform) 65/65 Véronique Cortier Verification of Security Protocols
Verification of security protocols introduction
Verification of security protocols introduction Stéphanie Delaune CNRS & IRISA, Rennes, France Tuesday, November 14th, 2017 Cryptographic protocols everywhere! they aim at securing communications over
More informationComputer Networks & Security 2016/2017
Computer Networks & Security 2016/2017 Network Security Protocols (10) Dr. Tanir Ozcelebi Courtesy: Jerry den Hartog Courtesy: Kurose and Ross TU/e Computer Science Security and Embedded Networked Systems
More informationEncryption as an Abstract Datatype:
June 2003 1/18 Outline Encryption as an Abstract Datatype: an extended abstract Dale Miller INRIA/Futurs/Saclay and École polytechnique 1. Security protocols specified using multisets rewriting. 2. Eigenvariables
More informationModelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI This Course This course will primarily teaching you: How to design your own secure communication
More informationSecurity protocols and their verification. Mark Ryan University of Birmingham
Security protocols and their verification Mark Ryan University of Birmingham Contents 1. Authentication protocols (this lecture) 2. Electronic voting protocols 3. Fair exchange protocols 4. Digital cash
More informationModule: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign
More informationThe automatic security protocol verifier ProVerif
The automatic security protocol verifier ProVerif Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris June 2010 Bruno Blanchet (CNRS, ENS, INRIA) ProVerif June 2010 1 / 43 Introduction Many techniques
More informationAdvanced Cryptography 1st Semester Symmetric Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 22th 2007 1 / 58 Last Time (I) Security Notions Cyclic Groups Hard Problems One-way IND-CPA,
More informationA Short SPAN+AVISPA Tutorial
A Short SPAN+AVISPA Tutorial Thomas Genet IRISA/Université de Rennes 1 genet@irisa.fr November 6, 2015 Abstract The objective of this short tutorial is to show how to use SPAN to understand and debug HLPSL
More informationCS 395T. Analyzing SET with Inductive Method
CS 395T Analyzing SET with Inductive Method Theorem Proving for Protocol Analysis Prove correctness instead of looking for bugs Use higher-order logic to reason about all possible protocol executions No
More informationSecurity protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i
Security protocols Logical representation and analysis of protocols.i A security protocol is a set of rules, adhered to by the communication parties in order to ensure achieving various security or privacy
More informationProtocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh
Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols
More informationLecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight
More informationCS 395T. Symbolic Constraint Solving
CS 395T Symbolic Constraint Solving Overview Strand space model Protocol analysis with unbounded attacker Parametric strands Symbolic attack traces Protocol analysis via constraint solving SRI constraint
More informationOverview. Symbolic Protocol Analysis. Protocol Analysis Techniques. Obtaining a Finite Model. Decidable Protocol Analysis. Strand Space Model
CS 259 Overview Symbolic Protocol Analysis Vitaly Shmatikov Strand space model Protocol analysis with unbounded attacker Parametric strands Symbolic attack traces Protocol analysis via constraint solving
More informationSecurity Protocol Verification: Symbolic and Computational Models
Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, École Normale Supérieure, CNRS Bruno.Blanchet@ens.fr March 2012 Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012
More informationCombined CPV-TLV Security Protocol Verifier
Combined CPV-TLV Security Protocol Verifier by Ariel Cohen Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science Department of Computer Science Courant Institute
More informationHello World in HLPSL. Turning ASCII protocol specifications into HLPSL
Hello World in HLPSL Turning ASCII protocol specifications into HLPSL Modeling with HLPSL HLPSL is a higher-level protocol specification language we can transform ASCII protocol specifications into HLPSL
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationLecture 1: Perfect Security
CS 290G (Fall 2014) Introduction to Cryptography Oct 2nd, 2014 Instructor: Rachel Lin 1 Recap Lecture 1: Perfect Security Scribe: John Retterer-Moore Last class, we introduced modern cryptography and gave
More informationSecurity Handshake Pitfalls
Security Handshake Pitfalls 1 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: Authenticate each other Establish sessions keys This process may
More informationA Short SPAN+AVISPA Tutorial
A Short SPAN+AVISPA Tutorial Thomas Genet To cite this version: Thomas Genet. A Short SPAN+AVISPA Tutorial. [Research Report] IRISA. 2015. HAL Id: hal-01213074 https://hal.inria.fr/hal-01213074v1
More informationApplied Cryptography and Computer Security CSE 664 Spring 2017
Applied Cryptography and Computer Security Lecture 18: Key Distribution and Agreement Department of Computer Science and Engineering University at Buffalo 1 Key Distribution Mechanisms Secret-key encryption
More informationCryptographic Protocols 1
Cryptographic Protocols 1 Luke Anderson luke@lukeanderson.com.au 5 th May 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Problem with Diffie-Hellman 2.1 Session Hijacking 2.2 Encrypted Key Exchange
More informationCS5232 Formal Specification and Design Techniques. Using PAT to verify the Needham-Schroeder Public Key Protocol
CS5232 Formal Specification and Design Techniques Using PAT to verify the Needham-Schroeder Public Key Protocol Semester 2, AY 2008/2009 1/37 Table of Contents 1. Project Introduction 3 2. Building the
More informationIntroduction to Security
Introduction to Security Avinanta Tarigan Universitas Gunadarma 1 Avinanta Tarigan Introduction to Security Layout Problems General Security Cryptography & Protocol reviewed 2 Avinanta Tarigan Introduction
More informationWhat did we talk about last time? Public key cryptography A little number theory
Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationCS 395T. JFK Protocol in Applied Pi Calculus
CS 395T JFK Protocol in Applied Pi Calculus Proving Security Real protocol Process-calculus specification of the actual protocol Ideal protocol Achieves the same goal as the real protocol, but is secure
More informationLecture 15: Cryptographic algorithms
06-06798 Distributed Systems Lecture 15: Cryptographic algorithms 22 March, 2002 1 Overview Cryptographic algorithms symmetric: TEA asymmetric: RSA Digital signatures digital signatures with public key
More informationThe Scyther Tool: Verification, Falsification, and Analysis of Security Protocols
The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols Tool Paper Cas J.F. Cremers Department of Computer Science, ETH Zurich, 8092 Zurich, Switzerland cas.cremers@inf.ethz.ch
More informationKey Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature
Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper
More informationSecurity: Focus of Control. Authentication
Security: Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized
More informationAnalysis Techniques. Protocol Verification by the Inductive Method. Analysis using theorem proving. Recall: protocol state space.
CS 259 Protocol Verification by the Inductive Method Analysis Techniques Crypto Protocol Analysis Formal Models Dolev-Yao (perfect cryptography) Computational Models John Mitchell Modal Logics Model Checking
More informationVerifying Security Protocols with Brutus
Verifying Security Protocols with Brutus E.M. CLARKE Carnegie Mellon University S. JHA University of Wisconsin and W. MARRERO DePaul University Due to the rapid growth of the Internet and the World Wide
More informationUNIT - IV Cryptographic Hash Function 31.1
UNIT - IV Cryptographic Hash Function 31.1 31-11 SECURITY SERVICES Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service
More informationNetwork Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions
CHAPTER 3 Network Security Solutions to Review Questions and Exercises Review Questions. A nonce is a large random number that is used only once to help distinguish a fresh authentication request from
More informationAnalysis of an E-voting Protocol using the Inductive Method
Analysis of an E-voting Protocol using the Inductive Method Najmeh Miramirkhani 1, Hamid Reza Mahrooghi 1, Rasool Jalili 1 1 Sharif University of Technology,Tehran, Iran {miramirkhani@ce., mahrooghi@ce.,
More informationFormal Methods for Security Protocols
Role of Temur.Kutsia@risc.uni-linz.ac.at Formal Methods Seminar January 26, 2005 Role of Outline 1 Role of 2 Security Properties Attacker Models Keys Symmetric and Asymmetric Systems 3 Notation and Examples
More information0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken
0/41 Alice Who? Authentication Protocols Andreas Zeller/Stephan Neuhaus Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken The Menu 1/41 Simple Authentication Protocols The Menu 1/41 Simple
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationDigital Signatures. Secure Digest Functions
Digital Signatures Secure Digest Functions 8 requirements for one-way hash functions given M, H(M) is easy to compute given H(M), M is difficult to compute given M, it is difficult to find M such that
More informationOutline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication
Outline Security Handshake Pitfalls (Chapter 11 & 12.2) Login Only Authentication (One Way) Login i w/ Shared Secret One-way Public Key Lamport s Hash Mutual Authentication Shared Secret Public Keys Timestamps
More informationCryptography (Overview)
Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography
More informationA Derivation System for Security Protocols and its Logical Formalization
A Derivation System for Security Protocols and its Logical Formalization Anupam Datta Ante Derek John C. Mitchell Dusko Pavlovic Stanford University CSFW July 1, 2003 Kestrel Institute Contributions Protocol
More informationDigital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)
Message Authentication Code (MAC) Key-dependent one-way hash function Only someone with a correct key can verify the hash value Easy way to turn one-way hash function into MAC is to encrypt hash value
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Midterm 2 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be
More informationFormal Methods for Assuring Security of Computer Networks
for Assuring of Computer Networks May 8, 2012 Outline Testing 1 Testing 2 Tools for formal methods Model based software development 3 Principals of security Key security properties Assessing security protocols
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationMechanized Proofs for a Recursive Authentication Protocol
Recursive Authentication Protocol 1 L. C. Paulson Mechanized Proofs for a Recursive Authentication Protocol Lawrence C. Paulson Computer Laboratory University of Cambridge Recursive Authentication Protocol
More informationElements of Security
Elements of Security Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: April 8, 2015 at 12:47 Slideset 7: 1 Car Talk Puzzler You have a friend in a police state
More informationNEW FUNCTIONS FOR SECRECY ON REAL PROTOCOLS
NEW FUNCTIONS FOR SECRECY ON REAL PROTOCOLS Jaouhar Fattahi 1 and Mohamed Mejri 1 and Hanane Houmani 2 1 LSI Group, Laval University, Quebec, Canada 2 University Hassan II, Morocco ABSTRACT In this paper,
More informationProviding solutions for more secure exchanges
Providing solutions for more secure exchanges Stéphanie Delaune November 20, 2012 Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 1 / 44 Cryptographic protocols Cryptographic protocols
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationOutline More Security Protocols CS 239 Computer Security February 4, 2004
Outline More Security Protocols CS 239 Computer Security February 4, 2004 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationDesign and Analysis of Security Protocols
CS 395T Design and Analysis of Security Protocols Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs395t_fall04/ Course Logistics Lectures Monday, Wednesday 3:30-5pm Project presentations in the
More informationOutline More Security Protocols CS 239 Computer Security February 6, 2006
Outline More Security Protocols CS 239 Computer Security February 6, 2006 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationCryptographically Sound Security Proofs for Basic and Public-key Kerberos
Cryptographically Sound Security Proofs for Basic and Public-key Kerberos ESORICS 2006 M. Backes 1, I. Cervesato 2, A. D. Jaggard 3, A. Scedrov 4, and J.-K. Tsay 4 1 Saarland University, 2 Carnegie Mellon
More informationGrenzen der Kryptographie
Microsoft Research Grenzen der Kryptographie Dieter Gollmann Microsoft Research 1 Summary Crypto does not solve security problems Crypto transforms security problems Typically, the new problems relate
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationSymmetric Encryption
Symmetric Encryption Ahmed Y. Banihammd & Ihsan, ALTUNDAG Mon November 5, 2007 Advanced Cryptography 1st Semester 2007-2008 University Joseph Fourrier, Verimag Master Of Information Security And Coding
More informationStructured Attacks on Cryptographic Protocols. Karl Mahlburg Everett Bull, Advisor
Structured Attacks on Cryptographic Protocols by Karl Mahlburg Everett Bull, Advisor Advisor: Second Reader: (Francis Su) May 2001 Department of Mathematics Abstract Structured Attacks on Cryptographic
More informationApplied Cryptography Basic Protocols
Applied Cryptography Basic Protocols Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 Session keys It is prudent practice to use a different key for each session. This
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics
More informationLogic of Authentication
Logic of Authentication Dennis Kafura Derived from materials authored by: Burrows, Abadi, Needham 1 Goals and Scope Goals develop a formalism to reason about authentication protocols uses determine guarantees
More informationCS3235 Seventh set of lecture slides
CS3235 Seventh set of lecture slides Hugh Anderson National University of Singapore School of Computing October, 2007 Hugh Anderson CS3235 Seventh set of lecture slides 1 Warp 9... Outline 1 Public Key
More informationSecurity and Anonymity
Security and Anonymity Distributed Systems need a network to send messages. Any message you send in a network can be looked at by any router or machine it goes through. Further if your machine is on the
More informationNetwork Security (NetSec)
Chair of Network Architectures and Services Department of Informatics Technical University of Munich Network Security (NetSec) IN2101 WS 16/17 Prof. Dr.-Ing. Georg Carle Dr. Heiko Niedermayer Cornelius
More informationRefining Computationally Sound Mech. Proofs for Kerberos
Refining Computationally Sound Mechanized Proofs for Kerberos Bruno Blanchet Aaron D. Jaggard Jesse Rao Andre Scedrov Joe-Kai Tsay 07 October 2009 Protocol exchange Meeting Partially supported by ANR,
More informationChapter 10 : Private-Key Management and the Public-Key Revolution
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 10 : Private-Key Management and the Public-Key Revolution 1 Chapter 10 Private-Key Management
More informationProviding solutions for more secure exchanges
Providing solutions for more secure exchanges Stéphanie Delaune November 15, 2011 Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 1 / 50 Cryptographic protocols Cryptographic protocols
More informationLecture 1: Course Introduction
Lecture 1: Course Introduction Thomas Johansson T. Johansson (Lund University) 1 / 37 Chapter 9: Symmetric Key Distribution To understand the problems associated with managing and distributing secret keys.
More informationBAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]
Logic of Authentication 1. BAN Logic Ravi Sandhu BAN Logic BAN is a logic of belief. In an analysis, the protocol is first idealized into messages containing assertions, then assumptions are stated, and
More informationCryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44
Cryptography Today Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 About the Course Regular classes with worksheets so you can work with some concrete examples (every Friday at 1pm).
More informationSecurity Protocol Verification: Symbolic and Computational Models
Security Protocol Verification: Symbolic and Computational Models INRIA, Bruno Blanchet École Normale Supérieure, CNRS, Paris blanchet@di.ens.fr Abstract. Security protocol verification has been a very
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Discussion 5 Week of February 19, 2017 Question 1 Diffie Hellman key exchange (15 min) Recall that in a Diffie-Hellman key exchange, there are values
More informationVerifying Real-World Security Protocols from finding attacks to proving security theorems
Verifying Real-World Security Protocols from finding attacks to proving security theorems Karthik Bhargavan http://prosecco.inria.fr + many co-authors at INRIA, Microsoft Research, Formal security analysis
More informationSpecifying Authentication Protocols Using Rewriting and Strategies
Specifying Authentication Protocols Using Rewriting and Strategies Horatiu Cirstea LORIA and INRIA Campus Scientifique, BP 239 54506 Vandoeuvre-lès-Nancy, France Horatiu.Cirstea@loria.fr Abstract. Programming
More informationSEMINAR REPORT ON BAN LOGIC
SEMINAR REPORT ON BAN LOGIC Submitted by Name : Abhijeet Chatarjee Roll No.: 14IT60R11 SCHOOL OF INFORMATION TECHNOLOGY INDIAN INSTITUTE OF TECHNOLOGY, KHARAGPUR-721302 (INDIA) Abstract: Authentication
More informationSecurity: Focus of Control
Security: Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized
More informationLecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005
Lecture 30 Security April 11, 2005 Cryptography K A ciphertext Figure 7.3 goes here K B symmetric-key crypto: sender, receiver keys identical public-key crypto: encrypt key public, decrypt key secret Symmetric
More informationUnit-VI. User Authentication Mechanisms.
Unit-VI User Authentication Mechanisms Authentication is the first step in any cryptographic solution Authentication can be defined as determining an identity to the required level of assurance Passwords
More informationThe AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications
The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications Alessandro Armando AI-Lab, DIST, Università di Genova Università di Genova INRIA-Lorraine ETH Zurich Siemens
More informationLecture Note 6 Date:
P.Lafourcade Lecture Note 6 Date: 18.10.2010 Security models 1st Semester 2010/2011 Jeremy BRUN-NOUVION Hicham HOSSAYNI Contents 1 Logical Attacks 3 1.1 Perfect Encryption Hypothesis.............................
More informationCS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:
50fb6be35f4c3105 9d4ed08fb86d8887 b746c452a9c9443b 15b22f450c76218e CS 470 Spring 2017 9df7031cdbff9d10 b700a92855f16328 5b757e66d2131841 62fedd7d9131e42e Mike Lam, Professor Security a.k.a. Why on earth
More informationSymbolic Cryptographic Protocol Analysis I
Symbolic Cryptographic Protocol Analysis I Jonathan K. Millen The MITRE Corporation August 2007 The author s affiliation with The MITRE Corporation is provided for identification purposes only, and is
More informationFinal Exam 90 minutes Date: TOTAL: 90 points
F.Autreau J. Dreier P.Lafourcade Y. Lakhnech JL. Roch Final Exam 90 minutes Date: 13.12.2012 TOTAL: 90 points Security models 1st Semester 2012/2013 J. Dreier P. Lafourcade Y. Lakhnech Notice: the number
More informationA Remote Biometric Authentication Protocol for Online Banking
International Journal of Electrical Energy, Vol. 1, No. 4, December 2013 A Remote Biometric Authentication Protocol for Online Banking Anongporn Salaiwarakul Department of Computer Science and Information
More informationLecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Cryptography is the study/practice of techniques for secure communication,
More informationLecture 19: cryptographic algorithms
Lecture 19: cryptographic algorithms Operating Systems and Networks Behzad Bordbar School of Computer Science, University of Birmingham, UK 179 Overview Cryptographic algorithms symmetric: TEA asymmetric:
More informationIntruder Deductions, Constraint Solving and Insecurity Decision in Presence of Exclusive or
Intruder Deductions, Constraint Solving and Insecurity Decision in Presence of Exclusive or H Comon-Lundh LSV, INRIA and ENS Cachan 61 Avenue du Président Wilson 94235 Cachan cedex France HubertComon@lsvens-cachanfr
More informationUnderstanding Cryptography by Christof Paar and Jan Pelzl. Chapter 9 Elliptic Curve Cryptography
Understanding Cryptography by Christof Paar and Jan Pelzl www.crypto-textbook.com Chapter 9 Elliptic Curve Cryptography ver. February 2nd, 2015 These slides were prepared by Tim Güneysu, Christof Paar
More informationSecurity: Cryptography
Security: Cryptography Computer Science and Engineering College of Engineering The Ohio State University Lecture 38 Some High-Level Goals Confidentiality Non-authorized users have limited access Integrity
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More information1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class
1.264 Lecture 27 Security protocols Symmetric cryptography Next class: Anderson chapter 10. Exercise due after class 1 Exercise: hotel keys What is the protocol? What attacks are possible? Copy Cut and
More informationAnalysis of Verification Tools for Security Protocols
Analysis of Verification Tools for Security Protocols Sergey Reznick, Igor Kotenko Computer Security Research Group, St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationFoundations of AI. 9. Predicate Logic. Syntax and Semantics, Normal Forms, Herbrand Expansion, Resolution
Foundations of AI 9. Predicate Logic Syntax and Semantics, Normal Forms, Herbrand Expansion, Resolution Wolfram Burgard, Andreas Karwath, Bernhard Nebel, and Martin Riedmiller 09/1 Contents Motivation
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More information