Design and Analysis of Protocols The Spyce Way

Similar documents
Software Quality and Infrastructure Protection for Diffuse Computing

Specifying Kerberos 5 Cross-Realm Authentication

Cryptographically Sound Security Proofs for Basic and Public-key Kerberos

Computationally Sound Mechanized Proof of PKINIT for Kerberos

Refining Computationally Sound Mech. Proofs for Kerberos

Formal Methods and Cryptography

Security protocols. Correctness of protocols. Correctness of protocols. II. Logical representation and analysis of protocols.i

Security Analysis of Network Protocols. John Mitchell Stanford University

Outline More Security Protocols CS 239 Computer Security February 4, 2004

Games and the Impossibility of Realizable Ideal Functionality

Analysis Techniques. Protocol Verification by the Inductive Method. Analysis using theorem proving. Recall: protocol state space.

Inductive Trace Properties for Computational Security

Presented by Jack G. Nestell. Topics for Discussion. I. Introduction. Discussion on the different logics and methods of reasonings of Formal Methods

Outline More Security Protocols CS 239 Computer Security February 6, 2006

Report on DIMACS Workshop on Security Analysis of Protocols

A Derivation System for Security Protocols and its Logical Formalization

Game Analysis of Abuse-free Contract Signing

How Formal Analysis and Verification Add Security to Blockchain-based Systems

Breaking and Fixing Public-Key Kerberos

Outline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange

Overview. Game-Based Verification of Fair Exchange Protocols. The Problem of Fair Exchange. Game-Theoretic Model. Protocol as a Game Tree

A Derivation System for Security Protocols and its Logical Formalization

Mechanising BAN Kerberos by the Inductive Method

Contract Signing, Optimism, and Advantage?

Game Analysis of Abuse-free Contract Signing

Encryption as an Abstract Datatype:

CS 395T. Analyzing SET with Inductive Method

Security protocols and their verification. Mark Ryan University of Birmingham

An Executable Model for JFKr

Analysis of an E-voting Protocol using the Inductive Method

Formal Verification of e-reputation Protocols 1

Inductive Proofs of Computational Secrecy

Extensions of BAN. Overview. BAN Logic by Heather Goldsby Michelle Pirtle

Proofs for Key Establishment Protocols

Design and Analysis of Security Protocols

Combined CPV-TLV Security Protocol Verifier

Secure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)

Distributed Mechanism Design and Computer Security

Software Quality and Infrastructure Protection for Diffuse Computing

Breaking and Fixing Public-Key Kerberos

Secure Multi-Party Computation Without Agreement

Secure Reactive Systems, Day 3: Reactive Simulatability Property Preservation and Crypto. Examples

IND-CCA2 secure cryptosystems, Dan Bogdanov

Formal Methods for Assuring Security of Computer Networks

Security Protocol Verification: Symbolic and Computational Models

Lecture 8 - Message Authentication Codes

1 A Tale of Two Lovers

Analysis of EAP-GPSK Authentication Protocol

Crypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))

The NRL Protocol Analyzer. Outline. Motivations. Motivations

Principles of Security Part 4: Authentication protocols Sections 1 and 2

Security and Composition of Cryptographic Protocols: A tutorial. Ran Canetti Tel Aviv University

Fair Exchange Protocols

From Crypto to Code. Greg Morrisett

Maude Implementation of MSR

Robbing the Bank with a Theorem Prover

Rational Oblivious Transfer

NEW FUNCTIONS FOR SECRECY ON REAL PROTOCOLS

Introduction to Secure Multi-Party Computation

Introduction to Secure Multi-Party Computation

A ROLE-BASED SPECIFICATION OF THE SET PAYMENT TRANSACTION PROTOCOL

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Computer Networks & Security 2016/2017

Authenticity by Typing for Security Protocols

Secure Multi-Party Computation. Lecture 13

Lecture 4: Authentication Protocols

2 What does it mean that a crypto system is secure?

Secure Multiparty Computation

Crypto Background & Concepts SGX Software Attestation

CS 395T. Formal Model for Secure Key Exchange

Notes for Lecture 24

SEMINAR REPORT ON BAN LOGIC

Inductive Trace Properties for Computational Security

A Meta-notation for Protocol Analysis

A Remote Biometric Authentication Protocol for Online Banking

Formal Methods for Cryptographic Protocol Analysis: Emerging Issues and Trends

Securing services running over untrusted clouds : the two-tiered trust model

Symbolic Cryptographic Protocol Analysis I

Secrecy Analysis in Protocol Composition Logic

Lecture 10, Zero Knowledge Proofs, Secure Computation

MODELING ADVERSARIES IN A LOGIC FOR SECURITY PROTOCOL ANALYSIS

CSE 127: Computer Security. Security Concepts. Kirill Levchenko

Module: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

A Cryptographically Sound Security Proof of the Needham-Schroeder-Lowe Public-Key Protocol

Mobile and Ubiquitous Computing

Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority

Group Key Establishment Protocols

Automated Verification of Security Protocol Implementations. Sagar Chaki and Anupam Datta. January 30, 2008 CMU-CyLab

The automatic security protocol verifier ProVerif

Introduction to Security

Course Curriculum for Master Degree in Network Engineering and Security

Bounded-Concurrent Secure Multi-Party Computation with a Dishonest Majority

Plaintext Awareness via Key Registration

Formal Analysis of Chaumian Mix Nets with Randomized Partial Checking

Fairness Versus Guaranteed Output Delivery in Secure Multiparty Computation

Extending and Applying a Framework for the Cryptographic Verification of Java Programs

MTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems

Verification of Security Protocols

Cryptographic protocols

Low-level Ideal Signatures and General Integrity Idealization

Transcription:

FY2001 ONR CIP/SW URI Software Quality and Infrastructure Protection for Diffuse Computing Design and Analysis of Protocols The Spyce Way Speaker: Joe Halpern (Cornell)

Smart devices diffuse into the environment. SPYCE Objective: Scalable Distributed Assurance Room 40s Desktop 80s Wearable 90s with control and assurance Pervasive 00s Develop fundamental understanding, models, algorithms, and network testbed, in order to reduce cost, improve performance, and provide higher reliability for networked operations across untrusted networks. Incentives, Privacy, and Anonymity Protocol Design and Analysis Network Architecture Trust Management

Distributed assurance requires good protocols good ways of verifying that they do what they re supposed to good ways of describing, analyzing, and specifying them This can be hard!

Why Specifying Security Is Hard Standard programming languages approach: Protocol = set of traces/executions/runs That s the SPYCE view too But security protocols have special twists: Need to think about possible intruders, and what they can do What is a fresh message (nonce)? What is a fair protocol? What is anonymity?

Once we know how to describe/specify protocols, we can prove specific protocols correct develop a deeper understanding of what makes things hard/easy build tools to help design/specify/verify protocols We ve made major progress in all these areas!

SPYCE Protocol Methods Model checking - Automated, finite state. Example: Mobile IPv6 Multiset rewriting (MSR) - Symbolic computation, infinite state. Ex: Kerberos Epistemic logic - Understand who knows what; adversary capabilities Protocol composition logic - Axiomatic system; composition and design patterns Probabilistic poly-time process calculus - Full computational model; compositional reasoning using observational equivalence

Protocol analysis spectrum Sophistication of attacks Low High Hand proofs Poly-time calculus Epistemic logic analysis Spi-calculus Athena Paulson NRL Bolignano BAN logic Model checking Protocol logic FDR Murϕ Low Protocol complexity MSR High

SPYCE Accomplishments: A Representative Sample

A. Using MSR: Kerberos [Butler, Cervesato, Jaggard, Scedrov] Kerberos: real world protocol - Repeatedly authenticate a client to multiple servers - Minimize use of client s long term key(s) Results - Formalized Kerberos 5 at different levels of detail - Observed anomalous behavior: some properties of Kerberos 4 do not hold for Kerberos 5 - Proved that various properties do hold - Shows power of MSR as specification language Interactions with Kerberos working group

Using MSR: Contract Signing [Chadha, Mitchell, Scedrov, Shmatikov] Need third party to arbitrate contracts, in worst case Optimistic protocols - Can complete contract without third party Impossibility Theorem: There is no timely, fair, optimistic, and balanced contract signing protocol. - If protocol is timely, fair, and honest, dishonest player can always choose the outcome unilaterally - Bad news for e-commerce

B. Epistemic Logic Knowledge plays a fundamental role in security: What does an intruder know? - Can she factor? Anonymity: - Can an observer know who performed an action? Noninterference: - What does unprivileged user know about privileged user s state?

Modeling an Intruder [Halpern, Pucella] The literature focuses on Dolev-Yao intruders. But what about - an intruder that guesses? - an intruder with side information? Need to talk about what intruders can t know due to resource limitations Can use algorithmic knowledge (algorithms that model intruder s reasoning) to do that - Different algorithms -> different intruders

Capturing Security Concepts Using Knowledge [Halpern, van der Meyden, Pucella] What s a fresh message? - One that s unpredictable - No one knew its content in advance What s a good key? - One that only authorized users know. We need to make sense of these notions to prove that protocols are correct Can do this formally using knowledge

C. Protocol Derivation Logic [Datta, Derek, Durgin, Mitchell, Pavlovic] Reason about agent s knowledge Protocols are constructed from components by applying: composition, refinement, transformation Protocol logic supports derivation - General composition proofs Applied to several protocol families - STS, ISO-9798-3, JFKi, JFKr, IKE Poster: Anupam Datta

D. Probabilistic Process Calculus [Lincoln, Mitchell, Scedrov, Ramanathan, Teague] Probabilistic polynomial-time execution model Specify security via equivalence to ideal protocol Also state cryptographic assumptions via equivalences Leads to new proof system - Equational reasoning - Based on probabilistic bisimulation, asymptotic equivalence Applications - Characterize computational indistinguishability - Proof of semantic security from computational assumption (both stated as equations)

Summary We use a number of approaches for representing protocols, but they all boil down to sets of runs - We speak the same language - Can transfer results between frameworks We ve examined specific protocols - Kerberos, contract signing, BGP and proved general results about classes of protocols - impossibility results: no fair optimistic protocol

Central role of knowledge - in specifying properties of interest ofairness, anonymity - for defining basic concepts ofreshness, goodness of keys - in characterizing intruders

(Some) Next Steps Further investigation of practical protocols Synthesis of various approaches - move to upper right of protocol analysis spectrum Automating verification Adding utilities to specifications Verifying mechanisms - mechanism = set of rules for playing a game, designed to encourage good behavior o e.g. tax system, type of auction

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback