Time-Bounding Needham-Schroeder Public Key Exchange Protocol
|
|
- Lambert Walsh
- 6 years ago
- Views:
Transcription
1 Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek Nigam, Federal University of Paraíba, Brazil Andre Scedrov, UPENN, USA National Research University HSE, Russia Carolyn Talcott, SRI International, USA LAP 2014.
2 Cyber-Physical Security Protocols Cyber-Physical Security Protocols are security protocols which rely on the physical properties in which its protocol sessions are carried out, such as: message transmission takes time processing requests takes time different transmission channels different transmission velocities physical and network distances between participants
3 Cyber-Physical Security Protocols Example: Distance Bounding Protocols A t 0 m B t 1 t 3 m t 2 m t 4 t 5 t 3 t 0 is the response time The round trip time of messages and the transmission velocity is taken into account to infer an upper bound of the distance between two agents.
4 Cyber-Physical Security Protocols Example: Distance Bounding Protocols A t 0 m B t 1 t 3 m t 2 m t 4 t 5 If t 3 t 0 R for a given distance bounding time R, then the verifier A grants the access to its resources to the prover B and sends a confirmation message.
5 Specification of Cyber-Physical Security Protocols Specification of Distance Bounding Protocols Standard "Alice-Bob" notation needs to be refined. A B : m at time t 0 B A : m at time t 1 A B : m if t 1 t 0 R Many assumptions about time need to be formally specified, including: time requirements for the fulfillment of a protocol session assumptions about the network, such as communication mediums and transmission velocities
6 Verification of Cyber-Physical Security Protocols Protocol verification Following issues need to be addressed: which properties does the protocol ensure under which conditions against which intruders
7 Verification of Cyber-Physical Security Protocols Protocol verification Following issues need to be addressed: which properties does the protocol ensure under which conditions against which intruders Moreover, the standard Dolev-Yao intruder should be ammended with time features in order to make the physical properties of the system relevant.
8 Discrete vs. Continuous Time Protocol verification Discrete Time Models Continuous Time Models We investigate how the models with continuous time relate to models with discrete time in protocol verification.
9 Cyber-Physical Security Protocols Example: Original (non-secure) Needham-Schroeder protocol A B {N A, A} KB {N A, N B } KA {N B } KB
10 Cyber-Physical Security Protocols Example: Original (non-secure) Needham-Schroeder protocol A B t 0 {N A, A} KB t 1 t 3 {N A, N B } KA t 2 {N B } KB t t 5 4 Can the protocol be fixed by means of time (by some time requirements)?
11 Time-Sensitive Features We need to take into account time-sensitive features such as:
12 Time-Sensitive Features We need to take into account time-sensitive features such as: network delays
13 Time-Sensitive Features We need to take into account time-sensitive features such as: network delays participants processing time
14 Time-Sensitive Features We need to take into account time-sensitive features such as: network delays participants processing time protocol execution depends on the round trip time of messages by means of measuring the response time
15 Time-Sensitive Features Network Delay t 0 m t 1 A and B communicate through network: Message m sent at the moment t 0 is received at some later moment t 1, i.e. traversal of messages takes non-zero time t 1 t 0.
16 Time-Sensitive Features Network Delay t 0 m t 1 A and B communicate through network: Message m sent at the moment t 0 is received at some later moment t 1, i.e. traversal of messages takes non-zero time t 1 t 0. m 1 t 1 m 2 t 2 Processing Time Message m 1 is received at the moment t 1. Reply m 2 is sent at some later moment t 2. That is, processing takes non-zero time t 2 t 1.
17 Time-Bounding Needham-Schroeder Protocol A B t 0 {N A, A} KB t 1 t 3 {N A, N B } KA t 2 {N B } KB t t 5 4 If t 3 t 0 R for a given response bounding time R, then A and sends to Bob the confirmation message {N B } KB.
18 Time-Bounding Needham-Schroeder Protocol The protocol is secure if the "accepted" N A and N B may never be revealed to somebody else except Alice and Bob. For which response bounding time R is there an attack?
19 Time-Bounding Needham-Schroeder Protocol The protocol is secure if the "accepted" N A and N B may never be revealed to somebody else except Alice and Bob. For which response bounding time R is there an attack? We show that the answer depends on whether time is considered discrete or continuous.
20 Time-Bounding Needham-Schroeder Protocol The protocol is secure if the "accepted" N A and N B may never be revealed to somebody else except Alice and Bob. For which response bounding time R is there an attack? We show that the answer depends on whether time is considered discrete or continuous. We show that the answer also depends on network delay and on internal processing time.
21 Time-Bounding Needham-Schroeder Protocol A t 0 {N A, A} KB B t 1 The protocol is safe with an appropriate response bounding time R when using a model with discrete time : no attack can be found. t 3 {N A, N B } KA t 2 {N B } KB t t 5 4
22 Time-Bounding Needham-Schroeder Protocol A t 0 {N A, A} KB B t 1 The protocol is safe with an appropriate response bounding time R when using a model with discrete time : no attack can be found. t 3 {N A, N B } KA t 2 {N B } KB t t 5 4 The protocol is insecure for any response bounding time R in the case of continuous time : there is a timed version of Lowe attack.
23 Attack on Time-Bounding Needham-Schroeder Protocol Alice Mallory {N t A, A} km 0 t 1 Bob Lowe-style attack t 2 {N A, A} kb t 3 Mallory forces Bob to believe that he communicated with Alice, and that only Alice learned Bob s nonce N B. t 7 t 5 {N A, N B } ka t 6 {N A, N B } ka t 4 Actually, Bob communicated with Mallory, and Mallory learned N B. {N t B } km 8 t 9 {N t B } kb 10 t 11
24 Attack on Time-Bounding Needham-Schroeder Protocol Alice Mallory {N t A, A} km 0 t 1 Bob Lowe-style attack t 2 {N A, A} kb t 3 Mallory forces Bob to believe that he communicated with Alice, and that only Alice learned Bob s nonce N B. t 7 t 5 {N A, N B } ka t 6 {N A, N B } ka t 4 Actually, Bob communicated with Mallory, and Mallory learned N B. {N t B } km 8 t 9 Under which time conditions is the attack possible? {N t B } kb 10 t 11
25 Attack on Time-Bounding Needham-Schroeder Protocol Alice Mallory t 0 = 0 {N A, A} km t 1 = 1 Bob Lowe-style attack t 2 = 2 {N A, A} kb t 3 = 3 Discrete time model t 7 = 7 t 5 = 5 {N A, N B} ka {N A, N B} ka t 6 = 6 t 4 = 4 Since both network delay and processing take at least 1 time unit, attack can be performed only for response bounding time R 7. {N t 8 = 8 B} km t 9 = 9 {N t 10 = 10 B} kb t 11 = 11
26 Attack on Time-Bounding Needham-Schroeder Protocol Alice Mallory t 0 = 0 {N A, A} km t 1 = 1 Bob Lowe-style attack t 2 = 2 {N A, A} kb t 3 = 3 Discrete time model t 7 = 7 t 5 = 5 {N A, N B} ka {N A, N B} ka t 6 = 6 t 4 = 4 Since both network delay and processing take at least 1 time unit, attack can be performed only for response bounding time R 7. {N t 8 = 8 B} km t 9 = 9 There is no attack for R < 7. {N t 10 = 10 B} kb t 11 = 11
27 Attack on Time-Bounding Needham-Schroeder Protocol Alice Mallory t 0 = 0 {N A, A} km t 1 = 0.1 Bob Lowe-style attack t 2 = 0.2 {N A, A} kb t 3 = 0.3 Continuous time model t 5 = 0.5 {N A, N B} ka t 4 = 0.4 Attack is possible for every response bounding time t 7 = 0.7 {N A, N B} ka t 6 = 0.6 R > 0 {N t 8 = 0.8 B} km t 9 = 0.9 {N t 11 = 1 B} kb t 11 = 1.1
28 Discrete vs. Continuous Time The existance of the attack depends on whether time is considered discrete or continuous. No rescaling of discrete time units removes this issue: For any discretisation of time, such as days, seconds or any other infinitesimal time unit, there is a protocol, for which - there exists an attack with continuous time, and - no attack is possible in the discrete case.
29 Discrete vs. Continuous Time The existance of the attack depends on whether time is considered discrete or continuous. No rescaling of discrete time units removes this issue: For any discretisation of time, such as days, seconds or any other infinitesimal time unit, there is a protocol, for which - there exists an attack with continuous time, and - no attack is possible in the discrete case. Between moments t i and t j only a finite number of acts can happen within discrete time, whereas an unbounded number of timed events are possible within continuous time.
30 Specification of Cyber-Physical Security Protocols Lower bounds for passing messages and processing requests a - strict lower bound for passing messages b - strict lower bound for processing messages t 0 m t 1 Network Delay Traversal of messages is greater then a : t 1 t 0 > a m 1 t 1 m 2 t 2 Processing Time Internal processing is greater then b : t 2 t 1 > b
31 Time-Bounding Needham-Schroeder Protocol Lower bounds for passing messages and processing requests a - strict lower bound for passing messages b - strict lower bound for processing messages A B t 0 {N A, A} KB t 1 For which R the protocol is safe? For which R there is an attack? t 3 {N A, N B } KA t 2 {N B } KB t t 5 4
32 Time-Bounding Needham-Schroeder Protocol Lower bounds for passing messages and processing requests a - strict lower bound for passing messages b - strict lower bound for processing messages A B t 0 t 3 {N A, A} KB {N A, N B } KA t 1 t 2 {N B } KB t t 5 4 For which R the protocol is safe? For which R there is an attack? Given explicit lower bounds we can provide precise results.
33 Time-Bounding Needham-Schroeder Protocol Lower bounds for passing messages and processing requests a - strict lower bound for passing messages b - strict lower bound for processing messages In case a > 0 or b > 0, for non-negative integers a, b, For discrete time, there is no Dolev-Yao attack on the time-bounding Needham-Schroeder protocol with response bounding time R < 4a + 3b + 7. For continuous time, there is no Dolev-Yao attack on the time-bounding Needham-Schroeder protocol with the response bounding time R < 4a + 3b.
34 Discrete vs. Continuous Time Protocol verification Discrete Time Models Continuous Time Models There is a difference! There are protocols for which there is no attack in the discrete time model, but there is an attack in the continuous time model.
35 Discrete vs. Continuous Time Protocol verification Discrete Time Models Continuous Time Models There is a difference! There are protocols for which there is no attack in the discrete time model, but there is an attack in the continuous time model. One should be aware of this difference in cyber-physical security protocol verification.
36 Complexity results Planning Problem \ Reachability Problem Untimed system PSPACE-complete [Kanovich et al., FAST 10] Balanced System with PSPACE-complete actions discrete time [Kanovich et al.,rta 12] System with real time Actions not necessarily balanced PSPACE-complete new Undecidable Though the nonce updates cause a potentially infinite number of states, the PSPACE membership is given for the timed systems with fresh values (nonces).
37 Future Work Investigating the power of our intruder model: how much damage can be done under which conditions Alternative Intruder and Protocol Models e.g. agents allowed to move, not static Implementation of our model in automated tools e.g. Maude: verifying cyber-physical protocols Specification of asynchronous systems Time synchronization mechanisms Network Time Protocols Analysis of security protocols e.g. timestamps, timing channels
38 Related Work Durgin, Lincoln, Mitchell, Scedrov. Multiset rewriting and the complexity of bounded security protocols Kanovich, Okada, Scedrov. Specifying real-time finite-state systems in linear logic, Alur, Dill. A theory of timed automata, Brands, Chaum. Distance-bounding protocols, Meadows, Poovendran, Pavlovic, Chang, Syverson. Distance bounding protocols: Authentication logic analysis and collusion attacks, Lanotte, Maggiolo-Schettini, Troina. Reachability results for timed automata with unbounded data structures, Malladi, Bruhadeshwar, Kothapalli. Automatic analysis of distance bounding protocols, 2010.
Discrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols
Discrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols Max Kanovich 1,5 Tajana Ban Kirigin 2 Vivek Nigam 3 Andre Scedrov 4,5 and Carolyn Talcott 6 1 Queen Mary, University of London
More informationarxiv: v1 [cs.cr] 27 May 2016
Towards the Automated Verification of Cyber-Physical Security Protocols: Bounding the Number of Timed Intruders Vivek Nigam 1, Carolyn Talcott 2 and Abraão Aires Urquiza 1 arxiv:1605.08563v1 [cs.cr] 27
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationA Logic of Authentication
A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,
More informationBAN Logic A Logic of Authentication
BAN Logic A Logic of Authentication Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 BAN Logic The BAN logic was named after its inventors, Mike Burrows, Martín Abadí,
More informationMSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano ISSS 2003,
More informationModels and analysis of security protocols 1st Semester Security Protocols Lecture 6
Models and analysis of security protocols 1st Semester 2010-2011 Security Protocols Lecture 6 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 18th 2010 1 / 46 Last Time (I) Symmetric
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University
More informationVerification of Security Protocols in presence of Equational Theories with Homomorphism
Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D,
More informationTerm Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool
Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Informáticos y Computación Universitat Politècnica de València sescobar@dsic.upv.es
More informationOne Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano
More informationProtocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete
Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete Michaël Rusinowitch and Mathieu Turuani LORIA-INRIA- Université Henri Poincaré, 54506 Vandoeuvre-les-Nancy cedex, France
More informationCollaborative Planning with Privacy
Collaborative Planning with Privacy Protocol exchange May 7, 2007 Max Kanovich 1, Paul Rowe 2, Andre Scedrov 2 1 Quenn Mary, University of London 2 University of Pennsylvania Context Many examples of collaboration
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples
More informationProving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols
More informationReachability Results for Timed Automata with Unbounded Data Structures
Acta Informatica manuscript No. (will be inserted by the editor) Reachability Results for Timed Automata with Unbounded Data Structures Ruggero Lanotte Andrea Maggiolo-Schettini Angelo Troina Received:
More informationTyped MSR: Syntax and Examples
Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ MMM 01 St. Petersburg, Russia May 22 nd, 2001 Outline
More informationSlides for Chapter 14: Time and Global States
Slides for Chapter 14: Time and Global States From Coulouris, Dollimore, Kindberg and Blair Distributed Systems: Concepts and Design Edition 5, Addison-Wesley 2012 Overview of Chapter Introduction Clocks,
More informationEncoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania
Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to
More informationAutomatic Verification of Complex Security Protocols With an Unbounded Number of Sessions
Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions Kaile Su, Weiya Yue and Qingliang Chen Department of Computer Science, Sun Yat-sen University Guangzhou, P.R. China
More informationAutomata-based analysis of recursive cryptographic protocols
1 Automata-based analysis of recursive cryptographic protocols Thomas Wilke Joint work with Ralf Küsters Christian-Albrechts-Universität zu Kiel June 13, 2004 Un-/Decidability of security in the DY model
More informationAbstract Specification of Crypto- Protocols and their Attack Models in MSR
Abstract Specification of Crypto- Protocols and their Attack Models in MSR Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ Software
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationCPSA and Formal Security Goals
CPSA and Formal Security Goals John D. Ramsdell The MITRE Corporation CPSA Version 2.5.1 July 8, 2015 Contents 1 Introduction 3 2 Syntax 6 3 Semantics 8 4 Examples 10 4.1 Needham-Schroeder Responder.................
More informationControl Flow Analysis of Security Protocols (I)
Control Flow Analysis of Security Protocols (I) Mikael Buchholtz 02913 F2005 Mikael Buchholtz p. 1 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography 02913 F2005
More informationTAuth: Verifying Timed Security Protocols
TAuth: Verifying Timed Security Protocols Li Li 1, Jun Sun 2, Yang Liu 3, and Jin Song Dong 1 1 National University of Singapore 2 Singapore University of Technology and Design 3 Nanyang Technological
More informationA compositional logic for proving security properties of protocols
Journal of Computer Security 11 (2003) 677 721 677 IOS Press A compositional logic for proving security properties of protocols Nancy Durgin a, John Mitchell b and Dusko Pavlovic c a Sandia National Labs,
More informationOn the Automatic Analysis of Recursive Security Protocols with XOR
On the Automatic Analysis of Recursive Security Protocols with XOR Ralf Küsters 1 and Tomasz Truderung 2 1 ETH Zurich ralf.kuesters@inf.ethz.ch 2 University of Kiel, Wrocław University tomasz.truderung@ii.uni.wroc.pl
More informationAnalysis of authentication protocols Intership report
Analysis of authentication protocols Intership report Stéphane Glondu ENS de Cachan September 3, 2006 1 Introduction Many computers are interconnected through networks, the biggest of them being Internet.
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationProbabilistic Model Checking of Security Protocols without Perfect Cryptography Assumption
Our Model Checking of Security Protocols without Perfect Cryptography Assumption Czestochowa University of Technology Cardinal Stefan Wyszynski University CN2016 Our 1 2 3 Our 4 5 6 7 Importance of Security
More informationA Logic of Authentication. Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989
A Logic of Authentication Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989 Logic Constructs P believes X : P may act as though X is true. P sees X : a message containing X was sent to P; P can read and
More informationAnalysing Layered Security Protocols
Analysing Layered Security Protocols Thomas Gibson-Robinson St Catherine s College University of Oxford A thesis submitted for the degree of Doctor of Philosophy Trinity 2013 Abstract Many security protocols
More informationSymbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation
Symbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation Jonathan Millen and Vitaly Shmatikov Computer Science Laboratory SRI International millenshmat @cslsricom Abstract We demonstrate
More informationReport Documentation Page
Multiset Rewriting and the Complexity of Bounded Security Protocols Λ N.A. Durgin P.D. Lincoln J.C. Mitchell A. Scedrov Sandia National Laboratories Livermore, CA nadurgi@sandia.gov Computer Science Dept.
More informationSemantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr
Semantic Equivalences and the Verification of Infinite-State Systems Richard Mayr Department of Computer Science Albert-Ludwigs-University Freiburg Germany Verification of Infinite-State Systems 1 c 2004
More informationAgreement. Today. l Coordination and agreement in group communication. l Consensus
Agreement Today l Coordination and agreement in group communication l Consensus Events and process states " A distributed system a collection P of N singlethreaded processes w/o shared memory Each process
More informationUnreliable Failure Detectors for Reliable Distributed Systems
Unreliable Failure Detectors for Reliable Distributed Systems A different approach Augment the asynchronous model with an unreliable failure detector for crash failures Define failure detectors in terms
More informationA decidable subclass of unbounded security protocols
A decidable subclass of unbounded security protocols R. Ramanujam and S. P. Suresh The Institute of Mathematical Sciences C.I.T. Campus, Chennai 600 113, India. E-mail: {jam,spsuresh}@imsc.res.in 1 Summary
More informationLecture 7: Specification Languages
Graduate Course on Computer Security Lecture 7: Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita
More informationStrand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001
Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction
More informationDRAFT. Distance-Bounding Protocols: Verification without Time and Location. Sjouke Mauw CSC/SnT University of Luxembourg
Distance-Bounding Protocols: Verification without Time and Location Sjouke Mauw CSC/SnT University of Luxembourg sjouke.mauw@uni.lu Zach Smith CSC University of Luxembourg zach.smith@uni.lu Jorge Toro-Pozo
More informationComplexity of Checking Freshness of Cryptographic Protocols
Complexity of Checking Freshness of Cryptographic Protocols Zhiyao Liang Rakesh M Verma Computer Science Department, University of Houston, Houston TX 77204-3010, USA Email: zliang@cs.uh.edu, rmverma@cs.uh.edu
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationProving Properties of Security Protocols by Induction
Proving Security Protocols 1 L. C. Paulson Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory University of Cambridge Proving Security Protocols 2 L. C. Paulson
More informationLogical Time. 1. Introduction 2. Clock and Events 3. Logical (Lamport) Clocks 4. Vector Clocks 5. Efficient Implementation
Logical Time Nicola Dragoni Embedded Systems Engineering DTU Compute 1. Introduction 2. Clock and Events 3. Logical (Lamport) Clocks 4. Vector Clocks 5. Efficient Implementation 2013 ACM Turing Award:
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationAn undecidability result for AGh
Theoretical Computer Science 368 (2006) 161 167 Note An undecidability result for AGh Stéphanie Delaune www.elsevier.com/locate/tcs France Télécom R&D, Lab. Spécification & Vérification, CNRS & ENS de
More informationAPPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.
APPLITIONS OF AN-LOGIC JAN WESSELS CMG FINANCE.V. APRIL 19, 2001 Chapter 1 Introduction This document is meant to give an overview of the AN-logic. The AN-logic is one of the methods for the analysis of
More informationTime. Today. l Physical clocks l Logical clocks
Time Today l Physical clocks l Logical clocks Events, process states and clocks " A distributed system a collection P of N singlethreaded processes without shared memory Each process p i has a state s
More informationCoordination. Failures and Consensus. Consensus. Consensus. Overview. Properties for Correct Consensus. Variant I: Consensus (C) P 1. v 1.
Coordination Failures and Consensus If the solution to availability and scalability is to decentralize and replicate functions and data, how do we coordinate the nodes? data consistency update propagation
More informationVerification of the TLS Handshake protocol
Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol.
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationGroup Diffie Hellman Protocols and ProVerif
Group Diffie Hellman Protocols and ProVerif CS 395T - Design and Analysis of Security Protocols Ankur Gupta Secure Multicast Communication Examples: Live broadcast of a match, stock quotes, video conferencing.
More informationAn Undecidability Result for AGh
An Undecidability Result for AGh Stéphanie Delaune France Télécom R&D, Lab. Spécification & Vérification, CNRS & ENS de Cachan, France. Abstract We present an undecidability result for the verification
More informationComplexity of automatic verification of cryptographic protocols
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic
More informationCS 347 Parallel and Distributed Data Processing
CS 347 Parallel and Distributed Data Processing Spring 2016 & Clocks, Clocks, and the Ordering of Events in a Distributed System. L. Lamport, Communications of the ACM, 1978 Notes 15: & Clocks CS 347 Notes
More informationThe Logical Meeting Point of Multiset Rewriting and Process Algebra
MFPS 20 @ MU May 25, 2004 The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano ervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, D http://theory.stanford.edu/~iliano
More informationOn the Verification of Cryptographic Protocols
On the Verification of Cryptographic Protocols Federico Cerutti Dipartimento di Ingegneria dell Informazione, Università di Brescia Via Branze 38, I-25123 Brescia, Italy January 11, 2011 Talk at Prof.
More informationCuts. Cuts. Consistent cuts and consistent global states. Global states and cuts. A cut C is a subset of the global history of H
Cuts Cuts A cut C is a subset of the global history of H C = h c 1 1 hc 2 2...hc n n A cut C is a subset of the global history of H The frontier of C is the set of events e c 1 1,ec 2 2,...ec n n C = h
More informationFinite Models for Formal Security Proofs
Finite Models for Formal Security Proofs Jean Goubault-Larrecq goubault@lsv.ens-cachan.fr LSV, ENS Cachan, CNRS, INRIA 61, avenue du président Wilson 94230 Cachan, France Tel: +33-1 47 40 75 68 Fax: +33-1
More informationOur Problem. Model. Clock Synchronization. Global Predicate Detection and Event Ordering
Our Problem Global Predicate Detection and Event Ordering To compute predicates over the state of a distributed application Model Clock Synchronization Message passing No failures Two possible timing assumptions:
More informationAn Efficient Cryptographic Protocol Verifier Based on Prolog Rules
An Efficient Cryptographic Protocol Verifier Based on Prolog Rules Bruno Blanchet INRIA Rocquencourt Domaine de Voluceau B.P. 105 78153 Le Chesnay Cedex, France Bruno.Blanchet@inria.fr Abstract We present
More informationEquational Tree Automata: Towards Automated Verification of Network Protocols
Equational Tree Automata: Towards Automated Verification of Network Protocols Hitoshi Ohsaki and Toshinori Takai National Institute of Advanced Industrial Science and Technology (AIST) Nakoji 3 11 46,
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationTimed Automata VINO 2011
Timed Automata VINO 2011 VeriDis Group - LORIA July 18, 2011 Content 1 Introduction 2 Timed Automata 3 Networks of timed automata Motivation Formalism for modeling and verification of real-time systems.
More informationModels for an Adversary-Centric Protocol Logic
Workshop on Logical Aspects of Cryptographics 2001 Preliminary Version Models for an Adversary-Centric Protocol Logic Peter Selinger Department of Mathematics and Statistics University of Ottawa Ottawa,
More informationAn On-the-fly Tableau Construction for a Real-Time Temporal Logic
#! & F $ F ' F " F % An On-the-fly Tableau Construction for a Real-Time Temporal Logic Marc Geilen and Dennis Dams Faculty of Electrical Engineering, Eindhoven University of Technology P.O.Box 513, 5600
More informationConsensus when failstop doesn't hold
Consensus when failstop doesn't hold FLP shows that can't solve consensus in an asynchronous system with no other facility. It can be solved with a perfect failure detector. If p suspects q then q has
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationClocks in Asynchronous Systems
Clocks in Asynchronous Systems The Internet Network Time Protocol (NTP) 8 Goals provide the ability to externally synchronize clients across internet to UTC provide reliable service tolerating lengthy
More informationThe Sizes of Skeletons: Security Goals are Decidable
The Sizes of Skeletons: Security Goals are Decidable Joshua D. Guttman and F. Javier Thayer The MITRE Corporation guttman, jt@mitre.org Abstract. We show how to collapse executions of a cryptographic protocol,
More informationA derivation system and compositional logic for security protocols
Journal of Computer Security 13 2005) 423 482 423 IOS Press A derivation system and compositional logic for security protocols Anupam Datta a,, Ante Derek a, John C. Mitchell a and Dusko Pavlovic b a Computer
More informationA simple procedure for finding guessing attacks (Extended Abstract)
A simple procedure for finding guessing attacks (Extended Abstract) Ricardo Corin 1 and Sandro Etalle 1,2 1 Dept. of Computer Science, University of Twente, The Netherlands 2 CWI, Center for Mathematics
More informationstructure of such protocols, the difficulty is that logics are useful only when the semantics is precise, and most of the problems seem to relate to p
Information based reasoning about security protocols R. Ramanujam and S. P. Suresh 1 The Institute of Mathematical Sciences C.I.T. Campus, Chennai 600 113, India. Abstract We propose a notion of information
More informationFailure detectors Introduction CHAPTER
CHAPTER 15 Failure detectors 15.1 Introduction This chapter deals with the design of fault-tolerant distributed systems. It is widely known that the design and verification of fault-tolerent distributed
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationThe Weighted Byzantine Agreement Problem
The Weighted Byzantine Agreement Problem Vijay K. Garg and John Bridgman Department of Electrical and Computer Engineering The University of Texas at Austin Austin, TX 78712-1084, USA garg@ece.utexas.edu,
More informationThe Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability
The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Catherine Meadows Naval Research Laboratory, Washington, DC 20375 catherine.meadows@nrl.navy.mil Formal Methods for the Science of
More informationDistributed Systems. 06. Logical clocks. Paul Krzyzanowski. Rutgers University. Fall 2017
Distributed Systems 06. Logical clocks Paul Krzyzanowski Rutgers University Fall 2017 2014-2017 Paul Krzyzanowski 1 Logical clocks Assign sequence numbers to messages All cooperating processes can agree
More informationRecent results on Timed Systems
Recent results on Timed Systems Time Petri Nets and Timed Automata Béatrice Bérard LAMSADE Université Paris-Dauphine & CNRS berard@lamsade.dauphine.fr Based on joint work with F. Cassez, S. Haddad, D.
More informationAutomatic Synthesis of Distributed Protocols
Automatic Synthesis of Distributed Protocols Rajeev Alur Stavros Tripakis 1 Introduction Protocols for coordination among concurrent processes are an essential component of modern multiprocessor and distributed
More informationDecidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation
Decidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation Vitaly Shmatikov SRI International shmat@csl.sri.com Abstract. We demonstrate that the symbolic trace reachability
More informationA progress report on using Maude to verify protocol properties using the strand space model
A progress report on using Maude to verify protocol properties using the strand space model Presented by Robert P. Graham, MAJ, USAF/AFIT Stephen W. Mancini, 1Lt, USAF/AFIT Presentation date: 01 Oct 03
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationA Calculus for Control Flow Analysis of Security Protocols
International Journal of Information Security manuscript No. (will be inserted by the editor) A Calculus for Control Flow Analysis of Security Protocols Mikael Buchholtz, Hanne Riis Nielson, Flemming Nielson
More informationElliptic Curves. Giulia Mauri. Politecnico di Milano website:
Elliptic Curves Giulia Mauri Politecnico di Milano email: giulia.mauri@polimi.it website: http://home.deib.polimi.it/gmauri May 13, 2015 Giulia Mauri (DEIB) Exercises May 13, 2015 1 / 34 Overview 1 Elliptic
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationDeriving GDOI. Dusko Pavlovic and Cathy Meadows
Deriving GDOI Dusko Pavlovic and Cathy Meadows September 2003 1 Outline 1. Trace logic 2. Axioms and rules 3. Deriving core GDOI 4. Global encryption and hashing transformations 5. Adding PFS and POP options
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationConsistent Global States of Distributed Systems: Fundamental Concepts and Mechanisms. CS 249 Project Fall 2005 Wing Wong
Consistent Global States of Distributed Systems: Fundamental Concepts and Mechanisms CS 249 Project Fall 2005 Wing Wong Outline Introduction Asynchronous distributed systems, distributed computations,
More informationA Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures
A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures Véronique Cortier LORIA, Nancy, France CNRS & INRIA Project Cassis cortier@loria.fr Michael Rusinowitch
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,
More informationDeciding the Security of Protocols with Commuting Public Key Encryption
Electronic Notes in Theoretical Computer Science 125 (2005) 55 66 www.elsevier.com/locate/entcs Deciding the Security of Protocols with Commuting Public Key Encryption Yannick Chevalier a,1 Ralf Küsters
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More information416 Distributed Systems. Time Synchronization (Part 2: Lamport and vector clocks) Jan 27, 2017
416 Distributed Systems Time Synchronization (Part 2: Lamport and vector clocks) Jan 27, 2017 1 Important Lessons (last lecture) Clocks on different systems will always behave differently Skew and drift
More informationAngelo Troina. Joint work with: Ruggero Lanotte (University of Insubria at Como) Andrea Maggiolo Schettini (University of Pisa)
Angelo Troina Dipartimento di Informatica, Università di Pisa, Italy Probabilistic Joint work with: Ruggero Lanotte (University of Insubria at Como) Andrea Maggiolo Schettini (University of Pisa) 1/23
More information