Lecture 7: Specification Languages
|
|
- Drusilla Bates
- 6 years ago
- Views:
Transcription
1 Graduate Course on Computer Security Lecture 7: Specification Languages Iliano Cervesato ITT Industries, NRL Washington DC DIMI, Universita di Udine, Italy December 6, 2001
2 Outline Dolev-Yao model Specification Evaluation criteria Some languages Usual notation BAN logic Spi calculus Strand spaces Inductive methods CAPSL MSR Motivations Syntax Type checking DAS Data Access Specification Execution Computer Security: 7 - Specification Languages 2
3 Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Lecture 4 a bit more in this lecture Distributed hostile environment Prudent engineering practice Lecture 4 Inadequate specification languages This lecture Computer Security: 7 - Specification Languages 3
4 Dolev-Yao Network Model Bob Alice Network Server Dan Charlie Computer Security: 7 - Specification Languages 4
5 The Dolev-Yao Model of Security Symbolic data No bits Black-box cryptography No guessing of keys k A Partially abstract data access Knowledge soup A k A k B S Found in most protocol analysis tools Tractability Computer Security: 7 - Specification Languages 5
6 Perfect Cryptography k -1 is needed to decrypt {m} k k -1 is just k for shared key ciphers No collisions {m 1 } ka = {m 2 } kb iff m 1 = m 2 and k A = k B {m} k = n never {m} k = (m 1 m 2 ) never We will relax this to handle type violations Computer Security: 7 - Specification Languages 6
7 Public Knowledge Soup Free access to auxiliary data Abstracts actual mechanisms Transmission of certificates Invocation of subprotocols Caching But not all data are public keys secrets A k S k AB S Computer Security: 7 - Specification Languages 7
8 Why is specification important? good Documentation Communicate Engineering Implementation Verification tools Science Foundations Assist engineering Computer Security: 7 - Specification Languages 8
9 Languages to Specify What? Message flow Message constituents Operating environment Protocol goals Computer Security: 7 - Specification Languages 9
10 Desirable Properties Unambiguous Simple Flexible Adapts to protocols Powerful Applies to a wide class of protocols Insightful Gives insight about protocols Computer Security: 7 - Specification Languages 10
11 Language Families Usual notation (user interfaces) Knowledge logic BAN Process theory Spi-calculus Strands MSR FDR, Casper Petri nets Inductive methods Temporal logic Automata CAPSL NRL Protocol Analyzer Murφ Why so many? Experience from mature fields Unifying problem Scientifically intriguing Funding opportunities Convergence of approaches Computer Security: 7 - Specification Languages 11
12 Running Example Needham-Schroeder public key protocol (fragment) Devised in 78 Broken in 95! But purely academic attack subject to interpretation Example of weak specification! Computer Security: 7 - Specification Languages 12
13 Usual Notation A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb Computer Security: 7 - Specification Languages 13
14 Evaluation of the Usual Notation Flow Expected run Constituents Side remarks Environment Side remarks Goals Side remarks Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 14
15 BAN Logic [Burrows, Abadi, Needham] Roots in belief logic Reason about knowledge as protocol unfolds Security: principals share same view Specification Usual notation Idealized protocol Assumptions Goals Verification Logical inference Computer Security: 7 - Specification Languages 15
16 BAN Idealization A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb n B is a shared secret between A and B NS-PK [3-5] A B: {n A } kb n A provides evidence to the fact that B A: { A n B B na } ka A B: { A n A B, B A n B B nb } kb Believes (more readable syntax proposed later) Computer Security: 7 - Specification Languages 16
17 BAN Assumptions A B: {A,n A } kb B A: {n A,n B } ka k A is the public key of A n A is fresh A B: {n B } kb NS-PK [3-5] A k A A A k B B B k B B B k A A A # n A A A n A B B # n B B A n B B Computer Security: 7 - Specification Languages 17
18 BAN Goals A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS-PK [3-5] Authentication goals expressed in terms of Mutual beliefs Beliefs about freshness B A A n A B A B A n B B A # n B B # n A Formally derived from BAN rules Computer Security: 7 - Specification Languages 18
19 Evaluation of BAN Flow Idealized run Constituents Assumptions Environment Implicit Goals BAN formulas Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 19
20 The Spi-Calculus [Abadi, Gordon] π-calculus with cryptographic constructs Specification 1 process for each role Instance to be studied Intruder not explicitly modeled Verification Process equivalence to reference process Computer Security: 7 - Specification Languages 20
21 The Syntax of Spi Computer Security: 7 - Specification Languages 21
22 Spi: NS Initiator A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb init(a,b,c AB,k B+,k A- ) = NS-PK [3-5] (νn A ) c AB < { A, n A } kb + >. c AB (x). case x of { y } ka - in let (y 1,y 2 ) = y in [y 1 is n A ] c AB < { y 2 } kb + >. 0 Computer Security: 7 - Specification Languages 22
23 Spi: NS Responder A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb resp(b,a,c AB,k A+,k B- ) = NS-PK [3-5] c AB (x). case x of { y } kb - in let (y 1,y 2 ) = y in [y 1 is A] (νn B ) c AB < { y 2, n B } ka + >. c AB (x ). case x of { y } kb - in [y is n B ] 0 Computer Security: 7 - Specification Languages 23
24 Spi: NS Instance A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb inst(a,b,c AB ) = NS-PK [3-5] (νk A ) (νk B ) ( init(a,b,c AB,k B+,k A- ) resp(b,a,c AB,k A+,k B- )) Computer Security: 7 - Specification Languages 24
25 Evaluation of Spi Flow Role-based Constituents Informal math. Environment Implicit Goals Reference process Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 25
26 Strand Spaces [Guttman, Thayer] Roots in trace theory Lamport s causality Mazurkiewicz s traces Specification Strands Sets of principals, keys, Verification Authentication tests Model checking Computer Security: 7 - Specification Languages 26
27 Strands A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS-PK [3-5] Initiator strand {n A, A} kb Responder strand {n A, A} kb {n A, n B } ka {n A, n B } ka {n B } kb {n B } kb Computer Security: 7 - Specification Languages 27
28 Evaluation of Strands Flow Role-based Constituents Informal math. Environment Side remarks Goals Side remarks Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 28
29 Inductive Methods [Paulson] Protocol inductively defines traces Specification 1 inductive rule for each protocol rule Universal intruder based on language Verification Theorem proving (Isabelle HOL) Related methods [Bolignano] Computer Security: 7 - Specification Languages 29
30 IMs: NS A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS1 [evs ns; A B; Nonce N A used evs] NS-PK [3-5] Says A B {Nonce N A, Agent A} KB # evs ns NS2 [evs ns; A B; Nonce N B used evs; Says A B {Nonce N A, Agent A} KB set evs] Says B A {Nonce N A, Nonce N A } KA # evs ns NS3 [evs ns; Says A B {Nonce N A, Agent A} KB set evs; Says B A {Nonce N A, Nonce N A } KA set evs] Says A B {Nonce N A } KB # evs ns Computer Security: 7 - Specification Languages 30
31 IMs: Environment Nil [] ns Fake [evs ns; B Spy; X synth(analz (spies evs))] Says Spy B X # evs ns synth, analz, spies, protocol independent Computer Security: 7 - Specification Languages 31
32 Evaluation of Inductive Methods Flow Trace-based Constituents Formalized math. Environment Immutable Goals Imposs. traces Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 32
33 CAPSL [Millen] Ad-hoc model checker Specification Special-purpose language Intruder built-in Implementation CIL [Denker] -> similar to MSR Related systems Murφ [Shmatikov, Stern] SMV [Clarke, Jha, Marrero] Computer Security: 7 - Specification Languages 33
34 CAPSL A B: {A,n A } kb B A: {n A,n B } ka A B: {n B } kb NS-PK [3-5] PROTOCOL NS; VARIABLES A, B: PKUser; Na, Nb: Nonce, CRYPTO ASSUMPTIONS HOLDS A: B; MESSAGES A -> B : {A, Na}pk(B); B -> A : {Na,Nb}pk(A); A -> B : {Nb}pk(B); GOALS SECRET Na; SECRET Nb; PRECEDES A: B Na; PRECEDES B: A Nb; END; Computer Security: 7 - Specification Languages 34
35 Evaluation of CAPSL Flow Explicit run Constituents Declarations Environment Implicit Goals Properties Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 35
36 MSR [Cervesato, Durgin, Lincoln, Mitchell, Scedrov] A specification language based on MultiSet Rewriting with existentials MSR 1.0 Designed to prove the undecidability of protocol correctness verification Poor specification language Error-prone Limited automated assistance Limited support for verification MSR 2.0 Redesign of MSR 1.0 as a specification language Easy to use Support for automation New background in typetheory Margin for verification Current techniques can be adapted Computer Security: 7 - Specification Languages 36
37 Evaluation of MSR 2.0 Flow Role-based Constituents Strong typing Environment In part Goals Unambiguous Simple Flexible Powerful Insightful Computer Security: 7 - Specification Languages 37
38 Roadmap to MSR Step-by-step specification of example Neuman-Stubblebine protocol Language description Syntax Typing Data Access Control DAS Execution semantics Properties More examples NS-PK[3-5] Computer Security: 7 - Specification Languages 38
39 Multiset Rewriting Multiset: set with repetitions allowed Rewrite rule: r: N 1 N 2 Application r M 1 M 2 r M, N 1 M, N 2 Multi-step transition, reachability Computer Security: 7 - Specification Languages 39
40 NSt-I: B s Role A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab where T = {A,k AB,t B } kbs A B: A, n A Neuman-Stubblebine phase I B S: B, {A, n A, t B } kbs, n B S A: {B, n A, k AB, t B } kas, {A, k AB, t B } kbs, n B A B: {A, k AB, t B } kbs, {n B } kab Computer Security: 7 - Specification Languages 40
41 NSt-I: S s Role A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab where T = {A,k AB,t B } kbs Neuman-Stubblebine phase I A B: A, n A B S: B, {A, n A, t B } kbs, n B S A: {B, n A, k AB, t B } kas, {A, k AB, t B } kbs, n B A B: {A, k AB, t B } kbs, {n B } kab Computer Security: 7 - Specification Languages 41
42 NSt-I: A s Role A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: A, n A A B: T,{n B } kab where T = {A,k AB,t B } kbs Neuman-Stubblebine phase I B S: B, {A, n A, t B } kbs, n B S A: {B, n A, k AB, t B } kas, {A, k AB, t B } kbs, n B A B: {A, k AB, t B } kbs, {n B } kab X X Ticket Computer Security: 7 - Specification Languages 42
43 Sending / Receiving Messages N(A, n A ) Network predicate N(m): m is a message in transit N({B,n A,k AB,t B } kas,x,n B ) N(X,{n B } kab ) Computer Security: 7 - Specification Languages 43
44 Terms Atomic terms Principal names Keys Nonces Term constructors ( ) {_} _ A k n D e f i n a b l e Computer Security: 7 - Specification Languages 44
45 Nonces A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab Neuman-Stubblebine phase I n A. N(A, n A ) Existential variables n A instantiated to a new constant N({B,n A,k AB,t B } k AS, X, n B) N(X, {n B } k AB ) Computer Security: 7 - Specification Languages 45
46 MSet Rewriting with Existentials Multisets of 1 st -order atomic formulas Rules: Application r: F(x) n. G(x,n) r M 1 M 2 c not in M 1 r M, F(t) M, G(t,c) Computer Security: 7 - Specification Languages 46
47 Sequencing Actions A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t L. Fresh! n A. A B: T,{n B } kab Neuman-Stubblebine phase I N(A, n A ) L(A,n A ) Role state predicate L(A,n A ) N({B,n A,k AB,t B }, X, n k AS B) N(X, {n B } k AB ) Computer Security: 7 - Specification Languages 47
48 Role State Predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data Computer Security: 7 - Specification Languages 48
49 Remembering Things A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab Neuman-Stubblebine phase I L. n A. L(A,n A ) N(A, n A ) L(A,n A ) N({B,n A,k AB,t B } k AS, X, n B) N(X, {n B } ) k AB Tkt A (B,k AB,X) Memory predicate Computer Security: 7 - Specification Languages 49
50 Memory Predicates M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder Computer Security: 7 - Specification Languages 50
51 Role Owner A B: A,n A B S: B,{A,n A,t B } kbs,n B S A: {B,n A,k AB,t B } kab,t A B: T,{n B } kab Role owner Neuman-Stubblebine phase I The principal executing the role L. n A. L(A,n A ) N(A, n A ) A L(A,n A ) N({B,n A,k AB,t B } k AS, X, n B) N(X, {n B } k AB ) Tkt A (B,k AB,X) Computer Security: 7 - Specification Languages 51
52 What is what? Types A L: princ x nonce. n A :nonce. n A :nonce. L(A,n A ) N(A, n A ) B:princ. n A,n B : nonce k AB : shk A B k AS : shk A S X: msg L(A,n A ) N({B,n A,k AB,t B } k AS, X, n B ) N(X, {n B} k AB ) Tkt A (B,k AB,X) Computer Security: 7 - Specification Languages 52
53 Types of Terms A: princ n: nonce k: shk A B k: pubk A k : privk k (definable) Types can depend on term Captures relations between objects Static Local Mandatory Computer Security: 7 - Specification Languages 53
54 Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Computer Security: 7 - Specification Languages 54
55 Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A Computer Security: 7 - Specification Languages 55
56 Type Checking t has type τ in Γ Catches: Γ t : τ Encryption with a nonce Transmission of a long term key Σ P P is welltyped in Σ Computer Security: 7 - Specification Languages 56
57 Typing Terms Γ t 1 : msg Γ t 2 : msg Γ t 1 t 2 : msg Γ t : msg Γ k : shk A B Γ {t} k : msg Γ, x : τ, Γ x : τ Similar rules for Public key encryption Digital signatures, Computer Security: 7 - Specification Languages 57
58 Typing Types Γ msg Γ nonce Γ time Γ A : princ Γ shk A B Γ B : princ Typing for dependent types relies on typing for terms Computer Security: 7 - Specification Languages 58
59 Some Subtyping Rules τ :: τ Γ t : τ Γ t : τ princ :: msg nonce :: msg time :: msg shk A B :: msg pubk A B:: msg No rule for public keys Prevent transmission Computer Security: 7 - Specification Languages 59
60 Typing Tuples and Tuple Types Γ : Γ x : τ Γ t : [t/x]τ Γ (x,t) : τ (x) τ Γ Γ x : τ Γ τ (x) τ Γ, x:τ τ Computer Security: 7 - Specification Languages 60
61 Typing Predicates Γ t:msg Γ N(t) Γ, L:τ, Γ t : τ Γ, L:τ, Γ L(t) Γ, M _ :τ, Γ (A,t ) : τ Γ, M _ :τ, Γ M A (t) Computer Security: 7 - Specification Languages 61
62 Typing Protocol Rules Γ lhs Γ rhs Γ lhs rhs Γ τ Γ, x:τ r Γ x:τ. r Computer Security: 7 - Specification Languages 62
63 Typing Roles Γ Γ τ Γ L:τ. ρ Γ, L:τ ρ Γ r Γ r, ρ Γ ρ Computer Security: 7 - Specification Languages 63
64 Typing Protocol Theories Γ Σ P Σ, A:princ ρ Σ P, ρ A Σ, A:princ P Σ, A:princ ρ Σ, A:princ P, ρ A Computer Security: 7 - Specification Languages 64
65 Data Access Specification DAS r is DASvalid for A in Γ Catches Γ A r P is DASvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Gives meaning to Dolev-Yao intruder Computer Security: 7 - Specification Languages 65
66 An Overview of Access Control Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Verify access to data Computer Security: 7 - Specification Languages 66
67 Processing a Rule Knowledge set: Collects what A knows Context Γ A lhs >> Γ; A rhs Γ A lhs rhs Computer Security: 7 - Specification Languages 67
68 Processing Predicates on the LHS Network messages Γ ; A t >> Γ; A N(t) >> Memory predicates Γ ; A t 1,,t n >> Γ; A M A (t 1,,t n ) >> Computer Security: 7 - Specification Languages 68
69 Interpreting Data on the LHS Pairs Γ; A t 1, t 2 >> Γ; A (t 1, t 2 ) >> Encrypted terms Γ; A k >> Γ; A t >> Γ; A {t} k >> Elementary terms Γ; (,x) A x >> (,x) (Γ,x:τ); A x >> (,x) Computer Security: 7 - Specification Languages 69
70 Accessing Data on the LHS Shared keys Γ; (,k) A k >> (,k) (Γ,x:shK A B); A x >> (,x) Public keys (Γ,k:pubK A,k :privk k); (,k ) A k >> (,k ) (Γ,k:pubK A,k :privk k); A k >> (,k ) Computer Security: 7 - Specification Languages 70
71 Generating Data on the RHS Nonces (Γ, x:nonce); (, x) A rhs Γ; A x:nonce. rhs Computer Security: 7 - Specification Languages 71
72 Constructing Terms on the RHS Pairs Γ; A t 1 Γ; A t 2 Γ; A (t 1, t 2 ) Shared-key encryptions Γ; A t Γ; A k Γ; A {t} k Computer Security: 7 - Specification Languages 72
73 Accessing Data on the RHS Principal Γ, B:princ A B Shared key Γ, B:princ, k:shk A B A k Public key Γ, B:princ, k:pubk B A k Private key Γ, k:pubk A, k :privk k A k Computer Security: 7 - Specification Languages 73
74 NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Computer Security: 7 - Specification Languages 74
75 NS-I: B s role L: princ (B) x princ x nonce x shk B S x nonce x time. B A:princ. n A : nonce k BS : shk B S T B : time n B :nonce. N(A, n A ) Clk B (T B ) N(B, {A,n A,T B } kbs, n B ) Clk B (T B ) L(B,A,n A,k BS,n B,T B ). k AB : shk A B n B : nonce T now : time T V,T e : time L(B,A,n A,k BS,n B,T B ) N({A,k AB,T B } kbs, {n B } kab ) Val B (A,T B, T V ) (T e = T B + T V ) Auth B (A, k AB,T B,T e ) Val B (A,T B, T V ) Constraint Computer Security: 7 - Specification Languages 75
76 Constraints χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) Computer Security: 7 - Specification Languages 76
77 NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs, n B A B: {A, k AB, T B } kbs, {n B } kab Computer Security: 7 - Specification Languages 77
78 NS-I: S s role Anchored role A,B:princ. k AS : shk A S k BS : shk B S n A,n B : nonce T B : time N(B, {A,n A,T B } kbs, n B ) k AB : shk A B. N({B,n A,k AB,T B } kas, {A,k AB,T B } kbs, n B ) S Computer Security: 7 - Specification Languages 78
79 Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab Computer Security: 7 - Specification Languages 79
80 NS-II: A s role A L: princ (A) x princ (B) x shk A B x nonce. n A :nonce. B:princ. k AB : shk A B X: msg Tkt A (B,k AB,X) N( n A, X) Tkt A (B,k AB,X) L(A, B,k AB,n A ). n A,n B : nonce L(A, B,k AB,n A ) N(n B, {n A } kab ) N({n B } kab ) Computer Security: 7 - Specification Languages 80
81 NS-II: B s role L: princ (B) x princ (A) x shk A B x nonce. B n A : nonce k BS : shk B S A:princ. k AB : shk A B T B,T e : time T now : time N(n A, {A,k AB,T B } kbs ) Auth B (A, k AB,T B,T e ) Clk B (T now ) (T now < T e ) n B :nonce. N(n B, {n A } kab ) Auth B (A, k AB,T B,T e ) Clk B (T now ) L(B,A,k AB,n B ). n B : nonce L(B,A,k AB,n B ) N({n B } kab ) Computer Security: 7 - Specification Languages 81
82 Summary: Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory Computer Security: 7 - Specification Languages 82
83 Summary: Roles Role state pred. var. declarations Generic roles L: τ 1 (x 1 ) x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Role owner Anchored roles L: τ 1 (x 1 ) x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Computer Security: 7 - Specification Languages 83
84 Summary: Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signatur e a : τ L l : τ M _ : τ Computer Security: 7 - Specification Languages 84
85 Summary: Execution Model Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules P C C 1- step firing Computer Security: 7 - Specification Languages 85
86 Summary: Rule application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ)A Σ S, F [S 2 ] RρA Σ, c:τ S, G(c) c not in S 1 Computer Security: 7 - Specification Languages 86
87 Configurations Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signatur e a : τ L l : τ M _ : τ Computer Security: 7 - Specification Languages 87
88 Execution Model 1- step firing P C C Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules Computer Security: 7 - Specification Languages 88
89 Variable Instantiation Σ t : τ [S] R ( x:τ.r,ρ) A [S] Σ R ([t/x]r,ρ) A Σ Not fully realistic for verification Redundancy realizes typing, but not completely Computer Security: 7 - Specification Languages 89
90 Rule Application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ)A Σ S, F [S 2 ] RρA Σ, c:τ S, G(c) c not in S 1 Computer Security: 7 - Specification Languages 90
91 Properties Admissibility of parallel firing Type preservation Access control preservation Completeness of Dolev-Yao intruder Computer Security: 7 - Specification Languages 91
92 MSR 2.0 NS Initiator A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb A L: princ x princ (B) x pubk B x nonce. B: princ k B : pubk B n A :nonce. L(A,B,k B,n A ) N({n A,A} kb ) k A : pubk A k A : privk k A n A,n B : nonce L(A,B,k B,n A ) N({n A,n B } ka ) N({n B } kb ) Computer Security: 7 - Specification Languages 92
93 MSR 2.0 NS Responder A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb L: princ (B) x pubk B (kb) x privk k B x nonce. B k B : pubk B k B : privk k B A: princ n A : nonce k A : pubk A N({n A,A} kb ) n B :nonce. L(B,k B,k B,n B ) N({n A,n B } ka ) n B : nonce L(B,k B,k B,n B ) N({n B } kb ) Computer Security: 7 - Specification Languages 93
94 Readings R. Needham and M. Schroeder, Using Encryption for Authentication in Large Networks of Computers, 1978 M. Burrows, M. Abadi, and R. Needham, A Logic of Authentication, 1989 M. Abadi and A. Gordon, A Calculus for Cryptographic Protocols: The Spi-Calculus, 1999 J. Thayer-Fabrega, J. Herzog, and J. Guttman, Strand Spaces: Why is a Security Protocol Correct, 1998 Iliano Cervesato, Typed MSR: Syntax and Examples, 2000 Computer Security: 7 - Specification Languages 94
95 Exercises for Lecture 7 Give MSR 2.0 encodings of one of the following protocols from the Clark and Jacob library ( Needham-Schroeder public key [6.3.1] Amended Needham-Schroeder [6.3.4] Wide-Mouthed Frog [6.3.5] Yahalom[6.3.6] Woo-Lam [ Π] Kehne-Langendorfer-Shoenwalder [6.3.5] Kao-Chow [6.5.4] Computer Security: 7 - Specification Languages 95
96 Next Intruder Models Computer Security: 7 - Specification Languages 96
Typed MSR: Syntax and Examples
Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ MMM 01 St. Petersburg, Russia May 22 nd, 2001 Outline
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples
More informationAbstract Specification of Crypto- Protocols and their Attack Models in MSR
Abstract Specification of Crypto- Protocols and their Attack Models in MSR Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ Software
More informationMSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano ISSS 2003,
More informationOne Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationThe Logical Meeting Point of Multiset Rewriting and Process Algebra
MFPS 20 @ MU May 25, 2004 The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano ervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, D http://theory.stanford.edu/~iliano
More informationControl Flow Analysis of Security Protocols (I)
Control Flow Analysis of Security Protocols (I) Mikael Buchholtz 02913 F2005 Mikael Buchholtz p. 1 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography 02913 F2005
More informationProving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationA Logic of Authentication
A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,
More informationProving Properties of Security Protocols by Induction
Proving Security Protocols 1 L. C. Paulson Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory University of Cambridge Proving Security Protocols 2 L. C. Paulson
More informationTime-Bounding Needham-Schroeder Public Key Exchange Protocol
Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek
More informationA decidable subclass of unbounded security protocols
A decidable subclass of unbounded security protocols R. Ramanujam and S. P. Suresh The Institute of Mathematical Sciences C.I.T. Campus, Chennai 600 113, India. E-mail: {jam,spsuresh}@imsc.res.in 1 Summary
More informationModels and analysis of security protocols 1st Semester Security Protocols Lecture 6
Models and analysis of security protocols 1st Semester 2010-2011 Security Protocols Lecture 6 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 18th 2010 1 / 46 Last Time (I) Symmetric
More informationProtocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete
Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete Michaël Rusinowitch and Mathieu Turuani LORIA-INRIA- Université Henri Poincaré, 54506 Vandoeuvre-les-Nancy cedex, France
More informationProbabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Lincoln, P. Mateus, M. Mitchell Standard analysis methods Finite-state
More informationRelating State-Based and Process-Based Concurrency through Linear Logic
École Polytechnique 17 September 2009 Relating State-Based and Process-Based oncurrency through Linear Logic Iliano ervesato arnegie Mellon University - Qatar iliano@cmu.edu Specifying oncurrent Systems
More informationEncoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania
Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to
More informationAnalysis of authentication protocols Intership report
Analysis of authentication protocols Intership report Stéphane Glondu ENS de Cachan September 3, 2006 1 Introduction Many computers are interconnected through networks, the biggest of them being Internet.
More informationVerification of Security Protocols in presence of Equational Theories with Homomorphism
Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D,
More informationAutomatic Verification of Complex Security Protocols With an Unbounded Number of Sessions
Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions Kaile Su, Weiya Yue and Qingliang Chen Department of Computer Science, Sun Yat-sen University Guangzhou, P.R. China
More informationCPSA and Formal Security Goals
CPSA and Formal Security Goals John D. Ramsdell The MITRE Corporation CPSA Version 2.5.1 July 8, 2015 Contents 1 Introduction 3 2 Syntax 6 3 Semantics 8 4 Examples 10 4.1 Needham-Schroeder Responder.................
More informationHeuristic Methods for Security Protocols
Heuristic Methods for Security Protocols Qurat ul Ain Nizamani Department of Computer Science University of Leicester, UK qn4@mcs.le.ac.uk Emilio Tuosto Department of Computer Science University of Leicester,
More informationThe Sizes of Skeletons: Security Goals are Decidable
The Sizes of Skeletons: Security Goals are Decidable Joshua D. Guttman and F. Javier Thayer The MITRE Corporation guttman, jt@mitre.org Abstract. We show how to collapse executions of a cryptographic protocol,
More informationBAN Logic A Logic of Authentication
BAN Logic A Logic of Authentication Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 BAN Logic The BAN logic was named after its inventors, Mike Burrows, Martín Abadí,
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University
More informationTerm Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool
Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Informáticos y Computación Universitat Politècnica de València sescobar@dsic.upv.es
More informationStrand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001
Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction
More informationVerification of the TLS Handshake protocol
Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol.
More informationA Calculus for Control Flow Analysis of Security Protocols
International Journal of Information Security manuscript No. (will be inserted by the editor) A Calculus for Control Flow Analysis of Security Protocols Mikael Buchholtz, Hanne Riis Nielson, Flemming Nielson
More informationAn Efficient Cryptographic Protocol Verifier Based on Prolog Rules
An Efficient Cryptographic Protocol Verifier Based on Prolog Rules Bruno Blanchet INRIA Rocquencourt Domaine de Voluceau B.P. 105 78153 Le Chesnay Cedex, France Bruno.Blanchet@inria.fr Abstract We present
More informationAPPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.
APPLITIONS OF AN-LOGIC JAN WESSELS CMG FINANCE.V. APRIL 19, 2001 Chapter 1 Introduction This document is meant to give an overview of the AN-logic. The AN-logic is one of the methods for the analysis of
More informationModels for an Adversary-Centric Protocol Logic
Workshop on Logical Aspects of Cryptographics 2001 Preliminary Version Models for an Adversary-Centric Protocol Logic Peter Selinger Department of Mathematics and Statistics University of Ottawa Ottawa,
More informationThe Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability
The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Catherine Meadows Naval Research Laboratory, Washington, DC 20375 catherine.meadows@nrl.navy.mil Formal Methods for the Science of
More informationA compositional logic for proving security properties of protocols
Journal of Computer Security 11 (2003) 677 721 677 IOS Press A compositional logic for proving security properties of protocols Nancy Durgin a, John Mitchell b and Dusko Pavlovic c a Sandia National Labs,
More informationA Logic of Authentication. Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989
A Logic of Authentication Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989 Logic Constructs P believes X : P may act as though X is true. P sees X : a message containing X was sent to P; P can read and
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1,ChiaraBodei 2, Pierpaolo Degano 2, and Hanne Riis Nielson 1 1 Informatics and Mathematical Modelling, Technical University
More informationEvent structure semantics for security protocols
Event structure semantics for security protocols Jonathan Hayman and Glynn Winskel Computer Laboratory, University of Cambridge, United Kingdom Abstract. We study the use of event structures, a well-known
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationSymbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation
Symbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation Jonathan Millen and Vitaly Shmatikov Computer Science Laboratory SRI International millenshmat @cslsricom Abstract We demonstrate
More informationProbabilistic Model Checking of Security Protocols without Perfect Cryptography Assumption
Our Model Checking of Security Protocols without Perfect Cryptography Assumption Czestochowa University of Technology Cardinal Stefan Wyszynski University CN2016 Our 1 2 3 Our 4 5 6 7 Importance of Security
More informationA progress report on using Maude to verify protocol properties using the strand space model
A progress report on using Maude to verify protocol properties using the strand space model Presented by Robert P. Graham, MAJ, USAF/AFIT Stephen W. Mancini, 1Lt, USAF/AFIT Presentation date: 01 Oct 03
More informationComplexity of Checking Freshness of Cryptographic Protocols
Complexity of Checking Freshness of Cryptographic Protocols Zhiyao Liang Rakesh M Verma Computer Science Department, University of Houston, Houston TX 77204-3010, USA Email: zliang@cs.uh.edu, rmverma@cs.uh.edu
More informationDiscrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols
Discrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols Max Kanovich 1,5 Tajana Ban Kirigin 2 Vivek Nigam 3 Andre Scedrov 4,5 and Carolyn Talcott 6 1 Queen Mary, University of London
More informationMASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY
DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY MASTER S THESIS MICHAEL GARDE FROM FORMAL TO COMPUTATIONAL AUTHENTICITY AN APPROACH FOR RECONCILING FORMAL AND COMPUTATIONAL
More informationAutomated Validation of Internet Security Protocols. Luca Viganò
Automated Validation of Internet Security Protocols Luca Viganò The AVISPA Project Luca Viganò 1 Motivation The number and scale of new security protocols under development is out-pacing the human ability
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationAn undecidability result for AGh
Theoretical Computer Science 368 (2006) 161 167 Note An undecidability result for AGh Stéphanie Delaune www.elsevier.com/locate/tcs France Télécom R&D, Lab. Spécification & Vérification, CNRS & ENS de
More informationModel Checking Security Protocols Using a Logic of Belief
Model Checking Security Protocols Using a Logic of Belief Massimo Benerecetti 1 and Fausto Giunchiglia 1,2 1 DISA - University of Trento, Via Inama 5, 38050 Trento, Italy 2 IRST - Istituto Trentino di
More informationComputing Symbolic Models for Verifying Cryptographic Protocols
Computing Symbolic Models for Verifying Cryptographic Protocols Marcelo Fiore Computer Laboratory University of Cambridge Martín Abadi Bell Labs Research Lucent Technologies Abstract We consider the problem
More informationarxiv: v1 [cs.cr] 27 May 2016
Towards the Automated Verification of Cyber-Physical Security Protocols: Bounding the Number of Timed Intruders Vivek Nigam 1, Carolyn Talcott 2 and Abraão Aires Urquiza 1 arxiv:1605.08563v1 [cs.cr] 27
More informationSkeletons and the Shapes of Bundles
Skeletons and the Shapes of Bundles Shaddin F. Doghmi, Joshua D. Guttman, and F. Javier Thayer The MITRE Corporation Abstract. The shapes of a protocol are its minimal, essentially different executions.
More informationOn the Verification of Cryptographic Protocols
On the Verification of Cryptographic Protocols Federico Cerutti Dipartimento di Ingegneria dell Informazione, Università di Brescia Via Branze 38, I-25123 Brescia, Italy January 11, 2011 Talk at Prof.
More informationAn Undecidability Result for AGh
An Undecidability Result for AGh Stéphanie Delaune France Télécom R&D, Lab. Spécification & Vérification, CNRS & ENS de Cachan, France. Abstract We present an undecidability result for the verification
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationAutomata-based analysis of recursive cryptographic protocols
1 Automata-based analysis of recursive cryptographic protocols Thomas Wilke Joint work with Ralf Küsters Christian-Albrechts-Universität zu Kiel June 13, 2004 Un-/Decidability of security in the DY model
More informationA Cryptographic Decentralized Label Model
A Cryptographic Decentralized Label Model Jeffrey A. Vaughan and Steve Zdancewic Department of Computer and Information Science University of Pennsylvania IEEE Security and Privacy May 22, 2007 Information
More informationExtending Dolev-Yao with Assertions
Extending Dolev-Yao with Assertions Vaishnavi Sundararajan Chennai Mathematical Institute FOSAD 2015 August 31, 2015 (Joint work with R Ramanujam and S P Suresh) Vaishnavi S Extending Dolev-Yao with Assertions
More informationReport Documentation Page
Multiset Rewriting and the Complexity of Bounded Security Protocols Λ N.A. Durgin P.D. Lincoln J.C. Mitchell A. Scedrov Sandia National Laboratories Livermore, CA nadurgi@sandia.gov Computer Science Dept.
More informationTAuth: Verifying Timed Security Protocols
TAuth: Verifying Timed Security Protocols Li Li 1, Jun Sun 2, Yang Liu 3, and Jin Song Dong 1 1 National University of Singapore 2 Singapore University of Technology and Design 3 Nanyang Technological
More informationTHE SHAPES OF BUNDLES
THE SHAPES OF BUNDLES SHADDIN F. DOGHMI, JOSHUA D. GUTTMAN, AND F. JAVIER THAYER Contents 1. Introduction 2 2. Background 2 2.1. Protocols 2 2.2. An Example: The Yahalom Protocol 3 2.3. Occurrences and
More informationA Semantics for a Logic of Authentication. Cambridge, MA : A; B
A Semantics for a Logic of Authentication (Extended Abstract) Martn Abadi Digital Equipment Corporation Systems Research Center 130 Lytton Avenue Palo Alto, CA 94301 ma@src.dec.com Abstract: Burrows, Abadi,
More informationAnalysing Layered Security Protocols
Analysing Layered Security Protocols Thomas Gibson-Robinson St Catherine s College University of Oxford A thesis submitted for the degree of Doctor of Philosophy Trinity 2013 Abstract Many security protocols
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationRZ 3709 (# 99719) 06/20/2008 (Revised Version: October 2008) Computer Science 18 pages
RZ 3709 (# 99719) 06/20/2008 (Revised Version: October 2008) Computer Science 18 pages Research Report Algebraic Properties in Alice and Bob Notation (Extended Version, revised October 2008) Sebastian
More informationVerification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method
Verification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method Pasquale Noce Security Certification Specialist at Arjo Systems, Italy pasquale dot noce dot lavoro
More informationThe TLA + proof system
The TLA + proof system Stephan Merz Kaustuv Chaudhuri, Damien Doligez, Leslie Lamport INRIA Nancy & INRIA-MSR Joint Centre, France Amir Pnueli Memorial Symposium New York University, May 8, 2010 Stephan
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationOn the Automatic Analysis of Recursive Security Protocols with XOR
On the Automatic Analysis of Recursive Security Protocols with XOR Ralf Küsters 1 and Tomasz Truderung 2 1 ETH Zurich ralf.kuesters@inf.ethz.ch 2 University of Kiel, Wrocław University tomasz.truderung@ii.uni.wroc.pl
More informationstructure of such protocols, the difficulty is that logics are useful only when the semantics is precise, and most of the problems seem to relate to p
Information based reasoning about security protocols R. Ramanujam and S. P. Suresh 1 The Institute of Mathematical Sciences C.I.T. Campus, Chennai 600 113, India. Abstract We propose a notion of information
More informationSymbolic trace analysis of cryptographic protocols
Symbolic trace analysis of cryptographic protocols Michele Boreale Dipartimento di Sistemi e Informatica, Università di Firenze, Via Lombroso 6/17, 50134 Firenze, Italia. E-mail boreale@dsi.unifi.it. Abstract.
More informationDeciding the Security of Protocols with Commuting Public Key Encryption
Electronic Notes in Theoretical Computer Science 125 (2005) 55 66 www.elsevier.com/locate/entcs Deciding the Security of Protocols with Commuting Public Key Encryption Yannick Chevalier a,1 Ralf Küsters
More informationEquational Tree Automata: Towards Automated Verification of Network Protocols
Equational Tree Automata: Towards Automated Verification of Network Protocols Hitoshi Ohsaki and Toshinori Takai National Institute of Advanced Industrial Science and Technology (AIST) Nakoji 3 11 46,
More informationAutomatic, computational proof of EKE using CryptoVerif
Automatic, computational proof of EKE using CryptoVerif (Work in progress) Bruno Blanchet blanchet@di.ens.fr Joint work with David Pointcheval CNRS, École Normale Supérieure, INRIA, Paris April 2010 Bruno
More informationAuthentication Tests and the Structure of Bundles
Authentication Tests and the Structure of Bundles Joshua D. Guttman F. Javier Thayer September 2000 Today s Lecture Authentication Tests: How to find out what a protocol achieves How to prove it achieves
More informationAuthentication Tests and Disjoint Encryption: a Design Method for Security Protocols
Authentication Tests and Disjoint Encryption: a Design Method for Security Protocols Joshua D. Guttman The MITRE Corporation guttman@mitre.org 20 August 2003 Abstract We describe a protocol design process,
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationThe State Explosion Problem
The State Explosion Problem Martin Kot August 16, 2003 1 Introduction One from main approaches to checking correctness of a concurrent system are state space methods. They are suitable for automatic analysis
More informationLecture Notes on Certifying Theorem Provers
Lecture Notes on Certifying Theorem Provers 15-317: Constructive Logic Frank Pfenning Lecture 13 October 17, 2017 1 Introduction How do we trust a theorem prover or decision procedure for a logic? Ideally,
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationAsymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis
Asymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis Serdar Erbatur 6, Santiago Escobar 1, Deepak Kapur 2, Zhiqiang Liu 3, Christopher Lynch 3, Catherine Meadows 4, José
More informationProof Scores in the OTS/CafeOBJ Method
Proof Scores in the OTS/CafeOBJ Method Kazuhiro Ogata 1,2 and Kokichi Futatsugi 2 1 NEC Software Hokuriku, Ltd. ogatak@acm.org 2 Japan Advanced Institute of Science and Technology (JAIST) kokichi@jaist.ac.jp
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationThe Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security
The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security Carlos Olarte and Frank D. Valencia INRIA /CNRS and LIX, Ecole Polytechnique Motivation Concurrent
More informationStrand Spaces: Why is a Security Protocol Correct?
Strand Spaces: Why is a Security Protocol Correct? F. Javier Thayer Fábrega Jonathan C. Herzog Joshua D. Guttman The MITRE Corporation fjt, jherzog, guttmang@mitre.org Abstract A strand is a sequence of
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationReasoning with Higher-Order Abstract Syntax and Contexts: A Comparison
1 Reasoning with Higher-Order Abstract Syntax and Contexts: A Comparison Amy Felty University of Ottawa July 13, 2010 Joint work with Brigitte Pientka, McGill University 2 Comparing Systems We focus on
More informationA Constructor-Based Reachability Logic for Rewrite Theories
A Constructor-Based Reachability Logic for Rewrite Theories Stephen Skeirik, Andrei Stefanescu, Jose Meseguer October 10th, 2017 Outline 1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox
More informationDecidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation
Decidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation Vitaly Shmatikov SRI International shmat@csl.sri.com Abstract. We demonstrate that the symbolic trace reachability
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationProving secrecy is easy enough
Proving secrecy is easy enough VCronique Cortier Laboratoire SpCcification et VCrification Ecole Normale SupCrieure de Cachan 61, Avenue du President Wilson, 94230 Cachan, France cortier@ 1sv.ens-cachan.fr
More informationA Short Tutorial on Proverif
A Short Tutorial on Proverif Alfredo Pironti and Riccardo Sisto Politecnico di Torino, Italy Cryptoforma Meeting, Apr 8, 2010 1 Outline PART 1: how the tool works (Riccardo Sisto) Context: Abstract modelling
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More information