MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.


1 MSR by Examples. Iliano Cervesato, ITT Industries, NRL Washington DC. IITD, CSE Dept., Delhi, India, April 24th, 2002
2 Outline
  Security Protocols
  MSR
  Multiset rewriting
  The Neuman-Stubblebine Protocol
  MSR
3 Security Protocols
  Exchange of (encrypted) messages for:
  Communicating secrets
  Authentication
  Contract signing
  E-commerce
4 Neuman-Stubblebine Phase I
  A wants to access service provided by B; S is the key distribution center
  A → B: A, n_A
  B → S: B, {A, n_A, T_B}_kBS, n_B
  S → A: {B, n_A, k_AB, T_B}_kAS, {A, k_AB, T_B}_kBS, n_B
  A → B: {A, k_AB, T_B}_kBS, {n_B}_kAB
  Ticket: {A, k_AB, T_B}_kBS
5 Neuman-Stubblebine Phase II
  A wants to use the service provided by B again
  A → B: n_A, {A, k_AB, T_B}_kBS
  B → A: n_B, {n_A}_kAB
  A → B: {n_B}_kAB
  Ticket: {A, k_AB, T_B}_kBS
6 The Dolev-Yao Model of Security
  Symbolic data: no bits
  Black-box cryptography: no guessing of keys
  (Partially) abstract data access: knowledge soup
  Found in most protocol analysis tools
  Tractability
7 Why is Protocol Analysis Difficult?
  Subtle cryptographic primitives
  Dolev-Yao abstraction
  Distributed hostile environment
  "Prudent engineering practice"
  Inadequate specification languages
  "the devil is in details"
8 Languages to Specify What?
  Message flow
  Message constituents
  Operating environment
  Protocol goals
9 Desirable Properties
  Unambiguous
  Simple
  Flexible
  Adapts to protocol
  Applies to a wide class of protocols
  Insightful
10 MSR
  Multiset rewriting with existentials
  Dependent types w/ subsorting (new)
  Memory predicates (new)
  Constraints (new)
11 Multiset Rewriting
  Multiset: set with repetitions allowed
  Rewrite rule r: N_1 → N_2
  Application: M_1 →_r M_2, that is, M, N_1 →_r M, N_2
  Multi-step transition, reachability
12 Neuman-Stubblebine Phase I
  A → B: A, n_A
  B → S: B, {A, n_A, T_B}_kBS, n_B
  S → A: {B, n_A, k_AB, T_B}_kAS, {A, k_AB, T_B}_kBS, n_B
  A → B: {A, k_AB, T_B}_kBS, {n_B}_kAB
13 NSI: B's point of view
  A → B: A, n_A
  B → S: B, {A, n_A, T_B}_kBS, n_B
  S → A: {B, n_A, k_AB, T_B}_kAS, {A, k_AB, T_B}_kBS, n_B
  A → B: {A, k_AB, T_B}_kBS, {n_B}_kAB
14 NSI: S's point of view
  A → B: A, n_A
  B → S: B, {A, n_A, T_B}_kBS, n_B
  S → A: {B, n_A, k_AB, T_B}_kAS, {A, k_AB, T_B}_kBS, n_B
  A → B: {A, k_AB, T_B}_kBS, {n_B}_kAB
15 NSI: A's point of view
  A → B: A, n_A
  B → S: B, {A, n_A, T_B}_kBS, n_B
  S → A: {B, n_A, k_AB, T_B}_kAS, {A, k_AB, T_B}_kBS, n_B
  A → B: {A, k_AB, T_B}_kBS, {n_B}_kAB
  X: the Ticket
16 Sending / Receiving Messages
  Network predicate N(t): t is a message in transit
  → N(A, n_A)
  N({B, n_A, k_AB, T_B}_kAS, X, n_B) → N(X, {n_B}_kAB)
17 Terms
  Atomic terms: principal names A, keys k, nonces n
  Term constructors: ( ), {_}
  Definable
18 Nonces
  Existential variables: n_A instantiated to a new constant
  → ∃n_A. N(A, n_A)
  N({B, n_A, k_AB, T_B}_kAS, X, n_B) → N(X, {n_B}_kAB)
19 MSet Rewriting with Existentials
  Msets of 1st-order atomic formulas
  Rules r: F(x) → ∃n. G(x, n)
  Application: M_1 →_r M_2, that is, M, F(t) →_r M, G(t, c), with c not in M_1
20 Sequencing actions
  Role state predicate: L(A, n_A)
  ∃L. (Fresh!)
    → ∃n_A. N(A, n_A), L(A, n_A)
    L(A, n_A), N({B, n_A, k_AB, T_B}_kAS, X, n_B) → N(X, {n_B}_kAB)
21 Role state predicates
  L_l(A, t, …, t)
  Hold data local to a role instance
  Lifespan = role
  Invoke next rule
  L_l = control
  (A, t, …, t) = data
22 Remembering Things
  Memory predicate: Tkt_A(B, k_AB, X)
  ∃L.
    → ∃n_A. L(A, n_A), N(A, n_A)
    L(A, n_A), N({B, n_A, k_AB, T_B}_kAS, X, n_B) → N(X, {n_B}_kAB), Tkt_A(B, k_AB, X)
23 Memory Predicates (new)
  M_A(t, …, t)
  Hold private info. across role exec.
  Support for subprotocols
  Communicate data
  Pass control
  Interface to outside system
  Implements intruder
24 Role owner (new)
  Role owner: the principal executing the role
  Role (owner A):
    ∃L.
      → ∃n_A. L(A, n_A), N(A, n_A)
      L(A, n_A), N({B, n_A, k_AB, T_B}_kAS, X, n_B) → N(X, {n_B}_kAB), Tkt_A(B, k_AB, X)
25 What is what? Types
  Role (owner A):
    ∃L: princ × nonce.
      → ∃n_A: nonce. L(A, n_A), N(A, n_A)
      B: princ. n_A, n_B: nonce. k_AB: shk A B. k_AS: shk A S. X: msg.
      L(A, n_A), N({B, n_A, k_AB, T_B}_kAS, X, n_B) → N(X, {n_B}_kAB), Tkt_A(B, k_AB, X)
26 Types of Terms
  A: princ
  n: nonce
  k: shk A B
  k: pubk A
  k : privk k
  (definable)
  Types can depend on term
  Captures relations between objects
  Static
  Local
  Mandatory
27 Subtyping
  τ :: msg
  Allows atomic terms in messages
  Definable
  Non-transmittable terms
  Sub-hierarchies
28 Type of predicates
  Dependent sums: Σx: τ. τ    τ(x) × τ
  Forces associations among arguments
  E.g.: princ(A) × pubk A(k_A) × privk k_A
29 Type Checking (new)
  Γ t : τ    t has type τ in Γ
  Σ P        P is well-typed in Σ
  Catches:
    Encryption with a nonce
    Transmission of a long-term key
30 Data Access Specification (DAS) (new)
  Γ A r    r is DAS-valid for A in Γ
  Σ P      P is DAS-valid in Σ
  Catches:
    A signing/encrypting with B's key
    A accessing B's private data
  Gives meaning to Dolev-Yao intruder
31 NSI: B's point of view
  A → B: A, n_A
  B → S: B, {A, n_A, T_B}_kBS, n_B
  S → A: {B, n_A, k_AB, T_B}_kAS, {A, k_AB, T_B}_kBS, n_B
  A → B: {A, k_AB, T_B}_kBS, {n_B}_kAB
32 NSI: B's role
  Role (owner B):
    ∃L: princ(B) × princ × nonce × shk B S × nonce × time.
      A: princ. n_A: nonce. k_BS: shk B S. T_B: time.
      N(A, n_A), Clk_B(T_B) → ∃n_B: nonce. N(B, {A, n_A, T_B}_kBS, n_B), Clk_B(T_B), L(B, A, n_A, k_BS, n_B, T_B)

      k_AB: shk A B. n_B: nonce. T_now: time. T_V, T_e: time.
      L(B, A, n_A, k_BS, n_B, T_B), N({A, k_AB, T_B}_kBS, {n_B}_kAB), Val_B(A, T_B, T_V), (T_e = T_B + T_V) → Auth_B(A, k_AB, T_B, T_e), Val_B(A, T_B, T_V)
  Constraint: (T_e = T_B + T_V)
33 Constraints (new)
  χ
  Guards over interpreted domain
  Abstract
  Modular
  Invoke constraint handler
  E.g.: timestamps
    (T_E = T_N + T_d)
    (T_N < T_E)
34 NSI: S's point of view
  A → B: A, n_A
  B → S: B, {A, n_A, T_B}_kBS, n_B
  S → A: {B, n_A, k_AB, T_B}_kAS, {A, k_AB, T_B}_kBS, n_B
  A → B: {A, k_AB, T_B}_kBS, {n_B}_kAB
35 NSI: S's role
  Anchored role (owner S):
    A, B: princ. k_AS: shk A S. k_BS: shk B S. n_A, n_B: nonce. T_B: time.
    N(B, {A, n_A, T_B}_kBS, n_B) → ∃k_AB: shk A B. N({B, n_A, k_AB, T_B}_kAS, {A, k_AB, T_B}_kBS, n_B)
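The Phase I roles of A, B and S can be run directly as multiset rewriting with existentials. The Python below is an added example, not code from the slides or from the MSR project. The split of each rule into left- and right-hand side is this edit's reading of the transcription; the tuple encoding of terms, the constant key names kAS and kBS, the fixed principals and the initial Clk/Val values are assumptions, and types are not checked.

```python
from collections import Counter, namedtuple
from itertools import count

class Var:
    def __init__(self, name):         # rule variable: matched or made fresh
        self.name = name

def match(pat, term, env):
    """Extend env so that pat instantiates to term; None if impossible."""
    if isinstance(pat, Var):
        same = env.get(pat.name, term) == term
        return {**env, pat.name: term} if same else None
    if isinstance(pat, tuple):
        if not isinstance(term, tuple) or len(pat) != len(term):
            return None
        for p, t in zip(pat, term):
            env = match(p, t, env)
            if env is None:
                return None
        return env
    return env if pat == term else None

def subst(pat, env):
    if isinstance(pat, Var):
        return env[pat.name]
    return tuple(subst(p, env) for p in pat) if isinstance(pat, tuple) else pat

def atoms(term):
    if not isinstance(term, tuple):
        return {term}
    return set().union(*map(atoms, term))

def find_match(lhs, state, env):
    """Match each lhs pattern against a distinct fact occurrence (backtracking)."""
    if not lhs:
        return env, Counter()
    for fact in [f for f, n in state.items() if n > 0]:
        e = match(lhs[0], fact, env)
        if e is not None:
            state[fact] -= 1
            rest = find_match(lhs[1:], state, e)
            state[fact] += 1
            if rest is not None:
                rest[1][fact] += 1
                return rest
    return None

Rule = namedtuple("Rule", "lhs fresh rhs guard", defaults=(None,))
_ids = count(1)

def apply_rule(rule, state):
    """One step M, F(t) -> M, G(t, c) with c not in M; None if not applicable."""
    found = find_match(rule.lhs, Counter(state), {})
    if found is None:
        return None
    env, used = found
    env = rule.guard(env) if rule.guard else env   # constraint handler
    if env is None:
        return None
    taken = atoms(tuple(state))
    for v in rule.fresh:              # existential: constant new to the state
        c = f"{v.name}#{next(_ids)}"
        while c in taken:
            c = f"{v.name}#{next(_ids)}"
        env = {**env, v.name: c}
    return Counter(state) - used + Counter(subst(f, env) for f in rule.rhs)

def enc(key, *payload):
    return ("enc", key, payload)      # symbolic {payload}_key

nA, nB, kAB, TB, TV, X = (Var(n) for n in ("nA", "nB", "kAB", "TB", "TV", "X"))
TICKET = enc("kBS", "A", kAB, TB)     # {A, k_AB, T_B}_kBS

RULES = [   # Phase I for fixed principals A, B, S; kAS, kBS are constants
    Rule([], [nA], [("N", "A", nA), ("L_A", "A", nA)]),
    Rule([("N", "A", nA), ("Clk", "B", TB)], [nB],
         [("N", "B", enc("kBS", "A", nA, TB), nB), ("Clk", "B", TB),
          ("L_B", "B", "A", nA, "kBS", nB, TB)]),
    Rule([("N", "B", enc("kBS", "A", nA, TB), nB)], [kAB],
         [("N", enc("kAS", "B", nA, kAB, TB), TICKET, nB)]),
    Rule([("L_A", "A", nA), ("N", enc("kAS", "B", nA, kAB, TB), X, nB)], [],
         [("N", X, enc(kAB, nB)), ("Tkt", "A", "B", kAB, X)]),
    Rule([("L_B", "B", "A", nA, "kBS", nB, TB), ("N", TICKET, enc(kAB, nB)),
          ("Val", "B", "A", TB, TV)], [],
         [("Auth", "B", "A", kAB, TB, Var("Te")), ("Val", "B", "A", TB, TV)],
         guard=lambda e: {**e, "Te": e["TB"] + e["TV"]}),  # T_e = T_B + T_V
]

INITIAL = Counter([("Clk", "B", 100), ("Val", "B", "A", 100, 50)])  # constructed

def run_phase1(state=INITIAL):
    """Fire the five rules in protocol order; return all intermediate states."""
    trace = [state]
    for rule in RULES:
        trace.append(apply_rule(rule, trace[-1]))
        if trace[-1] is None:
            raise RuntimeError("rule not applicable")
    return trace
```

After the last step the network and both role state predicates are gone; only B's clock and validity facts, A's Tkt and B's Auth remain, the two memory predicates that Phase II starts from.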
36 Neuman-Stubblebine Phase II
  A → B: n_A, {A, k_AB, T_B}_kBS
  B → A: n_B, {n_A}_kAB
  A → B: {n_B}_kAB
37 NSII: A's role
  Role (owner A):
    ∃L: princ(A) × princ(B) × shk A B × nonce.
      B: princ. k_AB: shk A B. X: msg.
      Tkt_A(B, k_AB, X) → ∃n_A: nonce. N(n_A, X), Tkt_A(B, k_AB, X), L(A, B, k_AB, n_A)

      n_A, n_B: nonce.
      L(A, B, k_AB, n_A), N(n_B, {n_A}_kAB) → N({n_B}_kAB)
38 NSII: B's role
  Role (owner B):
    ∃L: princ(B) × princ(A) × shk A B × nonce.
      n_A: nonce. k_BS: shk B S. A: princ. k_AB: shk A B. T_B, T_e: time. T_now: time.
      N(n_A, {A, k_AB, T_B}_kBS), Auth_B(A, k_AB, T_B, T_e), Clk_B(T_now), (T_now < T_e) → ∃n_B: nonce. N(n_B, {n_A}_kAB), Auth_B(A, k_AB, T_B, T_e), Clk_B(T_now), L(B, A, k_AB, n_B)

      n_B: nonce.
      L(B, A, k_AB, n_B), N({n_B}_kAB) →
39 Summary: Rules
  x_1: τ_1. … x_n: τ_n. lhs → ∃y_1: τ_1. … ∃y_n: τ_n. rhs
  lhs: N(t) Network; L(t, …, t) Local state; M_A(t, …, t) Memory; χ Constraints
  rhs: N(t) Network; L(t, …, t) Local state; M_A(t, …, t) Memory
40 Summary: Roles
  Generic roles (role owner A):
    Role state pred. var. declarations: ∃L: τ_1(x_1) × … × τ_n(x_n)
    x: τ. lhs → ∃y: τ. rhs
    x: τ. lhs → ∃y: τ. rhs
  Anchored roles (role owner A):
    ∃L: τ_1(x_1) × … × τ_n(x_n)
    x: τ. lhs → ∃y: τ. rhs
    x: τ. lhs → ∃y: τ. rhs
41 Summary: Snapshots
  C = [S] R Σ
  Active role set
  State: N(t), L_l(t, …, t), M_A(t, …, t)
  Signature: a : τ, L_l : τ, M_ : τ
42 Summary: Execution Model
  P C C (1-step firing)
  Activate roles
  Generates new role state pred. names
  Instantiate variables
  Apply rules
  Skips rules
43 Summary: Rule application
  r = F, χ → ∃n: τ. G(n)
  Constraint check: Σ = χ (constraint handler)
  Firing: [S_1] R(r,ρ)A Σ → [S_2] RρA Σ, c:τ
    c not in S_1
    S, F → S, G(c)
44 Properties
  Decidability of type checking
  Type preservation
  Access control preservation
  Decidability of DAS verification
  Completeness of Dolev-Yao intruder
45 Completed Case-Studies
  Full Needham-Schroeder public-key
  Otway-Rees
  Neuman-Stubblebine repeated auth.
  OFT group key management
46 Part III: The Intruder
47 Execution with an Attacker
  P, P_I C C
  Selected principal(s): I
  Generic capabilities: P_I
    Well-typed
    AC-valid
  Modeled completely within MSR
48 The Dolev-Yao Intruder
  Specific protocol suite P_DY
  Underlies every protocol analysis tool
  Completeness still unproved
49 Capabilities of the DY Intruder
  Intercept / emit messages
  Decrypt / encrypt with known key
  Split / form pairs
  Look up public information
  Generate fresh data
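The capabilities listed on this slide amount to a closure computation over the intruder's knowledge, which is how a secrecy claim about k_AB can be checked symbolically. The Python below is an added example, not taken from the slides: it assumes atomic symmetric keys, a tuple encoding of terms, and a constructed trace of the four Phase I messages with constant names chosen here.

```python
def enc(key, *payload):
    return ("enc", key, payload)          # symbolic {payload}_key

def pair(*parts):
    return ("pair", parts)                # message concatenation

def analyze(knowledge):
    """Close a set of terms under splitting pairs and decrypting with known keys."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue                  # atoms cannot be taken apart
            if t[0] == "pair":
                parts = t[1]
            elif t[0] == "enc" and t[1] in known:
                parts = t[2]              # key is known: open the ciphertext
            else:
                continue                  # black-box crypto: no key, no access
            if not known.issuperset(parts):
                known.update(parts)
                changed = True
    return known

def derivable(target, knowledge):
    """True if the intruder can emit target: obtained by analysis, or built by
    forming pairs and encrypting with derivable keys."""
    known = analyze(knowledge)

    def synth(t):
        if t in known:
            return True
        if isinstance(t, tuple) and t[0] == "pair":
            return all(synth(p) for p in t[1])
        if isinstance(t, tuple) and t[0] == "enc":
            return synth(t[1]) and all(synth(p) for p in t[2])
        return False

    return synth(target)

# Constructed trace: the four Phase I messages as intercepted on the network.
TICKET = enc("kBS", "A", "kAB", "TB")
TRACE = {
    pair("A", "nA"),
    pair("B", enc("kBS", "A", "nA", "TB"), "nB"),
    pair(enc("kAS", "B", "nA", "kAB", "TB"), TICKET, "nB"),
    pair(TICKET, enc("kAB", "nB")),
}
PUBLIC = {"A", "B", "S", "nI"}            # public names plus one fresh intruder nonce

def session_key_exposed(extra=()):
    """Is k_AB derivable when the intruder additionally holds the terms in extra?"""
    return derivable("kAB", TRACE | PUBLIC | set(extra))
```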
50 Future work
  Experimentation
  Clark-Jacob library
  Fair-exchange protocols
  More multicast
  Pragmatics
  Type reconstruction
  Operational execution model(s)
  Implementation
  Automated specification techniques
More informationThe Dead Cryptographers Society Problem
The Dead Cryptographers Society Problem André Luiz Barbosa http://www.andrebarbosa.eti.br Noncommercial projects: SimuPLC PLC Simulator & LCE Electric Commands Language Abstract. This paper defines The
More informationLecture 11: Hash Functions, MerkleDamgaard, Random Oracle
CS 7880 Graduate Cryptography October 20, 2015 Lecture 11: Hash Functions, MerkleDamgaard, Random Oracle Lecturer: Daniel Wichs Scribe: Tanay Mehta 1 Topics Covered Review CollisionResistant Hash Functions
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 20072008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse57109/
More informationFormal Models and Techniques for Analyzing Security Protocols: A Tutorial
Foundations and Trends R in Programming Languages Vol. 1, No. 3 (2014) 151 267 c 2014 V. Cortier and S. Kremer DOI: 10.1561/2500000001 Formal Models and Techniques for Analyzing Security Protocols: A Tutorial
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 20060207 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationFormal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 ConstantRound Multiparty Computation Last time we considered the GMW protocol,
More informationRSA ENCRYPTION USING THREE MERSENNE PRIMES
Int. J. Chem. Sci.: 14(4), 2016, 22732278 ISSN 0972768X www.sadgurupublications.com RSA ENCRYPTION USING THREE MERSENNE PRIMES Ch. J. L. PADMAJA a*, V. S. BHAGAVAN a and B. SRINIVAS b a Department of
More informationSecurity II: Cryptography
Security II: Cryptography Markus Kuhn Computer Laboratory, University of Cambridge https://www.cl.cam.ac.uk/teaching/1718/securityii/ Lent 2018 Part II security2slides.pdf 20180209 14:38 90853d3 1 Related
More informationLecture 17  DiffieHellman key exchange, pairing, IdentityBased Encryption and Forward Security
Lecture 17  DiffieHellman key exchange, pairing, IdentityBased Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism FeigeFiatShamir
More information