Abstract Specification of Crypto- Protocols and their Attack Models in MSR
|
|
- Virgil Maxwell
- 6 years ago
- Views:
Transcription
1 Abstract Specification of Crypto- Protocols and their Attack Models in MSR Iliano Cervesato ITT Industries, NRL Washington DC Software Engineering Institute - CMU August 6 th, 2001
2 Outline I. Dolev-Yao specifications II. Specifying Protocols in MSR III.Access Control IV. Specifying Attacker Models V. Inferring the Dolev-Yao Attacker Specifying Crypto-Protocols and their Intruder Models in MSR 2
3 Part I Dolev-Yao Specification of Security Protocols Specifying Crypto-Protocols and their Intruder Models in MSR 3
4 Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Distributed hostile environment Prudent engineering practice Inadequate specification languages the devil is in details Specifying Crypto-Protocols and their Intruder Models in MSR 4
5 Dolev-Yao Abstraction Symbolic data No bit-strings Perfect cryptography No guessing of keys Public knowledge soup Magic access to data Specifying Crypto-Protocols and their Intruder Models in MSR 5
6 pictorially s a k b k a Specifying Crypto-Protocols and their Intruder Models in MSR 6
7 Languages to Specify What? Message flow Message constituents Operating environment Protocol goals Specifying Crypto-Protocols and their Intruder Models in MSR 7
8 Desirable Properties Unambiguous Simple Flexible Applies to a wide class of protocols Insightful Gives insight about protocols Specifying Crypto-Protocols and their Intruder Models in MSR 8
9 Part II Specifying Protocols in MSR Specifying Crypto-Protocols and their Intruder Models in MSR 9
10 What s in MSR 2.0? Multiset rewriting with existentials Dependent types w/ subsorting Memory predicates New New Constraints New Specifying Crypto-Protocols and their Intruder Models in MSR 10
11 Terms Atomic terms Principal names Keys Nonces Term constructors ( ) {_} _ [_] _ {{_}} _ A k n D e f i n a b l e Specifying Crypto-Protocols and their Intruder Models in MSR 11
12 Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory Specifying Crypto-Protocols and their Intruder Models in MSR 12
13 Types of Terms A: princ n: nonce k: shk A B k: pubk A Types can depend on term Captures relations between objects k : privk k (definable) Specifying Crypto-Protocols and their Intruder Models in MSR 13
14 Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies Specifying Crypto-Protocols and their Intruder Models in MSR 14
15 Role state predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data Specifying Crypto-Protocols and their Intruder Models in MSR 15
16 Memory Predicates New M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder Specifying Crypto-Protocols and their Intruder Models in MSR 16
17 Constraints New χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) Specifying Crypto-Protocols and their Intruder Models in MSR 17
18 Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A Specifying Crypto-Protocols and their Intruder Models in MSR 18
19 Roles Role state pred. var. declarations Generic roles Role owner Anchored roles L: τ (x 1 ) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs L: τ (x1) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A A Specifying Crypto-Protocols and their Intruder Models in MSR 19
20 Needham-Schroeder Public-Key Protocol (fragment) A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb ( Usual Notation ) Specifying Crypto-Protocols and their Intruder Models in MSR 20
21 MSR 2.0 NS Initiator A L: princ x princ (B) x pubk B x nonce. B: princ k B : pubk B n A :nonce. L(A,B,k B,n A ) N({n A,A} kb ) k A : pubk A k A : privk k A n A,n B : nonce L(A,B,k B,n A ) N({n A,n B } ka ) N({n B } kb ) Specifying Crypto-Protocols and their Intruder Models in MSR 21
22 MSR 2.0 NS Responder L: princ (B) x princ (A) x pubk B (kb) x privk k B x nonce x pubk A x nonce. B k B : pubk B k B : privk k B A: princ n A : nonce k A : pubk A N({n A,A} kb ) n B :nonce. L( ) N({n A,n B } ka ) n B : nonce L(B,k B,k B,A,n A,k A,n B ) N({n B } kb ) Specifying Crypto-Protocols and their Intruder Models in MSR 22
23 Type Checking New Σ P t has type τ in Γ Catches: Γ t : τ Encryption with a nonce P is welltyped in Σ Transmission of a long term key Circular key hierarchies, Static and dynamic uses Decidable Specifying Crypto-Protocols and their Intruder Models in MSR 23
24 Execution Model 1-step firing P C C Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules Specifying Crypto-Protocols and their Intruder Models in MSR 24
25 Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signature a : τ L l : τ M _ : τ Specifying Crypto-Protocols and their Intruder Models in MSR 25
26 Rule application Constraint check F, χ n:τ. G(n) Σ = χ (constraint handler) Firing [S 1 ] R Σ [S 2 ] R Σ, c:τ c not in S 1 S, F S, G(c) Specifying Crypto-Protocols and their Intruder Models in MSR 26
27 Properties Admissibility of parallel firing Type preservation Access control preservation Completeness of Dolev-Yao intruder New Specifying Crypto-Protocols and their Intruder Models in MSR 27
28 Part III Access Control Specifying Crypto-Protocols and their Intruder Models in MSR 28
29 Access Control r is AC-valid for A in Γ Catches Γ A r New P is ACvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Static Decidable Gives meaning to Dolev-Yao intruder Specifying Crypto-Protocols and their Intruder Models in MSR 29
30 Overview Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Verify access to data Specifying Crypto-Protocols and their Intruder Models in MSR 30
31 Processing a Rule Γ A lhs >> Δ Γ; Δ A rhs Γ A lhs rhs Specifying Crypto-Protocols and their Intruder Models in MSR 31
32 Processing Predicates on the LHS Network messages Γ ; Δ A t >> Δ Γ; Δ A N(t) >> Δ Memory predicates Γ ; Δ A t 1,,t n >> Δ Γ; Δ A M A (t 1,,t n ) >> Δ Specifying Crypto-Protocols and their Intruder Models in MSR 32
33 Interpreting Data on the LHS Pairs Γ; Δ A t 1, t 2 >> Δ Γ; Δ A (t 1, t 2 ) >> Δ Encrypted terms Γ; Δ A k >> Δ Γ; Δ A t >> Δ Γ; Δ A {t} k >> Δ Elementary terms Γ; (Δ,x) A x >> (Δ,x) (Γ,x:τ); Δ A x >> (Δ,x) Specifying Crypto-Protocols and their Intruder Models in MSR 33
34 Accessing Data on the LHS Shared keys Γ; (Δ,k) A k >> (Δ,k) (Γ,x:shK A B); Δ A x >> (Δ,x) Public keys (Γ,k:pubK A,k :privk k); (Δ,k ) A k >> (Δ,k ) (Γ,k:pubK A,k :privk k); Δ A k >> (Δ,k ) Specifying Crypto-Protocols and their Intruder Models in MSR 34
35 Generating Data on the RHS Nonces (Γ, x:nonce); (Δ, x) A rhs Γ; Δ A x:nonce. rhs Specifying Crypto-Protocols and their Intruder Models in MSR 35
36 Constructing Terms on the RHS Pairs Γ; Δ A t 1 Γ; Δ A t 2 Γ; Δ A (t 1, t 2 ) Shared-key encryptions Γ; Δ A t Γ; Δ A k Γ; Δ A {t} k Specifying Crypto-Protocols and their Intruder Models in MSR 36
37 Accessing Data on the RHS Principal Γ, B:princ A B Shared key Γ, B:princ, k:shk A B A k Public key Γ, B:princ, k:pubk B A k Private key Γ, k:pubk A, k :privk k A k Specifying Crypto-Protocols and their Intruder Models in MSR 37
38 Part IV Specifying Attacker Models Specifying Crypto-Protocols and their Intruder Models in MSR 38
39 Execution with an Attacker P, P I C C Selected principal(s): Generic capabilities: Well-typed AC-valid I P I Modeled completely within MSR Specifying Crypto-Protocols and their Intruder Models in MSR 39
40 The Dolev-Yao Intruder Specific protocol suite P DY Underlies every protocol analysis tool Completeness still unproved!!! Specifying Crypto-Protocols and their Intruder Models in MSR 40
41 Capabilities of the D-Y Intruder Intercept / emit messages Split / form pairs Decrypt / encrypt with known key Look up public information Generate fresh data Specifying Crypto-Protocols and their Intruder Models in MSR 41
42 DY Intruder Data access M I (t) : Intruder knowledge A: princ. M I (A) I A: princ k: shk I A M I (k) I + dual A: princ k: pubk A M I (k) I k: pubk I k : privk k M I (k ) I No nonces, no other keys, Specifying Crypto-Protocols and their Intruder Models in MSR 42
43 DY Intruder Data Generation Safe data n:nonce. M I (n) I m:msg. M I (m) I Anything else? A,B:princ. k:shk A B. M I (k) I??? It depends on the protocol!!! Automated generation Specifying Crypto-Protocols and their Intruder Models in MSR 43
44 DY Intruder vs. AC AC-valid Well-typed Dolev-Yao intruder New/ D-Y Intruder inferred from AC rules AC rules inferred from prot. spec. (with help) Specifying Crypto-Protocols and their Intruder Models in MSR 44
45 Completeness of D-Y Intruder If P [S] R Σ [S ] R Σ with all well-typed and AC-valid Then P, P DY [S] R Σ [S ] R Σ Specifying Crypto-Protocols and their Intruder Models in MSR 45
46 Consequences Justifies design of current tools Support optimizations D-Y intr. often too general/inefficient Generic optimizations Per protocol optimizations Restrictive environments Caps multi-intruder situations Specifying Crypto-Protocols and their Intruder Models in MSR 46
47 Part V New Inferring the Dolev-Yao Intruder Specifying Crypto-Protocols and their Intruder Models in MSR 47
48 The Dolev-Yao Intruder Model Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Same operations as AC! Specifying Crypto-Protocols and their Intruder Models in MSR 48
49 Accessing Principal Names Γ, B:princ A B I B:princ. M I (B) I Specifying Crypto-Protocols and their Intruder Models in MSR 49
50 What did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore context Γ Specifying Crypto-Protocols and their Intruder Models in MSR 50
51 Checking it out: Shared Keys Γ, A:princ, B:princ, k:shk A B A k I I I B: princ k: shk I B M I (k) I + dual Specifying Crypto-Protocols and their Intruder Models in MSR 51
52 Getting Confident: Pub./Priv. Keys Γ, B:princ, k:pubk B A k I B: princ k: pubk B M I (k) I Γ, A:princ, k:pubk A, k :privk k A k I k: pubk I k : privk k M I (k ) Specifying Crypto-Protocols and their Intruder Models in MSR 52 I I I
53 Constructing Messages: Pairs Γ; Δ A t 1 Γ; Δ A t I I 2 Γ; Δ A (t 1, t 2 ) I t 1,t 2 :msg. M I (t 1 ), M I (t 2 ) M I ((t 1,t 2 )) I Specifying Crypto-Protocols and their Intruder Models in MSR 53
54 Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types Specifying Crypto-Protocols and their Intruder Models in MSR 54
55 Carrying on: Shared-Key Encrypt. Γ; Δ A t Γ; Δ A k I Γ; Δ A {t} I k I A,B: princ k: shk A B t: msg M I (t), M I (k) M I ({t} k ) I Similar for public-key encryption Specifying Crypto-Protocols and their Intruder Models in MSR 55
56 Generating Data: Nonces (Γ, x:nonce); (Δ, x) A rhs Γ; Δ A x:nonce. rhs I I x:nonce. M I (x) I Similarly for other generated data Specifying Crypto-Protocols and their Intruder Models in MSR 56
57 Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types One intruder rule for each AC rule Save generated object Specifying Crypto-Protocols and their Intruder Models in MSR 57
58 Interpreting Shared-Key Encrypt. Γ; Δ A k >> Δ Γ; Δ A t >> Δ I Γ; Δ A {t} k >> Δ I I A,B: princ k: shk A B t: msg M I ({t} k ), M I (k) M I (t) I Similar for public-key encryption pairing Specifying Crypto-Protocols and their Intruder Models in MSR 58
59 Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Meta-variables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types One intruder rule for each AC rule Save generated object Premises consequent Conclusion antecedant Specifying Crypto-Protocols and their Intruder Models in MSR 59
60 Network Rules Γ ; Δ A t >> Δ Γ; Δ A N(t) >> Δ t:msg. N(t) M I (t) I Γ ; Δ A t Γ; Δ A N(t) t:msg. M I (t) N(t) I Specifying Crypto-Protocols and their Intruder Models in MSR 60
61 Other Rules? Either redundant, or t:msg. N(t) N(t) I or, innocuous (but sensible) t 1,,t n :msg. M I (t 1,,t n ) M I (t 1 ),,M I (t n ) I Specifying Crypto-Protocols and their Intruder Models in MSR 61
62 Dissecting AC 5 activities: Interpret message components on LHS Constructors atoms Pattern matching Trivial Access data (keys) on LHS Generate data on RHS Trivial Construct messages on RHS Access data on RHS Trivial Specifying Crypto-Protocols and their Intruder Models in MSR 62
63 Accessing data Annotate the type of freely accessible data princ: + type Make it conditional for dep. types pubk: * princ -> + type privk: ΠA: + princ. + pubk A -> + type Specifying Crypto-Protocols and their Intruder Models in MSR 63
64 Generating data Again, annotate types nonce:! type shk: + princ -> + princ ->! type shk: + princ -> + princ ->! type Specifying Crypto-Protocols and their Intruder Models in MSR 64
65 Interpreting constructors Mark arguments as input or output _,_: -msg -> -msg -> msg {_} _ : - msg -> ΠA: + princ. ΠB: + princ. + shk A B -> msg {{_}} _ : - msg -> ΠA: + princ. Πk: + pubk A. + privk k -> msg hash: + msg -> msg [_] _ : + msg -> ΠA: * princ. Πk: * sigk A. * verk k -> msg Specifying Crypto-Protocols and their Intruder Models in MSR 65
66 Annotating declarations Integrates semantics of types and constructors Trimmed down version of AC Allows constructing AC rules Allows constructing the Dolev-Yao intruder Specifying Crypto-Protocols and their Intruder Models in MSR 66
67 alternatively Compute AC rules from protocol There are finitely many annotations Check protocol against each of them Keep the most restrictive ones that validate the protocol Exponential! More efficient algorithms? Specifying Crypto-Protocols and their Intruder Models in MSR 67
68 Wrap-up Specifying Crypto-Protocols and their Intruder Models in MSR 68
69 Case-Studies Full Needham-Schroeder public-key Otway-Rees Neuman-Stubblebine repeated auth. OFT group key management Specifying Crypto-Protocols and their Intruder Models in MSR 69
70 Conclusions Framework for specifying protocols Precise Flexible Powerful Provides Type /AC checking Sequential / parallel execution model Insights about Dolev-Yao intruder Specifying Crypto-Protocols and their Intruder Models in MSR 70
71 Future work Experimentation Clark-Jacob library Fair-exchange protocols More multicast Pragmatics Type-reconstruction Operational execution model(s) Implementation Automated specification techniques Specifying Crypto-Protocols and their Intruder Models in MSR 71
MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols
More informationTyped MSR: Syntax and Examples
Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ MMM 01 St. Petersburg, Russia May 22 nd, 2001 Outline
More informationLecture 7: Specification Languages
Graduate Course on Computer Security Lecture 7: Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita
More informationOne Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano
More informationMSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano ISSS 2003,
More informationThe Logical Meeting Point of Multiset Rewriting and Process Algebra
MFPS 20 @ MU May 25, 2004 The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano ervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, D http://theory.stanford.edu/~iliano
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationControl Flow Analysis of Security Protocols (I)
Control Flow Analysis of Security Protocols (I) Mikael Buchholtz 02913 F2005 Mikael Buchholtz p. 1 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography 02913 F2005
More informationCPSA and Formal Security Goals
CPSA and Formal Security Goals John D. Ramsdell The MITRE Corporation CPSA Version 2.5.1 July 8, 2015 Contents 1 Introduction 3 2 Syntax 6 3 Semantics 8 4 Examples 10 4.1 Needham-Schroeder Responder.................
More informationA Logic of Authentication
A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,
More informationRelating State-Based and Process-Based Concurrency through Linear Logic
École Polytechnique 17 September 2009 Relating State-Based and Process-Based oncurrency through Linear Logic Iliano ervesato arnegie Mellon University - Qatar iliano@cmu.edu Specifying oncurrent Systems
More informationA Calculus for Control Flow Analysis of Security Protocols
International Journal of Information Security manuscript No. (will be inserted by the editor) A Calculus for Control Flow Analysis of Security Protocols Mikael Buchholtz, Hanne Riis Nielson, Flemming Nielson
More informationTime-Bounding Needham-Schroeder Public Key Exchange Protocol
Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek
More informationModels and analysis of security protocols 1st Semester Security Protocols Lecture 6
Models and analysis of security protocols 1st Semester 2010-2011 Security Protocols Lecture 6 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 18th 2010 1 / 46 Last Time (I) Symmetric
More informationProtocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete
Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete Michaël Rusinowitch and Mathieu Turuani LORIA-INRIA- Université Henri Poincaré, 54506 Vandoeuvre-les-Nancy cedex, France
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University
More informationDiscrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols
Discrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols Max Kanovich 1,5 Tajana Ban Kirigin 2 Vivek Nigam 3 Andre Scedrov 4,5 and Carolyn Talcott 6 1 Queen Mary, University of London
More informationProbabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Lincoln, P. Mateus, M. Mitchell Standard analysis methods Finite-state
More informationExtending Dolev-Yao with Assertions
Extending Dolev-Yao with Assertions Vaishnavi Sundararajan Chennai Mathematical Institute FOSAD 2015 August 31, 2015 (Joint work with R Ramanujam and S P Suresh) Vaishnavi S Extending Dolev-Yao with Assertions
More informationEncoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania
Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to
More informationModels for an Adversary-Centric Protocol Logic
Workshop on Logical Aspects of Cryptographics 2001 Preliminary Version Models for an Adversary-Centric Protocol Logic Peter Selinger Department of Mathematics and Statistics University of Ottawa Ottawa,
More informationVerification of Security Protocols in presence of Equational Theories with Homomorphism
Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D,
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationTerm Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool
Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Informáticos y Computación Universitat Politècnica de València sescobar@dsic.upv.es
More informationStrand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001
Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction
More informationAutomatic Verification of Complex Security Protocols With an Unbounded Number of Sessions
Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions Kaile Su, Weiya Yue and Qingliang Chen Department of Computer Science, Sun Yat-sen University Guangzhou, P.R. China
More informationA Cryptographic Decentralized Label Model
A Cryptographic Decentralized Label Model Jeffrey A. Vaughan and Steve Zdancewic Department of Computer and Information Science University of Pennsylvania IEEE Security and Privacy May 22, 2007 Information
More informationAutomata-based analysis of recursive cryptographic protocols
1 Automata-based analysis of recursive cryptographic protocols Thomas Wilke Joint work with Ralf Küsters Christian-Albrechts-Universität zu Kiel June 13, 2004 Un-/Decidability of security in the DY model
More informationQuantum Wireless Sensor Networks
Quantum Wireless Sensor Networks School of Computing Queen s University Canada ntional Computation Vienna, August 2008 Main Result Quantum cryptography can solve the problem of security in sensor networks.
More informationAnalysis of authentication protocols Intership report
Analysis of authentication protocols Intership report Stéphane Glondu ENS de Cachan September 3, 2006 1 Introduction Many computers are interconnected through networks, the biggest of them being Internet.
More informationOn the Automatic Analysis of Recursive Security Protocols with XOR
On the Automatic Analysis of Recursive Security Protocols with XOR Ralf Küsters 1 and Tomasz Truderung 2 1 ETH Zurich ralf.kuesters@inf.ethz.ch 2 University of Kiel, Wrocław University tomasz.truderung@ii.uni.wroc.pl
More informationOn the Verification of Cryptographic Protocols
On the Verification of Cryptographic Protocols Federico Cerutti Dipartimento di Ingegneria dell Informazione, Università di Brescia Via Branze 38, I-25123 Brescia, Italy January 11, 2011 Talk at Prof.
More informationA progress report on using Maude to verify protocol properties using the strand space model
A progress report on using Maude to verify protocol properties using the strand space model Presented by Robert P. Graham, MAJ, USAF/AFIT Stephen W. Mancini, 1Lt, USAF/AFIT Presentation date: 01 Oct 03
More informationMASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY
DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY MASTER S THESIS MICHAEL GARDE FROM FORMAL TO COMPUTATIONAL AUTHENTICITY AN APPROACH FOR RECONCILING FORMAL AND COMPUTATIONAL
More informationProving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationA compositional logic for proving security properties of protocols
Journal of Computer Security 11 (2003) 677 721 677 IOS Press A compositional logic for proving security properties of protocols Nancy Durgin a, John Mitchell b and Dusko Pavlovic c a Sandia National Labs,
More informationNegative applications of the ASM thesis
Negative applications of the ASM thesis Dean Rosenzweig and Davor Runje University of Zagreb Berlin, February 26-27, 2007 Outline 1 Negative applications of the ASM thesis Motivation Non-interactive algorithms
More informationAPPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.
APPLITIONS OF AN-LOGIC JAN WESSELS CMG FINANCE.V. APRIL 19, 2001 Chapter 1 Introduction This document is meant to give an overview of the AN-logic. The AN-logic is one of the methods for the analysis of
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationOptimization of the Hamming Code for Error Prone Media
278 IJCSNS International Journal of Computer Science and Network Security, VOL.8 No.3, March 2008 Optimization of the Hamming Code for Error Prone Media Eltayeb S. Abuelyaman and Abdul-Aziz S. Al-Sehibani
More informationAutomated Validation of Internet Security Protocols. Luca Viganò
Automated Validation of Internet Security Protocols Luca Viganò The AVISPA Project Luca Viganò 1 Motivation The number and scale of new security protocols under development is out-pacing the human ability
More informationReport Documentation Page
Multiset Rewriting and the Complexity of Bounded Security Protocols Λ N.A. Durgin P.D. Lincoln J.C. Mitchell A. Scedrov Sandia National Laboratories Livermore, CA nadurgi@sandia.gov Computer Science Dept.
More informationAnalysing privacy-type properties in cryptographic protocols
Analysing privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, January 14th, 2015 S. Delaune (LSV) Verification of cryptographic protocols 14th
More informationTHE SHAPES OF BUNDLES
THE SHAPES OF BUNDLES SHADDIN F. DOGHMI, JOSHUA D. GUTTMAN, AND F. JAVIER THAYER Contents 1. Introduction 2 2. Background 2 2.1. Protocols 2 2.2. An Example: The Yahalom Protocol 3 2.3. Occurrences and
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationAn Efficient Cryptographic Protocol Verifier Based on Prolog Rules
An Efficient Cryptographic Protocol Verifier Based on Prolog Rules Bruno Blanchet INRIA Rocquencourt Domaine de Voluceau B.P. 105 78153 Le Chesnay Cedex, France Bruno.Blanchet@inria.fr Abstract We present
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationOptimization of the Hamming Code for Error Prone Media
Optimization of the Hamming Code for Error Prone Media Eltayeb Abuelyaman and Abdul-Aziz Al-Sehibani College of Computer and Information Sciences Prince Sultan University Abuelyaman@psu.edu.sa Summery
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationMechanizing Elliptic Curve Associativity
Mechanizing Elliptic Curve Associativity Why a Formalized Mathematics Challenge is Useful for Verification of Crypto ARM Machine Code Joe Hurd Computer Laboratory University of Cambridge Galois Connections
More informationA process algebraic analysis of privacy-type properties in cryptographic protocols
A process algebraic analysis of privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Saturday, September 6th, 2014 S. Delaune (LSV) Verification of cryptographic
More informationHandling Encryption in an Analysis for Secure Information Flow
Handling Encryption in an Analysis for Secure Information Flow Peeter Laud peeter l@ut.ee Tartu Ülikool Cybernetica AS ESOP 2003, 7.-11.04.2003 p.1/15 Overview Some words about the overall approach. Definition
More informationThe Faithfulness of Abstract Protocol Analysis: Message Authentication
The Faithfulness of Abstract Protocol Analysis: Message Authentication Joshua D. Guttman F. Javier Thayer Lenore D. Zuck December 18, 2002 Abstract Dolev and Yao initiated an approach to studying cryptographic
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationOWO Lecture: Modular Arithmetic with Algorithmic Applications
OWO Lecture: Modular Arithmetic with Algorithmic Applications Martin Otto Winter Term 2008/09 Contents 1 Basic ingredients 1 2 Modular arithmetic 2 2.1 Going in circles.......................... 2 2.2
More informationSkeletons and the Shapes of Bundles
Skeletons and the Shapes of Bundles Shaddin F. Doghmi, Joshua D. Guttman, and F. Javier Thayer The MITRE Corporation Abstract. The shapes of a protocol are its minimal, essentially different executions.
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationThe Needham-Schroeder-Lowe protocol
The Needham-Schroeder-Lowe protocol Unbounded sessions Principals run either initiator or responder role in each of their sessions We adopt the following conventions throughout this paper: honest principals
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationA new security notion for asymmetric encryption Draft #8
A new security notion for asymmetric encryption Draft #8 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationDeciding the Security of Protocols with Commuting Public Key Encryption
Electronic Notes in Theoretical Computer Science 125 (2005) 55 66 www.elsevier.com/locate/entcs Deciding the Security of Protocols with Commuting Public Key Encryption Yannick Chevalier a,1 Ralf Küsters
More informationTHE SHAPES OF BUNDLES
THE SHAPES OF BUNDLES SHADDIN F. DOGHMI, JOSHUA D. GUTTMAN, AND F. JAVIER THAYER Contents 1. Introduction 2 2. Background 2 2.1. Protocols 2 2.2. An Example: The Yahalom Protocol 3 2.3. Occurrences and
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationThe Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability
The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Catherine Meadows Naval Research Laboratory, Washington, DC 20375 catherine.meadows@nrl.navy.mil Formal Methods for the Science of
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1,ChiaraBodei 2, Pierpaolo Degano 2, and Hanne Riis Nielson 1 1 Informatics and Mathematical Modelling, Technical University
More informationThe Underlying Semantics of Transition Systems
The Underlying Semantics of Transition Systems J. M. Crawford D. M. Goldschlag Technical Report 17 December 1987 Computational Logic Inc. 1717 W. 6th St. Suite 290 Austin, Texas 78703 (512) 322-9951 1
More informationThe Sizes of Skeletons: Security Goals are Decidable
The Sizes of Skeletons: Security Goals are Decidable Joshua D. Guttman and F. Javier Thayer The MITRE Corporation guttman, jt@mitre.org Abstract. We show how to collapse executions of a cryptographic protocol,
More informationProving Properties of Security Protocols by Induction
Proving Security Protocols 1 L. C. Paulson Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory University of Cambridge Proving Security Protocols 2 L. C. Paulson
More informationA derivation system and compositional logic for security protocols
Journal of Computer Security 13 2005) 423 482 423 IOS Press A derivation system and compositional logic for security protocols Anupam Datta a,, Ante Derek a, John C. Mitchell a and Dusko Pavlovic b a Computer
More informationAuthentication Tests and Disjoint Encryption: a Design Method for Security Protocols
Authentication Tests and Disjoint Encryption: a Design Method for Security Protocols Joshua D. Guttman The MITRE Corporation guttman@mitre.org 20 August 2003 Abstract We describe a protocol design process,
More informationAn extension of HM(X) with bounded existential and universal data-types
Groupe de travail Cristal July, 2003 An extension of HM(X) with bounded existential and universal data-types (To appear at ICFP 03) Vincent Simonet INRIA Rocquencourt Cristal project Vincent.Simonet@inria.fr
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationA Short Tutorial on Proverif
A Short Tutorial on Proverif Alfredo Pironti and Riccardo Sisto Politecnico di Torino, Italy Cryptoforma Meeting, Apr 8, 2010 1 Outline PART 1: how the tool works (Riccardo Sisto) Context: Abstract modelling
More informationPicnic Post-Quantum Signatures from Zero Knowledge Proofs
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER STEVEN GOLDFEDER JONATHAN KATZ VLAD KOLESNIKOV CLAUDIO ORLANDI SEBASTIAN RAMACHER CHRISTIAN RECHBERGER
More informationA simple procedure for finding guessing attacks (Extended Abstract)
A simple procedure for finding guessing attacks (Extended Abstract) Ricardo Corin 1 and Sandro Etalle 1,2 1 Dept. of Computer Science, University of Twente, The Netherlands 2 CWI, Center for Mathematics
More informationAn Undecidability Result for AGh
An Undecidability Result for AGh Stéphanie Delaune France Télécom R&D, Lab. Spécification & Vérification, CNRS & ENS de Cachan, France. Abstract We present an undecidability result for the verification
More informationCryptographic Protocols Notes 2
ETH Zurich, Department of Computer Science SS 2018 Prof. Ueli Maurer Dr. Martin Hirt Chen-Da Liu Zhang Cryptographic Protocols Notes 2 Scribe: Sandro Coretti (modified by Chen-Da Liu Zhang) About the notes:
More informationAn undecidability result for AGh
Theoretical Computer Science 368 (2006) 161 167 Note An undecidability result for AGh Stéphanie Delaune www.elsevier.com/locate/tcs France Télécom R&D, Lab. Spécification & Vérification, CNRS & ENS de
More informationReduction of the Intruder Deduction Problem into Equational Elementary Deduction for Electronic Purse Protocols with Blind Signatures
Reduction of the Intruder Deduction Problem into Equational Elementary Deduction for Electronic Purse Protocols with Blind Signatures Daniele Nantes Sobrinho 1 and Mauricio Ayala-Rincón 1,2 Grupo de Teoria
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationAutomatic, computational proof of EKE using CryptoVerif
Automatic, computational proof of EKE using CryptoVerif (Work in progress) Bruno Blanchet blanchet@di.ens.fr Joint work with David Pointcheval CNRS, École Normale Supérieure, INRIA, Paris April 2010 Bruno
More informationA Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures
A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures Véronique Cortier LORIA, Nancy, France CNRS & INRIA Project Cassis cortier@loria.fr Michael Rusinowitch
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More information