Abstract Specification of Crypto Protocols and their Attack Models in MSR

 Virgil Maxwell
 5 months ago
 Views:
Transcription
1 Abstract Specification of Crypto Protocols and their Attack Models in MSR Iliano Cervesato ITT Industries, NRL Washington DC Software Engineering Institute  CMU August 6 th, 2001
2 Outline I. DolevYao specifications II. Specifying Protocols in MSR III.Access Control IV. Specifying Attacker Models V. Inferring the DolevYao Attacker Specifying CryptoProtocols and their Intruder Models in MSR 2
3 Part I DolevYao Specification of Security Protocols Specifying CryptoProtocols and their Intruder Models in MSR 3
4 Why is Protocol Analysis Difficult? Subtle cryptographic primitives DolevYao abstraction Distributed hostile environment Prudent engineering practice Inadequate specification languages the devil is in details Specifying CryptoProtocols and their Intruder Models in MSR 4
5 DolevYao Abstraction Symbolic data No bitstrings Perfect cryptography No guessing of keys Public knowledge soup Magic access to data Specifying CryptoProtocols and their Intruder Models in MSR 5
6 pictorially s a k b k a Specifying CryptoProtocols and their Intruder Models in MSR 6
7 Languages to Specify What? Message flow Message constituents Operating environment Protocol goals Specifying CryptoProtocols and their Intruder Models in MSR 7
8 Desirable Properties Unambiguous Simple Flexible Applies to a wide class of protocols Insightful Gives insight about protocols Specifying CryptoProtocols and their Intruder Models in MSR 8
9 Part II Specifying Protocols in MSR Specifying CryptoProtocols and their Intruder Models in MSR 9
10 What s in MSR 2.0? Multiset rewriting with existentials Dependent types w/ subsorting Memory predicates New New Constraints New Specifying CryptoProtocols and their Intruder Models in MSR 10
11 Terms Atomic terms Principal names Keys Nonces Term constructors ( ) {_} _ [_] _ {{_}} _ A k n D e f i n a b l e Specifying CryptoProtocols and their Intruder Models in MSR 11
12 Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory Specifying CryptoProtocols and their Intruder Models in MSR 12
13 Types of Terms A: princ n: nonce k: shk A B k: pubk A Types can depend on term Captures relations between objects k : privk k (definable) Specifying CryptoProtocols and their Intruder Models in MSR 13
14 Subtyping τ :: msg Allows atomic terms in messages Definable Nontransmittable terms Subhierarchies Specifying CryptoProtocols and their Intruder Models in MSR 14
15 Role state predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data Specifying CryptoProtocols and their Intruder Models in MSR 15
16 Memory Predicates New M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder Specifying CryptoProtocols and their Intruder Models in MSR 16
17 Constraints New χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) Specifying CryptoProtocols and their Intruder Models in MSR 17
18 Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A Specifying CryptoProtocols and their Intruder Models in MSR 18
19 Roles Role state pred. var. declarations Generic roles Role owner Anchored roles L: τ (x 1 ) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs L: τ (x1) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A A Specifying CryptoProtocols and their Intruder Models in MSR 19
20 NeedhamSchroeder PublicKey Protocol (fragment) A B: {n A, A} kb B A: {n A, n B } ka A B: {n B } kb ( Usual Notation ) Specifying CryptoProtocols and their Intruder Models in MSR 20
21 MSR 2.0 NS Initiator A L: princ x princ (B) x pubk B x nonce. B: princ k B : pubk B n A :nonce. L(A,B,k B,n A ) N({n A,A} kb ) k A : pubk A k A : privk k A n A,n B : nonce L(A,B,k B,n A ) N({n A,n B } ka ) N({n B } kb ) Specifying CryptoProtocols and their Intruder Models in MSR 21
22 MSR 2.0 NS Responder L: princ (B) x princ (A) x pubk B (kb) x privk k B x nonce x pubk A x nonce. B k B : pubk B k B : privk k B A: princ n A : nonce k A : pubk A N({n A,A} kb ) n B :nonce. L( ) N({n A,n B } ka ) n B : nonce L(B,k B,k B,A,n A,k A,n B ) N({n B } kb ) Specifying CryptoProtocols and their Intruder Models in MSR 22
23 Type Checking New Σ P t has type τ in Γ Catches: Γ t : τ Encryption with a nonce P is welltyped in Σ Transmission of a long term key Circular key hierarchies, Static and dynamic uses Decidable Specifying CryptoProtocols and their Intruder Models in MSR 23
24 Execution Model 1step firing P C C Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules Specifying CryptoProtocols and their Intruder Models in MSR 24
25 Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signature a : τ L l : τ M _ : τ Specifying CryptoProtocols and their Intruder Models in MSR 25
26 Rule application Constraint check F, χ n:τ. G(n) Σ = χ (constraint handler) Firing [S 1 ] R Σ [S 2 ] R Σ, c:τ c not in S 1 S, F S, G(c) Specifying CryptoProtocols and their Intruder Models in MSR 26
27 Properties Admissibility of parallel firing Type preservation Access control preservation Completeness of DolevYao intruder New Specifying CryptoProtocols and their Intruder Models in MSR 27
28 Part III Access Control Specifying CryptoProtocols and their Intruder Models in MSR 28
29 Access Control r is ACvalid for A in Γ Catches Γ A r New P is ACvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Static Decidable Gives meaning to DolevYao intruder Specifying CryptoProtocols and their Intruder Models in MSR 29
30 Overview Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Verify access to data Specifying CryptoProtocols and their Intruder Models in MSR 30
31 Processing a Rule Γ A lhs >> Δ Γ; Δ A rhs Γ A lhs rhs Specifying CryptoProtocols and their Intruder Models in MSR 31
32 Processing Predicates on the LHS Network messages Γ ; Δ A t >> Δ Γ; Δ A N(t) >> Δ Memory predicates Γ ; Δ A t 1,,t n >> Δ Γ; Δ A M A (t 1,,t n ) >> Δ Specifying CryptoProtocols and their Intruder Models in MSR 32
33 Interpreting Data on the LHS Pairs Γ; Δ A t 1, t 2 >> Δ Γ; Δ A (t 1, t 2 ) >> Δ Encrypted terms Γ; Δ A k >> Δ Γ; Δ A t >> Δ Γ; Δ A {t} k >> Δ Elementary terms Γ; (Δ,x) A x >> (Δ,x) (Γ,x:τ); Δ A x >> (Δ,x) Specifying CryptoProtocols and their Intruder Models in MSR 33
34 Accessing Data on the LHS Shared keys Γ; (Δ,k) A k >> (Δ,k) (Γ,x:shK A B); Δ A x >> (Δ,x) Public keys (Γ,k:pubK A,k :privk k); (Δ,k ) A k >> (Δ,k ) (Γ,k:pubK A,k :privk k); Δ A k >> (Δ,k ) Specifying CryptoProtocols and their Intruder Models in MSR 34
35 Generating Data on the RHS Nonces (Γ, x:nonce); (Δ, x) A rhs Γ; Δ A x:nonce. rhs Specifying CryptoProtocols and their Intruder Models in MSR 35
36 Constructing Terms on the RHS Pairs Γ; Δ A t 1 Γ; Δ A t 2 Γ; Δ A (t 1, t 2 ) Sharedkey encryptions Γ; Δ A t Γ; Δ A k Γ; Δ A {t} k Specifying CryptoProtocols and their Intruder Models in MSR 36
37 Accessing Data on the RHS Principal Γ, B:princ A B Shared key Γ, B:princ, k:shk A B A k Public key Γ, B:princ, k:pubk B A k Private key Γ, k:pubk A, k :privk k A k Specifying CryptoProtocols and their Intruder Models in MSR 37
38 Part IV Specifying Attacker Models Specifying CryptoProtocols and their Intruder Models in MSR 38
39 Execution with an Attacker P, P I C C Selected principal(s): Generic capabilities: Welltyped ACvalid I P I Modeled completely within MSR Specifying CryptoProtocols and their Intruder Models in MSR 39
40 The DolevYao Intruder Specific protocol suite P DY Underlies every protocol analysis tool Completeness still unproved!!! Specifying CryptoProtocols and their Intruder Models in MSR 40
41 Capabilities of the DY Intruder Intercept / emit messages Split / form pairs Decrypt / encrypt with known key Look up public information Generate fresh data Specifying CryptoProtocols and their Intruder Models in MSR 41
42 DY Intruder Data access M I (t) : Intruder knowledge A: princ. M I (A) I A: princ k: shk I A M I (k) I + dual A: princ k: pubk A M I (k) I k: pubk I k : privk k M I (k ) I No nonces, no other keys, Specifying CryptoProtocols and their Intruder Models in MSR 42
43 DY Intruder Data Generation Safe data n:nonce. M I (n) I m:msg. M I (m) I Anything else? A,B:princ. k:shk A B. M I (k) I??? It depends on the protocol!!! Automated generation Specifying CryptoProtocols and their Intruder Models in MSR 43
44 DY Intruder vs. AC ACvalid Welltyped DolevYao intruder New/ DY Intruder inferred from AC rules AC rules inferred from prot. spec. (with help) Specifying CryptoProtocols and their Intruder Models in MSR 44
45 Completeness of DY Intruder If P [S] R Σ [S ] R Σ with all welltyped and ACvalid Then P, P DY [S] R Σ [S ] R Σ Specifying CryptoProtocols and their Intruder Models in MSR 45
46 Consequences Justifies design of current tools Support optimizations DY intr. often too general/inefficient Generic optimizations Per protocol optimizations Restrictive environments Caps multiintruder situations Specifying CryptoProtocols and their Intruder Models in MSR 46
47 Part V New Inferring the DolevYao Intruder Specifying CryptoProtocols and their Intruder Models in MSR 47
48 The DolevYao Intruder Model Interpret incoming information Collect received data Access unknown data Construct outgoing information Generate data Use known data Access new data Same operations as AC! Specifying CryptoProtocols and their Intruder Models in MSR 48
49 Accessing Principal Names Γ, B:princ A B I B:princ. M I (B) I Specifying CryptoProtocols and their Intruder Models in MSR 49
50 What did we do? Instantiate acting principal to I Accessed data Intruder knowledge Metavariables Rule variables Ignore context Γ Specifying CryptoProtocols and their Intruder Models in MSR 50
51 Checking it out: Shared Keys Γ, A:princ, B:princ, k:shk A B A k I I I B: princ k: shk I B M I (k) I + dual Specifying CryptoProtocols and their Intruder Models in MSR 51
52 Getting Confident: Pub./Priv. Keys Γ, B:princ, k:pubk B A k I B: princ k: pubk B M I (k) I Γ, A:princ, k:pubk A, k :privk k A k I k: pubk I k : privk k M I (k ) Specifying CryptoProtocols and their Intruder Models in MSR 52 I I I
53 Constructing Messages: Pairs Γ; Δ A t 1 Γ; Δ A t I I 2 Γ; Δ A (t 1, t 2 ) I t 1,t 2 :msg. M I (t 1 ), M I (t 2 ) M I ((t 1,t 2 )) I Specifying CryptoProtocols and their Intruder Models in MSR 53
54 Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Metavariables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types Specifying CryptoProtocols and their Intruder Models in MSR 54
55 Carrying on: SharedKey Encrypt. Γ; Δ A t Γ; Δ A k I Γ; Δ A {t} I k I A,B: princ k: shk A B t: msg M I (t), M I (k) M I ({t} k ) I Similar for publickey encryption Specifying CryptoProtocols and their Intruder Models in MSR 55
56 Generating Data: Nonces (Γ, x:nonce); (Δ, x) A rhs Γ; Δ A x:nonce. rhs I I x:nonce. M I (x) I Similarly for other generated data Specifying CryptoProtocols and their Intruder Models in MSR 56
57 Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Metavariables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types One intruder rule for each AC rule Save generated object Specifying CryptoProtocols and their Intruder Models in MSR 57
58 Interpreting SharedKey Encrypt. Γ; Δ A k >> Δ Γ; Δ A t >> Δ I Γ; Δ A {t} k >> Δ I I A,B: princ k: shk A B t: msg M I ({t} k ), M I (k) M I (t) I Similar for publickey encryption pairing Specifying CryptoProtocols and their Intruder Models in MSR 58
59 Now, what did we do? Instantiate acting principal to I Accessed data Intruder knowledge Metavariables Rule variables Ignore Γ and knowledge context Δ Premises antecedent Conclusion consequent Auxiliary typing derivation gives types One intruder rule for each AC rule Save generated object Premises consequent Conclusion antecedant Specifying CryptoProtocols and their Intruder Models in MSR 59
60 Network Rules Γ ; Δ A t >> Δ Γ; Δ A N(t) >> Δ t:msg. N(t) M I (t) I Γ ; Δ A t Γ; Δ A N(t) t:msg. M I (t) N(t) I Specifying CryptoProtocols and their Intruder Models in MSR 60
61 Other Rules? Either redundant, or t:msg. N(t) N(t) I or, innocuous (but sensible) t 1,,t n :msg. M I (t 1,,t n ) M I (t 1 ),,M I (t n ) I Specifying CryptoProtocols and their Intruder Models in MSR 61
62 Dissecting AC 5 activities: Interpret message components on LHS Constructors atoms Pattern matching Trivial Access data (keys) on LHS Generate data on RHS Trivial Construct messages on RHS Access data on RHS Trivial Specifying CryptoProtocols and their Intruder Models in MSR 62
63 Accessing data Annotate the type of freely accessible data princ: + type Make it conditional for dep. types pubk: * princ > + type privk: ΠA: + princ. + pubk A > + type Specifying CryptoProtocols and their Intruder Models in MSR 63
64 Generating data Again, annotate types nonce:! type shk: + princ > + princ >! type shk: + princ > + princ >! type Specifying CryptoProtocols and their Intruder Models in MSR 64
65 Interpreting constructors Mark arguments as input or output _,_: msg > msg > msg {_} _ :  msg > ΠA: + princ. ΠB: + princ. + shk A B > msg {{_}} _ :  msg > ΠA: + princ. Πk: + pubk A. + privk k > msg hash: + msg > msg [_] _ : + msg > ΠA: * princ. Πk: * sigk A. * verk k > msg Specifying CryptoProtocols and their Intruder Models in MSR 65
66 Annotating declarations Integrates semantics of types and constructors Trimmed down version of AC Allows constructing AC rules Allows constructing the DolevYao intruder Specifying CryptoProtocols and their Intruder Models in MSR 66
67 alternatively Compute AC rules from protocol There are finitely many annotations Check protocol against each of them Keep the most restrictive ones that validate the protocol Exponential! More efficient algorithms? Specifying CryptoProtocols and their Intruder Models in MSR 67
68 Wrapup Specifying CryptoProtocols and their Intruder Models in MSR 68
69 CaseStudies Full NeedhamSchroeder publickey OtwayRees NeumanStubblebine repeated auth. OFT group key management Specifying CryptoProtocols and their Intruder Models in MSR 69
70 Conclusions Framework for specifying protocols Precise Flexible Powerful Provides Type /AC checking Sequential / parallel execution model Insights about DolevYao intruder Specifying CryptoProtocols and their Intruder Models in MSR 70
71 Future work Experimentation ClarkJacob library Fairexchange protocols More multicast Pragmatics Typereconstruction Operational execution model(s) Implementation Automated specification techniques Specifying CryptoProtocols and their Intruder Models in MSR 71
MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols
More informationLecture 7: Specification Languages
Graduate Course on Computer Security Lecture 7: Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita
More informationOne Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano
More informationA Logic of Authentication
A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,
More informationTimeBounding NeedhamSchroeder Public Key Exchange Protocol
TimeBounding NeedhamSchroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCLCS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek
More informationProbabilistic PolynomialTime Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality
Probabilistic PolynomialTime Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Lincoln, P. Mateus, M. Mitchell Standard analysis methods Finitestate
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University
More informationOn the Verification of Cryptographic Protocols
On the Verification of Cryptographic Protocols Federico Cerutti Dipartimento di Ingegneria dell Informazione, Università di Brescia Via Branze 38, I25123 Brescia, Italy January 11, 2011 Talk at Prof.
More informationThe Faithfulness of Abstract Protocol Analysis: Message Authentication
The Faithfulness of Abstract Protocol Analysis: Message Authentication Joshua D. Guttman F. Javier Thayer Lenore D. Zuck December 18, 2002 Abstract Dolev and Yao initiated an approach to studying cryptographic
More informationProving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationHandling Encryption in an Analysis for Secure Information Flow
Handling Encryption in an Analysis for Secure Information Flow Peeter Laud peeter l@ut.ee Tartu Ülikool Cybernetica AS ESOP 2003, 7.11.04.2003 p.1/15 Overview Some words about the overall approach. Definition
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1,ChiaraBodei 2, Pierpaolo Degano 2, and Hanne Riis Nielson 1 1 Informatics and Mathematical Modelling, Technical University
More informationAuthentication Tests and Disjoint Encryption: a Design Method for Security Protocols
Authentication Tests and Disjoint Encryption: a Design Method for Security Protocols Joshua D. Guttman The MITRE Corporation guttman@mitre.org 20 August 2003 Abstract We describe a protocol design process,
More informationThe Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography
1 The Random Oracle Paradigm Mike Reiter Based on Random Oracles are Practical: A Paradigm for Designing Efficient Protocols by M. Bellare and P. Rogaway Random Oracles 2 Random oracle is a formalism to
More informationA derivation system and compositional logic for security protocols
Journal of Computer Security 13 2005) 423 482 423 IOS Press A derivation system and compositional logic for security protocols Anupam Datta a,, Ante Derek a, John C. Mitchell a and Dusko Pavlovic b a Computer
More informationParallel CoinTossing and ConstantRound Secure TwoParty Computation
Parallel CoinTossing and ConstantRound Secure TwoParty Computation Yehuda Lindell Dept. of Computer Science and Applied Math. The Weizmann Institute of Science Rehovot 76100, Israel. lindell@wisdom.weizmann.ac.il
More informationA Theory of Dictionary Attacks and its Complexity
A Theory of Dictionary Attacks and its Complexity Stéphanie Delaune, Florent Jacquemard To cite this version: Stéphanie Delaune, Florent Jacquemard. A Theory of Dictionary Attacks and its Complexity. 17th
More informationCHRISTIANALBRECHTSUNIVERSITÄT KIEL
INSTITUT FÜR INFORMATIK UND PRAKTISCHE MATHEMATIK A ConstraintBased Algorithm for ContractSigning Protocols Detlef Kähler, Ralf Küsters Bericht Nr. 0503 April 2005 CHRISTIANALBRECHTSUNIVERSITÄT KIEL
More informationOptimal Error Rates for Interactive Coding II: Efficiency and List Decoding
Optimal Error Rates for Interactive Coding II: Efficiency and List Decoding Mohsen Ghaffari MIT ghaffari@mit.edu Bernhard Haeupler Microsoft Research haeupler@cs.cmu.edu Abstract We study coding schemes
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad  Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationA Semantics for a Logic of Authentication. Cambridge, MA : A; B
A Semantics for a Logic of Authentication (Extended Abstract) Martn Abadi Digital Equipment Corporation Systems Research Center 130 Lytton Avenue Palo Alto, CA 94301 ma@src.dec.com Abstract: Burrows, Abadi,
More informationLecture 10: ZeroKnowledge Proofs
Lecture 10: ZeroKnowledge Proofs Introduction to Modern Cryptography Benny Applebaum TelAviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationSingular curve point decompression attack
Singular curve point decompression attack Peter Günther joint work with Johannes Blömer University of Paderborn FDTC 2015, September 13th, Saint Malo Peter Günther (UPB) Decompression Attack FDTC 2015
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationPKZIP. PKZIP Stream Cipher 1
PKZIP PKZIP Stream Cipher 1 PKZIP Phil Katz s ZIP program Katz invented zip file format o ca 1989 Before that, Katz created PKARC utility o ARC compression was patented by SEA, Inc. o SEA successfully
More informationFrom Unpredictability to Indistinguishability: A Simple. Construction of PseudoRandom Functions from MACs. Preliminary Version.
From Unpredictability to Indistinguishability: A Simple Construction of PseudoRandom Functions from MACs Preliminary Version Moni Naor Omer Reingold y Abstract This paper studies the relationship between
More informationAnalysing Layered Security Protocols
Analysing Layered Security Protocols Thomas GibsonRobinson St Catherine s College University of Oxford A thesis submitted for the degree of Doctor of Philosophy Trinity 2013 Abstract Many security protocols
More informationCompositional System Security in the Presence of InterfaceConfined Adversaries
Compositional System Security in the Presence of InterfaceConfined Adversaries Deepak Garg, Jason Franklin, Dilsun Kaynar, Anupam Datta February 19, 2010 CMUCyLab10004 CyLab Carnegie Mellon University
More informationAsymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis
Asymmetric Unification: A New Unification Paradigm for Cryptographic Protocol Analysis Serdar Erbatur 6, Santiago Escobar 1, Deepak Kapur 2, Zhiqiang Liu 3, Christopher Lynch 3, Catherine Meadows 4, José
More informationSemantics for EnoughCertainty and Fitting s Embedding of Classical Logic in S4
Semantics for EnoughCertainty and Fitting s Embedding of Classical Logic in S4 Gergei Bana 1 and Mitsuhiro Okada 2 1 INRIA de Paris, Paris, France bana@math.upenn.edu 2 Department of Philosophy, Keio
More informationModular Multiset Rewriting in Focused Linear Logic
Modular Multiset Rewriting in Focused Linear Logic Iliano Cervesato and Edmund S. L. Lam July 2015 CMUCS15117 CMUCSQTR128 School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213
More informationFormal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August
More informationA Composition Theorem for Universal OneWay Hash Functions
A Composition Theorem for Universal OneWay Hash Functions Victor Shoup IBM Zurich Research Lab, Säumerstr. 4, 8803 Rüschlikon, Switzerland sho@zurich.ibm.com Abstract. In this paper we present a new scheme
More informationIntroduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions
Introduction to Modern Cryptography Lecture 7 1. RSA Public Key CryptoSystem 2. One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bob s secret key K to two parts:
More informationDM492. Obligatoriske Opgave
DM492. Obligatoriske Opgave Jacob Christiansen, moffe42, 130282 Thomas Nordahl Pedersen, nordahl, 270282 1/405 Indhold 1 Opgave 1  Public Exponent 2 1.1 a.................................. 2 1.2 b..................................
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 15 October 20, 2014 CPSC 467, Lecture 15 1/37 Common Hash Functions SHA2 MD5 Birthday Attack on Hash Functions Constructing New
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure PublicKey Encryption Ronald Cramer Victor Shoup October 12, 2001 Abstract We present several new and fairly practical publickey
More informationA Proof Theory for Generic Judgments
A Proof Theory for Generic Judgments Dale Miller INRIA/Futurs/Saclay and École Polytechnique Alwen Tiu École Polytechnique and Penn State University LICS 2003, Ottawa, Canada, 23 June 2003 Outline 1. Motivations
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationOn the computational soundness of cryptographically masked flows
On the computational soundness of cryptographically masked flows Peeter Laud peeter.laud@ut.ee http://www.ut.ee/ peeter l Tartu University & Cybernetica AS & Institute of Cybernetics Mobius annual meeting,
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosenplaintext
More informationTAuth: Verifying Timed Security Protocols
TAuth: Verifying Timed Security Protocols Li Li 1, Jun Sun 2, Yang Liu 3, and Jin Song Dong 1 1 National University of Singapore 2 Singapore University of Technology and Design 3 Nanyang Technological
More informationSTRIBOB : Authenticated Encryption
1 / 19 STRIBOB : Authenticated Encryption from GOST R 34.112012 or Whirlpool MarkkuJuhani O. Saarinen mjos@item.ntnu.no Norwegian University of Science and Technology Directions in Authentication Ciphers
More informationOn the Complexity of the Hybrid Approach on HFEv
On the Complexity of the Hybrid Approach on HFEv Albrecht Petzoldt National Institute of Standards and Technology, Gaithersburg, Maryland, USA albrecht.petzoldt@gmail.com Abstract. The HFEv signature
More informationThéorie de l'information et codage. Master de cryptographie Cours 10 : RSA. 20,23 et 27 mars Université Rennes 1
Théorie de l'information et codage Master de cryptographie Cours 10 : RSA 20,23 et 27 mars 2009 Université Rennes 1 Master Crypto (20082009) Théorie de l'information et codage 20,23 et 27 mars 2009 1
More informationDan Boneh. Stream ciphers. The One Time Pad
Online Cryptography Course Stream ciphers The One Time Pad Symmetric Ciphers: definition Def: a cipher defined over is a pair of efficient algs (E, D) where E is often randomized. D is always deterministic.
More informationStrongly Unforgeable Signatures Based on Computational DiffieHellman
Strongly Unforgeable Signatures Based on Computational DiffieHellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationState and Protocols: The Envelope Example
State and Protocols: The Envelope Example rigorous design for protocols using state Daniel J. Dougherty and Joshua D. Guttman Worcester Polytechnic Institute Thanks to: National Science Foundation (Grant
More informationB. Encryption using quasigroup
Sequence Randomization Using Quasigroups and Number Theoretic s Vaignana Spoorthy Ella Department of Computer Science Oklahoma State University Stillwater, Oklahoma, USA spoorthyella@okstateedu Abstract
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationCSA E0 235: Cryptography March 16, (Extra) Lecture 3
CSA E0 235: Cryptography March 16, 2015 Instructor: Arpita Patra (Extra) Lecture 3 Submitted by: Ajith S 1 Chosen Plaintext Attack A chosenplaintext attack (CPA) is an attack model for cryptanalysis which
More informationAnalysing the Security of a Nonrepudiation Communication Protocol with Mandatory Proof of Receipt
Analysing the Security of a Nonrepudiation Communication Protocol with Mandatory Proof of Receipt TOM COFFEY, PUNEET SAIDHA, PETER URROWS Data Communication Security Laboratory University of Limerick
More informationAn Improved PseudoRandom Generator Based on Discrete Log
An Improved PseudoRandom Generator Based on Discrete Log Rosario Gennaro IBM T.J.Watson Research Center, P.O. Box 704, Yorktown Heights, NY 10598, rosario@watson.ibm.com Abstract. Under the assumption
More informationIDbased Encryption Scheme Secure against Chosen Ciphertext Attacks
IDbased Encryption Scheme Secure against Chosen Ciphertext Attacks ongxing Lu and Zhenfu Cao Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai 200030, P.. China {caozf,
More informationClassical Program Logics: Hoare Logic, Weakest Liberal Preconditions
Chapter 1 Classical Program Logics: Hoare Logic, Weakest Liberal Preconditions 1.1 The IMP Language IMP is a programming language with an extensible syntax that was developed in the late 1960s. We will
More informationTypeBased Automated Verification of Authenticity in Asymmetric Cryptographic Protocols
TypeBased Automated Verification of Authenticity in Asymmetric Cryptographic Protocols Morten Dahl 2, Naoki Kobayashi 1, Yunde Sun 1, and Hans Hüttel 2 1 Tohoku University 2 Aalborg University Abstract.
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 20072008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationCrypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.
Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review DiffieHellman (DH) key exchange
More informationQuantitative Evaluation of Chaotic CBC Mode of Operation
Quantitative Evaluation of Chaotic CBC Mode of Operation Abdessalem Abidi 1, Qianxue Wang 3, Belgacem bouallègue 1, Mohsen Machhout 1 and Christophe Gyeux 2 1 Electronics and Microelectronics Laboratory
More informationLecture 17  DiffieHellman key exchange, pairing, IdentityBased Encryption and Forward Security
Lecture 17  DiffieHellman key exchange, pairing, IdentityBased Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationLecture Notes on Secret Sharing
COMS W4261: Introduction to Cryptography. Instructor: Prof. Tal Malkin Lecture Notes on Secret Sharing Abstract These are lecture notes from the first two lectures in Fall 2016, focusing on technical material
More informationComplexity of automatic verification of cryptographic protocols
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic
More informationCausal Consistency for GeoReplicated Cloud Storage under Partial Replication
Causal Consistency for GeoReplicated Cloud Storage under Partial Replication Min Shen, Ajay D. Kshemkalyani, TaYuan Hsu University of Illinois at Chicago Min Shen, Ajay D. Kshemkalyani, TaYuan Causal
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about publickey cryptography Why did mathematicians
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationCryptography. pieces from work by Gordon Royle
Cryptography pieces from work by Gordon Royle The setup Cryptography is the mathematics of devising secure communication systems, whereas cryptanalysis is the mathematics of breaking such systems. We
More informationIntroduction to Isabelle/HOL
Introduction to Isabelle/HOL 1 Notes on Isabelle/HOL Notation In Isabelle/HOL: [ A 1 ;A 2 ; ;A n ]G can be read as if A 1 and A 2 and and A n then G 3 Note: Px (P x) stands for P (x) (P(x)) P(x, y) can
More informationSingle Database Private Information Retrieval with Logarithmic Communication
Single Database Private Information Retrieval with Logarithmic Communication YanCheng Chang Harvard University ycchang@eecs.harvard.edu February 10, 2004 Abstract In this paper, we study the problem of
More informationProvableSecurity Approach begins with [GM82] Classical Approach. Practical Cryptography: Provable Security as a Tool for Protocol Design
Practical Cryptography: Provable Security as a Tool for Protocol Design Phillip Rogaway UC Davis & Chiang Mai Univ rogaway@csucdavisedu http://wwwcsucdavisedu/~rogaway Summer School on Foundations of Internet
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: DiffieHellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys K and +K for
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: DiffieHellman General idea: Use two different keys K and +K for encryption and decryption Given a
More informationPseudorandom Number Generation. Qiuliang Tang
Pseudorandom Number Generation Qiuliang Tang Random Numbers in Cryptography The keystream in the onetime pad The secret key in the DES encryption The prime numbers p, q in the RSA encryption The private
More informationOn Expected ConstantRound Protocols for Byzantine Agreement
On Expected ConstantRound Protocols for Byzantine Agreement Jonathan Katz ChiuYuen Koo Abstract In a seminal paper, Feldman and Micali show an nparty Byzantine agreement protocol in the plain model
More informationMathematics of Public Key Cryptography
Mathematics of Public Key Cryptography Eric Baxter April 12, 2014 Overview Brief review of publickey cryptography Mathematics behind publickey cryptography algorithms What is PublicKey Cryptography?
More informationCSE4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing
Lecture 11: Key Management, Secret Sharing Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Key Management Secret Sharing Shamir s Threshold
More information14 DiffieHellman Key Agreement
14 DiffieHellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More information15 PublicKey Encryption
15 PublicKey Encryption So far, the encryption schemes that we ve seen are symmetrickey schemes. The same key is used to encrypt and decrypt. In this chapter we introduce publickey (sometimes called
More informationPrivate Authentication
Private Authentication Martín Abadi University of California at Santa Cruz Cédric Fournet Microsoft Research Abstract Frequently, communication between two principals reveals their identities and presence
More informationYale University Department of Computer Science
Yale University Department of Computer Science On Backtracking Resistance in Pseudorandom Bit Generation (preliminary version) Michael J. Fischer Mike Paterson Ewa Syta YALEU/DCS/TR1466 October 24, 2012
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More informationSlides for Chapter 14: Time and Global States
Slides for Chapter 14: Time and Global States From Coulouris, Dollimore, Kindberg and Blair Distributed Systems: Concepts and Design Edition 5, AddisonWesley 2012 Overview of Chapter Introduction Clocks,
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA  A brief overview 2 Partial Key Exposure
More informationPrivate Key Cryptography. Fermat s Little Theorem. One Time Pads. Public Key Cryptography
Fermat s Little Theorem Private Key Cryptography Theorem 11 (Fermat s Little Theorem): (a) If p prime and gcd(p, a) = 1, then a p 1 1 (mod p). (b) For all a Z, a p a (mod p). Proof. Let A = {1, 2,...,
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationA ConstructorBased Reachability Logic for Rewrite Theories
A ConstructorBased Reachability Logic for Rewrite Theories Stephen Skeirik, Andrei Stefanescu, Jose Meseguer October 10th, 2017 Outline 1 Introduction 2 Reachability Logic Semantics 3 The Invariant Paradox
More informationMaximal Noise in Interactive Communication over Erasure Channels and Channels with Feedback
Maximal Noise in Interactive Communication over Erasure Channels and Channels with Feedback Klim Efremenko UC Berkeley klimefrem@gmail.com Ran Gelles Princeton University rgelles@cs.princeton.edu Bernhard
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 19 November 8, 2017 CPSC 467, Lecture 19 1/37 Zero Knowledge Interactive Proofs (ZKIP) ZKIP for graph isomorphism FeigeFiatShamir
More informationCrossTool Semantics for Protocol Security Goals
Approved for Public Release; Distribution Unlimited. Case Number 161919. CrossTool Semantics for Protocol Security Goals Joshua D. Guttman, John D. Ramsdell, and Paul D. Rowe {guttman,ramsdell,prowe}@mitre.org
More informationGroup Diffie Hellman Protocols and ProVerif
Group Diffie Hellman Protocols and ProVerif CS 395T  Design and Analysis of Security Protocols Ankur Gupta Secure Multicast Communication Examples: Live broadcast of a match, stock quotes, video conferencing.
More informationMultiparty Computation from Threshold Homomorphic Encryption
Multiparty Computation from Threshold Homomorphic Encryption Ronald Cramer Ivan Damgård Jesper Buus Nielsen Aarhus University, Dept. of Computer Science, BRICS October 31, 2000 Abstract We introduce a
More informationLecture Notes on Quantification
Lecture Notes on Quantification 15317: Constructive Logic Frank Pfenning Lecture 5 September 8, 2009 1 Introduction In this lecture, we introduce universal and existential quantification As usual, we
More informationSolving LPN Using Covering Codes
Solving LPN Using Covering Codes Qian Guo 1,2 Thomas Johansson 1 Carl Löndahl 1 1 Dept of Electrical and Information Technology, Lund University 2 School of Computer Science, Fudan University ASIACRYPT
More informationLecture 6. 2 AdaptivelySecure NonInteractive ZeroKnowledge
CMSC 858K Advanced Topics in Cryptography February 12, 2004 Lecturer: Jonathan Katz Lecture 6 Scribe(s): Omer Horvitz John Trafton Zhongchao Yu Akhil Gupta 1 Introduction In this lecture, we show how to
More informationAlgebraic Intruder Deductions
Algebraic Intruder Deductions David Basin, Sebastian Mödersheim, and Luca Viganò Information Security Group, Dep. of Computer Science, ETH Zurich, Switzerland www.infsec.ethz.ch/~{basin,moedersheim,vigano}
More information8.1 Principles of PublicKey Cryptosystems
Publickey cryptography is a radical departure from all that has gone before. Right up to modern times all cryptographic systems have been based on the elementary tools of substitution and permutation.
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky Lecture 4 Lecture date: January 26, 2005 Scribe: Paul Ray, Mike Welch, Fernando Pereira 1 Private Key Encryption Consider a game between
More informationDeterministic Finite Automata
Deterministic Finite Automata COMP2600 Formal Methods for Software Engineering Ranald Clouston Australian National University Semester 2, 2013 COMP 2600 Deterministic Finite Automata 1 Pop quiz What is
More information