MSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
|
|
- Geoffrey Briggs
- 6 years ago
- Views:
Transcription
1 MSR by Examples Iliano Cervesato ITT Industries, NRL Washington DC PPL 01 March 21 st, 2001
2 Outline I. Security Protocols II. MSR by Examples Multiset rewriting The Neuman-Stubblebine Protocol MSR III. Intruder Models Dolev-Yao intruder MSR by Examples 2
3 Part I Security Protocols MSR by Examples 3
4 What are they? Exchange of (encrypted) messages for Communicating secrets Authentication Contract signing E-commerce MSR by Examples 4
5 Neuman-Stubblebine Phase I A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 5
6 Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab MSR by Examples 6
7 Dolev-Yao Abstraction Symbolic data No bit-strings Perfect cryptography No guessing of keys Public knowledge soup Magic access to data MSR by Examples 7
8 Why is Protocol Analysis Difficult? Subtle cryptographic primitives Dolev-Yao abstraction Distributed hostile environment Prudent engineering practice Inadequate specification languages the devil is in details MSR by Examples 8
9 Languages to Specify What? Message flow Message constituents Operating environment Protocol goals MSR by Examples 9
10 Desirable Properties Unambiguous Simple Flexible Adapts to protocol Applies to a wide class of protocols Insightful MSR by Examples 10
11 Part II MSR by Examples MSR by Examples 11
12 What s in MSR? Multiset rewriting with existentials Dependent types w/ subsorting Memory predicates New New Constraints New MSR by Examples 12
13 Multiset Rewriting Multiset: set with repetitions allowed Rewrite rule: r: N 1 N 2 Application r M 1 M 2 r M, N 1 M, N 2 Multi-step transition, reachability MSR by Examples 13
14 Neuman-Stubblebine Phase I A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 14
15 NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 15
16 NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 16
17 NS-I: A s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab X X Ticket MSR by Examples 17
18 Sending / Receiving Messages N(A, n A ) Network predicate N(t): t is a message in transit N({B,n A,k AB,T B } kas,x,n B ) N({n B } kab ) MSR by Examples 18
19 Terms Atomic terms Principal names A Keys k Nonces n Term constructors ( ) {_} D e f i n a b l e MSR by Examples 19
20 Nonces n A. N(A, n A ) Existential variables n A instantiated to a new constant N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) MSR by Examples 20
21 MSet Rewriting with Existentials msets of 1 st -order atomic formulas Rules: Application r: F(x) n. G(x,n) r M 1 M 2 c not in M 1 r M, F(t) M, G(t,c) MSR by Examples 21
22 Sequencing actions L. Fresh! n A. N(A, n A ) L(A,n A ) Role state predicate L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) MSR by Examples 22
23 Role state predicates Hold data local to a role instance Lifespan = role L l (A,t,, t) Invoke next rule L l = control (A,t,, t) = data MSR by Examples 23
24 Remembering Things L. n A. L(A,n A ) N(A, n A ) L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) Tkt A (B,k AB,X) Memory predicate MSR by Examples 24
25 Memory Predicates New M A (t,, t) Hold private info. across role exec. Support for subprotocols Communicate data Pass control Interface to outside system Implements intruder MSR by Examples 25
26 Role owner New Role owner The principal executing the role L. n A. L(A,n A ) N(A, n A ) A L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) Tkt A (B,k AB,X) MSR by Examples 26
27 What is what? Types A L: princ x nonce. na :nonce. n A :nonce. L(A,n A ) N(A, n A ) B:princ. n A,n B : nonce k AB : shk A B k AS : shk A S X: msg L(A,n A ) N({B,n A,k AB,T B } kas, X, n B ) N({n B } kab ) Tkt A (B,k AB,X) MSR by Examples 27
28 Types of Terms A: princ n: nonce k: shk A B k: pubk A k : privk k (definable) Types can depend on term Captures relations between objects Static Local Mandatory MSR by Examples 28
29 Subtyping τ :: msg Allows atomic terms in messages Definable Non-transmittable terms Sub-hierarchies MSR by Examples 29
30 Type of predicates Dependent sums Σx: τ. τ τ (x) x τ Forces associations among arguments x E.g.: princ (A) x pubk A (k A) x privk k A MSR by Examples 30
31 Type Checking New Σ P t has type τ in Γ Γ t : τ P is welltyped in Σ Catches: Encryption with a nonce Transmission of a long term key MSR by Examples 31
32 Access Control New r is AC-valid for A in Γ Catches Γ A r P is ACvalid in Σ Σ P A signing/encrypting with B s key A accessing B s private data, Gives meaning to Dolev-Yao intruder MSR by Examples 32
33 NS-I: B s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 33
34 NS-I: B s role L: princ (B) x princ x nonce x shk B S x nonce x time. B A:princ. n A : nonce k BS :shkb S T B : time n B :nonce. N(A, n A ) Clk B (T B ) N(B, {A,n A,T B } kbs, n B ) Clk B (T B ) L(B,A,n A,k BS,n B,T B ). k AB :shka B n B : nonce T now : time T V,T e : time L(B,A,n A,k BS,n B,T B ) N({A,k AB,T B } kbs, {n B } kab ) Val B (A,T B, T V ) (T e = T B + T V ) Auth B (A, k AB,T B,T e ) Val B (A,T B, T V ) Constraint MSR by Examples 34
35 Constraints New χ Guards over interpreted domain Abstract Modular Invoke constraint handler E.g.: timestamps (T E = T N + T d ) (T N < T E ) MSR by Examples 35
36 NS-I: S s point of view A B: A, n A B S: B, {A, n A, T B } kbs, n B S A: {B, n A, k AB, T B } kas, {A, k AB, T B } kbs,n B A B: {A, k AB, T B } kbs, {n B } kab MSR by Examples 36
37 NS-I: S s role Anchored role A,B:princ. k AS :shka S k BS :shkb S n A,n B : nonce T B : time N(B, {A,n A,T B } kbs,n B ) k AB :shka B. N({B,n A,k AB,T B } kas, {A,k AB,T B } kbs, n B ) S MSR by Examples 37
38 Neuman-Stubblebine Phase II A B: n A, {A, k AB, T B } kbs B A: n B, {n A } kab A B: {n B } kab MSR by Examples 38
39 NS-II: A s role A L: princ (A) x princ (B) x shk A B x nonce. n A :nonce. B:princ. k AB :shka B X: msg Tkt A (B,k AB,X) N( n A, X) Tkt A (B,k AB,X) L(A, B,k AB,n A ). n A,n B : nonce L(A, B,k AB,n A ) N(n B,{n A } kab ) N({n B } kab ) MSR by Examples 39
40 NS-II: B s role L: princ (B) x princ (A) x shk A B x nonce. B n A : nonce k BS :shkb S A:princ. k AB :shka B T B,T e : time T now : time N(n A, {A,k AB,T B } kbs ) Auth B (A, k AB,T B,T e ) Clk B (T now ) (T now < T e ) n B :nonce. N(n B, {n A } kab ) Auth B (A, k AB,T B,T e ) Clk B (T now ) L(B,A,k AB,n B ). n B : nonce L(B,A,k AB,n B ) N({n B } kab ) MSR by Examples 40
41 Summary: Rules x 1 : τ 1. x n : τ n. y 1 : τ 1. lhs rhs y n : τ n. N(t) Network L(t,, t) Local state M A (t,, t) Memory χ Constraints N(t) Network L(t,, t) Local state M A (t,, t) Memory MSR by Examples 41
42 Summary: Roles Role state pred. var. declarations Generic roles L: τ (x 1 ) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A Role owner Anchored roles L: τ (x1) 1 x x τ n (xn) x:τ. lhs y:τ. rhs x:τ. lhs y:τ. rhs A MSR by Examples 42
43 Summary: Snapshots Active role set C = [S] R Σ State N(t) L l (t,, t) M A (t,, t) Signature a : τ L l : τ M _ : τ MSR by Examples 43
44 Summary: Execution Model Activate roles Generates new role state pred. names Instantiate variables Apply rules Skips rules P C C 1-step firing MSR by Examples 44
45 Summary: Rule application r = F, χ n:τ. G(n) Constraint check Σ = χ (constraint handler) Firing [S 1 ] R(r,ρ) Σ [S 2 ] Rρ Σ, c:τ c not in S 1 S, F S, G(c) MSR by Examples 45
46 Properties Type preservation Access control preservation Completeness of Dolev-Yao intruder New MSR by Examples 46
47 Completed Case-Studies Full Needham-Schroeder public-key Otway-Rees Neuman-Stubblebine repeated auth. OFT group key management MSR by Examples 47
48 Part III The Intruder MSR by Examples 48
49 Execution with an Attacker P, P I C C Selected principal(s): Generic capabilities: Well-typed AC-valid I P I Modeled completely within MSR MSR by Examples 49
50 The Dolev-Yao Intruder Specific protocol suite P DY Underlies every protocol analysis tool Completeness still unproved MSR by Examples 50
51 Capabilities of the D-Y Intruder Intercept / emit messages Decrypt / encrypt with known key Split / form pairs Look up public information Generate fresh data MSR by Examples 51
52 DY Intruder Net Interference M I (t) : Intruder knowledge t: msg. N(t) M I (t) I t: msg. M I (t) N(t) I MSR by Examples 52
53 DY Intruder Decryption A,B: princ k: shk A B t: msg M I ({t} k ) M I (k) M I (t) I A: princ k: pubk A k : privk A t: msg M I ({t} k ) M I (k) M I (t) I MSR by Examples 53
54 DY Intruder Encryption A,B: princ k: shk A B t: msg M I (t) M I (k) M I ({t} k ) I A: princ k: pubk A t: msg M I (t) M I (k) M I ({t} k ) I MSR by Examples 54
55 DY Intruder Pairs t 1,t 2 : msg M I (t 1,t 2 ) M I (t 1 ) M I (t 2 ) I t 1,t 2 : msg M I (t 1 ) M I (t 2 ) M I (t 1,t 2 ) I MSR by Examples 55
56 DY Intruder Structural rules t: msg M I ( t) M I (t) M I (t) I t: msg M I ( t) I MSR by Examples 56
57 DY Intruder Data access A: princ. M I (A) I A: princ k: shk I A M I (k) I + dual A: princ k: pubk A M I (k) I k: pubk I k : privk k M I (k ) I No nonces, no other keys, MSR by Examples 57
58 DY Intruder Data Generation Safe data n:nonce. M I (n) I m:msg. M I (m) I Anything else? A,B:princ. k:shk A B. M I (k) I??? It depends on the protocol!!! Automated generation? MSR by Examples 58
59 DY Intruder Stretches AC to Limit AC-valid Well-typed Dolev-Yao intruder MSR by Examples 59
60 Completeness of D-Y Intruder If P [S] R Σ [S ] R Σ with all well-typed and AC-valid Then P, P DY [S] R Σ [S ] R Σ MSR by Examples 60
61 Consequences Justifies design of current tools Support optimizations D-Y intr. often too general/inefficient Generic optimizations Per protocol optimizations Restrictive environments Caps multi-intruder situations MSR by Examples 61
62 Future work Experimentation Clark-Jacob library Fair-exchange protocols More multicast Pragmatics Type-reconstruction Operational execution model(s) Implementation Automated specification techniques MSR by Examples 62
Typed MSR: Syntax and Examples
Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ MMM 01 St. Petersburg, Russia May 22 nd, 2001 Outline
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols
More informationAbstract Specification of Crypto- Protocols and their Attack Models in MSR
Abstract Specification of Crypto- Protocols and their Attack Models in MSR Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ Software
More informationLecture 7: Specification Languages
Graduate Course on Computer Security Lecture 7: Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita
More informationOne Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano
More informationMSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano ISSS 2003,
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationThe Logical Meeting Point of Multiset Rewriting and Process Algebra
MFPS 20 @ MU May 25, 2004 The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano ervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, D http://theory.stanford.edu/~iliano
More informationEncoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania
Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to
More informationControl Flow Analysis of Security Protocols (I)
Control Flow Analysis of Security Protocols (I) Mikael Buchholtz 02913 F2005 Mikael Buchholtz p. 1 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography 02913 F2005
More informationVerification of Security Protocols in presence of Equational Theories with Homomorphism
Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D,
More informationModels and analysis of security protocols 1st Semester Security Protocols Lecture 6
Models and analysis of security protocols 1st Semester 2010-2011 Security Protocols Lecture 6 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 18th 2010 1 / 46 Last Time (I) Symmetric
More informationTime-Bounding Needham-Schroeder Public Key Exchange Protocol
Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek
More informationProtocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete
Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete Michaël Rusinowitch and Mathieu Turuani LORIA-INRIA- Université Henri Poincaré, 54506 Vandoeuvre-les-Nancy cedex, France
More informationA Logic of Authentication
A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,
More informationA Calculus for Control Flow Analysis of Security Protocols
International Journal of Information Security manuscript No. (will be inserted by the editor) A Calculus for Control Flow Analysis of Security Protocols Mikael Buchholtz, Hanne Riis Nielson, Flemming Nielson
More informationDiscrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols
Discrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols Max Kanovich 1,5 Tajana Ban Kirigin 2 Vivek Nigam 3 Andre Scedrov 4,5 and Carolyn Talcott 6 1 Queen Mary, University of London
More informationCPSA and Formal Security Goals
CPSA and Formal Security Goals John D. Ramsdell The MITRE Corporation CPSA Version 2.5.1 July 8, 2015 Contents 1 Introduction 3 2 Syntax 6 3 Semantics 8 4 Examples 10 4.1 Needham-Schroeder Responder.................
More informationRelating State-Based and Process-Based Concurrency through Linear Logic
École Polytechnique 17 September 2009 Relating State-Based and Process-Based oncurrency through Linear Logic Iliano ervesato arnegie Mellon University - Qatar iliano@cmu.edu Specifying oncurrent Systems
More informationTerm Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool
Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Informáticos y Computación Universitat Politècnica de València sescobar@dsic.upv.es
More informationProbabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Lincoln, P. Mateus, M. Mitchell Standard analysis methods Finite-state
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University
More informationModels for an Adversary-Centric Protocol Logic
Workshop on Logical Aspects of Cryptographics 2001 Preliminary Version Models for an Adversary-Centric Protocol Logic Peter Selinger Department of Mathematics and Statistics University of Ottawa Ottawa,
More informationA Logic of Authentication. Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989
A Logic of Authentication Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989 Logic Constructs P believes X : P may act as though X is true. P sees X : a message containing X was sent to P; P can read and
More informationQuantum Wireless Sensor Networks
Quantum Wireless Sensor Networks School of Computing Queen s University Canada ntional Computation Vienna, August 2008 Main Result Quantum cryptography can solve the problem of security in sensor networks.
More informationStrand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001
Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction
More informationExtending Dolev-Yao with Assertions
Extending Dolev-Yao with Assertions Vaishnavi Sundararajan Chennai Mathematical Institute FOSAD 2015 August 31, 2015 (Joint work with R Ramanujam and S P Suresh) Vaishnavi S Extending Dolev-Yao with Assertions
More informationA progress report on using Maude to verify protocol properties using the strand space model
A progress report on using Maude to verify protocol properties using the strand space model Presented by Robert P. Graham, MAJ, USAF/AFIT Stephen W. Mancini, 1Lt, USAF/AFIT Presentation date: 01 Oct 03
More informationProving Properties of Security Protocols by Induction
Proving Security Protocols 1 L. C. Paulson Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory University of Cambridge Proving Security Protocols 2 L. C. Paulson
More informationProving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationOn the Verification of Cryptographic Protocols
On the Verification of Cryptographic Protocols Federico Cerutti Dipartimento di Ingegneria dell Informazione, Università di Brescia Via Branze 38, I-25123 Brescia, Italy January 11, 2011 Talk at Prof.
More informationEquational Tree Automata: Towards Automated Verification of Network Protocols
Equational Tree Automata: Towards Automated Verification of Network Protocols Hitoshi Ohsaki and Toshinori Takai National Institute of Advanced Industrial Science and Technology (AIST) Nakoji 3 11 46,
More informationAutomated Validation of Internet Security Protocols. Luca Viganò
Automated Validation of Internet Security Protocols Luca Viganò The AVISPA Project Luca Viganò 1 Motivation The number and scale of new security protocols under development is out-pacing the human ability
More informationMASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY
DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY MASTER S THESIS MICHAEL GARDE FROM FORMAL TO COMPUTATIONAL AUTHENTICITY AN APPROACH FOR RECONCILING FORMAL AND COMPUTATIONAL
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationAutomatic Verification of Complex Security Protocols With an Unbounded Number of Sessions
Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions Kaile Su, Weiya Yue and Qingliang Chen Department of Computer Science, Sun Yat-sen University Guangzhou, P.R. China
More informationBAN Logic A Logic of Authentication
BAN Logic A Logic of Authentication Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 BAN Logic The BAN logic was named after its inventors, Mike Burrows, Martín Abadí,
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationA decidable subclass of unbounded security protocols
A decidable subclass of unbounded security protocols R. Ramanujam and S. P. Suresh The Institute of Mathematical Sciences C.I.T. Campus, Chennai 600 113, India. E-mail: {jam,spsuresh}@imsc.res.in 1 Summary
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationGurgen Khachatrian Martun Karapetyan
34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationCHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
INSTITUT FÜR INFORMATIK UND PRAKTISCHE MATHEMATIK A Constraint-Based Algorithm for Contract-Signing Protocols Detlef Kähler, Ralf Küsters Bericht Nr. 0503 April 2005 CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
More informationNegative applications of the ASM thesis
Negative applications of the ASM thesis Dean Rosenzweig and Davor Runje University of Zagreb Berlin, February 26-27, 2007 Outline 1 Negative applications of the ASM thesis Motivation Non-interactive algorithms
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationA new security notion for asymmetric encryption Draft #8
A new security notion for asymmetric encryption Draft #8 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationReport Documentation Page
Multiset Rewriting and the Complexity of Bounded Security Protocols Λ N.A. Durgin P.D. Lincoln J.C. Mitchell A. Scedrov Sandia National Laboratories Livermore, CA nadurgi@sandia.gov Computer Science Dept.
More informationThe Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Indistinguishability
The Maude-NRL Protocol Analyzer Lecture 3: Asymmetric Unification and Catherine Meadows Naval Research Laboratory, Washington, DC 20375 catherine.meadows@nrl.navy.mil Formal Methods for the Science of
More informationAnalysis of authentication protocols Intership report
Analysis of authentication protocols Intership report Stéphane Glondu ENS de Cachan September 3, 2006 1 Introduction Many computers are interconnected through networks, the biggest of them being Internet.
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationA compositional logic for proving security properties of protocols
Journal of Computer Security 11 (2003) 677 721 677 IOS Press A compositional logic for proving security properties of protocols Nancy Durgin a, John Mitchell b and Dusko Pavlovic c a Sandia National Labs,
More informationDeciding the Security of Protocols with Commuting Public Key Encryption
Electronic Notes in Theoretical Computer Science 125 (2005) 55 66 www.elsevier.com/locate/entcs Deciding the Security of Protocols with Commuting Public Key Encryption Yannick Chevalier a,1 Ralf Küsters
More informationA simple procedure for finding guessing attacks (Extended Abstract)
A simple procedure for finding guessing attacks (Extended Abstract) Ricardo Corin 1 and Sandro Etalle 1,2 1 Dept. of Computer Science, University of Twente, The Netherlands 2 CWI, Center for Mathematics
More informationProof Scores in the OTS/CafeOBJ Method
Proof Scores in the OTS/CafeOBJ Method Kazuhiro Ogata 1,2 and Kokichi Futatsugi 2 1 NEC Software Hokuriku, Ltd. ogatak@acm.org 2 Japan Advanced Institute of Science and Technology (JAIST) kokichi@jaist.ac.jp
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1,ChiaraBodei 2, Pierpaolo Degano 2, and Hanne Riis Nielson 1 1 Informatics and Mathematical Modelling, Technical University
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationAn Efficient Cryptographic Protocol Verifier Based on Prolog Rules
An Efficient Cryptographic Protocol Verifier Based on Prolog Rules Bruno Blanchet INRIA Rocquencourt Domaine de Voluceau B.P. 105 78153 Le Chesnay Cedex, France Bruno.Blanchet@inria.fr Abstract We present
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationPicnic Post-Quantum Signatures from Zero Knowledge Proofs
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER STEVEN GOLDFEDER JONATHAN KATZ VLAD KOLESNIKOV CLAUDIO ORLANDI SEBASTIAN RAMACHER CHRISTIAN RECHBERGER
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationAutomatic, computational proof of EKE using CryptoVerif
Automatic, computational proof of EKE using CryptoVerif (Work in progress) Bruno Blanchet blanchet@di.ens.fr Joint work with David Pointcheval CNRS, École Normale Supérieure, INRIA, Paris April 2010 Bruno
More informationOn the Automatic Analysis of Recursive Security Protocols with XOR
On the Automatic Analysis of Recursive Security Protocols with XOR Ralf Küsters 1 and Tomasz Truderung 2 1 ETH Zurich ralf.kuesters@inf.ethz.ch 2 University of Kiel, Wrocław University tomasz.truderung@ii.uni.wroc.pl
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationA Cryptographic Decentralized Label Model
A Cryptographic Decentralized Label Model Jeffrey A. Vaughan and Steve Zdancewic Department of Computer and Information Science University of Pennsylvania IEEE Security and Privacy May 22, 2007 Information
More informationA one message protocol using cryptography, where K AB is a symmetric key shared between A and B for private communication. A B : {M} KAB on c AB
A one message protocol using cryptography, where K AB is a symmetric key shared between A and B for private communication. A B : {M} KAB on c AB This can be represented as A send cab {M} KAB ;halt B recv
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationCryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1
Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption
More informationProbabilistic Model Checking of Security Protocols without Perfect Cryptography Assumption
Our Model Checking of Security Protocols without Perfect Cryptography Assumption Czestochowa University of Technology Cardinal Stefan Wyszynski University CN2016 Our 1 2 3 Our 4 5 6 7 Importance of Security
More informationAutomata-based analysis of recursive cryptographic protocols
1 Automata-based analysis of recursive cryptographic protocols Thomas Wilke Joint work with Ralf Küsters Christian-Albrechts-Universität zu Kiel June 13, 2004 Un-/Decidability of security in the DY model
More informationarxiv: v1 [cs.cr] 27 May 2016
Towards the Automated Verification of Cyber-Physical Security Protocols: Bounding the Number of Timed Intruders Vivek Nigam 1, Carolyn Talcott 2 and Abraão Aires Urquiza 1 arxiv:1605.08563v1 [cs.cr] 27
More informationThe Faithfulness of Abstract Protocol Analysis: Message Authentication
The Faithfulness of Abstract Protocol Analysis: Message Authentication Joshua D. Guttman F. Javier Thayer Lenore D. Zuck December 18, 2002 Abstract Dolev and Yao initiated an approach to studying cryptographic
More informationVerification of the TLS Handshake protocol
Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol.
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationAPPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.
APPLITIONS OF AN-LOGIC JAN WESSELS CMG FINANCE.V. APRIL 19, 2001 Chapter 1 Introduction This document is meant to give an overview of the AN-logic. The AN-logic is one of the methods for the analysis of
More informationCS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing
Lecture 11: Key Management, Secret Sharing Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Key Management Secret Sharing Shamir s Threshold
More informationA Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures
A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures Véronique Cortier LORIA, Nancy, France CNRS & INRIA Project Cassis cortier@loria.fr Michael Rusinowitch
More informationGroup Diffie Hellman Protocols and ProVerif
Group Diffie Hellman Protocols and ProVerif CS 395T - Design and Analysis of Security Protocols Ankur Gupta Secure Multicast Communication Examples: Live broadcast of a match, stock quotes, video conferencing.
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationOn-the-fly Model Checking of Security Protocols
Guoqiang LI Japan Advanced Institute of Science and Technology Supervisor: Prof. Mizuhito Ogawa February 7, 2008 1 / 103 A Challenging Problem and A Legend... A security protocol, although only containing
More informationBranch Prediction based attacks using Hardware performance Counters IIT Kharagpur
Branch Prediction based attacks using Hardware performance Counters IIT Kharagpur March 19, 2018 Modular Exponentiation Public key Cryptography March 19, 2018 Branch Prediction Attacks 2 / 54 Modular Exponentiation
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationPractical Verifiable Encryption and Decryption of Discrete Logarithms
Practical Verifiable Encryption and Decryption of Discrete Logarithms Jan Camenisch IBM Zurich Research Lab Victor Shoup New York University p.1/27 Verifiable encryption of discrete logs Three players:
More informationA Short Tutorial on Proverif
A Short Tutorial on Proverif Alfredo Pironti and Riccardo Sisto Politecnico di Torino, Italy Cryptoforma Meeting, Apr 8, 2010 1 Outline PART 1: how the tool works (Riccardo Sisto) Context: Abstract modelling
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationIntroduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions
Introduction to Modern Cryptography Lecture 7 1. RSA Public Key CryptoSystem 2. One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bob s secret key K to two parts:
More information