State and Protocols: The Envelope Example
Rigorous design for protocols using state

Daniel J. Dougherty and Joshua D. Guttman, Worcester Polytechnic Institute
Thanks to: National Science Foundation (Grant CNS )
March 2013
DD & JDG (WPI), Envelope, BiSS, 1 / 23
Goal of this Talk
Illustrate a logical, diagrammatic approach to protocol refinement:
- for protocols using state via Hardware Security Modules (specifically Trusted Platform Modules)
- using M. Ryan's envelope protocol
Trusted Platform Modules
- Small, cheap chip on the motherboard of many PCs
- Offers:
  - Cryptographic primitives
  - Some protected storage
  - Platform configuration registers that record certain event sequences; the state is a reliable record of those events
- Supports attestation: signed assertions about TPM state, reflecting system history
The Envelope Protocol
- Alice deposits an encrypted secret {v}_K such that:
  - Bob can obtain v, or
  - Bob can certify that v was never obtained, and never will be obtained,
  - but not both
- Bob may be adversarial, misbehaving to try to get both v and refuse({v}_K)
- The TPM is used to achieve the protocol goal
Envelope Protocol: Security Goal
This diagram never occurs within any execution:
  [diagram: A sends {v}_K; later both v and refuse({v}_K) occur]
where v is fresh and unguessable.
Implementation Idea Using a TPM
Suppose: just one TPM with just one PCR.
1. Use one TPM platform configuration register
2. Put it in a state u_1
3. Allow decryption if extended to Hash(u_1, obtain)
4. Generate a refusal cert if extended to Hash(u_1, refuse)
5. Ensure u_1 can never again be the value of the PCR, regardless of this choice
Analyzing the Envelope Protocol
- Delaune-Kremer-Ryan-Steel: verify it via ProVerif, under some restrictions:
  - Bounded number of reboots
  - Anchored at the initial, post-boot state
  - Monolithic
- Our contributions:
  1. Lift the restrictions above using an explicit model of distributed system behavior
  2. A proof method tailored to protocol refinement steps
  3. Ensure disjoint encryption properties
Strands with State Synchronization
A strand is a linear sequence of
1. transmission nodes (sending a term t)
2. reception nodes (receiving a term t)
3. state synchronization nodes (φ)
representing a single local session.
We view transmissions as positive, receptions as negative, and state synchronizations as neutral.
Bundles, Executions
Definition. A bundle B is a finite directed acyclic graph of nodes, closed backward on each strand, in which every reception of t has a unique matching transmission of t.
Definition. An execution is a pair (B, ⪯) where B is a bundle and ⪯ is a partial order extending the bundle's arrow relations, such that
- ⪯ linearly orders the neutral nodes, and
- certain state evolution rules are satisfied, e.g.
  n_1 ≺ n_2 implies pcr_after(n_1) = pcr_before(n_2), or ∃ m. Neutral(m) and n_1 ≺ m ≺ n_2
I. State Evolution Equations (TPM Formalization)
- Boot(n) implies pcr_after(n) = 1
- Extend(n, x) implies pcr_after(n) = Hash(pcr_before(n), x)
- Boot(n) or Extend(n, x) or pcr_after(n) = pcr_before(n)
We will write pcr(n) when pcr_after(n) = pcr_before(n).
II. Prefix/Boot (TPM Formalization)
Definition. Prefix(x, y) iff, recursively, x = y or ∃ z, w. y = Hash(z, w) and Prefix(x, z).
Lemma. n_0 ⪯ n_2 implies either Prefix(pcr_before(n_0), pcr_after(n_2)) or ∃ n_1. n_0 ⪯ n_1 ⪯ n_2 and Boot(n_1).
IIIa. Request/Reply Roles (TPM Formalization)
Request, TPM node, reply:
- power on: Boot(n); reply "up"
- extend x: Extend(n, x); reply "ext ok"
- quote x: Quote(n, x); reply c, where c = [[quote pcr(n), x]]_aik
IIIb. Request/Reply Roles (TPM Formalization)
- bind x: Bind(n, x); reply r_1, where r_1 = [[bind K, x]]_aik
- unbind {t}_K, r_2: Unbind(n, r_2); reply t, where r_2 = [[bind K, pcr(n)]]_aik
Values: K is fresh; K^-1 is uncompromised, in the bind role.
Envelope Protocol: Refined Security Goal
This diagram never occurs within any execution:
  [diagram: A obtains [[bind K, Hash(u_1, obtain)]]_aik and sends {v}_K; later both v and refuse(u_1, {v}_K) occur]
where refuse(u_1, {v}_K) = [[quote Hash(u_1, refuse), {v}_K]]_aik.
Refusal Specification
Must traverse a quote-able state:
  [diagram: an execution containing {v}_K and refuse(u_1, {v}_K) also contains a neutral node n_2 with Quote(n_2, {v}_K) and pcr(n_2) = Hash(u_1, refuse)]
Disclosure Specification
Must traverse an unbindable state:
  [diagram: an execution containing {v}_K and v also contains a neutral node n_0 with Unbind(n_0, [[bind K, Hash(u_1, obtain)]]_aik), so pcr(n_0) = Hash(u_1, obtain)]
Security Goal, and Consequences
This diagram never occurs within any execution:
  [diagram: {v}_K is sent; v is obtained at the unbind node n_0 and refuse(u_1, {v}_K) at the quote node n_2, with neutral nodes n_0, n_1, n_2]
By the Prefix/Boot Lemma: ∃ n_1. Boot(n_1) and either n_0 ⪯ n_1 ⪯ n_2 or n_2 ⪯ n_1 ⪯ n_0.
Implementation Idea Using a TPM
1. Use one TPM platform configuration register
2. Put it in a state u_1
3. Allow decryption if extended to Hash(u_1, obtain)
4. Generate a refusal cert if extended to Hash(u_1, refuse)
5. Ensure u_1 can never again be the value of the PCR, regardless of this choice
Produce u_1 = Hash(u_0, N) by extending some state u_0 with a fresh nonce N.
Specification: PCR Setup Subprotocol
This diagram never occurs within any execution:
  [diagram: A chooses N freshly at n_0 and sends {...extend N...}_esk; the TPM has Extend(n_1, N) with pcr_after(n_1) = Hash(u_0, N), then Boot(n_2), then Extend(n_3, N) again]
- N is freshly chosen at n_0
- N must be sent encrypted
PCR Setup Subprotocol: Implementation Strategies
- A delivers "extend N" to the TPM in an encrypted session
- Then either:
  - A closes the session before transmitting {v}_K, or
  - the TPM tears down encrypted sessions before reboot
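As an added example (not code from the talk or its authors), a symbolic Python model of the single-PCR TPM and the envelope protocol as the slides describe them: Hash is a term constructor so Prefix can be decided structurally, the TPM records every neutral node so the Prefix/Boot lemma can be checked over an execution, and Bob is run down each branch, including a reboot in which he extends either a guessed nonce or, in the execution the setup specification forbids, the real N. The class and function names, Bob's strategy and the sample values are constructed assumptions, not the authors' formalization.

```python
"""Symbolic model of a one-PCR TPM and the envelope protocol (added example)."""
import itertools

BOOT_VALUE = 1  # pcr_after(n) = 1 whenever Boot(n), as in the state equations


def Hash(u, x):
    """Symbolic hash: a term, so Prefix can be decided structurally."""
    return ("H", u, x)


def Prefix(x, y):
    """Prefix(x, y) iff x = y, or y = Hash(z, w) and Prefix(x, z)."""
    return x == y or (isinstance(y, tuple) and y[0] == "H" and Prefix(x, y[1]))


class TPM:
    """One PCR; each request/reply is recorded as a neutral node."""

    def __init__(self):
        self.pcr = BOOT_VALUE
        self.history = []            # (kind, pcr_before, pcr_after) per node
        self._keys = {}              # private halves of bind keys, TPM-only
        self._ids = itertools.count()

    def _node(self, kind, pcr_after):
        self.history.append((kind, self.pcr, pcr_after))
        self.pcr = pcr_after

    def boot(self):                  # Boot(n): pcr_after(n) = 1
        self._node("boot", BOOT_VALUE)

    def extend(self, x):             # Extend(n, x): pcr_after = Hash(pcr_before, x)
        self._node("extend", Hash(self.pcr, x))

    def quote(self, x):              # Quote(n, x): reply [[quote pcr(n), x]]_aik
        self._node("quote", self.pcr)
        return ("aik", "quote", self.pcr, x)

    def bind(self, x):               # Bind(n, x): fresh K, reply [[bind K, x]]_aik
        self._node("bind", self.pcr)
        K = ("K", next(self._ids))
        self._keys[K] = x
        return ("aik", "bind", K, x)

    def unbind(self, cert, ctext):   # Unbind(n, r2): t iff r2 = [[bind K, pcr(n)]]_aik
        self._node("unbind", self.pcr)
        _, _, K, x = cert
        if self._keys.get(K) != x or x != self.pcr or ctext[:2] != ("enc", K):
            return None
        return ctext[2]


def is_refusal(q, u1, ctext):
    """refuse(u1, {v}_K) = [[quote Hash(u1, refuse), {v}_K]]_aik"""
    return q == ("aik", "quote", Hash(u1, "refuse"), ctext)


def alice_deposit(tpm, v, N):
    """PCR setup plus deposit. N is fresh; in the real protocol it reaches the
    TPM inside an encrypted session, which is why Bob never learns it."""
    tpm.extend(N)                        # u1 = Hash(u0, N)
    u1 = tpm.pcr
    cert = tpm.bind(Hash(u1, "obtain"))  # [[bind K, Hash(u1, obtain)]]_aik
    return u1, cert, ("enc", cert[2], v)  # {v}_K


def bob(tpm, cert, ctext, u1, first, nonce):
    """Bob (possibly adversarial) extends `first`, then tries for the other
    outcome as well, including after a reboot in which he extends `nonce`."""
    other = "refuse" if first == "obtain" else "obtain"
    got = {"v": None, "refusal": False}

    def attempt():
        v = tpm.unbind(cert, ctext)
        got["v"] = got["v"] if v is None else v
        got["refusal"] = got["refusal"] or is_refusal(tpm.quote(ctext), u1, ctext)

    tpm.extend(first)                    # the honest branch
    attempt()
    tpm.extend(other)                    # PCR is now Hash(Hash(u1, first), other)
    attempt()
    tpm.boot()                           # PCR back to 1; u1 reachable only via N
    tpm.extend(nonce)
    tpm.extend(other)
    attempt()
    return got


def prefix_boot_lemma_holds(history):
    """n0 ⪯ n2 implies Prefix(pcr_before(n0), pcr_after(n2)) or Boot(n1)
    for some n0 ⪯ n1 ⪯ n2, checked over the TPM's linear node history."""
    return all(
        Prefix(history[i][1], history[j][2])
        or any(kind == "boot" for kind, _, _ in history[i:j + 1])
        for i in range(len(history)) for j in range(i, len(history)))


def run(first, nonce_leaked=False):
    """Constructed scenario: Alice deposits "secret-v" under nonce "nonce-N";
    Bob re-extends the real N after reboot only if it leaked (sent unencrypted)."""
    tpm = TPM()
    u1, cert, ctext = alice_deposit(tpm, "secret-v", "nonce-N")
    nonce = "nonce-N" if nonce_leaked else "guessed-N"
    return bob(tpm, cert, ctext, u1, first, nonce), prefix_boot_lemma_holds(tpm.history)
```

With the nonce kept secret, `run("obtain")` yields v but no refusal certificate and `run("refuse")` the reverse; with `nonce_leaked=True` Bob reaches both, which is exactly the Extend(N), Boot, Extend(N) execution the setup specification rules out.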
Diagrams and Logic
  [diagram: LHS box containing {v}_K and refuse(u_1, {v}_K); RHS box adding the neutral node n_2 between them]
- Each box shows a structure (model)
- Positive existential formulas summarize structures
- The diagram says: executions containing the LHS contain the RHS
- Homomorphisms preserve positive existential formulas
More informationNon-Conversation-Based Zero Knowledge
Non-Conversation-Based Zero Knowledge JOËL ALWEN Università di Salerno 84084 Fisciano (SA) ITALY jfa237@nyu.edu GIUSEPPE PERSIANO Università di Salerno 84084 Fisciano (SA) ITALY giuper@dia.unisa.it Submission
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationExtending Dolev-Yao with assertions
Extending Dolev-Yao with assertions R. Ramanujam 1, Vaishnavi Sundararajan 2, and S.P. Suresh 2 1 Institute of Mathematical Sciences Chennai, India. jam@imsc.res.in 2 Chennai Mathematical Institute, Chennai,
More informationA derivation system and compositional logic for security protocols
Journal of Computer Security 13 2005) 423 482 423 IOS Press A derivation system and compositional logic for security protocols Anupam Datta a,, Ante Derek a, John C. Mitchell a and Dusko Pavlovic b a Computer
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationOn Everlasting Security in the Hybrid Bounded Storage Model
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor Abstract The bounded storage model (BSM) bounds the storage space of an adversary rather than its running time. It utilizes
More informationTyped MSR: Syntax and Examples
Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ MMM 01 St. Petersburg, Russia May 22 nd, 2001 Outline
More informationCollaborative Planning with Privacy
Collaborative Planning with Privacy Protocol exchange May 7, 2007 Max Kanovich 1, Paul Rowe 2, Andre Scedrov 2 1 Quenn Mary, University of London 2 University of Pennsylvania Context Many examples of collaboration
More informationCryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1
Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption
More informationOn the Automatic Analysis of Recursive Security Protocols with XOR
On the Automatic Analysis of Recursive Security Protocols with XOR Ralf Küsters 1 and Tomasz Truderung 2 1 ETH Zurich ralf.kuesters@inf.ethz.ch 2 University of Kiel, Wrocław University tomasz.truderung@ii.uni.wroc.pl
More informationLecture 15: Privacy Amplification against Active Attackers
Randomness in Cryptography April 25, 2013 Lecture 15: Privacy Amplification against Active Attackers Lecturer: Yevgeniy Dodis Scribe: Travis Mayberry 1 Last Time Previously we showed that we could construct
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationEnforcing honesty of certification authorities: Tagged one-time signature schemes
Enforcing honesty of certification authorities: Tagged one-time signature schemes Information Security Group Royal Holloway, University of London bertram.poettering@rhul.ac.uk Stanford, January 11, 2013
More informationQuantum Wireless Sensor Networks
Quantum Wireless Sensor Networks School of Computing Queen s University Canada ntional Computation Vienna, August 2008 Main Result Quantum cryptography can solve the problem of security in sensor networks.
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationarxiv: v1 [cs.cr] 3 Mar 2016
Principles of Layered Attestation Paul D. Rowe prowe@mitre.org arxiv:1603.01244v1 [cs.cr] 3 Mar 2016 The MITRE Corporation Abstract. Systems designed with measurement and attestation in mind are often
More informationQuantum threat...and quantum solutions
Quantum threat...and quantum solutions How can quantum key distribution be integrated into a quantum-safe security infrastructure Bruno Huttner ID Quantique ICMC 2017 Outline Presentation of ID Quantique
More informationTopics in Cryptography. Lecture 5: Basic Number Theory
Topics in Cryptography Lecture 5: Basic Number Theory Benny Pinkas page 1 1 Classical symmetric ciphers Alice and Bob share a private key k. System is secure as long as k is secret. Major problem: generating
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationModels and analysis of security protocols 1st Semester Security Protocols Lecture 6
Models and analysis of security protocols 1st Semester 2010-2011 Security Protocols Lecture 6 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 18th 2010 1 / 46 Last Time (I) Symmetric
More informationOne Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More informationJoint State Composition Theorems for Public-Key Encryption and Digital Signature Functionalities with Local Computation
Joint State Composition Theorems for Public-Key Encryption and Digital Signature Functionalities with Local Computation Ralf Küsters Max Tuengerthal University of Trier, Germany {kuesters,tuengerthal}@uni-trier.de
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationPrivacy-Preserving Data Imputation
Privacy-Preserving Data Imputation Geetha Jagannathan Stevens Institute of Technology Hoboken, NJ, 07030, USA gjaganna@cs.stevens.edu Rebecca N. Wright Stevens Institute of Technology Hoboken, NJ, 07030,
More informationLogic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation
Quantum logic gates Logic gates Classical NOT gate Quantum NOT gate (X gate) A NOT A α 0 + β 1 X α 1 + β 0 A N O T A 0 1 1 0 Matrix form representation 0 1 X = 1 0 The only non-trivial single bit gate
More informationChapter 7: Signature Schemes. COMP Lih-Yuan Deng
Chapter 7: Signature Schemes COMP 7120-8120 Lih-Yuan Deng lihdeng@memphis.edu Overview Introduction Security requirements for signature schemes ElGamal signature scheme Variants of ElGamal signature scheme
More informationA decidable subclass of unbounded security protocols
A decidable subclass of unbounded security protocols R. Ramanujam and S. P. Suresh The Institute of Mathematical Sciences C.I.T. Campus, Chennai 600 113, India. E-mail: {jam,spsuresh}@imsc.res.in 1 Summary
More informationTopics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers
Topics Pseudo-Random Generators Why do we need random numbers? Truly random and Pseudo-random numbers. Definition of pseudo-random-generator What do we expect from pseudorandomness? Testing for pseudo-randomness.
More informationAll-Or-Nothing Transforms Using Quasigroups
All-Or-Nothing Transforms Using Quasigroups Stelios I Marnas, Lefteris Angelis, and George L Bleris Department of Informatics, Aristotle University 54124 Thessaloniki, Greece Email: {marnas,lef,bleris}@csdauthgr
More information