Models and analysis of security protocols 1st Semester Security Protocols Lecture 6
|
|
- Bryan Blair
- 6 years ago
- Views:
Transcription
1 Models and analysis of security protocols 1st Semester Security Protocols Lecture 6 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 18th / 46
2 Last Time (I) Symmetric encryption and Protocols ECB, CBC, FBC, OFB Attack on ECB Hybrid Encryption OAEP Remarks, questions, comments? 2 / 46
3 Last Time (II) Exercises done CBC Attacks 3 / 46
4 Outline of Today: Logical Attacks 4 / 46
5 Outline of Today: Logical Attacks Diffie-Hellman 4 / 46
6 Outline of Today: Logical Attacks Diffie-Hellman 4 / 46
7 Outline of Today: Logical Attacks Diffie-Hellman Dolev Yao s Intruder 4 / 46
8 Outline of Today: Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions 4 / 46
9 Outline of Today: Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions Conclusion 4 / 46
10 Logical Attacks Outline Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions Conclusion 5 / 46
11 Logical Attacks Attacks Computational Model Cryptanalysis 6 / 46
12 Logical Attacks Attacks Computational Model Cryptanalysis 6 / 46
13 Logical Attacks Attacks Computational Model Cryptanalysis Perfect Encryption hypothesis Symbolic Model Logical Attack Needham-Schroeder Public Key Protocol (1978) Man in the middle attack [Lowe 96] 6 / 46
14 Logical Attacks Simple Example {12h10} KB 7 / 46
15 Logical Attacks Simple Example {12h10} KB {12h10} KB 7 / 46
16 Logical Attacks Simple Example {12h10} KB {12h10} KB Day After {11h45} KB {12h10} KB 7 / 46
17 Logical Attacks Simple Example {12h10} KB {12h10} KB Day After {11h45} KB {12h10} KB This kind of attack is valid for all encryptions 7 / 46
18 Logical Attacks Another Simple Example using RSA {12345} KA 8 / 46
19 Logical Attacks Another Simple Example using RSA {12345} KA {{12345} KA } KB = {{12345} KB } KA 8 / 46
20 Logical Attacks Another Simple Example using RSA {12345} KA {{12345} KA } KB = {{12345} KB } KA {12345} KB 8 / 46
21 Logical Attacks Another Simple Example using RSA {12345} KA {{12345} KA } KB = {{12345} KB } KA {12345} KB {12345} KA 8 / 46
22 Logical Attacks Another Simple Example using RSA {12345} KA {{12345} KA } KB = {{12345} KB } KA {12345} KB {12345} KA {{12345} KA } KI = {{12345} KI } KA 8 / 46
23 Logical Attacks Another Simple Example using RSA {12345} KA {{12345} KA } KB = {{12345} KB } KA {12345} KB {12345} KA {{12345} KA } KI = {{12345} KI } KA {12345} KI 8 / 46
24 Logical Attacks Another Simple Example using RSA {12345} KA {{12345} KA } KB = {{12345} KB } KA {12345} KB {12345} KA {{12345} KA } KI = {{12345} KI } KA Problem of Authentication {12345} KI 8 / 46
25 Logical Attacks Examples of kinds of attack Man-in-the-middle (or parallel sessions) attack: pass messages through to another session A I B. Replay (or freshness) attack: record and later re-introduce a message or part. Reflection attack: send transmitted information back to originator. Oracle attack: take advantage of normal protocol responses as encryption and decryption services. Type flaw (confusion) attack: substitute a different type of message field (e.g. a key vs. a name). 9 / 46
26 Diffie-Hellman Outline Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions Conclusion 10 / 46
27 Diffie-Hellman The Diffie-Hellman protocol g, p are public parameters. g x mod p Diffie chooses x and computes g x mod p. Hellman chooses y and computes g y mod p. Basic Diffie-Hellman key-exchange: initiator I and responder R exchange public half-keys to arrive at mutual session key k = g xy mod p. 11 / 46
28 Diffie-Hellman The Diffie-Hellman protocol g, p are public parameters. g x mod p g y mod p Diffie chooses x and computes g x mod p. Hellman chooses y and computes g y mod p. Basic Diffie-Hellman key-exchange: initiator I and responder R exchange public half-keys to arrive at mutual session key k = g xy mod p. 11 / 46
29 Diffie-Hellman Man-in-the-middle attack Choose g, p Generate x Compute X = g xmod p x Compute k I = Z mod p I (1) X [g,p] (2) Z A Generate z z Compute Z = g mod p z Compute k I = X mod p (1 ) Z [g,p] (2 ) Y z Compute k R = Y mod p R Generate y y Compute Y = g mod p y Compute k R = Z mod p 12 / 46
30 Outline Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions Conclusion 13 / 46
31 Messages Abstraction Names: A, B or Alice, Bob,... Nonces: N A. Fresh data. Keys: K and inverse keys K 1 Asymmetric Encryption: : {M} KA Symmetric Encryption: {M} KAB. Message concatenation: M 1,M 2. Example: { A N B,K AB } KB. 14 / 46
32 Example: Needham-Schroeder Protocol 1978 {N A,A} KB 15 / 46
33 Example: Needham-Schroeder Protocol 1978 {N A,A} KB {N A,N B } KA 15 / 46
34 Example: Needham-Schroeder Protocol 1978 {N A,A} KB {N A,N B } KA {N B } KB 15 / 46
35 Example: Needham-Schroeder Protocol 1978 {N A,A} KB {N A,N B } KA {N B } KB Question Is N B a shared secret between A et B? 15 / 46
36 Example: Needham-Schroeder Protocol 1978 {N A,A} KB {N A,N B } KA {N B } KB Question Is N B a shared secret between A et B? Answer In 1995, G.Lowe find an attack 17 years after its publication! 15 / 46
37 Lowe Attack on the Needham-Schroeder so-called Man in the middle attack Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b } KA A B : {N b } KB 16 / 46
38 Lowe Attack on the Needham-Schroeder so-called Man in the middle attack {A,N a } KI Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b } KA A B : {N b } KB 16 / 46
39 Lowe Attack on the Needham-Schroeder so-called Man in the middle attack {A,N a } KI {A,N a } KB Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b } KA A B : {N b } KB 16 / 46
40 Lowe Attack on the Needham-Schroeder so-called Man in the middle attack {A,N a } KI {A,N a } KB {N a,n b } KA Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b } KA A B : {N b } KB 16 / 46
41 Lowe Attack on the Needham-Schroeder so-called Man in the middle attack {A,N a } KI {N a,n b } KA {A,N a } KB {N a,n b } KA Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b } KA A B : {N b } KB 16 / 46
42 Lowe Attack on the Needham-Schroeder so-called Man in the middle attack {A,N a } KI {N a,n b } KA {A,N a } KB {N a,n b } KA {N b } KI Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b } KA A B : {N b } KB 16 / 46
43 Lowe Attack on the Needham-Schroeder so-called Man in the middle attack {A,N a } KI {N a,n b } KA {A,N a } KB {N a,n b } KA {N b } KI {N b } KB Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b } KA A B : {N b } KB 16 / 46
44 Needham-Schroeder corrected by Lowe 1995 {A,N A } KB 17 / 46
45 Needham-Schroeder corrected by Lowe 1995 {A,N A } KB {N A,N B,B} KA 17 / 46
46 Needham-Schroeder corrected by Lowe 1995 {A,N A } KB {N A,N B,B} KA {N B } KB 17 / 46
47 Needham-Schroeder corrected by Lowe 1995 {A,N A } KB {N A,N B,B} KA {N B } KB Question This time the protocol is secure? 17 / 46
48 Needham-Schroeder corrected by Lowe 1995 {A,N A } KB {N A,N B,B} KA {N B } KB Question This time the protocol is secure? Answer There exists a type flaw attack. 17 / 46
49 Type flaw attacks A message consists of a sequence of sub-messages. Examples: a principal s name, a nonce, a key,... Messages sent as bit strings. No type information Type flaw is when A B : M and B accepts M as valid but parses it differently. I.e., B interprets the bits differently than A. Example: two 16-bit nonces {N A,N B } could be mistaken as a 32-bit shared key. Let s consider several examples from actual protocols. 18 / 46
50 Type Flaw Attack on the Needham-Schroeder-Lowe Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b,b} KA A B : {N b } KB 19 / 46
51 Type Flaw Attack on the Needham-Schroeder-Lowe {A,I } KB Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b,b} KA A B : {N b } KB 19 / 46
52 Type Flaw Attack on the Needham-Schroeder-Lowe {A,I } KB {I,N b,b} KA Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b,b} KA A B : {N b } KB 19 / 46
53 Type Flaw Attack on the Needham-Schroeder-Lowe {I,(N b,b)} KA {A,I } KB {I,N b,b} KA Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b,b} KA A B : {N b } KB 19 / 46
54 Type Flaw Attack on the Needham-Schroeder-Lowe {I,(N b,b)} KA {(N b,b),n a,a} KI {A,I } KB {I,N b,b} KA Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b,b} KA A B : {N b } KB 19 / 46
55 Type Flaw Attack on the Needham-Schroeder-Lowe {I,(N b,b)} KA {(N b,b),n a,a} KI {A,I } KB {I,N b,b} KA {N b } KB Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b,b} KA A B : {N b } KB 19 / 46
56 Type Flaw Attack on the Needham-Schroeder-Lowe {I,(N b,b)} KA {(N b,b),n a,a} KI {N a } KA {A,I } KB {I,N b,b} KA {N b } KB Agent A Intruder I Agent B A B : {A,N a } KB B A : {N a,n b,b} KA A B : {N b } KB 19 / 46
57 Another Type Flaw Attack: Otway-Rees Protocol Otway-Rees 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B S : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 S B : (M,(N A,Kab) Kas,(N B,Kab) Kbs ) 4 B A : (M,(N A,Kab) Kas ) where M is the session-identifier. 20 / 46
58 Another Type Flaw Attack: Otway-Rees Protocol Otway-Rees 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B S : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 S B : (M,(N A,Kab) Kas,(N B,Kab) Kbs ) 4 B A : (M,(N A,Kab) Kas ) where M is the session-identifier. Attack 20 / 46
59 Another Type Flaw Attack: Otway-Rees Protocol Otway-Rees 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B S : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 S B : (M,(N A,Kab) Kas,(N B,Kab) Kbs ) 4 B A : (M,(N A,Kab) Kas ) where M is the session-identifier. Attack 1 A B : (M,A,B,(N A,M,A,B) Kas ) 20 / 46
60 Another Type Flaw Attack: Otway-Rees Protocol Otway-Rees 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B S : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 S B : (M,(N A,Kab) Kas,(N B,Kab) Kbs ) 4 B A : (M,(N A,Kab) Kas ) where M is the session-identifier. Attack 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B I(S) : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 20 / 46
61 Another Type Flaw Attack: Otway-Rees Protocol Otway-Rees 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B S : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 S B : (M,(N A,Kab) Kas,(N B,Kab) Kbs ) 4 B A : (M,(N A,Kab) Kas ) where M is the session-identifier. Attack 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B I(S) : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 I(S) B : (M,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) Kab = (M,A,B) 20 / 46
62 Another Type Flaw Attack: Otway-Rees Protocol Otway-Rees 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B S : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 S B : (M,(N A,Kab) Kas,(N B,Kab) Kbs ) 4 B A : (M,(N A,Kab) Kas ) where M is the session-identifier. Attack 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B I(S) : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 I(S) B : (M,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) Kab = (M,A,B)4 B A : (M,(N A,M,A,B) Kas ) 20 / 46
63 Another Type Flaw Attack: Otway-Rees Protocol Otway-Rees 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B S : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 S B : (M,(N A,Kab) Kas,(N B,Kab) Kbs ) 4 B A : (M,(N A,Kab) Kas ) where M is the session-identifier. Attack 1 A B : (M,A,B,(N A,M,A,B) Kas ) 2 B I(S) : (M,A,B,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) 3 I(S) B : (M,(N A,M,A,B) Kas,(N B,M,A,B) Kbs ) Kab = (M,A,B)4 B A : (M,(N A,M,A,B) Kas ) 20 / 46
64 Another Type Flaw Attack: Woo Lam Protocol Woo Lam 1 A B : (A) 2 B A : (N B ) 3 A B : (A,B,N B ) Kas 4 B S : (A,B,(A,B,N B ) Kas ) Kbs 5 S B : (A,B,N B ) Kbs 21 / 46
65 Another Type Flaw Attack: Woo Lam Protocol Woo Lam 1 A B : (A) 2 B A : (N B ) 3 A B : (A,B,N B ) Kas 4 B S : (A,B,(A,B,N B ) Kas ) Kbs 5 S B : (A,B,N B ) Kbs Attack 1 I(A) B : (A) 21 / 46
66 Another Type Flaw Attack: Woo Lam Protocol Woo Lam 1 A B : (A) 2 B A : (N B ) 3 A B : (A,B,N B ) Kas 4 B S : (A,B,(A,B,N B ) Kas ) Kbs 5 S B : (A,B,N B ) Kbs Attack 1 I(A) B : (A) 2 B I(A) : (N B ) 21 / 46
67 Another Type Flaw Attack: Woo Lam Protocol Woo Lam 1 A B : (A) 2 B A : (N B ) 3 A B : (A,B,N B ) Kas 4 B S : (A,B,(A,B,N B ) Kas ) Kbs 5 S B : (A,B,N B ) Kbs Attack 1 I(A) B : (A) 2 B I(A) : (N B ) 3 I(A) B : (N B ) instead of (A,B,N B ) Kas 21 / 46
68 Another Type Flaw Attack: Woo Lam Protocol Woo Lam 1 A B : (A) 2 B A : (N B ) 3 A B : (A,B,N B ) Kas 4 B S : (A,B,(A,B,N B ) Kas ) Kbs 5 S B : (A,B,N B ) Kbs Attack 1 I(A) B : (A) 2 B I(A) : (N B ) 3 I(A) B : (N B ) instead of (A,B,N B ) Kas 4 B I(S) : (A,B,N B ) Kbs 21 / 46
69 Another Type Flaw Attack: Woo Lam Protocol Woo Lam 1 A B : (A) 2 B A : (N B ) 3 A B : (A,B,N B ) Kas 4 B S : (A,B,(A,B,N B ) Kas ) Kbs 5 S B : (A,B,N B ) Kbs Attack 1 I(A) B : (A) 2 B I(A) : (N B ) 3 I(A) B : (N B ) instead of (A,B,N B ) Kas 4 B I(S) : (A,B,N B ) Kbs 5 I(S) B : (A,B,N B ) Kbs 21 / 46
70 What about Computational Security for Needham Schroeder? A Computational Analysis of the Needham Schroder Lowe Protocol by Bogdan Warinschi in Journal of Computer Security; 13(3), pp: , If encryption scheme is IND-CCA then Needham Schroder Lowe Protocol is indeed a secure mutual authentication protocol. 22 / 46
71 Link between Computational and Symbolic Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption) 2000, by Martin Abadi, Phillip Rogaway in IFIP International Conference on Theoretical Computer Science. Using an hybrid Argument ;-) 23 / 46
72 Questions? How can we find such attacks? Models for Protocols Models for Properties Theories Dedicated Techniques Tools Automatic Semi-automatic 24 / 46
73 Why is it difficult to verify such protocols? Messages: Size not bounded Nonces: Arbitrary number Channel: Insecure Intruder: Unlimited capabilities Instances: Unbounded numbers of principals Interleaving: Unlimited applications of the protocol. 25 / 46
74 FFGG by J.Millen 1 A B : A 2 B A : B,N,M 3 A B : A, {N,M,S} PkB for B view A, {N,X,S} PkB 4 B A : N,X, {X,S,N} PkB 26 / 46
75 FFGG by J.Millen 1 A B : A 2 B A : B,N,M 3 A B : A, {N,M,S} PkB for B view A, {N,X,S} PkB 4 B A : N,X, {X,S,N} PkB Is S secret? 26 / 46
76 FFGG by J.Millen 1 A B : A 2 B A : B,N,M 3 A B : A, {N,M,S} PkB for B view A, {N,X,S} PkB 4 B A : N,X, {X,S,N} PkB Is S secret? Parallel Attack 1.1 A B : A 2.1 A B : A 1.2 B I(A) : B,N 1,M B I(A) : B,N 2,M I(B) A : B,N 1,N 2 a 1.3 A B : A, {N 1,N 2,S} PkB b 1.4 B A : N 1,N 2, {N 2,S,N 1 } PkB c 2.3 I(A) B : A, {N 2,S,N 1 } PkB d 2.4 B A : N 2,S, {S,N 1,N 2 } PkB 26 / 46
77 TMN Protocol: Distribution of a fresh symmetric key [Tatebayashi, Matsuzuki, Newmann 89]: O S I : O,I, {N O } PubS : S,O : I,O, {N I } PubS : S,I,N O N I Osiris retrieves N I : 27 / 46
78 Attack on TMN Protocol [Simmons 94] With homomorphic encryption {a} k {b} k = {a b} k B S C : B, C, {N I } PubS {N B } PubS }{{} {N I N B } PubS : S, B : C, B, {N C } PubS : S, (N I N B ) N C Buto Learns: 28 / 46
79 Dolev Yao s Intruder Outline Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions Conclusion 29 / 46
80 Dolev Yao s Intruder The Intruder is the Network (Worst Case) 30 / 46
81 Dolev Yao s Intruder The Intruder is the Network (Worst Case) Listen Passive: Intruder deduction problem 30 / 46
82 Dolev Yao s Intruder The Intruder is the Network (Worst Case) Listen Intercept message Passive: Intruder deduction problem Active: Security problem (Re)play message Delete message 30 / 46
83 Dolev Yao s Intruder The Intruder is the Network (Worst Case) Listen Intercept message Passive: Intruder deduction problem Active: Security problem (Re)play message Delete message Intruder Capabilities (Dolev-Yao Model 80 s) Encryption, Decryption with a key Pairing, Projection. 30 / 46
84 Dolev Yao s Intruder Dolev-Yao 1982 Intruder controls the network and can: intercept messages modify messages block messages generate new messages insert new messages Perfect cryptography: Abstraction with terms algebra Decryption only if inverse key is known Protocol has Arbitrary number of principals Arbitrary number of parallel sessions Messages with arbitrary size 31 / 46
85 Dolev Yao s Intruder Proof System A sequent is an expression of the form T u. Definition A proof of a sequent T u is a tree whose nodes are labeled by either sequents or expressions of the form v T, such that: Each leaf is labeled by an expression of the form v T, and each non-leaf node is labeled by an sequent. Each node labeled by a sequent T v has n children labeled by T s 1,...,T s n such that there is an instance of an inference rule with conclusion T E v and hypotheses T s 1,...,T s n. The root of the tree is labeled by T u. A subproof of a proof P is a subtree of P. 32 / 46
86 Dolev Yao s Intruder Notions for Proof System Definition Size of a proof P of T u is denoted by P, is the number of nodes in the proof. A proof P of T u is minimal if there does not exist a proof P of T u such that P < P. 33 / 46
87 Dolev Yao s Intruder Dolev-Yao Deduction System Deduction System : T 0? s (A) u T 0 T 0 u (UL) T 0 u,v T 0 u (P) T 0 u T 0 v T 0 u,v (UR) T0 u,v T 0 v (C) T 0 u T 0 v T 0 {u} v (D) T 0 {u} v T 0 v T 0 u 34 / 46
88 Dolev Yao s Intruder Example: T 0? s Example T 0 = {k, {b} c, a, {c} k } and s = b 35 / 46
89 Dolev Yao s Intruder Example: T 0? s Example T 0 = {k, {b} c, a, {c} k } and s = b (D) (A) a, {c} k T 0 T 0 a, {c} k (A) {b} (UR) (A) k T 0 c T 0 T 0 {c} k T 0 k (D) T 0 {b} c T 0 c T 0 b 35 / 46
90 Dolev Yao s Intruder Exercise: T 0? s Is it possible from T 0 to deduce s T 0 = {a,k} and s = a, {a} k T 0 = {a,k} and s = b, {k} a T 0 = {{k} a,b} and s = {b} {k}a, {k} a T 0 = { a, {k} a } and s = { a, {k} a } k 36 / 46
91 Undecidability for unbounded number of sessions Outline Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions Conclusion 37 / 46
92 Undecidability for unbounded number of sessions Main Results In general security problem undecidable [DLMS 99, AC 01] Bounded number of session Decidability [AL 00, RT 01] 38 / 46
93 Undecidability for unbounded number of sessions Undecidability Definition (Post Correspondence Problem (PCP)) Let Σ be a finite alphabet. Input : Sequence of pairs u i,v i 1 i n u i,v i Σ, n N Question : Existence of k,i 1,...,i k N such that u i1...u ik = v i1...v ik? 39 / 46
94 Undecidability for unbounded number of sessions Undecidability Definition (Post Correspondence Problem (PCP)) Let Σ be a finite alphabet. Input : Sequence of pairs u i,v i 1 i n u i,v i Σ, n N Question : Existence of k,i 1,...,i k N such that u i1...u ik = v i1...v ik? Example u 1 u 2 u 3 u 4 v 1 v 2 v 3 v 4 aba bbb aab bb a aaa abab babba Solution: 1431 u 1 u 4 u 3 u 1 = aba bb aab aba = a babba abab a = v 1 v 4 v 3 v 1 But no solution for u 1,v 1, u 2,v 2, u 3,v 3 39 / 46
95 Undecidability for unbounded number of sessions Undecidability Definition (Post Correspondence Problem (PCP)) Let Σ be a finite alphabet. Input : Sequence of pairs u i,v i 1 i n u i,v i Σ, n N Question : Existence of k,i 1,...,i k N such that u i1...u ik = v i1...v ik? Example u 1 u 2 u 3 u 4 v 1 v 2 v 3 v 4 aba bbb aab bb a aaa abab babba Solution: 1431 u 1 u 4 u 3 u 1 = aba bb aab aba = a babba abab a = v 1 v 4 v 3 v 1 But no solution for u 1,v 1, u 2,v 2, u 3,v 3 PCP is undecidable 39 / 46
96 Undecidability for unbounded number of sessions Undecidability for Protocols We construct a protocol such that decidability of secret implies decidability of PCP. A : send({ u i,v i } Kab ) (1 i n) B : receive({ x,y } Kab ) send( { x u i,y v i } Kab, {s} { x ui,x u i } Kab ) (1 i n) We assume that K AB is a shared key between A and B. Intruder can find s iff he can solve PCP. 40 / 46
97 Conclusion Outline Logical Attacks Diffie-Hellman Dolev Yao s Intruder Undecidability for unbounded number of sessions Conclusion 41 / 46
98 Conclusion Summary Today Diffie Hellman Dolev Yao Intruder Undecidability Result 42 / 46
99 Conclusion Next Time Passive Intruder Locality 43 / 46
100 Conclusion Thank you for your attention. Questions? 44 / 46
101 Conclusion Some References A Necessarily Parallel Attack (1999), Jonathan K. Millen In Workshop on Formal Methods and Security Protocols Makoto Tatebayashi, Natsume Matsuzaki, David B. Newman, Jr., Key Distribution Protocol for Digital Mobile Communication Systems, Proceedings of the 9th Annual International Cryptology Conference on Advances in Cryptology, p , August 20-24, 1989 Needham, Roger; Schroeder, Michael (December 1978). Using encryption for authentication in large networks of computers.. Communications of the ACM 21 (12): Lowe, Gavin (November 1995). An attack on the Needham-Schroeder public key authentication protocol.. Information Processing Letters 56 (3): / 46
102 Conclusion Some References Using CSP to Detect Errors in the TMN Protocol, Gavin Lowe and Bill Roscoe 1997 Undecidability of bounded security protocols. N. Durgin, P. Lincoln, J. Mitchell, and A. Scedrov. In Proc. Workshop on formal methods in security protocols, Trento, Italy, / 46
Verification of Security Protocols in presence of Equational Theories with Homomorphism
Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D,
More informationTime-Bounding Needham-Schroeder Public Key Exchange Protocol
Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek
More informationAn Undecidability Result for AGh
An Undecidability Result for AGh Stéphanie Delaune France Télécom R&D, Lab. Spécification & Vérification, CNRS & ENS de Cachan, France. Abstract We present an undecidability result for the verification
More informationAn undecidability result for AGh
Theoretical Computer Science 368 (2006) 161 167 Note An undecidability result for AGh Stéphanie Delaune www.elsevier.com/locate/tcs France Télécom R&D, Lab. Spécification & Vérification, CNRS & ENS de
More informationA Logic of Authentication
A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationControl Flow Analysis of Security Protocols (I)
Control Flow Analysis of Security Protocols (I) Mikael Buchholtz 02913 F2005 Mikael Buchholtz p. 1 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography 02913 F2005
More informationTerm Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool
Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Informáticos y Computación Universitat Politècnica de València sescobar@dsic.upv.es
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More informationEncoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania
Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationStrand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001
Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction
More informationProving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationAutomata-based analysis of recursive cryptographic protocols
1 Automata-based analysis of recursive cryptographic protocols Thomas Wilke Joint work with Ralf Küsters Christian-Albrechts-Universität zu Kiel June 13, 2004 Un-/Decidability of security in the DY model
More informationBAN Logic A Logic of Authentication
BAN Logic A Logic of Authentication Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 BAN Logic The BAN logic was named after its inventors, Mike Burrows, Martín Abadí,
More informationOn the Automatic Analysis of Recursive Security Protocols with XOR
On the Automatic Analysis of Recursive Security Protocols with XOR Ralf Küsters 1 and Tomasz Truderung 2 1 ETH Zurich ralf.kuesters@inf.ethz.ch 2 University of Kiel, Wrocław University tomasz.truderung@ii.uni.wroc.pl
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationTyped MSR: Syntax and Examples
Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ MMM 01 St. Petersburg, Russia May 22 nd, 2001 Outline
More informationProbabilistic Model Checking of Security Protocols without Perfect Cryptography Assumption
Our Model Checking of Security Protocols without Perfect Cryptography Assumption Czestochowa University of Technology Cardinal Stefan Wyszynski University CN2016 Our 1 2 3 Our 4 5 6 7 Importance of Security
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationProving Properties of Security Protocols by Induction
Proving Security Protocols 1 L. C. Paulson Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory University of Cambridge Proving Security Protocols 2 L. C. Paulson
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationProbabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Lincoln, P. Mateus, M. Mitchell Standard analysis methods Finite-state
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationSymbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation
Symbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation Jonathan Millen and Vitaly Shmatikov Computer Science Laboratory SRI International millenshmat @cslsricom Abstract We demonstrate
More informationA decidable subclass of unbounded security protocols
A decidable subclass of unbounded security protocols R. Ramanujam and S. P. Suresh The Institute of Mathematical Sciences C.I.T. Campus, Chennai 600 113, India. E-mail: {jam,spsuresh}@imsc.res.in 1 Summary
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationAPPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.
APPLITIONS OF AN-LOGIC JAN WESSELS CMG FINANCE.V. APRIL 19, 2001 Chapter 1 Introduction This document is meant to give an overview of the AN-logic. The AN-logic is one of the methods for the analysis of
More informationProtocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete
Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete Michaël Rusinowitch and Mathieu Turuani LORIA-INRIA- Université Henri Poincaré, 54506 Vandoeuvre-les-Nancy cedex, France
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationOWO Lecture: Modular Arithmetic with Algorithmic Applications
OWO Lecture: Modular Arithmetic with Algorithmic Applications Martin Otto Winter Term 2008/09 Contents 1 Basic ingredients 1 2 Modular arithmetic 2 2.1 Going in circles.......................... 2 2.2
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationModels for an Adversary-Centric Protocol Logic
Workshop on Logical Aspects of Cryptographics 2001 Preliminary Version Models for an Adversary-Centric Protocol Logic Peter Selinger Department of Mathematics and Statistics University of Ottawa Ottawa,
More informationDecidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation
Decidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation Vitaly Shmatikov SRI International shmat@csl.sri.com Abstract. We demonstrate that the symbolic trace reachability
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationAbstract Specification of Crypto- Protocols and their Attack Models in MSR
Abstract Specification of Crypto- Protocols and their Attack Models in MSR Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ Software
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationAutomated Validation of Internet Security Protocols. Luca Viganò
Automated Validation of Internet Security Protocols Luca Viganò The AVISPA Project Luca Viganò 1 Motivation The number and scale of new security protocols under development is out-pacing the human ability
More informationIntroduction to Cryptography. Susan Hohenberger
Introduction to Cryptography Susan Hohenberger 1 Cryptography -- from art to science -- more than just encryption -- essential today for non-military applications 2 Symmetric Crypto Shared secret K =>
More informationIntruder Deduction for AC-like Equational Theories with Homomorphisms
Intruder Deduction for AC-like Equational Theories with Homomorphisms Pascal Lafourcade, Denis Lugiez, Ralf Treinen To cite this version: Pascal Lafourcade, Denis Lugiez, Ralf Treinen. Intruder Deduction
More informationAn Efficient Cryptographic Protocol Verifier Based on Prolog Rules
An Efficient Cryptographic Protocol Verifier Based on Prolog Rules Bruno Blanchet INRIA Rocquencourt Domaine de Voluceau B.P. 105 78153 Le Chesnay Cedex, France Bruno.Blanchet@inria.fr Abstract We present
More informationGreat Theoretical Ideas in Computer Science
15-251 Great Theoretical Ideas in Computer Science Lecture 22: Cryptography November 12th, 2015 What is cryptography about? Adversary Eavesdropper I will cut your throat I will cut your throat What is
More informationCryptography and Security Final Exam
Cryptography and Security Final Exam Serge Vaudenay 17.1.2017 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not
More informationA Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures
A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures Véronique Cortier LORIA, Nancy, France CNRS & INRIA Project Cassis cortier@loria.fr Michael Rusinowitch
More informationIntruder Deduction for AC-like Equational Theories with Homomorphisms
Intruder Deduction for AC-like Equational Theories with Homomorphisms Pascal Lafourcade 1,2, Denis Lugiez 2, and Ralf Treinen 1 1 LSV, ENS de Cachan & CNRS UMR 8643 & INRIA Futurs project SECSI, 94235
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationTECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018
Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018 Name : TU/e student number : Exercise 1 2 3 4 5 total points Notes: Please hand in all sheets at the end of the exam.
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2010-2011 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 11th 2010 1 / 61 Last Time (I) Security
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes Lecture 8 Tel-Aviv University
More informationComplexity of Checking Freshness of Cryptographic Protocols
Complexity of Checking Freshness of Cryptographic Protocols Zhiyao Liang Rakesh M Verma Computer Science Department, University of Houston, Houston TX 77204-3010, USA Email: zliang@cs.uh.edu, rmverma@cs.uh.edu
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationAnalysing Layered Security Protocols
Analysing Layered Security Protocols Thomas Gibson-Robinson St Catherine s College University of Oxford A thesis submitted for the degree of Doctor of Philosophy Trinity 2013 Abstract Many security protocols
More informationThe Sizes of Skeletons: Security Goals are Decidable
The Sizes of Skeletons: Security Goals are Decidable Joshua D. Guttman and F. Javier Thayer The MITRE Corporation guttman, jt@mitre.org Abstract. We show how to collapse executions of a cryptographic protocol,
More informationAnalysis of authentication protocols Intership report
Analysis of authentication protocols Intership report Stéphane Glondu ENS de Cachan September 3, 2006 1 Introduction Many computers are interconnected through networks, the biggest of them being Internet.
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationCSE 105 Homework 1 Due: Monday October 9, Instructions. should be on each page of the submission.
CSE 5 Homework Due: Monday October 9, 7 Instructions Upload a single file to Gradescope for each group. should be on each page of the submission. All group members names and PIDs Your assignments in this
More informationAutomatic Verification of Complex Security Protocols With an Unbounded Number of Sessions
Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions Kaile Su, Weiya Yue and Qingliang Chen Department of Computer Science, Sun Yat-sen University Guangzhou, P.R. China
More informationA Theory of Dictionary Attacks and its Complexity
A Theory of Dictionary Attacks and its Complexity Stéphanie Delaune, Florent Jacquemard To cite this version: Stéphanie Delaune, Florent Jacquemard. A Theory of Dictionary Attacks and its Complexity. 17th
More informationAlgebraic Intruder Deductions
Algebraic Intruder Deductions David Basin, Sebastian Mödersheim, and Luca Viganò Information Security Group, Dep. of Computer Science, ETH Zurich, Switzerland www.infsec.ethz.ch/~{basin,moedersheim,vigano}
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationElliptic Curve Cryptography
AIMS-VOLKSWAGEN STIFTUNG WORKSHOP ON INTRODUCTION TO COMPUTER ALGEBRA AND APPLICATIONS Douala, Cameroon, October 12, 2017 Elliptic Curve Cryptography presented by : BANSIMBA Gilda Rech BANSIMBA Gilda Rech
More informationDeciding the Security of Protocols with Commuting Public Key Encryption
Electronic Notes in Theoretical Computer Science 125 (2005) 55 66 www.elsevier.com/locate/entcs Deciding the Security of Protocols with Commuting Public Key Encryption Yannick Chevalier a,1 Ralf Küsters
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationNotes 10: Public-key cryptography
MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationLecture 5: Pseudorandom functions from pseudorandom generators
Lecture 5: Pseudorandom functions from pseudorandom generators Boaz Barak We have seen that PRF s (pseudorandom functions) are extremely useful, and we ll see some more applications of them later on. But
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationIntroduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions
Introduction to Modern Cryptography Lecture 7 1. RSA Public Key CryptoSystem 2. One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bob s secret key K to two parts:
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationElliptic Curves. Giulia Mauri. Politecnico di Milano website:
Elliptic Curves Giulia Mauri Politecnico di Milano email: giulia.mauri@polimi.it website: http://home.deib.polimi.it/gmauri May 13, 2015 Giulia Mauri (DEIB) Exercises May 13, 2015 1 / 34 Overview 1 Elliptic
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationA Logic of Authentication. Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989
A Logic of Authentication Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989 Logic Constructs P believes X : P may act as though X is true. P sees X : a message containing X was sent to P; P can read and
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More information