A Cryptographic Decentralized Label Model
|
|
- Melina Chase
- 6 years ago
- Views:
Transcription
1 A Cryptographic Decentralized Label Model Jeffrey A. Vaughan and Steve Zdancewic Department of Computer and Information Science University of Pennsylvania IEEE Security and Privacy May 22, 2007
2 Information flow protects secrets from disclosure. Legit Users with Secrets Info. Flow Program and Runtime Network Disk Attackers 1/21
3 Information flow protects secrets from disclosure. Legit Users with Secrets Info. Flow Jif Program and [Myers et. al.] Runtime Network Disk Attackers 1/21
4 Information flow protects secrets from disclosure. Legit Users with Secrets Jif Applications Info. Flow Jif Program and [Myers et. JPmail al.] Runtime Jif Servlet Framework Network Battleship Attackers Game Disk Distributed Poker 1/21
5 Information flow protects secrets from disclosure. Legit Users with Secrets Info. Flow System Jif Program and [Myers et. al.] Trusted runtimeruntime Programming Language Network Attackers "Closed world" Disk 1/21
6 Information flow protects secrets from disclosure. Decentralized Labels Legit Users High with Secrets Alice: no readers Alice: Bob reads Network Info. Flow Jif Program and [Myers et. al.] Runtime Low Disk Attackers 1/21
7 Information flow protects secrets from disclosure. Legit Users Annotated Memory with Secrets x low 3 y Info. Flow high 4 Jif Program and [Myers et. al.] Runtime Network Disk Attackers 1/21
8 Noninterference: high inputs don t affect low outputs Secret High Low Public [Denning & Denning CACM 77] [Pottier & Simonet TOPLAS 03] [Volpano, Smith, & Irvine JCS 96] [... ] 2/21
9 Noninterference: high inputs don t affect low outputs Secret High Low Public [Denning & Denning CACM 77] [Pottier & Simonet TOPLAS 03] [Volpano, Smith, & Irvine JCS 96] [... ] 2/21
10 Some programs need to violate noninterference. Secret High Declassify Low Public Satisfies (decentralized) robust declassification instead of noninterference [Myers & Chong CSFW 06]. 3/21
11 Encryption can restore noninterference. Secret High Encrypt GenKey Low Public [Chothia, Duggan, & Vitek CSFW 02] [Sumii & Pierce POPL 04] [Laud & Vene ACSAC 05] [Askarov, Hedin, & Sabelfeld ISAS 06] 4/21
12 Our idea: make the cryptography transparent. Secret High Pack Low Public 5/21
13 Our idea: make the cryptography transparent. Secret High Encrypt Error Runtime Low Public 5/21
14 Our solution: label directed implicit packing. The Cryptographic Decentralized Label Model unifies a high-level, information-flow language, declarative labels that describe security policies, and cryptographic packages that implement policies. Key notation data + policies package v + l v l 6/21
15 SImp language can pack and unpack labeled data. Definition (SImp Syntax) types τ ::= int... pkg values v ::= v l package expressions e ::=... pack e at l package intro unpack e as τ{l} package elim Packages may be constructed and analyzed according to l. 7/21
16 SImp can implement a simple messaging system. Example text: string{high} out: pkg{low} dest: string{low} in: pkg{low} text := readline() match (pack text at {high}) with ok(p) => out := p; send(out) error => skip. in := receive() match (unpack in as text{high}) ok(t) => text := t; printline(text) error => skip 8/21
17 Pack succeeds iff runtime has sufficient authority. The SImp runtime contains a memory, M, and an authority, p. Evaluation Model precondition runtime state from to Definition (Pack Evaulation) p writes l p; M pack v at l ok( v l ) E-PACK-OK (p writes l) p; M pack v at l error E-PACK-FAIL Without enough keys, it is infeasible for the runtime to perform these operations. 9/21
18 Unpacking also performs dynamic checks. Definition Fragment (Unpack Evaluation) p reads l l 0 l v 0 : τ p; M unpack v 0 l0 as τ{l} ok(v 0 ) Checks ensure cryptographic feasibility information flow type safety (values have correct shapes) 10/21
19 Unpacking also performs dynamic checks. Definition Fragment (Unpack Evaluation) p reads l l 0 l v 0 : τ p; M unpack v 0 l0 as τ{l} ok(v 0 ) Checks ensure cryptographic feasibility information flow type safety (values have correct shapes) 10/21
20 Unpacking also performs dynamic checks. Definition Fragment (Unpack Evaluation) p reads l l 0 l v 0 : τ p; M unpack v 0 l0 as τ{l} ok(v 0 ) Checks ensure cryptographic feasibility information flow type safety (values have correct shapes) 10/21
21 Unpacking also performs dynamic checks. Definition Fragment (Unpack Evaluation) p reads l l 0 l v 0 : τ p; M unpack v 0 l0 as τ{l} ok(v 0 ) Checks ensure cryptographic feasibility information flow type safety (values have correct shapes) 10/21
22 Unpacking also performs dynamic checks. Definition Fragment (Unpack Evaluation) p reads l l 0 l v 0 : τ p; M unpack v 0 l0 as τ{l} ok(v 0 ) Checks ensure cryptographic feasibility information flow type safety (values have correct shapes) 10/21
23 Is failure to pack a covert channel? Example h: bool{high}, l: bool{low}, v: pkg{?} if h then v := pack 0 at low else v := pack 0 at high. match (unpack v as bool{low}) with ok(_) => l := true error => l := false 11/21
24 Is failure to pack a covert channel? Example h: bool{high}, l: bool{low}, v: pkg{?} } if h then Rule: High guard requires variables v := pack 0 at low assigned in branches are high. else v := pack 0 at high. match (unpack v as bool{low}) with ok(_) => l := true error => l := false Constraints: v is high 11/21
25 Is failure to pack a covert channel? Example h: bool{high}, l: bool{low}, v: pkg{?} if h then v := pack 0 at low else v := pack 0 at high Rule: Unpack does not declassify secret data.. match (unpack v as bool{low}) with ok(_) => l := true error => l := false Constraints: v is high; v is low 11/21
26 Is failure to pack a covert channel? Example h: bool{high}, l: bool{low}, v: pkg{?} if h then v := pack 0 at low else v := pack 0 at high. match (unpack v as bool{low}) with ok(_) => l := true error => l := false Constraints: v is high; v is low; high = low 11/21
27 Is failure to pack a covert channel? Example h: bool{high}, l: bool{low}, v: pkg{?} if h then v := pack 0 at low else v := pack 0 at high. match (unpack v as bool{low}) with ok(_) => l := true error => l := false reject statically 11/21
28 Pack provides a limited declassify, unpack an endorse. Definition Fragment (Pack Security Typing, 1 st attempt) If e has label l e then pack e at l e has label l. Definition Fragment (Unpack Security Typing, 1 st attempt) If e has label l e, and labels l and l e are equal, then unpack e as τ{l} has label l. 12/21
29 Pack provides a limited declassify, unpack an endorse. Definition Fragment (Pack Security Typing) If e has label l e, and labels l and l e have equal integrity components, then pack e at l e has label l. Definition Fragment (Unpack Security Typing) If e has label l e, and labels l and l e have equal confidentiality components, then unpack e as τ{l} has label l. 12/21
30 Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip 13/21
31 Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip State: h = true 13/21
32 Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip State: h = true; v = true high 13/21
33 Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip Check: high low 13/21
34 Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip unpacking fails 13/21
35 Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip State: h = true; v = true high 13/21
36 Can we cast away security labels? Example h: bool{high}, l: bool{low}, v: pkg{low} v := pack h at {high}. match (unpack v as bool{low}) with ok(true) => l := true ok(false) => l := false error => skip Conclusion: not a leak 13/21
37 Evaluation respects noninterference. Property (M 1 =l M 2 ) Example Memories M 1 and M 2 are equivalent to an observer with power l, if the observer cannot distinguish the memories. M 1 M 2 x low 2 x low 2 y low 3 high y low 4 high z high 3 z high 4 M 1 =low M 2 M 1 =high M 2 Property (Noninterference) evaluation M 1 =l M 2 M 2 = l M 1 evaluation 14/21
38 SImp is parameterized by a security lattice. Definition Fragment (Security lattice) A lattice whose elements are composed of orthogonal confidentiality and integrity components is a security lattice. Example high = {private!tainted} {private!trusted} {public!tainted} low = {public!trusted} 15/21
39 Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21
40 Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21
41 Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21
42 Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21
43 Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21
44 Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21
45 Decentralized labels specify security policies. l = {Alice: Bob! Charlie; Bob: Alice! Charlie, Dave} A label is a list of policies. A policy consists of an owner (who may distrust other owners), a reader set, and a writer set. Property (p reads l) Principal set p reads l when each owner in l permits some member of p to read. Example reads writes Alice x Dave x x {Alice, Dave} x Labeling is a variant of Myers and Liskov s DLM [TOSEM 00]. 16/21
46 Labels and packages need meaning outside of SImp. Cryptographic assumptions Each principal is mapped to a well-known public key. Cryptographic functions follow the Dolev-Yao model. Goals of interpretation Package confidentiality protects data from eavesdroppers. Package integrity protects the program from data. Packages can created and consumed offline. 17/21
47 Packages compile to cryptographic messages. Example (Compile 42 {Alice: Bob! } ) 1. Generate fresh key pairs (R +, R ) and (W +, W ). 2. Let payload = sign(w, { 42 } R +) 3. Let seal = sign(alice, ["{Alice: Bob!}", R +, W +, { R } K +, { R } Alice K +, { W } Bob K + ]) Alice 4. Return package = (seal, payload) R is a read capability. W is a write capability. 18/21
48 Package compilation is adequate. Property (m 1 =l m 2 ) Say m 1 =l m 2 when messages m 1 and m 2 reveal only equivalent information to Dolev-Yao observers weaker than l. Corollary Lemma (Adequacy for Values) If v 1 =l v 2 then compile(v 1 ) = l compile(v 2 ). M 1 =l M 2 compile compile σ 1 =l σ 2 19/21
49 Read the paper for more results. Today we discussed noninterference and adequacy. In the paper we consider feasibility. evaluation M 1 =l M 2 M 2 = l M 1 evaluation compile compile σ 1 =l σ 2 20/21
50 Read the paper for more results. Today we discussed noninterference and adequacy. In the paper we consider feasibility. evaluation M 1 =l M 2 M 2 = l M 1 evaluation compile compile σ 1 =l σ 2 20/21
51 Read the paper for more results. Today we discussed noninterference and adequacy. In the paper we consider feasibility. evaluation M 1 =l M 2 M 2 = l M 1 evaluation compile compile σ 1 =l σ 2 20/21
52 Read the paper for more results. Today we discussed noninterference and adequacy. In the paper we consider feasibility. compile compile evaluation M 1 =l M 2 evaluation M 2 = l M 1 compile crypto. ops σ 1 =l σ 2 σ 2 = l σ 1 compile crypto. ops 20/21
53 Read the paper for more results. Today we discussed noninterference and adequacy. In the paper we consider feasibility. compile compile evaluation M 1 =l M 2 evaluation M 2 = l M 1 compile crypto. ops σ 1 =l σ 2 σ 2 = l σ 1 compile crypto. ops 20/21
54 Take home messages SImp explores a new space in information flow languages with declarative policies implemented by a cryptographic mechanism, a strong noninterference property, and a rich, structural label language. 21/21
55 Appendix Typing Rules Future Work Package Uniqueness DLM Comparison Expression Noninterference Statement Command Noninterference Statement Adequacy Statements Feasibility Statement Cryptographic Operations
56 Pack provides a limited declassify, unpack an endorse. Definition Fragment Θ; Γ e : τ{l e } I(l e ) = I(l) Θ; Γ pack e at l e : (pkg + error){l} Θ; Γ e : pkg{l e } C(l e ) = C(l) Θ; Γ unpack e as τ{l} : (τ + error){l} These rules are safe because of the dynamic checks. toc A
57 This is just the beginning. Further research questions: Can homomorphic encryption be used for computation within packages? How can we compile alternative label models? share semantics uniqueness labels How does package upgrading and downgrading interact with cryptography? toc B
58 A explicit non-goal: package uniqueness. Replay attacks (vs. legitimate uses of persistence) are best detected at higher levels of abstraction. Uniqueness checks appear to require interactive protocols. Resolving these challenges would be interesting future work. toc C
59 Our DLM is a variant of Myers and Liskov s original. Example Here: l = {Alice: Charlie! ; Bob: Dave! } {Charlie, Dave} reads l Myers and Liskov: {Dave, Charlie} reads l toc We don t consider an explicit acts-for-hierarchy. It should work technically but is orthogonal. Intuitively, principal sets act for component principals. Key difference: Myers and Liskov: Calculate readers, then close under acts-for. Here: Close under acts-for, then calculate readers. D
60 Formal statement of expression noninterference. Theorem (Expression noninterference) If Θ M 1 OK, Θ M 2 OK and Θ M 1 =l M 2 Θ; e 1 : τ{l e } and e 1 =l e 2 where l e l p; M 1 e 1 v 1 and p; M 2 e 2 v 2 then v 1 =l v 2. toc E
61 Command evaluation respects noninterference. Theorem (Command Noninterference) If Θ M 1 OK, Θ M 2 OK and Θ M 1 =l M 2 pc; Θ; c 1 and c 1 =l c 2 p M 1, c 1 M 1, skip and p M 2, c 2 M 2, skip then Θ M 1 = l M 2. toc F
62 Adequacy theorems: compilation is secret preserving. Lemma (Adequacy of Value Translation) If v 1 =l v 2 and κ is fresh then V[[v 1 ]] κ =l V[[v 2 ]] κ. Corollary (Adequacy of Memory Translation) If Θ M 1 =l M 2 and κ is fresh then M[[M 1 ]] κ Θ = l M[[M 2 ]] Θ κ. toc G
63 Realizable operations simulate SImp evaluation. Theorem (Feasibility) If Θ M OK pc; Θ; Γ c p reads pc and p writes pc, p M, c M, c then κ 3, κ 4. M[[M]] Θ κ 1 state(κ 2, p, c) M[[M ]] Θ κ 3 state(κ 4, p, c). toc H
64 Only some operations are cryptographically realizable. Definition σ σ, knows (K + κ, K κ ) CS-FRESH κ fresh CS-DERIVE σ d m σ σ, knows m CS-FORGET σ σ σ σ CS-COMPUTE σ d "i 1 " σ d "i 2 " σ σ, "i 3 " where i 3 = i 1 + i 2 toc I
Dynamic Noninterference Analysis Using Context Sensitive Static Analyses. Gurvan Le Guernic July 14, 2007
Dynamic Noninterference Analysis Using Context Sensitive Static Analyses Gurvan Le Guernic July 14, 2007 1 Abstract This report proposes a dynamic noninterference analysis for sequential programs. This
More informationTowards information flow control. Chaire Informatique et sciences numériques Collège de France, cours du 30 mars 2011
Towards information flow control Chaire Informatique et sciences numériques Collège de France, cours du 30 mars 2011 Mandatory access controls and security levels DAC vs. MAC Discretionary access control
More informationInformation Security Theory vs. Reality
Information Security Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 7: Information flow control Eran Tromer 1 Slides credit: Max Krohn, MIT Ian Goldberg and Urs Hengartner, University of Waterloo
More informationFast Probabilistic Simulation, Nontermination, and Secure Information Flow
Fast Probabilistic Simulation, Nontermination, and Secure Information Flow Geoffrey Smith Rafael Alpízar Florida International University {smithg,ralpi00}@cis.fiu.edu Abstract In secure information flow
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University
More informationRapporto di Ricerca CS
UNIVERSITÀ CA FOSCARI DI VENEZIA Dipartimento di Informatica Technical Report Series in Computer Science Rapporto di Ricerca CS-2009-6 Giugno 2009 M. Centenaro, R. Focardi, F.L. Luccio, G. Steel Type-based
More informationOne Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano
More informationLanguage-based Information Security. CS252r Spring 2012
Language-based Information Security CS252r Spring 2012 This course Survey of key concepts and hot topics in language-based information security The use of programming language abstractions and techniques
More informationDERIVING AND PROVING ABSTRACT NON-INTERFERENCE
DERIVING AND PROVING ABSTRACT NON-INTERFERENCE Roberto Giacobazzi and Isabella Mastroeni Dipartimento di Informatica Università di Verona Italy Paris, February 20th, 2004 Deriving and Proving Abstract
More informationCollaborative Planning with Privacy
Collaborative Planning with Privacy Protocol exchange May 7, 2007 Max Kanovich 1, Paul Rowe 2, Andre Scedrov 2 1 Quenn Mary, University of London 2 University of Pennsylvania Context Many examples of collaboration
More informationInformation Flow Inference for ML
POPL 02 INRIA Rocquencourt Projet Cristal Francois.Pottier@inria.fr http://cristal.inria.fr/~fpottier/ Vincent.Simonet@inria.fr http://cristal.inria.fr/~simonet/ Information flow analysis account number
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationProgram Analysis Probably Counts
Probably Counts 1 c.hankin@imperial.ac.uk joint work with Alessandra Di Pierro 2 and Herbert Wiklicky 1 1 Department of Computing, 2 Dipartimento di Informatica, Università di Verona Computer Journal Lecture,
More informationInformation Flow Inference for ML
Information Flow Inference for ML Vincent Simonet INRIA Rocquencourt Projet Cristal MIMOSA September 27, 2001 Information flow account number bank applet order vendor account H order L bank H vendor L
More informationMSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano ISSS 2003,
More informationAbstract Specification of Crypto- Protocols and their Attack Models in MSR
Abstract Specification of Crypto- Protocols and their Attack Models in MSR Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ Software
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationTyping Noninterference for Reactive Programs
Typing Noninterference for Reactive Programs Ana Almeida Matos, Gérard Boudol and Ilaria Castellani June 7, 2004 Abstract We propose a type system to enforce the security property of noninterference in
More informationEAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties
EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties Bernd Finkbeiner, Christopher Hahn, and Marvin Stenger Saarland Informatics Campus, Saarland University, Saarbrücken, Germany
More informationInteger Clocks and Local Time Scales
Integer Clocks and Local Time Scales Part I Part II Adrien Guatto ENS - PARKAS SYNCHRON 2014 Adrien Guatto (ENS - PARKAS) Integer Clocks and Local Time Scales SYNCHRON 2014 1 / 31 Part I Adrien Guatto
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationCS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing
Lecture 11: Key Management, Secret Sharing Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Key Management Secret Sharing Shamir s Threshold
More informationA Logic for Information Flow Analysis with an Application to Forward Slicing of Simple Imperative Programs
A Logic for Information Flow Analysis with an Application to Forward Slicing of Simple Imperative Programs Torben Amtoft and Anindya Banerjee a,1,2 a Department of Computing and Information Sciences Kansas
More informationMASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY
DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY MASTER S THESIS MICHAEL GARDE FROM FORMAL TO COMPUTATIONAL AUTHENTICITY AN APPROACH FOR RECONCILING FORMAL AND COMPUTATIONAL
More informationCryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1
Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption
More informationOn the computational soundness of cryptographically masked flows
On the computational soundness of cryptographically masked flows Peeter Laud peeter.laud@ut.ee http://www.ut.ee/ peeter l Tartu University & Cybernetica AS & Institute of Cybernetics Mobius annual meeting,
More informationCPSA and Formal Security Goals
CPSA and Formal Security Goals John D. Ramsdell The MITRE Corporation CPSA Version 2.5.1 July 8, 2015 Contents 1 Introduction 3 2 Syntax 6 3 Semantics 8 4 Examples 10 4.1 Needham-Schroeder Responder.................
More informationDynamic Dependency Monitoring to Secure Information Flow
Dynamic Dependency Monitoring to Secure Information Flow Paritosh Shroff Scott F. Smith Mark Thober Department of Computer Science Johns Hopkins University {pari,scott,mthober}@cs.jhu.edu Abstract Although
More informationSimply Typed Lambda Calculus
Simply Typed Lambda Calculus Language (ver1) Lambda calculus with boolean values t ::= x variable x : T.t abstraction tt application true false boolean values if ttt conditional expression Values v ::=
More informationA bisimulation for dynamic sealing
Theoretical Computer Science 375 (2007) 169 192 www.elsevier.com/locate/tcs A bisimulation for dynamic sealing Eijiro Sumii a,, enjamin C. Pierce b a Graduate School of Information Sciences, Tohoku University,
More informationSecurity: Foundations, Security Policies, Capabilities
Department of Computer Science, Institute of Systems Architecture, Operating Systems Group Distributed Operating Systems Lecture 2014 Marcus Völp / Hermann Härtig Can you trust your system? to protect
More informationUsing Architecture to Reason about Information Security
Using Architecture to Reason about Information Security Ron van der Meyden (University of New South Wales Sydney, Australia) Joint work with Stephen Chong (Harvard) December 3, 2012 Overview Motivation:
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationA process algebraic analysis of privacy-type properties in cryptographic protocols
A process algebraic analysis of privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Saturday, September 6th, 2014 S. Delaune (LSV) Verification of cryptographic
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationENEE 457: Computer Systems Security 09/19/16. Lecture 6 Message Authentication Codes and Hash Functions
ENEE 457: Computer Systems Security 09/19/16 Lecture 6 Message Authentication Codes and Hash Functions Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationKeyword Search and Oblivious Pseudo-Random Functions
Keyword Search and Oblivious Pseudo-Random Functions Mike Freedman NYU Yuval Ishai, Benny Pinkas, Omer Reingold 1 Background: Oblivious Transfer Oblivious Transfer (OT) [R], 1-out-of-N [EGL]: Input: Server:
More informationPseudonym and Anonymous Credential Systems. Kyle Soska 4/13/2016
Pseudonym and Anonymous Credential Systems Kyle Soska 4/13/2016 Moving Past Encryption Encryption Does: Hide the contents of messages that are being communicated Provide tools for authenticating messages
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples
More informationAnalysing privacy-type properties in cryptographic protocols
Analysing privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, January 14th, 2015 S. Delaune (LSV) Verification of cryptographic protocols 14th
More informationNon-interference. Christoph Sprenger and Sebastian Mödersheim. FMSEC Module 11, v.2 November 30, Department of Computer Science ETH Zurich
Non-interference Christoph Sprenger and Sebastian Mödersheim Department of Computer Science ETH Zurich FMSEC Module 11, v.2 November 30, 2009 Outline 1 Basic Non-interference Unwinding Access Control Interpretations
More informationSecrecy in Multiagent Systems
Secrecy in Multiagent Systems Joseph Y. Halpern & Kevin R. O Neill Department of Computer Science Cornell University halpern@cs.cornell.edu; kroneill@gmail.com We introduce a general framework for reasoning
More informationQuantum threat...and quantum solutions
Quantum threat...and quantum solutions How can quantum key distribution be integrated into a quantum-safe security infrastructure Bruno Huttner ID Quantique ICMC 2017 Outline Presentation of ID Quantique
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationA Logic of Authentication
A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationCryptography: A Fairy Tale for Mathematicians and Starring Mathematicians!
Cryptography: A Fairy Tale for Mathematicians and Starring Mathematicians! University of California, Berkeley Mathematics Undergraduate Student Association October 27, 2014 Why Crypto? So why on earth
More informationTyped MSR: Syntax and Examples
Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ MMM 01 St. Petersburg, Russia May 22 nd, 2001 Outline
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 14 October 16, 2013 CPSC 467, Lecture 14 1/45 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationSecuring Interactive Systems
Thesis for the Degree of Doctor of Philosophy Securing Interactive Systems Willard Rafnsson Department of Computer Science and Engineering Chalmers University of Technology and Göteborg University Göteborg,
More informationCryptography 2017 Lecture 2
Cryptography 2017 Lecture 2 One Time Pad - Perfect Secrecy Stream Ciphers November 3, 2017 1 / 39 What have seen? What are we discussing today? Lecture 1 Course Intro Historical Ciphers Lecture 2 One Time
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Secret Sharing Vault should only open if both Alice and Bob are present Vault should only open if Alice, Bob, and Charlie are
More informationLecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers
1 Winter 2018 CS 485/585 Introduction to Cryptography Lecture 6 Portland State University Jan. 25, 2018 Lecturer: Fang Song Draft note. Version: February 4, 2018. Email fang.song@pdx.edu for comments and
More informationLecture 10: Zero-Knowledge Proofs
Lecture 10: Zero-Knowledge Proofs Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Some of these slides are based on note by Boaz Barak. Quo vadis? Eo Romam
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationControl Flow Analysis of Security Protocols (I)
Control Flow Analysis of Security Protocols (I) Mikael Buchholtz 02913 F2005 Mikael Buchholtz p. 1 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography 02913 F2005
More informationPrivacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes
Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Supérieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Privacy
More informationEncoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania
Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationTutorial: Device-independent random number generation. Roger Colbeck University of York
Tutorial: Device-independent random number generation Roger Colbeck University of York Outline Brief motivation of random number generation Discuss what we mean by a random number Discuss some ways of
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols
More informationAn Independence Relation for Sets of Secrets
Sara Miner More Pavel Naumov An Independence Relation for Sets of Secrets Abstract. A relation between two secrets, known in the literature as nondeducibility, was originally introduced by Sutherland.
More informationMandatory Access Control (MAC)
CS 5323 Mandatory Access Control (MAC) Prof. Ravi Sandhu Executive Director and Endowed Chair Lecture 3 ravi.utsa@gmail.com www.profsandhu.com Ravi Sandhu 1 CS 5323 Lattice-Based Access Control (LBAC)
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationThe Laws of Cryptography Zero-Knowledge Protocols
26 The Laws of Cryptography Zero-Knowledge Protocols 26.1 The Classes NP and NP-complete. 26.2 Zero-Knowledge Proofs. 26.3 Hamiltonian Cycles. An NP-complete problem known as the Hamiltonian Cycle Problem
More informationIntroduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions
Introduction to Modern Cryptography Lecture 7 1. RSA Public Key CryptoSystem 2. One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bob s secret key K to two parts:
More informationTowards a Practical Secure Concurrent Language
Towards a Practical Secure Concurrent Language Stefan Muller and Stephen Chong TR-05-12 Computer Science Group Harvard University Cambridge, Massachusetts Towards a Practical Secure Concurrent Language
More informationExtracting a Secret Key from a Wireless Channel
Extracting a Secret Key from a Wireless Channel Suhas Mathur suhas@winlab.rutgers.edu W. Trappe, N. Mandayam (WINLAB) Chunxuan Ye, Alex Reznik (InterDigital) Suhas Mathur (WINLAB) Secret bits from the
More informationComputers and Mathematics with Applications
Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis
More informationProof assistants as a tool for thought
Proof assistants as a tool for thought Katherine Ye @hypotext Tools for thought workshop, March 16 circa 1700 Disputants unable to agree would not waste much time in futile argument... Leibniz (Harrison)
More informationMobile Functions and Secure Information Flow
Mobile Functions and Secure Information Flo Dilsun Kırlı Laboratory for Foundations of Computer Science, The University of Edinburgh, King s Buildings, Mayfield Road, Edinburgh, EH9 3JZ, Scotland, UK.
More informationThe Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security
The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security Carlos Olarte and Frank D. Valencia INRIA /CNRS and LIX, Ecole Polytechnique Motivation Concurrent
More informationEvidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs
Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice
More informationConstructing Provably-Secure Identity-Based Signature Schemes
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Table of contents Background Formal Definitions Schnorr Signature
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationCHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
INSTITUT FÜR INFORMATIK UND PRAKTISCHE MATHEMATIK A Constraint-Based Algorithm for Contract-Signing Protocols Detlef Kähler, Ralf Küsters Bericht Nr. 0503 April 2005 CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Announcements Reminder: Homework 1 due tomorrow 11:59pm Submit through Blackboard Homework 2 will hopefully be posted tonight
More informationEDA045F: Program Analysis LECTURE 10: TYPES 1. Christoph Reichenbach
EDA045F: Program Analysis LECTURE 10: TYPES 1 Christoph Reichenbach In the last lecture... Performance Counters Challenges in Dynamic Performance Analysis Taint Analysis Binary Instrumentation 2 / 44 Types
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationSecurity Abstractions and Intruder Models
EXPRESS 2008 Expressiveness in Concurrency 15th int. workshop Security Abstractions and Intruder Models (Extended Abstract) Michele Bugliesi 1 and Riccardo Focardi 2 Dipartimento di Informatica Università
More informationA Temporal Logic Approach to Information-flow Control
A Temporal Logic Approach to Information-flow Control Markus N. Rabe Saarland University UC Berkeley Berkeley, September 22 2015 Collaborations with Rayna Dimitrova, Bernd Finkbeiner, Máté Kovács, and
More informationA Theory for Comparing the Expressive Power of Access Control Models
A Theory for Comparing the Expressive Power of Access Control Models Mahesh V. Tripunitara Ninghui Li Department of Computer Sciences and CERIAS, Purdue University, West Lafayette, IN 47905. {tripunit,ninghui}@cerias.purdue.edu
More informationCPSC 467b: Cryptography and Computer Security
Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael
More informationChallenges in Quantum Information Science. Umesh V. Vazirani U. C. Berkeley
Challenges in Quantum Information Science Umesh V. Vazirani U. C. Berkeley 1 st quantum revolution - Understanding physical world: periodic table, chemical reactions electronic wavefunctions underlying
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationCRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2 assumptions and reductions Helger Lipmaa University of Tartu, Estonia MOTIVATION Assume Alice designs a protocol How to make sure it is secure? Approach 1: proof
More informationPublic Key Cryptography
T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Public Key Cryptography EECE 412 1 What is it? Two keys Sender uses recipient s public key to encrypt Receiver uses his private key to decrypt
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 6, 2017 CPSC 467, Lecture 18 1/52 Authentication While Preventing Impersonation Challenge-response authentication protocols
More informationTrace semantics: towards a unification of parallel paradigms Stephen Brookes. Department of Computer Science Carnegie Mellon University
Trace semantics: towards a unification of parallel paradigms Stephen Brookes Department of Computer Science Carnegie Mellon University MFCSIT 2002 1 PARALLEL PARADIGMS State-based Shared-memory global
More information