Proving Properties of Security Protocols by Induction
|
|
- Gwendolyn Warren
- 6 years ago
- Views:
Transcription
1 Proving Security Protocols 1 L. C. Paulson Proving Properties of Security Protocols by Induction Lawrence C. Paulson Computer Laboratory University of Cambridge
2 Proving Security Protocols 2 L. C. Paulson Cryptographic Protocol Analysis Finite-state checking Lowe, Millen,... + find attacks quickly drastic simplifying assumptions Belief logics Burrows, Abadi, Needham,... + short, abstract proofs some variants are complicated & ill-motivated
3 Proving Security Protocols 3 L. C. Paulson An Inductive Approach Traces of events: A sends X to B Any number of interleaved runs Algebraic theory of messages A general attacker Modelling of accidents Mechanized proofs
4 Proving Security Protocols 4 L. C. Paulson Agents and Messages agent A, B,... = Server Friend i Spy msg X, Y,... = Agent A Nonce N Key K { X, X } Hash X Crypt KX
5 Proving Security Protocols 5 L. C. Paulson Processing Sets of Messages parts: message components analz: message decryption synth: message faking Crypt KX X Crypt KX, K 1 X X, K Crypt KX Regularity lemmas stated using parts H Secrecy theorems stated using analz H Spoof messages drawn from synth(analz H)
6 Proving Security Protocols 6 L. C. Paulson Inductive Definition: parts H X H X parts H { X, Y } parts H X parts H Crypt KX parts H X parts H { X, Y } parts H Y parts H parts G parts H = parts(g H)
7 Proving Security Protocols 7 L. C. Paulson Inductive Definition: analz H X H X analz H Crypt KX analz H X analz H K 1 analz H { X, Y } analz H X analz H { X, Y } analz H Y analz H analz G analz H analz(g H)
8 Proving Security Protocols 8 L. C. Paulson Inductive Definition: synth H X H X synth H Agent A synth H X H Hash X synth H X synth H Y synth H { X, Y } synth H X synth H K H Crypt KX synth H G H = synth G synth H
9 Proving Security Protocols 9 L. C. Paulson Simplification Laws parts(parts H) = parts H analz(analz H) = analz H synth(synth H) = synth H idempotence parts(analz H) = analz(parts H) = parts H parts(synth H) = parts H synth H analz(synth H) = analz H synth H synth(analz H) =??
10 Proving Security Protocols 10 L. C. Paulson Symbolic Evaluation of parts(ins XH) ins XH = {X} H parts(ins(key K)H) = ins(key K)(parts H) parts(ins(hash X)H) = ins(hash X)(parts H) parts(ins{ X, Y }H) = ins{ X, Y }(parts(ins X(ins Y H))) parts(ins(crypt KX)H) = ins(crypt KX)(parts(ins XH))
11 Proving Security Protocols 11 L. C. Paulson Symbolic Evaluation of analz(ins XH) analz(ins(key K)H) = ins(key K)(analz H) K keysfor(analz H) analz(ins(crypt KX)H) = ins(crypt KX)(analz(ins XH)) ins(crypt KX)(analz H) K 1 analz H otherwise
12 Proving Security Protocols 12 L. C. Paulson Deductions from synth H Nonce N synth H = Nonce N H Key K synth H = Key K H Crypt KX synth H = Crypt KX H or X synth H K H A similar law for { X, Y } synth H
13 Proving Security Protocols 13 L. C. Paulson Spoof Messages: Limiting the Damage Breaking down the spoof message: { X, Y } synth(analz H) X synth(analz H) Y synth(analz H) Eliminating the spoof message: X synth(analz G) = parts(ins X H) synth(analz G) parts G parts H
14 Proving Security Protocols 14 L. C. Paulson The Shared-Key Model Traces as lists of events: Alice s shared key: Items already used in this trace: Says A B X shrk A used evs Reading the traffic (with the help of lost keys): spies (Says A B X # evs) = {X} spies evs spies [] = {shrk A A lost}
15 Proving Security Protocols 15 L. C. Paulson The Simplified Otway-Rees Protocol 1. A B : Na, A, B, { Na, A, B } Kas 2. B S : Na, A, B, { Na, A, B } Kas, Nb, { Na, A, B } Kbs 3. S B : Na, { Na, Kab } Kas, { Nb, Kab } Kbs 4. B A : Na, { Na, Kab } Kas
16 Proving Security Protocols 16 L. C. Paulson Inductively Defining the Protocol, If evs is a trace and Na is unused, may add Says A B { Na, A, B, Crypt(shrK A){ Na, A, B } } 2. If evs has Says A B { Na, A, B, X } and Nb is unused, may add Says B Server { Na, A, B, X, Nb, Crypt(shrK B){ Na, A, B } } B doesn t know the true sender & can t read X
17 Proving Security Protocols 17 L. C. Paulson Inductively Defining the Protocol, 4 4. If evs contains the events Says B Server { Na, A, B, X, Nb, Crypt(shrK B){ Na, A, B } } Says S B { Na, X, Crypt(shrK B){ Nb, K } } may add Says B A { Na, X } Rule applies only if nonces agree, etc.
18 Proving Security Protocols 18 L. C. Paulson Modelling Attacks and Accidents Fake. If X synth(analz(spies evs)), may add Says Spy B X Oops. If server distributes key K, may add Nonces show the time of the loss Says A Spy { Na, Nb, K }
19 Proving Security Protocols 19 L. C. Paulson Regularity & Unicity Agents don t talk to themselves Secret keys are never lost (except initially) Nonces & keys uniquely identify creating message Easily proved by induction & simplification of parts
20 Proving Security Protocols 20 L. C. Paulson Secrecy Keys, if secure, are never encrypted using any session keys Distributed keys remain confidential to recipients! Yahalom: nonce Nb remains secure Simplification of analz: case analysis, big formulas
21 Proving Security Protocols 21 L. C. Paulson An Attack 1. A B : Na, A, B, { Na, A, B } Kas 1. C A : Nc, C, A, { Nc, C, A } Kcs 2. A S : Nc, C, A, { Nc, C, A } Kcs, Na, { Nc, C, A } Kas 2. C A S : Nc, C, A, { Nc, C, A } Kcs, Na, { Nc, C, A } Kas 3. S A : Nc, { Nc, Kca } Kcs, { Na, Kca } Kas 4. C B A : Na, { Na, Kca } Kas
22 Proving Security Protocols 22 L. C. Paulson New Guarantees of Fixed Protocol B can trust the message if he sees Says S B { Na, X, Crypt(shrK B){ Nb, K } } Says B Server { Na, A, B, X, Crypt(shrK B){ Na, Nb, A, B } } A can trust the message if she sees Says B A { Na, Crypt(shrK A){ Na, K } } Says A B { Na, A, B, Crypt(shrK A){ Na, A, B } }
23 Proving Security Protocols 23 L. C. Paulson Statistics 200 theorems about 10 protocol variants (3 Otway-Rees, 2 Yahalom, Needham-Schroeder,...) 110 laws proved concerning messages 2 9 minutes CPU time per protocol few hours or days human time per protocol over 1200 proof commands in all
24 Proving Security Protocols 24 L. C. Paulson Conclusions A feasible method of analyzing protocols Guarantees proved in a clear framework Complementary to other methods: Finite-state: finding simple attacks automatically Belief logics: freshness analysis Related work by Dominique Bolignano
Proving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationA Logic of Authentication
A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,
More informationBAN Logic A Logic of Authentication
BAN Logic A Logic of Authentication Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 BAN Logic The BAN logic was named after its inventors, Mike Burrows, Martín Abadí,
More informationVerification of the TLS Handshake protocol
Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol.
More informationProtocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete
Protocol Insecurity with a Finite Number of Sessions and Composed Keys is NP-complete Michaël Rusinowitch and Mathieu Turuani LORIA-INRIA- Université Henri Poincaré, 54506 Vandoeuvre-les-Nancy cedex, France
More informationA Logic of Authentication. Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989
A Logic of Authentication Borrows, Abadi and Needham TOCS 1990, DEC-SRC 1989 Logic Constructs P believes X : P may act as though X is true. P sees X : a message containing X was sent to P; P can read and
More informationStrand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001
Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationEncoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania
Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to
More informationLecture 7: Specification Languages
Graduate Course on Computer Security Lecture 7: Specification Languages Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita
More informationVerification of Security Protocols in presence of Equational Theories with Homomorphism
Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D,
More informationModels and analysis of security protocols 1st Semester Security Protocols Lecture 6
Models and analysis of security protocols 1st Semester 2010-2011 Security Protocols Lecture 6 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 18th 2010 1 / 46 Last Time (I) Symmetric
More informationVerification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method
Verification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method Pasquale Noce Security Certification Specialist at Arjo Systems, Italy pasquale dot noce dot lavoro
More informationTerm Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool
Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Informáticos y Computación Universitat Politècnica de València sescobar@dsic.upv.es
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University
More informationA decidable subclass of unbounded security protocols
A decidable subclass of unbounded security protocols R. Ramanujam and S. P. Suresh The Institute of Mathematical Sciences C.I.T. Campus, Chennai 600 113, India. E-mail: {jam,spsuresh}@imsc.res.in 1 Summary
More informationControl Flow Analysis of Security Protocols (I)
Control Flow Analysis of Security Protocols (I) Mikael Buchholtz 02913 F2005 Mikael Buchholtz p. 1 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography 02913 F2005
More informationExam Security January 19, :30 11:30
Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in
More informationAutomatic, computational proof of EKE using CryptoVerif
Automatic, computational proof of EKE using CryptoVerif (Work in progress) Bruno Blanchet blanchet@di.ens.fr Joint work with David Pointcheval CNRS, École Normale Supérieure, INRIA, Paris April 2010 Bruno
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationProving secrecy is easy enough
Proving secrecy is easy enough VCronique Cortier Laboratoire SpCcification et VCrification Ecole Normale SupCrieure de Cachan 61, Avenue du President Wilson, 94230 Cachan, France cortier@ 1sv.ens-cachan.fr
More informationAn Efficient Cryptographic Protocol Verifier Based on Prolog Rules
An Efficient Cryptographic Protocol Verifier Based on Prolog Rules Bruno Blanchet INRIA Rocquencourt Domaine de Voluceau B.P. 105 78153 Le Chesnay Cedex, France Bruno.Blanchet@inria.fr Abstract We present
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationOn the Automatic Analysis of Recursive Security Protocols with XOR
On the Automatic Analysis of Recursive Security Protocols with XOR Ralf Küsters 1 and Tomasz Truderung 2 1 ETH Zurich ralf.kuesters@inf.ethz.ch 2 University of Kiel, Wrocław University tomasz.truderung@ii.uni.wroc.pl
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1,ChiaraBodei 2, Pierpaolo Degano 2, and Hanne Riis Nielson 1 1 Informatics and Mathematical Modelling, Technical University
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ IITD, CSE Dept. Delhi, India April 24 th,2002 Outline Security Protocols
More informationA Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures
A Resolution Strategy for Verifying Cryptographic Protocols with CBC Encryption and Blind Signatures Véronique Cortier LORIA, Nancy, France CNRS & INRIA Project Cassis cortier@loria.fr Michael Rusinowitch
More informationElliptic Curves. Giulia Mauri. Politecnico di Milano website:
Elliptic Curves Giulia Mauri Politecnico di Milano email: giulia.mauri@polimi.it website: http://home.deib.polimi.it/gmauri May 13, 2015 Giulia Mauri (DEIB) Exercises May 13, 2015 1 / 34 Overview 1 Elliptic
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationAPPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.
APPLITIONS OF AN-LOGIC JAN WESSELS CMG FINANCE.V. APRIL 19, 2001 Chapter 1 Introduction This document is meant to give an overview of the AN-logic. The AN-logic is one of the methods for the analysis of
More informationProbabilistic Model Checking of Security Protocols without Perfect Cryptography Assumption
Our Model Checking of Security Protocols without Perfect Cryptography Assumption Czestochowa University of Technology Cardinal Stefan Wyszynski University CN2016 Our 1 2 3 Our 4 5 6 7 Importance of Security
More informationTime-Bounding Needham-Schroeder Public Key Exchange Protocol
Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek
More informationProvable Anonymity ABSTRACT. Categories and Subject Descriptors. General Terms. Keywords
Provable Anonymity Flavio D. Garcia Ichiro Hasuo Wolter Pieters Peter van Rossum Institute for Computing and Information Sciences, Radboud University Nijmegen P.O. Box 9010, 6500 GL Nijmegen, The Netherlands
More informationAutomatic Verification of Complex Security Protocols With an Unbounded Number of Sessions
Automatic Verification of Complex Security Protocols With an Unbounded Number of Sessions Kaile Su, Weiya Yue and Qingliang Chen Department of Computer Science, Sun Yat-sen University Guangzhou, P.R. China
More informationTyped MSR: Syntax and Examples
Typed MSR: Syntax and Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ MMM 01 St. Petersburg, Russia May 22 nd, 2001 Outline
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationA Calculus for Control Flow Analysis of Security Protocols
International Journal of Information Security manuscript No. (will be inserted by the editor) A Calculus for Control Flow Analysis of Security Protocols Mikael Buchholtz, Hanne Riis Nielson, Flemming Nielson
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationOn the Verification of Cryptographic Protocols
On the Verification of Cryptographic Protocols Federico Cerutti Dipartimento di Ingegneria dell Informazione, Università di Brescia Via Branze 38, I-25123 Brescia, Italy January 11, 2011 Talk at Prof.
More informationStrand Spaces: Why is a Security Protocol Correct?
Strand Spaces: Why is a Security Protocol Correct? F. Javier Thayer Fábrega Jonathan C. Herzog Joshua D. Guttman The MITRE Corporation fjt, jherzog, guttmang@mitre.org Abstract A strand is a sequence of
More informationMSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra. Iliano Cervesato. ITT Industries, NRL Washington, DC
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, DC http://theory.stanford.edu/~iliano ISSS 2003,
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationA simple procedure for finding guessing attacks (Extended Abstract)
A simple procedure for finding guessing attacks (Extended Abstract) Ricardo Corin 1 and Sandro Etalle 1,2 1 Dept. of Computer Science, University of Twente, The Netherlands 2 CWI, Center for Mathematics
More informationModels for an Adversary-Centric Protocol Logic
Workshop on Logical Aspects of Cryptographics 2001 Preliminary Version Models for an Adversary-Centric Protocol Logic Peter Selinger Department of Mathematics and Statistics University of Ottawa Ottawa,
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationOn-the-fly Model Checking of Security Protocols
Guoqiang LI Japan Advanced Institute of Science and Technology Supervisor: Prof. Mizuhito Ogawa February 7, 2008 1 / 103 A Challenging Problem and A Legend... A security protocol, although only containing
More informationThe Laws of Cryptography Zero-Knowledge Protocols
26 The Laws of Cryptography Zero-Knowledge Protocols 26.1 The Classes NP and NP-complete. 26.2 Zero-Knowledge Proofs. 26.3 Hamiltonian Cycles. An NP-complete problem known as the Hamiltonian Cycle Problem
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationstructure of such protocols, the difficulty is that logics are useful only when the semantics is precise, and most of the problems seem to relate to p
Information based reasoning about security protocols R. Ramanujam and S. P. Suresh 1 The Institute of Mathematical Sciences C.I.T. Campus, Chennai 600 113, India. Abstract We propose a notion of information
More informationKEY DISTRIBUTION 1 /74
KEY DISTRIBUTION 1 /74 The public key setting Alice M D sk[a] (C) C Bob pk[a] C $ E pk[a] (M) σ $ S sk[a] (M) M,σ Vpk[A] (M,σ) Bob can: send encrypted data to Alice verify her signatures as long as he
More informationProbabilistic Polynomial-Time Process Calculus for Security Protocol Analysis. Standard analysis methods. Compositionality
Probabilistic Polynomial-Time Process Calculus for Security Protocol Analysis J. Mitchell, A. Ramanathan, A. Scedrov, V. Teague P. Lincoln, P. Mateus, M. Mitchell Standard analysis methods Finite-state
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationA Semantics for a Logic of Authentication. Cambridge, MA : A; B
A Semantics for a Logic of Authentication (Extended Abstract) Martn Abadi Digital Equipment Corporation Systems Research Center 130 Lytton Avenue Palo Alto, CA 94301 ma@src.dec.com Abstract: Burrows, Abadi,
More informationDecidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation
Decidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation Vitaly Shmatikov SRI International shmat@csl.sri.com Abstract. We demonstrate that the symbolic trace reachability
More informationSynthesising Secure APIs
Synthesising Secure APIs Véronique Cortier, Graham Steel To cite this version: Véronique Cortier, Graham Steel. Synthesising Secure APIs. [Research Report] RR-6882, INRIA. 2009, pp.24.
More informationAutomated Validation of Internet Security Protocols. Luca Viganò
Automated Validation of Internet Security Protocols Luca Viganò The AVISPA Project Luca Viganò 1 Motivation The number and scale of new security protocols under development is out-pacing the human ability
More informationExtracting a Secret Key from a Wireless Channel
Extracting a Secret Key from a Wireless Channel Suhas Mathur suhas@winlab.rutgers.edu W. Trappe, N. Mandayam (WINLAB) Chunxuan Ye, Alex Reznik (InterDigital) Suhas Mathur (WINLAB) Secret bits from the
More informationLogical Relations for Encryption
Logical Relations for Encryption Eijiro Sumii University of Tokyo sumii@saul.cis.upenn.edu Benjamin C. Pierce University of Pennsylvania bcpierce@cis.upenn.edu Abstract The theory of relational parametricity
More informationAnalysing Layered Security Protocols
Analysing Layered Security Protocols Thomas Gibson-Robinson St Catherine s College University of Oxford A thesis submitted for the degree of Doctor of Philosophy Trinity 2013 Abstract Many security protocols
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationModel Checking Security Protocols Using a Logic of Belief
Model Checking Security Protocols Using a Logic of Belief Massimo Benerecetti 1 and Fausto Giunchiglia 1,2 1 DISA - University of Trento, Via Inama 5, 38050 Trento, Italy 2 IRST - Istituto Trentino di
More informationQuantum Cryptography
Quantum Cryptography Christian Schaffner Research Center for Quantum Software Institute for Logic, Language and Computation (ILLC) University of Amsterdam Centrum Wiskunde & Informatica Winter 17 QuantumDay@Portland
More informationSymbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation
Symbolic Protocol Analysis with Products and Diffie-Hellman Exponentiation Jonathan Millen and Vitaly Shmatikov Computer Science Laboratory SRI International millenshmat @cslsricom Abstract We demonstrate
More informationQuantum Wireless Sensor Networks
Quantum Wireless Sensor Networks School of Computing Queen s University Canada ntional Computation Vienna, August 2008 Main Result Quantum cryptography can solve the problem of security in sensor networks.
More informationA one message protocol using cryptography, where K AB is a symmetric key shared between A and B for private communication. A B : {M} KAB on c AB
A one message protocol using cryptography, where K AB is a symmetric key shared between A and B for private communication. A B : {M} KAB on c AB This can be represented as A send cab {M} KAB ;halt B recv
More informationWhisper: Local Secret Maintenance in Sensor Networks 1
Whisper: Local Secret Maintenance in Sensor Networks 1 Vinayak Naik Anish Arora Sandip Bapat Mohamed Gouda Department of Computer and Information Science The Ohio State University Columbus, OH 43210, USA
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationNegative applications of the ASM thesis
Negative applications of the ASM thesis Dean Rosenzweig and Davor Runje University of Zagreb Berlin, February 26-27, 2007 Outline 1 Negative applications of the ASM thesis Motivation Non-interactive algorithms
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationThe RSA cryptosystem and primality tests
Mathematics, KTH Bengt Ek November 2015 Supplementary material for SF2736, Discrete mathematics: The RSA cryptosystem and primality tests Secret codes (i.e. codes used to make messages unreadable to outsiders
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationSecrecy and the Quantum
Secrecy and the Quantum Benjamin Schumacher Department of Physics Kenyon College Bright Horizons 35 (July, 2018) Keeping secrets Communication Alice sound waves, photons, electrical signals, paper and
More informationCS-E4320 Cryptography and Data Security Lecture 11: Key Management, Secret Sharing
Lecture 11: Key Management, Secret Sharing Céline Blondeau Email: celine.blondeau@aalto.fi Department of Computer Science Aalto University, School of Science Key Management Secret Sharing Shamir s Threshold
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationPrivate Authentication
Private Authentication Martín Abadi University of California at Santa Cruz Cédric Fournet Microsoft Research Abstract Frequently, communication between two principals reveals their identities and presence
More informationDeriving GDOI. Dusko Pavlovic and Cathy Meadows
Deriving GDOI Dusko Pavlovic and Cathy Meadows September 2003 1 Outline 1. Trace logic 2. Axioms and rules 3. Deriving core GDOI 4. Global encryption and hashing transformations 5. Adding PFS and POP options
More informationYou know that this guy is Napoléon
You know that this guy is Napoléon He believes he is Napoleon, but it is well known that I am Napoleon. Epistemic Logic and Modal Logic Pierre Lescanne, LIP, ENS de Lyon 6 Examples related to computers
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationFinite Models for Formal Security Proofs
Finite Models for Formal Security Proofs Jean Goubault-Larrecq goubault@lsv.ens-cachan.fr LSV, ENS Cachan, CNRS, INRIA 61, avenue du président Wilson 94230 Cachan, France Tel: +33-1 47 40 75 68 Fax: +33-1
More informationCPSA and Formal Security Goals
CPSA and Formal Security Goals John D. Ramsdell The MITRE Corporation CPSA Version 2.5.1 July 8, 2015 Contents 1 Introduction 3 2 Syntax 6 3 Semantics 8 4 Examples 10 4.1 Needham-Schroeder Responder.................
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More informationCHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
INSTITUT FÜR INFORMATIK UND PRAKTISCHE MATHEMATIK A Constraint-Based Algorithm for Contract-Signing Protocols Detlef Kähler, Ralf Küsters Bericht Nr. 0503 April 2005 CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationCSE 311 Lecture 11: Modular Arithmetic. Emina Torlak and Kevin Zatloukal
CSE 311 Lecture 11: Modular Arithmetic Emina Torlak and Kevin Zatloukal 1 Topics Sets and set operations A quick wrap-up of Lecture 10. Modular arithmetic basics Arithmetic over a finite domain (a.k.a
More informationSolutions to the Midterm Test (March 5, 2011)
MATC16 Cryptography and Coding Theory Gábor Pete University of Toronto Scarborough Solutions to the Midterm Test (March 5, 2011) YOUR NAME: DO NOT OPEN THIS BOOKLET UNTIL INSTRUCTED TO DO SO. INSTRUCTIONS:
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationOne Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano
More informationSharing a Secret in Plain Sight. Gregory Quenell
Sharing a Secret in Plain Sight Gregory Quenell 1 The Setting: Alice and Bob want to have a private conversation using email or texting. Alice Bob 2 The Setting: Alice and Bob want to have a private conversation
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationA derivation system and compositional logic for security protocols
Journal of Computer Security 13 2005) 423 482 423 IOS Press A derivation system and compositional logic for security protocols Anupam Datta a,, Ante Derek a, John C. Mitchell a and Dusko Pavlovic b a Computer
More informationSimple Math: Cryptography
1 Introduction Simple Math: Cryptography This section develops some mathematics before getting to the application. The mathematics that I use involves simple facts from number theory. Number theory is
More informationThe Logical Meeting Point of Multiset Rewriting and Process Algebra
MFPS 20 @ MU May 25, 2004 The Logical Meeting Point of Multiset Rewriting and Process Algebra Iliano ervesato iliano@itd.nrl.navy.mil ITT Industries, inc @ NRL Washington, D http://theory.stanford.edu/~iliano
More information