StatVerif: Modelling protocols that involve persistent state
|
|
- Alexina Craig
- 5 years ago
- Views:
Transcription
1 StatVerif: Modelling protocols that involve persistent state Mark D. Ryan University of Birmingham Joint work with Myrto Arapinis, Stéphanie Delaune, Steve Kremer, Joshua Phillips and Graham Steel 7 8 December 2011
2 Outline The ProVerif method Protocols with persistent state The TPM StatVerif
3 Verifying cryptographic protocols Provable/computational security 1 Computationally bounded (polynomial) attacker 2 Exact cryptographic operations on bitstrings 3 Bitstring (more concrete) model 4 Prove difficulty of violating security property is equivalent to solving a hard problem Formal/symbolic methods 1 Idealised (worst case) attacker 2 Idealised (best case) perfect cryptography 3 Symbolic (more abstract) model of protocol 4 Prove impossibility of violating security property within the model
4 Attacker model We model a very powerful attacker, with Dolev-Yao capabilities: it completely controls the communication channels, so it is able to record, alter, delete, insert, redirect, reorder, and reuse past or current messages, and inject new messages. (The network is the attacker.) manipulate data in arbitrary ways, including applying crypto operations provided has the necessary keys. It controls dishonest participants. It s always better to assume the worst. Assume your adversaries are better than they are. Assume science and technology will soon be able to do things they cannot yet. Give yourself a margin for error. Give yourself more security than you need today. - Bruce Schneier
5 Coding protocols as processes Handshake protocol Original handshake protocol: let Server = in (ch, pkc ); S new k enc pkc (sign sks (k)) senc k (s) C new k; out (ch, enc(pkc, sign(sks, k ) )); in (ch, m); 0.
6 The handshake protocol in full free ch. (* Public key cryptography *) fun pk/1. fun enc/2. fun dec/2. equation dec(x, enc(pk(x), y) ) = y. (* Signatures *) fun sign/2. fun checksign/2. fun getmess/1. fun ok/0. equation checksign(pk(x), sign(x,y)) = ok. equation getmess(sign(x,y)) = y. (* Shared-key cryptography *) fun senc/2. fun sdec/2. equation sdec(senc(x,y),x) = y.
7 The handshake protocol in full 2 let Server = in (ch, pkc ); new k; out (ch, enc(pkc, sign(sks, k ) )); in (ch, m); 0. let Client = in (ch, pks ); in (ch, m); let m = dec(skc, m) in if checksign(pks, m ) = ok then let k = getmess(m) in if pks = pks then out (ch, senc(k, s)).
8 Security properties The applied pi calculus can model the following: Reachability properties (e.g., secrecy) Correspondence assertions (e.g., authentication) Observational equivalence (e.g., strong secrecy; for instance, ballot secrecy; )
9 Handshake protocol - analysis S I C new k pkm enc pkm (sign sks (k)) pkc enc pkc (sign sks (k)) senc k (s) new s C publishes her public key I starts a session with S I learns sign sks (k) and k I replays sign sks (k) in a session with S I is able to output secrect s Adversary process I in (c, xpk); out (c, pkm); in (c, y); let sig = dec skm (y) in out (c, enc xpk (sig)); in (c, z); out (c, sdec getmsg(sig) (z))
10 Protocols with persistent state
11 Persistent state Agents that have persistent state: Web servers, database servers,... Hardware tokens Smart cards: capabilities,... RFID tags: their identity,... TPM: PCR values, session nonces,... HSM: PIN codes,... Trusted party in contract signing protocols VANETs...
12 The trusted platform module
13 Digital rights management Secure environment rt ble epo a e r rg ion o f t un ura ig nf o c
14 Richard Stallman Creator of GNU, Emacs, GCC, GPL, the Free Software Foundation With a plan they call trusted computing, large media corporations, together with computer companies such as Microsoft and Intel, are planning to make your computer obey them instead of you. He calls it treacherous computing.
15 Ross Anderson Professor of Computer Security, University of Cambridge TC can support remote censorship. In its simplest form, applications may be designed to delete pirated music under remote control. In 2010 President Clinton may have two red buttons on her desk - one that sends the missiles to China, and another that turns off all the PCs in China. He also talks of commercial bullying, economic warfare and political censorship.
16 Secure environment Attestation from cloud Cloud server
17 Platform configuration registers The TPM has 24 platform configuration registers, PCRs. Updating a PCR The command TPM Extend(PCR p, Data x) effects the assignment p := SHA-1(p x)
18 StatVerif
19 StatVerif syntax: processes P, Q ::= processes out(m, N); P output in(m, x); P input P Q parallel composition!p replication new a; P restriction let x = g(m 1,..., M n ) in P else Q destructor application if M = N then P else Q conditional [s M] state cell read s as x; P read s := M; P write lock; P begin locked section unlock; P end locked section
20 Coding processes as Horn clauses: ProVerif let Server = in (ch, x); new n; out (ch, enc(k, (x,n) )); attacker:x attacker:enc(k[], (x,n[x]) );
21 Coding processes as Horn clauses: StatVerif let Server = in (ch, x); new n; out (ch, enc(k, (x,n) )); attacker:x attacker:enc(k[], (x,n[x]) ); attacker:u,x attacker:u,enc(k[], (x,n[x]) );
22 Assignments let Server = in (ch, x); u := h(u,x); attacker:u,x attacker:u,y attacker:h(u,x),y;
23 The Horn clauses representation The translation of a StatVerif process generates clauses built around the following two predicates att( M, N) means that state M is reachable and in that state the attacker knows the value N; mes( M, K, N) means that state M is reachable and in that state the value N is available on channel K.
24 Attacker clauses: constructors and destructors The attacker can build new messages by applying any constructor to messages he knows. For each constructor f (M 1,..., M n ) att(xs, M 1 ) att(xs, M n ) att(xs, f (M 1,..., M n )) Asymmetric encryption att(xs, xk) att(xs, xm) att(xs, aenc(xk, xm)) The attacker can analyse messages by applying any destructor to messages he knows. For each destructor g(m 1,..., M n ) M att(xs, M 1 ) att(xs, M n ) att(xs, M) Asymmetric-key decryption att(xs, xk) att(xs, aenc(pbk(xk), xm)) att(xs, xm)
25 Attacker clauses: public channels The attacker can send messages on public channels att(xs, xc) att(xs, xm) mes(xs, xc, xm) The attacker can eavesdrop on public channels att(xs, xc) mes(xs, xc, xm) att(xs, xm)
26 Attacker clauses: public state cells Consider the protocol new m; ([s 1 M 1 ] [s n M n ] P) The attacker can read from public state cells For all i {1,..., n} att((xs 1,..., xs n ), s i []) att((xs 1,..., xs n ), xs i ) The attacker can write to public state cells For all i {1,..., n} att((xs 1,... xs i,..., xs n ), s i []) att((xs 1,..., xs i,..., xs n ), ys i ) mes((xs 1,..., xs i,..., xs n ), zc, zm) mes((xs 1,..., ys i,..., xs n ), zc, zm) att((xs 1,... xs i,..., xs n ), s i []) att((xs 1,..., xs i,..., xs n ), ys i ) att((xs 1,..., xs i,..., xs n ), zm) att((xs 1,..., ys i,..., xs n ), zm)
27 Protocol clauses 0 ρhlφµ = Q 1 Q 2 ρhlφfalse = Q 1 ρ Hlφfalse Q 2 ρhlφfalse!q ρhlφfalse = Q ρhlφfalse j new a; Q ρhlφµ = Q (ρ {a a[l]})hlφµ Q (ρ {a attn[]})hlφµ if a bn(p) otherwise in(m, x); Q ρhlφfalse = Q (ρ {x x, vs 1 vs 1,..., vsn vsn}) H (x :: l) φ false where φ 0 = (vs 1,..., vsn), with vs 1,..., vsn fresh and H = H mes(φ 0, ρ(m), x) in(m, x); Q ρhlφtrue = Q (ρ {x x})(h mes(φ, ρ(m), x))(x :: l)φtrue out(m, N); Q ρhlφµ = {H mes(φ, ρ(m), ρ(n))} Q ρhlφµ let x = g(m 1,..., Mn) in Q 1 else Q 2 ρhlφµ = S j Q 1 ((ρσ) {x p σ })(Hσ)(lσ)(φσ)µ g(p 1,..., p n ) p def (g) and (σ, σ ) mgus and M 1 ρσ = p 1 σ,..., Mnρσ = p n ff σ Q 2 ρhlφµ if M = N then Q 1 else Q 2 ρhlφµ = Q 1 (ρσ)(hσ)(lσ)(φσ)µ Q 2 ρhlφµ where σ = mgu(ρ(m), ρ(n)) lock; Q ρhlφfalse = Q (ρ {vs 1 vs 1,..., vsn vsn})hlφ 0 true where φ 0 = (vs 1,..., vsn), with vs 1,..., vsn fresh unlock; Q ρhlφtrue = Q ρhlφfalse s i := M; Q ρhlφfalse = Q (ρ {vs 1 vs 1,..., vsn vsn, vc vc, vm vm})hlφfalse {H mes(φ 0, vc, vm) mes(φ 1, vc, vm)} {H att(φ 0, vm) att(φ 1, vm)} where φ 0 = (vs 1,..., vs i 1, vs i, vs i+1,..., vsn), and φ 1 = (vs 1,..., vs i 1, ρ(m), vs i+1,..., vsn) with vs 1,..., vsn, vc, vm fresh s i := M; Q ρhlφtrue = Q (ρ {vc vc, vm vm})hlφ true {H mes(φ, vc, vm) mes(φ, vc, vm)} {H att(φ, vm) att(φ, vm)} where φ = (M 1,..., M i 1, M i, M i+1,..., Mn), and φ = (M 1,..., M i 1, ρ(m), M i+1,..., Mn), and vc, vm fresh read s i as x; Q ρhlφfalse = Q (ρ {x vs i, vs 1 vs 1,..., vs i vs i,..., vsn vsn, vc vc, vm vm})(h mes(φ 0, vc, vm))lφfalse where φ 0 = (vs 1,..., vs i,..., vsn), with vs 1,..., vs i,..., vsn, vc, vm fresh read s i as x; Q ρhlφtrue = Q (ρ {x M i, vc vc, vm vm})(h mes(φ, vc, vm))lφtrue where φ = (M 1,..., M i,..., Mn) and vc, vm fresh
28 Protocol clauses 0 ρhlφµ = Q 1 Q 2 ρhlφfalse = Q 1 ρ Hlφfalse Q 2 ρhlφfalse!q ρhlφfalse Assignments = Q ρhlφfalse j Q (ρ {a a[l]})hlφµ if a bn(p) new a; Q ρhlφµ = Q (ρ {a attn[]})hlφµ otherwise in(m, x); Q ρhlφfalse = Q (ρ {x x, vs 1 vs 1,..., vsn vsn}) H (x :: l) φ false where φ 0 = (vs 1,..., vsn), with vs 1,..., vsn fresh s i := M; Q ρhlφfalse = Q ρ Hlφfalse and H = H mes(φ 0, ρ(m), x) in(m, x); Q ρhlφtrue = Q (ρ {x x})(h mes(φ, ρ(m), x))(x :: l)φtrue {H mes(φ out(m, N); Q ρhlφµ = {H mes(φ, ρ(m), 0, vc, vm) mes(φ ρ(n))} Q ρhlφµ 1, vc, vm)} S j let x = g(m 1,..., Mn) in Q 1 else Q 2 ρhlφµ = Q 1 ((ρσ) {x p σ })(Hσ)(lσ)(φσ)µ {H att(φ 0, vm) att(φ 1, vm)} where φ 0 = (vs 1,..., vs i 1, vs i, vs i+1,..., vs n), g(p 1,..., p n ) p def (g) and (σ, σ ) mgus and M 1 ρσ = p 1 σ,..., Mnρσ = p n ff σ Q 2 ρhlφµ if M = Nand then Qφ 11 else = Q 2 (vs ρhlφµ 1,..., vs i 1, ρ(m), = Qvs 1 (ρσ)(hσ)(lσ)(φσ)µ i+1,..., vs n) Q 2 ρhlφµ where σ = mgu(ρ(m), ρ(n)) lock; Q ρhlφfalse = Q (ρ {vs 1 vs 1,..., vsn vsn})hlφ 0 true with vs 1,..., vs n, vc, vm fresh where φ 0 = (vs 1,..., vsn), with vs 1,..., vsn fresh unlock; Q ρhlφtrue = Q ρhlφfalse and ρ = ρ {vs 1 vs 1,..., vs n vs n, vc vc, vm vm} s i := M; Q ρhlφfalse = Q (ρ {vs 1 vs 1,..., vsn vsn, vc vc, vm vm})hlφfalse {H mes(φ 0, vc, vm) mes(φ 1, vc, vm)} {H att(φ 0, vm) att(φ 1, vm)} where φ 0 = (vs 1,..., vs i 1, vs i, vs i+1,..., vsn), s i := M; Q ρhlφtrue = and φ 1 = (vs 1,..., vs i 1, ρ(m), vs i+1,..., vsn) Q (ρ {vc vc, vm vm})hlφ with vs 1,... true, vsn, vc, vm fresh s i := M; Q ρhlφtrue = Q (ρ {vc vc, vm vm})hlφ true {H mes(φ, vc, vm) {H mes(φ, vc, vm) mes(φ mes(φ, vc, vm)}, vc, vm)} {H att(φ, vm) vm) att(φ, vm)} att(φ, vm)} where φ = (M 1,..., M i 1, M i, M i+1,..., Mn), where φ = (M 1,..., M i 1, M i, M i+1,..., M n), and φ = (M 1,..., M i 1, ρ(m), M i+1,..., Mn), and vc, vm fresh and φ = (M 1,..., M i 1, ρ(m), M i+1,..., M n), read s i as x; Q ρhlφfalse = Q (ρ {x vs i, vs 1 vs 1,..., vs i vs i,..., vsn vsn, and vc, vm fresh vc vc, vm vm})(h mes(φ 0, vc, vm))lφfalse where φ 0 = (vs 1,..., vs i,..., vsn), with vs 1,..., vs i,..., vsn, vc, vm fresh read s i as x; Q ρhlφtrue = Q (ρ {x M i, vc vc, vm vm})(h mes(φ, vc, vm))lφtrue where φ = (M 1,..., M i,..., Mn) and vc, vm fresh
29 Main result Theorem (The StatVerif compiler is correct) Let M be a message. Let P be a protocol of the form new m; ([s 1 M 1 ] [s n M n ] Q) Clauses(P) secrecy(m) P = secrecy(m) If K the fact att( K, M) is not derivable from Clauses(P), then P preserves the secrecy of M.
30 Some clauses for commands of the TPM TPM Read: att(x p, x) att(x p, x p ) TPM CreateWrapKey: att(x p, x pcr ) key(x p, x sk, x pk, x p ) att(x p, pk(bindk[x pcr ]), wrap(x pk, bindk[x pcr ], tpmpf[], x pcr ) ) TPM LoadKey2: att(x p, pk(x key )) att(x p, wrap(x pk, x key, tpmpf[], x pcr )) key(x p, x sk, x pk, x p ) key(x p, x key, pk(x key ), x pcr ) TPM Unbind: att(x p, aenc(x pk, x data )) key(x p, x sk, x pk, x p ) att(x p, x data ) TPM Extend: att(x p, x v ) att(x p, x) att(h(x p, x v ), x) key(x p, x sk, x pk, x pcr ) att(x p, x v ) key(h(x p, x v ), x sk, x pk, x pcr )
31 Making ProVerif work on the Horn clauses Safe abstraction: Replace att(x p, x v ) att(x p, x) att(h(x p, x v ), x) with n instances, in which x p is zero[] h(zero[], x 1 ) h(h(zero[], x 1 ), x 2 ) h(h(h(zero[], x 1 ), x 2 ), x 3 )...
32 Current and future work Prototype implementation by Joshua Phillips More case studies UMTS protocols, RFID protocols,... Extension to authentication properties Extension to observational equivalence Abstractions
Automated analysis of security properties of the TPM
Automated analysis of security properties of the TPM Mark D. Ryan University of Birmingham Joint work with Myrto Arapinis, Ian Batten, Stéphanie Delaune, Steve Kremer, Joshua Phillips, Graham Steel, Shiwei
More informationStatVerif: Verification of Stateful Processes
StatVerif: Verification of Stateful Processes Myrto Arapinis Joshua Phillips Eike Ritter Mark D. Ryan {m.d.arapinis, e.ritter, j.phillips, m.d.ryan}@cs.bham.ac.uk School of Computer Science, University
More informationA process algebraic analysis of privacy-type properties in cryptographic protocols
A process algebraic analysis of privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Saturday, September 6th, 2014 S. Delaune (LSV) Verification of cryptographic
More informationVerifying security protocols with ProVerif and StatVerif
Verifying security protocols with ProVerif and StatVerif Mark D. Ryan University of Birmingham FOSAD summer school, Bertinoro, Italy 3 7 September 2012 L1: Security protocols and verification L2: ProVerif
More informationAnalysing privacy-type properties in cryptographic protocols
Analysing privacy-type properties in cryptographic protocols Stéphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, January 14th, 2015 S. Delaune (LSV) Verification of cryptographic protocols 14th
More informationA Short Tutorial on Proverif
A Short Tutorial on Proverif Alfredo Pironti and Riccardo Sisto Politecnico di Torino, Italy Cryptoforma Meeting, Apr 8, 2010 1 Outline PART 1: how the tool works (Riccardo Sisto) Context: Abstract modelling
More informationFormal analysis of protocols based on TPM state registers
Formal analysis of protocols based on TPM state registers Stéphanie Delaune and Steve Kremer and Mark D. Ryan and Graham Steel LSV, ENS Cachan & CNRS & INRIA Saclay Île-de-France School of Computer Science,
More informationExtending ProVerif s Resolution Algorithm for Verifying Group Protocols
Extending ProVerif s Resolution Algorithm for Verifying Group Protocols Miriam Paiola miriam.paiola@ens.fr Ecole Normale Supérieure June 25, 2010 Extending ProVerif s Resolution Algorithm, for Verifying
More informationVerification of the TLS Handshake protocol
Verification of the TLS Handshake protocol Carst Tankink (0569954), Pim Vullers (0575766) 20th May 2008 1 Introduction In this text, we will analyse the Transport Layer Security (TLS) handshake protocol.
More informationState and Protocols: The Envelope Example
State and Protocols: The Envelope Example rigorous design for protocols using state Daniel J. Dougherty and Joshua D. Guttman Worcester Polytechnic Institute Thanks to: National Science Foundation (Grant
More informationGroup Diffie Hellman Protocols and ProVerif
Group Diffie Hellman Protocols and ProVerif CS 395T - Design and Analysis of Security Protocols Ankur Gupta Secure Multicast Communication Examples: Live broadcast of a match, stock quotes, video conferencing.
More informationLecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography
CS 7880 Graduate Cryptography September 10, 2015 Lecture 1: Perfect Secrecy and Statistical Authentication Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Definition of perfect secrecy One-time
More informationApplied pi calculus. Mark D. Ryan and Ben Smyth. School of Computer Science, University of Birmingham, United Kingdom
Applied pi calculus Mark D. Ryan and Ben Smyth School of Computer Science, University of Birmingham, United Kingdom July 2010 Revised: November 2010, March 2011 Abstract The applied pi calculus is a language
More informationLecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics
0368.4162: Introduction to Cryptography Ran Canetti Lecture 11 12th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics Introduction to cryptographic protocols Commitments 1 Cryptographic
More informationExtending Dolev-Yao with Assertions
Extending Dolev-Yao with Assertions Vaishnavi Sundararajan Chennai Mathematical Institute FOSAD 2015 August 31, 2015 (Joint work with R Ramanujam and S P Suresh) Vaishnavi S Extending Dolev-Yao with Assertions
More informationApplied pi calculus. Mark D. Ryan and Ben Smyth. School of Computer Science, University of Birmingham, United Kingdom
Applied pi calculus Mark D. Ryan and Ben Smyth School of Computer Science, University of Birmingham, United Kingdom July 2010 Revised: November 2010, March 2011, November 2012, March 2013. Abstract The
More informationAutomated Analysis of Security Protocols with Global State
Automated Analysis of Security Protocols with Global State Steve Kremer, Robert Künnemann To cite this version: Steve Kremer, Robert Künnemann. Automated Analysis of Security Protocols with Global State.
More informationAn Efficient Cryptographic Protocol Verifier Based on Prolog Rules
An Efficient Cryptographic Protocol Verifier Based on Prolog Rules Bruno Blanchet INRIA Rocquencourt Domaine de Voluceau B.P. 105 78153 Le Chesnay Cedex, France Bruno.Blanchet@inria.fr Abstract We present
More informationComplexity of automatic verification of cryptographic protocols
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic
More informationAutomated Verification of Privacy in Security Protocols:
Automated Verification of Privacy in Security Protocols: Back and Forth Between Theory & Practice LSV, ENS Paris-Saclay, Université Paris-Saclay, CNRS April 21st 2017 PhD advisors: David Baelde & Stéphanie
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationVerification of Security Protocols in presence of Equational Theories with Homomorphism
Verification of Security Protocols in presence of Equational Theories with Homomorphism Stéphanie Delaune France Télécom, division R&D, LSV CNRS & ENS Cachan February, 13, 2006 Stéphanie Delaune (FT R&D,
More informationA Calculus for Control Flow Analysis of Security Protocols
International Journal of Information Security manuscript No. (will be inserted by the editor) A Calculus for Control Flow Analysis of Security Protocols Mikael Buchholtz, Hanne Riis Nielson, Flemming Nielson
More informationA Computationally Complete Symbolic Attacker for Equivalence Properties
A Computationally Complete Symbolic Attacker for Equivalence Properties ABSTRACT Gergei Bana INRIA Paris-Rocquencourt Paris, France bana@math.upenn.edu We consider the problem of computational indistinguishability
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationCryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris March 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif March
More informationAutomated Analysis of the Security of XOR-Based Key Management Schemes
Automated Analysis of the Security of XOR-Based Key Management Schemes Véronique Cortier, Gavin Keighren, Graham Steel E H U N I V E R S I T Y T O H F R G E D I N B U 1 Automated Teller Machines 2 3 Criticality
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Previously on COS 433 Takeaway: Crypto is Hard Designing crypto is hard, even experts get it wrong Just because I don t know
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationMASTER S THESIS FROM FORMAL TO COMPUTATIONAL AUTHENTICITY DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY
DISTRIBUTED AND EMBEDDED SYSTEMS DEPARTMENT OF COMPUTER SCIENCE AALBORG UNIVERSITY MASTER S THESIS MICHAEL GARDE FROM FORMAL TO COMPUTATIONAL AUTHENTICITY AN APPROACH FOR RECONCILING FORMAL AND COMPUTATIONAL
More informationLecture 9 - Symmetric Encryption
0368.4162: Introduction to Cryptography Ran Canetti Lecture 9 - Symmetric Encryption 29 December 2008 Fall 2008 Scribes: R. Levi, M. Rosen 1 Introduction Encryption, or guaranteeing secrecy of information,
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Announcements Reminder: Homework 1 due tomorrow 11:59pm Submit through Blackboard Homework 2 will hopefully be posted tonight
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationA Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols
ASIAN 07 A Formal Analysis for Capturing Replay Attacks in Cryptographic s Han Gao 1, Chiara Bodei 2, Pierpaolo Degano 2, Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University
More informationNotes on BAN Logic CSG 399. March 7, 2006
Notes on BAN Logic CSG 399 March 7, 2006 The wide-mouthed frog protocol, in a slightly different form, with only the first two messages, and time stamps: A S : A, {T a, B, K ab } Kas S B : {T s, A, K ab
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationPractical everlasting privacy
Practical everlasting privacy Myrto Arapinis 1, Véronique Cortier 2, Steve Kremer 2, and Mark Ryan 1 1 School of Computer Science, University of Birmingham 2 LORIA, CNRS, France Abstract. Will my vote
More informationStrand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001
Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationFrom the Applied Pi Calculus to Horn Clauses for Protocols with Lists
From the Applied Pi Calculus to Horn Clauses for Protocols with Lists Miriam Paiola, Bruno Blanchet To cite this version: Miriam Paiola, Bruno Blanchet. From the Applied Pi Calculus to Horn Clauses for
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationAnalyzing Security Protocols with Secrecy Types and Logic Programs
Analyzing Security Protocols with Secrecy Types and Logic Programs Martín Abadi Computer Science Department University of California, Santa Cruz abadi@cs.ucsc.edu Bruno Blanchet Département d Informatique
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationCPSA and Formal Security Goals
CPSA and Formal Security Goals John D. Ramsdell The MITRE Corporation CPSA Version 2.5.1 July 8, 2015 Contents 1 Introduction 3 2 Syntax 6 3 Semantics 8 4 Examples 10 4.1 Needham-Schroeder Responder.................
More informationA Logic of Authentication
A Logic of Authentication by Burrows, Abadi, and Needham Presented by Adam Schuchart, Kathryn Watkins, Michael Brotzman, Steve Bono, and Sam Small Agenda The problem Some formalism The goals of authentication,
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationCryptographic Hash Functions
Cryptographic Hash Functions Çetin Kaya Koç koc@ece.orst.edu Electrical & Computer Engineering Oregon State University Corvallis, Oregon 97331 Technical Report December 9, 2002 Version 1.5 1 1 Introduction
More informationAnalysing Layered Security Protocols
Analysing Layered Security Protocols Thomas Gibson-Robinson St Catherine s College University of Oxford A thesis submitted for the degree of Doctor of Philosophy Trinity 2013 Abstract Many security protocols
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #6 Sep 8 th 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Quiz #1 later today Still some have not signed up for class mailing list Perhaps
More informationMcBits: Fast code-based cryptography
McBits: Fast code-based cryptography Peter Schwabe Radboud University Nijmegen, The Netherlands Joint work with Daniel Bernstein, Tung Chou December 17, 2013 IMA International Conference on Cryptography
More informationFrom NewHope to Kyber. Peter Schwabe April 7, 2017
From NewHope to Kyber Peter Schwabe peter@cryptojedi.org https://cryptojedi.org April 7, 2017 In the past, people have said, maybe it s 50 years away, it s a dream, maybe it ll happen sometime. I used
More informationCryptography CS 555. Topic 25: Quantum Crpytography. CS555 Topic 25 1
Cryptography CS 555 Topic 25: Quantum Crpytography CS555 Topic 25 1 Outline and Readings Outline: What is Identity Based Encryption Quantum cryptography Readings: CS555 Topic 25 2 Identity Based Encryption
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationModels and analysis of security protocols 1st Semester Security Protocols Lecture 6
Models and analysis of security protocols 1st Semester 2010-2011 Security Protocols Lecture 6 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 18th 2010 1 / 46 Last Time (I) Symmetric
More informationCryptographic Solutions for Data Integrity in the Cloud
Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. Homomorphic
More informationEncoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania
Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationAPPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.
APPLITIONS OF AN-LOGIC JAN WESSELS CMG FINANCE.V. APRIL 19, 2001 Chapter 1 Introduction This document is meant to give an overview of the AN-logic. The AN-logic is one of the methods for the analysis of
More informationVerification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method
Verification of a Diffie-Hellman Password-based Authentication Protocol by Extending the Inductive Method Pasquale Noce Security Certification Specialist at Arjo Systems, Italy pasquale dot noce dot lavoro
More informationEntity Authentication
Entity Authentication Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie? α k The
More informationModeling and Verifying Ad Hoc Routing Protocols
Modeling and Verifying Ad Hoc Routing Protocols Mathilde Arnaud, Véronique Cortier and Stéphanie Delaune LORIA, CNRS & INRIA Nancy Grand Est, France Email: cortier@loria.fr LSV, ENS Cachan & CNRS & INRIA
More informationOrdinary Math in Everyday Life. Jesse Walker, Ph.D. Intel Corporation Intel Labs Security and Privacy Research
Ordinary Math in Everyday Life Jesse Walker, Ph.D. Intel Corporation Intel Labs Security and Privacy Research jesse.walker@intel.com 1 Academia v. Industry Academic math is like fine dining Industrial
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationIdentity Authentication and Secrecy in the πcalculus and Prolog
Wesleyan University The Honors College Identity Authentication and Secrecy in the πcalculus and Prolog by Stefan Sundseth A thesis submitted to the faculty of Wesleyan University in partial fulfillment
More informationAutomatic, computational proof of EKE using CryptoVerif
Automatic, computational proof of EKE using CryptoVerif (Work in progress) Bruno Blanchet blanchet@di.ens.fr Joint work with David Pointcheval CNRS, École Normale Supérieure, INRIA, Paris April 2010 Bruno
More informationGreat Theoretical Ideas in Computer Science
15-251 Great Theoretical Ideas in Computer Science Lecture 22: Cryptography November 12th, 2015 What is cryptography about? Adversary Eavesdropper I will cut your throat I will cut your throat What is
More informationCommunication security: Formal models and proofs
Commnication secrity: Formal models and proofs Hbert Comon September 1, 2016 1 Introdction to protocol secrity The context (I) credit cards contactless cards telephones online transactions cars, fridges,...
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationMSR by Examples. Iliano Cervesato. ITT Industries, NRL Washington DC.
MSR by Examples Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ PPL 01 March 21 st, 2001 Outline I. Security Protocols II. MSR by Examples
More informationAutomata-based analysis of recursive cryptographic protocols
1 Automata-based analysis of recursive cryptographic protocols Thomas Wilke Joint work with Ralf Küsters Christian-Albrechts-Universität zu Kiel June 13, 2004 Un-/Decidability of security in the DY model
More informationarxiv: v1 [cs.cr] 27 May 2016
Towards the Automated Verification of Cyber-Physical Security Protocols: Bounding the Number of Timed Intruders Vivek Nigam 1, Carolyn Talcott 2 and Abraão Aires Urquiza 1 arxiv:1605.08563v1 [cs.cr] 27
More informationFormal Models and Techniques for Analyzing Security Protocols: A Tutorial
Foundations and Trends R in Programming Languages Vol. 1, No. 3 (2014) 151 267 c 2014 V. Cortier and S. Kremer DOI: 10.1561/2500000001 Formal Models and Techniques for Analyzing Security Protocols: A Tutorial
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationA Cryptographic Decentralized Label Model
A Cryptographic Decentralized Label Model Jeffrey A. Vaughan and Steve Zdancewic Department of Computer and Information Science University of Pennsylvania IEEE Security and Privacy May 22, 2007 Information
More informationCPSC 467b: Cryptography and Computer Security
Outline Authentication CPSC 467b: Cryptography and Computer Security Lecture 18 Michael J. Fischer Department of Computer Science Yale University March 29, 2010 Michael J. Fischer CPSC 467b, Lecture 18
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationLeakage Resilient ElGamal Encryption
Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More informationAutomated Verification of Selected Equivalences for Security Protocols
Automated Verification of Selected Equivalences for Security Protocols Bruno Blanchet CNRS, École Normale Supérieure, Paris Martín Abadi University of California, Santa Cruz Cédric Fournet Microsoft Research,
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationMinimal Design for Decentralized Wallet. Omer Shlomovits
Minimal Design for Decentralized Wallet Omer Shlomovits 1 !2 Motivation Imagine we had a private key management system where: No single point of failure Move of assets (signing) cannot happen without Owner
More informationPrivate Authentication
Private Authentication Martín Abadi University of California at Santa Cruz Cédric Fournet Microsoft Research Abstract Frequently, communication between two principals reveals their identities and presence
More informationProving Security Protocols Correct. Lawrence C. Paulson Computer Laboratory
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationPERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY
PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY BURTON ROSENBERG UNIVERSITY OF MIAMI Contents 1. Perfect Secrecy 1 1.1. A Perfectly Secret Cipher 2 1.2. Odds Ratio and Bias 3 1.3. Conditions for Perfect
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationCryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography
Cryptography CS 555 Topic 22: Number Theory/Public Key-Cryptography 1 Exam Recap 2 Exam Recap Highest Average Score on Question Question 4: (Feistel Network with round function f(x) = 0 n ) Tougher Questions
More informationComposition of Password-based Protocols
Composition of Password-based Protocols Stéphanie Delaune LSV, ENS Cachan & CNRS & INRIA France Mark Ryan School of Computer Science Birmingham University, UK Steve Kremer LSV, ENS Cachan & CNRS & INRIA
More informationControl Flow Analysis of Security Protocols (I)
Control Flow Analysis of Security Protocols (I) Mikael Buchholtz 02913 F2005 Mikael Buchholtz p. 1 History of Protocol Analysis Needham-Schroeder 78 Dolev-Yao 81 Algebraic view of cryptography 02913 F2005
More information