Control Flow Analysis of Security Protocols (I)
1 Control Flow Analysis of Security Protocols (I)
Mikael Buchholtz
F2005 Mikael Buchholtz p. 1
2 History of Protocol Analysis
Needham-Schroeder 78
Dolev-Yao 81: algebraic view of cryptography
State/transition model: Millen 84, Meadows 89, ...
Modal logics: Burrows-Abadi-Needham 89, ...
Language-based: Woo-Lam 93, ..., LySa
Model checking of CSP: Lowe 95
Strand Spaces: Thayer-Herzog-Guttman 98
Probabilistic/complexity-theoretic view of cryptography: Herzog 03, Zunino-Degano 04
8 Analysing a Protocol [Bodei-Buchholtz-Degano-Nielson-Nielson 04]
1. Write the protocol in the process calculus LySa
2. Specify an attacker
3. Analyse the protocol and the attacker using control flow analysis
4. Inspect the analysis result to determine (security) properties of the protocol
9 LySa for Symmetric Cryptography
E ::= n                                                  name (n ∈ N)
    | x                                                  variable (x ∈ X)
    | {E1, ..., Ek}_E0                                   encryption
P ::= ⟨E1, ..., Ek⟩.P                                    output
    | (E1, ..., Ej; xj+1, ..., xk).P                     input (with matching)
    | decrypt E as {E1, ..., Ej; xj+1, ..., xk}_E0 in P  decryption (with matching)
    | P1 | P2                                            parallel composition
    | (ν n)P                                             introduce new name n
    | !P                                                 replication
    | 0                                                  terminated process
10 The Wide-mouthed-frog Protocol (without timestamps) [Burrows-Abadi-Needham 89]
1. A → S : A, {B, K_AB}_K_A
2. S → B : {A, K_AB}_K_B
3. A → B : {mess}_K_AB
[Diagram: A (holding K_A) and B (holding K_B) communicate with the server S over the network; the three messages are shown in turn.]
14 Semantics
LySa has a reduction semantics defined by two relations:
P → P'   the reduction relation
P ≡ P'   the structural congruence
(A parameterised reduction relation P →_R P' is used in the paper.)
15 Reduction Relation P → P'
[Diagram labelled Executions.]
17 Reduction Relation P → P'
P → P'  ⇒  (ν n)P → (ν n)P'
∧_{i=1}^{j} E_i = E'_i  ⇒  ⟨E1, ..., Ek⟩.P | (E'1, ..., E'j; xj+1, ..., xk).Q  →  P | Q[Ej+1/xj+1, ..., Ek/xk]
P → P'  ⇒  P | Q → P' | Q
18 Structural Congruence
The structural congruence, P ≡ Q, brings processes on the right form for the reduction relation:
P ≡ Q,  Q → Q',  Q' ≡ P'  ⇒  P → P'
19 Structural Congruence (congruence rules)
P ≡ P
P1 ≡ P2  ⇒  P2 ≡ P1
P1 ≡ P2,  P2 ≡ P3  ⇒  P1 ≡ P3
P1 ≡ P2  ⇒  ⟨E1, ..., Ek⟩.P1 ≡ ⟨E1, ..., Ek⟩.P2
P1 ≡ P2  ⇒  (E1, ..., Ej; xj+1, ..., xk).P1 ≡ (E1, ..., Ej; xj+1, ..., xk).P2
P1 ≡ P2,  P3 ≡ P4  ⇒  P1 | P3 ≡ P2 | P4
P1 ≡ P2  ⇒  (ν n)P1 ≡ (ν n)P2
P1 ≡ P2  ⇒  !P1 ≡ !P2
P1 ≡ P2  ⇒  decrypt E as {E1, ..., Ej; xj+1, ..., xk}_E0 in P1 ≡ decrypt E as {E1, ..., Ej; xj+1, ..., xk}_E0 in P2
20 Structural Congruence (axioms)
P1 ≡ P2  if P1 and P2 are disciplined α-equivalent
P1 | P2 ≡ P2 | P1
(P1 | P2) | P3 ≡ P1 | (P2 | P3)
P | 0 ≡ P
(ν n)0 ≡ 0
(ν n)(ν n')P ≡ (ν n')(ν n)P
(ν n)(P1 | P2) ≡ P1 | (ν n)P2  if n ∉ fn(P1)
!P ≡ P | !P
21 The Semantics at Work
((ν n)⟨n⟩.0) | (; x).⟨n, x⟩.0
≡ ((ν m)⟨m⟩.0) | (; x).⟨n, x⟩.0
≡ (ν m)(⟨m⟩.0 | (; x).⟨n, x⟩.0)
→ (ν m)(0 | ⟨n, m⟩.0)
≡ 0 | (ν m)⟨n, m⟩.0
≡ (ν m)⟨n, m⟩.0
25 Algebraic View of Cryptography
For example, to model encryption [Dolev-Yao 81]: encrypt as E_K(P) and decrypt as D_K(C) such that
D_K(E_K(m)) = m
and nothing else.
26 Symmetric Cryptography in LySa
Encryption:  {E1, ..., Ek}_E0
Decryption:  decrypt E as {E1, ..., Ej; xj+1, ..., xk}_E0 in P
Semantics models perfect cryptography:
∧_{i=0}^{j} E_i = E'_i  ⇒  decrypt {E1, ..., Ek}_E0 as {E'1, ..., E'j; xj+1, ..., xk}_E'0 in P  →  P[Ej+1/xj+1, ..., Ek/xk]
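Added example (not code from the slides or the LySatool): a toy Python interpreter for the symmetric fragment of LySa implementing the reduction rules above, that is pattern-matching communication, decryption under perfect cryptography (no step unless the key and the matched components agree) and restriction by disciplined α-renaming to fresh names. It explores every interleaving of the wide-mouthed-frog encoding from slide 10 and so also shows that, because B's first input (; y) accepts any one-component message, B can receive message 3 first, after which its decryption with K_B never reduces. The tagged-tuple encoding, the variable names and the marker output B_got are this example's own.

```python
"""Toy interpreter for the symmetric fragment of LySa (an added example, not
the LySatool).  Names are str, variables Var, ciphertexts Enc; sequential
processes are tagged tuples and every interleaving is explored."""
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Var:                 # a variable, bound by an input or a decrypt
    name: str

@dataclass(frozen=True)
class Enc:                 # {E1,...,Ek}_{E0}
    body: tuple
    key: object

# Processes: ("out", Es, P) is <E1,..,Ek>.P; ("in", Es, xs, P) is
# (E1,..,Ej; xj+1,..,xk).P; ("dec", E, Es, xs, E0, P) is decrypt E as
# {E1,..,Ej; x..}_{E0} in P; ("new", n, P); ("par", Ps); ("nil",).
# Tags are reserved words (never names); variable names are assumed distinct.
NIL = ("nil",)
fresh = count(1)

def subst(t, s):
    """Apply s (name or Var -> term) throughout a term or process."""
    if isinstance(t, (str, Var)):
        return s.get(t, t)
    if isinstance(t, Enc):
        return Enc(subst(t.body, s), subst(t.key, s))
    return tuple(subst(x, s) for x in t)

def flatten(p, procs):
    """Unfold | into procs.  (nu n)P is disciplined alpha-renaming of n to a
    unique n_i, so the scope of a restriction never has to be tracked."""
    if p[0] == "par":
        for q in p[1]:
            flatten(q, procs)
    elif p[0] == "new":
        flatten(subst(p[2], {p[1]: f"{p[1]}_{next(fresh)}"}), procs)
    elif p[0] != "nil":
        procs.append(p)

def match(pattern, binders, values):
    """Matching of input and decrypt: the first j values must equal the
    pattern terms, the remaining k-j values are bound to the variables."""
    j = len(pattern)
    if len(values) != j + len(binders) or tuple(values[:j]) != tuple(pattern):
        return None
    return dict(zip(binders, values[j:]))

def replace(cfg, drop, *new):
    """cfg with the processes at indices drop replaced by new; kept sorted so
    interleavings reaching the same multiset of processes compare equal."""
    rest = [p for i, p in enumerate(cfg) if i not in drop]
    for q in new:
        flatten(q, rest)
    return tuple(sorted(rest, key=repr))

def steps(cfg):
    """All configurations reachable from cfg by one reduction step."""
    nxt = []
    for i, p in enumerate(cfg):
        if p[0] == "dec" and isinstance(p[1], Enc):
            _, e, pat, xs, key, cont = p
            # perfect cryptography: key and first j components must match
            s = match((key,) + pat, xs, (e.key,) + e.body)
            if s is not None:
                nxt.append(replace(cfg, {i}, subst(cont, s)))
        elif p[0] == "out":
            for k, q in enumerate(cfg):    # any input whose pattern fits
                if q[0] == "in" and (s := match(q[1], q[2], p[1])) is not None:
                    nxt.append(replace(cfg, {i, k}, p[2], subst(q[3], s)))
    return nxt

def run(p):
    """Explore every interleaving of p; return its terminal configurations."""
    global fresh
    fresh = count(1)
    todo, seen, finals = [replace((), (), p)], set(), set()
    while todo:
        cfg = todo.pop()
        if cfg in seen:
            continue
        seen.add(cfg)
        succ = steps(cfg)
        if not succ:
            finals.add(cfg)
        todo.extend(succ)
    return finals

# Wide-mouthed-frog without timestamps, as on the slides.  B ends with a
# marker output B_got (not a protocol message) announcing the plaintext it
# recovered, so the outcome of a run is visible in the terminal configuration.
x, xk, y, yk, z, zm = (Var(v) for v in "x xk y yk z zm".split())
A = ("out", ("A", Enc(("B", "K_AB"), "K_A")),
     ("out", (Enc(("mess",), "K_AB"),), NIL))
S = ("in", ("A",), (x,),
     ("dec", x, ("B",), (xk,), "K_A",
      ("out", (Enc(("A", xk), "K_B"),), NIL)))
B = ("in", (), (y,),
     ("dec", y, ("A",), (yk,), "K_B",
      ("in", (), (z,),
       ("dec", z, (), (zm,), yk, ("out", ("B_got", zm), NIL)))))
WMF = ("par", (A, S, B))
```

run(WMF) returns two terminal configurations: one holding only the marker ⟨B_got, mess⟩, and one in which B is stuck on a decrypt of {mess}_K_AB under K_B while S's message 2 lies unread.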
27 Asymmetric Cryptography in LySa
Keys:        (ν± m)P introduces two keys m+, m− in P
Encryption:  {|E1, ..., Ek|}_E0
Decryption:  decrypt E as {|E1, ..., Ej; xj+1, ..., xk|}_E0 in P
28 Asymmetric Cryptography in LySa
Decryption with private key:
∧_{i=1}^{j} E_i = E'_i  ⇒  decrypt {|E1, ..., Ek|}_m+ as {|E'1, ..., E'j; xj+1, ..., xk|}_m− in P  →  P[Ej+1/xj+1, ..., Ek/xk]
Signature validation with public key:
∧_{i=1}^{j} E_i = E'_i  ⇒  decrypt {|E1, ..., Ek|}_m− as {|E'1, ..., E'j; xj+1, ..., xk|}_m+ in P  →  P[Ej+1/xj+1, ..., Ek/xk]
(In the paper these two rules are merged into one.)
29 Asymmetric Cryptography in LySa
E ::= ...
    | m+, m−                                               public and private keys
    | {|E1, ..., Ek|}_E0                                   asymmetric encryption
P ::= ...
    | (ν± m)P                                              key pair creation
    | decrypt E as {|E1, ..., Ej; xj+1, ..., xk|}_E0 in P  asymmetric decryption
30 The Analysis
[Diagram labelled Analysis and Executions.]
33 Analysis Components
Network messages:   κ ⊆ P(V*)
Variable bindings:  ρ : X → P(V)
where values from V are variable-free terms, i.e.
V ::= n | {V1, ..., Vk}_V0 | {|V1, ..., Vk|}_V0
Example
⟨A, B, {mess}_K⟩.0 | (A, B; x).0
⟨A, B, {mess}_K⟩ ∈ κ      {mess}_K ∈ ρ(x)
34 Analysis Judgements
ρ, κ ⊨ P   reads: ρ and κ are valid analysis estimates for P
Example
P1 ≝ ⟨A⟩.0 | (; x).0
P2 ≝ ⟨A, B⟩.0 | (B; x).0
κa = {⟨A, B⟩}    ρa = [x ↦ ∅]
κb = {⟨A⟩}       ρb = [x ↦ {A}]
κc = {⟨A, B⟩}    ρc = [x ↦ {A, B}]
35 Analysing Restriction
!(ν n)⟨n⟩.0  ≡  (ν m)⟨m⟩.0 | (ν o)⟨o⟩.0 | (ν p)⟨p⟩.0 | (ν q)⟨q⟩.0 | (ν r)⟨r⟩.0 | ... | !(ν n)⟨n⟩.0
Each name, n, is assigned a canonical name ⌊n⌋.
The semantics uses disciplined α-equivalence: (ν n)P is α-equivalent to (ν n')P and ⌊n⌋ = ⌊n'⌋.
For example ⌊m⌋ = ⌊o⌋ = ⌊p⌋ = ⌊q⌋ = ⌊r⌋ = ... = ⌊n⌋
38 Canonical Names and Variables
Network messages:   κ ⊆ P(⌊V⌋*)
Variable bindings:  ρ : ⌊X⌋ → P(⌊V⌋)
Example
(!(ν n)⟨n, n⟩.0) | (!(; x, y).0)
≡ (!(ν n)⟨n, n⟩.0) | (!(; x, y).0) | (ν n1)⟨n1, n1⟩.0 | (; x1, y1).0
≡ (!(ν n)⟨n, n⟩.0) | (!(; x, y).0) | (ν n1)⟨n1, n1⟩.0 | (; x1, y1).0 | (ν n2)⟨n2, n2⟩.0 | (; x2, y2).0
≡ ...
but ⌊n⌋ = ⌊n1⌋ = ⌊n2⌋ = ...
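Added example (not the LySatool): a small fixpoint solver in Python that computes the least κ and ρ for a LySa process and checks a candidate estimate for ρ, κ ⊨ P. The rules it enforces are my rendering of the flow logic of [Bodei-Buchholtz-Degano-Nielson-Nielson 04] (output, input and decrypt with matching, every name standing for its own canonical name); the tagged-tuple process encoding and the example constants are this example's own. It answers which of κa/ρa, κb/ρb, κc/ρc from slide 34 are valid for P1 and P2, reproduces the slide 33 example, and shows the replicated process of slide 38 yielding a finite estimate.

```python
"""Least control flow analysis estimate (kappa, rho) for the symmetric
fragment of LySa: an added example, not the LySatool.  The rules are my
rendering of the flow logic of [Bodei-Buchholtz-Degano-Nielson-Nielson 04]:
a term evaluates to a set of values; an output puts every tuple it can send
into kappa; an input (decrypt) binds, for every tuple in kappa (every value
of the decrypted term) whose first j components match, the rest to rho(x)."""
from collections import namedtuple
from itertools import product

Var = namedtuple("Var", "name")            # variable x
Enc = namedtuple("Enc", "body key")        # {E1,...,Ek}_{E0}, term or value
NIL = ("nil",)
# Processes: ("out", Es, P)  ("in", Es, xs, P)  ("dec", E, Es, xs, E0, P)
# ("new", n, P)  ("rep", P)  ("par", Ps)  ("nil",).  A name is a str and
# already denotes its canonical name |_n_|, so restriction and replication
# add no constraints of their own; this is what keeps the estimate finite.

def values(E, rho):
    """Set of canonical values the term E may evaluate to under rho."""
    if isinstance(E, Var):
        return set(rho.get(E, ()))
    if isinstance(E, Enc):
        parts = [values(e, rho) for e in (E.key,) + E.body]
        return {Enc(vs[1:], vs[0]) for vs in product(*parts)}
    return {E}

def bind(rho, xs, vs):
    """Add v_i to rho(x_i); True if anything was new."""
    changed = False
    for x, v in zip(xs, vs):
        if v not in rho.setdefault(x, set()):
            rho[x].add(v)
            changed = True
    return changed

def step(P, kappa, rho):
    """Enforce every analysis rule in P once; True if kappa or rho grew."""
    tag, changed = P[0], False
    if tag == "nil":
        return False
    if tag == "par":
        return any([step(Q, kappa, rho) for Q in P[1]])
    if tag == "out":
        for vs in product(*(values(e, rho) for e in P[1])):
            if vs not in kappa:
                kappa.add(vs)
                changed = True
    elif tag in ("in", "dec"):
        if tag == "in":
            cands, pats, xs = kappa, [values(e, rho) for e in P[1]], P[2]
        else:                                  # perfect cryptography: the
            _, E, Es, xs, E0, _ = P            # key must be known as well
            cands = [(v.key,) + v.body for v in values(E, rho)
                     if isinstance(v, Enc)]
            pats = [values(E0, rho)] + [values(e, rho) for e in Es]
        j = len(pats)
        for vs in list(cands):
            if len(vs) == j + len(xs) and all(v in s for s, v in zip(pats, vs)):
                changed |= bind(rho, xs, vs[j:])
    rest = step(P[-1], kappa, rho)             # continuation (body of new/rep)
    return changed or rest

def analyse(P):
    """Least rho, kappa |= P, by iterating step() to a fixpoint."""
    kappa, rho = set(), {}
    while step(P, kappa, rho):
        pass
    return kappa, rho

def valid(P, kappa, rho):
    """rho, kappa |= P holds iff the rules add nothing to a copy."""
    return not step(P, set(kappa), {v: set(s) for v, s in rho.items()})

# Slide 33: the ciphertext {mess}_K flows into rho(x).
x, y = Var("x"), Var("y")
P0 = ("par", (("out", ("A", "B", Enc(("mess",), "K")), NIL),
              ("in", ("A", "B"), (x,), NIL)))
# Slide 34: which of the estimates a, b, c are valid for P1 and for P2?
P1 = ("par", (("out", ("A",), NIL), ("in", (), (x,), NIL)))
P2 = ("par", (("out", ("A", "B"), NIL), ("in", ("B",), (x,), NIL)))
ESTIMATES = {"a": ({("A", "B")}, {x: set()}),
             "b": ({("A",)}, {x: {"A"}}),
             "c": ({("A", "B")}, {x: {"A", "B"}})}
# Slide 38: replication and restriction stay finite under canonical names.
P3 = ("par", (("rep", ("new", "n", ("out", ("n", "n"), NIL))),
              ("rep", ("in", (), (x, y), NIL))))
```

analyse(P1) returns exactly (κb, ρb); for P2 both (κa, ρa) and the over-approximating (κc, ρc) are valid while (κb, ρb) is not, and analyse(P3) gives κ = {⟨n, n⟩} with ρ(x) = ρ(y) = {n} despite the unbounded unfolding.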
42 The Analysis
[Diagram labelled Analysis (n_i) and Executions (n1, n2, n3).]
44 Protocol Scenarios
[Diagram: A, S and B connected through the network; the attacker M is attached to the same network.]
In LySa:  A | B | S | M
where A | B | S is the legitimate part of the system and M is the attacker.
We write the legitimate part of the system; the attacker will be handled using the analysis.
47 Protocol Scenarios
[Diagram: A with key K_A and B with key K_B, the server S and the attacker M on the network.]
[Diagram: many principals A1, A2, A3, ..., Ai with keys K_A1, ..., K_Ai and B1, B2, B3, ..., Bi with keys K_B1, ..., K_Bi, the server S and the attacker M on the network.]
50 Meta Level
E ::= n_{i1...ik}             indexed names
    | x_{i1...ik}             indexed variables
    | ...
P ::= ...
    | |_{i∈S} P               indexed parallel
    | (ν_{i∈S} n_i)P          indexed restriction
    | (ν±_{i∈S} n_i)P         indexed key pair restriction
    | let X ⊆ S in P          declare set
Example
|_{i∈{1,2,3}} ⟨mess_i⟩.0  ≡  ⟨mess_1⟩.0 | ⟨mess_2⟩.0 | ⟨mess_3⟩.0
51 Analysing a Protocol
1. Write the protocol in the process calculus LySa
2. Specify an attacker
3. Analyse the protocol and the attacker using control flow analysis
4. Inspect the analysis result to determine (security) properties of the protocol
52 For Next Time
Write one or two protocols from Appendix A of [BBDNN04] in LySa.
Things to consider:
The use of pattern matching
The use of restriction (ν n)P
Scenarios (number of principals, sharing keys, etc.)
To be presented on slides next time: starting 9.30! (February 18th)
(Try to parse your LySa through the LySatool?)
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationAn Efficient Cryptographic Protocol Verifier Based on Prolog Rules
An Efficient Cryptographic Protocol Verifier Based on Prolog Rules Bruno Blanchet INRIA Rocquencourt Domaine de Voluceau B.P. 105 78153 Le Chesnay Cedex, France Bruno.Blanchet@inria.fr Abstract We present
More informationA Semantics for a Logic of Authentication. Cambridge, MA : A; B
A Semantics for a Logic of Authentication (Extended Abstract) Martn Abadi Digital Equipment Corporation Systems Research Center 130 Lytton Avenue Palo Alto, CA 94301 ma@src.dec.com Abstract: Burrows, Abadi,
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationCS522 - Programming Language Semantics
1 CS522 - Programming Language Semantics Simply Typed Lambda Calculus Grigore Roşu Department of Computer Science University of Illinois at Urbana-Champaign 2 We now discuss a non-trivial extension of
More informationDeciding the Security of Protocols with Commuting Public Key Encryption
Electronic Notes in Theoretical Computer Science 125 (2005) 55 66 www.elsevier.com/locate/entcs Deciding the Security of Protocols with Commuting Public Key Encryption Yannick Chevalier a,1 Ralf Küsters
More informationAn Undecidability Result for AGh
An Undecidability Result for AGh Stéphanie Delaune France Télécom R&D, Lab. Spécification & Vérification, CNRS & ENS de Cachan, France. Abstract We present an undecidability result for the verification
More informationAn undecidability result for AGh
Theoretical Computer Science 368 (2006) 161 167 Note An undecidability result for AGh Stéphanie Delaune www.elsevier.com/locate/tcs France Télécom R&D, Lab. Spécification & Vérification, CNRS & ENS de
More informationCombining Intruder Theories
Combining Intruder Theories Yannick Chevalier, Michaël Rusinowitch 1 IRIT Université Paul Sabatier, France email: ychevali@irit.fr 2 LORIA-INRIA-Lorraine, France email: rusi@loria.fr Abstract. Most of
More informationOn the Automatic Analysis of Recursive Security Protocols with XOR
On the Automatic Analysis of Recursive Security Protocols with XOR Ralf Küsters 1 and Tomasz Truderung 2 1 ETH Zurich ralf.kuesters@inf.ethz.ch 2 University of Kiel, Wrocław University tomasz.truderung@ii.uni.wroc.pl
More informationA simple procedure for finding guessing attacks (Extended Abstract)
A simple procedure for finding guessing attacks (Extended Abstract) Ricardo Corin 1 and Sandro Etalle 1,2 1 Dept. of Computer Science, University of Twente, The Netherlands 2 CWI, Center for Mathematics
More informationLinear Congruences. The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence:
Linear Congruences The equation ax = b for a, b R is uniquely solvable if a 0: x = b/a. Want to extend to the linear congruence: ax b (mod m), a, b Z, m N +. (1) If x 0 is a solution then so is x k :=
More informationCourse 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography
Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2006 Contents 9 Introduction to Number Theory and Cryptography 1 9.1 Subgroups
More informationAthena: a New Efficient Automatic Checker for Security Protocol Analysis
Athena: a Ne Efficient Automatic Checker for Security Protocol Analysis Dan Xiaodong Song Computer Science Department Carnegie Mellon University 5000 Forbes Avenue, Pittsburgh, PA 15213 skyxd@cs.cmu.edu
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More information