a syntactic criterion for injectivity of authentication
play

A Syntactic Criterion for Injectivity of Authentication Protocols - PowerPoint PPT Presentation

Sep 27, 2023 •31 likes •391 views

A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with Sjouke Mauw and Erik de Vink ccremers@win.tue.nl Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p.

  1. A Syntactic Criterion for Injectivity of Authentication Protocols Cas Cremers joint work with Sjouke Mauw and Erik de Vink ccremers@win.tue.nl Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 1/22

  2. ECSS group Eindhoven Computer Science Security (ECSS) group Overview Motivation Goal: Problem statement To study the design and analysis of secure systems from a Security model fundamental point of view Main theorem Topics: Conclusions ■ Security protocol analysis ■ Multi-party protocols ■ Ad-hoc/sensor networks ■ Smartcard security ■ Attack trees ■ Digital Rights Management ■ RFID security ■ Privacy Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 2/22

  3. Overview ■ Motivation Overview ■ Problem statement Motivation ■ Main theorem Problem statement ■ Necessity of preconditions Security model ■ Conclusions Main theorem Conclusions Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 3/22

  4. Example: unilateral authentication protocol Overview Motivation pkR, skR pkR ● Example R I ● Replay attack ● Injectivity ● Fixed protocol nonce nR ● Nonces { I, nR } skR Problem statement Security model Main theorem Conclusions agree ( nR ) Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 4/22

  5. Example: unilateral authentication protocol Overview Motivation pkR, skR pkR ● Example R I ● Replay attack ● Injectivity ● Fixed protocol nonce nR ● Nonces { I, nR } skR Problem statement Security model Main theorem Conclusions agree ( nR ) Question: Does this protocol satisfy agreement? Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 4/22

  6. A replay attack Overview Motivation ● Example b ( R ) a ( I ) a ( I ) intruder ● Replay attack ● Injectivity ● Fixed protocol nonce nb ● Nonces { a, nb } skb Problem statement Security model learn { a, nb } skb Main theorem { a, nb } skb Conclusions agree ( nb ) agree ( nb ) Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 5/22

  7. A replay attack Overview Motivation ● Example b ( R ) a ( I ) a ( I ) intruder ● Replay attack ● Injectivity ● Fixed protocol nonce nb ● Nonces { a, nb } skb Problem statement Security model learn { a, nb } skb Main theorem { a, nb } skb Conclusions agree ( nb ) agree ( nb ) Question: How to fix this protocol? Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 5/22

  8. Fixed protocol should satisfy injectivity Each instance of an agent executing the authenticating role Overview corresponds to a unique instance of its communication partner Motivation ● Example running the responder role. ● Replay attack ● Injectivity ● Fixed protocol ● Nonces Problem statement Security model Main theorem Conclusions Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 6/22

  9. Non-injective authentication Overview Motivation ● Example ● Replay attack ● Injectivity ● Fixed protocol ● Nonces Problem statement Security model Main theorem Conclusions Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 7/22

  10. Non-injective authentication Overview Motivation ● Example ● Replay attack ● Injectivity ● Fixed protocol ● Nonces Problem statement Security model Main theorem Conclusions Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 7/22

  11. Injective authentication Overview Motivation ● Example ● Replay attack ● Injectivity ● Fixed protocol ● Nonces Problem statement Security model Main theorem Conclusions Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 8/22

  12. Injective authentication Overview Motivation ● Example ● Replay attack ● Injectivity ● Fixed protocol ● Nonces Problem statement Security model Main theorem Conclusions Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 8/22

  13. Fixing the injectivity problem Overview Motivation pkR, skR pkR ● Example R I ● Replay attack ● Injectivity ● Fixed protocol nonce nI ● Nonces Problem statement nI { I, nI } skR Security model Main theorem agree ( nI ) Conclusions Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 9/22

  14. Fixing the injectivity problem Overview Motivation pkR, skR pkR ● Example R I ● Replay attack ● Injectivity ● Fixed protocol nonce nI ● Nonces Problem statement nI { I, nI } skR Security model Main theorem agree ( nI ) Conclusions Question: What’s the general idea behind this fix? Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 9/22

  15. Fixing the injectivity problem Overview Motivation pkR, skR pkR ● Example R I ● Replay attack ● Injectivity ● Fixed protocol nonce nI ● Nonces Problem statement nI { I, nI } skR Security model Main theorem agree ( nI ) Conclusions Question: What’s the general idea behind this fix? Answer 1: By letting I control the nonce. Answer 2: By introducing a challenge-response mechanism from I via R back to I . (add a loop) Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 9/22

  16. Doesn’t a nonce suffice? Adding nonces does not trivially lead to injectivity. Overview Motivation ● Example pkR, skR pkR ● Replay attack ● Injectivity R I ● Fixed protocol ● Nonces nonce nI Problem statement nI Security model { I, g ( nI ) } skR Main theorem agree ( nI ) Conclusions Here, injectivity depends on the properties of the function g . Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 10/22

  17. Agreement over what? Sometimes roles have no shared value to determine injectivity Overview from ( I and S ?) Motivation ● Example ● Replay attack ● Injectivity skS skR, pkS pkR ● Fixed protocol S R I ● Nonces Problem statement nonce nI Security model I, R, S, nI Main theorem nonce nR Conclusions I, R, S, nR { nR, I, R } skS { I, S, nI } skR agree (?) Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 11/22

  18. Authentication Agreement Overview Upon successfully finishing a protocol session, parties Motivation agree on the values of (common) variables. Problem statement (G. Lowe) ● Authentication ● Problem statement Synchronization Security model Upon successfully finishing a protocol session, all Main theorem messages have been executed in intended order, with Conclusions intended contents. (Similar to Intensional Specifications, A.W. Roscoe) Synchronization is strictly stronger than agreement, but the differences are subtle. Both available in injective ( i - synch , i - agree ) and non-injective ( ni - synch ) variants. Claim: well-designed protocols satisfy both properties. Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 12/22

  19. Problem statement Find a generic and easy way to validate injectivity for Overview synchronizing protocols. Motivation Problem statement ● Authentication ● Problem statement Generic: Security model As few assumptions on the security model as possible. Main theorem Easy: Conclusions Statically decidable. Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 13/22

  20. Models for Security Protocols We require that the following two properties hold: Overview Motivation Intruder Model: Problem statement Intruder must have the ability to duplicate messages Security model ● Models ■ Satisfied by the standard Dolev-Yao model. Main theorem ■ No need to encrypt/decrypt. Conclusions Agent/Execution Model: Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 14/22

  21. Models for Security Protocols We require that the following two properties hold: Overview Motivation Intruder Model: Problem statement Intruder must have the ability to duplicate messages Security model ● Models ■ Satisfied by the standard Dolev-Yao model. Main theorem ■ No need to encrypt/decrypt. Conclusions Agent/Execution Model: Role instances must be independent: can be executed in any order ■ Satisfied by Strand Spaces, Operational Semantics. ■ No shared memory. (buffers/time) Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 14/22

  22. The LOOP property After the start of the authenticating role, but before it ends, Overview each involved role must have a read action and a send action. Motivation (As prescribed by the partial order on the protocol) Problem statement Security model Main theorem ● Loop property ● Main Theorem ● Loop ● Synchronization ● Indep. instances Conclusions ni - synch This protocol satisfies LOOP Cas Cremers, July 15, 2005 A Syntactic Criterion for Injectivity of Authentication Protocols - p. 15/22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NEW CRITERIA LABELS Criterion 1. Students Criterion 2. Program Educational Objectives Criterion

NEW CRITERIA LABELS Criterion 1. Students Criterion 2. Program Educational Objectives Criterion

NEW CRITERIA LABELS Criterion 1. Students Criterion 2. Program Educational Objectives Criterion 3. Student Outcomes Criterion 4. Continuous Improvement Criterion 5. Curriculum Criterion 6. Faculty Criterion 7. Facilities Criterion 8. Support

427 views • 27 slides
Injectivity of ordered and naturally ordered projection algebras Mojgan Mahmoudi (joint with Prof

Injectivity of ordered and naturally ordered projection algebras Mojgan Mahmoudi (joint with Prof

Injectivity of ordered and naturally ordered projection algebras Mojgan Mahmoudi (joint with Prof M.Mehdi Ebrahimi) Department of Mathematics Shahid Beheshti University TACL, 30th June 2017 Mojgan Mahmoudi (SBU) Injectivity of ordered

748 views • 64 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Outline Information Retrieval (IR) Syntactic IR Problems of Syntactic IR Semantic

Outline Information Retrieval (IR) Syntactic IR Problems of Syntactic IR Semantic

Fausto Giunchiglia, Uladzimir Kharkevich , Ilya Zaihrayeu Concept Search : Semantics Enabled Syntactic Search June 2nd, 2008, Tenerife, Spain 1 Outline Information Retrieval (IR) Syntactic IR Problems of Syntactic IR Semantic

736 views • 22 slides
Kan-injectivity and KZ-monads Lurdes Sousa IPV / CMUC July 10, 2018 Category Theory 2018,

Kan-injectivity and KZ-monads Lurdes Sousa IPV / CMUC July 10, 2018 Category Theory 2018,

Kan-injectivity and KZ-monads Lurdes Sousa IPV / CMUC July 10, 2018 Category Theory 2018, Azores, 8-14 July Kan-injectivity and KZ-monads 1 / 52 [A. Kock, Monads for which structures are adjoints to units, 1995]: -monads (lax

1.28k views • 96 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
A New Information Criterion A New Information Criterion for the Selection of Subspace Models for

A New Information Criterion A New Information Criterion for the Selection of Subspace Models for

1 A New Information Criterion A New Information Criterion for the Selection of Subspace Models for the Selection of Subspace Models Department of Computer Science, Tokyo Institute of Technology, Japan Masashi Sugiyama Hidemitsu Ogawa 2

380 views • 26 slides
Injectivity of Hermitian frame measurements Cynthia Vinzant North Carolina State University

Injectivity of Hermitian frame measurements Cynthia Vinzant North Carolina State University

Injectivity of Hermitian frame measurements Cynthia Vinzant North Carolina State University Frames and Algebraic & Combinatorial Geometry July 31, 2015 Cynthia Vinzant Injectivity of Hermitian frame measurements Frames and intensity

602 views • 57 slides
Von Mises Failure Criterion Von Mises Criterion . . . in Mechanics of Materials: Computing V

Von Mises Failure Criterion Von Mises Criterion . . . in Mechanics of Materials: Computing V

Basics of Mechanics of . . . Case of Larger Stress Ductile Materials and . . . Maxwells . . . Von Mises Failure Criterion Von Mises Criterion . . . in Mechanics of Materials: Computing V under . . . New Faster Algorithm . . . How to

353 views • 13 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
A Completeness Theorem for Injectivity Logic J. Ad amek, M. H ebert and L. Sousa CT06

A Completeness Theorem for Injectivity Logic J. Ad amek, M. H ebert and L. Sousa CT06

A Completeness Theorem for Injectivity Logic J. Ad amek, M. H ebert and L. Sousa CT06 White Point, June 2006 1 2 C is h-injective is written C | = h h B A g g C C H

459 views • 13 slides
The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit

Extending the Salsa20 nonce D. J. Bernstein University of Illinois at Chicago DES had 64-bit block. Highly troublesome by 1990s. AES has 128-bit block. Becoming troublesome now Extending the Salsa20 nonce 2006

762 views • 59 slides
BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian

Introduction Motivation Security Result Attack Security Proof BBB Secure Nonce Based MAC Using Public Permutation Avijit Dutta and Mridul Nandi Indian Institute of Technology, Kharagpur, India. AFRICACRYPT, 2020 June 30, 2020 Introduction

1.74k views • 57 slides
PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry

PAEQ: Parallelizable Permutation-based Authenticated Encryption Alex Biryukov and Dmitry Khovratovich University of Luxembourg 12 October 2014 Authenticated encryption Simple encryption If you just want to protect confidentiality of your

991 views • 32 slides
Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in

Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in

Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in Cryptographic Protocols Peeter Laud Tartu University and Cybernetica AS (joint work with Michael Backes) Teooriapevad Voorel, 29.0901.10.2006 p. 1/33

760 views • 47 slides
AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and

AUTHENTICATED ENCRYPTION 1 / 1 So Far ... We have looked at methods to provide privacy and integrity/authenticity separately: Goal Primitive Security notions Data privacy symmetric encryption IND-CPA, IND-CCA Data integrity/authenticity

922 views • 73 slides
NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn

NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn

[Bellare-Tackmann, EC 2016, Nonce-based Cryptography] NONCE-BASED CRYPTOGRAPHY RETAINING SECURITY WHEN RANDOMNESS FAILS Mihir Bellare and Bjrn Tackmann University of California, San Diego Eurocrypt 2016, Vienna May 11, 2016

521 views • 37 slides
All about mining Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store

All about mining Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store

Lecture 4 All about mining Joseph Bonneau Recap: Bitcoin miners Bitcoin depends on miners to: Store and broadcast the block chain Validate new transactions Vote (by hash power) on consensus Who are the miners? Lecture 4.1: The

1.16k views • 99 slides
Haz Hazar ardou ous W s Was aste e Imp mport-Export Fi Final Rule Requirements and

Haz Hazar ardou ous W s Was aste e Imp mport-Export Fi Final Rule Requirements and

Haz Hazar ardou ous W s Was aste e Imp mport-Export Fi Final Rule Requirements and Implementa9on December 12, 2016 Agenda Webinar Instruc5ons (5 minutes) Overview of Requirements (70 minutes) Exports Imports Health

836 views • 55 slides

More recommend