
Analysing privacy-type properties in cryptographic protocols



  1. Analysing privacy-type properties in cryptographic protocols
     Stéphanie Delaune, Univ Rennes, CNRS, IRISA, France
     Thursday, July 12th, 2018

  2. Cryptographic protocols everywhere!
     Cryptographic protocols
     ◮ small programs designed to secure communication (e.g. secrecy, authentication, anonymity, ...)
     ◮ use cryptographic primitives (e.g. encryption, signature, ...)
     The network is insecure! Communications take place over a public network like the Internet.

  3. Cryptographic protocols everywhere!
     Cryptographic protocols
     ◮ small programs designed to secure communication (e.g. secrecy, authentication, anonymity, ...)
     ◮ use cryptographic primitives (e.g. encryption, signature, ...)
     It becomes more and more important to protect our privacy.

  4. Electronic passport → studied in [Arapinis et al., 10]
     An e-passport is a passport with an RFID tag embedded in it. The RFID tag stores:
     ◮ the information printed on your passport,
     ◮ a JPEG copy of your picture.

  5. Electronic passport → studied in [Arapinis et al., 10]
     An e-passport is a passport with an RFID tag embedded in it. The RFID tag stores:
     ◮ the information printed on your passport,
     ◮ a JPEG copy of your picture.
     The Basic Access Control (BAC) protocol is a key establishment protocol that has been designed to also ensure unlinkability.
     ISO/IEC standard 15408: Unlinkability aims to ensure that a user may make multiple uses of a service or resource without others being able to link these uses together.

  6. Basic Access Control (BAC) protocol
     Passport $(K_E, K_M)$ and Reader $(K_E, K_M)$

  7. Basic Access Control (BAC) protocol
     Passport $(K_E, K_M)$ and Reader $(K_E, K_M)$
     Reader → Passport: get_challenge

  8. Basic Access Control (BAC) protocol
     Passport $(K_E, K_M)$ and Reader $(K_E, K_M)$
     Reader → Passport: get_challenge
     Passport (fresh $N_P, K_P$) → Reader: $N_P$

  9. Basic Access Control (BAC) protocol
     Passport $(K_E, K_M)$ and Reader $(K_E, K_M)$
     Reader → Passport: get_challenge
     Passport (fresh $N_P, K_P$) → Reader: $N_P$
     Reader (fresh $N_R, K_R$) → Passport: $\{N_R, N_P, K_R\}_{K_E},\ \mathrm{MAC}_{K_M}(\{N_R, N_P, K_R\}_{K_E})$

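  10. Basic Access Control (BAC) protocol
      Passport $(K_E, K_M)$ and Reader $(K_E, K_M)$
      Reader → Passport: get_challenge
      Passport (fresh $N_P, K_P$) → Reader: $N_P$
      Reader (fresh $N_R, K_R$) → Passport: $\{N_R, N_P, K_R\}_{K_E},\ \mathrm{MAC}_{K_M}(\{N_R, N_P, K_R\}_{K_E})$
      Passport → Reader: $\{N_P, N_R, K_P\}_{K_E},\ \mathrm{MAC}_{K_M}(\{N_P, N_R, K_P\}_{K_E})$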

  11. Basic Access Control (BAC) protocol
      Passport $(K_E, K_M)$ and Reader $(K_E, K_M)$
      Reader → Passport: get_challenge
      Passport (fresh $N_P, K_P$) → Reader: $N_P$
      Reader (fresh $N_R, K_R$) → Passport: $\{N_R, N_P, K_R\}_{K_E},\ \mathrm{MAC}_{K_M}(\{N_R, N_P, K_R\}_{K_E})$
      Passport → Reader: $\{N_P, N_R, K_P\}_{K_E},\ \mathrm{MAC}_{K_M}(\{N_P, N_R, K_P\}_{K_E})$
      Both sides compute $K_{seed} = K_P \oplus K_R$

  12. How can cryptographic protocols be attacked?

  13. How can cryptographic protocols be attacked?
      Logical attacks
      ◮ can be mounted even assuming perfect cryptography
        ↪ replay attack, man-in-the-middle attack, ...
      ◮ subtle and hard to detect by “eyeballing” the protocol
      This is the so-called Dolev-Yao attacker!

  14. How can cryptographic protocols be attacked?
      Logical attacks
      ◮ can be mounted even assuming perfect cryptography
        ↪ replay attack, man-in-the-middle attack, ...
      ◮ subtle and hard to detect by “eyeballing” the protocol
      Example: An authentication flaw on the Needham-Schroeder protocol
      NS protocol (1978)
        $A \to B : \{A, N_A\}_{\mathrm{pub}(B)}$
        $B \to A : \{N_A, N_B\}_{\mathrm{pub}(A)}$
        $A \to B : \{N_B\}_{\mathrm{pub}(B)}$

  15. How can cryptographic protocols be attacked?
      Logical attacks
      ◮ can be mounted even assuming perfect cryptography
        ↪ replay attack, man-in-the-middle attack, ...
      ◮ subtle and hard to detect by “eyeballing” the protocol
      Example: An authentication flaw on the Needham-Schroeder protocol
      NS protocol (1978)
        $A \to B : \{A, N_A\}_{\mathrm{pub}(B)}$
        $B \to A : \{N_A, N_B\}_{\mathrm{pub}(A)}$
        $A \to B : \{N_B\}_{\mathrm{pub}(B)}$
      NS-Lowe protocol (1995)
        $A \to B : \{A, N_A\}_{\mathrm{pub}(B)}$
        $B \to A : \{N_A, N_B, B\}_{\mathrm{pub}(A)}$
        $A \to B : \{N_B\}_{\mathrm{pub}(B)}$

  16. How can cryptographic protocols be attacked?
      Logical attacks
      ◮ can be mounted even assuming perfect cryptography
        ↪ replay attack, man-in-the-middle attack, ...
      ◮ subtle and hard to detect by “eyeballing” the protocol
      Example: FREAK attack by Bhargavan et al. (2015)
      A logical flaw that allows a man-in-the-middle attacker to downgrade connections from 'strong' RSA to 'export grade' RSA.

  17. How can cryptographic protocols be attacked?
      Logical attacks
      ◮ can be mounted even assuming perfect cryptography
        ↪ replay attack, man-in-the-middle attack, ...
      ◮ subtle and hard to detect by “eyeballing” the protocol
      Example: A traceability attack on the BAC protocol (2010), a privacy issue
      [Figure: article in The Register, Jan. 2010]

  18. French electronic passport → the passport must reply to all received messages.
      Passport $(K_E, K_M)$ and Reader $(K_E, K_M)$
      Reader → Passport: get_challenge
      Passport (fresh $N_P, K_P$) → Reader: $N_P$
      Reader (fresh $N_R, K_R$) → Passport: $\{N_R, N_P, K_R\}_{K_E},\ \mathrm{MAC}_{K_M}(\{N_R, N_P, K_R\}_{K_E})$

  19. French electronic passport → the passport must reply to all received messages.
      Passport $(K_E, K_M)$ and Reader $(K_E, K_M)$
      Reader → Passport: get_challenge
      Passport (fresh $N_P, K_P$) → Reader: $N_P$
      Reader (fresh $N_R, K_R$) → Passport: $\{N_R, N_P, K_R\}_{K_E},\ \mathrm{MAC}_{K_M}(\{N_R, N_P, K_R\}_{K_E})$
      If MAC check fails, Passport → Reader: mac_error

  20. French electronic passport → the passport must reply to all received messages.
      Passport $(K_E, K_M)$ and Reader $(K_E, K_M)$
      Reader → Passport: get_challenge
      Passport (fresh $N_P, K_P$) → Reader: $N_P$
      Reader (fresh $N_R, K_R$) → Passport: $\{N_R, N_P, K_R\}_{K_E},\ \mathrm{MAC}_{K_M}(\{N_R, N_P, K_R\}_{K_E})$
      If MAC check succeeds and nonce check fails, Passport → Reader: nonce_error

  21. An attack on the French passport [Chothia & Smirnov, 10]
      An attacker can track a French passport, provided he has once witnessed a successful authentication.

  22. An attack on the French passport [Chothia & Smirnov, 10]
      An attacker can track a French passport, provided he has once witnessed a successful authentication.
      Part 1 of the attack. The attacker eavesdrops on Alice using her passport and records message $M$.
      $M = \{N_R, N_P, K_R\}_{K_E},\ \mathrm{MAC}_{K_M}(\{N_R, N_P, K_R\}_{K_E})$

  23. An attack on the French passport [Chothia & Smirnov, 10]
      An attacker can track a French passport, provided he has once witnessed a successful authentication.
      Part 1 of the attack. The attacker eavesdrops on Alice using her passport and records message $M$.
      $M = \{N_R, N_P, K_R\}_{K_E},\ \mathrm{MAC}_{K_M}(\{N_R, N_P, K_R\}_{K_E})$
      Part 2 of the attack. In presence of an unknown passport $(K'_E, K'_M)$, the attacker replays the message $M$ and checks the error code he receives.
      1. MAC check failed: $K'_M \neq K_M \Rightarrow$ ???? is not Alice
      2. MAC check succeeded: $K'_M = K_M \Rightarrow$ ???? is Alice
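
The distinguisher described on slides 18 to 23, next to a passport that answers every failure with one error code. This is an added example, not code from the talk: `toy_enc` is a constructed, insecure stand-in for the passport's cipher, and `uniform_errors`, `honest_session`, `replay_outcome` and `linkable` are hypothetical names.

```python
import hashlib, hmac, os

def toy_enc(key, data):
    # Stand-in for the block cipher (constructed, NOT secure): XOR with a
    # 32-byte hash-derived pad, so the same call encrypts and decrypts.
    pad = hashlib.sha256(key).digest()
    return bytes(d ^ p for d, p in zip(data, pad))

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class Passport:
    def __init__(self, uniform_errors=False):
        self.k_e, self.k_m = os.urandom(16), os.urandom(16)
        self.uniform_errors = uniform_errors   # hypothetical hardening switch
        self.n_p = None

    def get_challenge(self):
        self.n_p = os.urandom(8)               # fresh N_P for every session
        return self.n_p

    def respond(self, z_e, z_m):
        if not hmac.compare_digest(z_m, mac(self.k_m, z_e)):
            return "error" if self.uniform_errors else "mac_error"
        plain = toy_enc(self.k_e, z_e)         # N_R (8) | N_P (8) | K_R (16)
        n_r, n_p = plain[:8], plain[8:16]
        if not hmac.compare_digest(n_p, self.n_p):
            return "error" if self.uniform_errors else "nonce_error"
        m = toy_enc(self.k_e, self.n_p + n_r + os.urandom(16))  # N_P, N_R, K_P
        return (m, mac(self.k_m, m))

def honest_session(passport):
    # A legitimate reader knows (K_E, K_M); returns the message M seen on the wire.
    n_p = passport.get_challenge()
    z_e = toy_enc(passport.k_e, os.urandom(8) + n_p + os.urandom(16))
    m = (z_e, mac(passport.k_m, z_e))
    assert isinstance(passport.respond(*m), tuple)   # authentication succeeds
    return m

def replay_outcome(passport, recorded):
    passport.get_challenge()                   # new session, new N_P
    return passport.respond(*recorded)

def linkable(uniform_errors):
    alice, other = Passport(uniform_errors), Passport(uniform_errors)
    m = honest_session(alice)
    # Two sessions can be linked iff the replies to the replayed M differ.
    return replay_outcome(alice, m) != replay_outcome(other, m)
```

A single error code removes this distinguisher only if both failure paths also take the same time to answer.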

  24. Outline
      Does the protocol satisfy a security property?
      Modelling: $\models \varphi$
      Outline of the remainder of this talk
      1. Modelling cryptographic protocols and their security properties
      2. Designing verification algorithms
      → we focus here on privacy-type security properties

  25. Part I: Modelling cryptographic protocols and their security properties

  26. Two major families of models ... with some advantages and some drawbacks.
      Computational model
      ◮ + messages are bitstrings, a general and powerful adversary
      ◮ – manual proofs, tedious and error-prone
      Symbolic model
      ◮ – abstract model, e.g. messages are terms
      ◮ + automatic proofs

  27. Two major families of models ... with some advantages and some drawbacks.
      Computational model
      ◮ + messages are bitstrings, a general and powerful adversary
      ◮ – manual proofs, tedious and error-prone
      Symbolic model
      ◮ – abstract model, e.g. messages are terms
      ◮ + automatic proofs
      Some results make it possible to link these two very different models.
      → Abadi & Rogaway 2000

  28. Back to the BAC protocol
      Nonces $n_r, n_p$ and keys $k_r, k_p, k_e, k_m$ are modelled using names.
      Cryptographic primitives are modelled using function symbols:
      ◮ encryption/decryption: $\mathrm{senc}/2$, $\mathrm{sdec}/2$
      ◮ concatenation/projections: $\langle\ ,\ \rangle/2$, $\mathrm{proj}_1/1$, $\mathrm{proj}_2/1$
      ◮ mac construction: $\mathrm{mac}/2$
      $\mathrm{sdec}(\mathrm{senc}(x, y), y) = x$
      $\mathrm{proj}_1(\langle x, y \rangle) = x$
      $\mathrm{proj}_2(\langle x, y \rangle) = y$

  29. Back to the BAC protocol
      Nonces $n_r, n_p$ and keys $k_r, k_p, k_e, k_m$ are modelled using names.
      Cryptographic primitives are modelled using function symbols:
      ◮ encryption/decryption: $\mathrm{senc}/2$, $\mathrm{sdec}/2$
      ◮ concatenation/projections: $\langle\ ,\ \rangle/2$, $\mathrm{proj}_1/1$, $\mathrm{proj}_2/1$
      ◮ mac construction: $\mathrm{mac}/2$
      $\mathrm{sdec}(\mathrm{senc}(x, y), y) = x$
      $\mathrm{proj}_1(\langle x, y \rangle) = x$
      $\mathrm{proj}_2(\langle x, y \rangle) = y$
      Exclusive-or operator: $\oplus$ of arity 2 and $0$ (neutral element)
      $x \oplus (y \oplus z) = (x \oplus y) \oplus z$
      $x \oplus y = y \oplus x$
      $x \oplus x = 0$
      $x \oplus 0 = x$

  30. Protocols as processes
      Syntax [Abadi & Fournet, 01]
      $P, Q := 0$  (null process)
        $\mid \mathrm{in}(c, x).P$  (input)
        $\mid \mathrm{out}(c, u).P$  (output)
        $\mid \mathrm{if}\ u = v\ \mathrm{then}\ P\ \mathrm{else}\ Q$  (conditional)
        $\mid P \mid Q$  (parallel composition)
        $\mid\ !P$  (replication)
        $\mid \mathrm{new}\ n.P$  (fresh name generation)

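  31. Protocols as processes
      Syntax [Abadi & Fournet, 01]
      $P, Q := 0$  (null process)
        $\mid \mathrm{in}(c, x).P$  (input)
        $\mid \mathrm{out}(c, u).P$  (output)
        $\mid \mathrm{if}\ u = v\ \mathrm{then}\ P\ \mathrm{else}\ Q$  (conditional)
        $\mid P \mid Q$  (parallel composition)
        $\mid\ !P$  (replication)
        $\mid \mathrm{new}\ n.P$  (fresh name generation)
      Modelling Passport's role
      $P_{BAC}(k_E, k_M) = \mathrm{new}\ n_P.\ \mathrm{new}\ k_P.\ \mathrm{out}(n_P).\ \mathrm{in}(\langle z_E, z_M \rangle).$
        $\mathrm{if}\ z_M = \mathrm{mac}(z_E, k_M)\ \mathrm{then}$
          $\mathrm{if}\ n_P = \mathrm{proj}_1(\mathrm{proj}_2(\mathrm{sdec}(z_E, k_E)))\ \mathrm{then}\ \mathrm{out}(\langle m, \mathrm{mac}(m, k_M) \rangle)$
          $\mathrm{else}\ \mathrm{out}(nonce\_error)$
        $\mathrm{else}\ \mathrm{out}(mac\_error)$
      where $m = \mathrm{senc}(\langle n_P, \langle \mathrm{proj}_1(z_E), k_P \rangle \rangle, k_E)$.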
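
The symbolic model of slides 28 to 31 as a small term rewriter: messages are nested tuples, the equations are applied left to right, and the passport role is evaluated on a symbolic input. This is an added example, not tooling from the talk; `xor`, `norm`, `reader_msg` and `passport_role` are hypothetical names, and the reader's nonce is taken from the decrypted $z_E$, an assumption made so that the reply reduces to a normal form.

```python
from collections import Counter

def xor(*terms):
    # Normal form modulo AC, x+x = 0 and x+0 = x: flatten, cancel pairs, sort.
    flat = []
    for t in terms:
        flat.extend(t[1:] if isinstance(t, tuple) and t[0] == "xor" else [t])
    odd = sorted((t for t, c in Counter(flat).items() if c % 2 and t != "0"), key=repr)
    return "0" if not odd else odd[0] if len(odd) == 1 else ("xor", *odd)

def norm(t):
    # Rewrite a term bottom-up with the equations of slides 28 and 29.
    if isinstance(t, str):
        return t                                  # a name
    f, *a = t
    a = [norm(x) for x in a]
    head = a[0][0] if isinstance(a[0], tuple) else None
    if f == "sdec" and head == "senc" and a[0][2] == a[1]:
        return a[0][1]                            # sdec(senc(x, y), y) = x
    if f in ("proj1", "proj2") and head == "pair":
        return a[0][1 if f == "proj1" else 2]     # proj_i(<x1, x2>) = x_i
    return xor(*a) if f == "xor" else (f, *a)

def reader_msg(n_r, n_p, k_r, k_e, k_m):
    # <z_E, z_M> with z_E = senc(<n_R, <n_P, k_R>>, k_E), z_M = mac(z_E, k_M)
    z_e = ("senc", ("pair", n_r, ("pair", n_p, k_r)), k_e)
    return ("pair", z_e, ("mac", z_e, k_m))

def passport_role(z, k_e, k_m, n_p="n_P", k_p="k_P"):
    # P_BAC after out(n_P): returns (output term, key seed or None).
    z_e, z_m = norm(("proj1", z)), norm(("proj2", z))
    if z_m != ("mac", z_e, k_m):
        return "mac_error", None
    body = norm(("sdec", z_e, k_e))
    if norm(("proj1", ("proj2", body))) != n_p:
        return "nonce_error", None
    # Assumption: n_R is read from the decrypted z_E.
    m = ("senc", ("pair", n_p, ("pair", norm(("proj1", body)), k_p)), k_e)
    seed = norm(("xor", k_p, ("proj2", ("proj2", body))))   # k_P + k_R
    return ("pair", m, ("mac", m, k_m)), seed
```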
