automatic formal analyses of cryptographic protocols
play

Automatic Formal Analyses of Cryptographic Protocols 19th National - PowerPoint PPT Presentation

Feb 25, 2024 •21 likes •141 views

Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security Conference October 22-25, 1996 Baltimore Convention Center Dr. Stephen H. Brackin Arca Systems, Inc. 303 E. Yates St., Ithaca, NY 14850

  1. Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security Conference October 22-25, 1996 Baltimore Convention Center Dr. Stephen H. Brackin Arca Systems, Inc. 303 E. Yates St., Ithaca, NY 14850 607-277-8211 or 607-277-2739 brackin@va.arca.com Supported by ESC/AXS through PRISM, and by Rome Laboratory P R I S M Page - 1 Custom Command and Control

  2. Outline of Talk • Problem: protocol failure • Automatic Authentication Protocol Analyzer (AAPA) • Three SPX protocols and results of analyzing them • Conclusions, for SPX and arbitrary protocols P R I S M Page - 2 Custom Command and Control

  3. Cryptographic Protocols • Goal: Secure communication over insecure networks – Networks, principals, messages – Worst case: enemy controls all communication – Nondisclosure and authentication • Tools: – Shared or confirmable secrets – Encryption – Hash functions – Timestamps, nonces, signatures, key-exchange functions • Distributed algorithms P R I S M Page - 3 Custom Command and Control

  4. Failure Example • Tatebayeshi-Matsuzaki-Newman protocol – 1. A->S: {Ka}Rsa(PkS), A, B – 2. S->B: S,A – 3. B->S: {Kb}Rsa(PkS) – 4. S->A: {Kb}Des(Ka) • AAPA notation, but more-or-less standard • Published (CRYPTO ‘89), recommended by experts • It’s wrong --- and has lots of company P R I S M Page - 4 Custom Command and Control

  5. Automatic Authentication Protocol Analyzer • Inputs Interface Specification Language (ISL) specs • Produces Higher Order Logic (HOL) theories • Automatically proves default and user-set goals – Belief logic extending Gong-Needham-Yahalom logic – Sample deduction: If P believes only P and Q know K, and P receives M that K decrypts to something meaningful, then P believes Q sent M --- though not necessarily recently or to P – Proceeds by induction on protocol stage • Gives proof results in ISL P R I S M Page - 5 Custom Command and Control

  6. SPX Credentials Initialization name = C 2 PwdC {C,Ts,Rn,H1(PwdC)}Rsa(KpLeaf) 3 LEAF 1 Read Privkey {UidC,{KsC}Des(H2(PwdC))}Des(Rn) KsC,UidC 6 7 4 Create Ticket C 5 claimant credentials {{KsC}Des(H2(PwdC)), H1(PwdC), 8 UidC}Rsa(KpLeaf) Make C Trusted Authorities 10 trusted CDC authorities C_certif_Ca1 9 Claimant P R I S M Page - 6 Custom Command and Control

  7. What AAPA Analysis Shows: I • KpC must be computable from KsC • Keys must be stored along with recognizable data • PwdC must not be older than KsC • ValidityKpCa1 must include the current time P R I S M Page - 7 Custom Command and Control

  8. SPX Authentication V = verifier 1 Ta1 = claimant trusted authority CDC Ta1,UidC,KpTa1 Ta2 = verifier trusted authority V Ticket(C) X_certif_Y = Tal_certif_V X certifies Y’s public key 2 claimant A(DesKey), Ticket(C), Delegator1 3 Ta2,UidV,KpTa2 KpV {Ts}Des(DesKey) 6 verifier A(DesKey) = 5 <Ts,ChannelIdC>Hdes(DesKey) C 4 Ticket(C) = [ValidityKspC,UidC,KspC] (H3,Rsa)(KsC) Ta2_certif_C Delegator1 = CDC [{DesKey}Rsa(PkV)] (H3,Rsa)(KssC) P R I S M Page - 8 Custom Command and Control

  9. What AAPA Analysis Shows: II • Keys must be stored with recognizable data • Validity intervals must include the current time – ValidityKpV, ValidityKpC, ValidityKspC • Belief DesKey from C depends on dubious assumptions • Delegation gives up to 8 hours of authentication failure P R I S M Page - 9 Custom Command and Control

  10. SPX Delegation V = verifier Ta1 = claimant trusted authority 1 Ta2 = verifier trusted authority CDC Ta1,UidC,KpTa1 V Ticket(C) X_certif_Y = X certifies Y’s public key Tal_certif_V 2 claimant A(DesKey), Ticket(C), Delegator2 3 Ta2,UidV,KpTa2 KpV {Ts}Des(DesKey) 6 verifier A(DesKey) = 5 <Ts,ChannelIdC>Hdes(DesKey) C 4 Ticket(C) = [ValidityKspC,UidC,KspC] (H3,Rsa)(KsC) Ta2_certif_C Delegator2 = CDC {DesKey}Rsa(PkV), {KssC}Des(DesKey) P R I S M Page - 10 Custom Command and Control

  11. What AAPA Analysis Shows: III • Similar recognizability and interval restrictions • Dubious assumptions don’t give belief KssC from C • Banker can obtain medical records P R I S M Page - 11 Custom Command and Control

  12. Conclusions • For the SPX protocols: – Initialization must include checks for meaningful data – Authentication possibly flawed – Delegation possibly flawed – These issues should be addressed in documentation • For all cryptographic protocols: – The AAPA is a fast, easy tool for reducing failures – The AAPA can be used as part of the design process P R I S M Page - 12 Custom Command and Control

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS blanchet@di.ens.fr September 2011 Bruno Blanchet (INRIA) ProVerif September 2011

1.55k views • 143 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1 , Chiara

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1 , Chiara

ASIAN07 A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1 , Chiara Bodei 2 , Pierpaolo Degano 2 , Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University of Denmark 1 Dipartimento di

435 views • 20 slides
Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu,

Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu,

Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu, Institute of Computer Science Agenda Introduction Probabilistic-spi calculus Security protocol verification Conclusion Q&amp;A

633 views • 19 slides
Automatic Security Analyses of Network Protocols with Tamarin-Prover Introductory Talk Eike

Automatic Security Analyses of Network Protocols with Tamarin-Prover Introductory Talk Eike

1/18 Automatic Security Analyses of Network Protocols with Tamarin-Prover Introductory Talk Eike Stadtlnder May 17, 2018 2/18 Outline Motivation Tamarin-Prover Overview Language and Environment State Demo Goals for the Lab . 3/18

1.33k views • 99 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, July 12th, 2018 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure

849 views • 80 slides
Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier

Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier

Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier ProVerif Bruno Blanchet INRIA Paris-Rocquencourt Bruno.Blanchet@inria.fr September 2013 Bruno Blanchet (INRIA) ProVerif September 2013 1 / 114

1.56k views • 132 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Introduction Formal models Adding equational theories Towards more guarantees Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/45 V eronique

785 views • 76 slides
First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols Peeter Laud peeter l@ut.ee Tartu Ulikool Cybernetica AS Teooriap aevad Arulas, 3.-5.02.2003 p.1/27 Overview Cryptographic protocols.

570 views • 27 slides
Cryptographic Protocols and Network Security G. Sivakumar Computer Science and Engineering IIT

Cryptographic Protocols and Network Security G. Sivakumar Computer Science and Engineering IIT

Some Puzzles Security Connection Cryptography Need For Formal Methods Cryptographic Protocols and Network Security G. Sivakumar Computer Science and Engineering IIT Bombay siva@iitb.ac.in Oct 14, 2004 G. Sivakumar Computer Science and

671 views • 43 slides
Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to

Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to

Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to Computer Security Announcements intermission Day 17: Crypto protocols and S protocols SSH Stephen McCamant University of Minnesota, Computer

338 views • 7 slides
Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why it was created? Cryptographic protocol Paper in 2004 by Ian Goldberg , Nikita Borisov and Eric Brewer Conversations in the

299 views • 18 slides
American Indian/Alaskan Native Tobacco Use Among Youth and Young Adults Paul D Mowery,

American Indian/Alaskan Native Tobacco Use Among Youth and Young Adults Paul D Mowery,

American Indian/Alaskan Native Tobacco Use Among Youth and Young Adults Paul D Mowery, Biostatistics, Inc. IHS Tobacco Prevention Webinar, September 16, 2015 The findings and conclusions are those of the authors and do not necessarily represent

560 views • 38 slides
Counting Affine Calculator and Applications Sven Verdoolaege Team ALCHEMY, INRIA Saclay, France

Counting Affine Calculator and Applications Sven Verdoolaege Team ALCHEMY, INRIA Saclay, France

April 3, 2011 1 / 23 Counting Affine Calculator and Applications Sven Verdoolaege Team ALCHEMY, INRIA Saclay, France Sven.Verdoolaege@inria.fr April 3, 2011 April 3, 2011 2 / 23 Outline Introduction 1 2 Basic Concepts and Operations

828 views • 65 slides
Integer Set Coalescing Sven Verdoolaege INRIA and KU Leuven January 19, 2015 January 19, 2015

Integer Set Coalescing Sven Verdoolaege INRIA and KU Leuven January 19, 2015 January 19, 2015

January 19, 2015 1 / 27 Integer Set Coalescing Sven Verdoolaege INRIA and KU Leuven January 19, 2015 January 19, 2015 2 / 27 Outline Introduction and Motivation 1 Polyhedal Model The need for coalescing Traditional Coalescing

1.24k views • 107 slides
CPSC 121: Models of Computation Convert sequences to and from explicit formulas that describe

CPSC 121: Models of Computation Convert sequences to and from explicit formulas that describe

Pre-Class Learning Goals By the start of class, you should be able to CPSC 121: Models of Computation Convert sequences to and from explicit formulas that describe the sequence. Convert sums to and from summation/ notation.

296 views • 14 slides
A #lang for data structures students 2 Welcome to DSSL2 #lang dssl2 struct nil: pass struct

A #lang for data structures students 2 Welcome to DSSL2 #lang dssl2 struct nil: pass struct

Jesse Tov, RacketCon.eighth() A #lang for data structures students 2 Welcome to DSSL2 #lang dssl2 struct nil: pass struct cons: let car let cdr 3 class ListBuilder: let head let tail def __init__(self): self.head = nil() self.tail =

1.31k views • 54 slides
An Indian Sign Language (ISL) Corpus of the Domain Disaster Message Using Avatar Mahesh Kulkarni 2

An Indian Sign Language (ISL) Corpus of the Domain Disaster Message Using Avatar Mahesh Kulkarni 2

1 Ali Yavar Jung National Institute of 2 Center for Development of Advanced Hearing Handicapped (AYJNIHH), Computing (C-DAC), Mumbai, India Pune India An Indian Sign Language (ISL) Corpus of the Domain Disaster Message Using Avatar

315 views • 3 slides
CS 525M Mobile and Ubiquitous Computing Seminar Ioanna Symeou Satellite-Based Internet: A

CS 525M Mobile and Ubiquitous Computing Seminar Ioanna Symeou Satellite-Based Internet: A

CS 525M Mobile and Ubiquitous Computing Seminar Ioanna Symeou Satellite-Based Internet: A Tutorial Yurong Hu and O.K. Li University of Hong Kong IEEE Communications Magazine, March 2001b Satellite-Based Internet: Introduction

477 views • 15 slides
Natural Language Processing Info 159/259 Lecture 15: Review (Oct 11, 2018) David Bamman, UC

Natural Language Processing Info 159/259 Lecture 15: Review (Oct 11, 2018) David Bamman, UC

Natural Language Processing Info 159/259 Lecture 15: Review (Oct 11, 2018) David Bamman, UC Berkeley Big ideas Classification Language modeling Naive Bayes, Logistic Markov assumption, regression, featurized, neural

1.42k views • 116 slides

More recommend