Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
automatic formal analyses of cryptographic protocols

Automatic Formal Analyses of Cryptographic Protocols 19th National - PowerPoint PPT Presentation

Feb 25, 2024 •21 likes •144 views

Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security Conference October 22-25, 1996 Baltimore Convention Center Dr. Stephen H. Brackin Arca Systems, Inc. 303 E. Yates St., Ithaca, NY 14850

  1. Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security Conference October 22-25, 1996 Baltimore Convention Center Dr. Stephen H. Brackin Arca Systems, Inc. 303 E. Yates St., Ithaca, NY 14850 607-277-8211 or 607-277-2739 brackin@va.arca.com Supported by ESC/AXS through PRISM, and by Rome Laboratory P R I S M Page - 1 Custom Command and Control

  2. Outline of Talk • Problem: protocol failure • Automatic Authentication Protocol Analyzer (AAPA) • Three SPX protocols and results of analyzing them • Conclusions, for SPX and arbitrary protocols P R I S M Page - 2 Custom Command and Control

  3. Cryptographic Protocols • Goal: Secure communication over insecure networks – Networks, principals, messages – Worst case: enemy controls all communication – Nondisclosure and authentication • Tools: – Shared or confirmable secrets – Encryption – Hash functions – Timestamps, nonces, signatures, key-exchange functions • Distributed algorithms P R I S M Page - 3 Custom Command and Control

  4. Failure Example • Tatebayeshi-Matsuzaki-Newman protocol – 1. A->S: {Ka}Rsa(PkS), A, B – 2. S->B: S,A – 3. B->S: {Kb}Rsa(PkS) – 4. S->A: {Kb}Des(Ka) • AAPA notation, but more-or-less standard • Published (CRYPTO ‘89), recommended by experts • It’s wrong --- and has lots of company P R I S M Page - 4 Custom Command and Control

  5. Automatic Authentication Protocol Analyzer • Inputs Interface Specification Language (ISL) specs • Produces Higher Order Logic (HOL) theories • Automatically proves default and user-set goals – Belief logic extending Gong-Needham-Yahalom logic – Sample deduction: If P believes only P and Q know K, and P receives M that K decrypts to something meaningful, then P believes Q sent M --- though not necessarily recently or to P – Proceeds by induction on protocol stage • Gives proof results in ISL P R I S M Page - 5 Custom Command and Control

  6. SPX Credentials Initialization name = C 2 PwdC {C,Ts,Rn,H1(PwdC)}Rsa(KpLeaf) 3 LEAF 1 Read Privkey {UidC,{KsC}Des(H2(PwdC))}Des(Rn) KsC,UidC 6 7 4 Create Ticket C 5 claimant credentials {{KsC}Des(H2(PwdC)), H1(PwdC), 8 UidC}Rsa(KpLeaf) Make C Trusted Authorities 10 trusted CDC authorities C_certif_Ca1 9 Claimant P R I S M Page - 6 Custom Command and Control

  7. What AAPA Analysis Shows: I • KpC must be computable from KsC • Keys must be stored along with recognizable data • PwdC must not be older than KsC • ValidityKpCa1 must include the current time P R I S M Page - 7 Custom Command and Control

  8. SPX Authentication V = verifier 1 Ta1 = claimant trusted authority CDC Ta1,UidC,KpTa1 Ta2 = verifier trusted authority V Ticket(C) X_certif_Y = Tal_certif_V X certifies Y’s public key 2 claimant A(DesKey), Ticket(C), Delegator1 3 Ta2,UidV,KpTa2 KpV {Ts}Des(DesKey) 6 verifier A(DesKey) = 5 <Ts,ChannelIdC>Hdes(DesKey) C 4 Ticket(C) = [ValidityKspC,UidC,KspC] (H3,Rsa)(KsC) Ta2_certif_C Delegator1 = CDC [{DesKey}Rsa(PkV)] (H3,Rsa)(KssC) P R I S M Page - 8 Custom Command and Control

  9. What AAPA Analysis Shows: II • Keys must be stored with recognizable data • Validity intervals must include the current time – ValidityKpV, ValidityKpC, ValidityKspC • Belief DesKey from C depends on dubious assumptions • Delegation gives up to 8 hours of authentication failure P R I S M Page - 9 Custom Command and Control

  10. SPX Delegation V = verifier Ta1 = claimant trusted authority 1 Ta2 = verifier trusted authority CDC Ta1,UidC,KpTa1 V Ticket(C) X_certif_Y = X certifies Y’s public key Tal_certif_V 2 claimant A(DesKey), Ticket(C), Delegator2 3 Ta2,UidV,KpTa2 KpV {Ts}Des(DesKey) 6 verifier A(DesKey) = 5 <Ts,ChannelIdC>Hdes(DesKey) C 4 Ticket(C) = [ValidityKspC,UidC,KspC] (H3,Rsa)(KsC) Ta2_certif_C Delegator2 = CDC {DesKey}Rsa(PkV), {KssC}Des(DesKey) P R I S M Page - 10 Custom Command and Control

  11. What AAPA Analysis Shows: III • Similar recognizability and interval restrictions • Dubious assumptions don’t give belief KssC from C • Banker can obtain medical records P R I S M Page - 11 Custom Command and Control

  12. Conclusions • For the SPX protocols: – Initialization must include checks for meaningful data – Authentication possibly flawed – Delegation possibly flawed – These issues should be addressed in documentation • For all cryptographic protocols: – The AAPA is a fast, easy tool for reducing failures – The AAPA can be used as part of the design process P R I S M Page - 12 Custom Command and Control

Recommend

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

452 views • 14 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

951 views • 69 slides
MTAT.07.005 Cryptographic Protocols Introduction to Zero-Knowledge Helger Lipmaa University of

MTAT.07.005 Cryptographic Protocols Introduction to Zero-Knowledge Helger Lipmaa University of

Zero-Knowledge Two-Party Protocols MTAT.07.005 Cryptographic Protocols Introduction to Zero-Knowledge Helger Lipmaa University of Tartu MTAT.07.005 Cryptographic Protocols Helger Lipmaa MTAT.07.005 Cryptographic Protocols Zero-Knowledge

1.5k views • 122 slides
Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS blanchet@di.ens.fr September 2011 Bruno Blanchet (INRIA) ProVerif September 2011

1.56k views • 143 slides
Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, July 12th, 2018 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure

851 views • 80 slides
Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier

Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier

Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier ProVerif Bruno Blanchet INRIA Paris-Rocquencourt Bruno.Blanchet@inria.fr September 2013 Bruno Blanchet (INRIA) ProVerif September 2013 1 / 114

1.56k views • 132 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

699 views • 46 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 1. Interactive Proofs and Zero-Knowledge Protocols 2. Secure Multi-Party Computation Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine Agreement Secure Multi-Party

170 views • 3 slides
Automatic Verification of Automatic Verification of Automatic Verification of Automatic

Automatic Verification of Automatic Verification of Automatic Verification of Automatic

Automatic Verification of Automatic Verification of Automatic Verification of Automatic Verification of Competitive Stochastic Systems Competitive Stochastic Systems Competitive Stochastic Systems Competitive Stochastic Systems Marta

506 views • 29 slides
Formal Definition of a Finite Automaton Formal Definition of a Finite Automaton p.1/23 Why a

Formal Definition of a Finite Automaton Formal Definition of a Finite Automaton p.1/23 Why a

Formal Definition of a Finite Automaton Formal Definition of a Finite Automaton p.1/23 Why a formal definition? A formal definition is precise: Formal Definition of a Finite Automaton p.2/23 Why a formal definition? A formal

715 views • 70 slides
First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols Peeter Laud peeter l@ut.ee Tartu Ulikool Cybernetica AS Teooriap aevad Arulas, 3.-5.02.2003 p.1/27 Overview Cryptographic protocols.

570 views • 27 slides
Computer Aided Security : Cryptographic Primitives, Voting protocols, and Wireless Sensor

Computer Aided Security : Cryptographic Primitives, Voting protocols, and Wireless Sensor

Computer Aided Security: Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Computer Aided Security : Cryptographic Primitives, Voting protocols, and Wireless Sensor Networks Pascal Lafourcade November 6, 2012

629 views • 44 slides
The Coinductive Approach to Verifying Cryptographic Protocols Jesse Hughes joint work with

The Coinductive Approach to Verifying Cryptographic Protocols Jesse Hughes joint work with

The Coinductive Approach to Verifying Cryptographic Protocols Jesse Hughes joint work with Martijn Warnier jesseh@cs.kun.nl University of Nijmegen The Coinductive Approach to Verifying Cryptographic Protocols p.1/27 Outline I.

1.95k views • 184 slides
Pattern-Matching Spi-Calculus A Type System for Cryptographic Protocols Christian Haack and Alan

Pattern-Matching Spi-Calculus A Type System for Cryptographic Protocols Christian Haack and Alan

Pattern-Matching Spi-Calculus A Type System for Cryptographic Protocols Christian Haack and Alan Jeffrey DePaul University, Chicago Pattern-Matching Spi-Calculus p.1/11 Types for Cryptographic Protocols Pattern-Matching Spi-Calculus

780 views • 55 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
American Indian/Alaskan Native Tobacco Use Among Youth and Young Adults Paul D Mowery,

American Indian/Alaskan Native Tobacco Use Among Youth and Young Adults Paul D Mowery,

American Indian/Alaskan Native Tobacco Use Among Youth and Young Adults Paul D Mowery, Biostatistics, Inc. IHS Tobacco Prevention Webinar, September 16, 2015 The findings and conclusions are those of the authors and do not necessarily represent

561 views • 38 slides
Counting Affine Calculator and Applications Sven Verdoolaege Team ALCHEMY, INRIA Saclay, France

Counting Affine Calculator and Applications Sven Verdoolaege Team ALCHEMY, INRIA Saclay, France

April 3, 2011 1 / 23 Counting Affine Calculator and Applications Sven Verdoolaege Team ALCHEMY, INRIA Saclay, France Sven.Verdoolaege@inria.fr April 3, 2011 April 3, 2011 2 / 23 Outline Introduction 1 2 Basic Concepts and Operations

829 views • 65 slides
Integer Set Coalescing Sven Verdoolaege INRIA and KU Leuven January 19, 2015 January 19, 2015

Integer Set Coalescing Sven Verdoolaege INRIA and KU Leuven January 19, 2015 January 19, 2015

January 19, 2015 1 / 27 Integer Set Coalescing Sven Verdoolaege INRIA and KU Leuven January 19, 2015 January 19, 2015 2 / 27 Outline Introduction and Motivation 1 Polyhedal Model The need for coalescing Traditional Coalescing

1.24k views • 107 slides
CPSC 121: Models of Computation Convert sequences to and from explicit formulas that describe

CPSC 121: Models of Computation Convert sequences to and from explicit formulas that describe

Pre-Class Learning Goals By the start of class, you should be able to CPSC 121: Models of Computation Convert sequences to and from explicit formulas that describe the sequence. Convert sums to and from summation/ notation.

298 views • 14 slides
A #lang for data structures students 2 Welcome to DSSL2 #lang dssl2 struct nil: pass struct

A #lang for data structures students 2 Welcome to DSSL2 #lang dssl2 struct nil: pass struct

Jesse Tov, RacketCon.eighth() A #lang for data structures students 2 Welcome to DSSL2 #lang dssl2 struct nil: pass struct cons: let car let cdr 3 class ListBuilder: let head let tail def __init__(self): self.head = nil() self.tail =

1.32k views • 54 slides
An Indian Sign Language (ISL) Corpus of the Domain Disaster Message Using Avatar Mahesh Kulkarni 2

An Indian Sign Language (ISL) Corpus of the Domain Disaster Message Using Avatar Mahesh Kulkarni 2

1 Ali Yavar Jung National Institute of 2 Center for Development of Advanced Hearing Handicapped (AYJNIHH), Computing (C-DAC), Mumbai, India Pune India An Indian Sign Language (ISL) Corpus of the Domain Disaster Message Using Avatar

317 views • 3 slides
CS 525M Mobile and Ubiquitous Computing Seminar Ioanna Symeou Satellite-Based Internet: A

CS 525M Mobile and Ubiquitous Computing Seminar Ioanna Symeou Satellite-Based Internet: A

CS 525M Mobile and Ubiquitous Computing Seminar Ioanna Symeou Satellite-Based Internet: A Tutorial Yurong Hu and O.K. Li University of Hong Kong IEEE Communications Magazine, March 2001b Satellite-Based Internet: Introduction

477 views • 15 slides
Natural Language Processing Info 159/259 Lecture 15: Review (Oct 11, 2018) David Bamman, UC

Natural Language Processing Info 159/259 Lecture 15: Review (Oct 11, 2018) David Bamman, UC

Natural Language Processing Info 159/259 Lecture 15: Review (Oct 11, 2018) David Bamman, UC Berkeley Big ideas Classification Language modeling Naive Bayes, Logistic Markov assumption, regression, featurized, neural

1.43k views • 116 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.