automatic verification of cryptographic protocols in the
play

Automatic Verification of Cryptographic Protocols in the Formal - PowerPoint PPT Presentation

Oct 17, 2022 •111 likes •1.55k views

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS blanchet@di.ens.fr September 2011 Bruno Blanchet (INRIA) ProVerif September 2011

  1. Example (7) → ( ν sk A )( ν sk B ) ( ν k ) c � pencrypt(sign( k , sk A ) , pk( sk B )) � . ( c ( x ) . let s = sdecrypt( x , k ) in 0 c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � | ! c ( x pk B ) . . . . | ! c ( y ) . . . . ) Bruno Blanchet (INRIA) ProVerif September 2011 24 / 125

  2. Example (8) ≡ ( ν sk A )( ν sk B )( ν k ) c � pencrypt(sign( k , sk A ) , pk( sk B )) � . ( c ( x ) . let s = sdecrypt( x , k ) in 0 c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k ′ = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ′ ) � ) | ! c ( x pk B ) . . . . | ! c ( y ) . . . . ) Bruno Blanchet (INRIA) ProVerif September 2011 25 / 125

  3. Example (9) → ∗ ( ν sk A )( ν sk B )( ν k ) ( c ( x ) . let s = sdecrypt( x , k ) in 0 let y ′ = pdecrypt(pencrypt(sign( k , sk A ) , pk( sk B )) , sk B ) in | let k ′ = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ′ ) � | ! c ( x pk B ) . . . . | ! c ( y ) . . . . ) Bruno Blanchet (INRIA) ProVerif September 2011 26 / 125

  4. Example (10) → ∗ ( ν sk A )( ν sk B )( ν k ) ( c ( x ) . let s = sdecrypt( x , k ) in 0 | c � sencrypt(s , k ) � | ! c ( x pk B ) . . . . | ! c ( y ) . . . . ) Bruno Blanchet (INRIA) ProVerif September 2011 27 / 125

  5. Example (11) → ∗ ( ν sk A )( ν sk B )( ν k ) ( let s = sdecrypt(sencrypt(s , k ) , k ) in 0 | ! c ( x pk B ) . . . . | ! c ( y ) . . . . ) Bruno Blanchet (INRIA) ProVerif September 2011 28 / 125

  6. Another presentation of the semantics Semantic configurations are E , P where E is a set of names P is a multiset of processes Intuitively, E , P where E = { a 1 , . . . , a n } and P = { P 1 , . . . , P m } corresponds to ( ν a 1 ) . . . ( ν a n )( P 1 | . . . | P m ) Initial configuration for P : fn( P ) , { P } . Bruno Blanchet (INRIA) ProVerif September 2011 29 / 125

  7. Another presentation of the semantics: reduction relation E , P ∪ { 0 } → E , P (Red Nil) E , P ∪ { ! P } → E , P ∪ { P , ! P } (Red Repl) E , P ∪ { P | Q } → E , P ∪ { P , Q } (Red Par) E , P ∪ { ( ν a ) P } → E ∪ { a ′ } , P ∪ { P { a ′ / a } } (Red Res) where a ′ / ∈ E . E , P ∪ { N � M � . Q , N ( x ) . P } → E , P ∪ { Q , P { M / x } } (Red I/O) E , P ∪ { let x = g ( M 1 , . . . , M n ) in P else Q } → E , P ∪ { P { M ′ / x } } if g ( M 1 , . . . , M n ) → M ′ (Red Destr 1) E , P ∪ { let x = g ( M 1 , . . . , M n ) in P else Q } → E , P ∪ { Q } if there exists no M ′ such that g ( M 1 , . . . , M n ) → M ′ (Red Destr 2) Bruno Blanchet (INRIA) ProVerif September 2011 30 / 125

  8. Example { c } , { c ( xpk A ) . c ( xpk B ) . c � xpk B � | ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . ( ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk A ) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 31 / 125

  9. Example (2) → { c } , { c ( xpk A ) . c ( xpk B ) . c � xpk B � , ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . ( ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk A ) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 32 / 125

  10. Example (2) → { c } , { c ( xpk A ) . c ( xpk B ) . c � xpk B � , ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . ( ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk A ) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 32 / 125

  11. Example (3) → ∗ { c , sk A , sk B } , { c ( xpk A ) . c ( xpk B ) . c � xpk B � , let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . ( ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk A ) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 33 / 125

  12. Example (3) → ∗ { c , sk A , sk B } , { c ( xpk A ) . c ( xpk B ) . c � xpk B � , let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . ( ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk A ) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 33 / 125

  13. Example (4) → ∗ { c , sk A , sk B } , { c ( xpk A ) . c ( xpk B ) . c � xpk B � , c � pk( sk A ) � . c � pk( sk B ) � . ( ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 34 / 125

  14. Example (4) → ∗ { c , sk A , sk B } , { c ( xpk A ) . c ( xpk B ) . c � xpk B � , c � pk( sk A ) � . c � pk( sk B ) � . ( ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 34 / 125

  15. Example (5) → ∗ { c , sk A , sk B } , { c � pk( sk B ) � , ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . ( c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 35 / 125

  16. Example (5) → ∗ { c , sk A , sk B } , { c � pk( sk B ) � , ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . ( c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 35 / 125

  17. Example (6) → { c , sk A , sk B } , { c � pk( sk B ) � , ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 36 / 125

  18. Example (6) → { c , sk A , sk B } , { c � pk( sk B ) � , ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 36 / 125

  19. Example (7) → { c , sk A , sk B } , { c � pk( sk B ) � , c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 , ! c ( x pk B ) . . . . , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 37 / 125

  20. Example (7) → { c , sk A , sk B } , { c � pk( sk B ) � , c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 , ! c ( x pk B ) . . . . , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 37 / 125

  21. Example (8) → { c , sk A , sk B } , { ( ν k ) c � pencrypt(sign( k , sk A ) , pk( sk B )) � . c ( x ) . let s = sdecrypt( x , k ) in 0 , ! c ( x pk B ) . . . . , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 38 / 125

  22. Example (8) → { c , sk A , sk B } , { ( ν k ) c � pencrypt(sign( k , sk A ) , pk( sk B )) � . c ( x ) . let s = sdecrypt( x , k ) in 0 , ! c ( x pk B ) . . . . , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 38 / 125

  23. Example (9) → { c , sk A , sk B , k ′ } , c � pencrypt(sign( k ′ , sk A ) , pk( sk B )) � . { c ( x ) . let s = sdecrypt( x , k ′ ) in 0 , ! c ( x pk B ) . . . . , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 39 / 125

  24. Example (9) → { c , sk A , sk B , k ′ } , c � pencrypt(sign( k ′ , sk A ) , pk( sk B )) � . { c ( x ) . let s = sdecrypt( x , k ′ ) in 0 , ! c ( x pk B ) . . . . , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2011 39 / 125

  25. Example (10) → ∗ { c , sk A , sk B , k ′ } , c ( x ) . let s = sdecrypt( x , k ′ ) in 0 , { ! c ( x pk B ) . . . . , let y ′ = pdecrypt(pencrypt(sign( k ′ , sk A ) , pk( sk B )) , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) ! c ( y ) . . . . } Bruno Blanchet (INRIA) ProVerif September 2011 40 / 125

  26. Example (10) → ∗ { c , sk A , sk B , k ′ } , c ( x ) . let s = sdecrypt( x , k ′ ) in 0 , { ! c ( x pk B ) . . . . , let y ′ = pdecrypt(pencrypt(sign( k ′ , sk A ) , pk( sk B )) , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) ! c ( y ) . . . . } Bruno Blanchet (INRIA) ProVerif September 2011 40 / 125

  27. Example (11) → ∗ { c , sk A , sk B , k ′ } , c ( x ) . let s = sdecrypt( x , k ′ ) in 0 , { ! c ( x pk B ) . . . . , c � sencrypt(s , k ′ ) � ) ! c ( y ) . . . . } Bruno Blanchet (INRIA) ProVerif September 2011 41 / 125

  28. Example (11) → ∗ { c , sk A , sk B , k ′ } , c ( x ) . let s = sdecrypt( x , k ′ ) in 0 , { ! c ( x pk B ) . . . . , c � sencrypt(s , k ′ ) � ) ! c ( y ) . . . . } Bruno Blanchet (INRIA) ProVerif September 2011 41 / 125

  29. Example (12) → { c , sk A , sk B , k ′ } , let s = sdecrypt(sencrypt(s , k ′ ) , k ′ ) in 0 , { ! c ( x pk B ) . . . . , ! c ( y ) . . . . } Bruno Blanchet (INRIA) ProVerif September 2011 42 / 125

  30. Example (12) → { c , sk A , sk B , k ′ } , let s = sdecrypt(sencrypt(s , k ′ ) , k ′ ) in 0 , { ! c ( x pk B ) . . . . , ! c ( y ) . . . . } Bruno Blanchet (INRIA) ProVerif September 2011 42 / 125

  31. Comparison between the two semantics The first semantics is more standard (comes from the original semantics of the pi calculus) makes it easier to add a context around an existing process (see definition of process equivalence) The second semantics directs the reduction more precisely makes a minimal use of renaming (for restrictions only) Except when mentioned explicitly, I will rely on the second semantics. Bruno Blanchet (INRIA) ProVerif September 2011 43 / 125

  32. Adversary The protocol is executed in parallel with an adversary. The adversary can be any process. S = finite set of names (initial knowledge of the adversary). Definition The closed process Q is an S -adversary ⇔ fn( Q ) ⊆ S . Bruno Blanchet (INRIA) ProVerif September 2011 44 / 125

  33. Secrecy Intuitive definition The secret M cannot be output on a public channel Definition A trace T = E 0 , P 0 → ∗ E ′ , P ′ outputs M if and only if T contains a reduction E , P ∪ { c � M � . Q , c ( x ) . P } → E , P ∪ { Q , P { M / x } } for some E , P , x , P , Q , and c ∈ S . Definition The closed process P preserves the secrecy of M from S ⇔ ∀ S -adversary Q , ∀T = fn( P ) ∪ S , { P , Q } → ∗ E ′ , P ′ , T does not output M . Bruno Blanchet (INRIA) ProVerif September 2011 45 / 125

  34. Several variants of the spi calculus Presented variant [Abadi, Blanchet, POPL’02 and JACM’05] The spi-calculus [Abadi, Gordon, I&C, 1999] The applied pi calculus [Abadi, Fournet, POPL’01] Very powerful, thanks to equational theories A calculus for asymmetric communication [Abadi, Blanchet, FoSSaCS’01 and TCS’03] Bruno Blanchet (INRIA) ProVerif September 2011 46 / 125

  35. Overview 1. A variant of the spi-calculus 2. Intuitive presentation of the Horn clause representation 3. The solving algorithm 4. Experimental results 5. Formal translation from the spi-calculus. 6. Extension to correspondences Bruno Blanchet (INRIA) ProVerif September 2011 47 / 125

  36. ProVerif ProVerif is a verifier for cryptographic protocols Fully automatic For an unbounded number of sessions and an unbounded message size Undecidable problem ⇒ need for abstractions Handles many cryptographic primitives Proves various properties: secrecy, correspondences, equivalences Efficient Bruno Blanchet (INRIA) ProVerif September 2011 48 / 125

  37. Our solution Two ideas (extending [Weidenbach, CADE’99]): a simple abstract representation of these protocols, by a set of Horn clauses; an efficient solving algorithm to find which facts can be derived from these clauses. Using this, we can prove secrecy properties of protocols, or exhibit attacks showing why a message is not secret. We handle in particular shared- and public-key cryptography, hash functions, Diffie-Hellman key agreements. Bruno Blanchet (INRIA) ProVerif September 2011 49 / 125

  38. Protocol representation Messages � terms M ::= x | f ( M 1 , . . . , M n ) | k [ M 1 , . . . , M n ] pencrypt( c 0 , pk( sk A )). Properties � facts F ::= attacker( M ). Protocol, attacker � Horn clauses F 1 ∧ . . . ∧ F n ⇒ F attacker( m ) ∧ attacker( pk ) ⇒ attacker(pencrypt( m , pk )). Bruno Blanchet (INRIA) ProVerif September 2011 50 / 125

  39. Example - Cryptographic primitives Public-key encryption: Encryption pencrypt( m , pk ). attacker( m ) ∧ attacker( pk ) ⇒ attacker(pencrypt( m , pk )) Public key generation pk( sk ). (builds a public key from a secret key) attacker( sk ) ⇒ attacker(pk( sk )) Decryption pdecrypt(pencrypt( m , pk( sk )) , sk ) → m . attacker(pencrypt( m , pk( sk ))) ∧ attacker( sk ) ⇒ attacker( m ) Bruno Blanchet (INRIA) ProVerif September 2011 51 / 125

  40. General treatment of primitives Constructors f ( M 1 , . . . , M n ) attacker( x 1 ) ∧ . . . ∧ attacker( x n ) ⇒ attacker( f ( x 1 , . . . , x n )) Destructors g ( M 1 , . . . , M n ) → M attacker( M 1 ) ∧ . . . ∧ attacker( M n ) ⇒ attacker( M ) (There may be several rewrite rules defining a function.) Exercise Give clauses for shared-key encryption and signatures Bruno Blanchet (INRIA) ProVerif September 2011 52 / 125

  41. Initial knowledge Clauses that represent the initial knowledge of the adversary: attacker( M ) if the adversary knows M . Example For the Denning-Sacco protocol: attacker(pk( sk A )) attacker(pk( sk B )) Bruno Blanchet (INRIA) ProVerif September 2011 53 / 125

  42. Names Normally, fresh names are created each time the protocol is run. Here, we only distinguish two names when they are created after receiving different messages. Each name k becomes a function of the messages previously received: k [ M 1 , . . . , M n ] . (Skolemisation) These functions can only be applied by the principal that creates the name, not by the attacker. The attacker can create his own fresh names: attacker( b [ ]). Bruno Blanchet (INRIA) ProVerif September 2011 54 / 125

  43. Denning-Sacco protocol A → B : {{ k } sk A } pk B k fresh A talks with any principal represented by its public key pk( x ). A sends to it the message {{ k } sk A } pk( x ) . attacker(pk( x )) ⇒ attacker(pencrypt(sign( k [pk( x )] , sk A [ ]) , pk( x ))). B → A : { s } k B has received a message {{ y } sk A } pk B . B sends { s } y . attacker(pencrypt(sign( y , sk A [ ]) , pk( sk B [ ]))) ⇒ attacker(sencrypt(s , y )). Bruno Blanchet (INRIA) ProVerif September 2011 55 / 125

  44. General coding of a protocol If a principal A has received the messages M 1 , . . . , M n and sends the message M , attacker( M 1 ) ∧ . . . ∧ attacker( M n ) ⇒ attacker( M ) . Exercise Model the Needham-Shroeder public key protocol protocol: Message 1. A → B { N a , A } pk B N a fresh B → A { N a , N b } pk A Message 2. N b fresh Message 3. A → B { N b } pk B Bruno Blanchet (INRIA) ProVerif September 2011 56 / 125

  45. Approximations The freshness of nonces is partially modeled. The number of times a message appears is ignored, only the fact that is has appeared is taken into account. The state of the principals is not fully modeled. These approximations are keys for an efficient verification. Solve the state space explosion problem. No limit on the number of runs of the protocols. ⇒ essential for the certification of protocols. Bruno Blanchet (INRIA) ProVerif September 2011 57 / 125

  46. Approximations: a more formal view We can show formally by abstract interpretation that, with respect to the multiset rewriting model, the only approximation is that the number of repetitions of actions is ignored [Blanchet, IPL, 2005]. Multiset rewriting ⇔ linear logic After approximation: classical logic The modeling of names by skolemisation does not introduce an approximation in classical logic. Typical situation in which the proof fails: a protocol first needs to keep some data secret, and later reveals it. Bruno Blanchet (INRIA) ProVerif September 2011 58 / 125

  47. Secrecy Secrecy criterion If attacker( M ) cannot be derived from the clauses, then M is secret. The term M cannot be built by an attacker. The solving algorithm will determine whether a given fact can be derived from the clauses. Bruno Blanchet (INRIA) ProVerif September 2011 59 / 125

  48. Overview 1. A variant of the spi-calculus 2. Intuitive presentation of the Horn clause representation 3. The solving algorithm 4. Experimental results 5. Formal translation from the spi-calculus. 6. Extension to correspondences Bruno Blanchet (INRIA) ProVerif September 2011 60 / 125

  49. Which resolution algorithm A standard Prolog system would not terminate: attacker(sencrypt( x , y )) ∧ attacker( y ) ⇒ attacker( x ) generates bigger and bigger facts by SLD-resolution. We need a different resolution strategy. Bruno Blanchet (INRIA) ProVerif September 2011 61 / 125

  50. Saturation Completion of the clause base, by resolution with free selection. Selection function sel ( F 1 ∧ . . . ∧ F n ⇒ F ) ∈ { F 1 , . . . , F n , F } .  F if ∀ i ∈ { 1 , . . . , n } , F i = attacker( x )   sel ( F 1 ∧ . . . ∧ F n ⇒ F ) = F i different from attacker( x ),  of maximal size, otherwise  Bruno Blanchet (INRIA) ProVerif September 2011 62 / 125

  51. Saturation (2) R ′ = F ′ 1 ∧ . . . ∧ F ′ n ′ ⇒ F ′ R = F 1 ∧ . . . ∧ F n ⇒ F σ F 1 ∧ . . . ∧ σ F n ∧ σ F ′ 2 ∧ . . . ∧ σ F ′ n ′ ⇒ σ F ′ where σ is the most general unifier of F and F ′ 1 , where sel ( R ) = F , and sel ( R ′ ) = F ′ 1 . Starting from an initial set of clauses R 0 , perform this resolution step until a fixed point is reached, eliminating subsumed clauses: H ⇒ C subsumes H ′ ⇒ C ′ when there exists σ such that σ H ⊆ H ′ (multiset inclusion) and σ C = C ′ . saturate ( R 0 ) is the set of obtained clauses R such that sel ( R ) is the conclusion of R . Bruno Blanchet (INRIA) ProVerif September 2011 63 / 125

  52. Saturation (3) Example of a step: attacker( x ) ∧ attacker( y ) ⇒ attacker(pencrypt( x , y )) attacker(pencrypt(sign( z , sk A [ ]) , pk( sk B [ ]))) ⇒ attacker(sencrypt(s , z )) attacker(sign( z , sk A [ ])) ∧ attacker(pk( sk B [ ])) ⇒ attacker(sencrypt(s , z )) Theorem The clauses obtained after saturation saturate ( R 0 ) prove the same facts as the starting clauses R 0 . Bruno Blanchet (INRIA) ProVerif September 2011 64 / 125

  53. Proof (1): some notations If R = H ⇒ C , R ′ = F 0 ∧ H ′ ⇒ C ′ , and σ is the most general unifier of C and F 0 , then R ◦ F 0 R ′ = σ H ∧ σ H ′ ⇒ σ C ′ . If R subsumes R ′ , R ⊒ R ′ . R 0 : initial set of clauses. R 1 : set of clauses when the fixpoint is reached. R 2 = saturate ( R 0 ) = { H ⇒ C ∈ R 1 | sel ( H ⇒ C ) = C } Bruno Blanchet (INRIA) ProVerif September 2011 65 / 125

  54. Proof (2): derivation Definition (Derivation) Let F be a closed fact. Let R be a set of clauses. A derivation of F from R is a finite tree defined as follows: 1 Its nodes (except the root) are labeled by clauses R ∈ R . 2 Its edges are labeled by closed facts. (Edges go from a node to each of its sons.) 3 If the tree contains a node labeled by R with one incoming edge labeled by F 0 and n outgoing edges labeled by F 1 , . . . , F n , then R ⊒ { F 1 , . . . , F n } ⇒ F 0 . 4 The root has one outgoing edge, labeled by F . The unique son of the root is named the subroot . Bruno Blanchet (INRIA) ProVerif September 2011 66 / 125

  55. Proof (3): resolution step Lemma (Resolution) Consider a derivation containing a node η ′ , labeled R ′ . Let F 0 be a hypothesis of R ′ . Then there exists a son η of η ′ , labeled R, such that the edge η ′ → η is labeled by an instance of F 0 , R ◦ F 0 R ′ is defined, and one obtains a derivation of the same fact by replacing the nodes η and η ′ with a node η ′′ labeled R ′′ = R ◦ F 0 R ′ . C ′ C ′ 1 1 R ′ η ′ R ′′ η ′′ H ′ H 1 ∪ ( H ′ 1 − σ F 0 ) 1 σ F 0 R η H 1 Bruno Blanchet (INRIA) ProVerif September 2011 67 / 125

  56. Proof (4): subsumption Lemma (Subsumption) If a node η of a derivation D is labeled by R, then one obtains a derivation D ′ of the same fact as D by relabeling η with a clause R ′ such that R ′ ⊒ R. By transitivity of ⊒ . Bruno Blanchet (INRIA) ProVerif September 2011 68 / 125

  57. Proof (5): saturation properties Lemma (Saturation) R 1 satisfies the following properties: 1 For all R ∈ R 0 , there exists R ′ ∈ R 1 such that R ′ ⊒ R; 2 Let R = H ⇒ C , R ′ = H ′ ⇒ C ′ ∈ R 1 . Assume that sel ( R ) = C, sel ( R ′ ) = F 0 , and R ◦ F 0 R ′ is defined. In this case, there exists R ′′ ∈ R 1 , R ′′ ⊒ R ◦ F 0 R ′ . 1 A clause is removed only when it is subsumed by another one. 2 The fixpoint is reached. Bruno Blanchet (INRIA) ProVerif September 2011 69 / 125

  58. Proof (6): If F is derivable from R 0 , then F is derivable from saturate ( R 0 ). Consider a derivation of F from R 0 . For each R ∈ R 0 , there exists R ′ ∈ R 1 such that R ′ ⊒ R (Lemma saturation, Property 1). We relabel each node labeled by R ∈ R 0 \ R 1 with R ′ ∈ R 1 such that R ′ ⊒ R (by Lemma subsumption). Therefore, we obtain a derivation D of F from R 1 . Next, we build a derivation of F from R 2 , by transforming D . Bruno Blanchet (INRIA) ProVerif September 2011 70 / 125

  59. Proof (7): If F is derivable from R 0 , then F is derivable from saturate ( R 0 ) (continued). If D contains a clause not in R 2 , we transform D as follows. Let η ′ be a lowest node of D labeled by a clause not in R 2 . All sons of η ′ are labeled by elements of R 2 . Let R ′ be the clause labeling η ′ . Since R ′ / ∈ R 2 , sel ( R ′ ) = F 0 is a hypothesis of R ′ . By Lemma resolution, there exists a son of η of η ′ labeled by R , such that R ◦ F 0 R ′ is defined. Since all sons of η ′ are labeled by elements of R 2 , R ∈ R 2 . Hence sel ( R ) is the conclusion of R . So, by Lemma saturation, Property 2, there exists R ′′ ∈ R 1 such that R ′′ ⊒ R ◦ F 0 R ′ . By Lemma resolution, we replace η and η ′ with η ′′ labeled by R ◦ F 0 R ′ . By Lemma subsumption, we replace R ◦ F 0 R ′ with R ′′ . The total number of nodes strictly decreases since η and η ′ are replaced with a single node η ′′ . Hence, this replacement process terminates. Upon termination, we obtain a derivation of F from R 2 . Bruno Blanchet (INRIA) ProVerif September 2011 71 / 125

  60. Why it works The facts attacker( x ) unify with all facts attacker( M ). If we allow resolution on facts attacker( x ), we will create many clauses. The choice of the selection function implies that we avoid performing resolution upon attacker( x ). ⇒ This is key to obtaining termination in most cases. Bruno Blanchet (INRIA) ProVerif September 2011 72 / 125

  61. Derivation Let F be a closed fact. 1 Add the clause F ⇒ bad: R ′ 0 = R 0 ∪ { F ⇒ bad } . 2 Let deriv R 0 ( F ) be true if and only if saturate ( R ′ 0 ) contains a clause H ⇒ bad for some H . If F is derivable from R 0 then bad is derivable from R ′ 0 then bad is derivable from saturate ( R ′ 0 ) (previous theorem) then deriv R 0 ( F ) is true. If deriv R 0 ( F ) is false, then F is not derivable from R 0 . Technique similar to the ordered resolution with selection [Weidenbach, CADE’99]. Bruno Blanchet (INRIA) ProVerif September 2011 73 / 125

  62. Optimizations Elimination of tautologies Elimination of duplicate hypotheses Elimination of hypotheses attacker( x ) when x does not appear elsewhere. Tuples Secrecy assumptions: use conjectures to prune the search space. Bruno Blanchet (INRIA) ProVerif September 2011 74 / 125

  63. Termination The saturation algorithm does not always terminate, but we have proved that it terminates for tagged protocols That is, when each encryption, signature, ... is distinguished from others by a constant tag c i { c i , M 1 , ..., M n } K Large class of protocols Easy to add tags Good design practice [Blanchet, Podelski, Fossacs’03] Bruno Blanchet (INRIA) ProVerif September 2011 75 / 125

  64. Enforcing termination for all cases Termination can be enforced by additional approximations. Example: approximate clauses with clauses in decidable class H 1 . [Nielson, Nielson, Seidel, SAS’02; Goubault-Larrecq, JFLA’04] H 1 = clauses whose conclusion is P ( f ( x 1 , . . . , x n )), with distinct variables x 1 , . . . , x n . H ⇒ P ( f ( p 1 , . . . , p n )) p 1 , . . . , p n are not all variables Q 1 ( x 1 ) , . . . , Q n ( x n ) ⇒ P ( f ( x 1 , . . . , x n )) H ⇒ Q i ( p i ) H ⇒ P ( f ( x 1 , . . . , x i , . . . , x i , . . . , x n )) H , H { x / x i } ⇒ P ( f ( x 1 , . . . , x i , . . . , x , . . . , x n )) Bruno Blanchet (INRIA) ProVerif September 2011 76 / 125

  65. Termination Ordered resolution with factorization and splitting [Comon, Cortier, 2003] Terminates on clauses with at most one variable. Protocols which blindly copy at most one term. Decision procedure for a class of tagged protocols without blind copies. [Ramanujam, Suresh, 2003] Bruno Blanchet (INRIA) ProVerif September 2011 77 / 125

  66. Overview 1. A variant of the spi-calculus 2. Intuitive presentation of the Horn clause representation 3. The solving algorithm 4. Experimental results 5. Formal translation from the spi-calculus. 6. Extension to correspondences Bruno Blanchet (INRIA) ProVerif September 2011 78 / 125

  67. Experimental results Pentium III, 1 GHz. Protocol Result ms Needham-Schroeder public key Attack [Lowe] 10 Needham-Schroeder public key corrected Secure 7 Needham-Schroeder shared key Attack [Denning] 52 Needham-Schroeder shared key corrected Secure 109 Denning-Sacco Attack [AN] 6 Denning-Sacco corrected Secure 7 Otway-Rees Secure 10 Otway-Rees, variant of Paulson98 Attack [Paulson] 12 Yahalom Secure 10 Simpler Yahalom Secure 11 Main mode of Skeme Secure 23 Bruno Blanchet (INRIA) ProVerif September 2011 79 / 125

  68. Overview 1. A variant of the spi-calculus 2. Intuitive presentation of the Horn clause representation 3. The solving algorithm 4. Experimental results 5. Formal translation from the spi-calculus. 6. Extension to correspondences Bruno Blanchet (INRIA) ProVerif September 2011 80 / 125

  69. Translation pi + crypto → Horn clauses We consider a protocol P 0 , executed in the presence of an S -adversary. A protocol is translated into a set of Horn clauses using 2 predicates: attacker( p ) the adversary may have p the message p ′ may be sent on the channel p mess( p , p ′ ) Bruno Blanchet (INRIA) ProVerif September 2011 81 / 125

  70. Translation: attacker clauses For each a ∈ S , attacker( a [ ]) (Init) attacker( b [ ]) where b does not occur in P 0 (Name gen) For each constructor f of arity n , (Constr) attacker( x 1 ) ∧ . . . ∧ attacker( x n ) ⇒ attacker( f ( x 1 , . . . , x n )) For each destructor g , for each rewrite rule g ( M 1 , . . . , M n ) → M , attacker( M 1 ) ∧ . . . ∧ attacker( M n ) ⇒ attacker( M ) (Destr) mess( x , y ) ∧ attacker( x ) ⇒ attacker( y ) (Listen) attacker( x ) ∧ attacker( y ) ⇒ mess( x , y ) (Send) Bruno Blanchet (INRIA) ProVerif September 2011 82 / 125

  71. Translation: protocol clauses ρ : environment (variables, names �→ patterns) h : hypothesis (messages that must be received before reaching the current process) [ [0] ] ρ h = ∅ , [ [ P | Q ] ] ρ h = [ [ P ] ] ρ h ∪ [ [ Q ] ] ρ h , [ [! P ] ] ρ h = [ [ P ] ] ρ h [ [( ν a ) P ] ] ρ h = [ [ P ] ]( ρ [ a �→ a [ p 1 , . . . , p n ]]) h when h = mess( c 1 , p 1 ) ∧ . . . ∧ mess( c n , p n ). Bruno Blanchet (INRIA) ProVerif September 2011 83 / 125

  72. Translation: protocol clauses (continued) ]( ρ [ x �→ x ′ ])( h ∧ mess( ρ ( M ) , x ′ )) [ [ M ( x ) . P ] ] ρ h = [ [ P ] x ′ new variable [ M � N � . P ] ] ρ h ∪ { h ⇒ mess( ρ ( M ) , ρ ( N )) } [ ] ρ h = [ [ P ] [ [ if M = N then P else Q ] ] ρ h = [ [ P ] ]( σρ )( σ h ) ∪ [ [ Q ] ] ρ h where σ is the most general unifier of ρ ( M ) and ρ ( N ). [ [ let x = g ( M 1 , . . . , M n ) in P else Q ] ] ρ h = n ) → p ′ is a rewrite rule of g ](( σρ )[ x �→ σ ′ p ′ ])( σ h ) | g ( p ′ 1 , . . . , p ′ ∪{ [ [ P ] and ( σ, σ ′ ) is a most general pair of substitutions such that σρ ( M 1 ) = σ ′ p ′ 1 , . . . , σρ ( M n ) = σ ′ p ′ n } ∪ [ [ Q ] ] ρ h . Bruno Blanchet (INRIA) ProVerif September 2011 84 / 125

  73. Example: Denning-Sacco protocol Message 1. A → B : {{ k } sk A } pk B k fresh Message 2. B → A : { s } k ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . ( A ) ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in ( B ) | let k = checksign( y ′ , pk A ) in c � sencrypt(s , k ) � Bruno Blanchet (INRIA) ProVerif September 2011 85 / 125

  74. Example: protocol clauses P 0 = ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . (! P A | ! P B ) [ [ P 0 ] ] { c �→ c [ ] }∅ Bruno Blanchet (INRIA) ProVerif September 2011 86 / 125

  75. Example: protocol clauses P 0 = ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . (! P A | ! P B ) [ [ P 0 ] ] { c �→ c [ ] }∅ = [ [ let . . . ] ] { c �→ c [ ] , sk A �→ sk A [ ] , sk B �→ sk B [ ] }∅ Bruno Blanchet (INRIA) ProVerif September 2011 86 / 125

  76. Example: protocol clauses P 0 = ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . (! P A | ! P B ) [ [ P 0 ] ] { c �→ c [ ] }∅ = [ [ let . . . ] ] { c �→ c [ ] , sk A �→ sk A [ ] , sk B �→ sk B [ ] }∅ = [ [ c � pk A � . . . ] ] ρ 0 ∅ ρ 0 = { c �→ c [ ] , sk A �→ sk A [ ] , sk B �→ sk B [ ] , pk A �→ pk( sk A [ ]) , pk B �→ pk( sk B [ ]) } Bruno Blanchet (INRIA) ProVerif September 2011 86 / 125

  77. Example: protocol clauses P 0 = ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . (! P A | ! P B ) [ [ P 0 ] ] { c �→ c [ ] }∅ = [ [ let . . . ] ] { c �→ c [ ] , sk A �→ sk A [ ] , sk B �→ sk B [ ] }∅ = [ [ c � pk A � . . . ] ] ρ 0 ∅ ρ 0 = { c �→ c [ ] , sk A �→ sk A [ ] , sk B �→ sk B [ ] , pk A �→ pk( sk A [ ]) , pk B �→ pk( sk B [ ]) } = [ [! P A | ! P B ] ] ρ 0 ∅ ∪ { mess( c [ ] , pk( sk A [ ])) , comes from c � pk A � mess( c [ ] , pk( sk B [ ])) } comes from c � pk B � Bruno Blanchet (INRIA) ProVerif September 2011 86 / 125

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier

Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier

Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier ProVerif Bruno Blanchet INRIA Paris-Rocquencourt Bruno.Blanchet@inria.fr September 2013 Bruno Blanchet (INRIA) ProVerif September 2013 1 / 114

1.56k views • 132 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018

1.23k views • 78 slides
Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of

605 views • 46 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Organization of the course Two

774 views • 74 slides
Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Introduction Formal models Adding equational theories Towards more guarantees Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/45 V eronique

785 views • 76 slides
Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security

Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security

Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security Conference October 22-25, 1996 Baltimore Convention Center Dr. Stephen H. Brackin Arca Systems, Inc. 303 E. Yates St., Ithaca, NY 14850

141 views • 12 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, July 12th, 2018 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure

849 views • 80 slides
Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday, June 29th, 2020 1/23 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure communication ( e.g.

900 views • 58 slides
Automatic Verification of non-silent Population Protocols Masters Thesis Martin Helfrich

Automatic Verification of non-silent Population Protocols Masters Thesis Martin Helfrich

Automatic Verification of non-silent Population Protocols Masters Thesis Martin Helfrich Technical University of Munich September 2019 Martin Helfrich (TUM) Verification of non-silent PP September 2019 1 / 31 Population Protocols Model

460 views • 31 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
For orest est Mon Monitor itorin ing g For or Action Action David Wheeler, Center for

For orest est Mon Monitor itorin ing g For or Action Action David Wheeler, Center for

For orest est Mon Monitor itorin ing g For or Action Action David Wheeler, Center for Global Development Robin Kraft and Dan Hammer, University of Maryland Scipy 2010 rkraft@umd.edu cgdev.org/forest Forest Monitoring for Action (FORMA)

1.47k views • 123 slides
Welcome to DataCamp ! C OU R SE C R E ATION AT DATAC AMP Mari Na z ar y Head of C u rric u l u m

Welcome to DataCamp ! C OU R SE C R E ATION AT DATAC AMP Mari Na z ar y Head of C u rric u l u m

Welcome to DataCamp ! C OU R SE C R E ATION AT DATAC AMP Mari Na z ar y Head of C u rric u l u m Learning objecti v es Understand the creation process from start to nish Co u rse creation phases Phase length DataCamp point of contact Deli v

392 views • 36 slides
TCMTF Working Group Forma2on Dan Wing dwing@cisco.com IETF89,

TCMTF Working Group Forma2on Dan Wing dwing@cisco.com IETF89,

TCMTF Working Group Forma2on Dan Wing dwing@cisco.com IETF89, March 4, 2014, London 1 TCMTF Working Group Forma2on Updated Charter Text Benefits

471 views • 4 slides
From Math 2220 Class 40 Integration and Stokes for Differential Forms Dr. Allen Back Stokes

From Math 2220 Class 40 Integration and Stokes for Differential Forms Dr. Allen Back Stokes

From Math 2220 Class 40 V1df Algebra of Differential Forms From Math 2220 Class 40 Integration and Stokes for Differential Forms Dr. Allen Back Stokes and Gauss Traditionally Dec. 3, 2014 Algebra of Differential Forms Differential

696 views • 23 slides
twenty five http:// nisee.berkeley.edu/godden concrete construction: flat spanning systems

twenty five http:// nisee.berkeley.edu/godden concrete construction: flat spanning systems

A RCHITECTURAL S TRUCTURES : Reinforced Concrete Design F ORM, B EHAVIOR, AND D ESIGN ARCH 331 economical & common D R. A NNE N ICHOLS resist lateral loads S PRING 2019 lecture twenty five http:// nisee.berkeley.edu/godden concrete

346 views • 6 slides
LBNF - Structural Discussion Dimitar MLADENOV - CERN EP/NU LBNF Cryostat Slab and Final design

LBNF - Structural Discussion Dimitar MLADENOV - CERN EP/NU LBNF Cryostat Slab and Final design

LBNF - Structural Discussion Dimitar MLADENOV - CERN EP/NU LBNF Cryostat Slab and Final design workshop Fermilab, 10-11 April 2018 LBNF - Weight summary Steel Structure: 3000 T (this includes: Steel profiles, steel plate, insulation and

390 views • 13 slides
IIRSM Qatar 20 th March 2018 Presented by: Mark Stephens Welcome & Announcements Welcome

IIRSM Qatar 20 th March 2018 Presented by: Mark Stephens Welcome & Announcements Welcome

IIRSM Qatar 20 th March 2018 Presented by: Mark Stephens Welcome & Announcements Welcome & Announcements Welcome to: - All of our members and visitors, especially those attending for the first time; Representatives of our

370 views • 34 slides
The Impact of Increased Development Fees on Existing Housing: Evidence from South Carolina Sean

The Impact of Increased Development Fees on Existing Housing: Evidence from South Carolina Sean

The Impact of Increased Development Fees on Existing Housing: Evidence from South Carolina Sean Brunson, Richard Buttimer, Craig Depken University of North Carolina at Charlotte, Lafayette College April 21, 2020 Overview In July 2018, Fort

590 views • 15 slides

More recommend