can charlie distinguish alice and bob
play

Can Charlie distinguish Alice and Bob? Automated verification of - PowerPoint PPT Presentation

Jun 08, 2023 •219 likes •1.09k views

Can Charlie distinguish Alice and Bob? Automated verification of equivalence properties Steve Kremer joint work with: Myrto Arapinis, David Baelde, Rohit Chadha, Vincent Cheval, S tefan Ciob ac a, V eronique Cortier, St ephanie

  1. Can Charlie distinguish Alice and Bob? Automated verification of equivalence properties Steve Kremer joint work with: Myrto Arapinis, David Baelde, Rohit Chadha, Vincent Cheval, S ¸tefan Ciob˘ acˆ a, V´ eronique Cortier, St´ ephanie Delaune, Ivan Gazeau, Itsaka Rakotonirina, Mark Ryan 29th IEEE Computer Security Foundations Symposium 1/30

  2. Cryptographic protocols everywhere! ◮ Distributed programs that ◮ use crypto primitives (encryption, digital signature ,. . . ) ◮ to ensure security properties (confidentiality, authentication, anonymity,. . . ) 2/30

  3. Symbolic models for protocol verification Main ingredient of symbolic models ◮ messages = terms enc pair k s 1 s 2 ◮ perfect cryptography (equational theories) dec(enc( x , y ) , y ) = x fst(pair( x , y )) = x snd(pair( x , y )) = y ◮ the network is the attacker ◮ messages can be eavesdropped ◮ messages can be intercepted ◮ messages can be injected Dolev, Yao: On the Security of Public Key Protocols. FOCS’81 3/30

  4. Cryptographic protocols are tricky! 4/30

  5. Cryptographic protocols are tricky! Bhargavan et al.:FREAK, Logjam, SLOTH, . . . Cremers et al., S&P’16 4/30

  6. Cryptographic protocols are tricky! Arapinis et al., CCS’12 Bhargavan et al.:FREAK, Logjam, SLOTH, . . . Cremers et al., S&P’16 4/30

  7. Cryptographic protocols are tricky! Arapinis et al., CCS’12 Bhargavan et al.:FREAK, Logjam, SLOTH, . . . Cremers et al., S&P’16 Cortier & Smyth, CSF’11 4/30

  8. Cryptographic protocols are tricky! Arapinis et al., CCS’12 Bhargavan et al.:FREAK, Logjam, SLOTH, . . . Cremers et al., S&P’16 Cortier & Smyth, CSF’11 Steel et al., CSF’08, CCS’10 4/30

  9. Modelling the protocol Protocols modelled in a process calculus, e.g. the applied pi calculus P ::= 0 | in( c , x ) . P input | out( c , t ) . P output | if t 1 = t 2 then P else Q conditional | P | | Q parallel | ! P replication | new n . P restriction 5/30

  10. Modelling the protocol Protocols modelled in a process calculus, e.g. the applied pi calculus P ::= 0 | in( c , x ) . P input | out( c , t ) . P output | if t 1 = t 2 then P else Q conditional | P | | Q parallel | ! P replication | new n . P restriction Specificities: ◮ messages are terms (not just names as in the pi calculus) ◮ equality in conditionals interpreted modulo an equational theory 5/30

  11. Reasoning about attacker knowledge Terms output by a process are organised in a frame : n . { t 1 / x 1 , . . . , t n / x n } φ = new ¯ 6/30

  12. Reasoning about attacker knowledge Terms output by a process are organised in a frame : n . { t 1 / x 1 , . . . , t n / x n } φ = new ¯ Deducibility: φ ⊢ R t if R is a public term and R φ = E t Example ϕ = new n 1 , n 2 , k 1 , k 2 . { enc( n 1 , k 1 ) / x 1 , enc( n 2 , k 2 ) / x 2 , k 1 / x 3 } ϕ ⊢ dec( x 1 , x 3 ) n 1 ϕ ⊢ 1 1 ϕ �⊢ n 2 6/30

  13. Reasoning about attacker knowledge Terms output by a process are organised in a frame : n . { t 1 / x 1 , . . . , t n / x n } φ = new ¯ Static equivalence: φ 1 ∼ s φ 2 if ∀ public terms R , R ′ . R φ 1 = R ′ φ 1 ⇔ R φ 2 = R ′ φ 2 Examples new k . { enc( 0 , k ) / x 1 } ∼ s new k . { enc( 1 , k ) / x 1 } 6/30

  14. Reasoning about attacker knowledge Terms output by a process are organised in a frame : n . { t 1 / x 1 , . . . , t n / x n } φ = new ¯ Static equivalence: φ 1 ∼ s φ 2 if ∀ public terms R , R ′ . R φ 1 = R ′ φ 1 ⇔ R φ 2 = R ′ φ 2 Examples new n 1 , n 2 . { n 1 / x 1 , n 2 / x 2 } �∼ s new n 1 , n 2 . { n 1 / x 1 , n 1 / x 2 } ? Check ( x 1 = x 2 ) 6/30

  15. Reasoning about attacker knowledge Terms output by a process are organised in a frame : n . { t 1 / x 1 , . . . , t n / x n } φ = new ¯ Static equivalence: φ 1 ∼ s φ 2 if ∀ public terms R , R ′ . R φ 1 = R ′ φ 1 ⇔ R φ 2 = R ′ φ 2 Examples { enc( n , k ) / x 1 , k / x 2 } �∼ s { enc( 0 , k ) / x 1 , k / x 2 } Check ( dec ( x 1 , x 2 ) ? = 0 ) 6/30

  16. From authentication to privacy Many good tools: AVISPA, Casper, Maude-NPA, ProVerif, Scyther, Tamarin, . . . Good at verifying trace properties (predicates on system behavior), e.g., ◮ (weak) secrecy of a key ◮ authentication (correspondence properties) If B ended a session with A (and parameters p) then A must have started a session with B (and parameters p ′ ). 7/30

  17. From authentication to privacy Many good tools: AVISPA, Casper, Maude-NPA, ProVerif, Scyther, Tamarin, . . . Good at verifying trace properties (predicates on system behavior), e.g., ◮ (weak) secrecy of a key ◮ authentication (correspondence properties) If B ended a session with A (and parameters p) then A must have started a session with B (and parameters p ′ ). Not all properties can be expressed on a trace. � recent interest in indistinguishability properties . 7/30

  18. Indistinguishability as a process equivalence Naturally modelled using equivalences from process calculi Testing equivalence ( P ≈ Q ) for all processes A , we have that: A | P ⇓ c if, and only if, A | Q ⇓ c − → P ⇓ c when P can send a message on the channel c . 8/30

  19. A tour to the (equivalence) zoo testing equiv. obs. equiv. Abadi, Gordon. A Calculus for Cryptographic Protocols: The Spi Calculus. CCS’97, Inf.& Comp.’99 Abadi, Fournet. Mobile values, new names, and secure communication. POPL’01 9/30

  20. A tour to the (equivalence) zoo testing equiv. obs. equiv. labelled bisim. Abadi, Fournet. Mobile values, new names, and secure communication. POPL’01 9/30

  21. A tour to the (equivalence) zoo diff equiv. testing equiv. obs. equiv. labelled bisim. Blanchet et al.: Automated Verification of Selected Equivalences for Security Protocols. LICS’05 9/30

  22. A tour to the (equivalence) zoo diff equiv. testing equiv. obs. equiv. labelled bisim. Diff equivalence too fine grained for several properties. Blanchet et al.: Automated Verification of Selected Equivalences for Security Protocols. LICS’05 9/30

  23. A tour to the (equivalence) zoo diff equiv. testing equiv. obs. equiv. symbolic bisim. labelled bisim. Delaune et al. Symbolic bisimulation for the applied pi calculus. JCS’10 9/30

  24. A tour to the (equivalence) zoo diff equiv. testing equiv. obs. equiv. symbolic bisim. labelled bisim. Liu, Lin. A complete symbolic bisimulation for full applied pi calculus.TCS’12 9/30

  25. A tour to the (equivalence) zoo diff equiv. testing equiv. obs. equiv. trace equiv. symbolic bisim. labelled bisim. Cheval et al.: Deciding equivalence-based properties using constraint solving. TCS’13 9/30

  26. A tour to the (equivalence) zoo diff equiv. testing equiv. obs. equiv. trace equiv. symbolic bisim. labelled bisim. For a bounded number of sessions (no replication). Cheval et al.: Deciding equivalence-based properties using constraint solving. TCS’13 9/30

  27. A tour to the (equivalence) zoo diff equiv. testing equiv. obs. equiv. trace equiv. symbolic bisim. labelled bisim. For a class of determinate processes . Cheval et al.: Deciding equivalence-based properties using constraint solving. TCS’13 9/30

  28. A few security properties “Strong” secrecy (non-interference) in( c , x 1 ) . in( c , x 2 ) . P { x 1 / s } ≈ in( c , x 1 ) . in( c , x 2 ) . P { x 2 / s } 10/30

  29. A few security properties “Strong” secrecy (non-interference) in( c , x 1 ) . in( c , x 2 ) . P { x 1 / s } ≈ in( c , x 1 ) . in( c , x 2 ) . P { x 2 / s } Real-or-random secrecy P . out( c , s ) ≈ P . new r . out( c , r ) 10/30

  30. A few security properties “Strong” secrecy (non-interference) in( c , x 1 ) . in( c , x 2 ) . P { x 1 / s } ≈ in( c , x 1 ) . in( c , x 2 ) . P { x 2 / s } Real-or-random secrecy P . out( c , s ) ≈ P . new r . out( c , r ) Simulation based security ( I is an ideal functionality) ∃ S . P ≈ S [ I ] 10/30

  31. A few security properties “Strong” secrecy (non-interference) in( c , x 1 ) . in( c , x 2 ) . P { x 1 / s } ≈ in( c , x 1 ) . in( c , x 2 ) . P { x 2 / s } Real-or-random secrecy P . out( c , s ) ≈ P . new r . out( c , r ) Simulation based security ( I is an ideal functionality) ∃ S . P ≈ S [ I ] Anonymity P { a / id } ≈ P { b / id } 10/30

  32. A few security properties “Strong” secrecy (non-interference) in( c , x 1 ) . in( c , x 2 ) . P { x 1 / s } ≈ in( c , x 1 ) . in( c , x 2 ) . P { x 2 / s } Real-or-random secrecy P . out( c , s ) ≈ P . new r . out( c , r ) Simulation based security ( I is an ideal functionality) ∃ S . P ≈ S [ I ] Anonymity P { a / id } ≈ P { b / id } Vote privacy Unlinkability 10/30

  33. How to model vote privacy? How can we model “ the attacker does not learn my vote (0 or 1) ”? 11/30

  34. How to model vote privacy? How can we model “ the attacker does not learn my vote (0 or 1) ”? ◮ The attacker cannot learn the value of my vote 11/30

  35. How to model vote privacy? How can we model “ the attacker does not learn my vote (0 or 1) ”? ◮ The attacker cannot learn the value of my vote � but the attacker knows values 0 and 1 11/30

  36. How to model vote privacy? How can we model “ the attacker does not learn my vote (0 or 1) ”? ◮ The attacker cannot learn the value of my vote ◮ The attacker cannot distinguish A votes and B votes: V A ( v ) ≈ V B ( v ) 11/30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

= = = f f BOB BOB not does like not like = Alice Bob Alice Bob not Bob Coecke

= = = f f BOB BOB not does like not like = Alice Bob Alice Bob not Bob Coecke

picture logic for info-flow in language and physics (incl. the Lambek vs. Lambek battle) That flowin phyling October 2010 ALICE ALICE f f f f = = = f f BOB BOB not does like not like = Alice Bob Alice Bob not Bob

1.06k views • 94 slides
01 Meet ALICE ALICE A sset L imited I ncome C onstrained E mployed ALICE How we learned

01 Meet ALICE ALICE A sset L imited I ncome C onstrained E mployed ALICE How we learned

01 Meet ALICE ALICE A sset L imited I ncome C onstrained E mployed ALICE How we learned about ALICE How we got organized ALICE Steering Committee ALICE Research Advisory Committee ALICE Marketing Workgroup 28 United Ways

366 views • 21 slides
= = = f f BOB BOB meaning vectors of words not does like not like = Alice Bob Alice

= = = f f BOB BOB meaning vectors of words not does like not like = Alice Bob Alice

The logic of quantum mechanics - take II Bob Coecke arXiv:1204.3458 ALICE ALICE f f f f = = = f f BOB BOB meaning vectors of words not does like not like = Alice Bob Alice Bob not pregroup grammar An alternative

1.29k views • 118 slides
Introduction to Alice Alice is named in honor of Lewis Carroll s Alice in Wonderland Slides

Introduction to Alice Alice is named in honor of Lewis Carroll s Alice in Wonderland Slides

3/18/13 CS101 Lecture 20 Introduction to Alice Alice is named in honor of Lewis Carroll s Alice in Wonderland Slides Credit: Joel Adams, Alice in Action With thanks to John Magee for his guidance about these materials Alice A modern

447 views • 26 slides
2018 ALICE Report Overview Do You Know ALICE? ALICE is an acronym that stands for Asset

2018 ALICE Report Overview Do You Know ALICE? ALICE is an acronym that stands for Asset

2018 ALICE Report Overview Do You Know ALICE? ALICE is an acronym that stands for Asset Limited, Income Constrained, Employed. ALICE households have earnings above the Federal Poverty Level, but below a basic cost-of-living threshold. 2

292 views • 10 slides
= = = f f BOB BOB meaning vectors of words not does like = not like Alice Bob Alice

= = = f f BOB BOB meaning vectors of words not does like = not like Alice Bob Alice

The logic of quantum mechanics - take II arXiv:1204.3458 ALICE ALICE f f f f = = = f f BOB BOB meaning vectors of words not does like = not like Alice Bob Alice Bob not pregroup grammar genesis genesis

978 views • 79 slides
= = = f f BOB BOB meaning vectors of words not does like not like = Alice Bob Alice

= = = f f BOB BOB meaning vectors of words not does like not like = Alice Bob Alice

Physics, Language, Maths & Music (partly in arXiv:1204.3458) Bob Coecke, Oxford, CS-Quantum SyFest, Vienna, July 2013 ALICE ALICE f f f f = = = f f BOB BOB meaning vectors of words not does like not like = Alice Bob

1.03k views • 83 slides
Introduction to Alice 23 October 2012 Alice is named in honor of Lewis Carroll s Alice in

Introduction to Alice 23 October 2012 Alice is named in honor of Lewis Carroll s Alice in

10/22/12 CS101 Lecture 16 Introduction to Alice 23 October 2012 Alice is named in honor of Lewis Carroll s Alice in Wonderland Slides Credit: Joel Adams, Alice in Action With thanks to John Magee for his guidance about these materials

548 views • 27 slides
Alice TPC DCS 1 ALICE underground ACR CR1 CR2 CR3 CR4 PLUG ~50m ~15m ALICE BEAM DETECTOR

Alice TPC DCS 1 ALICE underground ACR CR1 CR2 CR3 CR4 PLUG ~50m ~15m ALICE BEAM DETECTOR

Alice TPC DCS 1 ALICE underground ACR CR1 CR2 CR3 CR4 PLUG ~50m ~15m ALICE BEAM DETECTOR ~55m 2 5.6.02 L.Jirdn Access ACR CR1 CR2 Cavern only CR3 accessible during CR4 shutdowns ! PLUG ~50m ~15m ALIC BEAM E DETECTO R ~55m 3

413 views • 30 slides
DIGITAL SIGNATURES 1 / 74 Signing by hand ALICE Pay Bob $100 COSMO ALICE

DIGITAL SIGNATURES 1 / 74 Signing by hand ALICE Pay Bob $100 COSMO ALICE

DIGITAL SIGNATURES 1 / 74 Signing by hand ALICE Pay Bob $100 COSMO ALICE Cosmo Alice Alice Bank =? no yes pay Bob Dont 2 / 74 Signing electronically SIGFILE scan Alice 101 1

654 views • 43 slides
Pine Grove Area School District ALiCE Implementation What is ALiCE? ALiCE is an options-based

Pine Grove Area School District ALiCE Implementation What is ALiCE? ALiCE is an options-based

Pine Grove Area School District ALiCE Implementation What is ALiCE? ALiCE is an options-based response which can increase survivability when faced with an active intruder situation. The program relies on the premise of providing information ,

195 views • 18 slides
cryptocomputing SEC2 2016 Lorient Renaud Sirdey CEA LIST (work in collaboration with other

cryptocomputing SEC2 2016 Lorient Renaud Sirdey CEA LIST (work in collaboration with other

Towards practical homomorphic cryptocomputing SEC2 2016 Lorient Renaud Sirdey CEA LIST (work in collaboration with other people cited at the end) July 2016 The dream Can Charlie do something useful for Alice using both Alice and Bob

355 views • 32 slides
Alice The 3D Object-Oriented Programming Environment Presentation by: Tom Goff What is Alice?

Alice The 3D Object-Oriented Programming Environment Presentation by: Tom Goff What is Alice?

Alice The 3D Object-Oriented Programming Environment Presentation by: Tom Goff What is Alice? Alice is a freely available, innovative way of teaching OOP concepts to students through storytelling. The user acts like the director of movie

308 views • 17 slides
Events (Alice In Ac.on, Ch 6) Slides Credit: Joel Adams, Alice in

Events (Alice In Ac.on, Ch 6) Slides Credit: Joel Adams, Alice in

CS 101 Lecture 26/27 Events (Alice In Ac.on, Ch 6) Slides Credit: Joel Adams, Alice in Action Objectives Programming to respond to events Create new events in Alice Create handler methods for Alice events

392 views • 17 slides
with ALICE at the LHC M. Gagliardi (INFN Torino) for the ALICE collaboration Workshop on

with ALICE at the LHC M. Gagliardi (INFN Torino) for the ALICE collaboration Workshop on

Quarkonium and heavy flavour physics with ALICE at the LHC M. Gagliardi (INFN Torino) for the ALICE collaboration Workshop on discovery physics at the LHC Kruger National Park (SA) 06/12/2010 1 Outline Physics motivation(s) The ALICE

956 views • 34 slides
ALICE Masterclass Magorzata Janik Before we start. Do you have the ALICE Masterclass files

ALICE Masterclass Magorzata Janik Before we start. Do you have the ALICE Masterclass files

ALICE Masterclass Magorzata Janik Before we start. Do you have the ALICE Masterclass files on your computer? If not, please copy them from USB stick to your local machine NOW! If you dont have ALICE software on the system

629 views • 29 slides
Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens

Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens

Cryptography Crash Course Symmetric Key Cryptography School on Secure IoT, 2016 Dr. Ir. Jens Hermans KU Leuven/COSIC Cryptology: basic principles Eve Alice Bob CRYP CRYP Clear Clear %^C& %^C& TOB TOB @&^( @&^(

1.32k views • 119 slides
The Forgotten Art of Anonymous Digital Cash Jonathan Smuggler Logan Before the Chains

The Forgotten Art of Anonymous Digital Cash Jonathan Smuggler Logan Before the Chains

The Forgotten Art of Anonymous Digital Cash Jonathan Smuggler Logan Before the Chains Blockchain currencies were not the first digital non-government money The past is widely forgotten Im here from the past or from

402 views • 23 slides
Low-Rank Decomposition of Multi-Way Arrays: A Signal Processing Perspective Nikos Sidiropoulos

Low-Rank Decomposition of Multi-Way Arrays: A Signal Processing Perspective Nikos Sidiropoulos

TUC & UMN Nikos Sidiropoulos / SAM 2004, July 18-21, 2004, Sitges, Barcelona, Spain Low-Rank Decomposition of Multi-Way Arrays: A Signal Processing Perspective Nikos Sidiropoulos Dept. ECE, TUC-Greece & UMN-U.S.A

796 views • 35 slides
Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security

Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security

Union, Intersection, and Refinement Types and Reasoning about Type Disjointness for Security Protocol Analysis C t lin Hri cu Prof. Dr. Holger Hermanns (UdS) Dean of Math and CS Faculty Prof. Dr. Gert Smolka (UdS) Chair of Examination

1.39k views • 107 slides
Multi Signature Schemes for RSA Jonas B. Erasmus Thursday 25 th April, 2019 Chair of Network

Multi Signature Schemes for RSA Jonas B. Erasmus Thursday 25 th April, 2019 Chair of Network

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Multi Signature Schemes for RSA Jonas B. Erasmus Thursday 25 th April, 2019 Chair of Network Architectures and Services Department of

500 views • 19 slides
Security considerations for e-voting Motivation National election debacle Outcry for

Security considerations for e-voting Motivation National election debacle Outcry for

Security considerations for e-voting Motivation National election debacle Outcry for improved process 1 Technology Technology improves Travel Transportation Accounting Entertainment Communications Natural

551 views • 28 slides
Efficient Quantum-Immune Keyless Signatures with Identity Risto Laanoja Tallinn University of

Efficient Quantum-Immune Keyless Signatures with Identity Risto Laanoja Tallinn University of

Efficient Quantum-Immune Keyless Signatures with Identity Risto Laanoja Tallinn University of Technology / Guardtime AS May 17, 2014 Estonian CS Theory days at Narva-J oesuu TL; DR Built a practical signature scheme without modular

585 views • 25 slides
Security Models For Everlasting Privacy Athecrypt 2020 Panagiotis Grontas Aris Pagourtzis

Security Models For Everlasting Privacy Athecrypt 2020 Panagiotis Grontas Aris Pagourtzis

Security Models For Everlasting Privacy Athecrypt 2020 Panagiotis Grontas Aris Pagourtzis Alexandros Zacharakis National Technical University Of Athens 07.01.2020 https://eprint.iacr.org/2019/1193 TL;DR Game-based definitions for

628 views • 28 slides

More recommend