complexity of automatic verification of cryptographic
play

Complexity of automatic verification of cryptographic protocols - PowerPoint PPT Presentation

Aug 28, 2022 •236 likes •946 views

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

  1. Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1

  2. Cryptographic protocols Communication on public network Cryptographic protocols: • Concurrent programs designed to secure communications • Rely on cryptographic primitives 2 / 29

  3. Context The protocol: Honest participants 3 / 29

  4. Context The protocol: Honest participants Controls the network Intruder 3 / 29

  5. Context The protocol: Honest participants Security properties Controls the network Intruder 3 / 29

  6. On the web Protocol HTTPS • Password based authentication • Confidentiality of personal data 4 / 29

  7. Payment with credit card • Authorization through PIN code • Wireless payment • Confidentiality of the transaction • Authenticity of the bank card 5 / 29

  8. Electronic passport • RFID chip inside the passport • Secret key printed on the passport • Confidentiality of personal data • Anonymity • Untraceability 6 / 29

  9. Electronic voting • Vote from personal computer • Vote from dedicated machines • Verifiability of the votes • Confidentiality of the vote • No partial results • One vote per voter • Anonymity of the voter • Coercition resistance 7 / 29

  10. Attacks Designing a secure protocol is hard ! Concrete attacks on: • authentication used by Google Apps • unlinkability of french passports • authentication of credit card (Yes-Card) • vote privacy on the Helios e-voting system • anonymity of routing protocols • … These attacks are the consequence of a bad design and not of a: • implementation bug • weak cryptographic primitives • usage of magical hacking techniques 8 / 29

  11. Existing models Cryptographic model Symbolic model 9 / 29

  12. Existing models Cryptographic model Symbolic model Bitstring Messages 9 / 29

  13. Existing models Cryptographic model Symbolic model Bitstring Messages Real algorithms Cryptographic primitives 9 / 29

  14. Existing models Cryptographic model Symbolic model Bitstring Messages Real algorithms Function symbols Cryptographic primitives 9 / 29

  15. Existing models Cryptographic model Symbolic model Bitstring Terms Messages Real algorithms Function symbols Cryptographic primitives 9 / 29

  16. Existing models Cryptographic model Symbolic model Bitstring Terms Messages Real algorithms Function symbols Cryptographic primitives PPT Idealized Attacker 9 / 29

  17. Existing models Cryptographic model Symbolic model Bitstring Terms Messages Real algorithms Function symbols Cryptographic primitives PPT Idealized Attacker "Easier" and mechanized Difficult and by hand Proofs 9 / 29

  18. Existing models Cryptographic model Symbolic model Bitstring Terms Messages Real algorithms Function symbols Cryptographic primitives PPT Idealized Attacker "Easier" and mechanized Difficult and by hand Proofs Strong and clear Unclear Security guarantees 9 / 29

  19. Symbolic models a, b, c, . . . Variables: Nonces: Symbolic terms x, y, z, . . . Functions symbols: enc , dec , h i , � , . . . enc ( x, y ) h x, y i a ⊕ x h i enc y y x x 10 / 29

  20. Symbolic models a, b, c, . . . Variables: Nonces: Symbolic terms x, y, z, . . . Functions symbols: enc , dec , h i , � , . . . enc ( x, y ) h x, y i a ⊕ x h i enc y y x x dec ( enc ( x, y ) , y ) → x proj 1 ( h x, y i ) ! x Rewrite rules 10 / 29

  21. Symbolic models a, b, c, . . . Variables: Nonces: Symbolic terms x, y, z, . . . Functions symbols: enc , dec , h i , � , . . . enc ( x, y ) h x, y i a ⊕ x h i enc y y x x dec ( enc ( x, y ) , y ) → x proj 1 ( h x, y i ) ! x Rewrite rules dec ( enc ( h m 1 , m 2 i , k ) , k ) ! h m 1 , m 2 i Example: 10 / 29

  22. Symbolic models a, b, c, . . . Variables: Nonces: Symbolic terms x, y, z, . . . Functions symbols: enc , dec , h i , � , . . . enc ( x, y ) h x, y i a ⊕ x h i enc Subterm convergent y y x x dec ( enc ( x, y ) , y ) → x proj 1 ( h x, y i ) ! x Rewrite rules dec ( enc ( h m 1 , m 2 i , k ) , k ) ! h m 1 , m 2 i Example: unblind ( sign ( blind ( x, y ) , z ) , y ) → sign ( x, z ) Monadic convergent 10 / 29

  23. Symbolic models Example : Electronic passport Knows k e Knows k e n T enc ( h n R , n T , k R i , k e ) enc ( h n T , n R , k T i , k e ) Passeport Reader 11 / 29

  24. Symbolic models Example : Electronic passport Freshly generated by Passport Knows k e Knows k e n T enc ( h n R , n T , k R i , k e ) enc ( h n T , n R , k T i , k e ) Passeport Reader 11 / 29

  25. Symbolic models Example : Electronic passport Freshly generated by Passport Knows k e Knows k e n T enc ( h n R , n T , k R i , k e ) enc ( h n T , n R , k T i , k e ) Passeport Reader Reader expects a nonce and returns it 11 / 29

  26. Symbolic models Example : Electronic passport Freshly generated by Passport Knows k e Knows k e n T enc ( h n R , n T , k R i , k e ) enc ( h n T , n R , k T i , k e ) Passeport Reader Freshly generated by Reader Reader expects a nonce and returns it 11 / 29

  27. Symbolic models Example : Electronic passport Knows k e Knows k e n T enc ( h n R , n T , k R i , k e ) enc ( h n T , n R , k T i , k e ) Passeport Reader Knowledge of intruder: nonces he can generate + 1 : n T enc ( h n R , n T , k R i , k e ) 2 : enc ( h n T , n R , k T i , k e ) 3 : 11 / 29

  28. Symbolic models Another trace of the Electronic passport Knows k e Knows k e KO n T enc ( h n R , KO, k R i , k e ) Error Passeport Reader Knowledge of intruder: nonces he can generate (e.g. ) + KO 1 : n T enc ( h n R , KO, k R i , k e ) 2 : 3 : Error 12 / 29

  29. Applied pi calculus 0 Nil P + Q Non deterministic choice P | Q Parallel if u = v then P else Q Test in ( c, x ) .P Input out ( c, u ) .P Output Name restriction ν k.P ! P Replication 13 / 29

  30. Applied pi calculus Knows k e Knows k e n T enc ( h n R , n T , k R i , k e ) enc ( h n T , n R , k T i , k e ) Passeport Reader P ( k e ) = ν n T . out ( c, n T ) . in ( c, x ) . if proj 3 ( dec ( x, k e )) = n T then ν k T . out ( c, h n T , proj 1 ( dec ( x, k e )) , k T i ) else out ( c, Error ) Main process: ! ν k e ! P ( k e ) | R ( k e ) 14 / 29

  31. Trace A trace = one execution of the process P ( k e ) = ν n T . out ( c, n T ) . in ( c, x ) . if proj 3 ( dec ( x, k e )) = n T then ν k T . out ( c, h n T , proj 1 ( dec ( x, k e )) , k T i ) else out ( c, Error ) ( ∅ , ν k e .P ( k e ) , id ) Initial configuration: Substitution representing Set of private names The process the knowledge of the attacker 15 / 29

  32. Trace P ( k e ) = ν n T . out ( c, n T ) . in ( c, x ) . if proj 3 ( dec ( x, k e )) = n T then ν k T . out ( c, h n T , proj 1 ( dec ( x, k e )) , k T i ) else out ( c, Error ) ( ∅ , ν k e .P ( k e ) , id ) w 1 16 / 29

  33. Trace P ( k e ) = ν n T . out ( c, n T ) . in ( c, x ) . if proj 3 ( dec ( x, k e )) = n T then ν k T . out ( c, h n T , proj 1 ( dec ( x, k e )) , k T i ) else out ( c, Error ) ( { k e } , P ( k e ) , id ) ( ∅ , ν k e .P ( k e ) , id ) w 1 16 / 29

  34. Trace P 1 = out ( c, n T ) . in ( c, x ) . if proj 3 ( dec ( x, k e )) = n T then ν k T . out ( c, h n T , proj 1 ( dec ( x, k e )) , k T i ) else out ( c, Error ) ( { k e } , P ( k e ) , id ) ( ∅ , ν k e .P ( k e ) , id ) ( { k e , n T } , P 1 , id ) w 1 16 / 29

  35. Trace P 2 = in ( c, x ) . if proj 3 ( dec ( x, k e )) = n T then ν k T . out ( c, h n T , proj 1 ( dec ( x, k e )) , k T i ) else out ( c, Error ) ( { k e } , P ( k e ) , id ) ( ∅ , ν k e .P ( k e ) , id ) ( { k e , n T } , P 1 , id ) ( { k e , n T } , P 2 , { n T / w 1 } ) out ( c, w 1 ) w 1 16 / 29

  36. Trace P 2 = in ( c, x ) . if proj 3 ( dec ( x, k e )) = n T then ν k T . out ( c, h n T , proj 1 ( dec ( x, k e )) , k T i ) else out ( c, Error ) ( { k e } , P ( k e ) , id ) ( ∅ , ν k e .P ( k e ) , id ) ( { k e , n T } , P 1 , id ) ( { k e , n T } , P 2 , { n T / w 1 } ) out ( c, w 1 ) in ( c, M ) w 1 16 / 29

  37. Trace P 2 = in ( c, x ) . if proj 3 ( dec ( x, k e )) = n T then ν k T . out ( c, h n T , proj 1 ( dec ( x, k e )) , k T i ) else out ( c, Error ) ( { k e } , P ( k e ) , id ) ( ∅ , ν k e .P ( k e ) , id ) ( { k e , n T } , P 1 , id ) ( { k e , n T } , P 2 , { n T / w 1 } ) out ( c, w 1 ) in ( c, M ) w 1 Cannot contain private names 16 / 29

  38. Trace P 2 = in ( c, x ) . if proj 3 ( dec ( x, k e )) = n T then ν k T . out ( c, h n T , proj 1 ( dec ( x, k e )) , k T i ) else out ( c, Error ) ( { k e } , P ( k e ) , id ) ( ∅ , ν k e .P ( k e ) , id ) ( { k e , n T } , P 1 , id ) ( { k e , n T } , P 2 , { n T / w 1 } ) out ( c, w 1 ) in ( c, M ) Can contain variables from the frame, i.e. w 1 Cannot contain private names 16 / 29

  39. Trace P 2 = in ( c, x ) . if proj 3 ( dec ( x, k e )) = n T then ν k T . out ( c, h n T , proj 1 ( dec ( x, k e )) , k T i ) else out ( c, Error ) ( { k e } , P ( k e ) , id ) ( ∅ , ν k e .P ( k e ) , id ) ( { k e , n T } , P 1 , id ) ( { k e , n T } , P 2 , { n T / w 1 } ) out ( c, w 1 ) in ( c, M ) Can contain variables from the frame, i.e. w 1 Cannot contain private names M = h n I , w 1 i Ex: 16 / 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS blanchet@di.ens.fr September 2011 Bruno Blanchet (INRIA) ProVerif September 2011

1.55k views • 143 slides
Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier

Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier

Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier ProVerif Bruno Blanchet INRIA Paris-Rocquencourt Bruno.Blanchet@inria.fr September 2013 Bruno Blanchet (INRIA) ProVerif September 2013 1 / 114

1.56k views • 132 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018

1.23k views • 78 slides
Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides
Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of

605 views • 46 slides
Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Organization of the course Two

774 views • 74 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE

Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE

Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE , Vanessa Terrade & Sylvain Vigier Universit e Joseph

1.01k views • 49 slides
Signed Cryptographic Program Verification with Typed C RYPTO L INE Yu-Fu Fu 1 , Jiaxiang Liu 2 ,

Signed Cryptographic Program Verification with Typed C RYPTO L INE Yu-Fu Fu 1 , Jiaxiang Liu 2 ,

Signed Cryptographic Program Verification with Typed C RYPTO L INE Yu-Fu Fu 1 , Jiaxiang Liu 2 , Xiaomu Shi 2 , Ming-Hsien Tsai 1 , Bow-Yaw Wang 1 , Bo-Yin Yang 1 1 Academia Sinica 2 Shenzhen University ACM CCS 2019 1/42 Outline Introduction 1

936 views • 79 slides
Automatic Verification of Automatic Verification of Automatic Verification of Automatic

Automatic Verification of Automatic Verification of Automatic Verification of Automatic

Automatic Verification of Automatic Verification of Automatic Verification of Automatic Verification of Competitive Stochastic Systems Competitive Stochastic Systems Competitive Stochastic Systems Competitive Stochastic Systems Marta

500 views • 29 slides
Automatic Translation Error Analysis or how to brute-force through exponential complexity

Automatic Translation Error Analysis or how to brute-force through exponential complexity

Automatic Translation Error Analysis or how to brute-force through exponential complexity algorithms by abusing beam search Mark Fishel, T ATI Feb. 5, 2011, Theory Days at Nelijrve Outline Approaches to MT evaluation Automatic analysis

418 views • 18 slides
Soutenance dhabilitation Verification of Embedded Systems Algorithms and Complexity

Soutenance dhabilitation Verification of Embedded Systems Algorithms and Complexity

Soutenance dhabilitation Verification of Embedded Systems Algorithms and Complexity Nicolas Markey LSV, CNRS & ENS Cachan, France April 8, 2011 Verification of embedded systems Computers are everywhere Verification of embedded

1.32k views • 115 slides
MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 Outline of Lectures Lecture 1 (Jan 22, Today) Intro to Verified Protocol Implementations

1.32k views • 112 slides
MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides

MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides

MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 TLS Handshakes ''''''ClientHello''''''''''''''''''99999999>'

744 views • 73 slides
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity .

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity .

MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity . Arnab Roy 1 and Tyge Tiessen 1 ) Technical University of Denmark 1 Royal Holloway, University of London 2 TU Graz 3 1 (joint work with Martin Albrecht

275 views • 26 slides
Efficient Parameter Estimation for ODE Models from Relative Data Using Hierarchical

Efficient Parameter Estimation for ODE Models from Relative Data Using Hierarchical

MASAMB 2016 Efficient Parameter Estimation for ODE Models from Relative Data Using Hierarchical Optimization Sabrina Krause, Carolin Loos, Jan Hasenauer Helmholtz Zentrum Mnchen Institute of Computational Biology Data-driven

1.03k views • 43 slides
PADS/ML A Functional Data Description Language Yitzhak Mandelbaum Princeton University, AT&T

PADS/ML A Functional Data Description Language Yitzhak Mandelbaum Princeton University, AT&T

PADS/ML A Functional Data Description Language Yitzhak Mandelbaum Princeton University, AT&T With: Kathleen Fisher, David Walker, Mary Fernandez, Artem Gleyzer Meet Stan Stan works for a large networking company, managing their routers.

731 views • 33 slides
Improving Data Access Performance of Applications in IT Infrastructure Hao Wen Advisor: David

Improving Data Access Performance of Applications in IT Infrastructure Hao Wen Advisor: David

Improving Data Access Performance of Applications in IT Infrastructure Hao Wen Advisor: David Du April 24 th , 2019 Department of Computer Science and Engineering, University of Minnesota, USA C enter for R esearch in I ntelligent S torage

1.1k views • 66 slides
1 1 1 1 1 1 1 1 1 1 1 1 1 1 Jerome F riedman T rev or Hastie Rob

1 1 1 1 1 1 1 1 1 1 1 1 1 1 Jerome F riedman T rev or Hastie Rob

Stanford Univ ersit y Decem b er Bo osting Stanford Univ ersit y Decem b er Bo osting Classication Problem Additiv e Logistic Regression a

675 views • 18 slides
Surfaces/Meshes Well stick to triangles Working with Meshes CS 176 Winter 2011 CS 176 Winter

Surfaces/Meshes Well stick to triangles Working with Meshes CS 176 Winter 2011 CS 176 Winter

Surfaces/Meshes Well stick to triangles Working with Meshes CS 176 Winter 2011 CS 176 Winter 2011 1 2 Discrete Surfaces Whats a Mesh? Setup Formally pointers floats topology & geometry abstract simplicial

532 views • 4 slides
CSSE 220 Interfaces and Polymorphism Check out Interfaces from SVN Interfaces What, When,

CSSE 220 Interfaces and Polymorphism Check out Interfaces from SVN Interfaces What, When,

CSSE 220 Interfaces and Polymorphism Check out Interfaces from SVN Interfaces What, When, Why, How? What: Code Structure used to express operations that multiple class have in common No method implementations No fields

611 views • 12 slides
Time-regularized versus framewise reconstruction (a) A = 2 . 8 cps (c) A = 5 . 7 cps (e) A = 5 . 7

Time-regularized versus framewise reconstruction (a) A = 2 . 8 cps (c) A = 5 . 7 cps (e) A = 5 . 7

Time-regularized versus framewise reconstruction (a) A = 2 . 8 cps (c) A = 5 . 7 cps (e) A = 5 . 7 cps t y x (b) A = 4 . 3 cps (d) A = 8 . 3 cps (f) A = 8 . 3 cps Tuning of scattering/regularization parameters p , 7 1 . 0 12 A = 2 . 8 cps A

401 views • 3 slides
1 Peter Series Lesson #143 September 6, 2018 Dean Bible Ministries www.deanbibleministries.org Dr.

1 Peter Series Lesson #143 September 6, 2018 Dean Bible Ministries www.deanbibleministries.org Dr.

1 Peter Series Lesson #143 September 6, 2018 Dean Bible Ministries www.deanbibleministries.org Dr. Robert L. Dean, Jr. Leading the Church: The Beginnings 1 Peter 5:14 1 Pet. 5:1, The elders who are among you I exhort, I who am a fellow

605 views • 33 slides

More recommend