
CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols



  1. Introduction Using CryptoVerif Proof technique Enc-then-MAC example FDH example Conclusion CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, École Normale Supérieure, INRIA, Paris September 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif September 2009 1 / 72

  2. Introduction. Two models for security protocols:
     - Computational model: messages are bitstrings; cryptographic primitives are functions from bitstrings to bitstrings; the adversary is a probabilistic polynomial-time Turing machine. Proofs are done manually.
     - Formal model (so-called “Dolev-Yao model”): cryptographic primitives are ideal blackboxes; messages are terms built from the cryptographic primitives; the adversary is restricted to use only the primitives. Proofs can be done automatically.
     Our goal: achieve automatic provability under the realistic computational assumptions.

  3. Introduction. Two approaches for the automatic proof of cryptographic protocols in a computational model:
     - Indirect approach: 1) Make a Dolev-Yao proof. 2) Use a theorem that shows the soundness of the Dolev-Yao approach with respect to the computational model. Pioneered by Abadi and Rogaway; pursued by many others.
     - Direct approach: Design automatic tools for proving protocols in a computational model. Approach pioneered by Laud.

  4. Advantages and drawbacks. The indirect approach allows more reuse of previous work, but it has limitations:
     - Hypotheses have to be added to make sure that the computational and Dolev-Yao models coincide.
     - The allowed cryptographic primitives are often limited, and only ideal, not very practical primitives can be used.
     - Using the Dolev-Yao model is actually a (big) detour: the computational definitions of primitives fit the computational security properties to prove. They do not fit the Dolev-Yao model.
     We decided to focus on the direct approach.

  5. An automatic prover. We have implemented an automatic prover, CryptoVerif, which:
     - proves secrecy and correspondence (including authentication) properties.
     - provides a generic method for specifying properties of cryptographic primitives which handles MACs (message authentication codes), symmetric encryption, public-key encryption, signatures, hash functions, ...
     - works for N sessions (polynomial in the security parameter), with an active adversary.
     - gives a bound on the probability of an attack (exact security).

  6. Produced proofs. We use Shoup’s and Bellare & Rogaway’s game hopping method. The proof is a sequence of games:
     - The first game is the real protocol.
     - One goes from one game to the next by syntactic transformations or by applying the definition of security of a cryptographic primitive. Between consecutive games, the difference of probability of success of an attack is negligible.
     - The last game is “ideal”: the security property is obvious from the form of the game. (The advantage of the adversary is typically 0 for this game.)

  7. Input and output of the tool.
     1. Prepare the input file containing:
        - the specification of the protocol to study (initial game),
        - the security assumptions on the cryptographic primitives,
        - the security properties to prove.
     2. Run CryptoVerif.
     3. CryptoVerif outputs:
        - the sequence of games that leads to the proof,
        - a succinct explanation of the transformations performed between games,
        - an upper bound of the probability of success of an attack.

  8. Process calculus for games. Games are formalized in a process calculus:
     - It is adapted from the pi calculus.
     - The semantics is purely probabilistic (no non-determinism).
     - All processes run in polynomial time: polynomial number of copies of processes, length of messages on channels bounded by polynomials.
     This calculus is inspired by:
     - the calculus of [Lincoln, Mitchell, Mitchell, Scedrov, 1998],
     - the calculus of [Laud, 2005].

  9. Example.
        A → B : e = {k′}k, mac(e, mk)    (k′ fresh)
     A sends to B a fresh key k′ encrypted under authenticated encryption, implemented as encrypt-then-MAC. k′ should remain secret.

  10. Example (initialization).
        A → B : e = {k′}k, mac(e, mk)    (k′ fresh)

        Q0 = start(); new r : keyseed; let k : key = kgen(r) in
             new r′ : mkeyseed; let mk : mkey = mkgen(r′) in c⟨⟩; (QA | QB)

     Initialization of keys:
     1. The process Q0 waits for a message on channel start to start running. The adversary triggers this process.
     2. Q0 generates encryption and MAC keys, k and mk respectively, using the key generation algorithms kgen and mkgen.
     3. Q0 returns control to the adversary by the output c⟨⟩.
     QA and QB represent the actions of A and B (see next slides).

  11. Example (role of A).
        A → B : e = {k′}k, mac(e, mk)    (k′ fresh)

        QA = !i≤n cA(); new k′ : key; new r″ : coins;
             let e : bitstring = enc(k2b(k′), k, r″) in cA⟨e, mac(e, mk)⟩

     Role of A:
     1. !i≤n represents n copies, indexed by i ∈ [1, n]. The protocol can be run n times (polynomial in the security parameter).
     2. The process is triggered when a message is sent on cA by the adversary.
     3. The process chooses a fresh key k′ and sends the message on channel cA.

  12. Example (role of B).
        A → B : e = {k′}k, mac(e, mk)    (k′ fresh)

        QB = !i′≤n cB(e′ : bitstring, ma : macstring);
             if verify(e′, mk, ma) then let i⊥(k2b(k″)) = dec(e′, k) in cB⟨⟩

     Role of B:
     1. n copies, as for QA.
     2. The process QB waits for the message on channel cB.
     3. It verifies the MAC, decrypts, and stores the key in k″.

  13. Example (summary).
        A → B : e = {k′}k, mac(e, mk)    (k′ fresh)

        Q0 = start(); new r : keyseed; let k : key = kgen(r) in
             new r′ : mkeyseed; let mk : mkey = mkgen(r′) in c⟨⟩; (QA | QB)

        QA = !i≤n cA(); new k′ : key; new r″ : coins;
             let e : bitstring = enc(k2b(k′), k, r″) in cA⟨e, mac(e, mk)⟩

        QB = !i′≤n cB(e′ : bitstring, ma : macstring);
             if verify(e′, mk, ma) then let i⊥(k2b(k″)) = dec(e′, k) in cB⟨⟩

  15. Security assumptions on primitives. The most frequent cryptographic primitives are already specified in a library. The user can use them without redefining them. In the example:
     - The MAC is UF-CMA (unforgeable under chosen message attacks). An adversary that has access to the MAC and verification oracles has a negligible probability of forging a MAC (for a message on which the MAC oracle has not been called).
     - The encryption is IND-CPA (indistinguishable under chosen plaintext attacks). An adversary has a negligible probability of distinguishing the encryption of two messages of the same length.
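
The encrypt-then-MAC example of the slides above (Q0, role of A, role of B), written out as an added Python sketch; it is not part of the slides and not CryptoVerif input. Assumptions: HMAC-SHA256 stands in for the MAC, a counter-mode stream built from HMAC-SHA256 stands in for the randomized encryption, keys are already byte strings (so k2b is the identity), and the key and coin sizes are chosen for the sketch.

```python
import hashlib, hmac, secrets

KEY_LEN, COINS_LEN = 32, 16  # sizes assumed for this sketch

def _stream(k, coins, n):
    # Stand-in cipher (assumption): HMAC-SHA256 as a PRF in counter mode.
    blocks = (hmac.new(k, coins + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def enc(m, k, coins):  # randomized: the coins r'' travel with the ciphertext
    return coins + bytes(a ^ b for a, b in zip(m, _stream(k, coins, len(m))))

def dec(e, k):  # returns None (the failure value) on a malformed ciphertext
    if len(e) < COINS_LEN:
        return None
    coins, body = e[:COINS_LEN], e[COINS_LEN:]
    return bytes(a ^ b for a, b in zip(body, _stream(k, coins, len(body))))

def mac(e, mk):
    return hmac.new(mk, e, hashlib.sha256).digest()

def verify(e, mk, ma):
    return hmac.compare_digest(mac(e, mk), ma)  # constant-time comparison

def q0():  # Q0: generate the encryption key k and the MAC key mk
    return secrets.token_bytes(KEY_LEN), secrets.token_bytes(KEY_LEN)

def role_a(k, mk):  # QA: fresh k', fresh coins, output (e, mac(e, mk))
    k_prime = secrets.token_bytes(KEY_LEN)
    e = enc(k_prime, k, secrets.token_bytes(COINS_LEN))
    return k_prime, (e, mac(e, mk))

def role_b(k, mk, e, ma):  # QB: verify the MAC first, decrypt only if it holds
    if not verify(e, mk, ma):
        return None
    k2 = dec(e, k)
    return k2 if k2 is not None and len(k2) == KEY_LEN else None

def demo():
    k, mk = q0()
    k_prime, (e, ma) = role_a(k, mk)
    altered = e[:-1] + bytes([e[-1] ^ 1])  # constructed in-transit modification
    return (role_b(k, mk, e, ma) == k_prime,     # honest run: B stores k'
            role_b(k, mk, altered, ma) is None,  # the MAC check rejects it
            dec(altered, k) != k_prime)          # unauthenticated dec yields a wrong key
```

The third result shows why the two assumptions are combined: the encryption alone still decrypts a modified ciphertext to some key, and it is the MAC check before decryption that makes B refuse it.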
