formal computational unlinkability proofs of rfid
play

Formal Computational Unlinkability Proofs of RFID Protocols Hubert - PowerPoint PPT Presentation

Sep 09, 2022 •267 likes •483 views

Formal Computational Unlinkability Proofs of RFID Protocols Hubert Comon, Adrien Koutsos January 29, 2018 Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 1 / 21 Motivations Security protocols Distributed

  1. Formal Computational Unlinkability Proofs of RFID Protocols Hubert Comon, Adrien Koutsos January 29, 2018 Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 1 / 21

  2. Motivations Security protocols Distributed programs which aim at providing some security properties. The KCL + RFID protocol $ ← R : n R $ T A : n T ← 1 : R − → T A : n R 2 : T A − → R : � A ⊕ H ( n T , k A ) , n T ⊕ H ( n R , k A ) � Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 2 / 21

  3. Security Properties Security protocols are short: few lines of specification. Security properties are complex: the attacker controls the network. ⇒ Need to use formal methods. The problem Given a protocol P and a class of attackers C , show that: ∀A ∈ C ( P | A ) satisfies φ sec Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 3 / 21

  4. Attacker Models Models Dolev Yao Computational Messages representation: Abstract terms Bitstrings Explicitly specified Polynomial Time Adversaries capabilities: through a TRS Probabilistic TMs Advantages and drawbacks Dolev Yao Computational Good proof automation Few proof automation Not a realistic model Strong security guarantees But with implicit hypothesis Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 4 / 21

  5. The Complete Symbolic Attacker Model The Complete Symbolic Attacker Model [Bana,Comon 2012] A first-order logic. Axioms specifying what the adversary cannot do. Security of a protocol expressed as a goal formula. Advantages All hypotheses appear explicitly in the axioms. Possible proof automation. Security implies computational security. Two logics Reachability properties: [Scerri 2016] We focus on the indistinguishability logic. Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 5 / 21

  6. Motivations 1 The Complete Symbolic Attacker Model 2 Syntax Computational semantics Axioms 3 Structural Axioms Pseudo Random Function Case Studies: Security of Two RFID Protocols 4 Conclusion 5 Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 6 / 21

  7. Syntax Term algebra Control flow function symbols: if _ then _ else _ , EQ ( _ ; _ ) , true , false Protocol function symbols: {� _ , _ � , π 1 ( _ ) , π 2 ( _ ) , H ( _ , _ ) , _ ⊕ _ } Adversarial function symbols G . A set of names N . A set of variables X . Formulas φ ::= � u ∼ � v | φ ∧ φ | ¬ φ | ⊥ | ∀ x .φ where � v are sequences of terms u , � Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 7 / 21

  8. Example The KCL + protocol 1 : R − → T A : n R 2 : T A − → R : � A ⊕ H ( n T , k A ) , n T ⊕ H ( n R , k A ) � Example Terms: m A = � A ⊕ H ( n T , k A ) , n T ⊕ H ( g ( n R ) , k A ) � Formula: n R , m A ∼ n R , m B Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 8 / 21

  9. Computational Semantics of Terms Computational model M c : term interpretation f / n ∈ Σ ∪ G interpreted as a polynomial time Turing Machine. n ∈ N interpreted as a random sampling { if _ then _ else _ , EQ ( _ ; _ ) , true , false } interpretations are the expected ones. Computational model M c : predicate interpretation ∼ interpreted as computational indistinguishability. Example For every computational model M c we have: M c | = A ⊕ n 1 ∼ B ⊕ n 2 Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 9 / 21

  10. Proof Technique Goal u ∼ � Ground formula � v expressing the security of the protocol. The formula is automatically obtained by folding the executions of the protocol [Bana,Comon 14]. Axioms A : what the adversary cannot do Computationally valid structural axioms. Implementation and cryptographic axioms. Soundness Theorem [Bana,Comon 14] If A ∧ � u �∼ � v is unsatisfiable then the protocol is computationally secure. (under some cryptographic/implementation assumptions) Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 10 / 21

  11. Motivations 1 The Complete Symbolic Attacker Model 2 Syntax Computational semantics Axioms 3 Structural Axioms Pseudo Random Function Case Studies: Security of Two RFID Protocols 4 Conclusion 5 Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 11 / 21

  12. Structural Axioms : Examples Relation axioms x ∼ y Sym x ∼ y y ∼ z Trans Refl x ∼ x y ∼ x x ∼ z ∼ is not a congruence! Counter-Example: n ∼ n and n ∼ n ′ , but n , n �∼ n , n ′ . Function Application If you cannot distinguish the arguments, you cannot distinguish the images. x 1 , . . . , x n ∼ y 1 , . . . , y n FunApp f ( x 1 , . . . , x n ) ∼ f ( y 1 , . . . , y n ) Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 12 / 21

  13. Pseudo Random Function Definition H is a Pseudo Random Function if for every PPTM adversary A : | Pr ( k : A O H ( · , k ) ( 1 η ) = 1 ) − Pr ( g : A O g ( · ) ( 1 η ) = 1 ) | is negligible in η , where: k is drawn uniformly in { 0 , 1 } η . g is drawn uniformly in the set of all functions from { 0 , 1 } ∗ to { 0 , 1 } η . Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 13 / 21

  14. Translation in the Logic Axiom for one hash H ( s , k ) ∼ n Where k does not appear in s . Bad axiom for two hashes If s and t are syntactically distinct, H ( s , k ) , H ( t , k ) ∼ H ( s , k ) , n Counter-Example: s = g ( A ) , t = g ( B ) and we interpret the attacker function g as a constant function. Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 14 / 21

  15. Translation in the Logic The PRF 2 Axioms H ( s , k ) , if EQ ( t ; s ) then 0 else H ( t , k ) ∼ H ( s , k ) , if EQ ( t ; s ) then 0 else n where: H and k only occur in ( s , t ) as H ( s , k ) . n does not occur in ( s , t ) . Theorem : Soundness The ( PRF n ) n ∈ N axioms are valid in every computational model M c such that the interpretation of H satisfies the PRF assumption. Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 15 / 21

  16. Motivations 1 The Complete Symbolic Attacker Model 2 Syntax Computational semantics Axioms 3 Structural Axioms Pseudo Random Function Case Studies: Security of Two RFID Protocols 4 Conclusion 5 Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 16 / 21

  17. Security Property KCL + Protocol: Unlinkability for 2 rounds (A , A vs. A , B) φ sec n R , m 1 , n ′ R , m A 2 ∼ n R , m 1 , n ′ R , m B ≡ 2 2 where m 1 , m A 2 are the terms: m 1 = � A ⊕ H ( n T , k A ) , n T ⊕ H ( g ( n R ) , k A ) � m X 2 = � X ⊕ H ( n ′ T , k X ) , n ′ T ⊕ H ( g ′ ( n R , m 1 , n ′ R ) , k X ) � Unlinkability for n Rounds. A formula φ sec expressing unlinkability for n rounds of a protocol can n be automatically computed from the specification. If A ∧ ¬ φ sec is unsatisfiable then the protocol satisfies Strong n Privacy [Juels,Weis 2009] for n rounds. Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 17 / 21

  18. Case Studies Theorem: Unlinkability of KCL + Assuming PRF for the keyed hash function, the KCL + protocol verifies Strong Privacy for two agents and any number of rounds. Theorem: Unlinkability of LAK + Assuming PRF for the keyed hash function, the LAK + protocol verifies Strong Privacy for two agents and two rounds. Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 18 / 21

  19. Motivations 1 The Complete Symbolic Attacker Model 2 Syntax Computational semantics Axioms 3 Structural Axioms Pseudo Random Function Case Studies: Security of Two RFID Protocols 4 Conclusion 5 Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 19 / 21

  20. Conclusion Contributions Designed and proved axioms for PRF, CR, XOR and PRNG. Formally expressed Strong Privacy [Juels,Weis 2009] in our model. Proved Strong Privacy of KCL + for an arbitrary number of rounds. Proved Strong Privacy LAK + protocol for two rounds. Showed attacks against KCL + and LAK + for weaker assumptions. Future Work More examples, with more primitives (RFID or not). Automation through decidability of (a fragment of) the logic. Interactive/automatic prover. Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 20 / 21

  21. Thanks for your attention Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 21 / 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS09, Shanghai, China October 13, 2009 Background Formal verification of security protocols from

312 views • 28 slides
Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10

Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10

Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10 - 12 September 2016, Hamburg) Gyesik Lee Hankyong National University 1 Overview 1. Verification of proofs 2. Hales proof of the Kepler

651 views • 43 slides
Flexiformality in Proofs: Bridging between Formal and Informal Proofs Michael Kohlhase Professur

Flexiformality in Proofs: Bridging between Formal and Informal Proofs Michael Kohlhase Professur

Flexiformality in Proofs: Bridging between Formal and Informal Proofs Michael Kohlhase Professur fr Wissensreprsentation und -verarbeitung Informatik, FAU Erlangen-Nrnberg http://kwarc.info 20. October 2016, Dagstuhl Seminar on

568 views • 39 slides
Extracting computational content from proofs Helmut Schwichtenberg (j.w.w. Diana Ratiu)

Extracting computational content from proofs Helmut Schwichtenberg (j.w.w. Diana Ratiu)

Logic for inductive definitions Realizability interpretation Decorating proofs Extracting computational content from proofs Helmut Schwichtenberg (j.w.w. Diana Ratiu) Mathematisches Institut, LMU, M unchen National Institute of

1.57k views • 36 slides
Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight

March 2, 2014 Monte Jade's RFID Seminar Atlanta, USA 1. TSA worldwide RFID Trial History 2. ASTREC research effort in RFID 3. Inflight RFID 4. Current Airport RFID Deployments 5. Atlanta International Airport Activity with IATA RFID

912 views • 35 slides
03aInductive Definitions CS 3234: Logic and Formal Systems Martin Henz and Aquinas Hobor

03aInductive Definitions CS 3234: Logic and Formal Systems Martin Henz and Aquinas Hobor

What are inductive definitions? Formal definitions Taking cases and proofs by induction Inductive definitions and proofs by induction in Coq Extensions to other structures & summary 03aInductive Definitions CS 3234: Logic and Formal

678 views • 64 slides
Formal Proofs for Global Optimization Templates and Sums of Squares Victor MAGRON

Formal Proofs for Global Optimization Templates and Sums of Squares Victor MAGRON

Introduction SOS Certificates Maxplus Approximation Nonlinear Templates Formal SOS Conclusion Formal Proofs for Global Optimization Templates and Sums of Squares Victor MAGRON INRIA-LIX/CMAP, cole Polytechnique 2013 December 9 th Victor

1.38k views • 113 slides
IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing

IntelliSense RFID RFID PLATFORM WITH SENSORS INTEGRATION CAPABILITIES One Global Sensing Tag Oslo, 28 November 2007 IntelliSense RFID Workshop IntelliSense RFID RESEARCH PROJECT FOR TECHNOLOGY DEVELOPMENT WITHIN THE FIELDS OF RFID

788 views • 13 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio

The Art of RFID Exploitation Melanie Rieback FIRST 20 June, 2007 What is RFID? RFID = Radio Frequency Identification Modern RFID Applications VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips Subdermal RFID VeriChips

628 views • 29 slides
DEWDROP: AN ENERGY- AWARE RUNTIME FOR COMPUTATIONAL RFID Michael Buettner (UW), Benjamin

DEWDROP: AN ENERGY- AWARE RUNTIME FOR COMPUTATIONAL RFID Michael Buettner (UW), Benjamin

DEWDROP: AN ENERGY- AWARE RUNTIME FOR COMPUTATIONAL RFID Michael Buettner (UW), Benjamin Greenstein (Intel Labs, Seattle), David Wetherall (UW) Key Question How can we run programs on embedded computers using only scavenged RF energy? Battery

685 views • 29 slides
Computational content of proofs Helmut Schwichtenberg Mathematisches Institut, LMU, M unchen

Computational content of proofs Helmut Schwichtenberg Mathematisches Institut, LMU, M unchen

Partial continuous functionals Terms denoting computable functionals Logic of inductive definitions Computational content Computational content of proofs Helmut Schwichtenberg Mathematisches Institut, LMU, M unchen Pohlers-Fest, M

704 views • 29 slides
Distributed Enforcement of Unlinkability Policies: Looking Beyond the Chinese Wall Apu Kapadia,

Distributed Enforcement of Unlinkability Policies: Looking Beyond the Chinese Wall Apu Kapadia,

Distributed Enforcement of Unlinkability Policies: Looking Beyond the Chinese Wall Apu Kapadia, Prasad Naldurg, Roy H. Campbell Dartmouth College (ISTS) Microsoft Research, India University of Illinois at Urbana-Champaign Policy 2007 Lack

369 views • 15 slides
Formal software engineering for computational modelling Formal software engineering Focus on

Formal software engineering for computational modelling Formal software engineering Focus on

Formal software engineering for computational modelling Formal software engineering Focus on the formal, mathematical side of software Ex. Algebra Three problems What are the concepts that have to be used for the construction of

110 views • 7 slides
GeoProof: A user interface for formal proofs in geometry. Julien Narboux under the supervision

GeoProof: A user interface for formal proofs in geometry. Julien Narboux under the supervision

GeoProof: A user interface for formal proofs in geometry. Julien Narboux under the supervision of Hugo Herbelin INRIA-Futurs, LIX, Ecole Polytechnique UITP 2006, Seattle Plan 1 Related work and motivations 2 A general presentation of

565 views • 35 slides
XI. Computational Complexity Yuxi Fu BASICS, Shanghai Jiao Tong University Mathematic proofs,

XI. Computational Complexity Yuxi Fu BASICS, Shanghai Jiao Tong University Mathematic proofs,

XI. Computational Complexity Yuxi Fu BASICS, Shanghai Jiao Tong University Mathematic proofs, like computations, are energy consuming business. There are mathematical theorems, and computational tasks, that require more resources than what are

768 views • 35 slides
On Direct Distribution Matching for Adapting Segmentation Networks MIDL 2020 Georg Pichler, Jose

On Direct Distribution Matching for Adapting Segmentation Networks MIDL 2020 Georg Pichler, Jose

On Direct Distribution Matching for Adapting Segmentation Networks MIDL 2020 Georg Pichler, Jose Dolz, Ismail Ben Ayed, and Pablo Piantanida TU Wien, Austria & TS, Montreal, Canada & CentraleSuplec-CNRS-Universit Paris Sud &

240 views • 10 slides
Chromatic symmetric functions on graphs and polytopes 30th FPSAC, Hanover NH, Darmouth College

Chromatic symmetric functions on graphs and polytopes 30th FPSAC, Hanover NH, Darmouth College

Chromatic symmetric functions on graphs and polytopes 30th FPSAC, Hanover NH, Darmouth College Ra ul Penagui ao University of Zurich July 16th, 2018 Ra ul Penagui ao (University of Zurich) Kernel problems July 16th, 2018 1 / 23

605 views • 23 slides
Protein-Protein Interactions and Macromolecule Modelling Juliette Martin Team Modelling

Protein-Protein Interactions and Macromolecule Modelling Juliette Martin Team Modelling

Protein-Protein Interactions and Macromolecule Modelling Juliette Martin Team Modelling Biological Macromolecules UMR 5086 Molecular Microbiology and Structural Biochemistry, IBCP Lyon Runion MASIM, Paris 16 novembre 2017 Where are we ?

836 views • 22 slides
High Performance Computing at High Performance Computing at the University of Utah: A User the

High Performance Computing at High Performance Computing at the University of Utah: A User the

High Performance Computing at High Performance Computing at the University of Utah: A User the University of Utah: A User Services Overview Services Overview Julia Caldwell CHPC, University of Utah Overview Overview Resources l Research

447 views • 26 slides
Model Checking 5G Security David Basin ETH Zurich Real World Crypto January 2020 Thanks Tamarin

Model Checking 5G Security David Basin ETH Zurich Real World Crypto January 2020 Thanks Tamarin

Model Checking 5G Security David Basin ETH Zurich Real World Crypto January 2020 Thanks Tamarin Team Simon Meier Benedikt Schmidt Cas Cremers Ralf Sasse Jannik Dreier 5G (verified using Tamarin) Ralf Sasse Jannik Dreier Sasa Radomirovic

906 views • 26 slides
Disclosures Updates on Oncologic I have nothing to disclose Emergencies, Including Side Effects

Disclosures Updates on Oncologic I have nothing to disclose Emergencies, Including Side Effects

6/20/2019 Disclosures Updates on Oncologic I have nothing to disclose Emergencies, Including Side Effects of New Therapies Gerald Hsu, MD, PhD Assoc. Clinical Professor of Medicine University of California, San Francisco Hypercalcemia | Old

382 views • 10 slides
Webinar Login Directions Recommend calling in on your telephone . Enter your unique Audio

Webinar Login Directions Recommend calling in on your telephone . Enter your unique Audio

Webinar Login Directions Recommend calling in on your telephone . Enter your unique Audio PIN so we can mute/unmute your line when necessary. Audio PIN : Will be displayed after you log into GoToWebinar. This button should be clicked

706 views • 42 slides
Cert-Lexsi Cert-Lexsi Dead angle ( Torpig vs PRG) Dead angle ( Torpig vs PRG) Dead angle (

Cert-Lexsi Cert-Lexsi Dead angle ( Torpig vs PRG) Dead angle ( Torpig vs PRG) Dead angle (

Cert-Lexsi Cert-Lexsi Dead angle ( Torpig vs PRG) Dead angle ( Torpig vs PRG) Dead angle ( Torpig vs PRG) Dead angle ( Torpig vs PRG) 2 Agenda Cert-Lexsi Presentation Torpig vs PRG: Introduction Ecosystems Propagation

633 views • 15 slides

More recommend