rewriting in protocol verification
play

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, - PowerPoint PPT Presentation

Apr 07, 2023 •317 likes •900 views

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday, June 29th, 2020 1/23 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure communication ( e.g.

  1. Rewriting in Protocol Verification Stéphanie Delaune Univ Rennes, CNRS, IRISA, France Monday, June 29th, 2020 1/23

  2. Cryptographic protocols everywhere ! Cryptographic protocols ◮ small programs designed to secure communication ( e.g. secrecy, authentication, anonymity, . . . ) ◮ use cryptographic primitives ( e.g. encryption, signature, . . . . . . ) The network is unsecure! Communications take place over a public network like the Internet. 2/23

  3. Cryptographic protocols everywhere ! Cryptographic protocols ◮ small programs designed to secure communication ( e.g. secrecy, authentication, anonymity, . . . ) ◮ use cryptographic primitives ( e.g. encryption, signature, . . . . . . ) It becomes more and more important to protect our privacy. 2/23

  4. How cryptographic protocols can be attacked? Cryptanalysis ◮ Differential attacks, ◮ Boomerang attacks, ◮ Cube attacks, ◮ . . . 3/23

  5. How cryptographic protocols can be attacked? Logical attacks ◮ can be mounted even assuming perfect cryptography, ֒ → replay attack, man-in-the middle attack, . . . ◮ subtle and hard to detect by “eyeballing” the protocol This is the so-called Dolev-Yao attacker ! 3/23

  6. How cryptographic protocols can be attacked? Logical attacks ◮ can be mounted even assuming perfect cryptography, ֒ → replay attack, man-in-the middle attack, . . . ◮ subtle and hard to detect by “eyeballing” the protocol Example: An authentication flaw on the Needham Schroeder protocol A → B : { A , N A } pub( B ) B → A : { N A , N B } pub( A ) A → B : { N B } pub( B ) NS protocol (1978) 3/23

  7. How cryptographic protocols can be attacked? Logical attacks ◮ can be mounted even assuming perfect cryptography, ֒ → replay attack, man-in-the middle attack, . . . ◮ subtle and hard to detect by “eyeballing” the protocol Example: An authentication flaw on the Needham Schroeder protocol A → B : { A , N A } pub( B ) A → B : { A , N A } pub( B ) B → A : { N A , N B } pub( A ) B → A : { N A , N B , B } pub( A ) A → B : { N B } pub( B ) A → B : { N B } pub( B ) NS protocol (1978) NS-Lowe protocol (1995) 3/23

  8. How cryptographic protocols can be attacked? Logical attacks ◮ can be mounted even assuming perfect cryptography, ֒ → replay attack, man-in-the middle attack, . . . ◮ subtle and hard to detect by “eyeballing” the protocol Example: FREAK attack by Barghavan et al. (2015) A logical flaw that allows a man-in-the- middle attacker to downgrade connections from ’strong’ RSA to ’export grade’ RSA. 3/23

  9. How cryptographic protocols can be attacked? Logical attacks ◮ can be mounted even assuming perfect cryptography, ֒ → replay attack, man-in-the middle attack, . . . ◮ subtle and hard to detect by “eyeballing” the protocol Example: A traceability attack on the BAC protocol (2010) privacy issue The register - Jan. 2010 3/23

  10. Basic Acccess Control (BAC) protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) { N P , N R , K P } KE , MAC KM ( { N P , N R , K P } KE ) K seed = K P ⊕ K R K seed = K P ⊕ K R 4/23

  11. Unlinkability/Untraceability Informally, an observer/attacker can not observe the difference between the two following situations: 1. a situation where the same passport may be used twice (or even more); 2. a situation where each passport is used at most once. 5/23

  12. Unlinkability/Untraceability Informally, an observer/attacker can not observe the difference between the two following situations: 1. a situation where the same passport may be used twice (or even more); 2. a situation where each passport is used at most once. More formally, ? !new ke . new km . (! P BAC | ! R BAC ) ≈ !new ke . new km . ( P BAC | R BAC ) ↑ ↑ many sessions only one session for each passport for each passport (we still have to formalize the notion of equivalence) 5/23

  13. Some other equivalence-based security properties Vote privacy the fact that a particular voter voted in a particular way is not revealed to anyone Strong secrecy the fact that an adversary cannot see any difference when the value of the secret changes − → stronger than the notion of secrecy as non-deducibility. Guessing attack the fact that an adversary can not learn the value of passwords even if he knows that they have been choosen in a particular dic- tionary. 6/23

  14. How rewriting and unification theory can help us in protocol verification? 7/23

  15. Messages as terms - Back to the BAC protocol Nonces n r , n p , and keys k r , k p , k e , k m are modelled using names Cryptographic primitives are modelled using function symbols ◮ encryption/decryption: senc / 2, sdec / 2 ◮ concatenation/projections: � , � / 2, proj 1 / 1, proj 2 / 1 ◮ mac construction: mac / 2 sdec(senc( x , y ) , y ) = x proj 1 ( � x , y � ) = x proj 2 ( � x , y � ) = y 8/23

  16. Messages as terms - Back to the BAC protocol Nonces n r , n p , and keys k r , k p , k e , k m are modelled using names Cryptographic primitives are modelled using function symbols ◮ encryption/decryption: senc / 2, sdec / 2 ◮ concatenation/projections: � , � / 2, proj 1 / 1, proj 2 / 1 ◮ mac construction: mac / 2 sdec(senc( x , y ) , y ) = x proj 1 ( � x , y � ) = x proj 2 ( � x , y � ) = y Exclusive-or operator: ⊕ of arity 2 and 0 (neutral element) x ⊕ ( y ⊕ z ) = ( x ⊕ y ) ⊕ z x ⊕ x = 0 x ⊕ y y ⊕ x x ⊕ 0 = = x 8/23

  17. Messages as terms - Back to the BAC protocol Nonces n r , n p , and keys k r , k p , k e , k m are modelled using names Cryptographic primitives are modelled using function symbols ◮ encryption/decryption: senc / 2, sdec / 2 ◮ concatenation/projections: � , � / 2, proj 1 / 1, proj 2 / 1 ◮ mac construction: mac / 2 sdec(senc( x , y ) , y ) = x proj 1 ( � x , y � ) = x proj 2 ( � x , y � ) = y Equational theories are useful to model algebraic properties of cryptographic primitives. 8/23

  18. Computations as recipes frame = knowledge of the attacker = sequence of messages φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } 9/23

  19. Computations as recipes frame = knowledge of the attacker = sequence of messages φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } Example: adec(aenc( x , pk( y )) , y ) → x { w 1 ⊲ pk( ska ); w 2 ⊲ pk( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc( � a , n a � , pk( skc )) } . initial knowledge 1st message of NS 9/23

  20. Computations as recipes frame = knowledge of the attacker = sequence of messages φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } Example: adec(aenc( x , pk( y )) , y ) → x { w 1 ⊲ pk( ska ); w 2 ⊲ pk( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc( � a , n a � , pk( skc )) } . initial knowledge 1st message of NS Some recipes: ◮ from his private key skc , the attacker is able to get his public key with R = pk( w 3 ); ◮ R = aenc(adec( w 4 , w 3 ) , w 2 ) – this is the first step of the man-in-the-middle attack on NS protocol 9/23

  21. Computations as recipes frame = knowledge of the attacker = sequence of messages φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } Example: adec(aenc( x , pk( y )) , y ) → x { w 1 ⊲ pk( ska ); w 2 ⊲ pk( skb ); w 3 ⊲ skc ; w 4 ⊲ aenc( � a , n a � , pk( skc )) } . initial knowledge 1st message of NS Some recipes: ◮ from his private key skc , the attacker is able to get his public key with R = pk( w 3 ); ◮ R = aenc(adec( w 4 , w 3 ) , w 2 ) – this is the first step of the man-in-the-middle attack on NS protocol Rewriting is useful to express computations performed by the attacker. 9/23

  22. Static equivalence Warm-up − → this is the so-called passive attacker 10/23

  23. The static equivalence problem ( φ ∼ ψ ) ◮ Input: two substitutions (called frames) φ and ψ φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } ψ = { w 1 ⊲ v 1 , . . . , w ℓ ⊲ v ℓ } ◮ Output: Can the attacker distinguish the two frames, i.e. does ? there exist a test R 1 = R 2 such that: R 1 φ = E R 2 φ but R 1 ψ � = E R 2 ψ (or the converse). 11/23

  24. The static equivalence problem ( φ ∼ ψ ) ◮ Input: two substitutions (called frames) φ and ψ φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } ψ = { w 1 ⊲ v 1 , . . . , w ℓ ⊲ v ℓ } ◮ Output: Can the attacker distinguish the two frames, i.e. does ? there exist a test R 1 = R 2 such that: R 1 φ = E R 2 φ but R 1 ψ � = E R 2 ψ (or the converse). Example 1: adec(aenc( x , pk( y )) , y ) = x ◮ φ = { w 1 ⊲ pk( sks ); w 2 ⊲ aenc( yes , pk( sks )) } ; and ◮ ψ = { w 1 ⊲ pk( sks ); w 2 ⊲ aenc( no , pk( sks )) } . 11/23

  25. The static equivalence problem ( φ ∼ ψ ) ◮ Input: two substitutions (called frames) φ and ψ φ = { w 1 ⊲ u 1 , . . . , w ℓ ⊲ u ℓ } ψ = { w 1 ⊲ v 1 , . . . , w ℓ ⊲ v ℓ } ◮ Output: Can the attacker distinguish the two frames, i.e. does ? there exist a test R 1 = R 2 such that: R 1 φ = E R 2 φ but R 1 ψ � = E R 2 ψ (or the converse). Example 1: adec(aenc( x , pk( y )) , y ) = x ◮ φ = { w 1 ⊲ pk( sks ); w 2 ⊲ aenc( yes , pk( sks )) } ; and ◮ ψ = { w 1 ⊲ pk( sks ); w 2 ⊲ aenc( no , pk( sks )) } . → They are not in static equivalence: aenc( yes , w 1 ) ? − = w 2 . 11/23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formalizing and Analyzing the Needham-Schroeder Symmetric-Key Protocol by Rewriting Monica Nesi

Formalizing and Analyzing the Needham-Schroeder Symmetric-Key Protocol by Rewriting Monica Nesi

Formalizing and Analyzing the Needham-Schroeder Symmetric-Key Protocol by Rewriting Monica Nesi Giuseppina Rucci Dipartimento di Informatica Universit di L' Aquila (Italy) ARSPA05 p.1 Protocol Verification Aim: formally prove

670 views • 49 slides
Software Specification and Verification in Rewriting Logic: Lecture 1 Jos e Meseguer Computer

Software Specification and Verification in Rewriting Logic: Lecture 1 Jos e Meseguer Computer

Software Specification and Verification in Rewriting Logic: Lecture 1 Jos e Meseguer Computer Science Department University of Illinois at Urbana-Champaign 1 Sequential vs. Concurrent Programs Programs come in many different languages and

1.82k views • 153 slides
Relating Strands and Multiset Rewriting For Security Protocol Analysis Iliano Cervesato Nancy

Relating Strands and Multiset Rewriting For Security Protocol Analysis Iliano Cervesato Nancy

Relating Strands and Multiset Rewriting For Security Protocol Analysis Iliano Cervesato Nancy Durgin, Patrick Lincoln John Mitchell, Andre Scedrov July 3 rd , 2000 CSFW-13 Cambridge, UK Representing Security Protocols Several recent

632 views • 38 slides
MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan

MPRI 2-30: Automated Verification of Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 Outline of Lectures Lecture 1 (Jan 22, Today) Intro to Verified Protocol Implementations

1.32k views • 112 slides
Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar

Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Inform aticos y Computaci on Universitat Polit` ecnica de Val` encia sescobar@dsic.upv.es Santiago Escobar (UPV)

892 views • 68 slides
Formal Semantics and Automated Verification for the Border Gateway Protocol Konstantin Doug

Formal Semantics and Automated Verification for the Border Gateway Protocol Konstantin Doug

Formal Semantics and Automated Verification for the Border Gateway Protocol Konstantin Doug Emina Michael Arvind Zachary Weitz Woos Torlak D. Ernst Krishnamurthy Tatlock The Border Gateway Protocol The Border Gateway Protocol AS AS

645 views • 29 slides
Verification of the Session Management Protocol A Formal Methods Case Study Karl Palmskog School

Verification of the Session Management Protocol A Formal Methods Case Study Karl Palmskog School

Verification of the Session Management Protocol A Formal Methods Case Study Karl Palmskog School of Computer Science and Communication Royal Institute of Technology 2006-11-02 Karl Palmskog Verification of the Session Management Protocol

648 views • 27 slides
Protocol Verification using Flows: An Industrial Experience Murali Talupur Joint work with John

Protocol Verification using Flows: An Industrial Experience Murali Talupur Joint work with John

Protocol Verification using Flows: An Industrial Experience Murali Talupur Joint work with John O Leary, Mark R. Tuttle SCL, Intel Corp Parametric Verification using Flows P A True or Cex P(N) Model Check Abstract Last year we

479 views • 32 slides
Verification of the Session Management Protocol Masters Project in Computer Science Karl

Verification of the Session Management Protocol Masters Project in Computer Science Karl

Verification of the Session Management Protocol Masters Project in Computer Science Karl Palmskog Supervisor: Mads Dam Examiner: Johan H astad Commissioned by Yuri Ismailov at Ericsson AB 2006-11-08 Karl Palmskog Verification of the

488 views • 15 slides
Title: Formal Specification and Verification of a Communication Protocol (temporary) Author:

Title: Formal Specification and Verification of a Communication Protocol (temporary) Author:

Title: Formal Specification and Verification of a Communication Protocol (temporary) Author: Hojung Bang Affiliation: KAIST Address: 373-1, Kuseong-dong, Yuseong-gu, Daejeon, 305-701, Korea Abstract: In this paper, we summarized our experience

285 views • 6 slides
Formal verification of the implementation of the MQTT protocol in IoT devices Kristiyan Mladenov

Formal verification of the implementation of the MQTT protocol in IoT devices Kristiyan Mladenov

Formal verification of the implementation of the MQTT protocol in IoT devices Kristiyan Mladenov University of Amsterdam Faculty of Physics, Mathematics and Informatics MSc System and Network Engineering Research Project 2 July 3, 2017 1 /

476 views • 33 slides
1 Use second form Sample Protocol Goals Given set of traces Authenticity: who sent it?

1 Use second form Sample Protocol Goals Given set of traces Authenticity: who sent it?

TECS Week 2005 Analysis Techniques Protocol Verification by the Inductive Method Crypto Protocol Analysis Dolev-Yao Formal Models Computational Models (perfect cryptography) Random oracle Probabilistic process calculi John Mitchell

63 views • 4 slides
Protocol-based Verification of Message-passing Parallel Programs Hugo A. L opez, Eduardo R. B.

Protocol-based Verification of Message-passing Parallel Programs Hugo A. L opez, Eduardo R. B.

t i f a r c A t * C o m * p l * t e n t e A e t * A s i W s E n L e o l C l S C D P * o * c O e s u u m E O e R e n v o t t d e * y s * a a E d l u e a t Protocol-based

543 views • 37 slides
MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides

MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides

MPRI 2-30: ! Automated Verification of ! Cryptographic Protocol Implementations K Bhargavan (Slides from A.D. Gordon and C. Fournet) Spring, 2014 TLS Handshakes ''''''ClientHello''''''''''''''''''99999999>'

744 views • 73 slides
Solution 1: Rule Rewriting The grammar rewriting approach attempts to Natural Language

Solution 1: Rule Rewriting The grammar rewriting approach attempts to Natural Language

Solution 1: Rule Rewriting The grammar rewriting approach attempts to Natural Language capture local tree information by rewriting the grammar so that the rules capture the Processing regularities we want. By splitting and merging the

417 views • 5 slides
Planning for Change in a Formal Verification of the Raft Consensus Protocol Doug James

Planning for Change in a Formal Verification of the Raft Consensus Protocol Doug James

Planning for Change in a Formal Verification of the Raft Consensus Protocol Doug James Steve Zach Mike Tom Woos Wilcox Anton Tatlock Ernst Anderson Contributions First formal proof of Rafts safety first verified

1.17k views • 52 slides
Multivariate Cryptography Part 1: Basics Albrecht Petzoldt PQCrypto Summer School 2017

Multivariate Cryptography Part 1: Basics Albrecht Petzoldt PQCrypto Summer School 2017

Multivariate Cryptography Part 1: Basics Albrecht Petzoldt PQCrypto Summer School 2017 Eindhoven, Netherlands Tuesday, 20.06.2017 A. Petzoldt Multivariate Cryptography PQCrypto Summer School 1 / 24 Multivariate Cryptography [DS06] MPKC:

621 views • 24 slides
Report on Evaluation of Symmetric-Key Cryptographic Techniques May 22, 2003 Toshinobu Kaneko

Report on Evaluation of Symmetric-Key Cryptographic Techniques May 22, 2003 Toshinobu Kaneko

Report on Evaluation of Symmetric-Key Cryptographic Techniques May 22, 2003 Toshinobu Kaneko Chair, Symmetric-Key Cryptography Subcommittee (Science University of Tokyo) 1 Symmetric-Key Cryptography Subcommittee(2002) K.Araki (TIT)

998 views • 20 slides
On related-key attacks and KASUMI: the case of A5/3 Phuong Ha Nguyen 1 , M.J.B. Robshaw 2 ,

On related-key attacks and KASUMI: the case of A5/3 Phuong Ha Nguyen 1 , M.J.B. Robshaw 2 ,

Motivation 64-bit key version of Kasumi used for A5/3 Upper bound for any 3-round related-key differential over A5/3 Resistance against Crypto2010 Attack Conclusion On related-key attacks and KASUMI: the case of A5/3 Phuong Ha Nguyen 1 ,

624 views • 26 slides
Side-channel attacks in a microkernel environment Thomas Frase Thomas.b.Frase@student.hs-rm.de

Side-channel attacks in a microkernel environment Thomas Frase Thomas.b.Frase@student.hs-rm.de

Side-channel attacks in a microkernel environment Thomas Frase Thomas.b.Frase@student.hs-rm.de Fabian Seiberling Fabian.b.Seiberling@student.hs-rm.de 1st Wiesbaden Workshop on 13.02.2014 Advanced Microkernel Operating Systems Table of

580 views • 27 slides
Outline Framework Antiderivative Functions Applications Conclusion Outline Framework

Outline Framework Antiderivative Functions Applications Conclusion Outline Framework

Antiderivative Functions over F 2 n Valentin SUDER Seminar CALIN - Paris 13 April 12nd 2016. ComSec Lab, University of Waterloo ON, CANADA Outline Framework Antiderivative Functions Applications Conclusion Outline Framework Symmetric

999 views • 57 slides
Authenticated ciphers D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja

Authenticated ciphers D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja

Authenticated ciphers D. J. Bernstein University of Illinois at Chicago Joint work with: Tanja Lange Technische Universiteit Eindhoven Advertisement: SHARCS 2012 (Special-Purpose Hardware for Attacking Cryptographic Systems) is right before

1.03k views • 61 slides
Open Problems in Multivariate Cryptography Louis Goubin LGoubin@ slb.com Nicolas Courtois

Open Problems in Multivariate Cryptography Louis Goubin LGoubin@ slb.com Nicolas Courtois

Open Problems in Multivariate Cryptography Louis Goubin LGoubin@ slb.com Nicolas Courtois Ncourtois@ slb.com SchlumbergerSema Louveciennes France Bruges - 26/11/2002 STORK Cryptography Workshop 1 Design of Block Ciphers and Hash

429 views • 4 slides
Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology

Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology

T-79.159 Cryptography and Data Security Lecture 2: Secret Key Cryptography Helger Lipmaa Helsinki University of Technology helger@tcs.hut.fi T-79.159 Cryptography and Data Security, 28.01.2004 Lecture 2: Secret Key Cryptography, Helger Lipmaa

1.25k views • 34 slides

More recommend