secure protocols for secrecy
play

Secure Protocols for Secrecy Hanane Houmani and Mohamed Mejri LSFM - PowerPoint PPT Presentation

Jun 03, 2023 •176 likes •518 views

Secure Protocols for Secrecy Hanane Houmani and Mohamed Mejri LSFM Research Group Computer Science Department LAVAL University Quebec, Canada Houmani, 2003 p. 1/25 c Outline Motivations Related works Overview Protocol Modelling

  1. Secure Protocols for Secrecy Hanane Houmani and Mohamed Mejri LSFM Research Group Computer Science Department LAVAL University Quebec, Canada � Houmani, 2003 – p. 1/25 c

  2. Outline Motivations Related works Overview Protocol Modelling Secrecy property Correctness conditions Correctness theorem Example Conclusion and future works � Houmani, 2003 – p. 2/25 c

  3. Motivations Problems: ➪ Urgent need of security to develop Internet, www, electronic trade, etc. confidence between the electronic market actors Analysis of security protocols ➪ subtle and complex Need of guarantee that the protocols, used to make our transactions secure, don’t have any flaw ➪ Need of methods to verify the correctness of cryptographic protocols � Houmani, 2003 – p. 3/25 c

  4. Motivations Problems: ➪ Urgent need of security to develop Internet, www, electronic trade, etc. confidence between the electronic market actors Analysis of security protocols ➪ subtle and complex Need of guarantee that the protocols, used to make our transactions secure, don’t have any flaw ➪ Need of methods to verify the correctness of cryptographic protocols Objectives: Establish some sufficient conditions under which the correctness of a given protocol is guaranteed Conditions must be verified easily on a protocol � Houmani, 2003 – p. 3/25 c

  5. Related works Logical methods: based on multi-modal logics (temporal, epistemic and doxatic logics). BAN, CKT5, GNY, etc. General purpose formal methods: based on the use of traditional formal specification and verification methods. Z, VDM, B, RSL, Coq, Isabelle, HOL, etc. Process algebra methods: based on the use of process algebra for the protocol description and for verification. CSP , CCS, LOTOS, SPI, etc. Search oriented methods: based on the intruder abilities modeling and the search of insecure states. Interrogator, NRL, etc. Correctness oriented methods : based on proving correctness of protocols Methods based on model-checking, Typing system of Abadi, Inductive method of Paulson, method proving of Guttman, etc. � Houmani, 2003 – p. 4/25 c

  6. Overview Result: Any protocol that satisfies correctness conditions, is correct with respect to the secrecy property � Houmani, 2003 – p. 5/25 c

  7. Overview Result: Any protocol that satisfies correctness conditions, is correct with respect to the secrecy property Correctness verification: The verification of the correctness condition on a given protocol consists of a verification on the whole of messages sent in roles-based specification of this protocol. The verification of the correctness condition on protocols can be automatized. This result involves the protocols that use symmetric and atomic keys � Houmani, 2003 – p. 5/25 c

  8. Outline Motivations Related works Overview Protocol Modelling Basics Protocol & Generalized roles Reduction Example Secrecy property Correctness conditions Correctness theorem Example Conclusion and future works � Houmani, 2003 – p. 6/25 c

  9. Basics Message : A, B, C, S and I. : principal identities N a : nonce chosen by A k ab : shared key between A and B k a (resp k − 1 a ): A’s public key (resp A’s private key.) { m } k : message encrypted by public key of A m.m : composed message Communication step: → B : m i A � Houmani, 2003 – p. 7/25 c

  10. Protocol Modelling A Protocol is defined by a pair � P, K � , where: P has to respect the following BNF grammar: ::= � i, A → B : m � | P.P P K is a set of triples like ( X, K X , F X ) Role-based specification : is a set of generalized roles extracted from the analyzed protocol. Generalized roles are extracted from the protocol according to the following steps Extracting the roles: A role is a protocol abstraction where the emphasis is put on a particular principal. Extracting the generalized roles: A generalized role is an abstraction of a role where some messages are replaced by variables � Houmani, 2003 – p. 8/25 c

  11. Protocol Modelling Reduction ( ↓ ): Let M be a set of messages. The reduction of M , denoted by M ↓ , is defined as the normal form of M obtained from the following rewriting rules: ( M ∪ { m 1 .m 2 } ) ↓ → c ( M ∪ { m 1 , m 2 } ) ↓ ( M ∪ {{ m } k , k } ) ↓ → e ( M ∪ { m, k } ) ↓ Extended Reduction ( ↓ x ): Let M be a set of messages. The extended reduction of M , denoted by M ↓ x , is defined as the normal form of M obtained using the following rewriting rules: M ∪ { m 1 .m 2 } → c x M ∪ { m 1 , m 2 } M ∪ {{ m } α , β } → e x M ∪ {{ m } α , β } ∪ { mσ, βσ | σ = mgu ( α, β ) } � Houmani, 2003 – p. 9/25 c

  12. Protocol Modelling Example: Let p = � P, K � be the following protocol :  P = � 1 , A → S : { A.B.N a } k as � .      � 2 , S → A : {{ A } N a .B.k ab } k as � .   � α. 1 , A → I ( S ) : { A.B.N α A = a } k as � .    � 3 , S → B : { A.B.k ab } k bs �    a .B.k α � α. 2 , I ( S ) → A : {{ A } N α ab } k as �         { ( A, K A , F A ) , ( B, K B , F B ) , ( S, K S , F S ) }  K =   � α. 3 , I ( S ) → B : { A.B.k α B = ab } k bs �  ➪  K A = { A, B, S, k as }   K B = { A, B, S, k bs }   � α. 1 , I ( A ) → S : { A.B.N α  S = a } k as � .    K S = { A, B, S, k ab , k bs , k as }   a .B.k α � α. 2 , S → I ( A ) : {{ A } N α ab } k as � .    F A = { N a }    � α. 3 , S → I ( B ) : { A.B.k α ab } k bs �    F B = ∅       F S = { k ab }  � Houmani, 2003 – p. 10/25 c

  13. Protocol Modelling Example: � α. 1 , A → I ( S ) : { A.B.N α � α. 1 , A → I ( S ) : { A.B.N α A = a } k as � . A G = a } k as � . a .B.k α � α. 2 , I ( S ) → A : {{ A } N α ab } k as � � α. 2 , I ( S ) → A : {{ A } N α a .B.X } k as � � α. 3 , I ( S ) → B : { A.B.k α B = ab } k bs � B G = � α. 3 , I ( S ) → B : { A.B.Y } k bs � ➪ � α. 1 , I ( A ) → S : { A.B.N α S = a } k as � . S G = � α. 1 , I ( A ) → S : { A.B.Z } k as � . a .B.k α � α. 2 , S → I ( A ) : {{ A } Z .B.k α � α. 2 , S → I ( A ) : {{ A } N α ab } k as � . ab } k as � . � α. 3 , S → I ( B ) : { A.B.k α � α. 3 , S → I ( B ) : { A.B.k α ab } k bs � ab } k bs � D ( p ) the set of all messages sent by the honest agents in all generalized roles of p and the initial knowledge of the intruder D ( p ) = K I ∪ {{ A.B.N α a } k as , {{ A } Z .B.k α ab } k as , { A.B.k α ab } k bs } � Houmani, 2003 – p. 11/25 c

  14. Outline Motivations Overview Protocol Modelling Secrecy property Trace Def/ Use Secrecy property Relationship between valid trace and generalized roles Correctness conditions Correctness theorem Example Conclusion and future works � Houmani, 2003 – p. 12/25 c

  15. Secrecy property Valid trace : Intuitively, a trace is an interleaving of many runs of the protocol in the presence of an active intruder. A trace is considered as valid when all the honest principals act according to the protocol specification and all the messages sent by the intruder are previously known by him � Houmani, 2003 – p. 13/25 c

  16. Secrecy property Valid trace : Intuitively, a trace is an interleaving of many runs of the protocol in the presence of an active intruder. A trace is considered as valid when all the honest principals act according to the protocol specification and all the messages sent by the intruder are previously known by him Def / Use : Def ( τ ) : The set of messages sent by the honest agent in τ Use ( τ ) : The set of messages received by the honest agent in τ � Houmani, 2003 – p. 13/25 c

  17. Secrecy property Valid trace : Intuitively, a trace is an interleaving of many runs of the protocol in the presence of an active intruder. A trace is considered as valid when all the honest principals act according to the protocol specification and all the messages sent by the intruder are previously known by him Def / Use : Def ( τ ) : The set of messages sent by the honest agent in τ Use ( τ ) : The set of messages received by the honest agent in τ Secret property: a protocol keeps a message m secret, if there is no valid trace that leaks this message to an intruder. Formally: ∀ τ, S ∩ Def ( τ ) ↓ = ∅ � Houmani, 2003 – p. 13/25 c

  18. Relationship between valid traces and generalized roles Valid trace : Intuitively, a trace is an interleaving of many runs of the protocol in the presence of an active intruder. A trace is considered as valid when all the honest principals act according to the protocol specification and all the messages sent by the intruder are previously known by him Honest agent acts according to the protocol specification if any given run in which he participates is an instance (variables are replaced by constant messages) of a prefix of his generalized role ➻ Let p be a protocol and τ a p -valid trace. There exist n communication steps, { e 1 , . . . , e n } ⊆ η R G ( p ) and a substitution σ such that: = { e 1 , . . . , e n } σ τ � Houmani, 2003 – p. 14/25 c

  19. Outline Motivations Overview Protocol Modelling Secrecy property Correctness conditions Correctness theorem Example Conclusion and future works � Houmani, 2003 – p. 15/25 c

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research & Boston University y Michael Schapira

701 views • 54 slides
Perfect Secrecy A cryptosystem is unconditionally secure if it cannot be broken, even with

Perfect Secrecy A cryptosystem is unconditionally secure if it cannot be broken, even with

Perfect Secrecy A cryptosystem is unconditionally secure if it cannot be broken, even with infinite computational resources. (There are other (weaker) types of security; well talk about those later.) A cryptosystem is unconditionally secure

642 views • 4 slides
Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols

Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols

Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against passive adversaries MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against

2.07k views • 85 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Concurrently Secure Protocols Huijia (Rachel) Lin Rafael Pass MIT & BU Cornell Secure MPC

Concurrently Secure Protocols Huijia (Rachel) Lin Rafael Pass MIT & BU Cornell Secure MPC

Black-Box Constructions of Concurrently Secure Protocols Huijia (Rachel) Lin Rafael Pass MIT & BU Cornell Secure MPC Secure MPC Goal: Allow a set of distrustful parties to compute ANY function f on their own Secure MPC Goal: Allow a set

1.11k views • 98 slides
Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons

Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons

Secure Communica-on Protocols Today SSL/TLS Protec-on for web browsing / transac-ons SSH Secure shell (remote login) IPSec IP Security suite, originally for use with IPv6 SSL/TLS Secure Sockets Layer / Transport Layer

322 views • 18 slides
TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication

TLS/SSL TLS (Transport Layer Security) A suite of protocols to provide secure communication Confidentiality by applying block & stream ciphers - Integrity with MACs - Authenticity with certificates - Predecessor: SSL (secure

557 views • 13 slides
Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure

Cryptographic Approaches for Securing Routing Protocols Adrian Perrig perrig@cmu.edu Why Secure Routing? Current routing protocols assume trusted environment! Even misconfigurations severely disrupt Internet routing Secure routing

245 views • 22 slides
Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty

Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty

Yehuda Lindell (BIU) Amos Beimel (BGU BGU) Il Ilan Orlov ov (BGU GU) ) Eran Omri (BIU) We explore 1/p-secure multiparty protocols wi without out an honest majority Positive result: 1/p-secure protocols for cons

487 views • 27 slides
Cryptography Mohammad Mahmoody Last time Secrecy based on (unproven) computational

Cryptography Mohammad Mahmoody Last time Secrecy based on (unproven) computational

Special Topics in Cryptography Mohammad Mahmoody Last time Secrecy based on (unproven) computational assumptions Pseudorandom generators How to encrypt longer messages in an ind-secure way using a PRG Today How to make PRGs

501 views • 16 slides
OperationCheckpoint: SDN Application Control Workshop on Secure Network Protocols (NPSec14) 19

OperationCheckpoint: SDN Application Control Workshop on Secure Network Protocols (NPSec14) 19

OperationCheckpoint: SDN Application Control Workshop on Secure Network Protocols (NPSec14) 19 October 2014 Sandra Scott-Hayward, Christopher Kane and Sakir Sezer s.scott-hayward@qub.ac.uk Centre for Secure Information Technologies (CSIT)

359 views • 20 slides
Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Defining Encryption (ctd.) Lecture 3 SIM & IND security Beyond One-Time: CPA security Computational Indistinguishability Recall Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M {Enc(m,K)} K KeyGen

619 views • 20 slides
Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Defining Encryption (ctd.) Lecture 3 SIM & IND security Beyond One-Time: CPA security Computational Indistinguishability Recall Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M {Enc(m,K)} K KeyGen

1.45k views • 98 slides
Merkles Puzzles See: Merkle, Secrecy, Authentication, and Public Key Systems , UMI Research

Merkles Puzzles See: Merkle, Secrecy, Authentication, and Public Key Systems , UMI Research

Merkles Puzzles See: Merkle, Secrecy, Authentication, and Public Key Systems , UMI Research press, 1982 Merkle, Secure Communications Over Insecure Channels , CACM, Vol. 21, No. 4, pp. 294-299, April 1978 Eli Biham - May 3, 2005 c 206

372 views • 14 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
Shannons Theory of Secrecy Systems See: C. E. Shannon, Communication Theory of Secrecy Systems

Shannons Theory of Secrecy Systems See: C. E. Shannon, Communication Theory of Secrecy Systems

Shannons Theory of Secrecy Systems See: C. E. Shannon, Communication Theory of Secrecy Systems , Bell Systems Technical Journal, Vol. 28, pp. 656715, 1948. Eli Biham - May 3, 2005 c 54 Shannons Theory of Secrecy Systems (2)

584 views • 14 slides
Decoding the nature of Dark Matter at current and future experiments Alexander Belyaev

Decoding the nature of Dark Matter at current and future experiments Alexander Belyaev

Decoding the nature of Dark Matter at current and future experiments Alexander Belyaev Southampton University & Rutherford Appleton Laboratory June 10 , 2020, Particle Physics Seminar Alexander Belyaev Decoding the nature of DM 1 Why

917 views • 77 slides
Strategic Term Rewriting and Its Application to a VDM-SL to SQL Conversion Review Outline

Strategic Term Rewriting and Its Application to a VDM-SL to SQL Conversion Review Outline

Strategic Term Rewriting and Its Application to a VDM-SL to SQL Conversion Review Outline Goal of the paper Algebraic design by calculation VooDooM model Conclusions and future work Goal of the paper Convert datatypes in

357 views • 14 slides
Semiexclusive production of vector mesons in proton-proton collisions with electromagnetic

Semiexclusive production of vector mesons in proton-proton collisions with electromagnetic

ANNA CISEK Semiexclusive production of vector mesons in proton-proton collisions with electromagnetic dissociation of protons Anna Cisek University of Rzeszow MESON 2018 - 15 th International Workshop on Meson Physics Krakw, 7-12 June 2018

422 views • 18 slides
Nontraditional Notions of Polynomial Ordering with Computational Applications Steve Hussung

Nontraditional Notions of Polynomial Ordering with Computational Applications Steve Hussung

Intro Potential Theoretic Background Convex Bodies, Orderings WAMS, Discrete Sequences Nontraditional Notions of Polynomial Ordering with Computational Applications Steve Hussung Indiana University Bloomington Midwestern Workshop on

801 views • 47 slides
Introduction Q uantum C hromo D ynamics is a Yang-Mills theory with fermions, based on local SU

Introduction Q uantum C hromo D ynamics is a Yang-Mills theory with fermions, based on local SU

PADES and LARGE- N c QCD SANTI PERIS (IFAE - UA Barcelona) Luminy, Sep. 2009 LARGE- Nc QCD p.1/19 PADES and Introduction Q uantum C hromo D ynamics is a Yang-Mills theory with fermions, based on local SU ( N c ) : 1 F A 4 g

733 views • 23 slides
TEST ORACLES Formal Definitions and Classifications Shin Yoo & Mark Harman(UCL) Muzammil

TEST ORACLES Formal Definitions and Classifications Shin Yoo & Mark Harman(UCL) Muzammil

TEST ORACLES Formal Definitions and Classifications Shin Yoo & Mark Harman(UCL) Muzammil Shahbaz & Phil McMinn(University of Sheffield) OVERVIEW Formal Definitions Oracle Literature Timeline & Classification FORMAL

564 views • 22 slides
Isabelle/UTP: Mechanised Theory Engineering for Computer Scientists Simon Foster University of

Isabelle/UTP: Mechanised Theory Engineering for Computer Scientists Simon Foster University of

Isabelle/UTP: Mechanised Theory Engineering for Computer Scientists Simon Foster University of York July 31, 2013 1 Outline COMPASS Overview of Isabelle/UTP Automating Proof Mechanising UTP Theories 2 Outline COMPASS Overview of

825 views • 43 slides
The Linear Universe Matt Johnson Perimeter Institute/York University Thursday, 4 July, 13

The Linear Universe Matt Johnson Perimeter Institute/York University Thursday, 4 July, 13

The Linear Universe Matt Johnson Perimeter Institute/York University Thursday, 4 July, 13 Modelling the Universe Most of cosmology is described by General Relativity and Relativistic Hydrodynamics. Thursday, 4 July, 13 Modelling the

1.2k views • 95 slides

More recommend