security notions for bidirectional channels
play

Security Notions for Bidirectional Channels Giorgia Azzurra Marson - PowerPoint PPT Presentation

Nov 03, 2023 •207 likes •602 views

Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017 Tokyo, Japan 1 / 11 Outline Secure channels and how they are modeled Security notions for bidirectional channels Analysis of bidirectional

  1. Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017 Tokyo, Japan 1 / 11

  2. Outline Secure channels and how they are modeled Security notions for bidirectional channels Analysis of bidirectional channel design 2 / 11

  3. Communication channels • setting: two-party communication over the Internet • goal: deliver messages and preserve sending order • how to achieve this: TCP/IP Good, if there are only Alice and Bob (idealized world) m 1 , m 2 , m 3 m 1 , m 2 , m 3 network 3 / 11

  4. Cryptographic channels (a.k.a. secure channels) • setting: two-party communication over the Internet • goal: protect communication from adversaries m 1 , m 2 , m 3 m 1 , m 2 , m 3 network 4 / 11

  5. Cryptographic channels (a.k.a. secure channels) • setting: two-party communication over the Internet • goal: protect communication from adversaries • security (informally): prevent eavesdropping I shall wait. . . wait! · do not · buy now wait! · do not · buy now m 1 , m 2 , m 3 m 1 , m 2 , m 3 network 4 / 11

  6. Cryptographic channels (a.k.a. secure channels) • setting: two-party communication over the Internet • goal: protect communication from adversaries • security (informally): prevent eavesdropping and manipulation I shall wait. . . wait! · do not · buy now sell! · do not · buy now m ′ 1 , m 2 , m 3 m 1 , m 2 , m 3 network 4 / 11

  7. Cryptographic channels (a.k.a. secure channels) • setting: two-party communication over the Internet • goal: protect communication from adversaries • security (informally): prevent eavesdropping and manipulation I shall wait. . . wait! · do not · buy now do not · wait! · buy now m 1 , m 2 , m 3 m 2 , m 1 , m 3 network 4 / 11

  8. Cryptographic channels (a.k.a. secure channels) • setting: two-party communication over the Internet • goal: protect communication from adversaries • security (informally): prevent eavesdropping and manipulation make real world close to idealized world I shall wait. . . wait! · do not · buy now do not · wait! · buy now m 1 , m 2 , m 3 m 2 , m 1 , m 3 network 4 / 11

  9. Modeling channel security [BKN’02] Confidentiality • intuitively: ciphertext hides plaintext • formally: IND-CPA (a.k.a. ‘passive’) b ? ( m 0 , m 1 ) m b c ∗ 5 / 11

  10. Modeling channel security [BKN’02] Confidentiality • intuitively: ciphertext hides plaintext • formally: IND-CPA (a.k.a. ‘passive’) and IND-CCA (a.k.a. ‘active’) b ? ( m 0 , m 1 ) m b c ′ 1 , c ′ 2 , c ′ m ′ 1 , m ′ 2 , m ′ c ∗ 3 3 5 / 11

  11. Modeling channel security [BKN’02] Confidentiality • intuitively: ciphertext hides plaintext • formally: IND-CPA (a.k.a. ‘passive’) and IND-CCA (a.k.a. ‘active’) Integrity • intuitively: manipulations are detected • formally: INT-PTXT c ′ 1 , c ′ 2 , c ′ m ′ 1 , m ′ 2 , m ′ m 1 , m 2 , m 3 c 1 , c 2 , c 3 3 3 5 / 11

  12. Modeling channel security [BKN’02] Confidentiality • intuitively: ciphertext hides plaintext • formally: IND-CPA (a.k.a. ‘passive’) and IND-CCA (a.k.a. ‘active’) Integrity • intuitively: manipulations are detected • formally: INT-PTXT and INT-CTXT c ′ 1 , c ′ 2 , c ′ m 1 , m 2 , m 3 c 1 , c 2 , c 3 m 1 , m 2 , m 3 3 5 / 11

  13. Modeling channel security [BKN’02] Confidentiality • intuitively: ciphertext hides plaintext • formally: IND-CPA (a.k.a. ‘passive’) and IND-CCA (a.k.a. ‘active’) Integrity • intuitively: manipulations are detected • formally: INT-PTXT and INT-CTXT both incorporate replay and reordering protection m 1 , m 2 , m 3 c 1 , c 2 , c 3 c 1 , c 3 , c 2 m 1 , m 3 , m 2 5 / 11

  14. Cryptographic channels in theory: state of the art • channel security: IND-CPA + INT-CTXT (= ⇒ IND-CCA ) • also called ‘stateful authenticated encryption’ (stateful AE) • introduced to analyze (and prove) SSH channel security [BKN02] • reference model to analyse TLS [JKSS12,KPW13,. . . ] 6 / 11

  15. Cryptographic channels in theory: state of the art • channel security: IND-CPA + INT-CTXT (= ⇒ IND-CCA ) • also called ‘stateful authenticated encryption’ (stateful AE) • introduced to analyze (and prove) SSH channel security [BKN02] • reference model to analyse TLS [JKSS12,KPW13,. . . ] stateful AE considered good abstraction of a secure channel stateful AE 6 / 11

  16. Channels are used for bidirectional communication • prior work: ‘Sender → Receiver’ communication • practice: channels protect bidirectional communication • standard approach employs two independent unidirectional channels canonic composition of unidirectional channels 7 / 11

  17. Channels are used for bidirectional communication • prior work: ‘Sender → Receiver’ communication • practice: channels protect bidirectional communication • standard approach employs two independent unidirectional channels • does this yield a secure bidirectional channel? • folklore: unidirectional security = ⇒ bidirectional security canonic composition of unidirectional channels 7 / 11

  18. Channels are used for bidirectional communication • prior work: ‘Sender → Receiver’ communication • practice: channels protect bidirectional communication • standard approach employs two independent unidirectional channels • does this yield a secure bidirectional channel? • folklore: unidirectional security = ⇒ bidirectional security what does it mean ‘bidirectional security’? what is an what is reordering? active attack? 7 / 11

  19. Our contribution in a nutshell Defining bidirectional security • confidentiality: IND-2-CPA, IND-2-CCA • integrity: INT-2-PTXT, INT-2-CTXT • notions reflect that → and ← are not independent of each other 8 / 11

  20. Our contribution in a nutshell Defining bidirectional security • confidentiality: IND-2-CPA, IND-2-CCA • integrity: INT-2-PTXT, INT-2-CTXT • notions reflect that → and ← are not independent of each other Relations among notions • INT-2-CTXT = ⇒ INT-2-PTXT • IND-2-CCA = ⇒ IND-2-CPA • INT-2-CTXT + IND-2-CPA = ⇒ IND-2-CCA 8 / 11

  21. Our contribution in a nutshell Defining bidirectional security • confidentiality: IND-2-CPA, IND-2-CCA • integrity: INT-2-PTXT, INT-2-CTXT • notions reflect that → and ← are not independent of each other Relations among notions • INT-2-CTXT = ⇒ INT-2-PTXT • IND-2-CCA = ⇒ IND-2-CPA • INT-2-CTXT + IND-2-CPA = ⇒ IND-2-CCA Analysis of the canonic composition • question: can security be lifted from unidirectional components? • our results question common belief. . . 8 / 11

  22. Active attacks in a bidirectional setting active ≈ deviation from honest behavior manipulation of ciphertexts or of their order (akin to unidirectional setting) 9 / 11

  23. Active attacks in a bidirectional setting active ≈ deviation from honest behavior manipulation of ciphertexts or of their order (akin to unidirectional setting) c 1 s 1 9 / 11

  24. Active attacks in a bidirectional setting active ≈ deviation from honest behavior manipulation of ciphertexts or of their order (akin to unidirectional setting) c ′ r 2 c 1 s 1 9 / 11

  25. Active attacks in a bidirectional setting active ≈ deviation from honest behavior manipulation of ciphertexts or of their order (akin to unidirectional setting) Our model additionally allows to express that: • ‘passive’ query may chronologically follow ‘active’ query (concurrency) c ′ r 2 c 1 r s 3 1 9 / 11

  26. Active attacks in a bidirectional setting active ≈ deviation from honest behavior manipulation of ciphertexts or of their order (akin to unidirectional setting) Our model additionally allows to express that: • ‘passive’ query may chronologically follow ‘active’ query (concurrency) c 2 s 4 c ′ r 2 c 1 r s 3 1 9 / 11

  27. Active attacks in a bidirectional setting active ≈ deviation from honest behavior manipulation of ciphertexts or of their order (akin to unidirectional setting) Our model additionally allows to express that: • ‘passive’ query may chronologically follow ‘active’ query (concurrency) • active attack on ← may influence security of → c 2 r 5 s 4 c ′ r 2 c 1 r s 3 1 9 / 11

  28. Bidirectional security of the canonic composition Generic analysis: can security be lifted from unidirectional components? • INT-PTXT + INT-PTXT = ⇒ INT-2-PTXT • INT-CTXT + INT-CTXT = ⇒ INT-2-CTXT • IND-CPA + IND-CPA = ⇒ INT-2-CPA 10 / 11

  29. Bidirectional security of the canonic composition Generic analysis: can security be lifted from unidirectional components? • INT-PTXT + INT-PTXT = ⇒ INT-2-PTXT • INT-CTXT + INT-CTXT = ⇒ INT-2-CTXT • IND-CPA + IND-CPA = ⇒ INT-2-CPA • IND-CCA + IND-CCA � = ⇒ INT-2-CCA 10 / 11

  30. Bidirectional security of the canonic composition Generic analysis: can security be lifted from unidirectional components? • INT-PTXT + INT-PTXT = ⇒ INT-2-PTXT • INT-CTXT + INT-CTXT = ⇒ INT-2-CTXT } = ⇒ IND-2-CCA • IND-CPA + IND-CPA = ⇒ INT-2-CPA • IND-CCA + IND-CCA � = ⇒ INT-2-CCA Bidirectional security of TLS and SSH (the good news) • TLS and SSH channel offer stateful AE security [K01,BKN02,PRS11] Encode-then-E&M for SSH, CBC-based M-then-E for TLS • our result: they also offer IND-2-CCA and INT-2-CTXT security 10 / 11

  31. Summary This work • formalize security notions for bidirectional channels • analyze ‘canonic composition’ • confirm security of (crypto core of) TLS and SSH channels 11 / 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Unlimited Event Channels David Vrabel 24 October 2013 What are Event Channels?

Unlimited Event Channels David Vrabel 24 October 2013 What are Event Channels?

Unlimited Event Channels David Vrabel 24 October 2013 What are Event Channels? Paravirtual interrupts Edge triggered Bidirectional Directed at a single VCPU 24 October 2013 Unlimited Event Channels 2 / 13 How do

140 views • 13 slides
Fine-Grained Bandwidth Adaptivity in Networks-on-Chip Using Bidirectional Channels Robert Hesse ,

Fine-Grained Bandwidth Adaptivity in Networks-on-Chip Using Bidirectional Channels Robert Hesse ,

Fine-Grained Bandwidth Adaptivity in Networks-on-Chip Using Bidirectional Channels Robert Hesse , Jeff Nicholls, Natalie Enright Jerger University of Toronto May 10, 2012 Friday, 11 May, 12 Motivation May 10, 2012 2 University of Toronto

990 views • 97 slides
Bidirectional Flow Measurement, IPFIX, and Security Analysis Elisa Boschi, Hitachi Europe SAS

Bidirectional Flow Measurement, IPFIX, and Security Analysis Elisa Boschi, Hitachi Europe SAS

Bidirectional Flow Measurement, IPFIX, and Security Analysis Elisa Boschi, Hitachi Europe SAS Brian Trammell, CERT/NetSA Tuesday, October 10, 2006 FloCon 2006 - Vancouver, WA, US Introduction and Motivation Bidirectional flow (biflow)

418 views • 12 slides
New Notions of Security: Universal Composability without Trusted Setup Manoj Prabhakaran &

New Notions of Security: Universal Composability without Trusted Setup Manoj Prabhakaran &

New Notions of Security: Universal Composability without Trusted Setup Manoj Prabhakaran & Amit Sahai Princeton University To appear in STOC04 Defining Security Central Problem in Cryptography Understanding what we want and what we

1.13k views • 34 slides
Advanced security notions for the SSH secure channel: theory and practice Kenny Paterson -

Advanced security notions for the SSH secure channel: theory and practice Kenny Paterson -

Advanced security notions for the SSH secure channel: theory and practice Kenny Paterson - @kennyog Based on joint work with Martin Albrecht, Jean Paul Degabriele and Torben Hansen Information Security Group Overview 1. Introducing SSH 2. SSH

817 views • 52 slides
Objectives Security Notions of MACs NMACs and HMACs CBC-MACs Low Power Ajit Pal

Objectives Security Notions of MACs NMACs and HMACs CBC-MACs Low Power Ajit Pal

Message Authentication Codes (MACs) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Security Notions of MACs NMACs and HMACs

158 views • 12 slides
Bidirectional Transformations a PL perspective BIRS meeting on BX, 2013 Bidirectional

Bidirectional Transformations a PL perspective BIRS meeting on BX, 2013 Bidirectional

Bidirectional Transformations a PL perspective BIRS meeting on BX, 2013 Bidirectional Transformations (BX) to A B from database source materialized view software model code document representation screen visualization

1.27k views • 82 slides
Security Notions 1

Security Notions 1

Security Notions 1 Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically breakable given the time are theoretically breakable given

1.1k views • 37 slides
White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile

White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile

White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile Delerabl Tancr` Pascal Paillier 1 Matthieu Rivain 1 CryptoExperts 1 , erieure 2 Ecole Normale Sup SAC 2013 Outline 1 What is white-box

406 views • 38 slides
Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove.

Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove.

Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove. ASIACRYPT 2018 J. P. Degabriele M. Fischlin 1 What this talk is about We propose and explore new security definitions for symmetric encryption

819 views • 24 slides
Towards Security Notions for Motivation: White-Box Cryptography White-Box Cryptography

Towards Security Notions for Motivation: White-Box Cryptography White-Box Cryptography

ISC conference, September 2009, Pisa, Italy Outline Towards Security Notions for Motivation: White-Box Cryptography White-Box Cryptography The Theory of Obfuscation Brecht Wyseur (im)possibility results ISC 2009, September 2009

280 views • 3 slides
Blockcipher Security Notions Martijn Stam Department of Computer Science, University Of Bristol,

Blockcipher Security Notions Martijn Stam Department of Computer Science, University Of Bristol,

1 / 24 Blockcipher Security Notions Martijn Stam Department of Computer Science, University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB United Kingdom. Sibenik, 7 June 2016 Basic Syntax of Blockciphers DES

882 views • 85 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
Data Security: The art of providing secure communication over insecure channels. Not a problem

Data Security: The art of providing secure communication over insecure channels. Not a problem

Data Security: The art of providing secure communication over insecure channels. Not a problem that suddenly arose when computers were invented - its as old as mankind. Data Security falls naturally into two cathegories: * Confidentiality

542 views • 16 slides
Consolidating Security Notions in Hardware Masking CHES 2019 Lauren De Meyer, Begl Bilgin,

Consolidating Security Notions in Hardware Masking CHES 2019 Lauren De Meyer, Begl Bilgin,

Consolidating Security Notions in Hardware Masking CHES 2019 Lauren De Meyer, Begl Bilgin, Oscar Reparaz P ROBLEM : SIDE - CHANNEL ANALYSIS S OLUTION : M ASKING P ROBING MODEL [ISW03] Adversary can probe up to intermediate values

885 views • 34 slides
Effects of Approximate Filtering on the Appearance of Bidirectional Texture Functions Adrian

Effects of Approximate Filtering on the Appearance of Bidirectional Texture Functions Adrian

Effects of Approximate Filtering on the Appearance of Bidirectional Texture Functions Adrian Jarabo, Hongzhi Wu, Julie Dorsey, Holly Rushmeier, Diego Gutierrez Bidirectional Texture Function [Filip et al.11] Bidirectional Texture Function

483 views • 34 slides
BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr

BotNets BotNets- Cybe Cyber T r Torrirism orrirism Ba Batt ttling ling th the t e thr hrea eats ts of inte of intern rnet et Assoc. Prof. Dr. Sureswaran Ramadass National Advanced IPv6 Center - Director Why Talk About Botnets?

722 views • 35 slides
Active Adversary Lecture 7 CCA Security MAC Active Adversary Active Adversary An active

Active Adversary Lecture 7 CCA Security MAC Active Adversary Active Adversary An active

Active Adversary Lecture 7 CCA Security MAC Active Adversary Active Adversary An active adversary can inject messages into the channel Active Adversary An active adversary can inject messages into the channel Eve can send ciphertexts to Bob

2.08k views • 160 slides
De-anonymizing Data CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 2 : 590.03 Fall 12

De-anonymizing Data CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 2 : 590.03 Fall 12

Source (http://xkcd.org/834/) De-anonymizing Data CompSci 590.03 Instructor: Ashwin Machanavajjhala Lecture 2 : 590.03 Fall 12 1 Announcements Project ideas will be posted on the site by Friday. You are welcome to send me (or talk to

763 views • 65 slides
Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical

Contents Introduction to data security Public key cryptosystems: Classical cryptosystems RSA Introduction to modern Prime number generation cryptography Polynomial arithmetic T-79.159 Block ciphers: DES, IDEA,

439 views • 15 slides
in Searchable Symmetric Encryption Kaoru Kurosawa and Yasuhiro Ohtaki Ibaraki University, Japan

in Searchable Symmetric Encryption Kaoru Kurosawa and Yasuhiro Ohtaki Ibaraki University, Japan

How to Update Documents Verifiably in Searchable Symmetric Encryption Kaoru Kurosawa and Yasuhiro Ohtaki Ibaraki University, Japan Outline (1) Introduction (2) Our (previous) verifiable SSE scheme (3) Extend it to a dynamic SSE scheme (but

1.13k views • 70 slides
Side Channel Analysis Chester Rebeiro IIT Madras CR Modern ciphers designed with very strong

Side Channel Analysis Chester Rebeiro IIT Madras CR Modern ciphers designed with very strong

Side Channel Analysis Chester Rebeiro IIT Madras CR Modern ciphers designed with very strong assumptions Kerckhoffs Principle The system is completely known to the attacker. This includes e ncryption & decryption algorithms,

1.25k views • 85 slides
TIDE: Proactive threat detection Introduction Ph.D. student from the University of Twente

TIDE: Proactive threat detection Introduction Ph.D. student from the University of Twente

2019-06-20 Olivier van der Toorn <o.i.vandertoorn@utwente.nl> University of Twente, Design and Analysis of Communication Systems TIDE: Proactive threat detection Introduction Ph.D. student from the University of Twente System

1.6k views • 108 slides
AuthenticationOverview(NSchapter9)

AuthenticationOverview(NSchapter9)

AuthenticationOverview(NSchapter9) Largesetofprincipalsattachedtoanopenchannel(eg,Internet). ComputerandNetworkSecurity

875 views • 20 slides

More recommend