security proofs in the symbolic model
play

Security proofs in the symbolic model the applied pi calculus - PowerPoint PPT Presentation

Oct 23, 2022 •23 likes •413 views

Security proofs in the symbolic model the applied pi calculus Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic

  1. Security proofs in the symbolic model the applied pi calculus Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 1 / 29

  2. Recap: Cryptographic protocols Cryptographic protocol A set of rules for the exchange of data between multiple principals that uses cryptography to achieve security goals against a threat model. Principal : a protocol participant, typically human or computer Security Goal : the confidentiality or integrity of a data item, or the authentication of a principal Threat Model : the capabilities of the attacker Examples Communications protocols: TLS, IPsec, SSH, WPA Tamper-proof hardware: Smartcard, Navigo, SIM card Privacy preserving applications: BitCoin, Electronic Voting Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 2 / 29

  3. Informal Notation Principals : A (alice), B (bob), C (charlie), . . . Messages : m , n , o ,. . . Constructors : � m , n � (pairing), { m } k , sig { m } k , pk ( m ) Destructors : proj 1 ( m ) , proj 2 ( m ) ,dec ( m , k ) , verify ( m , s , k ) proj 1 ( � m , n � ) = m , proj 2 ( � m , n � ) = n A protocol is informally specified as a sequence of messages exchanged between principals: 1. A − → B : m 1 2. B − → C : m 2 3. C − → A : m 3 . . . Denotes the expected behaviour of a single run of the protocol The goal of the attacker is to disrupt this behaviour! Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 3 / 29

  4. Recap: Writing protocols, finding attacks Alice ( A ) wishes to perform an online transaction with her bank ( B ): A − → B : request B − → A : response Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 4 / 29

  5. Recap: Writing protocols, finding attacks Alice ( A ) wishes to perform an online transaction with her bank ( B ): A − → B : request B − → A : response Encryption for confidentiality A − → B : { request } pk ( B ) B − → A : { response } pk ( A ) Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 4 / 29

  6. Recap: Writing protocols, finding attacks Alice ( A ) wishes to perform an online transaction with her bank ( B ): A − → B : request B − → A : response Encryption for confidentiality A − → B : { request } pk ( B ) B − → A : { response } pk ( A ) Signature for integrity and authenticity A − → B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) B − → A : { response } pk ( A ) , sig {{ response } pk ( A ) } sk ( B ) Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 4 / 29

  7. Recap: Writing protocols, finding attacks Alice ( A ) wishes to perform an online transaction with her bank ( B ): A − → B : request B − → A : response Encryption for confidentiality A − → B : { request } pk ( B ) B − → A : { response } pk ( A ) Signature for integrity and authenticity A − → B : { request } pk ( B ) , sig {{ request } pk ( B ) } sk ( A ) B − → A : { response } pk ( A ) , sig {{ response } pk ( A ) } sk ( B ) Nonces to prevent replays B − → A : { N } pk ( A ) A − → B : {� N , request �} pk ( B ) , sig {{� N , request �} pk ( B ) } sk ( A ) B − → A : {� N , response �} pk ( A ) , sig {{� N , response �} pk ( A ) } sk ( B ) Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 4 / 29

  8. Recap: From attacks to proofs Our informal notation is adequate for finding and explaining attacks replay, man-in-the-middle, guessing attacks, . . . that compromise confidentiality and authenticity To precisely state and prove security theorems about cryptographic protocols, we need to move to a more formal setting. Precisely state what actions each principal must do Formalize security goals and threat model Prove that these goals are met in all executions Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 5 / 29

  9. Recap: A small process calculus Simplified version of the applied pi calculus [Abadi, Fournet, 2000] Names : a , b , c , . . . (used for keys, nonces, channels) Messages : M , N , . . . Constructors : � m , n � (pairing), { m } k , sig { m } k , pk ( m ) Destructors : proj 1 ( m ) , proj 2 ( m ) , dec ( m , k ) , verify ( m , s , k ) Processes : P , Q , R , . . . P , Q , R ::= Processes 0 null process new a . P fresh name generation in ( c , x ) . P message input (continue as P) out ( c , M ) . P message output (continue as P) let x = g ( M 1 , . . . , M n ) in P else Q destructor application if M = N then P else Q conditional P | Q parallel composition ! P replication Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 6 / 29

  10. Today: The Applied Pi Calculus Introduction and syntax : communication, concurrency, crypto Term semantics : equational theories, term reduction systems Process semantics : structural congruence, internal reduction Attacker knowledge : frames, deduction, labeled reduction Security goals : syntactic secrecy, authenticity Proof technique : invariants Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 7 / 29

  11. References Books: Communicating and Mobile Systems: The Pi Calculus , R. Milner The Pi-Calculus: A Theory of Mobile Processes , D. Sangiorgi Papers: Mobile values, new names, and secure communication , M. Abadi and C. Fournet (POPL’01, ). Applied pi calculus , M.D. Ryan, B. Smyth (Tutorial, 2011) Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 8 / 29

  12. Process Calculi Process calculi have been proposed as models for distributed systems CCS [Milner, ’80], CSP [Hoare, ’85], . . . pi calculus, join calculus, ambient calculus, . . . Concurrency : P � Q Interleaving semantics : The actions in P and Q can happen in any order Communication : out ( c , M ) . P � in ( c , x ) . Q Both synchronous and asynchronous variants Synchronous : instant communication, both processes evolve out ( c , M ) . P � in ( c , x ) . Q − → P � Q { M / x } Asynchronous : output first, input may happen later out ( c , M ) . P − → P � out c ( M ) out ( c , M ) � in ( c , x ) . Q − → Q { M / x } Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 9 / 29

  13. Pi Calculus Proposed by Robin Milner in 1990s Dynamic creation of channels, capabilities useful to model mobile code,replicated servers,. . . recently used to model security protocols, memory models, . . . Names : a , b , c Fresh name generation : new a . P create a fresh (secret) communication channel create a new memory location (channel) create a fresh random nonce, key, . . . Replication : ! P create as many copies of P as necessary P � P � · · · � P Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 10 / 29

  14. Adding Crypto: Applied Pi Calculus Spi calculus [Abadi, Gordon ’99] adds cryptography to pi calculus specific primitives are hard-coded (symmetric and asymmetric encryption) Applied pi calculus [Abadi, Fournet ’00] generalizes spi calculus an algebra of terms (constructors, destructors) equational theory to encode arbitrary cryptographic primitives can also encode complex message formats Messages : m , n , o ,. . . Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 11 / 29

  15. Adding Crypto: Applied Pi Calculus Spi calculus [Abadi, Gordon ’99] adds cryptography to pi calculus specific primitives are hard-coded (symmetric and asymmetric encryption) Applied pi calculus [Abadi, Fournet ’00] generalizes spi calculus an algebra of terms (constructors, destructors) equational theory to encode arbitrary cryptographic primitives can also encode complex message formats Messages : m , n , o ,. . . Constructors : � m , n � (pairing), { m } k , sig { m } k , pk ( m ) Destructors : proj 1 ( m ) , proj 2 ( m ) ,dec ( m , k ) , verify ( m , s , k ) proj 1 ( � m , n � ) = m , proj 2 ( � m , n � ) = n Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 11 / 29

  16. Term Syntax N : an infinite (countable) set of names a , b , c , . . . X : an infinite (countable) set of variables x , y , z , . . . F : a finite signature of function symbols f , g , h , . . . Includes constructors and destructors F = F C ∪ F D Terms represent messages that may be sent between processes M , N , O , . . . ::= Terms a name x variable f ( M 1 , . . . , M n ) function application T (Σ) : terms constructed from the symbols in Σ Σ contains names, variables, and functions Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 12 / 29

  17. Process Syntax Processes : P , Q , R , . . . P , Q , R ::= Processes 0 null process new a . P fresh name generation in ( c , x ) . P message input (continue as P) out ( c , M ) . P message output (continue as P) if M = N then P else Q conditional P � Q parallel composition ! P replication Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 13 / 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA)

800 views • 58 slides
PhD Defense Symbolic Proofs of Computational Indistinguishability Adrien Koutsos Thse

PhD Defense Symbolic Proofs of Computational Indistinguishability Adrien Koutsos Thse

PhD Defense Symbolic Proofs of Computational Indistinguishability Adrien Koutsos Thse prpare au sein du LSV, ENS Paris-Saclay September 27, 2019 Introduction Motivation Security Protocols Distributed programs which aim at providing some

1.55k views • 142 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin & Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Introduction Symbolic Model Computational Model Implementations Conclusion Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS Bruno.Blanchet@ens.fr March 2012

905 views • 53 slides
Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS

Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS

Introduction / Motivation Symbolic Method Experiments Conclusion Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS In` es Ben El Ouahma Quentin Meunier Karine Heydemann Emmanuelle Encrenaz

271 views • 25 slides
1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

Probabilistic Polynomial-Time Standard analysis methods Process Calculus for Security Finite-state analysis Protocol Analysis Easier Dolev-Yao model Symbolic search of protocol runs Proofs of correctness in formal logic

258 views • 7 slides
Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shu ichi Katsumata (The University of Tokyo /AIST) Shota Yamada Takashi Yamakawa (AIST) (NTT) 1 Post Quantum Cryptography

1.22k views • 86 slides
Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH Zurich Road map Motivation Basic notions Problems Symbolic models 1 Security protocols Omnipresent Authentication:

827 views • 37 slides
Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben

Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben

Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben Moos 1 , Amir Moradi 1 , Tobias Schneider 2 and Franois-Xavier Standaert 2 Horst Grtz Institute for IT Security, Ruhr-Universitt Bochum,

694 views • 46 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking

Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking

Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking ELEC-E8110 Automation Systems Synthesis and Analysis Igor Buzhinsky igor.buzhinskii@aalto.fi 2018 Igor Buzhinsky Lecture 5 2018 1 / 28 Symbolic

833 views • 61 slides
Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

1 Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most protocols: (AES k (0) ; : : : ; AES k ( n 1)) is distinguishable from uniform with probability n ( n 1) = 2 129 , plus tiny key-guessing

577 views • 32 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic Model Checking 10 20 States and Beyond Burch Clarke McMillan Dill Hwang Seminal

Symbolic Model Checking 10 20 States and Beyond Burch Clarke McMillan Dill Hwang Seminal

The Mu-Calculus Model Checking Example Results Symbolic Model Checking 10 20 States and Beyond Burch Clarke McMillan Dill Hwang Seminal Papers in Verification March 23, 2012 Andrena Francisco Symbolic Model Checking The Mu-Calculus

196 views • 15 slides
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Laboratoire dInformatique Ecole Normale Sup erieure 45, rue dUlm 75230 PARIS CEDEX 05 Security Proofs for

588 views • 12 slides
Chapter 2 Professor Brendan Morris, SEB 3216, brendan.morris@unlv.edu

Chapter 2 Professor Brendan Morris, SEB 3216, brendan.morris@unlv.edu

Chapter 2 Professor Brendan Morris, SEB 3216, brendan.morris@unlv.edu http://www.ee.unlv.edu/~b1morris/cpe100/ CPE100: Digital Logic Design I Section 1004: Dr. Morris Combinational Logic Design Chapter 2 <1> Chapter 2 :: Topics

334 views • 31 slides
Names, Equations, Relations: Practical Ways to Reason about new Ian Stark BRICS Department of

Names, Equations, Relations: Practical Ways to Reason about new Ian Stark BRICS Department of

Names, Equations, Relations: Practical Ways to Reason about new Ian Stark BRICS Department of Computer Science University of Aarhus Denmark April 1997 What does it mean to be new ? Many useful aspects of programming languages depend on

337 views • 14 slides
Solving equations over small multi-unary algebras Przemyslaw Broniek Algorithmics Research Group

Solving equations over small multi-unary algebras Przemyslaw Broniek Algorithmics Research Group

Introduction to problem Current results Summary Solving equations over small multi-unary algebras Przemyslaw Broniek Algorithmics Research Group Jagiellonian University, Krakw Chambry-Krakw-Lyon Workshop, 20-21 June 2005 Przemyslaw

781 views • 48 slides
Component-Based Synthesis by Solving Language Equations Tiziano Villa 1 joint work with Nina

Component-Based Synthesis by Solving Language Equations Tiziano Villa 1 joint work with Nina

Component-Based Synthesis by Solving Language Equations Tiziano Villa 1 joint work with Nina Yevtushenko 2 , Alex Petrenko 3 , Robert Brayton 4 , Alan Mishchenko 4 , A. Sangiovanni-Vincentelli 4 , and more ... 1 Department of Computer Science,

849 views • 70 slides
mdmax at School Learning Selection in Equational Reasoning Sarah Winkler University of

mdmax at School Learning Selection in Equational Reasoning Sarah Winkler University of

mdmax at School Learning Selection in Equational Reasoning Sarah Winkler University of Innsbruck 4th Conference on Artificial Intelligence and Theorem Proving 10 April 2019 1 Equational Theorem Proving 0 + x x ( x ) + x 0 x + (

761 views • 58 slides
MU-TERM 2018 Termination Competition Ral Gutirrez 1 and Salvador Lucas 1 WST, July 2018,

MU-TERM 2018 Termination Competition Ral Gutirrez 1 and Salvador Lucas 1 WST, July 2018,

MU-TERM 2018 Termination Competition Ral Gutirrez 1 and Salvador Lucas 1 WST, July 2018, Oxford (UK) 1 DSIC, Universitat Politcnica de Valncia 1 Overview MU - TERM 5.18 is a tool which can be used to verify a number of termination

115 views • 8 slides
Time-periodic parabolic equations CEMRACS 2019 Jean-Jrme Casanova Introduction to analytic

Time-periodic parabolic equations CEMRACS 2019 Jean-Jrme Casanova Introduction to analytic

Time-periodic parabolic equations CEMRACS 2019 Jean-Jrme Casanova Introduction to analytic semigroups 1 The periodic problem 2 Application to a fluidstructure interaction problem 3 Jean-Jrme Casanova Time-periodic parabolic

454 views • 24 slides
Global existence of strong solution for the compressible Navier-Stokes equations with large

Global existence of strong solution for the compressible Navier-Stokes equations with large

Presentation of the results Idea of the Proof Global existence of strong solution for the compressible Navier-Stokes equations with large initial data on the irrotational part Boris Haspot, Universit e Paris Dauphine 1 Presentation of the

152 views • 14 slides

More recommend