security proofs in the symbolic model
play

Security proofs in the symbolic model web services security, manual - PowerPoint PPT Presentation

Oct 21, 2023 •218 likes •800 views

Security proofs in the symbolic model web services security, manual and automated proofs Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA)

  1. Security proofs in the symbolic model web services security, manual and automated proofs Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 1 / 30

  2. Recap: Applied Pi Calculus A language for specifying cryptographic protocols [Abadi, Fournet ’00] Builds on pi calculus [Milner ’92], spi calculus [Abadi, Gordon ’99] Protocol roles encoded as concurrent processes that communicate by sending messages over public and private channels Names represent channels, keys, nonces Equational theories on messages specify cryptographic functions Term rewriting systems are a way of specifying equational theories Convergent term rewriting systems provide algorithms for equality Structural congruence defines behaviorally identical processes Internal reduction enables interaction between protocol processes Labeled reduction enables interaction with the attacker environment Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 2 / 30

  3. Recap: Term Syntax N : an infinite (countable) set of names a , b , c , . . . X : an infinite (countable) set of variables x , y , z , . . . F : a finite signature of function symbols f , g , h , . . . Includes constructors and destructors F = F C [ F D Terms represent messages that may be sent between processes M , N , O , . . . ::= Terms a name x variable f ( M 1 , . . . , M n ) function application T ( Σ ) : terms constructed from the symbols in Σ Σ contains names, variables, and functions Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 3 / 30

  4. Recap: Process Syntax Processes : P , Q , R , . . . P , Q , R ::= Processes 0 null process new a . P fresh name generation in ( c , x ) . P message input (continue as P) out ( c , M ) . P message output (continue as P) if M = N then P else Q conditional P k Q parallel composition ! P replication Extended Processes : A , B , C , . . . A , B , C ::= Extended processes P process new a . A fresh name generation A k B parallel composition { M / x } active substitution Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 4 / 30

  5. Recap: Security Goals Notation: Structural congruence P ⌘ Q , A ⌘ B ⌧ ⌧ ∗ Internal reduction P ! Q , transitive closure P � ! Q ~ l l Labeled reduction A ! B , transitive closure A � ! B Frames � represent attacker knowledge � = new ~ a . � where � is a substitution of the form: � = { M 1 / x 1 , M 2 / x 2 , . . . , M n / x n } � ( A ) : the frame of A , replace every plain process P in A by 0 Example: � ( new a . ( P k { M / x } k Q )) ⌘ new a . { M / x } Deduction � ` M enables an attacker to derive terms from a frame Secrecy goals in terms of what the attacker can deduce ~ l a is secret in A if for all A � ! B , � ( B ) 6` a A syntactic notion of secrecy, weaker than indistinguishability and computational secrecy. Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 5 / 30

  6. Recap: Finding Invariants A method to prove syntactic secrecy Find an invariant on the shape of the extended process as it evolves ~ l For all B such that A � ! B , B must have the shape I Example: B ⌘ new ~ a . { senc ( M , a i ) / x } k P for some M , i , P such that M , P do not mention a i Show that the frame of this invariant establishes your secrecy goal The attacker cannot deduce a secret from the frame of I � ( I ) = new ~ a . { senc ( M , a i ) / x } The attacker cannot deduce the secrets a k or M from this frame Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 6 / 30

  7. Today Case study: Web Services Security Introduction and motivation Writing a WS-Security protocol in the applied pi calculus Proving its security by demonstrating invariants Towards automated proof of protocol models Deducibility constraint systems for bounded protocol sessions Decision procedure for secrecy Undecidability result for unbounded protocol sessions (Next lecture and later in the course: tackling undecidability) Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 7 / 30

  8. APIs for Cloud-based Web Services APIs Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 8 / 30

  9. APIs for Cloud-based Web Services APIs Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic model September 2013 9 / 30

  10. Web Services Security Specifications and Implementations • A series of new specifications seeks to standardize cryptographic mechanisms for use with web services – WS-Security: message signatures, encryption – WS-Trust: token issuance, key establishment – WS-SecureConversation: secure sessions – WS-SecurityPolicy: specifying policies • Web services developers can combine these mechanisms to build a custom security protocol – in Java: Apache WSS4J, IBM Websphere – in C#: Microsoft Windows Communication Foundation Web Services Enhancements

  11. WS-Security • SOAP Envelope/Header/Security header includes: – Timestamp • To help prevent replay attacks – Tokens identifying principals and keys • Username token: name and password • X509: name and public-key • Others including Kerberos tickets, and session keys – Signatures • Syntax given by XML-DSIG standard • Bind together list of message elements, with key derived from a security token – Encrypted Keys • Syntax given by XML-ENC standard • Various message elements may be encrypted

  12. Password-based Authentication C  S : account C , HMAC-SHA1( pwd C , accoun t C ) S  C : balance C • Assume C has a username “C” & password pwd C at S • Request Authentication At S , only accepts an account C after checking pwd C • C MACs account C using the shared password • S checks the MAC on symbol before responding (HMAC-SHA1 = Keyed Hash, Message Authentication Code)

  13. Example 1: Password-based Auth UsernameToken assumes both ¡parties ¡know ¡adg’s ¡ <Envelope> secret password p <Header> <Security> <UsernameToken Id=1> <Username>“C" Each DigestValue <Nonce>"mTbzQM84RkFqza+lIes/xw==" <Created>"2004-09-01T13:31:50Z" is the sha1 hash of <Signature> the URI target <SignedInfo> <SignatureMethod Algorithm=hmac-sha1> <Reference URI=#2> <DigestValue >"U9sBHidIkVvKA4vZo0gGKxMhA1g=“ <SignatureValue>"8/ohMBZ5JwzYyu+POU/v879R01s=" <KeyInfo> <SecurityTokenReference> <Reference URI=#1 ValueType=UsernameToken> <Body Id=2> hmacsha1 ( key , SignedInfo ) where <BalanceRequest> key  psha1 ( p + nonce + created ) <AccountNumber> accoun t C </>

  14. Example 2: Signing Multiple Elements To prevent <Envelope> redirections, <Header> <Action Id=1> "http://stockservice.contoso.com/wse/samples/2003/06/StockQuoteRequest" need to sign To <MessageID Id=2> "uuid:abc4946b-112f-4a26-b923-4ffc948c15ef" <ReplyTo Id=3> <Address> "http://schemas.xmlsoap.org/ws/2004/03/addressing/role/anonymous" and Action <To Id=4> "http://localhost/UsernameSignCodeService/UsernameSigningService.asmx" <Security mustUnderstand="1"> <Timestamp Id=5> <Created> "2004-09-01T13:31:50Z" <Expires> "2004-09-01T13:32:50Z" To prevent replays, <UsernameToken Id=7> <Username> "adg" need to sign <Nonce> "mTbzQM84RkFqza+lIes/xw==" <Created> "2004-09-01T13:31:50Z" Timestamp and <Signature> MessageId <SignedInfo> <CanonicalizationMethod Algorithm=exc-c14n> <SignatureMethod Algorithm=hmac-sha1> <Reference URI=#1> ... <Reference URI=#2> ... <Reference URI=#3> ... <Reference URI=#4> ... <Reference URI=#5> ... <Reference URI=#6> ... Actually, to prevent various <SignatureValue> "8/ohMBZ5JwzYyu+POU/v879R01s=" XML ¡rewriting ¡attacks, ¡it’s ¡ <KeyInfo> <SecurityTokenReference> necessary to co-sign other <Reference URI=#7 ValueType=UsernameToken> <Body Id=6> message parts with the body <BalanceRequest> <AccountNumber> accoun t C </>

  15. Example 3: X.509 Mutual Auth Two-step encryption Response signature includes request signature • Assume C and S have key-pairs: ( sk C , pk C ) and ( sk S , pk S ) (Assume they have exchanged X.509 public-key certificates) • Secrecy of messages – freshly encrypted under pk S and pk C • Request and Response Authentication • Request-Response Correlation – signature of request counter-signed in response

  16. Example 3: Request Message (symbolic) A symbolic representation of an X.509 cert issued by “Root” ¡to ¡“C” Encrypting fresh symmetric ¡“key” ¡ ¡ Encrypting symbol under ¡“key” ¡ ¡

  17. Attacks on WS-Security Protocols

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security proofs in the symbolic model the applied pi calculus Karthikeyan Bhargavan INRIA

Security proofs in the symbolic model the applied pi calculus Karthikeyan Bhargavan INRIA

Security proofs in the symbolic model the applied pi calculus Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA) Security proofs in the symbolic

413 views • 39 slides
PhD Defense Symbolic Proofs of Computational Indistinguishability Adrien Koutsos Thse

PhD Defense Symbolic Proofs of Computational Indistinguishability Adrien Koutsos Thse

PhD Defense Symbolic Proofs of Computational Indistinguishability Adrien Koutsos Thse prpare au sein du LSV, ENS Paris-Saclay September 27, 2019 Introduction Motivation Security Protocols Distributed programs which aim at providing some

1.55k views • 142 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution /

Symbolic execution for binary-level security / 50 3 A number of shades of symbolic execution / / Sbastien Bardin &amp; Richard Bonichon 20180409 CEA LIST 1 1,1,L Model Source qb int foo (int t ) { 0,1,L 0,1,L int y = t * t - 4 * t ;

567 views • 34 slides
Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Introduction Symbolic Model Computational Model Implementations Conclusion Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS Bruno.Blanchet@ens.fr March 2012

905 views • 53 slides
Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS

Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS

Introduction / Motivation Symbolic Method Experiments Conclusion Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS In` es Ben El Ouahma Quentin Meunier Karine Heydemann Emmanuelle Encrenaz

271 views • 25 slides
1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

Probabilistic Polynomial-Time Standard analysis methods Process Calculus for Security Finite-state analysis Protocol Analysis Easier Dolev-Yao model Symbolic search of protocol runs Proofs of correctness in formal logic

258 views • 7 slides
Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shu ichi Katsumata (The University of Tokyo /AIST) Shota Yamada Takashi Yamakawa (AIST) (NTT) 1 Post Quantum Cryptography

1.22k views • 86 slides
Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH

Introduction to Symbolic Verification Methods David Basin Institute of Information Security ETH Zurich Road map Motivation Basic notions Problems Symbolic models 1 Security protocols Omnipresent Authentication:

827 views • 37 slides
Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben

Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben

Glitch-Resistant Masking Revisited or Why Proofs in the Robust Probing Model are Needed Thorben Moos 1 , Amir Moradi 1 , Tobias Schneider 2 and Franois-Xavier Standaert 2 Horst Grtz Institute for IT Security, Ruhr-Universitt Bochum,

694 views • 46 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking

Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking

Lecture 5. Symbolic model checking. NuSMV and SPIN model checkers. User-friendly model checking ELEC-E8110 Automation Systems Synthesis and Analysis Igor Buzhinsky igor.buzhinskii@aalto.fi 2018 Igor Buzhinsky Lecture 5 2018 1 / 28 Symbolic

833 views • 61 slides
Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

1 Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most protocols: (AES k (0) ; : : : ; AES k ( n 1)) is distinguishable from uniform with probability n ( n 1) = 2 129 , plus tiny key-guessing

577 views • 32 slides
Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on

Symbolic Execution: Applications Symbolic execution is widely used in practice. Tools based on symbolic execution have found serious errors and security vulnerabilities in various systems: Network servers File systems Device drivers

733 views • 40 slides
Symbolic Model Checking 10 20 States and Beyond Burch Clarke McMillan Dill Hwang Seminal

Symbolic Model Checking 10 20 States and Beyond Burch Clarke McMillan Dill Hwang Seminal

The Mu-Calculus Model Checking Example Results Symbolic Model Checking 10 20 States and Beyond Burch Clarke McMillan Dill Hwang Seminal Papers in Verification March 23, 2012 Andrena Francisco Symbolic Model Checking The Mu-Calculus

196 views • 15 slides
Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern

Security Proofs for Signature Schemes David Pointcheval David.Pointcheval@ens.fr Jacques Stern Jacques.Stern@ens.fr Laboratoire dInformatique Ecole Normale Sup erieure 45, rue dUlm 75230 PARIS CEDEX 05 Security Proofs for

588 views • 12 slides
strt r r

strt r r

strt r r r t ss rr

425 views • 24 slides
Absence of the singular spectrum in a twisted Dirichlet-Neumann waveguide Ph. Briet 1 J.Dittrich 2

Absence of the singular spectrum in a twisted Dirichlet-Neumann waveguide Ph. Briet 1 J.Dittrich 2

The Dittrich-K r problem References Questions The spectrum Mourre estimate Absence of the singular spectrum in a twisted Dirichlet-Neumann waveguide Ph. Briet 1 J.Dittrich 2 rk 3 D. Krej ci 1 Centre de Physique Thorique,CNRS,

216 views • 19 slides
Gneiss A nice component framework in SPARK Johannes Kliemann FOSDEM, Brussels, 2020-02-02

Gneiss A nice component framework in SPARK Johannes Kliemann FOSDEM, Brussels, 2020-02-02

Gneiss A nice component framework in SPARK Johannes Kliemann FOSDEM, Brussels, 2020-02-02 Component-based Architectures Trusted Components Cant reimplement everything Solution: software reuse Protocol validator Untrusted

413 views • 17 slides
Cybersecurity for IoT: Verify your Software Today! Allan Blanchard, Nikolai Kosmatov (based on a

Cybersecurity for IoT: Verify your Software Today! Allan Blanchard, Nikolai Kosmatov (based on a

Cybersecurity for IoT: Verify your Software Today! Allan Blanchard, Nikolai Kosmatov (based on a tutorial prepared with Frdric Loulergue) Outline Introduction Verification of absence of runtime errors using Frama-C/Eva Deductive

694 views • 58 slides
A&amp;D Forum Space Entrepenuerism An Engineering Firm Specializing In Fluid Dynamics and

A&amp;D Forum Space Entrepenuerism An Engineering Firm Specializing In Fluid Dynamics and

A&amp;D Forum Space Entrepenuerism An Engineering Firm Specializing In Fluid Dynamics and Thermodynamics Solutions . Flometrics, Inc. provides engineering services, skills and expertise for applications involving fluid dynamics and

452 views • 12 slides
Training Knowledge Bots for Physics Based Simulations Using Artificial Neural Networks Jay Ming

Training Knowledge Bots for Physics Based Simulations Using Artificial Neural Networks Jay Ming

Introduction Knowledge Bot Trajectory Analysis Conclusion Training Knowledge Bots for Physics Based Simulations Using Artificial Neural Networks Jay Ming Wong Jamshid Samareh (Mentor) Department of Computer Science Vechicle Analysis Branch

504 views • 16 slides
Complete Information Flow Tracking from Gates Up Mohit Tiwari, Xun Li, Hassan M G Wassel,

Complete Information Flow Tracking from Gates Up Mohit Tiwari, Xun Li, Hassan M G Wassel,

Complete Information Flow Tracking from Gates Up Mohit Tiwari, Xun Li, Hassan M G Wassel, Frederic T Chong, Timothy Sherwood Presented by Mengjia Yan Based on slides from Mohit Tiwari Goal: Non-Interference Non-Interference: a change in a

604 views • 32 slides
Slicing Concurrent Programs Achievements and Open Challenges Dennis Giffhorn Programming

Slicing Concurrent Programs Achievements and Open Challenges Dennis Giffhorn Programming

Slicing Concurrent Programs Achievements and Open Challenges Dennis Giffhorn Programming paradigms group IPD Snelting Interference dependence Concurrency via threads and shared memory Shared-memory communication gives rise to interference

892 views • 39 slides

More recommend