symbolic protocol analysis in presence of a homomorphism
play

Symbolic Protocol Analysis in Presence of a Homomorphism Operator and - PowerPoint PPT Presentation

Sep 05, 2023 •643 likes •983 views

Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Pascal Lafourcade (with St ephanie Delaune, Denis Lugiez & Ralf Treinen)

  1. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Pascal Lafourcade (with St´ ephanie Delaune, Denis Lugiez & Ralf Treinen) Venise Italy ∗∗∗∗ LSV, CNRS UMR 8643, ENS de Cachan & INRIA Futurs LIF, Universit´ e Aix-Marseille 1 & CNRS UMR 6166 ICALP 10th July 2006 1/25

  2. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Motivation Introduction Symbolic approach • Intruder controls the network • Messages represented by terms - { m } k - � m 1 , m 2 � • Number of sessions bounded • Perfect encryption hypothesis 2/25

  3. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Motivation Introduction Symbolic approach • Intruder controls the network • Messages represented by terms - { m } k - � m 1 , m 2 � • Number of sessions bounded • Perfect encryption hypothesis Advantages • Automatic verification • Useful abstraction 2/25

  4. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Motivation Introduction Symbolic approach • Intruder controls the network • Messages represented by terms - { m } k - � m 1 , m 2 � • Number of sessions bounded • Perfect encryption hypothesis + algebraic properties Advantages • Automatic verification • Useful abstraction 2/25

  5. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Motivation Example: Key Exchange TMN Protocol (simplified) TMN Protocol: Distribution of a fresh symmetric key [Tatebayashi, Matsuzuki, Newmann 89]: A S W → : A , W , { N A } Pub S → : S , A ← : W , A , { N W } Pub S ← : S , W , N A ⊕ N W Alice retrieves N W : Using x ⊕ x = 0 and x ⊕ 0 = x , knowing N A 3/25

  6. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Motivation Example: Key Exchange TMN Protocol (simplified) Attack on TMN Protocol [Simmons 89] With homomorphic encryption { a } k ⊕ { b } k = { a ⊕ b } k C S Q → : C , Q , { N W } Pub S ⊕ { N C } Pub S � �� � { N W ⊕ N C } PubS → : S , C ← : Q , C , { N Q } Pub S ← : S , ( N W ⊕ N C ) ⊕ N Q Cheshire Learns: N W Using x ⊕ x = 0 and x ⊕ 0 = x , knowing N C and N Q 4/25

  7. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Motivation Example: Key Exchange TMN Protocol (simplified) Attack on TMN Protocol [Simmons 89] With homomorphic function h ( a ) ⊕ h ( b ) = h ( a ⊕ b ) C S Q → : C , Q , h ( N W ) ⊕ h ( N C ) � �� � h ( N W ⊕ N C ) → : S , C ← : Q , C , h ( N Q ) ← : S , ( N W ⊕ N C ) ⊕ N Q Cheshire Learns: N W Using x ⊕ x = 0 and x ⊕ 0 = x , knowing N C and N Q 5/25

  8. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or State of the Art Intruder Capabilities Deduction System: Extended Dolev-Yao T ⊢ � u , v � u ∈ T (A) (UL) T ⊢ u T ⊢ u (UR) T ⊢ � u , v � T ⊢ u T ⊢ v (P) T ⊢ � u , v � T ⊢ v T ⊢ { u } v T ⊢ v T ⊢ u T ⊢ v (C) (D) T ⊢ { u } v T ⊢ u T ⊢ u 1 · · · T ⊢ u n ( M E ) C is an context made with { h , ⊕} T ⊢ C [ u 1 , . . . , u n ] ↓ Example for M E T ⊢ a ⊕ h ( a ) T ⊢ bT ⊢ a ⊕ h 2 ( a ) ⊕ h ( b ) C [ u 1 , u 2 ] = u 1 ⊕ h ( u 1 ) ⊕ h ( u 2 ) 6/25

  9. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or State of the Art Intruder Deduction Problem Passive Intruder with homomorphisme and Xor Theorem of Locality [LLT’05,Del’05] A minimal proof P of T ⊢ u contains only computable terms. Complexity of Intruder Deduction [Del’05] T ⊢ u (for T , u ground) is decidable in PTIME The proof uses • McAllester’s locality theorem • linear equation solving over Z / 2 Z [ h ] 7/25

  10. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or State of the Art Security Problem Some Results to Active Intruder XOR : ACUN [Rusinowitch & al 03] [Comon-Shmatikov 03] • ( x ⊕ y ) ⊕ z = x ⊕ ( y ⊕ z ) Associativity • x ⊕ y = y ⊕ x Commutativity • x ⊕ 0 = x Unity • x ⊕ x = 0 Nilpotency Abelian Group and Exponential : AG [Millen-Shmatikov 05] • ( x ⊕ y ) ⊕ z = x ⊕ ( y ⊕ z ) Associativity • x ⊕ y = y ⊕ x Commutativity • x ⊕ 0 = x Unity • x ⊕ I ( x ) = 0 Inversion 8/25

  11. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or State of the Art Security Problem Our contribution Homomorphism over XOR : ACUNh • h ( x ⊕ y ) = h ( x ) ⊕ h ( y ) • ( x ⊕ y ) ⊕ z = x ⊕ ( y ⊕ z ) Associativity • x ⊕ y = y ⊕ x Commutativity • x ⊕ 0 = x Unity • x ⊕ x = 0 Nilpotency Theorem The security problem with a bounded number of sessions is decidable with ACUNh. 9/25

  12. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or State of the Art Security Problem Outline 1 Motivation Introduction Example: Key Exchange TMN Protocol (simplified) 2 State of the Art Intruder Capabilities Intruder Deduction Problem Security Problem 3 Modelisation of Protocols (Active Attacker) Constraints System Well-defined Constraints System 4 From Well-defined Constraints System to System of Equations 5 Conclusion 10/25

  13. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Outline 1 Motivation Introduction Example: Key Exchange TMN Protocol (simplified) 2 State of the Art Intruder Capabilities Intruder Deduction Problem Security Problem 3 Modelisation of Protocols (Active Attacker) Constraints System Well-defined Constraints System 4 From Well-defined Constraints System to System of Equations 5 Conclusion 11/25

  14. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Constraints System Modelisation of a protocol in a system of constraint The Intruder is the network, he can listen, built, send and replay messages.  recv ( u 1 ); send ( v 1 )   recv ( u 2 ); send ( v 2 )   := P . . .    recv ( u n ); send ( v n )  T 0 Intruder initial knowledge.  T 0 � u 1   T 0 , v 1 � u 2   C := . . .     T 0 , v 1 , . . . , v n � s If this system has a solution σ then the secret s can be obtain by the Intruder. 12/25

  15. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Well-defined Constraints System System of Constraints Well-formed [Millen-Shmatikov 03] C = { T i � u i } 1 ≤ i ≤ k is well-formed if: • monotonicity : The knowledge of the intruder is increasing. T 1 ⊆ T 2 ⊆ . . . ⊆ T k • origination : Variables appear first on right side: x ∈ vars ( T i ) ⇒ ∃ j < i such that : x ∈ vars ( u j ) System of Constraints Well-defined [Millen-Shmatikov 03] C is well-defined if for every substitution θ , C θ is well-formed. 13/25

  16. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Well-defined Constraints System System of Constraints Well-formed [Millen-Shmatikov 03] C = { T i � u i } 1 ≤ i ≤ k is well-formed if: • monotonicity : The knowledge of the intruder is increasing. T 1 ⊆ T 2 ⊆ . . . ⊆ T k • origination : Variables appear first on right side: x ∈ vars ( T i ) ⇒ ∃ j < i such that : x ∈ vars ( u j ) System of Constraints Well-defined [Millen-Shmatikov 03] C is well-defined if for every substitution θ , C θ is well-formed. 13/25

  17. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Well-defined Constraints System Well-Definedness: Example � T 0 X ⊕ Y � C := T 0 , X c � 14/25

  18. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Well-defined Constraints System Well-Definedness: Example � T 0 X ⊕ Y � C := T 0 , X c � Monotonicity OK ! 14/25

  19. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Well-defined Constraints System Well-Definedness: Example � T 0 X ⊕ Y � C := T 0 , X c � Monotonicity OK ! Origination OK ! 14/25

  20. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Well-defined Constraints System Well-Definedness: Example � T 0 X ⊕ Y � C := T 0 , X c � Monotonicity OK ! Origination OK ! But NOT well-defined ! θ = { Y → X } and C θ is not well-formed: � T 0 0 � C θ := T 0 , X c � 14/25

  21. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or From Well-defined Constraints System to System of Equations Outline 1 Motivation Introduction Example: Key Exchange TMN Protocol (simplified) 2 State of the Art Intruder Capabilities Intruder Deduction Problem Security Problem 3 Modelisation of Protocols (Active Attacker) Constraints System Well-defined Constraints System 4 From Well-defined Constraints System to System of Equations 5 Conclusion 15/25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

Probabilistic Polynomial-Time Standard analysis methods Process Calculus for Security Finite-state analysis Protocol Analysis Easier Dolev-Yao model Symbolic search of protocol runs Proofs of correctness in formal logic

258 views • 7 slides
Part 2: Finding Protocol Flaws with Symbolic Analysis The Needham-Schroeder problem In Using

Part 2: Finding Protocol Flaws with Symbolic Analysis The Needham-Schroeder problem In Using

Part 2: Finding Protocol Flaws with Symbolic Analysis The Needham-Schroeder problem In Using encryption for authentication in large networks of computers (CACM 1978) , Needham and Schroeder didnt just initiate a field that led to widely

1.32k views • 104 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units

Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units

Symbolic data analysis V. Batagelj Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units Clustering and optimization Leaders method Vladimir Batagelj Agglomerative method Examples IMFM Ljubljana

871 views • 33 slides
Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps Symbolic Stamps Hui Xu, Guoyong Shi and Xiaopeng Li School of Microelectronics, Shanghai Jiao Tong Univ. Shanghai, China Presentation at Asia

655 views • 36 slides
Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Introduction Symbolic Model Computational Model Implementations Conclusion Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS Bruno.Blanchet@ens.fr March 2012

905 views • 53 slides
Constrained homomorphism orders Jan Hubi cka Charles University Prague Joint work with Jirka

Constrained homomorphism orders Jan Hubi cka Charles University Prague Joint work with Jirka

The homomorphism order Constrained homomorphisms Locally constrained homomorphism orders Constrained homomorphism orders Jan Hubi cka Charles University Prague Joint work with Jirka Fiala and Yangjing Long BGW2012, Bordeaux Jan Hubi

941 views • 81 slides
Computational Verification of C Protocol Implementations by Symbolic Execution Mihhail Aizatulin 1

Computational Verification of C Protocol Implementations by Symbolic Execution Mihhail Aizatulin 1

Computational Verification of C Protocol Implementations by Symbolic Execution Mihhail Aizatulin 1 Andrew Gordon 23 urjens 4 Jan J 1 The Open University 2 Microsoft Research Cambridge 3 University of Edinburgh 4 Dortmund University October 2012

426 views • 28 slides
Protocol Analysis 17-654/17-764 Analysis of Software Artifacts Kevin Bierhoff Take-Aways

Protocol Analysis 17-654/17-764 Analysis of Software Artifacts Kevin Bierhoff Take-Aways

Protocol Analysis 17-654/17-764 Analysis of Software Artifacts Kevin Bierhoff Take-Aways Protocols define temporal ordering of events Can often be captured with state machines Protocol analysis needs to pay attention to

602 views • 33 slides
Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail Aizatulin 1 supervised by Andrew Gordon 23 , Jan J urjens 4 , Bashar Nuseibeh 1 1 The Open University 2 Microsoft Research Cambridge 3 University of

543 views • 29 slides
Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2. CPAchecker and Symbolic Memory Graphs 3. Abstractions of Symbolic Memory Graphs 4. Using counterexample guided abstraction refinement with Symbolic

412 views • 24 slides
A Weil descent homomorphism over the base field Darlison Nyirenda and Ed Schaefer University of

A Weil descent homomorphism over the base field Darlison Nyirenda and Ed Schaefer University of

A Weil descent homomorphism over the base field Darlison Nyirenda and Ed Schaefer University of Witwatersrand and Santa Clara University October 11, 2013 A homomorphism from an abelian variety to a group with sub-expl DLP, that is defined

439 views • 23 slides
Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan Oscar H. Ibarra Deptartment of Computer Science University of California

477 views • 36 slides
NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine

NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine

NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine University Remembering Suzanne WINSBERG This talk is dedicated to her OUTLINE PART 1: SYMBOLIC DATA ANALYSIS The two levels of

1.29k views • 89 slides
1 Use second form Sample Protocol Goals Given set of traces Authenticity: who sent it?

1 Use second form Sample Protocol Goals Given set of traces Authenticity: who sent it?

TECS Week 2005 Analysis Techniques Protocol Verification by the Inductive Method Crypto Protocol Analysis Dolev-Yao Formal Models Computational Models (perfect cryptography) Random oracle Probabilistic process calculi John Mitchell

63 views • 4 slides
The exponential homomorphism in non-commutative probability Michael Anshelevich (joint work with

The exponential homomorphism in non-commutative probability Michael Anshelevich (joint work with

The exponential homomorphism in non-commutative probability Michael Anshelevich (joint work with Octavio Arizmendi) Texas A&amp;M University March 25, 2016 Michael Anshelevich Exponential homomorphism Classical convolutions. Additive:

596 views • 23 slides
Distribution The Role of Distribution To ensure that the products are available for customers at

Distribution The Role of Distribution To ensure that the products are available for customers at

Marketing Mix Distribution The Role of Distribution To ensure that the products are available for customers at the right place , right time , in right quantities and in right conditions Definition Distribution is the process of making a

531 views • 22 slides
Normal Distribution Many families of distributions include members that show a familiar

Normal Distribution Many families of distributions include members that show a familiar

ST 370 Probability and Statistics for Engineers Normal Distribution Many families of distributions include members that show a familiar bell-shaped curve. R plots of binomial, Poisson, and gamma source(&quot;R-code/plot-distributions.R&quot;);

452 views • 19 slides
Graduate Services Coordinator Workshop June 1, 2016 go.ncsu.edu/grad-workshop Introduction and

Graduate Services Coordinator Workshop June 1, 2016 go.ncsu.edu/grad-workshop Introduction and

Annual Graduate Services Coordinator Workshop June 1, 2016 go.ncsu.edu/grad-workshop Introduction and Opening Remarks Dean Maureen Grasso NextGen Appointments Siarra Dickey Website Resources

1.27k views • 97 slides
D Leading People. Leading Organizations. SHRM Advocacy Team: Shaping HR Public Policy Meredith

D Leading People. Leading Organizations. SHRM Advocacy Team: Shaping HR Public Policy Meredith

D Leading People. Leading Organizations. SHRM Advocacy Team: Shaping HR Public Policy Meredith Nethercutt, Senior Associate, Member Advocacy A-Team Director April 9, 2016 Meredith Nethercutt Senior Associate, Member Advocacy Director of

877 views • 33 slides
Lattice Calculation of PDFs Two Challenges. Euclidean lattice precludes the calculation of

Lattice Calculation of PDFs Two Challenges. Euclidean lattice precludes the calculation of

Lattice Calculation of PDFs Two Challenges. Euclidean lattice precludes the calculation of light-cone correlation functions So Use Operator-Product-Expansion to formulate in terms of Mellin Moments with respect to Bjorken x . Z d

317 views • 10 slides
UDT 2020 Designing a Persistent Virtual Maritime Border Megeney 1 , Lowe 2 1 Hilary Megeney,

UDT 2020 Designing a Persistent Virtual Maritime Border Megeney 1 , Lowe 2 1 Hilary Megeney,

UDT 2020 Designing a Persistent Virtual Maritime Border Presentation/Panel UDT 2020 Designing a Persistent Virtual Maritime Border Megeney 1 , Lowe 2 1 Hilary Megeney, BMT, Ottawa, Canada 2 Geoff Lowe, BMT, Ottawa, Canada Abstract In order

254 views • 3 slides
VECTOR SENSOR FOR HF DIRECTION FINDER A REVOLUTIONARY WAY TO TACKLE THE HF CHALLENGE February

VECTOR SENSOR FOR HF DIRECTION FINDER A REVOLUTIONARY WAY TO TACKLE THE HF CHALLENGE February

VECTOR SENSOR FOR HF DIRECTION FINDER A REVOLUTIONARY WAY TO TACKLE THE HF CHALLENGE February 2020 Publication 16357A-000 UNCLASSIFIED This document contains proprietary information of ELTA Systems Ltd. and may not be reproduced, copied,

727 views • 26 slides
Hawaiis 100% RPS and Vermonts New RPS Hosted by Warren Leon, Executive Director, CESA

Hawaiis 100% RPS and Vermonts New RPS Hosted by Warren Leon, Executive Director, CESA

State-Federal RPS Collaborative Webinar Hawaiis 100% RPS and Vermonts New RPS Hosted by Warren Leon, Executive Director, CESA March 14, 2016 Housekeeping www.cleanenergystates.org 2 Clean Energy States Alliance (CESA) is a national

788 views • 44 slides

More recommend