the journey towards a reference implementation of ipsec
play

The Journey towards a Reference Implementation of IPSec Automatic - PowerPoint PPT Presentation

Mar 22, 2023 •147 likes •1.32k views

1/25 The Journey towards a Reference Implementation of IPSec Automatic Security Analysis with Tamarin-Prover Eike Stadtlnder July 12, 2018 2/25 Outline Motivation Tamarin-Prover Overview Multiset Rewriting Tamarin-Prover in Practice

  1. 7/25 fresh top s . Example (Cryptographic messages) S msg fresh pub , msg pub top s msg , PHS fst snd h senc top s k f Term Algebras and Cryptographic Messages I satisfying Defjnition sorts and is a set of function symbols associated with the sorts such that 1. For every s S the connected component C of s contains a top sort top s c , we also have C c top s . 2. For every k -ary function symbol f s s k s sdec A order-sorted signature is a triple ( S , ≤ , Σ) where ( S , ≤ ) is partially-ordered set of

  2. 7/25 msg pub top s k top s . Example (Cryptographic messages) fresh pub fresh msg Term Algebras and Cryptographic Messages I , PHS fst snd h senc top s f , we also have s Defjnition sorts and is a set of function symbols associated with the sorts such that 1. For every s S the connected component C of s contains a top sort top s satisfying c C c top s . 2. For every k -ary function symbol f s s k sdec A order-sorted signature is a triple ( S , ≤ , Σ) where ( S , ≤ ) is partially-ordered set of S = { msg , } ,

  3. 7/25 msg pub top s top s k top s . Example (Cryptographic messages) fresh msg Term Algebras and Cryptographic Messages I , PHS fst snd h senc f , we also have s s k Defjnition sorts and is a set of function symbols associated with the sorts such that 1. For every s S the connected component C of s contains a top sort top s satisfying c C c top s . 2. For every k -ary function symbol f s sdec A order-sorted signature is a triple ( S , ≤ , Σ) where ( S , ≤ ) is partially-ordered set of S = { msg , fresh , pub } ,

  4. 7/25 Term Algebras and Cryptographic Messages I senc h snd fst PHS Example (Cryptographic messages) . top s top s k top s f , we also have s s k s 2. For every k -ary function symbol f top s . c C c satisfying S the connected component C of s contains a top sort top s 1. For every s is a set of function symbols associated with the sorts such that and sorts Defjnition sdec A order-sorted signature is a triple ( S , ≤ , Σ) where ( S , ≤ ) is partially-ordered set of S = { msg , fresh , pub } , fresh ≤ msg , pub ≤ msg,

  5. 7/25 s senc h snd fst PHS Example (Cryptographic messages) . top s top s k top s f , we also have s k Term Algebras and Cryptographic Messages I s 2. For every k -ary function symbol f top s . c C c satisfying S the connected component C of s contains a top sort top s 1. For every s such that Defjnition sdec A order-sorted signature is a triple ( S , ≤ , Σ) where ( S , ≤ ) is partially-ordered set of sorts and Σ is a set of function symbols associated with the sorts S = { msg , fresh , pub } , fresh ≤ msg , pub ≤ msg,

  6. 7/25 Term Algebras and Cryptographic Messages I Example (Cryptographic messages) . top s top s k top s f , we also have s s k s 2. For every k -ary function symbol f top s . c C c satisfying S the connected component C of s contains a top sort top s 1. For every s such that Defjnition A order-sorted signature is a triple ( S , ≤ , Σ) where ( S , ≤ ) is partially-ordered set of sorts and Σ is a set of function symbols associated with the sorts S = { msg , fresh , pub } , fresh ≤ msg , pub ≤ msg, Σ PHS = {⟨· , ·⟩ , fst ( · ) , snd ( · ) , h ( · ) , senc ( · , · ) , sdec ( · , · ) }

  7. 7/25 Term Algebras and Cryptographic Messages I Example (Cryptographic messages) . top s top s k top s f , we also have s s k s 2. For every k -ary function symbol f Defjnition A order-sorted signature is a triple ( S , ≤ , Σ) where ( S , ≤ ) is partially-ordered set of sorts and Σ is a set of function symbols associated with the sorts such that 1. For every s ∈ S the connected component C of s contains a top sort top ( s ) satisfying ∀ c ∈ C : c ≤ top ( s ) . S = { msg , fresh , pub } , fresh ≤ msg , pub ≤ msg, Σ PHS = {⟨· , ·⟩ , fst ( · ) , snd ( · ) , h ( · ) , senc ( · , · ) , sdec ( · , · ) }

  8. 7/25 Term Algebras and Cryptographic Messages I Defjnition Example (Cryptographic messages) A order-sorted signature is a triple ( S , ≤ , Σ) where ( S , ≤ ) is partially-ordered set of sorts and Σ is a set of function symbols associated with the sorts such that 1. For every s ∈ S the connected component C of s contains a top sort top ( s ) satisfying ∀ c ∈ C : c ≤ top ( s ) . 2. For every k -ary function symbol f : s 1 × · · · × s k → s ∈ Σ , we also have f : top ( s 1 ) × · · · × top ( s k ) → top ( s ) ∈ Σ . S = { msg , fresh , pub } , fresh ≤ msg , pub ≤ msg, Σ PHS = {⟨· , ·⟩ , fst ( · ) , snd ( · ) , h ( · ) , senc ( · , · ) , sdec ( · , · ) }

  9. s and constants s where t if s t PHS we have, for instance, the following 8/25 A denotes the set of all well-sorted terms constructed over A . Example (Cryptographic messages) Given PHS well-sorted terms msg fresh pub s S m msg fst m n senc m k sdec k senc k s , s S s s Defjnition Given a order-sorted signature S . For every sort s S we assume there are countably infjnite sets of variables s Term Algebras and Cryptographic Messages II and s t s S s t . Then given A m

  10. s and constants s where t if s t PHS we have, for instance, the following 8/25 constructed over A . Example (Cryptographic messages) Given PHS msg fresh pub well-sorted terms s , m msg fst m n senc m k sdec k senc k A denotes the set of all well-sorted terms s S s S s Defjnition For every sort s S we assume there are countably infjnite sets of variables s s and s t s S s t . Then given A Term Algebras and Cryptographic Messages II m Given a order-sorted signature Σ = ( S , ≤ , Σ) .

  11. t if s t PHS we have, for instance, the following msg fresh pub constructed over A . Example (Cryptographic messages) Given PHS 8/25 s , well-sorted terms m msg fst m n senc m k sdec k senc k A denotes the set of all well-sorted terms s S Term Algebras and Cryptographic Messages II s Defjnition where s s and s t s S s t . Then given A s S m Given a order-sorted signature Σ = ( S , ≤ , Σ) . For every sort s ∈ S we assume there are countably infjnite sets of variables V s and constants C s

  12. PHS we have, for instance, the following 8/25 Example (Cryptographic messages) senc k sdec k senc m k fst m n msg m well-sorted terms msg fresh pub PHS Given A . Term Algebras and Cryptographic Messages II constructed over A denotes the set of all well-sorted terms s , s S s s S Then given A Defjnition m Given a order-sorted signature Σ = ( S , ≤ , Σ) . For every sort s ∈ S we assume there are countably infjnite sets of variables V s and constants C s where C s ∩ V s = ∅ and V s ∩ V t = ∅ = C s ∩ C t if s , t ∈ S , s ̸ = t .

  13. PHS we have, for instance, the following 8/25 PHS senc k sdec k senc m k fst m n msg m well-sorted terms msg fresh pub Given Term Algebras and Cryptographic Messages II Example (Cryptographic messages) Defjnition m Given a order-sorted signature Σ = ( S , ≤ , Σ) . For every sort s ∈ S we assume there are countably infjnite sets of variables V s and constants C s where C s ∩ V s = ∅ and V s ∩ V t = ∅ = C s ∩ C t if s , t ∈ S , s ̸ = t . Then given A ⊆ ∪ s ∈ S C s ∪ ∪ s ∈ S V s , T Σ ( A ) denotes the set of all well-sorted terms constructed over Σ ∪ A .

  14. 8/25 Term Algebras and Cryptographic Messages II senc k sdec k senc m k fst m n msg m well-sorted terms Example (Cryptographic messages) Defjnition m Given a order-sorted signature Σ = ( S , ≤ , Σ) . For every sort s ∈ S we assume there are countably infjnite sets of variables V s and constants C s where C s ∩ V s = ∅ and V s ∩ V t = ∅ = C s ∩ C t if s , t ∈ S , s ̸ = t . Then given A ⊆ ∪ s ∈ S C s ∪ ∪ s ∈ S V s , T Σ ( A ) denotes the set of all well-sorted terms constructed over Σ ∪ A . Given Σ PHS = ( { msg , fresh , pub } , ≤ , Σ PHS ) we have, for instance, the following

  15. 8/25 Term Algebras and Cryptographic Messages II senc k sdec k senc m k fst m n well-sorted terms Example (Cryptographic messages) m Defjnition Given a order-sorted signature Σ = ( S , ≤ , Σ) . For every sort s ∈ S we assume there are countably infjnite sets of variables V s and constants C s where C s ∩ V s = ∅ and V s ∩ V t = ∅ = C s ∩ C t if s , t ∈ S , s ̸ = t . Then given A ⊆ ∪ s ∈ S C s ∪ ∪ s ∈ S V s , T Σ ( A ) denotes the set of all well-sorted terms constructed over Σ ∪ A . Given Σ PHS = ( { msg , fresh , pub } , ≤ , Σ PHS ) we have, for instance, the following m ∈ V msg ,

  16. 8/25 Term Algebras and Cryptographic Messages II senc k sdec k senc m k well-sorted terms Example (Cryptographic messages) m Defjnition Given a order-sorted signature Σ = ( S , ≤ , Σ) . For every sort s ∈ S we assume there are countably infjnite sets of variables V s and constants C s where C s ∩ V s = ∅ and V s ∩ V t = ∅ = C s ∩ C t if s , t ∈ S , s ̸ = t . Then given A ⊆ ∪ s ∈ S C s ∪ ∪ s ∈ S V s , T Σ ( A ) denotes the set of all well-sorted terms constructed over Σ ∪ A . Given Σ PHS = ( { msg , fresh , pub } , ≤ , Σ PHS ) we have, for instance, the following m ∈ V msg , fst ( ⟨ m , n ⟩ ) ,

  17. 8/25 Example (Cryptographic messages) Defjnition Term Algebras and Cryptographic Messages II well-sorted terms Given a order-sorted signature Σ = ( S , ≤ , Σ) . For every sort s ∈ S we assume there are countably infjnite sets of variables V s and constants C s where C s ∩ V s = ∅ and V s ∩ V t = ∅ = C s ∩ C t if s , t ∈ S , s ̸ = t . Then given A ⊆ ∪ s ∈ S C s ∪ ∪ s ∈ S V s , T Σ ( A ) denotes the set of all well-sorted terms constructed over Σ ∪ A . Given Σ PHS = ( { msg , fresh , pub } , ≤ , Σ PHS ) we have, for instance, the following m ∈ V msg , fst ( ⟨ m , n ⟩ ) , senc ( m , k ) , sdec ( k 2 , senc ( k 1 , m ))

  18. E containing PHS as before. We defjne 9/25 y sdec k senc k m x snd x y fst x y E PHS Given Example (Cryptographic primitives) all instances of equations in E . The equational theory defjned by E is the smallest congruence relation Equational Theories and Cryptographic Primitives t . equation, we write s is called an of terms s t s t be a order-sorted signature. A pair Let Defjnition m

  19. E containing PHS as before. We defjne 9/25 Equational Theories and Cryptographic Primitives Defjnition The equational theory defjned by E is the smallest congruence relation all instances of equations in E . Example (Cryptographic primitives) Given E PHS fst x y x snd x y y sdec k senc k m m Let Σ be a order-sorted signature. A pair { s , t } of terms s , t ∈ T Σ ( V ) is called an equation, we write s = t .

  20. E containing PHS as before. We defjne 9/25 Equational Theories and Cryptographic Primitives Defjnition The equational theory defjned by E is the smallest congruence relation all instances of equations in E . Example (Cryptographic primitives) Given E PHS fst x y x snd x y y sdec k senc k m m Let Σ be a order-sorted signature. A pair { s , t } of terms s , t ∈ T Σ ( V ) is called an equation, we write s = t .

  21. E containing 9/25 Equational Theories and Cryptographic Primitives Defjnition The equational theory defjned by E is the smallest congruence relation all instances of equations in E . Example (Cryptographic primitives) Let Σ be a order-sorted signature. A pair { s , t } of terms s , t ∈ T Σ ( V ) is called an equation, we write s = t . Given Σ PHS as before. We defjne E PHS = { fst ( ⟨ x , y ⟩ ) = x , snd ( ⟨ x , y ⟩ ) = y , sdec ( k , senc ( k , m )) = m }

  22. 9/25 Equational Theories and Cryptographic Primitives Defjnition all instances of equations in E . Example (Cryptographic primitives) Let Σ be a order-sorted signature. A pair { s , t } of terms s , t ∈ T Σ ( V ) is called an equation, we write s = t . The equational theory defjned by E is the smallest congruence relation = E containing Given Σ PHS as before. We defjne E PHS = { fst ( ⟨ x , y ⟩ ) = x , snd ( ⟨ x , y ⟩ ) = y , sdec ( k , senc ( k , m )) = m }

  23. Fact be an unsorted signature partitioned into linear and persistent fact symbols. Fact modelling freshness. , we defjne the set of all facts by Fact arity F 10/25 Example c . a written p , A (labeled) multiset rewriting rule is a triple p a c of fjnite sequences p a c k t F t k Labeled Multiset Rewriting and Protocol Specifjcation I t k F t Given a order-sorted term algebra Furthermore, assume there is a designated fact symbol Fr Let Defjnition In our example from before:

  24. Fact modelling freshness. , we defjne the set of all facts by Fact arity F 10/25 Example c . a written p , A (labeled) multiset rewriting rule is a triple p a c of fjnite sequences p a c k t k F Labeled Multiset Rewriting and Protocol Specifjcation I t t k F t Given a order-sorted term algebra Furthermore, assume there is a designated fact symbol Fr Defjnition In our example from before: Let Σ Fact be an unsorted signature partitioned into linear and persistent fact symbols.

  25. Fact modelling freshness. 10/25 Labeled Multiset Rewriting and Protocol Specifjcation I Defjnition Furthermore, assume there is a designated fact symbol Fr A (labeled) multiset rewriting rule is a triple p a c of fjnite sequences p a c , written p a c . Example In our example from before: Let Σ Fact be an unsorted signature partitioned into linear and persistent fact symbols. Given a order-sorted term algebra T , we defjne the set of all facts by F = { F ( t 1 , . . . , t k ) | t 1 , . . . , t k ∈ T , F ∈ Σ Fact , arity ( F ) = k }

  26. Fact modelling freshness. 10/25 Labeled Multiset Rewriting and Protocol Specifjcation I Defjnition Furthermore, assume there is a designated fact symbol Fr A (labeled) multiset rewriting rule is a triple p a c of fjnite sequences p a c , written p a c . Example Let Σ Fact be an unsorted signature partitioned into linear and persistent fact symbols. Given a order-sorted term algebra T , we defjne the set of all facts by F = { F ( t 1 , . . . , t k ) | t 1 , . . . , t k ∈ T , F ∈ Σ Fact , arity ( F ) = k } In our example from before: Secret ( m , k )

  27. Fact modelling freshness. 10/25 Labeled Multiset Rewriting and Protocol Specifjcation I Defjnition Furthermore, assume there is a designated fact symbol Fr written p a c . Example Let Σ Fact be an unsorted signature partitioned into linear and persistent fact symbols. Given a order-sorted term algebra T , we defjne the set of all facts by F = { F ( t 1 , . . . , t k ) | t 1 , . . . , t k ∈ T , F ∈ Σ Fact , arity ( F ) = k } A (labeled) multiset rewriting rule is a triple ( p , a , c ) of fjnite sequences p , a , c ∈ F ∗ , In our example from before: Secret ( m , k )

  28. Fact modelling freshness. 10/25 Labeled Multiset Rewriting and Protocol Specifjcation I Defjnition Furthermore, assume there is a designated fact symbol Fr written p a c . Example Let Σ Fact be an unsorted signature partitioned into linear and persistent fact symbols. Given a order-sorted term algebra T , we defjne the set of all facts by F = { F ( t 1 , . . . , t k ) | t 1 , . . . , t k ∈ T , F ∈ Σ Fact , arity ( F ) = k } A (labeled) multiset rewriting rule is a triple ( p , a , c ) of fjnite sequences p , a , c ∈ F ∗ , In our example from before: [ Secret ( m , k )] Encrypted ( m ) [ Out ( senc ( k , m ))]

  29. 10/25 Labeled Multiset Rewriting and Protocol Specifjcation I Defjnition written p a c . Example Let Σ Fact be an unsorted signature partitioned into linear and persistent fact symbols. Furthermore, assume there is a designated fact symbol Fr ∈ Σ Fact modelling freshness. Given a order-sorted term algebra T , we defjne the set of all facts by F = { F ( t 1 , . . . , t k ) | t 1 , . . . , t k ∈ T , F ∈ Σ Fact , arity ( F ) = k } A (labeled) multiset rewriting rule is a triple ( p , a , c ) of fjnite sequences p , a , c ∈ F ∗ , In our example from before: [ Secret ( m , k )] Encrypted ( m ) [ Out ( senc ( k , m ))]

  30. 11/25 K x arity f f x k K f x K x k K x pub K x fresh K x fresh Fr x In x K x Labeled Multiset Rewriting and Protocol Specifjcation II K x Out x MD Message deduction rules (means of the attacker): Example in one of its premises (modulo E ). 3. No conclusion of a rule instance in R contains a fresh name which does not occur 2. No conclusion of a rule in R contains a Fr fact. fresh ). 1. No rule in R contains a fresh name ( properties Then we call R a (labeled) multiset rewriting system if it satisfjes the following Defjnition k Let E defjne an equational theory = E . Let R be a fjnite set of multiset rewriting rules.

  31. 11/25 K x arity f f x k K f x K x k K x pub K x fresh K x fresh Fr x In x K x Labeled Multiset Rewriting and Protocol Specifjcation II K x Out x MD Message deduction rules (means of the attacker): Example in one of its premises (modulo E ). 3. No conclusion of a rule instance in R contains a fresh name which does not occur 2. No conclusion of a rule in R contains a Fr fact. fresh ). 1. No rule in R contains a fresh name ( properties Then we call R a (labeled) multiset rewriting system if it satisfjes the following Defjnition k Let E defjne an equational theory = E . Let R be a fjnite set of multiset rewriting rules.

  32. 11/25 K x arity f f x k K f x K x k K x pub K x fresh K x fresh Fr x In x K x Labeled Multiset Rewriting and Protocol Specifjcation II K x Out x MD Message deduction rules (means of the attacker): Example in one of its premises (modulo E ). 3. No conclusion of a rule instance in R contains a fresh name which does not occur 2. No conclusion of a rule in R contains a Fr fact. properties Then we call R a (labeled) multiset rewriting system if it satisfjes the following Defjnition k Let E defjne an equational theory = E . Let R be a fjnite set of multiset rewriting rules. 1. No rule in R contains a fresh name ( V fresh ).

  33. 11/25 K x arity f f x k K f x K x k K x pub K x fresh K x fresh Fr x In x K x Labeled Multiset Rewriting and Protocol Specifjcation II K x Out x MD Message deduction rules (means of the attacker): Example in one of its premises (modulo E ). 3. No conclusion of a rule instance in R contains a fresh name which does not occur 2. No conclusion of a rule in R contains a Fr fact. properties Then we call R a (labeled) multiset rewriting system if it satisfjes the following Defjnition k Let E defjne an equational theory = E . Let R be a fjnite set of multiset rewriting rules. 1. No rule in R contains a fresh name ( V fresh ).

  34. 11/25 K x arity f f x k K f x K x k K x pub K x fresh K x fresh Fr x In x K x Labeled Multiset Rewriting and Protocol Specifjcation II K x Out x MD Message deduction rules (means of the attacker): Example in one of its premises (modulo E ). 3. No conclusion of a rule instance in R contains a fresh name which does not occur 2. No conclusion of a rule in R contains a Fr fact. properties Then we call R a (labeled) multiset rewriting system if it satisfjes the following Defjnition k Let E defjne an equational theory = E . Let R be a fjnite set of multiset rewriting rules. 1. No rule in R contains a fresh name ( V fresh ).

  35. 11/25 K x arity f f x k K f x K x k K x pub K x fresh K x fresh Fr x In x K x Labeled Multiset Rewriting and Protocol Specifjcation II K x Defjnition Then we call R a (labeled) multiset rewriting system if it satisfjes the following properties 2. No conclusion of a rule in R contains a Fr fact. 3. No conclusion of a rule instance in R contains a fresh name which does not occur in one of its premises (modulo E ). Example Message deduction rules (means of the attacker): Out x k Let E defjne an equational theory = E . Let R be a fjnite set of multiset rewriting rules. 1. No rule in R contains a fresh name ( V fresh ). { } MD Σ :=

  36. 11/25 K x arity f f x k K f x K x k K x pub K x fresh K x fresh Fr x In x K x Labeled Multiset Rewriting and Protocol Specifjcation II in one of its premises (modulo E ). Defjnition Then we call R a (labeled) multiset rewriting system if it satisfjes the following properties 2. No conclusion of a rule in R contains a Fr fact. 3. No conclusion of a rule instance in R contains a fresh name which does not occur Example Message deduction rules (means of the attacker): k Let E defjne an equational theory = E . Let R be a fjnite set of multiset rewriting rules. 1. No rule in R contains a fresh name ( V fresh ). { Out ( x ) K ( x ) , } MD Σ :=

  37. 11/25 Labeled Multiset Rewriting and Protocol Specifjcation II arity f f x k K f x K x k K x pub K x fresh K x fresh Fr x k 3. No conclusion of a rule instance in R contains a fresh name which does not occur Defjnition Then we call R a (labeled) multiset rewriting system if it satisfjes the following Message deduction rules (means of the attacker): Example in one of its premises (modulo E ). properties 2. No conclusion of a rule in R contains a Fr fact. Let E defjne an equational theory = E . Let R be a fjnite set of multiset rewriting rules. 1. No rule in R contains a fresh name ( V fresh ). { Out ( x ) K ( x ) , K ( x ) K ( x ) In ( x ) , } MD Σ :=

  38. 11/25 Labeled Multiset Rewriting and Protocol Specifjcation II arity f f x k K f x K x k K x pub K x k Message deduction rules (means of the attacker): 3. No conclusion of a rule instance in R contains a fresh name which does not occur Defjnition Then we call R a (labeled) multiset rewriting system if it satisfjes the following properties 2. No conclusion of a rule in R contains a Fr fact. in one of its premises (modulo E ). Example Let E defjne an equational theory = E . Let R be a fjnite set of multiset rewriting rules. 1. No rule in R contains a fresh name ( V fresh ). { Out ( x ) K ( x ) , K ( x ) K ( x ) In ( x ) , } MD Σ := Fr ( x : fresh ) K ( x : fresh )

  39. 11/25 Message deduction rules (means of the attacker): arity f f x k K f x K x k K x Labeled Multiset Rewriting and Protocol Specifjcation II k Example 2. No conclusion of a rule in R contains a Fr fact. Defjnition 3. No conclusion of a rule instance in R contains a fresh name which does not occur Then we call R a (labeled) multiset rewriting system if it satisfjes the following properties in one of its premises (modulo E ). Let E defjne an equational theory = E . Let R be a fjnite set of multiset rewriting rules. 1. No rule in R contains a fresh name ( V fresh ). { Out ( x ) K ( x ) , K ( x ) K ( x ) In ( x ) , } MD Σ := Fr ( x : fresh ) K ( x : fresh ) K ( x : pub )

  40. 11/25 2. No conclusion of a rule in R contains a Fr fact. Labeled Multiset Rewriting and Protocol Specifjcation II Message deduction rules (means of the attacker): Example 3. No conclusion of a rule instance in R contains a fresh name which does not occur in one of its premises (modulo E ). properties Then we call R a (labeled) multiset rewriting system if it satisfjes the following Defjnition Let E defjne an equational theory = E . Let R be a fjnite set of multiset rewriting rules. 1. No rule in R contains a fresh name ( V fresh ). { Out ( x ) K ( x ) , K ( x ) K ( x ) In ( x ) , } MD Σ := Fr ( x : fresh ) K ( x : fresh ) K ( x : pub ) ∪ { K ( x 1 ) , . . . , K ( x k ) K ( f ( x 1 , . . . , x k )) | f ∈ Σ , arity ( f ) = k }

  41. traces E R R E S R E S n A Id I x K x I x secrecy properties: Security properties can then be formulated as fjrst-order formulas on traces, e.g. uniqueness condition for freshness = A n R E = 12/25 Traces and Security Properties = A S n S A n A A facts. transition relation = Given a multiset rewriting system R and a equational theory by E . This yields a Corrupt I x ⇒ R , E modelling the application of rewriting rules to multisets of

  42. 12/25 Traces and Security Properties Id I x K x I x secrecy properties: Security properties can then be formulated as fjrst-order formulas on traces, e.g. uniqueness condition for freshness = = = facts. transition relation = Given a multiset rewriting system R and a equational theory by E . This yields a Corrupt I x ⇒ R , E modelling the application of rewriting rules to multisets of traces E ( R ) = { [ A 1 , A 2 , . . . , A n ] | ∃ S 1 , . . . , S n : ∅ ⇒ R , E S 1 A 1 ⇒ R , E . . . A n A 2 ⇒ R , E S n }

  43. 12/25 Traces and Security Properties Id I x K x I x secrecy properties: Security properties can then be formulated as fjrst-order formulas on traces, e.g. = = facts. = transition relation = Given a multiset rewriting system R and a equational theory by E . This yields a Corrupt I x ⇒ R , E modelling the application of rewriting rules to multisets of traces E ( R ) = { [ A 1 , A 2 , . . . , A n ] | ∃ S 1 , . . . , S n : ∅ ⇒ R , E S 1 A 1 ⇒ R , E . . . A n A 2 ⇒ R , E S n ∧ uniqueness condition for freshness }

  44. 12/25 Traces and Security Properties Id I x K x I x secrecy properties: , e.g. Security properties can then be formulated as fjrst-order formulas on traces = = facts. = transition relation = Given a multiset rewriting system R and a equational theory by E . This yields a Corrupt I x ⇒ R , E modelling the application of rewriting rules to multisets of traces E ( R ) = { [ A 1 , A 2 , . . . , A n ] | ∃ S 1 , . . . , S n : ∅ ⇒ R , E S 1 A 1 ⇒ R , E . . . A n A 2 ⇒ R , E S n ∧ uniqueness condition for freshness }

  45. 12/25 = Given a multiset rewriting system R and a equational theory by E . This yields a transition relation = facts. secrecy properties: = Traces and Security Properties Security properties can then be formulated as fjrst-order formulas on traces, e.g. = ⇒ R , E modelling the application of rewriting rules to multisets of traces E ( R ) = { [ A 1 , A 2 , . . . , A n ] | ∃ S 1 , . . . , S n : ∅ ⇒ R , E S 1 A 1 ⇒ R , E . . . A n A 2 ⇒ R , E S n ∧ uniqueness condition for freshness } ∀ I , x : K ( x ) ∧ Id ( I , x ) ⇒ Corrupt ( I , x )

  46. • at a trivially unsolvable constraint and the claim is falsifjed or • at a constraint system for which a trivial solution can be easily found and the claim is verifjed. • Trace formulas • Every R E -validity claim can be converted into a R E -satisfjability claim. • Security protocol verifjcation boils down to searching R E -satisfying traces. • Constraint systems are used to incrementally construct a satisfying trace by • The constraint reduction rules are a heuristic giving rise to a verifjcation • The underlying satisfjability problem is undecidable, the solver does not always algorithm. When the algorithm terminates it arrived either 13/25 solving constraints. Theoretical Outlook is not R E -satisfjable. is R E -valid ifg. • can be R E -valid or R E -satisfjable (or neither). terminate. Let R be a multiset rewriting system (with conditions) and = E an equational theory.

  47. • at a trivially unsolvable constraint and the claim is falsifjed or • at a constraint system for which a trivial solution can be easily found and the claim is verifjed. • Every R E -validity claim can be converted into a R E -satisfjability claim. • Security protocol verifjcation boils down to searching R E -satisfying traces. • Constraint systems are used to incrementally construct a satisfying trace by • The constraint reduction rules are a heuristic giving rise to a verifjcation • The underlying satisfjability problem is undecidable, the solver does not always algorithm. When the algorithm terminates it arrived either 13/25 solving constraints. Theoretical Outlook is not R E -satisfjable. is R E -valid ifg. • terminate. Let R be a multiset rewriting system (with conditions) and = E an equational theory. • Trace formulas ϕ can be R , E -valid or R , E -satisfjable (or neither).

  48. • at a trivially unsolvable constraint and the claim is falsifjed or • at a constraint system for which a trivial solution can be easily found and the claim is verifjed. • Security protocol verifjcation boils down to searching R E -satisfying traces. • Constraint systems are used to incrementally construct a satisfying trace by • The constraint reduction rules are a heuristic giving rise to a verifjcation • The underlying satisfjability problem is undecidable, the solver does not always solving constraints. algorithm. When the algorithm terminates it arrived either 13/25 Theoretical Outlook is not R E -satisfjable. is R E -valid ifg. • terminate. Let R be a multiset rewriting system (with conditions) and = E an equational theory. • Trace formulas ϕ can be R , E -valid or R , E -satisfjable (or neither). • Every R , E -validity claim can be converted into a R , E -satisfjability claim.

  49. • at a trivially unsolvable constraint and the claim is falsifjed or • at a constraint system for which a trivial solution can be easily found and the claim is verifjed. • Security protocol verifjcation boils down to searching R E -satisfying traces. • Constraint systems are used to incrementally construct a satisfying trace by • The constraint reduction rules are a heuristic giving rise to a verifjcation • The underlying satisfjability problem is undecidable, the solver does not always 13/25 Theoretical Outlook solving constraints. algorithm. When the algorithm terminates it arrived either terminate. Let R be a multiset rewriting system (with conditions) and = E an equational theory. • Trace formulas ϕ can be R , E -valid or R , E -satisfjable (or neither). • Every R , E -validity claim can be converted into a R , E -satisfjability claim. • ϕ is R , E -valid ifg. ¬ ϕ is not R , E -satisfjable.

  50. • at a trivially unsolvable constraint and the claim is falsifjed or • at a constraint system for which a trivial solution can be easily found and the claim is verifjed. • Constraint systems are used to incrementally construct a satisfying trace by • The constraint reduction rules are a heuristic giving rise to a verifjcation • The underlying satisfjability problem is undecidable, the solver does not always 13/25 Theoretical Outlook solving constraints. algorithm. When the algorithm terminates it arrived either terminate. Let R be a multiset rewriting system (with conditions) and = E an equational theory. • Trace formulas ϕ can be R , E -valid or R , E -satisfjable (or neither). • Every R , E -validity claim can be converted into a R , E -satisfjability claim. • ϕ is R , E -valid ifg. ¬ ϕ is not R , E -satisfjable. • Security protocol verifjcation boils down to searching R , E -satisfying traces.

  51. • at a trivially unsolvable constraint and the claim is falsifjed or • at a constraint system for which a trivial solution can be easily found and the claim is verifjed. • The constraint reduction rules are a heuristic giving rise to a verifjcation • The underlying satisfjability problem is undecidable, the solver does not always 13/25 Theoretical Outlook solving constraints. algorithm. When the algorithm terminates it arrived either terminate. Let R be a multiset rewriting system (with conditions) and = E an equational theory. • Trace formulas ϕ can be R , E -valid or R , E -satisfjable (or neither). • Every R , E -validity claim can be converted into a R , E -satisfjability claim. • ϕ is R , E -valid ifg. ¬ ϕ is not R , E -satisfjable. • Security protocol verifjcation boils down to searching R , E -satisfying traces. • Constraint systems are used to incrementally construct a satisfying trace by

  52. • The underlying satisfjability problem is undecidable, the solver does not always 13/25 Theoretical Outlook solving constraints. algorithm. When the algorithm terminates it arrived either terminate. Let R be a multiset rewriting system (with conditions) and = E an equational theory. • Trace formulas ϕ can be R , E -valid or R , E -satisfjable (or neither). • Every R , E -validity claim can be converted into a R , E -satisfjability claim. • ϕ is R , E -valid ifg. ¬ ϕ is not R , E -satisfjable. • Security protocol verifjcation boils down to searching R , E -satisfying traces. • Constraint systems are used to incrementally construct a satisfying trace by • The constraint reduction rules are a heuristic giving rise to a verifjcation • at a trivially unsolvable constraint and the claim is falsifjed or • at a constraint system for which a trivial solution can be easily found and the claim is verifjed.

  53. 13/25 Theoretical Outlook solving constraints. algorithm. When the algorithm terminates it arrived either terminate. Let R be a multiset rewriting system (with conditions) and = E an equational theory. • Trace formulas ϕ can be R , E -valid or R , E -satisfjable (or neither). • Every R , E -validity claim can be converted into a R , E -satisfjability claim. • ϕ is R , E -valid ifg. ¬ ϕ is not R , E -satisfjable. • Security protocol verifjcation boils down to searching R , E -satisfying traces. • Constraint systems are used to incrementally construct a satisfying trace by • The constraint reduction rules are a heuristic giving rise to a verifjcation • at a trivially unsolvable constraint and the claim is falsifjed or • at a constraint system for which a trivial solution can be easily found and the claim is verifjed. • The underlying satisfjability problem is undecidable, the solver does not always

  54. 14/25 Action facts Trace Formulas Parallel executions of the protocol Traces Protocol Specifjcation, Means of the Attacker Rewriting Systems Protocol transcript State transitions of protocol instances, Oracles Overview of the Theoretical Part Rules Semantics of cryptographic primitives Equational Theories Cryptographic messages Terms Model Notion Security properties (e.g. executability, secrecy, authenticity)

  55. 14/25 Action facts Trace Formulas Parallel executions of the protocol Traces Protocol Specifjcation, Means of the Attacker Rewriting Systems Protocol transcript State transitions of protocol instances, Oracles Overview of the Theoretical Part Rules Semantics of cryptographic primitives Equational Theories Cryptographic messages Terms Model Notion Security properties (e.g. executability, secrecy, authenticity)

  56. 14/25 Action facts Trace Formulas Parallel executions of the protocol Traces Protocol Specifjcation, Means of the Attacker Rewriting Systems Protocol transcript State transitions of protocol instances, Oracles Overview of the Theoretical Part Rules Semantics of cryptographic primitives Equational Theories Cryptographic messages Terms Model Notion Security properties (e.g. executability, secrecy, authenticity)

  57. 14/25 Action facts Trace Formulas Parallel executions of the protocol Traces Protocol Specifjcation, Means of the Attacker Rewriting Systems Protocol transcript State transitions of protocol instances, Oracles Overview of the Theoretical Part Rules Semantics of cryptographic primitives Equational Theories Cryptographic messages Terms Model Notion Security properties (e.g. executability, secrecy, authenticity)

  58. 14/25 Action facts Trace Formulas Parallel executions of the protocol Traces Protocol Specifjcation, Means of the Attacker Rewriting Systems Protocol transcript State transitions of protocol instances, Oracles Overview of the Theoretical Part Rules Semantics of cryptographic primitives Equational Theories Cryptographic messages Terms Model Notion Security properties (e.g. executability, secrecy, authenticity)

  59. 14/25 Action facts Trace Formulas Parallel executions of the protocol Traces Protocol Specifjcation, Means of the Attacker Rewriting Systems Protocol transcript State transitions of protocol instances, Oracles Overview of the Theoretical Part Rules Semantics of cryptographic primitives Equational Theories Cryptographic messages Terms Model Notion Security properties (e.g. executability, secrecy, authenticity)

  60. 15/25 Tamarin-Prover in Practice

  61. 16/25 (Short) Demo ⌣

  62. 17/25 Reference Implementation of IPSec

  63. • Diffje-Hellman exponentiation • Pseudo-random functions • Signature schemes (cf. demo) • Authenticated encryption schemes • Random choices • Cryptographic primitives • Certifjcates 18/25 Building Blocks for IPSec ( ) (built-in) (function symbols, no collisions) (use EtA for now) (use identifjer and signature(s) for now )

  64. • Diffje-Hellman exponentiation • Pseudo-random functions • Signature schemes (cf. demo) • Authenticated encryption schemes • Cryptographic primitives • Certifjcates 18/25 Building Blocks for IPSec ( ) (built-in) (function symbols, no collisions) (use EtA for now) (use identifjer and signature(s) for now ) • Random choices

  65. • Diffje-Hellman exponentiation • Pseudo-random functions • Signature schemes (cf. demo) • Authenticated encryption schemes • Cryptographic primitives • Certifjcates 18/25 rule gen_nonce: ) (use identifjer and signature(s) for now (function symbols, no collisions) (use EtA for now) Building Blocks for IPSec (built-in) ( ) [ Fr(~n) ] --> [ State(~n) ] • Random choices

  66. • Diffje-Hellman exponentiation • Pseudo-random functions • Signature schemes (cf. demo) • Authenticated encryption schemes • Cryptographic primitives • Certifjcates 18/25 rule gen_nonce: ) (use identifjer and signature(s) for now (function symbols, no collisions) (use EtA for now) Building Blocks for IPSec (built-in) ( ) [ Fr(~n) ] --> [ State(~n) ] • Random choices ✓

  67. (function symbols, no collisions) • Diffje-Hellman exponentiation • Pseudo-random functions • Signature schemes (cf. demo) • Authenticated encryption schemes • Certifjcates 18/25 Building Blocks for IPSec ( ) (built-in) (use EtA for now) (use identifjer and signature(s) for now ) • Random choices ✓ • Cryptographic primitives

  68. (function symbols, no collisions) • Pseudo-random functions • Signature schemes (cf. demo) • Authenticated encryption schemes • Certifjcates in gab = ga ^ ~b let rule dh_calc: ) (use identifjer and signature(s) for now 18/25 (use EtA for now) Building Blocks for IPSec (built-in) ( ) [ Fr(~b), In(<A, ga>) ] --> [ Out(<B, gab>) ] • Random choices ✓ • Cryptographic primitives • Diffje-Hellman exponentiation

  69. (function symbols, no collisions) • Pseudo-random functions • Signature schemes (cf. demo) • Authenticated encryption schemes • Certifjcates in gab = ga ^ ~b let rule dh_calc: ) (use identifjer and signature(s) for now 18/25 (use EtA for now) Building Blocks for IPSec ( ) [ Fr(~b), In(<A, ga>) ] --> [ Out(<B, gab>) ] • Random choices ✓ • Cryptographic primitives • Diffje-Hellman exponentiation (built-in)

  70. • Signature schemes (cf. demo) • Authenticated encryption schemes • Certifjcates 18/25 Building Blocks for IPSec ( ) (function symbols, no collisions) (use EtA for now) (use identifjer and signature(s) for now ) • Random choices ✓ • Cryptographic primitives • Diffje-Hellman exponentiation (built-in) • Pseudo-random functions

  71. • Signature schemes (cf. demo) • Authenticated encryption schemes • Certifjcates 18/25 in let SKEYSEED = prf(<Ni, Nr, DH>) rule use_prf: functions: prf/1 ) (use identifjer and signature(s) for now (use EtA for now) Building Blocks for IPSec ( ) [ State(Ni, Nr, DH) ] --> [ State(Ni, Nr, DH, SKEYSEED) ] • Random choices ✓ • Cryptographic primitives • Diffje-Hellman exponentiation (built-in) • Pseudo-random functions (function symbols, no collisions)

  72. • Authenticated encryption schemes • Certifjcates 18/25 Building Blocks for IPSec ( ) (use EtA for now) (use identifjer and signature(s) for now ) • Random choices ✓ • Cryptographic primitives • Diffje-Hellman exponentiation (built-in) • Pseudo-random functions (function symbols, no collisions) • Signature schemes (cf. demo)

  73. • Certifjcates 18/25 Building Blocks for IPSec ( ) (use EtA for now) (use identifjer and signature(s) for now ) • Random choices ✓ • Cryptographic primitives • Diffje-Hellman exponentiation (built-in) • Pseudo-random functions (function symbols, no collisions) • Signature schemes (cf. demo) • Authenticated encryption schemes

  74. • Certifjcates 18/25 hdr = < '120', ... > tag = mac(ct, key_a) let ct = senc(~secret, key_e) rule use_aeenc: ) (use identifjer and signature(s) for now in [ Fr(~secret), State(key_e, key_a) ] --> [ Out(<hdr, ct, tag>)] Building Blocks for IPSec ( ) • Random choices ✓ • Cryptographic primitives • Diffje-Hellman exponentiation (built-in) • Pseudo-random functions (function symbols, no collisions) • Signature schemes (cf. demo) • Authenticated encryption schemes (use EtA for now)

  75. • Certifjcates 18/25 Building Blocks for IPSec (use identifjer and signature(s) for now ) • Random choices ✓ • Cryptographic primitives ( ✓ ) • Diffje-Hellman exponentiation (built-in) • Pseudo-random functions (function symbols, no collisions) • Signature schemes (cf. demo) • Authenticated encryption schemes (use EtA for now)

  76. 18/25 Building Blocks for IPSec (use identifjer and signature(s) for now ) • Random choices ✓ • Cryptographic primitives ( ✓ ) • Diffje-Hellman exponentiation (built-in) • Pseudo-random functions (function symbols, no collisions) • Signature schemes (cf. demo) • Authenticated encryption schemes (use EtA for now) • Certifjcates

  77. 18/25 Building Blocks for IPSec • Random choices ✓ • Cryptographic primitives ( ✓ ) • Diffje-Hellman exponentiation (built-in) • Pseudo-random functions (function symbols, no collisions) • Signature schemes (cf. demo) • Authenticated encryption schemes (use EtA for now) • Certifjcates (use identifjer and signature(s) for now ✓ )

  78. 19/25 Finite State Machine Init Phase ∅

  79. 19/25 Finite State Machine Init Phase ∅

  80. 19/25 Finite State Machine Init Phase I 1 init_send ∅

  81. 19/25 Finite State Machine Init Phase I 1 init_send m 1 = ⟨ Hdr , SAi1 , KEi , Ni ⟩ ∅ resp_accept R 1

  82. 19/25 Finite State Machine Init Phase resp_send I 1 init_send ∅ m 1 resp_accept R 1 R 2

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC

Uses of IPSEC with VPNs VPNs Uses of IPSEC with Purpose Outline some scenarios where IPSEC can be used with VPNs Identify areas where extensions to IPSEC could be useful Bryan Gleeson, Page-1 VPN Reference Model CE CE PE

352 views • 9 slides
IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE

IPSEC VPN overview IPSEC VPN overview Basic VPN Architecture CPE/CLE CPE/CLE PE PE CPE/CLE Host PE CPE to CPE IPSEC can be used for : PE to PE PE to CPE Bryan Gleeson, Page-1 CPE to CPE IPSEC tunnels

680 views • 8 slides
Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt

Labeled IPsec draft-jml-ipsec-ikev1-security-context-00.txt draft-jml-ipsec-ikev2-security-context-00.txt Presented by: Joy Latten Document authors: Serge Hallyn, Trent Jaeger, Joy Latten, and George Wilson Problem Description Mandatory

295 views • 6 slides
Traffic Flow Flow Confidentiality Confidentiality in in IPsec IPsec: : Traffic Protocol and

Traffic Flow Flow Confidentiality Confidentiality in in IPsec IPsec: : Traffic Protocol and

Universit di Roma di Roma Tor Tor Vergata Vergata Universit Traffic Flow Flow Confidentiality Confidentiality in in IPsec IPsec: : Traffic Protocol and and Implementation Implementation Protocol Giuseppe Bianchi,

514 views • 26 slides
Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab

Ipsec unter Linux 2.6 Einleitung: Die native IPsec Implementierung im Linux Kernel ab Version 2.5.47 basiert auf dem USAGI Projekt. Hierbei handelt es sich um eine alternative Implementierung des IPsec Stacks zum FreeS/WAN Projekt.

610 views • 8 slides
THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec

THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution Make encryption the default mode of communication Certifjcations (FIPS, Common Criteria, USGv6, etc.)

917 views • 25 slides
Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control Connectionless integrity Data origin authentication Rejection of replayed packets a form of partial sequence integrity Confidentiality

818 views • 37 slides
Firewalls, IPsec and Linux by Harald Welte &lt;laforge@netfilter.org&gt; Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte &lt;laforge@netfilter.org&gt; Firewalls, IPsec and

Firewalls, IPsec and Linux by Harald Welte &lt;laforge@netfilter.org&gt; Firewalls, IPsec and Linux Contents Introduction Highly Scalable Linux Network Stack Netfilter Hooks Packet selection based on IP Tables The Connection Tracking

444 views • 9 slides
OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by

OPPORTUNISTIC ENCRYPTION USING IPSEC Linux Security Summit, Toronto August 2016 Presented by Paul Wouters, RHEL Security THE LIBRESWAN PROJECT An Internet Key Exchange (IKE) daemon for IPsec Enterprise IPsec based VPN solution

736 views • 32 slides
Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework

Requirements for IPsec Negotiation in the SIP Framework draft-saito-mmusic-ipsec-negotiation-req-00.txt August 1, 2005 Makoto Saito (ma.saito@ntt.com) Shingo Fujimoto (shingo_fujimoto@jp.fujitsu.com) 1 Motivation To secure communication

83 views • 6 slides
Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF

Introduction to IPsec Charlie Kaufman charliek@microsoft.com 1 IP Security (IPsec) IETF standard for Network Layer security Popular for creating trusted link (VPN), either firewall-firewall, or machine to firewall Done at

868 views • 51 slides
IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised

IKEv2: IPSec Key Management Protocol Lecture 20 Acknowledgement: Slides from Vincent Luk, revised by Cunsheng Ding IP Security Architecture IPSec module 1 IPSec module 2 SPD SPD IKE IKE AH/ESP AH/ESP SAD SAD SA IKE: Internet Key

702 views • 26 slides
Fully Verified J AVA C ARD API Reference Implementation Wojciech Mostowski woj@cs.ru.nl Radboud

Fully Verified J AVA C ARD API Reference Implementation Wojciech Mostowski woj@cs.ru.nl Radboud

Fully Verified J AVA C ARD API Reference Implementation Wojciech Mostowski woj@cs.ru.nl Radboud University Nijmegen Background &amp; Motivation Full specification and implementation for the verification of J AVA C ARD applets reasoning

736 views • 28 slides
iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of

iLab IPsec Minoo Rouhi rouhi@net.in.tum.de Slides by Benjamin Hof hof@in.tum.de Chair of Network Architectures and Services Department of Informatics Technical University of Munich Lab 8 18ss 1 / 29 Outline Overview IPsec databases

563 views • 29 slides
IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network

IP IPSec ( ) 13 Network Security, Principles and Practice,2nd Ed. : http://www.fata.ir

567 views • 23 slides
ASC 842: LEASE ACCOUNTING THE IMPLEMENTATION JOURNEY June 26, 2019 WELCOME AGENDA AGENDA

ASC 842: LEASE ACCOUNTING THE IMPLEMENTATION JOURNEY June 26, 2019 WELCOME AGENDA AGENDA

ASC 842: LEASE ACCOUNTING THE IMPLEMENTATION JOURNEY June 26, 2019 WELCOME AGENDA AGENDA Overview of ASC 842 Beginning the Journey Process and Software Considerations Control and Documentation Considerations

1.07k views • 32 slides
Public Key Infrastructure Taofeeq Olatinwo Harmony Worldwide Inc. www.harmonycanada.com

Public Key Infrastructure Taofeeq Olatinwo Harmony Worldwide Inc. www.harmonycanada.com

Nigeria Computer Society 11 th International Conference Theme: e-Government &amp; National Security 24 th 26 th July, 2013 Public Key Infrastructure Taofeeq Olatinwo Harmony Worldwide Inc. www.harmonycanada.com www.hwwgs.com 25 th July

502 views • 19 slides
Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography Nadia

Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography Nadia

Finite field multiplication combining AMNS and DFT approach for Pairing Based Cryptography Nadia El Mrabet (1) and Christophe Negre (2) (1) Team Arith/LIRMM, Universit e Montpellier 2 (2) Team DALI/ELIAUS, Universit e de Perpignan

753 views • 49 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
What Is the Future of Computers? 1 Introduction Moore's Law states, that the number of

What Is the Future of Computers? 1 Introduction Moore's Law states, that the number of

What Is the Future of Computers? 1 Introduction Moore's Law states, that the number of transistors on a microprocessor double every 18 months. 2 Introduction The year 2020 or 2030 will find the circuits on a microprocessor measured on

336 views • 18 slides
iOS Security Data protection January 17, Tokyo iOS Meetup What is? It is a feature to protect

iOS Security Data protection January 17, Tokyo iOS Meetup What is? It is a feature to protect

iOS Security Data protection January 17, Tokyo iOS Meetup What is? It is a feature to protect data at rest and to make offline attacks difficult. iOS 4 DATA PROTECTION 101

713 views • 60 slides
C R P T A L Sammy Tbeile | Jaewan Bahk | Michail Oikonomou Carolina Almirola | Rahul Kapur

C R P T A L Sammy Tbeile | Jaewan Bahk | Michail Oikonomou Carolina Almirola | Rahul Kapur

C R P T A L Sammy Tbeile | Jaewan Bahk | Michail Oikonomou Carolina Almirola | Rahul Kapur Overview Motivation Combined interest in the fields of security and cryptography. No well-documented or straightforward languages/packages

161 views • 14 slides
2018 Annual General Meeting of Shareholders Andrew Harrison Chair WiseTech Global - FY18

2018 Annual General Meeting of Shareholders Andrew Harrison Chair WiseTech Global - FY18

2018 Annual General Meeting of Shareholders Andrew Harrison Chair WiseTech Global - FY18 financial highlights Delivered strong, high quality growth while expanding technology lead and global footprint LOW sales and LOW HIGH innovation HIGH

431 views • 22 slides
Capita The AA Ebay Centrica WPP Group Teradata Sky Lloyds Banking Group Channel 4 By

Capita The AA Ebay Centrica WPP Group Teradata Sky Lloyds Banking Group Channel 4 By

Capita The AA Ebay Centrica WPP Group Teradata Sky Lloyds Banking Group Channel 4 By 2015, 4.4 million IT jobs globally will be created to support Big Data. But there is a challenge. There is not enough talent in the industry. Therefore,

246 views • 14 slides

More recommend