verification of cryptographic protocols techniques tools
play

Verification of cryptographic protocols: techniques, tools and link - PowerPoint PPT Presentation

Feb 13, 2023 •134 likes •605 views

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of

  1. Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Véronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.1

  2. Context: cryptographic protocols • Widely used: web (SSH, SSL, ...), pay-per-view, electronic purse, mobile phone, ... • Should ensure: confidentiality authenticity integrity anonymity, ... French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.2

  3. Context: cryptographic protocols • Widely used: web (SSH, SSL, ...), pay-per-view, electronic purse, mobile phone, ... • Should ensure: confidentiality authenticity integrity anonymity, ... • Presence of an attacker − may read every message sent on the net, − may intercept and send new messages. French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.2

  4. Credit Card Payment Protocol • The waiter introduces the credit card. • The waiter enters the amount m of the transaction on the terminal. • The terminal authenticates the card. • The customer enters his secret code. If the amount m is greater than 100 euros (and in only 20% of the cases) − The terminal asks the bank for the authentication of the card. − The bank provides the authentication. French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.3

  5. More details 4 actors : the Bank, the Customer, the Card and Terminal. Bank owns • a signing key K − 1 B , secret, • a verification key K B , public, • a secret symmetric key for each credit card K CB , secret. Card owns • Data : last name, first name, card’s number, expiration date, • Signature’s Value V S = { hash ( Data ) } K − 1 B , • secret key K CB . Terminal owns the verification key K B for bank’s signatures. French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.4

  6. Credit card payment Protocol (in short) The terminal reads the card: 1 . → T : Data , { hash ( Data ) } K − 1 Ca B French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.5

  7. Credit card payment Protocol (in short) The terminal reads the card: 1 . → T : Data , { hash ( Data ) } K − 1 Ca B The terminal asks for the secret code: 2 . → Cu : secret code ? T 3 . → Ca : 1234 Cu 4 . → T : ok Ca French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.5

  8. Credit card payment Protocol (in short) The terminal reads the card: 1 . → T : Data , { hash ( Data ) } K − 1 Ca B The terminal asks for the secret code: 2 . → Cu : secret code ? T 3 . → Ca : 1234 Cu 4 . → T : ok Ca The terminal calls the bank: 5 . → B : auth ? T 6 . → T : N b B 7 . → Ca : N b T 8 . → T : { N b } K CB Ca 9 . → B : { N b } K CB T 10 . → T : ok B French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.5

  9. Some flaws The security was initially ensured by: • the cards were very difficult to reproduce, • the protocol and the keys were secret. But • cryptographic flaw: 320 bits keys can be broken (1988), • logical flaw: no link between the secret code and the authentication of the card, • fake cards can be build. French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.6

  10. Some flaws The security was initially ensured by: • the cards were very difficult to reproduce, • the protocol and the keys were secret. But • cryptographic flaw: 320 bits keys can be broken (1988), • logical flaw: no link between the secret code and the authentication of the card, • fake cards can be build. → “YesCard” build by Serge Humpich (1998). French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.6

  11. How does the “YesCard” work? Logical flaw 1 . → T : Data , { hash ( Data ) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . → Ca : 1234 Cu 4 . → T : ok Ca French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.7

  12. How does the “YesCard” work? Logical flaw 1 . → T : Data , { hash ( Data ) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . → Ca ′ : 2345 Cu 4 . Ca ′ → T : ok French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.7

  13. How does the “YesCard” work? Logical flaw 1 . → T : Data , { hash ( Data ) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . → Ca ′ : 2345 Cu 4 . Ca ′ → T : ok Remark: there is always somebody to debit. → creation of a fake card (Serge Humpich). French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.7

  14. How does the “YesCard” work? Logical flaw 1 . → T : Data , { hash ( Data ) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . → Ca ′ : 2345 Cu 4 . Ca ′ → T : ok Remark: there is always somebody to debit. → creation of a fake card (Serge Humpich). 1 . → T : XXX , { hash ( XXX ) } K − 1 Ca ′ B 2 . → Cu : secret code ? T 3 . → Ca ′ : 0000 Cu 4 . Ca ′ → T : ok French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.7

  15. Map 1. Formal approaches 2. Tools and case study 3. Link between formal approaches and cryptanalysis French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.8

  16. Formal approaches • Messages are abstracted using terms. These terms are build over a fixed signature. E.g., Σ = { < >, enc , dec , ... } . French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.9

  17. Formal approaches • Messages are abstracted using terms. These terms are build over a fixed signature. E.g., Σ = { < >, enc , dec , ... } . • The attacker can do symbolic manipulations on terms. S ⊢ � M 1 , M 2 � i = 1 , 2 S ⊢ k − 1 S ⊢ enc ( M, k ) S ⊢ M i S ⊢ M French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.9

  18. Formal approaches • Messages are abstracted using terms. These terms are build over a fixed signature. E.g., Σ = { < >, enc , dec , ... } . • The attacker can do symbolic manipulations on terms. S ⊢ � M 1 , M 2 � i = 1 , 2 S ⊢ k − 1 S ⊢ enc ( M, k ) S ⊢ M i S ⊢ M This approach allows to detect any logical attack that does not rely on weaknesses of the encryption algorithm. French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.9

  19. Protocol description Protocol: S ⊢ x → Ca : T N b S ⊢ { x } K CB → T : { N b } K CB Ca Secrecy properties: S ⊢ s ? French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.10

  20. Decidability and complexity results • In general, secrecy preservation is undecidable. • For a bounded number of sessions, secrecy is co-NP-complete [RusinowitchTuruani CSFW01] → constraint solving • For an unbounded number of sessions − for one-copy protocols, secrecy is DEXPTIME-complete [CortierComon RTA03] [SeildVerma LPAR04] → tree automata, resolution theorem proving − for message-length bounded protocols, secrecy is DEXPTIME-complete [Durgin et al FMSP99] [Chevalier et al CSL03] French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.11

  21. Adding algebraic operators Some cryptographic primitives have algebraic properties. x ⊕ ( y ⊕ z ) = ( x ⊕ y ) ⊕ z • XOR x ⊕ y = y ⊕ x x ⊕ x = 0 x ⊕ 0 = x French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.12

  22. Adding algebraic operators Some cryptographic primitives have algebraic properties. x ⊕ ( y ⊕ z ) = ( x ⊕ y ) ⊕ z • XOR x ⊕ y = y ⊕ x x ⊕ x = 0 x ⊕ 0 = x • Modular exponentiation exp ( exp ( g, x ) , y ) = exp ( g, x · y ) exp ( g, x · y ) = exp ( g, y · x ) French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.12

  23. Adding algebraic operators Some cryptographic primitives have algebraic properties. x ⊕ ( y ⊕ z ) = ( x ⊕ y ) ⊕ z • XOR x ⊕ y = y ⊕ x x ⊕ x = 0 x ⊕ 0 = x • Modular exponentiation exp ( exp ( g, x ) , y ) = exp ( g, x · y ) exp ( g, x · y ) = exp ( g, y · x ) • Homomorphism h ( x · y ) = h ( x ) · h ( y ) French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.12

  24. Adding algebraic operators Some cryptographic primitives have algebraic properties. x ⊕ ( y ⊕ z ) = ( x ⊕ y ) ⊕ z • XOR x ⊕ y = y ⊕ x x ⊕ x = 0 x ⊕ 0 = x • Modular exponentiation exp ( exp ( g, x ) , y ) = exp ( g, x · y ) exp ( g, x · y ) = exp ( g, y · x ) • Homomorphism h ( x · y ) = h ( x ) · h ( y ) → These properties are modeled using equational theories or by extending the intruder power. French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Introduction Formal models Adding equational theories Towards more guarantees Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/45 V eronique

785 views • 76 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018

1.23k views • 78 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Organization of the course Two

774 views • 74 slides
Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why it was created? Cryptographic protocol Paper in 2004 by Ian Goldberg , Nikita Borisov and Eric Brewer Conversations in the

299 views • 18 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE

Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE

Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE , Vanessa Terrade &amp; Sylvain Vigier Universit e Joseph

1.01k views • 49 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, July 12th, 2018 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure

849 views • 80 slides
Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday, June 29th, 2020 1/23 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure communication ( e.g.

900 views • 58 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

1.92k views • 139 slides
Desynchronisation of coupled bistable oscillators perturbed by additive white noise Joint work

Desynchronisation of coupled bistable oscillators perturbed by additive white noise Joint work

Numerics and Theory for Stochastic Evolution Equations University of Bielefeld, 2224 November 2006 Barbara Gentz, University of Bielefeld http://www.math.uni-bielefeld.de/ gentz Desynchronisation of coupled bistable oscillators perturbed

698 views • 49 slides
Limits and new directions in PID J. Vavra, SLAC Reach of the present PID techniques TRD e

Limits and new directions in PID J. Vavra, SLAC Reach of the present PID techniques TRD e

Limits and new directions in PID J. Vavra, SLAC Reach of the present PID techniques TRD e identification TOF dE/dx hadron identification RICH 10 3 10 4 10 0 10 -1 10 1 10 2 p [GeV/c] TOF &amp; dE/dx cover the lowest momentum

557 views • 40 slides
SAT Solvers for Queries over Tree Automata with Constraints Pierre-Cyrille Ham, Vincent Hugot,

SAT Solvers for Queries over Tree Automata with Constraints Pierre-Cyrille Ham, Vincent Hugot,

The SAT encoding Implementation and Experiments SAT Solvers for Queries over Tree Automata with Constraints Pierre-Cyrille Ham, Vincent Hugot, Olga Kouchnarenko {pcheam,okouchnarenko}@lifc.univ-fcomte.fr, vhugot@edu.univ-fcomte.fr

882 views • 59 slides
Verification of Safety Properties in Presence of Transactions Bernhard Beckert Reiner Hhnle

Verification of Safety Properties in Presence of Transactions Bernhard Beckert Reiner Hhnle

Verification of Safety Properties in Presence of Transactions Bernhard Beckert Reiner Hhnle Wojciech Mostowski Chalmers University of Technology http://www.key-project.org/ Cassis 2004 Marseille, March 2004 Cassis 2004 p.1

527 views • 29 slides
Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008

Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008

Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008 Timothe Martiel Research Topics in Software Engineering 1 / 19 Outline 1 From Separation Logic to Inheritance 2 Beyond Separation Logic 3 What About

553 views • 24 slides
Resource Guarantees and PCC 50 ways* to say it with a proof Ian Stark Laboratory for Foundations

Resource Guarantees and PCC 50 ways* to say it with a proof Ian Stark Laboratory for Foundations

Resource Guarantees and PCC 50 ways* to say it with a proof Ian Stark Laboratory for Foundations of Computer Science School of Informatics The University of Edinburgh Proof Carrying Code workshop Friday 11 August 2006

469 views • 36 slides
On Securely Manipulating XML Data Houari Mahfoud and Abdessamad Imine Houari Mahfoud and

On Securely Manipulating XML Data Houari Mahfoud and Abdessamad Imine Houari Mahfoud and

On Securely Manipulating XML Data Houari Mahfoud and Abdessamad Imine Houari Mahfoud and Abdessamad Imine CASSIS Team CASSIS Team INRIA-LORIA Grand-Est, Nancy, France INRIA-LORIA Grand-Est, Nancy, France 5TH INTERNATIONAL SYMPOSIUM ON

905 views • 30 slides
Z3 - a Tutorial Leonardo de Moura Nikolaj Bjrner Microsoft Research Microsoft Research

Z3 - a Tutorial Leonardo de Moura Nikolaj Bjrner Microsoft Research Microsoft Research

Z3 - a Tutorial Leonardo de Moura Nikolaj Bjrner Microsoft Research Microsoft Research leonardo@microsoft.com nbjorner@microsoft.com Abstract This tutorial introduces the use of the state-of-the-art Satisfiability Modulo Theories Solver

1k views • 61 slides

More recommend