verification of security protocols from confidentiality
play

Verification of security protocols from confidentiality to privacy - PowerPoint PPT Presentation

Nov 12, 2022 •246 likes •1.49k views

Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, August 26th, 2015 S. Delaune (LSV) Verification of security protocols 26th August 2015 1 / 54 This talk:

  1. Going back to the Needham-Schroeder’s protocol Role A played by a with the attacker c : new n a . out ( { a , n a } pub ( c ) ) . in ( { n a , x n b } pub ( a ) ) . out ( { x n b } pub ( c ) ) 1 4 5 Role B played by b (apparently) with a : in ( { a , y n a } pub ( b ) ) . new n b . out ( { y n a , n b } pub ( a ) ) 2 3 Constraint system: (secrecy of n b ) with T 0 = { a , b , c , priv ( c ) } : ? T 0 , { a , n a } pub ( c ) ⊢ { a , y n a } pub ( b ) S. Delaune (LSV) Verification of security protocols 26th August 2015 12 / 54

  2. Going back to the Needham-Schroeder’s protocol Role A played by a with the attacker c : new n a . out ( { a , n a } pub ( c ) ) . in ( { n a , x n b } pub ( a ) ) . out ( { x n b } pub ( c ) ) 1 4 5 Role B played by b (apparently) with a : in ( { a , y n a } pub ( b ) ) . new n b . out ( { y n a , n b } pub ( a ) ) 2 3 Constraint system: (secrecy of n b ) with T 0 = { a , b , c , priv ( c ) } : ? T 0 , { a , n a } pub ( c ) ⊢ { a , y n a } pub ( b ) T 0 , { a , n a } pub ( c ) , { y n a , n b } pub ( a ) S. Delaune (LSV) Verification of security protocols 26th August 2015 12 / 54

  3. Going back to the Needham-Schroeder’s protocol Role A played by a with the attacker c : new n a . out ( { a , n a } pub ( c ) ) . in ( { n a , x n b } pub ( a ) ) . out ( { x n b } pub ( c ) ) 1 4 5 Role B played by b (apparently) with a : in ( { a , y n a } pub ( b ) ) . new n b . out ( { y n a , n b } pub ( a ) ) 2 3 Constraint system: (secrecy of n b ) with T 0 = { a , b , c , priv ( c ) } : ? T 0 , { a , n a } pub ( c ) ⊢ { a , y n a } pub ( b ) ? T 0 , { a , n a } pub ( c ) , { y n a , n b } pub ( a ) ⊢ { n a , x n b } pub ( a ) S. Delaune (LSV) Verification of security protocols 26th August 2015 12 / 54

  4. Going back to the Needham-Schroeder’s protocol Role A played by a with the attacker c : new n a . out ( { a , n a } pub ( c ) ) . in ( { n a , x n b } pub ( a ) ) . out ( { x n b } pub ( c ) ) 1 4 5 Role B played by b (apparently) with a : in ( { a , y n a } pub ( b ) ) . new n b . out ( { y n a , n b } pub ( a ) ) 2 3 Constraint system: (secrecy of n b ) with T 0 = { a , b , c , priv ( c ) } : ? T 0 , { a , n a } pub ( c ) ⊢ { a , y n a } pub ( b ) ? T 0 , { a , n a } pub ( c ) , { y n a , n b } pub ( a ) ⊢ { n a , x n b } pub ( a ) T 0 , { a , n a } pub ( c ) , { y n a , n b } pub ( a ) , { x n b } pub ( c ) S. Delaune (LSV) Verification of security protocols 26th August 2015 12 / 54

  5. Going back to the Needham-Schroeder’s protocol Role A played by a with the attacker c : new n a . out ( { a , n a } pub ( c ) ) . in ( { n a , x n b } pub ( a ) ) . out ( { x n b } pub ( c ) ) Role B played by b (apparently) with a : in ( { a , y n a } pub ( b ) ) . new n b . out ( { y n a , n b } pub ( a ) ) Constraint system: (secrecy of n b ) with T 0 = { a , b , c , priv ( c ) } : ? T 0 , { a , n a } pub ( c ) ⊢ { a , y n a } pub ( b ) ? T 0 , { a , n a } pub ( c ) , { y n a , n b } pub ( a ) ⊢ { n a , x n b } pub ( a ) ? T 0 , { a , n a } pub ( c ) , { y n a , n b } pub ( a ) , { x n b } pub ( c ) ⊢ n b S. Delaune (LSV) Verification of security protocols 26th August 2015 12 / 54

  6. Going back to the Needham-Schroeder’s protocol Role A played by a with the attacker c : new n a . out ( { a , n a } pub ( c ) ) . in ( { n a , x n b } pub ( a ) ) . out ( { x n b } pub ( c ) ) Role B played by b (apparently) with a : in ( { a , y n a } pub ( b ) ) . new n b . out ( { y n a , n b } pub ( a ) ) Constraint system: (secrecy of n b ) with T 0 = { a , b , c , priv ( c ) } : ? T 0 , { a , n a } pub ( c ) ⊢ { a , y n a } pub ( b ) ? T 0 , { a , n a } pub ( c ) , { y n a , n b } pub ( a ) ⊢ { n a , x n b } pub ( a ) ? T 0 , { a , n a } pub ( c ) , { y n a , n b } pub ( a ) , { x n b } pub ( c ) ⊢ n b Does this constraint system have a solution? S. Delaune (LSV) Verification of security protocols 26th August 2015 12 / 54

  7. Going back to the Needham-Schroeder’s protocol Role A played by a with the attacker c : new n a . out ( { a , n a } pub ( c ) ) . in ( { n a , x n b } pub ( a ) ) . out ( { x n b } pub ( c ) ) Role B played by b (apparently) with a : in ( { a , y n a } pub ( b ) ) . new n b . out ( { y n a , n b } pub ( a ) ) Constraint system: (secrecy of n b ) with T 0 = { a , b , c , priv ( c ) } : ? T 0 , { a , n a } pub ( c ) ⊢ { a , y n a } pub ( b ) ? T 0 , { a , n a } pub ( c ) , { y n a , n b } pub ( a ) ⊢ { n a , x n b } pub ( a ) ? T 0 , { a , n a } pub ( c ) , { y n a , n b } pub ( a ) , { x n b } pub ( c ) ⊢ n b Does this constraint system have a solution? − → Yes ! σ = { y a �→ a , y n a �→ n a , x n b �→ n b } S. Delaune (LSV) Verification of security protocols 26th August 2015 12 / 54

  8. Going back to the Denning Sacco protocol A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) One possible interleaving: out ( aenc ( sign ( k , ska ) , pk ( skc ))) in ( aenc ( sign ( x , ska ) , pk ( skb ))); out ( senc ( s , x )) S. Delaune (LSV) Verification of security protocols 26th August 2015 13 / 54

  9. Going back to the Denning Sacco protocol A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) One possible interleaving: out ( aenc ( sign ( k , ska ) , pk ( skc ))) in ( aenc ( sign ( x , ska ) , pk ( skb ))); out ( senc ( s , x )) The associated constraint system is: ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ aenc ( sign ( x , ska ) , pk ( skb )) ? ⊢ T 0 ; aenc ( sign ( k , ska ) , pk ( skc )); senc ( s , x ) s with T 0 = { pk ( ska ) , pk ( skb ); skc } . S. Delaune (LSV) Verification of security protocols 26th August 2015 13 / 54

  10. Going back to the Denning Sacco protocol A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) One possible interleaving: out ( aenc ( sign ( k , ska ) , pk ( skc ))) in ( aenc ( sign ( x , ska ) , pk ( skb ))); out ( senc ( s , x )) The associated constraint system is: ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ aenc ( sign ( x , ska ) , pk ( skb )) ? ⊢ T 0 ; aenc ( sign ( k , ska ) , pk ( skc )); senc ( s , x ) s with T 0 = { pk ( ska ) , pk ( skb ); skc } . Does this constraint system have a solution? S. Delaune (LSV) Verification of security protocols 26th August 2015 13 / 54

  11. Going back to the Denning Sacco protocol A → B : aenc ( sign ( k , priv ( A )) , pub ( B )) B → A : senc ( s , k ) One possible interleaving: out ( aenc ( sign ( k , ska ) , pk ( skc ))) in ( aenc ( sign ( x , ska ) , pk ( skb ))); out ( senc ( s , x )) The associated constraint system is: ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ aenc ( sign ( x , ska ) , pk ( skb )) ? ⊢ T 0 ; aenc ( sign ( k , ska ) , pk ( skc )); senc ( s , x ) s with T 0 = { pk ( ska ) , pk ( skb ); skc } . Does this constraint system have a solution? x → k Yes ! S. Delaune (LSV) Verification of security protocols 26th August 2015 13 / 54

  12. The general case: is the constraint system C satisfiable? Main idea: simplify them until reaching ⊥ or solved forms Constraint system in solved form ?  T 0 ⊢ x 0     ?   T 0 ∪ T 1 ⊢ x 1 C = ...    ?   T 0 ∪ T 1 . . . ∪ T n ⊢ x n  Question Is there a solution to such a system ? S. Delaune (LSV) Verification of security protocols 26th August 2015 14 / 54

  13. The general case: is the constraint system C satisfiable? Main idea: simplify them until reaching ⊥ or solved forms Constraint system in solved form ?  T 0 ⊢ x 0     ?   T 0 ∪ T 1 ⊢ x 1 C = ...    ?   T 0 ∪ T 1 . . . ∪ T n ⊢ x n  Question Is there a solution to such a system ? Of course, yes ! Choose u 0 ∈ T 0 , and consider the substitution: σ = { x 0 �→ u 0 , . . . , x n �→ u 0 } S. Delaune (LSV) Verification of security protocols 26th August 2015 14 / 54

  14. Simplification rules − → these rules deal with pairs and symmetric encryption only ? if T ∪ { x | T ′ ? ⊢ x ∈ C , T ′ � T } ⊢ u C ∧ T ⊢ u C R ax : � ? ? R unif : C ∧ T ⊢ u C σ ∧ T σ ⊢ u σ � σ if σ = mgu ( t 1 , t 2 ) where t 1 , t 2 ∈ st ( T ) ∪ { u } ? R fail : C ∧ T ⊢ u ⊥ if vars ( T ∪ { u } ) = ∅ and T �⊢ u � ? ? ? R f : C ∧ T ⊢ f ( u 1 , u 2 ) � C ∧ T ⊢ u 1 ∧ T ⊢ u 2 f ∈ {�� , senc } S. Delaune (LSV) Verification of security protocols 26th August 2015 15 / 54

  15. Applying rule R f ? ? ? R f : C ∧ T ⊢ f ( u 1 , u 2 ) � C ∧ T ⊢ u 1 ∧ T ⊢ u 2 Example: ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ aenc ( sign ( x , ska ) , pk ( skb )) S. Delaune (LSV) Verification of security protocols 26th August 2015 16 / 54

  16. Applying rule R f ? ? ? R f : C ∧ T ⊢ f ( u 1 , u 2 ) � C ∧ T ⊢ u 1 ∧ T ⊢ u 2 Example: ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ aenc ( sign ( x , ska ) , pk ( skb ))  ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ sign ( x , ska )  � ? ⊢ T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) pk ( skb )  S. Delaune (LSV) Verification of security protocols 26th August 2015 16 / 54

  17. Applying rule R unif ? ? R unif : C ∧ T ⊢ u C σ ∧ T σ ⊢ u σ � σ if σ = mgu ( t 1 , t 2 ) where t 1 , t 2 ∈ st ( T ) ∪ { u } Example:  ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ sign ( x , ska )  ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ pk ( skb )  S. Delaune (LSV) Verification of security protocols 26th August 2015 17 / 54

  18. Applying rule R unif ? ? R unif : C ∧ T ⊢ u C σ ∧ T σ ⊢ u σ � σ if σ = mgu ( t 1 , t 2 ) where t 1 , t 2 ∈ st ( T ) ∪ { u } Example:  ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ sign ( x , ska )  ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ pk ( skb )   ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ sign ( k , ska )  � ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ pk ( skb )  S. Delaune (LSV) Verification of security protocols 26th August 2015 17 / 54

  19. Applying rule R ax ? if T ∪ { x | T ′ ? ⊢ x ∈ C , T ′ � T } ⊢ u R ax : C ∧ T ⊢ u C � Example: (assuming that skc and pk ( skb ) are in T 0 )  ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ sign ( k , ska )  ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ pk ( skb )  S. Delaune (LSV) Verification of security protocols 26th August 2015 18 / 54

  20. Applying rule R ax ? if T ∪ { x | T ′ ? ⊢ x ∈ C , T ′ � T } ⊢ u R ax : C ∧ T ⊢ u C � Example: (assuming that skc and pk ( skb ) are in T 0 )  ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ sign ( k , ska )  ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ pk ( skb )  � ? � T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ sign ( k , ska ) S. Delaune (LSV) Verification of security protocols 26th August 2015 18 / 54

  21. Applying rule R ax ? if T ∪ { x | T ′ ? ⊢ x ∈ C , T ′ � T } ⊢ u R ax : C ∧ T ⊢ u C � Example: (assuming that skc and pk ( skb ) are in T 0 )  ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ sign ( k , ska )  ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ pk ( skb )  � ? � T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) ⊢ sign ( k , ska ) ∅ (empty constraint system) � S. Delaune (LSV) Verification of security protocols 26th August 2015 18 / 54

  22. Exercice - still about the Denning Sacco protocol Exercise Reach a solved form starting with the constraint system: ? ⊢ T 0 ; aenc ( sign ( k , ska ) , pk ( skc )) aenc ( sign ( x , ska ) , pk ( skb )) ? T 0 ; aenc ( sign ( k , ska ) , pk ( skc )); senc ( s , x ) ⊢ s S. Delaune (LSV) Verification of security protocols 26th August 2015 19 / 54

  23. Results on the simplification rules ? if T ∪ { x | T ′ ? ⊢ x ∈ C , T ′ � T } ⊢ u R ax : C ∧ T ⊢ u C � ? ? R unif : C ∧ T ⊢ u C σ ∧ T σ ⊢ u σ � σ if σ = mgu ( t 1 , t 2 ) where t 1 , t 2 ∈ st ( T ) ∪ { u } ? R fail : C ∧ T ⊢ u ⊥ if vars ( T ∪ { u } ) = ∅ and T �⊢ u � ? ? ? R f : C ∧ T ⊢ f ( u 1 , u 2 ) � C ∧ T ⊢ u 1 ∧ T ⊢ u 2 f ∈ {�� , senc } Given a (well-formed) constraint system C : Soundness σ C ′ and θ solution of C ′ then σθ is a solution of C . If C � ∗ − → easy to show S. Delaune (LSV) Verification of security protocols 26th August 2015 20 / 54

  24. Results on the simplification rules ? if T ∪ { x | T ′ ? ⊢ x ∈ C , T ′ � T } ⊢ u R ax : C ∧ T ⊢ u C � ? ? R unif : C ∧ T ⊢ u C σ ∧ T σ ⊢ u σ � σ if σ = mgu ( t 1 , t 2 ) where t 1 , t 2 ∈ st ( T ) ∪ { u } ? R fail : C ∧ T ⊢ u ⊥ if vars ( T ∪ { u } ) = ∅ and T �⊢ u � ? ? ? R f : C ∧ T ⊢ f ( u 1 , u 2 ) � C ∧ T ⊢ u 1 ∧ T ⊢ u 2 f ∈ {�� , senc } Given a (well-formed) constraint system C : Termination There is no infinite chain C � σ 1 C 1 . . . � σ n C n . − → using the lexicographic order (number of var, size of rhs) S. Delaune (LSV) Verification of security protocols 26th August 2015 20 / 54

  25. Results on the simplification rules ? if T ∪ { x | T ′ ? ⊢ x ∈ C , T ′ � T } ⊢ u R ax : C ∧ T ⊢ u C � ? ? R unif : C ∧ T ⊢ u C σ ∧ T σ ⊢ u σ � σ if σ = mgu ( t 1 , t 2 ) where t 1 , t 2 ∈ st ( T ) ∪ { u } ? R fail : C ∧ T ⊢ u ⊥ if vars ( T ∪ { u } ) = ∅ and T �⊢ u � ? ? ? R f : C ∧ T ⊢ f ( u 1 , u 2 ) � C ∧ T ⊢ u 1 ∧ T ⊢ u 2 f ∈ {�� , senc } Given a (well-formed) constraint system C : Completeness If θ is a solution of C then there exists C ′ and θ ′ such that C � ∗ σ C ′ , θ ′ is a solution of C ′ , and θ = σθ ′ . − → more involved to show S. Delaune (LSV) Verification of security protocols 26th August 2015 20 / 54

  26. Procedure for solving a constraint system Main idea of the procedure:  ? ⊢ T 0 u 1    ?   C = T 0 , v 1 ⊢ u 2  . . .  ?    T 0 , v 1 , . . . , v n ⊢ s C 1 C 2 C 3 C 4 ⊥ solved ⊥ − → this gives us a symbolic representation of all the solutions. S. Delaune (LSV) Verification of security protocols 26th August 2015 21 / 54

  27. Main result Theorem Deciding confidentiality for a bounded number of sessions is decidable for classical primitives (actually in co-NP). Exercise: NP-hardness can be shown by encoding 3-SAT S. Delaune (LSV) Verification of security protocols 26th August 2015 22 / 54

  28. Main result Theorem Deciding confidentiality for a bounded number of sessions is decidable for classical primitives (actually in co-NP). Exercise: NP-hardness can be shown by encoding 3-SAT Some extensions that already exist: 1 disequality tests (protocol with else branches) 2 more primitives: asymmetric encryption, blind signature, exclusive-or, . . . S. Delaune (LSV) Verification of security protocols 26th August 2015 22 / 54

  29. Avantssar platform This approach has been implemented in the Avantssar Platform. http://www.avantssar.eu − → Typically concludes within few seconds over the flawed protocols of the Clark/Jacob library . S. Delaune (LSV) Verification of security protocols 26th August 2015 23 / 54

  30. Part II Equivalence-based security properties S. Delaune (LSV) Verification of security protocols 26th August 2015 24 / 54

  31. Electronic passport − → studied in [Arapinis et al. , 10] An electronic passport is a passport with an RFID tag embedded in it. The RFID tag stores: the information printed on your passport, a JPEG copy of your picture. S. Delaune (LSV) Verification of security protocols 26th August 2015 25 / 54

  32. Electronic passport − → studied in [Arapinis et al. , 10] An electronic passport is a passport with an RFID tag embedded in it. The RFID tag stores: the information printed on your passport, a JPEG copy of your picture. The Basic Access Control (BAC) protocol is a key establishment protocol that has been designed to also ensure unlinkability. ISO/IEC standard 15408 Unlinkability aims to ensure that a user may make multiple uses of a service or resource without others being able to link these uses together . S. Delaune (LSV) Verification of security protocols 26th August 2015 25 / 54

  33. BAC protocol Passport Reader ( K E , K M ) ( K E , K M ) S. Delaune (LSV) Verification of security protocols 26th August 2015 26 / 54

  34. BAC protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge S. Delaune (LSV) Verification of security protocols 26th August 2015 26 / 54

  35. BAC protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P S. Delaune (LSV) Verification of security protocols 26th August 2015 26 / 54

  36. BAC protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) S. Delaune (LSV) Verification of security protocols 26th August 2015 26 / 54

  37. BAC protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) { N P , N R , K P } KE , MAC KM ( { N P , N R , K P } KE ) S. Delaune (LSV) Verification of security protocols 26th August 2015 26 / 54

  38. BAC protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) { N P , N R , K P } KE , MAC KM ( { N P , N R , K P } KE ) K seed = K P ⊕ K R K seed = K P ⊕ K R S. Delaune (LSV) Verification of security protocols 26th August 2015 26 / 54

  39. BAC protocol as a process Cryptographic primitives are modelled using function symbols encryption/decryption: senc / 2, sdec / 2 concatenation/projections: � , � / 2, proj 1 / 1, proj 2 / 1 mac construction: mac / 2 − → proj 1 ( � x , y � ) = x , proj 2 ( � x , y � ) = y . sdec ( senc ( x , y ) , y ) = x , Nonces n r , n p , and keys k r , k p , k e , k m are modelled using names S. Delaune (LSV) Verification of security protocols 26th August 2015 27 / 54

  40. BAC protocol as a process Cryptographic primitives are modelled using function symbols encryption/decryption: senc / 2, sdec / 2 concatenation/projections: � , � / 2, proj 1 / 1, proj 2 / 1 mac construction: mac / 2 − → proj 1 ( � x , y � ) = x , proj 2 ( � x , y � ) = y . sdec ( senc ( x , y ) , y ) = x , Nonces n r , n p , and keys k r , k p , k e , k m are modelled using names Modelling Passport’s role P BAC ( k E , k M ) = new n P . new k P . out ( n P ) . in ( � z E , z M � ) . if z M = mac ( z E , k M ) then if n P = proj 1 ( proj 2 ( sdec ( z E , k E ))) then out ( � m , mac ( m , k M ) � ) else 0 else 0 where m = senc ( � n P , � proj 1 ( z E ) , k P �� , k E ) . S. Delaune (LSV) Verification of security protocols 26th August 2015 27 / 54

  41. What does unlinkability mean? Informally, an observer/attacker can not observe the difference between the two following situations: 1 a situation where the same passport may be used twice (or even more); 2 a situation where each passport is used at most once. S. Delaune (LSV) Verification of security protocols 26th August 2015 28 / 54

  42. What does unlinkability mean? Informally, an observer/attacker can not observe the difference between the two following situations: 1 a situation where the same passport may be used twice (or even more); 2 a situation where each passport is used at most once. More formally, ? ! new ke . new km . (! P BAC | ! R BAC ) ≈ ! new ke . new km . ( P BAC | ! R BAC ) ↑ ↑ many sessions only one session for each passport for each passport (we still have to formalize the notion of equivalence) S. Delaune (LSV) Verification of security protocols 26th August 2015 28 / 54

  43. Security properties - privacy Privacy-type properties are modelled as equivalence-based properties testing equivalence between P and Q , P ≈ Q for all processes A , we have that: ( A | P ) ⇓ c if, and only if, ( A | Q ) ⇓ c where R ⇓ c means that R can evolve and emits on public channel c . S. Delaune (LSV) Verification of security protocols 26th August 2015 29 / 54

  44. Security properties - privacy Privacy-type properties are modelled as equivalence-based properties testing equivalence between P and Q , P ≈ Q for all processes A , we have that: ( A | P ) ⇓ c if, and only if, ( A | Q ) ⇓ c where R ⇓ c means that R can evolve and emits on public channel c . ? Example 1: out ( a , s ) ≈ out ( a , s ′ ) S. Delaune (LSV) Verification of security protocols 26th August 2015 29 / 54

  45. Security properties - privacy Privacy-type properties are modelled as equivalence-based properties testing equivalence between P and Q , P ≈ Q for all processes A , we have that: ( A | P ) ⇓ c if, and only if, ( A | Q ) ⇓ c where R ⇓ c means that R can evolve and emits on public channel c . Example 1: out ( a , s ) �≈ out ( a , s ′ ) − → A = in ( a , x ) . if x = s then out ( c , ok ) S. Delaune (LSV) Verification of security protocols 26th August 2015 29 / 54

  46. Security properties - privacy Privacy-type properties are modelled as equivalence-based properties testing equivalence between P and Q , P ≈ Q for all processes A , we have that: ( A | P ) ⇓ c if, and only if, ( A | Q ) ⇓ c where R ⇓ c means that R can evolve and emits on public channel c . Example 2: new s . out ( a , senc ( s , k )) . out ( a , senc ( s , k ′ )) ? ≈ new s , s ′ . out ( a , senc ( s , k )) . out ( a , senc ( s ′ , k ′ )) S. Delaune (LSV) Verification of security protocols 26th August 2015 29 / 54

  47. Security properties - privacy Privacy-type properties are modelled as equivalence-based properties testing equivalence between P and Q , P ≈ Q for all processes A , we have that: ( A | P ) ⇓ c if, and only if, ( A | Q ) ⇓ c where R ⇓ c means that R can evolve and emits on public channel c . Example 2: new s . out ( a , senc ( s , k )) . out ( a , senc ( s , k ′ )) �≈ new s , s ′ . out ( a , senc ( s , k )) . out ( a , senc ( s ′ , k ′ )) − → A = in ( a , x ) . in ( a , y ) . if ( sdec ( x , k ) = sdec ( y , k ′ )) then out ( c , ok ) S. Delaune (LSV) Verification of security protocols 26th August 2015 29 / 54

  48. Security properties - privacy Privacy-type properties are modelled as equivalence-based properties testing equivalence between P and Q , P ≈ Q for all processes A , we have that: ( A | P ) ⇓ c if, and only if, ( A | Q ) ⇓ c where R ⇓ c means that R can evolve and emits on public channel c . Exercise: Are the two following processes in testing equivalence? ? new s . out ( a , s ) ≈ new s . new k . out ( a , enc ( s , k )) S. Delaune (LSV) Verification of security protocols 26th August 2015 29 / 54

  49. French electronic passport − → the passport must reply to all received messages. Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) S. Delaune (LSV) Verification of security protocols 26th August 2015 30 / 54

  50. French electronic passport − → the passport must reply to all received messages. Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) If MAC check fails mac_error S. Delaune (LSV) Verification of security protocols 26th August 2015 30 / 54

  51. French electronic passport − → the passport must reply to all received messages. Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) If MAC check succeeds If nonce check fails nonce_error S. Delaune (LSV) Verification of security protocols 26th August 2015 30 / 54

  52. BAC protocol (French version) as a process Cryptographic primitives are modelled as usual using function symbols − → proj 1 ( � x , y � ) = x , proj 2 ( � x , y � ) = y . sdec ( senc ( x , y ) , y ) = x , Nonces n r , n p , and keys k r , k p , k e , k m are modelled using names Error messages are modelled using constants mac _ error and nonce _ error . S. Delaune (LSV) Verification of security protocols 26th August 2015 31 / 54

  53. BAC protocol (French version) as a process Cryptographic primitives are modelled as usual using function symbols − → proj 1 ( � x , y � ) = x , proj 2 ( � x , y � ) = y . sdec ( senc ( x , y ) , y ) = x , Nonces n r , n p , and keys k r , k p , k e , k m are modelled using names Error messages are modelled using constants mac _ error and nonce _ error . Modelling Passport’s role P BAC ( k E , k M ) = new n P . new k P . out ( n P ) . in ( � z E , z M � ) . if z M = mac ( z E , k M ) then if n P = proj 1 ( proj 2 ( sdec ( z E , k E ))) then out ( � m , mac ( m , k M ) � ) else out ( nonce _ error ) else out ( mac _ error ) where m = senc ( � n P , � proj 1 ( z E ) , k P �� , k E ) . S. Delaune (LSV) Verification of security protocols 26th August 2015 31 / 54

  54. An attack on the French passport Attack against unlinkability [Chothia & Smirnov, 10] An attacker can track a French passport, provided he has once witnessed a successful authentication. S. Delaune (LSV) Verification of security protocols 26th August 2015 32 / 54

  55. An attack on the French passport Attack against unlinkability [Chothia & Smirnov, 10] An attacker can track a French passport, provided he has once witnessed a successful authentication. Part 1 of the attack. The attacker eavesdropes on Alice using her passport and records message M . Alice’s Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R = { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) M S. Delaune (LSV) Verification of security protocols 26th August 2015 32 / 54

  56. An attack on the French passport Part 2 of the attack. The attacker replays the message M and checks the error code he receives. ???? ’s Passport Attacker ( K ′ E , K ′ M ) get_challenge N ′ P , K ′ P N ′ P M = { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) S. Delaune (LSV) Verification of security protocols 26th August 2015 32 / 54

  57. An attack on the French passport Part 2 of the attack. The attacker replays the message M and checks the error code he receives. ???? ’s Passport Attacker ( K ′ E , K ′ M ) get_challenge N ′ P , K ′ P N ′ P M = { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) mac_error = ⇒ MAC check failed = ⇒ K ′ M � = K M = ⇒ ???? is not Alice S. Delaune (LSV) Verification of security protocols 26th August 2015 32 / 54

  58. An attack on the French passport Part 2 of the attack. The attacker replays the message M and checks the error code he receives. ???? ’s Passport Attacker ( K ′ E , K ′ M ) get_challenge N ′ P , K ′ P N ′ P M = { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) nonce_error = ⇒ MAC check succeeded = ⇒ K ′ M = K M = ⇒ ???? is Alice S. Delaune (LSV) Verification of security protocols 26th August 2015 32 / 54

  59. An attack on the French passport Attack ! The equivalence does not hold: P same �≈ P diff . More formally, def P same =! new ke . new km . (! P BAC | ! R BAC ) �≈ def P diff =! new ke . new km . ( P BAC | ! R BAC ) S. Delaune (LSV) Verification of security protocols 26th August 2015 33 / 54

  60. An attack on the French passport Attack ! The equivalence does not hold: P same �≈ P diff . More formally, def P same =! new ke . new km . (! P BAC | ! R BAC ) �≈ def P diff =! new ke . new km . ( P BAC | ! R BAC ) Exercise: Exhibit the process A that witnesses the fact that these two processes are not in testing equivalence. S. Delaune (LSV) Verification of security protocols 26th August 2015 33 / 54

  61. An attack on the French passport Attack ! The equivalence does not hold: P same �≈ P diff . More formally, def P same =! new ke . new km . (! P BAC | ! R BAC ) �≈ def P diff =! new ke . new km . ( P BAC | ! R BAC ) Exercise: Exhibit the process A that witnesses the fact that these two processes are not in testing equivalence. − → A = in ( c , x ) . out ( c , x ) . in ( c , y ) . if y = nonce_error then out ( ok , _ ) S. Delaune (LSV) Verification of security protocols 26th August 2015 33 / 54

  62. Some other equivalence-based security properties The notion of testing equivalence can be used to express: Vote privacy the fact that a particular voted in a particular way is not revealed to anyone Strong secrecy the fact that an adversary cannot see any difference when the value of the secret changes − → stronger than the notion of secrecy as non-deducibility. Guessing attack the fact that an adversary can not learn the value of passwords even if he knows that they have been choosen in a particular dictionary. S. Delaune (LSV) Verification of security protocols 26th August 2015 34 / 54

  63. State of the art in a nutshell (1/2) for analysing equivalence-based security properties for an unbounded number of sessions S. Delaune (LSV) Verification of security protocols 26th August 2015 35 / 54

  64. State of the art in a nutshell (1/2) for analysing equivalence-based security properties for an unbounded number of sessions undecidable in general even for some fragment for which confidentiality is decidable [Chrétien, Cortier & D., 13] some recent decidability results for some restricted fragment e.g. tagged protocol, no nonces, a particular set of primitives .. . [Chrétien, Cortier & D., Icalp’13, Concur’14, CSF’15] ProVerif: a tool that does not correspond to any decidability result for analysing the notion of diff-equivalence (too strong) [Blanchet, Abadi & Fournet, 05] None of these results is suitable to to analyse vote-privacy, or unlinkability of the BAC protocol. S. Delaune (LSV) Verification of security protocols 26th August 2015 35 / 54

  65. State of the art in a nutshell (2/2) for analysing equivalence-based security properties for a bounded number of sessions S. Delaune (LSV) Verification of security protocols 26th August 2015 36 / 54

  66. State of the art in a nutshell (2/2) for analysing equivalence-based security properties for a bounded number of sessions A “recent” result [Cheval, Comon & D., 11] A procedure for deciding testing equivalence for a large class of processes for a bounded number of sessions. Our class of processes: + non-trivial else branches, private channels, and non-deterministic choice; – a fixed set of cryptographic primitives (signature, encryption, hash function, mac). Similar results (for different classes of processes) have been obtained by [Baudet, 05], [Dawson& Tiu, 10], [Chevalier & Rusinowitch, 10], . . . S. Delaune (LSV) Verification of security protocols 26th August 2015 36 / 54

  67. Privacy using the constraint solving approach Two main steps: 1 A symbolic exploration of all the possible traces The infinite number of possible traces ( i.e. experiment) are represented by a finite set of constraint systems − → this set can be huge (exponential on the number of sessions) ! 2 A decision procedure for deciding (symbolic) equivalence between sets of constraint systems − → this algorithm works quite well S. Delaune (LSV) Verification of security protocols 26th August 2015 37 / 54

  68. Deciding symbolic equivalence Main idea: We rewrite pairs (Σ , Σ ′ ) of sets of constraint systems (extended to keep track of some information) until a trivial failure or a trivial success is found. (Σ , Σ ′ ) (Σ 1 , Σ ′ (Σ 2 , Σ ′ 1 ) 2 ) ( ⊥ , ⊥ ) (Σ 3 , Σ ′ ( ⊥ ,solved) 3 ) (solved,solved) S. Delaune (LSV) Verification of security protocols 26th August 2015 38 / 54

  69. Results on the simplification rules Termination Applying blindly the simplification rules does not terminate but there is a particular strategy S that allows us to ensure termination. Soundness/Completeness Let (Σ 0 , Σ ′ 0 ) be pair of sets of constraint systems, and consider a binary tree obtained by applying our simplification rule following a strategy S . 1 soundness: If all leaves of the tree are labeled with ( ⊥ , ⊥ ) or ( solved , solved ) , then Σ 0 ≈ s Σ ′ 0 . 2 completeness: if Σ 0 ≈ s Σ ′ 0 , then all leaves of the tree are labeled with ( ⊥ , ⊥ ) or ( solved , solved ) . Theorem Deciding testing equivalence between processes without replication for classical primitives is decidable. S. Delaune (LSV) Verification of security protocols 26th August 2015 39 / 54

  70. APTE- Algorithm for Proving Testing Equivalence http://projects.lsv.ens-cachan.fr/APTE (Ocaml - 12 KLocs) − → developed by Vincent Cheval [Cheval, TACAS’14] S. Delaune (LSV) Verification of security protocols 26th August 2015 40 / 54

  71. APTE- Algorithm for Proving Testing Equivalence http://projects.lsv.ens-cachan.fr/APTE (Ocaml - 12 KLocs) − → developed by Vincent Cheval [Cheval, TACAS’14] − → but a limited practical impact because it scales badly S. Delaune (LSV) Verification of security protocols 26th August 2015 40 / 54

  72. Partial order reduction for security protocols part of the PhD thesis of L. Hirschi Main objective to develop POR techniques that are suitable for analysing security protocols (especially testing equivalence) S. Delaune (LSV) Verification of security protocols 26th August 2015 41 / 54

  73. Partial order reduction for security protocols part of the PhD thesis of L. Hirschi Main objective to develop POR techniques that are suitable for analysing security protocols (especially testing equivalence) Example: in ( c 1 , x 1 ) . out ( c 1 , ok ) | in ( c 2 , x 2 ) . out ( c 2 , ok ) We propose two optimizations: 1 compression: we impose a simple strategy on the exploration of the available actions (roughly outputs are performed first and using a fixed arbitrary order) 2 reduction: we avoid exploring some redundant traces taking into account the data that are exchanged S. Delaune (LSV) Verification of security protocols 26th August 2015 41 / 54

  74. Practical impact of our optimizations (in APTE) Toy example Denning Sacco protocol − → Each optimisation brings an exponential speedup. S. Delaune (LSV) Verification of security protocols 26th August 2015 42 / 54

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, Universit Paris Saclay, France Monday, June 26th, 2017 Research at IRISA (Rennes) 800 members (among which about 400

1.78k views • 167 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, Universit Paris Saclay, France Monday, June 27th, 2016 S. Delaune (LSV) Verification of security protocols 27th June 2016 1

1.88k views • 175 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ

Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ

Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, June 28th, 2018 Research at IRISA (Rennes) 800 members (among which about 400 reasearchers) EMSEC team

1.05k views • 86 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, France Tuesday, August 25th, 2015 S. Delaune (LSV) Verification of security protocols 25th August 2015 1 / 60 ENS Cachan 12

1.42k views • 127 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018

1.23k views • 78 slides
Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Introduction on security protocols Formal models Unbounded number of sessions Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/65 V eronique Cortier Verification of Security

1.29k views • 111 slides
Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to security protocols Dresden University of Technology Martin Pitt martin@piware.de Paper and slides available at http://www.piware.de/docs.shtml

549 views • 33 slides
Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Introduction on security protocols Formal models Going further Towards more guarantees Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/102 V

2.12k views • 160 slides
Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

1.92k views • 139 slides
Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin Song Dong Motivation Since clock synchronization is so important in the security of the Kerberos protocol, if clocks are not synchronized within a

493 views • 23 slides
Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome Vincent Bernat Laboratoire Spcification et Vrification CNRS & ENS Cachan SPV03 - Marseille p.1/17 Plan 1. Intro Existing models,

920 views • 63 slides
Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science, University of Bristol Finse Winter School, 7 May 2015 Security protocols: roles and goals Roles: P 1 , . . . , P n (e.g. clients, servers, devices,

1.43k views • 127 slides
Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola Bruno Blanchet {

1.02k views • 44 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
What makes an image memorable? P. Isola, J. Xiao, A. Torralba, A. Oliva. CVPR 2011 Islam Beltagy

What makes an image memorable? P. Isola, J. Xiao, A. Torralba, A. Oliva. CVPR 2011 Islam Beltagy

What makes an image memorable? P. Isola, J. Xiao, A. Torralba, A. Oliva. CVPR 2011 Islam Beltagy Experiment https://picasaweb.google. com/101392440470561716618/CS395TVi sualRecognition LabelMe Images database and annotation tool

698 views • 35 slides
Electing a University President using Open-Audit Voting Ben Adida , Olivier de Marneffe ,

Electing a University President using Open-Audit Voting Ben Adida , Olivier de Marneffe ,

Electing a University President using Open-Audit Voting Ben Adida , Olivier de Marneffe , Olivier Pereira Jean-Jacques Quisquater Harvard University Universit e catholique de Louvain August 11, 2009 UCL Crypto Group EVT/WOTE 09 -

426 views • 20 slides
POLL 1 8/23/2017 The View of Pedagogical Documentation as a Tool for Learning, Communication

POLL 1 8/23/2017 The View of Pedagogical Documentation as a Tool for Learning, Communication

8/23/2017 POLL 1 8/23/2017 The View of Pedagogical Documentation as a Tool for Learning, Communication and Engagement! Three Elements of Pedagogical Documentation Observe Document Interpret Listen Record Share Observe in everyday

608 views • 15 slides
Social Media Savvy Teen Self-Expression and Communication in a Digital Era How has access to

Social Media Savvy Teen Self-Expression and Communication in a Digital Era How has access to

Social Media Savvy Teen Self-Expression and Communication in a Digital Era How has access to mobile technology changed student learning? Sage on the Stage Guide on the Side The Heart of Social Media Influence - The Need for Acceptance

1.22k views • 77 slides
Adapting Helios for Provable Ballot Privacy David Bernhard, Veronique Cortier, Olivier Pereira,

Adapting Helios for Provable Ballot Privacy David Bernhard, Veronique Cortier, Olivier Pereira,

Adapting Helios for Provable Ballot Privacy David Bernhard, Veronique Cortier, Olivier Pereira, Ben Smyth, Bogdan Warinschi September 2, 2011 ESORICS 2011 Adapting Helios for Provable Ballot Privacy 1 / 26 Helios Helios is a web-based voting

629 views • 40 slides
Topic 6: 3D Transformations Homogeneous 3D transformations Scene Hierarchies Change

Topic 6: 3D Transformations Homogeneous 3D transformations Scene Hierarchies Change

Topic 6: 3D Transformations Homogeneous 3D transformations Scene Hierarchies Change of basis and rotations in 3D Showtime: Logitics Assignment 1 Due Tomorrow Assignment 2 available today/tomorrow For assignment

981 views • 71 slides
Photorealism Steve Ash, Rhodes College 2006 T exture Mapping = + = + T exture Mapping

Photorealism Steve Ash, Rhodes College 2006 T exture Mapping = + = + T exture Mapping

Photorealism Steve Ash, Rhodes College 2006 T exture Mapping = + = + T exture Mapping C(i, j) P(x, y, z) = + Given the intersection point P between the sphere and ray R , map the Cartesian coordinates ( x, y, z ) of P to ( u, v )

704 views • 33 slides
Coherent pion analysis with garsoft: status report December 10, 2019 Leo Bellantoni MPD meeting

Coherent pion analysis with garsoft: status report December 10, 2019 Leo Bellantoni MPD meeting

Coherent pion analysis with garsoft: status report December 10, 2019 Leo Bellantoni MPD meeting From DESY workshop 135 CC coh + in 11 shifts of data Its a pretty plot Reverse the |t| cut & get 1 + ~60% pure for

489 views • 14 slides

More recommend