verification of security protocols from confidentiality
play

Verification of security protocols: from confidentiality to privacy - PowerPoint PPT Presentation

Aug 29, 2023 •174 likes •1.05k views

Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, June 28th, 2018 Research at IRISA (Rennes) 800 members (among which about 400 reasearchers) EMSEC team

  1. Verification of security protocols: from confidentiality to privacy Stéphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, June 28th, 2018

  2. Research at IRISA (Rennes) − → 800 members (among which about 400 reasearchers)

  3. EMSEC team Embedded Security & Cryptography − → 7 permanent researchers, 12 PhD students, and 2 post-docs P. Derbez, G. Avoine, A. Roux-Langlois, B. Kordy, P.-A. Fouque + C. Maurice and myself.

  4. Advertisement POPSTAR ERC Project (2017-2022) Reasoning about Physical properties Of security Protocols with an Application To contactless Systems https://project.inria.fr/popstar/ Regular job offers: ◮ PhD positions and Post-doc positions; ◮ One research associate position (up to 5 years). − → contact me: stephanie.delaune@irisa.fr

  5. Cryptographic protocols everywhere ! − → they aim at securing communications over public networks

  6. A variety of security properties ◮ Secrecy : May an intruder learn some secret message exchanged between two honest participants? ◮ Authentication: Is the agent Alice really talking to Bob?

  7. A variety of security properties ◮ Secrecy : May an intruder learn some secret message exchanged between two honest participants? ◮ Authentication: Is the agent Alice really talking to Bob? ◮ Anonymity: Is an attacker able to learn something about the identity of the participants who are communicating? ◮ Non-repudiation: Alice sends a message to Bob. Alice cannot later deny having sent this message. Bob cannot deny having received the message. ◮ ...

  8. How does a cryptographic protocol work (or not)? Protocol: small programs explaining how to exchange messages

  9. How does a cryptographic protocol work (or not)? Protocol: small programs explaining how to exchange messages

  10. How does a cryptographic protocol work (or not)? Protocol: small programs explaining how to exchange messages Cryptographic: make use of cryptographic primitives Examples: symmetric encryption, asymmetric en- cryption, signature, hashes, . . .

  11. What is a symmetric encryption scheme? Symmetric encryption encryption decryption

  12. What is a symmetric encryption scheme? Symmetric encryption encryption decryption Example: This might be as simple as shifting each letter by a number of places in the alphabet (e.g. Caesar cipher) Today: DES (1977), AES (2000)

  13. A famous example Enigma machine (1918-1945) ◮ electro-mechanical rotor cipher machines used by the German to encrypt during Wold War II ◮ permutations and substitutions A bit of history ◮ 1918: invention of the Enigma machine ◮ 1940: Battle of the Atlantic during which Alan Turing’s Bombe was used to test Enigma settings. − → Everything about the breaking of the Enigma cipher systems remained secret until the mid-1970s.

  14. What is an asymmetric encryption scheme? Asymmetric encryption encryption decryption public key private key

  15. What is an asymmetric encryption scheme? Asymmetric encryption encryption decryption public key private key Examples: ◮ 1976: first system published by W. Diffie, and M. Hellman, ◮ 1977: RSA system published by R. Rivest, A. Shamir, and L. Adleman. − → their security relies on well-known mathematical problems ( e.g. factorizing large numbers, computing discrete logarithms) Today: those systems are still in use Turing Award 2016

  16. What is a signature scheme? Signature signature verification private key public key Example: The RSA cryptosystem (in fact, most public key cryptosystems) can be used as a signature scheme.

  17. How cryptographic protocols can be attacked?

  18. How cryptographic protocols can be attacked? Logical attacks ◮ can be mounted even assuming perfect cryptography, ֒ → replay attack, man-in-the middle attack, . . . ◮ subtle and hard to detect by “eyeballing” the protocol

  19. How cryptographic protocols can be attacked? Logical attacks ◮ can be mounted even assuming perfect cryptography, ֒ → replay attack, man-in-the middle attack, . . . ◮ subtle and hard to detect by “eyeballing” the protocol − → A traceability attack on the BAC protocol (2010) privacy issue The register - Jan. 2010

  20. Example: Denning Sacco protocol (1981) aenc ( sign ( k AB , priv ( A )) , pub ( B )) Is the Denning Sacco protocol a good key exchange protocol?

  21. Example: Denning Sacco protocol (1981) aenc ( sign ( k AB , priv ( A )) , pub ( B )) Is the Denning Sacco protocol a good key exchange protocol? No !

  22. Example: Denning Sacco protocol (1981) aenc ( sign ( k AB , priv ( A )) , pub ( B )) Is the Denning Sacco protocol a good key exchange protocol? No ! Description of a possible attack: aenc ( sign ( k AC , priv ( A )) , pub ( C ))

  23. Example: Denning Sacco protocol (1981) aenc ( sign ( k AB , priv ( A )) , pub ( B )) Is the Denning Sacco protocol a good key exchange protocol? No ! Description of a possible attack: aenc ( sign ( k AC , priv ( A )) , pub ( C )) sign ( k AC , priv ( A )) k AC aenc ( sign ( k AC , priv ( A )) , pub ( B ))

  24. Exercise We propose to fix the Denning-Sacco protocol as follows: Version 1 A → B aenc ( � A , B , sign ( k , priv ( A )) � , pub ( B )) : Version 2 A → B aenc ( sign ( � A , B , k � , priv ( A )) � , pub ( B )) : Which version would you prefer to use?

  25. Exercise We propose to fix the Denning-Sacco protocol as follows: Version 1 A → B aenc ( � A , B , sign ( k , priv ( A )) � , pub ( B )) : Version 2 A → B aenc ( sign ( � A , B , k � , priv ( A )) � , pub ( B )) : Which version would you prefer to use? Version 2 − → Version 1 is still vulnerable to the aforementioned attack.

  26. What about protocols used in real life ?

  27. Credit Card payment protocol Serge Humpich case “ Yescard “ (1997)

  28. Credit Card payment protocol Serge Humpich case “ Yescard “ (1997) Step 1: A logical flaw in the protocol allows one to copy a card and to use it without knowing the PIN code. − → not a real problem, there is still a bank account to withdraw

  29. Credit Card payment protocol Serge Humpich case “ Yescard “ (1997) Step 1: A logical flaw in the protocol allows one to copy a card and to use it without knowing the PIN code. − → not a real problem, there is still a bank account to withdraw Step 2: breaking encryption via factorisation of the following (96 digits) number: 213598703592091008239502270499962879705109534182 6417406442524165008583957746445088405009430865999 − → now, the number that is used is made of 232 digits

  30. HTTPS connections Lots of bugs and attacks, with fixes every month

  31. HTTPS connections Lots of bugs and attacks, with fixes every month FREAK attack discovered by Baraghavan et al (Feb. 2015) 1. a logical flaw that allows a man in the middle attacker to downgrade connections from ’strong’ RSA to ’export-grade’ RSA; 2. breaking encryption via factorisation of such a key can be easily done.

  32. HTTPS connections Lots of bugs and attacks, with fixes every month FREAK attack discovered by Baraghavan et al (Feb. 2015) 1. a logical flaw that allows a man in the middle attacker to downgrade connections from ’strong’ RSA to ’export-grade’ RSA; 2. breaking encryption via factorisation of such a key can be easily done. − → ’export-grade’ were introduced under the pressure of US governments agencies to ensure that they would be able to decrypt all foreign encrypted communication.

  33. This talk: formal methods for protocol verification Does the protocol satisfy a security property? Modelling | | ϕ =

  34. This talk: formal methods for protocol verification Does the protocol satisfy a security property? Modelling | | ϕ = Outline of the this talk 1. Modelling protocols, security properties, and the attacker 2. Designing verification algorithms

  35. Part I Modelling protocols, security properties and the attacker

  36. Two major families of models ... ... with some advantages and some drawbacks. Computational model ◮ + messages are bitstring, a general and powerful adversary ◮ – manual proofs, tedious and error-prone Symbolic model ◮ – abstract model, e.g. messages are terms ◮ + automatic proofs

  37. Two major families of models ... ... with some advantages and some drawbacks. Computational model ◮ + messages are bitstring, a general and powerful adversary ◮ – manual proofs, tedious and error-prone Symbolic model ◮ – abstract model, e.g. messages are terms ◮ + automatic proofs Some results allowed to make a link be- tween these two very different models. − → Abadi & Rogaway 2000

  38. Protocols as processes Applied pi calculus [Abadi & Fournet, 01] basic programming language with constructs for concurrency and communication − → based on the π -calculus [Milner et al. , 92] ... P , Q := 0 null process in ( c , x ) . P input out ( c , u ) . P output if u = v then P else Q conditional P | Q parallel composition ! P replication new n . P fresh name generation

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, Universit Paris Saclay, France Monday, June 26th, 2017 Research at IRISA (Rennes) 800 members (among which about 400

1.78k views • 167 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, Universit Paris Saclay, France Monday, June 27th, 2016 S. Delaune (LSV) Verification of security protocols 27th June 2016 1

1.88k views • 175 slides
Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, France Wednesday, August 26th, 2015 S. Delaune (LSV) Verification of security protocols 26th August 2015 1 / 54 This talk:

1.49k views • 124 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS & ENS Cachan, France Tuesday, August 25th, 2015 S. Delaune (LSV) Verification of security protocols 25th August 2015 1 / 60 ENS Cachan 12

1.42k views • 127 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018

1.23k views • 78 slides
Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Introduction on security protocols Formal models Unbounded number of sessions Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/65 V eronique Cortier Verification of Security

1.29k views • 111 slides
Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to security protocols Dresden University of Technology Martin Pitt martin@piware.de Paper and slides available at http://www.piware.de/docs.shtml

549 views • 33 slides
Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Introduction on security protocols Formal models Going further Towards more guarantees Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/102 V

2.12k views • 160 slides
Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

1.92k views • 139 slides
Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin Song Dong Motivation Since clock synchronization is so important in the security of the Kerberos protocol, if clocks are not synchronized within a

493 views • 23 slides
Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome Vincent Bernat Laboratoire Spcification et Vrification CNRS & ENS Cachan SPV03 - Marseille p.1/17 Plan 1. Intro Existing models,

920 views • 63 slides
Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science, University of Bristol Finse Winter School, 7 May 2015 Security protocols: roles and goals Roles: P 1 , . . . , P n (e.g. clients, servers, devices,

1.43k views • 127 slides
Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola Bruno Blanchet {

1.02k views • 44 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
OUR ROAD TO IOT: SECURE DEVICE GRID 5 October 2015 Kresten Krab Thorup @drkrab

OUR ROAD TO IOT: SECURE DEVICE GRID 5 October 2015 Kresten Krab Thorup @drkrab

OUR ROAD TO IOT: SECURE DEVICE GRID 5 October 2015 Kresten Krab Thorup @drkrab Introduction IoT and SSL/TLS landscape Secure Device Grid design Lessons Learned ABOUT THE SPEAKER Kresten Krab Thorup, Ph.D. Trifork CTO - since 1999

948 views • 56 slides
Randomness Extractors. Secure Communication in Practice Lecture 17

Randomness Extractors. Secure Communication in Practice Lecture 17

Randomness Extractors. Secure Communication in Practice Lecture 17

816 views • 23 slides
Countering Cryptographic Subversion Post-Snowden Cryptography Workshop Brussels 8/12/2015 Kenny

Countering Cryptographic Subversion Post-Snowden Cryptography Workshop Brussels 8/12/2015 Kenny

Countering Cryptographic Subversion Post-Snowden Cryptography Workshop Brussels 8/12/2015 Kenny Paterson Information Security Group @kennyog ; www.isg.rhul.ac.uk/~kp The post-Snowden adversary Since the Snowden revelations beginning in

481 views • 27 slides
Communication Protocols Lecture 19 TLS We saw... Symmetric-Key Components SKE, MAC Public-Key

Communication Protocols Lecture 19 TLS We saw... Symmetric-Key Components SKE, MAC Public-Key

Communication Protocols Lecture 19 TLS We saw... Symmetric-Key Components SKE, MAC Public-Key Components PKE, Digital Signatures Building blocks: Block-ciphers (AES), Hash-functions (SHA-3), Trapdoor PRG/OWP for PKE (e.g., DDH, RSA) and

444 views • 16 slides
Development in the Civil Infrastructure Platform Yoshitake Kobayashi Open Source Summit Japan,

Development in the Civil Infrastructure Platform Yoshitake Kobayashi Open Source Summit Japan,

SLTS Kernel and Base-Layer Development in the Civil Infrastructure Platform Yoshitake Kobayashi Open Source Summit Japan, Tokyo, June 2, 2017 Our Civilization is Run by Linux Open Source Summit Japan 2017 2

1.03k views • 46 slides
Dominig ar Foll Senior Software Architect Intel Open Source Fosdem 2017, Brussel, Be

Dominig ar Foll Senior Software Architect Intel Open Source Fosdem 2017, Brussel, Be

Dominig ar Foll Senior Software Architect Intel Open Source Fosdem 2017, Brussel, Be dominig.arfoll@fridu.net 1/30 A harden Embedded Linux Applicable to any Industrial IoT Linux 2/30 3/30 4/30 Top 25 Git Commituers in 2016 Commits Name

1.37k views • 30 slides
Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri,

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri,

Factoring as a Service Luke Valenta, Shaanan Cohney, Alex Liao, Joshua Fried, Satya Bodduluri, Nadia Heninger University of Pennsylvania seclab.upenn.edu/projects/faas Textbook RSA [Rivest Shamir Adleman 1977] Public Key Private Key N = pq

401 views • 39 slides
logi.CAD3 logi.CLOUD An expe ri en ce rep or t on migratj ng a n i nd ust r ia l -gra de

logi.CAD3 logi.CLOUD An expe ri en ce rep or t on migratj ng a n i nd ust r ia l -gra de

logi.CAD3 logi.CLOUD An expe ri en ce rep or t on migratj ng a n i nd ust r ia l -gra de ID E t o the Cl o ud u si ng t he Ec li pse e cosys tem Agenda of this Talk Introductjon (7 Minutes) Goal Company focus (products,

682 views • 37 slides

More recommend