verification of security protocols part i
play

Verification of Security Protocols Part I eronique Cortier 1 V - PowerPoint PPT Presentation

Aug 19, 2023 •174 likes •1.29k views

Introduction on security protocols Formal models Unbounded number of sessions Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/65 V eronique Cortier Verification of Security

  1. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example How does the “YesCard” work ? Logical flaw 1 . Ca → T : Data , { hash (Data) } K − 1 B 2 . T → Ca : secret code ? → Ca ′ 3 . Cu : 2345 Ca ′ 4 . → T : ok Remark : there is always somebody to debit. → creation of a fake card 16/65 V´ eronique Cortier Verification of Security Protocols

  2. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example How does the “YesCard” work ? Logical flaw 1 . Ca → T : Data , { hash (Data) } K − 1 B 2 . T → Ca : secret code ? → Ca ′ 3 . Cu : 2345 Ca ′ 4 . → T : ok Remark : there is always somebody to debit. → creation of a fake card Ca ′ → T : XXX , { hash (XXX) } K − 1 1 . B → Cu 2 . T : secret code ? → Ca ′ 3 . Cu : 0000 Ca ′ → T 4 . : ok 16/65 V´ eronique Cortier Verification of Security Protocols

  3. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Commutative Symmetric encryption Symmetric encryption, denoted by { m } k clef clef Hello Obawbhe Hello Alice Nyvpr Alice Encryption Decryption The same key is used for encrypting and decrypting. Commutative (symmetric) encryption (e.g. RSA) {{ m } k 1 } k 2 = {{ m } k 2 } k 1 17/65 V´ eronique Cortier Verification of Security Protocols

  4. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − → 18/65 V´ eronique Cortier Verification of Security Protocols

  5. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − 18/65 V´ eronique Cortier Verification of Security Protocols

  6. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − { pin : 3443 } k bob − − − − − − − − − − − → � � � � Since { pin : 3443 } k alice = { pin : 3443 } k bob k bob k alice 18/65 V´ eronique Cortier Verification of Security Protocols

  7. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − { pin : 3443 } k bob − − − − − − − − − − − → → It does not work ! (Authentication problem) 18/65 V´ eronique Cortier Verification of Security Protocols

  8. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − { pin : 3443 } k bob − − − − − − − − − − − → → It does not work ! (Authentication problem) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k intruder ← − − − − − − − − − − − − − − − − − { pin : 3443 } k intruder − − − − − − − − − − − − → 18/65 V´ eronique Cortier Verification of Security Protocols

  9. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Another example The “famous” Needham-Schroeder public key protocol (and its associated Man-In-The-Middle Attack) 19/65 V´ eronique Cortier Verification of Security Protocols

  10. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Public key encryption Public key : pk( A ) Encryption : { m } pk( A ) public private key key Hello Obawbhe Hello Alice Nyvpr Alice Encryption Decryption Encryption with the public key and decryption with the private key. Invented only in the late 70’s ! 20/65 V´ eronique Cortier Verification of Security Protocols

  11. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A . N b Random number (called nonce) generated by B . • A → B : { A , N a } pub( B ) B → A : { N a , N b } pub( A ) A → B : { N b } pub( B ) 21/65 V´ eronique Cortier Verification of Security Protocols

  12. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A . N b Random number (called nonce) generated by B . A → B : { A , N a } pub( B ) • B → A : { N a , N b } pub( A ) A → B : { N b } pub( B ) 21/65 V´ eronique Cortier Verification of Security Protocols

  13. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A . N b Random number (called nonce) generated by B . A → B : { A , N a } pub( B ) B → A : { N a , N b } pub( A ) • A → B : { N b } pub( B ) 21/65 V´ eronique Cortier Verification of Security Protocols

  14. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A . N b Random number (called nonce) generated by B . A → B : { A , N a } pub( B ) B → A : { N a , N b } pub( A ) A → B : { N b } pub( B ) Questions : Is N b secret between A and B ? When B receives { N b } pub( B ) , does this message really come from A ? 21/65 V´ eronique Cortier Verification of Security Protocols

  15. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A . N b Random number (called nonce) generated by B . A → B : { A , N a } pub( B ) B → A : { N a , N b } pub( A ) A → B : { N b } pub( B ) Questions : Is N b secret between A and B ? When B receives { N b } pub( B ) , does this message really come from A ? → An attack was discovered in 1994, 15 years after the publication of the protocol ! 21/65 V´ eronique Cortier Verification of Security Protocols

  16. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Man in the middle attack { A , N a } pub( P ) { A , N a } pub( B ) − − − − − − − → − − − − − − − → 22/65 V´ eronique Cortier Verification of Security Protocols

  17. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Man in the middle attack { A , N a } pub( P ) { A , N a } pub( B ) − − − − − − − → − − − − − − − → { N a , N b } pub( A ) { N a , N b } pub( A ) ← − − − − − − − − − ← − − − − − − − − − 22/65 V´ eronique Cortier Verification of Security Protocols

  18. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Man in the middle attack { A , N a } pub( P ) { A , N a } pub( B ) − − − − − − − → − − − − − − − → { N a , N b } pub( A ) { N a , N b } pub( A ) ← − − − − − − − − − ← − − − − − − − − − { N b } pub( P ) { N b } pub( B ) − − − − − − → − − − − − − → 22/65 V´ eronique Cortier Verification of Security Protocols

  19. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Man in the middle attack { A , N a } pub( P ) { A , N a } pub( B ) − − − − − − − → − − − − − − − → { B , N a , N b } pub( A ) { B , N a , N b } pub( A ) ← − − − − − − − − − ← − − − − − − − − − { N b } pub( P ) { N b } pub( B ) − − − − − − → − − − − − − → Fixing the flaw : add the identity of B . 22/65 V´ eronique Cortier Verification of Security Protocols

  20. Context Introduction on security protocols Security Protocols : how does it work ? Formal models Commutative encryption (RSA) Unbounded number of sessions Needham-Schroeder Example Outline of the talk 1 Introduction on security protocols Context Security Protocols : how does it work ? Commutative encryption (RSA) Needham-Schroeder Example 2 Formal models Messages Intruder Protocol Solving constraint systems 3 Unbounded number of sessions Undecidability Horn clauses 23/65 V´ eronique Cortier Verification of Security Protocols

  21. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Difficulty Presence of an attacker may read every message sent on the net, may intercept and send new messages. ⇒ The system is infinitely branching 24/65 V´ eronique Cortier Verification of Security Protocols

  22. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems A first approach Why not modeling security protocol using a (possibly extended) automata ? login name pw correct START VALIDATE CONNECTED restart pw wrong restart DELAY LOG ERROR log pw wrong 25/65 V´ eronique Cortier Verification of Security Protocols

  23. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems How to model a security protocol ? login name pw correct START VALIDATE CONNECTED restart pw wrong restart DELAY LOG ERROR log pw wrong The output of each participants strongly depends on the data received inside the message. At each step, a malicious user (called the adversary) may create arbitrary messages. The output of the adversary strongly depends on the messages sent on the network. → It is important to have a tight modeling of the messages. 26/65 V´ eronique Cortier Verification of Security Protocols

  24. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems An appropriate datastructure : Terms Given a signature F of symbols with an arity e.g. { enc , pair , a , b , c , n a , n b } and a set X of variables, the set of terms T ( F , X ) is inductively defined as follows : constants terms (e.g. a , b , c , n a , n b ) are terms variables are terms f ( t 1 , . . . , t n ) is a term whenever t 1 , . . . , t n are terms. Intuition : from words to trees. → There exists automata on trees instead of (classical) automata on words, see e.g. TATA http ://tata.gforge.inria.fr/ 27/65 V´ eronique Cortier Verification of Security Protocols

  25. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Messages Messages are abstracted by terms. Agents : a , b , . . . Nonces : n 1 , n 2 , . . . Keys : k 1 , k 2 , . . Cyphertext : enc( m , k ) Concatenation : pair( m 1 , m 2 ) Example : The message { A , N a } K is represented by : {} enc(pair( A , N a ) , K ) �� K A N a Intuition : only the structure of the message is kept. 28/65 V´ eronique Cortier Verification of Security Protocols

  26. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Intruder abilities Composition rules T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ � u , v � T ⊢ enc( u , v ) T ⊢ enca( u , v ) 29/65 V´ eronique Cortier Verification of Security Protocols

  27. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Intruder abilities Composition rules T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ � u , v � T ⊢ enc( u , v ) T ⊢ enca( u , v ) Decomposition rules T ⊢ � u , v � T ⊢ � u , v � u ∈ T T ⊢ u T ⊢ u T ⊢ v T ⊢ enc( u , v ) T ⊢ v T ⊢ enca( u , pub( v )) T ⊢ priv( v ) T ⊢ u T ⊢ u 29/65 V´ eronique Cortier Verification of Security Protocols

  28. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Intruder abilities Composition rules T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ � u , v � T ⊢ enc( u , v ) T ⊢ enca( u , v ) Decomposition rules T ⊢ � u , v � T ⊢ � u , v � u ∈ T T ⊢ u T ⊢ u T ⊢ v T ⊢ enc( u , v ) T ⊢ v T ⊢ enca( u , pub( v )) T ⊢ priv( v ) T ⊢ u T ⊢ u Deducibility relation A term u is deducible from a set of terms T , denoted by T ⊢ u , if there exists a prooftree witnessing this fact. 29/65 V´ eronique Cortier Verification of Security Protocols

  29. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems A simple protocol � Bob , k � � Alice , enc(s , k) � 30/65 V´ eronique Cortier Verification of Security Protocols

  30. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems A simple protocol � Bob , k � � Alice , enc(s , k) � Question ? Can the attacker learn the secret s ? 30/65 V´ eronique Cortier Verification of Security Protocols

  31. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems A simple protocol � Bob , k � � Alice , enc(s , k) � Answer : Of course, Yes ! � Alice , enc(s , k) � � Bob , k � enc(s , k) k s 30/65 V´ eronique Cortier Verification of Security Protocols

  32. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Decision of the intruder problem Given A set of messages S and a message m Question Can the intruder learn m from S that is S ⊢ m ? This problem is decidable in polynomial time. Exercise : (medium) Prove it. 31/65 V´ eronique Cortier Verification of Security Protocols

  33. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Decision of the intruder problem Given A set of messages S and a message m Question Can the intruder learn m from S that is S ⊢ m ? This problem is decidable in polynomial time. Exercise : (medium) Prove it. Lemma (Locality) If there is a proof of S ⊢ m then there is a proof that only uses the subterms of S and m. 31/65 V´ eronique Cortier Verification of Security Protocols

  34. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Protocol description Protocol : A → B { pin } k a : B → A : {{ pin } k a } k b A → B { pin } k b : A protocol is a finite set of roles : role Π(1) corresponding to the 1 st participant played by a talking to b : k a init → enc(pin , k a ) enc( x , k a ) → x . 32/65 V´ eronique Cortier Verification of Security Protocols

  35. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Protocol description Protocol : A → B { pin } k a : B → A : {{ pin } k a } k b A → B { pin } k b : A protocol is a finite set of roles : role Π(1) corresponding to the 1 st participant played by a talking to b : k a init → enc(pin , k a ) enc( x , k a ) → x . role Π(2) corresponding to the 2 nd participant played by b with a : k b → x enc( x , k b ) enc( y , k b ) → stop . 32/65 V´ eronique Cortier Verification of Security Protocols

  36. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Secrecy via constraint solving [Millen et al] Constraint systems are used to specify secrecy preservation under a particular, finite scenario. Scenario Constraint System N 1 rcv( u 1 ) → snd( v 1 )  T 0 � u 1  N 2  T 0 , v 1 � u 2 rcv( u 2 ) → snd( v 2 )  C = ... . . .   T 0 , v 1 , .., v n � s N n  rcv( u n ) → snd( v n ) where T 0 is the initial knowledge of the attacker. Remark : Constraint Systems may be used more generally for trace-based properties, e.g. authentication. 33/65 V´ eronique Cortier Verification of Security Protocols

  37. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Secrecy via constraint solving [Millen et al] Constraint systems are used to specify secrecy preservation under a particular, finite scenario. Scenario Constraint System N 1 rcv( u 1 ) → snd( v 1 )  T 0 � u 1  N 2  T 0 , v 1 � u 2 rcv( u 2 ) → snd( v 2 )  C = ... . . .   T 0 , v 1 , .., v n � s N n  → snd( v n ) rcv( u n ) where T 0 is the initial knowledge of the attacker. Solution of a constraint system A substitution σ such that for every T � u ∈ C , u σ is deducible from T σ , that is u σ ⊢ T σ . 33/65 V´ eronique Cortier Verification of Security Protocols

  38. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Example of a system constraint A → B : { pin } k a B → A {{ pin } k a } k b : and the attacker initially knows T 0 = { init } . A → B : { pin } k b One possible associated constraint system is :  { init } � init  C = { init , { pin } k a } � { x } k a { init , { pin } k a , x } � pin  Is there a solution ? 34/65 V´ eronique Cortier Verification of Security Protocols

  39. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Example of a system constraint A → B : { pin } k a B → A {{ pin } k a } k b : and the attacker initially knows T 0 = { init } . A → B : { pin } k b One possible associated constraint system is :  { init } � init  C = { init , { pin } k a } � { x } k a { init , { pin } k a , x } � pin  Is there a solution ? Of course yes, simply consider x = pin ! 34/65 V´ eronique Cortier Verification of Security Protocols

  40. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Example of a system constraint A → B : { pin } k a B → A {{ pin } k a } k b : and the attacker initially knows T 0 = { init } . A → B : { pin } k b One possible associated constraint system is :  { init } � init  C = { init , { pin } k a } � { x } k a { init , { pin } k a , x } � pin  Is there a solution ? Of course yes, simply consider x = pin ! Exercise : (easy) Propose the constraint system associated to the (non-corrected) Needham-Schroeder protocol (for a reasonable choice of sessions) and exhibit a solution. 34/65 V´ eronique Cortier Verification of Security Protocols

  41. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems How to solve constraint system ?  T 0 � u 1   T 0 , v 1 � u 2  Given C = ...   T 0 , v 1 , .., v n � u n +1  Question Is there a solution σ of C ? 35/65 V´ eronique Cortier Verification of Security Protocols

  42. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems An easy case : “solved constraint systems” General case  T 0 � u 1   T 0 , v 1 � u 2  Given C = ...   T 0 , v 1 , .., v n � u n +1  Question Is there a solution σ of C ? 36/65 V´ eronique Cortier Verification of Security Protocols

  43. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems An easy case : “solved constraint systems” General case  T 0 � u 1   T 0 , v 1 � u 2  Given C = ...   T 0 , v 1 , .., v n � u n +1  Question Is there a solution σ of C ? Solved constraint systems  T 0 � x 1   T 0 , v 1 � x 2  Given C = ...   T 0 , v 1 , .., v n � x n +1  Question Is there a solution σ of C ? 36/65 V´ eronique Cortier Verification of Security Protocols

  44. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems An easy case : “solved constraint systems” General case  T 0 � u 1   T 0 , v 1 � u 2  Given C = ...   T 0 , v 1 , .., v n � u n +1  Question Is there a solution σ of C ? Solved constraint systems  T 0 � x 1   T 0 , v 1 � x 2  Given C = ...   T 0 , v 1 , .., v n � x n +1  Question Is there a solution σ of C ? Of course yes ! Consider e.g. σ ( x 1 ) = · · · = σ ( x n +1 ) = t ∈ T 0 . 36/65 V´ eronique Cortier Verification of Security Protocols

  45. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Decision procedure [Millen / Comon-Lundh] Goal : Transformation of the constraints in order to obtain a solved constraint system. 8 T 0 � u 1 > > T 0 , v 1 � u 2 < C = > ... > T 0 , v 1 , .., v n � u n +1 : C 1 C 2 C 3 ⊥ C 4 ⊥ SOLVED C has a solution iff C � C ′ with C ′ in solved form. 37/65 V´ eronique Cortier Verification of Security Protocols

  46. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Transformation rules if T ∪ { x | T ′ � x ∈ C , T ′ � T } ⊢ u R 1 : C ∧ T � u C � u ′ ∈ st ( T ) R 2 : C ∧ T � u C σ ∧ T σ � u σ � σ if σ = mgu( u , u ′ ) u , u ′ ∈ st ( T ) R 3 : C ∧ T � v � σ C σ ∧ T σ � v σ if σ = mgu( u , u ′ ) R 4 : C ∧ T � u � ⊥ if var( T , u ) = ∅ and T �⊢ u R 5 : C ∧ T � f ( u , v ) � C ∧ T � u ∧ T � v for f ∈ {�� , enc } 38/65 V´ eronique Cortier Verification of Security Protocols

  47. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Intruder step The intruder can built messages R 5 : C ∧ T � f ( u , v ) C ∧ T � u ∧ T � v � for f ∈ {�� , enc } 39/65 V´ eronique Cortier Verification of Security Protocols

  48. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Intruder step The intruder can built messages R 5 : C ∧ T � f ( u , v ) C ∧ T � u ∧ T � v � for f ∈ {�� , enc } Example : a , k � k a , k � enc( � x , y � , k ) � a , k � � x , y � 39/65 V´ eronique Cortier Verification of Security Protocols

  49. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Unsolvable constraints R 4 : C ∧ T � u � ⊥ if var( T , u ) = ∅ and T �⊢ u Example : . . . ⊥ a , enc( s , k ) � s � . . . 40/65 V´ eronique Cortier Verification of Security Protocols

  50. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Guessing equalities 1 Example : k , enc(enc( x , k ′ ) , k ) � enc( a , k ′ ) u ′ ∈ st ( T ) R 2 : C ∧ T � u � σ C σ ∧ T σ � u σ if σ = mgu( u , u ′ ), u , u ′ �∈ X , u � = u ′ 41/65 V´ eronique Cortier Verification of Security Protocols

  51. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Guessing equalities 1 Example : k , enc(enc( x , k ′ ) , k ) � enc( a , k ′ ) u ′ ∈ st ( T ) R 2 : C ∧ T � u � σ C σ ∧ T σ � u σ if σ = mgu( u , u ′ ), u , u ′ �∈ X , u � = u ′ 2 Example : enc( s , � a , x � ) , enc( � y , b � , k ) , k � s u , u ′ ∈ st ( T ) R 3 : C ∧ T � v � σ C σ ∧ T σ � v σ if σ = mgu( u , u ′ ), u , u ′ �∈ X , u � = u ′ 41/65 V´ eronique Cortier Verification of Security Protocols

  52. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Eliminating redundancies k � x k , enc( s , x ) � s The constraint enc( s , x ) � s will be satisfied as soon as k � x is satisfied. 42/65 V´ eronique Cortier Verification of Security Protocols

  53. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Eliminating redundancies k � x k , enc( s , x ) � s The constraint enc( s , x ) � s will be satisfied as soon as k � x is satisfied. if T ∪ { x | T ′ � x ∈ C , T ′ � T } ⊢ u R 1 : C ∧ T � u � C 42/65 V´ eronique Cortier Verification of Security Protocols

  54. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Soundness and completeness Theorem Soundness If C � σ C ′ and θ solution of C ′ then σθ is a solution of C . Completeness If θ solution of C then there exists C ′ , σ, θ ′ such that C � σ C ′ , θ = σθ ′ and θ ′ is a solution of C . Termination � is terminating in polynomial time in the size of C . 43/65 V´ eronique Cortier Verification of Security Protocols

  55. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Soundness and completeness Theorem Soundness If C � σ C ′ and θ solution of C ′ then σθ is a solution of C . Completeness If θ solution of C then there exists C ′ , σ, θ ′ such that C � σ C ′ , θ = σθ ′ and θ ′ is a solution of C . Termination � is terminating in polynomial time in the size of C . Exercise (easy) : show correctness Exercise (easy) : show termination using the lexicographic order (number of var, size of C ). What complexity do you get ? (More involved) : show termination in polynomial time Full proofs in [TOCL 2010] 43/65 V´ eronique Cortier Verification of Security Protocols

  56. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems NP-procedure for solving constraint systems 8 T 0 � u 1 > > T 0 , v 1 � u 2 < C = ... > > T 0 , v 1 , .., v n � u n +1 : C 1 C 2 C 3 ⊥ C 4 ⊥ SOLVED Corollary Checking secrecy for a bounded number of sessions is NP. NP-hardness can be shown by encoding 3-SAT. 44/65 V´ eronique Cortier Verification of Security Protocols

  57. Messages Introduction on security protocols Intruder Formal models Protocol Unbounded number of sessions Solving constraint systems Example of tool : Avispa Platform Collaborators LORIA, France DIST, Italy ETHZ, Switzer- land Siemens, Germany www.avispa-project.org 45/65 V´ eronique Cortier Verification of Security Protocols

  58. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Limitations of this approach ? Are you ready to use any protocol verified with this technique ? 46/65 V´ eronique Cortier Verification of Security Protocols

  59. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Limitations of this approach ? Are you ready to use any protocol verified with this technique ? Only a finite scenario is checked. → What happens if the protocol is used one more time ? The underlying mathematical properties of the primitives are abstracted away. The specification of the protocol is analysed, but not its implementation. 46/65 V´ eronique Cortier Verification of Security Protocols

  60. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to decide security for unlimited sessions ? → In general, it is undecidable ! (i.e. there exists no algorithm for checking e.g. secrecy) How to prove undecidability ? 47/65 V´ eronique Cortier Verification of Security Protocols

  61. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to decide security for unlimited sessions ? → In general, it is undecidable ! (i.e. there exists no algorithm for checking e.g. secrecy) How to prove undecidability ? Post correspondence problem (PCP) input { ( u i , v i ) } 1 ≤ i ≤ n , u i , v i ∈ Σ ∗ output ∃ n , i 1 , . . . , i n u i 1 · · · u i n = v i 1 · · · v i n Example : { ( bab , b ) , ( ab , aba ) , ( a , baba ) } Solution ? 47/65 V´ eronique Cortier Verification of Security Protocols

  62. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to decide security for unlimited sessions ? → In general, it is undecidable ! (i.e. there exists no algorithm for checking e.g. secrecy) How to prove undecidability ? Post correspondence problem (PCP) input { ( u i , v i ) } 1 ≤ i ≤ n , u i , v i ∈ Σ ∗ output ∃ n , i 1 , . . . , i n u i 1 · · · u i n = v i 1 · · · v i n Example : { ( bab , b ) , ( ab , aba ) , ( a , baba ) } Solution ? → Yes, 1,2,3,1. babababab babababab 47/65 V´ eronique Cortier Verification of Security Protocols

  63. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to encode PCP in protocols ? Given { ( u i , v i ) } 1 ≤ i ≤ n , we construct the following protocol P : A → B : {� u 1 , v 1 �} K ab , . . . , {� u k , v k �} K ab B : {� x , y �} K ab → A : {� x , u 1 , y , v 1 �} K ab , { s } {� x , u 1 , x , u 1 �} Kab , . . . , {� x , u k , y , v k �} K ab , { s } {�� x , u k , x , u k �} Kab where a 1 · a 2 · · · a n denotes the term �· · · �� a 1 , a 2 � , a 3 , � . . . a n � . 48/65 V´ eronique Cortier Verification of Security Protocols

  64. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to encode PCP in protocols ? Given { ( u i , v i ) } 1 ≤ i ≤ n , we construct the following protocol P : A → B : {� u 1 , v 1 �} K ab , . . . , {� u k , v k �} K ab B : {� x , y �} K ab → A : {� x , u 1 , y , v 1 �} K ab , { s } {� x , u 1 , x , u 1 �} Kab , . . . , {� x , u k , y , v k �} K ab , { s } {�� x , u k , x , u k �} Kab where a 1 · a 2 · · · a n denotes the term �· · · �� a 1 , a 2 � , a 3 , � . . . a n � . Then there is an attack on P iff there is a solution to the Post Correspondence Problem with entry { ( u i , v i ) } 1 ≤ i ≤ n . 48/65 V´ eronique Cortier Verification of Security Protocols

  65. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to circumvent undecidability ? Find decidable subclasses of protocols. Design semi-decision procedure, that works in practice ... 49/65 V´ eronique Cortier Verification of Security Protocols

  66. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to model an unbounded number of sessions ? “For any x, if the agent A receives enc( x , k a ) then A responds with x.” → Use of first-order logic. 50/65 V´ eronique Cortier Verification of Security Protocols

  67. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Intruder Horn clauses perfectly reflects the attacker symbolic manipulations on terms. I ( x ) , I ( y ) ⇒ I ( < x , y > ) pairing ⇒ I ( { x } y ) I ( x ) , I ( y ) encryption I ( { x } y ) , I ( y ) ⇒ I ( x ) decryption ⇒ I ( < x , y > ) I ( x ) projection I ( < x , y > ) ⇒ I ( y ) projection 51/65 V´ eronique Cortier Verification of Security Protocols

  68. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Protocol Protocol : Horn clauses : A → B : { pin } k a ⇒ I ( { pin } k a ) B → A : {{ pin } k a } k b ⇒ I ( { x } k b ) I ( x ) A → B : { pin } k b I ( { x } k a ) ⇒ I ( x ) 52/65 V´ eronique Cortier Verification of Security Protocols

  69. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Protocol Protocol : Horn clauses : A → B : { pin } k a ⇒ I ( { pin } k a ) B → A : {{ pin } k a } k b ⇒ I ( { x } k b ) I ( x ) A → B : { pin } k b I ( { x } k a ) ⇒ I ( x ) Secrecy property is a reachability (accessibility) property ¬ I (pin) Then there exists an attack iff the set of formula corresponding to Intruder manipulations + protocol + property is NOT satisfiable. 52/65 V´ eronique Cortier Verification of Security Protocols

  70. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions How to decide satisfiability ? → Resolution techniques 53/65 V´ eronique Cortier Verification of Security Protocols

  71. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Some vocabulary First order logic Atoms P ( t 1 , . . . , t n ) where t i are terms, P is a predicate Literals P ( t 1 , . . . , t n ) or ¬ P ( t 1 , . . . , t n ) closed under ∨ , ∧ , ¬ , ∃ , ∀ Clauses : Only universal quantifiers Horn Clauses : at most one positive literal A 1 , . . . , A n ⇒ B where A i , B are atoms. 54/65 V´ eronique Cortier Verification of Security Protocols

  72. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Binary resolution A , B are atoms and C , D are clauses. An intuitive rule A ⇒ C A C In other words ¬ A ∨ C A C 55/65 V´ eronique Cortier Verification of Security Protocols

  73. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Binary resolution A , B are atoms and C , D are clauses. An intuitive rule A ⇒ C A C In other words ¬ A ∨ C A C Generalizing ¬ A ∨ C B θ = mgu ( A , B ) (i.e. A θ = B θ ) C θ 55/65 V´ eronique Cortier Verification of Security Protocols

  74. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Binary resolution A , B are atoms and C , D are clauses. An intuitive rule A ⇒ C A C In other words ¬ A ∨ C A C Generalizing ¬ A ∨ C B θ = mgu ( A , B ) (i.e. A θ = B θ ) C θ Generalizing a bit more ¬ A ∨ C B ∨ D θ = mgu ( A , B ) Binary resolution C θ ∨ D θ 55/65 V´ eronique Cortier Verification of Security Protocols

  75. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Binary resolution and Factorization ¬ A ∨ C B ∨ D Binary resolution θ = mgu( A , B ) C θ ∨ D θ A ∨ B ∨ C Factorisation θ = mgu( A , B ) A θ ∨ C θ Theorem (Soundness and Completeness) Binary resolution and factorisation are sound and refutationally complete, i.e. a set of clauses C is not satisfiable if and only if ⊥ (the empty clause) can be obtained from C by binary resolution and factorisation. Exercise : Why do we need the factorisation rule ? 56/65 V´ eronique Cortier Verification of Security Protocols

  76. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Example C = {¬ I ( s ) , I ( k 1 ) , I ( { s } � k 1 , k 1 � ) , I ( { x } y ) , I ( y ) ⇒ I ( x ) , I ( x ) , I ( y ) ⇒ I ( � x , y � ) I ( k 1 ) I ( x ) , I ( y ) ⇒ I ( � x , y � ) I ( { s } � k 1 , k 1 � ) I ( { x } y ) , I ( y ) ⇒ I ( x ) I ( k 1 ) I ( y ) ⇒ I ( � k 1 , y � ) I ( � k 1 , k 1 � ) ⇒ s I ( � k 1 , k 1 � ) ¬ I ( s ) I ( s ) ⊥ 57/65 V´ eronique Cortier Verification of Security Protocols

  77. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions But it is not terminating ! I ( s ) I ( x ) , I ( y ) ⇒ I ( � x , y � ) I ( y ) ⇒ I ( � s , y � ) I ( s ) I ( y ) ⇒ I ( � s , y � ) I ( � s , s � ) I ( y ) ⇒ I ( � s , y � ) I ( � s , � s , s �� ) I ( � s , � s , � s , s ��� ) · · · → This does not yield any decidability result. 58/65 V´ eronique Cortier Verification of Security Protocols

  78. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Ordered Binary resolution and Factorization Let < be any order on clauses. ¬ A ∨ C B ∨ D θ = mgu( A , B ) Ordered binary resolution A θ � < C θ ∨ D θ C θ ∨ D θ A ∨ B ∨ C θ = mgu( A , B ) Ordered factorisation A θ � < C θ A θ ∨ C θ 59/65 V´ eronique Cortier Verification of Security Protocols

  79. Introduction on security protocols Undecidability Formal models Horn clauses Unbounded number of sessions Ordered Binary resolution and Factorization Let < be any order on clauses. ¬ A ∨ C B ∨ D θ = mgu( A , B ) Ordered binary resolution A θ � < C θ ∨ D θ C θ ∨ D θ A ∨ B ∨ C θ = mgu( A , B ) Ordered factorisation A θ � < C θ A θ ∨ C θ Theorem (Soundness and Completeness) Ordered binary resolution and factorisation are sound and refutationally complete provided that < is liftable ∀ A , B , θ A < B ⇒ A θ < B θ 59/65 V´ eronique Cortier Verification of Security Protocols

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018

1.23k views • 78 slides
Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to security protocols Dresden University of Technology Martin Pitt martin@piware.de Paper and slides available at http://www.piware.de/docs.shtml

549 views • 33 slides
Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

1.92k views • 139 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Introduction on security protocols Formal models Going further Towards more guarantees Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/102 V

2.12k views • 160 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS &amp; ENS Cachan, Universit Paris Saclay, France Monday, June 27th, 2016 S. Delaune (LSV) Verification of security protocols 27th June 2016 1

1.88k views • 175 slides
Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin Song Dong Motivation Since clock synchronization is so important in the security of the Kerberos protocol, if clocks are not synchronized within a

493 views • 23 slides
Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Organization of the course Two

774 views • 74 slides
Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides originally by Ross Anderson Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography

1.47k views • 118 slides
Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome Vincent Bernat Laboratoire Spcification et Vrification CNRS &amp; ENS Cachan SPV03 - Marseille p.1/17 Plan 1. Intro Existing models,

920 views • 63 slides
Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS &amp; ENS Cachan, France Wednesday, August 26th, 2015 S. Delaune (LSV) Verification of security protocols 26th August 2015 1 / 54 This talk:

1.49k views • 124 slides
Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science, University of Bristol Finse Winter School, 7 May 2015 Security protocols: roles and goals Roles: P 1 , . . . , P n (e.g. clients, servers, devices,

1.43k views • 127 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS &amp; ENS Cachan, Universit Paris Saclay, France Monday, June 26th, 2017 Research at IRISA (Rennes) 800 members (among which about 400

1.78k views • 167 slides
Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola Bruno Blanchet {

1.02k views • 44 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS &amp; ENS Cachan, France Tuesday, August 25th, 2015 S. Delaune (LSV) Verification of security protocols 25th August 2015 1 / 60 ENS Cachan 12

1.42k views • 127 slides
Memory Usage Estimation for Java Smart Cards G ERARDO S CHNEIDER IRISA/INRIA - R ENNES , F RANCE

Memory Usage Estimation for Java Smart Cards G ERARDO S CHNEIDER IRISA/INRIA - R ENNES , F RANCE

Memory Usage Estimation for Java Smart Cards G ERARDO S CHNEIDER IRISA/INRIA - R ENNES , F RANCE CASTLES: Conception dAnalyses Statiques et de Tests pour le Logiciel Embarqu e S ecuris e NWPT04 - Uppsala, 06 October 2004 Memory

828 views • 43 slides
Mondex , an Electronic Purse : Specification &amp; Refinement Checks with the Alloy Model-Finding

Mondex , an Electronic Purse : Specification &amp; Refinement Checks with the Alloy Model-Finding

MPRI M1 Internship March 6 th August 26 th , 2006 Mondex , an Electronic Purse : Specification &amp; Refinement Checks with the Alloy Model-Finding method Tahina Ramananandro cole Normale Suprieure Paris, France Daniel Jackson

838 views • 40 slides
Gemplus electronic purse JavaCard applet that runs on JavaCard smart cards. Specifying and

Gemplus electronic purse JavaCard applet that runs on JavaCard smart cards. Specifying and

Gemplus electronic purse JavaCard applet that runs on JavaCard smart cards. Specifying and Verifying an Debit and credit operations on a global example: balance. Secured communication and a decimal representation in Java

339 views • 5 slides
Mobility Coalition Oct Octobe ober r 202 2020 Welcome! Review Agenda Welcome &amp;

Mobility Coalition Oct Octobe ober r 202 2020 Welcome! Review Agenda Welcome &amp;

North King County Mobility Coalition Oct Octobe ober r 202 2020 Welcome! Review Agenda Welcome &amp; Introductions Ice Breaker: What was your favorite Halloween costume? Announcements Announcements The Gaps Analysis

760 views • 42 slides
Security-by-Contract for Applications Evolution in Multi-Application Smart Cards Nicola

Security-by-Contract for Applications Evolution in Multi-Application Smart Cards Nicola

DTU Informatics Department of Informatics and Mathematical Modelling Security-by-Contract for Applications Evolution in Multi-Application Smart Cards Nicola Dragoni ndra@imm.dtu.dk http://www2.imm.dtu.dk/~ndra Embedded Systems Engineering

475 views • 35 slides
JavaCard group project Erik Poll Digital Security Radboud University Nijmegen 1 Smartcard

JavaCard group project Erik Poll Digital Security Radboud University Nijmegen 1 Smartcard

JavaCard group project Erik Poll Digital Security Radboud University Nijmegen 1 Smartcard group project You have been contracted to build a system electronic purse loyalty card petrol rationing car rental Only design

461 views • 30 slides
Hardware Security Organisational stuff Digital Security Radboud University Nijmegen 1 Other

Hardware Security Organisational stuff Digital Security Radboud University Nijmegen 1 Other

Hardware Security Organisational stuff Digital Security Radboud University Nijmegen 1 Other faces youll see Lejla Batina lectures on side-channels Anna Guinet &amp; Niels Samwel JavaCard project &amp; side-channel lab 2 This course:

424 views • 9 slides
C.b) RSA with Applications W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.31 RSA The

C.b) RSA with Applications W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.31 RSA The

1 C.b) RSA with Applications W. Schindler: Cryptography, B-IT, winter 2006 / 2007 2 C.31 RSA The RSA algorithm was introduced by Rivest, Shamir and Adleman in 1977. p,q large primes (to be kept secret) n := pq modulus (publicly

858 views • 69 slides

More recommend