verification of security protocols part ii
play

Verification of Security Protocols Part II eronique Cortier 1 V - PowerPoint PPT Presentation

Nov 01, 2023 •525 likes •1.92k views

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

  1. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Encryption : the old time Caesar encryption : A → E , B → F , C → G , . . . Cypher Disk (L´ eone Battista Alberti 1466) → subject to statistical analysis (Analyzing letter frequencies) 18/76 V´ eronique Cortier Verification of Security Protocols

  2. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Encryption : mechanized time Automatic substitutions and permutations Enigma 19/76 V´ eronique Cortier Verification of Security Protocols

  3. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Encryption nowadays → Based on algorithmically hard problems. RSA Function n = pq , p et q primes. e : public exponent x �→ x e mod n easy (cubic) y = x e �→ x mod n difficult x = y d o` u d = e − 1 mod φ ( n ) 20/76 V´ eronique Cortier Verification of Security Protocols

  4. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Encryption nowadays → Based on algorithmically hard problems. RSA Function n = pq , p et q primes. e : public exponent x �→ x e mod n easy (cubic) y = x e �→ x mod n difficult x = y d o` u d = e − 1 mod φ ( n ) Diffie-Hellman Problem Given A = g a and B = g b , Compute DH( A , B ) = g ab 20/76 V´ eronique Cortier Verification of Security Protocols

  5. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Encryption nowadays → Based on algorithmically hard problems. RSA Function n = pq , p et q primes. e : public exponent x �→ x e mod n easy (cubic) y = x e �→ x mod n difficult x = y d o` u d = e − 1 mod φ ( n ) Diffie-Hellman Problem Given A = g a and B = g b , Compute DH( A , B ) = g ab → Based on hardness of integer factorization. 20/76 V´ eronique Cortier Verification of Security Protocols

  6. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Estimations for integer factorization Module Operations (bits) (in log 2 ) 512 58 ≈ 2 60 years 1024 80 2048 111 4096 149 8192 156 → Lower bound for RSA and Diffie-Hellman. 21/76 V´ eronique Cortier Verification of Security Protocols

  7. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models How does an (asymmetric) encryption algorithm look like ? Example : OAEP [Bellare Rogaway] n k 1 k 2 M r 0 M : plaintext of length n G r : randomness of length ⊕ k 0 H G , H : hash function f k : trapdoor function ⊕ s t E K ( x ; r ) = f K ( s || t ) 22/76 V´ eronique Cortier Verification of Security Protocols

  8. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models What is a secure encryption scheme ? 23/76 V´ eronique Cortier Verification of Security Protocols

  9. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models What is a secure encryption scheme ? Intuitively : An adversary should not know the underlying plaintext. 23/76 V´ eronique Cortier Verification of Security Protocols

  10. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Security of asymmetric encryption Public data : c = E k e ( m , r ) cyphertext k e encryption key There exists a unique message m satisfying the relation (with possible several relevant r ) → An exhaustive search on m and r yields m ! 24/76 V´ eronique Cortier Verification of Security Protocols

  11. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Security of asymmetric encryption Public data : c = E k e ( m , r ) cyphertext k e encryption key There exists a unique message m satisfying the relation (with possible several relevant r ) → An exhaustive search on m and r yields m ! ⇒ Unconditional secrecy is impossible, one has to rely on algorithmic assumptions. 24/76 V´ eronique Cortier Verification of Security Protocols

  12. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models How to define an attacker/adversary We wish to model an attacker : as clever as possible → he/she should be able to perform any operation with a limited time. E.g. we do not wish to consider attacks that require 2 60 years Otherwise, the adversary could enumerate all keys (exponential time in 2 size ( keys ) ) 25/76 V´ eronique Cortier Verification of Security Protocols

  13. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models How to define an attacker/adversary We wish to model an attacker : as clever as possible → he/she should be able to perform any operation with a limited time. E.g. we do not wish to consider attacks that require 2 60 years Otherwise, the adversary could enumerate all keys (exponential time in 2 size ( keys ) ) Model : we consider any Turing machine that models any algorithm probabilistic : The adversary can generate keys and chose randomly his behavior polynomial in the size of the keys : which represents a reasonable execution time. 25/76 V´ eronique Cortier Verification of Security Protocols

  14. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Security proof in a nutshell Proof by reduction 1 Hypothesis : The algorithmic problem P is hard = there is no polynomial algorithm ( P = RSA , DL , DDH , CDH ...) 26/76 V´ eronique Cortier Verification of Security Protocols

  15. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Security proof in a nutshell Proof by reduction 1 Hypothesis : The algorithmic problem P is hard = there is no polynomial algorithm ( P = RSA , DL , DDH , CDH ...) 2 Reduction : If there exists a (polynomial) adversary A un adversaire (polynomial) breaking the encryption scheme, Then one can build upon A for solving P in polynomial time. 26/76 V´ eronique Cortier Verification of Security Protocols

  16. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Security proof in a nutshell Proof by reduction 1 Hypothesis : The algorithmic problem P is hard = there is no polynomial algorithm ( P = RSA , DL , DDH , CDH ...) 2 Reduction : If there exists a (polynomial) adversary A un adversaire (polynomial) breaking the encryption scheme, Then one can build upon A for solving P in polynomial time. 3 Conclusion : the encryption scheme is secure, there is no polynomial adversary. 26/76 V´ eronique Cortier Verification of Security Protocols

  17. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models What is a secure encryption scheme ? An adversary should not know the underlying plaintext. → several possible definitions of knowledge 27/76 V´ eronique Cortier Verification of Security Protocols

  18. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models One-Wayness (OW) Basic security property : One-Wayness (OW) without the inverse key, one cannot retrieve the underlying plaintext : Pr m , r [ c = E ( m ; r ) | A ( c ) = m ] is negligible. 28/76 V´ eronique Cortier Verification of Security Protocols

  19. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models One-Wayness (OW) Basic security property : One-Wayness (OW) without the inverse key, one cannot retrieve the underlying plaintext : Pr m , r [ c = E ( m ; r ) | A ( c ) = m ] is negligible. Negligibility : f is negligible if for any polynomial p , there exists η 0 s.t. for all η ≥ η 0 f ( η ) ≤ 1 / p ( η ) 28/76 V´ eronique Cortier Verification of Security Protocols

  20. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Not strong enough ! The adversary may be able to compute half of the secret message. There is no guarantee in case that some partial information on the secret is known. 29/76 V´ eronique Cortier Verification of Security Protocols

  21. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Not strong enough ! The adversary may be able to compute half of the secret message. There is no guarantee in case that some partial information on the secret is known. → Introduction of a notion of indistinguishability. : The adversary shall not guess even one bit of the underlying plaintext. 29/76 V´ eronique Cortier Verification of Security Protocols

  22. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Indistinguabilit´ e (IND) Game Adversary : A = ( A 1 , A 2 ) 1 the adversary A 1 is given the public key pk. pk A 1 A 2 A E 30/76 V´ eronique Cortier Verification of Security Protocols

  23. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Indistinguabilit´ e (IND) Game Adversary : A = ( A 1 , A 2 ) 1 the adversary A 1 is given the public key pk. 2 The adversary A 1 chooses two messages m 0 , m 1 . pk A 1 A 2 A ( m 0 , m 1 ) E 30/76 V´ eronique Cortier Verification of Security Protocols

  24. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Indistinguabilit´ e (IND) Game Adversary : A = ( A 1 , A 2 ) 1 the adversary A 1 is given the public key pk. 2 The adversary A 1 chooses two messages m 0 , m 1 . 3 one bit b = 0 , 1 is flipped and c = E ( m b ; r ) is given to the adversary. pk A 1 A 2 A ( m 0 , m 1 ) E ( m b ; r ) E 30/76 V´ eronique Cortier Verification of Security Protocols

  25. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Indistinguabilit´ e (IND) Game Adversary : A = ( A 1 , A 2 ) 1 the adversary A 1 is given the public key pk. 2 The adversary A 1 chooses two messages m 0 , m 1 . 3 one bit b = 0 , 1 is flipped and c = E ( m b ; r ) is given to the adversary. 4 The adversary A 2 outputs b ′ . b ′ pk A 1 A 2 A ( m 0 , m 1 ) E ( m b ; r ) E 30/76 V´ eronique Cortier Verification of Security Protocols

  26. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Indistinguabilit´ e (IND) Game Adversary : A = ( A 1 , A 2 ) 1 the adversary A 1 is given the public key pk. 2 The adversary A 1 chooses two messages m 0 , m 1 . 3 one bit b = 0 , 1 is flipped and c = E ( m b ; r ) is given to the adversary. 4 The adversary A 2 outputs b ′ . b ′ pk A 1 A 2 A ( m 0 , m 1 ) E ( m b ; r ) E The probability Pr[ b = b ′ ] − 1 2 should be negligible. 30/76 V´ eronique Cortier Verification of Security Protocols

  27. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Even stronger ! Non Malleability (NM) Given a cyphertext E ( m ; r ) , the adversary should not be able to create a cyphertext E ( m ′ ; r ′ ) such that messages m and m ′ have a meaningful relation. 31/76 V´ eronique Cortier Verification of Security Protocols

  28. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of Non Malleability (NM) Game Adversary : A = ( A 1 , A 2 ) 1 The adversary A 1 is given the public key pk. pk A 1 A 2 A E 32/76 V´ eronique Cortier Verification of Security Protocols

  29. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of Non Malleability (NM) Game Adversary : A = ( A 1 , A 2 ) 1 The adversary A 1 is given the public key pk. 2 The adversary A 1 chooses a set of messages M . pk A 1 A 2 A M E 32/76 V´ eronique Cortier Verification of Security Protocols

  30. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of Non Malleability (NM) Game Adversary : A = ( A 1 , A 2 ) 1 The adversary A 1 is given the public key pk. 2 The adversary A 1 chooses a set of messages M . 3 Two messages m and m ∗ are chosen at random in M and c = E ( m ; r ) is given to the adversary. pk A 1 A 2 A M c = E ( m ; r ) E m ∈ M , r 32/76 V´ eronique Cortier Verification of Security Protocols

  31. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of Non Malleability (NM) Game Adversary : A = ( A 1 , A 2 ) 1 The adversary A 1 is given the public key pk. 2 The adversary A 1 chooses a set of messages M . 3 Two messages m and m ∗ are chosen at random in M and c = E ( m ; r ) is given to the adversary. 4 The adversary A 2 outputs a binary relation R and a cyphertext c ′ . R , c ′ pk A 1 A 2 A M c = E ( m ; r ) E m ∈ M , r 32/76 V´ eronique Cortier Verification of Security Protocols

  32. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of Non Malleability (NM) R , c ′ pk A 1 A 2 A M c = E ( m ; r ) E m ∈ M , r 33/76 V´ eronique Cortier Verification of Security Protocols

  33. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of Non Malleability (NM) m ′ = D ( c ′ ) R , c ′ pk A 1 A 2 A D M c = E ( m ; r ) E m ∈ M , r 33/76 V´ eronique Cortier Verification of Security Protocols

  34. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of Non Malleability (NM) m ′ = D ( c ′ ) R , c ′ pk A 1 A 2 A D M c = E ( m ; r ) E m ∈ M , r The probability Pr[ R ( m , m ′ )] − Pr[ R ( m , m ∗ )] should be negligible. 33/76 V´ eronique Cortier Verification of Security Protocols

  35. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Relations Non Malleability ⇓ Indistinguishability ⇓ One-Wayness Exercise (medium) : show the implications. 34/76 V´ eronique Cortier Verification of Security Protocols

  36. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Adding even more security The adversary has access to oracles : → Encryption of all messages of his choice → Decryption of all messages of his choice Three standard levels of security : Chosen-Plaintext Attacks (CPA) 35/76 V´ eronique Cortier Verification of Security Protocols

  37. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Adding even more security The adversary has access to oracles : → Encryption of all messages of his choice → Decryption of all messages of his choice Three standard levels of security : Chosen-Plaintext Attacks (CPA) Non adaptive Chosen-Ciphertext Attacks (CCA1) → access to the (decryption) oracle before the challenge. 35/76 V´ eronique Cortier Verification of Security Protocols

  38. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Adding even more security The adversary has access to oracles : → Encryption of all messages of his choice → Decryption of all messages of his choice Three standard levels of security : Chosen-Plaintext Attacks (CPA) Non adaptive Chosen-Ciphertext Attacks (CCA1) → access to the (decryption) oracle before the challenge. Adaptive Chosen-Ciphertext Attacks (CCA2) → unlimited access to the (decryption) oracle (except for the challenge) 35/76 V´ eronique Cortier Verification of Security Protocols

  39. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Relations NM-CPA NM-CCA1 NM-CCA2 IND-CPA IND-CCA1 IND-CCA2 OW-CPA 36/76 V´ eronique Cortier Verification of Security Protocols

  40. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Outline of the talk Towards more cryptographic guarantees 1 Formal methods for protocols Yesterday course Adding equational theories 2 Cryptographic models Encryption schemes Security of encryption Cryptographic models Linking formal and cryptographic models 3 Passive case Setting Patterns Soundness of indistinguishability 4 Active case Setting Trace mapping A special case : computational secrecy General computational indistinguishability 37/76 V´ eronique Cortier Verification of Security Protocols

  41. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Cryptographic models Encryption is only one component of cryptographic models Cryptographic primitives : encryption, signatures, ... Protocol model Adversary Security notions 38/76 V´ eronique Cortier Verification of Security Protocols

  42. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Setting for cryptographic protocols Protocol : Message exchange program using cryptographic primitives Adversary A : any probabilistic polynomial Turing machine, i.e. any probabilistic polynomial program. polynomial : captures what is feasible probabilistic : the adversary may try to guess some information 39/76 V´ eronique Cortier Verification of Security Protocols

  43. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of secrecy preservation → Several notions of secrecy : One-Wayness : The probability for an adversary A to compute the secret s against a protocol P is negligible (smaller than any inverse of polynomial). 1 ∀ p polynomial ∃ η 0 ∀ η ≥ η 0 Pr η m , r [ A ( P K ) = s ] ≤ p ( η ) η : security parameter = key length 40/76 V´ eronique Cortier Verification of Security Protocols

  44. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Definition of secrecy preservation → Several notions of secrecy : One-Wayness : The probability for an adversary A to compute the secret s against a protocol P is negligible (smaller than any inverse of polynomial). 1 ∀ p polynomial ∃ η 0 ∀ η ≥ η 0 Pr η m , r [ A ( P K ) = s ] ≤ p ( η ) η : security parameter = key length → Not enough ! (why ?) 40/76 V´ eronique Cortier Verification of Security Protocols

  45. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Computational secrecy Computational secrecy of s is defined through the following game : Two values n 0 and n 1 are randomly generated instead of s ; The adversary interacts with the protocol where s is replaced by n b , b ∈ { 0 , 1 } ; We give the pair ( n 0 , n 1 ) to the adversary ; The adversary gives b ′ , The data s is secret if Pr[ b = b ′ ] − 1 2 is a negligible function. 41/76 V´ eronique Cortier Verification of Security Protocols

  46. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models A typical cryptographic proof 1 Assume that some algorithmic problem P is difficult (E.g. RSA or integer factorization or Discrete Log or CDH, DDH, ...) 2 Suppose that a (polynomial probabilistic) adversary A breaks the protocol security with non negligible probability 42/76 V´ eronique Cortier Verification of Security Protocols

  47. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models A typical cryptographic proof 1 Assume that some algorithmic problem P is difficult (E.g. RSA or integer factorization or Discrete Log or CDH, DDH, ...) 2 Suppose that a (polynomial probabilistic) adversary A breaks the protocol security with non negligible probability 3 Build out of A an adversary B that solves P . 42/76 V´ eronique Cortier Verification of Security Protocols

  48. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models A typical cryptographic proof 1 Assume that some algorithmic problem P is difficult (E.g. RSA or integer factorization or Discrete Log or CDH, DDH, ...) 2 Suppose that a (polynomial probabilistic) adversary A breaks the protocol security with non negligible probability 3 Build out of A an adversary B that solves P . 4 Conclude that the protocol is secure provided P is difficult. 42/76 V´ eronique Cortier Verification of Security Protocols

  49. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Outline of the talk Towards more cryptographic guarantees 1 Formal methods for protocols Yesterday course Adding equational theories 2 Cryptographic models Encryption schemes Security of encryption Cryptographic models Linking formal and cryptographic models 3 Passive case Setting Patterns Soundness of indistinguishability 4 Active case Setting Trace mapping A special case : computational secrecy General computational indistinguishability 43/76 V´ eronique Cortier Verification of Security Protocols

  50. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Formal and Cryptographic approaches Formal approach Cryptographic approach Messages terms bitstrings Encryption idealized algorithm any polynomial Adversary idealized algorithm reachability-based Secrecy property indistinguishability property Guarantees unclear strong Protocol may be complex usually simpler 44/76 V´ eronique Cortier Verification of Security Protocols

  51. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Formal and Cryptographic approaches Formal approach Cryptographic approach Messages terms bitstrings Encryption idealized algorithm any polynomial Adversary idealized algorithm reachability-based Secrecy property indistinguishability property Guarantees unclear strong Protocol may be complex usually simpler by hand, tedious Proof automatic and error-prone Link between the two approaches ? 44/76 V´ eronique Cortier Verification of Security Protocols

  52. Formal methods for protocols Encryption schemes Cryptographic models Security of encryption Passive case Cryptographic models Active case Linking formal and cryptographic models Composition of the two approaches Automatic cryptographically sound proofs Formal approach: verification Ideal of idealized protocols protocol Implemented protocol Cryptographers: verification signature encryption of the cryptographic primitives algorithm algorithm 45/76 V´ eronique Cortier Verification of Security Protocols

  53. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Passive Case A first result : seminal result from M. Abadi and Ph. Rogaway J. of Cryptology, 2002 How to symbolically abstract computational indistinguishability of distributions ? 46/76 V´ eronique Cortier Verification of Security Protocols

  54. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Setting Messages are represented by terms T ::= term s | variable x | a name/nonce | f ( T 1 , . . . , T k ) application of symbol f ∈ F In the initial result of Abadi and Rogaway, F = { enc , � , �} Each functional symbol has a concrete implementation ⇒ a sequence of messages n , enc( n , k ) , enc( � n , n � , k ) generates a distribution : uniform distribution for nonces and application of the functions (symmetric encryption and pairing). 47/76 V´ eronique Cortier Verification of Security Protocols

  55. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Distinguishing distributions [ ψ ′ ] The two distributions [ [ ψ ] ] and [ ] are indistinguishable, [ ψ ′ ] [ [ ψ ] ] ≈ [ ], if � � � � � ]; A ( η, � � [ ψ ′ ] ]; A ( η, � ψ ← [ [ ψ ] ψ ) = 1 − P ψ ← [ ψ ) = 1 P is a negligible function of η . 48/76 V´ eronique Cortier Verification of Security Protocols

  56. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Distinguishing distributions [ ψ ′ ] The two distributions [ [ ψ ] ] and [ ] are indistinguishable, [ ψ ′ ] [ [ ψ ] ] ≈ [ ], if � � � � � ]; A ( η, � � [ ψ ′ ] ]; A ( η, � ψ ← [ [ ψ ] ψ ) = 1 − P ψ ← [ ψ ) = 1 P is a negligible function of η . Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) φ 2 = n 0 , n 1 , enc( n 1 , k ) 48/76 V´ eronique Cortier Verification of Security Protocols

  57. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Distinguishing distributions [ ψ ′ ] The two distributions [ [ ψ ] ] and [ ] are indistinguishable, [ ψ ′ ] [ [ ψ ] ] ≈ [ ], if � � � � � ]; A ( η, � � [ ψ ′ ] ]; A ( η, � ψ ← [ [ ψ ] ψ ) = 1 − P ψ ← [ ψ ) = 1 P is a negligible function of η . Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) ≈ φ 2 = n 0 , n 1 , enc( n 1 , k ) φ 3 = n 0 , n 1 , enc( n 0 , k ) , k φ 4 = n 0 , n 1 , enc( n 1 , k ) , k 48/76 V´ eronique Cortier Verification of Security Protocols

  58. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Distinguishing distributions [ ψ ′ ] The two distributions [ [ ψ ] ] and [ ] are indistinguishable, [ ψ ′ ] [ [ ψ ] ] ≈ [ ], if � � � � � ]; A ( η, � � [ ψ ′ ] ]; A ( η, � ψ ← [ [ ψ ] ψ ) = 1 − P ψ ← [ ψ ) = 1 P is a negligible function of η . Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) ≈ φ 2 = n 0 , n 1 , enc( n 1 , k ) φ 3 = n 0 , n 1 , enc( n 0 , k ) , k �≈ φ 4 = n 0 , n 1 , enc( n 1 , k ) , k φ 6 = enc( n 0 , k ′ ) , k φ 5 = enc( n 0 , k ) , k 48/76 V´ eronique Cortier Verification of Security Protocols

  59. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Distinguishing distributions [ ψ ′ ] The two distributions [ [ ψ ] ] and [ ] are indistinguishable, [ ψ ′ ] [ [ ψ ] ] ≈ [ ], if � � � � � ]; A ( η, � � [ ψ ′ ] ]; A ( η, � ψ ← [ [ ψ ] ψ ) = 1 − P ψ ← [ ψ ) = 1 P is a negligible function of η . Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) ≈ φ 2 = n 0 , n 1 , enc( n 1 , k ) φ 3 = n 0 , n 1 , enc( n 0 , k ) , k �≈ φ 4 = n 0 , n 1 , enc( n 1 , k ) , k φ 5 = enc( n 0 , k ) , k �≈ φ 6 = enc( n 0 , k ′ ) , k 48/76 V´ eronique Cortier Verification of Security Protocols

  60. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Patterns : Definition of what is visible to an intruder Given a sequence S = M 1 , M 2 , . . . , M k , we define Pat( S ) = { Pat S ( M 1 ) , Pat S ( M 2 ) , . . . , Pat S ( M k ) } with 49/76 V´ eronique Cortier Verification of Security Protocols

  61. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Patterns : Definition of what is visible to an intruder Given a sequence S = M 1 , M 2 , . . . , M k , we define Pat( S ) = { Pat S ( M 1 ) , Pat S ( M 2 ) , . . . , Pat S ( M k ) } with � a if S ⊢ a Pat S ( a ) = otherwise � 49/76 V´ eronique Cortier Verification of Security Protocols

  62. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Patterns : Definition of what is visible to an intruder Given a sequence S = M 1 , M 2 , . . . , M k , we define Pat( S ) = { Pat S ( M 1 ) , Pat S ( M 2 ) , . . . , Pat S ( M k ) } with � a if S ⊢ a Pat S ( a ) = otherwise � Pat S ( � M 1 , M 2 � ) � Pat S ( M 1 ) , Pat S ( M 2 ) � = 49/76 V´ eronique Cortier Verification of Security Protocols

  63. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Patterns : Definition of what is visible to an intruder Given a sequence S = M 1 , M 2 , . . . , M k , we define Pat( S ) = { Pat S ( M 1 ) , Pat S ( M 2 ) , . . . , Pat S ( M k ) } with � a if S ⊢ a Pat S ( a ) = otherwise � Pat S ( � M 1 , M 2 � ) � Pat S ( M 1 ) , Pat S ( M 2 ) � = � { Pat S ( M ) } k if S ⊢ k Pat S ( { M } k ) = � otherwise 49/76 V´ eronique Cortier Verification of Security Protocols

  64. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Reminder : deduction system Standard “Dolev Yao” deduction system, seen Part I of this course. T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ � u , v � T ⊢ enc( u , v ) T ⊢ � u , v � T ⊢ � u , v � u ∈ T T ⊢ u T ⊢ u T ⊢ v T ⊢ enc( u , v ) T ⊢ v T ⊢ u 50/76 V´ eronique Cortier Verification of Security Protocols

  65. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) ≈ φ 2 = n 0 , n 1 , enc( n 1 , k ) n 0 , n 1 , � n 0 , n 1 , � 51/76 V´ eronique Cortier Verification of Security Protocols

  66. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) ≈ φ 2 = n 0 , n 1 , enc( n 1 , k ) n 0 , n 1 , � n 0 , n 1 , � φ 3 = n 0 , n 1 , enc( n 0 , k ) , k �≈ φ 4 = n 0 , n 1 , enc( n 1 , k ) , k n 0 , n 1 , enc( n 0 , k ) , k n 0 , n 1 , enc( n 1 , k ) , k 51/76 V´ eronique Cortier Verification of Security Protocols

  67. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) ≈ φ 2 = n 0 , n 1 , enc( n 1 , k ) n 0 , n 1 , � n 0 , n 1 , � φ 3 = n 0 , n 1 , enc( n 0 , k ) , k �≈ φ 4 = n 0 , n 1 , enc( n 1 , k ) , k n 0 , n 1 , enc( n 0 , k ) , k n 0 , n 1 , enc( n 1 , k ) , k enc( n 0 , k ′ ) , k φ 5 = enc( n 0 , k ) , k �≈ φ 6 = enc( n 0 , k ) , k � , k 51/76 V´ eronique Cortier Verification of Security Protocols

  68. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Examples φ 1 = n 0 , n 1 , enc( n 0 , k ) ≈ φ 2 = n 0 , n 1 , enc( n 1 , k ) n 0 , n 1 , � n 0 , n 1 , � φ 3 = n 0 , n 1 , enc( n 0 , k ) , k �≈ φ 4 = n 0 , n 1 , enc( n 1 , k ) , k n 0 , n 1 , enc( n 0 , k ) , k n 0 , n 1 , enc( n 1 , k ) , k enc( n 0 , k ′ ) , k φ 5 = enc( n 0 , k ) , k �≈ φ 6 = enc( n 0 , k ) , k � , k Definition Two patterns are equivalent, denoted by ≡ if they are equal up-to bijective renaming. 51/76 V´ eronique Cortier Verification of Security Protocols

  69. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Soundness of indistinguishability Theorem (Abadi-Rogaway) Equivalence of patterns implies computational indistinguishability Pat( S 1 ) ≡ Pat( S 2 ) ⇒ [ [ S 1 ] ] ≈ [ [ S 2 ] ] 52/76 V´ eronique Cortier Verification of Security Protocols

  70. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Soundness of indistinguishability Theorem (Abadi-Rogaway) Equivalence of patterns implies computational indistinguishability Pat( S 1 ) ≡ Pat( S 2 ) ⇒ [ [ S 1 ] ] ≈ [ [ S 2 ] ] Provided that : Encryption is IND-CPA 52/76 V´ eronique Cortier Verification of Security Protocols

  71. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Soundness of indistinguishability Theorem (Abadi-Rogaway) Equivalence of patterns implies computational indistinguishability Pat( S 1 ) ≡ Pat( S 2 ) ⇒ [ [ S 1 ] ] ≈ [ [ S 2 ] ] Provided that : Encryption is IND-CPA message length-concealing Pat(enc( n , k )) = � = Pat(enc( � n , n , n , n � , k )) 52/76 V´ eronique Cortier Verification of Security Protocols

  72. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Soundness of indistinguishability Theorem (Abadi-Rogaway) Equivalence of patterns implies computational indistinguishability Pat( S 1 ) ≡ Pat( S 2 ) ⇒ [ [ S 1 ] ] ≈ [ [ S 2 ] ] Provided that : Encryption is IND-CPA message length-concealing Pat(enc( n , k )) = � = Pat(enc( � n , n , n , n � , k )) which key-concealing Pat(enc( n , k ) , enc( n ′ , k )) = � = Pat(Pat(enc( n , k ) , enc( n ′ , k ′ ))) 52/76 V´ eronique Cortier Verification of Security Protocols

  73. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Soundness of indistinguishability Theorem (Abadi-Rogaway) Equivalence of patterns implies computational indistinguishability Pat( S 1 ) ≡ Pat( S 2 ) ⇒ [ [ S 1 ] ] ≈ [ [ S 2 ] ] Provided that : Encryption is IND-CPA message length-concealing Pat(enc( n , k )) = � = Pat(enc( � n , n , n , n � , k )) which key-concealing Pat(enc( n , k ) , enc( n ′ , k )) = � = Pat(Pat(enc( n , k ) , enc( n ′ , k ′ ))) S 1 , S 2 contain no key cycles Examples : enc( k , k ) or enc( k 1 , k 2 ) , enc( k 2 , k 1 ) 52/76 V´ eronique Cortier Verification of Security Protocols

  74. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Proof of soundness of indistinguishability Lemma (Main lemma) [ [ S ] ] ≈ [ [Pat( S )] ] We can then easily deduce the main theorem. 53/76 V´ eronique Cortier Verification of Security Protocols

  75. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Proof of soundness of indistinguishability Lemma (Main lemma) [ [ S ] ] ≈ [ [Pat( S )] ] We can then easily deduce the main theorem. Indeed, assume Pat( S 1 ) ≡ Pat( S 2 ). 1 By the lemma, we have [ [ S 1 ] ] ≈ [ [Pat( S 1 )] ] and [ [ S 2 ] ] ≈ [ [Pat( S 2 )] ]. 2 Then Pat( S 1 ) ≡ Pat( S 2 ) implies [ [Pat( S 1 )] ] ≈ [ [Pat( S 2 )] ]. 53/76 V´ eronique Cortier Verification of Security Protocols

  76. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Proof of the main lemma [ [ S ] ] ≈ [ [Pat( S )] ] Main steps : Renaming Let K 1 , . . . , k n be the hidden (non deducible) keys of S and J 1 , . . . , J l be the visible (deducible) keys of S . Since S contain no key cycles, we may assume that K j does not encrypt k i whenever i < j . 54/76 V´ eronique Cortier Verification of Security Protocols

  77. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Proof of the main lemma [ [ S ] ] ≈ [ [Pat( S )] ] Main steps : Renaming Let K 1 , . . . , k n be the hidden (non deducible) keys of S and J 1 , . . . , J l be the visible (deducible) keys of S . Since S contain no key cycles, we may assume that K j does not encrypt k i whenever i < j . Intermediate patterns We define a sequence Pat o ( S ) , . . . , . . . Pat n ( S ) such that Pat o ( S ) = Pat( S ) and Pat n ( S ) = S 54/76 V´ eronique Cortier Verification of Security Protocols

  78. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Proof of the main lemma [ [ S ] ] ≈ [ [Pat( S )] ] Main steps : Renaming Let K 1 , . . . , k n be the hidden (non deducible) keys of S and J 1 , . . . , J l be the visible (deducible) keys of S . Since S contain no key cycles, we may assume that K j does not encrypt k i whenever i < j . Intermediate patterns We define a sequence Pat o ( S ) , . . . , . . . Pat n ( S ) such that Pat o ( S ) = Pat( S ) and Pat n ( S ) = S Hybrid argument If [ [ S ] ] �≈ [ [Pat( S )] ] then there exists i such that [ [Pat i ( S )] ] �≈ [ [Pat i +1 ( S )] ]. 54/76 V´ eronique Cortier Verification of Security Protocols

  79. Formal methods for protocols Setting Cryptographic models Patterns Passive case Soundness of indistinguishability Active case Proof of the main lemma [ [ S ] ] ≈ [ [Pat( S )] ] Main steps : Renaming Let K 1 , . . . , k n be the hidden (non deducible) keys of S and J 1 , . . . , J l be the visible (deducible) keys of S . Since S contain no key cycles, we may assume that K j does not encrypt k i whenever i < j . Intermediate patterns We define a sequence Pat o ( S ) , . . . , . . . Pat n ( S ) such that Pat o ( S ) = Pat( S ) and Pat n ( S ) = S Hybrid argument If [ [ S ] ] �≈ [ [Pat( S )] ] then there exists i such that [ [Pat i ( S )] ] �≈ [ [Pat i +1 ( S )] ]. Security of encryption [ [Pat i ( S )] ] �≈ [ [Pat i +1 ( S )] ] contradicts the security of encryption. 54/76 V´ eronique Cortier Verification of Security Protocols

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018

1.23k views • 78 slides
Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Introduction on security protocols Formal models Unbounded number of sessions Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/65 V eronique Cortier Verification of Security

1.29k views • 111 slides
Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to security protocols Dresden University of Technology Martin Pitt martin@piware.de Paper and slides available at http://www.piware.de/docs.shtml

549 views • 33 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Introduction on security protocols Formal models Going further Towards more guarantees Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/102 V

2.12k views • 160 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS &amp; ENS Cachan, Universit Paris Saclay, France Monday, June 27th, 2016 S. Delaune (LSV) Verification of security protocols 27th June 2016 1

1.88k views • 175 slides
Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin Song Dong Motivation Since clock synchronization is so important in the security of the Kerberos protocol, if clocks are not synchronized within a

493 views • 23 slides
Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Organization of the course Two

774 views • 74 slides
Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides originally by Ross Anderson Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography

1.47k views • 118 slides
Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome Vincent Bernat Laboratoire Spcification et Vrification CNRS &amp; ENS Cachan SPV03 - Marseille p.1/17 Plan 1. Intro Existing models,

920 views • 63 slides
Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS &amp; ENS Cachan, France Wednesday, August 26th, 2015 S. Delaune (LSV) Verification of security protocols 26th August 2015 1 / 54 This talk:

1.49k views • 124 slides
Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science, University of Bristol Finse Winter School, 7 May 2015 Security protocols: roles and goals Roles: P 1 , . . . , P n (e.g. clients, servers, devices,

1.43k views • 127 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS &amp; ENS Cachan, Universit Paris Saclay, France Monday, June 26th, 2017 Research at IRISA (Rennes) 800 members (among which about 400

1.78k views • 167 slides
Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola Bruno Blanchet {

1.02k views • 44 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS &amp; ENS Cachan, France Tuesday, August 25th, 2015 S. Delaune (LSV) Verification of security protocols 25th August 2015 1 / 60 ENS Cachan 12

1.42k views • 127 slides
Creating the Bro RFB (VNC) parser Martin van Hensbergen, Fox-IT Agenda Introduction

Creating the Bro RFB (VNC) parser Martin van Hensbergen, Fox-IT Agenda Introduction

Creating the Bro RFB (VNC) parser Martin van Hensbergen, Fox-IT Agenda Introduction Context: How we use Bro The dangers of VNC VNC protocol Dev Deploy Future work Introduction Martin van Hensbergen - Fox-IT

1.04k views • 82 slides
Brave, Fingerprinting and Privacy on the Web Me (the early years) Grew up in Chicago

Brave, Fingerprinting and Privacy on the Web Me (the early years) Grew up in Chicago

Brave, Fingerprinting and Privacy on the Web Me (the early years) Grew up in Chicago actual Chicago Law school, then freelance web design Started: Anchorage, AK Ended: Judge Judy Show invitation PhD in Computer Science

1.09k views • 105 slides
Secure Multi-Party Computation Lecture 13 Must We Trust ? Can we have an auction

Secure Multi-Party Computation Lecture 13 Must We Trust ? Can we have an auction

Secure Multi-Party Computation Lecture 13 Must We Trust ? Can we have an auction without an auctioneer?! Declared winning bid should be correct Only the winner and winning bid should be revealed Using data without sharing?

446 views • 20 slides
Lecture 3 - Passwords and Authentication CSE497b - Spring 2007 Introduction Computer and Network

Lecture 3 - Passwords and Authentication CSE497b - Spring 2007 Introduction Computer and Network

Lecture 3 - Passwords and Authentication CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s06/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor

560 views • 19 slides
Extend your Academic Vocab AKA HACKA &amp; GUPSA WORKSHOP IG: @bicyles_create_change IG:

Extend your Academic Vocab AKA HACKA &amp; GUPSA WORKSHOP IG: @bicyles_create_change IG:

5/09/2018 Extend your Academic Vocab AKA HACKA &amp; GUPSA WORKSHOP IG: @bicyles_create_change IG: @nina_griffith_uni FB: nina_griffith_uni Warm up: Write a paragraph Write on every second line. Write a 5-8 sentence paragraph on the topic

434 views • 24 slides
Westwood Hanlon Elementary School Sustainability Charrette January 30, 2020 Agenda 1) Welcome

Westwood Hanlon Elementary School Sustainability Charrette January 30, 2020 Agenda 1) Welcome

Westwood Hanlon Elementary School Sustainability Charrette January 30, 2020 Agenda 1) Welcome and Introduction 2) Project Overview &amp; Filing Schedule Overview 3) Team Visioning and Project Priorities 4) Sustainability Commitments

1.18k views • 79 slides
Turning Burnout Into Joy: Faculty: Dr. Mamta Gautam Disclosure: President and CEO, PEAK

Turning Burnout Into Joy: Faculty: Dr. Mamta Gautam Disclosure: President and CEO, PEAK

Faculty/Presenter Disclosure Turning Burnout Into Joy: Faculty: Dr. Mamta Gautam Disclosure: President and CEO, PEAK MD Inc Addressing Practitioner Stress and Burnout Relationships with commercial/pharma interests: NONE

286 views • 11 slides
In this program Themed Eventshundreds of ideas Passive Programming More than just

In this program Themed Eventshundreds of ideas Passive Programming More than just

4/19/2017 Adult Programming: A Session Full of Idea Generation and Sharing In this program Themed Eventshundreds of ideas Passive Programming More than just puzzles Our favorite online resources for programming ideas

254 views • 24 slides

More recommend