verification of security protocols
play

Verification of Security Protocols eronique Cortier 1 V July 2nd, - PowerPoint PPT Presentation

Mar 11, 2023 •508 likes •2.12k views

Introduction on security protocols Formal models Going further Towards more guarantees Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/102 V

  1. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Some flaws The security was initially ensured by : the cards were very difficult to reproduce, the protocol and the keys were secret. But cryptographic flaw : 320 bits keys can be broken (1988), logical flaw : no link between the secret code and the authentication of the card, fake cards can be build. 19/102 V´ eronique Cortier Verification of Security Protocols

  2. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Some flaws The security was initially ensured by : the cards were very difficult to reproduce, the protocol and the keys were secret. But cryptographic flaw : 320 bits keys can be broken (1988), logical flaw : no link between the secret code and the authentication of the card, fake cards can be build. → “YesCard” build by Serge Humpich (1998 in France). 19/102 V´ eronique Cortier Verification of Security Protocols

  3. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example How does the “YesCard” work ? Logical flaw 1 . Ca → T : Data , { hash (Data) } K − 1 B 2 . T → Ca : secret code ? 3 . Cu → Ca : 1234 4 . Ca → T : ok 20/102 V´ eronique Cortier Verification of Security Protocols

  4. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example How does the “YesCard” work ? Logical flaw 1 . Ca → T : Data , { hash (Data) } K − 1 B 2 . T → Ca : secret code ? → Ca ′ 3 . Cu : 2345 Ca ′ 4 . → T : ok 20/102 V´ eronique Cortier Verification of Security Protocols

  5. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example How does the “YesCard” work ? Logical flaw 1 . Ca → T : Data , { hash (Data) } K − 1 B 2 . T → Ca : secret code ? → Ca ′ 3 . Cu : 2345 Ca ′ 4 . → T : ok Remark : there is always somebody to debit. → creation of a fake card 20/102 V´ eronique Cortier Verification of Security Protocols

  6. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example How does the “YesCard” work ? Logical flaw 1 . Ca → T : Data , { hash (Data) } K − 1 B 2 . T → Ca : secret code ? → Ca ′ 3 . Cu : 2345 Ca ′ 4 . → T : ok Remark : there is always somebody to debit. → creation of a fake card Ca ′ → T : XXX , { hash (XXX) } K − 1 1 . B → Cu 2 . T : secret code ? → Ca ′ 3 . Cu : 0000 Ca ′ → T 4 . : ok 20/102 V´ eronique Cortier Verification of Security Protocols

  7. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example How to exchange a secret with commutative encryption First : a small challenge for your nephews / nieces / cousins / children. 21/102 V´ eronique Cortier Verification of Security Protocols

  8. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example A completely fictitious town Two types of inhabitants : Sedentary inhabitants stay at their home Post office workers deliver boxes between sedentary inhabitants 22/102 V´ eronique Cortier Verification of Security Protocols

  9. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example A completely fictitious town Two types of inhabitants : Sedentary inhabitants stay at their home Post office workers deliver boxes between sedentary inhabitants Axiom 1 Post office workers may steal any unlocked box (Reminder : this scenario is entirely fictitious !) Axiom 2 The content of locked boxes CANNOT be theft. Challenge How Alice (sedentary) can send a gift to Bob (also sedentary) ? 22/102 V´ eronique Cortier Verification of Security Protocols

  10. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Commutative Symmetric encryption Symmetric encryption, denoted by { m } k clef clef Hello Obawbhe Hello Alice Nyvpr Alice Encryption Decryption The same key is used for encrypting and decrypting. Commutative (symmetric) encryption (e.g. RSA) {{ m } k 1 } k 2 = {{ m } k 2 } k 1 23/102 V´ eronique Cortier Verification of Security Protocols

  11. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − → 24/102 V´ eronique Cortier Verification of Security Protocols

  12. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − 24/102 V´ eronique Cortier Verification of Security Protocols

  13. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − { pin : 3443 } k bob − − − − − − − − − − − → � � � � Since { pin : 3443 } k alice = { pin : 3443 } k bob k bob k alice 24/102 V´ eronique Cortier Verification of Security Protocols

  14. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − { pin : 3443 } k bob − − − − − − − − − − − → → It does not work ! (Authentication problem) 24/102 V´ eronique Cortier Verification of Security Protocols

  15. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Exchanging a secret with commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − { pin : 3443 } k bob − − − − − − − − − − − → → It does not work ! (Authentication problem) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k intruder ← − − − − − − − − − − − − − − − − − { pin : 3443 } k intruder − − − − − − − − − − − − → 24/102 V´ eronique Cortier Verification of Security Protocols

  16. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Another example The “famous” Needham-Schroeder public key protocol (and its associated Man-In-The-Middle Attack) 25/102 V´ eronique Cortier Verification of Security Protocols

  17. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Public key encryption Public key : pk( A ) Encryption : { m } pk( A ) public private key key Hello Obawbhe Hello Alice Nyvpr Alice Encryption Decryption Encryption with the public key and decryption with the private key. Invented only in the late 70’s ! 26/102 V´ eronique Cortier Verification of Security Protocols

  18. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A . N b Random number (called nonce) generated by B . • A → B : { A , N a } pub( B ) B → A : { N a , N b } pub( A ) A → B : { N b } pub( B ) 27/102 V´ eronique Cortier Verification of Security Protocols

  19. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A . N b Random number (called nonce) generated by B . A → B : { A , N a } pub( B ) • B → A : { N a , N b } pub( A ) A → B : { N b } pub( B ) 27/102 V´ eronique Cortier Verification of Security Protocols

  20. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A . N b Random number (called nonce) generated by B . A → B : { A , N a } pub( B ) B → A : { N a , N b } pub( A ) • A → B : { N b } pub( B ) 27/102 V´ eronique Cortier Verification of Security Protocols

  21. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A . N b Random number (called nonce) generated by B . A → B : { A , N a } pub( B ) B → A : { N a , N b } pub( A ) A → B : { N b } pub( B ) Questions : Is N b secret between A and B ? When B receives { N b } pub( B ) , does this message really come from A ? 27/102 V´ eronique Cortier Verification of Security Protocols

  22. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Needham-Schroeder public key protocol N a Random number (called nonce) generated by A . N b Random number (called nonce) generated by B . A → B : { A , N a } pub( B ) B → A : { N a , N b } pub( A ) A → B : { N b } pub( B ) Questions : Is N b secret between A and B ? When B receives { N b } pub( B ) , does this message really come from A ? → An attack was discovered in 1996, 17 years after the publication of the protocol ! 27/102 V´ eronique Cortier Verification of Security Protocols

  23. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Man in the middle attack { A , N a } pub( P ) { A , N a } pub( B ) − − − − − − − → − − − − − − − → 28/102 V´ eronique Cortier Verification of Security Protocols

  24. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Man in the middle attack { A , N a } pub( P ) { A , N a } pub( B ) − − − − − − − → − − − − − − − → { N a , N b } pub( A ) { N a , N b } pub( A ) ← − − − − − − − − − ← − − − − − − − − − 28/102 V´ eronique Cortier Verification of Security Protocols

  25. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Man in the middle attack { A , N a } pub( P ) { A , N a } pub( B ) − − − − − − − → − − − − − − − → { N a , N b } pub( A ) { N a , N b } pub( A ) ← − − − − − − − − − ← − − − − − − − − − { N b } pub( P ) { N b } pub( B ) − − − − − − → − − − − − − → 28/102 V´ eronique Cortier Verification of Security Protocols

  26. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Man in the middle attack { A , N a } pub( P ) { A , N a } pub( B ) − − − − − − − → − − − − − − − → { B , N a , N b } pub( A ) { B , N a , N b } pub( A ) ← − − − − − − − − − ← − − − − − − − − − { N b } pub( P ) { N b } pub( B ) − − − − − − → − − − − − − → Fixing the flaw : add the identity of B . 28/102 V´ eronique Cortier Verification of Security Protocols

  27. Introduction on security protocols Context Formal models Security Protocols : how does it work ? Going further Commutative encryption (RSA) Towards more guarantees Needham-Schroeder Example Outline of the talk 1 Introduction on security protocols Context Security Protocols : how does it work ? Commutative encryption (RSA) Needham-Schroeder Example 2 Formal models Messages Intruder Protocol Solving constraint systems 3 Going further Undecidability Horn clauses Adding equational theories Some results 4 Towards more guarantees Cryptographic models Linking Formal and cryptographic models Extension to indistinguishability Conclusion 29/102 V´ eronique Cortier Verification of Security Protocols

  28. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Difficulty Presence of an attacker may read every message sent on the net, may intercept and send new messages. ⇒ The system is infinitely branching 30/102 V´ eronique Cortier Verification of Security Protocols

  29. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems A naive approach Why not modeling security protocol using a (possibly extended) automata ? A accepts Msg2 A sends Msg1 B sends Msg2 Step 1 Step 2 Init Success Invalid Invalid message message Failure restart 31/102 V´ eronique Cortier Verification of Security Protocols

  30. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems How to model a security protocol ? A accepts Msg2 A sends Msg1 B sends Msg2 Step 1 Step 2 Init Success Invalid Invalid message message Failure restart The output of each participants strongly depends on the data received inside the message. At each step, a malicious user (called the adversary) may create arbitrary messages. The output of the adversary strongly depends on the messages sent on the network. → It is important to have a tight modeling of the messages. 32/102 V´ eronique Cortier Verification of Security Protocols

  31. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems An appropriate datastructure : Terms Given a signature F of symbols with an arity e.g. { enc , pair , a , b , c , n a , n b } and a set X of variables, the set of terms T ( F , X ) is inductively defined as follows : constants terms (e.g. a , b , c , n a , n b ) are terms variables are terms f ( t 1 , . . . , t n ) is a term whenever t 1 , . . . , t n are terms. Intuition : from words to trees. → There exists automata on trees instead of (classical) automata on words, see e.g. TATA http ://tata.gforge.inria.fr/ 33/102 V´ eronique Cortier Verification of Security Protocols

  32. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Messages Messages are abstracted by terms. Agents : a , b , . . . Nonces : n 1 , n 2 , . . . Keys : k 1 , k 2 , . . Cyphertext : enc( m , k ) Concatenation : pair( m 1 , m 2 ) Example : The message { A , N a } K is represented by : {} enc(pair( A , N a ) , K ) �� K A N a Intuition : only the structure of the message is kept. 34/102 V´ eronique Cortier Verification of Security Protocols

  33. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Intruder abilities Composition rules T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ � u , v � T ⊢ enc( u , v ) T ⊢ enca( u , v ) 35/102 V´ eronique Cortier Verification of Security Protocols

  34. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Intruder abilities Composition rules T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ � u , v � T ⊢ enc( u , v ) T ⊢ enca( u , v ) Decomposition rules T ⊢ � u , v � T ⊢ � u , v � u ∈ T T ⊢ u T ⊢ u T ⊢ v T ⊢ enc( u , v ) T ⊢ v T ⊢ enca( u , pub( v )) T ⊢ priv( v ) T ⊢ u T ⊢ u 35/102 V´ eronique Cortier Verification of Security Protocols

  35. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Intruder abilities Composition rules T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ u T ⊢ v T ⊢ � u , v � T ⊢ enc( u , v ) T ⊢ enca( u , v ) Decomposition rules T ⊢ � u , v � T ⊢ � u , v � u ∈ T T ⊢ u T ⊢ u T ⊢ v T ⊢ enc( u , v ) T ⊢ v T ⊢ enca( u , pub( v )) T ⊢ priv( v ) T ⊢ u T ⊢ u Deducibility relation A term u is deducible from a set of terms T , denoted by T ⊢ u , if there exists a prooftree witnessing this fact. 35/102 V´ eronique Cortier Verification of Security Protocols

  36. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems A simple protocol � Bob , k � � Alice , enc(s , k) � 36/102 V´ eronique Cortier Verification of Security Protocols

  37. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems A simple protocol � Bob , k � � Alice , enc(s , k) � Question ? Can the attacker learn the secret s ? 36/102 V´ eronique Cortier Verification of Security Protocols

  38. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems A simple protocol � Bob , k � � Alice , enc(s , k) � Answer : Of course, Yes ! � Alice , enc(s , k) � � Bob , k � enc(s , k) k s 36/102 V´ eronique Cortier Verification of Security Protocols

  39. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Decision of the intruder problem Given A set of messages S and a message m Question Can the intruder learn m from S that is S ⊢ m ? This problem is decidable in polynomial time. (left as exercice) 37/102 V´ eronique Cortier Verification of Security Protocols

  40. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Decision of the intruder problem Given A set of messages S and a message m Question Can the intruder learn m from S that is S ⊢ m ? This problem is decidable in polynomial time. (left as exercice) Lemma (Locality) If there is a proof of S ⊢ m then there is a proof that only uses the subterms of S and m. 37/102 V´ eronique Cortier Verification of Security Protocols

  41. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Protocol description Protocol : A → B { pin } k a : B → A : {{ pin } k a } k b A → B { pin } k b : A protocol is a finite set of roles : role Π(1) corresponding to the 1 st participant played by a talking to b : k a init → enc(pin , k a ) enc( x , k a ) → x . 38/102 V´ eronique Cortier Verification of Security Protocols

  42. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Protocol description Protocol : A → B { pin } k a : B → A : {{ pin } k a } k b A → B { pin } k b : A protocol is a finite set of roles : role Π(1) corresponding to the 1 st participant played by a talking to b : k a init → enc(pin , k a ) enc( x , k a ) → x . role Π(2) corresponding to the 2 nd participant played by b with a : k b → x enc( x , k b ) enc( y , k b ) → stop . 38/102 V´ eronique Cortier Verification of Security Protocols

  43. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Secrecy via constraint solving [Millen et al] Constraint systems are used to specify secrecy preservation under a particular, finite scenario. Scenario Constraint System N 1 rcv( u 1 ) → snd( v 1 )  T 0 � u 1  N 2  → snd( v 2 ) T 0 , v 1 � u 2 rcv( u 2 )  C = ... . . .   N n T 0 , v 1 , .., v n � s  rcv( u n ) → snd( v n ) where T 0 is the initial knowledge of the attacker. Remark : Constraint Systems may be used more generally for trace-based properties, e.g. authentication. 39/102 V´ eronique Cortier Verification of Security Protocols

  44. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Secrecy via constraint solving [Millen et al] Constraint systems are used to specify secrecy preservation under a particular, finite scenario. Scenario Constraint System N 1 rcv( u 1 ) → snd( v 1 )  T 0 � u 1  N 2  → snd( v 2 ) T 0 , v 1 � u 2 rcv( u 2 )  C = ... . . .   N n T 0 , v 1 , .., v n � s  rcv( u n ) → snd( v n ) where T 0 is the initial knowledge of the attacker. Solution of a constraint system A substitution σ such that for every T � u ∈ C , u σ is deducible from T σ , that is u σ ⊢ T σ . 39/102 V´ eronique Cortier Verification of Security Protocols

  45. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Example of a system constraint A → B { pin } k a : B → A : {{ pin } k a } k b and the attacker initially knows T 0 = { init } . A → B : { pin } k b One possible associated constraint system is :  { init } � init  C = { init , { pin } k a } � { x } k a { init , { pin } k a , x } � pin  Is there a solution ? 40/102 V´ eronique Cortier Verification of Security Protocols

  46. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Example of a system constraint A → B { pin } k a : B → A : {{ pin } k a } k b and the attacker initially knows T 0 = { init } . A → B : { pin } k b One possible associated constraint system is :  { init } � init  C = { init , { pin } k a } � { x } k a { init , { pin } k a , x } � pin  Is there a solution ? Of course yes, simply consider x = pin ! 40/102 V´ eronique Cortier Verification of Security Protocols

  47. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems How to solve constraint system ?  T 0 � u 1   T 0 , v 1 � u 2  Given C = ...   T 0 , v 1 , .., v n � u n +1  Question Is there a solution σ of C ? 41/102 V´ eronique Cortier Verification of Security Protocols

  48. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems An easy case : “solved constraint systems”  T 0 � x 1   T 0 , v 1 � x 2  Given C = ...   T 0 , v 1 , .., v n � x n +1  Question Is there a solution σ of C ? 42/102 V´ eronique Cortier Verification of Security Protocols

  49. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems An easy case : “solved constraint systems”  T 0 � x 1   T 0 , v 1 � x 2  Given C = ...   T 0 , v 1 , .., v n � x n +1  Question Is there a solution σ of C ? Of course yes ! Consider e.g. σ ( x 1 ) = · · · = σ ( x n +1 ) = t ∈ T 0 . 42/102 V´ eronique Cortier Verification of Security Protocols

  50. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Decision procedure [Millen / Comon-Lundh] Goal : Transformation of the constraints in order to obtain a solved constraint system. 8 T 0 � u 1 > > T 0 , v 1 � u 2 < C = > ... > T 0 , v 1 , .., v n � u n +1 : C 1 C 2 C 3 ⊥ C 4 ⊥ SOLVED C has a solution iff C � C ′ with C ′ in solved form. 43/102 V´ eronique Cortier Verification of Security Protocols

  51. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Intruder step The intruder can built messages R 5 : C ∧ T � f ( u , v ) C ∧ T � u ∧ T � v � for f ∈ {�� , enc , enca } 44/102 V´ eronique Cortier Verification of Security Protocols

  52. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Intruder step The intruder can built messages R 5 : C ∧ T � f ( u , v ) C ∧ T � u ∧ T � v � for f ∈ {�� , enc , enca } Example : a , k � k a , k � enc( � x , y � , k ) � a , k � x a , k � y 44/102 V´ eronique Cortier Verification of Security Protocols

  53. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Eliminating redundancies k � x k , enc( s , x ) � s The constraint enc( s , x ) � s will be satisfied as soon as k � x is satisfied. 45/102 V´ eronique Cortier Verification of Security Protocols

  54. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Eliminating redundancies k � x k , enc( s , x ) � s The constraint enc( s , x ) � s will be satisfied as soon as k � x is satisfied. if T ∪ { x | T ′ � x ∈ C , T ′ � T } ⊢ u R 1 : C ∧ T � u � C 45/102 V´ eronique Cortier Verification of Security Protocols

  55. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Unsolvable constraints R 4 : C ∧ T � u � ⊥ if var( T , u ) = ∅ and T �⊢ u Example : . . . ⊥ a , enc( s , k ) � s � . . . 46/102 V´ eronique Cortier Verification of Security Protocols

  56. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Guessing equalities 1 Example : k , enc(enc( x , k ′ ) , k ) � enc( a , k ′ ) u ′ ∈ st ( T ) R 2 : C ∧ T � u � σ C σ ∧ T σ � u σ if σ = mgu( u , u ′ ), u , u ′ �∈ X , u � = u ′ 47/102 V´ eronique Cortier Verification of Security Protocols

  57. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Guessing equalities 1 Example : k , enc(enc( x , k ′ ) , k ) � enc( a , k ′ ) u ′ ∈ st ( T ) R 2 : C ∧ T � u � σ C σ ∧ T σ � u σ if σ = mgu( u , u ′ ), u , u ′ �∈ X , u � = u ′ 2 Example : enc( s , � a , x � ) , enc( � y , b � , k ) , k � s u , u ′ ∈ st ( T ) R 3 : C ∧ T � v � σ C σ ∧ T σ � v σ if σ = mgu( u , u ′ ), u , u ′ �∈ X , u � = u ′ 47/102 V´ eronique Cortier Verification of Security Protocols

  58. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems NP-procedure for solving constraint systems 8 T 0 � u 1 > > T 0 , v 1 � u 2 < C = ... > > T 0 , v 1 , .., v n � u n +1 : C 1 C 2 C 3 ⊥ C 4 ⊥ SOLVED Theorem C has a solution iff C � C ′ with C ′ in solved form. � is terminating in polynomial time. 48/102 V´ eronique Cortier Verification of Security Protocols

  59. Introduction on security protocols Messages Formal models Intruder Going further Protocol Towards more guarantees Solving constraint systems Example of tool : Avispa Platform Collaborators LORIA, France DIST, Italy ETHZ, Switzer- land Siemens, Germany www.avispa-project.org 49/102 V´ eronique Cortier Verification of Security Protocols

  60. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results Limitations of this approach ? Are you ready to use any protocol verified with this technique ? 50/102 V´ eronique Cortier Verification of Security Protocols

  61. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results Limitations of this approach ? Are you ready to use any protocol verified with this technique ? Only a finite scenario is checked. → What happens if the protocol is used one more time ? The underlying mathematical properties of the primitives are abstracted away. 50/102 V´ eronique Cortier Verification of Security Protocols

  62. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results How to decide security for unlimited sessions ? → In general, it is undecidable ! (i.e. there exists no algorithm for checking e.g. secrecy) How to prove undecidability ? 51/102 V´ eronique Cortier Verification of Security Protocols

  63. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results How to decide security for unlimited sessions ? → In general, it is undecidable ! (i.e. there exists no algorithm for checking e.g. secrecy) How to prove undecidability ? Post correspondence problem (PCP) input { ( u i , v i ) } 1 ≤ i ≤ n , u i , v i ∈ Σ ∗ output ∃ n , i 1 , . . . , i n u i 1 · · · u i n = v i 1 · · · v i n Example : { ( bab , b ) , ( ab , aba ) , ( a , baba ) } Solution ? 51/102 V´ eronique Cortier Verification of Security Protocols

  64. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results How to decide security for unlimited sessions ? → In general, it is undecidable ! (i.e. there exists no algorithm for checking e.g. secrecy) How to prove undecidability ? Post correspondence problem (PCP) input { ( u i , v i ) } 1 ≤ i ≤ n , u i , v i ∈ Σ ∗ output ∃ n , i 1 , . . . , i n u i 1 · · · u i n = v i 1 · · · v i n Example : { ( bab , b ) , ( ab , aba ) , ( a , baba ) } Solution ? → Yes, 1,2,3,1. babababab babababab 51/102 V´ eronique Cortier Verification of Security Protocols

  65. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results How to encode PCP in protocols ? Given { ( u i , v i ) } 1 ≤ i ≤ n , we construct the following protocol P : A → B : {� u 1 , v 1 �} K ab , . . . , {� u k , v k �} K ab B : {� x , y �} K ab → A : {� x , u 1 , y , v 1 �} K ab , { s } {� x , u 1 , x , u 1 �} Kab , . . . , {� x , u k , y , v k �} K ab , { s } {�� x , u k , x , u k �} Kab where a 1 · a 2 · · · a n denotes the term �· · · �� a 1 , a 2 � , a 3 , � . . . a n � . 52/102 V´ eronique Cortier Verification of Security Protocols

  66. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results How to encode PCP in protocols ? Given { ( u i , v i ) } 1 ≤ i ≤ n , we construct the following protocol P : A → B : {� u 1 , v 1 �} K ab , . . . , {� u k , v k �} K ab B : {� x , y �} K ab → A : {� x , u 1 , y , v 1 �} K ab , { s } {� x , u 1 , x , u 1 �} Kab , . . . , {� x , u k , y , v k �} K ab , { s } {�� x , u k , x , u k �} Kab where a 1 · a 2 · · · a n denotes the term �· · · �� a 1 , a 2 � , a 3 , � . . . a n � . Then there is an attack on P iff there is a solution to the Post Correspondence Problem with entry { ( u i , v i ) } 1 ≤ i ≤ n . 52/102 V´ eronique Cortier Verification of Security Protocols

  67. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results How to circumvent undecidability ? Find decidable subclasses of protocols. Design semi-decision procedure, that works in practice ... 53/102 V´ eronique Cortier Verification of Security Protocols

  68. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results How to model an unbounded number of sessions ? “For any x, if the agent A receives enc( x , k a ) then A responds with x.” → Use of first-order logic. 54/102 V´ eronique Cortier Verification of Security Protocols

  69. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results Intruder Horn clauses perfectly reflects the attacker symbolic manipulations on terms. I ( x ) , I ( y ) ⇒ I ( < x , y > ) pairing ⇒ I ( { x } y ) I ( x ) , I ( y ) encryption I ( { x } y ) , I ( y ) ⇒ I ( x ) decryption ⇒ I ( < x , y > ) I ( x ) projection I ( < x , y > ) ⇒ I ( y ) projection 55/102 V´ eronique Cortier Verification of Security Protocols

  70. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results Protocol Protocol : Horn clauses : A → B : { pin } k a ⇒ I ( { pin } k a ) B → A : {{ pin } k a } k b ⇒ I ( { x } k b ) I ( x ) A → B : { pin } k b I ( { x } k a ) ⇒ I ( x ) 56/102 V´ eronique Cortier Verification of Security Protocols

  71. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results Protocol Protocol : Horn clauses : A → B : { pin } k a ⇒ I ( { pin } k a ) B → A : {{ pin } k a } k b ⇒ I ( { x } k b ) I ( x ) A → B : { pin } k b I ( { x } k a ) ⇒ I ( x ) Secrecy property is a reachability (accessibility) property ¬ I (pin) Then there exists an attack iff the set of formula corresponding to Intruder manipulations + protocol + property is NOT satisfiable. 56/102 V´ eronique Cortier Verification of Security Protocols

  72. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results How to decide satisfiability ? → Resolution techniques 57/102 V´ eronique Cortier Verification of Security Protocols

  73. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results Some vocabulary First order logic Atoms P ( t 1 , . . . , t n ) where t i are terms, P is a predicate Literals P ( t 1 , . . . , t n ) or ¬ P ( t 1 , . . . , t n ) closed under ∨ , ∧ , ¬ , ∃ , ∀ Clauses : Only universal quantifiers Horn Clauses : at most one positive literal A 1 , . . . , A n ⇒ B where A i , B are atoms. 58/102 V´ eronique Cortier Verification of Security Protocols

  74. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results Binary resolution A , B are atoms and C , D are clauses. An intuitive rule A ⇒ C A C In other words ¬ A ∨ C A C 59/102 V´ eronique Cortier Verification of Security Protocols

  75. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results Binary resolution A , B are atoms and C , D are clauses. An intuitive rule A ⇒ C A C In other words ¬ A ∨ C A C Generalizing ¬ A ∨ C B θ = mgu ( A , B ) (i.e. A θ = B θ ) C θ 59/102 V´ eronique Cortier Verification of Security Protocols

  76. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results Binary resolution A , B are atoms and C , D are clauses. An intuitive rule A ⇒ C A C In other words ¬ A ∨ C A C Generalizing ¬ A ∨ C B θ = mgu ( A , B ) (i.e. A θ = B θ ) C θ Generalizing a bit more ¬ A ∨ C B ∨ D θ = mgu ( A , B ) Binary resolution C θ ∨ D θ 59/102 V´ eronique Cortier Verification of Security Protocols

  77. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results Binary resolution and Factorization ¬ A ∨ C B ∨ D Binary resolution θ = mgu( A , B ) C θ ∨ D θ A ∨ B ∨ C Factorisation θ = mgu( A , B ) A θ ∨ C θ Theorem (Soundness and Completeness) Binary resolution and factorisation are sound and refutationally complete, i.e. a set of clauses C is not satisfiable if and only if ⊥ (the empty clause) can be obtained from C by binary resolution and factorisation. Exercise : Why do we need the factorisation rule ? 60/102 V´ eronique Cortier Verification of Security Protocols

  78. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results Example C = {¬ I ( s ) , I ( k 1 ) , I ( { s } � k 1 , k 1 � ) , I ( { x } y ) , I ( y ) ⇒ I ( x ) , I ( x ) , I ( y ) ⇒ I ( � x , y � ) I ( k 1 ) I ( x ) , I ( y ) ⇒ I ( � x , y � ) I ( { s } � k 1 , k 1 � ) I ( { x } y ) , I ( y ) ⇒ I ( x ) I ( k 1 ) I ( y ) ⇒ I ( � k 1 , y � ) I ( � k 1 , k 1 � ) ⇒ s I ( � k 1 , k 1 � ) ¬ I ( s ) I ( s ) ⊥ 61/102 V´ eronique Cortier Verification of Security Protocols

  79. Introduction on security protocols Undecidability Formal models Horn clauses Going further Adding equational theories Towards more guarantees Some results But it is not terminating ! I ( s ) I ( x ) , I ( y ) ⇒ I ( � x , y � ) I ( y ) ⇒ I ( � s , y � ) I ( s ) I ( y ) ⇒ I ( � s , y � ) I ( � s , s � ) I ( y ) ⇒ I ( � s , y � ) I ( � s , � s , s �� ) I ( � s , � s , � s , s ��� ) · · · → This does not yield any decidability result. 62/102 V´ eronique Cortier Verification of Security Protocols

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018

1.23k views • 78 slides
Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Introduction on security protocols Formal models Unbounded number of sessions Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/65 V eronique Cortier Verification of Security

1.29k views • 111 slides
Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to security protocols Dresden University of Technology Martin Pitt martin@piware.de Paper and slides available at http://www.piware.de/docs.shtml

549 views • 33 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS &amp; ENS Cachan, Universit Paris Saclay, France Monday, June 27th, 2016 S. Delaune (LSV) Verification of security protocols 27th June 2016 1

1.88k views • 175 slides
Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

1.92k views • 139 slides
Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin

Parameterized Verification of Timed Security Protocols with Clock drift Li Li, Jun Sun and Jin Song Dong Motivation Since clock synchronization is so important in the security of the Kerberos protocol, if clocks are not synchronized within a

493 views • 23 slides
Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome Vincent Bernat Laboratoire Spcification et Vrification CNRS &amp; ENS Cachan SPV03 - Marseille p.1/17 Plan 1. Intro Existing models,

920 views • 63 slides
Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols from confidentiality to privacy Stphanie Delaune LSV, CNRS &amp; ENS Cachan, France Wednesday, August 26th, 2015 S. Delaune (LSV) Verification of security protocols 26th August 2015 1 / 54 This talk:

1.49k views • 124 slides
Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science, University of Bristol Finse Winter School, 7 May 2015 Security protocols: roles and goals Roles: P 1 , . . . , P n (e.g. clients, servers, devices,

1.43k views • 127 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS &amp; ENS Cachan, Universit Paris Saclay, France Monday, June 26th, 2017 Research at IRISA (Rennes) 800 members (among which about 400

1.78k views • 167 slides
Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola

Introduction Protocols with lists Generalized Horn Clauses From any length to length one An approximation algorithm Conclusion Verification of Security Protocols with Lists: from Length One to Unbounded Length Miriam Paiola Bruno Blanchet {

1.02k views • 44 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS

Verification of security protocols: from confidentiality to privacy Stphanie Delaune LSV, CNRS &amp; ENS Cachan, France Tuesday, August 25th, 2015 S. Delaune (LSV) Verification of security protocols 25th August 2015 1 / 60 ENS Cachan 12

1.42k views • 127 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of

605 views • 46 slides
Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ

Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ

Verification of security protocols: from confidentiality to privacy Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, June 28th, 2018 Research at IRISA (Rennes) 800 members (among which about 400 reasearchers) EMSEC team

1.05k views • 86 slides
A resource-control model based on deadlock avoidance Antoine Galland Mathieu Baudet

A resource-control model based on deadlock avoidance Antoine Galland Mathieu Baudet

A resource-control model based on deadlock avoidance Antoine Galland Mathieu Baudet antoine.galland@gemplus.com mathieu.baudet@lsv.ens-cachan.fr Gemplus Research Labs LIP6 ENS Cachan INRIA Futurs A resource-control model based on

250 views • 22 slides
1 Why using formal methods (FM)? 4 When there is nothing better to do. When the risk is

1 Why using formal methods (FM)? 4 When there is nothing better to do. When the risk is

1 Last update: 2 June 2004 Programming in the large Bertrand Meyer Chair of Softw are Engineering Programming in the large - Lecture 17 2 Lecture 17: Introducing Formal Methods (with an example) By Jean-Raymond Abrial Chair of Softw are

883 views • 61 slides
UP and Security: Penetrate-and-patch Overview of UMLsec (aka banana strategy): Jan

UP and Security: Penetrate-and-patch Overview of UMLsec (aka banana strategy): Jan

2 Software Engineering &amp; Security UP and Security: Penetrate-and-patch Overview of UMLsec (aka banana strategy): Jan Jrjens insecure Competence Center for IT Security disruptive Software &amp; Systems Engineering

219 views • 7 slides
Electronic PRO Monitoring in Duke Oncology Clinics World Cancer Congress Presentation Bradford

Electronic PRO Monitoring in Duke Oncology Clinics World Cancer Congress Presentation Bradford

Electronic PRO Monitoring in Duke Oncology Clinics World Cancer Congress Presentation Bradford Hirsch, MD, MBA August 28 rd , 2012 Medicine at Transition Point Medicine at Transition Point Care Redesign Patient Quality Centered Data

457 views • 20 slides
Testing, Installation, Integration and Performance Studies of a Cosmic Ray Tagging System for the

Testing, Installation, Integration and Performance Studies of a Cosmic Ray Tagging System for the

Testing, Installation, Integration and Performance Studies of a Cosmic Ray Tagging System for the Short Baseline Neutrino Program Far Detector (ICARUS) Chris Hilgenberg Colorado State University New Perspectives 5 June 2017 Outline 1) ICARUS

394 views • 15 slides
SEPT 6, 2015 SERMON NOTES Liberating News (With No Footnotes) 1 Timothy 2:1-7 Pastor John Sloan

SEPT 6, 2015 SERMON NOTES Liberating News (With No Footnotes) 1 Timothy 2:1-7 Pastor John Sloan

SEPT 6, 2015 SERMON NOTES Liberating News (With No Footnotes) 1 Timothy 2:1-7 Pastor John Sloan Introduction : Its diffjcult to tune in to drive-time radio for fjve minutes without hearing advertising spots containing dozens of disclaimers:

156 views • 3 slides
On the Science of Power Management: Encouraging Sustainability R&amp;D Erez Zadok Dept. of

On the Science of Power Management: Encouraging Sustainability R&amp;D Erez Zadok Dept. of

On the Science of Power Management: Encouraging Sustainability R&amp;D Erez Zadok Dept. of Computer Science Stony Brook University http://www.fsl.cs.sunysb.edu/ 2/22/2010 1 Zadok - SustainIT'10 - Science of Power Management NSF SciPM

259 views • 15 slides
loaded cajeput oil against Staphylococcus aureus and Pseudomonas aeruginosa -mediated infections

loaded cajeput oil against Staphylococcus aureus and Pseudomonas aeruginosa -mediated infections

Combinatory action of chitosan-based blended films and loaded cajeput oil against Staphylococcus aureus and Pseudomonas aeruginosa -mediated infections Title of the Presentation Joana C. Antunes *, Natlia C. Homem, Marta A. Teixeira, M. Teresa

526 views • 17 slides

More recommend