verification techniques for cryptographic protocols
play

Verification techniques for cryptographic protocols eronique Cortier - PowerPoint PPT Presentation

Nov 26, 2022 •25 likes •785 views

Introduction Formal models Adding equational theories Towards more guarantees Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/45 V eronique

  1. Introduction Formal models Adding equational theories Towards more guarantees Verification techniques for cryptographic protocols eronique Cortier 1 V´ RTA’08 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  2. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Context : cryptographic protocols Widely used : web (SSH, SSL, ...), pay-per-view, electronic purse, mobile phone, ... Should ensure : confidentiality, authenticity, integrity, anonymity, ... 2/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  3. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Context : cryptographic protocols Widely used : web (SSH, SSL, ...), pay-per-view, electronic purse, mobile phone, ... Should ensure : confidentiality, authenticity, integrity, anonymity, ... Presence of an attacker may read every message sent on the net, may intercept and send new messages. 2/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  4. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Example : Credit Card Payment Protocol The waiter introduces the credit card. The waiter enters the amount m of the transaction on the terminal. The terminal authenticates the card. The customer enters his secret code. If the amount m is greater than 100 euros (and in only 20% of the cases) The terminal asks the bank for authentication of the card. The bank provides authentication. 3/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  5. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees More details 4 actors : Bank, Customer, Card and Terminal. Bank owns a signing key K − 1 B , secret, a verification key K B , public, a secret symmetric key for each credit card K CB , secret. Card owns Data : last name, first name, card’s number, expiration date, Signature’s Value VS = { hash (Data) } K − 1 B , secret key K CB . Terminal owns the verification key K B for bank’s signatures. 4/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  6. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Credit card payment Protocol (in short) The terminal reads the card : 1 . → T : Data , { hash (Data) } K − 1 Ca B 5/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  7. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Credit card payment Protocol (in short) The terminal reads the card : 1 . → T : Data , { hash (Data) } K − 1 Ca B The terminal asks for the secret code : 2 . → Cu : secret code ? T 3 . Cu → Ca : 1234 4 . → T : ok Ca 5/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  8. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Credit card payment Protocol (in short) The terminal reads the card : 1 . → T : Data , { hash (Data) } K − 1 Ca B The terminal asks for the secret code : 2 . → Cu : secret code ? T 3 . Cu → Ca : 1234 4 . → T : ok Ca The terminal calls the bank : 5 . T → B : auth ? 6 . → T : N b B 7 . T → Ca : N b 8 . → T : { N b } K CB Ca 9 . T → B : { N b } K CB → 10 . B T : ok 5/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  9. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Some flaws The security was initially ensured by : the cards were very difficult to reproduce, the protocol and the keys were secret. But cryptographic flaw : 320 bits keys can be broken (1988), logical flaw : no link between the secret code and the authentication of the card, fake cards can be build. 6/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  10. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Some flaws The security was initially ensured by : the cards were very difficult to reproduce, the protocol and the keys were secret. But cryptographic flaw : 320 bits keys can be broken (1988), logical flaw : no link between the secret code and the authentication of the card, fake cards can be build. → “YesCard” build by Serge Humpich (1998). 6/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  11. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees How does the “YesCard” work ? Logical flaw 1 . → T : Data , { hash (Data) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . Cu → Ca : 1234 4 . → T : ok Ca 7/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  12. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees How does the “YesCard” work ? Logical flaw 1 . → T : Data , { hash (Data) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . Cu → Ca ′ : 2345 4 . Ca ′ → T : ok 7/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  13. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees How does the “YesCard” work ? Logical flaw 1 . → T : Data , { hash (Data) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . Cu → Ca ′ : 2345 4 . Ca ′ → T : ok Remark : there is always somebody to debit. → creation of a fake card (Serge Humpich). 7/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  14. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees How does the “YesCard” work ? Logical flaw 1 . → T : Data , { hash (Data) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . Cu → Ca ′ : 2345 4 . Ca ′ → T : ok Remark : there is always somebody to debit. → creation of a fake card (Serge Humpich). Ca ′ → T : XXX , { hash (XXX) } K − 1 1 . B → Cu 2 . T : secret code ? 3 . → Ca ′ : 0000 Cu Ca ′ → T 4 . : ok 7/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  15. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Outline of the talk 1 Introduction Context A famous attack 2 Formal models Intruder Protocol Solving constraint systems A survey of results 3 Adding equational theories Motivation Intruder problem Some results 4 Towards more guarantees Cryptographic models Linking Formal and cryptographic models Conclusion 8/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  16. Introduction Intruder Formal models Protocol Adding equational theories Solving constraint systems Towards more guarantees A survey of results Motivation : Cryptography does not suffice to ensure security ! Example : Commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − → 9/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  17. Introduction Intruder Formal models Protocol Adding equational theories Solving constraint systems Towards more guarantees A survey of results Motivation : Cryptography does not suffice to ensure security ! Example : Commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − 9/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  18. Introduction Intruder Formal models Protocol Adding equational theories Solving constraint systems Towards more guarantees A survey of results Motivation : Cryptography does not suffice to ensure security ! Example : Commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − { pin : 3443 } k bob − − − − − − − − − − − → � � � � { pin : 3443 } k alice { pin : 3443 } k bob Since = k bob k alice 9/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  19. Introduction Intruder Formal models Protocol Adding equational theories Solving constraint systems Towards more guarantees A survey of results Motivation : Cryptography does not suffice to ensure security ! Example : Commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − { pin : 3443 } k bob − − − − − − − − − − − → → It does not work ! (Authentication problem) 9/45 V´ eronique Cortier Verification techniques for cryptographic protocols

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of

605 views • 46 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018

1.23k views • 78 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Organization of the course Two

774 views • 74 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, July 12th, 2018 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure

849 views • 80 slides
Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday, June 29th, 2020 1/23 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure communication ( e.g.

900 views • 58 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

1.92k views • 139 slides
Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu,

Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu,

Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu, Institute of Computer Science Agenda Introduction Probabilistic-spi calculus Security protocol verification Conclusion Q&A

633 views • 19 slides
First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols Peeter Laud peeter l@ut.ee Tartu Ulikool Cybernetica AS Teooriap aevad Arulas, 3.-5.02.2003 p.1/27 Overview Cryptographic protocols.

570 views • 27 slides
Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS blanchet@di.ens.fr September 2011 Bruno Blanchet (INRIA) ProVerif September 2011

1.55k views • 143 slides
Resource Guarantees and PCC 50 ways* to say it with a proof Ian Stark Laboratory for Foundations

Resource Guarantees and PCC 50 ways* to say it with a proof Ian Stark Laboratory for Foundations

Resource Guarantees and PCC 50 ways* to say it with a proof Ian Stark Laboratory for Foundations of Computer Science School of Informatics The University of Edinburgh Proof Carrying Code workshop Friday 11 August 2006

469 views • 36 slides
Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008

Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008

Separation Logic, Abstraction and Inheritance M. Parkinson, G. Bierman, in Proc. POPL , 2008 Timothe Martiel Research Topics in Software Engineering 1 / 19 Outline 1 From Separation Logic to Inheritance 2 Beyond Separation Logic 3 What About

553 views • 24 slides
Desynchronisation of coupled bistable oscillators perturbed by additive white noise Joint work

Desynchronisation of coupled bistable oscillators perturbed by additive white noise Joint work

Numerics and Theory for Stochastic Evolution Equations University of Bielefeld, 2224 November 2006 Barbara Gentz, University of Bielefeld http://www.math.uni-bielefeld.de/ gentz Desynchronisation of coupled bistable oscillators perturbed

698 views • 49 slides
On Securely Manipulating XML Data Houari Mahfoud and Abdessamad Imine Houari Mahfoud and

On Securely Manipulating XML Data Houari Mahfoud and Abdessamad Imine Houari Mahfoud and

On Securely Manipulating XML Data Houari Mahfoud and Abdessamad Imine Houari Mahfoud and Abdessamad Imine CASSIS Team CASSIS Team INRIA-LORIA Grand-Est, Nancy, France INRIA-LORIA Grand-Est, Nancy, France 5TH INTERNATIONAL SYMPOSIUM ON

905 views • 30 slides
Z3 - a Tutorial Leonardo de Moura Nikolaj Bjrner Microsoft Research Microsoft Research

Z3 - a Tutorial Leonardo de Moura Nikolaj Bjrner Microsoft Research Microsoft Research

Z3 - a Tutorial Leonardo de Moura Nikolaj Bjrner Microsoft Research Microsoft Research leonardo@microsoft.com nbjorner@microsoft.com Abstract This tutorial introduces the use of the state-of-the-art Satisfiability Modulo Theories Solver

1k views • 61 slides
Models and proofs for security protocols eronique Cortier 1 V 1 LORIA, CNRS - INRIA Cassis

Models and proofs for security protocols eronique Cortier 1 V 1 LORIA, CNRS - INRIA Cassis

Terms Intruder Decidability Models and proofs for security protocols eronique Cortier 1 V 1 LORIA, CNRS - INRIA Cassis project, Universit e de Lorraine 1/13 Terms Intruder Decidability Messages Messages are abstracted by terms. Agents

295 views • 27 slides
YAPA: A generic tool for computing intruder knowledge Mathieu Baudet 1 eronique Cortier 2 and St

YAPA: A generic tool for computing intruder knowledge Mathieu Baudet 1 eronique Cortier 2 and St

YAPA: A generic tool for computing intruder knowledge Mathieu Baudet 1 eronique Cortier 2 and St ephanie Delaune 3 Joint work with V 1 DCSSI, France 2 LORIA, CNRS & INRIA project Cassis, France 3 LSV, ENS Cachan & CNRS & INRIA,

763 views • 41 slides
Hardest-to-Round Cases Part 2 Vincent LEFVRE AriC, INRIA Grenoble Rhne-Alpes / LIP,

Hardest-to-Round Cases Part 2 Vincent LEFVRE AriC, INRIA Grenoble Rhne-Alpes / LIP,

Hardest-to-Round Cases Part 2 Vincent LEFVRE AriC, INRIA Grenoble Rhne-Alpes / LIP, ENS-Lyon Journes TaMaDi, Lyon, 2013-10-08 [tamadi2013.tex 64039 2013-10-08 01:41:24Z vinc17/xvii] Outline Hardest-to-Round Cases in binary64

572 views • 30 slides

More recommend