verifying security protocols and their implementations
play

Verifying Security Protocols and their Implementations Information - PowerPoint PPT Presentation

Sep 04, 2023 •211 likes •922 views

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

  1. Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C ă t ă lin Hri ţ cu

  2. References  Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan, Cédric Fournet, Andrew D. Gordon, Stephen Tse, CSFW 2006. (and accompanying technical report with proofs)  Most of the slides are from  Protecting Alice from Malice: Protocols, Process Calculi, Proved Programs. Andy Gordon, Marktoberdorf, 2006.  Vérification de Protocoles Cryptographiques et de leurs Implémentations. Cédric Fournet, Colloquium INRIA, 2007.  Language-based Security. Matteo Maffei, Lecture, 2007.  Many thanks to Andy Gordon and Cédric Fournet (Microsoft Research), and Matteo Maffei 2

  3. Outline  Verifying Security Protocols  What are security protocols?  What are the properties we want to verify?  Why is it so difficult?  Formal methods  The Dolev-Yao model  Modeling protocols using process calculi  Specifying and analyzing security properties  Verifying Implementations of Security Protocols 3

  4. Verifying Security Protocols 4

  5. Security Protocols  Modern applications heavily rely on secure communication over an untrusted network  Malicious entities can read, block, modify, (re)transmit messages 5

  6. Security Properties  The exact notion of security depends on application  In this talk we focus on two simple properties:  Secrecy  Confidential information not disclosed to third-parties  Authentication  The recipient of a message should be able to verify its freshness and its originator 6

  7. A Simple eBanking Protocol 7

  8. A Simple eBanking Protocol  Bad Pete intercepts the message and modifies it in order to get 2000$ 7

  9. A Simple eBanking Protocol  Bad Pete intercepts the message and modifies it in order to get 2000$ 7

  10. Cryptography 8

  11. Cryptography  Unfortunately, cryptography is not enough!  Attacker can break security of the protocol  by simply intercepting, duplicating, sending back the messages in transit on the network, by interleaving simultaneous protocol sessions, etc  no need to break the encryption scheme  In the following, we assume that cryptography is a fully reliable black box 8

  12. Reflection Attack 9

  13. Reflection Attack  The symmetric nature of the encryption key k does not allow Mickey to verify whether the encrypted message has been generated by Minnie or himself 9

  14. Replay attack 10

  15. Replay attack  Minnie has no way to verify the freshness of the message she receives 10

  16. Fixed Protocol  Possible solution is to use a nonce  Randomly generated number used only once 11

  17. Fixed Protocol  Possible solution is to use a nonce  Randomly generated number used only once  This protocol is secure, it guarantees  the secrecy and authenticity of the message  ISO two-pass unilateral authentication protocol 11

  18. Protocols Are Hard to Get Right  Historically, one keeps finding simple attacks against protocols  even carefully-written, widely-deployed protocols  even a long time after the design and deployment  New protocols appear regularly, and the same mistakes are made again and again  Attacks on Web Services security  Recent MITM attack on public-key Kerberos (2005)  What’s so difficult about security protocols?  concurrency + distribution + cryptography  little control on the runtime environment  hard to test against active attackers 12

  19. Needham-Schroeder Protocol  This protocol was proposed in 1978  The aim is to guarantee the secrecy and authenticity of the two nonces (later used for generating a symmetric session-key) 13

  20. Man-in-the-middle Attack  Found by Lowe in a 1995 14

  21. Lowe’s Fix  Insert Mickey's identifier in the second message  Rules out the man-in-the-middle attack 15

  22. Informal Methods  Principles codified in articles and textbooks since mid-90s:  Abadi and Needham, Prudent engineering practice for cryptographic protocols, 1994  Anderson and Needham, Programming Satan’s Computer, 1995 Principle 1 Every message should say what it means: the interpretation of the message should depend only on its content. It should be possible to write down a straightforward English sentence describing the content — though if there is a suitable formalism available that is good too.  For instance, Lowe’s fix of the Needham-Schroeder protocol makes explicit that the second message is sent by Mickey  These check lists are useful; yet hard for the inexperienced to understand and to apply  No guarantee that they will make your protocol secure 16

  23. Formal Methods 17

  24. Dolev-Yao Attacker Model  Widely-used abstraction  Because of automatic tool support  The attacker can:  Engage in any number of protocol sessions with any number of many honest principals (unbounded)  Read, block, modify, reply any message sent on the network (the attacker is the network)  Split composite messages, recompose arbitrarily  Encrypt messages in arbitrary ways  Decrypt encrypted messages with the appropriate key  No bound on the size of the messages, or number of fresh nonces and keys 18

  25. Dolev-Yao Attacker Model  Strong assumptions  Perfect cryptography, the attacker cannot:  Decrypt a message without knowing the encryption key  Guess or brute-force keys, nonces or even passwords  Obtain partial information (e.g. half the bits of a message)  Message length is only partially observable  No collisions: {M}K={M’}K’ implies M=M’ and K=K’  Non-malleability: from {M}K cannot construct {M’}K  In cryptography attacker is PPT that tries to break security with non-negligible probability (computational model)  Justifying Dolev-Yao style symbolic models via computational models is sometimes possible 19

  26. Protocols as Processes  Security protocols in the Dolev-Yao model can be rephrased as processes in process calculi  E.g. spi calculus, applied pi-calculus etc.  Their security properties can be rigorously formalized  There are many applicable formalisms for analyzing these properties automatically  Type (and effect) systems, type inference  Abstract interpretation  E.g. abstract processes to Horn clauses (Prolog rules) then use resolution  Model checking (bounded or symbolic) 20

  27. Applied Pi-calculus (ProVerif) x , y , z variable a , b name f constructor (uncurried) function (curried) g destructor function P Q R :: = process M , N :: = value x variable a name f ( M 1 ,..., M n ) constructor application e :: = expression  constructors: enc, pair  value: enc(pair(pair(id, m), n), k)  destructors: dec, left, right 21

  28. Processes P , Q , R :: = process in ( M , x ) ; P input of x from M ( x out ( M , N ) ; P output of N on M new a ; P make new name a ( a ! P replication of P P | Q parallel composition 0 inactivity event M event M let x 1 ,..., x n suchthat M = N in P else Q match ( x 1 , ..., x n hav let x = g ( M 1 ,..., M n ) in P else Q destructor application ∆ :: = declaration 22

  29. Declarations and Scripts let x M n in P else Q g M 1 destructor application ∆ :: = declaration free a name a data f / n data constructor ] ] [ [ private fun f / n private constructor reduc g ( M 1 ,..., M n ) = M destructor [ ] ] [ private reduc g ( M 1 ,..., M n ) = M private destructor ∆ s :: = ∆ 1 . ··· ∆ n . set of declarations ( n ≥ 0) Σ :: = ∆ s process P script  Example fun enc / 2. fun pair / 2. reduc dec(enc(x,y),y) = x. reduc left(pair(x,y)) = x. reduc right(pair(x,y)) = y. 23

  30. Structural Equivalence P ≡ P Q ≡ P ⇒ P ≡ Q P ≡ Q , Q ≡ R ⇒ P ≡ R P | 0 ≡ P P | Q ≡ Q | P ( P | Q ) | R ≡ P | ( Q | R ) ! P ≡ P | ! P a / ∈ fn ( P ) ⇒ new a ; ( P | Q ) ≡ P | new a ; Q new a ; new b ; P ≡ new b ; new a ; P new a ; 0 ≡ 0 P ≡ P ′ ⇒ new a ; P ≡ new a ; P ′ P ≡ P ′ ⇒ P | R ≡ P ′ | R 24

  31. Internal Reduction P ≡ Q , Q → Q ′ , Q ′ ≡ P ′ ⇒ P → P ′ P → P ′ ⇒ P | Q → P ′ | Q P → P ′ ⇒ new a ; P → new a ; P ′ in ( M , x ) ; P | out ( M , N ) ; Q → P { N / x } | Q � if M = N σ and dom ( σ ) = { x 1 ,..., x n } P σ let x 1 ,..., x n suchthat M = N in P else Q → Q otherwise if M ′ � P { M σ / x } i = M i σ for all i ∈ 1 .. n let x = g ( M ′ 1 ,..., M ′ n ) in P else Q → Q otherwise where ( g ( M 1 ,..., M n ) = M ) declared in ∆ s a 25

  32. Modeling our protocol free ch. fun enc / 2. data pair / 2. data mickey / 0. data minnie / 0. private fun begin / 1. private fun end / 1. reduc dec(enc(x,y),y) = x. reduc left(pair(x,y)) = x. reduc right(pair(x,y)) = y. let Mickey = new m; in(ch,xn); event begin(mickey, minnie, xn); out (ch, enc(pair(pair(mickey, m), xn), k)). let Minnie = new n; out (ch,n); in (ch, x); let y = dec(x, k) in let xm suchthat y = pair(pair(mickey, xm), n) in event end(mickey, minnie, n). process new k; Mickey | Minnie 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verifying Web Services Security Protocols, Standards, and Implementations Karthik Bhargavan

Verifying Web Services Security Protocols, Standards, and Implementations Karthik Bhargavan

Verifying Web Services Security Protocols, Standards, and Implementations Karthik Bhargavan Microsoft Research, Cambridge Microsoft Research INRIA Joint Centre, Paris Joint work with C. Fournet and A.D. Gordon + R. Puccella, S. Tse, N.

1.4k views • 122 slides
Towards an Ecosystem for Verifying Implementations of BFT protocols Ivana Vukotic, Vincent Rahli,

Towards an Ecosystem for Verifying Implementations of BFT protocols Ivana Vukotic, Vincent Rahli,

Towards an Ecosystem for Verifying Implementations of BFT protocols Ivana Vukotic, Vincent Rahli, Marcus Vlp and Paulo Esteves-Verssimo PhD start: April 2017 Areas: BFT & Formal verification Univ. of Luxembourg SnT Luxembourg

314 views • 10 slides
First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt

First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt

First Building Blocks For Implementations of Security Protocols Verified in Coq Reynald Affeldt 1) Kazuhiko Sakaguchi 1)2) 1) National Institute of Advanced Industrial Science and Technology, Japan 2) University of Tsukuba Motivation

352 views • 21 slides
Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security

Building Hardened Implementations of SCADA/ICS Protocols Using Language-Theoretic Security Prashant Anantharaman, Dartmouth College pa@cs.dartmouth.edu http://cs.dartmouth.edu/~pa CREDC Industry Workshop March 27-29, 2017 Funded by the U.S.

583 views • 36 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
The Coinductive Approach to Verifying Cryptographic Protocols Jesse Hughes joint work with

The Coinductive Approach to Verifying Cryptographic Protocols Jesse Hughes joint work with

The Coinductive Approach to Verifying Cryptographic Protocols Jesse Hughes joint work with Martijn Warnier jesseh@cs.kun.nl University of Nijmegen The Coinductive Approach to Verifying Cryptographic Protocols p.1/27 Outline I.

1.95k views • 184 slides
Outline More Security Protocols Combining key distribution and authentication CS 239

Outline More Security Protocols Combining key distribution and authentication CS 239

Outline More Security Protocols Combining key distribution and authentication CS 239 Verifying security protocols Computer Security February 4, 2004 Lecture 7 Lecture 7 Page 1 Page 2 CS 239, Winter 2004 CS 239, Winter 2004

297 views • 11 slides
Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography and system mechanisms meet They allow trust to be taken from where it exists to where it s needed But they are

941 views • 67 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS09, Shanghai, China October 13, 2009 Background Formal verification of security protocols from

312 views • 28 slides
Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols 01 Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief introduction to security protocols; Model checking of security protocols, particularly using the process

1.28k views • 110 slides
Extending ProVerifs Resolution Algorithm for Verifying Group Protocols Miriam Paiola

Extending ProVerifs Resolution Algorithm for Verifying Group Protocols Miriam Paiola

Introduction Group Protocols Generalized Horn Clauses Resolution algorithm Conclusions and Further works Extending ProVerifs Resolution Algorithm for Verifying Group Protocols Miriam Paiola miriam.paiola@ens.fr Ecole Normale Sup

692 views • 56 slides
Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval, Steve Kremer, Itsaka Rakotonirina Inria Nancy Grand-Est Security protocols TLS Wifi @ PASS E-voting E-passport 2 24 Security protocols

830 views • 69 slides
Verifying Electronic Voting Protocols in the Applied Pi Calculus Mark Ryan University of

Verifying Electronic Voting Protocols in the Applied Pi Calculus Mark Ryan University of

Verifying Electronic Voting Protocols in the Applied Pi Calculus Mark Ryan University of Birmingham joint work with St ephanie Delaune and Steve Kremer LSV Cachan, France SoCS Seminar November 2007 Outline Electronic voting Electronic

763 views • 33 slides
Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides originally by Ross Anderson Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography

1.47k views • 118 slides
Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open

Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open

Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open University) Andrew D. Gordon (MSR Cambridge) Jan Jrjens (TU Dortmund) Verifying Security Code Assume a security API specification.

397 views • 24 slides
MLTI Advisory Board Meeting #6 June 12 th , 2020 Beth Lambert, Team Lead Deb Lajoie, Project

MLTI Advisory Board Meeting #6 June 12 th , 2020 Beth Lambert, Team Lead Deb Lajoie, Project

MLTI Advisory Board Meeting #6 June 12 th , 2020 Beth Lambert, Team Lead Deb Lajoie, Project Manager Jordan Dean, Office Specialist Brandi Cota, Management Analyst Jon Graham, Elementary Digital Learning Specialist Emma Banks, Secondary Digital

379 views • 15 slides
An Initial Investigation of Protocol Customization David Ke Hong , Qi Alfred Chen, Z. Morley Mao

An Initial Investigation of Protocol Customization David Ke Hong , Qi Alfred Chen, Z. Morley Mao

An Initial Investigation of Protocol Customization David Ke Hong , Qi Alfred Chen, Z. Morley Mao University of Michigan Todays protocols are feature-rich Widely-used protocols contain a rich set of features and extensions Around

420 views • 15 slides
Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work

Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work

Distance Hijacking Attacks on Distance Bounding Protocols Cas Cremers ETH Zurich Joint work with: Joint work with: Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Kasper Rasmussen, Benedikt Schmidt, Srdjan Capkun Distance Bounding 2

370 views • 16 slides
Fair Exchange Protocols Steve Kremer and Mark Ryan Fair Exchnage Protocols p.1 Examples of

Fair Exchange Protocols Steve Kremer and Mark Ryan Fair Exchnage Protocols p.1 Examples of

Fair Exchange Protocols Steve Kremer and Mark Ryan Fair Exchnage Protocols p.1 Examples of fair exchange protocols Electronic purchase of goods exchange of an electronic item against an electronic payment Digital contract signing exchange

353 views • 20 slides
Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert Sina Shiehian TCS+

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert Sina Shiehian TCS+

Noninteractive Zero Knowledge for NP from Learning With Errors Chris Peikert Sina Shiehian TCS+ 1 May 2019 1 / 15 Zero Knowledge [GoldwasserMicaliRackoff85] Zero-knowledge (interactive) proof for language L : allows a prover P to

1.21k views • 89 slides
Distributed Systems Authentication Protocols Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Authentication Protocols Paul Krzyzanowski pxk@cs.rutgers.edu Except as

Distributed Systems Authentication Protocols Paul Krzyzanowski pxk@cs.rutgers.edu Except as otherwise noted, the content of this presentation is licensed under the Creative Commons Attribution 2.5 License. Page 1 Page 1 Authentication

799 views • 59 slides
Scalable Communication Protocols for Dynamic Sparse Data Exchange Torsten Hoefler, Christian

Scalable Communication Protocols for Dynamic Sparse Data Exchange Torsten Hoefler, Christian

Scalable Communication Protocols for Dynamic Sparse Data Exchange Torsten Hoefler, Christian Siebert, Andrew Lumsdaine PPoPP 2010, Bangalore, India The Sparse Data Exchange Problem Defines a generic communication problem Assume a set of

545 views • 26 slides
Protocol Validation with CRL Wan Fokkink Modelling Distributed Systems Springer, 2007 Goals

Protocol Validation with CRL Wan Fokkink Modelling Distributed Systems Springer, 2007 Goals

Protocol Validation with CRL Wan Fokkink Modelling Distributed Systems Springer, 2007 Goals Formal modeling of real-life protocols Automated analysis of protocols by means of state space exploration (i.e. simulation or model

1.86k views • 125 slides

More recommend