verifying the set protocol overview
play

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer - PowerPoint PPT Presentation

Apr 29, 2023 •327 likes •570 views

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of Cambridge (Joint with Giampaolo Bella and Fabio Massacci) Plan of Talk The SET Protocol Defining the Formal Models Verifying the

  1. Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of Cambridge (Joint with Giampaolo Bella and Fabio Massacci)

  2. Plan of Talk • The SET Protocol • Defining the Formal Models • Verifying the Registration Phase • Verifying the Purchase Phase 2 Lawrence C Paulson

  3. Internet Shopping with SSL Credit card details SSL merchant cardholder “Curses! Can’t get that number!” 3 Lawrence C Paulson

  4. Why Trust the Merchant? Credit card details?? “Now I can buy that software!” SSL cardholder 4 Lawrence C Paulson

  5. Why Trust the Customer? Fake card details “Send MS Office, charge to my merchant SSL card…” 5 Lawrence C Paulson

  6. Basic Ideas of SET • Cardholders and Merchants must register • They receive electronic credentials – Proof of identity – Evidence of trustworthiness • Payment goes via the parties’ banks – Merchants don’t need card details – Bank does not see what you buy 6 Lawrence C Paulson

  7. Plan of Talk • The SET Protocol • Defining the Formal Models • Verifying the Registration Phase • Verifying the Purchase Phase 7 Lawrence C Paulson

  8. Inductive Protocol Verification • Define system’s operational semantics • Include honest parties and an attacker • Model each protocol step in an inductive definition • Prove security properties by induction • Mechanize using Isabelle/HOL 8 Lawrence C Paulson

  9. An Overview of Isabelle • Generic: higher-order logic, set theory, … • Good user interface (Proof General) • Automatic document generation • Powerful simplifier and classical prover • Strong support for inductive definitions 9 Lawrence C Paulson

  10. The SET Documentation • Business Description – General overview – 72 pages • Programmer’s Guide – Message formats & English description of actions – 619 pages • Formal Protocol Definition – Message formats & the equivalent ASN.1 definitions – 254 pages 10 Lawrence C Paulson

  11. SET Digital Envelopes • Consisting of two parts: – Symmetric key K, encrypted with a public key – Main ciphertext, encrypted with K • Hashing to link the two parts • Minimal use of public-key encryption • Great complications for formal reasoning – Numerous session keys in use – Dependency chains: keys encrypt keys 11 Lawrence C Paulson

  12. Obstacles to Formalization • Huge size of documentation & protocol • Lack of explicit objectives • “Out of band” steps • Many types of participants: – Cardholders – Merchants – Certificate Authorities – Payment Gateways (to pay merchants) 12 Lawrence C Paulson

  13. Plan of Talk • The SET Protocol • Defining the Formal Models • Verifying the Registration Phase • Verifying the Purchase Phase 13 Lawrence C Paulson

  14. Cardholder Registration • Cardholder C and certificate authority CA • C delivers credit card number • C completes registration form – Inserts security details – Discloses his public signature key • Outcomes : – C’s bank can vet the registration – CA associates C’s signing key with card details 14 Lawrence C Paulson

  15. Cardholder Registration * * Let’s look at this message 15 Lawrence C Paulson

  16. Message 5 in Isabelle 16 Lawrence C Paulson

  17. Secrecy of Session Keys • Three keys, created for digital envelopes • Dependency: one key protects another • Main theorem on this dependency relation • Generalizes an approach used for simpler protocols (Yahalom) • Similarly, prove secrecy of Nonces 17 Lawrence C Paulson

  18. Plan of Talk • The SET Protocol • Defining the Formal Models • Verifying the Registration Phase • Verifying the Purchase Phase 18 Lawrence C Paulson

  19. The Purchase Phase Purchase details SET Payment details (hidden from Merchant) Payment Gateway 19 Lawrence C Paulson

  20. The SET Dual Signature 3-way agreement with partial knowledge! • Cardholder shares Order Information only with Merchant • Cardholder shares Payment Information only with Payment Gateway • Cardholder signs hashes of OI, PI • Non-repudiation: all parties sign messages 20 Lawrence C Paulson

  21. The Purchase Request Message 21 Lawrence C Paulson

  22. Complications in SET Proofs • Massive redundancy – Caused by hashing and dual signature – E.g. 9 copies of “purchase amount” in one message! • Multi-page subgoals • Insufficient redundancy (no explicitness), failure of one agreement property • Many digital envelopes 22 Lawrence C Paulson

  23. Runtimes for Various Protocols 23 Lawrence C Paulson

  24. Conclusions • We can find flaws in massive protocols • Analyzing bigger protocols than SET may be impossible • Improvements are needed: – Abstract treatment of constructions such as digital envelopes – Better official formal definitions 24 Lawrence C Paulson

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano

Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano

Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano Rome Inductive Protocol Verification Define systems operational semantics Include honest parties and an attacker Model each

465 views • 22 slides
Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open

Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open

Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open University) Andrew D. Gordon (MSR Cambridge) Jan Jrjens (TU Dortmund) Verifying Security Code Assume a security API specification.

397 views • 24 slides
Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail Aizatulin 1 supervised by Andrew Gordon 23 , Jan J urjens 4 , Bashar Nuseibeh 1 1 The Open University 2 Microsoft Research Cambridge 3 University of

543 views • 29 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i -Key-Protocol, i = 1, 2, 3, Family of protocols Secure electronic payment Based on credit card payments Christopher Hsu Can be extended

407 views • 4 slides
Verifying and enforcing network paths with ICING Jad Naous , Michael Walfish, Antonio Nicolosi,

Verifying and enforcing network paths with ICING Jad Naous , Michael Walfish, Antonio Nicolosi,

Verifying and enforcing network paths with ICING Jad Naous , Michael Walfish, Antonio Nicolosi, David Mazires, Michael Miller, and Arun Seehra 1 Today: New protocol for every feature Remote VPN, Private WANs, Specifying QoS, Firewalls,

581 views • 38 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
Overview/Questions What does Internet Protocol actually do? What is an IP address? How

Overview/Questions What does Internet Protocol actually do? What is an IP address? How

CS101 Lecture 6: Internetworking: Internet Protocol, IP Addresses, Routing, DNS John Magee 8 July 2013 Some images courtesy Wikimedia Commons 1 Overview/Questions What does Internet Protocol actually do? What is an IP address? How

495 views • 18 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Day 1 - Outline Introductions, Agenda Bashing OSP Protocol Design Issues Overview of Group Work

Day 1 - Outline Introductions, Agenda Bashing OSP Protocol Design Issues Overview of Group Work

Day 1 - Outline Introductions, Agenda Bashing OSP Protocol Design Issues Overview of Group Work Presentation API Protocol Items Review of Open Screen Protocol 1.0 Remote Playback API Protocol Items OSP Authentication & Security Second

1.75k views • 143 slides
Tow ards Self-Tim ed Logic in the Tim e- Triggered Protocol Overview Introduction

Tow ards Self-Tim ed Logic in the Tim e- Triggered Protocol Overview Introduction

Markus Ferringer Department of Computer Engineering Vienna University of Technology Tow ards Self-Tim ed Logic in the Tim e- Triggered Protocol Overview Introduction Project ARTS Asynchronous design Time-Triggered Protocol

684 views • 15 slides
DHCP EAP Analysis or wheres my pony? Protocol overview

DHCP EAP Analysis or wheres my pony? Protocol overview

DHCP EAP Analysis or wheres my pony? Protocol overview EAP Encapsulated in DHCP Protocol DHCP protocol starts normally Relay (proxy)

881 views • 12 slides
Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers Dining Philosophers Peter Welch and Neil Brown Peter Welch and Neil Brown School of Computing, University of Kent, UK School of Computing,

675 views • 44 slides
Attacks on TCP 1 Outline What is TCP protocol? How the TCP Protocol Works SYN

Attacks on TCP 1 Outline What is TCP protocol? How the TCP Protocol Works SYN

Attacks on TCP 1 Outline What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack 2 TCP Protocol Transmission Control Protocol (TCP) is a core protocol

598 views • 47 slides
Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication to be nobody-but-yourselfin a world which is doing its best to make you everybody else - e e cummings authentication: verifying the

490 views • 15 slides
Lec ectur ure 12 e 12 Public Key Certification and Revocation [lecture slides are adapted

Lec ectur ure 12 e 12 Public Key Certification and Revocation [lecture slides are adapted

Lec ectur ure 12 e 12 Public Key Certification and Revocation [lecture slides are adapted from previous slides by Prof. Gene Tsudik] 1 CertificationTree / Hierarchy Logical tree of CA-s PK root root [PK CA1 ]SK root CA1 CA3 [PK CA2 ]SK

578 views • 40 slides
Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup University of Freiburg Computer Networks and Telematics Summer 2009 Overview In previous parts of this chapter: Modeling behaviour with

773 views • 74 slides
Glacier Hydrology Ian Hewitt, University of Oxford hewitt@maths.ox.ac.uk Water sources - Basal

Glacier Hydrology Ian Hewitt, University of Oxford hewitt@maths.ox.ac.uk Water sources - Basal

Glacier Hydrology Ian Hewitt, University of Oxford hewitt@maths.ox.ac.uk Water sources - Basal melting - Surface melting, precipitation Subglacial hydrology - Sheet flow - Tunnels / channels - Cavities - Canals - Lakes Large-scale models Glacier

446 views • 22 slides
ESnet's LHCONE Service Presented by Jason Zurawski, zurawski@es.net Science Engagement Authored

ESnet's LHCONE Service Presented by Jason Zurawski, zurawski@es.net Science Engagement Authored

ESnet's LHCONE Service Presented by Jason Zurawski, zurawski@es.net Science Engagement Authored by March 23 rd 2015 Joe Metzger metzger@es.net Network Engineering What is LHCONE? LHCONE is a Global Science Overlay Network designed for high

689 views • 14 slides
1 Wendell Crenshaw Technologies presents 1 2 Tumbleweed 2 All Your Baseband Are Belong To

1 Wendell Crenshaw Technologies presents 1 2 Tumbleweed 2 All Your Baseband Are Belong To

1 Wendell Crenshaw Technologies presents 1 2 Tumbleweed 2 All Your Baseband Are Belong To Us over-the-air exploitation of memory corruptions in GSM software stacks Ralf-Philipp Weinmann Laboratory for Algorithmics, Cryptology &

737 views • 45 slides
A Little Knowledge is a Dangerous Thi Thing Technology Transfer Workshops Technology Transfer

A Little Knowledge is a Dangerous Thi Thing Technology Transfer Workshops Technology Transfer

NORDUnet Nordic I nfrastructure for Research & Education A Little Knowledge is a Dangerous Thi Thing Technology Transfer Workshops Technology Transfer Workshops Training the community in new networking technologies Jerry Sobieski

660 views • 30 slides
Security Verification with F* Cdric Fournet Catalin Hritcu Aseem Rastogi *the Everest

Security Verification with F* Cdric Fournet Catalin Hritcu Aseem Rastogi *the Everest

Computer-Aided Security Proofs, Aarhus, Oct 9 13 2017 Security Verification with F* Cdric Fournet Catalin Hritcu Aseem Rastogi *the Everest VERified End-to-end Secure Transport Everest*: Verified Drop-in Replacements for TLS/HTTPS

464 views • 34 slides
Corporation for National and Community Service Programs and Funding Nov. 6, 2019 Welcome

Corporation for National and Community Service Programs and Funding Nov. 6, 2019 Welcome

Corporation for National and Community Service Programs and Funding Nov. 6, 2019 Welcome William Snow Office of Special Needs Assistance Programs U.S. Department of Housing and Urban Development Corporation for National & Community

545 views • 51 slides

More recommend