verifying the set protocol
play

Verifying the SET Protocol G Bella & L C Paulson Cambridge F - PowerPoint PPT Presentation

Feb 20, 2024 •225 likes •465 views

Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano Rome Inductive Protocol Verification Define systems operational semantics Include honest parties and an attacker Model each

  1. Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano Rome

  2. Inductive Protocol Verification • Define system’s operational semantics • Include honest parties and an attacker • Model each protocol step in an inductive definition • Prove security properties by induction • Mechanize using Isabelle/HOL 2 Lawrence C Paulson

  3. Can Big Protocols Be Verified? • Can verify some real protocols: – Kerberos IV – TLS (the new version of SSL) – APM’s recursive protocol • Other verification methods available: – Model-checking (Lowe) – NRL Protocol Analyzer (Meadows) 3 Lawrence C Paulson

  4. Growth in Protocol Complexity 6 pages • Needham-Schroeder (1978): 80 pages • TLS: • SET: 5 main sub-protocols, 3 manuals, nearly 1000 pages Why so big? 4 Lawrence C Paulson

  5. Internet Shopping with SSL Credit card details SSL Curses! Can’t get that number! 5 Lawrence C Paulson

  6. Do We Trust the Merchant? Credit card details?? Now I can buy that software! SSL 6 Lawrence C Paulson

  7. Do We Trust the Customer? Fake card details Send MS Office, charge to my SSL card... 7 Lawrence C Paulson

  8. Basic Ideas of SET • Legitimate Cardholders and Merchants receive electronic credentials • Merchants don’t see credit card numbers (usually!) • Payment is made via the parties’ banks • Both sides are protected from fraud 8 Lawrence C Paulson

  9. SET Participants • Issuer = cardholder’s bank • Acquirer = merchant’s bank • Payment gateway pays the merchant • Certificate authority (CA) issues electronic credentials • Trust hierarchy: top CAs certify others 9 Lawrence C Paulson

  10. Internet Shopping with SET purchase details SET Her bank His bank 10 Lawrence C Paulson

  11. SET Cryptographic Primitives • Hashing, to make message digests • Digital signatures • Public-key encryption • Symmetric-key encryption: session keys • Digital envelopes involving all of these! • Deep nesting of crypto functions 11 Lawrence C Paulson

  12. The 5 Sub-Protocols of SET � � • Cardholder registration � � � � • Merchant registration � � • Purchase request • Payment authorization • Payment capture � verified! � � � 12 Lawrence C Paulson

  13. CARDHOLDER REGISTRATION CERTIFICATE CARDHOLDER AUTHORITY (CA) INITIATE COMPUTER PROCESS REQUEST CARDHOLDER CERTIFICATE INITIATES AUTHORITY REGISTRATION SENDS INITIATE RESPONSE RESPONSE CARDHOLDER RECEIVES RESPONSE REGISTRATION AND FORM REQUEST REQUESTS REGISTRATION CERTIFICATE FORM AUTHORITY PROCESSES REQUEST AND REGISTRATION SENDS FORM REGISTRATION FORM CARDHOLDER RECEIVES REGISTRATION FORM CARDHOLDER AND CERTIFICATE REQUEST REQUESTS CERTIFICATE CERTIFICATE � Let’s look at AUTHORITY � PROCESSES REQUEST AND this message CARDHOLDER CREATES CARDHOLDER CERTIFICATE CERTIFICATE RECEIVES CERTIFICATE 13 Lawrence C Paulson

  14. Message 5 in Isabelle [ evs5 ∈ set_cr; C = Cardholder k; [ Nonce NC3 / ∈ used evs5; Nonce CardSecret / ∈ used evs5; NC3 � = CardSecret; Key KC2 / ∈ used evs5; KC2 ∈ symKeys; Key KC3 / ∈ used evs5; KC3 ∈ symKeys; KC2 � = KC3; Gets C ... ∈ set evs5; Says C (CA i) ... ∈ set evs5 ] ] ⇒ Says C (CA i) = | Crypt KC3 { | Agent C, Nonce NC3, Key KC2, Key cardSK, { Crypt (invKey cardSK) (Hash { | Agent C, Nonce NC3, Key KC2, Key cardSK, Pan(pan C), Nonce CardSecret | } ) | } , Crypt EKi { | Key KC3, Pan (pan C), Nonce CardSecret | }| } # evs5 ∈ set_cr 14 Lawrence C Paulson

  15. What Did That Mean? • Cardholder had asked to register a PAN (primary account number) • Cardholder has received the CA’s reply • Cardholder sends a digital envelope: – A public signing key, cardSK – A message, signed using the private key – Two session keys (one for the CA’s reply) – A secret number, CardSecret 15 Lawrence C Paulson

  16. Secrecy of the Card Number • Intuitively obvious: PAN is always hashed or encrypted • Huge case-splits caused by nested encryptions • Two lemmas: – Session keys never encrypt PANs – Session keys never encrypt private keys 16 Lawrence C Paulson

  17. Secrecy of Session Keys • Three keys, created for digital envelopes • Dependency: one key protects another • Main theorem on this dependency relation • Generalizes an approach used for simpler protocols (Yahalom) 17 Lawrence C Paulson

  18. Secrecy of Nonces • Secret numbers exchanged to generate Cardholder’s password • Protected using those session keys • Similar to the proofs for keys • Main theorem about the Key/Nonce dependency relationship 18 Lawrence C Paulson

  19. The Purchase Phase! 19 Lawrence C Paulson

  20. Novel Aspects of SET Purchase 3-way agreement: with partial knowledge! • Cardholder shares Order Information only with Merchant • Cardholder shares Payment Information only with Payment Gateway • Cardholder signs hashes of OI, PI • Non-repudiation: all parties sign messages 20 Lawrence C Paulson

  21. Complications in SET Purchase • Massive redundancy: exponential blow-ups • Insufficient redundancy (no explicitness), requiring toil to prove trivial facts • Two message flows: signed and unsigned • Many digital envelopes • No clear goals: What should I prove?? 21 Lawrence C Paulson

  22. Conclusions • Proofs are big, but not too big! • Can prove secrecy for several keys and nonces, with dependency chains • Can handle digital envelopes • Merchant registration verified similarly— Purchase & Payment phases too! 22 Lawrence C Paulson

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of Cambridge (Joint with Giampaolo Bella and Fabio Massacci) Plan of Talk The SET Protocol Defining the Formal Models Verifying the

570 views • 24 slides
Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open

Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open

Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open University) Andrew D. Gordon (MSR Cambridge) Jan Jrjens (TU Dortmund) Verifying Security Code Assume a security API specification.

397 views • 24 slides
Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail Aizatulin 1 supervised by Andrew Gordon 23 , Jan J urjens 4 , Bashar Nuseibeh 1 1 The Open University 2 Microsoft Research Cambridge 3 University of

543 views • 29 slides
What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i -Key-Protocol, i = 1, 2, 3, Family of protocols Secure electronic payment Based on credit card payments Christopher Hsu Can be extended

407 views • 4 slides
Verifying and enforcing network paths with ICING Jad Naous , Michael Walfish, Antonio Nicolosi,

Verifying and enforcing network paths with ICING Jad Naous , Michael Walfish, Antonio Nicolosi,

Verifying and enforcing network paths with ICING Jad Naous , Michael Walfish, Antonio Nicolosi, David Mazires, Michael Miller, and Arun Seehra 1 Today: New protocol for every feature Remote VPN, Private WANs, Specifying QoS, Firewalls,

581 views • 38 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers Dining Philosophers Peter Welch and Neil Brown Peter Welch and Neil Brown School of Computing, University of Kent, UK School of Computing,

675 views • 44 slides
Attacks on TCP 1 Outline What is TCP protocol? How the TCP Protocol Works SYN

Attacks on TCP 1 Outline What is TCP protocol? How the TCP Protocol Works SYN

Attacks on TCP 1 Outline What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack 2 TCP Protocol Transmission Control Protocol (TCP) is a core protocol

598 views • 47 slides
Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication to be nobody-but-yourselfin a world which is doing its best to make you everybody else - e e cummings authentication: verifying the

490 views • 15 slides
Verifying Trigonometric Identities A trigonometric identity is simply an identity involving

Verifying Trigonometric Identities A trigonometric identity is simply an identity involving

Verifying Trigonometric Identities A trigonometric identity is simply an identity involving trigonometric functions. We learn to verify and spend time verifying trigonometric identities because the practice we get verifying trigonometric

661 views • 46 slides
Formally-Verified ASN.1 Protocol C-language Stack 1 Carnegie Mellon University 2 Digamma.ai Vadim

Formally-Verified ASN.1 Protocol C-language Stack 1 Carnegie Mellon University 2 Digamma.ai Vadim

Formally-Verified ASN.1 Protocol C-language Stack 1 Carnegie Mellon University 2 Digamma.ai Vadim Zaliva 1 Nika Pona 2 What is ASN.1? At Digamma.ai we are verifying a compiler for ASN.1 The ASN.1 is a language for defining data

215 views • 21 slides
Forest Protocol Forest Protocol Protocol Update Effort Protocol Update Effort Goals and

Forest Protocol Forest Protocol Protocol Update Effort Protocol Update Effort Goals and

Forest Protocol Forest Protocol Protocol Update Effort Protocol Update Effort Goals and Objectives Goals and Objectives CAR adopted the Forest Protocols in 2005 CAR Board directed staff in 2007 to: Initiate a stakeholder process

532 views • 25 slides
TCP/IP CIS 218/238 Internet Protocol (IP) The Internet Protocol (IP) is responsible for

TCP/IP CIS 218/238 Internet Protocol (IP) The Internet Protocol (IP) is responsible for

TCP/IP CIS 218/238 Internet Protocol (IP) The Internet Protocol (IP) is responsible for ensuring that data is transferred between two Intenret hosts based on a 32 bit address. To be ROUTABLE, a protocol must specify a NETWORK ADDRESS

899 views • 22 slides
Revocaton protocols of WebPKI and Revocaton Transparency Nikita Korzhitskii Niklas Carlsson

Revocaton protocols of WebPKI and Revocaton Transparency Nikita Korzhitskii Niklas Carlsson

Revocaton protocols of WebPKI and Revocaton Transparency Nikita Korzhitskii Niklas Carlsson Lifecycle of a typical WebPKI certfcate www.liu.se Certificate Certificate Authority Server 1. Issuance www.liu.se Hello 2. Use Certificate

377 views • 10 slides
PKI: Public Key Infrastructure What is it, and why should I care? Conference on Higher Education

PKI: Public Key Infrastructure What is it, and why should I care? Conference on Higher Education

PKI: Public Key Infrastructure What is it, and why should I care? Conference on Higher Education Wes Hubert Computing in Kansas Information Services June 3, 2004 The University of Kansas Why? PKI adoption will continue growing to support

1.28k views • 46 slides
Certificates A ubiquitous form of authentication Generally used with public key

Certificates A ubiquitous form of authentication Generally used with public key

Certificates A ubiquitous form of authentication Generally used with public key cryptography A signed electronic document proving you are who you claim to be Often used to help distribute other keys Lecture 5 Page 1 CS 236

339 views • 29 slides
We believe that we are on the verge of the Internet of Things explosion. Now is the time to make

We believe that we are on the verge of the Internet of Things explosion. Now is the time to make

We believe that we are on the verge of the Internet of Things explosion. Now is the time to make sure that IoT incorporates everything weve learned about digital security and infrastructure resiliency over the last 20 years of the Internet.

661 views • 50 slides
Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631

Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631

CUNSHENG DING Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631 CUNSHENG DING Computer Security HKUST, Hong Kong Lecture 11: Public-Key Infrastructure Main Topics of this Lecture 1. Digital

433 views • 25 slides
Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction

Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction

Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction Public Key Infrastructure (PKI) Economic Aspects Motivation Need for secure, trusted communication Growing certificate market

777 views • 49 slides
GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA +

GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA +

create your own exercise Berkay Kozan, Jan Krol Group 202 GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA + Black Tulip How Certificate Transparency Works SCT delivering methods Merkle

729 views • 55 slides
Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester

Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester

IIG University of Freiburg Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 1 Table of Contents Attacks using HTTP

486 views • 25 slides

More recommend