Analysing privacy-type properties in cryptographic protocols

  1. Analysing privacy-type properties in cryptographic protocols. Stéphanie Delaune, Univ Rennes, CNRS, IRISA, France. Thursday, July 12th, 2018

  2. Cryptographic protocols everywhere!
     Cryptographic protocols
     - small programs designed to secure communication (e.g. secrecy, authentication, anonymity, ...)
     - use cryptographic primitives (e.g. encryption, signature, ...)

     The network is insecure! Communications take place over a public network like the Internet.

  3. Cryptographic protocols everywhere!
     Cryptographic protocols
     - small programs designed to secure communication (e.g. secrecy, authentication, anonymity, ...)
     - use cryptographic primitives (e.g. encryption, signature, ...)

     It becomes more and more important to protect our privacy.

  5. Electronic passport → studied in [Arapinis et al., 10]
     An e-passport is a passport with an RFID tag embedded in it. The RFID tag stores:
     - the information printed on your passport,
     - a JPEG copy of your picture.

     The Basic Access Control (BAC) protocol is a key establishment protocol that has been designed to also ensure unlinkability.
     ISO/IEC standard 15408: Unlinkability aims to ensure that a user may make multiple uses of a service or resource without others being able to link these uses together.

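  11. Basic Access Control (BAC) protocol
      Passport $(K_E, K_M)$ and Reader $(K_E, K_M)$:
      - Reader → Passport: get_challenge
      - Passport picks $N_P, K_P$. Passport → Reader: $N_P$
      - Reader picks $N_R, K_R$. Reader → Passport: $\{N_R, N_P, K_R\}_{K_E}, \mathsf{MAC}_{K_M}(\{N_R, N_P, K_R\}_{K_E})$
      - Passport → Reader: $\{N_P, N_R, K_P\}_{K_E}, \mathsf{MAC}_{K_M}(\{N_P, N_R, K_P\}_{K_E})$
      - Both sides compute $K_{seed} = K_P \oplus K_R$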

  13. How can cryptographic protocols be attacked?
      Logical attacks
      - can be mounted even assuming perfect cryptography → replay attack, man-in-the-middle attack, ...
      - subtle and hard to detect by “eyeballing” the protocol

      This is the so-called Dolev-Yao attacker!

  14. How can cryptographic protocols be attacked?
      Logical attacks
      - can be mounted even assuming perfect cryptography → replay attack, man-in-the-middle attack, ...
      - subtle and hard to detect by “eyeballing” the protocol

      Example: An authentication flaw on the Needham-Schroeder protocol
      NS protocol (1978):
      - $A \to B : \{A, N_A\}_{\mathsf{pub}(B)}$
      - $B \to A : \{N_A, N_B\}_{\mathsf{pub}(A)}$
      - $A \to B : \{N_B\}_{\mathsf{pub}(B)}$

  15. How can cryptographic protocols be attacked?
      Logical attacks
      - can be mounted even assuming perfect cryptography → replay attack, man-in-the-middle attack, ...
      - subtle and hard to detect by “eyeballing” the protocol

      Example: An authentication flaw on the Needham-Schroeder protocol
      NS protocol (1978):
      - $A \to B : \{A, N_A\}_{\mathsf{pub}(B)}$
      - $B \to A : \{N_A, N_B\}_{\mathsf{pub}(A)}$
      - $A \to B : \{N_B\}_{\mathsf{pub}(B)}$

      NS-Lowe protocol (1995):
      - $A \to B : \{A, N_A\}_{\mathsf{pub}(B)}$
      - $B \to A : \{N_A, N_B, B\}_{\mathsf{pub}(A)}$
      - $A \to B : \{N_B\}_{\mathsf{pub}(B)}$

  16. How can cryptographic protocols be attacked?
      Logical attacks
      - can be mounted even assuming perfect cryptography → replay attack, man-in-the-middle attack, ...
      - subtle and hard to detect by “eyeballing” the protocol

      Example: FREAK attack by Bhargavan et al. (2015)
      A logical flaw that allows a man-in-the-middle attacker to downgrade connections from 'strong' RSA to 'export grade' RSA.

  17. How can cryptographic protocols be attacked?
      Logical attacks
      - can be mounted even assuming perfect cryptography → replay attack, man-in-the-middle attack, ...
      - subtle and hard to detect by “eyeballing” the protocol

      Example: A traceability attack on the BAC protocol (2010): privacy issue (The Register, Jan. 2010)

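  19. French electronic passport → the passport must reply to all received messages.
      Passport $(K_E, K_M)$ and Reader $(K_E, K_M)$:
      - Reader → Passport: get_challenge
      - Passport picks $N_P, K_P$. Passport → Reader: $N_P$
      - Reader picks $N_R, K_R$. Reader → Passport: $\{N_R, N_P, K_R\}_{K_E}, \mathsf{MAC}_{K_M}(\{N_R, N_P, K_R\}_{K_E})$
      - If MAC check fails, Passport → Reader: mac_error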

  20. French electronic passport → the passport must reply to all received messages.
      Passport $(K_E, K_M)$ and Reader $(K_E, K_M)$:
      - Reader → Passport: get_challenge
      - Passport picks $N_P, K_P$. Passport → Reader: $N_P$
      - Reader picks $N_R, K_R$. Reader → Passport: $\{N_R, N_P, K_R\}_{K_E}, \mathsf{MAC}_{K_M}(\{N_R, N_P, K_R\}_{K_E})$
      - If MAC check succeeds and nonce check fails, Passport → Reader: nonce_error

  23. An attack on the French passport [Chothia & Smirnov, 10]
      An attacker can track a French passport, provided he has once witnessed a successful authentication.

      Part 1 of the attack. The attacker eavesdrops on Alice using her passport and records message $M$.
      $M = \{N_R, N_P, K_R\}_{K_E}, \mathsf{MAC}_{K_M}(\{N_R, N_P, K_R\}_{K_E})$

      Part 2 of the attack. In the presence of an unknown passport $(K'_E, K'_M)$, the attacker replays the message $M$ and checks the error code he receives.
      1. MAC check failed: $K'_M \neq K_M \implies$ ???? is not Alice
      2. MAC check succeeded: $K'_M = K_M \implies$ ???? is Alice
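
The error-code distinction described above, simulated offline as an added example (not code from the talk): a toy passport with the French reply behaviour next to a variant that answers both failure cases identically. The XOR-keystream cipher, HMAC-SHA256, the field sizes and the `uniform_errors` switch are assumptions of this example, not the passport's real primitives.

```python
import hashlib, hmac, os

def senc(key, data):
    # Toy XOR keystream standing in for the passport's real cipher (assumption).
    ks = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

sdec = senc  # XOR stream: decryption is the same operation

def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class Passport:
    def __init__(self, uniform_errors=False):
        self.k_e, self.k_m = os.urandom(16), os.urandom(16)
        self.uniform_errors = uniform_errors   # hypothetical hardening switch

    def challenge(self):
        self.n_p, self.k_p = os.urandom(8), os.urandom(16)
        return self.n_p

    def respond(self, z_e, z_m):
        if not hmac.compare_digest(z_m, mac(self.k_m, z_e)):
            return b"error" if self.uniform_errors else b"mac_error"
        plain = sdec(self.k_e, z_e)            # N_R (8) || N_P (8) || K_R (16)
        if plain[8:16] != self.n_p:
            return b"error" if self.uniform_errors else b"nonce_error"
        m = senc(self.k_e, self.n_p + plain[:8] + self.k_p)
        return m + mac(self.k_m, m)

def reader_message(k_e, k_m, n_p):
    # Honest reader: {N_R, N_P, K_R}_KE together with its MAC under K_M.
    z_e = senc(k_e, os.urandom(8) + n_p + os.urandom(16))
    return z_e, mac(k_m, z_e)

def replay_reply(recorded, passport):
    # Replay a recorded reader message into a fresh session of `passport`.
    passport.challenge()
    return passport.respond(*recorded)

def demo(uniform_errors):
    alice, other = Passport(uniform_errors), Passport(uniform_errors)
    recorded = reader_message(alice.k_e, alice.k_m, alice.challenge())
    assert len(alice.respond(*recorded)) == 64   # honest run succeeds
    return replay_reply(recorded, alice), replay_reply(recorded, other)
```

`demo(False)` returns different replies for the two passports, which is exactly the link between sessions; `demo(True)` returns the same reply for both.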

  24. Outline
      Does the protocol satisfy a security property? [Diagram: Modelling, $\models \varphi$]
      Outline of the remainder of this talk
      1. Modelling cryptographic protocols and their security properties
      2. Designing verification algorithms

      → we focus here on privacy-type security properties

  25. Part I Modelling cryptographic protocols and their security properties

  27. Two major families of models ... with some advantages and some drawbacks.
      Computational model
      - (+) messages are bitstrings, a general and powerful adversary
      - (-) manual proofs, tedious and error-prone

      Symbolic model
      - (-) abstract model, e.g. messages are terms
      - (+) automatic proofs

      Some results made it possible to link these two very different models. → Abadi & Rogaway 2000

  29. Back to the BAC protocol
      Nonces $n_r, n_p$ and keys $k_r, k_p, k_e, k_m$ are modelled using names.
      Cryptographic primitives are modelled using function symbols:
      - encryption/decryption: $\mathsf{senc}/2$, $\mathsf{sdec}/2$
      - concatenation/projections: $\langle\,,\rangle/2$, $\mathsf{proj}_1/1$, $\mathsf{proj}_2/1$
      - mac construction: $\mathsf{mac}/2$

      $\mathsf{sdec}(\mathsf{senc}(x, y), y) = x \qquad \mathsf{proj}_1(\langle x, y\rangle) = x \qquad \mathsf{proj}_2(\langle x, y\rangle) = y$

      Exclusive-or operator: $\oplus$ of arity 2 and $0$ (neutral element)

      $x \oplus (y \oplus z) = (x \oplus y) \oplus z \qquad x \oplus x = 0 \qquad x \oplus y = y \oplus x \qquad x \oplus 0 = x$

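  31. Protocols as processes
      Syntax [Abadi & Fournet, 01], $P, Q :=$
      - $0$: null process
      - $\mathsf{in}(c, x).P$: input
      - $\mathsf{out}(c, u).P$: output
      - $\mathsf{if}\ u = v\ \mathsf{then}\ P\ \mathsf{else}\ Q$: conditional
      - $P \mid Q$: parallel composition
      - $!P$: replication
      - $\mathsf{new}\ n.P$: fresh name generation

      Modelling Passport's role

      $$
      \begin{array}{l}
      P_{\mathsf{BAC}}(k_E, k_M) = \mathsf{new}\ n_P.\ \mathsf{new}\ k_P.\ \mathsf{out}(n_P).\ \mathsf{in}(\langle z_E, z_M\rangle). \\
      \quad \mathsf{if}\ z_M = \mathsf{mac}(z_E, k_M)\ \mathsf{then} \\
      \qquad \mathsf{if}\ n_P = \mathsf{proj}_1(\mathsf{proj}_2(\mathsf{sdec}(z_E, k_E)))\ \mathsf{then}\ \mathsf{out}(\langle m, \mathsf{mac}(m, k_M)\rangle) \\
      \qquad \mathsf{else}\ \mathsf{out}(\mathit{nonce\_error}) \\
      \quad \mathsf{else}\ \mathsf{out}(\mathit{mac\_error})
      \end{array}
      $$

      where $m = \mathsf{senc}(\langle n_P, \langle \mathsf{proj}_1(z_E), k_P\rangle\rangle, k_E)$.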
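
The symbolic model of the last two slides, as an added example (not code from the talk): terms are normalised modulo the equations for `sdec`, `proj1`/`proj2` and `⊕`, and the passport's role is executed on an honest reader message. The tuple encoding of terms, the function names, and reading `proj1(z_E)` in the definition of `m` as the first component of the decrypted `z_E` are assumptions of this example.

```python
def head(t):
    return t[0] if isinstance(t, tuple) else None

def norm(t):
    """Normalise a term modulo the slide's equations (names are strings)."""
    if not isinstance(t, tuple):
        return t
    f, args = t[0], [norm(a) for a in t[1:]]
    if f == "sdec" and head(args[0]) == "senc" and args[0][2] == args[1]:
        return args[0][1]                      # sdec(senc(x, y), y) = x
    if f in ("proj1", "proj2") and head(args[0]) == "pair":
        return args[0][1 if f == "proj1" else 2]
    if f == "xor":
        odd = set()
        for a in args:                         # flatten: associativity
            for x in (a[1:] if head(a) == "xor" else (a,)):
                odd ^= {x}                     # x + x = 0: keep odd counts only
        odd.discard("0")                       # x + 0 = x
        ops = sorted(odd, key=repr)            # canonical order: commutativity
        return "0" if not ops else ops[0] if len(ops) == 1 else ("xor", *ops)
    return (f, *args)

def passport(k_e, k_m, n_p, k_p, z):
    """P_BAC after out(n_P): react to the input z = <z_E, z_M>."""
    z_e, z_m = norm(("proj1", z)), norm(("proj2", z))
    if z_m != norm(("mac", z_e, k_m)):
        return "mac_error"
    body = ("sdec", z_e, k_e)
    if norm(("proj1", ("proj2", body))) != n_p:
        return "nonce_error"
    # Assumption: the reader's nonce is taken from the decrypted z_E.
    m = norm(("senc", ("pair", n_p, ("pair", ("proj1", body), k_p)), k_e))
    return ("pair", m, ("mac", m, k_m))

def honest_run():
    # Constructed session using the slide's names n_r, n_p, k_r, k_p, k_e, k_m.
    z_e = ("senc", ("pair", "n_r", ("pair", "n_p", "k_r")), "k_e")
    out = passport("k_e", "k_m", "n_p", "k_p", ("pair", z_e, ("mac", z_e, "k_m")))
    m = norm(("proj1", out))
    k_p_seen = norm(("proj2", ("proj2", ("sdec", m, "k_e"))))    # reader side
    k_r_seen = norm(("proj2", ("proj2", ("sdec", z_e, "k_e"))))  # passport side
    return norm(("xor", "k_r", k_p_seen)), norm(("xor", "k_p", k_r_seen))
```

Both components returned by `honest_run()` normalise to the same term, the symbolic counterpart of both sides computing the same seed; decryption under a wrong key stays stuck as an irreducible `sdec` term.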
