automatic formal analyses of cryptographic protocols
play

Automatic Formal Analyses of Cryptographic Protocols 19th National - PowerPoint PPT Presentation

Feb 25, 2024 •21 likes •141 views

Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security Conference October 22-25, 1996 Baltimore Convention Center Dr. Stephen H. Brackin Arca Systems, Inc. 303 E. Yates St., Ithaca, NY 14850

  1. Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security Conference October 22-25, 1996 Baltimore Convention Center Dr. Stephen H. Brackin Arca Systems, Inc. 303 E. Yates St., Ithaca, NY 14850 607-277-8211 or 607-277-2739 brackin@va.arca.com Supported by ESC/AXS through PRISM, and by Rome Laboratory P R I S M Page - 1 Custom Command and Control

  2. Outline of Talk • Problem: protocol failure • Automatic Authentication Protocol Analyzer (AAPA) • Three SPX protocols and results of analyzing them • Conclusions, for SPX and arbitrary protocols P R I S M Page - 2 Custom Command and Control

  3. Cryptographic Protocols • Goal: Secure communication over insecure networks – Networks, principals, messages – Worst case: enemy controls all communication – Nondisclosure and authentication • Tools: – Shared or confirmable secrets – Encryption – Hash functions – Timestamps, nonces, signatures, key-exchange functions • Distributed algorithms P R I S M Page - 3 Custom Command and Control

  4. Failure Example • Tatebayeshi-Matsuzaki-Newman protocol – 1. A->S: {Ka}Rsa(PkS), A, B – 2. S->B: S,A – 3. B->S: {Kb}Rsa(PkS) – 4. S->A: {Kb}Des(Ka) • AAPA notation, but more-or-less standard • Published (CRYPTO ‘89), recommended by experts • It’s wrong --- and has lots of company P R I S M Page - 4 Custom Command and Control

  5. Automatic Authentication Protocol Analyzer • Inputs Interface Specification Language (ISL) specs • Produces Higher Order Logic (HOL) theories • Automatically proves default and user-set goals – Belief logic extending Gong-Needham-Yahalom logic – Sample deduction: If P believes only P and Q know K, and P receives M that K decrypts to something meaningful, then P believes Q sent M --- though not necessarily recently or to P – Proceeds by induction on protocol stage • Gives proof results in ISL P R I S M Page - 5 Custom Command and Control

  6. SPX Credentials Initialization name = C 2 PwdC {C,Ts,Rn,H1(PwdC)}Rsa(KpLeaf) 3 LEAF 1 Read Privkey {UidC,{KsC}Des(H2(PwdC))}Des(Rn) KsC,UidC 6 7 4 Create Ticket C 5 claimant credentials {{KsC}Des(H2(PwdC)), H1(PwdC), 8 UidC}Rsa(KpLeaf) Make C Trusted Authorities 10 trusted CDC authorities C_certif_Ca1 9 Claimant P R I S M Page - 6 Custom Command and Control

  7. What AAPA Analysis Shows: I • KpC must be computable from KsC • Keys must be stored along with recognizable data • PwdC must not be older than KsC • ValidityKpCa1 must include the current time P R I S M Page - 7 Custom Command and Control

  8. SPX Authentication V = verifier 1 Ta1 = claimant trusted authority CDC Ta1,UidC,KpTa1 Ta2 = verifier trusted authority V Ticket(C) X_certif_Y = Tal_certif_V X certifies Y’s public key 2 claimant A(DesKey), Ticket(C), Delegator1 3 Ta2,UidV,KpTa2 KpV {Ts}Des(DesKey) 6 verifier A(DesKey) = 5 <Ts,ChannelIdC>Hdes(DesKey) C 4 Ticket(C) = [ValidityKspC,UidC,KspC] (H3,Rsa)(KsC) Ta2_certif_C Delegator1 = CDC [{DesKey}Rsa(PkV)] (H3,Rsa)(KssC) P R I S M Page - 8 Custom Command and Control

  9. What AAPA Analysis Shows: II • Keys must be stored with recognizable data • Validity intervals must include the current time – ValidityKpV, ValidityKpC, ValidityKspC • Belief DesKey from C depends on dubious assumptions • Delegation gives up to 8 hours of authentication failure P R I S M Page - 9 Custom Command and Control

  10. SPX Delegation V = verifier Ta1 = claimant trusted authority 1 Ta2 = verifier trusted authority CDC Ta1,UidC,KpTa1 V Ticket(C) X_certif_Y = X certifies Y’s public key Tal_certif_V 2 claimant A(DesKey), Ticket(C), Delegator2 3 Ta2,UidV,KpTa2 KpV {Ts}Des(DesKey) 6 verifier A(DesKey) = 5 <Ts,ChannelIdC>Hdes(DesKey) C 4 Ticket(C) = [ValidityKspC,UidC,KspC] (H3,Rsa)(KsC) Ta2_certif_C Delegator2 = CDC {DesKey}Rsa(PkV), {KssC}Des(DesKey) P R I S M Page - 10 Custom Command and Control

  11. What AAPA Analysis Shows: III • Similar recognizability and interval restrictions • Dubious assumptions don’t give belief KssC from C • Banker can obtain medical records P R I S M Page - 11 Custom Command and Control

  12. Conclusions • For the SPX protocols: – Initialization must include checks for meaningful data – Authentication possibly flawed – Delegation possibly flawed – These issues should be addressed in documentation • For all cryptographic protocols: – The AAPA is a fast, easy tool for reducing failures – The AAPA can be used as part of the design process P R I S M Page - 12 Custom Command and Control

Recommend

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

947 views • 69 slides
Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS blanchet@di.ens.fr September 2011 Bruno Blanchet (INRIA) ProVerif September 2011

1.55k views • 143 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

452 views • 14 slides
A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1 , Chiara

A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1 , Chiara

ASIAN07 A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols Han Gao 1 , Chiara Bodei 2 , Pierpaolo Degano 2 , Hanne Riis Nielson 1 Informatics and Mathematics Modelling, Technical University of Denmark 1 Dipartimento di

435 views • 20 slides
Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu,

Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu,

Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu, Institute of Computer Science Agenda Introduction Probabilistic-spi calculus Security protocol verification Conclusion Q&amp;A

633 views • 19 slides
Automatic Security Analyses of Network Protocols with Tamarin-Prover Introductory Talk Eike

Automatic Security Analyses of Network Protocols with Tamarin-Prover Introductory Talk Eike

1/18 Automatic Security Analyses of Network Protocols with Tamarin-Prover Introductory Talk Eike Stadtlnder May 17, 2018 2/18 Outline Motivation Tamarin-Prover Overview Language and Environment State Demo Goals for the Lab . 3/18

1.33k views • 99 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, July 12th, 2018 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure

849 views • 80 slides
Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier

Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier

Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier ProVerif Bruno Blanchet INRIA Paris-Rocquencourt Bruno.Blanchet@inria.fr September 2013 Bruno Blanchet (INRIA) ProVerif September 2013 1 / 114

1.56k views • 132 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Introduction Formal models Adding equational theories Towards more guarantees Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/45 V eronique

785 views • 76 slides
First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols Peeter Laud peeter l@ut.ee Tartu Ulikool Cybernetica AS Teooriap aevad Arulas, 3.-5.02.2003 p.1/27 Overview Cryptographic protocols.

570 views • 27 slides
Cryptographic Protocols and Network Security G. Sivakumar Computer Science and Engineering IIT

Cryptographic Protocols and Network Security G. Sivakumar Computer Science and Engineering IIT

Some Puzzles Security Connection Cryptography Need For Formal Methods Cryptographic Protocols and Network Security G. Sivakumar Computer Science and Engineering IIT Bombay siva@iitb.ac.in Oct 14, 2004 G. Sivakumar Computer Science and

671 views • 43 slides
Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to

Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to

Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to Computer Security Announcements intermission Day 17: Crypto protocols and S protocols SSH Stephen McCamant University of Minnesota, Computer

338 views • 7 slides
Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why it was created? Cryptographic protocol Paper in 2004 by Ian Goldberg , Nikita Borisov and Eric Brewer Conversations in the

299 views • 18 slides
Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 1. Interactive Proofs and Zero-Knowledge Protocols 2. Secure Multi-Party Computation Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine Agreement Secure Multi-Party

170 views • 3 slides
The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS09, Shanghai, China October 13, 2009 Background Formal verification of security protocols from

312 views • 28 slides
Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic protocols and how to prove it? Yu ZHANG Including joint work with J. Goubault-Larrecq, D. Nowak and S. Lasota EVEREST, INRIA Sophia-Antipolis February

487 views • 37 slides
Outline Cryptographic protocols, contd More causes of crypto failure CSci 5271 Key

Outline Cryptographic protocols, contd More causes of crypto failure CSci 5271 Key

Outline Cryptographic protocols, contd More causes of crypto failure CSci 5271 Key distribution and PKI Introduction to Computer Security HW1 debrief Day 17: PKI and S protocols Stephen McCamant SSH University of Minnesota,

461 views • 11 slides
Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in

Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in

Using Data Flow Analysis for Automatic Checking of Computational Confidentiality in Cryptographic Protocols Peeter Laud Tartu University and Cybernetica AS (joint work with Michael Backes) Teooriapevad Voorel, 29.0901.10.2006 p. 1/33

760 views • 47 slides
The Coinductive Approach to Verifying Cryptographic Protocols Jesse Hughes joint work with

The Coinductive Approach to Verifying Cryptographic Protocols Jesse Hughes joint work with

The Coinductive Approach to Verifying Cryptographic Protocols Jesse Hughes joint work with Martijn Warnier jesseh@cs.kun.nl University of Nijmegen The Coinductive Approach to Verifying Cryptographic Protocols p.1/27 Outline I.

1.95k views • 184 slides
MTAT.07.005 Cryptographic Protocols Introduction to Zero-Knowledge Helger Lipmaa University of

MTAT.07.005 Cryptographic Protocols Introduction to Zero-Knowledge Helger Lipmaa University of

Zero-Knowledge Two-Party Protocols MTAT.07.005 Cryptographic Protocols Introduction to Zero-Knowledge Helger Lipmaa University of Tartu MTAT.07.005 Cryptographic Protocols Helger Lipmaa MTAT.07.005 Cryptographic Protocols Zero-Knowledge

1.49k views • 122 slides
Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides

More recommend