automatic security analyses of network protocols with
play

Automatic Security Analyses of Network Protocols with Tamarin-Prover - PowerPoint PPT Presentation

Jan 18, 2024 •333 likes •1.33k views

1/18 Automatic Security Analyses of Network Protocols with Tamarin-Prover Introductory Talk Eike Stadtlnder May 17, 2018 2/18 Outline Motivation Tamarin-Prover Overview Language and Environment State Demo Goals for the Lab . 3/18

  1. 1/18 Automatic Security Analyses of Network Protocols with Tamarin-Prover Introductory Talk Eike Stadtländer May 17, 2018

  2. 2/18 Outline Motivation Tamarin-Prover Overview Language and Environment State Demo Goals for the Lab

  3. . ⌢ 3/18 The Thing with Proofs Consider the following “proof”: i i i i i Thus, clearly Lesson: It is easy to make subtle mistakes in proofs which makes them diffjcult to verify.

  4. . ⌢ 3/18 The Thing with Proofs Consider the following “proof”: i i i i i Thus, clearly Lesson: It is easy to make subtle mistakes in proofs which makes them diffjcult to verify.

  5. . ⌢ 3/18 The Thing with Proofs Consider the following “proof”: i i i i i Thus, clearly Lesson: It is easy to make subtle mistakes in proofs which makes them diffjcult to verify. − 1 1 = 1 − 1

  6. . ⌢ 3/18 i It is easy to make subtle mistakes in proofs which makes them Lesson: Thus, clearly i i i i diffjcult to verify. The Thing with Proofs Consider the following “proof”: √ √ − 1 1 = 1 − 1 1 1 = − 1 ⇒ − 1

  7. . ⌢ 3/18 The Thing with Proofs It is easy to make subtle mistakes in proofs which makes them Lesson: Thus, clearly i i i i i diffjcult to verify. Consider the following “proof”: √ √− 1 √ √ − 1 1 = 1 − 1 1 1 1 = 1 = √ √− 1 − 1 ⇒ − 1 ⇒

  8. . ⌢ 3/18 The Thing with Proofs It is easy to make subtle mistakes in proofs which makes them Lesson: Thus, clearly i i i i diffjcult to verify. Consider the following “proof”: √ √− 1 √ √ − 1 1 = 1 − 1 1 1 1 = 1 1 = 1 = √− 1 ⇒ i √ − 1 ⇒ − 1 ⇒

  9. . ⌢ 3/18 The Thing with Proofs It is easy to make subtle mistakes in proofs which makes them Lesson: Thus, clearly i diffjcult to verify. Consider the following “proof”: √ √− 1 √ √ − 1 1 = 1 − 1 1 1 1 = 1 1 = 1 = √− 1 ⇒ i √ − 1 ⇒ − 1 ⇒ ⇒ − 1 = i 2 = i i = 1

  10. 3/18 The Thing with Proofs It is easy to make subtle mistakes in proofs which makes them Lesson: ⌢ i diffjcult to verify. Consider the following “proof”: √ √− 1 √ √ − 1 1 = 1 − 1 1 1 1 = 1 1 = 1 = √− 1 ⇒ i √ − 1 ⇒ − 1 ⇒ ⇒ − 1 = i 2 = i i = 1 Thus, clearly − 1 = 1 .

  11. 3/18 The Thing with Proofs It is easy to make subtle mistakes in proofs which makes them Lesson: i diffjcult to verify. Consider the following “proof”: √ √− 1 √ √ − 1 1 = 1 − 1 1 1 1 = 1 1 = 1 = √− 1 ⇒ i √ − 1 ⇒ − 1 ⇒ ⇒ − 1 = i 2 = i i = 1 Thus, clearly − 1 = 1 . ⌢

  12. 3/18 The Thing with Proofs It is easy to make subtle mistakes in proofs which makes them Lesson: i diffjcult to verify. Consider the following “proof”: √ √− 1 √ √ − 1 1 = 1 − 1 1 1 1 = 1 1 = 1 = √− 1 ⇒ i √ − 1 ⇒ − 1 ⇒ ⇒ − 1 = i 2 = i i = 1 Thus, clearly − 1 = 1 . ⌢

  13. 3/18 The Thing with Proofs It is easy to make subtle mistakes in proofs which makes them Lesson: i diffjcult to verify for humans , at least. Consider the following “proof”: √ √− 1 √ √ − 1 1 = 1 − 1 1 1 1 = 1 1 = 1 = √− 1 ⇒ i √ − 1 ⇒ − 1 ⇒ ⇒ − 1 = i 2 = i i = 1 Thus, clearly − 1 = 1 . ⌢

  14. • “In our opinion, many proofs in cryptography have become • “We generate more proofs than we carefully verify (and as a 4/18 Experts on Security Proofs 1 essentially unverifjable. Our fjeld may be approaching a crisis of rigor. [...] game-playing may play a role in the answer.” Bellare and Rogaway 2004 consequence some of our published proofs are incorrect).” Halevi 2005 1 Slide inspired by Barthe (2014)

  15. • “We generate more proofs than we carefully verify (and as a 4/18 Experts on Security Proofs 1 essentially unverifjable. Our fjeld may be approaching a crisis of rigor. [...] game-playing may play a role in the answer.” Bellare and Rogaway 2004 consequence some of our published proofs are incorrect).” Halevi 2005 1 Slide inspired by Barthe (2014) • “In our opinion, many proofs in cryptography have become

  16. 4/18 Experts on Security Proofs 1 essentially unverifjable. Our fjeld may be approaching a crisis of rigor. [...] game-playing may play a role in the answer.” Bellare and Rogaway 2004 consequence some of our published proofs are incorrect).” Halevi 2005 1 Slide inspired by Barthe (2014) • “In our opinion, many proofs in cryptography have become • “We generate more proofs than we carefully verify (and as a

  17. • can verify a proof • can complete a partial proof • can fjnd a proof • can fjnd counter examples for disproof 5/18 The Cryptographer’s Wish List Wouldn’t it be great if we had a machine that of statements or security properties for a given protocol. Goal : Extensible framework for plug-and-play security.

  18. • can complete a partial proof • can fjnd a proof • can fjnd counter examples for disproof 5/18 The Cryptographer’s Wish List Wouldn’t it be great if we had a machine that of statements or security properties for a given protocol. Goal : Extensible framework for plug-and-play security. • can verify a proof

  19. • can fjnd a proof • can fjnd counter examples for disproof 5/18 The Cryptographer’s Wish List Wouldn’t it be great if we had a machine that of statements or security properties for a given protocol. Goal : Extensible framework for plug-and-play security. • can verify a proof • can complete a partial proof

  20. • can fjnd counter examples for disproof 5/18 The Cryptographer’s Wish List Wouldn’t it be great if we had a machine that of statements or security properties for a given protocol. Goal : Extensible framework for plug-and-play security. • can verify a proof • can complete a partial proof • can fjnd a proof

  21. 5/18 The Cryptographer’s Wish List Wouldn’t it be great if we had a machine that of statements or security properties for a given protocol. Goal : Extensible framework for plug-and-play security. • can verify a proof • can complete a partial proof • can fjnd a proof • can fjnd counter examples for disproof

  22. 5/18 The Cryptographer’s Wish List Wouldn’t it be great if we had a machine that of statements or security properties for a given protocol. Goal : Extensible framework for plug-and-play security. • can verify a proof • can complete a partial proof • can fjnd a proof • can fjnd counter examples for disproof

  23. • based on homotopy type theory • Univalent Foundations of Mathematics, Vladimir Voevodsky • e.g. “Proving the TLS Handshake Secure (as it is)” • based on constraint logic • symbolic analysis • e.g. “A Comprehensive Symbolic Analysis of TLS 1.3” • Mathematics: Coq • ProVerif, CryptoVerif, ... • EasyCrypt • Tamarin-Prover 6/18 Automatic Provers - A Status Quo (Bhargavan et al. 2014) (Cremers et al. 2017) Our Goal : Analyse IPSec protocol using automatic provers

  24. • e.g. “Proving the TLS Handshake Secure (as it is)” • based on constraint logic • symbolic analysis • e.g. “A Comprehensive Symbolic Analysis of TLS 1.3” • based on homotopy type theory • Univalent Foundations of Mathematics, Vladimir Voevodsky • ProVerif, CryptoVerif, ... • EasyCrypt • Tamarin-Prover 6/18 Automatic Provers - A Status Quo (Bhargavan et al. 2014) (Cremers et al. 2017) Our Goal : Analyse IPSec protocol using automatic provers • Mathematics: Coq

  25. • e.g. “Proving the TLS Handshake Secure (as it is)” • based on constraint logic • symbolic analysis • e.g. “A Comprehensive Symbolic Analysis of TLS 1.3” • Univalent Foundations of Mathematics, Vladimir Voevodsky • ProVerif, CryptoVerif, ... • EasyCrypt • Tamarin-Prover 6/18 Automatic Provers - A Status Quo (Bhargavan et al. 2014) (Cremers et al. 2017) Our Goal : Analyse IPSec protocol using automatic provers • Mathematics: Coq • based on homotopy type theory

  26. • e.g. “Proving the TLS Handshake Secure (as it is)” • based on constraint logic • symbolic analysis • e.g. “A Comprehensive Symbolic Analysis of TLS 1.3” • ProVerif, CryptoVerif, ... • EasyCrypt • Tamarin-Prover 6/18 Automatic Provers - A Status Quo (Bhargavan et al. 2014) (Cremers et al. 2017) Our Goal : Analyse IPSec protocol using automatic provers • Mathematics: Coq • based on homotopy type theory • Univalent Foundations of Mathematics, Vladimir Voevodsky

  27. • e.g. “Proving the TLS Handshake Secure (as it is)” • based on constraint logic • symbolic analysis • e.g. “A Comprehensive Symbolic Analysis of TLS 1.3” • EasyCrypt • Tamarin-Prover 6/18 Automatic Provers - A Status Quo (Bhargavan et al. 2014) (Cremers et al. 2017) Our Goal : Analyse IPSec protocol using automatic provers • Mathematics: Coq • based on homotopy type theory • Univalent Foundations of Mathematics, Vladimir Voevodsky • ProVerif, CryptoVerif, ...

  28. • based on constraint logic • symbolic analysis • e.g. “A Comprehensive Symbolic Analysis of TLS 1.3” • e.g. “Proving the TLS Handshake Secure (as it is)” • Tamarin-Prover 6/18 Automatic Provers - A Status Quo (Bhargavan et al. 2014) (Cremers et al. 2017) Our Goal : Analyse IPSec protocol using automatic provers • Mathematics: Coq • based on homotopy type theory • Univalent Foundations of Mathematics, Vladimir Voevodsky • ProVerif, CryptoVerif, ... • EasyCrypt

Recommend

Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security

Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security

Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security Conference October 22-25, 1996 Baltimore Convention Center Dr. Stephen H. Brackin Arca Systems, Inc. 303 E. Yates St., Ithaca, NY 14850

141 views • 12 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
A First Step towards the Automatic Generation of Security Protocols Adrian Perrig and Dawn Song

A First Step towards the Automatic Generation of Security Protocols Adrian Perrig and Dawn Song

A First Step towards the Automatic Generation of Security Protocols Adrian Perrig and Dawn Song CMU, UCB Adrian Perrig and Dawn Song NDSS - APG 1 Difficulties in the Design of Security Protocols Usually ad-hoc, lacking formalism. Hidden

324 views • 19 slides
Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security

Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security

Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security Symposium, 2008 Many Protocols Authentication and key exchange SSL/TLS, Kerberos, IKE, JFK, IKEv2, Wireless and mobile computing Mobile IP, WEP,

959 views • 71 slides
Introduction to Network Security Security Chapter 7 Transport Layer Protocols Dr. Doug

Introduction to Network Security Security Chapter 7 Transport Layer Protocols Dr. Doug

Introduction to Network Security Security Chapter 7 Transport Layer Protocols Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics TCP Layer Responsible for reliable end-to-end transfer of application data.

632 views • 32 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
Introduction to Network Security Chapter 6 Network Layer Protocols Dr. Doug Jacobson -

Introduction to Network Security Chapter 6 Network Layer Protocols Dr. Doug Jacobson -

Introduction to Network Security Chapter 6 Network Layer Protocols Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics The network layer IP V4 BOOTP & DHCP IP V6 Common IP countermeasures Dr.

1.88k views • 152 slides
23-04-18 Advanced Network Security 3. Agreement and consensus I: concepts and protocols for

23-04-18 Advanced Network Security 3. Agreement and consensus I: concepts and protocols for

23-04-18 Advanced Network Security 3. Agreement and consensus I: concepts and protocols for crash failures Jaap-Henk Hoepman Digital Security (DS) Radboud University Nijmegen, the Netherlands @xotoxot // * jhh@cs.ru.nl // 8 www.cs.ru.nl/~jhh

115 views • 8 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography and system mechanisms meet They allow trust to be taken from where it exists to where it s needed But they are

941 views • 67 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security

Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security

Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security Protocols Application layer security (email) PGP, S/MIME Transport layer security Bart Preneel SSL / TLS June 2003 Network layer

571 views • 19 slides
Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols 01 Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief introduction to security protocols; Model checking of security protocols, particularly using the process

1.28k views • 110 slides
Introduction to Network Security Chapter 7 Transport Layer Protocols Dr. Doug Jacobson -

Introduction to Network Security Chapter 7 Transport Layer Protocols Dr. Doug Jacobson -

Introduction to Network Security Chapter 7 Transport Layer Protocols Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics TCP Layer Responsible for reliable end-to-end transfer of application data. TCP

912 views • 64 slides
Security Bugs in Protocols are Really Bad! Marsh Ray PhoneFactor Protocol Bugs Objectives

Security Bugs in Protocols are Really Bad! Marsh Ray PhoneFactor Protocol Bugs Objectives

Security Bugs in Protocols are Really Bad! Marsh Ray PhoneFactor Protocol Bugs Objectives Discuss the complexities in mitigating security bugs occurring in network protocols. Describe some current issues. Leave time for Q&A.

631 views • 50 slides
Security Analysis of Network Protocols John Mitchell Reference:

Security Analysis of Network Protocols John Mitchell Reference:

CS259 Winter 2008 Security Analysis of Network Protocols John Mitchell Reference: http://www.stanford.edu/class/cs259/ Course organization Lectures Tues, Thurs for approx first six weeks of quarter Project presentations in 3

805 views • 42 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Cryptographic Protocols and Network Security G. Sivakumar Computer Science and Engineering IIT

Cryptographic Protocols and Network Security G. Sivakumar Computer Science and Engineering IIT

Some Puzzles Security Connection Cryptography Need For Formal Methods Cryptographic Protocols and Network Security G. Sivakumar Computer Science and Engineering IIT Bombay siva@iitb.ac.in Oct 14, 2004 G. Sivakumar Computer Science and

671 views • 43 slides
Wireless Networks: Network Protocols/Mobile IP Mo$va$on

Wireless Networks: Network Protocols/Mobile IP Mo$va$on

Wireless Networks: Network Protocols/Mobile IP Mo$va$on Problems Data transfer DHCP Encapsula$on Security IPv6 Adapted from J. Schiller,

441 views • 29 slides
Network Security Protocols: Analysis methods and standards John Mitchell Stanford University

Network Security Protocols: Analysis methods and standards John Mitchell Stanford University

Network Security Protocols: Analysis methods and standards John Mitchell Stanford University Joint work with many students, postdocs, collaborators TRUST : Team for Research in Ubiquitous Secure Technologies NSF Science and Technology Center

536 views • 40 slides
Chapter 12 Network Organization and Architecture 2 12.4 Network Protocols I 12.6 Network

Chapter 12 Network Organization and Architecture 2 12.4 Network Protocols I 12.6 Network

Chapter 12 Objectives Learn the basic physical components of networks. Become familiar with routing protocols. Chapter 12 Network Organization and Architecture 2 12.4 Network Protocols I 12.6 Network Organization ISO/OSI Reference

554 views • 11 slides
Chapter 12 Network Organization and Architecture 2 12.4 Network Protocols I 12.6 Network

Chapter 12 Network Organization and Architecture 2 12.4 Network Protocols I 12.6 Network

Chapter 12 Objectives Learn the basic physical components of networks. Become familiar with routing protocols. Chapter 12 Network Organization and Architecture 2 12.4 Network Protocols I 12.6 Network Organization ISO/OSI Reference

475 views • 11 slides
Mobile Communications Chapter 8: Network Protocols/Mobile IP Motivation Problems Data

Mobile Communications Chapter 8: Network Protocols/Mobile IP Motivation Problems Data

Mobile Communications Chapter 8: Network Protocols/Mobile IP Motivation Problems Data transfer Micro mobility support Encapsulation DHCP Security Ad-hoc networks IPv6 Routing protocols Prof. Dr.-Ing. Jochen

984 views • 39 slides
Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval, Steve Kremer, Itsaka Rakotonirina Inria Nancy Grand-Est Security protocols TLS Wifi @ PASS E-voting E-passport 2 24 Security protocols

830 views • 69 slides

More recommend