automatic verification of cryptographic protocols in the
play

Automatic Verification of Cryptographic Protocols in the Symbolic - PowerPoint PPT Presentation

Apr 13, 2023 •221 likes •1.56k views

Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier ProVerif Bruno Blanchet INRIA Paris-Rocquencourt Bruno.Blanchet@inria.fr September 2013 Bruno Blanchet (INRIA) ProVerif September 2013 1 / 114

  1. Example (7) → ( ν sk A )( ν sk B ) ( ν k ) c � pencrypt(sign( k , sk A ) , pk( sk B )) � . ( c ( x ) . let s = sdecrypt( x , k ) in 0 c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � | ! c ( x pk B ) . . . . | ! c ( y ) . . . . ) Bruno Blanchet (INRIA) ProVerif September 2013 24 / 114

  2. Example (8) ≡ ( ν sk A )( ν sk B )( ν k ) c � pencrypt(sign( k , sk A ) , pk( sk B )) � . ( c ( x ) . let s = sdecrypt( x , k ) in 0 c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k ′ = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ′ ) � ) | ! c ( x pk B ) . . . . | ! c ( y ) . . . . ) Bruno Blanchet (INRIA) ProVerif September 2013 25 / 114

  3. Example (9) → ∗ ( ν sk A )( ν sk B )( ν k ) ( c ( x ) . let s = sdecrypt( x , k ) in 0 let y ′ = pdecrypt(pencrypt(sign( k , sk A ) , pk( sk B )) , sk B ) in | let k ′ = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ′ ) � | ! c ( x pk B ) . . . . | ! c ( y ) . . . . ) Bruno Blanchet (INRIA) ProVerif September 2013 26 / 114

  4. Example (10) → ∗ ( ν sk A )( ν sk B )( ν k ) ( c ( x ) . let s = sdecrypt( x , k ) in 0 | c � sencrypt(s , k ) � | ! c ( x pk B ) . . . . | ! c ( y ) . . . . ) Bruno Blanchet (INRIA) ProVerif September 2013 27 / 114

  5. Example (11) → ∗ ( ν sk A )( ν sk B )( ν k ) ( let s = sdecrypt(sencrypt(s , k ) , k ) in 0 | ! c ( x pk B ) . . . . | ! c ( y ) . . . . ) Bruno Blanchet (INRIA) ProVerif September 2013 28 / 114

  6. Another presentation of the semantics Semantic configurations are E , P where E is a set of names P is a multiset of processes Intuitively, E , P where E = { a 1 , . . . , a n } and P = { P 1 , . . . , P m } corresponds to ( ν a 1 ) . . . ( ν a n )( P 1 | . . . | P m ) Initial configuration for P : fn( P ) , { P } . Bruno Blanchet (INRIA) ProVerif September 2013 29 / 114

  7. Another presentation of the semantics: reduction relation E , P ∪ { 0 } → E , P (Red Nil) E , P ∪ { ! P } → E , P ∪ { P , ! P } (Red Repl) E , P ∪ { P | Q } → E , P ∪ { P , Q } (Red Par) E , P ∪ { ( ν a ) P } → E ∪ { a ′ } , P ∪ { P { a ′ / a } } (Red Res) where a ′ / ∈ E . E , P ∪ { N � M � . Q , N ( x ) . P } → E , P ∪ { Q , P { M / x } } (Red I/O) E , P ∪ { let x = g ( M 1 , . . . , M n ) in P else Q } → E , P ∪ { P { M ′ / x } } if g ( M 1 , . . . , M n ) → M ′ (Red Destr 1) E , P ∪ { let x = g ( M 1 , . . . , M n ) in P else Q } → E , P ∪ { Q } if there exists no M ′ such that g ( M 1 , . . . , M n ) → M ′ (Red Destr 2) Bruno Blanchet (INRIA) ProVerif September 2013 30 / 114

  8. Example { c } , { c ( xpk A ) . c ( xpk B ) . c � xpk B � | ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . ( ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk A ) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 31 / 114

  9. Example (2) → { c } , { c ( xpk A ) . c ( xpk B ) . c � xpk B � , ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . ( ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk A ) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 32 / 114

  10. Example (2) → { c } , { c ( xpk A ) . c ( xpk B ) . c � xpk B � , ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . ( ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk A ) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 32 / 114

  11. Example (3) → ∗ { c , sk A , sk B } , { c ( xpk A ) . c ( xpk B ) . c � xpk B � , let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . ( ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk A ) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 33 / 114

  12. Example (3) → ∗ { c , sk A , sk B } , { c ( xpk A ) . c ( xpk B ) . c � xpk B � , let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . ( ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk A ) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 33 / 114

  13. Example (4) → ∗ { c , sk A , sk B } , { c ( xpk A ) . c ( xpk B ) . c � xpk B � , c � pk( sk A ) � . c � pk( sk B ) � . ( ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 34 / 114

  14. Example (4) → ∗ { c , sk A , sk B } , { c ( xpk A ) . c ( xpk B ) . c � xpk B � , c � pk( sk A ) � . c � pk( sk B ) � . ( ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 34 / 114

  15. Example (5) → ∗ { c , sk A , sk B } , { c � pk( sk B ) � , ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . ( c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 35 / 114

  16. Example (5) → ∗ { c , sk A , sk B } , { c � pk( sk B ) � , ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . ( c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in | let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 35 / 114

  17. Example (6) → { c , sk A , sk B } , { c � pk( sk B ) � , ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 36 / 114

  18. Example (6) → { c , sk A , sk B } , { c � pk( sk B ) � , ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 36 / 114

  19. Example (7) → { c , sk A , sk B } , { c � pk( sk B ) � , c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 , ! c ( x pk B ) . . . . , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 37 / 114

  20. Example (7) → { c , sk A , sk B } , { c � pk( sk B ) � , c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 , ! c ( x pk B ) . . . . , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 37 / 114

  21. Example (8) → { c , sk A , sk B } , { ( ν k ) c � pencrypt(sign( k , sk A ) , pk( sk B )) � . c ( x ) . let s = sdecrypt( x , k ) in 0 , ! c ( x pk B ) . . . . , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 38 / 114

  22. Example (8) → { c , sk A , sk B } , { ( ν k ) c � pencrypt(sign( k , sk A ) , pk( sk B )) � . c ( x ) . let s = sdecrypt( x , k ) in 0 , ! c ( x pk B ) . . . . , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 38 / 114

  23. Example (9) → { c , sk A , sk B , k ′ } , c � pencrypt(sign( k ′ , sk A ) , pk( sk B )) � . { c ( x ) . let s = sdecrypt( x , k ′ ) in 0 , ! c ( x pk B ) . . . . , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 39 / 114

  24. Example (9) → { c , sk A , sk B , k ′ } , c � pencrypt(sign( k ′ , sk A ) , pk( sk B )) � . { c ( x ) . let s = sdecrypt( x , k ′ ) in 0 , ! c ( x pk B ) . . . . , ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) } Bruno Blanchet (INRIA) ProVerif September 2013 39 / 114

  25. Example (10) → ∗ { c , sk A , sk B , k ′ } , c ( x ) . let s = sdecrypt( x , k ′ ) in 0 , { ! c ( x pk B ) . . . . , let y ′ = pdecrypt(pencrypt(sign( k ′ , sk A ) , pk( sk B )) , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) ! c ( y ) . . . . } Bruno Blanchet (INRIA) ProVerif September 2013 40 / 114

  26. Example (10) → ∗ { c , sk A , sk B , k ′ } , c ( x ) . let s = sdecrypt( x , k ′ ) in 0 , { ! c ( x pk B ) . . . . , let y ′ = pdecrypt(pencrypt(sign( k ′ , sk A ) , pk( sk B )) , sk B ) in let k = checksign( y ′ , pk( sk A )) in c � sencrypt(s , k ) � ) ! c ( y ) . . . . } Bruno Blanchet (INRIA) ProVerif September 2013 40 / 114

  27. Example (11) → ∗ { c , sk A , sk B , k ′ } , c ( x ) . let s = sdecrypt( x , k ′ ) in 0 , { ! c ( x pk B ) . . . . , c � sencrypt(s , k ′ ) � ) ! c ( y ) . . . . } Bruno Blanchet (INRIA) ProVerif September 2013 41 / 114

  28. Example (11) → ∗ { c , sk A , sk B , k ′ } , c ( x ) . let s = sdecrypt( x , k ′ ) in 0 , { ! c ( x pk B ) . . . . , c � sencrypt(s , k ′ ) � ) ! c ( y ) . . . . } Bruno Blanchet (INRIA) ProVerif September 2013 41 / 114

  29. Example (12) → { c , sk A , sk B , k ′ } , let s = sdecrypt(sencrypt(s , k ′ ) , k ′ ) in 0 , { ! c ( x pk B ) . . . . , ! c ( y ) . . . . } Bruno Blanchet (INRIA) ProVerif September 2013 42 / 114

  30. Example (12) → { c , sk A , sk B , k ′ } , let s = sdecrypt(sencrypt(s , k ′ ) , k ′ ) in 0 , { ! c ( x pk B ) . . . . , ! c ( y ) . . . . } Bruno Blanchet (INRIA) ProVerif September 2013 42 / 114

  31. Comparison between the two semantics The first semantics is more standard (comes from the original semantics of the pi calculus) makes it easier to add a context around an existing process (see definition of process equivalence) The second semantics directs the reduction more precisely makes a minimal use of renaming (for restrictions only) Except when mentioned explicitly, I will rely on the second semantics. Bruno Blanchet (INRIA) ProVerif September 2013 43 / 114

  32. Adversary The protocol is executed in parallel with an adversary. The adversary can be any process. S = finite set of names (initial knowledge of the adversary). Definition The closed process Q is an S -adversary ⇔ fn( Q ) ⊆ S . Bruno Blanchet (INRIA) ProVerif September 2013 44 / 114

  33. Secrecy Intuitive definition The secret M cannot be output on a public channel Definition A trace T = E 0 , P 0 → ∗ E ′ , P ′ outputs M if and only if T contains a reduction E , P ∪ { c � M � . Q , c ( x ) . P } → E , P ∪ { Q , P { M / x } } for some E , P , x , P , Q , and c ∈ S . Definition The closed process P preserves the secrecy of M from S ⇔ ∀ S -adversary Q , ∀T = fn( P ) ∪ S , { P , Q } → ∗ E ′ , P ′ , T does not output M . Bruno Blanchet (INRIA) ProVerif September 2013 45 / 114

  34. Several variants of the spi calculus Presented variant [Abadi, Blanchet, POPL’02 and JACM’05] The spi-calculus [Abadi, Gordon, I&C, 1999] The applied pi calculus [Abadi, Fournet, POPL’01] Very powerful, thanks to equational theories A calculus for asymmetric communication [Abadi, Blanchet, FoSSaCS’01 and TCS’03] Bruno Blanchet (INRIA) ProVerif September 2013 46 / 114

  35. Overview 1. A variant of the spi-calculus 2. Intuitive presentation of the Horn clause representation 3. The resolution algorithm 4. Formal translation from the spi-calculus. 5. Extension to correspondences Bruno Blanchet (INRIA) ProVerif September 2013 47 / 114

  36. ProVerif ProVerif is a verifier for cryptographic protocols Fully automatic For an unbounded number of sessions and an unbounded message size Undecidable problem ⇒ need for abstractions Handles a wide range of cryptographic primitives, defined by rewrite rules or equations Proves various security properties: secrecy, correspondences, some equivalences Does not always terminate and is not complete. In practice: Efficient: small examples verified in less than 0.1 s; complex ones in a few minutes. Very precise: no false attack in our tests for secrecy and authentication. Bruno Blanchet (INRIA) ProVerif September 2013 48 / 114

  37. Our solution Two ideas (extending [Weidenbach, CADE’99]): a simple abstract representation of protocols, by a set of Horn clauses; an efficient resolution algorithm to find which facts can be derived from these clauses. Using these ideas, we can prove secrecy properties of protocols, or exhibit attacks showing why a message is not secret. Bruno Blanchet (INRIA) ProVerif September 2013 49 / 114

  38. Protocol representation Messages � terms M ::= x | f ( M 1 , . . . , M n ) | k [ M 1 , . . . , M n ] pencrypt( c 0 , pk( sk A )). Properties � facts F ::= attacker( M ). Protocol, attacker � Horn clauses F 1 ∧ . . . ∧ F n ⇒ F attacker( m ) ∧ attacker( pk ) ⇒ attacker(pencrypt( m , pk )). Bruno Blanchet (INRIA) ProVerif September 2013 50 / 114

  39. Example - Cryptographic primitives Public-key encryption: Encryption pencrypt( m , pk ). attacker( m ) ∧ attacker( pk ) ⇒ attacker(pencrypt( m , pk )) Public key generation pk( sk ). (builds a public key from a secret key) attacker( sk ) ⇒ attacker(pk( sk )) Decryption pdecrypt(pencrypt( m , pk( sk )) , sk ) → m . attacker(pencrypt( m , pk( sk ))) ∧ attacker( sk ) ⇒ attacker( m ) Bruno Blanchet (INRIA) ProVerif September 2013 51 / 114

  40. General treatment of primitives Constructors f ( M 1 , . . . , M n ) attacker( x 1 ) ∧ . . . ∧ attacker( x n ) ⇒ attacker( f ( x 1 , . . . , x n )) Destructors g ( M 1 , . . . , M n ) → M attacker( M 1 ) ∧ . . . ∧ attacker( M n ) ⇒ attacker( M ) (There may be several rewrite rules defining a function.) Exercise Give clauses for shared-key encryption and signatures Bruno Blanchet (INRIA) ProVerif September 2013 52 / 114

  41. Initial knowledge Clauses that represent the initial knowledge of the adversary: attacker( M ) if the adversary knows M . Example For the Denning-Sacco protocol: attacker(pk( sk A )) attacker(pk( sk B )) Bruno Blanchet (INRIA) ProVerif September 2013 53 / 114

  42. Names Normally, fresh names are created each time the protocol is run. Here, we only distinguish two names when they are created after receiving different messages. Each name k becomes a function of the messages previously received: k [ M 1 , . . . , M n ] . (Skolemisation) These functions can only be applied by the principal that creates the name, not by the attacker. The attacker can create his own fresh names: attacker( b [ ]). Bruno Blanchet (INRIA) ProVerif September 2013 54 / 114

  43. Denning-Sacco protocol A → B : {{ k } sk A } pk B k fresh A talks to any principal represented by its public key pk( x ). A sends to it the message {{ k } sk A } pk( x ) . attacker(pk( x )) ⇒ attacker(pencrypt(sign( k [pk( x )] , sk A [ ]) , pk( x ))). B → A : { s } k B has received a message {{ y } sk A } pk B . B sends { s } y . attacker(pencrypt(sign( y , sk A [ ]) , pk( sk B [ ]))) ⇒ attacker(sencrypt(s , y )). Bruno Blanchet (INRIA) ProVerif September 2013 55 / 114

  44. General coding of a protocol If a principal A has received the messages M 1 , . . . , M n and sends the message M , attacker( M 1 ) ∧ . . . ∧ attacker( M n ) ⇒ attacker( M ) . Exercise Give Horn clauses for the Needham-Schroeder public key protocol: Message 1. A → B { N a , A } pk B N a fresh B → A { N a , N b } pk A Message 2. N b fresh Message 3. A → B { N b } pk B Bruno Blanchet (INRIA) ProVerif September 2013 56 / 114

  45. Approximations The freshness of nonces is partially modeled. The number of times a message appears is ignored, only the fact that is has appeared is taken into account. The state of the principals is not fully modeled. These approximations are keys for an efficient verification. Solve the state space explosion problem. No limit on the number of runs of the protocols. ⇒ essential for the certification of protocols. Bruno Blanchet (INRIA) ProVerif September 2013 57 / 114

  46. Approximations: a more formal view We can show formally by abstract interpretation that, with respect to the multiset rewriting model, the only approximation is that the number of repetitions of actions is ignored [Blanchet, IPL, 2005]. Multiset rewriting ⇔ linear logic After approximation: classical logic The modeling of names by skolemisation does not introduce an approximation in classical logic. Typical situation in which the proof fails: a protocol first needs to keep some data secret, and later reveals it. Bruno Blanchet (INRIA) ProVerif September 2013 58 / 114

  47. Secrecy Secrecy criterion If attacker( M ) cannot be derived from the clauses, then M is secret. The term M cannot be built by an attacker. The resolution algorithm will determine whether a given fact can be derived from the clauses. Bruno Blanchet (INRIA) ProVerif September 2013 59 / 114

  48. Overview 1. A variant of the spi-calculus 2. Intuitive presentation of the Horn clause representation 3. The resolution algorithm 4. Formal translation from the spi-calculus. 5. Extension to correspondences Bruno Blanchet (INRIA) ProVerif September 2013 60 / 114

  49. Which resolution algorithm A standard Prolog system would not terminate: attacker(sencrypt( x , y )) ∧ attacker( y ) ⇒ attacker( x ) generates bigger and bigger facts by SLD-resolution. We need a different resolution strategy. Bruno Blanchet (INRIA) ProVerif September 2013 61 / 114

  50. Saturation Completion of the clause base, by resolution with free selection. Selection function sel ( F 1 ∧ . . . ∧ F n ⇒ F ) ∈ { F 1 , . . . , F n , F } .  F if ∀ i ∈ { 1 , . . . , n } , F i = attacker( x )   sel ( F 1 ∧ . . . ∧ F n ⇒ F ) = F i different from attacker( x ),  of maximal size, otherwise  Bruno Blanchet (INRIA) ProVerif September 2013 62 / 114

  51. Saturation (2) R ′ = F ′ 1 ∧ . . . ∧ F ′ n ′ ⇒ F ′ R = F 1 ∧ . . . ∧ F n ⇒ F σ F 1 ∧ . . . ∧ σ F n ∧ σ F ′ 2 ∧ . . . ∧ σ F ′ n ′ ⇒ σ F ′ where σ is the most general unifier of F and F ′ 1 , where sel ( R ) = F , and sel ( R ′ ) = F ′ 1 . Starting from an initial set of clauses R 0 , perform this resolution step until a fixed point is reached, eliminating subsumed clauses: H ⇒ C subsumes H ′ ⇒ C ′ when there exists σ such that σ H ⊆ H ′ (multiset inclusion) and σ C = C ′ . saturate ( R 0 ) is the set of obtained clauses R such that sel ( R ) is the conclusion of R . Bruno Blanchet (INRIA) ProVerif September 2013 63 / 114

  52. Saturation (3) Example of a step: attacker( x ) ∧ attacker( y ) ⇒ attacker(pencrypt( x , y )) attacker(pencrypt(sign( z , sk A [ ]) , pk( sk B [ ]))) ⇒ attacker(sencrypt(s , z )) attacker(sign( z , sk A [ ])) ∧ attacker(pk( sk B [ ])) ⇒ attacker(sencrypt(s , z )) Theorem The clauses obtained after saturation saturate ( R 0 ) derive the same facts as the initial clauses R 0 . Bruno Blanchet (INRIA) ProVerif September 2013 64 / 114

  53. Why it works The facts attacker( x ) unify with all facts attacker( M ). If we allow resolution on facts attacker( x ), we will create many clauses. The choice of the selection function implies that we avoid performing resolution upon attacker( x ). ⇒ This is key to obtaining termination in most cases. Bruno Blanchet (INRIA) ProVerif September 2013 65 / 114

  54. Derivation Let F be a closed fact. 1 Add the clause F ⇒ bad: R ′ 0 = R 0 ∪ { F ⇒ bad } . 2 Let deriv R 0 ( F ) be true if and only if saturate ( R ′ 0 ) contains a clause H ⇒ bad for some H . If F is derivable from R 0 then bad is derivable from R ′ 0 then bad is derivable from saturate ( R ′ 0 ) (previous theorem) then deriv R 0 ( F ) is true. If deriv R 0 ( F ) is false, then F is not derivable from R 0 . Technique similar to the ordered resolution with selection [Weidenbach, CADE’99]. Bruno Blanchet (INRIA) ProVerif September 2013 66 / 114

  55. Optimizations Elimination of tautologies Elimination of duplicate hypotheses Elimination of hypotheses attacker( x ) when x does not appear elsewhere. Tuples Secrecy assumptions: use conjectures to prune the search space. Bruno Blanchet (INRIA) ProVerif September 2013 67 / 114

  56. Termination The saturation algorithm does not always terminate, but we have proved that it terminates for tagged protocols That is, when each encryption, signature, ... is distinguished from others by a constant tag c i { c i , M 1 , ..., M n } K Large class of protocols Easy to add tags Good design practice [Blanchet, Podelski, Fossacs’03] Bruno Blanchet (INRIA) ProVerif September 2013 68 / 114

  57. Overview 1. A variant of the spi-calculus 2. Intuitive presentation of the Horn clause representation 3. The resolution algorithm 4. Formal translation from the spi-calculus. 5. Extension to correspondences Bruno Blanchet (INRIA) ProVerif September 2013 69 / 114

  58. Translation pi + crypto → Horn clauses We consider a protocol P 0 , executed in the presence of an S -adversary. A protocol is translated into a set of Horn clauses using 2 predicates: attacker( p ) the adversary may have p the message p ′ may be sent on the channel p mess( p , p ′ ) Bruno Blanchet (INRIA) ProVerif September 2013 70 / 114

  59. Translation: attacker clauses For each a ∈ S , attacker( a [ ]) (Init) attacker( b [ ]) where b does not occur in P 0 (Name gen) For each constructor f of arity n , (Constr) attacker( x 1 ) ∧ . . . ∧ attacker( x n ) ⇒ attacker( f ( x 1 , . . . , x n )) For each destructor g , for each rewrite rule g ( M 1 , . . . , M n ) → M , attacker( M 1 ) ∧ . . . ∧ attacker( M n ) ⇒ attacker( M ) (Destr) mess( x , y ) ∧ attacker( x ) ⇒ attacker( y ) (Listen) attacker( x ) ∧ attacker( y ) ⇒ mess( x , y ) (Send) Bruno Blanchet (INRIA) ProVerif September 2013 71 / 114

  60. Translation: protocol clauses ρ : environment (variables, names �→ patterns) h : hypothesis (messages that must be received before reaching the current process) [ [0] ] ρ h = ∅ , [ [ P | Q ] ] ρ h = [ [ P ] ] ρ h ∪ [ [ Q ] ] ρ h , [ [! P ] ] ρ h = [ [ P ] ] ρ h [ [( ν a ) P ] ] ρ h = [ [ P ] ]( ρ [ a �→ a [ p 1 , . . . , p n ]]) h when h = mess( c 1 , p 1 ) ∧ . . . ∧ mess( c n , p n ). Bruno Blanchet (INRIA) ProVerif September 2013 72 / 114

  61. Translation: protocol clauses (continued) ]( ρ [ x �→ x ′ ])( h ∧ mess( ρ ( M ) , x ′ )) [ [ M ( x ) . P ] ] ρ h = [ [ P ] x ′ new variable [ M � N � . P ] ] ρ h ∪ { h ⇒ mess( ρ ( M ) , ρ ( N )) } [ ] ρ h = [ [ P ] [ [ if M = N then P else Q ] ] ρ h = [ [ P ] ]( σρ )( σ h ) ∪ [ [ Q ] ] ρ h where σ is the most general unifier of ρ ( M ) and ρ ( N ). [ [ let x = g ( M 1 , . . . , M n ) in P else Q ] ] ρ h = n ) → p ′ is a rewrite rule of g ](( σρ )[ x �→ σ ′ p ′ ])( σ h ) | g ( p ′ 1 , . . . , p ′ ∪{ [ [ P ] and ( σ, σ ′ ) is a most general pair of substitutions such that σρ ( M 1 ) = σ ′ p ′ 1 , . . . , σρ ( M n ) = σ ′ p ′ n } ∪ [ [ Q ] ] ρ h . Bruno Blanchet (INRIA) ProVerif September 2013 73 / 114

  62. Example: Denning-Sacco protocol Message 1. A → B : {{ k } sk A } pk B k fresh Message 2. B → A : { s } k ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . ( A ) ! c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 ! c ( y ) . let y ′ = pdecrypt( y , sk B ) in ( B ) | let k = checksign( y ′ , pk A ) in c � sencrypt(s , k ) � Bruno Blanchet (INRIA) ProVerif September 2013 74 / 114

  63. Example: protocol clauses P 0 = ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . (! P A | ! P B ) [ [ P 0 ] ] { c �→ c [ ] }∅ Bruno Blanchet (INRIA) ProVerif September 2013 75 / 114

  64. Example: protocol clauses P 0 = ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . (! P A | ! P B ) [ [ P 0 ] ] { c �→ c [ ] }∅ = [ [ let . . . ] ] { c �→ c [ ] , sk A �→ sk A [ ] , sk B �→ sk B [ ] }∅ Bruno Blanchet (INRIA) ProVerif September 2013 75 / 114

  65. Example: protocol clauses P 0 = ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . (! P A | ! P B ) [ [ P 0 ] ] { c �→ c [ ] }∅ = [ [ let . . . ] ] { c �→ c [ ] , sk A �→ sk A [ ] , sk B �→ sk B [ ] }∅ = [ [ c � pk A � . . . ] ] ρ 0 ∅ ρ 0 = { c �→ c [ ] , sk A �→ sk A [ ] , sk B �→ sk B [ ] , pk A �→ pk( sk A [ ]) , pk B �→ pk( sk B [ ]) } Bruno Blanchet (INRIA) ProVerif September 2013 75 / 114

  66. Example: protocol clauses P 0 = ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . (! P A | ! P B ) [ [ P 0 ] ] { c �→ c [ ] }∅ = [ [ let . . . ] ] { c �→ c [ ] , sk A �→ sk A [ ] , sk B �→ sk B [ ] }∅ = [ [ c � pk A � . . . ] ] ρ 0 ∅ ρ 0 = { c �→ c [ ] , sk A �→ sk A [ ] , sk B �→ sk B [ ] , pk A �→ pk( sk A [ ]) , pk B �→ pk( sk B [ ]) } = [ [! P A | ! P B ] ] ρ 0 ∅ ∪ { mess( c [ ] , pk( sk A [ ])) , comes from c � pk A � mess( c [ ] , pk( sk B [ ])) } comes from c � pk B � Bruno Blanchet (INRIA) ProVerif September 2013 75 / 114

  67. Example: protocol clauses P 0 = ( ν sk A )( ν sk B ) let pk A = pk( sk A ) in let pk B = pk( sk B ) in c � pk A � . c � pk B � . (! P A | ! P B ) [ [ P 0 ] ] { c �→ c [ ] }∅ = [ [ let . . . ] ] { c �→ c [ ] , sk A �→ sk A [ ] , sk B �→ sk B [ ] }∅ [ c � pk A � . . . ] ] ρ 0 ∅ = [ ρ 0 = { c �→ c [ ] , sk A �→ sk A [ ] , sk B �→ sk B [ ] , pk A �→ pk( sk A [ ]) , pk B �→ pk( sk B [ ]) } = [ [! P A | ! P B ] ] ρ 0 ∅ ∪ { mess( c [ ] , pk( sk A [ ])) , comes from c � pk A � mess( c [ ] , pk( sk B [ ])) } comes from c � pk B � ] ρ 0 ∅ ∪ [ ] ρ 0 ∅ ∪ { attacker(pk( sk A [ ])) , attacker(pk( sk B [ ])) } = [ [ P A ] [ P B ] attacker( p ) is equivalent to mess( c [ ] , p ) when c ∈ S , by (Listen) and (Send). Bruno Blanchet (INRIA) ProVerif September 2013 75 / 114

  68. Example: protocol clauses (A) P A = c ( x pk B ) . ( ν k ) c � pencrypt(sign( k , sk A ) , x pk B ) � . c ( x ) . let s = sdecrypt( x , k ) in 0 [ [ P A ] ] ρ 0 ∅ ] ρ 0 [ x pk B �→ x pk B ] mess( c [ ] , x pk B ) = [ [( ν k ) . . . ] [ c � pencrypt( . . . ) � . . . ] ] ρ 0 [ x pk B �→ x pk B , k �→ k [ x pk B ] ] mess( c [ ] , x pk B ) = [ = [ [ c ( x ) . . . ] ] ρ 0 [ x pk B �→ x pk B , k �→ k [ x pk B ] ] mess( c [ ] , x pk B ) ∪ { mess( c [ ] , x pk B ) ⇒ mess( c [ ] , pencrypt(sign( k [ x pk B ] , sk A [ ]) , x pk B )) } = { mess( c [ ] , x pk B ) ⇒ mess( c [ ] , pencrypt(sign( k [ x pk B ] , sk A [ ]) , x pk B )) } Bruno Blanchet (INRIA) ProVerif September 2013 76 / 114

  69. Example: protocol clauses (B) P B = c ( y ) . let y ′ = pdecrypt( y , sk B ) in let k = checksign( y ′ , pk A ) in c � sencrypt(s , k ) � [ [ P B ] ] ρ 0 ∅ [ let y ′ . . . ] = [ ] ρ 0 [ y �→ y ] mess( c [ ] , y ) ] ρ 0 [ y �→ pencrypt( y ′ , pk( sk B [ ])) , y ′ �→ y ′ ] = [ [ let k . . . ] mess( c [ ] , pencrypt( y ′ , pk( sk B [ ]))) ] ρ 0 [ y �→ pencrypt(sign( k , sk A [ ]) , pk( sk B [ ])) , y ′ �→ sign( k , sk A [ ]) , = [ [ c � . . . � ] k �→ k ] mess( c [ ] , pencrypt(sign( k , sk A [ ]) , pk( sk B [ ]))) = { mess( c [ ] , pencrypt(sign( k , sk A [ ]) , pk( sk B [ ]))) ⇒ mess( c [ ] , sencrypt(s , k )) } Bruno Blanchet (INRIA) ProVerif September 2013 77 / 114

  70. Proof of secrecy Closed process: P 0 Initial knowledge of the adversary: S finite set of names Clauses for the protocol and the adversary: R P 0 , S . Theorem If attacker(s) cannot be derived from R P 0 , S , then P 0 preserves the secrecy of s from S. Theorem If deriv R P 0 , S (attacker(s)) is false, then P 0 preserves the secrecy of s from S. Bruno Blanchet (INRIA) ProVerif September 2013 78 / 114

  71. Example For the Denning-Sacco protocol, attacker(s) is derivable from the clauses. The derivation corresponds to the description of the known attack. For the corrected version, attacker(s) is not derivable from the clauses: s is secret. Bruno Blanchet (INRIA) ProVerif September 2013 79 / 114

  72. Demo Demo: Denning-Sacco protocol examplesnd/demosimp/pidenning-sacco-orig examplesnd/demosimp/pidenning-sacco-corr-orig Needham-Schroeder public-key protocol examplesnd/demosimp/pineedham-orig examplesnd/demosimp/pineedham-corr-orig Bruno Blanchet (INRIA) ProVerif September 2013 80 / 114

  73. Comparison with typing [Abadi, Blanchet, POPL’02 and JACM’05] We have defined a generic type system for the explained variant of the spi-calculus. Theorem A secrecy property can be proved by the Horn clause verifier ⇔ it can be proved by any instance of the type system. A tight relation between two superficially different frameworks. Bruno Blanchet (INRIA) ProVerif September 2013 81 / 114

  74. Extension to equational theories: Diffie-Hellman Goal: Establish a shared key between two participants g n 0 A → B : Message 1. n 0 fresh g n 1 Message 2. B → A : n 1 fresh A computes k = ( g n 1 ) n 0 , B computes k = ( g n 0 ) n 1 . The exponentiation is such that these quantities are equal. ( g n 1 ) n 0 = ( g n 0 ) n 1 The exponentiation is computed in a cyclic multiplicative subgroup G of Z ∗ p , where p is a prime and g is a generator of G . Bruno Blanchet (INRIA) ProVerif September 2013 82 / 114

  75. Extension to equational theories: Diffie-Hellman example Simplified version of the secure shell protocol (SSH): KExDHInit , g n 0 Message 1. C → S : n 0 fresh KExDHReply , pk S , g n 1 , { h } sk S Message 2. S → C : n 1 fresh where K = ( g n 1 ) n 0 = ( g n 0 ) n 1 and h = H (( pk S , g n 0 , g n 1 , K )). K and h are shared secrets between C (client) and S (server). They are used to compute encryption keys. Bruno Blanchet (INRIA) ProVerif September 2013 83 / 114

  76. Extension to equational theories: other examples XOR: associative, commutative, xor ( x , x ) = 0, xor ( x , 0) = x Primitives whose success is not observable (for decryption for instance) sdecrypt(sencrypt( x , y ) , y ) = x sencrypt(sdecrypt( x , y ) , y ) = x Subtle interactions between primitives Example: XOR and crc crc ( xor ( x , y )) = xor ( crc ( x ) , crc ( y )) Bruno Blanchet (INRIA) ProVerif September 2013 84 / 114

  77. Extension to equational theories We have built algorithms that translate the equations into a set of rewrite rules, which generates enough terms (equal modulo the equational theory). [Blanchet, Abadi, Fournet, JLAP’08] We have shown that, for each trace with equations, there is a corresponding trace with rewrite rules, and conversely. Efficient because it avoids unification modulo. (Standard syntactic resolution can still be used.) Still fairly limited, since it leads to non-termination for many equational theories. (For example, cannot handle theories that contain associativity.) Bruno Blanchet (INRIA) ProVerif September 2013 85 / 114

Recommend

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS blanchet@di.ens.fr September 2011 Bruno Blanchet (INRIA) ProVerif September 2011

1.55k views • 143 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018

1.23k views • 78 slides
Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of

605 views • 46 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Organization of the course Two

774 views • 74 slides
Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Introduction Formal models Adding equational theories Towards more guarantees Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/45 V eronique

785 views • 76 slides
Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security

Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security

Automatic Formal Analyses of Cryptographic Protocols 19th National Information Systems Security Conference October 22-25, 1996 Baltimore Convention Center Dr. Stephen H. Brackin Arca Systems, Inc. 303 E. Yates St., Ithaca, NY 14850

141 views • 12 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, July 12th, 2018 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure

849 views • 80 slides
Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday, June 29th, 2020 1/23 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure communication ( e.g.

900 views • 58 slides
Automatic Verification of non-silent Population Protocols Masters Thesis Martin Helfrich

Automatic Verification of non-silent Population Protocols Masters Thesis Martin Helfrich

Automatic Verification of non-silent Population Protocols Masters Thesis Martin Helfrich Technical University of Munich September 2019 Martin Helfrich (TUM) Verification of non-silent PP September 2019 1 / 31 Population Protocols Model

460 views • 31 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

1.92k views • 139 slides
Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu,

Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu,

Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu, Institute of Computer Science Agenda Introduction Probabilistic-spi calculus Security protocol verification Conclusion Q&A

633 views • 19 slides
First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols Peeter Laud peeter l@ut.ee Tartu Ulikool Cybernetica AS Teooriap aevad Arulas, 3.-5.02.2003 p.1/27 Overview Cryptographic protocols.

570 views • 27 slides
Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to

Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to

Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to Computer Security Announcements intermission Day 17: Crypto protocols and S protocols SSH Stephen McCamant University of Minnesota, Computer

338 views • 7 slides
Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why it was created? Cryptographic protocol Paper in 2004 by Ian Goldberg , Nikita Borisov and Eric Brewer Conversations in the

299 views • 18 slides
Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 1. Interactive Proofs and Zero-Knowledge Protocols 2. Secure Multi-Party Computation Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine Agreement Secure Multi-Party

170 views • 3 slides
The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS09, Shanghai, China October 13, 2009 Background Formal verification of security protocols from

312 views • 28 slides
Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic protocols and how to prove it? Yu ZHANG Including joint work with J. Goubault-Larrecq, D. Nowak and S. Lasota EVEREST, INRIA Sophia-Antipolis February

487 views • 37 slides

More recommend