can charlie distinguish alice and bob
play

Can Charlie distinguish Alice and Bob? Automated verification of - PowerPoint PPT Presentation

Jun 08, 2023 •219 likes •1.09k views

Can Charlie distinguish Alice and Bob? Automated verification of equivalence properties Steve Kremer joint work with: Myrto Arapinis, David Baelde, Rohit Chadha, Vincent Cheval, S tefan Ciob ac a, V eronique Cortier, St ephanie

  1. Can Charlie distinguish Alice and Bob? Automated verification of equivalence properties Steve Kremer joint work with: Myrto Arapinis, David Baelde, Rohit Chadha, Vincent Cheval, S ¸tefan Ciob˘ acˆ a, V´ eronique Cortier, St´ ephanie Delaune, Ivan Gazeau, Itsaka Rakotonirina, Mark Ryan 29th IEEE Computer Security Foundations Symposium 1/30

  2. Cryptographic protocols everywhere! ◮ Distributed programs that ◮ use crypto primitives (encryption, digital signature ,. . . ) ◮ to ensure security properties (confidentiality, authentication, anonymity,. . . ) 2/30

  3. Symbolic models for protocol verification Main ingredient of symbolic models ◮ messages = terms enc pair k s 1 s 2 ◮ perfect cryptography (equational theories) dec(enc( x , y ) , y ) = x fst(pair( x , y )) = x snd(pair( x , y )) = y ◮ the network is the attacker ◮ messages can be eavesdropped ◮ messages can be intercepted ◮ messages can be injected Dolev, Yao: On the Security of Public Key Protocols. FOCS’81 3/30

  4. Cryptographic protocols are tricky! 4/30

  5. Cryptographic protocols are tricky! Bhargavan et al.:FREAK, Logjam, SLOTH, . . . Cremers et al., S&P’16 4/30

  6. Cryptographic protocols are tricky! Arapinis et al., CCS’12 Bhargavan et al.:FREAK, Logjam, SLOTH, . . . Cremers et al., S&P’16 4/30

  7. Cryptographic protocols are tricky! Arapinis et al., CCS’12 Bhargavan et al.:FREAK, Logjam, SLOTH, . . . Cremers et al., S&P’16 Cortier & Smyth, CSF’11 4/30

  8. Cryptographic protocols are tricky! Arapinis et al., CCS’12 Bhargavan et al.:FREAK, Logjam, SLOTH, . . . Cremers et al., S&P’16 Cortier & Smyth, CSF’11 Steel et al., CSF’08, CCS’10 4/30

  9. Modelling the protocol Protocols modelled in a process calculus, e.g. the applied pi calculus P ::= 0 | in( c , x ) . P input | out( c , t ) . P output | if t 1 = t 2 then P else Q conditional | P | | Q parallel | ! P replication | new n . P restriction 5/30

  10. Modelling the protocol Protocols modelled in a process calculus, e.g. the applied pi calculus P ::= 0 | in( c , x ) . P input | out( c , t ) . P output | if t 1 = t 2 then P else Q conditional | P | | Q parallel | ! P replication | new n . P restriction Specificities: ◮ messages are terms (not just names as in the pi calculus) ◮ equality in conditionals interpreted modulo an equational theory 5/30

  11. Reasoning about attacker knowledge Terms output by a process are organised in a frame : n . { t 1 / x 1 , . . . , t n / x n } φ = new ¯ 6/30

  12. Reasoning about attacker knowledge Terms output by a process are organised in a frame : n . { t 1 / x 1 , . . . , t n / x n } φ = new ¯ Deducibility: φ ⊢ R t if R is a public term and R φ = E t Example ϕ = new n 1 , n 2 , k 1 , k 2 . { enc( n 1 , k 1 ) / x 1 , enc( n 2 , k 2 ) / x 2 , k 1 / x 3 } ϕ ⊢ dec( x 1 , x 3 ) n 1 ϕ ⊢ 1 1 ϕ �⊢ n 2 6/30

  13. Reasoning about attacker knowledge Terms output by a process are organised in a frame : n . { t 1 / x 1 , . . . , t n / x n } φ = new ¯ Static equivalence: φ 1 ∼ s φ 2 if ∀ public terms R , R ′ . R φ 1 = R ′ φ 1 ⇔ R φ 2 = R ′ φ 2 Examples new k . { enc( 0 , k ) / x 1 } ∼ s new k . { enc( 1 , k ) / x 1 } 6/30

  14. Reasoning about attacker knowledge Terms output by a process are organised in a frame : n . { t 1 / x 1 , . . . , t n / x n } φ = new ¯ Static equivalence: φ 1 ∼ s φ 2 if ∀ public terms R , R ′ . R φ 1 = R ′ φ 1 ⇔ R φ 2 = R ′ φ 2 Examples new n 1 , n 2 . { n 1 / x 1 , n 2 / x 2 } �∼ s new n 1 , n 2 . { n 1 / x 1 , n 1 / x 2 } ? Check ( x 1 = x 2 ) 6/30

  15. Reasoning about attacker knowledge Terms output by a process are organised in a frame : n . { t 1 / x 1 , . . . , t n / x n } φ = new ¯ Static equivalence: φ 1 ∼ s φ 2 if ∀ public terms R , R ′ . R φ 1 = R ′ φ 1 ⇔ R φ 2 = R ′ φ 2 Examples { enc( n , k ) / x 1 , k / x 2 } �∼ s { enc( 0 , k ) / x 1 , k / x 2 } Check ( dec ( x 1 , x 2 ) ? = 0 ) 6/30

  16. From authentication to privacy Many good tools: AVISPA, Casper, Maude-NPA, ProVerif, Scyther, Tamarin, . . . Good at verifying trace properties (predicates on system behavior), e.g., ◮ (weak) secrecy of a key ◮ authentication (correspondence properties) If B ended a session with A (and parameters p) then A must have started a session with B (and parameters p ′ ). 7/30

  17. From authentication to privacy Many good tools: AVISPA, Casper, Maude-NPA, ProVerif, Scyther, Tamarin, . . . Good at verifying trace properties (predicates on system behavior), e.g., ◮ (weak) secrecy of a key ◮ authentication (correspondence properties) If B ended a session with A (and parameters p) then A must have started a session with B (and parameters p ′ ). Not all properties can be expressed on a trace. � recent interest in indistinguishability properties . 7/30

  18. Indistinguishability as a process equivalence Naturally modelled using equivalences from process calculi Testing equivalence ( P ≈ Q ) for all processes A , we have that: A | P ⇓ c if, and only if, A | Q ⇓ c − → P ⇓ c when P can send a message on the channel c . 8/30

  19. A tour to the (equivalence) zoo testing equiv. obs. equiv. Abadi, Gordon. A Calculus for Cryptographic Protocols: The Spi Calculus. CCS’97, Inf.& Comp.’99 Abadi, Fournet. Mobile values, new names, and secure communication. POPL’01 9/30

  20. A tour to the (equivalence) zoo testing equiv. obs. equiv. labelled bisim. Abadi, Fournet. Mobile values, new names, and secure communication. POPL’01 9/30

  21. A tour to the (equivalence) zoo diff equiv. testing equiv. obs. equiv. labelled bisim. Blanchet et al.: Automated Verification of Selected Equivalences for Security Protocols. LICS’05 9/30

  22. A tour to the (equivalence) zoo diff equiv. testing equiv. obs. equiv. labelled bisim. Diff equivalence too fine grained for several properties. Blanchet et al.: Automated Verification of Selected Equivalences for Security Protocols. LICS’05 9/30

  23. A tour to the (equivalence) zoo diff equiv. testing equiv. obs. equiv. symbolic bisim. labelled bisim. Delaune et al. Symbolic bisimulation for the applied pi calculus. JCS’10 9/30

  24. A tour to the (equivalence) zoo diff equiv. testing equiv. obs. equiv. symbolic bisim. labelled bisim. Liu, Lin. A complete symbolic bisimulation for full applied pi calculus.TCS’12 9/30

  25. A tour to the (equivalence) zoo diff equiv. testing equiv. obs. equiv. trace equiv. symbolic bisim. labelled bisim. Cheval et al.: Deciding equivalence-based properties using constraint solving. TCS’13 9/30

  26. A tour to the (equivalence) zoo diff equiv. testing equiv. obs. equiv. trace equiv. symbolic bisim. labelled bisim. For a bounded number of sessions (no replication). Cheval et al.: Deciding equivalence-based properties using constraint solving. TCS’13 9/30

  27. A tour to the (equivalence) zoo diff equiv. testing equiv. obs. equiv. trace equiv. symbolic bisim. labelled bisim. For a class of determinate processes . Cheval et al.: Deciding equivalence-based properties using constraint solving. TCS’13 9/30

  28. A few security properties “Strong” secrecy (non-interference) in( c , x 1 ) . in( c , x 2 ) . P { x 1 / s } ≈ in( c , x 1 ) . in( c , x 2 ) . P { x 2 / s } 10/30

  29. A few security properties “Strong” secrecy (non-interference) in( c , x 1 ) . in( c , x 2 ) . P { x 1 / s } ≈ in( c , x 1 ) . in( c , x 2 ) . P { x 2 / s } Real-or-random secrecy P . out( c , s ) ≈ P . new r . out( c , r ) 10/30

  30. A few security properties “Strong” secrecy (non-interference) in( c , x 1 ) . in( c , x 2 ) . P { x 1 / s } ≈ in( c , x 1 ) . in( c , x 2 ) . P { x 2 / s } Real-or-random secrecy P . out( c , s ) ≈ P . new r . out( c , r ) Simulation based security ( I is an ideal functionality) ∃ S . P ≈ S [ I ] 10/30

  31. A few security properties “Strong” secrecy (non-interference) in( c , x 1 ) . in( c , x 2 ) . P { x 1 / s } ≈ in( c , x 1 ) . in( c , x 2 ) . P { x 2 / s } Real-or-random secrecy P . out( c , s ) ≈ P . new r . out( c , r ) Simulation based security ( I is an ideal functionality) ∃ S . P ≈ S [ I ] Anonymity P { a / id } ≈ P { b / id } 10/30

  32. A few security properties “Strong” secrecy (non-interference) in( c , x 1 ) . in( c , x 2 ) . P { x 1 / s } ≈ in( c , x 1 ) . in( c , x 2 ) . P { x 2 / s } Real-or-random secrecy P . out( c , s ) ≈ P . new r . out( c , r ) Simulation based security ( I is an ideal functionality) ∃ S . P ≈ S [ I ] Anonymity P { a / id } ≈ P { b / id } Vote privacy Unlinkability 10/30

  33. How to model vote privacy? How can we model “ the attacker does not learn my vote (0 or 1) ”? 11/30

  34. How to model vote privacy? How can we model “ the attacker does not learn my vote (0 or 1) ”? ◮ The attacker cannot learn the value of my vote 11/30

  35. How to model vote privacy? How can we model “ the attacker does not learn my vote (0 or 1) ”? ◮ The attacker cannot learn the value of my vote � but the attacker knows values 0 and 1 11/30

  36. How to model vote privacy? How can we model “ the attacker does not learn my vote (0 or 1) ”? ◮ The attacker cannot learn the value of my vote ◮ The attacker cannot distinguish A votes and B votes: V A ( v ) ≈ V B ( v ) 11/30

Recommend

= = = f f BOB BOB not does like not like = Alice Bob Alice Bob not Bob Coecke

= = = f f BOB BOB not does like not like = Alice Bob Alice Bob not Bob Coecke

picture logic for info-flow in language and physics (incl. the Lambek vs. Lambek battle) That flowin phyling October 2010 ALICE ALICE f f f f = = = f f BOB BOB not does like not like = Alice Bob Alice Bob not Bob

1.06k views • 94 slides
01 Meet ALICE ALICE A sset L imited I ncome C onstrained E mployed ALICE How we learned

01 Meet ALICE ALICE A sset L imited I ncome C onstrained E mployed ALICE How we learned

01 Meet ALICE ALICE A sset L imited I ncome C onstrained E mployed ALICE How we learned about ALICE How we got organized ALICE Steering Committee ALICE Research Advisory Committee ALICE Marketing Workgroup 28 United Ways

366 views • 21 slides
= = = f f BOB BOB meaning vectors of words not does like not like = Alice Bob Alice

= = = f f BOB BOB meaning vectors of words not does like not like = Alice Bob Alice

The logic of quantum mechanics - take II Bob Coecke arXiv:1204.3458 ALICE ALICE f f f f = = = f f BOB BOB meaning vectors of words not does like not like = Alice Bob Alice Bob not pregroup grammar An alternative

1.29k views • 118 slides
Introduction to Alice Alice is named in honor of Lewis Carroll s Alice in Wonderland Slides

Introduction to Alice Alice is named in honor of Lewis Carroll s Alice in Wonderland Slides

3/18/13 CS101 Lecture 20 Introduction to Alice Alice is named in honor of Lewis Carroll s Alice in Wonderland Slides Credit: Joel Adams, Alice in Action With thanks to John Magee for his guidance about these materials Alice A modern

447 views • 26 slides
2018 ALICE Report Overview Do You Know ALICE? ALICE is an acronym that stands for Asset

2018 ALICE Report Overview Do You Know ALICE? ALICE is an acronym that stands for Asset

2018 ALICE Report Overview Do You Know ALICE? ALICE is an acronym that stands for Asset Limited, Income Constrained, Employed. ALICE households have earnings above the Federal Poverty Level, but below a basic cost-of-living threshold. 2

292 views • 10 slides
= = = f f BOB BOB meaning vectors of words not does like = not like Alice Bob Alice

= = = f f BOB BOB meaning vectors of words not does like = not like Alice Bob Alice

The logic of quantum mechanics - take II arXiv:1204.3458 ALICE ALICE f f f f = = = f f BOB BOB meaning vectors of words not does like = not like Alice Bob Alice Bob not pregroup grammar genesis genesis

978 views • 79 slides
= = = f f BOB BOB meaning vectors of words not does like not like = Alice Bob Alice

= = = f f BOB BOB meaning vectors of words not does like not like = Alice Bob Alice

Physics, Language, Maths & Music (partly in arXiv:1204.3458) Bob Coecke, Oxford, CS-Quantum SyFest, Vienna, July 2013 ALICE ALICE f f f f = = = f f BOB BOB meaning vectors of words not does like not like = Alice Bob

1.03k views • 83 slides
Introduction to Alice 23 October 2012 Alice is named in honor of Lewis Carroll s Alice in

Introduction to Alice 23 October 2012 Alice is named in honor of Lewis Carroll s Alice in

10/22/12 CS101 Lecture 16 Introduction to Alice 23 October 2012 Alice is named in honor of Lewis Carroll s Alice in Wonderland Slides Credit: Joel Adams, Alice in Action With thanks to John Magee for his guidance about these materials

548 views • 27 slides
Alice TPC DCS 1 ALICE underground ACR CR1 CR2 CR3 CR4 PLUG ~50m ~15m ALICE BEAM DETECTOR

Alice TPC DCS 1 ALICE underground ACR CR1 CR2 CR3 CR4 PLUG ~50m ~15m ALICE BEAM DETECTOR

Alice TPC DCS 1 ALICE underground ACR CR1 CR2 CR3 CR4 PLUG ~50m ~15m ALICE BEAM DETECTOR ~55m 2 5.6.02 L.Jirdn Access ACR CR1 CR2 Cavern only CR3 accessible during CR4 shutdowns ! PLUG ~50m ~15m ALIC BEAM E DETECTO R ~55m 3

413 views • 30 slides
DIGITAL SIGNATURES 1 / 74 Signing by hand ALICE Pay Bob $100 COSMO ALICE

DIGITAL SIGNATURES 1 / 74 Signing by hand ALICE Pay Bob $100 COSMO ALICE

DIGITAL SIGNATURES 1 / 74 Signing by hand ALICE Pay Bob $100 COSMO ALICE Cosmo Alice Alice Bank =? no yes pay Bob Dont 2 / 74 Signing electronically SIGFILE scan Alice 101 1

654 views • 43 slides
Pine Grove Area School District ALiCE Implementation What is ALiCE? ALiCE is an options-based

Pine Grove Area School District ALiCE Implementation What is ALiCE? ALiCE is an options-based

Pine Grove Area School District ALiCE Implementation What is ALiCE? ALiCE is an options-based response which can increase survivability when faced with an active intruder situation. The program relies on the premise of providing information ,

195 views • 18 slides
cryptocomputing SEC2 2016 Lorient Renaud Sirdey CEA LIST (work in collaboration with other

cryptocomputing SEC2 2016 Lorient Renaud Sirdey CEA LIST (work in collaboration with other

Towards practical homomorphic cryptocomputing SEC2 2016 Lorient Renaud Sirdey CEA LIST (work in collaboration with other people cited at the end) July 2016 The dream Can Charlie do something useful for Alice using both Alice and Bob

355 views • 32 slides
Alice The 3D Object-Oriented Programming Environment Presentation by: Tom Goff What is Alice?

Alice The 3D Object-Oriented Programming Environment Presentation by: Tom Goff What is Alice?

Alice The 3D Object-Oriented Programming Environment Presentation by: Tom Goff What is Alice? Alice is a freely available, innovative way of teaching OOP concepts to students through storytelling. The user acts like the director of movie

308 views • 17 slides
Events (Alice In Ac.on, Ch 6) Slides Credit: Joel Adams, Alice in

Events (Alice In Ac.on, Ch 6) Slides Credit: Joel Adams, Alice in

CS 101 Lecture 26/27 Events (Alice In Ac.on, Ch 6) Slides Credit: Joel Adams, Alice in Action Objectives Programming to respond to events Create new events in Alice Create handler methods for Alice events

392 views • 17 slides
with ALICE at the LHC M. Gagliardi (INFN Torino) for the ALICE collaboration Workshop on

with ALICE at the LHC M. Gagliardi (INFN Torino) for the ALICE collaboration Workshop on

Quarkonium and heavy flavour physics with ALICE at the LHC M. Gagliardi (INFN Torino) for the ALICE collaboration Workshop on discovery physics at the LHC Kruger National Park (SA) 06/12/2010 1 Outline Physics motivation(s) The ALICE

956 views • 34 slides
ALICE Masterclass Magorzata Janik Before we start. Do you have the ALICE Masterclass files

ALICE Masterclass Magorzata Janik Before we start. Do you have the ALICE Masterclass files

ALICE Masterclass Magorzata Janik Before we start. Do you have the ALICE Masterclass files on your computer? If not, please copy them from USB stick to your local machine NOW! If you dont have ALICE software on the system

629 views • 29 slides
TCP spoofing Alice trusts Bob (e.g., logins on Alice are allowed with no password if TCP

TCP spoofing Alice trusts Bob (e.g., logins on Alice are allowed with no password if TCP

TCP spoofing Alice trusts Bob (e.g., logins on Alice are allowed with no password if TCP connection comes from host Bob) Mallory wants to impersonate Bob when opening a TCP/IP: TCP TCP connection to Alice Steps M kills B (e.g.,

349 views • 3 slides
ALICE TPC Simulation and Reconstruction Tom Junk Fourth DUNE Near Detector Workshop March 22,

ALICE TPC Simulation and Reconstruction Tom Junk Fourth DUNE Near Detector Workshop March 22,

ALICE TPC Simulation and Reconstruction Tom Junk Fourth DUNE Near Detector Workshop March 22, 2018 Summary We propose to build a copy of the ALICE gas TPC, using the ALICE readout planes ALICE is a highly capable three-dimensional

428 views • 38 slides
Ik ben Alice In the documentary Im Alice we see a glimpse on how social bots make their

Ik ben Alice In the documentary Im Alice we see a glimpse on how social bots make their

Ik ben Alice In the documentary Im Alice we see a glimpse on how social bots make their introduction to the caretakers home. She is there to take over the communication and story-sharing role of a caretaker or family. Benjamin W.

614 views • 19 slides
T2K & E61 Imperial College London Charlie Naseby 1/12 Charlie Naseby Imperial College

T2K & E61 Imperial College London Charlie Naseby 1/12 Charlie Naseby Imperial College

T2K & E61 Imperial College London Charlie Naseby 1/12 Charlie Naseby Imperial College London 2019-02-26 2/12 Charlie Naseby Imperial College London 2019-02-26 Neutrino Production Proton beam fired at graphite target to produce

412 views • 14 slides
An introduction of the ALICE - FAIR prototype Dr. Charalampos S. Kouzinopoulos CERN ALICE

An introduction of the ALICE - FAIR prototype Dr. Charalampos S. Kouzinopoulos CERN ALICE

An introduction of the ALICE - FAIR prototype Dr. Charalampos S. Kouzinopoulos CERN ALICE Offline week - Friday, 21 March 2014 Introduction to the ALICE - FAIR prototype - ALICE Offline week ALFA will be a new common framework to provide a

381 views • 13 slides
Disclosures Expression May Distinguish Expression May Distinguish Eosinophilic Esophagitis from

Disclosures Expression May Distinguish Expression May Distinguish Eosinophilic Esophagitis from

Differential Epithelial Gene Differential Epithelial Gene Disclosures Expression May Distinguish Expression May Distinguish Eosinophilic Esophagitis from Eosinophilic Esophagitis from I have had no relevant financial relationships with

528 views • 4 slides
Alice is declared bankrupt. Terry, her trustee in bankruptcy, asks the court to order Alice to

Alice is declared bankrupt. Terry, her trustee in bankruptcy, asks the court to order Alice to

Legal Aspects of Cryptoassets and Smart Contracts David Quest QC Alice holds the private key to a cryptoasset. Alice is declared bankrupt. Terry, her trustee in bankruptcy, asks the court to order Alice to transfer the cryptoasset to him.

67 views • 6 slides
ALICE Installation Procedure ALICE: Active Learning Interface for Circuits and Electronics

ALICE Installation Procedure ALICE: Active Learning Interface for Circuits and Electronics

ALICE Installation Procedure ALICE: Active Learning Interface for Circuits and Electronics ADALM1000 (M1K) Software Application M. A. Hameed ECSE Department Rensselaer Polytechnic Institute Intro to ECSE Software Required to run ALICE on

496 views • 6 slides

More recommend