combining algorithms for deciding knowledge in security
play

Combining algorithms for deciding knowledge in security protocols - PowerPoint PPT Presentation

Oct 27, 2023 •165 likes •514 views

Combining algorithms for deciding knowledge in security protocols Mathilde Arnaud, Vronique Cortier and Stphanie Delaune LORIA, CNRS & INRIA project Cassis, Nancy, France September 10, 2007 S. Delaune (LORIA Projet Cassis) Deciding

  1. Combining algorithms for deciding knowledge in security protocols Mathilde Arnaud, Véronique Cortier and Stéphanie Delaune LORIA, CNRS & INRIA project Cassis, Nancy, France September 10, 2007 S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 1 / 20

  2. Context: cryptographic protocols Cryptographic protocols small programs designed to secure communication ( e.g. secrecy) use cryptographic primitives ( e.g. encryption, hash function, . . . ) Presence of an attacker may read every message sent on the network, may intercept and send new messages according to its deduction capabilities. S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 2 / 20

  3. Context: cryptographic protocols Cryptographic protocols small programs designed to secure communication ( e.g. secrecy) use cryptographic primitives ( e.g. encryption, hash function, . . . ) Presence of an attacker may read every message sent on the network, may intercept and send new messages according to its deduction capabilities. S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 2 / 20

  4. A simple protocol → Does the attacker know secret? − S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 3 / 20

  5. Attacker power (in formal models) − → The attacker can do symbolic manipulations on messages. Messages are abstracted by terms ... encryption { x } y , pairing � x , y � , . . . ... together with an equational theory classical theory (E enc ): proj 1 ( � x , y � ) = x proj 2 ( � x , y � ) = y dec ( enc ( x , y ) , y ) = x exclusive or (E xor ): ( x ⊕ y ) ⊕ z = x ⊕ ( y ⊕ z ) x ⊕ y = y ⊕ x x ⊕ 0 = x x ⊕ x = 0 S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 4 / 20

  6. Knowledge Understanding security protocols often requires reasoning about knowledge of the attacker. Two main kinds of knowledge deduction, static equivalence – indistinguishability − → rely on an underlying equational theory − → often used as subroutines in many decision procedures S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 5 / 20

  7. Deduction T ⊢ E M 1 · · · T ⊢ E M k f ∈ Σ M ∈ T T ⊢ E M T ⊢ E f ( M 1 , . . . , M k ) T ⊢ M M = E M ′ T ⊢ M ′ Example: Let E := dec ( enc ( x , y ) , y ) = x and T = { enc ( secret , k ) , k } . T ⊢ enc ( secret , k ) T ⊢ k f ∈ Σ T ⊢ dec ( enc ( secret , k ) , k ) dec ( enc ( x , y ) , y ) = x T ⊢ secret S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 6 / 20

  8. Deduction T ⊢ E M 1 · · · T ⊢ E M k f ∈ Σ M ∈ T T ⊢ E M T ⊢ E f ( M 1 , . . . , M k ) T ⊢ M M = E M ′ T ⊢ M ′ Example: Let E := dec ( enc ( x , y ) , y ) = x and T = { enc ( secret , k ) , k } . T ⊢ enc ( secret , k ) T ⊢ k f ∈ Σ T ⊢ dec ( enc ( secret , k ) , k ) dec ( enc ( x , y ) , y ) = x T ⊢ secret S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 6 / 20

  9. Deduction is not always sufficient → The intruder knows the values yes and no ! The real question Is the intruder able to tell whether Alice sends yes or no? S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 7 / 20

  10. Static equivalence (indistinguishability relation) frame = set of restricted names + sequence of messages n . { M 1 / x 1 , . . . , M ℓ / φ = ν ˜ x ℓ } Examples: If the key k is not revealed, we have that φ 1 = ν k . { enc ( yes , k ) / x } and φ 2 = ν k . { enc ( no , k ) / x } If the key k is revealed, we have that ψ 1 = ν k . { k / x 1 , enc ( yes , k ) / x 2 } and ψ 2 = ν k . { k / x 1 , enc ( no , k ) / x 2 } S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 8 / 20

  11. Static equivalence (indistinguishability relation) frame = set of restricted names + sequence of messages n . { M 1 / x 1 , . . . , M ℓ / φ = ν ˜ x ℓ } Examples: If the key k is not revealed, we have that φ 1 = ν k . { enc ( yes , k ) / x } and φ 2 = ν k . { enc ( no , k ) / x } If the key k is revealed, we have that ψ 1 = ν k . { k / x 1 , enc ( yes , k ) / x 2 } and ψ 2 = ν k . { k / x 1 , enc ( no , k ) / x 2 } S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 8 / 20

  12. Static equivalence (indistinguishability relation) frame = set of restricted names + sequence of messages n . { M 1 / x 1 , . . . , M ℓ / φ = ν ˜ x ℓ } Examples: If the key k is not revealed, we have that φ 1 = ν k . { enc ( yes , k ) / x } and φ 2 = ν k . { enc ( no , k ) / x } If the key k is revealed, we have that ψ 1 = ν k . { k / x 1 , enc ( yes , k ) / x 2 } and ψ 2 = ν k . { k / x 1 , enc ( no , k ) / x 2 } S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 8 / 20

  13. Static equivalence (indistinguishability relation) frame = set of restricted names + sequence of messages n . { M 1 / x 1 , . . . , M ℓ / φ = ν ˜ x ℓ } Examples: If the key k is not revealed, we have that φ 1 = ν k . { enc ( yes , k ) / x } and φ 2 = ν k . { enc ( no , k ) / x } − → indistinguishable If the key k is revealed, we have that ψ 1 = ν k . { k / x 1 , enc ( yes , k ) / x 2 } and ψ 2 = ν k . { k / x 1 , enc ( no , k ) / x 2 } − → distinguishable S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 8 / 20

  14. Goal of this paper Our contribution We propose combination algorithms (PTIME) for deduction and static equivalence for disjoint equational theories. A modular approach − → Deciding interesting theories can be done by reducing the decision to simpler theories. New decidability results Deduction and static equivalence are decidable in PTIME for subterm theories ( e.g. E enc ) and exclusive or (E xor ) [Abadì&Cortier,06], [Chevalier et al. ,03]. − → those problems are also decidable in PTIME for E enc ∪ E xor . S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 9 / 20

  15. Goal of this paper Our contribution We propose combination algorithms (PTIME) for deduction and static equivalence for disjoint equational theories. A modular approach − → Deciding interesting theories can be done by reducing the decision to simpler theories. New decidability results Deduction and static equivalence are decidable in PTIME for subterm theories ( e.g. E enc ) and exclusive or (E xor ) [Abadì&Cortier,06], [Chevalier et al. ,03]. − → those problems are also decidable in PTIME for E enc ∪ E xor . S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 9 / 20

  16. Related works Combination for unification Our procedures rely on combination algorithms for solving unification modulo E = E 1 ∪ E 2 (E 1 and E 2 are disjoint) − → [Schmidt-Schauss,89], [Baader&Schulz,96] Combination for deduction (active case) We follow the approach developed in [Chevalier&Rusinowitch,05] − → combination algorithm for deduction in the presence of an active attacker (they take into account the rules of the protocol) − → they do not consider static equivalence S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 10 / 20

  17. Outline of the talk Introduction 1 Deduction 2 Static equivalence 3 Conclusion 4 S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 11 / 20

  18. Deduction Lemma (characterization of deduction) φ ⊢ E M if and only if there exists a term ζ such that ζφ = E M. − → Such a term ζ is a recipe of the term M. Example: E := dec ( enc ( x , y ) , y ) = x . φ = ν k .ν s . { enc ( s , k ) / x 1 , k / x 2 } We have that φ ⊢ E s . Indeed ζ = dec ( x 1 , x 2 ) is a recipe of s . Deduction problem for the equational theory E built over Σ . Entries : A frame φ and a term M (both built over Σ ) Question : φ ⊢ E M ? S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 12 / 20

  19. Deduction Lemma (characterization of deduction) φ ⊢ E M if and only if there exists a term ζ such that ζφ = E M. − → Such a term ζ is a recipe of the term M. Example: E := dec ( enc ( x , y ) , y ) = x . φ = ν k .ν s . { enc ( s , k ) / x 1 , k / x 2 } We have that φ ⊢ E s . Indeed ζ = dec ( x 1 , x 2 ) is a recipe of s . Deduction problem for the equational theory E built over Σ . Entries : A frame φ and a term M (both built over Σ ) Question : φ ⊢ E M ? S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 12 / 20

  20. Main result for deduction Theorem (Combination for deduction) Let (Σ 1 , E 1 ) and (Σ 2 , E 2 ) be two disjoint equational theories. If deduction is decidable for (Σ 1 , E 1 ) and (Σ 2 , E 2 ) then deduction is decidable for (Σ 1 ∪ Σ 2 , E 1 ∪ E 2 ) . Our algorithm Let φ be a frame and M be a term built over Σ 1 ∪ Σ 2 . 1 compute the subterms (alien subterms) of φ and M . 2 saturation of φ by subterms which are deducible either in E 1 or in E 2 − → abstraction of alien factors by fresh names 3 check if M ∈ sat ( φ ) . − → completeness obtained thanks to a locality lemma. − → our algorithm is polynomial (in the DAG-size of the inputs) S. Delaune (LORIA – Projet Cassis) Deciding knowledge September 10, 2007 13 / 20

Recommend

Deciding knowledge in security protocols for monoidal equational theories Vronique Cortier and

Deciding knowledge in security protocols for monoidal equational theories Vronique Cortier and

Deciding knowledge in security protocols for monoidal equational theories Vronique Cortier and Stphanie Delaune LORIA, CNRS & INRIA project Cassis, Nancy, France July 8, 2007 S. Delaune (LORIA Projet Cassis) Deciding knowledge

378 views • 37 slides
Scheduling Algorithms of deciding which process in ready queue should be allocated to CPU.

Scheduling Algorithms of deciding which process in ready queue should be allocated to CPU.

2/15/2011 Scheduling Algorithms CPU Scheduling algorithms deal with the problem Scheduling Algorithms of deciding which process in ready queue should be allocated to CPU. Following are the commonly used scheduling algorithms: Gursharan

329 views • 8 slides
An End-to-End Model for Question Answering over Knowledge Base with Cross-Attention Combining

An End-to-End Model for Question Answering over Knowledge Base with Cross-Attention Combining

An End-to-End Model for Question Answering over Knowledge Base with Cross-Attention Combining Global Knowledge Authors: Hao et al. Presenter : Shivank Mishra Link to complete paper : https://aclweb.org/anthology/P/P17/P17-1021.pdf What is

462 views • 29 slides
Ensuring Effective MV Knowledge Management Combining Skill Sets to get the Best Products February

Ensuring Effective MV Knowledge Management Combining Skill Sets to get the Best Products February

Ensuring Effective MV Knowledge Management Combining Skill Sets to get the Best Products February 2015 Outline Program context Deliverables demonstration Success & Challenges Q&A 2 What is Utility Specific Knowledge?

482 views • 15 slides
Knowledge bases domainindependent algorithms Inference engine Knowledge base

Knowledge bases domainindependent algorithms Inference engine Knowledge base

Knowledge bases domainindependent algorithms Inference engine Knowledge base domainspecific content Logical agents Knowledge base = set of sentences in a formal language Declarative approach to building an agent (or other system): Tell

522 views • 18 slides
Creative AI Combining Knowledge, Learning and Control for Expressive Modeling & Animation

Creative AI Combining Knowledge, Learning and Control for Expressive Modeling & Animation

Creative AI Combining Knowledge, Learning and Control for Expressive Modeling & Animation Marie-Paule Cani Ecole Polytechnique Paris, France Visual representations Mandatory to understand and create! @ Renaud Chabrier Leonardo da Vinci

639 views • 33 slides
Dimensions of Knowledge in API Migration Thiago Bartolomei, Mahdi Derakhshanmanesh, Andreas

Dimensions of Knowledge in API Migration Thiago Bartolomei, Mahdi Derakhshanmanesh, Andreas

Combining Multiple Dimensions of Knowledge in API Migration Thiago Bartolomei, Mahdi Derakhshanmanesh, Andreas Fuhr, Peter Koch, Mathias Konrath, Ralf Lmmel, Heiko Winnebeck Contribution of this presentation Present a framework combining

537 views • 28 slides
"combining aboriginal tradi/onal knowledge with western-based

"combining aboriginal tradi/onal knowledge with western-based

"combining aboriginal tradi/onal knowledge with western-based science to benefit all" Overview The Nich Concept Walking in both Worlds A;ainment

461 views • 22 slides
Combining Axiom Injection and Knowledge Base Completion for Efficient Natural Language Inference

Combining Axiom Injection and Knowledge Base Completion for Efficient Natural Language Inference

Combining Axiom Injection and Knowledge Base Completion for Efficient Natural Language Inference Masashi Yoshikawa, Koji Mineshima, Hiroshi Noji, Daisuke Bekki Nara Institute of Science and Technology Ochanomizu University Artificial

549 views • 35 slides
Combining multiresolution and anisotropy Theory, algorithms and open problems Albert Cohen

Combining multiresolution and anisotropy Theory, algorithms and open problems Albert Cohen

Combining multiresolution and anisotropy Theory, algorithms and open problems Albert Cohen Laboratoire Jacques-Louis Lions Universit e Pierre et Marie Curie Paris Joint work with Nira Dyn, Fr ed eric Hecht and Jean-Marie Mirebeau

979 views • 81 slides
Scheduling Algorithms Gursharan Singh Tatla professorgstatla@gmail.com www.eazynotes.com 1

Scheduling Algorithms Gursharan Singh Tatla professorgstatla@gmail.com www.eazynotes.com 1

Scheduling Algorithms Gursharan Singh Tatla professorgstatla@gmail.com www.eazynotes.com 1 15-Feb-2011 Scheduling Algorithms CPU Scheduling algorithms deal with the problem of deciding which process in ready queue should be allocated to

745 views • 46 slides
$ Lesson Seven Consumer Awareness 04/09 deciding to buy deciding to spend your money Do I

$ Lesson Seven Consumer Awareness 04/09 deciding to buy deciding to spend your money Do I

Presentation Slides $ Lesson Seven Consumer Awareness 04/09 deciding to buy deciding to spend your money Do I really need this item? Is it worth the time I spend making the money to pay for it? Is there a better use for my money

489 views • 18 slides
Deciding about deciding: Early Christian communal decision-making in Acts Professor Steve

Deciding about deciding: Early Christian communal decision-making in Acts Professor Steve

The 2017 Paradosis lecture Rachel Dolezal Deciding about deciding: Early Christian communal decision-making in Acts Professor Steve Walton St Marys University, Twickenham (London, UK) 1 2 The importance of the communal in Acts

457 views • 6 slides
Propositional logic (Ch. 7) Representing knowledge So far we have looked at algorithms to find

Propositional logic (Ch. 7) Representing knowledge So far we have looked at algorithms to find

Propositional logic (Ch. 7) Representing knowledge So far we have looked at algorithms to find goals via search, where we are provided with all the knowledge and possibly a heuristic With CSP we saw how to apply inference to rules to find the

265 views • 22 slides
Outline More Security Protocols Combining key distribution and authentication CS 239

Outline More Security Protocols Combining key distribution and authentication CS 239

Outline More Security Protocols Combining key distribution and authentication CS 239 Verifying security protocols Computer Security February 4, 2004 Lecture 7 Lecture 7 Page 1 Page 2 CS 239, Winter 2004 CS 239, Winter 2004

297 views • 11 slides
Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin

Security Analysis of Constructions Combining FIL Random Oracles Yannick Seurin and Thomas Peyrin France Tlcom R&D and Universit de Versailles FSE 07, March 26 Intro Framework Computability Attacks Bounds Recap Applications

318 views • 19 slides
$ Lesson Eleven Consumer Awareness 04/09 deciding to buy deciding to spend your money Do I

$ Lesson Eleven Consumer Awareness 04/09 deciding to buy deciding to spend your money Do I

Presentation Slides $ Lesson Eleven Consumer Awareness 04/09 deciding to buy deciding to spend your money Do I really need this item? Is it worth the time I spend making the money to pay for it? Is there a better use for my money

620 views • 18 slides
Combining Graph Contraction and Strategy Generation for Green Security Games 1 Anjon Basak, Fei

Combining Graph Contraction and Strategy Generation for Green Security Games 1 Anjon Basak, Fei

Combining Graph Contraction and Strategy Generation for Green Security Games 1 Anjon Basak, Fei Fang, Thanh Hong Nguyen, Christopher Kiekintveld Environmental Crimes 2 Illegal fishing Poaching Illegal logging Consequences 3 Major

668 views • 44 slides
Knowledge Base Exchange Marcelo Arenas 1 Elena Botoeva 2 Diego Calvanese 2 1 Dept. of Computer

Knowledge Base Exchange Marcelo Arenas 1 Elena Botoeva 2 Diego Calvanese 2 1 Dept. of Computer

Knowledge Base Exchange Techniques for Deciding Knowledge Base Exchange Conclusions Knowledge Base Exchange Marcelo Arenas 1 Elena Botoeva 2 Diego Calvanese 2 1 Dept. of Computer Science, PUC Chile marenas@ing.puc.cl 2 KRDB Research Centre, Free

1.09k views • 81 slides
Security & Knowledge Management a.a. 2019/20 Pierfrancesco Bellini

Security & Knowledge Management a.a. 2019/20 Pierfrancesco Bellini

Security & Knowledge Management a.a. 2019/20 Pierfrancesco Bellini pierfrancesco.bellini@unifi.it a.a. 2019/20 Knowledge Management Security Semantic Technologies Security of web applications How to represent

250 views • 23 slides
Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and

Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and

CSS441 Introduction Functions Auth. with Encryption Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

673 views • 21 slides
Algorithms for prerequisites Computer Games fundamentals of algorithms and data structures

Algorithms for prerequisites Computer Games fundamentals of algorithms and data structures

Course syllabus credits: 2 cu Algorithms for prerequisites Computer Games fundamentals of algorithms and data structures (see Cormen et al., Introduction to Algorithms ) knowledge in programming (e.g., with Java) Jouni Smed

406 views • 5 slides
Towards Interactive Belief, Knowledge & Provability: Possible Application to Zero-Knowledge

Towards Interactive Belief, Knowledge & Provability: Possible Application to Zero-Knowledge

Computer Laboratory Security Seminar Cambridge University Towards Interactive Belief, Knowledge & Provability: Possible Application to Zero-Knowledge Proofs Ph.D. Thesis Chapter 5 Simon Kramer December 18, 2007 Target audience:

496 views • 16 slides
How to capture, model, and verify the knowledge of legal, security, and privacy experts: a

How to capture, model, and verify the knowledge of legal, security, and privacy experts: a

Universit degli Studi di Trento How to capture, model, and verify the knowledge of legal, security, and privacy experts: a pattern-based approach L. Compagna, P. El Khoury F. Massacci , N. Zannone R. Thomas Security Research Dept.

357 views • 14 slides

More recommend