formal verification of privacy
play

Formal verification of privacy (for RFID protocols) Stphanie - PowerPoint PPT Presentation

Dec 11, 2023 •355 likes •923 views

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

  1. Formal verification of privacy (for RFID protocols) Stéphanie Delaune Équipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016

  2. Security protocols everywhere ! Cryptographic protocols ◮ small programs designed to secure communication e.g. secrecy, authentication, anonymity, . . . ◮ use cryptographic primitives e.g. encryption, signature, . . . . . .

  3. Security protocols everywhere ! Cryptographic protocols ◮ small programs designed to secure communication e.g. secrecy, authentication, anonymity, . . . ◮ use cryptographic primitives e.g. encryption, signature, . . . . . . The network is unsecure! Communications take place over a public network like the Internet.

  4. Security protocols everywhere ! Cryptographic protocols ◮ small programs designed to secure communication e.g. secrecy, authentication, anonymity, . . . ◮ use cryptographic primitives e.g. encryption, signature, . . . . . . It becomes more and more important to protect our privacy.

  5. Electronic passport An e-passport is a passport with an RFID tag embedded in it. The RFID tag stores: ◮ the information printed on your passport; ◮ a JPEG copy of your picture; ◮ . . .

  6. Electronic passport An e-passport is a passport with an RFID tag embedded in it. The RFID tag stores: ◮ the information printed on your passport; ◮ a JPEG copy of your picture; ◮ . . . The Basic Access Control (BAC) protocol is a key establishment protocol that has been designed to protect our personnal data, and to ensure unlinkability. Unlinkability aims to ensure that a user may make multiple uses of a service or resource without others being able to link these uses together . [ISO/IEC standard 15408]

  7. BAC protocol Passport Reader ( K E , K M ) ( K E , K M )

  8. BAC protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge

  9. BAC protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P

  10. BAC protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE )

  11. BAC protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) MAC KM ( { N P , N R , K P } KE ) { N P , N R , K P } KE ,

  12. BAC protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) MAC KM ( { N P , N R , K P } KE ) { N P , N R , K P } KE , K seed = f( K P , K R ) K seed = f( K P , K R )

  13. Verifying security protocols: a difficult task ◮ testing their resilience against well-known attacks is not sufficient; ◮ manual security analysis is error-prone. − → Caution: Do not underestimate your opponents!

  14. Verifying security protocols: a difficult task ◮ testing their resilience against well-known attacks is not sufficient; ◮ manual security analysis is error-prone. − → Caution: Do not underestimate your opponents! privacy issue The register - Jan. 2010 authentication issue Independent - Feb. 2016

  15. French electronic passport − → the passport must reply to all received messages. Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE )

  16. French electronic passport − → the passport must reply to all received messages. Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) If MAC check fails mac_error

  17. French electronic passport − → the passport must reply to all received messages. Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) If MAC check succeeds If nonce check fails nonce_error

  18. An attack on the French passport [Chothia & Smirnov, 10] An attacker can track a French passport , provided he has once witnessed a successful authentication.

  19. An attack on the French passport [Chothia & Smirnov, 10] An attacker can track a French passport , provided he has once witnessed a successful authentication. Part 1 of the attack. The attacker eavesdropes on Alice using her passport and records message M . M = { N R , N P , K R } K E , MAC K M ( { N R , N P , K R } K E )

  20. An attack on the French passport [Chothia & Smirnov, 10] An attacker can track a French passport , provided he has once witnessed a successful authentication. Part 1 of the attack. The attacker eavesdropes on Alice using her passport and records message M . M = { N R , N P , K R } K E , MAC K M ( { N R , N P , K R } K E ) Part 2 of the attack. In presence of an unknown passport ( K ′ E , K ′ M ), the attacker replays the message M and checks the error code he receives. 1. MAC check failed: K ′ M � = K M = ⇒ ???? is not Alice K ′ ⇒ 2. MAC check succeeded: M = K M = ???? is Alice

  21. A sucessful approach: formal symbolic verification − → provides a rigorous framework and automatic tools to analyse security protocols and find their flaws. Example: Authentication flaw in the Single Sign- On protocol used e.g. in GMail [Armando et al. (2011)] using SATMC (Avantssar verification platform)

  22. A sucessful approach: formal symbolic verification − → provides a rigorous framework and automatic tools to analyse security protocols and find their flaws. Example: Authentication flaw in the Single Sign- On protocol used e.g. in GMail [Armando et al. (2011)] using SATMC (Avantssar verification platform) Does the protocol satisfy a security property? Modelling | ϕ =

  23. A sucessful approach: formal symbolic verification − → provides a rigorous framework and automatic tools to analyse security protocols and find their flaws. Example: Authentication flaw in the Single Sign- On protocol used e.g. in GMail [Armando et al. (2011)] using SATMC (Avantssar verification platform) Does the protocol satisfy a security property? Modelling | | ϕ =

  24. State of the art (in a nutshell) for analysing confidentiality/authentication properties Unbounded number of sessions ◮ undecidable in general [Even & Goldreich, 83; Durgin et al , 99] ◮ decidable for restricted classes [Lowe, 99; Rammanujam & Suresh, 03] Bounded number of sessions ◮ a decidability result (NP-complete) [Rusinowitch & Turuani, 01; Millen & Shmatikov, 01]

  25. Main limitations of existing verifcation tools ◮ They are not suitable to analyse privacy-type properties. − → unlinkability, anonymity, vote-privacy . . . ◮ They do not allow one to reason modulo the algebraic properties of some primitives. − → exclusive or, homomorphic encryption, . . . ◮ They do not allow to take physical properties into account. − → transmission delay, location of participants, network topology

  26. Main limitations of existing verifcation tools ◮ They are not suitable to analyse privacy-type properties. − → unlinkability, anonymity, vote-privacy . . . ◮ They do not allow one to reason modulo the algebraic properties of some primitives. − → exclusive or, homomorphic encryption, . . . ◮ They do not allow to take physical properties into account. − → transmission delay, location of participants, network topology These features are important for analysing contactless systems ! POPSTAR (janv. 2017- déc. 2021) Reasoning about Physical properties Of security Protocols with an Application To contactless Systems

  27. Main limitations of existing verifcation tools ◮ They are not suitable to analyse privacy-type properties. − → unlinkability, anonymity, vote-privacy . . . ◮ They do not allow one to reason modulo the algebraic properties of some primitives. − → exclusive or, homomorphic encryption, . . . ◮ They do not allow to take physical properties into account. − → transmission delay, location of participants, network topology These features are important for analysing contactless systems ! POPSTAR (janv. 2017- déc. 2021) Reasoning about Physical properties Of security Protocols with an Application To contactless Systems

  28. Outline Does the protocol satisfy a security property? Modelling | | ϕ = Outline of the remaining of this talk 1. Modelling: protocols, security properties, and the attacker ! 2. Designing verification algorithms − → we focus here on privacy-type security properties

  29. Part I Modelling: protocols, security properties, and the attacker

  30. Protocols as processes Applied pi calculus: basic programming language with constructs for concurrency and communication [Abadi & Fournet, 01] − → based on the π -calculus [Milner et al. , 92] ... P , Q := 0 null process in( c , x ) . P input out( c , u ) . P output if u = v then P else Q conditional P | Q parallel composition ! P replication new n . P fresh name generation

  31. Protocols as processes Applied pi calculus: basic programming language with constructs for concurrency and communication [Abadi & Fournet, 01] − → based on the π -calculus [Milner et al. , 92] ... P , Q := 0 null process in( c , x ) . P input out( c , u ) . P output if u = v then P else Q conditional P | Q parallel composition ! P replication new n . P fresh name generation ... but messages that are exchanged are not necessarily atomic !

Recommend

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry 1 Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches HOL Light Floating point

366 views • 25 slides
Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic 1 Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal verification Machine-checked proof Automatic and interactive approaches HOL Light

539 views • 19 slides
Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing mathematics

353 views • 19 slides
Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA http://www.clifford.at/papers/2018/riscv-formal/ About assertion based formal verification (formal ABV) Assertion based verification (ABV) Uses

781 views • 39 slides
Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal Verification Yosys-STMBMC iCE40 FPGAs Bounded Model Checking (Project IceStorm) Using any SMT-LIB2 solver (using QF_AUFBV logic) Xilinx

707 views • 56 slides
Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides
Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica

Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica

Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Until now Logic Formal specification (generalities) Algebraic specification 2 Formal

627 views • 19 slides
Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Until now Logic Formal specification (generalities) Algebraic specification Transition systems 2

798 views • 62 slides
Formal Verification and Testing for Formal Verification and Testing for Reactive Systems

Formal Verification and Testing for Formal Verification and Testing for Reactive Systems

ARTIST2 - ARTIST2 - MOTIVES MOTIVES Trento - - Italy, February 19 Italy, February 19- -23, 2007 23, 2007 Trento Session: Testing and Runtime Verification Formal Verification and Testing for Formal Verification and Testing for Reactive

881 views • 31 slides
Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies Synopsys, Inc. June 18, 2017 1 Build Better Formal Verification Tools? CAR BICYCLE DOG S oftware that learns from experience and enables

767 views • 40 slides
Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA

Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA

Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA tools for students, hobbyists, enthusiasts FPGA Synthesis Formal Verification Free to use: Free to use: Xilinx Vivado WebPack,

819 views • 49 slides
Formal Verification via MCMAS & PRISM Hongyang Qu University of Sheffield 1 December 2015

Formal Verification via MCMAS & PRISM Hongyang Qu University of Sheffield 1 December 2015

Formal Verification via MCMAS & PRISM Hongyang Qu University of Sheffield 1 December 2015 Outline Motivation for Formal Verification Overview of MCMAS Overview of PRISM Formal verification It is a systematic way to check

461 views • 34 slides
Formal Specification and Verification 8.11.2016 Viorica Sofronie-Stokkermans e-mail:

Formal Specification and Verification 8.11.2016 Viorica Sofronie-Stokkermans e-mail:

Formal Specification and Verification 8.11.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Mathematical foundations Formal logic: Syntax: a formal language (formula expressing facts) Semantics: to define the meaning

740 views • 54 slides
Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018

Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018

Formal Verification of Masked Implementations Sonia Bela d Benjamin Gr egoire CHES 2018 - Tutorial September 9th 2018 1 / 47 1 Side-Channel Attacks and Masking 2 Formal Tools for Verification at Fixed Order 3 Formal Tools

1.24k views • 97 slides
Formal Specification and Verification 23.04.2013 Viorica Sofronie-Stokkermans e-mail:

Formal Specification and Verification 23.04.2013 Viorica Sofronie-Stokkermans e-mail:

Formal Specification and Verification 23.04.2013 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Mathematical foundations Formal logic: Syntax: a formal language (formula expressing facts) Semantics: to define the

811 views • 68 slides
Theorem Proving for Verification John Harrison Intel Corporation CAV 2008 Princeton 9th July

Theorem Proving for Verification John Harrison Intel Corporation CAV 2008 Princeton 9th July

Theorem Proving for Verification John Harrison Intel Corporation CAV 2008 Princeton 9th July 2008 0 Formal verification Formal verification: mathematically prove the correctness of a design with respect to a mathematical formal specification

570 views • 53 slides
Formal Formal Specif Specification ication and Verific and Verification ation of Solid of

Formal Formal Specif Specification ication and Verific and Verification ation of Solid of

Presented at FMBC 2020 Formal Formal Specif Specification ication and Verific and Verification ation of Solid of Solidity ity Contracts Contracts with E with Events vents kos Hajdu 1 , Dejan Jovanovi 2 , Gabriela Ciocarlie 2 1

298 views • 14 slides
Formal Privacy: Making an Impact at Large Organizations Deploying Differential Privacy for the

Formal Privacy: Making an Impact at Large Organizations Deploying Differential Privacy for the

Formal Privacy: Making an Impact at Large Organizations Deploying Differential Privacy for the 2020 Census of Population and Housing Simson L. Garfinkel Senior Scientist, Confidentiality and Data Access U.S. Census Bureau July 31, 2019 JSM

458 views • 35 slides
Formal verification of IA-64 division algorithms John Harrison Intel Corporation IA-64

Formal verification of IA-64 division algorithms John Harrison Intel Corporation IA-64

Formal verification of IA-64 division algorithms 1 Formal verification of IA-64 division algorithms John Harrison Intel Corporation IA-64 overview Quick introduction to HOL Light Floating point numbers and IA-64 formats HOL

451 views • 19 slides
Formal Methods Chapter 21 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

Formal Methods Chapter 21 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide

Formal Methods Chapter 21 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-1 Outline Formal verification techniques Design verification languages Bell-LaPadula and SPECIAL Current verification systems

911 views • 63 slides
Formal Specification and Verification Formal specification Temporal logic 12.06.2012

Formal Specification and Verification Formal specification Temporal logic 12.06.2012

Formal Specification and Verification Formal specification Temporal logic 12.06.2012 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Formal specification Specification for program/system Specification for

443 views • 21 slides

More recommend