models and proofs for security protocols
play

Models and proofs for security protocols eronique Cortier 1 V 1 - PowerPoint PPT Presentation

Oct 13, 2023 •25 likes •295 views

Terms Intruder Decidability Models and proofs for security protocols eronique Cortier 1 V 1 LORIA, CNRS - INRIA Cassis project, Universit e de Lorraine 1/13 Terms Intruder Decidability Messages Messages are abstracted by terms. Agents

  1. Terms Intruder Decidability Models and proofs for security protocols eronique Cortier 1 V´ 1 LORIA, CNRS - INRIA Cassis project, Universit´ e de Lorraine 1/13

  2. Terms Intruder Decidability Messages Messages are abstracted by terms. Agents : a , b , . . . Nonces : n 1 , n 2 , . . . Keys : k 1 , k 2 , . . Cyphertext : enc( m , k ) Concatenation : pair( m 1 , m 2 ) Example : The message { A , N a } K is represented by : {} enc(pair( A , N a ) , K ) �� K A N a Intuition : only the structure of the message is kept. 2/13

  3. Terms Intruder Decidability More formally - Signature Definition (Signature) A signature is a couple ( F , arity) where F is a finite set of function symbols and arity : F �→ N associates an arity to each symbol. Symbols of arity 0 are called constants. 3/13

  4. Terms Intruder Decidability More formally - Signature Definition (Signature) A signature is a couple ( F , arity) where F is a finite set of function symbols and arity : F �→ N associates an arity to each symbol. Symbols of arity 0 are called constants. Example : F = { enc; pair; a ; k ; n 1 ; n 2 } with arity(enc) = 2 arity(pair) = 2 arity( a ) = arity( k ) = 0 arity( n 1 ) = arity( n 2 ) = 0 We may write � t 1 , t 2 � instead of pair( t 1 , t 2 ). 3/13

  5. Terms Intruder Decidability More formally - Terms Given a signature F of symbols with an arity e.g. { enc; pair; a ; k ; n 1 ; n 2 } and a set X of variables, the set of terms T ( F , X ) is inductively defined as follows : constants terms (e.g. a , k , n 1 , n 2 ) are terms variables are terms f ( t 1 , . . . , t n ) is a term whenever t 1 , . . . , t n are terms. Intuition : from words to trees. → There exists automata on trees instead of (classical) automata on words, see e.g. TATA http ://tata.gforge.inria.fr/ 4/13

  6. Terms Intruder Decidability Subterms The set of positions of a term t is a finite set of sequence of integers. n � pos( f ( t 1 , . . . , t n )) = { ǫ } ∪ i · pos( t i ) i =1 5/13

  7. Terms Intruder Decidability Subterms The set of positions of a term t is a finite set of sequence of integers. n � pos( f ( t 1 , . . . , t n )) = { ǫ } ∪ i · pos( t i ) i =1 Definition The subterm t | p of t at position p ∈ pos( t ) is : t | ǫ = t � t i | p if t = f ( t 1 , . . . , t n ) , 1 ≤ i ≤ n = arity( f ) t i · p = undefined otherwise. 5/13

  8. Terms Intruder Decidability Subterms The set of positions of a term t is a finite set of sequence of integers. n � pos( f ( t 1 , . . . , t n )) = { ǫ } ∪ i · pos( t i ) i =1 Definition The subterm t | p of t at position p ∈ pos( t ) is : t | ǫ = t � t i | p if t = f ( t 1 , . . . , t n ) , 1 ≤ i ≤ n = arity( f ) t i · p = undefined otherwise. Definition The term t ′ is a subterm of t if there exists p ∈ pos( t ) such that t ′ = t | p . The set of subterms of t is denoted by st ( t ). 5/13

  9. Terms Intruder Decidability Substitution Definition A substitution σ is a function from a finite subset (called domain, noted dom( σ )) of X to T ( F , X ). The application of a substitution to a term is defined as follows. σ ( x ) = x if x / ∈ dom( σ ) σ ( f ( t 1 , . . . , t n )) = f ( σ ( t 1 ) , . . . , σ ( t n )) We will write t σ instead of σ ( t ). 6/13

  10. Terms Intruder Decidability Inference rules Definition An inference rule is a rule of the form T 1 · · · T n T with T 1 , . . . , T n , T ∈ T ( F , X ). 7/13

  11. Terms Intruder Decidability Intruder abilities Composition rules x y x y x y pair( x , y ) enc( x , y ) enca( x , y ) 8/13

  12. Terms Intruder Decidability Intruder abilities Composition rules x y x y x y pair( x , y ) enc( x , y ) enca( x , y ) Decomposition rules pair( x , y ) pair( x , y ) y x enc( x , y ) y enca( x , pub( y )) priv( y ) x x 8/13

  13. Terms Intruder Decidability Intruder abilities Composition rules x y x y x y pair( x , y ) enc( x , y ) enca( x , y ) Decomposition rules pair( x , y ) pair( x , y ) y x enc( x , y ) y enca( x , pub( y )) priv( y ) x x Deducibility relation A term u is deducible from a set of terms T , denoted by T ⊢ u , if there exists a prooftree witnessing this fact. 8/13

  14. Terms Intruder Decidability A simple protocol � Bob , k � � Alice , enc(s , k) � 9/13

  15. Terms Intruder Decidability A simple protocol � Bob , k � � Alice , enc(s , k) � Question ? Can the attacker learn the secret s ? 9/13

  16. Terms Intruder Decidability A simple protocol � Bob , k � � Alice , enc(s , k) � Answer : Of course, Yes ! � Alice , enc(s , k) � � Bob , k � enc(s , k) k s 9/13

  17. Terms Intruder Decidability More formally - derivability Definition (One step) A term t is derivable in one step from a set S and an inference I t if there exists T 1 · · · T n system I , notd S ⊢ 1 , t 1 , . . . , t n ∈ S , T and a substitution θ such that t i = T i θ t = T θ 10/13

  18. Terms Intruder Decidability More formally - derivability Definition (One step) A term t is derivable in one step from a set S and an inference I t if there exists T 1 · · · T n system I , notd S ⊢ 1 , t 1 , . . . , t n ∈ S , T and a substitution θ such that t i = T i θ t = T θ Definition (Derivable) A term t is derivable from a set of terms S , noted S ⊢ I t if t ∈ S or there exist terms t 1 , . . . , t n such that t n = t and t i +1 is derivable in one step from S ∪ { t 1 , . . . , t i } . The sequence t 1 , . . . , t n is called proof of S ⊢ I t . 10/13

  19. Terms Intruder Decidability Examples � � S = {�� a , k 3 � , k 4 �} � k 1 , k 2 � , a , k 1 , { k 3 } � k 1 , k 1 � 11/13

  20. Terms Intruder Decidability Examples � � S = {�� a , k 3 � , k 4 �} � k 1 , k 2 � , a , k 1 , { k 3 } � k 1 , k 1 � ? S ⊢ k 1 11/13

  21. Terms Intruder Decidability Examples � � S = {�� a , k 3 � , k 4 �} � k 1 , k 2 � , a , k 1 , { k 3 } � k 1 , k 1 � ? S ⊢ k 1 ? ⊢ k 3 S 11/13

  22. Terms Intruder Decidability Examples � � S = {�� a , k 3 � , k 4 �} � k 1 , k 2 � , a , k 1 , { k 3 } � k 1 , k 1 � ? S ⊢ k 1 ? ⊢ k 3 S ? ⊢ � a , k 3 � S 11/13

  23. Terms Intruder Decidability Examples � � S = {�� a , k 3 � , k 4 �} � k 1 , k 2 � , a , k 1 , { k 3 } � k 1 , k 1 � ? S ⊢ k 1 ? ⊢ k 3 S ? ⊢ � a , k 3 � S ? S ⊢ k 4 11/13

  24. Terms Intruder Decidability Examples � � S = {�� a , k 3 � , k 4 �} � k 1 , k 2 � , a , k 1 , { k 3 } � k 1 , k 1 � ? S ⊢ k 1 ? ⊢ k 3 S ? ⊢ � a , k 3 � S ? S ⊢ k 4 ? S ⊢ � a , k 4 � 11/13

  25. Terms Intruder Decidability Decidability What is it ? 12/13

  26. Terms Intruder Decidability Decision of the intruder problem Given A set of messages S and a message m Question Can the intruder learn m from S that is S ⊢ m ? This problem is decidable in polynomial time. Let’s prove it ! 13/13

  27. Terms Intruder Decidability Decision of the intruder problem Given A set of messages S and a message m Question Can the intruder learn m from S that is S ⊢ m ? This problem is decidable in polynomial time. Let’s prove it ! Lemma (Locality) If there is a proof of S ⊢ m then there is a proof that only uses the subterms of S and m. 13/13

Recommend

Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech -

Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech -

Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech - Jean-Louis Roch Master-2 Security, Cryptology and Coding of Information Systems ENSIMAG/Grenoble-INP UJF Grenoble University, France Security Models,

396 views • 20 slides
Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most

1 Better proofs for rekeying D. J. Bernstein Security of AES-256 key k is far below 2 256 in most protocols: (AES k (0) ; : : : ; AES k ( n 1)) is distinguishable from uniform with probability n ( n 1) = 2 129 , plus tiny key-guessing

577 views • 32 slides
Introduction to cryptographic protocols models, proofs, and attacks Karthikeyan Bhargavan INRIA

Introduction to cryptographic protocols models, proofs, and attacks Karthikeyan Bhargavan INRIA

Introduction to cryptographic protocols models, proofs, and attacks Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 (Based on slides by Stphanie Delaune, Bruno Blanchet,

1.36k views • 96 slides
Automated and machine-verified security proofs of stateful protocols Andreas Hess 1 Sebastian

Automated and machine-verified security proofs of stateful protocols Andreas Hess 1 Sebastian

Automated and machine-verified security proofs of stateful protocols Andreas Hess 1 Sebastian Mdersheim 1 Achim Brucker 2,3 Anders Schlichtkrull 1 1 Technical University of Denmark 2 The University of Sheffield 3 University of Exeter Overview 1

650 views • 26 slides
Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth workshop Introduction to the workshop PROOFS: Security Proofs for Embedded Systems UCSB August 20, 2016 5th edition of PROOFS PROOFS 2012:

311 views • 7 slides
Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over

Security Protocols Q: Why security protocols? Bob Alice A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Authentication Confidentiality Example: HTTPS (HTTP + TLS)

669 views • 42 slides
Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science,

Security protocols: formal models and verification Sergiu Bursuc School of Computer Science, University of Bristol Finse Winter School, 7 May 2015 Security protocols: roles and goals Roles: P 1 , . . . , P n (e.g. clients, servers, devices,

1.43k views • 127 slides
Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering

Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography and system mechanisms meet They allow trust to be taken from where it exists to where it s needed But they are

941 views • 67 slides
Communication security: Formal models and proofs Hubert Comon September 1, 2016 1 Introduction

Communication security: Formal models and proofs Hubert Comon September 1, 2016 1 Introduction

Communication security: Formal models and proofs Hubert Comon September 1, 2016 1 Introduction to protocol security The context (I) credit cards contactless cards telephones online transactions cars, fridges,... Internet of

680 views • 11 slides
Formal Computational Unlinkability Proofs of RFID Protocols Hubert Comon, Adrien Koutsos January

Formal Computational Unlinkability Proofs of RFID Protocols Hubert Comon, Adrien Koutsos January

Formal Computational Unlinkability Proofs of RFID Protocols Hubert Comon, Adrien Koutsos January 29, 2018 Hubert Comon, Adrien Koutsos Formal Proofs of RFID Protocols January 29, 2018 1 / 21 Motivations Security protocols Distributed

483 views • 21 slides
Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief

Analysis of Security Protocols 01 Analysis of Security Protocols Gavin Lowe Analysis of Security Protocols 02 Overview Brief introduction to security protocols; Model checking of security protocols, particularly using the process

1.28k views • 110 slides
Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA,

Introduction on security protocols Formal models Going further Towards more guarantees Verification of Security Protocols eronique Cortier 1 V July 2nd, 2010 Movep 2010 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/102 V

2.12k views • 160 slides
Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1

Introduction on security protocols Formal models Unbounded number of sessions Verification of Security Protocols Part I eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/65 V eronique Cortier Verification of Security

1.29k views • 111 slides
Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval,

Exploiting symmetries when proving equivalence properties for security protocols Vincent Cheval, Steve Kremer, Itsaka Rakotonirina Inria Nancy Grand-Est Security protocols TLS Wifi @ PASS E-voting E-passport 2 24 Security protocols

830 views • 69 slides
The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS09, Shanghai, China October 13, 2009 Background Formal verification of security protocols from

312 views • 28 slides
Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography

Verifying Security Protocols and their Implementations Information Security and Cryptography Reading Group Presenter: C t lin Hri cu References Verified Interoperable Implementations of Security Protocols. Karthikeyan Bhargavan,

922 views • 70 slides
Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides

Security protocols, crypto etc Computer Science Tripos part 2 Steven J. Murdoch Slides originally by Ross Anderson Security Protocols Security protocols are the intellectual core of security engineering They are where cryptography

1.47k views • 118 slides
Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome

Towards a Logic for Verification of Security Protocols Work in progress Comments welcome Vincent Bernat Laboratoire Spcification et Vrification CNRS & ENS Cachan SPV03 - Marseille p.1/17 Plan 1. Intro Existing models,

920 views • 63 slides
PhD Defense Symbolic Proofs of Computational Indistinguishability Adrien Koutsos Thse

PhD Defense Symbolic Proofs of Computational Indistinguishability Adrien Koutsos Thse

PhD Defense Symbolic Proofs of Computational Indistinguishability Adrien Koutsos Thse prpare au sein du LSV, ENS Paris-Saclay September 27, 2019 Introduction Motivation Security Protocols Distributed programs which aim at providing some

1.55k views • 142 slides
Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

1.92k views • 139 slides
Annotator https://github.com/okfn/annotator User interactions Protocols Data models User

Annotator https://github.com/okfn/annotator User interactions Protocols Data models User

Annotator https://github.com/okfn/annotator User interactions Protocols Data models User interactions Protocols Data models ? Content-Security-Policy: script-src https://example.com; SPEC ALL THE THINGS Build for pluralism Thank you

168 views • 12 slides
Proof Attempts Cooperating via Models Giles Reger With Dmitry Tishkovsky and Andrei Voronkov

Proof Attempts Cooperating via Models Giles Reger With Dmitry Tishkovsky and Andrei Voronkov

One Proof Many Models Two Proofs Many Models Many Proofs Many Models Proof Attempts Cooperating via Models Giles Reger With Dmitry Tishkovsky and Andrei Voronkov University of Manchester 15th September 2015 One Proof Many Models Two Proofs

1.37k views • 69 slides
Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs

Security proofs in the symbolic model web services security, manual and automated proofs Karthikeyan Bhargavan INRIA karthikeyan.bhargavan@inria.fr http://prosecco.inria.fr/personal/karthik September 2013 Karthikeyan Bhargavan (INRIA)

800 views • 58 slides
Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery

Outline Security Protocols Societal issues and cryptography CS 239 Key recovery cryptosystems Computer Security Designing secure protocols February 10, 2003 Basic protocols Key exchange Lecture 8 Lecture 8 Page 1 Page

148 views • 10 slides

More recommend