security notions for bidirectional channels
play

Security Notions for Bidirectional Channels Giorgia Azzurra Marson - PowerPoint PPT Presentation

Nov 03, 2023 •207 likes •602 views

Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017 Tokyo, Japan 1 / 11 Outline Secure channels and how they are modeled Security notions for bidirectional channels Analysis of bidirectional

  1. Security Notions for Bidirectional Channels Giorgia Azzurra Marson Bertram Poettering FSE 2017 Tokyo, Japan 1 / 11

  2. Outline Secure channels and how they are modeled Security notions for bidirectional channels Analysis of bidirectional channel design 2 / 11

  3. Communication channels • setting: two-party communication over the Internet • goal: deliver messages and preserve sending order • how to achieve this: TCP/IP Good, if there are only Alice and Bob (idealized world) m 1 , m 2 , m 3 m 1 , m 2 , m 3 network 3 / 11

  4. Cryptographic channels (a.k.a. secure channels) • setting: two-party communication over the Internet • goal: protect communication from adversaries m 1 , m 2 , m 3 m 1 , m 2 , m 3 network 4 / 11

  5. Cryptographic channels (a.k.a. secure channels) • setting: two-party communication over the Internet • goal: protect communication from adversaries • security (informally): prevent eavesdropping I shall wait. . . wait! · do not · buy now wait! · do not · buy now m 1 , m 2 , m 3 m 1 , m 2 , m 3 network 4 / 11

  6. Cryptographic channels (a.k.a. secure channels) • setting: two-party communication over the Internet • goal: protect communication from adversaries • security (informally): prevent eavesdropping and manipulation I shall wait. . . wait! · do not · buy now sell! · do not · buy now m ′ 1 , m 2 , m 3 m 1 , m 2 , m 3 network 4 / 11

  7. Cryptographic channels (a.k.a. secure channels) • setting: two-party communication over the Internet • goal: protect communication from adversaries • security (informally): prevent eavesdropping and manipulation I shall wait. . . wait! · do not · buy now do not · wait! · buy now m 1 , m 2 , m 3 m 2 , m 1 , m 3 network 4 / 11

  8. Cryptographic channels (a.k.a. secure channels) • setting: two-party communication over the Internet • goal: protect communication from adversaries • security (informally): prevent eavesdropping and manipulation make real world close to idealized world I shall wait. . . wait! · do not · buy now do not · wait! · buy now m 1 , m 2 , m 3 m 2 , m 1 , m 3 network 4 / 11

  9. Modeling channel security [BKN’02] Confidentiality • intuitively: ciphertext hides plaintext • formally: IND-CPA (a.k.a. ‘passive’) b ? ( m 0 , m 1 ) m b c ∗ 5 / 11

  10. Modeling channel security [BKN’02] Confidentiality • intuitively: ciphertext hides plaintext • formally: IND-CPA (a.k.a. ‘passive’) and IND-CCA (a.k.a. ‘active’) b ? ( m 0 , m 1 ) m b c ′ 1 , c ′ 2 , c ′ m ′ 1 , m ′ 2 , m ′ c ∗ 3 3 5 / 11

  11. Modeling channel security [BKN’02] Confidentiality • intuitively: ciphertext hides plaintext • formally: IND-CPA (a.k.a. ‘passive’) and IND-CCA (a.k.a. ‘active’) Integrity • intuitively: manipulations are detected • formally: INT-PTXT c ′ 1 , c ′ 2 , c ′ m ′ 1 , m ′ 2 , m ′ m 1 , m 2 , m 3 c 1 , c 2 , c 3 3 3 5 / 11

  12. Modeling channel security [BKN’02] Confidentiality • intuitively: ciphertext hides plaintext • formally: IND-CPA (a.k.a. ‘passive’) and IND-CCA (a.k.a. ‘active’) Integrity • intuitively: manipulations are detected • formally: INT-PTXT and INT-CTXT c ′ 1 , c ′ 2 , c ′ m 1 , m 2 , m 3 c 1 , c 2 , c 3 m 1 , m 2 , m 3 3 5 / 11

  13. Modeling channel security [BKN’02] Confidentiality • intuitively: ciphertext hides plaintext • formally: IND-CPA (a.k.a. ‘passive’) and IND-CCA (a.k.a. ‘active’) Integrity • intuitively: manipulations are detected • formally: INT-PTXT and INT-CTXT both incorporate replay and reordering protection m 1 , m 2 , m 3 c 1 , c 2 , c 3 c 1 , c 3 , c 2 m 1 , m 3 , m 2 5 / 11

  14. Cryptographic channels in theory: state of the art • channel security: IND-CPA + INT-CTXT (= ⇒ IND-CCA ) • also called ‘stateful authenticated encryption’ (stateful AE) • introduced to analyze (and prove) SSH channel security [BKN02] • reference model to analyse TLS [JKSS12,KPW13,. . . ] 6 / 11

  15. Cryptographic channels in theory: state of the art • channel security: IND-CPA + INT-CTXT (= ⇒ IND-CCA ) • also called ‘stateful authenticated encryption’ (stateful AE) • introduced to analyze (and prove) SSH channel security [BKN02] • reference model to analyse TLS [JKSS12,KPW13,. . . ] stateful AE considered good abstraction of a secure channel stateful AE 6 / 11

  16. Channels are used for bidirectional communication • prior work: ‘Sender → Receiver’ communication • practice: channels protect bidirectional communication • standard approach employs two independent unidirectional channels canonic composition of unidirectional channels 7 / 11

  17. Channels are used for bidirectional communication • prior work: ‘Sender → Receiver’ communication • practice: channels protect bidirectional communication • standard approach employs two independent unidirectional channels • does this yield a secure bidirectional channel? • folklore: unidirectional security = ⇒ bidirectional security canonic composition of unidirectional channels 7 / 11

  18. Channels are used for bidirectional communication • prior work: ‘Sender → Receiver’ communication • practice: channels protect bidirectional communication • standard approach employs two independent unidirectional channels • does this yield a secure bidirectional channel? • folklore: unidirectional security = ⇒ bidirectional security what does it mean ‘bidirectional security’? what is an what is reordering? active attack? 7 / 11

  19. Our contribution in a nutshell Defining bidirectional security • confidentiality: IND-2-CPA, IND-2-CCA • integrity: INT-2-PTXT, INT-2-CTXT • notions reflect that → and ← are not independent of each other 8 / 11

  20. Our contribution in a nutshell Defining bidirectional security • confidentiality: IND-2-CPA, IND-2-CCA • integrity: INT-2-PTXT, INT-2-CTXT • notions reflect that → and ← are not independent of each other Relations among notions • INT-2-CTXT = ⇒ INT-2-PTXT • IND-2-CCA = ⇒ IND-2-CPA • INT-2-CTXT + IND-2-CPA = ⇒ IND-2-CCA 8 / 11

  21. Our contribution in a nutshell Defining bidirectional security • confidentiality: IND-2-CPA, IND-2-CCA • integrity: INT-2-PTXT, INT-2-CTXT • notions reflect that → and ← are not independent of each other Relations among notions • INT-2-CTXT = ⇒ INT-2-PTXT • IND-2-CCA = ⇒ IND-2-CPA • INT-2-CTXT + IND-2-CPA = ⇒ IND-2-CCA Analysis of the canonic composition • question: can security be lifted from unidirectional components? • our results question common belief. . . 8 / 11

  22. Active attacks in a bidirectional setting active ≈ deviation from honest behavior manipulation of ciphertexts or of their order (akin to unidirectional setting) 9 / 11

  23. Active attacks in a bidirectional setting active ≈ deviation from honest behavior manipulation of ciphertexts or of their order (akin to unidirectional setting) c 1 s 1 9 / 11

  24. Active attacks in a bidirectional setting active ≈ deviation from honest behavior manipulation of ciphertexts or of their order (akin to unidirectional setting) c ′ r 2 c 1 s 1 9 / 11

  25. Active attacks in a bidirectional setting active ≈ deviation from honest behavior manipulation of ciphertexts or of their order (akin to unidirectional setting) Our model additionally allows to express that: • ‘passive’ query may chronologically follow ‘active’ query (concurrency) c ′ r 2 c 1 r s 3 1 9 / 11

  26. Active attacks in a bidirectional setting active ≈ deviation from honest behavior manipulation of ciphertexts or of their order (akin to unidirectional setting) Our model additionally allows to express that: • ‘passive’ query may chronologically follow ‘active’ query (concurrency) c 2 s 4 c ′ r 2 c 1 r s 3 1 9 / 11

  27. Active attacks in a bidirectional setting active ≈ deviation from honest behavior manipulation of ciphertexts or of their order (akin to unidirectional setting) Our model additionally allows to express that: • ‘passive’ query may chronologically follow ‘active’ query (concurrency) • active attack on ← may influence security of → c 2 r 5 s 4 c ′ r 2 c 1 r s 3 1 9 / 11

  28. Bidirectional security of the canonic composition Generic analysis: can security be lifted from unidirectional components? • INT-PTXT + INT-PTXT = ⇒ INT-2-PTXT • INT-CTXT + INT-CTXT = ⇒ INT-2-CTXT • IND-CPA + IND-CPA = ⇒ INT-2-CPA 10 / 11

  29. Bidirectional security of the canonic composition Generic analysis: can security be lifted from unidirectional components? • INT-PTXT + INT-PTXT = ⇒ INT-2-PTXT • INT-CTXT + INT-CTXT = ⇒ INT-2-CTXT • IND-CPA + IND-CPA = ⇒ INT-2-CPA • IND-CCA + IND-CCA � = ⇒ INT-2-CCA 10 / 11

  30. Bidirectional security of the canonic composition Generic analysis: can security be lifted from unidirectional components? • INT-PTXT + INT-PTXT = ⇒ INT-2-PTXT • INT-CTXT + INT-CTXT = ⇒ INT-2-CTXT } = ⇒ IND-2-CCA • IND-CPA + IND-CPA = ⇒ INT-2-CPA • IND-CCA + IND-CCA � = ⇒ INT-2-CCA Bidirectional security of TLS and SSH (the good news) • TLS and SSH channel offer stateful AE security [K01,BKN02,PRS11] Encode-then-E&M for SSH, CBC-based M-then-E for TLS • our result: they also offer IND-2-CCA and INT-2-CTXT security 10 / 11

  31. Summary This work • formalize security notions for bidirectional channels • analyze ‘canonic composition’ • confirm security of (crypto core of) TLS and SSH channels 11 / 11

Recommend

Unlimited Event Channels David Vrabel 24 October 2013 What are Event Channels?

Unlimited Event Channels David Vrabel 24 October 2013 What are Event Channels?

Unlimited Event Channels David Vrabel 24 October 2013 What are Event Channels? Paravirtual interrupts Edge triggered Bidirectional Directed at a single VCPU 24 October 2013 Unlimited Event Channels 2 / 13 How do

140 views • 13 slides
Fine-Grained Bandwidth Adaptivity in Networks-on-Chip Using Bidirectional Channels Robert Hesse ,

Fine-Grained Bandwidth Adaptivity in Networks-on-Chip Using Bidirectional Channels Robert Hesse ,

Fine-Grained Bandwidth Adaptivity in Networks-on-Chip Using Bidirectional Channels Robert Hesse , Jeff Nicholls, Natalie Enright Jerger University of Toronto May 10, 2012 Friday, 11 May, 12 Motivation May 10, 2012 2 University of Toronto

990 views • 97 slides
Bidirectional Flow Measurement, IPFIX, and Security Analysis Elisa Boschi, Hitachi Europe SAS

Bidirectional Flow Measurement, IPFIX, and Security Analysis Elisa Boschi, Hitachi Europe SAS

Bidirectional Flow Measurement, IPFIX, and Security Analysis Elisa Boschi, Hitachi Europe SAS Brian Trammell, CERT/NetSA Tuesday, October 10, 2006 FloCon 2006 - Vancouver, WA, US Introduction and Motivation Bidirectional flow (biflow)

418 views • 12 slides
New Notions of Security: Universal Composability without Trusted Setup Manoj Prabhakaran &

New Notions of Security: Universal Composability without Trusted Setup Manoj Prabhakaran &

New Notions of Security: Universal Composability without Trusted Setup Manoj Prabhakaran & Amit Sahai Princeton University To appear in STOC04 Defining Security Central Problem in Cryptography Understanding what we want and what we

1.13k views • 34 slides
Advanced security notions for the SSH secure channel: theory and practice Kenny Paterson -

Advanced security notions for the SSH secure channel: theory and practice Kenny Paterson -

Advanced security notions for the SSH secure channel: theory and practice Kenny Paterson - @kennyog Based on joint work with Martin Albrecht, Jean Paul Degabriele and Torben Hansen Information Security Group Overview 1. Introducing SSH 2. SSH

817 views • 52 slides
Objectives Security Notions of MACs NMACs and HMACs CBC-MACs Low Power Ajit Pal

Objectives Security Notions of MACs NMACs and HMACs CBC-MACs Low Power Ajit Pal

Message Authentication Codes (MACs) Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Security Notions of MACs NMACs and HMACs

158 views • 12 slides
Bidirectional Transformations a PL perspective BIRS meeting on BX, 2013 Bidirectional

Bidirectional Transformations a PL perspective BIRS meeting on BX, 2013 Bidirectional

Bidirectional Transformations a PL perspective BIRS meeting on BX, 2013 Bidirectional Transformations (BX) to A B from database source materialized view software model code document representation screen visualization

1.27k views • 82 slides
Security Notions 1

Security Notions 1

Security Notions 1 Unbreakable Cryptosystems ??? Almost all of the practical cryptosystems are theoretically breakable given the time are theoretically breakable given

1.1k views • 37 slides
White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile

White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile

White-Box Security Notions for Symmetric Encryption Schemes ee 1 ede Lepoint 1 , 2 C ecile Delerabl Tancr` Pascal Paillier 1 Matthieu Rivain 1 CryptoExperts 1 , erieure 2 Ecole Normale Sup SAC 2013 Outline 1 What is white-box

406 views • 38 slides
Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove.

Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove.

Simulatable Channels: Extended Security that is Universally Composable and Easier to Prove. ASIACRYPT 2018 J. P. Degabriele M. Fischlin 1 What this talk is about We propose and explore new security definitions for symmetric encryption

819 views • 24 slides
Towards Security Notions for Motivation: White-Box Cryptography White-Box Cryptography

Towards Security Notions for Motivation: White-Box Cryptography White-Box Cryptography

ISC conference, September 2009, Pisa, Italy Outline Towards Security Notions for Motivation: White-Box Cryptography White-Box Cryptography The Theory of Obfuscation Brecht Wyseur (im)possibility results ISC 2009, September 2009

280 views • 3 slides
Blockcipher Security Notions Martijn Stam Department of Computer Science, University Of Bristol,

Blockcipher Security Notions Martijn Stam Department of Computer Science, University Of Bristol,

1 / 24 Blockcipher Security Notions Martijn Stam Department of Computer Science, University Of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB United Kingdom. Sibenik, 7 June 2016 Basic Syntax of Blockciphers DES

882 views • 85 slides
Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that

Covert and Side Channels Robert Brotzman-Smith Covert Channels Any communication channel that can be exploited by a process to transfer information in a manner that violates the systems security policy US DoD 1985 Basically a

1.04k views • 67 slides
Data Security: The art of providing secure communication over insecure channels. Not a problem

Data Security: The art of providing secure communication over insecure channels. Not a problem

Data Security: The art of providing secure communication over insecure channels. Not a problem that suddenly arose when computers were invented - its as old as mankind. Data Security falls naturally into two cathegories: * Confidentiality

542 views • 16 slides
Consolidating Security Notions in Hardware Masking CHES 2019 Lauren De Meyer, Begl Bilgin,

Consolidating Security Notions in Hardware Masking CHES 2019 Lauren De Meyer, Begl Bilgin,

Consolidating Security Notions in Hardware Masking CHES 2019 Lauren De Meyer, Begl Bilgin, Oscar Reparaz P ROBLEM : SIDE - CHANNEL ANALYSIS S OLUTION : M ASKING P ROBING MODEL [ISW03] Adversary can probe up to intermediate values

885 views • 34 slides
Effects of Approximate Filtering on the Appearance of Bidirectional Texture Functions Adrian

Effects of Approximate Filtering on the Appearance of Bidirectional Texture Functions Adrian

Effects of Approximate Filtering on the Appearance of Bidirectional Texture Functions Adrian Jarabo, Hongzhi Wu, Julie Dorsey, Holly Rushmeier, Diego Gutierrez Bidirectional Texture Function [Filip et al.11] Bidirectional Texture Function

483 views • 34 slides
From obfuscation to white-box crypto: relaxation and security notions Matthieu Rivain WhibOx

From obfuscation to white-box crypto: relaxation and security notions Matthieu Rivain WhibOx

From obfuscation to white-box crypto: relaxation and security notions Matthieu Rivain WhibOx 2016, 14 Aug, UCSB What does this program do?

709 views • 66 slides
Image Retargeting Shai Avidan Tel Aviv University Bidirectional Similarity (Simakov et al.

Image Retargeting Shai Avidan Tel Aviv University Bidirectional Similarity (Simakov et al.

Image Retargeting Shai Avidan Tel Aviv University Bidirectional Similarity (Simakov et al. 2008) The Bidirectional (dis)similarity measure for images S and T: Goal: Given S, find T s.t. min d(S,T) Bidirectional Similarity The error

929 views • 33 slides
Building Secure Channels Kenny Paterson Information Security Group

Building Secure Channels Kenny Paterson Information Security Group

Building Secure Channels Kenny Paterson Information Security Group Overview Why do we need secure channels? What properties should they have?

480 views • 31 slides
Lecture 13 - Bidirectional Welcome! , = (, ) ,

Lecture 13 - Bidirectional Welcome! , = (, ) ,

INFOMAGR Advanced Graphics Jacco Bikker - November 2019 - February 2020 Lecture 13 - Bidirectional Welcome! , = (, ) , + , , ,

828 views • 51 slides
Lecture 14 - Bidirectional Welcome! , = (, ) ,

Lecture 14 - Bidirectional Welcome! , = (, ) ,

INFOMAGR Advanced Graphics Jacco Bikker - November 2018 - February 2019 Lecture 14 - Bidirectional Welcome! , = (, ) , + , , ,

907 views • 44 slides
Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS

Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS

Chapter 6 Marks and Channels Vis/Visual Analytics, Chap 6 Marks/Channels 1 CGGM Lab., CS Dept., NCTU Jung Hong Chuang The Big Picture Marks Basic graphical elements in an image Channels Visual channels to control the

667 views • 43 slides
Ideal quasi-normal convergence and related notions y , J . Pratulananda Das , L . Bukovsk

Ideal quasi-normal convergence and related notions y , J . Pratulananda Das , L . Bukovsk

Basic notions Properties of the Ideal and Decompositions Equivalences with classical notions ( I , J )QN, ( I , J )wQN and properties of C p ( X ) I - -covers Ideal quasi-normal convergence and related notions y , J . Pratulananda Das

646 views • 62 slides
Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda,

Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda,

Outline Introduction HISPs Proposed OOB Methods Experimental Design Results Analysis and Discussion Conclusion Usability and Security of Out-Of-Band Channels in Secure Device Pairing Protocols Ronald Kainda, Ivan Flechais, and A.W.

670 views • 41 slides

More recommend