symbolic protocol analysis in presence of a homomorphism
play

Symbolic Protocol Analysis in Presence of a Homomorphism Operator and - PowerPoint PPT Presentation

Sep 05, 2023 •643 likes •983 views

Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Pascal Lafourcade (with St ephanie Delaune, Denis Lugiez & Ralf Treinen)

  1. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Pascal Lafourcade (with St´ ephanie Delaune, Denis Lugiez & Ralf Treinen) Venise Italy ∗∗∗∗ LSV, CNRS UMR 8643, ENS de Cachan & INRIA Futurs LIF, Universit´ e Aix-Marseille 1 & CNRS UMR 6166 ICALP 10th July 2006 1/25

  2. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Motivation Introduction Symbolic approach • Intruder controls the network • Messages represented by terms - { m } k - � m 1 , m 2 � • Number of sessions bounded • Perfect encryption hypothesis 2/25

  3. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Motivation Introduction Symbolic approach • Intruder controls the network • Messages represented by terms - { m } k - � m 1 , m 2 � • Number of sessions bounded • Perfect encryption hypothesis Advantages • Automatic verification • Useful abstraction 2/25

  4. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Motivation Introduction Symbolic approach • Intruder controls the network • Messages represented by terms - { m } k - � m 1 , m 2 � • Number of sessions bounded • Perfect encryption hypothesis + algebraic properties Advantages • Automatic verification • Useful abstraction 2/25

  5. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Motivation Example: Key Exchange TMN Protocol (simplified) TMN Protocol: Distribution of a fresh symmetric key [Tatebayashi, Matsuzuki, Newmann 89]: A S W → : A , W , { N A } Pub S → : S , A ← : W , A , { N W } Pub S ← : S , W , N A ⊕ N W Alice retrieves N W : Using x ⊕ x = 0 and x ⊕ 0 = x , knowing N A 3/25

  6. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Motivation Example: Key Exchange TMN Protocol (simplified) Attack on TMN Protocol [Simmons 89] With homomorphic encryption { a } k ⊕ { b } k = { a ⊕ b } k C S Q → : C , Q , { N W } Pub S ⊕ { N C } Pub S � �� � { N W ⊕ N C } PubS → : S , C ← : Q , C , { N Q } Pub S ← : S , ( N W ⊕ N C ) ⊕ N Q Cheshire Learns: N W Using x ⊕ x = 0 and x ⊕ 0 = x , knowing N C and N Q 4/25

  7. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Motivation Example: Key Exchange TMN Protocol (simplified) Attack on TMN Protocol [Simmons 89] With homomorphic function h ( a ) ⊕ h ( b ) = h ( a ⊕ b ) C S Q → : C , Q , h ( N W ) ⊕ h ( N C ) � �� � h ( N W ⊕ N C ) → : S , C ← : Q , C , h ( N Q ) ← : S , ( N W ⊕ N C ) ⊕ N Q Cheshire Learns: N W Using x ⊕ x = 0 and x ⊕ 0 = x , knowing N C and N Q 5/25

  8. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or State of the Art Intruder Capabilities Deduction System: Extended Dolev-Yao T ⊢ � u , v � u ∈ T (A) (UL) T ⊢ u T ⊢ u (UR) T ⊢ � u , v � T ⊢ u T ⊢ v (P) T ⊢ � u , v � T ⊢ v T ⊢ { u } v T ⊢ v T ⊢ u T ⊢ v (C) (D) T ⊢ { u } v T ⊢ u T ⊢ u 1 · · · T ⊢ u n ( M E ) C is an context made with { h , ⊕} T ⊢ C [ u 1 , . . . , u n ] ↓ Example for M E T ⊢ a ⊕ h ( a ) T ⊢ bT ⊢ a ⊕ h 2 ( a ) ⊕ h ( b ) C [ u 1 , u 2 ] = u 1 ⊕ h ( u 1 ) ⊕ h ( u 2 ) 6/25

  9. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or State of the Art Intruder Deduction Problem Passive Intruder with homomorphisme and Xor Theorem of Locality [LLT’05,Del’05] A minimal proof P of T ⊢ u contains only computable terms. Complexity of Intruder Deduction [Del’05] T ⊢ u (for T , u ground) is decidable in PTIME The proof uses • McAllester’s locality theorem • linear equation solving over Z / 2 Z [ h ] 7/25

  10. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or State of the Art Security Problem Some Results to Active Intruder XOR : ACUN [Rusinowitch & al 03] [Comon-Shmatikov 03] • ( x ⊕ y ) ⊕ z = x ⊕ ( y ⊕ z ) Associativity • x ⊕ y = y ⊕ x Commutativity • x ⊕ 0 = x Unity • x ⊕ x = 0 Nilpotency Abelian Group and Exponential : AG [Millen-Shmatikov 05] • ( x ⊕ y ) ⊕ z = x ⊕ ( y ⊕ z ) Associativity • x ⊕ y = y ⊕ x Commutativity • x ⊕ 0 = x Unity • x ⊕ I ( x ) = 0 Inversion 8/25

  11. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or State of the Art Security Problem Our contribution Homomorphism over XOR : ACUNh • h ( x ⊕ y ) = h ( x ) ⊕ h ( y ) • ( x ⊕ y ) ⊕ z = x ⊕ ( y ⊕ z ) Associativity • x ⊕ y = y ⊕ x Commutativity • x ⊕ 0 = x Unity • x ⊕ x = 0 Nilpotency Theorem The security problem with a bounded number of sessions is decidable with ACUNh. 9/25

  12. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or State of the Art Security Problem Outline 1 Motivation Introduction Example: Key Exchange TMN Protocol (simplified) 2 State of the Art Intruder Capabilities Intruder Deduction Problem Security Problem 3 Modelisation of Protocols (Active Attacker) Constraints System Well-defined Constraints System 4 From Well-defined Constraints System to System of Equations 5 Conclusion 10/25

  13. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Outline 1 Motivation Introduction Example: Key Exchange TMN Protocol (simplified) 2 State of the Art Intruder Capabilities Intruder Deduction Problem Security Problem 3 Modelisation of Protocols (Active Attacker) Constraints System Well-defined Constraints System 4 From Well-defined Constraints System to System of Equations 5 Conclusion 11/25

  14. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Constraints System Modelisation of a protocol in a system of constraint The Intruder is the network, he can listen, built, send and replay messages.  recv ( u 1 ); send ( v 1 )   recv ( u 2 ); send ( v 2 )   := P . . .    recv ( u n ); send ( v n )  T 0 Intruder initial knowledge.  T 0 � u 1   T 0 , v 1 � u 2   C := . . .     T 0 , v 1 , . . . , v n � s If this system has a solution σ then the secret s can be obtain by the Intruder. 12/25

  15. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Well-defined Constraints System System of Constraints Well-formed [Millen-Shmatikov 03] C = { T i � u i } 1 ≤ i ≤ k is well-formed if: • monotonicity : The knowledge of the intruder is increasing. T 1 ⊆ T 2 ⊆ . . . ⊆ T k • origination : Variables appear first on right side: x ∈ vars ( T i ) ⇒ ∃ j < i such that : x ∈ vars ( u j ) System of Constraints Well-defined [Millen-Shmatikov 03] C is well-defined if for every substitution θ , C θ is well-formed. 13/25

  16. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Well-defined Constraints System System of Constraints Well-formed [Millen-Shmatikov 03] C = { T i � u i } 1 ≤ i ≤ k is well-formed if: • monotonicity : The knowledge of the intruder is increasing. T 1 ⊆ T 2 ⊆ . . . ⊆ T k • origination : Variables appear first on right side: x ∈ vars ( T i ) ⇒ ∃ j < i such that : x ∈ vars ( u j ) System of Constraints Well-defined [Millen-Shmatikov 03] C is well-defined if for every substitution θ , C θ is well-formed. 13/25

  17. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Well-defined Constraints System Well-Definedness: Example � T 0 X ⊕ Y � C := T 0 , X c � 14/25

  18. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Well-defined Constraints System Well-Definedness: Example � T 0 X ⊕ Y � C := T 0 , X c � Monotonicity OK ! 14/25

  19. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Well-defined Constraints System Well-Definedness: Example � T 0 X ⊕ Y � C := T 0 , X c � Monotonicity OK ! Origination OK ! 14/25

  20. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or Modelisation of Protocols (Active Attacker) Well-defined Constraints System Well-Definedness: Example � T 0 X ⊕ Y � C := T 0 , X c � Monotonicity OK ! Origination OK ! But NOT well-defined ! θ = { Y → X } and C θ is not well-formed: � T 0 0 � C θ := T 0 , X c � 14/25

  21. Symbolic Protocol Analysis in Presence of a Homomorphism Operator and Exclusive-Or From Well-defined Constraints System to System of Equations Outline 1 Motivation Introduction Example: Key Exchange TMN Protocol (simplified) 2 State of the Art Intruder Capabilities Intruder Deduction Problem Security Problem 3 Modelisation of Protocols (Active Attacker) Constraints System Well-defined Constraints System 4 From Well-defined Constraints System to System of Equations 5 Conclusion 15/25

Recommend

1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

1 Roscoe 95, Schneider 96, Compositionality Language Approach Abadi-Gordon97

Probabilistic Polynomial-Time Standard analysis methods Process Calculus for Security Finite-state analysis Protocol Analysis Easier Dolev-Yao model Symbolic search of protocol runs Proofs of correctness in formal logic

258 views • 7 slides
Part 2: Finding Protocol Flaws with Symbolic Analysis The Needham-Schroeder problem In Using

Part 2: Finding Protocol Flaws with Symbolic Analysis The Needham-Schroeder problem In Using

Part 2: Finding Protocol Flaws with Symbolic Analysis The Needham-Schroeder problem In Using encryption for authentication in large networks of computers (CACM 1978) , Needham and Schroeder didnt just initiate a field that led to widely

1.32k views • 104 slides
Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef

Symbolic Execution of Security Protocol Impl.: Handling Cryptographic Primitives Mathy Vanhoef @vanhoefm USENIX WOOT, Baltimore, US, 14 August 2018 Overview Symbolic Execution 4-way handshake Handling Crypto Results 2 Overview Symbolic

446 views • 41 slides
Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units

Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units

Symbolic data analysis V. Batagelj Symbolic data analysis Symbolic data analysis Clustering of large data sets of mixed units Clustering and optimization Leaders method Vladimir Batagelj Agglomerative method Examples IMFM Ljubljana

871 views • 33 slides
Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps

Hierarchical Exact Symbolic Analysis y y of Large Analog Integrated Circuits By Symbolic Stamps Symbolic Stamps Hui Xu, Guoyong Shi and Xiaopeng Li School of Microelectronics, Shanghai Jiao Tong Univ. Shanghai, China Presentation at Asia

655 views • 36 slides
Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA,

Introduction Symbolic Model Computational Model Implementations Conclusion Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS Bruno.Blanchet@ens.fr March 2012

905 views • 53 slides
Constrained homomorphism orders Jan Hubi cka Charles University Prague Joint work with Jirka

Constrained homomorphism orders Jan Hubi cka Charles University Prague Joint work with Jirka

The homomorphism order Constrained homomorphisms Locally constrained homomorphism orders Constrained homomorphism orders Jan Hubi cka Charles University Prague Joint work with Jirka Fiala and Yangjing Long BGW2012, Bordeaux Jan Hubi

941 views • 81 slides
Computational Verification of C Protocol Implementations by Symbolic Execution Mihhail Aizatulin 1

Computational Verification of C Protocol Implementations by Symbolic Execution Mihhail Aizatulin 1

Computational Verification of C Protocol Implementations by Symbolic Execution Mihhail Aizatulin 1 Andrew Gordon 23 urjens 4 Jan J 1 The Open University 2 Microsoft Research Cambridge 3 University of Edinburgh 4 Dortmund University October 2012

426 views • 28 slides
Protocol Analysis 17-654/17-764 Analysis of Software Artifacts Kevin Bierhoff Take-Aways

Protocol Analysis 17-654/17-764 Analysis of Software Artifacts Kevin Bierhoff Take-Aways

Protocol Analysis 17-654/17-764 Analysis of Software Artifacts Kevin Bierhoff Take-Aways Protocols define temporal ordering of events Can often be captured with state machines Protocol analysis needs to pay attention to

602 views • 33 slides
Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail Aizatulin 1 supervised by Andrew Gordon 23 , Jan J urjens 4 , Bashar Nuseibeh 1 1 The Open University 2 Microsoft Research Cambridge 3 University of

543 views • 29 slides
Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2.

Lazy Heap Analysis with Symbolic Memory Graphs Alexander Driemeyer Outline 1. Motivation 2. CPAchecker and Symbolic Memory Graphs 3. Abstractions of Symbolic Memory Graphs 4. Using counterexample guided abstraction refinement with Symbolic

412 views • 24 slides
A Weil descent homomorphism over the base field Darlison Nyirenda and Ed Schaefer University of

A Weil descent homomorphism over the base field Darlison Nyirenda and Ed Schaefer University of

A Weil descent homomorphism over the base field Darlison Nyirenda and Ed Schaefer University of Witwatersrand and Santa Clara University October 11, 2013 A homomorphism from an abelian variety to a group with sub-expl DLP, that is defined

439 views • 23 slides
Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan

Symbolic String Verification: Combining String Analysis and Size Analysis Symbolic String Verification: Combining String Analysis and Size Analysis Fang Yu Tevfik Bultan Oscar H. Ibarra Deptartment of Computer Science University of California

477 views • 36 slides
NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine

NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine

NEW ADVANCES IN SYMBOLIC DATA ANALYSIS and SPATIAL CLASSIFICATION. Edwin Diday Paris Dauphine University Remembering Suzanne WINSBERG This talk is dedicated to her OUTLINE PART 1: SYMBOLIC DATA ANALYSIS The two levels of

1.29k views • 89 slides
1 Use second form Sample Protocol Goals Given set of traces Authenticity: who sent it?

1 Use second form Sample Protocol Goals Given set of traces Authenticity: who sent it?

TECS Week 2005 Analysis Techniques Protocol Verification by the Inductive Method Crypto Protocol Analysis Dolev-Yao Formal Models Computational Models (perfect cryptography) Random oracle Probabilistic process calculi John Mitchell

63 views • 4 slides
The exponential homomorphism in non-commutative probability Michael Anshelevich (joint work with

The exponential homomorphism in non-commutative probability Michael Anshelevich (joint work with

The exponential homomorphism in non-commutative probability Michael Anshelevich (joint work with Octavio Arizmendi) Texas A&amp;M University March 25, 2016 Michael Anshelevich Exponential homomorphism Classical convolutions. Additive:

596 views • 23 slides
Encryption Beyond Group Homomorphism: Bilinear Groups Lecture 18 l l a c e

Encryption Beyond Group Homomorphism: Bilinear Groups Lecture 18 l l a c e

Encryption Beyond Group Homomorphism: Bilinear Groups Lecture 18 l l a c e Homomorphic Encryption R Group Homomorphism: Two groups G and G are homomorphic if there exists a function (homomorphism) f:G G such that for all

838 views • 14 slides
Encryption Beyond Group Homomorphism Bilinear Groups Lecture 18 l l a c e

Encryption Beyond Group Homomorphism Bilinear Groups Lecture 18 l l a c e

Encryption Beyond Group Homomorphism Bilinear Groups Lecture 18 l l a c e Homomorphic Encryption R Group Homomorphism: Two groups G and G are homomorphic if there exists a function (homomorphism) f:G G such that for all

556 views • 12 slides
Symbolic local Fourier Analysis Veronika Pillwein RISC Challenges in 21st Century Experimental

Symbolic local Fourier Analysis Veronika Pillwein RISC Challenges in 21st Century Experimental

Symbolic local Fourier Analysis Veronika Pillwein RISC Challenges in 21st Century Experimental Mathematical Computation, July 2125, 2014, ICERM, Brown University Symbolic local Fourier Analysis (and some Special Functions Inequalities)

1.21k views • 82 slides
Symbolic Data Analysis Tools Symbolic Data Analysis Tools for Recommendation Systems for

Symbolic Data Analysis Tools Symbolic Data Analysis Tools for Recommendation Systems for

Symbolic Data Analysis Tools Symbolic Data Analysis Tools for Recommendation Systems for Recommendation Systems Byron Leite Dantas Bezerra Byron Leite Dantas Bezerra bldb@dsc.upe.br bldb@dsc.upe.br Francisco Assis Tenrio Carvalho

708 views • 34 slides
Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS

Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS

Introduction / Motivation Symbolic Method Experiments Conclusion Symbolic Approach for Side-Channel Resistance Analysis of Masked Assembly Codes Workshop PROOFS In` es Ben El Ouahma Quentin Meunier Karine Heydemann Emmanuelle Encrenaz

271 views • 25 slides
Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90:

Outline Static Analysis: Symbolic Execution and Inductive Verification Methods Overview TDDC90: Software Security Symbolic Execution Ahmed Rezine Hoare Triples and Deductive Reasoning IDA, Linkpings Universitet Hsttermin 2014 Static

373 views • 6 slides
Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security

Static Analysis: Symbolic Execution and Inductive Verification Methods TDDC90: Software Security Ahmed Rezine IDA, Linkpings Universitet Hsttermin 2020 Outline Overview Symbolic Execution Hoare Triples and Deductive Reasoning Outline

767 views • 33 slides
Math 3230 Abstract Algebra I Sec 4.3: The fundamental homomorphism theorem Slides created by M.

Math 3230 Abstract Algebra I Sec 4.3: The fundamental homomorphism theorem Slides created by M.

Math 3230 Abstract Algebra I Sec 4.3: The fundamental homomorphism theorem Slides created by M. Macauley, Clemson (Modified by E. Gunawan, UConn) http://egunawan.github.io/algebra Abstract Algebra I Sec 4.3 The fundamental homomorphism theorem

506 views • 11 slides

More recommend