v erification de protocoles cryptographiques en pr esence
play

V erification de protocoles cryptographiques en pr esence de th - PowerPoint PPT Presentation

Aug 16, 2023 •365 likes •1.12k views

V erification de protocoles cryptographiques en pr esence de th eories equationnelles V erification de protocoles cryptographiques en pr esence de th eories equationnelles Pascal Lafourcade LSV, UMR 8643, CNRS, ENS de

  1. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Pascal Lafourcade LSV, UMR 8643, CNRS, ENS de Cachan & INRIA Futurs LIF, UMR 6166, CNRS & Universit´ e Aix-Marseille 1 Cachan : September 25th 2006 1 / 37

  2. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Cryptographic Protocols Osiris communicates with Isis via the net. 2 / 37

  3. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Cryptographic Protocols Intruder Osiris communicates with Isis via the net. 2 / 37

  4. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Cryptographic Protocols Intruder Osiris communicates with Isis via the net. Secrecy Property: Intruder cannot learn a secret data. 2 / 37

  5. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Applications 3 / 37

  6. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Cryptography Symmetric Encryption (DES, AES) encryption decryption symmetric key 4 / 37

  7. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Cryptography Symmetric Encryption (DES, AES) encryption decryption symmetric key Asymmetric Encryption (RSA) encryption decryption public key private key 4 / 37

  8. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Example : 5 / 37

  9. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Example : 5 / 37

  10. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Example : 5 / 37

  11. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Example : Shamir 3-Pass Protocol 1 O → I : { m } K O 5 / 37

  12. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Example : Shamir 3-Pass Protocol 1 O → I : { m } K O 2 I → O : {{ m } K O } K I 5 / 37

  13. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Example : Shamir 3-Pass Protocol 1 O → I : { m } K O Commutative 2 I → O : {{ m } K O } K I = {{ m } K I } K O Encryption 5 / 37

  14. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Example : Shamir 3-Pass Protocol 1 O → I : { m } K O Commutative 2 I → O : {{ m } K O } K I = {{ m } K I } K O Encryption 3 O → I : { m } K I 5 / 37

  15. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Attacks Cryptanalysis 6 / 37

  16. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Attacks Cryptanalysis 6 / 37

  17. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Attacks Cryptanalysis Logical Attack Perfect Encryption hypothesis Needham-Schroeder Public Key Protocol (1978) “Man in the middle attack” [Lowe’96] 6 / 37

  18. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Attacks Cryptanalysis Logical Attack + Algebraic properties Perfect Encryption hypothesis Needham-Schroeder Public Key Protocol (1978) “Man in the middle attack” [Lowe’96] 6 / 37

  19. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Formal Approach Symbolic abstraction Messages represented by terms - { m } k - � m 1 , m 2 � Perfect encryption hypothesis 7 / 37

  20. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Formal Approach Symbolic abstraction Messages represented by terms - { m } k - � m 1 , m 2 � Perfect encryption hypothesis Useful abstraction [Clark & Jacob’97] Automatic verification with Tools: AVISPA, Casper/FDR, Hermes, Murphi, NRL, Proverif, Scyther ... 7 / 37

  21. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Formal Approach Symbolic abstraction Messages represented by terms - { m } k - � m 1 , m 2 � Perfect encryption hypothesis + algebraic properties Useful abstraction [Clark & Jacob’97] Automatic verification with Tools: AVISPA, Casper/FDR, Hermes, Murphi, NRL, Proverif, Scyther ... 7 / 37

  22. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation The Intruder is the Network (Worst Case) 8 / 37

  23. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation The Intruder is the Network (Worst Case) Listen Passive: Intruder deduction problem 8 / 37

  24. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation The Intruder is the Network (Worst Case) Listen Intercept message (Re)play message Passive: Intruder deduction problem Delete message Active: Security problem 8 / 37

  25. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation The Intruder is the Network (Worst Case) Listen Intercept message (Re)play message Passive: Intruder deduction problem Delete message Active: Security problem Intruder Capabilities (Dolev-Yao Model 80’s) Encryption, Decryption with a key Pairing, Projection. 8 / 37

  26. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation The Intruder is the Network (Worst Case) Listen Intercept message (Re)play message Passive: Intruder deduction problem Delete message Active: Security problem Intruder Capabilities (Dolev-Yao Model 80’s) Encryption, Decryption with a key Pairing, Projection. In general security problem undecidable [DLMS’99, AC’01] 8 / 37

  27. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation The Intruder is the Network (Worst Case) Listen Intercept message (Re)play message Passive: Intruder deduction problem Delete message Active: Security problem Intruder Capabilities (Dolev-Yao Model 80’s) Encryption, Decryption with a key Pairing, Projection. In general security problem undecidable [DLMS’99, AC’01] Bounded number of session ⇒ Decidability [AL’00, RT’01] 8 / 37

  28. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Logical Attack on Shamir 3-Pass Protocol (I) Perfect encryption one-time pad (Vernam Encryption) { m } k = m ⊕ k XOR Properties (ACUN) ( x ⊕ y ) ⊕ z = x ⊕ ( y ⊕ z ) A ssociativity x ⊕ y = y ⊕ x C ommutativity x ⊕ 0 = x U nity x ⊕ x = 0 N ilpotency 9 / 37

  29. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Logical Attack on Shamir 3-Pass Protocol (I) Perfect encryption one-time pad (Vernam Encryption) { m } k = m ⊕ k XOR Properties (ACUN) ( x ⊕ y ) ⊕ z = x ⊕ ( y ⊕ z ) A ssociativity x ⊕ y = y ⊕ x C ommutativity x ⊕ 0 = x U nity x ⊕ x = 0 N ilpotency Vernam encryption is a commutative encryption : {{ m } K O } K I = ( m ⊕ K O ) ⊕ K I = ( m ⊕ K I ) ⊕ K O = {{ m } K I } K O 9 / 37

  30. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Logical Attack on Shamir 3-Pass Protocol (II) Perfect encryption one-time pad (Vernam Encryption) { m } k = m ⊕ k Shamir 3-Pass Protocol 1 O → I : m ⊕ K O 2 I → O : ( m ⊕ K O ) ⊕ K I 3 O → I : m ⊕ K I Passive attacker : m ⊕ K O m ⊕ K O ⊕ K I m ⊕ K I 10 / 37

  31. V´ erification de protocoles cryptographiques en pr´ esence de th´ eories ´ equationnelles Introduction & Motivation Logical Attack on Shamir 3-Pass Protocol (II) Perfect encryption one-time pad (Vernam Encryption) { m } k = m ⊕ k Shamir 3-Pass Protocol 1 O → I : m ⊕ K O 2 I → O : ( m ⊕ K O ) ⊕ K I 3 O → I : m ⊕ K I Passive attacker : m ⊕ K O ⊕ m ⊕ K O ⊕ K I ⊕ m ⊕ K I = m 10 / 37

Recommend

S ecurit e des protocoles cryptographiques : aspects logiques et calculatoires Mathieu

S ecurit e des protocoles cryptographiques : aspects logiques et calculatoires Mathieu

Introduction Symbolic analysis Constraint solving Computational justification Conclusion S ecurit e des protocoles cryptographiques : aspects logiques et calculatoires Mathieu Baudet Laboratoire Sp ecification et V erification

963 views • 58 slides
M ethodologies and outils pour l evaluation des protocoles de transport dans les r

M ethodologies and outils pour l evaluation des protocoles de transport dans les r

M ethodologies and outils pour l evaluation des protocoles de transport dans les r eseaux tr` es haut d ebit Romaric Guillier , doctorant sous la direction de Pascale Vicat-Blanc Primet LIP, Ecole Normale Sup erieure de

810 views • 43 slides
Primitives et constructions cryptographiques pour la confiance numrique Damien Vergnaud

Primitives et constructions cryptographiques pour la confiance numrique Damien Vergnaud

Primitives et constructions cryptographiques pour la confiance numrique Damien Vergnaud Ecole normale sup erieure C.N.R.S. I.N.R.I.A. 3 avril 2014 D. Vergnaud (ENS) Cryptographic Primitives for Digital Confidence Apr. 3rd 2014,

1.27k views • 82 slides
A M A M IXED ED V ER ON ERIFICATION S TRATEG EGY T AILOR ED FOR OR ORED N ET ORKS ON ON C C HIP

A M A M IXED ED V ER ON ERIFICATION S TRATEG EGY T AILOR ED FOR OR ORED N ET ORKS ON ON C C HIP

A M A M IXED ED V ER ON ERIFICATION S TRATEG EGY T AILOR ED FOR OR ORED N ET ORKS ON ON C C HIP ETWOR HIP G.Tsiligiannis, L.Pierre TIMA Laboratory, Grenoble, France I NTRODUCTION Questions: Is it worth defining a specific

556 views • 23 slides
V erification de programmes avec pointeurs ` a laide de r egions et de permissions

V erification de programmes avec pointeurs ` a laide de r egions et de permissions

INRIA Saclay Universit e de Paris-Sud 11 Ile-de-France Centre dOrsay Equipe ProVal V erification de programmes avec pointeurs ` a laide de r egions et de permissions Romain Bardou pr esent ee le 14 octobre 2011

944 views • 51 slides
NORTH CAROLINA DMV Identification Requirements and erification of Lawful Status in the U.S.

NORTH CAROLINA DMV Identification Requirements and erification of Lawful Status in the U.S.

NORTH CAROLINA DMV Identification Requirements and erification of Lawful Status in the U.S. Wednesday, January 25, 2012 Step 1 Documents Required as Proof of Identification to receive a DL/ID Driver License or State Issued

743 views • 27 slides
S PECIFICATION AND V ERIFICATION OF P ROPERTIES FOR G RAPH -B ASED M ODEL T RANSFORMATIONS G EHAN

S PECIFICATION AND V ERIFICATION OF P ROPERTIES FOR G RAPH -B ASED M ODEL T RANSFORMATIONS G EHAN

S PECIFICATION AND V ERIFICATION OF P ROPERTIES FOR G RAPH -B ASED M ODEL T RANSFORMATIONS G EHAN M. K. S ELIM , L EVI L UCIO , J AMES R. C ORDY , J UERGEN D INGEL , B ENTLEY J. O AKES A GENDA Problem Statement DSLTrans Model Transformation

712 views • 25 slides
V erification des programmes dordre sup erieur Charles Grellois (travaux r ealis

V erification des programmes dordre sup erieur Charles Grellois (travaux r ealis

V erification des programmes dordre sup erieur Charles Grellois (travaux r ealis es avec Dal Lago et Melli` es) Aix-Marseille Universit e - LSIS Visite des etudiants de lENS Paris-Saclay 23 novembre 2017 Charles

593 views • 57 slides
ROM PROOFS 1 G ROTH -S AHAI P ROOFS 2 I MPLEMENTATION 3 B ATCH V ERIFICATION 4 R ESULTS 5 S

ROM PROOFS 1 G ROTH -S AHAI P ROOFS 2 I MPLEMENTATION 3 B ATCH V ERIFICATION 4 R ESULTS 5 S

O UTLINE ROM PROOFS G ROTH -S AHAI P ROOFS I MPLEMENTATION B ATCH V ERIFICATION R ESULTS S UMMARY P RACTICAL Z ERO -K NOWLEDGE P ROOFS FOR C IRCUIT E VALUATION E. Ghadafi N.P. Smart B. Warinschi Department of Computer Science, University of

788 views • 57 slides
V erification automatique de multiplicateurs avec les *BMDs Pierre Senellart 10 d ecembre

V erification automatique de multiplicateurs avec les *BMDs Pierre Senellart 10 d ecembre

V erification automatique de multiplicateurs avec les *BMDs Pierre Senellart 10 d ecembre 2002 Introduction BDDs [1] very powerful tools for veifying arithmetic circuits. But exponential on multipliers. *BMDs [2] give a

524 views • 20 slides
V erification de syst` emes avec compteurs et pointeurs Arnaud Sangnier LSV, ENS Cachan,

V erification de syst` emes avec compteurs et pointeurs Arnaud Sangnier LSV, ENS Cachan,

V erification de syst` emes avec compteurs et pointeurs Arnaud Sangnier LSV, ENS Cachan, CNRS & EDF R&D 21 Novembre 2008 Th` ese CIFRE r ealis ee dans le cadre du projet RNTL AVERILES 1 Computer systems are everywhere 2

1.18k views • 79 slides
Fondements pour la v erification des syst` emes temps-r eel et concurrents Lecture 3

Fondements pour la v erification des syst` emes temps-r eel et concurrents Lecture 3

Fondements pour la v erification des syst` emes temps-r eel et concurrents Lecture 3 Alternation and LTL extensions St ephane Demri October 8th, 2007 Summary from previous lecture B = ( , S , S 0 , , F 1 , . . . , F k ) S

638 views • 49 slides
FLAVOR: A F ORMAL L ANGUAGE FOR A POSTERIORI V ERIFICATION OF L EGAL R ULES Romuald T HION , Daniel

FLAVOR: A F ORMAL L ANGUAGE FOR A POSTERIORI V ERIFICATION OF L EGAL R ULES Romuald T HION , Daniel

Introduction F LAVOR Analysis Conclusion FLAVOR: A F ORMAL L ANGUAGE FOR A POSTERIORI V ERIFICATION OF L EGAL R ULES Romuald T HION , Daniel L E M TAYER U NIVERSIT L YON 1, L IRIS /I NRIA G RENOBLE R HNE -A LPES IEEE International

393 views • 27 slides
E FFICIENT V ERIFICATION OF R EPLICATED D ATATYPES USING L ATER A PPEARANCE R ECORDS (LAR) Madhavan

E FFICIENT V ERIFICATION OF R EPLICATED D ATATYPES USING L ATER A PPEARANCE R ECORDS (LAR) Madhavan

E FFICIENT V ERIFICATION OF R EPLICATED D ATATYPES USING L ATER A PPEARANCE R ECORDS (LAR) Madhavan Mukund, Gautham Shenoy R, S P Suresh Chennai Mathematical Institute, Chennai, India ATVA 2015, Shanghai, China, 14 October 2015 Distributed

752 views • 45 slides
SIV IN MRCP W3C Biometrics W orkshop March 2009 Overview What is MRCP? MRCPv1 SIV in MRCPv1

SIV IN MRCP W3C Biometrics W orkshop March 2009 Overview What is MRCP? MRCPv1 SIV in MRCPv1

SIV IN MRCP W3C Biometrics W orkshop March 2009 Overview What is MRCP? MRCPv1 SIV in MRCPv1 MRCPv2 SIV Goals V erification Resource Security Model V erification Example What is MRCP? Media Resource Control Protocol Protocol - level

539 views • 12 slides
EMC D IRECTIVE 2014/30/EU V ERIFICATION C OMPLIANCE S TATEMENT For the Product : Water purifier

EMC D IRECTIVE 2014/30/EU V ERIFICATION C OMPLIANCE S TATEMENT For the Product : Water purifier

EMC D IRECTIVE 2014/30/EU V ERIFICATION C OMPLIANCE S TATEMENT For the Product : Water purifier Model : INFINITE-S Multiple Model : INFINITE-L, INFINITE-M, INFINITE-20 Applicant : WACO Corp. Standards : EN 55014-1, EN 55014-2, EN

747 views • 53 slides
Journ ee GDR Traitement dantenne : Signaux Non-Gaussiens, Non-Circulaires, Non-Stationnaires

Journ ee GDR Traitement dantenne : Signaux Non-Gaussiens, Non-Circulaires, Non-Stationnaires

Sch emas de D etection Adaptative Robuste en Environnement non Gaussien, h et erog` ene et en pr esence doutliers - Application au Traitement Radar Adaptatif Spatio-Temporel (STAP) Jean-Philippe Ovarlez 1 , 2 1 SONDRA,

900 views • 72 slides
Th eorie algorithmique des nombres et applications ` a la cryptanalyse de primitives

Th eorie algorithmique des nombres et applications ` a la cryptanalyse de primitives

Th eorie algorithmique des nombres et applications ` a la cryptanalyse de primitives cryptographiques Emmanuel Thom e 13 d ec. 2012 HDR E. Thom e 1/34 Algorithmic Number Theory and Applications to the Cryptanalysis of

620 views • 51 slides
Chapter 7: Systolic Architecture Design Keshab K. Parhi Syst olic ar chit ect ur es ar e

Chapter 7: Systolic Architecture Design Keshab K. Parhi Syst olic ar chit ect ur es ar e

Chapter 7: Systolic Architecture Design Keshab K. Parhi Syst olic ar chit ect ur es ar e designed by using linear mapping t echniques on r egular dependence gr aphs (DG). Regular Dependence Gr aph : The pr esence of an edge in a

626 views • 27 slides
MODEL DATA PREDICTION by VERIFICATION I NTRODUCTION B ACKGROUND S MOOTH MC R OBUST D ESIGN C

MODEL DATA PREDICTION by VERIFICATION I NTRODUCTION B ACKGROUND S MOOTH MC R OBUST D ESIGN C

M ACHINE L EARNING MEETS F ORMAL V ERIFICATION Luca Bortolussi 1 , 2 1 Dipartimento di Matematica e Geoscienze Universit degli studi di Trieste, Italy 2 Modelling and Simulation Group Saarland University, Saarbcken, Germany GANDALF,

973 views • 60 slides
Graphics Processing Units (GPUs): specialized electronic circuits rapidly manipulate and alter

Graphics Processing Units (GPUs): specialized electronic circuits rapidly manipulate and alter

UNIVERSITY OF TWENTE. Formal Methods & Tools. S PECIFICATION AND V ERIFICATION OF GPGPU P ROGRAMS USING P ERMISSION -B ASED S EPARATION L OGIC Marieke Huisman and Matej Mihel ci c March 23, 2013 Bytecode 2013. ... Introduction The

394 views • 28 slides
W HAT S SPECIAL ABOUT S YSTEM C ALLS ? From the point of view of a programmer, system calls

W HAT S SPECIAL ABOUT S YSTEM C ALLS ? From the point of view of a programmer, system calls

I NTRODUCTION S IMULATION AND R EASONING F RAMEWORK C ODE P ROOFS C ONCLUSION AND F UTURE W ORK S IMULATION AND F ORMAL V ERIFICATION OF X 86 M ACHINE -C ODE P ROGRAMS THAT MAKE S YSTEM C ALLS Shilpi Goel Warren A. Hunt, Jr. Matt Kaufmann

889 views • 54 slides
Everything you need to know about Lossy Counter Machines Ph. Schnoebelen

Everything you need to know about Lossy Counter Machines Ph. Schnoebelen

Everything you need to know about Lossy Counter Machines Ph. Schnoebelen http://www.lsv.ens-cachan.fr/ phs Lab. Sp ecification et V erification (LSV) CNRS & ENS de Cachan & INRIA-Saclay Journ ee DOTS / Mar. 18th, 2010

947 views • 68 slides
By Anton and Diana B IG P ICTURE How much does the semantics dictate in the verification

By Anton and Diana B IG P ICTURE How much does the semantics dictate in the verification

V ERIFICATION By Anton and Diana B IG P ICTURE How much does the semantics dictate in the verification process? Concerning the words Most and More than half, is there an innate feature of the word that forces an individual to

324 views • 28 slides

More recommend