verification of cryptographic protocols techniques tools
play

Verification of cryptographic protocols: techniques, tools and link - PowerPoint PPT Presentation

Feb 13, 2023 •134 likes •605 views

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of

  1. Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Véronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.1

  2. Context: cryptographic protocols • Widely used: web (SSH, SSL, ...), pay-per-view, electronic purse, mobile phone, ... • Should ensure: confidentiality authenticity integrity anonymity, ... French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.2

  3. Context: cryptographic protocols • Widely used: web (SSH, SSL, ...), pay-per-view, electronic purse, mobile phone, ... • Should ensure: confidentiality authenticity integrity anonymity, ... • Presence of an attacker − may read every message sent on the net, − may intercept and send new messages. French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.2

  4. Credit Card Payment Protocol • The waiter introduces the credit card. • The waiter enters the amount m of the transaction on the terminal. • The terminal authenticates the card. • The customer enters his secret code. If the amount m is greater than 100 euros (and in only 20% of the cases) − The terminal asks the bank for the authentication of the card. − The bank provides the authentication. French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.3

  5. More details 4 actors : the Bank, the Customer, the Card and Terminal. Bank owns • a signing key K − 1 B , secret, • a verification key K B , public, • a secret symmetric key for each credit card K CB , secret. Card owns • Data : last name, first name, card’s number, expiration date, • Signature’s Value V S = { hash ( Data ) } K − 1 B , • secret key K CB . Terminal owns the verification key K B for bank’s signatures. French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.4

  6. Credit card payment Protocol (in short) The terminal reads the card: 1 . → T : Data , { hash ( Data ) } K − 1 Ca B French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.5

  7. Credit card payment Protocol (in short) The terminal reads the card: 1 . → T : Data , { hash ( Data ) } K − 1 Ca B The terminal asks for the secret code: 2 . → Cu : secret code ? T 3 . → Ca : 1234 Cu 4 . → T : ok Ca French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.5

  8. Credit card payment Protocol (in short) The terminal reads the card: 1 . → T : Data , { hash ( Data ) } K − 1 Ca B The terminal asks for the secret code: 2 . → Cu : secret code ? T 3 . → Ca : 1234 Cu 4 . → T : ok Ca The terminal calls the bank: 5 . → B : auth ? T 6 . → T : N b B 7 . → Ca : N b T 8 . → T : { N b } K CB Ca 9 . → B : { N b } K CB T 10 . → T : ok B French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.5

  9. Some flaws The security was initially ensured by: • the cards were very difficult to reproduce, • the protocol and the keys were secret. But • cryptographic flaw: 320 bits keys can be broken (1988), • logical flaw: no link between the secret code and the authentication of the card, • fake cards can be build. French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.6

  10. Some flaws The security was initially ensured by: • the cards were very difficult to reproduce, • the protocol and the keys were secret. But • cryptographic flaw: 320 bits keys can be broken (1988), • logical flaw: no link between the secret code and the authentication of the card, • fake cards can be build. → “YesCard” build by Serge Humpich (1998). French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.6

  11. How does the “YesCard” work? Logical flaw 1 . → T : Data , { hash ( Data ) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . → Ca : 1234 Cu 4 . → T : ok Ca French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.7

  12. How does the “YesCard” work? Logical flaw 1 . → T : Data , { hash ( Data ) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . → Ca ′ : 2345 Cu 4 . Ca ′ → T : ok French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.7

  13. How does the “YesCard” work? Logical flaw 1 . → T : Data , { hash ( Data ) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . → Ca ′ : 2345 Cu 4 . Ca ′ → T : ok Remark: there is always somebody to debit. → creation of a fake card (Serge Humpich). French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.7

  14. How does the “YesCard” work? Logical flaw 1 . → T : Data , { hash ( Data ) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . → Ca ′ : 2345 Cu 4 . Ca ′ → T : ok Remark: there is always somebody to debit. → creation of a fake card (Serge Humpich). 1 . → T : XXX , { hash ( XXX ) } K − 1 Ca ′ B 2 . → Cu : secret code ? T 3 . → Ca ′ : 0000 Cu 4 . Ca ′ → T : ok French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.7

  15. Map 1. Formal approaches 2. Tools and case study 3. Link between formal approaches and cryptanalysis French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.8

  16. Formal approaches • Messages are abstracted using terms. These terms are build over a fixed signature. E.g., Σ = { < >, enc , dec , ... } . French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.9

  17. Formal approaches • Messages are abstracted using terms. These terms are build over a fixed signature. E.g., Σ = { < >, enc , dec , ... } . • The attacker can do symbolic manipulations on terms. S ⊢ � M 1 , M 2 � i = 1 , 2 S ⊢ k − 1 S ⊢ enc ( M, k ) S ⊢ M i S ⊢ M French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.9

  18. Formal approaches • Messages are abstracted using terms. These terms are build over a fixed signature. E.g., Σ = { < >, enc , dec , ... } . • The attacker can do symbolic manipulations on terms. S ⊢ � M 1 , M 2 � i = 1 , 2 S ⊢ k − 1 S ⊢ enc ( M, k ) S ⊢ M i S ⊢ M This approach allows to detect any logical attack that does not rely on weaknesses of the encryption algorithm. French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.9

  19. Protocol description Protocol: S ⊢ x → Ca : T N b S ⊢ { x } K CB → T : { N b } K CB Ca Secrecy properties: S ⊢ s ? French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.10

  20. Decidability and complexity results • In general, secrecy preservation is undecidable. • For a bounded number of sessions, secrecy is co-NP-complete [RusinowitchTuruani CSFW01] → constraint solving • For an unbounded number of sessions − for one-copy protocols, secrecy is DEXPTIME-complete [CortierComon RTA03] [SeildVerma LPAR04] → tree automata, resolution theorem proving − for message-length bounded protocols, secrecy is DEXPTIME-complete [Durgin et al FMSP99] [Chevalier et al CSL03] French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.11

  21. Adding algebraic operators Some cryptographic primitives have algebraic properties. x ⊕ ( y ⊕ z ) = ( x ⊕ y ) ⊕ z • XOR x ⊕ y = y ⊕ x x ⊕ x = 0 x ⊕ 0 = x French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.12

  22. Adding algebraic operators Some cryptographic primitives have algebraic properties. x ⊕ ( y ⊕ z ) = ( x ⊕ y ) ⊕ z • XOR x ⊕ y = y ⊕ x x ⊕ x = 0 x ⊕ 0 = x • Modular exponentiation exp ( exp ( g, x ) , y ) = exp ( g, x · y ) exp ( g, x · y ) = exp ( g, y · x ) French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.12

  23. Adding algebraic operators Some cryptographic primitives have algebraic properties. x ⊕ ( y ⊕ z ) = ( x ⊕ y ) ⊕ z • XOR x ⊕ y = y ⊕ x x ⊕ x = 0 x ⊕ 0 = x • Modular exponentiation exp ( exp ( g, x ) , y ) = exp ( g, x · y ) exp ( g, x · y ) = exp ( g, y · x ) • Homomorphism h ( x · y ) = h ( x ) · h ( y ) French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.12

  24. Adding algebraic operators Some cryptographic primitives have algebraic properties. x ⊕ ( y ⊕ z ) = ( x ⊕ y ) ⊕ z • XOR x ⊕ y = y ⊕ x x ⊕ x = 0 x ⊕ 0 = x • Modular exponentiation exp ( exp ( g, x ) , y ) = exp ( g, x · y ) exp ( g, x · y ) = exp ( g, y · x ) • Homomorphism h ( x · y ) = h ( x ) · h ( y ) → These properties are modeled using equational theories or by extending the intruder power. French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of cryptographic protocols – p.12

Recommend

Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS

Introduction Formal models Adding equational theories Towards more guarantees Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/45 V eronique

785 views • 76 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

947 views • 69 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018

1.23k views • 78 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

452 views • 14 slides
Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Organization of the course Two

774 views • 74 slides
Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why it was created? Cryptographic protocol Paper in 2004 by Ian Goldberg , Nikita Borisov and Eric Brewer Conversations in the

299 views • 18 slides
CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools

CS 356 Lecture 2 Cryptographic Tools Spring 2013 Chapter 2 Cryptographic Tools Cryptographic Tools Cryptographic algorithms important element in security services Review various types of elements symmetric encryption secure

1.27k views • 23 slides
Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE

Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE

Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE , Vanessa Terrade &amp; Sylvain Vigier Universit e Joseph

1.01k views • 49 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, July 12th, 2018 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure

849 views • 80 slides
Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday, June 29th, 2020 1/23 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure communication ( e.g.

900 views • 58 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

1.92k views • 139 slides
Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu,

Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu,

Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu, Institute of Computer Science Agenda Introduction Probabilistic-spi calculus Security protocol verification Conclusion Q&amp;A

633 views • 19 slides
First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols Peeter Laud peeter l@ut.ee Tartu Ulikool Cybernetica AS Teooriap aevad Arulas, 3.-5.02.2003 p.1/27 Overview Cryptographic protocols.

570 views • 27 slides
Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS blanchet@di.ens.fr September 2011 Bruno Blanchet (INRIA) ProVerif September 2011

1.55k views • 143 slides
Programming Language Techniques for Cryptographic Proofs Gilles Barthe 1 egoire 2 eguelin 1

Programming Language Techniques for Cryptographic Proofs Gilles Barthe 1 egoire 2 eguelin 1

Programming Language Techniques for Cryptographic Proofs Gilles Barthe 1 egoire 2 eguelin 1 Benjamin Gr Santiago Zanella-B 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - M editerran ee, France ITP 2010 Formal verification

521 views • 31 slides
Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to

Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to

Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to Computer Security Announcements intermission Day 17: Crypto protocols and S protocols SSH Stephen McCamant University of Minnesota, Computer

338 views • 7 slides
Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier

Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier

Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier ProVerif Bruno Blanchet INRIA Paris-Rocquencourt Bruno.Blanchet@inria.fr September 2013 Bruno Blanchet (INRIA) ProVerif September 2013 1 / 114

1.56k views • 132 slides
Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 1. Interactive Proofs and Zero-Knowledge Protocols 2. Secure Multi-Party Computation Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine Agreement Secure Multi-Party

170 views • 3 slides
The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS09, Shanghai, China October 13, 2009 Background Formal verification of security protocols from

312 views • 28 slides

More recommend