verification of indistinguishability properties
play

Verification of Indistinguishability Properties Stphanie Delaune - PowerPoint PPT Presentation

Jun 05, 2023 •43 likes •673 views

Verification of Indistinguishability Properties Stphanie Delaune LSV, CNRS & ENS Cachan & INRIA Saclay le-de-France, France Thursday, October 11th, 2012 S. Delaune (LSV) VIP project 11th October 2012 1 / 30 VIP in a nutshell

  1. Verification of Indistinguishability Properties Stéphanie Delaune LSV, CNRS & ENS Cachan & INRIA Saclay Île-de-France, France Thursday, October 11th, 2012 S. Delaune (LSV) VIP project 11th October 2012 1 / 30

  2. VIP in a nutshell − → ANR project - programme JCJC (Jan. 2012 - Dec. 2015) http://www.lsv.ens-cachan.fr/Projects/anr-vip/ Ressources Travel + Equipment: 53,5 kE Pôle Systematic: 10 kE ?? 1 PhD student (Rémy Chrétien )+ 1 post-doc Permanent members: Stephanie Delaune (80%) Steve Kremer (35%) Graham Steel (35%) S. Delaune (LSV) VIP project 11th October 2012 2 / 30

  3. VIP in a nutshell − → ANR project - programme JCJC (Jan. 2012 - Dec. 2015) http://www.lsv.ens-cachan.fr/Projects/anr-vip/ Ressources Travel + Equipment: 53,5 kE Pôle Systematic: 10 kE ?? 1 PhD student (Rémy Chrétien )+ 1 post-doc Permanent members: Stephanie Delaune (80%) Steve Kremer (35%) − → Cassis team in Nancy since Sept. 2011 Graham Steel (35%) − → ProSecco team in Paris since Sept. 2012 S. Delaune (LSV) VIP project 11th October 2012 2 / 30

  4. Context: cryptographic protocols Cryptographic protocols small programs designed to secure communication ( e.g. confidentiality, authentication, . . . ) use cryptographic primitives ( e.g. encryption, signature, . . . . . . ) The network is unsecure! Communications take place over a public network like the Internet. S. Delaune (LSV) VIP project 11th October 2012 3 / 30

  5. Context: cryptographic protocols Cryptographic protocols small programs designed to secure communication ( e.g. confidentiality, authentication, . . . ) use cryptographic primitives ( e.g. encryption, signature, . . . . . . ) S. Delaune (LSV) VIP project 11th October 2012 3 / 30

  6. Context: cryptographic protocols Cryptographic protocols small programs designed to secure communication ( e.g. confidentiality, authentication, . . . ) use cryptographic primitives ( e.g. encryption, signature, . . . . . . ) It becomes more and more important to protect our privacy. S. Delaune (LSV) VIP project 11th October 2012 3 / 30

  7. Example: electronic passport − → studied in [Arapinis et al. , 10] An electronic passport is a passport with an RFID tag embedded in it. The RFID tag stores: the information printed on your passport, a JPEG copy of your picture. S. Delaune (LSV) VIP project 11th October 2012 4 / 30

  8. Example: electronic passport − → studied in [Arapinis et al. , 10] An electronic passport is a passport with an RFID tag embedded in it. The RFID tag stores: the information printed on your passport, a JPEG copy of your picture. The Basic Access Control (BAC) protocol is a key establishment protocol that has been designed to also ensure unlinkability. ISO/IEC standard 15408 Unlinkability aims to ensure that a user may make multiple uses of a service or resource without others being able to link these uses together . S. Delaune (LSV) VIP project 11th October 2012 4 / 30

  9. The electronic passport protocol Passport Reader ( K E , K M ) ( K E , K M ) S. Delaune (LSV) VIP project 11th October 2012 5 / 30

  10. The electronic passport protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge S. Delaune (LSV) VIP project 11th October 2012 5 / 30

  11. The electronic passport protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P S. Delaune (LSV) VIP project 11th October 2012 5 / 30

  12. The electronic passport protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R MAC KM ( { N R , N P , K R } KE ) { N R , N P , K R } KE , S. Delaune (LSV) VIP project 11th October 2012 5 / 30

  13. The electronic passport protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R MAC KM ( { N R , N P , K R } KE ) { N R , N P , K R } KE , { N P , N R , K P } KE , MAC KM ( { N P , N R , K P } KE ) S. Delaune (LSV) VIP project 11th October 2012 5 / 30

  14. The electronic passport protocol Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R MAC KM ( { N R , N P , K R } KE ) { N R , N P , K R } KE , { N P , N R , K P } KE , MAC KM ( { N P , N R , K P } KE ) K seed = K P ⊕ K R K seed = K P ⊕ K R S. Delaune (LSV) VIP project 11th October 2012 5 / 30

  15. How cryptographic protocols can be attacked? S. Delaune (LSV) VIP project 11th October 2012 6 / 30

  16. Some famous examples The Serge Humpich case (1997) He factorizes the number (320 bits) used to protect credit cards and he builds a false credit card. (the « YesCard »). → this makes it possible to withdraw a bank account that does not exist! − S. Delaune (LSV) VIP project 11th October 2012 7 / 30

  17. Some famous examples The Serge Humpich case (1997) He factorizes the number (320 bits) used to protect credit cards and he builds a false credit card. (the « YesCard »). → this makes it possible to withdraw a bank account that does not exist! − Attack on the Belgian e-passport (2006) − → this makes it possible to obtain the personnal data of the user ( e.g. the signature) S. Delaune (LSV) VIP project 11th October 2012 7 / 30

  18. How cryptographic protocols can be attacked? S. Delaune (LSV) VIP project 11th October 2012 8 / 30

  19. How cryptographic protocols can be attacked? Logical attacks can be mounted even assuming perfect cryptography, → replay attack, man-in-the middle attack, . . . ֒ are numerous, → a flaw discovered in 2008 in Single Sign On Protocols used in ֒ Google App (Avantssar european project) subtle and hard to detect by “eyeballing” the protocol S. Delaune (LSV) VIP project 11th October 2012 8 / 30

  20. French electronic passport → the passport must reply to all received messages. − Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) S. Delaune (LSV) VIP project 11th October 2012 9 / 30

  21. French electronic passport → the passport must reply to all received messages. − Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) If MAC check fails mac_error S. Delaune (LSV) VIP project 11th October 2012 9 / 30

  22. French electronic passport → the passport must reply to all received messages. − Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) If MAC check succeeds If nonce check fails nonce_error S. Delaune (LSV) VIP project 11th October 2012 9 / 30

  23. An attack on the French passport [Chothia & Smirnov, 10] Attack against unlinkability An attacker can track a French passport, provided he has once witnessed a successful authentication. S. Delaune (LSV) VIP project 11th October 2012 10 / 30

  24. An attack on the French passport [Chothia & Smirnov, 10] Attack against unlinkability An attacker can track a French passport, provided he has once witnessed a successful authentication. Part 1 of the attack. The attacker eavesdropes on Alice using her passport and records message M . Alice’s Passport Reader ( K E , K M ) ( K E , K M ) get_challenge N P , K P N P N R , K R M = { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) S. Delaune (LSV) VIP project 11th October 2012 10 / 30

  25. An attack on the French passport [Chothia & Smirnov, 10] Part 2 of the attack. The attacker replays the message M and checks the error code he receives. ???? ’s Passport Attacker ( K ′ E , K ′ M ) get_challenge N ′ P , K ′ P N ′ P M = { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) S. Delaune (LSV) VIP project 11th October 2012 10 / 30

  26. An attack on the French passport [Chothia & Smirnov, 10] Part 2 of the attack. The attacker replays the message M and checks the error code he receives. ???? ’s Passport Attacker ( K ′ E , K ′ M ) get_challenge N ′ P , K ′ P N ′ P M = { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) mac_error = ⇒ MAC check failed = ⇒ K ′ M � = K M = ⇒ ???? is not Alice S. Delaune (LSV) VIP project 11th October 2012 10 / 30

  27. An attack on the French passport [Chothia & Smirnov, 10] Part 2 of the attack. The attacker replays the message M and checks the error code he receives. ???? ’s Passport Attacker ( K ′ E , K ′ M ) get_challenge N ′ P , K ′ P N ′ P M = { N R , N P , K R } KE , MAC KM ( { N R , N P , K R } KE ) nonce_error = ⇒ MAC check succeeded = ⇒ K ′ M = K M = ⇒ ???? is Alice S. Delaune (LSV) VIP project 11th October 2012 10 / 30

  28. Objectives of the project Automatic verification of privacy-type security properties (in the symbolic model) Target applications: electronic voting protocols, RFID protocols, routing protocols, vehicular ad hoc networks, electronic auction protocols, . . . S. Delaune (LSV) VIP project 11th October 2012 11 / 30

  29. Objectives of the project Automatic verification of privacy-type security properties (in the symbolic model) Target applications: electronic voting protocols, RFID protocols, routing protocols, vehicular ad hoc networks, electronic auction protocols, . . . Main tasks of the project: Task 2. A taxonomy for privacy-type properties Task 3. Algorithmic and decidability issues Task 4. Modularity issues − → Tool development ( Task 5 ) + Case studies ( Task 6 ) S. Delaune (LSV) VIP project 11th October 2012 11 / 30

Recommend

Verification of Indistinguishability Properties Stphanie Delaune quipe EMSEC (IRISA), CNRS,

Verification of Indistinguishability Properties Stphanie Delaune quipe EMSEC (IRISA), CNRS,

Verification of Indistinguishability Properties Stphanie Delaune quipe EMSEC (IRISA), CNRS, France November 16th, 2016 VIP in a nutshell V erifiation of I ndistinguishability P roperties Projet JCJC Jeunes Chercheuses Jeunes Chercheurs

488 views • 31 slides
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar

Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar Pandey Indian Statistical Institute Kolkata January 14, 2012 Sumit Kumar Pandey Relaxing IND-CCA: Indistinguishability Against Chosen Outline 1

624 views • 37 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018

1.23k views • 78 slides
Outline Introduction Modeling Specifying properties and Verification An example

Outline Introduction Modeling Specifying properties and Verification An example

Outline Introduction Modeling Specifying properties and Verification An example Project assignment References, links Shangzhu Weng Labeled Transition System Analyzer (LTSA) Animate and check the behavior of the overall

928 views • 51 slides
Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation

Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation

Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation Dan Boneh Mark Zhandry Stanford University {dabo, zhandry}@cs.stanford.edu Abstract In this work, we show how to use indistinguishability

780 views • 49 slides
Understanding the Security Properties of Ballot-Based Verification Techniques Eric Rescorla

Understanding the Security Properties of Ballot-Based Verification Techniques Eric Rescorla

Understanding the Security Properties of Ballot-Based Verification Techniques Eric Rescorla ekr@rtfm.com EVT/WOTE 2009 Understanding the Security Properties of Ballot-Based Verification 1 WARNING This talk contains no research content.

284 views • 15 slides
Parameterised Verification of Strategic Properties in Probabilistic Multi-Agent Systems Alessio

Parameterised Verification of Strategic Properties in Probabilistic Multi-Agent Systems Alessio

Parameterised Verification of Strategic Properties in Probabilistic Multi-Agent Systems Alessio Lomuscio and Edoardo Pirovano Verification of Autonomous Systems Group Imperial College London, UK https://vas.doc.ic.ac.uk/ AAMAS 2020

289 views • 17 slides
Streaming Verification of Graph Properties Amirali Abdullah 1 Samira Daruki 2 Chitradeep Dutta Roy

Streaming Verification of Graph Properties Amirali Abdullah 1 Samira Daruki 2 Chitradeep Dutta Roy

Streaming Verification of Graph Properties Amirali Abdullah 1 Samira Daruki 2 Chitradeep Dutta Roy 2 Suresh Venkatasubramanian 2 December 11, 2016 1 Qualtrics 2 University of Utah 1 Streaming Verification of Graph Properties Amirali Abdullah 1

983 views • 72 slides
Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE

Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE

Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE , Vanessa Terrade & Sylvain Vigier Universit e Joseph

1.01k views • 49 slides
Verification and Synthesis of Symmetric Uni-Rings for Leads-To Properties Ali Ebnenasir

Verification and Synthesis of Symmetric Uni-Rings for Leads-To Properties Ali Ebnenasir

Verification and Synthesis of Symmetric Uni-Rings for Leads-To Properties Ali Ebnenasir aebnenas@mtu.edu Department of Computer Science College of Computing Michigan Technological University Houghton MI 49931 http://asd.cs.mtu.edu/

584 views • 56 slides
Decidability of a Sound Set of Inference Rules for Computational Indistinguishability Adrien

Decidability of a Sound Set of Inference Rules for Computational Indistinguishability Adrien

Decidability of a Sound Set of Inference Rules for Computational Indistinguishability Adrien Koutsos LSV, CNRS, ENS Paris-Saclay June 29, 2019 Adrien Koutsos (LSV, ENS PS) Indistinguishability June 29, 2019 1 / 34 Introduction Motivation

1.06k views • 76 slides
Boosting Verification Scalability via Structural Grouping and Semantic Partitioning of Properties

Boosting Verification Scalability via Structural Grouping and Semantic Partitioning of Properties

Boosting Verification Scalability via Structural Grouping and Semantic Partitioning of Properties Rohit Dureja * , Jason Baumgartner , Alexander Ivrii , Robert Kanzelman , Kristin Y. Rozier * * Iowa State University IBM Corporation

577 views • 46 slides
Can Charlie distinguish Alice and Bob? Automated verification of equivalence properties Steve

Can Charlie distinguish Alice and Bob? Automated verification of equivalence properties Steve

Can Charlie distinguish Alice and Bob? Automated verification of equivalence properties Steve Kremer joint work with: Myrto Arapinis, David Baelde, Rohit Chadha, Vincent Cheval, S tefan Ciob ac a, V eronique Cortier, St ephanie

1.09k views • 87 slides
Limits on the Power of Indistinguishability Obfuscation Gilad Asharov Gil Segev Limits on the

Limits on the Power of Indistinguishability Obfuscation Gilad Asharov Gil Segev Limits on the

Limits on the Power of Indistinguishability Obfuscation Gilad Asharov Gil Segev Limits on the Power of iO Limits on the Power of Indistinguishability Obfuscation (and Functional Encryption) FOCS 2015 On Constructing One-Way

841 views • 47 slides
An Automata Based Approach for Verification of Information Flow Properties Deepak DSouza,

An Automata Based Approach for Verification of Information Flow Properties Deepak DSouza,

An Automata Based Approach for Verification of Information Flow Properties Deepak DSouza, Raghavendra K.R., Barbara Sprick Indian Institute of Science, Bangalore, India An Automata Based Approach for Verification of Information Flow

696 views • 58 slides
Structured graphs and the verification of their monadic second-order properties by means of

Structured graphs and the verification of their monadic second-order properties by means of

Structured graphs and the verification of their monadic second-order properties by means of automata Bruno Courcelle and Irne Durand Bordeaux University, LaBRI (CNRS laboratory) Demonstration of the software TRAG Written by Irne Durand and

754 views • 52 slides
Compositional Verification of Security Properties for Embedded Execution Platforms Christoph

Compositional Verification of Security Properties for Embedded Execution Platforms Christoph

Compositional Verification of Security Properties for Embedded Execution Platforms Christoph Baumann , Oliver Schwarz , Mads Dam KTH Royal Institute of Technology, Stockholm, Sweden RISE.SICS, Kista, Sweden cbaumann@kth.se

903 views • 65 slides
PART FIVE: SOME VERIFICATION CHALLENGES a DFC case study with several verification problems,

PART FIVE: SOME VERIFICATION CHALLENGES a DFC case study with several verification problems,

PART FIVE: SOME VERIFICATION CHALLENGES a DFC case study with several verification problems, all concerning signaling properties and event-based feature interactions SIGNALING INTERACTIONS transparency: a box behaves transparently autonomy:

321 views • 12 slides
Scalable Software Testing and Verification of Non-Functional Properties through Heuristic Search

Scalable Software Testing and Verification of Non-Functional Properties through Heuristic Search

Scalable Software Testing and Verification of Non-Functional Properties through Heuristic Search and Optimization Lionel Briand Interdisciplinary Centre for ICT Security, Reliability, and Trust (SnT) University of Luxembourg, Luxembourg ITEQS,

1.41k views • 113 slides
based Hardware Verification Makai Mann, Clark Barrett Hardware Verification SAT is king

based Hardware Verification Makai Mann, Clark Barrett Hardware Verification SAT is king

Finding Critical Clauses in SMT- based Hardware Verification Makai Mann, Clark Barrett Hardware Verification SAT is king Still faces scaling issues, particularly for data-path properties Satisfiability Modulo Theories (SMT) can

605 views • 5 slides
Automated Verification for Functional and Relational Properties of Voting Rules Bernhard Beckert,

Automated Verification for Functional and Relational Properties of Voting Rules Bernhard Beckert,

Automated Verification for Functional and Relational Properties of Voting Rules Bernhard Beckert, Thorsten Bormer, Michael Kirsten, Till Neuber, Mattias Ulbrich | July 26, 2016 KARLSRUHE INSTITUTE OF TECHNOLOGY INSTITUTE OF THEORETICAL

920 views • 75 slides
Model Checking Lots of Systems Efficient Verification of Temporal Properties in Software Product

Model Checking Lots of Systems Efficient Verification of Temporal Properties in Software Product

Model Checking Lots of Systems Efficient Verification of Temporal Properties in Software Product Lines Andreas Classen, Patrick Heymans, Pierre-Yves Schobbens, Axel Legay, Jean-Franois Raskin (2010) Presented by Laura Walsh 1 Overview 1.

401 views • 28 slides
Symbolic Verification of Epistemic Properties in Programs Ioana Boureanu (Univ. of Surrey, SCCS)

Symbolic Verification of Epistemic Properties in Programs Ioana Boureanu (Univ. of Surrey, SCCS)

Symbolic Verification of Epistemic Properties in Programs Ioana Boureanu (Univ. of Surrey, SCCS) joint work @ IJCAI 2017, with N. Gorogiannis (Middlesex, Facebook) and F . Raimondi (Middelsex, Amazon) Asking you... Motivation & Aim

429 views • 38 slides
Simplifying Game-Based Definitions Indistinguishability up to correctness and its application to

Simplifying Game-Based Definitions Indistinguishability up to correctness and its application to

Simplifying Game-Based Definitions Indistinguishability up to correctness and its application to stateful AE Phillip Rogaway Yusi (James) Zhang University of California, Davis, USA C RYPTO 2018 1. Introduction 2. IND|C 3. Examples 1

523 views • 20 slides

More recommend