verification techniques for cryptographic protocols
play

Verification techniques for cryptographic protocols eronique Cortier - PowerPoint PPT Presentation

Nov 26, 2022 •25 likes •785 views

Introduction Formal models Adding equational theories Towards more guarantees Verification techniques for cryptographic protocols eronique Cortier 1 V RTA08 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/45 V eronique

  1. Introduction Formal models Adding equational theories Towards more guarantees Verification techniques for cryptographic protocols eronique Cortier 1 V´ RTA’08 1 LORIA, CNRS - INRIA Cassis project, Nancy Universities 1/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  2. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Context : cryptographic protocols Widely used : web (SSH, SSL, ...), pay-per-view, electronic purse, mobile phone, ... Should ensure : confidentiality, authenticity, integrity, anonymity, ... 2/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  3. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Context : cryptographic protocols Widely used : web (SSH, SSL, ...), pay-per-view, electronic purse, mobile phone, ... Should ensure : confidentiality, authenticity, integrity, anonymity, ... Presence of an attacker may read every message sent on the net, may intercept and send new messages. 2/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  4. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Example : Credit Card Payment Protocol The waiter introduces the credit card. The waiter enters the amount m of the transaction on the terminal. The terminal authenticates the card. The customer enters his secret code. If the amount m is greater than 100 euros (and in only 20% of the cases) The terminal asks the bank for authentication of the card. The bank provides authentication. 3/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  5. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees More details 4 actors : Bank, Customer, Card and Terminal. Bank owns a signing key K − 1 B , secret, a verification key K B , public, a secret symmetric key for each credit card K CB , secret. Card owns Data : last name, first name, card’s number, expiration date, Signature’s Value VS = { hash (Data) } K − 1 B , secret key K CB . Terminal owns the verification key K B for bank’s signatures. 4/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  6. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Credit card payment Protocol (in short) The terminal reads the card : 1 . → T : Data , { hash (Data) } K − 1 Ca B 5/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  7. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Credit card payment Protocol (in short) The terminal reads the card : 1 . → T : Data , { hash (Data) } K − 1 Ca B The terminal asks for the secret code : 2 . → Cu : secret code ? T 3 . Cu → Ca : 1234 4 . → T : ok Ca 5/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  8. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Credit card payment Protocol (in short) The terminal reads the card : 1 . → T : Data , { hash (Data) } K − 1 Ca B The terminal asks for the secret code : 2 . → Cu : secret code ? T 3 . Cu → Ca : 1234 4 . → T : ok Ca The terminal calls the bank : 5 . T → B : auth ? 6 . → T : N b B 7 . T → Ca : N b 8 . → T : { N b } K CB Ca 9 . T → B : { N b } K CB → 10 . B T : ok 5/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  9. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Some flaws The security was initially ensured by : the cards were very difficult to reproduce, the protocol and the keys were secret. But cryptographic flaw : 320 bits keys can be broken (1988), logical flaw : no link between the secret code and the authentication of the card, fake cards can be build. 6/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  10. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Some flaws The security was initially ensured by : the cards were very difficult to reproduce, the protocol and the keys were secret. But cryptographic flaw : 320 bits keys can be broken (1988), logical flaw : no link between the secret code and the authentication of the card, fake cards can be build. → “YesCard” build by Serge Humpich (1998). 6/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  11. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees How does the “YesCard” work ? Logical flaw 1 . → T : Data , { hash (Data) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . Cu → Ca : 1234 4 . → T : ok Ca 7/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  12. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees How does the “YesCard” work ? Logical flaw 1 . → T : Data , { hash (Data) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . Cu → Ca ′ : 2345 4 . Ca ′ → T : ok 7/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  13. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees How does the “YesCard” work ? Logical flaw 1 . → T : Data , { hash (Data) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . Cu → Ca ′ : 2345 4 . Ca ′ → T : ok Remark : there is always somebody to debit. → creation of a fake card (Serge Humpich). 7/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  14. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees How does the “YesCard” work ? Logical flaw 1 . → T : Data , { hash (Data) } K − 1 Ca B 2 . → Ca : secret code ? T 3 . Cu → Ca ′ : 2345 4 . Ca ′ → T : ok Remark : there is always somebody to debit. → creation of a fake card (Serge Humpich). Ca ′ → T : XXX , { hash (XXX) } K − 1 1 . B → Cu 2 . T : secret code ? 3 . → Ca ′ : 0000 Cu Ca ′ → T 4 . : ok 7/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  15. Introduction Formal models Context Adding equational theories A famous attack Towards more guarantees Outline of the talk 1 Introduction Context A famous attack 2 Formal models Intruder Protocol Solving constraint systems A survey of results 3 Adding equational theories Motivation Intruder problem Some results 4 Towards more guarantees Cryptographic models Linking Formal and cryptographic models Conclusion 8/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  16. Introduction Intruder Formal models Protocol Adding equational theories Solving constraint systems Towards more guarantees A survey of results Motivation : Cryptography does not suffice to ensure security ! Example : Commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − → 9/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  17. Introduction Intruder Formal models Protocol Adding equational theories Solving constraint systems Towards more guarantees A survey of results Motivation : Cryptography does not suffice to ensure security ! Example : Commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − 9/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  18. Introduction Intruder Formal models Protocol Adding equational theories Solving constraint systems Towards more guarantees A survey of results Motivation : Cryptography does not suffice to ensure security ! Example : Commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − { pin : 3443 } k bob − − − − − − − − − − − → � � � � { pin : 3443 } k alice { pin : 3443 } k bob Since = k bob k alice 9/45 V´ eronique Cortier Verification techniques for cryptographic protocols

  19. Introduction Intruder Formal models Protocol Adding equational theories Solving constraint systems Towards more guarantees A survey of results Motivation : Cryptography does not suffice to ensure security ! Example : Commutative encryption (RSA) { pin : 3443 } k alice − − − − − − − − − − − →  ff { pin : 3443 } k alice k bob ← − − − − − − − − − − − − − − − { pin : 3443 } k bob − − − − − − − − − − − → → It does not work ! (Authentication problem) 9/45 V´ eronique Cortier Verification techniques for cryptographic protocols

Recommend

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique

Verification of cryptographic protocols: techniques, tools and link to cryptanalysis Vronique Cortier INRIA project Cassis, Loria CNRS, Nancy, France French/Japanese Symposium on Computer Security - Sept. 6th, 2005 Verification of

605 views • 46 slides
Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017

Complexity of automatic verification of cryptographic protocols Clermont Ferrand 02/02/2017 Vincent Cheval Equipe Pesto, INRIA, Nancy 1 Cryptographic protocols Communication on public network Cryptographic protocols: Concurrent programs

946 views • 69 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018

1.23k views • 78 slides
Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction

Cryptographic protocols Cryptographic protocols small programs designed to secure Introduction to cryptographic protocols communication (various security goals) Bruno Blanchet use cryptographic primitives (e.g. encryption, hash function,

451 views • 14 slides
Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin

Symbolic verification of cryptographic protocols using Tamarin Part 1 : Introduction David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018 Organization of the course Two

774 views • 74 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS,

Symbolic verification of distance bounding protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France joint work with Alexandre Debant and Cyrille Wiedling 1/29 Security protocols everywhere ! Cryptographic protocols small

1.04k views • 56 slides
Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in

Secure Cryptographic Protocol Execution based on Runtime Verification Secure Communication in the Quantum Era (SPS G5448) February 5th, 2020 Christian Colombo Mark Vella Cryptographic Protocols Design Proofs to validate design against

467 views • 20 slides
Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, July 12th, 2018 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure

849 views • 80 slides
Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday,

Rewriting in Protocol Verification Stphanie Delaune Univ Rennes, CNRS, IRISA, France Monday, June 29th, 2020 1/23 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure communication ( e.g.

900 views • 58 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1

Formal methods for protocols Cryptographic models Passive case Active case Verification of Security Protocols Part II eronique Cortier 1 V September, 2010 Fosad 2010 1 LORIA, CNRS 1/76 V eronique Cortier Verification of Security

1.92k views • 139 slides
Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu,

Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu,

Formal Analysis of Imperfect Cryptographic Protocols Long Nguyen Hoang University of Tartu, Institute of Computer Science Agenda Introduction Probabilistic-spi calculus Security protocol verification Conclusion Q&A

633 views • 19 slides
First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols

First steps towards cryptographically sound confidentiality analysis of cryptographic protocols Peeter Laud peeter l@ut.ee Tartu Ulikool Cybernetica AS Teooriap aevad Arulas, 3.-5.02.2003 p.1/27 Overview Cryptographic protocols.

570 views • 27 slides
Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif

Automatic Verification of Cryptographic Protocols in the Formal Model Automatic Verifier ProVerif Bruno Blanchet INRIA, Ecole Normale Sup erieure, CNRS blanchet@di.ens.fr September 2011 Bruno Blanchet (INRIA) ProVerif September 2011

1.55k views • 143 slides
Programming Language Techniques for Cryptographic Proofs Gilles Barthe 1 egoire 2 eguelin 1

Programming Language Techniques for Cryptographic Proofs Gilles Barthe 1 egoire 2 eguelin 1

Programming Language Techniques for Cryptographic Proofs Gilles Barthe 1 egoire 2 eguelin 1 Benjamin Gr Santiago Zanella-B 1 IMDEA Software, Madrid, Spain 2 INRIA Sophia Antipolis - M editerran ee, France ITP 2010 Formal verification

521 views • 31 slides
Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to

Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to

Outline Cryptographic protocols, pt. 1 Key distribution and PKI CSci 5271 Introduction to Computer Security Announcements intermission Day 17: Crypto protocols and S protocols SSH Stephen McCamant University of Minnesota, Computer

338 views • 7 slides
Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier

Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier

Automatic Verification of Cryptographic Protocols in the Symbolic Model Automatic Verifier ProVerif Bruno Blanchet INRIA Paris-Rocquencourt Bruno.Blanchet@inria.fr September 2013 Bruno Blanchet (INRIA) ProVerif September 2013 1 / 114

1.56k views • 132 slides
Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why

Clang tools for implementing cryptographic protocols like OTRv4 Sofa Celi What is OTR and why it was created? Cryptographic protocol Paper in 2004 by Ian Goldberg , Nikita Borisov and Eric Brewer Conversations in the

299 views • 18 slides
Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine

Cryptographic Protocols 1. Interactive Proofs and Zero-Knowledge Protocols 2. Secure Multi-Party Computation Cryptographic Protocols 3. Broadcast 4. Blockchain Spring 2020 Part 1 Broadcast / Byzantine Agreement Secure Multi-Party

170 views • 3 slides
The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of

The Computational SLR: A Calculus for Verifying Cryptographic Proofs Yu Zhang Institute of Software Chinese Academy of Sciences BASICS09, Shanghai, China October 13, 2009 Background Formal verification of security protocols from

312 views • 28 slides
Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic

Cryptographic Logical Relations What is the contextual equivalence for cryptographic protocols and how to prove it? Yu ZHANG Including joint work with J. Goubault-Larrecq, D. Nowak and S. Lasota EVEREST, INRIA Sophia-Antipolis February

487 views • 37 slides
Outline Cryptographic protocols, contd More causes of crypto failure CSci 5271 Key

Outline Cryptographic protocols, contd More causes of crypto failure CSci 5271 Key

Outline Cryptographic protocols, contd More causes of crypto failure CSci 5271 Key distribution and PKI Introduction to Computer Security HW1 debrief Day 17: PKI and S protocols Stephen McCamant SSH University of Minnesota,

460 views • 11 slides

More recommend