verifying the set protocol overview
play

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer - PowerPoint PPT Presentation

Apr 29, 2023 •327 likes •570 views

Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of Cambridge (Joint with Giampaolo Bella and Fabio Massacci) Plan of Talk The SET Protocol Defining the Formal Models Verifying the

  1. Verifying the SET Protocol: Overview Lawrence C Paulson, Computer Laboratory, University of Cambridge (Joint with Giampaolo Bella and Fabio Massacci)

  2. Plan of Talk • The SET Protocol • Defining the Formal Models • Verifying the Registration Phase • Verifying the Purchase Phase 2 Lawrence C Paulson

  3. Internet Shopping with SSL Credit card details SSL merchant cardholder “Curses! Can’t get that number!” 3 Lawrence C Paulson

  4. Why Trust the Merchant? Credit card details?? “Now I can buy that software!” SSL cardholder 4 Lawrence C Paulson

  5. Why Trust the Customer? Fake card details “Send MS Office, charge to my merchant SSL card…” 5 Lawrence C Paulson

  6. Basic Ideas of SET • Cardholders and Merchants must register • They receive electronic credentials – Proof of identity – Evidence of trustworthiness • Payment goes via the parties’ banks – Merchants don’t need card details – Bank does not see what you buy 6 Lawrence C Paulson

  7. Plan of Talk • The SET Protocol • Defining the Formal Models • Verifying the Registration Phase • Verifying the Purchase Phase 7 Lawrence C Paulson

  8. Inductive Protocol Verification • Define system’s operational semantics • Include honest parties and an attacker • Model each protocol step in an inductive definition • Prove security properties by induction • Mechanize using Isabelle/HOL 8 Lawrence C Paulson

  9. An Overview of Isabelle • Generic: higher-order logic, set theory, … • Good user interface (Proof General) • Automatic document generation • Powerful simplifier and classical prover • Strong support for inductive definitions 9 Lawrence C Paulson

  10. The SET Documentation • Business Description – General overview – 72 pages • Programmer’s Guide – Message formats & English description of actions – 619 pages • Formal Protocol Definition – Message formats & the equivalent ASN.1 definitions – 254 pages 10 Lawrence C Paulson

  11. SET Digital Envelopes • Consisting of two parts: – Symmetric key K, encrypted with a public key – Main ciphertext, encrypted with K • Hashing to link the two parts • Minimal use of public-key encryption • Great complications for formal reasoning – Numerous session keys in use – Dependency chains: keys encrypt keys 11 Lawrence C Paulson

  12. Obstacles to Formalization • Huge size of documentation & protocol • Lack of explicit objectives • “Out of band” steps • Many types of participants: – Cardholders – Merchants – Certificate Authorities – Payment Gateways (to pay merchants) 12 Lawrence C Paulson

  13. Plan of Talk • The SET Protocol • Defining the Formal Models • Verifying the Registration Phase • Verifying the Purchase Phase 13 Lawrence C Paulson

  14. Cardholder Registration • Cardholder C and certificate authority CA • C delivers credit card number • C completes registration form – Inserts security details – Discloses his public signature key • Outcomes : – C’s bank can vet the registration – CA associates C’s signing key with card details 14 Lawrence C Paulson

  15. Cardholder Registration * * Let’s look at this message 15 Lawrence C Paulson

  16. Message 5 in Isabelle 16 Lawrence C Paulson

  17. Secrecy of Session Keys • Three keys, created for digital envelopes • Dependency: one key protects another • Main theorem on this dependency relation • Generalizes an approach used for simpler protocols (Yahalom) • Similarly, prove secrecy of Nonces 17 Lawrence C Paulson

  18. Plan of Talk • The SET Protocol • Defining the Formal Models • Verifying the Registration Phase • Verifying the Purchase Phase 18 Lawrence C Paulson

  19. The Purchase Phase Purchase details SET Payment details (hidden from Merchant) Payment Gateway 19 Lawrence C Paulson

  20. The SET Dual Signature 3-way agreement with partial knowledge! • Cardholder shares Order Information only with Merchant • Cardholder shares Payment Information only with Payment Gateway • Cardholder signs hashes of OI, PI • Non-repudiation: all parties sign messages 20 Lawrence C Paulson

  21. The Purchase Request Message 21 Lawrence C Paulson

  22. Complications in SET Proofs • Massive redundancy – Caused by hashing and dual signature – E.g. 9 copies of “purchase amount” in one message! • Multi-page subgoals • Insufficient redundancy (no explicitness), failure of one agreement property • Many digital envelopes 22 Lawrence C Paulson

  23. Runtimes for Various Protocols 23 Lawrence C Paulson

  24. Conclusions • We can find flaws in massive protocols • Analyzing bigger protocols than SET may be impossible • Improvements are needed: – Abstract treatment of constructions such as digital envelopes – Better official formal definitions 24 Lawrence C Paulson

Recommend

Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano

Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano

Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano Rome Inductive Protocol Verification Define systems operational semantics Include honest parties and an attacker Model each

465 views • 22 slides
Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open

Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open

Verifying Authentication Properties of C Protocol Code Using VCC Franois Dupressoir (Open University) Andrew D. Gordon (MSR Cambridge) Jan Jrjens (TU Dortmund) Verifying Security Code Assume a security API specification.

397 views • 24 slides
Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail

Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution Mihhail Aizatulin 1 supervised by Andrew Gordon 23 , Jan J urjens 4 , Bashar Nuseibeh 1 1 The Open University 2 Microsoft Research Cambridge 3 University of

543 views • 29 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 09 March, 2017 Overview 1. Why we need a verified filesystem 2. Our approach

514 views • 29 slides
What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i -Key-Protocol, i = 1, 2, 3, Family of protocols Secure electronic payment Based on credit card payments Christopher Hsu Can be extended

407 views • 4 slides
Verifying and enforcing network paths with ICING Jad Naous , Michael Walfish, Antonio Nicolosi,

Verifying and enforcing network paths with ICING Jad Naous , Michael Walfish, Antonio Nicolosi,

Verifying and enforcing network paths with ICING Jad Naous , Michael Walfish, Antonio Nicolosi, David Mazires, Michael Miller, and Arun Seehra 1 Today: New protocol for every feature Remote VPN, Private WANs, Specifying QoS, Firewalls,

581 views • 38 slides
Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth

Verifying Cryptographic Protocols in Applied Pi Calculus Mark Ryan Ben Smyth M.D.Ryan@cs.bham.ac.uk research@bensmyth.com Cryptoforma 7th April 2010 Cryptographic protocols A cryptographic protocol is a distributed procedure that employs

698 views • 46 slides
Overview/Questions What does Internet Protocol actually do? What is an IP address? How

Overview/Questions What does Internet Protocol actually do? What is an IP address? How

CS101 Lecture 6: Internetworking: Internet Protocol, IP Addresses, Routing, DNS John Magee 8 July 2013 Some images courtesy Wikimedia Commons 1 Overview/Questions What does Internet Protocol actually do? What is an IP address? How

495 views • 18 slides
Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of

Verifying filesystems in ACL2 Towards verifying file recovery tools Mihir Mehta Department of Computer Science University of Texas at Austin mihir@cs.utexas.edu 10 November, 2017 1/34 Outline Motivation and related work Our approach

681 views • 34 slides
Day 1 - Outline Introductions, Agenda Bashing OSP Protocol Design Issues Overview of Group Work

Day 1 - Outline Introductions, Agenda Bashing OSP Protocol Design Issues Overview of Group Work

Day 1 - Outline Introductions, Agenda Bashing OSP Protocol Design Issues Overview of Group Work Presentation API Protocol Items Review of Open Screen Protocol 1.0 Remote Playback API Protocol Items OSP Authentication & Security Second

1.75k views • 143 slides
Tow ards Self-Tim ed Logic in the Tim e- Triggered Protocol Overview Introduction

Tow ards Self-Tim ed Logic in the Tim e- Triggered Protocol Overview Introduction

Markus Ferringer Department of Computer Engineering Vienna University of Technology Tow ards Self-Tim ed Logic in the Tim e- Triggered Protocol Overview Introduction Project ARTS Asynchronous design Time-Triggered Protocol

684 views • 15 slides
DHCP EAP Analysis or wheres my pony? Protocol overview

DHCP EAP Analysis or wheres my pony? Protocol overview

DHCP EAP Analysis or wheres my pony? Protocol overview EAP Encapsulated in DHCP Protocol DHCP protocol starts normally Relay (proxy)

881 views • 12 slides
Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers

Self- -Verifying Verifying Self Self-Verifying * * Dining Philosophers Dining Philosophers Dining Philosophers Peter Welch and Neil Brown Peter Welch and Neil Brown School of Computing, University of Kent, UK School of Computing,

675 views • 44 slides
Attacks on TCP 1 Outline What is TCP protocol? How the TCP Protocol Works SYN

Attacks on TCP 1 Outline What is TCP protocol? How the TCP Protocol Works SYN

Attacks on TCP 1 Outline What is TCP protocol? How the TCP Protocol Works SYN Flooding Attack TCP Reset Attack TCP Session Hijacking Attack 2 TCP Protocol Transmission Control Protocol (TCP) is a core protocol

598 views • 47 slides
Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya

Specifying and Verifying Concurrent Algorithms with Histories and Subjectivity Ilya Sergey Aleks Nanevski Anindya Banerjee ESOP 2015 A logic-based approach for Specifying and Verifying Concurrent Algorithms An

2.36k views • 186 slides
stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication to be nobody-but-yourselfin a world which is doing its best to make you everybody else - e e cummings authentication: verifying the

490 views • 15 slides
UC UC b Overview Leader Election Protocol Dynamic Voltage Scaling Optimal

UC UC b Overview Leader Election Protocol Dynamic Voltage Scaling Optimal

APPLICATIONS UC UC b Overview Leader Election Protocol Dynamic Voltage Scaling Optimal Reconfiguration of FPGA Memory Interface UC UCb Leader Election Protocol UC UC b Leader Election 2 1 0 3 Protocol by Leslie

917 views • 62 slides
Verifying Trigonometric Identities A trigonometric identity is simply an identity involving

Verifying Trigonometric Identities A trigonometric identity is simply an identity involving

Verifying Trigonometric Identities A trigonometric identity is simply an identity involving trigonometric functions. We learn to verify and spend time verifying trigonometric identities because the practice we get verifying trigonometric

661 views • 46 slides
Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part III Stefan Rhrup University of Freiburg Computer Networks and Telematics Summer 2009 Overview In previous parts of this chapter: Modeling behaviour with

773 views • 74 slides
Outline NGN and SIGTRAN SCTP Motivation for SCTP Protocol Overview Stream Control

Outline NGN and SIGTRAN SCTP Motivation for SCTP Protocol Overview Stream Control

Topics in Computer Networking Outline NGN and SIGTRAN SCTP Motivation for SCTP Protocol Overview Stream Control Transmission Packet format Protocol Protection against SYN Flooding Multistreaming Multihoming

441 views • 9 slides
Formally-Verified ASN.1 Protocol C-language Stack 1 Carnegie Mellon University 2 Digamma.ai Vadim

Formally-Verified ASN.1 Protocol C-language Stack 1 Carnegie Mellon University 2 Digamma.ai Vadim

Formally-Verified ASN.1 Protocol C-language Stack 1 Carnegie Mellon University 2 Digamma.ai Vadim Zaliva 1 Nika Pona 2 What is ASN.1? At Digamma.ai we are verifying a compiler for ASN.1 The ASN.1 is a language for defining data

215 views • 21 slides
Network Protocol Design and Evaluation 04 - Protocol Specification, Part II Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part II Stefan Rhrup

Network Protocol Design and Evaluation 04 - Protocol Specification, Part II Stefan Rhrup University of Freiburg Computer Networks and Telematics Summer 2009 Overview In Part I of this chapter: Modeling with state machines and

1.8k views • 126 slides
Software Component Protocol Inference Tao Xie General Examination Presentation Dept. of

Software Component Protocol Inference Tao Xie General Examination Presentation Dept. of

Software Component Protocol Inference Tao Xie General Examination Presentation Dept. of Computer Science and Engineering University of Washington 6 June 2003 1 Outline Background Overview of protocol inference Dynamic protocol

810 views • 52 slides
Protocol on SEA Chapter A5: Overview of basic tools for SEA Resource Manual to Support

Protocol on SEA Chapter A5: Overview of basic tools for SEA Resource Manual to Support

Protocol on SEA Chapter A5: Overview of basic tools for SEA Resource Manual to Support Application of the UNECE Protocol on Strategic Environmental Assessment draft 26-Apr-07 A5.1 Contents of the Chapter SEA & P/P making: basic

676 views • 25 slides

More recommend