Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chen Advisor: Limin Jia.  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion.

Published byLenard Porter Modified over 9 years ago

Similar presentations

Presentation on theme: "Chen Advisor: Limin Jia.  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion."— Presentation transcript:

1 Chen Advisor: Limin Jia

2  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion

3  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Translation into Horn Clauses  Demo  Comparison  Conclusion

4 Original Protocol Pi CalculusHorn ClausesProverif Authenticity Reserved?

5  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Translation into Horn Clauses  Demo  Comparison  Conclusion

6  Extension of pi calculus with: ◦ cryptographic primitives ◦ “begin” & “end” events  Pi calculus: ◦ mathematical formalisms for describing and analyzing properties of concurrent computation

7  Name: ◦ Free name: Names globally known (also to adversary) ◦ Bound name: Names local to the process  Variable: ◦ Free variable: Variables not used anywhere ◦ Bound name: variables used in the process

8  Equivalence:  Reduction:

9 Original Protocol Pi CalculusHorn ClausesProverif Process P

10  A simplified version of Woo and Lam one-way public key authentication protocol

11  Create secret key sk A & sk B  Create corresponding public keys  Distribute public keys  Create unbounded number of sessions

12

13  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Translation into Horn Clauses  Demo  Comparison  Conclusion

14  Adversary (attacker) ◦ Closed process: Process without free variables (allow free names)

15  Secrecy Remember: Q has access to all free names, including channel c

16  Authenticity ◦ Non-injective agreement:  if event end(M) is executed, then begin(M) has also been executed.

17  Authenticity ◦ Injective agreement:  The number of executions of end(M) is smaller than that of begin(M). Where is Authenticity?

18  Authenticity ◦ Non-injective agreement:  if event end(M) is executed, then begin(M) has also been executed.

19  Authenticity is satisfied when: ◦ B cannot emit his end event without A having emitted her begin event.  End(M) => Begin(M) for all cases.

20 Sarkozy thinks: Sarkozy says: Sarkozy agrees: Authenticity is satisfied when: The other side is indeed Sarkozy!

21 Begin(M): I start my part of the protocol. I think I would talk to Obama End(M): I finish my part of the protocol. I think I have talked to Sarkozy Protocol ensures: Remember: Protocol is lock-stepped!

22 Begin(M): I start my part of the protocol. I think I would talk to Obama End(M): I finish my part of the protocol. I think I has talked to Sarkozy Authenticity is violated when End(M) => Begin(M)!

23  Authenticity is satisfied when: ◦ B cannot emit his end event without A having emitted her begin event.  End(M) => Begin(M) for all cases.

24 Begin(M): I start my part of the protocol. I think I would talk to Obama End(M): I finish my part of the protocol. I think I has talked to Sarkozy Here End(M) !=> Begin(M)!

25  Authenticity ◦ Non-injective agreement:  if event end(M) is executed, then begin(M) has also been executed. Correct!

26 We will be back!

27  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Translation into Horn Clauses  Demo  Comparison  Conclusion

28  (P1 Λ P2 Λ…Λ Pn) => u  Our usage: ◦ Patterns ◦ Facts ◦ Rules  Attacker  Protocol

29  (P1 Λ P2 Λ…Λ Pn) => u  Our usage: ◦ Patterns ◦ Facts ◦ Rules  Attacker  Protocol

30  (P1 Λ P2 Λ…Λ Pn) => u  Our usage: ◦ Patterns ◦ Facts ◦ Rules  Attacker  Protocol

31  (P1 Λ P2 Λ…Λ Pn) => u  Our usage: ◦ Patterns ◦ Facts ◦ Rules  Attacker  Protocol

32  (P1 Λ P2 Λ…Λ Pn) => u  Our usage: ◦ Patterns ◦ Facts ◦ Rules  Attacker  Protocol

33 Original Protocol Pi CalculusHorn ClausesProverif

34  If c ∈ S, message(c[],M) = attacker(M)  Vo, Vs: ◦ Vo: Set of ordinary variables. ◦ Vs: Set of session identifiers.  ρ : mapping from variables and names to patterns  h : Sequence of facts of message and begin. ◦ Literals of horn clauses we want

35

36  [|P|] = [|(vskA).P1|]  [|P1|] = [|(vskB).P2|]  [|P2|] = [|let pkA = pk(skA) in P3|]  [|P3|] = [|let pkB = pk(skB) in P4|]  [|P4|] = [|c.P5|]  ρ : c → c[]  h :  First Horn Clause: message(c[],pk(skA))=attacker(pk(skA[])),skA → skA[], skB → skB[], pkA → pk(skA[]), pkB → pk(skB[])

37

38

39 Original Protocol Pi CalculusHorn ClausesProverif B P0,S

40  B P0,S : Horn clauses of the protocol  B b : Horn clauses of allowed begin event. We are back!

41  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Translation into Horn Clauses  Demo  Comparison  Conclusion

42  Authenticity verification on Proverif

43  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Translation into Horn Clauses  Demo  Comparison  Conclusion

44 ProsCons Fully AutomaticSometimes no termination Unlimited number of sessionsSometimes not Complete General cryptographic primitives

45  Inductive method similar to Proverif ◦ Proverif is kind of automatic  Model checking automatic ◦ Infinate session in Proverif. ProverifInductive Approach Model Checking (Mur phi) AutomaticityYNY Number of States Support Infinite Finite Concurrency Support YY(Manually)Y(limited)

46  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Translation into Horn Clauses  Demo  Comparison  Conclusion

47 New Technique for Authenticity verification in Cryptographic Protocol Fully automatic Precise sematic foundation Unbounded number of sessions Support general cryptographic primitive

48

Download ppt "Chen Advisor: Limin Jia.  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion."

Similar presentations

Universally Composable Symbolic Analysis of Cryptographic Protocols

Universally Composable Symbolic Analysis of Cryptographic Protocols
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur ϕ verification system.
Distributed Snapshots: Determining Global States of Distributed Systems - K. Mani Chandy and Leslie Lamport.

Distributed Snapshots: Determining Global States of Distributed Systems - K. Mani Chandy and Leslie Lamport.
Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 8 Automatically Checking Protocols II Tom Chothia CWI.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.
Pairwise Key Agreement in Broadcasting Networks - 2005.11.11 - Ik Rae Jeong.

Pairwise Key Agreement in Broadcasting Networks Ik Rae Jeong.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.
Applying Petri Net Unfoldings for Verification of Mobile Systems Apostolos Niaouris Joint work with V. Khomenko, M. Koutny MOCA ‘06.

Applying Petri Net Unfoldings for Verification of Mobile Systems Apostolos Niaouris Joint work with V. Khomenko, M. Koutny MOCA ‘06.
1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.

1 1 Regression Verification for Multi-Threaded Programs Sagar Chaki, SEI-Pittsburgh Arie Gurfinkel, SEI-Pittsburgh Ofer Strichman, Technion-Haifa Originally.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.

Luu Anh Tuan. Security protocol Intruder Intruder behaviors Overhead and intercept any messages being passed in the system Decrypt messages that are.
Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.
Copyright © Cengage Learning. All rights reserved. CHAPTER 5 SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION.

Copyright © Cengage Learning. All rights reserved. CHAPTER 5 SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION SEQUENCES, MATHEMATICAL INDUCTION, AND RECURSION.
Authenticity. Specifying Authenticity A begins! Send(A,m,B) A -> S : A, {B,m}kas S -> B : {A,m}kbs B ends Send(A,m,B) Insert begin- and end-markers into.

Authenticity. Specifying Authenticity A begins! Send(A,m,B) A -> S : A, {B,m}kas S -> B : {A,m}kbs B ends Send(A,m,B) Insert begin- and end-markers into.
Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.

Copyright © 2006 Addison-Wesley. All rights reserved.1-1 ICS 410: Programming Languages Chapter 3 : Describing Syntax and Semantics Axiomatic Semantics.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

Similar presentations

Ads by Google