Presentation is loading. Please wait.

Presentation is loading. Please wait.

PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005."— Presentation transcript:

1 PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005

2 Computer Security uCryptography Encryption, signatures, cryptographic hash, … uSecurity mechanisms Access control policy Network protocols uImplementation Cryptographic library Code implementing mechanisms –Reference monitor and TCB –Protocol Runs under OS, uses program library, network protocol stack Analyze protocols, assuming crypto, implementation, OS correct

3 Network Security Protocols uTwo or more parties uCommunication over insecure network uCryptography used to achieve goal Exchange secret keys Verify identity (authentication) uExample: SSL (internet banking) Examples of crypto primitives: Public-key encryption, symmetric-key encryption, CBC, hash, signature, key generation, random-number generators

4 This lecture is about… uNetwork security protocols Internet Engineering Task Force (IETF) Standards –SSL/TLS - web authentication –IPSec - corporate VPNs –Mobile IPv6 – routing security –Kerberos - network authentication –GDOI – secure group communication IEEE Standards Working Groups –802.11i - wireless LAN security –802.16e – wireless MAN security uAnd methods for their security analysis Security proof in some model; or Identify attacks

5 Why prove security? uExamples of protocol flaws IKE [Meadows; 1999] –Reflection attack; fix adopted by IETF WG IEEE 802.11i [He, Mitchell; 2004] –DoS attack; fix adopted by IEEE WG GDOI [Meadows, Pavlovic; 2004] –Composition attack; fix adopted by IETF WG Kerberos V5 [Scedrov et al; 2005] –Identity misbinding attack; fix adopted by IETF WG

6 Security Analysis uModel system uModel adversary uIdentify security properties uSee if properties preserved under attack uResult No “absolute security” Security means: under given assumptions about system, no attack of a certain form will destroy specified properties.

7 Important Modeling Decisions uHow powerful is the adversary? Simple replay of previous messages Block messages; Decompose, reassemble and resend Statistical analysis, partial info from network traffic Timing attacks uHow much detail in underlying data types? Plaintext, ciphertext and keys –atomic data or bit sequences Encryption and hash functions –“perfect” cryptography –algebraic properties: encr(x*y) = encr(x) * encr(y) for RSA encrypt(k,msg) = msg k mod N

8 Security Analysis Methodology Analysis Tool Protocol Property Security proof or attack Attacker model Our tool: Protocol Composition Logic (PCL) SSL authentication -Complete control over network -Perfect crypto 42 line axiomatic proof

9 Resources: Protocols & Tools uIETF Security Area http://www.ietf.org/html.charters/wg-dir.html uIEEE Security Working Groups http://grouper.ieee.org/groups/802/11/ uStanford CS 259: Security Analysis of Network Protocols http://www.stanford.edu/class/cs259/ Will focus today on one tool: Protocol Composition Logic (PCL)

10 Protocol Composition Logic: PCL uIntuition uFormalism Protocol programming language Protocol logic –Syntax –Semantics Proof System uExample Signature-based challenge-response uComposition Formulated by Datta, Derek, Durgin, Mitchell, Pavlovic http://www.stanford.edu/~danupam/logic-derivation.html

11 Intuition uReason about local information I chose a new number I sent it out encrypted I received it decrypted Therefore: someone decrypted it uIncorporate knowledge about protocol Protocol: Server only sends m if it received m’ If server not corrupt and I receive m signed by server, then server received m’

12 Intuition: Picture uAlice’s information Protocol Private data Sends and receives Honest Principals, Attacker Protocol Private Data

13 Example: Challenge-Response AB m, A n, sig B {m, n, A} sig A {m, n, B} uAlice reasons: if Bob is honest, then: only Bob can generate his signature. [protocol independent] if Bob generates a signature of the form sig B {m, n, A}, –he sends it as part of msg2 of the protocol and –he must have received msg1 from Alice. [protocol specific] uAlice deduces: Received (B, msg1) Λ Sent (B, msg2)

14 Formalizing the Approach uLanguage for protocol description Arrows-and-messages are informal. uProtocol Semantics How does the protocol execute? uProtocol logic Stating security properties. uProof system Formally proving security properties. (User view of the logic)

15 Cords u“protocol programming language” A protocol is described by specifying a “program” for each role –Server = [receive x; new n; send {x, n}] uBuilding blocks Terms (think “messages”) –names, nonces, keys, encryption, … Actions (operations on terms) –send, receive, pattern match, …

16 Terms t ::=cconstant term xvariable Nname Kkey t, ttupling sig K {t}signature enc K {t}encryption Example: x, sig B {m, x, A} is a term

17 Actions send t;send a term t receive x;receive a term into variable x match t/p(x);match term t against p(x) uA Cord is just a sequence of actions uNotation: we often omit match actions receive sig B {A, n} = receive x; match x/sig B {A, n}

18 Challenge-Response as Cords AB m, A n, sig B {m, n, A} sig A {m, n, B} InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

19 Cord Spaces uCord space is a multiset of cords uCords may react via communication via internal actions uSample reaction steps: Communication: [ S; send t; S’]  [ T; receive x; T’ ]  [ S; S’]  [ T; T’(t/x) ] Matching: [ S; match p(t)/p(x); S’ ]  [ S; S’(t/x) ]

20 Execution Model Initial configuration Protocol is a finite set of roles Set of principals and keys Assignment of  1 role to each principal Run new x send {x} B receive {x} B A B C Position in run receive {z} B new z send {z} B

21 Attacker capabilities uControls complete network Can read, remove, inject messages uFixed set of operations on terms Pairing Projection Encryption with known key Decryption with known key … Commonly referred to as “Dolev-Yao” attacker Next lecture: more powerful “crypto-style” attacker

22 Logical assertions uModal operator  [ actions ] P  - if  holds and P executes actions, then  holds uPredicates in  Send(X,m) - principal X sent message m Receive(X,m) – principal X received message m Verify(X,m) - X verified signature m Has(X,m) - X created m or received msg containing m and has keys to extract m from msg Honest(X) – X follows rules of protocol

23 Formulas true at a position in run Action formulas a ::= Send(P,m) | Receive (P,m) | New(P,t) | Decrypt (P,t) | Verify (P,t) Formulas  ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t 1, t 2 ) |  |  1   2 |  x  |   |   Example After(a,b) =  (b   a)

24 Semantics uProtocol Q Defines set of roles (e.g, initiator, responder) Run R of Q is sequence of actions by principals following roles, plus attacker uSatisfaction Q, R |   [ actions ] P  If some role of P in R does exactly actions starting from state where  is true, then  is true in state after actions completed Q |   [ actions ] P  Q, R |   [ actions ] P  for all runs R of Q

25 Security Properties uAuthentication for Initiator CR |  true [ InitCR(A, B) ] A Honest(B)  ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig B {m, n, A}}}), Receive(A, {B,A,{n, sig B {m, n, A}}}) )

26 Proof System uGoal: formally prove security properties uAxioms Simple formulas provable by hand uInference rules Proof steps uTheorem Formula obtained from axioms by application of inference rules This is what you will do!

27 Sample axioms about actions uNew data true [ new x ] P Has(P,x) true [ new x ] P Has(Y,x)  Y=P uActions true [ send m ] P  Send(P,m) uKnowledge true [receive m ] P Has(P,m) uVerify true [ match x/sig X {m} ] P  Verify(P,m)

28 Reasoning about knowledge uPairing Has(X, {m,n})  Has(X, m)  Has(X, n) uEncryption Has(X, enc K (m))  Has(X, K -1 )  Has(X, m)

29 Encryption and signature uPublic key encryption Honest(X)   Decrypt(Y, enc X {m})  X=Y uSignature Honest(X)   Verify(Y, sig X {m})   m’ (  Send(X, m’)  Contains(m’, sig X {m})

30 Sample inference rules uFirst-order logic rules     uGeneric rules  [ actions ] P   [ actions ] P   [ actions ] P   

31 Bidding conventions (motivation) uBlackwood response to 4NT –5  : 0 or 4 aces –5  : 1 ace –5 : 2 aces –5  : 3 aces uReasoning If my partner is following Blackwood, then if she bid 5, she must have 2 aces

32 Honesty rule (rule scheme)  roles R of Q.  protocol steps A of R. Start(X) [ ] X   [ A ] X  Q |- Honest(X)   This is a finitary rule: –Typical protocol has 2-3 roles –Typical role has 1-3 receives –Only need to consider A waiting to receive

33 Honesty rule (example use)  roles R of Q.  protocol steps A of R. Start(X) [ ] X   [ A ] X  Q |- Honest(X)   Example use: –If Y receives a message m from X, and –Honest(X)  (Sent(X,m)  Received(X,m’)) –then Y can conclude Honest(X)  Received(X,m’)) Proved using honesty rule

34 Correctness of CR CR |- true [ InitCR(A, B) ] A Honest(B)  ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig B {m, n, A}}}), Receive(A, {B,A,{n, sig B {m, n, A}}}) ) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

35 Correctness of CR – step 1 1. A reasons about her own actions CR |- true [ InitCR(A, B) ] A  Verify(A, sig B {m, n, A}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

36 Correctness of CR – step 2 2. Properties of signatures CR |- true [ InitCR(A, B) ] A Honest(B)   m’ (  Send(B, m’)  Contains(m’, sig B {m, n, A}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ] Recall signature axiom

37 Correctness of CR – Honesty Invariant proved with Honesty rule CR |- Honest(X)   Send(X, m’)  Contains(m’, sig x {y, x, Y})    New(X, y)  m= X, Y, {x, sig B {y, x, Y}}   Receive(X, {Y, X, {y, Y}}) InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ] Induction over protocol steps

38 Correctness of CR – step 3 3. Use Honesty invariant CR |- true [ InitCR(A, B) ] A Honest(B)   Receive(B, {A,B,m}),… InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ]

39 Correctness of CR – step 4 4. Use properties of nonces for temporal ordering CR |- true [ InitCR(A, B) ] A Honest(B)  Auth InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig X {m, x, A}}; send A, X, sig A {m, x, X}}; ] RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig B {y, n, Y}}; receive Y, B, sig Y {y, n, B}}; ] Nonces are “fresh” random numbers

40 Complete proof

41 We have a proof. So what? u Soundness Theorem: if Q |-  then Q |=  If  is a theorem then  is a valid formula u  holds in any step in any run of protocol Q Unbounded number of participants Dolev-Yao intruder

42 Weak Challenge-Response AB m n, sig B {m, n} sig A {m, n} InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]

43 Correctness of WCR – step 1 1. A reasons about it’s own actions WCR |- [ InitWCR(A, B) ] A  Verify(A, sig B {m, n}) InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]

44 Correctness of WCR – step 2 2. Properties of signatures CR |- [ InitCR(A, B) ] A Honest(B)   m’ (  Send(B, m’)  Contains(m’, sig B {m, n, A}) InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]

45 Correctness of WCR – Honesty Honesty invariant CR |- Honest(X)   Send(X, m’)  Contains(m’, sig x {y, x})    New(X, y)  m= X, Z, {x, sig B {y, x}}   Receive(X, {Z, X, {y, Z}}) InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]

46 Correctness of WCR – step 3 3. Use Honesty rule WCR |- [ InitWCR(A, B) ] A Honest(B)   Receive(B, {Z,B,m}), InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]

47 Result uWCR does not have the strong authentication property for the initiator uCounterexample Intruder can forge senders and receivers identity in first two messages –A -> X(B)m –X(C) -> Bm –B -> X(C) n, sig B (m, n) –X(B) ->An, sig B (m, n)

48 Protocol Composition Logic: PCL uIntuition uFormalism Protocol programming language Protocol logic –Syntax –Semantics Proof System uExample Signature-based challenge-response uComposition uComputational Soundness

49 Compositional Security uAssigned readings: A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. A derivation system and compositional logic for security protocols C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A Modular Correctness Proof of TLS and IEEE 802.11i uPerspective: C. Meadows. Open issues in formal methods for cryptographic protocol analysis. J. M. Wing. Beyond the horizon: A call to arms.

50 ISO-9798-3 Key Exchange uAuthentication Do we need to prove it from scratch?  Shared secret: g ab AB g a, A g b, sig B { g a, g b, A} sig A { g a, g b, B} Goal: Combine proofs of Diffie-Hellman and challenge- response sub-protocols

51 Abstract challenge response uFree variables m and n instead of nonces  Modal form:  [ actions ]  precondition: Fresh(A,m) actions: [ InitACR ] A postcondition: Honest(B)  Authentication uSecrecy is proved from properties of Diffie-Hellman InitACR(A, X, m) = [ send A, X, {m}; receive X, A, {x, sig X {m, x}}; send A, X, sig A {m, x}}; ] RespACR(B, n) = [ receive Y, B, {y}; send B, Y, {n, sig B {y, n}}; receive Y, B, sig Y {y, n}}; ]

52 Diffie-Hellman: Property uFormula utrue [ new a ] A Fresh(A, g a ) uDiffie-Hellman property: uCan compute g ab given g a and b or g b and a uCannot compute g ab given g a and g b

53 Challenge Response: Property uModal form:  [ actions ] P  precondition: Fresh(A,m) actions: [ Initiator role actions ] A postcondition: Honest(B)  ActionsInOrder( send(A, {A,B,m}), receive(B, {A,B,m}), send(B, {B,A,{n, sig B {m, n, A}}}), receive(A, {B,A,{n, sig B {m, n, A}}}) )

54 Composition: DH+CR = ISO-9798-3 Additive Combination uDH post-condition matches CR precondition uSequential Composition: Substitute g a for m in CR to obtain ISO. Apply composition rule ISO initiator role inherits CR authentication. uDH secrecy is also preserved Proved using another application of composition rule. Nondestructive Combination DH and CR satisfy each other’s invariants

55 Composing protocols DH  Honest(X)  … ’’  |- Secrecy  ’ |- Authentication  ’ |- Secrecy  ’ |- Authentication  ’ |- Secrecy  Authentication [additive] DH  CR   ’ [nondestructive] ISO  Secrecy  Authentication = CR  Honest(X)  … Sequential and parallel composition theorems

56 Composition Rules uInvariant weakening rule  |-  […] P     ’ |-  […] P  uSequential Composition  |-  [ S ] P   |-  [ T ] P   |-  [ ST ] P  uProve invariants from protocol Q   Q’   Q  Q’  

57 Composition: Big Picture Protocol Q Safe Environment for Q Q1Q1 Q2Q2 Q3Q3 QnQn Q |- Inv(Q) Inv(Q) |-  Q i |- Inv(Q) No reasoning about attacker …

58 802.11i:Staged Composition uControl Flow Intended run is sequential Different Failure Recovery mechanisms can be implemented for efficiency Periodically update Group Key, PTK, PMK (omit here) uHybrid modes Pre-Shared Key (PSK) used directly instead of EAP authentication methods Cached PMK might be used for mobile users Alternatives for EAP-TLS, e.g., PEAP, LEAP Data Transmission Group Key 4-Way EAP-TLS PMK PTK GTK

59 802.11i Proof Structure Step 1.  i,  j |- θ i [P i ] X  i Separate proof of individual components TLS, 4-Way, and Group Key Handshake; Step 2.  i, j, Q i |-  j Necessary invariants are satisfied by all components; Step 3.  i,  i  θ i+1 The postcondition of TLS implies precondition of 4-Way; postcondition of 4-Way implies precondition of Group Key; Step 4.  i, θ i [B] X θ i The preconditions of each component are preserved by subsequent components. Applying the Staged Composition Theorem, 802.11i is secure

60 Protocol Composition Logic: PCL uIntuition uFormalism Protocol programming language Protocol logic –Syntax –Semantics Proof System uExample Signature-based challenge-response uComposition uComputational Soundness

61 Computational PCL uSymbolic proofs about complexity- theoretic model of cryptographic protocols!

62 Symbolic model [NS78,DY84,…] Complexity-theoretic model [GM84,…] Attacker actions-Fixed set of actions, e.g., decryption with known key (ABSTRACTION) + Any probabilistic poly-time computation Security properties-Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION) + Fine-grained, e.g., secret message = no partial information about bitstring representation Analysis methods+ Successful array of tools and techniques; automation - Hand-proofs are difficult, error-prone; no automation Can we get the best of both worlds? Two worlds

63 Our Approach Protocol Composition Logic (PCL) Syntax Proof System Symbolic “Dolev-Yao” model Semantics Computational PCL Syntax ±  Proof System ±  Complexity-theoretic model Semantics Talk so far… Leverage PCL success…

64 Main Result uComputational PCL Symbolic logic for proving security properties of network protocols using public-key encryption uSoundness Theorem: If a property is provable in CPCL, then property holds in computational model with overwhelming asymptotic probability. uBenefits Symbolic proofs about computational model Computational reasoning in soundness proof (only!) Different axioms rely on different crypto assumptions

65 ISO-9798-3 Key Exchange  Shared secret to be used as key: AB g a, A g b, sig B { g a, g b, A} sig A { g a, g b, B} Roughly: A, B have g ab and for everyone else it is indistinguishable from a random key g r

66 Central axioms uCryptographic security property of signature scheme Unforgeability (used for authentication) uCryptographic security property of Diffie-Hellman function DDH (used to prove secrecy)

67 CMA-Secure Signatures ChallengerAttacker mi Sig(Y,mi) Sig(Y,m) Attacker wins if m  mi

68 Decisional Diffie-Hellman Let a, b, c be chosen at random from a group G with generator g. Then the two distributions and are computationally indistinguishable (no polynomial time attacker can tell them apart)

69 Complete Proof

70 PCL  Computational PCL uSyntax, proof rules mostly the same But not sure about propositional connectives… uSignificant difference Symbolic “knowledge” –Has(X,t) : X can produce t from msgs that have been observed, by symbolic algorithm Computational “knowledge” –Possess(X,t) : can produce t by ppt algorithm –Indistinguishable(X,t) : can distinguish from random in ppt More subtle system: some axioms rely on CCA2, some are info-theoretically true, etc.

71 Complexity-theoretic semantics uQ |=  if  adversary A  distinguisher D  negligible function f  n 0  n > n 0 s.t. [[  ]](T,D,f) T(Q,A,n) [[  ]](T,D,f(n)) |/|T| > 1 – f(n) Fraction represents probability Fix protocol Q, PPT adversary A Choose value of security parameter n Vary random bits used by all programs Obtain set T=T(Q,A,n) of equi-probable traces

72 Inductive Semantics  [[  1   2 ]] (T,D,  ) = [[  1 ]] (T,D,  )  [[  2 ]] (T,D,  )  [[  1   2 ]] (T,D,  ) = [[  1 ]] (T,D,  )  [[  2 ]] (T,D,  )  [[   ]] (T,D,  ) = T - [[  ]] (T,D,  ) Implication uses conditional probability  [[  1   2 ]] (T,D,  ) = [[   1 ]] (T,D,  )  [[  2 ]] (T’,D,  ) where T’ = [[  1 ]] (T,D,  ) Formula defines transformation on probability distributions over traces

73 Soundness of proof system uExample axiom Source(Y,u,{m}X)   Decrypts(X, {m}X)  Honest(X,Y)  (Z  X,Y)  Indistinguishable(Z, u) uProof idea: crypto-style reduction Assume axiom not valid:  A  D  negligible f  n 0  n > n 0 s.t. [[  ]](T,D,f)|/|T| < 1 –f(n) Construct attacker A’ that uses A, D to break IND-CCA2 secure encryption scheme Conditional implication essential

74 Logic and Cryptography: Big Picture Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption) Crypto constructions satisfying definitions (e.g., Cramer-Shoup encryption scheme) Axiom in proof system Protocol security proofs using proof system Semantics and soundness theorem

75 Summary: PCL uProving security properties of network protocols is important! uFormalism Protocol programming language Protocol logic –Syntax – stating security properties –Semantics – meaning of security properties Proof System –proving security properties uExamples Signature-based challenge-response, ISO, 802.11i uComposition Modular proofs uComputational Soundness Symbolic proofs about complexity-theoretic model

76 Thanks ! Questions?

Download ppt "PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005."

Similar presentations

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)

Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic Koji Hasebe Mitsuhiro Okada (Dept. of Philosophy, Keio University)
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Security Definitions in Computational Cryptography

Security Definitions in Computational Cryptography
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.

Formal Derivation of Security Protocols Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute HCSS April 15, 2004.
15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.
Logic for Computer Security Protocols John Mitchell Stanford University.

Logic for Computer Security Protocols John Mitchell Stanford University.
CS 395T Computational Soundness of Formal Models.

CS 395T Computational Soundness of Formal Models.
Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University ICALP and PPDP, 2005.

Security Analysis of Network Protocols: Logical and Computational Methods John Mitchell Stanford University ICALP and PPDP, 2005.
Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.

Security Analysis of Network Protocols Anupam Datta Stanford University May 18, 2005.
Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.

Compositional Protocol Logic CS 395T. Outline uFloyd-Hoare logic of programs Compositional reasoning about properties of programs uDDMP protocol logic.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.

Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.
Analysis of Security Protocols (V) John C. Mitchell Stanford University.

Analysis of Security Protocols (V) John C. Mitchell Stanford University.
Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.

Abstraction and Refinement in Protocol Derivation Anupam DattaAnte Derek John C. Mitchell Dusko Pavlovic Stanford University Kestrel Institute CSFW June.
Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005.

Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005.
Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005.

Symbolic Logic for Complexity- theoretic Model of Security Protocols Anupam Datta Ante Derek John C. Mitchell Vitaly Shmatikov Mathieu Turuani May 5, 2005.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Similar presentations

Ads by Google