Model Checking for Security Protocols Will Marrero, Edmund Clarke, Shomesh Jha.


Needham-Schroeder Protocol (circa 1996) Purpose: Authenticate Participants

Assumptions: Perfect Encryption. The decryption key must be known to encrypt. No encryption collisions. Proofs offer no protection from poor encryption implementation!

Intruder’s Ability Interception  Ex: Impersonation  Ex: Legitimate Participant  Ex: Compromise Temporary Secrets  But those secrets should not be revealed by protocol

Security Properties. Secrecy: tracked by two sets in global state. Correspondence: “If A believes it has completed two protocol runs with principal B, then principal B must have at least begun two protocol runs with principal A.” Tracked by counters in global state.

Atomic Messages Keys  Ex: Principal Names  Ex: A, B, I Nonces  Ex: Data

Messages and Atomic Messages Given A a set of atomic messages, M the set of all messages is defined inductively:

Closure of Messages Let be a subset of messages The closure of is defined by: (pairing) (projection) (encryption) (decryption)

Principals A 4-Tuple N the name of the principal p a process given as a sequence of actions to be performed is a set of known messages, generally infinite, but from a finite generator set. B a set of bindings from variables in p to messages in I

Initial Knowledge For the intruder 

Global State A 5-Tuple is the product of the individual principals (including the intruder) difference between number of times A has initiated a protocol and the number of times B has finished responding difference between number of times A has begun responding and the number of times B has finished initiating

Global State Continued A 5-Tuple a set of safe secrets. Remains constant. a set of temporary secrets. New secrets generated during the run of the protocol. The last four values check security constraints.

Process

Internal Actions NEWNONCE( var ) NEWSECRET( var )

Internal Actions GETSECRET( val ) – Intruder Only

Internal Actions A calls BEGINIT(B), B calls ENDRESPOND(A) BEGRESPOND/ENDINIT  Symmetric on

Communication Actions. Sends and receives are synchronized: a process can only send a message if it unifies with a receive message. The sender must be able to sculpt a message that matches all existing bindings and expectations. How does the intruder sculpt such a message?

Model Checking Algorithm

Finding a needle in a haystack Decidability of when is probably infinite? Normalized Derivation: (pairing) (projection) (encryption) (decryption) Expanding Rules Shrinking Rules

Normalized Derivation Following algorithm is guaranteed to terminate and decide : Start with a generator set Apply all possible shrinking rules Try all possible sequences of expanding rules until word size is equal to s Proves existence

An Efficient Approach When adding a message to I in : Apply all possible shrinking rules Remove ‘redundant messages’ Result is minimal generator Can recursively attempt to build
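
The derivability check described in the Normalized Derivation and An Efficient Approach slides, as an added Python example that is not from the original presentation: saturate the known set with the shrinking rules, test the target with the expanding rules, and drop redundant messages to get a minimal generator. The tuple encoding of terms, the key names (Ka, Ki_inv and so on) and the sample intruder knowledge are assumptions constructed for illustration.

```python
# Added example. Term encoding is an assumption of this sketch: atoms are
# strings, ("pair", m1, m2) is a pair, ("enc", m, k) is m encrypted under
# the atomic key k.
def pair(a, b):
    return ("pair", a, b)

def enc(m, k):
    return ("enc", m, k)

def analyze(generators, inverses):
    """Saturate under the shrinking rules (projection, decryption)."""
    known = set(generators)
    changed = True
    while changed:
        changed = False
        for m in list(known):
            if not isinstance(m, tuple):
                continue
            if m[0] == "pair":
                parts = {m[1], m[2]}
            elif inverses.get(m[2], m[2]) in known:  # decryption key is known
                parts = {m[1]}
            else:
                parts = set()
            if not parts <= known:
                known |= parts
                changed = True
    return known

def synth(target, known):
    """Expanding rules only (pairing, encryption). The recursion follows the
    structure of the target, so it always terminates."""
    if target in known:
        return True
    return (isinstance(target, tuple)
            and synth(target[1], known) and synth(target[2], known))

def derivable(target, generators, inverses):
    return synth(target, analyze(generators, inverses))

def minimal_generator(generators, inverses):
    """Drop composite messages that can be rebuilt from their own parts."""
    closed = analyze(generators, inverses)
    return {m for m in closed if not (isinstance(m, tuple)
            and synth(m[1], closed) and synth(m[2], closed))}

# Constructed sample: intruder I holds its own private key and two observed
# ciphertexts, one under its own public key and one under A's.
INVERSES = {"Ka": "Ka_inv", "Kb": "Kb_inv", "Ki": "Ki_inv"}
INTRUDER = {"A", "B", "I", "Ka", "Kb", "Ki", "Ki_inv",
            enc(pair("Na", "A"), "Ki"), enc(pair("Na", "Nb"), "Ka")}
```

Here `derivable(enc(pair("Na", "A"), "Kb"), INTRUDER, INVERSES)` holds while `derivable("Nb", INTRUDER, INVERSES)` does not, which is the kind of query the model checker asks at every send and secrecy check.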

Verification and Attack

The lack of correspondence trace reveals the following attack: