Automated Analysis of Cryptographic Protocols Using Murphi Mingchen Zhao University of Pennsylvania.

Slides:

Advertisements

Similar presentations

CS 267: Automated Verification Lecture 8: Automata Theoretic Model Checking Instructor: Tevfik Bultan.

Advertisements

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Lecture 3Dr. Verma1 COSC 6397 – Information Assurance Module M2 – Protocol Specification and Verification University of Houston Rakesh Verma Lecture 3.

CS259: Security Analysis of Network Protocols Overview of Murphi Arnab Roy.

SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.

Chen Advisor: Limin Jia.  Whole picture  Process Calculus  Definition of Secrecy and Authenticity  Demo  Comparison  Conclusion.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

Deeper Security Analysis of Web-based Identity Federation Apurva Kumar IBM Research – India.

Modeling Insider Attacks on Group Key Exchange Protocols Jonathan Katz Ji Sun Shin University of Maryland.

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

Electronic Transaction Security (E-Commerce)

A Secure Remote User Authentication Scheme with Smart Cards Manoj Kumar 報告者 : 許睿中日期 :

SMUCSE 5349/73491 Authentication Protocols. SMUCSE 5349/73492 The Premise How do we use perfect cryptographic mechanisms (signatures, public-key and symmetric.

Analysis of Security Protocols (I) John C. Mitchell Stanford University.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Authentication. Terminology  Authentication التثبت من الهوية  Access Control (authorization) التحكم في الوصول  Note the difference between the two.

A Secure Fault-Tolerant Conference- Key Agreement Protocol Wen-Guey Tzeng Source : IEEE Transactions on computers Speaker ： LIN, KENG-CHU.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Analysis of Security Protocols (IV) John C. Mitchell Stanford University.

Transaction Ordering Verification using Trace Inclusion Refinement Mike Jones 11 January 2000.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Information Security of Embedded Systems : Algorithms and Measures Prof. Dr. Holger Schlingloff Institut für Informatik und Fraunhofer FIRST.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Elias M. Awad Third Edition ELECTRONIC COMMERCE From Vision to Fulfillment 13-1© 2007 Prentice-Hall, Inc ELC 200 Day 23.

Key Management and Distribution. YSLInformation Security – Mutual Trust2 Major Issues Involved in Symmetric Key Distribution For symmetric encryption.

1 Reducing Verification Complexity of a Multicore Coherence Protocol Using Assume/Guarantee Xiaofang Chen 1, Yu Yang 1, Ganesh Gopalakrishnan 1, Ching-Tsun.

Cryptography and Network Security Chapter 10. Chapter 10 – Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would venture.

CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.

1 Authentication Protocols Celia Li Computer Science and Engineering York University.

Foundations of Cryptography Rahul Jain CS6209, Jan – April 2011

INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.

Csci5233 Computer Security1 Bishop: Chapter 10 Key Management: Digital Signature.

Chapter 10: Authentication Guide to Computer Network Security.

ECE453 – Introduction to Computer Networks Lecture 18 – Network Security (I)

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.

Cyrtographic Security Identity-based Encryption 1Dennis Kafura – CS5204 – Operating Systems.

Formal Analysis of Security Protocols Dr. Changyu Dong

IS511 Introduction to Information Security Lecture 4 Cryptography 2

Network Security Lecture 23 Presented by: Dr. Munam Ali Shah.

Cryptography and Network Security (CS435) Part Eight (Key Management)

Password Mistyping in Two-Factor Authenticated Key Exchange Vladimir KolesnikovCharles Rackoff Bell LabsU. Toronto ICALP 2008.

CSCE 813 Internet Security Cryptographic Protocol Analysis.

CS426Fall 2010/Lecture 61 Computer Security CS 426 Lecture 6 Cryptography: Message Authentication Code.

Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

Intrusion Tolerant Software Architectures Bruno Dutertre and Hassen Saïdi System Design Laboratory, SRI International OASIS PI Meeting.

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

1 Needham-Schroeder A --> S: A,B, N A S --> A: {N A,B,K AB,{K AB,A} KBS } KAS A --> B:{K AB,A} KBS B --> A:{N B } KAB A --> B:{N B -1} KAB.

Using Cryptography for Network Security Common problems: –Authentication - A and B want to prove their identities to one another –Key-distribution - A.

Network Protocols Network Systems Security Mort Anvari.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

1 Chapter 10: Key Management in Public key cryptosystems Fourth Edition by William Stallings Lecture slides by Lawrie Brown (Modified by Prof. M. Singhal,

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Cryptographic Security Identity-Based Encryption.

Effortless Secure Wireless Enrollment Jeff Shirley David Evans.

Protocol Analysis. CSCE Farkas 2 Cryptographic Protocols Two or more parties Communication over insecure network Cryptography used to achieve goal.

Key Management Network Systems Security Mort Anvari.

Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.

1 Secure Key Exchange: Diffie-Hellman Exchange Dr. Rocky K. C. Chang 19 February, 2002.

Fall 2006CS 395: Computer Security1 Key Management.

Key Management and Distribution Anand Seetharam CST 312.

Lesson Introduction ●Authentication protocols ●Key exchange protocols ●Kerberos Security Protocols.

Pertemuan #8 Key Management Kuliah Pengaman Jaringan.

Model Checking for Security Protocols Will Marrero, Edmund Clarke, Shomesh Jha.

Computer Security By Rubel Biswas. Introduction History Terms & Definitions Symmetric and Asymmetric Attacks on Cryptosystems Outline.

Fundamentals of Network Security Ravi Mukkamala SCI 101 October 6, 2003.

Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.

Formal Methods: Model Checkers and Theorem Provers

APPLE TWO STEP VERIFICATION CHANGE PHONE NUMBER Please read the following presentation on any help on Apple two step verification change phone number.

Presentation transcript:

Automated Analysis of Cryptographic Protocols Using Murphi Mingchen Zhao University of Pennsylvania

Outline Background – Model checking – Authentication protocol Outline of methodology Needham-Schroeder public-key protocol (with bug) Demo of Murphi Needham-Schroeder public-key protocol (with Lowe’s fix) Demo of Murphi Comparison between Model checking and Inductive Method

Background-Model checking Pioneering Work by Edmund M. Clarke, E. Allen Emerson and Joseph Sifakis Awarded 2007 Turing Award Definition: Model checking is a technique for automatically verifying correctness properties of finite state systems.

Model Checking Example P_{0}:: l_{0} : while True do NC_{0}: wait (turn=0); CR_{0}: turn:=1; end while; l’_{0} P_{1}:: l_{1} : while True do NC_{1}: wait (turn=1); CR_{1}: turn:=0; end while; l’_{1}

Model Checking Example

Authentication Protocol Needham-Schroeder Public-Key protocol – The Needham–Schroeder Public-Key Protocol is intended to provide mutual authentication between two parties communicating on a network, but in its proposed form is insecure.

Authentication Protocol – Imaging that you lost your debit card… How do you prove that you the person you claimed? Name? Photo? Birthday? SSN? Password? In cryptographic protocol, we trust you only when you have the private key.

Outline of Methodology Formulate the protocol Add an adversary to the system State the desired correctness condition Run the protocol for some specific choice of the system size parameters. Experiment with alternate formulations and repeat

NS public-key protocol (with bugs) Can anyone see the problem of this protocol?

Demo Murphi Ssh

NS public-key protocol (with Lowe’s fix)

Demo Murphi Ssh

Comparison between Model Checking and Inductive Method Model CheckingInductive approach Checking abilityFinite-State (Not only finite, the states increased exponentially with the size) Infinite-State Human Intelligence Involved Modeling PhaseThe whole process Easy-to-usePeople who can program Mathematician or Ph.D in corresponding area?