Presentation is loading. Please wait.

Presentation is loading. Please wait.

Digital signature in automatic analyses for confidentiality against active adversaries Ilja Tšahhirov, Peeter Laud.

Published byIsabel Loren Davis Modified over 8 years ago

Similar presentations

Presentation on theme: "Digital signature in automatic analyses for confidentiality against active adversaries Ilja Tšahhirov, Peeter Laud."— Presentation transcript:

1 Digital signature in automatic analyses for confidentiality against active adversaries Ilja Tšahhirov, Peeter Laud

2 Goal of the analysis Problem statement –Given the protocol (set of programs making calculations and exchanging messages) –It works with some secret data –No active adversary should be able to learn anything about the secret data Automatically determine whether the protocol is secure or not.

3 Original technique Published in: Peeter Laud. Symmetric encryption in automatic analyses for confidentiality against active adversaries. 2004 IEEE Symposium on Security and Privacy, pages 71-85, May 2004. –Automatic analyzer present –Programming language –Single cryptographic primitive – symmetric encryption –Definition of the adversary –Definition of the security –Protocol transformations

4 Programming language Instruction set P :: =k:=gen_key| y:=(x 1,…,x m )| x:= π i m (y) |x:=encr k (y)| y:=decr k (x)| x:=random |send(x)| x:=receive l| check(x=y) |x:=constant(b)| x:=y |kp:=gen_key_pair| pk:=public_key(kp) |sm:=sign kp (m)| test pk (sm) | m:=get_signed_message(sm) The only cryptographic primitive in original analysis – symmetric encryption Our contribution is adding the digital signature primitive support (commands in bold) to the language.

5 Adversary Adversary is active - it schedules the participants and relays messages between them Can modify, create new, or not deliver sent messages

6 Security definition The protocol is considered secure if the secret message is computationally independent from the adversary’s view.

7 Security against chosen-ciphertext attacks No PPT adversary should be able to distinguish second black box from the first Without querying the second algorithm with the outputs from the first

8 Protocol transformations - encryption During the analysis protocols are transformed Protocols working with the first black box can be replaced to use the second (under certain conditions)

9 Information flow analysis If some participant of the protocol contains a statement of the form x:=E(x 1,…,x n ) there is an information flow from the variable x i to the variable x. The protocol is deemed secure if M  * y holds for no y affecting the adversary’s view. The protocol transformation described above breaks some of those links.

10 Unforgeability under adaptive chosen message attack The property we require signature scheme to satisfy Adversary making queries to the signature oracle should not be able to create a valid signature for the message that has not previously been signed by it

11 Protocol transformations – digital signature Signature operations are replaced with checking whether the signed message being tested belongs to the set of the actually signed messages.

12 Running example Transmit the public key and signature from A to B A generates KP A A  : public_key(KP A ) A  B : enc(K AB : public_key(KP A )) A  B : enc(K AB :sign(KP A :M)) B verifies the signature B  : OK K AB is a long-term key shared between A and B.

13 Data dependencies

14 Control dependencies

15 Criterion for security No path from M to any S i   The system is secure

16 Security does not follow

17 Encryptions replaced

18 Security still does not follow

19 Case handling – Case 1

20 Case 1 - Replacing the signature test

21 Case 1 – in statement handling.

22 Case 1 – check statement handling Sub-protocol is secure (result of check can be statically determined)

23 Case 2 Sub-protocol is secure (test statement always fails)

24 Conclusions and future work Conclusions –The presented technique can be used in automated analysis of the cryptographic protocols –Technique is published in Nordsec 2005 proceedings, p 29-41. Future work –Implementation of the automated analyser –Introducing the support for other cryptographic primitives

Download ppt "Digital signature in automatic analyses for confidentiality against active adversaries Ilja Tšahhirov, Peeter Laud."

Similar presentations

Chapter 3 Public Key Cryptography and Message authentication.

Chapter 3 Public Key Cryptography and Message authentication.
Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Hybrid Signcryption with Insider Security Alexander W. Dent.

Hybrid Signcryption with Insider Security Alexander W. Dent.
Security Definitions in Computational Cryptography

Security Definitions in Computational Cryptography
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.

The Physically Observable Security of Signature Schemes Alexander W. Dent Joint work with John Malone-Lee University of Bristol.
Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.

Certificateless encryption and its infrastructures Dr. Alexander W. Dent Information Security Group Royal Holloway, University of London.
CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 7 Jonathan Katz.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.

1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Overview of Cryptography Anupam Datta CMU Fall 2007-08 18739A: Foundations of Security and Privacy.

Overview of Cryptography Anupam Datta CMU Fall A: Foundations of Security and Privacy.
Analysis of Key Agreement Protocols Brita Vesterås Supervisor: Chik How Tan.

Analysis of Key Agreement Protocols Brita Vesterås Supervisor: Chik How Tan.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Similar presentations

Ads by Google