1 TOWARDS A HIERARCHY OF CRYPTOGRAPHIC PROTOCOL MODELS Catherine Meadows, NRL Joint work with Chris Lynch, Clarkson/NRL.


2 WHAT’S THE PROBLEM?
- Formal analysis of cryptographic protocols based upon sand
  - We use discrete methods to analyze systems that use algorithms whose security is based on probability and complexity theory
  - Results are good for finding bugs, but any “proof” of security limited
- Emerging trend in research
  - Security models amenable to discrete analysis that can be proven sound with respect to more detailed cryptographic models
    » Abadi-Rogaway
    » Backes-Pfitzmann
- Perhaps there is also a middle ground
  - Intermediate points at which one proves that a less detailed model is sound with respect to a more complex and detailed model
  - Leads to a hierarchy of cryptographic models

3 HOW OUR WORK GOT STARTED
- Arose out of two things:
  - Desire to have equational unification rules for different theories to use with NRL Protocol Analyzer
  - An argument with Jon Millen as to whether this was even necessary
    » I favored cancellation rules, and had examples of protocols where they were necessary
    » Jon favored free algebras, as being more efficient, and adequate in most cases
- Jon subsequently proved a result giving conditions under which free algebra model sound with respect to cancellation model for shared key case
  - Left public key case an open question
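The difference between the two positions on this slide, as an added example (not from the slides and not NRL Protocol Analyzer code): terms are compared syntactically in a free algebra, and by normal form under an assumed two-rule shared-key cancellation theory. The tuple encoding, function names and sample terms are constructed for illustration.

```python
# Terms are atoms (strings) or tuples ("enc" | "dec", key, body).
# Assumed shared-key cancellation rules (an assumption, not quoted from the slides):
#   dec(k, enc(k, x)) -> x        enc(k, dec(k, x)) -> x

def normalize(term):
    """Rewrite a term bottom-up to its normal form under the cancellation rules."""
    if isinstance(term, str):
        return term
    op, key, body = term
    key, body = normalize(key), normalize(body)
    inverse = {"enc": "dec", "dec": "enc"}[op]
    # The body is already normal, so a single check at the root is enough.
    if isinstance(body, tuple) and body[0] == inverse and body[1] == key:
        return body[2]
    return (op, key, body)

def equal_free(a, b):
    """Free algebra: two terms are equal only if they are syntactically identical."""
    return a == b

def equal_cancellation(a, b):
    """Cancellation model: two terms are equal if their normal forms coincide."""
    return normalize(a) == normalize(b)

def distinguishing_pairs(terms):
    """Pairs the free algebra keeps apart but the cancellation model identifies."""
    return [(a, b) for i, a in enumerate(terms) for b in terms[i + 1:]
            if equal_cancellation(a, b) and not equal_free(a, b)]

# Constructed sample terms: k and k2 are keys, m is a message.
SAMPLE = [
    "m",
    ("dec", "k", ("enc", "k", "m")),      # ordinary decryption
    ("enc", "k", ("dec", "k", "m")),      # encrypting the "decryption" of a plaintext
    ("enc", "k", ("dec", "k2", "m")),     # key mismatch: no rule applies
    ("dec", "k", ("enc", "k", ("enc", "k", ("dec", "k", "m")))),  # nested redexes
]

if __name__ == "__main__":
    for a, b in distinguishing_pairs(SAMPLE):
        print(a, "==", b, "only modulo cancellation")
```

Every pair reported is an equality that an analysis in the free algebra cannot see, which is why a soundness result is needed before the cheaper model can be trusted.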

4 WHAT’S NEXT?
- Other Cryptosystems
  - Diffie-Hellman
    » Know how to model a non-commutative version of DH
    » When is it safe to use?
    » Have some conjectures on this, and are working on them
  - Extended Diffie-Hellman
    » Multiple exponentiations
    » What can we abstract away from here?
  - Specific public or shared key cryptosystems
    » Exclusive-or
    » RSA - has homomorphic properties
- Other models
  - NRL Protocol Analyzer model similar to Millen’s but perhaps more expressive, even when uses same cancellation rules
- Soundness with respect to other properties than secrecy
  - Millen’s results apply to authentication properties too, but not clear which ones
- Efficient equational unification rules
  - For use when protocol does not satisfy restrictions

5 WHAT WILL WE DO WITH THIS?
- Wind up with Hierarchy of models
  - Collections of theorems saying that, if specification handles certain properties, then, for a certain class of statements, model X is sound with respect to model Y
- When verifying a protocol, pick the most abstract model that it is safe to use
[Diagram labels: Canc. rules, Free algebra, Crypto model]

6 SUGGESTIONS FOR OTHER COMPONENTS OF HIERARCHY
- Representing system failures
  - Compromise of old session keys
  - Compromise of master keys
  - Failure of servers
  - These are often ignored in formal analysis of crypto protocols
    » Are there cases where safe to do so?
- Ambiguous Messages
  - Attacks involving passing off message of one type as message of another
  - Heather, Schneider, Lowe show how in certain circumstances possible to guarantee security against typing attacks if unambiguous formatting is used
  - How does this fit in the model hierarchy?
- Cryptographic models
  - Will they always be in the bottom of the hierarchy?
- Physical models
  - Power attacks, etc.

7 SOME OTHER QUESTIONS
- What will conditions on specifications be?
  - For the work we’ve been doing, it’s easy-to-check syntactic conditions
  - Same for Heather-Lowe-Schneider
  - What about lower level of granularity?
- What about conditions on properties we’re checking?
  - Much work in this area concentrates on secrecy alone
  - For Millen’s and our results, it’s absence of certain subsequence of traces
    » Other properties (authentication properties) can be formulated as conditions on presence of subsequences
      – If X happened, then Y happened before it
  - Are there general classes of properties it will make sense to look at?
- What levels of granularity make sense?
  - How low should we go?
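The two kinds of trace property named on this slide, as an added example (not from the slides): an absence check for a forbidden subsequence and a precedence check of the form "if X happened, then Y happened before it". Event names, the (name, session) encoding and both sample traces are constructed for illustration.

```python
# An event is a (name, session) tuple; a trace is the ordered list of events.

def contains_subsequence(trace, pattern):
    """True if the events of `pattern` occur in `trace` in order (gaps allowed)."""
    remaining = iter(trace)
    # `event in remaining` consumes the iterator up to the match, preserving order.
    return all(event in remaining for event in pattern)

def holds_absence(trace, forbidden):
    """Absence property: the forbidden subsequence never occurs in the trace."""
    return not contains_subsequence(trace, forbidden)

def holds_precedence(trace, x, y):
    """Presence property: every occurrence of x has some occurrence of y before it."""
    seen_y = False
    for event in trace:
        if event == x and not seen_y:
            return False
        if event == y:
            seen_y = True
    return True

def holds_precedence_per_session(trace, x_name, y_name):
    """Apply the precedence property separately to each session in which x occurs."""
    sessions = {session for name, session in trace if name == x_name}
    return all(holds_precedence(trace, (x_name, s), (y_name, s)) for s in sessions)

# Constructed traces with hypothetical event names.
GOOD = [("request", 1), ("generate_key", 1), ("accept", 1),
        ("request", 2), ("accept", 2)]
BAD = [("request", 1), ("accept", 1),
       ("accept", 2),                        # accepted without a matching request
       ("generate_key", 2), ("intruder_learns_key", 2)]

def leak(session):
    """Forbidden subsequence for secrecy: a key is generated and later learned."""
    return [("generate_key", session), ("intruder_learns_key", session)]

if __name__ == "__main__":
    for label, trace in (("GOOD", GOOD), ("BAD", BAD)):
        print(label,
              "secrecy:", all(holds_absence(trace, leak(s)) for s in (1, 2)),
              "authentication:", holds_precedence_per_session(trace, "accept", "request"))
```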