Formally (?) Deriving Security Protocols Anupam Datta WIP with Ante Derek, John Mitchell, Dusko Pavlovic October 23, 2002.


Goals: Build security protocols in a compositional manner, i.e., from standard sub-protocols. Prove formally using logic that the composition process is sound, i.e., the resulting protocol is correct in a precise sense.

Idea: Capture protocol designers’ intuition in a formal framework.

Example 1: Diffie-Hellman

X → Y: g^x
Y → X: g^y

Property 1 (Secrecy): X deduces Knows(Z, g^xy) ⊃ Knows(Z, y)

Example 2: Challenge Response

A → B: m, A
B → A: n, sig_B{n, m, A}
A → B: sig_A{m, n, B}

Property 2 (Mutual Authentication): A deduces Created(B, n) ∧ Sent(B, msg2)

Composition: ISO protocol

A → B: g^a, A
B → A: g^b, sig_B{g^b, g^a, A}
A → B: sig_A{g^a, g^b, B}

Has both Property 1 & Property 2. It can be inferred that A & B have a shared secret, g^ab.

Refinement: Encrypt signatures (find-and-replace)

A → B: g^a, A
B → A: g^b, E_K{sig_B{g^b, g^a, A}}
A → B: E_K{sig_A{g^a, g^b, B}}

Has Property 1 & Property 2. Also Property 3: Identity protection.
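The composition and refinement slides above both describe purely syntactic rewrites of the message terms. The following added example (not part of the original slides) models the messages as small term trees and applies the two rewrites in sequence; the function names and the tree encoding are this example's own assumptions, and the code only reproduces the message syntax, it does not prove Properties 1 to 3.

```python
# Added illustration (not from the slides): protocol terms as small trees.
# Tuples are constructors (tag, arg1, arg2); lists are concatenated fields.
def exp(base, e): return ("exp", base, e)
def sig(signer, fields): return ("sig", signer, fields)
def enc(key, term): return ("enc", key, term)

# Challenge-response as on the slide: (sender, receiver, payload).
CHALLENGE_RESPONSE = [
    ("A", "B", ["m", "A"]),
    ("B", "A", ["n", sig("B", ["n", "m", "A"])]),
    ("A", "B", [sig("A", ["m", "n", "B"])]),
]

def rewrite(t, rule):
    """Apply `rule` to every subterm, children first."""
    if isinstance(t, (list, tuple)):
        t = type(t)(rewrite(x, rule) for x in t)
    return rule(t)

def derive(protocol, rule):
    return [(s, r, rewrite(p, rule)) for s, r, p in protocol]

# Composition: substitute Diffie-Hellman exponentials for the nonces m and n.
NONCE_TO_DH = {"m": exp("g", "a"), "n": exp("g", "b")}
def compose(t):
    return NONCE_TO_DH.get(t, t) if isinstance(t, str) else t

# Refinement: find every signature and replace it by its encryption under K.
def refine(t):
    return enc("K", t) if isinstance(t, tuple) and t[0] == "sig" else t

def show(t):
    if isinstance(t, str): return t
    if isinstance(t, list): return ", ".join(show(x) for x in t)
    tag, a, b = t
    if tag == "exp": return f"{show(a)}^{show(b)}"
    if tag == "sig": return f"sig_{a}{{{show(b)}}}"
    return f"E_{a}{{{show(b)}}}"

def render(protocol):
    return [f"{s} -> {r}: {show(p)}" for s, r, p in protocol]

def exposed_sigs(t):
    """Count signatures that appear outside any encryption."""
    if isinstance(t, list): return sum(exposed_sigs(x) for x in t)
    return 1 if isinstance(t, tuple) and t[0] == "sig" else 0

ISO = derive(CHALLENGE_RESPONSE, compose)   # challenge-response + DH
REFINED = derive(ISO, refine)               # ISO with encrypted signatures
if __name__ == "__main__":
    print("\n".join(render(ISO) + render(REFINED)))
```

`exposed_sigs` is a syntactic check only: it shows that after the refinement no signature, and hence no signer identity bound to it, is sent outside E_K.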

Other applications… By applying a series of other such simple syntactic rules, we derive the JFK protocol (proposed protocol to replace IKE as the IPSec key exchange protocol). Technical Report:

Formalization

Notation: Cord Calculus and Compositional Logic [Durgin, Mitchell, Pavlovic; 2001]

Motivation: The “arrows and messages” representation is inadequate. A more descriptive language is needed for describing the actions of the protocol participants.

Actions:
(νx): generate new term x
(x): receive term into x
send a term t

Challenge-Response revisited

A : ( ) [(νm) (x) …]_A <>

[Diagram labels: Input interface, Output interface, Actions]

Attach logical assertions to actions: [(νm)]_A Created(A, m)

This assertion is a required precondition to prove mutual authentication.

ISO revisited

A : ( ) [(νx)] ; (m) [(x) …]_A <>

1. Generate new x; compute g^x
2. Substitute g^x for m in the second cord

Created(A, g^x) is a precondition. Mutual authentication can be proved as in challenge-response.

Summary: Security protocols can be built in an incremental manner by combining sub-protocols. Future work: Formal framework for reasoning that the composition process preserves the properties of the original sub-protocols.