# Automated Verification of Selected Equivalences for Security Protocols

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Automated Verification of Selected Equivalences for Security Protocols Bruno Blanchet CNRS, École Normale Supérieure, Paris Martín Abadi University of California, Santa Cruz Cédric Fournet Microsoft Research, Cambridge June 2005

2 Introduction Analysis of cryptographic protocols: Powerful automatic tools for proving properties on behaviors (traces) of protocols (secrecy of keys, correspondences). Many important properties can be formalized as process equivalences, not as properties on behaviors: secrecy of a boolean x in P (x): P (true) P (false) the process P implements an ideal specification Q: P Q Equivalences are usually proved by difficult, long manual proofs. Already much research on this topic, using in particular sophisticated bisimulation techniques (e.g., Boreale et al). 1

3 Equivalences as properties of behaviors (1) Goal: extend tools designed for proving properties of behaviors (here ProVerif) to the proof of process equivalences. We focus on equivalences between processes that differ only by the terms they contain, e.g., P (true) P (false). Many interesting equivalences fall into this category. We introduce biprocesses to represent pairs of processes that differ only by the terms they contain. P (true) and P (false) are variants of a biprocess P (diff[true, false]). The variants give a different interpretation to diff[true, false], true for the first variant, false for the second one. 2

4 Equivalences as properties of behaviors (2) We introduce a new operational semantics for biprocesses: A biprocess reduces when both variants reduce in the same way and after reduction, they still differ only by terms (so can be written using diff). We establish P (true) P (false) by reasoning on behaviors of P (diff[true, false]): If, for all reachable configurations, both variants reduce in the same way, then we have equivalence. 3

5 Overview of the verification method Protocol: biprocess Pi calculus + cryptography Signature: Rewrite rules + equations Automatic translator Automatic translator Rewrite rules Horn clauses Resolution with selection bad is not derivable Equivalence is true bad is derivable Equivalence may be false 4

6 The process calculus Extension of the pi-calculus with function symbols for cryptographic primitives. M, N ::= terms x, y, z variable a, b, c, k, s name f(m 1,..., M n ) constructor application D ::= M eval h(d 1,..., D n ) term evaluations term function evaluation P, Q, R ::= processes M(x).P input M N.P output let x = D in P else Q term evaluation 0 P Q!P (νa)p 5

7 Representation of cryptographic primitives Two possible representations: When success/failure is visible: destructors with rewrite rules constructor sencrypt destructor sdecrypt(sencrypt(x, y), y) x The else clause of the term evaluation is executed when no rewrite rule of some destructor applies. When success/failure is not visible: equations sdecrypt(sencrypt(x, y), y) = x sencrypt(sdecrypt(x, y), y) = x The treatment of equations is one the main contributions of this work. 6

8 Semantics D M when the term evaluation D evaluates to M. Uses rewrite rules of destructors and equations. transforms processes so that reduction rules can be applied. Main reduction rules: N M.Q N (x).p Q P {M/x} if Σ N = N (Red I/O) let x = D in P else Q P {M/x} (Red Fun 1) if D M let x = D in P else Q Q (Red Fun 2) if there is no M such that D M 7

9 Observational equivalences and biprocesses Two processes P and Q are observationally equivalent (P Q) when the adversary cannot distinguish them. A biprocess P is a process with diff. fst(p ) = the process obtained by replacing diff[m, M ] with M. snd(p ) = the process obtained by replacing diff[m, M ] with M. P satisfies observational equivalence when fst(p ) snd(p ). 8

10 Semantics of biprocesses A biprocess reduces when both variants of the process reduce in the same way. N M.Q N (x).p Q P {M/x} if Σ fst(n) = fst(n ) and Σ snd(n) = snd(n ) (Red I/O) let x = D in P else Q P {diff[m 1, M 2 ]/x} (Red Fun 1) if fst(d) M 1 and snd(d) M 2 let x = D in P else Q Q (Red Fun 2) if there is no M 1 such that fst(d) M 1 and there is no M 2 such that snd(d) M 2 P fst(p ) snd(p ) Q fst(q) snd(q) 9

11 Proof of observational equivalence using biprocesses Let P 0 be a closed biprocess. If for all configurations P reachable from P 0 (in the presence of an adversary), both variants of P reduce in the same way, then P 0 satisfies observational equivalence. An adversary is represented by a plain evaluation context (evaluation context without diff), so: If, for all plain evaluation contexts C and reductions C[P 0 ] P, both variants of P reduce in the same way, then P 0 satisfies observational equivalence. 10

12 Formalizing the adversary Let P 0 be a closed biprocess. If for all configurations P reachable from P 0 (in the presence of an adversary), both variants of P reduce in the same way, then P 0 satisfies observational equivalence. An adversary is represented by a plain evaluation context (evaluation context without diff), so: If, for all plain evaluation contexts C and reductions C[P 0 ] P, both variants of P reduce in the same way, then P 0 satisfies observational equivalence. 10-a

13 Formalizing reduce in the same way The biprocess P is uniform when fst(p ) Q 1 implies P Q for some biprocess Q with fst(q) Q 1, and symmetrically for snd(p ) Q 2. P Q P Q fst(q) fst(p ) Q 1 snd(p ) snd(q) Q 2 If, for all plain evaluation contexts C and reductions C[P 0 ] P, the biprocess P is uniform, then P 0 satisfies observational equivalence. 11

14 Result Let P 0 be a closed biprocess. Suppose that, for all plain evaluation contexts C, all evaluation contexts C, and all reductions C[P 0 ] P, 1. the (Red I/O) rules apply in the same way on both variants. if P C [N M.Q N (x).r], then Σ fst(n) = fst(n ) if and only if Σ snd(n) = snd(n ), 2. the (Red Fun) rules apply in the same way on both variants. if P C [let x = D in Q else R], then there exists M 1 such that fst(d) M 1 if and only if there exists M 2 such that snd(d) M 2. Then P 0 satisfies observational equivalence. 12

15 Example: Non-deterministic encryption Non-deterministic public-key encryption is modeled by an equation: dec(enc(x, pk(s), a), s) = x Without knowledge of the decryption key, ciphertexts appear to be unrelated to the plaintexts. Ciphertexts are indistinguishable from fresh names: (νs)(c pk(s)!c (x).(νa)c diff[enc(x, pk(s), a), a] ) satisfies equivalence. This equivalence can be proved using the previous result, and verified automatically by ProVerif. 13

16 Treatment of equations We automatically transform equations into rewrite rules, much easier to handle (and already handled in ProVerif), e.g., transform g^x^y = g^y^x to g^x^y g^y^x. We have shown that, for each trace with equations, there is a corresponding trace with rewrite rules, and conversely. Then we obtain a result for proving equivalences using rewrite rules instead of equations. (See formal details in the paper.) 14

17 Translation into clauses As in our previous work, we translate the protocol and the adversary into a set of Horn clauses. The predicates differ in order to translate behaviors of biprocesses instead of processes: F ::= facts att (p, p ) the attacker has p (resp. p ) msg (p 1, p 2, p 1, p 2 ) message p 2 is sent on channel p 1 (resp. p 2 on p 1 ) input (p, p ) input on p (resp. p ) nounif(p, p ) p and p do not unify modulo Σ bad the property may be false Magenta arguments for the first version of the biprocess, blue ones for the second version. 15

18 Example: some generated clauses The biprocess of the non-deterministic encryption example: (νs)(c pk(s)!c (x).(νa)c diff[enc(x, pk(s), a), a] ) yields the clauses: msg (c, pk(s), c, pk(s)) msg (c, x, c, x ) msg (c, enc(x, pk(s), a[i, x]), c, a[i, x ]) The first clause corresponds to the output of the public key pk(s). The second clause corresponds to the other output. 16

19 Resolution algorithm Theorem 1 If bad is not a logical consequence of the clauses, then P 0 satisfies observational equivalence. We determine whether bad is a logical consequence of the clauses using a resolution-based algorithm. This algorithm uses domain-specific simplification steps (for predicate nounif in particular, using unification modulo the equational theory of Σ). 17

20 Applications Weak secrets: We can express that a password is protected against off-line guessing attacks by an equivalence, and prove it using our technique (done for 4 versions of EKE). Authenticity: We can formalize authenticity as an equivalence and prove it (for the Wide-Mouth Frog protocol). JFK: We can show that the encrypted messages of JFK are equivalent to fresh names, with our technique plus the property that observational equivalence is contextual. Total runtime: 45 s on a Pentium M 1.8 GHz. 18

21 Conclusion Contributions: Fully automatic proof of some process equivalences. Treatment of cryptographic primitives represented by equations. Implementation and more information at 19

### Formal Analysis of Authentication in Bluetooth Device Pairing

Formal Analysis of Authentication in Bluetooth Device Pairing Richard Chang and Vitaly Shmatikov The University of Texas at Austin Abstract. Bluetooth is a popular standard for short-range wireless communications.

### Le vote électronique : un défi pour la vérification formelle

Le vote électronique : un défi pour la vérification formelle Steve Kremer Loria, Inria Nancy 1 / 17 Electronic voting Elections are a security-sensitive process which is the cornerstone of modern democracy

### How to Formally Model Features of Network Security Protocols

, pp.423-432 http://dx.doi.org/10.14257/ijsia How to Formally Model Features of Network Security Protocols Gyesik Lee Dept. of Computer & Web Information Engineering Hankyong National University Anseong-si,

### How to prove security of communication protocols?

1/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees How to prove security of communication protocols? Véronique Cortier, LORIA - CNRS, Nancy Colloquium Morgenstern,

### Crypto-Verifying Protocol Implementations in ML

Crypto-Verifying Protocol Implementations in ML Karthikeyan Bhargavan 1,2 Ricardo Corin 1,3 Cédric Fournet 1,2 1 MSR-INRIA Joint Centre 2 Microsoft Research 3 University of Twente June 2007 Abstract We

### Computer-Assisted Verification of a Protocol for Certified Email

Computer-Assisted Verification of a Protocol for Certified Email Martín Abadi Computer Science Department University of California, Santa Cruz abadi@cs.ucsc.edu Bruno Blanchet CNRS, École Normale Supérieure,

### Computational Soundness of Symbolic Security and Implicit Complexity

Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview

### An Overview of Common Adversary Models

An Overview of Common Adversary Karl Palmskog palmskog@kth.se 2012-03-29 Introduction Requirements of Software Systems 1 Functional Correctness: partial, termination, liveness, safety,... 2 Nonfunctional

### Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage

Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage Bruno Blanchet CNRS, École Normale Supérieure, INRIA blanchet@di.ens.fr Avik Chaudhuri University of California at Santa

### Security Protocols: Principles and Calculi Tutorial Notes

Security Protocols: Principles and Calculi Tutorial Notes Martín Abadi Microsoft Research and University of California, Santa Cruz Abstract. This paper is a basic introduction to some of the main themes

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015

Network Security CS 5490/6490 Fall 2015 Lecture Notes 8/26/2015 Chapter 2: Introduction to Cryptography What is cryptography? It is a process/art of mangling information in such a way so as to make it

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Formal Modelling of Network Security Properties (Extended Abstract)

Vol.29 (SecTech 2013), pp.25-29 http://dx.doi.org/10.14257/astl.2013.29.05 Formal Modelling of Network Security Properties (Extended Abstract) Gyesik Lee Hankyong National University, Dept. of Computer

### 159.334 Computer Networks. Network Security 1. Professor Richard Harris School of Engineering and Advanced Technology

Network Security 1 Professor Richard Harris School of Engineering and Advanced Technology Presentation Outline Overview of Identification and Authentication The importance of identification and Authentication

### Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

### Secure Reactive Systems

Michael Backes Saarland University, Germany joint work with Birgit Pfitzmann and Michael Waidner Secure Reactive Systems Lecture at Tartu U, 02/27/06 Building Systems on Open Networks E-Government Hospital

### Universally Composable Symbolic Analysis of Diffie-Hellman based Key Exchange

Universally Composable Symbolic Analysis of Diffie-Hellman based Key Exchange Ran Canetti and Sebastian Gajek School of Computer Science Tel Aviv University, Israel May 20, 2010 Abstract Canetti and Herzog

### Electronic Voting Protocol Analysis with the Inductive Method

Electronic Voting Protocol Analysis with the Inductive Method Introduction E-voting use is spreading quickly in the EU and elsewhere Sensitive, need for formal guarantees Inductive Method: protocol verification

### Cryptography and Network Security: Summary

Cryptography and Network Security: Summary Timo Karvi 12.2013 Timo Karvi () Cryptography and Network Security: Summary 12.2013 1 / 17 Summary of the Requirements for the exam The advices are valid for

### Privacy through Pseudonymity in Mobile Telephony Systems

Privacy through Pseudonymity in Mobile Telephony Systems Eike Ritter University of Birmingham Joint work with Myrto Arapinis, Loretta Mancini and Mark Ryan Eike Ritter Privacy in Mobile Telephony Systems

### Paillier Threshold Encryption Toolbox

Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created

### Inductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting

Inductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting Denis Butin 1 / 37 2 / 37 Introduction Network communication sensitive: banking, private correspondence,

### 1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

### Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

1 Common security requirements Basic security tools Secret-key cryptography Public-key cryptography Example Online shopping with Amazon 2 Alice credit card # is xxxx Internet What could the hacker possibly

### Authenticity by Typing for Security Protocols

Authenticity by Typing for Security Protocols Andrew D. Gordon Microsoft Research Alan Jeffrey DePaul University June 2002 Technical Report To appear in the Journal of Computer Security Microsoft Research

### Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

### Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre

Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### Lecture 6 - Cryptography

Lecture 6 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07 Question 2 Setup: Assume you and I don t know anything about

### Analysis of a Biometric Authentication Protocol for Signature Creation Application

Analysis of a Biometric Authentication Protocol for Signature Creation Application A. Salaiwarakul and M.D.Ryan School of Computer Science, University of Birmingham, UK {A.Salaiwarakul, M.D.Ryan}@cs.bham.ac.uk

### Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

### KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting Alice M D sk[a] (C) Bob pk[a] C C \$ E pk[a] (M) σ \$ S sk[a] (M) M, σ Vpk[A] (M, σ) Bob can: send encrypted data

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### Authentication and Encryption: How to order them? Motivation

Authentication and Encryption: How to order them? Debdeep Muhopadhyay IIT Kharagpur Motivation Wide spread use of internet requires establishment of a secure channel. Typical implementations operate in

### Security Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012

Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database

### Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

### Solutions to Problem Set 1

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Handout #8 Zheng Ma February 21, 2005 Solutions to Problem Set 1 Problem 1: Cracking the Hill cipher Suppose

### MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

### 1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

### SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS

SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS Abstract: The Single sign-on (SSO) is a new authentication mechanism that enables a legal user with a single credential

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT

Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code

### CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC

### Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

MACs Message authentication and integrity Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction MACs Constructing Secure MACs Secure communication and

### Verified Implementations of the Information Card Federated Identity-Management Protocol

Verified Implementations of the Information Card Federated Identity-Management Protocol Karthikeyan Bhargavan Cédric Fournet Andrew D. Gordon Nikhil Swamy Microsoft Research University of Maryland, College

### Software Tool for Implementing RSA Algorithm

Software Tool for Implementing RSA Algorithm Adriana Borodzhieva, Plamen Manoilov Rousse University Angel Kanchev, Rousse, Bulgaria Abstract: RSA is one of the most-common used algorithms for public-key

### 9 Modular Exponentiation and Cryptography

9 Modular Exponentiation and Cryptography 9.1 Modular Exponentiation Modular arithmetic is used in cryptography. In particular, modular exponentiation is the cornerstone of what is called the RSA system.

### CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

### Formally-based semi-automatic implementation of an open security protocol

Formally-based semi-automatic implementation of an open security protocol Alfredo Pironti a, Davide Pozza a, Riccardo Sisto a, a Politecnico di Torino, Dip. di Automatica e Informatica C.so Duca degli

### Secure Deduplication of Encrypted Data without Additional Independent Servers

Secure Deduplication of Encrypted Data without Additional Independent Servers Jian Liu Aalto University jian.liu@aalto.fi N. Asokan Aalto University and University of Helsinki asokan@acm.org Benny Pinkas

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### OOo Digital Signatures. Malte Timmermann Technical Architect Sun Microsystems GmbH

OOo Digital Signatures Malte Timmermann Technical Architect Sun Microsystems GmbH About the Speaker Technical Architect in OpenOffice.org/StarOffice development OOo/StarOffice developer since 1991/94 Main

### Message Authentication Code

Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

### Secure Sessions for Web Services

Secure Sessions for Web Services Karthikeyan Bhargavan Microsoft Research and Ricardo Corin University of Twente and Cédric Fournet Microsoft Research and Andrew D. Gordon Microsoft Research We address

### Analyzing Security Protocols with Secrecy Types and Logic Programs

Analyzing Security Protocols with Secrecy Types and Logic Programs MARTÍN ABADI University of California, Santa Cruz and BRUNO BLANCHET CNRS, École Normale Supérieure, Paris We study and further develop

### Formal Methods in Security Protocols Analysis

Formal Methods in Security Protocols Analysis Li Zhiwei Aidong Lu Weichao Wang Department of Computer Science Department of Software and Information Systems University of North Carolina at Charlotte Big

### Authentication Protocols Using Hoover-Kausik s Software Token *

JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 22, 691-699 (2006) Short Paper Authentication Protocols Using Hoover-Kausik s Software Token * WEI-CHI KU AND HUI-LUNG LEE + Department of Computer Science

### Cryptography. Identity-based Encryption. Jean-Sébastien Coron and David Galindo. May 15, 2014. Université du Luxembourg

Identity-based Encryption Université du Luxembourg May 15, 2014 Summary Identity-Based Encryption (IBE) What is Identity-Based Encryption? Difference with conventional PK cryptography. Applications of

### Client Server Registration Protocol

Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

### Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret

### ZQL. a cryptographic compiler for processing private data. George Danezis. Joint work with Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo

ZQL Work in progress a cryptographic compiler for processing private data George Danezis Joint work with Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo Microsoft Research and Joint INRIA-MSR Centre Data

### Entrust Managed Services PKI. Getting started with digital certificates and Entrust Managed Services PKI. Document issue: 1.0

Entrust Managed Services PKI Getting started with digital certificates and Entrust Managed Services PKI Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust

### Modeling and verification of security protocols

Modeling and verification of security protocols Part I: Basics of cryptography and introduction to security protocols Dresden University of Technology Martin Pitt martin@piware.de Paper and slides available

### Principles of Network Security

he Network Security Model Bob and lice want to communicate securely. rudy (the adversary) has access to the channel. lice channel data, control s Bob Kai Shen data secure sender secure receiver data rudy

### Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

### Message Authentication Codes

2 MAC Message Authentication Codes : and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l08, Steve/Courses/2013/s2/css322/lectures/mac.tex,

### Chapter 11. Asymmetric Encryption. 11.1 Asymmetric encryption schemes

Chapter 11 Asymmetric Encryption The setting of public-key cryptography is also called the asymmetric setting due to the asymmetry in key information held by the parties. Namely one party has a secret

### Network Security (2) CPSC 441 Department of Computer Science University of Calgary

Network Security (2) CPSC 441 Department of Computer Science University of Calgary 1 Friends and enemies: Alice, Bob, Trudy well-known in network security world Bob, Alice (lovers!) want to communicate

### SCADA System Security, Complexity, and Security Proof

SCADA System Security, Complexity, and Security Proof Reda Shbib, Shikun Zhou, Khalil Alkadhimi School of Engineering, University of Portsmouth, Portsmouth, UK {reda.shbib,shikun.zhou,khalil.alkadhimi}@port.ac.uk

### Public Key Cryptography: RSA and Lots of Number Theory

Public Key Cryptography: RSA and Lots of Number Theory Public vs. Private-Key Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver

### Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks

Identity-based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks Tsz Hon Yuen - Huawei, Singapore Ye Zhang - Pennsylvania State University, USA Siu Ming

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?)

The Order of Encryption and Authentication for Protecting Communications (Or: How Secure is SSL?) Hugo Krawczyk Abstract. We study the question of how to generically compose symmetric encryption and authentication

### Verifying security protocols using theorem provers

1562 2007 79-86 79 Verifying security protocols using theorem provers Miki Tanaka National Institute of Information and Communications Technology Koganei, Tokyo 184-8795, Japan Email: miki.tanaka@nict.go.jp

### YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 1 (rev. 1) Professor M. J. Fischer September 3, 2008 1 Course Overview Lecture Notes 1 This course is

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### SECURITY IN NETWORKS

SECURITY IN NETWORKS GOALS Understand principles of network security: Cryptography and its many uses beyond confidentiality Authentication Message integrity Security in practice: Security in application,

### Schnorr Signcryption. Combining public key encryption with Schnorr digital signature. Laura Savu, University of Bucharest, Romania

Schnorr Signcryption Combining public key encryption with Schnorr digital signature Laura Savu, University of Bucharest, Romania IT Security for the Next Generation European Cup, Prague 17-19 February,

### Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Network Security 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室 Security Attacks Normal flow: sender receiver Interruption: Information source Information destination

### SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION September 2010 (reviewed September 2014) ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK NETWORK SECURITY

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

### 1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

### Secure Network Communications FIPS 140 2 Non Proprietary Security Policy

Secure Network Communications FIPS 140 2 Non Proprietary Security Policy 21 June 2010 Table of Contents Introduction Module Specification Ports and Interfaces Approved Algorithms Test Environment Roles

### CS 4803 Computer and Network Security

pk CA User ID U, pk U CS 4803 Computer and Network Security Verifies the ID, picks a random challenge R (e.g. a message to sign) R I want pk U Alexandra (Sasha) Boldyreva PKI, secret key sharing, implementation

### Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 13

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 13 Some More Secure Channel Issues Outline In the course we have yet only seen catastrophic

Adversary Modelling 1 Evaluating the Feasibility of a Symbolic Adversary Model on Smart Transport Ticketing Systems Authors Arthur Sheung Chi Chan, MSc (Royal Holloway, 2014) Keith Mayes, ISG, Royal Holloway

### The Open-source Fixed-point Model Checker for Symbolic Analysis of Security Protocols

The Open-source Fixed-point Model Checker for Symbolic Analysis of Security Protocols Sebastian Mödersheim 1 Luca Viganò 2 1 IBM Zurich Research Laboratory, Switzerland, smo@zurich.ibm.com 2 Department

### SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,

### Technical report: SeVe implementation

Technical report: SeVe implementation Luu Anh Tuan 1, Jun Sun 2, Yang Liu 1, and Jin Song Dong 1 1 School of Computing, National University of Singapore {tuanluu,liuyang,dongjs}@comp.nus.edu.sg 2 Singapore

### CryptoVerif Tutorial

CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUF-CMA

### Multi-Input Functional Encryption for Unbounded Arity Functions

Multi-Input Functional Encryption for Unbounded Arity Functions Saikrishna Badrinarayanan, Divya Gupta, Abhishek Jain, and Amit Sahai Abstract. The notion of multi-input functional encryption (MI-FE) was

### Verifiable Outsourced Computations Outsourcing Computations to Untrusted Servers

Outsourcing Computations to Untrusted Servers Security of Symmetric Ciphers in Network Protocols ICMS, May 26, 2015, Edinburgh Problem Motivation Problem Motivation Problem Motivation Problem Motivation

### Chapter 7: Network security

Chapter 7: Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer: secure e-mail transport

### Application Layer (1)

Application Layer (1) Functionality: providing applications (e-mail, www, USENET etc) providing support protocols to allow the real applications to function properly security comprising a large number

### Public Key Cryptography and RSA. Review: Number Theory Basics

Public Key Cryptography and RSA Murat Kantarcioglu Based on Prof. Ninghui Li s Slides Review: Number Theory Basics Definition An integer n > 1 is called a prime number if its positive divisors are 1 and

### Introduction to Computer Security

Introduction to Computer Security Hash Functions and Digital Signatures Pavel Laskov Wilhelm Schickard Institute for Computer Science Integrity objective in a wide sense Reliability Transmission errors