How to prove security of communication protocols?


 Jocelin Shelton
 2 years ago
 Views:
Transcription
1 1/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees How to prove security of communication protocols? Véronique Cortier, LORIA  CNRS, Nancy Colloquium Morgenstern, June 20th, 2012 Joint work with Hubert ComonLundh, Stéphanie Delaune, Steve Kremer, Ben Smyth and Bogdan Warinschi.
2 2/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Context : cryptographic protocols Cryptographic protocols are widely used in everyday life. They aim at securing communications over public or insecure networks.
3 3/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Security goals Cryptographic protocols aim at preserving confidentiality of data (e.g. pin code, medical files,...) ensuring authenticity (are you really talking to your bank?) ensuring anonymous communications (for evoting protocols,...) protecting against repudiation (I never sent this message!)
4 4/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Difficulty : there are potential powerful attackers! Presence of an attacker may participate to the protocol. may forge and send messages, may read every message sent on the net, may intercept messages,
5 5/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Attacking Single Sign On Protocol Single Sign On Protocols enables to log in once for several services used e.g. in Google App
6 Attacking Single Sign On Protocol Single Sign On Protocols enables to log in once for several services used e.g. in Google App 5/37 A flaw discovered in 2010, now fixed (Avantssar project) Step 1 An attacker offers an interesting or funny (but malicious) new Google App Step 2 Some clients register to this malicious Application Step 3 The attacker can now access all the other applications of the client, including e.g. Gmail or Google Calendar.
7 /37 Designing protocols is error prone Software testing leaves flaws : Flaw in the authentication protocol used in Google Apps Attack on payperview devices Maninthemiddle attack These flaws rely on the design of the protocols Not on a bad implementation (bugs) Not on weaknesses of the primitives (e.g. encryption, signatures) Not on generic hacking techniques (e.g. worms, code injection)
8 /37 How to analyse security protocols?? = confidentiality authenticity nonrepudiation Methodology 1 Proposing accurate models symbolic models cryptographic/computational models 2 Proving security decision procedures transfer results Running example : electronic voting
9 8/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Example : Electronic voting Elections are a securitysensitive process which is the cornerstone of modern democracy. Electronic voting promises Convenient, efficient and secure facility for recording and tallying votes for a variety of types of elections : from small committees or online communities through to fullscale national elections Already used e.g. in Estonia, Norway, USA, France (from abroad).
10 9/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Two main families for evoting Voting machines Voters have to attend a voting station External authentication system (e.g. ID card) Internet voting Voters vote from home from their own computers Systems in use : Civitas (A. Myers et al), Helios,...
11 10/37 Running example : Helios http ://heliosvoting.org/ Developed by B. Adida et al, already in use : Election at Louvain University Princeton Election of the IACR board (major association in Cryptography)
12 11/37 Helios : a voting protocol for lowcoercion environment The security of Helios relies on the assumption that the voter s computer can be trusted. Not suitable for political elections A corrupted machine may : leak the choice of the voter vote for a different candidate e.g. attack by Laurent Grégoire on the Élection législatives pour les francais de l étranger, using code injection.
13 Helios : a voting protocol for lowcoercion environment The security of Helios relies on the assumption that the voter s computer can be trusted. 1/37 Not suitable for political elections A corrupted machine may : leak the choice of the voter vote for a different candidate e.g. attack by Laurent Grégoire on the Élection législatives pour les francais de l étranger, using code injection. Suitable for medium issue elections : professional elections scientific councils, students representatives, etc. union representatives Should be compared with previous voting systems in use : e.g. attack (ballot stuffing) on the 2011 paper ballots (with barcodes) CNRS election
14 Behavior of Helios (simplified) Phase 1 : voting 1 Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 Phase 2 : Tallying using homomorphic encryption (El Gamal) n n {v i } pk(s) = { v i } pk(s) i=1 i=1 Only the final result needs to be decrypted. 12/37 pk(s) : public key, the private key being shared among trustees.
15 Behavior of Helios (simplified) Phase 1 : voting 1 {v D } pk(s) Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 Phase 2 : Tallying using homomorphic encryption (El Gamal) n n {v i } pk(s) = { v i } pk(s) i=1 i=1 Only the final result needs to be decrypted. 12/37 pk(s) : public key, the private key being shared among trustees.
16 Behavior of Helios (simplified) Phase 1 : voting 1 Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 David {v D } pk(s) v D = 0 or 1 Phase 2 : Tallying using homomorphic encryption (El Gamal) n n {v i } pk(s) = { v i } pk(s) i=1 i=1 Only the final result needs to be decrypted. 12/37 pk(s) : public key, the private key being shared among trustees.
17 Behavior of Helios (simplified) Phase 1 : voting 1 Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 David {v D } pk(s) v D = 0 or Phase 2 : Tallying using homomorphic encryption (El Gamal) n n {v i } pk(s) = { v i } pk(s) based on g a g b = g a+b i=1 i=1 Only the final result needs to be decrypted! 12/37 pk(s) : public key, the private key being shared among trustees.
18 3/37 This is oversimplified! {v D } pk(s) Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 David {v D } pk(s) Result : {v A +v B +v C +v D + } pk(s)
19 13/37 This is oversimplified! {v D } pk(s) Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 David {v D } pk(s) v D = Result : {v A +v B +v C } pk(s) A malicious voter can cheat!
20 13/37 This is oversimplified! {v D } pk(s) Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 David {v D } pk(s) v D = Result : {v A +v B +v C +v D + } pk(s) A malicious voter can cheat! In Helios : use of (Signature of) Proof of Knowledge {v D } pk(s),spk{v D = 0 or 1}
21 14/37 How to analyse security protocols? For example, how to prove that Helios is secure?
22 14/37 How to analyse security protocols? For example, how to prove that Helios is secure? Task 1 : Modeling 1 Modeling messages 2 Modeling the behavior of the protocol 3 Modeling security
23 15/37 Modeling messages Idea 1 : keeping only the structure of the messages Messages are abstracted by terms. Example : The message { A,N a } K is represented by : A < > {} N a K
24 15/37 Modeling messages Idea 1 : keeping only the structure of the messages Messages are abstracted by terms. Example : The message { A,N a } K is represented by : A < > {} N a K Idea 2 : Equations for reflecting the properties of the primitives Decryption dec({x} y,y) = x Homomorphic encryption {x 1 } y {x 2 } y = {x 1 +x 2 } y
25 6/37 Modeling protocols Processes of the applied picalculus [Abadi & Fournet] Voter id voting v Voter(id,v) = c id ({v} pk(s),spk(v,{v} pk(s) ))
26 16/37 Modeling protocols Processes of the applied picalculus [Abadi & Fournet] Voter id voting v Voter(id,v) = c id ({v} pk(s),spk(v,{v} pk(s) )) Bulletin board for n voters BulletinBoard = c id1 (x 1 ). if Valid(x 1 ) then out(x 1 ). c idn (x n ). if Valid(x n ) then out(x n ). c tally (π 1 (x 1 ) π 1 (x n ))
27 16/37 Modeling protocols Processes of the applied picalculus [Abadi & Fournet] Voter id voting v Voter(id,v) = c id ({v} pk(s),spk(v,{v} pk(s) )) Bulletin board for n voters BulletinBoard = c id1 (x 1 ). if Valid(x 1 ) then out(x 1 ). c idn (x n ). if Valid(x n ) then out(x n ). c tally (π 1 (x 1 ) π 1 (x n )) Tallying phase Tally = c tally (y).out(dec(y,sk(s)))
28 17/37 Modeling attackers We assume that the network can be controlled by attackers may participate to the protocol. may forge and send messages, may read every message sent on the net, may intercept messages,
29 17/37 Modeling attackers We assume that the network can be controlled by attackers may participate to the protocol. may forge and send messages, may read every message sent on the net, may intercept messages, Attackers in applied picalculus A protocol P satisfies some property φ if for all process A A P = φ
30 18/37 Examples of security properties Secrecy of s If A P Q then Q out(s) Q For any attacker A and reachable process Q, the secret s remains unknown. Authentication/Agreement If A P Q then Q = Received(B,N a ) Sent(A,N a ) For any attacker A, if B receives a nonce believing it is from A then A must have sent it. Most properties can be expressed as accessibility properties
31 19/37 What is a secure voting protocol?
32 20/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote.
33 20/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. But everyone knows 0 and 1!
34 20/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. Idea 2 : An attacker should not attach my vote to my identity.
35 0/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. Idea 2 : An attacker should not attach my vote to my identity. But everyone can form Alice,0 and Alice,1!
36 20/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. Idea 2 : An attacker should not attach my vote to my identity. Idea 3 : An attacker cannot see the difference when I vote 0 or 1. Voter 1(0) Voter 2(v 2) Voter n(v n) Voter 1(1) Voter 2(v 2) Voter n(v n)
37 20/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. Idea 2 : An attacker should not attach my vote to my identity. Idea 3 : An attacker cannot see the difference when I vote 0 or 1. Voter 1(0) Voter 2(v 2) Voter n(v n) Voter 1(1) Voter 2(v 2) Voter n(v n) The attacker always sees the difference since the tally differs. Unanimity does break privacy.
38 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. Idea 2 : An attacker should not attach my vote to my identity. Idea 3 : An attacker cannot see the difference when I vote 0 or 1. Voter 1(0) Voter 2(v 2) Voter n(v n) Voter 1(1) Voter 2(v 2) Voter n(v n) Idea 4 : An attacker cannot see when votes are swapped. Voter 1 (0) Voter 2 (1) Voter 1 (1) Voter 2 (0) 20/37 S. Kremer & M. Ryan
39 21/37 How to analyse security protocols?? = confidentiality authenticity nonrepudiation Methodology 1 Proposing accurate models symbolic models cryptographic/computational models 2 Proving security decision procedures transfer results
40 22/37 How to analyse security protocols? First, we consider accessibility properties, e.g. confidentiality, authentication, etc. Automatic verification Unfortunately, security (e.g. confidentiality) is undecidable. No generic algorithm can work. Identification of decidable fragments analysis of a finite number of sessions restriction on the class of protocols Semidecision procedure : ProVerif
41 23/37 How does ProVerif work? Developed by Bruno Blanchet, ENS Paris, France. Implements a sound semidecision procedure (that may not terminate). The applied picalculus is translated into firstorder logic, more precisely into Horn clauses. Based on a resolution strategy well adapted to protocols.
42 24/37 Horn clauses for the intruder Horn clauses perfectly reflect the attacker symbolic manipulations on terms. x y I(x),I(y) I(< x,y >) pairing x y I(x),I(y) I({x} y ) encryption x y I({x} y ),I(y) I(x) decryption x y I(< x,y >) I(x) projection x y I(< x,y >) I(y) projection
43 25/37 Horn clauses for the protocol Protocol WMF : A S : {n a,b,k} ka S B : {n s,a,k} kb B A : {m ab } k Horn clauses : I({n a,b,k} ka ) I({x,b,y} ka ) I({n s (x,y),a,y} kb ) I({x,a,y} kb ) I({m ab } y )
44 25/37 Horn clauses for the protocol Protocol WMF : A S : {n a,b,k} ka S B : {n s,a,k} kb B A : {m ab } k Horn clauses : I({n a,b,k} ka ) I({x,b,y} ka ) I({n s (x,y),a,y} kb ) I({x,a,y} kb ) I({m ab } y ) Secrecy property is a reachability (accessibility) property I(m ab ) Checking security reduces to checking satisfiability There exists an attack iff the set of formulas corresponding to Intruder manipulations + protocol + property is NOT satisfiable.
45 26/37 How to decide satisfiability? Resolution techniques : Binary resolution D 1 D k B A 1 A n C A1 θ = Bθ (D 1 D k A 2 A n C)θ
46 6/37 How to decide satisfiability? Resolution techniques : Binary resolution D 1 D k B A 1 A n C A1 θ = Bθ (D 1 D k A 2 A n C)θ It does not terminate. Example : I(s) I(x),I(y) I( x,y )
47 6/37 How to decide satisfiability? Resolution techniques : Binary resolution D 1 D k B A 1 A n C A1 θ = Bθ (D 1 D k A 2 A n C)θ It does not terminate. Example : I(s) I(x),I(y) I( x,y ) I(y) I( s,y )
48 6/37 How to decide satisfiability? Resolution techniques : Binary resolution D 1 D k B A 1 A n C A1 θ = Bθ (D 1 D k A 2 A n C)θ It does not terminate. Example : I(s) I(x),I(y) I( x,y ) I(y) I( s,y ) I( s,s ) I( s, s,s ) I( s, s, s,s ) I( s, s, s, s,s ) I( s, s, s, s, s,s )
49 27/37 Efficient and sound resolution strategy Idea : Resolution is only applied on selected literals A 1,B that do not belong to a forbidden set S. Typically S = {I(x)}. Theorem Resolution based on selection, avoiding S, is complete w.r.t. satisfiability. If the fixed point does not contain the empty clause, then the corresponding protocol is secure. ProVerif may not terminate.
50 Efficient and sound resolution strategy Idea : Resolution is only applied on selected literals A 1,B that do not belong to a forbidden set S. Typically S = {I(x)}. Theorem Resolution based on selection, avoiding S, is complete w.r.t. satisfiability. 27/37 If the fixed point does not contain the empty clause, then the corresponding protocol is secure. ProVerif may not terminate. Performs very well in practice! Works on most of existing protocols in the literature Is also used on industrial protocols (e.g. certified protocol, JFK, Plutus filesystem) Can handle various cryptographic primitives (various encryption, signatures, blind signatures, hash, etc.)
51 28/37 Security of Helios Privacy Voter 1 (0) Voter 2 (1) Voter 1 (1) Voter 2 (0) Not an accessibility property ProVerif cannot be applied (yet).
52 28/37 Security of Helios Privacy Voter 1 (0) Voter 2 (1) Voter 1 (1) Voter 2 (0) Not an accessibility property ProVerif cannot be applied (yet). Helios is actually subject to replay attack, which breaks privacy! The fixed version (weeding duplicated ballots) provably ensures privacy
53 Security of Helios Privacy Voter 1 (0) Voter 2 (1) Voter 1 (1) Voter 2 (0) Not an accessibility property ProVerif cannot be applied (yet). Helios is actually subject to replay attack, which breaks privacy! The fixed version (weeding duplicated ballots) provably ensures privacy 28/37 Verifiability Individual verifiability : voter can check that her own ballot is included in the election s bulletin board. Universal verifiability : anyone can check that the election outcome corresponds to the ballots published on the bulletin board. Helios provably satisfies both verifiability properties.
54 29/37 Limitations of this approach? Are you ready to use any protocol verified with this technique?
55 29/37 Limitations of this approach? Are you ready to use any protocol verified with this technique? Side channel attacks Representing messages by a term algebra abstracts away many mathematical properties.
56 30/37 Setting for cryptographic/computational models Messages : (Bitstrings) Protocol : Message exchange program Use cryptographic algorithms
57 30/37 Setting for cryptographic/computational models Messages : (Bitstrings) Protocol : Message exchange program Use cryptographic algorithms Adversary A : any probabilistic polynomial Turing machine, i.e. any probabilistic polynomial program. polynomial : captures what is feasible probabilistic : the adversary may try to guess some information
58 31/37 Computational secrecy OneWayness : The probability for an adversary A to compute the secret s against a protocol P is negligible (smaller than any inverse of polynomial).
59 1/37 Computational secrecy OneWayness : The probability for an adversary A to compute the secret s against a protocol P is negligible (smaller than any inverse of polynomial). Not strong enough! The adversary may be able to compute half of the secret message. There is no guarantee in case that some partial information on the secret is known.
60 31/37 Computational secrecy OneWayness : The probability for an adversary A to compute the secret s against a protocol P is negligible (smaller than any inverse of polynomial). Not strong enough! The adversary may be able to compute half of the secret message. There is no guarantee in case that some partial information on the secret is known. Indistinguishability : the adversary should not learn a bit of the secret. Pr[A P(n 0 ) 1] Pr[A P(n 1 ) 1] is negligible
61 32/37 Formal and Cryptographic approaches Formal approach Cryptographic approach Messages terms bitstrings Encryption idealized algorithm Adversary idealized any polynomial algorithm Guarantees unclear strong Proof automatic by hand, tedious and errorprone Link between the two approaches?
62 33/37 Proving cryptographic security through symbolic models Symbolic models Computational models < > {} K A N a
63 33/37 Proving cryptographic security through symbolic models Symbolic models Computational models < > {} K A N a Idea : soundness result Show that security in symbolic models implies security in computational ones. [Abadi Rogaway 00]
64 34/37 Soundness of equivalences in the applied picalculus Result : Assuming a strong encryption scheme (INDCCA2 hypothesis) P 1 P 2 [[P 1 ]] [[P 2 ]] Symbolic equivalence of processes P 1 and P 2 Indistinguishability of the implementation of P 1 and P 2
65 4/37 Soundness of equivalences in the applied picalculus Result : Assuming a strong encryption scheme (INDCCA2 hypothesis) P 1 P 2 [[P 1 ]] [[P 2 ]] Symbolic equivalence of processes P 1 and P 2 Indistinguishability of the implementation of P 1 and P 2 Key technique Any attack trace from the concrete adversary is an attack against the symbolic protocol, or the adversary breaks encryption. Consequence : Security in symbolic models directly implies security in cryptographic models, against arbitrary attackers.
66 35/37 Benefit : modularity Cryptographic security guarantees can be obtained at the symbolic level Ideal protocol Formal approach: verification of idealized protocols Implemented protocol signature algorithm encryption algorithm Cryptographers: verification of the cryptographic primitives
67 6/37 Conclusion Formal methods form a powerful approach for analyzing security protocols Use of existing techniques : term algebra, equational theories, clauses and resolution techniques, tree automata, etc. Many decision procedures Several successful automatic tools e.g. ProVerif, Avispa/Avantssar, Scyther, NRL Protocol Analyzer Detect attacks (e.g. flaw in Gmail) Prove security of standard protocols (e.g. IKE, JFK, Certified , Helios,...) Provides cryptographic guarantees under classical assumptions on the implementation of the primitives
68 37/37 The end Special thanks to : Hubert ComonLundh Ben Smyth Stéphanie Delaune Bogdan Warinschi Steve Kremer
Le vote électronique : un défi pour la vérification formelle
Le vote électronique : un défi pour la vérification formelle Steve Kremer Loria, Inria Nancy 1 / 17 Electronic voting Elections are a securitysensitive process which is the cornerstone of modern democracy
More informationElectronic Voting Protocol Analysis with the Inductive Method
Electronic Voting Protocol Analysis with the Inductive Method Introduction Evoting use is spreading quickly in the EU and elsewhere Sensitive, need for formal guarantees Inductive Method: protocol verification
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationAnalysis of an Electronic Boardroom Voting System
Analysis of an Electronic Boardroom Voting System Mathilde Arnaud Véronique Cortier Cyrille Wiedling VoteID 13 July 18th 2013 The Family of Electronic Voting The Family of Electronic Voting Voting Machines
More informationEDemocracy and evoting
EDemocracy and evoting How to make them secure and transparent August 2013 Jordi Puiggali CSO and SVP R&D Jordi.puiggali@scytl.com Index Introduction edemocracy Security and Transparency in evoting
More informationFormal Methods in Security Protocols Analysis
Formal Methods in Security Protocols Analysis Li Zhiwei Aidong Lu Weichao Wang Department of Computer Science Department of Software and Information Systems University of North Carolina at Charlotte Big
More informationFormal Modelling of Network Security Properties (Extended Abstract)
Vol.29 (SecTech 2013), pp.2529 http://dx.doi.org/10.14257/astl.2013.29.05 Formal Modelling of Network Security Properties (Extended Abstract) Gyesik Lee Hankyong National University, Dept. of Computer
More informationCryptography and Network Security: Summary
Cryptography and Network Security: Summary Timo Karvi 12.2013 Timo Karvi () Cryptography and Network Security: Summary 12.2013 1 / 17 Summary of the Requirements for the exam The advices are valid for
More informationComputational Soundness of Symbolic Security and Implicit Complexity
Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 37, 2013 Overview
More informationAutomated Verification of Selected Equivalences for Security Protocols
Automated Verification of Selected Equivalences for Security Protocols Bruno Blanchet CNRS, École Normale Supérieure, Paris Martín Abadi University of California, Santa Cruz Cédric Fournet Microsoft Research,
More informationHow to Formally Model Features of Network Security Protocols
, pp.423432 http://dx.doi.org/10.14257/ijsia How to Formally Model Features of Network Security Protocols Gyesik Lee Dept. of Computer & Web Information Engineering Hankyong National University Anseongsi,
More informationCryptography: Authentication, Blind Signatures, and Digital Cash
Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,
More informationVoteID 2011 Internet Voting System with Cast as Intended Verification
VoteID 2011 Internet Voting System with Cast as Intended Verification September 2011 VP R&D Jordi Puiggali@scytl.com Index Introduction Proposal Security Conclusions 2. Introduction Client computers could
More informationInductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting
Inductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting Denis Butin 1 / 37 2 / 37 Introduction Network communication sensitive: banking, private correspondence,
More informationAn Electronic Voting System Based On Blind Signature Protocol
CSMR, VOL. 1, NO. 1 (2011) An Electronic Voting System Based On Blind Signature Protocol Marius Ion, Ionuţ Posea University POLITEHNICA of Bucharest Faculty of Automatic Control and Computers, Computer
More informationPart 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext
Part 2 Plaintext M Encrypt with public key E(M, K) Ciphertext Plaintext M D(E(M, K),K ) Decrypt with private key E(M, K) Public and private key related mathematically Public key can be published; private
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC
More informationSecure Reactive Systems
Michael Backes Saarland University, Germany joint work with Birgit Pfitzmann and Michael Waidner Secure Reactive Systems Lecture at Tartu U, 02/27/06 Building Systems on Open Networks EGovernment Hospital
More informationBallot privacy in elections: new metrics and constructions.
Ballot privacy in elections: new metrics and constructions. Olivier Pereira Université catholique de Louvain Based on joint works with: D. Bernhard, V. Cortier, E. Cuvelier, T. Peters and B. Warinschi
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA DiffieHellman Key Exchange Public key and
More informationAuthenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense
More informationCSC474/574  Information Systems Security: Homework1 Solutions Sketch
CSC474/574  Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a oneround Feistel cipher
More informationQ: Why security protocols?
Security Protocols Q: Why security protocols? Alice Bob A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Confidentiality Authentication Example:
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More informationVerifying a SecretBallot Election with Cryptography
Verifying a SecretBallot Election with Cryptography Ben Adida PhD Thesis Defense Thesis Committee Ronald L. Rivest, Srini Devadas, Shafi Goldwasser 22 June 2006 Ostraka (sea shells) http://darkwing.uoregon.edu/~klio/im/gr/ath/athen%20%20ostraka.jpg
More informationCIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives
CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; DH key exchange; Hash functions; Application of hash
More informationLecture 9  Message Authentication Codes
Lecture 9  Message Authentication Codes Boaz Barak March 1, 2010 Reading: BonehShoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationUniversally Composable Symbolic Analysis of DiffieHellman based Key Exchange
Universally Composable Symbolic Analysis of DiffieHellman based Key Exchange Ran Canetti and Sebastian Gajek School of Computer Science Tel Aviv University, Israel May 20, 2010 Abstract Canetti and Herzog
More informationNetwork Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23
Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest
More informationAn Overview of Common Adversary Models
An Overview of Common Adversary Karl Palmskog palmskog@kth.se 20120329 Introduction Requirements of Software Systems 1 Functional Correctness: partial, termination, liveness, safety,... 2 Nonfunctional
More informationNetwork Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering
Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:
More informationChapter 3. Network Domain Security
Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter
More informationZQL. a cryptographic compiler for processing private data. George Danezis. Joint work with Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo
ZQL Work in progress a cryptographic compiler for processing private data George Danezis Joint work with Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo Microsoft Research and Joint INRIAMSR Centre Data
More informationFormal Analysis of Authentication in Bluetooth Device Pairing
Formal Analysis of Authentication in Bluetooth Device Pairing Richard Chang and Vitaly Shmatikov The University of Texas at Austin Abstract. Bluetooth is a popular standard for shortrange wireless communications.
More informationInformation Security
Information Security Dr. Vedat Coşkun Malardalen September 15th, 2009 08:00 10:00 vedatcoskun@isikun.edu.tr www.isikun.edu.tr/~vedatcoskun What needs to be secured? With the rapid advances in networked
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More information1 Signatures vs. MACs
CS 120/ E177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. KatzLindell 10 1 Signatures vs. MACs Digital signatures
More informationIntroduction to Computer Security
Introduction to Computer Security Hash Functions and Digital Signatures Pavel Laskov Wilhelm Schickard Institute for Computer Science Integrity objective in a wide sense Reliability Transmission errors
More informationSecure APIs and Simulationbased. Exposé thésard
Secure APIs and Simulationbased Security Exposé thésard 1 ME & MY THESIS at LSV since Oct 2010 Batiment IRIS Supervisors: Graham & Steve INRIA 2 Outline What are Secure Tokens, and what use do they have?
More informationCS Computer and Network Security: Applied Cryptography
CS 5410  Computer and Network Security: Applied Cryptography Professor Patrick Traynor Spring 2016 Reminders Project Ideas are due on Tuesday. Where are we with these? Assignment #2 is posted. Let s get
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More informationA New ReceiptFree EVoting Scheme Based on Blind Signature (Abstract)
A New ReceiptFree EVoting Scheme Based on Blind Signature (Abstract) Zhe Xia University of Surrey z.xia@surrey.ac.uk Steve Schneider University of Surrey s.schneider@surrey.ac.uk May 25, 2006 Abstract
More informationOnline Voting Project. New Developments in the Voting System an Consequently Implemented Improvements in the Representation of Legal Principles.
New Developments in the Voting System an Consequently Implemented Improvements in the Representation of Legal Principles. Introduction. Since 2001 TSystems made research on secure online voting systems
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 1 (rev. 1) Professor M. J. Fischer September 3, 2008 1 Course Overview Lecture Notes 1 This course is
More informationOutline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg
Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian
More informationThe Design of Web Based Secure Internet Voting System for Corporate Election
The Design of Web Based Secure Internet Voting System for Corporate Election Jagdish B. Chakole 1, P. R. Pardhi 2 \ 1 Deptt. of Computer Science & Engineering, R.C.O.E.M., Nagpur, Maharashtra (India) 2
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 9: Authentication protocols, digital signatures Ion Petre Department of IT, Åbo Akademi University 1 Overview of
More informationInternet Voting Protocols with Everlasting Privacy
Internet Voting Protocols with Everlasting Privacy Jeroen van de Graaf Joint work with Denise Demirel e Roberto Samarone jvdg@dccufmgbr Lleida, July 2013 Jeroen van de Graaf Joint work with Denise Demirel
More informationSecurity usually depends on the secrecy of the key, not the secrecy of the algorithm (i.e., the open design model!)
1 A cryptosystem has (at least) five ingredients: 1. 2. 3. 4. 5. Plaintext Secret Key Ciphertext Encryption algorithm Decryption algorithm Security usually depends on the secrecy of the key, not the secrecy
More informationOutline. Cryptography. Bret Benesh. Math 331
Outline 1 College of St. Benedict/St. John s University Department of Mathematics Math 331 2 3 The internet is a lawless place, and people have access to all sorts of information. What is keeping people
More informationAdversary Modelling 1
Adversary Modelling 1 Evaluating the Feasibility of a Symbolic Adversary Model on Smart Transport Ticketing Systems Authors Arthur Sheung Chi Chan, MSc (Royal Holloway, 2014) Keith Mayes, ISG, Royal Holloway
More informationA Study on Secure Electronic Medical DB System in Hospital Environment
A Study on Secure Electronic Medical DB System in Hospital Environment Yvette E. Gelogo 1 and Sungwon Park 2 * 1 Catholic University of Daegu, Daegu, Korea 2 Department of Nursing, Hannam University, 133
More informationOverview of Cryptographic Tools for Data Security. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the
More informationVincent Cheval. Curriculum Vitae. Research
Vincent Cheval School of Computing University of Kent Canterbury, CT2 7NF, UK +44 (0)7479 555701 +44 (0)1227 823816 vincent.cheval@icloud.com homepage: www.cs.kent.ac.uk/ vc218/web Nationality : French
More informationAsymmetric Encryption. With material from Jonathan Katz, David Brumley, and Dave Levin
Asymmetric Encryption With material from Jonathan Katz, David Brumley, and Dave Levin Warmup activity Overview of asymmetrickey crypto Intuition for El Gamal and RSA And intuition for attacks Digital
More informationProviding solutions for more secure exchanges
Providing solutions for more secure exchanges Stéphanie Delaune November 18, 2014 Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 1 / 44 Cryptographic protocols Cryptographic protocols
More informationIntroduction to Cryptography CS 355
Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita Rotaru
More informationComputer Science 308547A Cryptography and Data Security. Claude Crépeau
Computer Science 308547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308647A)
More informationContent Teaching Academy at James Madison University
Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security  generic name for the collection of tools designed to protect
More informationClient Server Registration Protocol
Client Server Registration Protocol The ClientServer protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More informationComputer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University
Computer Networks Network Security and Ethics Week 14 College of Information Science and Engineering Ritsumeikan University Security Intro for Admins l Network administrators can break security into two
More informationPublic Key (asymmetric) Cryptography
PublicKey Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,
More informationNetwork Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶
Network Security 網 路 安 全 Lecture 1 February 20, 2012 洪 國 寶 1 Outline Course information Motivation Introduction to security Basic network concepts Network security models Outline of the course 2 Course
More informationHooks could have been left around for the imposter to regain control. A.ArpaciDusseau. Remove all files from disk and reinstall all software
UNIVERSITY of WISCONSINMADISON Computer Sciences Department CS 537 A. ArpaciDusseau Intro to Operating Systems Spring 2000 Security Solutions and Encryption Questions answered in these notes: How does
More informationSSL/TLS: The Ugly Truth
SSL/TLS: The Ugly Truth Examining the flaws in SSL/TLS protocols, and the use of certificate authorities. Adrian Hayter CNS Hut 3 Team adrian.hayter@cnsuk.co.uk Contents Introduction to SSL/TLS Cryptography
More informationIntroduction to Cryptography
Introduction to Cryptography Part 2: publickey cryptography JeanSébastien Coron January 2007 Publickey cryptography Invented by Diffie and Hellman in 1976. Revolutionized the field. Each user now has
More informationCUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631
Cunsheng DING, HKUST Lecture 08: Key Management for Onekey Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.
More informationSecurity Protocols: Principles and Calculi Tutorial Notes
Security Protocols: Principles and Calculi Tutorial Notes Martín Abadi Microsoft Research and University of California, Santa Cruz Abstract. This paper is a basic introduction to some of the main themes
More informationCS 758: Cryptography / Network Security
CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More informationanonymous secure decentralized SMS stealthtext transactions
anonymous secure decentralized SMS stealthtext transactions WHITEPAPER STATE OF THE ART 2/8 WHAT IS STEALTHTEXT? stealthtext is a way to send stealthcoin privately and securely using SMS texting. stealthtext
More informationSignature Schemes. CSG 252 Fall 2006. Riccardo Pucella
Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by
More informationCryptography & Digital Signatures
Cryptography & Digital Signatures CS 594 Special Topics/Kent Law School: Computer and Network Privacy and Security: Ethical, Legal, and Technical Consideration Prof. Sloan s Slides, 2007, 2008 Robert H.
More informationSECURITY ANALYSIS OF A SINGLE SIGNON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS
SECURITY ANALYSIS OF A SINGLE SIGNON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS Abstract: The Single signon (SSO) is a new authentication mechanism that enables a legal user with a single credential
More informationCIS 5371 Cryptography. 8. Encryption 
CIS 5371 Cryptography p y 8. Encryption  Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: Allornothing secrecy.
More informationProvably Secure Cryptography: State of the Art and Industrial Applications
Provably Secure Cryptography: State of the Art and Industrial Applications Pascal Paillier Gemplus/R&D/ARSC/STD/Advanced Cryptographic Services FrenchJapanese Joint Symposium on Computer Security Outline
More informationCryptoVerifying Protocol Implementations in ML
CryptoVerifying Protocol Implementations in ML Karthikeyan Bhargavan 1,2 Ricardo Corin 1,3 Cédric Fournet 1,2 1 MSRINRIA Joint Centre 2 Microsoft Research 3 University of Twente June 2007 Abstract We
More informationKEY DISTRIBUTION: PKI and SESSIONKEY EXCHANGE. Mihir Bellare UCSD 1
KEY DISTRIBUTION: PKI and SESSIONKEY EXCHANGE Mihir Bellare UCSD 1 The public key setting Alice M D sk[a] (C) Bob pk[a] C C $ E pk[a] (M) σ $ S sk[a] (M) M, σ Vpk[A] (M, σ) Bob can: send encrypted data
More information1 Construction of CCAsecure encryption
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of secure encryption We now show how the MAC can be applied to obtain a secure encryption scheme.
More informationModule 7 Security CS655! 71!
Module 7 Security CS655! 71! Issues Separation of! Security policies! Precise definition of which entities in the system can take what actions! Security mechanism! Means of enforcing that policy! Distributed
More informationMidterm Exam Solutions CS161 Computer Security, Spring 2008
Midterm Exam Solutions CS161 Computer Security, Spring 2008 1. To encrypt a series of plaintext blocks p 1, p 2,... p n using a block cipher E operating in electronic code book (ECB) mode, each ciphertext
More informationLecture 15  Digital Signatures
Lecture 15  Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations  easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.
More informationDigital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?
Cryptography Digital Signatures Professor: Marius Zimand Digital signatures are meant to realize authentication of the sender nonrepudiation (Note that authentication of sender is also achieved by MACs.)
More informationAUTOMATIC PROTOCOL CREATION FOR INFORMATION SECURITY SYSTEM
AUTOMATIC PROTOCOL CREATION FOR INFORMATION SECURITY SYSTEM Mr. Arjun Kumar arjunsingh@abes.ac.in ABES Engineering College, Ghaziabad Master of Computer Application ABSTRACT Now a days, security is very
More informationCryptoVerif Tutorial
CryptoVerif Tutorial Bruno Blanchet INRIA ParisRocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUFCMA
More informationChapter 16: Authentication in Distributed System
Chapter 16: Authentication in Distributed System Ajay Kshemkalyani and Mukesh Singhal Distributed Computing: Principles, Algorithms, and Systems Cambridge University Press A. Kshemkalyani and M. Singhal
More informationA SearchBased Framework for Security Protocol Synthesis
A SearchBased Framework for Security Protocol Synthesis Hao Chen Submitted for the degree of Doctor of Philosophy The University of York Department of Computer Science April 2007 For My Mum and Dad 献
More informationSimplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings
Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Ernie Brickell Intel Corporation ernie.brickell@intel.com Liqun Chen HP Laboratories liqun.chen@hp.com March
More informationAnalysis of a Biometric Authentication Protocol for Signature Creation Application
Analysis of a Biometric Authentication Protocol for Signature Creation Application A. Salaiwarakul and M.D.Ryan School of Computer Science, University of Birmingham, UK {A.Salaiwarakul, M.D.Ryan}@cs.bham.ac.uk
More informationA Secure RFID Ticket System For Public Transport
A Secure RFID Ticket System For Public Transport Kun Peng and Feng Bao Institute for Infocomm Research, Singapore Abstract. A secure RFID ticket system for public transport is proposed in this paper. It
More informationModule: Applied Cryptography. Professor Patrick McDaniel Fall 2010. CSE543  Introduction to Computer and Network Security
CSE543  Introduction to Computer and Network Security Module: Applied Cryptography Professor Patrick McDaniel Fall 2010 Page 1 Key Distribution/Agreement Key Distribution is the process where we assign
More informationA Survey on Optimistic Fair Digital Signature Exchange Protocols
A Survey on Optimistic Fair Digital Signature Exchange s Alfin Abraham Vinodh Ewards Harlay Maria Mathew Abstract Security services become crucial to many applications such as ecommerce payment protocols,
More informationCryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53
Cryptography and Network Security, PART IV: Reviews, Patches, and Theory Timo Karvi 11.2012 Cryptography and Network Security, PART IV: Reviews, Patches, and11.2012 Theory 1 / 53 Key Lengths I The old
More informationAssociate Prof. Dr. Victor Onomza Waziri
BIG DATA ANALYTICS AND DATA SECURITY IN THE CLOUD VIA FULLY HOMOMORPHIC ENCRYPTION Associate Prof. Dr. Victor Onomza Waziri Department of Cyber Security Science, School of ICT, Federal University of Technology,
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture  PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationAnonymity with Identity Escrow
Anonymity with Identity Escrow Aybek Mukhamedov and Mark Ryan The University of Birmingham March 30, 2006 Outline 1 Anonymity 2 Anonymity with identity escrow 3 Marshall and MolinaJiminez protocol 4 Our
More informationCh.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis
Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography
More informationRSA Attacks. By Abdulaziz Alrasheed and Fatima
RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.
More informationModule 8. Network Security. Version 2 CSE IIT, Kharagpur
Module 8 Network Security Lesson 2 Secured Communication Specific Instructional Objectives On completion of this lesson, the student will be able to: State various services needed for secured communication
More informationComputer and Network Security. Alberto Marchetti Spaccamela
Computer and Network Security Alberto Marchetti Spaccamela Slides are strongly based on material by Amos Fiat Good crypto courses on the Web with interesting material on web site of: Ron Rivest, MIT Dan
More information