How to prove security of communication protocols?
|
|
- Jocelin Shelton
- 8 years ago
- Views:
Transcription
1 1/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees How to prove security of communication protocols? Véronique Cortier, LORIA - CNRS, Nancy Colloquium Morgenstern, June 20th, 2012 Joint work with Hubert Comon-Lundh, Stéphanie Delaune, Steve Kremer, Ben Smyth and Bogdan Warinschi.
2 2/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Context : cryptographic protocols Cryptographic protocols are widely used in everyday life. They aim at securing communications over public or insecure networks.
3 3/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Security goals Cryptographic protocols aim at preserving confidentiality of data (e.g. pin code, medical files,...) ensuring authenticity (are you really talking to your bank?) ensuring anonymous communications (for e-voting protocols,...) protecting against repudiation (I never sent this message!)
4 4/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Difficulty : there are potential powerful attackers! Presence of an attacker may participate to the protocol. may forge and send messages, may read every message sent on the net, may intercept messages,
5 5/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Attacking Single Sign On Protocol Single Sign On Protocols enables to log in once for several services used e.g. in Google App
6 Attacking Single Sign On Protocol Single Sign On Protocols enables to log in once for several services used e.g. in Google App 5/37 A flaw discovered in 2010, now fixed (Avantssar project) Step 1 An attacker offers an interesting or funny (but malicious) new Google App Step 2 Some clients register to this malicious Application Step 3 The attacker can now access all the other applications of the client, including e.g. Gmail or Google Calendar.
7 /37 Designing protocols is error prone Software testing leaves flaws : Flaw in the authentication protocol used in Google Apps Attack on pay-per-view devices Man-in-the-middle attack These flaws rely on the design of the protocols Not on a bad implementation (bugs) Not on weaknesses of the primitives (e.g. encryption, signatures) Not on generic hacking techniques (e.g. worms, code injection)
8 /37 How to analyse security protocols?? = confidentiality authenticity non-repudiation Methodology 1 Proposing accurate models symbolic models cryptographic/computational models 2 Proving security decision procedures transfer results Running example : electronic voting
9 8/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Example : Electronic voting Elections are a security-sensitive process which is the cornerstone of modern democracy. Electronic voting promises Convenient, efficient and secure facility for recording and tallying votes for a variety of types of elections : from small committees or on-line communities through to full-scale national elections Already used e.g. in Estonia, Norway, USA, France (from abroad).
10 9/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees Two main families for e-voting Voting machines Voters have to attend a voting station External authentication system (e.g. ID card) Internet voting Voters vote from home from their own computers Systems in use : Civitas (A. Myers et al), Helios,...
11 10/37 Running example : Helios http ://heliosvoting.org/ Developed by B. Adida et al, already in use : Election at Louvain University Princeton Election of the IACR board (major association in Cryptography)
12 11/37 Helios : a voting protocol for low-coercion environment The security of Helios relies on the assumption that the voter s computer can be trusted. Not suitable for political elections A corrupted machine may : leak the choice of the voter vote for a different candidate e.g. attack by Laurent Grégoire on the Élection législatives pour les francais de l étranger, using code injection.
13 Helios : a voting protocol for low-coercion environment The security of Helios relies on the assumption that the voter s computer can be trusted. 1/37 Not suitable for political elections A corrupted machine may : leak the choice of the voter vote for a different candidate e.g. attack by Laurent Grégoire on the Élection législatives pour les francais de l étranger, using code injection. Suitable for medium issue elections : professional elections scientific councils, students representatives, etc. union representatives Should be compared with previous voting systems in use : e.g. attack (ballot stuffing) on the 2011 paper ballots (with barcodes) CNRS election
14 Behavior of Helios (simplified) Phase 1 : voting 1 Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 Phase 2 : Tallying using homomorphic encryption (El Gamal) n n {v i } pk(s) = { v i } pk(s) i=1 i=1 Only the final result needs to be decrypted. 12/37 pk(s) : public key, the private key being shared among trustees.
15 Behavior of Helios (simplified) Phase 1 : voting 1 {v D } pk(s) Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 Phase 2 : Tallying using homomorphic encryption (El Gamal) n n {v i } pk(s) = { v i } pk(s) i=1 i=1 Only the final result needs to be decrypted. 12/37 pk(s) : public key, the private key being shared among trustees.
16 Behavior of Helios (simplified) Phase 1 : voting 1 Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 David {v D } pk(s) v D = 0 or 1 Phase 2 : Tallying using homomorphic encryption (El Gamal) n n {v i } pk(s) = { v i } pk(s) i=1 i=1 Only the final result needs to be decrypted. 12/37 pk(s) : public key, the private key being shared among trustees.
17 Behavior of Helios (simplified) Phase 1 : voting 1 Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 David {v D } pk(s) v D = 0 or Phase 2 : Tallying using homomorphic encryption (El Gamal) n n {v i } pk(s) = { v i } pk(s) based on g a g b = g a+b i=1 i=1 Only the final result needs to be decrypted! 12/37 pk(s) : public key, the private key being shared among trustees.
18 3/37 This is oversimplified! {v D } pk(s) Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 David {v D } pk(s) Result : {v A +v B +v C +v D + } pk(s)
19 13/37 This is oversimplified! {v D } pk(s) Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 David {v D } pk(s) v D = Result : {v A +v B +v C } pk(s) A malicious voter can cheat!
20 13/37 This is oversimplified! {v D } pk(s) Bulletin Board Alice {v A } pk(s) v A = 0 or 1 Bob {v B } pk(s) v B = 0 or 1 Chris {v C } pk(s) v C = 0 or 1 David {v D } pk(s) v D = Result : {v A +v B +v C +v D + } pk(s) A malicious voter can cheat! In Helios : use of (Signature of) Proof of Knowledge {v D } pk(s),spk{v D = 0 or 1}
21 14/37 How to analyse security protocols? For example, how to prove that Helios is secure?
22 14/37 How to analyse security protocols? For example, how to prove that Helios is secure? Task 1 : Modeling 1 Modeling messages 2 Modeling the behavior of the protocol 3 Modeling security
23 15/37 Modeling messages Idea 1 : keeping only the structure of the messages Messages are abstracted by terms. Example : The message { A,N a } K is represented by : A < > {} N a K
24 15/37 Modeling messages Idea 1 : keeping only the structure of the messages Messages are abstracted by terms. Example : The message { A,N a } K is represented by : A < > {} N a K Idea 2 : Equations for reflecting the properties of the primitives Decryption dec({x} y,y) = x Homomorphic encryption {x 1 } y {x 2 } y = {x 1 +x 2 } y
25 6/37 Modeling protocols Processes of the applied pi-calculus [Abadi & Fournet] Voter id voting v Voter(id,v) = c id ({v} pk(s),spk(v,{v} pk(s) ))
26 16/37 Modeling protocols Processes of the applied pi-calculus [Abadi & Fournet] Voter id voting v Voter(id,v) = c id ({v} pk(s),spk(v,{v} pk(s) )) Bulletin board for n voters BulletinBoard = c id1 (x 1 ). if Valid(x 1 ) then out(x 1 ). c idn (x n ). if Valid(x n ) then out(x n ). c tally (π 1 (x 1 ) π 1 (x n ))
27 16/37 Modeling protocols Processes of the applied pi-calculus [Abadi & Fournet] Voter id voting v Voter(id,v) = c id ({v} pk(s),spk(v,{v} pk(s) )) Bulletin board for n voters BulletinBoard = c id1 (x 1 ). if Valid(x 1 ) then out(x 1 ). c idn (x n ). if Valid(x n ) then out(x n ). c tally (π 1 (x 1 ) π 1 (x n )) Tallying phase Tally = c tally (y).out(dec(y,sk(s)))
28 17/37 Modeling attackers We assume that the network can be controlled by attackers may participate to the protocol. may forge and send messages, may read every message sent on the net, may intercept messages,
29 17/37 Modeling attackers We assume that the network can be controlled by attackers may participate to the protocol. may forge and send messages, may read every message sent on the net, may intercept messages, Attackers in applied pi-calculus A protocol P satisfies some property φ if for all process A A P = φ
30 18/37 Examples of security properties Secrecy of s If A P Q then Q out(s) Q For any attacker A and reachable process Q, the secret s remains unknown. Authentication/Agreement If A P Q then Q = Received(B,N a ) Sent(A,N a ) For any attacker A, if B receives a nonce believing it is from A then A must have sent it. Most properties can be expressed as accessibility properties
31 19/37 What is a secure voting protocol?
32 20/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote.
33 20/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. But everyone knows 0 and 1!
34 20/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. Idea 2 : An attacker should not attach my vote to my identity.
35 0/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. Idea 2 : An attacker should not attach my vote to my identity. But everyone can form Alice,0 and Alice,1!
36 20/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. Idea 2 : An attacker should not attach my vote to my identity. Idea 3 : An attacker cannot see the difference when I vote 0 or 1. Voter 1(0) Voter 2(v 2) Voter n(v n) Voter 1(1) Voter 2(v 2) Voter n(v n)
37 20/37 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. Idea 2 : An attacker should not attach my vote to my identity. Idea 3 : An attacker cannot see the difference when I vote 0 or 1. Voter 1(0) Voter 2(v 2) Voter n(v n) Voter 1(1) Voter 2(v 2) Voter n(v n) The attacker always sees the difference since the tally differs. Unanimity does break privacy.
38 Let s have a closer look to privacy How to state formally : No one should know my vote (0 or 1)? Idea 1 : An attacker should not learn the value of my vote. Idea 2 : An attacker should not attach my vote to my identity. Idea 3 : An attacker cannot see the difference when I vote 0 or 1. Voter 1(0) Voter 2(v 2) Voter n(v n) Voter 1(1) Voter 2(v 2) Voter n(v n) Idea 4 : An attacker cannot see when votes are swapped. Voter 1 (0) Voter 2 (1) Voter 1 (1) Voter 2 (0) 20/37 S. Kremer & M. Ryan
39 21/37 How to analyse security protocols?? = confidentiality authenticity non-repudiation Methodology 1 Proposing accurate models symbolic models cryptographic/computational models 2 Proving security decision procedures transfer results
40 22/37 How to analyse security protocols? First, we consider accessibility properties, e.g. confidentiality, authentication, etc. Automatic verification Unfortunately, security (e.g. confidentiality) is undecidable. No generic algorithm can work. Identification of decidable fragments analysis of a finite number of sessions restriction on the class of protocols Semi-decision procedure : ProVerif
41 23/37 How does ProVerif work? Developed by Bruno Blanchet, ENS Paris, France. Implements a sound semi-decision procedure (that may not terminate). The applied pi-calculus is translated into first-order logic, more precisely into Horn clauses. Based on a resolution strategy well adapted to protocols.
42 24/37 Horn clauses for the intruder Horn clauses perfectly reflect the attacker symbolic manipulations on terms. x y I(x),I(y) I(< x,y >) pairing x y I(x),I(y) I({x} y ) encryption x y I({x} y ),I(y) I(x) decryption x y I(< x,y >) I(x) projection x y I(< x,y >) I(y) projection
43 25/37 Horn clauses for the protocol Protocol WMF : A S : {n a,b,k} ka S B : {n s,a,k} kb B A : {m ab } k Horn clauses : I({n a,b,k} ka ) I({x,b,y} ka ) I({n s (x,y),a,y} kb ) I({x,a,y} kb ) I({m ab } y )
44 25/37 Horn clauses for the protocol Protocol WMF : A S : {n a,b,k} ka S B : {n s,a,k} kb B A : {m ab } k Horn clauses : I({n a,b,k} ka ) I({x,b,y} ka ) I({n s (x,y),a,y} kb ) I({x,a,y} kb ) I({m ab } y ) Secrecy property is a reachability (accessibility) property I(m ab ) Checking security reduces to checking satisfiability There exists an attack iff the set of formulas corresponding to Intruder manipulations + protocol + property is NOT satisfiable.
45 26/37 How to decide satisfiability? Resolution techniques : Binary resolution D 1 D k B A 1 A n C A1 θ = Bθ (D 1 D k A 2 A n C)θ
46 6/37 How to decide satisfiability? Resolution techniques : Binary resolution D 1 D k B A 1 A n C A1 θ = Bθ (D 1 D k A 2 A n C)θ It does not terminate. Example : I(s) I(x),I(y) I( x,y )
47 6/37 How to decide satisfiability? Resolution techniques : Binary resolution D 1 D k B A 1 A n C A1 θ = Bθ (D 1 D k A 2 A n C)θ It does not terminate. Example : I(s) I(x),I(y) I( x,y ) I(y) I( s,y )
48 6/37 How to decide satisfiability? Resolution techniques : Binary resolution D 1 D k B A 1 A n C A1 θ = Bθ (D 1 D k A 2 A n C)θ It does not terminate. Example : I(s) I(x),I(y) I( x,y ) I(y) I( s,y ) I( s,s ) I( s, s,s ) I( s, s, s,s ) I( s, s, s, s,s ) I( s, s, s, s, s,s )
49 27/37 Efficient and sound resolution strategy Idea : Resolution is only applied on selected literals A 1,B that do not belong to a forbidden set S. Typically S = {I(x)}. Theorem Resolution based on selection, avoiding S, is complete w.r.t. satisfiability. If the fixed point does not contain the empty clause, then the corresponding protocol is secure. ProVerif may not terminate.
50 Efficient and sound resolution strategy Idea : Resolution is only applied on selected literals A 1,B that do not belong to a forbidden set S. Typically S = {I(x)}. Theorem Resolution based on selection, avoiding S, is complete w.r.t. satisfiability. 27/37 If the fixed point does not contain the empty clause, then the corresponding protocol is secure. ProVerif may not terminate. Performs very well in practice! Works on most of existing protocols in the literature Is also used on industrial protocols (e.g. certified protocol, JFK, Plutus filesystem) Can handle various cryptographic primitives (various encryption, signatures, blind signatures, hash, etc.)
51 28/37 Security of Helios Privacy Voter 1 (0) Voter 2 (1) Voter 1 (1) Voter 2 (0) Not an accessibility property ProVerif cannot be applied (yet).
52 28/37 Security of Helios Privacy Voter 1 (0) Voter 2 (1) Voter 1 (1) Voter 2 (0) Not an accessibility property ProVerif cannot be applied (yet). Helios is actually subject to replay attack, which breaks privacy! The fixed version (weeding duplicated ballots) provably ensures privacy
53 Security of Helios Privacy Voter 1 (0) Voter 2 (1) Voter 1 (1) Voter 2 (0) Not an accessibility property ProVerif cannot be applied (yet). Helios is actually subject to replay attack, which breaks privacy! The fixed version (weeding duplicated ballots) provably ensures privacy 28/37 Verifiability Individual verifiability : voter can check that her own ballot is included in the election s bulletin board. Universal verifiability : anyone can check that the election outcome corresponds to the ballots published on the bulletin board. Helios provably satisfies both verifiability properties.
54 29/37 Limitations of this approach? Are you ready to use any protocol verified with this technique?
55 29/37 Limitations of this approach? Are you ready to use any protocol verified with this technique? Side channel attacks Representing messages by a term algebra abstracts away many mathematical properties.
56 30/37 Setting for cryptographic/computational models Messages : (Bitstrings) Protocol : Message exchange program Use cryptographic algorithms
57 30/37 Setting for cryptographic/computational models Messages : (Bitstrings) Protocol : Message exchange program Use cryptographic algorithms Adversary A : any probabilistic polynomial Turing machine, i.e. any probabilistic polynomial program. polynomial : captures what is feasible probabilistic : the adversary may try to guess some information
58 31/37 Computational secrecy One-Wayness : The probability for an adversary A to compute the secret s against a protocol P is negligible (smaller than any inverse of polynomial).
59 1/37 Computational secrecy One-Wayness : The probability for an adversary A to compute the secret s against a protocol P is negligible (smaller than any inverse of polynomial). Not strong enough! The adversary may be able to compute half of the secret message. There is no guarantee in case that some partial information on the secret is known.
60 31/37 Computational secrecy One-Wayness : The probability for an adversary A to compute the secret s against a protocol P is negligible (smaller than any inverse of polynomial). Not strong enough! The adversary may be able to compute half of the secret message. There is no guarantee in case that some partial information on the secret is known. Indistinguishability : the adversary should not learn a bit of the secret. Pr[A P(n 0 ) 1] Pr[A P(n 1 ) 1] is negligible
61 32/37 Formal and Cryptographic approaches Formal approach Cryptographic approach Messages terms bitstrings Encryption idealized algorithm Adversary idealized any polynomial algorithm Guarantees unclear strong Proof automatic by hand, tedious and error-prone Link between the two approaches?
62 33/37 Proving cryptographic security through symbolic models Symbolic models Computational models < > {} K A N a
63 33/37 Proving cryptographic security through symbolic models Symbolic models Computational models < > {} K A N a Idea : soundness result Show that security in symbolic models implies security in computational ones. [Abadi Rogaway 00]
64 34/37 Soundness of equivalences in the applied pi-calculus Result : Assuming a strong encryption scheme (IND-CCA2 hypothesis) P 1 P 2 [[P 1 ]] [[P 2 ]] Symbolic equivalence of processes P 1 and P 2 Indistinguishability of the implementation of P 1 and P 2
65 4/37 Soundness of equivalences in the applied pi-calculus Result : Assuming a strong encryption scheme (IND-CCA2 hypothesis) P 1 P 2 [[P 1 ]] [[P 2 ]] Symbolic equivalence of processes P 1 and P 2 Indistinguishability of the implementation of P 1 and P 2 Key technique Any attack trace from the concrete adversary is an attack against the symbolic protocol, or the adversary breaks encryption. Consequence : Security in symbolic models directly implies security in cryptographic models, against arbitrary attackers.
66 35/37 Benefit : modularity Cryptographic security guarantees can be obtained at the symbolic level Ideal protocol Formal approach: verification of idealized protocols Implemented protocol signature algorithm encryption algorithm Cryptographers: verification of the cryptographic primitives
67 6/37 Conclusion Formal methods form a powerful approach for analyzing security protocols Use of existing techniques : term algebra, equational theories, clauses and resolution techniques, tree automata, etc. Many decision procedures Several successful automatic tools e.g. ProVerif, Avispa/Avantssar, Scyther, NRL Protocol Analyzer Detect attacks (e.g. flaw in Gmail) Prove security of standard protocols (e.g. IKE, JFK, Certified , Helios,...) Provides cryptographic guarantees under classical assumptions on the implementation of the primitives
68 37/37 The end Special thanks to : Hubert Comon-Lundh Ben Smyth Stéphanie Delaune Bogdan Warinschi Steve Kremer
Le vote électronique : un défi pour la vérification formelle
Le vote électronique : un défi pour la vérification formelle Steve Kremer Loria, Inria Nancy 1 / 17 Electronic voting Elections are a security-sensitive process which is the cornerstone of modern democracy
More informationElectronic Voting Protocol Analysis with the Inductive Method
Electronic Voting Protocol Analysis with the Inductive Method Introduction E-voting use is spreading quickly in the EU and elsewhere Sensitive, need for formal guarantees Inductive Method: protocol verification
More informationOutline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures
Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike
More informationAnalysis of an Electronic Boardroom Voting System
Analysis of an Electronic Boardroom Voting System Mathilde Arnaud Véronique Cortier Cyrille Wiedling VoteID 13 July 18th 2013 The Family of Electronic Voting The Family of Electronic Voting Voting Machines
More informationE-Democracy and e-voting
E-Democracy and e-voting How to make them secure and transparent August 2013 Jordi Puiggali CSO and SVP R&D Jordi.puiggali@scytl.com Index Introduction e-democracy Security and Transparency in e-voting
More informationFormal Methods in Security Protocols Analysis
Formal Methods in Security Protocols Analysis Li Zhiwei Aidong Lu Weichao Wang Department of Computer Science Department of Software and Information Systems University of North Carolina at Charlotte Big
More informationFormal Modelling of Network Security Properties (Extended Abstract)
Vol.29 (SecTech 2013), pp.25-29 http://dx.doi.org/10.14257/astl.2013.29.05 Formal Modelling of Network Security Properties (Extended Abstract) Gyesik Lee Hankyong National University, Dept. of Computer
More informationCryptography and Network Security: Summary
Cryptography and Network Security: Summary Timo Karvi 12.2013 Timo Karvi () Cryptography and Network Security: Summary 12.2013 1 / 17 Summary of the Requirements for the exam The advices are valid for
More informationComputational Soundness of Symbolic Security and Implicit Complexity
Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview
More informationHow to Formally Model Features of Network Security Protocols
, pp.423-432 http://dx.doi.org/10.14257/ijsia How to Formally Model Features of Network Security Protocols Gyesik Lee Dept. of Computer & Web Information Engineering Hankyong National University Anseong-si,
More informationCryptography: Authentication, Blind Signatures, and Digital Cash
Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,
More informationVoteID 2011 Internet Voting System with Cast as Intended Verification
VoteID 2011 Internet Voting System with Cast as Intended Verification September 2011 VP R&D Jordi Puiggali@scytl.com Index Introduction Proposal Security Conclusions 2. Introduction Client computers could
More informationInductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting
Inductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting Denis Butin 1 / 37 2 / 37 Introduction Network communication sensitive: banking, private correspondence,
More informationAn Electronic Voting System Based On Blind Signature Protocol
CSMR, VOL. 1, NO. 1 (2011) An Electronic Voting System Based On Blind Signature Protocol Marius Ion, Ionuţ Posea University POLITEHNICA of Bucharest Faculty of Automatic Control and Computers, Computer
More informationPart 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext
Part 2 Plaintext M Encrypt with public key E(M, K) Ciphertext Plaintext M D(E(M, K),K ) Decrypt with private key E(M, K) Public and private key related mathematically Public key can be published; private
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC
More informationSecure Reactive Systems
Michael Backes Saarland University, Germany joint work with Birgit Pfitzmann and Michael Waidner Secure Reactive Systems Lecture at Tartu U, 02/27/06 Building Systems on Open Networks E-Government Hospital
More informationCSCE 465 Computer & Network Security
CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and
More informationAuthenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense
More informationCSC474/574 - Information Systems Security: Homework1 Solutions Sketch
CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher
More informationQ: Why security protocols?
Security Protocols Q: Why security protocols? Alice Bob A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Confidentiality Authentication Example:
More informationIntroduction. Digital Signature
Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology
More informationVerifying a Secret-Ballot Election with Cryptography
Verifying a Secret-Ballot Election with Cryptography Ben Adida PhD Thesis Defense Thesis Committee Ronald L. Rivest, Srini Devadas, Shafi Goldwasser 22 June 2006 Ostraka (sea shells) http://darkwing.uoregon.edu/~klio/im/gr/ath/athen%20-%20ostraka.jpg
More informationChapter 3. Network Domain Security
Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter
More informationUniversally Composable Symbolic Analysis of Diffie-Hellman based Key Exchange
Universally Composable Symbolic Analysis of Diffie-Hellman based Key Exchange Ran Canetti and Sebastian Gajek School of Computer Science Tel Aviv University, Israel May 20, 2010 Abstract Canetti and Herzog
More informationCIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives
CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash
More informationLecture 9 - Message Authentication Codes
Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationNetwork Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23
Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest
More informationNetwork Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering
Network Security Gaurav Naik Gus Anderson, Philadelphia, PA Lectures on Network Security Feb 12 (Today!): Public Key Crypto, Hash Functions, Digital Signatures, and the Public Key Infrastructure Feb 14:
More informationAn Overview of Common Adversary Models
An Overview of Common Adversary Karl Palmskog palmskog@kth.se 2012-03-29 Introduction Requirements of Software Systems 1 Functional Correctness: partial, termination, liveness, safety,... 2 Nonfunctional
More informationZQL. a cryptographic compiler for processing private data. George Danezis. Joint work with Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo
ZQL Work in progress a cryptographic compiler for processing private data George Danezis Joint work with Cédric Fournet, Markulf Kohlweiss, Zhengqin Luo Microsoft Research and Joint INRIA-MSR Centre Data
More informationHow To Verify A Bluetooth Device Pairing With A Human Eye Oracle
Formal Analysis of Authentication in Bluetooth Device Pairing Richard Chang and Vitaly Shmatikov The University of Texas at Austin Abstract. Bluetooth is a popular standard for short-range wireless communications.
More informationInformation Security
Information Security Dr. Vedat Coşkun Malardalen September 15th, 2009 08:00 10:00 vedatcoskun@isikun.edu.tr www.isikun.edu.tr/~vedatcoskun What needs to be secured? With the rapid advances in networked
More informationSecure APIs and Simulationbased. Exposé thésard
Secure APIs and Simulationbased Security Exposé thésard 1 ME & MY THESIS at LSV since Oct 2010 Batiment IRIS Supervisors: Graham & Steve INRIA 2 Outline What are Secure Tokens, and what use do they have?
More informationCapture Resilient ElGamal Signature Protocols
Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department
More informationIntroduction to Computer Security
Introduction to Computer Security Hash Functions and Digital Signatures Pavel Laskov Wilhelm Schickard Institute for Computer Science Integrity objective in a wide sense Reliability Transmission errors
More information1 Signatures vs. MACs
CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 22, 2006 Lecture Notes 17: Digital Signatures Recommended Reading. Katz-Lindell 10 1 Signatures vs. MACs Digital signatures
More information1 Message Authentication
Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 9: Authentication protocols, digital signatures Ion Petre Department of IT, Åbo Akademi University 1 Overview of
More informationA New Receipt-Free E-Voting Scheme Based on Blind Signature (Abstract)
A New Receipt-Free E-Voting Scheme Based on Blind Signature (Abstract) Zhe Xia University of Surrey z.xia@surrey.ac.uk Steve Schneider University of Surrey s.schneider@surrey.ac.uk May 25, 2006 Abstract
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 1 (rev. 1) Professor M. J. Fischer September 3, 2008 1 Course Overview Lecture Notes 1 This course is
More informationOutline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg
Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian
More informationA Study on Secure Electronic Medical DB System in Hospital Environment
A Study on Secure Electronic Medical DB System in Hospital Environment Yvette E. Gelogo 1 and Sungwon Park 2 * 1 Catholic University of Daegu, Daegu, Korea 2 Department of Nursing, Hannam University, 133
More informationInternet Voting Protocols with Everlasting Privacy
Internet Voting Protocols with Everlasting Privacy Jeroen van de Graaf Joint work with Denise Demirel e Roberto Samarone jvdg@dccufmgbr Lleida, July 2013 Jeroen van de Graaf Joint work with Denise Demirel
More informationThe Design of Web Based Secure Internet Voting System for Corporate Election
The Design of Web Based Secure Internet Voting System for Corporate Election Jagdish B. Chakole 1, P. R. Pardhi 2 \ 1 Deptt. of Computer Science & Engineering, R.C.O.E.M., Nagpur, Maharashtra (India) 2
More informationAdversary Modelling 1
Adversary Modelling 1 Evaluating the Feasibility of a Symbolic Adversary Model on Smart Transport Ticketing Systems Authors Arthur Sheung Chi Chan, MSc (Royal Holloway, 2014) Keith Mayes, ISG, Royal Holloway
More informationOnline Voting Project. New Developments in the Voting System an Consequently Implemented Improvements in the Representation of Legal Principles.
New Developments in the Voting System an Consequently Implemented Improvements in the Representation of Legal Principles. Introduction. Since 2001 T-Systems made research on secure online voting systems
More informationSecurity Protocols: Principles and Calculi Tutorial Notes
Security Protocols: Principles and Calculi Tutorial Notes Martín Abadi Microsoft Research and University of California, Santa Cruz Abstract. This paper is a basic introduction to some of the main themes
More informationOverview of Cryptographic Tools for Data Security. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the
More informationClient Server Registration Protocol
Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are
More informationIntroduction to Cryptography CS 355
Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita- Rotaru
More informationContent Teaching Academy at James Madison University
Content Teaching Academy at James Madison University 1 2 The Battle Field: Computers, LANs & Internetworks 3 Definitions Computer Security - generic name for the collection of tools designed to protect
More informationNetwork Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶
Network Security 網 路 安 全 Lecture 1 February 20, 2012 洪 國 寶 1 Outline Course information Motivation Introduction to security Basic network concepts Network security models Outline of the course 2 Course
More informationCUNSHENG DING HKUST, Hong Kong. Computer Security. Computer Security. Cunsheng DING, HKUST COMP4631
Cunsheng DING, HKUST Lecture 08: Key Management for One-key Ciphers Topics of this Lecture 1. The generation and distribution of secret keys. 2. A key distribution protocol with a key distribution center.
More informationComputer Science 308-547A Cryptography and Data Security. Claude Crépeau
Computer Science 308-547A Cryptography and Data Security Claude Crépeau These notes are, largely, transcriptions by Anton Stiglic of class notes from the former course Cryptography and Data Security (308-647A)
More informationComputer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University
Computer Networks Network Security and Ethics Week 14 College of Information Science and Engineering Ritsumeikan University Security Intro for Admins l Network administrators can break security into two
More informationE- Encryption in Unix
UNIVERSITY of WISCONSIN-MADISON Computer Sciences Department CS 537 A. Arpaci-Dusseau Intro to Operating Systems Spring 2000 Security Solutions and Encryption Questions answered in these notes: How does
More informationPublic Key (asymmetric) Cryptography
Public-Key Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,
More informationSSL/TLS: The Ugly Truth
SSL/TLS: The Ugly Truth Examining the flaws in SSL/TLS protocols, and the use of certificate authorities. Adrian Hayter CNS Hut 3 Team adrian.hayter@cnsuk.co.uk Contents Introduction to SSL/TLS Cryptography
More informationVincent Cheval. Curriculum Vitae. Research
Vincent Cheval School of Computing University of Kent Canterbury, CT2 7NF, UK +44 (0)7479 555701 +44 (0)1227 823816 vincent.cheval@icloud.com homepage: www.cs.kent.ac.uk/ vc218/web Nationality : French
More informationHow to Send Stealth Text From Your Cell Phone
anonymous secure decentralized SMS stealthtext transactions WHITEPAPER STATE OF THE ART 2/8 WHAT IS STEALTHTEXT? stealthtext is a way to send stealthcoin privately and securely using SMS texting. stealthtext
More informationSimplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings
Simplified Security Notions of Direct Anonymous Attestation and a Concrete Scheme from Pairings Ernie Brickell Intel Corporation ernie.brickell@intel.com Liqun Chen HP Laboratories liqun.chen@hp.com March
More informationCS 758: Cryptography / Network Security
CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html
More informationProviding solutions for more secure exchanges
Providing solutions for more secure exchanges Stéphanie Delaune November 18, 2014 Stéphanie Delaune (LSV) Providing solutions for more secure exchanges 1 / 44 Cryptographic protocols Cryptographic protocols
More informationSECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS
SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS Abstract: The Single sign-on (SSO) is a new authentication mechanism that enables a legal user with a single credential
More informationCrypto-Verifying Protocol Implementations in ML
Crypto-Verifying Protocol Implementations in ML Karthikeyan Bhargavan 1,2 Ricardo Corin 1,3 Cédric Fournet 1,2 1 MSR-INRIA Joint Centre 2 Microsoft Research 3 University of Twente June 2007 Abstract We
More information1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.
1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks
More informationCryptography & Digital Signatures
Cryptography & Digital Signatures CS 594 Special Topics/Kent Law School: Computer and Network Privacy and Security: Ethical, Legal, and Technical Consideration Prof. Sloan s Slides, 2007, 2008 Robert H.
More informationCIS 5371 Cryptography. 8. Encryption --
CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.
More informationSignature Schemes. CSG 252 Fall 2006. Riccardo Pucella
Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by
More informationKEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1
KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting Alice M D sk[a] (C) Bob pk[a] C C $ E pk[a] (M) σ $ S sk[a] (M) M, σ Vpk[A] (M, σ) Bob can: send encrypted data
More informationA Search-Based Framework for Security Protocol Synthesis
A Search-Based Framework for Security Protocol Synthesis Hao Chen Submitted for the degree of Doctor of Philosophy The University of York Department of Computer Science April 2007 For My Mum and Dad 献
More information1 Construction of CCA-secure encryption
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.
More informationModule 7 Security CS655! 7-1!
Module 7 Security CS655! 7-1! Issues Separation of! Security policies! Precise definition of which entities in the system can take what actions! Security mechanism! Means of enforcing that policy! Distributed
More informationLecture 15 - Digital Signatures
Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.
More informationEfficient construction of vote-tags to allow open objection to the tally in electronic elections
Information Processing Letters 75 (2000) 211 215 Efficient construction of vote-tags to allow open objection to the tally in electronic elections Andreu Riera a,,joseprifà b, Joan Borrell b a isoco, Intelligent
More informationThe Advantages of Automatic Protocol Creation
AUTOMATIC PROTOCOL CREATION FOR INFORMATION SECURITY SYSTEM Mr. Arjun Kumar arjunsingh@abes.ac.in ABES Engineering College, Ghaziabad Master of Computer Application ABSTRACT Now a days, security is very
More informationDigital Signatures. (Note that authentication of sender is also achieved by MACs.) Scan your handwritten signature and append it to the document?
Cryptography Digital Signatures Professor: Marius Zimand Digital signatures are meant to realize authentication of the sender nonrepudiation (Note that authentication of sender is also achieved by MACs.)
More informationAnalysis of a Biometric Authentication Protocol for Signature Creation Application
Analysis of a Biometric Authentication Protocol for Signature Creation Application A. Salaiwarakul and M.D.Ryan School of Computer Science, University of Birmingham, UK {A.Salaiwarakul, M.D.Ryan}@cs.bham.ac.uk
More informationChapter 16: Authentication in Distributed System
Chapter 16: Authentication in Distributed System Ajay Kshemkalyani and Mukesh Singhal Distributed Computing: Principles, Algorithms, and Systems Cambridge University Press A. Kshemkalyani and M. Singhal
More informationA Survey on Optimistic Fair Digital Signature Exchange Protocols
A Survey on Optimistic Fair Digital Signature Exchange s Alfin Abraham Vinodh Ewards Harlay Maria Mathew Abstract Security services become crucial to many applications such as e-commerce payment protocols,
More informationCryptoVerif Tutorial
CryptoVerif Tutorial Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif Tutorial November 2014 1 / 14 Exercise 1: preliminary definition SUF-CMA
More informationModule: Applied Cryptography. Professor Patrick McDaniel Fall 2010. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Applied Cryptography Professor Patrick McDaniel Fall 2010 Page 1 Key Distribution/Agreement Key Distribution is the process where we assign
More informationAnonymity with Identity Escrow
Anonymity with Identity Escrow Aybek Mukhamedov and Mark Ryan The University of Birmingham March 30, 2006 Outline 1 Anonymity 2 Anonymity with identity escrow 3 Marshall and Molina-Jiminez protocol 4 Our
More informationA Secure RFID Ticket System For Public Transport
A Secure RFID Ticket System For Public Transport Kun Peng and Feng Bao Institute for Infocomm Research, Singapore Abstract. A secure RFID ticket system for public transport is proposed in this paper. It
More informationModule 8. Network Security. Version 2 CSE IIT, Kharagpur
Module 8 Network Security Lesson 2 Secured Communication Specific Instructional Objectives On completion of this lesson, the student will be able to: State various services needed for secured communication
More informationAssociate Prof. Dr. Victor Onomza Waziri
BIG DATA ANALYTICS AND DATA SECURITY IN THE CLOUD VIA FULLY HOMOMORPHIC ENCRYPTION Associate Prof. Dr. Victor Onomza Waziri Department of Cyber Security Science, School of ICT, Federal University of Technology,
More informationRSA Attacks. By Abdulaziz Alrasheed and Fatima
RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.
More informationLecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads
CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs
More informationAn Introduction to Digital Signature Schemes
An Introduction to Digital Signature Schemes Mehran Alidoost Nia #1, Ali Sajedi #2, Aryo Jamshidpey #3 #1 Computer Engineering Department, University of Guilan-Rasht, Iran m.alidoost@hotmail.com #2 Software
More informationCryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur
Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)
More informationSecurity Aspects of. Database Outsourcing. Vahid Khodabakhshi Hadi Halvachi. Dec, 2012
Security Aspects of Database Outsourcing Dec, 2012 Vahid Khodabakhshi Hadi Halvachi Security Aspects of Database Outsourcing Security Aspects of Database Outsourcing 2 Outline Introduction to Database
More informationCh.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis
Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography
More informationComputer and Network Security. Alberto Marchetti Spaccamela
Computer and Network Security Alberto Marchetti Spaccamela Slides are strongly based on material by Amos Fiat Good crypto courses on the Web with interesting material on web site of: Ron Rivest, MIT Dan
More informationNetwork Security (2) CPSC 441 Department of Computer Science University of Calgary
Network Security (2) CPSC 441 Department of Computer Science University of Calgary 1 Friends and enemies: Alice, Bob, Trudy well-known in network security world Bob, Alice (lovers!) want to communicate
More informationComputer Security. Draft Exam with Answers. 2009.
Computer Security Draft Exam with Answers. 2009. Please note that the questions written here are a draft of the final exam. There may be typos in the questions that were corrected in the final version
More informationDigital Signatures. Murat Kantarcioglu. Based on Prof. Li s Slides. Digital Signatures: The Problem
Digital Signatures Murat Kantarcioglu Based on Prof. Li s Slides Digital Signatures: The Problem Consider the real-life example where a person pays by credit card and signs a bill; the seller verifies
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 1: Introduction Ion Petre Department of IT, Åbo Akademi University January 10, 2012 1 Motto Unfortunately, the technical
More informationCertificate Based Signature Schemes without Pairings or Random Oracles
Certificate Based Signature Schemes without Pairings or Random Oracles p. 1/2 Certificate Based Signature Schemes without Pairings or Random Oracles Joseph K. Liu, Joonsang Baek, Willy Susilo and Jianying
More informationSecure Electronic Voting
7 th Computer Security Incidents Response Teams Workshop Syros,, Greece, September 2002 Secure Electronic Voting New trends, new threats... Prof.. Dr. Dimitris Gritzalis Dept. of Informatics Athens University
More information