Formal Methods in Security Protocols Analysis
|
|
- Adele Edwards
- 8 years ago
- Views:
Transcription
1 Formal Methods in Security Protocols Analysis Li Zhiwei Aidong Lu Weichao Wang Department of Computer Science Department of Software and Information Systems University of North Carolina at Charlotte
2 Big Picture Biggest Problem - rapid growth of interconnectivity - opens doors to cyber attacks Best tool - security mechanisms - security protocols play an essential role Full Control Insecure network Therefore Therefore future improvements depend highly on our ability to analyse security protocols
3 This talk is about Network security protocols Become a central concern And formal methods for their security analysis Security proof in some model; or Identify attacks
4 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results
5 Security Protocol Security Protocols use cryptographic primitives as building blocks to achieve security goals such as authentication, confidentiality, and integrity. consists of a set of rules which determine the exchange of messages between two or more participants. Protocol steps n : A B : M A sends M to B according to the n th protocol step. A, B principals, M message
6 Security Protocol Security Protocol Program distributed over network Use cryptography to achieve goal Attacker Read, intercept, replace messages, and remember their contents Correctness Attacker cannot learn protected secret or cause incorrect protocol completion
7 A Simple Protocol { A, N A } K B { N A, N B } K A A { N B } K B B K B = pk(b), K B -1 = sk(b) K A = pk(a), K A -1 = sk(a) Needham-Schroeder Public Key Protocol
8 Run of a protocol A Initiate Respond B Attacker C D Correct if no security violation in any run
9 Many other security protocols Challenge-response ISO ,2,3; Needham-Schroeder, Authentication Kerberos Key Exchange SSL handshake, IKE, JFK, IKEv2, Wireless and mobile computing Mobile IP, WEP, i Electronic commerce Contract signing, SET, electronic cash,
10 Motivation Why do we need security protocol analysis even after we constructed security protocols with so much care? Error-prone Security protocols are intricate and attackers are powerful Non-optimal may contain unnecessary operations
11 Examples of protocol flaws IKE [Meadows; 1999] Reflection attack; fix adopted by IETF WG IEEE i [He, Mitchell; 2004] DoS attack; fix adopted by IEEE WG GDOI [Meadows, Pavlovic; 2004] Composition attack; fix adopted by IETF WG Kerberos V5 [Scedrov et al; 2005] Identity misbinding attack; fix adopted by IETF WG How to addresses these shortcomings.
12 the answer is. use automatic verification approach to analysis security protocol Good domain for formal methods Active research area since early 80 s
13 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results
14 Central Problems 1 2 Identify security Model system properties Protocol Property See if properties are preserved under attack 4 Analysis Tool Security proof or attack Answer: the protocol is correct or not Attacker model 3 Model adversary
15 Security Analysis Methodology Security Properties authentication,secrecy,etc Analysis Tool Formal Methods Security proof or attack Answer the protocol is correct or not Security Protocols NS,Kerberos,etc. Attacker Model Complete control over network Perfect crypto 1 Specifies the security protocols to be verified as input 2 Specifies the desired security properties as requirement 3 Use Attacker Model to model adversary 4 The protocol analysis tool analyzes the input protocols using formal methods See if the security properties are preserved under attack 5 Output the result: the procol is flawed or it is correct
16 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results
17 Four Stanford approaches Finite-state analysis Case studies: find errors, debug specifications Symbolic execution model: Multiset rewriting Identify basic assumptions Study optimizations, prove correctness Complexity results Process calculus with probability and complexity More realistic intruder model Interaction between protocol and cryptography Equational specification and reasoning methods Protocol logic Axiomatic system for modular proofs of protocol properties
18 Some other projects and tools Exhaustive finite-state analysis FDR, based on CSP Search using symbolic representation of states Meadows: NRL Analyzer, Millen: Interrogator Prove protocol correct Paulson s Inductive method, others in HOL, PVS, MITRE -- Strand spaces Process calculus approach: Abadi-Gordon spicalculus, applied pi-calculus, Type-checking method: Gordon and Jeffreys, Many more this is just a small sample
19 Protocol Analysis Techniques Security Protocol Analysis Formal Models Dolev-Yao (perfect cryptography) Cryptographic Models Model Checking Protocol Logics Process Calculi Theorem Proving Probabilistic Interactive TM Probabilistic process calculi Probabilistic I/O automata FDR, Murphi, Athena, NRL, Brutus, OFMC BAN, PCL Spi-calculus, Applied π-calculus Inductive Method, Automating BAN, TAPS, Automating PCL Bug Finding Correctness Proofs
20 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results
21 The Athena aims to provide a method to: generates a proof if the protocol is actually RIGHT generates a counterexample if the protocol is actually WRONG
22 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results
23 Strand Space Model Answer Problem 1: Specifies the security protocols model security protocols and their execution graphical representation of execution Simple and intuitive A suitable framework for... formal specifications of security properties... proving correctness of protocols Thayer, Herzog, Guttman [THG98]
24 Defining Strand Spaces Message: ground term in free algebra Strand: sequence of nodes Node is labeled with +/- message Bundle: causal partial ordering of nodes in strands strand space:is a collection of strands Example: (The global view) { A, N A } K B { N A, N B } K A A { N B } K B B
25 Defining Strand Spaces(cont d) { A, N A } K B KA { N A, N B } B s view of the protocol { A, N A } K B {N B } K B A s view of the protocol { N A, N B } K A {N B } K B + { A, N A } K B -{ N A, N B } K A + {N B } K B Strand represents a sequence of actions (i.e, signed messages ±m) of an instance of a role + means principal sends this message - means principal receives this message A s (trace of his) strand
26 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results
27 Security Properties in this Logic Answer Problem 2: Specifies the desired security properties Authentication Secrecy A value v is secret in a strand space S if, for every bundle C that contains S, there does not exist a node n C, such that term(n)=v
28 For NS Authentication The formula that needs to be checked is gamma n 1 : - { A 0, N a0 } K b0 protocol The NS protocol delta n 1 : + { A 0, N a0 } K b0 + { A, N A } K B -{ A, N A } K B n 2 : + { N a0, N b0 } K a0 n 2 : - { N a0, N b0 } K a0 -{ N A, N B } K A + {N A, N B } K A n 3 : - {N b0 } K b0 + {N B } K B, -{N B } K B n 3 : + {N b0 } K b0
29 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results
30 The Penetrator Answer Problem 3: Model adversary participates in protocols via penetrator strands reflect the potentials of the penetrator penetrator is able to intercept and create messages (independent of the protocol) read and memorize all (not encrypted) message parts synthesize new messages built from his knowledge
31 The Penetrator Description of the intruder
32 Composing Strands to Bundles Regular strands Penetrator strands Intended protocol Attacker protocol
33 Penetrator s Work An Example Breaking into Needham-Schroeder protocol k A -{ N A, A } Kp + K p -1 -K p -1 Key K + N A, A Decryption D -N A, A -K B Key K + K B Man-in-the-middle attack + {N A, A } KB Encryption E pass messages through to another session A X B
34 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results
35 Design of Model Checker Answer Problem 4: See if properties are preserved under attack Verification Algorithm Given a model P, check if it satisfies formula F It turns out to be state search problem
36 Design of Model Checker Verification Algorithm Given a model P, check if it satisfies formula F It turns out to be state search problem If provable Athena If not provable, then counter-example Obtain a formal proof of the protocol Obtain concrete attacks on the protocol Axioms Axioms Counter-example Agreement formula Agreement formula
37 Outline Part I: Overview Motivation Why Security Protocols Analysis? Central problems Security Analysis Methodology Current Analysis Techniques Part II: Athena Alogrithm Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Experiment Results
38 NSPK in Strand Space Model A strand B strand Penetrator strands +{n,a} k b -{n,r} k a -{n,a} k b +{n,r} k a {x} k x k -1 x k +{r} k b -{r} k b {x} k The NS protocol 1. A 2. B 3. A B :{ N A:{ N B :{ N A A B, A}, N } B B B } A Each primitive capability of the attacker is a penetrator strand Same set of attacker strands for every protocol
39 The NS protocol + { A, N A } K -{ A, N A } B K B NS Protocol -{N A, N B } K A + {N A, N B } K A + {N B } K B -{N B } K B Try to discover the flaw in NS Anomaly in NS gamma,delta k A
40 NS Example l 0 =gamma n 1 : - { A 0, N a0 } K b0 unbound goals n 2 : + { N a0, N b0 } K a0 n 3 : - {N b0 } K b0
41 l 1 n 1 : - { A 0, N a0 } K b0 n 2 : + { N a0, N b0 } K a0 E(ncription) n 4 : -K b0 n 5 : - N b0 unbound goals n 3 : - {N b0 } K b0 n 6 : + {N b0 } K b0 3 unbound goals l 0 l 1 (3 unbound goal) l 2 (0 unbound goal) l 2 n 1 : - { A 0, N a0 } K b0 NS n4: + { A0, Na0 }Kb0 n 2 : + { N a0, N b0 } K a0 n 5 : - { N a0, N b0 } K a0 n 3 : - {N b0 } K b0 n 6 : + {N b0 } K b0
42 State Search for Needham-Shroeder l 0 l 1 n 1 : - { A 0, N a0 } K b0 E(ncription) n 4 : -K b0 l 1 (3) l 2 (0) n 2 : + { N a0, N b0 } K a0 n 5 : - N b0 l 3 (2) n 3 : - {N b0 } K b0 n 6 : + {N b0 } K b0 l 4 (3) l 5 (2) l 6 (2) l 2 n 1 : - { A 0, N a0 } K b0 NS n4: + { A0, Na0 }Kb0 l 7 (2) n 2 : + { N a0, N b0 } K a0 n 5 : - { N a0, N b0 } K a0 l 8 (invalid,cycle) n 3 : - {N b0 } K b0 n 6 : + {N b0 } K b0 l 9 (0)
43 l 9 NS gamma E(ncription) n 12 : -K b0 K(ey) n 7 D(ecription) K(ey) n 15 : -K I n 11 n 16 : -{A 0, N a0 } K I NS delta n 18 : + { A 0, N a0 } K b0 n 13 : - A 0, N a0 n 17 : + A 0, N a0 n 1 : - { A 0, N a0 } K b0 n 14 : + {A 0, N a0 } K b0 n 2 : + { N a0, N b0 } K a0 E(ncription) n 4 : -K b0 D(ecription) n 8 : -K I K(ey) n 7 :+K b0 n 9 : -{N b0 } K I K(ey) n 11 : +K I n 19 : - { N a0, N b0 } K a0 n 20 : + {N b0 } K b0 n 5 : - N b0 n 10 : + N b0 n 3 : - {N b0 } K b0 n 6 : + {N b0 } K b0 Search procedure terminate and counter example found!!! Obtain concrete attacks on the protocol Axioms Counter-example : Man-in-the-middle attack gamma delta
44 NSPK Attack +{n,a} k e Anomaly in NS -{n,r} k a k e -1 {n,a} k b +{r} k e {n,a} k b k A +{n,r} k a -{r} k b
45 NSL verification The NSL protocol A B A B :{ N 1 A:{ N B :{ N 1, A} 2, N } B 2 B, B} A
46 Conclusions Practical protocols may contain errors Automated formal methods find bugs that humans overlook Variety of tools Model checking can find errors Proof method can show correctness Athena Closing gap between the model checking and proof method Strand Spaces Model Security Properties Penetrator Strands Design of Model Checker Secrity protocol analysis is a challenge Some subtleties are hard to formalize No absolute security Security means: under given assumptions about system, no attack of a certain form will destroy specified properties.
47 References [THG98] F.Javier Thayer, Jonathan C. Herzog, and Joshua D. Guttman. Strand spaces: Why is a security protocol correct? In Proceedings of 1998 IEEE Symposium on Security and Privacy, [Low96] G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Tools and Algorithms for the Construction and Analysis of Systems, volume 1055 of Lecture Notes in Computer Science, pages Springer-Verlag, [Mil95] J. Millen. The Interrogator model. In Proceedings of the 1995 IEEE Symposium on Security and Privacy, pages IEEE Computer Society Press, [MMS97] J. C. Mitchell, M. Mitchell, and U. Stern. Automated analysis of cryptographic protocols using mur. In Proceedings of the 1997 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, [RN95] Stuart Russell and Peter Norvig. Artificial Intelligence: A Modern Approach. Prentice Hall Series in Artificial Intelligence, [HT96] N. Heintze and J. Tygar. A model for secure protocols and their compositions. IEEE Transactions on Software Engineering, 22(1):16 30, January 1996.
Course organization. Security Analysis of Network Protocols. Cryptographic Protocols. Computer Security. Security Analysis. Correctness vs Security
CS 259 Security Analysis of Network Protocols John Mitchell Stanford Vitaly Shmatikov SRI Course organization Lectures Tues, Thurs for approx first six weeks of quarter Project presentations last three
More informationThe Advantages of Automatic Protocol Creation
AUTOMATIC PROTOCOL CREATION FOR INFORMATION SECURITY SYSTEM Mr. Arjun Kumar arjunsingh@abes.ac.in ABES Engineering College, Ghaziabad Master of Computer Application ABSTRACT Now a days, security is very
More informationFormal Modelling of Network Security Properties (Extended Abstract)
Vol.29 (SecTech 2013), pp.25-29 http://dx.doi.org/10.14257/astl.2013.29.05 Formal Modelling of Network Security Properties (Extended Abstract) Gyesik Lee Hankyong National University, Dept. of Computer
More informationSECURITY ANALYSIS OF NETWORK PROTOCOLS: COMPOSITIONAL REASONING AND COMPLEXITY-THEORETIC FOUNDATIONS
SECURITY ANALYSIS OF NETWORK PROTOCOLS: COMPOSITIONAL REASONING AND COMPLEXITY-THEORETIC FOUNDATIONS A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES
More informationQ: Why security protocols?
Security Protocols Q: Why security protocols? Alice Bob A: To allow reliable communication over an untrusted channel (eg. Internet) 2 Security Protocols are out there Confidentiality Authentication Example:
More informationComputational Soundness of Symbolic Security and Implicit Complexity
Computational Soundness of Symbolic Security and Implicit Complexity Bruce Kapron Computer Science Department University of Victoria Victoria, British Columbia NII Shonan Meeting, November 3-7, 2013 Overview
More informationHow to Formally Model Features of Network Security Protocols
, pp.423-432 http://dx.doi.org/10.14257/ijsia How to Formally Model Features of Network Security Protocols Gyesik Lee Dept. of Computer & Web Information Engineering Hankyong National University Anseong-si,
More informationAuthenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm By Mihir Bellare and Chanathip Namprempre Some slides were also taken from Chanathip Namprempre's defense
More informationInductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting
Inductive Analysis of Security Protocols in Isabelle/HOL with Applications to Electronic Voting Denis Butin 1 / 37 2 / 37 Introduction Network communication sensitive: banking, private correspondence,
More informationSecure Reactive Systems
Michael Backes Saarland University, Germany joint work with Birgit Pfitzmann and Michael Waidner Secure Reactive Systems Lecture at Tartu U, 02/27/06 Building Systems on Open Networks E-Government Hospital
More informationPublic Key Encryption Protocols And Their Models
APPLYING FORMAL METHODS TO CRYPTOGRAPHIC PROTOCOL ANALYSIS Catherine Meadows Code 5543 Center for High Assurance Computer Systems US Naval Research Laboratory Washington, DC 20375 meadows@itd.nrl.navy.mil
More informationCSG 399 Lecture. The Inductive Approach to Protocol Analysis p.1
The Inductive Approach to Protocol Analysis CSG 399 Lecture The Inductive Approach to Protocol Analysis p.1 Last Time CSP approach: Model system as a CSP process A specification is a property of traces
More informationSecurity Protocols And Their Advantages
Electronic Notes in Theoretical Computer Science 83 (2004) URL: http://www.elsevier.nl/locate/entcs/volume83.html 32 pages Secure Protocol Composition Anupam Datta 1 Ante Derek 1 John C. Mitchell 1 Computer
More informationHow to prove security of communication protocols?
1/37 Introduction on security protocols Modeling Verification Towards cryptographic guarantees How to prove security of communication protocols? Véronique Cortier, LORIA - CNRS, Nancy Colloquium Morgenstern,
More informationCryptography and Network Security: Summary
Cryptography and Network Security: Summary Timo Karvi 12.2013 Timo Karvi () Cryptography and Network Security: Summary 12.2013 1 / 17 Summary of the Requirements for the exam The advices are valid for
More informationAn Overview of Common Adversary Models
An Overview of Common Adversary Karl Palmskog palmskog@kth.se 2012-03-29 Introduction Requirements of Software Systems 1 Functional Correctness: partial, termination, liveness, safety,... 2 Nonfunctional
More informationDiscovering Attacks on Security Protocols by Refuting Incorrect Inductive Conjectures
Discovering Attacks on Security Protocols by Refuting Incorrect Inductive Conjectures Graham J. Steel E H U N I V E R S I T Y T O H F G R E D I N B U Doctor of Philosophy Centre for Intelligent Systems
More informationNetwork Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶
Network Security 網 路 安 全 Lecture 1 February 20, 2012 洪 國 寶 1 Outline Course information Motivation Introduction to security Basic network concepts Network security models Outline of the course 2 Course
More informationVerifying security protocols using theorem provers
1562 2007 79-86 79 Verifying security protocols using theorem provers Miki Tanaka National Institute of Information and Communications Technology Koganei, Tokyo 184-8795, Japan Email: miki.tanaka@nict.go.jp
More informationComputer Security. Programming Language Methods in Computer Security. Plan. Orientation. Part I. Personal POPL timeline. How did I get here?
Programming Language Methods in Computer Security John Mitchell Stanford University Plan Perspective on computer security Protocol security Protocol examples basic rewriting model Incorporating probability
More informationElectronic Voting Protocol Analysis with the Inductive Method
Electronic Voting Protocol Analysis with the Inductive Method Introduction E-voting use is spreading quickly in the EU and elsewhere Sensitive, need for formal guarantees Inductive Method: protocol verification
More informationIs it possible to decide whether a cryptographic protocol is secure or not?
Is it possible to decide whether a cryptographic protocol is secure or not? Hubert Comon and Vitaly Shmatikov Abstract We consider the so called cryptographic protocols whose aim is to ensure some security
More informationAttestation and Authentication Protocols Using the TPM
Attestation and Authentication Protocols Using the TPM Ariel Segall June 21, 2011 Approved for Public Release: 11-2876. Distribution Unlimited. c 2011. All Rights Reserved. (1/28) Motivation Almost all
More informationSCADA System Security, Complexity, and Security Proof
SCADA System Security, Complexity, and Security Proof Reda Shbib, Shikun Zhou, Khalil Alkadhimi School of Engineering, University of Portsmouth, Portsmouth, UK {reda.shbib,shikun.zhou,khalil.alkadhimi}@port.ac.uk
More informationA STRUCTURED APPROACH TO NETWORK SECURITY PROTOCOL IMPLEMENTATION
A STRUCTURED APPROACH TO NETWORK SECURITY PROTOCOL IMPLEMENTATION a dissertation submitted to the department of computer science, faculty of science at the university of cape town in fulfillment of the
More informationModule: Applied Cryptography. Professor Patrick McDaniel Fall 2010. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Applied Cryptography Professor Patrick McDaniel Fall 2010 Page 1 Key Distribution/Agreement Key Distribution is the process where we assign
More informationFormal/Computational Verification of Protocol Implementations by Typechecking
Formal/Computational Verification of Protocol Implementations by Typechecking Cédric Fournet Microsoft Research with Karthik Bhargavan, Andy Gordon, http://research.microsoft.com/~fournet http://msr-inria.inria.fr/projects/sec
More informationAPPLYING FORMAL METHODS TO CRYPTOGRAPHIC PROTOCOL ANALYSIS: EMERGING ISSUES AND TRENDS
PPLYING FORML METHODS TO CRYPTOGRPHIC PROTOCOL NLYSIS: EMERGING ISSUES ND TRENDS Catherine Meadows Code 5543 Center for High ssurance Computer Systems US Naval Research Laboratory Washington, DC 20375
More informationTo Infinity And Beyond or, Avoiding the infinite in security protocol analysis
To Infinity And Beyond or, Avoiding the infinite in security protocol analysis ABSTRACT James Heather Department of Computing University of Surrey Guildford, UK j.heather@surrey.ac.uk We investigate conditions
More informationPart 2 D(E(M, K),K ) E(M, K) E(M, K) Plaintext M. Plaintext M. Decrypt with private key. Encrypt with public key. Ciphertext
Part 2 Plaintext M Encrypt with public key E(M, K) Ciphertext Plaintext M D(E(M, K),K ) Decrypt with private key E(M, K) Public and private key related mathematically Public key can be published; private
More informationSIGMA: the SIGn-and-MAc Approach to Authenticated Diffie-Hellman and its Use in the IKE Protocols
SIGMA: the SIGn-and-MAc Approach to Authenticated Diffie-Hellman and its Use in the IKE Protocols Hugo Krawczyk June 12, 2003 Abstract We present the SIGMA family of key-exchange protocols and the SIGn-and-MAc
More informationNathalie Louise Foster
The application of software and safety engineering techniques to security protocol development Nathalie Louise Foster Submitted for the degree of Doctor of Philosophy University of York Department of Computer
More informationHow To Verify A Bluetooth Device Pairing With A Human Eye Oracle
Formal Analysis of Authentication in Bluetooth Device Pairing Richard Chang and Vitaly Shmatikov The University of Texas at Austin Abstract. Bluetooth is a popular standard for short-range wireless communications.
More informationKerberos. Guilin Wang. School of Computer Science, University of Birmingham G.Wang@cs.bham.ac.uk
Kerberos Guilin Wang School of Computer Science, University of Birmingham G.Wang@cs.bham.ac.uk 1 Entity Authentication and Key Exchange In the last talk, we discussed key exchange and reviewed some concrete
More informationA Rewriting-Based Inference System for the NRL Protocol Analyzer
A Rewriting-Based Inference System for the NRL Protocol Analyzer Santiago Escobar Cathy Meadows José Meseguer UIUC NRL UIUC (UPV, Valencia, Spain) PROTOCOL EXCHANGE MEETING 2005, BALTIMORE, JUNE 9-10 Outline
More informationUniversally Composable Symbolic Analysis of Diffie-Hellman based Key Exchange
Universally Composable Symbolic Analysis of Diffie-Hellman based Key Exchange Ran Canetti and Sebastian Gajek School of Computer Science Tel Aviv University, Israel May 20, 2010 Abstract Canetti and Herzog
More informationNetwork Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide
Network Security [2] Public Key Encryption Also used in message authentication & key distribution Based on mathematical algorithms, not only on operations over bit patterns (as conventional) => much overhead
More informationThe Eighth International Conference INCOSE_IL 2015. Formal Methods Security Tools in the Service of Cyber Security
The Eighth International Conference INCOSE_IL 2015 כלים ובדיקות Formal Methods Security Tools in the Service of Cyber Security Dr. Michael J. May Kinneret College on the Sea of Galilee 1 כלים ובדיקות /
More informationAdversary Modelling 1
Adversary Modelling 1 Evaluating the Feasibility of a Symbolic Adversary Model on Smart Transport Ticketing Systems Authors Arthur Sheung Chi Chan, MSc (Royal Holloway, 2014) Keith Mayes, ISG, Royal Holloway
More informationTowards the Correctness of Security Protocols
Electronic Notes in Theoretical Computer Science 83 (2004) URL: http://www.elsevier.nl/locate/entcs/volume83.html 46 pages Towards the Correctness of Security Protocols Mourad Debbabi 1 Panasonic Information
More informationModel Checking Security Protocols
David Basin, Cas Cremers, Catherine Meadows Model Checking Security Protocols Draft manuscript October 22, 2012 Springer 2 24.1 Introduction Cryptographic protocols are communication protocols that use
More informationComparing State Spaces in Automatic Security Protocol Analysis
Comparing State Spaces in Automatic Security Protocol Analysis Cas J.F. Cremers 1, Pascal Lafourcade 2, and Philippe Nadeau 3 1 Department of Computer Science, ETH Zurich, 8092 Zurich, Switzerland 2 Verimag,
More informationSecurity Analysis of Network Protocols. John Mitchell Stanford University
Security Analysis of Network Protocols John Mitchell Stanford University Usenix Security Symposium, 2008 Many Protocols Authentication and key exchange SSL/TLS, Kerberos, IKE, JFK, IKEv2, Wireless and
More informationCryptography and Network Security
Cryptography and Network Security Spring 2012 http://users.abo.fi/ipetre/crypto/ Lecture 9: Authentication protocols, digital signatures Ion Petre Department of IT, Åbo Akademi University 1 Overview of
More informationDeriving Secure Network Protocols for Enterprise Services Architectures
1 Deriving Secure Network Protocols for Enterprise Services Architectures Matthias Anlauff, Dusko Pavlovic, and Asuman Suenbuel Kestrel Institute SAP Research Labs 3260 Hillview Avenue 3175 Deer Creek
More informationOperational Semantics of Security Protocols
Operational Semantics of Security Protocols Cas Cremers and Sjouke Mauw Eindhoven University of Technology, Department of Mathematics and Computer Science, P.O. Box 513, NL-5600 MB Eindhoven, The Netherlands.
More informationSECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES
www.arpapress.com/volumes/vol8issue1/ijrras_8_1_10.pdf SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES Malek Jakob Kakish Amman Arab University, Department of Computer Information Systems, P.O.Box 2234,
More informationCOSC 472 Network Security
COSC 472 Network Security Instructor: Dr. Enyue (Annie) Lu Office hours: http://faculty.salisbury.edu/~ealu/schedule.htm Office room: HS114 Email: ealu@salisbury.edu Course information: http://faculty.salisbury.edu/~ealu/cosc472/cosc472.html
More informationLecture 13 of 41. More Propositional and Predicate Logic
Lecture 13 of 41 More Propositional and Predicate Logic Monday, 20 September 2004 William H. Hsu, KSU http://www.kddresearch.org http://www.cis.ksu.edu/~bhsu Reading: Sections 8.1-8.3, Russell and Norvig
More informationSecure Client Applications
Secure Client Applications Networking Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 26 June 2014 Common/Reports/secure-client-apps.tex, r900 1/26 Acronyms
More informationAnalyzing Internet Security Protocols
Analyzing Internet Security Protocols Alec Yasinsac, Justin Childs Florida State University Computer Science Dept. yasinsac@cs.fsu.edu, childs@cs.fsu.edu Abstract In this paper, we show how a novel tool
More informationChapter 8. Network Security
Chapter 8 Network Security Cryptography Introduction to Cryptography Substitution Ciphers Transposition Ciphers One-Time Pads Two Fundamental Cryptographic Principles Need for Security Some people who
More informationCS 758: Cryptography / Network Security
CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html
More informationSecurity protocol verification by means of symbolic model checking.
Università degli Studi di Pisa Facoltà di Scienze Matematiche Fisiche e Naturali Corso di Laurea Specialistica in Informatica Tesi di Laurea Security protocol verification by means of symbolic model checking.
More informationArchitecture and Design for a Secure IM -Team 04: Discovery. Carl Nayak, Swanand Abhyankar Snowvee Gonsalves Sonali Kudtarkar
Architecture and Design for a Secure IM -Team 04: Discovery Carl Nayak, Swanand Abhyankar Snowvee Gonsalves Sonali Kudtarkar Features Secure Communication : Authentication, Confidentiality and Integrity
More informationAnalysis of Privacy-Preserving Element Reduction of Multiset
Analysis of Privacy-Preserving Element Reduction of Multiset Jae Hong Seo 1, HyoJin Yoon 2, Seongan Lim 3, Jung Hee Cheon 4 and Dowon Hong 5 1,4 Department of Mathematical Sciences and ISaC-RIM, Seoul
More informationLecture 2: Complexity Theory Review and Interactive Proofs
600.641 Special Topics in Theoretical Cryptography January 23, 2007 Lecture 2: Complexity Theory Review and Interactive Proofs Instructor: Susan Hohenberger Scribe: Karyn Benson 1 Introduction to Cryptography
More informationKEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1
KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE Mihir Bellare UCSD 1 The public key setting Alice M D sk[a] (C) Bob pk[a] C C $ E pk[a] (M) σ $ S sk[a] (M) M, σ Vpk[A] (M, σ) Bob can: send encrypted data
More informationTowards a Metalogic for Security Protocol Analysis
Towards a Metalogic for Security Protocol Analysis (Extended Abstract) Carlos Caleiro 1 Luca Viganò 2 David Basin 2 1 CLC, Department of Mathematics, IST, Lisbon, Portugal cs.math.ist.utl.pt/ccal.html
More informationSecurity Analysis of (Un-) Fair Non-repudiation Protocols
Security Analysis of (Un-) Fair Non-repudiation Protocols Sigrid Gürgens and Carsten Rudolph Fraunhofer Institute for Secure Telecooperation SIT Rheinstrasse 75, D-64295 Darmstadt, Germany {guergens,rudolphc}@sit.fraunhofer.de
More informationSymbolic Protocol Analysis With an Abelian Group Operator or Diffie-Hellman Exponentiation
Symbolic Protocol Analysis With an Abelian Group Operator or Diffie-Hellman Exponentiation Jonathan Millen and Vitaly Shmatikov Computer Science Laboratory SRI International millen,shmat@csl.sri.com Abstract
More informationNetwork Security Protocols: Analysis methods and standards
Network Security Protocols: Analysis methods and standards John Mitchell Stanford University Joint work with many students, postdocs, collaborators TRUST: Team for Research in Ubiquitous Secure Technologies
More informationAuthenticity by Typing for Security Protocols
Authenticity by Typing for Security Protocols Andrew D. Gordon Microsoft Research Alan Jeffrey DePaul University June 2002 Technical Report To appear in the Journal of Computer Security Microsoft Research
More informationCHAPTER 5 ACO BASED MOBILE AGENT FOR SECURED KEY MANAGEMENT
112 CHAPTER 5 ACO BASED MOBILE AGENT FOR SECURED KEY MANAGEMENT 5.1 Related Work Security in ad hoc network becomes a critical issue for the past few decades. Attacks will be avoided by authenticating
More informationCRYPTOGRAPHY IN NETWORK SECURITY
ELE548 Research Essays CRYPTOGRAPHY IN NETWORK SECURITY AUTHOR: SHENGLI LI INSTRUCTOR: DR. JIEN-CHUNG LO Date: March 5, 1999 Computer network brings lots of great benefits and convenience to us. We can
More informationA Search-Based Framework for Security Protocol Synthesis
A Search-Based Framework for Security Protocol Synthesis Hao Chen Submitted for the degree of Doctor of Philosophy The University of York Department of Computer Science April 2007 For My Mum and Dad 献
More informationWhat is Protocol Analysis?
What is Protocol Analysis? Francien Dechesne, Jan van Eijck, Wouter Teepe, Yanjing Wang The following is a transcript of one of the discussion sessions that took place during the Workshop on Games, Action
More informationIntroducing Formal Methods. Software Engineering and Formal Methods
Introducing Formal Methods Formal Methods for Software Specification and Analysis: An Overview 1 Software Engineering and Formal Methods Every Software engineering methodology is based on a recommended
More informationSecurity (II) ISO 7498-2: Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012
Course Outline: Fundamental Topics System View of Network Security Network Security Model Security Threat Model & Security Services Model Overview of Network Security Security Basis: Cryptography Secret
More informationTake-home points. Distributed Systems Security II. Remember digital signatures. Today: Auth protocols 15-440
Distributed Systems Security II 5-440 Take-home points What does using public-key for our authentication buy us? Compare kerberos (needham-schroeder) and SSL with a certificate authority Metrics: Scaling,
More informationSymbolic Analysis of Computer Network Security Protocols. Andre Scedrov University of Pennsylvania
Symbolic Analysis of Computer Network Security Protocols Andre Scedrov University of Pennsylvania Computer Security Goal: protection of computer systems and digital information Access control OS security
More informationChapter 3. Network Domain Security
Communication System Security, Chapter 3, Draft, L.D. Chen and G. Gong, 2008 1 Chapter 3. Network Domain Security A network can be considered as the physical resource for a communication system. This chapter
More informationMaude-NPA: Cryptographic Protocol Analysis Modulo Equational Properties
Maude-NPA: Cryptographic Protocol Analysis Modulo Equational Properties Santiago Escobar 1, Catherine Meadows 2, and Jose Meseguer 2 1 Universidad Politecnica de Valencia, Spain. sescobar@dsic.upv.es 2
More informationChapter 16: Authentication in Distributed System
Chapter 16: Authentication in Distributed System Ajay Kshemkalyani and Mukesh Singhal Distributed Computing: Principles, Algorithms, and Systems Cambridge University Press A. Kshemkalyani and M. Singhal
More informationInformation Security
Information Security Dr. Vedat Coşkun Malardalen September 15th, 2009 08:00 10:00 vedatcoskun@isikun.edu.tr www.isikun.edu.tr/~vedatcoskun What needs to be secured? With the rapid advances in networked
More informationCIS 433/533 - Computer and Network Security Public Key Crypto/ Cryptographic Protocols
CIS 433/533 - Computer and Network Security Public Key Crypto/ Cryptographic Protocols Professor Kevin Butler Winter 2010 Computer and Information Science Key Distribution/Agreement Key Distribution is
More informationModule 8. Network Security. Version 2 CSE IIT, Kharagpur
Module 8 Network Security Lesson 2 Secured Communication Specific Instructional Objectives On completion of this lesson, the student will be able to: State various services needed for secured communication
More informationTowards Security Analyses of an Identity Federation Protocol for Web Services in Convergent Networks
Towards Security Analyses of an Identity Federation Protocol for Web Services in Convergent Networks Maurice ter Beek ISTI CNR, Via G Moruzzi 1, 56124 Pisa, Italy Email: mauriceterbeek@isticnrit Corrado
More informationStatic Program Transformations for Efficient Software Model Checking
Static Program Transformations for Efficient Software Model Checking Shobha Vasudevan Jacob Abraham The University of Texas at Austin Dependable Systems Large and complex systems Software faults are major
More informationMessage Authentication Code
Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44
More informationSecurity: Focus of Control. Authentication
Security: Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized
More informationLecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References
Lecture Objectives Wireless Networks and Mobile Systems Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks Introduce security vulnerabilities and defenses Describe security functions
More informationDepartment of Computer & Information Sciences. CSCI-445: Computer and Network Security Syllabus
Department of Computer & Information Sciences CSCI-445: Computer and Network Security Syllabus Course Description This course provides detailed, in depth overview of pressing network security problems
More informationInformation Security Basic Concepts
Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,
More informationSTATUS REPORT ON MAUDE-NPA TOOL
STATUS REPORT ON MAUDE-NPA TOOL Catherine Meadows Santiago Escobar Jose Meseguer September 28, 2006 1 GOAL Extend standard free algebra model of crypto protocol analysis to deal with algebraic properties
More informationHybrid Planning in Cyber Security Applications
Louisa Pragst 20. November 2013 Hybrid Planning in Cyber Security Applications Bachelor Thesis 2 Hybrid Planning in Cyber Security Applications Introduction Overview Transformation of a POCL domain into
More informationA Review of Anomaly Detection Techniques in Network Intrusion Detection System
A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In
More informationCS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
More informationEasyCrypt - Lecture 6 Overview and perspectives. Tuesday November 25th
EasyCrypt - Lecture 6 Overview and perspectives Tuesday November 25th EasyCrypt - Lecture 6 Case studies Verified implementations Automated proofs and synthesis Perspectives 2 Inventaire à la Prevert Examples
More information3-6 Toward Realizing Privacy-Preserving IP-Traceback
3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems
More informationAssociate Prof. Dr. Victor Onomza Waziri
BIG DATA ANALYTICS AND DATA SECURITY IN THE CLOUD VIA FULLY HOMOMORPHIC ENCRYPTION Associate Prof. Dr. Victor Onomza Waziri Department of Cyber Security Science, School of ICT, Federal University of Technology,
More information12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust
Security in Wireless LANs and Mobile Networks Wireless Magnifies Exposure Vulnerability Information going across the wireless link is exposed to anyone within radio range RF may extend beyond a room or
More informationCSCI 454/554 Computer and Network Security. Final Exam Review
CSCI 454/554 Computer and Network Security Final Exam Review Topics covered by Final Topic before Midterm 20% Topic after Midterm 80% Date: 05/13/2015 9:00am noon Place: the same classroom Open book/notes
More informationAuthentication Types. Password-based Authentication. Off-Line Password Guessing
Authentication Types Chapter 2: Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter 3: Security on Network and Transport Layer Chapter 4:
More informationNetwork Security. by David G. Messerschmitt. Secure and Insecure Authentication. Security Flaws in Public Servers. Firewalls and Packet Filtering
Network Security by David G. Messerschmitt Supplementary section for Understanding Networked Applications: A First Course, Morgan Kaufmann, 1999. Copyright notice: Permission is granted to copy and distribute
More informationLecture 9 - Message Authentication Codes
Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,
More informationNetwork Security. Lecture 3
Network Security Lecture 3 Design and Analysis of Communication Networks (DACS) University of Twente The Netherlands Security protocols application transport network datalink physical Contents IPSec overview
More informationCMSC 421, Operating Systems. Fall 2008. Security. URL: http://www.csee.umbc.edu/~kalpakis/courses/421. Dr. Kalpakis
CMSC 421, Operating Systems. Fall 2008 Security Dr. Kalpakis URL: http://www.csee.umbc.edu/~kalpakis/courses/421 Outline The Security Problem Authentication Program Threats System Threats Securing Systems
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationSecure APIs and Simulationbased. Exposé thésard
Secure APIs and Simulationbased Security Exposé thésard 1 ME & MY THESIS at LSV since Oct 2010 Batiment IRIS Supervisors: Graham & Steve INRIA 2 Outline What are Secure Tokens, and what use do they have?
More information