Introduction Using CryptoVerif Proof technique Enc then MAC example FDH example Conclusion

78 pages

English

Découvre YouScribe en t'inscrivant gratuitement

Je m'inscris

Introduction Using CryptoVerif Proof technique Enc then MAC example FDH example Conclusion

pefav - Bruno Blanchet

Découvre YouScribe en t'inscrivant gratuitement

Je m'inscris

Obtenez un accès à la bibliothèque pour le consulter en ligne
En savoir plus

78 pages

English

Obtenez un accès à la bibliothèque pour le consulter en ligne
En savoir plus

A propos
Informations
Extrait

Description

Introduction Using CryptoVerif Proof technique Enc-then-MAC example FDH example Conclusion CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols Bruno Blanchet CNRS, Ecole Normale Superieure, INRIA, Paris September 2009 Bruno Blanchet (CNRS, ENS, INRIA) CryptoVerif September 2009 1 / 72

cryptographic primitives

cryptoverif proof technique

proofs can

bitstrings cryptographic primitives

approach allows

direct approach

dolev-yao model

automatic proof

Sujets

Blanchet

Dolev-Yao model

Informations

Publié par	pefav
Nombre de lectures	51
Langue	English

Extrait

IntroductionUsignrCpyoteVirPforteofnicheEqu-tnc-neheCAMpmaxDFelmpleHexalusiConcnoBRNC(tehcnalBonurypCrA)RIINS,ENS,900227/1

Bruno Blanchet

´ CNRS,EcoleNormaleSup´erieure,INRIA,Paris

CryptoVerif: A Computationally Sound Mechanized Prover for Cryptographic Protocols

September 2009

VetofSriteepermb

nIrtdorPfireVonhcetfooUsontiucptrygCinlpFexemamalpHDxeEnc-ique-MACthennoinoCesulc

Introduction

Two models for security protocols: Computational model: messages are bitstrings cryptographic primitives are functions from bitstrings to bitstrings the adversary is a probabilistic polynomial-time Turing machine Proofs are done manually. Formal model(so-called “Dolev-Yao model”): cryptographic primitives are ideal blackboxes messages are terms built from the cryptographic primitives the adversary is restricted to use only the primitives Proofs can be done automatically. Our goal: achieveautomatic provabilityunder the realisticcomputational assumptions.

2/722009mberpeetirSfoteVrCpyA)RIINS,ENS,NR(CtehcnalBonurB

pleCexameFDHamplnsuoinolcIntroducCgyrtpVoitnosUniecftiqhniferooPrM-nexeCAnEeuht-c(CetchanS,ENS,NRlBonurBtembfSep093/er20)ArCNIIReVirpyot

Two approaches for the automatic proof of cryptographic protocols in a computational model: Indirect approach: 1) Make a Dolev-Yao proof. 2) Use a theorem that shows the soundness of the Dolev-Yao approach with respect to the computational model. Pioneered by Abadi and Rogaway; pursued by many others. Direct approach: Design automatic tools for proving protocols in a computational model. Approach pioneered by Laud.

Introduction

4/72

Advantages and drawbacks

The indirect approach allows more reuse of previous work, but it has limitations: Hypotheseshave to be added to make sure that the computational and Dolev-Yao models coincide. Theallowed cryptographic primitivesare often limited, and only ideal, not very practical primitives can be used. Using the Dolev-Yao model is actually a (big)detour; The computational deﬁnitions of primitives ﬁt the computational security properties to prove. They do not ﬁt the Dolev-Yao model. We decided to focus on the direct approach.

bmre0290irSfpeeturonB)AIRNI,SeVotpyrCetchanBlENS,NR(C-tncn-henicheEquDFelaxeHeCAMpmaxnUsingCrroductioPforfoetpyoteVirtnIoCcnpmelnoulis

oducIntriqhnecftooPriferVotpyrCgnisUnoitEnuethc--MenexAClpmaHDFemaxeCelponclusionRIINCrA)S,NRS,ENhcnaC(teurBlBonriVetoypmbteepfS/59002re

We have implemented anautomatic proverCryptoVerif: provessecrecyandcorrespondence(including authentication) properties. provides agenericmethod for specifying properties of cryptographic primitiveswhich handles MACs (message authentication codes), symmetric encryption, public-key encryption, signatures, hash functions, . . . works forNsessions(polynomial in the security parameter), with an active adversary. gives a bound on theprobabilityof an attack (exact security).

An automatic prover

lBonhcnaC(te,SRNS,ENRIINCrA)toypeVirSfpeetbmre02096/72

Produced proofs

We use Shoup’s and Bellare&Rogaway’sgame hoppingmethod.

The proof is asequence of games: The ﬁrst game is thereal protocol. One goes from one game to the next by syntactic transformations or by applying the deﬁnition of security of a cryptographic primitive. Between consecutive games, the diﬀerence of probability of success of an attack is negligible. The last game is“ideal”: the security property is obvious from the form of the game. (The advantage of the adversary is typically 0 for this game.)

BurCAxeneM--chteunEpleCexameFDHamplVotpyrCgnisUnoitiqhnecftooPrifernlcnooisunIrtdocu

noConclusiHexampleDFelpmaxeCAM-neh-tnceEqunichteofPforeVirpyotgnrCnUsictioroduInteVirSfpeetbmre02097/72

Input and output of the tool

1Prepare the input ﬁle containing the speciﬁcation of theprotocolto study (initial game), thesecurity assumptionson the cryptographic primitives, thesecurity propertiesto prove. 2Run CryptoVerif 3CryptoVerif outputs thesequence of gamesthat leads to the proof, asuccinct explanationof the transformations performed between games, an upper bound of theprobabilityof success of an attack.