Cryptographic Protocol
is and isn't like LEGO
Shin'ichiro Matsuo
August 26, 2015
IWSEC 2015
2014: the year of the SSL/TLS nightmare.
Cryptographic Protocol?

A rule which describes how an activity should be performed + Cryptography

At Wikipedia:

A security protocol (cryptographic protocol or encryption protocol) is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives.

A protocol describes how the algorithms should be used. A sufficiently detailed protocol includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program.
Cryptographic Protocol is Important
• Many security technologies based on cryptography are delivered as cryptographic protocols.
• We do not directly use cryptographic primitives like AES and RSA.
• We have a long and established body of study on cryptographic primitives.
• How much do we know about cryptographic protocols?
Spectrum
From fundamental to application: Authentication, Key Exchange, Secure Channel, Blind Signature, Time-stamp, E-Voting, E-Cash.
Authentication
(Alice, Bob, Adversary.) Bob confirms that the other party is Alice and rejects the adversary.
Key Exchange
(Alice, Bob, Adversary.) Alice and Bob share a session key; the adversary cannot obtain any key information.
Secure Channel (Authenticated Key Exchange)
(Alice, Bob, Adversary.) Alice and Bob share a session key with an authenticated user; the adversary cannot obtain any key information.
Blind Signature
(Alice, Bob, Signer.) The signer signs without knowing the contents; the resulting signature can still be verified.
Time-stamping
(Alice, Bob, Time Stamping Authority.) The Time Stamping Authority calculates a time-stamping token; with it, the existence of the data at time t can be verified.
Electronic Voting
(Voters, Tallier, Registration.) Prevent double voting and forgery; protect the privacy of the ballot.
E-cash
(Central Bank, Bank A, Bank B, User 1, User 2.) Prevent double spending and forgery; privacy in payment; the bank checks for double spending.
LEGO
Constructing something with LEGO: a combination of blocks realizes the functions designated in the instructions.
Cryptographic Protocol is like LEGO
Matching between security functionality and building blocks:
• Security functionality: Authentication, Anonymity, Confidentiality, Key Exchange
• Building blocks: Encryption, Challenge-Response, Shuffle
Simple Example: Challenge-Response
• A random bit generator produces a random r (the challenge).
• The prover signs r with the signing key (secret), producing a digital signature.
• The verifier checks the signature with the verification key (public).
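The challenge-response flow above, worked as an added Go example that is not from the slides: Bob draws a fresh random r, Alice signs it with her secret key, and Bob verifies with her public key. The one-shot bookkeeping for r (so a recorded response cannot be resent) and the untrusted-key case are added checks; the party names and the 32-byte challenge are illustrative assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Verifier is Bob: he issues fresh challenges and checks the signed responses
// against Alice's verification key, which he must have obtained genuinely
// (if an adversary could substitute its own key here, the adversary would pass).
type Verifier struct {
	peerKey ed25519.PublicKey // Alice's verification key (public)
	pending map[[32]byte]bool // challenges issued and not yet answered
}

func NewVerifier(peerKey ed25519.PublicKey) *Verifier {
	return &Verifier{peerKey: peerKey, pending: make(map[[32]byte]bool)}
}

// Challenge draws a fresh random r from the random bit generator and records it.
func (v *Verifier) Challenge() ([32]byte, error) {
	var r [32]byte
	if _, err := rand.Read(r[:]); err != nil {
		return r, err
	}
	v.pending[r] = true
	return r, nil
}

// Verify accepts (r, sig) only if r was issued by this verifier and not yet
// answered, and sig is a valid signature on r under Alice's key.
func (v *Verifier) Verify(r [32]byte, sig []byte) error {
	if !v.pending[r] {
		return errors.New("unknown or already answered challenge")
	}
	delete(v.pending, r) // one-shot: a resent (r, sig) pair is rejected
	if !ed25519.Verify(v.peerKey, r[:], sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Prover is Alice: she signs the challenge with her signing key (secret).
type Prover struct{ signingKey ed25519.PrivateKey }

func (p Prover) Respond(r [32]byte) []byte { return ed25519.Sign(p.signingKey, r[:]) }

// Demo runs three scenarios and reports whether each behaved as intended:
// an honest run is accepted, a replay of the same (r, sig) is rejected, and a
// response signed with a key Bob does not trust (the adversary's) is rejected.
func Demo() (honestOK, replayRejected, adversaryRejected bool, err error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, advPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	bob := NewVerifier(alicePub)
	alice := Prover{signingKey: alicePriv}

	// 1. Honest run.  Bob -> Alice: r.  Alice -> Bob: Sign(sk_Alice, r).
	r, err := bob.Challenge()
	if err != nil {
		return
	}
	sig := alice.Respond(r)
	honestOK = bob.Verify(r, sig) == nil

	// 2. Replay: an eavesdropper who recorded (r, sig) resends it.
	replayRejected = bob.Verify(r, sig) != nil

	// 3. Adversary answers a fresh challenge with its own signing key.
	r2, err := bob.Challenge()
	if err != nil {
		return
	}
	adversaryRejected = bob.Verify(r2, Prover{signingKey: advPriv}.Respond(r2)) != nil
	return
}

func main() {
	h, rr, ar, err := Demo()
	fmt.Println("honest accepted:", h, "| replay rejected:", rr, "| adversary rejected:", ar, "| err:", err)
}
```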
SSL/TLS looks like LEGO
Between Client and Server, SSL/TLS combines: Symmetric Encryption, Key Exchange, Entity Authentication, Negotiation, Integrity Check.
However, security isn't like LEGO
Man-in-the-Middle Attack: (Alice, Bob, Adversary.) Alice takes the adversary's key to be Bob's key.
Security model of cryptographic primitive
The operational environment is simple: Alice encrypts with E( ) under the encryption key, Bob decrypts with D( ) under the decryption key, and an adversary watches the channel between them.
Environment of real protocol
• Communication channels are controlled by the adversary.
  • Not limited to eavesdropping
  • Man-in-the-middle
• Some of the protocol participants are controlled by the adversary.
  • Leakage of secret information
What can be done by an adversary?
• Control the communication channel
  • Eavesdrop
  • Stop
  • Resend
  • Forge messages
• Attack on cryptography (with quite low probability)
  • Obtain plaintext
  • Forge signatures
  • Obtain session keys, …
Dolev-Yao Model
• Cryptography is treated as an ideal operation.
  • Only a party who has the decryption key obtains the plaintext.
  • Any other party obtains nothing.
  • Same treatment for digital signatures and other primitives.
• An adversary can control the communication channel.
  • Eavesdrop, stop, and send any message.
How difficult is it to evaluate the security?
• Protocol execution produces a huge number of states.
  • Each action produces a new state of the protocol execution.
• An adversary can attack either of the following; we have to care about both.
  • Misconfiguration of the protocol that produces an insecure state
  • Attack on the cryptographic primitives
History of Evaluation

Formal Verification:
• Formal method
• Find the existence of an insecure state
• Automated verification
• Tool-aided

Mathematical Proof:
• Rigorous proof
• Estimate the probability of attack
• Same as for a cryptographic primitive
Formal Verification
• The cryptographic algorithm is idealized.
• Explore whether a state exists that violates the security property.
• Dolev-Yao model.
• Omits the possibility of a successful attack on the underlying cryptographic algorithm.
Formal Verification Tools

The slide arranges the tools on two axes: model checking vs. theorem proving, and symbolic vs. cryptographic model.
• Symbolic, model checking: SCYTHER, ProVerif, NRL, FDR, AVISPA, AVISPA (TA4SP, unbounded)
• Symbolic, theorem proving: Isabelle/HOL, BPW (on Isabelle/HOL)
• Cryptographic: CryptoVerif, game-based security proof (on Coq)
Mathematical Proof
• Estimate the probability that the adversary breaks the security property.
• Show that the probability is negligible.
• Like the security proof of a cryptographic algorithm.
Universal Composability (UC)
• Define the ideal functionality, then prove that the actual protocol is indistinguishable from the ideal functionality.

(Figure: the environment Z interacts either with parties P1..P4 running the actual protocol or with parties P1..P4 attached to the ideal functionality F, and must not be able to tell which.)
Combination of Formal Verification and UC
• Combine the merits of formal verification and mathematically rigorous proof.
• Much research since 2002
  • Game-based evaluation
  • CryptoVerif
Attack on standard protocols
We have had many attacks on standard cryptographic protocols.
• Wireless LAN: WEP (2004), WPA-TKIP (2004), WPA-PSK (2011)
• SSL/TLS: TIME/CRIME/Lucky Thirteen, Heartbleed, POODLE, …
An example in wireless LAN
• Attack on WPA-TKIP (Beck-Tews, 2008)
  • Uses ARP packets to figure out the key stream
• Improvement of this attack by Ohigashi and Morii (2009)
Attacks on SSL/TLS
• SSL 2.0 (1994): Downgrade attack, CRIME, BREACH
• SSL 3.0 (1995): POODLE attack
• TLS 1.0 (1999): BEAST attack
• TLS 1.1 (2006): Heartbleed bug
CRIME attack
• Uses the compression functionality in SSL/TLS
• Figures out the contents of a cookie by comparing data sizes after compression
• Independent of the security of the underlying cryptographic primitive
Heartbleed bug
• Bug in OpenSSL related to the Heartbeat extension
  • Insufficient check of data size
• An adversary can obtain the contents of data in the server
• This attack, too, is independent of the strength of the underlying cryptographic primitives.
POODLE
• Man-in-the-middle
• Downgrade to RC4 (weak cipher)
• A problem of the SSL 3.0 specification
Only in the specification?
• Most threats come from the implementation,
• or from the pitfall between the specification and the implementation.
Pitfall between specification and implementation
In the case of Heartbleed:
• The description in the RFC document does not describe the details of the implementation
  • Treatment of data length (e.g. the case of size = 0)
• No instruction is provided for developers
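The data-length check the slides point to, as an added Go example that is not OpenSSL's code: a parser for the RFC 6520 heartbeat layout that compares the declared payload_length with the bytes actually received before copying anything, and treats the size = 0 case as a legal empty payload. The sample records are constructed for this example, not captured traffic.

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Heartbeat message layout (RFC 6520):
//   type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (at least 16 bytes)
const (
	hbRequest   = 1
	hbResponse  = 2
	hbHeaderLen = 3
	hbMinPad    = 16
)

type Heartbeat struct {
	Type    byte
	Payload []byte
}

// ErrDiscard signals a malformed message; RFC 6520 says to discard it silently.
var ErrDiscard = errors.New("heartbeat: malformed message, discarded")

// ParseHeartbeat checks the declared payload_length against the bytes actually
// received before touching the payload. This is the length check that the
// slides say was insufficient: a handler that trusts payload_length copies
// that many bytes from wherever the record sits in memory.
func ParseHeartbeat(record []byte) (Heartbeat, error) {
	if len(record) < hbHeaderLen {
		return Heartbeat{}, ErrDiscard
	}
	typ := record[0]
	if typ != hbRequest && typ != hbResponse {
		return Heartbeat{}, ErrDiscard
	}
	declared := int(binary.BigEndian.Uint16(record[1:3]))
	// The declared payload plus the minimum padding must fit in the record.
	// Comparing lengths first means an oversized declared value never reaches the copy.
	if hbHeaderLen+declared+hbMinPad > len(record) {
		return Heartbeat{}, ErrDiscard
	}
	// payload_length = 0 is legal: an empty payload followed by padding only.
	payload := make([]byte, declared)
	copy(payload, record[hbHeaderLen:hbHeaderLen+declared])
	return Heartbeat{Type: typ, Payload: payload}, nil
}

// BuildResponse echoes exactly the validated payload, followed by fresh random padding.
func BuildResponse(req Heartbeat) ([]byte, error) {
	if req.Type != hbRequest {
		return nil, errors.New("heartbeat: only requests are answered")
	}
	if len(req.Payload) > 0xFFFF {
		return nil, errors.New("heartbeat: payload too long for a 16-bit length")
	}
	out := make([]byte, hbHeaderLen+len(req.Payload)+hbMinPad)
	out[0] = hbResponse
	binary.BigEndian.PutUint16(out[1:3], uint16(len(req.Payload)))
	copy(out[hbHeaderLen:], req.Payload)
	if _, err := rand.Read(out[hbHeaderLen+len(req.Payload):]); err != nil {
		return nil, err
	}
	return out, nil
}

// Sample records, constructed for this example.
func ValidRequest() []byte {
	return append([]byte{hbRequest, 0x00, 0x03, 'a', 'b', 'c'}, make([]byte, hbMinPad)...)
}

func EmptyPayloadRequest() []byte {
	return append([]byte{hbRequest, 0x00, 0x00}, make([]byte, hbMinPad)...)
}

func OverlongRequest() []byte {
	// Declares 0x4000 payload bytes but carries only three plus padding.
	return append([]byte{hbRequest, 0x40, 0x00, 'a', 'b', 'c'}, make([]byte, hbMinPad)...)
}

func main() {
	samples := map[string][]byte{
		"valid": ValidRequest(), "empty": EmptyPayloadRequest(), "overlong": OverlongRequest(),
	}
	for name, rec := range samples {
		hb, err := ParseHeartbeat(rec)
		fmt.Printf("%-8s payload=%q err=%v\n", name, hb.Payload, err)
	}
}
```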
Solve the pitfall
• Write the protocol specification without ambiguity for implementation
• Clarify the operational conditions and implementation conditions.
We need collections of knowledge
• There was no trusted point that collects security information on cryptographic protocols.
• Protocol designers and engineers need tips and best practice.
  • Which protocol is secure?
  • What kind of design is good?
  • Notes for implementation
CELLOS (2013-12 -): International Consortium on Cryptographic Protocols
https://www.cellos-consortium.org
Overview of CELLOS

(Figure.) Participants: universities and research institutes; system vendors (development perspective); system vendors (usage perspective); international standardization organizations; referencers (public information); companies.

What CELLOS provides:
• For protocol design and for system design: wide-ranging and reliable security information from experts.
• For international standardization organizations: fixing or deprecation of insecure protocols.
• For research and education: consolidation of reliable information concerning security evaluation on a global scale, with discussions aligned to actual ICT systems.

What CELLOS consolidates:
• Analysis theories, tools and results through formal verification.
• Analysis theories and methods other than formal verification.
• Detailed information on the latest attack methods: possibilities and impacts of attacks on actual ICT systems, and methods for dealing with attacks on actual ICT systems.
• The latest analysis theories, methods and evaluation results; realistic countermeasures; detailed checking of information based on its technical validity.
The action example against POODLE

Date/Time (JST): Action
Oct. 14, 18:39: Found the news on Twitter and reported it to the online discussion system. Discussed the impacts.
Oct. 15, 14:04: Started editing a prompt report
Oct. 15, 14:04: 1st draft of the prompt report
Oct. 15, 21:48: 2nd draft of the prompt report; added important descriptions of the attack conditions and impacts
Oct. 15, 22:20: 3rd draft, added product names
Oct. 15, 22:20: Edited both the English and the Japanese version
Oct. 15, 22:52: Published the 1st prompt report
Oct. 15, 23:09: Added information on the new version of OpenSSL
Oct. 16, 10:07: Corrected editorial errors
Evaluation of New Protocols
• Evaluate a cryptographic protocol proposed by a member of CELLOS
• Conduct formal verification by an evaluation group in the working group
• The report will be publicly available on the Web site.
• Used as a supporting document for standardization and so on.
Requirements for the evaluation
• Open
  • Evaluation criteria
  • Evaluation method
• Publicly verifiable
• Unified evaluation framework
ISO/IEC 29128 (2011 Nov.)
• ISO/IEC standard on "Evaluation of Cryptographic Protocols"
• Defines a workflow of protocol verification and protocol assurance levels according to verification techniques.
• Workflow
  • A protocol designer writes documents and submits them to an evaluator.
    • Protocol specification, adversarial model, security requirements and the result.
  • The evaluator checks the correctness of these documents and re-executes the tool.
• Introduces four Protocol Assurance Levels
Protocol assurance level in ISO/IEC 29128

Protocol Specification
  PAL1: PPS_SEMIFORMAL. Semiformal description of protocol specification.
  PAL2: PPS_FORMAL. Formal description of protocol specification.
  PAL3, PAL4: PPS_MECHANIZED. Formal description of protocol specification in a tool-specific specification language, whose semantics is mathematically defined.

Adversarial Model
  PAL1: PAM_INFORMAL. Informal description of adversarial model.
  PAL2: PAM_FORMAL. Formal description of adversarial model.
  PAL3, PAL4: PAM_MECHANIZED. Formal description of adversarial model in a tool-specific specification language, whose semantics is mathematically defined.

Security Property
  PAL1: PSP_INFORMAL. Informal description of security property.
  PAL2: PSP_FORMAL. Formal description of security property.
  PAL3, PAL4: PSP_MECHANIZED. Formal description of security property in a tool-specific specification language, whose semantics is mathematically defined.

Self-assessment Evidence
  PAL1: PEV_ARGUMENT. Informal argument that the specification of the cryptographic protocol in its adversarial model achieves and satisfies its objectives and properties.
  PAL2: PEV_HANDPROVEN. Mathematically formal paper-and-pencil proof, verified by a human, that the specification of the cryptographic protocol in its adversarial model achieves and satisfies its objectives and properties.
  PAL3: PEV_BOUNDED. Tool-aided bounded verification that the specification of the cryptographic protocol in its adversarial model achieves and satisfies its objectives and properties.
  PAL4: PEV_UNBOUNDED. Tool-aided unbounded verification that the specification of the cryptographic protocol in its adversarial model achieves and satisfies its objectives and properties.
Toward future applications
• Cryptographic protocols are implemented to realize future applications.
• Directly connected to business
  • ApplePay
  • Bitcoin (Blockchain)
Blockchain
• Fundamental technique to realize a public ledger using a P2P network and chained digital signatures
• Used in digital currencies like Bitcoin

(Figure: users connect to a P2P network in which each node updates its own copy of the distributed ledger. A change moves the ledger from state L_t at time t to L_{t+1} at time t+1; each state carries the hash of the previous one, H(L_{t-1}) and then H(L_t), together with a digital signature.)
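The chained ledger in the figure, as an added Go example that is not from the slides: each state L_{t+1} embeds H(L_t) and carries a digital signature, and VerifyChain recomputes the chain so that a rewritten earlier entry is detected. It assumes a single signing node and models no P2P consensus; the keys and ledger entries are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Block is one ledger state L_t: the data of this step, the hash of the previous
// state H(L_{t-1}) that chains it, and a digital signature over both.
type Block struct {
	Time     uint64 // t
	PrevHash [32]byte
	Data     []byte
	Sig      []byte
}

// hashInput serialises the signed fields with explicit lengths so that
// different (Time, PrevHash, Data) triples never serialise to the same bytes.
func hashInput(b Block) []byte {
	buf := make([]byte, 8+32+4, 8+32+4+len(b.Data))
	binary.BigEndian.PutUint64(buf[0:8], b.Time)
	copy(buf[8:40], b.PrevHash[:])
	binary.BigEndian.PutUint32(buf[40:44], uint32(len(b.Data)))
	return append(buf, b.Data...)
}

// Hash returns H(L_t): the value the next block embeds. It covers the
// signature too, so a re-signed block also changes the hash seen downstream.
func Hash(b Block) [32]byte { return sha256.Sum256(append(hashInput(b), b.Sig...)) }

// Genesis creates L_0 with an all-zero previous hash.
func Genesis(data []byte, sk ed25519.PrivateKey) Block {
	b := Block{Time: 0, Data: data}
	b.Sig = ed25519.Sign(sk, hashInput(b))
	return b
}

// Append derives L_{t+1} from L_t: embeds H(L_t), then signs the new state.
func Append(prev Block, data []byte, sk ed25519.PrivateKey) Block {
	b := Block{Time: prev.Time + 1, PrevHash: Hash(prev), Data: data}
	b.Sig = ed25519.Sign(sk, hashInput(b))
	return b
}

// VerifyChain checks every signature under pk and that each block's PrevHash
// equals the hash of the block before it. Changing an earlier block changes
// its hash (and invalidates its signature), which breaks every later link.
func VerifyChain(chain []Block, pk ed25519.PublicKey) error {
	for i, b := range chain {
		if !ed25519.Verify(pk, hashInput(b), b.Sig) {
			return fmt.Errorf("block %d: signature does not verify", i)
		}
		if i == 0 {
			continue
		}
		if b.PrevHash != Hash(chain[i-1]) || b.Time != chain[i-1].Time+1 {
			return fmt.Errorf("block %d: does not chain to block %d", i, i-1)
		}
	}
	return nil
}

// Demo builds a three-block chain, then rewrites block 1's data in a copy, and
// reports whether the intact chain verifies and the tampered copy is rejected.
func Demo() (intactOK, tamperDetected bool, err error) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	chain := []Block{Genesis([]byte("ledger start"), sk)}
	chain = append(chain, Append(chain[0], []byte("user1 pays user2 5"), sk))
	chain = append(chain, Append(chain[1], []byte("user2 pays user1 2"), sk))
	intactOK = VerifyChain(chain, pk) == nil

	tampered := make([]Block, len(chain))
	copy(tampered, chain)
	tampered[1].Data = []byte("user1 pays user2 500") // attempt to rewrite history
	tamperDetected = VerifyChain(tampered, pk) != nil
	return
}

func main() {
	ok, detected, err := Demo()
	fmt.Println("intact chain verifies:", ok, "| tampering detected:", detected, "| err:", err)
}
```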
Application of blockchain
• Digital currency
• Smart contract
• Registration and certification
• Publicly verifiable storage
How much do we know about the security of Bitcoin?

Property: Formalization | Formal Analysis (Coq) | Formal Analysis (Others)
Security
  Anti-double spending: [GKL15] | [B15], [G14] | Not found
  Anti-Money Laundering: Not found | Not found | Not found
Privacy
  Unlinkability: [AKRSC13] | Not found | Not found
  Taint-resistant: [MO15] | Not found | Not found
Cryptographic Protocols are becoming the foundation
• Blockchain is a foundation of publicly verifiable trust
• Several applications will be developed over blockchain
• Several private companies focus on research into cryptographic protocols, including applications of blockchain.
• Applications, experiments and businesses are emerging quickly, in a LEGO-like and agile development manner.
• Cryptographic protocols directly connect to business.
We need more study.
• Unfortunately, security evaluation of emerging cryptographic protocols is insufficient.
• Quick business development vs. security
• Development methods are needed that clear the risks for both business operators and users
Conclusion
• Abstract of cryptographic protocols
• Why a cryptographic protocol is and isn't like LEGO
• How we can evaluate the security
• Future applications
• We need more study toward smart applications based on cryptographic protocols.

[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 

Cryptographic Protocol is and isn't like LEGO.

  • 1. Cryptographic Protocol is and isn't like LEGO. Shin'ichiro Matsuo, August 26, 2015, IWSEC 2015
  • 2. 2014: the year of the SSL/TLS nightmare.
  • 3. Cryptographic Protocol? A rule which describes how an activity should be performed + Cryptography
  • 4. At Wikipedia: A security protocol (cryptographic protocol or encryption protocol) is an abstract or concrete protocol that performs a security-related function and applies cryptographic methods, often as sequences of cryptographic primitives. A protocol describes how the algorithms should be used. A sufficiently detailed protocol includes details about data structures and representations, at which point it can be used to implement multiple, interoperable versions of a program.
  • 5. Cryptographic Protocol is Important • Many security technologies based on cryptography are delivered as cryptographic protocols. • We do not use cryptographic primitives like AES and RSA directly. • We have a long and established body of study on cryptographic primitives. • How much do we know about cryptographic protocols?
  • 8. Key Exchange: Alice and Bob share a session key; the adversary cannot obtain key information.
  • 9. Secure Channel (Authenticated Key Exchange): Alice and Bob share a session key with an authenticated user; the adversary cannot obtain key information.
  • 10. Blind Signature: Alice and Bob (the signer); the signer signs without knowing the contents, and the signature can still be verified.
  • 11. Time-stamping: the Time Stamping Authority calculates a time-stamping token for Alice; Bob verifies the existence of the data at time t.
  • 13. E-cash: Central Bank, Bank A, Bank B, User 1, User 2; prevent double spending and forgery (the bank checks for double spending); privacy in payment.
  • 15. Constructing something with LEGO: a combination of blocks realizes the functions designated in the instructions.
  • 16. Cryptographic Protocol is like LEGO: matching between security functionality and building blocks. Security functionality: Authentication, Anonymity, Confidentiality, Key Exchange. Building blocks: Encryption, Challenge-Response, Shuffle.
  • 17. Simple Example: Challenge-Response. Two blocks: a Random Bit Generator, which produces the random challenge r, and a Digital Signature, with signing under the (secret) signing key and verification under the (public) verification key.
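The composition on this slide, written out as an added example (not code from the talk): the random-bit-generator block supplies a fresh challenge, and a keyed authenticator over (prover, verifier, challenge) supplies the proof of key possession. The slide's second block is a digital signature; this example stands in an HMAC under a key shared by prover and verifier, which is an assumption of the example, not something the slide specifies. The `rng` parameter exists so the same protocol can be run with a broken random-bit block, which is the point of the "isn't like LEGO" half of the talk: the composition is only as good as each block.

```python
"""Challenge-response entity authentication built from two blocks: a random bit
generator (fresh challenge r) and a keyed authenticator over the challenge.
Added example, not code from the talk. The slide's second block is a digital
signature; here an HMAC under a key shared by prover and verifier stands in
for it (an assumption of this example), since the freshness argument is the same."""
import hashlib
import hmac
import secrets


def tag(key: bytes, prover_id: bytes, verifier_id: bytes, challenge: bytes) -> bytes:
    # Bind both identities so a transcript from one pairing cannot be reused in another.
    return hmac.new(key, b"|".join([prover_id, verifier_id, challenge]), hashlib.sha256).digest()


class Prover:
    def __init__(self, identity: bytes, key: bytes) -> None:
        self.identity, self.key = identity, key

    def respond(self, verifier_id: bytes, challenge: bytes) -> bytes:
        return tag(self.key, self.identity, verifier_id, challenge)


class Verifier:
    """`rng` is the random-bit-generator block, injectable so a weak one can be tried."""

    def __init__(self, identity: bytes, keys: dict, rng=secrets.token_bytes) -> None:
        self.identity, self.keys, self.rng = identity, keys, rng
        self.pending = {}                 # prover identity -> outstanding challenge

    def challenge(self, prover_id: bytes) -> bytes:
        r = self.rng(32)
        self.pending[prover_id] = r
        return r

    def verify(self, prover_id: bytes, response: bytes) -> bool:
        r = self.pending.pop(prover_id, None)      # a challenge is answerable once
        if r is None or prover_id not in self.keys:
            return False
        expected = tag(self.keys[prover_id], prover_id, self.identity, r)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def honest_run(verifier: Verifier, prover: Prover) -> bool:
    r = verifier.challenge(prover.identity)
    return verifier.verify(prover.identity, prover.respond(verifier.identity, r))


def replay_run(verifier: Verifier, prover: Prover) -> bool:
    """The adversary records one honest response and replays it in the next run.
    Returns True when the replay is accepted, i.e. when authentication failed."""
    r1 = verifier.challenge(prover.identity)
    recorded = prover.respond(verifier.identity, r1)
    verifier.verify(prover.identity, recorded)     # the honest run the adversary observed
    verifier.challenge(prover.identity)            # new run: the verifier issues r2
    return verifier.verify(prover.identity, recorded)   # adversary answers r2 with the old response


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    alice = Prover(b"alice", key)
    sound = Verifier(b"bob", {b"alice": key})
    broken = Verifier(b"bob", {b"alice": key}, rng=lambda n: b"\x00" * n)   # constant "random" block
    print("honest run:", honest_run(sound, alice))
    print("replay vs. sound RBG:", replay_run(sound, alice))
    print("replay vs. constant RBG:", replay_run(broken, alice))
```

With a sound random-bit block the replayed response is rejected because the verifier's second challenge differs from the first; with the constant block every challenge is the same, so the recorded response authenticates the adversary. The authenticator block is unchanged between the two runs.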
  • 18. SSL/TLS looks like LEGO: between Client and Server, the blocks Negotiation, Key Exchange, Entity Authentication, Symmetric Encryption and Integrity Check are combined.
  • 19. However, security isn't like LEGO: Man-in-the-Middle Attack. The adversary sits between Alice and Bob, and Alice takes the adversary's key to be Bob's key.
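The man-in-the-middle on this slide, run end to end as an added example (not code from the talk): an unauthenticated Diffie-Hellman exchange in which the adversary replaces both public shares, so that Alice and Bob each share a key with the adversary while believing they share it with each other, followed by the same exchange with the entity-authentication block added. The group (p = 2^127 - 1, g = 3) is a toy choice made for readability and is far too small for real use; the authenticator is an HMAC under a long-term key shared by Alice and Bob, standing in for the digital signature a real protocol would use. Both are assumptions of this example.

```python
"""Man-in-the-middle on unauthenticated Diffie-Hellman, and the same exchange
with an entity-authentication block. Added example, not code from the talk.
Toy parameters (assumption): p = 2**127 - 1 (a Mersenne prime) and g = 3,
readable but far too small for real use. The authenticator is an HMAC under a
key shared by Alice and Bob, standing in for a digital signature."""
import hashlib
import hmac
import secrets

P = 2**127 - 1
G = 3


def keypair():
    """Private exponent in [2, p-2] and the public share g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def session_key(peer_share: int, private: int) -> bytes:
    """KDF(g^(xy) mod p): SHA-256 over the big-endian shared value."""
    return hashlib.sha256(pow(peer_share, private, P).to_bytes(16, "big")).digest()


def authenticate(key: bytes, share: int) -> bytes:
    """Entity-authentication block: tag over the share (signature stand-in)."""
    return hmac.new(key, share.to_bytes(16, "big"), hashlib.sha256).digest()


def deliver(share: int, tag, mitm_share: int, mitm: bool):
    """The channel: an active adversary swaps the share but cannot re-tag it."""
    return (mitm_share, tag) if mitm else (share, tag)


def exchange(mitm: bool, auth_key: bytes = b"") -> dict:
    """Run one exchange; auth_key == b"" means the authentication block is absent."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    m_priv, m_pub = keypair()

    # Alice -> Bob
    share, tag = deliver(a_pub, authenticate(auth_key, a_pub) if auth_key else None, m_pub, mitm)
    if auth_key and not hmac.compare_digest(tag, authenticate(auth_key, share)):
        return {"aborted": True}         # Bob rejects: the share is not Alice's
    bob_key = session_key(share, b_priv)

    # Bob -> Alice
    share, tag = deliver(b_pub, authenticate(auth_key, b_pub) if auth_key else None, m_pub, mitm)
    if auth_key and not hmac.compare_digest(tag, authenticate(auth_key, share)):
        return {"aborted": True}         # Alice rejects: the share is not Bob's
    alice_key = session_key(share, a_priv)

    return {
        "aborted": False,
        "alice_bob_agree": alice_key == bob_key,
        # Keys the adversary can compute from the shares it saw and its own exponent.
        "mallory_reads_alice": session_key(a_pub, m_priv) == alice_key,
        "mallory_reads_bob": session_key(b_pub, m_priv) == bob_key,
    }


if __name__ == "__main__":
    print("no authentication, passive:", exchange(mitm=False))
    print("no authentication, MITM:   ", exchange(mitm=True))
    k = secrets.token_bytes(32)
    print("authenticated, MITM:       ", exchange(mitm=True, auth_key=k))
```

Against a passive adversary the key-exchange block alone is fine; against an active one Alice and Bob end up with different keys, each known to the adversary, and nothing in the exchange tells them so. Adding the authentication block does not make the adversary unable to swap shares, it makes the swap detectable, which is why the protocol aborts rather than "succeeds".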
  • 20. Security model of a cryptographic primitive: the operational environment is simple. Alice computes E( ) with the encryption key, Bob computes D( ) with the decryption key, and the adversary sits on the channel between them.
  • 21. Environment of a real protocol • Communication channels are controlled by the adversary. • Not limited to eavesdropping • Man-in-the-middle • Some of the protocol participants are controlled by the adversary. • Leakage of secret information
  • 22. What can an adversary do? • Control the communication channel • Eavesdrop • Stop • Resend • Forge messages • Attack the cryptography (with quite low probability) • Obtain plaintext • Forge signatures • Obtain session keys, …
  • 23. Dolev-Yao Model • Cryptography is treated as an ideal operation. • Only a party who has the decryption key obtains the plaintext. • Any other party obtains nothing. • Same treatment for digital signatures and others • The adversary can control the communication channel. • Eavesdrop, stop, and send any message.
  • 24. How difficult is it to evaluate the security? • Protocol execution produces a huge number of states. • Each action produces a new state of the protocol execution. • An adversary can attack either of the following; we should care about both. • A misconfiguration of the protocol which produces an insecure state • An attack on the cryptographic primitives
  • 25. History of Evaluation • Formal Verification: formal methods; find whether an insecure state exists; automated, tool-aided verification • Mathematical Proof: rigorous proof; estimate the probability of attack; the same approach as for cryptographic primitives
  • 26. Formal Verification • The cryptographic algorithm is idealized. • Explore whether a state exists that violates the security property. • Dolev-Yao model. • Omits the possibility of a successful attack on the underlying cryptographic algorithm.
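What slides 23, 24 and 26 describe, carried out on a tiny constructed protocol as an added example (not code from the talk and not from any of the tools it names): cryptography is modelled as ideal terms, the adversary's knowledge is closed under what Dolev-Yao allows (open pairs, decrypt only with the key), and a bounded search over the messages the adversary can build checks whether any of them drives an honest role into a state that leaks the secret. The protocol is a public-key key transport: Alice receives Bob's public key, sends a fresh session key under it, then sends the secret under the session key. In the flawed variant the key arrives unauthenticated; in the fixed variant it arrives as a certificate signed by a CA whose key the adversary does not hold. All names (`skB`, `skM`, `skCA`, `k`, `secret`) are constructed.

```python
"""Minimal Dolev-Yao analysis of a constructed key-transport protocol.
Atoms are strings; compound terms are tuples:
  ("pair", a, b)   ("pk", sk)   ("aenc", m, ("pk", sk))
  ("senc", m, k)   ("sign", m, sk)
Added example, not code from the talk or from ProVerif, Scyther, etc."""


def analyze(known):
    """Close a knowledge set under decomposition: open pairs, strip signatures
    (they reveal the signed message), decrypt only when the key is known."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            new = set()
            if t[0] == "pair":
                new = {t[1], t[2]}
            elif t[0] == "sign":
                new = {t[1]}
            elif t[0] == "senc" and t[2] in known:
                new = {t[1]}
            elif t[0] == "aenc" and isinstance(t[2], tuple) and t[2][1] in known:
                new = {t[1]}                  # private key of the target pk is known
            if not new <= known:
                known |= new
                changed = True
    return known


def derivable(t, known):
    """Can the adversary build t from an analyzed knowledge set?"""
    if t in known:
        return True
    if not isinstance(t, tuple):
        return False                          # unknown atom: a fresh key or a secret
    return all(derivable(arg, known) for arg in t[1:])


def alice_flawed(msg):
    """Alice without an authentication block: whatever key arrives is 'Bob's key'."""
    if isinstance(msg, tuple) and msg[0] == "pk":
        return [("aenc", ("pair", "k", "alice"), msg), ("senc", "secret", "k")]
    return None


def alice_fixed(msg):
    """Alice with the block added: the key must arrive certified under skCA."""
    if (isinstance(msg, tuple) and msg[0] == "sign" and msg[2] == "skCA"
            and isinstance(msg[1], tuple) and msg[1][0] == "pk"):
        return [("aenc", ("pair", "k", "alice"), msg[1]), ("senc", "secret", "k")]
    return None


def candidate_inputs(known):
    """Bounded synthesis: everything known, plus one constructor applied on top."""
    atoms = {t for t in known if isinstance(t, str)}
    cands = set(known)
    cands |= {("pk", a) for a in atoms}
    cands |= {("sign", t, a) for t in known for a in atoms}
    return cands


def find_attacks(role, network_view, secret="secret"):
    """Every adversary-buildable input that makes `role` emit messages from
    which the adversary can then derive `secret`."""
    known = analyze(network_view)
    attacks = []
    for msg in candidate_inputs(known):
        sent = role(msg)
        if sent is None:
            continue                          # the role rejects this input
        if derivable(secret, analyze(known | set(sent))):
            attacks.append(msg)
    return sorted(attacks, key=repr)


# What the adversary has seen on the wire before Alice acts (constructed).
FLAWED_NETWORK = {"alice", "bob", "skM", ("pk", "skB")}
FIXED_NETWORK = {"alice", "bob", "skM", ("pk", "skCA"), ("sign", ("pk", "skB"), "skCA")}

if __name__ == "__main__":
    print("flawed:", find_attacks(alice_flawed, FLAWED_NETWORK))
    print("fixed: ", find_attacks(alice_fixed, FIXED_NETWORK))
```

For the flawed role the search reports `('pk', 'skM')`: Alice encrypts the session key to the adversary's key, exactly the "think of it as Bob's key" state of slide 19. It also reports `('pk', 'alice')` and `('pk', 'bob')`, because in the symbolic model any atom the adversary knows can serve as a private key; all three are the same attack. For the fixed role the search finds nothing, since the only certificate the adversary can present is the genuine one. Note what the model does not say: it assumes the encryption and signature primitives are ideal, so it would never find Heartbleed or CRIME.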
  • 27. Formal Verification Tools, classified along two axes: symbolic vs. cryptographic model, and model checking vs. theorem proving. Tools named: CryptoVerif, Scyther, ProVerif, Isabelle/HOL, BPW (on Isabelle/HOL), NRL, FDR, AVISPA, AVISPA (TA4SP), unbounded verification, game-based security proofs on Coq.
  • 28. Mathematical Proof • Estimate the probability that the adversary breaks the security property. • Show that the probability is negligible. • Like the security proof of a cryptographic algorithm.
  • 29. Universal Composability (UC) • Define the ideal functionality F, then prove that the actual protocol is indistinguishable from the ideal functionality. (Diagram: an environment Z interacting with parties P1 to P4 running the actual protocol on one side, and with the ideal functionality F on the other.)
  • 30. Combination of Formal Verification and UC • Combine the merits of formal verification and mathematically rigorous proof. • Much research since 2002 • Game-based evaluation • CryptoVerif
  • 32. Attacks on standard protocols: we have had many attacks on standard cryptographic protocols. • Wireless LAN: WEP (2004), WPA-TKIP (2004), WPA-PSK (2011) • SSL/TLS: TIME/CRIME/Lucky Thirteen, Heartbleed, POODLE, …
  • 33. An example in wireless LAN • Attack on WPA-TKIP (Beck-Tews, 2008) • Uses ARP packets to recover the key stream • Improved by Ohigashi and Morii (2009)
  • 34. Attacks on SSL/TLS • SSL 2.0 (1995): cipher-suite rollback (downgrade) attacks • SSL 3.0 (1996): POODLE • TLS 1.0 (1999): BEAST • TLS 1.1 (2006) • Across versions: CRIME and BREACH, side channels on compression that do not depend on the protocol version • Heartbleed (2014) is a bug in OpenSSL's implementation, not a flaw in any version of the specification
  • 35. CRIME attack • Uses the compression functionality in SSL/TLS • Figures out the contents of the Cookie by comparing data sizes after compression • Independent of the security of the underlying cryptographic primitive
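The length comparison that CRIME relies on, as an added example (not code from the talk or from the attack's authors): the attacker controls part of an HTTPS request (the query string) and the browser appends the victim's cookie; because compression runs before encryption, a guess that extends the longest match with the cookie costs one literal less than every wrong guess, and encryption does not hide the length. The request layout, the cookie value and the guessing alphabet are constructed. The oracle here is a minimal greedy LZ77 (the matching stage DEFLATE is built on) with a byte cost model; real DEFLATE adds Huffman coding and byte alignment, which blur the one-literal difference and are why the real attack needs padding tricks on top of the loop below.

```python
"""CRIME-style cookie recovery through a compression length oracle.
Added example: the request layout, cookie and alphabet are constructed,
and the compressor is a minimal greedy LZ77, not zlib/DEFLATE."""
MIN_MATCH = 3
WINDOW = 32768
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
SECRET_COOKIE = "x7k2pq"          # the value the attacker wants to learn (constructed)


def lz77_size(data: bytes) -> int:
    """Greedy LZ77 with a byte cost model: 1 byte per literal,
    3 bytes per (length, distance) token, matches of MIN_MATCH or longer."""
    i, size = 0, 0
    while i < len(data):
        best = 0
        for j in range(max(0, i - WINDOW), i):
            length = 0
            while i + length < len(data) and data[j + length] == data[i + length]:
                length += 1           # overlapping matches allowed, as in DEFLATE
            best = max(best, length)
        if best >= MIN_MATCH:
            size, i = size + 3, i + best
        else:
            size, i = size + 1, i + 1
    return size


def request(reflected: str, cookie: str) -> bytes:
    """The attacker chooses the query string; the browser adds the cookie."""
    return (f"GET /?q={reflected} HTTP/1.1\r\n"
            f"Host: shop.example\r\n"
            f"Cookie: session={cookie}\r\n\r\n").encode()


def compressed_length_oracle(reflected: str) -> int:
    """What a network attacker observes: the size of the compressed record.
    Encryption would not change the length, so it is omitted here."""
    return lz77_size(request(reflected, SECRET_COOKIE))


def recover(oracle, prefix: str, alphabet: str = ALPHABET, max_len: int = 32) -> str:
    """Extend the known prefix one byte at a time: the guess that extends the
    longest match with the cookie is the unique smallest observation."""
    known = ""
    while len(known) < max_len:
        sizes = {c: oracle(prefix + known + c) for c in alphabet}
        smallest = min(sizes.values())
        hits = [c for c, s in sizes.items() if s == smallest]
        if len(hits) != 1:            # no single winner: the value has ended
            break
        known += hits[0]
    return known


if __name__ == "__main__":
    print("recovered cookie:", recover(compressed_length_oracle, "session="))
```

Each round costs one oracle query per alphabet symbol, and the attacker never touches the ciphertext or the cipher: the only thing measured is the record length, which is why the slide says the attack is independent of the underlying primitive. Disabling compression, not changing the cipher, is the fix.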
  • 36. Heartbleed bug • A bug in OpenSSL related to the Heartbeat extension • Insufficient check of the data size • An adversary can obtain the contents of data in the server's memory • This attack is also independent of the strength of the underlying cryptographic primitives.
  • 37. POODLE • Man-in-the-middle • Downgrade the connection to SSL 3.0, then exploit SSL 3.0's CBC padding as a padding oracle (the content of the padding bytes is not verified) to decrypt data byte by byte • A problem of the SSL 3.0 specification
  • 38. Only in the specification? • Most threats come from the implementation • or from a pitfall between the specification and the implementation.
  • 39. Pitfall between specification and implementation, in the case of Heartbleed • The RFC describes the message format and says an oversized payload_length must be discarded, but not how the implementation should check it against the received record • Treatment of the data length (e.g. the case of size = 0) • No implementation guidance is provided for developers
  • 40. Solving the pitfall • Write the protocol specification without ambiguity for implementation • Clarify the operational conditions and the implementation conditions.
  • 41. We need collections of knowledge • There was no trusted point that collects security information on cryptographic protocols. • Protocol designers and engineers need tips and best practices. • Which protocol is secure? • What kind of design is good? • Notes for implementation
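The bounds-check pitfall of slides 36 and 39, simulated as an added example (not OpenSSL's code): a bytearray plays the role of process memory, with the received Heartbeat record placed directly in front of unrelated data (a constructed string that stands in for a private key). The vulnerable responder trusts the peer's payload_length and copies that many bytes from the payload, as the C code did; the hardened responder applies the check the OpenSSL fix added (discard silently when 1 + 2 + payload_length + 16 exceeds the record length), which is what RFC 6520's "discard silently" sentence requires but does not spell out. The `probe` helper and the neighbouring data are constructed for this example.

```python
"""Heartbleed as a length-check pitfall, simulated. Added example; not OpenSSL code.
RFC 6520 HeartbeatMessage: type (1 byte) | payload_length (2 bytes) | payload | padding (>= 16 bytes)."""
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16


class Memory:
    """Stands in for process memory: the received record followed by unrelated data."""

    def __init__(self, record: bytes, neighbour: bytes) -> None:
        self.buf = bytearray(record + neighbour)
        self.record_length = len(record)     # what the TLS record layer actually delivered


def build_heartbeat(claimed_length: int, payload: bytes, padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """The length field is whatever the sender writes; a hostile peer lies here."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length) + payload + padding


def respond_vulnerable(mem: Memory) -> Optional[bytes]:
    """Trusts payload_length taken from the message itself (the pre-fix behaviour)."""
    hbtype, payload_length = struct.unpack_from("!BH", mem.buf, 0)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    payload = bytes(mem.buf[3:3 + payload_length])   # runs past the record into neighbouring memory
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def respond_fixed(mem: Memory) -> Optional[bytes]:
    """Checks the claimed length against the record the transport actually delivered."""
    if 1 + 2 + MIN_PADDING > mem.record_length:
        return None                                      # too short to hold any message
    hbtype, payload_length = struct.unpack_from("!BH", mem.buf, 0)
    if hbtype != HEARTBEAT_REQUEST:
        return None
    if 1 + 2 + payload_length + MIN_PADDING > mem.record_length:
        return None                                      # RFC 6520: discard silently
    payload = bytes(mem.buf[3:3 + payload_length])
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * MIN_PADDING


def probe(responder, claimed_length: int, payload: bytes, neighbour: bytes) -> Optional[bytes]:
    """Send one heartbeat and return the bytes of the echo that were never in the
    record, i.e. what leaked from neighbouring memory (b"" if nothing, None if dropped)."""
    record = build_heartbeat(claimed_length, payload)
    response = responder(Memory(record, neighbour))
    if response is None:
        return None
    echoed = response[3:3 + claimed_length]
    return echoed[len(record) - 3:]


NEIGHBOUR = b"-----BEGIN RSA PRIVATE KEY-----MIIEowIBAAKCAQEA"   # constructed stand-in for a secret

if __name__ == "__main__":
    for name, fn in (("vulnerable", respond_vulnerable), ("fixed", respond_fixed)):
        print(name, "honest:", probe(fn, 4, b"ping", NEIGHBOUR))
        print(name, "lying :", probe(fn, 40, b"ping", NEIGHBOUR))
```

Python slicing stops at the end of the bytearray, so the simulation leaks only what was placed next to the record; in C the copy reads whatever happens to follow the buffer, up to 64 KiB per request. The zero-length case from slide 39 is handled too: a claimed length of 0 passes the fixed check and yields an empty echo, which is the behaviour the specification leaves implicit.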
  • 42. CELLOS (since December 2013): International Consortium on Cryptographic Protocols, https://www.cellos-consortium.org
  • 43. Overview of CELLOS. Participants and what they get: universities and research institutions (for protocol design, research and education); system vendors from the development perspective (for system design) and from the usage perspective (possibilities and impacts of attacks on actual ICT systems, methods for dealing with them); international standardization organizations (fixing or deprecation of insecure protocols); referencers (wide-ranging and reliable security information from experts, as public information). What CELLOS consolidates: reliable information on security evaluation on a global scale; analysis theories, tools and results obtained through formal verification; analysis theories and methods other than formal verification; detailed information on the latest attack methods; discussions aligned to actual ICT systems. Output: the latest analysis theories, methods and evaluation results; realistic countermeasures; detailed checking of information based on its technical validity.
  • 44. The action example against POODLE (October 2014, times in JST) • Oct. 14, 18:39: found the news on Twitter and reported it to the online discussion system; discussed the impacts • Oct. 15, 14:04: started editing a prompt report • Oct. 15, 14:04: 1st draft of the prompt report • Oct. 15, 21:48: 2nd draft; added important descriptions of the attack conditions and impacts • Oct. 15, 22:20: 3rd draft; added product names • Oct. 15, 22:20: edited both the English and the Japanese version • Oct. 15, 22:52: published the 1st prompt report • Oct. 15, 23:09: added information on the new version of OpenSSL • Oct. 16, 10:07: corrected editorial errors
  • 45. Evaluation of New Protocols • Evaluate a cryptographic protocol proposed by a member of CELLOS • Formal verification is conducted by an evaluation group within the working group • The report is made publicly available on the Web site • Used as a supporting document for standardization and so on
  • 46. Requirements for the evaluation • Open evaluation criteria and evaluation method • Publicly verifiable • Unified evaluation framework
  • 47. ISO/IEC 29128 (Nov. 2011) • ISO/IEC standard on "Verification of Cryptographic Protocols" • Defines a workflow of protocol verification and protocol assurance levels according to the verification technique • Workflow: the protocol designer writes the documents (protocol specification, adversarial model, security requirements and the result) and submits them to an evaluator; the evaluator checks the correctness of these documents and re-executes the tool • Introduces four Protocol Assurance Levels
  • 48. Protocol assurance levels in ISO/IEC 29128 (PAL1 to PAL4, increasingly accurate) • Protocol Specification: PAL1 PPS_SEMIFORMAL (semiformal description of the protocol specification); PAL2 PPS_FORMAL (formal description of the protocol specification); PAL3 and PAL4 PPS_MECHANIZED (formal description of the protocol specification in a tool-specific specification language whose semantics is mathematically defined) • Adversarial Model: PAL1 PAM_INFORMAL (informal description of the adversarial model); PAL2 PAM_FORMAL (formal description of the adversarial model); PAL3 and PAL4 PAM_MECHANIZED (formal description of the adversarial model in a tool-specific specification language whose semantics is mathematically defined) • Security Property: PAL1 PSP_INFORMAL (informal description of the security property); PAL2 PSP_FORMAL (formal description of the security property); PAL3 and PAL4 PSP_MECHANIZED (formal description of the security property in a tool-specific specification language whose semantics is mathematically defined) • Self-assessment Evidence that the specification of the cryptographic protocol in its adversarial model achieves and satisfies its objectives and properties: PAL1 PEV_ARGUMENT (informal argument); PAL2 PEV_HANDPROVEN (mathematically formal paper-and-pencil proof verified by a human); PAL3 PEV_BOUNDED (tool-aided bounded verification); PAL4 PEV_UNBOUNDED (tool-aided unbounded verification)
  • 49. Toward future applications • Cryptographic protocols are implemented to realize future applications. • Directly connected to business • Apple Pay • Bitcoin (blockchain)
  • 50. Blockchain • A fundamental technique to realize a public ledger using a P2P network and chained digital signatures • Used in digital currencies like Bitcoin (Diagram: users on a P2P network, each node updating its copy of the distributed ledger; the ledger at time t carries H(L_{t-1}) and the ledger at time t+1 carries H(L_t), each with a digital signature.)
  • 52. Applications of blockchain • Digital currency • Smart contracts • Registration and certification • Publicly verifiable storage
  • 53. How much do we know about the security of Bitcoin? Columns: Formalization | Formal Analysis (Coq) | Formal Analysis (others) • Security, anti-double-spending: [GKL15] | [B15], [G14] | not found • Security, anti-money-laundering: not found | not found | not found • Privacy, unlinkability: [AKRSC13] | not found | not found • Privacy, taint resistance: [MO15] | not found | not found
  • 54. Cryptographic protocols are becoming the foundation • Blockchain is a foundation of publicly verifiable trust • Several applications will be developed over blockchain • Several private companies focus on research on cryptographic protocols, including applications of blockchain • Applications, experiments and businesses are arising quickly, in a LEGO-like, agile development manner • Cryptographic protocols directly connect to business
  • 55. We need more study • Unfortunately, the security evaluation of emerging cryptographic protocols is insufficient • Quick business development vs. security • Need for development methods that clear the risks for both business operators and users
  • 56. Conclusion • Abstract of cryptographic protocols • Why a cryptographic protocol is and isn't like LEGO • How we can evaluate the security • Future applications • We need more study toward smart applications based on cryptographic protocols.