1 / 12

CIMPA School on Security Specification and verification of randomized security protocols Lecture 2

CIMPA School on Security Specification and verification of randomized security protocols Lecture 2. Catuscia Palamidessi, INRIA & LIX catuscia@lix.polytechnique.fr www.lix.polytechnique.fr/~catuscia Page of the course: www.lix.polytechnique.fr/~catuscia/teaching/CIMPA_School_05/.

ira-levy
Download Presentation

CIMPA School on Security Specification and verification of randomized security protocols Lecture 2

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CIMPA School on SecuritySpecification and verification of randomized security protocolsLecture 2 Catuscia Palamidessi, INRIA & LIX catuscia@lix.polytechnique.fr www.lix.polytechnique.fr/~catuscia Page of the course: www.lix.polytechnique.fr/~catuscia/teaching/CIMPA_School_05/ Probabilistic security protocols

  2. Plan of the course • Overview of the basic notions of Probability theory and Measure theory • Probabilistic automata • Probabilistic p-calculus • Applications to the specification and verification of randomized security protocols • Anonymity • Fair exchange Probabilistic security protocols

  3. Randomized security protocols • A certain number of security protocols use randomized primitives • Anonymity: • Crowds [Reiter and Rubin,1998], • anonymous communication (anonymity of the sender) • Onion Routing [Syverson, Goldschlag and Reed, 1997] • anonymous communication • Freenet [Clarke et al. 2001] • anonymous information storage and retrieval • Fairness • Probabilistic Contract Signing protocol [Ben-Or et al., 1990] • Probabilistic non-repudiation protocol [Markowitch and Roggeman, 1999] • Partial Secrets Exchange protocol [Even, Goldreich and Lempel, 1985] Probabilistic security protocols

  4. The probabilistic p-calculus References: • O.M. Herescu, C. Palamidessi. Probabilistic asynchronous p-calculus. In J. Tiuryn, ed., Proc. of FOSSACS 2000 (Part of ETAPS 2000), vol. 1784 of LNCS, pages 146--160. Springer-Verlag, 2000. www.lix.polytechnique.fr/~catuscia/papers/Prob_asy_pi/report.ps • C. Palamidessi, O.M. Herescu. A Randomized Distributed Encoding of the p-Calculus with Mixed Choice. To appear in Theoretical Computer Science (short version in Proc. of IFIP-TCS 2002, pages 537-549, Kluwer, 2002.) www.lix.polytechnique.fr/~catuscia/papers/prob_enc/report.ps Probabilistic security protocols

  5. The probabilistic p-calculus • Originally developed as an intermediate language for the fully distributed implementation of the p-calculus • The mixed choice mechanism of the p-calculus cannot be implemented in a fully distributed way deterministically, but can be done in a randomized way. Correctness is achieved with probability 1. • Presently, we use it as a framework to model the correctness of security protocols: • to specify security properties which require a probabilistic formulation, • to represent randomized security protocols • to prove their correctness, i.e. t verify that they satisfy the intended properties Probabilistic security protocols

  6. input | silent action inaction probabilistic choice output parallel new name replication The probabilistic p-calculus: syntax Similar to the asynchronous p-calculus of Amadio,Castellani and Sangiorgi, the only difference is that the input-guarded choice is probabilistic Probabilistic security protocols

  7. 1/2 1/3 1/2 1/3 1/3 1/2 1/3 1/2 1/3 1/3 2/3 2/3 1/3 1/3 1/2 1/3 1/3 1/2 1/3 2/3 1/3 The probabilistic p-calculus: operational sem • Based on the probabilistic automata of Segala and Lynch • nondeterministic and probabilistic behavior • nondeterminism associated to a scheduler (adversary) • probabilistic behavior associated to the choice of the process • groups, probabilistic distributions, steps steps Probabilistic security protocols

  8. m1 m2 mn pn p1 p2 … The probabilistic p-calculus: operational sem Probabilistic security protocols

  9. The probabilistic p-calculus: operational sem Probabilistic security protocols

  10. The probabilistic p-calculus: operational sem Probabilistic security protocols

  11. The probabilistic p-calculus: operational sem Probabilistic security protocols

  12. The probabilistic p-calculus: operational sem Probabilistic security protocols

More Related