Security II - Security Properties
Stefano Calzavara
Università Ca’ Foscari Venezia
April 24, 2020
Introduction
We studied how to model cryptographic protocols in applied pi-calculus, but how can we formulate security properties?
secrecy: the attacker should not be able to learn confidential parts of protocol messages
authentication: a subtle property, which ensures that the sender and the receiver “agree” on the exchanged data and their respective roles
Secrecy
Definition
The process P preserves the secrecy of M iff, for all the opponents O, we have that P | O never outputs M on a public channel.
This also covers the case where M is not directly leaked by P, but can be reconstructed by O, because O can then output M on a public channel.
Do the following processes preserve the secrecy of n?
(νk) (c〈senc(n, k)〉)
(νn) (νk) (c〈senc(n, k)〉)
(νn) (νk) (c〈senc(n, k)〉.c〈k〉)
Violating Secrecy
Pick the process P ≜ (νn) (νk) (c〈senc(n, k)〉.c〈k〉)
The secrecy of n is violated by the following opponent:
O ≜ c(x).c(y).let z = sdec(x, y) in a〈z〉
We can show that:
P | O → (νn) (νk) (c〈k〉 | c(y).let z = sdec(senc(n, k), y) in a〈z〉)
      → (νn) (νk) let z = sdec(senc(n, k), k) in a〈z〉
      → (νn) (νk) a〈n〉
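
The deduction the opponent performs above can be mechanised. The following Python sketch is an added example, not part of the original slides: it saturates the opponent's knowledge under symmetric decryption and checks the three processes from the Secrecy slide. It assumes the opponent knows every free name of the process and only observes the outputs on c; the function and variable names are illustrative.

```python
# Added illustration (not from the slides): symbolic Dolev-Yao deduction.
# Names are strings; senc(m, k) is represented by the tuple ("senc", m, k).

def senc(m, k):
    return ("senc", m, k)

def can_build(term, known):
    """Synthesis: the opponent holds `term` or can construct it from its parts."""
    if term in known:
        return True
    if isinstance(term, tuple):
        return all(can_build(arg, known) for arg in term[1:])
    return False  # an unknown atomic name cannot be guessed

def saturate(initial):
    """Analysis: apply sdec(senc(m, k), k) = m until nothing new is learned."""
    known = set(initial)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if isinstance(term, tuple) and term[0] == "senc":
                _, plaintext, key = term
                if plaintext not in known and can_build(key, known):
                    known.add(plaintext)
                    changed = True
    return known

def preserves_secrecy(secret, free_names, outputs):
    """True iff the opponent cannot derive `secret`.

    Assumption: the opponent starts with every free name of the process and
    sees every message output on the public channel c; names bound by ν stay
    unknown unless they leak.
    """
    known = saturate(set(free_names) | set(outputs))
    return not can_build(secret, known)

# The three processes from the Secrecy slide.
P1 = dict(free_names={"c", "n"}, outputs=[senc("n", "k")])    # only k restricted: n is free
P2 = dict(free_names={"c"}, outputs=[senc("n", "k")])         # n and k restricted
P3 = dict(free_names={"c"}, outputs=[senc("n", "k"), "k"])    # k is output afterwards

if __name__ == "__main__":
    for name, proc in (("P1", P1), ("P2", P2), ("P3", P3)):
        print(name, "preserves the secrecy of n:", preserves_secrecy("n", **proc))
```
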
Strong Secrecy
Our simple definition of secrecy has two main problems:
1. no implicit flows: we have discussed that secrets can be leaked bit by bit, but we can’t capture that only part of the secret is revealed
2. limited expressiveness: what if the secret is a public value, like in the case of e-voting protocols?
There are also stronger definitions of secrecy in the literature, based on the notion of observational equivalence.
Example
A protocol run where Alice votes for Bob is observationally equivalent to a protocol run where Alice votes for Charlie.
Authentication
Authentication is harder to formulate than secrecy
non-injective agreement: the parties must agree on their respective identities, their role in the protocol and the content of the message
injective agreement: same as above, but the recipient must also be able to verify the freshness of the message
Example
Assume that A sends a payment order M to B. Non-injective agreement requires that B authenticates A as the sender of M. Injective agreement also ensures that B cannot accept M multiple times (no replay attacks).
Correspondence Assertions
We decorate the protocol code with events, also called correspondence assertions in traditional literature
begin(A,B,M): A sends to B the message M
end(A,B,M): B accepts from A the message M
We assume that the attacker’s code cannot contain end() events
Definition
The process P satisfies non-injective agreement iff, for all the opponents O and runs of P | O, each end(A,B,M) is preceded by a begin(A,B,M).
We require a distinct begin(A,B,M) for injective agreement!
Example: Injective vs Non-Injective Agreement
Alice → Bob: {M}KA
A ≜ begin(a, b, M).b〈sign(M, KA)〉
B ≜ !b(x).let y = ver(x, pk(KA)) in end(a, b, y)
S ≜ (νKA) (A | B)
This protocol satisfies non-injective agreement, but violates injective agreement: O ≜ b(x).b〈x〉.b〈x〉
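
The two definitions can be checked mechanically on a trace of events. The following Python sketch is an added example, not part of the original slides: it implements both checks and replays the signed message of the protocol above the way the opponent O does. Signatures are symbolic tuples, and the function names are illustrative.

```python
# Added illustration (not from the slides): checking correspondence assertions
# on a trace, then replaying the signed message from the example above.
from collections import Counter

def non_injective_agreement(trace):
    """Every end(A,B,M) has some earlier begin(A,B,M)."""
    begun = set()
    for kind, *args in trace:
        if kind == "begin":
            begun.add(tuple(args))
        elif kind == "end" and tuple(args) not in begun:
            return False
    return True

def injective_agreement(trace):
    """Every end(A,B,M) consumes its own, distinct earlier begin(A,B,M)."""
    unmatched = Counter()
    for kind, *args in trace:
        if kind == "begin":
            unmatched[tuple(args)] += 1
        elif kind == "end":
            if unmatched[tuple(args)] == 0:
                return False
            unmatched[tuple(args)] -= 1
    return True

def sign(message, key):
    return ("sign", message, key)

def ver(signature, public_key):
    """Symbolic check: returns the message if it was signed with the matching key."""
    tag, message, key = signature
    return message if tag == "sign" and public_key == ("pk", key) else None

def run(replays):
    """One session of A, a replicated B, and an opponent that delivers the
    single message it observed on b a total of 1 + replays times."""
    trace = [("begin", "a", "b", "M")]       # A = begin(a, b, M).b<sign(M, KA)>
    observed = sign("M", "KA")               # the opponent reads it: b(x)
    for _ in range(1 + replays):             # the opponent re-sends it: b<x>
        y = ver(observed, ("pk", "KA"))      # B = !b(x).let y = ver(x, pk(KA)) in ...
        if y is not None:
            trace.append(("end", "a", "b", y))
    return trace

if __name__ == "__main__":
    replayed = run(replays=1)                # O = b(x).b<x>.b<x>
    print("non-injective:", non_injective_agreement(replayed))
    print("injective:    ", injective_agreement(replayed))
```
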
Challenge - Response Handshakes
We now study three different challenge-response schemes:
plain-cipher (PC): challenge in clear, response encrypted
cipher-plain (CP): challenge encrypted, response in clear
cipher-cipher (CC): both challenge and response encrypted
Common idea: prove your identity by encrypting/decrypting
However, these schemes enjoy different security properties!
PC Handshake - Symmetric Key
Which authentication property is satisfied by the protocol?
Bob → Alice: n
Alice: begin(A,B,M)
Alice → Bob: {A,M,n}KAB
Bob: end(A,B,M)
Answer: injective agreement begin(A,B,M), ..., end(A,B,M)
PC Handshake - Asymmetric Key
Which authentication property is satisfied by the protocol?
Bob → Alice: n
Alice: begin(A,B,M)
Alice → Bob: {A,M,n}KA
Bob: end(A,B,M)
Answer: none! The second message is the same for Bob and Oliver!
Breaking Authentication
Bob → Oliver: n
Oliver → Alice: n
Alice: begin(A,O,M)
Alice → Oliver: {A,M,n}KA
Oliver → Bob: {A,M,n}KA
Bob: end(A,B,M)
Fix: in the second message replace the identity of the sender A with the identity of the recipient O
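
The effect of the fix can be seen by running the relay with and without it. The following Python sketch is an added example, not part of the original slides: signatures and the nonce are symbolic, Bob's identity check in the fixed variant is the assumed counterpart of Alice signing the recipient's name, and all function names are illustrative.

```python
# Added illustration (not from the slides): the relay from "Breaking
# Authentication" and the fix of signing the recipient's identity.

def sign(payload, key):
    return ("sign", payload, key)

def ver(signature, public_key):
    """Symbolic check: returns the payload if signed with the matching key."""
    tag, payload, key = signature
    return payload if tag == "sign" and public_key == ("pk", key) else None

def alice_respond(peer, nonce, message, fixed):
    """Alice answers a challenge from `peer`; returns (event, response)."""
    identity = peer if fixed else "A"       # fix: name the recipient, not the sender
    return ("begin", "A", peer, message), sign((identity, message, nonce), "KA")

def bob_accept(response, nonce, fixed):
    """Bob checks the signature, his nonce and the identity field."""
    payload = ver(response, ("pk", "KA"))
    if payload is None:
        return None
    identity, message, got_nonce = payload
    expected = "B" if fixed else "A"        # assumed check matching the fix
    if got_nonce != nonce or identity != expected:
        return None
    return ("end", "A", "B", message)

def relay_run(fixed):
    """Bob challenges 'Alice'; Oliver passes the nonce to Alice as his own
    challenge and forwards her response to Bob unchanged."""
    nonce = "n"                             # symbolic fresh nonce chosen by Bob
    begin, response = alice_respond("O", nonce, "M", fixed)
    end = bob_accept(response, nonce, fixed)
    return [begin] + ([end] if end is not None else [])

def honest_run(fixed):
    """Bob challenges Alice directly, with no opponent in between."""
    nonce = "n"
    begin, response = alice_respond("B", nonce, "M", fixed)
    end = bob_accept(response, nonce, fixed)
    return [begin] + ([end] if end is not None else [])

if __name__ == "__main__":
    print("original:", relay_run(fixed=False))   # end(A,B,M) without begin(A,B,M)
    print("fixed:   ", relay_run(fixed=True))    # Bob rejects the relayed response
```
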
CP Handshake - Symmetric Key
Which authentication properties are satisfied by the protocol?
Bob: begin(B,A,M)
Bob → Alice: {B,M,n}KAB
Alice: end(B,A,M)
Alice: begin(A,B,M)
Alice → Bob: n
Bob: end(A,B,M)
Answer: non-injective agreement begin(B,A,M), ..., end(B,A,M) and injective agreement begin(A,B,M), ..., end(A,B,M)
CP Handshake - Asymmetric Key
Which authentication properties are satisfied by the protocol?
Bob: begin(B,A,M)
Bob → Alice: {B,M,n}pk(KA)
Alice: end(B,A,M)
Alice: begin(A,B,M)
Alice → Bob: n
Bob: end(A,B,M)
Answer: just injective agreement begin(A,B,M), ..., end(A,B,M), since the challenge might come from Oliver
CC Handshake - Symmetric Key
Which authentication properties are satisfied by the protocol?
Bob: begin(B,A,M1)
Bob → Alice: {B,M1,n}KAB
Alice: end(B,A,M1)
Alice: begin(A,B,M2)
Alice → Bob: {A,M2,n}KAB
Bob: end(A,B,M2)
Answer: non-injective agreement begin(B,A,M1), ..., end(B,A,M1) and injective agreement begin(A,B,M2), ..., end(A,B,M2)
CC Handshake - Asymmetric Key
Which authentication properties are satisfied by the protocol?
Bob: begin(B,A,M1)
Bob → Alice: {B,M1,n}pk(KA)
Alice: end(B,A,M1)
Alice: begin(A,B,M2)
Alice → Bob: {A,M2,n}pk(KB)
Bob: end(A,B,M2)
Answer: just injective agreement begin(A,B,M2), ..., end(A,B,M2), since the challenge might come from Oliver
Mutual Authentication - Symmetric Key
Which authentication properties are satisfied by the protocol?
Bob → Alice: n1
Alice: begin(A,B,M1)
Alice → Bob: {A,M1,n1,n2}KAB
Bob: end(A,B,M1)
Bob: begin(B,A,M2)
Bob → Alice: {M2,n2}KAB
Alice: end(B,A,M2)
Answer: injective agreement begin(B,A,M1), ..., end(B,A,M1) and injective agreement begin(A,B,M2), ..., end(A,B,M2)
Mutual Authentication - Asymmetric Key
Which authentication properties are satisfied by the protocol?
Bob → Alice: n1
Alice: begin(A,B,M1)
Alice → Bob: {A,M1,n1,n2}pk(KB)
Bob: end(A,B,M1)
Bob: begin(B,A,M2)
Bob → Alice: {M2,n2}pk(KA)
Alice: end(B,A,M2)
Answer: just injective agreement begin(B,A,M2), ..., end(B,A,M2), since the first response might come from Oliver
Mutual Authentication - Asymmetric Key (Revised)
Which authentication properties are satisfied by the protocol?
Bob → Alice: n1
Alice: begin(A,B,M1)
Alice → Bob: {A,M1,n1,n2}KA
Bob: end(A,B,M1)
Bob: begin(B,A,M2)
Bob → Alice: {M2,n2}KB
Alice: end(B,A,M2)
Answer: injective agreement begin(B,A,M1), ..., end(B,A,M1) and injective agreement begin(A,B,M2), ..., end(A,B,M2)
OAuth 2.0 (Explicit Mode)
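Participants: UA, RP, TTP
UA → RP: Visit Login Page
RP → UA: Login Button with client id, reduri, state
UA → TTP: client id, reduri, state
TTP → UA: Login Form
UA → TTP: User Credentials
TTP → UA: code, state
UA → RP: code, state
RP → TTP: client id, client secret, reduri, code
TTP → RP: token
RP → UA: ok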
What Now?
We have shown how to formalize security properties of protocols
showing that a property is false is “easy”: counter-example
showing that a property is true is more complicated, since most useful security properties are undecidable
very easy for humans to make mistakes, think about previous cases!
luckily, we have verification tools for secrecy and authentication properties of cryptographic protocols
next lecture: ProVerif, a state-of-the-art verification tool