Results 1 - 10 of 14
Robustness Principles for Public Key Protocols
1995
Cited by 111 (8 self)
Abstract: We present a number of attacks, some new, on public key protocols. We also advance a number of principles which may help designers avoid many of the pitfalls, and help attackers spot errors which can be exploited. 1 Introduction Cryptographic protocols are typically used to identify a user to a computer system, to authenticate a transaction, or to set up a key. They typically involve the exchange of about 2--5 messages, and they are very easy to get wrong: bugs have been found in well known protocols years after they were first published. This is quite remarkable; after all, a protocol is a kind of program, and one would expect to get any other program of this size right by staring at it for a while. A number of remedies have been proposed. One approach is formal mathematical proof, and can range from systematic protocol verification techniques such as the BAN logic [BAN89] to the case-by-case reduction of security claims to the intractability of some problem such as factoring. Anot...
Programming Satan's Computer
in Computer Science Today
Cited by 77 (3 self)
Abstract: Cryptographic protocols are used in distributed systems to identify users and authenticate transactions. They may involve the exchange of about 2--5 messages, and one might think that a program of this size would be fairly easy to get right. However, this is absolutely not the case: bugs are routinely found in well known protocols, and years after they were first published. The problem is the presence of a hostile opponent, who can alter messages at will. In effect, our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. This is a fascinating problem; and we hope that the lessons learned from programming Satan's computer may be helpful in tackling the more common problem of programming Murphy's.
Intensional Specifications of Security Protocols
In 9th IEEE Computer Security Foundations Workshop, 1998
Cited by 39 (1 self)
Abstract: It is often difficult to specify exactly what a security protocol is intended to achieve, and there are many examples of attacks on protocols which have been proved to satisfy the 'wrong', or too weak a, specification. Contrary to the usual approach of attempting to capture what it is that a protocol achieves in abstract terms, we propose a readily automatable style of specification which simply asserts that a node can only complete its part in a protocol run if the pattern of messages anticipated by the designer has occurred. While this intensional style of specification does not replace more abstract ones such as confidentiality, it does appear to preclude a wide range of the styles of attack that are hardest to exclude by other means. 1 Introduction Over the past two years, the author and associates in Oxford have been investigating the modelling of security properties and cryptographic protocols in CSP, with particular reference to testing and verification on the model-check...
A Java Beans Component Architecture for Cryptographic Protocols
In Proceedings of 7th USENIX UNIX Security Symposium, 1997
Cited by 13 (2 self)
Abstract: Global networking has brought with it both new opportunities and new security threats on a worldwide scale. Since the Internet is inherently insecure, secure cryptographic protocols and a public key infrastructure are needed. In this paper we introduce a protocol component architecture that is well suited for the implementation of telecommunications protocols in general and cryptographic protocols in particular. Our implementation framework is based on the Java programming language and the Conduits+ protocol framework. It complies with the Beans architecture and security API of JDK 1.1, allowing its users to implement application specific secure protocols with relative ease. Furthermore, these protocols can be safely downloaded through the Internet and run on virtually any workstation equipped with a Java capable browser. The framework has been implemented and tested in practice with a variety of cryptographic protocols. The framework is relatively independent of the actual crypto...
Easy Intruder Deductions
2003
Cited by 11 (3 self)
Abstract: We investigate extensions of the Dolev-Yao model by some algebraic properties of cryptographic primitives. We provide sufficient conditions under which the intruder deduction problem is decidable (resp. decidable in polynomial time). We apply this result to the equational theory of homomorphism, and show that in this case the intruder deduction problem is linear, provided that the messages are in normal form.
On the Automation of GNY Logic
In Proceedings of the 18th Australian Computer Science Conference, 1995
Cited by 8 (0 self)
Abstract: The cryptographic protocol analysis logic of Gong, Needham and Yahalom (GNY) offers significant advantages over its predecessor, the Burrows, Abadi and Needham (BAN) logic. Manual analysis of protocols using the GNY logic, however, is cumbersome, as the logic has a large set of inference rules. This paper proposes a modified GNY logic, and describes the implementation of a protocol analysis tool based on that logic. The modifications ensure that no useful inferences are lost, and allow the logical statements derivable from a given protocol to be deduced in a finite number of steps. The tool offers a facility to automatically generate proofs of protocol goals. It has proved useful in mechanically verifying the need for several inference rules which are all absent from the original GNY logic. 1 Introduction The rapid proliferation of distributed computing systems has led to an increased dependence on cryptographic techniques for protecting information transmitted over insecure channel...
Protocol completion incentive problems in cryptographic Vickrey auctions
Proc. Seventh Internat. Conf. Electronic Commerce Res. (ICECR-7), 2004
Cited by 7 (2 self)
Abstract: In spite of attractive theoretical properties, Vickrey auctions are seldom actually used due to information revelation and fear of cheating. Cryptographic Vickrey Auctions (CVAs) have been proposed to protect bidders' privacy or to prevent the bid taker from cheating. This paper has three parts. First, it identifies ideal goals for CVAs. One of the criteria identifies an incentive problem that is new to the literature on cryptographic Vickrey auctions: the disincentive of a bidder who has learned that she has lost the auction to complete the protocol. Any auction protocol that requires losing bidders to do additional work after learning they have lost needs to provide the losers with proper incentives to follow the protocol. Second, it shows that in a class of CVAs, some losers must continue to participate. Finally, it describes a new CVA protocol that solves the protocol-completion incentive problem. A proper treatment of incentives using cryptography, however, may make the auction too complicated for practical use. One possible alternative is the use of bonds as a way of providing an incentive to losers.
Simmons' Protocol is Not Free of Subliminal Channels
In Proc. of 9th IEEE Computer Security Foundations Workshop, 1996
Cited by 5 (0 self)
Abstract: At the VIth Computer Security Foundations Workshop Simmons presented a protocol to make the Digital Signature Standard free of any subliminal channels. As Simmons has pointed out on several occasions, the design of protocols is very difficult, and protocols have been claimed to have certain properties which they turned out not to have. In this paper we demonstrate that Simmons' protocol is not free of any subliminal channels, by presenting a subliminal channel with a small capacity. We also discuss generalizations, which imply that several already presented protocols claimed to be "subliminal-free" are not. 1. Introduction At the end of the 1970's and the beginning of the 1980's Simmons addressed on several occasions, see e.g., [21, 22, 23], how to achieve message authentication "without" covert channels in the context of verification of treaty compliance. Then, in 1983 Simmons discovered that one had overlooked that one could hide covert data in the authenticator itself, which he called a sublimi...
A Mechanized Logic for Secure Key Escrow Protocol Verification
International Workshop on the HOL Theorem Proving System and its Applications, 1995
Cited by 4 (1 self)
Abstract: Reasoning about key escrow protocols has increasingly become an important issue. The Escrowed Encryption Standard (EES) has been proposed as a US government standard for the encryption of unclassified telecommunications. One unique feature of this system is key escrow. The purpose of key escrow is to allow government access to session keys shared by EES devices. We develop a framework to formally specify and verify the correctness of key escrow protocols that we mechanize within the HOL theorem proving system. Our logic closely follows the logic, SVO, used for analyzing cryptographic protocols which was developed by Syverson and van Oorschot [13]. Using the HOL mechanization of SVO, we formally demonstrate the failure of the EES key escrow system by showing that it does not ensure that the escrow agent receives correct information. This was previously shown experimentally [2]. Last, we offer an alternative escrow protocol and demonstrate its correctness. 1 Introduction Several logi...
Collusion-Free Multiparty Computation in the Mediated Model
Cited by 3 (2 self)
Abstract: Collusion-free protocols prevent subliminal communication (i.e., covert channels) between parties running the protocol. In the standard communication model, if one-way functions exist, then protocols satisfying any reasonable degree of privacy cannot be collusion-free. To circumvent this impossibility, Alwen, shelat and Visconti (CRYPTO 2008) recently suggested the mediated model where all communication passes through a mediator. The goal is to design protocols where collusion-freeness is guaranteed as long as the mediator is honest, while standard security guarantees hold if the mediator is dishonest. In this model, they gave constructions of collusion-free protocols for commitments and zero-knowledge proofs in the two-party setting. We strengthen the definition of Alwen et al., and resolve the main open questions in this area by showing a collusion-free protocol (in the mediated model) for computing any multi-party functionality.