Results 11-20 of 42
Cryptographically Sound Theorem Proving
In Proc. 19th IEEE CSFW, 2006
Cited by 26 (8 self)
We describe a faithful embedding of the Dolev-Yao model of Backes, Pfitzmann, and Waidner (CCS 2003) in the theorem prover Isabelle/HOL. This model is cryptographically sound in the strong sense of reactive simulatability/UC, which essentially entails the preservation of arbitrary security properties under active attacks and in arbitrary protocol environments. The main challenge in designing a practical formalization of this model is to cope with the complexity of providing such strong soundness guarantees. We reduce this complexity by abstracting the model into a sound, lightweight formalization that enables both concise property specifications and efficient application of our proof strategies and their supporting proof tools. This yields the first tool-supported framework for symbolically verifying security protocols that enjoys the strong cryptographic soundness guarantees provided by reactive simulatability/UC. As a proof of concept, we have proved the security of the Needham-Schroeder-Lowe protocol using our framework.
Securing Vehicular Communications: Assumptions, Requirements, and Principles
Workshop on Embedded Security in Cars, 2006
Cited by 20 (7 self)
Among civilian communication systems, vehicular networks emerge as one of the most convincing and yet most challenging instantiations of the mobile ad hoc networking technology. Towards the deployment of vehicular communication systems, security and privacy are critical factors and significant challenges to be met. Thanks to the substantial research efforts carried out by the community so far, we make the following contributions in this paper: we outline security requirements for vehicular communication systems, we provide models for the system and the communication, as well as models for the adversaries, and propose a set of design principles for future security and privacy solutions for vehicular communication systems.
Lecture Notes on Cryptography
2001
Cited by 17 (0 self)
This is a set of lecture notes on cryptography compiled for 6.87s, a one week long course on cryptography taught at MIT by Shafi Goldwasser and Mihir Bellare in the summers of 1996–2001. The notes were formed by merging notes written for Shafi Goldwasser’s Cryptography and Cryptanalysis course at MIT with notes written for Mihir Bellare’s Cryptography and network security course at UCSD. In addition, Rosario Gennaro (as Teaching Assistant for the course in 1996) contributed Section 9.6, Section 11.4, Section 11.5, and Appendix D to the notes, and also compiled, from various sources, some of the problems in Appendix E. Cryptography is of course a vast subject. The thread followed by these notes is to develop and explain the notion of provable security and its usage for the design of secure protocols. Much of the material in Chapters 2, 3 and 7 is a result of scribe notes, originally taken by MIT graduate students who attended Professor Goldwasser’s Cryptography and Cryptanalysis course over the years, and later edited by Frank D’Ippolito who was a teaching assistant for the course in 1991. Frank also contributed much of the advanced number theoretic material in the Appendix. Some of the material in Chapter 3 is from the chapter on Cryptography, by R. Rivest, in the Handbook of Theoretical Computer Science. Chapters 4, 5, 6, 8 and 10, and Sections 9.5 and 7.4.6, were written by Professor Bellare for his Cryptography and network security course at UCSD.
SAT-based Model-Checking for Security Protocols Analysis
Cited by 15 (1 self)
We present a model checking technique for security protocols based on a reduction to propositional logic. At the core of our approach is a procedure that, given a description of the protocol in a multiset rewriting formalism and a positive integer k, builds a propositional formula whose models (if any) correspond to attacks on the protocol. Thus, finding attacks on protocols boils down to checking a propositional formula for satisfiability, a problem that is usually solved very efficiently by modern SAT solvers. Experimental results indicate that the approach scales up to industrial-strength security protocols with performance comparable with (and in some cases superior to) that of other state-of-the-art protocol analysers.
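The reduction the abstract describes, as an added example that is not the authors' tool: a toy protocol written as rewriting rules over ground facts, a bound k, and a propositional encoding whose satisfying assignments are exactly the k-step traces that reach an attack fact, solved here with a small DPLL procedure. The protocol, its rule names, and the simplification that facts persist once derived (intruder knowledge is never consumed) are constructed for this illustration and are not taken from the paper.

```python
"""Bounded model checking of a toy protocol by reduction to SAT (constructed example).

A rule is (preconditions, postconditions) over ground facts (strings). Facts are
persistent, so the frame axiom is simply: f holds at t+1 iff it held at t or some
rule that produces f fired at t. A model of the CNF is a trace of at most k rule
firings that derives the goal fact, i.e. an attack.
"""

# Constructed toy protocol: a secret is sent under key k, then k is sent in clear.
RULES = {
    "A_sends_enc":    (frozenset(), frozenset({"enc(k,s)"})),
    "A_leaks_key":    (frozenset(), frozenset({"k"})),
    "I_decrypts":     (frozenset({"enc(k,s)", "k"}), frozenset({"s"})),
    "I_reads_secret": (frozenset({"s"}), frozenset({"attack"})),
}
INITIAL = frozenset()


def encode(rules, initial, k, goal="attack"):
    """Build a CNF (list of clauses; a literal is (variable, polarity))."""
    facts = set(initial)
    for pre, post in rules.values():
        facts |= pre | post
    facts = sorted(facts)
    fact = lambda f, t: ("fact", f, t)
    fire = lambda r, t: ("fire", r, t)
    cnf = []
    for f in facts:                                            # initial state
        cnf.append([(fact(f, 0), f in initial)])
    names = list(rules)
    for t in range(k):
        for r, (pre, post) in rules.items():
            cnf += [[(fire(r, t), False), (fact(f, t), True)] for f in pre]        # fire -> preconditions
            cnf += [[(fire(r, t), False), (fact(g, t + 1), True)] for g in post]   # fire -> effects
        for i, r1 in enumerate(names):                         # at most one rule per step
            for r2 in names[i + 1:]:
                cnf.append([(fire(r1, t), False), (fire(r2, t), False)])
        for f in facts:
            cnf.append([(fact(f, t), False), (fact(f, t + 1), True)])               # persistence
            producers = [(fire(r, t), True) for r, (_, post) in rules.items() if f in post]
            cnf.append([(fact(f, t + 1), False), (fact(f, t), True)] + producers)  # frame
    cnf.append([(fact(goal, k), True)])                        # the attack must be reached by step k
    return cnf


def simplify(clauses, var, value):
    """Assign var := value: drop satisfied clauses, remove falsified literals."""
    out = []
    for c in clauses:
        if (var, value) in c:
            continue
        out.append([lit for lit in c if lit[0] != var])
    return out


def dpll(clauses, model):
    """Minimal DPLL with unit propagation; returns a model (dict) or None."""
    while True:
        if any(len(c) == 0 for c in clauses):
            return None
        units = [c[0] for c in clauses if len(c) == 1]
        if not units:
            break
        var, val = units[0]
        model[var] = val
        clauses = simplify(clauses, var, val)
    if not clauses:
        return model
    var = clauses[0][0][0]
    for val in (True, False):
        res = dpll(simplify(clauses, var, val), {**model, var: val})
        if res is not None:
            return res
    return None


def find_attack(rules, initial, k, goal="attack"):
    """Return the rule sequence of an attack using at most k steps, or None."""
    model = dpll(encode(rules, initial, k, goal), {})
    if model is None:
        return None
    return [r for t in range(k) for r in rules if model.get(("fire", r, t))]


if __name__ == "__main__":
    for k in (3, 4):
        print(f"k={k}: {find_attack(RULES, INITIAL, k)}")
```

With k=3 the formula is unsatisfiable (the attack needs four rule firings), and with k=4 the solver returns a trace in which both sends precede the decryption and the decryption precedes the read. Raising the bound only adds variables and clauses linearly, which is what makes the bounded approach attractive.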
Bounded Key-Dependent Message Security
2009
Cited by 14 (3 self)
We construct the first public-key encryption scheme that is proven secure (in the standard model, under standard assumptions) even when the attacker gets access to encryptions of arbitrary efficient functions of the secret key. Specifically, under either the DDH or LWE assumption, for every polynomials L and N we obtain a public-key encryption scheme that resists key-dependent message (KDM) attacks for up to N(k) public keys and functions of circuit size up to L(k), where k denotes the size of the secret key. We call such a scheme bounded KDM secure. Moreover, we show that our scheme suffices for one of the important applications of KDM security: ability to securely instantiate symbolic protocols with axiomatic proofs of security. We also observe that any fully homomorphic encryption scheme which additionally enjoys circular security and circuit privacy is fully KDM secure in the sense that the encryption and decryption algorithms can be independent of the polynomials L and N as above. Thus, the recent fully homomorphic encryption scheme of Gentry (STOC 2009) is fully KDM secure under certain non-standard hardness assumptions. Previous works obtained either full KDM security in the random oracle model (Black et al., SAC 2002) or security with respect to a very restricted class of functions (e.g., clique/circular security and affine functions, Boneh et al., CRYPTO 2008, and Applebaum et al., CRYPTO 2009). Our main result is based on a combination of the circular-secure encryption scheme of either Boneh et al. or Applebaum et al. with Yao's garbled circuit construction. Finally, we extend the impossibility result of Haitner and Holenstein (TCC 2009), showing that it is impossible to prove KDM security against a family of query functions that contains exponentially hard pseudorandom functions, using only black-box access to the query function and the adversary attacking the scheme. This proves that the non-black-box use of the KDM query function in our proof of security is inherent. Keywords: KDM/clique/circular security; fully homomorphic encryption; formal security.
Computationally sound secrecy proofs by mechanized flow analysis
In Proc. 13th CCS, 2006
Cited by 14 (3 self)
A large body of work exists for machine-assisted analysis of cryptographic protocols in the formal (Dolev-Yao) model, i.e., by abstracting cryptographic operators as a free algebra. In particular, proving secrecy by typing has shown to be a salient technique as it allowed for elegant and fully automated proofs, often
Efficient Cryptographic Protocols Preventing "Man-in-the-Middle" Attacks
Columbia University, 2002
Cited by 13 (2 self)
In the analysis of many cryptographic protocols, it is useful to distinguish two classes of attacks: passive attacks in which an adversary eavesdrops on messages sent between honest users and active attacks (i.e., "man-in-the-middle" attacks) in which, in addition to eavesdropping, the adversary inserts, deletes, or arbitrarily modifies messages sent from one user to another. Passive attacks are well characterized (the adversary's choices are inherently limited) and techniques for achieving security against passive attacks are relatively well understood. Indeed, cryptographers have long focused on methods for countering passive eavesdropping attacks, and much work in the 1970's and 1980's has dealt with formalizing notions of security and providing provably-secure solutions for this setting. On the other hand, active attacks are not well characterized and precise modeling has been difficult. Few techniques exist for dealing with active attacks, and designing practical protocols secure against such attacks remains a challenge. This dissertation considers active attacks in a variety of settings and provides new, provably-secure protocols preventing such attacks. Proofs of security are in the standard cryptographic model and rely on well-known cryptographic assumptions. The protocols presented here are efficient and
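The passive/active distinction above, as an added example that is not taken from the dissertation: a toy Diffie-Hellman exchange run once under an eavesdropper and once under an attacker who substitutes her own public value in both directions, followed by the same exchange with a MAC over each party's view of the transcript under a pre-shared key. The MAC-based check is a generic illustration assumed here, not one of the dissertation's protocols, and the group parameters and private exponents are toy values chosen for reproducibility, not for real use.

```python
"""Passive eavesdropping vs. active man-in-the-middle on Diffie-Hellman (constructed example).

Toy parameters: 2**127 - 1 is prime but this group is far too small for real use.
Private exponents are passed in explicitly so every run is reproducible.
"""
import hashlib
import hmac

P = 2**127 - 1   # toy modulus, not a real-world DH group
G = 3            # toy generator


def pub(priv):
    return pow(G, priv, P)


def session_key(priv, peer_pub):
    # KDF over the shared group element g^(xy): SHA-256 of its decimal form
    return hashlib.sha256(str(pow(peer_pub, priv, P)).encode()).digest()


def run_unauthenticated(a, b, e, active):
    """Return (alice_key, bob_key, eve_keys).

    Passive Eve only observes g^a and g^b and learns no key (eve_keys empty).
    Active Eve replaces both public values with her own g^e and ends up sharing
    one key with Alice and another with Bob, who believe they share a key with
    each other.
    """
    A, B, E = pub(a), pub(b), pub(e)
    bob_sees_A = E if active else A        # Alice -> Bob, possibly replaced by Eve
    alice_sees_B = E if active else B      # Bob -> Alice, possibly replaced by Eve
    alice_key = session_key(a, alice_sees_B)
    bob_key = session_key(b, bob_sees_A)
    eve_keys = (session_key(e, A), session_key(e, B)) if active else ()
    return alice_key, bob_key, eve_keys


def transcript_tag(psk, initiator_pub, responder_pub):
    """HMAC over one party's view of the transcript under a pre-shared key (assumed mechanism)."""
    return hmac.new(psk, b"%d|%d" % (initiator_pub, responder_pub), hashlib.sha256).digest()


def run_authenticated(a, b, e, psk, active):
    """Same exchange, but each side MACs the transcript it saw. Return (alice_accepts, bob_accepts).

    Eve does not know psk, so the best she can do is forward the honest tags
    unchanged; under substitution the two parties' transcripts differ and both
    verifications fail.
    """
    A, B, E = pub(a), pub(b), pub(e)
    bob_sees_A = E if active else A
    alice_sees_B = E if active else B
    tag_from_alice = transcript_tag(psk, A, alice_sees_B)   # forwarded by Eve as-is
    tag_from_bob = transcript_tag(psk, bob_sees_A, B)       # forwarded by Eve as-is
    bob_accepts = hmac.compare_digest(tag_from_alice, transcript_tag(psk, bob_sees_A, B))
    alice_accepts = hmac.compare_digest(tag_from_bob, transcript_tag(psk, A, alice_sees_B))
    return alice_accepts, bob_accepts


if __name__ == "__main__":
    a, b, e, psk = 0x1234567, 0x7654321, 0xABCDEF, b"pre-shared-key"
    for active in (False, True):
        ka, kb, eve = run_unauthenticated(a, b, e, active)
        print(f"active={active}: alice==bob {ka == kb}, eve holds {len(eve)} key(s)")
        print(f"active={active}: authenticated accepts {run_authenticated(a, b, e, psk, active)}")
```

The passive run is the setting the abstract calls well understood: the adversary sees g^a and g^b and can only try to solve the computational problem. The active run shows why modelling is harder: no computational assumption is violated, the adversary simply rewrites two messages, and only a binding between the transcript and some authenticating secret (here the pre-shared key) exposes it.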
On the Decidability of Cryptographic Protocols with Open-ended Data Structures
2002
Cited by 12 (5 self)
Formal analysis of cryptographic protocols has mainly concentrated on protocols with closed-ended data structures, where closed-ended data structure means that the messages exchanged between principals have fixed and finite format. However,
Generic Insecurity of Cliques-Type Authenticated Group Key Agreement Protocols
In 17th IEEE Computer Security Foundations Workshop, CSFW, 2004
Cited by 12 (0 self)
The A-GDH.2 and SA-GDH.2 authenticated group key agreement protocols were shown to be flawed at CSFW 2001. Even though the corresponding attacks (or some variants of them) have been rediscovered in several different frameworks, no fixed version of these protocols has been proposed until now.