Results 1  10
of
21
Examining IndistinguishabilityBased Proof Models for Key Establishment Protocols (Full version available from http: //eprint.iacr.org/2005/270
, 2005
"... Abstract. We examine various indistinguishabilitybased proof models for key establishment protocols, namely the Bellare & Rogaway (1993, 1995), the Bellare, Pointcheval, & Rogaway (2000), and the Canetti & Krawczyk (2001) proof models. We then consider several variants of these proof models, ident ..."
Abstract

Cited by 44 (8 self)
 Add to MetaCart
Abstract. We examine various indistinguishabilitybased proof models for key establishment protocols, namely the Bellare & Rogaway (1993, 1995), the Bellare, Pointcheval, & Rogaway (2000), and the Canetti & Krawczyk (2001) proof models. We then consider several variants of these proof models, identify several subtle differences between these variants and models, and compare the relative strengths of the notions of security between the models. For each of the pair of relations between the models (either an implication or a nonimplication), we provide proofs or counterexamples to support the observed relations. We also reveal a drawback with the original formulation of the Bellare, Pointcheval, & Rogaway (2000) model, whereby the Corrupt query is not allowed. 1
Relating Symbolic and Cryptographic Secrecy
 IN PROC. IEEE SYMPOSIUM ON SECURITY AND PRIVACY
, 2004
"... We investigate the relation between symbolic and cryptographic secrecy properties for cryptographic protocols. Symbolic secrecy of payload messages or exchanged keys is arguably the most important notion of secrecy shown with automated proof tools. It means that an adversary restricted to symboli ..."
Abstract

Cited by 41 (9 self)
 Add to MetaCart
We investigate the relation between symbolic and cryptographic secrecy properties for cryptographic protocols. Symbolic secrecy of payload messages or exchanged keys is arguably the most important notion of secrecy shown with automated proof tools. It means that an adversary restricted to symbolic operations on terms can never get the entire considered object into its knowledge set. Cryptographic secrecy essentially
Cryptographically Sound Theorem Proving
 In Proc. 19th IEEE CSFW
, 2006
"... We describe a faithful embedding of the DolevYao model of Backes, Pfitzmann, and Waidner (CCS 2003) in the theorem prover Isabelle/HOL. This model is cryptographically sound in the strong sense of reactive simulatability/UC, which essentially entails the preservation of arbitrary security proper ..."
Abstract

Cited by 26 (7 self)
 Add to MetaCart
We describe a faithful embedding of the DolevYao model of Backes, Pfitzmann, and Waidner (CCS 2003) in the theorem prover Isabelle/HOL. This model is cryptographically sound in the strong sense of reactive simulatability/UC, which essentially entails the preservation of arbitrary security properties under active attacks and in arbitrary protocol environments. The main challenge in designing a practical formalization of this model is to cope with the complexity of providing such strong soundness guarantees. We reduce this complexity by abstracting the model into a sound, lightweight formalization that enables both concise property specifications and efficient application of our proof strategies and their supporting proof tools. This yields the first toolsupported framework for symbolically verifying security protocols that enjoys the strong cryptographic soundness guarantees provided by reactive simulatability/UC. As a proof of concept, we have proved the security of the NeedhamSchroederLowe protocol using our framework.
The reactive simulatability (RSIM) framework for asynchronous systems
 Information and Computation
, 2007
"... We define reactive simulatability for general asynchronous systems. Roughly, simulatability means that a real system implements an ideal system (specification) in a way that preserves security in a general cryptographic sense. Reactive means that the system can interact with its users multiple times ..."
Abstract

Cited by 23 (4 self)
 Add to MetaCart
We define reactive simulatability for general asynchronous systems. Roughly, simulatability means that a real system implements an ideal system (specification) in a way that preserves security in a general cryptographic sense. Reactive means that the system can interact with its users multiple times, e.g., in many concurrent protocol runs or a multiround game. In terms of distributed systems, reactive simulatability is a type of refinement that preserves particularly strong properties, in particular confidentiality. A core feature of reactive simulatability is composability, i.e., the real system can be plugged in instead of the ideal system within arbitrary larger systems; this is shown in followup papers, and so is the preservation of many classes of individual security properties from the ideal to the real systems. A large part of this paper defines a suitable system model. It is based on probabilistic IO automata (PIOA) with two main new features: One is generic distributed scheduling. Important special cases are realistic adversarial scheduling, procedurecalltype scheduling among colocated system parts, and special schedulers such as for fairness, also in combinations. The other is the definition of the reactive runtime via a realization by Turing machines such that notions like polynomialtime are composable. The simple complexity of the transition functions of the automata is not composable. As specializations of this model we define securityspecific concepts, in particular a separation between honest users and adversaries and several trust models. The benefit of IO automata as the main model, instead of only interactive Turing machines as usual in cryptographic multiparty computation, is that many cryptographic systems can be specified with an ideal system consisting of only one simple, deterministic IO automaton without any cryptographic objects, as many followup papers show. This enables the use of classic formal methods and automatic proof tools for proving larger distributed protocols and systems that use these cryptographic systems.
Limits of the Cryptographic Realization of DolevYaostyle XOR
 Computer Security, Proceedings of ESORICS 2005, number 3679 in Lecture Notes in Computer Science
, 2005
"... The abstraction of cryptographic operations by term algebras, called DolevYao models, is essential in almost all toolsupported methods for proving security protocols. Recently significant progress was made in proving that such abstractions can be sound with respect to actual cryptographic reali ..."
Abstract

Cited by 16 (5 self)
 Add to MetaCart
The abstraction of cryptographic operations by term algebras, called DolevYao models, is essential in almost all toolsupported methods for proving security protocols. Recently significant progress was made in proving that such abstractions can be sound with respect to actual cryptographic realizations and security definitions. The strongest results show this in the sense of reactive simulatability/UC, a notion that essentially means retention of arbitrary security properties under arbitrary active attacks and in arbitrary protocol environments, with only small changes to both abstractions and natural implementations.
Cryptographically Sound Security Proofs for Basic And PublicKey Kerberos
 Proc. 11th European Symp. on Research. in Comp. Sec
, 2006
"... Abstract We present a computational analysis of basic Kerberos with and without its publickey extension PKINIT in which we consider authentication and key secrecy properties. Our proofs rely on the Dolev–Yaostyle model of Backes, Pfitzmann, and Waidner, which allows for mapping results obtained sym ..."
Abstract

Cited by 15 (4 self)
 Add to MetaCart
Abstract We present a computational analysis of basic Kerberos with and without its publickey extension PKINIT in which we consider authentication and key secrecy properties. Our proofs rely on the Dolev–Yaostyle model of Backes, Pfitzmann, and Waidner, which allows for mapping results obtained symbolically within this model to cryptographically sound proofs if certain assumptions are met. This work was the first verification at the computational level of such a complex fragment of an industrial protocol. By considering a recently fixed version of PKINIT, we extend symbolic correctness results we previously attained in the Dolev– Yao model to cryptographically sound results in the computational model.
Computationally sound secrecy proofs by mechanized flow analysis
 In Proc. 13th CCS
, 2006
"... A large body of work exists for machineassisted analysis of cryptographic protocols in the formal (DolevYao) model, i.e., by abstracting cryptographic operators as a free algebra. In particular, proving secrecy by typing has shown to be a salient technique as it allowed for elegant and fully autom ..."
Abstract

Cited by 13 (2 self)
 Add to MetaCart
A large body of work exists for machineassisted analysis of cryptographic protocols in the formal (DolevYao) model, i.e., by abstracting cryptographic operators as a free algebra. In particular, proving secrecy by typing has shown to be a salient technique as it allowed for elegant and fully automated proofs, often
On the Cryptographic Key Secrecy of the Strengthened Yahalom Protocol
 PROCEEDINGS OF IFIP SEC 2006
, 2006
"... Symbolic secrecy of exchanged keys is arguably one of the most important notions of secrecy shown with automated proof tools. It means that an adversary restricted to symbolic operations on terms can never get the entire key into its knowledge set. Cryptographic key secrecy essentially means comput ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
Symbolic secrecy of exchanged keys is arguably one of the most important notions of secrecy shown with automated proof tools. It means that an adversary restricted to symbolic operations on terms can never get the entire key into its knowledge set. Cryptographic key secrecy essentially means computational indistinguishability between the real key and a random one, given the view of a much more general adversary. We analyze the cryptographic key secrecy for the strengthened Yahalom protocol, which constitutes one of the most prominent key exchange protocols analyzed symbolically by means of automated proof tools. We show that the strengthened Yahalom protocol does not guarantee cryptographic key secrecy. We further show that cryptographic key secrecy can be proven for a slight simplification of the protocol by exploiting recent results on linking symbolic and cryptographic key secrecy in order to perform a symbolic proof of secrecy for the simplified Yahalom protocol in a specific setting that allows us to derive the desired cryptographic key secrecy from the symbolic proof. The proof holds in the presence of arbitrary active attacks provided that the protocol is relying on standard provably secure cryptographic primitives.
On simulatability soundness and mapping soundness of symbolic cryptography
 IN PROCEEDINGS OF 27TH INTERNATIONAL CONFERENCE ON FOUNDATIONS OF SOFTWARE TECHNOLOGY AND THEORETICAL COMPUTER SCIENCE (FSTTCS
, 2007
"... The abstraction of cryptographic operations by term algebras, called DolevYao models or symbolic cryptography, is essential in almost all toolsupported methods for proving security protocols. Recently significant progress was made – using two conceptually different approaches – in proving that Dol ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
The abstraction of cryptographic operations by term algebras, called DolevYao models or symbolic cryptography, is essential in almost all toolsupported methods for proving security protocols. Recently significant progress was made – using two conceptually different approaches – in proving that DolevYao models can be sound with respect to actual cryptographic realizations and security definitions. One such approach is grounded on the notion of simulatability, which constitutes a salient technique of Modern Cryptography with a longstanding history for a variety of different tasks. The other approach strives for the socalled mapping soundness – a more recent technique that is tailored to the soundness of specific security properties in DolevYao models, and that can be established using more compact proofs. Typically, both notions of soundness for similar DolevYao models are established separately in independent papers. In this paper, the two approaches are related for the first time. Our main result is that simulatability soundness entails mapping soundness provided that both approaches use the same cryptographic implementation. Interestingly, this result does not dependent on details of the simulator, which translates between cryptographic implementations and their DolevYao abstractions in simulatability soundness. Hence, future research may well concentrate on simulatability soundness whenever applicable, and resort to mapping soundness in those cases where simulatability soundness is too strong a notion.
Security Requirements for Key Establishment Proof Models: Revisiting Bellare–Rogaway and Jeong–Katz–Lee Protocols
 Proc. ACISP 2005
, 2005
"... Abstract. We observe that the definitions of security in the computational complexity proof models of Bellare & Rogaway (1993) and Canetti & Krawczyk (2001) require two partners in the presence of a malicious adversary to accept the same session key, which we term a key sharing requirement. We then ..."
Abstract

Cited by 5 (3 self)
 Add to MetaCart
Abstract. We observe that the definitions of security in the computational complexity proof models of Bellare & Rogaway (1993) and Canetti & Krawczyk (2001) require two partners in the presence of a malicious adversary to accept the same session key, which we term a key sharing requirement. We then revisit the Bellare–Rogaway threeparty key distribution (3PKD) protocol and the Jeong–Katz–Lee twoparty authenticated key exchange protocol T S2, which carry claimed proofs of security in the Canetti & Krawczyk (2001) model and the Bellare & Rogaway (1993) model respectively. We reveal previously unpublished flaws in these protocols where we demonstrate that both protocols fail to satisfy the definition of security in the respective models. We present a new 3PKD protocol as an improvement with a proof of security in the Canetti & Krawczyk (2001) model and a simple fix to the specification of protocol T S2. We also identify several variants of the key sharing requirement and present a brief discussion. 1