A logic of authentication
ACM Transactions on Computer Systems, 1990
Cited by 1132 (25 self)
Questions of belief are essential in analyzing protocols for the authentication of principals in distributed computing systems. In this paper we motivate, set out, and exemplify a logic specifically designed for this analysis; we show how various protocols differ subtly with respect to the required initial assumptions of the participants and their final beliefs. Our formalism has enabled us to isolate and express these differences with a precision that was not previously possible. It has drawn attention to features of protocols of which we and their authors were previously unaware, and allowed us to suggest improvements to the protocols. The reasoning about some protocols has been mechanically verified. This paper starts with an informal account of the problem, goes on to explain the formalism to be used, and gives examples of its application to protocols from the literature, both with shared-key cryptography and with public-key cryptography. Some of the examples are chosen because of their practical importance, while others serve to illustrate subtle points of the logic and to explain how we use it. We discuss extensions of the logic motivated by actual practice, for example, in order to account for the use of hash functions in signatures. The final sections contain a formal semantics of the logic and some conclusions.
Universally composable security: A new paradigm for cryptographic protocols
2013
Cited by 611 (34 self)
We present a general framework for representing cryptographic protocols and analyzing their security. The framework allows specifying the security requirements of practically any cryptographic task in a unified and systematic way. Furthermore, in this framework the security of protocols is preserved under a general protocol composition operation, called universal composition. The proposed framework with its security-preserving composition operation allows for modular design and analysis of complex cryptographic protocols from relatively simple building blocks. Moreover, within this framework, protocols are guaranteed to maintain their security in any context, even in the presence of an unbounded number of arbitrary protocol instances that run concurrently in an adversarially controlled manner. This is a useful guarantee that allows arguing about the security of cryptographic protocols in complex and unpredictable environments such as modern communication networks.
Mobile Values, New Names, and Secure Communication
2001
Cited by 276 (18 self)
We study the interaction of the "new" construct with a rich but common form of (first-order) communication. This interaction is crucial in security protocols, which are the main motivating examples for our work; it also appears in other programming-language contexts. Specifically, we introduce a simple, general extension of the pi calculus with value passing, primitive functions, and equations among terms. We develop semantics and proof techniques for this extended language and apply them in reasoning about some security protocols.
A Model for Asynchronous Reactive Systems and its Application to Secure Message Transmission
2000
Cited by 153 (18 self)
We present the first rigorous model for secure reactive systems in asynchronous networks with a sound cryptographic semantics, supporting abstract specifications and the composition of secure systems. This enables modular proofs of security, which is essential in bridging the gap between the rigorous proof techniques of cryptography and tool-supported formal proof techniques. The model follows the general simulatability approach of modern cryptography. A variety of network structures and trust models can be described, such as static and adaptive adversaries. As an example of our specification methodology we provide the first abstract and complete specification for Secure Message Transmission, improving on recent results by Lynch, and verify one concrete implementation. Our proof is based on a general theorem on the security of encryption in a reactive multi-user setting, generalizing a recent result by Bellare et al.
Composition and Integrity Preservation of Secure Reactive Systems
In Proc. 7th ACM Conference on Computer and Communications Security, 2000
Cited by 138 (13 self)
We consider compositional properties of reactive systems that are secure in a cryptographic sense. We follow the well-known simulatability approach, i.e., the specification is an ideal system and a real system should in some sense simulate it. We recently presented the first detailed general definition of this concept for reactive systems that allows abstraction and enables proofs of efficient real-life systems like secure channels or certified mail. We prove two important properties...
A Composable Cryptographic Library with Nested Operations (Extended Abstract)
2003
Cited by 133 (26 self)
Michael Backes (mbc@zurich.ibm.com), Birgit Pfitzmann (bpf@zurich.ibm.com), Michael Waidner (wmi@zurich.ibm.com)
We present the first idealized cryptographic library that can be used like the Dolev-Yao model for automated proofs of cryptographic protocols that use nested cryptographic operations, while coming with a cryptographic implementation that is provably secure under active attacks.
Formal Eavesdropping and its Computational Interpretation
2000
Cited by 98 (9 self)
We compare two views of symmetric cryptographic primitives in the context of the systems that use them. We express those systems in a simple programming language; each of the views yields a semantics for the language. One of the semantics treats cryptographic operations formally (that is, symbolically). The other semantics is more detailed and computational; it treats cryptographic operations as functions on bitstrings. Each semantics leads to a definition of equivalence of systems with respect to eavesdroppers. We establish the soundness of the formal definition with respect to the computational one. This result provides a precise computational justification for formal reasoning about security against eavesdroppers.
Key-privacy in public-key encryption
2001
Cited by 93 (8 self)
We consider a novel security requirement of encryption schemes that we call "key-privacy" or "anonymity". It asks that an eavesdropper in possession of a ciphertext not be able to tell which specific key, out of a set of known public keys, is the one under which the ciphertext was created, meaning the receiver is anonymous from the point of view of the adversary. We investigate the anonymity of known encryption schemes. We prove that the El Gamal scheme provides anonymity under chosen-plaintext attack assuming the Decision Diffie-Hellman problem is hard and that the Cramer-Shoup scheme provides anonymity under chosen-ciphertext attack under the same assumption. We also consider anonymity for trapdoor permutations. Known attacks indicate that the RSA trapdoor permutation is not anonymous and neither are the standard encryption schemes based on it. We provide a variant of RSA-OAEP that provides anonymity in the random oracle model assuming RSA is one-way. We also give constructions of anonymous trapdoor permutations, assuming RSA is one-way, which yield anonymous encryption schemes in the standard model.
Soundness of formal encryption in the presence of active adversaries
In Proc. 1st Theory of Cryptography Conference (TCC), volume 2951 of LNCS, 2004
Cited by 85 (8 self)
We present a general method to prove security properties of cryptographic protocols against active adversaries, when the messages exchanged by the honest parties are arbitrary expressions built using encryption and concatenation operations. The method allows one to express security properties and carry out proofs using a simple logic-based language, where messages are represented by syntactic expressions, and does not require dealing with probability distributions or asymptotic notation explicitly. Still, we show that the method is sound, meaning that logic statements can be naturally interpreted in the computational setting in such a way that if a statement holds true for any abstract (symbolic) execution of the protocol in the presence of a Dolev-Yao adversary, then its computational interpretation is also correct in the standard computational model where the adversary is an arbitrary probabilistic polynomial-time program. This is the first paper providing a simple framework for translating security proofs from the logic setting to the standard computational setting for the case of powerful active adversaries that have total control of the communication network.
Deciding knowledge in security protocols under equational theories
In Proc. 31st International Colloquium on Automata, Languages and Programming (ICALP'04), volume 3142 of LNCS, 2004
Cited by 81 (11 self)
The analysis of security protocols requires precise formulations of the knowledge of protocol participants and attackers. In formal approaches, this knowledge is often treated in terms of message deducibility and indistinguishability relations. In this paper we study the decidability of these two relations. The messages in question may employ functions (encryption, decryption, etc.) axiomatized in an equational theory. Our main positive results say that, for a large and useful class of equational theories, deducibility and indistinguishability are both decidable in polynomial time.