Results 1  10
of
24
Automated verification of selected equivalences for security protocols
 IN 20TH IEEE SYMPOSIUM ON LOGIC IN COMPUTER SCIENCE (LICS’05
, 2005
"... In the analysis of security protocols, methods and tools for reasoning about protocol behaviors have been quite effective. We aim to expand the scope of those methods and tools. We focus on proving equivalences P ≈ Q in which P and Q are two processes that differ only in the choice of some terms. Th ..."
Abstract

Cited by 72 (11 self)
 Add to MetaCart
In the analysis of security protocols, methods and tools for reasoning about protocol behaviors have been quite effective. We aim to expand the scope of those methods and tools. We focus on proving equivalences P ≈ Q in which P and Q are two processes that differ only in the choice of some terms. These equivalences arise often in applications. We show how to treat them as predicates on the behaviors of a process that represents P and Q at the same time. We develop our techniques in the context of the applied pi calculus and implement them in the tool ProVerif.
Automated Security Proofs with Sequences of Games
 Proc. 27th IEEE Symposium on Security
, 2006
"... Abstract. This paper presents the first automatic technique for proving not only protocols but also primitives in the exact security computational model. Automatic proofs of cryptographic protocols were up to now reserved to the DolevYao model, which however makes quite strong assumptions on the pr ..."
Abstract

Cited by 40 (7 self)
 Add to MetaCart
Abstract. This paper presents the first automatic technique for proving not only protocols but also primitives in the exact security computational model. Automatic proofs of cryptographic protocols were up to now reserved to the DolevYao model, which however makes quite strong assumptions on the primitives. On the other hand, with the proofs by reductions, in the complexity theoretic framework, more subtle security assumptions can be considered, but security analyses are manual. A process calculus is thus defined in order to take into account the probabilistic semantics of the computational model. It is already rich enough to describe all the usual security notions of both symmetric and asymmetric cryptography, as well as the basic computational assumptions. As an example, we illustrate the use of the new tool with the proof of a quite famous asymmetric primitive: unforgeability under chosenmessage attacks (UFCMA) of the FullDomain Hash signature scheme under the (trapdoor)onewayness of some permutations. 1
Abstraction and refinement in protocol derivation
 In Proceedings of 17th IEEE Computer Security Foundations Workshop
, 2004
"... Protocols may be derived from initial components by composition, refinement, and transformation. Adding function variables to a previous protocol logic, we develop an abstractioninstantiation method for reasoning about a class of protocol refinements. The main idea is to view changes in a protocol ..."
Abstract

Cited by 22 (7 self)
 Add to MetaCart
(Show Context)
Protocols may be derived from initial components by composition, refinement, and transformation. Adding function variables to a previous protocol logic, we develop an abstractioninstantiation method for reasoning about a class of protocol refinements. The main idea is to view changes in a protocol as a combination of finding a meaningful “protocol template ” that contains function variables in messages, and producing the refined protocol as an instance of the template. Using higherorder protocol logic, we can develop a single proof for all instances of a template. A template can also be instantiated to another template, or a single protocol may be an instance of more than one template, allowing separate protocol properties to be proved modularly. These methods are illustrated using some challengeresponse and key exchange protocol templates and an exploration of the design space surrounding JFK (Just Fast Keying) and related protocolsfrom theIKE(InternetKeyExchange) family, which produces some interesting protocols not previously studied in the open literature. 1.
Taskstructured probabilistic I/O automata
, 2006
"... Modeling frameworks such as Probabilistic I/O Automata (PIOA) and Markov Decision Processes permit both probabilistic and nondeterministic choices. In order to use such frameworks to express claims about probabilities of events, one needs mechanisms for resolving nondeterministic choices. For PIOAs, ..."
Abstract

Cited by 18 (12 self)
 Add to MetaCart
Modeling frameworks such as Probabilistic I/O Automata (PIOA) and Markov Decision Processes permit both probabilistic and nondeterministic choices. In order to use such frameworks to express claims about probabilities of events, one needs mechanisms for resolving nondeterministic choices. For PIOAs, nondeterministic choices have traditionally been resolved by schedulers that have perfect information about the past execution. However, such schedulers are too powerful for certain settings, such as cryptographic protocol analysis, where information must sometimes be hidden. Here, we propose a new, less powerful nondeterminismresolution mechanism for PIOAs, consisting of tasks and local schedulers. Tasks are equivalence classes of system actions that are scheduled by oblivious, global task sequences. Local schedulers resolve nondeterminism within system components, based on local information only. The resulting taskPIOA framework yields simple notions of external behavior and implementation, and supports simple compositionality results. We also define a new kind of simulation relation, and show it to be sound for proving implementation. We illustrate the potential of the taskPIOA framework by outlining its use in verifying an Oblivious Transfer protocol.
Computationally Sound Mechanized Proofs of Correspondence Assertions
, 2007
"... We present a new mechanized prover for showing correspondence assertions for cryptographic protocols in the computational model. Correspondence assertions are useful in particular for establishing authentication. Our technique produces proofs by sequences of games, as standard in cryptography. These ..."
Abstract

Cited by 17 (6 self)
 Add to MetaCart
We present a new mechanized prover for showing correspondence assertions for cryptographic protocols in the computational model. Correspondence assertions are useful in particular for establishing authentication. Our technique produces proofs by sequences of games, as standard in cryptography. These proofs are valid for a number of sessions polynomial in the security parameter, in the presence of an active adversary. Our technique can handle a wide variety of cryptographic primitives, including shared and publickey encryption, signatures, message authentication codes, and hash functions. It has been implemented in the tool CryptoVerif and successfully tested on examples from the literature.
Timebounded taskPIOAs: A framework for analyzing security protocols
 PROCEEDINGS THE 20TH INTERNATIONAL SYMPOSIUM ON DISTRIBUTED COMPUTING (DISC 2006). VOLUME 4167 OF LNCS., SPRINGER (2006) 238–253 INVITED PAPER
, 2006
"... We present the TimeBounded TaskPIOA modeling framework, an extension of the Probabilistic I/O Automata (PIOA) framework that is intended to support modeling and verification of security protocols. TimeBounded TaskPIOAs directly model probabilistic and nondeterministic behavior, partialinformat ..."
Abstract

Cited by 16 (7 self)
 Add to MetaCart
We present the TimeBounded TaskPIOA modeling framework, an extension of the Probabilistic I/O Automata (PIOA) framework that is intended to support modeling and verification of security protocols. TimeBounded TaskPIOAs directly model probabilistic and nondeterministic behavior, partialinformation adversarial scheduling, and timebounded computation. Together, these features are adequate to support modeling of key aspects of security protocols, including secrecy requirements and limitations on the knowledge and computational power of adversarial parties. They also support security protocol verification, using methods that are compatible with informal approaches used in the computational cryptography research community. We illustrate the use of our framework by outlining a proof of functional correctness and security properties for a wellknown Oblivious Transfer protocol.
On the relationships between notions of simulationbased security
 In TCC 2005
, 2005
"... ..."
(Show Context)
Protocol Composition Logic (PCL)
, 2007
"... Protocol Composition Logic (PCL) is a logic for proving security properties of network protocols that use public and symmetric key cryptography. The logic is designed around a process calculus with actions for possible protocol steps including generating new random numbers, sending and receiving mes ..."
Abstract

Cited by 14 (2 self)
 Add to MetaCart
Protocol Composition Logic (PCL) is a logic for proving security properties of network protocols that use public and symmetric key cryptography. The logic is designed around a process calculus with actions for possible protocol steps including generating new random numbers, sending and receiving messages, and performing decryption and digital signature verification actions. The proof system consists of axioms about individual protocol actions and inference rules that yield assertions about protocols composed of multiple steps. Although assertions are written only using the steps of the protocol, the logic is sound in a strong sense: each provable assertion involving a sequence of actions holds in any protocol run containing the given actions and arbitrary additional actions by a malicious adversary. This approach lets us prove security properties of protocols under attack while reasoning only about the actions of honest parties in the protocol. PCL supports compositional reasoning about complex security protocols and has been applied to a number of industry standards including SSL/TLS, IEEE 802.11i and Kerberos V5.
Games and the impossibility of realizable ideal functionality
 IN THEORY OF CRYPTOGRAPHY, 3RD THEORY OF CRYPTOGRAPHY CONFERENCE, TCC 2006, VOLUME 3876 OF LECTURE NOTES IN COMPUTER SCIENCE
, 2006
"... A cryptographic primitive or a security mechanism can be specified in a variety of ways, such as a condition involving a game against an attacker, construction of an ideal functionality, or a list of properties that must hold in the face of attack. While game conditions are widely used, an ideal fun ..."
Abstract

Cited by 8 (2 self)
 Add to MetaCart
(Show Context)
A cryptographic primitive or a security mechanism can be specified in a variety of ways, such as a condition involving a game against an attacker, construction of an ideal functionality, or a list of properties that must hold in the face of attack. While game conditions are widely used, an ideal functionality is appealing because a mechanism that is indistinguishable from an ideal functionality is therefore guaranteed secure in any larger system that uses it. We relate ideal functionalities to games by defining the set of ideal functionalities associated with a game condition and show that under this definition, which reflects accepted use and known examples, a number of cryptographic concepts do not have any realizable ideal functionality in the plain model. Some interesting examples are multiparty cointossing, bitcommitment and shared random sequences. One interpretation of this negative result is that equational approaches based on computational observational equivalence might be better applied to reasoning about game conditions than equivalence with ideal functionalities. Alternatively, generality might be obtained by allowing for various setup assumptions, or by other means.