Results 1  10
of
33
Computationally sound, automated proofs for security protocols
, 2005
"... Abstract. Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomi ..."
Abstract

Cited by 60 (13 self)
 Add to MetaCart
Abstract. Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomialtime attacks. The other approach relies on a symbolic model of protocol executions in which cryptographic primitives are treated as black boxes. Since the seminal work of Dolev and Yao, it has been realized that this latter approach enables significantly simpler and often automated proofs. However, the guarantees that it offers have been quite unclear. In this paper, we show that it is possible to obtain the best of both worlds: fully automated proofs and strong, clear security guarantees. Specifically, for the case of protocols that use signatures and asymmetric encryption, we establish that symbolic integrity and secrecy proofs are sound with respect to the computational model. The main new challenges concern secrecy properties for which we obtain the first soundness result for the case of active adversaries. Our proofs are carried out using Casrul, a fully automated tool. 1
Secrecy in multiagent systems
"... We introduce a general framework for reasoning about secrecy requirements in multiagent systems. Because secrecy requirements are closely connected with the knowledge of individual agents of a system, our framework employs the modal logic of knowledge within the context of the wellstudied runs and ..."
Abstract

Cited by 41 (5 self)
 Add to MetaCart
We introduce a general framework for reasoning about secrecy requirements in multiagent systems. Because secrecy requirements are closely connected with the knowledge of individual agents of a system, our framework employs the modal logic of knowledge within the context of the wellstudied runs and systems framework. Put simply, “secrets ” are facts about a system that lowlevel agents are never allowed to know. The framework presented here allows us to formalize this intuition precisely, in a way that is much in the spirit of Sutherland’s notion of nondeducibility. Several wellknown attempts to characterize the absence of information flow, including separability, generalized noninterference, and nondeducibility on strategies, turn out to be special cases of our definition of secrecy. However, our approach lets us go well beyond these definitions. It can handle probabilistic secrecy in a clean way, and it suggests generalizations of secrecy that may be useful for dealing with resourcebounded reasoning and with issues such as downgrading of information.
Automated Security Proofs with Sequences of Games
 Proc. 27th IEEE Symposium on Security
, 2006
"... Abstract. This paper presents the first automatic technique for proving not only protocols but also primitives in the exact security computational model. Automatic proofs of cryptographic protocols were up to now reserved to the DolevYao model, which however makes quite strong assumptions on the pr ..."
Abstract

Cited by 40 (7 self)
 Add to MetaCart
Abstract. This paper presents the first automatic technique for proving not only protocols but also primitives in the exact security computational model. Automatic proofs of cryptographic protocols were up to now reserved to the DolevYao model, which however makes quite strong assumptions on the primitives. On the other hand, with the proofs by reductions, in the complexity theoretic framework, more subtle security assumptions can be considered, but security analyses are manual. A process calculus is thus defined in order to take into account the probabilistic semantics of the computational model. It is already rich enough to describe all the usual security notions of both symmetric and asymmetric cryptography, as well as the basic computational assumptions. As an example, we illustrate the use of the new tool with the proof of a quite famous asymmetric primitive: unforgeability under chosenmessage attacks (UFCMA) of the FullDomain Hash signature scheme under the (trapdoor)onewayness of some permutations. 1
Soundness of formal encryption in the presence of keycycles
 In Proc. 10th European Symposium on Research in Computer Security (ESORICS’05), volume 3679 of LNCS
, 2005
"... Abstract. Both the formal and the computational models of cryptography contain the notion of message equivalence or indistinguishability. An encryption scheme provides soundness for indistinguishability if, when mapping formal messages into the computational model, equivalent formal messages are map ..."
Abstract

Cited by 37 (4 self)
 Add to MetaCart
Abstract. Both the formal and the computational models of cryptography contain the notion of message equivalence or indistinguishability. An encryption scheme provides soundness for indistinguishability if, when mapping formal messages into the computational model, equivalent formal messages are mapped to indistinguishable computational distributions. Previous soundness results are limited in that they do not apply when keycycles are present. We demonstrate that an encryption scheme provides soundness in the presence of keycycles if it satisfies the recentlyintroduced notion of keydependent message (KDM) security. We also show that soundness in the presence of keycycles (and KDM security) neither implies nor is implied by security against chosen ciphertext attack (CCA2). Therefore, soundness for keycycles is possible using a new notion of computational security, not possible using previous such notions, and the relationship between the formal and computational models extends beyond chosenciphertext security. 1
Logics for Reasoning about Cryptographic Constructions
 In Proc. 44th IEEE Symposium on Foundations of Computer Science
, 2003
"... We present two logical systems for reasoning about cryptographic constructions which are sound with respect to standard cryptographic definitions of security. Soundness of the first system is proved using techniques from nonstandard models of arithmetic. Soundness of the second system is proved by ..."
Abstract

Cited by 25 (1 self)
 Add to MetaCart
We present two logical systems for reasoning about cryptographic constructions which are sound with respect to standard cryptographic definitions of security. Soundness of the first system is proved using techniques from nonstandard models of arithmetic. Soundness of the second system is proved by an interpretation into the first system. We also present examples of how these systems may be used to formally prove the correctness of some elementary cryptographic constructions.
Abstraction and refinement in protocol derivation
 In Proceedings of 17th IEEE Computer Security Foundations Workshop
, 2004
"... Protocols may be derived from initial components by composition, refinement, and transformation. Adding function variables to a previous protocol logic, we develop an abstractioninstantiation method for reasoning about a class of protocol refinements. The main idea is to view changes in a protocol ..."
Abstract

Cited by 21 (7 self)
 Add to MetaCart
Protocols may be derived from initial components by composition, refinement, and transformation. Adding function variables to a previous protocol logic, we develop an abstractioninstantiation method for reasoning about a class of protocol refinements. The main idea is to view changes in a protocol as a combination of finding a meaningful “protocol template ” that contains function variables in messages, and producing the refined protocol as an instance of the template. Using higherorder protocol logic, we can develop a single proof for all instances of a template. A template can also be instantiated to another template, or a single protocol may be an instance of more than one template, allowing separate protocol properties to be proved modularly. These methods are illustrated using some challengeresponse and key exchange protocol templates and an exploration of the design space surrounding JFK (Just Fast Keying) and related protocolsfrom theIKE(InternetKeyExchange) family, which produces some interesting protocols not previously studied in the open literature. 1.
SimulationBased Security with Inexhaustible Interactive Turing Machines
 IN PROCEEDINGS OF THE 19TH IEEE COMPUTER SECURITY FOUNDATIONS WORKSHOP (CSFW19 2006
, 2006
"... Recently, there has been much interest in extending models for simulationbased security in such a way that the runtime of protocols may depend on the length of their input. Finding such extensions has turned out to be a nontrivial task. In this work, we propose a simple, yet expressive general ..."
Abstract

Cited by 21 (6 self)
 Add to MetaCart
Recently, there has been much interest in extending models for simulationbased security in such a way that the runtime of protocols may depend on the length of their input. Finding such extensions has turned out to be a nontrivial task. In this work, we propose a simple, yet expressive general computational model for systems of Interactive Turing Machines (ITMs) where the runtime of the ITMs may be polynomial per activation and may depend on the length of the input received. One distinguishing feature of our model is that the systems of ITMs that we consider involve a generic mechanism for addressing dynamically generated copies of ITMs. We study properties of such systems and, in particular, show that systems satisfying a certain acyclicity condition run in polynomial time. Based on our general computational model, we state di#erent notions of simulationbased security in a uniform and concise way, study their relationships, and prove a general composition theorem for composing a polynomial number of copies of protocols, where the polynomial is determined by the environment. The simplicity of our model is demonstrated by the fact that many of our results can be proved by mere equational reasoning based on a few equational principles on systems.
Computationally Sound Mechanized Proofs of Correspondence Assertions
, 2007
"... We present a new mechanized prover for showing correspondence assertions for cryptographic protocols in the computational model. Correspondence assertions are useful in particular for establishing authentication. Our technique produces proofs by sequences of games, as standard in cryptography. These ..."
Abstract

Cited by 17 (6 self)
 Add to MetaCart
We present a new mechanized prover for showing correspondence assertions for cryptographic protocols in the computational model. Correspondence assertions are useful in particular for establishing authentication. Our technique produces proofs by sequences of games, as standard in cryptography. These proofs are valid for a number of sessions polynomial in the security parameter, in the presence of an active adversary. Our technique can handle a wide variety of cryptographic primitives, including shared and publickey encryption, signatures, message authentication codes, and hash functions. It has been implemented in the tool CryptoVerif and successfully tested on examples from the literature.
Cryptographically sound implementations for communicating processes
, 2006
"... Abstract. We design a core language of principals running distributed programs over a public network. Our language is a variant of the pi calculus, with secure communications, mobile names, and highlevel certificates, but without any explicit cryptography. Within this language, security properties ..."
Abstract

Cited by 16 (4 self)
 Add to MetaCart
Abstract. We design a core language of principals running distributed programs over a public network. Our language is a variant of the pi calculus, with secure communications, mobile names, and highlevel certificates, but without any explicit cryptography. Within this language, security properties can be conveniently studied using trace properties and observational equivalences, even in the presence of an arbitrary (abstract) adversary. With some care, these security properties can be achieved in a concrete setting, relying on standard cryptographic primitives and computational assumptions, even in the presence of an adversary modeled as an arbitrary probabilistic polynomialtime algorithm. To this end, we develop a cryptographic implementation that preserves all properties for all safe programs. We give a series of soundness and completeness results that precisely relate the language to its implementation. 1 Secure Implementations of Communications Abstractions When designing and verifying security protocols, some level of idealization is needed to provide manageable mathematical treatment. Accordingly, two views of cryptography