Results 1 
7 of
7
Cryptographically Verifies Implementations for TLS
 CCS'08
, 2008
"... We intend to narrow the gap between concrete implementations of cryptographic protocols and their verified models. We develop and verify a small functional implementation of the Transport Layer Security protocol (TLS 1.0). We make use of the same executable code for interoperability testing against ..."
Abstract

Cited by 33 (5 self)
 Add to MetaCart
We intend to narrow the gap between concrete implementations of cryptographic protocols and their verified models. We develop and verify a small functional implementation of the Transport Layer Security protocol (TLS 1.0). We make use of the same executable code for interoperability testing against mainstream implementations, for automated symbolic cryptographic verification, and for automated computational cryptographic verification. We rely on a combination of recent tools, and we also develop a new tool for extracting computational models from executable code. We obtain strong security guarantees for TLS as used in typical deployments.
Universally Composable Security Analysis of TLS
 In 2nd International Conference on Provable Security, ProvSec 2008, LNCS 5324
"... Abstract. We present a security analysis of the complete TLS protocol in the Universal Composable security framework. This analysis evaluates the composition of key exchange functionalities realized by the TLS handshake with the message transmission of the TLS record layer to emulate secure communic ..."
Abstract

Cited by 11 (1 self)
 Add to MetaCart
Abstract. We present a security analysis of the complete TLS protocol in the Universal Composable security framework. This analysis evaluates the composition of key exchange functionalities realized by the TLS handshake with the message transmission of the TLS record layer to emulate secure communication sessions and is based on the adaption of the secure channel model from Canetti and Krawczyk to the setting where peer identities are not necessarily known prior the protocol invocation and may remain undisclosed. Our analysis shows that TLS, including the DiffieHellman and key transport suites in the unidirectional and bidirectional models of authentication, securely emulates secure communication sessions. Keywords: Universal Composability, TLS/SSL, key exchange, secure sessions
Optimal randomness extraction from a DiffieHellman element
 EUROCRYPT 2009, volume 5479 of LNCS
, 2009
"... Abstract. In this paper, we study a quite simple deterministic randomness extractor from random DiffieHellman elements defined over a prime order multiplicative subgroup G of a finite field Zp (the truncation), and over a group of points of an elliptic curve (the truncation of the abscissa). Inform ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
Abstract. In this paper, we study a quite simple deterministic randomness extractor from random DiffieHellman elements defined over a prime order multiplicative subgroup G of a finite field Zp (the truncation), and over a group of points of an elliptic curve (the truncation of the abscissa). Informally speaking, we show that the least significant bits of a random element in G ⊂ Z ∗ p or of the abscissa of a random point in E(Fp) are indistinguishable from a uniform bitstring. Such an operation is quite efficient, and is a good randomness extractor, since we show that it can extract nearly the same number of bits as the Leftover Hash Lemma can do for most Elliptic Curve parameters and for large subgroups of finite fields. To this aim, we develop a new technique to bound exponential sums that allows us to double the number of extracted bits compared with previous known results proposed at ICALP’06 by Fouque et al. It can also be used to improve previous bounds proposed by Canetti et al. One of the main application of this extractor is to mathematically prove an assumption proposed at Crypto ’07 and used in the security proof of the Elliptic Curve Pseudo Random Generator proposed by the NIST. The second most obvious application is to perform efficient key derivation given DiffieHellman elements. 1
Securing Remote Access Inside Wireless Mesh Networks (Full Version)
"... Abstract. Wireless mesh networks (WMNs) that are being increasingly deployed in communities and public places provide a relatively stable routing infrastructure and can be used for diverse carriermanaged services. As a particular example we consider the scenario where a mobile device initially regis ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Abstract. Wireless mesh networks (WMNs) that are being increasingly deployed in communities and public places provide a relatively stable routing infrastructure and can be used for diverse carriermanaged services. As a particular example we consider the scenario where a mobile device initially registered for the use with one wireless network (its home network) moves to the area covered by another network inside the same mesh. The goal is to establish a secure access to the home network using the infrastructure of the mesh. Classical mechanisms such as VPNs can protect endtoend communication between the mobile device and its home network while remaining transparent to the routing infrastructure. In WMNs this transparency can be misused for packet injection leading to the unnecessary consumption of the communication bandwidth. This may have negative impact on the cooperation of mesh routers which is essential for the connection establishment. In this paper we describe how to establish remote connections inside WMNs while guaranteeing secure endtoend communication between the mobile device and its home network and secure transmission of the corresponding packets along the underlying multihop path. Our solution is a provably secure, yet lightweight and roundoptimal remote network access protocol in which intermediate mesh routers are considered to be part of the security architecture. We also sketch some ideas on the practical realization of the protocol using known standards and mention extensions with regard to forward secrecy, anonymity and accounting. 1
On the Security of TLSDHE in the Standard Model 1
, 2013
"... TLS is the most important cryptographic protocol in use today. However, up to now there is no complete cryptographic security proof in the standard model, nor in any other model. We give the first such proof for the core cryptographic protocol of TLS ciphersuites based on ephemeral DiffieHellman ke ..."
Abstract
 Add to MetaCart
TLS is the most important cryptographic protocol in use today. However, up to now there is no complete cryptographic security proof in the standard model, nor in any other model. We give the first such proof for the core cryptographic protocol of TLS ciphersuites based on ephemeral DiffieHellman key exchange (TLSDHE), which include the cipher suite TLS DHE DSS WITH 3DES EDE CBC SHA mandatory in TLS 1.0 and TLS 1.1. It is impossible to prove security of the TLS Handshake in any classical keyindistinguishabilitybased security model (like e.g. the BellareRogaway or the CanettiKrawczyk model), due to subtle issues with the encryption of the final Finished messages of the TLS Handshake. Therefore we start with proving the security of a truncated version of the TLS Handshake protocol, which has also been considered in previous work on TLS. Then we define the notion of authenticated and confidential channel establishment (ACCE) as a new security model which captures precisely the security properties expected from TLS in practice, and show that the combination of the TLS Handshake protocol with the TLS Record Layer can be proven secure
On the Security of TLSDH and TLSRSA in the Standard Model 1
, 2013
"... TLS is the most important cryptographic protocol in the Internet. At CRYPTO 2012, Jager et al. presented the first proof of the unmodified TLS with ephemeral DiffieHellman key exchange (TLSDHE) for mutual authentication. Since TLS cannot be proven secure under the classical definition of authentic ..."
Abstract
 Add to MetaCart
TLS is the most important cryptographic protocol in the Internet. At CRYPTO 2012, Jager et al. presented the first proof of the unmodified TLS with ephemeral DiffieHellman key exchange (TLSDHE) for mutual authentication. Since TLS cannot be proven secure under the classical definition of authenticated key exchange (AKE), they introduce a new security model called authenticated and confidential channel establishment (ACCE) that captures the security properties expected from TLS in practice. We extend this result in two ways. First we show that the cryptographic cores of the remaining ciphersuites, RSA encrypted key transport (TLSRSA) and static DiffieHellman (TLSDH), can be proven secure for mutual authentication in an extended ACCE model that also allows the adversary to register new public keys. In our security analysis we show that if TLSRSA is instantiated with a CCA secure public key cryptosystem and TLSDH is used in scenarios where a) the knowledge of secret key assumption holds or b) the adversary may not register new public keys at all, both ciphersuites can be proven secure in the standard model under standard security assumptions. Next, we present new and strong definitions of ACCE (and AKE) for serveronly authentication which fit well into the general framework of BellareRogawaystyle models. We show that all three ciphersuites families do remain secure in this serveronly setting. Our work identifies which primitives need to be exchanged in the TLS handshake to obtain strong security results under standard security assumptions (in the standard model) and may so help to guide future revisions of the TLS standard and make improvements to TLS’s extensibility pay off.
Instantiating Random Oracles via UCEs
, 2013
"... This paper provides a (standardmodel) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. Goals and schemes we consider include deterministic PKE; messagelocked encryption; hardcore functions; p ..."
Abstract
 Add to MetaCart
This paper provides a (standardmodel) notion of security for (keyed) hash functions, called UCE, that we show enables instantiation of random oracles (ROs) in a fairly broad and systematic way. Goals and schemes we consider include deterministic PKE; messagelocked encryption; hardcore functions; pointfunction obfuscation; OAEP; encryption secure for keydependent messages; encryption secure under relatedkey attack; proofs of storage; and adaptivelysecure garbled circuits with short tokens. We can take existing, natural and efficient ROM schemes and show that the instantiated scheme resulting from replacing the RO with a UCE function is secure in the standard model. In several cases this results in the first standardmodel schemes for these goals. The definition of UCEsecurity itself is quite simple, asking that outputs of the function look random given some “leakage, ” even if the adversary knows the key, as long as the leakage does not permit the adversary to compute the inputs.