Results 1  10
of
28
Soundness of formal encryption in the presence of active adversaries
 In Proc. 1st Theory of Cryptography Conference (TCC), volume 2951 of LNCS
, 2004
"... Abstract. We present a general method to prove security properties of cryptographic protocols against active adversaries, when the messages exchanged by the honest parties are arbitrary expressions built using encryption and concatenation operations. The method allows to express security properties ..."
Abstract

Cited by 103 (10 self)
 Add to MetaCart
(Show Context)
Abstract. We present a general method to prove security properties of cryptographic protocols against active adversaries, when the messages exchanged by the honest parties are arbitrary expressions built using encryption and concatenation operations. The method allows to express security properties and carry out proofs using a simple logic based language, where messages are represented by syntactic expressions, and does not require dealing with probability distributions or asymptotic notation explicitly. Still, we show that the method is sound, meaning that logic statements can be naturally interpreted in the computational setting in such a way that if a statement holds true for any abstract (symbolic) execution of the protocol in the presence of a DolevYao adversary, then its computational interpretation is also correct in the standard computational model where the adversary is an arbitrary probabilistic polynomial time program. This is the first paper providing a simple framework for translating security proofs from the logic setting to the standard computational setting for the case of powerful active adversaries that have total control of the communication network. 1
Symmetric Encryption in a Simulatable DolevYao Style Cryptographic Library
 In Proc. 17th IEEE Computer Security Foundations Workshop (CSFW
, 2004
"... Recently we solved the longstanding open problem of justifying a DolevYao type model of cryptography as used in virtually all automated protocol provers under active attacks. The justification was done by defining an ideal system handling DolevYaostyle terms and a cryptographic realization wi ..."
Abstract

Cited by 72 (19 self)
 Add to MetaCart
Recently we solved the longstanding open problem of justifying a DolevYao type model of cryptography as used in virtually all automated protocol provers under active attacks. The justification was done by defining an ideal system handling DolevYaostyle terms and a cryptographic realization with the same user interface, and by showing that the realization is as secure as the ideal system in the sense of reactive simulatability. This definition encompasses arbitrary active attacks and enjoys general composition and propertypreservation properties. Security holds in the standard model of cryptography and under standard assumptions of adaptively secure primitives.
Soundness of formal encryption in the presence of keycycles
 In Proc. 10th European Symposium on Research in Computer Security (ESORICS’05), volume 3679 of LNCS
, 2005
"... Abstract. Both the formal and the computational models of cryptography contain the notion of message equivalence or indistinguishability. An encryption scheme provides soundness for indistinguishability if, when mapping formal messages into the computational model, equivalent formal messages are map ..."
Abstract

Cited by 46 (5 self)
 Add to MetaCart
(Show Context)
Abstract. Both the formal and the computational models of cryptography contain the notion of message equivalence or indistinguishability. An encryption scheme provides soundness for indistinguishability if, when mapping formal messages into the computational model, equivalent formal messages are mapped to indistinguishable computational distributions. Previous soundness results are limited in that they do not apply when keycycles are present. We demonstrate that an encryption scheme provides soundness in the presence of keycycles if it satisfies the recentlyintroduced notion of keydependent message (KDM) security. We also show that soundness in the presence of keycycles (and KDM security) neither implies nor is implied by security against chosen ciphertext attack (CCA2). Therefore, soundness for keycycles is possible using a new notion of computational security, not possible using previous such notions, and the relationship between the formal and computational models extends beyond chosenciphertext security. 1
A cryptographically sound security proof of the NeedhamSchroederLowe publickey protocol
 JOURNAL ON SELECTED AREAS IN COMMUN.
, 2004
"... We present a cryptographically sound security proof of the wellknown NeedhamSchroederLowe publickey protocol for entity authentication. This protocol was previously only proved over unfounded abstractions from cryptography. We show that it is secure against arbitrary active attacks if it is imp ..."
Abstract

Cited by 38 (14 self)
 Add to MetaCart
(Show Context)
We present a cryptographically sound security proof of the wellknown NeedhamSchroederLowe publickey protocol for entity authentication. This protocol was previously only proved over unfounded abstractions from cryptography. We show that it is secure against arbitrary active attacks if it is implemented using standard provably secure cryptographic primitives. Nevertheless, our proof does not have to deal with the probabilistic aspects of cryptography and is hence in the scope of current automated proof tools. We achieve this by exploiting a recently proposed DolevYaostyle cryptographic library with a provably secure cryptographic implementation. Besides establishing the cryptographic security of the NeedhamSchroederLowe protocol, our result exemplifies the potential of this cryptographic library and paves the way for the cryptographically sound verification of security protocols by automated proof tools.
Cryptographically Sound Theorem Proving
 In Proc. 19th IEEE CSFW
, 2006
"... We describe a faithful embedding of the DolevYao model of Backes, Pfitzmann, and Waidner (CCS 2003) in the theorem prover Isabelle/HOL. This model is cryptographically sound in the strong sense of reactive simulatability/UC, which essentially entails the preservation of arbitrary security proper ..."
Abstract

Cited by 33 (10 self)
 Add to MetaCart
(Show Context)
We describe a faithful embedding of the DolevYao model of Backes, Pfitzmann, and Waidner (CCS 2003) in the theorem prover Isabelle/HOL. This model is cryptographically sound in the strong sense of reactive simulatability/UC, which essentially entails the preservation of arbitrary security properties under active attacks and in arbitrary protocol environments. The main challenge in designing a practical formalization of this model is to cope with the complexity of providing such strong soundness guarantees. We reduce this complexity by abstracting the model into a sound, lightweight formalization that enables both concise property specifications and efficient application of our proof strategies and their supporting proof tools. This yields the first toolsupported framework for symbolically verifying security protocols that enjoys the strong cryptographic soundness guarantees provided by reactive simulatability/UC. As a proof of concept, we have proved the security of the NeedhamSchroederLowe protocol using our framework.
A cryptographically sound DolevYao style security proof of the OtwayRees protocol
 In Proc. 9th European Symposium on Research in Computer Security (ESORICS
, 2004
"... We present the first cryptographically sound DolevYaostyle security proof of a comprehensive electronic payment system. The payment system is a slightly simplified variant of the 3KP payment system and comprises a variety of different security requirements ranging from basic ones like the impossibi ..."
Abstract

Cited by 26 (10 self)
 Add to MetaCart
(Show Context)
We present the first cryptographically sound DolevYaostyle security proof of a comprehensive electronic payment system. The payment system is a slightly simplified variant of the 3KP payment system and comprises a variety of different security requirements ranging from basic ones like the impossibility of unauthorized payments to more sophisticated properties like disputability. We show that the payment system is secure against arbitrary active attacks, including arbitrary concurrent protocol runs and arbitrary manipulation of bitstrings within polynomial time if the protocol is implemented using provably secure cryptographic primitives. Although we achieve security under cryptographic definitions, our proof does not have to deal with probabilistic aspects of cryptography and is hence within the scope of current proof tools. The reason is that we exploit a recently proposed DolevYaostyle cryptographic library with a provably secure cryptographic implementation. Together with composition and preservation theorems of the underlying model, this allows us to perform the actual proof effort in a deterministic setting corresponding to a slightly extended DolevYao model. 1.
Computationally sound secrecy proofs by mechanized flow analysis
 In Proc. 13th CCS
, 2006
"... A large body of work exists for machineassisted analysis of cryptographic protocols in the formal (DolevYao) model, i.e., by abstracting cryptographic operators as a free algebra. In particular, proving secrecy by typing has shown to be a salient technique as it allowed for elegant and fully autom ..."
Abstract

Cited by 19 (4 self)
 Add to MetaCart
(Show Context)
A large body of work exists for machineassisted analysis of cryptographic protocols in the formal (DolevYao) model, i.e., by abstracting cryptographic operators as a free algebra. In particular, proving secrecy by typing has shown to be a salient technique as it allowed for elegant and fully automated proofs, often
Cryptographically Sound Security Proofs for Basic And PublicKey Kerberos
 Proc. 11th European Symp. on Research. in Comp. Sec
, 2006
"... Abstract We present a computational analysis of basic Kerberos with and without its publickey extension PKINIT in which we consider authentication and key secrecy properties. Our proofs rely on the Dolev–Yaostyle model of Backes, Pfitzmann, and Waidner, which allows for mapping results obtained sym ..."
Abstract

Cited by 16 (4 self)
 Add to MetaCart
Abstract We present a computational analysis of basic Kerberos with and without its publickey extension PKINIT in which we consider authentication and key secrecy properties. Our proofs rely on the Dolev–Yaostyle model of Backes, Pfitzmann, and Waidner, which allows for mapping results obtained symbolically within this model to cryptographically sound proofs if certain assumptions are met. This work was the first verification at the computational level of such a complex fragment of an industrial protocol. By considering a recently fixed version of PKINIT, we extend symbolic correctness results we previously attained in the Dolev– Yao model to cryptographically sound results in the computational model.
Adaptive security of symbolic encryption
 In Proc. 2nd Theory of Cryptography Conference (TCC’05), volume 3378 of LNCS
, 2005
"... Abstract. We prove a computational soundness theorem for the symbolic analysis of cryptographic protocols which extends an analogous theorem of Abadi and Rogaway (J. of Cryptology 15(2):103–127, 2002) to a scenario where the adversary gets to see the encryption of a sequence of adaptively chosen sym ..."
Abstract

Cited by 15 (3 self)
 Add to MetaCart
(Show Context)
Abstract. We prove a computational soundness theorem for the symbolic analysis of cryptographic protocols which extends an analogous theorem of Abadi and Rogaway (J. of Cryptology 15(2):103–127, 2002) to a scenario where the adversary gets to see the encryption of a sequence of adaptively chosen symbolic expressions. The extension of the theorem of Abadi and Rogaway to such an adaptive scenario is nontrivial, and raises issues related to the classic problem of selective decommitment, which do not appear in the original formulation of the theorem. Although the theorem of Abadi and Rogaway applies only to passive adversaries, our extension to adaptive attacks makes it substantially stronger, and powerful enough to analyze the security of cryptographic protocols of practical interest. We exemplify the use of our soundness theorem in the analysis of group key distribution protocols like those that arise in multicast and broadcast applications. Specifically, we provide cryptographic definitions of security for multicast key distribution protocols both in the symbolic as well as the computational framework and use our theorem to prove soundness of the symbolic definition.
Machinechecked security proofs of cryptographic signature schemes
 In Proceedings of ESORICS’05, volume 3xxx of Lecture Notes in Computer Science
, 2005
"... Abstract. Formal methods have been extensively applied to the certification of cryptographic protocols. However, most of these works make the perfect cryptography assumption, i.e. the hypothesis that there is no way to obtain knowledge about the plaintext pertaining to a ciphertext without knowing t ..."
Abstract

Cited by 9 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Formal methods have been extensively applied to the certification of cryptographic protocols. However, most of these works make the perfect cryptography assumption, i.e. the hypothesis that there is no way to obtain knowledge about the plaintext pertaining to a ciphertext without knowing the key. A model that does not require the perfect cryptography assumption is the generic model and the random oracle model. These models provide nonstandard computational models in which one may reason about the computational cost of breaking a cryptographic scheme. Using the machinechecked account of the Generic Model and the Random Oracle Model formalized in Coq, we prove the safety of cryptosystems that depend on a cyclic group (like ElGamal cryptosystem), against interactive generic attacks and we prove the security of blind signatures against interactive attacks. To prove the last step, we use a generic parallel attack to create a forgery signature. 1