## Verifying secrets and relative secrecy (2000)


Venue: Symposium on Principles of Programming Languages (POPL'00)

Citations: 50 - 0 self

### BibTeX

```bibtex
@INPROCEEDINGS{Volpano00verifyingsecrets,
  author    = {Dennis Volpano and Geoffrey Smith},
  title     = {Verifying secrets and relative secrecy},
  booktitle = {Symposium on Principles of Programming Languages (POPL'00)},
  year      = {2000},
  publisher = {ACM}
}
```


### Abstract

Systems that authenticate a user based on a shared secret (such as a password or PIN) normally allow anyone to query whether the secret is a given value. For example, an ATM machine allows one to ask whether a string is the secret PIN of a (lost or stolen) ATM card. Yet such queries are prohibited in any model whose programs satisfy an information-flow property like Noninterference. But there is complexity-based justification for allowing these queries. A type system is given that provides the access control needed to prove that no well-typed program can leak secrets in polynomial time, or even leak them with nonnegligible probability if secrets are of sufficient length and randomly chosen. However, there are well-typed deterministic programs in a synchronous concurrent model capable of leaking secrets in linear time.

### Citations

- Applied Cryptography - Schneier - 1996 (1109 citations)
  Citation context: "...perations on a secret key and one exploits the fact that the implementation is optimized according to certain bits of the key. An example is the C implementation of the block cipher algorithm IDEA in [10] (see pg. 640). The default is to avoid multiplication when certain bits of a key are zero. The essence of this sort of attack can be formulated within the synchronous concurrent model. To formulate i..."

- Security policies and security models - Goguen, Meseguer - 1982 (774 citations)
  Citation context: "...query as match(e), which is true iff h = e, then a brute-force attack on h can be represented by a simple loop: l := 0; while ¬match(l) do l := l + 1 An information-flow property like Noninterference [5, 15, 12, 14] rejects the program. Given that h has security class H (high) and l has security class L (low), Noninterference ∗ Computer Science Department, Naval Postgraduate School, Monterey, California 93943. E..."

- Introduction to the Theory of Computation - Sipser - 1996 (562 citations)
  Citation context: "...by proving that no well-typed program that is capable of deducing h runs in time bounded by a polynomial in k (the size of h). Notice that such a result appears to separate P and NP (see pg. 373 of [11]), as a well-typed nondeterministic program can guess h and verify its guess with match in time linear in k. But our result actually separates relativized forms of P and NP because of our use of the..."

- JFlow: Practical mostly-static information flow control - Myers - 1999 (486 citations)
  Citation context: "...result of such an attempt from being observed by an arbitrary user. One way around this restriction is to allow privileged users to explicitly declassify the result, allowing some information to leak [9]. If a password checker merely returns the result of a match query, then the declassification could be justified knowing that any attempt to exploit the checker in order 5 When we run the algorithm an..."

- Timing Attacks on Implementations of Diffie-Hellman - Kocher - 1996 (483 citations)
  Citation context: "...hat can be exploited to leak a secret perfectly in time linear in its size. Examples of multi-threaded programs capable of doing this can be found in timing attacks on implementations of cryptography [7]. Here there are bit-wise operations on a secret key and one exploits the fact that the implementation is optimized according to certain bits of the key. An example is the C implementation of the bloc..."

- A sound type system for secure flow analysis - Volpano, Smith, et al. - 1996 (443 citations)
  Citation context: "...query as match(e), which is true iff h = e, then a brute-force attack on h can be represented by a simple loop: l := 0; while ¬match(l) do l := l + 1 An information-flow property like Noninterference [5, 15, 12, 14] rejects the program. Given that h has security class H (high) and l has security class L (low), Noninterference ∗ Computer Science Department, Naval Postgraduate School, Monterey, California 93943. E..."

- Secure Information Flow in a Multi-threaded Imperative Language - Smith, Volpano - 1998 (209 citations)
  Citation context: "...query as match(e), which is true iff h = e, then a brute-force attack on h can be represented by a simple loop: l := 0; while ¬match(l) do l := l + 1 An information-flow property like Noninterference [5, 15, 12, 14] rejects the program. Given that h has security class H (high) and l has security class L (low), Noninterference ∗ Computer Science Department, Naval Postgraduate School, Monterey, California 93943. E..."

- A probabilistic polytime framework for protocol analysis - Lincoln, Mitchell, et al. - 1998 (114 citations)
  Citation context: "...s to fh and calls to f rests squarely upon the hardness of inverting f. Turing reductions have also been used in proving the security of RSA-based signature schemes [3, 4] and cryptographic protocols [6, 8]. Again the basic idea is to prove that the security of a protocol rests on the strength of its cryptographic primitives. Our synchronous concurrency example shows that if an intruder can observe the..."

- Probabilistic noninterference in a concurrent language - Volpano, Smith - 1999 (96 citations)

- Eliminating covert flows with minimum typings - Volpano, Smith - 1997 (69 citations)

- The exact security of digital signatures-how to sign with RSA - Bellare, Rogaway - 1996 (47 citations)
  Citation context: "...a well-typed program with references to fh and calls to f rests squarely upon the hardness of inverting f. Turing reductions have also been used in proving the security of RSA-based signature schemes [3, 4] and cryptographic protocols [6, 8]. Again the basic idea is to prove that the security of a protocol rests on the strength of its cryptographic primitives. Our synchronous concurrency example shows t..."

- Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems - Kocher - 1996 (31 citations)

- Practice-oriented provable security - Bellare - 1997 (27 citations)
  Citation context: "...a well-typed program with references to fh and calls to f rests squarely upon the hardness of inverting f. Turing reductions have also been used in proving the security of RSA-based signature schemes [3, 4] and cryptographic protocols [6, 8]. Again the basic idea is to prove that the security of a protocol rests on the strength of its cryptographic primitives. Our synchronous concurrency example shows t..."

- Secure information flow in a multi-threaded imperative language - Smith, Volpano - 1998 (23 citations)

- A sound type system for secure flow analysis - Volpano, Smith, et al. - 1996 (17 citations)

- JFlow: Practical mostly-static information flow control - Myers - 1999 (11 citations)

- Eliminating covert flows with minimum typings - Volpano, Smith - 1997 (3 citations)

- The generation of random numbers that are provably prime - Beauchemin, Brassard, et al. - 1988 (1 citation)
  Citation context: "...and we run the algorithm for some value of h and it terminates with l = n, then this does not imply h = n with probability .99. The same argument applies to probabilistic primality testing algorithms [2]. to learn a password is subject to the limitations of Theorems 3.1 and 3.2. Note we have said nothing about the role of the type system at this point. Type checking would be performed on any program..."

- Provable security for cryptographic protocols: exact analysis and engineering applications - Gray, Ip, et al. - 1998 (1 citation)
  Citation context: "...s to fh and calls to f rests squarely upon the hardness of inverting f. Turing reductions have also been used in proving the security of RSA-based signature schemes [3, 4] and cryptographic protocols [6, 8]. Again the basic idea is to prove that the security of a protocol rests on the strength of its cryptographic primitives. Our synchronous concurrency example shows that if an intruder can observe the..."