Results 1 to 10 of 47
Typechecking zero-knowledge
In CCS 2008, 2008
Cited by 22 (11 self)
This paper presents the first type system for statically analyzing security protocols that are based on zero-knowledge proofs. We show how certain properties offered by zero-knowledge proofs can be characterized in terms of authorization policies and statically enforced by a type system. The analysis is modular and compositional, and provides security proofs for an unbounded number of protocol executions. We develop a new typechecker that conducts the analysis in a fully automated manner. We exemplify the applicability of our technique to real-world protocols by verifying the authenticity and secrecy properties of the Direct Anonymous Attestation (DAA) protocol. The analysis of DAA takes less than three seconds.
Epistemic Logic for the Applied Pi Calculus
Cited by 18 (0 self)
Abstract. We propose an epistemic logic for the applied pi calculus, which is a variant of the pi calculus with extensions for modeling cryptographic protocols. In such a calculus, the security guarantees are usually stated as equivalences. While process calculi provide a natural means to describe the protocols themselves, epistemic logics are often better suited for expressing certain security properties such as secrecy and anonymity. We intend to bridge the gap between these two approaches: using the set of traces generated by a process as models, we define a logic which has constructs for reasoning about both the intruder’s epistemic knowledge and the set of messages in possession of the intruder. As an example we consider two formalizations of privacy in electronic voting and study the relationship between them.
A certifying compiler for zero-knowledge proofs of knowledge based on sigma-protocols
In ESORICS ’10, 2010
Cited by 17 (2 self)
Abstract. Zero-knowledge proofs of knowledge (ZKPoK) are important building blocks for numerous cryptographic applications. Although ZKPoK have very useful properties, their real-world deployment is typically hindered by their significant complexity compared to other (non-interactive) crypto primitives. Moreover, their design and implementation is time-consuming and error-prone. We contribute to overcoming these challenges as follows: We present a comprehensive specification language and a certifying compiler for ZKPoK protocols based on Σ-protocols and composition techniques known in the literature. The compiler allows the fully automatic translation of an abstract description of a proof goal into an executable implementation. Moreover, the compiler overcomes various restrictions of previous approaches, e.g., it supports the important class of exponentiation homomorphisms with hidden-order codomain, needed for privacy-preserving applications such as idemix. Finally, our compiler is certifying, in the sense that it automatically produces a formal proof of security (soundness) of the compiled protocol (currently covering special homomorphisms) using the Isabelle/HOL theorem prover.
Union and intersection types for secure protocol implementations
Cited by 13 (3 self)
We present a new type system for verifying the security of cryptographic protocol implementations. The type system combines prior work on refinement types with union, intersection, and polymorphic types, and with the novel ability to reason statically about the disjointness of types. The increased expressivity enables the analysis of important protocol classes that were previously out of scope for the type-based analyses of protocol implementations. In particular, our types can statically characterize: (i) more usages of asymmetric cryptography, such as signatures of private data and encryptions of authenticated data; (ii) authenticity and integrity properties achieved by showing knowledge of secret data; (iii) applications based on zero-knowledge proofs. The type system comes with a mechanized proof of correctness and an efficient typechecker.
Cryptographic protocol composition via the authentication tests
2009
Cited by 13 (7 self)
Abstract. Although cryptographic protocols are typically analyzed in isolation, they are used in combinations. If a protocol was analyzed alone and shown to meet some security goals, will it still meet those goals when executed together with a second protocol? While not every choice of a second protocol can preserve the goals, there are syntactic criteria for the second protocol that ensure they will be preserved. Our main result strengthens previously known criteria. Our method has three main elements. First, a language L(Π) in classical logic describes executions of a protocol Π, and expresses its security goals. Strand spaces provide the models for L(Π). Second, the strand space “authentication test” principles suggest our syntactic criterion for security goals to be preserved. Third, certain homomorphisms among models for L(Π) preserve the truth of formulas of the syntactic form that security goals take. This provides a way to extract, from a counterexample to a goal that uses both protocols, a counterexample using only the first protocol.
Security protocol verification: Symbolic and computational models
In Principles of Security and Trust, First International Conference, POST 2012, volume 7215 of Lecture Notes in Computer Science, 2012
Cited by 11 (0 self)
Security protocol verification has been a very active research area since the 1990s. This paper surveys various approaches in this area, considering the verification in the symbolic model, as well as the more recent approaches that rely on the computational model or that verify protocol implementations rather than specifications. Additionally, we briefly describe our symbolic security protocol verifier ProVerif and situate it among these approaches.
Models and Proofs of Protocol Security: A Progress Report
2009
Cited by 11 (2 self)
This paper discusses progress in the verification of security protocols. Focusing on a small, classic example, it stresses the use of program-like representations of protocols, and their automatic analysis in symbolic and computational models.
Applied pi calculus
In Formal Models and Techniques for Analyzing Security Protocols, chapter 6. IOS, 2011
Cited by 11 (4 self)
Abstract. The applied pi calculus is a language for modelling security protocols. It is an extension of the pi calculus, a language for studying concurrency and process interaction. This chapter presents the applied pi calculus in a tutorial style. It describes reachability, correspondence, and observational equivalence properties, with examples showing how to model secrecy, authentication, and privacy aspects of protocols.
Enhanced privacy ID from bilinear pairing
2009
Cited by 11 (2 self)
Enhanced Privacy ID (EPID) is a cryptographic scheme that enables the remote authentication of a hardware device while preserving the privacy of the device. EPID can be seen as a direct anonymous attestation scheme with enhanced revocation capabilities. In EPID, a device can be revoked if the private key embedded in the hardware device has been extracted and published widely so that the revocation manager finds the corrupted private key. In addition, the revocation manager can revoke a device based on the signatures the device has signed, if the private key of the device is not known. In this paper, we introduce a new security notion of EPID including the formal definitions of anonymity and unforgeability with revocation. We also give a construction of an EPID scheme from bilinear pairing. Our EPID scheme is efficient and provably secure in the random oracle model under the strong Diffie-Hellman assumption and the decisional Diffie-Hellman assumption.