Results 1 - 10 of 156
A computationally sound mechanized prover for security protocols
In IEEE Symposium on Security and Privacy, 2006
Verified interoperable implementations of security protocols
Cited by 81 (29 self)
We present an architecture and tools for verifying implementations of security protocols. Our implementations can run with both concrete and symbolic implementations of cryptographic algorithms. The concrete implementation is for production and interoperability testing. The symbolic implementation is for debugging and formal verification. We develop our approach for protocols written in F#, a dialect of ML, and verify them by compilation to ProVerif, a resolution-based theorem prover for cryptographic protocols. We establish the correctness of this compilation scheme, and we illustrate our approach with protocols for Web Services security. Categories and Subject Descriptors: F.3.2 [Theory of Computation]: Logics and meanings of programs—
Symmetric Encryption in a Simulatable Dolev-Yao Style Cryptographic Library
In Proc. 17th IEEE Computer Security Foundations Workshop (CSFW, 2004
Cited by 72 (19 self)
Recently we solved the long-standing open problem of justifying a Dolev-Yao type model of cryptography as used in virtually all automated protocol provers under active attacks. The justification was done by defining an ideal system handling Dolev-Yao-style terms and a cryptographic realization with the same user interface, and by showing that the realization is as secure as the ideal system in the sense of reactive simulatability. This definition encompasses arbitrary active attacks and enjoys general composition and property-preservation properties. Security holds in the standard model of cryptography and under standard assumptions of adaptively secure primitives.
Computationally sound, automated proofs for security protocols
2005
Cited by 70 (14 self)
Abstract. Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomial-time attacks. The other approach relies on a symbolic model of protocol executions in which cryptographic primitives are treated as black boxes. Since the seminal work of Dolev and Yao, it has been realized that this latter approach enables significantly simpler and often automated proofs. However, the guarantees that it offers have been quite unclear. In this paper, we show that it is possible to obtain the best of both worlds: fully automated proofs and strong, clear security guarantees. Specifically, for the case of protocols that use signatures and asymmetric encryption, we establish that symbolic integrity and secrecy proofs are sound with respect to the computational model. The main new challenges concern secrecy properties for which we obtain the first soundness result for the case of active adversaries. Our proofs are carried out using Casrul, a fully automated tool.
Computationally sound implementations of equational theories against . . .
2008
Cited by 62 (16 self)
In this paper we study the link between formal and cryptographic models for security protocols in the presence of passive adversaries. In contrast to other works, we do not consider a fixed set of primitives but aim at results for arbitrary equational theories. We define a framework for comparing a cryptographic implementation and its idealization with respect to various security notions. In particular, we concentrate on the computational soundness of static equivalence, a standard tool in cryptographic pi calculi. We present a soundness criterion, which for many theories is not only sufficient but also necessary. Finally, to illustrate our framework, we establish the soundness of static equivalence for the exclusive OR and a theory of ciphers and lists.
Towards plaintext-aware public-key encryption without random oracles
Advances in Cryptology – Asiacrypt 2004, volume 3329 of Lecture Notes in Computer Science, 2004
Cited by 50 (0 self)
Abstract. We consider the problem of defining and achieving plaintext-aware encryption without random oracles in the classical public-key model. We provide definitions for a hierarchy of notions of increasing strength: PA0, PA1 and PA2, chosen so that PA1+IND-CPA → IND-CCA1 and PA2+IND-CPA → IND-CCA2. Towards achieving the new notions of plaintext awareness, we show that a scheme due to Damgård [12], denoted DEG, and the “lite” version of the Cramer-Shoup scheme [11], denoted CS-lite, are both PA0 under the DHK0 assumption of [12], and PA1 under an extension of this assumption called DHK1. As a result, DEG is the most efficient proven IND-CCA1 scheme known.
Universally composable symbolic analysis of mutual authentication and key-exchange protocols
In Shai Halevi and Tal Rabin, editors, TCC, volume 3876 of LNCS, 2006
Cited by 49 (5 self)
Abstract. Symbolic analysis of cryptographic protocols is dramatically simpler than full-fledged cryptographic analysis. In particular, it is simple enough to be automated. However, symbolic analysis does not, by itself, provide any cryptographic soundness guarantees. Following recent work on cryptographically sound symbolic analysis, we demonstrate how Dolev-Yao style symbolic analysis can be used to assert the security of cryptographic protocols within the universally composable (UC) security framework. Consequently, our methods enable security analysis that is completely symbolic, and at the same time cryptographically sound with strong composability properties. More specifically, we concentrate on mutual authentication and key-exchange protocols. We restrict attention to protocols that use public-key encryption as their only cryptographic primitive and have a specific restricted format. We define a mapping from such protocols to Dolev-Yao style symbolic protocols, and show that the symbolic protocol satisfies a certain symbolic criterion if and only if the corresponding cryptographic protocol is UC-secure. For mutual authentication, our symbolic criterion is similar to the traditional Dolev-Yao criterion. For key exchange, we demonstrate that the traditional Dolev-Yao style symbolic criterion is insufficient, and formulate an adequate symbolic criterion. Finally, to demonstrate the viability of our treatment, we use an existing tool to automatically verify whether some prominent key-exchange protocols are UC-secure.
Automated Security Proofs with Sequences of Games
Proc. 27th IEEE Symposium on Security, 2006
Cited by 48 (9 self)
Abstract. This paper presents the first automatic technique for proving not only protocols but also primitives in the exact security computational model. Automatic proofs of cryptographic protocols were up to now reserved to the Dolev-Yao model, which however makes quite strong assumptions on the primitives. On the other hand, with the proofs by reductions, in the complexity theoretic framework, more subtle security assumptions can be considered, but security analyses are manual. A process calculus is thus defined in order to take into account the probabilistic semantics of the computational model. It is already rich enough to describe all the usual security notions of both symmetric and asymmetric cryptography, as well as the basic computational assumptions. As an example, we illustrate the use of the new tool with the proof of a quite famous asymmetric primitive: unforgeability under chosen-message attacks (UF-CMA) of the Full-Domain Hash signature scheme under the (trapdoor)-one-wayness of some permutations.
Relating Symbolic and Cryptographic Secrecy
In Proc. IEEE Symposium on Security and Privacy, 2004
Cited by 47 (9 self)
We investigate the relation between symbolic and cryptographic secrecy properties for cryptographic protocols. Symbolic secrecy of payload messages or exchanged keys is arguably the most important notion of secrecy shown with automated proof tools. It means that an adversary restricted to symbolic operations on terms can never get the entire considered object into its knowledge set. Cryptographic secrecy essentially
Soundness of formal encryption in the presence of key-cycles
In Proc. 10th European Symposium on Research in Computer Security (ESORICS’05), volume 3679 of LNCS, 2005
Cited by 46 (5 self)
Abstract. Both the formal and the computational models of cryptography contain the notion of message equivalence or indistinguishability. An encryption scheme provides soundness for indistinguishability if, when mapping formal messages into the computational model, equivalent formal messages are mapped to indistinguishable computational distributions. Previous soundness results are limited in that they do not apply when key-cycles are present. We demonstrate that an encryption scheme provides soundness in the presence of key-cycles if it satisfies the recently-introduced notion of key-dependent message (KDM) security. We also show that soundness in the presence of key-cycles (and KDM security) neither implies nor is implied by security against chosen ciphertext attack (CCA2). Therefore, soundness for key-cycles is possible using a new notion of computational security, not possible using previous such notions, and the relationship between the formal and computational models extends beyond chosen-ciphertext security.