Refinement types for secure implementations
In 21st IEEE Computer Security Foundations Symposium (CSF'08), 2008
Cited by 111 (24 self)
We present the design and implementation of a typechecker for verifying security properties of the source code of cryptographic protocols and access control mechanisms. The underlying type theory is a λ-calculus equipped with refinement types for expressing pre- and postconditions within first-order logic. We derive formal cryptographic primitives and represent active adversaries within the type theory. Well-typed programs enjoy assertion-based security properties, with respect to a realistic threat model including key compromise. The implementation amounts to an enhanced typechecker for the general-purpose functional language F#; typechecking generates verification conditions that are passed to an SMT solver. We describe a series of checked examples. This is the first tool to verify authentication properties of cryptographic protocols by typechecking their source code.
Formal certification of code-based cryptographic proofs
4th Workshop on Formal and Computational Cryptography (FCC), 2008
Cited by 81 (25 self)
As cryptographic proofs have become essentially unverifiable, cryptographers have argued in favor of developing techniques that help tame the complexity of their proofs. Game-based techniques provide a popular approach in which proofs are structured as sequences of games, and in which proof steps establish the validity of transitions between successive games. Code-based techniques form an instance of this approach that takes a code-centric view of games, and that relies on programming language theory to justify proof steps. While code-based techniques help to formalize the security statements precisely and to carry out proofs systematically, typical proofs are so long and involved that formal verification is necessary to achieve a high degree of confidence. We present CertiCrypt, a framework that enables the machine-checked construction and verification of code-based proofs. CertiCrypt is built upon the general-purpose proof assistant Coq, and draws on many areas, including probability, complexity, algebra, and semantics of programming languages. CertiCrypt provides certified tools to reason about the equivalence of probabilistic programs, including a relational Hoare logic, a theory of observational equivalence, verified program transformations, and game-based techniques such as reasoning about failure events. The usefulness of CertiCrypt is demonstrated through classical examples, including a proof of semantic security of OAEP (with a bound that improves upon [9]), and a proof of existential unforgeability of FDH signatures. Our work provides a first yet significant step towards Halevi's ambitious programme [21] of providing tool support for cryptographic proofs.
Béguelin, S.: Computer-aided security proofs for the working cryptographer
In: Advances in Cryptology – CRYPTO 2011. Lecture Notes in Computer Science, 2011
Cited by 51 (22 self)
We present EasyCrypt, an automated tool for elaborating security proofs of cryptographic systems from proof sketches—compact, formal representations of the essence of a proof as a sequence of games and hints. Proof sketches are checked automatically using off-the-shelf SMT solvers and automated theorem provers, and then compiled into verifiable proofs in the CertiCrypt framework. The tool supports most common reasoning patterns and is significantly easier to use than its predecessors. We argue that EasyCrypt is a plausible candidate for adoption by working cryptographers and illustrate its application to security proofs of the Cramer-Shoup and Hashed ElGamal cryptosystems.
Keywords: provable security, verifiable security, game-based proofs, Cramer-Shoup cryptosystem,
Guiding a general-purpose C verifier to prove cryptographic protocols
In IEEE Computer Security Foundations Symposium (CSF'11), 2011
Cited by 14 (7 self)
We describe how to verify security properties of C code for cryptographic protocols by using a general-purpose verifier. We prove security theorems in the symbolic model of cryptography. Our techniques include: use of ghost state to attach formal algebraic terms to concrete byte arrays and to detect collisions when two distinct terms map to the same byte array; decoration of a crypto API with contracts based on symbolic terms; and expression of the attacker model in terms of C programs. We rely on the general-purpose verifier VCC; we guide VCC to prove security simply by writing suitable header files and annotations in implementation files, rather than by changing VCC itself. We formalize the symbolic model in Coq in order to justify the addition of axioms to VCC.
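The "ghost state" technique in the abstract above (tag each concrete byte array with the symbolic term it stands for, and report a collision when two distinct terms land on the same bytes) can be run as a small executable model. The Python below is an added illustration, not the paper's VCC header files or annotations: the `Term` type, the two wire encoders (`naive_encode`, `tagged_encode`) and the sample terms are constructed for this example. It shows why the collision check matters: a concatenation-only encoding maps the distinct pairs `(ab, c)` and `(a, bc)` to the same bytes, while a tag-and-length encoding keeps every term distinct.

```python
# Added illustration (not the paper's VCC annotations): an executable model of
# the "ghost state" idea. Every concrete byte array is tagged with the symbolic
# (Dolev-Yao) term it stands for, and attaching a second, different term to the
# same bytes is reported as a collision. The encoders and terms are constructed
# for this example.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple


@dataclass(frozen=True)
class Term:
    """A symbolic term: a constructor name and its argument terms."""
    ctor: str
    args: Tuple["Term", ...] = ()


def nonce(label: str) -> Term:
    """Atomic term standing for a nonce whose (constructed) payload is `label`."""
    return Term("nonce:" + label)


def pair(left: Term, right: Term) -> Term:
    return Term("pair", (left, right))


def naive_encode(t: Term) -> bytes:
    """Ambiguous wire format: plain concatenation, no tags or lengths."""
    if t.ctor.startswith("nonce:"):
        return t.ctor[len("nonce:"):].encode()
    return b"".join(naive_encode(a) for a in t.args)


def tagged_encode(t: Term) -> bytes:
    """Unambiguous wire format: a 1-byte type tag and a 2-byte length per field."""
    if t.ctor.startswith("nonce:"):
        payload = t.ctor[len("nonce:"):].encode()
        return b"\x00" + len(payload).to_bytes(2, "big") + payload
    body = b"".join(tagged_encode(a) for a in t.args)
    return b"\x01" + len(body).to_bytes(2, "big") + body


class GhostState:
    """Maps concrete byte arrays to the symbolic term they are meant to represent."""

    def __init__(self) -> None:
        self.table: Dict[bytes, Term] = {}

    def attach(self, data: bytes, term: Term) -> bool:
        """Record that `data` represents `term`. Returns False on a collision,
        i.e. when `data` is already bound to a different term."""
        existing = self.table.get(data)
        if existing is not None and existing != term:
            return False
        self.table[data] = term
        return True


def encoding_is_injective_on(encode: Callable[[Term], bytes],
                             terms: Iterable[Term]) -> bool:
    """Attach every term's encoding to ghost state; True iff no two distinct terms collide."""
    ghost = GhostState()
    return all(ghost.attach(encode(t), t) for t in terms)


# Constructed sample: two distinct pair terms whose naive concatenations coincide,
# plus a nested pair to show the tagged format separating structure as well.
SAMPLE_TERMS = [
    pair(nonce("ab"), nonce("c")),
    pair(nonce("a"), nonce("bc")),
    pair(pair(nonce("a"), nonce("b")), nonce("c")),
]


if __name__ == "__main__":
    print("naive encoding collision-free :", encoding_is_injective_on(naive_encode, SAMPLE_TERMS))
    print("tagged encoding collision-free:", encoding_is_injective_on(tagged_encode, SAMPLE_TERMS))
```

In the paper's setting the same check is a verification condition rather than a runtime test: VCC is asked to prove that the ghost map never receives two different terms for one byte array, which fails exactly for encodings like `naive_encode`.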
A Framework for the Cryptographic Verification of Java-like Programs
Cryptology ePrint Archive, Report 2012/153, 2012
Cited by 13 (1 self)
We consider the problem of establishing cryptographic guarantees, in particular computational indistinguishability, for Java or Java-like programs that use cryptography. For this purpose, we propose a general framework that enables existing program analysis tools that can check (standard) noninterference properties of Java programs to establish cryptographic security guarantees, even if the tools a priori cannot deal with cryptography. The approach that we take is new and combines techniques from program analysis and simulation-based security. Our framework is stated and proved for a Java-like language that comprises a rich fragment of Java. The general idea of our approach should, however, be applicable also to other practical programming languages. As a proof of concept, we use an automatic program analysis tool for checking noninterference properties of Java programs, namely the tool Joana, in order to establish computational indistinguishability for a Java program that involves clients sending encrypted messages over a network, controlled by an active adversary, to a server.
Union and intersection types for secure protocol implementations
Cited by 13 (3 self)
We present a new type system for verifying the security of cryptographic protocol implementations. The type system combines prior work on refinement types, with union, intersection, and polymorphic types, and with the novel ability to reason statically about the disjointness of types. The increased expressivity enables the analysis of important protocol classes that were previously out of scope for the type-based analyses of protocol implementations. In particular, our types can statically characterize: (i) more usages of asymmetric cryptography, such as signatures of private data and encryptions of authenticated data; (ii) authenticity and integrity properties achieved by showing knowledge of secret data; (iii) applications based on zero-knowledge proofs. The type system comes with a mechanized proof of correctness and an efficient typechecker.
Security protocol verification: Symbolic and computational models
Principles of Security and Trust, First International Conference (POST 2012), volume 7215 of Lecture Notes in Computer Science, 2012
Cited by 10 (0 self)
Security protocol verification has been a very active research area since the 1990s. This paper surveys various approaches in this area, considering the verification in the symbolic model, as well as the more recent approaches that rely on the computational model or that verify protocol implementations rather than specifications. Additionally, we briefly describe our symbolic security protocol verifier ProVerif and situate it among these approaches.
Computational Soundness without Protocol Restrictions
2012
Cited by 6 (2 self)
The abstraction of cryptographic operations by term algebras, called Dolev-Yao models, is essential in almost all tool-supported methods for verifying security protocols. Recently significant progress was made in establishing computational soundness results: these results prove that Dolev-Yao style models can be sound with respect to actual cryptographic realizations and security definitions. However, these results came at the cost of imposing various constraints on the set of permitted security protocols: e.g., dishonestly generated keys must not be used, key cycles need to be avoided, and many more. In a nutshell, the cryptographic security definitions did not adequately capture these cases, but were considered carved in stone; in contrast, the symbolic abstractions were bent to reflect cryptographic features and idiosyncrasies, thereby requiring adaptations of existing verification tools. In this paper, we pursue the opposite direction: we consider a symbolic abstraction for public-key encryption and identify two cryptographic definitions called PROG-KDM (programmable key-dependent message) security and MKE (malicious-key extractable) security that we jointly prove to be sufficient for obtaining computational soundness without imposing
Cryptographic Verification by Typing for a Sample Protocol Implementation
Cited by 3 (2 self)
Type systems are effective tools for verifying the security of cryptographic protocols and implementations. They provide automation, modularity and scalability, and have been applied to large protocols. In this tutorial, we illustrate the use of types for verifying authenticity properties, first using a symbolic model of cryptography, then relying on a concrete computational assumption. (1) We introduce refinement types (that is, types carrying formulas to record invariants) for programs written in F# and verified by F7, an SMT-based type checker. (2) We describe a sample authenticated RPC protocol, we implement it in F#, and we specify its security against active adversaries. (3) We develop a sample symbolic library, we present its main cryptographic invariants, and we show that our RPC implementation is perfectly secure when linked to this symbolic library. (4) We implement the same library using concrete cryptographic primitives, we make a standard computational assumption, and we show that our RPC implementation is also secure with overwhelming probability when linked to this concrete library.

1 Verifying Protocol Implementations

Cryptographic Protocols Go Wrong. Security flaws still regularly appear in widely used protocol implementations, sometimes years after their deployment, despite the best efforts of skilled designers, developers, testers, and reviewers. We may organize these flaws into three categories: logical, cryptographic, and implementation flaws.
– As a classic example of a logical flaw, consider the vulnerability in the public-key protocol of Needham and Schroeder (1978), discovered by Lowe (1996) in his seminal paper on model-checking security protocols. This man-in-the-middle attack is the staple example for protocol verification; it is well known in the formal methods research community, and many tools can discover it. Still, for instance, Cervesato et al. (2008) recently discovered that the IETF issued a public-key variant of Kerberos, shipped by multiple vendors, with essentially the same design flaw.
– As an example of a cryptographic flaw, consider the padding-oracle attacks on
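The logical flaw cited above, Lowe's man-in-the-middle attack on the Needham-Schroeder public-key protocol, as an added Python illustration that is not part of the tutorial: the three-message protocol is run in the symbolic model (an `Enc` value stands for `{| payload |}_pk(to)` and only `to` can open it; no real cryptography is involved). The `lowe_fix` flag switches between the original message 2, `{Na, Nb}_pk(A)`, and Lowe's repaired version, `{Na, Nb, B}_pk(A)`, in which the initiator checks that the responder's name matches the peer it intended to talk to. Party names `A`, `B` and the intruder `I`, and the nonce-labelling scheme, are constructed for the example; the PKINIT variant mentioned in the text is not modelled.

```python
# Added illustration (not from the tutorial): NSPK in the symbolic model, Lowe's
# attack against the original protocol, and Lowe's fix. Names and nonces are
# constructed for the example.
import itertools
from dataclasses import dataclass
from typing import Optional, Tuple

_counter = itertools.count(1)


def fresh_nonce(owner: str) -> str:
    return f"N_{owner}_{next(_counter)}"


@dataclass(frozen=True)
class Enc:
    """Symbolic public-key ciphertext {| payload |}_pk(to): only `to` can open it."""
    to: str
    payload: Tuple[str, ...]


def decrypt(msg: Enc, me: str) -> Tuple[str, ...]:
    if msg.to != me:
        raise PermissionError(f"{me} cannot open a message encrypted for {msg.to}")
    return msg.payload


class Initiator:
    def __init__(self, name: str, peer: str, lowe_fix: bool) -> None:
        self.name, self.peer, self.lowe_fix = name, peer, lowe_fix
        self.na: Optional[str] = None
        self.nb: Optional[str] = None

    def msg1(self) -> Enc:
        self.na = fresh_nonce(self.name)
        return Enc(self.peer, (self.na, self.name))        # {Na, A}_pk(peer)

    def msg3(self, m2: Enc) -> Enc:
        payload = decrypt(m2, self.name)
        if payload[0] != self.na:
            raise ValueError("Na does not match")
        # Lowe's fix: message 2 carries the responder's name; abort on mismatch.
        if self.lowe_fix and (len(payload) != 3 or payload[2] != self.peer):
            raise ValueError("responder identity does not match intended peer")
        self.nb = payload[1]
        return Enc(self.peer, (self.nb,))                  # {Nb}_pk(peer)


class Responder:
    def __init__(self, name: str, lowe_fix: bool) -> None:
        self.name, self.lowe_fix = name, lowe_fix
        self.peer: Optional[str] = None
        self.nb: Optional[str] = None
        self.accepted = False

    def msg2(self, m1: Enc) -> Enc:
        na, self.peer = decrypt(m1, self.name)             # trusts the claimed name
        self.nb = fresh_nonce(self.name)
        payload = (na, self.nb, self.name) if self.lowe_fix else (na, self.nb)
        return Enc(self.peer, payload)                     # {Na, Nb[, B]}_pk(claimed)

    def msg3(self, m3: Enc) -> bool:
        (nb,) = decrypt(m3, self.name)
        self.accepted = nb == self.nb
        return self.accepted


def run_honest(lowe_fix: bool) -> bool:
    """A talks to B directly; B should accept and believe its peer is A."""
    a, b = Initiator("A", "B", lowe_fix), Responder("B", lowe_fix)
    m3 = a.msg3(b.msg2(a.msg1()))
    return b.msg3(m3) and b.peer == "A"


def run_lowe_attack(lowe_fix: bool) -> bool:
    """A intends to talk to I. Returns True if I makes B accept 'A' as its peer."""
    a, b = Initiator("A", "I", lowe_fix), Responder("B", lowe_fix)
    na, _ = decrypt(a.msg1(), "I")                        # I opens {Na, A}_pk(I)
    m2 = b.msg2(Enc("B", (na, "A")))                       # I forwards as {Na, A}_pk(B)
    try:
        m3 = a.msg3(m2)                                    # A opens {Na, Nb[, B]}_pk(A)
    except ValueError:
        return False                                       # fix: A sees B, not I, and aborts
    (nb,) = decrypt(m3, "I")                               # I opens {Nb}_pk(I)
    return b.msg3(Enc("B", (nb,))) and b.peer == "A"       # I forwards {Nb}_pk(B)


if __name__ == "__main__":
    print("honest run, original :", run_honest(False))
    print("honest run, with fix :", run_honest(True))
    print("Lowe attack, original:", run_lowe_attack(False))
    print("Lowe attack, with fix:", run_lowe_attack(True))
```

The attack succeeds against the original protocol because nothing in message 2 binds `Nb` to the responder that generated it, so `A` happily returns `Nb` to `I`, who relays it to `B`. With the responder's name included, `A`'s check in `msg3` rejects the relayed message and the run aborts; this is the one-line repair Lowe proposed.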
T.: Bridging the gap from trace properties to uniformity (2014) www.infsec.cs.unisaarland.de/~mohammadi/bridge.html
Cited by 2 (1 self)
Dolev-Yao models of cryptographic operations constitute the foundation of many successful verification tools for security protocols, such as the protocol verifier ProVerif. Research over the past decade has shown that many of these symbolic abstractions are computationally sound, i.e., the absence of attacks against the abstraction entails the security of suitable cryptographic realizations. Most of these computational soundness (CS) results, however, are restricted to trace properties such as authentication. The few promising results that strive for CS for the more comprehensive class of equivalence properties, such as strong secrecy or anonymity, either only consider a limited class of protocols, or are not amenable to fully automated verification, or rely on abstractions for which it is not clear how to formalize any equivalence property beyond (strong) secrecy of payloads. In this work, we identify a general condition under which CS for trace properties implies CS for uniformity of biprocesses, i.e., the class of equivalence properties that ProVerif is able to verify for the applied pi-calculus. As a case study, we show that this general condition holds for a Dolev-Yao model that contains signatures, public-key encryption, and corresponding length functions. We prove this result in the CoSP framework (a general framework for establishing CS results). To this end,