Results 11 - 20 of 378
Soundness of formal encryption in the presence of active adversaries
In Proc. 1st Theory of Cryptography Conference (TCC), volume 2951 of LNCS, 2004
Cited by 97 (11 self)
Abstract. We present a general method to prove security properties of cryptographic protocols against active adversaries, when the messages exchanged by the honest parties are arbitrary expressions built using encryption and concatenation operations. The method allows to express security properties and carry out proofs using a simple logic based language, where messages are represented by syntactic expressions, and does not require dealing with probability distributions or asymptotic notation explicitly. Still, we show that the method is sound, meaning that logic statements can be naturally interpreted in the computational setting in such a way that if a statement holds true for any abstract (symbolic) execution of the protocol in the presence of a Dolev-Yao adversary, then its computational interpretation is also correct in the standard computational model where the adversary is an arbitrary probabilistic polynomial time program. This is the first paper providing a simple framework for translating security proofs from the logic setting to the standard computational setting for the case of powerful active adversaries that have total control of the communication network.
Formal certification of code-based cryptographic proofs
4th Workshop on Formal and Computational Cryptography (FCC, 2008
Cited by 84 (25 self)
As cryptographic proofs have become essentially unverifiable, cryptographers have argued in favor of developing techniques that help tame the complexity of their proofs. Game-based techniques provide a popular approach in which proofs are structured as sequences of games, and in which proof steps establish the validity of transitions between successive games. Code-based techniques form an instance of this approach that takes a code-centric view of games, and that relies on programming language theory to justify proof steps. While code-based techniques contribute to formalize the security statements precisely and to carry out proofs systematically, typical proofs are so long and involved that formal verification is necessary to achieve a high degree of confidence. We present CertiCrypt, a framework that enables the machine-checked construction and verification of code-based proofs. CertiCrypt is built upon the general-purpose proof assistant Coq, and draws on many areas, including probability, complexity, algebra, and semantics of programming languages. CertiCrypt provides certified tools to reason about the equivalence of probabilistic programs, including a relational Hoare logic, a theory of observational equivalence, verified program transformations, and game-based techniques such as reasoning about failure events. The usefulness of CertiCrypt is demonstrated through classical examples, including a proof of semantic security of OAEP (with a bound that improves upon [9]), and a proof of existential unforgeability of FDH signatures. Our work provides a first yet significant step towards Halevi’s ambitious programme [21] of providing tool support for cryptographic proofs.
Verified interoperable implementations of security protocols
Cited by 80 (28 self)
We present an architecture and tools for verifying implementations of security protocols. Our implementations can run with both concrete and symbolic implementations of cryptographic algorithms. The concrete implementation is for production and interoperability testing. The symbolic implementation is for debugging and formal verification. We develop our approach for protocols written in F#, a dialect of ML, and verify them by compilation to ProVerif, a resolution-based theorem prover for cryptographic protocols. We establish the correctness of this compilation scheme, and we illustrate our approach with protocols for Web Services security. Categories and Subject Descriptors: F.3.2 [Theory of Computation]: Logics and meanings of programs—
Formal Methods for Cryptographic Protocol Analysis: Emerging Issues and Trends
2003
Cited by 78 (0 self)
The history of the application of formal methods to cryptographic protocol analysis spans over 20 years and recently has been showing signs of new maturity and consolidation. Not only have a number of specialized tools been developed, and general-purpose ones been adapted, but people have begun applying these tools to realistic protocols, in many cases supplying feedback to designers that can be used to improve the protocol’s security. In this paper, we will describe some of the ongoing work in this area, as well as describe some of the new challenges and the ways in which they are being met.
Circular-Secure Encryption from Decision Diffie-Hellman
2008
Cited by 74 (9 self)
Let E be a public-key encryption system and let (pk_i, sk_i) be public/private key pairs for E for i = 0,..., n. A natural question is whether E remains secure once an adversary obtains an encryption cycle, which consists of the encryption of sk_i under pk_((i mod n)+1) for all i = 1,..., n. Surprisingly, even strong notions of security such as chosen-ciphertext security appear to be insufficient for proving security in these settings. Since encryption cycles come up naturally in several applications, it is desirable to construct systems that remain secure in the presence of such cycles. Until now, all known constructions have only been proved secure in the random oracle model. We construct an encryption system that is circular-secure under the Decision Diffie-Hellman assumption, without relying on random oracles. Our proof of security holds even if the adversary obtains an encryption clique, that is, encryptions of sk_i under pk_j for all 0 ≤ i, j ≤ n. We also construct a circular counterexample: a one-way secure encryption scheme that becomes completely insecure if an encryption cycle of length 2 is published.
Semantics and Program Analysis of Computationally Secure Information Flow
2001
Cited by 74 (6 self)
This paper presents a definition of secure information flow. It is not based on noninterference, but on computational indistinguishability of the secret inputs, when the public outputs are observed. This definition allows cryptographic primitives to be handled. This paper also presents a Denning-style information-flow analysis for programs that use encryption as a primitive operation. The proof of the correctness of the analysis is sketched.
Symmetric Encryption in a Simulatable Dolev-Yao Style Cryptographic Library
In Proc. 17th IEEE Computer Security Foundations Workshop (CSFW, 2004
Cited by 72 (20 self)
Recently we solved the longstanding open problem of justifying a Dolev-Yao type model of cryptography as used in virtually all automated protocol provers under active attacks. The justification was done by defining an ideal system handling Dolev-Yao-style terms and a cryptographic realization with the same user interface, and by showing that the realization is as secure as the ideal system in the sense of reactive simulatability. This definition encompasses arbitrary active attacks and enjoys general composition and property-preservation properties. Security holds in the standard model of cryptography and under standard assumptions of adaptively secure primitives.
Computationally sound, automated proofs for security protocols
2005
Cited by 70 (13 self)
Abstract. Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomial-time attacks. The other approach relies on a symbolic model of protocol executions in which cryptographic primitives are treated as black boxes. Since the seminal work of Dolev and Yao, it has been realized that this latter approach enables significantly simpler and often automated proofs. However, the guarantees that it offers have been quite unclear. In this paper, we show that it is possible to obtain the best of both worlds: fully automated proofs and strong, clear security guarantees. Specifically, for the case of protocols that use signatures and asymmetric encryption, we establish that symbolic integrity and secrecy proofs are sound with respect to the computational model. The main new challenges concern secrecy properties for which we obtain the first soundness result for the case of active adversaries. Our proofs are carried out using Casrul, a fully automated tool.
Opacity generalised to transition systems
in "Revised Selected Papers of the 3rd International Workshop on Formal Aspects in Security and Trust (FAST’05), Newcastle upon, 2005
Cited by 69 (7 self)
Abstract. Recently, opacity has proved to be a promising technique for describing security properties. Much of the work has been couched in terms of Petri nets. Here, we extend the notion of opacity to the model of labelled transition systems and generalise opacity in order to better represent concepts from the work on information flow. In particular, we establish links between opacity and the information flow concepts of anonymity and noninterference such as noninference. We also investigate ways of verifying opacity when working with Petri nets. Our work is illustrated by an example modelling requirements upon a simple voting system.
Encryption-Scheme Security in the Presence of Key-Dependent Messages
In Selected Areas in Cryptography, volume 2595 of LNCS, 2002
Cited by 68 (3 self)
Encryption that is only semantically secure should not be used on messages that depend on the underlying secret key; all bets are off when, for example, one encrypts using a shared key K the value K. Here we introduce a new notion of security, KDM security, appropriate for key-dependent messages. The notion makes sense in both the public-key and shared-key settings. For the latter we show that KDM security is easily achievable within the random-oracle model. By developing and achieving stronger notions of encryption-scheme security it is hoped that protocols which are proven secure under "formal" models of security can, in time, be safely realized by generically instantiating their primitives.