Results 1  10
of
48
Searching for shapes in cryptographic protocols (extended version
, 2006
"... Abstract. We describe a method for enumerating all essentially different executions possible for a cryptographic protocol. We call them the shapes of the protocol. Naturally occurring protocols have only finitely many, indeed very few shapes. Authentication and secrecy properties are easy to determi ..."
Abstract

Cited by 42 (16 self)
 Add to MetaCart
(Show Context)
Abstract. We describe a method for enumerating all essentially different executions possible for a cryptographic protocol. We call them the shapes of the protocol. Naturally occurring protocols have only finitely many, indeed very few shapes. Authentication and secrecy properties are easy to determine from them, as are attacks. cpsa, our Cryptographic Protocol Shape Analyzer, implements the method. In searching for shapes, cpsa starts with some initial behavior, and discovers what shapes are compatible with it. Normally, the initial behavior is the point of view of one participant. The analysis reveals what the other principals must have done, given this participant’s view. 1
Keydependent message security under active attacks  BRSIM/UC . . .
 JOURNAL OF OPERATIONS MANAGEMENT
, 2007
"... Keydependent message security, short KDM security, was introduced by Black, Rogaway and Shrimpton to address the case where key cycles occur among encryptions, e.g., a key is encrypted with itself. It was mainly motivated by key cycles in DolevYao models, i.e., symbolic abstractions of cryptograp ..."
Abstract

Cited by 25 (2 self)
 Add to MetaCart
Keydependent message security, short KDM security, was introduced by Black, Rogaway and Shrimpton to address the case where key cycles occur among encryptions, e.g., a key is encrypted with itself. It was mainly motivated by key cycles in DolevYao models, i.e., symbolic abstractions of cryptography by term algebras, and a corresponding soundness result was later shown by Adão et al. However, both the KDM definition and this soundness result do not allow the general active attacks typical for DolevYao models and for security protocols in general. We extend these definitions so that we can obtain a soundness result under active attacks. We first present a definition AKDM as a KDM equivalent of authenticated symmetric encryption, i.e., it provides chosenciphertext security and integrity of ciphertexts even for key cycles. However, this is not yet sufficient for the desired soundness, and thus we give a definition DKDM that additionally allows limited dynamic revelation of keys. We show that this is sufficient for soundness, even in the strong sense of blackbox reactive simulatability (BRSIM)/UC and including joint terms with other operators. We also present constructions of schemes secure under the new definitions, based on current KDMsecure schemes. Moreover, we explore the relations between the new definitions and existing ones for symmetric encryption in detail, in the sense of implications or separating examples for almost all cases.
Computationally Sound Mechanized Proofs of Correspondence Assertions
, 2007
"... We present a new mechanized prover for showing correspondence assertions for cryptographic protocols in the computational model. Correspondence assertions are useful in particular for establishing authentication. Our technique produces proofs by sequences of games, as standard in cryptography. These ..."
Abstract

Cited by 24 (7 self)
 Add to MetaCart
We present a new mechanized prover for showing correspondence assertions for cryptographic protocols in the computational model. Correspondence assertions are useful in particular for establishing authentication. Our technique produces proofs by sequences of games, as standard in cryptography. These proofs are valid for a number of sessions polynomial in the security parameter, in the presence of an active adversary. Our technique can handle a wide variety of cryptographic primitives, including shared and publickey encryption, signatures, message authentication codes, and hash functions. It has been implemented in the tool CryptoVerif and successfully tested on examples from the literature.
Universally Composable Security Analysis of TLS
 In 2nd International Conference on Provable Security, ProvSec 2008, LNCS 5324
"... Abstract. We present a security analysis of the complete TLS protocol in the Universal Composable security framework. This analysis evaluates the composition of key exchange functionalities realized by the TLS handshake with the message transmission of the TLS record layer to emulate secure communic ..."
Abstract

Cited by 21 (1 self)
 Add to MetaCart
(Show Context)
Abstract. We present a security analysis of the complete TLS protocol in the Universal Composable security framework. This analysis evaluates the composition of key exchange functionalities realized by the TLS handshake with the message transmission of the TLS record layer to emulate secure communication sessions and is based on the adaption of the secure channel model from Canetti and Krawczyk to the setting where peer identities are not necessarily known prior the protocol invocation and may remain undisclosed. Our analysis shows that TLS, including the DiffieHellman and key transport suites in the unidirectional and bidirectional models of authentication, securely emulates secure communication sessions. Keywords: Universal Composability, TLS/SSL, key exchange, secure sessions
Computationally sound secrecy proofs by mechanized flow analysis
 In Proc. 13th CCS
, 2006
"... A large body of work exists for machineassisted analysis of cryptographic protocols in the formal (DolevYao) model, i.e., by abstracting cryptographic operators as a free algebra. In particular, proving secrecy by typing has shown to be a salient technique as it allowed for elegant and fully autom ..."
Abstract

Cited by 19 (4 self)
 Add to MetaCart
(Show Context)
A large body of work exists for machineassisted analysis of cryptographic protocols in the formal (DolevYao) model, i.e., by abstracting cryptographic operators as a free algebra. In particular, proving secrecy by typing has shown to be a salient technique as it allowed for elegant and fully automated proofs, often
Cryptographic protocol composition via the authentication tests
, 2009
"... Abstract. Although cryptographic protocols are typically analyzed in isolation, they are used in combinations. If a protocol was analyzed alone and shown to meet some security goals, will it still meet those goals when executed together with a second protocol? While not every choice of a second prot ..."
Abstract

Cited by 13 (7 self)
 Add to MetaCart
(Show Context)
Abstract. Although cryptographic protocols are typically analyzed in isolation, they are used in combinations. If a protocol was analyzed alone and shown to meet some security goals, will it still meet those goals when executed together with a second protocol? While not every choice of a second protocol can preserve the goals, there are syntactic criteria for the second protocol that ensure they will be preserved. Our main result strengthens previously known criteria. Our method has three main elements. First, a language L(Π) in classical logic describes executions of a protocol Π, and expresses its security goals. Strand spaces provide the models for L(Π). Second, the strand space “authentication test ” principles suggest our syntactic criterion for security goals to be preserved. Third, certain homomorphisms among models for L(Π) preserve the truth of formulas of the syntactic form that security goals take. This provides a way to extract—from a counterexample to a goal that uses both protocols—a counterexample using only the first protocol. 1
Joint State Theorems for PublicKey Encryption and Digitial Signature Functionalities with Local Computation
 In Proc. 21st IEEE Computer Security Foundations Symposium (CSF’08
, 2008
"... Abstract. Composition theorems in simulationbased approaches allow to build complex protocols from subprotocols in a modular way. However, as first pointed out and studied by Canetti and Rabin, this modular approach often leads to impractical implementations. For example, when using a functionalit ..."
Abstract

Cited by 12 (4 self)
 Add to MetaCart
(Show Context)
Abstract. Composition theorems in simulationbased approaches allow to build complex protocols from subprotocols in a modular way. However, as first pointed out and studied by Canetti and Rabin, this modular approach often leads to impractical implementations. For example, when using a functionality for digital signatures within a more complex protocol, parties have to generate new verification and signing keys for every session of the protocol. This motivates to generalize composition theorems to socalled joint state theorems, where different copies of a functionality may share some state, e.g., the same verification and signing keys. In this paper, we present a joint state theorem which is more general than the original theorem of Canetti and Rabin, for which several problems and limitations are pointed out. We apply our theorem to obtain joint state realizations for three functionalities: publickey encryption, replayable publickey encryption, and digital signatures. Unlike most other formulations, our functionalities model that ciphertexts and signatures are computed locally, rather than being provided by the adversary. To obtain the joint state realizations, the functionalities have to be designed carefully. Other formulations are shown to be unsuitable. Our work is based on a recently proposed, rigorous model for simulationbased security by Küsters, called the IITM model. Our definitions and results demonstrate the expressivity and simplicity of this model. For example, unlike Canetti’s UC model, in the IITM model no explicit joint state operator needs to be defined and the joint state theorem follows immediately from the composition theorem in the IITM model.
Security protocol verification: Symbolic and computational models
 PRINCIPLES OF SECURITY AND TRUST  FIRST INTERNATIONAL CONFERENCE, POST 2012, VOLUME 7215 OF LECTURE NOTES IN COMPUTER SCIENCE
, 2012
"... Security protocol verification has been a very active research area since the 1990s. This paper surveys various approaches in this area, considering the verification in the symbolic model, as well as the more recent approaches that rely on the computational model or that verify protocol implementa ..."
Abstract

Cited by 11 (0 self)
 Add to MetaCart
(Show Context)
Security protocol verification has been a very active research area since the 1990s. This paper surveys various approaches in this area, considering the verification in the symbolic model, as well as the more recent approaches that rely on the computational model or that verify protocol implementations rather than specifications. Additionally, we briefly describe our symbolic security protocol verifier ProVerif and situate it among these approaches.
Computationally Sound Mechanized Proofs for Basic and Publickey Kerberos
, 2008
"... We present a computationally sound mechanized analysis of Kerberos 5, both with and without its publickey extension PKINIT. We prove authentication and key secrecy properties using the prover CryptoVerif, which works directly in the computational model; these are the first mechanical proofs of a fu ..."
Abstract

Cited by 11 (4 self)
 Add to MetaCart
We present a computationally sound mechanized analysis of Kerberos 5, both with and without its publickey extension PKINIT. We prove authentication and key secrecy properties using the prover CryptoVerif, which works directly in the computational model; these are the first mechanical proofs of a full industrial protocol at the computational level. We also generalize the notion of key usability and use CryptoVerif to prove that this definition is satisfied by keys in Kerberos.
Analyzing Security Protocols Using TimeBounded TaskPIOAs
, 2007
"... This paper presents the TimeBounded TaskPIOA modeling framework, an extension of the Probabilistic Input/Output Automata (PIOA) framework that can be used for modeling and verifying security protocols. Timebounded taskPIOAs can describe probabilistic and nondeterministic behavior, as well as tim ..."
Abstract

Cited by 9 (3 self)
 Add to MetaCart
This paper presents the TimeBounded TaskPIOA modeling framework, an extension of the Probabilistic Input/Output Automata (PIOA) framework that can be used for modeling and verifying security protocols. Timebounded taskPIOAs can describe probabilistic and nondeterministic behavior, as well as timebounded computation. Together, these features support modeling of important aspects of security protocols, including secrecy requirements and limitations on the computational power of adversarial parties. They also support security protocol verification using methods that are compatible with less formal approaches used in the computational cryptography research community. We illustrate the use of our framework by outlining a proof of functional correctness and security properties for a wellknown Oblivious Transfer protocol.