Results 1  10
of
17
The reactive simulatability (RSIM) framework for asynchronous systems
 Information and Computation
, 2007
"... We define reactive simulatability for general asynchronous systems. Roughly, simulatability means that a real system implements an ideal system (specification) in a way that preserves security in a general cryptographic sense. Reactive means that the system can interact with its users multiple times ..."
Abstract

Cited by 37 (5 self)
 Add to MetaCart
(Show Context)
We define reactive simulatability for general asynchronous systems. Roughly, simulatability means that a real system implements an ideal system (specification) in a way that preserves security in a general cryptographic sense. Reactive means that the system can interact with its users multiple times, e.g., in many concurrent protocol runs or a multiround game. In terms of distributed systems, reactive simulatability is a type of refinement that preserves particularly strong properties, in particular confidentiality. A core feature of reactive simulatability is composability, i.e., the real system can be plugged in instead of the ideal system within arbitrary larger systems; this is shown in followup papers, and so is the preservation of many classes of individual security properties from the ideal to the real systems. A large part of this paper defines a suitable system model. It is based on probabilistic IO automata (PIOA) with two main new features: One is generic distributed scheduling. Important special cases are realistic adversarial scheduling, procedurecalltype scheduling among colocated system parts, and special schedulers such as for fairness, also in combinations. The other is the definition of the reactive runtime via a realization by Turing machines such that notions like polynomialtime are composable. The simple complexity of the transition functions of the automata is not composable. As specializations of this model we define securityspecific concepts, in particular a separation between honest users and adversaries and several trust models. The benefit of IO automata as the main model, instead of only interactive Turing machines as usual in cryptographic multiparty computation, is that many cryptographic systems can be specified with an ideal system consisting of only one simple, deterministic IO automaton without any cryptographic objects, as many followup papers show. This enables the use of classic formal methods and automatic proof tools for proving larger distributed protocols and systems that use these cryptographic systems.
Secrecy analysis in protocol composition logic
 Proceedings of 11th Annual Asian Computing Science Conference
, 2006
"... Abstract. Extending a compositional protocol logic with an induction rule for secrecy, we prove soundness for a conventional symbolic protocol execution model, adapt and extend previous composition theorems, and illustrate the logic by proving properties of two key agreement protocols. The first exa ..."
Abstract

Cited by 13 (5 self)
 Add to MetaCart
(Show Context)
Abstract. Extending a compositional protocol logic with an induction rule for secrecy, we prove soundness for a conventional symbolic protocol execution model, adapt and extend previous composition theorems, and illustrate the logic by proving properties of two key agreement protocols. The first example is a variant of the NeedhamSchroeder protocol that illustrates the ability to reason about temporary secrets. The second example is Kerberos V5. The modular nature of the secrecy and authentication proofs for Kerberos makes it possible to reuse proofs about the basic version of the protocol for the PKINIT version that uses publickey infrastructure instead of shared secret keys in the initial steps. 1
Computationally Sound Mechanized Proofs for Basic and Publickey Kerberos
, 2008
"... We present a computationally sound mechanized analysis of Kerberos 5, both with and without its publickey extension PKINIT. We prove authentication and key secrecy properties using the prover CryptoVerif, which works directly in the computational model; these are the first mechanical proofs of a fu ..."
Abstract

Cited by 10 (4 self)
 Add to MetaCart
We present a computationally sound mechanized analysis of Kerberos 5, both with and without its publickey extension PKINIT. We prove authentication and key secrecy properties using the prover CryptoVerif, which works directly in the computational model; these are the first mechanical proofs of a full industrial protocol at the computational level. We also generalize the notion of key usability and use CryptoVerif to prove that this definition is satisfied by keys in Kerberos.
V.: Provablesecurity analysis of authenticated encryption
"... Kerberos is a widelydeployed network authentication protocol that is being considered for standardization. Many works have analyzed its security, identifying flaws and often suggesting fixes, thus helping the protocol’s evolution. Several recent results present successful formalmethodsbased verif ..."
Abstract

Cited by 9 (0 self)
 Add to MetaCart
(Show Context)
Kerberos is a widelydeployed network authentication protocol that is being considered for standardization. Many works have analyzed its security, identifying flaws and often suggesting fixes, thus helping the protocol’s evolution. Several recent results present successful formalmethodsbased verification of a significant portion of the current version 5, and some even imply security in the computational setting. For these results to be meaningful, encryption in Kerberos should satisfy strong cryptographic security notions. However, neither currently deployed as part of Kerberos encryption schemes nor their proposed revisions are known to provably satisfy such notions. We take a close look at Kerberos ’ encryption and confirm that most of the options in the current version provably provide privacy and authenticity, some with slight modification that we suggest. Our results complement the formalmethodsbased analysis of Kerberos that justifies its current design.
On simulatability soundness and mapping soundness of symbolic cryptography. IACR Cryptology ePrint Archive 2007/233
, 2007
"... Abstract. The abstraction of cryptographic operations by term algebras, called DolevYao models or symbolic cryptography, is essential in almost all toolsupported methods for proving security protocols. Recently significant progress was made – using two conceptually different approaches – in provi ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
(Show Context)
Abstract. The abstraction of cryptographic operations by term algebras, called DolevYao models or symbolic cryptography, is essential in almost all toolsupported methods for proving security protocols. Recently significant progress was made – using two conceptually different approaches – in proving that DolevYao models can be sound with respect to actual cryptographic realizations and security definitions. One such approach is grounded on the notion of simulatability, which constitutes a salient technique of Modern Cryptography with a longstanding history for a variety of different tasks. The other approach strives for the socalled mapping soundness – a more recent technique that is tailored to the soundness of specific security properties in DolevYao models, and that can be established using more compact proofs. Typically, both notions of soundness for similar DolevYao models are established separately in independent papers. This paper relates the two approaches for the first time. Our main result is that simulatability soundness entails mapping soundness provided that both approaches use the same cryptographic implementation. Hence, future research may well concentrate on simulatability soundness whenever applicable, and resort to mapping soundness in those cases where simulatability soundness constitutes too strong a notion. 1
Inductive proofs of computational secrecy
 In ESORICS
, 2007
"... Abstract. Secrecy properties of network protocols assert that no probabilistic polynomialtime distinguisher can win a suitable game presented by a challenger. Because such properties are not determined by tracebytrace behavior of the protocol, we establish a tracebased protocol condition, suitabl ..."
Abstract

Cited by 5 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Secrecy properties of network protocols assert that no probabilistic polynomialtime distinguisher can win a suitable game presented by a challenger. Because such properties are not determined by tracebytrace behavior of the protocol, we establish a tracebased protocol condition, suitable for inductive proofs, that guarantees a generic reduction from protocol attacks to attacks on underlying primitives. We use this condition to present a compositional inductive proof system for secrecy, and illustrate the system by giving a modular, formal proof of computational authentication and secrecy properties of Kerberos V5. 1
A browserbased kerberos authentication scheme
 In ESORICS
, 2008
"... Abstract. When two players wish to share a security token (e.g., for the purpose of authentication and accounting), they call a trusted third party. This idea is the essence of Kerberos protocols, which are widely deployed in a large scale of computer networks. Browserbased Kerberos protocols are t ..."
Abstract

Cited by 4 (3 self)
 Add to MetaCart
(Show Context)
Abstract. When two players wish to share a security token (e.g., for the purpose of authentication and accounting), they call a trusted third party. This idea is the essence of Kerberos protocols, which are widely deployed in a large scale of computer networks. Browserbased Kerberos protocols are the derivates with the exception that the Kerberos client application is a commodity Web browser. Whereas the native Kerberos protocol has been repeatedly peerreviewed without finding flaws, the history of browserbased Kerberos protocols is tarnished with negative results due to the fact that subtleties of browsers have been disregarded. We propose a browserbased Kerberos protocol based on client certificates and prove its security in the extended formal model for browserbased mutual authentication introduced at ACM ASIACCS’08. 1
S.: Universally composable symbolic analysis of Diffie–Hellman based key exchange. Cryptology ePrint Archive, Report 2010/303
, 2010
"... Canetti and Herzog (TCC’06) show how to efficiently perform fully automated, computationally sound security analysis of key exchange protocols with an unbounded number of sessions. A key tool in their analysis is composability, which allows deducing security of the multisession case from the securi ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
Canetti and Herzog (TCC’06) show how to efficiently perform fully automated, computationally sound security analysis of key exchange protocols with an unbounded number of sessions. A key tool in their analysis is composability, which allows deducing security of the multisession case from the security of a single session. However, their framework only captures protocols that use public key encryption as the only cryptographic primitive, and only handles static corruptions. We extend the [CH’06] modeling in two ways. First, we handle also protocols that use digital signatures and DiffieHellman exchange. Second, we handle also forward secrecy under fully adaptive party corruptions. This allows us to automatically analyze systems that use an unbounded number of sessions of realistic key exchange protocols such as the ISO 97983 or TLS protocol. A central tool in our treatment is a new abstract modeling of plain DiffieHellman key exchange. Specifically, we show that plain DiffieHellman securely realizes an idealized version of
Formal proofs of cryptographic security of DiffieHellmanbased protocols
, 2007
"... Abstract. We present axioms and inference rules for reasoning about DiffieHellmanbased key exchange protocols and use these rules to prove authentication and secrecy properties of two important protocol standards, the DiffieHellman variant of Kerberos, and IKEv2, the revised standard key manageme ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
(Show Context)
Abstract. We present axioms and inference rules for reasoning about DiffieHellmanbased key exchange protocols and use these rules to prove authentication and secrecy properties of two important protocol standards, the DiffieHellman variant of Kerberos, and IKEv2, the revised standard key management protocol for IPSEC. The new proof system is sound for an accepted semantics used in cryptographic studies. In the process of applying our system, we uncover a deficiency in DiffieHellman Kerberos that is easily repaired. 1
M.: Ideal Key Derivation and Encryption in SimulationBased Security
 In: Topics in Cryptology  CTRSA’11. Volume 6558 of LNCS
, 2011
"... new keys from other keys. To be able to analyze such protocols in a composable way, in this paper we extend an ideal functionality for symmetric and publickey encryption proposed in previous work by a mechanism for key derivation. We also equip this functionality with message authentication codes ( ..."
Abstract

Cited by 3 (1 self)
 Add to MetaCart
(Show Context)
new keys from other keys. To be able to analyze such protocols in a composable way, in this paper we extend an ideal functionality for symmetric and publickey encryption proposed in previous work by a mechanism for key derivation. We also equip this functionality with message authentication codes (MACs) and ideal nonce generation. We show that the resulting ideal functionality can be realized based on standard cryptographic assumptions and constructions, hence, providing a solid foundation for faithful, composable cryptographic analysis of realworld security protocols. Based on this new functionality, we identify sufficient criteria for protocols to provide universally composable key exchange and secure channels. Since these criteria are based on the new ideal functionality, checking the criteria requires merely informationtheoretic or even only syntactical arguments, rather than involved reduction arguments. As a case study, we use our method to analyze two central protocols of the IEEE 802.11i standard, namely the 4Way Handshake Protocol and the CCM Protocol, proving composable security properties. As to the best of our knowledge, this constitutes the first rigorous cryptographic analysis of these protocols.