Results 1  10
of
97
Symmetric Encryption in a Simulatable DolevYao Style Cryptographic Library
 In Proc. 17th IEEE Computer Security Foundations Workshop (CSFW
, 2004
"... Recently we solved the longstanding open problem of justifying a DolevYao type model of cryptography as used in virtually all automated protocol provers under active attacks. The justification was done by defining an ideal system handling DolevYaostyle terms and a cryptographic realization wi ..."
Abstract

Cited by 72 (20 self)
 Add to MetaCart
Recently we solved the longstanding open problem of justifying a DolevYao type model of cryptography as used in virtually all automated protocol provers under active attacks. The justification was done by defining an ideal system handling DolevYaostyle terms and a cryptographic realization with the same user interface, and by showing that the realization is as secure as the ideal system in the sense of reactive simulatability. This definition encompasses arbitrary active attacks and enjoys general composition and propertypreservation properties. Security holds in the standard model of cryptography and under standard assumptions of adaptively secure primitives.
Computationally sound, automated proofs for security protocols
, 2005
"... Abstract. Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomi ..."
Abstract

Cited by 70 (13 self)
 Add to MetaCart
(Show Context)
Abstract. Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomialtime attacks. The other approach relies on a symbolic model of protocol executions in which cryptographic primitives are treated as black boxes. Since the seminal work of Dolev and Yao, it has been realized that this latter approach enables significantly simpler and often automated proofs. However, the guarantees that it offers have been quite unclear. In this paper, we show that it is possible to obtain the best of both worlds: fully automated proofs and strong, clear security guarantees. Specifically, for the case of protocols that use signatures and asymmetric encryption, we establish that symbolic integrity and secrecy proofs are sound with respect to the computational model. The main new challenges concern secrecy properties for which we obtain the first soundness result for the case of active adversaries. Our proofs are carried out using Casrul, a fully automated tool. 1
Relating Symbolic and Cryptographic Secrecy
 IN PROC. IEEE SYMPOSIUM ON SECURITY AND PRIVACY
, 2004
"... We investigate the relation between symbolic and cryptographic secrecy properties for cryptographic protocols. Symbolic secrecy of payload messages or exchanged keys is arguably the most important notion of secrecy shown with automated proof tools. It means that an adversary restricted to symboli ..."
Abstract

Cited by 48 (9 self)
 Add to MetaCart
We investigate the relation between symbolic and cryptographic secrecy properties for cryptographic protocols. Symbolic secrecy of payload messages or exchanged keys is arguably the most important notion of secrecy shown with automated proof tools. It means that an adversary restricted to symbolic operations on terms can never get the entire considered object into its knowledge set. Cryptographic secrecy essentially
Automated Security Proofs with Sequences of Games
 Proc. 27th IEEE Symposium on Security
, 2006
"... Abstract. This paper presents the first automatic technique for proving not only protocols but also primitives in the exact security computational model. Automatic proofs of cryptographic protocols were up to now reserved to the DolevYao model, which however makes quite strong assumptions on the pr ..."
Abstract

Cited by 48 (9 self)
 Add to MetaCart
(Show Context)
Abstract. This paper presents the first automatic technique for proving not only protocols but also primitives in the exact security computational model. Automatic proofs of cryptographic protocols were up to now reserved to the DolevYao model, which however makes quite strong assumptions on the primitives. On the other hand, with the proofs by reductions, in the complexity theoretic framework, more subtle security assumptions can be considered, but security analyses are manual. A process calculus is thus defined in order to take into account the probabilistic semantics of the computational model. It is already rich enough to describe all the usual security notions of both symmetric and asymmetric cryptography, as well as the basic computational assumptions. As an example, we illustrate the use of the new tool with the proof of a quite famous asymmetric primitive: unforgeability under chosenmessage attacks (UFCMA) of the FullDomain Hash signature scheme under the (trapdoor)onewayness of some permutations. 1
Guessing attacks and the computational soundness of static equivalence
 In Proc. 9th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS’06), volume 3921 of LNCS
, 2006
"... ..."
(Show Context)
Soundness of formal encryption in the presence of keycycles
 In Proc. 10th European Symposium on Research in Computer Security (ESORICS’05), volume 3679 of LNCS
, 2005
"... Abstract. Both the formal and the computational models of cryptography contain the notion of message equivalence or indistinguishability. An encryption scheme provides soundness for indistinguishability if, when mapping formal messages into the computational model, equivalent formal messages are map ..."
Abstract

Cited by 45 (5 self)
 Add to MetaCart
(Show Context)
Abstract. Both the formal and the computational models of cryptography contain the notion of message equivalence or indistinguishability. An encryption scheme provides soundness for indistinguishability if, when mapping formal messages into the computational model, equivalent formal messages are mapped to indistinguishable computational distributions. Previous soundness results are limited in that they do not apply when keycycles are present. We demonstrate that an encryption scheme provides soundness in the presence of keycycles if it satisfies the recentlyintroduced notion of keydependent message (KDM) security. We also show that soundness in the presence of keycycles (and KDM security) neither implies nor is implied by security against chosen ciphertext attack (CCA2). Therefore, soundness for keycycles is possible using a new notion of computational security, not possible using previous such notions, and the relationship between the formal and computational models extends beyond chosenciphertext security. 1
A cryptographically sound security proof of the NeedhamSchroederLowe publickey protocol
 JOURNAL ON SELECTED AREAS IN COMMUN.
, 2004
"... We present a cryptographically sound security proof of the wellknown NeedhamSchroederLowe publickey protocol for entity authentication. This protocol was previously only proved over unfounded abstractions from cryptography. We show that it is secure against arbitrary active attacks if it is imp ..."
Abstract

Cited by 39 (15 self)
 Add to MetaCart
(Show Context)
We present a cryptographically sound security proof of the wellknown NeedhamSchroederLowe publickey protocol for entity authentication. This protocol was previously only proved over unfounded abstractions from cryptography. We show that it is secure against arbitrary active attacks if it is implemented using standard provably secure cryptographic primitives. Nevertheless, our proof does not have to deal with the probabilistic aspects of cryptography and is hence in the scope of current automated proof tools. We achieve this by exploiting a recently proposed DolevYaostyle cryptographic library with a provably secure cryptographic implementation. Besides establishing the cryptographic security of the NeedhamSchroederLowe protocol, our result exemplifies the potential of this cryptographic library and paves the way for the cryptographically sound verification of security protocols by automated proof tools.
Computational Soundness of Observational Equivalence
, 2008
"... Many security properties are naturally expressed as indistinguishability between two versions of a protocol. In this paper, we show that computational proofs of indistinguishability can be considerably simplified, for a class of processes that covers most existing protocols. More precisely, we show ..."
Abstract

Cited by 36 (9 self)
 Add to MetaCart
Many security properties are naturally expressed as indistinguishability between two versions of a protocol. In this paper, we show that computational proofs of indistinguishability can be considerably simplified, for a class of processes that covers most existing protocols. More precisely, we show a soundness theorem, following the line of research launched by Abadi and Rogaway in 2000: computational indistinguishability in presence of an active attacker is implied by the observational equivalence of the corresponding symbolic processes. We prove our result for symmetric encryption, but the same techniques can be applied to other security primitives such as signatures and publickey encryption. The proof requires the introduction of new concepts, which are general and can be reused in other settings.
Cryptographically Sound Theorem Proving
 In Proc. 19th IEEE CSFW
, 2006
"... We describe a faithful embedding of the DolevYao model of Backes, Pfitzmann, and Waidner (CCS 2003) in the theorem prover Isabelle/HOL. This model is cryptographically sound in the strong sense of reactive simulatability/UC, which essentially entails the preservation of arbitrary security proper ..."
Abstract

Cited by 33 (10 self)
 Add to MetaCart
(Show Context)
We describe a faithful embedding of the DolevYao model of Backes, Pfitzmann, and Waidner (CCS 2003) in the theorem prover Isabelle/HOL. This model is cryptographically sound in the strong sense of reactive simulatability/UC, which essentially entails the preservation of arbitrary security properties under active attacks and in arbitrary protocol environments. The main challenge in designing a practical formalization of this model is to cope with the complexity of providing such strong soundness guarantees. We reduce this complexity by abstracting the model into a sound, lightweight formalization that enables both concise property specifications and efficient application of our proof strategies and their supporting proof tools. This yields the first toolsupported framework for symbolically verifying security protocols that enjoys the strong cryptographic soundness guarantees provided by reactive simulatability/UC. As a proof of concept, we have proved the security of the NeedhamSchroederLowe protocol using our framework.
A cryptographically sound DolevYao style security proof of the OtwayRees protocol
 In Proc. 9th European Symposium on Research in Computer Security (ESORICS
, 2004
"... We present the first cryptographically sound DolevYaostyle security proof of a comprehensive electronic payment system. The payment system is a slightly simplified variant of the 3KP payment system and comprises a variety of different security requirements ranging from basic ones like the impossibi ..."
Abstract

Cited by 25 (10 self)
 Add to MetaCart
(Show Context)
We present the first cryptographically sound DolevYaostyle security proof of a comprehensive electronic payment system. The payment system is a slightly simplified variant of the 3KP payment system and comprises a variety of different security requirements ranging from basic ones like the impossibility of unauthorized payments to more sophisticated properties like disputability. We show that the payment system is secure against arbitrary active attacks, including arbitrary concurrent protocol runs and arbitrary manipulation of bitstrings within polynomial time if the protocol is implemented using provably secure cryptographic primitives. Although we achieve security under cryptographic definitions, our proof does not have to deal with probabilistic aspects of cryptography and is hence within the scope of current proof tools. The reason is that we exploit a recently proposed DolevYaostyle cryptographic library with a provably secure cryptographic implementation. Together with composition and preservation theorems of the underlying model, this allows us to perform the actual proof effort in a deterministic setting corresponding to a slightly extended DolevYao model. 1.