YAPA: A generic tool for computing intruder knowledge
2009
Cited by 16 (3 self)
Reasoning about the knowledge of an attacker is a necessary step in many formal analyses of security protocols. In the framework of the applied pi calculus, as in similar languages based on equational logics, knowledge is typically expressed by two relations: deducibility and static equivalence. Several decision procedures have been proposed for these relations under a variety of equational theories. However, each theory has its particular algorithm, and none has been implemented so far. We provide a generic procedure for deducibility and static equivalence that takes as input any convergent rewrite system. We show that our algorithm covers all the existing decision procedures for convergent theories. We also provide an efficient implementation, and compare it briefly with the more general tool ProVerif.
Limits of the Cryptographic Realization of Dolev-Yao-style XOR
Computer Security, Proceedings of ESORICS 2005, number 3679 in Lecture Notes in Computer Science, 2005
Cited by 16 (4 self)
The abstraction of cryptographic operations by term algebras, called Dolev-Yao models, is essential in almost all tool-supported methods for proving security protocols. Recently significant progress was made in proving that such abstractions can be sound with respect to actual cryptographic realizations and security definitions. The strongest results show this in the sense of reactive simulatability/UC, a notion that essentially means retention of arbitrary security properties under arbitrary active attacks and in arbitrary protocol environments, with only small changes to both abstractions and natural implementations.
Deciding knowledge in security protocols for monoidal equational theories
In Proc. of the Joint Workshop on Foundations of Computer Security and Automated Reasoning for Security Protocol Analysis (FCS-ARSPA'07), Wrocław, 2007
Cited by 14 (5 self)
In formal approaches, messages sent over a network are usually modeled by terms together with an equational theory, axiomatizing the properties of the cryptographic functions (encryption, exclusive or, ...). The analysis of cryptographic protocols requires a precise understanding of the attacker knowledge. Two standard notions are usually used: deducibility and indistinguishability. Only a few results have been obtained (in an ad hoc way) for equational theories with associative and commutative properties, especially in the case of static equivalence. The main contribution of this paper is to propose a general setting for solving deducibility and indistinguishability for an important class (called monoidal) of these theories. Our setting relies on the correspondence between a monoidal theory E and a semiring S_E which allows us to give an algebraic characterization of the deducibility and indistinguishability problems. As a consequence we recover easily existing decidability results and obtain several new ones.
Decidability and combination results for two notions of knowledge in security protocols
2010
Cited by 8 (1 self)
In formal approaches, messages sent over a network are usually modeled by terms together with an equational theory, axiomatizing the properties of the cryptographic functions (encryption, exclusive or, ...). The analysis of cryptographic protocols requires a precise understanding of the attacker knowledge. Two standard notions are usually considered: deducibility and indistinguishability. Those notions are well-studied and several decidability results already exist to deal with a variety of equational theories. Most of the existing results are dedicated to specific equational theories and only a few results, especially in the case of indistinguishability, have been obtained for equational theories with associative and commutative properties (AC). In this paper, we show that existing decidability results can be easily combined for any disjoint equational theories: if the deducibility and indistinguishability relations are decidable for two disjoint theories, they are also decidable for their union. We also propose a general setting for solving deducibility and indistinguishability for an important class (called monoidal) of equational theories involving AC operators. As a consequence of these two results, new decidability and complexity results can be obtained for many relevant equational theories.
Fully Automated Analysis of Padding-Based Encryption in the Computational Model
2013
Cited by 7 (3 self)
Computer-aided verification provides effective means of analyzing the security of cryptographic primitives. However, it has remained a challenge to achieve fully automated analyses yielding guarantees that hold against computational (rather than symbolic) attacks. This paper meets this challenge for public-key encryption schemes built from trapdoor permutations and hash functions. Using a novel combination of techniques from computational and symbolic cryptography, we present proof systems for analyzing the chosen-plaintext and chosen-ciphertext security of such schemes in the random oracle model. Building on these proof systems, we develop a toolset that bundles together fully automated proof and attack finding algorithms. We use this toolset to build a comprehensive database of encryption
Computational Soundness of Non-Malleable Commitments
Cited by 6 (0 self)
This paper aims to find a proper security notion for commitment schemes to give a sound computational interpretation of symbolic commitments. We introduce an indistinguishability-based security definition of commitment schemes that is equivalent to non-malleability with respect to commitment. Then, we give a construction using tag-based encryption and one-time signatures that is provably secure assuming the existence of trapdoor permutations. Finally, we apply this new machinery to give a sound interpretation of symbolic commitments in the Dolev-Yao model while considering active adversaries.
Computationally Complete Symbolic Attacker in Action
Cited by 6 (2 self)
We show that the recent technique of computationally complete symbolic attackers proposed by Bana and Comon-Lundh [6] for computationally sound verification of security protocols is powerful enough to verify actual protocols. In their work, Bana and Comon-Lundh presented only the general framework, but they did not introduce sufficiently many axioms to actually prove protocols. We present a set of axioms—some generic axioms that are computationally sound for all PPT algorithms, two specific axioms that are sound for CCA2 secure encryptions, and a further minimal parsing assumption for pairing—and illustrate the power of this technique by giving the first computationally sound verification (secrecy and authentication) via symbolic attackers of the NSL Protocol that does not need any further restrictive assumptions about the computational implementation. In other words, all implementations for which the axioms are sound—namely, implementations using CCA2 encryption, and satisfying the parsing requirement for pairing—exclude the possibility of successful computational attacks. Furthermore, the axioms are entirely modular and not particular to the NSL protocol (except for the parsing assumption without which there is an attack).
Adaptive soundness of static equivalence
In Proc. 12th European Symposium on Research in Computer Security (ESORICS'07), volume 4734 of LNCS, 2007
Cited by 6 (3 self)
We define a framework to reason about implementations of equational theories in the presence of an adaptive adversary. We particularly focus on soundness of static equivalence. We illustrate our framework on several equational theories: symmetric encryption, XOR, modular exponentiation and also joint theories of encryption and modular exponentiation. This last example relies on a combination result for reusing proofs for the separate theories. Finally, we define a model for symbolic analysis of dynamic group key exchange protocols, and show its computational soundness.
Reducing Equational Theories for the Decision of Static Equivalence
Cited by 5 (0 self)
Static equivalence is a well-established notion of indistinguishability of sequences of terms which is useful in the symbolic analysis of cryptographic protocols. Static equivalence modulo equational theories allows a more accurate representation of cryptographic primitives by modelling properties of operators by equational axioms. We develop a method that, in some cases, simplifies the task of deciding static equivalence in a multisorted setting, by removing a symbol from the term signature and reducing the problem to several simpler equational theories. We illustrate our technique on bilinear pairings.
Inductive proofs of computational secrecy
In ESORICS, 2007
Cited by 5 (1 self)
Secrecy properties of network protocols assert that no probabilistic polynomial-time distinguisher can win a suitable game presented by a challenger. Because such properties are not determined by trace-by-trace behavior of the protocol, we establish a trace-based protocol condition, suitable for inductive proofs, that guarantees a generic reduction from protocol attacks to attacks on underlying primitives. We use this condition to present a compositional inductive proof system for secrecy, and illustrate the system by giving a modular, formal proof of computational authentication and secrecy properties of Kerberos V5.