Computational and information-theoretic soundness and completeness of formal encryption
In Proceedings of the 18th IEEE Computer Security Foundations Workshop (CSFW), 2005
Abstract

Cited by 24 (7 self)
We consider expansions of the Abadi-Rogaway logic of indistinguishability of formal cryptographic expressions. We expand the logic in order to cover cases when partial information of the encrypted plaintext is revealed. We consider not only computational, but also purely probabilistic, information-theoretic interpretations. We present a general, systematic treatment of the expansions of the logic for symmetric encryption. We establish general soundness and completeness theorems for the interpretations. We also present applications to specific settings not covered in earlier works: a purely probabilistic one based on One-Time Pad, and computational settings of the so-called type-2 (which-key revealing) and type-3 (which-key and length revealing) encryption schemes based on computational complexity.
Computationally sound verification of source code
2010
Abstract

Cited by 22 (7 self)
Increasing attention has recently been given to the formal verification of the source code of cryptographic protocols. The standard approach is to use symbolic abstractions of cryptography that make the analysis amenable to automation. This leaves the possibility of attacks that exploit the mathematical properties of the cryptographic algorithms themselves. In this paper, we show how to conduct the protocol analysis on the source code level (F# in our case) in a computationally sound way, i.e., taking into account cryptographic security definitions. We build upon the prominent F7 verification framework (Bengtson et al., CSF 2008) which comprises a security type-checker for F# protocol implementations using symbolic idealizations and the concurrent lambda calculus RCF to model a core fragment of F#. To leverage this prior work, we give conditions under which symbolic security of RCF programs using cryptographic idealizations implies computational security of the same programs using cryptographic algorithms. Combined with F7, this yields a computationally sound, automated verification of F# code containing public-key encryptions and signatures. For the actual computational soundness proof, we use the CoSP framework (Backes, Hofheinz, and Unruh, CCS 2009). We thus inherit the modularity of CoSP, which allows for easily extending our proof to other cryptographic primitives.
A closer look at PKI: Security and efficiency
In Proceedings of PKC ’07, LNCS series, 2007
Abstract

Cited by 21 (2 self)
In this paper we take a closer look at the security and efficiency of public-key encryption and signature schemes in public-key infrastructures (PKI). Unlike traditional analyses which assume an “ideal” implementation of the PKI, we focus on the security of joint constructions that consider the certification authority (CA) and the users, and include a key-registration protocol and the algorithms of an encryption or a signature scheme. We therefore consider significantly broader adversarial capabilities. Our analysis clarifies and validates several crucial aspects such as the amount of trust put in the CA, the necessity and specifics of proofs of possession of secret keys, and the security of the basic primitives in this more complex setting. We also provide constructions for encryption and signature schemes that provably satisfy our strong security definitions and are more efficient than the corresponding traditional constructions that assume a digital certificate issued by the CA must be verified whenever a public key is used. Our results address some important aspects for the design and standardization of PKIs, as targeted for example in the standards project ANSI X9.109.
Computationally sound secrecy proofs by mechanized flow analysis
In Proc. 13th CCS, 2006
Abstract

Cited by 19 (4 self)
A large body of work exists for machine-assisted analysis of cryptographic protocols in the formal (Dolev-Yao) model, i.e., by abstracting cryptographic operators as a free algebra. In particular, proving secrecy by typing has shown to be a salient technique as it allowed for elegant and fully automated proofs, often
A Computational Interpretation of Dolev-Yao Adversaries
In Proc. of 3rd Int. Workshop on Issues in the Theory of Security (WITS’03), 2003
Abstract

Cited by 17 (1 self)
The Dolev-Yao model is a simple and useful framework in which to analyze security protocols, but it assumes an extremely limited adversary. It is unclear if the results of this model would remain valid were the adversary to be given additional power. In this work, we show that there exist situations in which the Dolev-Yao adversary can be viewed as a valid abstraction of all realistic adversaries. We do this in two steps: 1. We translate the allowed behaviors of the Dolev-Yao adversary into the computational model, an alternate framework with a very powerful adversary.
Cryptographically Sound Security Proofs for Basic And Public-Key Kerberos
Proc. 11th European Symp. on Research in Comp. Sec., 2006
Abstract

Cited by 17 (4 self)
We present a computational analysis of basic Kerberos with and without its public-key extension PKINIT in which we consider authentication and key secrecy properties. Our proofs rely on the Dolev-Yao-style model of Backes, Pfitzmann, and Waidner, which allows for mapping results obtained symbolically within this model to cryptographically sound proofs if certain assumptions are met. This work was the first verification at the computational level of such a complex fragment of an industrial protocol. By considering a recently fixed version of PKINIT, we extend symbolic correctness results we previously attained in the Dolev-Yao model to cryptographically sound results in the computational model.
Unifying Simulatability Definitions in Cryptographic Systems under Different Timing Assumptions
Concurrency Theory, Proceedings of CONCUR 2003, 2003
Abstract

Cited by 9 (3 self)
The cryptographic concept of simulatability has become a salient technique for faithfully analyzing and proving security properties of arbitrary cryptographic protocols. We investigate the relationship between simulatability in synchronous and asynchronous frameworks by means of the formal models of Pfitzmann et al., which are seminal in using this concept in order to bridge the gap between the formal-methods and the cryptographic community. We show that the synchronous model can be seen as a special case of the asynchronous one with respect to simulatability, i.e., we present an embedding between both models that we show to preserve simulatability.
Soundness and Completeness of Formal Logics of Symmetric Encryption
2005
Abstract

Cited by 9 (2 self)
In the last two decades, two major directions in cryptography have developed: formal and computational. The formal approach uses simple, manageable formal languages to describe cryptographic protocols; this approach is amenable to automatization, suitable for computer tools, but its accuracy is often unclear. The computational approach is harder to handle mathematically, involves probability theory and considers limits in computing power; proofs are done by hand, but it is more accurate, hence widely accepted. Much effort
On the Cryptographic Key Secrecy of the Strengthened Yahalom Protocol
Proceedings of IFIP SEC 2006, 2006
Abstract

Cited by 8 (1 self)
Symbolic secrecy of exchanged keys is arguably one of the most important notions of secrecy shown with automated proof tools. It means that an adversary restricted to symbolic operations on terms can never get the entire key into its knowledge set. Cryptographic key secrecy essentially means computational indistinguishability between the real key and a random one, given the view of a much more general adversary. We analyze the cryptographic key secrecy for the strengthened Yahalom protocol, which constitutes one of the most prominent key exchange protocols analyzed symbolically by means of automated proof tools. We show that the strengthened Yahalom protocol does not guarantee cryptographic key secrecy. We further show that cryptographic key secrecy can be proven for a slight simplification of the protocol by exploiting recent results on linking symbolic and cryptographic key secrecy in order to perform a symbolic proof of secrecy for the simplified Yahalom protocol in a specific setting that allows us to derive the desired cryptographic key secrecy from the symbolic proof. The proof holds in the presence of arbitrary active attacks provided that the protocol is relying on standard provably secure cryptographic primitives.
Composability and On-Line Deniability of Authentication
Abstract

Cited by 8 (1 self)
Protocols for deniable authentication achieve seemingly paradoxical guarantees: upon completion of the protocol the receiver is convinced that the sender authenticated the message, but neither party can convince anyone else that the other party took part in the protocol. We introduce and study on-line deniability, where deniability should hold even when one of the parties colludes with a third party during execution of the protocol. This turns out to generalize several realistic scenarios that are outside the scope of previous models. We show that a protocol achieves our definition of on-line deniability if and only if it realizes the message authentication functionality in the generalized universal composability framework; any protocol satisfying our definition thus automatically inherits strong composability guarantees. Unfortunately, we show that our definition is impossible to realize in the PKI model if adaptive corruptions are allowed (even if secure erasure is assumed). On the other hand, we show feasibility with respect to static corruptions (giving the first separation in terms of feasibility between the static and adaptive setting), and show how to realize a relaxation termed deniability with incriminating abort under adaptive corruptions.