Refinement types for secure implementations
In 21st IEEE Computer Security Foundations Symposium (CSF'08), 2008
We present the design and implementation of a typechecker for verifying security properties of the source code of cryptographic protocols and access control mechanisms. The underlying type theory is a λ-calculus equipped with refinement types for expressing pre- and postconditions within first-order logic. We derive formal cryptographic primitives and represent active adversaries within the type theory. Well-typed programs enjoy assertion-based security properties, with respect to a realistic threat model including key compromise. The implementation amounts to an enhanced typechecker for the general purpose functional language F#; typechecking generates verification conditions that are passed to an SMT solver. We describe a series of checked examples. This is the first tool to verify authentication properties of cryptographic protocols by typechecking their source code.
Verified interoperable implementations of security protocols
We present an architecture and tools for verifying implementations of security protocols. Our implementations can run with both concrete and symbolic implementations of cryptographic algorithms. The concrete implementation is for production and interoperability testing. The symbolic implementation is for debugging and formal verification. We develop our approach for protocols written in F#, a dialect of ML, and verify them by compilation to ProVerif, a resolution-based theorem prover for cryptographic protocols. We establish the correctness of this compilation scheme, and we illustrate our approach with protocols for Web Services security.
Categories and Subject Descriptors: F.3.2 [Theory of Computation]: Logics and meanings of programs—
Deciding security of protocols against offline guessing attacks
In Proc. 12th ACM Conference on Computer and Communications Security (CCS'05), 2005
We provide an effective procedure for deciding the existence of offline guessing attacks on security protocols, for a bounded number of sessions. The procedure consists of a constraint-solving algorithm for determining satisfiability and equivalence of a class of second-order E-unification problems, where the equational theory E is presented by a convergent subterm rewriting system. To the best of our knowledge, this is the first decidability result to use the generic definition of offline guessing attacks due to Corin et al. based on static equivalence in the applied pi calculus.
Guessing attacks and the computational soundness of static equivalence
In Proc. 9th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS'06), volume 3921 of LNCS, 2006
Zero-knowledge in the applied pi-calculus and automated verification of the direct anonymous attestation protocol
In: IEEE Symposium on Security and Privacy (SP 08). (2008) 202–215. Preprint on IACR ePrint 2007/289, 2007
We devise an abstraction of zero-knowledge protocols that is accessible to a fully mechanized analysis. The abstraction is formalized within the applied pi-calculus using a novel equational theory that abstractly characterizes the cryptographic semantics of zero-knowledge proofs. We present an encoding from the equational theory into a convergent rewriting system that is suitable for the automated protocol verifier ProVerif. The encoding is sound and fully automated. We successfully used ProVerif to obtain the first mechanized analysis of the Direct Anonymous Attestation (DAA) protocol. This required us to devise novel abstractions of sophisticated cryptographic security definitions based on interactive games. The analysis reported a novel attack on DAA that was overlooked in its existing cryptographic security proof. We propose a revised variant of DAA that we successfully prove secure using ProVerif.
Computational Soundness of Observational Equivalence
2008
Many security properties are naturally expressed as indistinguishability between two versions of a protocol. In this paper, we show that computational proofs of indistinguishability can be considerably simplified, for a class of processes that covers most existing protocols. More precisely, we show a soundness theorem, following the line of research launched by Abadi and Rogaway in 2000: computational indistinguishability in presence of an active attacker is implied by the observational equivalence of the corresponding symbolic processes. We prove our result for symmetric encryption, but the same techniques can be applied to other security primitives such as signatures and public-key encryption. The proof requires the introduction of new concepts, which are general and can be reused in other settings.
Attacking and fixing Helios: An analysis of ballot secrecy
2010
Helios 2.0 is an open-source web-based end-to-end verifiable electronic voting system, suitable for use in low-coercion environments. In this paper, we analyse ballot secrecy and discover a vulnerability which allows an adversary to compromise the privacy of voters. This vulnerability has been successfully exploited to break privacy in a mock election using the current Helios implementation. Moreover, the feasibility of an attack is considered in the context of French legislative elections and, based upon our findings, we believe it constitutes a real threat to ballot secrecy in such settings. Finally, we present a fix and show that our solution satisfies a formal definition of ballot secrecy using the applied pi calculus.
A logic for constraint-based security protocol analysis
In IEEE Symposium on Security and Privacy, 2006
We propose PS-LTL, a pure-past security linear temporal logic that allows the specification of a variety of authentication, secrecy and data freshness properties. Furthermore, we present a sound and complete decision procedure to establish the validity of security properties for symbolic execution traces, and show the integration with constraint-based analysis techniques.
Symbolic bisimulation for the applied pi-calculus
In Proc. 27th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'07), volume 4855 of Lecture Notes in Computer Science, 2007
We propose a symbolic semantics for the finite applied pi calculus. The applied pi calculus is a variant of the pi calculus with extensions for modelling cryptographic protocols. By treating inputs symbolically, our semantics avoids potentially infinite branching of execution trees due to inputs from the environment. Correctness is maintained by associating with each process a set of constraints on terms. We define a symbolic labelled bisimulation relation, which is shown to be sound but not complete with respect to standard bisimulation. We explore the lack of completeness and demonstrate that the symbolic bisimulation relation is sufficient for many practical examples. This work is an important step towards automation of observational equivalence for the finite applied pi calculus, e.g. for verification of anonymity or strong secrecy properties.
Trace equivalence decision: Negative tests and non-determinism
In: CCS'11, 2011
We consider security properties of cryptographic protocols that can be modeled using the notion of trace equivalence. The notion of equivalence is crucial when specifying privacy-type properties, like anonymity, vote-privacy, and unlinkability. In this paper, we give a calculus that is close to the applied pi calculus and that allows one to capture most existing protocols that rely on classical cryptographic primitives. First, we propose a symbolic semantics for our calculus relying on constraint systems to represent infinite sets of possible traces, and we reduce the decidability of trace equivalence to deciding a notion of symbolic equivalence between sets of constraint systems. Second, we develop an algorithm allowing us to decide whether two sets of constraint systems are in symbolic equivalence or not. Altogether, this yields the first decidability result of trace equivalence for a general class of processes that may involve else branches and/or private channels (for a bounded number of sessions).