Results 11-20 of 46
Preservation of epistemic properties in security protocol implementations
In Proc. Conf. on Theoretical Aspects of Rationality and Knowledge, 2007
Abstract

Cited by 8 (1 self)
We introduce (i) a general class of security protocols with private channel as cryptographic primitive and (ii) a probabilistic epistemic logic to express properties of security protocols. Our main theorem says that when a property expressed in our logic holds for an ideal protocol (where “ideal” means that the private channel hides everything), then it also holds when the private channel is implemented using an encryption scheme that guarantees perfect secrecy (in the sense of Shannon). Our class of protocols contains, for instance, an oblivious transfer protocol by Rivest and Chaum’s solution to the dining cryptographers problem. In our logic we can express fundamental security properties of these protocols. The proof of the main theorem is based on a notion of refinement for probabilistic Kripke structures.
On simulatability soundness and mapping soundness of symbolic cryptography. IACR Cryptology ePrint Archive 2007/233, 2007
Abstract

Cited by 8 (1 self)
Abstract. The abstraction of cryptographic operations by term algebras, called Dolev-Yao models or symbolic cryptography, is essential in almost all tool-supported methods for proving security protocols. Recently significant progress was made – using two conceptually different approaches – in proving that Dolev-Yao models can be sound with respect to actual cryptographic realizations and security definitions. One such approach is grounded on the notion of simulatability, which constitutes a salient technique of Modern Cryptography with a longstanding history for a variety of different tasks. The other approach strives for the so-called mapping soundness – a more recent technique that is tailored to the soundness of specific security properties in Dolev-Yao models, and that can be established using more compact proofs. Typically, both notions of soundness for similar Dolev-Yao models are established separately in independent papers. This paper relates the two approaches for the first time. Our main result is that simulatability soundness entails mapping soundness provided that both approaches use the same cryptographic implementation. Hence, future research may well concentrate on simulatability soundness whenever applicable, and resort to mapping soundness in those cases where simulatability soundness constitutes too strong a notion.
Computational secrecy by typing for the pi-calculus
In Proc. ASIAN Symp. on Programming Languages and Systems, 2006
Abstract

Cited by 6 (0 self)
Abstract. We define and study a distributed cryptographic implementation for an asynchronous pi calculus. At the source level, we adapt simple type systems designed for establishing formal secrecy properties. We show that those secrecy properties have counterparts in the implementation, not formally but at the level of bitstrings, and with respect to probabilistic polynomial-time active adversaries. We rely on compilation to a typed intermediate language with a fixed scheduling strategy. While we exploit interesting, previous theorems for that intermediate language, our result appears to be the first computational soundness theorem for a standard process calculus with mobile channels.
Inductive proofs of computational secrecy
In ESORICS, 2007
Abstract

Cited by 5 (1 self)
Abstract. Secrecy properties of network protocols assert that no probabilistic polynomial-time distinguisher can win a suitable game presented by a challenger. Because such properties are not determined by trace-by-trace behavior of the protocol, we establish a trace-based protocol condition, suitable for inductive proofs, that guarantees a generic reduction from protocol attacks to attacks on underlying primitives. We use this condition to present a compositional inductive proof system for secrecy, and illustrate the system by giving a modular, formal proof of computational authentication and secrecy properties of Kerberos V5.
Cryptographically-sound protocol-model abstractions
CSF, 2008
Abstract

Cited by 5 (0 self)
We present a formal theory for cryptographically-sound theorem proving. Our starting point is the Backes-Pfitzmann-Waidner (BPW) model, which is a symbolic protocol model that is cryptographically sound in the sense of black-box reactive simulatability. To achieve cryptographic soundness, this model is substantially more complex than standard symbolic models and the main challenge in formalizing and using this model is overcoming this complexity. We present a series of cryptographically-sound abstractions of the original BPW model that bring it much closer to standard Dolev-Yao style models. We present a case study showing that our abstractions enable proofs of complexity comparable to those based on more standard models. Our entire development has been formalized in Isabelle/HOL.
Adversaries and Information Leaks (Tutorial)
Abstract

Cited by 5 (1 self)
Abstract. Secure information flow analysis aims to prevent programs from leaking their H (high) inputs to their L (low) outputs. A major challenge in this area is to relax the standard noninterference properties to allow “small” leaks, while still preserving security. In this tutorial paper, we consider three instances of this theme. First, we consider a type system that enforces the usual Denning restrictions, except that it specifies that encrypting a H plaintext yields a L ciphertext. We argue that this type system ensures security, assuming strong encryption, by giving a reduction that maps a noninterference adversary (which tries to guess which of two H inputs was used, given the L outputs) to an IND-CPA adversary (which tries to guess which of two plaintexts are encrypted, given the ciphertext). Second, we explore termination leaks in probabilistic programs when typed under the Denning restrictions. Using a notion of probabilistic simulation, we show that such programs satisfy an approximate noninterference property, provided that their probability of nontermination is small. Third, we consider quantitative information flow, which aims to measure the amount of information leaked. We argue that the common information-theoretic measures in the literature are unsuitable, because these measures fail to distinguish between programs that are wildly different from the point of view of an adversary trying to guess the H input.
Auraconf: a unified approach to authorization and confidentiality
In Proceedings of the 7th ACM SIGPLAN workshop on Types in language design and implementation, TLDI ’11, 2011
Abstract

Cited by 4 (0 self)
This paper introduces AuraConf, the first programming language with a unified means to specify access-control and confidentiality policies. In concert with a proof-carrying access control mechanism, AuraConf allows confidentiality policies to be specified declaratively using types and enforced via cryptography. Programs written in AuraConf enjoy a formal security guarantee via noninterference. Additionally, the language definition introduces a novel type system where the typechecker may use resources (i.e., private keys) and knowledge of an object’s provenance (i.e., how a ciphertext was computed) to guide analysis.
Automatic verification of cryptographic protocols: formal model and computational model, 2008
Call by contract for cryptographic protocol
In FCS-ARSPA, 2006
Abstract

Cited by 4 (4 self)
Abstract. Call by contract is a way to specify and use interchangeable services in secure protocols, so that protocols and services can be independently designed and verified. A selection algorithm is given to test whether a candidate service is uniformly selectable. To facilitate independent security verification of the calling protocol and its services, contracts and requests also provide an NDA (Non-Disclosure Agreement). Informally, NDAs are confidentiality constraints on parameters.