Results 1-10 of 113
Soundness of formal encryption in the presence of active adversaries
In Proc. 1st Theory of Cryptography Conference (TCC), volume 2951 of LNCS, 2004
Cited by 97 (11 self)
Abstract. We present a general method to prove security properties of cryptographic protocols against active adversaries, when the messages exchanged by the honest parties are arbitrary expressions built using encryption and concatenation operations. The method allows one to express security properties and carry out proofs using a simple logic-based language, where messages are represented by syntactic expressions, and does not require dealing with probability distributions or asymptotic notation explicitly. Still, we show that the method is sound, meaning that logic statements can be naturally interpreted in the computational setting in such a way that if a statement holds true for any abstract (symbolic) execution of the protocol in the presence of a Dolev-Yao adversary, then its computational interpretation is also correct in the standard computational model where the adversary is an arbitrary probabilistic polynomial time program. This is the first paper providing a simple framework for translating security proofs from the logic setting to the standard computational setting for the case of powerful active adversaries that have total control of the communication network.
Anonymity and Information Hiding in Multiagent Systems
, 2003
Cited by 94 (3 self)
We provide a framework for reasoning about information-hiding requirements in multiagent systems and for reasoning about anonymity in particular. Our framework employs the modal logic of knowledge within the context of the runs and systems framework, much in the spirit of our earlier work on secrecy [9]. We give several definitions of anonymity with respect to agents, actions, and observers in multiagent systems, and we relate our definitions of anonymity to other definitions of information hiding, such as secrecy. We also give probabilistic definitions of anonymity that are able to quantify an observer's uncertainty about the state of the system. Finally, we relate our definitions of anonymity to other formalizations of anonymity and information hiding, including definitions of anonymity in the process algebra CSP and definitions of information hiding using function views.
A Compositional Logic for Proving Security Properties of Protocols
Journal of Computer Security, 2002
Cited by 62 (15 self)
We present a logic for proving security properties of protocols that use nonces (randomly generated numbers that uniquely identify a protocol session) and public-key cryptography. The logic, designed around a process calculus with actions for each possible protocol step, consists of axioms about protocol actions and inference rules that yield assertions about protocols composed of multiple steps. Although assertions are written using only steps of the protocol, the logic is sound in a stronger sense: each provable assertion about an action or sequence of actions holds in any run of the protocol that contains the given actions and arbitrary additional actions by a malicious attacker. This approach lets us prove security properties of protocols under attack while reasoning only about the sequence of actions taken by honest parties to the protocol. The main security-specific parts of the proof system are rules for reasoning about the set of messages that could reveal secret data and an invariant rule called the "honesty rule."
A Security Analysis of the Cliques Protocols Suites
, 2001
Cited by 59 (5 self)
Secure group protocols are not easy to design: this paper will show new attacks found against a protocol suite for sharing a key. The method we propose to analyse these protocols is very systematic, and can be applied to numerous protocols of this type. The A-GDH.2 protocol suite analysed throughout this paper is part of the Cliques suites that propose extensions of the Diffie-Hellman key exchange protocol to a group setting. The A-GDH.2 main protocol is intended to allow a group to share an authenticated key while the other protocols of the suite allow to perform dynamic changes in the group constitution (adding and deleting members, fusion of groups, ...). We are proposing an original method to analyse these protocols and are presenting a number of unpublished flaws with respect to each of the main security properties claimed in the protocol definition (key authentication, perfect forward secrecy, resistance to known-key attacks). Most of these flaws arise from the fact that using a group setting does not allow one to reason about security properties in the same way as when only two (or three) parties are concerned. Our method has been easily applied to other Cliques protocols and allowed us to pinpoint similar flaws.
Symmetric Encryption in Automatic Analyses for Confidentiality against Active Adversaries
, 2004
Cited by 57 (3 self)
In this article we present a technique for static analysis, correct with respect to complexity-theoretic definitions of security, of cryptographic protocols for checking whether these protocols satisfy confidentiality properties. The approach is similar to Abadi and Rogaway: we define patterns for cryptographic protocols (they did it for formal expressions), such that the protocol is secure iff the patterns are. We then statically analyse the patterns; they should be easier to analyse than the protocols themselves. We consider symmetric encryption as the cryptographic primitive in protocols. Handling this primitive has so far received comparatively less attention in approaches striving to unite the formal and computational models of cryptography.
A framework for security analysis of mobile wireless networks
Theoretical Computer Science, 2006
Cited by 54 (2 self)
We present a framework for specification and security analysis of communication protocols for mobile wireless networks. This setting introduces new challenges which are not being addressed by classical protocol analysis techniques. The main complication stems from the fact that the actions of intermediate nodes and their connectivity can no longer be abstracted into a single unstructured adversarial environment, as they form an inherent part of the system's security. In order to model this scenario faithfully, we present a broadcast calculus which makes a clear distinction between the protocol processes and the network's connectivity graph, which may change independently from protocol actions. We identify a property characterising an important aspect of security in this setting and express it using behavioural equivalences of the calculus. We complement this approach with a control flow analysis which enables us to automatically check this property on a given network and attacker specification.
New Decidability Results for Fragments of First-Order Logic and Application to Cryptographic Protocols
, 2003
Cited by 54 (18 self)
We consider a new extension of the Skolem class for first-order logic and prove its decidability by resolution techniques. We then extend this class, including the built-in equational theory of exclusive or. Again, we prove the decidability of the class by resolution techniques.
Authentication Tests and the Structure of Bundles
Theoretical Computer Science, 2002
Cited by 54 (19 self)
Suppose a principal in a cryptographic protocol creates and transmits a message containing a new value v, later receiving v back in a different cryptographic context. It can conclude that some principal possessing the relevant key has received and transformed the message in which v was emitted. In some circumstances, this principal must be a regular participant of the protocol, not the penetrator. An inference of this kind is an authentication test. We introduce two main kinds of authentication test. An outgoing test is one in which the new value v is transmitted in encrypted form, and only a regular participant can extract it from that form. An incoming test is one in which v is received back in encrypted form, and only a regular participant can put it in that form. We combine these two tests with a supplementary idea, the unsolicited test, and a related method for checking that keys remain secret. Together, these techniques determine what authentication properties are achieved by a wide range of cryptographic protocols. In this paper we introduce authentication tests and prove their soundness. We illustrate their power by giving new and straightforward proofs of security goals for several protocols. We also illustrate how to use the authentication tests as a heuristic for finding attacks against incorrect protocols. Finally, we suggest a protocol design process. We express these ideas in the strand space formalism [Thayer, Herzog, and Guttman (1999b, Journal of Computer Security, 7, 191-230)], which provides a convenient context to prove them correct.
A Semantics for Web Services Authentication
, 2004
Cited by 49 (11 self)
We consider the problem of specifying and verifying cryptographic security protocols for XML web services. The security specification WS-Security describes a range of XML security tokens, such as username tokens, public-key certificates, and digital signature blocks, amounting to a flexible vocabulary for expressing protocols. To describe the syntax of these tokens, we extend the usual XML data model with symbolic representations of cryptographic values. We use predicates on this data model to describe the semantics of security tokens and of sample protocols distributed with the Microsoft WSE implementation of WS-Security. By embedding our data model within Abadi and Fournet's applied pi calculus, we formulate and prove security properties with respect to the standard Dolev-Yao threat model. Moreover, we informally discuss issues not addressed by the formal model. To the best of our knowledge, this is the first approach to the specification and verification of security protocols based on a faithful account of the XML wire format.
A Rewriting-Based Inference System for the NRL Protocol Analyzer and its Meta-Logical Properties
, 2005
Cited by 41 (20 self)
The NRL Protocol Analyzer (NPA) is a tool for the formal specification and analysis of cryptographic protocols that has been used with great effect on a number of complex real-life protocols. One of the most interesting of its features is that it can be used to reason about security in the face of attempted attacks on low-level algebraic properties of the functions used in a protocol. Indeed, it has been used successfully to either reproduce or discover a number of such attacks. In this paper we give for the first time a precise formal specification of the main features of the NPA inference system: its grammar-based techniques for invariant generation and its backwards reachability analysis method. This formal specification is given within the well-known rewriting framework, so that the inference system is specified as a set of rewrite rules modulo an equational theory describing the behavior of the cryptographic algorithms involved. We then use this formalization to prove some important meta-logical properties about the NPA inference system, including the soundness and completeness of the search algorithm and soundness of the grammar generation algorithm. The formalization and the soundness and completeness theorems not only provide a better understanding of the NPA as it currently operates, but also provide a modular basis which can be used as a starting point for increasing the types of equational theories it can handle.