Results 1-10 of 109
Formal certification of code-based cryptographic proofs
4th Workshop on Formal and Computational Cryptography (FCC), 2008
Cited by 84 (25 self)

Abstract
As cryptographic proofs have become essentially unverifiable, cryptographers have argued in favor of developing techniques that help tame the complexity of their proofs. Game-based techniques provide a popular approach in which proofs are structured as sequences of games, and in which proof steps establish the validity of transitions between successive games. Code-based techniques form an instance of this approach that takes a code-centric view of games, and that relies on programming language theory to justify proof steps. While code-based techniques contribute to formalize the security statements precisely and to carry out proofs systematically, typical proofs are so long and involved that formal verification is necessary to achieve a high degree of confidence. We present CertiCrypt, a framework that enables the machine-checked construction and verification of code-based proofs. CertiCrypt is built upon the general-purpose proof assistant Coq, and draws on many areas, including probability, complexity, algebra, and semantics of programming languages. CertiCrypt provides certified tools to reason about the equivalence of probabilistic programs, including a relational Hoare logic, a theory of observational equivalence, verified program transformations, and game-based techniques such as reasoning about failure events. The usefulness of CertiCrypt is demonstrated through classical examples, including a proof of semantic security of OAEP (with a bound that improves upon [9]), and a proof of existential unforgeability of FDH signatures. Our work provides a first yet significant step towards Halevi’s ambitious programme [21] of providing tool support for cryptographic proofs.
Deciding security of protocols against offline guessing attacks
In Proc. 12th ACM Conference on Computer and Communications Security (CCS’05), 2005
Cited by 72 (4 self)

Abstract
We provide an effective procedure for deciding the existence of offline guessing attacks on security protocols, for a bounded number of sessions. The procedure consists of a constraint solving algorithm for determining satisfiability and equivalence of a class of second-order E-unification problems, where the equational theory E is presented by a convergent subterm rewriting system. To the best of our knowledge, this is the first decidability result to use the generic definition of offline guessing attacks due to Corin et al. based on static equivalence in the applied pi calculus.
Opacity generalised to transition systems
In Revised Selected Papers of the 3rd International Workshop on Formal Aspects in Security and Trust (FAST’05), Newcastle upon, 2005
Cited by 69 (7 self)

Abstract
Recently, opacity has proved to be a promising technique for describing security properties. Much of the work has been couched in terms of Petri nets. Here, we extend the notion of opacity to the model of labelled transition systems and generalise opacity in order to better represent concepts from the work on information flow. In particular, we establish links between opacity and the information flow concepts of anonymity and non-interference such as non-inference. We also investigate ways of verifying opacity when working with Petri nets. Our work is illustrated by an example modelling requirements upon a simple voting system.
A survey of algebraic properties used in cryptographic protocols
Journal of Computer Security
Cited by 69 (20 self)

Abstract
Cryptographic protocols are successfully analyzed using formal methods. However, formal approaches usually consider the encryption schemes as black boxes and assume that an adversary cannot learn anything from an encrypted message except if he has the key. Such an assumption is too strong in general since some attacks exploit in a clever way the interaction between protocol rules and properties of cryptographic operators. Moreover, the executability of some protocols relies explicitly on some algebraic properties of cryptographic primitives such as commutative encryption. We give a list of some relevant algebraic properties of cryptographic operators, and for each of them, we provide examples of protocols or attacks using these properties. We also give an overview of the existing methods in formal approaches for analyzing cryptographic proto
Computationally sound implementations of equational theories against passive adversaries
, 2008
Cited by 59 (14 self)

Abstract
In this paper we study the link between formal and cryptographic models for security protocols in the presence of passive adversaries. In contrast to other works, we do not consider a fixed set of primitives but aim at results for arbitrary equational theories. We define a framework for comparing a cryptographic implementation and its idealization with respect to various security notions. In particular, we concentrate on the computational soundness of static equivalence, a standard tool in cryptographic pi calculi. We present a soundness criterion, which for many theories is not only sufficient but also necessary. Finally, to illustrate our framework, we establish the soundness of static equivalence for the exclusive OR and a theory of ciphers and lists.
Guessing attacks and the computational soundness of static equivalence
In Proc. 9th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS’06), volume 3921 of LNCS, 2006
Computational Soundness of Observational Equivalence
, 2008
Cited by 36 (9 self)

Abstract
Many security properties are naturally expressed as indistinguishability between two versions of a protocol. In this paper, we show that computational proofs of indistinguishability can be considerably simplified, for a class of processes that covers most existing protocols. More precisely, we show a soundness theorem, following the line of research launched by Abadi and Rogaway in 2000: computational indistinguishability in presence of an active attacker is implied by the observational equivalence of the corresponding symbolic processes. We prove our result for symmetric encryption, but the same techniques can be applied to other security primitives such as signatures and public-key encryption. The proof requires the introduction of new concepts, which are general and can be reused in other settings.
Maude-NPA: Cryptographic protocol analysis modulo equational properties
Lecture Notes in Computer Science, 2007
Cited by 29 (7 self)

Abstract
In this tutorial, we give an overview of the Maude-NRL Protocol Analyzer (Maude-NPA), a tool for the analysis of cryptographic protocols using functions that obey different equational theories. We show the reader how to use Maude-NPA, and how it works, and also give some of the theoretical background behind the tool.
Symbolic bisimulation for the applied pi-calculus
In Proc. 27th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS’07), volume 4855 of Lecture Notes in Computer Science, 2007
Cited by 26 (8 self)

Abstract
We propose a symbolic semantics for the finite applied pi calculus. The applied pi calculus is a variant of the pi calculus with extensions for modelling cryptographic protocols. By treating inputs symbolically, our semantics avoids potentially infinite branching of execution trees due to inputs from the environment. Correctness is maintained by associating with each process a set of constraints on terms. We define a symbolic labelled bisimulation relation, which is shown to be sound but not complete with respect to standard bisimulation. We explore the lack of completeness and demonstrate that the symbolic bisimulation relation is sufficient for many practical examples. This work is an important step towards automation of observational equivalence for the finite applied pi calculus, e.g. for verification of anonymity or strong secrecy properties.
Trace equivalence decision: Negative tests and non-determinism
In: CCS’11, 2011
Cited by 25 (9 self)

Abstract
We consider security properties of cryptographic protocols that can be modeled using the notion of trace equivalence. The notion of equivalence is crucial when specifying privacy-type properties, like anonymity, vote-privacy, and unlinkability. In this paper, we give a calculus that is close to the applied pi calculus and that allows one to capture most existing protocols that rely on classical cryptographic primitives. First, we propose a symbolic semantics for our calculus relying on constraint systems to represent infinite sets of possible traces, and we reduce the decidability of trace equivalence to deciding a notion of symbolic equivalence between sets of constraint systems. Second, we develop an algorithm allowing us to decide whether two sets of constraint systems are in symbolic equivalence or not. Altogether, this yields the first decidability result of trace equivalence for a general class of processes that may involve else branches and/or private channels (for a bounded number of sessions).