254 research outputs found
A Computationally Sound Mechanized Prover for Security Protocols
We present a new mechanized prover for secrecy properties of
cryptographic protocols. In contrast to most previous provers, our
tool does not rely on the Dolev-Yao model, but on the computational
model. It produces proofs presented as sequences of games; these
games are formalized in a probabilistic polynomial-time process
calculus. Our tool provides a generic method for specifying security
properties of the cryptographic primitives, which can handle shared-
and public-key encryption, signatures, message authentication codes,
and hash functions. Our tool produces proofs valid for a number of
sessions polynomial in the security parameter, in the presence of an
active adversary. We have implemented our tool and tested it on a
number of examples of protocols from the literature
Computational Soundness of Formal Encryption in Coq
We formalize Abadi and Rogaway's computational soundness result in the
Coq interactive theorem prover. This requires to model notions of provable
cryptography like indistinguishability between ensembles of
probability distributions, PPT reductions, and security notions for
encryption schemes.
Our formalization is the first computational soundness result to be
mechanized, and it shows the feasibility of rigorous reasoning of
computational cryptography inside a generic interactive theorem prover
07421 Abstracts Collection -- Formal Protocol Verification Applied
From 14/10/2007 to 19/10/2007, the Dagstuhl Seminar 07421 ``Formal Protocol Verification Applied\u27\u27 was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl.
During the seminar, several participants presented their current
research, and ongoing work and open problems were discussed. Abstracts of
the presentations given during the seminar as well as abstracts of
seminar results and ideas are put together in this paper. The first section
describes the seminar topics and goals in general.
Links to extended abstracts or full papers are provided, if available
Computationally Sound Mechanized Proofs for Basic and Public-key Kerberos
We present a computationally sound mechanized analysis of Kerberos 5, both with and without its public-key extension PKINIT. We prove authentication and key secrecy properties using the prover CryptoVerif, which works directly in the computational model; these are the first mechanical proofs of a full industrial protocol at the computational level. We also generalize the notion of key usability and use CryptoVerif to prove that this definition is satisfied by keys in Kerberos
Crypto-Verifying Protocol Implementations in ML
We intend to narrow the gap between concrete
implementations and verified models of cryptographic protocols.
We consider protocols implemented in F#, a variant of ML, and
verified using CryptoVerif, Blanchet's protocol verifier for
computational cryptography.
We experiment with compilers from F# code to CryptoVerif processes,
and from CryptoVerif declarations to F# code.
We present two case studies: an implementation of the Otway-Rees
protocol, and an implementation of a simplified password-based
authentication protocol. In both cases, we obtain concrete security
guarantees for a computational model closely related to
executable code
A Survey of Symbolic Methods in Computational Analysis of Cryptographic Systems
Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomial-time attacks. The other approach relies on a symbolic model of protocol executions in which cryptographic primitives are treated as black boxes. Since the seminal work of Dolev and Yao, it has been realized that this latter approach enables significantly simpler and often automated proofs. However, the guarantees that it offers have been quite unclear. For more than twenty years the two approaches have coexisted but evolved mostly independently. Recently, significant research efforts attempt to develop paradigms for cryptographic systems analysis that combines the best of both worlds. There are two broad directions that have been followed. {\em Computational soundness} aims to establish sufficient conditions under which results obtained using symbolic models imply security under computational models. The {\em direct approach} aims to apply the principles and the techniques developed in the context of symbolic models directly to computational ones. In this paper we survey existing results along both of these directions. Our goal is to provide a rather complete summary that could act as a quick reference for researchers who want to contribute to the field, want to make use of existing results, or just want to get a better picture of what results already exist
Formal Computational Unlinkability Proofs of RFID Protocols
We set up a framework for the formal proofs of RFID protocols in the
computational model. We rely on the so-called computationally complete symbolic
attacker model. Our contributions are: i) To design (and prove sound) axioms
reflecting the properties of hash functions (Collision-Resistance, PRF); ii) To
formalize computational unlinkability in the model; iii) To illustrate the
method, providing the first formal proofs of unlinkability of RFID protocols,
in the computational model
Automated Cryptographic Analysis of the Pedersen Commitment Scheme
Aiming for strong security assurance, recently there has been an increasing
interest in formal verification of cryptographic constructions. This paper
presents a mechanised formal verification of the popular Pedersen commitment
protocol, proving its security properties of correctness, perfect hiding, and
computational binding. To formally verify the protocol, we extended the theory
of EasyCrypt, a framework which allows for reasoning in the computational
model, to support the discrete logarithm and an abstraction of commitment
protocols. Commitments are building blocks of many cryptographic constructions,
for example, verifiable secret sharing, zero-knowledge proofs, and e-voting.
Our work paves the way for the verification of those more complex
constructions.Comment: 12 pages, conference MMM-ACNS 201
Automated Proof for Authorization Protocols of TPM 2.0 in Computational Model (full version)
We present the first automated proof of the authorization protocols in TPM 2.0 in the computational model. The Trusted Platform Module(TPM) is a chip that enables trust in computing platforms and achieves more security than software alone. The TPM interacts with a caller via a predefined set of commands. Many commands reference TPM-resident structures, and use of them may require authorization. The TPM will provide an acknowledgement once receiving an authorization. This interact ensure the authentication of TPM and the caller. In this paper, we present a computationally sound mechanized proof for authorization protocols in the TPM 2.0. We model the authorization protocols using a probabilistic polynomial-time calculus and prove authentication between the TPM and the caller with the aid of the tool CryptoVerif, which works in the computational model. In addition, the prover gives the upper bounds to break the authentication between them
Automatic analysis of distance bounding protocols
Distance bounding protocols are used by nodes in wireless networks to
calculate upper bounds on their distances to other nodes. However, dishonest
nodes in the network can turn the calculations both illegitimate and inaccurate
when they participate in protocol executions. It is important to analyze
protocols for the possibility of such violations. Past efforts to analyze
distance bounding protocols have only been manual. However, automated
approaches are important since they are quite likely to find flaws that manual
approaches cannot, as witnessed in literature for analysis pertaining to key
establishment protocols. In this paper, we use the constraint solver tool to
automatically analyze distance bounding protocols. We first formulate a new
trace property called Secure Distance Bounding (SDB) that protocol executions
must satisfy. We then classify the scenarios in which these protocols can
operate considering the (dis)honesty of nodes and location of the attacker in
the network. Finally, we extend the constraint solver so that it can be used to
test protocols for violations of SDB in these scenarios and illustrate our
technique on some published protocols.Comment: 22 pages, Appeared in Foundations of Computer Security, (Affiliated
workshop of LICS 2009, Los Angeles, CA)
- …