
    Symbolic Verification of Computational Security for Branching-Time Properties

    Two different models for security of cryptographic protocols have been developed: Symbolic security is an abstract notion which can often be verified automatically. Computational security is defined in a realistic concurrent model against arbitrary, randomized polynomial-time attacks. A recent research trend is to prove that often, these security notions coincide, thereby transferring the decidability results from the abstract setting into the more realistic computational model. Previous results in this area are only concerned with trace properties, i.e., security goals that can be characterized as properties of single protocol runs. We prove the first equivalence result for a more complex class of goals, which include balance for contract signing protocols. Our result shows that computational security for these protocols can be verified automatically. The proof relies on a careful "derandomization" of realistic attacks.

    07421 Abstracts Collection -- Formal Protocol Verification Applied

    From 14/10/2007 to 19/10/2007, the Dagstuhl Seminar 07421 "Formal Protocol Verification Applied" was held in the International Conference and Research Center (IBFI), Schloss Dagstuhl. During the seminar, several participants presented their current research, and ongoing work and open problems were discussed. Abstracts of the presentations given during the seminar as well as abstracts of seminar results and ideas are put together in this paper. The first section describes the seminar topics and goals in general. Links to extended abstracts or full papers are provided, if available.

    Combining behavioural types with security analysis

    Today's software systems are highly distributed and interconnected, and they increasingly rely on communication to achieve their goals; due to their societal importance, security and trustworthiness are crucial aspects for the correctness of these systems. Behavioural types, which extend data types by describing also the structured behaviour of programs, are a widely studied approach to the enforcement of correctness properties in communicating systems. This paper offers a unified overview of proposals based on behavioural types which are aimed at the analysis of security properties.

    KeyForge: Mitigating Email Breaches with Forward-Forgeable Signatures

    Email breaches are commonplace, and they expose a wealth of personal, business, and political data that may have devastating consequences. The current email system allows any attacker who gains access to your email to prove the authenticity of the stolen messages to third parties -- a property arising from a necessary anti-spam / anti-spoofing protocol called DKIM. This exacerbates the problem of email breaches by greatly increasing the potential for attackers to damage the users' reputation, blackmail them, or sell the stolen information to third parties. In this paper, we introduce "non-attributable email", which guarantees that a wide class of adversaries are unable to convince any third party of the authenticity of stolen emails. We formally define non-attributability, and present two practical system proposals -- KeyForge and TimeForge -- that provably achieve non-attributability while maintaining the important protection against spam and spoofing that is currently provided by DKIM. Moreover, we implement KeyForge and demonstrate that the scheme is practical, achieving competitive verification and signing speed while also requiring 42% less bandwidth per email than RSA2048.
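    The abstract above states the problem (a DKIM signature on a leaked mail is proof of authorship to anyone) but not how a "forward-forgeable" signature removes it. The following is an added example for this listing, not code from the KeyForge paper: it models a sending domain that uses a one-time hash-based (Lamport) key per epoch, publishes the public half as a DKIM-style record, and publishes the secret half once the epoch has expired. That disclosure mechanism is an assumed stand-in for the paper's construction; the mail bodies and the one-mail-per-epoch restriction are constructed for the demo.

```python
"""Toy model of why DKIM makes leaked mail attributable and how a
forward-forgeable signature removes that property.  Added illustration, not
code from the KeyForge paper: per-epoch Lamport one-time keys whose secret
half is published after the epoch expires stand in for the real scheme."""
import hashlib
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(msg: bytes) -> str:
    # The 256 bits being signed: the SHA-256 digest of the (canonicalised) mail.
    return "".join(f"{b:08b}" for b in _h(msg))


def keygen():
    """Lamport one-time key: 256 pairs of random secrets; public key = their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(s0), _h(s1)) for s0, s1 in sk]
    return sk, pk


def sign(sk, msg: bytes):
    """Reveal, for each digest bit, the secret that corresponds to that bit."""
    return [sk[i][int(bit)] for i, bit in enumerate(_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(_h(s) == pk[i][int(bit)]
               for i, (s, bit) in enumerate(zip(sig, _bits(msg))))


class ToyDomainSigner:
    """Stand-in for a sending domain's DKIM signer.  One key per epoch: the
    public half is 'published in DNS'; the secret half is published once the
    epoch has expired, which is what makes old signatures forgeable."""

    def __init__(self):
        self._secret = {}    # epoch -> secret key, while the epoch is live
        self.dns = {}        # epoch -> public key (like a DKIM selector record)
        self.disclosed = {}  # epoch -> secret key, once the epoch has expired

    def new_epoch(self, epoch: int) -> None:
        sk, pk = keygen()
        self._secret[epoch] = sk
        self.dns[epoch] = pk

    def sign_mail(self, epoch: int, msg: bytes):
        # Toy simplification: a Lamport key may sign only one message, so
        # each epoch carries exactly one mail here.
        return sign(self._secret[epoch], msg)

    def expire(self, epoch: int) -> None:
        # Forward-forgeability step: the expired secret key becomes public.
        self.disclosed[epoch] = self._secret.pop(epoch)


def demo() -> dict:
    """Constructed scenario: a mail is signed, the mailbox is later breached,
    and a third party checks what the leaked signature still proves."""
    domain = ToyDomainSigner()
    domain.new_epoch(1)
    pk = domain.dns[1]

    genuine = b"From: alice@example.com\r\nSubject: Q3\r\n\r\nRevenue is down 12%."
    sig = domain.sign_mail(1, genuine)

    # During the epoch the signature does DKIM's job: the real mail verifies,
    # and a spoofer without the secret key cannot produce a valid signature.
    legit_ok = verify(pk, genuine, sig)
    spoof = b"From: alice@example.com\r\n\r\nWire the money today."
    spoof_sk, _ = keygen()
    spoof_rejected = not verify(pk, spoof, sign(spoof_sk, spoof))

    # The epoch ends and the secret key is published.  The stolen mail still
    # verifies, but so does a forgery anyone can now make, so a verdict of
    # 'valid' no longer tells a third party anything about authorship.
    domain.expire(1)
    stolen_still_verifies = verify(pk, genuine, sig)
    forged = b"From: alice@example.com\r\nSubject: Q3\r\n\r\nRevenue is down 40%."
    forgery_verifies = verify(pk, forged, sign(domain.disclosed[1], forged))

    return {
        "legit_ok": legit_ok,
        "spoof_rejected": spoof_rejected,
        "stolen_still_verifies": stolen_still_verifies,
        "forgery_verifies": forgery_verifies,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    With an ordinary DKIM key that is never disclosed, the first three results hold and the fourth is impossible, which is exactly the attributability the abstract describes. The practical caveat the toy makes visible is that receivers must check the signature while the key is still live (before its disclosure); a signature checked after that point is no evidence of anything, by design.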

    A Constraint-Based Algorithm for Contract-Signing Protocols

    Research on the automatic analysis of cryptographic protocols has so far mainly concentrated on reachability properties, such as secrecy and authentication. Only recently it was shown that certain game-theoretic security properties, such as balance for contract-signing protocols, are decidable in a Dolev-Yao style model with a bounded number of sessions but unbounded message size. However, this result does not provide a practical algorithm as it merely bounds the size of attacks. In this paper, we prove that game-theoretic security properties can be decided based on standard constraint solving procedures. This paves the way for extending existing implementations and tools for reachability properties to deal with game-theoretic security properties.

    Strategy properties for cryptographic protocols

    In this thesis we introduce the alternating mu-calculus (AMC) for cryptographic protocols and show in which cases this logic is decidable and in which cases it is not. We also give tight complexity bounds for the decidable classes of this problem. We extend the constraint solving approach developed for reachability properties to strategy properties and show how to utilize existing constraint solvers as a black box to decide strategy properties when a bounded number of sessions is considered and no bound on the message length is imposed. We give an alternative proof of the impossibility result given by Chadha et al. based on an axiomatic approach. In order to formulate the properties of protocols we extend ATL by what we call move selectors. With move selectors one can talk about different kinds of behaviors (such as honest, dishonest, and optimistic behavior) of participants in a natural way rather than model each kind of possible behavior in an ad hoc fashion.

    Keeping Fairness Alive : Design and formal verification of optimistic fair exchange protocols

    Promotors: W.J. Fokkink and J.C. van de Pol

    Infinite State AMC-Model Checking for Cryptographic Protocols

    Only very little is known about the automatic analysis of cryptographic protocols for game-theoretic security properties. In this paper, we therefore study decidability and complexity of the model checking problem for AMC-formulas over infinite state concurrent game structures induced by cryptographic protocols and the Dolev-Yao intruder. We show that the problem is NEXPTIME-complete when making reasonable assumptions about protocols and for an expressive fragment of AMC, which contains, for example, all properties formulated by Kremer and Raskin in fair ATL for contract-signing and non-repudiation protocols. We also prove that our assumptions on protocols are necessary to obtain decidability.
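    Both the constraint-based contract-signing abstract and the AMC model-checking abstract above take the Dolev-Yao intruder as given. The following added example, not code from either paper, spells out the intruder's deduction rules on ground terms so the model is concrete: the intruder can split pairs, decrypt with keys it can derive, and build new messages by pairing, encrypting and hashing, but cannot open a ciphertext whose key it lacks. Term encoding and the sample traffic (key chains, a ciphertext for the wrong recipient) are constructed for the demo; it does not handle messages with variables, which is what the papers' constraint solving adds.

```python
"""Dolev-Yao intruder deduction on ground terms.  Added illustration for
this listing, not code from the papers above.  Term encoding (assumed):
atoms are strings; ('pair', a, b), ('senc', m, k) symmetric encryption,
('aenc', m, ('pk', A)) public-key encryption, ('h', m) hashing,
('sk', A) the private key of A."""


def derivable(goal, known: frozenset) -> bool:
    """Synthesis: goal is known outright, or can be built by applying a
    constructor to derivable parts.  Decryption is done by analyze()."""
    if goal in known:
        return True
    if isinstance(goal, tuple):
        ctor, *args = goal
        if ctor in ("pair", "senc", "aenc"):
            # Pairing and encryption need every component, including the key.
            return all(derivable(a, known) for a in args)
        if ctor == "h":
            return derivable(args[0], known)
    # 'pk' / 'sk' / atoms cannot be conjured: they must have been observed.
    return False


def analyze(observed) -> frozenset:
    """Analysis: decompose observed messages until nothing new appears.
    Pairs split; a symmetric ciphertext opens if its key is derivable; a
    public-key ciphertext opens if the matching private key is derivable."""
    known = set(observed)
    while True:
        new = set()
        snapshot = frozenset(known)
        for t in known:
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                new.update(t[1:])
            elif t[0] == "senc" and derivable(t[2], snapshot):
                new.add(t[1])
            elif (t[0] == "aenc" and isinstance(t[2], tuple) and t[2][0] == "pk"
                  and derivable(("sk", t[2][1]), snapshot)):
                new.add(t[1])
        if new <= known:
            return snapshot
        known |= new


def knows(goal, observed) -> bool:
    """Can the Dolev-Yao intruder derive 'goal' from the observed messages?"""
    return derivable(goal, analyze(observed))


def demo() -> dict:
    # Constructed traffic: a session key k2 sent under k1, a secret s under k2.
    chain = {("senc", "k2", "k1"), ("senc", "s", "k2")}
    # Constructed: s encrypted for B; the intruder holds A's private key, not B's.
    for_b = {("aenc", "s", ("pk", "B")), ("sk", "A"), ("pk", "B")}
    return {
        "chain_without_k1": knows("s", chain),
        "chain_with_k1": knows("s", chain | {"k1"}),
        # The key arrives paired with a nonce inside the first ciphertext.
        "paired_key": knows("s", {("senc", ("pair", "n", "k2"), "k1"), "k1",
                                  ("senc", "s", "k2")}),
        "reads_B_ciphertext": knows("s", for_b),
        # Lacking sk(B) does not stop the intruder from encrypting *to* B.
        "can_encrypt_for_B": knows(("aenc", "n_i", ("pk", "B")), for_b | {"n_i"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

    The loop in analyze() terminates because every added term is a strict subterm of something already known; derivable() then answers the "can the intruder produce this expected message?" question that, with variables in place of the concrete atoms, becomes the constraints the papers above solve.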

    SoK: Delay-based Cryptography

    Analysing security properties using refinement

    Security properties are essential in open and distributed environments with high dependability requirements. An approach to development and analysis of safety- and security-critical systems based on refinement as the central concept can offer an integrated solution. We analyse the Online Certificate Status Protocol (OCSP), showing how to use refinement as an interference analysis tool for secure communication protocols and intruders.