3,195 research outputs found
Formal security analysis of registration protocols for interactive systems: a methodology and a case of study
In this work we present and formally analyze CHAT-SRP (CHAos based
Tickets-Secure Registration Protocol), a protocol to provide interactive and
collaborative platforms with a cryptographically robust solution to classical
security issues. Namely, we focus on the secrecy and authenticity properties
while keeping a high usability. In this sense, users are forced to blindly
trust the system administrators and developers. Moreover, as far as we know,
the use of formal methodologies for the verification of security properties of
communication protocols isn't yet a common practice. We propose here a
methodology to fill this gap, i.e., to analyse both the security of the
proposed protocol and the pertinence of the underlying premises. In this
concern, we propose the definition and formal evaluation of a protocol for the
distribution of digital identities. Once distributed, these identities can be
used to verify integrity and source of information. We base our security
analysis on tools for automatic verification of security protocols widely
accepted by the scientific community, and on the principles they are based
upon. In addition, it is assumed perfect cryptographic primitives in order to
focus the analysis on the exchange of protocol messages. The main property of
our protocol is the incorporation of tickets, created using digests of chaos
based nonces (numbers used only once) and users' personal data. Combined with a
multichannel authentication scheme with some previous knowledge, these tickets
provide security during the whole protocol by univocally linking each
registering user with a single request. [..]Comment: 32 pages, 7 figures, 8 listings, 1 tabl
Formal Verification of Security Protocol Implementations: A Survey
Automated formal verification of security protocols has been mostly focused on analyzing high-level abstract models which, however, are significantly different from real protocol implementations written in programming languages. Recently, some researchers have started investigating techniques that bring automated formal proofs closer to real implementations. This paper surveys these attempts, focusing on approaches that target the application code that implements protocol logic, rather than the libraries that implement cryptography. According to these approaches, libraries are assumed to correctly implement some models. The aim is to derive formal proofs that, under this assumption, give assurance about the application code that implements the protocol logic. The two main approaches of model extraction and code generation are presented, along with the main techniques adopted for each approac
Chasing diagrams in cryptography
Cryptography is a theory of secret functions. Category theory is a general
theory of functions. Cryptography has reached a stage where its structures
often take several pages to define, and its formulas sometimes run from page to
page. Category theory has some complicated definitions as well, but one of its
specialties is taming the flood of structure. Cryptography seems to be in need
of high level methods, whereas category theory always needs concrete
applications. So why is there no categorical cryptography? One reason may be
that the foundations of modern cryptography are built from probabilistic
polynomial-time Turing machines, and category theory does not have a good
handle on such things. On the other hand, such foundational problems might be
the very reason why cryptographic constructions often resemble low level
machine programming. I present some preliminary explorations towards
categorical cryptography. It turns out that some of the main security concepts
are easily characterized through the categorical technique of *diagram
chasing*, which was first used Lambek's seminal `Lecture Notes on Rings and
Modules'.Comment: 17 pages, 4 figures; to appear in: 'Categories in Logic, Language and
Physics. Festschrift on the occasion of Jim Lambek's 90th birthday', Claudia
Casadio, Bob Coecke, Michael Moortgat, and Philip Scott (editors); this
version: fixed typos found by kind reader
Name-passing calculi and crypto-primitives: A survey
The paper surveys the literature on high-level name-passing process calculi, and their extensions with cryptographic primitives. The survey is by no means exhaustive, for essentially two reasons. First, in trying to provide a coherent presentation of different ideas and techniques, one inevitably ends up leaving out the approaches that do not fit the intended roadmap. Secondly, the literature on the subject has been growing at very high rate over the years. As a consequence, we decided to concentrate on few papers that introduce the main ideas, in the hope that discussing them in some detail will provide sufficient insight for further reading
Statistical Epistemic Logic
We introduce a modal logic for describing statistical knowledge, which we
call statistical epistemic logic. We propose a Kripke model dealing with
probability distributions and stochastic assignments, and show a stochastic
semantics for the logic. To our knowledge, this is the first semantics for
modal logic that can express the statistical knowledge dependent on
non-deterministic inputs and the statistical significance of observed results.
By using statistical epistemic logic, we express a notion of statistical
secrecy with a confidence level. We also show that this logic is useful to
formalize statistical hypothesis testing and differential privacy in a simple
and abstract manner
A Machine-Checked Formalization of the Generic Model and the Random Oracle Model
Most approaches to the formal analyses of cryptographic protocols make the perfect cryptography assumption, i.e. the hypothese that there is no way to obtain knowledge about the plaintext pertaining to a ciphertext without knowing the key. Ideally, one would prefer to rely on a weaker hypothesis on the computational cost of gaining information about the plaintext pertaining to a ciphertext without knowing the key. Such a view is permitted by the Generic Model and the Random Oracle Model which provide non-standard computational models in which one may reason about the computational cost of breaking a cryptographic scheme. Using the proof assistant Coq, we provide a machine-checked account of the Generic Model and the Random Oracle Mode
Formal Analysis of Vulnerabilities of Web Applications Based on SQL Injection (Extended Version)
We present a formal approach that exploits attacks related to SQL Injection
(SQLi) searching for security flaws in a web application. We give a formal
representation of web applications and databases, and show that our
formalization effectively exploits SQLi attacks. We implemented our approach in
a prototype tool called SQLfast and we show its efficiency on real-world case
studies, including the discovery of an attack on Joomla! that no other tool can
find
- ā¦