124 research outputs found
Key-Secrecy of PACE with OTS/CafeOBJ
The ICAO-standardized Password Authenticated Connection Establishment (PACE) protocol is used all over the world to secure access to electronic passports. Key-secrecy of PACE is proven by first modeling
it as an Observational Transition System (OTS) in CafeOBJ, and then
proving invariant properties by induction
MAC-in-the-Box: Verifying a Minimalistic Hardware Design for MAC Computation
We study the verification of security properties at the state machine level of a minimalistic device, called the MAC-in-the-Box (MITB). This device computes a message authentication code based on the SHA-3 hash function and a key that is stored on device, but never output directly. It is designed for secure password storage, but may also be used for secure key-exchange and second-factor authentication. We formally verify, in the HOL4 theorem prover, that no outside observer can distinguish this device from an ideal functionality that provides only access to a hashing oracle. Furthermore, we propose protocols for the MITB’s use in password storage, key-exchange and second-factor authentication, and formally show that it improves resistance against host-compromise in these three application scenarios
The Cryptographic Security of the German Electronic Identity Card
In November 2010, the German government started to issue the new electronic identity card (eID) to its citizens. Besides its original utilization as a ’visual’ identification document, the eID card can be used by the cardholder to prove one’s identity at border control and to enhance security of authentication processes over the Internet, with the eID card serving as a token to reliably
transmit personal data to service providers or terminals, respectively. To this end, the German Federal Office for Information Security (BSI) proposed several cryptographic protocols now deployed on the eID card.
The Password Authenticated Connection Establishment (PACE) protocol secures the wireless communication between the eID card and the user’s local card reader, based on a cryptographically weak password like the PIN chosen by the card owner. Subsequently, the Extended Access Control (EAC) protocol is executed by the chip and the service provider to mutually authenticate and agree on a shared secret session key. This key is then used in the secure channel protocol, called Secure Messaging (SM). Finally, an optional protocol,
called Restricted Identification (RI), provides a method to use pseudonyms such that they can be linked by individual service providers, but not across different service providers (even not by malicious ones).
This thesis consists of two parts. First, we present the above protocols and provide a rigorous analysis on their security from a cryptographic point of view. We show that the Germen eID card provides reasonable security for authentication and exchange of sensitive information allaying concerns regarding its usage.
In the second part of this thesis, we introduce two possible modifications to enhance the security of these protocols even further. Namely, we show how to (a) add to PACE an additional efficient chip authentication step, and (b) augment RI to allow also for signatures under pseudonyms
Advanced Features in Protocol Verification: Theory, Properties, and Efficiency in Maude-NPA
The area of formal analysis of cryptographic protocols has been an active
one since the mid 80’s. The idea is to verify communication protocols
that use encryption to guarantee secrecy and that use authentication of
data to ensure security. Formal methods are used in protocol analysis to
provide formal proofs of security, and to uncover bugs and security flaws
that in some cases had remained unknown long after the original protocol
publication, such as the case of the well known Needham-Schroeder
Public Key (NSPK) protocol. In this thesis we tackle problems regarding
the three main pillars of protocol verification: modelling capabilities,
verifiable properties, and efficiency.
This thesis is devoted to investigate advanced features in the analysis
of cryptographic protocols tailored to the Maude-NPA tool. This tool
is a model-checker for cryptographic protocol analysis that allows for
the incorporation of different equational theories and operates in the
unbounded session model without the use of data or control abstraction.
An important contribution of this thesis is relative to theoretical aspects
of protocol verification in Maude-NPA. First, we define a forwards
operational semantics, using rewriting logic as the theoretical framework
and the Maude programming language as tool support. This is the first
time that a forwards rewriting-based semantics is given for Maude-NPA.
Second, we also study the problem that arises in cryptographic protocol
analysis when it is necessary to guarantee that certain terms generated
during a state exploration are in normal form with respect to the protocol
equational theory.
We also study techniques to extend Maude-NPA capabilities to support
the verification of a wider class of protocols and security properties.
First, we present a framework to specify and verify sequential protocol
compositions in which one or more child protocols make use of information obtained from running a parent protocol. Second, we present a
theoretical framework to specify and verify protocol indistinguishability
in Maude-NPA. This kind of properties aim to verify that an attacker
cannot distinguish between two versions of a protocol: for example, one
using one secret and one using another, as it happens in electronic voting
protocols.
Finally, this thesis contributes to improve the efficiency of protocol
verification in Maude-NPA. We define several techniques which drastically
reduce the state space, and can often yield a finite state space,
so that whether the desired security property holds or not can in fact
be decided automatically, in spite of the general undecidability of such
problems.Santiago Pinazo, S. (2015). Advanced Features in Protocol Verification: Theory, Properties, and Efficiency in Maude-NPA [Tesis doctoral no publicada]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/4852
On the Application of Identity-Based Cryptography in Grid Security
This thesis examines the application of identity-based cryptography
(IBC) in designing security infrastructures for grid applications.
In this thesis, we propose a fully identity-based key infrastructure
for grid (IKIG). Our proposal exploits some interesting properties
of hierarchical identity-based cryptography (HIBC) to replicate
security services provided by the grid security infrastructure (GSI)
in the Globus Toolkit. The GSI is based on public key infrastructure
(PKI) that supports standard X.509 certificates and proxy
certificates. Since our proposal is certificate-free and has small
key sizes, it offers a more lightweight approach to key management
than the GSI. We also develop a one-pass delegation protocol that
makes use of HIBC properties. This combination of lightweight key
management and efficient delegation protocol has better scalability
than the existing PKI-based approach to grid security.
Despite the advantages that IKIG offers, key escrow remains an issue
which may not be desirable for certain grid applications. Therefore,
we present an alternative identity-based approach called dynamic key
infrastructure for grid (DKIG). Our DKIG proposal combines both
identity-based techniques and the conventional PKI approach. In this
hybrid setting, each user publishes a fixed parameter set through a
standard X.509 certificate. Although X.509 certificates are involved
in DKIG, it is still more lightweight than the GSI as it enables the
derivation of both long-term and proxy credentials on-the-fly based
only on a fixed certificate.
We also revisit the notion of secret public keys which was
originally used as a cryptographic technique for designing secure
password-based authenticated key establishment protocols. We
introduce new password-based protocols using identity-based secret
public keys. Our identity-based techniques can be integrated
naturally with the standard TLS handshake protocol. We then discuss
how this TLS-like identity-based secret public key protocol can be
applied to securing interactions between users and credential
storage systems, such as MyProxy, within grid environments
Modeling and Analysis of Advanced Cryptographic Primitives and Security Protocols in Maude-NPA
Tesis por compendio[ES] La herramienta criptográfica Maude-NPA es un verificador de modelos especializado para protocolos de seguridad criptográficos que tienen en cuenta las propiedades algebraicas de un sistema criptográfico. En la literatura, las propiedades criptográficas adicionales han descubierto debilidades de los protocolos de seguridad y, en otros casos, son parte de los supuestos de seguridad del protocolo para funcionar correctamente. Maude-NPA tiene una base teórica en la rewriting logic, la unificación ecuacional y el narrowing para realizar una búsqueda hacia atrás desde un patrón de estado inseguro para determinar si es alcanzable o no. Maude-NPA se puede utilizar para razonar sobre una amplia gama de propiedades criptográficas, incluida la cancelación del cifrado y descifrado, la exponenciación de Diffie-Hellman, el exclusive-or y algunas aproximaciones del cifrado homomórfico.
En esta tesis consideramos nuevas propiedades criptográficas, ya sea como parte de protocolos de seguridad o para descubrir nuevos ataques. También hemos modelado diferentes familias de protocolos de seguridad, incluidos los Distance Bounding Protocols or Multi-party key agreement protocolos. Y hemos desarrollado nuevas técnicas de modelado para reducir el coste del análisis en protocolos con tiempo y espacio. Esta tesis contribuye de varias maneras al área de análisis de protocolos criptográficos y muchas de las contribuciones de esta tesis pueden ser útiles para otras herramientas de análisis criptográfico.[CAT] L'eina criptografica Maude-NPA es un verificador de models especialitzats per a protocols de seguretat criptogrà fics que tenen en compte les propietats algebraiques d'un sistema criptogrà fic. A la literatura, les propietats criptogrà fiques addicionals han descobert debilitats dels protocols de seguretat i, en altres casos, formen part dels supòsits de seguretat del protocol per funcionar correctament. Maude-NPA te' una base teòrica a la rewriting lògic, la unificació' equacional i narrowing per realitzar una cerca cap enrere des d'un patró' d'estat insegur per determinar si es accessible o no. Maude-NPA es pot utilitzar per raonar sobre una amplia gamma de propietats criptogrà fiques, inclosa la cancel·lació' del xifratge i desxifrat, l'exponenciacio' de Diffie-Hellman, el exclusive-or i algunes aproximacions del xifratge homomòrfic.
En aquesta tesi, considerem noves propietats criptogrà fiques, ja sigui com a part de protocols de seguretat o per descobrir nous atacs. Tambe' hem modelat diferents famÃlies de protocols de seguretat, inclosos els Distance Bounding Protocols o Multi-party key agreement protocols. I hem desenvolupat noves tècniques de modelització' de protocols per reduir el cost de l'analisi en protocols amb temps i espai. Aquesta tesi contribueix de diverses maneres a l’à rea de l’anà lisi de protocols criptogrà fics i moltes de les contribucions d’aquesta tesi poden ser útils per a altres eines d’anà lisi criptogrà fic.[EN] The Maude-NPA crypto tool is a specialized model checker for cryptographic security protocols that take into account the algebraic properties of the cryptosystem. In the literature, additional crypto properties have uncovered weaknesses of security protocols and, in other cases, they are part of the protocol security assumptions in order to function properly. Maude-NPA has a theoretical basis on rewriting logic, equational unification, and narrowing to perform a backwards search from an insecure state pattern to determine whether or not it is reachable. Maude-NPA can be used to reason about a wide range of cryptographic properties, including cancellation of encryption and decryption, Diffie-Hellman exponentiation, exclusive-or, and some approximations of homomorphic encryption.
In this thesis, we consider new cryptographic properties, either as part of security protocols or to discover new attacks. We have also modeled different families of security protocols, including Distance Bounding Protocols or Multi-party key agreement protocols. And we have developed new protocol modeling techniques to reduce the time and space analysis effort. This thesis contributes in several ways to the area of cryptographic protocol analysis and many of the contributions of this thesis can be useful for other crypto analysis tools.This thesis would not have been possible without the funding of a set of research projects. The main contributions and derivative works of this thesis
have been made in the context of the following projects:
- Ministry of Economy and Business of Spain : Project LoBaSS Effective Solutions Based on Logic, Scientific Research under award number TIN2015-69175-C4-1-R, this project was focused on using powerful logic-based technologies to analyze safety-critical systems.
- Air Force Office of Scientific Research of United States of America : Project Advanced symbolic methods for the cryptographic protocol analyzer Maude-NPA Scientific Research under award number FA9550-17-1-0286
- State Investigation Agency of Spain : Project FREETech: Formal Reasoning for Enabling and Emerging Technologies Scientific I+D-i Research under award number RTI2018-094403-B-C32Aparicio Sánchez, D. (2022). Modeling and Analysis of Advanced Cryptographic Primitives and Security Protocols in Maude-NPA [Tesis doctoral]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/190915Compendi
Verification of Security Protocols with Lists: from Length One to Unbounded Length
International audienceWe present a novel, simple technique for proving secrecy properties for security protocols that manipulate lists of unbounded length, for an unbounded number of sessions. More specifically, our technique relies on the Horn clause approach used in the automatic verifier ProVerif: we show that if a protocol is proven secure by our technique with lists of length one, then it is secure for lists of unbounded length. Interestingly, this theorem relies on approximations made by our verification technique: in general, secrecy for lists of length one does not imply secrecy for lists of unbounded length. Our result can be used in particular to prove secrecy properties for group protocols with an unbounded number of participants and for some XML protocols (web services) with ProVerif
- …