Similar literature
1.
束妮娜, 王亚弟. 《计算机工程》2001, 27(10): 129-131
Through an analysis of the Otway-Rees protocol, this paper introduces the inductive method, a formal analysis method for cryptographic protocols that is currently receiving widespread attention.

2.
None of the existing sanitizable signature schemes based on chameleon hash functions achieve full privacy, while sanitizable signature schemes based on group signatures satisfy full privacy but are too inefficient to be practical. To address this, a new sanitizable signature scheme is proposed. It is constructed from a conventional digital signature scheme, the BLS signature scheme and a public-key encryption scheme, and it satisfies all the basic security requirements of sanitizable signatures, namely unforgeability, immutability, transparency, full privacy and accountability, while being computationally more efficient than the group-signature-based schemes and therefore more practical.

3.
We describe human-subject laboratory experiments on probabilistic auctions based on previously proposed auction protocols involving the simulated manipulation and communication of quantum states. These auctions are probabilistic in determining which bidder wins, or having no winner, rather than always having the highest bidder win. Comparing two quantum protocols in the context of first-price sealed bid auctions, we find the one predicted to be superior by game theory also performs better experimentally. We also compare with a conventional first-price auction, which gives higher performance. Thus to provide benefits, the quantum protocol requires more complex economic scenarios such as maintaining privacy of bids over a series of related auctions or involving allocative externalities.

4.
This paper presents SEAS, the Secure E-voting Applet System, a protocol for implementing a secure system for polling over computer networks, usable in distributed organizations whose members may range up to tens of thousands. We consider an architecture requiring the minimum number of servers involved in the validation and voting phases. Sensus [Cranor L, Cytron RK. Sensus: a security-conscious electronic polling system for the internet. In: Proceedings of HICSS'97. IEEE; 1997. p. 561–70], a well-known e-voting protocol, requires only two servers, namely a validator and a tallier. Although it satisfies most of the security requirements of an e-voting system, Sensus suffers from a vulnerability that allows one of the entities involved in the election process to cast its own votes in place of those of voters who abstain. SEAS is a portable and flexible system that preserves the limited number of servers of Sensus but avoids the mentioned vulnerability. We propose a prototype implementation of SEAS based on Java applet and XML technologies.

5.
Reference [1] proposed analyzing two-party cryptographic protocols by enumerating their run modes. This paper shows that that method fails to enumerate all run modes, so that some protocol flaws cannot be discovered. The paper proposes a traversal analysis method, in which the forged messages that lead to a successful attack are made to traverse the sets of messages the attacker can receive under each circumstance; analyzing the protocol in this way reveals its flaws.

7.
We study the reachability problem for cryptographic protocols represented as processes relying on perfect cryptographic functions. We introduce a symbolic reduction system that can handle hashing functions, symmetric keys, and public keys. Desirable properties such as secrecy or authenticity are specified by inserting logical assertions in the processes. We show that the symbolic reduction system provides a flexible decision procedure for finite processes and a reference for sound implementations. The symbolic reduction system can be regarded as a variant of syntactic unification which is compatible with certain set-membership constraints. For a significant fragment of our formalism, we argue that a DAG implementation of the symbolic reduction system leads to an algorithm running in NPTIME, thus matching the lower bound of the problem. In the case of iterated or finite control processes, we show that the problem is undecidable in general and in PTIME for a subclass of iterated processes that do not rely on pairing. Our technique is based on rational transductions of regular languages and it applies to a class of processes containing the ping-pong protocols studied in 1982 by Dolev, Even and Karp.

8.
From the algebraic conclusions of strand-space proofs of protocol security one can determine whether a protocol has a flaw, but they give no precise answer to the question of how an attack is actually carried out. This paper proposes four heuristic rules for converting an algebraic flaw into a concrete attack, and applies the conversion to the Needham-Schroeder public-key protocol and the Otway-Rees symmetric-key protocol. Practice shows that these four rules are very effective at converting algebraic flaws found in strand spaces into actual attacks.

9.
Formal analysis of cryptographic protocols has concentrated mainly on protocols with closed-ended data structures, i.e., protocols where the messages exchanged between principals have a fixed and finite format. In many protocols, however, the data structures used are open-ended, i.e., messages have an unbounded number of data fields. In this paper, decidability issues for such protocols are studied. We propose a protocol model in which principals are described by transducers, i.e., finite automata with output, and show that in this model security is decidable and PSPACE-hard in the presence of the standard Dolev-Yao intruder.

10.
李薇. 《计算机应用与软件》2009, 26(10): 265-268, 281
This paper discusses a method of verifying the security properties of cryptographic protocols with a set of formal rules. The rules are based on the traditional ideas of security levels and information flow, extended to handle the concurrent processes found in cryptographic protocols. They give the user a checking procedure: if a protocol passes the check, it can be considered not to leak any secret message.

11.
束妮娜, 王亚弟. 《计算机工程》2005, 31(19): 148-150
Using concrete examples, this paper discusses various attacks on cryptographic protocols from different perspectives, and explains the causes of these attacks and general methods of preventing them.

12.
A case of protocol failure caused by key cracking is presented, and a ciphertext-only principle for protocol design is proposed to protect the security of long-term keys to the greatest possible extent. The ciphertext-only principle also resists replay, initialization and cut-and-paste attacks.

13.
To address the secure aggregation of heterogeneous data in multi-application wireless sensor networks, a lightweight secure data aggregation scheme is proposed that simultaneously guarantees data privacy, integrity and freshness. First, the current aggregation round number and a node's preloaded key are fed into a hash function to refresh the node's key for each aggregation period. Second, homomorphic encryption is used so that intermediate nodes can perform aggregation directly on ciphertexts. Third, a homomorphic message authentication code lets the base station verify whether the aggregated data were tampered with in transit. Further, an encoding mechanism is applied to the plaintext to meet the needs of aggregating heterogeneous data across multiple application scenarios. Theoretical analysis and simulation results show that the algorithm offers good security, low communication overhead and higher aggregation accuracy.

14.
This paper deals with the original work due to Brassard et al., in which an algorithm to sell only one secret to one buyer was introduced. It is based on the theory of quadratic residues modulo an integer and Jacobi symbols. Unfortunately, this algorithm exhibits an important security drawback: the seller can disclose more than one secret to the buyer instead of only one. This problem was overcome by other, more sophisticated protocols. Although this problem has been satisfactorily tackled, the main goal of this work is to modify the original work (preserving its flavour) in order to securely disclose multiple secrets without the participation of more buyers but with a trusted third party.

16.
In this work we consider the following primitive, which we call restricted adaptive oblivious transfer. On the one hand, the owner of a database wants to restrict the access of users to this data according to some policy, in such a way that a user can only obtain information satisfying the restrictions imposed by the owner. On the other hand, a legitimate user wants to privately retrieve allowed parts of the data, in a sequential and adaptive way, without letting the owner know which part of the data is being obtained. After having formally described the components and required properties of a protocol for restricted adaptive oblivious transfer, we propose two generic ways to realize this primitive. The first one uses a cryptographic tool which has received a lot of attention in the literature in recent years: cryptosystems which are both multiplicatively and additively homomorphic. Our second generic construction is based on secret sharing schemes.

17.
Cryptographic protocols can be divided into (1) protocols where the protocol steps are simple from a computational point of view and can thus be modeled by simple means, for instance, by single rewrite rules—we call these protocols non-looping—and (2) protocols, such as group protocols, where the protocol steps are complex and typically involve an iterative or recursive computation—we call them recursive. While much is known on the decidability of security for non-looping protocols, only little is known for recursive protocols. In this paper, we prove decidability of security (with respect to the standard Dolev–Yao intruder) for a core class of recursive protocols and undecidability for several extensions. The key ingredient of our protocol model is specifically designed tree transducers which work over infinite signatures and have the ability to generate new constants (which allow us to mimic key generation). The decidability result is based on an automata-theoretic construction which involves a new notion of regularity, designed to work well with the infinite signatures we use.

18.
This paper addresses the problem of representing the intruder's knowledge in the formal verification of cryptographic protocols, whose main challenges are to represent the intruder's knowledge efficiently and without artificial limitations on the structure and size of messages. The new knowledge representation strategy proposed in this paper achieves both goals and leads to a practical implementation because it is incrementally computable and is easily amenable to work with various term representation languages. In addition, it handles associative and commutative term composition operators, thus going beyond the free term algebra framework. An extensive computational complexity analysis of the proposed representation strategy is included in the paper. This work was partially supported by the Italian National Council of Research, grant number CNRC00FE45, and by the Center for Multimedia Radio Communications of Politecnico di Torino.

19.
This paper studies dynamic password technology and analyzes a remote dynamic-password authentication scheme from reference [1], finding that the original scheme cannot resist connection-hijacking attacks. The original scheme is modified; the modified scheme overcomes the security flaw of the original, retains all of its security features, and is more secure.

20.
Networked cryptographic devices resilient to capture
We present a simple technique by which a device that performs private key operations (signatures or decryptions) in networked applications, and whose local private key is activated with a password or PIN, can be immunized to offline dictionary attacks in case the device is captured. Our techniques do not assume tamper resistance of the device but rather exploit the networked nature of the device, in that the device's private key operations are performed using a simple interaction with a remote server. This server, however, is untrusted – its compromise does not reduce the security of the device's private key unless the device is also captured – and need not have a prior relationship with the device. We further extend this approach with support for key disabling, by which the rightful owner of a stolen device can disable the device's private key even if the attacker already knows the user's password.
