Tags for Multi-Protocol Authentication

Formal methods have been proved successful in analyzing different kinds of security protocols. They typically formalize and study the security guarantees provided by cryptographic protocols, when executed by a (possibly unbounded) number of different participants. A key problem in applying formal methods to cryptographic protocols, is the study of multi-protocol systems, where different protocols are concurrently executed. This scenario is particularly interesting in a global computing setting, where several different security services coexist and are possibly combined together. In this paper, we discuss how the tagging mechanism presented in [M. Bugliesi, R. Focardi, and M. Maffei. Compositional analysis of authentication protocols. In Proceedings of European Symposium on Programming (ESOP 2004), volume 2986 of Lecture Notes in Computer Science, pages 140–154. Springer-Verlag, 2004, M. Bugliesi, R.Focardi, and M.Maffei. A theory of types and effects for authentication. In ACM Proceedings of Formal Methods for Security Engineering: from Theory to Practice (FMSE 2004), pages 1–12. ACM Press, October 2004] addresses this issue.     

Cryptographic protocols with everyday objects

Most security protocols appearing in the literature make use of cryptographic primitives that assume that the participants have access to some sort of computational device. However, there are times when there is need for a security mechanism to evaluate some result without leaking sensitive information, but computational devices are unavailable. We discuss here various protocols for solving cryptographic problems using everyday objects: coins, dice, cards, and envelopes.     

Cryptographic protocol security analysis based on bounded constructing algorithm

1 Introduction 1.1 Background Cryptographic protocols have been used to provide security services for many applications on the open communication environment. More and more cryptographic protocols will be designed to solve the increasing security requirem…     

Short Group Signatures Without Random Oracles

We propose short group signature （GS） schemes which are provably secure without random oracles. Our basic scheme is about 14 times shorter than the Boyen-Waters GS scheme at Eurocrypt 2006, and 42% shorter than the recent GS schemes due to Ateniese et al. The security proofs are provided in the Universally Composable model, which allows the proofs of security valid not only when our scheme is executed in isolation, but also in composition with other secure cryptographic primitives. We also present several new computational assumptions and justify them in the generic group model. These assumptions are useful in the design of high-level protocols and may be of independent interest.     

Algebra model and security analysis for cryptographic protocols

With the rapid growth of the Internet and the World Wide Web a large number of cryptographic protocols have been deployed in distributed systems for various application requirements, and security problems of distributed systems have become very important issues. There are some natural problems: does the protocol have the right properties as dictated by the requirements of the system? Is it still secure that multiple secure cryptographic protocols are concurrently executed? How shall we analy…     

运行模式法分析TW密码协议

在介绍两方密码协议运行模式分析法的基础上,运用运行模式分析法对自行设计的TW两方密码协议进行了分析,成功地发现了TW协议的攻击,并验证了此协议的安全性,说明了两方密码协议运行模式分析法的有效性。     

加密模式与密码协议的安全性

密码协议的设计和安全性分析是困难的,在密码协议中总是以所使用的密码算法是安全的为前提,但是人们却忽略了密码算法的加密模式对密码协议安全性的影响。论文针对一个改进的Needham-Schroeder协议,假设其使用了分组密码的CBC加密模式,我们通过使用一条旧信息的明密文对来修改当前会话中的信息,从而成功地欺骗用户双方,并分别与他们建立了一个会话密钥,对该协议进行了成功的攻击。结果说明密码算法的加密模式对密码协议的安全性有着巨大的影响。Schroederauthenticationprotocol125     

Tree automata with one memory set constraints and cryptographic protocols

We introduce a class of tree automata that perform tests on a memory that is updated using function symbol application and projection. The language emptiness problem for this class of tree automata is shown to be in DEXPTIME.We also introduce a class of set constraints with equality tests and prove its decidability by completion techniques and a reduction to tree automata with one memory.Finally, we show how to apply these results to cryptographic protocols. We introduce a class of cryptographic protocols and show the decidability of secrecy for an arbitrary number of agents and an arbitrary number of (concurrent or successive) sessions, provided that only a bounded number of new data is generated. The hypothesis on the protocol (a restricted copying ability) is shown to be necessary: without this hypothesis, we prove that secrecy is undecidable, even for protocols without nonces.     

一种对密码协议攻击的分类分析

保证协议的安全性是保证数据通信安全性的一个重要保障,但是由于协议的应用环境的复杂性和协议设计目的侧重的多样性,协议漏洞被陆续发现。该文从协议设计的角度对协议攻击进行了分类分析,指出一些协议仍然存在的攻击,并结合对前人发现的协议攻击的分析,基于协议设计对协议攻击进行分类,并根据分析结果给出了协议设计的一些指导原则。     

密钥协商协议进展

密钥协商协议允许两个或多个用户在公开网络中建立一个共享密钥,是最基本的密码原型和公钥密码学的基础.本文综述密钥协商协议的研究进展,包括密钥协商的安全模型、传统离散对数环境下的密钥协商协议、最近发展起来的基于双线性对的密钥协商协议以及基于口令的密钥协商协议,指出了密钥协商协议中的公开问题和未来可能的发展方向.     

Tools for cryptographic protocols analysis: A technical and experimental comparison

The tools for cryptographic protocols analysis based on state exploration are designed to be completely automatic and should carry out their job with a reasonable amount of computing and storage resources, even when run by users having a limited amount of expertise in the field. This paper compares four tools of this kind to highlight their features and ability to detect bugs under the same experimental conditions. To this purpose, the ability of each tool to detect known flaws in a uniform set of well-known cryptographic protocols has been checked. Results are also given on the relative performance of the tools when analysing several known-good protocols with an increasing number of parallel sessions.     

A Calculus for Cryptographic Protocols: The Spi Calculus

We introduce the spi calculus, an extension of the pi calculus designed for describing and analyzing cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the spi calculus enables us to consider cryptographic issues in more detail. We represent protocols as processes in the spi calculus and state their security properties in terms of coarse-grained notions of protocol equivalence.     

一种基于规划理论的密码协议形式模型

将规划理论引入到密码协议形式化分析领域,结合密码协议在实际网络环境中的运行特点和规律,提出了密码协议攻击规划理论;建立了一种对密码协议进行安全性验证的形式化模型,即密码协议攻击规划问题模型;给出了模型的一阶语法、形式定义及相关运算语义.同时,分析了Dolev-Yao模型的不足之处,基于基本消息元素策略对其进行了改进;并通过增强应用语义来保证改进模型的可行性,从而避免了"状态空间爆炸"问题的发生,提高了密码协议攻击规划问题模型的完备性;并给出了基于该模型的NS公钥协议分析实例.提出的密码协议形式模型是证伪的,目的在于对密码协议进行验证,并查找协议中可能存在的漏洞,既可以方便地进行手工推导证明,也非常易于自动化实现.     

Abstract Interpretation for Proving Secrecy Properties in Security Protocols

A cryptographic protocol is a distributed program that can be executed by several actors. Since several runs of the protocol within the same execution are allowed, models of cryptoprotocols are often infinite. Sometimes, for verification purposes, only a finite and approximated model is needed. For this, we consider the problem of computing such an approximation and we propose to simulate the required partial execution in an abstract level. More precisely, we define an abstract finite category G ^a as an abstract game semantics for the SPC calculus, a dedicated calculus for security protocols. The abstract semantics is then used to build a decision procedure for secrecy correctness in security protocols.     

The optimal split method of large integer multiplication for smart low-end devices on P2P ubiquitous networks

This paper proposes an optimal method for large integer multiplication when implementing modern cryptographic applications on Peer-to-Peer ubiquitous networks. P2P ubiquitous networks are usually composed of smart low-end devices, which operate on the limited battery power. To maximize the lifetime of P2P networks, the power consumption rate of each node must be quite careful, and an efficient and energy-saving large integer multiplication makes the cryptographic protocols possible to be executed on such nodes. The proposed method first recursively bisections multiplier and multiplicand in threshold times. Subsequently, classical multiplication calculates the products of the split multiplier and multiplicand blocks. Finally, the products of the blocks are gradually integrated to obtain the product of the large integers. This study demonstrates that the n-times recursive-balanced-2-way split method, where n is the floor of log₂(0.13515?×?s), obtains the optimal performance in multiplying two s-words based on classical multiplication. The experiment results show that modular exponentiation combined with other modular multiplication methods uses 1.28×–2.10× the computational cost required in the proposed method. The energy consumption of software is closely related to the execution time. The proposed scheme is an energy-saving method to maximize the lifetime of P2P ubiquitous networks when implementing security protocols in smart low-end devices on P2P networks. It is suitable for realizing robust security protocol on smart low-end devices, in which the framework is based on modular exponentiation and modular multiplication. Smart low-end devices based on the proposed method perform security protocols in satisfying the security recommendations of NIST.     

基于Petri网的密码协议分析

在Federico提出的一种密码协议进程语言的基础上,建立了便于进行密码协议分析的简化Petri网模型,给出了协议满足秘密性的充要条件,并以NS公钥协议为例,用Petri网模型,结合归纳方法和串空间分析方法从密钥、新鲜数和协议主体三个方面的秘密性分析了该协议的秘密性,简化了协议秘密性的分析。     

Reducing Protocol Analysis with XOR to the XOR-Free Case in the Horn Theory Based Approach

In the Horn theory based approach for cryptographic protocol analysis, cryptographic protocols and (Dolev?CYao) intruders are modeled by Horn theories and security analysis boils down to solving the derivation problem for Horn theories. This approach and the tools based on this approach, including ProVerif, have been very successful in the automatic analysis of cryptographic protocols. However, dealing with the algebraic properties of operators, such as the exclusive OR (XOR), which are frequently used in cryptographic protocols has been problematic. In particular, ProVerif cannot deal with XOR. In this paper, we show how to reduce the derivation problem for Horn theories with XOR to the XOR-free case. Our reduction works for an expressive class of Horn theories. A large class of intruder capabilities and protocols that employ the XOR operator can be modeled by these theories. Our reduction allows us to carry out protocol analysis using tools, such as ProVerif, that cannot deal with XOR, but are very efficient in the XOR-free case. We implemented our reduction and, in combination with ProVerif, used it for the fully automatic analysis of several protocols that employ the XOR operator. Among others, our analysis revealed a new attack on an IBM security module.     

Unification Modulo Homomorphic Encryption

Encryption ‘distributing over pairs’ is a technique employed in several cryptographic protocols. We show that unification is decidable for an equational theory HE specifying such an encryption. The method consists in transforming any given problem in such a way, that the resulting problem can be solved by combining a graph-based reasoning on its equations involving the homomorphisms, with a syntactic reasoning on its pairings. We show HE-unification to be NP-hard and in EXPTIME. We also indicate, briefly, how to extend HE-unification to Cap unification modulo HE, that can be used as a tool for modeling and analyzing cryptographic protocols where encryption follows the ECB mode, i.e., is done block-wise on messages.     

On the analysis of time-aware protocols in universal composability framework

We consider the analysis of time-aware cryptographic protocols in the universal composability (UC) framework (Canetti in 2000). The tasks we consider are the timeliness of messages within an instance as well as the time of validity of cryptographic credentials where the lifetime of time stamps overlaps lots of instances. We point out that the UC analysis of time-aware protocols with global access to real time clock cannot be carried out directly within the standard model. For the resolution of the corresponding problem, we considered two ways: one is the introduction of an auxiliary timing oracle into the ideal system, while the other consists of two time models: a quantized real time source and an abstract “random-time” source, and we show an essential equivalence between them. The time models provide not only theoretical but also practical benefits.     

Security by typing

We present an approach for analyzing cryptographic protocols that are subject to attack from an active intruder who takes advantage of knowledge of the protocol rules. The approach uses a form of type system in which types are communication steps and typing constraints characterize all the messages available to the intruder. This reduces verification of authentication and secrecy properties to a typing problem in our type system. We present the typing rules, prove soundness of a type inference algorithm, and establish the correctness of the typing rules with respect to the protocol execution and intruder actions. The protocol specifications used in the approach can be automatically extracted from the conventional, informal cryptographic protocol notation commonly found in the literature. To validate the approach, we implement our algorithm in a tool called DYMNA, which is a practical and efficient environment for the specification and analysis of cryptographic protocols.