Interpretation of formal proof for Cryptographic Protocols into Computational Model
|
|
- April Simon
- 5 years ago
- Views:
Transcription
1 Interpretation of formal proof for Cryptographic Protocols into Computational Model Sanjay Kumar Sonkar 1, Darmendra Lal Gupta 2, Dr. Anil Kumar Malviya 3, Ganesh Chandra 4, Vinod Kumar Yadav 5 1,4,5 M. Tech. Student, Department of Computer Science & Engineering, Kamla Nehru Institute of Technology, Sultanpur, (U.P.) India 2 Assistant Professor, Department of Computer Science & Engineering, Kamla Nehru Institute of Technology, Sultanpur, (U.P.) India 3 Associate Professor, Department of Computer Science & Engineering, Kamla Nehru Institute of Technology, Sultanpur, (U.P.) India { 1 kumarsanjaysonkar@gmail.com, 2 dlgupta2002@gmail.com, 3 anilkmalviya@yahoo.com, 4 ganesh.iiscgate@gmail.com, 5 vinodrockcsit@gmail.com } Abstract Cryptography is the spinal cord for all security measures involved in computing field so a lot of emphasis is required to be given to make it strong enough to deal all the transition of the security industry. We present a general method to prove security properties of multiple cryptographic protocols in an execution model where clients exchange messages using multiple protocols against active adversaries. The method discussed here allows to interpret the logical formal proofs of cryptographic systems into their computational equivalent. The security properties are expressed in terms of logics, which are then interpreted in a computational setup. Also, we further show that if the statement is true for any symbolic execution then the corresponding computational interpretation is widely accepted in all forms. The messages between clients are expressed in syntax form and do not require dealing with asymptotic notations and probability distribution. This paper provides a basic framework and edifice for extending the protocol specification language with other cryptographic primitives. Keywords: Cryptographic protocols, Symbolic analysis, Protocol logic, formal methods for security protocols. I. Introduction Cryptographic protocols are fundamental tool in the design of secure distributed computing systems [3][4][7], but they are also extremely hard to design and validate. The difficulty of designing valid cryptographic protocols[1][5] stems mostly from the fact that security properties[2] should remain valid even when the protocol is executed in an unpredictable adversarial environment, where some of the clients (or an external entity) are maliciously attempting to make the protocol deviate from its prescribed behavior. Basically, Cryptographic protocols are coined in one of two ways: [9][11][15] A. Computational Model: The computational model consists of following models: Messages are considered as bit-strings[17]; The encryption operation[19] of message is a concrete arithmetic; Security is defined in terms of that a computationally bounded[20][23] adversary can only attack successfully with negligible probability; Analysis of security is done by reduction. B. Formal Model ( Dolev-Yao model ): The formal model comprises of: Abstracts cryptographic concepts into an algebra of symbolic messages[9][12]; Messages are considered as formal expressions; The encryption operation is only an abstract function; Security is modeled by formal formulas[14]; Analysis of security is done by formal reasoning. This paper is divided into six parts. Starting with introduction (Section-I), next section covers theoretical experiment (Section-II). Moving ahead analysis model (Section-III), related work has been described in (Section-IV) and finally conclusion & future work has been described in (Section-V & VI). II. Theoretical Experiment Example: A B: e = {xˋk}x k, mac(e, x mk ) xˋk fresh A sends to B a fresh key x k encrypted under authenticated encryption [22][23], implemented as encrypt-then-mac. x k should remain secret. Step 1: Initialization: A B: e = {xˋk}x k, mac(e, x mk ) xˋk fresh Q 0 = start(); new x r : keyseed; let x k : key= kgen(x r ) in new xˋr : mkeyseed; let x mk : mkey = mkgen(xˋr) in α(); (Q A Q B ) Initialization of keys: The process Q 0 waits for a message on channel start. The adversary triggers this process. 525
2 Q 0 generates encryption and MAC keys, x k and x mk [2][6] respectively, using the key generation algorithms kgen and mkgen. Q 0 returns control to the adversary by the output α(). Q A and Q B represent the actions of A and B. Step 2: a) Role of A: A B: e = {xˋk}x k, mac(e, x mk ) xˋk fresh Q A = β i n C A (); new xˋk : key; new x r :coins; Let xm : bitstring = enc(k2b(xˋk), x k, x r ) in C A <x m, mac(x m, x mk )> β i n represents n copies, indexes by i ϵ [1,n] The protocol can be run n times (polynomial in the security parameter [4]). The process is triggered when a message is sent on C A by the adversary. The process chooses a fresh key xˋk and sends the message on channel C A. We obtain a sequence of games G 0 G 1 G m, which implies G 0 G m. If some equivalence or trace property hold with overwhelming probability in G m, then it also hold with overwhelming probability in G 0. Step 5: Security definition [1][2][9]: A MAC scheme: (Randomized) key generation function mkgen. MAC function mac (m, k) takes as input a message m and a key k. Verification function verify(m, k, t) such that Verify (m, k, mac (m, k)) = true. A MAC guarantees the integrity and authenticity [26] of the message because only someone who knows the secret key can build the mac. More formally, an adversary A that has oracle access to mac and verify has a negligible probability to forge a MAC: b) Role of B: A B: e = {xˋk}x k, mac(e, x mk ) xˋk fresh Q B = β i n C B (xˋm : bitstring, x ma : macstring); if veriry (xˋm, x mk, x ma ) than let i (k2b(x k )) = dec (xˋm, x k ) in C B () n copies, as for Q A. The process Q B waits for the message on channel C B. It verifies the MAC, decrypts and stores the key in x k. Step 3: Indistinguishability as observational equivalence: Two processes Q1, Q2 are observationally equivalent where the adversary has a negligible probability of distinguishing them: Q 1 Q 2 In the formal definition, the adversary is represented by an acceptable evaluation context C:: = C Q & Q C new Channel c; C. Observation equivalence is an equivalence relation. It is contextual: Q 1 Q 2 implies C[Q] C[Q] where C is any acceptable evaluation context. Step 4: Proof Technique: We transform a Game G 0 into an observationally equivalent [27][28] on using: Observational equivalences: L R given as axioms and that come from security assumptions on primitives. These equivalences are used inside a context: G1 C[L] C[R] G2 Syntactic transformations: Simplification, expansion of assignments, max Pr[verify (m, k, t) k mkgen; (m, t) A mac (., k), verify(., k,.) ] A is negligible, when the adversary A has not called the mac oracle on message m. Step 6: Intuitive Implementation: By the previous definition, up to neglible probability, The adversary cannot forge a correct MAC. So when verifying a MAC with verify (m, k, t) and k mkgen is used only for generating and verifying MACs, the verification can succeed only if m is in the list (array) of message whose mac has been computed by the protocol. So we can replace a call to verify with an array lookup: If the call to mac is mac (x, k), we replace verify (m, k, t) with find j N such that defined (x[j]) (m = x[j]) verify (m, k, t) then true else false. Step 7: Formal implementation (1) [15]: Verify (m, mkgen(r), mac(m, mkgen(r))) = true β N new r : mkeyseed; (β N (x : bitstring) mac(x, mkgen(r)), β Nˋ(m : bitstring, t : macstring) verify(m, mkgen(r), t)) β N new r : mkeyseed; (β N (x : bitstring) mac(x, mkgen(r)), β Nˋ(m : bitstring, t : macstring) find j N such that defined(x[j]) (m = x[j]) verify(m, mkgen(r), t) then true else false. Formal implementation (2): Verify (m, mkgen(r), mac(m, mkgen(r))) = true β N new r : mkeyseed; (β N (x : bitstring) mac(x, mkgen(r)), β Nˋ(m : bitstring, t : macstring) verify(m, mkgen(r), t)) 526
3 β N new r : mkeyseed; (β N (x : bitstring) macˋ(x, mkgenˋ(r)), β Nˋ(m : bitstring, t : macstring) find j N such that defined(x[j]) (m = x[j]) verifyˋ(m, mkgenˋ(r), t) then true else false. The prover applies the previous rule automatically in any (polynomial-time) context, perhaps containing several occurrences of mac and verify following: prove the source of the message to a third party. A practical secure deniable authentication protocol should have the following properties: Completeness or authentication, strong deniability, weak deniability, security of forgery attack, security of impersonate attack, security of compromising session secret attack, security of man-in-the-middle attack. Each occurrence of mac is replaced with macˋ. Each occurrence of verify is replaced with a message key and find that looks in all arrays of computed MACs. Step 8: Proof of security properties: a. One-session secrecy: The adversary cannot distinguish any of the secretes from a random number with one test query. Criterion for proving one-session secrecy [19][21] of x: X is defined by new x[i] : T and there is a set of variables S such that only variables in S depend on x. The output messages and the control-flow do not depend on x. b. Secrecy: The adversary cannot distinguish the secrets from independent random numbers with several test queries. Criterion for proving secrecy of x: Same as one-session secrecy, plus x[i] and x[iˋ] do not come from the same copy of the same restriction when i iˋ. Step 9: Result: In most cases, the prover succeeds in proving the desired properties when they hold and obviously it always fails to prove them when they do not hold. Only cases in which the prover fails although the property holds: Needham-Schroeder [9][11] public-key when the exchanged key is the nonce N A. Needham-Schroeder shared-key: fails to prove that N B [i] N B [iˋ]-1 with overwhelming probability, where N B is a nonce. III. Analysis Model Deniable authentication protocols allow a Sender to authenticate a message for a receiver, in a way that the receiver cannot convince a third party that such authentication (or any authentication) ever took place. Deniable authentication has two characteristics that differ from traditional authentication: One is that only the intended receiver can authenticate the true source of a given message; the other is that the receiver cannot provide the evidences to Figure 1: Analysis model of deniable authentication protocols with Blanchet calculus Generally deniable authentication protocol includes three roles, Sender which is initiator, receiver which is responder and third party, represented by Sender, Receiver and Third party, respectively. We assume that Sender plays only on the role of the initiator; Receiver plays only the role of responder, Third party play only on the prover. The deniable authentication protocol consists of a sequence of messages exchanged between the Sender and the Receiver & the Receiver and Third party. In deniable authentication protocol Sender can authenticate a message for Receiver, in a way that they cannot Receiver convince a Third party that such authentication (or any authentication) ever took place. Deniable authentication protocol has two characteristics that differ from traditional authentication protocol. One is that only the intended Receiver can authenticate the true source of a given message. The other is that the Sender cannot provide the evidences to prove the source of the message to a third party at some condition and the Receiver can provide the evidences to prove the source of the message to a third party. The ability of adversary is defined in the previous section. It can control the channel SR between Sender and Receiver. It cannot control the channels: Channel ST and channel RT. At the same time the adversary is a probabilistic polynomial-time attacker. Strong deniability: The purpose of strong deniability is to protect the privacy of Sender. After execution of the deniable authentication protocol the Sender can deny to have ever authenticated anything to Receiver. If the prover (Receiver or the any other party) wants to prove that the Sender have authenticated messages to Receiver, they must provide all the relevant evidence. The Sender can provide his secret information to the Third party. A adversary model in strong deniability: we suppose that the Sender and the Receiver cooperate with the judge or the prover or the any other party 527
4 which means that the Sender and the Receiver provide all the transcripts of the message in the deniable authentication protocol to them. If DAP satisfies the condition one and four in: Inj-event (whole sender (Receiver, x)) = inj-event(whole Receiver (Sender, x) ) Inj-event (whole Thirdparty (Receiver, x)) = inj-event(whole Thirdparty (Sender, x) ) Definition DAP and DAP satisfies the correspondence and with public variables V = φ, then DAP is a secure deniable authentication protocol with session in a adversary model in strong deniability. In the above definition of DAP the injective correspondence can be instead by non-injective correspondence. Weak deniability: The purpose of weak deniability is to protect the privacy of Sender. After execution of the deniable authentication protocol the Receiver can prove to have spoken to Sender but not the content of what the Sender authenticated in a way that the Receiver cannot convince a third party. Deniable Authentication Protocol Security Properties Active Adversary Model Relating the Two Models: Meng & Shao Mechnized Model Automated Verification In order to prove any relationship between the formal and computational worlds, we need to define the interpretation of expressions [8] and patterns. Once an encryption scheme is depicted, we can define the interpretation function α, which assigns to each expression or pattern M a family of random variables {α η (M)} η N such that each α η (M) takes values in strings. For expressions: Blocks are interpreted as strings, Each key is interpreted by running the key generation algorithm, Pairs are translated into computational pairs, Formal encryptions terms are interpreted by running the encryption algorithm. Difference between Formal approach and Computational approach [15]: Formal approach Computational approach Message Terms Bits-strings Encryption Idealized Algorithm Adversary Idealized Any polynomial algorithm Secrecy Reach ability-based Indistingability property property Guarantees Unclear Strong Proof Automatic By hand and errorprone Balnchet Calculus Computational Model Crypto Verification Figure 2: Model of automatic verification of deniable authentication protocols If the Receiver want to prove that the Sender have authenticated messages to Receiver, he must provide the evidence related to the thing. An adversary model in weak deniability: When discussing the weak deniability, in addition the adversary has the ability in previous section; we always suppose that only the Receiver generates the evidence that the Sender have authenticated messages to Receiver. Receiver cannot get the secret information of the Sender, for example the private key of Sender. Receiver can provide his secret information to the Third party. If DAP satisfies the condition one in definition DAP and DAP satisfies the correspondence: Inj-event (whole sender (Receiver, x)) = inj-event(whole Receiver (Sender, x) ) Inj-event (whole Thirdparty (Receiver, x)) = inj-event(whole Thirdparty (Sender, x) ) and with public variables V = φ, then DAP is a secure deniable authentication protocol with session functions in a adversary model in weak deniability. In the above definition of DAP the injective correspondence can be instead by noninjective correspondence. Our Contribution: The primary contribution of this paper is that it tried to bring about various concepts which are requisite for concrete development in proofs of cryptography protocols and remove the bottleneck reason for its failure. In particular, we define the equivalence between formal messages in the presence of both key cycles and secret shares, and then prove the computational soundness [13][16] about formal encryption in this setting. 1. First computational analysis of an industrial protocol: Consider authentication[29] and secrecy properties[26], Analyzed Basic Kerberos 5 and public-key Kerberos[22], Kerberos is complex (e.g. PKINIT uses both public-key and symmetric). Cryptographic primitives (Encryption, Signatures, MACs). 2. Proofs were carried out symbolically in the BPW model: Proofs in Dolev-Yao style model are cryptographically sound, Proofs can be automated. 528
5 IV. Related Work Early work on linking Dolev-Yao models and cryptography only considered passive attacks, and therefore cannot make general statements about protocols. A Cryptographic justification for a Dolev-Yao model in the sense of under active attacks and within arbitrary surrounding interactive protocols [29][30]. Diminishing the distance between the computational and logic treatment of Cryptography has been the subject of many recent research efforts. The works which are more closely related to our paper, which present a simple logic for reasoning about the security protocols written in a language similar to ours, but only for the case of passive adversaries. Other approaches to bridging the logic and computational models of cryptography have also been considered in the literature, but they all seem considerably more complex. The notions of probability, polynomial bounded computation, and computational in distinguish ability are incorporated in a process calculus, and security is defined in terms of observational equivalence on processes. Work is in progress regarding formulation of mathematical model for syntactic approach dealing with probability and polynomial-time [14] considerations and encoding them into proof tools, in particular. This is equivalent to the work of justifying Dolev-Yao models, which offer a higher level of abstractions and thus much simpler proofs where applicable, so that proofs of larger systems can be automated. V. Conclusion On the macroscopic view, we come across the various security measures involved in security protocol proofs. This paper properly deals with all the computational technique which can overcome all the day by day new developments in cryptographic field. This paper reflects logical formal proofs of security protocols into the computational model. The formal proofs are easy with respect to computational model as we don t have to consider the probabilistic distribution and asymptotic notations. The security properties are expressed in terms simple logic based language using syntactic expressions and are then interpreted in a computational setup. Also these formal proof are sound as any active adversaries can extract information from messages if the statement hold true for any symbolic execution. Therefore, we need such a framework for the interpretation of formal proof into cryptographic system so as to develop more and more secure communication systems. VI. Future Work 1. Considering execution models in which we can extend instances not of a single but of a set of protocols if they are developed in future. 2. Developing a more general execution model involving reactive clients. 3. Generalize our abstract definition of security notions to capture secrecy properties. 4. Augmenting the BPW model with tailored protocol logics to further simplify modular reasoning. 5. Understanding the relation of correctness proofs of (commercial) protocols in MSR and in the BPW model. VII. References [1] E. S. Cohen, Information transmission in computational systems, ACM SIGOPS Operating Systems Review, vol. 11, no. 5, pp , [2] J. McLean, Security models and information flow, in Proc. IEEE Symp. on Security and Privacy, May 1990, pp [3] Focardi and R. Gorrieri, A classification of security properties for process algebras, J. Computer Security, vol. 3, no. 1, pp. 5 33, [4] D. Song. An automatic checker for security protocol analysis. In 12th IEEE Computer Security Foundations Workshop, June [5] D. Kozen, Language-based security, in Proc. Mathematical Foundations of Computer Science. Sept. 1999, vol of LNCS, pp , Springer-Verlag. [6] Aldini, Probabilistic information flow in process algebra, in Proc. CONCUR 01. Aug. 2001, vol of LNCS, pp , Springer-Verlag. [7] Michele Boreale. Symbolic trace analysis of cryptographic protocols. In 28th Colloquium on Automata, Languages and Programming (ICALP), LNCS. Springer, July [8] M. Zanotti, Security typings by abstract interpretation, in Proc.Symposium on Static Analysis. Sept. 2002, vol of LNCS, pp , Springer-Verlag. [9] M. Backes and B. Pfitzmann. A cryptographically sound security proof of the Needham-Schroeder- Lowe public-key protocol. Available as Cryptology eprint Archive, Report 2003/121. [10] M. Backes, B. Pfitzmann, and M. Waidner. A universally composable cryptographic library. Available as Cryptology eprint Archive, Report 2003/015. [11] M. Backes and B. Pfitzmann. Symmetric Encryption in a simulatable Dolev-Yao style cryptographic library. In Proceedings of the 17th Computer Security Foundations Workshop, pages 204{218. IEEE Computer Society, June [12] Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov, and Christopher Walstad. Specifying Kerberos 5 Cross-Realm Authentication. In Proc. WITS 05, pages ACM Digital Lib., [13] V`eronique Cortier and Bogdan Warinschi. Computationally sound, automated proofs for security protocols. In Proc. 14th European 529
6 Symposium on Programming (ESOP), pages , [14] Anupam Datta, Ante Derek, John Mitchell, Vitalij Shmatikov, and Matthieu Turuani. Probabilistic polynomial-time semantics for protocol security logic. In Proc. 32nd International Colloquium on Automata, Languages and Programming (ICALP), volume 3580 of Lecture Notes in Computer Science, pages Springer, [15] Laud, P. Formal analysis of crypto protocols: Secrecy types for a simulatable cryptographic library. In Proc. ACM Conf. on Computer and Communication Security (ACM CCS 2005) (2005), ACM Press, pp &org=11 [16] C. He and J. C. Mitchell. Security Analysis and Improvements for IEEE i. In Proceedings of the 11th Annual Network and Distributed System Security Symposium (NDSS 05), February [17] Ran Canetti and Jonathan Herzog. Universally composable symbolic analysis of cryptographic protocols (the case of encryption-based mutual authentication and key exchange). In Proc. 3rd Theory of Cryptography Conference (TCC), [18] Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov, Joe-Kai Tsay, and Chris Walstad. Breaking and fixing public-key Kerberos. In Proc. WITS 06, pages 55 70, [19] Anupam Datta, Ante Derek, John Mitchell, and Bogdan Warinschi. Key exchange protocols: Security definition, proof method, and applications. In 19th IEEE Computer Security Foundations Workshop (CSFW 19), Venice, Italy, IEEE Press. [20] Tsudik, G. YA-TRAP: Yet another trivial RFID authentication protocol. In Proc. IEEE Intern. Conf. on Pervasive Computing and Communications (PerCom 2006) (2006), IEEE Press. [21] Oren, Y., and Shamir, A. Power analysis of RFID tags. Appeared in the rump session of Advances in Cryptology, CRYPTO Available online at Weizmann Institute, [22] Burmester, M., van Le, T., and de Medeiros, B. Provably secure ubiquitous systems: Universally composable RFID authentication protocols. E-print report 2006/131, International Association for Cryptological Research, [23] IETF. Public Key Cryptography for Initial Authentication in Kerberos, Sequence of Internet drafts available from [24] F. Wang and Y. Zhang, A new provably secure authentication and key agreement mechanism for SIP using certificateless public-key cryptography, Cryptology eprint Archive, Report 2007/220, [25] Tarjei K. Mandt and Chik How Tan, Certificateless authenticated two-party key agreement protocol, ASIAN 2006, LNCS 4435, pp.37-44, [26] Y. Sun, F. Zhang, and J. Baek, Strongly Secure Certificate less Public Key Encryption without Pairing, CANS 2007, LNCS 4856, pp , [27] X. Liang, SH. Wang, J. Shen and G. Xu, Breaking and Repairing the Certificate less key agreement protocol from ASIAN 2006, Wuhan University Journal of Natural Sciences,vol. 13, no. 5, pp , [28] Dario Fiore and Rosario Gennaro, Making the Diffie-Hellman Protocol Identity-Based, [29] Georg Lippold, Colin Boyd and Juan Gonzalez Nieto, Strongly Secure Certificate less Key Agreement, [30] Cas J.F. Cremers, Formally and Practically Relating the CK, CK-HMQV, and eck Security Models for Authenticated Key Exchange, Bibliographies: Sanjay Kumar Sonkar was born at Varanasi, (U.P.), in India. He received the B. Tech degree in Computer Science & Engineering in 2010 from Radha Govind Engineering College, Meerut, India. Presently, he is an M.Tech student in Computer Science & Engineering from Kamla Nehru Institute of Technology, Sultanpur, U.P., India. Dharmendra Lal Gupta is currently working as an Assistant Professor in the Department of Computer Science & Engineering at KNIT, Sultanpur (U.P.) India. And he is also pursuing his Ph.D. in Computer Science & Engineering from Mewar University, Chittorgarh (Rajasthan). He received B.Tech.(1999) from Kamla Nehru Institute of Technology (KNIT) Sultanpur, in Computer Science & Engineering, M.Tech. Hon s (2003) in Digital Electronics and Systems from Kamla Nehru Institute of Technology (KNIT) Sultanpur. His research interests are Cryptography and Network Security, Software Quality Engineering, and Software Engineering. Dr. Anil Kumar Malviya is an Associate Professor in the Computer Science & Engineeering. Department at Kamla Nehru Institute of Technology, (KNIT), Sultanpur. He received his B.Sc. & M.Sc. both in Computer Science from Banaras Hindu University, Varanasi respectively in 1991 and 1993 and Ph.D. degree in Computer Science from 530
7 Dr. B.R. Ambedkar University; Agra in 2006.He is Life Member of CSI, India. He has published about 31papers in International/National Journals, conferences and seminars. His research interests are Data mining, Software Engineering, Cryptography & Network Security. Ganesh Chandra was born at Kanpur, India. He received the B. Tech. Degree in Computer Science and Engineering in 2009 from Dr. Ambedkar Institute of Technology for Handicapped, Kanpur, India. He is currently pursuing M. Tech in Computer Science and Engineering from Kamla Nehru Institute of Technology, Sultanpur, U.P, India. Vinod Kumar Yadav was born in Jaunpur, India. He received the B.Tech. Degree in Computer Science and Information Technology in 2008 from I.E.T., M.J.P. Rohilkhand University Bareilly, India. He is currently pursuing M.Tech in Computer Science and Engineering from Kamla Nehru Institute of Technology, Sultanpur, U.P., India. 531
Cryptographically Sound Security Proofs for Basic and Public-key Kerberos
Cryptographically Sound Security Proofs for Basic and Public-key Kerberos ESORICS 2006 M. Backes 1, I. Cervesato 2, A. D. Jaggard 3, A. Scedrov 4, and J.-K. Tsay 4 1 Saarland University, 2 Carnegie Mellon
More informationComputationally Sound Mechanized Proof of PKINIT for Kerberos
Computationally Sound Mechanized Proof of PKINIT for Kerberos B. Blanchet 1, A. D. Jaggard 2, J. Rao 3, A. Scedrov 3, J.-K. Tsay 4 Protocol exchange Meeting 02 October 2008 1 ENS 2 Rutgers University 3
More informationAutomated Security Proofs with Sequences of Games
Automated Security Proofs with Sequences of Games Bruno Blanchet and David Pointcheval CNRS, Département d Informatique, École Normale Supérieure October 2006 Proofs of cryptographic protocols There are
More informationFormal Methods and Cryptography
Formal Methods and Cryptography Michael Backes 1, Birgit Pfitzmann 2, and Michael Waidner 3 1 Saarland University, Saarbrücken, Germany, backes@cs.uni-sb.de 2 IBM Research, Rueschlikon, Switzerland, bpf@zurich.ibm.com
More informationRefining Computationally Sound Mech. Proofs for Kerberos
Refining Computationally Sound Mechanized Proofs for Kerberos Bruno Blanchet Aaron D. Jaggard Jesse Rao Andre Scedrov Joe-Kai Tsay 07 October 2009 Protocol exchange Meeting Partially supported by ANR,
More informationInductive Trace Properties for Computational Security
Inductive Trace Properties for Computational Security Arnab Roy, Anupam Datta, Ante Derek, John C. Mitchell Department of Computer Science, Stanford University Abstract. Protocol authentication properties
More informationModelling the Security of Key Exchange
Modelling the Security of Key Exchange Colin Boyd including joint work with Janaka Alawatugoda, Juan Gonzalez Nieto Department of Telematics, NTNU Workshop on Tools and Techniques for Security Analysis
More informationTwo Formal Views of Authenticated Group Diffie-Hellman Key Exchange
Two Formal Views of Authenticated Group Diffie-Hellman Key Exchange E. Bresson 1, O. Chevassut 2,3, O. Pereira 2, D. Pointcheval 1 and J.-J. Quisquater 2 1 Ecole Normale Supérieure, 75230 Paris Cedex 05,
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationUsing CryptoVerif Proof technique Encrypt-then-MAC FDH Conclusion. CryptoVerif. Bruno Blanchet. INRIA Paris-Rocquencourt
CryptoVerif Bruno Blanchet INRIA Paris-Rocquencourt bruno.blanchet@inria.fr November 2014 Bruno Blanchet (INRIA) CryptoVerif November 2014 1 / 78 Input and output of the tool 1 Prepare the input file containing
More informationBreaking and Fixing Public-Key Kerberos
Breaking and Fixing Public-Key Kerberos Iliano Cervesato Carnegie Mellon University - Qatar iliano@cmu.edu Joint work with Andre Scedrov, Aaron Jaggard, Joe-Kai Tsay, Christopher Walstad ASIAN 06 December
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationBreaking and Fixing Public-Key Kerberos
Breaking and Fixing Public-Key Kerberos Iliano Cervesato Carnegie Mellon University - Qatar iliano@cmu.edu Joint work with Andre Scedrov, Aaron Jaggard, Joe-Kai Tsay, Christopher Walstad Qatar University
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationResearch Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.
Research Statement Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il www.cs.biu.ac.il/ lindell July 11, 2005 The main focus of my research is the theoretical foundations
More informationOn the Security of a Certificateless Public-Key Encryption
On the Security of a Certificateless Public-Key Encryption Zhenfeng Zhang, Dengguo Feng State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, Beijing 100080,
More informationFormal Methods for Assuring Security of Computer Networks
for Assuring of Computer Networks May 8, 2012 Outline Testing 1 Testing 2 Tools for formal methods Model based software development 3 Principals of security Key security properties Assessing security protocols
More informationSecurity properties of two authenticated conference key agreement protocols
Security properties of two authenticated conference key agreement protocols Qiang Tang and Chris J. Mitchell Information Security Group Royal Holloway, University of London Egham, Surrey TW20 0EX, UK {qiang.tang,
More informationComputational Soundness of Symbolic Zero Knowledge Proofs
Computational Soundness of Symbolic Zero Knowledge Proofs Esfandiar Mohammadi Master Seminar Information Security and Cryptography Group Max-Planck Institute for Software Systems Saarland University Advisors:
More informationOutline More Security Protocols CS 239 Computer Security February 4, 2004
Outline More Security Protocols CS 239 Computer Security February 4, 2004 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationA compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems.
A compact Aggregate key Cryptosystem for Data Sharing in Cloud Storage systems. G Swetha M.Tech Student Dr.N.Chandra Sekhar Reddy Professor & HoD U V N Rajesh Assistant Professor Abstract Cryptography
More informationOutline More Security Protocols CS 239 Computer Security February 6, 2006
Outline More Security Protocols CS 239 Computer Security February 6, 2006 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationA Remote Biometric Authentication Protocol for Online Banking
International Journal of Electrical Energy, Vol. 1, No. 4, December 2013 A Remote Biometric Authentication Protocol for Online Banking Anongporn Salaiwarakul Department of Computer Science and Information
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationLow-level Ideal Signatures and General Integrity Idealization
RZ 3511 (# 99529) 11/10/03 Computer Science 14 pages Research Report Low-level Ideal Signatures and General Integrity Idealization Michael Backes, Birgit Pfitzmann and Michael Waidner IBM Research Zurich
More informationGroup Key Establishment Protocols
Group Key Establishment Protocols Ruxandra F. Olimid EBSIS Summer School on Distributed Event Based Systems and Related Topics 2016 July 14, 2016 Sinaia, Romania Outline 1. Context and Motivation 2. Classifications
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationDesign and Analysis of Protocols The Spyce Way
FY2001 ONR CIP/SW URI Software Quality and Infrastructure Protection for Diffuse Computing Design and Analysis of Protocols The Spyce Way Speaker: Joe Halpern (Cornell) Smart devices diffuse into the environment.
More informationApplied Cryptography and Computer Security CSE 664 Spring 2017
Applied Cryptography and Computer Security Lecture 18: Key Distribution and Agreement Department of Computer Science and Engineering University at Buffalo 1 Key Distribution Mechanisms Secret-key encryption
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationOutline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange
Outline More Security Protocols CS 239 Security for System Software April 22, 2002 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and
More informationEfficient Compilers for Authenticated Group Key Exchange
Efficient Compilers for Authenticated Group Key Exchange Qiang Tang and Chris J. Mitchell Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, UK {qiang.tang, c.mitchell}@rhul.ac.uk
More informationPlaintext Awareness via Key Registration
Plaintext Awareness via Key Registration Jonathan Herzog CIS, TOC, CSAIL, MIT Plaintext Awareness via Key Registration p.1/38 Context of this work Originates from work on Dolev-Yao (DY) model Symbolic
More informationInductive Proofs of Computational Secrecy
Inductive Proofs of Computational Secrecy Arnab Roy 1, Anupam Datta 2, Ante Derek 1, John C. Mitchell 1 1 Stanford University, Stanford, CA {arnab, aderek, mitchell}@cs.stanford.edu 2 Carnegie Mellon University,
More information(In)security of ecient tree-based group key agreement using bilinear map
Loughborough University Institutional Repository (In)security of ecient tree-based group key agreement using bilinear map This item was submitted to Loughborough University's Institutional Repository by
More informationA Limitation of BAN Logic Analysis on a Man-in-the-middle Attack
ISS 1746-7659, England, U Journal of Information and Computing Science Vol. 1, o. 3, 2006, pp. 131-138 Limitation of Logic nalysis on a Man-in-the-middle ttack + Shiping Yang, Xiang Li Computer Software
More informationCS 395T. JFK Protocol in Applied Pi Calculus
CS 395T JFK Protocol in Applied Pi Calculus Proving Security Real protocol Process-calculus specification of the actual protocol Ideal protocol Achieves the same goal as the real protocol, but is secure
More informationA modified eck model with stronger security for tripartite authenticated key exchange
A modified eck model with stronger security for tripartite authenticated key exchange Qingfeng Cheng, Chuangui Ma, Fushan Wei Zhengzhou Information Science and Technology Institute, Zhengzhou, 450002,
More informationCryptanalysis on Two Certificateless Signature Schemes
Int. J. of Computers, Communications & Control, ISSN 1841-9836, E-ISSN 1841-9844 Vol. V (2010), No. 4, pp. 586-591 Cryptanalysis on Two Certificateless Signature Schemes F. Zhang, S. Li, S. Miao, Y. Mu,
More informationMechanizing Game-Based Proofs of Security Protocols: The Tool CryptoVerif
Mechanizing Game-Based Proofs of Security Protocols: The Tool CryptoVerif Bruno Blanchet INRIA Paris Bruno.Blanchet@inria.fr Year 2018-19 Bruno Blanchet (INRIA) CryptoVerif Year 2018-19 1 / 88 Outline
More informationCryptographic protocols
Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital
More informationExclusion-Freeness in Multi-party Exchange Protocols
Exclusion-Freeness in Multi-party Exchange Protocols Nicolás González-Deleito and Olivier Markowitch Université Libre de Bruxelles Bd. du Triomphe CP212 1050 Bruxelles Belgium {ngonzale,omarkow}@ulb.ac.be
More informationSEMINAR REPORT ON BAN LOGIC
SEMINAR REPORT ON BAN LOGIC Submitted by Name : Abhijeet Chatarjee Roll No.: 14IT60R11 SCHOOL OF INFORMATION TECHNOLOGY INDIAN INSTITUTE OF TECHNOLOGY, KHARAGPUR-721302 (INDIA) Abstract: Authentication
More informationLecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight
More informationLecture 8 - Message Authentication Codes
Lecture 8 - Message Authentication Codes Benny Applebaum, Boaz Barak October 12, 2007 Data integrity Until now we ve only been interested in protecting secrecy of data. However, in many cases what we care
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationA Cryptographically Sound Security Proof of the Needham-Schroeder-Lowe Public-Key Protocol
A Cryptographically Sound Security Proof of the Needham-Schroeder-Lowe Public-Key Protocol Michael Backes and Birgit Pfitzmann IBM Zurich Research Lab {mbc,bpf}@zurich.ibm.com Abstract. We prove the Needham-Schroeder-Lowe
More informationSecure Reactive Systems, Day 3: Reactive Simulatability Property Preservation and Crypto. Examples
Michael Backes, Germany joint work with Birgit Pfitzmann and Michael Waidner Secure Reactive Systems, Day 3: Reactive Simulatability Property Preservation and Crypto. Examples Tartu, 03/01/06 Recall the
More informationPassword-Based Encryption Analyzed
Password-Based Encryption Analyzed Martín Abadi and Bogdan Warinschi Computer Science Department, University of California, Santa Cruz Computer Science Department, Stanford University Abstract. The use
More informationAn Enhanced Certificateless Authenticated Key Agreement Protocol
An Enhanced Certificateless Authenticated Key Agreement Protocol Razieh Mokhtarnameh, Sin Ban Ho, Nithiapidary Muthuvelu Faculty of Information Technology, Multimedia University, 63100, Cyberjaya, Malaysia
More informationT Cryptography and Data Security
T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use
More informationIND-CCA2 secure cryptosystems, Dan Bogdanov
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results
More informationAuthenticated Key Agreement without Subgroup Element Verification
Authenticated Key Agreement without Subgroup Element Verification Taekyoung Kwon Sejong University, Seoul 143-747, Korea E-mail: tkwon@sejong.ac.kr Abstract. In this paper, we rethink the security of authenticated
More informationCombined CPV-TLV Security Protocol Verifier
Combined CPV-TLV Security Protocol Verifier by Ariel Cohen Thesis submitted in partial fulfillment of the requirements for the degree of Master of Science Department of Computer Science Courant Institute
More informationOn the security of a certificateless signature scheme in the standard model
On the security of a certificateless signature scheme in the standard model Lin Cheng, Qiaoyan Wen, Zhengping Jin, Hua Zhang State Key Laboratory of Networking and Switch Technology, Beijing University
More informationBAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]
Logic of Authentication 1. BAN Logic Ravi Sandhu BAN Logic BAN is a logic of belief. In an analysis, the protocol is first idealized into messages containing assertions, then assumptions are stated, and
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationStateful Key Encapsulation Mechanism
Stateful Key Encapsulation Mechanism Peng Yang, 1 Rui Zhang, 2 Kanta Matsuura 1 and Hideki Imai 2 The concept of stateful encryption was introduced to reduce computation cost of conventional public key
More informationDistributed ID-based Signature Using Tamper-Resistant Module
, pp.13-18 http://dx.doi.org/10.14257/astl.2013.29.03 Distributed ID-based Signature Using Tamper-Resistant Module Shinsaku Kiyomoto, Tsukasa Ishiguro, and Yutaka Miyake KDDI R & D Laboratories Inc., 2-1-15,
More informationZero-Knowledge Proof and Authentication Protocols
Zero-Knowledge Proof and Authentication Protocols Ben Lipton April 26, 2016 Outline Background Zero-Knowledge Proofs Zero-Knowledge Authentication History Example Protocols Guillou-Quisquater Non-zero-knowledge
More informationA Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security. T. Shrimpton October 18, 2004
A Characterization of Authenticated-Encryption as a Form of Chosen-Ciphertext Security T. Shrimpton October 18, 2004 Abstract In this note we introduce a variation of the standard definition of chosen-ciphertext
More informationBrief Introduction to Provable Security
Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of
More informationDirect Anonymous Attestation
Direct Anonymous Attestation Revisited Jan Camenisch IBM Research Zurich Joint work with Ernie Brickell, Liqun Chen, Manu Drivers, Anja Lehmann. jca@zurich.ibm.com, @JanCamenisch, ibm.biz/jancamenisch
More informationCrypto Background & Concepts SGX Software Attestation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
More informationLecture 14 Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze. 1 A Note on Adaptively-Secure NIZK. 2 The Random Oracle Model
CMSC 858K Advanced Topics in Cryptography March 11, 2004 Lecturer: Jonathan Katz Lecture 14 Scribe(s): Alvaro A. Cardenas Kavitha Swaminatha Nicholas Sze 1 A Note on Adaptively-Secure NIZK A close look
More informationInductive Trace Properties for Computational Security
Inductive Trace Properties for Computational Security Arnab Roy, Anupam Datta, Ante Derek, John C. Mitchell Abstract Protocol authentication properties are generally trace-based, meaning that authentication
More informationA Ring Signature Scheme with Strong Designated Verifiers to Provide Signer Anonymity
A Ring Signature Scheme with Strong Designated Verifiers to Provide Signer Anonymity Shin-Jia Hwang Department of Computer Science and Information Engineering,Tamkang University, Tamsui, Taipei Hsien,
More informationKey Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature
Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper
More informationIdentification Schemes
Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):
More informationModule: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign
More information2 Secure Communication in Private Key Setting
CSA E0 235: Cryptography January 11, 2016 Instructor: Arpita Patra Scribe for Lecture 2 Submitted by: Jayam Modi 1 Discrete Probability Background Probability Distribution -A probability distribution over
More informationA Novel Identity-based Group Signature Scheme from Bilinear Maps
MM Research Preprints, 250 255 MMRC, AMSS, Academia, Sinica, Beijing No. 22, December 2003 A Novel Identity-based Group Signature Scheme from Bilinear Maps Zuo-Wen Tan, Zhuo-Jun Liu 1) Abstract. We propose
More informationVerifiably Encrypted Signature Scheme with Threshold Adjudication
Verifiably Encrypted Signature Scheme with Threshold Adjudication M. Choudary Gorantla and Ashutosh Saxena Institute for Development and Research in Banking Technology Road No. 1, Castle Hills, Masab Tank,
More informationFrom CryptoVerif Specifications to Computationally Secure Implementations of Protocols
From CryptoVerif Specifications to Computationally Secure Implementations of Protocols Bruno Blanchet and David Cadé INRIA, École Normale Supérieure, CNRS, Paris April 2012 Bruno Blanchet and David Cadé
More informationProtocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh
Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols
More informationCS 494/594 Computer and Network Security
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Real-Time Communication Security Network layers
More informationDesign of an Efficient Security Protocol Analyzer
74 IJCSNS International Journal of Computer Science and Network Security, VOL.7 No.6, June 2007 Design of an Efficient Security Protocol Analyzer Shinsaku KIYOMOTO, Haruki OTA, and Toshiaki TANAKA KDDI
More information1 Defining Message authentication
ISA 562: Information Security, Theory and Practice Lecture 3 1 Defining Message authentication 1.1 Defining MAC schemes In the last lecture we saw that, even if our data is encrypted, a clever adversary
More informationThe Modified Scheme is still vulnerable to. the parallel Session Attack
1 The Modified Scheme is still vulnerable to the parallel Session Attack Manoj Kumar Department of Mathematics, Rashtriya Kishan (P.G.) College Shamli- Muzaffarnagar-247776 yamu_balyan@yahoo.co.in Abstract
More informationSecurity Protocol Verification: Symbolic and Computational Models
Security Protocol Verification: Symbolic and Computational Models Bruno Blanchet INRIA, École Normale Supérieure, CNRS Bruno.Blanchet@ens.fr March 2012 Bruno Blanchet (INRIA, ENS, CNRS) ETAPS March 2012
More informationUniversal composability for designing and analyzing cryptoprotocols
Universal composability for designing and analyzing cryptoprotocols István Vajda vajda@hit.bme.hu UC for cryptoprotocols 1 Agenda Brief overview of universal composability Example analysis of a secure
More informationSecurity Analysis of the Authentication Modules of Chinese WLAN Standard and Its Implementation Plan*
Security Analysis of the Authentication Modules of Chinese WLAN Standard and Its Implementation Plan* Xinghua Li 1,2, Jianfeng Ma 1, and SangJae Moon 2 1 Key Laboratory of Computer Networks and Information
More informationExtended Diffie-Hellman Technique to Generate Multiple Shared Keys at a Time with Reduced KEOs and its Polynomial Time Complexity
ISSN (Online): 1694-0784 ISSN (Print): 1694-0814 Extended Diffie-Hellman Technique to Generate Multiple Shared Keys at a Time with Reduced KEOs and its Polynomial Time Complexity 26 Nistala V.E.S. Murthy
More informationIntroduction to Security Reduction
springer.com Computer Science : Data Structures, Cryptology and Information Theory Springer 1st edition Printed book Hardcover Printed book Hardcover ISBN 978-3-319-93048-0 Ca. $ 109,00 Planned Discount
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 1: Overview What is Cryptography? Cryptography is the study of
More informationSpecifying Kerberos 5 Cross-Realm Authentication
Specifying Kerberos 5 Cross-Realm Authentication Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov, and Chris Walstad Supported by ONR, NSF, NRL Outline Introduction Kerberos 5 Formalization Properties
More informationHash Proof Systems and Password Protocols
Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale supe rieure/psl & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA
More informationA New Symmetric Key Algorithm for Modern Cryptography Rupesh Kumar 1 Sanjay Patel 2 Purushottam Patel 3 Rakesh Patel 4
IJSRD - International Journal for Scientific Research & Development Vol. 2, Issue 08, 2014 ISSN (online): 2321-0613 A New Symmetric Key Algorithm for Modern Cryptography Rupesh Kumar 1 Sanjay Patel 2 Purushottam
More informationKey Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2. Cas Cremers, ETH Zurich
Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich Overview What is IKE? Internet Key Exchange, part of IPsec Formal analysis of IKE Previously considered infeasible
More informationImprovement of Camenisch-Neven-Shelat Oblivious Transfer Scheme
Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme Zhengjun Cao and Hanyue Cao Department of Mathematics, Shanghai University, Shanghai, China caozhj@shu.edu.cn Abstract. In 2007, Camenisch,
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationFine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing
wwwijcsiorg 10 Fine-Grained Data Sharing Supporting Attribute Extension in Cloud Computing Yinghui Zhang 12 1 National Engineering Laboratory for Wireless Security Xi'an University of Posts and Telecommunications
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics
More informationA Framework for Universally Composable Diffie-Hellman Key Exchange
A Framework for Universally Composable Diffie-Hellman Key Exchange Ralf Küsters and Daniel Rausch University of Stuttgart Stuttgart, Germany Email: {ralf.kuesters, daniel.rausch}@informatik.uni-stuttgart.de
More informationIdeal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012
Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Not fragile Works when attacker tries
More informationThe Scyther Tool: Verification, Falsification, and Analysis of Security Protocols
The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols Tool Paper Cas J.F. Cremers Department of Computer Science, ETH Zurich, 8092 Zurich, Switzerland cas.cremers@inf.ethz.ch
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationSecurity Protocol Verification: Symbolic and Computational Models
Security Protocol Verification: Symbolic and Computational Models INRIA, Bruno Blanchet École Normale Supérieure, CNRS, Paris blanchet@di.ens.fr Abstract. Security protocol verification has been a very
More information