Structure Attacks in Cryptographic Protocols

Mahlburg, Karl

01 May 2001

Cryptographic protocols are in general difficult to analyze, and complicated attacks exposing security flaws have remained hidden years after a protocol is developed. Recently developed tools such as strand spaces and inductive logical proofs provide mechanical procedures for analyzing protocols. The key to these methods is that a generous upper bound on the activity of a malicious penetrator is often much easier to work with than a tighter bound. However, these formalizations make strong assumptions about the algebraic structure of the cryptosystem that are never met in a real application. In this work, we show that an extended form of the strand space machinery can be used to analyze protocols which contain nontrivial algebraic structure, specifically that which arises from the XOR operation. This work also serves as one of the first steps in reconciling computational and formal methods of analyzing cryptographic security.

Structured Attacks

Cryptographic Protocols

malicious penetrator

Modelling and Security Analysis of Authenticated Group Key Agreement Protocols

Pereira, Olivier

16 May 2003

<p>Authenticated Group Key Agreement Protocols are protocols allowing a group of principals to contributively generate a key by the exchange of messages on a network possibly controlled by an attacker. Furthermore, their execution also guarantees all group members that the key they obtained can only be known by the other intended protocol participants. These protocols can be exploited in many applications such as audio or videoconferencing, replicated servers (such as database, web, time servers), chat or network games for instance.</p> <p>AGKAP's present several particularities that make them interesting case studies for research in the theory of security. At first, the consideration of the number of protocol participants as a parameter raises several complexity problems that are not present in the classical two or three-party frameworks. Furthermore, up to now, the security properties of group protocols have roughly been considered as direct extensions of two-party properties, what does not capture several plausible attack scenarios. A second interesting aspect of the analysis of AGKAP's is the consideration of Diffie-Hellman-type primitives, that present properties out of the scope of most classical models.</p> <p>We started our study with the construction of a simple model for the analysis of a classical family of protocols: the Cliques AGKAP's. This allowed us to discover several attacks and define different flavors of group security properties. We then tried to fix these protocols, what led us to extend our model in order to prove that it is in fact impossible to build a secure AGKAP based on the same design assumptions as the Cliques protocols. Finally, we designed a new AGKAP based on different cryptographic primitives (signature and hash functions) for which we proved authentication, freshness and secrecy properties. A comparison with a similar AGKAP developed in parallel to ours is also proposed.</p>

theory of security

cryptographic protocols

formal analysis

Exploring Privacy in Location-based Services Using Cryptographic Protocols

Vishwanathan, Roopa

05 1900

Location-based services (LBS) are available on a variety of mobile platforms like cell phones, PDA's, etc. and an increasing number of users subscribe to and use these services. Two of the popular models of information flow in LBS are the client-server model and the peer-to-peer model, in both of which, existing approaches do not always provide privacy for all parties concerned. In this work, I study the feasibility of applying cryptographic protocols to design privacy-preserving solutions for LBS from an experimental and theoretical standpoint. In the client-server model, I construct a two-phase framework for processing nearest neighbor queries using combinations of cryptographic protocols such as oblivious transfer and private information retrieval. In the peer-to-peer model, I present privacy preserving solutions for processing group nearest neighbor queries in the semi-honest and dishonest adversarial models. I apply concepts from secure multi-party computation to realize our constructions and also leverage the capabilities of trusted computing technology, specifically TPM chips. My solution for the dishonest adversarial model is also of independent cryptographic interest. I prove my constructions secure under standard cryptographic assumptions and design experiments for testing the feasibility or practicability of our constructions and benchmark key operations. My experiments show that the proposed constructions are practical to implement and have reasonable costs, while providing strong privacy assurances.

Cryptographic protocols

privacy

location-based services

Using security protocols to extend the FiLDB architecture

Gudlaugsson, Rúnar

January 2002

<p>With the escalating growth of e-commerce in today’s society, many e-commerce sites have emerged that offer products on the Internet. To be able to verify orders from customers, some sites require sensitive information from their customers such as credit card details that is stored in their databases. The security of these sites has become the concern of many and it is a common opinion among the public that such sites cannot be trusted.</p><p>The FiLDB architecture presents an interesting approach for increasing the security of Internet connected databases. This approach is, in short, based on firewall protection; one external firewall protecting an external network, which in turn is connected to an internal network, which was protected by a internal firewall. A database is kept on each network. There are however few issues that are unsolved in the FiLDB architecture. One of them and the problem that is covered in this report is how a user could securely insert, modify and fetch sensitive data into the internal database which stores the sensitive data.</p><p>In this work a few selected cryptographic protocols are studied by evaluating them with respect to five security criteria: confidentiality, authentication, integrity, key management and nonrepudiation. The initial selection of cryptographic protocols is mainly based on applicability in e-commerce systems. Based on the evaluation, one of the protocols is chosen to be implemented with the FiLDB architecture and then the extended architecture was evaluated.</p><p>This project shows that, by integrating a security protocol into architectures such as the FiLDB, the security of the system can be increased substantially.</p>

FiLDB architecture

Security

Cryptographic protocols

Informatics and systems science

Informatik och systemvetenskap

Using security protocols to extend the FiLDB architecture

Gudlaugsson, Rúnar

January 2002

With the escalating growth of e-commerce in today’s society, many e-commerce sites have emerged that offer products on the Internet. To be able to verify orders from customers, some sites require sensitive information from their customers such as credit card details that is stored in their databases. The security of these sites has become the concern of many and it is a common opinion among the public that such sites cannot be trusted. The FiLDB architecture presents an interesting approach for increasing the security of Internet connected databases. This approach is, in short, based on firewall protection; one external firewall protecting an external network, which in turn is connected to an internal network, which was protected by a internal firewall. A database is kept on each network. There are however few issues that are unsolved in the FiLDB architecture. One of them and the problem that is covered in this report is how a user could securely insert, modify and fetch sensitive data into the internal database which stores the sensitive data. In this work a few selected cryptographic protocols are studied by evaluating them with respect to five security criteria: confidentiality, authentication, integrity, key management and nonrepudiation. The initial selection of cryptographic protocols is mainly based on applicability in e-commerce systems. Based on the evaluation, one of the protocols is chosen to be implemented with the FiLDB architecture and then the extended architecture was evaluated. This project shows that, by integrating a security protocol into architectures such as the FiLDB, the security of the system can be increased substantially.

FiLDB architecture

Security

Cryptographic protocols

Information Systems

Verification and composition of security protocols with applications to electronic voting / Vérification et composition des protocoles de securité avec des applications aux protocoles de vote electronique

Ciobâcǎ, Ştefan

09 December 2011

Cette these concerne la verification formelle et la composition de protocoles de securite, motivees en particulier par l'analyse des protocoles de vote electronique. Les chapitres 3 a 5 ont comme sujet la verification de protocoles de securite et le Chapitre 6 vise la composition.Nous montrons dans le Chapitre 3 comment reduire certains problemes d'une algebre quotient des termes a l'algebre libre des termes en utilisant des ensembles fortement complets de variants. Nous montrons que, si l'algebre quotient est donnee par un systeme de reecriture de termes convergent et optimalement reducteur (optimally reducing), alors des ensembles fortement complets de variants existent et sont finis et calculables.Dans le Chapitre 4, nous montrons que l'equivalence statique pour (des classes) de theories equationnelles, dont les theories sous-terme convergentes, la theorie de l'engagement a trappe (trapdoor commitment) et la theorie de signature en aveugle (blind signatures), est decidable en temps polynomial. Nous avons implemente de maniere efficace cette procedure.Dans le Chapitre 5, nous etendons la procedure de decision precedente a l'equivalence de traces. Nous utilisons des ensembles fortement complets de variants du Chapitre 3 pour reduire le probleme a l'algebre libre. Nous modelisons chaque trace du protocole comme une theorie de Horn et nous utilisons un raffinement de la resolution pour resoudre cette theorie. Meme si nous n'avons pas reussi a prouver que la procedure de resolution termine toujours, nous l'avons implementee et utilisee pour donner la premiere preuve automatique de l'anonymat dans le protocole de vote electronique FOO.Dans le Chapitre 6, nous etudions la composition de protocoles. Nous montrons que la composition de deux protocoles qui utilisent des primitives cryptographiques disjointes est sure s'ils ne revelent et ne reutilisent pas les secrets partages. Nous montrons qu'une forme d'etiquettage de protocoles est suffisante pour assurer la disjonction pour un ensemble fixe de primitives cryptographiques. / This thesis is about the formal verification and composition of security protocols, motivated by applications to electronic voting protocols. Chapters 3 to 5 concern the verification of security protocols while Chapter 6 concerns composition.We show in Chapter 3 how to reduce certain problems from a quotient term algebra to the free term algebra via the use of strongly complete sets of variants. We show that, when the quotient algebra is given by a convergent optimally reducing rewrite system, finite strongly complete sets of variants exist and are effectively computable.In Chapter 4, we show that static equivalence for (classes of) equational theories including subterm convergent equational theories, trapdoor commitment and blind signatures is decidable in polynomial time. We also provide an efficient implementation.In Chapter 5 we extend the previous decision procedure to handle trace equivalence. We use finite strongly complete sets of variants introduced in Chapter 3 to get rid of the equational theory and we model each protocol trace as a Horn theory which we solve using a refinement of resolution. Although we have not been able to prove that this procedure always terminates, we have implemented it and used it to provide the first automated proof of vote privacy of the FOO electronic voting protocol.In Chapter 6, we study composition of protocols. We show that two protocols that use arbitrary disjoint cryptographic primitives compose securely if they do not reveal or reuse any shared secret. We also show that a form of tagging is sufficient to provide disjointness in the case of a fixed set of cryptographic primitives.

Protocoles cryptographiques

Sécurité

Vérification formelle

Cryptographic protocols

Formal verification

Sécurity

Kryptografické protokoly v praxi / Cryptographic protocols in practice

Truneček, Petr

January 2009

The purpose of this work was first to describe the requirements for cryptographic protocols. Furthermore, the classification of these protocols should have been made with specific examples given. The aim of the next part of the work was to describe the methods which are suitable for description and modeling of cryptographic protocols. This work also addressed the analysis of cryptographic protocols by appropriate analytical means. The CSP method for modeling of the cryptographic protocols was applied in the practical part. The Yahalom protocol was selected as a protocol suitable for modeling. Two analysis was made. The first analysis concerned the standard version of the Yahalom protocol, which was tested to the requirements of cryptographic properties of the secrecy and authenticity. The second analysis was based on the possibility of disclosure of the key, including counterexamples and traces given by FDR. The first analysis did not reveal any weakening, in terms of two cryptographic properties. To demonstrate the possibility of FDR, Yahalom protocol was modified in order to cause the situation when the disclosure of keys appears. FDR then finds the exact procedure that an intruder must make to get the possession of the key.

Mobile agent security through multi-agent cryptographic protocols.

Xu, Ke

05 1900

An increasingly promising and widespread topic of research in distributed computing is the mobile agent paradigm: code travelling and performing computations on remote hosts in an autonomous manner. One of the biggest challenges faced by this new paradigm is security. The issue of protecting sensitive code and data carried by a mobile agent against tampering from a malicious host is particularly hard but important. Based on secure multi-party computation, a recent research direction shows the feasibility of a software-only solution to this problem, which had been deemed impossible by some researchers previously. The best result prior to this dissertation is a single-agent protocol which requires the participation of a trusted third party. Our research employs multi-agent protocols to eliminate the trusted third party, resulting in a protocol with minimum trust assumptions. This dissertation presents one of the first formal definitions of secure mobile agent computation, in which the privacy and integrity of the agent code and data as well as the data provided by the host are all protected. We present secure protocols for mobile agent computation against static, semi-honest or malicious adversaries without relying on any third party or trusting any specific participant in the system. The security of our protocols is formally proven through standard proof technique and according to our formal definition of security. Our second result is a more practical agent protocol with strong security against most real-world host attacks. The security features are carefully analyzed, and the practicality is demonstrated through implementation and experimental study on a real-world mobile agent platform. All these protocols rely heavily on well-established cryptographic primitives, such as encrypted circuits, threshold decryption, and oblivious transfer. Our study of these tools yields new contributions to the general field of cryptography. Particularly, we correct a well-known construction of the encrypted circuit and give one of the first provably secure implementations of the encrypted circuit.

Mobile agents (Computer software)

Computer security.

mobile agents

security

cryptographic protocols

Verification and composition of security protocols with applications to electronic voting

Ciobâcǎ, Ştefan

09 December 2011

This thesis is about the formal verification and composition of security protocols, motivated by applications to electronic voting protocols. Chapters 3 to 5 concern the verification of security protocols while Chapter 6 concerns composition.We show in Chapter 3 how to reduce certain problems from a quotient term algebra to the free term algebra via the use of strongly complete sets of variants. We show that, when the quotient algebra is given by a convergent optimally reducing rewrite system, finite strongly complete sets of variants exist and are effectively computable.In Chapter 4, we show that static equivalence for (classes of) equational theories including subterm convergent equational theories, trapdoor commitment and blind signatures is decidable in polynomial time. We also provide an efficient implementation.In Chapter 5 we extend the previous decision procedure to handle trace equivalence. We use finite strongly complete sets of variants introduced in Chapter 3 to get rid of the equational theory and we model each protocol trace as a Horn theory which we solve using a refinement of resolution. Although we have not been able to prove that this procedure always terminates, we have implemented it and used it to provide the first automated proof of vote privacy of the FOO electronic voting protocol.In Chapter 6, we study composition of protocols. We show that two protocols that use arbitrary disjoint cryptographic primitives compose securely if they do not reveal or reuse any shared secret. We also show that a form of tagging is sufficient to provide disjointness in the case of a fixed set of cryptographic primitives.

[INFO:INFO_OH] Computer Science/Other

[INFO:INFO_OH] Informatique/Autre

Cryptographic protocols

Formal verification

Sécurity

e-αξιολόγηση : εφαρμογές της κρυπτογραφίας στην αξιολόγηση μέσω τεχνολογιών πληροφορικής και επικοινωνιών

Γαλάνης, Βασίλειος

19 April 2010

Η εργασία αυτή έχει σα σκοπό τη διερεύνηση των εφαρμογών της κρυπτογραφίας στην ασφάλεια της διαδικασίας της αξιολόγησης σε περιβάλλοντα όπου γίνεται χρήση τεχνολογιών επικοινωνίας και πληροφορικής, κατασκευάζοντας μια κατηγορία πρωτοκόλλων που καλείται e-αξιολόγηση. Πιό συγκεκριμένα, ξεκινώντας από την όσο το δυνατόν πλήρη περιγραφή ενός συστήματος e-αξιολόγησης τόσο σε επίπεδο hardware όσο και σε επίπεδο software, σκοπός μας είναι να εισάγουμε κατάλληλες κρυπτογραφικές τεχνικές έτσι ώστε να καλύπτουμε τις απαιτήσεις ασφαλείας της διαδικασίας της e-αξιολόγησης και να δώσουμε παραδείγματα αντίστοιχων εφαρμογών όπου είναι γίνεται χρήση της ηλεκτρονικής αξιολόγησης. Στο πρώτο μέρος της εργασίας διερευνούμε τον τρόπο με τον οποίο ενσωματώνεται η έννοια της ασφάλειας στη διαδικασία της αξιολόγησης, τους λόγους για τους οποίους υπάρχει ανάγκη για ενσωμάτωση τεχνικών ασφαλείας στην αξιολόγηση και τα οφέλη που αποκομίζουμε από αυτές καθώς και μία γρήγορη παρουσίαση του συνόλου των τεχνικών που χρησιμοποιούνται. Στη συνέχεια του κεφαλαίου αυτού, παρουσιάζουμε που και πως ενσωματώνονται εφαρμογές κρυπτογραφίας στο σύνολο των τεχνικών ασφαλείας που χρησιμοποιούνται στη διαδικασία αξιολόγησης. Στο δεύτερο μέρος κάνουμε μια παρουσίαση των κρυπτογραφικών πρωτοκόλλων και τεχνικών που έχουν εφαρμογή στην e-αξιολόγηση, καθώς και μια παρουσίαση του μαθηματικού τους υπόβαθρου. Στο τρίτο μέρος κάνουμε μια παρουσίαση των εφαρμογών της ηλεκτρονικής αξιολόγησης στην εκπαίδευση. / The goal of this work is to research the application of cryptography in the security of the process of evaluation in on-line environments, creating a framework of protocols which is collectively called e-evaluation. More specifically, we begin by providing a description of an e-evaluation system in both the hardware and the software level and introducing suitable cryptographic techniques so as to satisfy the security requirements of the e-evaluation process, giving examples of applications where there is use of electronic evaluation procedures. In the first part of this work we research the way the concept of security is integrated within the process of evaluation, the reasons for which there is need for integrating security techniques in that process and the benefits we gain by them. Then we provide a short description of techniques being use in the electronic evaluation process as well as where and how cryptography is applied in them. In the second part, we provide a description of the cryptographic techniques and protocols that have applications in the e-evaluation framework and their mathematical background. In the third and final part, we make a presentation of the applications of e-evaluation in education.

e-αξιολόγηση

Κρυπτογραφία

Ασφάλεια δεδομένων

005.82

e-evaluation

Cryptography

Data security

Cryptographic protocols

e-voting