Relating two standard notions of secrecy

A Semi-Decidable Procedure for Secrecy in Cryptographic Protocols

In this paper, we present a new semi-decidable procedure to analyze cryptographic protocols for the property of secrecy based on a new class of functions that we call: the Witness-Functions. A Witness-Function is a reliable function that guarantees the secrecy in any protocol proved increasing once analyzed by it. Hence, the problem of correctness becomes a problem of protocol growth. A Witness-Function operates on derivative messages in a role-based specification and introduces new derivation techniques. We give here the technical aspects of the Witness-Functions and we show how to use them in a semi-decidable procedure. Then, we analyze a variation of Needham-Schroeder protocol and we show that a Witness-Function can also help to teach about flaws. Finally, we analyze the NSL protocol and we prove that it is correct with respect to secrecy.

A Decidable Subclass of Unbounded Security Protocols

Workshop on Issues in the Theory of Security, 2003

this paper, we propose a simple syntactic restriction on protocols and show that it achieves this purpose. The condition essentially states that between any two terms that occur in distinct communications, no encrypted subterm of one can be unified with a subterm of the other. In the absence of such a restriction, the intruder may use such a binding to transfer information from one play

Logics of Knowledge and Cryptography: Completeness and Expressiveness

Logics of Knowledge and Cryptography- Completeness and Expressiveness, 2013

An understanding of cryptographic protocols requires that we examine the knowledge of protocol participants and adversaries: When a participant receives a message, does she know who sent it? Does she know that the message is fresh, and not merely a replay of some old message? Does a network spy know who is talking to whom? This thesis studies logics of knowledge and cryptography. Specifically, the thesis addresses the problem of how to make the concept of knowledge reflect feasible computability within a Kripke-style semantics. The main contributions are as follows.

• A generalized Kripke semantics for first-order epistemic logic and cryptography, where the latter is modeled using private constants and arbitrary cryptographic operations, as in the Applied Pi-calculus.
• An axiomatization of first-order epistemic logic which is sound and complete relative to an underlying theory of cryptographic terms, and to an omega-rule for quantifiers. Besides standard axioms and rules from first-order epistemic logic, the axiomatization includes some novel axioms for the interaction between knowledge and cryptography.
• Epistemic characterizations of static equivalence and Dolev-Yao message deduction.
• A generalization of Kripke semantics for propositional epistemic logic and symmetric cryptography.
• Decidability, soundness and completeness for propositional BAN-like logics with respect to message passing systems. Completeness and decidability are generalised to logics induced from an arbitrary base of protocol specific assumptions.
• An epistemic definition of message deduction. The definition lies between weaker and stronger versions of Dolev-Yao deduction, and coincides with weaker Dolev-Yao regarding all atomic messages. For composite messages, the definition withstands a well-known counterexample to Dolev-Yao deduction.
• Protocol examples using mixes, a Crowds style protocol, and electronic payments.

Confidential Safety via Correspondence Assertions

2010

We study a notion of secrecy that arises naturally in adversarial systems. Let all agents agree on a space of possible values. An honest agent chooses one of these values, and aims to make sure that this particular choice cannot be reliably guessed by an adversary, even in the context of a distributed protocol. An example is an agent that uses an honest mail server to send a message, wishing to keep the identity of the eventual recipient hidden from an adversary.

On the Existence of an Effective and Complete Inference System for Cryptographic Protocols

Lecture Notes in Computer Science, 2004

A central question in the domain of program semantics and program verification is the existence of a complete inference system for assertions of the form π |= ϕ meaning that program π satisfies property ϕ. A stronger version of this question asks for an effective (decidable) complete inference system. We investigate these questions for cryptographic protocols focusing on authentication and confidentiality properties. While it is not difficult to see that a complete and effective inference system cannot exist when an unbounded number of sessions are considered, we prove that such a system exists for bounded protocols. More precisely, 1.) we provide a complete weakest precondition calculus for bounded cryptographic protocols and 2.) we show that assertions needed for completeness of the calculus are expressible in a decidable second order logic on terms.

Decidability and Complexity Results for Security Protocols

Verification of Infinite-State Systems with Applications to Security, 2005

Abstract. Security protocols are prescribed sequences of interactions between entities designed to provide various security services across distributed systems. Security protocols are often wrong due to the extremely subtle properties they are supposed to ensure. Deciding whether or not a security protocol assures secrecy is one of the main challenges in this area. In this paper we survey

Secrecy and Authenticity Types for Secure Distributed Messaging

Lecture Notes in Computer Science, 2010

We introduce a calculus with mobile names, distributed principals and primitives for secure remote communication, without any reference to explicit cryptography. The calculus is equipped with a system of types and effects providing static guarantees of secrecy and authenticity in the presence of a Dolev-Yao intruder. The novelty with respect to existing type systems for security is in the structure of our secrecy and authenticity types, which are inspired by the formulas of BAN Logic, and retain much of the simplicity and intuitive reading of such formulas. Drawing on these types, the type system makes it possible to characterize authenticity directly as a property of the data exchanged during a protocol rather than indirectly by extracting and interpreting the effects the protocol has on that data. Work partially supported by MIUR Projects SOFT "Security Oriented Formal Techniques" and IPODS "Interacting Processes in Open-ended Distributed Systems".

Soundness of Formal Encryption in the Presence of Active Adversaries

Lecture Notes in Computer Science, 2004

We present a general method to prove security properties of cryptographic protocols against active adversaries, when the messages exchanged by the honest parties are arbitrary expressions built using encryption and concatenation operations. The method allows to express security properties and carry out proofs using a simple logic based language, where messages are represented by syntactic expressions, and does not require dealing with probability distributions or asymptotic notation explicitly. Still, we show that the method is sound, meaning that logic statements can be naturally interpreted in the computational setting in such a way that if a statement holds true for any abstract (symbolic) execution of the protocol in the presence of a Dolev-Yao adversary, then its computational interpretation is also correct in the standard computational model where the adversary is an arbitrary probabilistic polynomial time program. This is the first paper providing a simple framework for translating security proofs from the logic setting to the standard computational setting for the case of powerful active adversaries that have total control of the communication network.

Computationally Sound Symbolic Secrecy in the Presence of Hash Functions

Lecture Notes in Computer Science, 2006

The standard symbolic, deducibility-based notions of secrecy are in general insufficient from a cryptographic point of view, especially in presence of hash functions. In this paper we devise and motivate a more appropriate secrecy criterion which exactly captures a standard cryptographic notion of secrecy for protocols involving public-key encryption and hash functions: protocols that satisfy it are computationally secure while any violation of our criterion directly leads to an attack. Furthermore, we prove that our criterion is decidable via an NP decision procedure. Our results hold for standard security notions for encryption and hash functions modeled as random oracles.