Abstract: Logics for cryptographic protocol analysis are presented, and a study is made of the protocol features that they are appropriate for analyzing: some are appropriate for analyzing trust, others security. It is shown that both features can be adequately captured by a single properly designed logic. The goals and capabilities of M. Burrows, M. Abadi and R. Needham's (1989) BAN logic are examined. It is found that there is confusion about these. While the logic is extremely useful heuristically, as a formal method it is seen to be ultimately unacceptable. Formal semantics is explored as a reasoning tool and the importance of soundness and completeness for protocol security is discussed. The KPL logic is used to resolve a debate over an alleged flaw in BAN logic and is shown to be uniquely capable of dealing with certain protocol security issues. >

Abstract: A cryptographic communication method and system for performing cryptographic communication between a host computer and a given one of plural terminals connected to the host computer by way of a communication network by using a data key designated by the given terminal or the host, wherein the host computer includes a cryptographic processing unit which includes a processing part for performing a public key cryptographic processing by using a pair of a public key and a private key and a common key cryptographic processing by using a common key, and an internal memory for storing master common key and master private key, a storage for recording as user private key information those data that result from the public key cryptographic processing performed by using a master public key on a plurality of user private keys which are in paired relation to user public keys held in the user terminals, respectively, and control means for performing input/output control between the storage and the cryptographic processing means.

Abstract: Describes a formal specification language and verification technique for analyzing key management protocols. A prototype verification tool that can be used to apply this technique is introduced. A protocol intended for use in the management of resource sharing, is formally specified and verified, and it is shown how the use of the considered techniques led to the discovery of a flaw that could be exploited by an intruder to convince a user of the system that he has obtained a service when he actually has not. >

Abstract: A major open problem in the theory of multiprover protocols is to characterize the languages which can be accepted by fully parallelized protocols which achieve an exponentially low probability of cheating in a single round. The problem was motivated by the observation that the probability of cheating the n parallel executions of a multiprover protocol can be exponentially higher than the probability of cheating in n sequential executions of the same protocol. The problem is solved by proving that any language in NEXP-time has a fully parallelized multiprover protocol. By combining this result with a fully parallelized version of the protocol of M. Ben-Or et al. (ACM Symp. on Theory of Computing, 1988), a one-round perfect zero-knowledge protocol (under no cryptographic assumptions) can be obtained for every NEXPTIME language. >

Abstract: A method and related cryptographic processing apparatus for handling information packets that are to be cryptographically processed prior to transmission onto a communication network, or that are to be locally cryptographically processed and looped back to a node processor. A special cryptographic preamble is included in each information packet that is to be subject to cryptographic processing. The cryptographic preamble contains an offset value pointing to the starting location of information that is to be processed, and completely defines the type of cryptographic processing to be performed. The cryptographic processor can then perform the processing as specified in the preamble without regard to a specific protocol. If the packet is to be transmitted onto the network, the preamble is stripped from the packet after cryptographic processing, so that the formats of packets transmitted onto the network will be unaffected by the preamble. Cryptographic processing modes include encryption of data for outbound transmission, encryption of a cipher key for loopback to the node processor, encryption or decryption of data for loopback to the node processor, and computation of an integrity check value for loopback to the node processor.

Abstract: In the quest for open systems, standardization of security mechanisms, framework, and protocols are becoming increasingly important. This puts high demands on the correctness of the standards. In this paper we use a formal logic-based approach to protocol analysis introduced by Burrows et al. [1]. We extend this logic to deal with protocols using public key cryptography, and with the notion of "duration" to capture some time-related aspects. The extended logic is used to analyse an important CCITT standard, the X.509 Authentication Framework. We conclude that protocol analysis can benefit from the use of the notation and that it highlights important aspects of the protocol analysed. Some aspects of the formalism need further study.

Abstract: The authors discuss the virtues and limitations of several logics for cryptographic protocols focusing primarily on the logics of authentication. They emphasize the scope limitations of these logics rather than their virtues because: (1) their virtues to be better understood and accepted than their limitations; and (2) they hope to stimulate further research that will expand their scope. >

Abstract: A computer network has a number of computers coupled thereto at distinct nodes. A trust realm table defines which computers are members of predefined trust realms. All the members of each predefined trust realm enforce a common set of security protocols for protecting the confidentiality of data. Each computer that is a member of a trust realm enforces a predefined security policy, and also defines a security level for each set of data stored in the computer. Thus, each message has an associated label denoting how to enforce the computer's security policy with respect to the message. A trust realm service program prepares a specified message for transmission to a specified other computer system. To do this it uses the trust realm table to verify that both the computer system and the specified computer system are members of at least one common trust realm, and then selects one of those common trust realms. The message is transmitted as a protocol data unit, which includes a sealed version of the message, authenticated identifiers for the sending system and user, the message's label, and an identifier for the selected trust realm. Received protocol data units are processed by validating each of the components of the received protocol data unit before accepting the sealed message in the protocol data unit as authentic. Further, the label in the received protocol data unit is used by the receiving computer to determine what predefined security policy is to be enforced with respect to the message.

Abstract: The BAN approach to analysis of cryptographic protocols (M. Burrows et al., 1988) transforms a correctness requirement into a proof obligation of a formal belief logic. It is shown that the BAN protocol annotation rules make flaws due solely to protocol step permutation undetectable by the BAN logic. This is illustrated by a short example. In the style of BAN logic, the author defines the concept of a terminating idealized protocol. BAN logic has been used to prove the correctness of an insecure protocol (D. Nessett, 1990). The author shows that this protocol belongs to the class of nonterminating protocols. >

Abstract: PURPOSE: To ensure securecy of information by cyphering secret information by data cryptographic key and recording and transferring the data cryptographic key cyphered by means of cryptographic key means. CONSTITUTION: A terminal security unit 15 as a kind of cyphering devices takes a form of a black box and a proper cryptographic key TK whose contents are automatically extinguished when unsealing is done e.g. by illegal reverse engineering and aquired only by a user is sealed. The cryptographic key TK itself has not a function for directly cyphering plain text information (X), plays a role of a kind of master keys, cyphers a data cryptographic key DEX and is provided with the function of further cyphering the 'key' on algorism for cyphering processing of the plain text information. The data cryptographic key means itself is cyphered and freely stored or transferred. COPYRIGHT: (C)1994,JPO&Japio

Abstract: Cryptography is considered by many users to be a complicated subject. An architecture for a cryptographic application programming interface simplifies customer use of cryptographic services by helping to ensure compliance with national and international standards and by providing intuitive high-level services that may be implemented on a broad range of operating systems and underlying hardware. This paper gives an overview of the design rationale of the recently announced Common Cryptographic Architecture Cryptographic Application Programming Interface and gives typical application scenarios showing methods of using the services described in the architecture to meet security requirements.

Abstract: In the verification of cryptographic protocols using the authentication logic of Burrows, Abadi, and Needham (1989) it is possible to write a specification which does not faithfully represent the real world situation. Such a specification, though impossible or unreasonable to implement, can go undetected and be verified to be correct. It can also lead to logical statements that do not preserve causality which in turn can have undesirable consequences. Such a specification, called an infeasible specification, can be subtle and hard to locate. The article shows how the logic of cryptographic protocols of Gong, Needham, and Yahalom (1990) can be enhanced with a notion of eligibility to preserve causality of beliefs and detect infeasible specifications. It is conceivable that this technique can be adopted in other similar logics. >

Abstract: We consider cryptographic protocols for elections over computer networks. In addition to the requirements imposed upon customary secret balloting systems, we discuss possibilities of recasting one's vote, as well as verifying that it has been properly counted. All this should happen without compromising secrecy or relying on trusted persons and groups.

Abstract: The Exponential Security System (TESS) developed at the European Institute for System Security is the result of an attempt to increase the security in heterogenous computer networks In this paper we present the cryptographic protocols in the kernel of TESS We show how they can be used to implement access control, authentication, confidentiality protection, key exchange, digital signatures and distributed network security management We also look at the compatibility of TESS with existing standards, like the X509 Directory Authentication Framework, and compare it to established systems like Kerberos A comparison of TESS with the non-electronic "paper"-world of authentication and data exchange shows strong parallels Finally we give a short overview of the current state of development and availability of different TESS components

Abstract: This paper shows how to derive a representation of the participants’ knowledge in a cryptographic protocol. The modelization is based on the assumption that the underlying cryptographic system is perfect and is an extension of the “Hidden Automorphism Model” introduced by Merritt. It can be used to establish the security of the protocols.

Abstract: This article focuses on living systems at the group level. Cryptography is the study of secret writing. Cryptographic protocols are methods of systematically utilizing cryptosystems in devising communication systems that effectively exclude non-legitimate persons (eavesdroppers) and enable the legitimate users to transmit secrets necessary for the achievement of common goals. Of particular interest are protocols that do not rely on trusted middlemen. Cryptographic protocols could also be used in improving the secret ballot systems in the context of elections. We list four conditions that characterize any satisfactory secret balloting system. We then outline three cryptographic protocols that under specific conditions would satisfy these conditions.

Abstract: A well-designed application program interface for a line of cryptographic products simplifies customer use of cryptographic services by helping to ensure compliance with national and international standards and by providing intuitive high-level services that may be implemented on disparate systems. The Common Cryptographic Architecture is IBM's strategic cryptographic architecture. The Transaction Security System implements the Common Cryptographic Architecture in full. Furthermore, the Transaction Security System has implemented extensions to the architecture to address additional customer requirements. This paper gives the design rationale for some of the additional cryptographic functionality in the Transaction Security System beyond that mandated by the Common Cryptographic Architecture.

Abstract: We introduce an original method to verify probabilistic properties in cryptographic protocols. This method uses the representation of participants' knowledge that we presented at CRYPTO'91. The modelization is based on the assumption that the underlying cryptographic system is perfect and is an extension of the “Hidden Automorphism Model” introduced by Merritt.

Abstract: The author distinguishes between 'heuristic' and 'holistic' issues in the formal analysis of cryptographic protocols and discusses the contribution semantics can make to settling these issues. >

Abstract: This paper shows how to derive a representation of the participants' knowledge in a cryptographic protocol The modelization is based on the assumption that the underlying cryptographic system is perfect and is an extension of the "Hidden Automorphism Model" introduced by Merritt It can be used to establish the security of the protocols

Abstract: The invention described herein suggests methods of cryptographic key management based on control vectors in which the control vectors are generated or derived internal to a cryptographic facility implementing a set of cryptographic operations. The methods of alternate control vector enforcement described in the present application provide a high-integrity facility to ensure that cryptographic keys are used in a manner consistent with the type and usage attributes assigned to the keys by the originator of those keys. Since the control vectors are generated or derived internal to the cryptographic facility on the basis of data contained in each cryptographic service request to the cryptographic facility, control vectors need not be stored or managed outside the cryptographic facility.

Abstract: This paper presents a novel cryptographic scheme which fully conforms to the requirements of holding large scale general elections. The participants of the scheme are the voters, the candidates and the government. The scheme ensures independence between the voters in that they do not have to be present at the same time or go through several phases together; no global computation is needed. The scheme preserves the privacy of the votes against any subset of dishonest voters, and against any proper subset of dishonest candidates, including the government. Robustness is ensured in that no subset of voters can corrupt or disrupt the election. This also means that no voter is able to vote more than once without being detected. The verifiability of the scheme ensures that the government and the candidates cannot present a false tally without being caught. “Voting by telephone” is possible by employing the proposed scheme.

Abstract: We investigate protocols for authenticated exchange of messages between two parties in a communication network. Secure authenticated exchange is essential for network security. It is not difficult to design simple and seemingly correct solutions for it, however, many such 'solutions' can be broken. We give some examples of such protocols and we show a useful methodology which can be used to break many protocols. In particular, we break a protocol that is being standardized by the ISO.We present a new authenticated exchange protocol which is both provably secure and highly efficient and practical. The security of the protocol is proven, based on an assumption about the the cryptosystem employed (namely, that it is secure when used in CBC mode on a certain message space). We think that this assumption is quite reasonable for many cryptosystems, and furthermore it is often assumed in practical use of the DES cryptosystem. Our protocol cannot be broken using the methodology we present (which was strong enough to catch all protocol flaws we found). The reduction to the security of the encryption mode, indeed captures the non-existence of the exposures that the methodology catches (specialized to the actual use of encryption in our protocol). Furthermore, the protocol prevents chosen plaintext or ciphertext attacks on the cryptosystem.The proposed protocol is efficient and practical in several aspects. First, it uses only conventional cryptography (like the DES, or any privately-shared one-way function) and no public-key. Second, the protocol does not require synchronized clocks or counter management. Third, only a small number of encryption operations is needed (we use no decryption), all with a single shared key. In addition, only three messages are exchanged during the protocol, and the size of these messages is minimal. These properties are similar to existing and proposed actual protocols. This is essential for integration of the proposed protocol into existing systems and embedding it in existing communication protocols.