Scispace (Formerly Typeset)
Showing papers on "Cryptographic protocol" published in 1994
Book Chapter • 10.1007/3-540-48285-7_30
Distance-bounding protocols

Stefan A. Brands, David Chaum (DigiCash)
2 Jan 1994
TL;DR: The "distance bounding" technique is introduced, which solves the problem of timing the delay between sending out a challenge bit and receiving back the corresponding response bit and can be integrated into common identification protocols.
Abstract: It is often the case in applications of cryptographic protocols that one party would like to determine a practical upper-bound on the physical distance to the other party. For instance, when a person conducts a cryptographic identification protocol at an entrance to a building, the access control computer in the building would like to be ensured that the person giving the responses is no more than a few meters away. The "distance bounding" technique we introduce solves this problem by timing the delay between sending out a challenge bit and receiving back the corresponding response bit. It can be integrated into common identification protocols. The technique can also be applied in the three-party setting of "wallets with observers" in such a way that the intermediary party can prevent the other two from exchanging information, or even developing common coinflips.

916 citations

Journal Article • 10.1109/32.481513
Prudent engineering practice for cryptographic protocols

Martín Abadi, Roger M. Needham (University of Cambridge)
16 May 1994
TL;DR: The principles are informal guidelines that complement formal methods, but do not assume them, and are however helpful, in that adherence to them would have avoided a considerable number of published errors.
Abstract: We present principles for the design of cryptographic protocols. The principles are neither necessary nor sufficient for correctness. They are however helpful, in that adherence to them would have avoided a considerable number of published errors. Our principles are informal guidelines. They complement formal methods, but do not assume them. In order to demonstrate the actual applicability of these guidelines, we discuss some instructive examples from the literature.

677 citations

Book Chapter • 10.1007/BFB0000430
Formal Verification of Cryptographic Protocols: A Survey

Catherine Meadows (United States Naval Research Laboratory)
28 Nov 1994
TL;DR: A survey of the state of the art in the application of formal methods to the analysis of cryptographic protocols and some emerging trends are given.
Abstract: In this paper we give a survey of the state of the art in the application of formal methods to the analysis of cryptographic protocols. We attempt to outline some of the major threads of research in this area, and also to document some emerging trends. ...

223 citations

Proceedings Article • 10.1109/CSFW.1994.315935
A taxonomy of replay attacks [cryptographic protocols]

Paul Syverson (United States Naval Research Laboratory)
14 Jun 1994
TL;DR: A taxonomy of replay attacks on cryptographic protocols in terms of message origin and destination is presented, complete in the sense that any replay attack is composed entirely of elements classified by the taxonomy.
Abstract: This paper presents a taxonomy of replay attacks on cryptographic protocols in terms of message origin and destination. The taxonomy is independent of any method used to analyze or prevent such attacks. It is also complete in the sense that any replay attack is composed entirely of elements classified by the taxonomy. The classification of attacks is illustrated using both new and previously known attacks on protocols. The taxonomy is also used to discuss the appropriateness of particular countermeasures and protocol analysis methods to particular kinds of replays.

170 citations

Book Chapter • 10.1007/3-540-48285-7_20
On a limitation of BAN logic

Colin Boyd, Wenbo Mao (University of Manchester)
2 Jan 1994
TL;DR: This paper shows that it is easy for the BAN logic to approve protocols that are in practice unsound, as illustrated with two examples.
Abstract: In the past few years a lot of attention has been paid to the use of special logics to analyse cryptographic protocols, foremost among these being the logic of Burrows, Abadi and Needham (the BAN logic). These logics have been successful in finding weaknesses in various examples. In this paper a limitation of the BAN logic is illustrated with two examples. These show that it is easy for the BAN logic to approve protocols that are in practice unsound.

139 citations

Proceedings Article • 10.1109/CSFW.1994.315945
A model of computation for the NRL Protocol Analyzer

Catherine Meadows (United States Naval Research Laboratory)
14 Jun 1994
TL;DR: A model of computation for the NRL Protocol Analyzer is developed by modifying and extending the model of computing for Burrows, Abadi, and Needham (BAN) logic, and the issues this raises with respect to the possible integration of the two are discussed.
Abstract: We develop a model of computation for the NRL Protocol Analyzer by modifying and extending the model of computation for Burrows, Abadi, and Needham (BAN) logic (M. Burrows et al., 1990) developed by M. Abadi and M. Tuttle (1991). We use the results to point out the similarities and differences between the NRL Protocol Analyzer and BAN logic, and discuss the issues this raises with respect to the possible integration of the two.

73 citations

Security Requirements for Cryptographic Modules (NIST)

Lisa J. Carnahan, Miles E. Smid
11 Jan 1994

62 citations

Proceedings Article • 10.1109/CSFW.1994.315944
AUTLOG - an advanced logic of authentication

V. Kessler (Siemens), G. Wedel (RWTH Aachen University)
14 Jun 1994
TL;DR: A modified version of the BAN logic which is implemented in PROLOG is presented and an interesting difference is shown between two protocols which seem to be very similar.
Abstract: We present a modified version of the BAN logic which is implemented in PROLOG. The modifications are motivated by the analysis of a lot of protocols. We analyze a challenge-response protocol and its dual version in order to show the advantages of the modified logic. The analysis shows an interesting difference between two protocols which seem to be very similar. Finally, we discuss the inability of the logic to handle parallel protocol runs.

56 citations

Proceedings Article • 10.1109/CSFW.1994.315934
Cryptographic protocol flaws: know your enemy

U. Carlsen (École Normale Supérieure)
14 Jun 1994
TL;DR: A classification of protocol flaws, including two new flaws in an application of the mental poker protocol, is provided, and appropriate countermeasures for relevant flaw-categories are discussed.
Abstract: Flaws are introduced at every stage of the protocol development cycle. The engineer is faced with the problem of how to avoid them. The first step is to gain an understanding of the different flavours of cryptographic protocol flaws, i.e. get to know the enemy. This paper provides a classification of protocol flaws, including two new flaws in an application of the mental poker protocol, and discusses appropriate countermeasures for relevant flaw categories.

55 citations

Proceedings Article • 10.1109/CSFW.1994.315943
Nonmonotonic cryptographic protocols

Aviel D. Rubin, Peter Honeyman (University of Michigan)
14 Jun 1994
TL;DR: The technique is the first to allow reasoning about nonmonotonic protocols, which are needed for systems that rely on the deletion of information, and specifies at a level that is close to the actual implementation.
Abstract: The paper presents a new method for specifying and analyzing cryptographic protocols. The method offers several advantages over previous approaches. The technique is the first to allow reasoning about nonmonotonic protocols, which are needed for systems that rely on the deletion of information. There is no idealization of protocols; we specify at a level that is close to the actual implementation. We show how the method uncovers the known flaw in the Needham and Schroeder protocol (R.M. Needham and M.D. Schroeder, 1978). We then apply the method to the khat protocol (A.D. Rubin, P. Honeyman, 1993). The analysis reveals a serious, previously undiscovered flaw in the nonmonotonic protocol for long-running jobs.

53 citations

Book Chapter • 10.1007/3-540-58618-0_63
A Calculus for Secure Channel Establishment in Open Networks

Ueli Maurer (ETH Zurich), Pierre E. Schmid
7 Nov 1994
TL;DR: A calculus of channel security properties is presented which allows to analyze and compare protocols for establishing secure channels in an insecure open network at a high level of abstraction.
Abstract: This paper presents a calculus of channel security properties which allows one to analyze and compare protocols for establishing secure channels in an insecure open network at a high level of abstraction. A channel is characterized by its direction, time of availability and its security properties. Cryptographic primitives and trust relations are interpreted as transformations for channel security properties, and cryptographic protocols can be viewed as combinations of such transformations. A protocol thus allows one to transform a set of secure channels established during an initial setup phase, together with a set of insecure channels available during operation of the system, into the set of secure channels specified by the security requirements. The necessary and sufficient requirements for establishing a secure channel between two entities are characterized in terms of secure channels to be made available during the initial setup phase and in terms of trust relations between users and/or between users and trusted authorities.
Journal Article • 10.1049/IP-CDT:19941271
Multi-exponentiation (cryptographic protocols)

S.-M. Yen, C.-S. Laih, A.K. Lenstra
1 Nov 1994
TL;DR: A simultaneous exponentiation algorithm that takes advantage of this situation and that is substantially faster than the ordinary approach using separate exponentiations is presented.
Abstract: In several cryptographic protocols the product of a small number of exponentiations is required, but the separate exponentiation results are not needed. A simultaneous exponentiation algorithm that takes advantage of this situation and that is substantially faster than the ordinary approach using separate exponentiations is presented.
Book Chapter • 10.1007/BFB0053447
Formal requirements for key distribution protocols

Paul Syverson, Catherine Meadows (United States Naval Research Laboratory)
9 May 1994
TL;DR: The goal is to present sets of formal requirements for various contexts which can be applied at the design stage as well as to existing protocols.
Abstract: We discuss generic formal requirements for reasoning about two-party key distribution protocols, using a language developed for specifying security requirements for security protocols. Typically, earlier work has considered formal analysis of already developed protocols. Our goal is to present sets of formal requirements for various contexts which can be applied at the design stage as well as to existing protocols. We use a protocol analysis tool we have developed to determine whether or not a specific protocol has met some of the requirements we specified. We show how this process uncovered a flaw in the protocol and helped us refine our requirements.
Proceedings Article • 10.1109/RISP.1994.296586
Generating formal cryptographic protocol specifications

U. Carlsen (École Normale Supérieure)
16 May 1994
TL;DR: This paper describes a tool which translates a cryptographic protocol specified in the semi-formal standard notation (A → B : M) into the formal language CKT5.
Abstract: This paper describes a tool which translates a cryptographic protocol specified in the semi-formal standard notation, i.e. A → B : M, into the formal language CKT5. We examine the standard notation syntax, and describe how it is exploited by the tool to infer protocol conditions which must hold for every principal, thereby obtaining a complete, formal specification of the protocol. The translation criteria described herein are applicable to other target languages than CKT5.
A Model for Secure Protocols and Their Compositions (extended abstract)

Nevin Heintze, J. D. Tygar
1 Jan 1994
TL;DR: A composition theorem is proved which allows us to state sufficient conditions on two secure protocols A and B such that they may be combined to form a new secure protocol C.
Abstract: We give a formal model of protocol security. Our model allows us to reason about the security of protocols, and considers issues of beliefs of agents, time, and secrecy. We prove a composition theorem which allows us to state sufficient conditions on two secure protocols A and B such that they may be combined to form a new secure protocol C. Moreover, we give counter-examples to show that when the conditions are not met, the protocol C may not be secure.
Proceedings Article • 10.1109/SFCS.1994.365744
On the complexity of bounded-interaction and noninteractive zero-knowledge proofs

Joe Kilian (Princeton University)
20 Nov 1994
TL;DR: This work implements bounded-interaction proofs on committed bits, generalizing a model of A. De Micali et al. (1988) and introducing new implementations that require markedly less interaction.
Abstract: We consider the basic cryptographic primitive known as zero-knowledge proofs on committed bits. In this primitive, a prover P commits to a set of bits, and then at a later time convinces a verifier V that some property 𝒫 holds for a subset of these bits. It is known how to implement this primitive based on an ordinary bit-committal primitive, but the standard implementations involve a great deal of interaction between the prover and the verifier. We introduce new implementations that require markedly less interaction. We implement bounded-interaction proofs on committed bits, generalizing a model of A. De Micali et al. (1988). For all security parameters, our implementations require only a lg²(n) overhead over the best known circuit-based interactive implementations; for sufficiently large security parameters this gap drops to a lg(n) factor.
Journal Article • 10.1049/IP-CDT:19941272
Enhancing the security of El Gamal's signature scheme

J. He, T. Kiesler (University of Missouri)
1 Jul 1994
TL;DR: In this paper, the authors proposed the use of more than one hard problem in the design of cryptographic protocols to enhance their security, such as the discrete logarithm problem and the factorization problem.
Abstract: The paper proposes the use of more than one hard problem in the design of cryptographic protocols to enhance their security. Specifically, both the discrete logarithm problem and the factorisation problem are embedded in the process of signing to enhance the security of the original El Gamal signature scheme.
Book Chapter • 10.1007/BFB0000433
Design and Analysis of Key Exchange Protocols via Secure Channel Identification

Colin Boyd, Wenbo Mao (University of Manchester)
28 Nov 1994
TL;DR: The basic idea is to establish the minimum cryptographic requirements in delivering a new session key, and to identify how these are achieved in the protocol under examination, to establish that the basic properties exist.
Abstract: We suggest a new methodology for design and analysis of key exchange protocols. The basic idea is to establish the minimum cryptographic requirements in delivering a new session key, and to identify how these are achieved in the protocol under examination. The method is therefore limited to key exchange protocols and to establishing that the basic properties exist. The method is easy to carry out by hand (although some existing protocols may be difficult to handle). It allows existing protocols to be re-designed and new protocols designed in a flexible manner. A number of new protocols designed with the method are suggested.
Book Chapter • 10.1007/3-540-58131-6_55
Cryptographic Protocols and Voting

Valtteri Niemi (University of Vaasa), Ari Renvall (University of Turku)
10 Jun 1994
TL;DR: Three protocols related to computer voting are presented, one of which is an efficient ANDOS protocol which is based on a natural cryptographic assumption and the other two protocols attack a difficult problem in computer voting: buying of votes.
Abstract: Three protocols related to computer voting are presented. First protocol is an efficient ANDOS protocol which is based on a natural cryptographic assumption. The other two protocols attack a difficult problem in computer voting: buying of votes. We manage to solve this problem but our protocols are impractical in large-scale elections.
Book Chapter • 10.1007/3-540-48658-5_7
Cryptographic Protocols Based on Discrete Logarithms in Real-quadratic Orders

Ingrid Biehl, Johannes Buchmann, Christoph Thiel (Saarland University)
21 Aug 1994
TL;DR: This work generalizes and improves the schemes of [4], and introduces analogues of exponentiation and discrete logarithms in the principal cycle of real quadratic orders, which makes it possible to implement many cryptographic protocols based on discrete logarithms, e.g. a variant of the signature scheme of ElGamal.
Abstract: We generalize and improve the schemes of [4]. We introduce analogues of exponentiation and discrete logarithms in the principal cycle of real quadratic orders. This enables us to implement many cryptographic protocols based on discrete logarithms, e.g. a variant of the signature scheme of ElGamal [8].
Proceedings Article • 10.1109/CSFW.1994.315936
Development of authentication protocols: some misconceptions and a new approach

Wenbo Mao, Colin Boyd (University of Manchester)
14 Jun 1994
TL;DR: An underlying problem is identified and a remedy is attempted by developing a methodology for the development of secure and strong authentication protocols by identifying a number of misconceptions found in these protocols.
Abstract: Various published authentication protocols that employ symmetric cryptographic algorithms are examined. A number of misconceptions found in the specification, design and implementation of these protocols are revealed. Some misconceptions are considered responsible for definite security flaws, while others are shown to cause weaknesses which may help in attacks on the cryptographic mechanisms. We identify an underlying problem and attempt a remedy by developing a methodology for the development of secure and strong authentication protocols.
Proceedings Article
Cryptographic Protocols Flaws

Ulf Carlsen
1 Jan 1994
Proceedings Article • 10.1109/ICUPC.1994.383082
Strong authentication in intelligent networks

Refik Molva (Institut Eurécom), P.-A. Etique, J.-P. Hubaux
27 Sep 1994
TL;DR: This work proposes a solution for a strong user authentication in an IN, addressing the diversity of user terminal equipment and presents the necessary extensions of the distributed functional plane (DFP), the associated cryptographic protocols, and the new service independent building blocks (SIB) which can be used for introducing strong authentication in a service specification.
Abstract: The intelligent network (IN) architecture is designed to enable rapid deployment of new services in telecommunication networks. But the security of this architecture, and of the new services based on it, must be guaranteed. For example, it is likely that for sensitive services a simple PIN authentication will not be considered as secure enough by customers. We propose a solution for a strong user authentication in an IN, addressing the diversity of user terminal equipment. We also present the necessary extensions of the distributed functional plane (DFP), the associated cryptographic protocols, and the new service independent building blocks (SIB) which can be used for introducing strong authentication in a service specification.
Book Chapter • 10.1007/3-540-58131-6_56
Cryptographic Protocols for Auctions and Bargaining

Hannu Nurmi (University of Turku)
10 Jun 1994
TL;DR: This article deals with cryptographic protocols for auctions, bargaining and arbitration, which help in the elimination of specific types of behaviour which otherwise might undermine the desirable properties of the institutions.
Abstract: Modern mathematical cryptography provides many protocols for designing social and economic institutions. This article deals with cryptographic protocols for auctions, bargaining and arbitration. The main contribution of the protocols is in the elimination of specific types of behaviour which otherwise might undermine the desirable properties of the institutions.
Proceedings Article • 10.1109/ICNP.1994.344366
Automated synthesis of protocol specifications with message collisions and verification of timeliness

Yoshiaki Kakuda, H. Igarashi, Tohru Kikuno (Osaka University)
25 Oct 1994
TL;DR: A protocol synthesis method is proposed such that simultaneous transmission of primitives causing message collisions can be described in the service specifications, and transitions for avoiding protocol errors of unspecified receptions can be generated by new transition synthesis rules.
Abstract: Protocol synthesis is used to derive a protocol specification based on a service specification. In the previous protocol synthesis methods, if the service specification includes simultaneous transmission of primitives, then the derived protocol specification includes protocol errors of unspecified receptions caused by message collisions. This paper extends a class of derived protocol specifications to include message collisions which often happen in real communication protocols, and proposes a protocol synthesis method such that (1) simultaneous transmission of primitives causing message collisions can be described in the service specifications, and (2) transitions for avoiding protocol errors of unspecified receptions can be generated by new transition synthesis rules. This paper also proposes a verification method for determining a real-time bound in the synthesized protocol specification using the task scheduling algorithm for multiprocessor systems.
Proceedings Article • 10.1109/RISP.1994.296582
A secure group membership protocol

M. K. Reiter (Bell Labs)
16 May 1994
TL;DR: This work presents a membership protocol for asynchronous distributed systems that tolerates the malicious corruption of group members, and is a central component of a toolkit for constructing high-integrity distributed services that the authors are presently implementing.
Abstract: A group membership protocol enables processes in a distributed system to agree on a group of processes that are currently operational. Membership protocols are a core component of many distributed systems and have proved to be fundamental for maintaining availability and consistency in distributed applications. We present a membership protocol for asynchronous distributed systems that tolerates the malicious corruption of group members. Our protocol ensures that correct members control and consistently observe changes to the group membership, provided that in each instance of the group membership, fewer than one-third of the members are corrupted or fail benignly. The protocol has many potential applications in secure systems and, in particular, is a central component of a toolkit for constructing high-integrity distributed services that we are presently implementing.
Book Chapter • 10.1007/3-540-58618-0_64
On Strengthening Authentication Protocols to Foil Cryptanalysis

Wenbo Mao, Colin Boyd (University of Manchester)
7 Nov 1994
TL;DR: It is shown that the abstract protocol definition can have an important effect on the ability of an attacker to mount a successful attack on an implementation, and proposed new protocols, using key derivation techniques, which achieve the same end goals as these others without this undesirable feature.
Abstract: Cryptographic protocols have usually been designed at an abstract level without concern for the cryptographic algorithms used in implementation. In this paper it is shown that the abstract protocol definition can have an important effect on the ability of an attacker to mount a successful attack on an implementation. In particular, it will be determined whether an adversary is able to generate corresponding pairs of plaintext and ciphertext to use as a lever in compromising secret keys. The ideas are illustrated by analysis of two well-known authentication systems which have been used in practice. They are Kerberos and KryptoKnight. It is shown that for the Kerberos protocol, an adversary can acquire at will an unlimited number of known plaintext-ciphertext pairs. Similarly, an adversary in the KryptoKnight system can acquire an unlimited number of data pairs which, by a less direct means, can be seen to be cryptanalytically equivalent to known plaintext-ciphertext pairs. We propose new protocols, using key derivation techniques, which achieve the same end goals as these others without this undesirable feature.
Proceedings Article • 10.1109/CCECE.1994.405757
Decomposition techniques for cryptographic protocol analysis

Morton, Robart, Tavares
25 Sep 1994
TL;DR: Decomposition techniques are used to simplify the analysis of cryptographic protocols using coloured Petri nets to locate security flaws and weaknesses using the inherent modularity of the Petri net model.
Abstract: In this paper, decomposition techniques are used to simplify the analysis of cryptographic protocols using coloured Petri nets to locate security flaws and weaknesses. These techniques exploit the inherent modularity of the Petri net model which is composed of distinct protocol entities, distinct protocol stages, and an explicit intruder model. The intruder model may embody a suite of threat characteristics, which can be used to formulate simple or complex attacks. The methodology is described in this paper and is applied to a one-way authentication protocol with two stages.
Proceedings Article • 10.5555/283849.283867
Designing encryption algorithms for real people

Bruce Schneier
3 Aug 1994
TL;DR: This paper concerns itself with software implementations of cryptographic algorithms, and proposes design heuristics for designing algorithms in the “hostile” implementation environment of real-world software development.
Abstract: There is a wide disparity between cryptographic algorithms as specified by researchers and cryptographic algorithms as implemented in software applications. Programmers are prone to implement poor key management, make mistakes coding the algorithm, and use the algorithm in ways and for periods of time not originally intended. I propose design heuristics for designing algorithms in the "hostile" implementation environment of real-world software development.

In the real world, it is easy to choose a secure encryption algorithm. There are several, all designed by respected cryptographers, all described in the open literature, and all implemented in public-domain software. It is much harder to implement the algorithm properly in a software application. As a result, implementations of the algorithm are often far less secure in practice than its creators envisioned them. While it is not strictly the job of an algorithm designer to concern himself with implementation details, it is important to realize how algorithms are used in the real world. Armed with this knowledge, a cryptographer can make his algorithms resilient to the kinds of abuses that they will most likely face in the hands of naive programmers.

This paper concerns itself with software implementations of cryptographic algorithms. Traditionally, strong encryption was almost exclusively found in special-purpose and embedded hardware. Since these hardware devices were self-contained, it was easier to design them securely and force secure implementations. Today, the increased demand for cheap encryption combined with the increased power of personal computers has made software encryption more ubiquitous. Mistakes are far more common in software cryptographic systems, because programmers have far more control over the details of a software system. They have more opportunities to make mistakes in programming, implement bad key management processes, ignore memory management issues, and cut corners to improve performance.
Proceedings Article
Structures of Highly Nonlinear Cryptographic Functions

Jennifer Seberry (University of Wollongong), Xian Mo Zhang, Yuliang Zheng (University of Wollongong)
1 Jan 1994
TL;DR: The properties and constructions of nonlinear Boolean functions, a core component of cryptographic primitives including data encryption algorithms and one-way hash functions, are studied.
Abstract: This paper studies the properties and constructions of nonlinear Boolean functions, which are a core component of cryptographic primitives including data encryption algorithms and one-way hash functions. A main contribution of this paper is to completely characterise the structures of cryptographic functions that satisfy the propagation criterion with respect to all but six or fewer vectors.
