TL;DR: It is shown that arbiter-based PUFs are realizable and well suited to build key-cards that need to be resistant to physical attacks and to be identified securely and reliably over a practical range of environmental variations such as temperature and power supply voltage.
Abstract: Modern cryptographic protocols are based on the premise that only authorized participants can obtain secret keys and access to information systems. However, various kinds of tampering methods have been devised to extract secret keys from conditional access systems such as smartcards and ATMs. Arbiter-based physical unclonable functions (PUFs) exploit the statistical delay variation of wires and transistors across integrated circuits (ICs) in manufacturing processes to build unclonable secret keys. We fabricated arbiter-based PUFs in custom silicon and investigated the identification capability, reliability, and security of this scheme. Experimental results and theoretical studies show that a sufficient amount of inter-chip variation exists to enable each IC to be identified securely and reliably over a practical range of environmental variations such as temperature and power supply voltage. We show that arbiter-based PUFs are realizable and well suited to build, for example, key-cards that need to be resistant to physical attacks.
TL;DR: A new distance-bounding protocol based on ultra-wideband pulse communication is proposed, aimed at being implementable using only simple, asynchronous, low-power hardware in the token, particularly well suited for use in passive low-cost tokens, noisy environments and high-speed applications.
Abstract: Radio-frequency identification tokens, such as contactless smartcards, are vulnerable to relay attacks if they are used for proximity authentication. Attackers can circumvent the limited range of the radio channel using transponders that forward exchanged signals over larger distances. Cryptographic distance-bounding protocols that measure accurately the round-trip delay of the radio signal provide a possible countermeasure. They infer an upper bound for the distance between the reader and the token from the fact that no information can propagate faster than at the speed of light. We propose a new distance-bounding protocol based on ultra-wideband pulse communication. Aimed at being implementable using only simple, asynchronous, low-power hardware in the token, it is particularly well suited for use in passive low-cost tokens, noisy environments and high-speed applications.
TL;DR: This work presents an RFID authentication protocol that enforces user privacy and protects against tag cloning, and shows how forward privacy is guaranteed; messages seen today will still be valid in the future, even after the tag has been compromised.
Abstract: RFID identification is a new technology that will become ubiquitous as RFID tags will be applied to every-day items in order to yield great productivity gains or smart applications for users. However, this pervasive use of RFID tags opens up the possibility for various attacks violating user privacy. In this work we present an RFID authentication protocol that enforces user privacy and protects against tag cloning. We designed our protocol with both tag-to-reader and reader-to-tag authentication in mind; unless both types of authentication are applied, any protocol can be shown to be prone to either cloning or privacy attacks. Our scheme is based on the use of a secret shared between tag and database that is refreshed to avoid tag tracing. However, this is done in such a way so that efficiency of identification is not sacrificed. Additionally, our protocol is very simple and it can be implemented easily with the use of standard cryptographic hash functions. In analyzing our protocol, we identify several attacks that can be applied to RFID protocols and we demonstrate the security of our scheme. Furthermore, we show how forward privacy is guaranteed; messages seen today will still be valid in the future, even after the tag has been compromised.
TL;DR: In this paper, a protocol for Byzantine agreement in a completely asynchronous network is presented that makes use of new cryptographic protocols, specifically protocols for threshold signatures and coin-tossing.
Abstract: Byzantine agreement requires a set of parties in a distributed system to agree on a value even if some parties are maliciously misbehaving. A new protocol for Byzantine agreement in a completely asynchronous network is presented that makes use of new cryptographic protocols, specifically protocols for threshold signatures and coin-tossing. These cryptographic protocols have practical and provably secure implementations in the random oracle model. In particular, a coin-tossing protocol based on the Diffie-Hellman problem is presented and analyzed. The resulting asynchronous Byzantine agreement protocol is both practical and theoretically optimal because it tolerates the maximum number of corrupted parties, runs in constant expected rounds, has message and communication complexity close to the optimum, and uses a trusted dealer only once in a setup phase, after which it can process a virtually unlimited number of transactions. The protocol is formulated as a transaction processing service in a cryptographic security model, which differs from the standard information-theoretic formalization and may be of independent interest.
TL;DR: Two efficient techniques enabling the use of biometric data to achieve mutual authentication or authenticated key exchange over a completely insecure (i.e., adversarially controlled) channel are shown.
Abstract: Biometric data offer a potential source of high-entropy, secret information that can be used in cryptographic protocols provided two issues are addressed: (1) biometric data are not uniformly distributed; and (2) they are not exactly reproducible. Recent work, most notably that of Dodis, Reyzin, and Smith, has shown how these obstacles may be overcome by allowing some auxiliary public information to be reliably sent from a server to the human user. Subsequent work of Boyen has shown how to extend these techniques, in the random oracle model, to enable unidirectional authentication from the user to the server without the assumption of a reliable communication channel.
We show two efficient techniques enabling the use of biometric data to achieve mutual authentication or authenticated key exchange over a completely insecure (i.e., adversarially controlled) channel. In addition to achieving stronger security guarantees than the work of Boyen, we improve upon his solution in a number of other respects: we tolerate a broader class of errors and, in one case, improve upon the parameters of his solution and give a proof of security in the standard model.
TL;DR: HLPSL, the High-Level Protocol Specification Language developed and used within the AVISPA project to model security protocols and to specify their desired properties, enjoys a formal semantics based on Lamport's Temporal Logic of Actions.
Abstract: The just recently finished EU project AVISPA, Automated Validation of Internet Security Protocols and Applications, has aimed at developing a push-button, industrial-strength technology for the analysis of large-scale Internet security-sensitive protocols and applications. In this short industrial contribution paper, after giving a very brief overview of the AVISPA project, we introduce HLPSL, the High-Level Protocol Specification Language developed and used within the project to model security protocols and to specify their desired properties. This language enjoys a formal semantics based on Lamport's Temporal Logic of Actions. HLPSL is modular and allows for the specification of control flow patterns, data-structures, alternative intruder models, and complex security properties. It is sufficiently high-level to be accessible to protocol engineers (themselves not necessarily formal methods experts), yet easily translatable into a lower-level term-rewriting based language suited to model-checking tools.
TL;DR: A constant-round protocol for general secure multiparty computation which makes a black-box use of a pseudorandom generator and which withstands an active, adaptive adversary corrupting a minority of the parties.
Abstract: We present a constant-round protocol for general secure multiparty computation which makes a black-box use of a pseudorandom generator. In particular, the protocol does not require expensive zero-knowledge proofs and its communication complexity does not depend on the computational complexity of the underlying cryptographic primitive. Our protocol withstands an active, adaptive adversary corrupting a minority of the parties. Previous constant-round protocols of this type were only known in the semi-honest model or for restricted classes of functionalities.
TL;DR: In this article, the authors introduce XOR constraints and show how they enable a theorem prover to reason effectively about security critical subsystems which employ bitwise XOR, and they also show how their technique can be applied to standard security protocols.
Abstract: We introduce XOR constraints, and show how they enable a theorem prover to reason effectively about security critical subsystems which employ bitwise XOR. Our primary case study is the API of the IBM 4758 hardware security module. We also show how our technique can be applied to standard security protocols.
TL;DR: In this article, the authors present a mechanized prover for secrecy properties of security protocols, which does not rely on the Dolev-Yao model, but on the computational model.
Abstract: We present a new mechanized prover for secrecy properties of security protocols. In contrast to most previous provers, our tool does not rely on the Dolev-Yao model, but on the computational model. It produces proofs presented as sequences of games; these games are formalized in a probabilistic polynomial-time process calculus. Our tool provides a generic method for specifying security properties of the cryptographic primitives, which can handle shared-key and public-key encryption, signatures, message authentication codes, and hash functions. Our tool produces proofs valid for a number of sessions polynomial in the security parameter, in the presence of an active adversary. We have implemented our tool and tested it on a number of examples of protocols from the literature.
TL;DR: It is shown that it is possible to obtain the best of both worlds: fully automated proofs and strong, clear security guarantees, for the case of protocols that use signatures and asymmetric encryption.
Abstract: Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomial-time attacks. The other approach relies on a symbolic model of protocol executions in which cryptographic primitives are treated as black boxes. Since the seminal work of Dolev and Yao, it has been realized that this latter approach enables significantly simpler and often automated proofs. However, the guarantees that it offers have been quite unclear.
In this paper, we show that it is possible to obtain the best of both worlds: fully automated proofs and strong, clear security guarantees. Specifically, for the case of protocols that use signatures and asymmetric encryption, we establish that symbolic integrity and secrecy proofs are sound with respect to the computational model. The main new challenges concern secrecy properties for which we obtain the first soundness result for the case of active adversaries. Our proofs are carried out using Casrul, a fully automated tool.
TL;DR: This work describes how cryptographic protocol verification techniques based on solving clause sets can be applied to detect vulnerabilities of C programs in the Dolev-Yao model, statically.
Abstract: Implementations of cryptographic protocols, such as OpenSSL for example, contain bugs affecting security, which cannot be detected by just analyzing abstract protocols (e.g., SSL or TLS). We describe how cryptographic protocol verification techniques based on solving clause sets can be applied to detect vulnerabilities of C programs in the Dolev-Yao model, statically. This involves integrating fairly simple pointer analysis techniques with an analysis of which messages an external intruder may collect and forge. This also involves relating concrete run-time data with abstract, logical terms representing messages. To this end, we make use of so-called trust assertions. The output of the analysis is a set of clauses in the decidable class $\mathcal{H}_1$, which can then be solved independently. This can be used to establish secrecy properties, and to detect some other bugs.
TL;DR: This document defines the common architecture for Multicast Security (MSEC) key management protocols to support a variety of application, transport, and network layer security protocols and describes the group security association (GSA).
Abstract: This document defines the common architecture for Multicast Security (MSEC) key management protocols to support a variety of application, transport, and network layer security protocols. It also defines the group security association (GSA), and describes the key management protocols that help establish a GSA. The framework and guidelines described in this document permit a modular and flexible design of group key management protocols for a variety of different settings that are specialized to applications needs. MSEC key management protocols may be used to facilitate secure one-to-many, many-to-many, or one-to-one communication. This memo provides information for the Internet community.
TL;DR: A (1, 2)-robust combiner is a construction that takes two candidate schemes for a cryptographic primitive and combines them into one scheme that securely implements the candidate schemes even if one of the candidates fails as discussed by the authors.
Abstract: A (1,2)-robust combiner for a cryptographic primitive ${\mathcal P}$ is a construction that takes two candidate schemes for ${\mathcal P}$ and combines them into one scheme that securely implements ${\mathcal P}$ even if one of the candidates fails. Robust combiners are a useful tool for ensuring better security in applied cryptography, and also a handy tool for constructing cryptographic protocols. For example, we discuss using robust combiners for obtaining universal schemes for cryptographic primitives (a universal scheme is an explicit construction that implements ${\mathcal P}$ under the sole assumption that ${\mathcal P}$ exists).
In this paper we study what primitives admit robust combiners. In addition to known and very simple combiners for one-way functions and equivalent primitives, we show robust combiners for protocols in the world of public key cryptography, namely for Key Agreement(KA).
The main point we make is that things are not as nice for Oblivious Transfer (OT) and in general for secure computation. We prove that there are no "transparent black-box" robust combiners for OT, giving an indication of the difficulty of finding combiners for OT. On the positive side we show a black-box construction of a (2,3)-robust combiner for OT, as well as a generic construction of (1,n)-robust OT-combiners from any (1,2)-robust OT-combiner.
TL;DR: In this article, a secure protocol for any multiparty functionality that remains secure (under a relaxed definition of security introduced by Prabhakaran and Sahai (STOC '04)) when executed concurrently with multiple copies of itself and other protocols, without any assumptions on existence of trusted parties, common reference string, honest majority or synchronicity of the network.
Abstract: We construct a secure protocol for any multiparty functionality that remains secure (under a relaxed definition of security introduced by Prabhakaran and Sahai (STOC '04)) when executed concurrently with multiple copies of itself and other protocols, without any assumptions on existence of trusted parties, common reference string, honest majority or synchronicity of the network. The relaxation of security is obtained by allowing the ideal-model simulator to run in quasipolynomial (as opposed to polynomial) time. Quasipolynomial simulation suffices to ensure security for most applications of multiparty computation. Furthermore, Lindell (FOCS '03, TCC '04) recently showed that such a protocol is impossible to obtain under the more standard definition of polynomial-time simulation by an ideal adversary. Our construction is the first such protocol under reasonably standard cryptographic assumptions (i.e., existence of a hash function collection that is collision resistant with respect to circuits of subexponential size, and existence of trapdoor permutations which are secure with respect to circuits of quasi-polynomial size). We introduce a new technique: "protocol condensing". That is, taking a protocol that has strong security properties but requires super-polynomial communication and computation, and then transforming it into a protocol with polynomial communication and computation, that still inherits the strong security properties of the original protocol. Our result is obtained by combining this technique with previous techniques of Canetti, Lindell, Ostrovsky, and Sahai (STOC '02) and Pass (STOC '04).
TL;DR: This work proposes Pretty Secure BGP, a new security protocol that trades off the strong security guarantees of S-BGP for presumed-simpler operations, while requiring a different endorsement model: each AS must select a small number of its peers from which to obtain endorsement of its prefix ownership assertions.
Abstract: The Border Gateway Protocol (BGP) is an IETF standard inter-domain routing protocol on the Internet. However, it is well known that BGP is vulnerable to a variety of attacks, and that a single misconfigured or malicious BGP speaker could result in large scale service disruption. We first summarize a set of security goals for BGP, and then propose Pretty Secure BGP (psBGP) as a new security protocol achieving these goals. psBGP makes use of a centralized trust model for authenticating Autonomous System (AS) numbers, and a decentralized trust model for verifying the propriety of IP prefix origination. We compare psBGP with S-BGP and soBGP, the two leading security proposals for BGP. We believe psBGP trades off the strong security guarantees of S-BGP for presumed-simpler operations, while requiring a different endorsement model: each AS must select a small number (e.g., one or two) of its peers from which to obtain endorsement of its prefix ownership assertions. This work contributes to the ongoing exploration of tradeoffs and balance between security guarantee, operational simplicity, and policies acceptable to the operator community.
Abstract: Sensor networks, usually built with a large number of small, low-cost sensor devices, are characterized by their large-scale and unattended deployment that invites many critical attacks, thereby necessitating high-level security support for their intended applications and services. However, making sensor networks secure is challenging due mainly to the fact that sensors are battery-powered and it is often very difficult to change or recharge their batteries. To address this challenge, we design, develop and evaluate Lightweight Security Protocols (LiSP) that cooperatively build a unified, energy-efficient security framework for sensor networks.
We present two (group-based and distributed) key management/sharing schemes that are tailored to local and remote transactions, respectively. While the group-based scheme achieves efficient and robust re-keying via key broadcasting/authentication/recovery, distributed key sharing enables the development of attack-tolerant routing protocols capable of gracefully resisting device compromises as well as replacing resource-expensive, public-key-cipher-based protocols with a purely symmetric-cipher-based alternative.
The problem of attack-tolerance is further investigated for the development of a secure localization protocol. The proposed protocol uses mutual collaboration among sensors to achieve high-level attack-tolerance in terms of detecting/identifying/rejecting sources of attacks, if present. Accordingly, it plays the role of an anomaly-based intrusion detection system tailored to localization that safeguards the network from localization-targeted attacks.
As a countermeasure against physically tampering with sensors, we develop a novel soft tamper-proofing technique that verifies integrity of the program residing in each sensor device whenever it joins the network, or is suspected to have been compromised. Unlike other techniques unsuitable for low-cost, resource-limited sensors, our technique augments such sensors to be usable for applications that require high-level security.
Finally, the benefits of our protocols are demonstrated via analysis and evaluation of their capability to defeat known security attacks, and their performance in terms of processing, communication and memory overheads.
TL;DR: The process calculus is a variant of CCS, with bounded replication and probabilistic polynomial-time expressions allowed in messages and boolean tests as discussed by the authors, where messages are scheduled probabilistically instead of nondeterministically.
Abstract: We prove properties of a process calculus that is designed for analysing security protocols. Our long-term goal is to develop a form of protocol analysis, consistent with standard cryptographic assumptions, that provides a language for expressing probabilistic polynomial-time protocol steps, a specification method based on a compositional form of equivalence, and a logical basis for reasoning about equivalence. The process calculus is a variant of CCS, with bounded replication and probabilistic polynomial-time expressions allowed in messages and boolean tests. To avoid inconsistency between security and nondeterminism, messages are scheduled probabilistically instead of nondeterministically. We prove that evaluation of any process expression halts in probabilistic polynomial time and define a form of asymptotic protocol equivalence that allows security properties to be expressed using observational equivalence, a standard relation from programming language theory that involves quantifying over all possible environments that might interact with the protocol. We develop a form of probabilistic bisimulation and use it to establish the soundness of an equational proof system based on observational equivalences. The proof system is illustrated by a formal derivation of the assertion, well-known in cryptography, that El Gamal encryption's semantic security is equivalent to the (computational) Decision Diffie-Hellman assumption. This example demonstrates the power of probabilistic bisimulation and equational reasoning for protocol security.
TL;DR: The work aims to contribute towards usage of UML for secure systems development in practice by offering automated analysis routines connected to popular CASE tools and presents an example of such an application where the approach found and corrected several serious design flaws in an industrial biometric authentication system.
Abstract: Developing security-critical systems is difficult and there are many well-known examples of security weaknesses exploited in practice. Thus a sound methodology supporting secure systems development is urgently needed. We present an extensible verification framework for verifying UML models for security requirements. In particular, it includes various plugins performing different security analyses on models of the security extension UMLsec of UML. Here, we concentrate on an automated theorem prover binding to verify security properties of UMLsec models which make use of cryptography (such as cryptographic protocols). The paper aims to contribute towards usage of UML for secure systems development in practice by offering automated analysis routines connected to popular CASE tools. We present an example of such an application where our approach found and corrected several serious design flaws in an industrial biometric authentication system.
TL;DR: In this paper, the authors describe how cryptographic protocol verification techniques based on solving clause sets can be applied to detect vulnerabilities of C programs in the Dolev-Yao model, statically, integrating fairly simple pointer analysis techniques with an analysis of which messages an external intruder may collect and forge.
Abstract: Implementations of cryptographic protocols, such as OpenSSL for example, contain bugs affecting security, which cannot be detected by just analyzing abstract protocols (e.g., SSL or TLS). We describe how cryptographic protocol verification techniques based on solving clause sets can be applied to detect vulnerabilities of C programs in the Dolev-Yao model, statically. This involves integrating fairly simple pointer analysis techniques with an analysis of which messages an external intruder may collect and forge. This also involves relating concrete run-time data with abstract, logical terms representing messages. To this end, we make use of so-called trust assertions. The output of the analysis is a set of clauses in the decidable class $\mathcal{H}_1$, which can then be solved independently. This can be used to establish secrecy properties, and to detect some other bugs.
TL;DR: Proceedings table of contents spanning invited talks on key establishment and secure protocols, cryptographic protocols, stream and block ciphers, Boolean functions, public-key encryption and cryptanalysis (including a cryptosystem based on Reducible Rank Codes), modes of operation (including GCM), signatures, traitor tracing and visual cryptography.
Abstract: Invited Talks.- Design of Secure Key Establishment Protocols: Successes, Failures and Prospects.- Secure Protocols for Complex Tasks in Complex Environments.- Cryptographic Protocols.- Tripartite Key Exchange in the Canetti-Krawczyk Proof Model.- The Marriage Proposals Problem: Fair and Efficient Solution for Two-Party Computations.- Applications.- On the Security of a Certified E-Mail Scheme.- Multiplicative Homomorphic E-Voting.- Stream Ciphers.- Chosen Ciphertext Attack on a New Class of Self-Synchronizing Stream Ciphers.- Algebraic Attacks over GF(q).- Cryptographic Boolean Functions.- Results on Algebraic Immunity for Cryptographically Significant Boolean Functions.- Generalized Boolean Bent Functions.- On Boolean Functions with Generalized Cryptographic Properties.- Foundations.- Information Theory and the Security of Binary Data Perturbation.- Symmetric Authentication Codes with Secrecy and Unconditionally Secure Authenticated Encryption.- Block Ciphers.- Faster Variants of the MESH Block Ciphers.- Related-Key Attacks on Reduced Rounds of SHACAL-2.- Related-Key Attacks on DDP Based Ciphers: CIKS-128 and CIKS-128H.- Cryptanalysis of Ake98.- Public Key Encryption.- Designing an Efficient and Secure Public-Key Cryptosystem Based on Reducible Rank Codes.- HEAD: Hybrid Encryption with Delegated Decryption Capability.- A Provably Secure Elliptic Curve Scheme with Fast Encryption.- Efficient Representations.- Advances in Alternative Non-adjacent Form Representations.- Public Key Cryptanalysis.- Attacks on Public Key Cryptosystems Based on Free Partially Commutative Monoids and Groups.- Exact Analysis of Montgomery Multiplication.- Cryptography, Connections, Cocycles and Crystals: A p-Adic Exploration of the Discrete Logarithm Problem.- Modes of Operation.- EME*: Extending EME to Handle Arbitrary-Length Messages with Associated Data.- Impossibility of Construction of OWHF and UOWHF from PGV Model Based on Block Cipher Secure Against ACPCA.- The Security and Performance of the Galois/Counter Mode (GCM) of Operation.- Signatures.- Revisiting Fully Distributed Proxy Signature Schemes.- New ID-Based Threshold Signature Scheme from Bilinear Pairings.- Separable Linkable Threshold Ring Signatures.- Traitor Tracing and Visual Cryptography.- A New Black and White Visual Cryptographic Scheme for General Access Structures.- Identification Algorithms for Sequential Traitor Tracing.
TL;DR: This paper proposes an efficient pairwise key establishment and management scheme to achieve both network connectivity and resilience for static wireless sensor networks, which supports large network size, and has lower communication and computational overhead.
Abstract: Key establishment and management is the core of security protocols for wireless sensor networks deployed in hostile environments. Due to the strict resource constraints, traditional asymmetric key cryptosystems, such as public/private key based schemes, are infeasible for large-scale wireless sensor networks. Research shows that pre-distributing pairwise keys into wireless sensor nodes before deployment is a practical way to deal with the key establishment problem. Existing random key based key pre-distribution schemes only provide probabilistic connectivity of the network and some level of network resilience. In this paper, we propose an efficient pairwise key establishment and management scheme to achieve both network connectivity and resilience for static wireless sensor networks. Compared with current key pre-distribution schemes, our scheme supports large network size, and has lower communication and computational overhead.
TL;DR: A novel gate-level countermeasure is proposed which, exploiting the insertion of random delays in the datapath of a cryptographic processor, allows us to randomize not just the instantaneous current consumption profile but also the total charge quantity transferred from the power supply during a clock cycle.
Abstract: Differential power analysis is widely recognized as an extremely powerful and low-cost technique to extract secret information from cryptographic devices. As a consequence, DPA-countermeasures have been proposed in the technical literature ranging over every abstraction level in an embedded system, from software to transistor-level techniques. In this paper, a novel gate-level countermeasure is proposed which, exploiting the insertion of random delays in the datapath of a cryptographic processor, allows us to randomize not just the instantaneous current consumption profile but also the total charge quantity transferred from the power supply during a clock cycle.
TL;DR: A framework for comparing a cryptographic implementation and its idealization w.r.t. various security notions is defined and a soundness criterion is presented, which for many theories is not only sufficient but also necessary.
Abstract: In this paper we study the link between formal and cryptographic models for security protocols in the presence of a passive adversary. In contrast to other works, we do not consider a fixed set of primitives but aim at results for an arbitrary equational theory. We define a framework for comparing a cryptographic implementation and its idealization w.r.t. various security notions. In particular, we concentrate on the computational soundness of static equivalence, a standard tool in cryptographic pi calculi. We present a soundness criterion, which for many theories is not only sufficient but also necessary. Finally, we establish new soundness results for the exclusive OR and a theory of ciphers and lists.
TL;DR: It is proved that there are no transparent black-box robust combiners for OT, giving an indication of the difficulty of finding combiners for OT and in general for secure computation.
Abstract: A (1,2)-robust combiner for a cryptographic primitive P is a construction that takes two candidate schemes for P and combines them into one scheme that securely implements P even if one of the candidates fails. Robust combiners are a useful tool for ensuring better security in applied cryptography, and also a handy tool for constructing cryptographic protocols. For example, we discuss using robust combiners for obtaining universal schemes for cryptographic primitives (a universal scheme is an explicit construction that implements P under the sole assumption that P exists). In this paper we study what primitives admit robust combiners. In addition to known and very simple combiners for one-way functions and equivalent primitives, we show robust combiners for protocols in the world of public key cryptography, namely for Key Agreement (KA). The main point we make is that things are not as nice for Oblivious Transfer (OT) and in general for secure computation. We prove that there are no transparent black-box robust combiners for OT, giving an indication of the difficulty of finding combiners for OT. On the positive side we show a black-box construction of a (2,3)-robust combiner for OT, as well as a generic construction of (1,n)-robust OT-combiners from any (1,2)-robust OT-combiner.
TL;DR: In this article, the authors introduce a new method of achieving intrusion-resilience in cryptographic protocols, which relies on the assumption that the amount of data the adversary can transfer from the infected machine is limited (however, they allow the adversary to perform any efficient computation on the user's private data before deciding what to transfer).
Abstract: We introduce a new method of achieving intrusion-resilience in cryptographic protocols. More precisely, we show how to preserve the security of such protocols even if a malicious program (e.g. a virus) was installed on the computer of an honest user (and was later removed). The security of our protocols relies on the assumption that the amount of data the adversary can transfer from the infected machine is limited (however, we allow the adversary to perform any efficient computation on the user's private data before deciding what to transfer). We focus on two cryptographic tasks, namely session-key generation and entity authentication. Our method is based on results from the Bounded-Storage Model.
TL;DR: This work provides a detailed threat analysis and a set of security protocols for VANETs; the authors show that the protocols protect privacy, analyze their robustness, and carry out a quantitative assessment of the proposed solution.
Abstract: In this work, we address the security of vehicular ad hoc networks (VANETs). We provide a detailed threat analysis and devise an appropriate security architecture. We also describe some major design decisions still to be made, which in some cases have more than mere technical implications. We provide a set of security protocols, we show that they protect privacy and we analyze their robustness, and we carry out a quantitative assessment of the proposed solution.
TL;DR: In this article, the authors define a new protection mechanism against attacks on security-enforcing operations performed by cryptographic tokens and smart cards, based on an attack detector which signals a potential attack situation to the main processing system.
Abstract: The invention defines a new protection mechanism against attacks on security-enforcing operations performed by cryptographic tokens and smart cards. It is based on an attack detector which signals a potential attack situation to the main processing system. The invention offers an easy solution to the SIM cloning problems of telecom operators that use old and breakable cryptographic algorithms such as COMP128 and do not want to invest heavily in updating their network authentication systems with more resistant authentication algorithms. This requirement is typical of telecom operators in emerging markets that do not use state-of-the-art technology.
TL;DR: A class of tree automata that perform tests on a memory updated by function symbol application and projection is introduced; it is used to show that secrecy is decidable for a class of protocols with restricted copying ability, and it is proved that without this restriction secrecy is undecidable, even for protocols without nonces.
Abstract: We introduce a class of tree automata that perform tests on a memory that is updated using function symbol application and projection. The language emptiness problem for this class of tree automata is shown to be in DEXPTIME. We also introduce a class of set constraints with equality tests and prove its decidability by completion techniques and a reduction to tree automata with one memory. Finally, we show how to apply these results to cryptographic protocols. We introduce a class of cryptographic protocols and show the decidability of secrecy for an arbitrary number of agents and an arbitrary number of (concurrent or successive) sessions, provided that only a bounded number of new data is generated. The hypothesis on the protocol (a restricted copying ability) is shown to be necessary: without this hypothesis, we prove that secrecy is undecidable, even for protocols without nonces.
TL;DR: A detailed description of the anatomy of a secure session is presented and the time spent on the various cryptographic operations (symmetric, asymmetric and hashing) during the session negotiation and data transfer is analyzed.
Abstract: A wide spectrum of e-commerce (B2B/B2C), banking, financial trading and other business applications require the exchange of data to be highly secure. The Secure Sockets Layer (SSL) protocol provides the essential ingredients of secure communications: privacy, integrity and authentication. Though it is well understood that security always comes at the cost of performance, these costs depend on the cryptographic algorithms. In this paper, we present a detailed description of the anatomy of a secure session. We analyze the time spent on the various cryptographic operations (symmetric, asymmetric and hashing) during session negotiation and data transfer. We then analyze the most frequently used cryptographic algorithms (RSA, AES, DES, 3DES, RC4, MD5 and SHA-1). We determine the key components of these algorithms (setting up key schedules, encryption rounds, substitutions, permutations, etc.) and determine where most of the time is spent. We also provide an architectural analysis of these algorithms, show the frequently executed instructions and discuss the ISA/hardware support that may be beneficial to improving SSL performance. We believe that the performance data presented in this paper is useful to performance analysts and processor architects to help accelerate SSL performance in future processors.
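The abstract above separates the cost of a primitive into setup work (key schedules, initialisation) and per-block work (rounds, compression). The following is an added example written for this page, not code from the paper: it times a primitive over several input sizes and fits a line, so that the intercept approximates the fixed per-call cost and the slope the per-byte cost. It uses only the hash functions Python's hashlib exposes (MD5 and SHA-1 from the paper's list, plus SHA-256 for comparison); the record sizes and repetition count are assumptions chosen for the example, and the same decomposition would apply to a cipher if a library providing one were available.

```python
"""Added example (not from the paper): split a primitive's cost into a fixed
per-call component and a per-byte component by timing it across input sizes
and fitting cost = per_call + per_byte * size by least squares."""
import hashlib
import os
import time

# Constructed input sizes (assumption): from a small message up to the
# 16 KiB TLS record maximum.
SIZES = [64, 256, 1024, 4096, 16384]


def time_hash(name, size, reps=200):
    """Median wall-clock time in nanoseconds of one hashlib call on a
    random `size`-byte buffer, over `reps` repetitions. The median is used
    rather than the mean so that scheduler noise does not skew the fit."""
    buf = os.urandom(size)
    samples = []
    for _ in range(reps):
        t0 = time.perf_counter_ns()
        hashlib.new(name, buf).digest()
        samples.append(time.perf_counter_ns() - t0)
    samples.sort()
    return samples[len(samples) // 2]


def fit_linear(points):
    """Least-squares fit of cost = per_call + per_byte * size.

    `points` is a list of (size, cost) pairs; returns (per_call, per_byte).
    """
    n = len(points)
    sx = sum(x for x, _ in points)
    sy = sum(y for _, y in points)
    sxx = sum(x * x for x, _ in points)
    sxy = sum(x * y for x, y in points)
    per_byte = (n * sxy - sx * sy) / (n * sxx - sx * sx)
    per_call = (sy - per_byte * sx) / n
    return per_call, per_byte


def profile(names=("md5", "sha1", "sha256"), sizes=SIZES):
    """Profile each named hash; returns {name: (per_call_ns, per_byte_ns)}."""
    out = {}
    for name in names:
        points = [(s, time_hash(name, s)) for s in sizes]
        out[name] = fit_linear(points)
    return out


if __name__ == "__main__":
    for name, (per_call, per_byte) in profile().items():
        # Below the crossover size the fixed cost dominates a record's hashing
        # time; above it the per-byte (compression-round) cost dominates.
        crossover = per_call / per_byte if per_byte > 0 else float("inf")
        print(f"{name:7s} fixed {per_call:8.0f} ns  "
              f"per-byte {per_byte:6.3f} ns  crossover ~{crossover:6.0f} bytes")
```

The intercept can come out slightly negative on a noisy machine; if it does, raise `reps` or add larger sizes so the slope is pinned down before reading the fixed cost. MD5 is unavailable under some FIPS-mode builds, in which case pass `names=("sha1", "sha256")`.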