Abstract: Non-interactive zero-knowledge proofs play an essential role in many cryptographic protocols. We suggest several NIZK proof systems based on prime order groups with a bilinear map. We obtain linear size proofs for relations among group elements without going through an expensive reduction to an NP-complete language such as Circuit Satisfiability. Security of all our constructions is based on the decisional linear assumption. The NIZK proof system is quite general and has many applications such as digital signatures, verifiable encryption and group signatures. We focus on the latter and get the first group signature scheme satisfying the strong security definition of Bellare, Shi and Zhang [7] in the standard model without random oracles where each group signature consists only of a constant number of group elements. We also suggest a simulation-sound NIZK proof of knowledge, which is much more efficient than previous constructions in the literature. Caveat: The constants are large, and therefore our schemes are not practical. Nonetheless, we find it very interesting for the first time to have NIZK proofs and group signatures that except for a constant factor are optimal without using the random oracle model to argue security.

Abstract: Security is becoming an everyday concern for a wide range of electronic systems that manipulate, communicate, and store sensitive data. An important and emerging category of such electronic systems are battery-powered mobile appliances, such as personal digital assistants (PDAs) and cell phones, which are severely constrained in the resources they possess, namely, processor, battery, and memory. This work focuses on one important constraint of such devices-battery life-and examines how it is impacted by the use of various security mechanisms. In this paper, we first present a comprehensive analysis of the energy requirements of a wide range of cryptographic algorithms that form the building blocks of security mechanisms such as security protocols. We then study the energy consumption requirements of the most popular transport-layer security protocol: Secure Sockets Layer (SSL). We investigate the impact of various parameters at the protocol level (such as cipher suites, authentication mechanisms, and transaction sizes, etc.) and the cryptographic algorithm level (cipher modes, strength) on the overall energy consumption for secure data transactions. To our knowledge, this is the first comprehensive analysis of the energy requirements of SSL. For our studies, we have developed a measurement-based experimental testbed that consists of an iPAQ PDA connected to a wireless local area network (LAN) and running Linux, a PC-based data acquisition system for real-time current measurement, the OpenSSL implementation of the SSL protocol, and parameterizable SSL client and server test programs. Based on our results, we also discuss various opportunities for realizing energy-efficient implementations of security protocols. We believe such investigations to be an important first step toward addressing the challenges of energy-efficient security for battery-constrained systems.

Abstract: Recent technologies have cleared the way for large scale application of electronic communication. The open and distributed nature of these communications implies that the communication medium is no longer completely controlled by the communicating parties. As a result, there has been an increasing demand for research in establishing secure communications over insecure networks, by means of security protocols. In this thesis, a formal model for the description and analysis of security protocols at the process level is developed. At this level, under the assumption of perfect cryptography, the analysis focusses on detecting aws and vulnerabilities of the security protocol. Starting from ??rst principles, operational semantics are developed to describe security protocols and their behaviour. The resulting model is parameterized, and can e.g. capture various intruder models, ranging from a secure network with no intruder, to the strongest intruder model known in literature. Within the security protocol model various security properties are de??ned, such as secrecy and various forms of authentication. A number of new results about these properties are formulated and proven correct. Based on the model, an automated veri??cation procedure is developed, which signi ??cantly improves over existing methods. The procedure is implemented in a prototype, which outperforms other tools. Both the theory and tool are applied in two novel case studies. Using the tool prototype, new results are established in the area of protocol composition, leading to the discovery of a class of previously undetected attacks. Furthermore, a new protocol in the area of multiparty authentication is developed. The resulting protocol is proven correct within the framework.

Abstract: The Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. This document describes the SSH transport layer protocol, which typically runs on top of TCP/IP. The protocol can be used as a basis for a number of secure network services. It provides strong encryption, server authentication, and integrity protection. It may also provide compression. Key exchange method, public key algorithm, symmetric encryption algorithm, message authentication algorithm, and hash algorithm are all negotiated. This document also describes the Diffie-Hellman key exchange method and the minimal set of algorithms that are needed to implement the SSH transport layer protocol. [STANDARDS-TRACK]

Abstract: This paper presents an overview of the CL-Atse tool, an efficient and versatile automatic analyser for the security of cryptographic protocols. CL-Atse takes as input a protocol specified as a set of rewriting rules (IF format, produced by the AVISPA compiler), and uses rewriting and constraint solving techniques to model all reachable states of the participants and decide if an attack exists w.r.t. the Dolev-Yao intruder. Any state-based security property can be modelled (like secrecy, authentication, fairness, etc...), and the algebraic properties of operators like xor or exponentiation are taken into account with much less limitations than other tools, thanks to a complete modular unification algorithm. Also, useful constraints like typing, inequalities, or shared sets of knowledge (with set operations like removes, negative tests, etc...) can also be analysed.

Abstract: Linux is the most popular open source project. The Linux random number generator is part of the kernel of all Linux distributions and is based on generating randomness from entropy of operating system events. The output of this generator is used for almost every security protocol, including TLS/SSL key generation, choosing TCP sequence numbers, and file system and email encryption. Although the generator is part of an open source project, its source code (about 2500 lines of code) is poorly documented, and patched with hundreds of code patches. We used dynamic and static reverse engineering to learn the operation of this generator. This paper presents a description of the underlying algorithms and exposes several security vulnerabilities. In particular, we show an attack on the forward security of the generator which enables an adversary who exposes the state of the generator to compute previous states and outputs. In addition we present a few cryptographic flaws in the design of the generator, as well as measurements of the actual entropy collected by it, and a critical analysis of the use of the generator in Linux distributions on diskless devices.

Abstract: We present a new mechanized prover for secrecy properties of cryptographic protocols. In contrast to most previous provers, our tool does not rely on the Dolev-Yao model, but on the computational model. It produces proofs presented as sequences of games; these games are formalized in a probabilistic polynomial-time process calculus. Our tool provides a generic method for specifying security properties of the cryptographic primitives, which can handle shared-and public-key encryption, signatures, message authentication codes, and hash functions. Our tool produces proofs valid for a number of sessions polynomial in the security parameter, in the presence of an active adversary. We have implemented our tool and tested it on a number of examples of protocols from the literature.

Abstract: Designers of RFID security protocols can choose between a wide variety of cryptographic algorithms However, when implementing these algorithms on RFID tags fierce constraints have to be considered Looking at the common assumption in the literature that hash functions are implementable in a manner suitable for RFID tags and thus heavily used by RFID security protocol designers we claim the following Current standards and state-of-the-art low-power implementation techniques favor the use of block ciphers like the Advanced Encryption Standard (AES) instead of hash functions from the SHA family as building blocks for RFID security protocols In turn, we present a low-power architecture for the widely recommended hash function SHA-256 which is the basis for the smallest and most energy-efficient ASIC implementation published so far To back up our claim we compare the achieved results with the smallest available AES implementation The AES module requires only a third of the chip area and half of the mean power Our conclusions are even stronger since we can show that smaller hash functions like SHA-1, MD5 and MD4 are also less suitable for RFID tags than the AES Our analysis of the reasons of this result gives some input for future hash function designs.

Abstract: Designers of RFID security protocols can choose between a wide variety of cryptographic algorithms However, when implementing these algorithms on RFID tags fierce constraints have to be considered Looking at the common assumption in the literature that hash functions are implementable in a manner suitable for RFID tags and thus heavily used by RFID security protocol designers we claim the following Current standards and state-of-the-art low-power implementation techniques favor the use of block ciphers like the Advanced Encryption Standard (AES) instead of hash functions from the SHA family as building blocks for RFID security protocols In turn, we present a low-power architecture for the widely recommended hash function SHA-256 which is the basis for the smallest and most energy-efficient ASIC implementation published so far To back up our claim we compare the achieved results with the smallest available AES implementation The AES module requires only a third of the chip area and half of the mean power Our conclusions are even stronger since we can show that smaller hash functions like SHA-1, MD5 and MD4 are also less suitable for RFID tags than the AES Our analysis of the reasons of this result gives some input for future hash function designs.

Abstract: We develop an analysis of the Needham-Schroeder public key protocol in the framework of membrane computing. This analysis is used to validate the protocol and exhibits, as expected, a well known logical attack. The novelty of our approach is to use multiset rewriting in a nest of membranes. The use of membranes enables us to make airtight the conditions for detecting an attack. The approach has been validated by developing a full implementation for several versions of the analysis.

Abstract: We present a three-stage quantum cryptographic protocol based on public key cryptography in which each party uses its own secret key. Unlike the BB84 protocol, where the qubits are transmitted in only one direction and classical information exchanged thereafter, the communication in the proposed protocol remains quantum in each stage. A related system of key distribution is also described.

Abstract: We propose a straightforward technique to provide peer-to-peer security in mobile networks. We show that far from being a hurdle, mobility can be exploited to set up security associations among users. We leverage on the temporary vicinity of users, during which appropriate cryptographic protocols are run. We illustrate the operation of the solution in two scenarios, both in the framework of mobile ad hoc networks. In the first scenario, we assume the presence of an offline certification authority and we show how mobility helps to set up security associations for secure routing; in this case, the security protocol runs over one-hop radio links. We further show that mobility can be used for the periodic renewal of vital security information (e.g., the distribution of hash chain/Merkle tree roots). In the second scenario, we consider fully self-organized security: Users authenticate each other by visual contact and by the activation of an appropriate secure side channel of their personal device; we show that the process can be fuelled by taking advantage of trusted acquaintances. We then show that the proposed solution is generic: It can be deployed on any mobile network and it can be implemented either with symmetric or with asymmetric cryptography. We provide a performance analysis by studying the behavior of the solution in various scenarios.

Abstract: We introduce a new method of achieving intrusion-resilience in the cryptographic protocols. More precisely we show how to preserve security of such protocols, even if a malicious program (e.g. a virus) was installed on a computer of an honest user (and it was later removed). The security of our protocols relies on the assumption that the amount of data that the adversary can transfer from the infected machine is limited (however, we allow the adversary to perform any efficient computation on user's private data, before deciding on what to transfer). We focus on two cryptographic tasks, namely: session-key generation and entity authentication. Our method is based on the results from the Bounded-Storage Model.

Abstract: We present an architecture and tools for verifying implementations of security protocols. Our implementations can run with both concrete and symbolic implementations of cryptographic algorithms. The concrete implementation is for production and interoperability testing. The symbolic implementation is for debugging and formal verification. We develop our approach for protocols written in F#, a dialect of ML, and verify them by compilation to ProVerif a resolution-based theorem prover for cryptographic protocols. We establish the correctness of this compilation scheme, and we illustrate our approach with protocols for Web services security.

Abstract: We introduce a formal model, which we call the Bounded Retrieval Model, for the design and analysis of cryptographic protocols remaining secure against intruders that can retrieve a limited amount of parties' private memory. The underlying model assumption on the intruders' behavior is supported by real-life physical and logical considerations, such as the inherent superiority of a party's local data bus over a remote intruder's bandwidth-limited channel, or the detectability of voluminous resource access by any local intruder. More specifically, we assume a fixed upper bound on the amount of a party's storage retrieved by the adversary. Our model could be considered a non-trivial variation of the well-studied Bounded Storage Model, which postulates a bound on the amount of storage available to an adversary attacking a given system. In this model we study perhaps the simplest among cryptographic tasks: user authentication via a password protocol. Specifically, we study the problem of constructing efficient password protocols that remain secure against offline dictionary attacks even when a large (but bounded) part of the storage of the server responsible for password verification is retrieved by an intruder through a remote or local connection. We show password protocols having satisfactory performance on both efficiency (in terms of the server's running time) and provable security (making the offline dictionary attack not significantly stronger than the online attack). We also study the tradeoffs between efficiency, quantitative and qualitative security in these protocols. All our schemes achieve perfect security (security against computationally-unbounded adversaries). Our main schemes achieve the interesting efficiency property of the server's lookup complexity being much smaller than the adversary's retrieval bound.

Abstract: Privacy and security are two important but seemingly contradictory objectives in a pervasive computing environment (PCE). On one hand, service providers want to authenticate legitimate users and make sure they are accessing their authorized services in a legal way. On the other hand, users want to maintain the necessary privacy without being tracked down for wherever they are and whatever they are doing. In this paper, a novel privacy preserving authentication and access control scheme to secure the interactions between mobile users and services in PCEs is proposed. The proposed scheme seamlessly integrates two underlying cryptographic primitives, namely blind signature and hash chain, into a highly flexible and lightweight authentication and key establishment protocol. The scheme provides explicit mutual authentication between a user and a service while allowing the user to anonymously interact with the service. Differentiated service access control is also enabled in the proposed scheme by classifying mobile users into different service groups. The correctness of the proposed authentication and key establishment protocol is formally verified based on Burrows-Abadi-Needham logic

Abstract: Solutions for an easy and secure setup of a wireless connection between two devices are urgently needed for WLAN, Wireless USB, Bluetooth and similar standards for short range wireless communication. All such key exchange protocols employ data authentication as an unavoidable subtask. As a solution, we propose an asymptotically optimal protocol family for data authentication that uses short manually authenticated out-of-band messages. Compared to previous articles by Vaudenay and Pasini the results of this paper are more general and based on weaker security assumptions. In addition to providing security proofs for our protocols, we focus also on implementation details and propose practically secure and efficient sub-primitives for applications.

Abstract: Symbolic analysis of cryptographic protocols is dramatically simpler than full-fledged cryptographic analysis. In particular, it is simple enough to be automated. However, symbolic analysis does not, by itself, provide any cryptographic soundness guarantees. Following recent work on cryptographically sound symbolic analysis, we demonstrate how Dolev-Yao style symbolic analysis can be used to assert the security of cryptographic protocols within the universally composable (UC) security framework. Consequently, our methods enable security analysis that is completely symbolic, and at the same time cryptographically sound with strong composability properties. More specifically, we concentrate on mutual authentication and key-exchange protocols. We restrict attention to protocols that use public-key encryption as their only cryptographic primitive and have a specific restricted format. We define a mapping from such protocols to Dolev-Yao style symbolic protocols, and show that the symbolic protocol satisfies a certain symbolic criterion if and only if the corresponding cryptographic protocol is UC-secure. For mutual authentication, our symbolic criterion is similar to the traditional Dolev-Yao criterion. For key exchange, we demonstrate that the traditional Dolev-Yao style symbolic criterion is insufficient, and formulate an adequate symbolic criterion. Finally, to demonstrate the viability of our treatment, we use an existing tool to automatically verify whether some prominent key-exchange protocols are UC-secure.

Abstract: The recently proposed universally composable security framework for analyzing security of cryptographic protocols provides very strong security guarantees. In particular, a protocol proven secure in this framework is guaranteed to maintain its security even when run concurrently with arbitrary other protocols. It has been shown that if a majority of the parties are honest, then universally composable protocols exist for essentially any cryptographic task in the plain model (i.e., with no set-up assumptions beyond that of authenticated communication). When honest majority is not guaranteed, general feasibility results are known only when given a trusted set-up, such as in the common reference string model. Only little was known regarding the existence of universally composable protocols in the plain model without honest majority, and in particular regarding the important special case of two-party protocols. We study the feasibility of universally composable two-party function evaluation in the plain model. Our results show that in this setting, very few functions can be securely computed in the framework of universal composability. We demonstrate this by providing broad impossibility results that apply to large classes of deterministic and probabilistic functions. For some of these classes, we also present full characterizations of what can and cannot be securely realized in the framework of universal composability. Specifically, our characterizations are for the classes of deterministic functions in which (a) both parties receive the same output, (b) only one party receives output, and (c) only one party has input.

Abstract: We introduce a formal model, which we call the Bounded Retrieval Model, for the design and analysis of cryptographic protocols remaining secure against intruders that can retrieve a limited amount of parties' private memory. The underlying model assumption on the intruders' behavior is supported by real-life physical and logical considerations, such as the inherent superiority of a party's local data bus over a remote intruder's bandwidth-limited channel, or the detectability of voluminous resource access by any local intruder. More specifically, we assume a fixed upper bound on the amount of a party's storage retrieved by the adversary. Our model could be considered a non-trivial variation of the well-studied Bounded Storage Model, which postulates a bound on the amount of storage available to an adversary attacking a given system. In this model we study perhaps the simplest among cryptographic tasks: user authentication via a password protocol. Specifically, we study the problem of constructing efficient password protocols that remain secure against offline dictionary attacks even when a large (but bounded) part of the storage of the server responsible for password verification is retrieved by an intruder through a remote or local connection. We show password protocols having satisfactory performance on both efficiency (in terms of the server's running time) and provable security (making the offline dictionary attack not significantly stronger than the online attack). We also study the tradeoffs between efficiency, quantitative and qualitative security in these protocols. All our schemes achieve perfect security (security against computationally-unbounded adversaries). Our main schemes achieve the interesting efficiency property of the server's lookup complexity being much smaller than the adversary's retrieval bound.

Abstract: This document defines a Session Description Protocol (SDP) cryptographic attribute for media streams. The attribute describes a cryptographic key and other parameters, which serve to configure security for a media stream. This document defines the Secure Real- time Transport Protocol (SRTP) parameters for the attribute. The SDP crypto attribute requires the services of a data security protocol to secure the SDP message.

Abstract: In this thesis, we present five significant, orthogonal extensions to the Dolev Yao model. Each extension considers a more realistic setting, closer to the real world, thus providing a stronger security guarantee. We provide examples both from the literature and from industrial case studies to show the practical applicability of each extension.

Abstract: We introduce the notion of resource-fair protocols. Informally, this property states that if one party learns the output of the protocol, then so can all other parties, as long as they expend roughly the same amount of resources. As opposed to similar previously proposed definitions, our definition follows the standard simulation paradigm and enjoys strong composability properties. In particular, our definition is similar to the security definition in the universal composability (UC) framework, but works in a model that allows any party to request additional resources from the environment to deal with dishonest parties that may prematurely abort. In this model we specify the ideally fair functionality as allowing parties to invest resources in return for outputs, but in such an event offering all other parties a fair deal. (The formulation of fair dealings is kept independent of any particular functionality, by defining it using a wrapper.) Thus, by relaxing the notion of fairness, we avoid a well-known impossibility result for fair multi-party computation with corrupted majority; in particular, our definition admits constructions that tolerate arbitrary number of corruptions. We also show that, as in the UC framework, protocols in our framework may be arbitrarily and concurrently composed. Turning to constructions, we define a commit-prove-fair-open functionality and design an efficient resource-fair protocol that securely realizes it, using a new variant of a cryptographic primitive known as time-lines. With (the fairly wrapped version of) this functionality we show that some of the existing secure multi-party computation protocols can be easily transformed into resource-fair protocols while preserving their security.

Abstract: Symbolic analysis of cryptographic protocols is dramatically simpler than full-fledged cryptographic analysis. In particular, it is simple enough to be automated. However, symbolic analysis does not, by itself, provide any cryptographic soundness guarantees. Following recent work on cryptographically sound symbolic analysis, we demonstrate how Dolev-Yao style symbolic analysis can be used to assert the security of cryptographic protocols within the universally composable (UC) security framework. Consequently, our methods enable security analysis that is completely symbolic, and at the same time cryptographically sound with strong composability properties. More specifically, we concentrate on mutual authentication and key-exchange protocols. We restrict attention to protocols that use public-key encryption as their only cryptographic primitive and have a specific restricted format. We define a mapping from such protocols to Dolev-Yao style symbolic protocols, and show that the symbolic protocol satisfies a certain symbolic criterion if and only if the corresponding cryptographic protocol is UC-secure. For mutual authentication, our symbolic criterion is similar to the traditional Dolev-Yao criterion. For key exchange, we demonstrate that the traditional Dolev-Yao style symbolic criterion is insufficient, and formulate an adequate symbolic criterion. Finally, to demonstrate the viability of our treatment, we use an existing tool to automatically verify whether some prominent key-exchange protocols are UC-secure.

Abstract: Systems and methods are provided which implement a bridge server to provide user access to one or more secure applications. A bridge server of embodiments is disposed between a user and a secure application and invokes bridge server security protocols with respect to the user and secure application security protocols with respect to the secure application. In operation according to embodiments, client applications will link into a bridge server, the user will be authenticated by the bridge server, and a valid user will be correlated to an account of the secure application by the bridge server. Bridge servers of embodiments facilitate providing features with respect to secure application user access unavailable using the secure application security protocols.

Abstract: Privacy has become a factor of increasing importance in auction design. We propose general techniques for cryptographic first-price and (M+1)st-price auction protocols that only yield the winners' identities and the selling price. Moreover, if desired, losing bidders learn no information at all, except that they lost. Our security model is merely based on computational intractability. In particular, our approach does not rely on trusted third parties, e.g., auctioneers. We present an efficient implementation of the proposed techniques based on El Gamal encryption whose security only relies on the intractability of the decisional Diffie—Hellman problem. The resulting protocols require just three rounds of bidder broadcasting in the random oracle model. Communication complexity is linear in the number of possible bids.

Abstract: Maintaining security of wearable networked health monitoring sensors (body sensor networks (BSN)) is very important for the acceptance and long term viability of the technology. Sensors in BSNs organize themselves into different topologies for efficiency purpose. Securing these topology formation process is of prime importance. In this paper we present two schemes which rely on the novel technique of using physiological values from the wearer's body for securing a cluster topology formation. Traditional schemes for cluster (one of the most commonly used topology) formation were not designed with security in mind and are susceptible to security flaws. The schemes proposed here not only solve the secure cluster formation problem but also do so efficiently by eliminating all key distribution overheads. We analyzed the security of the protocols and tested their accuracy on a prototype implementation developed using Mica2 motes.