Showing papers on "Universal composability published in 2002"
Book Chapter•10.1007/3-540-45708-9_37•
Perfect Hiding and Perfect Binding Universally Composable Commitment Schemes with Constant Expansion Factor

[...]

Ivan Damgård1, Jesper Buus Nielsen1•
Aarhus University1
18 Aug 2002
TL;DR: This article proposes universally composable commitment (UCC) schemes based on extractable q one-way homomorphisms, which can be instantiated in either perfectly hiding or perfectly binding versions.
Abstract: Canetti and Fischlin have recently proposed the security notion universal composability for commitment schemes and provided two examples. This new notion is very strong. It guarantees that security is maintained even when an unbounded number of copies of the scheme are running concurrently, and it also guarantees non-malleability and security against adaptive adversaries. Both proposed schemes use Θ(k) bits to commit to one bit and can be based on the existence of trapdoor commitments and non-malleable encryption. We present new universally composable commitment (UCC) schemes based on extractable q one-way homomorphisms. These in turn exist based on the Paillier cryptosystem, the Okamoto-Uchiyama cryptosystem, or the DDH assumption. The schemes are efficient: to commit to k bits, they use a constant number of modular exponentiations and communicate O(k) bits. Furthermore, the schemes can be instantiated in either perfectly hiding or perfectly binding versions. These are the first schemes to show that constant expansion factor, perfect hiding, and perfect binding can be obtained for universally composable commitments. We also show how the schemes can be applied to do efficient zero-knowledge proofs of knowledge that are universally composable.

223 citations

Proceedings Article•10.1109/SECPRI.2002.1004362•
P⁵: a protocol for scalable anonymous communication

[...]

Rob Sherwood1, Bobby Bhattacharjee1, Aravind Srinivasan1•
University of Maryland, College Park1
12 May 2002
TL;DR: A novel feature of P⁵ is that it allows individual participants to trade off degree of anonymity for communication efficiency, and hence can be used to scalably implement large anonymous groups.
Abstract: We present a protocol for anonymous communication over the Internet. Our protocol, called P⁵ (peer-to-peer personal privacy protocol), provides sender-, receiver-, and sender-receiver anonymity. P⁵ is designed to be implemented over current Internet protocols, and does not require any special infrastructure support. A novel feature of P⁵ is that it allows individual participants to trade off degree of anonymity for communication efficiency, and hence can be used to scalably implement large anonymous groups. We present a description of P⁵, an analysis of its anonymity and communication efficiency, and evaluate its performance using detailed packet-level simulations.

216 citations

Book Chapter•10.1007/3-540-45789-5_25•
From Secrecy to Authenticity in Security Protocols

[...]

Bruno Blanchet1•
Max Planck Society1
17 Sep 2002
TL;DR: A new technique for verifying authenticity in cryptographic protocols is presented: it is fully automatic, handles an unbounded number of sessions of the protocol, and is efficient in practice.
Abstract: We present a new technique for verifying authenticity in cryptographic protocols. This technique is fully automatic, it can handle an unbounded number of sessions of the protocol, and it is efficient in practice. It significantly extends a previous technique for the verification of secrecy. The protocol is represented in an extension of the pi calculus with fairly arbitrary cryptographic primitives. This protocol representation includes the authentication specification to be verified, but no other annotation. Our technique has been proved correct, implemented, and tested on various protocols from the literature. The experimental results show that we can verify these protocols in less than 1 s.

177 citations

Journal Article•10.1109/12.995447•
A secure fault-tolerant conference-key agreement protocol

[...]

Wen-Guey Tzeng1•
National Chiao Tung University1
01 Apr 2002-IEEE Transactions on Computers
TL;DR: This paper proposes a provably secure fault-tolerant conference-key agreement protocol under the authenticated broadcast channel model and shows that even if the broadcast channel is not authenticated, the protocol is secure against impersonators under the random oracle model.
Abstract: When a group of people want to communicate securely over an open network, they run a conference-key protocol to establish a common conference key K such that all their communications thereafter are encrypted with the key K. In this paper, we propose a provably secure fault-tolerant conference-key agreement protocol under the authenticated broadcast channel model. We show that a passive adversary gets zero knowledge about the conference key established by the honest participants under the assumption of a variant Diffie-Hellman (1976) decision problem. We also show that the honest participants can agree on a common conference key no matter how many participants are malicious. Furthermore, we show that even if the broadcast channel is not authenticated, our protocol is secure against impersonators under the random oracle model.

97 citations

Book Chapter•10.1007/3-540-46017-9_14•
Using SPIN to Verify Security Properties of Cryptographic Protocols

[...]

Paolo Maggi1, Riccardo Sisto1•
Polytechnic University of Turin1
11 Apr 2002
TL;DR: Using the model built, Spin can find a known attack on the protocol, and it correctly validates the fixed version of the protocol.
Abstract: This paper explores the use of Spin for the verification of cryptographic protocol security properties. A general method is proposed to build a Promela model of the protocol and of the intruder capabilities. The method is illustrated showing the modeling of a classical case study, i.e. the Needham-Schroeder Public Key Authentication Protocol. Using the model so built, Spin can find a known attack on the protocol, and it correctly validates the fixed version of the protocol.

84 citations

Journal Article•
Perfect hiding and perfect binding universally composable commitment schemes with constant expansion factor

[...]

Ivan Damgård1, Jesper Buus Nielsen1•
Aarhus University1
01 Jan 2002-Lecture Notes in Computer Science
TL;DR: Canetti and Fischlin recently proposed the security notion of universal composability for commitment schemes and provided two examples, which use Θ(k) bits to commit to one bit and can be based on the existence of trapdoor commitments and non-malleable encryption; this paper gives new schemes with constant expansion factor.
Abstract: Canetti and Fischlin have recently proposed the security notion universal composability for commitment schemes and provided two examples. This new notion is very strong. It guarantees that security is maintained even when an unbounded number of copies of the scheme are running concurrently, and it also guarantees non-malleability and security against adaptive adversaries. Both proposed schemes use Θ(k) bits to commit to one bit and can be based on the existence of trapdoor commitments and non-malleable encryption. We present new universally composable commitment (UCC) schemes based on extractable q one-way homomorphisms. These in turn exist based on the Paillier cryptosystem, the Okamoto-Uchiyama cryptosystem, or the DDH assumption. The schemes are efficient: to commit to k bits, they use a constant number of modular exponentiations and communicate O(k) bits. Furthermore, the schemes can be instantiated in either perfectly hiding or perfectly binding versions. These are the first schemes to show that constant expansion factor, perfect hiding, and perfect binding can be obtained for universally composable commitments. We also show how the schemes can be applied to do efficient zero-knowledge proofs of knowledge that are universally composable.

83 citations

Journal Article•
Is it possible to decide whether a cryptographic protocol is secure or not

[...]

H. Comon, Vitaly Shmatikov
01 Jan 2002-Journal of telecommunications and information technology
TL;DR: This work considers the so called “cryptographic protocols” whose aim is to ensure some security properties when communication channels are not reliable, and surveys recent work on decision techniques for the cryptographic protocol analysis.
Abstract: We consider the so called “cryptographic protocols” whose aim is to ensure some security properties when communication channels are not reliable. Such protocols usually rely on cryptographic primitives. Even if it is assumed that the cryptographic primitives are perfect, the security goals may not be achieved: the protocol itself may have weaknesses which can be exploited by an attacker. We survey recent work on decision techniques for the cryptographic protocol analysis.

79 citations

Book Chapter•10.1007/3-540-46088-8_26•
Optimistic Fair Exchange with Transparent Signature Recovery

[...]

Olivier Markowitch1, Shahrokh Saeednia1•
Université libre de Bruxelles1
19 Feb 2002
TL;DR: A new protocol allowing the exchange of an item against a signature while assuring fairness is proposed, which assumes the existence of a trusted third party that is involved in the protocol only when one of the parties does not follow the designated protocol or some technical problem occurs during the execution of the protocol.
Abstract: We propose a new protocol allowing the exchange of an item against a signature while assuring fairness. The proposed protocol, based on the Girault-Poupard-Stern signature scheme (a variation of the Schnorr scheme), assumes the existence of a trusted third party that, except in the setup phase, is involved in the protocol only when one of the parties does not follow the designated protocol or some technical problem occurs during the execution of the protocol. The interesting feature of the protocol is the low communication and computational charges required by the parties. Moreover, in case of problems during the main protocol, the trusted third party can derive the same digital signature as the one transmitted in a faultless case, rather than an affidavit or an official certificate.

68 citations

Posted Content•
Evaluating Security of Voting Schemes in the Universal Composability Framework.

[...]

Jens Groth1, Jens Groth2•
Aarhus University1, Cryptomathic2
01 Jan 2002-IACR Cryptology ePrint Archive
TL;DR: In this paper, the authors investigate the security properties of homomorphic threshold encryption voting protocols in the universal composability framework, show with a concrete example that they are not secure against adaptive adversaries, and sketch how to make them adaptively secure in the erasure model with virtually no loss of efficiency.
Abstract: In the literature, voting protocols are considered secure if they satisfy requirements such as privacy, accuracy, robustness, etc. It can be time consuming to evaluate a voting protocol with respect to all these requirements and it is not clear that the list of known requirements is complete. Perhaps because of this many papers on electronic voting do not offer any security proof at all. As a solution to this, we suggest evaluating voting schemes in the universal composability framework. We investigate the popular class of voting schemes based on homomorphic threshold encryption. It turns out that schemes in this class realize an ideal voting functionality that takes the votes as input and outputs the result. This ideal functionality corresponds closely to the well-known ballot box model used today in manual voting. Security properties such as privacy, accuracy and robustness now follow as easy corollaries. We note that some security requirements, for instance incoercibility, are not addressed by our solution. Security holds in the random oracle model against a non-adaptive adversary. We show with a concrete example that the schemes are not secure against adaptive adversaries. We proceed to sketch how to make them secure against adaptive adversaries in the erasure model with virtually no loss of efficiency. We also sketch how to achieve security against adaptive adversaries in the erasure-free model.

58 citations

Book Chapter•10.1007/3-540-36231-2_18•
Identity Based Authenticated Group Key Agreement Protocol

[...]

K. C. Reddy1, Divya Nalla•
University of Hyderabad1
16 Dec 2002
TL;DR: This paper proposes the first Identity based Group Key Agreement protocol by extending the Identity based two-party Authenticated Key Agreement Protocol using the One-way function trees.
Abstract: An important and popular trend in modern computing is to convert traditional centralized services into distributed services spread across multiple systems and networks. One-way function trees can be used to extend two-party Key Agreement protocols to n-party protocols. Tree-based Group Diffie-Hellman [17] is one such protocol. This paper proposes the first Identity based Group Key Agreement protocol by extending the Identity based two-party Authenticated Key Agreement protocol [13] using the One-way function trees. A new function called the transformation function is defined, which is required in generating keys at any level from a lower level key in the key tree. The new protocol provides complete forward and backward secrecy. Authentication is implicit in this protocol, whereas it has to be explicitly dealt with in other Key Agreement protocols. ID-AGKA protocol is more advantageous for systems without a deployed PKI.

57 citations

Proceedings Article•10.1109/DEXA.2002.1045943•
Role based specification and security analysis of cryptographic protocols using asynchronous product automata

[...]

Sigrid Gürgens1, Peter Ochsenschläger1, Carsten Rudolph1•
Fraunhofer Society1
2 Sep 2002
TL;DR: The approach differs from others in that protocol specifications do not use implicit assumptions, so protocol security does not depend on whether some implicit assumptions are reasonable for a particular environment; therefore, protocol specifications explicitly provide relevant information for secure implementations.
Abstract: Cryptographic protocols are formally specified as a system of protocol agents using asynchronous product automata (APA). APA are a universal and very flexible operational description concept for communicating automata. Their specification, analysis and verification is supported by the SH-verification tool (SHVT). The local state of each agent is structured in several components describing its knowledge of keys, its "view" of the protocol and the goals to be reached within the protocol. Communication is modeled by adding messages to and removing them from a shared state component network. Cryptography is modeled by symbolic functions with certain properties. In addition to the regular protocol agents an intruder is specified, which has no access to the agents' local states but to the network. The intruder may intercept messages and create new ones based on his initial knowledge and on what he can extract from intercepted messages. Violations of the security goals can be found by state space analysis performed by the SHVT. The method is demonstrated using the symmetric Needham-Schroeder protocol, and an attack is presented that does not involve compromised session keys. Our approach differs from others in that protocol specifications do not use implicit assumptions, thus protocol security does not depend on whether some implicit assumptions made are reasonable for a particular environment. Therefore, our protocol specifications explicitly provide relevant information for secure implementations.
Journal Article•10.1016/S1571-0661(04)80341-4•
Programming Satan's Agents

[...]

Volker Roth1•
Fraunhofer Society1
01 May 2002-Electronic Notes in Theoretical Computer Science
TL;DR: Flaws in protocols proposed by Corradi et al., Karjoth et al.
Journal Article•10.1049/EL:20020998•
Improved Yen-Joye's authenticated multiple-key agreement protocol

[...]

Min-Shiang Hwang1, Chih-Wei Lin1, Cheng-Chi Lee2•
Chaoyang University of Technology1, National Chiao Tung University2
07 Nov 2002-Electronics Letters
TL;DR: An authenticated multiple-key agreement protocol is proposed, which is not only secure against the unknown-key attack but also more efficient than other protocols.
Abstract: An authenticated multiple-key agreement protocol is proposed. The protocol is not only secure against the unknown-key attack but also more efficient than other protocols.
Patent•
System, protocol and related methods for providing secure manageability

[...]

Roy Callum1•
Intel1
27 Mar 2002
TL;DR: In this article, a communication protocol is introduced comprising an authentication protocol, responsive to an initialization event in a host device, to authenticate a remote device and establish an initial anti-replay value, and a secure communication protocol, selectively invoked upon authentication of the remote device to facilitate subsequent communications between at least the host device and the authenticated remote device.
Abstract: A system, protocol and related methods for providing secure manageability are generally described. In this regard, a communication protocol is introduced comprising an authentication protocol, responsive to an initialization event in a host device, to authenticate a remote device and establish an initial anti-replay value, and a secure communication protocol, selectively invoked upon authentication of the remote device, to facilitate subsequent communications between at least the host device and the authenticated remote device utilizing the initial anti-replay value in at least a first of said subsequent communications.
Proceedings Article•10.1109/ICDCS.2002.1022295•
Design of adaptive and reliable mobile agent communication protocols

[...]

C. Jiannong, Xinyu Feng, Jian Lu, Sajal K. Das1•
University of Texas at Arlington1
2 Jul 2002
TL;DR: A mailbox-based scheme for designing flexible and adaptive message delivery protocols in mobile agent (MA) systems is presented and a taxonomy of MA communication protocols is developed, which not only covers, as special cases, several known MA message Delivery protocols, but also allows for the design of new ones well suited for various application requirements.
Abstract: This paper presents a mailbox-based scheme for designing flexible and adaptive message delivery protocols in mobile agent (MA) systems. The scheme associates each mobile agent with a mailbox while allowing the decoupling between them, i.e., a mobile agent can migrate to a new site without bringing its mailbox. By separating the concerns of locating the mailbox of a mobile agent and delivering a message to the agent, we obtain a large space of protocol design with flexibility. Using a three-dimensional model based on the scheme, we have developed a taxonomy of MA communication protocols, which not only covers, as special cases, several known MA message delivery protocols, but also allows for the design of new ones well suited for various application requirements. We describe such an efficient and adaptive protocol derived from the model. The protocol guarantees reliable delivery of messages to mobile agents. We analyze the design trade-offs and performance of the protocol, using an analytic model as well as extensive simulation experiments.
An automatic approach for building secure systems

[...]

Xiaodong Dawn Song, Doug Tygar
1 Jan 2002
TL;DR: A new automatic approach for building secure systems is proposed, which is faster and more economical, yields protocols and implementations of higher security and efficiency, and is the first approach for automatic generation of security protocols.
Abstract: Building a secure system is one of the most complex and error-prone processes in computing. Unfortunately, the current design and development process is primarily manual, ad hoc, and far from satisfactory. In this thesis, I propose a new automatic approach for building secure systems. With this approach, users only need to specify desired security and system requirements. Such an automatic system can then explore the possible design space, generate design candidates, evaluate those candidates to find the most efficient correct design, and finally generate source code implementing the optimal design. Compared to the manual design and development process, this automatic approach is faster and more economical, and yields protocols and implementations of higher security and efficiency. To demonstrate this automatic approach for building secure systems, we have focused on one of the most important aspects, designing and developing security protocols. In particular, I have designed and developed an automatic toolbox, called Athena, for automatic protocol generation, verification and implementation. The system contains three components: the automatic protocol generator (APG), the automatic protocol verifier (APV), and the automatic code generator (ACG). APV proposes a new automatic approach for security protocol analysis. Given a security protocol and desired security requirements, APV analyzes the protocol automatically. When APV terminates, it can either generate a proof of correctness, if the protocol satisfies the given requirements, or generate a counterexample, if the protocol is flawed. APV is the first automatic approach that has both the capability of providing a proof of correctness when the protocol is correct and the capability of generating a counterexample when the protocol is flawed. Athena runs efficiently and this high efficiency enables the approach of automatic protocol generation.
APG uses powerful pruning techniques to drastically reduce the protocol search space. It is the first approach for automatic generation of security protocols. In our experiments, APG has generated new protocols that are more efficient than previous protocols proposed in the literature for different system settings. The composition of APG, APV and ACG forms an end-to-end system, Athena, which is the first system able to automatically generate, verify, and implement security protocols.
Journal Article•
Analysis of a security protocol in μCRL

[...]

Jun Pang
01 Jan 2002-Report - Software engineering
TL;DR: In this article, the authors present how the process-algebraic language μCRL can be used to specify and analyze security protocols, including the Needham-Schroeder public-key protocol.
Abstract: With the growth and commercialization of the Internet, the security of communication between computers becomes a crucial point. A variety of security protocols based on cryptographic primitives are used to establish secure communication over insecure open networks and distributed systems. Unfortunately, security protocols often contain serious errors. Formal verification can be used to obtain assurance that a protocol cannot be attacked by an intruder. In this paper, we present how the process-algebraic language μCRL can be used to specify and analyze security protocols. To illustrate the feasibility of our approach, we analyze the Needham-Schroeder public-key protocol and reproduce the error found by Gavin Lowe [Low96a]. Two more definitions of authentication are studied. We give some remarks on our approach and discuss some possible directions for future work.
Journal Article•10.1023/A:1012916831123•
Deriving Efficient Cache Coherence Protocols Through Refinement

[...]

Ratan Nalumasu, Ganesh Gopalakrishnan1•
University of Utah1
1 Jan 2002
TL;DR: This paper proposes a method in which the users state the desired protocol directly in terms of the desired high-level effect, namely synchronization and coordination, using the synchronous rendezvous construct, which is much easier to understand and computationally more efficient to verify than asynchronous protocols due to their small state spaces.
Abstract: We address the problem of developing efficient cache coherence protocols for use in distributed systems implementing distributed shared memory (DSM) using message passing. A serious drawback of traditional approaches to this problem is that the users are required to state the desired coherence protocol at the level of asynchronous message interactions involving request, acknowledge, and negative acknowledge messages, and handle unexpected messages by introducing intermediate states. Proofs of correctness of protocols described in terms of low level asynchronous messages are very involved. Often the proofs hold only for specific configurations and buffer allocations. We propose a method in which the users state the desired protocol directly in terms of the desired high-level effect, namely synchronization and coordination, using the synchronous rendezvous construct. These descriptions are much easier to understand and computationally more efficient to verify than asynchronous protocols due to their small state spaces. The rendezvous protocol can also be synthesized into efficient asynchronous protocols. In this paper, we present our protocol refinement procedure, prove its soundness, and provide examples of its efficiency. Our synthesis procedure applies to large classes of DSM protocols.
Book Chapter•10.1007/978-3-540-45133-4_7•
Towards Interaction Protocol Operations for Large Multi-agent Systems

[...]

Joaquín Peña, Rafael Corchuelo, José Luis Arjona
29 Oct 2002
TL;DR: Two algorithms to extract the protocol of a role from the protocol of a role model and vice versa, which automate the synthesis of role models at the protocol level, are presented.
Abstract: It is widely accepted that role-based modelling is quite adequate in the context of multi-agent systems (MAS) modelling techniques. Unfortunately, very little work has been reported on how to describe the relationships between several role models. Furthermore, many authors agree that protocols need to be encapsulated into high-level abstractions. The synthesis of role models is an operation presented in the OORAM methodology that allows us to build new role models from others in order to represent the interrelations they have. To the best of our knowledge this operation has to be performed manually at protocol level and works with protocols expressed by means of messages. In this paper, we present two algorithms to extract the protocol of a role from the protocol of a role model and vice versa that automate the synthesis of role models at the protocol level. Furthermore, in order to deal with protocol descriptions in a top-down approach, both operations work with protocols expressed by means of an abstraction called multi-role interaction (mRI).
Book Chapter•10.1007/3-540-45628-7_20•
Planning Attacks to Security Protocols: Case Studies in Logic Programming

[...]

Luigia Carlucci Aiello1, Fabio Massacci•
Sapienza University of Rome1
01 Jan 2002-Lecture Notes in Computer Science
TL;DR: This paper shows how to use ALSP for modeling two significant case studies in protocol verification: the classical Needham-Schroeder public-key protocol, and Aziz-Diffie Key agreement protocol for mobile communication.
Abstract: Formal verification of security protocols has become a key issue in computer security. Yet, it has proven to be a hard task, often error prone and discouraging for non-experts in formal methods. In this paper we show how security protocols can be specified and verified efficiently and effectively by embedding reasoning about actions into a logic programming language. In a nutshell, we view a protocol trace as a plan to achieve a goal, so that protocol attacks are plans achieving goals that correspond to security violations. Building on results from logic programming and planning, we map the existence of an attack to a protocol into the existence of a model for the protocol specification that satisfies the specification of an attack. To streamline such way of modeling security protocols, we use a description language ALSP which makes it possible to describe protocols with declarative ease and to search for attacks by relying on efficient model finders (e.g. the smodels systems by Niemela and his group). This paper shows how to use ALSP for modeling two significant case studies in protocol verification: the classical Needham-Schroeder public-key protocol, and Aziz-Diffie Key agreement protocol for mobile communication.
Proceedings Article•10.1109/DANCE.2002.1003490•
Composite protocols for innovative active services

[...]

G. Minden1, E. Komp1, S. Ganje1, A. Kannan1, S. Subramaniam1, S. Tan1, S. Vallabhaneni1, Joseph B. Evans1 •
University of Kansas1
29 May 2002
TL;DR: A modular approach for specifying and implementing network protocols that partitions protocols into single function modules called protocol components, which is amenable to rapid definition of Protocol components, rapid composition of protocol components into protocols, and automatic analysis and manipulation of complete protocols.
Abstract: We define a modular approach for specifying and implementing network protocols. Our approach partitions protocols into single function modules called protocol components. Each protocol component is specified in terms of finite state machines, action functions, memory, memory operations, and properties. This specification is amenable to rapid definition of protocol components, rapid composition of protocol components into protocols, and automatic analysis and manipulation of complete protocols.
Journal Article•
Analysis and Implementation of Communication Protocol of CAN

[...]

Jiang Jianwen
01 Jan 2002-Computer Engineering
TL;DR: In CAN specification 2.0A only the physical layer and data link layer are defined, so users must design a communication protocol before they use it; a method of implementing such a communication protocol is brought forward.
Abstract: In CAN specification 2.0A, there are only physical layer and data link layer defined; users must design communication protocol before they use it. According to CAN specification 2.0A, implementation of communication protocol of CAN is analyzed on the basis of data frame structure. A method of implementation of communication protocol of CAN is brought forward. The flexible use of CAN is achieved.
10.5075/EPFL-THESIS-2511•
Building blocks for secure services

[...]

Levente Buttyán
1 Jan 2002
TL;DR: This thesis proposes an original formal model for exchange protocols, which is based on game theory, and illustrates how the formal model can be used for rigorous verification of existing protocols by analyzing two exchange protocols and formally proving that they satisfy the definition of rational exchange.
Abstract: This thesis is concerned with two security mechanisms: authenticated key transport and rational exchange protocols. These mechanisms are potential building blocks in the security architecture of a range of different services. Authenticated key transport protocols are used to build secure channels between entities, which protect their communications against eavesdropping and alteration by an outside attacker. In contrast, rational exchange protocols can be used to protect the entities involved in an exchange transaction from each other. This is important, because often the entities do not trust each other, and both fear that the other will gain an advantage by misbehaving. Rational exchange protocols alleviate this problem by ensuring that a misbehaving party cannot gain any advantages. This means that misbehavior becomes uninteresting and it should happen only rarely. The thesis is focused on the construction of formal models for authenticated key transport and rational exchange protocols. In the first part of the thesis, we propose a formal model for key transport protocols, which is based on a logic of belief. Building on this model, we also propose an original systematic protocol construction approach. The main idea is that we reverse some implications that can be derived from the axioms of the logic, and turn them into synthesis rules. The synthesis rules can be used to construct a protocol and to derive a set of assumptions starting from a set of goals. The main advantage is that the resulting protocol is guaranteed to be correct in the sense that all the specified goals can be derived from the protocol and the assumptions using the underlying logic. Another important advantage is that all the assumptions upon which the correctness of the protocol depends are made explicit.
The protocol obtained in the synthesis process is an abstract protocol, in which idealized messages that contain logical formulae are sent on channels with various access properties. The abstract protocol can then be implemented in several ways by replacing the idealized messages and the channels with appropriate bit strings and cryptographic primitives, respectively. We illustrate the usage of the logic and the synthesis rules through an example: We analyze an authenticated key transport protocol proposed in the literature, identify several weaknesses, show how these can be exploited by various attacks, and finally, we redesign the protocol using the proposed systematic approach. We obtain a protocol that resists against the presented attacks, and in addition, it is simpler than the original one. In the second part of the thesis, we propose an original formal model for exchange protocols, which is based on game theory. In this model, an exchange protocol is represented as a set of strategies in a game played by the protocol parties and the network that they use to communicate with each other. We give formal definitions for various properties of exchange protocols in this model, including rationality and fairness. Most importantly, rationality is defined in terms of a Nash equilibrium in the protocol game. The model and the formal definitions allow us to rigorously study the relationship between rational exchange and fair exchange, and to prove that fairness implies rationality (given that the protocol satisfies some further usual properties), but the reverse is not true in general. We illustrate how the formal model can be used for rigorous verification of existing protocols by analyzing two exchange protocols, and formally proving that they satisfy the definition of rational exchange. 
We also present an original application of rational exchange: We show how the concept of rationality can be used to improve a family of micropayment schemes with respect to fairness without substantial loss in efficiency. Finally, in the third part of the thesis, we extend the concept of rational exchange, and describe how similar ideas can be used to stimulate the nodes of a self-organizing ad hoc network for cooperation. More precisely, we propose an original approach to stimulate the nodes for packet forwarding. Like in rational exchange protocols, our design does not guarantee that a node cannot deny packet forwarding, but it ensures that it cannot gain any advantages by doing so. We analyze the proposed solution analytically and by means of simulation.
Proceedings Article•10.1109/WCNC.2002.993532•
Adaptive protocols for energy-efficient spread-spectrum wireless networks

[...]

M.B. Pursley1, Harlan B. Russell1, Jeffrey S. Wysocarski1•
Clemson University1
17 Mar 2002
TL;DR: A set of adaptive protocols for mobile wireless frequency-hop spread-spectrum communication networks is described, which control the transmission of packets on each link in the network and the routing of packets through the network.
Abstract: A set of adaptive protocols for mobile wireless frequency-hop spread-spectrum communication networks is described. The primary elements of the protocol suite are the adaptive-transmission protocol, the adaptive-routing protocol, and the adaptive-forwarding protocol. Together, these protocols control the transmission of packets on each link in the network and the routing of packets through the network. Each protocol interacts with the other protocols and with elements of the physical layer in order to obtain information about the energy requirements and interference conditions of the alternative routes. The protocols adapt their responses to the observed changes in these energy requirements and interference conditions. No measurements of the signal-to-noise ratio or the received power are required by the adaptive protocols.
Using ENDL to Verify Cardholder Registration in SET Protocol

[...]

Qingfeng Chen1, Chengqi Zhang1•
University of Technology, Sydney1
1 Jan 2002
TL;DR: The whole verification of the cardholder registration process is described in this paper, using ENDL, a logic the authors developed to formally verify the authentication properties of secure transaction protocols.
Abstract: Secure electronic commerce relies on the application of secure transaction protocols. However, even with a so-called secure protocol, the communication can frequently be compromised if there is no effective approach to detect subtle flaws before the protocol is put into practice. We developed ENDL [2], which is used to formally verify the authentication properties of secure transaction protocols. In our previous work [3] we showed how to employ it to describe the complicated security properties of secure protocols, especially the instances in the SET (Secure Electronic Transaction) protocol. The first stage of the SET protocol, namely Cardholder Registration, has been defined in [1], which formally describes in outline the seven fundamental steps of the flow of transactions. Based on ENDL, we describe the whole verification of the cardholder registration process in this paper. Some potentially dangerous flaws of the SET protocol are noted while verifying the protocol.
Proceedings Article•10.1109/LCN.2002.1181810•
Improving the performance of real-time communication services on high-speed LANs under topology changes

[...]

Joaquin Fernández, José M. García, José Duato
6 Nov 2002
TL;DR: A new protocol that provides topology-change- and fault-tolerant real-time communication services on NOW and clusters is proposed and evaluated; it outperforms the DRRTC protocol while guaranteeing deadline requirements and channel recovery.
Abstract: In this paper, we propose and evaluate a new protocol that provides topology-change- and fault-tolerant real-time communication services on NOW and clusters. This protocol overcomes the main drawback of our previously proposed protocol, called Dynamically Re-established Real-Time Channels (DRRTC), which is physically limited by the number of virtual channels per port. The new protocol allows different real-time channels to share the same virtual channel. In this way, the new protocol allows us to establish a greater number of real-time channels than the previous one. Moreover, its only limitation is the bandwidth devoted to real-time traffic. However, this introduces two new problems that are successfully managed by the new protocol: the existence of cyclic dependencies among different real-time channels and the increased complexity of deadline requirements. We present and analyze the performance evaluation results when a single switch or a single link is deactivated/activated for different topologies and workloads. The new protocol outperforms the DRRTC protocol while guaranteeing deadline requirements and channel recovery.
Journal Article•
Research on Internet Key Exchange Protocol

[...]

LI Zhenjiang
01 Jan 2002-Computer Engineering
TL;DR: This article introduces IKE protocol at first, then makes formal analysis on a certain key exchange mode by logical method, and proves the correctness of IKE.
Abstract: Key exchange protocols are a main type of cryptographic protocol, and secure communication over open networks is based on secure and reliable key exchange. As an indispensable part of the IPSEC protocol family, the Internet Key Exchange protocol (IKE) plays a very important role in secure communication and services over the Internet and has become a focus of cryptographic protocol analysis and research. This article first introduces the IKE protocol, then makes a formal analysis of a particular key exchange mode by a logical method, and proves the correctness of IKE.
A New Secure Vickrey Auction Protocol

[...]

Chen Xiao
1 Jan 2002
TL;DR: A new secure Vickrey auction protocol is presented by using the bit commitment protocol, multi party secure computation protocol and the ElGamal encryption scheme to support the optimal distribution of goods.
Abstract: A new secure Vickrey auction protocol is presented in this paper by using the bit commitment protocol, the multi-party secure computation protocol and the ElGamal encryption scheme. With the advantages of anonymity, privacy and efficiency, the protocol also supports the optimal distribution of goods. Even when some bidder colludes with the auctioneer, the protocol is still secure and valid.
Communication protocols for logic-based agents

[...]

Ulrich Endriss1, Nicolas Maudet1, Fariba Sadri1, Francesca Toni1•
Imperial College London1
1 Jan 2002
TL;DR: When agents are involved in interactions where no concurrency is allowed, a popular representation formalism for protocols is the deterministic finite automaton; an alternative, logic-based formalism is proposed.
Abstract: Protocols. A protocol specifies the “rules of encounter” governing a dialogue between agents [2]. It specifies which agent is allowed to say what in a given situation. It will usually allow for several alternative utterances in every situation, and the agent in question has to choose one according to its strategy. The protocol is public, while each agent’s strategy is private. When agents are involved in interactions where no concurrency is allowed, a popular representation formalism for protocols is the deterministic finite automaton; below we will propose an alternative, logic-based formalism. First we are going to discuss the notion of conformance to a protocol on a more general level.
Proceedings Article•10.1109/ICCS.2002.1183270•
A security protocol providing QoS in ATM networks

[...]

F. Schlake1, Christoph Ruland2•
University of Siegen1, Ohio State University2
25 Nov 2002
TL;DR: A new Three-Way SME_Q Protocol is introduced, which provides the simultaneous capability of implementing required security services, while still offering the user-requested QoS parameters during an ATM connection.
Abstract: ATM networks are not more or less secure than other networks, but the demand for secure communications is increasing. The ATM Forum has defined the Security Specifications using the Three-Way and Two-Way Security Message Exchange Protocols (SME) to support the negotiation and establishment of security services, mechanisms and other parameters needed for a secure connection. Different security mechanisms may degrade the guaranteed QoS through additional delays, error propagation and throughput limitations. The purpose of this paper is to overcome these negative influences of security operations on QoS. A new Three-Way SME_Q Protocol is introduced. It provides the simultaneous capability of implementing required security services, while still offering the user-requested QoS parameters during an ATM connection. The Three-Way SME_Q protocol calculates and considers the impact of the security operations on the QoS parameters. In this way, only security mechanisms that fit within the requested QoS range are chosen.