APPLICATIONS OF BAN-LOGIC JAN WESSELS CMG FINANCE B.V.
APPLICATIONS OF BAN-LOGIC, JAN WESSELS, CMG FINANCE B.V., APRIL 19, 2001
Chapter 1 Introduction

This document is meant to give an overview of the BAN-logic. The BAN-logic is one of the methods for the analysis of cryptographic protocols. One of the goals is to show how the BAN-logic is applied best. Although the BAN-logic can be applied easily and gives quick insight into the working of a protocol, care has to be taken that the analysis is made thoroughly. Assumptions should not be made quickly without writing them down. The document first gives an overview of the BAN-logic, after which the Station-to-Station protocol is used as an example. The protocol is analysed in a number of ways.
Chapter 2 BAN Overview

Burrows, Abadi and Needham [BAN89] developed a logic for analysing authentication protocols. The logic is called BAN-logic. With the logic all public-key and shared-key primitives are formalised, and also the notion of a fresh message. This makes it possible to formalise a challenge-response protocol. BAN-logic can be used for answering the following questions:

- To what conclusions does this protocol come?
- What assumptions are needed for this protocol?
- Does the protocol use unnecessary actions, which can be left out?
- Does the protocol encrypt anything which could be sent in plain, without weakening the security?

The BAN logic makes it possible to reason about cryptographic protocols in a way that is both simple and formal. The basis for the logic is the belief of a party in the truth of a formula. A formula need not be true in the general sense of truth. It should be kept in mind that the BAN logic is meant for reasoning over cryptographic protocols. A verification with BAN logic does not necessarily imply that no attacks on the protocol are possible. A proof with the BAN logic is a good proof of correctness, based on the assumptions. However, questions may arise over the semantics of the logic and the logic does exclude possible attacks. BAN logic has its purpose, because it can be used in the design of a cryptographic protocol. The use of a formal language in the design process can exclude faults.
Chapter 3 Notation

This chapter describes the syntax of the BAN logic. Not all symbols are given here, only the symbols used for the analysis. For the other syntactic rules, see the article of Burrows, Abadi and Needham [BAN89].

P believes that X holds: P X. It means that P believes that the formula X is true in the current run of the protocol. This does not mean that X is a general truth; it just shows what P believes.

P sees the formula X: P X. It can be said as: P holds X.

P X. The entity P has complete control over the formula X. This can be used when reasoning over Certificate Authorities.

P has once said the formula X: P X. The past holds all earlier runs of the protocol and earlier messages of the current run of the protocol.

X is fresh: (X). The formula X is recent. The formula has not been used before; X is a nonce.

P and Q share a secret key: P K Q. The secret key K is only usable in the communication between P and Q, and is only known to P and Q. It is implicit that K is a secret between both parties.

P has a public key K is denoted by: K P. The secret key is denoted with K

Encryption of X with key K is denoted in the standard way: $\{X\}_K$

In order to use the logic, introduction and elimination rules are needed.
Chapter 4 Overview of Introduction and elimination rules

In this chapter a short overview is given of the introduction, usage and elimination rules. The overview is not complete, but is sufficient for the analysis in this document. The rules given are also the most used rules.

The rule for k -introduction is:

A (k), A X A A k

with X meaning the necessary ingredients for a key. The rule should be applied carefully, as it may cause confusion. Informally, the rule states that in order to believe a new session key, A has to believe that the key is a new key and that B also believes in the parts of the key, so that B is also able to make the key. Formally it is required that A believes that B also takes part in the protocol, but this is hard to formalise. A predicate P(B) is necessary, which states that B takes part in the protocol. This is hard to prove, so we accept the assumption that when B believes parts of the key, B is also able to create the key.

When an entity creates a random value, it believes that this value has not been used before. The ()-introduction rule is:

A creates random x A (x)

Sending a message is formalised in the logic with:

-introduction : Message n : A : X X

For shared keys there is a -introduction rule:

P Q K P, P {X K P Q X

When P sees a message which is encrypted with the shared key of P and Q, then P believes that Q has sent the message. As the secret key is known only to P and Q, only P or Q are able to produce the message, and P knows what it has said.
For public keys there is a -introduction rule:

P K Q, P {X K P Q X

The rule is almost the same as the previous rule. K is the secret part of the public key of Q. When P sees a message which is encrypted with the secret key of Q, then it can only have been sent by Q.

-elimination rule:

P (X), P Q X P Q X

When P believes that X is a recent (fresh) message, and P believes that it was said by Q, then P believes that Q still believes the message X. It is mainly used with requests for keys from a Certificate Authority, where not only the authority of the server is important but also the validity of the key. The server () has to believe the validity of the key.

Jurisdiction or control: -elimination :

P Q X, P Q X P X

P believes that the principal Q has jurisdiction over the formula X. This means that Q is trusted to make statements over X.

Introduction of multipart messages, -introduction :

P X, P Y P (X, Y )

A composite message can be made when a principal believes in both parts. This can be generalised to more than two parts.

Elimination of multipart messages or, -elimination : Usage

P Q (X, Y ) P Q X P (X, Y ) P X P Q (X, Y ) P Q X P (X, Y ) P X P K P, P {X K P X P Q K P, P {X K P X

These rules show how principals handle encrypted messages.

Freshness promotion of multipart messages or Promotion ()

P K Q, P {X K P X P (X) P ((X, Y )) P (X) P (α X )

When a value is found to be recent by an entity, then the entity also believes that the message in which the value is used is recent.
A key is used in both directions of a communication between two entities:

P R K R P R K R P Q R K R P Q R K R

Introduction of session keys:

A (k), A X A A k

in which X stands for the necessary elements for a key.

The introduction rule for random values:

A chooses random x A (x)

The rule for sees: -introduction :

Message n : A : X X
Chapter 5 Station-to-Station protocol

In this chapter the Station-to-Station protocol is presented and analysed with the BAN-logic. First the protocol is presented, after which it is modelled in the message format used in the BAN-logic. The analysis starts with an overview of the goals of the protocol together with the assumptions. The analysis of the protocol is then given.

5.1 Protocol overview

The Station-to-Station protocol [MvOV97, p. 532] is a variation on the Diffie-Hellman protocol for key exchange. First, the following variant will be used: Let $\rho$ be a prime, $\alpha$ a generator of $Z_\rho$, the tuple $(\rho, \alpha)$ publicly known, and $\mathrm{Sig}_A(M)$ the signature of station A on message M. The protocol is:

1. A sends A to B.
2. B chooses a random y, calculates $Y = \alpha^y \bmod \rho$, sends Y.
3. A chooses a random x, calculates $X = \alpha^x \bmod \rho$, calculates $S_A = \mathrm{Sig}_A(X, Y)$, sends A, X, $S_A$.
4. B calculates $S_B = \mathrm{Sig}_B(Y)$, sends B, Y, $S_B$.

A calculates $k = Y^x \bmod \rho$. B calculates $k = X^y \bmod \rho$. It holds that $k = X^y = (\alpha^x)^y \bmod \rho = (\alpha^y)^x \bmod \rho = Y^x = k$.

In the standard notation the protocol can be presented as:

Message 1 A : A
Message 2 A: Y
Message 3 A : A, X, Sig A (X, Y )
Message 4 A:, Y, Sig (Y )

5.2 Goals

The goal of the Station-to-Station protocol is the exchange of a shared secret key between two entities with two-way explicit authentication. This means that a key k is agreed upon between the entities A and B, and both believe in k. Next to this, both entities have to believe that the other entity also believes in the key. In the BAN-logic the goals can be presented as:

1. A A k
2. A k
3. A A k
4. A A k A

These goals can be divided in two groups. First (subgoals 1 and 2), both parties themselves believe that the key k is a good key for communication between A and B. Secondly (subgoals 3 and 4), both entities also believe that the other entity believes in the key.

Subgoals

Normally the goals will be deduced from the assumptions. In this case, first a number of subgoals is presented. With these subgoals the goals can be reached:

1. A N A
2. A α N A
3. A α N
4. A N
5. N
6. A α N
7. α N A
8. A N A

Subgoals 1 and 3 lead to goal 1 [footnote 1]. In the same way, the subgoals 2 and 4 lead to goal 4. For B, goal 2 can be deduced from subgoals 5 and 7. Goal 3 can be based on subgoals 6 and

Assumptions

In the protocol a part of the message is signed with the private key of the sender. In order to read the message, it is necessary to verify it with the public key. It is assumed that all entities already hold the key material. When one of the entities does not have the public key of the other entity, it should be retrieved from the CA.

1. A K A A
2. A K
3. K A A
4. K
5. A α N
6. A α N A

These are the necessary assumptions.

Footnote 1. It holds: A (α N ) N A A k.

Footnote 2. The presentation here is somewhat simplified. There are no rules for dealing with fresh compositions that lead to a session key. A key K should only be known to A and B and not to outsiders. In the end (see chapter 8) it is shown that outsiders only arrive at $\alpha^{N_A}$ and $\alpha^{N_B}$.
5.4 Verification

The rules 1 to 6 are the assumptions. When the assumptions are correct, then the conclusions are also correct.

1. A K A A
2. K
3. A K
4. K A A
5. A α N A
6. A α N
Message 1: A : A
chooses random N
(7. N subgoal 5; implicit)
8. (N ) random introduction
Message 2: A: α N
9. A α N intro
A chooses random N A
(10. A N A subgoal 1; implicit)
11. A (N A ) random introduction
Message 3: A : A, α N A, {α N A k A
12. A, α N A, {α N A K intro A
13. A (α N A ) 12, 4, intro
14. (α N A ) 8, ()-promotion
15. A (α N A ) 14, 13, -elimination
16. A α N A 15, decomposition
17. A N A 16 (subgoal 8; see remark)
18. α N A 5, 16, jurisdiction (subgoal 7)
19. A α N 15, (subgoal 6)
Message 4: A:, {α N A K
20. A, {α N A K intro
21. A α N A 20, 3, intro
22. A (α N A ) 11, ()-promotion
23. A α N A 22, 21, -elimination (subgoal 2)
A calculates sessionkey k = (α N ) N A
24. A (k) 9, 11, ()-promotion, arithmetic
(25. A N 9 (subgoal 4))
26. A A k 24, 25, k -intro
27. A A k subgoals 2 and 4
calculates sessionkey k = (α N A ) N
28. (k) 12, 8, ()-promotion, arithmetic
29. A k 28, 16, k -intro (subgoals 5 and 7 )
30. A A k subgoals 6 and 8

Remark: it is questionable whether line 17 can be deduced from line 16. It can be stated that (as B does not know the value of $N_A$):

XɛZ : ( X α X mod ρ = α N A mod ρ)

To see what has been derived where, first an overview of the subgoals is given:

1 A N A line 10
2 A α N A line 23
3 A α N
4 A N (line 25)
5 N line 7
6 A α N line 19
7 α N A line 18
8 A N A line 17

When the deduction is checked, it can be seen that six of the eight subgoals can be derived. At this moment goal 1 cannot be derived, because the protocol is asymmetric. The value $\alpha^{N_B}$ is sent only once, and then in plain. On our meta-level, we know that N can be sent plain without difficulties. There is, however, another problem in the protocol, which is not shown in the analysis: who is the real sender. It is not sure that the messages from A and B really come from A and B. In the next chapter an adapted version will be analysed.
Chapter 6 Adapted version

In the previous chapter it has become clear that, because of omissions, the protocol may become flawed. The development of beliefs in the analysis stops, and with it the analysis. In this chapter an adapted version of the Station-to-Station protocol is analysed. In messages three and four certificates are used, and these certificates are explicitly bound to the sender and to this run of the protocol by the use of the parameters $\alpha^{N_A}$ and $\alpha^{N_B}$. The chapter first describes the adapted protocol, after which the goals are given and the assumptions analysed. The chapter ends with the analysis of the protocol.

6.1 Description of the protocol

The Station-to-Station protocol [MvOV97, p. 532] is a variation on the Diffie-Hellman protocol for key exchange. The adapted version is: Let $\rho$ be a prime, $\alpha$ a generator of $Z_\rho$, the tuple $(\rho, \alpha)$ publicly known, Cert(A) the certificate for station A, and $\mathrm{Sig}_A(X)$ the signature of station A on message X. The protocol runs as:

1. A sends A to B (as an invitation for key exchange).
2. B chooses a random y, calculates $Y = \alpha^y \bmod \rho$, sends Y.
3. A chooses a random x, calculates $X = \alpha^x \bmod \rho$ and $S_A = \mathrm{Sig}_A(\mathrm{Cert}(A), X, Y)$, sends $\mathrm{Sig}_A$ Cert(A), X, $S_A$.
4. B calculates $S_B = \mathrm{Sig}_B(\mathrm{Cert}(B), Y)$, sends Cert(B), Y, $S_B$.

A calculates $k = Y^x \bmod \rho$. B calculates $k = X^y \bmod \rho$. It holds that $k = X^y = (\alpha^x)^y \bmod \rho = (\alpha^y)^x \bmod \rho = Y^x = k$.

In the standard notation the protocol is denoted as:

Message 1 A : A
Message 2 A: Y
Message 3 A : Cert(A), X, Sig A (Cert(A), X, Y )
Message 4 A: Cert(), Y, Sig (Cert(), Y )
6.2 Goals

It is the goal of the Station-to-Station protocol to come to the exchange of a shared secret key between two parties with mutual explicit authentication. In short, this means that a key k is agreed upon in which both entities A and B believe. The goals are:

1. A A k
2. A k
3. A A k
4. A k A

The goals are the same as in the previous chapter. The subgoals which we want to derive are the same. See for an overview section on page

Assumptions

In the protocol a certificate is sent a number of times. In order to verify these certificates of A and B, the other entity needs to have the public key. Next to this, the messages enciphered with the private key must also be deciphered. In a practical situation these assumptions are reasonable. If one of the parties does not possess the certificates, then a mechanism should be available for retrieval of the certificate.

1. A K A A
2. A K
3. K A A
4. K
5. A α N A
6. α N

6.4 Verification

The key K is the key of the Certification Authority, who in this analysis (implicitly) guarantees the correctness of the certificates.

1. A K A A
2. K
3. A K
4. K A A
5. A α N A
6. A α N
Message 1: A : A
chooses random N
(7. N subgoal 5, implicit)
8. (N ) random introduction
Message 2: A: α N
9. A α N intro
A chooses random N A
(10. A N A subgoal 1, implicit)
11. A (N A ) random introduction
Message 3: A : {{(A, K A ) K K A
12. {{(A, K A ) K K intro A
13. A ({(A, K A ) K ) 12, 4, -intro
14. ({(A, K A K )) 8, ()-promotion
15. A ({(A, K A ) K ) 14, 13, -elimination
16. A α N A 15, decomposition
17. A N A 16 (see remark page 5.4; subgoal 8)
18. α N A 5, 16, jurisdiction (subgoal 7)
19. A α N 15, (subgoal 6)
Message 4: A: {{(, K ) K K
20. A {{(, K ) K K intro
21. A ({(, K ) K ) 20, 3, intro
22. A ({(, K ) K ) 11, ()-promotion
23. A ({(, K ) K ) 22, 21, -elimination
24. A α N A 23,, -usage (subgoal 2 )
A calculates sessionkey k = (α N ) N A
25. A (k) 9, 11, ()-promotion
(26. A N 9 (subgoal 4) )
27. A A k 25, 26, k -intro
28. A A k subgoals 2 and 4
calculates sessionkey k = (α N A ) N
29. (k) 12, 8, ()-promotion
30. A k 29, 15, k -intro (subgoals 5 and 7)
31. A A k subgoals 6 and 8

Just as in the previous analysis, the subgoals are presented here:

1 A N A line 10
2 A α N A line 24
3 A α N
4 A N (line 26)
5 N line 7
6 A α N line 19
7 α N A line 18
8 A N A line 17

The broad outline of the analysis is the same as in section 5.4 (page 9). Again, subgoal 3 could not be proved. Goals 2, 3 and 4 can be proved, but for goal 1 the difficulties remain. For the BAN analysis the protocol could be repaired in the second message with the sending of {{, K K K instead of $\alpha^{N_B}$. This results in an unnecessary addition to the protocol.

Another problem also appears: we have added certificates and the use of certificates to the messages, but it has no real effect on the analysis. Outside the analysis, on the meta-level, we know that this works. In order to use certificates in the BAN logic, the logic has to be extended.
Chapter 7 Extension of the BAN logic

In chapter 6 the Station-to-Station protocol is repaired by the use of certificates. Alas, this is not shown by the analysis. In its standard form, the BAN logic is not able to handle certificates. However, the logic can be extended. This is done in this chapter, based on the article of Gaarder and Snekkenes [GS91]. They have analysed the X.509 standard with these extensions. The structure of this chapter is somewhat different from the previous two. The protocol is not shown here, nor are the goals. The chapter starts with the extensions of the logic, after which the assumptions are given. The chapter ends (again) with the analysis.

7.1 Extension of the BAN logic

Gaarder and Snekkenes define two extensions in their article [GS91]. Firstly, the BAN logic is extended with axioms and rules for Public Key Cryptographic Systems (PKCS). With these extensions, derivations can be made directly. Secondly, the notion of time is extended in the logic. Certificates only have a limited life span, which has to be expressed in the analysis. In the current analysis only the extensions for Public Key Crypto Systems are used, so only these extensions are given here.

PK(K, U): The entity U has the good key K associated. A unique key exists which corresponds with K.

Π(U): The entity U has a good private key. The value of this key is only known to U.

σ(X, U): The formula X is signed with the private key that belongs to U.

Two extra inference rules are defined:

U i PK(p j, U j ), U i Π(U), u j σ(x, X J ) U i U j X U i σ(x, U j ) U i X once-said for PKCS reading of signed messages

7.2 Assumptions

In the protocol a certificate is sent a number of times. In order to verify these certificates of A and B, the other entity needs to have the public key. Next to this, the messages enciphered with the private key must also be deciphered. In a practical situation these assumptions are reasonable. If one of the parties does not possess the certificates, then a mechanism should be available for retrieval of the certificate.

1. A PK(K, )
2. PK(K A, A)
3. Π(A)
4. A Π()
5. A α N A
6. α N

7.3 Verification

1. PK(K, )
2. A PK(K, )
3. Π(A)
4. Π()
5. A α N A
6. A α N
Message 1: A : A
chooses random N
(7. N subgoal 5, implicit)
8. (N ) random introduction
Message 2: A: {{(, K ) K K
9. A σ({{(, K ) K K intro
10. A α N,) 9, 2, intro for PKCS
A chooses random N A
(11. A N A subgoal 1, implicit)
12. A (N A ) random introduction
Message 3: A : {{(A, K A ) K K A
13. σ({{(a, K A ) K
14. A ({(A, K A ) K, α N A K, A) intro A, α N A ) 13, 3, intro (PKCS)
15. ({(A, K A ) K ) 8, ()-promotion
16. A ({(A, K A ) K ) 15, 14, -elimination
17. A α N A A N A 17 (see remark on 10; subgoal α N A 5, 17, jurisdiction (subgoal 7)
20. A α N A 16, (subgoal 6)
Message 4: A: {{(, K ) K K
21. A σ({{(, K ) K K, ) intro
22. A ({(, K ) K ) 21, 2, 3, intro
23. A ({(, K ) K ) 12, ()-promotion
24. A ({(, K ) K ) 23, 22, -elimination
25. A α N A 24,, -usage (subgoal 2 )
A calculates sessionkey k = (α N ) N A
26. A (k) 9, 12, ()-promotion
27. A N 9 (subgoal 4)
28. A A k 26, 27, k -intro
29. A A k subgoals 2 and 4
calculates sessionkey k = (α N A ) N
30. (k) 13, 8, ()-promotion
31. A N A 14 (subgoal 8)
32. A k 30, 17, k -intro (subgoals 5 and A A k subgoals 6 and 8

First we show the subgoals and the results of the analysis for these subgoals:

1 A N A line 11
2 A α N A line 25
3 A α N
4 A N line 27
5 N line 7
6 A α N line 20
7 α N A line 19
8 A N A line 18

The analysis has more results than in sections 5.4 and 6.4, but it is still impossible to derive the proof of all goals. Again subgoal 3 cannot be proved, this time because the freshness of $\alpha^{N_B}$ is not sure. This also shows in the assumptions: not all assumptions are used in the analysis. The analysis could be completed by sending $\alpha^{N_B}$ again in message 4. With the use of the freshness of $\alpha^{N_A}$ the freshness of $\alpha^{N_B}$ could be derived (analogous to the analysis of message 3).

This analysis is not meant to come to a complete proof of the Station-to-Station protocol, but to show what is and what is not possible with the BAN logic. Next to the analysis of the beliefs of the participants of the protocol, it can be abused for the analysis of the outsiders of the protocol. This is shown in the next chapter.
Chapter 8 Analysis by Outsiders

In the other chapters the knowledge and beliefs of the participants of the protocol are analysed. Next to the participants, it can be very interesting to see what outsiders are able to learn from a run of the protocol. The BAN-logic will be used for this, although the BAN-logic was not meant for this.

8.1 Assumptions

For the analysis we do not start with goals; we only want to see what can be learned from the analysis. The following assumptions are used (with I standing for intruder):

1. I PK(K A, A)
2. I PK(K, )
3. I Π(A)
4. I Π()
5. A α N A
6. α N

These are the same assumptions as in the previous chapters. It may be assumed that the entity I has access to the certificates of A and B.

8.2 Analysis

1. I PK(K A, A)
2. I PK(K, )
3. I Π(A)
4. I Π()
5. I A α N A
6. I α N
Message 1: A : A
chooses random N
(7. N subgoal 5, implicit)
8. (N ) random introduction
Message 2: A: {{(, K ) K K
9. I σ({{(, K ) K K, ) intro
10. I α N 9, 2, intro for PKCS
A chooses random N A
(11. A N A subgoal 1, implicit)
12. A (N A ) random introduction
Message 3: A : {{(A, K A ) K K A
13. I σ({{(a, K A ) K
14. I A ({(A, K A ) K, α N A K, A) intro A, α N A ) 13, 3, intro (PKCS)
15. I (({(A, K A ) K )) 8, ()-promotion
16. I A ({(A, K A ) K ) 15, 14, -elimination
17. I A α N A I A N A 17 (see remark page 10; subgoal I α N A 5, 17, jurisdiction (subgoal 7)
20. I A α N A 16, (subgoal 6)
Message 4: A: {{(, K ) K K
21. I σ({{(, K ) K K, ) intro
22. I ({(, K ) K ) 21, 2, 3, intro
23. I (({(, K ) K )) 12, ()-promotion
24. I ({(, K ) K ) 23, 22, -elimination
25. I α N A 24,, -usage (subgoal 2 )

Conclusion: I only has knowledge of $\alpha^{N_A}$ and $\alpha^{N_B}$. With this, it should be impossible for I to calculate $N_A$ and $N_B$.
Chapter 9 Method

This chapter briefly describes how, in my opinion, the BAN logic is applied best. The method is a natural one, but it has to be applied with discipline. The method is:

1. Determine the goals of the protocol, that is, what the different parties want to achieve with the protocol. In general this could be something like (without explicit key confirmation): A A k A k However, it could be that the goals reach further (with explicit key confirmation): A A k A k A A k A A k
2. Determine the assumptions, as far as these can be distilled from the description. Mostly the assumptions deal with the necessary beliefs in the keys of the communicating parties in order to communicate with each other.
3. Start the analysis with the assumptions and see how the beliefs develop on the basis of the exchange of the messages. This should be done in a bookkeeping way, in which it is written down for every step which beliefs and rules are used. This should be done until the analysis stops or until the goals are reached. When the analysis stops, it should be examined on what message the analysis stops. Also, it should be examined what possibilities this gives for an attack on the protocol.
4. In a second analysis round the analysis can be reversed: we start at the end and then try to work back to the start. This round is used for verifying that the steps taken are correct; it should be avoided that quantum leaps are made.
5. Write down explicitly what rules are applied.
6. Verify the validity of the assumptions. It could be that extra assumptions turn out to be necessary during the analysis. Extra assumptions as such are no problem, but they undermine the strength of the protocol.
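The bookkeeping asked for in step 3, as an added example (not code from the original document): a small forward-chaining engine over the rules of Burrows, Abadi and Needham written out in words (message meaning for public keys, nonce verification, jurisdiction, decomposition, freshness promotion). The encoding of the chapter 5 assumptions and messages and all names in the code are this example's own reading; the run stops on message 4 when B signs Y alone, and goes through when the value is sent again together with A's fresh value, as chapter 7 suggests.

```python
# Added example: every derived belief records the rule and the premises used.
# Terms are nested tuples, so a proof is a dict {fact: (rule, premises)}.

def bel(p, x): return ("believes", p, x)
def said(q, x): return ("said", q, x)
def fresh(x): return ("fresh", x)
def controls(q, x): return ("controls", q, x)
def pk(q, k): return ("pk", q, k)                      # k is q's public key
def sig(k, *xs): return ("sig", k, ("tuple",) + xs)    # xs signed with the private half of k
def exp(n): return ("exp", n)                          # alpha^n mod rho

def kind(t):
    return t[0] if isinstance(t, tuple) else None

def step(facts):
    """Yield (conclusion, rule, premises) for every rule instance that fires."""
    for f in facts:
        if kind(f) != "believes":
            continue
        p, x = f[1], f[2]
        if kind(x) == "pk":                            # P believes K is Q's public key
            for s in facts:
                if (kind(s) == "sees" and s[1] == p
                        and kind(s[2]) == "sig" and s[2][1] == x[2]):
                    yield bel(p, said(x[1], s[2][2])), "message meaning (public key)", (f, s)
        elif kind(x) == "fresh":
            if isinstance(x[1], str):                  # fresh exponent gives a fresh power
                yield bel(p, fresh(exp(x[1]))), "freshness promotion", (f,)
            for g in facts:
                if kind(g) == "believes" and g[1] == p and kind(g[2]) == "said":
                    q, m = g[2][1], g[2][2]
                    if m == x[1]:
                        yield bel(p, bel(q, m)), "nonce verification", (f, g)
                    elif kind(m) == "tuple" and x[1] in m[1:]:
                        # only tuples that were actually said are promoted,
                        # which keeps the closure finite
                        yield bel(p, fresh(m)), "freshness promotion", (f,)
        elif kind(x) == "believes":
            q, y = x[1], x[2]
            if kind(y) == "tuple":
                for part in y[1:]:
                    yield bel(p, bel(q, part)), "decomposition", (f,)
            ctl = bel(p, controls(q, y))
            if ctl in facts:
                yield bel(p, y), "jurisdiction", (ctl, f)

def derive(assumptions, messages):
    """messages: (number, receiver, content). Returns {fact: (rule, premises)}."""
    proof = {a: ("assumption", ()) for a in assumptions}
    for number, receiver, content in messages:
        proof[("sees", receiver, content)] = (f"message {number}", ())
    changed = True
    while changed:                                     # run to a fixpoint
        changed = False
        for concl, rule, premises in list(step(proof)):
            if concl not in proof:
                proof[concl] = (rule, premises)
                changed = True
    return proof

def trace(proof, goal, out=None):
    """Every step needed for goal, premises listed before conclusions."""
    out = [] if out is None else out
    rule, premises = proof[goal]
    for prem in premises:
        trace(proof, prem, out)
    if (goal, rule) not in out:
        out.append((goal, rule))
    return out

def show(t):
    if isinstance(t, str):
        return t
    if t[0] in ("believes", "sees", "said", "controls"):
        return f"{t[1]} {t[0]} {show(t[2])}"
    return f"{t[0]}({', '.join(show(a) for a in t[1:])})"

# Constructed reading of the chapter 5 run (an assumption of this example).
NA, NB = "N_A", "N_B"
ASSUMPTIONS = [
    bel("A", pk("B", "K_B")), bel("B", pk("A", "K_A")),
    bel("A", controls("B", exp(NB))), bel("B", controls("A", exp(NA))),
    bel("A", fresh(NA)), bel("B", fresh(NB)),          # each side's own random value
]
MSG2 = (2, "A", exp(NB))                               # sent in plain
MSG3 = (3, "B", sig("K_A", exp(NA), exp(NB)))
MSG4 = (4, "A", sig("K_B", exp(NB)))                   # B signs Y only
MSG4_RESENT = (4, "A", sig("K_B", exp(NB), exp(NA)))   # Y sent again, bound to A's value

A_BELIEVES_B_VALUE = bel("A", exp(NB))
B_BELIEVES_A_VALUE = bel("B", exp(NA))

def analyse(msg4):
    return derive(ASSUMPTIONS, [MSG2, MSG3, msg4])

if __name__ == "__main__":
    run = analyse(MSG4)
    for fact, rule in trace(run, B_BELIEVES_A_VALUE):
        print(f"{show(fact):70} [{rule}]")
    print("A reaches its belief:", A_BELIEVES_B_VALUE in run)
    print("after sending it again:", A_BELIEVES_B_VALUE in analyse(MSG4_RESENT))
```

In the stuck run A still derives that B once said the signed value; what is missing is any fresh component in message 4, so nonce verification never fires for A.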
Chapter 10 Conclusions

In this document the Station-to-Station protocol is analysed four times. It shows what can be done with the BAN logic, but it also shows the imperfections of the BAN logic:

The BAN logic cannot handle multi-role attacks.

The BAN logic cannot handle explicit arithmetic in protocols. It has been shown to be virtually impossible to derive anything from message 2, in which $\alpha^{N_B}$ is sent. On a meta level it can be seen that this can be done without harm. This is not a specific problem of the BAN logic, but a more general problem.

A third problem is the concept of identity: extensions are necessary for dealing with identity (see chapter 7). This is not always useful and it disturbs the simplicity of the BAN logic.

A last point is the deceitful simplicity of BAN. This is not so much an imperfection as something which should be kept in mind.

The different analyses also show another danger: in order to prove the protocol, it might be very tempting to repair the protocol. In this case, this is message 2. However, this is not necessary. It shows the limitations (and dangers) of the application of formal methods.
Bibliography

[BAN89] M. Burrows, M. Abadi, and R. Needham. A logic of authentication. ACM Operating Systems Review, 23(5):1-13, December. A fuller version was published as DEC System Research Center Report number 39, Palo Alto, California, February.

[GS91] Klaus Gaarder and Einar Snekkenes. Applying a formal analysis technique to the CCITT X.509 strong two-way authentication protocol. Journal of Cryptology, 3(2):81-98.

[MvOV97] A.J. Menezes, P. van Oorschot, and S. Vanstone. Handbook of Applied Cryptography. CRC Press, Boca Raton, Florida.
Proving Security Protocols Correct Lawrence C. Paulson Computer Laboratory How Detailed Should a Model Be? too detailed too simple concrete abstract not usable not credible ``proves'' everything ``attacks''
More informationElliptic Curves. Giulia Mauri. Politecnico di Milano website:
Elliptic Curves Giulia Mauri Politecnico di Milano email: giulia.mauri@polimi.it website: http://home.deib.polimi.it/gmauri May 13, 2015 Giulia Mauri (DEIB) Exercises May 13, 2015 1 / 34 Overview 1 Elliptic
More informationStrand Spaces Proving Protocols Corr. Jonathan Herzog 6 April 2001
Strand Spaces Proving Protocols Corr Jonathan Herzog 6 April 2001 Introduction 3Second part of talk given early last month Introduced class of cryptographic protocols Modeled at high level of abstraction
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationTheory of Computation Chapter 12: Cryptography
Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption
More informationChapter 4 Asymmetric Cryptography
Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for
More informationWeek 7 An Application to Cryptography
SECTION 9. EULER S GENERALIZATION OF FERMAT S THEOREM 55 Week 7 An Application to Cryptography Cryptography the study of the design and analysis of mathematical techniques that ensure secure communications
More informationEncoding security protocols in the cryptographic λ-calculus. Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania
Encoding security protocols in the cryptographic λ-calculus Eijiro Sumii Joint work with Benjamin Pierce University of Pennsylvania An obvious fact Security is important Cryptography is a major way to
More informationAsymmetric Cryptography
Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a
More informationThe RSA public encryption scheme: How I learned to stop worrying and love buying stuff online
The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online Anthony Várilly-Alvarado Rice University Mathematics Leadership Institute, June 2010 Our Goal Today I will
More informationQuantum Wireless Sensor Networks
Quantum Wireless Sensor Networks School of Computing Queen s University Canada ntional Computation Vienna, August 2008 Main Result Quantum cryptography can solve the problem of security in sensor networks.
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationAN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM
AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM VORA,VRUSHANK APPRENTICE PROGRAM Abstract. This paper will analyze the strengths and weaknesses of the underlying computational
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Finite Fields The finite field GF(q) exists iff q = p e for some prime p. Example: GF(9) GF(9) = {a + bi a, b Z 3, i 2 = i + 1} = {0, 1, 2, i, 1+i, 2+i, 2i, 1+2i, 2+2i} Addition:
More informationCRYPTOGRAPHY AND NUMBER THEORY
CRYPTOGRAPHY AND NUMBER THEORY XINYU SHI Abstract. In this paper, we will discuss a few examples of cryptographic systems, categorized into two different types: symmetric and asymmetric cryptography. We
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationCryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages
Cryptanalysis on An ElGamal-Like Cryptosystem for Encrypting Large Messages MEI-NA WANG Institute for Information Industry Networks and Multimedia Institute TAIWAN, R.O.C. myrawang@iii.org.tw SUNG-MING
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationAll-Or-Nothing Transforms Using Quasigroups
All-Or-Nothing Transforms Using Quasigroups Stelios I Marnas, Lefteris Angelis, and George L Bleris Department of Informatics, Aristotle University 54124 Thessaloniki, Greece Email: {marnas,lef,bleris}@csdauthgr
More informationCryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1
Cryptography CS 555 Topic 23: Zero-Knowledge Proof and Cryptographic Commitment CS555 Topic 23 1 Outline and Readings Outline Zero-knowledge proof Fiat-Shamir protocol Schnorr protocol Commitment schemes
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationMy brief introduction to cryptography
My brief introduction to cryptography David Thomson dthomson@math.carleton.ca Carleton University September 7, 2013 introduction to cryptography September 7, 2013 1 / 28 Outline 1 The general framework
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationCryptanalysis of Threshold-Multisignature Schemes
Cryptanalysis of Threshold-Multisignature Schemes Lifeng Guo Institute of Systems Science, Academy of Mathematics and System Sciences, Chinese Academy of Sciences, Beijing 100080, P.R. China E-mail address:
More informationBreaking Plain ElGamal and Plain RSA Encryption
Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain
More informationAnalysing the Security of a Non-repudiation Communication Protocol with Mandatory Proof of Receipt
Analysing the Security of a Non-repudiation Communication Protocol with Mandatory Proof of Receipt TOM COFFEY, PUNEET SAIDHA, PETER URROWS Data Communication Security Laboratory University of Limerick
More informationKEY DISTRIBUTION 1 /74
KEY DISTRIBUTION 1 /74 The public key setting Alice M D sk[a] (C) C Bob pk[a] C $ E pk[a] (M) σ $ S sk[a] (M) M,σ Vpk[A] (M,σ) Bob can: send encrypted data to Alice verify her signatures as long as he
More informationNotes on Zero Knowledge
U.C. Berkeley CS172: Automata, Computability and Complexity Handout 9 Professor Luca Trevisan 4/21/2015 Notes on Zero Knowledge These notes on zero knowledge protocols for quadratic residuosity are based
More informationA Comparative Study of RSA Based Digital Signature Algorithms
Journal of Mathematics and Statistics 2 (1): 354-359, 2006 ISSN 1549-3644 2006 Science Publications A Comparative Study of RSA Based Digital Signature Algorithms 1 Ramzi A. Haraty, 2 A. N. El-Kassar and
More informationOn the Big Gap Between p and q in DSA
On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that
More informationGroup Diffie Hellman Protocols and ProVerif
Group Diffie Hellman Protocols and ProVerif CS 395T - Design and Analysis of Security Protocols Ankur Gupta Secure Multicast Communication Examples: Live broadcast of a match, stock quotes, video conferencing.
More informationImpossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs
Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs Dafna Kidron Yehuda Lindell June 6, 2010 Abstract Universal composability and concurrent general composition
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More information19. Coding for Secrecy
19. Coding for Secrecy 19.1 Introduction Protecting sensitive information from the prying eyes and ears of others is an important issue today as much as it has been for thousands of years. Government secrets,
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationA Piggybank Protocol for Quantum Cryptography
Piggybank Protocol for Quantum Cryptography Navya Chodisetti bstract This paper presents a quantum mechanical version of the piggy-bank cryptography protocol. The basic piggybank cryptography idea is to
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationRevisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives
S C I E N C E P A S S I O N T E C H N O L O G Y Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives David Derler, Christian Hanser, and Daniel Slamanig, IAIK,
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationStrongly Unforgeable Signatures Based on Computational Diffie-Hellman
Strongly Unforgeable Signatures Based on Computational Diffie-Hellman Dan Boneh 1, Emily Shen 1, and Brent Waters 2 1 Computer Science Department, Stanford University, Stanford, CA {dabo,emily}@cs.stanford.edu
More informationNSL Verification and Attacks Agents Playing Both Roles
NSL Verification and Attacks Agents Playing Both Roles Pedro Adão Gergei Bana Abstract Background: [2] and eprint version: [1] 1 The Axioms Equality is a Congruence. The first axiom says that the equality
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationExtending Dolev-Yao with Assertions
Extending Dolev-Yao with Assertions Vaishnavi Sundararajan Chennai Mathematical Institute FOSAD 2015 August 31, 2015 (Joint work with R Ramanujam and S P Suresh) Vaishnavi S Extending Dolev-Yao with Assertions
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationPublic key exchange using semidirect product of (semi)groups
Public key exchange using semidirect product of (semi)groups Maggie Habeeb 1, Delaram Kahrobaei 2, Charalambos Koupparis 3, and Vladimir Shpilrain 4 1 California University of Pennsylvania habeeb@calu.edu
More informationCryptanalysis of a Message Authentication Code due to Cary and Venkatesan
Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan Simon R. Blackburn and Kenneth G. Paterson Department of Mathematics Royal Holloway, University of London Egham, Surrey, TW20 0EX,
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationOne-round and authenticated three-party multiple key exchange. protocol from parings *
One-round and authenticated three-party multiple key exchange protocol from parings Feng LIU School of Mathematics & Information, Ludong University, Yantai 264025, China E-mail: liufeng23490@126.com (2010-05
More informationA probabilistic quantum key transfer protocol
SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 013; 6:1389 1395 Published online 13 March 013 in Wiley Online Library (wileyonlinelibrary.com)..736 RESEARCH ARTICLE Abhishek Parakh* Nebraska
More informationTime-Bounding Needham-Schroeder Public Key Exchange Protocol
Time-Bounding Needham-Schroeder Public Key Exchange Protocol Max Kanovich, Queen Mary, University of London, UK University College London, UCL-CS, UK Tajana Ban Kirigin, University of Rijeka, HR Vivek
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationTerm Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool
Term Rewriting applied to Cryptographic Protocol Analysis: the Maude-NPA tool Santiago Escobar Departamento de Sistemas Informáticos y Computación Universitat Politècnica de València sescobar@dsic.upv.es
More informationA derivation system and compositional logic for security protocols
Journal of Computer Security 13 2005) 423 482 423 IOS Press A derivation system and compositional logic for security protocols Anupam Datta a,, Ante Derek a, John C. Mitchell a and Dusko Pavlovic b a Computer
More informationOne Year Later. Iliano Cervesato. ITT Industries, NRL Washington, DC. MSR 3.0:
MSR 3.0: The Logical Meeting Point of Multiset Rewriting and Process Algebra MSR 3: Iliano Cervesato iliano@itd.nrl.navy.mil One Year Later ITT Industries, inc @ NRL Washington, DC http://www.cs.stanford.edu/~iliano
More informationModel Checking Security Protocols Using a Logic of Belief
Model Checking Security Protocols Using a Logic of Belief Massimo Benerecetti 1 and Fausto Giunchiglia 1,2 1 DISA - University of Trento, Via Inama 5, 38050 Trento, Italy 2 IRST - Istituto Trentino di
More informationElGamal type signature schemes for n-dimensional vector spaces
ElGamal type signature schemes for n-dimensional vector spaces Iwan M. Duursma and Seung Kook Park Abstract We generalize the ElGamal signature scheme for cyclic groups to a signature scheme for n-dimensional
More informationSecret sharing schemes
Secret sharing schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction Shamir s secret sharing scheme perfect secret
More informationNetwork Security Based on Quantum Cryptography Multi-qubit Hadamard Matrices
Global Journal of Computer Science and Technology Volume 11 Issue 12 Version 1.0 July Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals Inc. (USA) Online ISSN:
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationAnalysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh
Analysis - "Post-Quantum Security of Fiat-Shamir" by Dominic Unruh Bruno Produit Institute of Computer Science University of Tartu produit@ut.ee December 19, 2017 Abstract This document is an analysis
More informationCHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
INSTITUT FÜR INFORMATIK UND PRAKTISCHE MATHEMATIK A Constraint-Based Algorithm for Contract-Signing Protocols Detlef Kähler, Ralf Küsters Bericht Nr. 0503 April 2005 CHRISTIAN-ALBRECHTS-UNIVERSITÄT KIEL
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 18 November 6, 2017 CPSC 467, Lecture 18 1/52 Authentication While Preventing Impersonation Challenge-response authentication protocols
More information