Computationally Sound Compositional Logic for Key Exchange Protocols

Datta, Anupam; Derek, Ante; Mitchell, John C.; Warinschi, Bogdan

doi:10.1109/csfw.2006.9

Cited by 49 publications

(68 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, AU T H client kas states that when C finishes executing the Client role, some thread ofK indeed sent the expected message with probability asymptotically close to one; SEC client akey states that the authorization key is "good" after execution of the Client role by C. The other security properties are analogous. More specifically, GoodKeyAgainst(X, k) [27] intuitively means that if k were used instead of a random key to key an IND-CCA encryption scheme, then the advantage of X in the corresponding security game would be negligible. The motivation for using this definition is that stronger conditions such as key indistinguishability fail to hold as soon as the key is used; key indistinguishability is also not necessary to establish reasonable security properties of practical protocols (see [27] for further discussion).…”

Section: Modelling the Protocolmentioning

confidence: 99%

“…More specifically, GoodKeyAgainst(X, k) [27] intuitively means that if k were used instead of a random key to key an IND-CCA encryption scheme, then the advantage of X in the corresponding security game would be negligible. The motivation for using this definition is that stronger conditions such as key indistinguishability fail to hold as soon as the key is used; key indistinguishability is also not necessary to establish reasonable security properties of practical protocols (see [27] for further discussion). We abbreviate the honesty assumptions by defining Hon(…”

Section: Modelling the Protocolmentioning

confidence: 99%

“…Specifically, in order to prove the axiom DH sound without the random oracle model, it is necessary to ensure that both parties use only each other's DH exponentials to generate keys-a condition guaranteed by DHStrongSecretive, but not DHSecretive or the variant considered in [27].…”

Section: Diffie-hellman Axiomsmentioning

confidence: 99%

“…Our formalization uses the characterization of "good key" from [27], but improves on previous work in several respects: (i) we fix a bug in the DH axiom in [27] by using the "DHStrongSecretive" formulas developed in the paper, (ii) we present a general inductive method for proving secrecy conditions for Diffie-Hellman key exchange, and (iii) we present axioms for reasoning from ciphertext integrity assumptions. These three innovations are essential for the formal proofs for DHINIT and IKEv2, which could not be carried out in the system of [27]. In addition, the present soundness proofs are based on a new cryptographic definition and associated theorems about the joint security of multiple encryption schemes keyed using random or DHKE-keys.…”

Section: Introductionmentioning

confidence: 99%

“…More generally, Abadi and Rogaway [1] initiated computationally sound symbolic analysis of static equivalence, with extensions and completeness explored in [37,2]; a recent extension to Diffie-Hellman appears in [15], covering only passive adversaries, not the stronger active adversaries used in the present paper. Protocol Composition Logic [24] was used in a case study of 802.11i [29], has previous computational semantics [26], and was used to study protocol composition and key exchange [27]. In other studies of DHKE, [30] uses a symbolic model, while [36] imposes nonstandard protocol assumptions.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Formal Proofs of Cryptographic Security of Diffie-Hellman-Based Protocols

Datta

Mitchell

Trustworthy Global Computing

View full text Add to dashboard Cite

Abstract. We present axioms and inference rules for reasoning about Diffie-Hellman-based key exchange protocols and use these rules to prove authentication and secrecy properties of two important protocol standards, the Diffie-Hellman variant of Kerberos, and IKEv2, the revised standard key management protocol for IPSEC. The new proof system is sound for an accepted semantics used in cryptographic studies. In the process of applying our system, we uncover a deficiency in Diffie-Hellman Kerberos that is easily repaired.

show abstract

Section: Modelling the Protocolmentioning

confidence: 99%

Section: Modelling the Protocolmentioning

confidence: 99%

Section: Diffie-hellman Axiomsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Formal Proofs of Cryptographic Security of Diffie-Hellman-Based Protocols

Datta

Mitchell

Trustworthy Global Computing

View full text Add to dashboard Cite

show abstract

Security enhancement for dynamic key refreshment in neighborhood area network of smart grid

Toor

2016

Security Comm. Networks

View full text Add to dashboard Cite

Wireless mesh networks are being considered as the most adequate topology for deployment in the neighborhood area network (NAN) domain in the smart‐grid infrastructure, because its features such as self‐organizing, scalability, and cost‐efficiency complement to the NAN requirements. To provide security functionality to the NAN, the key refreshment strategy of the simultaneous authentication of equals or the efficient mesh security association protocol is an efficient way to make the network more resilient against various cyberattacks. However, it is discovered that when the key refreshment strategy is used, the efficient mesh security association protocol demonstrates a security vulnerability, leading to denial of service attacks. In this paper, a simple hash‐based encryption scheme is proposed to prevent the unprotected messages from being replayed by the adversary with an enhancement to the key refreshment scheme to improve the resilience of the mesh key holder security handshake. The Protocol Composition Logic is used to describe the logical correctness of the proposed scheme, while the Process Analysis Toolkit is used to formally verify the security functionality against the malicious attacks. The efficiency analysis and the simulation results prove that the proposed scheme is reliable and efficient. Copyright © 2016 John Wiley & Sons, Ltd.

show abstract

Protocol Derivation System for the Needham–Schroeder family

Zhang

Yang

2012

Security Comm Networks

View full text Add to dashboard Cite

A framework consisting of the Protocol Derivation System (PDS) and the Protocol Composition Logic (PCL) has been recently proposed by Datta et al. for the design and analysis of a secure composition of cryptographic protocols. However, the PDS in this proposed framework can only be used for the protocols of the Station-to-Station family, which are signature-based authenticated Diffie-Hellman key exchange protocols. In this paper, the PDS is extended to support key exchange protocols using a trusted third party and an encryption-based authentication such as those in the Needham-Schroeder family. This is achieved by means of adding new components, refinements, and transformations to the PDS. In addition, the PCL is applied to prove the correctness of the derived protocols. Then, the derivation graph of the NeedhamÀSchroeder family is developed by using the extended PDS. Finally, the derivations and proofs of the protocols in the Needham-Schroeder family are shown in this paper.

show abstract

Computationally Sound Compositional Logic for Key Exchange Protocols

Cited by 49 publications

References 28 publications

Formal Proofs of Cryptographic Security of Diffie-Hellman-Based Protocols

Formal Proofs of Cryptographic Security of Diffie-Hellman-Based Protocols

Security enhancement for dynamic key refreshment in neighborhood area network of smart grid

Protocol Derivation System for the Needham–Schroeder family

Contact Info

Product

Resources

About