Abstract
Tool-supported proofs of security protocols typically rely on abstractions from real cryptography by term algebras, so-called Dolev–Yao models. However, until recently it was not known whether a Dolev–Yao model could be implemented with real cryptography in a provably secure way under active attacks. For public-key encryption and signatures, this was recently shown, if one accepts a few additions to a typical Dolev–Yao model such as an operation that returns the length of a term.
Here we extend this Dolev–Yao-style model, its realization, and the security proof to include a first symmetric primitive, message authentication. This adds a major complication: we must deal with the exchange of secret keys. For symmetric authentication, we can allow this at any time, before or after the keys are first used for authentication, while working only with standard cryptographic assumptions.
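To make the two layers the abstract contrasts concrete, the following added example (my own illustration, not the paper's cryptographic library) puts a toy Dolev–Yao term algebra with symmetric-authentication terms and a length operation next to a realization with HMAC-SHA256. The constructors (`data`, `key`, `nonce`, `pair`, `auth`, `len`), the deduction rules in `analyze`/`derivable`, the type-tagged byte encoding and the `scenario` function are all assumptions chosen for illustration; the point they show is that the symbolic rules say an adversary who only observes an authenticator learns the message and its length but can neither recover the key nor build an authenticator for a new message, that this changes once the key itself is sent in the clear, and that the byte-level realization accepts the honest authenticator and rejects a tampered one.

```python
"""Toy Dolev-Yao term algebra with symmetric-authentication terms and a length
operation, next to a concrete realization with HMAC-SHA256.

Added example, not the paper's library: constructors, deduction rules and the
byte encoding are simplifications chosen for illustration."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# Term shapes: ("data", str) | ("key", name) | ("nonce", name)
#              | ("pair", Term, Term) | ("auth", key_term, Term) | ("len", Term)
Term = Tuple
TAG_LEN = 32  # HMAC-SHA256 output size in bytes
TYPE_BYTE = {"data": 0, "key": 1, "nonce": 2, "pair": 3, "auth": 4}


def analyze(knowledge: Set[Term]) -> Set[Term]:
    """Decomposition closure: a pair yields both components; an authenticator
    yields the message it authenticates (a MAC gives integrity, not secrecy)
    but never the key."""
    known = set(knowledge)
    todo = list(known)
    while todo:
        t = todo.pop()
        parts: Tuple[Term, ...] = ()
        if t[0] == "pair":
            parts = (t[1], t[2])
        elif t[0] == "auth":
            parts = (t[2],)
        for p in parts:
            if p not in known:
                known.add(p)
                todo.append(p)
    return known


def derivable(knowledge: Set[Term], goal: Term) -> bool:
    """Goal-directed synthesis over the analyzed knowledge: payload data can
    always be made up, a pair needs both parts, an authenticator needs key and
    message, and the length of any derivable term is derivable."""
    known = analyze(knowledge)

    def synth(t: Term) -> bool:
        if t in known or t[0] == "data":
            return True
        if t[0] in ("pair", "auth"):
            return synth(t[1]) and synth(t[2])
        if t[0] == "len":
            return synth(t[1])
        return False  # keys and nonces are fresh secrets unless learned

    return synth(goal)


class Realization:
    """Maps terms to bytes: each encoding is type-tagged and length-prefixed;
    auth(k, m) becomes enc(m) || HMAC-SHA256_k(enc(m))."""

    def __init__(self) -> None:
        self.atoms: Dict[Tuple[str, str], bytes] = {}  # fresh keys and nonces

    def fresh_bytes(self, kind: str, name: str) -> bytes:
        size = 32 if kind == "key" else 16
        return self.atoms.setdefault((kind, name), os.urandom(size))

    def encode(self, t: Term) -> bytes:
        kind = t[0]
        if kind == "data":
            body = t[1].encode()
        elif kind in ("key", "nonce"):
            body = self.fresh_bytes(kind, t[1])
        elif kind == "pair":
            body = self.encode(t[1]) + self.encode(t[2])
        elif kind == "auth":
            msg = self.encode(t[2])
            body = msg + hmac.new(self.fresh_bytes("key", t[1][1]), msg, hashlib.sha256).digest()
        else:
            raise ValueError(f"cannot encode {kind}")
        return bytes([TYPE_BYTE[kind]]) + len(body).to_bytes(4, "big") + body

    def length(self, t: Term) -> int:
        """Realization of the model's length operation: size of the encoding."""
        return len(self.encode(t))

    def verify_auth(self, key_name: str, blob: bytes) -> Optional[bytes]:
        """Parse an authenticator; return the encoded message, or None on any error."""
        if len(blob) < 5 or blob[0] != TYPE_BYTE["auth"]:
            return None
        n = int.from_bytes(blob[1:5], "big")
        body = blob[5:]
        if len(body) != n or n < TAG_LEN:
            return None
        msg, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(self.fresh_bytes("key", key_name), msg, hashlib.sha256).digest()
        return msg if hmac.compare_digest(tag, expected) else None


def scenario() -> Dict[str, object]:
    """A sends auth(kAB, n1) to B and the adversary observes it (constructed
    scenario). Returns what the symbolic rules allow and what the bytes do."""
    kAB, n1, m2 = ("key", "kAB"), ("nonce", "n1"), ("data", "m2")
    observed = {("auth", kAB, n1)}
    r = Realization()
    blob = r.encode(("auth", kAB, n1))
    tampered = blob[:5] + bytes([blob[5] ^ 1]) + blob[6:]  # flip a bit in the message part
    return {
        "learns_n1": derivable(observed, n1),
        "learns_key": derivable(observed, kAB),
        "forges_m2": derivable(observed, ("auth", kAB, m2)),
        "learns_length": derivable(observed, ("len", ("auth", kAB, n1))),
        # the same forgery question after the key was sent in the clear
        "forges_m2_after_key_leak": derivable(observed | {("pair", kAB, ("data", "hello"))}, ("auth", kAB, m2)),
        "b_accepts": r.verify_auth("kAB", blob) == r.encode(n1),
        "b_rejects_tampered": r.verify_auth("kAB", tampered) is None,
        "length_bytes": r.length(("auth", kAB, n1)),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The symbolic layer deliberately has no rule that turns an authenticator into its key, which is the abstraction the realization must justify: HMAC under a fresh key is assumed unforgeable, so a term `auth(k, m)` without `k` in the adversary's knowledge has no concrete counterpart an attacker could produce. The `forges_m2_after_key_leak` entry is the reason the abstract calls key exchange a complication: the moment a key term becomes derivable, every authenticator under that key does too, and the proof has to track exactly when that happens.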
Cite this article
Backes, M., Pfitzmann, B. & Waidner, M. Symmetric authentication in a simulatable Dolev–Yao-style cryptographic library. Int J Inf Secur 4, 135–154 (2005). https://doi.org/10.1007/s10207-004-0056-6