FormaCrypt project: meeting June 19, 2009
ENS, salle INFO1, Nouvel Immeuble Rataud, level -1
(see access maps; the
building is marked "Bibliotheque" on the map of ENS)
10:15 - 10:30 Welcome
10:30 - 11:00 Steve Kremer, Simulation based
security in the applied pi calculus (with Stéphanie Delaune and Olivier Pereira)
slides
We present a symbolic framework for refinement and composition of
security protocols. The framework uses the notion of ideal
functionalities. These are abstract systems which are secure by
construction and which can be combined into larger systems. They can
be separately refined in order to obtain concrete protocols
implementing them. Our work builds on ideas from computational models
such as the universally composable security and reactive
simulatability frameworks. The underlying language we use is the
applied pi calculus which is a general language for specifying
security protocols. In our framework we can express the different
standard flavours of simulation-based security which happen to all
coincide. We illustrate our framework on an authentication
functionality which can be realized using the Needham-Schroeder-Lowe
protocol. For this we need to define an ideal functionality for
asymmetric encryption and its realization. We also show a joint state
result for this functionality which allows composition (even though
the same key material is reused) using a tagging mechanism.
11:00 - 11:30 Graham Steel, Synthesising Secure APIs (with
Véronique Cortier) slides
Security APIs are used to define the boundary between trusted and
untrusted code. The security properties of existing API are not always
clear. In this paper, we give a new generic API for managing symmetric
keys on a trusted cryptographic device. We state and prove security
properties for the API. In particular, our API offers a high level of
security even when the host machine is controlled by an attacker. Our
API is generic in the sense that it can implement a wide variety of
(symmetric key) protocols. As a proof of concept, we give an algorithm
for automatically instantiating the API commands for a given key
management protocol. We demonstrate the algorithm on a set of key
establishment protocols from the Clark-Jacob suite.
11:30 - 12:00 Gurvan Le Guernic, A Security-Preserving Compiler for Distributed Programs (with Cédric Fournet and Tamara Rezk) slides
This presentation/demo introduces a compiler to cryptographically secure
information flows of distributed programs. We build and prove the
correctness of a translation mechanism from sequential source programs to
distributed target programs. The source program is a sequential program
with annotations regarding the distribution of the target program. The
source program uses a shared memory whose protection mechanism relies on
security labels associated to variables. The translation mechanism returns
a distributed program whose threads use local memory for their execution.
Communication of values between threads of the target language is achieved
through a shared memory of encrypted and signed values.
12:00 - 14:00 Lunch
La Truffière, 4 rue Blainville, 75005 Paris
14:00 - 14:30 Ralf Küsters, An Epistemic Approach to
Coercion-Resistance for Electronic Voting Protocols (with Tomasz Truderung)
slides
Coercion resistance is an important and one of the most
intricate security requirements of electronic voting
protocols. Several definitions of coercion resistance have
been proposed in the literature, including definitions
based on symbolic models. However, existing definitions in
such models are rather restricted in their scope and quite
complex.
In this talk, I will report about a new definition of
coercion resistance in a symbolic setting, based on an
epistemic approach, that we have proposed recently. Our
definition is relatively simple and intuitive. It allows
for a fine-grained formulation of coercion resistance and
can be stated independently of a specific, symbolic
protocol and adversary model. As a proof of concept, we
apply our definition to three voting protocols. In
particular, we carry out the first rigorous analysis of the
recently proposed Civitas system. We precisely identify
those conditions under which this system guarantees
coercion resistance or fails to be coercion resistant. We
also analyze protocols proposed by Lee et al. and Okamoto.
14:30 - 15:00 Marion Daubignard, CIL : Computational
Indistinguishability Logic (with Gilles Barthe, Bruce Kapron, and
Yassine Lakhnech) slides
Computational Indistinguishability Logic (CIL) is a general logic to
reason about indistinguishability in presence of adaptive adversaries
and oracles. Using a notion of computational frame, which is inspired
from frames in the applied pi-calculus but abstracts away from many
specifics of a particular language, CIL provides a powerful framework
in which the security of cryptographic primitives can be established;
CIL is versatile, in that it is sound (with different axioms) both in
standard and idealized models and that it can be used for encryption,
signature... To illustrate the power of CIL, we provide concise
formal proofs of correctness for two emblematic case studies that are
often used in the literature: OAEP and FDH.
15:00 - 15:30 Pascal Lafourcade, Automated Security Proof for
Symmetric Encryption Modes (with Martin Gagné, Yassine Lakhnech, and
Reihaneh Safavi-Naini) slides
A block cipher algorithm (e.g. AES, Blowfish, DES,
Serpent and Twofish) is a symmetric key algorithm that takes a fixed
size input message block and produces a fixed size output block. A
mode of operation is a method of using a block cipher on an arbitrary
length message. Important modes of operation are Electronic Code Book
ECB, Cipher Block Chaining (CBC), Cipher FeedBack mode (CFB), Output
FeedBack (OFB), and Counter mode (CTR). Modes of operations have
different applications and provide different levels of security and
efficiency. An important question when a mode of operation is used
for encryption is the level of security that the mode provides,
assuming the underlying block cipher is secure. The answer to this
question is not straightforward. For example if one uses the naive
ECB mode with a ``secure'' block cipher, then the encryption scheme
obtained is not even IND-CPA secure. Other modes of operations preserve
confidentiality only if the initial vector is chosen appropriately.
Our main contribution is to propose a compositional
Hoare logic for proving IND-CPA-security of modes of operation for
symmetric key block ciphers. We first notice that most of modes use a
small set of operations such as xor, concatenation, and selection of
random values. This allows us to introduce a simple programming
language to specify encryption modes and an assertion language that
allows to state invariants and axioms and rules to establish such
invariants. The assertion language consists of few atomic predicates.
Transforming the Hoare logic into an (incomplete) automated
verification procedure is quite standard. Indeed, we can interpret the
logic as a set of rules that tell us how to propagate the invariants
backwards. We were able to automatically verify IND-CPA security of
several encryption modes including CBC, CFB, CTR and OFB.
15:30 - 16:00 Break
16:00 - 16:30 Bruno Blanchet, Models and Proofs of Protocol Security: A Progress Report (with Martín Abadi and Hubert Comon-Lundh) slides
We discuss progress in the verification of security protocols.
Focusing on a small, classic example, we stress the use of
program-like representations of protocols, and their automatic
analysis in symbolic and computational models.
Bruno Blanchet, Diffie-Hellman in CryptoVerif slides
We present the formalization of Diffie-Hellman in the automatic,
computationally-sound prover CryptoVerif. We begin with simple
formalizations of the Decisional and Computational Diffie-Hellman
assumptions, which are sufficient for studying cryptographic schemes,
such as the El Gamal encryption scheme. We show why they are not
sufficient for proving in CryptoVerif protocols based on
Diffie-Hellman key agreements, and how to extend the formalization of
the Computational Diffie-Hellman assumption to handle such protocols.
16:30 - 17:00 David Cadé, From CryptoVerif Specifications to
Computationally Secure Implementations of Protocols (Work in Progress) slides
We are implementing a compiler that takes a CryptoVerif specification
and generates an implementation of the protocol in OCaml. The goal of
this work is to obtain implementations of security protocols proved
secure in the computational model. We will prove that our compiler is
correct, that is, the semantics of the generated code corresponds to
the semantics of the specification. Therefore, if CryptoVerif can
prove a property on the protocol, then the implementation will also
satisfy this property.
The CryptoVerif specification is annotated by the user with hints
about the implementation details: the user indicates how the
specification is split into modules (e.g., the key generator part, the
client part, and the server part), the files that will store data
shared between several modules, the name of the OCaml functions
corresponding to the cryptographic primitives, and the size of the
random numbers. The compiler generates code for each module. For
each step of the protocol, inputting a message and outputting the
response, the compiler generates a function that takes the received
message as argument and returns the response. These functions can then
be called by a manually implemented network layer, which can be
considered as part of the adversary, so we need not make any security
assumptions on it. On the other hand, the CryptoVerif specification
makes security assumptions on the cryptographic primitives. We do not
verify that the OCaml implementation of these primitives satisfies
these assumptions: they still need to be proved manually, but the
CryptoVerif specification states precisely what has to be proved.
17:00 - Short business meeting
Page maintained by Bruno Blanchet