Relating Symbolic and Cryptographic Secrecy

We investigate the relation between symbolic and cryptographic secrecy properties for cryptographic protocols. Symbolic secrecy of payload messages or exchanged keys is arguably the most important notion of secrecy shown with automated proof tools. It means that an adversary restricted to symbolic operations on terms can never get the entire considered object into its knowledge set. Cryptographic secrecy essentially means computational indistinguishability between the real object and a random one, given the view of a much more general adversary. In spite of recent advances in linking symbolic and computational models of cryptography, no relation for secrecy under active attacks is known yet. For exchanged keys, we show that a certain strict symbolic secrecy definition over a specific Dolev-Yao-style cryptographic library implies cryptographic key secrecy for a real implementation of this cryptographic library. For payload messages, we present the first general cryptographic secrecy definition for a reactive scenario. The main challenge is to separate secrecy violations by the protocol under consideration from secrecy violations by the protocol users in a general way. For this definition we show a general secrecy preservation theorem under reactive simulatability, the cryptographic notion of secure implementation. This theorem is of independent cryptographic interest. We then show that symbolic secrecy implies cryptographic payload secrecy for the same cryptographic library as used in key secrecy. Our results thus enable existing formal proof techniques to establish cryptographically sound proofs of secrecy for payload messages and exchanged keys.

We present the first idealized cryptographic library that can be used like the Dolev-Yao model for automated proofs of cryptographic protocols that use nested cryptographic operations, while coming with a cryptographic implementation that is provably secure under active attacks. To illustrate the usefulness of the cryptographic library, we present a cryptographically sound security proof of the well-known Needham-Schroeder-Lowe public-key protocol for entity authentication. This protocol was previously only proved over unfounded abstractions from cryptography. We show that the protocol is secure against arbitrary active attacks if it is implemented using standard provably secure cryptographic primitives. Conducting the proof by means of the idealized cryptographic library does not require us to deal with the probabilistic aspects of cryptography, hence the proof is in the scope of current automated proof tools. Besides establishing the cryptographic security of the Needham-Schroeder-Lowe protocol, this exemplifies the potential of this cryptographic library and paves the way for the cryptographically sound verification of security protocols by automated proof tools.

We present the first idealized cryptographic library that can be used like the Dolev-Yao model for automated proofs of cryptographic protocols that use nested cryptographic operations, while coming with a cryptographic implementation that is provably secure under active attacks.

Side channels have long been recognized as a threat to the security of cryptographic applications. Implementations can unintentionally leak secret information through many channels, such as microarchitectural state changes in processors, changes in power consumption, or electromagnetic radiation. As a result of these threats, many implementations have been hardened to defend against these attacks. Despite these mitigations, this work presents a novel side-channel attack against ECDSA and DSA. The attack targets a common implementation pattern that is found in many cryptographic libraries. In fact, about half of the libraries that were tested exhibited the vulnerable pattern. This pattern is exploited in a full proof of concept attack against OpenSSL, demonstrating that it is possible to extract a 256-bit ECDSA private key using a simple cache attack after observing only a few thousand signatures. The target of this attack is a previously unexplored part of (EC)DSA signature generation, which explains why mitigations are lacking and the issue is so widespread. Finally, estimates are provided for the minimum number of signatures needed to perform the attack, and countermeasures are suggested to protect against this attack.

We prove the Needham-Schroeder-Lowe public-key protocol secure under real, active cryptographic attacks including concurrent protocol runs. This proof is based on an abstract cryptographic library, which is a provably secure abstraction of a real cryptographic library. Together with composition and integrity preservation theorems from the underlying model, this allows us to perform the actual proof effort in a deterministic setting corresponding to a slightly extended Dolev-Yao model.Our proof is one of the two first independent cryptographically sound security proofs of this protocol.It is the first protocol proof over an abstract Dolev-Yao-style library that is in the scope of formal proof tools and that automatically yields cryptographic soundness. We hope that it paves the way for the actual use of automatic proof tools for this and many similar cryptographically sound proofs of security protocols.KeywordsAuthentication ProtocolSecurity ProtocolCryptographic ProtocolProtocol MessageEntity AuthenticationThese keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Many cryptographic APIs provide extra functionality that was not intended by the designers. In this paper we discuss such an unintended functionality in the API of HMAC, and study the security implications of it’s use by applications. HMAC authenticates a single message at a time with a single authentication tag. However, most HMAC implementations do not complain when extra data is added to the stream after that tag is computed, nor they undo the side effects of the tag computation. Think of it as an API of a new authentication primitive, that provides tags to prefixes, rather than just to the full message. We call such primitives Incremental MACs (IncMACs). IncMACs may be used by applications to efficiently authenticate long messages, broken into fragments, which need their own individual authentication tag for performing an early abort or to retransmit only bad fragments, while each tag (strongly) authenticates the message prefix so far, and the last tag fully authenticates the full message. It appears that some applications (e.g., Siemens S7 protocol) use the standard HMAC API to provide an incremental MAC, allowing to identify transmission errors as soon as the first error occurs, while also directly authenticating the full message. We discuss two common implementations, used by cryptographic libraries and programs, whose APIs do not forbid using them incrementally, continuing with extra data after computing the tag. The most common one, which Siemens uses, uses a naive implementation (as natively coded from the RFCs). The other is the implementation of the OpenSSL library. We discuss these implementations, and show that they are not as secure as HMAC. Moreover, some of them may even be highly insecure when used incrementally, where in the particular case of OpenSSL it is possible to instantly find collisions and multi-collisions, which are also colliding under any key. We also discuss the fine details of the definition of IncMACs, and propose secure versions of such a primitive.

This paper introduces TweetNaCl, a compact reimplementation of the NaCl library, including all 25 of the NaCl functions used by applications. TweetNaCl is published on Twitter and fits into just 100 tweets; the tweets are available from anywhere, any time, in an unsuspicious way. Distribution via other social media, or even printed on a sheet of A4 paper, is also easily possible.TweetNaCl is human-readable C code; it is the smallest readable implementation of a high-security cryptographic library. TweetNaCl is the first cryptographic library that allows correct functionality to be verified by auditors with reasonable effort, making it suitable for inclusion into the trusted code base of a secure computer system. This paper uses two examples of formally verified correctness properties to illustrate the impact of TweetNaCl’s conciseness upon auditability.TweetNaCl consists of a single C source file, accompanied by a single header file generated by a short Python script (1811 bytes). The library can be trivially integrated into a wide range of software build processes.Portability and small code size come at a loss in efficiency, but TweetNaCl is sufficiently fast for most applications. TweetNaCl’s cryptographic implementations meet the same security and reliability standards as NaCl: for example, complete protection against cache-timing attacks.KeywordsTrusted code baseSource-code sizeAuditabilitySoftware implementationTiming-attack protectionNaClTwitter

In our data-driven culture, the need for remote data storage and computing services has grown exponentially, requiring secure access to such data and services. This study proposes a new biometric-based authentication system for secure access to remote (cloud) servers. The proposed approach treats the user's biometrics as confidential credentials. It then uses the user’s biometric data to generate a unique ID and uses it to generate the user's private key. In addition, we present an efficient way to generate session keys for secure messaging between two interlocutors using two biometric templates. That is, you don't have to store your private and session keys somewhere. The proposed approach follows formal security analysis using detailed RealorRandom (ROR) model-based formal security analysis, informal (unmathematical) security analysis, and widely accepted automated Internet security verification., Can withstand multiple known attacks against (passive / active) attackers. Protocol and application (AVISPA) tools. Finally, numerous and comparative studies have shown the effectiveness and usefulness of the proposed approach.

When doing reverse analysis of program’s binary codes, it is often to encounter the function of cryptographic library. In order to reduce workload, a cryptographic library model has been designed by analysts. Models use formalized approach to describe the frame of cryptology and the structure of cryptographic function, complete the mapping from cryptographic function property to its architecture, and accomplish the result presentation of data analysis and mapping at last. The model can solve two problems: the first one is to know the hierarchy of the cryptographic function in the library well; the second one is to know some kinds of information, such as related cryptology algorithm and protocol, etc. These function implements can display the result graphically. The model can find relevant knowledge for the analysts automatically and rapidly, which is helpful to the learning of the overall abstract structure of cryptology.

In 2006, LI Fagen et al. proposed an efficient identity based signcryption scheme and declared that this scheme had the attributes of privacy, unforgeability, public verifiability, repudiation and forward security. After detailed analysis, we find that scheme does not meet the attributes which the author's declared. Actually, an active attacker with the capacity of controlling the communication channel can replace the public key of the sender to forge a cipher text which can pass the unsigncrypt phase but don't need to steal the private key of the sender. In 2009, LI Xiao et al. also found a method to forge a cipher text on the scheme of LI Fagan et al. Further, they proposed an improved identity-based signcryption scheme and declared their improved scheme had the attributes mentioned above. However we find a forged cipher text still can be constructed using the public key replacement attack. Finally, we point out the flaws in their schemes which our attack based on. In additional, we show that the Identity-Based Multi-Signcryption Scheme proposed by MENG Tao et al. in 2007 is insecure against the key replacement attack as well. In their scheme, an active attacker can replace the signcrypter's public key and forge a valid cipher text to pass the examination of the receiver without knowledge of the signcrypter's private key. we point out the flaws which lead to our attack succeeding to forge the valid cipher text and public key and illustrate protecting the signcrypter's public key in the signcryption phase is very important as the message to be signcryption.

Real-or-random Key Secrecy of the Otway-Rees Protocol via a Symbolic Security Proof

Symbolic secrecy of exchanged keys is arguably one of the most important notions of secrecy shown with automated proof tools. It means that an adversary restricted to symbolic operations on terms can never get the entire key into its knowledge set. Cryptographic key secrecy essentially means computational indistinguishability between the real key and a random one, given the view of a much more general adversary.

The article delves into the intricate characteristics and security properties of the secp256k1 elliptic curve used for the generation of addresses in the Bitcoin blockchain. The Bitcoin blockchain is a decentralized digital ledger that records all transactions made with Bitcoin cryptocurrency. In this work, the secp256k1 elliptic curve and its parameters and the method of generating private and public keys using random numbers are described. While the private key allows for the signing of transactions to spend Bitcoin, the corresponding public key and address enable others to verify transactions and send funds to that specific address on the blockchain, ensuring security, authenticity, and privacy in the decentralized network. The attacks on the use of secp256k1 for generating the bitcoin addresses like the Brute force attack, twist attack, fault attacks, and side channel attacks in the implementation of the elliptic curve are discussed. By maintaining the security and integrity of secp256k1, we can ensure that cryptographic operations, such as digital signatures and key exchanges, remain uncompromised. If the curve's security were compromised, malicious users could potentially derive private keys from public keys, leading to unauthorized transactions, double-spending, or other malicious activities. The security of implementation can be enhanced by ensuring cryptographic libraries and software implementations that utilize secp256k1 undergo thorough testing and validation to ensure correct and secure operations. The important attacks on blockchain technology like the 51% attack, Sybil attack, Double Spending attack, and Smart Contract vulnerabilities are discussed. Through a comprehensive exploration, readers will gain insights into why this particular elliptic curve was chosen for use in Bitcoin's cryptographic protocols, highlighting its role in ensuring the robustness and integrity of the blockchain ecosystem.

Optimization of resource consumption and decreasing the response time of authentication requests is an immense urgent requirement for supporting the scalability of resources in IoT environments. The existing research attempts to design lightweight authentication protocols to address these issues. However, the schemes proposed in the literature are lacking in the creation of a lightweight (i.e., low computing, communication, and storage cost) and secure architecture. IoT devices in existing approaches consume high electricity and computing power, despite the fact that IoT devices have limited power and computing capabilities. Furthermore, the existing approaches lead to an increase in the burden on storage memory and also create heavy traffic on a communication channel, increasing the response time of device authentication requests. To overcome these limitations, we propose a novel lightweight and secure architecture that uses crypto-modules, which optimize the usage of one-way hash functions, elliptic-curve cryptography, and an exclusive-or operation. We demonstrate the proposed scheme’s security strength using informal security analysis and verified it by considering the widely used automated validation of internet security protocol application (AVISPA) and the ProVerif tool. The result shows that the proposed scheme is effective against active and passive security attacks and satisfies secure design. Moreover, we calculate the proposed scheme’s working cost by implementing it using a widely accepted standard pairing-based cryptography (PBC) library on embedded devices. The implementation proves that the proposed scheme is lightweight and reduces computation time by 0.933 ms, communication cost by 1408 bits, and storage cost by 384 bits, and removes the existing gaps.

We present the first cryptographically sound security proof of the well-known Otway-Rees protocol. More precisely, we show that the protocol is secure against arbitrary active attacks including concurrent protocol runs if it is implemented using provably secure cryptographic primitives. Although we achieve security under cryptographic definitions, our proof does not have to deal with probabilistic aspects of cryptography and is hence in the scope of current proof tools. The reason is that we exploit a recently proposed ideal cryptographic library, which has a provably secure cryptographic implementation. Together with composition and preservation theorems of the underlying model, this allows us to perform the actual proof effort in a deterministic setting corresponding to a slightly extended Dolev-Yao model. Besides establishing the cryptographic security of the Otway-Rees protocol, our result also exemplifies the potential of this cryptographic library. We hope that it paves the way for cryptographically sound verification of security protocols by means of formal proof tools.KeywordsCryptographic ProtocolSecurity ProofConsistency PropertySymmetric EncryptionCommitment ProblemThese keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.