Section: New Results
Verification of Security Protocols in the Computational Model
The computational model of protocols considers messages as bitstrings, which is more realistic than the formal model, but also makes the proofs more difficult. Our verifier CryptoVerif is sound in this model. This year, we have continued our case study of Kerberos, have built a compiler from CryptoVerif specifications to implementations of protocols, and have implemented extensions of CryptoVerif.
Computationally Sound Mechanized Proofs for Basic and Public-Key Kerberos
Keywords: automatic verification, computational model, Kerberos, key usability, security protocols.
Participants: Bruno Blanchet, Aaron Jaggard [Rutgers University], Jesse Rao, Andre Scedrov [University of Pennsylvania], Joe-Kai Tsay [Ruhr-University Bochum].
We have extended our computationally sound analysis of Kerberos 5 with CryptoVerif [74]. In particular, we have extended our definition of key usability from IND-CCA2 key usability to INT-CTXT (ciphertext integrity) key usability, and we have proved that the session keys of Kerberos satisfy this new definition. This work was presented in [28].
Automatic Translation from CryptoVerif Specifications to Implementations
Keywords: automatic verification, computational model, implementations, compilation, security protocols.
Participant: David Cadé.
We have implemented a compiler [44], [29] that takes a CryptoVerif specification and generates an implementation of the protocol in OCaml. The goal of this work is to obtain implementations of security protocols that are proved secure in the computational model.
In future work, we will prove that our compiler is correct, that is, that the semantics of the generated code corresponds to the semantics of the specification. Consequently, if CryptoVerif can prove a property of the protocol, the generated implementation will also satisfy that property.
Extensions of CryptoVerif
Keywords: automatic verification, computational model, security protocols.
Participant: Bruno Blanchet.
We have extended CryptoVerif to handle the computational Diffie–Hellman assumption, which allows us, for instance, to prove a signed Diffie–Hellman protocol in the random oracle model. We also allow manually guided elimination of collisions between random numbers; this extension is particularly helpful for passwords: a password has a non-negligible probability of being guessed, so the automatic elimination of collisions for passwords often leads to unacceptably large probability bounds for attacks. We further allow the manual insertion of events, whose probability of execution is later bounded by CryptoVerif. Thanks to these extensions, we plan to prove the AuthA password-based key exchange protocol (a variant of EKE, Encrypted Key Exchange).