Skip to main content

How to Evaluate the Security of Real-Life Cryptographic Protocols?

The Cases of ISO/IEC 29128 and CRYPTREC

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 6054)

Abstract

Governments and international standards bodies have established certification procedures for security-critical technologies, such as cryptographic algorithms. Such standards have not yet been established for cryptographic protocols and hence it is difficult for users of these protocols to know whether they are trustworthy. This is a serious problem as many protocols proposed in the past have failed to achieve their stated security properties. In this paper, we propose a framework for certifying cryptographic protocols. Our framework specifies procedures for both protocol designers and evaluators for certifying protocols with respect to three different assurance levels. This framework is being standardized as ISO/IEC 29128 in ISO/IEC JTC1 SC27/WG3, in which three of the authors are project co-editors. As a case study in the application of our proposal, we also present the plan for the open evaluation of entity-authentication protocols within the CRYPTREC project.

Keywords

This is a preview of subscription content, log in via an institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD   54.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Blanchet, B.: From secrecy to authenticity in security protocols. In: Hermenegildo, M.V., Puebla, G. (eds.) SAS 2002. LNCS, vol. 2477, pp. 342–359. Springer, Heidelberg (2002)

    Chapter  Google Scholar 

  2. Kemmerer, R.: Using formal methods to analyze encryption protocols. IEEE Journal of Selected Areas in Communication 7(2), 448–457 (1989)

    Article  Google Scholar 

  3. Meadows, C.: The NRL protocol analyzer: An overview. Journal of Logic Programming 19 (1994)

    Google Scholar 

  4. Hoare, C.: Communicating sequential processes. CACM 21, 666–677 (1978)

    MATH  Google Scholar 

  5. Hoare, C.A.: Communicating Sequential Processes. Prentice-Hall, Englewood Cliffs (1995)

    MATH  Google Scholar 

  6. Basin, D.: Lazy infinite-state analysis of security protocols. In: Baumgart, R. (ed.) CQRE 1999. LNCS, vol. 1740, pp. 30–42. Springer, Heidelberg (1999)

    Chapter  Google Scholar 

  7. Basin, D., Mödersheim, S., Viganò, L.: OFMC: A symbolic model checker for security protocols. International Journal of Information Security 4(3), 181–208 (2005)

    Article  Google Scholar 

  8. Armando, A., Basin, D., Boichut, Y., Chevalier, Y., Compagna, L., Cuellar, J., Drielsma, P.H., Heám, P.C., Kouchnarenko, O., Mantovani, J., Mödersheim, S., von Oheimb, D., Rusinowitch, M., Santiago, J., Turuani, M., Viganò, L., Vigneron, L.: The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  9. Abadi, M., Blanchet, B.: Analyzing Security Protocols with Secrecy Types and Logic Programs. Journal of the ACM 52(1), 102–146 (2005)

    Article  MathSciNet  Google Scholar 

  10. Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: Proceedings of CSFW 2001, pp. 82–96. IEEE Computer Society Press, Los Alamitos (2001)

    Google Scholar 

  11. Blanchet, B.: A computationally sound mechanized prover for security protocols. In: IEEE Symposium on Security and Privacy, Oakland, California, May 2006, pp. 140–154 (2006)

    Google Scholar 

  12. Blanchet, B.: A computationally sound automatic prover for cryptographic protocols. In: Workshop on the link between formal and computational models, Paris, France (June 2005)

    Google Scholar 

  13. Cremers, C.: Scyther — Semantics and Verification of Security Protocols. PhD thesis, University of Eindhoven (2006)

    Google Scholar 

  14. Paulson, L.C.: The inductive approach to verifying cryptographic protocols. Journal of Computer Security 6, 85–128 (1998)

    Google Scholar 

  15. Durgin, N., Lincoln, P.D., Mitchell, J.C., Scedrov, A.: Undecidability of Bounded Security Protocols. In: Proceedings of the FLOC 1999 Workshop on Formal Methods and Security Protocols, FMSP 1999 (1999)

    Google Scholar 

  16. Boichut, Y., Heam, P.C., Kouchnarenko, O., Oehl, F.: Improvements on the Genet and Klay Technique to Automatically Verify Security Protocols. In: Automated Verification of Infinite States Systems (AVIS 2004). ENTCS (2004)

    Google Scholar 

  17. Goldwasser, S., Micali, S.: Probabilistic encryption. Journal of Computer and System Sciences 28, 270–299 (1984)

    Article  MATH  MathSciNet  Google Scholar 

  18. Sprenger, C., Backes, M., Basin, D., Pfitzmann, B., Waidner, M.: Cryptographically sound theorem proving. In: 19th IEEE Computer Security Foundations Workshop, Venice, Italy, July 2006, pp. 153–166. IEEE Computer Society, Los Alamitos (2006)

    Chapter  Google Scholar 

  19. Sprenger, C., Basin, D.: Cryptographically-sound protocol-model abstractions. In: Computer Security Foundations (CSF 2008), pp. 115–129. IEEE Computer Society, Los Alamitos (2008)

    Google Scholar 

  20. Nowak, D.: A framework for game-based security proofs. In: Qing, S., Imai, H., Wang, G. (eds.) ICICS 2007. LNCS, vol. 4861, pp. 319–333. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  21. CRYPTREC: e-government recommended ciphers list (2003), http://www.cryptrec.go.jp/english/images/cryptrec_01en.pdf

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Matsuo, S., Miyazaki, K., Otsuka, A., Basin, D. (2010). How to Evaluate the Security of Real-Life Cryptographic Protocols?. In: Sion, R., et al. Financial Cryptography and Data Security. FC 2010. Lecture Notes in Computer Science, vol 6054. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14992-4_16

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-14992-4_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14991-7

  • Online ISBN: 978-3-642-14992-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics