Fulltext - International Journal of Computer Technology and ...
Fulltext - International Journal of Computer Technology and ...
Fulltext - International Journal of Computer Technology and ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Sanjay Kumar Sonkar et al ,Int.J.<strong>Computer</strong> <strong>Technology</strong> & Applications,Vol 3 (2), 525-531<br />
ISSN:2229-6093<br />
Interpretation <strong>of</strong> formal pro<strong>of</strong> for Cryptographic Protocols into<br />
Computational Model<br />
Sanjay Kumar Sonkar 1 , Darmendra Lal Gupta 2 , Dr. Anil Kumar Malviya 3 , Ganesh Ch<strong>and</strong>ra 4 , Vinod Kumar Yadav 5<br />
1,4,5 M. Tech. Student, Department <strong>of</strong> <strong>Computer</strong> Science & Engineering, Kamla Nehru Institute <strong>of</strong> <strong>Technology</strong>, Sultanpur, (U.P.) India<br />
2 Assistant Pr<strong>of</strong>essor, Department <strong>of</strong> <strong>Computer</strong> Science & Engineering, Kamla Nehru Institute <strong>of</strong> <strong>Technology</strong>, Sultanpur, (U.P.) India<br />
3 Associate Pr<strong>of</strong>essor, Department <strong>of</strong> <strong>Computer</strong> Science & Engineering, Kamla Nehru Institute <strong>of</strong> <strong>Technology</strong>, Sultanpur, (U.P.) India<br />
E-mail: { 1 kumarsanjaysonkar@gmail.com, 2 dlgupta2002@gmail.com, 3 anilkmalviya@yahoo.com,<br />
4 ganesh.iiscgate@gmail.com, 5 vinodrockcsit@gmail.com }<br />
Abstract<br />
Cryptography is the spinal cord for all security measures<br />
involved in computing field so a lot <strong>of</strong> emphasis is required<br />
to be given to make it strong enough to deal all the<br />
transition <strong>of</strong> the security industry. We present a general<br />
method to prove security properties <strong>of</strong> multiple<br />
cryptographic protocols in an execution model where clients<br />
exchange messages using multiple protocols against active<br />
adversaries. The method discussed here allows to interpret<br />
the logical formal pro<strong>of</strong>s <strong>of</strong> cryptographic systems into their<br />
computational equivalent. The security properties are<br />
expressed in terms <strong>of</strong> logics, which are then interpreted in a<br />
computational setup. Also, we further show that if the<br />
statement is true for any symbolic execution then the<br />
corresponding computational interpretation is widely<br />
accepted in all forms. The messages between clients are<br />
expressed in syntax form <strong>and</strong> do not require dealing with<br />
asymptotic notations <strong>and</strong> probability distribution. This<br />
paper provides a basic framework <strong>and</strong> edifice for extending<br />
the protocol specification language with other<br />
cryptographic primitives.<br />
Keywords: Cryptographic protocols, Symbolic analysis,<br />
Protocol logic, formal methods for security protocols.<br />
I. Introduction<br />
Cryptographic protocols are fundamental tool in the design<br />
<strong>of</strong> secure distributed computing systems [3][4][7], but they<br />
are also extremely hard to design <strong>and</strong> validate. The<br />
difficulty <strong>of</strong> designing valid cryptographic protocols[1][5]<br />
stems mostly from the fact that security properties[2] should<br />
remain valid even when the protocol is executed in an<br />
unpredictable adversarial environment, where some <strong>of</strong> the<br />
clients (or an external entity) are maliciously attempting to<br />
make the protocol deviate from its prescribed behavior.<br />
Basically, Cryptographic protocols are coined in one <strong>of</strong> two<br />
ways: [9][11][15]<br />
A. Computational Model:<br />
The computational model consists <strong>of</strong> following models:<br />
Messages are considered as bit-strings[17];<br />
The encryption operation[19] <strong>of</strong> message is a<br />
concrete arithmetic;<br />
Security is defined in terms <strong>of</strong> that a<br />
computationally bounded[20][23] adversary can<br />
only attack successfully with negligible probability;<br />
Analysis <strong>of</strong> security is done by reduction.<br />
B. Formal Model (“Dolev-Yao model”):<br />
The formal model comprises <strong>of</strong>:<br />
Abstracts cryptographic concepts into an algebra <strong>of</strong><br />
symbolic messages[9][12];<br />
Messages are considered as formal expressions;<br />
The encryption operation is only an abstract<br />
function;<br />
Security is modeled by formal formulas[14];<br />
Analysis <strong>of</strong> security is done by formal reasoning.<br />
This paper is divided into six parts. Starting with<br />
introduction (Section-I), next section covers theoretical<br />
experiment (Section-II). Moving ahead analysis model<br />
(Section-III), related work has been described in<br />
(Section-IV) <strong>and</strong> finally conclusion & future work has<br />
been described in (Section-V & VI).<br />
II. Theoretical Experiment<br />
Example:<br />
A→B: e = {xˋk}x k , mac(e, x mk )<br />
xˋk fresh<br />
A sends to B a fresh key x′ k encrypted under authenticated<br />
encryption [22][23], implemented as encrypt-then-MAC.<br />
x′ k should remain secret.<br />
Step 1: Initialization:<br />
A→B: e = {xˋk}x k , mac(e, x mk )<br />
xˋk fresh<br />
Q 0 = start(); new x r : keyseed; let x k : key= kgen(x r ) in<br />
new xˋr : mkeyseed; let x mk : mkey = mkgen(xˋr) in α(); (Q A | Q B )<br />
Initialization <strong>of</strong> keys:<br />
<br />
The process Q 0 waits for a message on channel<br />
start. The adversary triggers this process.<br />
525
Q 0 generates encryption <strong>and</strong> MAC keys, x k <strong>and</strong> x mk<br />
[2][6] respectively, using the key generation<br />
algorithms kgen <strong>and</strong> mkgen.<br />
Q 0 returns control to the adversary by the output<br />
α().<br />
Q A <strong>and</strong> Q B represent the actions <strong>of</strong> A <strong>and</strong> B.<br />
Step 2:<br />
a) Role <strong>of</strong> A:<br />
<br />
<br />
<br />
Sanjay Kumar Sonkar et al ,Int.J.<strong>Computer</strong> <strong>Technology</strong> & Applications,Vol 3 (2), 525-531<br />
A→B: e = {xˋk}x k , mac(e, x mk ) xˋk fresh<br />
Q A = β i ≤ n C A (); new xˋk : key; new x″ r :coins;<br />
Let xm : bitstring = enc(k2b(xˋk), x k , x″ r ) in<br />
C A <br />
β i ≤ n represents n copies, indexes by i ϵ [1,n]<br />
The protocol can be run n times (polynomial in the<br />
security parameter [4]).<br />
The process is triggered when a message is sent on<br />
C A by the adversary.<br />
The process chooses a fresh key xˋk <strong>and</strong> sends the<br />
message on channel C A .<br />
We obtain a sequence <strong>of</strong> games G 0 ≈ G 1 ≈ … ≈ G m , which<br />
implies G 0 ≈ G m .<br />
If some equivalence or trace property hold with<br />
overwhelming probability in G m , then it also hold with<br />
overwhelming probability in G 0 .<br />
Step 5: Security definition [1][2][9]:<br />
A MAC scheme:<br />
(R<strong>and</strong>omized) key generation function mkgen.<br />
MAC function mac (m, k) takes as input a message<br />
m <strong>and</strong> a key k.<br />
Verification function verify(m, k, t) such that<br />
Verify (m, k, mac (m, k)) = true.<br />
ISSN:2229-6093<br />
A MAC guarantees the integrity <strong>and</strong> authenticity [26] <strong>of</strong> the<br />
message because only someone who knows the secret key<br />
can build the mac.<br />
More formally, an adversary A that has oracle access to mac<br />
<strong>and</strong> verify has a negligible probability to forge a MAC:<br />
b) Role <strong>of</strong> B:<br />
A→B: e = {xˋk}x k , mac(e, x mk ) xˋk fresh<br />
Q B = β i ≤ n C B (xˋm : bitstring, x ma : macstring);<br />
if veriry (xˋm , x mk , x ma ) than<br />
let i ⊥ (k2b(x″ k )) = dec (xˋm, x k ) in C B ()<br />
n copies, as for Q A .<br />
The process Q B waits for the message on channel<br />
C B .<br />
It verifies the MAC, decrypts <strong>and</strong> stores the key in<br />
x″ k .<br />
Step 3: Indistinguishability as observational equivalence:<br />
Two processes Q1, Q2 are observationally equivalent where<br />
the adversary has a negligible probability <strong>of</strong> distinguishing<br />
them:<br />
Q 1 ≈ Q 2<br />
In the formal definition, the adversary is represented by an<br />
acceptable evaluation context C:: = C|Q & Q|C new<br />
Channel c; C.<br />
Observation equivalence is an equivalence relation.<br />
It is contextual: Q 1 ≈ Q 2 implies C[Q] ≈ C[Q]<br />
where C is any acceptable evaluation context.<br />
Step 4: Pro<strong>of</strong> Technique:<br />
We transform a Game G 0 into an observationally equivalent<br />
[27][28] on using:<br />
Observational equivalences: L ≈ R given as<br />
axioms <strong>and</strong> that come from security assumptions<br />
on primitives. These equivalences are used inside a<br />
context:<br />
G1 ≈ C[L] C[R] ≈ G2<br />
Syntactic transformations: Simplification,<br />
expansion <strong>of</strong> assignments,<br />
max Pr[verify (m, k, t) | k ← mkgen; (m, t) ← A mac (. , k), verify(. , k, .) ]<br />
A<br />
is negligible, when the adversary A has not called the mac<br />
oracle on message m.<br />
Step 6: Intuitive Implementation:<br />
By the previous definition, up to neglible probability,<br />
<br />
<br />
<br />
The adversary cannot forge a correct MAC.<br />
So when verifying a MAC with verify (m, k, t) <strong>and</strong><br />
k ← mkgen is used only for generating <strong>and</strong><br />
verifying MACs, the verification can succeed only<br />
if m is in the list (array) <strong>of</strong> message whose mac has<br />
been computed by the protocol.<br />
So we can replace a call to verify with an array<br />
lookup:<br />
If the call to mac is mac (x, k), we replace verify<br />
(m, k, t) with find j ≤ N such that defined (x[j]) ˄<br />
(m = x[j]) ˄ verify (m, k, t) then true else false.<br />
Step 7: Formal implementation (1) [15]:<br />
Verify (m, mkgen(r), mac(m, mkgen(r))) = true<br />
β N″ new r : mkeyseed; (β N (x : bitstring) → mac(x, mkgen(r)),<br />
β Nˋ(m : bitstring, t : macstring) → verify(m, mkgen(r), t))<br />
≈<br />
β N″ new r : mkeyseed; (β N (x : bitstring) → mac(x, mkgen(r)),<br />
β Nˋ(m : bitstring, t : macstring) →<br />
find j ≤ N such that defined(x[j]) ˄ (m = x[j]) ˄ verify(m,<br />
mkgen(r), t) then true else false.<br />
Formal implementation (2):<br />
Verify (m, mkgen(r), mac(m, mkgen(r))) = true<br />
β N″ new r : mkeyseed; (β N (x : bitstring) → mac(x, mkgen(r)),<br />
β Nˋ(m : bitstring, t : macstring) → verify(m, mkgen(r), t))<br />
526
Sanjay Kumar Sonkar et al ,Int.J.<strong>Computer</strong> <strong>Technology</strong> & Applications,Vol 3 (2), 525-531<br />
≈<br />
β N″ new r : mkeyseed; (β N (x : bitstring) → macˋ(x, mkgenˋ(r)),<br />
β Nˋ(m : bitstring, t : macstring) →<br />
find j ≤ N such that defined(x[j]) ˄ (m = x[j]) ˄ verifyˋ(m,<br />
mkgenˋ(r), t) then true else false.<br />
The prover applies the previous rule automatically in any<br />
(polynomial-time) context, perhaps containing several<br />
occurrences <strong>of</strong> mac <strong>and</strong> verify following:<br />
ISSN:2229-6093<br />
prove the source <strong>of</strong> the message to a third party. A practical<br />
secure deniable authentication protocol should have the<br />
following properties: Completeness or authentication, strong<br />
deniability, weak deniability, security <strong>of</strong> forgery attack,<br />
security <strong>of</strong> impersonate attack, security <strong>of</strong> compromising<br />
session secret attack, security <strong>of</strong> man-in-the-middle attack.<br />
<br />
<br />
Each occurrence <strong>of</strong> mac is replaced with macˋ.<br />
Each occurrence <strong>of</strong> verify is replaced with a<br />
message key <strong>and</strong> find that looks in all arrays <strong>of</strong><br />
computed MACs.<br />
Step 8: Pro<strong>of</strong> <strong>of</strong> security properties:<br />
a. One-session secrecy:<br />
The adversary cannot distinguish any <strong>of</strong> the<br />
secretes from a r<strong>and</strong>om number with one test query.<br />
Criterion for proving one-session secrecy [19][21] <strong>of</strong> x:<br />
X is defined by new x[i] : T <strong>and</strong> there is a set <strong>of</strong><br />
variables S such that only variables in S depend on x.<br />
The output messages <strong>and</strong> the control-flow do not<br />
depend on x.<br />
b. Secrecy:<br />
The adversary cannot distinguish the secrets from<br />
independent r<strong>and</strong>om numbers with several test queries.<br />
Criterion for proving secrecy <strong>of</strong> x:<br />
Same as one-session secrecy, plus x[i] <strong>and</strong> x[iˋ] do<br />
not come from the same copy <strong>of</strong> the same restriction when<br />
i ≠ iˋ.<br />
Step 9: Result:<br />
In most cases, the prover succeeds in proving the<br />
desired properties when they hold <strong>and</strong> obviously it always<br />
fails to prove them when they do not hold.<br />
Only cases in which the prover fails although the property<br />
holds:<br />
Needham-Schroeder [9][11] public-key when the<br />
exchanged key is the nonce N A.<br />
Needham-Schroeder shared-key: fails to prove that<br />
N B [i] ≠ N B [iˋ]-1 with overwhelming probability,<br />
where N B is a nonce.<br />
III. Analysis Model<br />
Deniable authentication protocols allow a Sender to<br />
authenticate a message for a receiver, in a way that the<br />
receiver cannot convince a third party that such<br />
authentication (or any authentication) ever took place.<br />
Deniable authentication has two characteristics that differ<br />
from traditional authentication: One is that only the intended<br />
receiver can authenticate the true source <strong>of</strong> a given message;<br />
the other is that the receiver cannot provide the evidences to<br />
Figure 1: Analysis model <strong>of</strong> deniable authentication protocols with<br />
Blanchet calculus<br />
Generally deniable authentication protocol includes three<br />
roles, Sender which is initiator, receiver which is responder<br />
<strong>and</strong> third party, represented by Sender, Receiver <strong>and</strong> Third<br />
party, respectively. We assume that Sender plays only on the<br />
role <strong>of</strong> the initiator; Receiver plays only the role <strong>of</strong><br />
responder, Third party play only on the prover. The deniable<br />
authentication protocol consists <strong>of</strong> a sequence <strong>of</strong> messages<br />
exchanged between the Sender <strong>and</strong> the Receiver & the<br />
Receiver <strong>and</strong> Third party. In deniable authentication<br />
protocol Sender can authenticate a message for Receiver, in<br />
a way that they cannot Receiver convince a Third party that<br />
such authentication (or any authentication) ever took place.<br />
Deniable authentication protocol has two characteristics that<br />
differ from traditional authentication protocol. One is that<br />
only the intended Receiver can authenticate the true source<br />
<strong>of</strong> a given message. The other is that the Sender cannot<br />
provide the evidences to prove the source <strong>of</strong> the message to<br />
a third party at some condition <strong>and</strong> the Receiver can provide<br />
the evidences to prove the source <strong>of</strong> the message to a third<br />
party. The ability <strong>of</strong> adversary is defined in the previous<br />
section. It can control the channel SR between Sender <strong>and</strong><br />
Receiver. It cannot control the channels: Channel ST <strong>and</strong><br />
channel RT. At the same time the adversary is a<br />
probabilistic polynomial-time attacker.<br />
Strong deniability:<br />
The purpose <strong>of</strong> strong deniability is to protect the privacy <strong>of</strong><br />
Sender. After execution <strong>of</strong> the deniable authentication<br />
protocol the Sender can deny to have ever authenticated<br />
anything to Receiver. If the prover (Receiver or the any<br />
other party) wants to prove that the Sender have<br />
authenticated messages to Receiver, they must provide all<br />
the relevant evidence. The Sender can provide his secret<br />
information to the Third party. A adversary model in strong<br />
deniability: we suppose that the Sender <strong>and</strong> the Receiver<br />
cooperate with the judge or the prover or the any other party<br />
527
which means that the Sender <strong>and</strong> the Receiver provide all<br />
the transcripts <strong>of</strong> the message in the deniable authentication<br />
protocol to them.<br />
If DAP satisfies the condition one <strong>and</strong> four in:<br />
Inj-event (whole sender (Receiver, x)) = inj-event(whole Receiver (Sender, x) )<br />
Inj-event (whole Thirdparty (Receiver, x)) = inj-event(whole Thirdparty (Sender, x) )<br />
Definition DAP <strong>and</strong> DAP’ satisfies the correspondence <strong>and</strong><br />
with public variables V = φ, then DAP is a secure deniable<br />
authentication protocol with session in a adversary model in<br />
strong deniability. In the above definition <strong>of</strong> DAP the<br />
injective correspondence can be instead by non-injective<br />
correspondence.<br />
Weak deniability:<br />
The purpose <strong>of</strong> weak deniability is to protect the privacy <strong>of</strong><br />
Sender. After execution <strong>of</strong> the deniable authentication<br />
protocol the Receiver can prove to have spoken to Sender<br />
but not the content <strong>of</strong> what the Sender authenticated in a<br />
way that the Receiver cannot convince a third party.<br />
Deniable Authentication Protocol<br />
Security Properties<br />
Active Adversary Model<br />
Sanjay Kumar Sonkar et al ,Int.J.<strong>Computer</strong> <strong>Technology</strong> & Applications,Vol 3 (2), 525-531<br />
Relating the Two Models:<br />
Meng & Shao<br />
Mechnized Model<br />
Automated<br />
Verification<br />
ISSN:2229-6093<br />
In order to prove any relationship between the formal <strong>and</strong><br />
computational worlds, we need to define the interpretation<br />
<strong>of</strong> expressions [8] <strong>and</strong> patterns. Once an encryption scheme<br />
is depicted, we can define the interpretation function α,<br />
which assigns to each expression or pattern M a family <strong>of</strong><br />
r<strong>and</strong>om variables {α η (M)} η∈ N such that each α η (M) takes<br />
values in strings. For expressions:<br />
Blocks are interpreted as strings,<br />
Each key is interpreted by running the key<br />
generation algorithm,<br />
Pairs are translated into computational pairs,<br />
Formal encryptions terms are interpreted by<br />
running the encryption algorithm.<br />
Difference between Formal approach <strong>and</strong><br />
Computational approach [15]:<br />
Formal approach Computational<br />
approach<br />
Message Terms Bits-strings<br />
Encryption Idealized Algorithm<br />
Adversary Idealized Any polynomial<br />
algorithm<br />
Secrecy Reach ability-based Indistingability<br />
property property<br />
Guarantees Unclear Strong<br />
Pro<strong>of</strong> Automatic By h<strong>and</strong> <strong>and</strong> errorprone<br />
Balnchet Calculus<br />
Computational Model<br />
Crypto Verification<br />
Figure 2: Model <strong>of</strong> automatic verification <strong>of</strong> deniable authentication<br />
protocols<br />
If the Receiver want to prove that the Sender have<br />
authenticated messages to Receiver, he must provide the<br />
evidence related to the thing. An adversary model in weak<br />
deniability: When discussing the weak deniability, in<br />
addition the adversary has the ability in previous section; we<br />
always suppose that only the Receiver generates the<br />
evidence that the Sender have authenticated messages to<br />
Receiver. Receiver cannot get the secret information <strong>of</strong> the<br />
Sender, for example the private key <strong>of</strong> Sender. Receiver can<br />
provide his secret information to the Third party.<br />
If DAP’ satisfies the condition one in definition DAP <strong>and</strong><br />
DAP’ satisfies the correspondence:<br />
Inj-event (whole sender (Receiver, x)) = inj-event(whole Receiver (Sender, x) )<br />
Inj-event (whole Thirdparty (Receiver, x)) = inj-event(whole Thirdparty (Sender, x) )<br />
<strong>and</strong> with public variables V = φ, then DAP is a secure<br />
deniable authentication protocol with session functions in a<br />
adversary model in weak deniability. In the above definition<br />
<strong>of</strong> DAP the injective correspondence can be instead by noninjective<br />
correspondence.<br />
Our Contribution:<br />
The primary contribution <strong>of</strong> this paper is that it tried to bring<br />
about various concepts which are requisite for concrete<br />
development in pro<strong>of</strong>s <strong>of</strong> cryptography protocols <strong>and</strong><br />
remove the bottleneck reason for its failure. In particular, we<br />
define the equivalence between formal messages in the<br />
presence <strong>of</strong> both key cycles <strong>and</strong> secret shares, <strong>and</strong> then<br />
prove the computational soundness [13][16] about formal<br />
encryption in this setting.<br />
1. First computational analysis <strong>of</strong> an industrial protocol:<br />
Consider authentication[29] <strong>and</strong> secrecy<br />
properties[26],<br />
Analyzed Basic Kerberos 5 <strong>and</strong> public-key<br />
Kerberos[22],<br />
Kerberos is complex (e.g. PKINIT uses both<br />
public-key <strong>and</strong> symmetric).<br />
Cryptographic primitives (Encryption, Signatures,<br />
MACs).<br />
2. Pro<strong>of</strong>s were carried out symbolically in the BPW<br />
model:<br />
Pro<strong>of</strong>s in Dolev-Yao style model are<br />
cryptographically sound,<br />
Pro<strong>of</strong>s can be automated.<br />
528
Sanjay Kumar Sonkar et al ,Int.J.<strong>Computer</strong> <strong>Technology</strong> & Applications,Vol 3 (2), 525-531<br />
IV. Related Work<br />
Early work on linking Dolev-Yao models <strong>and</strong> cryptography<br />
only considered passive attacks, <strong>and</strong> therefore cannot make<br />
general statements about protocols. A Cryptographic<br />
justification for a Dolev-Yao model in the sense <strong>of</strong> under<br />
active attacks <strong>and</strong> within arbitrary surrounding interactive<br />
protocols [29][30].<br />
Diminishing the distance between the computational <strong>and</strong><br />
logic treatment <strong>of</strong> Cryptography has been the subject <strong>of</strong><br />
many recent research efforts. The works which are more<br />
closely related to our paper, which present a simple logic for<br />
reasoning about the security protocols written in a language<br />
similar to ours, but only for the case <strong>of</strong> passive adversaries.<br />
Other approaches to bridging the logic <strong>and</strong> computational<br />
models <strong>of</strong> cryptography have also been considered in the<br />
literature, but they all seem considerably more complex. The<br />
notions <strong>of</strong> probability, polynomial bounded computation,<br />
<strong>and</strong> computational in distinguish ability are incorporated in<br />
a process calculus, <strong>and</strong> security is defined in terms <strong>of</strong><br />
observational equivalence on processes.<br />
Work is in progress regarding formulation <strong>of</strong> mathematical<br />
model for syntactic approach dealing with probability <strong>and</strong><br />
polynomial-time [14] considerations <strong>and</strong> encoding them into<br />
pro<strong>of</strong> tools, in particular. This is equivalent to the work <strong>of</strong><br />
justifying Dolev-Yao models, which <strong>of</strong>fer a higher level <strong>of</strong><br />
abstractions <strong>and</strong> thus much simpler pro<strong>of</strong>s where applicable,<br />
so that pro<strong>of</strong>s <strong>of</strong> larger systems can be automated.<br />
V. Conclusion<br />
On the macroscopic view, we come across the various<br />
security measures involved in security protocol pro<strong>of</strong>s. This<br />
paper properly deals with all the computational technique<br />
which can overcome all the day by day new developments<br />
in cryptographic field.<br />
This paper reflects logical formal pro<strong>of</strong>s <strong>of</strong> security<br />
protocols into the computational model. The formal pro<strong>of</strong>s<br />
are easy with respect to computational model as we don’t<br />
have to consider the probabilistic distribution <strong>and</strong><br />
asymptotic notations. The security properties are expressed<br />
in terms simple logic based language using syntactic<br />
expressions <strong>and</strong> are then interpreted in a computational<br />
setup. Also these formal pro<strong>of</strong> are sound as any active<br />
adversaries can extract information from messages if the<br />
statement hold true for any symbolic execution. Therefore,<br />
we need such a framework for the interpretation <strong>of</strong> formal<br />
pro<strong>of</strong> into cryptographic system so as to develop more <strong>and</strong><br />
more secure communication systems.<br />
VI. Future Work<br />
1. Considering execution models in which we can extend<br />
instances not <strong>of</strong> a single but <strong>of</strong> a set <strong>of</strong> protocols if they<br />
are developed in future.<br />
2. Developing a more general execution model involving<br />
reactive clients.<br />
3. Generalize our abstract definition <strong>of</strong> security notions to<br />
capture secrecy properties.<br />
4. Augmenting the BPW model with tailored protocol<br />
logics to further simplify modular reasoning.<br />
5. Underst<strong>and</strong>ing the relation <strong>of</strong> correctness pro<strong>of</strong>s <strong>of</strong><br />
(commercial) protocols in MSR <strong>and</strong> in the BPW<br />
model.<br />
VII. References<br />
ISSN:2229-6093<br />
[1] E. S. Cohen, “Information transmission in<br />
computational systems,” ACM SIGOPS Operating<br />
Systems Review, vol. 11, no. 5, pp. 133–139, 1977.<br />
[2] J. McLean, “Security models <strong>and</strong> information<br />
flow,” in Proc. IEEE Symp. on Security <strong>and</strong><br />
Privacy, May 1990, pp. 180–187.<br />
[3] Focardi <strong>and</strong> R. Gorrieri, “A classification <strong>of</strong><br />
security properties for process algebras,” J.<br />
<strong>Computer</strong> Security, vol. 3, no. 1, pp. 5–33, 1995.<br />
[4] D. Song. An automatic checker for security<br />
protocol analysis. In 12th IEEE <strong>Computer</strong> Security<br />
Foundations Workshop, June 1999.<br />
[5] D. Kozen, “Language-based security,” in Proc.<br />
Mathematical Foundations <strong>of</strong> <strong>Computer</strong> Science.<br />
Sept. 1999, vol. 1672 <strong>of</strong> LNCS, pp. 284– 298,<br />
Springer-Verlag.<br />
[6] Aldini, “Probabilistic information flow in process<br />
algebra,” in Proc. CONCUR’01. Aug. 2001, vol.<br />
2154 <strong>of</strong> LNCS, pp. 152–168, Springer-Verlag.<br />
[7] Michele Boreale. Symbolic trace analysis <strong>of</strong><br />
cryptographic protocols. In 28th Colloquium on<br />
Automata, Languages <strong>and</strong> Programming (ICALP),<br />
LNCS. Springer, July 2001.<br />
[8] M. Zanotti, “Security typings by abstract<br />
interpretation,” in Proc.Symposium on Static<br />
Analysis. Sept. 2002, vol. 2477 <strong>of</strong> LNCS, pp. 360–<br />
375, Springer-Verlag.<br />
[9] M. Backes <strong>and</strong> B. Pfitzmann. A cryptographically<br />
sound security pro<strong>of</strong> <strong>of</strong> the Needham-Schroeder-<br />
Lowe public-key protocol. Available as Cryptology<br />
ePrint Archive, Report 2003/121.<br />
[10] M. Backes, B. Pfitzmann, <strong>and</strong> M. Waidner. A<br />
universally composable cryptographic library.<br />
Available as Cryptology ePrint Archive, Report<br />
2003/015.<br />
[11] M. Backes <strong>and</strong> B. Pfitzmann. Symmetric<br />
Encryption in a simulatable Dolev-Yao style<br />
cryptographic library. In Proceedings <strong>of</strong> the 17th<br />
<strong>Computer</strong> Security Foundations Workshop, pages<br />
204{218. IEEE <strong>Computer</strong> Society, June 2004.<br />
[12] Iliano Cervesato, Aaron D. Jaggard, Andre<br />
Scedrov, <strong>and</strong> Christopher Walstad. Specifying<br />
Kerberos 5 Cross-Realm Authentication. In Proc.<br />
WITS’05, pages 12–26. ACM Digital Lib., 2005.<br />
[13] V`eronique Cortier <strong>and</strong> Bogdan Warinschi.<br />
Computationally sound, automated pro<strong>of</strong>s for<br />
security protocols. In Proc. 14th European<br />
529
Sanjay Kumar Sonkar et al ,Int.J.<strong>Computer</strong> <strong>Technology</strong> & Applications,Vol 3 (2), 525-531<br />
Symposium on Programming (ESOP), pages 157–<br />
171, 2005.<br />
[14] Anupam Datta, Ante Derek, John Mitchell, Vitalij<br />
Shmatikov, <strong>and</strong> Matthieu Turuani. Probabilistic<br />
polynomial-time semantics for protocol security<br />
logic. In Proc. 32nd <strong>International</strong> Colloquium on<br />
Automata, Languages <strong>and</strong> Programming (ICALP),<br />
volume 3580 <strong>of</strong> Lecture Notes in <strong>Computer</strong><br />
Science, pages 16–29. Springer, 2005.<br />
[15] Laud, P. Formal analysis <strong>of</strong> crypto protocols:<br />
Secrecy types for a simulatable cryptographic<br />
library. In Proc. ACM Conf. on <strong>Computer</strong> <strong>and</strong><br />
Communication Security (ACM CCS 2005)<br />
(2005), ACM Press, pp. 26–35.<br />
http://scialert.net/fulltext/?doi=itj.2011.1068.1091<br />
&org=11<br />
[16] C. He <strong>and</strong> J. C. Mitchell. Security Analysis <strong>and</strong><br />
Improvements for IEEE 802.11i. In Proceedings <strong>of</strong><br />
the 11th Annual Network <strong>and</strong> Distributed System<br />
Security Symposium (NDSS ’05), February 2005.<br />
[17] Ran Canetti <strong>and</strong> Jonathan Herzog. Universally<br />
composable symbolic analysis <strong>of</strong> cryptographic<br />
protocols (the case <strong>of</strong> encryption-based mutual<br />
authentication <strong>and</strong> key exchange). In Proc. 3rd<br />
Theory <strong>of</strong> Cryptography Conference (TCC), 2006.<br />
[18] Iliano Cervesato, Aaron D. Jaggard, Andre<br />
Scedrov, Joe-Kai Tsay, <strong>and</strong> Chris Walstad.<br />
Breaking <strong>and</strong> fixing public-key Kerberos. In Proc.<br />
WITS’06, pages 55–70, 2006.<br />
[19] Anupam Datta, Ante Derek, John Mitchell, <strong>and</strong><br />
Bogdan Warinschi. Key exchange protocols:<br />
Security definition, pro<strong>of</strong> method, <strong>and</strong> applications.<br />
In 19th IEEE <strong>Computer</strong> Security Foundations<br />
Workshop (CSFW 19), Venice, Italy, 2006. IEEE<br />
Press.<br />
[20] Tsudik, G. YA-TRAP: Yet another trivial RFID<br />
authentication protocol. In Proc. IEEE Intern. Conf.<br />
on Pervasive Computing <strong>and</strong> Communications<br />
(PerCom 2006) (2006), IEEE Press.<br />
[21] Oren, Y., <strong>and</strong> Shamir, A. Power analysis <strong>of</strong> RFID<br />
tags. Appeared in the rump session <strong>of</strong> Advances in<br />
Cryptology, CRYPTO 2006. Available online at<br />
http://www.wisdom.weizmann.ac.il/_yossio/rfid/,<br />
Weizmann Institute, 2006.<br />
[22] Burmester, M., van Le, T., <strong>and</strong> de Medeiros, B.<br />
Provably secure ubiquitous systems: Universally<br />
composable RFID authentication protocols. E-print<br />
report 2006/131, <strong>International</strong> Association for<br />
Cryptological Research, 2006.<br />
[23] IETF. Public Key Cryptography for Initial<br />
Authentication in Kerberos, 1996–2006. Sequence<br />
<strong>of</strong> Internet drafts available from<br />
http://tools.ietf.org/wg/krb-wg/draft-ietf-catkerberos-pk-init/.<br />
[24] F. Wang <strong>and</strong> Y. Zhang, “A new provably secure<br />
authentication <strong>and</strong> key agreement mechanism for<br />
SIP using certificateless public-key cryptography”,<br />
Cryptology ePrint Archive, Report 2007/220, 2007.<br />
[25] Tarjei K. M<strong>and</strong>t <strong>and</strong> Chik How Tan,<br />
“Certificateless authenticated two-party key<br />
agreement protocol”, ASIAN 2006, LNCS 4435,<br />
pp.37-44, 2007.<br />
[26] Y. Sun, F. Zhang, <strong>and</strong> J. Baek, “Strongly Secure<br />
Certificate less Public Key Encryption without<br />
Pairing”, CANS 2007, LNCS 4856, pp.194-208,<br />
2007.<br />
[27] X. Liang, SH. Wang, J. Shen <strong>and</strong> G. Xu, “Breaking<br />
<strong>and</strong> Repairing the Certificate less key agreement<br />
protocol from ASIAN 2006”, Wuhan University<br />
<strong>Journal</strong> <strong>of</strong> Natural Sciences,vol. 13, no. 5, pp. 562-<br />
566, 2008.<br />
[28] Dario Fiore <strong>and</strong> Rosario Gennaro, “Making the<br />
Diffie-Hellman Protocol Identity-Based”,<br />
http://eprint.iacr.org/2009/174,2009.<br />
[29] Georg Lippold, Colin Boyd <strong>and</strong> Juan Gonzalez<br />
Nieto, “Strongly Secure Certificate less Key<br />
Agreement”, http://eprint.iacr.org/2009/219.<br />
[30] Cas J.F. Cremers, “Formally <strong>and</strong> Practically<br />
Relating the CK, CK-HMQV, <strong>and</strong> eCK Security<br />
Models for Authenticated Key Exchange”,<br />
http://eprint.iacr.org/2009/253.<br />
Bibliographies:<br />
ISSN:2229-6093<br />
Sanjay Kumar Sonkar was born at<br />
Varanasi, (U.P.), in India. He received<br />
the B. Tech degree in <strong>Computer</strong> Science<br />
& Engineering in 2010 from Radha<br />
Govind Engineering College, Meerut,<br />
India. Presently, he is an M.Tech student<br />
in <strong>Computer</strong> Science & Engineering from Kamla Nehru<br />
Institute <strong>of</strong> <strong>Technology</strong>, Sultanpur, U.P., India.<br />
Dharmendra Lal Gupta is currently<br />
working as an Assistant Pr<strong>of</strong>essor in the<br />
Department <strong>of</strong> <strong>Computer</strong> Science &<br />
Engineering at KNIT, Sultanpur (U.P.)<br />
India. And he is also pursuing his Ph.D.<br />
in <strong>Computer</strong> Science & Engineering<br />
from Mewar University, Chittorgarh (Rajasthan). He<br />
received B.Tech.(1999) from Kamla Nehru Institute <strong>of</strong><br />
<strong>Technology</strong> (KNIT) Sultanpur, in <strong>Computer</strong> Science &<br />
Engineering, M.Tech. Hon’s (2003) in Digital Electronics<br />
<strong>and</strong> Systems from Kamla Nehru Institute <strong>of</strong> <strong>Technology</strong><br />
(KNIT) Sultanpur. His research interests are Cryptography<br />
<strong>and</strong> Network Security, S<strong>of</strong>tware Quality Engineering, <strong>and</strong><br />
S<strong>of</strong>tware Engineering.<br />
Dr. Anil Kumar Malviya is an Associate<br />
Pr<strong>of</strong>essor in the <strong>Computer</strong> Science &<br />
Engineeering. Department at Kamla<br />
Nehru Institute <strong>of</strong> <strong>Technology</strong>, (KNIT),<br />
Sultanpur. He received his B.Sc. &<br />
M.Sc. both in <strong>Computer</strong> Science from<br />
Banaras Hindu University, Varanasi respectively in 1991<br />
<strong>and</strong> 1993 <strong>and</strong> Ph.D. degree in <strong>Computer</strong> Science from<br />
530
Sanjay Kumar Sonkar et al ,Int.J.<strong>Computer</strong> <strong>Technology</strong> & Applications,Vol 3 (2), 525-531<br />
Dr. B.R. Ambedkar University; Agra in 2006.He is Life<br />
Member <strong>of</strong> CSI, India. He has published about 31papers in<br />
<strong>International</strong>/National <strong>Journal</strong>s, conferences <strong>and</strong> seminars.<br />
His research interests are Data mining, S<strong>of</strong>tware<br />
Engineering, Cryptography & Network Security.<br />
ISSN:2229-6093<br />
Ganesh Ch<strong>and</strong>ra was born at Kanpur,<br />
India. He received the B. Tech. Degree<br />
in <strong>Computer</strong> Science <strong>and</strong> Engineering in<br />
2009 from Dr. Ambedkar Institute <strong>of</strong><br />
<strong>Technology</strong> for H<strong>and</strong>icapped, Kanpur,<br />
India. He is currently pursuing M. Tech<br />
in <strong>Computer</strong> Science <strong>and</strong> Engineering<br />
from Kamla Nehru Institute <strong>of</strong> <strong>Technology</strong>, Sultanpur, U.P,<br />
India.<br />
Vinod Kumar Yadav was born in<br />
Jaunpur, India. He received the B.Tech.<br />
Degree in <strong>Computer</strong> Science <strong>and</strong><br />
Information <strong>Technology</strong> in 2008 from<br />
I.E.T., M.J.P. Rohilkh<strong>and</strong> University<br />
Bareilly, India. He is currently pursuing<br />
M.Tech in <strong>Computer</strong> Science <strong>and</strong><br />
Engineering from Kamla Nehru Institute<br />
<strong>of</strong> <strong>Technology</strong>, Sultanpur, U.P., India.<br />
531