Logical Analysis and Verification of Cryptographic Protocols - Loria

More documents

Recommendations

Info

82 CHAPTER 4. PROTOCOLS WITH VULNERABLE SIGNATURE SCHEMES 4.1 Signature schemes 4.1.1 Definition of signature schemes The idea of digital signature first appeared in W. Diffie and M.E. Hellman’s seminal paper [101]. A digital signature of a message is a number dependent on some secret known only to the signer, and, additionally, on the content of the message being signed. Signatures must be verifiable; if a dispute arises as to whether a party signed a document (caused by either a lying signer trying to repudiate a signature it did create, or a fraudulent claimant), an unbiased third party should be able to resolve the matter equitably, without requiring access to the signers secret information (secret key). To this end, each agent A possesses a pair of keys: a public key, pkA and a secret key, skA. The agent A uses his secret key skA to sign messages, and pkA is the key used by the other agents to verify A’s signatures. The secret key of an agent is called signing key, and his public key is called verifying key. Formally, we define a key generation algorithm G to be an algorithm that takes an agent’s name A and a random number as arguments and returns a pair of public and secret keys, respectively denoted by P k(A) and Sk(A), corresponding to that agent. We define a digital signature generation algorithm (or signature generation algorithm), denoted by sig, to be an algorithm that takes a secret key (also called signing key), sk, and a message, m, as inputs, and generates a message, sig(m, sk), representing the digital signature of m using the secret key sk. We define a digital signature verification algorithm (or verification algorithm), denoted by ver, to be an algorithm testing whether a message s is a valid signature of a message m using the public key pk (also called verifying key). Definition 43 (digital signature scheme) A digital signature scheme (or simply a signature scheme) is defined by three algorithms: the signature generation algorithm “sig ′′ , the verification algorithm “ver ′′ , the key generation algorithm “G ′′ . Example 20 (Example of signature schemes) We give here a classical digital signature scheme: the signature scheme proposed by W. Diffie and M. E. Hellman [101]. To create a signature scheme, W. Diffie and M. E. Hellman proposed to use a “trap-door function” f (informally, a “trap-door function” f is a function for which it is easy to evaluate f(x) for any argument x but for which, given only f(x), it is computationally infeasible to find any y with f(y) = f(x) without the secret “trap-door” information). In their signature scheme, an agent A publishes the “trap-door function” f and anyone can validate any A ′ s signature by checking that f(signature) = message. Only the agent A possesses the “trap-door” information allowing him to invert f, and compute a signature y such that f(y) = x where x is the message to sign.
4.1. SIGNATURE SCHEMES 83 4.1.2 Classification of signature schemes There exists two general classes of digital signature schemes, which can be briefly summarised as follows: • Digital signature schemes with appendix require the message that has been signed (also called the original message) as input to the verification algorithm. • Digital signature schemes with message recovery do not require the original message as input to the verification algorithm. In this case, the original message is recovered from the signature itself. In what follows, we make use of A to denote the set of agents, K to denote the set of keys, R to denote a set of numbers, M to denote the message space, that is, the set of messages to which the signature generation algorithm may be applied, and S to denote the signature space, that is the set of messages to which belong the signatures. Digital signature schemes with appendix Digital signature schemes with appendix denote the schemes which require the original message as input to the verification algorithm. Examples of mechanisms providing digital signature schemes with appendix are the DSA [3], El- Gamal [116], and Schnorr [185] signature schemes. We describe below the three algorithms: the signature generation, the verification, and the key generation algorithms. Key generation algorithm. Each agent A creates a pair of keys, a secret key and a correspondant public key. The agent A will use his secret key to sign messages, and his public key will be used by other agents for verifying A ′ s signatures. The key generation algorithm is defined as follows: G : A × R → K ∗ K We remark that the second argument of the function G represents a randomly generated number, the use of this random number allows any agent A to have a different pair of keys for each session, and that using the same key generation function. Furthermore, we remark that the two functions Sk and P k denote the two parts of the key generation algorithm G, and we denote respectively by Sk(A) and P k(A) the secret and public keys of A ∈ A;
Page 1:
Logical Analysis and Verification o
Page 5:
Abstract This thesis is developed i
Page 8 and 9:
viii
Page 10 and 11:
x CONTENTS 2.1.7 Unification . . .
Page 12 and 13:
xii CONTENTS 5.8 Decidability of re
Page 14 and 15:
2 CHAPTER 1. INTRODUCTION Figure 1.
Page 16 and 17:
4 CHAPTER 1. INTRODUCTION Secrecy T
Page 18 and 19:
6 CHAPTER 1. INTRODUCTION “G”.
Page 20 and 21:
8 CHAPTER 1. INTRODUCTION And, a pe
Page 22 and 23:
10 CHAPTER 1. INTRODUCTION intercep
Page 24 and 25:
12 CHAPTER 1. INTRODUCTION Figure 1
Page 26 and 27:
14 CHAPTER 1. INTRODUCTION have bee
Page 28 and 29:
16 CHAPTER 1. INTRODUCTION the orde
Page 30 and 31:
18 CHAPTER 1. INTRODUCTION 1.5.3 Ch
Page 32 and 33:
20 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45: 32 CHAPTER 2. PROTOCOL ANALYSIS USI
Page 70 and 71: 58 CHAPTER 3. PROTOCOLS WITH VULNER
Page 112 and 113: 100 CHAPTER 4. PROTOCOLS WITH VULNE
Page 124 and 125: 112 CHAPTER 5. SATURATED DEDUCTION
Page 144 and 145:
132 CHAPTER 5. SATURATED DEDUCTION
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
Page 152 and 153:
Page 154 and 155:
Page 156 and 157:
Page 158 and 159:
Page 160 and 161:
148 CHAPTER 6. ON THE GROUND ENTAIL
Page 162 and 163:
Page 164 and 165:
Page 166 and 167:
Page 168 and 169:
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 178 and 179:
Page 180 and 181:
Page 182 and 183:
Page 184 and 185:
Page 186 and 187:
Page 188 and 189:
Page 190 and 191:
178 CHAPTER 7. VOTER VERIFIABILITY
Page 192 and 193:
Page 194 and 195:
Page 196 and 197:
Page 198 and 199:
Page 200 and 201:
Page 202 and 203:
Page 204 and 205:
Page 206 and 207:
Page 208 and 209:
Page 210 and 211:
198 CHAPTER 8. CONCLUSION AND PERSP
Page 212 and 213:
200 CHAPTER 8. CONCLUSION AND PERSP
Page 214 and 215:
202 BIBLIOGRAPHY [12] M. Abadi and
Page 216 and 217:
204 BIBLIOGRAPHY [36] M. Bellare, A
Page 218 and 219:
206 BIBLIOGRAPHY [60] U. Hustadt Ch
Page 220 and 221:
208 BIBLIOGRAPHY [83] H. Comon-Lund
Page 222 and 223:
210 BIBLIOGRAPHY [108] B. Donovan,
Page 224 and 225:
212 BIBLIOGRAPHY [132] T. Kohno, A.
Page 226 and 227:
214 BIBLIOGRAPHY [160] J. C. Mitche
Page 228 and 229:
216 BIBLIOGRAPHY [187] H. Seidl and
show all

Logical Analysis and Verification of Cryptographic Protocols - Loria

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?