Stig Fr. Mjølsnes

A framework for compositional verification of security protocols

Automatic security protocol analysis is currently feasible only for small protocols. Since larger protocols quite often are composed of many small protocols, compositional analysis is an attractive, but non-trivial approach. We have developed a framework for compositional analysis of a large class of security protocols. The framework is intended to facilitate automatic as well as manual verification of large structured security protocols. Our approach is to verify properties of component protocols in a multi-protocol environment, then deduce properties about the composed protocol. To reduce the complexity of multi-protocol verification, we introduce a notion of protocol independence and prove a number of theorems that enable analysis of independent component protocols in isolation. To illustrate the applicability of our framework to real-world protocols, we study a key establishment sequence in WiMAX consisting of three subprotocols. Except for a small amount of trivial reasoning, the analysis is done using automatic tools.

An Improved Attack on TKIP

Beck and Tews described the first practical cryptographic attack on IEEE 802.11i TKIP in November 2008, and this paper continues this line of protocol cryptanalysis. We show that their attack on TKIP can be used to create an ARP poisoning attack and a cryptographic DoS attack. Moreover, we are able to decrypt DHCP ACK packets, which are over 12 times longer than the ARP packet used by Beck and Tews. Our method of analysis recovers 596 bytes of keystream that can be used in new attacks on other control protocol messages.

A formal analysis of IEEE 802.11w deadlock vulnerabilities

Formal methods can be used to discover obscure denial of service (DoS) vulnerabilities in wireless network protocols. The application of formal methods to the analysis of DoS vulnerabilities in communication protocols is not a mature research area. Although several formal models have been proposed, they lack a clear and convincing demonstration of their usefulness and practicality. This paper bridges the gap between theory and practice, and shows how a simple protocol model can be used to discover protocol deadlock vulnerabilities. A deadlock vulnerability is the most severe form of DoS vulnerabilities, thus checking for deadlock vulnerabilities is an essential part of robust protocol design. We demonstrate the usefulness of the proposed method through the discovery and experimental validation of deadlock vulnerabilities in the published IEEE 802.11w amendment to the 802.11 standard. We present the complete procedure of our approach, from model construction to verification and validation. An Appendix includes the complete model source code, which facilitates the replication and extension of our results. The source code can also be used as a template for modeling other protocols.

Security Requirements for Internet Voting Systems

Voters cast their ballots to election officials over Internet in an Internet voting system. Eligibility of the voter, confidentiality and integrity of the ballot, privacy of the voter and the ballot, validity of the ballot, verifiability of the counting process, availability of the voting components, robustness of the voting system, receipt-freeness, and coercion-resistance are the main information security requirements for an Internet voting system. Besides these requirements, completeness of the counting process, soundness of the counting process, unreuseability of ballot in the counting process, and fairness of the counting process are also important for a practical Internet voting system. This paper gives an overview of these basic and expanded information security requirements for a secure and functional Internet voting system.

PEVS: A Secure Electronic Voting Scheme Using Polling Booths

We present a Polling booth based Electronic Voting Scheme (PEVS) that allows eligible voters to cast their ballots inside polling booths. The ballot cast by a voter is inalterable and non-reusable. The scheme ensures vote-privacy since there is no link between the voter and the keys used for voting. A voter computer inside the booth performs the cryptographic task to construct the ballot to provide receipt-freeness. The scheme is coercion-resistant and modeled to fend off forced-abstention attacks, simulation attacks or randomization attacks. In addition, the scheme is both voter and universal verifiable. We formally analyze soundness (the eligibility of the voter, inalterability and non-reusability of the ballot), vote-privacy, receipt-freeness, and coercion-resistance in PEVS using the ProVerif tool. The analysis shows that PEVS satisfies these required properties. PEVS is the first polling booth based electronic voting scheme that satisfies all the requirements listed.

A secure internet voting scheme

We describe information security requirements for a secure and functional Internet voting scheme. Then we present the voting scheme with multiple parties; this voting scheme satisfies all these security requirements. In this scheme, the voter gets a signed key from the registrar, where the registrar signs the key as blinded. The voter uses this signed key during the voting period. All other parties can verify this signature without knowing the identity of the voter, hence the scheme provides privacy of the voter. This voting scheme also satisfies voter verifiability and public verifiability. In addition, the scheme is receipt-free.

A Survey on Trust and Privacy Negotiability in the Norwegian Mobile Telecom Market

We investigate, by method of statistical survey, peoples attitudes toward privacy, trust and personal information sharing in the context of price discrimination effects in the mobile telecom market, by asking a selection of 546 individuals, a sample size that is sufficient to be representative for the Norwegian mobile market of consumers. Common wisdom tells that people value their privacy, but not much facts have been collected about how much people value privacy, say, as consumers of specific services in the mobile market. Moreover, it is reasonable to expect that individuals will differ in their negotiability of personal information vs price of service. In this study, we measure a strong privacy negotiability correlated to age and income, thus confirming common intuition about this. We find that technically assuring anonymity of service will significantly affect and facilitate the users willingness to release personal information to the service provider, in particular with respect to information about specific buying preferences and frequent travel destinations. Somewhat surprising, a practice of targeted advertisement in exchange for lower mobile service price is acceptable to about half the population.

Public Key Infrastructure

Invited Talk.- New PKI Protocols Using Tamper Resistant Hardware.- Certificates.- Validation Algorithms for a Secure Internet Routing PKI.- Instant Revocation.- Optimized Certificates - A New Proposal for Efficient Electronic Document Signature Validation.- Authentication.- An Efficient and Provable Secure Identity-Based Identification Scheme in the Standard Model.- Trust-Rated Authentication for Domain-Structured Distributed Systems.- Levels of Assurance and Reauthentication in Federated Environments.- Practice.- Current Status of Japanese Government PKI Systems.- A Privacy-Preserving eHealth Protocol Compliant with the Belgian Healthcare System.- Signatures.- Fast Point Decompression for Standard Elliptic Curves.- An Efficient Strong Key-Insulated Signature Scheme and Its Application.- Efficient Generic Forward-Secure Signatures and Proxy Signatures.- Analysis.- Fault Attacks on Public Key Elements: Application to DLP-Based Schemes.- Weaknesses in BankID, a PKI-Substitute Deployed by Norwegian Banks.- Networks.- An Open Mobile Identity Tool: An Architecture for Mobile Identity Management.- PEACHES and Peers.