 * but nevertheless permitting
 * this operation, we model a scenario where
 * YSM_AEAD_GENERATE can be safely used to guarantee
 * the operation, but not by the attacker. This
 * corresponds to a setup where Yubikey initialisation
 * takes place on a different server, or a setup where
 * the initialisation takes place before the server is
 * plugged into the network. Uncomment the following
 * line to require the HSM to have the
 * YSM_AEAD_GENERATE flag set:
 * YSM_AEAD_GENERATE(kh),
 */
  Fr(~k2), Fr(~pid), Fr(~sid), !HSM(kh,~k), !Succ(zero,

let ks   = keystream(kh,pid)
    aead = <xor(senc(ks,k),<k2,sid>), mac(<k2,sid>,k)>
in
[ In(<pid,nonce,senc(<sid,tc,~pr>, k2)>), !HSM(kh,k), !S_AEAD(pid,aead),
  S_Counter(pid,otc), !S_sid(pid,sid), !Smaller
Deciding Knowledge in Security Protocols Under Equational Theories. Automata, Languages and Programming (ICALP), pp.46-58, 2004. URL: https://hal.archives-ouvertes.fr/inria-00000554
Mobile values, new names, and secure communication. Principles of Programming Languages (POPL), pp.104-115, 2001. URL: https://hal.archives-ouvertes.fr/hal-01423924
Security Engineering: A Guide to Building Dependable Distributed Systems, 2001.
Low Cost Attacks on Tamper Resistant Devices. International Workshop on Security Protocols, pp.125-136, 1998.
StatVerif: Verification of Stateful Processes. IEEE Computer Security Foundations Symposium (CSF), pp.33-47, 2011.
The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications. Computer Aided Verification (CAV), pp.281-285, 2005. DOI: 10.1007/11513988_27. URL: https://hal.archives-ouvertes.fr/inria-00000408
Formal analysis of SAML 2.0 web browser single sign-on. Proceedings of the 6th ACM Workshop on Formal Methods in Security Engineering (FMSE '08), pp.1-10, 2008. DOI: 10.1145/1456396.1456397
How to Break and Repair a Universally Composable Signature Functionality, pp.61-72, 2004. DOI: 10.1007/978-3-540-30144-8_6
Dynamic measurement and protected execution: model and analysis. Trustworthy Global Computing, 2013.
A concrete security treatment of symmetric encryption. Proceedings of the 38th Annual Symposium on Foundations of Computer Science (FOCS), pp.394-403, 1997. DOI: 10.1109/SFCS.1997.646128
Relating multiset rewriting and process algebras for security protocol analysis. Journal of Computer Security 13(1), pp.3-47, 2005. DOI: 10.3233/JCS-2005-13102
Increased security for Yubikey, 2009.
Yubikey Security Weaknesses, 2009.
An efficient cryptographic protocol verifier based on Prolog rules. Proceedings of the 14th IEEE Computer Security Foundations Workshop (CSFW), pp.82-96, 2001. DOI: 10.1109/CSFW.2001.930138. URL: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.14.5150
Automated Verification of Selected Equivalences for Security Protocols. 20th Annual IEEE Symposium on Logic in Computer Science (LICS '05), 2005; journal version in Journal of Logic and Algebraic Programming 75(1), pp.3-51, 2008. DOI: 10.1109/LICS.2005.8
Automatic Verification of Protocols with Lists of Unbounded Length (long version). To appear at CCS '13, 2013. URL: https://sites.google.com/site
API-level attacks on embedded systems. IEEE Computer 34(10), pp.67-75, 2001. DOI: 10.1109/2.955101
Decimalisation table attacks for PIN cracking, 2003.
The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. 2012 IEEE Symposium on Security and Privacy, 2012. DOI: 10.1109/SP.2012.44
Attacking and fixing PKCS#11 security tokens. Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10), pp.260-269, 2010. DOI: 10.1145/1866307.1866337
A Secure Cryptographic Token Interface. 22nd IEEE Computer Security Foundations Symposium (CSF), pp.141-153, 2009. DOI: 10.1109/CSF.2009.7
Universally composable security: a new paradigm for cryptographic protocols. 42nd IEEE Symposium on Foundations of Computer Science (FOCS 2001), pp.136-145, 2001. DOI: 10.1109/SFCS.2001.959888
Universally composable signature, certification, and authentication. 17th IEEE Computer Security Foundations Workshop (CSFW), pp.219-233, 2004. DOI: 10.1109/CSFW.2004.1310743. URL: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.79.4596
Universal Composition with Joint State. Advances in Cryptology (CRYPTO 2003), pp.265-281, 2003. DOI: 10.1007/978-3-540-45146-4_16
Proving More Observational Equivalences with ProVerif. Principles of Security and Trust (POST), pp.226-246, 2013. DOI: 10.1007/978-3-642-36830-1_12. URL: https://hal.archives-ouvertes.fr/hal-00863377
On the Security of PKCS #11. International Workshop on Cryptographic Hardware and Embedded Systems (CHES), pp.411-425, 2003. DOI: 10.1007/978-3-540-45238-6_32
Introduction to Logic, 1982.
Automatic Analysis of the Security of XOR-Based Key Management Schemes. Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pp.538-552, 2007. DOI: 10.1007/978-3-540-71209-1_42. URL: https://hal.archives-ouvertes.fr/inria-00181616
A Generic Security API for Symmetric Key Management on Cryptographic Devices. European Symposium on Research in Computer Security (ESORICS), pp.605-620, 2009. URL: https://hal.archives-ouvertes.fr/hal-00881072
Revoke and let live. Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS '12), pp.918-928, 2012. DOI: 10.1145/2382196.2382293. URL: https://hal.archives-ouvertes.fr/hal-00732902
A Secure Key Management Interface with Asymmetric Cryptography. Principles of Security and Trust (POST), 2014. DOI: 10.1007/978-3-642-54792-8_4. URL: https://hal.archives-ouvertes.fr/hal-00805987
A Formal Analysis of Authentication in the TPM. Formal Aspects in Security and Trust (FAST), pp.111-125, 2010.
Formal Analysis of Protocols Based on TPM State Registers. 24th IEEE Computer Security Foundations Symposium (CSF), pp.66-82, 2011. DOI: 10.1109/CSF.2011.12. URL: https://hal.archives-ouvertes.fr/inria-00636747
Formal security analysis of PKCS#11 and proprietary extensions. Journal of Computer Security 18(6), pp.1211-1245, 2010. DOI: 10.3233/JCS-2009-0394
Protocol Specification and Analysis in Maude. Workshop on Formal Methods and Security Protocols, 1998.
Searching for Shapes in Cryptographic Protocols. Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pp.523-537, 2007. The Cryptographic Protocol Shapes Analyzer is available at http
On the security of public key protocols. IEEE Transactions on Information Theory 29(2), pp.198-207, 1983.
Undecidability of Bounded Security Protocols. Workshop on Formal Methods and Security Protocols, 1999.
Maude-NPA: Cryptographic Protocol Analysis Modulo Equational Properties. Foundations of Security Analysis and Design (FOSAD), pp.1-50, 2009. DOI: 10.1007/s10990-007-9000-6. URL: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.226.3197
Eurosmart General Assembly Confirms Strong Growth. Accessed 2013.
Reasoning with Past to Prove PKCS#11 Keys Secure. Formal Aspects in Security and Trust (FAST), LNCS 6561, pp.96-110, 2010.
Analysing PKCS#11 Key Management APIs with Unbounded Fresh Data, pp.92-106, 2009. DOI: 10.1007/978-3-642-03459-6_7
Abuse-Free Optimistic Contract Signing. Advances in Cryptology (CRYPTO '99), pp.449-466, 1999. DOI: 10.1007/3-540-48405-1_29. URL: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.118.4142
State and Progress in Strand Spaces: Proving Fair Exchange. Journal of Automated Reasoning 48(2), pp.159-195, 2012. DOI: 10.1007/s10817-010-9202-1
YubiHSM login helper program. Accessed 2013.
Applying protocol analysis to security device interfaces. IEEE Security & Privacy 4(4), pp.84-87, 2006. DOI: 10.1109/MSP.2006.85
Possibility and impossibility results for selective decommitments. Cryptology ePrint Archive, 2008.
GNUC: A New Universal Composability Framework. Cryptology ePrint Archive, 2011.
An Introduction to Logic, 1916.
Principles of Logic, 1949.
On The RSA SecurID Compromise, 2011.
Universally Composable Key-Management. European Symposium on Research in Computer Security (ESORICS), pp.327-344, 2013. DOI: 10.1007/978-3-642-40203-6_19. URL: https://hal.archives-ouvertes.fr/hal-00878632
Security for Key Management Interfaces. 24th IEEE Computer Security Foundations Symposium (CSF), 2011. DOI: 10.1109/CSF.2011.25. URL: https://hal.archives-ouvertes.fr/inria-00636734
Source files and proofs for the analysis of the Yubikey protocol, 2013.
YubiSecure? Formal Security Analysis Results for the Yubikey and YubiHSM. Security and Trust Management (STM), pp.257-272, 2012. DOI: 10.1007/978-3-642-38004-4_17
Ideal Key Derivation and Encryption in Simulation-Based Security. Topics in Cryptology (CT-RSA), pp.161-179, 2011.
Joint State Theorems for Public-Key Encryption and Digital Signature Functionalities with Local Computation. 21st IEEE Computer Security Foundations Symposium (CSF), pp.270-284, 2008.
The IITM Model: a Simple and Expressive Model for Universal Composability, 2013.
An automatic search for security flaws in key management schemes. Computers & Security 11(1), pp.75-89, 1992. DOI: 10.1016/0167-4048(92)90222-D
An attack on the Needham-Schroeder public-key authentication protocol. Information Processing Letters 56(3), pp.131-133, 1995. DOI: 10.1016/0020-0190(95)00144-2. URL: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.21.7797
Breaking and fixing the Needham-Schroeder Public-Key Protocol using FDR. Tools and Algorithms for the Construction and Analysis of Systems (TACAS), pp.147-166, 1996. DOI: 10.1007/3-540-61042-1_43
Abstract Cryptography. Innovations in Computer Science (ICS), pp.1-21, 2011.
Formal Analysis of Key-Exchange Protocols and Physical Protocols, 2013.
Simple security device (Example 1 from [5]). Available in the example/ directory of the Tamarin distribution, 2012. URL: https://github.com/tamarin-prover/tamarin-prover. Accessed 2013.
The keyserver example from [74], 2012. URL: https://github.com/tamarin-prover/tamarin-prover/blob. Accessed 2013.
The TESLA protocol, scheme 1 and 2. Available in the example/ directory of the Tamarin distribution, 2012. URL: https://github.com/tamarin-prover/tamarin-prover/blob. Accessed 2013.
Strong Invariants for the Efficient Construction of Machine-Checked Protocol Security Proofs. 23rd IEEE Computer Security Foundations Symposium (CSF), pp.231-245, 2010. DOI: 10.1109/CSF.2010.23
Abstraction by set-membership: verifying security protocols and web services with databases. ACM Conference on Computer and Communications Security (CCS '10), pp.351-360, 2010.
Side-Channel Attacks on the Yubikey 2 One-Time Password Generator. Research in Attacks, Intrusions and Defenses (RAID), 2013. DOI: 10.1007/978-3-642-41284-4_11
Comparing the Expressive Power of the Synchronous and the Asynchronous pi-calculi. Mathematical Structures in Computer Science 13(5), pp.685-719, 2003. URL: https://hal.archives-ouvertes.fr/inria-00201104
Efficient authentication and signing of multicast streams over lossy channels. Proceedings of the 2000 IEEE Symposium on Security and Privacy, pp.56-73, 2000. DOI: 10.1109/SECPRI.2000.848446
Formally based semi-automatic implementation of an open security protocol. Journal of Systems and Software, pp.835-849, 2012. DOI: 10.1016/j.jss.2011.10.052. URL: https://hal.archives-ouvertes.fr/hal-00863391
Provably correct Java implementations of Spi Calculus security protocol specifications. Computers & Security 29(3), pp.302-314, 2010. DOI: 10.1016/j.cose.2009.08.001
PKCS #11: Cryptographic Token Interface Standard, 2004.
Deliverable 2.3: The Intermediate Format, 2003.
Simulation-Based Security with Inexhaustible Interactive Turing Machines. 19th IEEE Computer Security Foundations Workshop (CSFW '06), pp.309-320, 2006. DOI: 10.1109/CSFW.2006.30
Reducing Protocol Analysis with XOR to the XOR-free Case in the Horn Theory Based Approach. Journal of Automated Reasoning 46(3-4), pp.325-352, 2011.
Deterministic Authenticated Encryption: A Provable-Security Treatment of the Key-Wrap Problem. Advances in Cryptology (EUROCRYPT 2006), 2006.
Introduction to the TPM 1.2. Technical report, 2009.
Formal Analysis of Key-Exchange Protocols and Physical Protocols, 2012.
Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties. 25th IEEE Computer Security Foundations Symposium (CSF), pp.78-94, 2012. DOI: 10.1109/CSF.2012.25
The TAMARIN Prover for the Symbolic Analysis of Security Protocols. Computer Aided Verification (CAV), pp.696-701, 2013.
Internet Engineering Task Force, 2003.
Strand Spaces: Why is a Security Protocol Correct? IEEE Symposium on Security and Privacy, pp.160-171, 1998.
Formal Analysis of Yubikey. Master's thesis, École normale supérieure de Cachan, 2011.
Combining Superposition, Sorts and Splitting. Handbook of Automated Reasoning, pp.1965-2013, 2001. DOI: 10.1016/B978-044450813-3/50029-1. URL: http://hdl.handle.net/11858/00-001M-0000-000F-31F3-8
Towards an Automatic Analysis of Security Protocols in First-Order Logic. Automated Deduction (CADE), LNCS 1632, pp.314-328, 1999. DOI: 10.1007/3-540-48660-7_29
Counter with CBC-MAC (CCM). RFC 3610 (Informational), Internet Engineering Task Force, 2003.
Department of Defence: Moving from legacy authentication to Yubico technology and best practice security processes. Accessed 2013.
Yubico customer list. Accessed 2013.
YubiKey Security Evaluation: Discussion of security properties and best practices, v2.0, 2009.