DeepAI AI Chat
Log In Sign Up

Formal verification of the YubiKey and YubiHSM APIs in Maude-NPA

In this paper, we perform an automated analysis of two devices developed by Yubico: YubiKey, designed to authenticate a user to network-based services, and YubiHSM, Yubicos hardware security module. Both are analyzed using the Maude-NPA cryptographic protocol analyzer. Although previous work has been done applying automated tools to these devices, to the best of our knowledge there has been no completely automated analysis to date. This is not surprising, because both YubiKey and YubiHSM, which make use of cryptographic APIs, involve a number of complex features: (i) discrete time in the form of Lamport clocks, (ii) a mutable memory for storing previously seen keys or nonces, (iii) event-based properties that require an analysis of sequences of actions, and (iv) reasoning modulo exclusive-or. In this work, we have been able to both prove properties of YubiKey and find the known attacks on the YubiHSM, in a completely automated way beyond the capabilities of previous work in the literature.

READ FULL TEXT

page 1

page 2

page 3

page 4

12/05/2020

Automated Symbolic Verification of Telegram's MTProto 2.0

MTProto 2.0 is a suite of cryptographic protocols for instant messaging ...
04/23/2018

Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials

Personal cryptographic keys are the foundation of many secure services, ...
06/23/2021

On the Differential Cryptanalysis of SEPAR Cipher

SEPAR is a lightweight cryptographic algorithm, designed to implement on...
01/17/2023

Analysis and Improvements of the Sender Keys Protocol for Group Messaging

Messaging between two parties and in the group setting has enjoyed wides...
07/05/2018

FocusST Solution for Analysis of Cryptographic Properties

To analyse cryptographic properties of distributed systems in a systemat...
12/15/2021

Do You See What I See? Capabilities and Limits of Automated Multimedia Content Analysis

The ever-increasing amount of user-generated content online has led, in ...