Results 1 
8 of
8
Combining Intruder Theories
 In Proceedings of the 32nd International Colloquium on Automata, Languages and Programming (ICALP’05), volume 3580 of LNCS
, 2005
"... Abstract. Most of the decision procedures for symbolic analysis of protocols are limited to a fixed set of algebraic operators associated with a fixed intruder theory. Examples of such sets of operators comprise XOR, multiplication/exponentiation, abstract encryption/decryption. In this paper we giv ..."
Abstract

Cited by 19 (3 self)
 Add to MetaCart
Abstract. Most of the decision procedures for symbolic analysis of protocols are limited to a fixed set of algebraic operators associated with a fixed intruder theory. Examples of such sets of operators comprise XOR, multiplication/exponentiation, abstract encryption/decryption. In this paper we give an algorithm for combining decision procedures for arbitrary intruder theories with disjoint sets of operators, provided that solvability of ordered intruder constraints, a slight generalization of intruder constraints, can be decided in each theory. This is the case for most of the intruder theories for which a decision procedure has been given. In particular our result allows us to decide tracebased security properties of protocols that employ any combination of the above mentioned operators with a bounded number of sessions. 1
A method for symbolic analysis of security protocols
 , Theoretical Computer Science
, 2005
"... In security protocols, message exchange between the intruder and honest participants induces a form of state explosion which makes protocol models infinite. We propose a general method for automatic analysis of security protocols based on the notion of frame, essentially a rewrite system plus a se ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
In security protocols, message exchange between the intruder and honest participants induces a form of state explosion which makes protocol models infinite. We propose a general method for automatic analysis of security protocols based on the notion of frame, essentially a rewrite system plus a set of distinguished terms called messages. Frames are intended to model generic cryptosystems. Based on frames, we introduce a process language akin to Abadi and Fournet’s applied pi. For this language, we define a symbolic operational semantics that relies on unification and provides finite and effective protocol models. Next, we give a method to carry out trace analysis directly on the symbolic model. We spell out a regularity condition on the underlying frame, which guarantees completeness of our method for the considered class of properties, including secrecy and various forms of authentication. We show how to instantiate our method to some of the most common cryptosystems, including shared and publickey encryption, hashing and DiffieHellman key exchange.
Symbolic Protocol Analysis for DiffieHellman
"... Abstract. We extend symbolic protocol analysis to apply to protocols using DiffieHellman operations. DiffieHellman operations act on a cyclic group of prime order, together with an exponentiation operator. The exponents form a finite field. This rich algebraic structure has resisting previous symb ..."
Abstract

Cited by 1 (1 self)
 Add to MetaCart
Abstract. We extend symbolic protocol analysis to apply to protocols using DiffieHellman operations. DiffieHellman operations act on a cyclic group of prime order, together with an exponentiation operator. The exponents form a finite field. This rich algebraic structure has resisting previous symbolic approaches. We work in an algebra defined by the normal forms of a rewriting theory (modulo associativity and commutativity). These normal forms allow us to define our crucial notion of indicator, a vector of integers that summarizes how many times each secret exponent appears in a message. We prove that the adversary can never construct a message with a new indicator in our adversary model. Using this invariant, we prove the main security goals achieved by several different protocols that use DiffieHellman operators in subtle ways. We also give a modeltheoretic justification of our rewriting theory: the theory proves all equations that are uniformly true as the order of the cyclic group varies. 1
An Algebra for Symbolic DiffieHellman Protocol Analysis
"... Abstract. We study the algebra underlying symbolic protocol analysis for protocols using DiffieHellman operations. DiffieHellman operations act on a cyclic group of prime order, together with an exponentiation operator. The exponents form a finite field: this rich algebraic structure has resisted ..."
Abstract
 Add to MetaCart
Abstract. We study the algebra underlying symbolic protocol analysis for protocols using DiffieHellman operations. DiffieHellman operations act on a cyclic group of prime order, together with an exponentiation operator. The exponents form a finite field: this rich algebraic structure has resisted previous symbolic approaches. We define an algebra that validates precisely the equations that hold almost always as the order of the cyclic group varies. We realize this algebra as the set of normal forms of a particular rewriting theory. The normal forms allow us to define our crucial notion of indicator, a vector of integers that summarizes how many times each secret exponent appears in a message. We prove that the adversary can never construct a message with a new indicator in our adversary model. Using this invariant, we prove the main security goals achieved by UM, a protocol using DiffieHellman for implicit authentication. Despite vigorous research in symbolic analysis of security protocols, many
Rank Functions Based Inference System for Group Key Management Protocols Verification
, 2007
"... Design and verification of cryptographic protocols has been under investigation for quite sometime. However, most of the attention has been paid for two parties protocols. In group key management and distribution protocols, keys are computed dynamically through cooperation of all protocol participan ..."
Abstract
 Add to MetaCart
Design and verification of cryptographic protocols has been under investigation for quite sometime. However, most of the attention has been paid for two parties protocols. In group key management and distribution protocols, keys are computed dynamically through cooperation of all protocol participants. Therefore regular approaches for two parties protocols verification cannot be applied on group key protocols. In this paper, we present a framework for formally verifying of group key management and distribution protocols based on the concept of rank functions. We define a class of rank functions that satisfy specific requirements and prove the soundness of these rank functions. Based on the set of sound rank functions, we provide a sound and complete inference system to detect attacks in group key management protocols. The inference system provides an elegant and natural proof strategy for such protocols compared to existing approaches. The above formalizations and rank theorems were implemented using the Prototype Verification System (PVS) theorem prover. We illustrate our approach by applying the inference system on a generic DiffieHellman group protocol and prove it in PVS.
Security protocols analyzed symbolically
, 2003
"... In the field of security protocol analysis, a class of automated methods relies upon the use of symbolic techniques. We illustrate this approach by focusing on one such method. We outline the underlying protocol model, the concept of symbolic execution and the resulting verification method. We then ..."
Abstract
 Add to MetaCart
In the field of security protocol analysis, a class of automated methods relies upon the use of symbolic techniques. We illustrate this approach by focusing on one such method. We outline the underlying protocol model, the concept of symbolic execution and the resulting verification method. We then discuss the benefits of the symbolic approach when contrasted with traditional methods baded on finitestate modelchecking.