Results 1-10 of 42
Deciding the security of protocols with Diffie-Hellman exponentiation and products in exponents
2003
Deciding security of protocols against offline guessing attacks
In Proc. 12th ACM Conference on Computer and Communications Security (CCS'05), 2005
Cited by 73 (4 self)
Abstract: We provide an effective procedure for deciding the existence of offline guessing attacks on security protocols, for a bounded number of sessions. The procedure consists of a constraint solving algorithm for determining satisfiability and equivalence of a class of second-order E-unification problems, where the equational theory E is presented by a convergent subterm rewriting system. To the best of our knowledge, this is the first decidability result to use the generic definition of offline guessing attacks due to Corin et al. based on static equivalence in the applied pi calculus.
A survey of algebraic properties used in cryptographic protocols
Journal of Computer Security
Cited by 69 (20 self)
Abstract: Cryptographic protocols are successfully analyzed using formal methods. However, formal approaches usually consider the encryption schemes as black boxes and assume that an adversary cannot learn anything from an encrypted message except if he has the key. Such an assumption is too strong in general, since some attacks exploit in a clever way the interaction between protocol rules and properties of cryptographic operators. Moreover, the executability of some protocols relies explicitly on some algebraic properties of cryptographic primitives such as commutative encryption. We give a list of some relevant algebraic properties of cryptographic operators, and for each of them, we provide examples of protocols or attacks using these properties. We also give an overview of the existing methods in formal approaches for analyzing cryptographic proto
The CL-Atse Protocol Analyser
2006
Cited by 51 (5 self)
Abstract: This paper presents an overview of the CL-Atse tool, an efficient and versatile automatic analyser for the security of cryptographic protocols. CL-Atse takes as input a protocol specified as a set of rewriting rules (IF format, produced by the AVISPA compiler), and uses rewriting and constraint solving techniques to model all reachable states of the participants and decide if an attack exists w.r.t. the Dolev-Yao intruder. Any state-based security property can be modelled (like secrecy, authentication, fairness, etc.), and the algebraic properties of operators like xor or exponentiation are taken into account with far fewer limitations than in other tools, thanks to a complete modular unification algorithm. Useful constraints like typing, inequalities, or shared sets of knowledge (with set operations like removes, negative tests, etc.) can also be analysed.
Symbolic Reachability Analysis Using Narrowing and its Application to Verification of Cryptographic Protocols
Journal of Higher-Order and Symbolic Computation, 2004
Cited by 34 (12 self)
Abstract: Narrowing was introduced, and has traditionally been used, to solve equations in initial and free algebras modulo a set of equations E. This paper proposes a generalization of narrowing which can be used to solve reachability goals in initial and free models of a rewrite theory R. We show that narrowing is sound and weakly complete (i.e., complete for normalized solutions) under reasonable executability assumptions about R. We also show that in general narrowing is not strongly complete, that is, not complete when some solutions can be further rewritten by R. We then identify several large classes of rewrite theories, covering many practical applications, for which narrowing is strongly complete. Finally, we illustrate an application of narrowing to analysis of cryptographic protocols.
Algebraic intruder deductions
In Proceedings of LPAR'05, LNAI 3835, 2005
Cited by 23 (4 self)
Abstract: Many security protocols fundamentally depend on the algebraic properties of cryptographic operators. It is however difficult to handle these properties when formally analyzing protocols, since basic problems like the equality of terms that represent cryptographic messages are undecidable, even for relatively simple algebraic theories. We present a framework for security protocol analysis that can handle algebraic properties of cryptographic operators in a uniform and modular way. Our framework is based on two ideas: the use of modular rewriting to formalize a generalized equational deduction problem for the Dolev-Yao intruder, and the introduction of two parameters that control the complexity of the equational unification problems that arise during protocol analysis by bounding the depth of message terms and the operations that the intruder can perform when analyzing messages. We motivate the different restrictions made in our model by highlighting different ways in which undecidability arises when incorporating algebraic properties of cryptographic operators into formal protocol analysis.
Algebraic properties in Alice and Bob notation
Availability, Reliability and Security, International Conference on, 0:433–440, 2009
Context snippet: "... Some reports are available at ..."
OFMC: A Symbolic Model-Checker for Security Protocols
2004
Cited by 14 (3 self)
Abstract: We present the on-the-fly model-checker OFMC, a tool that combines two ideas for analyzing security protocols based on lazy, demand-driven search. The first is the use of lazy datatypes as a simple way of building efficient on-the-fly model-checkers for protocols with very large, or even infinite, state-spaces. The second is the integration of symbolic techniques and optimizations for modeling a lazy Dolev-Yao intruder, whose actions are generated in a demand-driven way. We present both techniques, along with optimizations and proofs of correctness and completeness. Our tool is state-of-the-art both in terms of coverage and performance. For example, it finds all known attacks and discovers a new one in a test-suite of 38 protocols from the Clark/Jacob library in a few seconds of CPU time for the entire suite. We also give examples demonstrating how our tool scales to, and finds errors in, large industrial-strength protocols.
Generic Insecurity of Cliques-Type Authenticated Group Key Agreement Protocols
In 17th IEEE Computer Security Foundations Workshop (CSFW), 2004
Cited by 13 (0 self)
Abstract: The A-GDH.2 and SA-GDH.2 authenticated group key agreement protocols were shown to be flawed at CSFW 2001. Even though the corresponding attacks (or some variants of them) have been rediscovered in several different frameworks, no fixed version of these protocols has been proposed until now.
Symbolic Analysis of Crypto-Protocols based on Modular Exponentiation
In Proc. of MFCS '03, LNCS 2747, 2003
Cited by 13 (2 self)
Abstract: Automatic methods developed so far for analysis of security protocols only model a limited set of cryptographic primitives (often, only encryption and concatenation) and abstract from low-level features of cryptographic algorithms. This paper is an attempt towards closing this gap. We propose a symbolic technique and a decision method for analysis of protocols based on modular exponentiation, such as Diffie-Hellman key exchange. We introduce a protocol description language along with its semantics. Then, we propose a notion of symbolic execution and, based on it, a verification method. We prove that the method is sound and complete with respect to the language semantics.