Results 1  10
of
26
Automated Analysis of Cryptographic Protocols Using Murphi
, 1997
"... A methodology is presented for using a generalpurpose state enumeration tool, Murphi, to analyze cryptographic and securityrelated protocols. We illustrate the feasibility of the approach by analyzing the NeedhamSchroeder protocol, finding a known bug in a few seconds of computation time, and anal ..."
Abstract

Cited by 263 (23 self)
 Add to MetaCart
A methodology is presented for using a generalpurpose state enumeration tool, Murphi, to analyze cryptographic and securityrelated protocols. We illustrate the feasibility of the approach by analyzing the NeedhamSchroeder protocol, finding a known bug in a few seconds of computation time, and analyzing variants of Kerberos and the faulty TMN protocol used in another comparative study. The efficiency of Murphi allows us to examine multiple runs of relatively short protocols, giving us the ability to detect replay attacks, or errors resulting from confusion between independent execution of a protocol by independent parties.
Delegation Logic: A Logicbased Approach to Distributed Authorization
 ACM Transactions on Information and System Security
, 2000
"... We address the problem of authorization in largescale, open... ..."
Abstract

Cited by 198 (13 self)
 Add to MetaCart
We address the problem of authorization in largescale, open...
A Probabilistic PolyTime Framework for Protocol Analysis
, 1998
"... We develop a framework for analyzing security protocols in which protocol adversaries may be arbitrary probabilistic polynomialtime processes. In this framework, protocols are written in a form of process calculus where security may be expressed in terms of observational equivalence, a standard rel ..."
Abstract

Cited by 114 (7 self)
 Add to MetaCart
We develop a framework for analyzing security protocols in which protocol adversaries may be arbitrary probabilistic polynomialtime processes. In this framework, protocols are written in a form of process calculus where security may be expressed in terms of observational equivalence, a standard relation from programming language theory that involves quantifying over possible environments that might interact with the protocol. Using an asymptotic notion of probabilistic equivalence, we relate observational equivalence to polynomialtime statistical tests and discuss some example protocols to illustrate the potential of this approach.
Kerberos version IV: Inductive analysis of the secrecy goals
 Computer Security — ESORICS 98, LNCS 1485
, 1998
"... Abstract. An operational model of cryptoprotocols is tailored to the detailed analysis of the secrecy goals accomplished by Kerberos Version IV. The model is faithful to the specification of the protocol presented by the MIT technical plan [14] — e.g. timestamping, double session key delivery mech ..."
Abstract

Cited by 73 (27 self)
 Add to MetaCart
Abstract. An operational model of cryptoprotocols is tailored to the detailed analysis of the secrecy goals accomplished by Kerberos Version IV. The model is faithful to the specification of the protocol presented by the MIT technical plan [14] — e.g. timestamping, double session key delivery mechanism are included. It allows an eavesdropper to exploit the shared keys of compromised agents, and admits the accidental loss of expired session keys. Confidentiality is expressed from the viewpoint of each party involved in a protocol run, with particular attention to the assumptions the party relies on. If such assumptions are unrealistic, they highlight weaknesses of the protocol. This is particularly so from the viewpoint of the responder: the model suggests and proves a reasonable correction.
Athena: a new efficient automatic checker for security protocol analysis
 In Proceedings of the Twelth IEEE Computer Security Foundations Workshop
, 1999
"... We propose an efficient automatic checking algorithm, Athena, for analyzing security protocols. Athena incorporates a logic that can express security properties including authentication, secrecy and properties related to electronic commerce. We have developed an automatic procedure for evaluating we ..."
Abstract

Cited by 72 (1 self)
 Add to MetaCart
We propose an efficient automatic checking algorithm, Athena, for analyzing security protocols. Athena incorporates a logic that can express security properties including authentication, secrecy and properties related to electronic commerce. We have developed an automatic procedure for evaluating wellformed formulae in this logic. For a wellformed formula, if the evaluation procedure terminates, it will generate a counterexample if the formula is false, or provide a proof if the formula is true. Even when the procedure does not terminate when we allow any arbitrary configurations of the protocol execution, (for example, any number of initiators and responders), termination could be forced by bounding the number of concurrent protocol runs and the length of messages, as is done in most existing model checkers. Athena also exploits several state space reduction techniques. It is based on an extension of the recently proposed Strand Space Model [25] which captures exact causal relation information. Together with backward search and other techniques, Athena naturally avoids the state space explosion problem commonly caused by asynchronous composition and symmetry redundancy. Athena also has the advantage that it can easily incorporate results from theorem proving through unreachability theorems. By using the unreachability theorems, it can prune the state space at an early stage, hence, reduce the state space explored and increase the likelyhood of termination. As shown in our experiments, these techniques dramatically reduce the state space that needs to be explored.
Multiset Rewriting and the Complexity of Bounded Security Protocols
 Journal of Computer Security
, 2002
"... We formalize the DolevYao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the DolevYao model using this notation, and to analyze the ..."
Abstract

Cited by 56 (5 self)
 Add to MetaCart
We formalize the DolevYao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the DolevYao model using this notation, and to analyze the complexity of the secrecy problem under various restrictions. We prove that, even for the case where we restrict the size of messages and the depth of message encryption, the secrecy problem is undecidable for the case of an unrestricted number of protocol roles and an unbounded number of new nonces. We also identify several decidable classes, including a dexpcomplete class when the number of nonces is restricted, and an npcomplete class when both the number of nonces and the number of roles is restricted. We point out a remaining open complexity problem, and discuss the implications these results have on the general topic of protocol analysis.
Probabilistic PolynomialTime Equivalence and Security Analysis
 IN PROC. WORLD CONGRESS ON FORMAL METHODS, VOLUME 1708 OF LNCS
, 1999
"... We use properties of observational equivalence for a probabilistic process calculus to prove an authentication property of a cryptographic protocol. The process calculus is a form of calculus, with probabilistic scheduling instead of nondeterminism, over a term language that captures probabili ..."
Abstract

Cited by 52 (12 self)
 Add to MetaCart
We use properties of observational equivalence for a probabilistic process calculus to prove an authentication property of a cryptographic protocol. The process calculus is a form of calculus, with probabilistic scheduling instead of nondeterminism, over a term language that captures probabilistic polynomial time. The operational semantics of this calculus gives priority to communication over private channels, so that the presence of private communication does not affect the observable probability of visible actions. Our definition of observational equivalence involves asymptotic comparison of uniform process families, only requiring equivalence to within vanishing error probabilities. This definition differs from previous notions of probabilistic process equivalence that require equal probabilities for corresponding actions; asymptotics fit our intended application and make equivalence transitive, thereby justifying the use of the term "equivalence." Our security proof uses a series of lemmas about probabilistic observational equivalence that may well prove useful for establishing correctness of other cryptographic protocols.
Distributed Authentication in Kerberos Using Public Key Cryptography
 INTERNET SOCIETY 1997 SYMPOSIUM ON NETWORK AND DISTRIBUTED SYSTEM SECURITY
, 1997
"... In this work we describe a method for fully distributed authentication using public key cryptography within the Kerberos ticket framework. By distributing most of the authentication workload away from the trusted intermediary and to the communicating parties, significant enhancements to security and ..."
Abstract

Cited by 28 (2 self)
 Add to MetaCart
In this work we describe a method for fully distributed authentication using public key cryptography within the Kerberos ticket framework. By distributing most of the authentication workload away from the trusted intermediary and to the communicating parties, significant enhancements to security and scalability can be achieved as compared to Kerberos V5. Privacy of Kerberos clients is also enhanced. A working implementation of this extended protocol has been developed, and a migration plan is proposed for a transition from traditional to public key based Kerberos.
Analysis of Security Protocols
 IN CALCULATIONAL SYSTEM DESIGN, SERIES F: COMPUTER AND SYSTEMS SCIENCES
, 1999
"... Several approaches have been developed for analyzing security protocols. Most formal approaches are based on a set of assumptions commonly referred to as the "DolevYao model." In this paper, we use a formalism based on multiset rewriting to describe these modeling assumptions and explain how the ..."
Abstract

Cited by 21 (4 self)
 Add to MetaCart
Several approaches have been developed for analyzing security protocols. Most formal approaches are based on a set of assumptions commonly referred to as the "DolevYao model." In this paper, we use a formalism based on multiset rewriting to describe these modeling assumptions and explain how they are used in protocol analysis.
Trust and Reliance in MultiAgent Systems: A Preliminary Report
 In Proceedings of the 4th European Workshop on Modeling Autonomous Agents in a MultiAgent World
, 1992
"... This paper presents a notion of trust for use in multiagent systems. The role trust can play in various forms of interaction is considered. Trust allows interactions between agents where previously there could be none, and allows the trusting parties to acknowledge that, whilst there is a risk in r ..."
Abstract

Cited by 18 (2 self)
 Add to MetaCart
This paper presents a notion of trust for use in multiagent systems. The role trust can play in various forms of interaction is considered. Trust allows interactions between agents where previously there could be none, and allows the trusting parties to acknowledge that, whilst there is a risk in relationships with potentially malevolent agents, some form of interaction may produce benefits, where no interaction at all may not. In addition, accepting the risk allows the trusting agent to prepare itself for possibly irresponsible or untrustworthy behaviour, thus minimizing the potential damage caused. An introductory notation to refer to trusting relationships is presented and further work is discussed. MAAMAW'92, S. Martino al Cimino, Italy, 1992 1 1 Introduction Why cooperate? With whom? To what extent? And when? Previous work in Distributed Artificial Intelligence (DAI) has concentrated on the first of these questions, with little or no thought given to the others. In particular,...