Results 1-10 of 28
Types and Effects for Asymmetric Cryptographic Protocols
, 2002
Cited by 69 (9 self)
We present the first type and effect system for proving authenticity properties of security protocols based on asymmetric cryptography. The most significant new features of our type system are: (1) a separation of public types (for data possibly sent to the opponent) from tainted types (for data possibly received from the opponent) via a subtype relation; (2) trust effects, to guarantee that tainted data does not, in fact, originate from the opponent; and (3) challenge/response types to support a variety of idioms used to guarantee message freshness. We illustrate the applicability of our system via protocol examples.
Multiset Rewriting and the Complexity of Bounded Security Protocols
 Journal of Computer Security
, 2002
Cited by 56 (5 self)
We formalize the Dolev-Yao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the Dolev-Yao model using this notation, and to analyze the complexity of the secrecy problem under various restrictions. We prove that, even for the case where we restrict the size of messages and the depth of message encryption, the secrecy problem is undecidable for the case of an unrestricted number of protocol roles and an unbounded number of new nonces. We also identify several decidable classes, including a DEXP-complete class when the number of nonces is restricted, and an NP-complete class when both the number of nonces and the number of roles are restricted. We point out a remaining open complexity problem, and discuss the implications these results have on the general topic of protocol analysis.
A Concurrent Logical Framework II: Examples and Applications
, 2002
Cited by 45 (29 self)
CLF is a new logical framework with an intrinsic notion of concurrency. It is designed as a conservative extension of the linear logical framework LLF with the synchronous connectives # of intuitionistic linear logic, encapsulated in a monad. LLF is itself a conservative extension of LF with the asynchronous connectives #.
A Concurrent Logical Framework: The Propositional Fragment
, 2003
Cited by 31 (3 self)
We present the propositional fragment CLF0 of the Concurrent Logical Framework (CLF). CLF extends the Linear Logical Framework to allow the natural representation of concurrent computations in an object language. The underlying type theory uses monadic types to segregate values from computations. This separation leads to a tractable notion of definitional equality that identifies computations differing only in the order of execution of independent steps. From a logical point of view our type theory can be seen as a novel combination of lax logic and dual intuitionistic linear logic. An encoding of a small Petri net exemplifies the representation methodology, which can be summarized as "concurrent computations as monadic expressions".
Breaking and Fixing Public-Key Kerberos
In Proc. WITS'06
, 2006
Cited by 30 (5 self)
We report on a man-in-the-middle attack on PKINIT, the public key extension of the widely deployed Kerberos 5 authentication protocol. This flaw allows an attacker to impersonate Kerberos administrative principals (KDC) and end-servers to a client, hence breaching the authentication guarantees of Kerberos. It also gives the attacker the keys that the KDC would normally generate to encrypt the service requests of this client, hence defeating confidentiality as well. The discovery of this attack caused the IETF to change the specification of PKINIT and Microsoft to release a security update for some Windows operating systems. We
A Formal Analysis of Some Properties of Kerberos 5 Using MSR
, 2004
Cited by 22 (10 self)
We give three formalizations of the Kerberos 5 authentication protocol in the MultiSet Rewriting (MSR) formalism. One is a high-level formalization containing just enough detail to prove authentication and confidentiality properties of the protocol. A second formalization refines this by adding a variety of protocol options; we similarly refine proofs of properties in the first formalization to prove properties of the second formalization. Our third formalization adds timestamps to the first formalization but has not been analyzed extensively. The various proofs make use of rank and corank functions, inspired by work of Schneider in CSP, and provide examples of reasoning about real-world protocols in MSR. We also note some potentially curious protocol behavior; given our positive results, this
The Dolev-Yao Intruder is the Most Powerful Attacker
Proceedings of the Sixteenth Annual Symposium on Logic in Computer Science, LICS'01
, 2001
Cited by 22 (1 self)
Most systems designed for the verification of security protocols operate under the unproved assumption that an attack can only result from the combination of a fixed number of message transformations, which altogether constitute the capabilities of the so-called Dolev-Yao intruder. In this paper, we prove that the Dolev-Yao intruder can indeed emulate the actions of an arbitrary adversary. In order to do so, we extend MSR, a flexible specification framework for security protocols based on typed multiset rewriting, with a static check called access control, aimed at catching specification errors such as a principal trying to use a key that she is not entitled to access. Cryptographic protocols are increasingly used to secure transactions over the Internet and protect access to computer systems. Their design and analysis are notoriously complex and error-prone. Sources of difficulty include subtleties in the cryptographic primitives they rely on, and their deployment in distributed envi...
A Specification Language for Crypto-Protocols based on Multiset Rewriting, Dependent Types and Subsorting
, 2001
Cited by 19 (10 self)
MSR is an unambiguous, flexible, powerful and relatively simple specification framework for crypto-protocols. It uses multiset rewriting rules over first-order atomic formulas to express protocol actions and relies on a form of existential quantification to symbolically model the generation of nonces and other fresh data. It supports an array of useful static checks that include type-checking and data access verification. In this paper, we give a detailed presentation of the typing infrastructure of MSR, which is based on the theory of dependent types with subsorting. We prove that type-checking protocol specifications is decidable and show that execution preserves well-typing. We illustrate these features by formalizing a well-known protocol in MSR.
Formal Analysis of Kerberos 5
Theor. Comp. Sci., Special
, 2006
Cited by 15 (3 self)
We report on the detailed verification of a substantial portion of the Kerberos 5 protocol specification. Because it targeted a deployed protocol rather than an academic abstraction, this multi-year effort led to the development of new analysis methods in order to manage the inherent complexity. This enabled proving that Kerberos supports the expected authentication and confidentiality properties, and that it is structurally sound; these results rely on a pair of intertwined inductions. Our work also detected a number of innocuous but nonetheless unexpected behaviors, and it clearly described how vulnerable the cross-realm authentication support of Kerberos is to the compromise of remote administrative domains.
Pattern-Matching Spi-Calculus
In Formal Aspects in Security and Trust
, 2004
Cited by 14 (0 self)
Cryptographic protocols often make use of nested cryptographic primitives, for example signed message digests, or encrypted signed messages. Gordon and Jeffrey's prior work on types for authenticity did not allow for such nested cryptography. In this work, we present the pattern-matching spi-calculus, which is an obvious extension of the spi-calculus to include pattern-matching as primitive. The novelty of the language is in the accompanying type system, which uses the same language of patterns to describe complex data dependencies which cannot be described using prior type systems. We show that any appropriately typed process is guaranteed to satisfy a strong robust safety property.