Results 1  10
of
45
Types and Effects for Asymmetric Cryptographic Protocols
, 2002
"... We present the first type and effect system for proving authenticity properties of security protocols based on asymmetric cryptography. The most significant new features of our type system are: (1) a separation of public types (for data possibly sent to the opponent) from tainted types (for data pos ..."
Abstract

Cited by 84 (10 self)
 Add to MetaCart
We present the first type and effect system for proving authenticity properties of security protocols based on asymmetric cryptography. The most significant new features of our type system are: (1) a separation of public types (for data possibly sent to the opponent) from tainted types (for data possibly received from the opponent) via a subtype relation; (2) trust effects, to guarantee that tainted data does not, in fact, originate from the opponent; and (3) challenge/response types to support a variety of idioms used to guarantee message freshness. We illustrate the applicability of our system via protocol examples.
Multiset Rewriting and the Complexity of Bounded Security Protocols
 Journal of Computer Security
, 2002
"... We formalize the DolevYao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the DolevYao model using this notation, and to analyze the ..."
Abstract

Cited by 74 (9 self)
 Add to MetaCart
(Show Context)
We formalize the DolevYao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the DolevYao model using this notation, and to analyze the complexity of the secrecy problem under various restrictions. We prove that, even for the case where we restrict the size of messages and the depth of message encryption, the secrecy problem is undecidable for the case of an unrestricted number of protocol roles and an unbounded number of new nonces. We also identify several decidable classes, including a dexpcomplete class when the number of nonces is restricted, and an npcomplete class when both the number of nonces and the number of roles is restricted. We point out a remaining open complexity problem, and discuss the implications these results have on the general topic of protocol analysis.
A Concurrent Logical Framework II: Examples and Applications
, 2002
"... CLF is a new logical framework with an intrinsic notion of concurrency. It is designed as a conservative extension of the linear logical framework LLF with the synchronous connectives # of intuitionistic linear logic, encapsulated in a monad. LLF is itself a conservative extension of LF with the ..."
Abstract

Cited by 59 (35 self)
 Add to MetaCart
CLF is a new logical framework with an intrinsic notion of concurrency. It is designed as a conservative extension of the linear logical framework LLF with the synchronous connectives # of intuitionistic linear logic, encapsulated in a monad. LLF is itself a conservative extension of LF with the asynchronous connectives #.
Breaking and Fixing PublicKey Kerberos
 IN PROC. WITS’06
, 2006
"... We report on a maninthemiddle attack on PKINIT, the public key extension of the widely deployed Kerberos 5 authentication protocol. This flaw allows an attacker to impersonate Kerberos administrative principals (KDC) and endservers to a client, hence breaching the authentication guarantees o ..."
Abstract

Cited by 37 (6 self)
 Add to MetaCart
(Show Context)
We report on a maninthemiddle attack on PKINIT, the public key extension of the widely deployed Kerberos 5 authentication protocol. This flaw allows an attacker to impersonate Kerberos administrative principals (KDC) and endservers to a client, hence breaching the authentication guarantees of Kerberos. It also gives the attacker the keys that the KDC would normally generate to encrypt the service requests of this client, hence defeating confidentiality as well. The discovery of this attack caused the IETF to change the specification of PKINIT and Microsoft to release a security update for some Windows operating systems. We
A.: A formal analysis of some properties of kerberos 5 using MSR
, 2004
"... We give three formalizations of the Kerberos 5 authentication protocol in the MultiSet Rewriting (MSR) formalism. One is a highlevel formalization containing just enough detail to prove authentication and confidentiality properties of the protocol. A second formalization refines this by adding a v ..."
Abstract

Cited by 31 (16 self)
 Add to MetaCart
We give three formalizations of the Kerberos 5 authentication protocol in the MultiSet Rewriting (MSR) formalism. One is a highlevel formalization containing just enough detail to prove authentication and confidentiality properties of the protocol. A second formalization refines this by adding a variety of protocol options; we similarly refine proofs of properties in the first formalization to prove properties of the second formalization. Our third formalization adds timestamps to the first formalization but has not been analyzed extensively. The various proofs make use of rank and corank functions, inspired by work of Schneider in CSP, and provide examples of reasoning about realworld protocols in MSR. We also note some potentially curious protocol behavior; given our positive results, this
A Concurrent Logical Framework: The Propositional Fragment
, 2003
"... We present the propositional fragment CLF0 of the Concurrent Logical Framework (CLF). CLF extends the Linear Logical Framework to allow the natural representation of concurrent computations in an object language. The underlying type theory uses monadic types to segregate values from computations ..."
Abstract

Cited by 31 (3 self)
 Add to MetaCart
(Show Context)
We present the propositional fragment CLF0 of the Concurrent Logical Framework (CLF). CLF extends the Linear Logical Framework to allow the natural representation of concurrent computations in an object language. The underlying type theory uses monadic types to segregate values from computations. This separation leads to a tractable notion of definitional equality that identifies computations di#ering only in the order of execution of independent steps. From a logical point of view our type theory can be seen as a novel combination of lax logic and dual intuitionistic linear logic. An encoding of a small Petri net exemplifies the representation methodology, which can be summarized as "concurrent computations as monadic expressions ".
The DolevYao Intruder is the Most Powerful Attacker
 Proceedings of the Sixteenth Annual Symposium on Logic in Computer Science  LICS'01
, 2001
"... Most systems designed for the verification of security protocols operate under the unproved assumption that an attack can only result from the combination of a fixed number of message transformations, which altogether constitute the capabilities of the socalled DolevYao intruder. In this paper, we ..."
Abstract

Cited by 29 (1 self)
 Add to MetaCart
(Show Context)
Most systems designed for the verification of security protocols operate under the unproved assumption that an attack can only result from the combination of a fixed number of message transformations, which altogether constitute the capabilities of the socalled DolevYao intruder. In this paper, we prove that the DolevYao intruder can indeed emulate the actions of an arbitrary adversary. In order to do so, we extend MSR, a flexible specification framework for security protocols based on typed multiset rewriting, with a static check called access control, aimed at catching specification errors such as a principal trying to use a key that she is not entitled to access. Cryptographic protocols are increasingly used to secure transactions over the Internet and protect access to computer systems. Their design and analysis are notoriously complex and errorprone. Sources of difficulty include subtleties in the cryptographic primitives they rely on, and their deployment in distributed envi...
A Specification Language for CryptoProtocols based on Multiset Rewriting, Dependent Types and Subsorting
, 2001
"... MSR is an unambiguous, flexible, powerful and relatively simple specification framework for cryptoprotocols. It uses multiset rewriting rules over firstorder atomic formulas to express protocol actions and relies on a form of existential quantification to symbolically model the generation of no ..."
Abstract

Cited by 27 (14 self)
 Add to MetaCart
MSR is an unambiguous, flexible, powerful and relatively simple specification framework for cryptoprotocols. It uses multiset rewriting rules over firstorder atomic formulas to express protocol actions and relies on a form of existential quantification to symbolically model the generation of nonces and other fresh data. It supports an array of useful static checks that include typechecking and data access verification. In this paper, we give a detailed presentation of the typing infrastructure of MSR, which is based on the theory of dependent types with subsorting. We prove that typechecking protocol specifications is decidable and show that execution preserves welltyping. We illustrate these features by formalizing a wellknown protocol in MSR.
Reasoning about the consequences of authorization policies in a linear epistemic logic
, 2009
"... Authorization policies are not standalone objects: they are used to selectively permit actions that change the state of a system. Thus, it is desirable to have a framework for reasoning about the semantic consequences of policies. To this end, we extend a rewriting interpretation of linear logic w ..."
Abstract

Cited by 21 (7 self)
 Add to MetaCart
(Show Context)
Authorization policies are not standalone objects: they are used to selectively permit actions that change the state of a system. Thus, it is desirable to have a framework for reasoning about the semantic consequences of policies. To this end, we extend a rewriting interpretation of linear logic with connectives for modeling affirmation, knowledge, and possession. To cleanly confine semantic effects to the rewrite sequence, we introduce a monad. The result is a richly expressive logic that elegantly integrates policies and their effects. After presenting this logic and its metatheory, we demonstrate its utility by proving properties that relate a simple file system’s policies to their semantic consequences.
Algorithmic specifications in linear logic with subexponentials
 In ACM SIGPLAN Conference on Principles and Practice of Declarative Programming (PPDP
, 2009
"... nigam at lix.polytechnique.fr, dale.miller at inria.fr The linear logic exponentials!, ? are not canonical: one can add to linear logic other such operators, say! l, ? l, which may or may not allow contraction and weakening, and where l is from some preordered set of labels. We shall call these add ..."
Abstract

Cited by 19 (9 self)
 Add to MetaCart
(Show Context)
nigam at lix.polytechnique.fr, dale.miller at inria.fr The linear logic exponentials!, ? are not canonical: one can add to linear logic other such operators, say! l, ? l, which may or may not allow contraction and weakening, and where l is from some preordered set of labels. We shall call these additional operators subexponentials and use them to assign locations to multisets of formulas within a linear logic programming setting. Treating locations as subexponentials greatly increases the algorithmic expressiveness of logic. To illustrate this new expressiveness, we show that focused proof search can be precisely linked to a simple algorithmic specification language that contains whileloops, conditionals, and insertion into and deletion from multisets. We also give some general conditions for when a focused proof step can be executed in constant time. In addition, we propose a new logical connective that allows for the creation of new subexponentials, thereby further augmenting the algorithmic expressiveness of logic.