Results 1 - 10 of 53
Security Architecture for the Internet Protocol
- RFC 1825, 1995
Provably Secure Session Key Distribution -- The Three Party Case
- 1995
Cited by 185 (6 self)
We study session key distribution in the three-party setting of Needham and Schroeder. (This is the trust model assumed by the popular Kerberos authentication system.) Such protocols are basic building blocks for contemporary distributed systems -- yet the underlying problem has, up until now, lacked a definition or provably-good solution. One consequence is that incorrect protocols have proliferated. This paper provides the first treatment of this problem in the complexity-theoretic framework of modern cryptography. We present a definition, protocol, and a proof that the protocol satisfies the definition, assuming the (minimal) assumption of a pseudorandom function. When this assumption is appropriately instantiated, our protocols are simple and efficient.
Reasoning about Belief in Cryptographic Protocols
- Proceedings 1990 IEEE Symposium on Research in Security and Privacy, 1990
Cited by 176 (5 self)
Abstract. Analysis methods for cryptographic protocols have often focused on information leakage rather than on seeing whether a protocol meets its goals. Many protocols, however, fall far short of meeting their goals, sometimes for quite subtle reasons. We introduce a mechanism for reasoning about belief as a systematic way to understand the working of cryptographic protocols. Our mechanism captures more features of such protocols than that given in a recent work [1], to which our proposals are a substantial extension.
1 Introduction
Solutions to computer security problems over the last few years have brought forth the need for rigorous analysis methods. Formal tools must be provided to determine whether a solution indeed solves a problem, as well as to enable comparisons between proposed solutions. In this paper we propose a method for reasoning about cryptographic protocols in a distributed environment. The work described was inspired by the recent development of a modal logic to ...
A Semantic Model for Authentication Protocols
- 1993
Cited by 131 (3 self)
We specify authentication protocols as formal objects with precise syntax and semantics, and define a semantic model that characterizes protocol executions. We have identified two basic types of correctness properties, namely, correspondence and secrecy, that underlie the correctness concerns of authentication protocols. We define assertions for specifying these properties, and a formal semantics for their satisfaction in the semantic model. The Otway-Rees protocol is used to illustrate the semantic model and the basic correctness properties.
1 Introduction
Authentication is a fundamental concern in the design of secure distributed systems [14, 25]. In distributed systems, authentication is typically carried out by protocols, called authentication protocols. The primary goal of an authentication protocol is to establish the identities of the parties (referred to as principals in the security literature) who participate in the protocol. Many authentication protocols, however, also acc...
Protecting Poorly Chosen Secrets from Guessing Attacks
- 1993
Cited by 107 (6 self)
In a security system that allows people to choose their own passwords, those people tend to choose passwords that can be easily guessed. This weakness exists in practically all widely used systems. Instead of forcing users to choose well-chosen secrets, which are likely to be difficult to remember, we propose solutions that maintain both user convenience and a high level of security at the same time. The basic idea is to ensure that data available to the attacker is sufficiently unpredictable to prevent an off-line verification of whether a guess is successful or not. We examine common forms of guessing attacks, develop examples of cryptographic protocols that are immune to such attacks, and suggest a systematic way to examine protocols to detect vulnerabilities to such attacks.
An Approach to the Formal Verification of Cryptographic Protocols
- In Third ACM Conference on Computer and Communications Security, 1996
Cited by 43 (2 self)
We present an approach to the verification of authentication protocols. The approach is based on the use of general purpose formal methods. It is complementary with modal logic based-approaches as it allows for a description of protocol, hypotheses and authentication properties at a finer level of precision and with more freedom. It differs from formal methods based approaches and in particular from Meadows' approach in that it focuses more on proof conciseness and readability than on proof automatization. To achieve this we use a clear separation between the modeling of reliable agents and that of unreliable agents or more generally of intruders. We also show how to express authentication properties using basic and precise temporal notions. The approach is presented by the mean of an example based on a public-key version of the Needham-Schroeder protocol.
A HOL Extension of GNY for Automatically Analyzing Cryptographic Protocols
- In Proceedings of the Ninth IEEE Computer Security Foundations Workshop, 1996
Cited by 26 (2 self)
This paper describes a Higher Order Logic (HOL) theory formalizing an extended version of the Gong, Needham, Yahalom (GNY) belief logic, a theory used by software that automatically proves authentication properties of cryptographic protocols. The theory's extensions to the GNY logic include being able to specify protocol properties at intermediate stages and being able to specify protocols that use multiple encryption and hash operations, message authentication codes, computed values (e.g., hash codes) as keys, and key-exchange algorithms.
1. Introduction
Cryptographic protocols are short sequences of message exchanges, usually involving encryption, intended to establish secure communication over insecure networks. Whether they actually do so, or can be subverted by attacks involving modified, replayed, or mislabeled messages, is a notoriously difficult problem. There have been several examples [11, 27, 28] of published protocols, recommended by experts, that were vulnerable to attack....
Formal Methods for the Analysis of Authentication Protocols
- 1993
Cited by 24 (0 self)
In this paper, we examine current approaches and the state of the art in the application of formal methods to the analysis of authentication protocols. We use Meadows' classification of analysis techniques into four types. The Type I approach models and verifies a protocol using specification languages and verification tools not specifically developed for the analysis of cryptographic protocols. In the Type II approach, a protocol designer develops expert systems to create and examine different scenarios, from which he may draw conclusions about the security of the protocols being studied. The Type III approach models the requirements of a protocol family using logics developed specifically for the analysis of knowledge and belief. Finally, the Type IV approach develops a formal model based on the algebraic term-rewriting properties of cryptographic systems. The majority of research and the most interesting results are in the Type III approach, including reasoning systems such as the B...
Static validation of security protocols
- Journal of Computer Security, 2005
Cited by 24 (10 self)
We methodically expand protocol narrations into terms of a process algebra in order to specify some of the checks that need to be made in a protocol. We then apply static analysis technology to develop an automatic validation procedure for protocols. Finally, we demonstrate that these techniques suffice to identify several authentication flaws in symmetric and asymmetric key protocols such as Needham-Schroeder symmetric key, Otway-Rees, Yahalom, Andrew Secure RPC, Needham-Schroeder asymmetric key, and Beller-Chang-Yacobi MSR.

