www.infsec.ethz.ch/~{basin,moedersheim,vigano}

We demonstrate that for any well-defined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully automated formal analysis of protocols that employ primitives such as Diffie-Hellman exponentiation, multiplication, andxor, with a bounded number of role instances, but without imposing any bounds on the size of terms created by the attacker. 1

We methodically expand protocol narrations into terms of a process algebra in order to specify some of the checks that need to be made in a protocol. We then apply static analysis technology to develop an automatic validation procedure for protocols. Finally, we demonstrate that these techniques suffice to identify several authentication flaws in symmetric and asymmetric key protocols such as Needham-Schroeder symmetric key, Otway-Rees, Yahalom, Andrew Secure RPC, Needham-Schroeder asymmetric key, and Beller-Chang-Yacobi MSR.

We propose a partial order reduction for model checking security protocols for the secrecy property. Based on this reduction we develop an automatic tool that can check security protocols for secrecy, given a finite execution scenario. We compare this tool to several other tools.

The formal and computational views of cryptography have been related by the seminal work of Abadi and Rogaway. In their work, a formal treatment of encryption that uses atomic keys is justified in the computational world. However, many proposed formal approaches allow the use of composed keys, where any arbitrary expression can be used as encryption key. In this paper we consider an extension of the formal model presented by Abadi and Rogaway, in which it is allowed to use composed keys in formal encryption. We then provide a computational interpretation for expressions that allow us to establish the computational soundness of formal encryption with composed keys.

Ricardo Corin , Sreekanth Malladi , Jim Alves-Foss , Sandro Etalle Faculty of Computer Science, Center for Secure and Dependable Systems, University of Twente, University of Idaho, P.O.Box 217, 7500AE Enschede, Moscow, ID - 83843, The Netherlands. Fax - (31 53)-489-4590 USA. Fax - (208)-885-9052 corin,etalle @cs.utwente.nl msskanth,jimaf @cs.uidaho.edu 1

We propose PS-LTL, a pure-past security linear temporal logic that allows the specification of a variety of authentication, secrecy and data freshness properties. Furthermore, we present a sound and complete decision procedure to establish the validity of security properties for symbolic execution traces, and show the integration with constraintbased analysis techniques. 1

We demonstrate that for any well-defined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully automated formal analysis of protocols that employ primitives such as Diffie-Hellman exponentiation, multiplication, and xor, with a bounded number of role instances, but without imposing any bounds on the size of terms created by the attacker. 1

The AVISPA Tool is a push-button tool for the Automated Validation of Internet Security Protocols and Applications. It provides a modular and expressive formal language for specifying protocols and their security properties, and integrates different back-ends that implement a variety of automatic protocol analysis techniques. Experimental results, carried out on a large library of Internet security protocols, indicate that the AVISPA Tool is a state-of-the-art tool for Internet security protocol analysis as, to our knowledge, no other tool exhibits the same level of scope and robustness while enjoying the same performance and scalability.

We present a decentralized key management architecture for wireless sensor networks, covering the aspects of key deployment, key refreshment and key establishment. Our architecture is based on a clear set of assumptions and guidelines. Balance between security and energy consumption is achieved by partitioning a system into two interoperable security realms: the supervised realm trades o# simplicity and resources for higher security whereas the unsupervised realm vice versa. Key deployment uses minimal key storage while key refreshment is based on the well-studied scheme of Abdalla et al. The keying protocols involved use only symmetric cryptography and have all been verified with our constraint solving-based protocol verification tool CoProVe.