Results 1 - 10 of 52
A calculus for cryptographic protocols: The spi calculus
Information and Computation, 1999
Cited by 783 (55 self)
We introduce the spi calculus, an extension of the pi calculus designed for the description and analysis of cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the spi calculus enables us to consider cryptographic issues in more detail. We represent protocols as processes in the spi calculus and state their security properties in terms of coarse-grained notions of protocol equivalence.
Secrecy by Typing in Security Protocols
Journal of the ACM, 1998
Cited by 245 (15 self)
We develop principles and rules for achieving secrecy properties in security protocols. Our approach is based on traditional classification techniques, and extends those techniques to handle concurrent processes that use shared-key cryptography. The rules have the form of typing rules for a basic concurrent language with cryptographic primitives, the spi calculus. They guarantee that, if a protocol typechecks, then it does not leak its secret inputs.
Proof Techniques for Cryptographic Processes
In 14th Annual IEEE Symposium on Logic in Computer Science, 1999
Cited by 60 (8 self)
Contextual equivalences for cryptographic process calculi, like the spi-calculus, can be used to reason about correctness of protocols, but their definition suffers from quantification over all possible contexts. Here, we focus on two such equivalences, namely may-testing and barbed equivalence, and investigate tractable proof methods for them. To this aim, we design an enriched labelled transition system, where transitions are constrained by the knowledge the environment has of names and keys. The new transition system is then used to define a trace equivalence and a weak bisimulation equivalence, that avoid quantification over contexts. Our main results are soundness and completeness of trace and weak bisimulation equivalence with respect to may-testing and barbed equivalence, respectively. They lead to more direct proof methods for equivalence checking. The use of these methods is illustrated with a few examples, concerning implementation of secure channels and verification of proto...
A Hierarchy of Equivalences for Asynchronous Calculi
2003
Cited by 58 (5 self)
We generate a natural hierarchy of equivalences for asynchronous name-passing process calculi from simple variations on Milner and Sangiorgi's definition of weak barbed bisimulation. The calculus, used here, and the join calculus are examples of such calculi.
Reasoning about Cryptographic Protocols in the Spi Calculus
In CONCUR'97: Concurrency Theory, 1997
Cited by 51 (3 self)
The spi calculus is an extension of the pi calculus with constructs for encryption and decryption. This paper develops the theory of the spi calculus, focusing on techniques for establishing testing equivalence, and applying these techniques to the proof of authenticity and secrecy properties of cryptographic protocols. 1 From Cryptography to Testing Equivalence The idea of controlling communication by capabilities underlies both the pi calculus and much of the current work on security in distributed systems (see e.g. [MPW92, Lie93, Sch96b]). In the pi calculus, channel names are capabilities; a process can use a channel only if it has invented or been given the name of the channel, but cannot guess this name. In work on security, on the other hand, the capabilities for communication are often keys, which are used for encrypting and decrypting messages that travel on otherwise unprotected channels. These observations motivate the definition of the spi calculus, an extension of the p...
Algebraic Theories for Name-Passing Calculi
1996
Cited by 41 (10 self)
In a theory of processes the names are atomic data items which can be exchanged and tested for identity. A well-known example of a calculus for name-passing is the π-calculus, where names additionally are used as communication ports. We provide complete axiomatisations of late and early bisimulation equivalences in such calculi. Since neither of the equivalences is a congruence we also axiomatise the corresponding largest congruences. We consider a few variations of the signature of the language; among these, a calculus of deterministic processes which is reminiscent of sequential functional programs with a conditional construct. Most of our axioms are shown to be independent. The axiom systems differ only by a few simple axioms and reveal the similarities and the symmetries of the calculi and the equivalences.
Security Protocols and their Properties
Foundations of Secure Computation, NATO Science Series, 2000
Cited by 40 (4 self)
Specifications for security protocols range from informal narrations of message flows to formal assertions of protocol properties. This paper discusses those specifications, emphasizing authenticity and secrecy properties. It also suggests some gaps and some opportunities for further work. Some of them pertain to the traditional core of the field; others appear when we examine the context in which protocols operate.
A Theory of Bisimulation for the pi-calculus
1993
Cited by 39 (0 self)
We study a new formulation of bisimulation for the π-calculus [MPW92], which we have called open bisimulation ( ). In contrast with the previously known bisimilarity equivalences, is preserved by all π-calculus operators, including input prefix. The differences among all these equivalences already appear in the sublanguage without name restrictions: Here the definition of can be factorised into a "standard" part which, modulo the different syntax of actions, is the CCS bisimulation, and a part specific to the π-calculus, which requires name instantiation. Attractive features of are: a simple axiomatisation (of the finite terms), with a completeness proof which leads to the construction of minimal canonical representatives for the equivalence classes of ; an "efficient" characterisation, based on a modified transition system. This characterisation seems promising for the development of automated-verification tools and also shows the call-by-need flavour of . Although in the...
Complete Inference Systems for Weak Bisimulation Equivalences in the pi-Calculus
Journal of Information and Computation, 1995
Cited by 26 (3 self)
Proof systems for weak bisimulation equivalences in the π-calculus are presented, and their soundness and completeness are shown. Two versions of π-calculus are investigated, one without and the other with the mismatch operator.
Analysis of security protocols as open systems
Theoretical Computer Science, 2003
Cited by 26 (13 self)
We propose a methodology for the formal analysis of security protocols. This originates from the observation that the verification of security protocols can be conveniently treated as the verification of open systems, i.e. systems which may have unspecified components. These might be used to represent a hostile environment wherein the protocol runs and whose behavior cannot be predicted a priori. We define a language for the description of security protocols, namely CryptoCCS, and a logical language for expressing their properties. We provide an effective verification method for security protocols which is based on a suitable extension of partial model checking. Indeed, we obtain a decidability result for the secrecy analysis of protocols with a finite number of sessions, bounded message size and new nonce generation.