Results 1-10 of 48
A calculus for cryptographic protocols: The spi calculus
Information and Computation, 1999
Cited by 783 (55 self)
We introduce the spi calculus, an extension of the pi calculus designed for the description and analysis of cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the spi calculus enables us to consider cryptographic issues in more detail. We represent protocols as processes in the spi calculus and state their security properties in terms of coarse-grained notions of protocol equivalence.
Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption)
2000
Cited by 333 (18 self)
Two distinct, rigorous views of cryptography have developed over the years, in two mostly separate communities. One of the views relies on a simple but effective formal approach; the other, on a detailed computational model that considers issues of complexity and probability.
A Bisimulation Method for Cryptographic Protocols
1998
Cited by 79 (5 self)
We introduce a definition of bisimulation for cryptographic protocols. The definition includes a simple and precise model of the knowledge of the environment with which a protocol interacts. Bisimulation is the basis of an effective proof technique, which yields proofs of classical security properties of protocols and also justifies certain protocol optimizations. The setting for our work is the spi calculus, an extension of the pi calculus with cryptographic primitives. We prove the soundness of the bisimulation proof technique within the spi calculus.
Reasoning about Cryptographic Protocols in the Spi Calculus
In CONCUR'97: Concurrency Theory, 1997
Cited by 51 (3 self)
The spi calculus is an extension of the pi calculus with constructs for encryption and decryption. This paper develops the theory of the spi calculus, focusing on techniques for establishing testing equivalence, and applying these techniques to the proof of authenticity and secrecy properties of cryptographic protocols.
1 From Cryptography to Testing Equivalence
The idea of controlling communication by capabilities underlies both the pi calculus and much of the current work on security in distributed systems (see e.g. [MPW92, Lie93, Sch96b]). In the pi calculus, channel names are capabilities; a process can use a channel only if it has invented or been given the name of the channel, but cannot guess this name. In work on security, on the other hand, the capabilities for communication are often keys, which are used for encrypting and decrypting messages that travel on otherwise unprotected channels. These observations motivate the definition of the spi calculus, an extension of the p...
An Approach to the Formal Verification of Cryptographic Protocols
In Third ACM Conference on Computer and Communications Security, 1996
Cited by 45 (2 self)
We present an approach to the verification of authentication protocols. The approach is based on the use of general purpose formal methods. It is complementary with modal logic based approaches as it allows for a description of protocol, hypotheses and authentication properties at a finer level of precision and with more freedom. It differs from formal methods based approaches and in particular from Meadows' approach in that it focuses more on proof conciseness and readability than on proof automatization. To achieve this we use a clear separation between the modeling of reliable agents and that of unreliable agents or more generally of intruders. We also show how to express authentication properties using basic and precise temporal notions. The approach is presented by means of an example based on a public-key version of the Needham-Schroeder protocol.
Authentication Primitives and Their Compilation
2000
Cited by 40 (13 self)
Adopting a programming-language perspective, we study the problem of implementing authentication in a distributed system. We define a process calculus with constructs for authentication and show how this calculus can be translated to a lower-level language using marshaling, multiplexing, and cryptographic protocols. Authentication serves for identity-based security in the source language and enables simplifications in the translation. We reason about correctness relying on the concepts of observational equivalence and full abstraction.
Security Protocols and their Properties
Foundations of Secure Computation, NATO Science Series, 2000
Cited by 40 (4 self)
Specifications for security protocols range from informal narrations of message flows to formal assertions of protocol properties. This paper discusses those specifications, emphasizing authenticity and secrecy properties. It also suggests some gaps and some opportunities for further work. Some of them pertain to the traditional core of the field; others appear when we examine the context in which protocols operate.
A cryptographically sound security proof of the Needham-Schroeder-Lowe public-key protocol
JOURNAL ON SELECTED AREAS IN COMMUN., 2004
Cited by 33 (14 self)
We present a cryptographically sound security proof of the well-known Needham-Schroeder-Lowe public-key protocol for entity authentication. This protocol was previously only proved over unfounded abstractions from cryptography. We show that it is secure against arbitrary active attacks if it is implemented using standard provably secure cryptographic primitives. Nevertheless, our proof does not have to deal with the probabilistic aspects of cryptography and is hence in the scope of current automated proof tools. We achieve this by exploiting a recently proposed Dolev-Yao-style cryptographic library with a provably secure cryptographic implementation. Besides establishing the cryptographic security of the Needham-Schroeder-Lowe protocol, our result exemplifies the potential of this cryptographic library and paves the way for the cryptographically sound verification of security protocols by automated proof tools.
Zero-knowledge in the applied pi-calculus and automated verification of the direct anonymous attestation protocol
In: IEEE Symposium on Security and Privacy (SP 08). (2008) 202–215 Preprint on IACR ePrint 2007/289
Cited by 30 (7 self)
We devise an abstraction of zero-knowledge protocols that is accessible to a fully mechanized analysis. The abstraction is formalized within the applied pi-calculus using a novel equational theory that abstractly characterizes the cryptographic semantics of zero-knowledge proofs. We present an encoding from the equational theory into a convergent rewriting system that is suitable for the automated protocol verifier ProVerif. The encoding is sound and fully automated. We successfully used ProVerif to obtain the first mechanized analysis of the Direct Anonymous Attestation (DAA) protocol. This required us to devise novel abstractions of sophisticated cryptographic security definitions based on interactive games. The analysis reported a novel attack on DAA that was overlooked in its existing cryptographic security proof. We propose a revised variant of DAA that we successfully prove secure using ProVerif.
Formal Methods for the Analysis of Authentication Protocols
1993
Cited by 26 (0 self)
In this paper, we examine current approaches and the state of the art in the application of formal methods to the analysis of authentication protocols. We use Meadows' classification of analysis techniques into four types. The Type I approach models and verifies a protocol using specification languages and verification tools not specifically developed for the analysis of cryptographic protocols. In the Type II approach, a protocol designer develops expert systems to create and examine different scenarios, from which he may draw conclusions about the security of the protocols being studied. The Type III approach models the requirements of a protocol family using logics developed specifically for the analysis of knowledge and belief. Finally, the Type IV approach develops a formal model based on the algebraic term-rewriting properties of cryptographic systems. The majority of research and the most interesting results are in the Type III approach, including reasoning systems such as the B...