Results 11  20
of
115
Athena: a new efficient automatic checker for security protocol analysis
 In Proceedings of the Twelth IEEE Computer Security Foundations Workshop
, 1999
"... We propose an efficient automatic checking algorithm, Athena, for analyzing security protocols. Athena incorporates a logic that can express security properties including authentication, secrecy and properties related to electronic commerce. We have developed an automatic procedure for evaluating we ..."
Abstract

Cited by 72 (1 self)
 Add to MetaCart
We propose an efficient automatic checking algorithm, Athena, for analyzing security protocols. Athena incorporates a logic that can express security properties including authentication, secrecy and properties related to electronic commerce. We have developed an automatic procedure for evaluating wellformed formulae in this logic. For a wellformed formula, if the evaluation procedure terminates, it will generate a counterexample if the formula is false, or provide a proof if the formula is true. Even when the procedure does not terminate when we allow any arbitrary configurations of the protocol execution, (for example, any number of initiators and responders), termination could be forced by bounding the number of concurrent protocol runs and the length of messages, as is done in most existing model checkers. Athena also exploits several state space reduction techniques. It is based on an extension of the recently proposed Strand Space Model [25] which captures exact causal relation information. Together with backward search and other techniques, Athena naturally avoids the state space explosion problem commonly caused by asynchronous composition and symmetry redundancy. Athena also has the advantage that it can easily incorporate results from theorem proving through unreachability theorems. By using the unreachability theorems, it can prune the state space at an early stage, hence, reduce the state space explored and increase the likelyhood of termination. As shown in our experiments, these techniques dramatically reduce the state space that needs to be explored.
Athena: a novel approach to efficient automatic security protocol analysis
 Journal of Computer Security
, 2001
"... protocol analysis ..."
Mechanized Proofs for a Recursive Authentication Protocol
 In 10th IEEE Computer Security Foundations Workshop
, 1997
"... A novel protocol has been formally analyzed using the prover Isabelle/HOL, following the inductive approach described in earlier work [11]. There is no limit on the length of a run, the nesting of messages or the number of agents involved. A single run of the protocol delivers session keys for all t ..."
Abstract

Cited by 62 (3 self)
 Add to MetaCart
A novel protocol has been formally analyzed using the prover Isabelle/HOL, following the inductive approach described in earlier work [11]. There is no limit on the length of a run, the nesting of messages or the number of agents involved. A single run of the protocol delivers session keys for all the agents, allowing neighbours to perform mutual authentication. The basic security theorem states that session keys are correctly delivered to adjacent pairs of honest agents, regardless of whether other agents in the chain are compromised. The protocol's complexity caused some difficulties in the specification and proofs, but its symmetry reduced the number of theorems to prove. CONTENTS i Contents 1 Introduction 1 2 The Recursive Authentication Protocol 2 3 Review of the Inductive Approach 4 4 A Formalization of Hashing 6 5 Modelling the Protocol 7 5.1 Modelling the Server . . . . . . . . . . . . . . . . . . . . . . . 8 5.2 A Coarser Model of the Server . . . . . . . . . . . . . . . . ....
Towards an Automatic Analysis of Security Protocols in FirstOrder Logic
, 1999
"... . The NeumanStubblebine key exchange protocol is formalized in rstorder logic and analyzed by the automated theorem prover Spass. In addition to the analysis, we develop the necessary theoretical background providing new (un)decidability results for monadic rstorder fragments involved in the a ..."
Abstract

Cited by 62 (4 self)
 Add to MetaCart
. The NeumanStubblebine key exchange protocol is formalized in rstorder logic and analyzed by the automated theorem prover Spass. In addition to the analysis, we develop the necessary theoretical background providing new (un)decidability results for monadic rstorder fragments involved in the analysis. The approach is applicable to a variety of security protocols and we identify possible extensions leading to future directions of research. 1 Introduction The growing importance of the internet causes a growing need for security protocols that protect transactions and communication. It turns out that the design of such protocols is highly errorprone. Therefore, a variety of dierent methods have been described that analyze security protocols to discover aws. The topic of this paper is to add a further, new method that is based on automated theorem proving in rstorder logic. In the context of rstorder automated theorem proving, Schumann (1997) implemented the wellknown ...
Using State Space Exploration and a Natural Deduction Style Message Derivation Engine to Verify Security Protocols
 In Proc. IFIP Working Conference on Programming Concepts and Methods (PROCOMET
, 1998
"... As more resources are added to computer networks, and as more vendors look to the World Wide Web as a viable marketplace, the importance of being able to restrict access and to insure some kind of acceptable behavior even in the presence of malicious adversaries becomes paramount. Many researchers h ..."
Abstract

Cited by 61 (5 self)
 Add to MetaCart
As more resources are added to computer networks, and as more vendors look to the World Wide Web as a viable marketplace, the importance of being able to restrict access and to insure some kind of acceptable behavior even in the presence of malicious adversaries becomes paramount. Many researchers have proposed the use of security protocols to provide these security guarantees. In this paper, we develop a method of verifying these protocols using a special purpose model checker which executes an exhaustive state space search of a protocol model. Our tool also includes a natural deduction style derivation engine which models the capabilities of the adversary trying to attack the protocol. Because our models are necessarily abstractions, we cannot prove a protocol correct. However, our tool is extremely useful as a debugger. We have used our tool to analyze 14 different authentication protocols, and have found the previously reported attacks for them. Keywords Model checking, security ...
Rewriting for Cryptographic Protocol Verification
, 1999
"... . On a case study, we present a new approach for verifying cryptographic protocols, based on rewriting and on tree automata techniques. Protocols are operationally described using Term Rewriting Systems and the initial set of communication requests is described by a tree automaton. Starting from ..."
Abstract

Cited by 57 (8 self)
 Add to MetaCart
. On a case study, we present a new approach for verifying cryptographic protocols, based on rewriting and on tree automata techniques. Protocols are operationally described using Term Rewriting Systems and the initial set of communication requests is described by a tree automaton. Starting from these two representations, we automatically compute an overapproximation of the set of exchanged messages (also recognized by a tree automaton). Then, proving classical properties like confidentiality or authentication can be done by automatically showing that the intersection between the approximation and a set of prohibited behaviors is the empty set. Furthermore, this method enjoys a simple and powerful way to describe intruder work, the ability to consider an unbounded number of parties, an unbounded number of interleaved sessions, and a theoretical property ensuring safeness of the approximation. Introduction In this paper, we present a new way of verifying cryptographic pro...
Multiset Rewriting and the Complexity of Bounded Security Protocols
 Journal of Computer Security
, 2002
"... We formalize the DolevYao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the DolevYao model using this notation, and to analyze the ..."
Abstract

Cited by 56 (5 self)
 Add to MetaCart
We formalize the DolevYao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the DolevYao model using this notation, and to analyze the complexity of the secrecy problem under various restrictions. We prove that, even for the case where we restrict the size of messages and the depth of message encryption, the secrecy problem is undecidable for the case of an unrestricted number of protocol roles and an unbounded number of new nonces. We also identify several decidable classes, including a dexpcomplete class when the number of nonces is restricted, and an npcomplete class when both the number of nonces and the number of roles is restricted. We point out a remaining open complexity problem, and discuss the implications these results have on the general topic of protocol analysis.
Verifying Security Protocols with Brutus
, 2000
"... this article we present BRUTUS, a tool for verifying properties of security protocols. This tool can be viewed as a specialpurpose model checker for security protocols. We also present reduction techniques that make the tool efficient. Experimental results are provided to demonstrate the efficiency ..."
Abstract

Cited by 55 (3 self)
 Add to MetaCart
this article we present BRUTUS, a tool for verifying properties of security protocols. This tool can be viewed as a specialpurpose model checker for security protocols. We also present reduction techniques that make the tool efficient. Experimental results are provided to demonstrate the efficiency of BRUTUS
Protocol independence through disjoint encryption
 In Proceedings, 13th Computer Security Foundations Workshop. IEEE Computer
, 2000
"... One protocol (called the primary protocol) is independent of other protocols (jointly called the secondary protocol) if the question whether the primary protocol achieves a security goal never depends on whether the secondary protocol is in use. In this paper, we use multiprotocol strand spaces ([27 ..."
Abstract

Cited by 53 (13 self)
 Add to MetaCart
One protocol (called the primary protocol) is independent of other protocols (jointly called the secondary protocol) if the question whether the primary protocol achieves a security goal never depends on whether the secondary protocol is in use. In this paper, we use multiprotocol strand spaces ([27], cf. [28]) to prove that two cryptographic protocols are independent if they use encryption in nonoverlapping ways. This theorem (Proposition 7.2) applies even if the protocols share public key certificates and secret key “tickets.” We use the method of [8, 7] to study penetrator paths, namely sequences of penetrator actions connecting regular nodes (message transmissions or receptions) in the two protocols. Of special interest are inbound linking paths, which lead from a message transmission in the secondary protocol to a message reception in the primary protocol. We show that bundles can be modified to remove all inbound linking paths, if encryption does not overlap in the two protocols. The resulting bundle does not depend on any activity of the secondary protocol. We illustrate this method using the NeumanStubblebine protocol as an example [21, 27]. 1