Results 1 - 10 of 36
Protocol insecurity with finite number of sessions is NP-complete
Theoretical Computer Science, 2001
Cited by 148 (12 self)
We investigate the complexity of the protocol insecurity problem for a finite number of sessions (fixed number of interleaved runs). We show that this problem is NP-complete with respect to a Dolev-Yao model of intruders. The result does not assume a limit on the size of messages and supports non-atomic symmetric encryption keys. We also prove that in order to build an attack with a fixed number of sessions the intruder needs only to forge messages of linear size, provided that they are represented as DAGs.
A meta-notation for protocol analysis
in: Proc. CSFW’99, 1999
Cited by 142 (33 self)
Most formal approaches to security protocol analysis are based on a set of assumptions commonly referred to as the “Dolev-Yao model.” In this paper, we use a multiset rewriting formalism, based on linear logic, to state the basic assumptions of this model. A characteristic of our formalism is the way that existential quantification provides a succinct way of choosing new values, such as new keys or nonces. We define a class of theories in this formalism that correspond to finite-length protocols, with a bounded initialization phase but allowing unboundedly many instances of each protocol role (e.g., client, server, initiator, or responder). Undecidability is proved for a restricted class of these protocols, and PSPACE-completeness is claimed for a class further restricted to have no new data (nonces). Since it is a fragment of linear logic, we can use our notation directly as input to linear logic tools, allowing us to do proof search for attacks with relatively little programming effort, and to formally verify protocol transformations and optimizations.
CAPSL Integrated Protocol Environment
in: Proc. of DARPA Information Survivability Conference (DISCEX 2000), pp. 207-221, IEEE Computer Society, 2000
Cited by 58 (6 self)
CAPSL, a Common Authentication Protocol Specification Language, is a high-level language to support security analysis of cryptographic authentication and key distribution protocols. It is translated to CIL, an intermediate language expressing state transitions with term-rewriting rules. Connectors are being written to adapt CIL to supply input to different security analysis tools, including PVS for inductive verification and Maude for model-checking.
Secrecy Types for Asymmetric Communication
2001
Cited by 57 (5 self)
We develop a typed process calculus for security protocols in which types convey secrecy properties. We focus on asymmetric communication primitives, especially on public-key encryption. These present special difficulties, partly because they rely on related capabilities (e.g., "public" and "private" keys) with different levels of secrecy and scopes.
Rewriting for Cryptographic Protocol Verification
1999
Cited by 57 (8 self)
On a case study, we present a new approach for verifying cryptographic protocols, based on rewriting and on tree automata techniques. Protocols are operationally described using Term Rewriting Systems and the initial set of communication requests is described by a tree automaton. Starting from these two representations, we automatically compute an over-approximation of the set of exchanged messages (also recognized by a tree automaton). Then, proving classical properties like confidentiality or authentication can be done by automatically showing that the intersection between the approximation and a set of prohibited behaviors is the empty set. Furthermore, this method enjoys a simple and powerful way to describe intruder work, the ability to consider an unbounded number of parties, an unbounded number of interleaved sessions, and a theoretical property ensuring safeness of the approximation.
Multiset Rewriting and the Complexity of Bounded Security Protocols
Journal of Computer Security, 2002
Cited by 56 (5 self)
We formalize the Dolev-Yao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the Dolev-Yao model using this notation, and to analyze the complexity of the secrecy problem under various restrictions. We prove that, even for the case where we restrict the size of messages and the depth of message encryption, the secrecy problem is undecidable for the case of an unrestricted number of protocol roles and an unbounded number of new nonces. We also identify several decidable classes, including a DEXP-complete class when the number of nonces is restricted, and an NP-complete class when both the number of nonces and the number of roles is restricted. We point out a remaining open complexity problem, and discuss the implications these results have on the general topic of protocol analysis.
An improved constraint-based system for the verification of security protocols
9th Int. Static Analysis Symp. (SAS), volume LNCS 2477, 2002
Cited by 52 (14 self)
We propose a constraint-based system for the verification of security protocols that improves upon the one developed by Millen and Shmatikov [30]. Our system features (1) a significantly more efficient implementation, (2) a monotonic behavior, which also allows the detection of flaws associated with partial runs, and (3) a more expressive syntax, in which a principal may also perform explicit checks. In this paper we also show why these improvements yield a more effective and practical system.
Static validation of security protocols
Journal of Computer Security, 2005
Cited by 35 (13 self)
We methodically expand protocol narrations into terms of a process algebra in order to specify some of the checks that need to be made in a protocol. We then apply static analysis technology to develop an automatic validation procedure for protocols. Finally, we demonstrate that these techniques suffice to identify several authentication flaws in symmetric and asymmetric key protocols such as Needham-Schroeder symmetric key, Otway-Rees, Yahalom, Andrew Secure RPC, Needham-Schroeder asymmetric key, and Beller-Chang-Yacobi MSR.
Research Directions in Rewriting Logic
1998
Cited by 31 (12 self)
Rewriting logic expresses an essential equivalence between logic and computation. System states are in bijective correspondence with formulas, and concurrent computations are in bijective correspondence with proofs. Given this equivalence between computation and logic, a rewriting logic axiom of the form $t \longrightarrow t'$ has two readings. Computationally, it means that a fragment of a system's state that is an instance of the pattern $t$ can change to the corresponding instance of $t'$ concurrently with any other state changes; logically, it just means that we can derive the formula $t'$ from the formula $t$. Rewriting logic is entirely neutral about the structure and properties of the formulas/states $t$. They are entirely user-definable as an algebraic data type satisfying certain equational axioms. Because of this ecumenical neutrality, rewriting logic has, from a logical viewpoint, good properties as a logical framework, in which many other logics can be naturally represented. And, computationally, it also has good properties as a semantic framework, in which many different system styles and models of concurrent computation and many different languages can be naturally expressed without any distorting encodings. The goal of this paper is to provide a relatively gentle introduction to rewriting logic, and to paint in broad strokes the main research directions that, since its introduction in 1990, have been pursued by a growing number of researchers in Europe, the US, and Japan. Key theoretical developments, as well as the main current applications of rewriting logic as a logical and semantic framework, and the work on formal reasoning to prove properties of specifications are surveyed.