Results 1-10 of 16
YAPA: A generic tool for computing intruder knowledge
2009
Abstract

Cited by 13 (4 self)
Reasoning about the knowledge of an attacker is a necessary step in many formal analyses of security protocols. In the framework of the applied pi calculus, as in similar languages based on equational logics, knowledge is typically expressed by two relations: deducibility and static equivalence. Several decision procedures have been proposed for these relations under a variety of equational theories. However, each theory has its particular algorithm, and none has been implemented so far. We provide a generic procedure for deducibility and static equivalence that takes as input any convergent rewrite system. We show that our algorithm covers all the existing decision procedures for convergent theories. We also provide an efficient implementation, and compare it briefly with the more general tool ProVerif.
Handling exp, × (and timestamps) in protocol analysis
In Proc. of FOSSACS'06, volume 3921 of LNCS, 2006
Abstract

Cited by 8 (2 self)
We present a static analysis technique for the verification of cryptographic protocols, specified in a process calculus. Rather than assuming a specific, fixed set of cryptographic primitives, we only require them to be specified through a term rewriting system, with no restrictions. Examples are provided to support our analysis. First, we tackle forward secrecy for a Diffie-Hellman-based protocol involving exponentiation, multiplication and inversion. Then, a simplified version of Kerberos is analyzed, showing that its use of timestamps succeeds in preventing replay attacks.
Equational cryptographic reasoning in the Maude-NRL Protocol Analyzer
In Proc. of the First International Workshop on Security and Rewriting Techniques (SecReT 2006), Electronic Notes in Theoretical Computer Science, Elsevier Sciences Publisher, 2006
Abstract

Cited by 4 (2 self)
The Maude-NRL Protocol Analyzer (Maude-NPA) is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It both extends and provides a formal framework for the original NRL Protocol Analyzer, which limited itself to an equational theory ∆ of convergent rewrite rules. In this paper we extend our framework to include theories of the form ∆ ⊎ B, where B is the theory of associativity and commutativity and ∆ is convergent modulo B. Order-sorted B-unification plays a crucial role; to obtain this functionality we describe a sort propagation algorithm that filters out unsorted B-unifiers provided by the CiME unification tool. We show how extensions of some of the state reduction techniques of the original NRL Protocol Analyzer can be applied in this context. We illustrate the ideas and capabilities of the Maude-NPA with an example involving the Diffie-Hellman key agreement protocol.
Towards an automatic analysis of web services security
In: Proceedings of the 6th International Symposium on the Frontiers of Combining Systems (FroCoS'07), LNAI, 2007
Abstract

Cited by 3 (3 self)
Web services send and receive messages in XML syntax with some parts hashed, encrypted or signed, according to the WS-Security standard. In this paper we introduce a model to formally describe the protocols that underlie these services, their security properties and the rewriting attacks they might be subject to. Unlike other protocol models (in symbolic analysis) ours can handle non-deterministic receive/send actions and unordered sequences of XML nodes. Then to detect the attacks we have to consider the services as combining multiset operators and cryptographic ones, and we have to solve specific satisfiability problems in the combined theory. By a non-trivial extension of the combination techniques of [3] we obtain a decision procedure for insecurity of Web services with messages built using encryption, signature, and other cryptographic primitives. This combination technique allows one to decide insecurity in a modular way by reducing the associated constraint solving problems to problems in simpler theories.
Complexity Results for Security Protocols with Diffie-Hellman Exponentiation and Commuting Public Key Encryption
In Paritosh K. Pandya and Jaikumar Radhakrishnan, editors, FSTTCS, volume 2914 of Lecture Notes in Computer Science, 2003
Abstract

Cited by 3 (0 self)
We show that the insecurity problem for protocols with modular exponentiation and arbitrary products allowed in exponents is NP-complete. This result is based on a protocol and intruder model which is powerful enough to uncover known attacks on the Authenticated Group Diffie-Hellman (A-GDH.2) protocol suite. To prove our results, we develop a general framework in which the Dolev-Yao intruder is extended by generic intruder rules. This framework is also applied to obtain complexity results for protocols with commuting public key encryption.
Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties (Extended Version)
April 2012, available at http://www.infsec.ethz.ch/research/software#TAMARIN
Abstract

Cited by 3 (1 self)
We present a general approach for the symbolic analysis of security protocols that use Diffie-Hellman exponentiation to achieve advanced security properties. We model protocols as multiset rewriting systems and security properties as first-order formulas. We analyze them using a novel constraint-solving algorithm that supports both falsification and verification, even in the presence of an unbounded number of protocol sessions. The algorithm exploits the finite variant property and builds on ideas from strand spaces and proof normal forms. We demonstrate the scope and the effectiveness of our algorithm on non-trivial case studies. For example, the algorithm successfully verifies the NAXOS protocol with respect to a symbolic version of the eCK security model.
Towards Producing Formally Checkable Security Proofs, Automatically
2008
Abstract

Cited by 2 (0 self)
First-order logic models of security for cryptographic protocols, based on variants of the Dolev-Yao model, are now well-established tools. Given that we have checked a given security protocol π using a given first-order prover, how hard is it to extract a formally checkable proof of it, as required in, e.g., common criteria at evaluation level 7? We demonstrate that this is surprisingly hard: the problem is non-recursive in general. On the practical side, we show how we can extract finite models M from a set S of clauses representing π, automatically, in two ways. We then define a model-checker testing M ⊨ S, and show how we can instrument it to output a formally checkable proof, e.g., in Coq. This was implemented in the h1 tool suite. Experience on a number of protocols shows that this is practical.
Finite models for formal security proofs
 Journal of Computer Security
Abstract

Cited by 2 (1 self)
First-order logic models of security for cryptographic protocols, based on variants of the Dolev-Yao model, are now well-established tools. Given that we have checked a given security protocol π using a given first-order prover, how hard is it to extract a formally checkable proof of it, as required in, e.g., common criteria at the highest evaluation level (EAL7)? We demonstrate that this is surprisingly hard in the general case: the problem is non-recursive. Nonetheless, we show that we can instead extract finite models M from a set S of clauses representing π, automatically, and give two ways of doing so. We then define a model-checker testing M ⊨ S, and show how we can instrument it to output a formally checkable proof, e.g., in Coq. Experience on a number of protocols shows that this is practical, and that even complex (secure) protocols modulo equational theories have small finite models, making our approach suitable.
Analysis of the Collision Resistance of RadioGatún using Algebraic Techniques
Abstract

Cited by 2 (0 self)
In this paper, we present some preliminary results on the security of the RadioGatún hash function. RadioGatún has an internal state of 58 words, and is parameterized by the word size, from one to 64 bits. We mostly study the one-bit version of RadioGatún since, according to the authors, attacks on this version also affect the reasonably-sized versions. On this toy version, we revisit the claims of the designers and first improve some results. Secondly, given a differential path, we show how to find a message pair colliding more efficiently than the strategy proposed by the authors, using algebraic techniques. We experimented with this strategy on the one-bit version since we can efficiently find differential paths by brute force. Even though the complexity of this collision attack is higher than the general security claim on RadioGatún〈1〉, it is still less than the birthday paradox on the size of the internal state.