Results 1  10
of
14
A metanotation for protocol analysis
 in: Proc. CSFW’99
, 1999
"... Most formal approaches to security protocol analysis are based on a set of assumptions commonly referred to as the “DolevYao model. ” In this paper, we use a multiset rewriting formalism, based on linear logic, to state the basic assumptions of this model. A characteristic of our formalism is the w ..."
Abstract

Cited by 142 (33 self)
 Add to MetaCart
Most formal approaches to security protocol analysis are based on a set of assumptions commonly referred to as the “DolevYao model. ” In this paper, we use a multiset rewriting formalism, based on linear logic, to state the basic assumptions of this model. A characteristic of our formalism is the way that existential quantification provides a succinct way of choosing new values, such as new keys or nonces. We define a class of theories in this formalism that correspond to finitelength protocols, with a bounded initialization phase but allowing unboundedly many instances of each protocol role (e.g., client, server, initiator, or responder). Undecidability is proved for a restricted class of these protocols, and PSPACEcompleteness is claimed for a class further restricted to have no new data (nonces). Since it is a fragment of linear logic, we can use our notation directly as input to linear logic tools, allowing us to do proof search for attacks with relatively little programming effort, and to formally verify protocol transformations and optimizations. 1
Towards an Automatic Analysis of Security Protocols in FirstOrder Logic
, 1999
"... . The NeumanStubblebine key exchange protocol is formalized in rstorder logic and analyzed by the automated theorem prover Spass. In addition to the analysis, we develop the necessary theoretical background providing new (un)decidability results for monadic rstorder fragments involved in the a ..."
Abstract

Cited by 62 (4 self)
 Add to MetaCart
. The NeumanStubblebine key exchange protocol is formalized in rstorder logic and analyzed by the automated theorem prover Spass. In addition to the analysis, we develop the necessary theoretical background providing new (un)decidability results for monadic rstorder fragments involved in the analysis. The approach is applicable to a variety of security protocols and we identify possible extensions leading to future directions of research. 1 Introduction The growing importance of the internet causes a growing need for security protocols that protect transactions and communication. It turns out that the design of such protocols is highly errorprone. Therefore, a variety of dierent methods have been described that analyze security protocols to discover aws. The topic of this paper is to add a further, new method that is based on automated theorem proving in rstorder logic. In the context of rstorder automated theorem proving, Schumann (1997) implemented the wellknown ...
Computing Symbolic Models for Verifying Cryptographic Protocols
 In Proc. of the 14th Computer Security Foundation Workshop (CSFW14
, 2001
"... We consider the problem of automatically verifying infinitestate cryptographic protocols. Specifically, we present an algorithm that given a finite process describing a protocol in a hostile environment (trying to force the system into a "bad" state) computes a model of traces on which security pro ..."
Abstract

Cited by 56 (0 self)
 Add to MetaCart
We consider the problem of automatically verifying infinitestate cryptographic protocols. Specifically, we present an algorithm that given a finite process describing a protocol in a hostile environment (trying to force the system into a "bad" state) computes a model of traces on which security properties can be checked. Because of unbounded inputs from the environment, even finite processes have an infinite set of traces; the main focus of our approach is the reduction of this infinite set to a finite set by a symbolic analysis of the knowledge of the environment. Our algorithm is sound (and we conjecture complete) for protocols with sharedkey encryption/decryption that use arbitrary messages as keys; further it is complete in the common and important case in which the cryptographic keys are messages of bounded size.
Multiset Rewriting and the Complexity of Bounded Security Protocols
 Journal of Computer Security
, 2002
"... We formalize the DolevYao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the DolevYao model using this notation, and to analyze the ..."
Abstract

Cited by 56 (5 self)
 Add to MetaCart
We formalize the DolevYao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the DolevYao model using this notation, and to analyze the complexity of the secrecy problem under various restrictions. We prove that, even for the case where we restrict the size of messages and the depth of message encryption, the secrecy problem is undecidable for the case of an unrestricted number of protocol roles and an unbounded number of new nonces. We also identify several decidable classes, including a dexpcomplete class when the number of nonces is restricted, and an npcomplete class when both the number of nonces and the number of roles is restricted. We point out a remaining open complexity problem, and discuss the implications these results have on the general topic of protocol analysis.
FiniteState Analysis of Two Contract Signing Protocols
 THEORETICAL COMPUTER SCIENCE
, 2001
"... Optimistic contract signing protocols allow two parties to commit to a previously agreed upon contract, relying on a third party to abort or confirm the contract if needed. These protocols are relatively subtle, since there may be interactions between the subprotocols used for normal signing without ..."
Abstract

Cited by 41 (1 self)
 Add to MetaCart
Optimistic contract signing protocols allow two parties to commit to a previously agreed upon contract, relying on a third party to abort or confirm the contract if needed. These protocols are relatively subtle, since there may be interactions between the subprotocols used for normal signing without the third party, aborting the protocol through the third party, or requesting confirmation from the third party. With the help of Mur', a finitestate verification tool, we analyze two related contract signing protocols: the optimistic contract signing protocol of Asokan, Shoup, and Waidner, and the abusefree contract signing protocol of Garay, Jakobsson, and MacKenzie. For the first protocol, we discover that a malicious participant can produce inconsistent versions of the contract or mount a replay attack. For the second protocol, we discover that negligence or corruption of the trusted third party may allow abuse or unfairness. In this case, contrary to the intent of the protocol, the cheated party is not able to hold the third party accountable. We present and analyze modifications to the protocols that avoid these problems and discuss the basic challenges involved in formal analysis of fair exchange protocols.
Performance Analysis of TLS Web Servers
 In Proceedings of the Network and Distributed Systems Security Symposium (NDSS
, 2002
"... ..."
Undecidability of Bounded Security Protocols
, 1999
"... Using a multiset rewriting formalism with existential quantification, it is shown that protocol security remains undecidable even when rather severe restrictions are placed on protocols. In particular, even if data constructors, message depth, message width, number of distinct roles, role length, an ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Using a multiset rewriting formalism with existential quantification, it is shown that protocol security remains undecidable even when rather severe restrictions are placed on protocols. In particular, even if data constructors, message depth, message width, number of distinct roles, role length, and depth of encryption are bounded by constants, secrecy is an undecidable property. If protocols are further restricted to have no new data (nonces), then secrecy is dexptimecomplete. Both lower bounds are obtained by encoding decision problems from existential Horn theories without function symbols into our protocol framework. The way that encryption and adversary behavior are used in the reduction sheds some light on protocol analysis.