Results 1  10
of
45
Automated Analysis of Cryptographic Protocols Using Murphi
, 1997
"... A methodology is presented for using a generalpurpose state enumeration tool, Murphi, to analyze cryptographic and securityrelated protocols. We illustrate the feasibility of the approach by analyzing the NeedhamSchroeder protocol, finding a known bug in a few seconds of computation time, and anal ..."
Abstract

Cited by 293 (24 self)
 Add to MetaCart
(Show Context)
A methodology is presented for using a generalpurpose state enumeration tool, Murphi, to analyze cryptographic and securityrelated protocols. We illustrate the feasibility of the approach by analyzing the NeedhamSchroeder protocol, finding a known bug in a few seconds of computation time, and analyzing variants of Kerberos and the faulty TMN protocol used in another comparative study. The efficiency of Murphi allows us to examine multiple runs of relatively short protocols, giving us the ability to detect replay attacks, or errors resulting from confusion between independent execution of a protocol by independent parties.
Delegation Logic: A Logicbased Approach to Distributed Authorization
 ACM Transactions on Information and System Security
, 2000
"... We address the problem of authorization in largescale, open... ..."
Abstract

Cited by 246 (14 self)
 Add to MetaCart
(Show Context)
We address the problem of authorization in largescale, open...
A Probabilistic PolyTime Framework for Protocol Analysis
, 1998
"... We develop a framework for analyzing security protocols in which protocol adversaries may be arbitrary probabilistic polynomialtime processes. In this framework, protocols are written in a form of process calculus where security may be expressed in terms of observational equivalence, a standard rel ..."
Abstract

Cited by 118 (6 self)
 Add to MetaCart
We develop a framework for analyzing security protocols in which protocol adversaries may be arbitrary probabilistic polynomialtime processes. In this framework, protocols are written in a form of process calculus where security may be expressed in terms of observational equivalence, a standard relation from programming language theory that involves quantifying over possible environments that might interact with the protocol. Using an asymptotic notion of probabilistic equivalence, we relate observational equivalence to polynomialtime statistical tests and discuss some example protocols to illustrate the potential of this approach.
Athena: a new efficient automatic checker for security protocol analysis
 In Proceedings of the Twelth IEEE Computer Security Foundations Workshop
, 1999
"... We propose an efficient automatic checking algorithm, Athena, for analyzing security protocols. Athena incorporates a logic that can express security properties including authentication, secrecy and properties related to electronic commerce. We have developed an automatic procedure for evaluating we ..."
Abstract

Cited by 90 (1 self)
 Add to MetaCart
(Show Context)
We propose an efficient automatic checking algorithm, Athena, for analyzing security protocols. Athena incorporates a logic that can express security properties including authentication, secrecy and properties related to electronic commerce. We have developed an automatic procedure for evaluating wellformed formulae in this logic. For a wellformed formula, if the evaluation procedure terminates, it will generate a counterexample if the formula is false, or provide a proof if the formula is true. Even when the procedure does not terminate when we allow any arbitrary configurations of the protocol execution, (for example, any number of initiators and responders), termination could be forced by bounding the number of concurrent protocol runs and the length of messages, as is done in most existing model checkers. Athena also exploits several state space reduction techniques. It is based on an extension of the recently proposed Strand Space Model [25] which captures exact causal relation information. Together with backward search and other techniques, Athena naturally avoids the state space explosion problem commonly caused by asynchronous composition and symmetry redundancy. Athena also has the advantage that it can easily incorporate results from theorem proving through unreachability theorems. By using the unreachability theorems, it can prune the state space at an early stage, hence, reduce the state space explored and increase the likelyhood of termination. As shown in our experiments, these techniques dramatically reduce the state space that needs to be explored.
Kerberos version IV: Inductive analysis of the secrecy goals
 Computer Security — ESORICS 98, LNCS 1485
, 1998
"... Abstract. An operational model of cryptoprotocols is tailored to the detailed analysis of the secrecy goals accomplished by Kerberos Version IV. The model is faithful to the specification of the protocol presented by the MIT technical plan [14] — e.g. timestamping, double session key delivery mech ..."
Abstract

Cited by 84 (28 self)
 Add to MetaCart
(Show Context)
Abstract. An operational model of cryptoprotocols is tailored to the detailed analysis of the secrecy goals accomplished by Kerberos Version IV. The model is faithful to the specification of the protocol presented by the MIT technical plan [14] — e.g. timestamping, double session key delivery mechanism are included. It allows an eavesdropper to exploit the shared keys of compromised agents, and admits the accidental loss of expired session keys. Confidentiality is expressed from the viewpoint of each party involved in a protocol run, with particular attention to the assumptions the party relies on. If such assumptions are unrealistic, they highlight weaknesses of the protocol. This is particularly so from the viewpoint of the responder: the model suggests and proves a reasonable correction.
Multiset Rewriting and the Complexity of Bounded Security Protocols
 Journal of Computer Security
, 2002
"... We formalize the DolevYao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the DolevYao model using this notation, and to analyze the ..."
Abstract

Cited by 74 (9 self)
 Add to MetaCart
We formalize the DolevYao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the DolevYao model using this notation, and to analyze the complexity of the secrecy problem under various restrictions. We prove that, even for the case where we restrict the size of messages and the depth of message encryption, the secrecy problem is undecidable for the case of an unrestricted number of protocol roles and an unbounded number of new nonces. We also identify several decidable classes, including a dexpcomplete class when the number of nonces is restricted, and an npcomplete class when both the number of nonces and the number of roles is restricted. We point out a remaining open complexity problem, and discuss the implications these results have on the general topic of protocol analysis.
Probabilistic PolynomialTime Equivalence and Security Analysis
 IN PROC. WORLD CONGRESS ON FORMAL METHODS, VOLUME 1708 OF LNCS
, 1999
"... We use properties of observational equivalence for a probabilistic process calculus to prove an authentication property of a cryptographic protocol. The process calculus is a form of calculus, with probabilistic scheduling instead of nondeterminism, over a term language that captures probabili ..."
Abstract

Cited by 51 (12 self)
 Add to MetaCart
We use properties of observational equivalence for a probabilistic process calculus to prove an authentication property of a cryptographic protocol. The process calculus is a form of calculus, with probabilistic scheduling instead of nondeterminism, over a term language that captures probabilistic polynomial time. The operational semantics of this calculus gives priority to communication over private channels, so that the presence of private communication does not affect the observable probability of visible actions. Our definition of observational equivalence involves asymptotic comparison of uniform process families, only requiring equivalence to within vanishing error probabilities. This definition differs from previous notions of probabilistic process equivalence that require equal probabilities for corresponding actions; asymptotics fit our intended application and make equivalence transitive, thereby justifying the use of the term "equivalence." Our security proof uses a series of lemmas about probabilistic observational equivalence that may well prove useful for establishing correctness of other cryptographic protocols.
Distributed Authentication in Kerberos Using Public Key Cryptography
 INTERNET SOCIETY 1997 SYMPOSIUM ON NETWORK AND DISTRIBUTED SYSTEM SECURITY
, 1997
"... In this work we describe a method for fully distributed authentication using public key cryptography within the Kerberos ticket framework. By distributing most of the authentication workload away from the trusted intermediary and to the communicating parties, significant enhancements to security and ..."
Abstract

Cited by 35 (2 self)
 Add to MetaCart
In this work we describe a method for fully distributed authentication using public key cryptography within the Kerberos ticket framework. By distributing most of the authentication workload away from the trusted intermediary and to the communicating parties, significant enhancements to security and scalability can be achieved as compared to Kerberos V5. Privacy of Kerberos clients is also enhanced. A working implementation of this extended protocol has been developed, and a migration plan is proposed for a transition from traditional to public key based Kerberos.
Denialofservice attacks on batterypowered mobile computers
 in Proc. 2nd International Conference on Pervasive Computing and Communications (PerCom’04
, 2004
"... Sleep deprivation attacks are a form of denial of service attack whereby an attacker renders a pervasive computing device inoperable by draining the battery more quickly than it would be drained under normal usage. We describe three main methods for an attacker to drain the battery: (1) Service requ ..."
Abstract

Cited by 25 (2 self)
 Add to MetaCart
(Show Context)
Sleep deprivation attacks are a form of denial of service attack whereby an attacker renders a pervasive computing device inoperable by draining the battery more quickly than it would be drained under normal usage. We describe three main methods for an attacker to drain the battery: (1) Service request power attacks, where repeated requests are made to the victim for services, typically over a networkeven if the service is not provided the victim must expend energy deciding whether or not to honor the request; (2) benign power attacks, where the victim is made to execute a valid but energyhungry task repeatedly, and (3) malignant power attacks, where the attacker modifies or creates an executable to make the system consume more energy than it would otherwise. Our initial results demonstrate the increased power consumption due to these attacks, which we believe are the first real examples of these attacks to appear in the literature. We also propose a powersecure architecture to thwart these power attacks by employing multilevel authentication and energy signatures. 1.
Analysis of Security Protocols
 IN CALCULATIONAL SYSTEM DESIGN, SERIES F: COMPUTER AND SYSTEMS SCIENCES
, 1999
"... Several approaches have been developed for analyzing security protocols. Most formal approaches are based on a set of assumptions commonly referred to as the "DolevYao model." In this paper, we use a formalism based on multiset rewriting to describe these modeling assumptions and expla ..."
Abstract

Cited by 24 (4 self)
 Add to MetaCart
Several approaches have been developed for analyzing security protocols. Most formal approaches are based on a set of assumptions commonly referred to as the "DolevYao model." In this paper, we use a formalism based on multiset rewriting to describe these modeling assumptions and explain how they are used in protocol analysis.