Results 1  10
of
15
A metanotation for protocol analysis
 in: Proc. CSFW’99
, 1999
"... Most formal approaches to security protocol analysis are based on a set of assumptions commonly referred to as the “DolevYao model. ” In this paper, we use a multiset rewriting formalism, based on linear logic, to state the basic assumptions of this model. A characteristic of our formalism is the w ..."
Abstract

Cited by 143 (33 self)
 Add to MetaCart
Most formal approaches to security protocol analysis are based on a set of assumptions commonly referred to as the “DolevYao model. ” In this paper, we use a multiset rewriting formalism, based on linear logic, to state the basic assumptions of this model. A characteristic of our formalism is the way that existential quantification provides a succinct way of choosing new values, such as new keys or nonces. We define a class of theories in this formalism that correspond to finitelength protocols, with a bounded initialization phase but allowing unboundedly many instances of each protocol role (e.g., client, server, initiator, or responder). Undecidability is proved for a restricted class of these protocols, and PSPACEcompleteness is claimed for a class further restricted to have no new data (nonces). Since it is a fragment of linear logic, we can use our notation directly as input to linear logic tools, allowing us to do proof search for attacks with relatively little programming effort, and to formally verify protocol transformations and optimizations. 1
Towards an Automatic Analysis of Security Protocols in FirstOrder Logic
, 1999
"... . The NeumanStubblebine key exchange protocol is formalized in rstorder logic and analyzed by the automated theorem prover Spass. In addition to the analysis, we develop the necessary theoretical background providing new (un)decidability results for monadic rstorder fragments involved in the a ..."
Abstract

Cited by 62 (4 self)
 Add to MetaCart
. The NeumanStubblebine key exchange protocol is formalized in rstorder logic and analyzed by the automated theorem prover Spass. In addition to the analysis, we develop the necessary theoretical background providing new (un)decidability results for monadic rstorder fragments involved in the analysis. The approach is applicable to a variety of security protocols and we identify possible extensions leading to future directions of research. 1 Introduction The growing importance of the internet causes a growing need for security protocols that protect transactions and communication. It turns out that the design of such protocols is highly errorprone. Therefore, a variety of dierent methods have been described that analyze security protocols to discover aws. The topic of this paper is to add a further, new method that is based on automated theorem proving in rstorder logic. In the context of rstorder automated theorem proving, Schumann (1997) implemented the wellknown ...
Computing Symbolic Models for Verifying Cryptographic Protocols
 In Proc. of the 14th Computer Security Foundation Workshop (CSFW14
, 2001
"... We consider the problem of automatically verifying infinitestate cryptographic protocols. Specifically, we present an algorithm that given a finite process describing a protocol in a hostile environment (trying to force the system into a "bad" state) computes a model of traces on which security pro ..."
Abstract

Cited by 56 (0 self)
 Add to MetaCart
We consider the problem of automatically verifying infinitestate cryptographic protocols. Specifically, we present an algorithm that given a finite process describing a protocol in a hostile environment (trying to force the system into a "bad" state) computes a model of traces on which security properties can be checked. Because of unbounded inputs from the environment, even finite processes have an infinite set of traces; the main focus of our approach is the reduction of this infinite set to a finite set by a symbolic analysis of the knowledge of the environment. Our algorithm is sound (and we conjecture complete) for protocols with sharedkey encryption/decryption that use arbitrary messages as keys; further it is complete in the common and important case in which the cryptographic keys are messages of bounded size.
Multiset Rewriting and the Complexity of Bounded Security Protocols
 Journal of Computer Security
, 2002
"... We formalize the DolevYao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the DolevYao model using this notation, and to analyze the ..."
Abstract

Cited by 56 (5 self)
 Add to MetaCart
We formalize the DolevYao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the DolevYao model using this notation, and to analyze the complexity of the secrecy problem under various restrictions. We prove that, even for the case where we restrict the size of messages and the depth of message encryption, the secrecy problem is undecidable for the case of an unrestricted number of protocol roles and an unbounded number of new nonces. We also identify several decidable classes, including a dexpcomplete class when the number of nonces is restricted, and an npcomplete class when both the number of nonces and the number of roles is restricted. We point out a remaining open complexity problem, and discuss the implications these results have on the general topic of protocol analysis.
FiniteState Analysis of Two Contract Signing Protocols
 THEORETICAL COMPUTER SCIENCE
, 2001
"... Optimistic contract signing protocols allow two parties to commit to a previously agreed upon contract, relying on a third party to abort or confirm the contract if needed. These protocols are relatively subtle, since there may be interactions between the subprotocols used for normal signing without ..."
Abstract

Cited by 41 (1 self)
 Add to MetaCart
Optimistic contract signing protocols allow two parties to commit to a previously agreed upon contract, relying on a third party to abort or confirm the contract if needed. These protocols are relatively subtle, since there may be interactions between the subprotocols used for normal signing without the third party, aborting the protocol through the third party, or requesting confirmation from the third party. With the help of Mur', a finitestate verification tool, we analyze two related contract signing protocols: the optimistic contract signing protocol of Asokan, Shoup, and Waidner, and the abusefree contract signing protocol of Garay, Jakobsson, and MacKenzie. For the first protocol, we discover that a malicious participant can produce inconsistent versions of the contract or mount a replay attack. For the second protocol, we discover that negligence or corruption of the trusted third party may allow abuse or unfairness. In this case, contrary to the intent of the protocol, the cheated party is not able to hold the third party accountable. We present and analyze modifications to the protocols that avoid these problems and discuss the basic challenges involved in formal analysis of fair exchange protocols.
Performance Analysis of TLS Web Servers
 In Proceedings of the Network and Distributed Systems Security Symposium (NDSS
, 2002
"... ..."
Undecidability of Bounded Security Protocols
, 1999
"... Using a multiset rewriting formalism with existential quantification, it is shown that protocol security remains undecidable even when rather severe restrictions are placed on protocols. In particular, even if data constructors, message depth, message width, number of distinct roles, role length, an ..."
Abstract

Cited by 2 (0 self)
 Add to MetaCart
Using a multiset rewriting formalism with existential quantification, it is shown that protocol security remains undecidable even when rather severe restrictions are placed on protocols. In particular, even if data constructors, message depth, message width, number of distinct roles, role length, and depth of encryption are bounded by constants, secrecy is an undecidable property. If protocols are further restricted to have no new data (nonces), then secrecy is dexptimecomplete. Both lower bounds are obtained by encoding decision problems from existential Horn theories without function symbols into our protocol framework. The way that encryption and adversary behavior are used in the reduction sheds some light on protocol analysis.
ATTACK ANALYSIS OF CRYPTOGRAPHIC PROTOCOLS USING STRAND SPACES ABSTRACT
"... Network security protocols make use of cryptographic techniques to achieve goals such as confidentiality, authentication, integrity and nonrepudiation. However, the fact that strong cryptographic algorithms exist does not guarantee the security of a communications system. In fact, it is recognised ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
Network security protocols make use of cryptographic techniques to achieve goals such as confidentiality, authentication, integrity and nonrepudiation. However, the fact that strong cryptographic algorithms exist does not guarantee the security of a communications system. In fact, it is recognised that the engineering of security protocols is a very challenging task, since protocols that appear secure can contain subtle flaws and vulnerabilities that attackers can exploit. A number of techniques exist for the analysis of security protocol specifications. Each of the techniques currently available is not capable of detecting every possible flaw or attack against a protocol when used in isolation. However, when combined, these techniques all complement each other and allow a protocol engineer to obtain a more accurate overview of the security of a protocol that is being designed. This fact, amongst others, is the rationale for multidimensional security protocol engineering, a concept introduced by previous projects in the DNA group. We propose an attack construction approach to security protocol analysis within a multidimensional context. This analysis method complements the method used in the existing inference construction analysis tools developed earlier in the group. This paper gives a brief overview of the concepts associated with our project, including a summary of existing security protocol analysis techniques, and a description of the strand space model, which is the intended formalism for the analysis.