Results 1-10 of 40
Multiset Rewriting and the Complexity of Bounded Security Protocols
Journal of Computer Security, 2002
Cited by 76 (10 self)
Abstract
We formalize the Dolev-Yao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the Dolev-Yao model using this notation, and to analyze the complexity of the secrecy problem under various restrictions. We prove that, even for the case where we restrict the size of messages and the depth of message encryption, the secrecy problem is undecidable for the case of an unrestricted number of protocol roles and an unbounded number of new nonces. We also identify several decidable classes, including a DEXP-complete class when the number of nonces is restricted, and an NP-complete class when both the number of nonces and the number of roles is restricted. We point out a remaining open complexity problem, and discuss the implications these results have on the general topic of protocol analysis.
CAPSL Integrated Protocol Environment
In Proc. of DARPA Information Survivability Conference (DISCEX 2000), pp. 207-221, IEEE Computer Society, 2000
Cited by 67 (7 self)
Abstract
CAPSL, a Common Authentication Protocol Specification Language, is a high-level language to support security analysis of cryptographic authentication and key distribution protocols. It is translated to CIL, an intermediate language expressing state transitions with term-rewriting rules. Connectors are being written to adapt CIL to supply input to different security analysis tools, including PVS for inductive verification and Maude for model-checking.
Compiling and Verifying Security Protocols
2000
Cited by 61 (7 self)
Abstract
We propose a direct and fully automated translation from standard security protocol descriptions to rewrite rules. This compilation defines non-ambiguous operational semantics for protocols and intruder behavior: they are rewrite systems executed by applying a variant of AC-narrowing. The rewrite rules are processed by the theorem prover daTac. Multiple instances of a protocol can be run simultaneously as well as a model of the intruder (among several possible). The existence of flaws in the protocol is revealed by the derivation of an inconsistency. Our implementation of the compiler CASRUL, together with the prover daTac, permitted us to derive security flaws in many classical cryptographic protocols.
Relating Strands and Multiset Rewriting for Security Protocol Analysis (Extended Abstract)
2000
I. Cervesato (ITT Industries, iliano@itd.nrl.navy.mil), N. Durgin and J. Mitchell (Stanford University, {nad, jcm}@cs.stanford.edu), P. Lincoln (SRI International, lincoln@csl.sri.com), A. Scedrov (U. of Pennsylvania, scedrov@cis.upenn.edu)
Cited by 56 (13 self)
Abstract
Formal analysis of security protocols is largely based on a set of assumptions commonly referred to as the Dolev-Yao model. Two formalisms that state the basic assumptions of this model are related here: strand spaces [6] and multiset rewriting with existential quantification [2, 5]. Although it is fairly intuitive that these two languages should be equivalent in some way, a number of modifications to each system are required to obtain a meaningful equivalence. We extend the strand formalism with a way of incrementally growing bundles in order to emulate an execution of a protocol with parametric strands. We omit the initialization part of the multiset rewriting setting, which formalizes the choice of initial data, such as shared public or pr...
Typed MSR: Syntax and Examples
First International Workshop on Mathematical Methods, Models and Architectures for Computer Networks Security (MMM'01), 2001
Cited by 45 (26 self)
Abstract
Many design flaws and incorrect analyses of cryptographic protocols can be traced to inadequate specification languages for message components, environment assumptions, and goals. In this paper, we present MSR, a strongly typed specification language for security protocols, which is intended to address the first two issues. Its typing infrastructure, based on the theory of dependent types with subsorting, yields elegant and precise formalizations, and supports a useful array of static checks that include typechecking and access control validation. It uses multiset rewriting rules to express the actions of the protocol. The availability of memory predicates enables it to faithfully encode systems consisting of a collection of coordinated subprotocols, and constraints allow tackling objects belonging to complex interpretation domains, e.g. time stamps, in an abstract and modular way. We apply MSR to the specification of several examples.
Building Equational Proving Tools by Reflection in Rewriting Logic
In Cafe: An Industrial-Strength Algebraic Formal Method, 1998
Cited by 40 (21 self)
Abstract
This paper explains the design and use of two equational proving tools, namely an inductive theorem prover, to prove theorems about equational specifications with an initial algebra semantics, and a Church-Rosser checker, to check whether such specifications satisfy the Church-Rosser property. These tools can be used to prove properties of order-sorted equational specifications in Cafe [11] and of membership equational logic specifications in Maude [7, 6]. The tools have been written entirely in Maude and are in fact executable specifications in rewriting logic of the formal inference systems that they implement.
The Dolev-Yao Intruder is the Most Powerful Attacker
Proceedings of the Sixteenth Annual Symposium on Logic in Computer Science (LICS'01), 2001
Cited by 30 (1 self)
Abstract
Most systems designed for the verification of security protocols operate under the unproved assumption that an attack can only result from the combination of a fixed number of message transformations, which altogether constitute the capabilities of the so-called Dolev-Yao intruder. In this paper, we prove that the Dolev-Yao intruder can indeed emulate the actions of an arbitrary adversary. In order to do so, we extend MSR, a flexible specification framework for security protocols based on typed multiset rewriting, with a static check called access control, aimed at catching specification errors such as a principal trying to use a key that she is not entitled to access. Cryptographic protocols are increasingly used to secure transactions over the Internet and protect access to computer systems. Their design and analysis are notoriously complex and error-prone. Sources of difficulty include subtleties in the cryptographic primitives they rely on, and their deployment in distributed envi...
A Tool for Lazy Verification of Security Protocols
In ASE 2001, 2001
Cited by 29 (8 self)
Abstract
We present the lazy strategy implemented in a compiler of cryptographic protocols, Casrul. The purpose of this compiler is to verify protocols and to translate them into rewrite rules that can be used by several kinds of automatic or semi-automatic tools for finding flaws, or proving properties. It is entirely automatic, and the efficiency of the generated rules is guaranteed because of the use of a lazy model of an intruder behavior. This efficiency is illustrated on several examples.
A Specification Language for Crypto-Protocols based on Multiset Rewriting, Dependent Types and Subsorting
2001
Cited by 26 (14 self)
Abstract
MSR is an unambiguous, flexible, powerful and relatively simple specification framework for crypto-protocols. It uses multiset rewriting rules over first-order atomic formulas to express protocol actions and relies on a form of existential quantification to symbolically model the generation of nonces and other fresh data. It supports an array of useful static checks that include typechecking and data access verification. In this paper, we give a detailed presentation of the typing infrastructure of MSR, which is based on the theory of dependent types with subsorting. We prove that typechecking protocol specifications is decidable and show that execution preserves well-typing. We illustrate these features by formalizing a well-known protocol in MSR.