Multiset Rewriting and the Complexity of Bounded Security Protocols
Journal of Computer Security, 2002
Cited by 76 (10 self)
We formalize the Dolev-Yao model of security protocols, using a notation based on multi-set rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the Dolev-Yao model using this notation, and to analyze the complexity of the secrecy problem under various restrictions. We prove that, even for the case where we restrict the size of messages and the depth of message encryption, the secrecy problem is undecidable for the case of an unrestricted number of protocol roles and an unbounded number of new nonces. We also identify several decidable classes, including a DEXP-complete class when the number of nonces is restricted, and an NP-complete class when both the number of nonces and the number of roles is restricted. We point out a remaining open complexity problem, and discuss the implications these results have on the general topic of protocol analysis.
CAPSL Integrated Protocol Environment
In Proc. of DARPA Information Survivability Conference (DISCEX 2000), pp. 207-221, IEEE Computer Society, 2000
Cited by 67 (7 self)
CAPSL, a Common Authentication Protocol Specification Language, is a high-level language to support security analysis of cryptographic authentication and key distribution protocols. It is translated to CIL, an intermediate language expressing state transitions with term-rewriting rules. Connectors are being written to adapt CIL to supply input to different security analysis tools, including PVS for inductive verification and Maude for model-checking.
Compiling and Verifying Security Protocols
2000
Cited by 61 (7 self)
We propose a direct and fully automated translation from standard security protocol descriptions to rewrite rules. This compilation defines non-ambiguous operational semantics for protocols and intruder behavior: they are rewrite systems executed by applying a variant of AC-narrowing. The rewrite rules are processed by the theorem-prover daTac. Multiple instances of a protocol can be run simultaneously as well as a model of the intruder (among several possible). The existence of flaws in the protocol is revealed by the derivation of an inconsistency. Our implementation of the compiler CASRUL, together with the prover daTac, permitted us to derive security flaws in many classical cryptographic protocols.
Relating Strands and Multiset Rewriting for Security Protocol Analysis (Extended Abstract)
2000
Cited by 56 (13 self)
I. Cervesato (ITT Industries), N. Durgin and J. Mitchell (Stanford University), P. Lincoln (SRI International), A. Scedrov (U. of Pennsylvania)
Abstract: Formal analysis of security protocols is largely based on a set of assumptions commonly referred to as the Dolev-Yao model. Two formalisms that state the basic assumptions of this model are related here: strand spaces [6] and multiset rewriting with existential quantification [2, 5]. Although it is fairly intuitive that these two languages should be equivalent in some way, a number of modifications to each system are required to obtain a meaningful equivalence. We extend the strand formalism with a way of incrementally growing bundles in order to emulate an execution of a protocol with parametric strands. We omit the initialization part of the multiset rewriting setting, which formalizes the choice of initial data, such as shared public or pr...
Typed MSR: Syntax and Examples
First International Workshop on Mathematical Methods, Models and Architectures for Computer Networks Security (MMM'01), 2001
Cited by 45 (26 self)
Many design flaws and incorrect analyses of cryptographic protocols can be traced to inadequate specification languages for message components, environment assumptions, and goals. In this paper, we present MSR, a strongly typed specification language for security protocols, which is intended to address the first two issues. Its typing infrastructure, based on the theory of dependent types with subsorting, yields elegant and precise formalizations, and supports a useful array of static checks that include type-checking and access control validation. It uses multiset rewriting rules to express the actions of the protocol. The availability of memory predicates enables it to faithfully encode systems consisting of a collection of coordinated subprotocols, and constraints allow tackling objects belonging to complex interpretation domains, e.g. time stamps, in an abstract and modular way. We apply MSR to the specification of several examples.
Building Equational Proving Tools by Reflection in Rewriting Logic
In Cafe: An Industrial-Strength Algebraic Formal Method, 1998
Cited by 40 (21 self)
This paper explains the design and use of two equational proving tools, namely an inductive theorem prover, to prove theorems about equational specifications with an initial algebra semantics, and a Church-Rosser checker, to check whether such specifications satisfy the Church-Rosser property. These tools can be used to prove properties of order-sorted equational specifications in Cafe [11] and of membership equational logic specifications in Maude [7, 6]. The tools have been written entirely in Maude and are in fact executable specifications in rewriting logic of the formal inference systems that they implement.
The Dolev-Yao Intruder is the Most Powerful Attacker
Proceedings of the Sixteenth Annual Symposium on Logic in Computer Science (LICS'01), 2001
Cited by 30 (1 self)
Most systems designed for the verification of security protocols operate under the unproved assumption that an attack can only result from the combination of a fixed number of message transformations, which altogether constitute the capabilities of the so-called Dolev-Yao intruder. In this paper, we prove that the Dolev-Yao intruder can indeed emulate the actions of an arbitrary adversary. In order to do so, we extend MSR, a flexible specification framework for security protocols based on typed multiset rewriting, with a static check called access control, aimed at catching specification errors such as a principal trying to use a key that she is not entitled to access. Cryptographic protocols are increasingly used to secure transactions over the Internet and protect access to computer systems. Their design and analysis are notoriously complex and error-prone. Sources of difficulty include subtleties in the cryptographic primitives they rely on, and their deployment in distributed envi...
A Tool for Lazy Verification of Security Protocols
In ASE 2001, 2001
Cited by 29 (8 self)
We present the lazy strategy implemented in a compiler of cryptographic protocols, Casrul. The purpose of this compiler is to verify protocols and to translate them into rewrite rules that can be used by several kinds of automatic or semi-automatic tools for finding flaws, or proving properties. It is entirely automatic, and the efficiency of the generated rules is guaranteed by the use of a lazy model of intruder behavior. This efficiency is illustrated on several examples.
A Specification Language for Crypto-Protocols based on Multiset Rewriting, Dependent Types and Subsorting
2001
Cited by 26 (14 self)
MSR is an unambiguous, flexible, powerful and relatively simple specification framework for crypto-protocols. It uses multiset rewriting rules over first-order atomic formulas to express protocol actions and relies on a form of existential quantification to symbolically model the generation of nonces and other fresh data. It supports an array of useful static checks that include type-checking and data access verification. In this paper, we give a detailed presentation of the typing infrastructure of MSR, which is based on the theory of dependent types with subsorting. We prove that type-checking protocol specifications is decidable and show that execution preserves well-typing. We illustrate these features by formalizing a well-known protocol in MSR.