Results 1–10 of 28
Automated verification of equivalence properties of cryptographic protocols, 2012
Folding variant narrowing and optimal variant termination
In WRLA 2010, LNCS 6381:52–68, 2010
Cited by 9 (5 self)
Abstract
If a set of equations E ∪ Ax is such that E is confluent, terminating, and coherent modulo Ax, narrowing with E modulo Ax provides a complete E ∪ Ax-unification algorithm. However, except for the hopelessly inefficient case of full narrowing, nothing seems to be known about effective narrowing strategies in the general modulo case beyond the quite depressing observation that basic narrowing is incomplete modulo AC. In this work we propose an effective strategy based on the idea of the E ∪ Ax-variants of a term that we call folding variant narrowing. This strategy is complete, both for computing E ∪ Ax-unifiers and for computing a minimal complete set of variants for any input term. And it is optimally variant terminating in the sense of terminating for an input term t iff t has a finite, complete set of variants. The applications of folding variant narrowing go beyond providing a complete E ∪ Ax-unification algorithm: computing the E ∪ Ax-variants of a term may be just as important as computing E ∪ Ax-unifiers in recent applications of folding variant narrowing such as termination methods modulo axioms, and checking confluence and coherence of rules modulo axioms.
Vertical protocol composition
In CSF, 2011
Cited by 6 (1 self)
Abstract
The security of key exchange and secure channel protocols, such as TLS, has been studied intensively. However, only a few works have considered what happens when the established keys are actually used—to run some protocol securely over the established “channel”. We call this a vertical protocol composition, and it is truly commonplace in today’s communication with the diversity of VPNs and secure browser sessions. In fact, it is normal that we have several layers of secure channels: For instance, on top of a VPN connection, a browser may establish another secure channel (possibly with a different end point). Even using the same protocol several times in such a stack of channels is not unusual: An application may very well establish another TLS channel over an established one. We call this self-composition. In fact, there is nothing that tells us that all these compositions are sound, i.e., that the combination cannot introduce attacks that the individual protocols in isolation do not have. In this work, we prove a composability result in the symbolic model that allows for arbitrary vertical composition (including self-composition). It holds for protocols from any suite of channel and application protocols that fulfills a number of sufficient preconditions. These preconditions are satisfied for many practically relevant protocols such as TLS.
Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties
Cited by 5 (2 self)
Abstract
Recently Kuesters et al. proposed two new methods using ProVerif for analyzing cryptographic protocols with Exclusive-Or and Diffie-Hellman properties. Some tools, for instance CL-AtSe and OFMC, are able to deal with Exclusive-Or and Diffie-Hellman. In this article we compare the time efficiency of these tools verifying some protocols of the literature that are designed with such algebraic properties.
Establishing and Preserving Protocol Security Goals, 2012
Cited by 5 (4 self)
Abstract
We take a model-theoretic viewpoint on security goals and how to establish them. The models are (possibly fragmentary) executions. Security goals such as authentication and confidentiality are implications over the geometric fragment of predicate logic, i.e. implications Φ → Ψ where Φ and Ψ are built from atomic formulas without negations, implications, or universal quantifiers. Security goals are then essentially statements about homomorphisms where the source is a minimal (fragmentary) model of the antecedent Φ. If every homomorphism to a model representing a non-fragmentary, complete execution factors through a model in which Ψ is satisfied, then the goal is achieved. This idea suggests validating security goals via a process of information enrichment. This idea also clarifies protocol transformation. A protocol transformation preserves security goals when it preserves the form of the information enrichment process. We formalize this idea using simulation relations between labeled transition systems.
Automated analysis of security protocols with global state, 2013
Cited by 4 (0 self)
Abstract
Security APIs, key servers and protocols that need to keep the status of transactions require maintaining a global, non-monotonic state, e.g., in the form of a database or register. However, most existing automated verification tools do not support the analysis of such stateful security protocols – sometimes because of fundamental reasons, such as the encoding of the protocol as Horn clauses, which are inherently monotonic. A notable exception is the recent tamarin prover which allows specifying protocols as multiset rewrite (msr) rules, a formalism expressive enough to encode state. As multiset rewriting is a “low-level” specification language with no direct support for concurrent message passing, encoding protocols correctly is a difficult and error-prone process. We propose a process calculus which is a variant of the applied pi calculus with constructs for manipulation of a global state by processes running in parallel. We show that this language can be translated to msr rules whilst preserving all security properties expressible in a dedicated first-order logic for security properties. The translation has been implemented in a prototype tool which uses the tamarin prover as a backend. We apply the tool to several case studies among which a simplified fragment of PKCS#11, the Yubikey security token, and an optimistic contract signing protocol.
Symbolic Protocol Analysis for Diffie-Hellman
Cited by 2 (2 self)
Abstract
We extend symbolic protocol analysis to apply to protocols using Diffie-Hellman operations. Diffie-Hellman operations act on a cyclic group of prime order, together with an exponentiation operator. The exponents form a finite field. This rich algebraic structure has resisted previous symbolic approaches. We work in an algebra defined by the normal forms of a rewriting theory (modulo associativity and commutativity). These normal forms allow us to define our crucial notion of indicator, a vector of integers that summarizes how many times each secret exponent appears in a message. We prove that the adversary can never construct a message with a new indicator in our adversary model. Using this invariant, we prove the main security goals achieved by several different protocols that use Diffie-Hellman operators in subtle ways. We also give a model-theoretic justification of our rewriting theory: the theory proves all equations that are uniformly true as the order of the cyclic group varies.
An Algebra for Symbolic Diffie-Hellman Protocol Analysis
Cited by 1 (1 self)
Abstract
We study the algebra underlying symbolic protocol analysis for protocols using Diffie-Hellman operations. Diffie-Hellman operations act on a cyclic group of prime order, together with an exponentiation operator. The exponents form a finite field: this rich algebraic structure has resisted previous symbolic approaches. We define an algebra that validates precisely the equations that hold almost always as the order of the cyclic group varies. We realize this algebra as the set of normal forms of a particular rewriting theory. The normal forms allow us to define our crucial notion of indicator, a vector of integers that summarizes how many times each secret exponent appears in a message. We prove that the adversary can never construct a message with a new indicator in our adversary model. Using this invariant, we prove the main security goals achieved by UM, a protocol using Diffie-Hellman for implicit authentication.
Despite vigorous research in symbolic analysis of security protocols, many
Modular Termination of Basic Narrowing and Equational Unification, 2009
Cited by 1 (1 self)
Abstract
Basic narrowing is a restricted form of narrowing which constrains narrowing steps to a set of unblocked (or basic) positions. In this work, we study the modularity of termination of basic narrowing in hierarchical combinations of TRSs, which provides new algorithmic criteria to prove termination of basic narrowing. Basic narrowing has a number of important applications including equational unification in canonical theories. Another application is analyzing termination of narrowing by checking the termination of basic narrowing, as done in pioneering work by Hullot. As a particularly interesting application, we consider solving equations modulo a theory that is given by a TRS, and then distill a number of modularity results for the decidability of equational unification via the modularity of basic narrowing (completeness and) termination.
Unification modulo a property of the El Gamal Encryption Scheme
UNIF 2012 – The 26th Workshop on Unification, 2012
Cited by 1 (1 self)
Abstract
Equational Unification has recently been applied in the field of formal analysis of cryptographic protocols. Formal methods have been very useful in detecting nontrivial flaws in protocols and also to verify their correctness; see Meadows [7] for a survey of formal verification of cryptographic protocols. Terms in this