Results 1  10
of
184
Constraint Solving for BoundedProcess Cryptographic Protocol Analysis
 CCS'01
, 2001
"... The reachability problem for cryptographic protocols with nonatomic keys can be solved via a simple constraint satisfaction procedure. ..."
Abstract

Cited by 178 (3 self)
 Add to MetaCart
The reachability problem for cryptographic protocols with nonatomic keys can be solved via a simple constraint satisfaction procedure.
Intruder deductions, constraint solving and insecurity decision in presence of exclusive or
, 2003
"... We present decidability results for the verification of cryptographic protocols in the presence of equational theories corresponding to xor and Abelian groups. Since the perfect cryptography assumption is unrealistic for cryptographic primitives with visible algebraic properties such as xor, we exte ..."
Abstract

Cited by 91 (12 self)
 Add to MetaCart
(Show Context)
We present decidability results for the verification of cryptographic protocols in the presence of equational theories corresponding to xor and Abelian groups. Since the perfect cryptography assumption is unrealistic for cryptographic primitives with visible algebraic properties such as xor, we extend the conventional DolevYao model by permitting the intruder to exploit these properties. We show that the ground reachability problem in NP for the extended intruder theories in the cases of xor and Abelian groups. This result follows from a normal proof theorem. Then, we show how to lift this result in the xor case: we consider a symbolic constraint system expressing the reachability (e.g., secrecy) problem for a finite number of sessions. We prove that such constraint system is decidable, relying in particular on an extension of combination algorithms for unification procedures. As a corollary, this enables automatic symbolic verification of cryptographic protocols employing xor for a fixed number of sessions.
Formal Methods for Cryptographic Protocol Analysis: Emerging Issues and Trends
, 2003
"... The history of the application of formal methods to cryptographic protocol analysis spans over 20 years and recently has been showing signs of new maturity and consolidation. Not only have a number of specialized tools been developed, and generalpurpose ones been adapted, but people have begun apply ..."
Abstract

Cited by 77 (0 self)
 Add to MetaCart
The history of the application of formal methods to cryptographic protocol analysis spans over 20 years and recently has been showing signs of new maturity and consolidation. Not only have a number of specialized tools been developed, and generalpurpose ones been adapted, but people have begun applying these tools to realistic protocols, in many cases supplying feedback to designers that can be used to improve the protocol’s security. In this paper, we will describe some of the ongoing work in this area, as well as describe some of the new challenges and the ways in which they are being met.
Deciding the security of protocols with DiffieHellman exponentiation and products in exponents
, 2003
"... ..."
Tree Automata With One Memory, Set Constraints and Cryptographic Protocols
"... We introduce a class of tree automata that perform tests on a memory that is updated using function symbol application and projection. The language emptiness problem for this class of tree automata is shown to be in DEXPTIME. ..."
Abstract

Cited by 72 (3 self)
 Add to MetaCart
We introduce a class of tree automata that perform tests on a memory that is updated using function symbol application and projection. The language emptiness problem for this class of tree automata is shown to be in DEXPTIME.
An OnTheFly ModelChecker for Security Protocol Analysis
 In Proceedings of Esorics’03, LNCS 2808
, 2003
"... www.infsec.ethz.ch/~{basin,moedersheim,vigano} ..."
Verification of cryptographic protocols: Tagging enforces termination
 THEORETICAL COMPUTER SCIENCE
, 2003
"... In experiments with a resolutionbased verification method for cryptographic protocols, we could enforce its termination by tagging, a syntactic transformation of messages that leaves attackfree executions invariant. In this paper, we generalize the experimental evidence: we prove that the verific ..."
Abstract

Cited by 70 (6 self)
 Add to MetaCart
In experiments with a resolutionbased verification method for cryptographic protocols, we could enforce its termination by tagging, a syntactic transformation of messages that leaves attackfree executions invariant. In this paper, we generalize the experimental evidence: we prove that the verification method always terminates for tagged protocols.
Computationally sound, automated proofs for security protocols
, 2005
"... Abstract. Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomi ..."
Abstract

Cited by 70 (14 self)
 Add to MetaCart
(Show Context)
Abstract. Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomialtime attacks. The other approach relies on a symbolic model of protocol executions in which cryptographic primitives are treated as black boxes. Since the seminal work of Dolev and Yao, it has been realized that this latter approach enables significantly simpler and often automated proofs. However, the guarantees that it offers have been quite unclear. In this paper, we show that it is possible to obtain the best of both worlds: fully automated proofs and strong, clear security guarantees. Specifically, for the case of protocols that use signatures and asymmetric encryption, we establish that symbolic integrity and secrecy proofs are sound with respect to the computational model. The main new challenges concern secrecy properties for which we obtain the first soundness result for the case of active adversaries. Our proofs are carried out using Casrul, a fully automated tool. 1
A survey of algebraic properties used in cryptographic protocols
 JOURNAL OF COMPUTER SECURITY
"... Cryptographic protocols are successfully analyzed using formal methods. However, formal approaches usually consider the encryption schemes as black boxes and assume that an adversary cannot learn anything from an encrypted message except if he has the key. Such an assumption is too strong in general ..."
Abstract

Cited by 69 (20 self)
 Add to MetaCart
(Show Context)
Cryptographic protocols are successfully analyzed using formal methods. However, formal approaches usually consider the encryption schemes as black boxes and assume that an adversary cannot learn anything from an encrypted message except if he has the key. Such an assumption is too strong in general since some attacks exploit in a clever way the interaction between protocol rules and properties of cryptographic operators. Moreover, the executability of some protocols relies explicitly on some algebraic properties of cryptographic primitives such as commutative encryption. We give a list of some relevant algebraic properties of cryptographic operators, and for each of them, we provide examples of protocols or attacks using these properties. We also give an overview of the existing methods in formal approaches for analyzing cryptographic proto
An improved constraintbased system for the verification of security protocols
 9TH INT. STATIC ANALYSIS SYMP. (SAS), VOLUME LNCS 2477
, 2002
"... We propose a constraintbased system for the verification of security protocols that improves upon the one developed by Millen and Shmatikov [30]. Our system features (1) a significantly more efficient implementation, (2) a monotonic behavior, which also allows to detect flaws associated to partial ..."
Abstract

Cited by 61 (15 self)
 Add to MetaCart
(Show Context)
We propose a constraintbased system for the verification of security protocols that improves upon the one developed by Millen and Shmatikov [30]. Our system features (1) a significantly more efficient implementation, (2) a monotonic behavior, which also allows to detect flaws associated to partial runs and (3) a more expressive syntax, in which a principal may also perform explicit checks. In this paper we also show why these improvements yield a more effective and practical system.