Results 1  10
of
391
Refinement types for secure implementations
 IN 21ST IEEE COMPUTER SECURITY FOUNDATIONS SYMPOSIUM (CSF’08
, 2008
"... We present the design and implementation of a typechecker for verifying security properties of the source code of cryptographic protocols and access control mechanisms. The underlying type theory is a λcalculus equipped with refinement types for expressing pre and postconditions within firstorde ..."
Abstract

Cited by 114 (25 self)
 Add to MetaCart
(Show Context)
We present the design and implementation of a typechecker for verifying security properties of the source code of cryptographic protocols and access control mechanisms. The underlying type theory is a λcalculus equipped with refinement types for expressing pre and postconditions within firstorder logic. We derive formal cryptographic primitives and represent active adversaries within the type theory. Welltyped programs enjoy assertionbased security properties, with respect to a realistic threat model including key compromise. The implementation amounts to an enhanced typechecker for the general purpose functional language F#; typechecking generates verification conditions that are passed to an SMT solver. We describe a series of checked examples. This is the first tool to verify authentication properties of cryptographic protocols by typechecking their source code.
Automated verification of selected equivalences for security protocols
 IN 20TH IEEE SYMPOSIUM ON LOGIC IN COMPUTER SCIENCE (LICS’05
, 2005
"... In the analysis of security protocols, methods and tools for reasoning about protocol behaviors have been quite effective. We aim to expand the scope of those methods and tools. We focus on proving equivalences P ≈ Q in which P and Q are two processes that differ only in the choice of some terms. Th ..."
Abstract

Cited by 104 (12 self)
 Add to MetaCart
In the analysis of security protocols, methods and tools for reasoning about protocol behaviors have been quite effective. We aim to expand the scope of those methods and tools. We focus on proving equivalences P ≈ Q in which P and Q are two processes that differ only in the choice of some terms. These equivalences arise often in applications. We show how to treat them as predicates on the behaviors of a process that represents P and Q at the same time. We develop our techniques in the context of the applied pi calculus and implement them in the tool ProVerif.
Verified interoperable implementations of security protocols
"... We present an architecture and tools for verifying implementations of security protocols. Our implementations can run with both concrete and symbolic implementations of cryptographic algorithms. The concrete implementation is for production and interoperability testing. The symbolic implementation i ..."
Abstract

Cited by 80 (28 self)
 Add to MetaCart
We present an architecture and tools for verifying implementations of security protocols. Our implementations can run with both concrete and symbolic implementations of cryptographic algorithms. The concrete implementation is for production and interoperability testing. The symbolic implementation is for debugging and formal verification. We develop our approach for protocols written in F#, a dialect of ML, and verify them by compilation to ProVerif, a resolutionbased theorem prover for cryptographic protocols. We establish the correctness of this compilation scheme, and we illustrate our approach with protocols for Web Services security. Categories and Subject Descriptors: F.3.2 [Theory of Computation]: Logics and meanings of programs—
Computationally sound, automated proofs for security protocols
, 2005
"... Abstract. Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomi ..."
Abstract

Cited by 70 (13 self)
 Add to MetaCart
(Show Context)
Abstract. Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomialtime attacks. The other approach relies on a symbolic model of protocol executions in which cryptographic primitives are treated as black boxes. Since the seminal work of Dolev and Yao, it has been realized that this latter approach enables significantly simpler and often automated proofs. However, the guarantees that it offers have been quite unclear. In this paper, we show that it is possible to obtain the best of both worlds: fully automated proofs and strong, clear security guarantees. Specifically, for the case of protocols that use signatures and asymmetric encryption, we establish that symbolic integrity and secrecy proofs are sound with respect to the computational model. The main new challenges concern secrecy properties for which we obtain the first soundness result for the case of active adversaries. Our proofs are carried out using Casrul, a fully automated tool. 1
A survey of algebraic properties used in cryptographic protocols
 JOURNAL OF COMPUTER SECURITY
"... Cryptographic protocols are successfully analyzed using formal methods. However, formal approaches usually consider the encryption schemes as black boxes and assume that an adversary cannot learn anything from an encrypted message except if he has the key. Such an assumption is too strong in general ..."
Abstract

Cited by 69 (20 self)
 Add to MetaCart
(Show Context)
Cryptographic protocols are successfully analyzed using formal methods. However, formal approaches usually consider the encryption schemes as black boxes and assume that an adversary cannot learn anything from an encrypted message except if he has the key. Such an assumption is too strong in general since some attacks exploit in a clever way the interaction between protocol rules and properties of cryptographic operators. Moreover, the executability of some protocols relies explicitly on some algebraic properties of cryptographic primitives such as commutative encryption. We give a list of some relevant algebraic properties of cryptographic operators, and for each of them, we provide examples of protocols or attacks using these properties. We also give an overview of the existing methods in formal approaches for analyzing cryptographic proto
Secrecy Types for Asymmetric Communication
, 2001
"... We develop a typed process calculus for security protocols in which types convey secrecy properties. We focus on asymmetric communication primitives, especially on publickey encryption. These present special difficulties, partly because they rely on related capabilities (e.g., "public" an ..."
Abstract

Cited by 68 (6 self)
 Add to MetaCart
We develop a typed process calculus for security protocols in which types convey secrecy properties. We focus on asymmetric communication primitives, especially on publickey encryption. These present special difficulties, partly because they rely on related capabilities (e.g., "public" and "private" keys) with different levels of secrecy and scopes.
An improved constraintbased system for the verification of security protocols
 9TH INT. STATIC ANALYSIS SYMP. (SAS), VOLUME LNCS 2477
, 2002
"... We propose a constraintbased system for the verification of security protocols that improves upon the one developed by Millen and Shmatikov [30]. Our system features (1) a significantly more efficient implementation, (2) a monotonic behavior, which also allows to detect flaws associated to partial ..."
Abstract

Cited by 61 (15 self)
 Add to MetaCart
(Show Context)
We propose a constraintbased system for the verification of security protocols that improves upon the one developed by Millen and Shmatikov [30]. Our system features (1) a significantly more efficient implementation, (2) a monotonic behavior, which also allows to detect flaws associated to partial runs and (3) a more expressive syntax, in which a principal may also perform explicit checks. In this paper we also show why these improvements yield a more effective and practical system.
Just fast keying in the pi calculus
, 2004
"... Abstract. JFK is a recent, attractive protocol for fast key establishment as part of securing IP communication. In this paper, we analyze it formally in the applied pi calculus (partly in terms of observational equivalences, partly with the assistance of an automatic protocol verifier). We treat JFK ..."
Abstract

Cited by 59 (6 self)
 Add to MetaCart
(Show Context)
Abstract. JFK is a recent, attractive protocol for fast key establishment as part of securing IP communication. In this paper, we analyze it formally in the applied pi calculus (partly in terms of observational equivalences, partly with the assistance of an automatic protocol verifier). We treat JFK’s core security properties, and also other properties that are rarely articulated and studied rigorously, such as resistance to denialofservice attacks. In the course of this analysis we found some ambiguities and minor problems, but we mostly obtain positive results about JFK. For this purpose, we develop ideas and techniques that should be useful more generally in the specification and verification of security protocols. 1