Results 1 - 10 of 66
A Rewriting-Based Inference System for the NRL Protocol Analyzer and its Meta-Logical Properties
2005
Cited by 41 (20 self)
The NRL Protocol Analyzer (NPA) is a tool for the formal specification and analysis of cryptographic protocols that has been used with great effect on a number of complex real-life protocols. One of the most interesting of its features is that it can be used to reason about security in face of attempted attacks on low-level algebraic properties of the functions used in a protocol. Indeed, it has been used successfully to either reproduce or discover a number of such attacks. In this paper we give for the first time a precise formal specification of the main features of the NPA inference system: its grammar-based techniques for invariant generation and its backwards reachability analysis method. This formal specification is given within the well-known rewriting framework so that the inference system is specified as a set of rewrite rules modulo an equational theory describing the behavior of the cryptographic algorithms involved. We then use this formalization to prove some important meta-logical properties about the NPA inference system, including the soundness and completeness of the search algorithm and soundness of the grammar generation algorithm. The formalization and soundness and completeness theorems not only provide also a better understanding of the NPA as it currently operates, but provide a modular basis which can be used as a starting point for increasing the types of equational theories it can handle.
A Method for Automatic Cryptographic Protocol Verification
2000
Cited by 40 (4 self)
We present an automatic, terminating method for verifying confidentiality properties, and to a lesser extent freshness properties of cryptographic protocols. It is based on a safe abstract interpretation of cryptographic protocols using a specific extension of tree automata, parameterized tree automata, which mix automata-theoretic techniques with deductive features. Contrary to most model-checking approaches, this method offers actual security guarantees. It owes much to D. Bolignano's ways of modeling cryptographic protocols and to D. Monniaux' seminal idea of using tree automata to verify cryptographic protocols by abstract interpretation. It extends the latter by adding new deductive abilities, and by offering the possibility of analyzing protocols in the presence of parallel multi-session principals, following some ideas by M. Debbabi, M. Mejri, N. Tawbi, and I. Yahmadi. 1 Introduction When secrets are to be preserved, or authenticity of messages is to be establish...
A Tool for Lazy Verification of Security Protocols
In ASE 2001
2001
Cited by 29 (8 self)
We present the lazy strategy implemented in a compiler of cryptographic protocols, Casrul. The purpose of this compiler is to verify protocols and to translate them into rewrite rules that can be used by several kinds of automatic or semi-automatic tools for finding flaws, or proving properties. It is entirely automatic, and the efficiency of the generated rules is guaranteed because of the use of a lazy model of an Intruder behavior. This efficiency is illustrated on several examples.
Automated Security Protocol Analysis with the AVISPA Tool
In Proceedings of MFPS’05
2006
Cited by 27 (5 self)
The AVISPA Tool is a push-button tool for the Automated Validation of Internet Security Protocols and Applications. It provides a modular and expressive formal language for specifying protocols and their security properties, and integrates different back-ends that implement a variety of automatic protocol analysis techniques. Experimental results, carried out on a large library of Internet security protocols, indicate that the AVISPA Tool is a state-of-the-art tool for Internet security protocol analysis as, to our knowledge, no other tool exhibits the same level of scope and robustness while enjoying the same performance and scalability.
Abstraction and Resolution Modulo AC: How to Verify Diffie-Hellman-like Protocols Automatically
2003
Cited by 26 (6 self)
We show how cryptographic protocols using Diffie-Hellman primitives, i.e., modular exponentiation on a fixed generator, can be encoded in Horn clauses modulo associativity and commutativity. In order to obtain a sufficient criterion of security, we design a complete (but not sound in general) resolution procedure for a class of flattened clauses modulo simple equational theories, including associativity-commutativity. We report on a practical implementation of this algorithm in the MOP modular platform for automated proving; in particular, we obtain the first fully automated proof of security of the IKA.1 initial key agreement protocol in the so-called pure eavesdropper model.
Rewriting Approximations for Fast Prototyping of Static Analyzers
Research Report RR 5997, INRIA
2006
Cited by 25 (15 self)
This paper shows how to construct static analyzers using tree automata and rewriting techniques. Starting from a term rewriting system representing the operational semantics of the target programming language and given a program to analyze, we automatically construct an over-approximation of the set of reachable terms, i.e. of the program states that can be reached. The approach enables fast prototyping of static analyzers because modifying the analysis simply amounts to changing the set of rewrite rules defining the approximation. A salient feature of this approach is that the approximation is correct by construction and hence does not require an explicit correctness proof. To illustrate the framework proposed here on a realistic programming language we instantiate it with the Java Virtual Machine semantics and perform class analysis on Java bytecode programs.
Automatic verification of time sensitive cryptographic protocols
10th International Conference, TACAS 2004, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2004, pages 342 – 356
2004
Cited by 18 (2 self)
We investigate the applicability of symbolic exploration to the automatic verification of secrecy and authentication properties for time sensitive cryptographic protocols. Our formal specifications are given in multiset rewriting over first order atomic formulas enriched with constraints so as to uniformly model fresh name generation and validity condition of time stamps. Our verification approach is based on data structures for symbolically representing sets of configurations of an arbitrary number of parallel protocol sessions. As a case study we discuss the verification of timed authentication for the Wide Mouth Frog protocol.
The open-source fixed-point model checker for symbolic analysis of security protocols
In: FOSAD 2007–2008–2009, LNCS
2009
Cited by 16 (2 self)
We introduce the Open-source Fixed-point Model Checker OFMC for symbolic security protocol analysis, which extends the On-the-fly Model Checker (the previous OFMC). The native input language of OFMC is the AVISPA Intermediate Format IF. OFMC also supports AnB, a new Alice-and-Bob-style language that extends previous similar languages with support for algebraic properties of cryptographic operators and with a simple notation for different kinds of channels that can be used both as assumptions and as protocol goals. AnB specifications are automatically translated to IF. OFMC performs both protocol falsification and bounded session verification by exploring, in a demand-driven way, the transition system resulting from an IF specification. OFMC’s effectiveness is due to the integration of a number of symbolic, constraint-based techniques, which are correct and terminating. The two major techniques are the lazy intruder, which is a symbolic representation of the intruder, and constraint differentiation, which is a general search-reduction technique that integrates the lazy intruder with ideas from partial-order reduction. Moreover, OFMC allows one to analyze security protocols with respect to an algebraic theory of the employed cryptographic operators, which can be specified as part of the input. We also sketch the ongoing integration of fixed-point-based techniques for protocol verification for an unbounded number of sessions.