Results 11-20 of 278
An On-The-Fly Model-Checker for Security Protocol Analysis
In Proceedings of ESORICS'03, LNCS 2808, 2003
"... www.infsec.ethz.ch/~{basin,moedersheim,vigano} ..."
A survey of algebraic properties used in cryptographic protocols
Journal of Computer Security
Cited by 69 (20 self)
Abstract
Cryptographic protocols are successfully analyzed using formal methods. However, formal approaches usually consider the encryption schemes as black boxes and assume that an adversary cannot learn anything from an encrypted message except if he has the key. Such an assumption is too strong in general since some attacks exploit in a clever way the interaction between protocol rules and properties of cryptographic operators. Moreover, the executability of some protocols relies explicitly on some algebraic properties of cryptographic primitives such as commutative encryption. We give a list of some relevant algebraic properties of cryptographic operators, and for each of them, we provide examples of protocols or attacks using these properties. We also give an overview of the existing methods in formal approaches for analyzing cryptographic proto
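The point made in this abstract, that an intruder who can exploit the algebra of an operator such as XOR learns more than the black-box model predicts, as an added example (this is not code from the survey or from any of the tools listed on this page). It assumes a small term encoding of its own and a constructed set of observed messages; the Gaussian-elimination check for XOR derivability is the standard linear-algebra view of XOR combinations over GF(2), not a procedure taken from the paper.

```python
"""Intruder deduction with encryption as a black box versus with XOR algebra.

Term encoding (an assumption of this example, not a notation from the survey):
  - atoms are plain strings, e.g. "k", "n", "s"
  - ("pair", a, b)          concatenation
  - ("enc", m, k)           symmetric encryption of m under key k
  - ("xor", frozenset(...)) an XOR-sum already normalised modulo associativity,
                            commutativity, x^x = 0 and x^0 = x: the frozenset
                            holds the summands of odd multiplicity
"""


def _vector(term, index):
    """Map a term to a GF(2) vector (int bitmask). Every non-XOR term is a free
    generator; an XOR term is the sum of its summands' generators."""
    parts = term[1] if isinstance(term, tuple) and term[0] == "xor" else (term,)
    v = 0
    for p in parts:
        v ^= 1 << index.setdefault(p, len(index))
    return v


def _reduce(v, basis):
    """Reduce v against an echelon basis keyed by highest set bit."""
    while v:
        hb = v.bit_length() - 1
        if hb not in basis:
            return v
        v ^= basis[hb]
    return 0


def in_xor_span(known, target):
    """True iff target is an XOR-combination of known terms.
    Because XOR is associative, commutative and nilpotent, the terms the intruder
    can build by XOR-ing what it knows form a GF(2) vector space, so the question
    is Gaussian elimination, not term enumeration."""
    index = {}
    vectors = [_vector(t, index) for t in known]
    basis = {}
    for v in vectors:
        v = _reduce(v, basis)
        if v:
            basis[v.bit_length() - 1] = v
    return _reduce(_vector(target, index), basis) == 0


def derivable(knowledge, target, xor_theory=False):
    """Saturate the intruder knowledge under the Dolev-Yao analysis rules
    (split pairs, decrypt with a derivable key) and report whether target is
    derivable. With xor_theory=False, XOR terms are opaque blobs (the black-box
    model); with xor_theory=True the intruder may also XOR terms together."""
    known = set(knowledge)

    def key_known(k):
        return k in known or (xor_theory and in_xor_span(known, k))

    changed = True
    while changed:
        changed = False
        for t in list(known):
            new = set()
            if isinstance(t, tuple):
                if t[0] == "pair":
                    new = {t[1], t[2]}
                elif t[0] == "enc" and key_known(t[2]):
                    new = {t[1]}
                elif t[0] == "xor" and xor_theory:
                    # A summand (possibly a ciphertext) can be peeled out of a
                    # known XOR term if it is itself in the span of what is known.
                    new = {p for p in t[1] if in_xor_span(known, p)}
            if not new <= known:
                known |= new
                changed = True
    return target in known or (xor_theory and in_xor_span(known, target))


# Constructed scenario (not a real protocol trace): the intruder has seen {s}_k,
# the pad k XOR n, and the nonce n.
OBSERVED = [("enc", "s", "k"), ("xor", frozenset({"k", "n"})), "n"]


def black_box_result():
    # Black-box model: k XOR n is an opaque term, k stays unknown, s stays secret.
    return derivable(OBSERVED, "s", xor_theory=False)


def xor_aware_result():
    # With the XOR theory: (k XOR n) XOR n = k, then decrypt {s}_k.
    return derivable(OBSERVED, "s", xor_theory=True)


if __name__ == "__main__":
    print("black-box model says s is derivable:", black_box_result())
    print("XOR-aware model says s is derivable:", xor_aware_result())
```

The same knowledge set gives opposite verdicts in the two models, which is exactly why an analyser that treats encryption and its companion operators as free symbols can certify a protocol that is broken once the algebra is taken into account.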
An improved constraint-based system for the verification of security protocols
9th Int. Static Analysis Symp. (SAS), volume LNCS 2477, 2002
Cited by 61 (15 self)
Abstract
We propose a constraint-based system for the verification of security protocols that improves upon the one developed by Millen and Shmatikov [30]. Our system features (1) a significantly more efficient implementation, (2) a monotonic behavior, which also allows the detection of flaws associated with partial runs, and (3) a more expressive syntax, in which a principal may also perform explicit checks. In this paper we also show why these improvements yield a more effective and practical system.
Compiling and Verifying Security Protocols
2000
Cited by 61 (7 self)
Abstract
We propose a direct and fully automated translation from standard security protocol descriptions to rewrite rules. This compilation defines non-ambiguous operational semantics for protocols and intruder behavior: they are rewrite systems executed by applying a variant of AC-narrowing. The rewrite rules are processed by the theorem prover daTac. Multiple instances of a protocol can be run simultaneously as well as a model of the intruder (among several possible). The existence of flaws in the protocol is revealed by the derivation of an inconsistency. Our implementation of the compiler CASRUL, together with the prover daTac, permitted us to derive security flaws in many classical cryptographic protocols.
Protocol independence through disjoint encryption
In Proceedings, 13th Computer Security Foundations Workshop. IEEE Computer, 2000
Cited by 60 (13 self)
Abstract
One protocol (called the primary protocol) is independent of other protocols (jointly called the secondary protocol) if the question whether the primary protocol achieves a security goal never depends on whether the secondary protocol is in use. In this paper, we use multi-protocol strand spaces ([27], cf. [28]) to prove that two cryptographic protocols are independent if they use encryption in non-overlapping ways. This theorem (Proposition 7.2) applies even if the protocols share public key certificates and secret key "tickets." We use the method of [8, 7] to study penetrator paths, namely sequences of penetrator actions connecting regular nodes (message transmissions or receptions) in the two protocols. Of special interest are inbound linking paths, which lead from a message transmission in the secondary protocol to a message reception in the primary protocol. We show that bundles can be modified to remove all inbound linking paths, if encryption does not overlap in the two protocols. The resulting bundle does not depend on any activity of the secondary protocol. We illustrate this method using the Neuman-Stubblebine protocol as an example [21, 27].
New Decidability Results for Fragments of First-Order Logic and Application to Cryptographic Protocols
2003
Cited by 54 (18 self)
Abstract
We consider a new extension of the Skolem class for first-order logic and prove its decidability by resolution techniques. We then extend this class including the built-in equational theory of exclusive or. Again, we prove the decidability of the class by resolution techniques.
Authentication Tests and the Structure of Bundles
Theoretical Computer Science, 2002
Cited by 54 (19 self)
Abstract
Suppose a principal in a cryptographic protocol creates and transmits a message containing a new value v, later receiving v back in a different cryptographic context. It can conclude that some principal possessing the relevant key has received and transformed the message in which v was emitted. In some circumstances, this principal must be a regular participant of the protocol, not the penetrator. An inference of this kind is an authentication test. We introduce two main kinds of authentication test. An outgoing test is one in which the new value v is transmitted in encrypted form, and only a regular participant can extract it from that form. An incoming test is one in which v is received back in encrypted form, and only a regular participant can put it in that form. We combine these two tests with a supplementary idea, the unsolicited test, and a related method for checking that keys remain secret. Together, these techniques determine what authentication properties are achieved by a wide range of cryptographic protocols. In this paper we introduce authentication tests and prove their soundness. We illustrate their power by giving new and straightforward proofs of security goals for several protocols. We also illustrate how to use the authentication tests as a heuristic for finding attacks against incorrect protocols. Finally, we suggest a protocol design process. We express these ideas in the strand space formalism [Thayer, Herzog, and Guttman (1999b, Journal of Computer Security, 7, 191-230)], which provides a convenient context to prove them correct.
SAT-based Model-Checking for Security Protocols Analysis
Cited by 53 (4 self)
Abstract
We present a model checking technique for security protocols based on a reduction to propositional logic. At the core of our approach is a procedure that, given a description of the protocol in a multiset rewriting formalism and a positive integer k, builds a propositional formula whose models (if any) correspond to attacks on the protocol. Thus, finding attacks on protocols boils down to checking a propositional formula for satisfiability, a problem that is usually solved very efficiently by modern SAT solvers. Experimental results indicate that the approach scales up to industrial strength security protocols with performance comparable with (and in some cases superior to) that of other state-of-the-art protocol analysers.
The CL-Atse Protocol Analyser
2006
Cited by 51 (5 self)
Abstract
This paper presents an overview of the CL-Atse tool, an efficient and versatile automatic analyser for the security of cryptographic protocols. CL-Atse takes as input a protocol specified as a set of rewriting rules (IF format, produced by the AVISPA compiler), and uses rewriting and constraint solving techniques to model all reachable states of the participants and decide if an attack exists w.r.t. the Dolev-Yao intruder. Any state-based security property can be modelled (like secrecy, authentication, fairness, etc.), and the algebraic properties of operators like xor or exponentiation are taken into account with far fewer limitations than in other tools, thanks to a complete modular unification algorithm. Useful constraints like typing, inequalities, or shared sets of knowledge (with set operations like removes, negative tests, etc.) can also be analysed.
Analyzing a Library of Security Protocols using Casper and FDR
In Workshop on Formal Methods and Security Protocols, 1999
Cited by 50 (0 self)
Abstract
In this paper we describe the analysis of a library of fifty security protocols using FDR, a model checker for the process algebra CSP, and Casper, a compiler that produces the CSP descriptions from a more concise description. We succeed in finding nearly all of the attacks previously reported upon these protocols; in addition, we identify several new attacks.

1 Introduction

In recent years, model checking has proved to be a very successful way for analyzing security protocols. In this paper we describe the application of model checking techniques to Clark and Jacob's library of security protocols [3]. This library has been the subject of a previous study [2], with which we can compare our results. We have used FDR, a model checker for the process algebra CSP [9], for the analysis. The CSP descriptions of the protocols were prepared using Casper [7], a compiler that produces the CSP from a more concise description. The ease of our techniques is evidenced by the fact that most of the a...