Jonathan K. Millen, Sidney C. Clark, and Sheryl B. Freedman. The Interrogator: Protocol security analysis. IEEE Transactions on Software Engineering, SE-13(2):274-288, February 1987.  Home/Search   Document Not in Database   Summary   Related Articles   Check

.... such as the BAN logic [12] used in [31] theorem proving, used in Isabelle [41] rank functions [29] typing [2, 13, 30] abstract interpretation [8, 9, 28, 37] model checking, rewriting, and related techniques, used in Elan [15] Brutus [16] Maude [22] FDR [33] NRL [34] the Interrogator [35], Mur [36] Athena [43] Most existing protocol veri ers based on model checking su er from the problem of the state space explosion, and they need very large resources to verify even relatively simple protocols. Moreover, in general, they limit the number of runs of the protocol This work was ....

....in practice. We have applied it to prove secrecy properties of several protocols of the literature, including Skeme [32] or to nd attacks against them. 3 Related work Logic programming and similar formalisms have already been used in a number of works on cryptographic protocols, for example [21, 22, 34, 35, 46]. We propose a more abstract representation of the protocols than [22, 34] that enables us to design a simpler and faster analysis, and to avoid limiting the number of runs of the protocol, thus improving over most model checkers. Of course, the additional approximations imply that our analysis ....

J. K. Millen, S. C. Clark, and S. B. Freedman. The Interrogator: Protocol Security Analysis. IEEE Transactions on Software Engineering, SE-13(2):274{ 288, Feb. 1987.

....later work on the formal analysis of cryptographic protocols is based on this model or some variant of it. Shortly later, work began on developing tools for the analysis of security protocols in general, all of which were based on the Dolev Yao model or some variant, including the Interrogator [56], the NRL Protocol Analyzer [46] and the the LongleyRigby tool [42] Others applied general purpose formal methods to the problem [39] Most of this work used some type of state exploration technique, in which a state space is defined and then explored by the tool to determine if there are any ....

J. K. Millen, S. C. Clark, and S. B. Freedman. The Interrogator: protocol security analysis. IEEE Transactions on Software Engineering, SE-13(2), 1987.

.... such as the BAN logic [11] used in [23] theorem proving, used in Isabelle [33] rank functions [21] typing [2, 12, 22] abstract interpretation [7, 8, 20, 29] model checking, rewriting, and related techniques, used in Elan [13] Brutus [14] Maude [16] FDR [25] NRL [26] the Interrogator [27], Mur [28] Athena [35] Most existing protocol verifiers based on model checking suffer from the problem of the state space explosion, and they need very large resources to verify even relatively simple protocols. Moreover, in general, they limit the number of runs of the This work was partly ....

....efficient in practice. We have applied it to prove secrecy properties of several protocols of the literature, including Skeme [24] or to find attacks against them. Related work Prolog rules and similar formalisms have already been used in a number of works on cryptographic protocols, for example [16, 26, 27]. We propose a more abstract representation of the protocols, that enables us to design a simpler and faster analysis, and to avoid limiting the number of runs of the protocol, thus improving over most model checkers. Of course, the additional approximations imply that our analysis may not be able ....

J. K. Millen, S. C. Clark, and S. B. Freedman. The Interrogator: Protocol Security Analysis. IEEE Transactions on Software Engineering, SE-13(2):274--288, Feb. 1987.

....analysis, only one type of requirement was considered, and that was the simplest: that some term or set of terms designated as secret should not be learned by the intruder. Some of the earlier work on automated cryptographic protocol analysis, such as the first versions of the Interrogator [24], also restricted itself to this limited definition of secrecy. Others, such as the earlier versions of the NRL Protocol Analyzer[20] allowed the user to specify security in terms of the unreachability of insecure states, in which it was possible to specify such a state in terms of words known by ....

J. K. Millen, S. C. Clark, and S. B. Freedman. The Interrogator: Protocol Security Analysis. IEEE Transactions on Software Engineering, SE-13(2), 1987.

....can play any of the roles in the protocol 1 (e.g. in case of two party protocols, anybody can be initiator as well as responder) We further assume that principals may run several instances of the protocol concurrently, and play different roles in different instances. As usual in the literature [8], we assume that the network is under the control of the attacker. This means that the attacker can observe every message sent via the network, furthermore, it can intercept, modify, generate, delay, and replay messages or parts of them. We assume that the attacker knows the protocol that is run ....

J. Millen, S. Clark, and S. Freedman. The Interrogator: Protocol security analysis. IEEE Transactions on Software Engineering, SE- 13(2):274-288, February 1987.

....VA 22303 USA ilianoitd. nrl. navy. rail 1 Introduction The rationale of authentication has been a topic of study for about a decade and a half. First attempts at formal analysis of authentication protocols were not using logics per se, but were certainly logical. Millen s Interrogator [Mi184,MCF87] was a Prolog based tool specifically designed for authentication protocol analysis that functioned essentially as a special purpose model checker. Kemmerer used the general purpose formal specification language Ina Jo and an accompanying symbolic execution tool Inatest to specify and analyze ....

Jonathan K. Millen, Sidney C. Clark, and Sheryl B. Freedman. The Inter- rogator: Protocol security analysis. IEEE Transactions on Software Engineer- ing, 13(2):274 288, 1987.

....analysis of the Needham Schroeder protocol using the BAN logic is given in [BAN90] However, this analysis did not find the security problem subsequently reported in [Low95] although it was an authentication problem. Another approach consists of using state machines. In the Interrogator system [MCF87] the participants are modelled as communicating state machines and the network is assumed to be under the control of an intruder, which can intercept messages, destroy or modify them, or pass them through unmodified. Given a final state in which the intruder knows something which should be ....

J. Millen, S. Clark, and S. Freedman. The Interrogator: Protocol Security Analysis. IEEE Transactions on Software Engineering, SE-13(2), 1987.

....are not sufficiently suited for analysis of attacks on cryptographic protocols. 2. Expert system based approaches: The knowledge of human experts is formalized into deductive rules that can be used by a protocol designer to investigate different scenarios in an automated or even interactive way [23, 29]. While this approach is well suited to analyze a protocol s resistance to known attacks it does not allow to find flaws in a protocol that are based on unknown attacking techniques [38, p. 66] Copyright at Technical University Berlin. All rights reserved. 2.3. CONCLUSION 3. Algebraic ....

J. K. Millen, S. C. Clark, and S. B. Freedman. The Interrogator: Protocol Security Analysis. IEEE Transactions on Software Engineering, 13(2):274--288, 1987.

....common and important case in which the cryptographic keys are messages of bounded size. Introduction The problem of the automatic verification of cryptographic protocols has received great attention and by now various algorithms and tools for checking security properties are available, see e.g. [13, 14, 15, 12, 21, 11, 19, 18, 22, 7]. These algorithms and tools typically analyse a formal model that describes the flow of information and the interaction between principals (as specified by the protocol) in a hostile environment, that is, in the presence of attackers. In general this analysis is infinite state. Indeed, even when ....

....M closed and M derivable (OUT) t ; #M#. P (SPLIT) t ; let (M, N) x, y) in P M, y N ] CASE) t ; case in P (MATCH) t ; if M = M then P t ; Q t # ; Q # t # ; P The entailment relation K M can be presented in different ways: by rewrite systems [13, 15], by deductive systems [21, 7] by inductive definitions [20] or by axioms [24] For our purposes, it is important that it be presented as a deductive system. The definition follows. The set of messages known to the environment is always ....

J. Millen, S. Clark, and S. Freedman. The Interrogator: Protocol security analysis. IEEE Transactions on Software Engineering, SE-13(2):274--288, 1987.

....simple and powerful. He can mimic very easily real world non cryptographic and non repetitive attacks on the behaviour of the protocol. The idea of explicitly introducing an intruder was first proposed in [DEK82, DY83] in another setting. This idea was then used in the Interrogator system 16 [MCF87] where the participants are modelled as communicating state machines and the network is assumed to be under the control of an intruder, which can intercept messages, destroy or modify them, or pass them through unmodified. The NRL Protocol Analyser [KMM94, Mea94] is similar to the Interrogator, ....

J. Millen, S. Clark, and S. Freedman. The Interrogator: Protocol Security Analysis. IEEE Transactions on Software Engineering, SE-13(2), 1987.

....K from alone. Thus, the idealized security properties of encryption are modeled (rather than defined) They are built into the model of computation on expressions. This body of literature starts with the work of Dolev and Yao [17] DeMillo, Lynch, and Merritt [15] Millen, Clark, and Freedman [35], Kemmerer [30] Burrows, Abadi, and Needham [13] and Meadows [34] It includes many di#erent agendas and approaches, with a variety of techniques from the fields of rewriting, modal logic, process algebra, and others. Over the years, it has been used in the design of protocols, it has helped ....

Jonathan K. Millen, Sidney C. Clark, and Sheryl B. Freedman. The Interrogator: Protocol security analysis. IEEE Transactions on Software Engineering, SE-13(2):274--288, February 1987.

....that a hostile intruder can not get hold of secret information (e.g. a private key) or to force unjust authentication. Unfortunately, the design of cryptographic protocols appears to be rather error prone. This gave impulse to research on the formal verification of security protocols see e.g. [13, 6, 20, 23, 18, 28, 29]. In this setting several approaches are based on Dolev and Yao s [13] where it is proposed to test a protocol explicitly against a hostile intruder who has complete control over the network, can intercept and forge messages. By an exhaustive search, one can establish whether the protocol is ....

....are based on Dolev and Yao s [13] where it is proposed to test a protocol explicitly against a hostile intruder who has complete control over the network, can intercept and forge messages. By an exhaustive search, one can establish whether the protocol is flawed or not as shown, e.g. in [23, 21, 8, 16]. Clearly, a crucial aspect in this approach is try to limit the search space explosion that occurs when modelling the intruder s behaviour . To this end, many solutions have been employed, ranging from human intervention to the use of approximations. In recent work [15, 30, 22] this problem has ....

J. K. Millen, S. C. Clark, and S. B. Freedman. The Interrogator: Protocol security analysis. IEEE Trans. on Software Engineering, 13(2):274--288, 1987.

....in possible plaintext lying around on secondary storage. Encoding messages to be sent to another entity must also be carried out correctly in order for decoding to proceed without any errors and this is often a difficult task. Tools such as the NRL Protocol Analyzer [23] the Interrogator [14] and the Higher Order Logic (HOL) based cryptographic tool [10] have been developed to aid in analyzing security protocols. The Interrogator is a Prolog based program that searches for security vulnerabilities in network protocols used for automatic cryptographic key distribution, while the NRL ....

S.C. Clark, S.B. Freedman, and J.K. Millen. The Interrogator: Protocol Security Analysis. IEEE Transactions on Software Engineering, SE-13(2), 1987.

....value resulting from applying an easy function (one in EN C ) to values in has may be added to has . We restrict the reveal(u) output so that u 2 has , that is, Eve can only report a value that it has . Similar treatments of known information appear elsewhere in the literature, for example, in [12, 19, 28, 27]. Eve(C; P; A) eavesdrop(u) p;q;a , u 2 set C , p; q 2 P , p 6= q, a 2 A learn(u)a , u 2 set C , a 2 A reveal (u)a , u 2 set C , a 2 A compute(u; f)a , f 2 EN C , a 2 A has set C , initially ; u 2 has compute(u; f)a fu1 ; ukg s:has u = f(u1 ; uk ) ....

Jonathan K. Millen, Sidney C. Clark, and Sheryl B. Freedman. The Interrogator: Protocol security analysis. IEEE Transactions on Software Engineering, SE-13(2):274-- 288, February 1987.

No context found.

Jonathan K. Millen, Sidney C. Clark, and Sheryl B. Freedman. The Interrogator: Protocol security analysis. IEEE Transactions on Software Engineering, SE-13(2):274-288, February 1987.

No context found.

J. K. Millen, S. C. Clark, S. B. Freedman, "The Interrogator: Protocol Security Analysis", IEEE Transactions on Software Engineering, SE-13(2):274-288, 1987.

No context found.

J. K. Millen, S. C. Clark, S. B. Freedman, "The Interrogator: Protocol Security Analysis", IEEE Transactions on Software Engineering, SE-13(2):274-288, 1987.

No context found.

J. K. Millen, S. C. Clark, S. B. Freedman, "The Interrogator: Protocol Security Analysis", IEEE Transactions on Software Engineering, SE-13(2):274-288, 1987.

No context found.

J. K. Millen, S. C. Clark, and S. B. Freedman. The Interrogator: Protocol security analysis. IEEE Transactions on Software Engineering, SE-13(2):274--288, February 1987.

No context found.

J. K. Millen, S. C. Clark, and S. B. Freedman. The Interrogator: Protocol security analysis. IEEE Transactions on Software Engineering, SE-13(2):274--288, February 1987.

No context found.

J. K. Millen, S. C. Clark, S. B. Freedman, "The Interrogator: Protocol Security Analysis", IEEE Transactions on Software Engineering, SE-13(2):274-288, 1987.

No context found.

J. K. Millen, S. C. Clark, S. B. Freedman, "The Interrogator: Protocol Security Analysis", IEEE Transactions on Software Engineering, SE-13(2):274-288, 1987.

No context found.

J. K. Millen, S. C. Clark, S. B. Freedman, "The Interrogator: Protocol Security Analysis", IEEE Transactions on Software Engineering, SE-13(2):274-288, 1987.

No context found.

J.K. Millen, S.C. Clark, and S.B. Freedman. The interrogator: Protocol security analysis. IEEE Transactions on Software Engineering, SE-13(2), 1987.

No context found.

J. K. Millen, S. C. Clark, and S. B. Freedman. The Interrogator: Protocol security analysis. IEEE Transactions on Software Engineering, 13(2):274--288, 1987.

First 50 documents  Next 50

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC