PAULSON, L. Mechanized proofs of security protocols: Needham-schroeder with public keys. Tech. Rep. 413, University of Cambridge Computer Laboratory, 1997.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....here is radically di#erent in syntax, semantics and implementation, and in particular it is much faster. Several logic based approaches have been applied to verification problems of security protocols. Among them, trace semantics is at the basis of the verification methods proposed, e.g. in [33, 34, 6, 5]. In [34] Paulson models a protocol in presence of an intruder as an inductively defined set of traces, and uses Isabelle and HOL to prove interactively the absence of attacks. Paulson s approach works on an infinite state search space. Our approach is actually closer to Basin s method [5] where ....

....our approach would be to extend the bottom up evaluation strategy to the multi conclusion setting as suggested by Bozzano [9] Most of the above work can analyze a finite number of protocol sessions. Noteworthy exception to this rule are: firstly, the approaches based on Theorem Proving (Paulson [33, 34]) together with the NRL analyzer, that require human intervention to limit the search space. Secondly, the works based on some form of abstraction, which does not guarantee completeness, like Abadi and Blanchet [2] which is based on types) and Schneider s work on rank functions [38] Blanchet ....

L. C. Paulson. Mechanized proofs of security protocols: Needham-Schroeder with public keys. Technical Report 413, University of Cambridge, Computer Laboratory, January 1997.

....completeness it would have failed, indicating the absence of such an attack. 6 Related Works In recent years several logic based approaches have been applied to veri cation problems of security protocols. Among them, trace semantics is at the basis of the veri cation methods proposed, e.g. in [18, 19, 3, 2]. In [19] Paulson models a protocol in presence of an intruder as an inductively de ned sets of traces, and uses Isabelle HOL to interactively prove the absence of attacks. Paulson s approach works on an 38 in nite state search space. In our approach we use instead proofs structured as trees to ....

L. C. Paulson. Mechanized proofs of security protocols: Needham-Schroeder with public keys. Technical Report 413, University of Cambridge, Computer Laboratory, January 1997.

....the attack by Mallory. This argument shows that changing the protocol eliminates one attack, but how do we know that there are no attacks on the repaired protocol There are several analyses of the repaired Needham Schroeder protocol that establish correctness under a specific set of assumptions [23, 27, 36, 41]. 3 Methods for protocol analysis 3.1 Security analysis Security analysis involves analysis of system activities when a malicious attacker interferes with the operation of the system. From a scientific point of view, the most significant problem in analyzing security protocols is accurate ....

L.C. Paulson. Mechanized proofs of security protocols: Needham-schroeder with public keys. Technical Report 413, University of Cambridge Computer Lab, 1997.

....among principals as logical inferences [3, 13] Although this method can deal with systems with an in nite number of states, it does not allow automatic veri cation and tends to require a speci c extension of modal logic for each kind of authentication protocol. Paulson took a di erent approach [10, 11]. He formalized a state transition system representing an authentication protocol using his theorem prover Isabelle HOL [12] He also formalized the knowledge that each principal can obtain by inductive de nitions in higher order logic. This allows to analyze possible transitions in a protocol as ....

....authentication protocols by this approach. We borrow his approach, because possible transitions of the protocol can be naturally de ned in our framework. In this section, to show the power of our framework, we explain how the correctness of the revised version of the Needham Schroeder protocol [6, 11] can be veri ed in the framework. 3.1 Needham Schroeder The set closure(M; S) denotes the set of messages that the intruder can generate. This set should be de ned by decomposing messages in M , introducing nonces in nonce(M;S) and composing messages from them. For the Needham Schroeder ....

Lawrence C. Paulson. Mechanized Proofs of Security Protocols: Needham-Schroeder with Public Keys. Technical Report 413, Computer Laboratory, University of Cambridge, Jan. 1997.

....often good intuitive reasons for believing that the limited check would find any attack, these are generally difficult to formalise into a component of a complete proof. Therefore it has been necessary to look to other varieties of tool, such as theorem provers (see, for example, Paulson s work [16]) for proofs once one s model checker has failed to find an attack. Secondly, it means that questions of no loss of service (in the presence, for example, of an attacker who makes a finite but unbounded number of interventions) are difficult to address, even though the formalisms (such as CSP) ....

L.C. Paulson, Mechanized Proofs of Security Protocols: Needham-Schroeder with Public Keys, Report 413, Cambridge University Computer Lab (1997).

....of knowledge. Keywords: temporal and modal logics, non classical resolution, theorem proving 1 Introduction Combinations of logics have been useful for specifying and reasoning about complex situations, for example multi agent systems [21, 24] accident analysis [15] and security protocols [18]. For example, logics to formalise multi agent systems often incorporate a dynamic component representing change of over time; an informational component to capture the agent s knowledge or beliefs; and a motivational component for notions such as goals, wishes, desires or intentions. Often ....

L. C. Paulson. Mechanized proofs of security protocols: Needham-schroeder with public keys. Technical Report 413, Computer Laboratory, University of Cambridge, January 1997.

....often good intuitive reasons for believing that the limited check would find any attack, these are generally difficult to formalise into a component of a complete proof. Therefore it has been necessary to look to other varieties of tool, such as theorem provers (see, for example, Paulson s work [23]) for proofs once one s model checker has failed to find an attack. Secondly, it means that questions of no loss of service (in the presence, for example, of an attacker who makes a finite but unbounded number of interventions) are difficult to address, even though the formalisms (such as CSP) ....

L.C. Paulson, Mechanized Proofs of Security Protocols: Needham-Schroeder with Public Keys, Report 413, Cambridge University Computer Lab, 1997.

....message to A. It is left vague whether B necessarily sent this message recently, and whether A may receive two messages for a single message sent by B, and so the above goal can be interpreted in different ways. However, this goal is clearly similar to Roscoe s intensional specification. Paulson [17, 18] uses the theorem prover Isabelle to analyse security protocols. He proves properties of the form: if A receives a message of a certain form, which appears to come from B, then B indeed sent that message. Thus his notion of authentication is similar to our non injective agreement. The form of ....

L. Paulson. Mechanized Proofs of Security Protocols: Needham-Schroeder with Public Keys. Technical Report 413, University of Cambridge Computer Laboratory, 1997.

....A has a private key priK A and public key pubKA. The operators clientK and serverK create symmetric keys from a triple of nonces. Modelling the underlying pseudo random number generator causes some complications compared with the treatment of simple public key protocols such as Needham Schroeder [5]. The common properties of clientK and serverK are captured in the constant sessionK, which is merely assumed to be injective and to generate session keys. consts sessionK : nat nat nat) nat = key clientK, serverK : nat nat nat = key rules injsessionK inj sessionK isSymsessionK ....

Lawrence C. Paulson. Mechanized proofs of security protocols: Needham-Schroeder with public keys. Technical Report 413, Computer Laboratory, University of Cambridge, January 1997.

....directed against implementation flaws. I have applied the inductive method to the three variants of the OtwayRees protocol described here, to a recursive generalization of it, to two variants of Yahalom, to a simplified version of Woo Lam [2] and to NeedhamSchroeder (both shared and public key [21] versions) 5 Proofs are highly automated: one command can generate tens or hundreds of inferences, and small changes to protocols involve only small changes to proof scripts. Bolignano [6] is developing a similar method. The similarity is most obvious in the realm of message analysis. His ....

L. C. Paulson. Mechanized proofs of security protocols: Needham-Schroeder with public keys. Technical Report 413, Computer Laboratory, University of Cambridge, Jan. 1997.

....protocols of the literature have been analysed with the support of the generic theorem prover Isabelle. Several guarantees (nearly two hundred theorems in all) have been established about the following protocols: Needham Schroeder (both shared key and publickey) Otway Rees, Yahalom [8, 9, 10]. A new attack has been discovered in a variant of the Otway Rees protocol. In H. Orman and C. Meadows, editors, DIMACS Workshop on Design and Formal Veri cation of Security Protocols, Rutgers University New Jersey (USA) September 1997. The inductive approach has also been tailored to ....

L. C. Paulson. Mechanized proofs of security protocols: Needham-Schroeder with public keys. Cambridge University, Computer Laboratory, Technical Report No. 413, 1997.

....contains theories for proving the correctness of cryptographic protocols. The approach is based upon operational semantics [38] rather than the more usual belief logics. On the same directory are proofs for some standard examples, such as the Needham Schroeder public key authentication protocol [36] and the Otway Rees protocol. Directory HOL IMP contains a formalization of various denotational, operational and axiomatic semantics of a simple while language, the necessary equivalence proofs, soundness and completeness of the Hoare rules with respect to the denotational semantics, and ....

Lawrence C. Paulson. Mechanized proofs of security protocols: NeedhamSchroeder with public keys. Technical Report 413, Computer Laboratory, University of Cambridge, January 1997.

....protocols of the literature have been analysed with the support of the generic theorem prover Isabelle. Several guarantees (nearly two hundred theorems in all) have been established about the following protocols: Needham Schroeder (both shared key and publickey) Otway Rees, Yahalom [8, 9, 10]. A new attack has been discovered in a variant of the Otway Rees protocol. The inductive approach has also been tailored to analyse real world protocols. The first one tackled in this field is Kerberos [5, 1] whose analysis has Giampaolo.Bella cl.cam.ac.uk y Larry.Paulson cl.cam.ac.uk ....

L. C. Paulson. Mechanized proofs of security protocols: Needham-Schroeder with public keys. Cambridge University, Computer Laboratory, Technical Report No. 413, 1997.

No context found.

PAULSON, L. Mechanized proofs of security protocols: Needham-schroeder with public keys. Tech. Rep. 413, University of Cambridge Computer Laboratory, 1997.

No context found.

L. C. Paulson. Mechanized proofs of security protocols: Needham-Schroeder with public keys. T.R. 413, Univ. of Cambridge, Computer Laboratory, January 1997.

No context found.

Lawrence C. Paulson. Mechanized Proofs of Security Protocols: NeedhamSchroeder with Public Key. Technical Report 413, Computer Laboratory, University of Cambridge, 1997.

No context found.

L. C.Paulson, Mechanized Proofs of Security Protocols: Needham-Schroeder with Public Keys. Technical Report 413, University of Cambridge, Computer Laboratory, January 1997.

No context found.

Paulson, L. C. (1997b). Mechanized proofs of security protocols: Needham-Schroeder with public keys. Technical Report 413, University of Cambridge, Computer Laboratory.

No context found.

Paulson, L. C.: Mechanized proofs of security protocols: Needham-Schroeder with public keys. TR 432 (Jan 1997) Cambridge University Computer Laboratory

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC