Vitaly Shmatikov and John Mitchell. Finite-state analysis of two contract signing protocols. Theoretical Computer Science, special issue on Theoretical Foundations of Security Analysis and Design, 283(2):419--450, 2002.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....about the Internet Key Exchange protocol, a component of proposals for IP security [12] The reasoning, although enlightening in some respects, was not a full verification. The finite state model checker Murphi has served for the verification of SSL 3. 0 [13] and of contract signing protocols [16]. Somewhat similarly, Mocha has been used for the verification of contract signing protocols within a game model [11] Contract signing protocols have some high level similarities to protocols for certified email. Largely because of tool characteristics, the proofs in Murphi and Mocha require ....

V. Shmatikov and J. C. Mitchell. Finite-state analysis of two contract signing protocols. Theoretical Computer Science, 283(2):419--450, June 2002.

....about the Internet Key Exchange protocol, a component of proposals for IP security [12] The reasoning, although enlightening in some respects, was not a full veri cation. The nite state model checker Murphi has served for the veri cation of SSL 3. 0 [13] and of contract signing protocols [16]. Somewhat similarly, Mocha has been used for the veri cation of contract signing protocols within a game model [11] Contract signing protocols have some high level similarities to protocols for certi ed email. Largely because of tool characteristics, the proofs in Murphi and Mocha require ....

V. Shmatikov and J. C. Mitchell. Finite-state analysis of two contract signing protocols. Theoretical Computer Science, 283(2):419-450, June 2002.

....commerce protocols, such as fairness, cannot be expressed in this way. However, it is still possible to use model checkers designed for checking safety properties to analyze at least an approximation of the safety and liveness properties. Indeed, this was done by Shmatikov and Mitchell in [73], in which several attacks are found on published contract signing protocols, including ways in which, for one protocol, a malicious principal can produce inconsistent versions of the contract and mount a replay attack, and for another protocol, the trusted third party is able to allow abuse or ....

V. Shmatikov and J. Mitchell. Finite-state analysis of two contract-signing protocols. Theoretical Computer Science, (2):419--450 June 2000. Special Issue on Security, Roberto Gorrieri, ed.

....In addition, it does not seem to be appropriate to capture the notion of rationality, which is not a limitation itself, since it was not the goal of the authors to formalize the concept of rational exchange. Various other approaches to formal analysis of fair exchange protocols are described in [24, 10, 25], but these papers are only loosely related to our work as they do not use game theory (although the model of [10] could easily be related to a game) and they are concerned with fair exchange instead of rational exchange. 7 Conclusion We presented a formal model of exchange protocols based on ....

V. Shmatikov and J. Mitchell. Finite-state analysis of two contract signing protocols. Theoretical Computer Science, 283(2):419--450, June 2002.

.... be written once, the property is a safety property because we can tell in nite time whether it is violated (i.e. after both outputs have been written) Using a safety property is a natural way of formalizing fairness because it is close to invariantbased protocol analysis which is rather common [36]. While other authors often do not separate their correctness conditions into safety and liveness parts, the relevant aspect of fairness is usually a safety property [32, 36] 3.3.5. Fairness as a liveness property In the same direction, the notion of weak fairness was investigated. Informally, ....

.... property is a natural way of formalizing fairness because it is close to invariantbased protocol analysis which is rather common [36] While other authors often do not separate their correctness conditions into safety and liveness parts, the relevant aspect of fairness is usually a safety property [32, 36]. 3.3.5. Fairness as a liveness property In the same direction, the notion of weak fairness was investigated. Informally, weak fairness means that a possible disadvantage can occur but that it can be eventually refuted. If the disadvantage within the system is not permanent, i.e. there exist ....

[Article contains additional citation context not shown here]

Shmatikov, V. and Mitchell, J. C. (2002) Finite-state analysis of two contract signing protocols. Theoretical Computer Science, 283, 419-450.

....protocols and less interesting to contract signing protocols. Boyd and Kearny [4] used the specification animation tool Possum to analyze a fair exchange protocol. The tool gives the possibility to step through the protocol and examine the consequences of various actions. Shmatikov and Mitchell [17, 18, 19] used the finite state tool Mur# to examine fair exchange and contract signing protocols. Chadha et al. 6] used the multiset rewriting formalism combined to inductive methods to analyse abusefree contract signing. These two methods will be discussed in more details in the paper. Recently, Kremer ....

....that Bob controls the communication channels and adversarial behavior Alice is not going to help Bob to cheat her are useful in this context. In this paper we will above all focus on the analysis of abuse freeness. This property has known some di#culties to be modeled in other formalisms (cf [19]) and has however a natural representation in form of strategies. Moreover, we here present the first complete modeling of abuse freeness for verification purposes. In [19] and [6] a variant of abuse freeness, called balance, has been studied. We also formally show the relationship between ....

[Article contains additional citation context not shown here]

V. Shmatikov and J. Mitchell. Finite-state analysis of two contract signing protocols. Special issue of Theoretical Computer Science on security, 2001.

....and fair exchange protocols. First works have been done on non repudiation protocols using CSP [17] where the proofs were generated by hand, and Zhou and Gollman brie y considered using the belief logic SVO [22] Some work on fair exchange protocols has been realized using the model checker Mur [18 20] as well as the animation tool Possum [7] Non repudiation protocols as games. There are some fundamental di erences between authentication protocols and exchange protocols, e.g. non repudiation protocols. Generally one of the most dicult problems in authentication protocols is to deal with the ....

....abstraction that only allows to nd errors due to sending messages out of order. However they succeed in nding errors even on these very simpli ed versions of the protocols. The most extensive studies of fair exchange protocols using formal methods have been presented by Shmatikov and Mitchell in [18 20]. They use Mur , a nite state model checker to analyze a fair exchange and two contract signing protocols. Their approach di ers from our approach on some major points. First, they use an intruder model. To model the fact that a party is malicious and could try to cheat, they make that party ....

V. Shmatikov and J. Mitchell. Finite-state analysis of two contract signing protocols. To be published., 2001.

....with A, who is unaware of the judge s attempts to contact him) the higher the probability that B will be able to cheat A. Related work. A variety of formal methods have been successfully applied to the study of nondeterministic contract signing protocols, including nite state model checking [SM02], alternating transition systems [KR01,KR02] and gametheoretic approaches [BH99,CKS01,BHv02] None of these techniques, however, are applicable to contract signing in a probabilistic setting. Since fairness in protocols like BGMR is a fundamentally probabilistic property, these protocols can only ....

V. Shmatikov and J.C. Mitchell. Finite-state analysis of two contract signing protocols. Theoretical Computer Science, 283(2):419-450, 2002.

No context found.

Vitaly Shmatikov and John Mitchell. Finite-state analysis of two contract signing protocols. Theoretical Computer Science, special issue on Theoretical Foundations of Security Analysis and Design, 283(2):419--450, 2002.

No context found.

V. Shmatikov and J. Mitchell. Finite-state analysis of two contract signing protocols. Theoretical Computer Science, special issue on Theoretical Foundations of Security Analysis and Design, 283(2):419--450, 2002.

No context found.

Vitaly Shmatikov and John Mitchell. Finite-state analysis of two contract signing protocols. Theoretical Computer Science, special issue on Theoretical Foundations of Security Analysis and Design, 283(2):419--450, 2002.

No context found.

V.Shmatikov and J.C.Mitchell. Finite-state analysis of two contract signing protocols. In To appear in special issue of TCS on computer security, 2001.

No context found.

V. Shmatikov and J. Mitchell. Finite-state analysis of two contract signing protocols. Theoretical Computer Science, special issue on Theoretical Foundations of Security Analysis and Design, 283(2):419--450, 2002. A. Baum-Waidner multi-party contractsigning protocol

No context found.

V. Shmatikov and J. Mitchell. Finite-state analysis of two contract signing protocols. Theoretical Computer Science, special issue on Theoretical Foundations of Security Analysis and Design, 283(2):419--450, 2002.

No context found.

V. Shmatikov and J. Mitchell. Finite-state analysis of two contract signing protocols. Special issue of Theoretical Computer Science on security, 2001.

No context found.

Shmatikov, V. and Mitchell, J. C. 2002. Finite-state analysis of two contract signing protocols.

No context found.

Vitaly Shmatikov and John Mitchell. Finite-state analysis of two contract signing protocols. Theoretical Computer Science, special issue on Theoretical Foundations of Security Analysis and Design, 283(2):419--450, 2002.

No context found.

V. Shmatikov and J. Mitchell. Finite-state analysis of two contract signing protocols. Theoretical Computer Science, special issue on Theoretical Foundations of Security Analysis and Design, 283(2):419--450, 2002.

No context found.

Shmatikov, V. and Mitchell, J. C. (2002) Finite-state analysis of two contract signing protocols. Theoretical Computer Science, 283, 419--450.

No context found.

V. Shmatikov and J. C. Mitchell. Finite-state analysis of two contract signing protocols. Theoretical Computer Science, to appear, 2003. http://theory. stanford.edu/people/jcm/papers/tcs-contract-sign.ps.

No context found.

Vitaly Shmatikov and John Mitchell. Finite-state analysis of two contract signing protocols. Theoretical Computer Science, special issue on Theoretical Foundations of Security Analysis and Design, 283(2):419--450, 2002.

No context found.

V. Shmatikov and J. Mitchell. Finite-state analysis of two contract signing protocols. Special issue of Theoretical Computer Science on security, 2001.

No context found.

Shmatikov, V. and Mitchell, J. C. (2002) Finite-state analysis of two contract signing protocols. Theoret. Comput. Sci., 283, 419--450.

No context found.

V. Shmatikiv and J.C. Mitchell. Finite-state analysis of two contract signing protocols. To appear in Theoretical Computer Science, 2001.

No context found.

V. Shmatikov and J. Mitchell. Finite-state analysis of two contract signing protocols. Special issue of Theoretical Computer Science on security, 2001. Accepted for publication.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC