Richard A. Kemmerer. Analyzing encryption protocols using formal veri cation techniques. IEEE Journal on Selected Areas in Communications, 7(4):448-457, May 1989.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....protocols have been adapted for establishing the secrecy authenticity of the cryptographic protocols. Approaches can be broadly categorized as follows: 1) State Machine Models [11, 14] 2) Calculus Based Models [1] 3) Methods Based on Belief Logics [5] and (4) Theorem Prover based Methods [8, 3, 16, 4, 19, 9]. 17] provides an annotated bibliography. In the area provably correct systems, there have been quite considerable efforts in the speci cation and veri cation of reactive systems [7] The family of synchronous languages [2] has been well studied for the design and synthesis of provably correct ....

R. Kemmerer, Analyzing encryption protocols using formal veri cation techniques, IEEE J. on Selected Areas in Communications, 7(4), (1989) 448-457.

....A typical cancellation rule is D(E(m) m. This abstraction simplifies proofs of larger protocols considerably, and it gave rise to a large body of literature on analyzing the security of protocols using techniques for formal verification of computer programs (a very partial list of work includes [29, 26, 20, 9, 27, 21, 24, 33, 39, 1]) Since this line of work turned out to be very successful, the interesting question arose whether these abstractions are indeed justified from the view of cryptography, i.e. whether properties proved for the abstractions are still valid for the cryptographic implementation. Abadi et al. ....

R. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7(4):448--457, 1989.

....of cryptography are used. They are almost always based on the so called Dolev Yao model [10] This model simplifies proofs of larger protocols considerably and gave rise to a large body of literature on analyzing the security of protocols using various techniques for formal verification, e.g. [19, 17, 14, 7, 21, 1]. A prominent example demonstrating the usefulness of the formal methods approach is the work of Lowe [15] where he found a man in the middle attack on the well known Needham Schroeder publickey protocol [20] Lowe later proposed a repaired version of the protocol [16] and used the model checker ....

R. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7(4):448--457, 1989.

....for the abstract protocol, they also hold for the real protocol. Related work The Dolev Yao model is from [16] Cryptographic definitions of public key encryption and signature schemes were developed in [38, 20, 15, 21] First automated proof tools based on the Dolev Yao model were presented in [30, 28, 24]. Early examples of the large body of work of embedding the Dolev Yao model in standard tools are [1, 27] Simulatability, the basic notion for comparing an abstract and a real system, was first invented for multi party function evaluation [37, 19, 7, 29, 9] i.e. systems with only one initial ....

R. Kemmerer. Analyzing encryption protocols using formal verfication techniques. IEEE Journal on Selected Areas in Communications, 7(4):448 457, 1989.

....are both consistent and they have both been useful, but they come from two mostly separate communities and they are quite di#erent. In one of them, cryptographic operations are seen as functions on a space of symbolic (formal) expressions; their security properties are also modeled formally (e.g. [5, 13, 16 18, 28 30, 32, 34 37, 41]) In the other, cryptographic operations are seen as functions on strings of bits; their security properties are defined in terms of the probability and computational complexity of successful attacks (e.g. 7 9, 11, 22 26, 44] There is an uncomfortable gap between these two views. In ....

....Thus, the idealized security properties of encryption are modeled (rather than defined) They are built into the model of computation on expressions. This body of literature starts with the work of Dolev and Yao [17] DeMillo, Lynch, and Merritt [15] Millen, Clark, and Freedman [35] Kemmerer [30], Burrows, Abadi, and Needham [13] and Meadows [34] It includes many di#erent agendas and approaches, with a variety of techniques from the fields of rewriting, modal logic, process algebra, and others. Over the years, it has been used in the design of protocols, it has helped develop confidence ....

Richard A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7(4):448--457, May 1989.

....used for I O automata differ greatly from the usual process algebraic notations and methods; notably, work based on I O automata uses explicit, structured representations of automaton states. Many researchers have stated and proved invariant assertions for security protocols (see, for example, [19, 36, 33, 30]) On the other hand, simulation relations have not been used much in prior work on reasoning about security protocols. An example of work using simulation relation ideas is the work on safe simplifying transformations by Hui and Lowe [18] Also, Abadi and co workers have used simulation ....

....value resulting from applying an easy function (one in EN C ) to values in has may be added to has . We restrict the reveal(u) output so that u 2 has , that is, Eve can only report a value that it has . Similar treatments of known information appear elsewhere in the literature, for example, in [12, 19, 28, 27]. Eve(C; P; A) eavesdrop(u) p;q;a , u 2 set C , p; q 2 P , p 6= q, a 2 A learn(u)a , u 2 set C , a 2 A reveal (u)a , u 2 set C , a 2 A compute(u; f)a , f 2 EN C , a 2 A has set C , initially ; u 2 has compute(u; f)a fu1 ; ukg s:has u = f(u1 ; uk ) ....

Richard A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7(4):448--457, May 1989.

....complex problem and has gained much interest among scientists in recent years. It is difficult to handle these problems without some sort of formal or semiformal approach. For that reason, several methods for formal design and analysis of security architectures have recently been introduced, e.g. [4, 11, 5]. These methods use formal notations, which are usually based on first order predicate calculus and a proof theory. The drawback of most methods known in the literature is that they are all concerned with analysis of protocols after these have already been designed and not during the process of ....

Kemmerer R. A., Analyzing Encryption Protocols Using Formal Verification Techniques, IEEE Journal on Selected Areas in Communications, Vol. 7, No. 4, May 1989.

....E Mail: teshrim ucdavis.edu 1 on strings at all. Instead, typically, they see encryption as a formal symbol, the properties of which are modeled (not de ned) by the manner in which this formal symbol may be manipulated. There are many such formal views towards cryptography; see, for example, [9, 17, 12, 6, 16, 15, 18, 2]. Building bridges. Quite recently, some work has emerged which starts to bridge the computational view and the formal one. Lincoln, Mitchell, Mitchell and Scedrov [14] develop a formal model that blends in computational aspects. P tzmann, Schunter and Waidner [19] and then P tzmann and Waidner ....

Richard A. Kemmerer. Analyzing encryption protocols using formal verication techniques. IEEE Journal on Selected Areas in Communications, 7(4):448-457, May 1989.

....of relying on well defined and largely used techniques. For example, formal verification can be done using theorem provers or simplifiers for standard logics which may take advantage of all research in the area of automatic or assisted proving. The main approaches are the approach of Kemmerer [16] based on the formal specification language Ina Jo, the approach of Chen and Glicor [11] also based on the Ina Jo specification language, but using the BAN logic [9] to model belief, Bieber s approach [6] based on the for mal specification language B [2] and finally the approach of Meadows [19, ....

....section we compare the proposed approach with formal method based approaches and modal logic based approaches. Among formal method based approaches some use proof based techniques. This is the case with the proposed approach. A good representative of this kind of approaches is Kemmerer s approach [16]. First general authentication properties which cannot be expressed as simple invariant properties, cannot be handled using Kemmerer s approach. Another significant difference comes from the fact that no specific modeling and axiomatization of the intruder knowledge is used. This is indeed a ....

R.A. Kemmerer. Analyzing encryption protocols using formal verification techniques. In IEEE Journal on Selected Areas in Communications, volume 7(4), 1989.

....the restrictions do not hide many important subtleties and attacks. 2 From Politeness to Formality With varying degrees of explicitness, many of these simplifications have been embodied in symbolic algorithms, proof systems, and other formal methods for the analysis of security protocols (e.g. [4, 9, 11 13, 16, 19, 21, 23, 25, 27, 29, 31]) The power of the formal methods is largely due to these simplifications. In these methods, keys, nonces, and other fresh quantities are typically not defined as ordinary bitstrings. They may even be given a separate type. While all bitstrings can be enumerated by starting from 0 and adding 1 ....

Richard A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7(4):448--457, May 1989.

....and Stark s work is not perfect; in particular, their use of partial bijections on names is di#erent from our use of frames and theories. In the last few years, several methods for analyzing cryptographic protocols have been developed within action based or state based models (see for example [5, 9, 10, 11, 12, 13, 14, 18, 21]) Some of these models are presented as process algebras, others in logical forms. Often, the analysis of a protocol requires defining a particular attacker (an environment) for the protocol; recently, there has been promising progress towards automating the construction of this attacker. ....

R. A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7, 1989.

....key K. The final result, though, concerns x rather than K. 6. 2 Secrecy and inductive definitions Approaches based on predicates on behaviors rely on a rather di#erent definition of secrecy, which can be traced back to the influential work of Dolev and Yao [30] and other early work in this area [41, 57, 54]. According to that definition, a process preserves the secrecy of a piece of data M if the process never sends M in clear on the network, or anything that would permit the computation of M , even in interaction with an attacker. Next we show one instantiation of this general definition, again ....

Richard A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7(4):448--457, May 1989.

....are both consistent and they have both been useful, but they come from two mostly separate communities and they are quite di#erent. In one of them, cryptographic operations are seen as functions on a space of symbolic (formal) expressions; their security properties are also modeled formally (e.g. [5, 13, 15, 21 23, 25, 27 30, 34]) In the other, cryptographic operations are seen as functions on strings of bits; their security properties are defined in terms of the probability and computational complexity of successful attacks (e.g. 7 9, 11, 16 19, 37] There is an uncomfortable gap between these two views. In this ....

....Thus, the idealized security properties of encryption are modeled (rather than defined) They are built into the model of computation on expressions. This body of literature starts with the work of Dolev and Yao [15] DeMillo, Lynch, and Merritt [14] Millen, Clark, and Freedman [28] Kemmerer [23], Burrows, Abadi, and Needham [13] and Meadows [27] It includes many di#erent agendas and approaches, with a variety of techniques from the fields of rewriting, modal logic, process algebra, and others. Over the years, it has been used in the design of protocols, it has helped develop confidence ....

Richard A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7(4):448--457, May 1989.

....a cryptographic protocol as any other (distributed) program and attempt to prove its correctness. The first step is to specify the protocol and its correctness requirements so that the techniques apply. For this purpose, Varadharajan uses LOTOS [Var90] Kemmerer specifies the system in Ina Jo [Kem89], while others use even more general description techniques such as state machines [Var89] or Petri nets [NT92] Once the protocol and its requirements are specified, it can be investigated by using the tools that are available in the formalism used. In [Var90] Varadharajan proposes the use of ....

....[Var90] Varadharajan proposes the use of LOTOS to analyse authentication protocols. He gives example specifications of protocols in LOTOS, but he cannot demonstrate any result in their analysis. The paper concludes by stating that LOTOS tools are not yet adequate for this kind of analysis. 4 In [Kem89] and [KMM94] Kemmerer uses an extension of first order predicate calculus, a formal specification language called Ina Jo. Ina Jo was designed as a general purpose tool to support software development and correctness proofs. Kemmerer describes an example security system, and then gives an Ina Jo ....

R. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7(4):448--457, October 1989.

....with parameter (Ba)a2A . Then C C 0 if and only if, for every valid network N restrained with respect to A and X, N j ( C] n K) n A (N j ( C 0 ] n K) n A 7 Related work and conclusion There has been much work on the design and analysis of authentication protocols (e.g. [29, 18, 26, 23, 13, 9, 8, 21, 22, 4, 30, 20, 25]) Some of that work, like ours, relies on process calculi. There has also been signi cant work on the design of programmable systems with authentication (e.g. 10, 19, 33, 32] but much less on the analysis of those systems. As this paper illustrates, process calculi provide a useful basis for ....

Richard A. Kemmerer. Analyzing encryption protocols using formal verication techniques. IEEE Journal on Selected Areas in Communications, 7(4):448-457, May 1989.

....the spi calculus [6, 1] contain more substantial examples to which this concept of secrecy applies. Approaches based on predicates on behaviors rely on a rather di#erent definition of secrecy, which can be traced back to the influential work of Dolev and Yao [26] and other early work in this area [35, 49, 46]. According to that definition, a process preserves the secrecy of a piece of data M if the process never sends M in clear on the network, or anything that would permit the computation of M , even in interaction with an attacker. Next we show one instantiation of this general definition, again ....

Richard A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7(4):448--457, May 1989.

....of messages and prepositions to idealised messages, the fact that there is no complete semantics for the logic, and the modelling of freshness. Attack construction methods construct probable attack sets based on the algebraic properties of the protocol s algorithms. These methods [13] [14] [15] 16] 17] 18] 19] 20] 21] 22] are targeted towards ensuring authentication, correctness, or security properties; they are not dependent on the correctness of a proposed logic. Their main disadvantage lies in the big number of possible events that must be examined. Attempting to avoid ....

....of every method. 2.1 Methods based on general purpose validation languages These methods analyse a cryptographic protocol as any other program whose correctness they are trying to prove. This is achieved by specifying the protocol: as a finite state machine [21] 22] using predicate calculus [14], or within a process algebra [20] 15] Sidhu and Varadharajan map the protocol to a finite state machine [21] 22] The first analysis method [21] verifies the basic properties of a number of protocols, detects basic flaws, but can not detect flaws due to the re use of old messages as no ....

[Article contains additional citation context not shown here]

Kemmerer R., Analyzing encryption protocols using formal verification techniques, IEEE Journal on Selected Areas in Communications, 7(4), (1989) 448-457.

....exchanging cryptographic keys over data networks can be vulnerable to message modification attacks. This fact led to the development of tools for cryptographic protocol analysis. Some of the earlier papers on the subject are [MCF87, Mea91] on goal directed state search tools implemented in Prolog, [Kem89] on the application of generalpurpose specification and verification tools, BAN90] on a specially designed logic of belief, and [Ros95, Low96] on the application of a model checking tool for CSP specifications. These tools and their successors have been effective, but it is difficult for ....

R. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communication, 7(4), May 1989.

....both consistent and they have both been useful, but they come from two mostly separate communities and they are quite different. In one of them, cryptographic operations are seen as functions on a space of symbolic (formal) expressions; their security properties are also modeled formally (e.g. [5, 13, 15, 21 23, 25, 27 30, 34]) In the other, cryptographic operations are seen as functions on strings of bits; their security properties are defined in terms of the probability and computational complexity of successful attacks (e.g. 7 9, 11, 16 19, 37] There is an uncomfortable gap between these two views. In this ....

....Thus, the idealized security properties of encryption are modeled (rather than defined) They are built into the model of computation on expressions. This body of literature starts with the work of Dolev and Yao [15] DeMillo, Lynch, and Merritt [14] Millen, Clark, and Freedman [28] Kemmerer [23], Burrows, Abadi, and Needham [13] and Meadows [27] It includes many different agendas and approaches, with a variety of techniques from the fields of rewriting, modal logic, process algebra, and others. Over the years, it has been used in the design of protocols, it has helped develop ....

Richard A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7(4):448--457, May 1989.

....formalism; this has obvious advantages but it also implies that our method is less intuitive than some based on ad hoc formalisms (e.g. BAN89] As in some modal logics (e.g. ABLP93, LABW92] we emphasize reasoning about channels and their utterances. As in state transition models (e.g. [DY81, MCF87, Mil95a, Kem89, Mea92, Pau97]) we are interested in characterizing the knowledge of an environment. The unique features of our approach are its reliance on the powerful scoping constructs of the pi calculus; the radical definition of the environment as an arbitrary spi calculus process; and the representation of security ....

R. A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7, 1989.

.... method of Dolev and Yao (1983) and Dolev, Even and Karp (1982) to analyze the security of a class of public key protocols, the logic of Burrows, Abadi and Needham (1990) and Gong, Needham and Yahalom (1990) to verify authentication protocols, and the state machine models of Millen (1984) Kemmerer (1989), Meadows (1991) and Kemmerer, Meadows, and Millen (1994) to specify and automatically verify cryptographic protocols. There are two important differences between our work and earlier work on formal 5 analysis of cryptographic protocols. First, previous work (Dolev and Yao (1983) Dolev, Even ....

....with how easy it is for a subset of protocol users to discover a target set of information through collusion. Second, as explained in x2 a collusion problem is defined on a transition system, and hence can in principle be solved by exhaustive reachability search, as done in Millen (1984) Kemmerer (1989), and Meadows (1991) By exploiting the special structure of the collusion problem, however, our algorithm avoids searching the state space of the transition system, which can have 2 jU j(jU j Gamma1) reachable states, and works on a graph with jU j nodes, where jU j is the number of colluders. ....

[Article contains additional citation context not shown here]

Kemmerer, R. (1989), Analyzing encryption protocols using formal verification techniques, IEEE Journal on Selected Areas in Communications, 7(4):448--457.

....used for I O automata differ greatly from the usual process algebraic notations and methods; notably, work based on I O automata uses explicit, structured representations of automaton states. Many researchers have stated and proved invariant assertions for security protocols (see, for example, [19, 36, 33, 30]) On the other hand, simulation relations have not been used much in prior work on reasoning about security protocols. An example of work using simulation relation ideas is the work on safe simplifying transformations by Hui and Lowe [18] Also, Abadi and co workers have used simulation ....

....value resulting from applying an easy function (one in EN C ) to values in has may be added to has . We restrict the reveal(u) output so that u 2 has , that is, Eve can only report a value that it has . Similar treatments of known information appear elsewhere in the literature, for example, in [12, 19, 28, 27]. Eve(C; P; A) Signature: Input: eavesdrop(u) p;q;a , u 2 set C , p; q 2 P , p 6= q, a 2 A learn(u)a , u 2 set C , a 2 A Output: reveal (u)a , u 2 set C , a 2 A Internal: compute(u; f)a , f 2 EN C , a 2 A States: has set C , initially ; Transitions: eavesdrop(u) p;q;a Effect: has ....

Richard A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7(4):448--457, May 1989.

....suggests a specification technique that involves representing a protocol as a directed graph. Varadharajan [87] also adopts this method. However, in later publication [88] he uses LOTOS (Language of Temporal Ordering Specification) for specifying authentication protocols. The work by Kemmerer [40] fits into several of the types of approaches, as shown in Table 1. The author describes an example system with a special cryptographic facility. The Type I approach can be seen in his attempt to use machine aided verification techniques. The properties that the protocol should preserve are ....

....work in this area was redirected as the logics of the Type III approach gained popularity. 6 Moore [52] gives some examples of failures in cryptosystem that result form the interactions between protocols and the underlying encryption mechanisms. 5. 1 Using a Formal Verification System Kemmerer [40] describes two goals in using formal methods for the analysis of encryption protocols. The first is to verify formally that an encryption protocol satisfies its stated security requirements, and the second is to discover weaknesses in its specification. His formal model uses a state machine ....

[Article contains additional citation context not shown here]

Richard A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected areas in Communications, 7(4):448--457, May 1989.

....leads to a vacuous proof. Once this assumption is removed, the analysis becomes correct again, though quite uninteresting. We make no formal attempt to detect incongruities between assumptions and messages. This might be possible, using existing tools to guard against release of secrets (see [2, 5, 9, 10, 12] for example) ffl T is not fresh: If the message includes an old timestamp, A should not accept the message as fresh. Old messages can be replays, and could provide A with a compromised key for B [3] In the formal analysis, the proof would be blocked at A believes S said ( K b 7 B; T ) ffl ....

R.A. Kemmerer. Analyzing Encryption Protocols Using Formal Verification Techniques, IEEE Journal on Selected Areas in Communications Vol. 7, No. 4, May 1989, pp. 448--457.

....formalism; this has obvious advantages but it also implies that our method is less intuitive than some based on ad hoc formalisms (e.g. BAN89] As in some modal logics (e.g. ABLP93, LABW92] we emphasise reasoning about channels and their utterances. As in state transition models (e.g. [DY81, MCF87, Mil95, Kem89, Mea92]) we are interested in characterising the knowledge of an environment. The unique features of our approach are its reliance on the powerful scoping constructs of the pi calculus; the radical definition of the environment as an arbitrary spi calculus process; and the representation of security ....

R. A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7, 1989.

.... see Moore [38] Rubin Honeyman Protocol Protocol Analysis First Author Specification Type I Type II Type III Type IV Abadi [1] Bieber [2] Blumer [3] 3] Britton [4] Burrows [7] 8] Calvelli [9] Campbell [10] Dolev [16] Gaarder [18] Gong [19] 20] Gray [26] Kailar [27] Kasami [28] Kemmerer [29] [29] 29] Longley [30] Lu [31] Mao [32] Meadows [35] 35] 33] 34] 35] 36] Millen [37] Moser [39] Nessett [42] Rangan [44] Sidhu [50] Snekkenes [51] 52] 53] Syverson [60] 60] 56] 57] 58] 59] 61] 55] 60] Varadharajan [62] 63] 64] 62] 63] 64] Woo [67] 67] Table 1: The Focus of ....

.... see Moore [38] Rubin Honeyman Protocol Protocol Analysis First Author Specification Type I Type II Type III Type IV Abadi [1] Bieber [2] Blumer [3] 3] Britton [4] Burrows [7] 8] Calvelli [9] Campbell [10] Dolev [16] Gaarder [18] Gong [19] 20] Gray [26] Kailar [27] Kasami [28] Kemmerer [29] [29] [29] Longley [30] Lu [31] Mao [32] Meadows [35] 35] 33] 34] 35] 36] Millen [37] Moser [39] Nessett [42] Rangan [44] Sidhu [50] Snekkenes [51] 52] 53] Syverson [60] 60] 56] 57] 58] 59] 61] 55] 60] Varadharajan [62] 63] 64] 62] 63] 64] Woo [67] 67] Table 1: The Focus of ....

[Article contains additional citation context not shown here]

Richard A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected areas in Communications, 7(4):448--457, May 1989.

....key distribution protocols represent encryption operators symbolically and specify their properties with abstract rules or axioms. Approaches that employ state transition models, such as the Prolog state search systems [3,4] those that use general purpose specification and verification systems [2], temporal logic [1] model checking [5] and others, typically use explicit or implicit term replacement rules to express the properties of these operators. An example of a term replacement rule is d(K; e(K; X) X; expressing the property that an encryption in a symmetric key system is ....

R. A. Kemmerer, "Analyzing encryption protocols using formal verification techniques," IEEE J. Selected Areas in Communication, Vol. 7, No. 4, May 1989.

....formalism; this has obvious advantages but it also implies that our method is less intuitive than some based on ad hoc formalisms (e.g. BAN89] As in some modal logics (e.g. ABLP93, LABW92] we emphasise reasoning about channels and their utterances. As in state transition models (e.g. [DY81, MCF87, Mil95a, Kem89, Mea92]) we are interested in characterising the knowledge of an environment. The unique features of our approach are its reliance on the powerful scoping constructs of the pi calculus; the radical definition of the environment as an arbitrary spi calculus process; and the representation of security ....

R. A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7, 1989.

....In the last few years, the importance of reasoning about cryptographic protocols has been widely recognised, and several methods have been used for this task. Those methods are based on a large variety of formal frameworks: temporal logics, modal logics, state transition models, CSP (see e.g. [MCF87, BAN89, Kem89, Mil95a, Mea92, GM95, Low96, Sch96a]) The main emphasis of that work has been on authenticity properties. Proofs in the spi calculus are sometimes more difficult than proofs in those earlier frameworks. The sources of this difficulty are in part the novelties and advantages of the spi calculus approach: the expressive scoping ....

R. A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7, 1989.

....and Stark s work is not perfect; in particular, their use of partial bijections on names is different from our use of frames and theories. In the last few years, several methods for analysing cryptographic protocols have been developed within action based or state based models (see for example [MCF87,Mil95,Kem89,Mea92,GM95,Low96,Sch96a,Bol96,Pau97]) Some of these models are presented as process algebras, others in logical forms. Often, the analysis of a protocol requires defining a particular attacker (an environment) for the protocol; recently, there has been promising progress towards automating the construction of this attacker. ....

R. A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7, 1989.

No context found.

Richard A. Kemmerer. Analyzing encryption protocols using formal veri cation techniques. IEEE Journal on Selected Areas in Communications, 7(4):448-457, May 1989.

No context found.

R. A. Kemmerer, "Analyzing Encryption Protocols using Formal Verification Techniques", IEEE Journal on Selected Areas in Communications, 7(4):448457, 1989.

No context found.

R. A. Kemmerer, "Analyzing Encryption Protocols using Formal Verification Techniques", IEEE Journal on Selected Areas in Communications, 7(4):448-457, 1989.

No context found.

R. A. Kemmerer, "Analyzing Encryption Protocols using Formal Verification Techniques", IEEE J. on Selected Areas in Communications, 7(4):448-457, 1989.

No context found.

R. A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7, 1989.

No context found.

R.A. Kemmerer, Analyzing Encryption Protocols Using Formal Verification Techniques. IEEE J. Selected Areas in Comm, 7(4), 1989, 448-457.

No context found.

R. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7(4):448--457, 1989.

No context found.

R. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7(4):448--457, 1989.

No context found.

R. A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7, 1989.

No context found.

R. A. Kemmerer, "Analyzing Encryption Protocols using Formal Verification Techniques", IEEE J. on Selected Areas in Communications, 7(4):448-457, 1989.

No context found.

R. A. Kemmerer, "Analyzing Encryption Protocols using Formal Verification Techniques", IEEE Journal on Selected Areas in Communications, 7(4):448457, 1989.

No context found.

R. A. Kemmerer, "Analyzing Encryption Protocols using Formal Verification Techniques", IEEE Journal on Selected Areas in Communications, 7(4):448-457, 1989.

No context found.

R. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7(4):448--457, 1989.

No context found.

R. A. Kemmerer. Analyzing encryption protocols using formal verification techniques. IEEE Journal on Selected Areas in Communications, 7. 1989.

No context found.

R. A. Kemmerer, Analyzing Encryption Protocols Using Formal Veri#cation Techniques, IEEE Journal on SelectedAreas in Communications. Vol.7, No.4 #May 1989

No context found.

Kemmerer, Richard A., "Analyzing Encryption Protocols Using Formal Verification Techniques", IEEE Journal on Selected Areas in Communication, Volume 7, Number 4, May 1989, pp. 448-457.

No context found.

R Kemmerer, Analyzing encryption protocols using formal verification techniques, IEEE Journal on Selected Areas in Communications, 7, 1989.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC