C. Meadows, Formal Verification of Cryptographic Protocols: A Survey. Proc. 4th International Conference on the Theory and Applications of Cryptology: Advances in Cryptology, 1994, 135-150.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....A typical cancellation rule is D(E(m) m. This abstraction simplifies proofs of larger protocols considerably, and it gave rise to a large body of literature on analyzing the security of protocols using techniques for formal verification of computer programs (a very partial list of work includes [29, 26, 20, 9, 27, 21, 24, 33, 39, 1]) Since this line of work turned out to be very successful, the interesting question arose whether these abstractions are indeed justified from the view of cryptography, i.e. whether properties proved for the abstractions are still valid for the cryptographic implementation. Abadi et al. ....

C. Meadows. Formal verification of cryptographic protocols: A survey. In Proc. ASIACRYPT '94, volume 917 of Lecture Notes in Computer Science, pages 135--150. Springer, 1994.

.... Others a#ect less publicly known banking protocols, whose weaknesses have been exploited by dishonest employees [6] Some others are due to the specific implementation of the cryptographic primitives [96] The literature shows that formal approaches can significantly help to detect protocol flaws [56, 74], as well as to yield general principles of secure protocol design. Some approaches lack expressiveness or automation, others are just too complicated to use on realistic protocols. Informal reasoning indeed retains its importance: it is crucial to grasp the semantics of a protocol design beyond ....

C. A. Meadows. Formal Verification of Cryptographic Protocols: A Survey. In Advances in Cryptology --- Asiacrypt 94, volume 917 of Lecture Notes in Computer Science, pages 133--150. Springer-Verlag, 1995.

....the goals are. The remedy we will discuss here, is logics of authentication, with which protocols can be analyzed for correctness. No more than some core ideas are presented, not the logics in full [131, 27, 58, 136] Surveys of formal approaches to protocol design and verification can be found in [91, 60, 30]. An unpublished but continuously updated survey of authentication protocols is available as [33] 3.1.1 The BAN logic The BAN logic is a logic for authentication protocols, and it enables an analysis of beliefs. The logic consists of a notation to capture interesting aspects of ....

MEADOWS, C. Formal Verification of Cryptographic Protocols: A Survey. In Proceedings of Advances in Cryptology---Asiacrypt'9 (1995), vol. 917 of Lecture Notes in Computer Science, SpringerVerlag, pp. 133--150.

....the scenarios of possible attacks on the protocol. Two of them are presented. Our approach thus consists of using a generic formal language and its associated verification methods and tools to verify security protocols. In this respect, we give a brief comparison with other works and refer to [Mea95] for a more complete survey on this topic. Special modal logics have been designed to verify security protocols. The most well known such logic is the BAN logic [BAN90] which is intentionally limited to authentication properties. Other more expressive logics have been proposed, for example to ....

C. Meadows. Formal Verification of Cryptographic Protocols: A Survey. In: Proc. of Asiacrypt 94, LNCS 917, 1995, pp. 133-150.

....) 2.2. 3 Validation of Cryptographic Protocols The literature on cryptographic protocols gives various examples of weak protocols, such that an attacker could circumvent the protocol without possessing the necessary key(s) or breaking the cryptographic algorithm used in the protocol [26]. Examples are the Needham Schroeder protocol [32] in which an attacker could present an old session key and use it for a new authenticated session [8] see also the discussion above) the authentication protocol of an early draft version of the international standard X.509 [15] which contained a ....

C. Meadows. Formal Verification of Cryptographic Protocols: A Survey. In Advances in Cryptology -- Asiacrypt '94, number 917 in Lecture Notes in Computer Science, pages 133--150. Springer-Verlag, 1995.

....force unjust authentication. Unfortunately, the design of cryptographic protocols appears to be rather error prone: a great deal of published protocols has later been shown to contain errors prejudicing their safety. This stimulated research on formal verification of security protocols (see e.g. [6, 3, 10, 12, 9, 15, 14, 13, 5, 7, 4]) Security protocols are specified for accomplishing certain security goals. Unfortunately, in some cases there exist no standard definitions for the properties one needs to enforce. For example, a precise notion of authentication is still a topic of research. In this paper we present an ....

C. Meadows. Formal verification of cryptographic protocols: A survey. In J. Pieprzyk and R. Safavi-Naini, editors, Advances in Cryptology - ASIACRYPT ' 9,, LNCS, pages 133-150. Springer-Verlag, 1995.

....common and important case in which the cryptographic keys are messages of bounded size. Introduction The problem of the automatic verification of cryptographic protocols has received great attention and by now various algorithms and tools for checking security properties are available, see e.g. [13, 14, 15, 12, 21, 11, 19, 18, 22, 7]. These algorithms and tools typically analyse a formal model that describes the flow of information and the interaction between principals (as specified by the protocol) in a hostile environment, that is, in the presence of attackers. In general this analysis is infinite state. Indeed, even when ....

....M closed and M derivable (OUT) t ; #M#. P (SPLIT) t ; let (M, N) x, y) in P M, y N ] CASE) t ; case in P (MATCH) t ; if M = M then P t ; Q t # ; Q # t # ; P The entailment relation K M can be presented in different ways: by rewrite systems [13, 15], by deductive systems [21, 7] by inductive definitions [20] or by axioms [24] For our purposes, it is important that it be presented as a deductive system. The definition follows. The set of messages known to the environment is always ....

C. Meadows. Formal verification of cryptographic protocols: A survey. In Advances in Cryptology --- ASIACRYPT'94, volume 917 of Lecture Notes in Computer Science, pages 133--150. Springer-Verlag, 1994.

....to force unjust authentication. Unfortunately, the design of cryptographic protocols appears to be rather error prone. A great deal of published protocols has later been shown to contain errors prejudicing their safety. This stimulated research on formal verification of security protocols see e.g. [19, 10, 28, 31, 27, 35, 36, 32, 17, 18]. In this setting several approaches are based on Dolev and Yao s [19] where it is proposed to test a protocol explicitly against a hostile intruder who has complete control over the network, and who can intercept and forge messages. By an exhaustive search, one can establish whether the protocol ....

C. Meadows. Formal verification of cryptographic protocols: A survey. In J. Pieprzyk and R. Safavi-Naini, editors, Advances in Cryptology -- ASIACRYPT ' 94, LNCS, pages 133--150. Springer-Verlag, 1995.

....include Microsoft s PPTP protocol [7] an early version of Netscape s SSL protocol [2] and the CCITT X. 509 protocol [1] As a result of this fact, recent years have witnessed significant efforts directed at developing methods to facilitate the design and analysis of cryptographic protocols [6]. However, a shortcoming of most security protocol analysis methods is that they are not easily applied to a given security protocol, often being tedious to use and error prone when carried out by hand. Thus the opportunity exists for tool designers to create user friendly applications that ....

C.A. Meadows. Formal Verification of Cryptographic Protocols: A Survey. In Advances in Cryptology - Asiacrypt '94, pages 133 -- 150. Springer-Verlag, 1995.

....which the inference rules can be reapplied to determine whether the goals are attainable after these modifications have been made. The BAN modal logic [1] popularized the notion of using logics to detect flaws and redundancies in protocols. It has been labelled as a success by many commentators [6, 11, 4] and has been used to find flaws in several protocols. BAN spawned the creation of a number of related logics, each of which has tried to improve on or add to its underlying premises. A popular descendant of BAN is GNY [7, 8] However, due to the complexity of the GNY syntax, notation and ....

C.A. Meadows. Formal Verification of Cryptographic Protocols: A Survey. In Advances in Cryptology - Asiacrypt '9, pages 133 - 150. Springer-Verlag, 1995.

....that a hostile intruder can not get hold of secret information (e.g. a private key) or to force unjust authentication. Unfortunately, the design of cryptographic protocols appears to be rather error prone. This gave impulse to research on the formal verification of security protocols see e.g. [13, 6, 20, 23, 18, 28, 29]. In this setting several approaches are based on Dolev and Yao s [13] where it is proposed to test a protocol explicitly against a hostile intruder who has complete control over the network, can intercept and forge messages. By an exhaustive search, one can establish whether the protocol is ....

C. Meadows. Formal verification of cryptographic protocols: A survey. In Proc. ASIACRYPT '94, pages 133--150, 1995.

....include Microsoft s PPTP protocol [24] an early version of Netscape s SSL protocol [2] and the CCITT X. 509 protocol [1] As a result of this fact, recent years have witnessed significant efforts directed at developing methods to facilitate the design and analysis of cryptographic protocols [22]. Being able to clearly specify a security protocol forms the basis for further analysis and implementation. There are already systems which are used to design protocols in general, such as Message Sequence Charts (MSCs) 19] and the Specification and Description Language (SDL) 25] SDL is ....

C.A. Meadows. Formal Verification of Cryptographic Protocols: A Survey. In Advances in Cryptology - Asiacrypt '94, pages 133 -- 150. Springer-Verlag, 1995.

....[23] Many other objectives have been defined and studied (for an introduction see [1] and properties have been expressed and proved in a variety of frameworks. Some of these frameworks are specialized, as the BAN logic [8, 9, 22] of Burrow, Abadi and Needham, while others are more generic [22, 15]; in general they can be divided, as recently surveyed by Clarke and Wing in [10] in three different categories: model checking, theorem proving and software specification. In this work we are interested in the first type of approach, i.e. model checking of security protocols: it consists in ....

Catherine A. Meadows. Formal Verification of Cryptographic Protocols: a Survey. Lecture Notes in Computer Science, 917:133--149, 1995.

.... Brutus model checking of a spi calculus dialect Extended Abstract S. Gnesi y D. Latella G. Lenzini y June 23, 2000 1 Introduction Recently there has been a wide interest in applying formal methods to specify and verify cryptographic protocols (see for example [2, 7, 4, 16, 19, 23, 22, 25, 10, 17]) These approaches range from the use of a process calculus to model cryptographic protocols and using equivalence relations to prove security properties on them, to the use of a general or special purpose model checkers. In this paper we propose a model checking approach for verifying security ....

Catherine A. Meadows. Formal Verification of Cryptographic Protocols: a Survey. Lecture Notes in Computer Science, 917:133--149, 1995.

....and the Session Hijacking attacks defined in this paper. Some cryptographic protocol analysis methods that take the state machine approach start their search for attacks by constructing a path from the initial state to an insecure state[12, 16] and or by proving insecure states are unreachable[12, 15]. The intruder s possible objectives are ignored by the search process. This makes the search less efficient. That is one of the reasons the search might suffer state explosion. If one can identify the set of all the possible scenarios for the intruder to launch attacks, one can reduce the search ....

....acceptor) reasoning rules be added to BANlogic. Improving State Machine based Methods. Some state machine based cryptographic analysis methods start their search for attacks by constructing a path from the initial state to an insecure state[12, 16] and or by proving insecure states are unreachable[12, 15]. Looking at the intruder s point of view can make the search space smaller, since one does not consider the states that cannot reach the insecure state. Therefore, it is recommended that state machine based cryptographic protocol analysis methods start the analysis by enumerating all ....

Catherine Meadows. "Formal Verification of Cryptographic Protocols: A Survey." Advances in Cryptology - Asiacrypt'94, LNSC 917, 133-150, Springer-Verlag, 1995.

....environment to a Windows NT environment. 1. Introduction. Formal methods are used in a wide variety of environments to verify that complex systems accomplish their intended functionality. One area where formal methods received much attention is in the area of security protocol verification [9], 8] 11] Analysis of cryptographic protocols is a field that is growing in importance by the day. The widespread use of networking requires a method of securing communications over public channels. Cryptographic protocols were developed to accomplish this. Since these protocols are supposed ....

....they should be able to deliver the session keys to both principals involved in a communication without allowing those keys to be compromised. 2. Weakest Precondition Reasoning Many methods for verifying security protocols have been developed to date including [4] MCF87] BAN88] 6] 14] [9], 12] 7] 8] 15] 11] 13] 1] 3] and many others. Yasinsac and Wulf first used weakest precondition reasoning in the evaluation of protocols [18] and they have since been shown to facilitate detection of flaws and inconsistencies in security protocols [16] 2] Weakest precondition ....

Catherine Meadows, "Formal Verification of Cryptographic Protocols: A Survey," Advances in Cryptology - Asiacrypt '94, LNSC 917, Springer-Verlag, 1995, pp. 133-150

.... 1 Introduction The state machine approach verifying cryptographic protocols by Dolev and Yao [5] and Dolev, Even and Karp [4] however it is aimed at a simple type of cryptographic protocols, called ping pong protocols, has been a fundamental model of some contemporary verifying techniques [8], namely NRL Protocol Analyzer and Interrogator etc. In their approach the state machines are designed to accept strings of cryptographic operations which express both legitimate executions of protocols and sabotuers devices. Verification is done by an algorithm seeking a binary relation of ....

Catherine Meadows. Formal verification of cryptographic protocols: A survey. In ASIACRYPT: Proceedings of International Conference on the Theory and Application of Cryptology. LNCS 917, Springer-Verlag, 1994.

No context found.

C. Meadows, Formal Verification of Cryptographic Protocols: A Survey. Proc. 4th International Conference on the Theory and Applications of Cryptology: Advances in Cryptology, 1994, 135-150.

No context found.

C. Meadows. Formal Verification of Cryptographic Protocols: a Survey. In ASIACRYPT'94: Advances in Cryptology, volume 917 LNCS, pages 135--150. Springer, 1995.

No context found.

MEADOWS, C. Formal verification of cryptographic protocols: A survey. In 4th International Conference on the Theory and Applications of Cryptology (Asiacrypt) (Wollongong, Australia, Nov. 1994).

No context found.

C. Meadows. Formal verification of cryptographic protocols: A survey. In Proc. ASIACRYPT '94, volume 917 of Lecture Notes in Computer Science, pages 135--150. Springer, 1994.

No context found.

Catherine Meadows. Formal verification of cryptographic protocols: A survey. In Advances in Cryptology -- Asiacrypt '94, volume 917 of Lecture Notes in Computer Science, pages 133--150. Springer-Verlag, 1995. 24

No context found.

Catherine Meadows. Formal verification of cryptographic protocols: A survey. In Advances in Cryptology -- ASIACRYPT'94: 4th International Conference on the 67 Theory and Application of Cryptology, pages 135--150, Wollongong, November 1994.

No context found.

C. Meadows. Formal verification of cryptographic protocols: A survey. In J. Pieprzyk and R. Safavi-Naini, editors, Advances in Cryptology - ASIACRYPT ' 9,, LNCS, pages 133-150. Springer-Verlag, 1995.

No context found.

Meadows C.: Formal Verification of Cryptographic Protocol: A Survey. Asiacrypt'94 (1994)

First 50 documents  Next 50

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC