Li Gong. Cryptographic Protocols for Distributed Systems. PhD thesis, University of Cambridge, Cambridge, England, April 1990.


This paper is cited in the following contexts:
Analysis of Cryptographic Protocols using Logics of Belief: an.. - Monniaux (2001)   (1 citation)  (Correct)

....JOURNAL OF TELECOMMUNICATIONS logics of belief, aiming at formalizing such inferences, have been proposed. The first of these was the so-called BAN logic from Burrows, Abadi and Needham [9,10], which was followed by more expressive and elaborate extensions such as GNY (Gong, Needham and Yahalom [16,15]), Syverson and van Oorschot [33,34] and CKT5 [8]. One limitation of these logics is the need to annotate the protocols with logical assertions that are assumed to represent the intent of the sender of the message, as well as logical assumptions on the secrecy or freshness of certain pieces of ....

Li Gong. Cryptographic Protocols for Distributed Systems. PhD thesis, University of Cambridge, Cambridge, England, April 1990.


Using GYPSIE, GYNGER and Visual GNY to Analyze Cryptographic.. - Saul, Hutchison (2001)   (Correct)

....in protocols. It has been labelled as a success by many commentators [6, 11, 4] and has been used to find flaws in several protocols. BAN spawned the creation of a number of related logics, each of which has tried to improve on or add to its underlying premises. A popular descendant of BAN is GNY [7, 8]. However, due to the complexity of the GNY syntax, notation and inference rules, it is commonly acknowledged that analysis with GNY tends to be inaccessible and obscure for the uninitiated. Often it requires experience and insight to determine what the desirable and appropriate initial and final ....

....within the GYPSIE modelling environment. Besides these user experiments, we have also tested the GYNGER analyzer and used it to analyze a wide variety of authentication protocols, as well as information exchange protocols. Some of these protocols include the Needham Schroeder and Voting Protocols [8], the Wide Mouth Frog, Yahalom and Kerberos Protocols [1] as well as a number of authentication protocols from [10]. All the results from our analyses worked out as expected and returned accurate results and proofs. The Visual GNY experiments returned some interesting results. We tested the ....

L. Gong. Cryptographic Protocols for Distributed Systems. PhD thesis, University of Cambridge, April 1990.


A Graphical Environment for the Facilitation of Logic-Based.. - Saul, Hutchison (2000)   (Correct)

....to achieve a given set of beliefs and possessions. Analysis using logics was first popularized in 1989 by the BAN modal logic [2]. BAN and other logic systems have successfully been used to reveal flaws in protocols that were previously accepted as correct [4]. A popular successor of BAN is GNY [5]. However, it is commonly acknowledged that analysis using a modal logic such as GNY tends to be inaccessible and obscure for the uninitiated. Often it requires experience and insight to determine what the desirable and appropriate initial and final conditions for a given protocol should be. The ....

L. Gong. Cryptographic Protocols for Distributed Systems. PhD thesis, Cambridge University, United Kingdom, 1990.


An Environment to facilitate the Teaching of GNY-Based.. - Saul, Hutchison   (Correct)

....to achieve a given set of beliefs and possessions. Analysis using logics was first popularized in 1989 by the BAN modal logic [1]. BAN and other logic systems have successfully been used to reveal flaws in protocols that were previously accepted as correct [3]. A popular successor of BAN is GNY [4]. However, GNY analyses can appear complicated to uninitiated or non-mathematically inclined individuals. While teaching students how to analyze protocols with GNY, we noticed that many of them balked or got bogged down in syntactic issues, instead of focusing on the actual analysis. This ....

L. Gong, Cryptographic Protocols for Distributed Systems, PhD thesis, University of Cambridge, April, 1990.


Abstracting Cryptographic Protocols with Tree Automata - Monniaux (1999)   (33 citations)  (Correct)

....except the description of the protocol and the cryptographic primitives involved. 1.2 Comparison to Related Works Burrows, Abadi and Needham proposed to analyze cryptographic protocols using a logic of belief, now known as the BAN logic [10]. Several derivatives of this logic have followed [22,21,42,43]. All those systems provide a means to formalize the high level reasoning that stands behind the protocols. Such informal reasoning often uses steps such as Principal B receives a message signed with K_a, and K_a is a secret key only owned by A; therefore, this message must have been emitted by ....

Li Gong. Cryptographic Protocols for Distributed Systems. PhD thesis, University of Cambridge, Cambridge, England, April 1990.


Network File Server Design for Continuous Media - Jardetzky (1992)   (7 citations)  (Correct)

....themselves [Rajunas86]. The second scheme [Karger88] allows capability copying, but prohibits free access. A client must authenticate itself with a server before access to an object is granted. This policy entails considerable overhead in that each access requires a client authentication. Lastly, [Gong90] eliminates both problems by requiring capabilities to be identity dependent. That is, a capability is issued only to the entity which may exercise the access rights to an object. 4.1.3 Reliability and Integrity Perhaps the most important aspect of a file system lies in its ability to provide ....

Li Gong. Cryptographic Protocols for Distributed Systems. PhD thesis, Cambridge University Computer Laboratory, April 1990. (p 37)


Decision Procedures for the Analysis of Cryptographic Protocols.. - Monniaux (1999)   (4 citations)  (Correct)

....a key known only to me and machine M , and I did not send it originally, then it must have been sent by M . The first of these was the so-called BAN logic from Burrows, Abadi and Needham [3], which was followed by more expressive and elaborate extensions such as GNY (Gong, Needham and Yahalom [6, 5]) and SVO (Syverson and van Oorschot [17, 18]). One limitation of these logics is the need to annotate the protocols with logical assertions that are assumed to represent the intent of the sender of the message, as well as logical assumptions on the secrecy or freshness of certain pieces of ....

....; we apply the original decomposition rule at the bottom of these. 3 Application to GNY logic As the treatment of BAN logic by our method is very similar to that of GNY logic, and BAN is simpler, we deal here with GNY logic. 3.1 Definitions The GNY logic [6], named after its authors, Li Gong [5], Roger Needham and Raphael Yahalom, is a logic of belief similar to BAN, but which addresses some deficiencies in that latter one; among other things, it addresses unencrypted message parts and includes a notion of recognizability. We use the rules from [6] plus the following rule, which was ....

Li Gong. Cryptographic Protocols for Distributed Systems. PhD thesis, University of Cambridge, Cambridge, England, April 1990. http://java.sun.com/people/gong/papers/phd-thesis.ps.gz


Abstracting Cryptographic Protocols with Tree Automata - David (1999)   (33 citations)  (Correct)

....of the protocol rather than the strength of the underlying cryptographic algorithms, such as message digests or encryption primitives. For instance, it is assumed that one may decrypt a message encrypted with a public key only when possessing the corresponding private key. Whereas belief logics [3, 9, 8, 19, 20] try to deal with the rationale behind the design of a protocol, the other methods (theorem proving, model checking) are based on some kind of well defined model of the computation [15]. The next part of this paper will describe the model we are considering. Methods based on such models can be ....

Li Gong. Cryptographic Protocols for Distributed Systems. PhD thesis, University of Cambridge, Cambridge, England, April 1990.


Some Hints on the Theory and Practice of Authentication in.. - Stabell-Kulø (1995)   (Correct)

....that a good grasp on the inherit complexity of authentication is required in order to fully enjoy the issues considered in this paper. A better place to start would be [Needham93]. Then focus on authentication by means of [BAN90], including the appendix [Burrows94]. Follow up with [Abadi94] and [Gong90]. A survey of authentication in distributed systems can be found in [Liebl93]. A tutorial in security at large is available in [Stallings95]. Channels and Encryption Encryption Channels There is more to key identifiers than meet the eye. The most important issue is that it is impossible to know ....

L. Gong. Cryptographic Protocols for Distributed Systems. PhD thesis. University of Cambridge, UK, April 1990.


The Formal Verification of a Payment System - Ross Anderson (1997)   (3 citations)  (Correct)

....extension of the BAN logic, and our work raised some interesting scientific questions. Firstly, logics like BAN had been thought limited in scope to verifying mutual authentication or key sharing (e.g. by [9]); we showed that this was not so. Secondly, we found a bug in another extension of BAN [8]. Thirdly, we highlighted the need for a formalism to deal with cryptographic chaining. Fourthly, this type of formal analysis turns out to be so useful and indeed straightforward that we argued it should be routine due diligence for financial and security critical systems. Our results were ....

.... the effect that if P tries a key K to decrypt a block, and recognises the result as coming from Q (P jj Q X P; P fXgK ) then he will believe that Q in fact used K (P jj Q j K) It has since been suggested that we might rather use the existing extension of the BAN logic by Gong and others [8, 10], which formalises recognisability in a different way. However, there always remains the nagging doubt that logics which reason about belief and implication in the same calculus may fall foul of the transitivity paradoxes [12] and in the specific case of that particular BAN extension, we found a ....

[Article contains additional citation context not shown here]

L Gong, Cryptographic Protocols for Distributed Systems (PhD Thesis), University of Cambridge 1990


On the Automation of GNY Logic - Mathuria, Safavi-Naini, al. (1995)   (4 citations)  (Correct)

....logic also fails to accommodate many of the wide range of cryptographic techniques available in designing protocols, and as a result the class of protocols that can be analyzed using the logic is limited. The shortcomings of the BAN logic have led to several extensions of the logic being proposed [6, 7, 8, 9]. Each of these extensions attempts to improve upon the BAN logic by introducing additional primitives and rules. A prominent extension of the BAN logic is the logic proposed by Gong, Needham and Yahalom [6]. Their extension, known as the GNY logic, operates at a finer level of detail than its ....

....proofs of protocol goals to be obtained mechanically. The tool also generates the intermediate states attained after each step of the protocol, thus providing an environment for stepwise development of protocols. The modified logic includes several new rules from an extension of the GNY logic in [7]. These rules are clearly required during protocol analyses using the GNY logic, but are nonetheless absent in [6]. The tool has proved useful in verifying the need for the inference rules we add to the GNY logic. It has also enabled us to detect a problem with the GNY protocol parser [6] used for ....

[Article contains additional citation context not shown here]

L. Gong, Cryptographic Protocols for Distributed Systems. PhD thesis, Cambridge University, U.K., 1990.


Papers on Smartcard Engineering - Anderson   (1 citation)  (Correct)

....when people try to be smart, and called for a protocol equivalent of structured programming. For example, by putting in the name of the sender and the recipient of each message in a protocol, and by insisting on freshness, most of the cut and paste attacks in the literature could be prevented [G]. 2. A month later, at Eurocrypt 93, Boyd and Mao suggested that a protocol should be called robust if authenticating any message depends only on information contained in the message itself or already in the possession of the recipient, and that the purpose of a message in a robust protocol should ....

.... (November 1976) p [E] B Ellis, Prosecuted for complaint over cash machine , in The Sunday Times, 27th March 1994, section 5 page 1 [ECMA] European Computer Manufacturers Association, Secure Information Processing versus the Concept of Product Evaluation , technical report 64 (December 1993) [G] L Gong, Thoughts on Cryptographic Protocols , in Proceedings of the 1993 Cambridge Protocols Workshop, Springer LNCS (to appear) [GO] G Garon and R Outerbridge, DES Watch: An Examination of the Sufficiency of the Data Encryption Standard for Financial Institution Information Security in the ....

[Article contains additional citation context not shown here]

L. Gong, Cryptographic Protocols for Distributed Systems (PhD Thesis), University of Cambridge 1990.


New Protocols for Third-Party-Based Authentication and Secure.. - Gong (1994)   (7 citations)  Self-citation (Gong)   (Correct)

No context found.

L. Gong. Cryptographic Protocols for Distributed Systems. Phd dissertation, University of Cambridge, England, April 1990.


Some Remarks on the Logic of Gong, Needham and Yahalom - Mathuria, Safavi-Naini.. (1994)   Self-citation (Gong)   (Correct)

....which is beyond the scope of this paper. An interesting outcome of this work is a simplification of the Yahalom protocol [1] which resulted from its analysis by using the GNY logic (with a new rule added). In our analysis of the protocol, we adopt the protocol parser proposed in Gong's logic [3], rather than that of the GNY logic. We find that it may not be possible to apply the inference rules of the logic, as intended by GNY, to a protocol description generated by the GNY parser [2]. The parser given in [3] avoids this problem, and we adopt it in our analysis of the Yahalom protocol. ....

....analysis of the protocol, we adopt the protocol parser proposed in Gong's logic [3], rather than that of the GNY logic. We find that it may not be possible to apply the inference rules of the logic, as intended by GNY, to a protocol description generated by the GNY parser [2]. The parser given in [3] avoids this problem, and we adopt it in our analysis of the Yahalom protocol. Needless to say, this does not affect the validity of the problems we point out with the GNY logic. In fact, our examples also apply, equally well, to Gong's logic too. The paper is organized as follows. In section 2 ....

[Article contains additional citation context not shown here]

L. Gong, Cryptographic Protocols for Distributed Systems. PhD thesis, Cambridge University, U.K., 1990.


Logics for Cryptographic Protocols - Virtues and Limitations - Gligor Kailar (1991)   (7 citations)  Self-citation (Gong)   (Correct)

.... Advances in the formal analysis of authentication protocols, based primarily on the logic of authentication of Burrows, Abadi, and Needham [2,4] have stimulated interest in the development of new logics for analysis of other aspects of cryptographic protocols, such as message meaning recognition [9,10] and message secrecy or privacy [6] not just for authentication. The use of these logics can be hampered, to some extent, by the difficulty of delimiting their usefulness in practical applications. The limited application scope of these logics can be easily misunderstood, thereby raising ....

....of these logics (e.g. [4]) and significant debate (e.g. [5,15]); at the same time, some important advantages of these logics are ignored, possibly due to insufficient application experience. In this note, we offer a perspective on the virtues and limitations of the logics presented in references [2,4,9,10], and more recently in [1] based on preliminary attempts to use them in the analysis of practical cryptographic protocols. Our focus on these logics is motivated exclusively by the fact that they are the best known logics for cryptographic protocol analysis to date. We revisit some of the ....

[Article contains additional citation context not shown here]

L. Gong, "Cryptographic Protocols for Distributed Systems," PhD dissertation, University of Cambridge, April, 1990. Also see "Handling Infeasible Specifications of Cryptographic Protocols " in these Proceedings.


Variations on the Themes of Message Freshness and Replay - or the.. - Gong (1993)   (3 citations)  Self-citation (Gong)   (Correct)

....for generating challenges (e.g. supplier, prover, and verifier), the verifier depends on the honesty and competence of the prover. Securely resynchronizing the counters or the number generators is also important. Fresh encryption keys. A freshness identifier can be a fresh encryption key [Gong 90a] such as a session key chosen and distributed by an authentication server, or a key chosen and agreed upon by A and B. In this case, the security of any exchange depends on the quality of the key (i.e. the honesty and competence of the supplier) and on the prover and verifier not leaking the ....

....intended recipient. This attack would be possible if one cannot recognize messages sent by oneself that are encrypted with a shared key cryptosystem (such as DES). Another necessary condition for the attack is that two messages exchanged between the two parties have identical format [Boyd 90, Gong 90a, Bird 93]. One possible solution is to arrange messages so that they can be uniquely identified by their patterns, formats or certain fields. For example, every message could bear a protocol identifier, a version number, a message sequence number, and so on. Or a message could include a direction ....

L. Gong, "Cryptographic Protocols for Distributed Systems," PhD dissertation, University of Cambridge, April, 1990.


Handling Infeasible Specifications of Cryptographic Protocols - Gong (1991)   (5 citations)  Self-citation (Gong)   (Correct)

....extension only beliefs it holds at the time the formula is sent. A protocol is considered infeasible if either of the two requirements is violated. In the revised GNY logic, a notion of eligibility is introduced so that the feasibility checks become an integral part of the logical analysis [Gong 90a]. The remaining of this section shows how the logic works in this aspect. Only a brief description is given, and irrelevant parts of the logic are omitted. Usually, a message of the form P Q : X stating that P sends message X (possibly including message extensions in the GNY logic) to Q is ....

....can only occur regarding fictitious beliefs and possessions. Each of the postulates as given above takes care to cover the two types of infeasible specifications that can be possibly specified in the GNY logic. There are more postulates including those for using public key systems (see [Gong 90a]). The rules as given above also ensure that any statement of the form P jj Q jj C can only be derived if Q jj C already holds. Thus they enforce a causal relation between beliefs. In case this enforcement is unnecessary, the rules can be modified, for example, so that messages that may lead to ....

L. Gong, "Cryptographic Protocols for Distributed Systems", PhD dissertation, University of Cambridge, April, 1990.


Protecting Poorly Chosen Secrets from Guessing Attacks - Gong, Lomas, Needham, Saltzer (1993)   (79 citations)  Self-citation (Gong)   (Correct)

....rate, attacks may be more difficult. This is not just an idle suggestion; there are good security reasons why a clock used for authentication should not be turned back, even if it has accidentally drifted forwards. 3 The inclusion of a timestamp in message 1 (and 3) has another unusual impact [Gong 90a]. Suppose that the timestamp is replaced with information that does not reflect the timeliness of the message. Now since S cannot determine whether message 1 is fresh, except by recording all such messages (which we assume to be impractical), an attacker may play back a previously recorded ....

L. Gong, "Cryptographic Protocols for Distributed Systems", Ph.D. dissertation, University of Cambridge, April, 1990.


A New Approach To Reasoning About Accountability In.. - Wang, Varadharajan..   (Correct)

No context found.

L. Gong, Cryptographic Protocols for Distributed Systems, PhD dissertation, University of Cambridge, April, 1990.


Security In Databases: A Survey Study - Baraani-Dastjerdi, Pieprzyk.. (1996)   (3 citations)  (Correct)

No context found.

Li Gong. Cryptographic Protocols for Distributed Systems. PhD thesis, Jesus College, University of Cambridge, United Kingdom, 1990.
