C. Meadows. A system for the specification and verification of key management protocols. In Proceedings of the 1991 IEEE Symposium in Research in Security and Privacy. IEEE Computer Society Press, May 1991.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....and transition rules which define both the protocol being analyzed, the network properties, and the capabilities of an enemy. Initial work in this area can be traced to [10] Much has been accomplished already in this area. A well known software tool is C. Meadows s NRL Protocol Analyzer [15]. Other promising work includes G. Lowe s use of the Failures Divergences Refinement Checker in CSP [11] S. Schneider s use of CSP [21] and the model checking algorithms of Marrero, Clarke, and Jha [14] In this paper we present our approach using the theorem prover Otter, we discuss our design ....

Meadows, C.: A system for the specification and verification of key management protocols. In Proceedings of the

....certain purposes. Also, the standard was changed with respect to the way the keys to be used by the smartcard are determined. We applied our methods to other protocols as well (among the known attacks which we also found by our methods are the on the TMN protocol, and the Lowe [15] and the Meadows [17] attacks on the Needham Schroeder public key protocol [19] In particular, we analyzed the Needham Schroeder protocol for symmetric algorithms (see [19] Our analysis found the attack first shown by Denning and Sacco in [8] and in addition a new attack not previously published (which we called ....

C. Meadows. A system for the specification and verification of key management protocols. In IEEE Symposium on Security and Privacy, pages 182--195. IEEE Computer Society Press, New York, 1991.

....1 Introduction 1.1 Background It is well known that protocols for exchanging cryptographic keys over data networks can be vulnerable to message modification attacks. This fact led to the development of tools for cryptographic protocol analysis. Some of the earlier papers on the subject are [MCF87, Mea91] on goal directed state search tools implemented in Prolog, Kem89] on the application of generalpurpose specification and verification tools, BAN90] on a specially designed logic of belief, and [Ros95, Low96] on the application of a model checking tool for CSP specifications. These tools and ....

C. Meadows. A system for the specification and verification of key management protocols. In IEEE Symposium on Security and Privacy, pages 182--195. IEEE Computer Society, 1991.

....as a basis for my research, it was unclear where we would ultimately wind up. Thus, we needed to ability to build a tool that could be rapidly reconfigured to incorporate new techniques and models, and that updated over (possibly) over a long period of time. The earliest version of the Analyzer [2] consisted of a simply of a state generation tool. The user specified a state, and the Analyzer would use equational unification to generate all states that immediately preceded it. The search strategy was largely guided by the user, and was input by hand. This was very tedious, but allowed me to ....

C. Meadows. A system for the specification and verification of key management protocols. In Proceedings of the 1991 IEEE Symposium in Research in Security and Privacy. IEEE Computer Society Press, May 1991.

....applied to a number of di#erent cryptographic protocols, and has found flaws in several. In some cases the flaws had not been discovered before. Examples of protocols the Analyzer has been used to examine are the Simmons Selective Broadcast Protocol [5] the Burns Mitchell Ticket Granting Protocol [4], the Needham Schroeder public key protocol [8] and, most recently, the Internet Key Exchange protocol [7] A description of the Analyzer is given in [6] Most of the protocols to which the Analyzer has been applied are specified at a higher degree of abstraction than the protocols we will be ....

....to the dishonest user. This is seen by the intruder, since all messages sent to dishonest users are shared with the intruder. 5. Transition 3) The intruder of course has already learned EH2 from Step 2. He uses it to find d(key(host(A) host(B) notsent(W) from the message sent in step [4]. The Analyzer also found a number of attacks similar to Bellovin s. We asked it two questions (described in more detail in Appendix B) The first was an integrity question which asked whether the first block of a decrypted message stored in the host could be a header indicating it had been sent ....

C. Meadows, A System for the Specification and Verification of Key Management Protocols, Proceedings of the 1991 IEEE Computer Society Symposium in Research in Security and Privacy, May 1991.

....to a number of different cryptographic protocols, and has found flaws in several. In some cases the flaws had not been discovered before. Examples of protocols the Analyzer has been used to examine are the Simmons Selective Broadcast Protocol [27] the Burns Mitchell Ticket Granting Protocol [32], and an early version of the Encapsulating Security Protocol [46] The Analyzer has also been used to prove security properties of a number of other protocols, by performing an exhaustive search of the finite space that is left after the necessary lemmas have been proved (see [28, 29] A more ....

Catherine Meadows. A system for the specification and verification of key management protocols. In Proceedings of the 1991 IEEE Computer Society Symposium in Research in Security and Privacy. IEEE Computer Society Press, May 1991.

....to a number of different cryptographic protocols, and has found flaws in several. In some cases the flaws had not been discovered before. Examples of protocols the Analyzer has been used to examine are the Simmons Selective Broadcast Protocol [16] the Burns Mitchell Ticket Granting Protocol [15], and an early version of the Encapsulating Security Protocol [26] A more detailed description of the Analyzer is given in [17] 4 Improvements Made to the Protocol Analyzer In order to analyze a protocol the size of IKE, it was necessary to make a number of improvements to the Protocol ....

C. Meadows. A system for the specification and verification of key management protocols. In Proceedings of the 1991 IEEE Symposium in Research in Security and Privacy. IEEE Computer Society Press, May 1991.

....two types of failures that it would be useful to be able to handle. One of these is the class of failures that we consider likely to occur, such as the compromise of a used session key. We can include such failures by specifying them as part of the protocol; this, for example, is what we did in [19] in an analysis of a variant of the Needham Schroeder protocol. The other is the class of failures that may or may not be likely, but can be shown to cause security failures in the protocol. It is, of course, impossible to list all such failures, but it would be useful to have a system that could ....

....us no assistance in answering this question. Our techniques allow us to specify the operation of a protocol, but they do not help us to determine its requirements. Extensions to the our system that we have subsequently developed make characterization of security and insecurity a little easier; in [19] we introduce a model in which we can specify the security of a protocol not only in terms of words learned by a penetrator and values of internal state variables, but in terms of histories of events that should or should not occur. Since most cryptographic protocols are informally specified in ....

C. A. Meadows. A system for the specification and verification of key management protocols. In Proceedings of the 1991 IEEE Symposium on Security and Privacy, pages 182--195, Oakland, CA, May 1991. IEEE Computer Society Press.

....to a number of different cryptographic protocols, and has found flaws in several. In some cases the flaws had not been discovered before. Examples of protocols the Analyzer has been used to examine are the Simmons Selective Broadcast Protocol [5] the Burns Mitchell Ticket Granting Protocol [4], the Needham Schroeder public key protocol [7] A description of the Analyzer is given in [6] Most of the protocols to which the Analyzer has been applied are specified at a higher degree of abstraction than the protocols we will be looking at in this paper. Methods for using block ciphers to ....

C. Meadows, A System for the Specification and Verification of Key Management Protocols, Proceedings of the 1991 IEEE Computer Society Symposium in Research in Security and Privacy, May 1991.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC