78 citations found.
Paul F. Syverson and Paul C. van Oorschot. On unifying some cryptographic protocol logics. In IEEE Computer Society Symposium on Research in Security and Privacy, pages 14-28, 1994.


This paper is cited in the following contexts:


Formal Methods for Cryptographic Protocol Analysis: Emerging.. - Meadows (2003)   (4 citations)

.... example, work on the analysis of modes of encryption and chosen and known plaintext has been successful both in finding new problems [76] and reproducing known attacks [77] Work also exists on extending standard protocol analysis techniques to include Diffie Hellman, including belief logics [83] [79] and modelchecking techniques [47] 64] Another approach is to attempt to wed formal methods with the proofs of security provided by theoretical cryptography, thus obtaining, not only an automated state analysis, but a rigorous proof of security based on well defined cryptographic assumptions. ....

P. F. Syverson and P. C. van Oorschot. On unifying some cryptographic protocol logics. In 1994.


Efficient Multi-Party Challenge-Response Protocols for.. - Buttyán, Nagy, Vajda (2001)

....to be flawed and vulnerable to some form of replay attack later [5] The reason for this is that flaws are usually subtle and hard to find. In order to solve this problem, many papers propose methods that can be used for formal verification of entity authentication and key establishment protocols [4, 6, 11], and principles that can help to avoid common mistakes in their design [1, 2] In this paper, we do not aim at contributing to these efforts, but we rather build on them: we adhere to the design principles of [1] and use a formal logic [11] to explain some of the subtle details of our protocols. ....

.... authentication and key establishment protocols [4, 6, 11] and principles that can help to avoid common mistakes in their design [1, 2] In this paper, we do not aim at contributing to these efforts, but we rather build on them: we adhere to the design principles of [1] and use a formal logic [11] to explain some of the subtle details of our protocols. The outline of the paper is the following. In Section 2, we introduce our system model and clarify the concept of entity authentication in this model. Then, in Section 3, we prove that the lower bound on the number of messages of multi party ....

[Article contains additional citation context not shown here]

P. Syverson and P. van Oorschot. On unifying some cryptographic protocol logics. In Proceedings of the IEEE CS Symposium on Research in Security and Privacy, pages 14-28, 1994.


The Application of Software and Safety Engineering Techniques to.. - Foster (2003)   (1 citation)

....successfully used to identify flaws and redundancy in a number of protocols. In particular, it is praised for its simplicity and ease of use. Many researchers have developed extensions of BAN logic, others have tried to overcome the deficiencies of the logic by generalisation of its assumptions [64, 1, 161, 93, 156]. These attempts have often resulted in more complex and difficult to use logics. Therefore, as long as the verifier is aware of the limitations of the BAN logic, it is still considered to be a good starting point for the verification of a protocol. 3.3 The GNY logic The Gong, Needham and Yahalom ....

....this logic being more general than the BAN logic, since it relies on fewer assumptions, it is much more complex and contains over 40 inference rules making it far more difficult to use. 3. 4 The SvO logic Another important extension of the BAN logic is the SvO logic from Syverson and van Oorschot [156]. This logic was designed with the intent of unifying four logics from the BAN family: BAN logic [38] GNY logic [64] AT logic [1] and the van Oorschot logic [161] Whilst maintaining all the good features of those logics, the SvO logic is simpler, both in terms of syntactic complexity and the ....

Paul F. Syverson and Paul C. van Oorschot. On Unifying Some Cryptographic Protocol Logics. In IEEE Symposium on Research in Security and Privacy, pages 14--28. IEEE Computer Society, 1994.


Analysis of Cryptographic Protocols using Logics of Belief: an.. - Monniaux (2001)   (1 citation)

....of belief, aiming at formalizing such inferences, have been proposed. The first of these was the so called BAN logic from Burrows, Abadi and Needham [9,10] which was followed by more expressive and elaborate extensions such as GNY (Gong, Needham and Yahalom [16,15] Syverson and van Oorschot [33,34]) and CKT5 [8] One limitation of these logics is the need to annotate the protocols with logical assertions that are assumed to represent the intent of the sender of the message, as well as logical assumptions on the secrecy or freshness of certain pieces of information. Also, they cannot verify ....

....receives. Also, it does not assume that a principal can always determine whether a message was not once originated by himself. GNY logic also separates what a principal says, what it believes and what it possesses. Other logics have been proposed to alleviate some other weaknesses of BAN logic [34, 33]. We shall restrict ourselves here to a cursory glance at GNY logic [16] We shall consider a very simple (and admittedly silly) protocol: B : N a 2. B A : N B : This is to be understood as: in step 1, A sends a newly generated number N a to B; B answers with the encryption of ....

[Article contains additional citation context not shown here]

P. Syverson and P. C. van Oorschot. On unifying some cryptographic protocol logics. In 1994.


Verification of Payment Protocols via MultiAgent.. - Benerecetti, Panti.. (2002)

....is applied to BDI attitudes (i.e. Belief, Desire, and Intention) of agents. Our work aims at the use of MATL for modeling payment protocols and uses NuMAS for their verification. This goal is fulfilled in three steps. First, we capture traditional logics of authentication (e.g. as [1, 8, 18]) in MATL. Second, we extend the above work in order to capture typical issues of electronic payment protocols. MATL is expressive enough to fulfill both the previous steps. Third, we model principals participating to a payment protocol session as (concurrent finite state) processes able to ....

....q) #L# (denoted by # : AG (p q) intuitively means that in every future state (the CTL operator AG) if p is true then principal i believes q is false. The next step is the definition of an appropriate in order to represent the usual propositions of a logic of authentication as in [1, 8, 18]. First of all, a logic of authentication is a logic of belief, i.e. it has formulae as Pbelieves#. Such formulae have a one to one mapping with MATL formulae as BP # (see Fig. 2. The structure of views for the Lu and Smolka protocol and the proposition CseesXin MATL Fig. 3. The structure of ....

[Article contains additional citation context not shown here]

P. Syverson and P. C. van Oorschot. On Unifying Some Cryptographic Protocol Logics. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 14--28, Oakland, CA, May 1994. IEEE Computer Society Press. 312, 314, 319, 320


Current Approaches to Authentication in Wireless and.. - Schäfer, Festag, Karl

....published approach of this class was BAN Logic [6] named after its inventors Burrows, Abadi and Needham. Various extensions and other approaches based on the same idea have been proposed since then [10, 12, 18, 24, 41, 53] Other logics based validation techniques for cryptographic protocols are [3, 4, 30, 37, 43, 44, 45, 46, 47]. One of the most successful approaches of this category is GNY Logic, which has been widely used to analyze cryptographic protocols since its publication [12] 2.3 Conclusion This chapter gave a brief introduction into principles of authentication. While data origin authentication aims to ....

P. Syverson and P.C. van Oorschot. On Unifying Some Cryptographic Protocol Logics. In 1994.


Reconciling Two Views of Cryptography (The Computational.. - Abadi, Rogaway (2000)   (26 citations)

....with acyclic expressions. In contrast, cycles are typically permitted (without discussion ) in formal methods. 3.2 Equivalence Next we give a formal definition of equivalence of expressions. It draws on definitions from the works of Syverson and van Oorschot, Schneider, 7 Paulson, and others [37, 39, 40]. Some of the auxiliary definitions concern how expressions can be analyzed and synthesized; such definitions are quite common in formal methods for protocol analysis. Equivalence relations are useful in semantics of modal logics: in such semantics, one says that two states in a computation look ....

Paul F. Syverson and Paul C. van Oorschot. On unifying some cryptographic protocol logics. In IEEE Computer Society Symposium on Research in Security and Privacy, pages 14--28, 1994. 32


A Compositional Logic for Proving Security Properties of.. - Durgin, Mitchell.. (2002)   (9 citations)

....parts of the proof system are rules for reasoning about the set of messages that could reveal secret data and an invariant rule called the honesty rule. 1 Introduction There has been considerable research on formal analysis of security protocols, ranging from BAN logic and related approaches [3, 8, 25] to finite state analy Partially supported by the Kestrel Institute, ONR MURI Semantic Consistency in Information Exchange, N00014 97 1 0505, and ONR Grant Games and Security in Systems of Autonomous Agents, N0014 00 C 0495. sis [23, 19] and proof methods based on higher order logic [21] ....

....imperative programs applying Floyd Hoare style annotations [7, 9] so that the composition of the assertions associated with each action can provide the basis for a protocol correctness proof. The underlying logic is different from previous belief logics such as BAN and its descendants [3, 8, 25] and from explicit reasoning about protocol and intruder as in Paulson s inductive method [21] The central idea is that assertions associated with an action will hold in any protocol execution that contains this action. This gives us the power to reason about all possible runs of a protocol, ....

P. Syverson and P. van Oorschot. On unifying some cryptographic protocol logics. In Proc. 1994.


SPEAR II - The Security Protocol Engineering and Analysis Resource - Hutchison (1999)

....to determine whether a given protocol achieves its design goals. Another use is to help eliminate protocol and message field redundancy. Analysis using logics was first popularized in 1989 by the BAN logic [1] BAN spawned a family of related logics, two well known members being GNY [17] and SVO [30]. These and other logic systems have been used to reveal flaws in protocols that were previously accepted as correct [1, 17] The issue of security protocol efficiency has been given rather low priority over recent years. One possible explanation is that since cryptographic protocols tend to ....

P.F. Syverson and P.C. van Oorschot. On Unifying Some Cryptographic Protocol Logics. In Proceedings of the 1994.


A Security Analysis of the Cliques Protocols Suites - Pereira, Quisquater (2001)   (22 citations)

.... in the considered state space ( 6] 7] 8] However several tools allow to obtain proofs for unbounded systems at the cost of the interactive proof of several lemmas [9] or of the risk of receiving no answer for some protocols [13] Other approaches are based on the use of logics ( 12] [14] . They allow to obtain proofs for arbitrary size systems, but they often require particularly error prone formalization steps and do not provide the same support in pinpointing problems as the direct generation of counter examples. Recently, manual approaches were presented, allowing to ....

P. Syverson and P. van Oorschot. On unifying some cryptographic protocols logics. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 1424, 1994.


Towards an Awareness-Based Semantics for Security Protocol.. - Accorsi, Basin, Vigano (2001)   (3 citations)

....Computer Science URL: www. elsevier. nl locate entcs A number of formal methods have been proposed for rigorously analyzing security protocols. Some of these methods are based on specialized security logics, such as the foundational BAN logic for authentication protocols (see [1,5] as well as [15,17] and the other logics discussed there) The idea behind these logics is to formalize the doxastic or epistemic reasoning of agents executing a protocol. More precisely, the logics provide constructs, axioms and inference rules for expressing the basic notions of security protocols (e.g. secrecy ....

....the hide operator is introduced to model the assumption of perfect cryptography; the idea is to conceal the contents of unreadable encrypted messages that an agent possesses, thus preventing him from believing that a message contains information he does not (or is not yet ready to) understand. In [17], Syverson and van Oorschot give the logic SVO, which combines features of the GNY and AT logics with additional notions such as key agreement. The SVO logic has a possible worlds semantics that is close to the semantics given in [1] but hiding is replaced by a more refined notion of com ....

Syverson, P. F. and P. C. van Oorschot, On unifying some cryptographic protocol logics, in: Proceedings of the 1996.


Data Independence in the Model Checking of Security Protocols - Broadfoot (2001)   (2 citations)

....misinterpreted and used in the wrong context, leading to misguided results on numerous occasions. Various extensions to the BAN logic have been proposed to provide a richer framework, for example, the GNY logic by van Gong, Needham and Yahalom [GNY90] and that proposed by Syverson and Oorschot [SvO94] 1.3.2 General purpose model checkers A number of general purpose model checkers have proved to be extremely effective at finding attacks upon security protocols, for example as demonstrated in [Low96a, LR97b, MCJ97, MMS97] The method we will be using in this thesis falls into this category, ....

P. Syverson and P. van Oorschot. On unifying some cryptographic protocol logics. IEEE Computer Society Symposium on Research in Security and Privacy, pages 14--28, May 1994.


C3PO: a Tool for Automatic Sound Cryptographic Protocol Analysis - Dekker (2000)   (2 citations)

....and Yahalom [3, 4] These logics allow reasoning about authentication, but their complexity has resulted in problems with unsoundness and difficulty of implementation. In spite of the published soundness proof of BAN logic in [2] the BAN and GNY logics have been extensively criticised (e.g. [3, 4, 11]) One of the more recent members of this family is the SVO logic of Syverson and van Oorschot [11] The SVO logic unifies much of the previous work in an elegant framework, and is proved to be sound (which we view as essential, since we are particularly interested in the information security ....

....in problems with unsoundness and difficulty of implementation. In spite of the published soundness proof of BAN logic in [2] the BAN and GNY logics have been extensively criticised (e.g. 3, 4, 11] One of the more recent members of this family is the SVO logic of Syverson and van Oorschot [11]. The SVO logic unifies much of the previous work in an elegant framework, and is proved to be sound (which we view as essential, since we are particularly interested in the information security evaluation of cryptographic protocols at a high level) However, this logic is not suitable for ....

P. F. Syverson and P. C. van Oorschot, On Unifying Some Cryptographic Protocol Logics, Proceedings of the


Current Approaches to Authentication in Wireless and.. - Schäfer, Festag, Karl (2001)

....published approach of this class was BAN Logic [6] named after its inventors Burrows, Abadi and Needham. Various extensions and other approaches based on the same idea have been proposed since then [10, 12, 18, 24, 41, 53] Other logics based validation techniques for cryptographic protocols are [3, 4, 30, 37, 43, 44, 45, 46, 47]. One of the most successful approaches of this category is GNY Logic, which has been widely used to analyze cryptographic protocols since its publication [12] 2.3 Conclusion This chapter gave a brief introduction into principles of authentication. While data origin authentication aims to ....

P. Syverson and P.C. van Oorschot. On Unifying Some Cryptographic Protocol Logics. In


The Weakest Precondition Protocol Analysis Environment - Yasinsac, Runy

....example, they should be able to deliver the session keys to both principals involved in a communication without allowing those keys to be compromised. 2. Weakest Precondition Reasoning Many methods for verifying security protocols have been developed to date including [4] MCF87] BAN88] 6] [14], 9] 12] 7] 8] 15] 11] 13] 1] 3] and many others. Yasinsac and Wulf first used weakest precondition reasoning in the evaluation of protocols [18] and they have since been shown to facilitate detection of flaws and inconsistencies in security protocols [16] 2] Weakest ....

P. Syverson, and P.C. van Oorshot, "On Unifying Some Cryptographic Protocol Logics", in Proc of


Abstracting Cryptographic Protocols with Tree Automata - Monniaux (1999)   (33 citations)

....except the description of the protocol and the cryptographic primitives involved. 1. 2 Comparison to Related Works Burrows, Abadi and Needham proposed to analyze cryptographic protocols using a logic of belief, now known as the BAN logic [10] Several derivatives of this logic have followed [22,21,42,43]. All those systems provide a means to formalize the high level reasoning that stands behind the protocols. Such informal reasoning often uses steps such as Principal B receives a message signed with K a , and K a is a secret key only owned by A; therefore, this message must have been emitted by ....

P. Syverson and P. C. van Oorschot. On unifying some cryptographic protocol logics. In 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pages 14--28, May 1994.


Towards an Awareness-Based Semantics for Security Protocol.. - Accorsi, Basin, Vigano (2001)   (3 citations)

....www.elsevier.nl locate entcs Accorsi, Basin, Vigan o A number of formal methods have been proposed for rigorously analyzing security protocols. Some of these methods are based on specialized security logics, such as the foundational BAN logic for authentication protocols (see [1,5] as well as [14,16] and the other logics discussed there) The idea behind these logics is to formalize the doxastic or epistemic reasoning of agents executing a protocol. More precisely, the logics provide constructs, axioms and inference rules for expressing the basic notions of security protocols (e.g. secrecy of ....

....the hide operator is introduced to model the assumption of perfect cryptography; the idea is to conceal the contents of unreadable encrypted messages that an agent possesses, thus preventing him from believing that a message contains information he does not (or is not yet ready to) understand. In [16], Syverson and van Oorschot give the logic SVO, which combines features of the GNY and AT logics with additional notions such as key agreement. The SVO logic has a possible worlds semantics that is close to the semantics given in [1] but hiding is replaced by a more refined notion of ....

Syverson, P. F. and P. C. van Oorschot, On unifying some cryptographic protocol logics, in: Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, IEEE Computer Society Press, 1994 pp. 14-- 28.


A Unified Cryptographic Protocol Logic - Syverson, van Oorschot (1996)   (7 citations)  Self-citation (Syverson Van oorschot)

No context found.

Paul F. Syverson and Paul C. van Oorschot. On Unifying Some Cryptographic Protocol Logics. In Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pages 14--28. IEEE Computer Society Press, Los Alamitos, California, 1994.


Reconciling Two Views of Cryptography - The Computational Soundness

No context found.

Paul F. Syverson and Paul C. van Oorschot. On unifying some cryptographic protocol logics. In IEEE Computer Society Symposium on Research in Security and Privacy, pages 14-28, 1994.


Theory Generation for Security Protocols - Kindred, Wing (1999)   (4 citations)

No context found.

P. F. Syverson and P. C. van Oorschot. On unifying some cryptographic protocol logics. In Proceedings of the 1994 IEEE Symp. on Security and Privacy, pages 14--28, 1994.


A Compositional Logic for Protocol Correctness - Durgin, Mitchell, Pavlovic (2001)   (14 citations)

No context found.

P. Syverson and P. van Oorschot. On unifying some cryptographic protocol logics. In Proc. 1994.


Modelling and Security Analysis of Authenticated Group Key.. - Pereira (2003)   (4 citations)

No context found.

P. Syverson and P. van Oorschot. On unifying some cryptographic protocols logics. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 14--24, Oakland, USA, 1994. IEEE Computer Society Press.


Security Protocol Verification Using SPIN - Jøsang (1995)

No context found.

Paul F. Syverson and Paul C. van Oorschot. On unifying some cryptographic protocol logics. In Proceedings of the 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pages 14--28. IEEE Computer Society Press, Los Alamitos, CA, 1994.


A Compositional Logic For Proving Security Properties Of.. - Durgin, Mitchell.. (2003)   (9 citations)

No context found.

P. Syverson and P. van Oorschot, On unifying some cryptographic protocol logics, in: Proc.


Private Computing: The Trusted Digital Assistant - Stabell-Kulø

No context found.

SYVERSON, P. F., AND VAN OORSCHOT, P. C. On unifying some cryptographic protocol logics. In Proceedings of the 1994.


CiteSeer.IST - Copyright Penn State and NEC