J. K. Millen. The Interrogator model. In IEEE Symposium on Security and Privacy, pages 251--260, 1995.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....space reduction techniques which greatly reduce the state space explosion problem. 1. 1 Related Work Previous automatic tools for security protocol analysis include general purpose model checkers such as FDR [18, 15] and Mur [26] and special purpose model checkers, for example, the Interrogator [25] and Brutus [10] These tools start with an initial state of a protocol execution and then exhaustively search through all possible sequences of actions of both legitimate principals and a modeled attacker to see whether an attack could happen. All these tools have been successfully applied to ....

J. Millen. The Interrogator model. In Proceedings of the 1995 IEEE Symposium on Security and Privacy, pages 251--260. IEEE Computer Society Press, 1995.

....containing a fresh sub element is authenticated in the face of a stronger intruder. We next consider tools that make use of state exploration techniques in some form or the other. These include model checkers such as FDR Casper [15] or MurOE [22] specialized tools such as the Interrogator [20] that provide much of the same capability but are fine tuned for cryptographic protocol analysis, and tools such as the NRL Protocol Analyzer [17] that combine state exploration with a limited theorem proving capability. What all of these tools have in common is that at some point their designers ....

Jonathan Millen. The Interrogator model. In Proceedings of the 1995 IEEE Symposium on Security and Privacy, pages 251--260. IEEE Computer Society Press, May 1995.

....and Stark s work is not perfect; in particular, their use of partial bijections on names is di#erent from our use of frames and theories. In the last few years, several methods for analyzing cryptographic protocols have been developed within action based or state based models (see for example [5, 9, 10, 11, 12, 13, 14, 18, 21]) Some of these models are presented as process algebras, others in logical forms. Often, the analysis of a protocol requires defining a particular attacker (an environment) for the protocol; recently, there has been promising progress towards automating the construction of this attacker. ....

J. K. Millen. The Interrogator model. In IEEE Symposium on Security and Privacy, pages 251--260, 1995.

....and prepositions to idealised messages, the fact that there is no complete semantics for the logic, and the modelling of freshness. Attack construction methods construct probable attack sets based on the algebraic properties of the protocol s algorithms. These methods [13] 14] 15] 16] 17] [18] [19] 20] 21] 22] are targeted towards ensuring authentication, correctness, or security properties; they are not dependent on the correctness of a proposed logic. Their main disadvantage lies in the big number of possible events that must be examined. Attempting to avoid the exponential ....

....received. Events represent the state transitions in which new words are generated and beliefs are modified. Thus an intruder who controls the dissemination of messages can use the protocol to produce words, beliefs, and events. The NRL Protocol Analyzer, in common with the Interrogator model [18] [44] uses a backward search strategy to construct a path from a specified insecure state to an initial state. The main difference between the NRL model and the Interrogator stems from their end goals: the NRL model aims to prove that a protocol is secure while the Interrogator is designed to ....

[Article contains additional citation context not shown here]

Millen J., The Interrogator Model, Proceedings of the 1995 IEEE Symposium on Security and Privacy, (1995) 251-260, IEEE Computer Society Press.

....by analysing and documenting their operation [26] The most important methods can be divided into two categories [27] according to their operation domain: Attack construction tools construct probable attack sets based on the protocol s algorithms algebraic properties. These methods [28] 29] 30] [31] [32] 33] are targeted towards ensuring authentication, correctness or security properties and are not dependent on the correctness of a proposed logic. Their disadvantage lies mainly in the big number of possible events that must be examined. Inference construction tools are utilising either ....

....these methods have been judged as an important contribution to the field, research has turned into more specialised directions. The driving force behind this turn is the desire to use cryptography domain specific reasoning knowledge. 3.2. 2 Expert system, scenario based methods The method due to [31], known as the Interrogator Model, is using a system based on a Prolog solver to guide the designer towards examining whether a specific protocol can lead to an undesirable situation, such as compromising a key. Although this method can not guarantee absolute safety, it works very well in ....

Millen J. The Interrogator Model. In: Proceedings of the 1995 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 1995, pp. 251-260

....formalism; this has obvious advantages but it also implies that our method is less intuitive than some based on ad hoc formalisms (e.g. BAN89] As in some modal logics (e.g. ABLP93, LABW92] we emphasize reasoning about channels and their utterances. As in state transition models (e.g. [DY81, MCF87, Mil95a, Kem89, Mea92, Pau97]) we are interested in characterizing the knowledge of an environment. The unique features of our approach are its reliance on the powerful scoping constructs of the pi calculus; the radical definition of the environment as an arbitrary spi calculus process; and the representation of security ....

J. K. Millen. The Interrogator model. In IEEE Symposium on Security and Privacy, pages 251--260, 1995.

....state space. There exists also the famous NRL protocol analyzer [23, 24] It performs backwards reachability analysis for a system consisting of an unbounded number of participants. It is thus examining an infinite state space but its algorithm does not always terminate. Millen s Interrogator [15, 25] is another tool for doing backwards analysis. General information about finite state analysis of cryptographic protocols can be found e.g. from [26] 1.2 Other Methods There exist also other methods for the formal analysis of cryptographic protocols, for example the BAN logic [3, 4] and its ....

MILLEN, J. K. The Interrogator model. In Proceedings of the 1995 IEEE Symposium on Security and Privacy (1995), IEEE Computer Society Press, pp. 251--260.

....protocols. Many researchers have worked on applying formal techniques to the analysis of security protocols. They have developed logics of knowledge and belief such as BAN logic [2] and GNY logic [7] semi automatic and fully automatic tools such as the NRL Analyzer [14] the Interrogator Model [16], FDR [12] Mur [17] Brutus [5] and Revere [9] and theorem provers such as Isabelle [19] Automatic checkers have the practical advantage that they are easy to use and do not need the assistance of experienced users. Unfortunately, current automatic checkers suffer from the state space ....

J. Millen. The Interrogator model. In Proceedings of the 1995 IEEE Symposium on Security and Privacy, pages 251-- 260. IEEE Computer Society Press, 1995.

....years, formal methods have been successfully applied to the analysis of security protocols. The bulk of the effort has been concerned with authentication and confidentiality properties, and there are now a range of maturing techniques and approaches for such analysis, as exemplified in [6] and in [1, 3, 4, 5, 7, 11, 12]. Non repudiation [2] has not been addressed to the same degree by these techniques, and it is the aim of this paper to consider how the CSP approach presented in [9] extends or adapts to the analysis of this property. Non repudiation protocols are used to enable agents to send and receive ....

J. Millen. The interrogator model. In IEEE Computer Society Symposium on Research in Security and Privacy, 1995.

....to a specific class of problems, namely the verification of authentication protocols. Apart from existing mechanization of belief logics such as described in [3] tool support in this area, has mostly concentrated on analysing security protocols by searching for or attempting to construct attacks [16, 19, 14, 27]. The results of this kind of analysis is either the successful discovery of an attack, or else a bald statement that none can be found. The discovery of an attack provides useful insight into the flaws of a particular design, and hence can be useful in improving the design of the protocol. As ....

J. Millen. The interrogator model. In IEEE Symposium on Research in Security and Privacy, 1995.

....formalism; this has obvious advantages but it also implies that our method is less intuitive than some based on ad hoc formalisms (e.g. BAN89] As in some modal logics (e.g. ABLP93, LABW92] we emphasise reasoning about channels and their utterances. As in state transition models (e.g. [DY81, MCF87, Mil95, Kem89, Mea92]) we are interested in characterising the knowledge of an environment. The unique features of our approach are its reliance on the powerful scoping constructs of the pi calculus; the radical definition of the environment as an arbitrary spi calculus process; and the representation of security ....

J. K. Millen. The Interrogator model. In IEEE Symposium on Security and Privacy, pages 251-- 260, 1995.

....of the algorithms in the protocols; and attempting to construct inferences, using specialized logics based on a notion of belief , that protocol participants can confidently reach desired conclusions. Attack construction tools, following work by Dolev and Yao [12] include Millen s Interrogator [23, 25, 24] and Meadows NRL Protocol Analyzer [19, 20, 21] These tools address both authentication and security, and do not depend on the validity of a specialized logic. They suffer from a combinatorial explosion in the number of possibilities they must consider, though, and require that the user specify ....

J. Millen. The Interrogator model. In Proceedings of the Symposium on Security and Privacy, pages 251-- 260, Oakland, CA, May 1995. IEEE.

....formalism; this has obvious advantages but it also implies that our method is less intuitive than some based on ad hoc formalisms (e.g. BAN89] As in some modal logics (e.g. ABLP93, LABW92] we emphasise reasoning about channels and their utterances. As in state transition models (e.g. [DY81, MCF87, Mil95a, Kem89, Mea92]) we are interested in characterising the knowledge of an environment. The unique features of our approach are its reliance on the powerful scoping constructs of the pi calculus; the radical definition of the environment as an arbitrary spi calculus process; and the representation of security ....

J. K. Millen. The Interrogator model. In IEEE Symposium on Security and Privacy, pages 251--260, 1995.

....of a protocol [2, 26] Many have tried using formal models to analyze security protocols. Some have developed deductive systems or proof methodologies for their models [1, 3, 6, 7, 9, 20, 25, 27] while others have tried automated search techniques to try to find an error in a model of the protocol [12, 14, 15, 17, 18, 19]. Our approach is also based on model checking and automated search. In this paper we describe a special purpose model checker with two orthogonal components. The first is a state exploration component. Each honest agent is described by the sequence of actions that it takes during a run of the ....

J. Millen. The Interrogator model. In Proceedings of the 1995 IEEE Symposium on Security and Privacy, pages 251--260. IEEE Computer Society Press, 1995.

....In the last few years, the importance of reasoning about cryptographic protocols has been widely recognised, and several methods have been used for this task. Those methods are based on a large variety of formal frameworks: temporal logics, modal logics, state transition models, CSP (see e.g. [MCF87, BAN89, Kem89, Mil95a, Mea92, GM95, Low96, Sch96a]) The main emphasis of that work has been on authenticity properties. Proofs in the spi calculus are sometimes more difficult than proofs in those earlier frameworks. The sources of this difficulty are in part the novelties and advantages of the spi calculus approach: the expressive scoping ....

J. K. Millen. The Interrogator model. In IEEE Symposium on Security and Privacy, pages 251--260, 1995.

....and Stark s work is not perfect; in particular, their use of partial bijections on names is different from our use of frames and theories. In the last few years, several methods for analysing cryptographic protocols have been developed within action based or state based models (see for example [MCF87,Mil95,Kem89,Mea92,GM95,Low96,Sch96a,Bol96,Pau97]) Some of these models are presented as process algebras, others in logical forms. Often, the analysis of a protocol requires defining a particular attacker (an environment) for the protocol; recently, there has been promising progress towards automating the construction of this attacker. ....

J. K. Millen. The Interrogator model. In IEEE Symposium on Security and Privacy, pages 251--260, 1995.

....message containing a fresh sub element is authenticated in the face of a stronger intruder. We next consider tools that make use of state exploration techniques in some form or the other. These include model checkers such as FDR Casper [16] or MurOE [22] specialized tools such as the Interrogator [20] that provide much of the same capability but are fine tuned for cryptographic protocol analysis, and tools such as the NRL Protocol Analyzer [17] that combine state exploration with a limited theorem proving capability. What all of these tools have in common is that at some point their designers ....

Jonathan Millen. The Interrogator model. In Proceedings of the 1995 IEEE Symposium on Security and Privacy, pages 251--260. IEEE Computer Society Press, May 1995.

....the underlying separate processes. Fortunately, the protocol specifications required for most protocol analysis tools have considerable structural similarity. They generally specify a protocol with state transition rules for communicating processes. An earlier suggestion for the CIL semantics [Mil95] used a small set of primitive operations (send, receive, assign, compare) to characterize state transitions. The new approach summarized in this document uses multiset term rewriting rules that permit state changes to be presented more concisely, and in a way that more nearly matches the ....

.... Accepting a message means that A will undergo a state transition as a result of receiving it. CIL is designed to take advantage of this pattern matching concept. The purpose of CIL is to unambiguously define the meaning of a protocol specification. An earlier suggestion for the CIL semantics [Mil95] used a small set of primitive operations (send, receive, assign, compare) to characterize state transitions. The new approach summarized in this document uses multiset term rewriting rules that permit state changes to be presented more concisely, and in a way that more nearly matches the ....

J. Millen. The Interrogator model. In IEEE Symposium on Security and Privacy, pages 251--260. IEEE Computer Society, 1995.

....1 Introduction Current techniques for security analysis of authentication and key distribution protocols represent encryption operators symbolically and specify their properties with abstract rules or axioms. Approaches that employ state transition models, such as the Prolog state search systems [3,4], those that use general purpose specification and verification systems [2] temporal logic [1] model checking [5] and others, typically use explicit or implicit term replacement rules to express the properties of these operators. An example of a term replacement rule is d(K; e(K; X) X; ....

....in a symmetric key system is reversed by a decryption with the same key. We use capital letters for pattern variables that can be instantiated. Encryption reverses decryption similarly. Systems that search backwards from an insecure goal state to construct attacks, such as the Interrogator [4] and the NRL tool [3] have to solve equations when attempting to instantiate a state transition rule. An example of an equation is d(k; X) a; 1 Work performed while at The MITRE Corporation which can be solved by making the substitution X e(k; a) and then applying the rule to reduce the ....

J. K. Millen, "The Interrogator model," 1995 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, 1995, 251-160.

No context found.

J. K. Millen. The Interrogator model. In IEEE Symposium on Security and Privacy, pages 251--260, 1995.

No context found.

J. Millen. The Interrogator model. In Proc. 16th IEEE Symposium on Security & Privacy, pages 251--260, 1995.

No context found.

J. K. Millen. The Interrogator model. In IEEE Symposium on Security and Privacy, pages 251--260, 1995.

No context found.

Millen, Jonathan K., "The Interrogator Model", Proceedings of the 1995 IEEE Symposium On Research in Security and Privacy, pp. 251-260.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC