Mei Lin Hui and Gavin Lowe. Simplifying transformations for security protocols. In Proc. 12th IEEE Computer Security Foundations Workshop, pages 32--43, 1999.
....roles that forward ciphertexts do not encrypt the forwarded ciphertexts, so modifying the protocol to eliminate such forwarding has no impact on the correctness of the protocol, so for our purposes, it suffices to analyze the modified protocol. This transformation is also used in [Low99, RB99, HL99]. A trace for role r is a prefix of a trace obtained by substituting for each parameter x of r a term in the type of x. For example, two traces for Init NSL are 0 = hh fni 0 Bg pubkey(A) ii 1 = hh fni 0 Ag pubkey(B) fni 0 nr 0 Bg pubkey(A) fnr 0 g pubkey(B) ii: The requirement ....
....Key asym ) the operators key , pubkey, and pvtkey occur only in the second argument of encr . This implies that long term keys not in pik are not sent in messages. If a system does not satisfy the shallow ciphertext restriction, applying a transformation that removes some encryptions might help [HL99]. 3.1 Weak Support Informally, a set S′ of nodes supports a set S of nodes if S′ contains all of the nodes in S and all of the regular nodes on which nodes in S depend. Note that S and S′ cannot easily be regarded as histories, because S might lack some necessary regular strands and ....
Mei Lin Hui and Gavin Lowe. Simplifying transformations for security protocols. In Proc. 12th IEEE Computer Security Foundations Workshop (CSFW), 1999. To appear in Journal of Computer Security.
....in every term in every role, the operators key , pubkey, and pvtkey occur only in the second argument of encr . If a protocol of interest does not satisfy the shallow ciphertext restriction, applying a transformation that removes some encryptions (while preserving correctness) might help [HL99]. It is easy to show that every protocol satisfying the unsent long term keys restriction satisfies long term secrecy. 3.1 Support Informally, a set S′ of nodes of a history tr supports a set S of nodes of tr if S′ contains all of the regular nodes in S and all of the regular nodes on ....
Mei Lin Hui and Gavin Lowe. Simplifying transformations for security protocols. Technical Report 1999/1, Dept. of Mathematics and Computer Science, University of Leicester, 1999.
....that instantiating the parameters of a term in a role does not produce a term containing nested occurrences of encr . If a protocol of interest does not satisfy the shallow ciphertext restriction, applying a transformation that removes some encryptions (while preserving correctness) might help [HL99]. Pi SET and Pi 1KP almost satisfy the shallow ciphertext restriction. The only problem is that parameters epd and eslip have type Term. However, these parameters are used to forward messages in a trivial way (specifically, all occurrences of these parameters are unencrypted) so it is easy to ....
Mei Lin Hui and Gavin Lowe. Simplifying transformations for security protocols. Technical Report 1999/1, Dept. of Mathematics and Computer Science, University of Leicester, 1999.
....every term in every role, the operators key , pubkey, and pvtkey appear only in the second argument of the encr operator. If a protocol of interest does not satisfy the shallow ciphertext restriction, applying a transformation that removes some encryptions (while preserving correctness) might help [HL99]. The type restrictions and the shallow ciphertext restriction together imply that for every regular node n, the encryption height of term(n) is at most 1. It is easy to show that every protocol satisfying the unsent long term keys restriction satisfies long term secrecy. 3.1 Support Informally, ....
Mei Lin Hui and Gavin Lowe. Simplifying transformations for security protocols. Technical Report 1999/1, Dept. of Mathematics and Computer Science, University of Leicester, 1999.
....is secure if and only if the original is: if there is an attack on the original, then there is a similar attack on the adapted protocol where the relevant components get sent directly, and vice versa. However, this certainly needs a formal proof; it might be possible to adapt the techniques of [9] to deal with cases such as this. However, this protocol does not meet Assumption 2 (identities inferable) because the initiator's identity is not inferable from the encrypted component of message 3, and the responder's identity is not inferable from the encrypted component of message 4. In [2] ....
M. L. Hui and G. Lowe. Simplifying transformations for security protocols. In preparation, 1998.
No context found.
Mei Lin Hui and Gavin Lowe. Simplifying transformations for security protocols. In Proc. 12th IEEE Computer Security Foundations Workshop, pages 32--43, 1999.