Results 1 - 4 of 4
Using Horn clauses for analyzing security protocols
Formal Models and Techniques for Analyzing Security Protocols. Cryptology and Information Security Series, 2011
Cited by 7 (2 self)
Abstract. This chapter presents a method for verifying security protocols based on an abstract representation of protocols by Horn clauses. This method is the foundation of the protocol verifier ProVerif. It is fully automatic, efficient, and can handle an unbounded number of sessions and an unbounded message space. It supports various cryptographic primitives defined by rewrite rules or equations. Even if we focus on secrecy in this chapter, this method can also prove other security properties, including authentication and process equivalences.
Security theorems via model theory
EXPRESS: Expressiveness in Concurrency (EPTCS), 8:51, 2009
Cited by 7 (1 self)
A model-theoretic approach can establish security theorems, which are formulas expressing authentication and nondisclosure properties of protocols. Security theorems have a special form, namely quantified implications $\forall \vec{x}.\,(\phi \supset \exists \vec{y}.\,\psi)$. Models (interpretations) for these formulas are skeletons, partially ordered structures consisting of a number of local protocol behaviors. Realized skeletons contain enough local sessions to explain all the behavior, when combined with some possible adversary behaviors. We show two results. (1) If $\phi$ is the antecedent of a security goal, then there is a skeleton $A_\phi$ such that, for every skeleton $B$, $\phi$ is satisfied in $B$ iff there is a homomorphism from $A_\phi$ to $B$. (2) A protocol enforces $\forall \vec{x}.\,(\phi \supset \exists \vec{y}.\,\psi)$ iff every realized homomorphic image of $A_\phi$ satisfies $\psi$. Since the program CPSA finds the minimal realized skeletons, or “shapes,” that are homomorphic images of $A_\phi$, if $\psi$ holds in each of these shapes, then the goal holds.
Project-Team Abstraction Abstract Interpretation
"... Activity Report 2007 Table of contents ..."
Shapes: Surveying Crypto Protocol Runs
Abstract. Given a cryptographic protocol, and some assumptions, can we present everything that can happen, subject to these assumptions? The assumptions may include: (i) some behavior assumed to have occurred, (ii) some keys assumed to be uncompromised, and (iii) some values assumed to have been freshly chosen. An object representing these types of information is called a skeleton. The shapes for a skeleton A are the minimal, essentially different executions that are compatible with the assumptions in A. The set of shapes for an A is frequently but not always finite. Given a finite set of shapes for A, it is evident whether a security goal such as authentication or confidentiality holds for A. In this paper, we describe a search that finds the shapes, starting from a protocol and a skeleton A. The search is driven by the challenge-response patterns formalized in the strand space authentication tests.

1. Initial Examples

We develop here a search technique for finding the minimal, essentially different executions possible in a protocol, starting from some initial behavioral assumptions. This search gives counterexamples to false authentication and confidentiality assertions. Alternatively, the search proves these properties, when they hold and the search terminates, as it commonly though not universally does. We start with intuitive analyses, using Blanchet’s Simple Example Protocol [2] (see Fig. 1), and then proceed to formalize and justify them. Blanchet’s protocol SEP requires an initiator A to generate a fresh symmetric key k, sign and encrypt it for a chosen responder B, and await reception of a message $\{s\}_k$. Any responder B will await a message containing a signed and encrypted k, at which point it will select a secret s to transmit encrypted with k. A strand is a finite sequence of transmissions and receptions, so the actions of the initiator or responder in a single local session form a strand. Strands