A theory of dictionary attacks and its complexity
17th IEEE Computer Security Foundations Workshop (2004)
Cited by 18 (1 self)
We consider the problem of automating proofs of cryptographic protocols when some data, like poorly chosen passwords, can be guessed by dictionary attacks. First, we define a theory of these attacks: we introduce an inference system modeling the guessing capabilities of an intruder. This system extends the classical Dolev–Yao rules. Using proof rewriting techniques, we show a locality lemma for our inference system which yields the PTIME–completeness of the deduction problem. This result is lifted to the simultaneous solving of intruder deduction constraints with variables. Constraint solving is the basis of a NP algorithm for the protocol insecurity problem in the presence of dictionary attacks, assuming a bounded number of sessions. This extends the classical NP–completeness result for the Dolev–Yao model. We illustrate the procedure with examples of published protocols. The model and decision algorithm have been validated on some examples in a prototype implementation.
Soft Constraint Programming to Analysing Security Protocols
Theory and Practice of Logic Programming, 2004
Cited by 18 (10 self)
Security protocols stipulate how the remote principals of a computer network should interact in order to obtain specific security goals. The crucial goals of confidentiality and authentication may be achieved in various forms, each of different strength. Using soft (rather than crisp) constraints, we develop a uniform formal notion for the two goals. They are no longer formalised as mere yes/no properties as in the existing literature, but gain an extra parameter, the security level. For example, different messages can enjoy different levels of confidentiality, or a principal can achieve different levels of authentication with different principals. The goals are formalised within a general framework for protocol analysis that is amenable to mechanisation by model checking. Following the application of the framework to analysing the asymmetric Needham-Schroeder protocol (Bella and Bistarelli 2001; Bella and Bistarelli 2002), we have recently discovered a new attack on that protocol as a form of retaliation by principals who have been attacked previously. Having commented on that attack, we then demonstrate the framework on a bigger, largely deployed protocol consisting of three phases, Kerberos.
Pattern-Matching Spi-Calculus
In Formal Aspects in Security and Trust, 2004
Cited by 18 (0 self)
Cryptographic protocols often make use of nested cryptographic primitives, for example signed message digests, or encrypted signed messages. Gordon and Jeffrey’s prior work on types for authenticity did not allow for such nested cryptography. In this work, we present the pattern-matching spi-calculus, which is an obvious extension of the spi-calculus to include pattern-matching as primitive. The novelty of the language is in the accompanying type system, which uses the same language of patterns to describe complex data dependencies which cannot be described using prior type systems. We show that any appropriately typed process is guaranteed to satisfy a strong robust safety property.
Easy Intruder Deductions
2003
Cited by 15 (3 self)
We investigate extensions of the Dolev-Yao model by some algebraic properties of cryptographic primitives. We provide sufficient conditions under which the intruder deduction problem is decidable (resp. decidable in polynomial time). We apply this result to the equational theory of homomorphism, and show that in this case the intruder deduction problem is linear, provided that the messages are in normal form.
Control Flow Analysis Can Find New Flaws Too
In Proceedings of the Workshop on Issues on the Theory of Security (WITS’04), ENTCS, 2004
Cited by 14 (1 self)
A previous study [6] showed how control flow analysis can be applied to analyse key distribution protocols based on symmetric key cryptography. We have extended both the theoretical treatment and our fully automatic verifier to deal with protocols based on asymmetric cryptography. This paper reports on the application of our technique, exemplified on the Beller-Chang-Yacobi MSR protocol, which uses both symmetric and asymmetric cryptography, and show how we discover an undocumented flaw.
On the Decidability of Cryptographic Protocols with Open-ended Data Structures
2002
Cited by 14 (7 self)
Formal analysis of cryptographic protocols has mainly concentrated on protocols with closed-ended data structures, where closed-ended data structure means that the messages exchanged between principals have fixed and finite format. However,
Recursion vs. Replication in Simple Cryptographic Protocols
2004
Cited by 13 (1 self)
We use some recent techniques from process algebra to draw several conclusions about the well-studied class of ping-pong protocols introduced by Dolev and Yao. In particular we show that all nontrivial properties, including reachability and equivalence checking wrt. the whole van Glabbeek's spectrum, become undecidable for a very simple recursive extension of the protocol. The result holds even if no nondeterministic choice operator is allowed. We also show that the extended calculus is capable of an implicit description of the active intruder, including full analysis and synthesis of messages in the sense of Amadio, Lugiez and Vanackere. We conclude by showing that reachability analysis for a replicative variant of the protocol becomes decidable.
Comparing State Spaces in Automatic Security Protocol Verification
Proceedings of the 7th International Workshop on Automated Verification of Critical Systems (AVoCS’07)
Cited by 10 (5 self)
There are several automatic tools available for the symbolic analysis of security protocols. The models underlying these tools differ in many aspects. Some of the differences have already been formally related to each other in the literature, such as difference in protocol execution models or definitions of security properties. However, there is an important difference between analysis tools that has not been investigated in depth before: the explored state space. Some tools explore all possible behaviors, whereas others explore strict subsets, often by using so-called scenarios. We identify several types of state space explored by protocol analysis tools, and relate them to each other. We find previously unreported differences between the various approaches. Using combinatorial results, we determine the requirements for emulating one type of state space by combinations of another type. We apply our study of state space relations in a performance comparison of several well-known automatic tools for security protocol analysis. We model a set of protocols and their properties as homogeneously as possible for each tool. We analyze the performance of the tools over comparable state spaces. This work enables us to effectively compare these automatic tools, i.e., using the same protocol description and exploring the same state space. We also propose some explanations for our experimental results, leading to a better understanding of the tools.