Breaking and fixing the Needham-Schroeder public-key protocol using FDR (1996)

by Gavin Lowe
Venue: TACAS
Results 1 - 10 of 719

A calculus for cryptographic protocols: The spi calculus

by Martin Abadi, Andrew D. Gordon - Information and Computation , 1999
Abstract - Cited by 898 (50 self)
We introduce the spi calculus, an extension of the pi calculus designed for the description and analysis of cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the spi calculus enables us to consider cryptographic issues in more detail. We represent protocols as processes in the spi calculus and state their security properties in terms of coarse-grained notions of protocol equivalence.

DART: Directed automated random testing

by Patrice Godefroid, Nils Klarlund, Koushik Sen - In Programming Language Design and Implementation (PLDI , 2005
Abstract - Cited by 843 (42 self)
We present a new tool, named DART, for automatically testing software that combines three main techniques: (1) automated extraction of the interface of a program with its external environment using static source-code parsing; (2) automatic generation of a test driver for this interface that performs random testing to simulate the most general environment the program can operate in; and (3) dynamic analysis of how the program behaves under random testing and automatic generation of new test inputs to direct systematically the execution along alternative program paths. Together, these three techniques constitute Directed Automated Random Testing, or DART for short. The main strength of DART is thus that testing can be performed completely automatically on any program that compiles – there is no need to write any test driver or harness code. During testing, DART detects standard errors such as program crashes, assertion violations, and non-termination. Preliminary experiments to unit test several examples of C programs are very encouraging.

Citation Context

...er, Steps 2 and 4 are not represented explicitly by additional messages. The original code we started with contains a flag which, if turned on, implements Lowe's fix to the Needham-Schroeder protocol [25]. Out of curiosity, we also tested this version with DART and, to our surprise, DART found again an assertion violation after about 22 minutes of search! After examining the error trace produced by DART, ...

Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption)

by Martín Abadi, Phillip Rogaway , 2000
Abstract - Cited by 378 (11 self)
Two distinct, rigorous views of cryptography have developed over the years, in two mostly separate communities. One of the views relies on a simple but effective formal approach; the other, on a detailed computational model that considers issues of complexity and probability.

Mobile Values, New Names, and Secure Communication

by Martín Abadi, Cédric Fournet , 2001
Abstract - Cited by 372 (17 self)
We study the interaction of the "new" construct with a rich but common form of (first-order) communication. This interaction is crucial in security protocols, which are the main motivating examples for our work; it also appears in other programming-language contexts. Specifically, we introduce a simple, general extension of the pi calculus with value passing, primitive functions, and equations among terms. We develop semantics and proof techniques for this extended language and apply them in reasoning about some security protocols.

Automated Analysis of Cryptographic Protocols Using Murphi

by John C. Mitchell, Mark Mitchell, Ulrich Stern , 1997
Abstract - Cited by 296 (25 self)
A methodology is presented for using a general-purpose state enumeration tool, Murphi, to analyze cryptographic and security-related protocols. We illustrate the feasibility of the approach by analyzing the Needham-Schroeder protocol, finding a known bug in a few seconds of computation time, and analyzing variants of Kerberos and the faulty TMN protocol used in another comparative study. The efficiency of Murphi allows us to examine multiple runs of relatively short protocols, giving us the ability to detect replay attacks, or errors resulting from confusion between independent execution of a protocol by independent parties.

Citation Context

...tion of a protocol by independent parties. 1 Introduction Encouraged by the success of others in analyzing the Needham-Schroeder public-key authentication protocol using the FDR model checker for CSP [10, 11, 13, 14], we have carried out a feasibility study for a related, but somewhat different general tool called Murϕ [1], pronounced "Mur-phi". In this paper, we outline our general methodology and summarize our ...

A Hierarchy of Authentication Specifications

by Gavin Lowe , 1997
Abstract - Cited by 241 (5 self)
Many security protocols have the aim of authenticating one agent to another. Yet there is no clear consensus in the academic literature about precisely what "authentication" means. In this paper we suggest that the appropriate authentication requirement will depend upon the use to which the protocol is put, and identify several possible definitions of "authentication". We formalize each definition using the process algebra CSP, use this formalism to study their relative strengths, and show how the model checker FDR can be used to test whether a system running the protocol meets such a specification.

Citation Context

...utational expense.) 3 Modelling protocols using CSP In this section we briefly review the method we use for modelling security protocols using CSP. For a fuller description, the reader is referred to [11]. All the authentication specifications we are considering are safety specifications (as opposed to liveness specifications); we will therefore be working in the traces model of CSP, which is adequate...

MOCHA: Modularity in Model Checking

by Rajeev Alur, Thomas A. Henzinger, F.Y.C. Mang, S. Qadeer, S.K. Rajamani, S. Tasiran , 1998
Abstract - Cited by 186 (20 self)

Constraint Solving for Bounded-Process Cryptographic Protocol Analysis

by Jonathan Millen, Vitaly Shmatikov - CCS'01 , 2001
Abstract - Cited by 176 (3 self)
The reachability problem for cryptographic protocols with nonatomic keys can be solved via a simple constraint satisfaction procedure.

Proving Properties of Security Protocols by Induction

by Lawrence C. Paulson - In 10th IEEE Computer Security Foundations Workshop , 1997
Abstract - Cited by 167 (8 self)
Informal justifications of security protocols involve arguing backwards that various events are impossible. Inductive definitions can make such arguments rigorous. The resulting proofs are complicated, but can be generated reasonably quickly using the proof tool Isabelle/HOL. There is no restriction to finite-state systems and the approach is not based on belief logics. Protocols are inductively defined as sets of traces, which may involve many interleaved protocol runs. Protocol descriptions model accidental key losses as well as attacks. The model spy can send spoof messages made up of components decrypted from previous traffic. Several key distribution protocols have been studied, including Needham-Schroeder, Yahalom and Otway-Rees. The method applies to both symmetric-key and public-key protocols. A new attack has been discovered in a variant of Otway-Rees (already broken by Mao and Boyd). Assertions concerning secrecy and authenticity have been proved.

Citation Context

...ocol as a finite state system and verify by exhaustive search that all reachable states are safe. Lowe, for example, models protocols in CSP [13] and applies a model checker to explore their behaviour [15, 17]. The Interrogator [14] is another finite-state tool. Such methods can find attacks quickly, but keeping the state space small requires drastic simplifying assumptions. • Belief logics formally expr...

A meta-notation for protocol analysis

by I. Cervesato, N. A. Durgin, P. D. Lincoln, J. C. Mitchell, A. Scedrov - in: Proc. CSFW’99 , 1999
Abstract - Cited by 166 (38 self)
Most formal approaches to security protocol analysis are based on a set of assumptions commonly referred to as the "Dolev-Yao model." In this paper, we use a multiset rewriting formalism, based on linear logic, to state the basic assumptions of this model. A characteristic of our formalism is the way that existential quantification provides a succinct way of choosing new values, such as new keys or nonces. We define a class of theories in this formalism that correspond to finite-length protocols, with a bounded initialization phase but allowing unboundedly many instances of each protocol role (e.g., client, server, initiator, or responder). Undecidability is proved for a restricted class of these protocols, and PSPACE-completeness is claimed for a class further restricted to have no new data (nonces). Since it is a fragment of linear logic, we can use our notation directly as input to linear logic tools, allowing us to do proof search for attacks with relatively little programming effort, and to formally verify protocol transformations and optimizations.

Citation Context

...indivisible abstract values, not sequences of bits, and encryption is modeled in an idealized way. Although the same basic modeling assumptions are used in theorem proving [27], model-checking methods [18, 20, 25, 28, 29] and symbolic search tools [17], there does not appear to be any standard presentation of the Dolev-Yao model as it is currently used in a variety of projects. One goal of this paper is to identify ...
