Results 1  10
of
117
A logic of authentication
 ACM TRANSACTIONS ON COMPUTER SYSTEMS
, 1990
"... Questions of belief are essential in analyzing protocols for the authentication of principals in distributed computing systems. In this paper we motivate, set out, and exemplify a logic specifically designed for this analysis; we show how various protocols differ subtly with respect to the required ..."
Abstract

Cited by 1339 (26 self)
 Add to MetaCart
(Show Context)
Questions of belief are essential in analyzing protocols for the authentication of principals in distributed computing systems. In this paper we motivate, set out, and exemplify a logic specifically designed for this analysis; we show how various protocols differ subtly with respect to the required initial assumptions of the participants and their final beliefs. Our formalism has enabled us to isolate and express these differences with a precision that was not previously possible. It has drawn attention to features of protocols of which we and their authors were previously unaware, and allowed us to suggest improvements to the protocols. The reasoning about some protocols has been mechanically verified. This paper starts with an informal account of the problem, goes on to explain the formalism to be used, and gives examples of its application to protocols from the literature, both with sharedkey cryptography and with publickey cryptography. Some of the examples are chosen because of their practical importance, while others serve to illustrate subtle points of the logic and to explain how we use it. We discuss extensions of the logic motivated by actual practice  for example, in order to account for the use of hash functions in signatures. The final sections contain a formal semantics of the logic and some conclusions.
A calculus for cryptographic protocols: The spi calculus
 Information and Computation
, 1999
"... We introduce the spi calculus, an extension of the pi calculus designed for the description and analysis of cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the ..."
Abstract

Cited by 919 (55 self)
 Add to MetaCart
We introduce the spi calculus, an extension of the pi calculus designed for the description and analysis of cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the spi calculus enables us to consider cryptographic issues in more detail. We represent protocols as processes in the spi calculus and state their security properties in terms of coarsegrained notions of protocol equivalence.
Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption)
, 2000
"... Two distinct, rigorous views of cryptography have developed over the years, in two mostly separate communities. One of the views relies on a simple but effective formal approach; the other, on a detailed computational model that considers issues of complexity and probability. ..."
Abstract

Cited by 389 (18 self)
 Add to MetaCart
Two distinct, rigorous views of cryptography have developed over the years, in two mostly separate communities. One of the views relies on a simple but effective formal approach; the other, on a detailed computational model that considers issues of complexity and probability.
A Semantic Model for Authentication Protocols
, 1993
"... We specify authentication protocols as formal objects with precise syntax and semantics, and define a semantic model that characterizes protocol executions. We have identified two basic types of correctness properties, namely, correspondence and secrecy, that underlie the correctness concerns of aut ..."
Abstract

Cited by 181 (3 self)
 Add to MetaCart
We specify authentication protocols as formal objects with precise syntax and semantics, and define a semantic model that characterizes protocol executions. We have identified two basic types of correctness properties, namely, correspondence and secrecy, that underlie the correctness concerns of authentication protocols. We define assertions for specifying these properties, and a formal semantics for their satisfaction in the semantic model. The OtwayRees protocol is used to illustrate the semantic model and the basic correctness properties. 1 Introduction Authentication is a fundamental concern in the design of secure distributed systems [14, 25]. In distributed systems, authentication is typically carried out by protocols, called authentication protocols. The primary goal of an authentication protocol is to establish the identities of the parties (referred to as principals in the security literature) who participate in the protocol. Many authentication protocols, however, also acc...
Some New Attacks upon Security Protocols
 In: 9th Computer Security Foundations Workshop. IEEE Computer
, 1996
"... ..."
(Show Context)
Formal Verification of Cryptographic Protocols: A Survey
, 1995
"... In this paper we give a survey of the state of the art in the application of formal methods to the analysis of cryptographic protocols. We attempt to outline some of the major threads of research in this area, and also to document some emerging trends. ..."
Abstract

Cited by 106 (1 self)
 Add to MetaCart
(Show Context)
In this paper we give a survey of the state of the art in the application of formal methods to the analysis of cryptographic protocols. We attempt to outline some of the major threads of research in this area, and also to document some emerging trends.
A Taxonomy of Replay Attacks
 In Proceedings of the 7th IEEE Computer Security Foundations Workshop
, 1994
"... This paper presents a taxonomy of replay attacks on cryptographic protocols in terms of message origin and destination. The taxonomy is independent of any method used to analyze or prevent such attacks. It is also complete in the sense that any replay attack is composed entirely of elements classifi ..."
Abstract

Cited by 106 (1 self)
 Add to MetaCart
(Show Context)
This paper presents a taxonomy of replay attacks on cryptographic protocols in terms of message origin and destination. The taxonomy is independent of any method used to analyze or prevent such attacks. It is also complete in the sense that any replay attack is composed entirely of elements classified by the taxonomy. The classification of attacks is illustrated using both new and previously known attacks on protocols. The taxonomy is also used to discuss the appropriateness of particular countermeasures and protocol analysis methods to particular kinds of replays. Introduction Cryptographic protocols employ cryptography to achieve some security function. But, for many of these protocols the structure, hence the security, of the employed cryptographic algorithms is not considered to be part of the protocol itself. These algorithms are generically represented by notation capturing only gross features, e.g., whether the algorithm is for public or shared keys, whether it produces a hash...
Applying Formal Methods to the Analysis of a Key Management Protocol
 Journal of Computer Security
, 1992
"... In this paper we develop methods for analyzing key management and authentication protocols using techniques developed for the solutions of equations in a term rewriting system. In particular, we describe a model of a class of protocols and possible attacks on those protocols as term rewriting system ..."
Abstract

Cited by 92 (12 self)
 Add to MetaCart
(Show Context)
In this paper we develop methods for analyzing key management and authentication protocols using techniques developed for the solutions of equations in a term rewriting system. In particular, we describe a model of a class of protocols and possible attacks on those protocols as term rewriting systems, and we also describe a software tool based on a narrowing algorithm that can be used in the analysis of such protocols. We formally model a protocol and describe the results of using these techniques to analyze security properties. We show how a security flaw was found, and we also describe the verification of a corrected scheme using these techniques. 1 Introduction It is difficult to be certain whether or not a cryptographic protocol satisfies its requirements. In a number of cases subtle security flaws have been found in protocols some time after they were published. These flaws were independent of the strengths or weakness of the cryptographic algorithms used. Examples include the N...
A Bisimulation Method for Cryptographic Protocols
, 1998
"... We introduce a definition of bisimulation for cryptographic protocols. The definition includes a simple and precise model of the knowledge of the environment with which a protocol interacts. Bisimulation is the basis of an effective proof technique, which yields proofs of classical security properti ..."
Abstract

Cited by 91 (6 self)
 Add to MetaCart
We introduce a definition of bisimulation for cryptographic protocols. The definition includes a simple and precise model of the knowledge of the environment with which a protocol interacts. Bisimulation is the basis of an effective proof technique, which yields proofs of classical security properties of protocols and also justifies certain protocol optimizations. The setting for our work is the spi calculus, an extension of the pi calculus with cryptographic primitives. We prove the soundness of the bisimulation proof technique within the spi calculus.
Formal Methods for Cryptographic Protocol Analysis: Emerging Issues and Trends
, 2003
"... The history of the application of formal methods to cryptographic protocol analysis spans over 20 years and recently has been showing signs of new maturity and consolidation. Not only have a number of specialized tools been developed, and generalpurpose ones been adapted, but people have begun apply ..."
Abstract

Cited by 77 (0 self)
 Add to MetaCart
The history of the application of formal methods to cryptographic protocol analysis spans over 20 years and recently has been showing signs of new maturity and consolidation. Not only have a number of specialized tools been developed, and generalpurpose ones been adapted, but people have begun applying these tools to realistic protocols, in many cases supplying feedback to designers that can be used to improve the protocol’s security. In this paper, we will describe some of the ongoing work in this area, as well as describe some of the new challenges and the ways in which they are being met.