Results 1  10
of
167
A Hierarchy of Authentication Specifications
, 1997
"... Many security protocols have the aim of authenticating one agent to another. Yet there is no clear consensus in the academic literature about precisely what “authentication” means. In this paper we suggest that the appropriate authentication requirement will depend upon the use to which the protocol ..."
Abstract

Cited by 241 (5 self)
 Add to MetaCart
(Show Context)
Many security protocols have the aim of authenticating one agent to another. Yet there is no clear consensus in the academic literature about precisely what “authentication” means. In this paper we suggest that the appropriate authentication requirement will depend upon the use to which the protocol is put, and identify several possible definitions of “authentication”. We formalize each definition using the process algebra CSP, use this formalism to study their relative strengths, and show how the model checker FDR can be used to test whether a system running the protocol meets such a specification. 1
A metanotation for protocol analysis
 in: Proc. CSFW’99
, 1999
"... Most formal approaches to security protocol analysis are based on a set of assumptions commonly referred to as the “DolevYao model. ” In this paper, we use a multiset rewriting formalism, based on linear logic, to state the basic assumptions of this model. A characteristic of our formalism is the w ..."
Abstract

Cited by 166 (38 self)
 Add to MetaCart
(Show Context)
Most formal approaches to security protocol analysis are based on a set of assumptions commonly referred to as the “DolevYao model. ” In this paper, we use a multiset rewriting formalism, based on linear logic, to state the basic assumptions of this model. A characteristic of our formalism is the way that existential quantification provides a succinct way of choosing new values, such as new keys or nonces. We define a class of theories in this formalism that correspond to finitelength protocols, with a bounded initialization phase but allowing unboundedly many instances of each protocol role (e.g., client, server, initiator, or responder). Undecidability is proved for a restricted class of these protocols, and PSPACEcompleteness is claimed for a class further restricted to have no new data (nonces). Since it is a fragment of linear logic, we can use our notation directly as input to linear logic tools, allowing us to do proof search for attacks with relatively little programming effort, and to formally verify protocol transformations and optimizations. 1
Inductive analysis of the internet protocol TLS
 ACM Trans. Inf. Syst. Secur
, 1999
"... Internet browsers use security protocols to protect sensitive messages. An inductive analysis of TLS (a descendant of SSL 3.0) has been performed using the theorem prover Isabelle. Proofs are based on higherorder logic and make no assumptions concerning beliefs or flniteness. All the obvious securi ..."
Abstract

Cited by 131 (16 self)
 Add to MetaCart
(Show Context)
Internet browsers use security protocols to protect sensitive messages. An inductive analysis of TLS (a descendant of SSL 3.0) has been performed using the theorem prover Isabelle. Proofs are based on higherorder logic and make no assumptions concerning beliefs or flniteness. All the obvious security goals can be proved; session resumption appears to be secure even if old session keys have been compromised. The proofs suggest minor changes to simplify the analysis. TLS, even at an abstract level, is much more complicated than most protocols that researchers have verifled. Session keys are negotiated rather than distributed, and the protocol has many optional parts. Nevertheless, the resources needed to verify TLS are modest: six manweeks of efiort and three minutes of processor time.
Classification of Security Properties (Part I: Information Flow)
, 2001
"... In the recent years, many formalizations of security properties have been proposed, most of which are based on different underlying models and are consequently difficult to compare. A classification of security properties is thus of interest for understanding the relationships among different defini ..."
Abstract

Cited by 122 (17 self)
 Add to MetaCart
In the recent years, many formalizations of security properties have been proposed, most of which are based on different underlying models and are consequently difficult to compare. A classification of security properties is thus of interest for understanding the relationships among different definitions and for evaluating the relative merits. In this paper, many noninterferencelike properties proposed for computer security are classified and compared in a unifying framework. The resulting taxonomy is evaluated through some case studies of access control in computer systems. The approach has been mechanized, resulting in the tool CoSeC. Various extensions (e.g., the application to cryptographic protocol analysis) and open problems are discussed. This paper
A Probabilistic PolyTime Framework for Protocol Analysis
, 1998
"... We develop a framework for analyzing security protocols in which protocol adversaries may be arbitrary probabilistic polynomialtime processes. In this framework, protocols are written in a form of process calculus where security may be expressed in terms of observational equivalence, a standard rel ..."
Abstract

Cited by 114 (6 self)
 Add to MetaCart
We develop a framework for analyzing security protocols in which protocol adversaries may be arbitrary probabilistic polynomialtime processes. In this framework, protocols are written in a form of process calculus where security may be expressed in terms of observational equivalence, a standard relation from programming language theory that involves quantifying over possible environments that might interact with the protocol. Using an asymptotic notion of probabilistic equivalence, we relate observational equivalence to polynomialtime statistical tests and discuss some example protocols to illustrate the potential of this approach.
Strand Spaces: Proving Security Protocols Correct
, 1999
"... A strand is a sequence of events; it represents either an execution by a legitimate party in a security protocol or else a sequence of actions by a penetrator. A strand space is a collection of strands, equipped with a graph structure generated by causal interaction. In this framework, protocol corr ..."
Abstract

Cited by 113 (10 self)
 Add to MetaCart
(Show Context)
A strand is a sequence of events; it represents either an execution by a legitimate party in a security protocol or else a sequence of actions by a penetrator. A strand space is a collection of strands, equipped with a graph structure generated by causal interaction. In this framework, protocol correctness claims may be expressed in terms of the connections between strands of different kinds. Preparing for a
On the Reachability Problem in Cryptographic Protocols
, 2000
"... We study the verification of secrecy and authenticity properties for cryptographic protocols which rely on symmetric shared keys. The verification can be reduced to check whether a certain parallel program which models the protocol and the specification can reach an erroneous state while interacting ..."
Abstract

Cited by 93 (0 self)
 Add to MetaCart
We study the verification of secrecy and authenticity properties for cryptographic protocols which rely on symmetric shared keys. The verification can be reduced to check whether a certain parallel program which models the protocol and the specification can reach an erroneous state while interacting with the environment. Assuming finite principals, we present a simple decision procedure for the reachability problem which is based on a `symbolic' reduction system.
Athena: a new efficient automatic checker for security protocol analysis
 In Proceedings of the Twelth IEEE Computer Security Foundations Workshop
, 1999
"... We propose an efficient automatic checking algorithm, Athena, for analyzing security protocols. Athena incorporates a logic that can express security properties including authentication, secrecy and properties related to electronic commerce. We have developed an automatic procedure for evaluating we ..."
Abstract

Cited by 92 (1 self)
 Add to MetaCart
(Show Context)
We propose an efficient automatic checking algorithm, Athena, for analyzing security protocols. Athena incorporates a logic that can express security properties including authentication, secrecy and properties related to electronic commerce. We have developed an automatic procedure for evaluating wellformed formulae in this logic. For a wellformed formula, if the evaluation procedure terminates, it will generate a counterexample if the formula is false, or provide a proof if the formula is true. Even when the procedure does not terminate when we allow any arbitrary configurations of the protocol execution, (for example, any number of initiators and responders), termination could be forced by bounding the number of concurrent protocol runs and the length of messages, as is done in most existing model checkers. Athena also exploits several state space reduction techniques. It is based on an extension of the recently proposed Strand Space Model [25] which captures exact causal relation information. Together with backward search and other techniques, Athena naturally avoids the state space explosion problem commonly caused by asynchronous composition and symmetry redundancy. Athena also has the advantage that it can easily incorporate results from theorem proving through unreachability theorems. By using the unreachability theorems, it can prune the state space at an early stage, hence, reduce the state space explored and increase the likelyhood of termination. As shown in our experiments, these techniques dramatically reduce the state space that needs to be explored.
Athena: a novel approach to efficient automatic security protocol analysis
 Journal of Computer Security
, 2001
"... protocol analysis ..."
(Show Context)
Verifying authentication protocols with CSP
 In Proceedings of the 10th IEEE Computer Security Foundations Workshop
"... This paper presents a general approach for analysis and verification of authentication properties in the language of Communicating Sequential Processes (CSP). It is illustrated by an examination of the NeedhamSchroeder publickey protocol. The contribution of this paper is to develop a specific the ..."
Abstract

Cited by 84 (6 self)
 Add to MetaCart
(Show Context)
This paper presents a general approach for analysis and verification of authentication properties in the language of Communicating Sequential Processes (CSP). It is illustrated by an examination of the NeedhamSchroeder publickey protocol. The contribution of this paper is to develop a specific theory appropriate to the analysis of authentication protocols, built on top of the general CSP semantic framework. This approach aims to combine the ability to express such protocols in a natural and precise way with the facility to reason formally about the properties they exhibit. 1 Introduction Authentication comes in a number of flavours. For example, Gollmann [6] has identified four different varieties of authentication, which raises the question for any particular authentication protocol as to which kind of authentication the protocol was designed for, and which kinds it actually provides. The aim of the CSP approach is to reduce questions about security protocols and properties to ques...