Results 1-10 of 26
A survey of algebraic properties used in cryptographic protocols
Journal of Computer Security
Cited by 69 (20 self)
Cryptographic protocols are successfully analyzed using formal methods. However, formal approaches usually consider the encryption schemes as black boxes and assume that an adversary cannot learn anything from an encrypted message except if he has the key. Such an assumption is too strong in general since some attacks exploit in a clever way the interaction between protocol rules and properties of cryptographic operators. Moreover, the executability of some protocols relies explicitly on some algebraic properties of cryptographic primitives such as commutative encryption. We give a list of some relevant algebraic properties of cryptographic operators, and for each of them, we provide examples of protocols or attacks using these properties. We also give an overview of the existing methods in formal approaches for analyzing cryptographic proto
Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties
2012
Cited by 20 (9 self)
We present a general approach for the symbolic analysis of security protocols that use Diffie-Hellman exponentiation to achieve advanced security properties. We model protocols as multiset rewriting systems and security properties as first-order formulas. We analyze them using a novel constraint-solving algorithm that supports both falsification and verification, even in the presence of an unbounded number of protocol sessions. The algorithm exploits the finite variant property and builds on ideas from strand spaces and proof normal forms. We demonstrate the scope and the effectiveness of our algorithm on non-trivial case studies. For example, the algorithm successfully verifies the NAXOS protocol with respect to a symbolic version of the eCK security model.
YAPA: A generic tool for computing intruder knowledge
2009
Cited by 16 (3 self)
Reasoning about the knowledge of an attacker is a necessary step in many formal analyses of security protocols. In the framework of the applied pi calculus, as in similar languages based on equational logics, knowledge is typically expressed by two relations: deducibility and static equivalence. Several decision procedures have been proposed for these relations under a variety of equational theories. However, each theory has its particular algorithm, and none has been implemented so far. We provide a generic procedure for deducibility and static equivalence that takes as input any convergent rewrite system. We show that our algorithm covers all the existing decision procedures for convergent theories. We also provide an efficient implementation, and compare it briefly with the more general tool ProVerif.
Deciding H1 by Resolution
2005
Cited by 11 (4 self)
Nielson, Nielson and Seidl's class H1 is a decidable class of first-order Horn clause sets, describing strongly regular relations. We give another proof of decidability, and of the regularity of the defined languages, based on fairly standard automated deduction techniques.
Equational cryptographic reasoning in the Maude-NRL Protocol Analyzer
In Proc. of the First International Workshop on Security and Rewriting Techniques (SecReT 2006), Electronic Notes in Theoretical Computer Science, Elsevier, 2006
Cited by 9 (4 self)
The Maude-NRL Protocol Analyzer (Maude-NPA) is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It both extends and provides a formal framework for the original NRL Protocol Analyzer, which limited itself to an equational theory ∆ of convergent rewrite rules. In this paper we extend our framework to include theories of the form ∆ ⊎ B, where B is the theory of associativity and commutativity and ∆ is convergent modulo B. Order-sorted B-unification plays a crucial role; to obtain this functionality we describe a sort propagation algorithm that filters out unsorted B-unifiers provided by the CiME unification tool. We show how extensions of some of the state reduction techniques of the original NRL Protocol Analyzer can be applied in this context. We illustrate the ideas and capabilities of the Maude-NPA with an example involving the Diffie-Hellman key agreement protocol.
Flat and One-Variable Clauses: Complexity of Verifying Cryptographic Protocols with Single Blind Copying
Cited by 8 (0 self)
Cryptographic protocols with single blind copying were defined and modeled by Comon and Cortier using the new class C of first-order clauses, which extends the Skolem class. They showed its satisfiability problem to be in 3-DEXPTIME. We improve this result by showing that satisfiability for this class is NEXPTIME-complete, using new resolution techniques. We show satisfiability to be DEXPTIME-complete if clauses are Horn, which is what is required for modeling cryptographic protocols. While translation to Horn clauses only gives a DEXPTIME upper bound for the secrecy problem for these protocols, we further show that this secrecy problem is actually DEXPTIME-complete.
Complexity Results for Security Protocols with Diffie-Hellman Exponentiation and Commuting Public Key Encryption
In Paritosh K. Pandya and Jaikumar Radhakrishnan, editors, FSTTCS, volume 2914 of Lecture Notes in Computer Science, 2003
Cited by 8 (0 self)
We show that the insecurity problem for protocols with modular exponentiation and arbitrary products allowed in exponents is NP-complete. This result is based on a protocol and intruder model which is powerful enough to uncover known attacks on the Authenticated Group Diffie-Hellman (A-GDH.2) protocol suite. To prove our results, we develop a general framework in which the Dolev-Yao intruder is extended by generic intruder rules. This framework is also applied to obtain complexity results for protocols with commuting public key encryption.
Towards an automatic analysis of web services security
In: Proceedings of the 6th International Symposium on the Frontiers of Combining Systems (FroCoS'07), LNAI, 2007
Cited by 7 (5 self)
Web services send and receive messages in XML syntax with some parts hashed, encrypted or signed, according to the WS-Security standard. In this paper we introduce a model to formally describe the protocols that underlie these services, their security properties and the rewriting attacks they might be subject to. Unlike other protocol models (in symbolic analysis) ours can handle non-deterministic receive/send actions and unordered sequences of XML nodes. Then, to detect the attacks, we have to consider the services as combining multiset operators and cryptographic ones, and we have to solve specific satisfiability problems in the combined theory. By a non-trivial extension of the combination techniques of [3] we obtain a decision procedure for insecurity of Web services with messages built using encryption, signature, and other cryptographic primitives. This combination technique allows one to decide insecurity in a modular way by reducing the associated constraint solving problems to problems in simpler theories.
Handling exp, × (and timestamps) in protocol analysis
In Proc. of FOSSACS'06, volume 3921 of LNCS, 2006
Cited by 7 (2 self)
We present a static analysis technique for the verification of cryptographic protocols, specified in a process calculus. Rather than assuming a specific, fixed set of cryptographic primitives, we only require them to be specified through a term rewriting system, with no restrictions. Examples are provided to support our analysis. First, we tackle forward secrecy for a Diffie-Hellman-based protocol involving exponentiation, multiplication and inversion. Then, a simplified version of Kerberos is analyzed, showing that its use of timestamps succeeds in preventing replay attacks.