Results 1  10
of
77
A calculus for cryptographic protocols: The spi calculus
 Information and Computation
, 1999
"... We introduce the spi calculus, an extension of the pi calculus designed for the description and analysis of cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the ..."
Abstract

Cited by 919 (55 self)
 Add to MetaCart
We introduce the spi calculus, an extension of the pi calculus designed for the description and analysis of cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the spi calculus enables us to consider cryptographic issues in more detail. We represent protocols as processes in the spi calculus and state their security properties in terms of coarsegrained notions of protocol equivalence.
Non Interference for the Analysis of Cryptographic Protocols
, 2000
"... Many security properties of cryptographic protocols can be all seen as specific instances of a general property, we called Non Deducibility on Composition (NDC), that we proposed a few years ago for studying information flow properties in computer systems. The advantage of our unifying theory is tha ..."
Abstract

Cited by 76 (28 self)
 Add to MetaCart
Many security properties of cryptographic protocols can be all seen as specific instances of a general property, we called Non Deducibility on Composition (NDC), that we proposed a few years ago for studying information flow properties in computer systems. The advantage of our unifying theory is that formal comparison among these properties is now easier and that the full generality of NDC has helped us in finding a few new attacks on cryptographic protocols.
Multiset Rewriting and the Complexity of Bounded Security Protocols
 Journal of Computer Security
, 2002
"... We formalize the DolevYao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the DolevYao model using this notation, and to analyze the ..."
Abstract

Cited by 74 (9 self)
 Add to MetaCart
We formalize the DolevYao model of security protocols, using a notation based on multiset rewriting with existentials. The goals are to provide a simple formal notation for describing security protocols, to formalize the assumptions of the DolevYao model using this notation, and to analyze the complexity of the secrecy problem under various restrictions. We prove that, even for the case where we restrict the size of messages and the depth of message encryption, the secrecy problem is undecidable for the case of an unrestricted number of protocol roles and an unbounded number of new nonces. We also identify several decidable classes, including a dexpcomplete class when the number of nonces is restricted, and an npcomplete class when both the number of nonces and the number of roles is restricted. We point out a remaining open complexity problem, and discuss the implications these results have on the general topic of protocol analysis.
Tree Automata With One Memory, Set Constraints and Cryptographic Protocols
"... We introduce a class of tree automata that perform tests on a memory that is updated using function symbol application and projection. The language emptiness problem for this class of tree automata is shown to be in DEXPTIME. ..."
Abstract

Cited by 72 (3 self)
 Add to MetaCart
We introduce a class of tree automata that perform tests on a memory that is updated using function symbol application and projection. The language emptiness problem for this class of tree automata is shown to be in DEXPTIME.
A GameBased Verification of NonRepudiation and Fair Exchange Protocols
, 2001
"... . In this paper, we report on a recent work for the verication of nonrepudiation ..."
Abstract

Cited by 71 (3 self)
 Add to MetaCart
. In this paper, we report on a recent work for the verication of nonrepudiation
Analyzing the needhamschroeder publickey protocol: A comparison of two approaches
 In ESORICS: European Symposium on Research in Computer Security. LNCS
, 1996
"... Abstract. In this paper we contrast the use of the NRL Protocol Analyzer and Gavin Lowe's use of the model checker FDR [7] to analyze the NeedhamSchroeder public key protocol. This is used as a basis to compare and contrast the two systems and to point out possible future directions for resea ..."
Abstract

Cited by 69 (8 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we contrast the use of the NRL Protocol Analyzer and Gavin Lowe's use of the model checker FDR [7] to analyze the NeedhamSchroeder public key protocol. This is used as a basis to compare and contrast the two systems and to point out possible future directions for research. Most early work in the automated analysis of cryptographic protocols concentrated on building specialpurpose tools, such as the NRL Protocol Analyzer [4, 9], the Interrogator [10, 4], and Longley and Rigby's protocol analysis tool [5]. Although some work existed on the application of existing tools, such as Kemmerer's use of Ina Jo [4], this was not an approach followed by many. Some of this early concentration on specialpurpose tools may have been a result of the belief that cryptographic protocols had certain unique properties that would make them more amenable to analysis by a tool using specialpurpose models and algorithms.This was certainly the belief that motivatedmuch of the development of the NRL Protocol Analyzer. But, as research as progressed in this area,
Secrecy Types for Asymmetric Communication
, 2001
"... We develop a typed process calculus for security protocols in which types convey secrecy properties. We focus on asymmetric communication primitives, especially on publickey encryption. These present special difficulties, partly because they rely on related capabilities (e.g., "public" an ..."
Abstract

Cited by 68 (6 self)
 Add to MetaCart
We develop a typed process calculus for security protocols in which types convey secrecy properties. We focus on asymmetric communication primitives, especially on publickey encryption. These present special difficulties, partly because they rely on related capabilities (e.g., "public" and "private" keys) with different levels of secrecy and scopes.
A Compositional Logic for Proving Security Properties of Protocols
 Journal of Computer Security
, 2002
"... We present a logic for proving security properties of protocols that use nonces (randomly generated numbers that uniquely identify a protocol session) and publickey cryptography. The logic, designed around a process calculus with actions for each possible protocol step, consists of axioms about ..."
Abstract

Cited by 63 (15 self)
 Add to MetaCart
(Show Context)
We present a logic for proving security properties of protocols that use nonces (randomly generated numbers that uniquely identify a protocol session) and publickey cryptography. The logic, designed around a process calculus with actions for each possible protocol step, consists of axioms about protocol actions and inference rules that yield assertions about protocols composed of multiple steps. Although assertions are written using only steps of the protocol, the logic is sound in a stronger sense: each provable assertion about an action or sequence of actions holds in any run of the protocol that contains the given actions and arbitrary additional actions by a malicious attacker. This approach lets us prove security properties of protocols under attack while reasoning only about the sequence of actions taken by honest parties to the protocol. The main securityspecific parts of the proof system are rules for reasoning about the set of messages that could reveal secret data and an invariant rule called the "honesty rule." 1
New Decidability Results for Fragments of FirstOrder Logic and Application to Cryptographic Protocols
, 2003
"... We consider a new extension of the Skolem class for firstorder logic and prove its decidability by resolution techniques. We then extend this class including the builtin equational theory of exclusive or. Again, we prove the decidability of the class by resolution techniques. ..."
Abstract

Cited by 54 (18 self)
 Add to MetaCart
We consider a new extension of the Skolem class for firstorder logic and prove its decidability by resolution techniques. We then extend this class including the builtin equational theory of exclusive or. Again, we prove the decidability of the class by resolution techniques.