DMCA
Automated Security Protocol Analysis with the AVISPA Tool (2006)
| Venue: | In Proceedings of MFPS’05 |
| Citations: | 28 - 5 self |
Citations
| 1383 | On the security of public key protocols
- Dolev, Yao
- 1981
(Show Context)
Citation Context ...the back-ends of the tool analyze protocols under the assumptions of perfect cryptography and that the protocol messages are exchanged over a network that is under the control of a Dolev-Yao intruder =-=[44]-=-. That is, the back-ends analyze protocols by considering the standard protocolindependent, asynchronous model of an active intruder who controls the network but cannot break cryptography; in particul... |
| 929 | The temporal logic of actions
- Lamport
(Show Context)
Citation Context ...ey’ (hashed and paired together with other data) on channel SND. Here we see an example of priming; X’ means: the new value of the variable X. The notation stems from the Temporal Logic of Action TLA =-=[59,60]-=-, upon which HLPSL is based. It is important to realize that the value of the variable will not be changed until the current transition is complete. So, the right-hand side tells us that the value of ... |
| 480 | The inductive approach to verifying cryptographic protocols.
- Paulson
- 1998
(Show Context)
Citation Context ...have thus witnessed the development of a large number of new techniques for the formal analysis of security protocols. Many (semi-)automated security protocol analysis tools have been proposed (e.g., =-=[3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]-=-), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library [39]. However, scaling up to large, industrial-scale security protocols is both a scientific and a techno... |
| 391 | An efficient cryptographic protocol verifier based on Prolog rules. In: CSFW,
- Blanchet
- 2001
(Show Context)
Citation Context ...have thus witnessed the development of a large number of new techniques for the formal analysis of security protocols. Many (semi-)automated security protocol analysis tools have been proposed (e.g., =-=[3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]-=-), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library [39]. However, scaling up to large, industrial-scale security protocols is both a scientific and a techno... |
| 296 | Automated analysis of cryptographic protocols using Murphi
- JC, Mitchell, et al.
- 1997
(Show Context)
Citation Context ...have thus witnessed the development of a large number of new techniques for the formal analysis of security protocols. Many (semi-)automated security protocol analysis tools have been proposed (e.g., =-=[3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]-=-), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library [39]. However, scaling up to large, industrial-scale security protocols is both a scientific and a techno... |
| 288 | Internet Key Exchange (IKEv2) Protocol,
- Kaufman
- 2005
(Show Context)
Citation Context ... can be sure about the authenticity of the exchanged messages. The IKEv2 protocol with digital signatures A man-in-the-middle attack discovered on the IKEv2 protocol with digital signatures (IKEv2-DS =-=[56]-=-) is new 8 although it is similar to a well-known attack on the Station-2-Station protocol [62]. As pointed out in [67], several 8 Notice that, independently, the same attack has been reported in [65]... |
| 283 | A survey of authentication protocol literature:
- Clark, Jacob
- 1997
(Show Context)
Citation Context ...curity protocol analysis tools have been proposed (e.g., [3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library =-=[39]-=-. However, scaling up to large, industrial-scale security protocols is both a scientific and a technological challenge. The AVISPA Tool 3 is a push-button tool 3 The AVISPA Tool has been developed joi... |
| 273 | The NRL protocol analyzer: An overview
- Meadows
- 1996
(Show Context)
Citation Context ...have thus witnessed the development of a large number of new techniques for the formal analysis of security protocols. Many (semi-)automated security protocol analysis tools have been proposed (e.g., =-=[3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]-=-), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library [39]. However, scaling up to large, industrial-scale security protocols is both a scientific and a techno... |
| 241 | A Hierarchy of Authentication Specifications
- Lowe
- 1997
(Show Context)
Citation Context ... logic (as safety properties), but macros are provided for the most frequently used security goals, i.e., secrecy and different forms of authentication (cf. the notions of authentication discussed in =-=[63]-=-). 2.2.3 The IF The HLPSL enjoys both a declarative semantics based on a fragment of the TLA [59,60] and an operational semantics based on the translation into the rewrite-based formalism Intermediate... |
| 233 |
a compiler for the analysis of security protocols
- Casper
- 1998
(Show Context)
Citation Context ...have thus witnessed the development of a large number of new techniques for the formal analysis of security protocols. Many (semi-)automated security protocol analysis tools have been proposed (e.g., =-=[3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]-=-), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library [39]. However, scaling up to large, industrial-scale security protocols is both a scientific and a techno... |
| 185 | Protocol insecurity with a finite number of sessions and composed keys is NP-complete.
- Rusinowitch, Turuani
- 2003
(Show Context)
Citation Context ...he Back-Ends of the AVISPA Tool The Constraint-Logic-based Attack Searcher (CL-AtSe) applies constraint solving to perform both protocol falsification and verification for bounded numbers of sessions =-=[30,32,33,34,35,36,37,38,55,72,77]-=-. The protocol messages can be typed or untyped, and the pairing can be considered to be associative or not. Several properties of the XOR operator can be handled too, and, more generally, CL-AtSe is ... |
| 151 | Asynchronous protocols for optimistic fair exchange. In:
- Asokan, Schunter, et al.
- 1998
(Show Context)
Citation Context ...rove that the card-holder authorized the transaction. Like [18], we suggest to include the name of the desired payment gateway into the messages to fix this problem. The ASW protocol The ASW protocol =-=[9]-=- is an optimistic fair exchange protocol for contract signing intended to enable two parties to commit themselves to a previously agreed upon contractual text. A trusted third party (T3P) is involved ... |
| 130 |
Modelling and Analysis of Security Protocols.
- Ryan, Schneider, et al.
- 2000
(Show Context)
Citation Context ...have thus witnessed the development of a large number of new techniques for the formal analysis of security protocols. Many (semi-)automated security protocol analysis tools have been proposed (e.g., =-=[3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]-=-), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library [39]. However, scaling up to large, industrial-scale security protocols is both a scientific and a techno... |
| 119 | How to prevent type flaw attacks on security protocols.
- Heather, Lowe, et al.
- 2003
(Show Context)
Citation Context ...d variant and in a typed one, which abstracts away type-flaw attacks (if any) from the protocol; this is useful as in many cases type-flaws can be prevented in the actual implementation of a protocol =-=[51]-=-. The Intermediate Format thus provides low-level descriptions of protocols and their properties that are suitable for automatic analysis (rather than being abstract and fairly easy to read for human ... |
| 118 |
L.: OFMC: A symbolic model checker for security protocols
- Basin, Mödersheim, et al.
- 2005
(Show Context)
Citation Context ...ole The sessions specified allow the AVISPA Tool to perform bounded session verification, but note that the associated search space is still infinite as the messages are not bounded. As we discuss in =-=[17]-=-, we also have a preliminary implementation of a technique that we call symbolic session generation, which can be used to exploit the symbolic representation of the intruder provided by OFMC and CL-At... |
| 107 | Some New Attacks upon Security Protocols. In:
- Lowe
- 1996
(Show Context)
Citation Context ...signatures A man-in-the-middle attack discovered on the IKEv2 protocol with digital signatures (IKEv2-DS [56]) is new 8 although it is similar to a well-known attack on the Station-2-Station protocol =-=[62]-=-. As pointed out in [67], several 8 Notice that, independently, the same attack has been reported in [65].s78 L. Viganò / Electronic Notes in Theoretical Computer Science 155 (2006) 61–86 Table 2 Effe... |
| 103 | An NP decision procedure for protocol insecurity with XOR.
- Chevalier, Kusters, et al.
- 2005
(Show Context)
Citation Context ...he Back-Ends of the AVISPA Tool The Constraint-Logic-based Attack Searcher (CL-AtSe) applies constraint solving to perform both protocol falsification and verification for bounded numbers of sessions =-=[30,32,33,34,35,36,37,38,55,72,77]-=-. The protocol messages can be typed or untyped, and the pairing can be considered to be associative or not. Several properties of the XOR operator can be handled too, and, more generally, CL-AtSe is ... |
| 99 | Analysis of the Internet Key Exchange Protocol using the NRL Protocol Analyzer.
- Meadows
- 1999
(Show Context)
Citation Context ...middle attack discovered on the IKEv2 protocol with digital signatures (IKEv2-DS [56]) is new 8 although it is similar to a well-known attack on the Station-2-Station protocol [62]. As pointed out in =-=[67]-=-, several 8 Notice that, independently, the same attack has been reported in [65].s78 L. Viganò / Electronic Notes in Theoretical Computer Science 155 (2006) 61–86 Table 2 Effectiveness of the AVISPA ... |
| 96 |
Specifying Systems.
- Lamport
- 2003
(Show Context)
Citation Context ...ey’ (hashed and paired together with other data) on channel SND. Here we see an example of priming; X’ means: the new value of the variable X. The notation stems from the Temporal Logic of Action TLA =-=[59,60]-=-, upon which HLPSL is based. It is important to realize that the value of the variable will not be changed until the current transition is complete. So, the right-hand side tells us that the value of ... |
| 92 | Athena: a new efficient automatic checker for security protocol analysis,
- Song
- 1999
(Show Context)
Citation Context ...have thus witnessed the development of a large number of new techniques for the formal analysis of security protocols. Many (semi-)automated security protocol analysis tools have been proposed (e.g., =-=[3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]-=-), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library [39]. However, scaling up to large, industrial-scale security protocols is both a scientific and a techno... |
| 83 |
Automatic proof of strong secrecy for security protocols. In
- Blanchet
- 2004
(Show Context)
Citation Context ... sequence of invocatore [48], who have formalized a translation procedure from protocol descriptions in HLPSL to descriptions in the applied pi calculus, which allowed them to apply the ProVerif tool =-=[1,2,21,22]-=- to some of our HLPSL protocol specifications. It will be interesting to compare similar translations from IF into the applied pi calculus or other protocol specification formalisms.s74 L. Viganò / El... |
| 72 | Deciding the security of protocols with Diffie-Hellman exponentiation and products in exponents
- Chevalier, Kusters, et al.
(Show Context)
Citation Context ...he Back-Ends of the AVISPA Tool The Constraint-Logic-based Attack Searcher (CL-AtSe) applies constraint solving to perform both protocol falsification and verification for bounded numbers of sessions =-=[30,32,33,34,35,36,37,38,55,72,77]-=-. The protocol messages can be typed or untyped, and the pairing can be considered to be associative or not. Several properties of the XOR operator can be handled too, and, more generally, CL-AtSe is ... |
| 71 | L.: An on-the-fly model-checker for security protocol analysis.
- Basin, Modersheim, et al.
- 2003
(Show Context)
Citation Context ...uder messages using terms with variables, and storing and manipulating constraints about what terms must be generated and which terms may be used to generate them. The On-the-fly Model-Checker (OFMC) =-=[13,14,15,16,17,49,50]-=- performs both protocol falsification and bounded session verification, by exploring the transition system described by an IF specification in a demand-driven way (i.e., on-the-fly, hence its name). O... |
| 67 | Capsl integrated protocol environment
- Denker, Millen
- 2000
(Show Context)
Citation Context ...have thus witnessed the development of a large number of new techniques for the formal analysis of security protocols. Many (semi-)automated security protocol analysis tools have been proposed (e.g., =-=[3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]-=-), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library [39]. However, scaling up to large, industrial-scale security protocols is both a scientific and a techno... |
| 67 | Rewriting for cryptographic protocol verification
- Genet, Klay
- 1966
(Show Context)
Citation Context ... approximating the intruder knowledge by using regular tree languages and rewriting. Its starting point is an extension of an approximation method based on tree automata, introduced by Genet and Klay =-=[46,47]-=- for verifying security protocols. The previous procedures of this kind required the presence of an expert to transform by hand a security protocol into a term-rewriting system and compute an ad hoc a... |
| 61 | An improved constraint-based system for the verification of security protocols.
- Corin, Etalle
- 2002
(Show Context)
Citation Context ...have thus witnessed the development of a large number of new techniques for the formal analysis of security protocols. Many (semi-)automated security protocol analysis tools have been proposed (e.g., =-=[3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]-=-), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library [39]. However, scaling up to large, industrial-scale security protocols is both a scientific and a techno... |
| 61 | Compiling and Verifying Security Protocols
- Jacquemard, Rusinowitch, et al.
- 2000
(Show Context)
Citation Context ...A → B : M. This notation is quite convenient as it gives an illustration of the messages exchanged in a normal, successful run of a given protocol, and several protocol specification languages (e.g., =-=[23,55,64,73]-=- as well as an older version of HLPSL [3]) are based on (a formalization of the) Alice&Bob notation. However, this notation, while intuitive and compact, is also informal and not expressive enough to ... |
| 59 | Just Fast Keying in the Pi Calculus.
- Abadi, Blanchet, et al.
- 2007
(Show Context)
Citation Context ... sequence of invocatore [48], who have formalized a translation procedure from protocol descriptions in HLPSL to descriptions in the applied pi calculus, which allowed them to apply the ProVerif tool =-=[1,2,21,22]-=- to some of our HLPSL protocol specifications. It will be interesting to compare similar translations from IF into the applied pi calculus or other protocol specification formalisms.s74 L. Viganò / El... |
| 53 | Finite-state analysis of two contract signing protocols:
- Shmatikov, Mitchell
- 2002
(Show Context)
Citation Context ...the log). A similar weakness was discovered by [74] on another contract signing protocol, GJM, while for ASW this weakness was not reported previously in the literature. Moreover, as already shown in =-=[75]-=-, ASW cannot provide strong authentication, and the AVISPA tool can also detect such attacks. However, these attacks against strong authentication are not very serious since one should assume that the... |
| 51 | Analyzing a library of security protocols using Casper and FDR,"
- Donovan, Norris, et al.
- 1999
(Show Context)
Citation Context ...O-PK3 (also known as “ISO Public Key Two-Pass Mutual Authentication”) protocol [52]. It was already known that ISO-PK3 is vulnerable to replay attacks and hence does not provide strong authentication =-=[45]-=-: nothing in the messages ensures the freshness of the messages for the responder role. The analysis with the AVISPA Tool showed that the ISO-PK3 protocol does not even guarantee weak authentication, ... |
| 49 | Static validation of security protocols.
- Bodei, Buchholtz, et al.
- 2005
(Show Context)
Citation Context ...have thus witnessed the development of a large number of new techniques for the formal analysis of security protocols. Many (semi-)automated security protocol analysis tools have been proposed (e.g., =-=[3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]-=-), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library [39]. However, scaling up to large, industrial-scale security protocols is both a scientific and a techno... |
| 47 | TulaFale: A Security Tool for Web Services,” - Bhargavan, Fournet, et al. - 2004 |
| 39 | The AVISS security protocol analysis tool,
- Armando, Basin, et al.
- 2002
(Show Context)
Citation Context ...have thus witnessed the development of a large number of new techniques for the formal analysis of security protocols. Many (semi-)automated security protocol analysis tools have been proposed (e.g., =-=[3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]-=-), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library [39]. However, scaling up to large, industrial-scale security protocols is both a scientific and a techno... |
| 36 | A high level protocol specification language for industrial security-sensitive protocols
- Chevalier, Compagna, et al.
- 2004
(Show Context)
Citation Context ...creen-shot of the AVISPA Tool in expert mode. tion and key agreement in mobile roaming scenarios in multimedia communication. The interested reader will find more details about the HLPSL in the paper =-=[31]-=-, in the HLPSL Tutorial [11],andintheAVISPAUserManual[12], which are all available at the AVISPA web-site [10]. There, the reader will also find the AVISPA Library, which contains example specificatio... |
| 34 | Analysis of a fair exchange protocol,"
- Shmatikov, Mitchell
- 2000
(Show Context)
Citation Context ...1–86 81 can be eliminated by replay protection (logging all commitments used in any exchange and refusing to start a run with commitments that appear in the log). A similar weakness was discovered by =-=[74]-=- on another contract signing protocol, GJM, while for ASW this weakness was not reported previously in the literature. Moreover, as already shown in [75], ASW cannot provide strong authentication, and... |
| 33 | Verifying policy-based security for web services. - Bhargavan, Fournet, et al. - 2004 |
| 33 |
Improvements on the Genet and Klay Technique to Automatically Verify Security Protocols.”
- Boichut, H´eam, et al.
- 2004
(Show Context)
Citation Context ... SATMC can easily incorporate and exploit new SAT solvers as soon as they become available. The TA4SP (Tree Automata based on Automatic Approximations for the Analysis of Security Protocols) back-end =-=[24,25,70]-=- performs unbounded protocol verification by approximating the intruder knowledge by using regular tree languages and rewriting. Its starting point is an extension of an approximation method based on ... |
| 31 | A framework for the analysis of security protocols
- Boreale, Buscemi
- 2002
(Show Context)
Citation Context ...have thus witnessed the development of a large number of new techniques for the formal analysis of security protocols. Many (semi-)automated security protocol analysis tools have been proposed (e.g., =-=[3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]-=-), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library [39]. However, scaling up to large, industrial-scale security protocols is both a scientific and a techno... |
| 29 | Automated unbounded verification of security protocols
- Chevalier, Vigneron
- 2002
(Show Context)
Citation Context ...he Back-Ends of the AVISPA Tool The Constraint-Logic-based Attack Searcher (CL-AtSe) applies constraint solving to perform both protocol falsification and verification for bounded numbers of sessions =-=[30,32,33,34,35,36,37,38,55,72,77]-=-. The protocol messages can be typed or untyped, and the pairing can be considered to be associative or not. Several properties of the XOR operator can be handled too, and, more generally, CL-AtSe is ... |
| 28 |
L.: SATMC: a SAT-based model checker for security protocols
- Armando, Compagna
- 2004
(Show Context)
Citation Context ...modeling an intruder who is capable of performing guessing attacks on weak passwords, and for the specification of algebraic properties of cryptographic operators. The SAT-based Model-Checker (SATMC) =-=[4,5,6,7,8,40]-=- considers the typed protocol model and performs both protocol falsification and bounded session verification by reducing the input problem to a sequence of invocatore [48], who have formalized a tran... |
| 28 | Lazy infinite-state analysis of security protocols.
- Basin
- 1999
(Show Context)
Citation Context ...uder messages using terms with variables, and storing and manipulating constraints about what terms must be generated and which terms may be used to generate them. The On-the-fly Model-Checker (OFMC) =-=[13,14,15,16,17,49,50]-=- performs both protocol falsification and bounded session verification, by exploring the transition system described by an IF specification in a demand-driven way (i.e., on-the-fly, hence its name). O... |
| 26 | Combining intruder theories
- Chevalier, Rusinowitch
- 2005
(Show Context)
Citation Context ...he Back-Ends of the AVISPA Tool The Constraint-Logic-based Attack Searcher (CL-AtSe) applies constraint solving to perform both protocol falsification and verification for bounded numbers of sessions =-=[30,32,33,34,35,36,37,38,55,72,77]-=-. The protocol messages can be typed or untyped, and the pairing can be considered to be associative or not. Several properties of the XOR operator can be handled too, and, more generally, CL-AtSe is ... |
| 25 |
Automatic SAT-Compilation of Protocol Insecurity Problems via Reduction to Planning
- Armando, Compagna
(Show Context)
Citation Context ...modeling an intruder who is capable of performing guessing attacks on weak passwords, and for the specification of algebraic properties of cryptographic operators. The SAT-based Model-Checker (SATMC) =-=[4,5,6,7,8,40]-=- considers the typed protocol model and performs both protocol falsification and bounded session verification by reducing the input problem to a sequence of invocatore [48], who have formalized a tran... |
| 25 | Constraint Differentiation: A New Reduction Technique for Constraint-Based Analysis of Security Protocols
- Basin, Mödersheim, et al.
- 2003
(Show Context)
Citation Context ...uder messages using terms with variables, and storing and manipulating constraints about what terms must be generated and which terms may be used to generate them. The On-the-fly Model-Checker (OFMC) =-=[13,14,15,16,17,49,50]-=- performs both protocol falsification and bounded session verification, by exploring the transition system described by an IF specification in a demand-driven way (i.e., on-the-fly, hence its name). O... |
| 23 |
An optimized intruder model for SAT-based modelchecking of security protocols.
- Armando, Compagna
- 2005
(Show Context)
Citation Context ...modeling an intruder who is capable of performing guessing attacks on weak passwords, and for the specification of algebraic properties of cryptographic operators. The SAT-based Model-Checker (SATMC) =-=[4,5,6,7,8,40]-=- considers the typed protocol model and performs both protocol falsification and bounded session verification by reducing the input problem to a sequence of invocatore [48], who have formalized a tran... |
| 23 | Algebraic intruder deductions
- Basin, Mödersheim, et al.
- 2005
(Show Context)
Citation Context ...uder messages using terms with variables, and storing and manipulating constraints about what terms must be generated and which terms may be used to generate them. The On-the-fly Model-Checker (OFMC) =-=[13,14,15,16,17,49,50]-=- performs both protocol falsification and bounded session verification, by exploring the transition system described by an IF specification in a demand-driven way (i.e., on-the-fly, hence its name). O... |
| 20 |
SAT-based Model-Checking of Security Protocols using Planning Graph Analysis
- Armando, Compagna, et al.
- 2003
(Show Context)
Citation Context ...modeling an intruder who is capable of performing guessing attacks on weak passwords, and for the specification of algebraic properties of cryptographic operators. The SAT-based Model-Checker (SATMC) =-=[4,5,6,7,8,40]-=- considers the typed protocol model and performs both protocol falsification and bounded session verification by reducing the input problem to a sequence of invocatore [48], who have formalized a tran... |
| 17 |
An automatic tool for the verification of secrecy in security protocols
- Bozga, Lakhnech, et al.
(Show Context)
Citation Context ...have thus witnessed the development of a large number of new techniques for the formal analysis of security protocols. Many (semi-)automated security protocol analysis tools have been proposed (e.g., =-=[3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]-=-), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library [39]. However, scaling up to large, industrial-scale security protocols is both a scientific and a techno... |
| 17 | Pattern-based abstraction for verifying secrecy in protocols
- Bozga, Lakhnech, et al.
- 2003
(Show Context)
Citation Context ...have thus witnessed the development of a large number of new techniques for the formal analysis of security protocols. Many (semi-)automated security protocol analysis tools have been proposed (e.g., =-=[3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]-=-), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library [39]. However, scaling up to large, industrial-scale security protocols is both a scientific and a techno... |
| 16 | Reconstruction of Attacks against Cryptographic Protocols
- Allamigeon, Blanchet
- 2005
(Show Context)
Citation Context ... sequence of invocatore [48], who have formalized a translation procedure from protocol descriptions in HLPSL to descriptions in the applied pi calculus, which allowed them to apply the ProVerif tool =-=[1,2,21,22]-=- to some of our HLPSL protocol specifications. It will be interesting to compare similar translations from IF into the applied pi calculus or other protocol specification formalisms.s74 L. Viganò / El... |
| 15 |
Abstraction-driven SAT-based Analysis of Security Protocols
- Armando, Compagna
- 2003
(Show Context)
Citation Context ...modeling an intruder who is capable of performing guessing attacks on weak passwords, and for the specification of algebraic properties of cryptographic operators. The SAT-based Model-Checker (SATMC) =-=[4,5,6,7,8,40]-=- considers the typed protocol model and performs both protocol falsification and bounded session verification by reducing the input problem to a sequence of invocatore [48], who have formalized a tran... |
| 15 |
Automatic Verification of Security Protocols Using Approximations
- Boichut, Héam, et al.
- 2005
(Show Context)
Citation Context ... SATMC can easily incorporate and exploit new SAT solvers as soon as they become available. The TA4SP (Tree Automata based on Automatic Approximations for the Analysis of Security Protocols) back-end =-=[24,25,70]-=- performs unbounded protocol verification by approximating the intruder knowledge by using regular tree languages and rewriting. Its starting point is an extension of an approximation method based on ... |
| 15 |
Sécurité des protocoles cryptographiques: décidabilité et complexité
- Turuani
- 2003
(Show Context)
Citation Context ...he Back-Ends of the AVISPA Tool The Constraint-Logic-based Attack Searcher (CL-AtSe) applies constraint solving to perform both protocol falsification and verification for bounded numbers of sessions =-=[30,32,33,34,35,36,37,38,55,72,77]-=-. The protocol messages can be typed or untyped, and the pairing can be considered to be associative or not. Several properties of the XOR operator can be handled too, and, more generally, CL-AtSe is ... |
| 14 | Verifying the SET Purchase Protocols. In:
- Massacci
- 2006
(Show Context)
Citation Context ...e of the desired payment gateway. This weakness of the protocol was already mentioned in the analysis of the SET protocol by Bella, Massacci, and Paulson using the interactive theorem prover Isabelle =-=[18]-=-. They argue that the attack is not very interesting as a dishonest payment gateway “has more interesting crimes to commit”, however we believe that this vulnerability is not uncritical as it may lead... |
| 13 | Automatic Approximation for the Verification of Cryptographic Protocols
- Oehl, Cécé, et al.
- 2003
(Show Context)
Citation Context ... SATMC can easily incorporate and exploit new SAT solvers as soon as they become available. The TA4SP (Tree Automata based on Automatic Approximations for the Analysis of Security Protocols) back-end =-=[24,25,70]-=- performs unbounded protocol verification by approximating the intruder knowledge by using regular tree languages and rewriting. Its starting point is an extension of an approximation method based on ... |
| 12 | Strategy for Verifying Security Protocols with Unbounded Message Size, in "Journal of Automated Software Engineering
- CHEVALIER, VIGNERON
- 2004
(Show Context)
Citation Context ...he Back-Ends of the AVISPA Tool The Constraint-Logic-based Attack Searcher (CL-AtSe) applies constraint solving to perform both protocol falsification and verification for bounded numbers of sessions =-=[30,32,33,34,35,36,37,38,55,72,77]-=-. The protocol messages can be typed or untyped, and the pairing can be considered to be associative or not. Several properties of the XOR operator can be handled too, and, more generally, CL-AtSe is ... |
| 12 | A formalization of off-line guessing for security protocol analysis
- Drielsma, Modersheim, et al.
- 2005
(Show Context)
Citation Context ...uder messages using terms with variables, and storing and manipulating constraints about what terms must be generated and which terms may be used to generate them. The On-the-fly Model-Checker (OFMC) =-=[13,14,15,16,17,49,50]-=- performs both protocol falsification and bounded session verification, by exploring the transition system described by an IF specification in a demand-driven way (i.e., on-the-fly, hence its name). O... |
| 12 | Web Services Security: a preliminary study using Casper and FDR - Kleiner, Roscoe - 2004 |
| 11 |
Resolution de problemes d'accessibilite pour la compilation et la validation de protocoles cryptographiques
- Chevalier
- 2003
(Show Context)
Citation Context ...he Back-Ends of the AVISPA Tool The Constraint-Logic-based Attack Searcher (CL-AtSe) applies constraint solving to perform both protocol falsification and verification for bounded numbers of sessions =-=[30,32,33,34,35,36,37,38,55,72,77]-=-. The protocol messages can be typed or untyped, and the pairing can be considered to be associative or not. Several properties of the XOR operator can be handled too, and, more generally, CL-AtSe is ... |
| 11 |
Triem Tong. Reachability Analysis of Term Rewriting Systems with timbuk
- Genet, Viet
- 2001
(Show Context)
Citation Context ... approximating the intruder knowledge by using regular tree languages and rewriting. Its starting point is an extension of an approximation method based on tree automata, introduced by Genet and Klay =-=[46,47]-=- for verifying security protocols. The previous procedures of this kind required the presence of an expert to transform by hand a security protocol into a term-rewriting system and compute an ad hoc a... |
| 10 | Verification of Security Protocols using LOTOS – Method and Application
- Leduc, Germeau
(Show Context)
Citation Context ...have thus witnessed the development of a large number of new techniques for the formal analysis of security protocols. Many (semi-)automated security protocol analysis tools have been proposed (e.g., =-=[3,21,23,26,27,28,41,42,43,61,64,66,69,71,73,76]-=-), which can analyze small and medium-scale protocols such as those in the Clark/Jacob library [39]. However, scaling up to large, industrial-scale security protocols is both a scientific and a techno... |
| 9 | On the plausible deniability feature of internet protocols. http://isg. rhul.ac.uk/~kp/IKE.ps
- Mao, Paterson
- 2002
(Show Context)
Citation Context ...[56]) is new 8 although it is similar to a well-known attack on the Station-2-Station protocol [62]. As pointed out in [67], several 8 Notice that, independently, the same attack has been reported in =-=[65]-=-.s78 L. Viganò / Electronic Notes in Theoretical Computer Science 155 (2006) 61–86 Table 2 Effectiveness of the AVISPA Tool on the unty&b scenario. Problems CL-AtSe OFMC Protocol #P Time S A Time S A ... |
| 8 | Deciding the security of protocols with commuting public key encryption
- Chevalier, Küsters, et al.
- 2004
(Show Context)
Citation Context ...he Back-Ends of the AVISPA Tool The Constraint-Logic-based Attack Searcher (CL-AtSe) applies constraint solving to perform both protocol falsification and verification for bounded numbers of sessions =-=[30,32,33,34,35,36,37,38,55,72,77]-=-. The protocol messages can be typed or untyped, and the pairing can be considered to be associative or not. Several properties of the XOR operator can be handled too, and, more generally, CL-AtSe is ... |
| 8 | Extending the Dolev-Yao Intruder for Analyzing an Unbounded Number of Sessions. Technical Report available at http://www.inria.fr/rrrt/liste-2003.html
- Chevalier, Kusters, et al.
(Show Context)
Citation Context ...he Back-Ends of the AVISPA Tool The Constraint-Logic-based Attack Searcher (CL-AtSe) applies constraint solving to perform both protocol falsification and verification for bounded numbers of sessions =-=[30,32,33,34,35,36,37,38,55,72,77]-=-. The protocol messages can be typed or untyped, and the pairing can be considered to be associative or not. Several properties of the XOR operator can be handled too, and, more generally, CL-AtSe is ... |
| 7 |
The ASW Protocol Revisited: A Unified View
- P, Mödersheim
- 2004
(Show Context)
Citation Context ...uder messages using terms with variables, and storing and manipulating constraints about what terms must be generated and which terms may be used to generate them. The On-the-fly Model-Checker (OFMC) =-=[13,14,15,16,17,49,50]-=- performs both protocol falsification and bounded session verification, by exploring the transition system described by an IF specification in a demand-driven way (i.e., on-the-fly, hence its name). O... |
| 5 |
SAT-based Model-Checking of Security Protocols
- COMPAGNA
- 2005
(Show Context)
Citation Context ...modeling an intruder who is capable of performing guessing attacks on weak passwords, and for the specification of algebraic properties of cryptographic operators. The SAT-based Model-Checker (SATMC) =-=[4,5,6,7,8,40]-=- considers the typed protocol model and performs both protocol falsification and bounded session verification by reducing the input problem to a sequence of invocatore [48], who have formalized a tran... |
| 4 | On the relationship of traditional and Web Services Security protocols - Kleiner, Roscoe - 2005 |
| 2 | Towards an Independent Semantics and Verification Technology for the HLPSL Specification Language
- Gotsman, Massacci, et al.
- 2005
(Show Context)
Citation Context ...l-Checker (SATMC) [4,5,6,7,8,40] considers the typed protocol model and performs both protocol falsification and bounded session verification by reducing the input problem to a sequence of invocatore =-=[48]-=-, who have formalized a translation procedure from protocol descriptions in HLPSL to descriptions in the applied pi calculus, which allowed them to apply the ProVerif tool [1,2,21,22] to some of our H... |
