#### DMCA

## From Secrecy to Authenticity in Security Protocols (2002)

Venue: | In 9th International Static Analysis Symposium (SAS’02 |

Citations: | 77 - 8 self |

### Citations

1317 | A Semantics for a Logic of Authentication
- Abadi, Tuttle
- 1991
(Show Context)
Citation Context ...edham-Schroeder public key corrected [18] 21 16 Woo-Lam public key [26] 18 4 Woo-Lam public key corrected [28] 18 6 Woo-Lam shared key [14] 16 6 Woo-Lam shared key corrected [14] 15 5 Simpler Yahalom =-=[9]-=-, unidirectional 10 29 Simpler Yahalom [9], bidirectional 13 101 Otway-Rees [21] 12 62 Simpler Otway-Rees [3] 12 10 Main mode of Skeme [17] 19 67 Fig. 4. Experimental results Since x b contains i B , ... |

1021 | Using Encryption for Authentication in Large Networks of Computers
- Needham, Schroeder
- 1978
(Show Context)
Citation Context ...algorithm then yields begin(pk(sk B []); fi A 7! i A ; x pk B 7! pk (sk B []); x b 7! b[pk(sk A []); i B ]g) ) end(pk (sk B []); i B ) 16 Bruno Blanchet # rules Time (ms) Needham-Schroeder public key =-=[20]-=- 21 25 Needham-Schroeder public key corrected [18] 21 16 Woo-Lam public key [26] 18 4 Woo-Lam public key corrected [28] 18 6 Woo-Lam shared key [14] 16 6 Woo-Lam shared key corrected [14] 15 5 Simpler... |

710 | Breaking and Fixing the NeedhamSchroeder Public Key Protocol Using FDR
- Lowe
- 1996
(Show Context)
Citation Context ...es manual intervention of the user. An exception to this is [12], but it deals only with secrecy. The theorem prover TAPS [11] often succeeds without or with little human intervention. Model checking =-=[18-=-] in general implies a limit on the number of sessions of the protocol. This problem has been tackled by [7, 8, 23]. They recycle nonces, to use only asnite number of them in an innite number of runs.... |

470 | The Inductive Approach to Verifying Cryptographic Protocols
- Paulson
- 1998
(Show Context)
Citation Context ...rting an unbounded number of runs: the verier of [16], based on rank functions, can prove the correctness of orsnd attacks against protocols with atomic symmetric or asymmetric keys. Theorem proving [=-=22]-=- often requires manual intervention of the user. An exception to this is [12], but it deals only with secrecy. The theorem prover TAPS [11] often succeeds without or with little human intervention. Mo... |

398 | Prudent engineering practice for cryptographic protocols,’ expanded version of 1994
- ABADI
- 1994
(Show Context)
Citation Context ...] 18 6 Woo-Lam shared key [14] 16 6 Woo-Lam shared key corrected [14] 15 5 Simpler Yahalom [9], unidirectional 10 29 Simpler Yahalom [9], bidirectional 13 101 Otway-Rees [21] 12 62 Simpler Otway-Rees =-=[3]-=- 12 10 Main mode of Skeme [17] 19 67 Fig. 4. Experimental results Since x b contains i B , we move begin under the input that binds x b. The process PA then becomes: PA2 (sk A ; pk A ) = c(x pk B ):ch... |

369 | Mobile Values, New Names, and Secure Communication - Abadi, Fournet - 2001 |

278 | A survey of authentication protocol literature, Web Draft Version 1.0 available from http://www.cs.york.ac.uk/˜jac - Clark, Jacob - 1997 |

174 | A Semantic Model for Authentication Protocols
- Woo, Lam
- 1993
(Show Context)
Citation Context ...ely, a protocol authenticates A to B if, when B thinks he talks to A, then he actually talks to A. A simple and widely used denition of authenticity is the formalization by a correspondence property [=-=19, 27]-=-, according to the following scheme. When B thinks he has run the protocol with A, he emits a special event end. ? This work was supported in part by the RTD project IST-1999-20527 DAEDALUS of the eur... |

133 | Analyzing security protocols with secrecy types and logic programs
- Abadi, Blanchet
(Show Context)
Citation Context ...e literature, and, as we show in the following of the paper, our technique can handle most of them. Our technique is based on a substantial extension of our previous verication technique for secrecy [=-=1, 6-=-]. (This technique for secrecy is also similar to that of [25].) We show that in some cases, a proof of secrecy for a modied protocol can directly give a proof of authenticity for the considered proto... |

129 | SKEME: a versatile secure key exchange mechanism for Internet, proc
- Krawczyk
(Show Context)
Citation Context ...] 16 6 Woo-Lam shared key corrected [14] 15 5 Simpler Yahalom [9], unidirectional 10 29 Simpler Yahalom [9], bidirectional 13 101 Otway-Rees [21] 12 62 Simpler Otway-Rees [3] 12 10 Main mode of Skeme =-=[17]-=- 19 67 Fig. 4. Experimental results Since x b contains i B , we move begin under the input that binds x b. The process PA then becomes: PA2 (sk A ; pk A ) = c(x pk B ):chpk A i:c(x b):begin(x pk B ) :... |

125 | Authenticity by typing for security protocols
- Gordon, Jeffrey
(Show Context)
Citation Context ...icity in cryptographic protocols, without bounding the number of sessions. Gordon and Jerey dene a type system for verifying authenticity in cryptographic protocols,srst for shared-key cryptography [1=-=4]-=-, then for public-key cryptography [15]. Our system allows more general cryptographic primitives (including hash functions and Die-Hellman key agreements), and moresexibility (for example, our system ... |

100 | Authentication for distributed systems
- Woo, Lam
- 1992
(Show Context)
Citation Context ... b 7! b[pk(sk A []); i B ]g) ) end(pk (sk B []); i B ) 16 Bruno Blanchet # rules Time (ms) Needham-Schroeder public key [20] 21 25 Needham-Schroeder public key corrected [18] 21 16 Woo-Lam public key =-=[26]-=- 18 4 Woo-Lam public key corrected [28] 18 6 Woo-Lam shared key [14] 16 6 Woo-Lam shared key corrected [14] 15 5 Simpler Yahalom [9], unidirectional 10 29 Simpler Yahalom [9], bidirectional 13 101 Otw... |

97 | Programming satan’s computer
- Anderson, Needham
- 1995
(Show Context)
Citation Context ...ed non-injective and injective agreement on the name of the participants, and on all atomic data. For the Woo and Lam shared-key protocol, our tool proves the correctness of the corrected versions of =-=[5]-=- and [14]; itsnds an attack on thesawed version of [14]. (The messages received or sent by A do not depend on the host A wants to talk to, so A may start a session with the adversary C, and the advers... |

82 | Towards an automatic analysis of security protocols in first-order logic
- Weidenbach
- 1999
(Show Context)
Citation Context ...r technique can handle most of them. Our technique is based on a substantial extension of our previous verication technique for secrecy [1, 6]. (This technique for secrecy is also similar to that of [=-=25-=-].) We show that in some cases, a proof of secrecy for a modied protocol can directly give a proof of authenticity for the considered protocol. Then, we show how to extend our secrecy proof technique ... |

62 | Proving security protocols with model checkers by data independent techniques
- Roscoe
- 1998
(Show Context)
Citation Context ...m prover TAPS [11] often succeeds without or with little human intervention. Model checking [18] in general implies a limit on the number of sessions of the protocol. This problem has been tackled by =-=[7, 8, 23-=-]. They recycle nonces, to use only asnite number of them in an innite number of runs. The technique wassrst used for sequential runs, then generalized to parallel runs in [8], but with the additional... |

23 | Proving secrecy is easy enough
- Cortier, Millen, et al.
(Show Context)
Citation Context ...ns, can prove the correctness of orsnd attacks against protocols with atomic symmetric or asymmetric keys. Theorem proving [22] often requires manual intervention of the user. An exception to this is =-=[12]-=-, but it deals only with secrecy. The theorem prover TAPS [11] often succeeds without or with little human intervention. Model checking [18] in general implies a limit on the number of sessions of the... |

18 |
A hierarchy of authentication speci
- Lowe
- 1997
(Show Context)
Citation Context ...ely, a protocol authenticates A to B if, when B thinks he talks to A, then he actually talks to A. A simple and widely used denition of authenticity is the formalization by a correspondence property [=-=19, 27]-=-, according to the following scheme. When B thinks he has run the protocol with A, he emits a special event end. ? This work was supported in part by the RTD project IST-1999-20527 DAEDALUS of the eur... |

16 | Automating data independence - Broadfoot, Lowe, et al. - 2000 |

14 |
An ecient cryptographic protocol veri based on Prolog rules
- Blanchet
- 2001
(Show Context)
Citation Context ...e literature, and, as we show in the following of the paper, our technique can handle most of them. Our technique is based on a substantial extension of our previous verication technique for secrecy [=-=1, 6-=-]. (This technique for secrecy is also similar to that of [25].) We show that in some cases, a proof of secrecy for a modied protocol can directly give a proof of authenticity for the considered proto... |

12 | The game of the name in cryptographic tables
- Amadio, Prasad
- 1999
(Show Context)
Citation Context ...h that each run contains only one fresh value.) Athena [24] uses strand spaces to reduce the state space, but still sometimes limits the number of sessions to guarantee termination. Amadio and Prasad =-=[4-=-] already note that authenticity can be translated into secrecy, by using a judge process. The translation is limited in that only one message can be registered by the judge, so the veried authenticit... |

12 |
Athena: a new ecient automatic checker for security protocol analysis
- Song
- 1999
(Show Context)
Citation Context ... the additional restriction that the agents must be \factorisable". (Essentially, a single run of the agent has to be split into several runs such that each run contains only one fresh value.) At=-=hena [24]-=- uses strand spaces to reduce the state space, but still sometimes limits the number of sessions to guarantee termination. Amadio and Prasad [4] already note that authenticity can be translated into s... |

9 |
Ecient and timely mutual authentication. Operating Systems Review
- Otway, Rees
- 1987
(Show Context)
Citation Context ... system allows more general cryptographic primitives (including hash functions and Die-Hellman key agreements), and moresexibility (for example, our system can verify the original Otway-Rees protocol =-=[21]-=-). Also, From Secrecy to Authenticity in Security Protocols 3 in our system, no annotation is needed, whereas in [14, 15], explicit type casts and checks have to be manually added. However, their syst... |

6 | Internalising agents in CSP protocol models (extended abstract
- Broadfoot, Roscoe
(Show Context)
Citation Context ...m prover TAPS [11] often succeeds without or with little human intervention. Model checking [18] in general implies a limit on the number of sessions of the protocol. This problem has been tackled by =-=[7, 8, 23-=-]. They recycle nonces, to use only asnite number of them in an innite number of runs. The technique wassrst used for sequential runs, then generalized to parallel runs in [8], but with the additional... |

6 |
Towards automatic veri of authentication protocols on an unbounded network
- Heather, Schneider
- 2000
(Show Context)
Citation Context ...hen A must have been alive at some point before), and handle only shared-key cryptography. A few other methods require little human eort, while supporting an unbounded number of runs: the verier of [1=-=6]-=-, based on rank functions, can prove the correctness of orsnd attacks against protocols with atomic symmetric or asymmetric keys. Theorem proving [22] often requires manual intervention of the user. A... |

3 |
TAPS: A First-Order Veri for Cryptographic Protocols
- Cohen
- 2000
(Show Context)
Citation Context ...ls with atomic symmetric or asymmetric keys. Theorem proving [22] often requires manual intervention of the user. An exception to this is [12], but it deals only with secrecy. The theorem prover TAPS =-=[11]-=- often succeeds without or with little human intervention. Model checking [18] in general implies a limit on the number of sessions of the protocol. This problem has been tackled by [7, 8, 23]. They r... |

3 |
Types and Eects for Asymmetric Cryptographic Protocols
- Gordon, Jerey
- 2002
(Show Context)
Citation Context ...ut bounding the number of sessions. Gordon and Jerey dene a type system for verifying authenticity in cryptographic protocols,srst for shared-key cryptography [14], then for public-key cryptography [1=-=5]-=-. Our system allows more general cryptographic primitives (including hash functions and Die-Hellman key agreements), and moresexibility (for example, our system can verify the original Otway-Rees prot... |

2 |
A new algorithm for the automatic veri of authentication protocols: From speci to and attack scenarios
- Debbabi, Mejri, et al.
- 1997
(Show Context)
Citation Context ...plicit type casts and checks have to be manually added. However, their system has the advantage that type checking always terminates, whereas in some rare cases, our analyzer does not. Debbabi et al. =-=[13]-=- also verify authenticity thanks to a representation of protocols by inference rules, very similar to our Horn clauses. However, they verify a weaker notion of authenticity (corresponding to aliveness... |