
## Security protocol verification: Symbolic and computational models (2012)

Venue: Principles of Security and Trust - First International Conference, POST 2012, Volume 7215 of Lecture Notes in Computer Science

Citations: 11 (0 self)

### Citations

1332 | A logic of authentication
- Burrows, Abadi, et al.
- 1990
Citation Context: ...h equivalence properties. Next, we present a selection of these techniques. – Logics have been designed to reason about protocols. Belief logics, such as the BAN logic, by Burrows, Abadi, and Needham [69], reason about what participants to the protocol believe. The BAN logic is one of the first formalisms designed to reason about protocols. However, the main drawback of these logics is that they do no...

830 | Universally Composable Security: A New Paradigm for Cryptographic Protocols
- Canetti
- 2001
Citation Context: ...positional proofs: if a protocol P is equivalent to P′, P can be replaced with P′ in a more complex protocol. In the computational model, this is at the basis of the idea of universal composability [70]. However, in the symbolic model, their proof is more difficult to automate than the proof of trace properties: they cannot be expressed on a single trace, they require relations between traces (or pr...

765 | Systematic design of program analysis frameworks
- Cousot, Cousot
- 1979
Citation Context: ...ithout verifying its contents. Extensions of this decidability result include [14, 82]. In general, these decidability results are very restrictive in practice. – Several methods rely on abstractions [98]: they overestimate the attack possibilities, most often by computing a superset of the knowledge of the adversary. They yield fully automatic but incomplete systems. • Bolignano [63] was a precursor ...

574 | Entity Authentication and Key Distribution
- Bellare, Rogaway
Citation Context: ...ve variant does not hold, because the adversary can replay the first message of the protocol. The formalization is fairly similar in the computational model, with the notion of matching conversations [41] and more recent formalizations based on session identifiers [9, 40], which basically require that the exchanged messages seen by A and by B are the same, up to negligible probability. This is also a ...

421 | A concrete security treatment of symmetric encryption
- Bellare, Desai, et al.
- 1997
Citation Context: ...ality (1) as above, but the security of encryption is expressed (informally) by saying that the adversary has a negligible probability of distinguishing encryptions of two messages of the same length [39]. Equalities other than (1) may exist, even if they are not made explicit. The computational model is much more realistic, but complicates the proofs, and until recently these proofs ...

400 | Authenticated Key Exchange Secure Against Dictionary Attacks
- Bellare, Pointcheval, et al.
- 2000
Citation Context: ...rst message of the protocol. The formalization is fairly similar in the computational model, with the notion of matching conversations [41] and more recent formalizations based on session identifiers [9, 40], which basically require that the exchanged messages seen by A and by B are the same, up to negligible probability. This is also a trace property. 2 Verifying Protocols in the Symbolic Model A very l...

378 | Reconciling two views of cryptography (the computational soundness of formal encryption)
- Abadi, Rogaway
- 2000
Citation Context: ...ver, the converse is not true in general: a protocol may be proved secure in the symbolic model and still be subject to attacks in the computational model. Following the seminal work by Abadi and Rogaway [8], many computational soundness results have been proved. These results show that, modulo additional assumptions, if a protocol is secure in the symbolic model, then it is also secure in the computatio...

372 | Mobile values, new names, and secure communication
- Abadi, Fournet
- 2001
Citation Context: ...tained reply, these verifications are very important: they determine which messages will be accepted or rejected, and may therefore protect or not against attacks. Formal models of protocols, such as [5, 7, 72, 117] make all this precise. Although the explanation above may seem to justify its security informally, this protocol is subject to an attack: Message 1. A → C : {{k}skA}pkC Message 1′. C(A) → B : {{k}skA}p...

273 | Secrecy by typing in security protocols
- Abadi
- 1997
Citation Context: ...ese properties hold only for the fixed protocol of Sect. 1.1. – Sometimes, one uses a stronger notion, strong secrecy, which means that the adversary cannot detect a change in the value of the secret [1, 48]. In other words, the adversary has no information at all on the value of the secret. In the fixed protocol of Sect. 1.1, we could also show strong secrecy of s. The difference between syntactic secre...

177 | Resolution theorem proving
- Bachmair, Ganzinger
Citation Context: ...cols that blindly copy at most one message at each step [83]. (This class of protocols results in clauses with at most one variable.) – ProVerif uses resolution with free selection (without ordering) [18]. This strategy terminates on tagged protocols [57]: in these protocols, each application of a cryptographic primitive is distinguished from others by a constant (the tag). For example, we use enc((c0...

166 | A Meta-notation for Protocol Analysis
- Cervesato, Durgin, et al.
- 1999
Citation Context: ...tained reply, these verifications are very important: they determine which messages will be accepted or rejected, and may therefore protect or not against attacks. Formal models of protocols, such as [5, 7, 72, 117] make all this precise. Although the explanation above may seem to justify its security informally, this protocol is subject to an attack: Message 1. A → C : {{k}skA}pkC Message 1′. C(A) → B : {{k}skA}p...

156 | A composable cryptographic library with nested operations
- Backes, Pfitzmann, et al.
- 2003

155 | The security of triple encryption and a framework for code-based game-playing proofs
- Bellare, Rogaway
- 2006
Citation Context: ...oofs consists in mechanizing proofs in the computational model, without relying at all on the symbolic model. Computational proofs made by cryptographers are typically presented as sequences of games [42, 171]: the initial game represents the protocol to prove; the goal is to show that the probability of breaking a certain security property is negligible in this game. Intermediate games are obtained each f...

132 | Analyzing Security Protocols with Secrecy Types and Logic Programs
- Abadi, Blanchet
- 2005
Citation Context: ...n, but allow one to prove any mathematically correct result. – Typing was also used for proving protocols. Abadi [1] proved strong secrecy for protocols with shared-key encryption. Abadi and Blanchet [2] designed a type system for proving secrecy, which supports a wide variety of cryptographic primitives. Gordon and Jeffrey [125–127] designed the system Cryptyc for verifying authentication by typing....

124 | Verifying privacy-type properties of electronic voting protocols: A taster
- Delaune, Kremer, et al.
Citation Context: ... categories and mention two particularly important examples: secrecy and authentication. These are two basic properties required by most security protocols. Some protocols, such as e-voting protocols [104], require more complex and specific security properties, which will not be discussed here. Trace and Equivalence Properties. Trace properties are properties that can be defined on each execution trace...

123 | A computationally sound mechanized prover for security protocols. Dependable and Secure Computing
- Blanchet
- 2008
Citation Context: ...desired probability is then negligible in the initial game. Halevi [131] suggested to use tools for mechanizing these proofs, and several techniques have been used for reaching this goal. CryptoVerif [50, 51, 56, 58], which we have designed, is the first such tool. It generates proofs by sequences of games automatically or with little user interaction. The games are formalized in a probabilistic process calculus....

114 | Refinement types for secure implementations
- Bengtson, Bhargavan, et al.
- 2008
Citation Context: ... of the protocol. Similarly, JavaSec [137] translates Java programs into first-order logic formulas, which are then given as input to the first-order theorem prover e-SETHEO. The tools F7 and F* [43, 45, 176] use a dependent type system in order to prove security properties of protocols implemented in F#, therefore extending to implementations the approach of Cryptyc [125–127] for models. This approach sc...

104 | Automated Verification of Selected Equivalences for Security Protocols
- Blanchet, Abadi, et al.
- 2005
Citation Context: ...interaction, by tolerating non-termination, or with incomplete systems (which may answer “I don’t know”). Most of these techniques deal with trace properties; only the type system of [1] and ProVerif [54] deal with equivalence properties. Next, we present a selection of these techniques. – Logics have been designed to reason about protocols. Belief logics, such as the BAN logic, by Burrows, Abadi, and...

103 | An NP decision procedure for protocol insecurity with XOR
- Chevalier, Küsters, et al.
- 2005
Citation Context: ...ebraic relations, the verification is much more difficult, but the complexity class does not necessarily increase. For instance, exclusive or is handled in the case of a bounded number of sessions in [78, 79, 86] and the Diffie-Hellman key agreement in [77], still with an NP-complexity. Practical algorithms have been implemented to verify prot...

90 | Intruder deductions, constraint solving and insecurity decision in presence of exclusive or
- Comon-Lundh, Shmatikov
- 2003
Citation Context: ...ebraic relations, the verification is much more difficult, but the complexity class does not necessarily increase. For instance, exclusive or is handled in the case of a bounded number of sessions in [78, 79, 86] and the Diffie-Hellman key agreement in [77], still with an NP-complexity. Practical algorithms have been implemented to verify prot...

89 | A bisimulation method for cryptographic protocols (extended version containing all proofs)
- Abadi, Gordon
- 1998

84 | Formal certification of code-based cryptographic proofs
- Barthe, Grégoire, et al.
- 2009
Citation Context: ...4, 177] developed a tool similar to CryptoVerif but that represents games by dependency graphs; it handles public-key and shared-key encryption and proves secrecy properties. The CertiCrypt framework [31, 32, 34, 37, 38] enables the machine-checked construction and verification of cryptographic proofs by sequences of games. It relies on the general-purpose proof assistant Coq, which is widely believed to be correct. ...

83 | Automatic proof of strong secrecy for security protocols
- Blanchet
- 2004
Citation Context: ...ese properties hold only for the fixed protocol of Sect. 1.1. – Sometimes, one uses a stronger notion, strong secrecy, which means that the adversary cannot detect a change in the value of the secret [1, 48]. In other words, the adversary has no information at all on the value of the secret. In the fixed protocol of Sect. 1.1, we could also show strong secrecy of s. The difference between syntactic secre...

80 | Verified Interoperable Implementations of Security Protocols
- Bhargavan, Fournet, et al.
- 2008
Citation Context: ...uish two ways of analyzing implementations: – One can extract a protocol specification from the implementation, and verify it using existing protocol verification tools. For instance, the tools FS2PV [46] and FS2CV [120] translate protocols written in a subset of the functional language F# into the input language of ProVerif and CryptoVerif, respectively, so that the protocol can be proved in the symbolic...

72 | Symmetric encryption in a simulatable Dolev-Yao style cryptographic library
- Backes, Pfitzmann
- 2004

72 | Deciding the security of protocols with Diffie-Hellman exponentiation and products in exponents
- Chevalier, Küsters, et al.
Citation Context: ...icult, but the complexity class does not necessarily increase. For instance, exclusive or is handled in the case of a bounded number of sessions in [78, 79, 86] and the Diffie-Hellman key agreement in [77], still with an NP-complexity. Practical algorithms have been implemented to verify protocols with a bounded number of sessions, by ...

71 | An on-the-fly model-checker for security protocol analysis
- Basin, Mödersheim, et al.
- 2003
Citation Context: ... bounded number of sessions, by constraint solving, such as [154] and CL-AtSe (Constraint-Logic-based Attack Searcher) [80], or by extensions of model-checking such as OFMC (On-the-Fly Model-Checker) [35]. The previous results only deal with trace properties. The verification of equivalence properties is much more complex. First, decision procedures were designed for a fixed set of basic primitives an...

70 | Password-based authenticated key exchange in the three-party setting
- Abdalla, Fouque, et al.
- 2006
Citation Context: ...ser to the notion of secrecy used in the computational model, which means that a probabilistic polynomial-time adversary has a negligible probability of distinguishing the secret from a random number [9]. Syntactic secrecy is a trace property, while strong secrecy and computational secrecy are equivalence properties. Authentication. Authentication means that, if a participant A runs the protocol appa...

70 | Verification of cryptographic protocols: Tagging enforces termination
- Blanchet, Podelski
- 2003
Citation Context: ...step [83]. (This class of protocols results in clauses with at most one variable.) – ProVerif uses resolution with free selection (without ordering) [18]. This strategy terminates on tagged protocols [57]: in these protocols, each application of a cryptographic primitive is distinguished from others by a constant (the tag). For example, we use enc((c0,m), k) for encrypting m under k, instead of enc(m,...

70 | Tree automata with one memory, set constraints and cryptographic protocols
- Comon, Cortier
- 2005
Citation Context: ... tagging scheme prevents blind copies, that is, situations in which a message is copied by a participant of the protocol without verifying its contents. Extensions of this decidability result include [14, 82]. In general, these decidability results are very restrictive in practice. – Several methods rely on abstractions [98]: they overestimate the attack possibilities, most often by computing a superset o...

70 | Computationally sound, automated proofs for security protocols
- Cortier, Warinschi
- 2005
Citation Context: ...ey encryption in the presence of an active adversary. Therefore, authentication in the symbolic model implies authentication in the computational model. This result was further extended to signatures [92, 135], hash functions [89, 136], non-malleable commitment [121], and zero-knowledge proofs [29]. Cortier and Warinschi [92] also showed that syntactic secrecy in the symbolic model implies secrecy in the c...

69 | Automated verification of remote electronic voting protocols in the applied pi-calculus
- Backes, Hritcu, et al.
- 2008
Citation Context: ...ilesystem Plutus [55]. ProVerif was also used by other authors, for instance for verifying Web services, by translating XML protocols to ProVerif using the tool TulaFale [47, 149], e-voting protocols [21, 104, 138], zero-knowledge protocols [23], RFID protocols [68], and the TPM (Trusted Platform Module) [74, 105]. An extension was proposed for supporting protocols with mutable global state [15]. ProVerif can b...

59 | Just Fast Keying in the Pi Calculus
- Abadi, Blanchet, et al.
- 2007
Citation Context: ...ay for these advantages: ProVerif does not always terminate and it is not complete (it may find false attacks). It is still precise and efficient in practice, as demonstrated by case studies, such as [3, 4, 52, 55]. The verification method is summarized in Fig. 1. The Horn clause verification technique is not specific to any formalism for representing the protocol. Among the many existing formalisms, we focused...

54 | New decidability results for fragments of first-order logic and application to cryptographic protocols
- Comon-Lundh, Cortier
- 2003
Citation Context: ...mplemented in the theorem prover SPASS (http://www.spass-prover.org/). – Ordered resolution with factorization and splitting terminates on protocols that blindly copy at most one message at each step [83]. (This class of protocols results in clauses with at most one variable.) – ProVerif uses resolution with free selection (without ordering) [18]. This strategy terminates on tagged protocols [57]: in ...

51 | Computer-aided security proofs for the working cryptographer
- Barthe, Grégoire, et al.
- 2011
Citation Context: ...he machine-checked construction and verification of cryptographic proofs by sequences of games. It relies on the general-purpose proof assistant Coq, which is widely believed to be correct. EasyCrypt [33] generates CertiCrypt proofs from proof sketches that formally represent the sequence of games and hints, which makes the tool easier to use. Nowak et al. [11, 161, 162] follow a sim...

51 | Cryptographically verified implementations for TLS
- Bhargavan, Fournet, et al.
- 2008
Citation Context: ...ProVerif and CryptoVerif, respectively, so that the protocol can be proved in the symbolic model and in the computational model. These techniques were applied to an important case study: the protocol TLS [44]. They analyze reference implementations written in F# in order to facilitate verification; one verifies that these implementations interoperate with other implementations, which provides some assuran...

50 | Modular verification of security protocol code by typing
- Bhargavan, Fournet, et al.
- 2010
Citation Context: ... of the protocol. Similarly, JavaSec [137] translates Java programs into first-order logic formulas, which are then given as input to the first-order theorem prover e-SETHEO. The tools F7 and F* [43, 45, 176] use a dependent type system in order to prove security properties of protocols implemented in F#, therefore extending to implementations the approach of Cryptyc [125–127] for models. This approach sc...

50 | Automatic Verification of Correspondences for Security Protocols
- Blanchet
- 2009
Citation Context: ...ay for these advantages: ProVerif does not always terminate and it is not complete (it may find false attacks). It is still precise and efficient in practice, as demonstrated by case studies, such as [3, 4, 52, 55]. The verification method is summarized in Fig. 1. The Horn clause verification technique is not specific to any formalism for representing the protocol. Among the many existing formalisms, we focused...

49 | Automatic Validation of Protocol Narration
- Bodei, Buchholtz, et al.
- 2003
Citation Context: ... to analyze the code of implementations written without verification in mind. Similarly, Elijah [163] translates Java programs into LySa protocol specifications, which can be verified by the LySatool [59]. Aizatulin et al. [12] use symbolic execution in order to extract ProVerif models from pre-existing protocol implementations in C. This technique currently analyzes a single execution path of the pro...

49 | Static validation of security protocols
- Bodei, Buchholtz, et al.
- 2005

48 | Relating Symbolic and Cryptographic Secrecy
- Backes
- 2005

48 | Universally composable symbolic analysis of mutual authentication and key exchange protocols
- Canetti, Herzog
Citation Context: ...lev-Yao model, in which the length of messages is present. It has been used for a proof of the Needham-Schroeder protocol fixed by Lowe [147] verified in a proof assistant [175]. – Canetti and Herzog [71] showed how a symbolic analysis in the style of the Dolev-Yao model can be used to prove security properties of protocols in the framework of universal composability [70] for a restricted class of pro...

47 | Zero-Knowledge in the Applied Pi-calculus and Automated Verification of the Direct Anonymous Attestation Protocol
- Backes, Maffei, et al.
- 2008
Citation Context: ...used by other authors, for instance for verifying Web services, by translating XML protocols to ProVerif using the tool TulaFale [47, 149], e-voting protocols [21, 104, 138], zero-knowledge protocols [23], RFID protocols [68], and the TPM (Trusted Platform Module) [74, 105]. An extension was proposed for supporting protocols with mutable global state [15]. ProVerif can be downloaded at http://www.prov...

47 | TulaFale: A Security Tool for Web Services
- Bhargavan, Fournet, et al.
- 2004
Citation Context: ...) [4], and the cryptographic filesystem Plutus [55]. ProVerif was also used by other authors, for instance for verifying Web services, by translating XML protocols to ProVerif using the tool TulaFale [47, 149], e-voting protocols [21, 104, 138], zero-knowledge protocols [23], RFID protocols [68], and the TPM (Trusted Platform Module) [74, 105]. An extension was proposed for supporting protocols with mutabl...

45 | Soundness of formal encryption in the presence of key-cycles
- Adão, Bana, et al.
- 2005
Citation Context: ... encryption, there must be no key cycle (in which a key is encrypted directly or indirectly under itself, as in {k}k or {k}k′, {k′}k) or a specific definition of security of encryption is necessary [10, 28]. (The existence of key cycles for a bounded number of sessions is an NP-complete problem [94].) These limitations have led to the ...

45 | Probabilistic polynomial-time semantics for a protocol security logic
- Datta, Derek, et al.
- 2005
Citation Context: ...dapt techniques previously designed for the symbolic model. For instance, the logic PCL [100, 115], first designed for proving protocols in the Dolev-Yao model, was adapted to the computational model [101, 102]. Other computationally sound logics include CIL (Computational Indistinguishability Logic) [30] and a specialized Hoare logic designed for proving asymmetric encryption schemes in the random oracle m...

43 | Computer-Assisted Verification of a Protocol for Certified Email
- Abadi, Blanchet
- 2003
Citation Context: ...ay for these advantages: ProVerif does not always terminate and it is not complete (it may find false attacks). It is still precise and efficient in practice, as demonstrated by case studies, such as [3, 4, 52, 55]. The verification method is summarized in Fig. 1. The Horn clause verification technique is not specific to any formalism for representing the protocol. Among the many existing formalisms, we focused...

43 | The AVISPA tool for the automated validation of internet security protocols and applications (Computer Aided Verification)
- Armando, Basin, et al.
- 2005
Citation Context: ...uage can be translated into the input languages of Maude, NPA, Athena, and of the constraint solving verifier of [154]. – AVISPA (Automated Validation of Internet Security Protocols and Applications) [17] provides, like CAPSL, a protocol description language HLPSL (High-Level Protocol Specification Language), which is translated into an intermediate language based on multiset rewriting. Four verifiers...

39 | Security properties: Two agents are sufficient
- Cortier
- 2002
Citation Context: ...d in the presence of an active adversary; the number of sessions (runs) of the protocol is not bounded. However, we can easily bound the number of participants to the protocol without forgetting attacks [84]: for protocols that do not make difference tests, one honest participant is enough for secrecy if the same participant is allowed to play all roles of the protocol, two honest participants are enough...

38 | Computationally sound compositional logic for key exchange protocols
- Datta, Derek, et al.
- 2006
Citation Context: ...dapt techniques previously designed for the symbolic model. For instance, the logic PCL [100, 115], first designed for proving protocols in the Dolev-Yao model, was adapted to the computational model [101, 102]. Other computationally sound logics include CIL (Computational Indistinguishability Logic) [30] and a specialized Hoare logic designed for proving asymmetric encryption schemes in the random oracle m...

37 | ASPIER: An automated framework for verifying security protocol implementations
- Chaki, Datta
- 2009
Citation Context: ...in Java using ESC/Java2: ESC/Java2 verifies that the implementation does not raise exceptions, and follows a specification of SSH by a finite automaton, but does not prove security properties. ASPIER [73] uses software model-checking, with predicate abstraction and counter-example guided abstraction refinement, in order to verify C implementations of protocols, assuming the size of messages and the nu...

36 | Computational soundness of observational equivalence
- Comon-Lundh, Cortier
- 2008
Citation Context: ...ures. While the previous results dealt with traces, Comon and Cortier showed a computational soundness result for observational equivalence, for protocols that use authenticated shared-key encryption [85]. These results consider a fixed protocol language and a few primitives at a time, limiting the scope of the results. Frameworks were designed to make computational soundness proofs modular, by encodi...

33 | Symbolic Bisimulation in the Spi Calculus
- Borgström, Briais, et al.
Citation Context: ...icular to the detection of off-line guessing attacks against password-based protocols and to the proof of strong secrecy. These techniques rely on symbolic semantics: in a symbolic semantics, such as [64, 103, 146], the messages that come from the adversary are represented by variables, to avoid an unbounded case distinction on these messages. For an unbounded number of sessions, the problem is undecidable [114...

29 | A Tool for Lazy Verification of Security Protocols
- Chevalier, Vigneron
- 2001
Citation Context: ... have been implemented to verify protocols with a bounded number of sessions, by constraint solving, such as [154] and CL-AtSe (Constraint-Logic-based Attack Searcher) [80], or by extensions of model-checking such as OFMC (On-the-Fly Model-Checker) [35]. The previous results only deal with trace properties. The verification of equivalence properties is much more complex...

28 | Formal Verification of Privacy for RFID Systems
- Brusó, Chatzikokolakis, et al.
- 2010
Citation Context: ..., for instance for verifying Web services, by translating XML protocols to ProVerif using the tool TulaFale [47, 149], e-voting protocols [21, 104, 138], zero-knowledge protocols [23], RFID protocols [68], and the TPM (Trusted Platform Module) [74, 105]. An extension was proposed for supporting protocols with mutable global state [15]. ProVerif can be downloaded at http://www.proverif.ens.fr/. 3 Verif...

26 | Symbolic bisimulation for the applied pi calculus
- Delaune, Kremer, et al.
- 2007
Citation Context: ...icular to the detection of off-line guessing attacks against password-based protocols and to the proof of strong secrecy. These techniques rely on symbolic semantics: in a symbolic semantics, such as [64, 103, 146], the messages that come from the adversary are represented by variables, to avoid an unbounded case distinction on these messages. For an unbounded number of sessions, the problem is undecidable [114...

25 | Key-dependent message security under active attacks - BRSIM/UC-soundness of symbolic encryption with key cycles
- Backes, Pfitzmann, et al.
Citation Context: ... encryption, there must be no key cycle (in which a key is encrypted directly or indirectly under itself, as in {k}k or {k}k′, {k′}k) or a specific definition of security of encryption is necessary [10, 28]. (The existence of key cycles for a bounded number of sessions is an NP-complete problem [94].) These limitations have led to the ...

25 | Trace equivalence decision: negative tests and non-determinism
- Cheval, Comon-Lundh, et al.
- 2011
Citation Context: ...thout else branches [112, 134], but their complexity was too large for practical implementations. Recently, more practical algorithms were designed for processes with else branches and nondeterminism [75, 76] or for a wide variety of primitives with the restriction that processes are determinate, that is, their execution is entirely determined by the adversary inputs [81, 87]. Diff-equivalence, a strong e...

25 | A Survey of Symbolic Methods in Computational Analysis of Cryptographic Systems
- Cortier, Kremer, et al.
- 2010
Citation Context: ...work of universal composability [70] for a restricted class of protocols that use only public-key encryption. They then use ProVerif [48] to verify protocols in this framework. We refer the reader to [90] for a more detailed survey of computational soundness results. This approach enjoyed important successes, but also has limitations: additional hypotheses are necessary, since the two models do not ma...

24 | CoSP: a general framework for computational soundness proofs
- Backes, Hofheinz, et al.
- 2009
Citation Context: ...protocol language and a few primitives at a time, limiting the scope of the results. Frameworks were designed to make computational soundness proofs modular, by encoding many input languages into one [20, 24] and by allowing to compose proofs obtained independently for several primitives [93]. – Backes, Pfitzmann, and Waidner [25–27] developed an abstract cryptographic library including authenticated share...

24 | Computationally sound mechanized proofs of correspondence assertions
- Blanchet
- 2007
Citation Context: ...desired probability is then negligible in the initial game. Halevi [131] suggested to use tools for mechanizing these proofs, and several techniques have been used for reaching this goal. CryptoVerif [50, 51, 56, 58], which we have designed, is the first such tool. It generates proofs by sequences of games automatically or with little user interaction. The games are formalized in a probabilistic process calculus....

23 |
Sécurité des protocoles cryptographiques: aspects logiques et calculatoires
- Baudet
- 2007
Citation Context ... is entirely determined by the adversary inputs [81, 87]. Diff-equivalence, a strong equivalence between processes that have the same structure but differ by the terms they contain, is also decidable =-=[36]-=-; this result applies in particular to the detection of off-line guessing attacks against password-based protocols and to the proof of strong secrecy. These techniques rely on symbolic semantics: in a... |

22 | Computationally sound verification of source code (full version). IACR ePrint archive 2010/416
- Backes, Maffei, et al.
- 2010
Citation Context ...protocol language and a few primitives at a time, limiting the scope of the results. Frameworks were designed to make computational soundness proofs modular, by encoding many input languages into one =-=[20, 24]-=- and by allowing to compose proofs obtained independently for several primitives [93]. – Backes, Pfitzmann, and Waidner [25–27] developed an abstract cryptographic library including authenticated share... |

22 | Automated Formal Analysis of a Protocol for Secure File Sharing on Untrusted Storage.
- Blanchet, Chaudhuri
- 2008

22 | Computationally sound symbolic secrecy in the presence of hash functions
- Cortier, Kremer, et al.
- 2006
Citation Context ...nce of an active adversary. Therefore, authentication in the symbolic model implies authentication in the computational model. This result was further extended to signatures [92, 135], hash functions =-=[89, 136]-=-, non-malleable commitment [121], and zero-knowledge proofs [29]. Cortier and Warinschi [92] also showed that syntactic secrecy in the symbolic model implies secrecy in the computational model for non... |

21 | A method for proving observational equivalence.
- Cortier, Delaune
- 2009
Citation Context ...e branches and nondeterminism [75, 76] or for a wide variety of primitives with the restriction that processes are determinate, that is, their execution is entirely determined by the adversary inputs =-=[81, 87]-=-. Diff-equivalence, a strong equivalence between processes that have the same structure but differ by the terms they contain, is also decidable [36]; this result applies in particular to the detection... |

20 | SAT-based Model-Checking of Security Protocols using Planning Graph Analysis
- Armando, Compagna, et al.
- 2003
Citation Context ...ecking techniques, using systems such as FDR [147] (which was used to discover the attack against the Needham-Schroeder public-key protocol), Murφ [158], Maude [106], or SATMC (SAT-based Model-Checker) =-=[16]-=-. These techniques allow one to find attacks against protocols, but not to prove the absence of attacks, since attacks may appear in an unexplored part of the state space. (One can indeed construct a ... |

20 | Computational soundness of symbolic zero-knowledge proofs against active attackers. In:
- Backes, Unruh
- 2008
Citation Context ... model implies authentication in the computational model. This result was further extended to signatures [92, 135], hash functions [89, 136], non-malleable commitment [121], and zero-knowledge proofs =-=[29]-=-. Cortier and Warinschi [92] also showed that syntactic secrecy in the symbolic model implies secrecy in the computational model for nonces. A tool [88] was built based on [92] to obtain computational... |

19 | Bounding messages for free in security protocols.
- Arapinis, Duflot
- 2007
Citation Context ... tagging scheme prevents blind copies, that is, situations in which a message is copied by a participant of the protocol without verifying its contents. Extensions of this decidability result include =-=[14, 82]-=-. In general, these decidability results are very restrictive in practice. – Several methods rely on abstractions [98]: they overestimate the attack possibilities, most often by computing a superset o... |

19 | Computationally sound secrecy proofs by mechanized flow analysis.
- Backes, Laud
- 2006
Citation Context ...r instance, [143] handles shared-key and public-key encryption, with an unbounded number of sessions. This system relies on the Backes-Pfitzmann-Waidner library. A type inference algorithm is given in =-=[22]-=-. 3.3 Direct Computational Proofs Finally, the direct approach to computational proofs consists in mechanizing proofs in the computational model, without relying at all on the symbolic model. Computat... |

19 | Automating security analysis: symbolic equivalence of constraint systems.
- Cheval, Comon-Lundh, et al.
- 2010
Citation Context ...thout else branches [112, 134], but their complexity was too large for practical implementations. Recently, more practical algorithms were designed for processes with else branches and nondeterminism =-=[75, 76]-=- or for a wide variety of primitives with the restriction that processes are determinate, that is, their execution is entirely determined by the adversary inputs [81, 87]. Diff-equivalence, a strong e... |

19 | Relating two standard notions of secrecy.
- Cortier, Rusinowitch, et al.
- 2007
Citation Context ...n this case, one has to use strong secrecy: the adversary must not be able to distinguish a protocol using the value 0 from the same protocol using the value 1. These two notions are often equivalent =-=[91]-=-, both for atomic data (which are never split into several pieces, such as nonces, which are random numbers chosen independently at each run of the protocol) and for probabilistic cryptographic primit... |

17 | Pattern-based abstraction for verifying secrecy in protocols
- Bozga, Lakhnech, et al.
- 2003
Citation Context ... Feret’s abstract-interpretation-based relational analysis [118], Heather and Schneider’s rank functions verifier [133], Backes et al.’s causal graph technique [19], and the Hermès protocol verifier =-=[65]-=-. While most verifiers compute the knowledge of the adversary, Hermès computes forms of messages, such as encryption under certain keys, that guarantee preservation of secrecy. Platforms that group s... |

16 | Reconstruction of Attacks against Cryptographic Protocols
- Allamigeon, Blanchet
- 2005
Citation Context ...l, ProVerif cannot prove secrecy. In this case, ProVerif uses the derivation of attacker(M) to reconstruct an attack automatically =-=[13]-=-. (Such a reconstruction fails if a false attack has been found.) We have extended this technique to more complex security properties: – ProVerif can verify complex non-injective and injective corresp... |

16 | Automating data independence
- Broadfoot, Lowe, et al.
- 2000
Citation Context ...xtension of Athena’s method with trace patterns to analyze a group of traces simultaneously. These tools sometimes limit the number of sessions to guarantee termination. – Broadfoot, Lowe, and Roscoe =-=[66, 67, 169]-=- extended the model-checking approach to an unbounded number of sessions. They recycle nonces, to use a finite number of nonces for an infinite number of executions. – One of the very first approaches... |

15 | Extracting and Verifying Cryptographic Models from C Protocol Code by Symbolic Execution.
- Aizatulin, Gordon, et al.
- 2011
Citation Context ... implementations written without verification in mind. Similarly, Elijah [163] translates Java programs into LySa protocol specifications, which can be verified by the LySatool [59]. Aizatulin et al. =-=[12]-=- use symbolic execution in order to extract ProVerif models from pre-existing protocol implementations in C. This technique currently analyzes a single execution path of the protocol, so it is limited... |

15 | StatVerif: Verification of stateful processes
- Arapinis, Ritter, et al.
Citation Context ...ocols [21, 104, 138], zero-knowledge protocols [23], RFID protocols [68], and the TPM (Trusted Platform Module) [74, 105]. An extension was proposed for supporting protocols with mutable global state =-=[15]-=-. ProVerif can be downloaded at http://www.proverif.ens.fr/. 3 Verifying Protocols in the Computational Model Proving protocols automatically in the computational model is much more difficult than in ... |

14 | Beyond provable security. Verifiable IND-CCA security of OAEP
- Barthe, Grégoire, et al.
- 2011
Citation Context ...4, 177] developed a tool similar to CryptoVerif but that represents games by dependency graphs; it handles public-key and shared-key encryption and proves secrecy properties. The CertiCrypt framework =-=[31, 32, 34, 37, 38]-=- enables the machine-checked construction and verification of cryptographic proofs by sequences of games. It relies on the general-purpose proof assistant Coq, which is widely believed to be correct. ... |

14 | Flow logic for Dolev-Yao secrecy in cryptographic processes
- Bodei, Degano, et al.
- 2002

13 | Towards automated proofs for asymmetric encryption schemes in the random oracle model
- Courant, Daubignard, et al.
- 2008
Citation Context ...er computationally sound logics include CIL (Computational Indistinguishability Logic) [30] and a specialized Hoare logic designed for proving asymmetric encryption schemes in the random oracle model =-=[95, 96]-=-. Similarly, type systems [97, 143, 145, 172] can provide computational security guarantees. For instance, [143] handles shared-key and public-key encryption, with an unbounded number of sessions. Thi... |

13 | Formal analysis of protocols based on tpm state registers
- Delaune, Kremer, et al.
- 2011
Citation Context ...y translating XML protocols to ProVerif using the tool TulaFale [47, 149], e-voting protocols [21, 104, 138], zero-knowledge protocols [23], RFID protocols [68], and the TPM (Trusted Platform Module) =-=[74, 105]-=-. An extension was proposed for supporting protocols with mutable global state [15]. ProVerif can be downloaded at http://www.proverif.ens.fr/. 3 Verifying Protocols in the Computational Model Proving... |

11 | Computational indistinguishability logic
- Barthe, Daubignard, et al.
- 2010
Citation Context ...rst designed for proving protocols in the Dolev-Yao model, was adapted to the computational model [101, 102]. Other computationally sound logics include CIL (Computational Indistinguishability Logic) =-=[30]-=- and a specialized Hoare logic designed for proving asymmetric encryption schemes in the random oracle model [95, 96]. Similarly, type systems [97, 143, 145, 172] can provide computational security gu... |

11 | Computationally sound mechanized proofs for basic and public-key kerberos.
- Blanchet, Jaggard, et al.
- 2008
Citation Context ...desired probability is then negligible in the initial game. Halevi [131] suggested to use tools for mechanizing these proofs, and several techniques have been used for reaching this goal. CryptoVerif =-=[50, 51, 56, 58]-=-, which we have designed, is the first such tool. It generates proofs by sequences of games automatically or with little user interaction. The games are formalized in a probabilistic process calculus.... |

10 | Deciding key cycles for security protocols
- Cortier, Zălinescu
- 2006
Citation Context ...curity of encryption is necessary [10, 28]. (The existence of key cycles for a bounded number of sessions is an NP-complete problem =-=[94]-=-.) These limitations have led to the idea of directly automating proofs in the computational model. 3.2 Adapting Techniques from the Symbolic Model Another way of proving protocols in the computation... |

9 | Security Protocols: From Linear to Classical Logic by Abstract Interpretation
- Blanchet
- 2005
Citation Context ...ep [113]. The Horn clause model can be seen as a sound abstraction, in the abstract interpretation sense [98], of the linear logic model, obtained by ignoring the number of repetitions of each action =-=[49]-=-. Hence, our technique is sound (when it says that a security property is true, then it is actually so), but not complete (false attacks can be found). However, in our tests, false attacks rarely occu... |

9 | Explicit randomness is not necessary when modeling probabilistic encryption
- Cortier, Hördegen, et al.
- 2006
Citation Context ...ble commitment [121], and zero-knowledge proofs [29]. Cortier and Warinschi [92] also showed that syntactic secrecy in the symbolic model implies secrecy in the computational model for nonces. A tool =-=[88]-=- was built based on [92] to obtain computational proofs using the symbolic verifier AVISPA, for protocols that use public-key encryption and signatures. While the previous results dealt with traces, C... |

8 | Formal certification of ElGamal encryption. A gentle introduction to CertiCrypt
- Barthe, Grégoire, et al.
- 2009
Citation Context ...4, 177] developed a tool similar to CryptoVerif but that represents games by dependency graphs; it handles public-key and shared-key encryption and proves secrecy properties. The CertiCrypt framework =-=[31, 32, 34, 37, 38]-=- enables the machine-checked construction and verification of cryptographic proofs by sequences of games. It relies on the general-purpose proof assistant Coq, which is widely believed to be correct. ... |

8 | A composable computational soundness notion
- Cortier, Warinschi
- 2011
Citation Context ...eworks were designed to make computational soundness proofs modular, by encoding many input languages into one [20, 24] and by allowing to compose proofs obtained independently for several primitives =-=[93]-=-. – Backes, Pfitzmann, and Waidner [25–27] developed an abstract cryptographic library including authenticated shared-encryption, public-key encryption, message authentication codes, signatures, and no... |

7 | Using Horn clauses for analyzing security protocols
- Blanchet
- 2011
Citation Context ...Hence, we obtain the clause: attacker(penc(sign(y, skA), pk(skB)))⇒ attacker(enc(s, y)) More details on this representation as well as the complete coding of the protocol of Sect. 1.1 can be found in =-=[53]-=-. This representation of protocols is approximate in that the application of Horn clauses can be repeated any number of times, while the real protocol repeats each step only once per... |

7 | Attack, solution and verification for shared authorisation data in TCG TPM.
- Chen, Ryan
- 2009
Citation Context ...y translating XML protocols to ProVerif using the tool TulaFale [47, 149], e-voting protocols [21, 104, 138], zero-knowledge protocols [23], RFID protocols [68], and the TPM (Trusted Platform Module) =-=[74, 105]-=-. An extension was proposed for supporting protocols with mutable global state [15]. ProVerif can be downloaded at http://www.proverif.ens.fr/. 3 Verifying Protocols in the Computational Model Proving... |

6 | Causality-based abstraction of multiplicity in security protocols
- Backes, Cortesi, et al.
- 2007
Citation Context ...n include control-flow analysis [59–61], Feret’s abstract-interpretation-based relational analysis [118], Heather and Schneider’s rank functions verifier [133], Backes et al.’s causal graph technique =-=[19]-=-, and the Hermès protocol verifier [65]. While most verifiers compute the knowledge of the adversary, Hermès computes forms of messages, such as encryption under certain keys, that guarantee preserv... |

6 | Computationally sound typing for noninterference: The case of deterministic encryption
- Courant, Ene, et al.
- 2007
Citation Context ...clude CIL (Computational Indistinguishability Logic) [30] and a specialized Hoare logic designed for proving asymmetric encryption schemes in the random oracle model [95, 96]. Similarly, type systems =-=[97, 143, 145, 172]-=- can provide computational security guarantees. For instance, [143] handles shared-key and public-key encryption, with an unbounded number of sessions. This system relies on the BackesPfitzmann-Waidne... |

5 | Formally certifying the security of digital signature schemes
- Béguelin, Grégoire, et al.
- 2009

4 | Certifying assembly with formal cryptographic proofs: the case of BBS
- Affeldt, Nowak, et al.
- 2009
Citation Context ... be correct. EasyCrypt [33] generates CertiCrypt proofs from proof sketches that formally represent the sequence of games and hints, which makes the tool easier to use. Nowak et al. =-=[11, 161, 162]-=- follow a similar idea by providing Coq proofs for several basic cryptographic primitives. 4 Verifying Protocol Implementations The approaches mentioned so far verify specifications of protocols in mo... |

4 | Validation of Prouvé protocols using the automatic tool TA4SP. In: TFIT’06
- Boichut, Kosmatov, et al.
- 2006
Citation Context ...ional Models 9 combine tree automata with rewriting. This method led to the implementation of the verifier TA4SP (Tree-Automata-based Automatic Approximations for the Analysis of Security Protocols) =-=[62]-=-. This approach abstracts away relational information on terms: when a variable appears several times in a message, one forgets that it has the same value at all its occurrences in the message, which ... |

4 | Automated proofs for asymmetric encryption
- Courant, Daubignard, et al.
Citation Context ...er computationally sound logics include CIL (Computational Indistinguishability Logic) [30] and a specialized Hoare logic designed for proving asymmetric encryption schemes in the random oracle model =-=[95, 96]-=-. Similarly, type systems [97, 143, 145, 172] can provide computational security guarantees. For instance, [143] handles shared-key and public-key encryption, with an unbounded number of sessions. Thi... |

2 | Embedding agents within the intruder to detect parallel attacks
- Broadfoot, Roscoe
- 2004
Citation Context ...xtension of Athena’s method with trace patterns to analyze a group of traces simultaneously. These tools sometimes limit the number of sessions to guarantee termination. – Broadfoot, Lowe, and Roscoe =-=[66, 67, 169]-=- extended the model-checking approach to an unbounded number of sessions. They recycle nonces, to use a finite number of nonces for an infinite number of executions. – One of the very first approaches... |


1 | Automated Verification of Security Protocols with Applications to Electronic Voting
- Ciobâcă, Ştefan
- 2011
