Results 1  10
of
40
Modular verification of security protocol code by typing
 in: Proceedings of the 37th ACM SIGACTSIGPLAN Symposium on Principles of Programming Languages (POPL
, 2010
"... We propose a method for verifying the security of protocol implementations. Our method is based on declaring and enforcing invariants on the usage of cryptography. We develop cryptographic libraries that embed a logic model of their cryptographic structures and that specify preconditions and postcon ..."
Abstract

Cited by 50 (17 self)
 Add to MetaCart
We propose a method for verifying the security of protocol implementations. Our method is based on declaring and enforcing invariants on the usage of cryptography. We develop cryptographic libraries that embed a logic model of their cryptographic structures and that specify preconditions and postconditions on their functions so as to maintain their invariants. We present a theory to justify the soundness of modular code verification via our method. We implement the method for protocols coded in F # and verified using F7, our SMTbased typechecker for refinement types, that is, types carrying formulas to record invariants. As illustrated by a series of programming examples, our method can flexibly deal with a range of different cryptographic constructions and protocols. We evaluate the method on a series of larger case studies of protocol code, previously checked using wholeprogram analyses based on ProVerif, a leading verifier for cryptographic protocols. Our results indicate that compositional verification by typechecking with refinement types is more scalable than the best domainspecific analysis currently available for cryptographic code.
ASPIER: An Automated Framework for Verifying Security Protocol Implementations
"... Abstract—We present ASPIER – the first framework that combines software model checking with a standard protocol security model to automatically analyze authentication and secrecy properties of protocol implementations in C. The technical approach extends the iterative abstractionrefinement methodol ..."
Abstract

Cited by 37 (0 self)
 Add to MetaCart
(Show Context)
Abstract—We present ASPIER – the first framework that combines software model checking with a standard protocol security model to automatically analyze authentication and secrecy properties of protocol implementations in C. The technical approach extends the iterative abstractionrefinement methodology for software model checking with a domainspecific protocol and symbolic attacker model. We have implemented the ASPIER tool and used it to verify authentication and secrecy properties of a part of an industrial strength protocol implementation – the handshake in OpenSSL – for configurations consisting of up to 3 servers and 3 clients. We have also implemented two distinct methods for reasoning about attacker message derivations, and evaluated them in the context of OpenSSL verification. ASPIER detected the “versionrollback ” vulnerability in OpenSSL 0.9.6c source code and successfully verified the implementation when clients and servers are only willing to run SSL 3.0. Keywordssecurity protocol; verification; model checking; abstraction refinement. I.
Protocol Composition Logic (PCL)
, 2007
"... Protocol Composition Logic (PCL) is a logic for proving security properties of network protocols that use public and symmetric key cryptography. The logic is designed around a process calculus with actions for possible protocol steps including generating new random numbers, sending and receiving mes ..."
Abstract

Cited by 25 (2 self)
 Add to MetaCart
Protocol Composition Logic (PCL) is a logic for proving security properties of network protocols that use public and symmetric key cryptography. The logic is designed around a process calculus with actions for possible protocol steps including generating new random numbers, sending and receiving messages, and performing decryption and digital signature verification actions. The proof system consists of axioms about individual protocol actions and inference rules that yield assertions about protocols composed of multiple steps. Although assertions are written only using the steps of the protocol, the logic is sound in a strong sense: each provable assertion involving a sequence of actions holds in any protocol run containing the given actions and arbitrary additional actions by a malicious adversary. This approach lets us prove security properties of protocols under attack while reasoning only about the actions of honest parties in the protocol. PCL supports compositional reasoning about complex security protocols and has been applied to a number of industry standards including SSL/TLS, IEEE 802.11i and Kerberos V5.
Reasoning about the consequences of authorization policies in a linear epistemic logic
, 2009
"... Authorization policies are not standalone objects: they are used to selectively permit actions that change the state of a system. Thus, it is desirable to have a framework for reasoning about the semantic consequences of policies. To this end, we extend a rewriting interpretation of linear logic w ..."
Abstract

Cited by 21 (7 self)
 Add to MetaCart
(Show Context)
Authorization policies are not standalone objects: they are used to selectively permit actions that change the state of a system. Thus, it is desirable to have a framework for reasoning about the semantic consequences of policies. To this end, we extend a rewriting interpretation of linear logic with connectives for modeling affirmation, knowledge, and possession. To cleanly confine semantic effects to the rewrite sequence, we introduce a monad. The result is a richly expressive logic that elegantly integrates policies and their effects. After presenting this logic and its metatheory, we demonstrate its utility by proving properties that relate a simple file system’s policies to their semantic consequences.
Cryptographically Sound Security Proofs for Basic And PublicKey Kerberos
 Proc. 11th European Symp. on Research. in Comp. Sec
, 2006
"... Abstract We present a computational analysis of basic Kerberos with and without its publickey extension PKINIT in which we consider authentication and key secrecy properties. Our proofs rely on the Dolev–Yaostyle model of Backes, Pfitzmann, and Waidner, which allows for mapping results obtained sym ..."
Abstract

Cited by 17 (4 self)
 Add to MetaCart
Abstract We present a computational analysis of basic Kerberos with and without its publickey extension PKINIT in which we consider authentication and key secrecy properties. Our proofs rely on the Dolev–Yaostyle model of Backes, Pfitzmann, and Waidner, which allows for mapping results obtained symbolically within this model to cryptographically sound proofs if certain assumptions are met. This work was the first verification at the computational level of such a complex fragment of an industrial protocol. By considering a recently fixed version of PKINIT, we extend symbolic correctness results we previously attained in the Dolev– Yao model to cryptographically sound results in the computational model.
BioCryptographic Protocols With Bipartite Biotokens
 Proceedings of Biometric Symposium, BCC
, 2008
"... Cryptographic protocols are the foundation of secure network infrastructure, facilitating authentication, transactions, and data integrity. In traditional cryptographic protocols, generated keys (and, in most cases, passwords) are used. The utility of biometrics as a convenient and reliable method f ..."
Abstract

Cited by 15 (4 self)
 Add to MetaCart
(Show Context)
Cryptographic protocols are the foundation of secure network infrastructure, facilitating authentication, transactions, and data integrity. In traditional cryptographic protocols, generated keys (and, in most cases, passwords) are used. The utility of biometrics as a convenient and reliable method for authentication has emerged in recent years, but little work has been performed on a serious integration of biometrics with cryptographic protocols. In this paper, we review the notion of revocable biotokens, explain their nesting properties, and extend them to bipartite bitokens and use these to develop protocols for transactions, digital signatures, and a biometric version of Kerberos. We show bipartite biotokens offer a convenient enhancement to keys and passwords, allowing for tighter auditing and nonrepudiation, as well as protection from phishing and maninthemiddle attacks. 1.
Secrecy analysis in protocol composition logic
 Proceedings of 11th Annual Asian Computing Science Conference
, 2006
"... Abstract. Extending a compositional protocol logic with an induction rule for secrecy, we prove soundness for a conventional symbolic protocol execution model, adapt and extend previous composition theorems, and illustrate the logic by proving properties of two key agreement protocols. The first exa ..."
Abstract

Cited by 14 (5 self)
 Add to MetaCart
(Show Context)
Abstract. Extending a compositional protocol logic with an induction rule for secrecy, we prove soundness for a conventional symbolic protocol execution model, adapt and extend previous composition theorems, and illustrate the logic by proving properties of two key agreement protocols. The first example is a variant of the NeedhamSchroeder protocol that illustrates the ability to reason about temporary secrets. The second example is Kerberos V5. The modular nature of the secrecy and authentication proofs for Kerberos makes it possible to reuse proofs about the basic version of the protocol for the PKINIT version that uses publickey infrastructure instead of shared secret keys in the initial steps. 1
Guiding a generalpurpose C verifier to prove cryptographic protocols
 in IEEE Computer Security Foundations Symposium (CSF’11), 2011
, 2011
"... We describe how to verify security properties of C code for cryptographic protocols by using a generalpurpose verifier. We prove security theorems in the symbolic model of cryptography. Our techniques include: use of ghost state to attach formal algebraic terms to concrete byte arrays and to detec ..."
Abstract

Cited by 14 (7 self)
 Add to MetaCart
(Show Context)
We describe how to verify security properties of C code for cryptographic protocols by using a generalpurpose verifier. We prove security theorems in the symbolic model of cryptography. Our techniques include: use of ghost state to attach formal algebraic terms to concrete byte arrays and to detect collisions when two distinct terms map to the same byte array; decoration of a crypto API with contracts based on symbolic terms; and expression of the attacker model in terms of C programs. We rely on the generalpurpose verifier VCC; we guide VCC to prove security simply by writing suitable header files and annotations in implementation files, rather than by changing VCC itself. We formalize the symbolic model in Coq in order to justify the addition of axioms to VCC. 1
Computationally Sound Mechanized Proofs for Basic and Publickey Kerberos
, 2008
"... We present a computationally sound mechanized analysis of Kerberos 5, both with and without its publickey extension PKINIT. We prove authentication and key secrecy properties using the prover CryptoVerif, which works directly in the computational model; these are the first mechanical proofs of a fu ..."
Abstract

Cited by 11 (4 self)
 Add to MetaCart
We present a computationally sound mechanized analysis of Kerberos 5, both with and without its publickey extension PKINIT. We prove authentication and key secrecy properties using the prover CryptoVerif, which works directly in the computational model; these are the first mechanical proofs of a full industrial protocol at the computational level. We also generalize the notion of key usability and use CryptoVerif to prove that this definition is satisfied by keys in Kerberos.