Results 1  10
of
480
Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption)
, 2000
"... Two distinct, rigorous views of cryptography have developed over the years, in two mostly separate communities. One of the views relies on a simple but effective formal approach; the other, on a detailed computational model that considers issues of complexity and probability. ..."
Abstract

Cited by 378 (11 self)
 Add to MetaCart
Two distinct, rigorous views of cryptography have developed over the years, in two mostly separate communities. One of the views relies on a simple but effective formal approach; the other, on a detailed computational model that considers issues of complexity and probability.
Mobile Values, New Names, and Secure Communication
, 2001
"... We study the interaction of the "new" construct with a rich but common form of (firstorder) communication. This interaction is crucial in security protocols, which are the main motivating examples for our work; it also appears in other programminglanguage contexts. Specifically, we intro ..."
Abstract

Cited by 372 (17 self)
 Add to MetaCart
We study the interaction of the "new" construct with a rich but common form of (firstorder) communication. This interaction is crucial in security protocols, which are the main motivating examples for our work; it also appears in other programminglanguage contexts. Specifically, we introduce a simple, general extension of the pi calculus with value passing, primitive functions, and equations among terms. We develop semantics and proof techniques for this extended language and apply them in reasoning about some security protocols.
Secrecy by Typing in Security Protocols
 Journal of the ACM
, 1998
"... We develop principles and rules for achieving secrecy properties in security protocols. Our approach is based on traditional classification techniques, and extends those techniques to handle concurrent processes that use sharedkey cryptography. The rules have the form of typing rules for a basic co ..."
Abstract

Cited by 273 (10 self)
 Add to MetaCart
(Show Context)
We develop principles and rules for achieving secrecy properties in security protocols. Our approach is based on traditional classification techniques, and extends those techniques to handle concurrent processes that use sharedkey cryptography. The rules have the form of typing rules for a basic concurrent language with cryptographic primitives, the spi calculus. They guarantee that, if a protocol typechecks, then it does not leak its secret inputs.
Protocol insecurity with finite number of sessions is NPcomplete
 Theoretical Computer Science
, 2001
"... We investigate the complexity of the protocol insecurity problem for a finite number of sessions (fixed number of interleaved runs). We show that this problem is NPcomplete with respect to a DolevYao model of intruders. The result does not assume a limit on the size of messages and supports nonat ..."
Abstract

Cited by 185 (12 self)
 Add to MetaCart
We investigate the complexity of the protocol insecurity problem for a finite number of sessions (fixed number of interleaved runs). We show that this problem is NPcomplete with respect to a DolevYao model of intruders. The result does not assume a limit on the size of messages and supports nonatomic symmetric encryption keys. We also prove that in order to build an attack with a fixed number of sessions the intruder needs only to forge messages of linear size, provided that they are represented as dags.
Constraint Solving for BoundedProcess Cryptographic Protocol Analysis
 CCS'01
, 2001
"... The reachability problem for cryptographic protocols with nonatomic keys can be solved via a simple constraint satisfaction procedure. ..."
Abstract

Cited by 176 (3 self)
 Add to MetaCart
The reachability problem for cryptographic protocols with nonatomic keys can be solved via a simple constraint satisfaction procedure.
Inductive analysis of the internet protocol TLS
 ACM Trans. Inf. Syst. Secur
, 1999
"... Internet browsers use security protocols to protect sensitive messages. An inductive analysis of TLS (a descendant of SSL 3.0) has been performed using the theorem prover Isabelle. Proofs are based on higherorder logic and make no assumptions concerning beliefs or flniteness. All the obvious securi ..."
Abstract

Cited by 131 (16 self)
 Add to MetaCart
(Show Context)
Internet browsers use security protocols to protect sensitive messages. An inductive analysis of TLS (a descendant of SSL 3.0) has been performed using the theorem prover Isabelle. Proofs are based on higherorder logic and make no assumptions concerning beliefs or flniteness. All the obvious security goals can be proved; session resumption appears to be secure even if old session keys have been compromised. The proofs suggest minor changes to simplify the analysis. TLS, even at an abstract level, is much more complicated than most protocols that researchers have verifled. Session keys are negotiated rather than distributed, and the protocol has many optional parts. Nevertheless, the resources needed to verify TLS are modest: six manweeks of efiort and three minutes of processor time.
How to prevent type flaw attacks on security protocols
 In 13th IEEE Computer Security Foundations Workshop — CSFW’00
, 2000
"... A type flaw attack on a security protocol is an attack where a field that was originally intended to have one type is subsequently interpreted as having another type. A number of type flaw attacks have appeared in the academic literature. In this paper we prove that type flaw attacks can be prevente ..."
Abstract

Cited by 119 (3 self)
 Add to MetaCart
(Show Context)
A type flaw attack on a security protocol is an attack where a field that was originally intended to have one type is subsequently interpreted as having another type. A number of type flaw attacks have appeared in the academic literature. In this paper we prove that type flaw attacks can be prevented using a simple technique of tagging each field with some information indicating its intended type. 1
Strand Spaces: Proving Security Protocols Correct
, 1999
"... A strand is a sequence of events; it represents either an execution by a legitimate party in a security protocol or else a sequence of actions by a penetrator. A strand space is a collection of strands, equipped with a graph structure generated by causal interaction. In this framework, protocol corr ..."
Abstract

Cited by 113 (10 self)
 Add to MetaCart
A strand is a sequence of events; it represents either an execution by a legitimate party in a security protocol or else a sequence of actions by a penetrator. A strand space is a collection of strands, equipped with a graph structure generated by causal interaction. In this framework, protocol correctness claims may be expressed in terms of the connections between strands of different kinds. Preparing for a
Deciding knowledge in security protocols under equational theories
 In Proc. 31st International Colloquium on Automata, Languages and Programming (ICALP’04), volume 3142 of LNCS
, 2004
"... Abstract. The analysis of security protocols requires precise formulations of the knowledge of protocol participants and attackers. In formal approaches, this knowledge is often treated in terms of message deducibility and indistinguishability relations. In this paper we study the decidability of th ..."
Abstract

Cited by 109 (9 self)
 Add to MetaCart
Abstract. The analysis of security protocols requires precise formulations of the knowledge of protocol participants and attackers. In formal approaches, this knowledge is often treated in terms of message deducibility and indistinguishability relations. In this paper we study the decidability of these two relations. The messages in question may employ functions (encryption, decryption, etc.) axiomatized in an equational theory. Our main positive results say that, for a large and useful class of equational theories, deducibility and indistinguishability are both decidable in polynomial time. 1