Results 1-10 of 24
Deciding security of protocols against offline guessing attacks
In Proc. 12th ACM Conference on Computer and Communications Security (CCS'05), 2005
Abstract

Cited by 72 (4 self)
We provide an effective procedure for deciding the existence of offline guessing attacks on security protocols, for a bounded number of sessions. The procedure consists of a constraint solving algorithm for determining satisfiability and equivalence of a class of second-order E-unification problems, where the equational theory E is presented by a convergent subterm rewriting system. To the best of our knowledge, this is the first decidability result to use the generic definition of offline guessing attacks due to Corin et al. based on static equivalence in the applied pi calculus.
Guessing attacks and the computational soundness of static equivalence
In Proc. 9th International Conference on Foundations of Software Science and Computation Structures (FoSSaCS'06), volume 3921 of LNCS, 2006
A theory of dictionary attacks and its complexity
17th IEEE Computer Security Foundations Workshop, 2004
Abstract

Cited by 18 (1 self)
We consider the problem of automating proofs of cryptographic protocols when some data, like poorly chosen passwords, can be guessed by dictionary attacks. First, we define a theory of these attacks: we introduce an inference system modeling the guessing capabilities of an intruder. This system extends the classical Dolev-Yao rules. Using proof rewriting techniques, we show a locality lemma for our inference system which yields the PTIME-completeness of the deduction problem. This result is lifted to the simultaneous solving of intruder deduction constraints with variables. Constraint solving is the basis of an NP algorithm for the protocol insecurity problem in the presence of dictionary attacks, assuming a bounded number of sessions. This extends the classical NP-completeness result for the Dolev-Yao model. We illustrate the procedure with examples of published protocols. The model and decision algorithm have been validated on some examples in a prototype implementation.
A formalization of offline guessing for security protocol analysis
LPAR 2004, LNCS (LNAI), 2005
Abstract

Cited by 12 (4 self)
Guessing, or dictionary, attacks arise when an intruder exploits the fact that certain data like passwords may have low entropy, i.e. stem from a small set of values. In the case of offline guessing, in particular, the intruder may employ guessed values to analyze the messages he has observed. Previous attempts at formalizing offline guessing consist of extending a Dolev-Yao-style intruder model with inference rules to capture the additional capabilities of the intruder concerning guessable messages. While it is easy to convince oneself that the proposed rules are correct, in the sense that an intruder can actually perform such "guessing steps", it is difficult to see whether such a system of inference rules is complete in the sense that it captures all the kinds of attacks that we would intuitively call "guessing attacks". Moreover, the proposed systems are specialized to particular sets of cryptographic primitives and intruder capabilities. As a consequence, these systems are helpful to discover some offline guessing attacks but are not fully appropriate for formalizing what offline guessing precisely means and verifying that a given protocol is not vulnerable to such guessing attacks. In this paper, we give a formalization of offline guessing by defining a deduction system that is uniform and general in that it is independent of the overall protocol model and of the details of the considered intruder model, i.e. cryptographic primitives, algebraic properties, and intruder capabilities.
Composition of Password-based Protocols
Abstract

Cited by 10 (3 self)
We investigate the composition of protocols that share a common secret. This situation arises when users employ the same password on different services. More precisely, we study whether resistance against guessing attacks composes when the same password is used. We model guessing attacks using a common definition based on static equivalence in a cryptographic process calculus close to the applied pi calculus. We show that resistance against guessing attacks composes in the presence of a passive attacker. However, composition does not preserve resistance against guessing attacks for an active attacker. We therefore propose a simple syntactic criterion under which we show this composition to hold. Finally, we present a protocol transformation that ensures this syntactic criterion and preserves resistance against guessing attacks.
Analysing the vulnerability of protocols to produce known-pair and chosen-text attacks
, 2004
Password-based encryption analyzed
In Proc. 32nd International Colloquium on Automata, Languages and Programming (ICALP'05), volume 3580 of LNCS, 2005
Abstract

Cited by 7 (2 self)
The use of passwords in security protocols is particularly delicate because of the possibility of offline guessing attacks. We study password-based protocols in the context of a recent line of research that aims to justify symbolic models in terms of more concrete, computational ones. We offer two models for reasoning about the concurrent use of symmetric, asymmetric, and password-based encryption in protocol messages. In each of the models we define a notion of equivalence between messages and also characterize when passwords are used securely in a message or in a set of messages. Our new definition for the computational security of password-based encryption may be of independent interest. The main results of this paper are two soundness theorems. We show that under certain (standard) assumptions about the computational implementation of the cryptographic primitives, symbolic equivalence implies computational equivalence. More importantly, we prove that symbolically secure uses of passwords are also computationally secure.
Finite models for formal security proofs
Journal of Computer Security, 2009
Abstract

Cited by 5 (1 self)
First-order logic models of security for cryptographic protocols, based on variants of the Dolev-Yao model, are now well-established tools. Given that we have checked a given security protocol π using a given first-order prover, how hard is it to extract a formally checkable proof of it, as required in, e.g., Common Criteria at the highest evaluation level (EAL7)? We demonstrate that this is surprisingly hard in the general case: the problem is non-recursive. Nonetheless, we show that we can instead extract finite models M from a set S of clauses representing π, automatically, and give two ways of doing so. We then define a model-checker testing M ⊨ S, and show how we can instrument it to output a formally checkable proof, e.g., in Coq. Experience on a number of protocols shows that this is practical, and that even complex (secure) protocols modulo equational theories have small finite models, making our approach suitable.
A calculus to detect guessing attacks
Abstract

Cited by 4 (2 self)
We present a calculus for detecting guessing attacks, based on oracles that instantiate cryptographic functions. Adversaries can observe oracles, or control them either online or offline. These relations can be established by protocol analysis in the presence of a Dolev-Yao intruder, and the derived guessing rules can be used together with standard intruder deductions. Our rules also handle partial verifiers that fit more than one secret. We show how to derive a known weakness in the Anderson-Lomas protocol, and new vulnerabilities for a known faulty ATM system.

1 Introduction and related work
Analyzing vulnerability to guessing attacks is of high practical relevance. A value is deemed guessable if it has small entropy (is chosen from a small cardinality set), and the guess can be verified. An adversary can perform guessing by offline computation, or online, exploiting the interaction with honest participants.
Automatic analysis of distance bounding protocols
State University, 2009
Abstract

Cited by 2 (0 self)
Distance bounding protocols are used by nodes in wireless networks for the crucial purpose of estimating their distances to other nodes. Past efforts to analyze these protocols have only been manual. In this paper, we use the constraint solver tool to automatically analyze distance bounding protocols: we first formulate a new trace property called Secure Distance Bounding (SDB) that protocol executions must satisfy. We then classify the scenarios in which these protocols can operate, considering the (dis)honesty of nodes and the location of the attacker in the network. Finally, we extend the constraint solver tool so that it can be used to test protocols for violations of SDB in those scenarios and illustrate our technique on several examples.