An Encapsulated Authentication Logic for Reasoning about Key Distribution Protocols

Cervesato, Iliano; Meadows, Catherine; Pavlović, Duško

doi:10.1109/csfw.2005.7

Cited by 34 publications

(46 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The main difference between our runs and bundles is that in the present framework, the variables can be used to follow the execution of the run, and track the data as it flows through it. 3 Execution The above definition falls short of capturing the intuitive notion of a run as a snapshot of the execution of a protocol. Indeed, while our runs correctly map receives to sends, they do not ensure that variables are properly handled.…”

Section: Execution Modelmentioning

confidence: 99%

Deriving Key Distribution Protocols and their Security Properties

Cervesato

Meadows

Pavlović

2006

View full text Add to dashboard Cite

We apply the derivational method of protocol verification to key distribution protocols. This method assembles the security properties of a protocol by composing the guarantees offered by embedded fragments and patterns. It has shed light on fundamental notions such as challenge-response and fed a growing taxonomy of protocols. Here, we similarly capture the essence of key distribution, authentication timestamps and key confirmation. With these building blocks, we derive the authentication properties of the Needham-Schroeder shared-key and the Denning-Sacco protocols, and of the cores of Kerberos 4 and 5.The main results of this research were obtained in 2003-04 and appeared in [3]. The present document collects proofs omitted for space reasons and unpublished background material.Cervesato was partially supported by ONR under Grant N000149910150; significant portions of this work were completed while he was at Tulane University. Pavlovic was supported by ONR N00014-03-C-0237 and by NSF CCR-0345397. Report Documentation Page Form Approved OMB No. 0704-0188Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number.

show abstract

Section: Execution Modelmentioning

confidence: 99%

Deriving Key Distribution Protocols and their Security Properties

Cervesato

Meadows

Pavlović

2006

View full text Add to dashboard Cite

show abstract

“…In the symbolic model, protocol execution and the possible actions of an attacker are characterized using a symbolic model of computation that allows nondeterminism but does not incorporate probability or computational complexity bounds. In addition to many model checking and bug-finding efforts, there have been some significant correctness proofs carried using the symbolic model, including mechanically checked formal proofs [13,14], unformalized but mathematical proofs about a multiset rewriting model [15][16][17], and work using compositional formal logic approaches [18][19][20][21][22]. Several groups of researchers have taken steps to connect the symbolic model to the probabilistic polynomial-time computational model used in cryptographic studies, e.g., [23-29, 3, 4, 30].…”

Section: Introductionmentioning

confidence: 99%

Analysis of EAP-GPSK Authentication Protocol

Mitchell

Rowe

Scedrov

2008

Applied Cryptography and Network Security

View full text Add to dashboard Cite

Abstract. The EAP-GPSK protocol is a lightweight, flexible authentication protocol relying on symmetric key cryptography. It is part of an ongoing IETF process to develop authentication methods for the EAP framework. We analyze the protocol and find three weaknesses: a repairable Denial-of-Service attack, an anomaly with the key derivation function used to create a short-term master session key, and a ciphersuite downgrading attack. We propose fixes to these anomalies, and use a finite-state verification tool to search for remaining problems after making these repairs. We then prove the fixed version correct using a protocol verification logic. We discussed the attacks and our suggested fixes with the authors of the specification document which has subsequently been modified to include our proposed changes.

show abstract

“…Originally, it included signatures as well, but for simplicity, we leave that out from this analysis. BPL was defined to give a simple formulation of a core part of the protocol logics (PCL) of [16,12,11] for proving some aimed properties in the sense of [25,22] within the framework of first order logic; all notions and assumptions are strictly formulated by the first order logical language explicitly. Contrary to PCL, in BPL there are no explicit encrypt, decrypt, match actions, only nonce generation, send and receive.…”

Section: Introductionmentioning

confidence: 99%

Computational Semantics for First-Order Logical Analysis of Cryptographic Protocols

Bana

Hasebe

Okada

2009

Formal to Practical Security

View full text Add to dashboard Cite

Abstract. This paper is concerned about relating formal and computational models of cryptography in case of active adversaries when formal security analysis is done with first order logic As opposed to earlier treatments, we introduce a new, fully probabilistic method to assign computational semantics to the syntax. The idea is to make use of the usual mathematical treatment of stochastic processes, hence be able to treat arbitrary probability distributions, non-negligible probability of collision, causal dependence or independence, and so on. We present this via considering a simple example of such a formal model, the Basic Protocol Logic by K. Hasebe and M. Okada [20], but we think the technique is suitable for a wide range of formal methods for protocol correctness proofs. We first review our framework of proof-system, BPL, for proving correctness of authentication protocols, and provide computational semantics. Then we give a full proof of the soundness theorem. We also comment on the differences of our method and that of Computational PCL.

show abstract

An Encapsulated Authentication Logic for Reasoning about Key Distribution Protocols

Abstract: Abstract

Cited by 34 publications

References 15 publications

Deriving Key Distribution Protocols and their Security Properties

Deriving Key Distribution Protocols and their Security Properties

Analysis of EAP-GPSK Authentication Protocol

Computational Semantics for First-Order Logical Analysis of Cryptographic Protocols

Contact Info

Product

Resources

About