Breaking and fixing the Needham-Schroeder Public-Key Protocol using FDR

Lowe, Gavin

doi:10.1007/3-540-61042-1_43

Cited by 755 publications

(678 citation statements)

References 9 publications

Supporting

Mentioning

674

Contrasting

Unclassified

Order By: Relevance

“…Indeed, any enrichment in the symbolic model would translate to an analogous enrichment in the definition of simple protocols, while preserving the validity of the treatment.) We note that, while restricted, this format is still very meaningful; in particular, it allows expressing known 'benchmark' protocols such as several variants of the Needham-Schroeder-Lowe (NSL) protocol [47,35,36], and the Dwork-Dolev-Naor [23] protocol.…”

Section: Generalmentioning

confidence: 99%

See 1 more Smart Citation

Universally Composable Symbolic Analysis of Mutual Authentication and Key-Exchange Protocols

Canetti¹,

Herzog

2006

Theory of Cryptography

104

121

View full text Add to dashboard Cite

Abstract. Symbolic analysis of cryptographic protocols is dramatically simpler than full-fledged cryptographic analysis. In particular, it is simple enough to be automated. However, symbolic analysis does not, by itself, provide any cryptographic soundness guarantees. Following recent work on cryptographically sound symbolic analysis, we demonstrate how Dolev-Yao style symbolic analysis can be used to assert the security of cryptographic protocols within the universally composable (UC) security framework. Consequently, our methods enable security analysis that is completely symbolic, and at the same time cryptographically sound with strong composability properties.More specifically, we concentrate on mutual authentication and keyexchange protocols. We restrict attention to protocols that use publickey encryption as their only cryptographic primitive and have a specific restricted format. We define a mapping from such protocols to Dolev-Yao style symbolic protocols, and show that the symbolic protocol satisfies a certain symbolic criterion if and only if the corresponding cryptographic protocol is UC-secure. For mutual authentication, our symbolic criterion is similar to the traditional Dolev-Yao criterion. For key exchange, we demonstrate that the traditional Dolev-Yao style symbolic criterion is insufficient, and formulate an adequate symbolic criterion.Finally, to demonstrate the viability of our treatment, we use an existing tool to automatically verify whether some prominent key-exchange protocols are UC-secure.

show abstract

Section: Generalmentioning

confidence: 99%

“…Indeed, protocol analysis in these models is much simpler, more mechanical, and amenable to automation (see e.g. [36,39,53,46,11]). These are desirable properties when attempting to analyze large-scale systems.…”

Section: Introductionmentioning

confidence: 99%

Universally Composable Symbolic Analysis of Mutual Authentication and Key-Exchange Protocols

Canetti¹,

Herzog

2006

Theory of Cryptography

104

121

View full text Add to dashboard Cite

show abstract

“…Possible approaches generally used in the verification of cryptographic protocols are model-checking ( [Low96], [BMV03]) or interactive verification ( [Pau98], [Eva03]). Paulson's inductive approach has proven to be especially powerful by tackling complex industrial protocols ( [Pau01]).…”

Section: A Security Model For Mondex Pursesmentioning

confidence: 99%

The Mondex Challenge: Machine Checked Proofs for an Electronic Purse

Schellhorn

Grandy

Haneberg

et al. 2006

FM 2006: Formal Methods

View full text Add to dashboard Cite

Abstract. The Mondex case study about the specification and refinement of an electronic purse as defined in [SCJ00] has recently been proposed as a challenge for formal system-supported verification. This paper reports on the successful verification of the major part of the case study using the KIV specification and verification system. We demonstrate that even though the hand-made proofs were elaborated to an enormous level of detail we still could find small errors in the underlying data refinement theory as well as the formal proofs of the case study. We also provide an alternative formalisation of the communication protocol using abstract state machines. Finally the Mondex case study verifies functional correctness assuming a suitable security protocol. Therefore we propose to extend the case study to include the verification of a suitable security protocol.

show abstract

“…For example, the non-injective agreement property [21]: "For certain data items ds, if each time a principal B completes a run of the protocol as responder using ds, apparently with A, then there is a unique run of the protocol with the principal A as initiator using ds, apparently with B." The generated protocols could be re-analysed using more sophisticated protocol analysis tools, such as the NRL Analyzer [23], the Interrogator model [24], FDR [20], Murϕ [25], Athena [33]. In this case, the Protocol Selector of ASPB would be used to narrow down the set of candidate protocols to be verified.…”

Section: The Protocol Selectormentioning

confidence: 99%

“…The heuristics are also augmented by extending protocol selection/design strategies [16,21,22] in order to restrict the generated protocols to a collection of candidate protocols that are likely to be secure. While the collection of candidate protocols are secure under the BSW-ZF logic, the intention is that more sophisticated protocol analysis tools, such as [20,[23][24][25], are then used to select appropriate protocols from the collection.…”

Section: Introductionmentioning

confidence: 99%

Fast automatic security protocol generation

Hong-bin

Foley

2012

JCS

View full text Add to dashboard Cite

An automatic security protocol generator is described that uses logic-based heuristic rules to guide it in a backward search for suitable protocols from protocol goals. The approach taken is unlike existing automatic protocol generators which typically carry out a forward search for candidate protocols from the protocol assumptions. A prototype generator has been built that performs well in the automatic generation of authentication and key exchange protocols.

show abstract

Breaking and fixing the Needham-Schroeder Public-Key Protocol using FDR

Cited by 755 publications

References 9 publications

Universally Composable Symbolic Analysis of Mutual Authentication and Key-Exchange Protocols

Universally Composable Symbolic Analysis of Mutual Authentication and Key-Exchange Protocols

The Mondex Challenge: Machine Checked Proofs for an Electronic Purse

Fast automatic security protocol generation

Contact Info

Product

Resources

About