Casper: a compiler for the analysis of security protocols

Lowe, Gavin

doi:10.1109/csfw.1997.596779

Cited by 256 publications

(177 citation statements)

References 19 publications

Supporting

Mentioning

177

Contrasting

Order By: Relevance

“…An identical interface is also an important precondition for reactive simulatability, i.e., the security notion. One can see protocol descriptions over this interface as a low-level symbolic representation as they exist in several other frameworks, and it should be possible to compile higher-level descriptions into it following the ideas first developed in [24]. The local names are called handles and chosen as successive natural numbers for simplicity.…”

Section: Abstraction From Probabilism and Participant Knowledgementioning

confidence: 99%

Symmetric authentication in a simulatable Dolev–Yao-style cryptographic library

2005

View full text Add to dashboard Cite

Tool-supported proofs of security protocols typically rely on abstractions from real cryptography by term algebras, so-called Dolev-Yao models. However, until recently it was not known whether a Dolev-Yao model could be implemented with real cryptography in a provably secure way under active attacks. For public-key encryption and signatures, this was recently shown, if one accepts a few additions to a typical Dolev-Yao model such as an operation that returns the length of a term.Here we extend this Dolev-Yao-style model, its realization, and the security proof to include a first symmetric primitive message authentication. This adds a major complication: we must deal with the exchange of secret keys. For symmetric authentication, we can allow this at any time, before or after the keys are first used for authentication, while working only with standard cryptographic assumptions.

show abstract

Section: Abstraction From Probabilism and Participant Knowledgementioning

confidence: 99%

Symmetric authentication in a simulatable Dolev–Yao-style cryptographic library

2005

View full text Add to dashboard Cite

show abstract

“…Alternatively, time is allowed to pass without changing the state of the specification. The compiler Casper [12] produces CSP models of security protocols from more abstract descriptions. Much of the above model was produced using Casper.…”

Section: Specification Processesmentioning

confidence: 99%

Analysing a stream authentication protocol using model checking

Hopcroft

Lowe

2004

IJIS

View full text Add to dashboard Cite

In this paper, we consider how one can analyse a stream authentication protocol using model checking techniques. In particular, we will be focusing on the Timed Efficient Stream Loss-tolerant Authentication Protocol, TESLA. This protocol differs from the standard class of authentication protocols previously analysed using model checking techniques in the following interesting way: an unbounded stream of messages is broadcast by a sender, making use of an unbounded stream of keys; the authentication of the n-th message in the stream is achieved on receipt of the n + 1-th message. We show that, despite the infinite nature of the protocol, it is possible to build a finite model that correctly captures its behaviour.

show abstract

“…To verify the protocol, we use a form of formal methods approach based on Casper/FDR tool [17]. The Casper tool accepts an abstract, human-friendly description of the system and compiles it into CSP code, suitable for the FDR [13] checker.…”

Section: Verifying Security Protocols Using Formal Methods and Caspermentioning

confidence: 99%

“…The Aliveness assertion checks the availability of the participants, e.g., the first Aliveness check Aliveness (EP, M) states that when M completes a run of the protocol, apparently with EP, then EP has previously been running the same protocol. Note that EP may have thought he was running the protocol with someone other than M [17]. A stronger definition of the above Aliveness is specified by the Weak Agreement, for instance WeakAgreement (EP,M) assertion could be interpreted as follows: if M has completed a run of the protocol with EP, then EP has previously been running the protocol, apparently with M. Generally, failing to meet the WeakAgreement assertions implies the failure to meet the Aliveness ones.…”

Section: The Formal Verification Of the Mobile Ethernet Protocolmentioning

confidence: 99%

See 1 more Smart Citation

A formally verified AKA protocol for vertical handover in heterogeneous environments using Casper/FDR

Aiash

Mapp

Lasebae

et al. 2012

J Wireless Com Network

View full text Add to dashboard Cite

Next generation networks will comprise different wireless networks including cellular technologies, WLAN and indoor technologies. To support these heterogeneous environments, there is a need to consider a new design of the network infrastructure. Furthermore, this heterogeneous environment implies that future devices will need to roam between different networks using vertical handover techniques. When a mobile user moves into a new foreign network, data confidentiality and mutual authentication between the user and the network are vital issues in this heterogeneous environment. This article deals with these issues by first examining the implication of moving towards an open architecture, and then looking at how current approaches such as the 3GPP, HOKEY and mobile ethernet respond to the new environment while trying to address the security issue. The results indicate that a new authentication and key agreement protocol is required to secure handover in this environment. Casper/ FDR, is used in the analysis and development of the protocol. The proposed protocol has been proven to be successful in this heterogeneous environment.

show abstract

Casper: a compiler for the analysis of security protocols

Cited by 256 publications

References 19 publications

Symmetric authentication in a simulatable Dolev–Yao-style cryptographic library

Symmetric authentication in a simulatable Dolev–Yao-style cryptographic library

Analysing a stream authentication protocol using model checking

A formally verified AKA protocol for vertical handover in heterogeneous environments using Casper/FDR

Contact Info

Product

Resources

About