Formal veriﬁcation of the YubiKey and YubiHSM APIs in Maude-NPA

González-Burgueño, Antonio; Aparicio-Sánchez, Damián; Escobar, Santiago; Meadows, Catherine; Meseguer, José

doi:10.29007/c4xk

Cited by 3 publications

(3 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The Maude-NPA protocol analyzer has already been tested with various protocols using associative operators without encountering any incompleteness warnings (see[68]). 17 The iter, or iterated operator, theory is a built-in mechanism that allows the efficient input, output, and manipulation of very large stacks of a unary operator, see[24].…”

mentioning

confidence: 99%

Programming and symbolic computation in Maude

Durán

Eker

Escobar

et al. 2020

Journal of Logical and Algebraic Methods in Programming

Self Cite

View full text Add to dashboard Cite

Rewriting logic is both a flexible semantic framework within which widely different concurrent systems can be naturally specified and a logical framework in which widely different logics can be specified. Maude programs are exactly rewrite theories. Maude has also a formal environment of verification tools. Symbolic computation is a powerful technique for reasoning about the correctness of concurrent systems and for increasing the power of formal tools. We present several new symbolic features of Maude that enhance formal reasoning about Maude programs and the effectiveness of formal tools. They include: (i) very general unification modulo user-definable equational theories, and (ii) symbolic reachability analysis of concurrent systems using narrowing. The paper does not focus just on symbolic features: it also describes several other new Maude features, including: (iii) Maude's strategy language for controlling rewriting, and (iv) external objects that allow flexible interaction of Maude object-based concurrent systems with the external world. In particular, metainterpreters are external objects encapsulating Maude interpreters that can interact with many other objects. To make the paper self-contained and give a reasonably complete language overview, we also review the basic Maude features for equational rewriting and rewriting with rules, Maude programming of concurrent object systems, and reflection. Furthermore, we include many examples illustrating all the Maude notions and features described in the paper.

show abstract

mentioning

confidence: 99%

Programming and symbolic computation in Maude

Durán

Eker

Escobar

et al. 2020

Journal of Logical and Algebraic Methods in Programming

Self Cite

View full text Add to dashboard Cite

show abstract

“…In summary, nothing has changed for properties (b) and (c), and property (e) can now be carried out by Tamarin using a lemma. However, our automated analysis [63] was done before [45] appeared.…”

Section: Experiments Using Tamarinmentioning

confidence: 99%

“…We checked that the latest version of Tamarin was able to find the corresponding attack of the new specification of propery (e), though our automated analysis in Maude-NPA was done [63] before [45] appeared.…”

Section: Experiments Using Tamarinmentioning

confidence: 99%

Modeling and Analysis of Advanced Cryptographic Primitives and Security Protocols in Maude-NPA

Sánchez¹

View full text Add to dashboard Cite

The Maude-NPA crypto tool is a specialized model checker for cryptographic security protocols that take into account the algebraic properties of the cryptosystem. In the literature, additional crypto properties have uncovered weaknesses of security protocols and, in other cases, they are part of the protocol security assumptions in order to function properly. Maude-NPA has a theoretical basis on rewriting logic, equational unification, and narrowing to perform a backwards search from an insecure state pattern to determine whether or not it is reachable. Maude-NPA can be used to reason about a wide range of cryptographic properties, including cancellation of encryption and decryption, Diffie-Hellman exponentiation, exclusive-or, and some approximations of homomorphic encryption.In this thesis, we consider new cryptographic properties, either as part of security protocols or to discover new attacks. We have also modeled different families of security protocols, including Distance Bounding Protocols or Multiparty key agreement protocols. And we have developed new protocol modeling techniques to reduce the time and space analysis effort. This thesis contributes in several ways to the area of cryptographic protocol analysis and many of the contributions of this thesis can be useful for other crypto analysis tools.The Diffie-Hellman key exchange protocol of Section 1.1.3 is the earliest practical example of a public key agreement protocol implemented within the field of cryptography. The Diffie-Hellman key exchange algorithm allows two parties that have no prior knowledge of each other to jointly establish a shared secret key over an insecure channel. The protocol is described in Alice & Bob notation as follows where we remark the shared key between participants:A multi-party key establishment can be seen as a generalization of a twoparty key establishment. They are different versions of Diffie-Hellman key agreement that can negotiate a key shared by two or more participants. In the case of three honest participants in an insecure channel, a malicious participant can only see g a , g b , g c ,These honest participants have different options for choosing the order in which they contribute to the key. In the case of four honest participants, the protocol is as follows:In Chapter 3, we specify several three-party key agreement protocols where each protocol creates a shared secret key different from the three-party Diffie-Hellman. The STR protocol uses nested exponentiations. The Joux protocolThis protocol assumes the equational theory DH-CFVP above and its constructor sub-theory DH-SubCFVP. The expression X a computed by Alice is transformed into g a•N using X → g N . The transformed version of the protocol is as follows:where variables X and Y before were of sort Exp and here variables Ny and Nx are of sort ElemSet. In Chapter 3, the cryptography theories of all the analyzed protocols include constructor symbols, all the protocols have been transformed and the variant equations are no longer necessary.

show abstract