From protocol specifications to flaws and attack scenarios: an automatic and formal algorithm

Debbabi, Mourad; Mejre, M.; Tawbi, Nadia; Yahmadi, I.

doi:10.1109/enabl.1997.630823

Cited by 16 publications

(16 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We express by M ⊒ m the fact ∃m ′ ∈ M. m ′ ⊒ m + Let p be a protocol, we denote by R G (p) the set of the generalized roles of p. A generalized role is a protocol abstraction where the emphasis is put on a specific agent and where every unknown message by that agent and on which he cannot perform any verification is replaced by a variable. Further details on the role-based specification are available in [12]- [14]. We denote by M G p the set of messages (ground terms and terms with variables) generated by R G (p), by M p the set of messages that are ground terms generated by substitution in the messages of M G p .…”

Section: Notationsmentioning

confidence: 99%

Secrecy by witness-functions under equational theories

Fattahi

Mejri

2015

2015 7th International Conference on Electronics, Computers and Artificial Intelligence (ECAI)

View full text Add to dashboard Cite

Abstract-In this paper, we use the witness-functions to analyze cryptographic protocols for secrecy under nonempty equational theories. The witness-functions are safe metrics used to compute security. An analysis with a witness-function consists in making sure that the security of every atomic message does not decrease during its lifecycle in the protocol. The analysis gets more difficult under nonempty equational theories. Indeed, the intruder can take advantage of the algebraic properties of the cryptographic primitives to derive secrets. These properties arise from the use of mathematical functions, such as multiplication, addition, exclusive-or or modular exponentiation in the cryptosystems and the protocols. Here, we show how to use the witness-functions under nonempty equational theories and we run an analysis on the Needham-Schroeder-Lowe protocol under the cipher homomorphism. This analysis reveals that although this protocol is proved secure under the perfect encryption assumption, its security collapses under the homomorphic primitives. We show how the witness-functions help to illustrate an attack scenario on it and we propose an amended version to fix it.

show abstract

Section: Notationsmentioning

confidence: 99%

Secrecy by witness-functions under equational theories

Fattahi

Mejri

2015

2015 7th International Conference on Electronics, Computers and Artificial Intelligence (ECAI)

View full text Add to dashboard Cite

show abstract

“…An exponent i (the session identifier) is added to each fresh message to emphasize that these components change their values from one run to another. More details about the role-based specification are in [15]- [18]. + A valid trace is an interleaving of instantiated generalized roles where each message sent by the intruder can be produced by her using her capacity and the previous received messages.…”

Section: A Notationsmentioning

confidence: 99%

“…In [11]- [14], Houmani et al proposed universal functions, named interpretation functions, as metrics to calculate the security of messages. These functions are based on selections under the protection of the direct key of encryption and operate in a role-based specification [15]- [18]. An interpretation function must satisfy to some conditions before being certified reliable for protocol analysis.…”

Section: Introductionmentioning

confidence: 99%

Introduction to the Witness-Functions for Secrecy in Cryptographic Protocols

Fattahi¹,

Mejri²,

Houmani³

2015

IJMO

View full text Add to dashboard Cite

Abstract-In this paper, we examine the property of secrecy in cryptographic protocols from the angle of the growth of the protocol. Intuitively, an increasing protocol preserves the secret. For that, we need functions to estimate the security of messages. Here, we give relaxed conditions on the functions and on the protocol and we prove that an increasing protocol is correct when analyzed with functions that meet these conditions. Then, we shortly introduce the witness-functions to analyze protocols for secrecy IndexTerms-Cryptographic protocol, role-based specification, secrecy.

show abstract

“…If a protocol is designed that way, we can conclude that it is secure with respect to confidentiality. A witness-function bases its calculation fully on the static part of a message (static neighborhood) in a role-based specification [26], [33], [34] and ignores the dynamic one (dynamic neighborhood) by construction. It provides two elegant and practical bounds that enable to analyze a protocol on an unbounded number of sessions and with no restriction on the size of valid traces.…”

Section: Introductionmentioning

confidence: 99%

Ensuring Confidentiality in Cryptographic Protocols with the Witness-Functions

Fattahi¹,

Mejri²,

Miraoui³

et al. 2015

IJCCE

View full text Add to dashboard Cite

Abstract:In this paper, we present a new framework to verify cryptographic protocols statically for the property of confidentiality using the witness-functions. A witness-function is a reliable metric able to prove confidentiality in a cryptographic protocol by measuring security in it. Here, we present the theory of witness-functions and we run an analysis on the flawed version of the Woo-Lam protocol using one of these metrics.

show abstract

From protocol specifications to flaws and attack scenarios: an automatic and formal algorithm

Cited by 16 publications

References 4 publications

Secrecy by witness-functions under equational theories

Secrecy by witness-functions under equational theories

Introduction to the Witness-Functions for Secrecy in Cryptographic Protocols

Ensuring Confidentiality in Cryptographic Protocols with the Witness-Functions

Contact Info

Product

Resources

About