Multiset rewriting and the complexity of bounded security protocols

Durgin, Nancy Ann; Lincoln, Patrick; Mitchell, John C.; Scedrov, Andre

doi:10.3233/jcs-2004-12203

Cited by 204 publications

(316 citation statements)

References 59 publications

Supporting

Mentioning

309

Contrasting

Unclassified

Order By: Relevance

“…While many complexity results are known for trace properties [DLM04,RT03], the case of behavioural equivalences remains mostly open. When the attacker is an eavesdropper and cannot interact with the protocol, the indistinguishability problem-static equivalence-has been shown ptime for large classes of cryptographic primitives [AC06,CDK12,CBC10].…”

Section: Related Workmentioning

confidence: 99%

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Cheval

Kremer

Rakotonirina

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

We study the automated verification of behavioural equivalences in the applied pi calculus, an essential problem in formal, symbolic analysis of cryptographic protocols. We establish new complexity results for static equivalence, trace equivalence and labelled bisimilarity and propose a new decision procedure for these equivalences. Our procedure is the first tool to decide trace equivalence and labelled bisimilarity exactly for a family of equational theories, namely those that can be represented by a subterm convergent destructor rewrite system. Finally, we implement the procedure in a new tool, called Deepsec and demonstrate the applicability of the tool on several case studies.

show abstract

Section: Related Workmentioning

confidence: 99%

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Cheval

Kremer

Rakotonirina

2018

2018 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…We discovered this attack as we were interpreting the specification documents of this protocol [25] in preparation for its formalization in MSR [9,31,32], the specification language for our analysis. We start with a detailed description of the attacker's actions in the AS exchange, the key to the attack.…”

Section: The Attackmentioning

confidence: 99%

Breaking and Fixing Public-Key Kerberos

Cervesato

Jaggard

Scedrov

et al. 2007

Advances in Computer Science - ASIAN 2006. Secure Software and Related Issues

Self Cite

View full text Add to dashboard Cite

We report on a man-in-the-middle attack on PKINIT, the public key extension of the widely deployed Kerberos 5 authentication protocol. This flaw allows an attacker to impersonate Kerberos administrative principals (KDC) and end-servers to a client, hence breaching the authentication guarantees of Kerberos. It also gives the attacker the keys that the KDC would normally generate to encrypt the service requests of this client, hence defeating confidentiality as well. The discovery of this attack caused the IETF to change the specification of PKINIT and Microsoft to release a security update for some Windows operating systems. We discovered this attack as part of an ongoing formal analysis of the Kerberos protocol suite, and we have formally verified several possible fixes to PKINIT-including the one adopted by the IETF-that prevent our attack as well as other authentication and secrecy properties of Kerberos with PKINIT.

show abstract

“…This model assumes perfect cryptographic primitives and a nondeterministic intruder that has total control of the communication network and capacity to forge new messages. It is known that reachability is undecidable for cryptographic protocols in the general case [13], even when a bound is put on the size of messages [12]. Because of these negative results, from the point of view of verification, the best we can hope for is either to identify decidable sub-classes as in [3,24,21] or to develop correct but incomplete verification algorithms as in [22,17,15].…”

Section: Introductionmentioning

confidence: 99%

“…Recently, Comon, Cortier and Mitchell [7] extended this class allowing pairing and binary encryption while the use of nonces still cannot be expressed in their model. Reachability is decidable for the bounded number of sessions [3,24,21] or when nonce creation is not allowed and the size of messages is bounded [12]. These assumptions are rarely justified in practice.…”

Section: Introductionmentioning

confidence: 99%

Pattern-Based Abstraction for Verifying Secrecy in Protocols

Bozga

Lakhnech

Périn

2003

Tools and Algorithms for the Construction and Analysis of Systems

View full text Add to dashboard Cite

Abstract. We present a method based on abstract interpretation for verifying secrecy properties of cryptographic protocols. Our method allows to verify secrecy properties in a general model allowing an unbounded number of sessions, an unbounded number of principals and an unbounded size of messages. As abstract domain we use sets of so-called pattern terms, that is, terms with an interpreted constructor, Sup , where a term Sup (t) is meant for the set of terms that contain t as sub-term. We implemented a prototype and were able to verify well-known protocols such as for instance Needham-Schroeder-Lowe (0.02 sec), Yahalom (12.67 sec), Otway-Rees (0.02 sec), Skeme (0.06 sec) and Kao-Chow (0.07 sec).

show abstract

Multiset rewriting and the complexity of bounded security protocols

Cited by 204 publications

References 59 publications

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

Breaking and Fixing Public-Key Kerberos

Pattern-Based Abstraction for Verifying Secrecy in Protocols

Contact Info

Product

Resources

About