Using logics to detect implementation-dependent flaws [cryptographic protocol design]

Carlsen, Ulf

doi:10.1109/csac.1993.315453

Cited by 11 publications

(8 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This lead to the discovery of an implementation-dependent flaw similar to the one found in [12] and [2], as well as of an attack that pointed out a place where our requirements might be too stringent. As in the earlier case, the discovery of an implementation-dependent flaw does not mean that implementations of the protocol are necessarily or even likely to be flawed, but rather that there is a hidden assumption in the specification whose violation would cause a security flaw.…”

Section: Analysis Of a Modified Version Of The Ns Protocolmentioning

confidence: 99%

“…As in the earlier case, the discovery of an implementation-dependent flaw does not mean that implementations of the protocol are necessarily or even likely to be flawed, but rather that there is a hidden assumption in the specification whose violation would cause a security flaw. In this case, as in the flaw discovered in [12] and [2], the hidden assumption is that the principals have the ability to recognize different types of data, such as keys, nonces, and timestamps. In [12] and [2] an attack was found on the Neuman-Stubblebine protocol which depends upon the receiver's inability to distinguish a nonce from a key.…”

Section: Analysis Of a Modified Version Of The Ns Protocolmentioning

confidence: 99%

“…In this case, as in the flaw discovered in [12] and [2], the hidden assumption is that the principals have the ability to recognize different types of data, such as keys, nonces, and timestamps. In [12] and [2] an attack was found on the Neuman-Stubblebine protocol which depends upon the receiver's inability to distinguish a nonce from a key. We do not present the attack here, but note that it depends upon the receiver's confusing the message it generates in the second step in the protocol with the message it receives in the fourth step.…”

Section: Analysis Of a Modified Version Of The Ns Protocolmentioning

confidence: 99%

See 2 more Smart Citations

Formal requirements for key distribution protocols

Syverson

Meadows

1995

Advances in Cryptology — EUROCRYPT'94

View full text Add to dashboard Cite

Abstract. We discuss generic formal requirements for reasoning about two party key distribution protocols, using a language developed for specifying security requirements for security protocols. Typically earlier work has considered formal analysis of already developed protocols. Our goal is to present sets of formal requirements for various contexts which can be applied at the design stage as well as to existing protocols. We use a protocol analysis tool we have developed to determine whether or not a specific protocol has met some of the requirements we specified. We show how this process uncovered a flaw in the protocol and helped us refine our requirements.

show abstract

Section: Analysis Of a Modified Version Of The Ns Protocolmentioning

confidence: 99%

Section: Analysis Of a Modified Version Of The Ns Protocolmentioning

confidence: 99%

Section: Analysis Of a Modified Version Of The Ns Protocolmentioning

confidence: 99%

See 1 more Smart Citation

Formal requirements for key distribution protocols

Syverson

Meadows

1995

Advances in Cryptology — EUROCRYPT'94

View full text Add to dashboard Cite

show abstract

“…These are known as run internal attacks. An example involving the Neuman-Stubblebine repeated authentication protocol [NS93,CJ97] has been exposed by Syverson in [Syv93b] and by Carlsen in [Car93].…”

Section: A Taxonomy Of Replaysmentioning

confidence: 99%

The Logic of Authentication Protocols

Syverson

Cervesato

2001

Foundations of Security Analysis and Design

View full text Add to dashboard Cite

“…In previous work, verification of protocols susceptible to type flaw attacks has been attempted using various formalisms [12,10,8,7,25,11,24]. The attacks considered generally involve simple 'type confusion' attacks in which segments of one type are confused with segments of another type, or in the more advanced models, in which a segment of one type is confused with the concatenation of two or more other segments of varying types [18].…”

Section: Introductionmentioning

confidence: 99%

Formal verification of type flaw attacks in security protocols

Long

Tenth Asia-Pacific Software Engineering Conference, 2003.

View full text Add to dashboard Cite

Security protocols are often modelled at a high level of abstraction, potentially overlooking implementationdependent vulnerabilities. Here we use the Z specification language's rich set of data structures to formally model potentially ambiguous messages that may be exploited in a 'type flaw' attack. We then show how to formally verify whether or not such an attack is actually possible in a particular protocol using Z's schema calculus.

show abstract

Using logics to detect implementation-dependent flaws [cryptographic protocol design]

Cited by 11 publications

References 14 publications

Formal requirements for key distribution protocols

Formal requirements for key distribution protocols

The Logic of Authentication Protocols

Formal verification of type flaw attacks in security protocols

Contact Info

Product

Resources

About