Secrecy-Oriented First-Order Logical Analysis of Cryptographic Protocols

Mechanized Proofs of Security Protocols: Needham-Schroeder with Public Keys

1997

The inductive approach to verifying security protocols, previously applied to shared-key encryption, is here applied to the public key version of the Needham-Schroeder protocol. As before, mechanized proofs are performed using Isabelle/HOL. Both the original, flawed version and Lowe's improved version are studied; the properties proved highlight the distinctions between the two versions. The results are compared with previous analyses of the same protocol. The analysis reported below required only 30 hours of the author's time. The proof scripts execute in under three minutes.

The inductive approach to verifying cryptographic protocols

Informal arguments that cryptographic protocols are secure can be made rigorous using inductive definitions. The approach is based on ordinary predicate calculus and copes with infinite-state systems. Proofs are generated using Isabelle/HOL. The human effort required to analyze a protocol can be as little as a week or two, yielding a proof script that takes a few minutes to run. Protocols are inductively defined as sets of traces. A trace is a list of communication events, perhaps comprising many interleaved protocol runs. Protocol descriptions incorporate attacks and accidental losses. The model spy knows some private keys and can forge messages using components decrypted from previous traffic.

Computationally Sound, Automated Proofs for Security Protocols

Lecture Notes in Computer Science, 2005

Since the 1980s, two approaches have been developed for analyzing security protocols. One of the approaches relies on a computational model that considers issues of complexity and probability. This approach captures a strong notion of security, guaranteed against all probabilistic polynomial-time attacks. The other approach relies on a symbolic model of protocol executions in which cryptographic primitives are treated as black boxes. Since the seminal work of Dolev and Yao, it has been realized that this latter approach enables significantly simpler and often automated proofs. However, the guarantees that it offers have been quite unclear.

A Semi-Decidable Procedure for Secrecy in Cryptographic Protocols

In this paper, we present a new semi-decidable procedure to analyze cryptographic protocols for the property of secrecy based on a new class of functions that we call: the Witness-Functions. A Witness-Function is a reliable function that guarantees the secrecy in any protocol proved increasing once analyzed by it. Hence, the problem of correctness becomes a problem of protocol growth. A Witness-Function operates on derivative messages in a role-based specification and introduces new derivation techniques. We give here the technical aspects of the Witness-Functions and we show how to use them in a semi-decidable procedure. Then, we analyze a variation of Needham-Schroeder protocol and we show that a Witness-Function can also help to teach about flaws. Finally, we analyze the NSL protocol and we prove that it is correct with respect to secrecy.

Formal automatic verification of authentication cryptographic protocols

Proceedings First IEEE International Conference on Formal Engineering Methods, 1997

We address the formal analysis of authentication cryptographic protocols. We present a new verification algorithm that generates from the protocol description the set of possible flaws, if any, as well as the corresponding attack scenarios. This algorithm does not require any property or invariant specification. The algorithm involves three steps: extracting the protocol roles, modeling the intruder abilities and verification. In addition to the classical known intruder computational abilities such as encryption and decryption, we also consider those computations that result from different instrumentations of the protocol. The intruder abilities are modeled as a deductive system. The verification is based on the extracted roles as well as the deductive system. It consists in checking whether the intruder can answer all the challenges uttered by a particular role. If it is the case, an attack scenario is automatically constructed. The extracted proof system does not ensure the termination of deductions. For that purpose, we present a general transformation schema that allows one to automatically rewrite the non-terminating proof system into a terminating one. The transformation schema is shown to be correct. To exemplify the usefulness and efficiency of our approach, we illustrate it on the Woo and Lam authentication protocol. Abadi and Needham have shown that the protocol is insecure and they proposed a new corrected version. Thanks to this method we have discovered new unknown flaws in the Woo and Lam protocol and in the corrected version of Abadi and Needham.

Approaches to Formal Verification of Security Protocols

Computing Research Repository, 2011

In recent times, many protocols have been proposed to provide security for various information and communication systems. Such protocols must be tested for their functional correctness before they are used in practice. Application of formal methods for verification of security protocols would enhance their reliability, thereby increasing the usability of systems that employ them. Thus, formal verification of security protocols has become a key issue in computer and communications security. In this paper we present, analyze and compare some prevalent approaches towards verification of secure systems. We follow the notion of "same goal through different approaches" as we formally analyze the Needham Schroeder Public Key protocol for Lowe's attack using each of our presented approaches.

Formal Methods for Assuring Security of Protocols

The Computer Journal, 2002

Establishing the security of a system is an intricate problem with subtle nuances: it requires a careful examination of the underlying assumptions, abstractions, and possible actions. Consequently, assuring that a system behaves securely is virtually impossible without the use of rigorous analytical techniques. In this article, we focus on a single cryptographic protocol (Needham-Schroeder) and show how several different formal methods can be used to identify its various vulnerabilities. These vulnerabilities include susceptibility to freshness attacks and impersonations.

Proving Properties of Security Protocols by Induction

1997

Informal justifications of security protocols involve arguing backwards that various events are impossible. Inductive definitions can make such arguments rigorous. The resulting proofs are complicated, but can be generated reasonably quickly using the proof tool Isabelle/HOL. There is no restriction to finite-state systems and the approach is not based on belief logics.

Proving secure properties of cryptographic protocols with knowledge based approach

2005

Existing cryptographic protocols usually contain flaws. To analyze these protocols and find potential flaws in them, the secure properties of them need be studied in depth. This paper attempts to provide a new framework to analyze and prove the secure properties in these protocols. A number of predicates and action functions are used to model the network communication environment. Domain rules are given to describe the transitions of principals' knowledge and belief states. An example of public key authentication protocols has been studied and analysed.