Formal methods for cryptographic protocol analysis: Emerging issues and trends

IEEE Journal on Selected Areas in Communications

Volumn 21, Issue 1, 2003, Pages 44-54

  Meadows, Catherine ^a  

^a NAVAL RESEARCH LABORATORY   (United States)

Author keywords

Cryptographic protocols; Formal methods; Security

Indexed keywords

ALGORITHMS; COMPUTER NETWORKS; DATA COMMUNICATION SYSTEMS; FINITE AUTOMATA; FORMAL LOGIC; MATHEMATICAL MODELS; NETWORK PROTOCOLS; SECURITY OF DATA; STATISTICAL METHODS; TELECOMMUNICATION TRAFFIC;

CRYPTOGRAPHIC PROTOCOL ANALYSIS; FORMAL METHODS;

CRYPTOGRAPHY;

EID: 0037250964     PISSN: 07338716     EISSN: None     Source Type: Journal    
DOI: 10.1109/JSAC.2002.806125     Document Type: Article

References (86)

1. M. Abadi, "Secrecy by typing in security protocols," J. ACM, vol. 46, no. 5, pp. 749-786, Sept. 1999
2. M. Abadi and P. Rogaway, "Reconciling two views of cryptography (the computational soundness of formal encryption)," J. Cryptology, vol. 5, pp. 103-127, Spring 2002.
3. J. Alves-Foss, "Multiprotocol attacks and the public key infrastructure," in 21st National Information Systems Security Conf., Arlington, VA, Oct. 1998, pp. 566-576.
4. ____, "Provably insecure mutual authentication protocols: The two party symmetric encryption case," presented at the Proc. 22nd National Information Systems Security Conf., Arlington, VA, 1999.
5. R. Amadio and D. Lugiez, "On the reachability problem in cryptographic protocols," in Proc. CONCUR, 2000, pp. 380-394.
6. G. Bella, F. Massacci, L. C. Paulson, and P. Tramontano, "Formal verification of cardholder registration in SET," in Computer Security-ESORICS 2000, F. Cuppens, Ed. New York: Springer-Verlag, 2000, pp. 159-174.
7. G. Bella et al., "Kerberos version IV: Inductive analysis of the secrecy goal," in Computer Security-ESORICS 98, J.-J. Quisquater et al., Eds. New York: Springer-Verlag, 1998, pp. 361-375.
8. J. Benaloh, B. Lampson, D. Simon, T. Spies, and B. Yee. (1995) The private communication technology protocol. [Online]. available: draft-benaloch-pct-00.txt
9. D. Bolignano, "Toward the formal verification of electronic commerce protocols," in Proc. 10th Computer Security Foundations Workshop, 1997, pp. 133-146.
10. S. Brackin, "Evaluation and improving protocol analysis by automatic proof," in Proc. 11th IEEE Computer Security Foundations Workshop, June 1998, pp. 138-152.
11. J. Bryans and S. Schneider. CBS, PVS, and a recursive authentication protocol. presented at Proc. DIMACS Workshop on Design and Formal Verification of Security Protocols. [Online]. Available: http://dimacs.rutgers.edu/Workshops/Security/
12. M. Burrows, M. Abadi, and R. Needham, "A logic of authentication," ACM Trans. Comput. Syst., vol. 8, pp. 18-36, Feb. 1990.
13. F. Butler, I. Cervesato, A. Jaggard, and A. Scedrov, "A formal analysis of some properties of Kerberos V using MSR," in Proc. 15th Computer Security Foundations Workshop, June 2002, pp. 165-180.
14. L. Buttyán and J.-P. Hubaux, "Rational exchange-A formal model based on game theory," in Proc. 2nd Int. Workshop Electronic Commerce (WELCOM'01). New York: Springer-Verlag, Nov. 16-17, 2001, pp. 114-126.
15. I. Cervesato, N. Durgin, P. Lincoln, J. Mitchell, and A. Scedrov, "A meta-notation for protocol analysis," in Proc. 12th IEEE Computer Security Foundations Workshop, June 1999, pp. 55-69.
16. R. Chadha, M. I. Kanovich, and A. Scedrov, "Inductive methods and contract-signing protocols," in Proc. 8th ACM Conf. Computer Communications Security, P. Samarati, Ed., Nov. 2001, pp. 176-185.
17. D. Chaum, "Untraceable electronic mail, return addresses and digital signatures," Commun. ACM, vol. 24, pp. 84-88, Feb. 1981.
18. E. Clark, S. Jha, and W. Marrero, "Partial order reductions for security protocol verification," in Proc. Tools and Algorithms for the Construction and Analysis of Systems, 2000, pp. 503-508.
19. E. Cohen, "TAPS: A first-order verifier for cryptographic protocols," in Proc. 13th IEEE Computer Security Foundations Workshop, June 2000, pp. 144-158.
20. Z. Dang and R. A. Kemmerer. Using the ASTRAL model checker for cryptographic protocol analysis. presented at Proc. DIMACS Workshop on Design and Formal Verification of Security Protocols. [Online]. Available: http://dimacs.rutgers.edu/Workshops/Security/
21. G. Denker, J. Millen, and H. Ruess, "The CAPSL integrated protocol environment," SRI International, Palo Alto, CA, SRI-CSL-2002-02, 2000.
22. D. Dolev, S. Even, and R. Karp, "On the security of ping-pong protocols," Inform. Control, pp. 57-68, 1982.
23. D. Dolev and A. Yao, "On the security of public key protocols," IEEE Trans. Inform. Theory, vol. IT-29, pp. 198-208, Mar. 1983.
24. A. Durante, R. Focardi, and R. Gorrieri, "CVS: A compiler for the analysis of cryptographic protocols," in Proc. 12th IEEE Computer Security Foundations Workshop, June 1999, pp. 203-212.
25. B. Dutertre and S. Schneider, "Using a PVS embedding of CSP to verify authentication protocols," in Proc. TPHOLS'97, 1997, pp. 121-136.
26. S. Even and O. Goldreich, "On the security of multiparty ping-pong protocols," in Proc. 24th IEEE Symp. Foundations of Computer Science, 1983, pp. 34-39.
27. N. Ferguson and B. Schneier, "A security evaluation of IPSec," in The IPSec Papers, M. Blaze, J. Ioannides, A. Keromytis, and J. Smith, Eds. Readng, MA: Addison-Wesley, to be published.
28. M. Fiore and M. Abadi, "Computing symbolic models for verifying cryptographic protocols," in Proc. 14th IEEE Computer Security Foundations Workshop, 2001, pp. 160-173.
29. D. Goldschlag, M. Reed, and P. Syverson, "Onion routing for anonymous and private internet connections," Commun. ACM, vol. 42, pp. 39-41, Feb. 1999.
30. L. Gong and P. Syverson, "Fail-stop protocols: An approach to designing secure protocols," in Dependable Computing for Critical Applications 5, R. K. Iyer, M. Morganti, W. K. Fuchs, and V. Gligor, Eds. Piscataway, NJ: IEEE, 1998, pp. 79-100.
31. A. Gordon and A. Jeffrey, "Authenticity by typing in security protocols," in Proc. 14th IEEE Computer Security Foundations Workshop, June 2001, pp. 145-159.
32. J. Guttman and J. T. Fäbrega, "Protocol independence through disjoint encryption," in Proc. 13th Computer Security Foundations Workshop, July 3-5, 2000, pp. 24-34.
33. D. Harkins and D. Carrel. (1998) The Internet Key Exchange (IKE), Internet Engineering Task Force. [Online]. Available: http://ietf.org/rfc/rfc2409.txt
34. J. Heather and S. Schneider, "Toward automatic verification of authentication protocols on an unbounded network," in Proc. 13th IEEE Computer Security Foundations Workshop, June 2000, pp. 132-143.
35. N. Heintze and J. D. Tygar, "A model for secure protocols and their composition," IEEE Trans. Softw. Eng., vol. 22, pp. 16-30, Jan. 1996.
36. A. Huima, "Efficient infinite-state analysis of security protocols," presented at the FLOC'99 Workshop on Formal Methods and Security Protocols, Trento, Italy, July 1999.
37. P. Karn and W. Simpson. (1999) Photuris: Session-Key Management Protocol. Internet Engineering Task Force. [Online]. Available: http://ietf.org/rfc/rfc2522.txt
38. J. Kelsey and B. Schneier, "Chosen interactions and the chosen protocol attack," in Proc. Security Protocols, 5th Int. Workshop 1997, Apr. 1998, pp. 91-104.
39. R. Kemmerer, "Using formal methods to analyze encryption protocols," IEEE J. Select. Areas Commun., vol. 7, pp. 448-457, May 1989.
40. S. Kremer and J.-F. Raskin, "A game-based verification of nonrepuditation and fair exchange protocols," in CONCUR 2001-Concurrency Theory. New York: Springer-Verlag, 2001.
41. P. Lincoln, J. Mitchell, M. Mitchell, and A. Scedrov, "Probabilistic polynomial-time equivalence and security analysis," in FM'99-Formal Methods, J. Wing, J. Woodcock, and J. Davies, Eds. New York: Springer-Verlag, 1999, pp. 776-793.
42. D. Longley and S. Rigby, "An automatic search for security flaws in key management schemes," Comput. Security, vol. 11, pp. 75-90, 1992.
43. G. Lowe, "Breaking and fixing the Needham-Schroeder public-key protocol using FDR," Softw.-Concepts Tools, vol. 17, no. 3, pp. 93-102, 1996.
44. ____, "Toward a completeness results for model checking security protocols," J. Comput. Security, vol. 7, pp. 89-146, 1999.
45. W. Marrero, A model checker for authentication protocols. presented at Proc. DIMACS Workshop on Design and Formal Verification of Security Protocols. [Online]. Available: http://dimacs.rutgers.edu/Workshops/Security/
46. C. Meadows, "Applying formal methods to the analysis of a key management protocol," J. Comput. Security, vol. 1, pp. 5-53, 1992.
47. ____, "Analysis of the Internet key exchange protocol using the NRL protocol analyzer," in Proc. 1999 Symp. Security and Privacy, May 1999, pp. 216-213.
48. ____, "A formal framework and evaluation method for network denial of service," in Proc. 12th IEEE Computer Security Foundations Workshop, June 1999, pp. 4-13.
49. ____, "Extending formal cryptographic protocol analysis techniques for group protocols and low-level cryptographic primitives," in Proc. 1st Workshop Issues Theory Security-WITS'00, P. Degano, Ed., Geneva, Switzerland, July 8-9, 2000, pp. 87-92.
50. ____, "Open issues in formal methods for cryptographic protocol analysis," in Proc. DISCEX 2000, Jan. 2000, pp. 237-250.
51. C. Meadows and P. Narendran, "A unification algorithm for the group Diffie-Hellman protocol," presented at the WITS'02, Portland, OR, Jan. 2002.
52. C. Meadows, P. Syverson, and I. Cervesato, "Formalizing GDOI group key management requirements in NPATRL," in Proc. ACM Conf. Computer Communications Security, Nov. 2001, pp. 235-244.
53. M. J. Merritt, "Cryptographic protocols," Ph.D. dissertation, Georgia Inst. Technol., Atlanta, GA, 1983.
54. J. Millen and H. Ruess, "Protocol-independent secrecy," in Proc. 2000 IEEE Security and Privacy Symp., May 2000, pp. 110-119.
55. J. Millen and V. Shmatikov, "Constraint solving for bounded-process cryptographic protocol analysis," in Proc. 8th ACM Conf. Computer Communication Security, Nov. 2001, pp. 166-175.
56. J. K. Millen, S. C. Clark, and S. B. Freedman, "The Interrogator: Protocol security analysis," IEEE Trans. Softw. Eng., vol. SE-13, pp. 274-288, 1987.
57. J. K. Millen. (1997) CAPSL: Common authentication protocol specification language. The MITRE Corp. [Online]. Available: http://www.csl.sri.com/millen/capsl
58. J. Mitchell, M. Mitchell, and U. Stern, "Automated analysis of cryptographic protocols using Murø," in Proc. 1997 IEEE Symp. Security and Privacy, May 1997, pp. 141-151.
59. J. C. Mitchell, V. Shmatikov, and U. Stern, "Finite-state analysis of SSL 3.0," in Proc. 7th USENIX Security Symp., San Antonio, TX, 1998, pp. 201-216.
60. R. M. Needham and M. D. Schroeder, "Using encryption for authentication in large networks of computers," Commun. ACM, vol. 21, pp. 993-999, Dec. 1978.
61. L. Paulson, "Mechanized proofs for a recursive authentication protocol," in Proc. 10th Computer Security Foundations Workshop, June 1997, pp. 84-95.
62. L. C. Paulson, "Inductive analysis of the internet protocol TLS," ACM Trans. Comput. Syst. Security, vol. 2, no. 3, pp. 332-351, 1999.
63. ____, "The inductive approach to verifying cryptographic protocols," J. Comput. Security, vol. 6, no. 1/2, pp. 85-128, 1998.
64. D. Pavlovic and D. R. Smith, "Guarded Transitions in Evolving Specifications," Kestrel Inst., 2002.
65. O. Pereira and J.-J. Quisquater, "A security analysis of the Cliques protocols suites," in Proc. 14th IEEE Computer Security Foundations Workshop, June 2001, pp. 73-81.
66. A. Perrig, R. Canetti, D. Song, and D. Tygar, "Efficient authentication and signing of multicast streams over lossy channels," in Proc. 2000 IEEE Symp. Security and Privacy, May 2000, pp. 247-262.
67. M. Reiter and A. Rubin, "Crowds: Anonymity for web transactions," in Proc. ACM TISSEC, June 1999.
68. A. W. Roscoe, "Modeling and verifying key-exchange protocols using CSP and FDR," in Proc. 8th IEEE Computer Security Foundations Workshop, 1995, pp. 98-107.
69. M. Rusinowitch and M. Turuani, "Protocol insecurity with finite number of sessions is NP-complete," in Proc. 14th IEEE Computer Security Foundations Workshop, 2001, pp. 174-190.
70. S. Schneider and A. Spirodopoulos, "CSP and anonymity," in Proc. ESORICS 96, 1996, pp. 198-218.
71. The SET Specification. SET Secure Electronic Transactions LLC. [Online]. Available: http://www.setco.org/set_specifications.html
72. V. Shmatikov, "Probabilistic analysis of anonymity," in Proc. 15th Computer Security Foundations Workshop, June 2002, pp. 119-128.
73. V. Shmatikov and J. Mitchell, "Finite-state analysis of two contract-signing protocols," Theor. Comput. Sci., pp. 419-450, June 2000.
74. D. Song, S. Berezin, and A. Perrig, "Athena: A novel approach to efficient automatic security protocol analysis," J. Comput. Security, vol. 9, pp. 47-74, 2001.
75. S. Stoller. A bound on attacks on authentication protocols. presented at 1999 Workshop on Formal Methods and Security Protocols. [Online]. Available: http://www.cs.indiana.edu/hyplan/stoller/
76. S. Stubblebine and V. Gligor, "On message integrity in cryptographic protocols," in Proc. 1992 Symp. Security and Privacy, May 1992, pp. 85-104.
77. S. Stubblebine and C. Meadows, "Formal characterization and automated analysis of known-pair and chosen-text attacks," IEEE J. Select. Areas Commun., vol. 18, pp. 571-581, Apr. 2000.
78. P. Syverson and S. Stubblebine, "Group principals and the formalization of anonymity," in FM'99-Formal Methods, J. Wing, J. Woodcock, and J. Davies, Eds. New York: Springer-Verlag, 1999, pp. 814-833.
79. P. F. Syverson and P. C. van Oorschot, "On unifying some cryptographic protocol logics," in Proc. 1994 IEEE Computer Society Symp. Research Security and Privacy, May 1994, pp. 14-28.
80. F. T. Fábrega, J. Herzog, and J. Guttman, "Strand spaces: Why is a security protocol correct?," in Proc. IEEE Symp. Security and Privacy, May 1998, pp. 160-171.
81. ____, "Mixed strand spaces," in Proc. IEEE Computer Security Foundations Workshop, June 1999, pp. 72-82.
82. B. Timmerman, "Secure adaptive dynamic traffic masking," in Proc. 1999 ACM New Security Paradigms Workshop, 2000, pp. 13-24.
83. P. C. van Oorschot, "Extending cryptographic logics of belief to key agreement protocols (extended abstract)," in Proc. 1st ACM Conf. Computer Communications Security, Nov. 1993, pp. 232-243.
84. B. Venkatraman and R. Newman-Wolfe, "Capacity estimation and auditability of network covert channels," in Proc. 1995 IEEE Symp. Security and Privacy, May 1995, pp. 186-198.
85. M. Wright, M. Adler, B. N. Levine, and C. Shields, An analysis of the degredation of anonymous protocols. presented at Proc. ISOC Network Distributed System Security Symp. [Online]. Available: http://www.isoc.org/isoc/conferences/ndss/02/proceedings/
86. J. Zhou, "Fixing a security flaw in IKE protocols," Electron. Lett., vol. 35, pp. 1072-1073, June 1999.