OFMC: A symbolic model checker for security protocols

International Journal of Information Security

Volumn 4, Issue 3, 2005, Pages 181-208

  Basin, David ^a   Mödersheim, Sebastian ^a   Viganò, Luca ^a  

^a ETH ZURICH   (Switzerland)

Author keywords

Constraints; Formal methods; Model checking; Security protocols; Verification

Indexed keywords

HIGH LEVEL LANGUAGES; MATHEMATICAL MODELS; NETWORK PROTOCOLS; OPTIMIZATION; SECURITY SYSTEMS; STATE SPACE METHODS;

LAZY INTRUDER; MODEL CHECKING; SECURITY PROTOCOLS;

SECURITY OF DATA;

EID: 19744367735     PISSN: 16155262     EISSN: None     Source Type: Journal    
DOI: 10.1007/s10207-004-0055-7     Document Type: Article

References (50)

1. Amadio R, Lugiez D (2002) On the reachability problem in cryptographic protocols. In: Proceedings of CONCUR'00. Lecture notes in computer science, vol 1877. Springer, Berlin Heidelberg New York, pp 380-394
2. Armando A, Basin D, Bouallagui M, Chevalier Y, Compagna L, Mödersheim S, Rusinowitch M, Turuani M, Viganò L, Vigneron L (2002) The AVISS security protocol analysis tool. In: Proceedings of CAV'02. Lecture notes in computer science, vol 2404. Springer, Berlin Heidelberg New York, pp 349-354
3. Armando A, Compagna L (2002) Automatic SAT-compilation of protocol insecurity problems via reduction to planning. In: Proceedings of FORTE 2002. Lecture notes in computer science, vol 2529. Springer, Berlin Heidelberg New York, pp 210-225
4. Armando A, Compagna L, Ganty P (2003) SAT-based model-checking of security protocols using planning graph analysis. In: Proceedings of FME 2003. Lecture notes in computer science, vol 2805. Springer, Berlin Heidelberg New York, pp 875-893
5. AVISPA: Automated validation of internet security protocols and applications (2003) FET Open Project IST-2001-39252. www.avispa-project.org
6. Baader F, Nipkow T (1998) Term rewriting and all that. Cambridge University Press, Cambridge, UK
7. Basin D (1999) Lazy infinite-state analysis of security protocols. In: Proceedings of CQRE'99. Lecture notes in computer science, vol 1740. Springer, Berlin Heidelberg New York, pp 30-42
8. Basin D, Denker G (2001) Maude versus Haskell: An experimental comparison in security protocol analysis. In: Electronic notes in computer science, vol 36. Elsevier, Amsterdam, pp 235-256
9. Basin D, Mödersheim S, Viganò L (2003) An on-the-fly model-checker for security protocol analysis. In: Proceedings of ESORICS'03. Lecture notes in computer science, vol 2808. Springer, Berlin Heidelberg New York, pp 253-270
10. Basin D, Mödersheim S, Viganò L (2003) Constraint differentiation: A new reduction technique for constraint-based analysis of security protocols. In: Proceedings of CCS'03. ACM Press, New York, pp 335-344
11. Boreale M (2001) Symbolic trace analysis of cryptographic protocols. In: Proceedings of ICALP'01. Lecture notes in computer science, vol 2076. Springer, Berlin Heidelberg New York, pp 667-681
12. Boreale M, Buscemi MG (2002) A framework for the analysis of security protocols. In: Proceedings of CONCUR'02. Lecture notes in computer science, vol 2421. Springer, Berlin Heidelberg New York, pp 483-498
13. Boreale M, Buscemi MG (2003) On the symbolic analysis of low-level cryptographic primitives: Modular exponentiation and the Diffie-Hellman protocol. In: Proceedings of FCS'03. TR-2003-04, Computer Science Department, University of Ottawa
14. Bouallagui M, Jain H (2003) Automatic session generation. AVISPA report, LORIA-INRIA-Lorraine
15. Cervesato I, Durgin NA, Lincoln PD, Mitchell JC, Scedrov A (2000) Relating strands and multiset rewriting for security protocol analysis. In: Proceedings of CSFW'00. IEEE Press, New York, pp 35-51
16. Chevalier Y, Küsters R, Rusinowitch M, Turuani M (2003) An NP decision procedure for protocol insecurity with Xor. In: Proceedings of LICS 2003. IEEE Press, New York, pp 261-270
17. Chevalier Y, Küsters R, Rusinowitch M, Turuani M (2003) Deciding the security of protocols with Diffie-Hellman exponentiation and products in exponents. Lecture notes in computer science, vol 2914. In: Proceedings of FST TCS'03. Springer, Berlin Heidelberg New York, pp 124-135
18. Chevalier Y, Küsters R, Rusinowitch M, Turuani M, Vigneron L (2003) Extending the Dolev-Yao intruder for analyzing an unbounded number of sessions. In: Proceedings of CSL 2003. Lecture notes in computer science, vol 2803. Springer, Berlin Heidelberg New York, pp 128-141
19. Chevalier Y, Vigneron L (2001) A tool for lazy verification of security protocols. In: Proceedings of ASE'01. IEEE Press, New York, pp 373-376
20. Chevalier Y, Vigneron L (2002) Automated unbounded verification of security protocols. In: Proceedings of CAV'02. Lecture notes in computer science, vol 2404. Springer, Berlin Heidelberg New York, pp 324-337
21. Clark J, Jacob J (1997) A survey of authentication protocol literature: version 1.0, 17 November 1997. www.cs.york.ac.uk/~jac/papers/drareview.ps.gz
22. Comon H, Shmatikov V (2002) Is it possible to decide whether a cryptographic protocol is secure or not? J Telecommun Inf Technol 4:5-15
23. Comon-Lundh H, Cortier V (2003) Security properties: Two agents are sufficient. In: Proceedings of ESOP'03. Lecture notes in computer science, vol 2618. Springer, Berlin Heidelberg New York, pp 99-113
24. Comon-Lundh H, Shmatikov V (2003) Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In: Proceedings of LICS 2003. IEEE Press, New York, pp 271-280
25. Corin R, Etalle S (2002) An improved constraint-based system for the verification of security protocols. In: Proceedings of SAS 2002. Lecture notes in computer science, vol 2477. Springer, Berlin Heidelberg New York, pp 326-341
26. Denker G, Millen J, Ruess H (2000) The CAPSL integrated protocol environment. Technical Report SRI-CSL-2000-02, SRI International, Menlo Park, CA
27. Dolev D, Yao A (1983) On the security of public-key protocols. IEEE Trans Inf Theory 2(29):198-208
28. Donovan B, Norris P, Lowe G (1999) Analyzing a library of security protocols using Casper and FDR. In: Proceedings of the FLOC'99 workshop on formal methods and security protocols (FMSP'99)
29. Durgin N, Lincoln PD, Mitchell JC, Scedrov A (1999) Undecidability of bounded security protocols. In: Proceedings of the FLOC'99 workshop on formal methods and security protocols (FMSP'99)
30. Fiore M, Abadi M (2001) Computing symbolic models for verifying cryptographic protocols. In: Proceedings of CSFW'01. IEEE Press, New York, pp 160-173
31. Huima A (1999) Efficient infinite-state analysis of security protocols. In: Proceedings of the FLOC'99 workshop on formal methods and security protocols (FMSP'99)
32. ITU-T Recommendation H.530: Symmetric security procedures for H.510 (mobility for H.323 multimedia systems and services) (2002)
33. ITU-T Recommendation H.530, Corrigendum 1 (2003) Corrected version of [32]
34. Jacquemard F, Rusinowitch M, Vigneron L (2000) Compiling and verifying security protocols. In: Proceedings of LPAR 2000. Lecture notes in computer science, vol 1955. Springer, Berlin Heidelberg New York, pp 131-160
35. Lowe G (1996) Breaking and fixing the Needham-Shroeder public-key protocol using FDR. In: Proceedings of TACAS '96. Lecture notes in computer science, vol 1055. Springer, Berlin Heidelberg New York, pp 147-166
36. Lowe G (1997) A hierarchy of authentication specifications. In: Proceedings of CSFW'97. IEEE Press, New York, pp 31-43
37. Lowe G (1998) Casper: A compiler for the analysis of security protocols. J Comput Secur 6(1):53-84
38. Meadows C (1996) The NRL protocol analyzer: An overview. J Logic Programm 26(2):113-131
39. Meadows C (1999) Analysis of the Internet Key Exchange Protocol using the NRL protocol analyzer. In: Proceedings of the 1999 IEEE symposium on security and privacy. IEEE Press, New York, pp 216-231
40. Millen JK, Shmatikov V (2001) Constraint solving for bounded-process cryptographic protocol analysis. In: Proceedings of CCS'01. ACM Press, New York, pp 166-175
41. Millen JK, Shmatikov V (2003) Symbolic protocol analysis with products and Diffie-Hellman exponentiation. In: Proceedings of CSFW'03. IEEE Press, New York, pp 47-61
42. Mitchell JC, Mitchell M, Stern U (1997) Automated analysis of cryptographic protocols using Murphi. In: Proceedings of the 1997 IEEE symposium on security and privacy. IEEE Press, New York, pp 141-153
43. Paulson LC (1998) The inductive approach to verifying cryptographic protocols. J Comput Secur 6(1):85-128
44. Paulson LC (1999) Relations between secrets: The Yahalom protocol. In: Proceedings of the 7th Cambridge international workshop on security protocols. Lecture notes in computer science, vol 1796. Springer, Berlin Heidelberg New York, pp 73-77
45. Perrig A, Song D (2000) Looking for diamonds in the desert (extending automatic protocol generation to three-party authentication and key agreement protocols). In: Proceedings of CSFW'00. IEEE Press, New York, pp 64-76
46. Rusinowitch M, Turuani M (2001) Protocol insecurity with finite number of sessions is NP-complete. In: Proceedings of CSFW'01. IEEE Press, New York, pp 174-187
47. Ryan P, Schneider S, Goldsmith M, Lowe G, Roscoe B (2000) Modelling and analysis of security protocols. Addison-Wesley, Reading, MA
48. Song D, Berezin S, Perrig A (2001) Athena: A novel approach to efficient automatic security protocol analysis. J Comput Secur 9:47-74
49. Thayer Fábrega FJ, Herzog JC, Guttman JD (1999) Strand spaces: proving security protocols correct. J Comput Secur 7:191-230
50. Turuani M (2003) Sécurité des protocoles cryptographiques: décidabilité et complexité. PhD Thesis, Université Henri Poincaré, Nancy, France