Automated analysis of cryptographic protocols using Murφ

Mitchell, John C.; Mitchell, Mark L.; Stern, Ulrich

doi:10.1109/secpri.1997.601329

Cited by 262 publications

(224 citation statements)

References 12 publications

Supporting

Mentioning

215

Contrasting

Unclassified

Order By: Relevance

“…Examples of this abound (e.g. [36,40,46,38]) and later in this work we use one such automated tool to perform a symbolic analysis which we have (by then) shown to be computationally sound in the UC model.…”

Section: The Symbolic Modelmentioning

confidence: 99%

See 1 more Smart Citation

Universally Composable Symbolic Analysis of Mutual Authentication and Key-Exchange Protocols

Canetti¹,

Herzog

2006

Theory of Cryptography

104

121

View full text Add to dashboard Cite

Abstract. Symbolic analysis of cryptographic protocols is dramatically simpler than full-fledged cryptographic analysis. In particular, it is simple enough to be automated. However, symbolic analysis does not, by itself, provide any cryptographic soundness guarantees. Following recent work on cryptographically sound symbolic analysis, we demonstrate how Dolev-Yao style symbolic analysis can be used to assert the security of cryptographic protocols within the universally composable (UC) security framework. Consequently, our methods enable security analysis that is completely symbolic, and at the same time cryptographically sound with strong composability properties.More specifically, we concentrate on mutual authentication and keyexchange protocols. We restrict attention to protocols that use publickey encryption as their only cryptographic primitive and have a specific restricted format. We define a mapping from such protocols to Dolev-Yao style symbolic protocols, and show that the symbolic protocol satisfies a certain symbolic criterion if and only if the corresponding cryptographic protocol is UC-secure. For mutual authentication, our symbolic criterion is similar to the traditional Dolev-Yao criterion. For key exchange, we demonstrate that the traditional Dolev-Yao style symbolic criterion is insufficient, and formulate an adequate symbolic criterion.Finally, to demonstrate the viability of our treatment, we use an existing tool to automatically verify whether some prominent key-exchange protocols are UC-secure.

show abstract

Section: The Symbolic Modelmentioning

confidence: 99%

“…Indeed, protocol analysis in these models is much simpler, more mechanical, and amenable to automation (see e.g. [36,39,53,46,11]). These are desirable properties when attempting to analyze large-scale systems.…”

Section: Introductionmentioning

confidence: 99%

Universally Composable Symbolic Analysis of Mutual Authentication and Key-Exchange Protocols

Canetti¹,

Herzog

2006

Theory of Cryptography

104

121

View full text Add to dashboard Cite

show abstract

“…For example, the non-injective agreement property [21]: "For certain data items ds, if each time a principal B completes a run of the protocol as responder using ds, apparently with A, then there is a unique run of the protocol with the principal A as initiator using ds, apparently with B." The generated protocols could be re-analysed using more sophisticated protocol analysis tools, such as the NRL Analyzer [23], the Interrogator model [24], FDR [20], Murϕ [25], Athena [33]. In this case, the Protocol Selector of ASPB would be used to narrow down the set of candidate protocols to be verified.…”

Section: The Protocol Selectormentioning

confidence: 99%

“…The heuristics are also augmented by extending protocol selection/design strategies [16,21,22] in order to restrict the generated protocols to a collection of candidate protocols that are likely to be secure. While the collection of candidate protocols are secure under the BSW-ZF logic, the intention is that more sophisticated protocol analysis tools, such as [20,[23][24][25], are then used to select appropriate protocols from the collection.…”

Section: Introductionmentioning

confidence: 99%

Fast automatic security protocol generation

Hong-bin

Foley

2012

JCS

View full text Add to dashboard Cite

An automatic security protocol generator is described that uses logic-based heuristic rules to guide it in a backward search for suitable protocols from protocol goals. The approach taken is unlike existing automatic protocol generators which typically carry out a forward search for candidate protocols from the protocol assumptions. A prototype generator has been built that performs well in the automatic generation of authentication and key exchange protocols.

show abstract

“…The main systematic or formal approaches include specialised logics such as BAN logic [13,19,27], special-purpose tools designed for cryptographic protocol analysis [39], and theorem proving [55,56] and model-checking techniques using several general purpose tools [43,46,51,61,63]. Although these approaches differ in significant ways, all reflect the same basic assumptions about the way an adversary may interact with the protocol or attempt to decrypt encrypted messages.…”

Section: Introductionmentioning

confidence: 99%

Probabilistic Polynomial-Time Process Calculus and Security Protocol Analysis

Mitchell

2001

Programming Languages and Systems

View full text Add to dashboard Cite

Abstract. We prove properties of a process calculus that is designed for analysing security protocols. Our long-term goal is to develop a form of protocol analysis, consistent with standard cryptographic assumptions, that provides a language for expressing probabilistic polynomial-time protocol steps, a specification method based on a compositional form of equivalence, and a logical basis for reasoning about equivalence.The process calculus is a variant of CCS, with bounded replication and probabilistic polynomial-time expressions allowed in messages and boolean tests. To avoid inconsistency between security and nondeterminism, messages are scheduled probabilistically instead of nondeterministically. We prove that evaluation of any process expression halts in probabilistic polynomial time and define a form of asymptotic protocol equivalence that allows security properties to be expressed using observational equivalence, a standard relation from programming language theory that involves quantifying over all possible environments that might interact with the protocol.We develop a form of probabilistic bisimulation and use it to establish the soundness of an equational proof system based on observational equivalences. The proof system is illustrated by a formation derivation of the assertion, well-known in cryptography, that El Gamal encryption's semantic security is equivalent to the (computational) Decision Diffie-Hellman assumption. This example demonstrates the power of probabilistic bisimulation and equational reasoning for protocol security.

show abstract

Automated analysis of cryptographic protocols using Murφ

Cited by 262 publications

References 12 publications

Universally Composable Symbolic Analysis of Mutual Authentication and Key-Exchange Protocols

Universally Composable Symbolic Analysis of Mutual Authentication and Key-Exchange Protocols

Fast automatic security protocol generation

Probabilistic Polynomial-Time Process Calculus and Security Protocol Analysis

Contact Info

Product

Resources

About