The inductive approach to verifying cryptographic protocols

Paulson, Lawrence C.

doi:10.3233/jcs-1998-61-205

Cited by 620 publications

(518 citation statements)

References 37 publications

Supporting

Mentioning

504

Contrasting

Unclassified

Order By: Relevance

“…Since the environment of the card is assumed to be hostile the message received may be any message that has already been sent, not just one that is directed to the card (this simple model of available messages is also used in many abstract specifications of security protocols, e.g. the traces of [Pau98] The protocol is started by two messages startFrom(msgna, value, msgno) and startTo(msgna, value, msgno) which are sent to the from and to purse respectively by the interface device. These two messages are assumed to be always available, so the initial ether already contains every such message.…”

Section: The Concrete Levelmentioning

confidence: 99%

The Mondex Challenge: Machine Checked Proofs for an Electronic Purse

Schellhorn

Grandy

Haneberg

et al. 2006

FM 2006: Formal Methods

View full text Add to dashboard Cite

Abstract. The Mondex case study about the specification and refinement of an electronic purse as defined in [SCJ00] has recently been proposed as a challenge for formal system-supported verification. This paper reports on the successful verification of the major part of the case study using the KIV specification and verification system. We demonstrate that even though the hand-made proofs were elaborated to an enormous level of detail we still could find small errors in the underlying data refinement theory as well as the formal proofs of the case study. We also provide an alternative formalisation of the communication protocol using abstract state machines. Finally the Mondex case study verifies functional correctness assuming a suitable security protocol. Therefore we propose to extend the case study to include the verification of a suitable security protocol.

show abstract

Section: The Concrete Levelmentioning

confidence: 99%

The Mondex Challenge: Machine Checked Proofs for an Electronic Purse

Schellhorn

Grandy

Haneberg

et al. 2006

FM 2006: Formal Methods

View full text Add to dashboard Cite

show abstract

“…Our definition of analysis refines the usual approach reminiscent of Paulson [Pau98]. Instead of directly defining a "flat" analysis set, we had to define a finitely stratified hierarchy (A n (K)) n∈N .…”

Section: Definitionmentioning

confidence: 99%

“…We do so by means of projection, focusing on the message components of our knowledge sets. This comparison is mainly intended to help readers who are familiar with Paulson's inductive approach (see [Pau98]) to better understand our formalism. In particular, we show that the stratified analysis of a message set yields a complete knowledge seed.…”

mentioning

confidence: 99%

A Formal Semantics for Protocol Narrations

Briais

Nestmann

2005

Trustworthy Global Computing

View full text Add to dashboard Cite

Protocol narrations are a widely-used informal means to describe, in an idealistic manner, the functioning of cryptographic protocols as a single intended sequence of cryptographic message exchanges among the protocol's participants. Protocol narrations have also been informally "turned into" a number of formal protocol descriptions, e.g., using the spi-calculus. In this paper, we propose a direct formal operational semantics for protocol narrations that fixes a particular and, as we argue, well-motivated interpretation on how the involved protocol participants are supposed to execute. Based on this semantics, we explain and formally justify a natural and precise translation of narrations into spi-calculus. An optimised translation has been implemented in OCaml, and we report on case studies that we have carried out using the tool.

show abstract

“…We use the inductive method of protocol verification, which has been described elsewhere [11,13]. This operational semantics assumes a population of honest agents obeying the protocol and a dishonest agent (the Spy) who can steal messages intended for other agents, decrypt them using any keys at his disposal and send new messages as he pleases.…”

Section: The Inductive Modelmentioning

confidence: 99%