Open Issues in Formal Methods for Cryptographic Protocol Analysis

The history of the application of formal methods to cryptographic protocol analysis spans nearly twenty years, and recently the field has been showing signs of new maturity and consolidation. A number of specialized tools have been developed, and others have effectively demonstrated that existing general-purpose tools can also be applied to these problems with good results. However, with this better understanding of the field come new problems that strain against the limits of the existing tools. In this paper we will outline some of these new problem areas, and describe what new research needs to be done to meet the challenges posed.
