Model Checking Security Protocols

The formal analysis of security protocols is a prime example of a domain where model checking has been successfully applied. Although security protocols are typically small, analysis by hand is difficult as a protocol should work even when arbitrarily many runs are interleaved and in the presence of an adversary. Specialized model-checking techniques have been developed that address both the problems of unbounded, interleaved runs and a prolific, highly nondeterministic adversary. These techniques have been implemented in model-checking tools that now scale to protocols of realistic size and can be used to aid protocol design and standardization.
