Proceedings Article

Authentication via localized names

TL;DR: The π-calculus, which has been given an operational semantics that provides each sequential process of a system with its own local space of names, is exploited here to guarantee by construction that a message has been generated by a given entity.
Abstract: We address the problem of message authentication using the π-calculus, which has been given an operational semantics that provides each sequential process of a system with its own local space of names. We exploit here that semantics and its localized names to guarantee by construction that a message has been generated by a given entity. Therefore, our proposal can be seen as a reference for the analysis of "real" protocols. As an example, we study the way authentication is ensured by encrypting messages in the spi-calculus.
Citations
01 Apr 1997
TL;DR: The objective of this paper is to give a comprehensive introduction to applied cryptography with an engineer or computer scientist in mind on the knowledge needed to create practical systems which supports integrity, confidentiality, or authenticity.
Abstract: The objective of this paper is to give a comprehensive introduction to applied cryptography with an engineer or computer scientist in mind. The emphasis is on the knowledge needed to create practical systems which supports integrity, confidentiality, or authenticity. Topics covered includes an introduction to the concepts in cryptography, attacks against cryptographic systems, key use and handling, random bit generation, encryption modes, and message authentication codes. Recommendations on algorithms and further reading is given in the end of the paper. This paper should make the reader able to build, understand and evaluate system descriptions and designs based on the cryptographic components described in the paper.

2,188 citations

01 Jan 2006
TL;DR: This thesis develops a formal model for the description and analysis of security protocols at the process level, and develops an automated verification procedure, which improves over existing methods and is applied in two novel case studies.
Abstract: Recent technologies have cleared the way for large scale application of electronic communication. The open and distributed nature of these communications implies that the communication medium is no longer completely controlled by the communicating parties. As a result, there has been an increasing demand for research in establishing secure communications over insecure networks, by means of security protocols. In this thesis, a formal model for the description and analysis of security protocols at the process level is developed. At this level, under the assumption of perfect cryptography, the analysis focusses on detecting flaws and vulnerabilities of the security protocol. Starting from first principles, operational semantics are developed to describe security protocols and their behaviour. The resulting model is parameterized, and can e.g. capture various intruder models, ranging from a secure network with no intruder, to the strongest intruder model known in literature. Within the security protocol model various security properties are defined, such as secrecy and various forms of authentication. A number of new results about these properties are formulated and proven correct. Based on the model, an automated verification procedure is developed, which significantly improves over existing methods. The procedure is implemented in a prototype, which outperforms other tools. Both the theory and tool are applied in two novel case studies. Using the tool prototype, new results are established in the area of protocol composition, leading to the discovery of a class of previously undetected attacks. Furthermore, a new protocol in the area of multiparty authentication is developed. The resulting protocol is proven correct within the framework.

309 citations

01 Sep 2000
TL;DR: In this paper, many non-interference-like properties proposed for computer security are classified and compared in a unifying framework and the resulting taxonomy is evaluated through some case studies of access control in computer systems.
Abstract: In the recent years, many formalizations of security properties have been proposed, most of which are based on different underlying models and are consequently difficult to compare. A classification of security properties is thus of interest for understanding the relationships among different definitions and for evaluating the relative merits. In this paper, many non-interference-like properties proposed for computer security are classified and compared in a unifying framework. The resulting taxonomy is evaluated through some case studies of access control in computer systems. The approach has been mechanized, resulting in the tool CoSeC. Various extensions (e.g., the application to cryptographic protocol analysis) and open problems are discussed.

192 citations


Cites background from "Authentication via localized names"

  • ...As a consequence, in the recent years there have been a number of proposals of formal definitions of security properties (see, for instance, [1,2,8,11,12,17,21,30,44,45,51,53,59,60])....

  • ...In [19,20,11,12], a new definition of entity authentication, which is based on explicit locations of entities, has been proposed....

Book Chapter
09 Jul 2000
TL;DR: Many security properties of cryptographic protocols can be all seen as specific instances of a general property, called Non Deducibility on Composition (NDC), that was proposed a few years ago for studying information flow properties in computer systems.
Abstract: Many security properties of cryptographic protocols can be all seen as specific instances of a general property, we called Non Deducibility on Composition (NDC), that we proposed a few years ago for studying information flow properties in computer systems. The advantage of our unifying theory is that formal comparison among these properties is now easier and that the full generality of NDC has helped us in finding a few new attacks on cryptographic protocols.

115 citations


Cites result from "Authentication via localized names"

  • ...of authentication, have rarely been given, not widely agreed upon, usually not compared and only recently proposed in the literature (see, e.g., [5,17,21,26])....

Book Chapter
20 Sep 1999
TL;DR: It is shown that the results of the theory can be easily applied to a number of existing security properties that can be rephrased in the authors' setting and permits to find some interesting relations among properties which have been proposed for different security issues.
Abstract: We present a uniform approach for the definition and the analysis of various security properties. It is based on the general idea that a security property should be satisfied even in the presence of an hostile environment. This principle determines a family of strong properties which are resistant to every external attack, but are quite impractical to check. For this reason, we find some general conditions that permit to check a property only against a "most powerful" intruder. We show that the results of our theory can be easily applied to a number of existing security properties that can be rephrased in our setting. This shows the generality of the approach and permits to find some interesting relations among properties which have been proposed for different security issues.

109 citations

References
Journal Article
TL;DR: The π-calculus is presented, a calculus of communicating systems in which one can naturally express processes which have changing structure, including the algebraic theory of strong bisimilarity and strong equivalence, including a new notion of equivalence indexed by distinctions.
Abstract: We present the π-calculus, a calculus of communicating systems in which one can naturally express processes which have changing structure. Not only may the component agents of a system be arbitrarily linked, but a communication between neighbours may carry information which changes that linkage. The calculus is an extension of the process algebra CCS, following work by Engberg and Nielsen, who added mobility to CCS while preserving its algebraic properties. The π-calculus gains simplicity by removing all distinction between variables and constants; communication links are identified by names, and computation is represented purely as the communication of names across links. After an illustrated description of how the π-calculus generalises conventional process algebras in treating mobility, several examples exploiting mobility are given in some detail. The important examples are the encoding into the π-calculus of higher-order functions (the λ-calculus and combinatory algebra), the transmission of processes as values, and the representation of data structures as processes. The paper continues by presenting the algebraic theory of strong bisimilarity and strong equivalence, including a new notion of equivalence indexed by distinctions, i.e., assumptions of inequality among names. These theories are based upon a semantics in terms of a labeled transition system and a notion of strong bisimulation, both of which are expounded in detail in a companion paper. We also report briefly on work-in-progress based upon the corresponding notion of weak bisimulation, in which internal actions cannot be observed. © 1992 Academic Press, Inc.

3,093 citations

Journal Article
TL;DR: This paper describes the beliefs of trustworthy parties involved in authentication protocols and the evolution of these beliefs as a consequence of communication, and gives the results of the analysis of four published protocols.
Abstract: Authentication protocols are the basis of security in many distributed systems, and it is therefore essential to ensure that these protocols function correctly. Unfortunately, their design has been extremely error prone. Most of the protocols found in the literature contain redundancies or security flaws. A simple logic has allowed us to describe the beliefs of trustworthy parties involved in authentication protocols and the evolution of these beliefs as a consequence of communication. We have been able to explain a variety of authentication protocols formally, to discover subtleties and errors in them, and to suggest improvements. In this paper we present the logic and then give the results of our analysis of four published protocols, chosen either because of their practical importance or because they serve to illustrate our method.

2,638 citations

01 Apr 1997
TL;DR: The objective of this paper is to give a comprehensive introduction to applied cryptography with an engineer or computer scientist in mind on the knowledge needed to create practical systems which supports integrity, confidentiality, or authenticity.
Abstract: The objective of this paper is to give a comprehensive introduction to applied cryptography with an engineer or computer scientist in mind. The emphasis is on the knowledge needed to create practical systems which supports integrity, confidentiality, or authenticity. Topics covered includes an introduction to the concepts in cryptography, attacks against cryptographic systems, key use and handling, random bit generation, encryption modes, and message authentication codes. Recommendations on algorithms and further reading is given in the end of the paper. This paper should make the reader able to build, understand and evaluate system descriptions and designs based on the cryptographic components described in the paper.

2,188 citations


"Authentication via localized names" refers background in this paper

  • ...For example, entity authentication is related to the verification of an entity’s claimed identity [8], while message authentication should make it possible for the receiver of a message to ascertain its origin [20]....

Journal Article
TL;DR: The purpose of the present paper is to provide a detailed presentation of some of the theory of the calculus developed to date, and in particular to establish most of the results stated in the companion paper.
Abstract: This is the second of two papers in which we present the π-calculus, a calculus of mobile processes. The companion paper (Milner, Parrow, and Walker, 1989a) contains an introduction to the calculus through a sequence of examples, together with statements of many results about it. The purpose of the present paper is to provide a detailed presentation of some of the theory of the calculus developed to date, and in particular to establish most of the results stated in the companion paper. Once the motivation and intuition for the π-calculus are understood, with the help of the companion paper, the present paper serves as a self-contained development of the theory. To achieve this we have found it necessary to repeat some material from the companion paper. Section 1 contains a description of the syntax of agents and a discursive presentation of the transitional semantics. In Section 2 we present and motivate the definitions of strong bisimulation and strong bisimilarity, strong equivalence, and a useful family of indexed equivalences. Section 3 contains a series of properties of strong bisimilarity, while properties of

1,913 citations


"Authentication via localized names" refers background in this paper

  • ...In this section we briefly recall the π-calculus [12], a model of concurrent communicating processes based on the notion of naming....

  • ...We recall here the basic ideas of [2] which extend the standard semantics of the π-calculus of [12], in that it handles names locally....

  • ...The essence of concurrent and mobile computation can be studied in a pure form using the π-calculus [12], a foundational calculus based on the notion of naming....

Proceedings Article
01 Apr 1997
TL;DR: The spi calculus is introduced, an extension of the pi calculus designed for describing and analyzing cryptographic protocols and state their security properties in terms of coarse-grained notions of protocol equivalence.
Abstract: We introduce the spi calculus, an extension of the pi calculus designed for describing and analyzing cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the spi calculus enables us to consider cryptographic issues in more detail. We represent protocols as processes in the spi calculus and state their security properties in terms of coarse-grained notions of protocol equivalence. © 1999 Academic Press

1,412 citations


"Authentication via localized names" refers background or methods in this paper

  • ...As an example, we study the way authentication is ensured by encrypting messages in the spi-calculus [1]....

  • ...The authentication property studied in [1] seems slightly stronger than ours: it requires that if A has to send a message to B, then this should be the only message that B accepts at the end of (a successful run of) the protocol....

  • ...Not surprisingly, the specification is in the style of [1]....

  • ...A remarkable example of a process algebra with cryptographic features is given by the spi-calculus [1], over which the mechanism of handling names locally carries easily....

  • ...We plan to apply the proof techniques presented in [1] to our model....