Topic
Otway–Rees protocol
About: Otway–Rees protocol is a research topic. Over the lifetime, 1975 publications have been published within this topic receiving 40569 citations.
Papers published on a yearly basis
Papers
More filters
08 Jun 1997
TL;DR: The use, design, and implementation of an asymmetric transport-layer protocol for mobile systems, termed by us Mobile-TCP that provides the TCP functionality, is advocated and implemented.
Abstract: In this paper, we advocate the use, propose the design, and describe the implementation of an asymmetric transport-layer protocol for mobile systems. In an asymmetrically designed protocol, peer functions are implemented through algorithms and procedures that are of substantially different complexity, with the lower complexity procedures used on the mobile device. We have devised and implemented an example of such a communication protocol, termed by us Mobile-TCP that provides the TCP functionality. Although Mobile-TCP is based on the indirect interaction model, the semantics of the TCP protocol are preserved.
175 citations
TL;DR: The main theorem guarantees that any well-typed protocol is robustly safe, that is, its correspondence assertions are true in the presence of any opponent expressible in spi.
Abstract: We propose a new method to check authenticity properties of cryptographic protocols. First, code up the protocol in the spi-calculus of Abadi and Gordon. Second, specify authenticity properties by annotating the code with correspondence assertions in the style of Woo and Lam. Third, figure out types for the keys, nonces, and messages of the protocol. Fourth, check that the spi-calculus code is well-typed according to a novel type and effect system presented in this paper. Our main theorem guarantees that any well-typed protocol is robustly safe, that is, its correspondence assertions are true in the presence of any opponent expressible in spi. It is feasible to apply this method by hand to several well-known cryptographic protocols. It requires little human effort per protocol, puts no bound on the size of the opponent, and requires no state space enumeration. Moreover, the types for protocol data provide some intuitive explanation of how the protocol works. This paper describes our method and gives some simple examples. Our method has led us to the independent rediscovery of flaws in existing protocols and to the design of improved protocols.
173 citations
01 Oct 1997
TL;DR: This document describes how a protocol specifies a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions, and defines the protocol for carrying a negotiated security layer over the connection.
Abstract: This document describes a method for adding authentication support to connection-based protocols. To use this specification, a protocol includes a command for identifying and authenticating a user to a server and for optionally negotiating protection of subsequent protocol interactions. If its use is negotiated, a security layer is inserted between the protocol and the connection. This document describes how a protocol specifies such a command, defines several mechanisms for use by the command, and defines the protocol used for carrying a negotiated security layer over the connection.
171 citations
TL;DR: A general framework for deriving security protocols from simple components, using composition, refinements, and transformations is proposed, and the derivation system provides a framework for further improvements.
Abstract: Many authentication and key exchange protocols are built using an accepted set of standard concepts such as Diffie-Hellman key exchange, nonces to avoid replay, certificates from an accepted authority, and encrypted or signed messages. We propose a general framework for deriving security protocols from simple components, using composition, refinements, and transformations. AS a case study, we examine the structure of a family of key exchange protocols that includes Station-TO-Station (STS), ISO-9798-3, Just Fast Keying (JFK), IKE and related protocols, derving all members of the family from two basic protocols, In order to associate formal proofs with protocol derivations, we extend our previous security protocol logic with preconditions, temporal assertions, composition rules, and Several other improvements. Using the logic, which we prove is sound with respect to the standard symbolic model of protocol execution and attack (the "Dolev-Yao model"), the security properties of the standard signature based Challange- Response protocol and the Diffie-Hellman key exchange protocol are estabilished. The ISO-9798-3 protocol is then proved correct by composing the correctness proofs of these two simple protocols Although our current formal logic is not sufficient to modulary prove security for all of our current protocol derivations. the derivation system provides a framework for further improvements.
169 citations
TL;DR: A new protocol for establishing secure communications over an insecure communications charmel in the absence of trusted third parties or authenticated keys is presented, which forces a potential eavesdropper to reveal his existence by modifying and seriously garbling the communication.
Abstract: We present a new protocol for establishing secure communications over an insecure communications charmel in the absence of trusted third parties or authenticated keys. The protocol is an improvement over the simpler protocol in which the communicating parties exchanged their public encryption keys and used them to encrypt messages. It forces a potential eavesdropper--if he wants to understand the messages--to reveal his existence by modifying and seriously garbling the communication.
162 citations