Deciding knowledge in security protocols under equational theories
The analysis of security protocols requires precise formulations of the knowledge of protocol participants and attackers. In formal approaches this knowledge is often treated in terms of message deducibility and indistinguishability relations. In this ...
Compositional analysis of contract-signing protocols
We develop a general method for proving properties of contract-signing protocols using a specialized protocol logic. The method is applied to the Asokan-Shoup--Waidner and the Garay-Jacobson-MacKenzie protocols. Our method offers certain advantages over ...
Formal analysis of Kerberos 5
We report on the detailed verification of a substantial portion of the Kerberos 5 protocol specification. Because it targeted a deployed protocol rather than an academic abstraction, this multiyear effort led to the development of new analysis methods ...
On the semantics of Alice&Bob specifications of security protocols
In the context of security protocols, the so-called Alice&Bob notation is often used to describe the messages exchanged between honest principals in successful protocol runs. While intuitive, this notation is ambiguous in its description of the actions ...
Probable innocence revisited
In this paper we propose a formalization of probable innocence, a notion of probabilistic anonymity that is associated to "realistic" protocols such as Crowds. We analyze critically two different definitions of probable innocence from the literature. ...
Injective synchronisation: an extension of the authentication hierarchy
Authentication is one of the foremost goals of many security protocols. It is most often formalised as a form of agreement, which expresses that the communicating partners agree on the values of a number of variables. In this paper we formalise and ...
A rewriting-based inference system for the NRL Protocol analyzer and its meta-logical properties
The NRL Protocol Analyzer (NPA) is a tool for the formal specification and analysis of cryptographic protocols that has been used with great effect on a number of complex real-life protocols. One of the most interesting of its features is that it can be ...
A framework for security analysis of mobile wireless networks
We present a framework for specification and security analysis of communication protocols for mobile wireless networks. This setting introduces new challenges which are not being addressed by classical protocol analysis techniques. The main complication ...
A (restricted) quantifier elimination for security protocols
While reasoning about security protocols, most of the difficulty of reasoning relates to the complicated semantics (with freshness of nonces, multisessions, etc.). While logics for security protocols need to be abstract (without explicitly dealing with ...
Formal analysis of PIN block attacks
Personal identification number (PIN) blocks are 64-bit strings that encode a PIN ready for encryption and secure transmission in banking networks. These networks employ tamper-proof hardware security modules (HSMs) to perform sensitive cryptographic ...