58 research outputs found

    A Simple procedure for finding guessing attacks (extended abstract)

    A novel procedure for finding guessing attacks in security protocols is presented. The procedure has a simple and intuitive definition and is easily implementable.

    An Improved Constraint-based system for the verification of security protocols

    We propose a constraint-based system for the verification of security protocols that improves upon the one developed by Millen and Shmatikov. Our system features (1) a significantly more efficient implementation, (2) a monotonic behaviour, which also allows the detection of flaws associated with partial runs, and (3) a more expressive syntax, in which a principal may also perform explicit checks. We also show why these improvements yield a more effective and practical system.

    Analysis models for security protocols

    In this thesis, we present five significant, orthogonal extensions to the Dolev-Yao model. Each extension considers a more realistic setting, closer to the real world, and thus provides a stronger security guarantee. We provide examples both from the literature and from industrial case studies to show the practical applicability of each extension.

    PS-LTL for constraint-based security protocol analysis

    Several formal approaches have been proposed to analyse security protocols, e.g. [2,7,11,1,6,12]. Recently, interest in the constraint-solving approach has been growing. Initially proposed by Millen and Shmatikov [9], this approach allows analysis of a finite number of protocol sessions. Yet the representation of protocol runs by symbolic traces (as opposed to concrete traces) captures the possibility of an unbounded message space, allowing analysis over an infinite state space. A constraint is defined as a pair consisting of a message M and a set of messages K that represents the intruder's knowledge. Millen and Shmatikov present a procedure to solve a set of constraints, i.e. to decide whether, in each constraint, M can be built from K. When a set of constraints is solved, a concrete trace representing an attack on the protocol can be extracted.

    Corin and Etalle [4] have improved on the work of Millen and Shmatikov by presenting a more efficient procedure. However, none of these constraint-based systems provides enough flexibility and expressiveness in specifying security properties. For example, to check secrecy, an artificial protocol role is added to simulate whether a secret can be learned by an intruder. Authentication cannot be checked directly either. Moreover, only a built-in notion of authentication is implemented in Millen and Shmatikov's Prolog implementation [10]. This problem motivates our current work.

    A logical formalism is considered an appropriate way to improve the flexibility and expressiveness of security property specifications. A preliminary attempt to use logic for specifying local security properties in a constraint-based setting has been carried out [3]. Inspired by this work and by the successful NPATRL [11,8], we currently explore a variant of linear temporal logic (LTL) over finite traces, PS-LTL, standing for pure-past security LTL [5]. In contrast to standard LTL, this logic deals only with past events in a trace. In our current work, a protocol is modelled as in previous works [9,4,3], viz. by protocol roles. A protocol role is a sequence of send and receive events, together with status events to indicate, e.g., that a protocol role has completed its protocol run. A scenario is then used to fix the number of sessions and protocol roles considered in the analysis.

    Integrating PS-LTL into our constraint-solving approach presents a challenge, since we need to develop a sound and complete decision procedure over symbolic traces instead of concrete traces. Our idea for addressing this problem is to concretize symbolic traces incrementally while deciding a formula. Basically, the decision procedure consists of two steps: transform and decide. The former step transforms a PS-LTL formula, with respect to the current trace, into a so-called elementary formula built from constraints and equalities using logical connectives and quantifiers. The decision is then performed by the latter step, by solving the constraints and checking the equalities.

    Although we define a decision procedure only for a fragment of PS-LTL, this fragment is expressive enough to specify several security properties, such as various notions of secrecy and authentication, and also data freshness. We provide a Prolog implementation and have analysed several security protocols.

    There are many directions for improvement. From the implementation point of view, the efficiency of the decision procedure can still be improved. I would also like to investigate the expressiveness of the logic for specifying other security properties. This may result in an extension of the decision procedure to a larger fragment of the logic. Another direction is to characterize the expressive power of PS-LTL compared to other security requirement languages.

    A Trace Logic for Local Security Properties

    We propose a new, simple \emph{trace} logic that can be used to specify \emph{local security properties}, i.e. security properties that refer to a single participant of the protocol specification. Our technique allows a protocol designer to provide a formal specification of the desired security properties and to integrate it naturally into the design process of cryptographic protocols. Furthermore, the logic can be used for formal verification. We illustrate the utility of our technique by exposing new attacks on the well-studied protocol TMN.

    On Modelling Real-time and Security properties of Distributed Systems

    We discuss a simplified version of the timing attack to illustrate a connection between security and real-time properties of distributed systems. We suggest several avenues for further research on this and similar connections.

    How to pay in LicenseScript

    Current DRM systems do not provide flexible payment methods, requiring the user to handle the payment by hand. For instance, when the user needs to pay for watching a movie, she has to decide which of the available payment methods is the most suitable. This is a cumbersome process for the user that can be avoided by specifying payment policies. A payment policy automates the payment process for each content usage, choosing the best alternative among the possible payment methods. We show how LicenseScript is able to model payment policies, allowing the user to specify precisely how a payment for content usage should be performed.

    Licensing structured data with ease

    In response to the need for a rights expression language (REL), we have proposed LicenseScript, an REL based on multiset rewriting and Prolog. LicenseScript has an advantage over existing RELs in that it has a well-defined semantics. In fact, besides its semantics, LicenseScript has many other advantages over other RELs. The mission of this paper is twofold: (1) to put a spotlight on these advantages and (2) at the same time to justify some of our design rationales in LicenseScript. We accomplish this by giving examples of licensing models that are greatly facilitated by the use of Prolog as a component of LicenseScript. By showing how LicenseScript makes these non-trivial models viable, we also make a stronger case for LicenseScript than may previously have been apparent.

    A formally verified decentralized key management architecture for wireless sensor networks

    We present a decentralized key management architecture for wireless sensor networks, covering the aspects of key deployment, key refreshment and key establishment. Our architecture is based on a clear set of assumptions and guidelines. A balance between security and energy consumption is achieved by partitioning a system into two interoperable security realms: the supervised realm trades off simplicity and resources for higher security, whereas the unsupervised realm makes the opposite trade-off. Key deployment uses minimal key storage, while key refreshment is based on the well-studied scheme of Abdalla et al. The keying protocols involved use only symmetric cryptography and have all been verified with our constraint-solving-based protocol verification tool CoProVe.