From aline_said3 at hotmail.com Fri Aug 4 12:35:53 2006 From: aline_said3 at hotmail.com (ALINE SAID) Date: Fri Aug 4 05:54:06 2006 Subject: [Avispa-users] Question Message-ID: Hi. I have a parameter X already saved on user A and not created by this user. When user A send this parameter to B, it send it with the form: sndAB ({X}_Kb.) Kb is the public key of user B. I have to put witness (A, B, x, X) or witness (A, B, x, X’)? If I put witness (A, B, x, X’) I have an attack but if I put witness (A, B, x, X) it will be safe. Thanks in advance. _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today - it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ From aline_said3 at hotmail.com Fri Aug 4 12:37:42 2006 From: aline_said3 at hotmail.com (ALINE SAID) Date: Fri Aug 4 05:57:16 2006 Subject: [Avispa-users] Authentication question Message-ID: Hi. I have an attack with the authentication of Ida; the scenario is: State = 1 /\ RcvT1A({Hash({Hash(Na.Tstart'.Ida’)}_Ka)}_Ka) =|> State' := 3 /\ request(T1,A,taa1_alice_ida,Ida’) I have an attack on Ida but if I put request(T1,A,taa1_alice_ida,Ida’)in state3 it would be safe: State = 3 /\ request(T1,A,taa1_alice_ida,Ida’) Which format is right: I have to put request in state 3 or in state’:=3 ? Thanks in advance. _________________________________________________________________ Express yourself instantly with MSN Messenger! Download today - it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/ From Laurent.Vigneron at loria.fr Fri Aug 4 13:44:51 2006 From: Laurent.Vigneron at loria.fr (Laurent Vigneron) Date: Fri Aug 4 07:03:00 2006 Subject: [Avispa-users] Question In-Reply-To: References: Message-ID: <1154691891.44d3333360159@www.loria.fr> Hi Aline, > I have a parameter X already saved on user A and not created by this user. > When user A send this parameter to B, it send it with the form: sndAB > ({X}_Kb.) > Kb is the public key of user B. > I have to put witness (A, B, x, X) or witness (A, B, x, X?)? > If I put witness (A, B, x, X?) I have an attack but if I put witness (A, B, > x, X) it will be safe. In a transition, X represents the old value, and X' the new value (provided there is one). So if in your mesage you use X, an already known value, you have also to use X in the witness predicate. Laurent. From Laurent.Vigneron at loria.fr Fri Aug 4 14:43:11 2006 From: Laurent.Vigneron at loria.fr (Laurent Vigneron) Date: Fri Aug 4 08:01:23 2006 Subject: [Avispa-users] Authentication question In-Reply-To: References: Message-ID: <1154695391.44d340df565ac@www.loria.fr> Hi again, > I have an attack with the authentication of Ida; the scenario is: > State = 1 /\ RcvT1A({Hash({Hash(Na.Tstart'.Ida?)}_Ka)}_Ka) =|> > State' := 3 > /\ request(T1,A,taa1_alice_ida,Ida?) > > I have an attack on Ida but if I put request(T1,A,taa1_alice_ida,Ida?)in > state3 it would be safe: > State = 3 /\ request(T1,A,taa1_alice_ida,Ida?) > > Which format is right: I have to put request in state 3 or in state?:=3 ? I am not sure to really understand your last example (for state 3), but in any case a request predicate has to be put in the right-hand side of a transition. If state 3 is the final state, you do no need to add a specific transition for detecting when you are in state 3. The request predicate, put as in your first example should be OK. The main rule to remember when putting requests is to put them as late as possible. Laurent. PS: In your last case, do you mean Ida' or Ida in the request predicate? (if you are in another transition from that where you have learnt Ida, you have to write Ida and not Ida') From vigano at inf.ethz.ch Fri Aug 11 20:52:55 2006 From: vigano at inf.ethz.ch (Luca Vigano) Date: Fri Aug 11 14:10:51 2006 Subject: [Avispa-users] Special Issue of Information and Computation on 'Computer Security: Foundations and Automated Reasoning' Message-ID: <20060811185255.GA5721@nyx.inf.ethz.ch> (apologies for multiple posting) Special Issue of Information and Computation on Computer Security: Foundations and Automated Reasoning http://www.avispa-project.org/arspa *********************** *** CALL FOR PAPERS *** *********************** BACKGROUND AND SCOPE ==================== In connection with the Joint Workshop on Foundations of Computer Security and Automated Reasoning for Security Protocol Analysis FCS-ARSPA'06, a satellite event of LICS'06 as part of FLoC 2006, we are guest-editing a Special Issue of Information and Computation devoted to original papers on foundations and formal methods in computer security. Contributions are welcomed on the following topics and related ones: Automated reasoning techniques Composition issues Formal specification Foundations of verification Information flow analysis Language-based security Logic-based design Program transformation Security models Static analysis Statistical methods Tools Trust management for Access control and resource usage control Authentication Availability and denial of service Covert channels Confidentiality Integrity and privacy Intrusion detection Malicious code Mobile code Mutual distrust Privacy Security policies Security protocols SUBMISSION ========== Authors should submit their papers electronically, in portable document format (pdf) or postscript (ps), by sending an email with subject "I&C submission" to the address fcs-arspa06 - at - lists.inf.ethz.ch with the file of the paper as an attachment, by November 12, 2006. The following information should be included in the body of the email, in plain text: - paper title - author names - coordinates of the corresponding author - abstract of the paper The cover page of the submission should also include this information. Please, do not send files formatted for work processing packages (e.g., Microsoft Word or Wordperfect files). Authors are strongly encouraged to use Elsevier Science's document class 'elsart', or alternatively the standard document class 'article'. The Elsevier LaTeX package (including detailed instructions for LaTeX preparation) can be obtained from Elsevier's web site: http://www.elsevier.com/locate/latex (see also http://www.elsevier.com/wps/find/journaldescription.cws_home/505625/description). Submitted papers must be original and not submitted for journal publication elsewhere. The submitted papers will be subject to the standard journal refereeing process. We kindly ask the authors to send us an abstract of their submission by November 5, 2006. DEADLINES ========= Submission of abstract: November 5, 2006 Submission of paper: November 12, 2006 EDITORS ======= Pierpaolo Degano (Universita` di Pisa, Italy) Ralf Kuesters (ETH Zurich, Switzerland) Luca Vigano` (ETH Zurich, Switzerland) Steve Zdancewic (University of Pennsylvania, USA) From bhavin.desai at ntlworld.com Mon Aug 21 18:49:38 2006 From: bhavin.desai at ntlworld.com (bhavin.desai@ntlworld.com) Date: Mon Aug 21 10:56:18 2006 Subject: [Avispa-users] Unable to Model a Known Insecure Protocol Message-ID: <20060821164938.TBWL15733.aamtaout04-winn.ispmail.ntl.com@smtp.ntlworld.com> Hello, As shown below, I am trying to model a fairly simple protocol, called the Second Protocol Attempt in the book "Protocols for Authentication and Key Establishment " by Boyd and Mathuria. I was expecting AVISPA to produce a result of UNSAFE. However, the result is SAFE. The Alice & Bob notation, and the HLPSL is shown below. Perhaps I have modelled it wrong? Bhavin. ============================================= %% STILL NEED THE FRESHNESS GOAL SATISFIED %% Boyd and Mathuria %% Second Protocol Attempt %% %% 1. A -> S : A, B %% 2. S -> A : {Kab}_Kas, {Kab}_Kbs %% 3. A -> B : {Kab}_Kbs, A %% %% This is modelled in HLPSL for AVISPA as follows. %% %% HLPSL: %%---------------------------------------------------------------------- role alice (A, S, B: agent, Kas, Kbs : symmetric_key, SND_SA, RCV_SA, SND_BA, RCV_BA: channel(dy)) played_by A def= local Kab : symmetric_key, State : nat, X : {symmetric_key}_symmetric_key %% Note that X is required for X' = {Kab'}_Kbs below init State := 100 transition %% 1. A -> S : A, B 100. State = 100 /\ RCV_BA(start) =|> State':= 110 /\ SND_SA(A.B) %% 2. S -> A : {Kab}_Kas, {Kab}_Kbs 110. State = 110 /\ RCV_SA({Kab'}_Kas.X') =|> %% 3. A -> B : {Kab}_Kbs, A State':= 120 /\ SND_BA(X'.A) /\ witness(A, B, alice_bob_Kab, Kab') end role %%---------------------------------------------------------------------- role server (A, S, B: agent, Kas, Kbs : symmetric_key, SND_AS, RCV_AS: channel(dy)) played_by S def= local Kab : symmetric_key, State : nat init State := 200 transition %% 1. A -> S : A, B 200. State = 200 /\ RCV_AS(A.B) =|> %% 2. S -> A : {Kab}_Kas, {Kab}_Kbs State':= 2 /\ Kab' := new() /\ SND_AS({Kab'}_Kas.{Kab'}_Kbs) /\ secret(Kab', kab, {A, S, B}) %% IGNORED 3. A -> B : {Kab}_Kbs, A end role %%---------------------------------------------------------------------- role bob (A, S, B: agent, Kbs : symmetric_key, RCV_AB: channel(dy)) played_by B def= local Kab : symmetric_key, State : nat init State := 300 transition %% IGNORED 1. A -> S : A, B %% IGNORED 2. S -> A : KAB %% 3. A -> B : {Kab}_Kbs, A 300. State = 300 /\ RCV_AB({Kab'}_Kbs.A) =|> State':= 310 /\ witness(B, A, alice_bob_Kab, Kab') end role %%---------------------------------------------------------------------- role session(A, S, B : agent, Kas, Kbs : symmetric_key) def= local SSA, RSA, SBA, RBA, SAS, RAS, RAB: channel(dy) composition alice (A, S, B, Kas, Kbs, SSA, RSA, SBA, RBA) /\ server(A, S, B, Kas, Kbs, SAS, RAS) /\ bob (A, S, B, Kbs, RAB) end role %%---------------------------------------------------------------------- role environment() def= const a, b, s : agent, kas, kbs, ki : symmetric_key, kab: protocol_id intruder_knowledge = {a, b, s, ki} composition session(a,s,b, ka, kb) /\ session(a,s,i, ka, ki) /\ session(i,s,b, ki, kb) end role %%---------------------------------------------------------------------- goal secrecy_of kab end goal %%---------------------------------------------------------------------- environment() ----------------------------------------- Email sent from www.ntlworld.com Virus-checked using McAfee(R) Software Visit www.ntlworld.com/security for more information From Laurent.Vigneron at loria.fr Tue Aug 22 11:03:32 2006 From: Laurent.Vigneron at loria.fr (Laurent Vigneron) Date: Tue Aug 22 03:10:12 2006 Subject: [Avispa-users] Unable to Model a Known Insecure Protocol In-Reply-To: <20060821164938.TBWL15733.aamtaout04-winn.ispmail.ntl.com@smtp.ntlworld.com> References: <20060821164938.TBWL15733.aamtaout04-winn.ispmail.ntl.com@smtp.ntlworld.com> Message-ID: <17642.51300.432536.445406@valhey.loria.fr> Hi Bhavin, After a quick look at your specification, I see two problems: - in the parameters of role alice, you have put Kbs; this key should not be known by A. - you have two witness() predicates, but no request predicate; the one in role bob should be request() (or a wrequest() if you want to test weak authentication). The only goal that you have right now is a secrecy goal. If you want to test an authentication attack, do not forget to add this goal too: authentication_on alice_bob_Kab or weak_authentication_on alice_bob_Kab I have not check if those corrections do change anything to the result of the analysis, but if there are still some problems, do not hesitate to continue the discussion on the mailing-list. Laurent. From carmen.yago-sanchez.external at eads.com Fri Aug 25 12:03:50 2006 From: carmen.yago-sanchez.external at eads.com (Yago-Sanchez, Carmen (Ext)) Date: Fri Aug 25 04:10:25 2006 Subject: [Avispa-users] Cuestion about the executability of the model Message-ID: <48118F1A5369044088483C9DB5BE61EE0601D68E@edsnmsxbda05.edsn.com> Hello, I am using AVISPA to test some specifications. To check the executability of my model, I use the following instructions: avispa mymodel.hlpsl --ofmc -sessco avispa mymodel.hlpsl --satmc --check_only_executability=true In the first case, AVISPA does not tell me that the "protocol is not executable" and the second case it tells me the rules can be executed. But when I execute: avispa mymodel.hlpsl --ofmc -p to see the "search tree" AVISPA only shows one or two transitions (I am testing several hlpsl files). Can anybody tell me why the two first tests finish with success and the third fails? Is it normal that "--ofmc -p" shows such a low number of transitions? Thank you in advance. Best regards, Carmen