Abstract
When trying to prove the security of a protocol, one usually analyzes the protocol in isolation, i.e., in a network with no other protocols. But in reality, there will be many protocols operating on the same network, maybe even sharing data including keys, and an intruder may use messages of one protocol to break another. We call that a multi-protocol attack. In this paper, we try to find such attacks using the Tamarin prover. We analyze both examples that were previously analyzed by hand or using other tools, and find novel attacks.
This research was conducted with the support of the Indo-French Centre for the Promotion of Advanced Research (IFCPAR) and the Center Franco-Indien Pour La Promotion De La Recherche Avancée (CEFIPRA) through the project DST/CNRS 2015-03 under DST-INRIA-CNRS Targeted Programme, and by the CNRS PEPS SISC ASSI 2016/2017.
Access provided by CONRICYT-eBooks. Download conference paper PDF
Similar content being viewed by others
1 Introduction
When analyzing the security of protocols, one aims at proving specific security properties. The most common types of properties are secrecy, meaning that an intruder cannot know a secret value, and authentication, meaning that if A thinks he is talking to B, then he is really talking to B. In our digitalized world there are more and more cryptographic protocols everywhere, and we want to verify them to ensure their security.
It is not realistic to assume that a protocol is running alone in the network, and in the real world, an intruder can try to use messages of other protocols in the network to break a protocol. That is what we call a multi-protocol attack.
More precisely, we study the following problem of multi-protocols attacks. Given two protocols that ensure a certain security property in isolation, are they still safe for this property if we put them together in the same network? Unsurprisingly there exist many combinations of protocols where this is not the case, i.e., where we can mount multi-protocols attacks.
There are a lot of tools for automatic analysis of security properties, like ProVerif [3], AVISPA [2], Athena [27], Scyther [12], or Tamarin [23]. But they are generally used to analyze the security of a protocol executed in isolation, meaning that each agent only executes the analyzed protocol. In this paper, our aim is also to automatically find multi-protocols attacks using Tamarin .
Contributions: Several multi-protocols attacks have been found manually or using other tools, our aim is to find them automatically using the Tamarin prover [23]. Our contributions are the following:
-
We automatically find all the manual attacks described in [22]. Moreover, we find novel different attacks on the same properties, or unknown attacks on different properties. This demonstrates the limitations of a manual approach for finding attacks. It underlines that automatic verification is a very efficient approach for analyzing the security of cryptographic protocols.
-
We analyzed all the protocols given in [9], where the authors used Scyther, a different protocol verification tool. We confirm the results from Scyther using Tamarin.
-
We developed an algorithm to simplify the process of creating the multi-protocol specification file in Tamarin from the individual protocol specifications. The algorithm also automatically generates necessary helping lemmas in Tamarin in order to verify the combination of the two protocols more efficiently. The algorithm is implemented in Python, and available online [15].
Related work: The existence of multi-protocol attack have been introduced by Kelsey, Schneier, and Wagner in [18]. In this paper the attacks were found manually and the authors consider protocols crafted to break other protocols.
In [22], Mathuria, Raj Singh, Venkata Sharavan, and Kirtankar found six multi-protocol attacks based on 13 protocols from literature: Denning-Sacco protocol [13], amended Woo-Lam protocol [5], ISO Five-Pass protocol [7], Abadi-Needham protocol [1], six protocols from Perrig and Song using APG [26], and three protocols from Zhou and Foley using ASPB [30]. In contrast to these works, we use an automatic verification tool to find these attacks.
Cremers found many multi-protocol attacks in [9], using the tool Scyther, with 30 protocols from literature including Needham Schroeder protocol [24], Needham Schroeder symmetric key protocol [24], Needham Schroeder symmetric key amended protocol [25], Lowe’s modified version of the Needham Schroeder protocol [19], SPLICE/AS [29], Hwang and Chen’s version of SPLICE/AS [16], Clark and Jacob’s version of SPLICE/AS [8], a basic SOPH example (Secret-Out Public-Home), Woo Lam pi f [28], Kao Chow v.1, v.2 and v.3 [17], Yahalom’s protocol [4], and Lowe’s version of Yahalom protocol [21]. Compared to this work we use the Tamarin instead of Scyther.
There is also a considerable amount of work of preventing multi-protocol attacks by construction using special composition frameworks. These frameworks exist in the computational (e.g., Universal Composability [6]) and in the symbolic setting (e.g., Protocol Composition Logic [14]).
Outline: The paper is structured as follows. In Sect. 2, we present the results we obtain and we compare them with those obtained manually in [22] or using Scyther [9]. Then, Sect. 3 discusses our workflow in Tamarin , and finally the last section concludes the paper.
2 Multi-protocol Attacks
First we define the properties that we want to verify for each protocol. We define one property for secrecy and two authentication properties.
-
Secrecy [10]: if A claims the secrecy of a variable \(N_A\) at the end of the run of the protocol, then an intruder cannot know this variable.
-
Non-injective agreement [11]: if a protagonist A completes a run apparently with B, then B has run the protocol with A and A agrees with all other protagonist on all values. This is not exactly the same definition as in [20], but we keep this definition because it is this one that is used by Scyther.
-
Non-injective synchronisation [11]: if a protagonist A completes a run as the initiator apparently with B as the responder, then B has run the protocol as the responder with A, and all messages sent and received are exactly like described in the specification of the protocol, in the same order.
We call a type-flaw attack an attack where the intruder uses data of a different type than the data expected by the protocol. For example, in such an attack, the intruder could use two nonces \(N_1\), \(N_2\) instead of another single nonce N (\(N=(N_1,N_2)\)), or uses an ID as a nonce. We consider separately the case where the intruder can make type-flaw attacks (such attacks are valid) and the case where the intruder cannot (such attacks are not valid).
All our Tamarin files are available online [15].
2.1 Attacks by Cremers [9]
First we study the protocols analyzed in [9] using Scyther. We modeled all these protocols individually in Tamarin . Figure 1 presents our results using Tamarin for the properties described previously, and Fig. 2 presents our results for multi-protocols using Tamarin , where we verify the properties for the first of the two protocols. In these figures, ni-synch stands for non-injective synchronisation, sec stands for secrecy and ni-agree stands for non-injective agreement. Moreover, 
means that we did not find any attacks, and 
means there is at least one attack for the property. A yellow box means that the first protocol (the one for which we verify the security properties in the combination) is safe for this property in isolation, and red box means that both protocols are safe for this property in isolation. Empty box means that the property is not relevant for this protocol, for example the key \(K_{AB}\) does not exist in the protocol in the property secrecy A \(K_{AB}\) and secrecy B \(K_{AB}\), or a protagonist A never obtains a nonce \(N_B\) in the property secrecy A \(N_B\).
We find the same results with Tamarin as with Scyther. We do not consider type-flaw attack for these protocols, because the number of combination with multi-protocol attack is too large (more than 100 different combinations) to model them all manually with Tamarin . All timings are calculated with 6 CPUs of 2 GHz and 32 GB of memory.
Results found using Tamarin with NS = Needham Schroeder [24], NSS = Needham Schroeder Symmetric Key [24], NSSA = Needham Schroeder Symmetric Key Amended [25], NSL = Needham Schroeder Lowe [19], AS = SPLICE/AS [29], AShc = Hwang and Chen version of SPLICE/AS [16], AScj = Clark and Jacob version of SPLICE/AS [8], K = Kao Chow [17], K2 = Kao Chow v.2 [17], K3 = Kao Chow v.3 [17], WLpif = Woo Lam pi f [28], Y = Yahalom [4], YL = Yahalom Lowe [21], soph = a SOPH basic example. ni-synch denotes non-injective synchronisation, ni-agree denotes non-injective agreement, and sec A \(N_A\) denotes the fact that A claims the secrecy of \(N_A\).
Result found with Tamarin . NS = Needham Schroeder [24], NSS = Needham Schroeder Symmetric Key [24], NSSA = Needham Schroeder Symmetric Key Amended [25], NSL = Needham Schroeder Lowe [19], AS = SPLICE/AS [29], AShc = Hwang and Chen’s version of SPLICE/AS [16], AScj = Clark and Jacob’s version of SPLICE/AS [8], K = Kao Chow [17], K2 = Kao Chow v.2 [17], K3 = Kao Chow v.3 [17], WLpif = Woo Lam pi f [28], Y = Yahalom [4], YL = Yahalom Lowe [21], soph = a SOPH basic example. ni-synch denotes non-injective synchronisation, ni-agree denotes non-injective agreement, and sec A \(N_A\) denotes fact that A claims the secrecy of \(N_A\). * = the first protocol is safe in isolation, ** = both protocol are safe in isolation (Color figure online)
We can see in Fig. 2 that even if two protocols are safe in isolation for a property, it is not guaranteed that the combination of this two protocols is safe too if they share keys, and multi-protocol attacks are not only due to the other protocol that is not safe for this property.
We would expect that Tamarin takes more time to analyze properties for multi-protocols than for protocols in isolation, due to the increased number of transitions and the larger number of traces with the new protocol.
But as we can see in Figs. 1 and 2, this is not always the case, like for example for the property ni-synch A for Kao Chow (K) in Fig. 1, and for Kao Chow + Woo Lam pi f (K + WLpif) in Fig. 2. This is generally due to the fact that Tamarin finds an attack more rapidly than a proof as Tamarin stops after the first attack it finds (it does not try to find all attacks).
It can also happen that Tamarin proves a property for the combination of protocols more quickly than for the protocols in isolation, like for example Needham Schroeder Lowe in Fig. 1 and Needham Schroeder Lowe + SPLICE/AS in Fig. 2 for ni-synch A. This can occur for example if the precomputations are the dominating part of the total runtime.
2.2 Attacks by Mathuria et al. [22]
We try to find the attacks described in [22] using Tamarin , to see if we find the same or different attacks if we use an automatic tool. The properties verified are not clearly defined in [22], so we keep the properties as defined previously. More precisely, we verified different authentication properties: non-injective synchronization, non-injective agreement, and a weaker agreement property. The property non-injective agreement as define previously is too strong to get comparable result with the paper, most of protocols of the paper are not safe for this property even in isolation. So we consider a weaker authentication property defined as follows:
-
weaker agreement: if B thinks that a nonce \(N_A\) is generated by A, then A has generated \(N_A\) and B authenticates A (called Aut A in Figs. 3 and 4).
Figure 3 summarizes results that we obtain with Tamarin in isolation on protocols from [22], and Fig. 4 summarizes results we obtain for the multi-protocols. As previously, ni-synch stands for non-injective synchronization, sec stands for secrecy and ni-agree stands for non-injective agreement. Moreover 
means that we did not find any attacks, and 
means there is at least one attack for the property. A yellow box means that the first protocol (the one for which we verify security in the combination) is safe for this property in isolation, and red box means that both protocols are safe for this property in isolation. An empty box means that the property is not relevant for this protocol.
We can see in Fig. 3 in the case of APG.3 for non-injective synchronization and non-injective agreement, all attacks which we found in isolation are type-flaw attacks, and the protocol is safe if we do not consider type-flaw attacks. But attacks we found for APG.3 with APG.2 are not type flaw attacks (see 2.2), so we consider type-flaw attacks separately in this paper. But in the case of ZF.2, we have a protocol that is not safe for any property, considering type-flaws or not. So it is useless to see if ZF.2 can have a multi-protocol attack for a property in combination with an other protocol, a point that the authors of the original paper missed most likely since they searched for attacks manually.
The property weaker agreement seems to be closest to the property used in [22], because we found the same attacks for some protocols. Thus, in rest of the paper, we only present attacks on this property.
In comparison to the original paper we have found, using Tamarin , sometimes different attacks, and sometimes new attacks on the authentication of other protagonists in the same combination of protocols. This is likely due to the fact that Mathuria et al. searched for attacks manually, and were thus probably unable to analyze all combinations in detail or missed attacks in their analysis.
In all protocols, we have three participants, A the initiator, B the responder, and S the trusted server. We use symmetric encryption, so S shares the key \(K_{AS}\) (respectively \(K_{BS}\)) with A (respectively B). Moreover, \(K_{AB}\) denotes the session key between A and B, and \(N_A\) (respectively \(N_B\)) a nonce generated by A (respectively B). Then \(\{M\}_K\) denotes the cipher-text obtained by encrypting a message M with the symmetric key K. As in the original paper, we assume that each participant shares the same key for both protocols. In the following, when we talk about authentication, we mean non-injective agreement.
In the following we discuss our results in details. First we discuss attacks that we found and that differ from those presented in [22], then we present new attacks for properties that were not analyzed in [22].
Different Attacks
APG.4 with APG.6: The first attack is on the authentication of A. In this attack, two protagonists A and \(A'\) initiate the APG.6 [26] protocol with B, and the intruder C pretends to be A in APG.4 [26]. In the protocol initiated by \(A'\), C learns \((N_{A'},N_B',A')\), used as a session key, and its ciphertext \(\{N_{A'},N_B',A'\}_{K_{BS}}\). In the protocol initiated by A, C learns the nonce \(N_B\), used to authenticate to B. In Fig. 5, steps on the left hand side are steps of APG.4, and steps on the right hand side are steps from APG.6.
Representation of the attack on APG.4 with APG.6.
This attack is a type-flaw attack, because the intruder uses \((N_{A'},N_B',A')\) as a session key. So we blocked type-flaw attacks in Tamarin to see if there are other types of attacks, and we did not find other attacks on the authentication of A.
Denning-Sacco with Amended Woo-Lam: This attack is on the authentication of A. Again, it is a type-flaw attack, because the intruder uses \((K_{AB},T)\) as a nonce. In this attack, the intruder C plays the role of A and S in both protocols. First, B initiates a protocol Woo-Lam [5] with C who impersonates A. Then C sends the ID of A and a fake session key and a timestamp as a nonce. B encrypts that and C has now a valid message to send to B in Denning-Sacco [13]. This attack is described in Fig. 6.
Representation of the attack on Denning-Sacco with Woo-Lam.
We did not find other types of attacks for this protocol when we blocked type-flaw attacks in Tamarin using a modified model.
New Attacks
APG.1 with APG.2: The attack described in [22] is an attack on the authentication of B, but we also found an attack on the authentication of A. In this attack, the intruder C plays the role of A in both protocols. First, B runs the APG.2 [26] protocol as the initiator and then the protocol APG.1 [26] as the responder. C can pretend to be A in APG.1 and B will accept. In Fig. 7 steps at the left are steps from APG.1, and the right part are steps from APG.2.
Representation of the attack on APG.1 with APG.2.
APG.3 with APG.2: This attack is an attack on the authentication of B. This attack is possible if A runs the APG.3 [26] protocol as the initiator, and APG.2 [26] as the responder. In this attack, C plays the roles of B and S in both protocols. Then C can pretend to be B in APG.3, and A will accept. In Fig. 8 steps at the left are steps of APG.3, and at the right part are steps from APG.2.
Representation of the attack on APG.3 with APG.2.
We also found an attack on the authentication of A. In this attack, the intruder C plays the role of A in both protocols. B runs the APG.2 protocol as the initiator, and APG.3 as the responder. C can pretend to be A, and B in APG.3 will accept. In Fig. 9 steps at the left are steps from APG.3, and steps at the right are steps from APG.2.
Representation of the attack on APG.3 with APG.2.
APG.4 with APG.6: We found an attack on the authentication of B. In this attack, A initiates the protocol APG.3, then the intruder C will initiate APG.6 with B, using data sent by A in the other protocol. Finally, C sends the answer of B to the server in APG.4, and lets the protocol run. In Fig. 10, steps on the left hand side are steps from APG.4, and steps on the right hand side are steps from APG.6.
Representation of the attack on APG.4 with APG.6.
Representation of the attack on APG.5 with APG.6.
This attack is possible because the message from APG.6 used for this attack is also used in APG.4, so C can get a response from B, while B does not act in APG.4.
APG.5 with APG.6: This attack is on the authentication of A. In this attack, two protagonists A and \(A'\) initiate the APG.6 [26] protocol with B, and the intruder C pretends to be A in APG.5 [26]. In the protocol initiated by \(A'\), C learns \((N_{A'},N_B',A')\), used as a session key, and its encrypted version \(\{N_{A'},N_B',A'\}_{K_{BS}}\). In the protocol initiated by A, C learns the nonce \(N_B\), used to authenticate to B. In Fig. 11, steps at the left part are steps of APG.5, and steps on the right are steps from APG.6.
This attack is a type-flaw attack. So we changed our model to disable such type-flaw attacks in Tamarin to see if there are other types of attacks, and we did not find another attack on the authentication of A.
We also found an attack on the authentication of A where the intruder uses \((N_{A'},N_B',A')\) as a session key. In this attack, A initiates the protocol APG.5, then the intruder C will initiate APG.6 with B, using data sent by A in the other protocol. Finally, C sends the answer of B to the server in APG.5, and lets the protocol run. In Fig. 12, steps on the left hand side are steps from APG.5, and on the right hand side are steps from APG.6.
Representation of the attack on APG.5 with APG.6.
This attack is possible because the message from APG.6 used for this attack is also used in APG.5, so C can get a response from B, while B does not act in APG.5.
3 Workflow in Tamarin
As we had to write many different combinations of multiple protocols to obtain our results, we tried to simplify the process by adopting the following workflow to combine to protocols:
-
1.
Specify each protocol individually and check the properties in isolation using Tamarin.
-
2.
Generate the files for all the required combinations using the individual specifications.
-
3.
Verify the combined protocols, and compare the results to known results.
To simplify the process of generating the combined specifications, we adopted certain (mostly syntactic) conventions when specifying the protocols. These mostly concern the common setup rules (key distribution etc.), the placement of labels, and the uniqueness of labels to avoid conflicts.
These conventions allowed us to develop an algorithm that can generate the input files of the composed protocols based on the individual specifications, including intermediate lemmas that simplify the analysis for Tamarin by removing undesirable cases for the subsequent analysis. The generation of these lemmas goes beyond a pure syntactical merger of the individual files. The algorithm requires some interaction with Tamarin, but noticeably simplifies the following analysis. The main idea is that if Tamarin finds an a problem in the merged lemma, then we need to analyze the trace produced by the tool and to modify the lemma. This procedure seems to be systematic for all the examples that we have considered here.
This algorithm is implemented in Python, and works automatically on most combinations from [9, 22]. Only in a handful of cases we need to manually adapt the produced output to obtain a valid lemma that removes all undesirable cases. Note that even in these cases, the manual intervention was only necessary to create the models, the following analysis was then automatic. For more information about this algorithm, see the extended version of this paper [15]. The implementation is also available on line [15].
4 Conclusion
In this paper, we perform an automated analysis of multi-protocols in Tamarin. For this we have used the both protocols studied in [9] using Scyther and the protocol studied in [22] manually. In all cases where attacks were known previously, we also find attacks. However, the tool sometimes finds different attacks than the ones found manually or using Scyther. Moreover, we also find new and unknown attacks, underlining the advantages of an automatic analysis. We also proposed an algorithm to systematically merge two Tamarin files for our analysis.
Our future work is to see how we can integrate our algorithm for automatically merging two Tamarin files into the tools in order to facilitate the life of Tamarin users. Finally our experience also shows us that it might even be possible to propose a similar heuristic to help Tamarin users by automatically generating such helping intermediate lemmas.
References
Abadi, M., Needham, R.: Prudent engineering practice for cryptographic protocols. IEEE Trans. Softw. Eng. 22(1), 6–15 (1996)
Armando, A., Basin, D., Boichut, Y., Chevalier, Y., Compagna, L., Cuellar, J., Drielsma, P.H., Heám, P.C., Kouchnarenko, O., Mantovani, J., Mödersheim, S., von Oheimb, D., Rusinowitch, M., Santiago, J., Turuani, M., Viganò, L., Vigneron, L.: The AVISPA tool for the automated validation of internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005). https://doi.org/10.1007/11513988_27
Blanchet, B.: An efficient cryptographic protocol verifier based on prolog rules. In: Proceedings of the 14th IEEE Workshop on Computer Security Foundations, CSFW 2001, Washington, DC, USA, pp. 82–96. IEEE Computer Society (2001)
Burrows, M., Abadi, M., Needham, R.: A logic of authentication. ACM Trans. Comput. Syst. 8(1), 18–36 (1990)
Buttyan, L., Staamann, S., Wilhelm, U.: A simple logic for authentication protocol design. In: 11th IEEE Computer Security Foundations Workshop, pp. 153–162. IEEE Computer Society Press (1998)
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067 (2000). http://eprint.iacr.org/2000/067
Clark, J., Jacob, J.: A survey of authentication protocol literature: version 1.0 (1997)
Clark, J.A., Jacob, J.: On the security of recent protocols. Inf. Process. Lett. 56(3), 151–155 (1995)
C. Cremers. Feasibility of multi-protocol attacks. In: Proceedings of the First International Conference on Availability, Reliability and Security (ARES), Vienna, Austria, pp. 287–294. IEEE Computer Society (2006)
Cremers, C., Mauw, S.: Security properties. In: Operational Semantics and Verification of Security Protocols. ISC, pp. 37–65. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-540-78636-8_4
Cremers, C., Mauw, S., de Vink, E.: Injective synchronisation: an extension of the authentication hierarchy. Theor. Comput. Sci. 367(1), 139–161 (2006)
Cremers, C.J.: Unbounded verification, falsification, and characterization of security protocols by pattern refinement. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS 2008, pp. 119–128. ACM, New York (2008)
Denning, D.E., Sacco, G.M.: Timestamps in key distribution protocols. Commun. ACM 24(8), 533–536 (1981)
Durgin, N.A., Mitchell, J.C., Pavlovic, D.: A compositional logic for proving security properties of protocols. J. Comput. Secur. 11(4), 677–722 (2003)
Elliott, B., Dreier, J., Lafourcade, P.: Formal Analysis of Combinations of Secure Protocols (Extended Version). Technical report (2017). https://hal.archives-ouvertes.fr/hal-01558552v3
Hwang, T., Chen, Y.-H.: On the security of SPLICE/AS - the authentication system in WIDE internet. Inf. Process. Lett. 53(2), 97–101 (1995)
Kao, I.-L., Chow, R.: An efficient and secure authentication protocol using uncertified keys. SIGOPS Oper. Syst. Rev. 29(3), 14–21 (1995)
Kelsey, J., Schneier, B., Wagner, D.: Protocol interactions and the chosen protocol attack. In: Christianson, B., Crispo, B., Lomas, M., Roe, M. (eds.) Security Protocols 1997. LNCS, vol. 1361, pp. 91–104. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0028162
Lowe, G.: An attack on the needham-schroeder public-key authentication protocol. Inf. Process. Lett. 56(3), 131–133 (1995)
Lowe, G.: A hierarchy of authentication specification. In: 10th Computer Security Foundations Workshop (CSFW 1997), 10–12 June 1997, Rockport, Massachusetts, USA, pp. 31–44. IEEE Computer Society (1997)
Lowe, G.: Towards a completeness result for model checking of security protocols. J. comput. secur. 7(2–3), 89–146 (1999)
Mathuria, A., Singh, A.R., Shravan, P.V., Kirtankar, R.: Some new multi-protocol attacks. In: Proceedings of the 15th International Conference on Advanced Computing and Communications, ADCOM 2007, Washington, DC, USA, pp. 465–471. IEEE Computer Society (2007)
Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39799-8_48
Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Commun. ACM 21(12), 993–999 (1978)
Needham, R.M., Schroeder, M.D.: Authentication revisited. SIGOPS Oper. Syst. Rev. 21(1), 7 (1987)
Perrig, A., Song, D.: Looking for diamonds in the desert - extending automatic protocol generation to three-party authentication and key agreement protocols. In: Proceedings of the 13th IEEE Workshop on Computer Security Foundations, CSFW 2000, Washington, DC, USA, pp. 64–76. IEEE Computer Society (2000)
Song, D.X., Berezin, S., Perrig, A.: Athena: a novel approach to efficient automatic security protocol analysis. J. Comput. Secur. 9(1–2), 47–74 (2001)
Woo, T.Y.C., Lam, S.S.: A lesson on authentication protocol design. SIGOPS Oper. Syst. Rev. 28(3), 24–37 (1994)
Yamaguchi, S., Okayama, K., Miyahara, H.: The design and implementation of an authentication system for the wide area distributed environment. IEICE Trans. Inf. Syst. 74(11), 3902–3909 (1991)
Zhou, H., Foley, S.N.: Fast automatic synthesis of security protocols using backward search. In: Proceedings of the 2003 ACM Workshop on Formal Methods in Security Engineering, FMSE 2003, pp. 1–10. ACM, New York (2003)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Blot, E., Dreier, J., Lafourcade, P. (2018). Formal Analysis of Combinations of Secure Protocols. In: Imine, A., Fernandez, J., Marion, JY., Logrippo, L., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2017. Lecture Notes in Computer Science(), vol 10723. Springer, Cham. https://doi.org/10.1007/978-3-319-75650-9_4
Download citation
DOI: https://doi.org/10.1007/978-3-319-75650-9_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-75649-3
Online ISBN: 978-3-319-75650-9
eBook Packages: Computer ScienceComputer Science (R0)