According to the Meadows's cost-based framework, the protocol events are dened and assigned costs. The main events of JFK protocol curried out by each of the initiator and responder for each message are summarized in the Table C.1. In this table, we associate each event a cost based on the cost of the original cost-based framework [261] (which either cheap, medium or expensive).
In TableC.2the JFK protocol in the cost-based framework notation is presented.
Message Initiator (I) Events Responder (R) Events
Compute nonce NI:
compute_nonce(NI) = cheap I → R :
{M sg.1} Hash of NI: hash(NI) = cheap Verify group ofgi: verifygroup(gi) = medium
Generate DH exp. (gi): generateHD(gi) = expensive
Compute nonce NR:
compute_nonce(NR) = cheap R → I :
Generate signature sigR1: generateSig(sigR1) = expensive Hash ofNI: hash(NI) = cheap Generate DH exp. gir:
generateHD(gir) = expensive
Verify cookie: verify(Cookie =
generateHD(gir) = expensive I → R : verify(generateMAC(K1, E1)) = medium
Generate MAC:
generateMAC(K1, E1) = medium Decrypt E1 : decrypt(K2, E1) = medium
Verify signaturesigI: verifySig(sigI)
= expensive Verify signature sigR2:
verifySig(sigR2) = expensive Generate MAC: generateMAC(K2, E2)
= medium
Table C.1: JFK protocol events and their associated costs according to cost-based framework
L1. I → R : compute_nonce1(NI), NI0 = hash(NI), generateHD1(gi) ||NI0, gi, IDR0 ||
verifygroup(gi), accept1
L2. R → I : compute_nonce2(NR), Cookie = generateMAC1(KR, gr, NR, N0I, IPI), sigR1 = generateSig1(gr, groupinfoR) || NI0, NR, groupinf oR, IDR, Cookie, sigR1 ||
verifySig1, accept2
L3. I → R : generateHD2(gir), K1 = computeKey1(gir, NI0, NR), sigI = generateSig2(NI0, NR, gi, gr, IDR, saI), E1 = encrypt1(K1,{IDI, sigI.saI}), C1 = generateMAC2(KI, E1) ||NI, NR, gi, gr, Cookie, E1, C1|| NI0 = hash2(NI), verify1(Cookie = generateMAC3(KR,{gr, NR, NI0, IPI}), generateHD2(gir), K2 = computeKey2(gir, NI0, NR), verify2(C1 = generateMAC4(K1, E1), decrypt1(K2, E1), verifySig2(sigI), accept3
L4. R → I : sigR2 = generateSig3(NI0, NR, gi, gr, IDI, saI, saR), E2 = encrypt2(K2,{sigR2, saR}), C2 = generateMAC4(K2, E2) ||E2, C2|| verify3(C2 = generateMAC6(K2, E2), decrypt2(E2), verifySig3(sigR2), accept4
Table C.2: JFK protocol in the cost-based framework notation
[1] http://www.joe-ks.com/archives_aug2003/BikeLocks.jpg. (Cited on pages 1 and13.)
[2] http://en.wikipedia.org/wiki/File:EnigmaMachineLabeled.jpg. (Cited on pages1 and14.)
[3] AVISPA: automated validation of internet security protocols and applications (2003) FET Open Project IST-2001-39252.
www.avispa-project.org. (Cited on page31.)
[4] http://www.mitre.org/tech/strands/. (Cited on page 34.)
[5] , âAVISPA Library â, http://www.avispa-project.org/library/. (Cited on page72.)
[6] "VoIP Security and Privacy Threat Taxonomy-Public Release 1.0", VOIPSA, October 2005. (Cited on page81.)
[7] Available on: http://insecure.org/sploits/ping-o-death.html. (Cited on page81.)
[8] Bysin, Knight.c sourcecode, PacketStormSecurity.nl July 11, 2001, Avail-able from <http://packetstormsecurity.nl/distributed/knight.c>. (Cited on page83.)
[9] W. Aiello, S. Bellovin, M. Blaze, R. Canetti, J. Ionnidis, A. Keromytis, and O. Reingold. Just fast keying (JFK). IETF Internet Draft draft-ietf-ipsec-jfk-04.txt, July 2002. (Cited on pages118 and 129.)
[10] CERT Advisory Ca-1998-01: Smurf Ip Denial-of-Service Attacks. Available on-line at: http://www.cert.org/advisories/CA-1998-01.html. (Cited on page80.) [11] Y. Boichut Y. Chevalier L. Compagna J. Cuellar P. Hankes Drielsma P.C.
Heám O. Kouchnarenko J. Mantovani S. Mödersheim D. von Oheimb M. Rusi-nowitch J. Santiago M. Turuani L. Viganò L. Vigneron. A. Armando, D. Basin.
The AVISPA tool for the automated validation of internet security protocols and applications, 2005. in proceedings of CAV 2005, Computer Aided Veri-cation, LNCS 3576, Springer Verlag. http://avispa-project.org/. (Cited on pages6 and20.)
[12] Martín Abadi. Secrecy by typing in security protocols. J. ACM, 46(5):749786, 1999. (Cited on page38.)
[13] Martín Abadi and Bruno Blanchet. Computer-assisted verication of a proto-col for certied email. Sci. Comput. Program., 58(1-2):327, 2005. (Cited on page39.)
[14] Martín Abadi, Bruno Blanchet, and Cédric Fournet. Just fast keying in the pi calculus. ACM Trans. Inf. Syst. Secur., 10(3):9, 2007. (Cited on page 39.) [15] Martín Abadi, Bruno Blanchet, and Cédric Fournet. Just fast keying in the pi calculus. ACM Trans. Inf. Syst. Secur., 10(3):9, 2007. (Cited on page129.) [16] Martin Abadi, Mike Burrows, Mark Manasse, and Ted Wobber. Moderately hard, memory-bound functions. ACM Trans. Internet Technol., 5(2):299327, 2005. (Cited on page 118.)
[17] Martín Abadi and Cédric Fournet. Mobile values, new names, and secure communication. SIGPLAN Not., 36(3):104115, 2001. (Cited on page39.) [18] Martín Abadi and Andrew D. Gordon. A calculus for cryptographic protocols:
The spi calculus. In Fourth ACM Conference on Computer and Communica-tions Security, pages 3647. ACM Press, 1997. (Cited on page37.)
[19] Martín Abadi and Andrew D. Gordon. A bisimulation method for crypto-graphic protocols. Nordic J. of Computing, 5(4):267303, 1998. (Cited on page38.)
[20] Martín Abadi and Roger Needham. Prudent engineering practice for cryp-tographic protocols. IEEE Trans. Softw. Eng., 22(1):615, 1996. (Cited on pages12 and 45.)
[21] Martín Abadi and Phillip Rogaway. Reconciling two views of cryptography (the computational soundness of formal encryption). In Proceedings of the International Conference IFIP on Theoretical Computer Science, Exploring New Frontiers of Theoretical Informatics, TCS '00, pages 322, London, UK, 2000. Springer-Verlag. (Cited on page 21.)
[22] Martín Abadi and Phillip Rogaway. Reconciling two views of cryptography (the computational soundness of formal encryption). In TCS '00: Proceed-ings of the International Conference IFIP on Theoretical Computer Science, Exploring New Frontiers of Theoretical Informatics, pages 322, London, UK, 2000. Springer-Verlag. (Cited on pages21 and22.)
[23] MartÃn Abadi, Bruno Blanchet, and D Epartement D'informatique. Analyz-ing security protocols with secrecy types and logic programs. In Journal of the ACM, pages 3344. ACM Press, 2002. (Cited on page39.)
[24] H. Abdelnur, T. Avanesov, M. Rusinowitch, and R. State. Abusing SIP au-thentication. In Information Assurance and Security, 2008. ISIAS '08. Fourth International Conference on, pages 237 242, sept. 2008. (Cited on page72.) [25] Mehmud Abliz. Internet denial of service attacks and defense mechanisms.
University of Pittsburgh Technical Report, No. TR-11-178, March 2011, Pages 1-50. (Cited on page 82.)
[26] Mehmud Abliz. Internet denial of service attacks and defense mechanisms.
University of Pittsburgh Technical Report, No. TR-11-178, March 2011.
(Cited on page108.)
[27] Mehmud Abliz and Taieb Znati. A guided tour puzzle for denial of service prevention. In ACSAC '09: Proceedings of the 2009 Annual Computer Security Applications Conference, pages 279288, Washington, DC, USA, 2009. IEEE Computer Society. (Cited on pages 87and 91.)
[28] Reynald Aeldt and Hubert Comon-Lundh. A note on rst-order logic and security protocols., 2008. (Cited on page41.)
[29] Gul Agha, Michael Greenwald, Carl A. Gunter, Sanjeev Khanna, Jose Meseguer, Koushik Sen, and Prasannaa Thati. Formal modeling and analysis of dos using probabilistic rewrite theories. In In International Workshop on Foundations of Computer Security (FCSâ05) (Aliated with LICSâ05, 2005.
(Cited on pages98,100 and 101.)
[30] Gul Agha, José Meseguer, and Koushik Sen. Pmaude: Rewrite-based spec-ication language for probabilistic object systems. Electron. Notes Theor.
Comput. Sci., 153(2):213239, 2006. (Cited on pages100 and 101.)
[31] William Aiello, Steven M. Bellovin, Matt Blaze, Ran Canetti, John Ioannidis, Angelos D. Keromytis, and Omer Reingold. Just fast keying: Key agreement in a hostile internet. ACM Trans. Inf. Syst. Secur., 7:242273, May 2004.
(Cited on pages118 and 129.)
[32] William Aiello, Steven M. Bellovin, Matt Blaze, John Ioannidis, Omer Rein-gold, Ran Canetti, and Angelos D. Keromytis. Ecient, dos-resistant, secure key exchange for internet protocols. In CCS '02: Proceedings of the 9th ACM conference on Computer and communications security, pages 4858, New York, NY, USA, 2002. ACM. (Cited on pages1,94,96,97,118,129 and130.) [33] M. Akbarzadeh and M. Azgomi. A framework for probabilistic model checking
of security protocols using coloured stochastic activity networks and PDETool.
In Proc. 5th International Symposium on Telecommunications (IST'10), 2010.
(Cited on page37.)
[34] S. Al-shadly, O. Alfandi, H. Brosenne, and D. Hogrefe. Security verication of trust-based authentication handover in ip networks. In Computer Com-munications and Networks (ICCCN), 2011 Proceedings of 20th International Conference on, pages 1 6, 31 2011-aug. 4 2011. (Cited on page117.)
[35] O. Alfandi, H. Brosenne, C. Werner, and D. Hogrefe. Fast re-authentication for inter-domain handover using context transfer. In International Conference on Information Networking (ICOIN), pages 15, 2008. (Cited on pages 54, 56,58 and72.)
[36] Musab AlTurki, José Meseguer, and Carl A. Gunter. Probabilistic modeling and analysis of dos protection for the asv protocol. Electron. Notes Theor.
Comput. Sci., 234:318, 2009. (Cited on pages50,96,98,100,101 and 118.) [37] Rajeev Alur and David L. Dill. Automata for modeling real-time systems. In
Proceedings of the 17th International Colloquium on Automata, Languages and Programming, ICALP '90, pages 322335, London, UK, 1990. Springer-Verlag.
(Cited on pages 6and 37.)
[38] Rajeev Alur and David L. Dill. A theory of timed automata. Theor. Comput.
Sci., 126:183235, April 1994. (Cited on page 6.)
[39] Roberto M. Amadio, Roberto M. Amadio, Denis Lugiez, Denis Lugiez, Thème Réseaux Et Systèmes, Unité Inria, and Sophia Antipolis. On the reachability problem in cryptographic protocols. pages 380394. Springer-Verlag, 2000.
(Cited on page39.)
[40] Tobias Amnell, Gerd Behrmann, Johan Bengtsson, Pedro R. D'Argenio, Alexandre David, Ansgar Fehnker, Thomas Hune, Bertrand Jeannet, Kim Guldstrand Larsen, M. Oliver Möller, Paul Pettersson, Carsten Weise, and Wang Yi. Uppaal - now, next, and future. In Proceedings of the 4th Summer School on Modeling and Verication of Parallel Processes, MOVEP '00, pages 99124, London, UK, 2001. Springer-Verlag. (Cited on page 37.) [41] Iván Arce and Elias Levy. An analysis of the slapper worm. IEEE Security
and Privacy, 1(1):8287, 2003. (Cited on page19.)
[42] Myla Archer and Ben Di Vito. Developing user strategies in pvs: A tutorial. In In: Proceedings of the First International Workshop on Design and Application of Strategies/Tactics in Higher Order Logics (STRATA, pages 2003212448, 2003. (Cited on page 47.)
[43] Alessandro Armando, Roberto Carbone, Jorge Cuellar, Llanos Tobarra, and Luca Compagna. Formal Analysis of SAML 2.0 Web Browser Single Sign-On:
Breaking the SAML-based Single Sign-On for Google Apps. In In Proceedings of FMSE 2008. ACM Press, 2008. (Cited on page72.)
[44] Alessandro Armando and Luca Compagna. Automatic sat-compilation of pro-tocol insecurity problems via reduction to planning. In FORTE '02: Proceed-ings of the 22nd IFIP WG 6.1 International Conference Houston on Formal Techniques for Networked and Distributed Systems, pages 210225, London, UK, 2002. Springer-Verlag. (Cited on page 33.)
[45] Alessandro Armando and Luca Compagna. Abstraction-driven sat-based anal-ysis of security protocols. In Theory and Applications of Satisability Test-ing, volume Volume 2919/2004, pages 301302, Berlin / Heidelberg, 2004.
Springer-Verlag. (Cited on page33.)
[46] Alessandro Armando and Luca Compagna. Satmc: A sat-based model checker for security protocols. In JELIA, pages 730733, 2004. (Cited on page33.) [47] Alessandro Armando and Luca Compagna. An optimized intruder model for
SAT-based model-checking of security protocols. Electr. Notes Theor. Comput.
Sci., 125(1):91108, 2005. (Cited on page33.)
[48] Alessandro Armando and Luca Compagna. Sat-based model-checking for secu-rity protocols analysis. Int. J. Inf. Secur., 7(1):332, 2008. (Cited on page56.) [49] Alessandro Armando, Luca Compagna, and Pierre Ganty. Sat-based model-checking of security protocols using planning graph analysis. In FME, pages 875893, 2003. (Cited on page33.)
[50] Gavin Lowe August. An attack on the needham-schroeder public-key authen-tication protocol. Information Processing Letters, 56:131133, 1995. (Cited on page5.)
[51] Tuomas Aura, Pekka Nikander, and Jussipekka Leiwo. Dos-resistant authen-tication with client puzzles. In Revised Papers from the 8th International Workshop on Security Protocols, pages 170177, London, UK, 2001. Springer-Verlag. (Cited on pages86,87,88,94 and95.)
[52] Jason Barlow. TFN2K - An Analysis., 2000. Available on:
http://www.securiteam.com/securitynews/5YP0G000FS.html. (Cited on pages79 and83.)
[53] Stylianos Basagiannis, Panagiotis Katsaros, and Andrew Pombortsis. Intru-sion attack tactics for the model checking of e-commerce security guarantees.
In SAFECOMP, pages 238251, 2007. (Cited on pages18 and 20.)
[54] Stylianos Basagiannis, Panagiotis Katsaros, Andrew Pombortsis, and Nikolaos Alexiou. A probabilistic attacker model for quantitative verication of dos security threats. Computer Software and Applications Conference, Annual International, 0:1219, 2008. (Cited on page98.)
[55] Stylianos Basagiannis, Panagiotis Katsaros, Andrew Pombortsis, and Nikolaos Alexiou. Probabilistic model checking for the quantication of dos security threats. Computers and Security, 28(6):450465, 2009. (Cited on pages 98 and100.)
[56] David Basin, Sebastian Moedersheim, and Luca Vigan. Ofmc: A symbolic model checker for security protocols. Published online: 21 December 2004
-c
Springer-Verlag 2004, 2004. (Cited on page31.)
[57] David Basin, Sebastian Moedersheim, and Luca Vigan. Ofmc: A symbolic model checker for security protocols. Published online: 21 December 2004
-c
Springer-Verlag 2004, 2004. (Cited on pages 20 and56.)
[58] David A. Basin. Lazy innite-state analysis of security protocols. In Proceedings of the International Exhibition and Congress on Secure Networking -CQRE (Secure) '99, pages 3042, London, UK, 1999. Springer-Verlag. (Cited on page 30.)
[59] Mathieu Baudet, Veronique Cortier, and Steve Kremer. Computationally sound implementations of equational theories against passive adversaries. In Proc. 32nd International Colloquium on Automata, Languages and Program-ming (ICALPâ05), volume 3580 of LNCS, pages 652663. Springer, 2005.
(Cited on page22.)
[60] Gerd Behrmann, Alexandre David, Kim Guldstrand Larsen, Paul Petters-son, and Wang Yi. Developing uppaal over 15 years. Softw., Pract. Exper., 41(2):133142, 2011. (Cited on page6.)
[61] Genge Bela and I. Ignat. Verifying the independence of security protocols.
In Intelligent Computer Communication and Processing, 2007 IEEE Interna-tional Conference on, pages 155162, 2007. (Cited on page45.)
[62] Giampaolo Bella. Inductive verication of cryptographic protocols, 2000.
(Cited on page43.)
[63] Giampaolo Bella. Inductive verication of smart card protocols. J. Comput.
Secur., 11(1):87132, 2003. (Cited on page 43.)
[64] Giampaolo Bella and Lawrence C. Paulson. Using isabelle to prove properties of the kerberos authentication system. In In DIMACS Workshop on Design and Formal Verication of Security Protocols, 1997. (Cited on page 43.) [65] Giampaolo Bella and Lawrence C Paulson. Kerberos version iv: Inductive
analysis of the secrecy goals. In Computer Security â ESORICS 98, LNCS 1485, pages 361375. Springer, 1998. (Cited on page 43.)
[66] John Bellardo and Stefan Savage. 802.11 denial-of-service attacks: real vul-nerabilities and practical solutions. In SSYM'03: Proceedings of the 12th conference on USENIX Security Symposium, pages 22, Berkeley, CA, USA, 2003. USENIX Association. (Cited on page81.)
[67] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribu-tion. In Proceedings of the 13th annual international cryptology conference on Advances in cryptology, pages 232249, New York, NY, USA, 1994. Springer-Verlag New York, Inc. (Cited on page46.)
[68] Johan Bengtsson, Kim Larsen, Fredrik Larsson, Paul Pettersson, and Wang Yi. Uppaal: a tool suite for automatic verication of real-time systems. In Proceedings of the DIMACS/SYCON workshop on Hybrid systems III : ver-ication and control: verver-ication and control, pages 232243, Secaucus, NJ, USA, 1996. Springer-Verlag New York, Inc. (Cited on page6.)
[69] B. Berard, M. Bidoit, A. Finkel, F. Laroussinie, A. Petit, L. Petrucci, and P. Schnoebelen. Systems and Software Verication: Model-Checking Tech-niques and Tools. Springer Publishing Company, Incorporated, 1st edition, 2010. (Cited on page7.)
[70] Karthikeyan Bhargavan, Cédric Fournet, Andrew D. Gordon, and Riccardo Pucella. Tulafale: A security tool for web services. In In International Sym-posium on Formal Methods for Components and Objects (FMCO'03), volume 3188 of LNCS, pages 197222. Springer, 2004. (Cited on page50.)
[71] Armin Biere, Ro Cimatti, Edmund Clarke, and Yunshan Zhu. Symbolic model checking without bdds. pages 193207. Springer-Verlag, 1999. (Cited on pages27 and33.)
[72] Bruno Blanchet. An ecient cryptographic protocol verier based on prolog rules. In CSFW '01: Proceedings of the 14th IEEE workshop on Computer Security Foundations, page 82, Washington, DC, USA, 2001. IEEE Computer Society. (Cited on page36.)
[73] Bruno Blanchet. From secrecy to authenticity in security protocols. In SAS '02: Proceedings of the 9th International Symposium on Static Analysis, pages 342359, London, UK, 2002. Springer-Verlag. (Cited on page 39.)
[74] Bruno Blanchet and Benjamin Aziz. A calculus for secure mobility. In ASIAN, pages 188204, 2003. (Cited on page39.)
[75] Valer Bocan. Threshold puzzles: The evolution of dos-resistant authen-ticated. Buletinul Stiintic al Universitatii âPolitehnicaâ din Timisoara, ROMANIA Seria AUTOMATICA si CALCULATOARE PERIODICA PO-LITECHNICA, Transactions on AUTOMATIC CONTROL and COMPUTER SCIENCE Vol.49 (63), 2004, ISSN 1224-600X. (Cited on page91.)
[76] Valer Bocan and Mihai Fagadar-Cosma. Adaptive threshold puzzles. In Com-puter as a Tool, 2005. EUROCON 2005.The International Conference on, volume 1, pages 644 647, nov. 2005. (Cited on page91.)
[77] Yohan Boichut, Pierre-Cyrille Héam, and Olga Kouchnarenko. Automatic verication of security protocols using approximations. Research Report RR-5727, INRIA, 2005. (Cited on pages32 and57.)
[78] Michele Boreale. Symbolic trace analysis of cryptographic protocols. In ICALP '01: Proceedings of the 28th International Colloquium on Automata, Lan-guages and Programming,, pages 667681, London, UK, 2001. Springer-Verlag.
(Cited on page39.)
[79] Michele Boreale. Erratum of proof techniques for cryptographic processes., 2004. (unpublished manuscript). (Cited on page38.)
[80] Johannes Borgström and Uwe Nestmann. On bisimulations for the spi calcu-lus. Mathematical. Structures in Comp. Sci., 15(3):487552, 2005. (Cited on page38.)
[81] Daniel Boteanu, José M. Fernandez, John McHugh, and John Mullins. Queue management as a dos counter-measure? In Proceedings of the 10th inter-national conference on Information Security, ISC'07, pages 263280, Berlin, Heidelberg, 2007. Springer-Verlag. (Cited on page 106.)
[82] Julien Bournelle, Maryline Laurent-Maknavicius, Hannes Tschofenig, and Yacine El Mghazli. Handover-aware access control mechanism: Ctp for pana.
In Mário Freire, Prosper Chemouil, Pascal Lorenz, and Annie Gravey, editors, Universal Multiservice Networks, volume 3262 of Lecture Notes in Computer Science, pages 430439. Springer Berlin / Heidelberg, 2004. 10.1007/978-3-540-30197-4_43. (Cited on page 54.)
[83] Colin Boyd and Anish Mathuria. Protocols for Authentication and Key Estab-lishment. Springer, 2003. (Cited on page 23.)
[84] Stephen H. Brackin. A hol extension of gny for automatically analyzing cryp-tographic protocols. In In Proceedings of the Ninth IEEE Computer Secu-rity Foundations Workshop, pages 6276. Press, 1996. (Cited on pages 6, 12 and 27.)
[85] Sébastien Briais and Uwe Nestmann. Open bisimulation, revisited. Theor.
Comput. Sci., 386(3):236271, 2007. (Cited on page38.)
[86] Hans Uttel Brics and Hans Hüttel. Deciding framed bisimilarity. In In IN-FINITYâ02, pages 120, 2002. (Cited on page38.)
[87] Bob Briscoe, Arnaud Jacquet, Carla Di Cairano-Gilfedder, Alessandro Sal-vatori, Andrea Soppera, and Martin Koyabe. Policing congestion response in an internetwork using re-feedback. SIGCOMM Comput. Commun. Rev., 35(4):277288, August 2005. (Cited on page 86.)
[88] Aaron Brown and David A. Patterson. Towards availability benchmarks: a case study of software raid systems. In Proceedings of the annual conference on USENIX Annual Technical Conference, ATEC '00, pages 2222, Berkeley, CA, USA, 2000. USENIX Association. (Cited on page110.)
[89] Randal E. Bryant. Graph-based algorithms for boolean function manipulation.
IEEE Trans. Comput., 35:677691, August 1986. (Cited on page 27.)
[90] Randal E. Bryant. Graph-based algorithms for boolean function manipulation.
IEEE Transactions on Computers, 35:677691, 1986. (Cited on page33.) [91] Randal E. Bryant. Symbolic boolean manipulation with ordered
binary-decision diagrams. ACM Comput. Surv., 24:293318, September 1992. (Cited on page 27.)
[92] Michele Bugliesi and Giuseppe Castagna. Secure safe ambients. SIGPLAN Not., 36(3):222235, 2001. (Cited on page39.)
[93] Michele Bugliesi, Giuseppe Castagna, and Silvia Crafa. Boxed ambients. In In Proc. TACS 2001, LNCS 2215, pages 3863. Springer-Verlag, 2001. (Cited on page39.)
[94] J. R. Burch, E. M. Clarke, K. L. Mcmillan, D. L. Dill, and L. J. Hwang.
Symbolic model checking: 1020 states and beyond, 1990. (Cited on page 33.) [95] Michael Burrows, Martin Abadi, and Roger Needham. A logic of authenti-cation. ACM Transactions on Computer Systems, 8:1836, 1990. (Cited on pages6,12,23,26and 44.)
[96] L. Buttyan, S. Staamann, and U. Wilhelm. A simple logic for authentication protocol design. In Computer Security Foundations Workshop, 1998. Proceed-ings. 11th IEEE, pages 153162, June 1998. (Cited on page44.)
[97] Ran Canetti, Ling Cheung, Dilsun Kaynar, Moses Liskov, Nancy Lynch, Olivier Pereira, and Roberto Segala. Analyzing security protocols using time-bounded task-pioas. Discrete Event Dynamic Systems, 18(1):111159, March 2008. (Cited on page119.)
[98] Luca Cardelli and Andrew D. Gordon. Mobile ambients, 1998. (Cited on page39.)
[99] Claude Castelluccia, Einar Mykletun, and Gene Tsudik. Improving secure server performance by re-balancing ssl/tls handshakes. In ASIACCS '06: Pro-ceedings of the 2006 ACM Symposium on Information, computer and commu-nications security, pages 2634, New York, NY, USA, 2006. ACM. (Cited on pages94,95 and 96.)
[100] Jan Cederquist and Mohammad Torabi Dashti. An intruder model for veri-fying liveness in security protocols. In FMSE '06: Proceedings of the fourth ACM workshop on Formal methods in security, pages 2332, New York, NY, USA, 2006. ACM. (Cited on page20.)
[101] CERT. http://www.cert.org/tech_tips/denial_of_service.html. (Cited on page19.)
[102] CERT. CERT Advisory CA-1996-21 TCP SYN Flooding and IP Spoong At-tacks. Available online at: http://www.cert.org/advisories/CA-1996-21.html.
(Cited on page80.)
[103] CERT. CERT Advisory Ca-1997-28: IP Denial-of-service Attacks. Available on: http://www.cert.org/advisories/CA-1997-28.html. (Cited on page81.)
[104] CERT. Cert advisory ca-2001-20 continuing threats to home users. July 23, 2001, Available on http://www.cert.org/advisories/CA-2001-20.html. (Cited on page 83.)
[105] CERT. CERT Incident Note IN-2000-05: "mstream" Distributed Denial of Service Tool., 2000. Available on: http://www.cert.org/incident
_notes/IN-2000-05.html. (Cited on page83.)
[106] CERT. Cert/cc statistics (historical)., 2006. Available online on http://www.cert.org/stats/cert_stats.html#vul-total. (Cited on page78.) [107] Wu chang Feng. The case for tcp/ip puzzles. In in ACM SIGCOMM Workshop
on Future Directions in Network Architecture (FDNA03, pages 322327. ACM Press, 2003. (Cited on pages88 and 94.)
[108] E.Y. Chen. Detecting dos attacks on sip systems. In VoIP Management and Security, 2006. 1st IEEE Workshop on, pages 5358, 3 2006. (Cited on page81.)
[109] Yan Chen, Adam W. Bargteil, David Bindel, Randy H. Katz, and John Kubi-atowicz. Quantifying network denial of service: A location service case study.
In ICICS'01, pages 340351, 2001. (Cited on page 110.)
[110] Yan Chen, Toni Farley, and Nong Ye. Qos requirements of network applica-tions on the internet. Inf. Knowl. Syst. Manag., 4(1):5576, January 2004.
(Cited on page111.)
[111] Yu Chen and Kai Hwang. Collaborative detection and ltering of shrew ddos attacks using spectral analysis. J. Parallel Distrib. Comput., 66(9):11371151, September 2006. (Cited on page84.)
[112] Y. Chevalier, L. Compagna, J. Cuellar, P. Hankes Drielsma, J. Mantovani, S. Mödersheim, and L. Vigneron. A high level protocol specication language for industrial security-sensitive protocols. In Austrian Computer Society, pages 193205, 2004. (Cited on page56.)
[113] Yannick Chevalier and Laurent Vigneron. Automated unbounded verication of security protocols. In CAV '02: Proceedings of the 14th International Con-ference on Computer Aided Verication, pages 324337, London, UK, 2002.
Springer-Verlag. (Cited on page31.)
[114] Yannick Chevalier and Laurent Vigneron. Automated unbounded verication of security protocols. In CAV '02: Proceedings of the 14th International Con-ference on Computer Aided Verication, pages 324337, London, UK, 2002.
Springer-Verlag. (Cited on page56.)
[115] Kim-Kwang Raymond Choo. An integrative framework to protocol analysis and repair: Bellarerogaway model + planning + model checker, 2006. (Cited on page 46.)
[116] Wu chun Feng, A. Kapadia, and S. Thulasidasan. Green: proactive queue management over a best-eort network. In Global Telecommunications Con-ference, 2002. GLOBECOM '02. IEEE, volume 2, pages 1774 1778 vol.2, nov. 2002. (Cited on page108.)
[117] Jae Chung and Mark Claypool. Dynamic-cbt and chips-router support for improved multimedia performance on the internet. In Proceedings of the eighth ACM international conference on Multimedia, MULTIMEDIA '00, pages 239 248, New York, NY, USA, 2000. ACM. (Cited on page108.)
[118] A. Cimatti, E. Clarke, F. Giunchiglia, and M. Roveri. Nusmv: a new sym-bolic model checker. International Journal on Software Tools for Technology Transfer, 2:2000, 2000. (Cited on page6.)
[119] Alessandro Cimatti, Edmund Clarke, Enrico Giunchiglia, Fausto Giunchiglia, Marco Pistore, Marco Roveri, Roberto Sebastiani, and Armando Tacchella.
Nusmv 2: An opensource tool for symbolic model checking, 2002. (Cited on pages6 and33.)
[120] Alessandro Cimatti, Enrico Giunchiglia, Marco Pistore, Marco Roveri, Roberto Sebastiani, Armando Tacchella, and O Tacchella. Integrating bdd-based and sat-bdd-based symbolic model checking, 2002. (Cited on page33.) [121] CISCO. Dening Strategies to Protect Against TCP
SYN Denial of Service Attacks. Available online at:
http://www.cisco.com/en/US/tech/tk828/technologies _tech
_note09186a00800f67d5.shtml. (Cited on page80.)
[122] J.A. Clark and J.L. Jacob. Searching for a solution: engineering tradeos and the evolution of provably secure protocols. In Security and Privacy, 2000. S P 2000. Proceedings. 2000 IEEE Symposium on, 2000. (Cited on pages12,44 and45.)
[123] John Clark. Attacking authentication protocols. High Integrity Systems, 1,
[123] John Clark. Attacking authentication protocols. High Integrity Systems, 1,