We perform a systematic expansion of protocol narrations into terms of a process algebra in order to make precise some of the detailed checks that need to be made in a protocol. We then apply static analysis technology to develop an automatic validation procedure for protocols. Finally, we demonstrate that these techniques suffice for identifying a number of authentication flaws in symmetric key protocols such as Needham-Schroeder, Otway-Rees, Yahalom and Andrew Secure RPC.

Security protocols use cryptography to set up private communication channels on an insecure network. Many protocols contain flaws, and because security goals are seldom specified in detail, we cannot be certain what constitutes a flaw. Thanks to recent work by a number of researchers, security protocols can now be analyzed formally. The paper outlines the problem area, emphasizing the notion of freshness. It describes how a protocol can be specified using operational semantics and properties proved by rule induction, with machine support from the proof tool Isabelle. The main example compares two versions of the Yahalom protocol. Unless the model of the environment is sufficiently detailed, it cannot distinguish the correct protocol from a flawed version. The paper attempts to draw some general lessons on the use of formalisms. Compared with model checking, the inductive method performs a finer analysis, but the cost of using it is greater. 1

Irrelevant clauses in resolution problems increase the search space, making it hard to find proofs in a reasonable time. Simple relevance filtering methods, based on counting function symbols in clauses, improve the success rate for a variety of automatic theorem provers and with various initial settings. We have designed these techniques as part of a project to link automatic theorem provers to the interactive theorem prover Isabelle. They should be applicable to other situations where the resolution problems are produced mechanically and where completeness is less important than achieving a high success rate with limited processor time. 1

We methodically expand protocol narrations into terms of a process algebra in order to specify some of the checks that need to be made in a protocol. We then apply static analysis technology to develop an automatic validation procedure for protocols. Finally, we demonstrate that these techniques suffice to identify several authentication flaws in symmetric and asymmetric key protocols such as Needham-Schroeder symmetric key, Otway-Rees, Yahalom, Andrew Secure RPC, Needham-Schroeder asymmetric key, and Beller-Chang-Yacobi MSR.

Secure electronic transaction (SET) is an immense e-commerce protocol designed to improve the security of credit card purchases. In this paper, we focus on the initial bootstrapping phases of SET, whose objective is the registration of cardholders and merchants with a SET certificate authority. The aim of registration is twofold: getting the approval of the cardholder's or merchant's bank and replacing traditional credit card numbers with electronic credentials that cardholders can present to the merchant so that their privacy is protected. These registration subprotocols present a number of challenges to current formal verification methods. First, they do not assume that each agent knows the public keys of the other agents. Key distribution is one of the protocols' tasks. Second, SET uses complex encryption primitives (digital envelopes) which introduce dependency chains: the loss of one secret key can lead to potentially unlimited losses. Building upon our previous work, we have been able to model and formally verify SETs registration with the inductive method in Isabelle/HOL (T. Nipkow et al., 2002). We have solved its challenges with very general techniques.

We describe a method for enumerating all essentially di#erent executions possible for a cryptographic protocol. We call them the shapes of the protocol. Naturally occurring protocols have only finitely many, indeed very few shapes. Authentication and secrecy properties are easy to determine from them, as are attacks. cpsa, our Cryptographic Protocol Shape Analyzer, implements the method.

We propose a new method for the static analysis of entity authentication protocols. We develop our approach based on a dialect of the spi-calculus as the underlying formalism for expressing protocol narrations. Our analysis validates the honest protocol participants against static (hence decidable) conditions that provide formal guarantees of entity authentication. The main result is that the validation of each component is provably sound and fully compositional: if all the protocol participants are successfully validated, then the protocol as a whole guarantees entity authentication in the presence of Dolev-Yao intruders. 1

Some cryptographic protocols are vulnerable to replay attacks, a type of weakness that was a focus of attention in the Burroughs-Abadi-Needham logic. Newer, more operational approaches to protocol analysis have not concentrated on this type of attack. This paper fills the gap for the strand space theory. The main technical point is to provide a definition of recency. Our candidate is convenient because we already have a powerful way to prove events recent, namely the incoming and outgoing authentication tests. A secondary purpose of this paper is to illustrate an easily mechanized pattern for using the authentication tests.

Two styles of definitions are usually considered to express that a security protocol preserves the confidentiality of a data s. Reachability-based secrecy means that s should never be disclosed while equivalence-based secrecy states that two executions of a protocol with distinct instances for s should be indistinguishable to an attacker. Although the second formulation ensures a higher level of security and is closer to cryptographic notions of secrecy, decidability results and automatic tools have mainly focused on the first definition so far. This paper initiates a systematic investigation of situations where syntactic secrecy entails strong secrecy. We show that in the passive case, reachability-based secrecy actually implies equivalence-based secrecy for signatures, symmetric and asymmetric encryption provided that the primitives are probabilistic. For active adversaries in the case of symmetric encryption, we provide sufficient (and rather tight) conditions on the protocol for this implication to hold.

We study the roles of message components in authentication protocols. In particular, we investigate how a certain component contributes to the task of achieving entity authentication. To this aim, we isolate a minimal set of roles that enables us to extract general principles that should be followed to avoid attacks. We then formalize these principles in terms of rules for protocol parties and we prove that any protocol following these rules (i.e., designed according to the principles) will achieve entity authentication.