Results 1 - 10 of 47
The NRL Protocol Analyzer: An Overview
- 1996
Cited by 216 (20 self)
this paper we give an overview of how the Analyzer works and describe its achievements so far. We also show how our use of the Prolog language benefited us in the design and implementation of the Analyzer. / 1. INTRODUCTION
Athena: a new efficient automatic checker for security protocol analysis
- In Proceedings of the Twelfth IEEE Computer Security Foundations Workshop, 1999
Cited by 67 (1 self)
We propose an efficient automatic checking algorithm, Athena, for analyzing security protocols. Athena incorporates a logic that can express security properties including authentication, secrecy and properties related to electronic commerce. We have developed an automatic procedure for evaluating well-formed formulae in this logic. For a well-formed formula, if the evaluation procedure terminates, it will generate a counterexample if the formula is false, or provide a proof if the formula is true. Even when the procedure does not terminate when we allow any arbitrary configurations of the protocol execution, (for example, any number of initiators and responders), termination could be forced by bounding the number of concurrent protocol runs and the length of messages, as is done in most existing model checkers. Athena also exploits several state space reduction techniques. It is based on an extension of the recently proposed Strand Space Model [25] which captures exact causal relation information. Together with backward search and other techniques, Athena naturally avoids the state space explosion problem commonly caused by asynchronous composition and symmetry redundancy. Athena also has the advantage that it can easily incorporate results from theorem proving through unreachability theorems. By using the unreachability theorems, it can prune the state space at an early stage, hence, reduce the state space explored and increase the likelihood of termination. As shown in our experiments, these techniques dramatically reduce the state space that needs to be explored.
Athena: a novel approach to efficient automatic security protocol analysis
- Journal of Computer Security, 2001
Computing Symbolic Models for Verifying Cryptographic Protocols
- In Proc. of the 14th Computer Security Foundation Workshop (CSFW14), 2001
Cited by 54 (0 self)
We consider the problem of automatically verifying infinite-state cryptographic protocols. Specifically, we present an algorithm that given a finite process describing a protocol in a hostile environment (trying to force the system into a "bad" state) computes a model of traces on which security properties can be checked. Because of unbounded inputs from the environment, even finite processes have an infinite set of traces; the main focus of our approach is the reduction of this infinite set to a finite set by a symbolic analysis of the knowledge of the environment. Our algorithm is sound (and we conjecture complete) for protocols with shared-key encryption/decryption that use arbitrary messages as keys; further it is complete in the common and important case in which the cryptographic keys are messages of bounded size.
An improved constraint-based system for the verification of security protocols
- 9th Int. Static Analysis Symp. (SAS), Volume LNCS 2477, 2002
Cited by 47 (14 self)
We propose a constraint-based system for the verification of security protocols that improves upon the one developed by Millen and Shmatikov [30]. Our system features (1) a significantly more efficient implementation, (2) a monotonic behavior, which also allows to detect flaws associated to partial runs and (3) a more expressive syntax, in which a principal may also perform explicit checks. In this paper we also show why these improvements yield a more effective and practical system.
Security for a High Performance Commodity Storage Subsystem
- 1999
Cited by 36 (1 self)
and the United States Postal Service. The views and conclusions in this document are my own and should not be interpreted as representing the official policies, either expressed or implied, of any supporting organization or the U.S. Government.
Logical Relations for Encryption
- 2002
Cited by 33 (2 self)
The theory of relational parametricity and its logical relations proof technique are powerful tools for reasoning about information hiding in the polymorphic λ-calculus. We investigate the application of these tools in the security domain by defining a cryptographic λ-calculus---an extension of the standard simply typed λ-calculus with primitives for encryption, decryption, and key generation--- and introducing syntactic logical relations (in the style of Pitts and Birkedal-Harper) for this calculus that can be used to prove behavioral equivalences between programs that use encryption. We illustrate
Efficient Infinite-State Analysis of Security Protocols
- 1999
Cited by 32 (0 self)
We propose a new method and present a tool for the analysis of cryptographic protocols. The method is based on symbolic state space search. It can be used to analyze thoroughly an infinite state space if the infiniteness is caused only by the infiniteness of the enemy but not by an unbounded number of interleaved protocol runs nor unbounded behaviours of single protocol participants. The method is complete for the class of protocols it is defined for and does not require user interaction to work. 1 Introduction In this paper we consider the problem of analyzing cryptographic protocols by using symbolic state space enumeration and model checking. State space enumeration is the act of generating explicitly the state graph of a given system. By model checking we mean the act of verifying that the generated state graph has a certain structure defined by logical formulae. Symbolic state space enumeration is an extension of explicit state space enumeration: individual states are not enumer...
A Simple Logic for Authentication Protocol Design
- In 11th IEEE Computer Security Foundations Workshop, 1998
Cited by 24 (4 self)
In this paper, we describe a simple logic. The logic uses the notion of channels that are generalisations of communication links with various security properties. The abstract nature of channels enables us to treat the protocol at a higher abstraction level than do most of the known logics for authentication, and thus, we can address the higher level functional properties of the system, without having to be concerned with the problems of the actual implementation. The major advantage of the proposed logic is its suitability for the design of authentication protocols. We give a set of synthetic rules that can be used by protocol designers to construct a protocol in a systematic way. 1. Introduction Cryptographic protocols are used to provide secure services in distributed systems. However, if the protocol is not designed carefully enough, it may contain flaws, which can be the ideal starting point for various attacks [8] [19] [6] [7]. Such flaws can be subtle and hard to find, so infor...
Security Protocols over open networks and distributed systems: Formal methods for their Analysis, Design, and Verification
- Computer Communications, 1999
Cited by 19 (0 self)
Formal methods, theory, and supporting tools can aid the design, analysis, and verification of the security-related and cryptographic protocols used over open networks and distributed systems. The most commonly followed techniques for the application of formal methods for the ex-post analysis and verification of cryptographic protocols, as the analysis approach, are reviewed, followed by the examination of robustness principles and application limitations. Modern high-level specification languages and tools can be used for automatically analysing cryptographic protocols. Recent research work focuses on the ex-ante use of formal methods in the design stage of new security protocols, as the synthesis approach. Finally, an outline is presented on current trends for the utilisation of formal methods for the analysis and verification of modern complicated protocols and protocol suites for the real commercial world. Keywords Protocol Analysis Tools, Formal methods, Security protocols, Cry...

