Many security properties of cryptographic protocols can be all seen as specific instances of a general property, we called Non Deducibility on Composition (NDC), that we proposed a few years ago for studying information flow properties in computer systems. The advantage of our unifying theory is that formal comparison among these properties is now easier and that the full generality of NDC has helped us in finding a few new attacks on cryptographic protocols.

Specifications for security protocols range from informal narrations of message flows to formal assertions of protocol properties. This paper (intended to accompany a lecture at ETAPS '99) discusses those specifications and suggests some gaps and some opportunities for further work. Some of them pertain to the traditional core of the field; others appear when we examine the context in which protocols operate.

The importance of clarifying the goals of a cryptographic protocol is widely recognised. The majority of authors have addressed intensional goals which are concerned with correct operation within the protocol itself. Extensional goals are properties independent of the protocol and define what the protocol is designed to achieve. This paper reviews the previous literature on goals in protocols and classifies them as intensional or extensional goals. A hierarchy of extensional protocol goals is proposed which includes the major proposed goals for key establishment. It is shown how these extensional goals can be exploited to motivate design of entity authentication protocols.

. Protocols for authentication and key establishment have special requirements in a wireless environment. In the next generation of wireless systems it is likely that public key based protocols will be employed. There are a number of important design decisions to be made in choosing an appropriate protocol. In this paper the design requirements are reviewed and some recently proposed public key protocols for wireless communications are examined. A new public key protocol is also proposed. 1 Introduction Security requirements in the emerging third generation of wireless communications will be considerably more comprehensive than those in the current second generation digital systems. Cryptographic protocols and algorithms need to be used in order to satisfy these requirements. Probably the most critical security interface is that between the user and network, characterised by the radio connection. The security of this interface is paramount in preventing fraudulent access to ne...

Authentication can serve both for assigning responsibility and for giving credit. Some authentication protocols are adequate for one purpose but not the other. This paper explains the distinction between responsibility and credit, through several examples, and discusses the role of this distinction in the design and analysis of protocols. Contents 1 Responsibility and Credit 1 2 Four Examples 2 2.1 Signing a Public Key . . . . . . . . . . . . . . . . . . . . . . . 2 2.2 Encrypting a Session Key . . . . . . . . . . . . . . . . . . . . 4 2.3 Making a Session Key from Encrypted Shares . . . . . . . . . 5 2.4 The Station-to-Station Protocol . . . . . . . . . . . . . . . . . 7 3 Discussion 8 3.1 Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3.2 Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Acknowledgements 10 References 11 1 Responsibility and Credit Authentication can serve both for assigning responsibility and for giving credit. An ...

Abstract not found