Results 1 - 2 of 2
Breaking and Fixing the Needham-Schroeder Public-Key Protocol using FDR
1996
Abstract - Cited by 548 (10 self)
In this paper we analyse the well known Needham-Schroeder Public-Key Protocol using FDR, a refinement checker for CSP. We use FDR to discover an attack upon the protocol, which allows an intruder to impersonate another agent. We adapt the protocol, and then use FDR to show that the new protocol is secure, at least for a small system. Finally we prove a result which tells us that if this small system is secure, then so is a system of arbitrary size. 1 Introduction In a distributed computer system, it is necessary to have some mechanism whereby a pair of agents can be assured of each other's identity---they should become sure that they really are talking to each other, rather than to an intruder impersonating the other agent. This is the role of an authentication protocol. In this paper we use the Failures Divergences Refinement Checker (FDR) [11, 5], a model checker for CSP, to analyse the Needham-Schroeder Public-Key Authentication Protocol [8]. FDR takes as input two CSP processes, ...
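The impersonation attack the abstract refers to, reconstructed as an added example (this is not code from the paper, which models the protocol in CSP for FDR): a symbolic Python model of the three-message protocol, the intruder's interleaving of two sessions, and the fix of naming the responder in the second message. Agent names A, B and I, nonce labels Na and Nb, and the Dolev-Yao style encryption model (a ciphertext names its recipient, and only that recipient can open it) are assumptions of this example, not identifiers from the page.

```python
"""Symbolic model of the Needham-Schroeder public-key protocol (NSPK),
the man-in-the-middle attack on it, and the fixed protocol (NSL).

Added example, not code from the paper. Encryption is symbolic: an Enc
value names its recipient and only that recipient may open it. The agent
and nonce names are illustrative constants chosen for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    """{payload}_pk(to): a message encrypted under `to`'s public key."""
    to: str
    payload: tuple


def decrypt(who: str, ct: Enc) -> tuple:
    """Only the holder of the matching private key can open a ciphertext."""
    if ct.to != who:
        raise PermissionError(f"{who} cannot open a message encrypted for {ct.to}")
    return ct.payload


class Initiator:
    """Role A. With lowe_fix=True it expects the responder's name in message 2."""

    def __init__(self, name: str, peer: str, nonce: str, lowe_fix: bool):
        self.name, self.peer, self.nonce, self.lowe_fix = name, peer, nonce, lowe_fix

    def msg1(self) -> Enc:
        # Message 1: A -> B : {Na, A}_pkB
        return Enc(self.peer, (self.nonce, self.name))

    def recv_msg2(self, ct: Enc) -> Enc:
        # Message 2: B -> A : {Na, Nb}_pkA   (fixed protocol: {Na, Nb, B}_pkA)
        fields = decrypt(self.name, ct)
        if self.lowe_fix:
            if len(fields) != 3:
                raise ValueError("malformed message 2")
            na, nb, responder = fields
            if responder != self.peer:
                raise ValueError(f"expected responder {self.peer}, got {responder}")
        else:
            if len(fields) != 2:
                raise ValueError("malformed message 2")
            na, nb = fields
        if na != self.nonce:
            raise ValueError("nonce Na does not match")
        # Message 3: A -> B : {Nb}_pkB
        return Enc(self.peer, (nb,))


class Responder:
    """Role B. Records which agent it believes it has authenticated."""

    def __init__(self, name: str, nonce: str, lowe_fix: bool):
        self.name, self.nonce, self.lowe_fix = name, nonce, lowe_fix
        self.peer = None
        self.authenticated = None

    def recv_msg1(self, ct: Enc) -> Enc:
        na, claimed = decrypt(self.name, ct)
        self.peer = claimed  # B provisionally believes the claimed identity
        payload = (na, self.nonce, self.name) if self.lowe_fix else (na, self.nonce)
        return Enc(claimed, payload)

    def recv_msg3(self, ct: Enc) -> str:
        (nb,) = decrypt(self.name, ct)
        if nb != self.nonce:
            raise ValueError("nonce Nb does not match")
        self.authenticated = self.peer  # B now believes it has talked to self.peer
        return self.authenticated


def honest_run(lowe_fix: bool) -> str:
    """A and B run the protocol with nobody in the middle; B should accept A."""
    a = Initiator("A", peer="B", nonce="Na", lowe_fix=lowe_fix)
    b = Responder("B", nonce="Nb", lowe_fix=lowe_fix)
    return b.recv_msg3(a.recv_msg2(b.recv_msg1(a.msg1())))


def lowe_attack(lowe_fix: bool) -> bool:
    """Interleave two sessions: A talks to I, and I replays A's messages to B
    while impersonating A. Returns True if B wrongly accepts A."""
    a = Initiator("A", peer="I", nonce="Na", lowe_fix=lowe_fix)
    b = Responder("B", nonce="Nb", lowe_fix=lowe_fix)

    m1 = a.msg1()                          # A -> I    : {Na, A}_pkI
    na, _ = decrypt("I", m1)               # I opens it with its own private key
    m2 = b.recv_msg1(Enc("B", (na, "A")))  # I(A) -> B : {Na, A}_pkB
    #                                        B -> I(A) : {Na, Nb}_pkA, which I cannot open
    try:
        m3 = a.recv_msg2(m2)               # I -> A    : forwards B's message unchanged
    except ValueError:
        return False                       # fixed protocol: A sees 'B' where it expected 'I'
    (nb,) = decrypt("I", m3)               # A -> I    : {Nb}_pkI reveals Nb to I
    b.recv_msg3(Enc("B", (nb,)))           # I(A) -> B : {Nb}_pkB
    return b.authenticated == "A"


if __name__ == "__main__":
    print("honest run, original:", honest_run(False), " fixed:", honest_run(True))
    print("attack succeeds on original protocol:", lowe_attack(False))
    print("attack succeeds on fixed protocol:", lowe_attack(True))
```

The fix works because message 2 is encrypted for A, so the intruder cannot strip the responder's name out of it before forwarding; A's check that the name matches the agent it started the session with is what breaks the interleaving.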
Combining Tools for the Verification of Fault-Tolerant Systems
In: Tools for System Development and Verification (Workshop Proceedings), BISS Monographs, Shaker, 1996
Abstract - Cited by 4 (3 self)
In this article, we describe an approach for the tool-supported development and verification of fault-tolerant systems according to the invent&verify paradigm. Our method is based on the CSP (Communicating Sequential Processes) specification language. It allows the desired properties of a system to be expressed as implicit specifications (assertions about traces and refusals), explicit specifications (CSP process terms), refinement relations or combinations of these three description formalisms. From our experience with industrial verification projects, this possibility to choose between different specification paradigms according to the specific needs of each development step is essential to cope with large-scale formal development and verification projects. Each top-down development step according to the invent&verify paradigm introduces a verification obligation whose type depends on the specification techniques applied for the different components involved in the step. We describe...

