We propose a new method to check authenticity properties of cryptographic protocols. First, code up the protocol in the spi-calculus of Abadi and Gordon. Second, specify authenticity properties by annotating the code with correspondence assertions in the style of Woo and Lam. Third, figure out types for the keys, nonces, and messages of the protocol. Fourth, check that the spi-calculus code is welltyped according to a novel type and effect system presented in this paper. Our main theorem guarantees that any welltyped protocol is robustly safe, that is, its correspondence assertions are true in the presence of any opponent expressible in spi. 1 Verifying Correspondences by Typing Spi We propose a new method for analysing authenticity

Many security protocols have appeared in the literature, with aims such as agreeing upon a cryptographic key, or achieving authentication. However, many of these have been shown to be flawed. In this paper we present a number of new attacks upon security protocols, and discuss ways in which we may avoid designing incorrect protocols in the future. 1. Introduction Many security protocols have appeared in the literature; these have various aims, such as agreeing upon a cryptographic key, or achieving authentication, where each agent becomes assured of the other's identity. Unfortunately, a large proportion of these protocols are subject to attacks, leading to them not correctly achieving their goals. In this paper, we present a few more attacks upon such protocols. The main point of this paper is to highlight the fact that, despite much research on the subject, many insecure protocols are still being produced. Further, most of the weaknesses that allow the attacks are well known. Our h...

This paper presents a methodology to facilitate the design and analysis of secure cryptographic protocols. This work is based on a novel notion of a fail-stop protocol, which automatically halts in response to any active attack. This paper suggests types of protocols that are fail-stop, outlines some proof techniques for them, and uses examples to illustrate how the notion of a failstop protocol can make protocol design easier and can provide a more solid basis for some proposed protocol analysis methods.

where afield that was originally intended to have one type is subsequently interpreted as having another type. A number of type fiaw attacks' have appeared in the academic literature. In this' paper we prove that type flaw attacks' can be prevented using a simple technique of tagging each field with some information indicating its' intended type.

Cryptographic protocols are used in distributed systems to identify users and authenticate transactions. They may involve the exchange of about 2--5 messages, and one might think that a program of this size would be fairly easy to get right. However, this is absolutely not the case: bugs are routinely found in well known protocols, and years after they were first published. The problem is the presence of a hostile opponent, who can alter messages at will. In effect, our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. This is a fascinating problem; and we hope that the lessons learned from programming Satan 's computer may be helpful in tackling the more common problem of programming Murphy's.

Many security properties of cryptographic protocols can be all seen as specific instances of a general property, we called Non Deducibility on Composition (NDC), that we proposed a few years ago for studying information flow properties in computer systems. The advantage of our unifying theory is that formal comparison among these properties is now easier and that the full generality of NDC has helped us in finding a few new attacks on cryptographic protocols.

We examine multi-party key agreement protocols that provide (i) key authentication, (ii) key confirmation and (iii) forward secrecy. Several minor (repairable) attacks are presented against previous two-party key agreement schemes and a model for key agreement is presented that provably provides the properties listed above. A generalization of the Burmester-Desmedt model (Eurocrypt '94) for multi-party key agreement is given, allowing a transformation of any two-party key agreement scheme into a multi-party scheme. Multi-party schemes (based on the general model and two specific 2-party schemes) are presented that reduce the number of rounds required for key computation compared to the specific Burmester-Desmedt scheme. It is also shown how the specific Burmester-Desmedt scheme fails to provide key authentication. 1991 AMS Classification: 94A60 CR Categories: D.4.6 Key Words: multi-party, key agreement, key authentication, key confirmation, forward secrecy. Carleton University, Sc...

Predator and scavenger aggregation to discarded by-catch from dredge fisheries: importance of damage level

A novel protocol has been formally analyzed using the prover Isabelle/HOL, following the inductive approach described in earlier work [11]. There is no limit on the length of a run, the nesting of messages or the number of agents involved. A single run of the protocol delivers session keys for all the agents, allowing neighbours to perform mutual authentication. The basic security theorem states that session keys are correctly delivered to adjacent pairs of honest agents, regardless of whether other agents in the chain are compromised. The protocol's complexity caused some difficulties in the specification and proofs, but its symmetry reduced the number of theorems to prove. CONTENTS i Contents 1 Introduction 1 2 The Recursive Authentication Protocol 2 3 Review of the Inductive Approach 4 4 A Formalization of Hashing 6 5 Modelling the Protocol 7 5.1 Modelling the Server . . . . . . . . . . . . . . . . . . . . . . . 8 5.2 A Coarser Model of the Server . . . . . . . . . . . . . . . . ....

We present a new technique for verifying authenticity in cryptographic protocols. This technique is fully automatic, it can handle an unbounded number of sessions of the protocol, and it is efficient in practice. It significantly extends a previous technique for the verification of secrecy. The protocol is represented in an extension of the pi calculus with fairly arbitrary cryptographic primitives. This protocol representation includes the authentication specification to be verified, but no other annotation. Our technique has been proved correct, implemented, and tested on various protocols from the literature. The experimental results show that we can verify these protocols in less than 1 s.