Denial of serviceisbecoming a growing concern. As our systems communicate more and more with others that we know less and less, they become increasingly vulnerable to hostile intruders who may take advantage of the very protocols intended for the establishment and authentication of communication to tie up our resources and disable our servers. Since these attacks occur beforeparties are authenticatedtoeach other, we cannot rely upon enforcement of the appropriate access control policy to protect us #as is recommended in the classic work of Gligor and Millen in #5, 18, 19##. Instead we must build our defenses, as much as possible, into the protocols themselves. This paper shows how some principles that have already been used to make protocols moreresistant to denial of servicecan be formalized, and indicates the ways in which existing cryptographic protocol analysis tools could be modi#ed to operate within this formal framework. 1 Introduction Denial of service is becoming a growing c...

We introduce a definition of bisimulation for cryptographic protocols. The definition includes a simple and precise model of the knowledge of the environment with which a protocol interacts. Bisimulation is the basis of an effective proof technique, which yields proofs of classical security properties of protocols and also justifies certain protocol optimizations. The setting for our work is the spi calculus, an extension of the pi calculus with cryptographic primitives. We prove the soundness of the bisimulation proof technique within the spi calculus.

This paper presents a general approach for analysis and verification of authentication properties in the language of Communicating Sequential Processes (CSP). It is illustrated by an examination of the Needham-Schroeder public-key protocol. The contribution of this paper is to develop a specific theory appropriate to the analysis of authentication protocols, built on top of the general CSP semantic framework. This approach aims to combine the ability to express such protocols in a natural and precise way with the facility to reason formally about the properties they exhibit. 1 Introduction Authentication comes in a number of flavours. For example, Gollmann [6] has identified four different varieties of authentication, which raises the question for any particular authentication protocol as to which kind of authentication the protocol was designed for, and which kinds it actually provides. The aim of the CSP approach is to reduce questions about security protocols and properties to ques...

We propose an efficient automatic checking algorithm, Athena, for analyzing security protocols. Athena incorporates a logic that can express security properties including authentication, secrecy and properties related to electronic commerce. We have developed an automatic procedure for evaluating well-formed formulae in this logic. For a well-formed formula, if the evaluation procedure terminates, it will generate a counterexample if the formula is false, or provide a proof if the formula is true. Even when the procedure does not terminate when we allow any arbitrary configurations of the protocol execution, (for example, any number of initiators and responders), termination could be forced by bounding the number of concurrent protocol runs and the length of messages, as is done in most existing model checkers. Athena also exploits several state space reduction techniques. It is based on an extension of the recently proposed Strand Space Model [25] which captures exact causal relation information. Together with backward search and other techniques, Athena naturally avoids the state space explosion problem commonly caused by asynchronous composition and symmetry redundancy. Athena also has the advantage that it can easily incorporate results from theorem proving through unreachability theorems. By using the unreachability theorems, it can prune the state space at an early stage, hence, reduce the state space explored and increase the likely-hood of termination. As shown in our experiments, these techniques dramatically reduce the state space that needs to be explored.

protocol analysis

As more resources are added to computer networks, and as more vendors look to the World Wide Web as a viable marketplace, the importance of being able to restrict access and to insure some kind of acceptable behavior even in the presence of malicious adversaries becomes paramount. Many researchers have proposed the use of security protocols to provide these security guarantees. In this paper, we develop a method of verifying these protocols using a special purpose model checker which executes an exhaustive state space search of a protocol model. Our tool also includes a natural deduction style derivation engine which models the capabilities of the adversary trying to attack the protocol. Because our models are necessarily abstractions, we cannot prove a protocol correct. However, our tool is extremely useful as a debugger. We have used our tool to analyze 14 different authentication protocols, and have found the previously reported attacks for them. Keywords Model checking, security ...

. The spi calculus is an extension of the pi calculus with constructs for encryption and decryption. This paper develops the theory of the spi calculus, focusing on techniques for establishing testing equivalence, and applying these techniques to the proof of authenticity and secrecy properties of cryptographic protocols. 1 From Cryptography to Testing Equivalence The idea of controlling communication by capabilities underlies both the pi calculus and much of the current work on security in distributed systems (see e.g. [MPW92, Lie93, Sch96b]). In the pi calculus, channel names are capabilities; a process can use a channel only if it has invented or been given the name of the channel, but cannot guess this name. In work on security, on the other hand, the capabilities for communication are often keys, which are used for encrypting and decrypting messages that travel on otherwise unprotected channels. These observations motivate the definition of the spi calculus, an extension of the p...

This paper applies the theory of Communicating Sequential Processes (CSP) to the modelling and analysis of a non-repudiation protocol. Non-repudiation protocols differ from authentication and key-exchange protocols in that the participants require protection from each other, rather than from an external hostile agent. This means that the kinds of properties that are required of such a protocol, and the way it needs to be modelled to enable analysis, are different to the standard approaches taken to the more widely studied class of protocols and properties. A non-repudiation protocol proposed by Zhou and Gollmann is analysed within this framework, and this highlights some novel considerations that are required for this kind of protocol. 1. Introduction Over the past few years, formal methods have been successfully applied to the analysis of security protocols. The bulk of the effort has been concerned with authentication and confidentiality properties, and there are now a range of matu...

Denial of service is becoming a growing concern. As computer systems communicate more and more with others that they know less and less, they become increasingly vulnerable to hostile intruders who may take advantage of the very protocols intended for the establishment and authentication of communication to tie up resources and disable servers. This paper shows how some principles that have already been used to make cryptographic protocols more resistant to denial of service by trading off the cost to defender against the cost to the attacker can be formalized based on a modification of the Gong-Syverson fail-stop model of cryptographic protocols, and indicates the ways in which existing cryptographic protocol analysis tools could be modified to operate within this formal framework. We also indicate how this framework could be extended to protocols that do not make use of strong authentication. 1 1 INTRODUCTION 2 1 Introduction Denial of service is becoming a growing con...

We propose a new method and present a tool for the analysis of cryptographic protocols. The method is based on symbolic state space search. It can be used to analyze thoroughly an infinite state space if the infiniteness is caused only by the infiniteness of the enemy but not by an unbounded number of interleaved protocol runs nor unbounded behaviours of single protocol participants. The method is complete for the class of protocols it is defined for and does not require user interaction to work. 1 Introduction In this paper we consider the problem of analyzing cryptographic protocols by using symbolic state space enumeration and model checking. State space enumeration is the act of generating explicitly the state graph of a given system. By model checking we mean the act of verifying that the generated state graph has a certain structure defined by logical formulae. Symbolic state space enumeration is an extension of explicit state space enumeration: individual states are not enumer...