Results 1 - 4 of 4
Tripartite Authenticated Key Agreement Protocols from Pairings, 2002
Cited by 30 (1 self)
Joux's protocol [29] is a one round, tripartite key agreement protocol that is more bandwidth-efficient than any previous three-party key agreement protocol. But it is insecure, suffering from a simple man-in-the-middle attack. This paper shows how to make Joux's protocol secure, presenting several tripartite, authenticated key agreement protocols that still require only one round of communication and no signature computations. A pass-optimal authenticated and key confirmed tripartite protocol that generalises the station-to-station protocol is also presented. The security properties of the new protocols are studied using provable security methods and heuristic approaches. Applications for the protocols are also discussed.
Authenticated Three Party Key Agreement Protocols from Pairings, 2002
Cited by 20 (2 self)
This paper takes the pairing-based tripartite key agreement protocol of Joux and develops it to produce three-party key agreement protocols offering additional security properties. We present a number of tripartite, one round, authenticated protocols related to the MTI and MQV protocols. We also present pass-optimal authenticated and key confirmed tripartite protocols that generalise the station-to-station protocol.
Modal Specifications of Trace-Based Security Properties
- Proceedings of the Second International Workshop on Security of Mobile Multiagent Systems, 2002
Cited by 2 (0 self)
We introduce a multi-modal logic that combines complementary features of authentication logics and trace-based approaches. Our logic contains two kinds of modalities: implicit belief, which formalizes the view of an external agent reasoning about interleaved protocol executions, and explicit belief, which uses awareness to model the resource-bounded reasoning of the agents involved in the executions. We employ these modalities to formalize extensional and intensional specifications of protocols and their properties, and use these formalizations to characterize and reason about attacks. As an example, we consider the Needham-Schroeder Public Key protocol and use our logic to demonstrate the existence of the well-known man-in-the-middle attack, and also show the equivalence of our modal specification to one based on an interleaved trace semantics.
Modelling and Verification of Authentication Protocols
There is a substantial need of tools and methods for verification of security protocols due to the increasing use of distributed systems. We present a general framework for modelling infinite-state authentication protocols that allows an unbounded number of protocol participants. A method for verification by performing a backwards reachability analysis, where sets of insecure states are specified using constraints, is also presented. The method is illustrated by a model of the Needham-Schroeder public key protocol for which a security property is verified.

