## A Compositional Logic for Protocol Correctness (2001)

Venue: In Proceedings of 14th IEEE Computer Security Foundations Workshop

Citations: 33 - 14 self

### BibTeX

```
@INPROCEEDINGS{Durgin01acompositional,
    author = {Nancy Durgin and John Mitchell and Dusko Pavlovic},
    title = {A Compositional Logic for Protocol Correctness},
    booktitle = {In Proceedings of 14th IEEE Computer Security Foundations Workshop},
    year = {2001},
    pages = {241--255},
    publisher = {IEEE}
}
```

### Abstract

We present a specialized protocol logic that is built around a process language for describing the actions of a protocol. In general terms, the relation between logic and protocol is like the relation between assertions in Floyd-Hoare logic and standard imperative programs. Like Floyd-Hoare logic, our logic contains axioms and inference rules for each of the main protocol actions and proofs are protocol-directed, meaning that the outline of a proof of correctness follows the sequence of actions in the protocol. We prove that the protocol logic is sound, in a specific sense: each provable assertion about an action or sequence of actions holds in any run of the protocol, under attack, in which the given actions occur. This approach lets us prove properties of protocols that hold in all runs, while explicitly reasoning only about the sequence of actions needed to achieve this property. In particular, no explicit reasoning about the potential actions of an attacker is required.

### Citations

1138 | A Logic of Authentication
- Burrows, Abadi, et al.
- 1989
Citation Context ...ing about the potential actions of an attacker is required. 1 Introduction There has been considerable research on formal analysis of security protocols, ranging from BAN logic and related approaches [2, 6, 19] to finite-state analysis [18, 14] and proof methods based on higher-order logic [16]. Most approaches in current use are based on enumeration or reasoning about a set of protocol traces, each trace o...

1047 | On the security of public-key protocols
- Dolev, Yao
- 1983
Citation Context ... generating and sending new messages. This is the standard "Dolev-Yao model", which appears to have developed from positions taken by Needham and Schroeder [15] and a model presented by Dolev and Yao [4]; see also [3]. A run of a protocol with attacker starts with selection of some number of honest principals and assignment of one or more roles to each honest principal. In addition, a number of compr...

864 | Using encryption for authentication in large networks of computers
- Needham, Schroeder
Citation Context ...5 (and in the appendix), with concluding remarks collected in section 6. The example in section 5 shows how we can prove correctness of Lowe's variant [8] of the Needham-Schroeder public key protocol [15]. A brief discussion in that section also shows how the same proof outline fails to produce a correct proof for the original Needham-Schroeder protocol, since Alice cannot correctly establish the iden...

785 | A calculus for cryptographic protocols: The spi calculus
- Abadi, Gordon
- 1997
Citation Context ...uggestion. 2 Communicating Cords Cords are the formalism we use to represent protocols and their parts. They form an action calculus [9, 10, 17], based on π-calculus [13], and related to spi-calculus [1]. The basic idea of π-calculus is to represent communication by term reduction, so that the communication links can be created dynamically [12]. The idea of spi is to add to π the suitable constructor...

613 | Breaking and fixing the Needham-Schroeder public-key protocol using CSP and FDR
- Lowe
- 1996
Citation Context ...ection 4. A sample proof is discussed in section 5 (and in the appendix), with concluding remarks collected in section 6. The example in section 5 shows how we can prove correctness of Lowe's variant [8] of the Needham-Schroeder public key protocol [15]. A brief discussion in that section also shows how the same proof outline fails to produce a correct proof for the original Needham-Schroeder protoco...

262 | Automated analysis of cryptographic protocols using Murφ
- Mitchell, Mitchell, et al.
- 1997
Citation Context ...n attacker is required. 1 Introduction There has been considerable research on formal analysis of security protocols, ranging from BAN logic and related approaches [2, 6, 19] to finite-state analysis [18, 14] and proof methods based on higher-order logic [16]. Most approaches in current use are based on enumeration or reasoning about a set of protocol traces, each trace obtained by combining protocol acti...

189 | A calculus of mobile processes, parts
- Milner, Parrow, et al.
- 1992
Citation Context ... is repaired according to Lowe's suggestion. 2 Communicating Cords Cords are the formalism we use to represent protocols and their parts. They form an action calculus [9, 10, 17], based on π-calculus [13], and related to spi-calculus [1]. The basic idea of π-calculus is to represent communication by term reduction, so that the communication links can be created dynamically [12]. The idea of spi is to ...

188 | Reasoning about Belief in Cryptographic Protocols
- Needham, Yahalom, et al.
- 1990
Citation Context ...ing about the potential actions of an attacker is required. 1 Introduction There has been considerable research on formal analysis of security protocols, ranging from BAN logic and related approaches [2, 6, 19] to finite-state analysis [18, 14] and proof methods based on higher-order logic [16]. Most approaches in current use are based on enumeration or reasoning about a set of protocol traces, each trace o...

150 | Proving properties of security protocols by induction
- Paulson
- 1997
Citation Context ...onsiderable research on formal analysis of security protocols, ranging from BAN logic and related approaches [2, 6, 19] to finite-state analysis [18, 14] and proof methods based on higher-order logic [16]. Most approaches in current use are based on enumeration or reasoning about a set of protocol traces, each trace obtained by combining protocol actions with actions of a malicious intruder. While aut...

143 | A meta-notation for protocol analysis
- Cervesato, Durgin, et al.
- 1999
Citation Context ...d sending new messages. This is the standard "Dolev-Yao model", which appears to have developed from positions taken by Needham and Schroeder [15] and a model presented by Dolev and Yao [4]; see also [3]. A run of a protocol with attacker starts with selection of some number of honest principals and assignment of one or more roles to each honest principal. In addition, a number of compromised keys ar...

107 | Strand Spaces: Why is a Security Protocol Correct
- 1998
Citation Context ... For instance, an arrows-and-messages picture of Lowe's variant [8] of the Needham-Schroeder public key protocol [15], which we will refer to as NSL, might look something like Figure 1. Strand spaces [5] have been developed in an effort towards formalizing this language. The messages are captured in a term calculus, and decorated by + and -, respectively denoting the send and the receive actions. The...

100 | Communicating and mobile systems: the π-calculus
- Milner
- 1999
Citation Context ...7], based on π-calculus [13], and related to spi-calculus [1]. The basic idea of π-calculus is to represent communication by term reduction, so that the communication links can be created dynamically [12]. The idea of spi is to add to π the suitable constructors for encryption and decryption, and analyze secure communication in terms of bisimulations and process equivalences. 1 We treat the encryption...

100 | On Unifying Some Cryptographic Protocol Logic
- Syverson, Oorschot
- 1994
Citation Context ...ing about the potential actions of an attacker is required. 1 Introduction There has been considerable research on formal analysis of security protocols, ranging from BAN logic and related approaches [2, 6, 19] to finite-state analysis [18, 14] and proof methods based on higher-order logic [16]. Most approaches in current use are based on enumeration or reasoning about a set of protocol traces, each trace o...

96 | Modelling and Verifying Key-Exchange Protocols Using
- Roscoe
- 1995
Citation Context ...n attacker is required. 1 Introduction There has been considerable research on formal analysis of security protocols, ranging from BAN logic and related approaches [2, 6, 19] to finite-state analysis [18, 14] and proof methods based on higher-order logic [16]. Most approaches in current use are based on enumeration or reasoning about a set of protocol traces, each trace obtained by combining protocol acti...

34 | Action Structures
- Milner
- 1992
Citation Context ...the responder unless the protocol is repaired according to Lowe's suggestion. 2 Communicating Cords Cords are the formalism we use to represent protocols and their parts. They form an action calculus [9, 10, 17], based on π-calculus [13], and related to spi-calculus [1]. The basic idea of π-calculus is to represent communication by term reduction, so that the communication links can be created dynamically [1...

21 | Categorical logic of names and abstraction in action calculi
- Pavlovic
- 1997
Citation Context ...the responder unless the protocol is repaired according to Lowe's suggestion. 2 Communicating Cords Cords are the formalism we use to represent protocols and their parts. They form an action calculus [9, 10, 17], based on π-calculus [13], and related to spi-calculus [1]. The basic idea of π-calculus is to represent communication by term reduction, so that the communication links can be created dynamically [1...

20 | Action Calculi, or Syntactic Action Structures
- Milner
- 1993
Citation Context ... a protocol, not about the attacker. 2.5 Static binding and cord category Finally, as the reader familiar with action calculus may have noticed, cords, taken as particles, generate an action category [11, 17]. 2 The idea is that a cord space C, displayed in the form # = (x 0 . . . x i-1 )C#y 0 . . . y j-1 # can be viewed as an arrow # : i -# j, where arities i,j are the objects of the category. The variab...

12 | A compositional protocol verification using relativized bisimulation
- Larsen, Milner
- 1992
Citation Context ...rs come about, e.g., when a role is sent a term encrypted by someone else's key, which it should forward, rather than attempt to decrypt. More gen... (Footnote 1: A notable earlier attempt at a similar approach was [7].) [Figure 1. NSL as Arrows and Messages] A = +{|A, m|}B -{|m, B, n|}A +{|n|}B, B = -{|A, m|}B +{|m, B, n|}A -{|n|}B Figure ...

7 | Action calculi and the pi-calculus
- Milner
- 1993
Citation Context ...the responder unless the protocol is repaired according to Lowe's suggestion. 2 Communicating Cords Cords are the formalism we use to represent protocols and their parts. They form an action calculus [9, 10, 17], based on π-calculus [13], and related to spi-calculus [1]. The basic idea of π-calculus is to represent communication by term reduction, so that the communication links can be created dynamically [1...