A Calculus for Cryptographic Protocols: The spi Calculus

We introduce the spi calculus, an extension of the pi calculus designed for describing and analyzing cryptographic protocols. We show how to use the spi calculus, particularly for studying authentication protocols. The pi calculus (without extension) suffices for some abstract protocols; the spi calculus enables us to consider cryptographic issues in more detail. We represent protocols as processes in the spi calculus and state their security properties in terms of coarse-grained notions of protocol equivalence.

[1]  Bruce Schneier,et al.  Applied cryptography : protocols, algorithms, and source codein C , 1996 .

[2]  Wenbo Mao,et al.  On two proposals for on-line bankcard payments using open networks: problems and solutions , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[3]  Rocco De Nicola,et al.  Testing Equivalences for Processes , 1984, Theor. Comput. Sci..

[4]  Lawrence C. Paulson,et al.  Proving properties of security protocols by induction , 1997, Proceedings 10th Computer Security Foundations Workshop.

[5]  Rocco De Nicola,et al.  Testing Equivalence for Mobile Processes , 1995, Inf. Comput..

[6]  Jonathan K. Millen,et al.  The Interrogator model , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[7]  Martín Abadi,et al.  Secrecy by Typing inSecurity Protocols , 1997, TACS.

[8]  Robin Milner,et al.  Functions as processes , 1990, Mathematical Structures in Computer Science.

[9]  Andrew D. Gordon Bisimilarity as a theory of functional programming , 1995, MFPS.

[10]  Steve A. Schneider Security properties and CSP , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[11]  Catherine A. Meadows,et al.  Applying Formal Methods to the Analysis of a Key Management Protocol , 1992, J. Comput. Secur..

[12]  Martín Abadi,et al.  A calculus for access control in distributed systems , 1991, TOPL.

[13]  Martín Abadi,et al.  Prudent Engineering Practice for Cryptographic Protocols , 1994, IEEE Trans. Software Eng..

[14]  Robin Milner,et al.  Communication and concurrency , 1989, PHI Series in computer science.

[15]  Martín Abadi,et al.  A calculus for cryptographic protocols: the spi calculus , 1997, CCS '97.

[16]  Armin Liebl,et al.  Authentication in distributed systems: a bibliography , 1993, OPSR.

[17]  Martín Abadi,et al.  Reasoning about Cryptographic Protocols in the Spi Calculus , 1997, CONCUR.

[18]  B. Pierce,et al.  Typing and subtyping for mobile processes , 1993, [1993] Proceedings Eighth Annual IEEE Symposium on Logic in Computer Science.

[19]  C. A. R. Hoare,et al.  Communicating Sequential Processes (Reprint) , 1983, Commun. ACM.

[20]  Martín Abadi,et al.  A logic of authentication , 1989, Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences.

[21]  Richard A. Kemmerer,et al.  Analyzing encryption protocols using formal verification techniques , 1989, IEEE J. Sel. Areas Commun..

[22]  Roger M. Needham,et al.  Using encryption for authentication in large networks of computers , 1978, CACM.

[23]  Danny Dolev,et al.  On the Security of Public Key Protocols (Extended Abstract) , 1981, FOCS.

[24]  Davide Sangiorgi,et al.  On the bisimulation proof method , 1998, Mathematical Structures in Computer Science.

[25]  Martín Abadi,et al.  Authentication in distributed systems: theory and practice , 1991, SOSP '91.

[26]  Robin Milner,et al.  Barbed Bisimulation , 1992, ICALP.

[27]  Mihir Bellare,et al.  Provably secure session key distribution: the three party case , 1995, STOC '95.

[28]  Adi Shamir,et al.  A method for obtaining digital signatures and public-key cryptosystems , 1978, CACM.

[29]  Gavin Lowe,et al.  Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR , 1996, Softw. Concepts Tools.

[30]  Whitfield Diffie,et al.  New Directions in Cryptography , 1976, IEEE Trans. Inf. Theory.

[31]  Jonathan K. Millen,et al.  The Interrogator: Protocol Secuity Analysis , 1987, IEEE Transactions on Software Engineering.

[32]  Martín Abadi,et al.  A Bisimulation Method for Cryptographic Protocols , 1998, Nord. J. Comput..

[33]  James W. Gray,et al.  Using temporal logic to specify and verify cryptographic protocols , 1995, Proceedings The Eighth IEEE Computer Security Foundations Workshop.