Protocol-independent secrecy

Inductive proofs of secrecy invariants for cryptographic protocols can be facilitated by separating the protocol-dependent part from the protocol-independent part. Our secrecy theorem encapsulates the use of induction so that the discharge of protocol-specific proof obligations is reduced to first-order reasoning. Also, the verification conditions are modularly associated with the protocol messages. Secrecy proofs for Otway-Rees (1987) and the corrected Needham-Schroeder protocol are given.

[1] Steve A. Schneider. Verifying Authentication Protocols in CSP, 1998, IEEE Trans. Software Eng.

[2] Gavin Lowe, et al. Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR, 1996, Softw. Concepts Tools.

[3] Martín Abadi, et al. A logic of authentication, 1990, TOCS.

[4] Lawrence C. Paulson, et al. The Inductive Approach to Verifying Cryptographic Protocols, 2021, J. Comput. Secur.

[5] Owen Rees, et al. Efficient and timely mutual authentication, 1987, OPSR.

[6] John C. Mitchell, et al. Undecidability of bounded security protocols, 1999.

[7] Jonathan Millen. A Necessarily Parallel Attack, 1999.

[8] Li Gong, et al. Reasoning about belief in cryptographic protocols, 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[9] José Meseguer, et al. Initiality, induction, and computability, 1986.

[10] Natarajan Shankar, et al. PVS: A Prototype Verification System, 1992, CADE.

[11] Joshua D. Guttman, et al. Honest ideals on strand spaces, 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).