Summary

The verification problem for security protocols can be formulated as follows: given an abstract specification of the protocol as a sequence of communications between agents, is it the case that every run generated by possible multi-sessions between agents, with a hypothetical intruder interleaving arbitrarily many actions, satisfies the given security requirements? There are many requirements, but an important (and central) one is secrecy: a secret generated by an honest agent should not be leaked to the intruder, who is assumed to have unlimited computational resources and can keep a record of every public system event and use it at an arbitrarily later time. However, the intruder cannot generate an honest agent's secret autonomously, nor can it break encryption. A crucial requirement on runs is freshness: every time an agent sends out a secret (a nonce), it is a new one, an obvious requirement if the intruder is to be prevented from replaying old sessions. But this means that when there is no bound on the number of plays of roles by agents, the number of nonces used grows unboundedly as well. [DLMS99] pinpoint such unbounded generation of nonces as a problem, and use it to show that the secrecy problem for protocols is undecidable, even when the number of roles, the length of each role and the message length are bounded. They go on to show that for systems without the freshness constraint, the problem becomes decidable. In fact, decidability is obtained as long as the honest agents are finite-state systems, which is equivalent to placing a bound on the number of fresh nonces they generate. An alternative to bounding fresh nonces is to look for subclasses of protocols in which, by virtue of the manner in which communication patterns between agents are structured, decidability obtains.

The definition of such a subclass is arrived at by a detailed analysis of the undecidability proof; while we cannot hope for an exact characterization, it suffices to come up with a restriction that is strong enough to exclude the "source" of undecidability while still retaining a large enough class of interesting protocols. In this paper, we propose a simple syntactic restriction on protocols and show that it achieves this purpose. The condition essentially states that between any two terms that occur in distinct communications, no encrypted subterm
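The intruder model sketched above (records every message, decomposes and recombines what it has seen, but cannot break encryption or invent an honest agent's nonce) can be made concrete as a Dolev-Yao deduction check. The following is an added example, not code from the paper or from [DLMS99]; the term encoding, the two-message toy protocol in `session`, and the names `A`, `B`, `Na*`, `Nb*` are all constructed here for illustration. Public keys are assumed to be known to everyone. It computes the intruder's knowledge from an observed trace and then asks whether a given nonce is derivable, which is exactly the secrecy question for a passive run, and it shows why freshness matters: the same protocol keeps `Nb` secret when `Na` is fresh and leaks it when an old `Na` the intruder already holds is reused.

```python
"""Dolev-Yao intruder deduction over a trace of observed messages (added example).

Term encoding (constructed for this example):
  'Na', 'A', 'Kab'           atoms: nonces, agent names, keys
  ('pair', t1, t2)           concatenation
  ('senc', m, k)             symmetric encryption of m under key term k
  ('aenc', m, ('pk', X))     asymmetric encryption under X's public key
  ('pk', X) / ('sk', X)      X's public / private key
Assumptions: public keys are public; the intruder cannot break encryption and
cannot guess an honest agent's nonce (it only knows what it has observed or
been given as prior knowledge).
"""
from typing import Iterable, Union

Term = Union[str, tuple]


def synthesizable(t: Term, known: frozenset) -> bool:
    """Can the intruder BUILD t from `known` by pairing and encrypting only?"""
    if t in known:
        return True
    if isinstance(t, tuple):
        tag = t[0]
        if tag == 'pk':                      # assumption: public keys are public
            return True
        if tag in ('pair', 'senc', 'aenc'):  # constructors need both arguments
            return synthesizable(t[1], known) and synthesizable(t[2], known)
    return False                             # atoms never seen cannot be guessed


def analyze(observed: Iterable[Term]) -> frozenset:
    """Close `observed` under decomposition: split pairs, decrypt only when the
    decryption key is itself obtainable. Iterates to a fixpoint."""
    known = set(observed)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            tag, new = t[0], set()
            if tag == 'pair':
                new = {t[1], t[2]}
            elif tag == 'senc' and synthesizable(t[2], frozenset(known)):
                new = {t[1]}
            elif (tag == 'aenc' and isinstance(t[2], tuple) and t[2][0] == 'pk'
                  and synthesizable(('sk', t[2][1]), frozenset(known))):
                new = {t[1]}
            if not new <= known:
                known |= new
                changed = True
    return frozenset(known)


def derivable(t: Term, observed: Iterable[Term]) -> bool:
    """Dolev-Yao derivability: analyze the trace, then try to synthesize the target."""
    return synthesizable(t, analyze(observed))


def session(na: str, nb: str) -> list:
    """One run of a toy two-message protocol (constructed for this example):
         A -> B : aenc(pair(na, A), pk(B))   B learns na
         B -> A : senc(nb, na)               nb is sent under na as a one-time key
    """
    return [('aenc', ('pair', na, 'A'), ('pk', 'B')), ('senc', nb, na)]


def secret_leaked(trace: Iterable[Term], secret: Term, prior: Iterable[Term] = ()) -> bool:
    """Secrecy check for a passive intruder with optional prior knowledge."""
    return derivable(secret, set(trace) | set(prior))


if __name__ == '__main__':
    # Fresh nonces: the intruder sees both messages but holds no key for either.
    print('fresh run leaks Nb1:', secret_leaked(session('Na1', 'Nb1'), 'Nb1'))
    # Stale nonce: A reuses Na0, which the intruder already learned earlier.
    print('stale run leaks Nb2:', secret_leaked(session('Na0', 'Nb2'), 'Nb2', prior={'Na0'}))
    # Compromised B: sk(B) lets the intruder peel both layers.
    print('sk(B) leaks Nb1:', secret_leaked(session('Na1', 'Nb1'), 'Nb1', prior={('sk', 'B')}))
```

The `analyze`/`synthesizable` split is the standard way to keep the check finite: decomposition saturates (the intruder's knowledge only grows by subterms of what it saw), while composition is checked top-down against the target instead of enumerating the infinitely many pairs and ciphertexts the intruder could form. The example is a single passive run; the undecidability discussed in the paper arises once unboundedly many sessions with fresh nonces are interleaved and the intruder may also inject messages, which this snippet does not model.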