A Specification Language for Crypto-Protocols based on Multiset Rewriting, Dependent Types and Subsorting

MSR is an unambiguous, flexible, powerful and relatively simple specification framework for crypto-protocols. It uses multiset rewriting rules over first-order atomic formulas to express protocol actions and relies on a form of existential quantification to symbolically model the generation of nonces and other fresh data. It supports an array of useful static checks that include type-checking and data access verification. In this paper, we give a detailed presentation of the typing infrastructure of MSR, which is based on the theory of dependent types with subsorting. We prove that type-checking protocol specifications is decidable and show that execution preserves well-typing. We illustrate these features by formalizing a well-known protocol in MSR.
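To make the three ingredients of the abstract concrete (multiset rewriting over atomic formulas, existential quantification for fresh nonces, and dependent sorts with subsorting checked statically), here is a toy typed rewriting engine. It is an added example, not the paper's own notation or code: the sort lattice (princ, nonce, shK(A,B) <: msg), the constructors `pair`/`enc`, the predicates `L0`/`L1`/`Net`, the constants `alice`/`bob`/`kab` and the single protocol step are all assumptions made for illustration.

```python
"""Toy typed multiset rewriting in the spirit of MSR (illustration only)."""
from itertools import count

# Sorts: base sorts are strings; the dependent key sort shK(A,B) is a tuple.
SUBSORT = {"princ": "msg", "nonce": "msg"}   # assumed: princ, nonce, shK(A,B) <: msg

def subsort(s, t):
    """Reflexive-transitive subsorting check s <: t."""
    if s == t:
        return True
    if isinstance(s, tuple):                 # a shared key may itself be sent
        return t == "msg"
    return s in SUBSORT and subsort(SUBSORT[s], t)

class Var:
    """Rule variable with a declared sort (the sort may mention other Vars)."""
    def __init__(self, name, sort):
        self.name, self.sort = name, sort
    def __repr__(self):
        return "?" + self.name

# Assumed signature: sorts of constants and argument sorts of predicates.
# An int inside a predicate sort refers back to an earlier argument (dependency).
SIG = {"alice": "princ", "bob": "princ", "kab": ("shK", "alice", "bob")}
PRED = {
    "L0":  ["princ", "princ", ("shK", 0, 1)],           # A's initial role state
    "L1":  ["princ", "princ", ("shK", 0, 1), "nonce"],  # A after sending its nonce
    "Net": ["msg"],                                     # a message on the network
}

def sort_of(term):
    """Compute a term's sort; raise TypeError if it is ill-formed."""
    if isinstance(term, Var):
        return term.sort
    if isinstance(term, str):
        if term in SIG:
            return SIG[term]
        raise TypeError(f"unknown constant {term}")
    tag, *args = term
    if tag == "pair" and all(subsort(sort_of(a), "msg") for a in args):
        return "msg"
    if tag == "enc":                         # dependent constructor: key of sort shK(A,B)
        ks, ms = sort_of(args[0]), sort_of(args[1])
        if isinstance(ks, tuple) and ks[0] == "shK" and subsort(ms, "msg"):
            return "msg"
    raise TypeError(f"ill-typed term {term!r}")

def check_fact(fact):
    """Type-check one atomic formula P(t1..tn) against PRED, using subsorting."""
    name, *args = fact
    sig = PRED[name]
    if len(sig) != len(args):
        raise TypeError(f"arity mismatch in {fact!r}")
    for arg, exp in zip(args, sig):
        if isinstance(exp, tuple):           # resolve dependent indices to actual args
            exp = tuple(args[x] if isinstance(x, int) else x for x in exp)
        if not subsort(sort_of(arg), exp):
            raise TypeError(f"{arg!r} in {fact!r} has sort {sort_of(arg)}, expected {exp}")
    return True

class Rule:
    def __init__(self, lhs, fresh, rhs):
        self.lhs, self.fresh, self.rhs = lhs, fresh, rhs

def vars_in(term):
    if isinstance(term, Var):
        return {term}
    return set().union(*(vars_in(t) for t in term[1:])) if isinstance(term, tuple) else set()

def check_rule(rule):
    """Static check: all formulas well-typed, every rhs variable bound on the lhs or fresh."""
    for f in rule.lhs + rule.rhs:
        check_fact(f)
    bound = set().union(*(vars_in(f) for f in rule.lhs)) | set(rule.fresh)
    for f in rule.rhs:
        if not vars_in(f) <= bound:
            raise TypeError(f"unbound variables in {f!r}")
    return True

def match(pat, term, subst):
    if isinstance(pat, Var):
        if pat in subst:
            return subst if subst[pat] == term else None
        subst[pat] = term
        return subst
    if isinstance(pat, tuple) and isinstance(term, tuple) and len(pat) == len(term):
        return subst if all(match(p, t, subst) is not None for p, t in zip(pat, term)) else None
    return subst if pat == term else None

def inst(term, subst):
    if isinstance(term, Var):
        return subst[term]
    return tuple(inst(t, subst) for t in term) if isinstance(term, tuple) else term

_gensym = count(1)

def step(rule, state):
    """Apply `rule` once to the multiset `state`; return the new state or None."""
    def search(pats, subst, used):
        if not pats:
            return subst, used
        for i, fact in enumerate(state):
            if i not in used and (s := match(pats[0], fact, dict(subst))) is not None:
                if (found := search(pats[1:], s, used | {i})):
                    return found
        return None
    found = search(rule.lhs, {}, frozenset())
    if found is None:
        return None
    subst, used = found
    for v in rule.fresh:                     # existential: mint a fresh constant ...
        name = f"{v.name.lower()}{next(_gensym)}"
        SIG[name] = inst(v.sort, subst)      # ... and record its sort in the signature
        subst[v] = name
    return [f for i, f in enumerate(state) if i not in used] + [inst(f, subst) for f in rule.rhs]

A, B = Var("A", "princ"), Var("B", "princ")
K, N = Var("K", ("shK", A, B)), Var("N", "nonce")
# Assumed step  A -> B : {A, N}_K  as a rule with one fresh nonce N.
SEND = Rule(lhs=[("L0", A, B, K)], fresh=[N],
            rhs=[("L1", A, B, K, N), ("Net", ("enc", K, ("pair", A, N)))])

def well_typed(state):
    return all(check_fact(f) for f in state)

def bad_rule_rejected():
    """A rule that encrypts with a nonce instead of a shK(A,B) key fails the check."""
    bad = Rule(lhs=[("L0", A, B, K)], fresh=[N], rhs=[("Net", ("enc", N, A))])
    try:
        check_rule(bad)
    except TypeError:
        return True
    return False

def demo():
    """Type-check SEND, run it from a well-typed state, and re-check the result."""
    state = [("L0", "alice", "bob", "kab")]
    check_rule(SEND)
    state = step(SEND, state)
    return state, well_typed(state)

if __name__ == "__main__":
    print(demo(), bad_rule_rejected())
```

Running `demo()` consumes the `L0` fact, mints a nonce whose sort is added to the signature, and yields `L1` plus a `Net` fact carrying `enc(kab, pair(alice, n))`; the final `well_typed` call is the preservation property from the abstract checked on one step. `bad_rule_rejected()` shows the static check catching a rule that would encrypt under a nonce, which the dependent sort of `enc` rules out before any execution.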
