A meta-notation for protocol analysis

Most formal approaches to security protocol analysis are based on a set of assumptions commonly referred to as the "Dolev-Yao model". In this paper, we use a multiset rewriting formalism, based on linear logic, to state the basic assumptions of this model. A characteristic of our formalism is the way that existential quantification provides a succinct way of choosing new values, such as new keys or nonces. We define a class of theories in this formalism that correspond to finite-length protocols, with a bounded initialization phase but allowing unboundedly many instances of each protocol role (e.g., client, server; initiator or responder). Undecidability is proved for a restricted class of these protocols, and PSPACE-completeness is claimed for a class further restricted to have no new data (nonces). Since it is a fragment of linear logic, we can use our notation directly as input to linear logic tools, allowing us to do proof search for attacks with relatively little programming effort, and to formally verify protocol transformations and optimizations.
