A Bisimulation Method for Cryptographic Protocols

We introduce a definition of bisimulation for cryptographic protocols. The definition includes a simple and precise model of the knowledge of the environment with which a protocol interacts. Bisimulation is the basis of an effective proof technique, which yields proofs of classical security properties of protocols and also justifies certain protocol optimizations. The setting for our work is the spi calculus, an extension of the pi calculus with cryptographic primitives. We prove the soundness of the bisimulation proof technique within the spi calculus.

[1]  B. Pierce,et al.  Typing and subtyping for mobile processes , 1993, [1993] Proceedings Eighth Annual IEEE Symposium on Logic in Computer Science.

[2]  Steve A. Schneider Security properties and CSP , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[3]  Ralph Howard,et al.  Data encryption standard , 1987 .

[4]  Jonathan K. Millen,et al.  The Interrogator: Protocol Secuity Analysis , 1987, IEEE Transactions on Software Engineering.

[5]  Jonathan K. Millen,et al.  The Interrogator model , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[6]  Yu. A. Gur'yan,et al.  Parts I and II , 1982 .

[7]  Catherine A. Meadows,et al.  Applying Formal Methods to the Analysis of a Key Management Protocol , 1992, J. Comput. Secur..

[8]  James W. Gray,et al.  Using temporal logic to specify and verify cryptographic protocols , 1995, Proceedings The Eighth IEEE Computer Security Foundations Workshop.

[9]  Martín Abadi,et al.  Secrecy by typing in security protocols , 1999, JACM.

[10]  Robin Milner,et al.  A Calculus of Mobile Processes, II , 1992, Inf. Comput..

[11]  Bruce Schneier,et al.  Applied cryptography : protocols, algorithms, and source codein C , 1996 .

[12]  Bernard P. Zajac Applied cryptography: Protocols, algorithms, and source code in C , 1994 .

[13]  Davide Sangiorgi,et al.  Typing and subtyping for mobile processes , 1993, [1993] Proceedings Eighth Annual IEEE Symposium on Logic in Computer Science.

[14]  Robin Milner,et al.  A Calculus of Mobile Processes, II , 1992, Inf. Comput..

[15]  Roberto Gorrieri,et al.  A Taxonomy of Security Properties for Process Algebras , 1995, J. Comput. Secur..

[16]  J. Davenport Editor , 1960 .

[17]  Dominique Bolignano An approach to the formal verification of cryptographic protocols , 1996, CCS '96.

[18]  Roberto Gorrieri,et al.  A Classification of Security Properties , 1993 .

[19]  Andrew M. Pitts,et al.  Observable Properties of Higher Order Functions that Dynamically Create Local Names, or What's new? , 1993, MFCS.

[20]  Martín Abadi,et al.  A calculus for cryptographic protocols: the spi calculus , 1997, CCS '97.

[21]  Martín Abadi,et al.  Reasoning about Cryptographic Protocols in the Spi Calculus , 1997, CONCUR.

[22]  Gavin Lowe,et al.  Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR , 1996, Softw. Concepts Tools.

[23]  Lawrence C. Paulson,et al.  Proving properties of security protocols by induction , 1997, Proceedings 10th Computer Security Foundations Workshop.

[24]  Martín Abadi,et al.  Secrecy by Typing inSecurity Protocols , 1997, TACS.

[25]  Robin Milner,et al.  Communication and concurrency , 1989, PHI Series in computer science.

[26]  Bruce Schneier,et al.  Applied cryptography (2nd ed.): protocols, algorithms, and source code in C , 1995 .

[27]  David Park,et al.  Concurrency and Automata on Infinite Sequences , 1981, Theoretical Computer Science.

[28]  Richard A. Kemmerer,et al.  Analyzing encryption protocols using formal verification techniques , 1989, IEEE J. Sel. Areas Commun..

[29]  Dominique Bolignano An Approach to the Formal Veriication of Cryptographic Protocols , 1996 .