Results 1 - 3 of 3
What is Correctness of Security Protocols?
Cited by 1 (0 self)
Abstract. This title question has been seeing a number of researchers up many nights long. As soon as major protocol flaws were discovered empirically — a good luck that is not older than the early 1990s — this question came up to the world. It was soon realised that some notion of formal correctness was necessary to substantiate the confidence derived from informal analyses. But protocol correctness was born in a decade when security in general was only beginning to ferment. Security protocols aim at such a variety of goals that only their various human understandings could further enlarge. This is partly due to the increasing domains where the protocols are finding an application, such as secure access to local-area network services, secure e-mail, e-commerce, public-key registration at certification authorities and so on. But it is also significantly due to the variety of interpretations that virtually each researcher tends to use for each goal. As it is clear to any expert in formal methods, it is impossible to study
Retaliation Against Protocol Attacks
Security protocols intend to give their parties reasonable assurance that certain security properties will protect their communication session. However, the literature confirms that the protocols may suffer subtle and hidden attacks. Flawed protocols are customarily sent back to the design process, but the costs of reengineering a deployed protocol may be prohibitive. This paper outlines the concept of retaliation: who would steal a sum of money today, should this pose significant risks of having twice as much stolen back tomorrow? When ethics is left behind, attacks are always balanced decisions: if an attack can be retaliated, the economics of security may convince the attacker to refrain from attacking, and us to live with a flawed protocol. This new perspective requires a new threat model where any party may decide to subvert the protocol for his own sake, depending on the risks of retaliation. This threat model, which for example is also suitable to studying non-repudiation protocols, seems more appropriate than the Dolev-Yao model to the present technological/social setting. It is demonstrated that machine-assisted protocol verification can and must be tailored to the new threat model.
Verification of security protocols based on multicast communication
2012
Over an insecure network, agents need means to communicate securely. To these means we often call security protocols. Security protocols, although constructed over the arrangement of simple security blocks, normally target the yielding of complex goals. They seem simple at a first glance, but hide subtleties that allow them to be exploited. One way of trying to systematically capture such subtleties is through the usage of formal methods. The maturity of some methods for protocol verification is a fact today. But these methods are still not able to capture the whole set of security protocols being designed. With the convergence to an on-line world, new security goals are proposed and new protocols need to be designed. The evolution of formal verification methods becomes a necessity to keep the pace with this ongoing development. This thesis covers the Inductive Method and its extensions. The Inductive Method is a formalism to specify and verify security protocols based on structural induction and higher-order logic proofs. The account of our extensions comes to enable the Inductive Method to reason about non-Unicast communication and threshold cryptography.

