Abstract. We present a general method to prove security properties of cryptographic protocols against active adversaries, when the messages exchanged by the honest parties are arbitrary expressions built using encryption and concatenation operations. The method allows to express security properties and carry out proofs using a simple logic based language, where messages are represented by syntactic expressions, and does not require dealing with probability distributions or asymptotic notation explicitly. Still, we show that the method is sound, meaning that logic statements can be naturally interpreted in the computational setting in such a way that if a statement holds true for any abstract (symbolic) execution of the protocol in the presence of a Dolev-Yao adversary, then its computational interpretation is also correct in the standard computational model where the adversary is an arbitrary probabilistic polynomial time program. This is the first paper providing a simple framework for translating security proofs from the logic setting to the standard computational setting for the case of powerful active adversaries that have total control of the communication network. 1

We provide a framework for reasoning about information-hiding requirements in multiagent systems and for reasoning about anonymity in particular. Our framework employs the modal logic of knowledge within the context of the runs and systems framework, much in the spirit of our earlier work on secrecy [9]. We give several definitions of anonymity with respect to agents, actions, and observers in multiagent systems, and we relate our definitions of anonymity to other definitions of information hiding, such as secrecy. We also give probabilistic definitions of anonymity that are able to quantify an observer's uncertainty about the state of the system. Finally, we relate our definitions of anonymity to other formalizations of anonymity and information hiding, including definitions of anonymity in the process algebra CSP and definitions of information hiding using function views.

Secure group protocols' are not easy to design: this paper will show new attacks' found against a protocol suite for sharing key. The method we propose to analyse these protocols' is' very systematic, and can be applied to numerous protocols' of this' type. The A-GDH. 2 protocols' suite analysed throughout this' paper is part of the Cliques suites that propose extensions of the Diffie-Hellman key exchange protocol to a group setting. The A-GDH. 2 main protocol is intended to allow a group to share an authenticated key while the other protocols' of the suite allow to perform dynamic changes in the group constitution (adding and deleting members', fusion of groups .... ). We are proposing an original method to analyse these protocols' and are presenting a number of unpublished flaws' with respect to each of the main security properties claimed in protocol definition (key authentication, perfect forward secrecy, resistance to known-keys attacks'). Most of these fiaws arise from the fact that using a group setting does not allow to reason about security properties in the same way as when only two (or three) parties are concerned. Our method has been easily applied on other Cliques protocols' and allowed us to pinpoint similar flaws.

We present a logic for proving security properties of protocols that use nonces (randomly generated numbers that uniquely identify a protocol session) and public-key cryptography. The logic, designed around a process calculus with actions for each possible protocol step, consists of axioms about protocol actions and inference rules that yield assertions about protocols composed of multiple steps. Although assertions are written using only steps of the protocol, the logic is sound in a stronger sense: each provable assertion about an action or sequence of actions holds in any run of the protocol that contains the given actions and arbitrary additional actions by a malicious attacker. This approach lets us prove security properties of protocols under attack while reasoning only about the sequence of actions taken by honest parties to the protocol. The main security-specific parts of the proof system are rules for reasoning about the set of messages that could reveal secret data and an invariant rule called the "honesty rule." 1

In this article we present a technique for static analysis, correct with respect to complexity-theoretic definitions of security, of cryptographic protocols for checking whether these protocols satisfy confidentiality properties. The approach is similar to Abadi and Rogaway --- we define patterns for cryptographic protocols (they did it for formal expressions), such that the protocol is secure iff the patterns are. We then statically analyse the patterns, they should be easier to analyse than the protocols themselves. We consider symmetric encryption as the cryptographic primitive in protocols. Handling this primitive has so far received comparatively less attention in approaches striving to unite the formal and computational models of cryptography.

We consider the problem of specifying and verifying cryptographic security protocols for XML web services. The security specification WS-Security describes a range of XML security tokens, such as username tokens, public-key certificates, and digital signature blocks, amounting to a flexible vocabulary for expressing protocols. To describe the syntax of these tokens, we extend the usual XML data model with symbolic representations of cryptographic values. We use predicates on this data model to describe the semantics of security tokens and of sample protocols distributed with the Microsoft WSE implementation of WS-Security. By embedding our data model within Abadi and Fournet’s applied pi calculus, we formulate and prove security properties with respect to the standard Dolev-Yao threat model. Moreover, we informally discuss issues not addressed by the formal model. To the best of our knowledge, this is the first approach to the specification and verification of security protocols based on a faithful account of the XML wire format.

We consider a new extension of the Skolem class for first-order logic and prove its decidability by resolution techniques. We then extend this class including the built-in equational theory of exclusive or. Again, we prove the decidability of the class by resolution techniques.

We demonstrate that for any well-defined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully automated formal analysis of protocols that employ primitives such as Diffie-Hellman exponentiation, multiplication, andxor, with a bounded number of role instances, but without imposing any bounds on the size of terms created by the attacker. 1

We consider arbitrary cryptographic protocols and security properties. We show that it is always sufficient to consider a bounded number of agents b (actually b = 2 in most of the cases): if there is an attack involving n agents, then there is an attack involving at most b agents.

Suppose a principal in a cryptographic protocol creates and transmits a message containing a new value v, later receiving v back in a different cryptographic context. It can conclude that some principal possessing the relevant key has received and transformed the message in which v was emitted. In some circumstances, this principal must be a regular participant of the protocol, not the penetrator. An inference of this kind is an authentication test. We introduce two main kinds of authentication test. An outgoing test is one in which the new value v is transmitted in encrypted form, and only a regular participant can extract it from that form. An incoming test is one in which v is received back in encrypted form, and only a regular participant can put it in that form. We combine these two tests with a supplementary idea, the unsolicited test, and a related method for checking that keys remain secret. Together, these techniques determine what authentication properties are achieved by a wide range of cryptographic protocols. In this paper we introduce authentication tests and prove their soundness. We illustrate their power by giving new and straightforward proofs of security goals for several protocols. We also illustrate how to use the authentication tests as a heuristic for finding attacks against incorrect protocols. Finally, we suggest a protocol design process. We express these ideas in the strand space formalism [Thayer, Herzog, and Guttman (1999b, Journal of Computer Security, 7, 191--230)], which provides a convenient context to prove them correct.