The principle of guarantee availability for security protocol analysis

  • Giampaolo Bella
Regular Contribution

Abstract

Conformity to prudent design principles is an established approach to protocol correctness, although it is not free of limitations. We term goal availability a design principle that is often implicitly followed, prescribing that protocols aim at principal-centric goals. Adherence to a design principle is normally established through protocol analysis, that is, an evaluation of whether a protocol achieves its goals. However, the literature offers no clear guidance on how to conduct and interpret such an analysis, a process that is left entirely to the analyzer's skill and experience. Goal availability has the desirable feature that its supporting protocol analysis can be precisely guided by what becomes a principle of realistic analysis, which we call guarantee availability. It prescribes that the outcome of the analysis, namely the set of guarantees confirming the protocol goals, be practically applicable by the protocol participants. In consequence, the guarantees must rest on assumptions that the principals have the capacity to verify. Our focus then turns entirely to protocol analysis, because an analysis conforming to guarantee availability signifies that the analyzed protocol conforms to goal availability. Existing analyses of (both classical and deployed) protocols have been reconsidered with the aim of studying their conformity to guarantee availability. Some experiments clarify the relationships between goal availability and the existing design principles, with particular reference to explicitness. Other experiments demonstrate that boosting an analysis with guarantee availability generally makes it deeper, unveiling additional protocol niceties that, depending on the analyzer's skills, may otherwise remain overlooked. In particular, an established claim about a protocol (made using a well-known formal method) can be subverted.

Keywords

Formal analysis, Theorem proving, Network protocol, Trust



Copyright information

© Springer-Verlag 2009

Authors and Affiliations

  1. Dip. Matematica e Informatica, Università di Catania, Catania, Italy
  2. Software Technology Research Lab, De Montfort University, Leicester, UK
