A Formal Analysis for Capturing Replay Attacks in Cryptographic Protocols

  • Han Gao
  • Chiara Bodei
  • Pierpaolo Degano
  • Hanne Riis Nielson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4846)


We present a reduction semantics for the LySa calculus, extended with session information, for modelling cryptographic protocols, together with a static analysis for it. If a protocol passes the analysis, then it is free of replay attacks and thus preserves freshness. The analysis has been implemented and applied to a number of protocols, including both the original and the corrected versions of the Needham-Schroeder protocol. The experimental results show that the analysis is able to capture potential replay attacks.


Keywords: Security Protocol, Replay Attack, Cryptographic Protocol, Protocol Process, Encrypt Message
These keywords were added by machine and not by the authors.





Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Han Gao (1)
  • Chiara Bodei (2)
  • Pierpaolo Degano (2)
  • Hanne Riis Nielson (1)
  1. Informatics and Mathematical Modelling, Technical University of Denmark, Richard Petersens Plads bldg 322, DK-2800 Kongens Lyngby, Denmark
  2. Dipartimento di Informatica, Università di Pisa, Largo B. Pontecorvo, 3, I-56127, Pisa, Italy
