What Makes a Cryptographic Protocol Secure? The Evolution of Requirements Specification in Formal Cryptographic Protocol Analysis

  • Catherine Meadows
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2618)


Much attention has been paid to the design of languages for the specification of cryptographic protocols. However, the ability to specify their desired behavior correctly is also important; indeed many perceived protocol flaws arise out of a misunderstanding of the protocol’s requirements. In this talk we give a brief survey of the history of requirements specification in formal analysis of cryptographic protocols. We outline the main approaches and describe some of the open issues.


IEEE Computer Society Fault Tree Cryptographic Protocol Secrecy Requirement Requirement Language 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    M. Abadi. Secrecy by typing in security protocols. Journal of the ACM, 46(5):749–786, September 1999.zbMATHCrossRefMathSciNetGoogle Scholar
  2. 2.
    M. Abadi and P. Rogaway. Reconciling two views of cryptography (the computational soundness of formal encryption). Journal of Cryptology, to appear.Google Scholar
  3. 3.
    M. Bellare and P. Rogaway. Entity authentication and key distribution. In Advances in Cryptology-CRYPTO’ 93. Springer-Verlag, 1993.Google Scholar
  4. 4.
    R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung. Systematic design of two-party authentication protocols. In Advances in Cryptology-Proceedings of CRYPTO 91. Springer-Verlag, 1991.Google Scholar
  5. 5.
    Michael Burrows, Martín Abadi, and Roger Needham. A Logic of Authentication. ACM Transactions in Computer Systems, 8(1):18–36, February 1990.CrossRefGoogle Scholar
  6. 6.
    L. Buttyán and J.-P. Hubaux. Rational exchange-a formal model based on game theory. In 2nd International Workshop on Electronic Commerce (WELCOM’01), 16–17 November 2001.Google Scholar
  7. 7.
    I. Cervesato and C. Meadows. A fault-tree representation of NPATRL security requirements. submitted for publication, 2003.Google Scholar
  8. 8.
    Whitfield Diffie, Paul C. van Oorschot, and Michael J. Wiener. Authentication and Authenticated Key Exchanges. Designs, Codes, and Cryptography, 2:107–125, 1992.CrossRefGoogle Scholar
  9. 9.
    D. Dolev and A. Yao. On the Security of Public Key Protocols. IEEE Transactions on Information Theory, 29(2):198–208, March 1983.zbMATHCrossRefMathSciNetGoogle Scholar
  10. 10.
    F. J. Thayer Fábrega, J. Herzog, and J. Guttman. Strand space pictures. In Proceedings of the Workshop on Formal Methods and Security Protocols, 1998. available at
  11. 11.
    F. Javier Thayer Fábrega, Jonathan C. Herzog, and Joshua D. Guttman. Strand spaces: Why is a security protocol correct? In Proceedings of the 1998 IEEE Symposium on Security and Privacy, pages 160–171. IEEE Computer Society Press, May 1998.Google Scholar
  12. 12.
    R. Focardi, R. Gorrieri, and F. Martinelli. Non interference for the analysis of cryptographic protocols. In U. Montanari, editor, 27th International Colloquium on Automata, Languages and Programming (ICALP’00). Springer Verlag: LNCS 1583, July 2000.Google Scholar
  13. 13.
    Li Gong and Paul Syverson. Fail-stop protocols: An approach to designing secure protocols. In R. K. Iyer, M. Morganti, Fuchs W. K, and V. Gligor, editors, Dependable Computing for Critical Applications 5, pages 79–100. IEEE Computer Society, 1998.Google Scholar
  14. 14.
    J. Goquen and J. Meseguer. Security policy and security models. In Proceedings of the 1982 Symposium on Security and Privacy, pages 11–20. IEEE Computer Society Press, 1982.Google Scholar
  15. 15.
    A. Gordon and A. Jeffrey. Authenticity by typing in security protocols. In Proceedings of the 14th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, June 2001.Google Scholar
  16. 16.
    A. Gordon and A. Jeffrey. Typing one-to-one and one-to-many correspondences in security protocols. In International Software Security Symposium (ISSS 2002). Springer LNCS, 2003.Google Scholar
  17. 17.
    Paul Hoffman. Features of proposed successors to IKE. Internet Draft draft-ietfipsec-soi-features-01.txt, May 31 2002. available at
  18. 18.
    G. Lowe. Some new attacks on security protocols. In Proceedings of the 9th IEEE Computer Security Foundations Workshop, pages 162–169. IEEE Computer Society Press, 1996.Google Scholar
  19. 19.
    G. Lowe. A hierarchy of authentication speciifications. In Proceedings of the 10th IEEE Computer Security Foundations Workshop, pages 31–43. IEEE Computer Society Press, 1997.Google Scholar
  20. 20.
    C. Meadows. Applying Formal Methods to the Analysis of a Key Management Protocol. Journal of Computer Security, 1:5–53, 1992.Google Scholar
  21. 21.
    C. Meadows. A cost-based framework for analysis of denial of service in networks. Journal of Computer Security, 2001.Google Scholar
  22. 22.
    C. Meadows and P. Syverson. A formal specification of requirements for payment in the SET protocol. In Proceedings of Financial Cryptography’ 98. Springer-Verlag LLNCS, 1998.Google Scholar
  23. 23.
    C. Meadows, P. Syverson, and I. Cervesato. Formalizing GDOI group key management requirements in NPATRL. In Proceedings of the ACM Conference on Computer and Communications Security. ACM, November 2001.Google Scholar
  24. 24.
    J. K. Millen, S. C. Clark, and S. B. Freedman. The Interrogator: Protocol Security Analysis. IEEE Transactions on Software Engineering, SE-13(2), 1987.Google Scholar
  25. 25.
    J.C. Mitchell, A. Ramanathan, A. Scedrov, and V. Teague. A probabilistic polynomial-time calculus for analysis of cryptographic protocols (preliminary report). Electronic Notes in Theoretical Computer Science, 45, 2001.Google Scholar
  26. 26.
    G. Norman and V. Shmatikov. Analysis of probabilistic contract signing. In BCSFACS Formal Aspects of Security (FASec’ 02), 2002.Google Scholar
  27. 27.
    A. W. Roscoe. Intensional specification of security protocols. In Proceedings of the 9th IEEE Computer Security Foundations Workshop, pages 28–38. IEEE Computer Society Press, June 10–12 1996.Google Scholar
  28. 28.
    S. Schneider. Security properties and CSP. In IEEE Computer Society Symposium on Security and Privacy. IEEE Computer Society Press, 1996.Google Scholar
  29. 29.
    V. Shmatikov. Probabilistic analysis of anonymity. In Proceedings of the 15th Computer Security Foundations Workshop. IEEE Computer Society Press, June 2002.Google Scholar
  30. 30.
    P. Syverson and C. Meadows. Formal requirements for key distribution protocols. In Proceedings of Eurocrypt’ 94. Springer-Verlag, 1994.Google Scholar
  31. 31.
    P. Syverson and C. Meadows. A formal language for cryptographic protocol requirements. Designs, Codes, and Cryptography, 7(1/2):27–59, 1996.zbMATHMathSciNetGoogle Scholar
  32. 32.
    Paul Syverson and Catherine Meadows. A Logical Language for Specifying Cryptographic Protocol Requirements. In Proceedings of the 1993 IEEE Computer Society Symposium on Research in Security and Privacy, pages 165–177. IEEE Computer Society Press, Los Alamitos, California, 1993.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Catherine Meadows
    • 1
  1. 1.Naval Research Laboratory Center for High Assurance Computer SystemsWashington

Personalised recommendations