Trust Management in Strand Spaces: A Rely-Guarantee Method

  • Joshua D. Guttman
  • F. Javier Thayer
  • Jay A. Carlson
  • Jonathan C. Herzog
  • John D. Ramsdell
  • Brian T. Sniffen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2986)


We show how to combine trust management theories with nonce-based cryptographic protocols. The strand space framework for protocol analysis is extended by associating formulas from a trust management logic with the transmit and receive actions of the protocol principals. The formula on a transmission is a guarantee; the sender must ensure that this formula is true before sending the message. The formula on a receive event is an assumption that the recipient may rely on in deducing future guarantee formulas. The strand space framework allows us to prove that a protocol is sound, in the sense that when a principal relies on a formula, another principal has previously guaranteed it. We explain the ideas in reference to a simple new electronic commerce protocol, in which a customer obtains a money order from a bank to pay a merchant to ship some goods.
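The rely-guarantee discipline described in the abstract can be checked over a single run. The following is an added example, not code from the paper. The principals' local theories, the formula names (`funds_reserved`, `authorize_transfer`, `will_ship`) and the trace are constructed, and the sketch assumes the guarantor of each received message is already known, which is what the protocol analysis has to establish.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    principal: str       # who performs the action
    kind: str            # "send" carries a guarantee, "recv" carries a rely
    formula: str         # trust-management formula on the action
    guarantor: str = ""  # recv only: who is assumed to have guaranteed it

def derivable(goal, known, rules):  # forward-chain Horn rules (premises, conclusion)
    known, changed = set(known), True
    while changed and goal not in known:
        changed = False
        for premises, conclusion in rules:
            if conclusion not in known and premises <= known:
                known.add(conclusion)
                changed = True
    return goal in known

def check(trace, theory):
    """Return (index, reason) for each event that breaks the discipline."""
    guaranteed, problems = set(), []   # (principal, formula) pairs sent so far
    learned = {p: set(facts) for p, (facts, _) in theory.items()}
    for i, ev in enumerate(trace):
        if ev.kind == "send":          # guarantee must follow from local knowledge
            if derivable(ev.formula, learned[ev.principal], theory[ev.principal][1]):
                guaranteed.add((ev.principal, ev.formula))
            else:
                problems.append((i, "guarantee not established"))
        elif ev.guarantor != ev.principal and (ev.guarantor, ev.formula) in guaranteed:
            learned[ev.principal].add(f"{ev.guarantor} says {ev.formula}")
        else:                          # nobody guaranteed what is being relied on
            problems.append((i, "rely without prior guarantee"))
    return problems

# Constructed theories (principal -> (facts, rules)) and one constructed, linearized run.
THEORY = {
    "bank": ({"funds_reserved"}, []),
    "customer": ({"wants_goods"}, [({"bank says funds_reserved", "wants_goods"},
                                    "authorize_transfer")]),
    "merchant": (set(), [({"customer says authorize_transfer"}, "will_ship")]),
}
TRACE = [
    Event("bank", "send", "funds_reserved"),
    Event("customer", "recv", "funds_reserved", "bank"),
    Event("customer", "send", "authorize_transfer"),
    Event("merchant", "recv", "authorize_transfer", "customer"),
    Event("merchant", "send", "will_ship"),
]
```

Dropping the customer's send from `TRACE` makes `check` report the merchant's receive as a rely without a prior guarantee, and the merchant's own `will_ship` guarantee as not established.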


Keywords (added by machine, not by the authors): Trust Management; Computer Security; Message Transmission; Trusted Platform Module; Cryptographic Protocol



Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Joshua D. Guttman (1)
  • F. Javier Thayer (1)
  • Jay A. Carlson (1)
  • Jonathan C. Herzog (1)
  • John D. Ramsdell (1)
  • Brian T. Sniffen (1)

  1. The MITRE Corporation
