Page 1
1424425778/08/$20.00 ©2008 IEEE
Termbased composition of security protocols
B. Genge1, P. Haller1, R. Ovidiu1, I. Ignat2
1“Petru Maior” University of Targu Mures, Romania, bgenge@upm.ro, phaller@upm.ro, oratoi@engineering.upm.ro
2Technical University of Cluj Napoca, Romania, Iosif.Ignat@cs.utcluj.ro
AbstractIn the context of security protocol parallel compo
sition, where messages belonging to different protocols can
intersect each other, we introduce a new paradigm: term
based composition (i.e. the composition of message compo
nents also known as terms). First, we create a protocol speci
fication model by extending the original strand spaces. Then,
we provide a term composition algorithm based on which
new terms can be constructed. To ensure that security prop
erties are maintained, we introduce the concept of term con
nections to express the existing connections between terms
and encryption contexts. We illustrate the proposed composi
tion process by using two existing protocols.
I. INTRODUCTION
Security protocols are communication protocols in
which participants use encryption to send each other en
coded information. With the rapid growth of the Internet
and a desperate need to secure communication, in the last
few decades the attention of many researchers has been led
towards the analysis of security protocols [1], [2], [3], [4],
[5], [6].
Recently, there have been several proposals developed
to help the process of security protocol design using for
mal methods and tools [7], [8], [9], [10], [11], [12], [13].
Most of the proposed techniques use a modular approach
in the design process, where the user is given a set of small
protocols from which more complex protocols can be con
structed, process also known as composition [9], [10],
[11].
In the existing composition techniques, authors mainly
deal with the sequential and parallel composition of secu
rity properties viewed as a set of information transmitted
over messages. However, the composition of message
components has not been addressed in a proper manner,
meaning that users have to solve the problem of creating
new messages on their own.
Solving this problem, apparently insignificant, can lead
to protocols which execute in half the time the original,
composed protocols do. In addition, the composition proc
ess can lead to multiple results, which must be carefully
analyzed on a message level to increase protocol perform
ance.
In this paper, we introduce a novel composition para
digm: termbased composition. The composition problem
is addressed at the message level based on syntactical con
structions and analysis. This new paradigm is addressed in
the context of parallel composition, where protocol mes
sages intersect each other. The resulting protocol contains
not only a set of unified messages but also a unified set of
security properties (e.g. secrecy, authentication, integrity).
The paper is structured as follows. Section II introduces
the concept of kstrands used to model security protocols.
Security requirements are addressed in section III. In sec
tion IV we present the problem of generating protocols
using parallel composition and termbased composition
and we propose a term composition algorithm. We exem
plify the composition process by composing two protocols.
II. KNOWLEDGE STRANDS
In this section we briefly present the concept of knowl
edge strands (kstrands). For a more detailed presentation,
the reader is directed to consult the authors’ previous work
[6], [17].
A strand is a sequence of transmission and reception
events used to model protocol participants. A collection of
strands is called a strand space. The strand space model
was introduced by Fabrega, Herzog and Guttman in [15]
and extended by the authors with participant knowledge,
specialized basic sets and explicit term construction in [5],
[6]. The resulting model is called a kstrand space. The
rest of this section formally defines the kstrand and k
strand space concepts.
By analyzing the protocol specifications from the
SPORE library [20] we can conclude that protocol partici
pants communicate by exchanging terms constructed from
elements belonging to the following sets: R, denoting the
set of participant names; N, denoting the set of nonces (i.e.
“number once used”) and K, denoting the set of crypto
graphic keys. If required, other sets can be easily added
without affecting the other components.
To denote the encryption type used to create crypto
graphic terms, we define the following function names:
FuncName ::= sk
The abovedefined basic sets and function names are
used in the definition of terms, where we also introduce
constructors for pairing and encryption:
(
:: .
=
T
R N K
(secret key)
(public key)
(private key)
(hash).
(1)
 pk
 pvk
 h
) { }

( )
T
,
FuncName
T TT
, (2)
where the ‘.’ symbol is used to denote an empty term. We
use the symbol
T to denote the set of all subsets of terms.
∗
Page 2
The composition process of two terms t1 and t2 into an
other term t implies that t has subterms. The subterm
relation ≺ is inductively defined as follows.
Definition 1. The subterm relation ≺ is the smallest rela
tion on terms such that:
1.
tt
≺ ;
2.
{ }( )
2
1
f t
tt
if
1
tt
or
()
12
,
t t t
≺
if
1
tt
≺ or
Before defining the concept of knowledge strands we
need to define another element: classifiers. As suggested
by their names, classifiers are used to classify or catego
rize knowledge strands. The categories are created based
on the type of operation modeled by a given knowledge
strand. Formally, classifiers are defined as:
≺
≺
2
tt
≺
;
3.
2
tt
≺
.
(
(
)
)
::

Participant classifier
Memory classifier
=
R
M
CC
C
.
To denote the transmission and reception of terms, we
use signed terms. The occurrence of a term with a positive
sign denotes transmission, while the occurrence of a term
with a negative sign denotes reception. The set of trans
mission and reception sequences is denoted by ()
∗
±T
.
Definition 2. A kstrand (i.e. knowledge strand) is a tuple
, , , r s
K c
, where
∈
KT denotes the knowledge corre
∗
sponding to the modeled participant,
classifier, r∈R denotes the participant name and
()
s
∈ ±T
denotes the sequence of transmissions and re
ceptions. A set of kstrands is called a kstrand space. The
set of all kstrand spaces is denoted by
∈
cC denotes the
∗
k
Σ . Let
k ς be a k
strand space and
kk
s
ς∈
a kstrand, then:
1. We define the following mapping functions:
( )
k
kknow s
to map the knowledge component;
( )
k
kclass s
to map the classifier component;
( )
k
kpart s
to map
( )
k
kstrand s
to map the term sequence component;
2. A node is any transmission or reception of a term,
( ),
n kstrand s
=
the name component;
written as
k
i
, where i is an inte
ger satisfying the condition
( )
1
ilength s
≤ ≤
. We
define the
( )
term n function to map the term corre
sponding to a given node;
3. Let
( )
k
1
,
nkstrand si
=
and
( )
2
,1
k
nkstrand si
=+
be two consecutive nodes
from the same kstrand. Then, there exists an edge
nn
⇒
in the same kstrand;
12
4. Let
12
,
n n be two nodes. If
1n is a positive node and
1n is a negative node belonging to different k
strands, then there exists an edge
( )
sign n function to map the sign of a given
node.
12
nn
→
. We de
fine the
Fig. 1 shows an example specification of Lowe’s BAN
Concrete Secure RPC [14] protocol in the described k
strand space model.
III. SECURITY REQUIREMENTS
The composition of security protocols can not be made
by simply adding messages to one protocol. By inspecting
the rather large number of reported attacks in the literature
[14], [18], [20] we can agree that any modification brought
upon a protocol can influence its existing security proper
ties. Based on these concerns, the authors have developed
in a previous paper [17] a framework for verifying the
composability of security protocols.
The method developed by the authors requires the exe
cution of two steps. First, we must verify if secret terms
from one protocol can be found in insecure terms in the
other protocol. By the concept insecure we mean terms
encrypted with insecure keys (e.g. session keys) or terms
that are sent out clearly. Second, we must verify if terms
encrypted with the same key are structurally independent.
In other words, we must verify if participants, based on
term structures and knowledge can distinguish between the
given terms.
The first requirement is fulfilled by conducting a syntac
tical verification of the given protocol terms. The protocol
model used is the one presented in the previous section.
Alongside the specification, the user has to provide the
terms considered to be secret for each protocol.
For the second requirement to be fulfilled we must con
struct the canonical specification model proposed by the
authors in the same paper. This model eliminates instantia
tionbased information (e.g. Na, A, B, Kab), leaving only
essential information needed in the structural independ
ence verification process (e.g. n, r, r, k).
IV. COMPOSITION
A. Generating protocols
By using parallel composition, we can produce several
distinct protocols. For example, given two protocols, P1
and P2, each of them with two messages, the protocols that
can be constructed are listed in Table 1, where P1.i and
P2.j,
{}
i, j1,2
∈
, denote message indexes corresponding to
the two protocols and Px.i,Py.j,
{}
x,y 1,2
∈
denotes con
catenation.
TABLE I
PROTOCOL AND MESSAGE SEQUENCES GENERATED
USING PARALLEL MESSAGE COMPOSITION
Without term
composition
P1.1
P2.1
P1.2
P2.2
P1.1
P2.1
P2.2
P1.2
P2.1
P1.1
P1.2
P2.2
With term
composition
P1.1
P1.2
P2.1
P2.2
P2.1
P1.1
P2.2
P1.2
P2.1
P2.2
P1.1
P1.2
P2.1, P1.1
P1.2
P2.2
P1.1
P2.1, P1.2
P2.2
P2.1, P1.1
P2.2, P1.2
P1.1
P2.1
P2.2, P1.2
P2.1
P1.1
P2.2, P1.2
P2.1, P1.1
P2.2
P1.2
 
P2.1
P2.2, P1.1
P1.2

(3)
Page 3
?
Figure 1. Lowe’s BAN Concrete Andrew
Secure RPC representation in the kstrand space model
More formally, given two protocols modeled in the k
strand space,
,
kkk
ς ς′ ∈Σ , we generate new protocols using
operations such as message intercalation and term
concatenation. Message intercalation denotes the process
by which several messages belonging to different
protocols are combined together maintainig at the same
time their original order of appearance. On the other hand,
term concatenation simply concatenates two terms without
performing any optimisations on the resulting term.
The generated protocols are denoted by the set
GenProtPairs. Each element of this set contains a
sequence of term pairs
,
ij
x y
, where the first component
denotes terms transmitted in the first protocol and the
second component denotes terms transmitted in the second
protocol. More formally,
ix ∈
()
k
sentTerms ς
,
jy ∈
()
k
sentTerms ς′ ,
()
1,
k
i sentTerms ς=
,
j =
()
1,
k
sentTerms ς′
, where
:
k
sentTerms
∗
Σ →T is a func
tion mapping the set of sent terms in a given protocol
specification, defined as:
=
This function also mapps empty components, denoted
by ‘.’ to model sittuations where the second operation (i.e.
term concatenation) is not applied.
As a final step for the protocol generation process, we
must check that concatenated messages have the same
source and destination participants. If we find at least one
message that does not satisfy this requirement, the entire
protocol is removed from the list.
() ( )
()
()
()( )
{}
.
1,
kstrand s
,
, ,
i sign n
kk
k
iki
ki
s
ilength kstrand s
n
sentTermsterm n
ς
ς
∈
=
= =+
∪
∪∪
. (4)
B. Security property definition
The term composition process constructs all possible
combinations of terms using two given terms by modify
ing existing terms. In the context of security protocols,
these combinations must not destroy existing security
properties. In order to provide a correct composition we
must define the concept of a security property.
Because security protocols consist of participants ex
changing terms, security properties are created by the
transmitted and received terms. More specifically, it is the
cryptographic context of each term in conjunction with the
exchange of terms from which security properties are con
structed. To formally define security properties we intro
duce two new concepts: partial and complete term connec
tion. Connections between terms denote the existence of a
set of common terms. Partial connections denote the con
nections between a free (i.e. unencrypted) term and an
encrypted one while complete connections denote the con
nections between two encrypted terms.
To express the existence of a partial and a complete
connection we introduce
()(
__ :
Pk
±××Σ×±
?
TT
two
×Σ
operators,
)
k
×
TT
and
()()
_ _ :
Ckk
±× ×Σ×±××Σ
?
TTTT
respectively.
These operators denote the connection between one node,
term and kstrand to another node, term and kstrand. The
first component of these operators is called a precondition
and the second is called a postcondition. We define the
following functions, cnode, cterm, cstrand to map the
node, term and kstrand corresponding to a precondition
or postcondition.
We say that there is a partial connection between two
terms
1t and
2t , if
1t is a subterm of
2t ,
1t is not en
crypted and
versa. Formally,
, ,
k
n t s
2t has a cryptographic construction or vice
111222
, ,
(
(
1
t
Pk
n t s
?
if 12
tt
≺
, where (5)
{ }( )
1
t
′
{ }( )
2
t
′
)
)
{ }( )
1
t
′
{ }( )
2
t
′
12
2
f tf t
f t
( )
f t
tt
t
≠∧=∨
=∧≠
,
11
t term n
{
i
n
∈
{
n
∈
≺
,
( )
11
t term n
≺
,
()
()
}
)
11
1
k
nilength kstrand s
≤ ≤
,
()
(
}
22
1
ik
nilength kstrand s
≤ ≤
.
A complete connection between two terms,
1t and
2t ,
exists only if 1t is an encrypted subterm of
a cryptographic construction or the noncryptographic
component of 1t is a subterm of 2t . Formally,
?
if 1
t
{ }( )
11
f t
tt′
=
,
( )
11
t term n
≺
{
1
1
i
nni
∈≤ ≤
{
2
1
i
nn
∈≤ ≤
Definition 3. A security property ξ is a collection of par
tial and complete connections.
By the definition given above, a security property is a
set of connections between terms. This definition is similar
to the definition of authenticaton tests given by Guttman in
[10]. The difference is that we define connections not only
between terms transmitted by different nodes, but also
between subterms. This allows us to define complex
security properties such as authentication, but also other,
more subtle ones such as secrecy.
By using term connections we can model dependencies
between terms. This key aspect is vital in the process of
term composition because by modifying one term we must
2t and
2t has
111222
, ,, ,
kCk
n t sn t s
2
t
≺
or 1
{ }( )
2
t′
≺
2
tt
′ ≺
, where (6)
2
f t
t
=
,
,
( )
11
t term n
,
()
()
}
)
1
k
length kstrand s
,
()
(
}
2
k
ilength kstrand s
.
?
?
?
?
?
?
?
{}
,, , ,
aAB
A A B N K
{}
,, ,,,
bAB
B B A N KK
,
a
A N
{}
()
,,
AB
a
sk K
N K B
{}
( )
a
sk K
N
b
N
Page 4
also modify other, dependent terms to maintain existing
security properties.
C. Modeling dynamic knowledge
As opposed to the static (i.e. initial) knowledge, there is
another type of knowledge that can be constructed by pro
tocol participants: dynamic knowledge. This type of
knowledge grows with every term that is received. Dy
namic knowledge is modeled as a kstrand that “communi
cates” with the participant’s kstrand using term transmis
sions and receptions.
Participants are modeled as a pair of kstrands consist
ing of one main, participant kstrand and a memory k
strand, modeling dynamic knowledge. In the composition
process, terms can be modified. For example, they can be
included in cryptographic context that can not be created
by a participant because at the given node cryptographic
keys have not yet been received. By modeling dynamic
knowledge, we are able to decide if the terms that must be
transmitted by a node can be constructed.
In order to provide a persistent model of the dynamic
knowledge, we consider that terms from this knowledge
are stored in a memory region that can only be accessed by
the corresponding participant. This memory region, as
mentioned earlier, is modeled as a kstrand. However, be
cause communication between each participant and its
attached memory must be private, we consider an en
crypted communication model using a new function type
mk and a key. The function is the same, while the key is
unique for each user.
Next, we propose an algorithm for creating memory k
strands, identified by the class
M
C . Given an initial k
strand
participant, by running the algorithm, we generate two
new kstrands, a participant kstrand
ks , that models the operations corresponding to a
ks′ and a memory k
strand
tionally contains nodes modeling communication with the
attached memory kstrand.
Receiving a term from the memory kstrand corre
sponds to the dynamic knowledge. The terms received by
memory kstrands are decoded, transformed into new
knowledge and added to the existing knowledge.
The proposed algorithm
:
genKnow
×→
TTT function to generate new knowl
edge based on existing knowledge (stored as a term) and a
new received term.
Algorithm 1. Memory kstrand generation:
1. Generate memory communication encryption key
ks′′ . The newly generated participant kstrand addi
makes use of the
m
K
2. Initialize the new kstrands:
{
k
s kknow s
′ =
{
k
s kknow s
′′ =
( )
},
},
, , .
r
km
K
∪
R
C
( )
, , .
r
km
K
∪
M
C
2. For every positive node
( ),
k
nkstrand si
=
add a
positive node to
ks′ :
′
( ) ( )
, , ,
r kstrand s
,
k
′
kk
′
s kknow sn
=
R
C
3. For every negative node
( ),
k
nkstrand si
=
add a
negative node to
ks′ and generate new knowledge:
( ) ( )
k
( )
{}
()
, , ,
r kstrand s
, ,
n
m
k
′
k
′
mk K
skknow s term n
′
=+
R
C
( )( )( )
{}
()
, , ,
r kstrand s
,
m
k
′′
k
′′
k
′′
mk K
s kknow sterm n
=−
M
C
Let n′be the last positive node from
( )
k
kknow s
′′
=
K
ks′′
( )
( )
Let and
(
k
′′
)
kknow s
′′
=
K
Let
( )
,
know
t genKnow term n term n′
=
( )
k
{}
()
, , ,
r kstrand s
,
m
k
′
know
mk K
st
′′
=−
R
K C
( ){}
()
, , ,
r kstrand s
,
m
k
′′
k
′′
know
mk K
st
′′
=+
M
K C
D. Term composition algorithm
In the protocol generation process described at section
A, terms that are concatenated must be composed in order
to generate more performant protocols. The composition
process can alter terms, maintaining at the same time exist
ing security properties.
First, we construct the connection sequences between
protocol terms for the involved protocols. Then, we initial
ize a new kstrand space by creating kstrands correspond
ing to participants. The initialization process also creates
unified static knowledge sets for every participant.
Next, for every pair of concatenated terms resulted in
the protocol generation phase we run the composition al
gorithm. By modifying one term we must ensure that the
terms from the connection sequence are also modified. We
ensure that partial connections are maintained by not
modifying the cryptographic context of terms. Maintaining
complete connections, however, requires a subsequent
modification of dependent terms.
After performing each term composition, the memory k
strand algorithm from section C is run to construct the
memory kstrands. Then, for every term transmitted by a
participant kstrand we use the
predicate to verify if the transmitted term can be con
structed from the existing static and dynamic knowledge.
For two concatenated terms(
()
2
k
tsentTerms ς′′
∈
, the composition algorithm is the fol
lowing.
Algorithm 2. Composition:
1. Construct connection sequences as security properties:
{
111,
, ,
k C P
n t s n t s
ξ
′
=
?
{
111,
, ,
kC P
n t s n t s
ξ
′′
=
?
2. Initialize new kstrand space:
Let
′′′′
∈∪
do
( )
(
,
kkk
skrole s
ς
∀∈<>
( )
,
kk
s kknow skrole s
=
{ }
kk
ςς
=∪
Else
Let
( )
:
kkk
s krole s
ς
∈=
:
Constructable
∗
××
TTT
)
12
, t t
,
()
1
k
tsentTerms ς′
∈
,
Let
}
}
′′
22211
, ,,,
kkkk
′
ss
ς
∈
Let
22211
, ,,,
kkkk
ss
ς
∈
k ς be the resulting kstrand space
For each
kk
s
ς
k
ς
If
( )
)
k
′
krole s
then
Let
( )
, , .
k
R
C
ks
( )
k
krole s
′
and
, , ,
r c s
ks
= K
Page 5
( )
{}, , ,
r c s
kk
′
s kknow s
=∪
K
EndIf
EndFor
3. Compose two terms:
Let
{ }
1
tt′
=
( )
1
f k
( )
=
1
1
,
{ }
2
t′
(
(
)
22
2
fk
t
=
,
)
1122
,
tterm ntterm n
≺≺
If
1212
ffkk
=∧
then
If () ( )( )
)
then
()
12
(
21
′
21
:
C
cc cterm ctcnode cn
ξ′
∃/∈=∧=
?
( )( )
11
′
11
cterm ct cnode cn
∨=∧=
{}
( )
1
f k
1
112
,
tt t ′ ′′
=
Else
If ()
12
:
C
c
(
c
ξ′
∃
/
∈
?
( ) ( )
)
1
}
1
′
11
cterm ct cnode cn
=∧=
then
{
( )
1
f k
1
112
,
t t t ′ ′′
=
EndIf
Else
1
t
@update term connection sequence
{}
( )
1
f k
1
12
,
t t ′
=
@update term connection sequence
EndIf
4. Generate memory kstrands
@run Algorithm 1 to construct
k ς initialized at step 2
5. Verify term generation
Let
,
kk
s s
′
∈
( )
( )
k
( )
:
kkk
′
kclass skclass s
( )
k
ς
=∧=∧
RM
CC
kpart s kpart s′
=
Letn , n′ be the last positive node from
spectively
(
Constructable term n kknow s
ks and
ks′ re
If
( )( )( )
)
,,
k
term n′
then
@Accept
k ς
Else
@Reject
k ς
EndIf
V. COMPOSITION EXAMPLE
To illustrate the composition process we use two proto
cols: “Woo and Lam Pi3” [16] and Lowe’s modified ver
sion of the Yahalom [18, 19] protocol. The kstrand repre
sentation of the two protocols can be seen in Fig. 2 and
Fig. 3. We use
k ς to model the kstrand space correspond
ing to the “Woo and Lam Pi3” and
strand space corresponding to Lowe’s Yahalom protocol.
The first step towards the composition of these
protocols consists in verifying
independence” security requirement formulated by the
authors in [17]. To achieve this, we specify the secret
terms for the two involved protocols. For the first protocol,
these are no secret terms, while the secret terms for the
second protocol are {
,
b
N K
participant names are public).
k ς′ to model the k
the „keysecrecy
}
AB
(we consider that
, , ,
Figure 2. Woo and Lam Pi3 representation in the kstrand space model
A A B S N K
Figure 3. Lowe’s modified version of Yahalom’s representation in the k
strand space model
Because
(
t sentTerms
ς
∃ ∈
encrypted, the first requirement is not satisfied. To allow
the composition of the two protocols, Nb in the first
protocol must be different from Nb in the second protocol.
We emphasize this aspect by replacing Nb with
Because of space considerations, we only construct
complete connections which play a crucial role in the
composition process. In protocol
complete connection:
{}
(
}
()
,,
AS AS
bb kA
sk Ksk K
NNs
+
):
kb
Nt
≺ and t is not
b
N′ in
k ς′ .
k ς we have only one
){
{}
()
{}
()
{}
()
,,,
ASAS
AS
C
bb kB
sk Ksk K
sk K
N A Ns
+
?
Because of term structure varieties, in protocol
are no complete connections. By using the steps described
in section IV.B we generate all possible sequences of
protocols, resulting a total number of 1683 protocols. After
filtering protocols for which concatenated terms have
different sourcedestination participants, there remain a
total number of 408 protocols. For each protocol we can
apply the term composition algorithm, resulting a new set
of protocols. One of the resulting protocols is shown in
Fig. 4. In order to select the most performant protocols, we
can apply the „minimum number of messages” principle,
k ς′ there
{}
,, , ,,
aAS
?
?
?
?
?
?
{}
,, , ,,
b BS
B A B S N K
,
a
A N
?
?
, , ,
A B S K
,
,
,
AB
ASBS
S
KK
{}
()
,
BS
AB
sk K
A K
?
?
?
?
{}
()
,,
BS
ab
sk K
A NN
{}
()
,,,
AS
ABab
sk K
B KNN
?
?
?
{}
()
, , ,
A B S N
AB
b
sk K
?
?
?
?
?
?
?
{}
,,
b BS
B A B S N K
{}
,, , ,
AS
A A B S K
A
b
N
{}
()
AS
b
sk K
N
?
?
?
?
{}
,, , ,
A B S K
,
ASBS
SK
{}
()
{}
()
,
AS
BS
b
sk K
sk K
A N
{}
()
,
BS
b
sk K
A N
Page 6
Figure 4. Composed protocol
or we can construct a performance evaluation method,
which we consider to be part of future work.
As we can see from Fig. 4, the complete connection is
also maintained in the composed protocol. In addition, the
second security requirement formulated by the authors in
[17], i.e. “message independence”, is also satisfied
because messages have
structures.
different cryptographical
VI. CONCLUSIONS AND FUTURE WORK
In this paper we proposed a method for composing se
curity protocol terms. To define security properties em
bedded in protocols we introduced the concept of partial
and complete connections. Our approach modifies terms
only in the sense of extending them with new components,
thus preserving partial connections. Complete connections
are maintained by modifying all subsequent terms depend
ent of the modified term.
As future work, we intend to extend the proposed term
composition algorithm with performancerelated informa
tion. This would give users the possibility to choose the
best suited protocol for a given environment. However,
this is rather difficult to achieve based only on informal
specifications. This is why we intend to construct a per
formance evaluation model that allows us to compare pro
tocol performance rather than giving an exact behavior in
a specific environment.
REFERENCES
[1] M. Abadi, A. D. Gordon, “A Calculus for Cryptographic Protocols:
the spicalculus”, In Fourth ACM Conference on Computer and
Communications Security, ACM Press, pp. 3647, 1997.
[2] Andrew D. Gordon, Alan Jeffrey, “Authenticity by Typing for
Security Protocols”, Journal of Computer Security, 11(4), pp. 451
520, 2003.
[3] Cremers C., Scyther documentation,
http://www.win.tue.nl/~cremers/scyther.
[4] Catherine Meadows, “A Procedure for Verifying Security Against
Type Confusion Attacks”, 16th IEEE Computer Security Founda
tions Workshop (CSFW'03), p. 62, 2003.
[5] Genge Bela, Iosif Ignat, “An Abstract Model for Security Protocol
Analysis”, WSEAS TRANSACTIONS on COMPUTERS, Issue 2,
Volume 6, pp. 207215, 2007.
[6] Genge Bela, Iosif Ignat, “A typed specification for security proto
cols”, Proceedings of the 5th WSEAS Int. Conf. on Data Networks,
Communications and Computers, Bucharest, Romania, October 16
17, pp. 113118, 2006.
[7] Cas J. F. Cremers, “Compositionality of Security Protocols: A
Research Agenda”, Electr. Notes Theor. Comput. Sci., 142, pp. 99
110, 2006.
[8] S. Andova, Cas J.F. Cremers, K. Gjosteen, S. Mauw, S. Mjolsnes,
and S. Radomirovic, “A framework for compositional verification
of security protocols”, Elsevier, to appear, 2007.
[9] Levente Buttyan, “Building blocks for secure services: Authenti
cated key transport and Rational exchange protocols”, Thesis, 2001.
[10] Joshua D. Guttman, “Security protocol design via authentication
tests”, In Proceedings of the 15th IEEE Computer Security Founda
tions Workshop, IEEE CS Press, June, 2002.
[11] HyunJin Choi, “Security protocol design by composition”, Cam
bridge University, UK, Technical report Nr. 657, UCAMCLTR
657, ISSN 14762986, 2006.
[12] Ran Canetti, Tal Rabin, “Universal Composition with Joint State”,
In Proceedings of CRYPTO 2003, Lecture Notes in Computer Sci
ence, vol. 2729. Springer Verlag, New York, pp. 265281, 2003.
[13] A. Datta, A. Derek, J. C. Mitchell, A. Roy, “Protocol Composition
Logic (PCL)”, Electronic Notes in Theoretical Computer Science
Volume 172, 1 April, pp. 311358, 2007.
[14] Gavin Lowe, Some new attacks upon security protocols, In Pro
ceedings of the 9th Computer Security Foundations Workshop,
IEEE Computer Society Press, pp. 162169, 1996.
[15] F. Javier Thayer Fabrega, Jonathan C. Herzog, Joshua D. Guttman,
“Strand spaces: Proving security protocols correct”, Journal of
Computer Security 7, 191230, 1999.
[16] T.Y.C. Woo and S. S. Lam, “A lesson on authentication protocol
design”, Operating Systems Review, 1994.
[17] Genge Bela, Iosif Ignat, “Verifying the Independence of Security
Protocols”, IEEE 3rd International Conference on Intelligent Com
puter Communication and Processing, ClujNapoca, Romania,
pp.155163, 2007.
[18] Gavin Lowe, “Towards a completeness result for model checking of
security protocols”, Technical Report 1998/6, Dept. of Mathematics
and Computer Science, University of Leicester, 1998.
[19] Lawrence J. Paulson, “Relations between secrets: Two formal
analyses of the Yahalom protocol”, Journal of Computer Science,
2001.
[20] , SPORE, Security Protocol Open Repository,
http://www.lsv.enscachan.fr/spore
2004, available at
?
?
?
?
?
?
?
?
?
?
{}
,
,, , ,,
bBS
A N
B A B S N K
{}
,, , ,,
a AS
A A B S N K
a
b
N
{}
()
AS
b
sk K
N
?
?
?
{}
,, , ,
A B S K
,
AS BS
SK
{}
()
{}
()
,,,
AS
BS
ab
′
b
sk K
sk K
A NNN
{}
()
,,,
AS
ABab
sk K
B KNN′
?
?
?
?
{}
()
,,
BS
bAB
sk K
A N K
?
?
{}
()
, , ,
A B S N′
AB
b
sk K