The Inductive Approach to Verifying Cryptographic Protocols

Informal arguments that cryptographic protocols are secure can be made rigorous using inductive definitions. The approach is based on ordinary predicate calculus and copes with infinite-state systems. Proofs generated Isabelle/HOL. human effort required to analyze a protocol as little week or two, yielding proof script takes few minutes run. Protocols inductively defined sets of traces. A trace list communication events, perhaps comprising many interleaved runs. Protocol descriptions incorporate attacks accidental losses. model spy knows some private keys forge messages components decrypted from previous traffic. Three analyzed below: Otway-Rees (which uses shared-key encryption), Needham-Schroeder public-key recursive by Bull Otway variable length). One prove event $ev$ always precedes $ev'$ property $P$ holds provided $X$ remains secret. Properties proved the viewpoint various principals: say, if $A$ receives final message $B$ then session key it conveys good.