Specifying Authentication Protocols Using ELAN

The Needham-Schroeder public-key protocol [NS78] has been already analyzed using several methodologies from model-checkers like FDR [Ros94] to approaches based on theorem proving like NRL [Mea96]. Although this protocol is simple it has been proved insecure only in 1995 by G. Lowe [Low95]. After the discover of the security problem and the correctness proof of a modified version in [Low96] several other approaches have been used in order to discover the attack and obtain correct versions like [Mea96, Mon99, Den98]. The protocol is described by defining the messages exchanged between the participants. Each agent sends a message and goes into a new state in which it possibly expects a confirmation message. We can thus say that the protocol consists in the sequence of states describing the agents and the communication network. Therefore it seems natural to use rewrite rules in order to describe the transition from one state to another and strategies in order to describe the way these rules are applied. In order to describe a computational version of a certain logic we use computational systems that can express the proof calculus of the given logic. A computational system ([KKV95]) is a combination of a rewrite theory and a strategy describing the intended set of computations. These ideas are implemented in the language ELAN ([BKK98]) which allows to describe computational systems. In our approach the whole formalization is done as the same level: the state transitions of the agents and of the intruder as well as the invariants the protocol should satisfy are described by ELAN rewrite rules. Furthermore, by making the formalization executable we allow either to directly use the specification for analyzing the protocol or to replay attacks or scenarios proposed by a third party.