Nonmonotonic Cryptographic Protocols

This paper presents a new method for specifying and analyzing cryptographic protocols. Our method o ers several advantages over previous approaches. Our technique is the rst to allow reasoning about nonmonotonic protocols. These protocols are needed for systems that rely on the deletion of information. There is no idealization step in specifying protocols; we specify at a level that is close to the actual implementation. This avoids errors that might otherwise render a speci cation that passes the analysis, useless in practice. In our method, knowledge and belief sets for each principal are modi ed via actions and inference rules. Every message is considered to be broadcast, and we introduce the update function to maintain global knowledge. We show how our method uncovers the known aw in the Needham and Schroeder protocol [11], and that the revision by the same authors [12] does not contain this aw. We also show that our method correctly handles protocols that are trivially insecure, such as Nessett's noted example. [13] We then apply our method to our khat protocol [14]. The analysis reveals a serious, previously undiscovered aw in our nonmonotonic protocol for long-running jobs; one that seems obvious in hindsight, but escaped the attention of the authors and over 300 USENIX conference attendees. In addition, our analysis reveals a previously unknown vulnerability in phase II of khat. These are stunning con rmations of the importance of tools for analyzing cryptographic protocols. Nonmonotonic Cryptographic Protocols