Deriving Key Distribution Protocols and their Security Properties

We apply the derivational method of protocol verification to key distribution protocols. This method assembles the security properties of a protocol by composing the guarantees offered by embedded fragments and patterns. It has shed light on fundamental notions such as challenge-response and fed a growing taxonomy of protocols. Here, we similarly capture the essence of key distribution, authentication timestamps and key confirmation. With these building blocks, we derive the authentication properties of the Needham-Schroeder shared-key and the Denning-Sacco protocols, and of the cores of Kerberos 4 and 5. The main results of this research were obtained in 2003-04 and appeared in [3]. The present document collects proofs omitted for space reasons and unpublished background material. Carnegie Mellon University in Qatar, P.O. Box 42866, Doha, Qatar, e-mail: [email protected] Code 5543, Naval Research Laboratory, Washington, DC 20375, e-mail: [email protected] Kestrel Institute, 3260 Hillview Avenue, Palo Alto, CA 94304, e-mail:[email protected] Cervesato was partially supported by ONR under Grant N000149910150; significant portions of this work were completed while he was at Tulane University. Pavlovic was supported by ONR N00014-03-C-0237 and by NSF CCR-0345397.