Analysis methods for cryptographic protocols have often focused on information leakage rather than on seeing whether a protocol meets its goals. Many protocols, however, fall far short of meeting their goals, sometimes for quite subtle reasons. We introduce a mechanism for reasoning about belief as a systematic way to understand the working of cryptographic protocols. Our mechanism captures mor...

In this paper, a new first-order logical framework and method of formalizing and verifying cryptographic protocols is presented. From the point of view of an intruder, the protocol and abilities of the intruder are modeled in Horn clauses. Based on deductive reasoning method, secrecy of cryptographic protocols is verified automatically, and if the secrecy is violated, attack scenarios can be pr...

Security protocol verification has been the area where the bulk of the research in cryptographic protocols has taken place and a number of successful supporting tools have been developed. However, not much research has been done in the area of applying formal methods to the design of cryptographic protocols in the first place, despite wide recognition that the design of cryptographic protocols ...

In ongoing work, we are investigating the design of secure distributed implementations of high-level process calculi (in particular, of the join-calculus). We formulate implementations as translations to lower-level languages with cryptographic primitives. Cryptographic protocols are essential components of those translations. In this paper we discuss basic cryptographic protocols for transmitt...

This paper shows how cryptographic protocols for mobile agent data integrity properties can be formally specified by using spi calculus, an extension of calculus with cryptographic properties. In particular, by means of a case study, it is shown how a specification technique initially conceived only for classical cryptographic protocols can be used in the context of mobile agents as well. Our c...

We study the composition of security protocols when protocols share secrets such as keys. We show (in a Dolev-Yao model) that if two protocols use disjoint cryptographic primitives, their composition is secure if the individual protocols are secure, even if they share data. Our result holds for any cryptographic primitives that can be modeled using equational theories, such as encryption, signa...