In this report we present a process language for security protocols together with an operational semantics and an alternative semantics in terms of sets of events. The denotation of process is a set of events, and as each event specifies a set of pre and postconditions, this denotation can be viewed as a Petri net. This Petri-net semantics has a strong relation to both Paulson’s inductive set o...

We describe the design of Clap, a simple speciication language devoted to cryptographic protocols (exclusively). Its main design principle is that it should be not only possible, but relatively easy, to prove security properties of Clap protocols automatically on a machine. To this end, Clap is very restricted. We can think of Clap as isolating what can be thought as a set of essential programm...

We introduce the notion of security effectiveness, illustrate its use in the context of cryptographic protocol analysis, and argue that it requires analysis of protocol property dependencies. We provide examples to show that, without dependency analysis, the use of some logics for cryptographic protocol analysis yields results that are inconsistent or unrealistic in practice. We identify severa...

We consider the problem of automatically verifying infinite-state cryptographic protocols. Specifically, we present an algorithm that given a finite process describing a protocol in a hostile environment (trying to force the system into a “bad” state) computes a model of traces on which security properties can be checked. Because of unbounded inputs from the environment, even finite processes h...

In recent years auctions have become more and more important in the field of multiagent systems as useful mechanisms for resource allocation, task assignment and last but not least electronic commerce. In many cases the Vickrey (second-price sealed-bid) auction is used as a protocol that prescribes how the individual agents have to interact in order to come to an agreement. The main reasons for...

The correct and awless design of cryptographic protocols is crucial for the security of network services. As security aws within such protocols are in general very hard to detect, their security properties must be formally veriied. A computer-supported prove is highly desirable, but formal techniques as well as automatic theorem provers are hard to use for a non-specialist. To ooer a user-frien...

We present the first type and effect system for proving authenticity properties of security protocols based on asymmetric cryptography. The most significant new features of our type system are: (1) a separation of public types (for data possibly sent to the opponent) from tainted types (for data possibly received from the opponent) via a subtype relation; (2) trust effects, to guarantee that ta...

Cryptographic protocols can be divided into (1) protocols where the protocol steps are simple from a computational point of view and can thus be modeled by simple means, for instance, by single rewrite rules—we call these protocols non-looping— and (2) protocols, such as group protocols, where the protocol steps are complex and typically involve an iterative or recursive computation—we call the...