Professional Documents
Culture Documents
Popl01 Abadi Fournet
Popl01 Abadi Fournet
Mart
n Abadi C
edri Fournet
Lu ent Te hnologies
base type Data. In addition, if is a sort, then Channelh i We write , fM=x g, fMf=xe g for substitutions, x for the image
is a sort too (intuitively, the sort of those hannels that of x by , and T for the result of applying to the free
onvey messages of sort ). A variable an have any sort. A variables of T . We identify the empty substitution and the
name an have any sort or, in a more re ned version of the null pro ess 0. We always assume that our substitutions
sort system, any sort in a distinguished lass of sorts. We are y le-free. We also assume that, in an extended pro ess,
typi ally use a, b, and as hannel names, s and k as names there is at most one substitution for ea h variable, and there
of some base type (e.g., Data), and m and n as names of is exa tly one when the variable is restri ted.
any sort. For simpli ity, fun tion symbols take arguments Extending the sort system for terms, we rely on a sort
and produ e results of the base types only. (This separation system for extended pro esses. It enfor es that M and N are
of hannels from other values is onvenient but not essential of the same sort in the onditional expression, that u has sort
Channelh i for some in the input and output expressions, New- 0 n:0 0
and that x and N have the orresponding sort in those New-C u:v:A v:u:A
expressions. Again, we omit the unimportant details of this New-Par A j u:B u:(A j B )
sort system, but assume that extended pro esses are well- when u 62 fv (A) [ fn (A)
sorted. Alias x:f =x g 0
M
As usual, names and variables have s opes, whi h are Subst fM=x gMj A fMN =x g j AfM=x g
delimited by restri tions and by inputs. We write fv (A), f =x g f =x g when ` M = N
bv (A), fn (A), and bn (A) for the sets of free and bound vari-
Rewrite
ables and free and bound names of A, respe tively. These The rules for parallel omposition and restri tion are stan-
sets are indu tively de ned, using the same lauses for pro- dard. Alias enables the introdu tion of an arbitrary a tive
esses as in the pure pi al ulus, and using: substitution. Subst des ribes the appli ation of an a tive
substitution to a pro ess that is in onta t with it. Rewrite
fv (fM=x g) = fv (M ) [ fxg
def
deals with equational rewriting. In ombination, Alias and
Subst yield Af =x g x:(f =x g j A) for x 2
M M = fv (M ):
fn (fM=x g) = fn (M )
def
for a tive substitutions. An extended pro ess is losed when AfM=x g AfM=x g j 0 by Par-0
every variable is either bound or de ned by an a tive substi- 0 j AfMM=x g M by Par-C
tution. We use the abbreviation ue for the (possibly empty) (x:fM=x g) j AfM =x g by Alias
series of pairwise-distin t binders u1 :u2 : : : : ul . x:(fM=x g j Af =x g) by New-Par
A frame is an extended pro ess built up from 0 and a tive x:(f =x g j A) by Subst
substitutions of the form fM=x g by parallel omposition and
restri tion. We let ' and range over frames. The domain Using stru tural equivalen e, every losed extended pro -
dom (') of a frame ' is the set of the variables that ' exports ess A an be rewritten to onsist of a substitution and a
(those variables x for whi h ' ontains a substitution fM=x g losed plain pro ess with some restri ted names:
not under a restri tion on x). Every extended pro ess A an
be mapped to a frame '(A) by repla ing every plain pro ess A ne:fMf=xe g j P
embedded in A with 0. The frame '(A) an be viewed as an
approximation of A that a ounts for the stati knowledge where fv (P ) = ;, fv (M
f) = ;, and fn eg fn (M
f). In parti -
exposed by A to its environment, but not for A's dynami ular, every losed frame ' an be rewritten to onsist of a
behavior. The domain dom (A) of A is the domain of '(A). substitution with some restri ted names:
2.2 Operational semanti s ne:fMf=xe g
'
Given a signature , we equip it with an equational theory, f) = ; and fn
where fv (M eg fn (M
f). The set fx eg is the
that is, with an equivalen e relation on terms that is losed domain of '.
under substitutions of terms for variables. (See for exam- Internal redu tion ! is the smallest relation on extended
ple [33, hapter 3℄ and its referen es for ba kground on uni- pro esses losed by stru tural equivalen e and appli ation of
versal algebra and algebrai data types from a programming- evaluation ontexts su h that:
language perspe tive.) We further require that this equa-
tional theory be losed under one-to-one renamings, but not Comm ahxi:P j a(x):Q ! P j Q
ne essarily losed under substitutions of arbitrary terms for if M = M then P else Q ! P
names. Then
In '0 , the variables x and y are mapped to two unrelated 4.3 Labeled operational semanti s and equivalen e
values that are di erent from any value that the ontext A labeled operational semanti s extends the hemi al se-
may build (sin e k and s are new). These properties also manti s of se tion 2, enabling us to reason about pro esses
hold, but more subtly, for '1 ; although f (k) and g(k) are that intera t with their environment. The labeled semanti s
based on the same underlying fresh name, they look unre- de nes a relation A ! A0 , where is a label of one of the
lated. (Analogously, it is ommon to onstru t apparently following forms:
unrelated keys by hashing from a single underlying se ret,
as in SSL [21℄.) Hen e, a ontext that obtains the values a label a(M ), where M is a term that may ontain
for x and y annot distinguish '0 and '1 . On the other names and variables, whi h orresponds to an input of
hand, the ontext an dis riminate '2 by testing the pred- M on a;
i ate f (x) = y. Therefore, we would like to de ne stati
equivalen e so that '0 s '1 6s '2 . a label ahui or u:ahui, where u is either a hannel
This example relies on a on ept of equality of terms in name or a variable of base type, whi h orresponds to
a frame, whi h the following de nition aptures. an output of u on a.
De nition 2 We say that two terms M and N are equal in In addition to the rules for stru tural equivalen e and re-
the frame ', and write (M = N )', if and only if ' ne: , du tion of se tion 2, we adopt the following rules:
M = N , and fneg \ (fn (M ) [ fn (N )) = ; for some names
ne and substitution . In a(x):P a(M!
)
P fM=x g
For instan e, in our example, we have (f (x) = y)'2 but not
(f (x) = y)'1 , hen e '1 6s '2 . Out-Atom ahui:P ahu!
i
P
De nition 3 We say that two losed frames ' and are
stati ally equivalent, and write ' s , when dom (') = A ahu!
i A0 u 6= a
dom ( ) and when, for all terms M and N , we have (M = Open-Atom
u:ahui 0
N )' if and only if (M = N ) . u:A !A
We say that two losed extended pro esses are stati ally
equivalent, and write A s B , when their frames are stati- A ! A0 u does not o ur in
ally equivalent. u:A ! u:A0
S ope
key, without on ern for how the key was established, and = k:(A j B )
S def
without any side-e e ts from weaknesses in the establish-
ment of the key. The theorem says that this ideal out ome The pro ess S represents the omplete system, omposed of
is essentially a hieved, up to some \noise". This \noise" is a A and B ; the restri tion on k means that k is private to A
substitution that maps x0 and x1 to unrelated, fresh names. and B . The pro ess A re eives messages on a publi hannel
It a ounts for the fa t that an atta ker may have the key- a and returns them MACed on the publi hannel b. When
ex hange messages, and that they look just like unrelated B re eives a message on b, it he ks its MAC and a ts upon
values to the atta ker. In parti ular, the key in use between it, here simply by forwarding on a hannel . Intuitively,
P0 and P1 has no observable relation to those messages, or we would expe t that B forwards on only a message that
to any other left-over se rets. We view this independen e of A has MACed. In other words, although an atta ker may
the shared key as an important forward-se re y property. inter ept, modify, and inje t messages on b, it should not be
able to forge a MAC and tri k B into forwarding some other
Theorem 3 Let P0 and P1 be pro esses with free variable message.
y where the name k does not appear. We have: This property an be expressed pre isely in terms of the
labeled semanti s and it an be he ked without too mu h
y:(P0 j P1 j ') diÆ ulty when ma is a primitive fun tion symbol with no
k:(P0 j P1 )fk=y g j s0 :fs0=x0 g j s1 :fs1=x1 g equations. The property remains true even if there is a fun -
tion extra t that maps a MAC ma (x; y) to the underlying
The theorem follows from Lemma 2 and the stati equiva- leartext y, with the equation extra t(ma (x; y)) = y. Sin e
len e ' s s0 ; s1 ; k:fs0=x0 ;s1 =x1 ;k =y g, whi h says that the MACs are not supposed to guarantee se re y, su h a fun -
frame ' generated by the proto ol exe ution is equivalent tion may well exist, so it is safer to assume that it is available
to one that maps variables to fresh names. to the atta ker.
Extensions of the basi proto ol add rounds of ommuni- The property is more deli ate if ma is de ned from
ation that on rm the key and authenti ate the prin ipals. other operations, as it invariably is in pra ti e. In that
We have studied one su h extension with key on rmation. ase, the property may even be taken as the spe i ation of
There, the shared se ret f (n0 ; g(n1 )) is used in on rma- MACs [22℄. Thus, a MAC implementation may be deemed
tion messages. Be ause of these messages, the shared se ret orre t if and only if the pro ess S works as expe ted when
an no longer be equated with a virgin key for P0 and P1 . ma is instantiated with that implementation. More spe if-
Instead, the nal key is omputed by hashing the shared se- i ally, the next se tion deals with the question of whether
ret. This hashing guarantees the independen e of the nal the property remains true when ma is de ned from hash
key. fun tions.
6 Message authenti ation odes and hashing 6.2 Constru ting MACs
(another example) In se tion 3, we give no equations for one-way hash fun -
Message authenti ation odes (MACs) are ommon rypto- tions. In pra ti e, one-way hash fun tions are ommonly
graphi operations. In this se tion we treat MACs and their de ned by iterating a basi binary ompression fun tion,
onstru tions from one-way hash fun tions. This example whi h maps two input blo ks to one output blo k. Fur-
provides a further illustration of the usefulness of equations thermore, keyed one-way hash fun tions in lude a key as an
in the applied pi al ulus. On the other hand, some aspe ts additional argument. Thus, we may have:
of MAC onstru tions are rather low-level, and we would not f (x; y + z ) = h(f (x; y ); z )
expe t to a ount for all their ombinatorial details (e.g., the
\birthday atta ks"). A higher-level task is to express and where f is the keyed one-way hash fun tion, h is the om-
reason about proto ols treating MACs as primitive; this is pression fun tion, x is a key, and y + z represents the on-
squarely within the s ope of our approa h. atenation of blo k z to y. Con atenation (+) asso iates
to the left. We also assume other standard operations on
6.1 Using MACs sequen es and the orresponding equations.
In this equation we are rather abstra t in our treatment
MACs serve to authenti ate messages using shared keys. of blo ks, their sizes, and therefore of padding and other
When k is a key and M is a message, and k is known only related issues. We also ignore two ommon twists: some
to a ertain prin ipal A and to the re ipient B of the mes- fun tions use initialization ve tors to start the iteration, and
sage, B may take ma (k; M ) as proof that M omes from A. some append a length blo k to the input. Nevertheless, we
More pre isely, B an he k ma (k; M ) by re omputing it an explain various MAC onstru tions, des ribing aws in
upon re eipt of M and ma (k; M ), and reason that A must some and reasoning about the properties of others.
a(M )
k:(A j B ) ! k:(A j B j bh(M; ma (k; M ))i)
x:bhxi
! k:(A j B j f(M;ma (k;M ))=x g)
b((M +N;h(snd(x);N )))
!! k:(A j hM + N i j f(M;ma (k;M ))=x g)
y: hyi
! k:(A j f(M;ma (k;M ))=x ;M +N =y g)
a(M )
k:(A j B ) ! k:(A j B j bh(M; ma (k; M ))i)
x:bh(M;x)i
! k:(A j B j fma k;M =x g)
( )
hM N i
+
! k:(A j fma k;M =x g)
( )
A rst, lassi al de nition of a MAC from a keyed one- 7 Related work and on lusions
way hash fun tion f is:
In this paper, we des ribe a uniform extension of the pi
ma (x; y ) def
= f (x; y) al ulus, the applied pi al ulus, in whi h messages may
be ompound values, not just hannel names. We study
For instan e, the MAC of a three-blo k message M = M0 + its theory, developing its semanti s and proof te hniques.
M1 + M2 with key k is ma (k; M ) = h(h(f (k; M0 ); M1 ); M2 ). Although the al ulus has no spe ial, built-in features to
This implementation is subje t to a well-known extension deal with se urity, we nd it useful in the analysis of se urity
atta k. Given the MAC of M , an atta ker an ompute proto ols.
the MAC of any extension M + N without knowing the Other te hniques have been employed for the analysis
MAC key, sin e ma (k; M + N ) = h(ma (k; M ); N ). We of these proto ols. Some are based on omplexity theory;
an des ribe the atta k formally through the operational there, prin ipals are basi ally Turing ma hines that om-
semanti s, as done in Figure 2 and in Figure 3, whi h use the pute on bitstrings, and se urity depends on the omputa-
semanti s of se tions 4.3 and 4.4 respe tively. We assume tional limitations of atta kers (e.g., [44, 23, 24, 8, 22℄). Oth-
k 62 fn (M ) [ fn (N ). In those des riptions, we see that the ers rely on higher-level, formal representations where issues
message M that the system MACs di ers from the message of omputational omplexity an be onveniently avoided
M + N that it forwards on . (e.g., [19, 25, 29, 39, 35, 34, 42, 5, 16, 7℄). Although some
There are several ways to address extension atta ks, and re ent work [28, 36, 6℄ starts to relate these two s hools (for
indeed the literature ontains many MAC onstru tions that example, justifying the soundness of the se ond with respe t
are not subje t to these atta ks. We have onsidered some to the rst), they remain rather distin t. Our use of the ap-
of them. Here we des ribe a onstru tion that uses the MAC plied pi al ulus learly belongs in the se ond. Within this
key twi e: s hool, many re ent approa hes work essentially by reason-
ma (x; y ) def
= f (x; f (x; y)) ing about all possible tra es of a se urity proto ol. However,
the ways of talking about the tra es and their properties
Under this de nition, the pro ess S forwards on only a vary greatly. We use a pro ess al ulus. Its semanti s pro-
message that it has previously MACed, as desired. Looking vides a detailed spe i ation for sets of tra es. Be ause the
beyond the ase of S , we an prove a more general result by pro ess al ulus has a proper \new" onstru t (like the pi
omparing the situation where ma is primitive (and has no al ulus but unlike CSP), it provides a dire t a ount of the
spe ial equations) and one with the de nition of ma (x; y) as generation of new keys and other fresh quantities. It also
f (x; f (x; y )). Given a tuple of names ek and an extended pro - enables reasoning with equivalen e and implementation re-
ess C that uses the symbol ma , we write [ C ℄ for the trans- lations. Furthermore, the pro ess al ulus permits treating
lation of C in whi h the de nition of ma is expanded wher- se urity proto ols as programs written in a programming
notation|subje t to typing, to other stati analyses, and to
ever a key ki in ek is used, with f (ki ; f (ki ; M )) repla ed for translations [1, 3, 4, 2, 10, 11, 9, 13℄.
ma (ki ; M ). The theorem says that this translation yields The applied pi al ulus has many ommonalities with the
an equivalent pro ess (so, intuitively, the onstru ted MACs original pi al ulus and its relatives, su h as the spi al ulus
work as well as the primitive ones): (dis ussed above). In parti ular, the model of ommuni a-
Theorem 4 Suppose that the names ek appear only as MAC tion adopted in the applied pi al ulus is deliberately las-
keys in C . Take no equations for ma and the equation
si al: ommuni ation is through named hannels, and value
omputation is rather separate from ommuni ation. Fur-
f (x; y + z ) = h(f (x; y ); z ) for f . Then ek:C ek:[ C ℄ .
ther, a tive substitutions are reminis ent of the onstraints [8℄ Mihir Bellare and Phillip Rogaway. Entity authenti a-
of the fusion al ulus [43℄. They are espe ially lose to the tion and key distribution. In Advan es in Cryptology|
substitution environments that Boreale et al. employ in their CRYPTO '94, volume 773 of Le ture Notes in Com-
proof te hniques for a variant of the spi al ulus with a sym- puter S ien e, pages 232{249. Springer-Verlag, 1993.
metri ryptosystem [12℄; we in orporate substitutions into
pro esses, systematize them, and generalize from symmetri [9℄ Chiara Bodei. Se urity Issues in Pro ess Cal uli. PhD
ryptosystems to arbitrary operations and equations. thesis, Universita di Pisa, January 2000.
Famously, the pi al ulus is the language of those lively [10℄ Chiara Bodei, Pierpaolo Degano, Flemming Nielson,
so ial o asions where all onversations are ex hanges of and Hanne Riis Nielson. Control ow analysis for the
names. The applied pi al ulus opens the possibility of more pi- al ulus. In Davide Sangiorgi and Robert de Simone,
substantial, stru tured onversations; the rypti hara ter editors, CONCUR '98: Con urren y Theory (9th Inter-
of some of these onversations an only add to their harm national Conferen e), volume 1466 of Le ture Notes in
and to their tedium. Computer S ien e, pages 84{98. Springer, September
1998.
A knowledgements We thank Ro o De Ni ola, Andy
Gordon, Tony Hoare, and Phil Rogaway for dis ussions that [11℄ Chiara Bodei, Pierpaolo Degano, Flemming Nielson,
ontributed to this work. Georges Gonthier and Jan Jurjens and Hanne Riis Nielson. Stati analysis of pro esses for
suggested improvements in its presentation. no read-up and no write-down. In Wolfgang Thomas,
editor, Pro eedings of the Se ond International Confer-
en e on Foundations of Software S ien e and Computa-
Referen es tion Stru tures (FoSSaCS '99), volume 1578 of Le ture
[1℄ Martn Abadi. Prote tion in programming-language Notes in Computer S ien e, pages 120{134. Springer,
translations. In Kim G. Larsen, Sven Skyum, and 1999.
Glynn Winskel, editors, Pro eedings of the 25th Inter- [12℄ Mi hele Boreale, Ro o De Ni ola, and Rosario
national Colloquium on Automata, Languages and Pro- Pugliese. Proof te hniques for ryptographi pro esses.
gramming, volume 1443 of Le ture Notes in Computer In Pro eedings of the Fourteenth Annual IEEE Sym-
S ien e, pages 868{883. Springer, July 1998. Also Dig- posium on Logi in Computer S ien e, pages 157{166,
ital Equipment Corporation Systems Resear h Center July 1999.
report No. 154, April 1998.
[13℄ Lu a Cardelli. Mobility and se urity. In F. L. Bauer
[2℄ Martn Abadi. Se re y by typing in se urity proto ols. and R. Steinbrueggen, editors, Foundations of Se ure
Journal of the ACM, 46(5):749{786, September 1999. Computation, NATO S ien e Series, pages 3{37. IOS
[3℄ Martn Abadi, Cedri Fournet, and Georges Gonthier. Press, 2000.
Se ure implementation of hannel abstra tions. In Pro- [14℄ Sylvain Con hon and Fabri e Le Fessant. Jo aml:
eedings of the Thirteenth Annual IEEE Symposium on Mobile agents for Obje tive-Caml. In First Interna-
Logi in Computer S ien e, pages 105{116, June 1998. tional Symposium on Agent Systems and Appli ations
(ASA'99)/Third International Symposium on Mobile
[4℄ Martn Abadi, Cedri Fournet, and Georges Gonthier. Agents (MA'99), pages 22{29, O tober 1999.
Authenti ation primitives and their ompilation. In
Pro eedings of the 27th ACM Symposium on Prin i- [15℄ Core SDI S.A. ssh insertion atta k. Available
ples of Programming Languages, pages 302{315, Jan- at http://www. ore-sdi. om/soft/ssh/atta k.txt,
uary 2000. July 1998.
[5℄ Martn Abadi and Andrew D. Gordon. A al ulus for [16℄ Mads Dam. Proving trust in systems of se ond-order
ryptographi proto ols: The spi al ulus. Informa- pro esses. In Pro eedings of the 31th Hawaii Inter-
tion and Computation, 148(1):1{70, January 1999. An national Conferen e on System S ien es, volume VII,
extended version appeared as Digital Equipment Cor- pages 255{264, 1998.
poration Systems Resear h Center report No. 149, Jan- [17℄ W. DiÆe and M. Hellman. New dire tions in ryp-
uary 1998. tography. IEEE Transa tions on Information Theory,
[6℄ Martn Abadi and Phillip Rogaway. Re on iling two IT-22(6):644{654, November 1976.
views of ryptography (The omputational soundness [18℄ Whit eld DiÆe, Paul C. van Oors hot, and Mi hael J.
of formal en ryption). In Pro eedings of the First IFIP Wiener. Authenti ation and authenti ated key ex-
International Conferen e on Theoreti al Computer S i-
en e, volume 1872 of Le ture Notes in Computer S i- hanges. Designs, Codes and Cryptography, 2:107{125,
en e, pages 3{22. Springer-Verlag, August 2000. 1992.
[7℄ Roberto M. Amadio and Denis Lugiez. On the rea h- [19℄ Danny Dolev and Andrew C. Yao. On the se urity of
ability problem in ryptographi proto ols. In Catus- publi key proto ols. IEEE Transa tions on Informa-
ia Palamidessi, editor, CONCUR 2000: Con urren y tion Theory, IT-29(12):198{208, Mar h 1983.
Theory (11th International Conferen e), volume 1877 [20℄ Cedri Fournet and Georges Gonthier. A hierar hy
of Le ture Notes in Computer S ien e, pages 380{394. of equivalen es for asyn hronous al uli. In Kim G.
Springer-Verlag, August 2000. Larsen, Sven Skyum, and Glynn Winskel, editors, Pro-
eedings of the 25th International Colloquium on Au-
tomata, Languages and Programming, volume 1443 of
Le ture Notes in Computer S ien e, pages 844{855. [36℄ Birgit P tzmann, Matthias S hunter, and Mi hael
Springer, July 1998. Waidner. Cryptographi se urity of rea tive systems
(extended abstra t). Ele troni Notes in Theoreti al
[21℄ Alan O. Freier, Philip Karlton, and Paul C. Ko her. Computer S ien e, 32, April 2000.
The SSL proto ol: Version 3.0. Available at http://
home.nets ape. om/eng/ssl3/draft302.txt, Novem- [37℄ Benjamin C. Pier e and David N. Turner. Pi t: A pro-
ber 1996. gramming language based on the pi- al ulus. In Gordon
[22℄ Sha Goldwasser and Mihir Bellare. Le ture notes Plotkin, Colin Stirling, and Mads Tofte, editors, Proof,
Language and Intera tion: Essays in Honour of Robin
on ryptography. Summer Course \Cryptography and Milner, Foundations of Computing. MIT Press, May
Computer Se urity" at MIT, 1996{1999, August 1999. 2000.
[23℄ Sha Goldwasser and Silvio Mi ali. Probabilisti en- [38℄ D. Sangiorgi. On the bisimulation proof method. Jour-
ryption. Journal of Computer and System S ien es, nal of Mathemati al Stru tures in Computer S ien e,
28:270{299, April 1984. 8:447{479, 1998.
[24℄ Sha Goldwasser, Silvio Mi ali, and Ronald Rivest. [39℄ Steve S hneider. Se urity properties and CSP. In Pro-
A digital signature s heme se ure against adaptive eedings of the 1996 IEEE Symposium on Se urity and
hosen-message atta k. SIAM Journal on Computing, Priva y, pages 174{187, 1996.
17:281{308, 1988.
[25℄ R. Kemmerer, C. Meadows, and J. Millen. Three sys- [40℄ Bru e S hneier.Applied Cryptography: Proto ols, Al-
tem for ryptographi proto ol analysis. Journal of gorithms, and Sour e Code in C. John Wiley & Sons,
Cryptology, 7(2):79{130, Spring 1994. In ., se ond edition, 1996.
[26℄ Hugo Kraw zyk. SKEME: A versatile se ure key ex- [41℄ Stuart G. Stubblebine and Virgil D. Gligor. On message
hange me hanism for internet. In Pro eedings of integrity in ryptographi proto ols. In Pro eedings of
the Internet So iety Symposium on Network and Dis- the 1992 IEEE Symposium on Resear h in Se urity and
tributed Systems Se urity, February 1996. Available at Priva y, pages 85{104, 1992.
http://bilbo.isu.edu/sndss/sndss96.html. [42℄ F. Javier Thayer Fabrega, Jonathan C. Herzog, and
[27℄ Ben Liblit and Alexander Aiken. Type systems for dis- Joshua D. Guttman. Strand spa es: Why is a se urity
tributed data stru tures. In Pro eedings of the 27th proto ol orre t? In Pro eedings of the 1998 IEEE
ACM Symposium on Prin iples of Programming Lan- Symposium on Se urity and Priva y, pages 160{171,
guages, pages 199{213, January 2000. May 1998.
[28℄ P. Lin oln, J. Mit hell, M. Mit hell, and A. S edrov. [43℄ Bjorn Vi tor. The Fusion Cal ulus: Expressiveness and
A probabilisti poly-time framework for proto ol anal- Symmetry in Mobile Pro esses. PhD thesis, Dept. of
ysis. In Pro eedings of the Fifth ACM Conferen e on Computer Systems, Uppsala University, Sweden, June
Computer and Communi ations Se urity, pages 112{ 1998.
121, 1998. [44℄ Andrew C. Yao. Theory and appli ations of trapdoor
[29℄ Gavin Lowe. Breaking and xing the Needham- fun tions. In Pro eedings of the 23rd Annual Sympo-
S hroeder publi -key proto ol using FDR. In Tools sium on Foundations of Computer S ien e (FOCS 82),
and Algorithms for the Constru tion and Analysis of pages 80{91, 1982.
Systems, volume 1055 of Le ture Notes in Computer
S ien e, pages 147{166. Springer Verlag, 1996.
[30℄ Alfred J. Menezes, Paul C. van Oors hot, and S ott A.
Vanstone. Handbook of Applied Cryptography. CRC
Press, 1996.
[31℄ Robin Milner. Communi ation and Con urren y. In-
ternational Series in Computer S ien e. Prenti e Hall,
1989.
[32℄ Robin Milner. Communi ating and Mobile Systems: the
-Cal ulus. Cambridge University Press, 1999.
[33℄ John C. Mit hell. Foundations for Programming Lan-
guages. MIT Press, 1996.
[34℄ John C. Mit hell, Mark Mit hell, and Ulri h Stern.
Automated analysis of ryptographi proto ols using
Mur. In Pro eedings of the 1997 IEEE Symposium on
Se urity and Priva y, pages 141{151, 1997.
[35℄ Lawren e C. Paulson. The indu tive approa h to ver-
ifying ryptographi proto ols. Journal of Computer
Se urity, 6(1{2):85{128, 1998.