Research Proposal

Computer Science

Open Competition 2003

Accountability in Electronic Commerce Protocols

(ACCOUNT)

Applicants:

Dr. B. Crispo, Vrije Universiteit Amsterdam (VU)

Dr. S. Etalle, Universiteit Twente (UT)

Prof.Dr. W.J. Fokkink, Centrum voor Wiskunde en Informatica (CWI)

Principal investigator: Dr. S. Etalle

Universiteit Twente

Distributed and Embedded Systems Group

Tel: +31 53 4891195

Fax: +31 53 4894047

E-mail: [email protected]


1 Title

1a. Project Title: Accountability in Electronic Commerce Protocols

1b. Acronym: ACCOUNT

1c. Principal Investigator: Dr. S. Etalle

2 Summary

More complex negotiation and payment scenarios for e-commerce are emerging. Accountability as a foundation for building trust is a crucial factor for determining the success of these services. We will develop and implement a tool for the specification, prototyping and verification of e-commerce protocols, based on constraint solving and model checking. We will use this tool to analyze accountability in existing e-commerce protocols. Using this analysis, we will develop new protocols for electronic negotiation and payment. We will focus on accountability of trusted third parties, non-repudiation, fairness, delegation protocols and multicast protocols.

3 Classification

The contributions are to 3.4 (system verification), 5.2 (identification, authentication and security) and 6.5 (formal methods). The application domains are 1.2 (distributed systems) and 1.3 (dependability).

Relevant NOAG-i research themes are: Parallel and Distributed Computing (PDC), Algorithms and Formal Methods (AFM).

4 Composition of the Research Team

The three research groups in the project combine different areas of expertise:

• Design of security protocols at the Computer Systems Group (VU).

• Verification of security protocols using model checking at the Embedded Systems Group (CWI).

• Verification of security protocols using constraint solving at the Distributed and Embedded Systems Group (UT).

title      name               affiliation              hours/week

Prof dr    Andy Tanenbaum     VU                       1
Dr         Bruno Crispo                                6

Prof dr    Pieter Hartel      UT                       2
Dr         Sandro Etalle                               5

Prof dr    Wan Fokkink        CWI                      5
Dr         Jaco van de Pol                             2

Drs/Ir     AIO – vacancy      VU, Comp. Syst. Gr.      40

Dr         postdoc – vacancy  UT, Dist. Emb. Syst. Gr. 40

Drs/Ir     OIO – vacancy      CWI, Emb. Syst. Gr.      40


• Bruno Crispo is member of the Computer Systems Group at the VU. Andy Tanenbaum, the head of this group, will act as promotor of the AIO.

• Sandro Etalle is member of the Distributed and Embedded Systems Group at the UT. This group is headed by Pieter Hartel.

• Wan Fokkink is head of the Embedded Systems Group at CWI, and full professor in the Theoretical Computer Science Group at the VU for one day a week. He will act as promotor of the OIO. Jaco van de Pol is member of the Embedded Systems Group.

5 Research Schools

The Computer Systems Group at the VU participates in the Advanced School for Computing and Imaging (ASCI). The Distributed and Embedded Systems Group at the UT and the Embedded Systems Group at CWI participate in the Institute for Programming research and Algorithmics (IPA).

6 Description of Proposed Research

Context

Even the simplest forms of trading have a negotiation phase and a subsequent contract establishment and payment phase. So far, at e-commerce sites only relatively simple negotiation, contract signing and payment scenarios can be found. Most sites offer little beyond browsing catalogues by way of negotiating, while contract signing and payment tends to consist of entering a credit card number and clicking accept. The trust in these sites is largely built on the trust users have in the credit card companies, which keep records and in case of a problem organize a refund.

More complex negotiation and payment scenarios are emerging, for instance through auction sites, but also in the quite different context of cooperating agent platforms. For instance, in the case of e-procurement there may be a buyer and many suppliers engaged in a multi-round negotiation where new conditions can be discussed at each round until agreement is reached. For users to actually use these services and systems, they must trust them. In general, users will not blindly trust services and systems; user trust has to be built. A good way to build trust (witnessing the popularity of credit card payment over the Internet) is to be accountable, and to give the user the real option to oppose transactions based on information collected by all parties in the transaction. Accountability as a foundation for building trust is a crucial factor for determining the success of more complex e-commerce services [45].

Security protocols are an essential means for the exchange of confidential information and authentication. They are meant to guarantee that a hostile intruder cannot get hold of secret information or force unjust authentication, and that a business partner does not overstep his bounds and keeps his promises. In order to maintain user trust, these protocols must be guaranteed to work correctly, and their participants must be accountable for their actions.

A considerable number of published security protocols were later shown to contain flaws, thus undermining the trust in such protocols. This has stimulated research on the formal verification of security protocols, see e.g. [7, 11, 13, 33, 35, 43, 50]. Several approaches are based on the work of Dolev and Yao [24], where it is proposed to test a protocol explicitly against a hostile intruder who has complete control over the network. By an exhaustive search, one can then establish whether or not the protocol is flawed, as shown in e.g. [14, 28, 36]. Clearly, a crucial aspect in this approach is to try and limit the state explosion that occurs when modeling the intruder's behavior. To this end, many solutions have been employed, ranging from human intervention to the use of approximations. In recent work [27, 37, 44], this problem has also been tackled by reducing the intruder's action to a constraint solving problem.

Non-Repudiation and Fair Exchange

During the last decade, open networks, above all the Internet, have witnessed an impressive growth. As a consequence, new security issues, like non-repudiation and fair exchange, have to be considered. Repudiation is the denial of a previously uttered statement. Consider the case where agent A sends a message to agent B; specific protocols have been designed to guarantee that agent A cannot deny having sent the message (NRS, non-repudiation of submission) and that that message was his (NRO, non-repudiation of origin), and that agent B cannot deny having received it (NRR, non-repudiation of receipt). This evidence is based on digital signatures. One of the major problems in these protocols arises when we want to achieve fairness, i.e. avoid that one of the entities gets its evidence without the other one being able to also get its evidence. Different partial solutions have been proposed, which are generally divided into two classes, according to whether they use a trusted third party (TTP) (see, e.g., [19]) or not. The approach without TTP is either based on a gradual release of knowledge or on probabilistic protocols. Protocols based on the idea of a gradual exchange require that all involved parties have equivalent computational power; this hypothesis, however, is unrealistic. Probabilistic protocols generally overcome this first problem, but are inefficient due to the large number of messages that need to be sent. In the case of a TTP, a possible scenario is to first send each message to the TTP, who acts as an intermediary to assure delivery. The major problem of this approach is the network and communication bottleneck created at the TTP. To avoid the performance decrease created by this bottleneck, Asokan et al. [4] introduced the optimistic approach to fair exchange.

In 1980 Even and Yakobi showed that there is no deterministic protocol that solves the contract signing problem without a TTP. This result applies to the case of non-repudiation and fair exchange protocols as well. An important weakness of current protocols using a TTP is that the TTP is not accountable for possible errors or failures. In other words, if the TTP fails to accomplish its task, there is no way for the user to demonstrate that the TTP has failed. This is a crucial practical limitation, as it unrealistically assumes that the user has unlimited trust in the TTP, and that the TTP never fails. Moreover, even a trustworthy TTP could be blocked by a denial of service attack, which could spoil fairness of the protocol. The problem of accountability of the TTP was recognized in [3, 5, 48], where some partial solutions were proposed. In [3], the TTP was made accountable, under the hypothesis that it is always responding to the agent's requests. In [5] and [48], the accountability for a distributed TTP was investigated, in the context of a certified e-mail protocol and of threshold signatures, respectively. In [20] it was shown that the required trust in a TTP can be reduced by a functional rather than an unconditional TTP.

In comparison to other security issues, such as privacy or authenticity of communications, non-repudiation and fair exchange protocols have not been studied so intensively. A preliminary analysis of non-repudiation protocols was performed using CSP [46], where the proofs were generated by hand. Zhou and Gollmann [51] considered non-repudiation protocols using the belief logic SVO; see [8] for a verification of this protocol using the theorem prover Isabelle. Some work on fair exchange protocols was realized using the model-checker Murϕ [47] as well as the animation tool Possum [12]. Raskin and Kremer [30, 31] successfully employed a game-based approach for the verification of negotiation protocols; part of this project will involve extending their groundbreaking work.


Research Questions

In this project we will analyze existing accountable e-commerce protocols and develop new ones, with the help of formal methods, in particular constraint solving and model checking.

In the emerging models for (wireless) interaction between (mobile) agents, negotiations play a central role. Within such negotiations, the following functions must be implemented.

Digital Contract Signing. As opposed to classical paper-based contract signing, digitally signing a contract over a network presents the additional problem that once one agent has put its signature under the contract, the other agent might at the last moment refuse to do so. If no measures are taken to prevent this, the second agent has an advantage over the first one. In this case the system is not fair.

Non Repudiation. Repudiation is the denial of having participated in a conversation. Consider a business communication in which an agent A sends a message to another agent B. It is important that, after the communication has taken place, agent A may not deny having sent the message (repudiation of origin) and that agent B may not deny having received it. Also in this context fairness plays a central role: at all times one needs to guarantee that no agent has a better handling position than the other one.

An important aspect of these situations is that fairness (and also abuse-freeness, in the case of contract signing protocols) is difficult to implement. In the last few years, new protocols have been devised that (should) guarantee this. Most of these protocols rely heavily on the use of cryptographic algorithms and on the presence of a TTP, or in the case of a delegation protocol (see e.g. [21]) on a restricted proxy. These aspects are at the origin of the following central problems.

Accountability of TTPs. In most non-repudiation and fair exchange protocols the TTP is not accountable for possible errors or failures. This is a crucial problem that, if left unresolved, would prevent a widespread deployment of such techniques. It is an open question whether it is at all possible to devise a negotiation protocol in which the TTP is accountable for its mistakes. A first objective is to provide an answer to this open question. We suspect that the answer to this question is negative as long as we remain in an algebraic context, i.e., in a context in which agents can be fully represented by e.g. CSP processes. Such a negative answer is in line with the result of Even and Yakobi. At the same time we think it should be possible to devise a richer framework in which the TTP can be made accountable for its mistakes. A second objective is to devise new protocols which ensure accountability of the TTP (as much as possible). In particular, we will study distributed or hierarchical TTPs, where the problem of accountability becomes even more complex. We will apply verification tools in order to verify to what extent accountability of the TTP is guaranteed.

Accountability in delegation. A proxy is a token that allows one to operate with the rights and privileges bestowed by its principal. It must be verified that a proxy was granted by the principal that it names; this is an authentication problem. In practice, the privileges granted by a proxy are usually restricted, to safeguard the interest of its principal. It must be verified that these restrictions are sufficient, and that they are not tampered with. A third objective is to analyze the correctness of current delegation protocols, and to devise new delegation protocols. Again, we will apply verification tools to analyze the accountability (or lack of it) in existing and newly designed delegation protocols.

Many cryptographic protocols that were considered secure were shown to contain flaws. These flaws were in some cases discovered by means of the systematic application of formal methods such as model checking techniques and, more recently, constraint solving (see, e.g., [17]). These methods were devised for verifying authentication and security protocols and cannot be applied in their current form to (multicast) non-repudiation and fair exchange protocols.

We want to develop and implement a tool for the specification, prototyping and verification of (multicast) e-commerce protocols. There are several problems that we have to tackle.

• Handling multicast protocols. In many real-life situations, like for instance in wireless networks, an agent is asked to participate in a protocol together with a number of partners that is not known in advance. For this, a number of so-called multicast protocols have been devised, ranging from multicast authentication to multicast non-repudiation, often using restricted proxies. Standard techniques for the verification of security protocols cannot deal with the multicast case: for this we have to develop and implement new abstraction techniques.

• Handling negotiation, payment, abuse-freeness and fairness. There are tools (based on game semantics) that do this already, for instance the model-checker Mocha [1] (see below). However, Mocha cannot deal with (symbolic) communication, which is crucial for verifying protocols admitting malicious participants.

• Last but not least, we want our verification tool to be able to check for the accountability of a certain party taking part in a given e-commerce protocol. This is non-trivial, as accountability is not definable as a logical primitive in a modal logic.

A game-based model checker for open systems. As shown by Kremer and Raskin in [30, 31], a game-based approach is the most suitable one for modeling negotiation protocols. In [30, 31] Kremer and Raskin successfully employed the model-checker Mocha for the verification of non-repudiation protocols. Their approach, however, presents a crucial shortcoming: it does not allow modeling the situation in which one of the principals tries to cheat the other one by sending him a message which does not comply with the protocol specification (they allow an agent to try a different sequence of steps, but the messages being sent are fixed a priori). This is clearly a major limitation, and a source of incompleteness of the method.

We will devise and implement a model checker that employs the constraint-based approach for modeling communication and that allows checking ATL (alternating temporal logic) formulae, i.e., based on a game semantics. Our aim is to combine protocol verification based on constraint solving à la Delzanno and Etalle [23] or Millen and Shmatikov [37] with a model-checker based on game semantics such as Mocha.
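The game-based view of fairness discussed above can be made concrete with a small reachability game. This is an added example, not code from the proposal or from Mocha; the three protocol models, their state names and the evidence labels (`NRO_B`, `NRR_A`) are constructed simplifications, and messages are fixed a priori, so it shares the limitation the text attributes to the existing approach.

```python
"""Toy game-based fairness check. All states, moves and labels are constructed."""

# A game maps each state to (player who moves there, list of successor states).
# Honest players are given only their protocol move; a possibly cheating
# player is also given the deviating moves (for example, stopping).

def attractor(game, coalition, target):
    """Return the states from which `coalition` can force play into `target`."""
    win = set(target)
    changed = True
    while changed:
        changed = False
        for state, (owner, succs) in game.items():
            if state in win or not succs:
                continue
            if owner in coalition:
                forced = any(s in win for s in succs)   # coalition picks the move
            else:
                forced = all(s in win for s in succs)   # opponent cannot avoid it
            if forced:
                win.add(state)
                changed = True
    return win


def unfair_for_a(game, labels, init, trusted=frozenset()):
    """True if B and all untrusted parties can force a state in which B holds
    evidence of origin (NRO_B) while A, helped only by trusted parties,
    can no longer obtain evidence of receipt (NRR_A)."""
    allies = {"A"} | set(trusted)
    players = {owner for owner, _ in game.values()} - {"-"}
    adversaries = players - allies
    has_nrr = {s for s in game if "NRR_A" in labels.get(s, set())}
    recoverable = attractor(game, allies, has_nrr)
    bad = {s for s in game
           if "NRO_B" in labels.get(s, set()) and s not in recoverable}
    return init in attractor(game, adversaries, bad)


# Model 1: direct exchange. A sends the message with NRO, then B should
# answer with NRR, but B may simply stop. "-" marks terminal states.
NAIVE = {
    "start":     ("A", ["b_has_nro"]),
    "b_has_nro": ("B", ["done", "b_stops"]),
    "done":      ("-", []),
    "b_stops":   ("-", []),
}
NAIVE_LABELS = {
    "b_has_nro": {"NRO_B"},
    "b_stops":   {"NRO_B"},
    "done":      {"NRO_B", "NRR_A"},
}

# Model 2: every message goes through the TTP, which releases NRO to B and
# NRR to A only once it holds both (assumed behaviour of an in-line TTP).
INLINE_TTP = {
    "start":        ("A",   ["ttp_has_nro"]),
    "ttp_has_nro":  ("TTP", ["b_asked"]),
    "b_asked":      ("B",   ["ttp_has_both", "b_refuses"]),
    "ttp_has_both": ("TTP", ["done"]),
    "done":         ("-",   []),
    "b_refuses":    ("-",   []),
}
INLINE_LABELS = {"done": {"NRO_B", "NRR_A"}}

# Model 3: same protocol, but the TTP is able to fail or misbehave by
# serving only B. Whether this matters depends on the trust assumption.
FAULTY_TTP = dict(INLINE_TTP)
FAULTY_TTP["ttp_has_both"] = ("TTP", ["done", "only_b_served"])
FAULTY_TTP["only_b_served"] = ("-", [])
FAULTY_LABELS = {"done": {"NRO_B", "NRR_A"}, "only_b_served": {"NRO_B"}}


def verdicts():
    """Fairness verdict for A in each model and trust assumption."""
    return {
        "naive": unfair_for_a(NAIVE, NAIVE_LABELS, "start"),
        "inline, TTP trusted": unfair_for_a(
            INLINE_TTP, INLINE_LABELS, "start", trusted={"TTP"}),
        "faulty TTP, trusted": unfair_for_a(
            FAULTY_TTP, FAULTY_LABELS, "start", trusted={"TTP"}),
        "faulty TTP, untrusted": unfair_for_a(
            FAULTY_TTP, FAULTY_LABELS, "start"),
    }


if __name__ == "__main__":
    for name, unfair in verdicts().items():
        print(f"{name:24s} unfair for A: {unfair}")
```

The last two verdicts differ only in the trust assumption: the same TTP model is judged fair when the TTP is assumed to act for A and unfair when it is treated as a possible adversary, which is the gap that TTP accountability is meant to close.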

Abstraction techniques for multicast protocols. The majority of message exchange protocols are designed to ensure the fairness in exchange between two main participants, say Alice and Bob. But with the increasing usage of computers in electronic commerce, protocols are needed that ensure fairness for multi-party communications. Assume that Alice sends an official adjudication to a number of Bobs. All the Bobs that want to participate in the adjudication should be allowed to do so and Alice should not be able to deny their participation. A main difficulty here is to design a protocol that works no matter how many Bobs are involved in the protocol run. Multi-party non-repudiation protocols have been designed e.g. in [29, 34].

The design of multicast protocols is even more difficult than for the two-party case. As mentioned before, the techniques developed for protocol verification cannot easily deal with the case of multicast protocols. To deal with the verification of n-party fair exchange protocols, we intend to use methods that were developed for verifying parametrized distributed computer systems. In particular, we will investigate the use of the so-called "counting abstraction" (see, e.g., [22]) and of multi-set rewriting [6] to model and verify those multi-party protocols.

These techniques will be incorporated in our tool, to obtain a tool for the verification of multicast e-commerce protocols. Moreover, since ATL formulae can be used to model also simpler concepts such as those needed to express authentication and secrecy, the resulting tool will also be applicable for the verification of multicast authentication and security protocols.

Related Research of the Research Team

Three research groups will cooperate in this project: The Computer Systems Group at the VU, the Distributed and Embedded Systems Group at the UT, and the Embedded Systems Group at CWI.

• The Computer System research group has a long and well-established track record in the area of distributed and operating systems and related security issues. Recently, we designed and implemented a secure middleware for very large and distributed systems called Globe [42], and a secure agent platform [38]. Currently, we are developing a Digital Right Management system suitable for selling music online, and security protocols and reputation mechanisms in the context of content delivery networks and more in general of peer-to-peer systems [40]. Bruno Crispo has been working on security for several years, with a special interest in designing authentication and delegation protocols and investigating security issues related to TTP services.

• The Distributed and Embedded Systems research group is developing security components in various projects.

– Leading a major national funding program, SENTINELS (www.sentinels.nl), which aims to foster security research in the Netherlands.

– Leading the RESET project, which aims to build a roadmap for smart card research. All European smart card manufacturers participate in this activity.

– Development of CoProVe [17], which is likely to be the fastest tool for the verification of security protocols (wwwes.cs.utwente.nl/24cqet/) [23]. CoProVe is also the only practical tool available that can be used to identify 'guessing attacks' [18].

– Developing the security component in an ad-hoc sensor network in the context of the European project EYES (with Infineon, Nedap, see eyes.eu.org/) [32].

– Developing a Digital Rights Management system in the Senter funded Summer project (with KPN Research, The Ministry of Traffic and Transport and V2-Labs, www.cs.utwente.nl/~summer), and the Telematics Institute funded LicenseScript project (with Philips Research, wwwes.cs.utwente.nl/LicenseScript) [15, 16].

– Developing a novel transacted smart card memory manager with Sun Microsystems in Cupertino (USA) [25, 41].

– Development of a pressure sensing smart card biometric system [26].

– Development of a smart card based digital trusted assistant [49].

• The Embedded Systems Group at CWI has ample experience in applying formal techniques for the analysis of distributed systems and protocols in general, and of security protocols in particular (see, e.g., [2, 39]). A main vehicle forms the specification language µCRL in combination with the model checker CADP; others are timed automata (UPPAAL, KRONOS), model checkers (SPIN) and theorem provers (PVS, Coq, homegrown µCRL prover [10]). The µCRL verification toolset [9] is used as a test bed to realize novel algorithms in the realm of system verification and to carry out experiments. Notably, we are currently analyzing security protocols within the electronic payment system EMV. We coordinate the CWI Security Platform (www.cwi.nl/~wan/security-platform.html), which combines a number of research groups within CWI that perform research on security related issues.


Both the UT and CWI participate in SAFE-NL (the platform for Security: Applications, Formal aspects and Environments in the NetherLands); Sandro Etalle and Wan Fokkink serve on its steering committee. SAFE-NL provides a forum for research institutions, industry and government agencies to exchange ideas on the state of the art in security technology. SAFE-NL Workshops are organized twice a year.

7 Work Program

Phases

The duration of the project is four years.

Year 1. During the first six months, the PhD students will acquaint themselves with the various methods and techniques used in this project. They will study accountability, non-repudiation and contract-signing protocols, together with constraint solving, model checking and theorem proving. At the same time, the postdoc will work on the question to what extent it is possible to define in algebraic terms a contract-signing (or non-repudiation) protocol in which the TTP is fully accountable.

In the next six months, the AIO and the postdoc will work on devising protocols (and if needed methods) for 2-party non-repudiation, contract-signing and delegation with a fully accountable TTP. The OIO and the postdoc will use existing verification techniques from constraint solving, model checking and theorem proving to support the design of these protocols.

Year 2. In the first three months, the OIO will study game semantics, abstraction techniques and the model-checker Mocha. The postdoc will prepare the development of a tool for the verification of security protocols. In the remaining nine months, the OIO and the postdoc will develop the methodology for and implement an extension of the constraint-based tool for protocol verification developed by Corin and Etalle [17], so that it can check game-based trace properties expressed as ATL formulae. The AIO and the postdoc will work on devising new e-commerce protocols for group communication in a one-to-many (broadcast) scenario. They will also design protocols to distribute and replicate TTP services without loss of accountability.

Year 3. The OIO will verify existing negotiation protocols using the tool, and analyze the protocols devised by the AIO and postdoc in the previous and current year. Furthermore, he will work on abstraction techniques for modeling multicast protocols and extend the tool accordingly. The AIO will use the feedback provided by the OIO in his work to extend the negotiation protocols to the case of multicast communications (many-to-many) with possibly several rounds of negotiations before the contract is signed. Furthermore, he will study accountability in delegation protocols and work on devising new delegation protocols. At the UT, work will be continued on the tool, using the input from the AIO and OIO.

Year 4. The PhD students will complete ongoing research, write their thesis and prepare the defense.

Educational aspects

The research institutes ASCI and IPA provide in-depth 5-day courses twice a year on important topics in computer science. The AIO and OIO will take part in the training programs of ASCI and IPA. Furthermore, they will take part in the group seminars (PhD seminars at the VU and PAM at CWI), both to take notice of current research efforts and to present their own work.


Furthermore, CWI and VU provide special courses on how to write research papers, how to give presentations, and how to be well-organized in research. The AIO and OIO will take part in these courses.

8 Expected Use of Instrumentation

None, except powerful computing machinery already present at the research groups involved.

9 Literature

References

[1] R. Alur, T.A. Henzinger, F.Y.C. Mang, S. Qadeer, S.K. Rajamani and S. Tasiran. Mocha: Modularity in model checking. In Proc. 10th Conference on Computer-Aided Verification (CAV'98), LNCS 1427, pp. 521–525. Springer, 1998.

[2] Th. Arts and I.A. van Langevelde. Correct Performance of Transaction Capabilities. In Proc. 2nd Conference on Application of Concurrency to System Design (ICACSD'01), pp. 35–42. IEEE Computer Society Press, 2001.

[3] N. Asokan. Fairness in Electronic Commerce. PhD Thesis, University of Waterloo, 1998.

[4] N. Asokan, M. Schunter and M. Waidner. Optimistic Protocols for Fair Exchange. In Proc. 4th ACM Conference on Computer and Communications Security, pp. 7–17. ACM Press, 1998.

[5] G. Ateniese, B. de Medeiros and M. T. Goodrich. TRICERT: Distributed Certified E-Mail Schemes. In Proc. ISOC 2001 Network and Distributed System Security Symposium (NDSS'01), pp. 47–56, 2001.

[6] J.P. Banatre and D. Le Metayer. Programming by Multiset Transformation. Communications of the ACM, 36(1):98–111, 1993.

[7] G. Bella, F. Massacci and L.C. Paulson. Verifying the SET Registration Protocols. IEEE Journal on Selected Areas in Communications, 21(1):77–87, 2003.

[8] G. Bella and L.C. Paulson. Mechanical Proofs about a Non-Repudiation Protocol. In Proc. 14th Conference on Theorem Proving in Higher Order Logics (TPHOLs'01), LNCS 2152, pp. 91–104. Springer, 2001.

[9] S.C.C. Blom, W.J. Fokkink, J.F. Groote, I.A. van Langevelde, B. Lisser and J.C. van de Pol. µCRL: A Toolset for Analysing Algebraic Specifications. In Proc. 13th Conference on Computer Aided Verification (CAV'01), LNCS 2102, pp. 250–254. Springer, 2001.

[10] S.C.C. Blom and J.C. van de Pol. State Space Reduction by Proving Confluence. In Proc. 14th Conference on Computer Aided Verification (CAV'02), LNCS 2404, pp. 596–609. Springer, 2002.

[11] D. Bolignano. Towards the Formal Verification of Electronic Commerce Protocols. In Proc. 10th Computer Security Foundations Workshop (CSFW'97), pp. 113–147. IEEE Computer Society Press, 1997.


[12] C. Boyd and P. Kearney. Exploring Fair Exchange Protocols Using Specification Animation. In Proc. Information Security Workshop (ISW00), LNCS 1975, pp. 209–223. Springer, 2000.

[13] M. Burrows, M. Abadi and R. Needham. A Logic of Authentication. ACM Transactions on Computer Systems, 1(8):18–36, 1990.

[14] I. Cervesato, N. Durgin, P. Lincoln, J. Mitchell and A. Scedrov. Relating Strands and Multiset Rewriting for Security Protocol Analysis. In Proc. 13th IEEE Computer Security Foundations Workshop (CSFW'00), pp. 35–51. IEEE Computer Society Press, 2000.

[15] C.N. Chong, R. van Buuren, P.H. Hartel and G. Kleinhuis. Security Attributes Based Digital Rights Management. In Proc. Joint Workshop on Interactive Distributed Multimedia Systems / Protocols for Multimedia Systems (IDMS/PROMS'02), LNCS 2515, pp. 339–352. Springer, 2002.

[16] C.N. Chong, Z. Peng and P. H. Hartel. Secure Audit Logging with Tamper-Resistant Hardware. In Proc. 18th IFIP Conference on Information Security (SEC'02), To appear. Kluwer Academic, 2003.

[17] R. Corin and S. Etalle. An Improved Constraint-Based System for the Verification of Security Protocols. In Proc. 9th Static Analysis Symposium (SAS'02), LNCS 2477, pp. 326–341. Springer, 2002.

[18] R. Corin, S. Malladi, J. Alves-Foss and S. Etalle. Guess What? Here is a New Tool that Finds Some New Guessing Attacks. Technical Report, CTIT, University of Twente, January 2003.

[19] B. Crispo, P. Landrock and V. Matyas Jr. WWW Security and Trusted Third Party Services. Future Generation Computer Systems, 16(4):331–341, 2000.

[20] B. Crispo and M. Lomas. A Certification Scheme for Electronic Commerce. In Proc. 1st Security Protocols Workshop, LNCS 1189, pp. 19–32. Springer, 1996.

[21] B. Crispo and G. Ruffo. Reasoning about Accountability within Delegation. In Proc. 3rd Conference on Information and Communications Security (ICICS'01), LNCS 2229, pp. 251–260. Springer, 2001.

[22] G. Delzanno and T. Bultan. Constraint-Based Verification of Client-Server Protocols. In Proc. 7th Conference on Principles and Practice of Constraint Programming (CP'01), LNCS 2239, pp. 286–301. Springer, 2001.

[23] G. Delzanno and S. Etalle. Proof Theory, Transformations, and Logic Programming for Debugging Security Protocols. In Post-Proc. 11th Workshop on Logic Program Synthesis and Transformation (LOPSTR'01), LNCS 2372, pp. 76–90. Springer, 2002.

[24] D. Dolev and A. C. Yao. On the Security of Public Key Protocols. IEEE Transactions on Information Theory, 29(2):198–208, 1983.

[25] P.H. Hartel, M.J. Butler, E.K. de Jong and M. Longley. Transacted Memory for Smart Cards. In Proc. 10th Formal Methods for Increasing Software Productivity (FME'01), LNCS 2021, pp. 478–499. Springer, 2001.

[26] N.J. Henderson. Polymer Thick Film Sensors for Embedded Smartcard Biometrics and Identity Verification. PhD thesis, University of Southampton, 2002.


[27] A. Huima. Efficient Infinite-State Analysis of Security Protocols. In Proc. FLOC'99 Workshop on Formal Methods and Security Protocols, 1999.

[28] F. Jacquemard, M. Rusinowitch and L. Vigneron. Compiling and Verifying Security Protocols. In Proc. 7th Conference on Logic for Programming and Automated Reasoning (LPAR'95), LNCS 1955, pp. 131–160. Springer, 2000.

[29] S. Kremer and O. Markowitch. A Multi-Party Non-Repudiation Protocol. In Proc. 15th IFIP Conference on Information Security (SEC'00), pp. 271–280. Kluwer Academic, 2000.

[30] S. Kremer and J-F. Raskin. A Game-Based Verification of Non-Repudiation and Fair Exchange Protocols. In Proc. 12th Conference of Concurrency Theory (CONCUR'01), LNCS 2154, pp. 551–565. Springer, 2001.

[31] S. Kremer and J-F. Raskin. Game Analysis of Abuse-free Contract Signing. In Proc. 15th IEEE Computer Security Foundations Workshop (CSFW'02), pp. 206–222. IEEE Computer Society Press, 2002.

[32] Y.W. Law, S. Etalle and P. H. Hartel. Assessing Security-Critical Energy-Efficient Sensor Networks. In Proc. IFIP WG 11.2 Conference on Small Systems Security, To appear. Kluwer Academic, 2003.

[33] G. Lowe. Casper: A Compiler for the Analysis of Security Protocols. In Proc. 10th IEEE Computer Security Foundations Workshop (CSFW'97), pp. 18–30. IEEE Computer Society Press, 1997.

[34] O. Markowitch and S. Kremer. A Multi-party Optimistic Non-Repudiation Protocol. In Proc. 3rd Conference on Information Security and Cryptology (ICISC'00), LNCS 2015, pp. 109–122. Springer, 2000.

[35] C. Meadows. Formal Verification of Cryptographic Protocols: A Survey. In Proc. 4th Conference on the Theory and Applications of Cryptology (ASIACRYPT'94), LNCS 917, pp. 135–150. Springer, 1994.

[36] C. Meadows. The NRL Protocol Analyzer: An Overview. Journal of Logic Programming, 26(2):113–131, 1996.

[37] J. Millen and V. Shmatikov. Constraint Solving for Bounded-Process Cryptographic Protocol Analysis. In Proc. 2001 ACM Conference on Computer and Communication Security, pp. 166–175, ACM Press, 2001.

[38] G. van 't Noordende, F.M.T. Brazier and A.S. Tanenbaum. A Security Framework for a Mobile Agent System. In Proc. 2nd Workshop on Security of Mobile Multiagent Systems (SEMAS'02), pp. 43–50, 2002.

[39] J. Pang. Analysis of a Security Protocol in µCRL. In Proc. 4th Conference on Formal Engineering Methods (ICFEM'02), LNCS 2495, pp. 396–400. Springer, 2002.

[40] G. Pierre, M. van Steen and A. S. Tanenbaum. Dynamically Selecting Optimal Distribution Strategies for Web Documents. IEEE Transactions on Computers, 51(6):637–651, 2002.

[41] E. Poll, P.H. Hartel and E.K. de Jong. A Java Reference Model of Transacted Memory for Smart Cards. In Proc. 5th IFIP WG 8.8 Conference on Smart Card Research and Advanced Application (CARDIS'02), pp. 75–86. Usenix Association, 2002.


[42] B.C. Popescu, M. van Steen and A.S. Tanenbaum. A Security Architecture for Object-Based Distributed Systems. In Proc. 18th Annual Computer Security Applications Conference (ACSAC’02), 2002.

[43] A.W. Roscoe. Modelling and verifying key-exchange protocols using CSP and FDR. In Proc. 8th IEEE Symposium on Foundations of Secure Systems, pp. 98–107. IEEE Computer Society Press, 1995.

[44] M. Rusinowitch and M. Turuani. Protocol Insecurity with Finite Number of Sessions is NP-complete. In Proc. 14th IEEE Computer Security Foundations Workshop (CSFW’01), pp. 98–107. IEEE Computer Society Press, 2001.

[45] F.B. Schneider, editor. Trust in Cyberspace. National Academy Press, 1999.

[46] S. Schneider. Formal Analysis of a Non-Repudiation Protocol. In Proc. 11th IEEE Computer Security Foundations Workshop (CSFW’98), pp. 54–65. IEEE Computer Society Press, 1998.

[47] V. Shmatikov and J.C. Mitchell. Finite-State Analysis of Two Contract Signing Protocols. Theoretical Computer Science, 283(2):419–450, 2002.

[48] V. Shoup. Practical Threshold Signatures. In Proc. 17th Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT’00), LNCS 1807, pp. 207–220. Springer, 2000.

[49] T. Stabell-Kulø. Private Computing: The Trusted Digital Assistant. PhD thesis, University of Twente, 2002.

[50] S.D. Stoller. A Bound on Attacks on Payment Protocols. In Proc. 16th Annual IEEE Symposium on Logic in Computer Science (LICS’01), pp. 61–70. IEEE Computer Society Press, 2001.

[51] J. Zhou and D. Gollmann. Towards Verification of Non-Repudiation Protocols. In Proc. 1998 Refinement Workshop and Formal Methods Pacific, pp. 370–380, 1998.

Five Main Publications of the Research Team

• R.J. Anderson, F. Bergadano, B. Crispo, J.H. Lee, C. Manifavas and R.M. Needham. A New Family of Authentication Protocols. Operating Systems Review, 32(4):9–20, 1998.

• F. Bergadano, B. Crispo and M. Lomas. Strong Authentication and Privacy with Standard Browsers. Journal of Computer Security, 5(3):191–212, 1997.

• R. Corin and S. Etalle. An Improved Constraint-Based System for the Verification of Security Protocols. In Proc. 9th Static Analysis Symposium (SAS’02), LNCS 2477, pp. 326–341. Springer, 2002.

• B. Crispo and G. Ruffo. Reasoning about Accountability within Delegation. In Proc. 3rd Conference on Information and Communications Security (ICICS’01), LNCS 2229, pp. 251–260. Springer, 2001.

• G. Delzanno and S. Etalle. Proof Theory, Transformations, and Logic Programming for Debugging Security Protocols. In Post-Proc. 11th Workshop on Logic Program Synthesis and Transformation (LOPSTR’01), LNCS 2372, pp. 76–90. Springer, 2002.


10 Requested Budget

We request the standard budget for two PhD students and a postdoc for two years. The amounts below are in Euros.

AIO         135.762
benchfee      4.538
postdoc     104.601
benchfee      4.538
OIO         135.762
benchfee      4.538
TOTAL       389.739

Note: VU, CWI and UT will provide special purpose computing equipment and daily workstations for the project members.
