R Saccount


Published on

A good introduction

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

R Saccount

  1. 1. Research Proposal Computer Science Open Competition 2003 Accountability in Electronic Commerce Protocols (ACCOUNT) Applicants: Dr. B. Crispo Dr. S. Etalle Prof.Dr. W.J. Fokkink Vrije Universiteit Amsterdam (VU) Universiteit Twente (UT) Centrum voor Wiskunde en Informatica (CWI) Principal investigator: Dr. S. Etalle Universiteit Twente Distributed and Embedded Systems Group Tel: +31 53 4891195 Fax: +31 53 4894047 E-mail: etalle@cs.utwente.nl 1
  2. 2. 1 Title 1a. Project Title: Accountability in Electronic Commerce Protocols 1b. Acronym: ACCOUNT Dr. S. Etalle 1c. Principal Investigator: 2 Summary More complex negotiation and payment scenarios for e-commerce are emerging. Accountability as a foundation for building trust is a crucial factor for determining the success of these services. We will develop and implement a tool for the specification, prototyping and verification of e- commerce protocols, based on constraint solving and model checking. We will use this tool to analyze accountability in existing e-commerce protocols. Using this analysis, we will develop new protocols for electronic negotiation and payment. We will focus on accountability of trusted third parties, non-repudiation, fairness, delegation protocols and multicast protocols. 3 Classification The contributions are to 3.4 (system verification), 5.2 (identification, authentication and secu- rity) and 6.5 (formal methods). The application domains are 1.2 (distributed systems) and 1.3 (dependability). Relevant NOAG-i research themes are: Parallel and Distributed Computing (PDC), Algo- rithms and Formal Methods (AFM). 4 Composition of the Research Team The three research groups in the project combine different areas of expertise: • Design of security protocols at the Computer Systems Group (VU). • Verification of security protocols using model checking at the Embedded Systems Group (CWI). • Verification of security protocols using constraint solving at the Distributed and Embed- ded Systems Group (UT). title name affiliation hours/week Prof dr Andy Tanenbaum VU 1 Dr Bruno Crispo 6 Prof dr Pieter Hartel UT 2 Dr Sandro Etalle 5 Prof dr Wan Fokkink CWI 5 Dr Jaco van de Pol 2 Drs/Ir AIO – vacancy VU 40 Comp. Syst. Gr. Dr postdoc – vacancy UT 40 Dist. Emb. Syst. Gr. Drs/Ir OIO – vacancy CWI 40 Emb. Syst. Gr. 2
  3. 3. • Bruno Crispo is member of the Computer Systems Group at the VU. Andy Tanenbaum, the head of this group, will act as promotor of the AIO. • Sandro Etalle is member of the Distributed and Embedded Systems Group at the UT. This group is headed by Pieter Hartel. • Wan Fokkink is head of the Embedded Systems Group at CWI, and full professor in the Theoretical Computer Science Group at the VU for one day a week. He will act as promotor of the OIO. Jaco van de Pol is member of the Embedded Systems Group. 5 Research Schools The Computer Systems Group at the VU participates in the Advanced School for Comput- ing and Imaging (ASCI). The Distributed and Embedded Systems Group at the UT and the Embedded Systems Group at CWI participate in the Institute for Programming research and Algorithmics (IPA). 6 Description of Proposed Research Context Even the simplest forms of trading have a negotiation phase and a subsequent contract estab- lishment and payment phase. So far, at e-commerce sites only relatively simple negotiation, contract signing and payment scenarios can be found. Most sites offer little beyond browsing catalogues by way of negotiating, while contract signing and payment tends to consist of en- tering a credit card number and clicking accept. The trust in these sites is largely built on the trust users have in the credit card companies, which keep records and in case of a problem organize a refund. More complex negotiation and payment scenarios are emerging, for instance through auction sites, but also in the quite different context of cooperating agent platforms. For instance, in the case of e-procurement there may be a buyer and many suppliers engaged in a multi-round negotiation where new conditions can be discussed at each round until agreement is reached. For users to actually use these services and systems, they must trust them. In general, users will not blindly trust services and systems; user trust has to be built. A good way to build trust (witnessing the popularity of credit card payment over the Internet) is to be accountable, and to give the user the real option to oppose transactions based on information collected by all parties in the transaction. Accountability as a foundation for building trust is a crucial factor for determining the success of more complex e-commerce services [45]. Security protocols are an essential means for the exchange of confidential information and authentication. They are meant to guarantee that a hostile intruder cannot get hold of secret information or force unjust authentication, and that a business partner does not overstep his bounds and keeps his promises. In order to maintain user trust, these protocols must be guaranteed to work correctly, and its participants must be accountable for their actions. A considerable number of published security protocols were later shown to contain flaws, thus undermining the trust in such protocols. This has stimulated research on the formal verification of security protocols, see e.g. [7, 11, 13, 33, 35, 43, 50]. Several approaches are based on the work of Dolev and Yao [24], where it is proposed to test a protocol explicitly against a hostile intruder who has complete control over the network. By an exhaustive search, one can then establish whether or not the protocol is flawed, as shown in e.g. [14, 28, 36]. Clearly, a crucial aspect in this approach is to try and limit the state explosion that occurs when modeling the intruder’s behavior. To this end, many solutions have been employed, ranging from human 3
  4. 4. intervention to the use of approximations. In recent work [27, 37, 44], this problem has also been tackled by reducing the intruder’s action to a constraint solving problem. Non-Repudiation and Fair Exchange During the last decade, open networks, above all the Internet, have witnessed an impressive growth. As a consequence, new security issues, like non-repudiation and fair exchange have to be considered. Repudiation is the denial of a previously uttered statement. Consider the case where agent A sends a message to agent B; specific protocols have been designed to guarantee that agent A cannot deny having sent the message (NRS non-repudiation of submission) and that that message was his (NRO non-repudiation of origin), and that agent B cannot deny having received it (NRR non-repudiation of receipt). This evidence is based on digital signa- tures. One of the major problems in these protocols arises when we want to achieve fairness, i.e. avoid that one of the entities gets its evidence without the other one being able to also get its evidence. Different partial solutions have been proposed, which are generally divided into two classes, according to whether they use a trusted third party (TTP) (see, e.g., [19]) or not. The approach without TTP is either based on a gradual release of knowledge or on probabilistic protocols. Protocols based on the idea of a gradual exchange require that all involved parties have equivalent computational power; this hypothesis, however, is unrealistic. Probabilistic protocols generally overcome this first problem, but are inefficient due to the large number of messages that need to be sent. In the case of a TTP, a possible scenario is to first send each message to the TTP, who acts as an intermediary to assure delivery. The major problem of this approach is the network and communication bottleneck, created at the TTP. To avoid the performance decrease created by this bottleneck, Asokan et al. [4] introduced the optimistic approach to fair exchange. In 1980 Even and Yakobi showed that there is no deterministic protocol that solves the contract signing problem without a TTP. This result applies to the case of non-repudiation and fair exchange protocols as well. An important weakness of current protocols using a TTP is that the TTP is not accountable for possible errors or failures. In other words, if the TTP fails to accomplish its task, there is no way for the user to demonstrate that the TTP has failed. This is a crucial practical limitation, as it unrealistically assumes that the user has unlimited trust in the TTP, and that the TTP never fails. Moreover, even a trustful TTP could be blocked by a denial of service attack, which could spoil fairness of the protocol. The problem of accountability of the TTP was recognized in [3, 5, 48], where some partial solutions were proposed. In [3], the TTP was made accountable, under the hypothesis that it is always responding to the agent’s requests. In [5] and [48], the accountability for a distributed TTP was investigated, in the context of a certified e-mail protocol and of threshold signatures, respectively. In [20] it was shown that the required trust in a TTP can be reduced by a functional rather than an unconditional TTP. In comparison to other security issues, such as privacy or authenticity of communications, non-repudiation and fair exchange protocols have not been studied so intensively. A preliminary analysis of non-repudiation protocols was performed using CSP [46], where the proofs were generated by hand. Zhou and Gollmann [51] considered non-repudiation protocols using the belief logic SVO; see [8] for a verification of this protocol using the theorem prover Isabelle. Some work on fair exchange protocols was realized using the model-checker Murϕ [47] as well as the animation tool Possum [12]. Raskin and Kremer [30, 31] successfully employed a game- based approach for the verification of negotiation protocols; part of this project will involve extending their groundbreaking work. 4
  5. 5. Research Questions In this project we will analyze existing accountable e-commerce protocols and develop new ones, with the help of formal methods, in particular constraint solving and model checking. In the emerging models for (wireless) interaction between (mobile) agents, negotiations play a central role. Within such negotiations, the following functions must be implemented. Digital Contract Signing As opposed to classical paper-based contract signing, digitally signing a contract over a network presents the additional problem that once one agent has put its signature under the contract, the other agent might at the last moment refuse to do so. If no measures are taken to prevent this, the second agent has an advantage over the first one. In this case the system is not fair. Non Repudiation Repudiation is the denial of having participated in a conversation. Con- sider a business communication in which an agent A sends a message to another agent B. It is important that - after the communication has taken place - agent A may not deny having sent the message (repudiation of origin) and that agent B may not deny having received it. Also in this context fairness plays a central role: at all times one needs to guarantee that no agent has a better handling position than the other one. An important aspect of these situations is that fairness (and also abuse-freeness, in the case of contract signing protocols) is difficult to implement. In the last few years, new protocols have been devised that (should) guarantee this. Most of these protocols rely heavily on the use of cryptographic algorithms and on the presence of a TTP, or in the case of a delegation protocol (see e.g. [21]) on a restricted proxy. These aspects are at the origin of the following central problems. Accountability of TTPs In most non-repudiation and fair exchange protocols the TTP is not accountable for possible errors or failures. This is a crucial problem that, if left unresolved, would prevent a widespread deployment of such techniques. It is an open question whether it is at all possible to devise a negotiation protocol in which the TTP is accountable for its mistakes. A first objective is to provide an answer to this open question. We suspect that the answer to this question is negative as long as we remain in an algebraic context, i.e., in a context in which agent can be fully represented by e.g. CSP processes. Such a negative answer is in line with the result of Even and Yakobi. At the same time we think it should be possible to devise a richer framework in which the TTP can be made accountable for its mistakes. A second objective is to devise new protocols which ensure accountability of the TTP (as much as possible). In particular, we will study distributed or hierarchical TTPs, where the problem of accountability becomes even more complex. We will apply verification tools in order to verify in how far accountability of the TTP is guaranteed. Accountability in delegation A proxy is a token that allows one to operate with the rights and privileges bestowed by its principal. It must be verified that a proxy was granted by the principal that it names; this is an authentication problem. In practice, the privileges granted by a proxy are usually restricted, to safeguard the interest of its principal. It must be verified that these restrictions are sufficient, and that they are not tampered with. A third objective is to analyze the correctness of current delegation protocols, and to devise new delegation protocols. Again, we will apply verification tools to analyze the accountability (or lack of it) in existing and new designed delegation protocols. Many cryptographic protocols that were considered secure were shown to contain flaws. These flaws were in some cases discovered by means of the systematic application of formal methods such as model checking techniques and - more recently - constraint solving (see, e.g., [17]). 5
  6. 6. These methods were devised for verifying authentication and security protocols and cannot be applied in their current form to (multicast) non-repudiation and fair exchange protocols. We want to develop and implement a tool for the specification, prototyping and verification of (multicast) e-commerce protocols. There are several problems that we have to tackle. • Handling multicast protocols. In many real-life situations, like for instance in wireless networks, an agent is asked to participate in a protocol together with a number of partners that is not known in advance. For this, a number of so-called multicast protocols have been devised, ranging from multicast authentication to multicast non-repudiation. often using restricted proxies. Standard techniques for the verification of security protocols cannot deal with the multicast case: for this we have to develop and implement new abstraction techniques. • Handling negotiation, payment, abuse-freeness and fairness. There are tools (based on game semantics) that do this already, for instance the model-checker Mocha [1] (see be- low). However, Mocha cannot deal with (symbolic) communication, which is crucial for verifying protocols admitting malicious participants. • Last but not least, we want our verification tool to be able to check for the accountability of a certain party taking part in a given e-commerce protocol. This is not-trivial, as accountability is not definable as a logical primitive in a modal logic. A game-based model checker for open systems As shown by Kremer and Raskin in [30, 31], a game-based approach is the most suitable one for modeling negotiation protocols. In [30, 31] Kremer and Raskin successfully employed the model-checker Mocha for the verification of non-repudiation protocols. Their approach, however, presents a crucial shortcoming: it does not allow to model the situation in which one of the principals tries to cheat the other one by sending him a message which does not comply with the protocol specification (they allow an agent to try a different sequence of steps, but the messages being sent are fixed a priori). This is clearly a major limitation, and a source of incompleteness of the method. We will devise and implement a model checker that employs the constraint-based approach for modeling communication and that allows to check ATL (alternating temporal logic) for- mulae, i.e., based on a game semantics. Our aim is to combine protocol verification based on constraint solving a la Delzanno and Etalle [23] or Millen and Shmatikov [37] with a model- checker based on game semantics such as Mocha. Abstraction techniques for multi-cast protocols The majority of message exchange protocols are designed to ensure the fairness in exchange between two main participants, say Alice and Bob. But with the increasing usage of computers in electronic commerce, protocols are needed that ensure fairness for multi-party communications. Assume that Alice sends an official adjudication to a number of Bobs. All the Bobs that want to participate to the adjudication should be allowed to do so and Alice should not be able to deny their participation. A main difficulty here is to design a protocol that works no matter how many Bobs are involved in the protocol run. Multipart non-repudiation protocols have been designed e.g., in [29, 34] The design of multicast protocols is even more difficult than for the two-party case. As mentioned before, the techniques developed for protocol verification cannot easily deal with the case of multicast protocols. To deal with the verification of n-party fair exchange protocols, we intend to use methods that were developed for verifying parametrized distributed computer systems. In particular, we will investigate the use of the so-called ”counting abstraction” (see, e.g., [22]) and of multi-set rewriting [6] to model and verify those multi-party protocols. These techniques will be incorporated in our tool, to obtain a tool for the verification of multicast e-commerce protocols. Moreover, since ATL formulae can be used to model also 6
  7. 7. simpler concepts such as those needed to express authentication and secrecy, the resulting tool will also be applicable for the verification of multicast authentication and security protocols. Related Research of the Research Team Three research groups will cooperate in this project: The Computer Systems Group at the VU, the Distributed and Embedded Systems Group at the UT, and the Embedded Systems Group at CWI. • The Computer System research group has a long and well-established track record in the area of distributed and operating systems and related security issues. Recently, we designed and implemented a secure middleware for very large and distributed systems called Globe [42], and a secure agent platform [38]. Currently, we are developing a Digital Right Management system suitable for selling music online, and security protocols and reputation mechanisms in the context of content delivery networks and more in general of peer-to-peer systems [40]. Bruno Crispo has been working on security for several years, with a special interest in designing authentication and delegation protocols and investigating security issues related to TTP services. • The Distributed and Embedded Systems research group is developing security components in various projects. – Leading a major national funding program, SENTINELS (www.sentinels.nl), which aims to foster security research in the Netherlands. – Leading the RESET project, which aims to build a roadmap for smart card research. All European smart card manufacturers participate in this activity. – Development of CoProVe [17], which is likely to be the fastest tool for the verification of security protocols (wwwes.cs.utwente.nl/24cqet/) [23]. CoProVe is also the only practical tool available that can be used to identify ‘guessing attacks’ [18]. – Developing the security component in an ad-hoc sensor network in the context of the European project EYES (with Infineon, Nedap, see eyes.eu.org/) [32]. – Developing a Digital Rights Management system in the Senter funded Summer project (with KPN Research, The Ministry of Traffic and Transport and V2-Labs, www.cs.utwente.nl/∼summer), and the Telematics Institute funded LicenseScript project (with Philips Research, wwwes.cs.utwente.nl/LicenseScript) [15, 16]. – Developing a novel transacted smart card memory manager with Sun Microsystems in Cupertino (USA) [25, 41]. – Development of a pressure sensing smart card biometric system [26]. – Development of a smart card based digital trusted assistant [49]. • The Embedded Systems Group at CWI has ample experience in applying formal tech- niques for the analysis of distributed systems and protocols in general, and of security protocols in particular (see, e.g., [2, 39]). A main vehicle forms the specification language µCRL in combination with the model checker CADP; others are timed automata (UP- PAAL, KRONOS), model checkers (SPIN) and theorem provers (PVS, Coq, homegrown µCRL prover [10]). The µCRL verification toolset [9] is used as a test bed to realize novel algorithms in the realm of system verification and to carry out experiments. Notably, we are currently analyzing security protocols within the electronic payment system EMV. We coordinate the CWI Security Platform (www.cwi.nl/∼wan/security-platform.html), which combines a number of research groups within CWI that perform research on security related issues. 7
  8. 8. Both the UT and CWI participate in SAFE-NL (the platform for Security: Applications, Formal aspects and Environments in the NetherLands); Sandro Etalle and Wan Fokkink serve on its steering committee. SAFE-NL provides a forum for research institutions, industry and government agencies to exchange ideas on the state of the art in security technology. SAFE-NL Workshops are organized twice a year. 7 Work Program Phases The duration of the project is four years. Year 1 During the first six months, the PhD students will acquaint themselves with the various methods and techniques used in this project. They will study accountability, non- repudiation and contract-signing protocols, together with constraint solving, model checking and theorem proving. At the same time, the postdoc will work on the question in how far it is possible to define in algebraic terms a contract-signing (or non-repudiation) protocol in which the TTP is fully accountable. In the next six months, the AIO and the postdoc will work on devising protocols (and if needed methods) for 2-party non-repudiation, contract-signing and delegation with a fully accountable TTP. The OIO and the postdoc will use existing verification techniques from con- straint solving, model checking and theorem proving to support the design of these protocols. Year 2 In the first three months, the OIO will study game semantics, abstraction techniques and the model-checker Mocha. The postdoc will prepare the development of a tool for the verification of security protocols. In the remaining nine months, the OIO and the postdoc will develop the methodology for and implement an extension of the constraint-based tool for protocol verification developed by Corin and Etalle [17], so that it can check game-based trace properties expressed as ATL formulae. The AIO and the postdoc will work on devising new e-commerce protocols for group communication in a scenario one-to-many (broadcast). They will also design protocols to distribute and replicate TTP services without loss of accountability. Year 3 The OIO will verify existing negotiation protocols using the tool, and analyze the protocols devised by the AIO and postdoc in the previous and current year. Furthermore, he will work on abstraction techniques for modeling multicast protocols and extend the tool accordingly. The AIO will use the feedback provided by the OIO in its work to extend the nego- tiation protocols to the case of multicast communications (many-to-many) with possibly several rounds of negotiations before the contract is signed. Furthermore, he will study accountability in delegation protocols and work on devising new delegation protocols. At the UT, work will be continued on the tool, using the input from the AIO and OIO. Year 4 The PhD students will complete ongoing research, write their thesis and prepare the defense. Educational aspects The research institutes ASCI and IPA provide in-depth 5-day courses twice a year on important topics in computer science. The AIO and OIO will take part in the training programs of ASCI and IPA. Furthermore, they will take part in the group seminars (PhD seminars at the VU and PAM at CWI), both to take notice of current research efforts and to present their own work. 8
  9. 9. Furthermore, CWI and VU provide special courses on how to write research papers, how to give presentations, and how to be well-organized in research. The AIO and OIO will take part in these courses. 8 Expected Use of Instrumentation None, except powerful computing machinery already present at the research groups involved. 9 Literature References [1] R. Alur, T.A. Henzinger, F.Y.C. Mang, S. Qadeer, S.K. Rajamani and S. Tasiran. Mocha: Modularity in model checking. In Proc. 10th Conference on Computer-Aided Verification (CAV’98), LNCS 1427, pp. 521–525. Springer, 1998. [2] Th. Arts and I.A. van Langevelde. Correct Performance of Transaction Capabilities. In Proc. 2nd Conference on Application of Concurrency to System Design (ICACSD’01), pp. 35–42. IEEE Computer Society Press, 2001. [3] N. Asokan. Fairness in Electronic Commerce. PhD Thesis, University of Waterloo, 1998. [4] N. Asokan, M. Schunter and M. Waidner. Optimistic Protocols for Fair Exchange. In Proc. 4th ACM Conference on Computer and Communications Security, pp. 7–17. ACM Press, 1998. [5] G. Ateniese, B. de Medeiros and M. T. Goodrich. TRICERT: Distributed Certified E- Mail Schemes. In Proc. ISOC 2001 Network and Distributed System Security Symposium (NDSS’01), pp. 47–56, 2001. [6] J.P. Banˆtre and D. Le M´tayer. Programming by Multiset Transformation. Communica- a e tions of the ACM, 36(1):98–111, 1993. [7] G. Bella, F. Massacci and L.C. Paulson. Verifying the SET Registration Protocols. IEEE Journal on Selected Areas in Communications, 21(1):, 77–87, 2003. [8] G. Bella and L.C. Paulson. Mechanical Proofs about a Non-Repudiation Protocol. In Proc. 14th Conference on Theorem Proving in Higher Order Logics (TPHOLs’01), LNCS 2152, pp. 91–104. Springer, 2001. [9] S.C.C. Blom, W.J. Fokkink, J.F. Groote, I.A. van Langevelde, B. Lisser and J.C. van de Pol. µCRL: A Toolset for Analysing Algebraic Specifications. In Proc. 13th Conference on Computer Aided Verification (CAV’01), LNCS 2102, pp. 250–254. Springer, 2001. [10] S.C.C. Blom and J.C. van de Pol. State Space Reduction by Proving Confluence. In Proc. 14th Conference on Computer Aided Verification (CAV’02), LNCS 2404, pp. 596–609. Springer, 2002. [11] D. Bolignano. Towards the Formal Verification of Electronic Commerce Protocols. In Proc. 10th Computer Security Foundations Workshop (CSFW’97), pp. 113–147. IEEE Computer Society Press, 1997. 9
  10. 10. [12] C. Boyd and P. Kearney. Exploring Fair Exchange Protocols Using Specification Anima- tion. In Proc. Information Security Workshop (ISW00), LNCS 1975, pp. 209–223. Springer, 2000. [13] M. Burrows, M. Abadi and R. Needham. A Logic of Authentication. ACM Transactions on Computer Systems, 1(8):18–36, 1990. [14] I. Cervesato, N. Durgin, P. Lincoln, J. Mitchell and A. Scedrov. Relating Strands and Multiset Rewriting for Security Protocol Analysis. In Proc. 13th IEEE Computer Security Foundations Workshop (CSFW’00), pp. 35–51. IEEE Computer Society Press, 2000. [15] C.N. Chong, R. van Buuren, P.H. Hartel and G. Kleinhuis. Security Attributes Based Digital Rights Management. In Proc. Joint Workshop on Interactive Distributed Multi- media Systems / Protocols for Multimedia Systems (IDMS/PROMS’02), LNCS 2515, pp. 339–352. Springer, 2002. [16] C.N. Chong, Z. Peng and P. H. Hartel. Secure Audit Logging with Tamper-Resistant Hardware. In Proc. 18th IFIP Conference on Information Security (SEC’02), To appear. Kluwer Academic, 2003. [17] R. Corin and S. Etalle. An Improved Constraint-Based System for the Verification of Security Protocols. In Proc. 9th Static Analysis Symposium (SAS’02), LNCS 2477, pp. 326–341. Springer, 2002. [18] R. Corin, S. Malladi, J. Alves-Foss and S. Etalle. Guess What? Here is a New Tool that Finds Some New Guessing Attacks. Technical Report, CTIT, University of Twente, January 2003. [19] B. Crispo, P. Landrock and V. Matyas Jr. WWW Security and Trusted Third Party Services. Future Generation Computer Systems, 16(4):331–341, 2000. [20] B. Crispo and M. Lomas. A Certification Scheme for Electronic Commerce. In Proc. 1st Security Protocols Workshop, LNCS 1189, pp. 19–32. Springer, 1996. [21] B. Crispo and G. Ruffo. Reasoning about Accountability within Delegation. In Proc. 3rd Conference on Information and Communications Security (ICICS’01), LNCS 2229, pp. 251–260. Springer, 2001. [22] G. Delzanno and T. Bultan. Constraint-Based Verification of Client-Server Protocols. In Proc. 7th Conference on Principles and Practice of Constraint Programming (CP’01), LNCS 2239, pp. 286–301. Springer, 2001. [23] G. Delzanno and S. Etalle. Proof Theory, Transformations, and Logic Programming for Debugging Security Protocols. In Post-Proc. 11th Workshop on Logic Program Synthesis and Transformation (LOPSTR’01), LNCS 2372, pp. 76–90. Springer, 2002. [24] D. Dolev and A. C. Yao. On the Security of Public Key Protocols. IEEE Transactions on Information Theory, 29(2):198–208, 1983. [25] P.H. Hartel, M.J. Butler, E.K. de Jong and M. Longley. Transacted Memory for Smart Cards. In Proc. 10th Formal Methods for Increasing Software Productivity (FME’01), LNCS 2021, pp. 478–499. Springer, 2001. [26] N.J. Henderson. Polymer Thick Film Sensors for Embedded Smartcard Biometrics and Identity Verification. PhD thesis, University of Southampton, 2002. 10
  11. 11. [27] A. Huima. Efficient Infinite-State Analysis of Security Protocols. In Proc. FLOC’99 Work- shop on Formal Methods and Security Protocols, 1999. [28] F. Jacquemard, M. Rusinowitch and L. Vigneron. Compiling and Verifying Security Pro- tocols. In Proc. 7th Conference on Logic for Programming and Automated Reasoning (LPAR’95), LNCS 1955, pp. 131–160. Springer, 2000. [29] S. Kremer and O. Markowitch A Multi-Party Non-Repudiation Protocol. In Proc. 15th IFIP Conference on Information Security (SEC’00), pp. 271–280. Kluwer Academic, 2000. [30] S. Kremer and J-F. Raskin. A Game-Based Verification of Non-Repudiation and Fair Ex- change Protocols. In Proc. 12th Conference of Concurrency Theory (CONCUR’01), LNCS 2154, pp. 551–565. Springer, 2001. [31] S. Kremer and J-F. Raskin. Game Analysis of Abuse-free Contract Signing. In Proc. 15th IEEE Computer Security Foundations Workshop (CSFW’02), pp. 206–222. IEEE Com- puter Society Press, 2002. [32] Y.W. Law, S. Etalle and P. H. Hartel. Assessing Security-Critical Energy-Efficient Sensor Networks. In Proc. IFIP WG 11.2 Conference on Small Systems Security, To appear. Kluwer Academic, 2003. [33] G. Lowe. Casper: A Compiler for the Analysis of Security Protocols. In Proc. 10th IEEE Computer Security Foundations Workshop (CSFW’97), pp. 18–30. IEEE Computer Society Press, 1997. [34] O. Markowitch and S. Kremer. A Multi-party Optimistic Non-Repudiation Protocol. In Proc. 3rd Conference on Information Security and Cryptology (ICISC’00), LNCS 2015, pp. 109–122. Springer, 2000. [35] C. Meadows. Formal Verification of Cryptographic Protocols: A Survey. In Proc. 4th Con- ference on the Theory and Applications of Cryptology (ASIACRYPT’94), LNCS 917, pp. 135–150. Springer, 1994. [36] C. Meadows. The NRL Protocol Analyzer: An Overview. Journal of Logic Programming, 26(2):113–131, 1996. [37] J. Millen and V. Shmatikov. Constraint Solving for Bounded-Process Cryptographic Pro- tocol Analysis. In Proc. 2001 ACM Conference on Computer and Communication Security, pp. 166–175, ACM Press, 2001. [38] G. van ’t Noordende, F.M.T. Brazier and A.S. Tanenbaum. A Security Framework for a Mobile Agent System. In Proc. 2nd Workshop on Security of Mobile Multiagent Systems (SEMAS’02), pp. 43–50, 2002. [39] J. Pang. Analysis of a Security Protocol in µCRL. In Proc. 4th Conference on Formal Engineering Methods (ICFEM’02), LNCS 2495, pp. 396–400. Springer, 2002. [40] G. Pierre, M. van Steen and A. S. Tanenbaum. Dynamically Selecting Optimal Distribution Strategies for Web Documents. IEEE Transactions on Computers, 51(6):637–651, 2002. [41] E. Poll, P.H. Hartel and E.K. de Jong. A Java Reference Model of Transacted Memory for Smart Cards. In Proc. 5th IFIP WG 8.8 Conference on Smart Card Research and Advanced Application (CARDIS’02), pp. 75–86. Usenix Association, 2002. 11
  12. 12. [42] B.C. Popescu, M. van Steen and A.S. Tanenbaum. A Security Architecture for Object- Based Distributed Systems. In Proc. 18th Annual Computer Security Applications Confer- ence (ACSAC’02), 2002. [43] A.W. Roscoe. Modelling and verifying key-exchange protocols using CSP and FDR. In Proc. 8th IEEE Symposium on Foundations of Secure Systems, pp. 98–107. IEEE Computer Society Press, 1995. [44] M. Rusinowitch and M. Turuani. Protocol Insecurity with Finite Number of Sessions is NP-complete. In Proc. 14th IEEE Computer Security Foundations Workshop (CSFW’01), pp. 98–107. IEEE Computer Society Press, 2001. [45] F.B. Schneider, editor. Trust in Cyberspace. National Academy Press, 1999. [46] S. Schneider. Formal Analysis of a Non-Repudiation Protocol. In Proc. 11th IEEE Com- puter Security Foundations Workshop (CSFW’98), pp. 54–65. IEEE Computer Society Press, 1998. [47] V. Shmatikov and J.C. Mitchell. Finite-State Analysis of Two Contract Signing Protocols. Theoretical Computer Science, 283(2):419–450, 2002. [48] V. Shoup. Practical Threshold Signatures. In Proc. 17th Conference on the Theory and Application of Cryptographic Techniques (EUROCRYPT’00), LNCS 1807, pp. 207–220. Springer, 2000. [49] T. Stabell-Kulø. Private Computing: The Trusted Digital Assistant. PhD thesis, University of Twente, 2002. [50] S.D. Stoller. A Bound on Attacks on Payment Protocols. In Proc. 16th Annual IEEE Symposium on Logic in Computer Science (LICS’01), pp. 61–70. IEEE Computer Society Press, 2001. [51] J. Zhou and D. Gollmann. Towards Verification of Non-Repudiation Protocols. In Proc. 1998 Refinement Workshop and Formal Methods Pacific, pp. 370–380, 1998. Five Main Publications of the Research Team • R.J. Anderson, F. Bergadano, B. Crispo, J.H. Lee, C. Manifavas and R.M. Needham. A New Family of Authentication Protocols. Operating Systems Review, 32(4):9–20, 1998. • F. Bergadano, B. Crispo and M. Lomas. Strong Authentication and Privacy with Stan- dard Browsers. Journal of Computer Security, 5(3):191–212, 1997. • R. Corin and S. Etalle. An Improved Constraint-Based System for the Verification of Security Protocols. In Proc. 9th Static Analysis Symposium (SAS’02), LNCS 2477, pp. 326–341. Springer, 2002. • B. Crispo and G. Ruffo. Reasoning about Accountability within Delegation. In Proc. 3rd Conference on Information and Communications Security (ICICS’01), LNCS 2229, pp. 251–260. Springer, 2001. • G. Delzanno and S. Etalle. Proof Theory, Transformations, and Logic Programming for Debugging Security Protocols. In Post-Proc. 11th Workshop on Logic Program Synthesis and Transformation (LOPSTR’01), LNCS 2372, pp. 76–90. Springer, 2002. 12
  13. 13. 10 Requested Budget We request the standard budget for two PhD students and a postdoc for two years. The amounts below are in Euros. AIO 135.762 benchfee 4.538 postdoc 104.601 benchfee 4.538 OIO 135.762 benchfee 4.538 TOTAL 389.739 Note: VU, CWI and UT will provide special purpose computing equipment and daily worksta- tions for the project members. 13