Finite-state analysis of two contract signing protocols

Authors:
Vitaly Shmatikov;John C. Mitchell
Affiliations:
Stanford Univ., Stanford, CA;Stanford Univ., Stanford, CA
Venue:
Theoretical Computer Science
Year:
2002

Citing 22
Cited 38

Communicating sequential processes

Communicating sequential processes
Security without identification: transaction systems to make big brother obsolete

Communications of the ACM
Untraceable electronic cash

CRYPTO '88 Proceedings on Advances in cryptology
Communication and concurrency

Communication and concurrency
Fair exchange with a semi-trusted third party (extended abstract)

Proceedings of the 4th ACM conference on Computer and communications security
The inductive approach to verifying cryptographic protocols

Journal of Computer Security
The Theory and Practice of Concurrency

The Theory and Practice of Concurrency
Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR

TACAs '96 Proceedings of the Second International Workshop on Tools and Algorithms for Construction and Analysis of Systems
Analyzing the Needham-Schroeder Public-Key Protocol: A Comparison of Two Approaches

ESORICS '96 Proceedings of the 4th European Symposium on Research in Computer Security: Computer Security
Analysis of Abuse-Free Contract Signing

FC '00 Proceedings of the 4th International Conference on Financial Cryptography
The Murphi Verification System

CAV '96 Proceedings of the 8th International Conference on Computer Aided Verification
Towards a Mechanization of Cryptographic Protocal Verification

CAV '97 Proceedings of the 9th International Conference on Computer Aided Verification
Modelling and verifying key-exchange protocols using CSP and FDR

CSFW '95 Proceedings of the 8th IEEE workshop on Computer Security Foundations
Formal Analysis of a Non-Repudiation Protocol

CSFW '98 Proceedings of the 11th IEEE workshop on Computer Security Foundations
Efficient Finite-State Analysis for Large Security Protocols

CSFW '98 Proceedings of the 11th IEEE workshop on Computer Security Foundations
A Meta-Notation for Protocol Analysis

CSFW '99 Proceedings of the 12th IEEE workshop on Computer Security Foundations
Security Properties and CSP

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
A fair non-repudiation protocol

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
Automated analysis of cryptographic protocols using Mur/spl phi/

SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Model checking electronic commerce protocols

WOEC'96 Proceedings of the 2nd conference on Proceedings of the Second USENIX Workshop on Electronic Commerce - Volume 2
NetBill security and transaction protocol

WOEC'95 Proceedings of the 1st conference on USENIX Workshop on Electronic Commerce - Volume 1
Finite-state analysis of SSL 3.0

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7

Game Analysis of Abuse-free Contract Signing

CSFW '02 Proceedings of the 15th IEEE workshop on Computer Security Foundations
A game-based verification of non-repudiation and fair exchange protocols

Journal of Computer Security - IFIP 2000
Ordering from Satan's menu: a survey of requirements specification for formal analysis of cryptographic protocols

Science of Computer Programming - Special issue on 12th European symposium on programming (ESOP 2003)
Security analysis of network protocols: logical and computational methods

PPDP '05 Proceedings of the 7th ACM SIGPLAN international conference on Principles and practice of declarative programming
Constraint solving for contract-signing protocols

CONCUR 2005 - Concurrency Theory
Computer-assisted verification of a protocol for certified email

Science of Computer Programming - Special issue: Static analysis symposium (SAS 2003)
An intruder model for verifying liveness in security protocols

Proceedings of the fourth ACM workshop on Formal methods in security
Compositional analysis of contract-signing protocols

Theoretical Computer Science - Automated reasoning for security protocol analysis
Analysis of probabilistic contract signing

Journal of Computer Security
A formal model of rational exchange and its application to the analysis of Syverson's protocol

Journal of Computer Security - Special issue on CSFW15
A roadmap to electronic payment transaction guarantees and a Colored Petri Net model checking approach

Information and Software Technology
Nuovo DRM Paradiso: Designing a Secure, Verified, Fair Exchange DRM Scheme

Fundamenta Informaticae - Fundamentals of Software Engineering 2007: Selected Contributions
Finite-state verification of the ebXML protocol

Electronic Commerce Research and Applications
The ASW Protocol Revisited: A Unified View

Electronic Notes in Theoretical Computer Science (ENTCS)
Automated Security Protocol Analysis With the AVISPA Tool

Electronic Notes in Theoretical Computer Science (ENTCS)
Deciding strategy properties of contract-signing protocols

ACM Transactions on Computational Logic (TOCL)
Computer-assisted verification of a protocol for certified email

SAS'03 Proceedings of the 10th international conference on Static analysis
Nuovo DRM paradiso: towards a verified fair DRM scheme

FSEN'07 Proceedings of the 2007 international conference on Fundamentals of software engineering
On-the-fly model checking of fair non-repudiation protocols

ATVA'07 Proceedings of the 5th international conference on Automated technology for verification and analysis
Games for non-repudiation protocol correctness

International Journal of Wireless and Mobile Computing
A new method for formalizing optimistic fair exchange protocols

ICICS'10 Proceedings of the 12th international conference on Information and communications security
A dolev-yao-based definition of abuse-free protocols

ICALP'06 Proceedings of the 33rd international conference on Automata, Languages and Programming - Volume Part II
Analysis of a multi-party fair exchange protocol and formal proof of correctness in the strand space model

FC'05 Proceedings of the 9th international conference on Financial Cryptography and Data Security
Usable optimistic fair exchange

Computer Networks: The International Journal of Computer and Telecommunications Networking
Deciding properties of contract-signing protocols

STACS'05 Proceedings of the 22nd annual conference on Theoretical Aspects of Computer Science
Fairness electronic payment protocol

International Journal of Grid and Utility Computing
On the quest for impartiality: design and analysis of a fair non-repudiation protocol

ICICS'05 Proceedings of the 7th international conference on Information and Communications Security
On-the-Fly trace generation and textual trace analysis and their applications to the analysis of cryptographic protocols

FMOODS'10/FORTE'10 Proceedings of the 12th IFIP WG 6.1 international conference and 30th IFIP WG 6.1 international conference on Formal Techniques for Distributed Systems
Cryptanalysis of the n-party encrypted diffie-hellman key exchange using different passwords

ACNS'06 Proceedings of the 4th international conference on Applied Cryptography and Network Security
Usable optimistic fair exchange

CT-RSA'10 Proceedings of the 2010 international conference on Topics in Cryptology
Synthesizing protocols for digital contract signing

VMCAI'12 Proceedings of the 13th international conference on Verification, Model Checking, and Abstract Interpretation
Game-based verification of contract signing protocols with minimal messages

Innovations in Systems and Software Engineering
Nuovo DRM Paradiso: Designing a Secure, Verified, Fair Exchange DRM Scheme

Fundamenta Informaticae - Fundamentals of Software Engineering 2007: Selected Contributions
From model-checking to automated testing of security protocols: bridging the gap

TAP'12 Proceedings of the 6th international conference on Tests and Proofs
Intrusion attack tactics for the model checking of e-commerce security guarantees

SAFECOMP'07 Proceedings of the 26th international conference on Computer Safety, Reliability, and Security
A cryptographic model for branching time security properties: the case of contract signing protocols

ESORICS'07 Proceedings of the 12th European conference on Research in Computer Security
Integrating Identity-Based Encryption in the Return Routability Protocol to Enhance Signal Security in Mobile IPv6

Wireless Personal Communications: An International Journal
Distributing trusted third parties

ACM SIGACT News

Quantified Score

Hi-index	5.23

Visualization

Abstract

Optimistic contract signing protocols allow two parties to commit to a previously agreed upon contract, relying on a third party to abort or confirm the contract if needed. These protocols are relatively subtle, since there may be interactions between the subprotocols used for normal signing without the third party, aborting the protocol through the third party, or requesting confirmation from the third party. With the help of Mur, a finite-state verification tool, we analyze two related contract signing protocols: the optimistic contract signing protocol of Asokan, Shoup, and Waidner, and the abuse-free contract signing protocol of Garay, Jakobsson, and MacKenzie. For the first protocol, we discover that a malicious participant can produce inconsistent versions of the contract or mount a replay attack. For the second protocol, we discover that negligence or corruption of the trusted third party may allow abuse or unfairness. In this case, contrary to the intent of the protocol, the cheated party is not able to hold the third party accountable. We present and analyze modifications to the protocols that avoid these problems and discuss the basic challenges involved in formal analysis of fair exchange protocols.