Sebastian M odersheim FMSEC Module 3, v.1 5.10archiv.infsec.ethz.ch/education/as09/fmsec/course...Sebastian M odersheimFMSEC Module 3, v.2 5.10.200916 of 36 The Dolev-Yao-Style Intruder

Security Protocols II:Syntax and Operational Semantics (Part 1)

Sebastian Modersheim

FMSEC Module 3, v.15.10.2009

Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 1 of 36

Introduction

What are formal models?

• A language is formal when it has a well-defined syntax andsemantics. Additionally there is often a deductive system fordetermining the truth of statements.

• Examples: propositional logic, first-order logic.

• A model (or construction) is formal when it is specified in aformal language.

• Standard protocol notation is not formal.

• We will see today how to formalize such notations.


Introduction

Formal modeling and analysis of protocols

Goal: formally model protocols and their properties and provide amathematically sound means for reasoning about these models.

Basis: suitable abstraction of protocols:

⇒

Analysis: with formal methods based on mathematics and logic.


Introduction

Formal Methods

systemspecification

securityproperties

proof

How does thesystem operate?

What shallbe achieved?

Does the system meetits requirements?

satisfies


AnB Syntax

Overview Module 3 & 4

• Introduction• Two formal specification languages:

AnB

Syntax______________ AnB

Semantics

Roles

Syntax

KKKKKKKKKK

______________ Roles

Semantics

The Dolev-Yao-style intruder

rrrrrrrrrr

• Security Properties• Landscape of Protocol Models: a quick tour.


AnB Syntax

Alice and Bob Notation/Message Sequence Charts

A B

{NA, A}pk(B)

{NA, NB}pk(A)

{NB}pk(B)

msc NSPK


AnB Syntax

A Formal Alice & Bob Language

Protocol : NSPKTypes :Agent A,B;Number NA,NB;Function pk;

Knowledge :A : A,B, pk, inv(pk(A));B : B, pk, inv(pk(B));

Actions :A → B : {NA,A}pk(B)

B → A : {NA,NB}pk(A)

A → B : {NB}pk(B)

Goals :A •→• B : NAB •→• A : NB


AnB Syntax


Protocol : NSPK

Types :Agent A,B;Number NA,NB;Function pk;




A → B : {NB}pk(B)


First, let’s give it a name.


AnB Syntax






A → B : {NB}pk(B)


Specify the types of all identifiers.NB: we do not necessarily consider types in the analysis!


AnB Syntax






A → B : {NB}pk(B)


Initial knowledge of each role; variables only of type Agent.Every other variable: freshly created by the agent who first uses it.


AnB Syntax






A → B : {NB}pk(B)


Specify the goals we want to achieve.Here: secure transmission of nonce NA from A to B and . . .(secrecy + authentication).


AnB Syntax

Towards to meaning of an AnB specification

Split a message sequence chart into single roles (aka chords, symbolicstrands, role scripts):

A B

{NA, A}pk(B)

{NA, NB}pk(A)

{NB}pk(B)

msc NSPK


AnB Syntax


Split a message sequence chart into single roles (aka chords, symbolicstrands, role scripts):

A

{NA, A}pk(B)

{NA, NB}pk(A)

{NB}pk(B)

msc NSPK A

B

{NA, A}pk(B)

{NA, NB}pk(A)

{NB}pk(B)

msc NSPK B


AnB Syntax


Not trivial for some protocols:

A B

{|M |}K

{|{|M |}K |}sk(A,B)

{|K|}sk(A,B)

msc Encryption-Example

Here, sk(A,B) is a shared key of A and B, K is fresh.


AnB Syntax


Not trivial for some protocols:

A

{|M |}K

{|{|M |}K |}sk(A,B)

{|K|}sk(A,B)

msc

Encryption-Example A

B

{|M |}K

{|{|M |}K |}sk(A,B)

{|K|}sk(A,B)

msc

Encryption-Example B

This is wrong: B cannot decrypt/check the format of the firstmessage... before receiving the third!


Roles Syntax



AnB

Syntax______________ AnB

Semantics

Roles

Syntax

KKKKKKKKKK

______________ Roles

Semantics


rrrrrrrrrr



Roles Syntax

Roles syntax

Graphical:

A

{NA, A}pk(B)

{NA, NB}pk(A)

{NB}pk(B)

msc NSPK A

Textual:snd({NA,A}pk(B)) · rcv({NA,NB ,B}pk(A)) · snd({NB}pk(B))


Roles Syntax

Roles Syntax

• Event = snd(Term) | rcv(Term) | sig(SID,Term)

• Role = Event∗

• Protocols = Rolename ⇀ Role

Role scripts

• A protocol is described by a role script for each role name.

• Role names are variables of type agent.

• Signal (sig) events are used for property specification andverification.


The Dolev-Yao-Style Intruder



AnB

Syntax______________ AnB

Semantics

Roles

Syntax

KKKKKKKKKK

______________ Roles

Semantics


rrrrrrrrrr




Danny Dolev & Andrew C. Yao

On the Security of Public Key Protocols (IEEE Trans. Inf. Th., 1983)

• Consider a public key system in which for every user XF there is a public encryption function EX

— every user can apply this function.F and a private decryption function DX

— only X can apply this function.F These functions have the property that EX DX = DX EX = 1.

• The Dolev-Yao intruder:F Controls the network (read, intercept, send)F Is also a user, called ZF Can apply EX for any XF Can apply DZ



Message Term Algebra

Signature Σ: set of function symbols for cryptographic andnon-cryptographic operations, for instance:

Symbol Arity Meaning Public

i 0 name of the intruder yesinv(·) 1 private-key of a given public-key no{·}· 2 asymmetric encryption yes{| · |}· 2 symmetric encryption yes〈·, ·〉 2 pairing/concatenation yesexp(·, ·) 2 exponentiation modulo fixed prime p yes· ⊕ · 2 bitwise exclusive or yesf (·) 1 User-defined function symbol f User-def.

ΣP ⊆ Σ to denote the public functions: every agent (including theintruder) can apply the function to known messages.



Message Term Algebra (Cont.)

Let Σ0 ⊆ Σ be a countable set of constants

• Convention: start with lower-case letters

• E.g. alice, na17, k2

Let V be a countable set of variables with V ∩ Σ = ∅.• Convention: start with upper-case letters

• E.g. A,NA,K

Definition

The set TΣ(V) of all message terms is the least set such that:

• V ⊆ TΣ(V)

• If t1, . . . , tn ∈ TΣ(V) and f ∈ Σ and f has arity n,then also f (t1, . . . , tn) ∈ TΣ(V).

For V = ∅, we write just TΣ, the set of all ground messages terms.




Definition

For a signature Σ, a Σ-Algebra A consists of a universe A andinterprets every symbol f ∈ Σ of arity n as a function f A : An → A.We extend this interpretation to terms as follows:

vA = v for v ∈ V(f (t1, . . . , tn))A = f A(tA1 , . . . , t

An )

We write t1 ≈A t2 for tA1 = tA2 , and simply t1 ≈ t2 when A is clear.

E.g.: A = {0, 1}2048, {| · |}A· = Description-of-AES, . . .




The most simple and most widely used interpretation:

Definition

In the free message term algebra, A = TΣ(V) and

f A(t1, . . . , tn) = f (t1, . . . , tn)

In the free algebra ...

• We interpret every term by itself.

• t1 ≈ t2 iff t1 = t2.

• a 6≈ b for any distinct constants a and b

• If m1 6≈ m2 then also h(m1) 6≈ h(m2).(Thus: hash functions are collision free)

• DecX (EncX (M)) 6≈ M for any functions Dec and Enc ...

• exp(exp(g ,X ),Y ) 6≈ exp(exp(g ,Y ),X )



Algebraic Properties

Example

{{M}K}inv(K) ≈ M inv(inv(K )) ≈ K{|{|M|}K |}K ≈ M exp(exp(B,X ),Y ) ≈ exp(exp(B,Y ),X )

Definition

A set of equations E induces a congruence relation ≈E on terms andthus the equivalence class [t]E of a term E . The quotient algebraTΣ(V)/≈E

interprets each term by its equivalence class.

• Two terms are semantically equal iff that’s a consequence of E .• For the above example equations:

F a 6≈ b for any distinct constants a and bF If m1 6≈ m2 then also h(m1) 6≈ h(m2)F {{M}inv(K)}K ≈ MF {|{|M|}exp(exp(g ,Y ),X )|}exp(exp(g ,X ),Y ) ≈ M



Substitution

Definition (Substitution)

A substitution σ = [x1 7→ t1, . . . , xn 7→ tn] is the following functionfrom V to TΣ(V):

σ(x) =

{ti if x = xi

x otherwise

where {x1, . . . , xn} is called the domain dom(σ) of σ.We use postfix notation (writing xσ instead of σ(x)) and extend σ toa homomorphism over TΣ(V):

f (t1, . . . , tn)σ = f (t1σ, . . . , tnσ)

Example

For σ = [x 7→ f (y), y 7→ z ] we have g(z , y , f (x))σ = g(z , z , f (f (y))).



Substitution (Cont.)

Definition

We denote with στ the composition of substitutions σ and τ , i.e.,τ ◦ σ.Substitution σ is more general than substitution τ on the set ofvariables V , written σ �V τ , iff there is a substitution ρ such that forall x ∈ V holds xσρ = xτ . For V = V, we simply write σ � τ .

Example

Let

• σ1 = [x 7→ f (y)],

• σ2 = [x 7→ f (c)],

• σ3 = [x 7→ f (c), y 7→ c],

• ρ = [y 7→ c]

then we have

• σ1 �{x} σ2 since xσ1ρ = xσ2.

• σ1 6� σ2: for any ρ such thatσ1ρ � σ2 we have that yρ = c ,thus yσ1ρ 6= yσ2.

• σ1 � σ3 since σ1ρ = σ3.

• σ2 � σ3 since σ2ρ = σ3.Sebastian Modersheim FMSEC Module 3, v.2 5.10.2009 21 of 36


Unification

Definition (Unification)

Given a set {(s1, t1), . . . , (sn, tn)} of pairs of terms. A unifier σ forthis unification problem is a substitution such that

s1σ ≈ t1σ and . . . and snσ ≈ tnσ .

Matching is a variant of unification where

s1σ ≈ t1 and . . . and snσ ≈ tn .

(Special case of unification if the ti are ground.)

Example

{(f (x , c), f (g(y), y))} has the unifier [x 7→ g(c), y 7→ c]{(f (x , c), g(y))} has no unifier—in the free algebra.



Unification in the Free Algebra

Postponed to module 5.

Definition (Unification Algorithm)

Input: A unification problem U and a substitution σ, initially empty.Output: A substitution or failure.If U = ∅ then return σ. Otherwise pick any pair (s, t) in U and

• if s = t, remove this pair and continue

• if s is a variable:F if s ∈ vars(t): return with failureF otherwise: remove the pair from U and continue with σ[s 7→ t]

• if t is a variable: analogous to previous case

• otherwise, i.e., s = f (s1, . . . , sn) and t = g(t1, . . . , tm):F if f = g (and thus n = m): replace in U the pair (s, t) with the

pairs {(s1, t1), . . . , (sn, tn)} and continueF if f 6= g : return with failure



Unification in the Free Algebra (Cont.)

Definition (Unification Algorithm)

Input: A unification problem U and a substitution σ, initially empty.Output: A substitution or failure.. . .

Theorem

• If the algorithm returns failure then, the unification problem hasno unifier (in the free algebra).

• If the algorithm returns a substitution σ, then σ is the mostgeneral unifier (in the free algebra), i.e., for all unifiers τ it holdsthat σ � τ .



Unification in other Algebras

• When considering other algebras, unifiability is in generalundecidable, e.g. associativity and distributivity.

• Similarly, matchability and ground equality of terms are ingeneral undecidable, e.g. encoding computational logic.

• Even when decidable, there is in general no unique most generalunifier, e.g., {exp(X ,Y ), exp(X ′, c)} . . .

• Some unification problems are decidable but infinitary: in general,there is an infinite set of most general unifiers, e.g. associativity.



Dolev-Yao Closure

Definition

Given a set of terms M we define DY(M) as the least closure of Munder the following rules:

m ∈ DY(M)Axiom (m ∈ M) s ∈ DY(M)

t ∈ DY(M)Algebra (s ≈ t)

t1 ∈ DY(M) . . . tn ∈ DY(M)

f (t1, . . . , tn) ∈ DY(M)Composition (f ∈ Σp)

〈m1,m2〉 ∈ DY(M)

mi ∈ DY(M)Proji

{|m|}k ∈ DY(M) k ∈ DY(M)

m ∈ DY(M)DecSym

{m}k ∈ DY(M) inv(k) ∈ DY(M)

m ∈ DY(M)DecAsym

{m}inv(k) ∈ DY(M)

m ∈ DY(M)OpenSig

Decidability/complexity: in module 5.



Dolev-Yao Closure

Example

M = { x , {|b, exp(g , y)|}k , k ,m }

{|m|}exp(exp(g ,x),y)

?∈ DY(M)

{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)

〈b, exp(g , y)〉 ∈ DY(M)

exp(g , y) ∈ DY(M) x ∈ DY(M)

exp(exp(g , y), x) ∈ DY(M)

exp(exp(g , x), y) ∈ DY(M) m ∈ DY(M)

{|m|}exp(exp(g ,x),y) ∈ DY(M)



Dolev-Yao Closure

Example

M = { x , {|b, exp(g , y)|}k , k ,m }


?∈ DY(M)

{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)

〈b, exp(g , y)〉 ∈ DY(M)







Dolev-Yao Closure

Example

M = { x , {|b, exp(g , y)|}k , k ,m }


?∈ DY(M)

{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)

〈b, exp(g , y)〉 ∈ DY(M)







Dolev-Yao Closure

Example

M = { x , {|b, exp(g , y)|}k , k ,m }


?∈ DY(M)

{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)

〈b, exp(g , y)〉 ∈ DY(M)







Dolev-Yao Closure

Example

M = { x , {|b, exp(g , y)|}k , k ,m }


?∈ DY(M)

{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)

〈b, exp(g , y)〉 ∈ DY(M)







Dolev-Yao Closure

Example

M = { x , {|b, exp(g , y)|}k , k ,m }


?∈ DY(M)

{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)

〈b, exp(g , y)〉 ∈ DY(M)







Dolev-Yao Closure

Example

M = { x , {|b, exp(g , y)|}k , k ,m }


?∈ DY(M)

{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)

〈b, exp(g , y)〉 ∈ DY(M)







Dolev-Yao Closure

Example

M = { x , {|b, exp(g , y)|}k , k ,m }


?∈ DY(M)

{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)

〈b, exp(g , y)〉 ∈ DY(M)







Dolev-Yao Closure

Example

M = { x , {|b, exp(g , y)|}k , k ,m }


?∈ DY(M)

{|b, exp(g , y)|}k ∈ DY(M) k ∈ DY(M)

〈b, exp(g , y)〉 ∈ DY(M)







Explicit vs. Implicit Destructors

Implicit Destructor Rules (no destruction operation)

〈m1,m2〉 ∈ DY(M)

mi ∈ DY(M)Proji

{|m|}k ∈ DY(M) k ∈ DY(M)

m ∈ DY(M)DecSym

{m}k ∈ DY(M) inv(k) ∈ DY(M)

m ∈ DY(M)DecAsym

{m}inv(k) ∈ DY(M)

m ∈ DY(M)OpenSig

versus

Explicit Destructors with algebraic properties

π1(〈m1,m2〉) ≈ m1 {{m}k}inv(k) ≈ mπ2(〈m1,m2〉) ≈ m2 open({m}inv(k)) ≈ m{|{|m|}k |}k ≈ m

• Implicit destructor rules are redundant with these properties• Explicit has strictly more derivable messages• Considerably more difficult to handle


Roles Semantics



AnB

Syntax______________ AnB

Semantics

Roles

Syntax

KKKKKKKKKK

______________ Roles

Semantics


rrrrrrrrrr



Roles Semantics

Free Variables

Those variables of a chord are called free for which the firstoccurrence is not in a receive event:

Definition

fv(Protocol ,R) = {R} ∪ fv ′{R}(Protocol(R))

fv ′M(role) =fv ′M∪vars(m)(role ′) if role = rcv(m) · role ′

(vars(m) \M) ∪ fv ′M∪vars(m)(role ′) if role = snd(m) · role ′

or role = sig(sig ,m) · role ′

∅ if role = []

Example: NSPK

fv(NSPK ,A) = {A,B,NA}fv(NSPK ,B) = {B,NB}


Roles Semantics

Role-based Protocol Specs (cont)aka cords, strands, scripts etc

• To execute a role, we first instantiate all free variables:F The name of the agent playing the role.F The name of other agents that are free in the role.F All the freshly generated values in the role.

• This yields a closed role description, i.e., one without freevariables.

• The remaining bound variables are placeholders for parts ofmessages that are going to be received and for which the value isnot yet determined.


Roles Semantics

Operational Semantics

Definition (State)

• State = Trace × IntruderKnowledge × Threads.

• Trace = (TID × Event)∗

• IntruderKnowledge = P(Term)

• Threads = TID ⇀ Role

where the trace and the intruder knowledge are ground and thethreads are closed.

• The TID are Thread IDs for each honest agent playing a role.


Roles Semantics

Initial State

• We start with an initial state ([], IK 0, th0) where IK 0 is the initialintruder knowledge and th0 are the threads of honest agents.

• IK 0 and th0 are parameters of the verification problem.

• Many analysis methods work only for the case that dom(th0) isfinite.

• For infinitely many threads, we need an appropriate finiterepresentation.

• For a given protocol P, all initial threads instantiate a role in P:F For each tid ∈ dom(th0), th0(tid) = P(R)σ for some role R and

such that P(R)σ is closed.F Usually, σ substitutes all variables except role names with fresh

constants (disjoint in all threads).F We denote with role(tid) the protocol role R that is instantiatedF and with player(tid) we denote the player Rσ of that role.


Roles Semantics

Initial State: Example

Example (An initial state that is sufficient to find the attackagainst NSPK)

tr0 = []

IK 0 = { a, b, i , pk(a), pk(b), pk(i), inv(pk(i)) }

th0(0) = NSPK (A)[A 7→ a,B 7→ i ,NA 7→ na0]

th0(1) = NSPK (B)[B 7→ B,NB 7→ nb1]

Note bound variables here.


Roles Semantics

Initial State: Example

Example (An initial state that is sufficient to find the attackagainst NSPK)

tr0 = []

IK 0 = { a, b, i , pk(a), pk(b), pk(i), inv(pk(i)) }

th0(0) = snd({na0, a}pk(i)) · rcv({na0,NB}pk(b)) · snd({NB}pk(i))

th0(1) = rcv({NA,A}pk(b)) · snd({NA, nb1}pk(A)) · rcv({nb1}pk(b))

Note bound variables here.


Roles Semantics

Operational Semantics

Rules

th(tid) = snd(t) · tl

(tr , IK , th)→ (tr · (tid , snd(t)), IK ∪ {t}, th[tid 7→ tl ])snd

th(tid) = rcv(t) · tl dom(σ) = var(t) tσ ∈ DY(IK )

(tr , IK , th)→ (tr · (tid , rcv(tσ)), IK , th[tid 7→ tlσ])rcv

th(tid) = sig(sig , t) · tl

(tr , IK , th)→ (tr · (tid , sig(sig , t)), IK , th[tid 7→ tl ])sig


Roles Semantics

Operational Semantics: Example

Example (NSPK Attack)

Trace th(0) th(1)

(0, snd({na0, i}pk(i))) snd({na0, i}pk(i)) rcv({NA,A}pk(b))(1, rcv({na0, a}pk(b))) rcv({na0,NB}pk(a)) snd({NA, nb1}pk(A))(1, snd({na0, nb1}pk(a))) snd({NB}pk(i)) rcv({nb1}pk(b))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))

Attack!


Roles Semantics



Trace th(0) th(1)

(0, snd({na0, i}pk(i))) snd({na0, i}pk(i)) rcv({NA,A}pk(b))(1, rcv({na0, a}pk(b))) rcv({na0,NB}pk(a)) snd({NA, nb1}pk(A))(1, snd({na0, nb1}pk(a))) snd({NB}pk(i)) rcv({nb1}pk(b))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))

Attack!


Roles Semantics



Trace th(0) th(1)

(0, snd({na0, i}pk(i))) rcv({NA,A}pk(b))(1, rcv({na0, a}pk(b))) rcv({na0,NB}pk(a)) snd({NA, nb1}pk(A))(1, snd({na0, nb1}pk(a))) snd({NB}pk(i)) rcv({nb1}pk(b))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))

Attack!


Roles Semantics



Trace th(0) th(1)

(0, snd({na0, i}pk(i)))(1, rcv({na0, a}pk(b))) rcv({na0,NB}pk(a)) snd({na0, nb1}pk(a))(1, snd({na0, nb1}pk(a))) snd({NB}pk(i)) rcv({nb1}pk(b))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))

Attack!


Roles Semantics



Trace th(0) th(1)

(0, snd({na0, i}pk(i)))(1, rcv({na0, a}pk(b))) rcv({na0,NB}pk(a))(1, snd({na0, nb1}pk(a))) snd({NB}pk(i)) rcv({nb1}pk(b))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))

Attack!


Roles Semantics



Trace th(0) th(1)

(0, snd({na0, i}pk(i)))(1, rcv({na0, a}pk(b)))(1, snd({na0, nb1}pk(a))) snd({nb1}pk(i)) rcv({nb1}pk(b))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))

Attack!


Roles Semantics



Trace th(0) th(1)

(0, snd({na0, i}pk(i)))(1, rcv({na0, a}pk(b)))(1, snd({na0, nb1}pk(a))) rcv({nb1}pk(b))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))

Attack!


Roles Semantics



Trace th(0) th(1)

(0, snd({na0, i}pk(i)))(1, rcv({na0, a}pk(b)))(1, snd({na0, nb1}pk(a)))(0, rcv({na0, nb1}pk(a)))(0, snd({nb1}pk(i)))(1, rcv({nb1}pk(b)))

Attack!


Roles Semantics

Bibliography

• Franz Baader and Tobias Nipkow. Term Rewriting and All That. CambridgeUniversity Press, 1998.

• Iliano Cervesato, Nancy A. Durgin, Patrick D. Lincoln, John C. Mitchell,Andre Scedrov. A comparison between strand spaces and multiset rewritingfor security protocol analysis. Journal of Computer Security 13(2),IOS-Press, 2005.

• Danny Dolev and Andrew C. Yao. On the Security of Public Key Protocols.IEEE Trans. Inf. Th., 1983.

• Claude Kirchner, Helene Kirchner. Rewriting, Solving, Proving. Apreliminary version of a book available athttp://www.loria.fr/˜ckirchne/=rsp/rsp.pdf, 1999.

• Alfred J. Menezes, Paul C. van Oorschot, Scott A. Vanstone. Handbook ofApplied Cryptography. CRC Press, 1996.Available at http://www.cacr.math.uwaterloo.ca/hac

• Sebastian Modersheim. Algebraic Properties in Alice and Bob Notation.Proceedings of Ares’09. IEEE Computer Society, 2009.

• Peter Ryan, Steve Schneider, Michael Goldsmith, Gawin Lowe, Bill Roscoe.Modelling and Analysis of Security Protocols. Addison-Wesley, 2000.


http://www.loria.fr/~ckirchne/=rsp/rsp.pdf

http://www.cacr.math.uwaterloo.ca/hac

Documents

Sebastian M odersheim FMSEC Module 3, v.1 5.10archiv.infsec.ethz.ch/education/as09/fmsec/course...Sebastian M odersheimFMSEC Module 3, v.2 5.10.200916 of 36 The Dolev-Yao-Style Intruder