Accountability in E-Commerce Protocols Research Proposal
Research Proposal
Computer Science
Open Competition 2003
Accountability in Electronic Commerce Protocols
(ACCOUNT)
Applicants:
Dr. B. Crispo, Vrije Universiteit Amsterdam (VU)
Dr. S. Etalle, Universiteit Twente (UT)
Prof. Dr. W.J. Fokkink, Centrum voor Wiskunde en Informatica (CWI)
Principal investigator: Dr. S. Etalle
Universiteit Twente
Distributed and Embedded Systems Group
Tel: +31 53 4891195
Fax: +31 53 4894047
E-mail: etalle@cs.utwente.nl
1 Title
1a. Project Title: Accountability in Electronic Commerce Protocols
1b. Acronym: ACCOUNT
1c. Principal Investigator: Dr. S. Etalle
2 Summary
More complex negotiation and payment scenarios for e-commerce are emerging. Accountability
as a foundation for building trust is a crucial factor for determining the success of these services.
We will develop and implement a tool for the specification, prototyping and verification of
e-commerce protocols, based on constraint solving and model checking. We will use this tool to
analyze accountability in existing e-commerce protocols. Using this analysis, we will develop
new protocols for electronic negotiation and payment. We will focus on accountability of trusted
third parties, non-repudiation, fairness, delegation protocols and multicast protocols.
3 Classification
The contributions are to 3.4 (system verification), 5.2 (identification, authentication and
security) and 6.5 (formal methods). The application domains are 1.2 (distributed systems) and 1.3
(dependability).
Relevant NOAG-i research themes are: Parallel and Distributed Computing (PDC),
Algorithms and Formal Methods (AFM).
4 Composition of the Research Team
The three research groups in the project combine different areas of expertise:
• Design of security protocols at the Computer Systems Group (VU).
• Verification of security protocols using model checking at the Embedded Systems Group
(CWI).
• Verification of security protocols using constraint solving at the Distributed and
Embedded Systems Group (UT).

title      name               affiliation                 hours/week
Prof dr    Andy Tanenbaum     VU                          1
Dr         Bruno Crispo       VU                          6
Prof dr    Pieter Hartel      UT                          2
Dr         Sandro Etalle      UT                          5
Prof dr    Wan Fokkink        CWI                         5
Dr         Jaco van de Pol    CWI                         2
Drs/Ir     AIO – vacancy      VU, Comp. Syst. Gr.         40
Dr         postdoc – vacancy  UT, Dist. Emb. Syst. Gr.    40
Drs/Ir     OIO – vacancy      CWI, Emb. Syst. Gr.         40
• Bruno Crispo is a member of the Computer Systems Group at the VU. Andy Tanenbaum,
the head of this group, will act as promotor of the AIO.
• Sandro Etalle is a member of the Distributed and Embedded Systems Group at the UT.
This group is headed by Pieter Hartel.
• Wan Fokkink is head of the Embedded Systems Group at CWI, and full professor in
the Theoretical Computer Science Group at the VU for one day a week. He will act as
promotor of the OIO. Jaco van de Pol is a member of the Embedded Systems Group.
5 Research Schools
The Computer Systems Group at the VU participates in the Advanced School for Computing
and Imaging (ASCI). The Distributed and Embedded Systems Group at the UT and the
Embedded Systems Group at CWI participate in the Institute for Programming research and
Algorithmics (IPA).
6 Description of Proposed Research
Context
Even the simplest forms of trading have a negotiation phase and a subsequent contract
establishment and payment phase. So far, at e-commerce sites only relatively simple negotiation,
contract signing and payment scenarios can be found. Most sites offer little beyond browsing
catalogues by way of negotiating, while contract signing and payment tend to consist of
entering a credit card number and clicking accept. The trust in these sites is largely built on
the trust users have in the credit card companies, which keep records and in case of a problem
organize a refund.
More complex negotiation and payment scenarios are emerging, for instance through auction
sites, but also in the quite different context of cooperating agent platforms. For instance, in
the case of e-procurement there may be a buyer and many suppliers engaged in a multi-round
negotiation where new conditions can be discussed at each round until agreement is reached.
For users to actually use these services and systems, they must trust them. In general, users
will not blindly trust services and systems; user trust has to be built. A good way to build trust
(witnessing the popularity of credit card payment over the Internet) is to be accountable, and
to give the user the real option to oppose transactions based on information collected by all
parties in the transaction. Accountability as a foundation for building trust is a crucial factor
for determining the success of more complex e-commerce services [45].
Security protocols are an essential means for the exchange of confidential information and
authentication. They are meant to guarantee that a hostile intruder cannot get hold of secret
information or force unjust authentication, and that a business partner does not overstep his
bounds and keeps his promises. In order to maintain user trust, these protocols must be
guaranteed to work correctly, and their participants must be accountable for their actions.
A considerable number of published security protocols were later shown to contain flaws, thus
undermining the trust in such protocols. This has stimulated research on the formal verification
of security protocols, see e.g. [7, 11, 13, 33, 35, 43, 50]. Several approaches are based on the
work of Dolev and Yao [24], where it is proposed to test a protocol explicitly against a hostile
intruder who has complete control over the network. By an exhaustive search, one can then
establish whether or not the protocol is flawed, as shown in e.g. [14, 28, 36]. Clearly, a crucial
aspect in this approach is to try and limit the state explosion that occurs when modeling the
intruder’s behavior. To this end, many solutions have been employed, ranging from human
intervention to the use of approximations. In recent work [27, 37, 44], this problem has also
been tackled by reducing the intruder’s action to a constraint solving problem.
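The Dolev-Yao style analysis described above can be made concrete with a small symbolic deduction check, added here as an illustration; it is not code from the proposal or from any of the cited tools. The term encoding, the atom names (`kab`, `ki`, `kb`, `nb`, `secret`) and both observed traces are constructed, and encryption is treated as perfect symmetric encryption.

```python
"""Symbolic Dolev-Yao intruder deduction (added illustration, not the proposal's tool).

Terms: an atom is a str; ("pair", t1, t2) is concatenation;
("enc", plaintext, key) is perfect symmetric encryption.
"""


def can_build(term, known):
    """Synthesis: can the intruder compose `term` from terms it already knows?"""
    if term in known:
        return True
    if isinstance(term, tuple):
        _, left, right = term
        # A pair or a ciphertext can be built from its two components.
        return can_build(left, known) and can_build(right, known)
    return False  # an unknown atom cannot be guessed


def analyze(observed):
    """Analysis: close the observed messages under projection and decryption."""
    known = set(observed)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            if not isinstance(term, tuple):
                continue
            op, left, right = term
            if op == "pair":
                learned = {left, right}
            elif op == "enc" and can_build(right, known):
                learned = {left}  # key is derivable, so the plaintext is exposed
            else:
                learned = set()
            if not learned <= known:
                known |= learned
                changed = True
    return known


def intruder_derives(target, observed):
    """True if the network-controlling intruder can produce `target`."""
    return can_build(target, analyze(observed))


# Constructed sample data: the intruder's initial knowledge and two traces.
INITIAL = {"A", "B", "ki"}  # public names plus the intruder's own key ki

# Flawed run: the session key kab was sent under the intruder's key ki.
FLAWED_TRACE = INITIAL | {
    ("enc", ("pair", "kab", "nb"), "ki"),
    ("enc", "secret", "kab"),
}

# Sound run: the session key is protected by B's key kb, unknown to the intruder.
SOUND_TRACE = INITIAL | {
    ("enc", ("pair", "kab", "nb"), "kb"),
    ("enc", "secret", "kab"),
}

if __name__ == "__main__":
    print("secret exposed in flawed run:", intruder_derives("secret", FLAWED_TRACE))
    print("secret exposed in sound run: ", intruder_derives("secret", SOUND_TRACE))
```

Asking whether the intruder can derive a given term from its knowledge is the elementary question that the constraint-based approaches cited above pose symbolically instead of enumerating every intruder message.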
Non-Repudiation and Fair Exchange
During the last decade, open networks, above all the Internet, have witnessed an impressive
growth. As a consequence, new security issues, like non-repudiation and fair exchange have to
be considered. Repudiation is the denial of a previously uttered statement. Consider the case
where agent A sends a message to agent B; specific protocols have been designed to guarantee
that agent A cannot deny having sent the message (NRS, non-repudiation of submission) and
that the message was his (NRO, non-repudiation of origin), and that agent B cannot deny
having received it (NRR, non-repudiation of receipt). This evidence is based on digital
signatures. One of the major problems in these protocols arises when we want to achieve fairness,
i.e. avoid that one of the entities gets its evidence without the other one being able to also get
its evidence. Different partial solutions have been proposed, which are generally divided into
two classes, according to whether they use a trusted third party (TTP) (see, e.g., [19]) or not.
The approach without TTP is either based on a gradual release of knowledge or on probabilistic
protocols. Protocols based on the idea of a gradual exchange require that all involved parties
have equivalent computational power; this hypothesis, however, is unrealistic. Probabilistic
protocols generally overcome this first problem, but are inefficient due to the large number of
messages that need to be sent. In the case of a TTP, a possible scenario is to first send each
message to the TTP, who acts as an intermediary to assure delivery. The major problem of
this approach is the network and communication bottleneck, created at the TTP. To avoid the
performance decrease created by this bottleneck, Asokan et al. [4] introduced the optimistic
approach to fair exchange.
In 1980 Even and Yakobi showed that there is no deterministic protocol that solves the
contract signing problem without a TTP. This result applies to the case of non-repudiation and
fair exchange protocols as well. An important weakness of current protocols using a TTP is that
the TTP is not accountable for possible errors or failures. In other words, if the TTP fails to
accomplish its task, there is no way for the user to demonstrate that the TTP has failed. This
is a crucial practical limitation, as it unrealistically assumes that the user has unlimited trust in
the TTP, and that the TTP never fails. Moreover, even a trustful TTP could be blocked by a
denial of service attack, which could spoil fairness of the protocol. The problem of accountability
of the TTP was recognized in [3, 5, 48], where some partial solutions were proposed. In [3],
the TTP was made accountable, under the hypothesis that it is always responding to the
agent’s requests. In [5] and [48], the accountability for a distributed TTP was investigated, in
the context of a certified e-mail protocol and of threshold signatures, respectively. In [20] it
was shown that the required trust in a TTP can be reduced by a functional rather than an
unconditional TTP.
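The fairness requirement, and the way it depends on a TTP that never fails, can be checked by exhaustive search over a toy model of the exchange of NRO and NRR evidence. This is an added example, not a protocol or tool from the proposal; the fact names (`B:NRO`, `A:NRR`, `T:NRO`, `T:NRR`), the two transition functions and the `may_halt` parameter are constructed for illustration.

```python
"""Exhaustive fairness check for a toy evidence exchange (added illustration).

A state is a frozenset of facts:
  "B:NRO"  B holds the message and A's evidence of origin
  "A:NRR"  A holds B's evidence of receipt
  "T:NRO"  A's evidence has been deposited with the TTP
  "T:NRR"  B's evidence has been deposited with the TTP
"""
from collections import deque

# party -> (evidence it is owed, evidence its counterpart is owed)
WANTS = {"A": ("A:NRR", "B:NRO"), "B": ("B:NRO", "A:NRR")}


def naive_moves(state):
    """No TTP: A sends message plus NRO first, then B is expected to return NRR."""
    if "B:NRO" not in state:
        return [("A", state | {"B:NRO"})]
    if "A:NRR" not in state:
        return [("B", state | {"A:NRR"})]
    return []


def ttp_moves(state):
    """In-line TTP: both deposit evidence, then the TTP forwards each item."""
    moves = []
    if "T:NRO" not in state:
        moves.append(("A", state | {"T:NRO"}))
    if "T:NRR" not in state:
        moves.append(("B", state | {"T:NRR"}))
    if {"T:NRO", "T:NRR"} <= state:
        for fact in ("B:NRO", "A:NRR"):
            if fact not in state:
                moves.append(("T", state | {fact}))
    return moves


def unfair_end_states(moves, may_halt):
    """Return (victim, state) pairs where a reliable party is left without its
    evidence while its counterpart holds theirs.

    Actors in `may_halt` (a cheating party, a crashed or blocked TTP) may stop
    at any point; every other actor always takes its enabled step, so a run can
    only end in a state whose enabled moves all belong to `may_halt` actors.
    """
    start = frozenset()
    seen, queue, unfair = {start}, deque([start]), []
    while queue:
        state = queue.popleft()
        enabled = moves(state)
        for _, nxt in enabled:
            nxt = frozenset(nxt)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
        if all(actor in may_halt for actor, _ in enabled):
            for party, (own, other) in WANTS.items():
                if party not in may_halt and other in state and own not in state:
                    unfair.append((party, tuple(sorted(state))))
    return unfair


if __name__ == "__main__":
    print("naive, B cheats:     ", unfair_end_states(naive_moves, {"B"}))
    print("TTP reliable, B cheats:", unfair_end_states(ttp_moves, {"B"}))
    print("TTP may fail, B cheats:", unfair_end_states(ttp_moves, {"B", "T"}))
```

The third case is the one the paragraph above is concerned with: once the TTP itself may stop after forwarding only one item, fairness is lost even though the parties followed the protocol.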
In comparison to other security issues, such as privacy or authenticity of communications,
non-repudiation and fair exchange protocols have not been studied so intensively. A preliminary
analysis of non-repudiation protocols was performed using CSP [46], where the proofs were
generated by hand. Zhou and Gollmann [51] considered non-repudiation protocols using the
belief logic SVO; see [8] for a verification of this protocol using the theorem prover Isabelle.
Some work on fair exchange protocols was realized using the model-checker Murϕ [47] as well
as the animation tool Possum [12]. Raskin and Kremer [30, 31] successfully employed a
game-based approach for the verification of negotiation protocols; part of this project will involve
extending their groundbreaking work.
Research Questions
In this project we will analyze existing accountable e-commerce protocols and develop new ones,
with the help of formal methods, in particular constraint solving and model checking.
In the emerging models for (wireless) interaction between (mobile) agents, negotiations play
a central role. Within such negotiations, the following functions must be implemented.
Digital Contract Signing As opposed to classical paper-based contract signing, digitally
signing a contract over a network presents the additional problem that once one agent
has put its signature under the contract, the other agent might at the last moment refuse
to do so. If no measures are taken to prevent this, the second agent has an advantage
over the first one. In this case the system is not fair.
Non-Repudiation Repudiation is the denial of having participated in a conversation.
Consider a business communication in which an agent A sends a message to another agent B.
It is important that - after the communication has taken place - agent A may not deny
having sent the message (repudiation of origin) and that agent B may not deny having
received it. Also in this context fairness plays a central role: at all times one needs to
guarantee that no agent has a better handling position than the other one.
An important aspect of these situations is that fairness (and also abuse-freeness, in the case of
contract signing protocols) is difficult to implement. In the last few years, new protocols have
been devised that (should) guarantee this. Most of these protocols rely heavily on the use of
cryptographic algorithms and on the presence of a TTP, or in the case of a delegation protocol
(see e.g. [21]) on a restricted proxy. These aspects are at the origin of the following central
problems.
Accountability of TTPs In most non-repudiation and fair exchange protocols the TTP is
not accountable for possible errors or failures. This is a crucial problem that, if left
unresolved, would prevent a widespread deployment of such techniques. It is an open
question whether it is at all possible to devise a negotiation protocol in which the TTP
is accountable for its mistakes. A first objective is to provide an answer to this open
question. We suspect that the answer to this question is negative as long as we remain in
an algebraic context, i.e., in a context in which agents can be fully represented by e.g. CSP
processes. Such a negative answer is in line with the result of Even and Yakobi. At the
same time we think it should be possible to devise a richer framework in which the TTP
can be made accountable for its mistakes. A second objective is to devise new protocols
which ensure accountability of the TTP (as much as possible). In particular, we will study
distributed or hierarchical TTPs, where the problem of accountability becomes even more
complex. We will apply verification tools in order to verify to what extent accountability of
the TTP is guaranteed.
Accountability in delegation A proxy is a token that allows one to operate with the rights
and privileges bestowed by its principal. It must be verified that a proxy was granted by
the principal that it names; this is an authentication problem. In practice, the privileges
granted by a proxy are usually restricted, to safeguard the interest of its principal. It
must be verified that these restrictions are sufficient, and that they are not tampered
with. A third objective is to analyze the correctness of current delegation protocols,
and to devise new delegation protocols. Again, we will apply verification tools to analyze
the accountability (or lack of it) in existing and newly designed delegation protocols.
Many cryptographic protocols that were considered secure were shown to contain flaws. These
flaws were in some cases discovered by means of the systematic application of formal methods
such as model checking techniques and - more recently - constraint solving (see, e.g., [17]).
These methods were devised for verifying authentication and security protocols and cannot be
applied in their current form to (multicast) non-repudiation and fair exchange protocols.
We want to develop and implement a tool for the specification, prototyping and verification
of (multicast) e-commerce protocols. There are several problems that we have to tackle.
• Handling multicast protocols. In many real-life situations, like for instance in wireless
networks, an agent is asked to participate in a protocol together with a number of partners
that is not known in advance. For this, a number of so-called multicast protocols have
been devised, ranging from multicast authentication to multicast non-repudiation, often
using restricted proxies. Standard techniques for the verification of security protocols
cannot deal with the multicast case: for this we have to develop and implement new
abstraction techniques.
• Handling negotiation, payment, abuse-freeness and fairness. There are tools (based on
game semantics) that do this already, for instance the model-checker Mocha [1] (see
below). However, Mocha cannot deal with (symbolic) communication, which is crucial for
verifying protocols admitting malicious participants.
• Last but not least, we want our verification tool to be able to check for the accountability
of a certain party taking part in a given e-commerce protocol. This is non-trivial, as
accountability is not definable as a logical primitive in a modal logic.
A game-based model checker for open systems As shown by Kremer and Raskin in
[30, 31], a game-based approach is the most suitable one for modeling negotiation protocols. In
[30, 31] Kremer and Raskin successfully employed the model-checker Mocha for the verification
of non-repudiation protocols. Their approach, however, presents a crucial shortcoming: it does
not allow modeling the situation in which one of the principals tries to cheat the other one by
sending him a message which does not comply with the protocol specification (they allow an
agent to try a different sequence of steps, but the messages being sent are fixed a priori). This
is clearly a major limitation, and a source of incompleteness of the method.
We will devise and implement a model checker that employs the constraint-based approach
for modeling communication and that allows checking ATL (alternating temporal logic)
formulae, i.e., based on a game semantics. Our aim is to combine protocol verification based on
constraint solving à la Delzanno and Etalle [23] or Millen and Shmatikov [37] with a model-
checker based on game semantics such as Mocha.
Abstraction techniques for multi-cast protocols The majority of message exchange
protocols are designed to ensure the fairness in exchange between two main participants, say
Alice and Bob. But with the increasing usage of computers in electronic commerce, protocols are
needed that ensure fairness for multi-party communications. Assume that Alice sends an official
adjudication to a number of Bobs. All the Bobs that want to participate in the adjudication
should be allowed to do so and Alice should not be able to deny their participation. A main
difficulty here is to design a protocol that works no matter how many Bobs are involved in the
protocol run. Multipart non-repudiation protocols have been designed e.g., in [29, 34].
The design of multicast protocols is even more difficult than for the two-party case. As
mentioned before, the techniques developed for protocol verification cannot easily deal with the
case of multicast protocols. To deal with the verification of n-party fair exchange protocols,
we intend to use methods that were developed for verifying parametrized distributed computer
systems. In particular, we will investigate the use of the so-called "counting abstraction" (see,
e.g., [22]) and of multi-set rewriting [6] to model and verify those multi-party protocols.
These techniques will be incorporated in our tool, to obtain a tool for the verification of
multicast e-commerce protocols. Moreover, since ATL formulae can be used to model also
simpler concepts such as those needed to express authentication and secrecy, the resulting tool
will also be applicable for the verification of multicast authentication and security protocols.
Related Research of the Research Team
Three research groups will cooperate in this project: The Computer Systems Group at the VU,
the Distributed and Embedded Systems Group at the UT, and the Embedded Systems Group
at CWI.
• The Computer Systems research group has a long and well-established track record in
the area of distributed and operating systems and related security issues. Recently, we
designed and implemented a secure middleware for very large and distributed systems
called Globe [42], and a secure agent platform [38]. Currently, we are developing a Digital
Rights Management system suitable for selling music online, and security protocols and
reputation mechanisms in the context of content delivery networks and more in general
of peer-to-peer systems [40]. Bruno Crispo has been working on security for several
years, with a special interest in designing authentication and delegation protocols and
investigating security issues related to TTP services.
• The Distributed and Embedded Systems research group is developing security components
in various projects.
– Leading a major national funding program, SENTINELS (www.sentinels.nl), which
aims to foster security research in the Netherlands.
– Leading the RESET project, which aims to build a roadmap for smart card research.
All European smart card manufacturers participate in this activity.
– Development of CoProVe [17], which is likely to be the fastest tool for the verification
of security protocols (wwwes.cs.utwente.nl/24cqet/) [23]. CoProVe is also the
only practical tool available that can be used to identify ‘guessing attacks’ [18].
– Developing the security component in an ad-hoc sensor network in the context of
the European project EYES (with Infineon, Nedap, see eyes.eu.org/) [32].
– Developing a Digital Rights Management system in the Senter funded Summer
project (with KPN Research, The Ministry of Traffic and Transport and V2-Labs,
www.cs.utwente.nl/~summer), and the Telematics Institute funded LicenseScript
project (with Philips Research, wwwes.cs.utwente.nl/LicenseScript) [15, 16].
– Developing a novel transacted smart card memory manager with Sun Microsystems
in Cupertino (USA) [25, 41].
– Development of a pressure sensing smart card biometric system [26].
– Development of a smart card based digital trusted assistant [49].
• The Embedded Systems Group at CWI has ample experience in applying formal
techniques for the analysis of distributed systems and protocols in general, and of security
protocols in particular (see, e.g., [2, 39]). A main vehicle is the specification language
µCRL in combination with the model checker CADP; others are timed automata
(UPPAAL, KRONOS), model checkers (SPIN) and theorem provers (PVS, Coq, homegrown
µCRL prover [10]). The µCRL verification toolset [9] is used as a test bed to realize novel
algorithms in the realm of system verification and to carry out experiments. Notably, we
are currently analyzing security protocols within the electronic payment system EMV. We
coordinate the CWI Security Platform (www.cwi.nl/~wan/security-platform.html),
which combines a number of research groups within CWI that perform research on security
related issues.
Both the UT and CWI participate in SAFE-NL (the platform for Security: Applications, Formal
aspects and Environments in the NetherLands); Sandro Etalle and Wan Fokkink serve on
its steering committee. SAFE-NL provides a forum for research institutions, industry and
government agencies to exchange ideas on the state of the art in security technology. SAFE-NL
Workshops are organized twice a year.
7 Work Program
Phases
The duration of the project is four years.
Year 1 During the first six months, the PhD students will acquaint themselves with the
various methods and techniques used in this project. They will study accountability, non-
repudiation and contract-signing protocols, together with constraint solving, model checking
and theorem proving. At the same time, the postdoc will work on the question to what extent it is
possible to define in algebraic terms a contract-signing (or non-repudiation) protocol in which
the TTP is fully accountable.
In the next six months, the AIO and the postdoc will work on devising protocols (and
if needed methods) for 2-party non-repudiation, contract-signing and delegation with a fully
accountable TTP. The OIO and the postdoc will use existing verification techniques from
constraint solving, model checking and theorem proving to support the design of these protocols.
Year 2 In the first three months, the OIO will study game semantics, abstraction techniques
and the model-checker Mocha. The postdoc will prepare the development of a tool for the
verification of security protocols. In the remaining nine months, the OIO and the postdoc
will develop the methodology for and implement an extension of the constraint-based tool for
protocol verification developed by Corin and Etalle [17], so that it can check game-based trace
properties expressed as ATL formulae. The AIO and the postdoc will work on devising new
e-commerce protocols for group communication in a one-to-many (broadcast) scenario. They
will also design protocols to distribute and replicate TTP services without loss of accountability.
Year 3 The OIO will verify existing negotiation protocols using the tool, and analyze the
protocols devised by the AIO and postdoc in the previous and current year. Furthermore,
he will work on abstraction techniques for modeling multicast protocols and extend the tool
accordingly. The AIO will use the feedback provided by the OIO in his work to extend the
negotiation protocols to the case of multicast communications (many-to-many) with possibly several
rounds of negotiations before the contract is signed. Furthermore, he will study accountability
in delegation protocols and work on devising new delegation protocols. At the UT, work will
be continued on the tool, using the input from the AIO and OIO.
Year 4 The PhD students will complete ongoing research, write their thesis and prepare the
defense.
Educational aspects
The research institutes ASCI and IPA provide in-depth 5-day courses twice a year on important
topics in computer science. The AIO and OIO will take part in the training programs of ASCI
and IPA. Furthermore, they will take part in the group seminars (PhD seminars at the VU and
PAM at CWI), both to take notice of current research efforts and to present their own work.
Furthermore, CWI and VU provide special courses on how to write research papers, how to
give presentations, and how to be well-organized in research. The AIO and OIO will take part
in these courses.
8 Expected Use of Instrumentation
None, except powerful computing machinery already present at the research groups involved.
9 Literature
References
[1] R. Alur, T.A. Henzinger, F.Y.C. Mang, S. Qadeer, S.K. Rajamani and S. Tasiran. Mocha:
Modularity in model checking. In Proc. 10th Conference on Computer-Aided Verification
(CAV’98), LNCS 1427, pp. 521–525. Springer, 1998.
[2] Th. Arts and I.A. van Langevelde. Correct Performance of Transaction Capabilities. In
Proc. 2nd Conference on Application of Concurrency to System Design (ICACSD’01), pp.
35–42. IEEE Computer Society Press, 2001.
[3] N. Asokan. Fairness in Electronic Commerce. PhD Thesis, University of Waterloo, 1998.
[4] N. Asokan, M. Schunter and M. Waidner. Optimistic Protocols for Fair Exchange. In Proc.
4th ACM Conference on Computer and Communications Security, pp. 7–17. ACM Press,
1998.
[5] G. Ateniese, B. de Medeiros and M. T. Goodrich. TRICERT: Distributed Certified
E-Mail Schemes. In Proc. ISOC 2001 Network and Distributed System Security Symposium
(NDSS’01), pp. 47–56, 2001.
[6] J.P. Banâtre and D. Le Métayer. Programming by Multiset Transformation.
Communications of the ACM, 36(1):98–111, 1993.
[7] G. Bella, F. Massacci and L.C. Paulson. Verifying the SET Registration Protocols. IEEE
Journal on Selected Areas in Communications, 21(1):77–87, 2003.
[8] G. Bella and L.C. Paulson. Mechanical Proofs about a Non-Repudiation Protocol. In Proc.
14th Conference on Theorem Proving in Higher Order Logics (TPHOLs’01), LNCS 2152,
pp. 91–104. Springer, 2001.
[9] S.C.C. Blom, W.J. Fokkink, J.F. Groote, I.A. van Langevelde, B. Lisser and J.C. van de
Pol. µCRL: A Toolset for Analysing Algebraic Specifications. In Proc. 13th Conference on
Computer Aided Verification (CAV’01), LNCS 2102, pp. 250–254. Springer, 2001.
[10] S.C.C. Blom and J.C. van de Pol. State Space Reduction by Proving Confluence. In Proc.
14th Conference on Computer Aided Verification (CAV’02), LNCS 2404, pp. 596–609.
Springer, 2002.
[11] D. Bolignano. Towards the Formal Verification of Electronic Commerce Protocols. In Proc.
10th Computer Security Foundations Workshop (CSFW’97), pp. 113–147. IEEE Computer
Society Press, 1997.
[12] C. Boyd and P. Kearney. Exploring Fair Exchange Protocols Using Specification
Animation. In Proc. Information Security Workshop (ISW00), LNCS 1975, pp. 209–223. Springer,
2000.
[13] M. Burrows, M. Abadi and R. Needham. A Logic of Authentication. ACM Transactions
on Computer Systems, 1(8):18–36, 1990.
[14] I. Cervesato, N. Durgin, P. Lincoln, J. Mitchell and A. Scedrov. Relating Strands and
Multiset Rewriting for Security Protocol Analysis. In Proc. 13th IEEE Computer Security
Foundations Workshop (CSFW’00), pp. 35–51. IEEE Computer Society Press, 2000.
[15] C.N. Chong, R. van Buuren, P.H. Hartel and G. Kleinhuis. Security Attributes Based
Digital Rights Management. In Proc. Joint Workshop on Interactive Distributed
Multimedia Systems / Protocols for Multimedia Systems (IDMS/PROMS’02), LNCS 2515, pp.
339–352. Springer, 2002.
[16] C.N. Chong, Z. Peng and P. H. Hartel. Secure Audit Logging with Tamper-Resistant
Hardware. In Proc. 18th IFIP Conference on Information Security (SEC’02), To appear.
Kluwer Academic, 2003.
[17] R. Corin and S. Etalle. An Improved Constraint-Based System for the Verification of
Security Protocols. In Proc. 9th Static Analysis Symposium (SAS’02), LNCS 2477, pp.
326–341. Springer, 2002.
[18] R. Corin, S. Malladi, J. Alves-Foss and S. Etalle. Guess What? Here is a New Tool
that Finds Some New Guessing Attacks. Technical Report, CTIT, University of Twente,
January 2003.
[19] B. Crispo, P. Landrock and V. Matyas Jr. WWW Security and Trusted Third Party
Services. Future Generation Computer Systems, 16(4):331–341, 2000.
[20] B. Crispo and M. Lomas. A Certification Scheme for Electronic Commerce. In Proc. 1st
Security Protocols Workshop, LNCS 1189, pp. 19–32. Springer, 1996.
[21] B. Crispo and G. Ruffo. Reasoning about Accountability within Delegation. In Proc. 3rd
Conference on Information and Communications Security (ICICS’01), LNCS 2229, pp.
251–260. Springer, 2001.
[22] G. Delzanno and T. Bultan. Constraint-Based Verification of Client-Server Protocols. In
Proc. 7th Conference on Principles and Practice of Constraint Programming (CP’01),
LNCS 2239, pp. 286–301. Springer, 2001.
[23] G. Delzanno and S. Etalle. Proof Theory, Transformations, and Logic Programming for
Debugging Security Protocols. In Post-Proc. 11th Workshop on Logic Program Synthesis
and Transformation (LOPSTR’01), LNCS 2372, pp. 76–90. Springer, 2002.
[24] D. Dolev and A. C. Yao. On the Security of Public Key Protocols. IEEE Transactions on
Information Theory, 29(2):198–208, 1983.
[25] P.H. Hartel, M.J. Butler, E.K. de Jong and M. Longley. Transacted Memory for Smart
Cards. In Proc. 10th Formal Methods for Increasing Software Productivity (FME’01),
LNCS 2021, pp. 478–499. Springer, 2001.
[26] N.J. Henderson. Polymer Thick Film Sensors for Embedded Smartcard Biometrics and
Identity Verification. PhD thesis, University of Southampton, 2002.
[27] A. Huima. Efficient Infinite-State Analysis of Security Protocols. In Proc. FLOC’99
Workshop on Formal Methods and Security Protocols, 1999.
[28] F. Jacquemard, M. Rusinowitch and L. Vigneron. Compiling and Verifying Security
Protocols. In Proc. 7th Conference on Logic for Programming and Automated Reasoning
(LPAR’95), LNCS 1955, pp. 131–160. Springer, 2000.
[29] S. Kremer and O. Markowitch. A Multi-Party Non-Repudiation Protocol. In Proc. 15th
IFIP Conference on Information Security (SEC’00), pp. 271–280. Kluwer Academic, 2000.
[30] S. Kremer and J-F. Raskin. A Game-Based Verification of Non-Repudiation and Fair
Exchange Protocols. In Proc. 12th Conference of Concurrency Theory (CONCUR’01), LNCS
2154, pp. 551–565. Springer, 2001.
[31] S. Kremer and J-F. Raskin. Game Analysis of Abuse-free Contract Signing. In Proc. 15th
IEEE Computer Security Foundations Workshop (CSFW’02), pp. 206–222. IEEE
Computer Society Press, 2002.
[32] Y.W. Law, S. Etalle and P. H. Hartel. Assessing Security-Critical Energy-Efficient Sensor
Networks. In Proc. IFIP WG 11.2 Conference on Small Systems Security, To appear.
Kluwer Academic, 2003.
[33] G. Lowe. Casper: A Compiler for the Analysis of Security Protocols. In Proc. 10th IEEE
Computer Security Foundations Workshop (CSFW’97), pp. 18–30. IEEE Computer Society
Press, 1997.
[34] O. Markowitch and S. Kremer. A Multi-party Optimistic Non-Repudiation Protocol. In
Proc. 3rd Conference on Information Security and Cryptology (ICISC’00), LNCS 2015, pp.
109–122. Springer, 2000.
[35] C. Meadows. Formal Verification of Cryptographic Protocols: A Survey. In Proc. 4th
Conference on the Theory and Applications of Cryptology (ASIACRYPT’94), LNCS 917, pp.
135–150. Springer, 1994.
[36] C. Meadows. The NRL Protocol Analyzer: An Overview. Journal of Logic Programming,
26(2):113–131, 1996.
[37] J. Millen and V. Shmatikov. Constraint Solving for Bounded-Process Cryptographic
Protocol Analysis. In Proc. 2001 ACM Conference on Computer and Communication Security,
pp. 166–175, ACM Press, 2001.
[38] G. van ’t Noordende, F.M.T. Brazier and A.S. Tanenbaum. A Security Framework for a
Mobile Agent System. In Proc. 2nd Workshop on Security of Mobile Multiagent Systems
(SEMAS’02), pp. 43–50, 2002.
[39] J. Pang. Analysis of a Security Protocol in µCRL. In Proc. 4th Conference on Formal
Engineering Methods (ICFEM’02), LNCS 2495, pp. 396–400. Springer, 2002.
[40] G. Pierre, M. van Steen and A. S. Tanenbaum. Dynamically Selecting Optimal Distribution
Strategies for Web Documents. IEEE Transactions on Computers, 51(6):637–651, 2002.
[41] E. Poll, P.H. Hartel and E.K. de Jong. A Java Reference Model of Transacted Memory
for Smart Cards. In Proc. 5th IFIP WG 8.8 Conference on Smart Card Research and
Advanced Application (CARDIS’02), pp. 75–86. Usenix Association, 2002.
[42] B.C. Popescu, M. van Steen and A.S. Tanenbaum. A Security Architecture for
Object-Based Distributed Systems. In Proc. 18th Annual Computer Security Applications
Conference (ACSAC’02), 2002.
[43] A.W. Roscoe. Modelling and verifying key-exchange protocols using CSP and FDR. In
Proc. 8th IEEE Symposium on Foundations of Secure Systems, pp. 98–107. IEEE Computer
Society Press, 1995.
[44] M. Rusinowitch and M. Turuani. Protocol Insecurity with Finite Number of Sessions is
NP-complete. In Proc. 14th IEEE Computer Security Foundations Workshop (CSFW’01),
pp. 98–107. IEEE Computer Society Press, 2001.
[45] F.B. Schneider, editor. Trust in Cyberspace. National Academy Press, 1999.
[46] S. Schneider. Formal Analysis of a Non-Repudiation Protocol. In Proc. 11th IEEE
Computer Security Foundations Workshop (CSFW’98), pp. 54–65. IEEE Computer Society
Press, 1998.
[47] V. Shmatikov and J.C. Mitchell. Finite-State Analysis of Two Contract Signing Protocols.
Theoretical Computer Science, 283(2):419–450, 2002.
[48] V. Shoup. Practical Threshold Signatures. In Proc. 17th Conference on the Theory and
Application of Cryptographic Techniques (EUROCRYPT’00), LNCS 1807, pp. 207–220.
Springer, 2000.
[49] T. Stabell-Kulø. Private Computing: The Trusted Digital Assistant. PhD thesis, University
of Twente, 2002.
[50] S.D. Stoller. A Bound on Attacks on Payment Protocols. In Proc. 16th Annual IEEE
Symposium on Logic in Computer Science (LICS’01), pp. 61–70. IEEE Computer Society
Press, 2001.
[51] J. Zhou and D. Gollmann. Towards Verification of Non-Repudiation Protocols. In Proc.
1998 Refinement Workshop and Formal Methods Pacific, pp. 370–380, 1998.
Five Main Publications of the Research Team
• R.J. Anderson, F. Bergadano, B. Crispo, J.H. Lee, C. Manifavas and R.M. Needham. A
New Family of Authentication Protocols. Operating Systems Review, 32(4):9–20, 1998.
• F. Bergadano, B. Crispo and M. Lomas. Strong Authentication and Privacy with
Standard Browsers. Journal of Computer Security, 5(3):191–212, 1997.
• R. Corin and S. Etalle. An Improved Constraint-Based System for the Verification of
Security Protocols. In Proc. 9th Static Analysis Symposium (SAS’02), LNCS 2477, pp.
326–341. Springer, 2002.
• B. Crispo and G. Ruffo. Reasoning about Accountability within Delegation. In Proc. 3rd
Conference on Information and Communications Security (ICICS’01), LNCS 2229, pp.
251–260. Springer, 2001.
• G. Delzanno and S. Etalle. Proof Theory, Transformations, and Logic Programming for
Debugging Security Protocols. In Post-Proc. 11th Workshop on Logic Program Synthesis
and Transformation (LOPSTR’01), LNCS 2372, pp. 76–90. Springer, 2002.
10 Requested Budget
We request the standard budget for two PhD students and a postdoc for two years. The
amounts below are in Euros.

AIO        135.762
benchfee     4.538
postdoc    104.601
benchfee     4.538
OIO        135.762
benchfee     4.538
TOTAL      389.739

Note: VU, CWI and UT will provide special purpose computing equipment and daily
workstations for the project members.