Section: Scientific Foundations
Formalisms to express security properties and protocols and to verify them
Security protocols, also known as cryptographic protocols, are small concurrent programs designed to provide various security services across a distributed system. These goals include: authentication of agents and nodes, establishing session keys between nodes, and ensuring secrecy, integrity, anonymity, non-repudiation, fairness, and so on. The challenge comes from the fact that we want to guarantee the security of exchanges between participants over insecure media, whose weaknesses can be exploited by malicious adversaries. In certain cases, such as the non-repudiation and fairness problems, we cannot even be sure that the participants themselves are honest.
With the increasing degree of distribution and mobility of modern systems, and the increasing number of applications such as electronic commerce, electronic voting, etc., these protocols are more and more widely used, and their correctness more and more crucial. Establishing the correctness of these protocols, however, is not an easy task; the difficulties arise from a number of considerations:
The properties that they are supposed to ensure are extremely subtle; the precise meaning of a property is often a matter of debate and needs to be formally specified.
The capabilities of adversaries (intruders, attackers, ...) are difficult to capture.
By their nature, security protocols involve a high degree of concurrency, which makes the analysis much more complicated.
Several formalisms have been proposed for the specification of the protocols and intruders, for the description of the security properties, and for proving correctness. Examples include strand spaces, the spi-calculus and other process calculi, and formalisms based on linear logic, on set-rewriting, on rewriting logic, on tree automata, and on set constraints.
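To make concrete the second difficulty above, the capabilities of the intruder, here is an added example (not part of this report or of any of the formalisms it cites) of the symbolic, Dolev-Yao style intruder model that such formalisms share: the intruder learns every message on the network, decomposes what it can (splitting pairs, decrypting when it can derive the key) and composes anything from what it knows. Messages, key names and agent names are constructed for the illustration.

```python
# Added illustration of a Dolev-Yao style intruder knowledge closure.
# Terms are tuples: ("pair", t1, t2), ("senc", msg, key), ("aenc", msg, ("pk", agent)),
# ("sk", agent) for private keys; atoms (nonces, agents, keys) are plain strings.

def synth(goal, known):
    """Composition: can the intruder build `goal` from the analysed set `known`?"""
    if goal in known:
        return True
    if isinstance(goal, tuple):
        tag = goal[0]
        if tag in ("pair", "senc", "aenc"):      # build from derivable parts
            return synth(goal[1], known) and synth(goal[2], known)
        if tag == "pk":                          # public keys are assumed public
            return True
    return False

def analz(observed):
    """Decomposition: saturate the observed messages (terminates, terms only shrink)."""
    known = set(observed)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            new = set()
            if t[0] == "pair":
                new = {t[1], t[2]}
            elif t[0] == "senc" and synth(t[2], known):            # key derivable
                new = {t[1]}
            elif t[0] == "aenc" and synth(("sk", t[2][1]), known):  # private key derivable
                new = {t[1]}
            if not new <= known:
                known |= new
                changed = True
    return known

def derivable(goal, observed):
    """Secrecy check: a term is compromised iff the intruder can derive it."""
    return synth(goal, analz(observed))

# Constructed transcript: Kas was leaked under the intruder's own key Ki,
# Kab was sent under Kas, and Kbc was sent under B's public key.
OBSERVED = {
    "A", "B", "Ki", ("sk", "I"),
    ("senc", ("pair", "Na", "Kab"), "Kas"),
    ("senc", "Kas", "Ki"),
    ("aenc", "Kbc", ("pk", "B")),
}
```

`derivable("Kab", OBSERVED)` is true (the leaked Kas unlocks it) while `derivable("Kbc", OBSERVED)` is false, since the intruder never obtains B's private key.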