Attacking fair-exchange protocols: parallel models vs trace models

Most approaches to formal protocol verification rely on an operational model based on traces of atomic actions. Modulo CSP, CCS, state-exploration, Higher Order Logic or strand spaces frills, authentication or secrecy are analyzed by looking at the existence or the absence of traces with a suitable property. We introduced an alternative operational approach based on parallel actions and an explicit representation of time. Our approach consists in specifying protocols within a logic language (ALSP ), and associating the existence of an attack to the protocol with the existence of a model for the specifications of both the protocol and the attack. In this paper we show that, for a large class of protocols such as authentication and key exchange protocols, modeling in ALSP is equivalent – as far as authentication and secrecy attacks are considered – to modeling in trace based models. We then consider fair exchange protocols introduced by N. Asokan et al. showing that parallel attacks may lead the trusted third party of the protocol into an inconsistent state. We show that the trace based model does not allow for the representation of this kind of attacks, whereas our approach can represent them. 1 We thank the anonymous reviewers for many useful suggestions and C. Marchetti for discussing the tricky issue of (fault-tolerant) local and distributed implementations of the Fair-Exchange protocol. This work is partly supported by ASI, CNR, and MURST grants. F. Massacci acknowledges the support of the CNR Fellowship 203-7-27. 2 Email:[email protected] 3 Email:[email protected] c ©2001 Published by Elsevier Science B. V. Carlucci Aiello and Massacci