Searching for Shapes in Cryptographic Protocols

We describe a method for enumerating all essentially different executions possible for a cryptographic protocol. We call them the shapes of the protocol. Naturally occurring protocols have only finitely many, indeed very few shapes. Authentication and secrecy properties are easy to determine from them, as are attacks and anomalies. cpsa, our Cryptographic Protocol Shape Analyzer, implements the method. In searching for shapes, cpsa starts with some initial behavior, and discovers what shapes are compatible with it. Normally, the initial behavior is the point of view of one participant. The analysis reveals what the other principals must have done, given this participant’s view. The search is complete, i.e. every shape can in fact be found in a finite number of steps. The steps in question are applications of two authentication tests, fundamental patterns for protocol analysis and heuristics for protocol design. We have formulated the authentication tests in a new, stronger form, and proved completeness for a search algorithm based on them.