Types for Cryptographic Protocols

Cryptographic protocols are prone to subtle flaws. Flawed protocols have been published and flaws have often remained undiscovered for a considerable time. Yet, simple prudent engineering principles often suffice to avoid flaws. For instance, messages should always contain all principal identities that are important for their semantics, and messages should always explicitly identify their number in the protocol. These engineering principles can be enforced by type systems.
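The two principles above, illustrated as an added example that is not part of the talk: a challenge response whose authentication tag covers only the nonce, next to one whose tag also covers the message number and both principal identities. The shared-key HMAC setting, the principals "A" and "B", and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import os


def _mac(key: bytes, *fields: bytes) -> bytes:
    # Length-prefix every field so different field tuples never serialise alike.
    data = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


# Implicit format: the tag says nothing about who sent it, to whom, or when.
def weak_tag(key: bytes, nonce: bytes) -> bytes:
    return _mac(key, nonce)


def weak_check(key: bytes, nonce: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(weak_tag(key, nonce), tag)


# Explicit format: message number and both principal identities are covered.
def explicit_tag(key: bytes, step: int, sender: str, receiver: str,
                 nonce: bytes) -> bytes:
    return _mac(key, str(step).encode(), sender.encode(),
                receiver.encode(), nonce)


def explicit_check(key: bytes, step: int, sender: str, receiver: str,
                   nonce: bytes, tag: bytes) -> bool:
    expected = explicit_tag(key, step, sender, receiver, nonce)
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    key = os.urandom(32)    # constructed key shared by A and B
    nonce = os.urandom(16)  # constructed challenge
    weak = weak_tag(key, nonce)                    # B's reply, implicit format
    tag = explicit_tag(key, 2, "B", "A", nonce)    # B's reply to A, message 2
    return {
        # The verifier cannot distinguish role or step: any context accepts it.
        "weak_accepted_in_any_context": weak_check(key, nonce, weak),
        "explicit_honest": explicit_check(key, 2, "B", "A", nonce, tag),
        # Same bytes presented as A-to-B, or as message 3, are rejected.
        "explicit_swapped_roles": explicit_check(key, 2, "A", "B", nonce, tag),
        "explicit_wrong_step": explicit_check(key, 3, "B", "A", nonce, tag),
    }


if __name__ == "__main__":
    print(demo())
```

This check happens at run time on each message; the type systems discussed in the talk reject a protocol specification statically.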

I will talk about type systems for authenticity and secrecy. These systems are sound, that is, well-typed protocols are robustly safe in the presence of Dolev-Yao intruders. Well-typedness can be checked quickly by an automatic type-checker, provided the protocol has been manually annotated with types. Type annotations tightly guide both the automatic type-checker and the human protocol specifier. In terms of automation, verification by type-checking is somewhere in between fully automatic verification methods and interactive theorem proving: it requires human help in the form of explicit type annotations but less help than interactive theorem proving. In contrast to many fully automatic methods, it terminates and does not impose a bound on the number of sessions.

This is an overview talk based on work that I have done with Alan Jeffrey and also previous work by Alan Jeffrey and Andy Gordon.