Automatic Methods for Analyzing Non-Repudiation Protocols with an Active Intruder

Non-repudiation protocols have an important role in many areas where secured transactions with proofs of participation are necessary. Formal methods are clever and without error, therefore using them for verifying such protocols is crucial. In this purpose, we show how to partially represent non-repudiation as a combination of authentications on the Fair Zhou-Gollmann protocol. After discussing its limits, we define a new method based on the handling of the knowledge of protocol participants. This method is very general and is of natural use, as it consists in adding simple annotations, like for authentication problems. The method is very easy to implement in tools able to handle participants knowledge. We have implemented it in the AVISPA Tool and analyzed the optimistic Cederquist-Corin- Dashti protocol, discovering two unknown attacks. This extension of the AVISPA Tool for handling non-repudiation opens a highway to the specification of many other properties, without any more change in the tool itself.

💡 Research Summary

The paper addresses the challenging problem of automatically verifying non‑repudiation (NR) protocols in the presence of an active intruder. It begins by formalizing the various NR services—origin, receipt, submission, delivery—as well as fairness and timeliness, and shows how these services are traditionally expressed using authentication predicates. Using the Fair Zhou‑Gollmann (FairZG) protocol as a running example, the authors demonstrate that while some NR properties can be mapped to non‑injective authentication relations (auth), this mapping fails to capture essential state information such as session identifiers and symmetric keys. Consequently, authentication‑only approaches cannot guarantee that evidence is generated, transmitted, and retained in the correct order, leaving room for replay or substitution attacks.

To overcome these limitations, the authors propose a knowledge‑based verification method. Each participant and the Dolev‑Yao intruder are modeled with an explicit knowledge set that evolves as the protocol proceeds. The method augments the HLPSL description used by the AVISPA tool with simple annotations that state, for each protocol step, which evidence is added to whose knowledge. Non‑repudiation services are then defined as the presence of specific evidence in a participant’s knowledge at a particular point in the execution. This formulation allows the verification of NR and fairness properties as state invariants, avoiding the need for heavyweight temporal logics such as LTL or CSP.

The approach is implemented by extending AVISPA’s existing model checkers (OFMC and CL‑AtSe) with the new annotations. As a case study, the optimistic Cederquist‑Corin‑Dashti (CCD) protocol—an efficient NR protocol that avoids session labels and uses a trusted third party (TTP) only when necessary—is analyzed. The tool automatically discovers two previously unknown attacks. The first attack exploits the intruder’s ability to capture the symmetric key during the TTP‑key exchange and then reuse an earlier NRO evidence to deceive the recipient. The second attack manipulates the delivery of evidence, causing both parties to miss the required proofs and thereby violating strong fairness. These findings illustrate that the knowledge‑centric method can uncover subtle vulnerabilities that authentication‑only analyses miss.

Finally, the authors argue that the method is highly portable: adding knowledge annotations to any protocol specification suffices, and the underlying AVISPA infrastructure can be reused without modification. This makes it feasible to verify a wide range of security properties—non‑repudiation, fairness, timeliness—across many protocols and tools that support knowledge reasoning. The paper thus contributes a practical, scalable, and formally sound technique for the automatic analysis of non‑repudiation protocols, demonstrating its effectiveness on a realistic optimistic protocol and opening the way for broader adoption in protocol verification practice.