1. Introduction

2. Timed Interpreted Systems

3. Modelling of TSP Executions

3.1. TIS for NSPKT Executions Modelling

We now explain how the previously defined structures are utilised to build the TIS model for NSPKT executions. Translating the protocol specified in ProToc into a Timed Interpreted System extends the method presented in [13,14].

The so-called execution automata represent the transmission of messages within the network. Each execution of the protocol is modelled as a distinct automaton, where each transition corresponds to a single step of the protocol. Additionally, we introduce a separate automaton that models the system’s time clock. The collection of all such automata constitutes the environment of our TIS model. In real network scenarios, the execution of protocols depends on the user’s knowledge, as every step can only be executed with the user possessing the requisite knowledge. To represent this, we define and employ knowledge automata that model the knowledge of users [14]. For instance, an automaton ${\mathbb{A}}_{T_A}^A$ models the knowledge of user A regarding the timestamp $T_A$. These automata function similarly to characteristic functions over the set of knowledge primitives. They consist of two states: the first states indicate that the user lacks a particular piece of knowledge (such as $T_A$), while the second state represents the situation where the user has acquired that knowledge ($T_A$). In such automata, the first transition model possesses the process of the proper primitive, and the loop in the second state models the necessity of knowing a primitive for executing a protocol’s step. These loops are specific guards for executing steps from the user’s knowledge point of view. In this way, we can model the protocol’s executions as the work of a TIS system that consists of three agents: a collection of automata that model the environment (executions automata [14] and clock automaton) and the users that execute the protocol (modelled by knowledge automata). For one, honest execution of NSPKT, we have the following structure (Figure 1).

This system involves three agents: one representing each honest user and one representing the environment. Within the model, we distinguish automata that map the execution of the protocol (the first one in Figure 1) and the clock automaton, which can reset each clock within the system. The product of these automata constitutes the environment $\mathcal{E}$. We also differentiate a network of synchronised automata that model the knowledge of individual agents, with blue representing agent A and green representing agent B. For the components of the environment depicted, we consider the locations: $l{\mathcal{E}}_0$, $l{\mathcal{E}}_1$, $l{\mathcal{E}}_2$, $l{\mathcal{E}}_3$, $\mathcal{Z}$; the actions associated with the protocol steps, $Ac{t}_{\mathcal{E}}={\alpha }_1,{\alpha }_2,{\alpha }_3$; and a set of clocks ${\mathbb{X}}_{\mathcal{E}}=x_0,x_{T_A},x_{T_B}$. The clock $x_0$ serves as a global clock, reflecting the passage of time between individual steps. Thus, to transition to the next state, a certain amount of time $D_i$ must elapse, where i denotes the step number. The value of $D_i$ corresponds to the time required for ticket generation, encryption, message creation, or decryption. In some steps of the protocol, encryption or decryption time is not considered; this occurs when users send encrypted messages they received earlier or need more knowledge to decrypt the message.

Therefore, each transition depends on the time condition – guard $x_0>D_i$, and for every step, the global clock is reset $\left\{x_0\right\}$. The agent used the other two clocks to check the validity of the generated data. They are reset in transitions, during which the appropriate ticket is generated. For example, the environment’s clock $x_{T_A}$, corresponding to the ticket $T_A$, is reset when transition labelled with the action ${\alpha }_1$ is executed because $T_A$ is generated in this step.

We assume the following local evolution functions for the environment:

$t_{\mathcal{E}}(l{\mathcal{E}}_0,x_0>D_1,\varnothing ,{\alpha }_1)=l{\mathcal{E}}_1,$

$t_{\mathcal{E}}(\mathcal{Z},\varnothing ,\{x_0,x_{T_A}\},{\alpha }_1)=\mathcal{Z}$,

$t_{\mathcal{E}}(l{\mathcal{E}}_1,x_0>D_2,\varnothing ,{\alpha }_2)=l{\mathcal{E}}_2,$

$t_{\mathcal{E}}(\mathcal{Z},\varnothing ,\{x_0,x_{T_B}\},{\alpha }_2)=\mathcal{Z}$,

$t_{\mathcal{E}}(l{\mathcal{E}}_2,x_0>D_3,\varnothing ,{\alpha }_3)=l{\mathcal{E}}_3,$

$t_{\mathcal{E}}(\mathcal{Z},\varnothing ,\left\{x_0\right\},{\alpha }_3)=\mathcal{Z}$.  

As previously noted, agents are modelled using knowledge models. Each automaton, ${\mathbb{A}}_Y^X$, represents the process by which a given agent X gains knowledge about a specific piece of data Y. For instance, the automaton ${\mathbb{A}}_{T_A}^A$ models the behaviour of agent A concerning the data $T_A$. These automata have two possible states: $l_0$ – representing the absence of knowledge, and $l_1$ – representing possession of knowledge. Additionally, there are temporal conditions to consider. For example, in the case of ${\mathbb{A}}_{T_A}^B$, during the action ${\alpha }_1$, a check is performed to determine whether the validity period of the information has expired, specified by $x_{T_A}<L_{T_A}$. It is important to note that we distinguish different lifetimes for different tickets, as the later a ticket is generated, the shorter its duration is during the protocol’s execution. The local evolution functions for $T_A$ and $T_B$ are:

$t_A(l_0,l{\mathcal{E}}_0,true,\varnothing ,{\alpha }_1)=l_1$,

$t_A(l_1,l{\mathcal{E}}_1,x_{T_A}<L_{T_A},\varnothing ,{\alpha }_2)=l_1,$

$t_B(l_0,l{\mathcal{E}}_0,x_{T_A}<L_{T_A},\varnothing ,{\alpha }_1)=l_1$,

$t_B(l_1,l{\mathcal{E}}_1,x_{T_A}<L_{T_A},\varnothing ,{\alpha }_2)=l_1$,

$t_A(l_0,l{\mathcal{E}}_1,x_{T_B}<L_{T_B},\varnothing ,{\alpha }_2)=l_1$,

$t_A(l_1,l{\mathcal{E}}_2,x_{T_B}<L_{T_B},\varnothing ,{\alpha }_3)=l_1$,

$t_B(l_0,l{\mathcal{E}}_1,true,\varnothing ,{\alpha }_2)=l_1$,

$t_B(l_1,l{\mathcal{E}}_2,x_{T_B}<L_{T_B},\varnothing ,{\alpha }_3)=l_1$.  

Analysing a single execution typically does not suffice to identify an attack. It is necessary to consider multiple executions, including those involving the Intruder, who will intertwine these executions precisely as they would occur in reality. There are three steps for each execution, and we can intertwine all of them. The rule is that the order of the steps within a single execution must be preserved, and a step cannot be executed if the sender does not possess the necessary knowledge to perform it. The second condition significantly reduces the search space. For example, consider the analysis of step ${\alpha }_3^2$. This step cannot be executed immediately after step ${\alpha }_2^2$ because the Intruder does not know the $T_B$ ticket (he cannot decode the information received from B). In our model, the Intruder can continue operations (allowing appropriate transitions in the automata) by either sending complete information (as in step ${\alpha }_2^1$) or by gathering the necessary individual components during the interlacing steps (as in ${\alpha }_1^1$ and ${\alpha }_3^1$).

Three automata are required to model the attack on the NSPKT protocol in the form of a Timed Interpreted System (TIS) (Figure 2), where their combined product represents the environment. Two of these automata are utilised to model the protocol’s execution, while the third automaton is responsible for resetting the clocks.

Figure 2. Timed Interpreted System for Lowe attack on NSPKT

Figure 2. Timed Interpreted System for Lowe attack on NSPKT

For these components of the environment, we define the locations as follows: $l{\mathcal{E}}_0^1,l{\mathcal{E}}_1^1$, $l{\mathcal{E}}_2^1$, $l{\mathcal{E}}_3^1,l{\mathcal{E}}_0^2,l{\mathcal{E}}_1^2$, $l{\mathcal{E}}_2^2,l{\mathcal{E}}_3^2,\mathcal{Z}$, actions $Ac{t}_{\mathcal{E}}=\{{\alpha }_1^1,{\alpha }_2^1,{\overline{\alpha }}_2^1,{\alpha }_3^1,{\alpha }_1^2,{\overline{\alpha }}_1^2,$ ${\alpha }_2^2,{\alpha }_3^2,{\overline{\alpha }}_3^2\}$, and a set of clocks ${\mathbb{X}}_{\mathcal{E}}=\{x_0,x_{T_A},x_{T_B}\}$. As observed, the superscript indicates the protocol execution number. Notably, there are no additional clocks, as the Intruder does not generate any new information. Instead, he merely duplicates the information that he has intercepted. The additional actions, denoted by ${\overline{\alpha }}_j^i$, represent the Intruder’s enhanced capabilities. Specifically, he can retransmit the entire message if it has been intercepted previously or reconstruct it from individual components.

An additional agent is introduced to represent the Intruder in the version that includes an attack. Automata are also used to model the Intruder’s knowledge (depicted in red in Figure 2). For the Intruder, we have two standard automata, ${\mathbb{A}}_{T_A}^I$ and ${\mathbb{A}}_{T_B}^I$, as well as an automaton that represents the possibility of the Intruder obtaining the entire message (${\mathbb{A}}_{{\langle T_A·T_B\rangle }_{K_A}}^I$).

The automata ${\mathbb{A}}_{{\langle T_B\rangle }_{K_B}}^I$ and ${\mathbb{A}}_{{\langle T_A·i\left(A\right)\rangle }_{K_B}}^I$, which lack transitions between states $l_0$ and $l_1$ (Figure 2), model the Intruder’s inability to proceed. We refer to these as blocking automata. Their inclusion allows the constructed interlacing model to be limited to only realistic behaviours. Thus, any path where the Intruder sends a message they could not formulate will not be represented.

We define the local evolution functions in a similar manner for the environment and the initial execution:

$t_{\mathcal{E}}(l{\mathcal{E}}_0^1,x_0>D_1,\varnothing ,{\alpha }_1^1)=l{\mathcal{E}}_1^1$,

$t_{\mathcal{E}}(l{\mathcal{E}}_1^1,x_0>D_2,\varnothing ,{\alpha }_2^1)=l{\mathcal{E}}_2^1$,

$t_{\mathcal{E}}(l{\mathcal{E}}_1^1,x_0>D_2,\varnothing ,{\overline{\alpha }}_2^1)=l{\mathcal{E}}_2^1$,

$t_{\mathcal{E}}(l{\mathcal{E}}_2^1,x_0>D_3,\varnothing ,{\alpha }_3^1)=l{\mathcal{E}}_3^1$;

  the second execution:

$t_{\mathcal{E}}(l{\mathcal{E}}_0^2,x_0>D_4,\varnothing ,{\alpha }_1^2)=l{\mathcal{E}}_1^2$,

$t_{\mathcal{E}}(l{\mathcal{E}}_0^2,x_0>D_4,\varnothing ,{\overline{\alpha }}_1^2)=l{\mathcal{E}}_1^2$,

$t_{\mathcal{E}}(l{\mathcal{E}}_1^2,x_0>D_5,\varnothing ,{\alpha }_2^2)=l{\mathcal{E}}_2^2$,

$t_{\mathcal{E}}(l{\mathcal{E}}_2^2,x_0>D_6,\varnothing ,{\alpha }_3^2)=l{\mathcal{E}}_3^2$,

$t_{\mathcal{E}}(l{\mathcal{E}}_2^2,x_0>D_6,\varnothing ,{\overline{\alpha }}_3^2)=l{\mathcal{E}}_3^2$;

and the resetting automaton:

$t_{\mathcal{E}}(\mathcal{Z},\varnothing ,\{x_0,x_{T_A}\},{\alpha }_1^1)=\mathcal{Z},$

$t_{\mathcal{E}}(\mathcal{Z},\varnothing ,\left\{x_0\right\},{\alpha }_2^1)=\mathcal{Z},$

$t_{\mathcal{E}}(\mathcal{Z},\varnothing ,\left\{x_0\right\},{\alpha }_3^1)=\mathcal{Z},$

$t_{\mathcal{E}}(\mathcal{Z},\varnothing ,\left\{x_0\right\},{\alpha }_1^2)=\mathcal{Z},$

$t_{\mathcal{E}}(\mathcal{Z},\varnothing ,\{x_0,x_{T_B}\},{\alpha }_2^2)=\mathcal{Z},$

$t_{\mathcal{E}}(\mathcal{Z},\varnothing ,\left\{x_0\right\},{\alpha }_3^2)=\mathcal{Z}$.

  For the agents, we define the local evolution functions for the $T_A$:

$t_A(l_0,l{\mathcal{E}}_0^1,true,\varnothing ,{\alpha }_1^1)=l_1$,

$t_A(l_1,l{\mathcal{E}}_1^1,x_{T_A}<L_{T_A},\varnothing ,{\alpha }_2^1)=l_1$,

$t_B(l_0,l{\mathcal{E}}_0^2,x_{T_A}<L_{T_A},\varnothing ,{\alpha }_1^2)=l_1,$

$t_B(l_1,l{\mathcal{E}}_1^2,x_{T_A}<L_{T_A},\varnothing ,{\alpha }_2^2)=l_1$,

$t_I(l_0,l{\mathcal{E}}_0^1,true,\varnothing ,{\alpha }_1^1)=l_1$,

$t_I(l_1,l{\mathcal{E}}_0^2,x_{T_A}<L_{T_A},\varnothing ,{\alpha }_1^2)=l_1$;

and for the ticket $T_B$:

$t_A(l_0,l{\mathcal{E}}_1^1,x_{T_B}<L_{T_B},\varnothing ,{\alpha }_2^1)=l_1,$

$t_A(l_1,l{\mathcal{E}}_2^1,x_{T_B}<L_{T_B},\varnothing ,{\alpha }_3^1)=l_1$,

$t_B(l_0,l{\mathcal{E}}_1^2,true,\varnothing ,{\alpha }_2^2)=l_1,$

$t_B(l_1,l{\mathcal{E}}_2^2,x_{T_B}<L_{T_B},\varnothing ,{\alpha }_3^2)=l_1$,

$t_I(l_0,l{\mathcal{E}}_2^1,true,\varnothing ,{\alpha }_3^1)=l_1,$

$t_I(l_1,l{\mathcal{E}}_2^2,x_{T_B}<L_{T_B},\varnothing ,{\alpha }_3^2)=l_1$.

The intruder-specific automaton for a complete message ${\langle T_A·T_B\rangle }_{K_A}$ can be described by the following functions:

$t_I(l_0,l{\mathcal{E}}_1^2,true,\varnothing ,{\alpha }_2^2)=l_1$,

$t_I(l_1,l{\mathcal{E}}_1^1,true,\varnothing ,{\alpha }_2^1)=l_1$;

  and all the blocking automata:

$t_I(l_1,l{\mathcal{E}}_1^1,true,\varnothing ,{\overline{\alpha }}_2^1)=l_1$,

$t_I(l_1,l{\mathcal{E}}_2^0,true,\varnothing ,{\overline{\alpha }}_1^2)=l_1,$

$t_I(l_1,l{\mathcal{E}}_2^2,true,\varnothing ,{\overline{\alpha }}_3^2)=l_1.$

  The timed model induced by the above description of both NSPKT scenarios, as outlined in subsection 4.1, should be straightforward to infer.

4. Reachability Checking

5. Experimental Results

5.3. Performance Evaluation

Unfortunately, we could not compare our results with other approaches, as the executions of our TSP model are richer, capturing more time dependencies than the timed models mentioned in Section 1.

Our experiments were meticulously conducted on a high-performance computer, featuring an I7-5500U processor, 12 GB of RAM, and a Linux operating system running kernel 5.2.9. This robust setup ensured the reliability and accuracy of our results.

In our experiments, we examined the standard authentication and secrecy properties of TSP. In addition, we also detected and prevented situations where a passive intruder participates in the protocol execution by positioning themselves between the users and merely relaying all transmitted data. This scenario represents a Man-in-the-Middle (MitM) attack [57]. Although the intruder may not gain access to secret data or compromise the authentication process, the mere presence of the intruder in the network is undesirable. Such situations can be detected and prevented by selecting appropriate lifetime values.

We will discuss the experimental results and draw our conclusions based on nine timed versions of protocols well-known from the literature. We tested the following: the Needham-Schroeder Public Key Protocol (NSPKT) [49] and Lowe’s modification of NSPKT (${\mathrm{NSPKT}}_L$) [1,28]; the Denning-Sacco Protocol (DS) [58]; the Woo-Lam Pi Protocol (WLP) [37,59]; other versions of the Woo-Lam Pi protocol, WLP 1 and 3 [59]; the Andrew Protocol (AP) [60]; Lowe’s modification of the Andrew Protocol (${\mathrm{A}}_L$P) [61]; and MobInfoSec (MIS) [62].

5.3.1. Andrew protocol

To present the experimental results, we assume the delay values: $D_1=2$, $D_2=3$, $D_3=4$, and $D_4=5$. For the Andrew protocol (Figure 3), we conducted a comprehensive analysis and identified two paths indicative of Man-in-the-Middle behaviour (though not a complete attack). In these paths, locations 74 or 94 were found to be reachable. Additionally, we observed two paths that correspond to honest executions (paths where location 4 or 9 was reachable) and eight paths representing executions involving the Intruder (paths where locations 14, 24, 34, 44, 54, 64, 84, or 104 were reachable). The term executions with the Intruder encompasses two scenarios: firstly, executions in which the Intruder behaves as a legitimate user (paths where one of the locations 14, 54, 64, or 104 is reachable); and secondly, executions in which the Intruder unsuccessfully attempts to impersonate honest users (paths where one of the locations 24, 34, 44, or 84 is reachable).

It was found that the minimum lifetime values for the assumed delay values that ensure only honest executions occur (i.e., values that prevent Man-in-the-Middle behaviour) are $L_1=L_2=14$. The minimum values that permit Man-in-the-Middle behaviour to manifest at locations 74 and 94 are $L_1=L_2=21$.

5.3.2. Lowe’s Modification of Andrew Protocol

For Lowe’s modification of the Andrew Protocol (Figure 4), we assumed the following delay values: $D_1=2$, $D_2=3$, and $D_3=4$. With these delay settings, we identified two paths that indicate a Man-in-the-Middle behaviour (where locations 74 or 94 were reachable), two paths representing an honest execution (where locations 4 or 9 were reachable), and eight paths representing executions involving the Intruder (where locations 14, 24, 34, 44, 54, 64, 84, or 104 were reachable). The minimum lifetime values required to permit only honest executions are $L_1=L_2=7$. The minimum values required to enable a Man-in-the-Middle behaviour (reachability of locations 74 and 94) are $L_1=L_2=11$.

5.3.3. Denning–Sacco Protocol

In our analysis of the Denning–Sacco protocol (Figure 5), we assigned the following delay values: $D_1=2$, $D_2=3$, $D_3=4$, $D_4=5$. We found two paths that exhibit a Man-in-the-Middle behaviour, where locations 47 or 87 were reachable. Additionally, we discovered two paths representing an honest execution, with locations 3 or 7 being reachable, and two paths representing an execution involving the Intruder, with locations 43 or 83 being reachable. Our observations showed that for the Denning–Sacco protocol, under the assumed delays, the minimum value allowing both honest executions but not permitting a Man-in-the-Middle attack is $L_1=7$. Furthermore, we determined that the minimum value enabling a Man-in-the-Middle behaviour for the given delays (reachability of locations 47 and 87) is $L_1=8$.

5.3.4. Needham Schroeder Public Key Protocol

Within the NSPKT protocol (Figure 6), we assigned the following delay values: $D_1=2$, $D_2=3$, $D_3=4$. Over the course of our analysis, we executed four scenarios, encompassing two instances of Intruder interventions, two Lowe’s attacks, and two instances of Man in the Middle behaviour. It’s important to note that, as outlined by the protocol structure, we were required to employ two distinct lifetime values, which play a crucial role in the protocol’s operation.

Lowe’s attacks were found to be possible at locations 23 or 55, while Man in the Middle behaviour could manifest at locations 47 or 71. Honest executions were feasible at locations 3 or 7. Intruder interventions were observed at locations 11, 15, 27, 31, 39, 43, 59, or 63.

Our investigation revealed that for the NSPKT protocol and the stipulated delays, the minimum values of $L_1=L_2=9$ ensured honest executions without enabling the Man in the Middle behaviour. To allow for the occurrence of the Man in the Middle behaviour at locations 47 and 71, the minimum required values were $L_1=L_2=12$. These minimum values for honest executions and specific attacks are crucial for understanding the behaviour of the NSPKT protocol.

5.3.5. Lowe’s Modification of Needham Schroeder Public Key Protocol

In the NSPKT protocol (Figure 6), we assigned the following delay values: $D_1=2$, $D_2=3$, $D_3=4$. During our analysis, we carried out four scenarios, including two Intruder interventions, two Lowe’s attacks, and two Man in the Middle behaviour. It is important to note that as per the protocol structure, we had to use two distinct lifetime values, which are crucial for the protocol’s operation.

Figure 7. NSPKT Lowe’s modification

Figure 7. NSPKT Lowe’s modification

Lowe’s attacks were found to be possible at locations 23 or 55, while Man in the Middle behaviour could occur at locations 47 or 71. Honest executions were feasible at locations 3 or 7. Intruder interventions were observed at locations 11, 15, 27, 31, 39, 43, 59, or 63.

Upon investigation, we found that for the NSPKT protocol and the given delays, the minimum values of $L_1=L_2=9$ ensured honest executions without enabling the Man in the Middle behaviour. The minimum values that allow a Man in the Middle behaviour (the locations 47 and 71 are reachable) are $L_1=L_2=12$. These minimum values for honest executions and specific attacks are crucial for understanding the behaviour of the NSPKT protocol.

5.3.6. Woo Lam Pi Protocol

We have established the following delay values for the WLP protocol (Figure 8): $D_1=2,D_2=3,D_3=4$. Our analysis revealed two paths indicating potential Man in the Middle behaviour, with locations 71 or 131 being reachable. These two paths represent honest executions, with locations 5 or 11 being reachable, while ten other paths represent executions with an intruder, where locations 17, 29, 35, 41, 53, 77, 83, 89, 101 or 113 are reachable. Notably, for this protocol, the values $L_1=L_2=8$ are the minimum values allowing both honest executions. Furthermore, the minimum values that allow Man in the Middle behaviour to appear (locations 71 and 131 are reachable) are $L_1=L_2=10$.

5.3.7. Woo Lam Pi 1 and 3

For the WLP1 and WLP3 protocols (Figure 9 and Figure 10), we assumed delay values as $D_1=2$, $D_2=3$, $D_3=4$. We found two paths indicating a Man in the Middle behaviour (locations 53 or 113 are reachable). These two paths represent an honest execution (locations 5 or 11 are reachable), and six paths represent execution with the Intruder (locations 17, 29, 41, 77, 89 or 101 are reachable). For those protocols and the assumed delays, we observed that values $L_1=L_2=8$ are minimum values that allow us to perform honest executions and do not allow Man in the Middle behaviour. However, it was impossible to find the lifetime values that allow performing the executions to represent MitM behaviour for the assumed delays, highlighting the challenges in network security.

5.3.8. MobInfoSec Protocol

The MIS protocol has the following delay values: $D_1=2,D_2=3,D_3=4$. We have identified four paths that indicate a Man in the Middle behaviour (locations 195, 1345, 1763, or 2463 are reachable), twenty-four paths representing an honest execution (locations from 1 to 24 are reachable), and 380 paths representing execution with the Intruder.

For this protocol, we have observed that values $L_1=L_2=L_3=11$ and $L_4=11$ are the only values that allow all the honest executions (these values do not allow a Man in the Middle behaviour). The minimum values that allow a Man in the Middle behaviour to appear (locations 1345, 1763, or 2463 are reachable) are $L_1=L_2=L_3=L_4=12$.

The minimum values that allow all Man in the Middle behaviours to appear (locations 195, 1345, 1763, or 2463 are reachable) are $L_1=L_2=L_3=L_4=13$.

6. Conclusions

References

1. Lowe, G. Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR. Proc. of TACAS’96; Springer-Verlag: London, UK, 1996; pp. 147–166. [Google Scholar]
2. Burrows, M.; Abadi, M.; Needham, R. A Logic of Authentication. ACM Trans. Comput. Syst. 1990, 8, 18–36. [Google Scholar] [CrossRef]
3. Dojen, R.; Jurcut, A.; Coffey, T.; Gyorodi, C. On Establishing and Fixing a Parallel Session Attack in a Security Protocol. Intelligent Distributed Computing, Systems and Applications. Springer, 2008, pp. 239–244.
4. Boureanu, I.; Delicata, S.; Rasmussen, K. Timed Authentication in Security Protocols. International Journal of Information Security 2019, 18, 287–309. [Google Scholar]
5. van der Meyden, R.; Su, K. Timed Epistemic Logic for Security Protocols. International Symposium on Trustworthy Global Computing. Springer, 2012, pp. 224–241. [CrossRef]
6. Kremer, S.; Ryan, M.D.; Steel, G. A Compositional Proof System for Cryptographic Protocols with Time Constraints. In International Conference on Computer Aided Verification; Springer, 2018; pp. 110–128. [Google Scholar] [CrossRef]
7. Dolev, D.; Halpern, J.Y.; Pinter, S. On Clocks and Messaging in Cryptographic Protocols. Journal of Cryptology 2004, 17, 41–58. [Google Scholar]
8. Alur, R.; Dill, D.L. A Theory of Timed Automata. Theoretical Computer Science. Springer, 1994, pp. 116–135. [CrossRef]
9. Halpern, J.Y.; Vardi, M.Y. Epistemic Logic for Distributed Protocols. Proceedings of the First Symposium on Logic in Computer Science. IEEE, 1989, pp. 250–260.
10. Lomuscio, A.R.; Penczek, W.; Qu, H. Model Checking for Multi-Agent Systems with Time Constraints. Software and Systems Modeling 2017, 16, 425–444. [Google Scholar] [CrossRef]
11. Herzberg, A.; Jarecki, S. Timed Communication Protocols in Adversarial Networks. International Workshop on Theory and Practice in Public Key Cryptography. Springer, 1995, pp. 73–89. [CrossRef]
12. Kuhn, M.G.; Anderson, R.J. Timing Attacks on Cryptographic Protocols: Formal Analysis and Prevention. ACM Transactions on Information and System Security (TISSEC) 2010, 13, 47. [Google Scholar] [CrossRef]
13. Grosser, A.; Kurkowski, M.; Piatkowski, J.; Szymoniak, S. ProToc - An Universal Language for Security Protocols Specifications. Soft Computing in Computer and Information Science. Springer, 2014, Vol. 342, Advances in Intelligent Systems and Computing, pp. 237–248.
14. Kurkowski, M.; Penczek, W. Applying Timed Automata to Model Checking of Security Protocols. Handbook of Finite State Based Models and Applications, CRC Press, Taylor & Francis Group, 2016; 223–254. [Google Scholar] [CrossRef]
15. Zbrzezny, A.M.; Siedlecka-Lamch, O.; Szymoniak, S.; Kurkowski, M. SMT Solvers as Efficient Tools for Automatic Time Properties Verification of Security Protocols. 20th Int’l Conf. PDCAT. IEEE, 2019, pp. 320–327.
16. Kanovich, M.; Kirigin, T.; Nigam, V.; Scedrov, A.; Talcott, C. Discrete vs. Dense Times in the Analysis of Cyber-Physical Security Protocols. Proc. of 4th Conf. on Principles of Security and Trust, vol. 9036. Springer, 2015, p. 259–279.
17. Basin, D.A.; Cremers, C.; Meadows, C.A. Model Checking Security Protocols. In Handbook of Model Checking; Springer, 2018; pp. 727–762. [Google Scholar]
18. Biere, A.; Cimatti, A.; Clarke, E.M.; Fujita, M.; Zhu, Y. Symbolic Model Checking Using SAT Procedures instead of BDDs. Proc. of the 36th Conf. on Design Automation., 1999, pp. 317–320.
19. Kurkowski, M.; Srebrny, M. A Quantifier-free First-order Knowledge Logic of Authentication. Fundam. Inform. 2006, 72, 263–282. [Google Scholar]
20. Lomuscio, A.; Raimondi, F.; Wozna, B. Verification of the TESLA protocol in MCMAS-X. Fundam. Inform. 2007, 79, 473–486. [Google Scholar]
21. Basin, D.A.; Cremers, C.; Dreier, J.; Sasse, R. Symbolically analyzing security protocols using tamarin. ACM SIGLOG News 2017, 4, 19–30. [Google Scholar] [CrossRef]
22. Siedlecka-Lamch, O.; Szymoniak, S.; Kurkowski, M. A Fast Method for Security Protocols Verification. Proc. of 18th Int’l Conf. CISIM, 2019, pp. 523–534.
23. Hess, A.V.; Mödersheim, S. Formalizing and Proving a Typing Result for Security Protocols in Isabelle/HOL. 30th IEEE Computer Security Foundations Symposium, CSF 2017, Santa Barbara, CA, USA, August 21-25, 2017. IEEE Computer Society, 2017, pp. 451–463. 21 August. [CrossRef]
24. Mödersheim, S.; Viganò, L.; Basin, D.A. Constraint differentiation: Search-space reduction for the constraint-based analysis of security protocols. J. Comput. Secur. 2010, 18, 575–618. [Google Scholar] [CrossRef]
25. Armando, A.; Carbone, R.; Compagna, L. SATMC: a SAT-based model checker for security protocols, business processes, and security APIs. Int. J. Softw. Tools Technol. Transf. 2016, 18, 187–204. [Google Scholar] [CrossRef]
26. Li, L.; Sun, J.; Liu, Y.; Sun, M.; Dong, J. A Formal Specification and Verification Framework for Timed Security Protocols. IEEE Transactions on Software Engineering 2018, 44, 725–746. [Google Scholar] [CrossRef]
27. Benerecetti, M.; Cuomo, N.; Peron, A. TPMC: A Model Checker For Time–Sensitive Security Protocols. Journal of Computers 2009, 4, 366–377. [Google Scholar] [CrossRef]
28. Szymoniak, S.; Siedlecka-Lamch, O.; Kurkowski, M. On Some Time Aspects in Security Protocols Analysis. Proc. of 25th Int’l Conf. CN’18, 2018, pp. 344–356.
29. Zbrzezny, A.M.; Zbrzezny, A.; Siedlecka-Lamch, O.; Szymoniak, S.; Kurkowski, M. VerSecTis - an agent based model checker for security protocols. Proc. of Int’l Conf. AAMAS’20. ACM, 2020, pp. 2123–2125.
30. Lomuscio, A.; Penczek, W. LDYIS: a Framework for Model Checking Security Protocols. Fundam. Inform. 2008, 85, 359–375. [Google Scholar]
31. Boureanu, I.; Cohen, M.; Lomuscio, A. Model checking detectability of attacks in multiagent systems. Proc. of 9th Int’l Conf. AAMAS’10, 2010, Vol. 1-3, pp. 691–698.
32. Boureanu, I.; Jones, A.V.; Lomuscio, A. Automatic verification of epistemic specifications under convergent equational theories. Proc. of 11th Int’l Conf. AAMAS’12, 2012, Vol. 3, pp. 1141–1148.
33. Millen, J.K. CAPSL: Common Authentication Protocol Specification Language. Proc. of the 1996 Workshop on New Security Paradigms, 1996, p. 132.
34. Boureanu, I.; Kouvaros, P.; Lomuscio, A. Verifying Security Properties in Unbounded Multiagent Systems. Proc. AAMAS’16 Conf., 2016, pp. 1209–1217.
35. Corin, R.; Etalle, S.; Hartel, P.H.; Mader, A. Timed analysis of security protocols. Journal of Computer Security 2007, 15, 619–645. [Google Scholar] [CrossRef]
36. Jakubowska, G.; Penczek, W. Modelling and Checking Timed Authentication of Security Protocols. Fundam. Inform. 2007, 79, 363–378. [Google Scholar]
37. Zbrzezny, A.M.; Szymoniak, S.; Kurkowski, M. Efficient Verification of Security Protocols Time Properties Using SMT Solvers. Proc. of 12th Int’l Conf. CISIS’19, 2019, pp. 25–35. [CrossRef]
38. Li, L.; Sun, J.; Dong, J.S. Automated Verification of Timed Security Protocols with Clock Drift. FM 2016: Formal Methods - 21st International Symposium, Proceedings, 2016, Vol. 9995, Lecture Notes in Computer Science, pp. 513–530. [CrossRef]
39. Mu, Y.; Juan, L.; Shen, G.; Zihao, W. Runtime verification of self-adaptive multi-agent system using probabilistic timed automata. Journal of Intelligent and Fuzzy Systems 2023. [Google Scholar] [CrossRef]
40. Sankur, O. Timed Automata Verification and Synthesis via Finite Automata Learning. International Conference on Tools and Algorithms for Construction and Analysis of Systems, 2023, pp. 335–349. [CrossRef]
41. Barthe, G.; Lago, U.D.; Malavolta, G.; Rakotonirina, I. Tidy: Symbolic Verification of Timed Cryptographic Protocols. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, 2022. [CrossRef]
42. Middelburg, C. Dormancy-aware timed branching bisimilarity with an application to communication protocol analysis. Theoretical Computer Science 2024, 912, 114681. [Google Scholar] [CrossRef]
43. Sahu, P. Automated Verification for Real-Time Systems. Lecture Notes in Computer Science, 2023. [CrossRef]
44. Fagin, R.; Halpern, J.Y.; Moses, Y.; Vardi, M.Y. Reasoning about Knowledge; MIT Press: Cambridge, 1995. [Google Scholar]
45. Wooldridge, M. An Introduction to Multi-Agent Systems - Second Edition, John Wiley & Sons, 2009.
46. Lomuscio, A.; Sergot, M.J. Deontic Interpreted Systems. Studia Logica 2003, 75, 63–92. [Google Scholar] [CrossRef]
47. Woźna-Szcześniak, B. SAT-Based Bounded Model Checking for Weighted Deontic Interpreted Systems. Proc. of Conf. EPIA’13, 2013, pp. 444–455.
48. Woźna-Szcześniak, B.; Zbrzezny, A. Checking EMTLK Properties of Timed Interpreted Systems Via Bounded Model Checking. Studia Logica 2015, 1–38. [Google Scholar]
49. Needham, R.; Schroeder, M. Using Encryption for Authentication in Large Networks of Computers. Commun. ACM 1978, 21, 993–999. [Google Scholar] [CrossRef]
50. Lowe, G. An Attack on the Needham-Schroeder Public-Key Authentication Protocol. Inf. Process. Lett. 1995, 56, 131–133. [Google Scholar] [CrossRef]
51. Baier, C.; Katoen, J.P. Principles of Model Checking; MIT Press, 2008; pp. I–XVII, 1–975. [Google Scholar]
52. Zbrzezny, A.M.; Zbrzezny, A. Checking WECTLK Properties of Timed Real-Weighted Interpreted Systems via SMT-based Bounded Model Checking. Proc. of 17th Conf. EPIA’15. Springer, 2015, Vol. 9273, LNCS, pp. 638–650.
53. Moura, L.D.; Bjørner, N. Z3: an Efficient SMT solver. Proc. of 14th Int’l Conf. TACAS’08. Springer-Verlag, 2008, Vol. 4963, LNCS, pp. 337–340.
54. Dutertre, B. Yices 2.2. Proc. of CAV’14 Conf. Springer, 2014, Vol. 8559, LNCS, pp. 737–744.
55. Barrett, C.; Conway, C.L.; Deters, M.; Hadarean, L.; Jovanovi’c, D.; King, T.; Reynolds, A.; Tinelli, C. CVC4. Proc. of the 23rd CAV Conf. Springer, 2011, Vol. 6806, LNCS, pp. 171–177.
56. Zbrzezny, A.M.; Zbrzezny, A. SAT-Based BMC Approach to Verifying Real-Time Properties of Multi-Agent Systems. 15th IEEE/ACS Int’l Conf. AICCSA’18, 2018, pp. 1–8.
57. Callegati, F.; Cerroni, W.; Ramilli, M. Man-in-the-Middle Attack to the HTTPS Protocol. IEEE Secur. Priv. 2009, 7, 78–81. [Google Scholar] [CrossRef]
58. Denning, D.E.; Sacco, G.M. Timestamps in Key Distribution Protocols. Commun. ACM 1981, 24, 533–536. [Google Scholar] [CrossRef]
59. Woo, T.Y.C.; Lam, S.S. A Lesson on Authentication Protocol Design. SIGOPS Oper. Syst. Rev. 1994, 28, 24–37. [Google Scholar] [CrossRef]
60. Satyanarayanan, M. Integrating security in a large distributed system. ACM Trans. Comput. Syst. 1989, 7, 247–280. [Google Scholar] [CrossRef]
61. Lowe, G. Some new attacks upon security protocols. Proceedings 9th IEEE Computer Security Foundations Workshop, 1996, pp. 162–169.
62. Siedlecka-Lamch, O.; El Fray, I.; Kurkowski, M.; Pejas, J. Verification of Mutual Authentication Protocol for MobInfoSec System. Proc. of 14th Int’l Conf. CISIM, 2015, pp. 461–474.