Scholarly article on topic 'Formal Modelling of PKI Based Authentication'

Formal Modelling of PKI Based Authentication Academic research paper on "Computer and information sciences"

CC BY-NC-ND
0
0
Share paper
Keywords
{"Formal Methods" / Z / CSP / Security / Authentication / "Distributed systems" / Correctness}

Abstract of research paper on Computer and information sciences, author of scientific article — Ali Nasrat Haidar, Ali E. Abdallah

Abstract One of the main aims of certificate based Public Key Infrastructure (PKI) is to provide authentication in distributed systems. Through its functions, PKI authentication can be viewed as a re-usable component that can be integrated with other systems to offer strong authentication, scalability, and mobility, particularly for large organizations. PKI has been used to describe authentication in various types of applications ranging from e-commerce and web services applications to large scale systems such as Grid computing. This paper presents a formal approach for modeling certificate based PKI authentication. The approach makes use of two complementary models: one is state-based, described in Z, and the other is event-based, expressed in the Process Algebra of Hoare's Communicating Sequential Processes (CSP). The former will be used to capture the state of PKI key components used in the authentication process, the relationships between them, and model “back-end” operations on these components. Whereas the latter, CSP, will be used to model behavior, and in particular, “front-end” interactions and communications. Only when this authentication mechanism is properly formulated, reasoning about its correctness, vulnerabilities and usability can be scrutinized and possibly aided by automation.

Academic research paper on topic "Formal Modelling of PKI Based Authentication"

Available online at www.sciencedirect.com

ScienceDirect

Electronic Notes in Theoretical Computer Science 235 (2009) 55-70

www.elsevier.com/locate/entcs

Formal Modelling of PKI Based Authentication

Ali Nasrat Haidar1 Ali E. Abdallah2

E-Security Research Centre Institute for Computing Research London South Bank University 103 Borough Road London, UK

Abstract

One of the main aims of certificate based Public Key Infrastructure (PKI) is to provide authentication in distributed systems. Through its functions, PKI authentication can be viewed as a re-usable component that can be integrated with other systems to offer strong authentication, scalability, and mobility, particularly for large organizations. PKI has been used to describe authentication in various types of applications ranging from e-commerce and web services applications to large scale systems such as Grid computing. This paper presents a formal approach for modeling certificate based PKI authentication. The approach makes use of two complementary models: one is state-based, described in Z, and the other is event-based, expressed in the Process Algebra of Hoare's Communicating Sequential Processes (CSP). The former will be used to capture the state of PKI key components used in the authentication process, the relationships between them, and model "back-end" operations on these components. Whereas the latter, CSP, will be used to model behavior, and in particular, "front-end" interactions and communications. Only when this authentication mechanism is properly formulated, reasoning about its correctness, vulnerabilities and usability can be scrutinized and possibly aided by automation.

Keywords: Formal Methods, Z, CSP, Security, Authentication, Distributed systems, Correctness.

1 Introduction

Certificate based public Key Infrastructures (PKI) [2] have been the source of many of the radical advances in the evolution of security solutions to: authentication, authorization, confidentiality, integrity, and accountability. PKI has been used in a wide variety of distributed applications ranging from e-commerce and web services applications to complex systems such as Grid computing and virtual organizations [25]. Also, PKI has been used in the design of security protocols such as Secure Socket Layer (SSL/TLS) [24] and Secure Electronic Transaction (SET) [4] with the

1 Email: Ali.Haidar@lsbu.ac.uk

2 Email: A.Abdallah@lsbu.ac.uk

1571-0661/$ - see front matter © 2009 Elsevier B.V. All rights reserved. doi:10.1016/j.entcs.2009.03.005

main aim is to provide authentication. This refers to the ability to demonstrate the identity of an entity (human user, server, or a service) to any interested party [5].

Despite its widespread adoption, however, certificate based PKI still "suffers from certain ambiguity and lack of understanding and precision" [11]. The ability to have a clear and rigorous understanding of PKI-authentication requirements is particularly significant when building secure, reliable, and reusable PKI authentication components. However, poor implementations have been the main factor that has badly influenced the use of PKI based authentication on a large scale [18]. This is due to several reasons according to [1]: (1) PKI can be viewed as a complex distributed information system in which there is a potential risk that design errors and undesirable properties emerge causing considerable costs for failures to meet the intended requirements; (2) difficulty of integration into existing applications; (3) and lack of clear and rigorous approaches that enable reasoning about correctness of PKI systems' administrative side and their security and reliability. Successful PKI implementations have been restricted to "closed" environments where a conservative security policy can be applied in order to produce an effective implementation [19].

The primary aim of this paper is to present a formal model for certificate based PKI systems by combining and customizing existing formal frameworks for state-based and event-based systems. The model is formulated in specification notation Z [26,8,22], which is particularly suited for concisely describing state-based systems and reasoning about them. The specification consistency is checked using ZTC tool [10]. Then, the behavior of the PKI system components is captured using Hoare's Communicating Sequential Processes (CSP) [6]. When a certificate based PKI system is properly formulated, reasoning about its correctness, vulnerabilities and usability can be scrutinized and possibly aided by automation. This approach can be refined to deal with a wide range of components such as authorization and auditing, and would be useful in helping developers to have a clear and rigorous understanding of components during the design, analysis and implementation phases.

In this paper, we do not attempt to consider all the functions provided in a typical PKI system such as key generation and revocation-list management. We are interested in authentication related operations, security knowledge of the participants (user, server), security tokens, and administrative operations such as adding/removing users and trusting certificate authorities. We assume that: this PKI system will work in a closed environment, where all users can be identified and every user holds one certificate and its corresponding private key; also, PKI entities (i.e. client, server) do not need to negotiate which cryptographic algorithms they will all use.

The paper begins with an overview of certificate based PKI. In Section 3, a formal model for a PKI authentication system is constructed by stating its key components and describing the mathematical relationships between them using Z notation. Section 4 presents the process architecture for PKI authentication expressed in CSP notation. Section 5 describes typical administrative operations performed by a system administrator on the authentication server, which are for-

mally described in Z. Section 6 gives an overview of related work. Section 7 is the conclusion.

2 Overview of PKI

PKI is based on asymmetric cryptography [21] concept in which each user has a related pair of keys: a public key and a corresponding private key. When such a key pair is generated, the public key is intended to be made public, whereas the private key should only be known and protected by the user. One of the most currently used public key cryptographic algorithm is RSA [15] since it is suitable for both encryption and digital signatures.

Public Key encryption is used to maintain the privacy of data communicated over a public network (Fig. 1). When a message is transmitted using public key encryption, it is the public key of the recipient that is used to encrypt. For example, consider a user A with a public key pk and private key sk respectively that can be used with RSA algorithm. Another user, say B, wishing to send a message m to A, obtains A's public key, uses RSA to obtain the encryption c = RSApk m, and transmits c to A. To decrypt c, A applies RSA to obtain the original message RSA sk (RSApkm) = m. Public Key encryption also provide digital signature to ensure data integrity. When the private key is used for encrypting a message (known as signing) then any recipient who can obtain the corresponding public key can decrypt it. The relationship between the public key and the private key using RSA algorithm can be summarized by the following expressions:

RSA pk (RSA skm) = m (1)

RSA sk (RSA pkm) = m (2)

Public Key

Private Key

Plaintext Ciphertext Plaintext

Encryption Decryption

Private Key

Public Key

l=J—[y

Plaintext Ciphertext Plaintext

Encryption Decryption

Fig. 1. Public Key Encryption and Data Signing

In order to ensure the authenticity of public keys, digital certificates are used to enable the binding of a public key to identifying information about a subject on the certificate (i.e people, servers, organizations) in such a way that its integrity and validity can be verified [2]. Digital certificates can be viewed as a security token in which public keys may be stored, distributed or forwarded over a public network such as the Internet. In PKI, the binding between subject and key is established

58 A.N. Haidar, A.E. Abdallah /Electronic Notes in Theoretical Computer Science 235 (2009) 55—70

by a trusted third party called Certification Authority (CA) (also known as Issuer). The primary function of the CA is to generate, publish, revoke, and archive the public key certificates that binds the user identity with the user's public key. When a CA issues a certificate to a user, it signs it with its private key to ensure that any modification on the certificate can be detected. The CA also issues a certificate for itself (called root certificate). Anyone who wants to use a certificate must have a valid copy of the public key of the CA who issued the certificate, and must trust the CA (by having a copy of the root certificate). One can also choose where the key pair is generated. The keys can either be generated by the CA for the client or the client can generate the keys for itself and provide a copy of the public key to the CA to certify (in this work we assume that the client already has a key pair certified by a trusted CA).

The main characteristics of a typical certificate consists of: names of the subject and issuer, a public key associated with the subject, a validity period, an identifier for the cryptographic algorithms used by the CA to sign this certificate and another identifier for the public key algorithm with which the public key on the certificate is used (i.e RSA, Diffie-Hellmann). X509 version 3 (Fig. 2) is the most currently used PKI standard for digital certificates [7].

Issuer: C=ZA, ST=Western Cape, L=Cape Town, 0=Thawte Consulting cc. Subject: C=ZA, ST=Western Cape, L = Cape Town, 0=TliaTJte Consulting cc,

Signature algorithm: mdSmtliRSAE nervation

Fig. 2. A Sample X509 Digital Certificate.

The main assumption when using public key cryptography is that only the owner of the certificate knows the private key corresponding to the public key on the certificate and that users (also CA management) are responsible for ensuring the confidentiality of their private keys.

A.N. Haidar, A.E. Abdallah / Electronic Notes in Theoretical Computer Science 235 (2009) 55—70 59

3 Formal Specification

In the following paragraphs, formal models of a Certificate Authority (CA), digital certificate, a user and an authentication server are constructed in order to develop an understanding of the whole PKI authentication system. An appropriate abstraction of the CA, certificate, user and the server can be well formulated as a state-based model. The model assumes the existence of the following types:

[Subject, Key, Data, SerialNb, CipherAlgName, CertAuthorityName, Date]

to denote the set of all possible users, public/private keys, encrypted and plain data, serial number of each digital certificate, names of cryptographic algorithms, names of the certificate authorities, and dates respectively. We assume that there are standard implementations of the cryptographic algorithms supported by the CA, the client and the server.

Let [[algo]] denotes the semantic of the cryptographic algorithm, algo. For example, one of the most common used cryptographic algorithms is AES [15]. The semantic of AES is a function that takes a key and data to be encrypted, and returns the data in encrypted form.

| [[_]] : CipherAlgName ^ Key ^ (Data ^ Data)

Let validDate be a global relation that relates a date d and a pair of dates (d 1, d2) if and only if d lies between d 1 and d2. This relation will be used to check whether a certificate has expired or not.

= [Date ] -

validDate : Date ^ (Date x Date)

V d, d 1, d2 : Date • d validDate (d 1, d2) ^ d 1 < d A d < d2

Let validPublicKeyPair be a relation that associates a public to its corresponding private key. This relation is used to ensure that key generated for the user are valid.

r=[CipherAlgName, Data, Key] validPKIKeyPair : Key ^ Key pkiAlgoName : CipherAlgName m : Data pk, sk : Key

pk validPKIKeyPair sk ^

[[pkiAlgoName]] pk ([[pkiAlgoName]] sk m) = m A [[pkiAlgoName]] sk ([[pkiAlgoName]] pk m) = m

3.1 Specifying Certificate Authority

The role of the CA is to create and sign digital certificates with its secret key and maintain a list of certificates that are not valid anymore, also known as certificate revocation lists (CRL). Some of this information is made public so that clients and servers can verify certificates issued by the CA. The CA can be modeled as a data type which can be formulated as follows:

PublicCAInfo_

name : CertAuthorityName publicKey : Key ca^revocationList : P SerialNb caSupportedCrypto : P CipherAlgName

where name, is the the name of the CA; publicKey, denotes the unique public key of the CA; ca-revocationList, is a set of revoked certificates; and caSupportedCrypto, is a set representing the names of the supported cryptographic algorithms used for signing certificates and verification.

The CA also has information that are private and can only be known by the CA management such as the secret key corresponding to the CA's public key and a documentation of the issued certificates. This private information can be captured by defining additional fields, secretKey, and issued, a function that relates a serial number to a certificate.

_PrivateCAInfo_

PublicCAInfo

issued : SerialNb ^ Certificate secretKey : Key

The CA, CertAuthority, is then modeled as a data type which can be captured using the conjunction of the private and public CA information:

CertAuthority = PublicCAInfo Л PrivateCAInfo 3.2 Specifying Digital Certificate

A digital certificate typically consists of: issuer, the name of the certificate authority that issued the certificate; serial , serial number of the certificate; subject, subject's name to be associated with the public key on the certificate; publicKey, public key of the subject; validity, the validity date of the certificate; pkiAlgoName, the name of the public key algorithm with which the public key on the certificate is used (e.g. RSA or Diffie-Hellman); and caSignatureAlgoName, the name of the signature algorithm used by the CA to generate the signature on this certificate. The certificate data part can be abstracted in Z as follows:

_CertificateData_

issuer : CertAuthorityName

serial : SerialNb

subject : Subject

publicKey : Key

validity : Date x Date

pkiAlgoName : CipherAlgName

caSignatureAlgoName : CipherAlgName

The signature part consists of the digital signature, caSignature, created by the issuer, thereby binding the subject's identity to the specified public key. The data type certificate is described in the Z schema Certificate. In addition to these fields, there are others that we chose not to include as they are not relevant here.

_Certificate_

CertificateData caSignature : Data

3.3 Specifying User Credentials

The model of a user focuses primarily on the security knowledge that the user must possess and maintain for the purpose of authentication. The user's information that are public knowledge, Public-UserCredrential, comprises two components: (1) cert, a digital certificate issued by a trusted CA; (2) userSupportedCrypto, a list of supported cryptographic algorithms for key generation and ciphering data communicated with other entities. Here, for simplicity, it is assumed that the user has one certificate only. The user's information which is publicly known can be formulated in Z as follows:

_Public-UserCredrential_

cert : Certificate

userSupportedCrypto : P CipherAlgName

cert .caSignatureAlgoName £ userSupportedCrypto cert .pkiAlgoName £ userSupportedCrypto

The information that can only be viewed by the user comprises two components: (1) user's private key, secretKey ; (2) the list of trusted CAs, trustedCA, a set of CA's trusted by the user, caKey, a relation that associates CA's with their corresponding public keys. The user's private information can then be described in Z as follows:

_Private-UserCredrential_

secretKey : Key

trustedCA : P CertAuthorityName caKey : CertAuthorityName ^ Key

trustedCA Ç dom caKey

As a result, the state of a user can then be constructed of public and private information as shown in the UserCredential schema. The invariant states that the issuer of the certificate is trusted by the user.

_UserCredential_

Public-UserCredrential Private-UserCredrential

cert .issuer G trustedCA Л

cert .publicKey validPKIKeyPair secretKey

3.4 Authentication Server

In this paper, it is assumed that the authentication server operates in a closed environment such as in a Bank or a University. The server administrator is responsible for maintaining a set of current registered-users. Therefore, authenticating users can be achieved by validating their certificates, verifying that they have knowledge of the private key corresponding to the one on the certificate, and by checking that their subject name is in the list of registered users. In open systems, there is no need for the registered-users set; any user who can pass the validation and verification phases can be considered authenticated. The abstract state of an authentication server consists of the following six components:

• registered-users, a set of known users

• key-association, a partial function that associates each subject with its public key

• trustedCA, a set of trusted CAs

• caKey relation that relates each CA trusted by the server to its public key

• revoked, a set of certificates that have been revoked

• today, the current date when the authentication is taking place

• serverSupportedCrypto, a list of cryptographic algorithms supported by the server

This can be formulated in as a schema as follows:

_AuthenticationServer_

registered-users : P Subject trustedCA : P CertAuthorityName key ^association : Subject ^ Key caKey : CertAuthorityName ^ Key revoked : P SerialNb today : Date

serverSupportedCrypto : P CipherAlgName

dom key-association = registered-users A trustedCA C dom caKey

The invariant states that every user must have a public key. The authentication server decision whether the authentication has failed or succeeded is reflect by an output response drawn from the following type Report:

Report ::= Auth-Success | Auth-Failure

Let the schema Success (Failure respectively) indicates the successful completion of (failure to complete respectively) the authentication operation.

_Success_

resp! : Report

resp! = Auth-Success

_Failure_

resp! : Report

resp! = Auth-Failure

3.5 Validating Certificate

An authentication server considers a digital certificate as valid if: (1) the certificate is issued by CA trusted by the server; (2) the certificate has not been revoked by checking it against a revocation list; (3) the certificate dates are still valid (hasn't expired); (4) the certificate has not been modified since it was created: this can be achieved by checking that the signature on the certificate is valid. It is important to know that verifying a certificate requires possession of the issuer's public Key, which is computed by caKey (cert ?. issuer)). The verification process can be captured as follows:

_CertValidationOk

EAuthenticationServer

cert? : Certificate

certData : Certificate ^ Data

cert?.issuer £ trustedCA A cert?.serial / revoked A

today validDate cert?.validity A

[[ cert ? .caSignatureAlgoName ]]

(caKeycert?.issuer) cert?.caSignature = certData (cert ?)

Where certData is a function that returns the data from a certificate. This data is usually signed by the CA to ensure the certificate integrity. This function is used in the certificate signature validation in order to compare the certificate signature with the data on the certificate. In practice, the certData function can be a hash function and the signature is the encryption of the hashed certificate using the issuing CA's private key.

3.6 Verifying User Knowledge of the Secret Key

The authentication server can establish that a user knows the private key corresponding to a public key on a certificate by having the following as inputs: a certificate, cert, a challenge nonce generated by the server, and what is believed to be the nonce signed with the user's private key, signed—nonce. The verification operation succeeds when the subject is a registered user, and the decryption of the signer-nonce with the public key on the user's certificate matches the original challenge, nonce, sent by server. The verification operation can be captured in Z as follows:

_VertificationOk_

EAuthenticationServer cert? : Certificate nonce ? : Data signer-nonce ? : Data

cert?.subject £ registered-users A

[[cert?.pkiAlgoName]] cert?.publicKey signed—nonce? = nonce?

3.7 Authenticating Users

A successful authentication operation can be viewed as a combination of successful certificate validation and client signature verification. This is modeled as a conjunction of the following operations:

AuthenticationOk = CertValidationOk A VertificationOk

The whole authentication operation can then be captured as follows: Authentication = (AuthenticationOk A Success) V Failure

4 Process Architecture for PKI-Based Authentication

So far, we have described an authentication server and a user as completely independent systems. The CSP events depends on the Z operation defined earlier. The authentication server (denoted AS) interacts with the clients by sending and receiving the above messages on designated communication channels. For example, sin (from client) is the input channel on which the certificate and client's response are communicated to the server; and sOut (to client) is the output channel on which the server's challenge and authentication response are sent. The authentication server behavior can be informally described as follows: (1) the AS receives a certificate from a client, say c; (2) sends a plain challenge to the client, say t; (3) receives a signed challenge from the client, m; (4) and checks validity of c (using the Authentication operation described in the previous section in Z). The interface of AS and its behavior are described below:

aAS = {sin?req, sOut!resp} AS = sin?c ^ sOut!t ^ sin?m ^ (sOut!Auth-Sucxess ^

THREAD(c, session-Key) ||| AS < pre (Authentication(c, nonce, reply)) > authentResp!Failure ^ AS)

The CSP expression pre (op (ii, i2..in)) (where pre is the precondition operator) denotes the precondition on the state of the system and inputs which makes successful completion of the operation op. If the precondition is true, then the server creates a thread with a session key, say THREAD(c, session-key), to serve the client while still serving other clients. The description of the thread depends on the user's role.

(Server Model in CSP) (Client Model in CSP)

Fig. 3. CSP models for Client and Server

4-1 Client Behavior

A typical interaction between a user, u0 =< certo, issuer0, publickeyo, secretkey0 >, with a valid certificate and an authentication server can be modelled as follows:

CLIENT(u0) = cOut!u0.certo ^ cin?t ^ cOut!m ^ cin?resp ^ SKIP

Where, t is the random challenge, m = [[uo.cerfo.pkiAlgName0]] uo.secretKeyo t] is the encryption of the challenge with the user's secret key using the PKI algorithm named on the certificate, and resp is the authentication result. If the authentication succeeds, the client will behave as authenticated

The result of CLIENT(u0) sequence of interactions with the authentication server is calculated using a parallel composition (Figure 4) of CLIENT and AS processes as follows:

CLIENT (u0)[rep / cOut, req / cIn] || AS (state )[rep / sin, req / sOut] = req ¡Success ^ AS (state)

A req

AS (state) _ CLIENT(u)

Fig. 4. PKI Authentication in CSP

5 Administrative operations

We consider some of the main administrative operations on the AuthenticationServer system namely: AddUser, RemoveUser, AddTrustedCA, and RemoveTrustedCA respectively.

RemoveTrustedCA

AddTrustedCA

RemoveUser

AddUserj (state)

Fig. 5. PKI Administrative Operations

The first operation, AddUser, receives the username and public key of a user, username? and publicKey? respectively, and changes the state of registered-users and key-association respectively in the authentication server. The precondition for this operation to succeed states that the username ? should not already be in the registered-users set (unique) otherwise all other components remain unchanged. The operation is captured in Z as follows:

_AddUser_

AAuthenticationServer username? : Subject publicKey? : Key resp! : Report

username ? / registered-users ^ registered-users' = registered-users U {username?} A key-association' =

key-association U {username? m publicKey?} A resp! = Succeeded username ? £ registered-users ^ registered-users' = registered-users A key-association' = key-association A resp! = Failed

The operation RemoveUser receives a username as argument and removes it with its corresponding public key from the authentication server. The precondition states that the username? must exists in the registered-users set.

_RemoveUser_

AAuthenticationServer username? : Subject resp! : Report

username ? £ registered-users ^ registered-users' = registered-users \ {username?} A key-association' = {username?} — key-association A resp! = Succeeded username ? / registered-users ^ registered-users' = registered-users A key-association' = key-association A resp! = Failed

AddTrstedCA operation receives a CA's name and public key respectively as arguments and add them to the trusted CA relation, trustedCA on the server. The precondition for this operation is that the CA's name should not already be in the trusted CA list.

_AddTrustedCA_

AAuthenticationServer ca-Name? : CertAuthorityName ca-Key ? : Key resp! : Report

ca-Name ? / trustedCA ^

trustedCA' = trustedCA U {ca-Name?} Л caKey' = caKey U {ca-Name? м ca-Key?} Л resp! = Succeeded ca-Name ? £ trustedCA ^

trustedCA' = trustedCA Л caKey' = caKey Л resp! = Failed

RemoveTrustedCA operation received the name of a trusted CA as input and removes it from the trusted CA relation. The precondition for this operation to succeed is that the CA's name should already be on the trusted list.

_RemoveTrustedCA_

AAuthenticationServer ca-Name? : CertAuthorityName resp! : Report

ca-Name ? £ trustedCA ^

trustedCA' = trustedCA \ {ca-Name?} A resp! = Succeeded ca-Name ? / trustedCA ^

trustedCA' = trustedCA A resp! = Failed

6 Related Work

Formal methods have been used for specifying, formulating, designing, analyzing, and verifying cryptographic protocols and particularly authentication protocols [20,3,4]. The literature also contains a number of approaches for applying formal methods to the PKI problem [13,16,9,11,23,14]. In [14], the authors presented a formal specification of a certificate management management system and some basic operations such as certificate issuing, certificate revocation using a state based approach. Schneider, Ryan, and Lowe developed formal security analysis methods which were successfully used to find security flaws or prove their absence using CSP [20,3]. Woodcock and his colleagues [17] as well as Laurence [12] have used a combination of state-based Z specifications and event-based CSP models to capture and reason about distributed applications.

A.N. Haidar, A.E. Abdallah / Electronic Notes in Theoretical Computer Science 235 (2009) 55—70 69

7 Conclusion

In this paper, key components of certificate based PKI were formalized in order to have a clear and rigorous understanding of them and to avoid ambiguities. These components were used as building block to construct a formal model for certificate based PKI authentication. The formalization of the PKI authentication system is expressed by combining some aspects of Z and CSP notations. The consistency of the model is checked with ZTC tool.

References

[1] Bickmore, R. and Baltimore Technologies, Implementing a PKI, Information Security Technical Report, 5(4)(2000), pages 33-38.

[2] Chokhani, S., "Computer Security Hand book", chapter Public Key Infrastructures and Certificate Authorities, 4th Ed., Wiley, 2002.

[3] Gavin, L., Breaking and Fixing the Needham-Schroeder Public-Key Protocol using CSP and FDR, volume1055 of Lecture Notes in Computer Science. Springer-Verlag, 1996.

[4] Giampaolo, G., F. Masacc F, and L. C. Paulson, Verifying the SET Registration Protocols, IEEE Journal on Selected Areas in Communications, 21(1) (2003),77-87.

[5] Gollmann, D, "Computer Security," 2nd Ed., Wiley, 2005.

[6] Hoare, C. A. R., "Communicating Sequential Processes," Prentice Hall, 1985.

[7] Housley, R., W. Ford, T. Polk, and D. Solo, Internet X.509 Public Key Infrastructure - Certificate and CRL Profile, RFC 2459 (RFC 3280-2002), January 1999.

[8] Houston, ISC and M. B. Josephs, Specifying distributed CICS in Z: accessing local and remote resources, Formal Aspects of Computing, 6(5)(1994), 569-579.

[9] Howell, J. and D. Kotz, A Formal Semantics for SPKI, Technical report, Hanover, NH, USA, 2000.

[10] Jia, X. , "ZTC: A Type Checker for Z Notation — User's Guide", DePaul University, Institute for Software Engineering, Department of Computer Science and Information Systems, Chicago,Illinois, USA, version 2.03 Ed., August 1998.

[11] Kohlas R. and U. M. Maurer, Reasoning about Public-Key Certification: On Bindings between Entities and Public Keys, Proceedings of the Third International Conference on Financial Cryptography,1999, pages 86-103, Springer-Verlag, UK

[12] Lawrence, J., Practical Application of CSP and FDR to Software Design, 25 Years Communicating Sequential Processes, volume 3525 (2004) of LNCS Springer, pages 151—174.

[13] Li, N. and J. Feigenbaum, Nonmonotonicity, User Interfaces, and Risk Assessment in Certificate Revocation, Proceedings of the 5th International Conference on Financial Cryptography, 2002, pages 166-177, Springer-Verlag, UK.

[14] Liu, C. and M. A. Ozols and M. Henderson and A. Cant, A State-Based Model for Certificate Management Systems, Proceedings of the Third International Workshop on Practice and Theory in Public Key Cryptography, pages 75—92, Springer-Verlag, UK, 2000.

[15] Menezes, A., P. van Oorschot, and S. Vanstone, "Handbook of Applied Cryptography", CRC Press, 1997.

[16] Maurer, U. M., Modelling a Public-Key Infrastructure, Proceedings of the 4th European Symposium on Research in Computer Security, pages 325-350, Springer-Verlag, UK, 1996.

[17] Oliveira, M. V. M., A. L. C. Cavalcanti, and J. C. P. Woodcock, Refining Industrial Scale Systems in Circus, in I.R. East, J. Martin, P.H. Welch, D. Duce, and M. Green, editors, Communicating Process Architectures 2004, volume 62 (2004), of Concurrent Systems Engineering Series, pages 281-309, IOS Press.

[18] Palmer, T., PKI needs good standards?, Information Security Technical Report, 8(3) (2003), pages 6-13.

[19] Piper, F., G. Price, and K. Paterson,Introduction,Information Security Technical Report, 8(3) (2003), 6-13.

[20] Ryan, P., S. Schneider, S. Goldsmith, G. Lowe, G., B. Roscoe, "Modelling and Analysis of Security Protocol", Pearson Education, 2001.

[21] Smart, N. " Cryptography: An Introduction", McGraw-Hill, 2003.

[22] Spivey, J. M., "The Z Notation: A Reference Manual", 2nd Ed., Prentice Hall,1992.

[23] Smith, S. W., Outbound authentication for programmable secure coprocessors, ESORICS '02: Proceedings of the 7th European Symposium on Research in Computer Security, 2002, pages 72-89, Springer-Verlag, UK.

[24] Thomas, S., "SSL and TLS Essentials, Securing the Web", Wiley, 2000.

[25] Welch, V., F. Siebenlistand, I. Foster, J. Bresnahan. K. Czajkowski, J. Gawor, S. Meder, L. Pearlman, and S. Tuecke, Security for Grid Services, 12th International Symposium on High Performance Distributed Computing (HPDC-12), IEEE Press, 2003.

[26] Woodcock, J. and J. Davies, "Using Z Specification, Refinement, and Proof", C.A.R Hoare series editor, Prentice Hall International, 1996.