Type-Based Automated Verification of Authenticity in Asymmetric Cryptographic Protocols Morten Dahl 2 , Naoki Kobayashi 1 , Yunde Sun 1 , and Hans H ¨ uttel 2 1 Tohoku University 2 Aalborg University Abstract. Gordon and Jeffrey developed a type system for verification of asym- metric and symmetric cryptographic protocols. We propose a modified version of Gordon and Jeffrey’s type system and develop a type inference algorithm for it, so that protocols can be verified automatically as they are, without any type anno- tations or explicit type casts. We have implemented a protocol verifier SPI CA2 based on the algorithm, and confirmed its effectiveness. 1 Introduction Security protocols play a crucial role in today’s Internet technologies including elec- tronic commerce and voting. Formal verification of security protocols is thus an im- portant, highly active research topic, and a variety of approaches to (semi-)automated verification have been proposed [8, 5, 15]. Among others, type-based approaches [1, 14, 15] have advantages that protocols can be verified in a modular manner, and that it is relatively easy to extend them to verify protocols at the source code level [4]. They have however a disadvantage that users have to provide complex type annotations, which re- quire expertise in both security protocols and type theories. Kikuchi and Kobayashi [18] developed a type inference algorithm but it works only for symmetric cryptographic protocols. To overcome the limitation of the type-based approaches and enable fully automated protocol verification through type inference, we integrate and extend the two lines of work – Gordon and Jeffrey’s work [15] for verifying protocols using both symmet- ric and asymmetric cryptographic protocols, and Kikuchi and Kobayashi’s work. The outcome is an algorithm for automated verification of authenticity in symmetric and asymmetric cryptographic protocols. The key technical novelty lies in the symmetric notion of obligations and capabilities attached to name types, which allows us to rea- son about causalities between actions of protocol participants in a general and uniform manner in the type system. It not only enables automated type inference, but also brings a more expressive power, enabling, e.g., verification of multi-party cryptographic pro- tocols. We have developed a type inference algorithm for the new type system, and implemented a protocol verification tool SPI CA2 based on the algorithm. According to experiments, SPI CA2 is very fast; it could successfully verify a number of protocols in less than a second. The rest of this paper is structured as follows. Section 2 introduces spi-calculus [2] extended with correspondence assertions as a protocol description language. Sections 3