Freshness Analysis in Security Protocols

Chiara Braghin, Agostino Cortesi, Riccardo Focardi
Dipartimento di Informatica, Università Ca' Foscari di Venezia, Via Torino 155, 30173 Venezia – Mestre (Italy)
{braghin,cortesi,focardi}@dsi.unive.it

Abstract

Guaranteeing freshness of messages is a key issue in entity authentication within security protocols, to prevent replay attacks. In this paper we show how to model cryptographic protocols by Mobile Ambients, and how a suitable Control Flow Analysis of Mobile Ambients can be defined for message freshness verification.

Keywords: Mobile Ambients, Security, Static Analysis.

The growing need for distributed systems development and the increasing load of network functionalities call for the design of formal methods that properly model and address both mobility and security issues, leading to sophisticated analysis and verification tools. So, mobility and security can be seen as a very challenging and demanding workbench for any analysis and verification technique.

This paper originates from a couple of quite naive questions:

- As Mobile Ambient Calculus [7] seems to be one of the best high-level approaches to mobility issues, what is needed to properly model also cryptographic protocols in that Calculus?
- Is it possible to specialize existing abstract-interpretation based analyses of Mobile Ambients to verify specific properties of cryptographic protocols, thus preventing malicious attacks?

The results we present can be seen as a first attempt to properly address the questions above. We restrict our attention to a particular set of common attacks on cryptographic protocols, the so-called "replay attacks", where an adversary records a communication session and replays the entire session, or a portion thereof, at some later point in time. To avoid this kind of attack, a crucial role in cryptographic protocols is played by message freshness, which guarantees against replication of messages.
So we focus on a specific goal: designing a freshness verifier for cryptographic protocols within Mobile Ambient Calculus.

Partially supported by MURST Projects "Interpretazione Astratta, Type Systems e Analisi Control-Flow", and "Modelli formali per la sicurezza" and the EU Contract IST-2001-32617 "Models and Types for Security in Mobile Distributed Systems".