On the specification and analysis of secure transport layers

The world is becoming strongly dependent on computers, and on distributed communication between computers. As a result of this, communication security is important, sometimes critically so, to many day-to-day activities. Finding strategies for discovering attacks against security protocols and for proving security protocols correct is an important area of research. An increasingly popular technique that is used to simplify the design of security protocols is to rely on a secure transport layer to protect messages on the network, and to provide protection against attackers. In order to make the right decision about which secure transport layer protocols to use, and to compare and contrast different secure transport protocols, it is important that we have a good understanding of the properties that they can provide. To do this, we require a means to specify these properties precisely. The aim of this thesis is to improve our understanding of the security guarantees that can be provided by secure transport protocols. We define a framework in which one can capture security properties. We describe a simulation relation over specifications based on the events performed by honest agents. This simulation relation allows us to compare channels; it also allows us to specify the same property in different ways, and to conclude that the specifications are equivalent. We describe a hierarchy of confidentiality, authentication, session and stream properties. We present example protocols that we believe satisfy these specifications, and we describe which properties we believe that the various modes of TLS satisfy. We investigate the effects of chaining our channel properties through a trusted third party, and we prove an invariance theorem for the secure channel properties. We describe how one can build abstract CSP models of the secure transport protocol properties. We use these models to analyse two single sign-on protocols for the internet that rely on SSL and TLS connections to function securely. We present a new methodology for designing security protocols which is based on our secure channel properties. This new approach to protocol design simplifies the design process and results in a simpler protocol.