Attacking Group Multicast Key Management Protocols Using Coral

This paper describes the modelling of a two multicast group key management protocols in a firstorder inductive model, and the discovery of previously unknown attacks on them by the automated inductive counterexample finder Coral. These kinds of protocols had not been analysed in a scenario with an active intruder before. Coral proved to be a suitable tool for a job because, unlike most automated tools for discovering attacks, it deals directly with an open-ended model where the number of agents and the roles they play are unbounded. Additionally, Coral's model allows us to reason explicitly about lists of terms in a message, which proved to be essential for modelling the second protocol. In the course of the case studies, we also discuss other issues surrounding multicast protocol analysis, including identifying the goals of the protocol with respect to the intended trust model, modelling of the control conditions, which are considerably more complex than for standard two and three party protocols, and effective searching of the state space generated by the model, which has a much larger branching rate than for standard protocols.