UNIVERSITÉDUQUÉBECENOUTAOUAIS ...w3.uqo.ca/dii/etudMaitrise/uploads/16.pdfminimisantlecoûtdel’analyse. ... Nous avons construit un cadre formel dans le but d’assurer la correction

UNIVERSITÉ DU QUÉBEC EN OUTAOUAIS

FORMAL METHODS FOR SECURITY PROTOCOL CORRECTNESS

THESIS SUBMITED

IN PARTIAL FULFILLMENT

OF THE REQUIREMENTS FOR

THE DEGREE OF MASTER OF SCIENCE

BY

LIVIU PENE

JUNE 2004

UNIVERSITÉ DU QUÉBEC EN OUTAOUAIS

Département d’informatique et d’ingénierie

Ce mémoire intitulé :FORMAL METHODS FOR SECURITY PROTOCOL CORRECTNESS

présenté parLiviu Pene

pour l’obtention du grade de maître ès sciences (M.Sc.)

a été évalué par un jury composé des personnes suivantes :

Kamel Adi.................................directeur de rechercheKarim El Guemhioui.................président du juryLuigi Logrippo...........................membre du jury

Mémoire accepté le: 11 juin 2004

To Raluca.

Acknowledgments

First and foremost, I wish to thank my research supervisor, Dr. Kamel Adi, who

have guided my work on this project from beginning to end. Throughout the thesis,

I have often asked for his knowledgeable advice about a plethora of good and not-

so-good ideas I had. His valuable insights and constructive criticism have always

pushed me to think and write clearer and more concisely. His assistance with macros,

templates, tables and style in general was invaluable. It is largely due to him that

my thesis does not look like a 100 pages sentence.

I am grateful to Dr. Karim El Guemhioui and Dr. Luigi Logrippo who helped

me bound the scope of my project. Their useful comments and suggestions on the

research proposal encouraged and motivated me. Some of the changes in the second

chapter were triggered by their remarks. I extend my thanks to Dr. Karim El

Guemhioui for his introductory course to LATEX, which causes me so much grief and

enjoyment. I am still surprised, happy and annoyingly proud whenever a compilation

does not return any error message.

iii

iv

My friends have helped me preserve the contact with the real world every time I

was voluntarily secluding myself. My life has been filled with weddings, baptisms,

birthday parties, soccer games and weekly trips to Montreal. Their compassionate

affection and warm-hearted encouragements meant a lot to me. If any of those

who offered their help could have contributed with one paragraph to this thesis, I

wouldn’t have had to add a word to it.

Finally, I would like to thank my family for being very supportive and concerned all

along. Their genuine interest in the subject of this thesis helped me feel less guilty

for not sharing enough of my time with them. My wife, my mother-in-law and my

father can probably sustain a fairly technical discussion about the formal aspects

of security protocol verification. I am so grateful for having them by my side. My

father’s excellent coffee kept me awake and my mother-in-law’s cakes gave me the

desired energy supplement. My wife did a careful and merciless proof-reading and

helped correcting the draft. Above all, she showed me unquestioning faith in my

abilities, relentless support and unconditional love.

Résumé

Enjeux

Avec l’expansion rapide des réseaux informatiques et l’apparition de nouvelles techno-

logies telles que le "World Wide Web" et le commerce électronique, la sécurité des

communications est devenue une préoccupation majeure pour la communauté des

chercheurs en informatique et un grand intérêt s’est manifesté pour l’analyse, la

conception et l’implémentation des protocoles de sécurité.

Un protocole de communication est une séquence bien définie d’interactions per-

mettant de gouverner les communications dans les systèmes distribués. Le terme

protocole a était associé pour la première fois avec le transfert d’information dans un

mémorandum publié en 1967 par R. A. Scantlebury et K. A. Bartlett intitulé A pro-

tocol for use in the NPL data communication network [53]. Un protocole doit définir

un format des messages valides et des règles concernant l’échange des messages. Les

cinq éléments d’une spécification complète d’un protocole sont : le service fourni, les

hypothèses sur l’environnement, le vocabulaire, le codage et les règles procédurales.

v

vi

Les protocoles de sécurité (ou protocoles cryptographiques) sont une sous-classe des

protocoles de communication définis comme des séquences bien établies d’envoi et

de réception de messages utilisant des techniques cryptographiques afin d’atteindre

des objectifs de sécurité dans un environnement distribué. Les services de sécu-

rité assurés par les protocoles cryptographiques peuvent être l’authentification des

agents, la confidentialité des communications, l’intégrité des données, l’anonymat

des intervenants, la non-répudiation, etc.

Malgré le travail assidu de la communauté scientifique dans ce domaine, les proto-

coles cryptographiques sont toujours vulnérables à des attaques malicieuses. Il a été

prouvé, dans de nombreuses occasions, qu’une quantité insuffisante de temps allouée

à la phase de conception des protocoles peut mener à des attaques désastreuses. Il

est alors impératif de bien concevoir les protocoles et d’exécuter des tests pertinents

avant de passer à la phase d’implémentation. Dans le cas idéal, la vérification doit

révéler tous les défauts possibles ou prouver la correction du protocole d’une manière

convaincante. Par conséquent, un grand intérêt a été exprimé dans le développement

de techniques formelles pour la vérification de protocoles de sécurité.

État de l’art

L’analyse formelle des protocoles de sécurité a connu un développement impression-

nant au cours des dernières années. Les méthodes de vérification rudimentaires ont

évolué vers des techniques automatisées très complexes. Burrows, Abadi et Need-

vii

ham [14] ont introduit les notions de logique modale de croyance, de relations de

confiance et de juridiction afin de formaliser des principes de raisonnement sur les

protocoles de sécurité. Paulson [49] a utilisé l’idée de règles inductives pour modé-

liser les protocoles. Lowe est le premier qui a utilisé CSP [32] et des techniques de

"model checking" pour l’analyse des protocoles cryptographiques [34, 36]. La véri-

fication est exécutée par l’extraction d’un modèle de la spécification (d’habitude un

système de transition d’états finis) et la vérification du modèle par rapport à une

spécification logique ou comportementale. Des approches similaires ont été dévelop-

pées par Roscoe, Gardiner, Jackson, Hulance [25, 26, 52], Schneider [54] et Meadows

[38]. Abadi et Gordon ont conçu Spi [1], un calcul pour la description et l’analyse de

protocoles cryptographiques. Spi est construit comme une extension du π-calculus

de Milner [40, 41], une algèbre de processus mobile. Mitchell et al. [42, 43, 55]

a utilisé l’outil d’énumération d’états Murφ [18] pour vérifier quelques protocoles

existants. D’autres approches ayant donné de très bon résultats sont la méthode

de preuves de Bolignano [9] et les "strand spaces" de Thayer, Herzog et Guttman

[23, 30].

Plusieurs méthodes ont été utilisées avec succès pour la détection de failles dans

les protocoles cryptographiques. Cependant, les techniques fondamentales de véri-

fication, principalement celles basées sur le "model checking", sont problématiques

dans le cas de processus qui présentent des comportements infinis. En conséquence,

les aspects infinis des protocoles cryptographiques ne sont pas d’habitude supportés

par ces techniques.

viii

Interpretation abstraite

L’interprétation abstraite permet des manipulations sémantiques par l’exécution de

simulations sur une description des données afin d’obtenir l’analyse correcte la plus

précise. L’interprétation abstraite a été appliquée avec succès dans la vérification

de protocoles de sécurité et de nombreux modèles abstraits ont été obtenus, tels

que les automates d’arbre de Monniaux [44, 45], les abstractions paramétriques

d’automates de Goubault-Larrecq [29], les catégories abstraites de Adi et Debbabi

[3, 4, 5], l’abstraction basée sur les trames de Lakhnech et al. [11]. Des techniques

similaires sont les limites sur les attaques par Stoller [56], les fonctions de rang de

Heather et Schneider [31] et la limite sur le nombre des agents de Comon-Lundt et

Cortier [17].

Au chapitre 4 de ce mémoire, nous montrons comment les techniques d’interprétation

abstraite peuvent être appliquées aux problèmes d’analyse des protocoles de sécurité.

En général, les modèles de protocoles sont infinis, cependant, dans la majorité des

cas, pour des buts de vérification, seulement des modèles finis et approximatifs sont

nécessaires. Pour cette raison, nous considérons le problème du calcul d’une telle

approximation et nous nous proposons de simuler l’exécution partielle d’un protocole

à un niveau abstrait. Plus précisément, nous définissons une méthode qui calcule des

modèles finis abstraits pour les protocoles de sécurité. Le modèle abstrait est alors

utilisé pour construire une procédure semi-décidable pour la correction du protocole

par rapport à la propriété de confidentialité. Contrairement aux autres approches

ix

qui exigent que l’utilisateur conçoive l’abstraction manuellement, notre approche

est entièrement automatique, de la description de protocole aux résultats. Elle

n’exige pas d’intervention de l’utilisateur sauf pour la description du protocole et la

spécification du niveau de l’abstraction. Ce dernier paramètre permet à l’utilisateur

d’adapter la précision de l’abstraction pour obtenir les meilleurs résultats tout en

minimisant le coût de l’analyse.

Pour élaborer notre technique de vérification de protocoles de sécurité par interpré-

tation abstraite, nous avons commencé par définir une fonction d’abstraction sur les

messages manipulés par les protocoles. Cette fonction réalise une coupure dans la

structure algébrique des messages pour limiter leur taille. Cette abstraction reste

correcte puisqu’elle surestime les connaissances de l’intrus tout en rendant l’ensemble

de ses connaissances fini. Il est ainsi possible de calculer en un temps fini l’ensemble

des connaissances M# que l’intrus peut acquérir en exécutant un protocole de sécu-

rité P en multi-sessions et multi-rôles. Nous dirons alors que P ne divulgue pas

le message m ou bien P garde m secret si pour tout x dans M#, glb(x,ma) = ⊥

où ma est la forme abstraite du message m, glb est la fonction "borne inférieure"

et ⊥ est un message abstrait représentant la plus petite valeur du treillis abstrait.

La méthode est seulement semi-décidable, dans le sens où s’il existe un x dans M#

pour lequel glb(x,ma) 6= ⊥, nous ne pouvons pas conclure à l’existence d’une faille

de confidentialité dans le protocole.

x

Correction

Nous avons construit un cadre formel dans le but d’assurer la correction des pro-

tocoles cryptographiques par rapport à la propriété de confidentialité. Le modèle

défini est entièrement original, avec de nouveaux concepts tels que l’impasse, les

sessions dérivées et les stratégies gagnantes. Nous avons formalisé la confidentialité

et avons défini des conditions nécessaires pour garantir la correction des protocoles

par rapport à cette propriété. Nous avons prouvé qu’il y a une limite supérieure

sur le nombre de sessions nécessaires pour vérifier la propriété de sécurité analysée.

Ainsi, dans le chapitre 5 nous avons construit un modèle pour les protocoles de

sécurité permettant de capturer d’une manière formelle et élégante l’évolution des

connaissances de l’intrus. Le modèle borne les attaques en multi-sessions. Nous

démontrons qu’il est suffisant d’analyser un nombre limité de sessions afin de prou-

ver si la propriété de sécurité est conservée par des protocoles de sécurité. Notre

recherche s’est limitée aux catégories de protocoles impliquant deux agents, mais

peut s’être facilement étendue aux protocoles qui utilisent plusieurs agents.

Dans un protocole de sécurité, l’intrus peut être un participant actif ou passif. Un

comportement actif implique des actions de création ou de modification de messages

qui sont envoyés aux agents réguliers du système. Ceci signifie que l’intrus doit

avoir toutes les composantes nécessaires pour construire ou modifier des messages.

Quand l’intrus doit envoyer un message qu’il ne peut construire, il est alors dans

une situation d’impasse. Une telle situation peut arriver au maximum [n/2] fois

xi

où n correspond au nombre d’étapes du protocole dans lequel l’intrus peut jouer

le rôle d’émetteur. Une session initiée à l’intérieur d’une autre session suite au

besoin de l’intrus de résoudre une impasse est appelée une session dérivée. Une telle

session permet d’apporter les connaissances manquantes à l’intrus en instrumentant

d’autres exécutions du protocole. L’ensemble des sessions dérivées par l’intrus dans

le but de résoudre une impasse est appelée une stratégie et une stratégie qui réussit à

rapporter les données nécessaires pour résoudre une impasse est appelée une stratégie

gagnante. La séquence de stratégies nécessaires pour résoudre toutes les impasses

est appelée un scénario d’attaque. Pour illustrer ce travail par un exemple, nous

avons analysé le protocole CCITTX.509 [15] et le scénario d’attaque révélé par

notre technique pour la version originale du protocole est similaire à celui publié par

Burrows, Abadi et Needham.

Conclusion

Ce mémoire présente deux contributions de recherche dans l’utilisation de tech-

niques formelles pour la vérification de protocoles de sécurité. La première con-

tribution traite de la vérification des failles de confidentialité dans les protocoles

cryptographiques par construction de modèles abstraits. La deuxième contribution

est un cadre pour l’élaboration de preuves de corrections pour une sous classe de

protocoles par rapport à la propriété de confidentialité. Ainsi, dans le chapitre 4,

nous avons proposé une technique de construction de modèles de trace abstraits dans

xii

le but d’obtenir une procédure de correction de protocoles semi-décidable. Dans le

chapitre 5, nous avons élaboré un cadre de raisonnement formel pour vérifier la cor-

rection d’une sous classe de protocoles de sécurité. Le but de cette recherche est

l’étude de la propriété de confidentialité dans les protocoles de sécurité. Cependant,

il y a d’autres propriétés de sécurité intéressantes qui peuvent être examinées, tel

que la l’authentification, la non-répudiation, l’anonymat, la disponibilité, etc. et qui

peuvent constituer des extensions intéressantes de ce travail.

Plan du mémoire

La structure de ce mémoire est comme suit. Au chapitre 2 nous introduisons

quelques définitions fondamentales relatives à la cryptographie et aux protocoles

de sécurité. Au chapitre 3, nous présentons l’état de l’art dans la vérification de

protocoles de sécurité. Au chapitre 4, nous présentons une nouvelle méthode de véri-

fication de protocole de sécurité basée sur l’interprétation abstraite. Au chapitre 5,

nous présentons un cadre de raisonnement formel permettant de vérifier la correction

des protocoles de sécurité par rapport à la propriété de confidentialité. Au chapitre

6, nous résumons le travail présenté et soulignons nos contributions originales et de

possibles développements futurs de notre travail.

Abstract

The goal of this thesis is to explore the use of formal methods for security protocol

correctness. Nowadays, one of the core research directions in a constantly growing

distributed environment is the improvement of the security aspects of the commu-

nication process. Security flaws have been discovered in quite a few occasions, in

spite of the considerable amount of time and effort required for the design and im-

plementation of cryptographic protocols. The responsibility for proper verification

becomes crucial. Formal methods can play an essential role in the development of

reliable security protocols.

The thesis presents two different methodologies for assessing correctness. Our

first approach employs abstract interpretation techniques for creating a trace-based

model for protocol executions. The model was used for building a semi-decidable

procedure for verifying protocol secrecy. We also developed a second model and a

formal reasoning for multiple-session attacks on cryptographic protocols. The new

concepts of impasse and spawned sessions that we introduced led our research to

xiii

xiv

original statements about the intruder’s knowledge and protocol correctness with

respect to secrecy. Furthermore, we demonstrated that there is a bound on the

number of sessions needed for the analysis of secrecy.

Decidability and correctness results for security protocols are not abundant. How-

ever, recent advancements, such as the bound on the number of agents, indicate that

there are still important issues to be addressed in the security protocols field. Our

study presents two original conclusions to that effect. We will attempt to pursue

the work done in this thesis with complementary results.

Liviu Pene Dr. Kamel Adi

Student Supervisor

Table of Contents

1 Introduction 1

2 Basics 52.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.2 Cryptographic Protocols . . . . . . . . . . . . . . . . . . . . . . . . . 82.3 Cryptographic Protocol Properties . . . . . . . . . . . . . . . . . . . 11

2.3.1 Security Properties . . . . . . . . . . . . . . . . . . . . . . . . 112.3.2 Transaction Properties . . . . . . . . . . . . . . . . . . . . . . 13

2.4 Cryptographic Protocols Flaws . . . . . . . . . . . . . . . . . . . . . 142.4.1 Elementary Flaws . . . . . . . . . . . . . . . . . . . . . . . . . 152.4.2 Freshness Flaws . . . . . . . . . . . . . . . . . . . . . . . . . . 152.4.3 Parallel Session Flaws . . . . . . . . . . . . . . . . . . . . . . 162.4.4 Type Flaws . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182.4.5 Key Guessing Flaws . . . . . . . . . . . . . . . . . . . . . . . 192.4.6 Internal Action Flaws . . . . . . . . . . . . . . . . . . . . . . . 192.4.7 Repudiation Flaws . . . . . . . . . . . . . . . . . . . . . . . . 202.4.8 Cryptosystem Related Flaws . . . . . . . . . . . . . . . . . . . 20

2.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

3 Formal Verification of Cryptographic Protocols 223.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223.2 Formal Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

3.2.1 Specification Languages . . . . . . . . . . . . . . . . . . . . . 233.2.1.1 Interface Specification Language . . . . . . . . . . . 243.2.1.2 Common Authentication Protocol Specification Lan-

guage . . . . . . . . . . . . . . . . . . . . . . . . . . 243.2.1.3 Casper . . . . . . . . . . . . . . . . . . . . . . . . . . 243.2.1.4 SPI Calculus . . . . . . . . . . . . . . . . . . . . . . 25

3.2.2 Formal Verification . . . . . . . . . . . . . . . . . . . . . . . . 273.2.2.1 Logic-Based Techniques . . . . . . . . . . . . . . . . 273.2.2.2 The Typing Method . . . . . . . . . . . . . . . . . . 303.2.2.3 Paulson’s Inductive Approach . . . . . . . . . . . . . 32

3.3 Abstract Interpretation Concepts . . . . . . . . . . . . . . . . . . . . 323.3.1 Ordered Sets Fundamentals . . . . . . . . . . . . . . . . . . . 333.3.2 Galois Connections . . . . . . . . . . . . . . . . . . . . . . . . 35

xv

xvi

3.4 Tree Automata Abstraction . . . . . . . . . . . . . . . . . . . . . . . 363.4.1 Concrete Model . . . . . . . . . . . . . . . . . . . . . . . . . . 363.4.2 Tree Automata Model . . . . . . . . . . . . . . . . . . . . . . 383.4.3 Abstract Model . . . . . . . . . . . . . . . . . . . . . . . . . . 403.4.4 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . 40

3.5 ∨-Parameterized Tree Automata . . . . . . . . . . . . . . . . . . . . . 413.5.1 ∨-Parameterized Tree Automata Concepts . . . . . . . . . . . 413.5.2 Algebra of Messages . . . . . . . . . . . . . . . . . . . . . . . 433.5.3 Intruder Capabilities . . . . . . . . . . . . . . . . . . . . . . . 443.5.4 Simulating Protocol Runs . . . . . . . . . . . . . . . . . . . . 453.5.5 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . 46

3.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

4 Abstract Trace-Based Model for Security Protocol Correctness 484.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484.2 Trace-Based Models for Security Protocols . . . . . . . . . . . . . . . 514.3 Abstract Domain of Messages . . . . . . . . . . . . . . . . . . . . . . 554.4 Simulating Cryptographic Protocol Runs . . . . . . . . . . . . . . . . 71

4.4.1 Abstracting Atomic Messages . . . . . . . . . . . . . . . . . . 724.4.1.1 Abstracting Agent Names . . . . . . . . . . . . . . . 734.4.1.2 Abstracting Keys . . . . . . . . . . . . . . . . . . . . 734.4.1.3 Abstracting Nonces . . . . . . . . . . . . . . . . . . . 74

4.4.2 Abstracting Protocols . . . . . . . . . . . . . . . . . . . . . . 744.5 Verification of Secrecy Correctness . . . . . . . . . . . . . . . . . . . . 784.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

5 Formal Reasoning for Security Protocol Correctness 805.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805.2 Definitions and Assumptions . . . . . . . . . . . . . . . . . . . . . . . 825.3 Intruder’s Knowledge . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

5.3.1 Intruder’s Capabilities . . . . . . . . . . . . . . . . . . . . . . 865.3.2 Impasse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875.3.3 Spawned Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 89

5.4 Protocol Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . 935.5 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

5.5.1 Intruder Needs . . . . . . . . . . . . . . . . . . . . . . . . . . 955.5.2 Roles and Identities . . . . . . . . . . . . . . . . . . . . . . . . 955.5.3 Equivalent Attacks . . . . . . . . . . . . . . . . . . . . . . . . 97

5.6 Bound on Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 985.7 Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1055.8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

6 Conclusion 1116.1 Contribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1116.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

List of Tables

2.1 The Woo and Lam Authentication Protocol . . . . . . . . . . . . . . 92.2 The Neuman-Stubblebine Key Distribution Protocol . . . . . . . . . . 102.3 The Needham-Schroeder Protocol . . . . . . . . . . . . . . . . . . . . 162.4 Attack Scenario on the Needham-Schroeder Protocol . . . . . . . . . . 162.5 The Three-Pass Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 172.6 Attack Scenario on the Three-Pass Protocol . . . . . . . . . . . . . . 172.7 The Otway-Rees Protocol . . . . . . . . . . . . . . . . . . . . . . . . 182.8 Type attack on the Otway-Rees Protocol . . . . . . . . . . . . . . . . 19

3.1 Experimental results for ∨PTA . . . . . . . . . . . . . . . . . . . . . 46

4.1 The Woo and Lam Authentication Protocol . . . . . . . . . . . . . . 534.2 Woo and Lam Inductive Rules . . . . . . . . . . . . . . . . . . . . . . 544.3 Abstract Intruder Knowledge Generation from Abstract Traces . . . 76

5.1 Spawning options for an initial session γ. . . . . . . . . . . . . . . . 1035.2 The original CCITT X.509 Protocol . . . . . . . . . . . . . . . . . . 1055.3 Spawning options for an initial session γ of the CCITT X.509 protocol 1075.4 The corrected CCITT X.509 Protocol . . . . . . . . . . . . . . . . . 108

xvii

Chapter 1

Introduction

A communication protocol is an orderly defined sequence of interaction between en-

tities designed to govern communications in a distributed system. The term protocol

was first associated with information transfer in a memorandum published in April

1967 by R. A. Scantlebury and K. A. Bartlett titled A protocol for use in the NPL

data communication network [53]. A protocol has to define a format of the valid

messages along with the rules for data exchange. The five elements of a complete

specification are: the service provided, the assumptions about the environment, the

vocabulary, the encoding and the procedure rules.

Security protocols (or cryptographic protocols) are a subclass of communication

protocols that can be defined as a precisely determined sequence of messages us-

ing cryptographic techniques in order to achieve security objectives in a distributed

environment. For the scope of this thesis, we make the assumption that the crypto-

graphic systems used by various algorithms are perfect, in the sense that they cannot

be broken by a malicious intruder. Among the techniques involved we can mention

symmetric and asymmetric encryption, hash functions and digital signatures. The

security services to be provided are authentication of principals, secrecy, integrity,

anonymity, non repudiation, establishment of session keys and so on. In spite of the

hard work of the scientific community in this field, security protocols are still prone

1

2

to error. In numerous occasions, it has been proven that an insufficient amount of

time spent on protocols design can lead to attacks that reveal secret information

to skilled intruders. Therefore, it is of utmost importance to allow enough time

for the design process and perform pertinent tests before implementing any security

protocol. In the ideal case, such an examination should either reveal all possible

flaws or prove correctness in a convincing manner.

Formal analysis of security protocols has evolved from basic, sometimes rudimen-

tary, verification methods to very complex automated techniques in the form of

formal dedicated languages, calculi and logics. Burrows, Abadi and Needham [14]

introduced the notions of modal logic of belief, trust relationships and jurisdiction

in order to formalize reasoning principles on security protocols. Paulson applied in

[49] the idea of inductive rules as models for security protocols. Lowe [34, 36] was

the first to use CSP [32] and model-checking techniques for cryptographic protocol

analysis. The protocol is specified as a set of communicating sequential processes

that are running in parallel and interacting with their surroundings. The verification

is performed by extracting a model (usually a finite state transition system) from

the specification and checking the model against a logical specification (a formula

over a modal temporal logic) or a behavioral specification (a process term). The

idea is to verify whether an intruder could lead principals involved in a protocol

run to an insecure state. The process algebra-based methods have been successfully

used in the detection of several flaws in well-known cryptographic protocols. The

approach seems to be very promising and useful. However, it is well known that

the underlying verification techniques, mainly those based on model-checking, are

problematic in the presence of processes that exhibit infinite behaviors. Accord-

ingly, the infinite aspects of cryptographic protocols are usually not supported in

the verification process. Notice also that the specification of security properties in

terms of process agents or modal formulas is neither straightforward nor system-

atic. Abstract models have been successfully used for protocol correctness. Other

approaches attempted that produced good results are the use of theorem proving by

3

Bolignano [9], game semantics by Adi [3, 5] and strand spaces by Thayer, Herzog

and Guttman [23, 30].

Contributions

We are particularly interested in the correctness aspects of security protocols veri-

fication. Formal methods presented themselves as the appropriate choice for com-

pleting the verification tasks involved. There are, however, inconveniences related

to this option. By hypothesis, an intruder can execute an infinite number of sessions

in order to find flaws. As a consequence secrecy in general - with no assumptions

made on the message size and the number of agents, keys, etc. - is undecidable.

It is a challenge to find the balance between the accuracy of the results and the

assumptions. If no restrictions are imposed on the model, the procedures can be

undecidable or semi-decidable at best. Conversely, more powerful results can emerge

when a set of assumptions is defined.

We have obtained both decidability and semi-decidability results with respect to

protocol correctness. First, we defined in chapter 4 a trace-based model based

on the interesting properties of an abstraction function defined by Adi [5]. The

abstraction overestimates the intruder’s knowledge and is correct with respect to

the information available to the intruder in any possible protocol execution. We

proved that secrecy is semi-decidable for our model, in the sense that the protocol

fails if a flaw is found, but nothing can be said if no flaws are discovered. The result

is similar to the one obtained by Adi for a category-based model.

Second, we built a completely new framework in chapter 5 with the same aim of

observing correctness for security protocol verification. The model defined is entirely

original, along with new concepts such as impasse, spawned sessions and winning

strategies. We formalize the notion of secrecy and define a set of assumptions for

the model, the most important one being the number of agents. We prove that

4

there is an upper bound on the number of sessions needed for verifying the security

property analyzed. To our knowledge, this is the first result that displays a bound

on the number of sessions that is independent of the number of protocol steps and

variables.

Outline

The layout of this thesis is presented below:

• Chapter 1 outlines the content of the thesis: the context, the original contri-

bution and the logical division into chapters.

• Chapter 2 introduces basic cryptography and cryptographic protocols defini-

tions and presents some of the common problems related to the implementation

of security properties.

• Chapter 3 overviews some of the advancements in security protocols verifica-

tion and addresses a theory that is of particular interest for this study: abstract

interpretation.

• Chapter 4 presents a new protocol verification method based on abstract in-

terpretation. The aim is to build a semi-decidable procedure for secrecy.

• Chapter 5 addresses correctness with respect to secrecy and presents a formal

reasoning for evaluating such correctness. The proposed framework includes a

comprehensive analysis and a bounding model for multi-session attacks that

is sufficient for our correctness proofs.

• Chapter 6 summarizes the work presented and underlines our original contri-

butions. Further development is also envisioned.

• Finally, the Bibliography section lists all the articles, reports, books etc. that

where cited in this study.

Chapter 2

Basics

Abstract

This chapter presents some basic cryptographic protocols definitions, the security

properties and the potential flaws associated with their impementation. This is not

an exhaustive introduction, it simply gathers the background knowledge needed for

following the rest of the thesis.

2.1 Introduction

Cryptology means, as translated from ancient Greek, hidden-word (kryptos logos)

and has been used for preserving confidentiality of military communications since im-

memorial times. Cryptography is, along with cryptanalysis, one of the two branches

of cryptology. The goal of cryptography is to provide data secrecy, for a period

of time, for messages transmitted between a sender and a receiver. This is accom-

plished by crafting codes and cyphers. Cryptanalysis, on the other hand, aims at

retrieving the clear text from encrypted messages through attacks on encoding al-

gorithms. The two complementary facets of cryptology evolve synchronized, as the

development of one necessarily leads to the advance of the other.

Nowadays, cryptography is no longer the prerogative of governments and military

5

2.1 Introduction 6

forces, especially with the extraordinary improvement in computing power brought

by distributed environments (and most notably the Internet) and personal comput-

ers. The cryptographic algorithms allow encryption of a message M to an encrypted

message M’ and decryption of M’ into M. The standard notation for encryption of

a message M with the key K is e(M,K) and for decryption of a message M’ with

the key K−1, d(M’,K−1). The functions are inverses of each other, meaning that:

d(e(M,K),K−1) = M

The parameters facilitating the two processes are called encryption and decryption

keys (K and K−1, respectively). Based on the relationship between the keys, three

systems are popular: symmetric key systems, asymmetric key systems and nonin-

vertible cryptography.

The symmetric key system has the particularity that the decryption key can be

computed starting from the encryption key. In most cases, the system uses the

same key M for both encryption and decryption. Therefore, one can write:

d(e(M,K),K) = M

The participants must agree, before exchanging messages, on a secret key to be used

for communication. There are some well-known algorithms of this type that were

or are still extensively used: RC2, RC4, RC5, IDEA (International Data Encryption

Algorithm) and DES (Data Encryption Standard).

The asymmetric key system allows a principal to derive a set of keys, which are

the inverse of each other, to be used for message encryption and decryption. The

method developed by Witfield Diffie and Martin E. Hellman [21] is an alternative to

the symmetric system that employs a public key and a private key, hence the name

public key system. The public key is supposed to be known or available to anybody

2.1 Introduction 7

wishing to communicate with the principal, and it is to be used for encryption. The

principal will then decrypt the message using the private key, which is extremely

hard, if not impossible, to compute from the public key. Public key cryptography

is much slower then its symmetric counterpart and it is mainly employed just to

ensure a secure exchange of symmetric keys.

The best known asymmetric key algorithm is RSA [51], an acronym for the names

of it’s creators: Ronald Rivest, Adi Shamir and Leonard Adleman. The algorithm

is used to generate public and private keys and is based on the difficulty of finding

two prime numbers starting from their product. The steps involved are:

• choosing two large numbers p and q

• computing their product n = p× q

• finding (e,d) such that e×d ≡ 1mod((p−1)×(q−1)) and e and (p−1)×(q−1)

are prime between them

• pairing the private key (d,e) and the public key (n,e)

• cutting de message M in blocs mi

• encrypting blocks by ci = mie mod(n)

• concatenating all encrypted blocks mi.

Other useful applications of asymmetric key algorithm include authentication and

digital signature. Authentication allows a user to prove his identity for the purpose

of login or access control, for instance. Digital signatures are additional credentials

attached to the message M, depending on a secret key, and that can only be verified

by someone holding the corresponding public key.

Noninvertible cryptography uses a single direction hash function H(M) for comput-

ing a print from the message M, with the following properties:

2.2 Cryptographic Protocols 8

• H(M) is easy to compute

• finding M from H(M) should be almost impossible

• finding M’ such that H(M) = H(M’) must be extremely difficult.

Noninvertible cryptography is implemented in password management in networked

environments in order to hide the true value of a password behind its hashed value.

2.2 Cryptographic Protocols

Participants to a protocol, called principals, have to follow well defined steps, known

in advance, to communicate with each other. Cryptographic techniques are used for

the protocols with a security objective, hence the name cryptographic protocols. The

security objective might be confidentiality or might involve authentication, genera-

tion of random sequences, or partial sharing of a secret.

The basic syntax agreed upon by most researchers denotes the principals by A, B

and S. A and B are two parties wishing to communicate in a secure way and S is

a trusted server. The two principals will share a key Kab. In case a public-private

key encryption scheme is used, the public key of A is Ka and the private one is

Ka−1. Random sequences of bits, called nonces, can be used to identify a particular

protocol execution. A nonce and a timestamp generated by principal B are Nb

and Tb, respectively. A message M encrypted by the key K is noted mK . The

communication steps are described by the following syntax:

Message number. Principal1 → Principal2 : Message

For instance, the third step of the Woo and Lam protocol [59] the following syntax:

Message 3. A → B : NbKas


The meaning of the above is that for this protocol, during the execution of the third

step, A sends to B a message containing a nonce Nb generated by B encrypted with

a key Kas shared only by A and the server S.

Based on their security objectives, there are several types of protocols, of which

the most prominent are authentication, key distribution and e-commerce protocols.

The authentication protocols verify the identity of the sender and the integrity of

the data to protect against masquerades. Depending on whether the authentication

occurs at one end or both, the protocols can be unidirectional or bidirectional. Table

2.1 below presents the Woo and Lam protocol, one of the best known authentication

protocols.

Message 1. A → B : A

Message 2. B → A : Nb

Message 3. A → B : NbKas

Message 4. B → S : A, NbKasKbs

Message 5. S → B : NbKbs

Table 2.1: The Woo and Lam Authentication Protocol

When secure distribution of cryptographic keys is desired, the key distribution pro-

tocols are used. The three aspects involved are confidentiality, integrity and avail-

ability. Confidentiality ensures that the key can’t be acquired by an intruder. Key

integrity is the assurance that any modification to the key is detected. Availability

guarantees the participants obtain a session key at the end of the protocol. Table

2.2 presents the Neuman-Stubblebine protocol, a key distribution protocol.


Message 1. A → B : A,Na

Message 2. B → S : B, A,Na, TbKbs, Nb

Message 3. S → A : B,Na, Kbs, TbKas , A,Kab, TbKbs, Nb

Message 4. A → B : A,Kab, TbKbs, NbKab

Table 2.2: The Neuman-Stubblebine Key Distribution Protocol

We can distinguish three different classes of protocols, considering the technique

used for solving potential conflicts: arbitrated, adjudicated and self-enforcing. The

arbitrated protocols involve a third trusted party that has no interest in the results

of the execution of the protocol and is fair to all the participants. On the other

hand, the participants are trusting the third party and always expect a complete

session run of the protocol. This type of protocol is the most widely used.

The adjudicated protocols are an altered version of the arbitrated ones, where the

third party plays a role only if required. The normal run of a protocol would lead

to a completion of the session. The adjudicator is called to analyze the dispute and

rule only if a party is suspected of cheating.

The self-enforcing protocols were specially designed to guarantee that no party will

gain an advantage by cheating. The protocol ensures cheating is discovered imme-

diately, so there is no need for an arbitrator.

Electronic commerce has emerged as the effect of the extraordinary growth of the

interactive communication over the Internet, and has been pushed forward by the

convenience of the process. It involves just the buyer, his credit card and his com-

puter, saves the time wasted for shopping and eliminates the long monologues of the

2.3 Cryptographic Protocol Properties 11

sales person. But electronic commerce (or e-commerce, for short), like any kind of

goods exchange, has to comply with certain rules and meet some extra requirements

that are obvious in the classic type of commerce, like transaction completion and

goods delivery. The simplicity of the concept as well as the lack of any physical,

hard evidence (like a real credit card, not just a number) make it vulnerable to mas-

querading attacks. The protocols designed to guarantee the security objectives are

called electronic commerce protocols. The most commonly used transaction proto-

cols are SSL (Secure Sockets Layer) [24] and SHTTP (Secure Hyper Text Transfer

Protocol) [50]. SSL is supported by the major Internet browsers (Netscape and Mi-

crosoft Internet Explorer) and uses the RSA digital signature for authenticating the

principals.

2.3 Cryptographic Protocol Properties

As a subclass of communication protocols, which have as the main objective the

exchange of information, security protocols have to satisfy certain specific require-

ments. Those requirements have been divided into general security properties and

transaction properties. The definitions of these properties are presented in the fol-

lowing subsections.

2.3.1 Security Properties

Security properties are defined for principals, data and keys. Depending on the

protocol’s purpose, failure to preserve a specific security property may result in

unveiling confidential information to an intruder and, consequently, may lead to

protocol failure. Some of the most important properties, listed in alphabetical order,

are:

• Anonymity: Anonymity allows a principal to make transactions that cannot

be tracked by others. Another principal can only notice that an event, such


as a transaction, has occurred, but can’t determine the initiator or responder.

This property is highly important for customer privacy in the new e-commerce

environment, where automated online agents try to profile customer behavior

and buying habits.

• Authentication: In a distributed environment, the message originator has to

be uniquely identifiable. The recipient also needs to be certain that the original

data has not been tampered with. That is where the authentication property

comes into play. If implemented, it ensures that messages have been issued by

the principals and the content was not changed. If not specifically stated, an

intruder can masquerade one or more principals identity and be mistaken for

a true principal, with the associated consequences for data confidentiality.

• Availability: The availability property refers to a protocol’s capacity of ac-

cessing resources. In order to establish a session, for instance, all the partici-

pants need to state that they are ready to communicate. To ensure the flow of

messages, control of the communication lines has to be guaranteed, certifying

that messages will arrive at the recipients end.

• Fairness: Fairness is mainly involved in protocols that don’t require the arbi-

tration of a third party, such as a server authority. The purpose is to prevent

incomplete executions of a protocol that might result in information unilater-

ally gained by one of the parties. A modified version of fair protocols states

that a normal run will only involve two agents that will call for a trusted third

party in case of dispute.

• Non-repudiation: Participants in a protocol run may need to convince not

only the other participants, but also trusted third parties, that they were or

were not involved. Stronger than the authentication property, non-repudiation

is defined as the impossibility of denying having participated in a message

exchange. It is implemented by collection, maintenance, availability and vali-

dation of evidence concerning events or actions.


• Integrity: Integrity protects against unauthorized creation, alteration or de-

struction of data. If any alteration occurs, it has to be detected and the

corresponding protocol flaw has to be identified.

• Secrecy: This property allows the messages to reach the intended receivers

only, and nobody else. It represents the foundation of communications con-

fidentiality, as many other security properties rely on it. Authentication,

anonymity and integrity, for instance, are strongly related to secrecy. Unautho-

rized parties cannot benefit from any information disclosure, such as sensitive

data or cryptographic keys.

Definition 2.3.1 (Correctness). A protocol is correct with respect to a security

property if the property is preserved in any possible execution of the protocol.

2.3.2 Transaction Properties

Some classes of cryptographic protocols allow (sometimes) more than a plain trans-

mission of information. Goods and money can also be transferred as a result of

a successful transaction. Given their special nature, e-commerce protocols need a

few more properties to be defined. The virtual interaction between the participants

tolerates half-way stops of the protocol by one of the parties. The transaction can

be terminated for various reasons: network disruptions, a customer cancelling an or-

der, a bank refusing the credentials etc. More guarantees are needed for both ends

that the money have been spent (or not) and the goods have been bought/sold and

shipped. The following three classes of atomicity for electronic goods are defined by

Tygar in [58]:

• Money Atomicity: The transfer either completes entirely or not, so we

talk about an atomic transfer of electronic money. Money is not created or

destroyed by purchase transactions.

• Goods Atomicity: The goods are received by the customer if and only if

the money is paid. This property is strongly related to money atomicity, as

2.4 Cryptographic Protocols Flaws 14

a payment can only be made once a money-atomic transaction has completed

successfully. The concept is similar to that of “cash on delivery” .

• Certified Delivery: A supplemental provision that allows both the merchant

and the customer to prove what was delivered is called certified delivery. Each

party can exhibit its evidence to a judge in case of a dispute. Obviously, a

certified delivery transaction is goods-atomic.

2.4 Cryptographic Protocols Flaws

Preventing protocol failures is the major concern of a protocol designer. Particular

features to be implemented are robustness and scalability and those are achieved

mainly through a simple, minimal design that is easily adaptable to technological

advancements. A number of rules [33] have been drawn as a framework for protocol

design:

1. Keep it simple

2. Define the problem: requirements, constraints, techniques

3. Define the service

4. Design external functionality: the black-box principle

5. Don’t force connections independent issues

6. Keep the design open-ended

7. Build a high-level prototype and test it

8. Implement the protocol and optimize it

9. Verify the optimized implementation

10. Don’t skip rules 1 to 7


For the scope of our study, we make the assumption that the cryptographic algo-

rithms and the corresponding implementation techniques are perfect. We will only

take into account security properties failures. Such faults, called protocol security

flaws, can only be exploited by active attacks, as the passive ones will simply observe

the protocol execution.

2.4.1 Elementary Flaws

A flaw is considered to be elementary if some simple analysis of a single protocol

run allows the attacker to reveal sensitive data. Despite the protection level one

would expect from security protocols, quite a significant number of elementary flaws

have been discovered. A notorious one is related to the CCITT X.509 protocol [15]:

the signature is added to the message after it was encrypted, therefore it doesn’t

get protected inside the encrypted message. An intruder needs only to intercept the

message, remove the original signature and add his to make the recipient believe

that he is, in fact, the sender.

2.4.2 Freshness Flaws

If one or more of the principals cannot decide if a message is fresh or not, an

attacker can play that message back at a convenient time to pretend he just sent it.

A good example of a flawed protocol for this case is the Needham-Schroeder protocol,

designed for mutual authentication and key exchange of two principal A and B with

the aid of a trusted server S. A corrected version, the Needham-Schroeder-Lowe

protocol, already replaced the faulty one. We present the original protocol in Table

2.3 and a possible attack scenario in Table 2.4.


Message 1. A → S : A,B, Na

Message 2. S → A : Na, B,Kab, Kab, AKbsKas

Message 3. A → B : Kab, AKbs

Message 4. B → A : NbKab

Message 5. A → B : Nb − 1Kab

Table 2.3: The Needham-Schroeder Protocol

The lack of information about the freshness of the message issued by A during the

third step of the protocol is crucial. If this message has been previously intercepted,

the session key K ′ab is compromised as it can be used by the intruder in a future

session. The intruder will masquerade the identity of A and B will then assume

that the key Kab was generated by the trusted server S. As a consequence, B will

reveal to the intruder some secrets.

Message 3. I(A) → B : K ′ab, AKbs

Message 4. B → I(A) : NbK′ab

Message 5. I(A) → B : Nb − 1K′ab

Table 2.4: Attack Scenario on the Needham-Schroeder Protocol

2.4.3 Parallel Session Flaws

The intruder has always the choice of when, what and how he can interfere. More-

over, he can switch roles at his convenience, participating in some sessions as A and


in others as B. Under certain circumstances, playing the suitable roles and running

just some appropriate steps of a protocol might reveal the contents of an encrypted

message. The protocols vulnerable to such attacks are said to contain parallel ses-

sion flaws. An excellent example is the Three-Pass protocol (Table 2.5), designed

by Rivest, Shamir and Adleman to allow transferring encrypted messages between

two parties without any authentication.

Message 1. A → B : MKa

Message 2. B → A : MKaKb

Message 3. A → B : MKb

Table 2.5: The Three-Pass Protocol

The intruder can take advantage of the encryption symmetry:

MKaKb= MKb

Ka

If the attacker sends back to the originator an unaltered message, he well get as a

response the decrypted message (Table 2.6):

Message 1. A → I(B) : MKa

Message 2. I(B) → A : MKa

Message 3. A → I(B) : M

Table 2.6: Attack Scenario on the Three-Pass Protocol


2.4.4 Type Flaws

Besides getting the information that can be re-used in a different session, an intruder

can mislead a principal by sending him a message of a different type than the one

normally used. If no type-checking is implemented for the protocol, the attacker can

take advantage of the type flaw.

Boyd [10] describes a type attack on the Otway-Rees protocol. During the regular

protocol run, the following sequence is executed: A sends to B a nonce M, the

identity of A and B and an encrypted message for which only the server S has the

key. B relays the message from A to S along with his own cyphertext. S performs

the decryption and compares the result of the two encrypted parts to ensure the

nonce and identities are the same. It also generates the key Kab and sends it to B,

who will then forward it to A. Table 2.7 displays the protocol steps.

Message 1. A → B : M,A, B, Na,M, A,BKas

Message 2. B → S : M,A, B, Na,M, A,BKas , Nb,M, A,BKbs

Message 3. S → B : M, Na, KabKas , Nb, KabKbs

Message 4. B → A : M, Na, KabKas

Table 2.7: The Otway-Rees Protocol

An attack can be constructed based on the idea that the session key intended for

A in Message 4 can be substituted since the intruder already has a message of the

same format (encrypted with Kab and containing Na) (Table 2.8):


Message 1. A → I(B) : M,A, B, Na,M, A,BKas

Message 4. I(B) → A : M, Na, M,A, BKas

Table 2.8: Type attack on the Otway-Rees Protocol

2.4.5 Key Guessing Flaws

Key guessing is a technique that is directed mainly against protocols that use pseudo-

random key generation. An old session might be analyzed to provide either the

session key or certain characteristics of the generating algorithm and the associated

generic format. The attacker will then, depending on his success with the histori-

cal session, try to use the revealed key or match it against a dictionary of possible

keys. The dictionary is an exhaustive collection of most-likely combinations com-

plying with the generic format. For instance, for the case of a 64-bit key, binary

representations from all 0 ’s to all 1 ’s for the 64 bits could be tested.

2.4.6 Internal Action Flaws

The principal’s incapacity to perform the appropriate actions required for message

transfer results in internal actions flaws. By appropriate actions we mean checking

the integrity, freshness and authenticity of the received messages or doing the nec-

essary computations. Incomplete specifications might result in major security holes

that can readily by exploited. The Three-Pass protocol, for instance, fails to check

if the message received during the third step of the protocol is encrypted or not.

2.5 Conclusion 20

2.4.7 Repudiation Flaws

A protocol contains a repudiation flaw if one of the participants is able to deny his

involvement in a successful protocol execution. Two distinct types of repudiation

may occur: repudiation of origin and repudiation of receipt. To prevent such events,

certain protocols collect evidence to be used as proof. The corresponding features

are called non-repudiation of origin and non-repudiation of receipt, respectively. If

the responsibility of message delivery is on a third trusted party, non-repudiation of

submission and non-repudiation of delivery might also be defined. An adjudicator

is called to settle disputes based on the above-mentioned features.

2.4.8 Cryptosystem Related Flaws

Even with perfect cryptographic primitives, some attacks are still possible. Simple,

reversible techniques such as the XOR function are particularly dangerous. This

is the case of the Three-Pass protocol, for which a scenario involving several XOR

operations on intercepted encrypted messages reveals the original plain text.

2.5 Conclusion

Security protocols are a very important aspect of the communication act, as they

are the guarantee of a properly conveyed message. Writing a good specification for

a solid protocol is not a simple task. In numerous occasions has it been proved

that a superficial approach or an oversight of what seemed to be a minor detail

can lead to disastrous results. Flaws are usually the result of an incomplete or

incorrect specification. However, there are cases when even if the protocol features

are well designed, good specifications may be turned into security holes by bad

implementations. The main issue is to identify them and find ways to prevent

exploiting them. Several methods, such as the specification languages and the formal

methods, are presently being used to ensure the preservation of security properties.

2.5 Conclusion 21

In this context, protocol verification and analysis become an indispensable part of

the design process.

Chapter 3

Formal Verification of Cryptographic

Protocols

Abstract

This chapter introduces some formal verification techniques and addresses a theory

that is of particular interest for this study: abstract interpretation. Among the quite

abundant number of methods that can be used for automatic verification, abstract

interpretation provides a framework for proving security properties for cryptographic

protocols. The work of David Monniaux on tree automata and the refinement of this

technique by Jean Goubault-Larrecq are also presented here.

3.1 Introduction

One of the objectives for improving the security properties associated with an ev-

ermore transparent communication environment is the use of automated techniques

for guaranteeing the absence of logical faults in cryptographic protocols. The logic

of authentication developed by Burrows, Abadi and Needham [14] paved the way by

presenting the notions of modal logic of belief (the BAN logic), trust relationships

and jurisdiction in order to formalize reasoning principles on crypto-protocols. G.

Lowe introduced the concept of model-checking and applied it to find flaws or prove

22

3.2 Formal Methods 23

correctness of security properties [35]. Such systems are FDR [22], NRL [38] and

others. They are complemented by efforts like TCSec, ITSec and Common Criteria

certification [47]. D. Bolignano’s formal verification [9] and L. C. Paulson’s inductive

rules [49] are to date the most successful techniques in giving security guarantees for

cryptographic protocols. Peter Naur pioneered the abstract interpretation field in

1963 when he proposed a method for defining abstract values for his compiler GIER

ALGOL III [46]. His idea was to execute a program using operators working on

descriptions of data rather than real data. This method has been implemented ever

since in various compilers in order to obtain program validation, partial evaluation,

effective parallel execution, and generation assertions for software verification.

3.2 Formal Methods

Although cryptographic protocols design takes a considerable amount of time and

effort, flaws have been discovered in quite a few occasions, mostly as the result of

an informal approach. The success of formal methods being applied to find such

flaws was a fertile ground for the development of two main directions: protocol

specification and protocol verification and analysis.

3.2.1 Specification Languages

There are two ways to specify the protocol requirements: formal languages and

calculi. In order to allow more precision and formal manipulations, a language

semantics is sometimes defined. Among the best known formal specification methods

are the ISL (Interface Specification Language), CAPSL (Common Authentication

Protocol Specification Language) and Casper languages and the SPI calculus, which

we will briefly introduce in this section.


3.2.1.1 Interface Specification Language

The Interface Specification Language, or ISL in short, is a simple language designed

by Brackin [12]. The Automatic Authentication Protocol Analyzer (AAPA), which

is used in conjunction with ISL, employs an extension of the Gong, Needham and

Yahalom belief logic (GNY) to prove either compliance or failure of the protocol with

regards to the specification. Therefore, protocol designers can eliminate a significant

number of errors from the early stages of their work.

3.2.1.2 Common Authentication Protocol Specification Language

Designed by Millen, the Common Authentication Protocol Specification Language

(or CAPSL) is intended as a standard input format for formal analysis. CAPSL is

structured as a three-faceted specification covering type, environment and protocol

requirements. Types are used to define the principals, the cryptographic operators

and some other functions. For various network scenarios, optional environment spec-

ifications are defined. The protocol part starts with variable types declarations and

initial conditions assumptions. The message and security goals lists complete the

protocol specification. The targeted objectives are usability, abstraction, complete-

ness, extensibility, parsability and scalability. In other words, it should be modular,

easy to read, use, translate, extend, it should cover all possible flaws but limit the

complexity to a reasonable minimum required for failure analysis.

3.2.1.3 Casper

A different approach is used by Lowe [36] who translates an abstract description

of a cryptographic protocol into a CSP (Communicating Sequential Processes) de-

scription [32]. That description is to be used in conjunction with the FDR (Failures

Divergence Refinement) model checker [22], allowing automatic verification of se-

curity properties. Casper, the language developed by Lowe, generates CSP scripts

from high level descriptions. In addition to the protocol specifications, similar to

the ones employed by CAPSL, the verified system has to be defined. Therefore,


the agents involved and their specific roles are included in the Casper protocol de-

scription [37]. Several protocols have been checked for security flaws using Casper,

including Yahalom, Kerberos, and CCITT X.509.

3.2.1.4 SPI Calculus

Milner’s π-calculus [40] is a general-purpose calculus that has been successfully used

to demonstrate security properties for some protocols. By extending it with spe-

cialized cryptographic primitives, Abadi obtained what he called the SPI calculus

[1], which allows verification of a broader spectrum of security protocols, as the

encryption and decryption can now be checked.

Processes and process equivalence are used in SPI for the representation of crypto-

graphic protocols and security properties, respectively. A syntax and a semantics

are defined for SPI, along with a process communication and synchronization mech-

anism.

The syntax consists of two parts: the processes and a set of terms. Ω and X are

used to denote an infinite set of names and an infinite set of variables, respectively.

The set of terms defines the following:

• terms: M, N

• name: n ∈ Ω

• pair: (M, N)

• zero: 0

• successor: suc(M)

• variable: x ∈ X

• shared-key encryption: MN


The processes are:

• process: P, Q

• output: M〈N〉.P

• input: M(x).P

• composition: P | Q; P and Q execute in parallel

• restriction: (νn)P ; creates a new private name n and then behaves as P

• replication: !P ; infinite number of copies of P running in parallel

• match: [M is N ] P ; acts like P if M and N are equal, if not it does nothing

• nil: 0; doesn’t do anything

• pair splitting: let(x, y) = M in P , x, y ∈ X; acts like P [N/x][L/y] if M is

the pair (N, L)

• integer case: case M of 0 : P suc(x) : Q x ∈ X; Q acts like P if M is the

term 0 and Q[N/x] if M is the term suc(N), if not it does nothing

• shared-key decryption: case L of xN in P x ∈ X; acts like P [M/x] if L is

the term MN , if not it does nothing

where P [M/x] is the result of replacing x in P with M.

The communication and synchronization mechanism takes care of the interaction

between processes. A ready-to-transmit process (denoted by c〈M〉.P ) must be syn-

chronized with a ready-to-receive process (denoted by c(x).P ) on the same channel.

As a consequence, messages are transferred between the output and input processes.

The semantics imitates a chemical model: the analogy for a process is a chemical

solution containing molecules ready to react. The technique is called the reaction


relation and was developed by Milner. If synchronization occurs, the two processes

interact:

c〈M〉.P | c(x).P → P | Q[N/x]

3.2.2 Formal Verification

Cryptographic protocols verification is accomplished via formal techniques. There is

a large variety of well-established techniques today, the most notable being the logic-

based techniques, the typing method, and the modelling approach. Representative

of the modelling approach are the inductive rules, briefly introduced in the present

section, and abstract interpretation, which is of particular interest, is introduced in

section 3.3 and detailed in a dedicated chapter.

3.2.2.1 Logic-Based Techniques

Knowledge, trust and beliefs are the foundations for constructing a logic that allows

derivation of new beliefs and knowledge about a distributed system. Specifying a

protocol based on that logic consists in defining the inference rules for the manip-

ulation of the initial statements and modelling the system. Several major results

were obtained based on this technique, the most important ones originating in the

BAN logic [14]. However, the logic-based techniques fail to provide a solid base for

protocols idealization, freshness modelling or some parallel session flaws.

BAN logic

The BAN logic [13, 14] was developed by Burrows, Abadi and Needham mainly for

detecting authentication flaws. It takes into account a set of initial beliefs of trusted

protocol participants in order to derive other beliefs. Assumptions and assertions

are checked for adequacy against the inference rules associated with the logic. The


conclusion is simply based on the beliefs assessment: if they are adequate, the

protocol is correct; if not, it contains an authentication flow.

Protocol analysis is divided in four phases: protocol idealization, initial assumption,

protocol annotation and beliefs analysis. The idealization consists in formalizing the

protocol notations trough actions such as stripping messages of plaintext compo-

nents. The initial assumption phase is straightforward: participants to the protocol

explicitly state the freshness of nonces and the validity of keys. Protocol annotation

involves attaching logical formulas to statements, which will be further scrutinized

during the final phase, beliefs analysis.

There are ten syntactic constructs defined for the BAN logic:

1. P |≡ X: P believes X.

2. P / X: P sees X.

3. P |∼ X: P once said X.

4. P ⇒ X: P has jurisdiction over X.

5. ](X): The formula X is fresh.

6. PK↔ Q: P and Q may use K to communicate.

7. K→ P : P has K as a public key.

8. PX Q: P and Q share a secret X.

9. XK : X encrypted with the key K.

10. 〈X〉Y : X combined with the formula Y, where Y should be a secret and proves

the identity of the sender.

Several inference rules have been defined for deriving beliefs from the initial as-

sumptions. The inference rules are presented in the form of fractions, with the


initial assumption as the numerator and the deriving belief as the denominator. We

will exemplify by the set of message-meaning rules:

1.P |≡ Q

K↔ P P / XK

P |≡ Q |∼ P(Shared Keys)

2.P |≡K→ Q P / XK−1

P |≡ Q |∼ P(Public Keys)

3.P |≡ Q

Y P P / 〈X〉YP |≡ Q |∼ P

(Shared Secrets)

The first rule applies to shared keys: if P believes that K is shared with Q and

sees XK , then P believes that Q once said X. The second rule, for public keys, is

similar: if P believes that Q K as a public key and he sees XK−1 , then he believes

that it is Q that once said X. The third rule refers to shared secrets: if P believes

that the secret Y is shared with Q and sees 〈X〉Y , then P believes that Q once said

X.

Freshness is modelled by defining two time frames: present and past. The distinction

is easy to make: the present starts with the beginning of the protocol run; whatever

precedes that moment is in the past, and past messages can’t be replayed by a

potential intruder as recent.

Although it has some limitations, the usefulness and impact of the BAN logic in the

field of formal verification can hardly be overlooked.

GNY logic

An improvement to the BAN logic of belief has been achieved by Gong, Needham

and Yahalom by adding a new set of properties for the principals: the possessions.

Defined aside from beliefs in the GNY logic system [28], possessions include - as

suggested by their name - everything the principal had initially and created or

received after the protocol run started. The set of notions is extended accordingly,

allowing a broader range of protocols to be analyzed.


The initial set of beliefs and possessions is permanently enriched through the appli-

cation of the inference rules, therefore it is monotonic. Possessions also consist of

all the formulae and formulae transformations available to the principal, including

a negation symbol. The extended set of statements defined by the GNY logic made

possible a more accurate expression of the variety of scenarios to be covered by the

protocol specification.

3.2.2.2 The Typing Method

Informal principles and formal typing rules were presented by Abadi [1]. The typing

method started to take shape then as an aid for his SPI calculus and evolved to a

more generic format. The typing rules are used to check the secrecy by defining

three possible types of messages and communication channels: Public, Secret and

Any. The first two types are obvious, the third refers to an unknown type that has

to be sent as if it is secret, since we don’t know it’s real nature. As per protocol

requirements, secret data should not be disclosed, so an appropriate mechanism for

testing equivalence is defined for the message type.

In addition to this, a fresh entity called a Confounder is introduced in order to

produce different encrypted messages for two similar plaintext messages. The judge-

ments that can be derived about an environment E from the typing rules are the

following:

• ` E well-formed

• E ` M : T (the term M is of class T in E )

• E ` P : Ok (the process P type-checks in E ).

The expression well-formed refers to an environment that is neither over-specified

nor under-specified and is bounded, self-stabilizing and self-adapting. The rules for

associating terms with types are the following:


• Zero: 0 is of level Public

• Name: used for determination of the level of names

• Variable: used for determination of the level of variables

• Successor: adding the number one to a message does not change its level

• Pair: if both components have the same level, that is the level of the pair; if

one is Public and one is Secret, the pair has the level Any

• Subsumption: terms of level Public or Secret also have level Any

• Public Encryption: if messages of a certain level T are encrypted with a Public

level key, the encrypted message has level T

• Secret Encryption: encryption with a Secret level key produces a cyphertext

of level Public.

To check if a process doesn’t reveal any secret (is of type Ok), the following rules

are used:

• Out. Pub.: Public level terms can be sent on public channels

• Out. Sec.: messages of all levels can be sent on secret channels

• In. Pub.: all inputs are assumed to be of level Public

• In. Sec.: used to assign levels to received messages components and verify if

the rest of the process is well-typed

• Match: used for comparison of Public and Secret level terms, but not Any.

In order to verify a protocol using the typing method, we have to specify the protocol

in the SPI calculus, define the initial associated environment E0 and perform the

typing to prove that each process type-checks Ok in E0.

3.3 Abstract Interpretation Concepts 32

3.2.2.3 Paulson’s Inductive Approach

Paulson applied the idea of modelling protocols as sets of possible traces of events

[49]. Protocol specification is written in the native language of Isabelle [48], a general-

purpose proof tool.

Traces P are defined inductively from a set of intruder and regular principal rules,

according to the capabilities of the parties involved. The inductive definition starts

with the empty rule, that always belongs to P. The ability of an intruder to send

messages previously intercepted is modelled by the Intruder rule. Traces can be ex-

tended with new events whenever a fresh nonce is part of it. Protocol-independent

functions and operators are defined by Paulson to facilitate building complex correct-

ness proofs. Therefore, several lemmas can be re-applied in elaborate demonstrations

based on Paulson’s previous results.

3.3 Abstract Interpretation Concepts

The dynamic semantics of a programming language is the sum of all possible be-

haviors during the execution of any program written in that language, using any

entry data possible. The method employed to obtain a description of the dynamic

semantics is called abstract interpretation. The goal is to pre-determine at compile

time the behavior of a program at run time. This can be used for building semantic

analysis algorithms that can allow further optimization of compiled code, genera-

tion of test suites and software verification. The behavior described by the abstract

semantics must be valid for all possible executions of a program, irrespective of

entry data. A non-standard semantics is defined for approximating the properties

associated with those behaviors. The abstract interpretation consists of a concrete

semantics (data and operations), an abstract (or approximated) semantics (data

and operations) and an abstraction relationship linking concrete data from abstract

data and relative to which the abstract operations are an abstraction of operations


on the concrete data.

The study of abstract semantics starts by defining the concrete semantics based

on a collected semantics. The collected semantics is the most accurate semantics

that can be built and it has to be minimal, correct and complete relatively to the

class of properties of the program studied. The resulting program analyzer has to

take into account and balance the following factors: complexity, flexibility, precision

and analysis cost. Specifying program analyzers and computing abstract properties

implies a sound knowledge of mathematical structures.

3.3.1 Ordered Sets Fundamentals

Some of the most important definitions required to define abstract interpretations,

as introduced in [6], are presented in this section. As a starting point, the sets S, T

and U are considered.

Powerset: the set containing all subsets of S is the powerset ℘(S) = X|X ⊆ S.

Cartesian product: a set containing all pairs with the first component in S and

the second in T is the cartesian product S × T = (s, t)|s ∈ S, t ∈ T.

Binary relation: a binary relation in S × T is a subset ρ ∈ ℘(S × T ).

Image by ϕ: the image of X ⊆ S by ϕ is ϕ∗(X) = ϕ(x)|x ∈ X.

Upper closure: an application f ∈ S → S is an upper closure if and only if:

• f is monotone ⇔ ∀x1, x2 ∈ S : x1 ≤ x2 ⇒ f(x1) ≤ f(x2)

• f is extensive ⇔ ∀x ∈ S : x ≤ f(x)

• f is idempotent ⇔ f f = f .


Pre-order: pre-order v on a set S is a binary reflexive (∀x ∈ S : x v x) and

transitive (∀x, y, z ∈ S : (x v y ∧ y v z) ⇒ x v z) relation.

Strict order: if (x v y ∧ x 6= y), we have a strict order relationship written x < y.

Partial order: a partial order relation on a set S is an anti-symmetric (∀x, y ∈ S :

(x v y ∧ y v x) ⇒ x = y) pre-order relation.

Upper bounds: let v be a partial order on a set S. Then u ∈ S is an upper bound

for X ⊆ S if and only if ∀x ∈ X : x v u. Let u be the smallest of all upper bound

of X ⊆ S, as defined by: ∀x ∈ X : x v u ∧ u′ ∈ S : (∀x ∈ X : x v u′) ⇒ (u v u′);

then u is called the least upper bound and denoted by tX. If it exists, it is unique.

Lower bounds: let v be a partial order on a set S. Then u ∈ S is a lower bound

for X ⊆ S if and only if ∀x ∈ X : u v x. Let u be the greatest of all lower bounds of

X ⊆ S, as defined by: ∀x ∈ X : u v x∧u′ ∈ S : (∀x ∈ X : u′ v x) ⇒ (u′ v u); then

u is called the greatest lower bound and denoted by uX. If it exists, it is unique.

Complete lattice: a complete lattice (L,v,⊥,>,t,u) is a set L partially ordered

by the relation v so that all subsets X ⊆ L have an upper bound tX and a lower

bound uX. In particular, L admits a smallest element ⊥ called infimum, with

⊥= t∅ = uL and greatest element > called supremum, with > = u∅ = tL.

Linear order: a partial order v for which all elements can be compared two by

two (∀x, y ∈ P : x v y ∨ y v x) is a linear order.

Complete partial order: a partial ordered set (L,v) is called complete (cpo, for

short) if all linear ordered subsets have at least an upper bound. The cpo is called

strict if it has an infimum.


Fixpoint: let ϕ ∈ P → P be an application. A fixpoint of ϕ is an element x of

P such that f(x) = x. If P is ordered, then the set of fixpoints of ϕ, noted fixϕ is

an ordered subset of P, possibly empty. If this set admits a minimum element, this

element is called the least fixpoint of ϕ (lpfϕ). If it accepts a maximum element,

that is called the greatest fixpoint of ϕ (gfpϕ).

3.3.2 Galois Connections

Definition: Given two partially ordered sets Dc(vc) and Da(va), a Galois connection

(or pair of adjoint functions or adjunction) is a pair of functions (α, γ) such that:

• α ∈ Dc → Da

• γ ∈ Da → Dc

• ∀dc ∈ Dc, ∀da ∈ Da : α(dc) va da ⇔ dc vc γ(da) (1)

We write then: Dc(vc) Da(va).

A number of properties for the Galois connections are particularly useful and given

as lemmas or theorems:

• γ α is extensive: ∀dc ∈ Dc : dc vc γ α(dc)

• α γ is reductive: ∀da ∈ Da : α γ(da) va (da)

• α and γ are monotone

• α γ α = α

• γ α γ = γ

3.4 Tree Automata Abstraction 36

3.4 Tree Automata Abstraction

David Monniaux achieved some important results by using abstract interpretation

techniques to analyze cryptographic protocols [44, 45]. He employs abstract model

checking of infinite systems to obtain a fully automatic implementation based on

tree automata. The ordered domain to be approximated is the transition systems.

The monotonic operators used ensure the preservation of the order relation.

Monniaux defines a concrete state space Σ along with a transition relation r and an

abstract state space Σ] with the corresponding abstract transition relation r]. The

abstract relation that links the two spaces is denoted by a ⊂ Σ × Σ]. The relation

a−1(X]) is defined by x ∈ σ|∃x] ∈ X] a](x, x]), where X] ∈ Σ]. The simulation

condition for the transition system is given by:

∀x, y ∈ Σ, x] ∈ Σ], r(x, y) ∧ a(x, x]) ⇒ ∃y] ∈ Σ], r](x], y]) ∧ a(y, y])

Therefore, for all σ0 and σ0] so that a(σ0, σ

]0), A0 ⊂ a−1(A]

0), where A0 = σ|σ0 →∗r

σ and A]0 = σ]|σ]

0 →∗r] σ].

The main observation on which the rest of the abstraction is based is that for a

property P to hold for all elements in A0, it is enough to prove that it holds for all

elements in r−1(A]0).

3.4.1 Concrete Model

The syntax and semantics are simple and they comply with the standard notations

used by cryptoprotocols designers. The following notations are used: a signature

F , a free algebra of terms T (F) over the signature, terms t ∈ T (F ,X ), a family


of variables (Xi)i∈i, a family of terms (xi)i∈i, a set of free variables of FV(t) and a

term t [xi/Xi] obtained by parallel substitution of Xi by xi in t.

The possible computations are defined by a function K : ℘(T (F)) → ℘(T (F)) that

computes the closure of a subset of T (F) by the following operations:

• a subset O of the function symbols found in F

• a set R of rewrite rules over T(F) of the form a → x, where a is a term with

variables over F and x is a variable that appears exactly once in a.

Therefore, an element x of T(F) is deemed as possibly computable from X ⊂ T(F)

if x ∈ K(X ). The fixpoints of K are denoted by ℘(T (F))K. The systems allowing

rewrite rules as stated above are called simplification systems.

For the concrete semantics, Monniaux considers a finite set P of principals, each

with a set Rp of registers that contains a program to execute xp and an uninitialized

element of T (F) (written T (F) ∪ ⊥). The program is a finite sequence of input,

output or match commands as follows:

• ?r : input register r, r ∈ Rp

• !t : output t, t ∈ T (F)

• r ' t : match register r against t, r ∈ 1, . . . , rp, t ∈ T (F , Rp ∪Rp).

The empty sequence is noted ε and h::t symbolizes a sequence that starts with the

command h and ends with t. A principal’s local state is defined by the content of its

registers and the program yet to execute. Its global state is a tuple of local states,

together with the state of the intruder. The set of global states is noted Σ. System’s

semantics is defined by a nondeterministic transition relation →. S.p is the local

state of principal p in S and S.I the intruder knowledge in S. So, for two global

states S and S’, the transition relation is S → S’ if there exists a principal p0 ∈ P

so that:


• for all p ∈ P so that p 6= p0, S′.p = S.p

• S.p0.P = h :: τ and either:

– h =?r0 and

∗ for all r ∈ Rp0 , S′.P0.r = S.p0.r,

∗ S ′.P0.r0 ∈ S.I

∗ S ′.P0.P = τ

– h =!t and

∗ for all r ∈ Rp0 , S′.P0.r = S.p0.r,

∗ S ′.I = K(S.I ∪ t[S.p0.r/r|r ∈ Rp0 ])∗ S ′.P0.P = τ

– h = r ' t and either

∗ there exists an unifier for the variables in Rp0 between t[S.p0.r/r|r ∈Rp0 ] and S.p0.r; then:

· for all r ∈ Rp0\FV (t), S ′.P0.r = S.p0.r,

· t[S.p0.r/r|r ∈ Rp0 , S′.p0.r/r|r ∈ Rp0 ] = S.p0.r

· S ′.P0.P = τ

∗ there is no such unifier; then

· for all r ∈ Rp0 , S′.P0.r = S.p0.r,

· S ′.P0.P = ε

3.4.2 Tree Automata Model

Tree languages can be used for the abstraction of a set of terms on a signature.

In particular, non-deterministic top-down tree automata can be employed for the

representation of subsets of T(F). A top-down tree automaton over F is a tuple

A = 〈Q, q0, ∆〉, where Q is a finite set of states, q0 ∈ Q is the initial state and ∆


is a set of rewrite rules over the signature F ∪ Q, where states are seen as unary

symbols. The rewrite rules in ∆, distinct from the set R, must be of the type:

q(f(x1, . . . , xn)) →A f(q1(x1), . . . , qn(xn))

where x1, . . . , xn are variables, n ≥ 0, f ∈ Fn, q, q1, . . . , qn ∈ Q. A good example of

a rewrite rule in the context of cryptographic protocols is the decryption process:

decrypt(encrypt(x, k), k) → x, where x is the original message and k is the encryp-

tion key. As an observation, for n = 0 the rule becomes: q(a) → a. The language

recognized by A is denoted by L(a) = Lq0(A), where

Lq(a) = t ∈ T (F) | q(t) →A t.

A special type of automata, denoted AF and requiring a particular set ∆ of rewrite

rules are employed for allowing a tree representation of the automaton. The tree

nodes are either states or symbols. States have an unordered list of children, which

are all symbols, while symbols have an ordered list of children. Position in a term is

defined as a sequence of positive integers describing the path from the root position

ε to that position. A set of positions in t is denoted by pos(t). The subterm of t

rooted at position p is symbolized by t|p.

Substitution of terms for all term t and special automata Ai is the function described

by L(t[Ai/Xi]) = t[L(Ai)/xi]. The opposite problem, matching of a term against the

automata, has a solution in the form of L = t[Li/Xi], where L = t[xi/Xi] and (Li) is

a family of languages. The function associated, called match(A,t), is a finite subset

of FV (t) → AF and for any solution S in the set, L = L(t[Si/Xi]). The function

returns the set of matches of the term t against the automaton A, showing the states

in which the variable is to be recognized, for every match and each variable.


3.4.3 Abstract Model

The knowledge of the intruder in the concrete model is nondeterministic. In order

to render it useful, Monniaux [44, 45] employs a technique called folding on the

nondeterministic branches to reach a safe approximation and a finite state space for

the principals.

Local states are denoted by (S].p)p∈P and the tree automaton modelled knowledge

of the intruder is denoted by S].I. Program sequences of the form S].p.P and

automata families (S].p.r)r∈Rp correspond to local states. Together, the local states

and the intruder’s knowledge make up a global state S] ∈ Σ]. Using a style similar

to the concrete semantics definition, the abstract semantics is defined for two global

states S] and S ′]. To link the concrete and abstract model, an abstraction relation

a ⊂ Σ× Σ] is defined for any S in Σ and S] in Σ] as follows:

a(S, S]) ⇔ (S.I = L(S].I))∧∀p ∈ P ((S.p.P = S].p.P )∧∀r ∈ Rp S.p.r ∈ L(S].p.r))

3.4.4 Implementation

Monniaux implemented a protocol analyzer [44] based on the principles of tree au-

tomata abstraction. The input of the program is a file containing the signature

of the algebra, the rewrite system, the program run by the principal, the initial

knowledge of the intruder and the set L of terms the intruder wants to obtain. The

signature consists of public and private constructors, of which the private ones (keys,

for example) can not be applied by the intruder. The core concept is finding those

interleavings of the principals actions that potentially present a security risk. To re-

duce the complexity order of the abstraction and analysis, only a particular form of

interleaving is verified: input and match by a principal, followed by an output by the

same principal. The simplification is appropriate as the intruder’s final knowledge

can be modelled this way.

3.5 ∨-Parameterized Tree Automata 41

However, there are some inconveniences related to the automata implementations.

Two different approaches were: one follows the operations on the special tree au-

tomata and the other employs a minimal deterministic tree automata. The first

approach is very efficient for elementary operations, but doesn’t handle well the ex-

ploding size of the automata caused by longer traces. The second is very slow when

it comes to the completion of the rewriting system. A number of well-known pro-

tocols have been successfully analyzed, with varying computing times depending on

the hardware used, the number of principals and parallel runs. An interesting result

was revealed for the Otway-Rees protocol: the intruder could get the information he

wants by building it from outputs of previous steps, if the cryptographic primitives

do not prevent it by implementation. The replacement of the rewrite system by a

set of rules (patten matching, for example), is supposed to increase dramatically

the efficiency of the program and its ability to handle more challenging systems. To

date, this potential improvement has not been implemented.

3.5 ∨-Parameterized Tree Automata

The main idea of this cryptographic protocol verification technique [29] is the mod-

ification of the actual tree automaton in order to incorporate deductive reasoning,

based on a set of assumptions, for message freshness and secrecy properties. Previ-

ous developments that lead to J.Goubault-Larrecq’s work include David Monniaux’s

tree automata as a tool for computing upper approximants of intruders knowledge

[44, 45] and Mourad Debbadi et al’s modelling of honest principals as accomplices of

intruders [19]. There are other approaches on using the tree automata for protocol

verification, such as T.Genet and F.Klay rewrite systems modelling [27].

3.5.1 ∨-Parameterized Tree Automata Concepts

In order to add reasoning capabilities to the classic tree automata (see [16]), Goubault

employs a second style of sets representation, the propositional logic. The result is


called the ∨-Parameterized Tree Automata (∨PTA) and uses propositional formulae

and sets to represent sets of terms.

The term algebra used for the definition of ∨PTAs is a typed algebra. Types such

as msg (messages) or msglist (list of messages) are denoted by τ and are part of a

set T . A set of terms of a certain type τ is denoted by Tτ (Σ,X ), where Σ is a

first-order signature over a set F of function symbols, and X is a family of sets of

variables of type τ . Propositional formulae are defined for logical variables of type

τ with the aid of logical operators and newly introduced notions, like Aτ , a set of

logical variables of type τ . Such formulae F are defined by the following grammar:

F ::= A | F∧

F | F∨

F | ¬F | 0 | 1

where A ranges over Aτ .

Another useful definition in the context of term types and formulae is the assumption

h. An assumption is a map from types τ to formulae of type τ . An environment

ρ satisfies an assumption h, written ρ |= h, if and only if dh(τ)eρτ is the set of all

terms of type τ , for every type τ .

A modified version of the tree automata is built in order to accommodate propo-

sitional formulae for states. Each state q (of a set Q) has an associated type τq.

By definition, an ∨-parameterized tree automaton (or ∨PTA), of type τ0 , U , is a

4-tuple (D,F ,R,B), where:

• D is a finite subset of Q, whose elements are states of U ;

• F ⊆ D is the set of final states, assumed disjoint from Σ and such that τq = τ0

for every q ∈ F

• B maps each state q ∈ D to a formulae of type τq


• R is a set of rewrite rules f(q1, ..., qn) → q, where f ∈ Σ is such that Σ(f).=

τq1 × ... × τqn → τq (respects transition types).

A normal tree automaton will differ from an ∨PTA by lacking the B component,

therefore it can be considered as a ∨PTA where B maps each state to the class of

0. Since the purpose of the tree automaton in the abstract interpretation approach

is to approximate an infinite model, the operations that can be performed play a

major role. Just like for the classic tree automaton, ∨PTAs allow computation of

unions and upper approximations of intersections.

3.5.2 Algebra of Messages

The set T of typed terms contains the following types: msg (messages), msglist

(tuples of messages), key (keys), K (raw keys) and D (raw data). Function symbols

are used for building the keys by injecting the raw keys inside the space of the actual

symmetric and asymmetric keys, denoted by symk(k), asymk1(k) and asymk2(k).

A list of messages can be converted into a message using the tupling constructor:

t : msglist → msg. The basic signature obtained by the means of the constructors

has the following form:

• symk : K → key

• asymk1 : K → key

• asymk2 : K → key

• sk : msg × msg → key

• pubk : msg → key

• privk : msg → key

• * : → key

• k : key → msg

• d : D → msg

• c : msg × key → msg

• t : msglist → msg

• nil : → msglist

• cons : msg × msglist → msglist


The function symbol used to create the cyphertext is c: msg × key → msg. The

inverse of a symmetric key is itself and for an asymmetric one is her pair (pubk for

privk, privk for pubk, asym1 for asym2, asym2 for asym1).

3.5.3 Intruder Capabilities

The intruder’s knowledge is also modelled as an automaton. As initial assumptions,

the intruder knows all the public keys pubk(idA), but no long-term keys sk(idA,idB)

or private asymmetric keys privk(idA) . The initial assumption is that intruders

have the ability to read on any communication line, collect messages, and forge new

ones. To find out what information can be unveiled and how, a set of rules is defined:

(Ax)E,M 7→ M

(CryptI)E 7→ M E 7→ k(K)

E 7→ c(M, K)

(CryptE)E 7→ c(M, K) E 7→ k(K ′)

E 7→ M

(TupleI)E 7→ M1 . . . E 7→ Mn

E 7→ t([M1, . . . , Mn])

(TupleE)E 7→ t([M1, . . . , Mn])

E 7→ Mi

where K ′ is the inverse of K.

The actions carried out by the intruder to come to a conclusion are called derivation.

The rules allowing the intruder to decrypt and read components off tuples are called

elimination rules (name ending in E ). The ones allowing encryption of messages

and building of tuples are called introduction rules (name ending in I ). A message

M is called extractible from E (Ext(E)) if it can be derived from E by using only

(Ax) and the elimination rules or constructible (Con(E)) if it can be derived from

E by using only (Ax) and the introduction rules. If it can be deduced using any of


the rules, it is called deducible (Ded(E)). Goubault-Larrecq proves a theorem that

shows the following relation to be true :

Ded(E) = Con(Ext(E))

3.5.4 Simulating Protocol Runs

In order to complete an abstract interpretation simulation of the protocol we need

to build the following: a syntax, concrete and abstract semantics and a relationship

between the semantics to prove the correctness of the approximation. A simple lan-

guage consisting of expressions, patterns and commands needs to be defined along

with the associated syntax and semantics (both abstract and concrete) to describe

the behavior ascribed to message exchanges during protocol runs. Commands will

match expressions using patterns, with expressions denoting messages and, in gen-

eral, terms. A finite list of commands is called a program or role. Patterns are

matched by the exact(e) construction.

Pattern matching is defined as a partial function trying to match t against pat in

the environment σ. The external world is modelled by an external configuration W.= (E ,K,D), where E is a set of messages known to intruders, K is the current set of

existing raw keys, and D is the current set of existing raw data. A configuration is a

pair W , σ of an external configuration and a run-time environment. Configurations

are related through judgements of semantics, which are of the form W , σ ` c ⇒W ′, σ′. A local run of a role [c1, ..., cn] is a finite sequence of judgements of the form

W0, σ0 ` c1 ⇒W1, σ1 ` c2 ⇒ ... ⇒Wm−1, σm−1 ` cm ⇒Wm, σm, where 0 ≤ m ≤ n.

The concrete semantics is shaped by substituting the commands in the general form

of a judgement. The abstract semantics is obtained by replacing the sets of messages

known by intruders with ∨PTAs and by assumptions expressing relations between

sets of raw keys and raw data. The correctness of the abstract semantics with regard

to the concrete semantics is given by a lemma.


3.5.5 Experimental Results

The algorithms describing the abstract and concrete semantics have been imple-

mented by Goubault-Larrecq [29] as a verification tool in a bytecode compiler for

HimML, a variant of Standard ML. The tool outputs a sequence of commands from

each principal leading to a possible flaw, but doesn’t present any sequence of intruder

commands. Tests were done on three-party protocols involving two principals and a

key server. Results are presented in Table 3.1. Times are in seconds, the (*) denotes

a mono-session while (!) denotes a parallel multi-session. The #Branches column

indicates the non-determinism involved in checking all relevant interleavings of the

protocol.

Protocol Result Time(s) #Branches

Needham-Schroeder shared key (*) possibly flawed 1.94 4

Needham-Schroeder shared key (!) possibly flawed 1.56 3

Otway-Rees (*) correct 1.56 3

Otway-Rees (!) correct 1.56 3

Wide-Mouthed Frog (*) possibly flawed 0.34 2

Yahalom (*) possibly flawed 1.17 4

Yahalom (!) possibly flawed 1.20 3

Simpler Yahalom (*) correct 1.16 3

Simpler Yahalom (!) correct 1.52 3

Otway-Rees2 (!) correct 14.57 15

Table 3.1: Experimental results for ∨PTA

However, the algorithm is exponential in the size of the pattern and produces huge

automata at each read operation, which is impractical and could be improved by

modelling sequential mono-session principals and designing a proper widening oper-

ator.

3.6 Conclusion 47

3.6 Conclusion

Formal methods have been used with some success for verifying security protocols.

Various approaches have been developed in order to prove correctness or find flaws.

Abstract interpretation is one way to manipulate the semantics for program analysis.

This is accomplished by performing simulations on a description of the data to obtain

an accurate approximation. The resulting abstract interpretation is the correct,

implementable and most accurate analysis that can be obtained. When applied to

cryptographic protocols, a number of valuable results have been obtained, such as

the tree automata and the more complex ∨-parameterized tree abstractions. In spite

of their increased popularity, a number of problems are still to be studied more in

depth. Modelling protocols as tree automata involves an exponential complexity

which makes them difficult to implement in most cases.

Chapter 4

Abstract Trace-Based Model for

Security Protocol Correctness

Abstract

In this chapter we present a new method based on abstract interpretation for se-

curity protocol (or cryptographic protocol) verification. Hence, we introduce the

notion of abstract message domain and an abstract interpretation over finite and

approximated models of security protocols. The aim of this work is to build a semi-

decidable procedure for secrecy protocol correctness. The way to achieve this goal

is to restrict a concrete model of a security protocol to a finite abstract one ac-

cording to some abstraction of the intruder knowledge. Since the model is finite, it

becomes possible to compute the finite abstract set M# of messages that the intruder

can get by running the security protocol. Given a message m, if for all x in M#,

glb(x,ma) = xuma = ⊥ then m is distinct from all messages in M and consequently

the protocol does not leak the message m.

4.1 Introduction

With the expansion of computer networks and the emergence of new technologies

such as World Wide Web and electronic commerce, security became a major concern

48

4.1 Introduction 49

for the computer research community. Accordingly, a surge of interest is devoted to

the design, implementation and analysis of security protocols [4].

During the last decade, plenty of security protocols have been devised. Many among

them have been shown flawed many years after their use. Consequently, a great deal

of interest has been expressed into the development of formal techniques for the spec-

ification, design and verification of security protocols. Furthermore, we anticipate

that the rapid expansion of distributed systems, communication networks, Internet,

web applications, etc., will certainly bring a major need in security protocols. It is

then imperative to have appropriate environments for the correct development of

these protocols [4].

Security protocols verification has known a significant progress. Burrows, Abadi

and Needham [14] introduced the notion of modal logic of belief (the BAN logic)

on security protocols more then decade ago. A new linear and modal logic for

specifying security properties has been proposed by Adi, Debbabi and Mejri [4].

The logic is compact, expressive and formal and has been used to specify classical

security protocols and electronic commerce protocols. Lowe and others introduced

the concept of model-checking and used it to successfully finding flaws in security

protocols [35, 36] with the aid of systems such as FDR [22] and NRL [38]. Some other

approaches are attempted with good results, such as the use of theorem proving by

Bolignano [9], the use of inductive rules by Paulson [49] and the use of game models

by Adi [3].

Abstract interpretation allows semantics manipulations by performing simulations

on data description in order to obtain correct, implementable and most accurate

analysis. It has been applied successfully in the verification of security protocols

and number of valuable abstract models for cryptographic protocols have been ob-

tained, such as the tree automata of Monniaux [44, 45], the ∨-parameterized tree

abstractions of Goubault-Larrecq [29], the abstract game semantics of Adi and Deb-

4.1 Introduction 50

babi [3] and the pattern-based abstraction of Lakhnech et al. [11]. Other related

approaches are Stoller’s bound on attacks [56], Heather and Schneider’s rank func-

tions [31] and Comon-Lundt’s bound on the number of agents [17].

This chapter intends to demonstrate how abstract interpretation techniques can be

applied to the problem of analyzing security protocols. In general, models created

to describe protocols are infinite. In most cases, for verification purposes, only a

finite and approximated model is required. For this reason, we consider the problem

of computing such approximation and we propose to simulate the required partial

protocol execution in an abstract level. More precisely, we define a method that

computes abstract finite models for security protocols. The abstract model is then

used to build a semi decision procedure for secrecy correctness. Unlike the other

approaches which require that the user designs himself the abstraction or manually

helps a program to compute invariants (see for instance [9]), our approach is fully

automatic from cryptographic protocol description to results and requires no user

input except the protocol description and the level of the abstraction. The latter

parameter allows the user to tune the precision of the abstraction to get the best

results while minimizing the cost of the analysis.

The remainder of this chapter is organized as follows. The next section is devoted

to the definition of a trace-based model for cryptographic protocols. The concepts

presented here, along with the propositions and proofs from the next section, are

borrowed from Adi [5]. Section 4.3 is devoted to the definition of an abstract domain

of messages and an abstraction function on messages. Our original contribution is

presented in the sections following 4.3, until the end of chapter 4. In section 4.4 we

present a way to compute abstract cryptographic protocol and abstract trace-based

models. Section 4.5 demonstrates a method for verifying the secrecy property of a

cryptographic protocols. Finally, section 4.6 contains concluding remarks.

4.2 Trace-Based Models for Security Protocols 51

4.2 Trace-Based Models for Security Protocols

The message syntax used in security protocol descriptions is captured by the follow-

ing BNF (Backus-Naur Form) grammar:

m ::= cte Constant Message

| mm′ Encrypted Message

| m.m′ Message Concatenation

| f(m) Function Application

All messages that keep constant their values along a given protocol run are consid-

ered as constants and will be abstracted to terms of the form cte. A message m

encrypted with key m′ is written mm′ and forms a message by itself. The operator

“.” is used to separate concatenated messages. All non-constant messages will be

represented as terms through functional application. We use Ax, By, etc., to denote

principals and S to denote the server. A shared key between Ax and By is repre-

sented by Kaxby . A fresh nonce N , created by a principal Ax in a protocol run σ,

is represented by the term N(Ax, σ). For convenience, messages may be annotated.

We use superscript annotations to indicate run identifiers and subscript annotations

to indicate the principal association. Accordingly, the term N(Ax, σ) will be simply

represented as NσAx. If in some context more than one nonce are needed within the

same session, they will be represented by N1(Ax, σ), N2(Ax, σ), etc. Let m,m1 and

m2 be messages. We say that m is atomic if m 6= m1.m2 and m 6= m1m2 . We

suppose that encryption keys are always atomic messages.

In the presence of a malicious intruder, a protocol can be described as a finite

sequence of statements of the form:

σ.i, Ax → I(By) : m

σ.i, I(Ax) → By : m

which state that during a protocol step i, Ax sends the message m intended for By

over the network, then By gets the message m from the network, as intended by Ax.


I(Ax) stands for the intruder playing the Ax’s role. The motivation underlying such

a notation is that we assume that the network is under the control of a malicious

smart intruder. All messages sent or received by honest principals, transit by the

intruder. This is to capture the fact that the intruder is aware of any message

circulating over the network. For the sake of convenience, we can also represent the

two above actions by a unique action σ.i, Ax → By : m.

The execution of a security protocol generates a trace consisting of a sequence of

events. Each event results from the execution of a protocol step corresponding to a

send action or a receive action. A run of a protocol is a particular execution of the

protocol. We refer to a protocol run as a session. The execution of a protocol is based

on an interleaving model in which all events, including concurrent events, occurring

during a run are interleaved to form a single trace of that execution. A protocol

trace is said to be valid if all the messages sent by the intruder could be derived

from the intruder’s cumulated knowledge (initial knowledge and received messages),

and all the involved principals respect the protocol. We assume that the intruder is

able to perform the following actions: overhear messages, intercept messages, replay

messages and generate new messages using his initial knowledge and the overheard

messages. In the following, we introduce formally the notion of protocol traces.

A protocol trace is a sequence of protocol events resulting from any interleaving

of (possibly partial) protocol runs. We have no restrictions on traces in the sense

that we support multi-session (an agent could participate in many sessions) and

multi-role (an agent can be an initiator in some sessions and responder in others).

The set T of traces is defined inductively as follows:

• ε ∈ T

• if t ∈ T and a is a protocol event then t.a ∈ T

where ε stands for the empty trace and “.” is the concatenation operator for se-

quences.


A protocol can then be modelled as a subset of traces P ⊆ T . More formally,

following Paulson’s model [49], we describe the set of protocol traces P as the closure

of a set of inductive rules. In this approach, a security protocol is modelled by a set

of rules representing protocol steps and intruder capabilities. To give an example of

such a modelling, consider a version of the Woo and Lam authentication protocol

[59]. The goal of this protocol is to authenticate the identity of the principal Ax

with respect to the principal By. To achieve this objective, the protocol uses an

authentication server S. The specification of this protocol is given in Table 4.1.

Here, Kaxs is a key shared between Ax and S and Kbys is a key shared between By

and S. The message Nσby

is a nonce generated by By during the session σ. It is used

by By to preclude the replay of messages coming from preceding sessions. The Woo

and Lam protocol traces P are built up inductively by a set of rules shown in Table

4.2.

Table 4.1: The Woo and Lam Authentication Protocol

Message σ.1. Ax −→ By : Ax

Message σ.2. By −→ Ax : Nσby

Message σ.3. Ax −→ By : NσbyKaxs

Message σ.4. By −→ S : Ax.NσbyKaxsKbys

Message σ.5. S −→ By : NσbyKbs

The inductive definition starts with the empty rule. The empty trace belongs always

to P . For each protocol step, we have a corresponding rule. For example, in the rule

Message 2, a trace t ∈ P can be extended with the event (σ.j, By → I(Ax) : Nσb )

whenever Nσb is a fresh nonce, i.e., it has not been used in t. The rule Receive states

that a principal can get a message only if it has been previously sent to her. The

rule Intruder models the capacity of the intruder to send any message built up from


Table 4.2: Woo and Lam Inductive Rules

empty ε ∈ P

Receivet ∈ P (σ.j, Ax → I(By) : m) ∈ t

t. (σ.j, I(Ax) → By : m) ∈ P

Intrudert ∈ P m ∈ Message(t)⇓

t. (σ.j, I(By) → Ax : m) ∈ P

Message 1 t ∈ Pt. (σ.j, Ax → I(By) : Ax) ∈ P

Message 2t ∈ P Nσ

b 6∈ Message(t)⇓t. (σ.j, By → I(Ax) : Nσ

b ) ∈ P

Message 3t ∈ P (σ.j, I(By) → Ax : Nσ

b ) ∈ tt. (σ.j, Ax → I(By) : Nσ

b Kas) ∈ P

Message 4t ∈ P (σ.j, I(Ax) → By : Ax) ∈ t (σ.j, I(Ax) → By : Nσ

b Kas) ∈ tt. (σ.j, By → I(S) : Ax.Nσ

b KasKbs) ∈ P

Message 5t ∈ P (I(By) → S : Ax.Nσ

b KasKbs) ∈ t

t. (σ.j, S → I(By) : Nσb Kbs

) ∈ P

where

Message(t) is the set of messages in the trace t

t is the set of components in the sequence t

4.3 Abstract Domain of Messages 55

the past traffic.

The intruder closure operation _⇓ allows us to capture the usual intruder capabili-

ties: encryption, decryption, messages concatenation and message decomposition.

Definition 4.2.1 (Closure) Let M be a set of messages. We denote by M⇓ the

closure of the set M under the conventional intruder computations. The closure M⇓

is defined as the smallest set which satisfies the following conditions:

1. M ⊆ M⇓

2. If k ∈ M⇓ and mk ∈ M⇓ then m ∈ M⇓

3. If k ∈ M⇓ and m ∈ M⇓ then mk ∈ M⇓

4. If m ∈ M⇓ and m′ ∈ M⇓ then (m,m′) ∈ M⇓

5. If (m,m′) ∈ M⇓ then m ∈ M⇓

6. If (m,m′) ∈ M⇓ then m′ ∈ M⇓

4.3 Abstract Domain of Messages

The abstract domain of messages is built as an extension of the concrete domain

by the abstract messages > and ⊥. Intuitively, the value > is used to abstract a

(possibly infinite) set of messages. For instance, the message >K stands for any

message encrypted with the key K. It is an abstraction of a (possibly infinite) set

of concrete messages encrypted with the key K. We use also the abstract message

value ⊥ to represent the empty set of messages. From now on, we note D the

concrete domain of messages and D# the abstract domain of messages.

We define an ordering relation on abstract messages ≤a that captures the notion of

approximation on messages. ∀m,m′,m1,m′1 ∈ D#:


m ≤a m

⊥ ≤a m

m ≤a >m ≤a m′ and m′ is atomic ⇒ m = m′

m ≤a m′ and m′ ≤a m′′ ⇒ m ≤a m′′

m ≤a m′ ⇔ mK ≤a m′K

m ≤a m′ and m1 ≤a m′1 ⇔ m.m1 ≤a m′.m′

1

We define a function a_,_(_) to approximate (abstract) messages. This function

takes as parameters a message m and limits l1 and l2 (which are natural numbers).

It replaces some sub-messages of m by the abstract value >. Intuitively, the functiona_,_(_) is used to prune the algebraic structure of a message while keeping the

external form of that message. The value l1 acts on the depth of encryptions in a

message while the value l2 acts on the depth of concatenations. Note that similar

approaches have been used for other purposes. See for instance, k-limiting in may-

alias analysis [20] and Abstract rewriting [8].

Definition 4.3.1 (Abstraction Function) The abstraction function a_,_(_) is

defined as follows:

a : N× N×D# −→ D

al1,l2(m) = m if m is atomic

al1,l2(m.m′) = al1,l2−1(m).al1,l2−1(m′) if l2 ≥ 1

al1,l2(mm′) = al1−1,l2(m)m′ if l1 ≥ 1

al1,0(m.m′) = >a0,l2(mK) = >al1,l2(>) = >al1,l2(⊥) = ⊥


From now on, when l1 and l2 are understood, we write simply ma instead of al1,l2(m).

The following proposition establishes a relation between the values of l1 and l2 and

the precision of the abstraction. As we may expect, the precision of the abstraction

increases when the values of l1 and l2 increase.

Proposition 4.3.2 Let m ∈ D#, l1, l2, l′1 and l′2 four natural numbers such that

l1 ≥ l′1 and l2 ≥ l′2, then:

al1,l2(m) ≤a al′1,l′2(m)

Proof:

The proof is by structural induction on m.

• m is atomic:

al1,l2(m) = m ≤a m = al′1,l′2(m) (4.1)

• m = m1.m2: We distinguish the following cases:

– l′2 = 0:

al1,l2(m) ≤a > = al′1,0(m) = al′1,l′2(m) (4.2)

– l′2 6= 0:

By definition of the function a we have:

al1,l2(m) = al1,l2−1(m1).al1,l2−1(m2) (4.3)

By induction hypothesis, we have:

al1,l2−1(m1) ≤a al′1,l′2−1(m1)

al1,l2−1(m2) ≤a al′1,l′2−1(m2)(4.4)

By definition of the ordering and 4.4, we have:

al1,l2−1(m1).al1,l2−1(m2) ≤a al′1,l′2−1(m1).al′1,l′2−1(m2) (4.5)

By definition of the function a and 4.5, we have:


al1,l2(m1.m2) = al1,l2(m) ≤a al′1,l′2(m) = al′1,l′2(m1.m2) (4.6)

• m = m1K : we distinguish the following cases

– l′1 = 0:

al1,l2(m) ≤a > = a0,l′2(m) = al′1,l′2(m) (4.7)

– l′1 6= 0:

By definition of the function a we have:

al1,l2(m) = al1−1,l2(m1)K (4.8)


al1−1,l2(m1) ≤a al′1−1,l′2(m1) (4.9)


al1−1,l2(m1)K ≤a al′1−1,l′2(m1)K (4.10)

By definition of the function a we deduce:

al1,l2(m) ≤a al′1,l′2(m) (4.11)

2

The following proposition states that the abstraction function a_,_(_) is extensive.

This means, as a generic definition, that a function produces an output that is

greater then the input value. In our case, it translates the ordering relation into

another precision result: the abstracted message can not be more precise than the

original message.

Proposition 4.3.3 The abstraction function a_,_(_) is extensive, i.e.:

∀m ∈ D#, ∀l1, l2 ∈ N : m ≤a al1,l2(m) (4.12)


Proof:

Let m ∈ D# and let l1 and l2 be two natural numbers. The proof is by

structural induction on m.

• m is atomic:

m ≤a m = al1,l2(m) (4.13)

• m = m1.m2: By induction hypothesis, we have:

m1 ≤a al1,l2(m1)

m2 ≤a al1,l2(m2)(4.14)


m1.m2 ≤a al1,l2(m1).al1,l2(m2) (4.15)

By definition of a, we have:

al1,l2(m1).al1,l2(m2) = al1,l2+1(m1.m2) (4.16)

By 4.15 and 4.16, we have:

m1.m2 ≤a al1,l2+1(m1.m2) (4.17)

By the proposition 4.3.2, we have

al1,l2+1(m1.m2) ≤a al1,l2(m1.m2) (4.18)


m1.m2 ≤a al1,l2(m1.m2) (4.19)

• m = m1K : By induction hypothesis, we have:

m1 ≤a al1,l2(m1) (4.20)


By definition of the ordering, we have:

m1K ≤a al1,l2(m1)K (4.21)

By definition of a, we have:

m1K ≤a al1+1,l2(m1K) (4.22)

By the proposition 4.3.2, we have:

al1+1,l2(m1K) ≤a al1,l2(m1K) (4.23)

By 4.22 and 4.23, we deduce:

m1K ≤a al1,l2(m1K) (4.24)

2

The following proposition states that the abstraction function a_,_(_) is idempotent.

This property can be interpreted as the fact that all the abstracted information is lost

at once. One abstraction is then equivalent to two or more successive abstractions,

as they produce the same result.

Proposition 4.3.4 The abstraction function a_,_(_) is idempotent, i.e.:

a a = a (4.25)

Proof:



• m is atomic:

al1,l2(al1,l2(m)) = m = al1,l2(m) (4.26)


• m = m1.m2. By definition of a, we have:

al1,l2(al1,l2(m1.m2)) = al1,l2−1(al1,l2−1(m1)).al1,l2−1(al1,l2−1(m2))

(4.27)


al1,l2−1(al1,l2−1(m1)) = al1,l2−1(m1)

al1,l2−1(al1,l2−1(m2)) = al1,l2−1(m2)(4.28)


al1,l2(al1,l2(m1.m2)) = al1,l2−1(m1).al1,l2−1(m2) (4.29)

By definition of a and 4.29, we deduce:

al1,l2(al1,l2(m1.m2)) = al1,l2(m1.m2) (4.30)

• m = m1K . By definition of a, we have:

al1,l2(al1,l2(m1K)) = al1−1,l2(al1−1,l2(m1))K (4.31)


al1−1,l2(al1−1,l2(m1)) = al1−1,l2(m1) (4.32)


al1,l2(al1,l2(m1K)) = al1−1,l2(m1)K (4.33)


al1,l2(al1,l2(m1K)) = al1,l2(m1K) (4.34)

2


In the sequel we prove that the abstraction function a_,_(_) is monotone. First, we

have to prove technical lemmas which state that the size of an abstracted message

can be smaller than or equal to the size of the original message. The intuition is

that the abstraction leads to loss of detail, which is reflected in the contracted depth

and width of the resulting message. The equality corresponds to the special case of

the original and the abstracted message being the same.

Lemma 4.3.5 ∀m ∈ D#, ∀l1, l2 ∈ N : |al1,l2(m)| ≤ |m|

Proof:



• m is atomic. By definition al1,l2(m) = m, then we have:

|al1,l2(m)| = |m| ≤ |m| (4.35)

• m = m1.m2. By definition of a, we have:

al1,l2(m1.m2) = al1,l2−1(m1).al1,l2−1(m2) (4.36)

By 4.36 and the definition of |_|, we have:

|al1,l2(m1.m2)| = |al1,l2−1(m1)|+ |al1,l2−1(m2)|+ 1 (4.37)


|al1,l2−1(m1)| ≤ |m1||al1,l2−1(m2)| ≤ |m2|

(4.38)

By 4.38, we have:

|al1,l2−1(m1)|+ |al1,l2−1(m2)|+ 1 ≤ |m1|+ |m2|+ 1 (4.39)

By 4.39 and the definition of |_| we have:


|al1,l2−1(m1).al1,l2−1(m2)| ≤ |m1.m2| (4.40)

By 4.40 and the definition of a we have:

|al1,l2(m1.m2)| ≤ |m1.m2| (4.41)

• m = m1K . By definition of a, we have:

al1,l2(m1K) = al1−1,l2(m1)K (4.42)

By 4.42 and the definition of |_|, we have:

|al1,l2(m1K)| = |al1−1,l2(m1)|+ 1 (4.43)


|al1−1,l2(m1)| ≤ |m1| (4.44)

By ≤ property and 4.44 we have:

|al1−1,l2(m1)|+ 1 ≤ |m1|+ 1 (4.45)

By 4.45 and the definition of |_| we have:

|al1−1,l2(m1)K | ≤ |m1K | (4.46)

By 4.46 and the definition of a we have:

|al1,l2(m1K)| ≤ |m1K | (4.47)

2

Lemma 4.3.6 ∀m ∈ D#, ∀l1, l2 ∈ N : |al1,l2(m)| = |m| ⇒ al1,l2(m) = m

Proof:




• m is atomic. By definition of a, we have:

al1,l2(m) = m

• m = m1.m2. By definition of a and |_| operator, we have:

|m1.m2| = |m1|+ |m2|+ 1

|al1,l2(m1.m2)| = |al1,l2−1(m1)|+ |al1,l2−1(m2)|+ 1(4.48)

By hypothesis and 4.48, we deduce:

|al1,l2−1(m1)|+ |al1,l2−1(m2)| = |m1|+ |m2| (4.49)

By lemma 4.3.5 and 4.49, we deduce:

|al1,l2−1(m1)| = |m1||al1,l2−1(m2)| = |m2|

(4.50)

By induction hypothesis and 4.50, we deduce:

al1,l2−1(m1) = m1

al1,l2−1(m2) = m2

(4.51)

By definition of a and 4.51, we have:

al1,l2−1(m1).al1,l2−1(m2) = al1,l2(m2.m2) = m1.m2 (4.52)

• m = m1K . By definition of a and |_| operator, we have:

|al1,l2(m1K)| = |al1−1,l2(m1)K | = |al1−1,l2(m1)|+ 1

|m1K | = |m1|+ 1(4.53)

By hypothesis and 4.53, we deduce:

|al1−1,l2(m1)| = |m1| (4.54)

By induction hypothesis and 4.54, we deduce:


al1−1,l2(m1) = m1 (4.55)


al1,l2−1(m1)K = al1,l2(m1K) = m1K (4.56)

2

Propositions 4.3.3 and 4.3.4 and lemmas 4.3.5 and 4.3.6 indicate that two abstracted

messages will be in the same order as the original ones. This property, called

monotony, can be interpreted as the fact that the abstraction process preserves

the soundness of the approximation.

Proposition 4.3.7 The abstraction function a_,_(_) is monotone, i.e.:

∀m,m′ ∈ D#, ∀l1, l2 ∈ N : m ≤a m′ ⇒ al1,l2(m) ≤a al1,l2(m′) (4.57)

Proof:

Let m, m′ ∈ D# such that m ≤a m′. Let l1 and l2 be two natural numbers.

The proof is by induction on H = |m|:

• H = 0. This means that m is atomic. We have two cases

– m′ = m.

al1,l2(m) = m ≤a m′ = al1,l2(m′) (4.58)

– m′ = >. By definition of the relation ≤a and a, we have:

al1,l2(m) = m ≤a > = al1,l2(>) = al1,l2(m′) (4.59)

• H = n. By the proposition 4.3.3, we have:

m′ ≤a al1,l2(m′) (4.60)


Since m ≤a m′ and by 4.60, we deduce:

m ≤a al1,l2(m′) (4.61)

By the lemma 4.3.5, we have two cases:

– |al1,l2(m)| < |m|, then by induction hypothesis, we have:

al1,l2(al1,l2(m)) ≤a al1,l2(m′) (4.62)

By proposition 4.3.4 and 4.62, we have:

al1,l2(m) ≤a al1,l2(m′) (4.63)

– |al1,l2(m)| = |m|. By lemma 4.3.6, we deduce that:

al1,l2(m) = m (4.64)


al1,l2(m) ≤a al1,l2(m′) (4.65)

2

As defined in chapter 3, a function f is an upper closure with respect to the ordering

relation if and only if f is monotone, extensive and idempotent. The abstraction

function has all these properties. Intuitively, we can acknowledge that the initial

ordering relation is preserved on the set of abstracted messages.

Corollary 4.3.8 The abstraction function a_,_(_) is an upper closure on the ab-

stract domain of messages with respect to the ordering relation ≤a.

Proof:

The proof is immediate from the propositions 4.3.3, 4.3.4 and 4.3.7 2


For example, let x = m1.m2.m3K1 .m4K2 .m5K3 .m6K4 be a message and let

l1 = 2, l2 = 4. The messages m1, m2, m3, m4, m5, m6 are atomic messages and

K1, K2, K3, K4 are cryptographic keys. Then, message x is abstracted by the ab-

straction function a_,_(_) in the following manner:

a2,4(x) = a1,4(m1.m2.m3K1 .m4K2 .m5K3 .m6)K4

= a1,3(m1).a1,3(m2.m3K1 .m4K2 .m5K3 .m6)K4

= m1.a1,2(m2.m3K1).a

1,2(m4K2 .m5K3 .m6)K4

= m1.a0,2(m2.m3)K1 .a1,1(m4K2 .m5K3).a

1,1(m6)K4

= m1.a0,1(m2).a0,1(m3)K1 .a0,1(m4K2 .m5)K3 .m6K4

= m1.m2.m3K1 .a0,0(m4K2).a0,0(m5)K3 .m6K4

= m1.m2.m3K1 .>.m5K3 .m6K4

Let m,m′ be messages. We define the size of a message, written |_| as follows:

• if m is atomic then |m| = 0

• |m.m′| = |m|+ |m′|+ 1

• |mm′| = |m|+ 1

The following proposition states that the abstraction function a_,_(_) bounds the

size of messages.

Proposition 4.3.9 Let m be a message, l1 and l2 be two natural numbers then:

|al1,l2(m)| ≤ 2l1+l2 − 1

Proof:

The proof is by structural induction on m.

• m is atomic. By definition al1,l2(m) = m, then we have:

|al1,l2(m)| = |m| = 0 ≤ 2l1+l2 − 1 (4.66)


• m = m′K . By definition of the abstraction function a, we have:

al1,l2(m′K) = al1−1,l2(m′)K (4.67)

By definition of the operator |_| and 4.67, we have:

|al1,l2(m′K)| = |al1−1,l2(m′)|+ 1 (4.68)


|al1−1,l2(m′)| ≤ 2l1−1+l2 − 1 =2l1+l2 − 2

2≤ 2l1+l2 − 2 (4.69)

By 4.67, 4.68 and 4.69, we deduce:

|al1,l2(m′K)| ≤ 2l1+l2 − 1 (4.70)

• m = m1.m2. By definition of the abstraction function a, we have:

al1,l2(m1.m2) = al1,l2−1(m1).al1,l2−1(m2) (4.71)

By definition of the operator |_| and 4.71, we have:

|al1,l2(m1.m2)| = |al1,l2−1(m1)|+ |al1,l2−1(m2)|+ 1 (4.72)


|al1,l2−1(m1)| ≤ 2l1+l2−1 − 1

|al1,l2−1(m2)| ≤ 2l1+l2−1 − 1(4.73)

By 4.72, 4.73, we deduce:

|al1,l2(m1.m2)| ≤ (2l1+l2−1 − 1) + (2l1+l2−1 − 1) + 1 = 2l1+l2 − 1 (4.74)

2


The intruder closure operation captures the usual intruder capabilities: encryption,

decryption, message concatenation and message decomposition. Given a finite set

of messages M , two natural numbers l1, l2, we define an abstract closure of M noted

M#⇓ , as the smallest set satisfying:

• If m ∈ M then al1,l2(m) ∈ M#⇓

• If K ∈ M#⇓ and mK ∈ M#

⇓ then al1,l2(m) ∈ M#⇓

• If m.m′ ∈ M#⇓ then al1,l2(m) ∈ M#

⇓

• If m.m′ ∈ M#⇓ then al1,l2(m′) ∈ M#

⇓

• If m ∈ M#⇓ and K ∈ M#

⇓ then al1,l2(mK) ∈ M#⇓

• If m ∈ M#⇓ and m′ ∈ M#

⇓ then al1,l2(m.m′) ∈ M#⇓

The next proposition establishes the finiteness of a set of messages under particular

conditions.

Proposition 4.3.10 Let M be a set of messages such that the set of atomic mes-

sages in M is finite. If the depth of each message in M is bounded then the set M

is finite.

Proof:

Let |M | = Max|m| | m ∈ M be the maximum length of the messages

in M (a bound). The proof is by induction on |M |.

• |M | = 0. We deduce that each message in M is atomic. By hypothesis,

we conclude that M is finite.

• |M | = n > 0. Let M = M1∪M2 such that |M1| = n−1 and M2 = m ∈M | |m| = n. By induction hypothesis, we have:

M1 is a finite set (4.75)


Let m ∈ M2. Since |m| = n > 0, we have the two following cases:

m = m1K ∧ |m1| = n− 1

m = m1.m2 ∧ |m1| < n ∧ |m2| < n(4.76)

We build the set M ′ as follows:

m1K ∈ M2 ⇒ m1,K ⊆ M ′

m1.m2 ∈ M2 ⇒ m1,m2 ⊆ M ′(4.77)

Since the encryption keys are atomic messages, then, by 4.76, we deduce

that:

|M ′| < n (4.78)


M ′ is a finite set (4.79)

We build the set M ′′ as follows:

m1,K ⊆ M ′ ⇒ m1K ∈ M ′′

m1,m2 ⊆ M ′ ⇒ m1.m2 ∈ M ′′(4.80)


M2 ⊆ M ′′ (4.81)


M ′′ is finite (4.82)


M2 is finite (4.83)

By 4.75 and 4.83, we deduce that:

4.4 Simulating Cryptographic Protocol Runs 71

M is finite (4.84)

2

In general, the intruder closure operation leads to an infinite set of messages. The

abstraction process gives us a way to obtain an abstract finite representation. The

following proposition states that M#⇓ is a finite set.

Proposition 4.3.11 Let M be a finite set of messages. Then M#⇓ is finite.

Proof:

Since M is finite, then:

m ∈ M | |m| = 0 is finite (4.85)

Let m ∈ M#⇓ , by the definition of M#

⇓ and Proposition 4.3.9, we have:

|m| ≤ 2l1+l2 − 1 (4.86)

By 4.85, 4.86 and Proposition 4.3.10, we deduce that M#⇓ is finite.

2

In the sequel, we define an abstract semantics for security protocols. This new

semantics is used to approximate execution models of protocols. The obtained

abstract models are then used to decide if security protocols satisfy the secrecy

property with respect to a sensitive message.

4.4 Simulating Cryptographic Protocol Runs

The intruder can use the protocol in two different ways. The first involves a passive

attack on the protocol. It allows the intruder to intercept messages that will add

new information to his knowledge. However, not all the new data is necessarily

useful, as we will prove in this section. The second way of benefiting from protocol


runs is called protocol instrumentation. The intruder sends certain data expecting

a valuable message in response. We analyze in the following what would be helpful

for an intruder that tries to build an attack. The intruder can use his concatenation

and decomposition abilities at any time, as they don’t depend on the value of the

information. However, he might try to encrypt or decrypt messages with keys that

he does not possess. For instance, we consider the following protocol:

Message σ.1. Ax −→ By : Nσax

Message σ.2. By −→ Ax : NσaxKaxby

The intruder instruments the protocol as follows. He knows that the message trans-

mitted during the second step is an encryption of the first message with a session key

that he does not know. By playing the role of the initiator agent, he introduces the

piece of data, possibly from a different session, that he wants encrypted. In return,

he receives information that he could not derive from his knowledge set using the

standard closure capabilities. Of course, it is sometimes sufficient to run a proto-

col sequence, rather then a complete session. This observation allows the presence

of partial runs in the trace modeling the intruder’s behavior. The same approach

can be used for having messages decrypted by unsuspecting agents as shown in the

following protocol:

Message σ.1. Ax −→ By : NσaxKaxby

Message σ.2. By −→ Ax : Nσax

4.4.1 Abstracting Atomic Messages

Our aim is to compute the intruder’s knowledge in a parallel multi-session protocol

run. Unfortunately, as shown in previous sections, the model capturing such be-

havior is infinite and uses an unbounded number of principals. As it is impossible

to simulate such models, we introduce in the following a safe computable upper

approximation of the intruder’s knowledge.


4.4.1.1 Abstracting Agent Names

We use a finite set of constants A, B, · · · to denote agent names. This set of agent

identities is sufficient for modelling any protocol execution, including multi-sessions

and masquerading or impersonation attacks. Each constant abstracts a (possibly

infinite) set of agent names. For instance, for a protocol step σ.i.Ax −→ By : Ax, the

agent name A will be used to abstract the (possibly infinite) set of initiator agents

Ax. This abstraction is correct since it overestimates the intruder’s knowledge. We

conclude that if the intruder can get A, then he can get any agent name Ai, i ∈N running the concrete communication protocol as initiator. We make the same

assumption about the responder. Usually, only three constants are employed: A, B,

and S, where S abstracts a server name for protocols that involve one.

4.4.1.2 Abstracting Keys

Each agent has one pair of public-private keys. Public keys are considered known to

all potential agents participating in a protocol run, including the intruder. Therefore,

we assert that all public keys associated with agent names are part of the intruder’s

initial knowledge. For instance, the constant Kb abstracts the concrete public key

Kby of an agent named By. The private keys are the inverses of the public keys.

They are not part of the intruder’s initial knowledge and are never transmitted

during the protocol run. As a consequence of the number of agents being bounded,

the number of their public and private keys is a finite set.

Session keys are variables that are shared by agents for the duration of one session

only. We will abstract the session keys by a constant for any pair of agents. The

rationale behind this is that if the intruder is able to get an exchanged session key

in a particular session σ of a protocol run, then he can get the session keys used in

any other session of the protocol run.


4.4.1.3 Abstracting Nonces

Nonces are fresh messages unique to a particular session. Since we are interested

in secrecy, we will abstract away from the notion of message-freshness and consider

these messages as constants for all sessions of the protocol. The intuition is that if

the intruder is able to get an exchanged nonce in a particular session σ of a protocol

run, then he can get the same nonce in any other session of the protocol run. Hence,

the nonce Nσax

is abstracted by the atomic constant message Na. This abstraction

is an overestimation of the intruder capabilities and therefore it is correct for our

analysis.

We consider that the intruder owns a nonce Ni that is part of his initial knowledge.

Ni is a constant atomic message. Since there is no way for a regular agent to check

the value of a nonce created by any other agent, including the intruder, we empower

the intruder to re-use the same nonce Ni in any protocol session.

All the atomic messages other than those already introduced are abstracted by

constant values cte, as the security properties depend only on the keys and nonces.

4.4.2 Abstracting Protocols

Let P be the following authentication protocol:

Message σ.1. Ax −→ By : Ax.NσaxKby

Message σ.2. By −→ Ax : NσaxKax

Let l1 and l2 be two natural numbers. To abstract protocol specifications, we intro-

duce an abstraction function, noted Ψ. In the remainder of the chapter, we denote

by P# = Ψ(P) the abstract protocol, where P is a concrete protocol and l1 and l2

are two natural numbers. We define Ψ as follows:


Ψ((σ.i. X → Y : m). P) = (i. Ψ(X) → Ψ(Y ) : Ψ(m)). Ψ(P)

Ψ(m1m2) = al1,l2(Ψ(m1)Ψ(m2))

Ψ(m1.m2) = al1,l2(Ψ(m1).Ψ(m2))

Ψ(Ax) = A

Ψ(By) = B

Ψ(S) = S

Ψ(Nσax

) = Na

Ψ(Kax) = Ka

Ψ(K−1ax

) = K−1a

Ψ(Kaxby) = Kab

Ψ(Kσaxby

) = Kab

Ψ(x) = cte otherwise

If we fix the values of l1 = 1 and l2 = 1, the above protocol is then abstracted as:

Message 1. A −→ B : A.NaKb

Message 2. B −→ A : NaKa

A simulated run of P# reveals that the abstract intruder’s knowledge with limits

l1 = 1 and l2 = 1 is Ni, A.NaKab, NaKab

, which means that the nonce Na is

never revealed by the abstract protocol. This means that Nσax

is secret in P.

Let t = a1.a2. . . . be a (possibly infinite) trace where ai is a communication action.

In order to determine the abstracted knowledge of the intruder, we fix the values of

l1 and l2. The abstraction of each individual action produces an abstracted protocol

step. The sequence of all abstracted actions defines the abstracted trace t#. To

generate an abstract trace t# from an abstract protocol P#, we can use a modified

version of the Paulson’s inductive rules [49] by applying the abstraction function

a_,_(_) to each exchanged message and replace the intruder closure function _ ⇓by the abstract version _#

⇓ .


Let t be the following trace:

t = (σ.1. A1 → I(B1) : A1).

(σ.1. I(A1) → B1 : A1).

(σ.2. B1 → I(A1) : Nσb1

.A1.B1).

(σ.2. I(B1) → A1 : m).

(σ.3. A1 → I(B1) : mKa1s)

where m is part of the intruder knowledge. For l1 = 1 and l2 = 1, the abstracted

trace t# is:

t# = (1. A → I(B) : A).

(1. I(A) → B : A).

(2. B → I(A) : Nb.>).

(2. I(B) → A : ma).

(3. A → I(B) : maKas)

Given a trace t and a finite set of intruder’s initial knowledge KI , then the intruder

knowledge associated with the abstract trace t#, noted IK(t#), is generated by the

relation |∼ defined in Table 4.3.

Table 4.3: Abstract Intruder Knowledge Generation from Abstract Traces

Initε |∼ KI

#⇓

Get knowledget# |∼M

t#. (i. A → B : ma) |∼ M ∪ma

The following proposition states that the abstract trace model t# for an abstract

protocol P# is finite, i.e. has a finite number of actions.


Proposition 4.4.1 (Finiteness) Let P be a cryptographic protocol and let P# be

the corresponding abstracted protocol. Then, the multi-session, multi-role trace exe-

cution model t# of P# is finite.

Proof:

As stated in section 4.2, a trace can be extended with an event a whenever the

message transmitted during that action is fresh. We will prove that, because

of the protocol abstraction, the number of distinct messages that can be issued

is bounded.

The abstraction of atomic messages bounds the number of agents, keys (public

and session) and nonces. Henceforth, we denote by Nbatoms their total number.

We remind the reader that the inductive rules that can lead to a trace extension

are Receive and Intruder (Table 4.2). They define how the intruder can increase

his knowledge set either by intercepting messages and decomposing them, or

by building new messages from pieces of information that he already possesses.

We fix l1 and l2 and adapt the two rules to our abstracted trace model t#. In

the following, we analyze their effect on the abstracted protocol runs.

The Receive rule is modified to reflect that the intruder can only obtain ab-

stracted messages ma. Likewise, the Intruder rule is changed to indicate that

the intruder can only send ma. The size of those messages, |ma| is limited, as

shown in Proposition 4.3.9:

|ma| ≤ 2l1+l2 − 1

The intuition is quite simple: if, for any message size between 0 and 2l1+l2−1,

the number of messages is bounded, then there is a limited number of possible

messages ma.

Let m, m′ and m′′ be atomic messages. The total number of messages of

size 0 (atomic messages) is Nbatoms. For the messages of size 1, we have to

4.5 Verification of Secrecy Correctness 78

count both encryptions and concatenations of atoms. For each of them, the

number is (Nbatoms)2. So, the total number of possible messages of size 1

is 2 × (Nbatoms)2. For size 2, the computations become more complex. We

have several different combinations of operations on atoms that can produce

messages of size 2: m.m′.m′′, m.m′′′m, m′m′′m, m.m′′′m and m′m.m′′.

For each of them, there can be (Nbatoms)3 possible messages. Consequently,

the total number of messages of size 2 is 5 × (Nbatoms)3. The reasoning can

be continued until size 2l1+l2 − 1 is reached. For each size s ∈ [0, 2l1+l2 −1], there will be an increasing number of combinations of messages, each of

them with (Nbatoms)s possible messages. Although the total number increases

dramatically, it is still finite.

Since the number of messages that can be sent or received by the intruder

is bounded, there is a limited number of inductive rules that describe the

corresponding actions. Therefore, a new event that denotes the transfer of

an already transmitted message cannot be added to the abstracted trace t#,

which is then rendered finite.

2

4.5 Verification of Secrecy Correctness

Secrecy is the fact of keeping secret a given piece of information. This aspect of

security is certainly the oldest and the best known. We say that a protocol preserves

the secrecy of one of its parameters if it does not leak any information about these

parameters during its execution. The parameters of the protocol that have to be

kept secret can be cryptographic keys, nonces, or any other sensitive data. For

instance, the following protocol does not guarantee the secrecy of the message m

since the key used to encrypt m has been made public.

σ.1 Ax → By : Kaxby

σ.2 By → Ax : mKaxby

4.6 Conclusion 79

In the following we give a sufficient condition to check if a protocol preserves the

secrecy of a message.

Definition 4.5.1 (Secrecy) Given a security protocol P and a sensitive message

m, we say that P guarantees the secrecy of m if:

∀x ∈ IK(t#) : x uma = glb(x,ma) = ⊥

where t# is the finite abstract trace generated from the abstract protocol P#.

It is clear that with our definition, we can build only a semi-decidable procedure

since if there exists x ∈ IK(t#) such that x uma 6= ⊥, we cannot decide that the

protocol contains a secrecy flaw.

4.6 Conclusion

The main intent of the study presented in this chapter is to characterize the verifica-

tion of the secrecy property as an abstract interpretation of cryptographic protocols.

We employed a model that has been defined by Adi [5]. However, his abstraction

involves category theory while our approach uses traces. The abstract model was

defined by the means of a finite abstract trace that models all of the potential in-

truder behaviors. The model was applied to approximate the unbounded space of

intruder knowledge to a finite one. This information was then used to decide if the

security protocol satisfies the secrecy property for sensitive data. The way to achieve

this goal is to restrict the concrete protocol trace to a finite abstract one according

to some abstraction of the intruder knowledge. The approximation is correct with

respect to the original protocol execution, as it overestimates the capabilities of the

intruder. Since the abstract trace is finite, it becomes possible to compute the finite

abstract set M# of messages that the intruder can get by running a security protocol

P. Given a message m, if for all x in M#, glb(x,ma) = x uma = ⊥ then m is not

included in M and consequently P does not leak the message m.

Chapter 5

Formal Reasoning for Security

Protocol Correctness

Abstract

In this chapter we address security protocol correctness with respect to secrecy and

present a formal reasoning for evaluating such correctness. The proposed framework

includes a comprehensive analysis and a bounding model for multi-session attacks

that is sufficient for our correctness proofs. We examine the possible behavior of the

intruder during a protocol run and draw conclusions about how his knowledge evolves

and what actions he can take to gain as much information as possible for building

winning strategies for an attack. Our approach leads to simple and intuitive proofs

that can easily be automated.

5.1 Introduction

Formal analysis of security protocols has advanced from basic verification methods

to very complex automated techniques. The logic of authentication of Burrows,

Abadi and Needham [14] is enriched by new results such as the linear and modal

logic for specifying security properties advanced by Adi et al. [4]. Paulson applied

the idea of inductive rules as models for security protocols [49]. This idea was

80

5.1 Introduction 81

further developed by Millen in [39]. Lowe in [34, 36] was the first to use CSP

[32] and model-checking techniques for cryptographic protocol analysis. Similar

approaches were developed by Roscoe, Gardiner, Jackson and Hulance in [25, 26,

52], Schneider in [54] and Meadows [38]. Abadi and Gordon [1] advanced Spi, a

calculus for cryptographic protocols. Spi is built on top of the π-calculus [40, 41],

a mobile process algebra. It has been devised for the description and analysis of

security protocols. In [42, 43, 55] Mitchell et al. used the general-purpose state

enumeration tool Murφ [18]. Other successful approaches are the use of theorem

proving by Bolignano [9], game semantics [3] by Adi and Debbabi and strand spaces,

by Thayer, Herzog and Guttman [23, 30]. Abstract models have been successfully

used for protocol correctness in studies such as Lakhnech’s hat-messages abstraction

[11], Stoller’s bound on attacks on authentication protocols [56] and Comon-Lundt’s

bound on agents number [17]. However, some of the restrictions imposed by the

models limit the applicability of the conclusions to certain classes of protocols. For

instance, Stoller uses the strand model for proving both secrecy and authentication,

but imposes serious constraints on the encryption depth.

The aim of our research is to explore correctness in security protocols with respect

to various security properties, such as secrecy. The main challenge for protocol

correctness is the fact that real-world protocol simulations produce infinite models.

We overcome this inconvenient by choosing appropriate models. Our methodology

proposes a blend of concepts such as impasses, spawned sessions, intruder strategies

and attack scenarios etc. Impasses denote steps where the intruder does not have

enough knowledge to build the message he needs to send in order to continue a

protocol run. In this case, he can search for additional information in one or several

other sessions. We call these potentially useful protocol executions spawned sessions.

In case the information needed is found, it is added to the intruder’s knowledge set

and it helps him to solve the impasse. Our analysis reveals that, after a finite number

of spawned-session levels, the candidate sessions are the same as the ones on the

previous levels. We exhibit a bound on the number of sessions by abstracting all

5.2 Definitions and Assumptions 82

the subsequent runs of the session types already included. The intruder’s knowledge

becomes a finite set for which we define the necessary conditions for secrecy. Our

model doesn’t involve any assumptions about the nonces, the number of sessions,

the size of messages or the encryption levels allowed.

The remainder of this chapter is organized as follows. Section 5.2 defines the environ-

ment in which security protocols are analyzed. Section 5.3 presents the capabilities

of the intruder. Section 5.4 is devoted to the formalization the secrecy property.

Section 5.5 presents our methodology. Section 5.6 exhibits bounds on our security

models that are sufficient to ensure protocol correctness. We present an application

of our research in section 5.7. Finally, Section 5.8 provides concluding remarks on

this work and discusses future research.

5.2 Definitions and Assumptions

A communication protocol is an orderly defined sequence of interactions between en-

tities designed to govern communications in a distributed system. Security protocols

are a subclass of communication protocols that specify a precisely defined sequence

of messages using cryptographic techniques in order to achieve security objectives.

The security services to be provided are authentication of agents, secrecy, integrity,

anonymity, non repudiation, establishment of session keys and so on.

Our analysis is done on public key protocols that involve two principals using

only their public and private keys for encryption operations. This approach leads

to results that are relatively easy to prove and comprehend, but are general enough

to be readily extensible to more complex environments. We employ some of the

commonly used notations. The legitimate participants to a protocol P, called agents

or principals, are part of a finite set A of nodes that are able to communicate with

each other. The basic syntax agreed upon by most researchers denotes the agents

by A and B. A and B are two parties wishing to communicate in a secure way.

The intruder will be represented by I. Each agent executes a well-defined algorithm


consisting of a finite number n of steps (protocol length) for an instance of a protocol

run (session). The set of all possible sessions that can be established between two

agents is denoted by S. Whenever a session needs to be distinctly introduced, it will

be identified by a letter of the Greek alphabet: α, β, . . . The set of all messages that

can be exchanged by agents during the communication act is denoted by M. The

public key of A is KA and the private one is its inverse, K−1A . A message m ∈ M

encrypted by the key K is noted mK . The communication steps are described by

the following syntax:

Message number. Agent1 → Agent2 : Message

where Agent1, Agent2 ∈ A, Message ∈M and 0 < number ≤ n.

The smallest possible messages, that cannot be further divided into components,

are called atomic messages or atoms. We divide the atoms into several categories as

follows:

• identity : agent identities are represented by A, B, I; I(C) denotes the intruder

trying to play the role of C, but it is just an abuse of the notation, in fact it

still represents the intruder

• key : KA, KB, KI , K−1A , K−1

B , K−1I denote the public and private keys of the

agents and the intruder

• nonce: nonces issued by agents A,B and I respectively are denoted by NA, NB, NI

• varia: we gather under the same category some constant atoms that are

included in the messages in some protocols, like e-commerce ones, to allow

supplemental verifications and correct identification, such as name, address,

gender etc.

• timestamp: TA, T ′A, TB etc, stand for a timestamps issued by agents A, B etc.

in order to allow recentness challenges


• confidential : secret content that has to be readable by the intended partici-

pant(s) only; session keys are included here, too.

The above classification is open and by all means not exhaustive. New categories

can be added if there is a need to identify a particularity of an atomic message.

The atoms in the identity, key and varia categories have constant values, as they

do not change from one execution to the other. The others (from nonce, timestamp

and confidential categories) vary for each new session. They are generated by the

agents specifically for that protocol run and have an intended lifespan of one session

only. Except for the intruder, agents will not try to reuse them. We call the session

specific messages variable messages.

A role is a protocol abstraction that accounts for the actions of a particular agent.

For a protocol with two agents we can identify the role of the initiator and the role

of the responder. We represent by P(A,B) a session of the protocol P where A is

the initiator and B is the responder. However, a finer distinction is needed for our

purpose and we define two roles within each protocol step: the sender role and the

receiver role. If, for instance, during step i of a session σ, the message Mσi is sent

by the sender seσi to the receiver reσ

i , we identify two roles:

R(seσi ) = reσ

i !Mσi (5.1)

and

R(reσi ) = seσ

i ?Mσi (5.2)

where the symbol “!” denotes a send operator and “?” denotes a receive operator.

The design and implementation of security protocols take into account the poten-

tial behavior of the agents under any circumstances. There are a consistent number

of well-documented approaches, all aimed at suiting the particular needs of the de-

signer. Among them, the most notable are the principles for prudent engineering

practice of Abadi and Needham [2], the heuristics in the lesson of Woo and Lam

[59], the robustness principles of Anderson and Needham [7] and the limitations

5.3 Intruder’s Knowledge 85

presented by Syverson in [57].

We make the assumption that the cryptographic primitives used by various algo-

rithms are perfect, in the sense that the encryption systems cannot be broken by a

malicious intruder. Sessions and steps are clearly identified in order to distinguish

particularities of a protocol run. Session keys are valid for the duration of one session

only and expire, so they cannot be reused by the agents once a session is complete.

Private keys and secrets are never sent in clear, in order to prevent interception by

the intruder. Disjoint encryption is also assumed: any two messages of a protocol P

have distinct formats, so that they cannot be reused by the intruder for a different

step than the one during which they originated. We recommend signing a message

with a private key before the encryption of that message. Our model supports mes-

sage signing with private keys after it has been encrypted, but does not advise to

use it, as it can lead to authentication attacks.

We add a couple of remarks regarding the roles and knowledge gain. First, two

or more messages sent by an agent to the same destination, as part of consecutive

protocol steps, could be compressed in a single transmission. We will consider that

roles alternate, in the sense that if one agent acted as a sender during a protocol

step, then it will be the receiver in the next step and vice versa. Second, if a message

can be derived from the receiving agent’s knowledge set, then the corresponding step

might be redundant and could be removed from the protocol for increased efficiency.

5.3 Intruder’s Knowledge

The aim of this study is to examine the safeguarding of security properties under

any circumstances. Any assumption that the environment is not hostile might result

in potential flaws. We won’t restrict the capabilities of the intruder by any bounds.


5.3.1 Intruder’s Capabilities

At the very beginning of the protocol run, the intruder knows the identity of all

agents and their public keys. Knowledge gain can be achieved either by participating

as an agent or by overhearing messages exchanged by agents during protocol sessions.

We consider that intruders have the ability to intercept all messages exchanged

between any pair of agents, store messages, leak and kill messages, reroute them,

and forge new ones. They can replay messages or insert new ones at will.

An intruder also has the same message processing capabilities as the agents: en-

cryption, decryption, concatenation and decomposition. Whenever he intercepts a

message, he can retrieve data by splitting all concatenations and decrypting, when-

ever he has the appropriate key, all encryptions. As for the constructive abilities, he

can build any non-atomic message (concatenation, encryption or a combination of

both) from the components. To capture the intruder’s capabilities, we employ the

definition 4.2.1 for closure, as introduced in chapter 4. The information collected by

the intruder, along with all the data he can gain using his capabilities (encryption,

decryption, concatenation, decomposition etc.) is called the intruder’s knowledge

and is denoted by (Kσi )0≤i≤n, where σ is a session identifier and i is protocol step

for that session.

Let P be a protocol of length n and let σ be a session of that protocol. Prior to

starting the attack, the intruder has an initial knowledge Kσ0 . After completing a

protocol run, the knowledge becomes Kσn. The intruder’s knowledge throughout the

session is defined as a family of sets indexed by protocol step i. For a particular step

i, Kσi represents the knowledge of the intruder at the beginning of the protocol step,

right before sending or receiving a message. This means, for a sending step, that

the knowledge includes the message variables generated by the intruder in order to

build the message, along with the encryption that he can produce that will be part

of the message. However, the intruder might not be able to devise all variables or

encryptions needed.


Obviously, the sets Kσi are at least equal to Kσ

0 . With the aid of the closure definition

introduced above, the evolution of the intruder’s knowledge is illustrated by the

following inclusion:

(Kσi−1 ∪Mσ

i−1) ⇓ ⊆ Kσi (5.3)

where Mσi−1 represents the message sent during the step i− 1 and Kσ

i , Kσi−1 denote

the intruder’s knowledge for the steps i and i− 1, respectively.

5.3.2 Impasse

The intruder can be either actively involved in a protocol run or passively inter-

cepting messages. An active behavior implies creating and sending messages. This

means that the intruder has to have all the components for building the message.

Sometimes, this is not the case.

Definition 5.3.1 (Impasse) Let P be a protocol under attack by a malicious in-

truder. A situation in which the intruder has to act as a sender in order to continue

the attack and is unable to build a message intended for the legitimate participants

to the protocol run is called an impasse.

For the legitimate agents, there are no impasses. They have no difficulty decrypting

messages that were intended for them or building messages using the other agent’s

public key. However, the intruder is likely to encounter impasse situations as he pro-

gresses in the execution of the protocol. He cannot predict or guess such problems.

There are therefore only past, known impasses, of which at most one - the newest

- is unsolvable. All previous impasses must have been successfully surpassed until

session completion or up to a point where he cannot progress anymore. The set of

all impasses of a session σ is denoted by Imσ. Consequently, we say that an impasse

situation happens at step i if i ∈ Imσ.


Such a situation can arise a maximum of [n/2] times, which corresponds to the

number of steps of the protocol in which the intruder has a sender role, and that is

expressed by the following inequality:

card(Imσ) ≤ [n/2] (5.4)

where “card” denotes the cardinal function of the set and [_] stands for the “integer

part” operator.

The value [n/2] comes from the following analysis, based on the number of protocol

steps being odd or even, so of the form n = 2p or n = 2p + 1, with both n and

p integer numbers. If the intruder is the session initiator and n is odd, then the

intruder has to send data p + 1 times. He initiates the session either by creating

the first message or by replaying one that he intercepted previously. Since the first

step is certainly not an impasse, there are at most p = [n/2] potential impasses for

the intruder. If n is even, the total number of sending steps is p, but as the first

one cannot be an impasse step, there can be no more then p − 1 impasses. If the

intruder is the responder and n is either odd or even, the number of sending steps

for the intruder is p. Since p ≤ [n/2], we draw the conclusion that impasses cannot

occur in more than [n/2] times.

Remark 5.3.2 If a sending step does not involve any session specific variables, then

it is built from constant atomic messages only. If it is encrypted, the key is either a

public or a private key. As the constant atoms (including the public keys) are part

of the intruder’s initial knowledge, he can build a message that uses an encryption

with a public key. If the message is encrypted with an agent’s private key, then it

is identical in every session of protocol P involving the agent playing the same role.

The intruder has to intercept it and then he can replay it whenever needed. Therefore

no impasse is produced by such a step. The value of card(Imσ) is diminished with

the number of sending steps employing no session variables.


5.3.3 Spawned Sessions

For every step i, we denote the set of variable messages by V σi , and the set of

encryptions containing them by Qσi . For instance, the first message of the Needham-

Schroeder public-key protocol has the form A,NAKB. Here, i = 1, NA ∈ V1 and

A,NAKB∈ Q1. We only consider the top-level encryptions as part of Qσ

i , as

the intruder is not interested in nested encryptions that he cannot produce. The

intruder cannot get more knowledge from a protocol step then the variables V σi , the

encryptions Qσi and the associated closure operations. We identify an upper bound

for the intruder’s knowledge at step i:

Kσi ⊆ (Kσ

i−1 ∪ V σi ∪Qσ

i ) ⇓ (5.5)

The ideal case for the intruder is the equality. This happens when the intruder

knows all the new variables and he can devise all encryptions Qσi . However, for the

protocol execution to continue it suffices for the intruder to know Qσi , even if he

does not need to know individual variables in V σi . The lower bound is then:

(Kσi−1 ∪Qσ

i ) ⇓ ⊆ Kσi (5.6)

Therefore, from (5.5) and (5.6), we gather that the acceptable knowledge for exe-

cuting step i is bounded by:

(Kσi−1 ∪Qσ

i ) ⇓ ⊆ Kσi ⊆ (Kσ

i−1 ∪ V σi ∪Qσ

i ) ⇓ (5.7)

The set Kσi−1 is automatically inherited by the intruder in step i from step i − 1.

During an impasse step, he is the sender and he crafts all the new variables of V σi .

Then, for a step i ∈ Imσ, the equation (5.7) translates the definition for an impasse

situation into:

∀i ∈ Imσ | Qσi \ Kσ

i 6= ∅ (5.8)


If the intruder cannot get the data needed for resolving an impasse from what was

previously recorded and computed, it has to find it somewhere else. This implies

that the intruder has to get involved in a new session in search for the data. If that

effort is not successful, the saga stops there and no (other) flaws are found.

Definition 5.3.3 (Spawned session) A session triggered from within an existing

one by the intruder’s need to resolve an impasse is called a spawned session.

A situation demanding for a spawned session always appears when the intruder has

to send data (active); receiving is never a concern (passive). The intruder must

know either all variables of V σi or all encryptions from Qσ

i . Then, the spawned

session also has to reach at least step i, for two reasons. First, because some session

variables needed don’t appear in the protocol earlier then step i − 1 and therefore

won’t be used in a spawned session before step i. Second, because the format of the

encrypted message to be transmitted in step i, which includes all the components

from Qσi , does not appear before since we assumed disjoint encryption.

Let i ∈ Imσ be an impasse step of a session σ of the protocol P. Let τ be any

session of P different than σ in which the intruder can participate. We introduce

the notions parent and child to identify the session that generated the need and the

one that supposedly helps solving the problem. If τ is a child session with respect

to σ (or equivalently, if σ is the parent session of τ), then we note:

σi τi

Notice that one session can be, at the same time, both a parent and a child. For

instance, we can have a session υ spawned from a session τ spawned, at its turn,

from an initial session σ. However, the second spawned session (υ in this case) does

not necessarily have to reach step i. Indeed, τ has to advance to step i to be able to

return the requested data in the initial session σ. That means all impasses in τ prior

to step i have to be resolved. Suppose that i is not an impasse step for session τ


and j is the closest step to i where an impasse had to be surpassed, with 1 ≤ j < i.

Then υ has to execute all steps up to and including j, but not more. To reflect this

fact, we note:

σi τi υj

The benefit of spawned session is the added knowledge that the intruder gains by

gathering the data from other protocol runs. Session τ advanced to step i and the

knowledge available from that session to the intruder is transferred to session σ:

Kσi ⊇ (Kσ

i−1 ∪Mσi−1 ∪ V σ

i ∪ Kτi ) ⇓ (5.9)

where we denote by Mσi−1 the message sent in step i− 1 of the session σ and by Kτ

i

the intruder’s knowledge corresponding to step i of the τ session. The addition of

V σi is important, as it stresses that the intruder is the one creating all the message

variables for step i. He has the opportunity to reuse some of the nonces he already

possesses to maximize his chances of decomposing and decrypting future messages.

The intruder’s knowledge obviously increases with the number of spawns. However,

the execution of the protocol can only continue if the missing data can be found in

the set Kτi . Otherwise the exercise of spawning the τ session is futile. The intruder

can instrument the protocol in order to obtain more data from multiple spawned

sessions.

Figure 5.1 shows the knowledge transfer from a spawned sessions τ to an initial

session σ. The intruder encounters an impasse at step i of σ. He spawns a session τ ,

searching for useful data. Since he was previously involved in σ, the knowledge he

has at the very beginning of τ is inherited from the other session, so Kτ1 = Kσ

i . The

execution of the protocol P progresses in session τ up to (and including) step i. At

this point, the intruder transfers back the acquired knowledge and retries to execute

step i of σ with the new set of data: Kσi = Kτ

i . If he is successful, the intruder is

able to continue the protocol run with steps i + 1, i + 2, . . .


transfer

2

1

i

spawning

2

1

i

n

i+1Kτ

2

Kτ1

.

.

.

.

.

.

.

.

.

.Kτ

i

session τ

session σ

Kσi

Kσ2

.

.

.

.

.

Kσ1

.

.

.

.

.

.

.

.

.Kσ

n

Kσi+1

Figure 5.1: Knowledge transfer to session σ with the aid of a spawned session τ

The combination of sessions spawned by the intruder while trying to resolve an

impasse is called a strategy. A strategy that succeeds in bringing back the data

necessary to resolve an impasse is called a winning strategy. Following a winning

strategy, all the encryptions required for building the message Mσi become part of

the intruder’s knowledge:

Qσi ⊆ Kσ

i

Remark 5.3.4 In some cases, more strategies are possible. If an intruder finds a

winning strategy with a certain depth for a flaw, it is possible to build strategies with

a greater number of spawned sessions. These strategies, if they exist, are equiva-

lent as they result in solutions for surpassing the same impasse and they lead to a

family of attack scenarios. However, since it is not in the intruder’s interest to em-

ploy extended strategies, he will most likely use the shortest, most effective winning

strategies.

Strategies are session and step-specific. We use the notation stσi to represent a

5.4 Protocol Correctness 93

strategy, where i is the impasse step and σ is the session. A strategy represents, in

fact, a chain of parent-child sessions that enable the intruder to solve an impasse.

We employ the ª symbol to indicate the last session in a strategy. For instance,

suppose that two sessions τ and υ are needed and they successfully bring back to

the initial session σ the requested data. Then, we can illustrate this strategy by:

stσi = τi υj ª

If no strategy can be found for an impasse i (equivalent to an infinite chain), then

the protocol execution stops. Obviously, since an impasse cannot be resolved, we

cannot talk about strategies for the subsequent impasses. Therefore, for an attack

to continue beyond a certain step, the number of spawned sessions must be finite.

As a finite chain, a strategy will have a certain number of elements that determines

the size of the search space.

We call the strategy depth for a step i of a session σ the cardinal of stσi . The set of all

strategies involved in successfully breaking a security property of the protocol is an

attack scenario. An attack can lead to a complete execution of the protocol session

or stop right after revealing a protocol flaw. We denote the attack scenario for a

session σ by Atσ. It consists of the ordered set of winning strategies stσi employed

for overcoming impasses encountered at the respective steps i of the protocol, with

i ∈ Imσ.

5.4 Protocol Correctness

A security protocol P is correct with respect to a security property (e.g. secrecy, data

integrity, authentication etc.) if for every execution of the protocol the property is

preserved. In general, a security flaw represents a weakness that allows an attacker

to violate a security property. In the following we introduce the notion of secrecy.

5.5 Methodology 94

Secrecy, or confidentiality - as it is sometimes called, empowers the messages to reach

the intended receivers only, and nobody else. Whenever properly implemented, it

prevents unauthorized parties to benefit from any information disclosure, such as

sensitive data or cryptographic keys. However, the use of formal methods, especially

automated tools, lead to the discovery of a surprising number of secrecy flaws.

We can perceive secrecy as safeguarding some of the session specific, recently issued

data items. From this definition arises the need to define confidential messages

(such as session keys or secret text) and auxiliary session variables (such as nonces).

Revealing such pieces of information will consist in a failure of providing secrecy.

Since the intruder seeks to find out the content of those messages, they are not

originated by him. Consequently, the step i during which they are generated is

definitely not an impasse step. However, confidential messages can become part of

the intruder knowledge. Let m be a confidential message and let i and j be two

protocol steps, where i < j and i is the step in which m originated in session σ.

The secrecy property can be formalized as follows: a protocol P preserves the secrecy

of a message m if and only if

∃ i ∈ (1, n] | m ∈ V σi ∧ (∀ j ∈ (i, n], m 6∈ Kσ

j ) (5.10)

5.5 Methodology

To date, researchers deal with infinite models in order to ensure preservation of

the security properties. Given the challenges, several techniques emerged to allow

reasoning on a significantly smaller, finite model. In the following we examine the

intruder’s difficulties as he progresses through the protocol run - from mandatory

data to the effect of role and identity changing.

5.5 Methodology 95

5.5.1 Intruder Needs

A protocol run can be completed by the intruder only when the data needed for

solving all impasses can be obtained. If the desired information can be found in one

session, there is an elementary flaw in the conception of the protocol. We will just

acknowledge that this particular case sets the obvious lower bound for the number

of sessions:

card(Atσ) ≥ 1 (5.11)

Irrespective of the role the intruder had at the beginning of the attack, after a

certain number of steps he is stuck having to respond to an agent. What matters is

which agent he is communicating with, A or B, and he has both their public keys,

so encrypting the data is not an issue. The data needed by the intruder can be in

the form of an atomic message, an encryption or a concatenation. In some cases, the

information can be extracted from the intruder’s knowledge set. If not found there,

it might be possible to trick an unsuspecting agent into revealing it. The number of

sessions necessary for breaking a protocol depends on the number of impasses. The

number of impasses, in its turn, is determined by the role the intruder plays.

5.5.2 Roles and Identities

An intruder can participate in a two-party protocol run in one of the following

distinct session types: P(A, I), P(I, A), P(A, I(B)), P(I(B), A) P(B, I), P(I, B),

P(B, I(A)) and P(I(A), B). Henceforth, we denote them by α, β, γ, δ, λ, µ, ν and

ω respectively, as illustrated in Figure 5.2. Whenever an impasse appears, there

are eight options for a spawned session. Four of them involve the intruder as an

agent: α = P(A, I), β = P(I, A), λ = P(B, I) and µ = P(I, B). The other four

entail masqueraded identities of legitimate agents: γ = P(A, I(B)), δ = P(I(B), A),

ν = P(B, I(A)) and ω = P(I(A), B).

The needed data originated in step i−1 or earlier of the initial session of the protocol.

Since the intruder cannot devise by himself the pieces needed for step i, he has to

5.5 Methodology 96

rely on an honest, unsuspecting agent to do it. If the session roles are opposite to

the ones in the parent session, then the intruder would be the receiver in step i and

it could obtain the required elements of Qσi . If the roles are the same, he would

expect to find the desired information in step i + 1 of the spawned session.

At this point, we notice a very important aspect about agent identities. If in the

initial session he was talking to A masquerading B, for instance, then he needs to

talk to B in the spawned session. Agent A just sent him some data encrypted with

KB and B is the right agent to reveal it. So far, we conclude that there are only four

types of spawned sessions that could be useful for a specific step i. Those are the ones

involving the intruder and the agent whose identity he masquerades in the parent ses-

sion. The distinct ways to spawn a session with A are: P(A, I), P(I, A), P(A, I(B))

and P(I(B), A) (α, β, γ and δ). For B, they are: P(B, I), P(I, B), P(B, I(A)) and

P(I(A), B) (λ, µ, ν and ω). If any of the sessions where the intruder impersonates

another agent succeeds, that represents an authentication attack.

Remark 5.5.1 There is a special case though, the passive attack. If the initial ses-

sion is of the type P(A, I(B)) (γ) and the spawned session is of the type P(I(A), B)

(ω) and both executions complete, we have a sequence composed of the two halves

of a run P(A,B). In fact, we have a situation where the intruder intercepts and

forwards messages exchanged during a (regular) session P(A,B), known as “session

forwarding” . The occurrence of such a sequence invalidates the authentication at-

tack, as the data sent by A manages to get to B, as intended, in one protocol run

for both agents. This situation complies with Lowe’s definition of the agreement

that we adopted, fulfilling all requirements, including agreement on data items and

one-to-one correspondence for sessions. In this case the intruder simply relays the

information in both directions, without tampering with it and not being able to re-

veal any of the confidential data. For the authentication attack to work, the initial

session must not complete, so the intruder could simply refuse continuing that par-

ticular run. Same observation applies for a sequence where a session P(B, I(A)) (ν)

is followed by a session P(I(B), A) (δ): this represents just a forwarded P(B, A) pro-

5.5 Methodology 97

tocol run. Therefore, passive attacks can be successfully represented as two-session

active attacks.

In general, we do not reach an impasse for the first step of the protocol. If the

first message involves no encryptions or encryptions with public keys only, it is

either issued by an agent or can be built by the intruder. The problem becomes

more complex if private keys are used, sometimes as an authentication measure, to

“sign” data. If the intruder is the responder there is obviously no problem, as he

has the passive role of receiving the data in this step and no impasse occurs. If he

participates as an agent and is the initiator, there is no problem using his private

key. Finally, if he is the initiator in sessions P(I(A), B) and P(I(B), A), he needs to

produce messages encrypted with the agent’s private key, which he does not have.

In this case he can simply replay data recorded during a previous run and therefore

cannot be an initial session. However, it remains a valid option for spawned sessions.

5.5.3 Equivalent Attacks

For the sessions of types α, β, λ and µ, the intruder participates as an agent and,

as a result, gets all the information, so we cannot really talk about a secrecy flaw.

However, information gained during such sessions can be used for attacks.

A and B are only symbols chosen to represent the identity of two agents participating

in a protocol. Therefore, they are interchangeable. If a successful attack is found,

substituting all occurrences of A with B and all occurrences of B with A produces an

equivalent attack. In terms of sessions, we have the following equivalence relations:

α ≡ λ, β ≡ µ, γ ≡ ν and δ ≡ ω. The sessions are equivalent in the sense that if

one is present in some attack, then its equivalent is the corresponding session in the

equivalent attack. We consider the following winning strategy: stγi = ωi αj ª.

The equivalent strategy for the step i will involve sessions ν, δ and λ: stνi = δi λj ª. The equivalent attack of protocol P can then be built based on the equivalent

5.6 Bound on Sessions 98

strategies.

5.6 Bound on Sessions

In this section we derive benefit from the analysis performed in the previous section.

We present and prove a proposition that displays a bound for the number of sessions

needed to solve an impasse. Following, a theorem exhibits bounds for the analyzed

model that are sufficient to ensure protocol correctness.

Proposition 5.6.1 Let P be a two party public key encryption protocol. Let σ be a

session of that protocol and i be an impasse step within σ. If the impasse at step i

can be resolved, then the winning strategy stσi has a depth that is not greater then

three.

In formal terms, we represent the proposition by the following:

∀σ ∈ S,∀i ∈ Imσ | stσi 6= ∞⇒ card(stσi ) ≤ 3 (5.12)

Proof:

As previously stated, the roles and identities of the participants are capital.

We will study one session type and extrapolate using the same reasoning to all

others. The intuition is the following. Only some types of spawned sessions

can bring useful data. If they don’t solve the impasse, they lead to a new one.

After three levels of spawning the intruder comes across the initial session

type, which created the whole cycle, and gives up the search for a winning

strategy.

The intruder will adopt the same behavior for any impasse, irrespective of

the number of the step where it occurs. He will employ the same searching

technique for finding the missing data for the second protocol steps as for the

last one. Moreover, thanks to the equivalent strategies and attacks, we have

to analyze only half of the options for the initial sessions, as the results will


also apply to the other half. That reduces drastically the size of the search

space.

We designate γ as the initial session to be analyzed. The progress is depicted

in Figure 5.2. Let i ∈ Imσ be the step where the initial session γ runs into

an impasse situation, where 2 ≤ i ≤ n. In this case, the intruder has just

completed step i − 1 as a receiver, but does not have the data he needs to

send during step i. He has to spawn a session where he will be communicating

with B, so sessions of types λ, µ, ν or ω. At this point the intruder is not

certain that any of the spawned sessions will succeed or if one of them should

be privileged over the others. We will study all four options. Case numbers

will be attributed to each situation for quick reference.

Case 1. If the intruder tries λ or µ first, there will be no impasses in the

spawned sessions as he gets all the messages encrypted with his own public

key. The information he acquired during the spawned session up to step i or

i+1 is added to his prior knowledge (see equation (5.9)). The intruder returns

to step i of the initial session γ. If the data he was seeking is contained in

the new set Kγi , then he just found a winning strategy. The same situation

arises if ν or ω are chosen and no impasses are encountered until step i. For

the choice of a λ session as the first spawn, for example, we have the following

relation:

stγi = λi ª ⇒ card(stγi ) = 1 (5.13)

Notice that also the knowledge set (Kγi−1 ∪Mγ

i ∪V γi ) ⇓ is already available to

the intruder. There is no benefit in spawning an γ type session if an impasse

occurs in ν. To conclude, if all the data required for the intruder to resolve

an impasse in ν is either in (Kγi−1 ∪Mγ

i ∪ V γi ) ⇓, Kλ

i or Kµi , the depth of the

strategy is still 1.

Case 1.1. Suppose that ν reaches an impasse at a step j < i, before the

needed data could be made available for the initial session. The intruder is in

a situation similar to the one of the initial γ session: he needs a successfully

spawned session to continue. This new session can be an α, β, γ or δ. We


γ

δ

α

β

γ

δ

α

β

ω

ν

λ

µ

ω

ν

λ

µ

γ

δ

α

β

γ

δ

α

β

ω

ν

λ

µ

ω

ν

λ

µ

γ

δ

α

β

γ

δ

α

β

ω

ν

λ

µ

ω

ν

λ

µ

γ

δ

α

β

γ

δ

α

β

ω

ν

λ

µ

ω

ν

λ

µ

ω = P(I(A), B)

ν = P(B, I(A))

µ = P(I, B)

λ = P(B, I)

δ = P(I(B), A)

γ = P(A, I(B))

α = P(A, I)

β = P(I, A)

an impasse- sessions chosen for solving

- "no impasse" sessions

Figure 5.2: Options for winning strategies from initial sessions γ and δ


already presented the case of the γ session in the previous paragraph. As

expected, there are no problems with advancing in the execution of spawned

sessions α or β to step j. If the needed data for the impasse at step j of session

ν is part of the knowledge sets Kαj or Kβ

j the execution of ν continues until it

reaches step i or another impasse is encountered. In case of another impasse,

the intruder uses the same technique: checks the knowledge from spawned

sessions α and/or β and then verifies the knowledge set Kνi , that is already

available.

Case 1.1.1. If the data is not part of the sets, a session δ has to be spawned.

If, same as for the previous stage, an impasse is reached at a step k < j,

the intruder has again an option of either benefiting from the knowledge of

ν or spawning a λ, µ or ω session. The case of λ and µ spawns has already

been presented in Case 1: no impasses, possibly beneficial for the intruder,

certainly the easiest way to acquire information. The intruder only has access

to (Kνj−1 ∪ Mν

j ∪ Vj) ⇓, as this situation was reached in order to resolve an

impasse at step j in the ν session. If the data is found in the available sets

from λ, µ or ν, then the impasse k is solved and the execution of δ continues.

If no other impasses occurs until step j is executed, the intruder returns to

Case 1.1. One winning strategy involves, for example, sessions ν and β and the

depth level of spawned sessions is 2, like for any other combination described

in Case 1.1 and Case 1.1.1:

stγi = νi β ª ⇒ card(stγi ) = 2 (5.14)

Case 1.1.1.1. If an impasse situation arises, then the intruder verifies again

the knowledge sets session or has to spawn a session ω. The search comes to an

end whenever an ω session is spawned. The options in case an impasse appears

at a step l < k are α, β, γ and δ sessions. But the intruder already passed

through the four session types to get to this point and therefore no spawning

would be beneficial. The corresponding four knowledge sets can contain the

data he is looking for, or not. If they don’t, the impasse l cannot be surpassed

and therefore impasses k, j and i cannot be solved. Therefore, no strategy

can be found for the impasse and no (other) attacks are discovered. If, on


the contrary, the needed data is obtained or no (other) impasses is reached in

ω, the knowledge can be used in the parent δ session. Going recursively and

following the same logic, we trace back through cases 1.1.1 and 1.1 to reach

to the impasse at step i in the initial session. The intruder can then execute

the same search algorithm for Case 2, on the ω branch. The results will be

similar, only the spawn order is reversed for the ν and ω sessions, which is not

at all surprising given the hypothesis that the naming was arbitrary and the

results should be symmetric.

Therefore a winning strategy requires a maximum of three levels of spawned

sessions. The same reasoning applies to a situation where ω is the first spawned

session, and not ν, from the initial γ. This result that bounds the number of

spawned sessions for the intruder and, consequently, confines the search space,

is generally applicable for all other types the initial session α, β, δ, λ, µ, ν

and ω. For any new impasse in the initial session, the same exercise should be

executed.

2

We present in Table 5.1 the options that the intruder would have for spawning

sessions and finding winning strategies starting from a session P(A, I(B)), so a γ

type initial session. Similar choices are available for all other types of initial sessions.

Following the example presented here, we draw the conclusion that the intruder

is able to complete step i of the initial session γ if the data required to build the

message Mi is in any of the knowledge sets corresponding to the winning strategies

presented in the table 5.1. The union of all sets will represent the search space

for the needed data. Since knowledge is inherited from one spawning level to the

other, the two level 3 strategies already include the predecessor levels. Some of the

components of the two sets are common and need to be taken into account only

once: Kαn, Kβ

n, Kλn, Kµ

n and Kγi−1 ∪Mγ

i−1 ∪ V γi . Also, we have the following inclusion

relations:

i > j > k ⇒ Kωi ⊃ Kω

k (5.15)

i > j′ > k′ ⇒ Kνi ⊃ Kν

k′ (5.16)


Session

Level1

Level2

Level3

Strategy

Kno

wledg

eset

γi

--

stγ i

=λ

iª

(Kγ i−

1∪

Mγ i∪

Vγ i∪Kλ n

)⇓

γi

--

stγ i

=µ

iª

(Kγ i−

1∪

Mγ i∪

Vγ i∪Kµ n

)⇓

γi

--

stγ i

=ν i

ª(K

γ i−1∪

Mγ i∪

Vγ i∪Kν i

)⇓

γi

--

stγ i

=ω

iª

(Kγ i−

1∪

Mγ i∪

Vγ i∪Kω i

)⇓

γi

j-

stγ i

=ν i

α

ª(K

γ i−1∪M

γ i∪V

γ i∪K

λ n∪K

µ n∪K

ν i∪K

α n)⇓

γi

j-

stγ i

=ν i

β

ª(K

γ i−1∪M

γ i∪V

γ i∪K

λ n∪K

µ n∪K

ν i∪K

β n)⇓

γi

j-

stγ i

=ν i

δ j

ª(K

γ i−1∪M

γ i∪V

γ i∪K

λ n∪K

µ n∪K

ν i∪K

δ j)⇓

γi

j’-

stγ i

=ω

i

αª

(Kγ i−

1∪M

γ i∪V

γ i∪K

λ n∪K

µ n∪K

ω i∪K

α n)⇓

γi

j’-

stγ i

=ω

i

βª

(Kγ i−

1∪M

γ i∪V

γ i∪K

λ n∪K

µ n∪K

ω i∪K

β n)⇓

γi

j’-

stγ i

=ω

i

δ j′ª

(Kγ i−

1∪M

γ i∪V

γ i∪K

λ n∪K

µ n∪K

ω i∪K

δ j′)⇓

γi

jk

stγ i

=ν i

δ j

ω

kª

(Kγ i−

1∪M

γ i∪V

γ i∪K

λ n∪K

µ n∪K

ν i∪K

δ j∪

Kα n∪Kβ n

∪Kω k

)⇓

γi

j’k’

stγ i

=ω

i

δ j′

ν k′ª

(Kγ i−

1∪M

γ i∪V

γ i∪K

λ n∪K

µ n∪K

ω i∪K

δ j′∪

Kα n∪Kβ n

∪Kν k

′)⇓

Table5.1:

Spaw

ning

option

sforan

initials

ession

γ.


However, there is no way to say if j > j′ or j′ > j. If we denote the greatest of the

two by j” = max(j, j′) then we have:

Kδj” = Kδ

j ∪ Kδj′ (5.17)

Therefore, an impasse at a step i ∈ Imγ is resolvable if the following relation holds:

Qγi ⊂ (Kγ

i−1 ∪Mγi ∪ V γ

i ∪ Kλn ∪ Kµ

n ∪ Kαn ∪ Kβ

n ∪ Kνi ∪ Kω

i ∪ Kδj”) ⇓ (5.18)

Theorem 5.6.2 If a protocol P fails to provide secrecy, then an intruder would be

able to find attack scenarios that need at most card(Imσ)× 3 sessions for a secrecy

flaw.

The formal representation of the above-stated theorem is illustrated by:

∀σ ∈ S, ∃Atσ | card(Atσ) ≤ card(Imσ)× 3 (5.19)

where “card ” denotes the cardinal function of the set, Imσ is the number of resolved

impasses and Atσ is an attack scenario.

Proof:

We consider one impasse step and apply the result to all protocol steps. The

idea is rather simple: if there is a winning strategy for the intruder’s problem

for a certain impasse, he will proceed with the next step, and so on. The

depth of winning strategies is at most three. To find out which is the number

of sessions needed to find the respective flaws by simply to multiplying the

number of corresponding steps with 3.

Resolving impasses is a necessary condition. Since for each step there is at least

one winning strategy involving at most three spawned sessions (Proposition 1 ),

there exist an attack scenario for revealing a secrecy flaw that takes at most

card(Imσ)× 3 sessions. 2

5.7 Case Study 105

Remark 5.6.3 Secrecy flaws: If any of the successful spawned session is α, β, λ

or µ, then the messages received by the intruder are encrypted with KI , and therefore

secrets are revealed to him. Since we are searching for potential secrecy flaws, the

focus is on confidential variables: we say that if the attack progresses past the impasse

step i, where the impasse was resolved through a session of type α, β, λ or µ, a

secrecy flaw has been discovered.

5.7 Case Study

We illustrate the results on the CCITT X.509 protocol [15]. It is a very good

candidate as the original version has been found to be flawed, but there is a corrected

version for which there are no claimed attacks. The original version of the protocol

is presented in Table 5.2.

Message 1. A → B : A, TA, NA, B,XA, YAKBK−1

A

Message 2. B → A : B, TB, NB, A,NA, XB, YBKAK−1

B

Message 3. A → B : A, NBK−1A

Table 5.2: The original CCITT X.509 Protocol

We start by analyzing the options for the initial session. If any attacks are found,

there will be equivalent attacks and we need to perform the analysis only on half of

the session types. We have a choice of either α, β, γ, δ or λ, µ, ν, ω. In addition,

we notice that the first message contains an encryption with private keys, and that

prevents both δ and ω of being potential initial sessions in an attack: the intruder

would have to produce messages signed with the private key of A or B, which he

5.7 Case Study 106

does not possess. With that in mind, we choose to analyze the set of α, β, γ, δ,

from which we remove δ for the above mentioned reasons.

The sessions α and β complete successfully, but they do not qualify as attacks. The

intruder participates as an agent and there are no impasses and no secrecy issues.

Session γ needs to spawn a helping session at step two, as the intruder cannot use

B’s private key to encrypt a part of the second message. The options for spawned

sessions are λ, µ, ν and ω, as presented in Table 5.3. As in the case of α and β, λ

and µ complete successfully, but with no beneficial results for an attack. A ν session

does not bring good results either, since the intruder runs into an impasse at step

2, same in the case γ, as he cannot built a message encrypted with private key of

A. The single useful session type at this point is ω: the intruder is the initiator,

so he has an opportunity to introduce in the first message variables from γ and he

gets in response from B, in step 2, the message encryption needed in the initial

session. If the ω session completes, the intruder succeeds an attack. The agent

thinks he has just run the protocol with someone else. However, as discussed in the

subsection concerning roles and identities, if both γ and ω complete, we run into a

classic situation of a passive attack. The attack would otherwise succeed if the initial

session would not complete. Therefore, the intruder will focus only on completing

the execution of ω and will drop further involvement in the initial session γ. There

is an impasse that occurs in the third step of the ω session: the intruder has to build

the message encryption NBK−1A. There is a need for a spawned session with A,

and the options are α, β, γ and δ. The only one that returns the required data is α.

The data is fed back into the third step of the ω session and the attack completes,

as shown in Table 5.3.

There are two strategies involved in the attack Atγ, triggered by the impasses at the

step 2 in γ and 3 in ω, of which the first one is dropped and the second is resolved:

stγ2 = ω ª stω3 = α ª

5.7 Case Study 107

Step

Role

Dataneeded

Intrud

er’s

know

ledg

eIm

passe

Spaw

n

γ.1

seγ 1

Non

e(K

γ 0∪T

A,N

A,X

A,

YA K

B∪

TA,N

A,B

,XA,

YA K

B K

−1

A)⇓

NO

-

γ.2

reγ 2

TB,N

B,A

,NA,X

B,

YB,

YB K

A K

−1

B

(Kγ 0∪T

A,N

A,X

A,

YA K

B∪

TA,N

A,B

,XA,

YA K

B K

−1

A)⇓

YES

ω

ω.1

seω 1

Non

e(K

γ 0∪T

A,N

A,X

A,

YA K

B∪

TA,N

A,B

,XA,

YA K

B K

−1

A)⇓

NO

-

ω.2

reω 2

Non

e(K

γ 0∪

TA,N

A,X

A,

YA K

B

∪T

B,N

B,X

B,

YB K

A

∪T

B,N

B,A

,NA,X

B,

YB K

A K

−1

B∪

TA,N

A,B

,XA,

YA K

B K

−1

A)⇓

NO

-

ω.3

seω 3

NB K

−1

A(K

γ 0∪

TA,N

A,X

A,

YA K

B

∪T

B,N

B,X

B,

YB K

A

∪T

B,N

B,A

,NA,X

B,

YB K

A K

−1

B∪

TA,N

A,B

,XA,

YA K

B K

−1

A)⇓

YES

α

α.1

reα 1

Non

e(K

γ 0∪

TA,N

A,X

A,

YA K

B

∪T

B,N

B,X

B,

YB K

A

∪T

′ A,N

′ A,X

′ A,Y

′ A

∪T

B,N

B,A

,NA,X

B,

YB K

A K

−1

B∪

TA,N

A,B

,XA,

YA K

B K

−1

A∪T

′ A,N

′ A,I

,X′ A,

Y′ A K

I K

−1

A)⇓

NO

-

α.2

seα 2

Non

e(K

γ 0∪

TA,N

A,X

A,

YA K

B

∪T

B,N

B,X

B,

YB K

A

∪T

′ A,N

′ A,X

′ A,Y

′ A

∪T

I,X

I,Y

I

∪T

B,N

B,A

,NA,X

B,

YB K

A K

−1

B∪T

A,N

A,B

,XA,

YA K

B K

−1

A∪

T′ A,N

′ A,I

,X′ A,

Y′ A K

I K

−1

A∪T

I,N

B,A

,N′ A,X

I,

YI K

A K

−1

I)⇓

NO

-

α.3

reα 3

Non

e(K

γ 0∪

TA,N

A,X

A,

YA K

B

∪T

B,N

B,X

B,

YB K

A

∪T

′ A,N

′ A,X

′ A,Y

′ A

∪T

I,X

I,Y

I

∪N

B K

−1

A∪

TB,N

B,A

,NA,X

B,

YB K

A K

−1

B∪T

A,N

A,B

,XA,

YA K

B K

−1

A∪

T′ A,N

′ A,I

,X′ A,

Y′ A K

I K

−1

A∪T

I,N

B,A

,N′ A,X

I,

YI K

A K

−1

I)⇓

NO

-

ω.3

seω 3

Non

e(K

γ 0∪

TA,N

A,X

A,

YA K

B

∪T

B,N

B,X

B,

YB K

A

∪T

′ A,N

′ A,X

′ A,Y

′ A

∪T

I,X

I,Y

I

∪N

B K

−1

A∪

TB,N

B,A

,NA,X

B,

YB K

A K

−1

B∪

TA,N

A,B

,XA,

YA K

B K

−1

A∪

T′ A,N

′ A,I

,X′ A,

Y′ A K

I K

−1

A∪

TI,N

B,A

,N′ A,X

I,

YI K

A K

−1

I)⇓

NO

-

Table5.3:

Spaw

ning

option

sforan

initials

ession

γof

theCCIT

TX.509

protocol

5.7 Case Study 108

The equivalent strategies can be built for an initial session ν and spawned sessions

δ and λ:

stν2 = δ ª stδ3 = λ ª

A similar attack is presented by M. Burrows, M. Abadi and R. Needham in [14].

In the same paper [14], the authors propose and prove correct a slightly modified

version of the CCITT X.509 protocol 5.4, which uses the identity of one of the agents

in the 3rd message and does not use timestamps anymore, as they are redundant.

The removal of the timestamps does not affect the possible paths for an attack as

the problem with the original protocol lays one level higher. The intruder misses the

private keys of the agents. He stops even before starting to verify if he has all the

data needed to build the message encryption. A potential attack on the corrected

version would follow then the same path as for the original version of the protocol.

Message 1. A → B : A, NA, B, XA, YAKBK−1

A

Message 2. B → A : B, NB, A,NA, XB, YBKAK−1

B

Message 3. A → B : A, B,NBK−1A

Table 5.4: The corrected CCITT X.509 Protocol

We analyze the attempt to attack the corrected protocol by using γ as the initial

session. There is a very similar behavior for γ and ω: we encounter the same impasses

at steps 2 and 3, respectively. We also notice an almost identical expression for the

intruder’s knowledge, the difference being the absence of TA and TB. The important

change appears in the third message of α, where instead of NBK−1A

we encounter

I, NBK−1A. The new format of the message prevents the intruder to replay it in

5.8 Conclusion 109

session ω, therefore the attack that worked on the original protocol does not succeed

in the corrected one. Consequently, the equivalent attack does not succeed either.

Since this is the only possible pair of attacks, we conclude that the corrected CCITT

X.509 protocol is correct.

5.8 Conclusion

In this chapter we have presented some formal reasoning for evaluating security

protocol correctness. The proposed framework includes a comprehensive analysis

and a bounding model for multi-session attacks. We examined the possible behavior

of the intruder during a protocol run and drew conclusions about how his knowledge

evolves and what actions he can take to gain as much information as possible for

building winning strategies for an attack.

We defined and formalized the components of the environment, the assumptions

about the execution model and our understanding of terms such as protocol, secrecy

and correctness. The pivotal points of the reasoning are the impasses, the spawned

sessions and the winning strategies. Briefly, the logical sequence can be represented

as follows: the intruder cannot continue the protocol execution with the data he

has (impasse), therefore he needs to find it in a spawned session, and bring it back

through a winning strategy for the attack scenario to succeed. We dissected the

needs of the intruder and observed important properties exhibited by the model in

terms of roles and equivalent attacks.

The detailed examination of the potentially useful spawned sessions and winning

strategies leads to the conclusion that after a certain step, even if no impasses are

encountered, the data brought back from supplemental spawns is not useful for the

attack. The depth of a winning strategy for an impasse in a two party protocols

using public keys has been proven to be three. Consequently, the attack scenarios

for those protocols cannot exceed three times the number of the impasses and the

5.8 Conclusion 110

corresponding theorem for secrecy has been formulated. Proper formalization of

other security properties done in a similar manner, along with the corresponding

propositions and theorems would allow a thorough definition for protocol correct-

ness.

Chapter 6

Conclusion

6.1 Contribution

Cryptographic protocols verification is not an easy task. To date, there are a limited

number of methods for achieving correctness results with respect to security prop-

erties, such as authentication and secrecy. Formal methods are one of the successful

approaches. We employed two different techniques in order to examine how secrecy

can be guaranteed in the presence of a malicious intruder.

Our contribution comes in the shapes of an abstract trace model and a formal rea-

soning. Both share a common aim: defining conditions that are sufficient to preserve

security properties. Our attempt has been completed in two stages. During the first

stage, introduced in chapter 4, we succeeded to use a different approach of a known

result. We benefited from protocol and intruder models and the abstraction func-

tion that have been defined by Adi [5]. However, we replaced the category-based

abstraction with a trace model. The second stage comprises a formal reasoning pre-

sented in chapter 5. This part is entirely original, from assumptions to conclusions.

Some propositions and theorems relevant for the analyzed models, along with the

associated proofs, have also been included in chapters 4 and 5.

111

6.1 Contribution 112

We introduced the main concepts of abstract interpretation and some abstraction-

based models in chapter 3. The approach appealed to us as a powerful and suitable

method for bounding the infinite real-world protocol models. The concrete trace

model employed is related to Paulson’s inductive rules. Adding the abstraction

function defined in [5] led to an abstract model that overestimates the intruder’s

knowledge. The abstraction is therefore correct with respect to the information

that can be obtained by the intruder and used in possible attacks. The resulting

set of abstract messages is computable, since the model is finite. The secrets are

checked against the intruder’s abstract knowledge set. If any matches are found,

then the secrecy property does not hold for that particular protocol. The model

is only semi-decidable though, in the sense that if no matches are found, then no

statement can be made about secrecy. The size of the set increases quite fast with

the number of entities used during protocol runs. However, the abstraction function

manages to trim down the depth and width of the messages by imposing upper

bounds for both.

In chapter 5 we defined a new model for security protocols and the intruder’s knowl-

edge. The model bounds multi-sessions attacks and the result is similar in some

aspects with the one obtained by abstract interpretation. We demonstrated that it

is sufficient to analyze a limited number of sessions in order to find out if security

properties are preserved. The research was made on a two-party protocol, but can

be extended to protocols that use more then two agents. For the case studied, we

exhibit a bound for the number of sessions needed for successful attacks. There are

few models that succeed in verifying correctness for secrecy. Our framework is one

of them. Moreover, to our knowledge, this is the first result that shows a bound

on the number of protocol runs for multi-session attacks that is independent of the

number of steps and variables.

We introduced the original concepts of impasse, spawned session and winning strat-

egy. We also adapted the classic definition of session roles to represent individual

6.2 Future Work 113

protocol steps. Secrecy and authentication are formalized as conditions to be veri-

fied. The formal reasoning is presented in the form of proofs for a proposition and a

theorem. The basic idea is that an intruder runs into an impasse whenever he does

not have the data needed to build a message he has to send. To solve the impasse,

the agents have to spawn other sessions in search for that data. If the information is

found, the intruder has a winning strategy for that impasse. The sequence of strate-

gies needed for resolving all impasses, if there is one, is called an attack scenario. To

illustrate a practical implementation of this theory, the CCITTX.509 protocol was

analyzed. The attack scenario revealed by our technique for the original version of

the protocol is similar to the one published by Burrows, Abadi and Needham.

The results obtained by examining impasse steps can be readily adapted to the

case of two party protocols using symmetric keys. Considering a third agent or a

server would add two other sessions to the options for spawns, depending on which

agent the intruder needs to communicate with. For agent A and a server S, for

example, besides α, β, γ and δ, we would need to add P(A, I(S)) and P(I(S), A).

For the server S itself, the full set of options would be P(S, I), P(I, S), P(I(A), S),

P(S, I(A)), P(I(B), S) and P(S, I(B)). With six options for the spawned sessions,

the maximum depth of winning strategy changes, too. Accordingly, some of the

reasoning is still valid in the case of three party protocols involving a key server and

a model can be built based on this study.

6.2 Future Work

The main focus of this study is on the secrecy property. However, as presented in

the introductory chapter, there are many other interesting security properties to be

investigated, such as authentication, non-repudiation, anonymity, and availability.

Secrecy is a necessary condition for authentication and therefore any secrecy flaw

also translates into an authentication flaw. It would be interesting to attempt an

6.2 Future Work 114

integration of those features in the frameworks we developed in this thesis in order

to obtain either decidability or correctness results. Such an endeavor would require

a significant amount of work. The definitions themselves for those security proper-

ties are not yet standardized and various degrees of detail imply different levels of

complexity for the proper models.

Another potential development of the work presented in this thesis are software tools

for automatic verification. The input would be a protocol specification consisting of

formalized descriptions of the protocol steps, the participants and their capabilities.

In the case of the abstraction function, the output would be an answer for protocol

correctness with respect to secrecy. For the formal reasoning, the tool could reveal

winning strategies and attack scenarios, if they exist.

A final note about the scope of this thesis. Assumptions limit the applicability of

the models to certain classes of protocols. In some of the cases, the restrictions

imposed on the context of our research might have been too strict. For instance,

we defined keys as atomic messages in chapter 5. However, we do not make use of

their atomic nature in our proofs. Therefore, non-atomic keys are just as adequate

as the atomic keys. Relaxing some of the assumptions might lead to similar results

applicable to a wider class of protocols.

Bibliography

[1] Martín Abadi and Andrew D. Gordon. A calculus for cryptographic protocols:

The SPI calculus. In Fourth ACM Conference on Computer and Communica-

tions Security, pages 36–47. ACM Press, 1997.

[2] Martín Abadi and Roger Needham. Prudent engineering practice for crypto-

graphic protocols. IEEE Transactions on Software Engineering, 22(1):6–15,

January 1996.

[3] K. Adi and M. Debbabi. A game semantics approach for security protocols. In

6th International Symposium on Programming and Systems, ISPS’2003, pages

209–227, 2003.

[4] K. Adi, M. Debbabi, and M. Mejri. A New Logic for Electronic Commerce

Protocols. Theoretical Computer Science (TCS), 291(3), 2003.

[5] Kamel Adi. Formal Specification and Analysis of Security Protocols. PhD thesis,

Université Laval, Québec, 2002.

[6] Kamel Adi and Mourad Debbabi. Abstract interpretation for proving secrecy

properties in security protocols. In Electronic Notes in Theoretical Computer

Science, volume 55, pages 29–53, 2003.

[7] Ross Anderson and Roger Needham. Robustness principles for public key pro-

tocols. In CRYPTO: Proceedings of Crypto, 1995.

115

6.2 Future Work 116

[8] D. Bert, R. Echahed, and B. Ostvold. Abstract rewriting. In Third Interna-

tional Workshop on Static Analysis, pages 178–192. Lecture Notes in Computer

Science 724, Springer-Verlag, 1993.

[9] D. Bolignano. Towards a mechanization of cryptographic protocol verifica-

tion. In 9th International Computer-Aided Verification Conference, CAV’97,

Jun 1997.

[10] C. Boyd. A class of flexible and efficient key management protocols. In Pro-

ceedings 9th IEEE Computer Security Foundations Workshop, pages 2–8. IEEE

Computer Society Press, 1996.

[11] L. Bozga, Y. Lakhnech, and M. Périn. Pattern-based abstraction for verifying

secrecy in protocols. In TACAS, volume 2619 of Lecture Notes in Computer

Science, pages 299–314. Springer, 2003.

[12] S. Brackin. An interface specification language for automatically analyzing

cryptographic protocols. In Internet Society Symposium on Network and Dis-

tributed System Security, San Diego, CA, February 1997.

[13] Michael Burrows, Martín Abadi, and Roger Needham. The Scope of a Logic of

Authentication. Technical Report 39, Digital Systems Research Center, 1994.

[14] Michael Burrows, Martín Abadi, and Roger Needham. A logic of authentica-

tion, from Proceedings of the Royal Society, volume 426, number 1871, 1989. In

William Stallings, Practical Cryptography for Data Internetworks. IEEE Com-

puter Society Press, 1996, 1996.

[15] CCITT. The directory authentification framework. Draft Recommendation

X.509, 1987. Version 7.

[16] H. Comon, M. Dauchet, R. Gilleron, F. Jacquemard, D. Lugiez, S. Tison, and

M. Tommasi. Tree automata techniques and applications, 1997.

6.2 Future Work 117

[17] H. Comon-Lundh and V. Cortier. Security properties: Two agents are sufficient.

In Proceedings of the 12th European Symposium on Programming (ESOP ’03),

pages 99–113. Springer Verlag, April 2003.

[18] D. L. Dill. The Murphi Verification System. In Rajeev Alur and Thomas

A. Henzinger, editors, Proceedings of the Eighth International Conference on

Computer Aided Verification CAV, volume 1102 of Lecture Notes in Computer

Science, pages 390–393, New Brunswick, NJ, USA, July/August 1996. Springer

Verlag.

[19] M. Debbabi, M. Mejri, N. Tawbi, and I. Yahmadi. A new algorithm for the

automatic verification of authentication protocols: From specifications to flaws

and attack scenarios. In DIMACS Workshop on Design and Formal Verification

of Security Protocols, September 1997.

[20] Alain Deutsch. Interprocedural may-alias analysis for pointers: beyond k-

limiting. ACM SIGPLAN Notices, 29(6):230–241, 1994.

[21] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE

Transactions on Information Theory, IT-22(6):644–654, 1976.

[22] B. Donovan, P. Norris, and G. Lowe. Analyzing a library of security protocols

using Casper and FDR. InWorkshop on Formal Methods and SecurityProtocols,

1999.

[23] F. J. T. Fabrega, J. C. Herzog, and J. D. Guttman. Strand spaces: Proving

security protocols correct. Journal of Computer Security, 7:191–230, 1999.

[24] A. O. Freier, P. Karlton, and P. C. Kocher. The SSL protocol: Version 3.0.,

March 1996. http://home.netscape.com/eng/ssl3/ssl-toc.html.

[25] P. Gardiner, D. Jackson, and J. Hulance et B. Roscoe. Security Modeling in CSP

and FDR: Deliverable bundle 2. Technical report, Formal Systems (Europe)

Ltd, April 1996.

6.2 Future Work 118

[26] P. Gardiner, D. Jackson, and B. Roscoe. Security Modeling in CSP and FDR:

Deliverable bundle 3. Technical report, Formal Systems (Europe) Ltd, July

1996.

[27] Thomas Genet and Francis Klay. Rewriting for cryptographic protocol verifi-

cation. In Conference on Automated Deduction, pages 271–290, 2000.

[28] Li Gong, Roger Needham, and Raphael Yahalom. Reasoning About Belief

in Cryptographic Protocols. In Deborah Cooper and Teresa Lunt, editors,

Proceedings 1990 IEEE Symposium on Research in Security and Privacy, pages

234–248. IEEE Computer Society, 1990.

[29] Jean Goubault-Larrecq. A method for automatic cryptographic protocol veri-

fication (extended abstract). In FMPPTA’2000, Cancun, Mexico, May 2000.

[30] Joshua D. Guttman and F. Javier Thayer Fábrega. Authentication tests and

the structure of bundles. Theoretical Computer Science, 2001.

[31] James Heather and Steve Schneider. Towards automatic verification of authen-

tication protocols on an unbounded network. In PCSFW: Proceedings of The

13th Computer Security Foundations Workshop. IEEE Computer Society Press,

2000.

[32] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, 1985.

[33] Gerard J. Holzmann. Design and Validation of Computer Protocols. Prentice

Hall, Englewood Cliffs, New Jersey, 1991.

[34] G. Lowe. An Attack on the Needham-Schroeder Public Key Authentication

Protocol. Information Processing Letters, 56(3):131–136, November 1995.

[35] G. Lowe. Breaking and Fixing the Needham Schroeder Public-Key Protocol

using FDR. In Proceedings of TACAS, volume 1055, pages 147–166. Springer

Verlag, 1996.

6.2 Future Work 119

[36] G. Lowe. SPLICE-AS: A Case Study in Using CSP to Detect Errors in Security

Protocols. Technical report, Programming Research Group, Oxford, 1996.

[37] G. Lowe. Casper: A compiler for the analysis of security protocols. In PCSFW:

Proceedings of The 10th Computer Security Foundations Workshop, pages 53–

84. IEEE Computer Society Press, 1997.

[38] Catherine Meadows. The NRL protocol analyzer: An overview. Journal of

Logic Programming, 26(2):113–131, 1996.

[39] Jonathan K. Millen and Harald Ruess. Protocol-independent secrecy. In IEEE

Symposium on Security and Privacy, pages 110–209, 2000.

[40] R. Milner. The polyadic π-calculus: A tutorial. Technical report, Laboratory for

Foundations of Computer Science, Department of Computer Science, University

of Edinburgh, 1991.

[41] R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes (Parts I

and II). Information and Computation, 100:1–77, 1992.

[42] J. C. Mitchell, M. Mitchell, and U. Stern. Automated Analysis of Cryptographic

Protocols Using Murφ. In Proceedings 1997 IEEE Symposium on Security and

Privacy, pages 141–153. IEEE Computer Society, May 1997.

[43] J. C. Mitchell, V. Shmatikov, and U. Stern. Finite-State Analysis of SSL 3.0.

In Proceedings of the DIMACS Workshop on Design and Formal Verification

of Security Protocols, September 3-5, 1997, DIMACS Center, CoRE Building,

Rutgers University, New Jersey, USA, pages 1–20, September 1997.

[44] David Monniaux. Abstracting cryptographic protocols with tree automata. In

Proceedings of the 6th International Symposium on Static Analysis, pages 149–

163, 1999.

[45] David Monniaux. Abstracting cryptographic protocols with tree automata.

Science of Computer Programming, 47(2–3):177–202, 2003.

6.2 Future Work 120

[46] Peter Naur. The design of the GIER ALGOL compiler. BIT, 3(2):124–140,

1963.

[47] International Standards Organisation. Common criteria for information tech-

nology security (cc). In International Standard ISO/IS 15408 Final Committee

Draft, version 2.0, 1998.

[48] L. C. Paulson. Isabelle: a Generic Theorem Prover, volume 828. Springer-

Verlag Inc., New York, NY, USA, 1994.

[49] L. C. Paulson. Proving properties of security protocols by induction. In 10th

Computer Security Foundations Workshop, pages 70–83. IEEE Computer Soci-

ety Press, 1997.

[50] E. Rescorla and A. Schiffman. The secure hypertext transfer protocol. In

Proceedings of the Forty-Second Internet Engineering Task Force, August 1998.

[51] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signa-

tures and public key cryptosystems. Communications of the ACM, 21(2):120–

126, February 1978.

[52] B. Roscoe and P. Gardiner. Security Modelling in CSP and FDR: Final report.

Technical report, Formal Systems Europe, October 1995.

[53] R. A. Scantlebury and K. A. Bartlett. A protocol for use in the NPL data

communication network. Technical report, National Physical Laboratory, April

1967.

[54] S. Schneider. Security Properties and CSP. In Proceedings of the 1996 IEEE

Symposium on Security and Privacy, pages 174–187. IEEE Computer Society

Press, May 1996.

[55] V. Shmatikov and J. C. Mitchell. Analysis of a Fair Exchange Protocol. Seventh

Annual Symposium on Network and Distributed System Security, San Diego,

pages 119–128, 2000.

6.2 Future Work 121

[56] Scott D. Stoller. A bound on attacks on payment protocols. In Logic in Com-

puter Science, pages 61–70, 2001.

[57] Paul Syverson. Limitations on design principles for public key protocols. In

IEEE Symposium on Security and Privacy, pages 62–73, Oakland, CA, 1996.

IEEE Computer Society Press.

[58] J. D. Tygar. Atomicity in electronic commerce. In Proceedings of the Fifteenth

Annual ACM Symposium on Principles of Distributed Computing, pages 8–26,

1996.

[59] Thomas Y. C. Woo and Simon S. Lam. A lesson on authentication protocol

design. Operating Systems Review, 28(3):24–37, 1994.

Documents

UNIVERSITÉDUQUÉBECENOUTAOUAIS ...w3.uqo.ca/dii/etudMaitrise/uploads/16.pdfminimisantlecoûtdel’analyse. ... Nous avons construit un cadre formel dans le but d’assurer la correction