Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
UNIVERSITÉ DU QUÉBEC EN OUTAOUAIS
FORMAL METHODS FOR SECURITY PROTOCOL CORRECTNESS
THESIS SUBMITED
IN PARTIAL FULFILLMENT
OF THE REQUIREMENTS FOR
THE DEGREE OF MASTER OF SCIENCE
BY
LIVIU PENE
JUNE 2004
UNIVERSITÉ DU QUÉBEC EN OUTAOUAIS
Département d’informatique et d’ingénierie
Ce mémoire intitulé :FORMAL METHODS FOR SECURITY PROTOCOL CORRECTNESS
présenté parLiviu Pene
pour l’obtention du grade de maître ès sciences (M.Sc.)
a été évalué par un jury composé des personnes suivantes :
Kamel Adi.................................directeur de rechercheKarim El Guemhioui.................président du juryLuigi Logrippo...........................membre du jury
Mémoire accepté le: 11 juin 2004
To Raluca.
Acknowledgments
First and foremost, I wish to thank my research supervisor, Dr. Kamel Adi, who
have guided my work on this project from beginning to end. Throughout the thesis,
I have often asked for his knowledgeable advice about a plethora of good and not-
so-good ideas I had. His valuable insights and constructive criticism have always
pushed me to think and write clearer and more concisely. His assistance with macros,
templates, tables and style in general was invaluable. It is largely due to him that
my thesis does not look like a 100 pages sentence.
I am grateful to Dr. Karim El Guemhioui and Dr. Luigi Logrippo who helped
me bound the scope of my project. Their useful comments and suggestions on the
research proposal encouraged and motivated me. Some of the changes in the second
chapter were triggered by their remarks. I extend my thanks to Dr. Karim El
Guemhioui for his introductory course to LATEX, which causes me so much grief and
enjoyment. I am still surprised, happy and annoyingly proud whenever a compilation
does not return any error message.
iii
iv
My friends have helped me preserve the contact with the real world every time I
was voluntarily secluding myself. My life has been filled with weddings, baptisms,
birthday parties, soccer games and weekly trips to Montreal. Their compassionate
affection and warm-hearted encouragements meant a lot to me. If any of those
who offered their help could have contributed with one paragraph to this thesis, I
wouldn’t have had to add a word to it.
Finally, I would like to thank my family for being very supportive and concerned all
along. Their genuine interest in the subject of this thesis helped me feel less guilty
for not sharing enough of my time with them. My wife, my mother-in-law and my
father can probably sustain a fairly technical discussion about the formal aspects
of security protocol verification. I am so grateful for having them by my side. My
father’s excellent coffee kept me awake and my mother-in-law’s cakes gave me the
desired energy supplement. My wife did a careful and merciless proof-reading and
helped correcting the draft. Above all, she showed me unquestioning faith in my
abilities, relentless support and unconditional love.
Résumé
Enjeux
Avec l’expansion rapide des réseaux informatiques et l’apparition de nouvelles techno-
logies telles que le "World Wide Web" et le commerce électronique, la sécurité des
communications est devenue une préoccupation majeure pour la communauté des
chercheurs en informatique et un grand intérêt s’est manifesté pour l’analyse, la
conception et l’implémentation des protocoles de sécurité.
Un protocole de communication est une séquence bien définie d’interactions per-
mettant de gouverner les communications dans les systèmes distribués. Le terme
protocole a était associé pour la première fois avec le transfert d’information dans un
mémorandum publié en 1967 par R. A. Scantlebury et K. A. Bartlett intitulé A pro-
tocol for use in the NPL data communication network [53]. Un protocole doit définir
un format des messages valides et des règles concernant l’échange des messages. Les
cinq éléments d’une spécification complète d’un protocole sont : le service fourni, les
hypothèses sur l’environnement, le vocabulaire, le codage et les règles procédurales.
v
vi
Les protocoles de sécurité (ou protocoles cryptographiques) sont une sous-classe des
protocoles de communication définis comme des séquences bien établies d’envoi et
de réception de messages utilisant des techniques cryptographiques afin d’atteindre
des objectifs de sécurité dans un environnement distribué. Les services de sécu-
rité assurés par les protocoles cryptographiques peuvent être l’authentification des
agents, la confidentialité des communications, l’intégrité des données, l’anonymat
des intervenants, la non-répudiation, etc.
Malgré le travail assidu de la communauté scientifique dans ce domaine, les proto-
coles cryptographiques sont toujours vulnérables à des attaques malicieuses. Il a été
prouvé, dans de nombreuses occasions, qu’une quantité insuffisante de temps allouée
à la phase de conception des protocoles peut mener à des attaques désastreuses. Il
est alors impératif de bien concevoir les protocoles et d’exécuter des tests pertinents
avant de passer à la phase d’implémentation. Dans le cas idéal, la vérification doit
révéler tous les défauts possibles ou prouver la correction du protocole d’une manière
convaincante. Par conséquent, un grand intérêt a été exprimé dans le développement
de techniques formelles pour la vérification de protocoles de sécurité.
État de l’art
L’analyse formelle des protocoles de sécurité a connu un développement impression-
nant au cours des dernières années. Les méthodes de vérification rudimentaires ont
évolué vers des techniques automatisées très complexes. Burrows, Abadi et Need-
vii
ham [14] ont introduit les notions de logique modale de croyance, de relations de
confiance et de juridiction afin de formaliser des principes de raisonnement sur les
protocoles de sécurité. Paulson [49] a utilisé l’idée de règles inductives pour modé-
liser les protocoles. Lowe est le premier qui a utilisé CSP [32] et des techniques de
"model checking" pour l’analyse des protocoles cryptographiques [34, 36]. La véri-
fication est exécutée par l’extraction d’un modèle de la spécification (d’habitude un
système de transition d’états finis) et la vérification du modèle par rapport à une
spécification logique ou comportementale. Des approches similaires ont été dévelop-
pées par Roscoe, Gardiner, Jackson, Hulance [25, 26, 52], Schneider [54] et Meadows
[38]. Abadi et Gordon ont conçu Spi [1], un calcul pour la description et l’analyse de
protocoles cryptographiques. Spi est construit comme une extension du π-calculus
de Milner [40, 41], une algèbre de processus mobile. Mitchell et al. [42, 43, 55]
a utilisé l’outil d’énumération d’états Murφ [18] pour vérifier quelques protocoles
existants. D’autres approches ayant donné de très bon résultats sont la méthode
de preuves de Bolignano [9] et les "strand spaces" de Thayer, Herzog et Guttman
[23, 30].
Plusieurs méthodes ont été utilisées avec succès pour la détection de failles dans
les protocoles cryptographiques. Cependant, les techniques fondamentales de véri-
fication, principalement celles basées sur le "model checking", sont problématiques
dans le cas de processus qui présentent des comportements infinis. En conséquence,
les aspects infinis des protocoles cryptographiques ne sont pas d’habitude supportés
par ces techniques.
viii
Interpretation abstraite
L’interprétation abstraite permet des manipulations sémantiques par l’exécution de
simulations sur une description des données afin d’obtenir l’analyse correcte la plus
précise. L’interprétation abstraite a été appliquée avec succès dans la vérification
de protocoles de sécurité et de nombreux modèles abstraits ont été obtenus, tels
que les automates d’arbre de Monniaux [44, 45], les abstractions paramétriques
d’automates de Goubault-Larrecq [29], les catégories abstraites de Adi et Debbabi
[3, 4, 5], l’abstraction basée sur les trames de Lakhnech et al. [11]. Des techniques
similaires sont les limites sur les attaques par Stoller [56], les fonctions de rang de
Heather et Schneider [31] et la limite sur le nombre des agents de Comon-Lundt et
Cortier [17].
Au chapitre 4 de ce mémoire, nous montrons comment les techniques d’interprétation
abstraite peuvent être appliquées aux problèmes d’analyse des protocoles de sécurité.
En général, les modèles de protocoles sont infinis, cependant, dans la majorité des
cas, pour des buts de vérification, seulement des modèles finis et approximatifs sont
nécessaires. Pour cette raison, nous considérons le problème du calcul d’une telle
approximation et nous nous proposons de simuler l’exécution partielle d’un protocole
à un niveau abstrait. Plus précisément, nous définissons une méthode qui calcule des
modèles finis abstraits pour les protocoles de sécurité. Le modèle abstrait est alors
utilisé pour construire une procédure semi-décidable pour la correction du protocole
par rapport à la propriété de confidentialité. Contrairement aux autres approches
ix
qui exigent que l’utilisateur conçoive l’abstraction manuellement, notre approche
est entièrement automatique, de la description de protocole aux résultats. Elle
n’exige pas d’intervention de l’utilisateur sauf pour la description du protocole et la
spécification du niveau de l’abstraction. Ce dernier paramètre permet à l’utilisateur
d’adapter la précision de l’abstraction pour obtenir les meilleurs résultats tout en
minimisant le coût de l’analyse.
Pour élaborer notre technique de vérification de protocoles de sécurité par interpré-
tation abstraite, nous avons commencé par définir une fonction d’abstraction sur les
messages manipulés par les protocoles. Cette fonction réalise une coupure dans la
structure algébrique des messages pour limiter leur taille. Cette abstraction reste
correcte puisqu’elle surestime les connaissances de l’intrus tout en rendant l’ensemble
de ses connaissances fini. Il est ainsi possible de calculer en un temps fini l’ensemble
des connaissances M# que l’intrus peut acquérir en exécutant un protocole de sécu-
rité P en multi-sessions et multi-rôles. Nous dirons alors que P ne divulgue pas
le message m ou bien P garde m secret si pour tout x dans M#, glb(x,ma) = ⊥
où ma est la forme abstraite du message m, glb est la fonction "borne inférieure"
et ⊥ est un message abstrait représentant la plus petite valeur du treillis abstrait.
La méthode est seulement semi-décidable, dans le sens où s’il existe un x dans M#
pour lequel glb(x,ma) 6= ⊥, nous ne pouvons pas conclure à l’existence d’une faille
de confidentialité dans le protocole.
x
Correction
Nous avons construit un cadre formel dans le but d’assurer la correction des pro-
tocoles cryptographiques par rapport à la propriété de confidentialité. Le modèle
défini est entièrement original, avec de nouveaux concepts tels que l’impasse, les
sessions dérivées et les stratégies gagnantes. Nous avons formalisé la confidentialité
et avons défini des conditions nécessaires pour garantir la correction des protocoles
par rapport à cette propriété. Nous avons prouvé qu’il y a une limite supérieure
sur le nombre de sessions nécessaires pour vérifier la propriété de sécurité analysée.
Ainsi, dans le chapitre 5 nous avons construit un modèle pour les protocoles de
sécurité permettant de capturer d’une manière formelle et élégante l’évolution des
connaissances de l’intrus. Le modèle borne les attaques en multi-sessions. Nous
démontrons qu’il est suffisant d’analyser un nombre limité de sessions afin de prou-
ver si la propriété de sécurité est conservée par des protocoles de sécurité. Notre
recherche s’est limitée aux catégories de protocoles impliquant deux agents, mais
peut s’être facilement étendue aux protocoles qui utilisent plusieurs agents.
Dans un protocole de sécurité, l’intrus peut être un participant actif ou passif. Un
comportement actif implique des actions de création ou de modification de messages
qui sont envoyés aux agents réguliers du système. Ceci signifie que l’intrus doit
avoir toutes les composantes nécessaires pour construire ou modifier des messages.
Quand l’intrus doit envoyer un message qu’il ne peut construire, il est alors dans
une situation d’impasse. Une telle situation peut arriver au maximum [n/2] fois
xi
où n correspond au nombre d’étapes du protocole dans lequel l’intrus peut jouer
le rôle d’émetteur. Une session initiée à l’intérieur d’une autre session suite au
besoin de l’intrus de résoudre une impasse est appelée une session dérivée. Une telle
session permet d’apporter les connaissances manquantes à l’intrus en instrumentant
d’autres exécutions du protocole. L’ensemble des sessions dérivées par l’intrus dans
le but de résoudre une impasse est appelée une stratégie et une stratégie qui réussit à
rapporter les données nécessaires pour résoudre une impasse est appelée une stratégie
gagnante. La séquence de stratégies nécessaires pour résoudre toutes les impasses
est appelée un scénario d’attaque. Pour illustrer ce travail par un exemple, nous
avons analysé le protocole CCITTX.509 [15] et le scénario d’attaque révélé par
notre technique pour la version originale du protocole est similaire à celui publié par
Burrows, Abadi et Needham.
Conclusion
Ce mémoire présente deux contributions de recherche dans l’utilisation de tech-
niques formelles pour la vérification de protocoles de sécurité. La première con-
tribution traite de la vérification des failles de confidentialité dans les protocoles
cryptographiques par construction de modèles abstraits. La deuxième contribution
est un cadre pour l’élaboration de preuves de corrections pour une sous classe de
protocoles par rapport à la propriété de confidentialité. Ainsi, dans le chapitre 4,
nous avons proposé une technique de construction de modèles de trace abstraits dans
xii
le but d’obtenir une procédure de correction de protocoles semi-décidable. Dans le
chapitre 5, nous avons élaboré un cadre de raisonnement formel pour vérifier la cor-
rection d’une sous classe de protocoles de sécurité. Le but de cette recherche est
l’étude de la propriété de confidentialité dans les protocoles de sécurité. Cependant,
il y a d’autres propriétés de sécurité intéressantes qui peuvent être examinées, tel
que la l’authentification, la non-répudiation, l’anonymat, la disponibilité, etc. et qui
peuvent constituer des extensions intéressantes de ce travail.
Plan du mémoire
La structure de ce mémoire est comme suit. Au chapitre 2 nous introduisons
quelques définitions fondamentales relatives à la cryptographie et aux protocoles
de sécurité. Au chapitre 3, nous présentons l’état de l’art dans la vérification de
protocoles de sécurité. Au chapitre 4, nous présentons une nouvelle méthode de véri-
fication de protocole de sécurité basée sur l’interprétation abstraite. Au chapitre 5,
nous présentons un cadre de raisonnement formel permettant de vérifier la correction
des protocoles de sécurité par rapport à la propriété de confidentialité. Au chapitre
6, nous résumons le travail présenté et soulignons nos contributions originales et de
possibles développements futurs de notre travail.
Abstract
The goal of this thesis is to explore the use of formal methods for security protocol
correctness. Nowadays, one of the core research directions in a constantly growing
distributed environment is the improvement of the security aspects of the commu-
nication process. Security flaws have been discovered in quite a few occasions, in
spite of the considerable amount of time and effort required for the design and im-
plementation of cryptographic protocols. The responsibility for proper verification
becomes crucial. Formal methods can play an essential role in the development of
reliable security protocols.
The thesis presents two different methodologies for assessing correctness. Our
first approach employs abstract interpretation techniques for creating a trace-based
model for protocol executions. The model was used for building a semi-decidable
procedure for verifying protocol secrecy. We also developed a second model and a
formal reasoning for multiple-session attacks on cryptographic protocols. The new
concepts of impasse and spawned sessions that we introduced led our research to
xiii
xiv
original statements about the intruder’s knowledge and protocol correctness with
respect to secrecy. Furthermore, we demonstrated that there is a bound on the
number of sessions needed for the analysis of secrecy.
Decidability and correctness results for security protocols are not abundant. How-
ever, recent advancements, such as the bound on the number of agents, indicate that
there are still important issues to be addressed in the security protocols field. Our
study presents two original conclusions to that effect. We will attempt to pursue
the work done in this thesis with complementary results.
Liviu Pene Dr. Kamel Adi
Student Supervisor
Table of Contents
1 Introduction 1
2 Basics 52.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52.2 Cryptographic Protocols . . . . . . . . . . . . . . . . . . . . . . . . . 82.3 Cryptographic Protocol Properties . . . . . . . . . . . . . . . . . . . 11
2.3.1 Security Properties . . . . . . . . . . . . . . . . . . . . . . . . 112.3.2 Transaction Properties . . . . . . . . . . . . . . . . . . . . . . 13
2.4 Cryptographic Protocols Flaws . . . . . . . . . . . . . . . . . . . . . 142.4.1 Elementary Flaws . . . . . . . . . . . . . . . . . . . . . . . . . 152.4.2 Freshness Flaws . . . . . . . . . . . . . . . . . . . . . . . . . . 152.4.3 Parallel Session Flaws . . . . . . . . . . . . . . . . . . . . . . 162.4.4 Type Flaws . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182.4.5 Key Guessing Flaws . . . . . . . . . . . . . . . . . . . . . . . 192.4.6 Internal Action Flaws . . . . . . . . . . . . . . . . . . . . . . . 192.4.7 Repudiation Flaws . . . . . . . . . . . . . . . . . . . . . . . . 202.4.8 Cryptosystem Related Flaws . . . . . . . . . . . . . . . . . . . 20
2.5 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3 Formal Verification of Cryptographic Protocols 223.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223.2 Formal Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.2.1 Specification Languages . . . . . . . . . . . . . . . . . . . . . 233.2.1.1 Interface Specification Language . . . . . . . . . . . 243.2.1.2 Common Authentication Protocol Specification Lan-
guage . . . . . . . . . . . . . . . . . . . . . . . . . . 243.2.1.3 Casper . . . . . . . . . . . . . . . . . . . . . . . . . . 243.2.1.4 SPI Calculus . . . . . . . . . . . . . . . . . . . . . . 25
3.2.2 Formal Verification . . . . . . . . . . . . . . . . . . . . . . . . 273.2.2.1 Logic-Based Techniques . . . . . . . . . . . . . . . . 273.2.2.2 The Typing Method . . . . . . . . . . . . . . . . . . 303.2.2.3 Paulson’s Inductive Approach . . . . . . . . . . . . . 32
3.3 Abstract Interpretation Concepts . . . . . . . . . . . . . . . . . . . . 323.3.1 Ordered Sets Fundamentals . . . . . . . . . . . . . . . . . . . 333.3.2 Galois Connections . . . . . . . . . . . . . . . . . . . . . . . . 35
xv
xvi
3.4 Tree Automata Abstraction . . . . . . . . . . . . . . . . . . . . . . . 363.4.1 Concrete Model . . . . . . . . . . . . . . . . . . . . . . . . . . 363.4.2 Tree Automata Model . . . . . . . . . . . . . . . . . . . . . . 383.4.3 Abstract Model . . . . . . . . . . . . . . . . . . . . . . . . . . 403.4.4 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . 40
3.5 ∨-Parameterized Tree Automata . . . . . . . . . . . . . . . . . . . . . 413.5.1 ∨-Parameterized Tree Automata Concepts . . . . . . . . . . . 413.5.2 Algebra of Messages . . . . . . . . . . . . . . . . . . . . . . . 433.5.3 Intruder Capabilities . . . . . . . . . . . . . . . . . . . . . . . 443.5.4 Simulating Protocol Runs . . . . . . . . . . . . . . . . . . . . 453.5.5 Experimental Results . . . . . . . . . . . . . . . . . . . . . . . 46
3.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
4 Abstract Trace-Based Model for Security Protocol Correctness 484.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484.2 Trace-Based Models for Security Protocols . . . . . . . . . . . . . . . 514.3 Abstract Domain of Messages . . . . . . . . . . . . . . . . . . . . . . 554.4 Simulating Cryptographic Protocol Runs . . . . . . . . . . . . . . . . 71
4.4.1 Abstracting Atomic Messages . . . . . . . . . . . . . . . . . . 724.4.1.1 Abstracting Agent Names . . . . . . . . . . . . . . . 734.4.1.2 Abstracting Keys . . . . . . . . . . . . . . . . . . . . 734.4.1.3 Abstracting Nonces . . . . . . . . . . . . . . . . . . . 74
4.4.2 Abstracting Protocols . . . . . . . . . . . . . . . . . . . . . . 744.5 Verification of Secrecy Correctness . . . . . . . . . . . . . . . . . . . . 784.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
5 Formal Reasoning for Security Protocol Correctness 805.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 805.2 Definitions and Assumptions . . . . . . . . . . . . . . . . . . . . . . . 825.3 Intruder’s Knowledge . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
5.3.1 Intruder’s Capabilities . . . . . . . . . . . . . . . . . . . . . . 865.3.2 Impasse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 875.3.3 Spawned Sessions . . . . . . . . . . . . . . . . . . . . . . . . . 89
5.4 Protocol Correctness . . . . . . . . . . . . . . . . . . . . . . . . . . . 935.5 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
5.5.1 Intruder Needs . . . . . . . . . . . . . . . . . . . . . . . . . . 955.5.2 Roles and Identities . . . . . . . . . . . . . . . . . . . . . . . . 955.5.3 Equivalent Attacks . . . . . . . . . . . . . . . . . . . . . . . . 97
5.6 Bound on Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 985.7 Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1055.8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
6 Conclusion 1116.1 Contribution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1116.2 Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
List of Tables
2.1 The Woo and Lam Authentication Protocol . . . . . . . . . . . . . . 92.2 The Neuman-Stubblebine Key Distribution Protocol . . . . . . . . . . 102.3 The Needham-Schroeder Protocol . . . . . . . . . . . . . . . . . . . . 162.4 Attack Scenario on the Needham-Schroeder Protocol . . . . . . . . . . 162.5 The Three-Pass Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 172.6 Attack Scenario on the Three-Pass Protocol . . . . . . . . . . . . . . 172.7 The Otway-Rees Protocol . . . . . . . . . . . . . . . . . . . . . . . . 182.8 Type attack on the Otway-Rees Protocol . . . . . . . . . . . . . . . . 19
3.1 Experimental results for ∨PTA . . . . . . . . . . . . . . . . . . . . . 46
4.1 The Woo and Lam Authentication Protocol . . . . . . . . . . . . . . 534.2 Woo and Lam Inductive Rules . . . . . . . . . . . . . . . . . . . . . . 544.3 Abstract Intruder Knowledge Generation from Abstract Traces . . . 76
5.1 Spawning options for an initial session γ. . . . . . . . . . . . . . . . 1035.2 The original CCITT X.509 Protocol . . . . . . . . . . . . . . . . . . 1055.3 Spawning options for an initial session γ of the CCITT X.509 protocol 1075.4 The corrected CCITT X.509 Protocol . . . . . . . . . . . . . . . . . 108
xvii
Chapter 1
Introduction
A communication protocol is an orderly defined sequence of interaction between en-
tities designed to govern communications in a distributed system. The term protocol
was first associated with information transfer in a memorandum published in April
1967 by R. A. Scantlebury and K. A. Bartlett titled A protocol for use in the NPL
data communication network [53]. A protocol has to define a format of the valid
messages along with the rules for data exchange. The five elements of a complete
specification are: the service provided, the assumptions about the environment, the
vocabulary, the encoding and the procedure rules.
Security protocols (or cryptographic protocols) are a subclass of communication
protocols that can be defined as a precisely determined sequence of messages us-
ing cryptographic techniques in order to achieve security objectives in a distributed
environment. For the scope of this thesis, we make the assumption that the crypto-
graphic systems used by various algorithms are perfect, in the sense that they cannot
be broken by a malicious intruder. Among the techniques involved we can mention
symmetric and asymmetric encryption, hash functions and digital signatures. The
security services to be provided are authentication of principals, secrecy, integrity,
anonymity, non repudiation, establishment of session keys and so on. In spite of the
hard work of the scientific community in this field, security protocols are still prone
1
2
to error. In numerous occasions, it has been proven that an insufficient amount of
time spent on protocols design can lead to attacks that reveal secret information
to skilled intruders. Therefore, it is of utmost importance to allow enough time
for the design process and perform pertinent tests before implementing any security
protocol. In the ideal case, such an examination should either reveal all possible
flaws or prove correctness in a convincing manner.
Formal analysis of security protocols has evolved from basic, sometimes rudimen-
tary, verification methods to very complex automated techniques in the form of
formal dedicated languages, calculi and logics. Burrows, Abadi and Needham [14]
introduced the notions of modal logic of belief, trust relationships and jurisdiction
in order to formalize reasoning principles on security protocols. Paulson applied in
[49] the idea of inductive rules as models for security protocols. Lowe [34, 36] was
the first to use CSP [32] and model-checking techniques for cryptographic protocol
analysis. The protocol is specified as a set of communicating sequential processes
that are running in parallel and interacting with their surroundings. The verification
is performed by extracting a model (usually a finite state transition system) from
the specification and checking the model against a logical specification (a formula
over a modal temporal logic) or a behavioral specification (a process term). The
idea is to verify whether an intruder could lead principals involved in a protocol
run to an insecure state. The process algebra-based methods have been successfully
used in the detection of several flaws in well-known cryptographic protocols. The
approach seems to be very promising and useful. However, it is well known that
the underlying verification techniques, mainly those based on model-checking, are
problematic in the presence of processes that exhibit infinite behaviors. Accord-
ingly, the infinite aspects of cryptographic protocols are usually not supported in
the verification process. Notice also that the specification of security properties in
terms of process agents or modal formulas is neither straightforward nor system-
atic. Abstract models have been successfully used for protocol correctness. Other
approaches attempted that produced good results are the use of theorem proving by
3
Bolignano [9], game semantics by Adi [3, 5] and strand spaces by Thayer, Herzog
and Guttman [23, 30].
Contributions
We are particularly interested in the correctness aspects of security protocols veri-
fication. Formal methods presented themselves as the appropriate choice for com-
pleting the verification tasks involved. There are, however, inconveniences related
to this option. By hypothesis, an intruder can execute an infinite number of sessions
in order to find flaws. As a consequence secrecy in general - with no assumptions
made on the message size and the number of agents, keys, etc. - is undecidable.
It is a challenge to find the balance between the accuracy of the results and the
assumptions. If no restrictions are imposed on the model, the procedures can be
undecidable or semi-decidable at best. Conversely, more powerful results can emerge
when a set of assumptions is defined.
We have obtained both decidability and semi-decidability results with respect to
protocol correctness. First, we defined in chapter 4 a trace-based model based
on the interesting properties of an abstraction function defined by Adi [5]. The
abstraction overestimates the intruder’s knowledge and is correct with respect to
the information available to the intruder in any possible protocol execution. We
proved that secrecy is semi-decidable for our model, in the sense that the protocol
fails if a flaw is found, but nothing can be said if no flaws are discovered. The result
is similar to the one obtained by Adi for a category-based model.
Second, we built a completely new framework in chapter 5 with the same aim of
observing correctness for security protocol verification. The model defined is entirely
original, along with new concepts such as impasse, spawned sessions and winning
strategies. We formalize the notion of secrecy and define a set of assumptions for
the model, the most important one being the number of agents. We prove that
4
there is an upper bound on the number of sessions needed for verifying the security
property analyzed. To our knowledge, this is the first result that displays a bound
on the number of sessions that is independent of the number of protocol steps and
variables.
Outline
The layout of this thesis is presented below:
• Chapter 1 outlines the content of the thesis: the context, the original contri-
bution and the logical division into chapters.
• Chapter 2 introduces basic cryptography and cryptographic protocols defini-
tions and presents some of the common problems related to the implementation
of security properties.
• Chapter 3 overviews some of the advancements in security protocols verifica-
tion and addresses a theory that is of particular interest for this study: abstract
interpretation.
• Chapter 4 presents a new protocol verification method based on abstract in-
terpretation. The aim is to build a semi-decidable procedure for secrecy.
• Chapter 5 addresses correctness with respect to secrecy and presents a formal
reasoning for evaluating such correctness. The proposed framework includes a
comprehensive analysis and a bounding model for multi-session attacks that
is sufficient for our correctness proofs.
• Chapter 6 summarizes the work presented and underlines our original contri-
butions. Further development is also envisioned.
• Finally, the Bibliography section lists all the articles, reports, books etc. that
where cited in this study.
Chapter 2
Basics
Abstract
This chapter presents some basic cryptographic protocols definitions, the security
properties and the potential flaws associated with their impementation. This is not
an exhaustive introduction, it simply gathers the background knowledge needed for
following the rest of the thesis.
2.1 Introduction
Cryptology means, as translated from ancient Greek, hidden-word (kryptos logos)
and has been used for preserving confidentiality of military communications since im-
memorial times. Cryptography is, along with cryptanalysis, one of the two branches
of cryptology. The goal of cryptography is to provide data secrecy, for a period
of time, for messages transmitted between a sender and a receiver. This is accom-
plished by crafting codes and cyphers. Cryptanalysis, on the other hand, aims at
retrieving the clear text from encrypted messages through attacks on encoding al-
gorithms. The two complementary facets of cryptology evolve synchronized, as the
development of one necessarily leads to the advance of the other.
Nowadays, cryptography is no longer the prerogative of governments and military
5
2.1 Introduction 6
forces, especially with the extraordinary improvement in computing power brought
by distributed environments (and most notably the Internet) and personal comput-
ers. The cryptographic algorithms allow encryption of a message M to an encrypted
message M’ and decryption of M’ into M. The standard notation for encryption of
a message M with the key K is e(M,K) and for decryption of a message M’ with
the key K−1, d(M’,K−1). The functions are inverses of each other, meaning that:
d(e(M,K),K−1) = M
The parameters facilitating the two processes are called encryption and decryption
keys (K and K−1, respectively). Based on the relationship between the keys, three
systems are popular: symmetric key systems, asymmetric key systems and nonin-
vertible cryptography.
The symmetric key system has the particularity that the decryption key can be
computed starting from the encryption key. In most cases, the system uses the
same key M for both encryption and decryption. Therefore, one can write:
d(e(M,K),K) = M
The participants must agree, before exchanging messages, on a secret key to be used
for communication. There are some well-known algorithms of this type that were
or are still extensively used: RC2, RC4, RC5, IDEA (International Data Encryption
Algorithm) and DES (Data Encryption Standard).
The asymmetric key system allows a principal to derive a set of keys, which are
the inverse of each other, to be used for message encryption and decryption. The
method developed by Witfield Diffie and Martin E. Hellman [21] is an alternative to
the symmetric system that employs a public key and a private key, hence the name
public key system. The public key is supposed to be known or available to anybody
2.1 Introduction 7
wishing to communicate with the principal, and it is to be used for encryption. The
principal will then decrypt the message using the private key, which is extremely
hard, if not impossible, to compute from the public key. Public key cryptography
is much slower then its symmetric counterpart and it is mainly employed just to
ensure a secure exchange of symmetric keys.
The best known asymmetric key algorithm is RSA [51], an acronym for the names
of it’s creators: Ronald Rivest, Adi Shamir and Leonard Adleman. The algorithm
is used to generate public and private keys and is based on the difficulty of finding
two prime numbers starting from their product. The steps involved are:
• choosing two large numbers p and q
• computing their product n = p× q
• finding (e,d) such that e×d ≡ 1mod((p−1)×(q−1)) and e and (p−1)×(q−1)
are prime between them
• pairing the private key (d,e) and the public key (n,e)
• cutting de message M in blocs mi
• encrypting blocks by ci = mie mod(n)
• concatenating all encrypted blocks mi.
Other useful applications of asymmetric key algorithm include authentication and
digital signature. Authentication allows a user to prove his identity for the purpose
of login or access control, for instance. Digital signatures are additional credentials
attached to the message M, depending on a secret key, and that can only be verified
by someone holding the corresponding public key.
Noninvertible cryptography uses a single direction hash function H(M) for comput-
ing a print from the message M, with the following properties:
2.2 Cryptographic Protocols 8
• H(M) is easy to compute
• finding M from H(M) should be almost impossible
• finding M’ such that H(M) = H(M’) must be extremely difficult.
Noninvertible cryptography is implemented in password management in networked
environments in order to hide the true value of a password behind its hashed value.
2.2 Cryptographic Protocols
Participants to a protocol, called principals, have to follow well defined steps, known
in advance, to communicate with each other. Cryptographic techniques are used for
the protocols with a security objective, hence the name cryptographic protocols. The
security objective might be confidentiality or might involve authentication, genera-
tion of random sequences, or partial sharing of a secret.
The basic syntax agreed upon by most researchers denotes the principals by A, B
and S. A and B are two parties wishing to communicate in a secure way and S is
a trusted server. The two principals will share a key Kab. In case a public-private
key encryption scheme is used, the public key of A is Ka and the private one is
Ka−1. Random sequences of bits, called nonces, can be used to identify a particular
protocol execution. A nonce and a timestamp generated by principal B are Nb
and Tb, respectively. A message M encrypted by the key K is noted mK . The
communication steps are described by the following syntax:
Message number. Principal1 → Principal2 : Message
For instance, the third step of the Woo and Lam protocol [59] the following syntax:
Message 3. A → B : NbKas
2.2 Cryptographic Protocols 9
The meaning of the above is that for this protocol, during the execution of the third
step, A sends to B a message containing a nonce Nb generated by B encrypted with
a key Kas shared only by A and the server S.
Based on their security objectives, there are several types of protocols, of which
the most prominent are authentication, key distribution and e-commerce protocols.
The authentication protocols verify the identity of the sender and the integrity of
the data to protect against masquerades. Depending on whether the authentication
occurs at one end or both, the protocols can be unidirectional or bidirectional. Table
2.1 below presents the Woo and Lam protocol, one of the best known authentication
protocols.
Message 1. A → B : A
Message 2. B → A : Nb
Message 3. A → B : NbKas
Message 4. B → S : A, NbKasKbs
Message 5. S → B : NbKbs
Table 2.1: The Woo and Lam Authentication Protocol
When secure distribution of cryptographic keys is desired, the key distribution pro-
tocols are used. The three aspects involved are confidentiality, integrity and avail-
ability. Confidentiality ensures that the key can’t be acquired by an intruder. Key
integrity is the assurance that any modification to the key is detected. Availability
guarantees the participants obtain a session key at the end of the protocol. Table
2.2 presents the Neuman-Stubblebine protocol, a key distribution protocol.
2.2 Cryptographic Protocols 10
Message 1. A → B : A,Na
Message 2. B → S : B, A,Na, TbKbs, Nb
Message 3. S → A : B,Na, Kbs, TbKas , A,Kab, TbKbs, Nb
Message 4. A → B : A,Kab, TbKbs, NbKab
Table 2.2: The Neuman-Stubblebine Key Distribution Protocol
We can distinguish three different classes of protocols, considering the technique
used for solving potential conflicts: arbitrated, adjudicated and self-enforcing. The
arbitrated protocols involve a third trusted party that has no interest in the results
of the execution of the protocol and is fair to all the participants. On the other
hand, the participants are trusting the third party and always expect a complete
session run of the protocol. This type of protocol is the most widely used.
The adjudicated protocols are an altered version of the arbitrated ones, where the
third party plays a role only if required. The normal run of a protocol would lead
to a completion of the session. The adjudicator is called to analyze the dispute and
rule only if a party is suspected of cheating.
The self-enforcing protocols were specially designed to guarantee that no party will
gain an advantage by cheating. The protocol ensures cheating is discovered imme-
diately, so there is no need for an arbitrator.
Electronic commerce has emerged as the effect of the extraordinary growth of the
interactive communication over the Internet, and has been pushed forward by the
convenience of the process. It involves just the buyer, his credit card and his com-
puter, saves the time wasted for shopping and eliminates the long monologues of the
2.3 Cryptographic Protocol Properties 11
sales person. But electronic commerce (or e-commerce, for short), like any kind of
goods exchange, has to comply with certain rules and meet some extra requirements
that are obvious in the classic type of commerce, like transaction completion and
goods delivery. The simplicity of the concept as well as the lack of any physical,
hard evidence (like a real credit card, not just a number) make it vulnerable to mas-
querading attacks. The protocols designed to guarantee the security objectives are
called electronic commerce protocols. The most commonly used transaction proto-
cols are SSL (Secure Sockets Layer) [24] and SHTTP (Secure Hyper Text Transfer
Protocol) [50]. SSL is supported by the major Internet browsers (Netscape and Mi-
crosoft Internet Explorer) and uses the RSA digital signature for authenticating the
principals.
2.3 Cryptographic Protocol Properties
As a subclass of communication protocols, which have as the main objective the
exchange of information, security protocols have to satisfy certain specific require-
ments. Those requirements have been divided into general security properties and
transaction properties. The definitions of these properties are presented in the fol-
lowing subsections.
2.3.1 Security Properties
Security properties are defined for principals, data and keys. Depending on the
protocol’s purpose, failure to preserve a specific security property may result in
unveiling confidential information to an intruder and, consequently, may lead to
protocol failure. Some of the most important properties, listed in alphabetical order,
are:
• Anonymity: Anonymity allows a principal to make transactions that cannot
be tracked by others. Another principal can only notice that an event, such
2.3 Cryptographic Protocol Properties 12
as a transaction, has occurred, but can’t determine the initiator or responder.
This property is highly important for customer privacy in the new e-commerce
environment, where automated online agents try to profile customer behavior
and buying habits.
• Authentication: In a distributed environment, the message originator has to
be uniquely identifiable. The recipient also needs to be certain that the original
data has not been tampered with. That is where the authentication property
comes into play. If implemented, it ensures that messages have been issued by
the principals and the content was not changed. If not specifically stated, an
intruder can masquerade one or more principals identity and be mistaken for
a true principal, with the associated consequences for data confidentiality.
• Availability: The availability property refers to a protocol’s capacity of ac-
cessing resources. In order to establish a session, for instance, all the partici-
pants need to state that they are ready to communicate. To ensure the flow of
messages, control of the communication lines has to be guaranteed, certifying
that messages will arrive at the recipients end.
• Fairness: Fairness is mainly involved in protocols that don’t require the arbi-
tration of a third party, such as a server authority. The purpose is to prevent
incomplete executions of a protocol that might result in information unilater-
ally gained by one of the parties. A modified version of fair protocols states
that a normal run will only involve two agents that will call for a trusted third
party in case of dispute.
• Non-repudiation: Participants in a protocol run may need to convince not
only the other participants, but also trusted third parties, that they were or
were not involved. Stronger than the authentication property, non-repudiation
is defined as the impossibility of denying having participated in a message
exchange. It is implemented by collection, maintenance, availability and vali-
dation of evidence concerning events or actions.
2.3 Cryptographic Protocol Properties 13
• Integrity: Integrity protects against unauthorized creation, alteration or de-
struction of data. If any alteration occurs, it has to be detected and the
corresponding protocol flaw has to be identified.
• Secrecy: This property allows the messages to reach the intended receivers
only, and nobody else. It represents the foundation of communications con-
fidentiality, as many other security properties rely on it. Authentication,
anonymity and integrity, for instance, are strongly related to secrecy. Unautho-
rized parties cannot benefit from any information disclosure, such as sensitive
data or cryptographic keys.
Definition 2.3.1 (Correctness). A protocol is correct with respect to a security
property if the property is preserved in any possible execution of the protocol.
2.3.2 Transaction Properties
Some classes of cryptographic protocols allow (sometimes) more than a plain trans-
mission of information. Goods and money can also be transferred as a result of
a successful transaction. Given their special nature, e-commerce protocols need a
few more properties to be defined. The virtual interaction between the participants
tolerates half-way stops of the protocol by one of the parties. The transaction can
be terminated for various reasons: network disruptions, a customer cancelling an or-
der, a bank refusing the credentials etc. More guarantees are needed for both ends
that the money have been spent (or not) and the goods have been bought/sold and
shipped. The following three classes of atomicity for electronic goods are defined by
Tygar in [58]:
• Money Atomicity: The transfer either completes entirely or not, so we
talk about an atomic transfer of electronic money. Money is not created or
destroyed by purchase transactions.
• Goods Atomicity: The goods are received by the customer if and only if
the money is paid. This property is strongly related to money atomicity, as
2.4 Cryptographic Protocols Flaws 14
a payment can only be made once a money-atomic transaction has completed
successfully. The concept is similar to that of “cash on delivery” .
• Certified Delivery: A supplemental provision that allows both the merchant
and the customer to prove what was delivered is called certified delivery. Each
party can exhibit its evidence to a judge in case of a dispute. Obviously, a
certified delivery transaction is goods-atomic.
2.4 Cryptographic Protocols Flaws
Preventing protocol failures is the major concern of a protocol designer. Particular
features to be implemented are robustness and scalability and those are achieved
mainly through a simple, minimal design that is easily adaptable to technological
advancements. A number of rules [33] have been drawn as a framework for protocol
design:
1. Keep it simple
2. Define the problem: requirements, constraints, techniques
3. Define the service
4. Design external functionality: the black-box principle
5. Don’t force connections independent issues
6. Keep the design open-ended
7. Build a high-level prototype and test it
8. Implement the protocol and optimize it
9. Verify the optimized implementation
10. Don’t skip rules 1 to 7
2.4 Cryptographic Protocols Flaws 15
For the scope of our study, we make the assumption that the cryptographic algo-
rithms and the corresponding implementation techniques are perfect. We will only
take into account security properties failures. Such faults, called protocol security
flaws, can only be exploited by active attacks, as the passive ones will simply observe
the protocol execution.
2.4.1 Elementary Flaws
A flaw is considered to be elementary if some simple analysis of a single protocol
run allows the attacker to reveal sensitive data. Despite the protection level one
would expect from security protocols, quite a significant number of elementary flaws
have been discovered. A notorious one is related to the CCITT X.509 protocol [15]:
the signature is added to the message after it was encrypted, therefore it doesn’t
get protected inside the encrypted message. An intruder needs only to intercept the
message, remove the original signature and add his to make the recipient believe
that he is, in fact, the sender.
2.4.2 Freshness Flaws
If one or more of the principals cannot decide if a message is fresh or not, an
attacker can play that message back at a convenient time to pretend he just sent it.
A good example of a flawed protocol for this case is the Needham-Schroeder protocol,
designed for mutual authentication and key exchange of two principal A and B with
the aid of a trusted server S. A corrected version, the Needham-Schroeder-Lowe
protocol, already replaced the faulty one. We present the original protocol in Table
2.3 and a possible attack scenario in Table 2.4.
2.4 Cryptographic Protocols Flaws 16
Message 1. A → S : A,B, Na
Message 2. S → A : Na, B,Kab, Kab, AKbsKas
Message 3. A → B : Kab, AKbs
Message 4. B → A : NbKab
Message 5. A → B : Nb − 1Kab
Table 2.3: The Needham-Schroeder Protocol
The lack of information about the freshness of the message issued by A during the
third step of the protocol is crucial. If this message has been previously intercepted,
the session key K ′ab is compromised as it can be used by the intruder in a future
session. The intruder will masquerade the identity of A and B will then assume
that the key Kab was generated by the trusted server S. As a consequence, B will
reveal to the intruder some secrets.
Message 3. I(A) → B : K ′ab, AKbs
Message 4. B → I(A) : NbK′ab
Message 5. I(A) → B : Nb − 1K′ab
Table 2.4: Attack Scenario on the Needham-Schroeder Protocol
2.4.3 Parallel Session Flaws
The intruder has always the choice of when, what and how he can interfere. More-
over, he can switch roles at his convenience, participating in some sessions as A and
2.4 Cryptographic Protocols Flaws 17
in others as B. Under certain circumstances, playing the suitable roles and running
just some appropriate steps of a protocol might reveal the contents of an encrypted
message. The protocols vulnerable to such attacks are said to contain parallel ses-
sion flaws. An excellent example is the Three-Pass protocol (Table 2.5), designed
by Rivest, Shamir and Adleman to allow transferring encrypted messages between
two parties without any authentication.
Message 1. A → B : MKa
Message 2. B → A : MKaKb
Message 3. A → B : MKb
Table 2.5: The Three-Pass Protocol
The intruder can take advantage of the encryption symmetry:
MKaKb= MKb
Ka
If the attacker sends back to the originator an unaltered message, he well get as a
response the decrypted message (Table 2.6):
Message 1. A → I(B) : MKa
Message 2. I(B) → A : MKa
Message 3. A → I(B) : M
Table 2.6: Attack Scenario on the Three-Pass Protocol
2.4 Cryptographic Protocols Flaws 18
2.4.4 Type Flaws
Besides getting the information that can be re-used in a different session, an intruder
can mislead a principal by sending him a message of a different type than the one
normally used. If no type-checking is implemented for the protocol, the attacker can
take advantage of the type flaw.
Boyd [10] describes a type attack on the Otway-Rees protocol. During the regular
protocol run, the following sequence is executed: A sends to B a nonce M, the
identity of A and B and an encrypted message for which only the server S has the
key. B relays the message from A to S along with his own cyphertext. S performs
the decryption and compares the result of the two encrypted parts to ensure the
nonce and identities are the same. It also generates the key Kab and sends it to B,
who will then forward it to A. Table 2.7 displays the protocol steps.
Message 1. A → B : M,A, B, Na,M, A,BKas
Message 2. B → S : M,A, B, Na,M, A,BKas , Nb,M, A,BKbs
Message 3. S → B : M, Na, KabKas , Nb, KabKbs
Message 4. B → A : M, Na, KabKas
Table 2.7: The Otway-Rees Protocol
An attack can be constructed based on the idea that the session key intended for
A in Message 4 can be substituted since the intruder already has a message of the
same format (encrypted with Kab and containing Na) (Table 2.8):
2.4 Cryptographic Protocols Flaws 19
Message 1. A → I(B) : M,A, B, Na,M, A,BKas
Message 4. I(B) → A : M, Na, M,A, BKas
Table 2.8: Type attack on the Otway-Rees Protocol
2.4.5 Key Guessing Flaws
Key guessing is a technique that is directed mainly against protocols that use pseudo-
random key generation. An old session might be analyzed to provide either the
session key or certain characteristics of the generating algorithm and the associated
generic format. The attacker will then, depending on his success with the histori-
cal session, try to use the revealed key or match it against a dictionary of possible
keys. The dictionary is an exhaustive collection of most-likely combinations com-
plying with the generic format. For instance, for the case of a 64-bit key, binary
representations from all 0 ’s to all 1 ’s for the 64 bits could be tested.
2.4.6 Internal Action Flaws
The principal’s incapacity to perform the appropriate actions required for message
transfer results in internal actions flaws. By appropriate actions we mean checking
the integrity, freshness and authenticity of the received messages or doing the nec-
essary computations. Incomplete specifications might result in major security holes
that can readily by exploited. The Three-Pass protocol, for instance, fails to check
if the message received during the third step of the protocol is encrypted or not.
2.5 Conclusion 20
2.4.7 Repudiation Flaws
A protocol contains a repudiation flaw if one of the participants is able to deny his
involvement in a successful protocol execution. Two distinct types of repudiation
may occur: repudiation of origin and repudiation of receipt. To prevent such events,
certain protocols collect evidence to be used as proof. The corresponding features
are called non-repudiation of origin and non-repudiation of receipt, respectively. If
the responsibility of message delivery is on a third trusted party, non-repudiation of
submission and non-repudiation of delivery might also be defined. An adjudicator
is called to settle disputes based on the above-mentioned features.
2.4.8 Cryptosystem Related Flaws
Even with perfect cryptographic primitives, some attacks are still possible. Simple,
reversible techniques such as the XOR function are particularly dangerous. This
is the case of the Three-Pass protocol, for which a scenario involving several XOR
operations on intercepted encrypted messages reveals the original plain text.
2.5 Conclusion
Security protocols are a very important aspect of the communication act, as they
are the guarantee of a properly conveyed message. Writing a good specification for
a solid protocol is not a simple task. In numerous occasions has it been proved
that a superficial approach or an oversight of what seemed to be a minor detail
can lead to disastrous results. Flaws are usually the result of an incomplete or
incorrect specification. However, there are cases when even if the protocol features
are well designed, good specifications may be turned into security holes by bad
implementations. The main issue is to identify them and find ways to prevent
exploiting them. Several methods, such as the specification languages and the formal
methods, are presently being used to ensure the preservation of security properties.
2.5 Conclusion 21
In this context, protocol verification and analysis become an indispensable part of
the design process.
Chapter 3
Formal Verification of Cryptographic
Protocols
Abstract
This chapter introduces some formal verification techniques and addresses a theory
that is of particular interest for this study: abstract interpretation. Among the quite
abundant number of methods that can be used for automatic verification, abstract
interpretation provides a framework for proving security properties for cryptographic
protocols. The work of David Monniaux on tree automata and the refinement of this
technique by Jean Goubault-Larrecq are also presented here.
3.1 Introduction
One of the objectives for improving the security properties associated with an ev-
ermore transparent communication environment is the use of automated techniques
for guaranteeing the absence of logical faults in cryptographic protocols. The logic
of authentication developed by Burrows, Abadi and Needham [14] paved the way by
presenting the notions of modal logic of belief (the BAN logic), trust relationships
and jurisdiction in order to formalize reasoning principles on crypto-protocols. G.
Lowe introduced the concept of model-checking and applied it to find flaws or prove
22
3.2 Formal Methods 23
correctness of security properties [35]. Such systems are FDR [22], NRL [38] and
others. They are complemented by efforts like TCSec, ITSec and Common Criteria
certification [47]. D. Bolignano’s formal verification [9] and L. C. Paulson’s inductive
rules [49] are to date the most successful techniques in giving security guarantees for
cryptographic protocols. Peter Naur pioneered the abstract interpretation field in
1963 when he proposed a method for defining abstract values for his compiler GIER
ALGOL III [46]. His idea was to execute a program using operators working on
descriptions of data rather than real data. This method has been implemented ever
since in various compilers in order to obtain program validation, partial evaluation,
effective parallel execution, and generation assertions for software verification.
3.2 Formal Methods
Although cryptographic protocols design takes a considerable amount of time and
effort, flaws have been discovered in quite a few occasions, mostly as the result of
an informal approach. The success of formal methods being applied to find such
flaws was a fertile ground for the development of two main directions: protocol
specification and protocol verification and analysis.
3.2.1 Specification Languages
There are two ways to specify the protocol requirements: formal languages and
calculi. In order to allow more precision and formal manipulations, a language
semantics is sometimes defined. Among the best known formal specification methods
are the ISL (Interface Specification Language), CAPSL (Common Authentication
Protocol Specification Language) and Casper languages and the SPI calculus, which
we will briefly introduce in this section.
3.2 Formal Methods 24
3.2.1.1 Interface Specification Language
The Interface Specification Language, or ISL in short, is a simple language designed
by Brackin [12]. The Automatic Authentication Protocol Analyzer (AAPA), which
is used in conjunction with ISL, employs an extension of the Gong, Needham and
Yahalom belief logic (GNY) to prove either compliance or failure of the protocol with
regards to the specification. Therefore, protocol designers can eliminate a significant
number of errors from the early stages of their work.
3.2.1.2 Common Authentication Protocol Specification Language
Designed by Millen, the Common Authentication Protocol Specification Language
(or CAPSL) is intended as a standard input format for formal analysis. CAPSL is
structured as a three-faceted specification covering type, environment and protocol
requirements. Types are used to define the principals, the cryptographic operators
and some other functions. For various network scenarios, optional environment spec-
ifications are defined. The protocol part starts with variable types declarations and
initial conditions assumptions. The message and security goals lists complete the
protocol specification. The targeted objectives are usability, abstraction, complete-
ness, extensibility, parsability and scalability. In other words, it should be modular,
easy to read, use, translate, extend, it should cover all possible flaws but limit the
complexity to a reasonable minimum required for failure analysis.
3.2.1.3 Casper
A different approach is used by Lowe [36] who translates an abstract description
of a cryptographic protocol into a CSP (Communicating Sequential Processes) de-
scription [32]. That description is to be used in conjunction with the FDR (Failures
Divergence Refinement) model checker [22], allowing automatic verification of se-
curity properties. Casper, the language developed by Lowe, generates CSP scripts
from high level descriptions. In addition to the protocol specifications, similar to
the ones employed by CAPSL, the verified system has to be defined. Therefore,
3.2 Formal Methods 25
the agents involved and their specific roles are included in the Casper protocol de-
scription [37]. Several protocols have been checked for security flaws using Casper,
including Yahalom, Kerberos, and CCITT X.509.
3.2.1.4 SPI Calculus
Milner’s π-calculus [40] is a general-purpose calculus that has been successfully used
to demonstrate security properties for some protocols. By extending it with spe-
cialized cryptographic primitives, Abadi obtained what he called the SPI calculus
[1], which allows verification of a broader spectrum of security protocols, as the
encryption and decryption can now be checked.
Processes and process equivalence are used in SPI for the representation of crypto-
graphic protocols and security properties, respectively. A syntax and a semantics
are defined for SPI, along with a process communication and synchronization mech-
anism.
The syntax consists of two parts: the processes and a set of terms. Ω and X are
used to denote an infinite set of names and an infinite set of variables, respectively.
The set of terms defines the following:
• terms: M, N
• name: n ∈ Ω
• pair: (M, N)
• zero: 0
• successor: suc(M)
• variable: x ∈ X
• shared-key encryption: MN
3.2 Formal Methods 26
The processes are:
• process: P, Q
• output: M〈N〉.P
• input: M(x).P
• composition: P | Q; P and Q execute in parallel
• restriction: (νn)P ; creates a new private name n and then behaves as P
• replication: !P ; infinite number of copies of P running in parallel
• match: [M is N ] P ; acts like P if M and N are equal, if not it does nothing
• nil: 0; doesn’t do anything
• pair splitting: let(x, y) = M in P , x, y ∈ X; acts like P [N/x][L/y] if M is
the pair (N, L)
• integer case: case M of 0 : P suc(x) : Q x ∈ X; Q acts like P if M is the
term 0 and Q[N/x] if M is the term suc(N), if not it does nothing
• shared-key decryption: case L of xN in P x ∈ X; acts like P [M/x] if L is
the term MN , if not it does nothing
where P [M/x] is the result of replacing x in P with M.
The communication and synchronization mechanism takes care of the interaction
between processes. A ready-to-transmit process (denoted by c〈M〉.P ) must be syn-
chronized with a ready-to-receive process (denoted by c(x).P ) on the same channel.
As a consequence, messages are transferred between the output and input processes.
The semantics imitates a chemical model: the analogy for a process is a chemical
solution containing molecules ready to react. The technique is called the reaction
3.2 Formal Methods 27
relation and was developed by Milner. If synchronization occurs, the two processes
interact:
c〈M〉.P | c(x).P → P | Q[N/x]
3.2.2 Formal Verification
Cryptographic protocols verification is accomplished via formal techniques. There is
a large variety of well-established techniques today, the most notable being the logic-
based techniques, the typing method, and the modelling approach. Representative
of the modelling approach are the inductive rules, briefly introduced in the present
section, and abstract interpretation, which is of particular interest, is introduced in
section 3.3 and detailed in a dedicated chapter.
3.2.2.1 Logic-Based Techniques
Knowledge, trust and beliefs are the foundations for constructing a logic that allows
derivation of new beliefs and knowledge about a distributed system. Specifying a
protocol based on that logic consists in defining the inference rules for the manip-
ulation of the initial statements and modelling the system. Several major results
were obtained based on this technique, the most important ones originating in the
BAN logic [14]. However, the logic-based techniques fail to provide a solid base for
protocols idealization, freshness modelling or some parallel session flaws.
BAN logic
The BAN logic [13, 14] was developed by Burrows, Abadi and Needham mainly for
detecting authentication flaws. It takes into account a set of initial beliefs of trusted
protocol participants in order to derive other beliefs. Assumptions and assertions
are checked for adequacy against the inference rules associated with the logic. The
3.2 Formal Methods 28
conclusion is simply based on the beliefs assessment: if they are adequate, the
protocol is correct; if not, it contains an authentication flow.
Protocol analysis is divided in four phases: protocol idealization, initial assumption,
protocol annotation and beliefs analysis. The idealization consists in formalizing the
protocol notations trough actions such as stripping messages of plaintext compo-
nents. The initial assumption phase is straightforward: participants to the protocol
explicitly state the freshness of nonces and the validity of keys. Protocol annotation
involves attaching logical formulas to statements, which will be further scrutinized
during the final phase, beliefs analysis.
There are ten syntactic constructs defined for the BAN logic:
1. P |≡ X: P believes X.
2. P / X: P sees X.
3. P |∼ X: P once said X.
4. P ⇒ X: P has jurisdiction over X.
5. ](X): The formula X is fresh.
6. PK↔ Q: P and Q may use K to communicate.
7. K→ P : P has K as a public key.
8. PX Q: P and Q share a secret X.
9. XK : X encrypted with the key K.
10. 〈X〉Y : X combined with the formula Y, where Y should be a secret and proves
the identity of the sender.
Several inference rules have been defined for deriving beliefs from the initial as-
sumptions. The inference rules are presented in the form of fractions, with the
3.2 Formal Methods 29
initial assumption as the numerator and the deriving belief as the denominator. We
will exemplify by the set of message-meaning rules:
1.P |≡ Q
K↔ P P / XK
P |≡ Q |∼ P(Shared Keys)
2.P |≡K→ Q P / XK−1
P |≡ Q |∼ P(Public Keys)
3.P |≡ Q
Y P P / 〈X〉YP |≡ Q |∼ P
(Shared Secrets)
The first rule applies to shared keys: if P believes that K is shared with Q and
sees XK , then P believes that Q once said X. The second rule, for public keys, is
similar: if P believes that Q K as a public key and he sees XK−1 , then he believes
that it is Q that once said X. The third rule refers to shared secrets: if P believes
that the secret Y is shared with Q and sees 〈X〉Y , then P believes that Q once said
X.
Freshness is modelled by defining two time frames: present and past. The distinction
is easy to make: the present starts with the beginning of the protocol run; whatever
precedes that moment is in the past, and past messages can’t be replayed by a
potential intruder as recent.
Although it has some limitations, the usefulness and impact of the BAN logic in the
field of formal verification can hardly be overlooked.
GNY logic
An improvement to the BAN logic of belief has been achieved by Gong, Needham
and Yahalom by adding a new set of properties for the principals: the possessions.
Defined aside from beliefs in the GNY logic system [28], possessions include - as
suggested by their name - everything the principal had initially and created or
received after the protocol run started. The set of notions is extended accordingly,
allowing a broader range of protocols to be analyzed.
3.2 Formal Methods 30
The initial set of beliefs and possessions is permanently enriched through the appli-
cation of the inference rules, therefore it is monotonic. Possessions also consist of
all the formulae and formulae transformations available to the principal, including
a negation symbol. The extended set of statements defined by the GNY logic made
possible a more accurate expression of the variety of scenarios to be covered by the
protocol specification.
3.2.2.2 The Typing Method
Informal principles and formal typing rules were presented by Abadi [1]. The typing
method started to take shape then as an aid for his SPI calculus and evolved to a
more generic format. The typing rules are used to check the secrecy by defining
three possible types of messages and communication channels: Public, Secret and
Any. The first two types are obvious, the third refers to an unknown type that has
to be sent as if it is secret, since we don’t know it’s real nature. As per protocol
requirements, secret data should not be disclosed, so an appropriate mechanism for
testing equivalence is defined for the message type.
In addition to this, a fresh entity called a Confounder is introduced in order to
produce different encrypted messages for two similar plaintext messages. The judge-
ments that can be derived about an environment E from the typing rules are the
following:
• ` E well-formed
• E ` M : T (the term M is of class T in E )
• E ` P : Ok (the process P type-checks in E ).
The expression well-formed refers to an environment that is neither over-specified
nor under-specified and is bounded, self-stabilizing and self-adapting. The rules for
associating terms with types are the following:
3.2 Formal Methods 31
• Zero: 0 is of level Public
• Name: used for determination of the level of names
• Variable: used for determination of the level of variables
• Successor: adding the number one to a message does not change its level
• Pair: if both components have the same level, that is the level of the pair; if
one is Public and one is Secret, the pair has the level Any
• Subsumption: terms of level Public or Secret also have level Any
• Public Encryption: if messages of a certain level T are encrypted with a Public
level key, the encrypted message has level T
• Secret Encryption: encryption with a Secret level key produces a cyphertext
of level Public.
To check if a process doesn’t reveal any secret (is of type Ok), the following rules
are used:
• Out. Pub.: Public level terms can be sent on public channels
• Out. Sec.: messages of all levels can be sent on secret channels
• In. Pub.: all inputs are assumed to be of level Public
• In. Sec.: used to assign levels to received messages components and verify if
the rest of the process is well-typed
• Match: used for comparison of Public and Secret level terms, but not Any.
In order to verify a protocol using the typing method, we have to specify the protocol
in the SPI calculus, define the initial associated environment E0 and perform the
typing to prove that each process type-checks Ok in E0.
3.3 Abstract Interpretation Concepts 32
3.2.2.3 Paulson’s Inductive Approach
Paulson applied the idea of modelling protocols as sets of possible traces of events
[49]. Protocol specification is written in the native language of Isabelle [48], a general-
purpose proof tool.
Traces P are defined inductively from a set of intruder and regular principal rules,
according to the capabilities of the parties involved. The inductive definition starts
with the empty rule, that always belongs to P. The ability of an intruder to send
messages previously intercepted is modelled by the Intruder rule. Traces can be ex-
tended with new events whenever a fresh nonce is part of it. Protocol-independent
functions and operators are defined by Paulson to facilitate building complex correct-
ness proofs. Therefore, several lemmas can be re-applied in elaborate demonstrations
based on Paulson’s previous results.
3.3 Abstract Interpretation Concepts
The dynamic semantics of a programming language is the sum of all possible be-
haviors during the execution of any program written in that language, using any
entry data possible. The method employed to obtain a description of the dynamic
semantics is called abstract interpretation. The goal is to pre-determine at compile
time the behavior of a program at run time. This can be used for building semantic
analysis algorithms that can allow further optimization of compiled code, genera-
tion of test suites and software verification. The behavior described by the abstract
semantics must be valid for all possible executions of a program, irrespective of
entry data. A non-standard semantics is defined for approximating the properties
associated with those behaviors. The abstract interpretation consists of a concrete
semantics (data and operations), an abstract (or approximated) semantics (data
and operations) and an abstraction relationship linking concrete data from abstract
data and relative to which the abstract operations are an abstraction of operations
3.3 Abstract Interpretation Concepts 33
on the concrete data.
The study of abstract semantics starts by defining the concrete semantics based
on a collected semantics. The collected semantics is the most accurate semantics
that can be built and it has to be minimal, correct and complete relatively to the
class of properties of the program studied. The resulting program analyzer has to
take into account and balance the following factors: complexity, flexibility, precision
and analysis cost. Specifying program analyzers and computing abstract properties
implies a sound knowledge of mathematical structures.
3.3.1 Ordered Sets Fundamentals
Some of the most important definitions required to define abstract interpretations,
as introduced in [6], are presented in this section. As a starting point, the sets S, T
and U are considered.
Powerset: the set containing all subsets of S is the powerset ℘(S) = X|X ⊆ S.
Cartesian product: a set containing all pairs with the first component in S and
the second in T is the cartesian product S × T = (s, t)|s ∈ S, t ∈ T.
Binary relation: a binary relation in S × T is a subset ρ ∈ ℘(S × T ).
Image by ϕ: the image of X ⊆ S by ϕ is ϕ∗(X) = ϕ(x)|x ∈ X.
Upper closure: an application f ∈ S → S is an upper closure if and only if:
• f is monotone ⇔ ∀x1, x2 ∈ S : x1 ≤ x2 ⇒ f(x1) ≤ f(x2)
• f is extensive ⇔ ∀x ∈ S : x ≤ f(x)
• f is idempotent ⇔ f f = f .
3.3 Abstract Interpretation Concepts 34
Pre-order: pre-order v on a set S is a binary reflexive (∀x ∈ S : x v x) and
transitive (∀x, y, z ∈ S : (x v y ∧ y v z) ⇒ x v z) relation.
Strict order: if (x v y ∧ x 6= y), we have a strict order relationship written x < y.
Partial order: a partial order relation on a set S is an anti-symmetric (∀x, y ∈ S :
(x v y ∧ y v x) ⇒ x = y) pre-order relation.
Upper bounds: let v be a partial order on a set S. Then u ∈ S is an upper bound
for X ⊆ S if and only if ∀x ∈ X : x v u. Let u be the smallest of all upper bound
of X ⊆ S, as defined by: ∀x ∈ X : x v u ∧ u′ ∈ S : (∀x ∈ X : x v u′) ⇒ (u v u′);
then u is called the least upper bound and denoted by tX. If it exists, it is unique.
Lower bounds: let v be a partial order on a set S. Then u ∈ S is a lower bound
for X ⊆ S if and only if ∀x ∈ X : u v x. Let u be the greatest of all lower bounds of
X ⊆ S, as defined by: ∀x ∈ X : u v x∧u′ ∈ S : (∀x ∈ X : u′ v x) ⇒ (u′ v u); then
u is called the greatest lower bound and denoted by uX. If it exists, it is unique.
Complete lattice: a complete lattice (L,v,⊥,>,t,u) is a set L partially ordered
by the relation v so that all subsets X ⊆ L have an upper bound tX and a lower
bound uX. In particular, L admits a smallest element ⊥ called infimum, with
⊥= t∅ = uL and greatest element > called supremum, with > = u∅ = tL.
Linear order: a partial order v for which all elements can be compared two by
two (∀x, y ∈ P : x v y ∨ y v x) is a linear order.
Complete partial order: a partial ordered set (L,v) is called complete (cpo, for
short) if all linear ordered subsets have at least an upper bound. The cpo is called
strict if it has an infimum.
3.3 Abstract Interpretation Concepts 35
Fixpoint: let ϕ ∈ P → P be an application. A fixpoint of ϕ is an element x of
P such that f(x) = x. If P is ordered, then the set of fixpoints of ϕ, noted fixϕ is
an ordered subset of P, possibly empty. If this set admits a minimum element, this
element is called the least fixpoint of ϕ (lpfϕ). If it accepts a maximum element,
that is called the greatest fixpoint of ϕ (gfpϕ).
3.3.2 Galois Connections
Definition: Given two partially ordered sets Dc(vc) and Da(va), a Galois connection
(or pair of adjoint functions or adjunction) is a pair of functions (α, γ) such that:
• α ∈ Dc → Da
• γ ∈ Da → Dc
• ∀dc ∈ Dc, ∀da ∈ Da : α(dc) va da ⇔ dc vc γ(da) (1)
We write then: Dc(vc) Da(va).
A number of properties for the Galois connections are particularly useful and given
as lemmas or theorems:
• γ α is extensive: ∀dc ∈ Dc : dc vc γ α(dc)
• α γ is reductive: ∀da ∈ Da : α γ(da) va (da)
• α and γ are monotone
• α γ α = α
• γ α γ = γ
3.4 Tree Automata Abstraction 36
3.4 Tree Automata Abstraction
David Monniaux achieved some important results by using abstract interpretation
techniques to analyze cryptographic protocols [44, 45]. He employs abstract model
checking of infinite systems to obtain a fully automatic implementation based on
tree automata. The ordered domain to be approximated is the transition systems.
The monotonic operators used ensure the preservation of the order relation.
Monniaux defines a concrete state space Σ along with a transition relation r and an
abstract state space Σ] with the corresponding abstract transition relation r]. The
abstract relation that links the two spaces is denoted by a ⊂ Σ × Σ]. The relation
a−1(X]) is defined by x ∈ σ|∃x] ∈ X] a](x, x]), where X] ∈ Σ]. The simulation
condition for the transition system is given by:
∀x, y ∈ Σ, x] ∈ Σ], r(x, y) ∧ a(x, x]) ⇒ ∃y] ∈ Σ], r](x], y]) ∧ a(y, y])
Therefore, for all σ0 and σ0] so that a(σ0, σ
]0), A0 ⊂ a−1(A]
0), where A0 = σ|σ0 →∗r
σ and A]0 = σ]|σ]
0 →∗r] σ].
The main observation on which the rest of the abstraction is based is that for a
property P to hold for all elements in A0, it is enough to prove that it holds for all
elements in r−1(A]0).
3.4.1 Concrete Model
The syntax and semantics are simple and they comply with the standard notations
used by cryptoprotocols designers. The following notations are used: a signature
F , a free algebra of terms T (F) over the signature, terms t ∈ T (F ,X ), a family
3.4 Tree Automata Abstraction 37
of variables (Xi)i∈i, a family of terms (xi)i∈i, a set of free variables of FV(t) and a
term t [xi/Xi] obtained by parallel substitution of Xi by xi in t.
The possible computations are defined by a function K : ℘(T (F)) → ℘(T (F)) that
computes the closure of a subset of T (F) by the following operations:
• a subset O of the function symbols found in F
• a set R of rewrite rules over T(F) of the form a → x, where a is a term with
variables over F and x is a variable that appears exactly once in a.
Therefore, an element x of T(F) is deemed as possibly computable from X ⊂ T(F)
if x ∈ K(X ). The fixpoints of K are denoted by ℘(T (F))K. The systems allowing
rewrite rules as stated above are called simplification systems.
For the concrete semantics, Monniaux considers a finite set P of principals, each
with a set Rp of registers that contains a program to execute xp and an uninitialized
element of T (F) (written T (F) ∪ ⊥). The program is a finite sequence of input,
output or match commands as follows:
• ?r : input register r, r ∈ Rp
• !t : output t, t ∈ T (F)
• r ' t : match register r against t, r ∈ 1, . . . , rp, t ∈ T (F , Rp ∪Rp).
The empty sequence is noted ε and h::t symbolizes a sequence that starts with the
command h and ends with t. A principal’s local state is defined by the content of its
registers and the program yet to execute. Its global state is a tuple of local states,
together with the state of the intruder. The set of global states is noted Σ. System’s
semantics is defined by a nondeterministic transition relation →. S.p is the local
state of principal p in S and S.I the intruder knowledge in S. So, for two global
states S and S’, the transition relation is S → S’ if there exists a principal p0 ∈ P
so that:
3.4 Tree Automata Abstraction 38
• for all p ∈ P so that p 6= p0, S′.p = S.p
• S.p0.P = h :: τ and either:
– h =?r0 and
∗ for all r ∈ Rp0 , S′.P0.r = S.p0.r,
∗ S ′.P0.r0 ∈ S.I
∗ S ′.P0.P = τ
– h =!t and
∗ for all r ∈ Rp0 , S′.P0.r = S.p0.r,
∗ S ′.I = K(S.I ∪ t[S.p0.r/r|r ∈ Rp0 ])∗ S ′.P0.P = τ
– h = r ' t and either
∗ there exists an unifier for the variables in Rp0 between t[S.p0.r/r|r ∈Rp0 ] and S.p0.r; then:
· for all r ∈ Rp0\FV (t), S ′.P0.r = S.p0.r,
· t[S.p0.r/r|r ∈ Rp0 , S′.p0.r/r|r ∈ Rp0 ] = S.p0.r
· S ′.P0.P = τ
∗ there is no such unifier; then
· for all r ∈ Rp0 , S′.P0.r = S.p0.r,
· S ′.P0.P = ε
3.4.2 Tree Automata Model
Tree languages can be used for the abstraction of a set of terms on a signature.
In particular, non-deterministic top-down tree automata can be employed for the
representation of subsets of T(F). A top-down tree automaton over F is a tuple
A = 〈Q, q0, ∆〉, where Q is a finite set of states, q0 ∈ Q is the initial state and ∆
3.4 Tree Automata Abstraction 39
is a set of rewrite rules over the signature F ∪ Q, where states are seen as unary
symbols. The rewrite rules in ∆, distinct from the set R, must be of the type:
q(f(x1, . . . , xn)) →A f(q1(x1), . . . , qn(xn))
where x1, . . . , xn are variables, n ≥ 0, f ∈ Fn, q, q1, . . . , qn ∈ Q. A good example of
a rewrite rule in the context of cryptographic protocols is the decryption process:
decrypt(encrypt(x, k), k) → x, where x is the original message and k is the encryp-
tion key. As an observation, for n = 0 the rule becomes: q(a) → a. The language
recognized by A is denoted by L(a) = Lq0(A), where
Lq(a) = t ∈ T (F) | q(t) →A t.
A special type of automata, denoted AF and requiring a particular set ∆ of rewrite
rules are employed for allowing a tree representation of the automaton. The tree
nodes are either states or symbols. States have an unordered list of children, which
are all symbols, while symbols have an ordered list of children. Position in a term is
defined as a sequence of positive integers describing the path from the root position
ε to that position. A set of positions in t is denoted by pos(t). The subterm of t
rooted at position p is symbolized by t|p.
Substitution of terms for all term t and special automata Ai is the function described
by L(t[Ai/Xi]) = t[L(Ai)/xi]. The opposite problem, matching of a term against the
automata, has a solution in the form of L = t[Li/Xi], where L = t[xi/Xi] and (Li) is
a family of languages. The function associated, called match(A,t), is a finite subset
of FV (t) → AF and for any solution S in the set, L = L(t[Si/Xi]). The function
returns the set of matches of the term t against the automaton A, showing the states
in which the variable is to be recognized, for every match and each variable.
3.4 Tree Automata Abstraction 40
3.4.3 Abstract Model
The knowledge of the intruder in the concrete model is nondeterministic. In order
to render it useful, Monniaux [44, 45] employs a technique called folding on the
nondeterministic branches to reach a safe approximation and a finite state space for
the principals.
Local states are denoted by (S].p)p∈P and the tree automaton modelled knowledge
of the intruder is denoted by S].I. Program sequences of the form S].p.P and
automata families (S].p.r)r∈Rp correspond to local states. Together, the local states
and the intruder’s knowledge make up a global state S] ∈ Σ]. Using a style similar
to the concrete semantics definition, the abstract semantics is defined for two global
states S] and S ′]. To link the concrete and abstract model, an abstraction relation
a ⊂ Σ× Σ] is defined for any S in Σ and S] in Σ] as follows:
a(S, S]) ⇔ (S.I = L(S].I))∧∀p ∈ P ((S.p.P = S].p.P )∧∀r ∈ Rp S.p.r ∈ L(S].p.r))
3.4.4 Implementation
Monniaux implemented a protocol analyzer [44] based on the principles of tree au-
tomata abstraction. The input of the program is a file containing the signature
of the algebra, the rewrite system, the program run by the principal, the initial
knowledge of the intruder and the set L of terms the intruder wants to obtain. The
signature consists of public and private constructors, of which the private ones (keys,
for example) can not be applied by the intruder. The core concept is finding those
interleavings of the principals actions that potentially present a security risk. To re-
duce the complexity order of the abstraction and analysis, only a particular form of
interleaving is verified: input and match by a principal, followed by an output by the
same principal. The simplification is appropriate as the intruder’s final knowledge
can be modelled this way.
3.5 ∨-Parameterized Tree Automata 41
However, there are some inconveniences related to the automata implementations.
Two different approaches were: one follows the operations on the special tree au-
tomata and the other employs a minimal deterministic tree automata. The first
approach is very efficient for elementary operations, but doesn’t handle well the ex-
ploding size of the automata caused by longer traces. The second is very slow when
it comes to the completion of the rewriting system. A number of well-known pro-
tocols have been successfully analyzed, with varying computing times depending on
the hardware used, the number of principals and parallel runs. An interesting result
was revealed for the Otway-Rees protocol: the intruder could get the information he
wants by building it from outputs of previous steps, if the cryptographic primitives
do not prevent it by implementation. The replacement of the rewrite system by a
set of rules (patten matching, for example), is supposed to increase dramatically
the efficiency of the program and its ability to handle more challenging systems. To
date, this potential improvement has not been implemented.
3.5 ∨-Parameterized Tree Automata
The main idea of this cryptographic protocol verification technique [29] is the mod-
ification of the actual tree automaton in order to incorporate deductive reasoning,
based on a set of assumptions, for message freshness and secrecy properties. Previ-
ous developments that lead to J.Goubault-Larrecq’s work include David Monniaux’s
tree automata as a tool for computing upper approximants of intruders knowledge
[44, 45] and Mourad Debbadi et al’s modelling of honest principals as accomplices of
intruders [19]. There are other approaches on using the tree automata for protocol
verification, such as T.Genet and F.Klay rewrite systems modelling [27].
3.5.1 ∨-Parameterized Tree Automata Concepts
In order to add reasoning capabilities to the classic tree automata (see [16]), Goubault
employs a second style of sets representation, the propositional logic. The result is
3.5 ∨-Parameterized Tree Automata 42
called the ∨-Parameterized Tree Automata (∨PTA) and uses propositional formulae
and sets to represent sets of terms.
The term algebra used for the definition of ∨PTAs is a typed algebra. Types such
as msg (messages) or msglist (list of messages) are denoted by τ and are part of a
set T . A set of terms of a certain type τ is denoted by Tτ (Σ,X ), where Σ is a
first-order signature over a set F of function symbols, and X is a family of sets of
variables of type τ . Propositional formulae are defined for logical variables of type
τ with the aid of logical operators and newly introduced notions, like Aτ , a set of
logical variables of type τ . Such formulae F are defined by the following grammar:
F ::= A | F∧
F | F∨
F | ¬F | 0 | 1
where A ranges over Aτ .
Another useful definition in the context of term types and formulae is the assumption
h. An assumption is a map from types τ to formulae of type τ . An environment
ρ satisfies an assumption h, written ρ |= h, if and only if dh(τ)eρτ is the set of all
terms of type τ , for every type τ .
A modified version of the tree automata is built in order to accommodate propo-
sitional formulae for states. Each state q (of a set Q) has an associated type τq.
By definition, an ∨-parameterized tree automaton (or ∨PTA), of type τ0 , U , is a
4-tuple (D,F ,R,B), where:
• D is a finite subset of Q, whose elements are states of U ;
• F ⊆ D is the set of final states, assumed disjoint from Σ and such that τq = τ0
for every q ∈ F
• B maps each state q ∈ D to a formulae of type τq
3.5 ∨-Parameterized Tree Automata 43
• R is a set of rewrite rules f(q1, ..., qn) → q, where f ∈ Σ is such that Σ(f).=
τq1 × ... × τqn → τq (respects transition types).
A normal tree automaton will differ from an ∨PTA by lacking the B component,
therefore it can be considered as a ∨PTA where B maps each state to the class of
0. Since the purpose of the tree automaton in the abstract interpretation approach
is to approximate an infinite model, the operations that can be performed play a
major role. Just like for the classic tree automaton, ∨PTAs allow computation of
unions and upper approximations of intersections.
3.5.2 Algebra of Messages
The set T of typed terms contains the following types: msg (messages), msglist
(tuples of messages), key (keys), K (raw keys) and D (raw data). Function symbols
are used for building the keys by injecting the raw keys inside the space of the actual
symmetric and asymmetric keys, denoted by symk(k), asymk1(k) and asymk2(k).
A list of messages can be converted into a message using the tupling constructor:
t : msglist → msg. The basic signature obtained by the means of the constructors
has the following form:
• symk : K → key
• asymk1 : K → key
• asymk2 : K → key
• sk : msg × msg → key
• pubk : msg → key
• privk : msg → key
• * : → key
• k : key → msg
• d : D → msg
• c : msg × key → msg
• t : msglist → msg
• nil : → msglist
• cons : msg × msglist → msglist
3.5 ∨-Parameterized Tree Automata 44
The function symbol used to create the cyphertext is c: msg × key → msg. The
inverse of a symmetric key is itself and for an asymmetric one is her pair (pubk for
privk, privk for pubk, asym1 for asym2, asym2 for asym1).
3.5.3 Intruder Capabilities
The intruder’s knowledge is also modelled as an automaton. As initial assumptions,
the intruder knows all the public keys pubk(idA), but no long-term keys sk(idA,idB)
or private asymmetric keys privk(idA) . The initial assumption is that intruders
have the ability to read on any communication line, collect messages, and forge new
ones. To find out what information can be unveiled and how, a set of rules is defined:
(Ax)E,M 7→ M
(CryptI)E 7→ M E 7→ k(K)
E 7→ c(M, K)
(CryptE)E 7→ c(M, K) E 7→ k(K ′)
E 7→ M
(TupleI)E 7→ M1 . . . E 7→ Mn
E 7→ t([M1, . . . , Mn])
(TupleE)E 7→ t([M1, . . . , Mn])
E 7→ Mi
where K ′ is the inverse of K.
The actions carried out by the intruder to come to a conclusion are called derivation.
The rules allowing the intruder to decrypt and read components off tuples are called
elimination rules (name ending in E ). The ones allowing encryption of messages
and building of tuples are called introduction rules (name ending in I ). A message
M is called extractible from E (Ext(E)) if it can be derived from E by using only
(Ax) and the elimination rules or constructible (Con(E)) if it can be derived from
E by using only (Ax) and the introduction rules. If it can be deduced using any of
3.5 ∨-Parameterized Tree Automata 45
the rules, it is called deducible (Ded(E)). Goubault-Larrecq proves a theorem that
shows the following relation to be true :
Ded(E) = Con(Ext(E))
3.5.4 Simulating Protocol Runs
In order to complete an abstract interpretation simulation of the protocol we need
to build the following: a syntax, concrete and abstract semantics and a relationship
between the semantics to prove the correctness of the approximation. A simple lan-
guage consisting of expressions, patterns and commands needs to be defined along
with the associated syntax and semantics (both abstract and concrete) to describe
the behavior ascribed to message exchanges during protocol runs. Commands will
match expressions using patterns, with expressions denoting messages and, in gen-
eral, terms. A finite list of commands is called a program or role. Patterns are
matched by the exact(e) construction.
Pattern matching is defined as a partial function trying to match t against pat in
the environment σ. The external world is modelled by an external configuration W.= (E ,K,D), where E is a set of messages known to intruders, K is the current set of
existing raw keys, and D is the current set of existing raw data. A configuration is a
pair W , σ of an external configuration and a run-time environment. Configurations
are related through judgements of semantics, which are of the form W , σ ` c ⇒W ′, σ′. A local run of a role [c1, ..., cn] is a finite sequence of judgements of the form
W0, σ0 ` c1 ⇒W1, σ1 ` c2 ⇒ ... ⇒Wm−1, σm−1 ` cm ⇒Wm, σm, where 0 ≤ m ≤ n.
The concrete semantics is shaped by substituting the commands in the general form
of a judgement. The abstract semantics is obtained by replacing the sets of messages
known by intruders with ∨PTAs and by assumptions expressing relations between
sets of raw keys and raw data. The correctness of the abstract semantics with regard
to the concrete semantics is given by a lemma.
3.5 ∨-Parameterized Tree Automata 46
3.5.5 Experimental Results
The algorithms describing the abstract and concrete semantics have been imple-
mented by Goubault-Larrecq [29] as a verification tool in a bytecode compiler for
HimML, a variant of Standard ML. The tool outputs a sequence of commands from
each principal leading to a possible flaw, but doesn’t present any sequence of intruder
commands. Tests were done on three-party protocols involving two principals and a
key server. Results are presented in Table 3.1. Times are in seconds, the (*) denotes
a mono-session while (!) denotes a parallel multi-session. The #Branches column
indicates the non-determinism involved in checking all relevant interleavings of the
protocol.
Protocol Result Time(s) #Branches
Needham-Schroeder shared key (*) possibly flawed 1.94 4
Needham-Schroeder shared key (!) possibly flawed 1.56 3
Otway-Rees (*) correct 1.56 3
Otway-Rees (!) correct 1.56 3
Wide-Mouthed Frog (*) possibly flawed 0.34 2
Yahalom (*) possibly flawed 1.17 4
Yahalom (!) possibly flawed 1.20 3
Simpler Yahalom (*) correct 1.16 3
Simpler Yahalom (!) correct 1.52 3
Otway-Rees2 (!) correct 14.57 15
Table 3.1: Experimental results for ∨PTA
However, the algorithm is exponential in the size of the pattern and produces huge
automata at each read operation, which is impractical and could be improved by
modelling sequential mono-session principals and designing a proper widening oper-
ator.
3.6 Conclusion 47
3.6 Conclusion
Formal methods have been used with some success for verifying security protocols.
Various approaches have been developed in order to prove correctness or find flaws.
Abstract interpretation is one way to manipulate the semantics for program analysis.
This is accomplished by performing simulations on a description of the data to obtain
an accurate approximation. The resulting abstract interpretation is the correct,
implementable and most accurate analysis that can be obtained. When applied to
cryptographic protocols, a number of valuable results have been obtained, such as
the tree automata and the more complex ∨-parameterized tree abstractions. In spite
of their increased popularity, a number of problems are still to be studied more in
depth. Modelling protocols as tree automata involves an exponential complexity
which makes them difficult to implement in most cases.
Chapter 4
Abstract Trace-Based Model for
Security Protocol Correctness
Abstract
In this chapter we present a new method based on abstract interpretation for se-
curity protocol (or cryptographic protocol) verification. Hence, we introduce the
notion of abstract message domain and an abstract interpretation over finite and
approximated models of security protocols. The aim of this work is to build a semi-
decidable procedure for secrecy protocol correctness. The way to achieve this goal
is to restrict a concrete model of a security protocol to a finite abstract one ac-
cording to some abstraction of the intruder knowledge. Since the model is finite, it
becomes possible to compute the finite abstract set M# of messages that the intruder
can get by running the security protocol. Given a message m, if for all x in M#,
glb(x,ma) = xuma = ⊥ then m is distinct from all messages in M and consequently
the protocol does not leak the message m.
4.1 Introduction
With the expansion of computer networks and the emergence of new technologies
such as World Wide Web and electronic commerce, security became a major concern
48
4.1 Introduction 49
for the computer research community. Accordingly, a surge of interest is devoted to
the design, implementation and analysis of security protocols [4].
During the last decade, plenty of security protocols have been devised. Many among
them have been shown flawed many years after their use. Consequently, a great deal
of interest has been expressed into the development of formal techniques for the spec-
ification, design and verification of security protocols. Furthermore, we anticipate
that the rapid expansion of distributed systems, communication networks, Internet,
web applications, etc., will certainly bring a major need in security protocols. It is
then imperative to have appropriate environments for the correct development of
these protocols [4].
Security protocols verification has known a significant progress. Burrows, Abadi
and Needham [14] introduced the notion of modal logic of belief (the BAN logic)
on security protocols more then decade ago. A new linear and modal logic for
specifying security properties has been proposed by Adi, Debbabi and Mejri [4].
The logic is compact, expressive and formal and has been used to specify classical
security protocols and electronic commerce protocols. Lowe and others introduced
the concept of model-checking and used it to successfully finding flaws in security
protocols [35, 36] with the aid of systems such as FDR [22] and NRL [38]. Some other
approaches are attempted with good results, such as the use of theorem proving by
Bolignano [9], the use of inductive rules by Paulson [49] and the use of game models
by Adi [3].
Abstract interpretation allows semantics manipulations by performing simulations
on data description in order to obtain correct, implementable and most accurate
analysis. It has been applied successfully in the verification of security protocols
and number of valuable abstract models for cryptographic protocols have been ob-
tained, such as the tree automata of Monniaux [44, 45], the ∨-parameterized tree
abstractions of Goubault-Larrecq [29], the abstract game semantics of Adi and Deb-
4.1 Introduction 50
babi [3] and the pattern-based abstraction of Lakhnech et al. [11]. Other related
approaches are Stoller’s bound on attacks [56], Heather and Schneider’s rank func-
tions [31] and Comon-Lundt’s bound on the number of agents [17].
This chapter intends to demonstrate how abstract interpretation techniques can be
applied to the problem of analyzing security protocols. In general, models created
to describe protocols are infinite. In most cases, for verification purposes, only a
finite and approximated model is required. For this reason, we consider the problem
of computing such approximation and we propose to simulate the required partial
protocol execution in an abstract level. More precisely, we define a method that
computes abstract finite models for security protocols. The abstract model is then
used to build a semi decision procedure for secrecy correctness. Unlike the other
approaches which require that the user designs himself the abstraction or manually
helps a program to compute invariants (see for instance [9]), our approach is fully
automatic from cryptographic protocol description to results and requires no user
input except the protocol description and the level of the abstraction. The latter
parameter allows the user to tune the precision of the abstraction to get the best
results while minimizing the cost of the analysis.
The remainder of this chapter is organized as follows. The next section is devoted
to the definition of a trace-based model for cryptographic protocols. The concepts
presented here, along with the propositions and proofs from the next section, are
borrowed from Adi [5]. Section 4.3 is devoted to the definition of an abstract domain
of messages and an abstraction function on messages. Our original contribution is
presented in the sections following 4.3, until the end of chapter 4. In section 4.4 we
present a way to compute abstract cryptographic protocol and abstract trace-based
models. Section 4.5 demonstrates a method for verifying the secrecy property of a
cryptographic protocols. Finally, section 4.6 contains concluding remarks.
4.2 Trace-Based Models for Security Protocols 51
4.2 Trace-Based Models for Security Protocols
The message syntax used in security protocol descriptions is captured by the follow-
ing BNF (Backus-Naur Form) grammar:
m ::= cte Constant Message
| mm′ Encrypted Message
| m.m′ Message Concatenation
| f(m) Function Application
All messages that keep constant their values along a given protocol run are consid-
ered as constants and will be abstracted to terms of the form cte. A message m
encrypted with key m′ is written mm′ and forms a message by itself. The operator
“.” is used to separate concatenated messages. All non-constant messages will be
represented as terms through functional application. We use Ax, By, etc., to denote
principals and S to denote the server. A shared key between Ax and By is repre-
sented by Kaxby . A fresh nonce N , created by a principal Ax in a protocol run σ,
is represented by the term N(Ax, σ). For convenience, messages may be annotated.
We use superscript annotations to indicate run identifiers and subscript annotations
to indicate the principal association. Accordingly, the term N(Ax, σ) will be simply
represented as NσAx. If in some context more than one nonce are needed within the
same session, they will be represented by N1(Ax, σ), N2(Ax, σ), etc. Let m,m1 and
m2 be messages. We say that m is atomic if m 6= m1.m2 and m 6= m1m2 . We
suppose that encryption keys are always atomic messages.
In the presence of a malicious intruder, a protocol can be described as a finite
sequence of statements of the form:
σ.i, Ax → I(By) : m
σ.i, I(Ax) → By : m
which state that during a protocol step i, Ax sends the message m intended for By
over the network, then By gets the message m from the network, as intended by Ax.
4.2 Trace-Based Models for Security Protocols 52
I(Ax) stands for the intruder playing the Ax’s role. The motivation underlying such
a notation is that we assume that the network is under the control of a malicious
smart intruder. All messages sent or received by honest principals, transit by the
intruder. This is to capture the fact that the intruder is aware of any message
circulating over the network. For the sake of convenience, we can also represent the
two above actions by a unique action σ.i, Ax → By : m.
The execution of a security protocol generates a trace consisting of a sequence of
events. Each event results from the execution of a protocol step corresponding to a
send action or a receive action. A run of a protocol is a particular execution of the
protocol. We refer to a protocol run as a session. The execution of a protocol is based
on an interleaving model in which all events, including concurrent events, occurring
during a run are interleaved to form a single trace of that execution. A protocol
trace is said to be valid if all the messages sent by the intruder could be derived
from the intruder’s cumulated knowledge (initial knowledge and received messages),
and all the involved principals respect the protocol. We assume that the intruder is
able to perform the following actions: overhear messages, intercept messages, replay
messages and generate new messages using his initial knowledge and the overheard
messages. In the following, we introduce formally the notion of protocol traces.
A protocol trace is a sequence of protocol events resulting from any interleaving
of (possibly partial) protocol runs. We have no restrictions on traces in the sense
that we support multi-session (an agent could participate in many sessions) and
multi-role (an agent can be an initiator in some sessions and responder in others).
The set T of traces is defined inductively as follows:
• ε ∈ T
• if t ∈ T and a is a protocol event then t.a ∈ T
where ε stands for the empty trace and “.” is the concatenation operator for se-
quences.
4.2 Trace-Based Models for Security Protocols 53
A protocol can then be modelled as a subset of traces P ⊆ T . More formally,
following Paulson’s model [49], we describe the set of protocol traces P as the closure
of a set of inductive rules. In this approach, a security protocol is modelled by a set
of rules representing protocol steps and intruder capabilities. To give an example of
such a modelling, consider a version of the Woo and Lam authentication protocol
[59]. The goal of this protocol is to authenticate the identity of the principal Ax
with respect to the principal By. To achieve this objective, the protocol uses an
authentication server S. The specification of this protocol is given in Table 4.1.
Here, Kaxs is a key shared between Ax and S and Kbys is a key shared between By
and S. The message Nσby
is a nonce generated by By during the session σ. It is used
by By to preclude the replay of messages coming from preceding sessions. The Woo
and Lam protocol traces P are built up inductively by a set of rules shown in Table
4.2.
Table 4.1: The Woo and Lam Authentication Protocol
Message σ.1. Ax −→ By : Ax
Message σ.2. By −→ Ax : Nσby
Message σ.3. Ax −→ By : NσbyKaxs
Message σ.4. By −→ S : Ax.NσbyKaxsKbys
Message σ.5. S −→ By : NσbyKbs
The inductive definition starts with the empty rule. The empty trace belongs always
to P . For each protocol step, we have a corresponding rule. For example, in the rule
Message 2, a trace t ∈ P can be extended with the event (σ.j, By → I(Ax) : Nσb )
whenever Nσb is a fresh nonce, i.e., it has not been used in t. The rule Receive states
that a principal can get a message only if it has been previously sent to her. The
rule Intruder models the capacity of the intruder to send any message built up from
4.2 Trace-Based Models for Security Protocols 54
Table 4.2: Woo and Lam Inductive Rules
empty ε ∈ P
Receivet ∈ P (σ.j, Ax → I(By) : m) ∈ t
t. (σ.j, I(Ax) → By : m) ∈ P
Intrudert ∈ P m ∈ Message(t)⇓
t. (σ.j, I(By) → Ax : m) ∈ P
Message 1 t ∈ Pt. (σ.j, Ax → I(By) : Ax) ∈ P
Message 2t ∈ P Nσ
b 6∈ Message(t)⇓t. (σ.j, By → I(Ax) : Nσ
b ) ∈ P
Message 3t ∈ P (σ.j, I(By) → Ax : Nσ
b ) ∈ tt. (σ.j, Ax → I(By) : Nσ
b Kas) ∈ P
Message 4t ∈ P (σ.j, I(Ax) → By : Ax) ∈ t (σ.j, I(Ax) → By : Nσ
b Kas) ∈ tt. (σ.j, By → I(S) : Ax.Nσ
b KasKbs) ∈ P
Message 5t ∈ P (I(By) → S : Ax.Nσ
b KasKbs) ∈ t
t. (σ.j, S → I(By) : Nσb Kbs
) ∈ P
where
Message(t) is the set of messages in the trace t
t is the set of components in the sequence t
4.3 Abstract Domain of Messages 55
the past traffic.
The intruder closure operation _⇓ allows us to capture the usual intruder capabili-
ties: encryption, decryption, messages concatenation and message decomposition.
Definition 4.2.1 (Closure) Let M be a set of messages. We denote by M⇓ the
closure of the set M under the conventional intruder computations. The closure M⇓
is defined as the smallest set which satisfies the following conditions:
1. M ⊆ M⇓
2. If k ∈ M⇓ and mk ∈ M⇓ then m ∈ M⇓
3. If k ∈ M⇓ and m ∈ M⇓ then mk ∈ M⇓
4. If m ∈ M⇓ and m′ ∈ M⇓ then (m,m′) ∈ M⇓
5. If (m,m′) ∈ M⇓ then m ∈ M⇓
6. If (m,m′) ∈ M⇓ then m′ ∈ M⇓
4.3 Abstract Domain of Messages
The abstract domain of messages is built as an extension of the concrete domain
by the abstract messages > and ⊥. Intuitively, the value > is used to abstract a
(possibly infinite) set of messages. For instance, the message >K stands for any
message encrypted with the key K. It is an abstraction of a (possibly infinite) set
of concrete messages encrypted with the key K. We use also the abstract message
value ⊥ to represent the empty set of messages. From now on, we note D the
concrete domain of messages and D# the abstract domain of messages.
We define an ordering relation on abstract messages ≤a that captures the notion of
approximation on messages. ∀m,m′,m1,m′1 ∈ D#:
4.3 Abstract Domain of Messages 56
m ≤a m
⊥ ≤a m
m ≤a >m ≤a m′ and m′ is atomic ⇒ m = m′
m ≤a m′ and m′ ≤a m′′ ⇒ m ≤a m′′
m ≤a m′ ⇔ mK ≤a m′K
m ≤a m′ and m1 ≤a m′1 ⇔ m.m1 ≤a m′.m′
1
We define a function a_,_(_) to approximate (abstract) messages. This function
takes as parameters a message m and limits l1 and l2 (which are natural numbers).
It replaces some sub-messages of m by the abstract value >. Intuitively, the functiona_,_(_) is used to prune the algebraic structure of a message while keeping the
external form of that message. The value l1 acts on the depth of encryptions in a
message while the value l2 acts on the depth of concatenations. Note that similar
approaches have been used for other purposes. See for instance, k-limiting in may-
alias analysis [20] and Abstract rewriting [8].
Definition 4.3.1 (Abstraction Function) The abstraction function a_,_(_) is
defined as follows:
a : N× N×D# −→ D
al1,l2(m) = m if m is atomic
al1,l2(m.m′) = al1,l2−1(m).al1,l2−1(m′) if l2 ≥ 1
al1,l2(mm′) = al1−1,l2(m)m′ if l1 ≥ 1
al1,0(m.m′) = >a0,l2(mK) = >al1,l2(>) = >al1,l2(⊥) = ⊥
4.3 Abstract Domain of Messages 57
From now on, when l1 and l2 are understood, we write simply ma instead of al1,l2(m).
The following proposition establishes a relation between the values of l1 and l2 and
the precision of the abstraction. As we may expect, the precision of the abstraction
increases when the values of l1 and l2 increase.
Proposition 4.3.2 Let m ∈ D#, l1, l2, l′1 and l′2 four natural numbers such that
l1 ≥ l′1 and l2 ≥ l′2, then:
al1,l2(m) ≤a al′1,l′2(m)
Proof:
The proof is by structural induction on m.
• m is atomic:
al1,l2(m) = m ≤a m = al′1,l′2(m) (4.1)
• m = m1.m2: We distinguish the following cases:
– l′2 = 0:
al1,l2(m) ≤a > = al′1,0(m) = al′1,l′2(m) (4.2)
– l′2 6= 0:
By definition of the function a we have:
al1,l2(m) = al1,l2−1(m1).al1,l2−1(m2) (4.3)
By induction hypothesis, we have:
al1,l2−1(m1) ≤a al′1,l′2−1(m1)
al1,l2−1(m2) ≤a al′1,l′2−1(m2)(4.4)
By definition of the ordering and 4.4, we have:
al1,l2−1(m1).al1,l2−1(m2) ≤a al′1,l′2−1(m1).al′1,l′2−1(m2) (4.5)
By definition of the function a and 4.5, we have:
4.3 Abstract Domain of Messages 58
al1,l2(m1.m2) = al1,l2(m) ≤a al′1,l′2(m) = al′1,l′2(m1.m2) (4.6)
• m = m1K : we distinguish the following cases
– l′1 = 0:
al1,l2(m) ≤a > = a0,l′2(m) = al′1,l′2(m) (4.7)
– l′1 6= 0:
By definition of the function a we have:
al1,l2(m) = al1−1,l2(m1)K (4.8)
By induction hypothesis, we have:
al1−1,l2(m1) ≤a al′1−1,l′2(m1) (4.9)
By definition of the ordering and 4.9, we have:
al1−1,l2(m1)K ≤a al′1−1,l′2(m1)K (4.10)
By definition of the function a we deduce:
al1,l2(m) ≤a al′1,l′2(m) (4.11)
2
The following proposition states that the abstraction function a_,_(_) is extensive.
This means, as a generic definition, that a function produces an output that is
greater then the input value. In our case, it translates the ordering relation into
another precision result: the abstracted message can not be more precise than the
original message.
Proposition 4.3.3 The abstraction function a_,_(_) is extensive, i.e.:
∀m ∈ D#, ∀l1, l2 ∈ N : m ≤a al1,l2(m) (4.12)
4.3 Abstract Domain of Messages 59
Proof:
Let m ∈ D# and let l1 and l2 be two natural numbers. The proof is by
structural induction on m.
• m is atomic:
m ≤a m = al1,l2(m) (4.13)
• m = m1.m2: By induction hypothesis, we have:
m1 ≤a al1,l2(m1)
m2 ≤a al1,l2(m2)(4.14)
By definition of the ordering and 4.14, we have:
m1.m2 ≤a al1,l2(m1).al1,l2(m2) (4.15)
By definition of a, we have:
al1,l2(m1).al1,l2(m2) = al1,l2+1(m1.m2) (4.16)
By 4.15 and 4.16, we have:
m1.m2 ≤a al1,l2+1(m1.m2) (4.17)
By the proposition 4.3.2, we have
al1,l2+1(m1.m2) ≤a al1,l2(m1.m2) (4.18)
By 4.17 and 4.18, we have:
m1.m2 ≤a al1,l2(m1.m2) (4.19)
• m = m1K : By induction hypothesis, we have:
m1 ≤a al1,l2(m1) (4.20)
4.3 Abstract Domain of Messages 60
By definition of the ordering, we have:
m1K ≤a al1,l2(m1)K (4.21)
By definition of a, we have:
m1K ≤a al1+1,l2(m1K) (4.22)
By the proposition 4.3.2, we have:
al1+1,l2(m1K) ≤a al1,l2(m1K) (4.23)
By 4.22 and 4.23, we deduce:
m1K ≤a al1,l2(m1K) (4.24)
2
The following proposition states that the abstraction function a_,_(_) is idempotent.
This property can be interpreted as the fact that all the abstracted information is lost
at once. One abstraction is then equivalent to two or more successive abstractions,
as they produce the same result.
Proposition 4.3.4 The abstraction function a_,_(_) is idempotent, i.e.:
a a = a (4.25)
Proof:
Let m ∈ D# and let l1 and l2 be two natural numbers. The proof is by
structural induction on m.
• m is atomic:
al1,l2(al1,l2(m)) = m = al1,l2(m) (4.26)
4.3 Abstract Domain of Messages 61
• m = m1.m2. By definition of a, we have:
al1,l2(al1,l2(m1.m2)) = al1,l2−1(al1,l2−1(m1)).al1,l2−1(al1,l2−1(m2))
(4.27)
By induction hypothesis, we have:
al1,l2−1(al1,l2−1(m1)) = al1,l2−1(m1)
al1,l2−1(al1,l2−1(m2)) = al1,l2−1(m2)(4.28)
By 4.27 and 4.28, we have:
al1,l2(al1,l2(m1.m2)) = al1,l2−1(m1).al1,l2−1(m2) (4.29)
By definition of a and 4.29, we deduce:
al1,l2(al1,l2(m1.m2)) = al1,l2(m1.m2) (4.30)
• m = m1K . By definition of a, we have:
al1,l2(al1,l2(m1K)) = al1−1,l2(al1−1,l2(m1))K (4.31)
By induction hypothesis, we have:
al1−1,l2(al1−1,l2(m1)) = al1−1,l2(m1) (4.32)
By 4.31 and 4.32, we have:
al1,l2(al1,l2(m1K)) = al1−1,l2(m1)K (4.33)
By definition of a and 4.33, we deduce:
al1,l2(al1,l2(m1K)) = al1,l2(m1K) (4.34)
2
4.3 Abstract Domain of Messages 62
In the sequel we prove that the abstraction function a_,_(_) is monotone. First, we
have to prove technical lemmas which state that the size of an abstracted message
can be smaller than or equal to the size of the original message. The intuition is
that the abstraction leads to loss of detail, which is reflected in the contracted depth
and width of the resulting message. The equality corresponds to the special case of
the original and the abstracted message being the same.
Lemma 4.3.5 ∀m ∈ D#, ∀l1, l2 ∈ N : |al1,l2(m)| ≤ |m|
Proof:
Let m ∈ D# and let l1 and l2 be two natural numbers. The proof is by
structural induction on m.
• m is atomic. By definition al1,l2(m) = m, then we have:
|al1,l2(m)| = |m| ≤ |m| (4.35)
• m = m1.m2. By definition of a, we have:
al1,l2(m1.m2) = al1,l2−1(m1).al1,l2−1(m2) (4.36)
By 4.36 and the definition of |_|, we have:
|al1,l2(m1.m2)| = |al1,l2−1(m1)|+ |al1,l2−1(m2)|+ 1 (4.37)
By induction hypothesis, we have:
|al1,l2−1(m1)| ≤ |m1||al1,l2−1(m2)| ≤ |m2|
(4.38)
By 4.38, we have:
|al1,l2−1(m1)|+ |al1,l2−1(m2)|+ 1 ≤ |m1|+ |m2|+ 1 (4.39)
By 4.39 and the definition of |_| we have:
4.3 Abstract Domain of Messages 63
|al1,l2−1(m1).al1,l2−1(m2)| ≤ |m1.m2| (4.40)
By 4.40 and the definition of a we have:
|al1,l2(m1.m2)| ≤ |m1.m2| (4.41)
• m = m1K . By definition of a, we have:
al1,l2(m1K) = al1−1,l2(m1)K (4.42)
By 4.42 and the definition of |_|, we have:
|al1,l2(m1K)| = |al1−1,l2(m1)|+ 1 (4.43)
By induction hypothesis, we have:
|al1−1,l2(m1)| ≤ |m1| (4.44)
By ≤ property and 4.44 we have:
|al1−1,l2(m1)|+ 1 ≤ |m1|+ 1 (4.45)
By 4.45 and the definition of |_| we have:
|al1−1,l2(m1)K | ≤ |m1K | (4.46)
By 4.46 and the definition of a we have:
|al1,l2(m1K)| ≤ |m1K | (4.47)
2
Lemma 4.3.6 ∀m ∈ D#, ∀l1, l2 ∈ N : |al1,l2(m)| = |m| ⇒ al1,l2(m) = m
Proof:
Let m ∈ D# and let l1 and l2 be two natural numbers. The proof is by
structural induction on m.
4.3 Abstract Domain of Messages 64
• m is atomic. By definition of a, we have:
al1,l2(m) = m
• m = m1.m2. By definition of a and |_| operator, we have:
|m1.m2| = |m1|+ |m2|+ 1
|al1,l2(m1.m2)| = |al1,l2−1(m1)|+ |al1,l2−1(m2)|+ 1(4.48)
By hypothesis and 4.48, we deduce:
|al1,l2−1(m1)|+ |al1,l2−1(m2)| = |m1|+ |m2| (4.49)
By lemma 4.3.5 and 4.49, we deduce:
|al1,l2−1(m1)| = |m1||al1,l2−1(m2)| = |m2|
(4.50)
By induction hypothesis and 4.50, we deduce:
al1,l2−1(m1) = m1
al1,l2−1(m2) = m2
(4.51)
By definition of a and 4.51, we have:
al1,l2−1(m1).al1,l2−1(m2) = al1,l2(m2.m2) = m1.m2 (4.52)
• m = m1K . By definition of a and |_| operator, we have:
|al1,l2(m1K)| = |al1−1,l2(m1)K | = |al1−1,l2(m1)|+ 1
|m1K | = |m1|+ 1(4.53)
By hypothesis and 4.53, we deduce:
|al1−1,l2(m1)| = |m1| (4.54)
By induction hypothesis and 4.54, we deduce:
4.3 Abstract Domain of Messages 65
al1−1,l2(m1) = m1 (4.55)
By definition of a and 4.55, we deduce:
al1,l2−1(m1)K = al1,l2(m1K) = m1K (4.56)
2
Propositions 4.3.3 and 4.3.4 and lemmas 4.3.5 and 4.3.6 indicate that two abstracted
messages will be in the same order as the original ones. This property, called
monotony, can be interpreted as the fact that the abstraction process preserves
the soundness of the approximation.
Proposition 4.3.7 The abstraction function a_,_(_) is monotone, i.e.:
∀m,m′ ∈ D#, ∀l1, l2 ∈ N : m ≤a m′ ⇒ al1,l2(m) ≤a al1,l2(m′) (4.57)
Proof:
Let m, m′ ∈ D# such that m ≤a m′. Let l1 and l2 be two natural numbers.
The proof is by induction on H = |m|:
• H = 0. This means that m is atomic. We have two cases
– m′ = m.
al1,l2(m) = m ≤a m′ = al1,l2(m′) (4.58)
– m′ = >. By definition of the relation ≤a and a, we have:
al1,l2(m) = m ≤a > = al1,l2(>) = al1,l2(m′) (4.59)
• H = n. By the proposition 4.3.3, we have:
m′ ≤a al1,l2(m′) (4.60)
4.3 Abstract Domain of Messages 66
Since m ≤a m′ and by 4.60, we deduce:
m ≤a al1,l2(m′) (4.61)
By the lemma 4.3.5, we have two cases:
– |al1,l2(m)| < |m|, then by induction hypothesis, we have:
al1,l2(al1,l2(m)) ≤a al1,l2(m′) (4.62)
By proposition 4.3.4 and 4.62, we have:
al1,l2(m) ≤a al1,l2(m′) (4.63)
– |al1,l2(m)| = |m|. By lemma 4.3.6, we deduce that:
al1,l2(m) = m (4.64)
By 4.64 and 4.61, we deduce:
al1,l2(m) ≤a al1,l2(m′) (4.65)
2
As defined in chapter 3, a function f is an upper closure with respect to the ordering
relation if and only if f is monotone, extensive and idempotent. The abstraction
function has all these properties. Intuitively, we can acknowledge that the initial
ordering relation is preserved on the set of abstracted messages.
Corollary 4.3.8 The abstraction function a_,_(_) is an upper closure on the ab-
stract domain of messages with respect to the ordering relation ≤a.
Proof:
The proof is immediate from the propositions 4.3.3, 4.3.4 and 4.3.7 2
4.3 Abstract Domain of Messages 67
For example, let x = m1.m2.m3K1 .m4K2 .m5K3 .m6K4 be a message and let
l1 = 2, l2 = 4. The messages m1, m2, m3, m4, m5, m6 are atomic messages and
K1, K2, K3, K4 are cryptographic keys. Then, message x is abstracted by the ab-
straction function a_,_(_) in the following manner:
a2,4(x) = a1,4(m1.m2.m3K1 .m4K2 .m5K3 .m6)K4
= a1,3(m1).a1,3(m2.m3K1 .m4K2 .m5K3 .m6)K4
= m1.a1,2(m2.m3K1).a
1,2(m4K2 .m5K3 .m6)K4
= m1.a0,2(m2.m3)K1 .a1,1(m4K2 .m5K3).a
1,1(m6)K4
= m1.a0,1(m2).a0,1(m3)K1 .a0,1(m4K2 .m5)K3 .m6K4
= m1.m2.m3K1 .a0,0(m4K2).a0,0(m5)K3 .m6K4
= m1.m2.m3K1 .>.m5K3 .m6K4
Let m,m′ be messages. We define the size of a message, written |_| as follows:
• if m is atomic then |m| = 0
• |m.m′| = |m|+ |m′|+ 1
• |mm′| = |m|+ 1
The following proposition states that the abstraction function a_,_(_) bounds the
size of messages.
Proposition 4.3.9 Let m be a message, l1 and l2 be two natural numbers then:
|al1,l2(m)| ≤ 2l1+l2 − 1
Proof:
The proof is by structural induction on m.
• m is atomic. By definition al1,l2(m) = m, then we have:
|al1,l2(m)| = |m| = 0 ≤ 2l1+l2 − 1 (4.66)
4.3 Abstract Domain of Messages 68
• m = m′K . By definition of the abstraction function a, we have:
al1,l2(m′K) = al1−1,l2(m′)K (4.67)
By definition of the operator |_| and 4.67, we have:
|al1,l2(m′K)| = |al1−1,l2(m′)|+ 1 (4.68)
By induction hypothesis, we have:
|al1−1,l2(m′)| ≤ 2l1−1+l2 − 1 =2l1+l2 − 2
2≤ 2l1+l2 − 2 (4.69)
By 4.67, 4.68 and 4.69, we deduce:
|al1,l2(m′K)| ≤ 2l1+l2 − 1 (4.70)
• m = m1.m2. By definition of the abstraction function a, we have:
al1,l2(m1.m2) = al1,l2−1(m1).al1,l2−1(m2) (4.71)
By definition of the operator |_| and 4.71, we have:
|al1,l2(m1.m2)| = |al1,l2−1(m1)|+ |al1,l2−1(m2)|+ 1 (4.72)
By induction hypothesis, we have:
|al1,l2−1(m1)| ≤ 2l1+l2−1 − 1
|al1,l2−1(m2)| ≤ 2l1+l2−1 − 1(4.73)
By 4.72, 4.73, we deduce:
|al1,l2(m1.m2)| ≤ (2l1+l2−1 − 1) + (2l1+l2−1 − 1) + 1 = 2l1+l2 − 1 (4.74)
2
4.3 Abstract Domain of Messages 69
The intruder closure operation captures the usual intruder capabilities: encryption,
decryption, message concatenation and message decomposition. Given a finite set
of messages M , two natural numbers l1, l2, we define an abstract closure of M noted
M#⇓ , as the smallest set satisfying:
• If m ∈ M then al1,l2(m) ∈ M#⇓
• If K ∈ M#⇓ and mK ∈ M#
⇓ then al1,l2(m) ∈ M#⇓
• If m.m′ ∈ M#⇓ then al1,l2(m) ∈ M#
⇓
• If m.m′ ∈ M#⇓ then al1,l2(m′) ∈ M#
⇓
• If m ∈ M#⇓ and K ∈ M#
⇓ then al1,l2(mK) ∈ M#⇓
• If m ∈ M#⇓ and m′ ∈ M#
⇓ then al1,l2(m.m′) ∈ M#⇓
The next proposition establishes the finiteness of a set of messages under particular
conditions.
Proposition 4.3.10 Let M be a set of messages such that the set of atomic mes-
sages in M is finite. If the depth of each message in M is bounded then the set M
is finite.
Proof:
Let |M | = Max|m| | m ∈ M be the maximum length of the messages
in M (a bound). The proof is by induction on |M |.
• |M | = 0. We deduce that each message in M is atomic. By hypothesis,
we conclude that M is finite.
• |M | = n > 0. Let M = M1∪M2 such that |M1| = n−1 and M2 = m ∈M | |m| = n. By induction hypothesis, we have:
M1 is a finite set (4.75)
4.3 Abstract Domain of Messages 70
Let m ∈ M2. Since |m| = n > 0, we have the two following cases:
m = m1K ∧ |m1| = n− 1
m = m1.m2 ∧ |m1| < n ∧ |m2| < n(4.76)
We build the set M ′ as follows:
m1K ∈ M2 ⇒ m1,K ⊆ M ′
m1.m2 ∈ M2 ⇒ m1,m2 ⊆ M ′(4.77)
Since the encryption keys are atomic messages, then, by 4.76, we deduce
that:
|M ′| < n (4.78)
By induction hypothesis, we have:
M ′ is a finite set (4.79)
We build the set M ′′ as follows:
m1,K ⊆ M ′ ⇒ m1K ∈ M ′′
m1,m2 ⊆ M ′ ⇒ m1.m2 ∈ M ′′(4.80)
By 4.77 and 4.80, we deduce:
M2 ⊆ M ′′ (4.81)
By 4.79 and 4.80, we have:
M ′′ is finite (4.82)
By 4.81 and 4.82, we have:
M2 is finite (4.83)
By 4.75 and 4.83, we deduce that:
4.4 Simulating Cryptographic Protocol Runs 71
M is finite (4.84)
2
In general, the intruder closure operation leads to an infinite set of messages. The
abstraction process gives us a way to obtain an abstract finite representation. The
following proposition states that M#⇓ is a finite set.
Proposition 4.3.11 Let M be a finite set of messages. Then M#⇓ is finite.
Proof:
Since M is finite, then:
m ∈ M | |m| = 0 is finite (4.85)
Let m ∈ M#⇓ , by the definition of M#
⇓ and Proposition 4.3.9, we have:
|m| ≤ 2l1+l2 − 1 (4.86)
By 4.85, 4.86 and Proposition 4.3.10, we deduce that M#⇓ is finite.
2
In the sequel, we define an abstract semantics for security protocols. This new
semantics is used to approximate execution models of protocols. The obtained
abstract models are then used to decide if security protocols satisfy the secrecy
property with respect to a sensitive message.
4.4 Simulating Cryptographic Protocol Runs
The intruder can use the protocol in two different ways. The first involves a passive
attack on the protocol. It allows the intruder to intercept messages that will add
new information to his knowledge. However, not all the new data is necessarily
useful, as we will prove in this section. The second way of benefiting from protocol
4.4 Simulating Cryptographic Protocol Runs 72
runs is called protocol instrumentation. The intruder sends certain data expecting
a valuable message in response. We analyze in the following what would be helpful
for an intruder that tries to build an attack. The intruder can use his concatenation
and decomposition abilities at any time, as they don’t depend on the value of the
information. However, he might try to encrypt or decrypt messages with keys that
he does not possess. For instance, we consider the following protocol:
Message σ.1. Ax −→ By : Nσax
Message σ.2. By −→ Ax : NσaxKaxby
The intruder instruments the protocol as follows. He knows that the message trans-
mitted during the second step is an encryption of the first message with a session key
that he does not know. By playing the role of the initiator agent, he introduces the
piece of data, possibly from a different session, that he wants encrypted. In return,
he receives information that he could not derive from his knowledge set using the
standard closure capabilities. Of course, it is sometimes sufficient to run a proto-
col sequence, rather then a complete session. This observation allows the presence
of partial runs in the trace modeling the intruder’s behavior. The same approach
can be used for having messages decrypted by unsuspecting agents as shown in the
following protocol:
Message σ.1. Ax −→ By : NσaxKaxby
Message σ.2. By −→ Ax : Nσax
4.4.1 Abstracting Atomic Messages
Our aim is to compute the intruder’s knowledge in a parallel multi-session protocol
run. Unfortunately, as shown in previous sections, the model capturing such be-
havior is infinite and uses an unbounded number of principals. As it is impossible
to simulate such models, we introduce in the following a safe computable upper
approximation of the intruder’s knowledge.
4.4 Simulating Cryptographic Protocol Runs 73
4.4.1.1 Abstracting Agent Names
We use a finite set of constants A, B, · · · to denote agent names. This set of agent
identities is sufficient for modelling any protocol execution, including multi-sessions
and masquerading or impersonation attacks. Each constant abstracts a (possibly
infinite) set of agent names. For instance, for a protocol step σ.i.Ax −→ By : Ax, the
agent name A will be used to abstract the (possibly infinite) set of initiator agents
Ax. This abstraction is correct since it overestimates the intruder’s knowledge. We
conclude that if the intruder can get A, then he can get any agent name Ai, i ∈N running the concrete communication protocol as initiator. We make the same
assumption about the responder. Usually, only three constants are employed: A, B,
and S, where S abstracts a server name for protocols that involve one.
4.4.1.2 Abstracting Keys
Each agent has one pair of public-private keys. Public keys are considered known to
all potential agents participating in a protocol run, including the intruder. Therefore,
we assert that all public keys associated with agent names are part of the intruder’s
initial knowledge. For instance, the constant Kb abstracts the concrete public key
Kby of an agent named By. The private keys are the inverses of the public keys.
They are not part of the intruder’s initial knowledge and are never transmitted
during the protocol run. As a consequence of the number of agents being bounded,
the number of their public and private keys is a finite set.
Session keys are variables that are shared by agents for the duration of one session
only. We will abstract the session keys by a constant for any pair of agents. The
rationale behind this is that if the intruder is able to get an exchanged session key
in a particular session σ of a protocol run, then he can get the session keys used in
any other session of the protocol run.
4.4 Simulating Cryptographic Protocol Runs 74
4.4.1.3 Abstracting Nonces
Nonces are fresh messages unique to a particular session. Since we are interested
in secrecy, we will abstract away from the notion of message-freshness and consider
these messages as constants for all sessions of the protocol. The intuition is that if
the intruder is able to get an exchanged nonce in a particular session σ of a protocol
run, then he can get the same nonce in any other session of the protocol run. Hence,
the nonce Nσax
is abstracted by the atomic constant message Na. This abstraction
is an overestimation of the intruder capabilities and therefore it is correct for our
analysis.
We consider that the intruder owns a nonce Ni that is part of his initial knowledge.
Ni is a constant atomic message. Since there is no way for a regular agent to check
the value of a nonce created by any other agent, including the intruder, we empower
the intruder to re-use the same nonce Ni in any protocol session.
All the atomic messages other than those already introduced are abstracted by
constant values cte, as the security properties depend only on the keys and nonces.
4.4.2 Abstracting Protocols
Let P be the following authentication protocol:
Message σ.1. Ax −→ By : Ax.NσaxKby
Message σ.2. By −→ Ax : NσaxKax
Let l1 and l2 be two natural numbers. To abstract protocol specifications, we intro-
duce an abstraction function, noted Ψ. In the remainder of the chapter, we denote
by P# = Ψ(P) the abstract protocol, where P is a concrete protocol and l1 and l2
are two natural numbers. We define Ψ as follows:
4.4 Simulating Cryptographic Protocol Runs 75
Ψ((σ.i. X → Y : m). P) = (i. Ψ(X) → Ψ(Y ) : Ψ(m)). Ψ(P)
Ψ(m1m2) = al1,l2(Ψ(m1)Ψ(m2))
Ψ(m1.m2) = al1,l2(Ψ(m1).Ψ(m2))
Ψ(Ax) = A
Ψ(By) = B
Ψ(S) = S
Ψ(Nσax
) = Na
Ψ(Kax) = Ka
Ψ(K−1ax
) = K−1a
Ψ(Kaxby) = Kab
Ψ(Kσaxby
) = Kab
Ψ(x) = cte otherwise
If we fix the values of l1 = 1 and l2 = 1, the above protocol is then abstracted as:
Message 1. A −→ B : A.NaKb
Message 2. B −→ A : NaKa
A simulated run of P# reveals that the abstract intruder’s knowledge with limits
l1 = 1 and l2 = 1 is Ni, A.NaKab, NaKab
, which means that the nonce Na is
never revealed by the abstract protocol. This means that Nσax
is secret in P.
Let t = a1.a2. . . . be a (possibly infinite) trace where ai is a communication action.
In order to determine the abstracted knowledge of the intruder, we fix the values of
l1 and l2. The abstraction of each individual action produces an abstracted protocol
step. The sequence of all abstracted actions defines the abstracted trace t#. To
generate an abstract trace t# from an abstract protocol P#, we can use a modified
version of the Paulson’s inductive rules [49] by applying the abstraction function
a_,_(_) to each exchanged message and replace the intruder closure function _ ⇓by the abstract version _#
⇓ .
4.4 Simulating Cryptographic Protocol Runs 76
Let t be the following trace:
t = (σ.1. A1 → I(B1) : A1).
(σ.1. I(A1) → B1 : A1).
(σ.2. B1 → I(A1) : Nσb1
.A1.B1).
(σ.2. I(B1) → A1 : m).
(σ.3. A1 → I(B1) : mKa1s)
where m is part of the intruder knowledge. For l1 = 1 and l2 = 1, the abstracted
trace t# is:
t# = (1. A → I(B) : A).
(1. I(A) → B : A).
(2. B → I(A) : Nb.>).
(2. I(B) → A : ma).
(3. A → I(B) : maKas)
Given a trace t and a finite set of intruder’s initial knowledge KI , then the intruder
knowledge associated with the abstract trace t#, noted IK(t#), is generated by the
relation |∼ defined in Table 4.3.
Table 4.3: Abstract Intruder Knowledge Generation from Abstract Traces
Initε |∼ KI
#⇓
Get knowledget# |∼M
t#. (i. A → B : ma) |∼ M ∪ma
The following proposition states that the abstract trace model t# for an abstract
protocol P# is finite, i.e. has a finite number of actions.
4.4 Simulating Cryptographic Protocol Runs 77
Proposition 4.4.1 (Finiteness) Let P be a cryptographic protocol and let P# be
the corresponding abstracted protocol. Then, the multi-session, multi-role trace exe-
cution model t# of P# is finite.
Proof:
As stated in section 4.2, a trace can be extended with an event a whenever the
message transmitted during that action is fresh. We will prove that, because
of the protocol abstraction, the number of distinct messages that can be issued
is bounded.
The abstraction of atomic messages bounds the number of agents, keys (public
and session) and nonces. Henceforth, we denote by Nbatoms their total number.
We remind the reader that the inductive rules that can lead to a trace extension
are Receive and Intruder (Table 4.2). They define how the intruder can increase
his knowledge set either by intercepting messages and decomposing them, or
by building new messages from pieces of information that he already possesses.
We fix l1 and l2 and adapt the two rules to our abstracted trace model t#. In
the following, we analyze their effect on the abstracted protocol runs.
The Receive rule is modified to reflect that the intruder can only obtain ab-
stracted messages ma. Likewise, the Intruder rule is changed to indicate that
the intruder can only send ma. The size of those messages, |ma| is limited, as
shown in Proposition 4.3.9:
|ma| ≤ 2l1+l2 − 1
The intuition is quite simple: if, for any message size between 0 and 2l1+l2−1,
the number of messages is bounded, then there is a limited number of possible
messages ma.
Let m, m′ and m′′ be atomic messages. The total number of messages of
size 0 (atomic messages) is Nbatoms. For the messages of size 1, we have to
4.5 Verification of Secrecy Correctness 78
count both encryptions and concatenations of atoms. For each of them, the
number is (Nbatoms)2. So, the total number of possible messages of size 1
is 2 × (Nbatoms)2. For size 2, the computations become more complex. We
have several different combinations of operations on atoms that can produce
messages of size 2: m.m′.m′′, m.m′′′m, m′m′′m, m.m′′′m and m′m.m′′.
For each of them, there can be (Nbatoms)3 possible messages. Consequently,
the total number of messages of size 2 is 5 × (Nbatoms)3. The reasoning can
be continued until size 2l1+l2 − 1 is reached. For each size s ∈ [0, 2l1+l2 −1], there will be an increasing number of combinations of messages, each of
them with (Nbatoms)s possible messages. Although the total number increases
dramatically, it is still finite.
Since the number of messages that can be sent or received by the intruder
is bounded, there is a limited number of inductive rules that describe the
corresponding actions. Therefore, a new event that denotes the transfer of
an already transmitted message cannot be added to the abstracted trace t#,
which is then rendered finite.
2
4.5 Verification of Secrecy Correctness
Secrecy is the fact of keeping secret a given piece of information. This aspect of
security is certainly the oldest and the best known. We say that a protocol preserves
the secrecy of one of its parameters if it does not leak any information about these
parameters during its execution. The parameters of the protocol that have to be
kept secret can be cryptographic keys, nonces, or any other sensitive data. For
instance, the following protocol does not guarantee the secrecy of the message m
since the key used to encrypt m has been made public.
σ.1 Ax → By : Kaxby
σ.2 By → Ax : mKaxby
4.6 Conclusion 79
In the following we give a sufficient condition to check if a protocol preserves the
secrecy of a message.
Definition 4.5.1 (Secrecy) Given a security protocol P and a sensitive message
m, we say that P guarantees the secrecy of m if:
∀x ∈ IK(t#) : x uma = glb(x,ma) = ⊥
where t# is the finite abstract trace generated from the abstract protocol P#.
It is clear that with our definition, we can build only a semi-decidable procedure
since if there exists x ∈ IK(t#) such that x uma 6= ⊥, we cannot decide that the
protocol contains a secrecy flaw.
4.6 Conclusion
The main intent of the study presented in this chapter is to characterize the verifica-
tion of the secrecy property as an abstract interpretation of cryptographic protocols.
We employed a model that has been defined by Adi [5]. However, his abstraction
involves category theory while our approach uses traces. The abstract model was
defined by the means of a finite abstract trace that models all of the potential in-
truder behaviors. The model was applied to approximate the unbounded space of
intruder knowledge to a finite one. This information was then used to decide if the
security protocol satisfies the secrecy property for sensitive data. The way to achieve
this goal is to restrict the concrete protocol trace to a finite abstract one according
to some abstraction of the intruder knowledge. The approximation is correct with
respect to the original protocol execution, as it overestimates the capabilities of the
intruder. Since the abstract trace is finite, it becomes possible to compute the finite
abstract set M# of messages that the intruder can get by running a security protocol
P. Given a message m, if for all x in M#, glb(x,ma) = x uma = ⊥ then m is not
included in M and consequently P does not leak the message m.
Chapter 5
Formal Reasoning for Security
Protocol Correctness
Abstract
In this chapter we address security protocol correctness with respect to secrecy and
present a formal reasoning for evaluating such correctness. The proposed framework
includes a comprehensive analysis and a bounding model for multi-session attacks
that is sufficient for our correctness proofs. We examine the possible behavior of the
intruder during a protocol run and draw conclusions about how his knowledge evolves
and what actions he can take to gain as much information as possible for building
winning strategies for an attack. Our approach leads to simple and intuitive proofs
that can easily be automated.
5.1 Introduction
Formal analysis of security protocols has advanced from basic verification methods
to very complex automated techniques. The logic of authentication of Burrows,
Abadi and Needham [14] is enriched by new results such as the linear and modal
logic for specifying security properties advanced by Adi et al. [4]. Paulson applied
the idea of inductive rules as models for security protocols [49]. This idea was
80
5.1 Introduction 81
further developed by Millen in [39]. Lowe in [34, 36] was the first to use CSP
[32] and model-checking techniques for cryptographic protocol analysis. Similar
approaches were developed by Roscoe, Gardiner, Jackson and Hulance in [25, 26,
52], Schneider in [54] and Meadows [38]. Abadi and Gordon [1] advanced Spi, a
calculus for cryptographic protocols. Spi is built on top of the π-calculus [40, 41],
a mobile process algebra. It has been devised for the description and analysis of
security protocols. In [42, 43, 55] Mitchell et al. used the general-purpose state
enumeration tool Murφ [18]. Other successful approaches are the use of theorem
proving by Bolignano [9], game semantics [3] by Adi and Debbabi and strand spaces,
by Thayer, Herzog and Guttman [23, 30]. Abstract models have been successfully
used for protocol correctness in studies such as Lakhnech’s hat-messages abstraction
[11], Stoller’s bound on attacks on authentication protocols [56] and Comon-Lundt’s
bound on agents number [17]. However, some of the restrictions imposed by the
models limit the applicability of the conclusions to certain classes of protocols. For
instance, Stoller uses the strand model for proving both secrecy and authentication,
but imposes serious constraints on the encryption depth.
The aim of our research is to explore correctness in security protocols with respect
to various security properties, such as secrecy. The main challenge for protocol
correctness is the fact that real-world protocol simulations produce infinite models.
We overcome this inconvenient by choosing appropriate models. Our methodology
proposes a blend of concepts such as impasses, spawned sessions, intruder strategies
and attack scenarios etc. Impasses denote steps where the intruder does not have
enough knowledge to build the message he needs to send in order to continue a
protocol run. In this case, he can search for additional information in one or several
other sessions. We call these potentially useful protocol executions spawned sessions.
In case the information needed is found, it is added to the intruder’s knowledge set
and it helps him to solve the impasse. Our analysis reveals that, after a finite number
of spawned-session levels, the candidate sessions are the same as the ones on the
previous levels. We exhibit a bound on the number of sessions by abstracting all
5.2 Definitions and Assumptions 82
the subsequent runs of the session types already included. The intruder’s knowledge
becomes a finite set for which we define the necessary conditions for secrecy. Our
model doesn’t involve any assumptions about the nonces, the number of sessions,
the size of messages or the encryption levels allowed.
The remainder of this chapter is organized as follows. Section 5.2 defines the environ-
ment in which security protocols are analyzed. Section 5.3 presents the capabilities
of the intruder. Section 5.4 is devoted to the formalization the secrecy property.
Section 5.5 presents our methodology. Section 5.6 exhibits bounds on our security
models that are sufficient to ensure protocol correctness. We present an application
of our research in section 5.7. Finally, Section 5.8 provides concluding remarks on
this work and discusses future research.
5.2 Definitions and Assumptions
A communication protocol is an orderly defined sequence of interactions between en-
tities designed to govern communications in a distributed system. Security protocols
are a subclass of communication protocols that specify a precisely defined sequence
of messages using cryptographic techniques in order to achieve security objectives.
The security services to be provided are authentication of agents, secrecy, integrity,
anonymity, non repudiation, establishment of session keys and so on.
Our analysis is done on public key protocols that involve two principals using
only their public and private keys for encryption operations. This approach leads
to results that are relatively easy to prove and comprehend, but are general enough
to be readily extensible to more complex environments. We employ some of the
commonly used notations. The legitimate participants to a protocol P, called agents
or principals, are part of a finite set A of nodes that are able to communicate with
each other. The basic syntax agreed upon by most researchers denotes the agents
by A and B. A and B are two parties wishing to communicate in a secure way.
The intruder will be represented by I. Each agent executes a well-defined algorithm
5.2 Definitions and Assumptions 83
consisting of a finite number n of steps (protocol length) for an instance of a protocol
run (session). The set of all possible sessions that can be established between two
agents is denoted by S. Whenever a session needs to be distinctly introduced, it will
be identified by a letter of the Greek alphabet: α, β, . . . The set of all messages that
can be exchanged by agents during the communication act is denoted by M. The
public key of A is KA and the private one is its inverse, K−1A . A message m ∈ M
encrypted by the key K is noted mK . The communication steps are described by
the following syntax:
Message number. Agent1 → Agent2 : Message
where Agent1, Agent2 ∈ A, Message ∈M and 0 < number ≤ n.
The smallest possible messages, that cannot be further divided into components,
are called atomic messages or atoms. We divide the atoms into several categories as
follows:
• identity : agent identities are represented by A, B, I; I(C) denotes the intruder
trying to play the role of C, but it is just an abuse of the notation, in fact it
still represents the intruder
• key : KA, KB, KI , K−1A , K−1
B , K−1I denote the public and private keys of the
agents and the intruder
• nonce: nonces issued by agents A,B and I respectively are denoted by NA, NB, NI
• varia: we gather under the same category some constant atoms that are
included in the messages in some protocols, like e-commerce ones, to allow
supplemental verifications and correct identification, such as name, address,
gender etc.
• timestamp: TA, T ′A, TB etc, stand for a timestamps issued by agents A, B etc.
in order to allow recentness challenges
5.2 Definitions and Assumptions 84
• confidential : secret content that has to be readable by the intended partici-
pant(s) only; session keys are included here, too.
The above classification is open and by all means not exhaustive. New categories
can be added if there is a need to identify a particularity of an atomic message.
The atoms in the identity, key and varia categories have constant values, as they
do not change from one execution to the other. The others (from nonce, timestamp
and confidential categories) vary for each new session. They are generated by the
agents specifically for that protocol run and have an intended lifespan of one session
only. Except for the intruder, agents will not try to reuse them. We call the session
specific messages variable messages.
A role is a protocol abstraction that accounts for the actions of a particular agent.
For a protocol with two agents we can identify the role of the initiator and the role
of the responder. We represent by P(A,B) a session of the protocol P where A is
the initiator and B is the responder. However, a finer distinction is needed for our
purpose and we define two roles within each protocol step: the sender role and the
receiver role. If, for instance, during step i of a session σ, the message Mσi is sent
by the sender seσi to the receiver reσ
i , we identify two roles:
R(seσi ) = reσ
i !Mσi (5.1)
and
R(reσi ) = seσ
i ?Mσi (5.2)
where the symbol “!” denotes a send operator and “?” denotes a receive operator.
The design and implementation of security protocols take into account the poten-
tial behavior of the agents under any circumstances. There are a consistent number
of well-documented approaches, all aimed at suiting the particular needs of the de-
signer. Among them, the most notable are the principles for prudent engineering
practice of Abadi and Needham [2], the heuristics in the lesson of Woo and Lam
[59], the robustness principles of Anderson and Needham [7] and the limitations
5.3 Intruder’s Knowledge 85
presented by Syverson in [57].
We make the assumption that the cryptographic primitives used by various algo-
rithms are perfect, in the sense that the encryption systems cannot be broken by a
malicious intruder. Sessions and steps are clearly identified in order to distinguish
particularities of a protocol run. Session keys are valid for the duration of one session
only and expire, so they cannot be reused by the agents once a session is complete.
Private keys and secrets are never sent in clear, in order to prevent interception by
the intruder. Disjoint encryption is also assumed: any two messages of a protocol P
have distinct formats, so that they cannot be reused by the intruder for a different
step than the one during which they originated. We recommend signing a message
with a private key before the encryption of that message. Our model supports mes-
sage signing with private keys after it has been encrypted, but does not advise to
use it, as it can lead to authentication attacks.
We add a couple of remarks regarding the roles and knowledge gain. First, two
or more messages sent by an agent to the same destination, as part of consecutive
protocol steps, could be compressed in a single transmission. We will consider that
roles alternate, in the sense that if one agent acted as a sender during a protocol
step, then it will be the receiver in the next step and vice versa. Second, if a message
can be derived from the receiving agent’s knowledge set, then the corresponding step
might be redundant and could be removed from the protocol for increased efficiency.
5.3 Intruder’s Knowledge
The aim of this study is to examine the safeguarding of security properties under
any circumstances. Any assumption that the environment is not hostile might result
in potential flaws. We won’t restrict the capabilities of the intruder by any bounds.
5.3 Intruder’s Knowledge 86
5.3.1 Intruder’s Capabilities
At the very beginning of the protocol run, the intruder knows the identity of all
agents and their public keys. Knowledge gain can be achieved either by participating
as an agent or by overhearing messages exchanged by agents during protocol sessions.
We consider that intruders have the ability to intercept all messages exchanged
between any pair of agents, store messages, leak and kill messages, reroute them,
and forge new ones. They can replay messages or insert new ones at will.
An intruder also has the same message processing capabilities as the agents: en-
cryption, decryption, concatenation and decomposition. Whenever he intercepts a
message, he can retrieve data by splitting all concatenations and decrypting, when-
ever he has the appropriate key, all encryptions. As for the constructive abilities, he
can build any non-atomic message (concatenation, encryption or a combination of
both) from the components. To capture the intruder’s capabilities, we employ the
definition 4.2.1 for closure, as introduced in chapter 4. The information collected by
the intruder, along with all the data he can gain using his capabilities (encryption,
decryption, concatenation, decomposition etc.) is called the intruder’s knowledge
and is denoted by (Kσi )0≤i≤n, where σ is a session identifier and i is protocol step
for that session.
Let P be a protocol of length n and let σ be a session of that protocol. Prior to
starting the attack, the intruder has an initial knowledge Kσ0 . After completing a
protocol run, the knowledge becomes Kσn. The intruder’s knowledge throughout the
session is defined as a family of sets indexed by protocol step i. For a particular step
i, Kσi represents the knowledge of the intruder at the beginning of the protocol step,
right before sending or receiving a message. This means, for a sending step, that
the knowledge includes the message variables generated by the intruder in order to
build the message, along with the encryption that he can produce that will be part
of the message. However, the intruder might not be able to devise all variables or
encryptions needed.
5.3 Intruder’s Knowledge 87
Obviously, the sets Kσi are at least equal to Kσ
0 . With the aid of the closure definition
introduced above, the evolution of the intruder’s knowledge is illustrated by the
following inclusion:
(Kσi−1 ∪Mσ
i−1) ⇓ ⊆ Kσi (5.3)
where Mσi−1 represents the message sent during the step i− 1 and Kσ
i , Kσi−1 denote
the intruder’s knowledge for the steps i and i− 1, respectively.
5.3.2 Impasse
The intruder can be either actively involved in a protocol run or passively inter-
cepting messages. An active behavior implies creating and sending messages. This
means that the intruder has to have all the components for building the message.
Sometimes, this is not the case.
Definition 5.3.1 (Impasse) Let P be a protocol under attack by a malicious in-
truder. A situation in which the intruder has to act as a sender in order to continue
the attack and is unable to build a message intended for the legitimate participants
to the protocol run is called an impasse.
For the legitimate agents, there are no impasses. They have no difficulty decrypting
messages that were intended for them or building messages using the other agent’s
public key. However, the intruder is likely to encounter impasse situations as he pro-
gresses in the execution of the protocol. He cannot predict or guess such problems.
There are therefore only past, known impasses, of which at most one - the newest
- is unsolvable. All previous impasses must have been successfully surpassed until
session completion or up to a point where he cannot progress anymore. The set of
all impasses of a session σ is denoted by Imσ. Consequently, we say that an impasse
situation happens at step i if i ∈ Imσ.
5.3 Intruder’s Knowledge 88
Such a situation can arise a maximum of [n/2] times, which corresponds to the
number of steps of the protocol in which the intruder has a sender role, and that is
expressed by the following inequality:
card(Imσ) ≤ [n/2] (5.4)
where “card” denotes the cardinal function of the set and [_] stands for the “integer
part” operator.
The value [n/2] comes from the following analysis, based on the number of protocol
steps being odd or even, so of the form n = 2p or n = 2p + 1, with both n and
p integer numbers. If the intruder is the session initiator and n is odd, then the
intruder has to send data p + 1 times. He initiates the session either by creating
the first message or by replaying one that he intercepted previously. Since the first
step is certainly not an impasse, there are at most p = [n/2] potential impasses for
the intruder. If n is even, the total number of sending steps is p, but as the first
one cannot be an impasse step, there can be no more then p − 1 impasses. If the
intruder is the responder and n is either odd or even, the number of sending steps
for the intruder is p. Since p ≤ [n/2], we draw the conclusion that impasses cannot
occur in more than [n/2] times.
Remark 5.3.2 If a sending step does not involve any session specific variables, then
it is built from constant atomic messages only. If it is encrypted, the key is either a
public or a private key. As the constant atoms (including the public keys) are part
of the intruder’s initial knowledge, he can build a message that uses an encryption
with a public key. If the message is encrypted with an agent’s private key, then it
is identical in every session of protocol P involving the agent playing the same role.
The intruder has to intercept it and then he can replay it whenever needed. Therefore
no impasse is produced by such a step. The value of card(Imσ) is diminished with
the number of sending steps employing no session variables.
5.3 Intruder’s Knowledge 89
5.3.3 Spawned Sessions
For every step i, we denote the set of variable messages by V σi , and the set of
encryptions containing them by Qσi . For instance, the first message of the Needham-
Schroeder public-key protocol has the form A,NAKB. Here, i = 1, NA ∈ V1 and
A,NAKB∈ Q1. We only consider the top-level encryptions as part of Qσ
i , as
the intruder is not interested in nested encryptions that he cannot produce. The
intruder cannot get more knowledge from a protocol step then the variables V σi , the
encryptions Qσi and the associated closure operations. We identify an upper bound
for the intruder’s knowledge at step i:
Kσi ⊆ (Kσ
i−1 ∪ V σi ∪Qσ
i ) ⇓ (5.5)
The ideal case for the intruder is the equality. This happens when the intruder
knows all the new variables and he can devise all encryptions Qσi . However, for the
protocol execution to continue it suffices for the intruder to know Qσi , even if he
does not need to know individual variables in V σi . The lower bound is then:
(Kσi−1 ∪Qσ
i ) ⇓ ⊆ Kσi (5.6)
Therefore, from (5.5) and (5.6), we gather that the acceptable knowledge for exe-
cuting step i is bounded by:
(Kσi−1 ∪Qσ
i ) ⇓ ⊆ Kσi ⊆ (Kσ
i−1 ∪ V σi ∪Qσ
i ) ⇓ (5.7)
The set Kσi−1 is automatically inherited by the intruder in step i from step i − 1.
During an impasse step, he is the sender and he crafts all the new variables of V σi .
Then, for a step i ∈ Imσ, the equation (5.7) translates the definition for an impasse
situation into:
∀i ∈ Imσ | Qσi \ Kσ
i 6= ∅ (5.8)
5.3 Intruder’s Knowledge 90
If the intruder cannot get the data needed for resolving an impasse from what was
previously recorded and computed, it has to find it somewhere else. This implies
that the intruder has to get involved in a new session in search for the data. If that
effort is not successful, the saga stops there and no (other) flaws are found.
Definition 5.3.3 (Spawned session) A session triggered from within an existing
one by the intruder’s need to resolve an impasse is called a spawned session.
A situation demanding for a spawned session always appears when the intruder has
to send data (active); receiving is never a concern (passive). The intruder must
know either all variables of V σi or all encryptions from Qσ
i . Then, the spawned
session also has to reach at least step i, for two reasons. First, because some session
variables needed don’t appear in the protocol earlier then step i − 1 and therefore
won’t be used in a spawned session before step i. Second, because the format of the
encrypted message to be transmitted in step i, which includes all the components
from Qσi , does not appear before since we assumed disjoint encryption.
Let i ∈ Imσ be an impasse step of a session σ of the protocol P. Let τ be any
session of P different than σ in which the intruder can participate. We introduce
the notions parent and child to identify the session that generated the need and the
one that supposedly helps solving the problem. If τ is a child session with respect
to σ (or equivalently, if σ is the parent session of τ), then we note:
σi τi
Notice that one session can be, at the same time, both a parent and a child. For
instance, we can have a session υ spawned from a session τ spawned, at its turn,
from an initial session σ. However, the second spawned session (υ in this case) does
not necessarily have to reach step i. Indeed, τ has to advance to step i to be able to
return the requested data in the initial session σ. That means all impasses in τ prior
to step i have to be resolved. Suppose that i is not an impasse step for session τ
5.3 Intruder’s Knowledge 91
and j is the closest step to i where an impasse had to be surpassed, with 1 ≤ j < i.
Then υ has to execute all steps up to and including j, but not more. To reflect this
fact, we note:
σi τi υj
The benefit of spawned session is the added knowledge that the intruder gains by
gathering the data from other protocol runs. Session τ advanced to step i and the
knowledge available from that session to the intruder is transferred to session σ:
Kσi ⊇ (Kσ
i−1 ∪Mσi−1 ∪ V σ
i ∪ Kτi ) ⇓ (5.9)
where we denote by Mσi−1 the message sent in step i− 1 of the session σ and by Kτ
i
the intruder’s knowledge corresponding to step i of the τ session. The addition of
V σi is important, as it stresses that the intruder is the one creating all the message
variables for step i. He has the opportunity to reuse some of the nonces he already
possesses to maximize his chances of decomposing and decrypting future messages.
The intruder’s knowledge obviously increases with the number of spawns. However,
the execution of the protocol can only continue if the missing data can be found in
the set Kτi . Otherwise the exercise of spawning the τ session is futile. The intruder
can instrument the protocol in order to obtain more data from multiple spawned
sessions.
Figure 5.1 shows the knowledge transfer from a spawned sessions τ to an initial
session σ. The intruder encounters an impasse at step i of σ. He spawns a session τ ,
searching for useful data. Since he was previously involved in σ, the knowledge he
has at the very beginning of τ is inherited from the other session, so Kτ1 = Kσ
i . The
execution of the protocol P progresses in session τ up to (and including) step i. At
this point, the intruder transfers back the acquired knowledge and retries to execute
step i of σ with the new set of data: Kσi = Kτ
i . If he is successful, the intruder is
able to continue the protocol run with steps i + 1, i + 2, . . .
5.3 Intruder’s Knowledge 92
transfer
2
1
i
spawning
2
1
i
n
i+1Kτ
2
Kτ1
.
.
.
.
.
.
.
.
.
.Kτ
i
session τ
session σ
Kσi
Kσ2
.
.
.
.
.
Kσ1
.
.
.
.
.
.
.
.
.Kσ
n
Kσi+1
Figure 5.1: Knowledge transfer to session σ with the aid of a spawned session τ
The combination of sessions spawned by the intruder while trying to resolve an
impasse is called a strategy. A strategy that succeeds in bringing back the data
necessary to resolve an impasse is called a winning strategy. Following a winning
strategy, all the encryptions required for building the message Mσi become part of
the intruder’s knowledge:
Qσi ⊆ Kσ
i
Remark 5.3.4 In some cases, more strategies are possible. If an intruder finds a
winning strategy with a certain depth for a flaw, it is possible to build strategies with
a greater number of spawned sessions. These strategies, if they exist, are equiva-
lent as they result in solutions for surpassing the same impasse and they lead to a
family of attack scenarios. However, since it is not in the intruder’s interest to em-
ploy extended strategies, he will most likely use the shortest, most effective winning
strategies.
Strategies are session and step-specific. We use the notation stσi to represent a
5.4 Protocol Correctness 93
strategy, where i is the impasse step and σ is the session. A strategy represents, in
fact, a chain of parent-child sessions that enable the intruder to solve an impasse.
We employ the ª symbol to indicate the last session in a strategy. For instance,
suppose that two sessions τ and υ are needed and they successfully bring back to
the initial session σ the requested data. Then, we can illustrate this strategy by:
stσi = τi υj ª
If no strategy can be found for an impasse i (equivalent to an infinite chain), then
the protocol execution stops. Obviously, since an impasse cannot be resolved, we
cannot talk about strategies for the subsequent impasses. Therefore, for an attack
to continue beyond a certain step, the number of spawned sessions must be finite.
As a finite chain, a strategy will have a certain number of elements that determines
the size of the search space.
We call the strategy depth for a step i of a session σ the cardinal of stσi . The set of all
strategies involved in successfully breaking a security property of the protocol is an
attack scenario. An attack can lead to a complete execution of the protocol session
or stop right after revealing a protocol flaw. We denote the attack scenario for a
session σ by Atσ. It consists of the ordered set of winning strategies stσi employed
for overcoming impasses encountered at the respective steps i of the protocol, with
i ∈ Imσ.
5.4 Protocol Correctness
A security protocol P is correct with respect to a security property (e.g. secrecy, data
integrity, authentication etc.) if for every execution of the protocol the property is
preserved. In general, a security flaw represents a weakness that allows an attacker
to violate a security property. In the following we introduce the notion of secrecy.
5.5 Methodology 94
Secrecy, or confidentiality - as it is sometimes called, empowers the messages to reach
the intended receivers only, and nobody else. Whenever properly implemented, it
prevents unauthorized parties to benefit from any information disclosure, such as
sensitive data or cryptographic keys. However, the use of formal methods, especially
automated tools, lead to the discovery of a surprising number of secrecy flaws.
We can perceive secrecy as safeguarding some of the session specific, recently issued
data items. From this definition arises the need to define confidential messages
(such as session keys or secret text) and auxiliary session variables (such as nonces).
Revealing such pieces of information will consist in a failure of providing secrecy.
Since the intruder seeks to find out the content of those messages, they are not
originated by him. Consequently, the step i during which they are generated is
definitely not an impasse step. However, confidential messages can become part of
the intruder knowledge. Let m be a confidential message and let i and j be two
protocol steps, where i < j and i is the step in which m originated in session σ.
The secrecy property can be formalized as follows: a protocol P preserves the secrecy
of a message m if and only if
∃ i ∈ (1, n] | m ∈ V σi ∧ (∀ j ∈ (i, n], m 6∈ Kσ
j ) (5.10)
5.5 Methodology
To date, researchers deal with infinite models in order to ensure preservation of
the security properties. Given the challenges, several techniques emerged to allow
reasoning on a significantly smaller, finite model. In the following we examine the
intruder’s difficulties as he progresses through the protocol run - from mandatory
data to the effect of role and identity changing.
5.5 Methodology 95
5.5.1 Intruder Needs
A protocol run can be completed by the intruder only when the data needed for
solving all impasses can be obtained. If the desired information can be found in one
session, there is an elementary flaw in the conception of the protocol. We will just
acknowledge that this particular case sets the obvious lower bound for the number
of sessions:
card(Atσ) ≥ 1 (5.11)
Irrespective of the role the intruder had at the beginning of the attack, after a
certain number of steps he is stuck having to respond to an agent. What matters is
which agent he is communicating with, A or B, and he has both their public keys,
so encrypting the data is not an issue. The data needed by the intruder can be in
the form of an atomic message, an encryption or a concatenation. In some cases, the
information can be extracted from the intruder’s knowledge set. If not found there,
it might be possible to trick an unsuspecting agent into revealing it. The number of
sessions necessary for breaking a protocol depends on the number of impasses. The
number of impasses, in its turn, is determined by the role the intruder plays.
5.5.2 Roles and Identities
An intruder can participate in a two-party protocol run in one of the following
distinct session types: P(A, I), P(I, A), P(A, I(B)), P(I(B), A) P(B, I), P(I, B),
P(B, I(A)) and P(I(A), B). Henceforth, we denote them by α, β, γ, δ, λ, µ, ν and
ω respectively, as illustrated in Figure 5.2. Whenever an impasse appears, there
are eight options for a spawned session. Four of them involve the intruder as an
agent: α = P(A, I), β = P(I, A), λ = P(B, I) and µ = P(I, B). The other four
entail masqueraded identities of legitimate agents: γ = P(A, I(B)), δ = P(I(B), A),
ν = P(B, I(A)) and ω = P(I(A), B).
The needed data originated in step i−1 or earlier of the initial session of the protocol.
Since the intruder cannot devise by himself the pieces needed for step i, he has to
5.5 Methodology 96
rely on an honest, unsuspecting agent to do it. If the session roles are opposite to
the ones in the parent session, then the intruder would be the receiver in step i and
it could obtain the required elements of Qσi . If the roles are the same, he would
expect to find the desired information in step i + 1 of the spawned session.
At this point, we notice a very important aspect about agent identities. If in the
initial session he was talking to A masquerading B, for instance, then he needs to
talk to B in the spawned session. Agent A just sent him some data encrypted with
KB and B is the right agent to reveal it. So far, we conclude that there are only four
types of spawned sessions that could be useful for a specific step i. Those are the ones
involving the intruder and the agent whose identity he masquerades in the parent ses-
sion. The distinct ways to spawn a session with A are: P(A, I), P(I, A), P(A, I(B))
and P(I(B), A) (α, β, γ and δ). For B, they are: P(B, I), P(I, B), P(B, I(A)) and
P(I(A), B) (λ, µ, ν and ω). If any of the sessions where the intruder impersonates
another agent succeeds, that represents an authentication attack.
Remark 5.5.1 There is a special case though, the passive attack. If the initial ses-
sion is of the type P(A, I(B)) (γ) and the spawned session is of the type P(I(A), B)
(ω) and both executions complete, we have a sequence composed of the two halves
of a run P(A,B). In fact, we have a situation where the intruder intercepts and
forwards messages exchanged during a (regular) session P(A,B), known as “session
forwarding” . The occurrence of such a sequence invalidates the authentication at-
tack, as the data sent by A manages to get to B, as intended, in one protocol run
for both agents. This situation complies with Lowe’s definition of the agreement
that we adopted, fulfilling all requirements, including agreement on data items and
one-to-one correspondence for sessions. In this case the intruder simply relays the
information in both directions, without tampering with it and not being able to re-
veal any of the confidential data. For the authentication attack to work, the initial
session must not complete, so the intruder could simply refuse continuing that par-
ticular run. Same observation applies for a sequence where a session P(B, I(A)) (ν)
is followed by a session P(I(B), A) (δ): this represents just a forwarded P(B, A) pro-
5.5 Methodology 97
tocol run. Therefore, passive attacks can be successfully represented as two-session
active attacks.
In general, we do not reach an impasse for the first step of the protocol. If the
first message involves no encryptions or encryptions with public keys only, it is
either issued by an agent or can be built by the intruder. The problem becomes
more complex if private keys are used, sometimes as an authentication measure, to
“sign” data. If the intruder is the responder there is obviously no problem, as he
has the passive role of receiving the data in this step and no impasse occurs. If he
participates as an agent and is the initiator, there is no problem using his private
key. Finally, if he is the initiator in sessions P(I(A), B) and P(I(B), A), he needs to
produce messages encrypted with the agent’s private key, which he does not have.
In this case he can simply replay data recorded during a previous run and therefore
cannot be an initial session. However, it remains a valid option for spawned sessions.
5.5.3 Equivalent Attacks
For the sessions of types α, β, λ and µ, the intruder participates as an agent and,
as a result, gets all the information, so we cannot really talk about a secrecy flaw.
However, information gained during such sessions can be used for attacks.
A and B are only symbols chosen to represent the identity of two agents participating
in a protocol. Therefore, they are interchangeable. If a successful attack is found,
substituting all occurrences of A with B and all occurrences of B with A produces an
equivalent attack. In terms of sessions, we have the following equivalence relations:
α ≡ λ, β ≡ µ, γ ≡ ν and δ ≡ ω. The sessions are equivalent in the sense that if
one is present in some attack, then its equivalent is the corresponding session in the
equivalent attack. We consider the following winning strategy: stγi = ωi αj ª.
The equivalent strategy for the step i will involve sessions ν, δ and λ: stνi = δi λj ª. The equivalent attack of protocol P can then be built based on the equivalent
5.6 Bound on Sessions 98
strategies.
5.6 Bound on Sessions
In this section we derive benefit from the analysis performed in the previous section.
We present and prove a proposition that displays a bound for the number of sessions
needed to solve an impasse. Following, a theorem exhibits bounds for the analyzed
model that are sufficient to ensure protocol correctness.
Proposition 5.6.1 Let P be a two party public key encryption protocol. Let σ be a
session of that protocol and i be an impasse step within σ. If the impasse at step i
can be resolved, then the winning strategy stσi has a depth that is not greater then
three.
In formal terms, we represent the proposition by the following:
∀σ ∈ S,∀i ∈ Imσ | stσi 6= ∞⇒ card(stσi ) ≤ 3 (5.12)
Proof:
As previously stated, the roles and identities of the participants are capital.
We will study one session type and extrapolate using the same reasoning to all
others. The intuition is the following. Only some types of spawned sessions
can bring useful data. If they don’t solve the impasse, they lead to a new one.
After three levels of spawning the intruder comes across the initial session
type, which created the whole cycle, and gives up the search for a winning
strategy.
The intruder will adopt the same behavior for any impasse, irrespective of
the number of the step where it occurs. He will employ the same searching
technique for finding the missing data for the second protocol steps as for the
last one. Moreover, thanks to the equivalent strategies and attacks, we have
to analyze only half of the options for the initial sessions, as the results will
5.6 Bound on Sessions 99
also apply to the other half. That reduces drastically the size of the search
space.
We designate γ as the initial session to be analyzed. The progress is depicted
in Figure 5.2. Let i ∈ Imσ be the step where the initial session γ runs into
an impasse situation, where 2 ≤ i ≤ n. In this case, the intruder has just
completed step i − 1 as a receiver, but does not have the data he needs to
send during step i. He has to spawn a session where he will be communicating
with B, so sessions of types λ, µ, ν or ω. At this point the intruder is not
certain that any of the spawned sessions will succeed or if one of them should
be privileged over the others. We will study all four options. Case numbers
will be attributed to each situation for quick reference.
Case 1. If the intruder tries λ or µ first, there will be no impasses in the
spawned sessions as he gets all the messages encrypted with his own public
key. The information he acquired during the spawned session up to step i or
i+1 is added to his prior knowledge (see equation (5.9)). The intruder returns
to step i of the initial session γ. If the data he was seeking is contained in
the new set Kγi , then he just found a winning strategy. The same situation
arises if ν or ω are chosen and no impasses are encountered until step i. For
the choice of a λ session as the first spawn, for example, we have the following
relation:
stγi = λi ª ⇒ card(stγi ) = 1 (5.13)
Notice that also the knowledge set (Kγi−1 ∪Mγ
i ∪V γi ) ⇓ is already available to
the intruder. There is no benefit in spawning an γ type session if an impasse
occurs in ν. To conclude, if all the data required for the intruder to resolve
an impasse in ν is either in (Kγi−1 ∪Mγ
i ∪ V γi ) ⇓, Kλ
i or Kµi , the depth of the
strategy is still 1.
Case 1.1. Suppose that ν reaches an impasse at a step j < i, before the
needed data could be made available for the initial session. The intruder is in
a situation similar to the one of the initial γ session: he needs a successfully
spawned session to continue. This new session can be an α, β, γ or δ. We
5.6 Bound on Sessions 100
γ
δ
α
β
γ
δ
α
β
ω
ν
λ
µ
ω
ν
λ
µ
γ
δ
α
β
γ
δ
α
β
ω
ν
λ
µ
ω
ν
λ
µ
γ
δ
α
β
γ
δ
α
β
ω
ν
λ
µ
ω
ν
λ
µ
γ
δ
α
β
γ
δ
α
β
ω
ν
λ
µ
ω
ν
λ
µ
ω = P(I(A), B)
ν = P(B, I(A))
µ = P(I, B)
λ = P(B, I)
δ = P(I(B), A)
γ = P(A, I(B))
α = P(A, I)
β = P(I, A)
an impasse- sessions chosen for solving
- "no impasse" sessions
Figure 5.2: Options for winning strategies from initial sessions γ and δ
5.6 Bound on Sessions 101
already presented the case of the γ session in the previous paragraph. As
expected, there are no problems with advancing in the execution of spawned
sessions α or β to step j. If the needed data for the impasse at step j of session
ν is part of the knowledge sets Kαj or Kβ
j the execution of ν continues until it
reaches step i or another impasse is encountered. In case of another impasse,
the intruder uses the same technique: checks the knowledge from spawned
sessions α and/or β and then verifies the knowledge set Kνi , that is already
available.
Case 1.1.1. If the data is not part of the sets, a session δ has to be spawned.
If, same as for the previous stage, an impasse is reached at a step k < j,
the intruder has again an option of either benefiting from the knowledge of
ν or spawning a λ, µ or ω session. The case of λ and µ spawns has already
been presented in Case 1: no impasses, possibly beneficial for the intruder,
certainly the easiest way to acquire information. The intruder only has access
to (Kνj−1 ∪ Mν
j ∪ Vj) ⇓, as this situation was reached in order to resolve an
impasse at step j in the ν session. If the data is found in the available sets
from λ, µ or ν, then the impasse k is solved and the execution of δ continues.
If no other impasses occurs until step j is executed, the intruder returns to
Case 1.1. One winning strategy involves, for example, sessions ν and β and the
depth level of spawned sessions is 2, like for any other combination described
in Case 1.1 and Case 1.1.1:
stγi = νi β ª ⇒ card(stγi ) = 2 (5.14)
Case 1.1.1.1. If an impasse situation arises, then the intruder verifies again
the knowledge sets session or has to spawn a session ω. The search comes to an
end whenever an ω session is spawned. The options in case an impasse appears
at a step l < k are α, β, γ and δ sessions. But the intruder already passed
through the four session types to get to this point and therefore no spawning
would be beneficial. The corresponding four knowledge sets can contain the
data he is looking for, or not. If they don’t, the impasse l cannot be surpassed
and therefore impasses k, j and i cannot be solved. Therefore, no strategy
can be found for the impasse and no (other) attacks are discovered. If, on
5.6 Bound on Sessions 102
the contrary, the needed data is obtained or no (other) impasses is reached in
ω, the knowledge can be used in the parent δ session. Going recursively and
following the same logic, we trace back through cases 1.1.1 and 1.1 to reach
to the impasse at step i in the initial session. The intruder can then execute
the same search algorithm for Case 2, on the ω branch. The results will be
similar, only the spawn order is reversed for the ν and ω sessions, which is not
at all surprising given the hypothesis that the naming was arbitrary and the
results should be symmetric.
Therefore a winning strategy requires a maximum of three levels of spawned
sessions. The same reasoning applies to a situation where ω is the first spawned
session, and not ν, from the initial γ. This result that bounds the number of
spawned sessions for the intruder and, consequently, confines the search space,
is generally applicable for all other types the initial session α, β, δ, λ, µ, ν
and ω. For any new impasse in the initial session, the same exercise should be
executed.
2
We present in Table 5.1 the options that the intruder would have for spawning
sessions and finding winning strategies starting from a session P(A, I(B)), so a γ
type initial session. Similar choices are available for all other types of initial sessions.
Following the example presented here, we draw the conclusion that the intruder
is able to complete step i of the initial session γ if the data required to build the
message Mi is in any of the knowledge sets corresponding to the winning strategies
presented in the table 5.1. The union of all sets will represent the search space
for the needed data. Since knowledge is inherited from one spawning level to the
other, the two level 3 strategies already include the predecessor levels. Some of the
components of the two sets are common and need to be taken into account only
once: Kαn, Kβ
n, Kλn, Kµ
n and Kγi−1 ∪Mγ
i−1 ∪ V γi . Also, we have the following inclusion
relations:
i > j > k ⇒ Kωi ⊃ Kω
k (5.15)
i > j′ > k′ ⇒ Kνi ⊃ Kν
k′ (5.16)
5.6 Bound on Sessions 103
Session
Level1
Level2
Level3
Strategy
Kno
wledg
eset
γi
--
stγ i
=λ
iª
(Kγ i−
1∪
Mγ i∪
Vγ i∪Kλ n
)⇓
γi
--
stγ i
=µ
iª
(Kγ i−
1∪
Mγ i∪
Vγ i∪Kµ n
)⇓
γi
--
stγ i
=ν i
ª(K
γ i−1∪
Mγ i∪
Vγ i∪Kν i
)⇓
γi
--
stγ i
=ω
iª
(Kγ i−
1∪
Mγ i∪
Vγ i∪Kω i
)⇓
γi
j-
stγ i
=ν i
α
ª(K
γ i−1∪M
γ i∪V
γ i∪K
λ n∪K
µ n∪K
ν i∪K
α n)⇓
γi
j-
stγ i
=ν i
β
ª(K
γ i−1∪M
γ i∪V
γ i∪K
λ n∪K
µ n∪K
ν i∪K
β n)⇓
γi
j-
stγ i
=ν i
δ j
ª(K
γ i−1∪M
γ i∪V
γ i∪K
λ n∪K
µ n∪K
ν i∪K
δ j)⇓
γi
j’-
stγ i
=ω
i
αª
(Kγ i−
1∪M
γ i∪V
γ i∪K
λ n∪K
µ n∪K
ω i∪K
α n)⇓
γi
j’-
stγ i
=ω
i
βª
(Kγ i−
1∪M
γ i∪V
γ i∪K
λ n∪K
µ n∪K
ω i∪K
β n)⇓
γi
j’-
stγ i
=ω
i
δ j′ª
(Kγ i−
1∪M
γ i∪V
γ i∪K
λ n∪K
µ n∪K
ω i∪K
δ j′)⇓
γi
jk
stγ i
=ν i
δ j
ω
kª
(Kγ i−
1∪M
γ i∪V
γ i∪K
λ n∪K
µ n∪K
ν i∪K
δ j∪
Kα n∪Kβ n
∪Kω k
)⇓
γi
j’k’
stγ i
=ω
i
δ j′
ν k′ª
(Kγ i−
1∪M
γ i∪V
γ i∪K
λ n∪K
µ n∪K
ω i∪K
δ j′∪
Kα n∪Kβ n
∪Kν k
′)⇓
Table5.1:
Spaw
ning
option
sforan
initials
ession
γ.
5.6 Bound on Sessions 104
However, there is no way to say if j > j′ or j′ > j. If we denote the greatest of the
two by j” = max(j, j′) then we have:
Kδj” = Kδ
j ∪ Kδj′ (5.17)
Therefore, an impasse at a step i ∈ Imγ is resolvable if the following relation holds:
Qγi ⊂ (Kγ
i−1 ∪Mγi ∪ V γ
i ∪ Kλn ∪ Kµ
n ∪ Kαn ∪ Kβ
n ∪ Kνi ∪ Kω
i ∪ Kδj”) ⇓ (5.18)
Theorem 5.6.2 If a protocol P fails to provide secrecy, then an intruder would be
able to find attack scenarios that need at most card(Imσ)× 3 sessions for a secrecy
flaw.
The formal representation of the above-stated theorem is illustrated by:
∀σ ∈ S, ∃Atσ | card(Atσ) ≤ card(Imσ)× 3 (5.19)
where “card ” denotes the cardinal function of the set, Imσ is the number of resolved
impasses and Atσ is an attack scenario.
Proof:
We consider one impasse step and apply the result to all protocol steps. The
idea is rather simple: if there is a winning strategy for the intruder’s problem
for a certain impasse, he will proceed with the next step, and so on. The
depth of winning strategies is at most three. To find out which is the number
of sessions needed to find the respective flaws by simply to multiplying the
number of corresponding steps with 3.
Resolving impasses is a necessary condition. Since for each step there is at least
one winning strategy involving at most three spawned sessions (Proposition 1 ),
there exist an attack scenario for revealing a secrecy flaw that takes at most
card(Imσ)× 3 sessions. 2
5.7 Case Study 105
Remark 5.6.3 Secrecy flaws: If any of the successful spawned session is α, β, λ
or µ, then the messages received by the intruder are encrypted with KI , and therefore
secrets are revealed to him. Since we are searching for potential secrecy flaws, the
focus is on confidential variables: we say that if the attack progresses past the impasse
step i, where the impasse was resolved through a session of type α, β, λ or µ, a
secrecy flaw has been discovered.
5.7 Case Study
We illustrate the results on the CCITT X.509 protocol [15]. It is a very good
candidate as the original version has been found to be flawed, but there is a corrected
version for which there are no claimed attacks. The original version of the protocol
is presented in Table 5.2.
Message 1. A → B : A, TA, NA, B,XA, YAKBK−1
A
Message 2. B → A : B, TB, NB, A,NA, XB, YBKAK−1
B
Message 3. A → B : A, NBK−1A
Table 5.2: The original CCITT X.509 Protocol
We start by analyzing the options for the initial session. If any attacks are found,
there will be equivalent attacks and we need to perform the analysis only on half of
the session types. We have a choice of either α, β, γ, δ or λ, µ, ν, ω. In addition,
we notice that the first message contains an encryption with private keys, and that
prevents both δ and ω of being potential initial sessions in an attack: the intruder
would have to produce messages signed with the private key of A or B, which he
5.7 Case Study 106
does not possess. With that in mind, we choose to analyze the set of α, β, γ, δ,
from which we remove δ for the above mentioned reasons.
The sessions α and β complete successfully, but they do not qualify as attacks. The
intruder participates as an agent and there are no impasses and no secrecy issues.
Session γ needs to spawn a helping session at step two, as the intruder cannot use
B’s private key to encrypt a part of the second message. The options for spawned
sessions are λ, µ, ν and ω, as presented in Table 5.3. As in the case of α and β, λ
and µ complete successfully, but with no beneficial results for an attack. A ν session
does not bring good results either, since the intruder runs into an impasse at step
2, same in the case γ, as he cannot built a message encrypted with private key of
A. The single useful session type at this point is ω: the intruder is the initiator,
so he has an opportunity to introduce in the first message variables from γ and he
gets in response from B, in step 2, the message encryption needed in the initial
session. If the ω session completes, the intruder succeeds an attack. The agent
thinks he has just run the protocol with someone else. However, as discussed in the
subsection concerning roles and identities, if both γ and ω complete, we run into a
classic situation of a passive attack. The attack would otherwise succeed if the initial
session would not complete. Therefore, the intruder will focus only on completing
the execution of ω and will drop further involvement in the initial session γ. There
is an impasse that occurs in the third step of the ω session: the intruder has to build
the message encryption NBK−1A. There is a need for a spawned session with A,
and the options are α, β, γ and δ. The only one that returns the required data is α.
The data is fed back into the third step of the ω session and the attack completes,
as shown in Table 5.3.
There are two strategies involved in the attack Atγ, triggered by the impasses at the
step 2 in γ and 3 in ω, of which the first one is dropped and the second is resolved:
stγ2 = ω ª stω3 = α ª
5.7 Case Study 107
Step
Role
Dataneeded
Intrud
er’s
know
ledg
eIm
passe
Spaw
n
γ.1
seγ 1
Non
e(K
γ 0∪T
A,N
A,X
A,
YA K
B∪
TA,N
A,B
,XA,
YA K
B K
−1
A)⇓
NO
-
γ.2
reγ 2
TB,N
B,A
,NA,X
B,
YB,
YB K
A K
−1
B
(Kγ 0∪T
A,N
A,X
A,
YA K
B∪
TA,N
A,B
,XA,
YA K
B K
−1
A)⇓
YES
ω
ω.1
seω 1
Non
e(K
γ 0∪T
A,N
A,X
A,
YA K
B∪
TA,N
A,B
,XA,
YA K
B K
−1
A)⇓
NO
-
ω.2
reω 2
Non
e(K
γ 0∪
TA,N
A,X
A,
YA K
B
∪T
B,N
B,X
B,
YB K
A
∪T
B,N
B,A
,NA,X
B,
YB K
A K
−1
B∪
TA,N
A,B
,XA,
YA K
B K
−1
A)⇓
NO
-
ω.3
seω 3
NB K
−1
A(K
γ 0∪
TA,N
A,X
A,
YA K
B
∪T
B,N
B,X
B,
YB K
A
∪T
B,N
B,A
,NA,X
B,
YB K
A K
−1
B∪
TA,N
A,B
,XA,
YA K
B K
−1
A)⇓
YES
α
α.1
reα 1
Non
e(K
γ 0∪
TA,N
A,X
A,
YA K
B
∪T
B,N
B,X
B,
YB K
A
∪T
′ A,N
′ A,X
′ A,Y
′ A
∪T
B,N
B,A
,NA,X
B,
YB K
A K
−1
B∪
TA,N
A,B
,XA,
YA K
B K
−1
A∪T
′ A,N
′ A,I
,X′ A,
Y′ A K
I K
−1
A)⇓
NO
-
α.2
seα 2
Non
e(K
γ 0∪
TA,N
A,X
A,
YA K
B
∪T
B,N
B,X
B,
YB K
A
∪T
′ A,N
′ A,X
′ A,Y
′ A
∪T
I,X
I,Y
I
∪T
B,N
B,A
,NA,X
B,
YB K
A K
−1
B∪T
A,N
A,B
,XA,
YA K
B K
−1
A∪
T′ A,N
′ A,I
,X′ A,
Y′ A K
I K
−1
A∪T
I,N
B,A
,N′ A,X
I,
YI K
A K
−1
I)⇓
NO
-
α.3
reα 3
Non
e(K
γ 0∪
TA,N
A,X
A,
YA K
B
∪T
B,N
B,X
B,
YB K
A
∪T
′ A,N
′ A,X
′ A,Y
′ A
∪T
I,X
I,Y
I
∪N
B K
−1
A∪
TB,N
B,A
,NA,X
B,
YB K
A K
−1
B∪T
A,N
A,B
,XA,
YA K
B K
−1
A∪
T′ A,N
′ A,I
,X′ A,
Y′ A K
I K
−1
A∪T
I,N
B,A
,N′ A,X
I,
YI K
A K
−1
I)⇓
NO
-
ω.3
seω 3
Non
e(K
γ 0∪
TA,N
A,X
A,
YA K
B
∪T
B,N
B,X
B,
YB K
A
∪T
′ A,N
′ A,X
′ A,Y
′ A
∪T
I,X
I,Y
I
∪N
B K
−1
A∪
TB,N
B,A
,NA,X
B,
YB K
A K
−1
B∪
TA,N
A,B
,XA,
YA K
B K
−1
A∪
T′ A,N
′ A,I
,X′ A,
Y′ A K
I K
−1
A∪
TI,N
B,A
,N′ A,X
I,
YI K
A K
−1
I)⇓
NO
-
Table5.3:
Spaw
ning
option
sforan
initials
ession
γof
theCCIT
TX.509
protocol
5.7 Case Study 108
The equivalent strategies can be built for an initial session ν and spawned sessions
δ and λ:
stν2 = δ ª stδ3 = λ ª
A similar attack is presented by M. Burrows, M. Abadi and R. Needham in [14].
In the same paper [14], the authors propose and prove correct a slightly modified
version of the CCITT X.509 protocol 5.4, which uses the identity of one of the agents
in the 3rd message and does not use timestamps anymore, as they are redundant.
The removal of the timestamps does not affect the possible paths for an attack as
the problem with the original protocol lays one level higher. The intruder misses the
private keys of the agents. He stops even before starting to verify if he has all the
data needed to build the message encryption. A potential attack on the corrected
version would follow then the same path as for the original version of the protocol.
Message 1. A → B : A, NA, B, XA, YAKBK−1
A
Message 2. B → A : B, NB, A,NA, XB, YBKAK−1
B
Message 3. A → B : A, B,NBK−1A
Table 5.4: The corrected CCITT X.509 Protocol
We analyze the attempt to attack the corrected protocol by using γ as the initial
session. There is a very similar behavior for γ and ω: we encounter the same impasses
at steps 2 and 3, respectively. We also notice an almost identical expression for the
intruder’s knowledge, the difference being the absence of TA and TB. The important
change appears in the third message of α, where instead of NBK−1A
we encounter
I, NBK−1A. The new format of the message prevents the intruder to replay it in
5.8 Conclusion 109
session ω, therefore the attack that worked on the original protocol does not succeed
in the corrected one. Consequently, the equivalent attack does not succeed either.
Since this is the only possible pair of attacks, we conclude that the corrected CCITT
X.509 protocol is correct.
5.8 Conclusion
In this chapter we have presented some formal reasoning for evaluating security
protocol correctness. The proposed framework includes a comprehensive analysis
and a bounding model for multi-session attacks. We examined the possible behavior
of the intruder during a protocol run and drew conclusions about how his knowledge
evolves and what actions he can take to gain as much information as possible for
building winning strategies for an attack.
We defined and formalized the components of the environment, the assumptions
about the execution model and our understanding of terms such as protocol, secrecy
and correctness. The pivotal points of the reasoning are the impasses, the spawned
sessions and the winning strategies. Briefly, the logical sequence can be represented
as follows: the intruder cannot continue the protocol execution with the data he
has (impasse), therefore he needs to find it in a spawned session, and bring it back
through a winning strategy for the attack scenario to succeed. We dissected the
needs of the intruder and observed important properties exhibited by the model in
terms of roles and equivalent attacks.
The detailed examination of the potentially useful spawned sessions and winning
strategies leads to the conclusion that after a certain step, even if no impasses are
encountered, the data brought back from supplemental spawns is not useful for the
attack. The depth of a winning strategy for an impasse in a two party protocols
using public keys has been proven to be three. Consequently, the attack scenarios
for those protocols cannot exceed three times the number of the impasses and the
5.8 Conclusion 110
corresponding theorem for secrecy has been formulated. Proper formalization of
other security properties done in a similar manner, along with the corresponding
propositions and theorems would allow a thorough definition for protocol correct-
ness.
Chapter 6
Conclusion
6.1 Contribution
Cryptographic protocols verification is not an easy task. To date, there are a limited
number of methods for achieving correctness results with respect to security prop-
erties, such as authentication and secrecy. Formal methods are one of the successful
approaches. We employed two different techniques in order to examine how secrecy
can be guaranteed in the presence of a malicious intruder.
Our contribution comes in the shapes of an abstract trace model and a formal rea-
soning. Both share a common aim: defining conditions that are sufficient to preserve
security properties. Our attempt has been completed in two stages. During the first
stage, introduced in chapter 4, we succeeded to use a different approach of a known
result. We benefited from protocol and intruder models and the abstraction func-
tion that have been defined by Adi [5]. However, we replaced the category-based
abstraction with a trace model. The second stage comprises a formal reasoning pre-
sented in chapter 5. This part is entirely original, from assumptions to conclusions.
Some propositions and theorems relevant for the analyzed models, along with the
associated proofs, have also been included in chapters 4 and 5.
111
6.1 Contribution 112
We introduced the main concepts of abstract interpretation and some abstraction-
based models in chapter 3. The approach appealed to us as a powerful and suitable
method for bounding the infinite real-world protocol models. The concrete trace
model employed is related to Paulson’s inductive rules. Adding the abstraction
function defined in [5] led to an abstract model that overestimates the intruder’s
knowledge. The abstraction is therefore correct with respect to the information
that can be obtained by the intruder and used in possible attacks. The resulting
set of abstract messages is computable, since the model is finite. The secrets are
checked against the intruder’s abstract knowledge set. If any matches are found,
then the secrecy property does not hold for that particular protocol. The model
is only semi-decidable though, in the sense that if no matches are found, then no
statement can be made about secrecy. The size of the set increases quite fast with
the number of entities used during protocol runs. However, the abstraction function
manages to trim down the depth and width of the messages by imposing upper
bounds for both.
In chapter 5 we defined a new model for security protocols and the intruder’s knowl-
edge. The model bounds multi-sessions attacks and the result is similar in some
aspects with the one obtained by abstract interpretation. We demonstrated that it
is sufficient to analyze a limited number of sessions in order to find out if security
properties are preserved. The research was made on a two-party protocol, but can
be extended to protocols that use more then two agents. For the case studied, we
exhibit a bound for the number of sessions needed for successful attacks. There are
few models that succeed in verifying correctness for secrecy. Our framework is one
of them. Moreover, to our knowledge, this is the first result that shows a bound
on the number of protocol runs for multi-session attacks that is independent of the
number of steps and variables.
We introduced the original concepts of impasse, spawned session and winning strat-
egy. We also adapted the classic definition of session roles to represent individual
6.2 Future Work 113
protocol steps. Secrecy and authentication are formalized as conditions to be veri-
fied. The formal reasoning is presented in the form of proofs for a proposition and a
theorem. The basic idea is that an intruder runs into an impasse whenever he does
not have the data needed to build a message he has to send. To solve the impasse,
the agents have to spawn other sessions in search for that data. If the information is
found, the intruder has a winning strategy for that impasse. The sequence of strate-
gies needed for resolving all impasses, if there is one, is called an attack scenario. To
illustrate a practical implementation of this theory, the CCITTX.509 protocol was
analyzed. The attack scenario revealed by our technique for the original version of
the protocol is similar to the one published by Burrows, Abadi and Needham.
The results obtained by examining impasse steps can be readily adapted to the
case of two party protocols using symmetric keys. Considering a third agent or a
server would add two other sessions to the options for spawns, depending on which
agent the intruder needs to communicate with. For agent A and a server S, for
example, besides α, β, γ and δ, we would need to add P(A, I(S)) and P(I(S), A).
For the server S itself, the full set of options would be P(S, I), P(I, S), P(I(A), S),
P(S, I(A)), P(I(B), S) and P(S, I(B)). With six options for the spawned sessions,
the maximum depth of winning strategy changes, too. Accordingly, some of the
reasoning is still valid in the case of three party protocols involving a key server and
a model can be built based on this study.
6.2 Future Work
The main focus of this study is on the secrecy property. However, as presented in
the introductory chapter, there are many other interesting security properties to be
investigated, such as authentication, non-repudiation, anonymity, and availability.
Secrecy is a necessary condition for authentication and therefore any secrecy flaw
also translates into an authentication flaw. It would be interesting to attempt an
6.2 Future Work 114
integration of those features in the frameworks we developed in this thesis in order
to obtain either decidability or correctness results. Such an endeavor would require
a significant amount of work. The definitions themselves for those security proper-
ties are not yet standardized and various degrees of detail imply different levels of
complexity for the proper models.
Another potential development of the work presented in this thesis are software tools
for automatic verification. The input would be a protocol specification consisting of
formalized descriptions of the protocol steps, the participants and their capabilities.
In the case of the abstraction function, the output would be an answer for protocol
correctness with respect to secrecy. For the formal reasoning, the tool could reveal
winning strategies and attack scenarios, if they exist.
A final note about the scope of this thesis. Assumptions limit the applicability of
the models to certain classes of protocols. In some of the cases, the restrictions
imposed on the context of our research might have been too strict. For instance,
we defined keys as atomic messages in chapter 5. However, we do not make use of
their atomic nature in our proofs. Therefore, non-atomic keys are just as adequate
as the atomic keys. Relaxing some of the assumptions might lead to similar results
applicable to a wider class of protocols.
Bibliography
[1] Martín Abadi and Andrew D. Gordon. A calculus for cryptographic protocols:
The SPI calculus. In Fourth ACM Conference on Computer and Communica-
tions Security, pages 36–47. ACM Press, 1997.
[2] Martín Abadi and Roger Needham. Prudent engineering practice for crypto-
graphic protocols. IEEE Transactions on Software Engineering, 22(1):6–15,
January 1996.
[3] K. Adi and M. Debbabi. A game semantics approach for security protocols. In
6th International Symposium on Programming and Systems, ISPS’2003, pages
209–227, 2003.
[4] K. Adi, M. Debbabi, and M. Mejri. A New Logic for Electronic Commerce
Protocols. Theoretical Computer Science (TCS), 291(3), 2003.
[5] Kamel Adi. Formal Specification and Analysis of Security Protocols. PhD thesis,
Université Laval, Québec, 2002.
[6] Kamel Adi and Mourad Debbabi. Abstract interpretation for proving secrecy
properties in security protocols. In Electronic Notes in Theoretical Computer
Science, volume 55, pages 29–53, 2003.
[7] Ross Anderson and Roger Needham. Robustness principles for public key pro-
tocols. In CRYPTO: Proceedings of Crypto, 1995.
115
6.2 Future Work 116
[8] D. Bert, R. Echahed, and B. Ostvold. Abstract rewriting. In Third Interna-
tional Workshop on Static Analysis, pages 178–192. Lecture Notes in Computer
Science 724, Springer-Verlag, 1993.
[9] D. Bolignano. Towards a mechanization of cryptographic protocol verifica-
tion. In 9th International Computer-Aided Verification Conference, CAV’97,
Jun 1997.
[10] C. Boyd. A class of flexible and efficient key management protocols. In Pro-
ceedings 9th IEEE Computer Security Foundations Workshop, pages 2–8. IEEE
Computer Society Press, 1996.
[11] L. Bozga, Y. Lakhnech, and M. Périn. Pattern-based abstraction for verifying
secrecy in protocols. In TACAS, volume 2619 of Lecture Notes in Computer
Science, pages 299–314. Springer, 2003.
[12] S. Brackin. An interface specification language for automatically analyzing
cryptographic protocols. In Internet Society Symposium on Network and Dis-
tributed System Security, San Diego, CA, February 1997.
[13] Michael Burrows, Martín Abadi, and Roger Needham. The Scope of a Logic of
Authentication. Technical Report 39, Digital Systems Research Center, 1994.
[14] Michael Burrows, Martín Abadi, and Roger Needham. A logic of authentica-
tion, from Proceedings of the Royal Society, volume 426, number 1871, 1989. In
William Stallings, Practical Cryptography for Data Internetworks. IEEE Com-
puter Society Press, 1996, 1996.
[15] CCITT. The directory authentification framework. Draft Recommendation
X.509, 1987. Version 7.
[16] H. Comon, M. Dauchet, R. Gilleron, F. Jacquemard, D. Lugiez, S. Tison, and
M. Tommasi. Tree automata techniques and applications, 1997.
6.2 Future Work 117
[17] H. Comon-Lundh and V. Cortier. Security properties: Two agents are sufficient.
In Proceedings of the 12th European Symposium on Programming (ESOP ’03),
pages 99–113. Springer Verlag, April 2003.
[18] D. L. Dill. The Murphi Verification System. In Rajeev Alur and Thomas
A. Henzinger, editors, Proceedings of the Eighth International Conference on
Computer Aided Verification CAV, volume 1102 of Lecture Notes in Computer
Science, pages 390–393, New Brunswick, NJ, USA, July/August 1996. Springer
Verlag.
[19] M. Debbabi, M. Mejri, N. Tawbi, and I. Yahmadi. A new algorithm for the
automatic verification of authentication protocols: From specifications to flaws
and attack scenarios. In DIMACS Workshop on Design and Formal Verification
of Security Protocols, September 1997.
[20] Alain Deutsch. Interprocedural may-alias analysis for pointers: beyond k-
limiting. ACM SIGPLAN Notices, 29(6):230–241, 1994.
[21] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE
Transactions on Information Theory, IT-22(6):644–654, 1976.
[22] B. Donovan, P. Norris, and G. Lowe. Analyzing a library of security protocols
using Casper and FDR. InWorkshop on Formal Methods and SecurityProtocols,
1999.
[23] F. J. T. Fabrega, J. C. Herzog, and J. D. Guttman. Strand spaces: Proving
security protocols correct. Journal of Computer Security, 7:191–230, 1999.
[24] A. O. Freier, P. Karlton, and P. C. Kocher. The SSL protocol: Version 3.0.,
March 1996. http://home.netscape.com/eng/ssl3/ssl-toc.html.
[25] P. Gardiner, D. Jackson, and J. Hulance et B. Roscoe. Security Modeling in CSP
and FDR: Deliverable bundle 2. Technical report, Formal Systems (Europe)
Ltd, April 1996.
6.2 Future Work 118
[26] P. Gardiner, D. Jackson, and B. Roscoe. Security Modeling in CSP and FDR:
Deliverable bundle 3. Technical report, Formal Systems (Europe) Ltd, July
1996.
[27] Thomas Genet and Francis Klay. Rewriting for cryptographic protocol verifi-
cation. In Conference on Automated Deduction, pages 271–290, 2000.
[28] Li Gong, Roger Needham, and Raphael Yahalom. Reasoning About Belief
in Cryptographic Protocols. In Deborah Cooper and Teresa Lunt, editors,
Proceedings 1990 IEEE Symposium on Research in Security and Privacy, pages
234–248. IEEE Computer Society, 1990.
[29] Jean Goubault-Larrecq. A method for automatic cryptographic protocol veri-
fication (extended abstract). In FMPPTA’2000, Cancun, Mexico, May 2000.
[30] Joshua D. Guttman and F. Javier Thayer Fábrega. Authentication tests and
the structure of bundles. Theoretical Computer Science, 2001.
[31] James Heather and Steve Schneider. Towards automatic verification of authen-
tication protocols on an unbounded network. In PCSFW: Proceedings of The
13th Computer Security Foundations Workshop. IEEE Computer Society Press,
2000.
[32] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall, 1985.
[33] Gerard J. Holzmann. Design and Validation of Computer Protocols. Prentice
Hall, Englewood Cliffs, New Jersey, 1991.
[34] G. Lowe. An Attack on the Needham-Schroeder Public Key Authentication
Protocol. Information Processing Letters, 56(3):131–136, November 1995.
[35] G. Lowe. Breaking and Fixing the Needham Schroeder Public-Key Protocol
using FDR. In Proceedings of TACAS, volume 1055, pages 147–166. Springer
Verlag, 1996.
6.2 Future Work 119
[36] G. Lowe. SPLICE-AS: A Case Study in Using CSP to Detect Errors in Security
Protocols. Technical report, Programming Research Group, Oxford, 1996.
[37] G. Lowe. Casper: A compiler for the analysis of security protocols. In PCSFW:
Proceedings of The 10th Computer Security Foundations Workshop, pages 53–
84. IEEE Computer Society Press, 1997.
[38] Catherine Meadows. The NRL protocol analyzer: An overview. Journal of
Logic Programming, 26(2):113–131, 1996.
[39] Jonathan K. Millen and Harald Ruess. Protocol-independent secrecy. In IEEE
Symposium on Security and Privacy, pages 110–209, 2000.
[40] R. Milner. The polyadic π-calculus: A tutorial. Technical report, Laboratory for
Foundations of Computer Science, Department of Computer Science, University
of Edinburgh, 1991.
[41] R. Milner, J. Parrow, and D. Walker. A calculus of mobile processes (Parts I
and II). Information and Computation, 100:1–77, 1992.
[42] J. C. Mitchell, M. Mitchell, and U. Stern. Automated Analysis of Cryptographic
Protocols Using Murφ. In Proceedings 1997 IEEE Symposium on Security and
Privacy, pages 141–153. IEEE Computer Society, May 1997.
[43] J. C. Mitchell, V. Shmatikov, and U. Stern. Finite-State Analysis of SSL 3.0.
In Proceedings of the DIMACS Workshop on Design and Formal Verification
of Security Protocols, September 3-5, 1997, DIMACS Center, CoRE Building,
Rutgers University, New Jersey, USA, pages 1–20, September 1997.
[44] David Monniaux. Abstracting cryptographic protocols with tree automata. In
Proceedings of the 6th International Symposium on Static Analysis, pages 149–
163, 1999.
[45] David Monniaux. Abstracting cryptographic protocols with tree automata.
Science of Computer Programming, 47(2–3):177–202, 2003.
6.2 Future Work 120
[46] Peter Naur. The design of the GIER ALGOL compiler. BIT, 3(2):124–140,
1963.
[47] International Standards Organisation. Common criteria for information tech-
nology security (cc). In International Standard ISO/IS 15408 Final Committee
Draft, version 2.0, 1998.
[48] L. C. Paulson. Isabelle: a Generic Theorem Prover, volume 828. Springer-
Verlag Inc., New York, NY, USA, 1994.
[49] L. C. Paulson. Proving properties of security protocols by induction. In 10th
Computer Security Foundations Workshop, pages 70–83. IEEE Computer Soci-
ety Press, 1997.
[50] E. Rescorla and A. Schiffman. The secure hypertext transfer protocol. In
Proceedings of the Forty-Second Internet Engineering Task Force, August 1998.
[51] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signa-
tures and public key cryptosystems. Communications of the ACM, 21(2):120–
126, February 1978.
[52] B. Roscoe and P. Gardiner. Security Modelling in CSP and FDR: Final report.
Technical report, Formal Systems Europe, October 1995.
[53] R. A. Scantlebury and K. A. Bartlett. A protocol for use in the NPL data
communication network. Technical report, National Physical Laboratory, April
1967.
[54] S. Schneider. Security Properties and CSP. In Proceedings of the 1996 IEEE
Symposium on Security and Privacy, pages 174–187. IEEE Computer Society
Press, May 1996.
[55] V. Shmatikov and J. C. Mitchell. Analysis of a Fair Exchange Protocol. Seventh
Annual Symposium on Network and Distributed System Security, San Diego,
pages 119–128, 2000.
6.2 Future Work 121
[56] Scott D. Stoller. A bound on attacks on payment protocols. In Logic in Com-
puter Science, pages 61–70, 2001.
[57] Paul Syverson. Limitations on design principles for public key protocols. In
IEEE Symposium on Security and Privacy, pages 62–73, Oakland, CA, 1996.
IEEE Computer Society Press.
[58] J. D. Tygar. Atomicity in electronic commerce. In Proceedings of the Fifteenth
Annual ACM Symposium on Principles of Distributed Computing, pages 8–26,
1996.
[59] Thomas Y. C. Woo and Simon S. Lam. A lesson on authentication protocol
design. Operating Systems Review, 28(3):24–37, 1994.