Protocols

Submitted in partial fulfilment of the requirements
for the degree of
Master of Technology

by

Supervisor
Prof. G. Sivakumar

Department of Computer Science and Engineering
INDIAN INSTITUTE OF TECHNOLOGY, BOMBAY
December 2002
Acknowledgments

I take this opportunity to express my sincere thanks and deep sense of gratitude to my advisor Prof. G. Sivakumar for his valuable guidance and supervision in all phases of the project. I am also thankful to the Center of Formal Design and Verification of Software and the Department of Computer Science, IIT Bombay for providing the necessary facilities and support.

I believe this work wouldn't have been possible without my parents' blessings; I owe it all to them.
Abstract

The process of designing a correct cryptographic protocol does not end with getting the cryptographic primitives right. The literature is full of protocols which were initially believed to be correct, and were later found to have flaws. Interestingly, most of these are structural flaws, i.e. the intruder can subvert the goals of the protocol without breaking the underlying crypto-system. Given the wide range of operations which the intruder uses to compose these attacks, it is very difficult for the designer to intuitively reason about these attacks. Formal methods of analysis should thus be applied before the protocols are put to use. Such an analysis involves developing property preserving abstractions of protocols, specification languages to express goals and assumptions, and procedures to decide whether the protocol achieves its intent. The Strand Space Model is one of the existing cryptographic protocol analysis mechanisms. Here, we describe how proofs in the strand spaces formalism can be generalized and applied to a range of protocols. We formalize our generalization in PVS and describe how a protocol description in a common specification language can be translated to theories, which can be used to prove the correctness of protocol properties.
Contents

1. Introduction 1
1.1. Flaws and Attacks 2
1.2. Formal Analysis - A Brief Survey 4
1.2.1. Attack Constructors 5
1.2.2. Proof Generators 6
1.3. Scope of Our Work 6
1.4. Outline 7
2. The Problem 8
2.1. Ideal Cryptography 8
2.1.1. Freeness Assumptions 10
2.2. The Penetrator 11
2.3. Protocol Guarantees 11
2.3.1. Authentication 12
2.3.2. Secrecy 12
3. Specification 13
3.1. CAPSL 14
3.1.1. Type Specifications 15
3.1.2. Protocol Specifications 16
3.1.3. Environment Specification 18
Bibliography 51
1. Introduction

Security is all about providing guarantees. Authentication, for example, is the guarantee that we are indeed communicating with the party we think we are communicating with. Secrecy, on the other hand, is the guarantee that the messages we send are intelligible only to the intended recipients. Providing these guarantees on the network is difficult, because all that we can observe with surety are local events, while these guarantees require us to reason about what might have happened across the network. This is where network security protocols come in.

A network security protocol, from the perspective of a party executing it, is a sequence of local events, enough to guarantee the occurrence of certain events across the network. These global inferences from local observations are enabled by using the properties of cryptographic transformations that are performed on the messages exchanged. For instance, if we send an encrypted message, we can infer that it makes sense only to those who possess the proper decryption key. The correctness of this inference, obviously, depends on our faith in the underlying crypto-system, but this is not the only factor.
1.1. Flaws and Attacks

The literature is full of examples of cryptographic protocols that were published, believed to be correct and later found to have flaws independent of the strength of the primitives used to implement them. In other words, even if the underlying crypto-system is perfect, penetrators can subvert the goals of these protocols. Any new protocol must be thoroughly analyzed before being deployed, and this project deals with how such an analysis can be done using formal techniques of software verification.

One reason why formal analysis of cryptographic protocols is required is that the attacks are usually hard to figure out intuitively. Cryptographic protocols rarely have more than four messages per party, but the options available to the penetrator are enough to take all possible executions of the protocol beyond intuitive reasoning. To realize this, consider the following symmetric key protocol due to Woo and Lam. (It is assumed that all principals share keys with a fixed key server S.)

1. A → B : A
2. B → A : N_B
3. A → B : {N_B}_{K_AS}
4. B → S : {A, {N_B}_{K_AS}}_{K_BS}
5. S → B : {N_B}_{K_BS}

The authors propose that the protocol structure is enough to provide the guarantee: "whenever a responder finishes execution of the protocol, the initiator of the protocol is in fact the principal claimed in the initial message." This is how they informally reason the correctness of the protocol:

A claims its identity in message 1; B provides a nonce challenge in message 2; A returns this challenge encrypted under K_AS in message 3; B passes on this message to S for verification, bound with A's name encrypted under K_BS in message 4; S decrypts {N_B}_{K_AS} using the key it shares with A and re-encrypts the result under B's key and sends it to B in the last message. If B gets back {N_B}_{K_BS} from S, it should be convinced that A has responded to the nonce challenge, since only A and S know the key K_AS.
So far so good, but as we introduce the penetrator in the system, things start happening. Consider the following run of the protocol. The penetrator P succeeds in making B believe that it is A by starting two concurrent sessions. It uses the information that it derives from one of the sessions to fool B into believing that it is A in the other session.

1. P → B : A
1'. P → B : P
2. B → A : N_B
2'. B → P : N'_B
3. P → B : {N_B}_{K_PS}
3'. P → B : {N_B}_{K_PS}
4. B → S : {A, {N_B}_{K_PS}}_{K_BS}
4'. B → S : {P, {N_B}_{K_PS}}_{K_BS}
5. S → B : {N''_B}_{K_BS}
5'. S → B : {N_B}_{K_BS}

Given this attack, we can reason about what is wrong with the protocol. The last message is intended to be a reply to the query that is presented by B to S in the fourth message, but nothing in the protocol structure links the two messages. The protocol implicitly associates N_B to the claimed identity, and it is precisely this implicit association that P uses to subvert the protocol goal. The structure of the protocol is flawed!

The attack can be avoided if the protocol makes the relation between B's query and S's response explicit in the last message by replacing it with {A, N_B}_{K_BS}. Cryptographic operations aren't wholly cheap, and the designer is tempted to do away with parts of the messages which he thinks aren't necessary for the correctness of the protocol. While such an optimization is definitely welcome, the effects of removing information from messages must be thoroughly examined.

Apart from the fact that reasoning intuitively about these protocols is difficult and error prone, the use of formal methods is essential for another reason. These protocols are usually components of some larger systems, and the critical nature of the applications that these systems support makes it essential to produce proofs of correctness before these protocols are deployed. Systems may be unacceptable to the users in the absence of such proofs of correctness. This is indeed one of the reasons why protocols like SET could never find widespread usage.

1.2. Formal Analysis - A Brief Survey
Formal analysis of cryptographic protocols has been a field of active research in recent years; several formalisms and mechanisms have been developed and have been used to show that protocols are correct. Most of the work done falls into one of the following categories.

The logical paradigm makes use of logics of belief or knowledge to prove correctness of protocols. The framework comprises a set of constructs to express the beliefs of protocol participants and a set of inference rules to specify how these beliefs change as the protocol proceeds. BAN logic [15], introduced by Burrows et al., is the most successful attempt that falls under this style of analysis. The approach enjoys the advantages of being intuitive and easy to use, but the system is abstracted at a very high level, and several issues like concurrency are ignored.
Complexity theoretic analysis, on the other hand, reduces the problem of attacking the protocol to some computationally hard problem, thus proving that it is impossible for a penetrator to attack the protocol. This approach is flexible enough to model the protocol at any level of detail, but cannot be generalized or automated.

Most of the recent work done is based on algebraic systems. Here, cryptographic primitives are idealized as types with certain properties, and the protocol is considered to be a system that uses the properties of these types to provide the required guarantees. Correctness of protocols is proved either by searching the execution space for attacks or by proving mathematically that it is impossible for the penetrator to subvert the goals of the protocol. These correspond to the two approaches of analysis, namely attack construction and proof generation.
1.2.1. Attack Constructors

Millen's Interrogator and Longley and Rigby's search tool are examples of specialized exhaustive model checkers which attempt to construct attacks. General purpose model checkers have also been used: Lowe, for instance, used FDR to uncover a flaw in the Needham-Schroeder protocol, and Mitchell used Murφ to analyze SSL. Each of these tools, however, searches the execution space exhaustively, and requires the number of protocol participants to be specified before the search begins. Recently, Song developed Athena, which models the protocol state symbolically and can search for attacks with an arbitrary number of participants. Another noteworthy tool is Meadows' NRL Protocol Analyzer. Like Song's tool, the NRL analyzer constructs attacks backward (starting from an undesirable state and searching for states that are reachable from the initial state) and thus does not require the initial number of participants to be specified.
1.2.2. Proof Generators

Paulson used Isabelle to generate inductive proofs of correctness of cryptographic protocols [17]. Millen used PVS as a proof assistant to obtain proofs based on Paulson's ideas [18]. Schneider uses rank functions to reason about the possibility of events occurring in the protocol execution [19]. Thayer et al. recently came up with a graph theoretic model of causality in a protocol, called strand spaces. Strand spaces form the theoretical base of our tool, and are described in detail in the following chapters. Abadi and Gordon extend Milner's pi-calculus, to what they call spi-calculus, to prove secrecy properties of protocols.

1.3. Scope of Our Work
The goal of our project is to come up with a tool that a cryptographic protocol designer can use to analyze protocols that he designs. The following are the features of our tool.

Strand spaces form the theoretical base of our tool. Most of the work on proof generation for cryptographic protocol properties is based on Paulson's inductive analysis. To the best of our knowledge, proofs based on strand spaces haven't been automated. We have developed a framework where PVS can be used to assist in proving properties of protocols.
1.4. Outline
2. The Problem

Our problem can be informally put as: given a protocol and the guarantees that it claims to provide, establish whether or not the protocol achieves its intent in the presence of an active penetrator, under the assumption that the underlying cryptographic primitives are ideal. This problem statement is incomplete unless we formalize the notions of ideal cryptography, the capabilities of the intruder and the guarantees that protocols attempt to provide. We begin with our model of cryptography.

We treat cryptographic primitives as black boxes which work exactly as the protocol designer expects them to. They are formalized as operations defined on a set of messages. Consider A, the set of all possible messages that can be exchanged in a protocol run. We will call elements of A terms. Terms can belong to the following subsets of A:
2.1. Ideal Cryptography

inv : K → K
encr : K × A → A
join : A × A → A
K : N → K
K : N × N → K

inv maps keys to their respective inverses. We will denote inv(K) by K^{-1}. As a shorthand, we extend inv to sets of keys and denote the set of inverses of keys in a set S by S^{-1}. K is overloaded: when given a single principal name it maps it to the public key corresponding to the principal, and we will denote K(A) by K_A; when given two arguments, it maps to the symmetric key that the two principals share, and we will denote K(A, B) by K_AB.

Figure 2.1 gives a pictorial description of the term algebra and also the intuitive meaning of the freeness assumption that we describe next.
2.1.1. Freeness Assumptions

By abstracting cryptography as an algebra, we restricted ourselves to dealing with messages as results of operations performed over atomic components and not as bit-streams. The freeness assumption¹ restricts us further. The assumption ensures that there is only one representation of a given message. In particular, the following can be inferred from the freeness assumption:

The most important consequence of these assumptions is that we are ignoring what are called type-flaw attacks. These attacks correspond to situations where the penetrator succeeds in making a participant read a term as some other term. Avoiding type-flaws is mostly an implementation issue, and we, being more concerned with the structure of protocols, will ignore them in our analysis.

¹ A is an algebra freely generated from T and K by the two operators encr and join.
2.2. The Penetrator

The model of the attacker that we consider was introduced by Dolev and Yao [6] and is thus called the Dolev-Yao Intruder. It is capable of the following:

Apart from these capabilities, another factor which defines the strength of the penetrator is its knowledge. The penetrator knows some terms to start with, and it can learn new terms from the messages that are sent over the network. The ability to learn is, however, limited by the rules of the cryptographic primitives. For instance, if some protocol participant sends a term {m}_K then the intruder can learn m out of it only if it knows K^{-1}. The penetrator can also originate a message containing terms that it knows or can create. To account for dishonest participants, the penetrator is assumed to possess all capabilities of a normal participant. For instance, it can possess a valid name, an associated asymmetric key-pair, and can even share keys with a key server, if any.
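The term algebra of Section 2.1 and the learning rules just described can be made concrete in code. The following Python is an added example, not code from the thesis or its tool: it represents the free algebra (texts, keys, encr and join), takes symmetric keys as their own inverses and public/private keys as each other's inverse (an assumption of this example), and decides whether the penetrator can emit a given term from what it knows. The sample knowledge is constructed from the Woo-Lam run of Section 1.1: P has observed N_B in the clear and holds only its own server key K_PS.

```python
# Added example: free term algebra plus Dolev-Yao derivability. Not thesis code.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Union


@dataclass(frozen=True)
class Text:            # an element of T (names, nonces, plain data)
    name: str


@dataclass(frozen=True)
class Key:             # an element of K
    name: str
    kind: str = "sym"  # "sym" (self-inverse), "pub" or "priv" (assumption of this example)


@dataclass(frozen=True)
class Encr:            # encr(K, m), written {m}_K
    key: Key
    body: "Term"


@dataclass(frozen=True)
class Join:            # join(g, h), written g h
    left: "Term"
    right: "Term"


Term = Union[Text, Key, Encr, Join]


def inv(k: Key) -> Key:
    """inv : K -> K. Symmetric keys are their own inverse; pub <-> priv."""
    if k.kind == "sym":
        return k
    return Key(k.name, "priv" if k.kind == "pub" else "pub")


def K(a: str, b: Optional[str] = None) -> Key:
    """The overloaded K: K(A) is A's public key K_A, K(A, B) the shared key K_AB."""
    return Key(a, "pub") if b is None else Key(a + b, "sym")


def analyze(known: Iterable[Term]) -> FrozenSet[Term]:
    """Close a set of terms under decomposition: split a concatenation,
    and decrypt {m}_K only when inv(K) is already known (the rule of Section 2.2)."""
    closed = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(closed):
            new = set()
            if isinstance(t, Join):
                new = {t.left, t.right}
            elif isinstance(t, Encr) and inv(t.key) in closed:
                new = {t.body}
            if not new <= closed:
                closed |= new
                changed = True
    return frozenset(closed)


def derivable(target: Term, known: Iterable[Term]) -> bool:
    """Can the penetrator emit `target`? It may use anything learned by analysis,
    and may concatenate or encrypt with keys it holds; atoms cannot be guessed."""
    closed = analyze(known)

    def synth(u: Term) -> bool:
        if u in closed:
            return True
        if isinstance(u, Join):
            return synth(u.left) and synth(u.right)
        if isinstance(u, Encr):
            return synth(u.key) and synth(u.body)
        return False

    return synth(target)


# Constructed sample: the penetrator P of the Woo-Lam run in Section 1.1.
A, P, NB = Text("A"), Text("P"), Text("NB")
K_AS, K_BS, K_PS = K("A", "S"), K("B", "S"), K("P", "S")


def woo_lam_checks() -> dict:
    p_knows = {A, P, NB, K_PS}          # N_B was sent in the clear in message 2
    msg4 = Encr(K_BS, Join(A, Encr(K_AS, NB)))
    return {
        # P can build message 3 under its own key, but not under K_AS
        "forge_msg3_under_KPS": derivable(Encr(K_PS, NB), p_knows),
        "forge_msg3_under_KAS": derivable(Encr(K_AS, NB), p_knows),
        # seeing message 4 does not let P open it: K_BS is not in its knowledge
        "read_msg4": derivable(Join(A, Encr(K_AS, NB)), p_knows | {msg4}),
    }


def asymmetric_check() -> bool:
    """{m}_{K_A} is readable with A's private key inv(K_A) and not with K_A itself."""
    m = Text("m")
    with_priv = derivable(m, {Encr(K("A"), m), inv(K("A"))})
    without = derivable(m, {Encr(K("A"), m), K("A")})
    return with_priv and not without
```

`analyze` is a fixpoint over the decomposition rules and `derivable` checks synthesis on top of it; keeping the two apart is what makes the check terminate, since synthesis only ever moves down the structure of the target term.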
2.3. Protocol Guarantees

Security protocols attempt to provide certain guarantees to the participants; in this section we formally define these guarantees and describe what it means for a protocol to be correct. In particular, we describe the meanings of authentication and secrecy.

2.3.1. Authentication

In [24], Lowe comes up with a hierarchy of authentication specifications. Our interpretation of the authentication guarantee corresponds to that of Non-Injective Agreement in Lowe's paper. We say a protocol guarantees authentication of B to A iff whenever A completes a run of the protocol, apparently with B, then B has previously been running the protocol, apparently with A, and the two agents agree on some data values, as required by the protocol. Note that A and B are parameters to the specification rather than specific principals.
2.3.2. Secrecy

Secrecy is the requirement that some term doesn't fall into the hands of the penetrator. The formal definition of secrecy depends on how we model the penetrator. It is assumed that the penetrator emits values that it knows, so verifying whether the penetrator can emit a given value in the protocol run is equivalent to verifying if the protocol keeps that value secret.
3. Specification

In most cases, the system description that the analysis mechanism requires does not intuitively correspond to the analyst's perception. It is the task of the specification language to provide the analyst with abstractions closer to what he thinks the system is, and then translate these abstractions to the formalisms that the analysis mechanism works on. In this chapter, we describe CAPSL, the language which does this job for cryptographic protocols.

As we mentioned, many mechanisms for analyzing cryptographic protocols exist. In spite of being used successfully for analyzing protocols, it is difficult for analysts other than the original developers to translate conventional protocol descriptions to the formalisms that these mechanisms require. Also, an analyst wishing to use more than one mechanism has to translate between the specification languages of the two. To summarize, the problems that a cryptographic protocol analyst faces are:

Using more than one analysis mechanism requires translation between the formalisms underlying the mechanisms.
3.1. CAPSL

CAPSL stands for Common Authentication Protocol Specification Language. It was introduced by Jonathan Millen as a common specification language that all analysis mechanisms can use. The idea is to include all the information needed for analysis in the specification, and allow a "connector" to selectively choose and translate the part that its underlying mechanism uses for the analysis. This is made possible by dividing the specification into three modules:

Type Specification Module - Declare and describe cryptographic types, operators and other functions axiomatically.

Protocol Specification Module - Declare the assumptions, messages and goals of the protocol.

Environment Specification Module - Declare run specific information about the protocol.

The types and operations that most cryptographic protocols use are provided in a CAPSL prelude, which is expected to be included in all specifications. So unless a protocol uses special functions or types, the typespec module can be omitted. Environment specifications are used by tools which search the execution space of the protocol for attacks. This module is optional and can be omitted if such a search is not to be attempted. The most important part of a specification is the protocol module, describing the messages, the assumptions and the goals of the protocol.
3.1.1. Type Specifications

Messages in cryptographic protocols are constructed by cryptographically transforming the message components. Analysis mechanisms use the properties of these transforming operations to provide guarantees about the possible executions of the protocol. Properties of types and these transformation operations are declared in the typespec module. A typespec module consists of some declarations, followed optionally by some axioms. Typespecs usually introduce a new type and some functions defined on it, but in some cases they merely extend an existing typespec by defining new functions on existing types.

Listing 1.1 shows two typespecs. The first declares a new type Pkey, and a function keypair on it. The function returns a boolean value. The COMM in the declaration specifies that the function is commutative. The second typespec imports the types defined in PKEY using the IMPORTS declaration and defines more functions on the type. The declaration ped(Pkey, Atom):Atom declares a function ped with parameters of type Pkey and Atom respectively, and a return type Atom. Properties of the functions are specified in the AXIOMS definition. For instance, the property shown here says that encrypting a term encrypted in a key, with its pair, gives us the term again.
3.1.2. Protocol Specifications

Intuitively, a % specifies that the sender's and the recipient's views of the same message are different due to the lack of some information which one party does not possess.

Assumptions

Protocol assumptions about the knowledge and the capabilities of the participating principals are made explicit in the ASSUMPTIONS clause. The declaration HOLDS A: B specifies that, on starting its run of the protocol, principal A knows the value of the protocol variable B. This, in effect, makes explicit the assumption that A knows whom it wants to talk to.
Messages

The messages exchanged in the protocol are specified in the MESSAGES section. A message declaration starts with a message id, is followed by a <sender> -> <receiver>: construct, and ends with an expression (which is the message to be sent). Some notational conventions allow the expression to be written in a more intuitive form. For example, message components can be concatenated together by enclosing them in {}; similarly, encryption of a term a with a key K can be expressed as {a}K. For instance, the {Nb}sk(A) in the third message is a shortcut for ped(sk(A), Nb), where ped is the encryption function defined in the prelude. sk (client shared key) is another function from the prelude, mapping names to keys that principals share with a key server.
Goals

Protocol specifications usually end with a specification of the GOALS of the protocol. Goals are specified using the PRECEDES, AGREE and SECRET keywords. Secrecy assertions take the form SECRET V, specifying that the value of the protocol variable V should not be disclosed to the penetrator. A precedence assertion of the form PRECEDES A,B | V specifies that when principal A finishes its run of the protocol, there should exist some run of the protocol for B's role which agrees on the values of A, B and V. This notion corresponds to Lowe's non-injective agreement. Agreement assertions are precedence claims with no claims on the existence of other party executions. AGREE A,B: V|W states that if A and B agree on V then they should agree on W too.
3.1.3. Environment Specification

Environment specifications provide run-time information that is needed by attack constructors to set up the search for unwanted executions. Typically the information provided here includes a list of agents that are expected to be part of the execution, and a list of terms that are assumed to be known to the penetrator. Agent settings are given using AGENT declarations, which are actually assignments of values to the protocol variables. Penetrator knowledge is specified using the EXPOSED declaration, which encloses a list of terms that form the initial knowledge of the penetrator.

Our description of CAPSL here is incomplete, and was intended to give a feel for the specification of protocols. There's a lot more to the language syntactically as well as semantically, and the reader can see the project web page [12] for a detailed description of the language.

CAPSL provides abstractions that make it easy to translate published descriptions of protocols to the specification required by analysis mechanisms. These abstractions, however, need to be translated to the formalism that the underlying analysis requires. Like the connectors translating CAPSL specifications for analyzers based on multi-set rewriting systems [13], we use an intermediate language.
3.2. Intermediate Language

Our intermediate language is described as an XML vocabulary, whose DTD is given in Appendix A. The language has two purposes: firstly it acts as a connector to CAPSL, filtering those parts of the specification which our analysis mechanism can make use of, and secondly it serves as the language that our GUI writes specifications to and reads specifications from.

The message specification in CAPSL is none better than the usual "Alice-Bob" style of specifying protocols. Given the fact that the intruder can originate or flush messages, the {A -> B: A} notation doesn't make a lot of sense, since we are neither sure of the sender nor of the receiver. A better approach would be to specify the interface of each participant, i.e. what messages it sends and receives, without associating these messages with any other principal, as is done by the intermediate language.

As can be done using the DENOTES declaration in CAPSL, we declare all terms used in messages beforehand. Protocol roles are parameterized, as required for representing them as parameterized strands. In short, the following are the features of the intermediate language.
4. Modeling

To reason about the correctness of cryptographic protocols, we need a mathematical model to represent their execution. Several formalisms have been developed for this purpose, some of which are used specifically for modeling cryptographic protocols, while others are generic enough to be used for the analysis of other systems as well. Our work is based on a formalism which models protocol execution as strands. A run of the protocol is modeled as a collection of strands, called a strand space. Protocol properties are expressed as predicates on this structure and they are verified by reasoning inductively.

Events in cryptographic protocols are causally dependent on other events. Strand spaces [1] are a graph theoretic model of this causal dependence. The basic building block of this model is a strand. Informally, a strand is a sequence of events that represents either a protocol execution by an honest principal or a sequence of actions
4.1. Strand Spaces

to the event of sending or receiving the term by a protocol participant or the intruder. A strand is a string of signed terms, and a strand space is a set Σ together with a trace mapping tr : Σ → (±A)*. Figure 4.1 shows a strand space with four strands.

4.1.1. Nodes

A node is a pair (s, i) where s ∈ Σ and 0 ≤ i < |tr(s)|. Given a node n = (s, i), strand(n) = s and index(n) = i. Also, term(n) is the i-th signed term in the trace of s, and unsterm(n) is the same term without the sign. For two nodes n1 and n2 we say n1 ⇒ n2 iff n1 = (s, i) and n2 = (s, i + 1). ⇒⁺ is the transitive closure of ⇒. Intuitively, the ⇒⁺ relation captures the fact that n1 precedes n2 on the same strand. For two nodes n1 and n2 we say n1 → n2 if term(n1) = +t and term(n2) = −t for some term t ∈ A. Intuitively, n1 → n2 means that n2 receives a term that is sent by n1.

We define ⪯ as the reflexive and transitive closure of (⇒ ∪ →), modeling the causal dependency of events in the protocol execution. For example, in Figure 4.1, (s4, 0) ⪯ (s1, 1) captures the fact that for the event corresponding to (s1, 1) to happen, the event corresponding to (s4, 0) must happen first. To be a correct model of a protocol execution, it is necessary that a node be included only if all nodes that it causally depends on are already included. This requirement is enforced in what we call a bundle.
4.1.2. Bundles

Let N be the set of nodes in a strand space Σ, and let →_C ⊆ → and ⇒_C ⊆ ⇒. A bundle is a subgraph C = ⟨N_C, (⇒_C ∪ →_C)⟩ of the graph ⟨N, (⇒ ∪ →)⟩ with the following properties:

C is finite.

If n2 ∈ N_C and term(n2) is negative, then there is a unique n1 such that n1 →_C n2.

If n2 ∈ N_C and n1 ⇒ n2 then n1 ⇒_C n2.

C is acyclic.

Intuitively, the definition ensures that a node is included only if all nodes that causally precede it are already included. The graph in Figure 4.1 constitutes a bundle, and so do the nodes and edges enclosed in the rectangle labeled S. The graphs contained in the rectangles labeled S' and S'' are not bundles because they are not causally closed.

Strands in a bundle must be upwards closed, but it is not necessary for them to be completely in the bundle. We define the C-height of a strand in a bundle C as the index of the last node that is included in the bundle.

If C is a bundle, the reflexive and transitive closure of (⇒_C ∪ →_C) is a partial order denoted by ⪯_C. Moreover, every non-empty subset of the nodes in C has ⪯_C-minimal members. This well-foundedness of bundles allows us to prove properties inductively.
a ⊏ a
a ⊏ {g}_K if a ⊏ g
a ⊏ g h if a ⊏ g ∨ a ⊏ h

a ⊏_b t for t ∈ T iff a = t; or
a ⊏_b k for k ∈ K iff a = k; or
a ⊏_b {g}_k iff a = {g}_k; or
a ⊏_b g h iff a ⊏_b g ∨ a ⊏_b h ∨ a = g h.

h g, g h ∈ I
{h}_K ∈ I.

The smallest k-ideal containing h is denoted as I_k[h], and the smallest k-ideal containing

4.1.4. Origination

An unsigned term is uniquely originating if it originates at only one node.
Intuitively, a term occurs at a node if the node either sends or receives a term which contains it. A node is an entrypoint for a set of terms iff it sends a term contained in the set, and no node before it on the strand either sends or receives any term in the set. An originating node for a term is the entrypoint of the set of terms containing the given term. Intuitively, originating nodes are those sending nodes on a strand that send a term for the first time without receiving it from somewhere. A term is uniquely originating iff it is introduced into the strand space at a unique node. Uniquely originating terms serve as nonces and session keys in protocols.
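To see the definitions of Sections 4.1.1, 4.1.2 and 4.1.4 working together, here is an added Python example (not the thesis's code, nor its PVS theories). Terms are nested tuples; the subterm test used for origination ignores encryption keys, a simplification of this example; the strand space is a constructed honest Woo-Lam run from Section 1.1 with one initiator, one responder and one server strand. The checks compute the → edges, test the four bundle conditions on a candidate node set, and find the node at which N_B originates.

```python
# Added example: strands, -> edges, bundle conditions and origination. Not thesis code.
from collections import deque
from typing import Any, Dict, List, Set, Tuple

# A term is an atom (str), ("enc", key, body) or ("join", left, right).
# A signed term is (+1, term) or (-1, term); a node is (strand name, index).
Node = Tuple[str, int]


def subterm(t: Any, u: Any) -> bool:
    """t occurs in u: the subterm relation, keys ignored (simplification here)."""
    if t == u:
        return True
    if isinstance(u, tuple):
        if u[0] == "enc":
            return subterm(t, u[2])
        if u[0] == "join":
            return subterm(t, u[1]) or subterm(t, u[2])
    return False


class StrandSpace:
    def __init__(self, traces: Dict[str, List[Tuple[int, Any]]]):
        self.tr = traces                      # tr : Sigma -> (+-A)*

    def nodes(self) -> List[Node]:
        return [(s, i) for s, t in self.tr.items() for i in range(len(t))]

    def term(self, n: Node) -> Tuple[int, Any]:
        return self.tr[n[0]][n[1]]

    def comm_edges(self) -> Set[Tuple[Node, Node]]:
        """n1 -> n2 iff term(n1) = +t and term(n2) = -t."""
        ns = self.nodes()
        return {(a, b) for a in ns for b in ns
                if self.term(a)[0] == +1 and self.term(b) == (-1, self.term(a)[1])}

    def is_bundle(self, nodes: Set[Node], comm: Set[Tuple[Node, Node]]) -> bool:
        """The four conditions of Section 4.1.2 on a finite candidate (nodes, comm)."""
        comm = {e for e in comm if e[0] in nodes and e[1] in nodes}
        for n in nodes:
            if self.term(n)[0] == -1 and sum(1 for e in comm if e[1] == n) != 1:
                return False              # each receive has exactly one sender
            if n[1] > 0 and (n[0], n[1] - 1) not in nodes:
                return False              # closed under strand predecessors (=>)
        # acyclic: Kahn's algorithm over the => and -> edges inside the bundle
        edges = set(comm) | {((s, i - 1), (s, i)) for s, i in nodes if i > 0}
        indeg = {n: 0 for n in nodes}
        for _, b in edges:
            indeg[b] += 1
        queue = deque(n for n in nodes if indeg[n] == 0)
        seen = 0
        while queue:
            a = queue.popleft()
            seen += 1
            for x, b in edges:
                if x == a:
                    indeg[b] -= 1
                    if indeg[b] == 0:
                        queue.append(b)
        return seen == len(nodes)

    def originating_nodes(self, t: Any) -> List[Node]:
        """Sending nodes containing t with no earlier node on the strand containing t."""
        out = []
        for s, trace in self.tr.items():
            for i, (sign, term) in enumerate(trace):
                if subterm(t, term):
                    if sign == +1:
                        out.append((s, i))
                    break                 # the first occurrence on the strand decides
        return out

    def uniquely_originates(self, t: Any) -> bool:
        return len(self.originating_nodes(t)) == 1


def woo_lam_space() -> StrandSpace:
    """Constructed sample: one honest Woo-Lam run (Section 1.1)."""
    m3 = ("enc", "KAS", "NB")
    m4 = ("enc", "KBS", ("join", "A", m3))
    m5 = ("enc", "KBS", "NB")
    return StrandSpace({
        "init": [(+1, "A"), (-1, "NB"), (+1, m3)],
        "resp": [(-1, "A"), (+1, "NB"), (-1, m3), (+1, m4), (-1, m5)],
        "serv": [(-1, m4), (+1, m5)],
    })


def demo() -> dict:
    sp = woo_lam_space()
    comm = sp.comm_edges()
    full = set(sp.nodes())
    return {
        "full_run_is_bundle": sp.is_bundle(full, comm),
        # dropping the initiator's send leaves resp's receive of m3 without a sender
        "missing_sender_is_bundle": sp.is_bundle(full - {("init", 2)}, comm),
        # a causally closed prefix of the run is itself a bundle
        "prefix_is_bundle": sp.is_bundle(
            {("init", 0), ("init", 1), ("resp", 0), ("resp", 1)}, comm),
        "NB_origin": sp.originating_nodes("NB"),
        "NB_unique": sp.uniquely_originates("NB"),
    }
```

The server strand receives m4, which contains N_B, but it is a negative node, so it is not an originating node; only the responder's second node originates N_B, which is exactly the freshness property that Section 4.2.2 asks for.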
4.2. Modeling Protocols

Two things decide the power of the penetrator: first, the keys he possesses and second, his ability to manipulate terms. K_P denotes the keys that the penetrator knows initially, and these include the public keys of all principals, the private keys of the penetrator, and all keys that the penetrator shares with other principals. It also contains keys that it might have obtained by some cryptanalysis.

The second constituent of the penetrator's power is the set of atomic operations that enable him to flush messages, generate well known messages, concatenate messages together, and apply cryptographic transformations using the keys that he knows. Attacks result when the penetrator succeeds in composing these atomic actions together to achieve something that is undesirable. The following set of penetrator traces gives the penetrator just the same powers as mentioned in the previous chapter.
E Encryption ⟨−K, −h, +{h}_K⟩
D Decryption ⟨−K^{-1}, −{h}_K, +h⟩

Unlike the penetrator traces, which stay the same, honest principals send and receive terms, the form of which is governed by the protocol. The messages exchanged are, however, parameterized, and the actual term sent depends on the bindings that are provided to the protocol parameters when a participant begins execution. The strand space model allows us to represent this parameterized execution as a parameterized strand.

1. A → B : M A B {Na, M, A, B}_{K_AS}
2. B → S : M A B {Na, M, A, B}_{K_AS} {Nb, M, A, B}_{K_BS}
3. S → B : M {Na, K}_{K_AS} {Nb, K}_{K_BS}
4. B → A : M {Na, K}_{K_AS}

The initiator's interface is parameterized by the following: its own identity, A; the identity of the respondent, B; the text component, M; the identity of the server, S; the value of the nonce, Na; and the value of the session key, K. Specific instances of the initiator's role send messages of the form shown in the figure, with the parameters replaced by the values bound to them for that run. The values may get bound to the parameters before the role starts execution, or they might be learned from the messages received. For instance, B is bound to a value before the initiator starts its run, while K gets its value only after the last message is received. However, irrespective of the actual values, the interface of the initiator is a trace of the form ⟨+M A B {Na, M, A, B}_{K_AS}, −M {Na, K}_{K_AS}⟩. A specific run of the initiator role would have some assignments to the parameters, but the structure of the trace would remain the same. This notation also allows us to express traces with some common feature; for instance, Init[∗, ∗, ∗, Na', ∗] is the set of all initiator

Serv[A, B, S, Na, Nb, M, K] = ⟨−M A B {Na, M, A, B}_{K_AS} {Nb, M, A, B}_{K_BS}, +M {Na, K}_{K_AS} {Nb, K}_{K_BS}⟩
27
4.3 Modeling Corre
tness
4.2.2. Freshness
While parameterized strands represent the interface behavior succinctly, they still don't express the freshness guarantees of nonces and session keys. This is done using the notion of origination discussed in Section 4.1.4. For instance, specifying that Nb in the Woo-Lam Protocol originates uniquely at the second node of the responder strand establishes it as a nonce with the property that it occurs at no sending node (except the second node of the responder strand) in the strand space unless there is a receiving node that precedes the sending node. Moreover, the requirement that nonces be generated fresh every time can be expressed as |Resp[∗, ∗, ∗, Nb, ∗]| ≤ 1.

Thus, the notion of origination models the requirements of session keys and nonces appropriately, and this beautiful modeling of freshness is one of the strengths of the strand spaces model.
4.3.1. Secrecy

Typically, protocols claim to guarantee secrecy of terms like session keys and nonces. If we collect all terms to be kept secret in a set S, proving that the protocol guarantees secrecy is equivalent to proving that the predicate S(·, S) holds, where
We begin our explanation of how this predicate captures the requirements of Section 2.3.2 with the claim that no key in S is in K_P. It makes little sense to talk about the secrecy of terms (keys) that are already known to the penetrator. Actually, the assumption set of the predicate will contain assumptions about keys in S not being in K_P. In other words, we begin with proving that the protocol never sends its secrets unprotected.
Like we did for the secrecy guarantee, we will translate the requirements of authentication mentioned in Section 2.3.1 to our model. Authentication guarantees can be expressed using the following predicate

Intuitively, the implication makes a claim about the presence of certain strands whenever certain other strands are already in the bundle. Translated to normal language, this is the guarantee of certain events happening given that some events happened, which is precisely what authentication is all about.
The hypothesis of the implication specifies properties that the strand s should possess. As in the secrecy requirement, it also contains assumptions about terms being uniquely originating and keys being uncompromised. The conclusion specifies properties that the strand s′ should possess (s′ is always assumed to be a regular strand). It will also include the agreement requirements, i.e. which parameters of s and s′ should have the same values.

This concludes our discussion of how cryptographic protocols, the penetrator and the correctness requirements are modeled in the strand spaces formalism. While we have stated the correctness requirements in the last section, we haven't described the way in which the proofs of these implications must be attempted. This forms the subject of the next chapter.
5. Proving Protocol Correctness

A bundle models one possible execution of a protocol. When we prove a property for all bundles, we establish it for all executions of the protocol. We identified the properties that we are interested in in the last chapter. In this chapter we discuss how proofs of properties can be constructed in the strand spaces formalism.

Proofs in the strand spaces framework exploit two partial orderings, namely the subterm relation between terms and the causal precedence relation between nodes. Inductive arguments over the precedence relation are based on minimal nodes, while those over the subterm relation are based on ideals. Before describing strategies to prove protocol properties we provide insights on how proofs can use these partial orders.
5.1. Using the precedence relation on nodes

Suppose we have a predicate on nodes, and suppose we want to prove the following statement over all bundles C: for every bundle C and every node n, n ∈ C implies that n does not satisfy the predicate. In words, this is the same as saying that nodes with certain features (those required by the predicate) do not belong to any bundle, which in turn is equivalent to saying that certain events never occur in protocol runs. The proof will use the well-foundedness of bundles. Recall that every non-empty subset of the nodes in a bundle must have minimal nodes with respect to the precedence relation. If we assume the set S of nodes satisfying the predicate to be non-empty, it must have minimal nodes. If we prove that no node can satisfy the predicate and the requirements of a minimal node simultaneously, we prove that S is empty. In step iv. of the general strategy, we are required to consider both regular and penetrator nodes. Considering all these nodes might seem demanding at first, but it actually isn't. Given that we have a fixed penetrator model and that the regular strands hardly have more than four nodes, we are never required to consider a very large number of nodes. Moreover, we have a few results that reduce the number of candidate nodes even further.

If the predicate has the additional property -
Then all minimal nodes of S are positive nodes, which means we can ignore all negative nodes in step iv. This proposition can be easily proved using the fact that for every negative node in the bundle, there is a positive node which precedes it. In addition, most predicates that we consider satisfy this property.
5.2. Using the subterm relation

We reason about the nodes using the precedence relation in a similar way as we reason about terms using the subterm relation. The notion of an ideal corresponds to the notion of a minimal node in the case of the precedence relation. Ideals allow us to obtain bounds on the capabilities of the intruder.

Recall that a k-ideal of a set S, denoted by I_k[S], is the smallest set containing S that is closed under concatenation with arbitrary terms and encryption with keys in k. Depending on our choice of k, an ideal can represent the set of terms that a penetrator can create or interpret. We would like to reason about terms that the penetrator can create because authentication guarantees require that certain terms originate on regular nodes only. On the contrary, we would like to reason about the terms that the penetrator can interpret for providing secrecy guarantees. The notion of ideals is useful in both these situations.

The predicate of the generic proof strategy usually involves ideals, and it is using the properties of ideals that we rule out most candidate nodes considered in step iv. In addition, ideals provide us generic bounds on the capabilities of the intruder, allowing us to completely skip penetrator nodes if the ideal structure is enough for the bound to apply. We mention one such bound, without a proof.

If K = S ∪ k^{-1} and S ∩ K_P is empty, then the entry points of I_k[S] (if any) are regular.
5.3. Proving Secrecy

Consider the Otway-Rees protocol, described in Figure 6.4. The strands of the protocol participants are given in §4.2.1. Suppose we wish to prove that the protocol preserves the secrecy of the session key K exchanged and also does not disclose the shared keys K_AS and K_BS. We restate the secrecy requirement of §4.3.1 -

The set of secrets S in our case is {K, K_BS, K_AS}. The assumption set is expected to contain assumptions about the origination of terms, penetrator knowledge and the structure of the strands. We include the following assumptions in it:

K is uniquely originating.
K ∉ K_P.
K ∉ {K_AS : A ∈ N}.
K = K^{-1}.

The generic proof strategy with the node predicate term(n) ∈ I_k[S] can be used to prove the
5.4. Proving Authentication

If a principal sends a term encrypted by some other principal's key and later receives it back in some cryptographically altered form, and if we know that the keys required for such a transformation are not accessible to the intruder, we can be sure that some regular principal must have operated upon it. An inference of this kind is called an authentication test [2]. We use these to prove authentication guarantees.
Let P be the set of keys including those in K_P and those that are learned during protocol executions. If we know what keys belong to P, then we can reason about the possible bundle structures which can contain these tests. This brings us to the main results of this section, the authentication tests.

Having defined the required notation, we describe the main theorems which will be used to prove authentication guarantees of protocols.
The intuitive meaning of this theorem is expressed in Figure 5.2. In the figure, nodes marked with empty circles are n and n′ and those marked by filled circles are m and m′. The theorem says that if a bundle has nodes n and n′ which satisfy the conditions then it will also have nodes m, m′ and n″. The next theorem uses incoming tests to offer a similar guarantee.

In protocols which involve more than two participants, like those with key servers, a weaker test is often useful. This test uses the fact that reception of a term encrypted by some key which the intruder doesn't know provides some hints about the node which
and K ∉ P. We can use an unsolicited test to obtain the following theorem, also called the unsolicited authentication test.

Let C be a bundle with n ∈ C, and let n be an unsolicited test for t = {h}K. Then there exists a positive regular node m ∈ C such that t is a component of m.

5.5. Using Tests

The authentication tests have been proved in [2]. In this section we will use them to prove authentication guarantees of the form mentioned in §2.3.1.
This can be proved by verifying that the first two nodes on the initiator strand constitute an outgoing test for Na in {Na, M, A, B}K_AS. The outgoing test theorem ensures that there will be a regular transforming edge for Na. Again, considering the nodes will show that this edge can lie on no strand other than s ∈ Serv[A, B, S, Na, ∗, M, K].

This ends our discussion of how proofs of properties can be obtained. As is evident from most of the proofs we outlined, a lot of arguments are repeated again and again. Also, a lot of the arguments are independent of the actual protocol under consideration. This allows us to develop a general proof mechanism in PVS. The next chapter describes the details of the same.
6. PVS Theories

The overall design of our translation scheme is shown in Figure 6.1. CAPSL specifications are first translated to an intermediate language representation, which is then converted to the PVS theories required for proving properties of protocols. Our PVS formalization separates the protocol dependent arguments used in proofs from the independent ones. The protocol independent arguments reside in theories that are included along with the core theories that PVS provides, allowing us to reuse these theories over protocols. Protocol specific arguments are contained in theories that are generated automatically from the protocol description.

6.1. Protocol Independent Theories
The message algebra, the penetrator model, and the basic notions of strand spaces do not depend on the protocol under consideration. These are formalized as separate theories which protocol specific theories can use. We concentrate on proofs of secrecy properties in this chapter, and thus we describe only those portions of the theories that we will need later in the example proofs. The theories, in their entirety, are expressive enough to handle any proof described in or based on the techniques in [1].
6.1.1. Messages

The set of all possible messages exchanged during a protocol run includes messages of primitive types like text or keys and also compound types like encrypted or concatenated messages. In general, a message is an instance of the type crypt_term, which is defined as a PVS data-type. Messages of more specialized types can be created by using their corresponding constructors.

    crypt_term : DATATYPE
      WITH SUBTYPES key, text, name, encrypt, concat
    BEGIN
      text(id: nat): text?: text
      key(id: nat): key?: key
      name(id: nat): name?: name
      encr(plain: crypt_term, enckey: key): encrypt?: encrypt
      join(a: crypt_term, b: crypt_term): concat?: concat
    END crypt_term
Equality of terms is defined inductively using the == operator. Note that the definition takes into consideration the freeness assumptions described in §2.1.

    ==(x, y: crypt_term): INDUCTIVE boolean =
      CASES y
        OF text(tid): text?(x) AND id(x) = tid,
           key(tid): key?(x) AND id(x) = tid,
           name(tid): name?(x) AND id(x) = tid,
           encr(enctext, enckey): encrypt?(x) AND
                                  (enctext == plain(x)) AND
                                  (enckey == enckey(x)),
           join(first, second): concat?(x) AND
                                (first == a(x)) AND (second == b(x))
      ENDCASES
The keys that the penetrator knows are modeled as a predicate on the set of keys, penetrated: pred[key]. The penetrator's capability to learn terms, given the set of keys he knows, is modeled using the notion of ideals described in §4.1.3.

Recall that a k-ideal of a term is the set of terms that can be constructed by concatenating terms already in the set with arbitrary terms or encrypting them with keys in k. Alternatively, the k-ideal of a term t, I_k[t], is the set of terms from which t can be obtained if the inverses of keys in k are known. The notion of an ideal and the set penetrated allow us to succinctly express the set of terms that could potentially leak some secret. We use the set secrecy_ideal for this purpose.

    secrecy_ideal(S: set[crypt_term], x: crypt_term): INDUCTIVE boolean =
      S(x) OR
      (EXISTS (y, z: crypt_term):
         x == join(y, z) AND
         (secrecy_ideal(S, y) OR secrecy_ideal(S, z)))
      OR
      (EXISTS (y: crypt_term, k: key):
         x == encr(y, k) AND
         secrecy_ideal(S, y) AND penetrated(inv(k)))
Intuitively, when a principal sends a term belonging to the secrecy_ideal corresponding to a set of secrets S, it sends some element of S without protecting it with proper keys. Thus, proving that a protocol preserves the secrecy of a set of terms is equivalent to proving that no protocol principal ever sends a term that belongs to the secrecy_ideal.

Before we describe how such a proof can be attempted, recall that the precedence relation models the causal dependencies of events in a protocol and that a bundle is a causally complete sub-graph of the strand space of a protocol. Intuitively, a bundle models one possible execution of a protocol, so proving a property for all bundles establishes it for all executions of the protocol. Also recall that a bundle is well-founded, i.e. every subset of nodes in a bundle possesses minimal nodes, which are nodes that are not causally dependent on other nodes of the subset. These minimal nodes form the base case of the inductive arguments that we use in proofs.

6.1.3. Proving Secrecy

of nodes to be considered even further. (Note that these results can be proved in PVS using the axioms of our theories.) In particular we use the result: if m is minimal in {m : node | term(m) ∈ I} then m is an entrypoint for I. Recall that a node is an entrypoint for a set of terms I if it sends a term in I while no node that precedes it on its strand sends or receives any term in I. So, given a fixed set of penetrator strands, it is possible for us to selectively choose only those nodes which can possibly be entrypoints. We define a formula no_penetrator_entrypoint which returns true iff there is no penetrator node capable of being the entrypoint of a given set of terms.
    no_penetrator_entrypoint(I: set[crypt_term]): boolean =
      NOT ((EXISTS (t: text): I(t)) OR
           (EXISTS (k: key): penetrated(k) AND I(k)) OR
           (EXISTS (j: concat):
              ((NOT I(a(j))) AND (NOT I(b(j))) AND I(j)) OR
              (NOT I(j)) AND I(a(j)))
           OR
           (EXISTS (e: encrypt):
              (NOT I(plain(e))) AND (NOT I(enckey(e))) AND I(e) OR
              ((NOT I(e)) AND
               (NOT I(inv(enckey(e)))) AND
               penetrated(inv(enckey(e))) AND (I(plain(e))))))
Note that we consider only positive nodes on the penetrator strands (since negative nodes cannot be entrypoints), and every time we include the terms corresponding to a node in the set, we check that the terms of the nodes preceding it on the same strand do not belong to the set. A similar no_regular_entrypoint formula is expected to be generated by the translation mechanism from the protocol specification. Thus, if we denote the set of secrets by Secret, then the set of terms that could potentially leak the secrets would be LeakingTerms, and proving that no node leaks secrets is equivalent to proving NoLeaks.

Thus, all we need now is the formula no_regular_entrypoint, which is generated from the protocol specification.

6.2. The Translation
We illustrate the translation using the simple protocol shown below, which was used by Nessett to demonstrate a flaw in the BAN logic analysis. The protocol claims to distribute a "good" session key between parties A and B, and clearly does not achieve this, since encryption with the private key of A does not preserve the secrecy of the session key. We will use this simple protocol to illustrate our translation procedure and also show how a proof attempt on this protocol pin-points the flaw in its structure.

1. A → B : {Na, K}K_A^{-1}
2. B → A : {Nb}K
The protocol can be specified in CAPSL or using a GUI, and the specification is then translated to an intermediate language description, which is defined as an XML vocabulary. A part of the specification for the current protocol, expressing the structure of the messages that the protocol uses, is shown below.

    <?xml version='1.0'?>
    <!DOCTYPE protocol SYSTEM 'crypa.dtd'>
    <protocol label='nesset'>
      <terms>
        <name label='A'/>
        <name label='B'/>
        <text label='Na'/>
        <text label='Nb'/>
        <key label='Ka' type='private' principals='A'/>
        <key label='K'/>
        <encrypt label='one' terms='Na K' key='Ka'/>
        <encrypt label='two' terms='Nb' key='K'/>
      </terms>
      <roles> ... </roles>
      <goals> ... </goals>
    </protocol>
The message structure can be converted to the PVS representation using the following strategy.

    if tag is (key or text or name)
      print 'label: <tag> = <tag>(<unique_id>)'
    if tag is encrypt
      print 'label: encrypt = encr(<join(terms)>, key)'

In the pseudo-code we use tag to denote the current element, attribute names (such as label, terms and key) to access the values of the attributes of the current element, and we enclose names in < > to denote that they must be treated as functions whose return values must be inserted. Also, unique_id is a function returning an identifier that hasn't been used before, and join is a function generating the PVS expression for the term which is the concatenation of the terms in the argument string. For example, a call join("A B C") returns join(A, join(B, C)), which is the crypt_term corresponding to the concatenation of the terms in the string. We also use a construct for-every to apply a set of statements to every child element with the specified name. For instance, for-every role {print label} would print the value of the label attribute of all role children of the current node.
The remaining specification describes the protocol roles using the role element.

    <protocol>
      <terms> ... </terms>
      <roles>
        <role label='Init' self='A' parameters='A B Na Nb K'
              knows='B' originates='Na'>
          <send terms='one'/>
          <receive terms='two'/>
        </role>
        <role label='Resp' self='B' parameters='A B Na Nb K'
              originates='Nb'>
          <receive terms='one'/>
          <send terms='two'/>
        </role>
      </roles>
      <goals><secret terms='K'/></goals>
    </protocol>
The role element has many attributes which are not required for proving secrecy properties, which are our current concern. All that we need to prove whether or not a protocol preserves its secrets is the function no_regular_entrypoint, which is true only if no regular node can be an entrypoint of the given set of terms. Such a function can be constructed using the terms that a participant sends and receives. The following translation results in an expression which is true if some regular node can be an entrypoint of a set of terms I.

    for-every role
      for-every send
        print 'I(terms)'
        for-every preceding-sibling
          print '(NOT I(terms))'
        endfor
      endfor
      print ' OR '
    endfor
The assumptions about the penetrator knowledge are translated next using the following strategy. All keys that the protocol claims to keep secret are also assumed to be uncompromised.

    print 'phi: AXIOM'
    for-every key
      if type = (private OR session OR shared)
        print 'NOT penetrated(label)'
      if type = 'public'
        print 'NOT penetrated(inv(label))'
    end-for
Lastly, the set Secret mentioned in the previous section is generated using the following translation.

    print 'Secret: set[crypt_term] = LAMBDA (t: crypt_term)'
    for-every token in secretterms
      print 't == <token>'
    endfor
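The translation sketched in this section, carried out end to end as an added worked example (this is not the thesis's translator, and the only input it understands is the intermediate-language XML shown above): a Python script that reads the Nessett specification, embedded here as a constructed string with the roles and goals filled in as the section shows them and the DOCTYPE omitted because the DTD is not reproduced on this page, and emits the PVS term declarations, the no_regular_entrypoint formula, the phi axiom and the Secret set. The function names parse_spec, join_terms, translate_terms, regular_entrypoint_expr, penetrator_axiom, secret_set and translate are this example's own; the rule that a key named in a secret goal also gets a NOT penetrated fact is our reading of the sentence "All keys that the protocol claims to keep secret are also assumed to be uncompromised".

```python
"""Translate the intermediate-language XML of a protocol into the PVS
fragments described in Section 6.2 (added example, not the thesis's tool)."""
import xml.etree.ElementTree as ET
from itertools import count

# Constructed input: the Nessett specification from the text, with the
# <roles> and <goals> elements filled in as the section shows them.
# The DOCTYPE is left out because the DTD is not reproduced here.
NESSET_XML = """<?xml version='1.0'?>
<protocol label='nesset'>
  <terms>
    <name label='A'/>
    <name label='B'/>
    <text label='Na'/>
    <text label='Nb'/>
    <key label='Ka' type='private' principals='A'/>
    <key label='K'/>
    <encrypt label='one' terms='Na K' key='Ka'/>
    <encrypt label='two' terms='Nb' key='K'/>
  </terms>
  <roles>
    <role label='Init' self='A' parameters='A B Na Nb K' knows='B' originates='Na'>
      <send terms='one'/>
      <receive terms='two'/>
    </role>
    <role label='Resp' self='B' parameters='A B Na Nb K' originates='Nb'>
      <receive terms='one'/>
      <send terms='two'/>
    </role>
  </roles>
  <goals><secret terms='K'/></goals>
</protocol>
"""


def parse_spec(xml_text: str) -> ET.Element:
    return ET.fromstring(xml_text)


def join_terms(spec: str) -> str:
    """'A B C' -> 'join(A, join(B, C))': the right-nested concatenation."""
    tokens = spec.split()
    expr = tokens[-1]
    for tok in reversed(tokens[:-1]):
        expr = f"join({tok}, {expr})"
    return expr


def translate_terms(root: ET.Element) -> list:
    """One PVS constant per <terms> child; unique_id is a fresh counter."""
    unique_id = count(1)
    decls = []
    for el in root.find("terms"):
        label = el.get("label")
        if el.tag in ("key", "text", "name"):
            decls.append(f"{label}: {el.tag} = {el.tag}({next(unique_id)})")
        elif el.tag == "encrypt":
            decls.append(f"{label}: encrypt = encr({join_terms(el.get('terms'))}, {el.get('key')})")
    return decls


def regular_entrypoint_expr(root: ET.Element) -> str:
    """True iff some regular node can be an entrypoint of I: a send whose
    term is in I while no earlier send/receive on the same role is."""
    disjuncts = []
    for role in root.find("roles"):
        earlier = []                      # terms of the preceding siblings
        for step in role:
            if step.tag == "send":
                conj = [f"I({step.get('terms')})"]
                conj += [f"NOT I({t})" for t in earlier]
                disjuncts.append(conj[0] if len(conj) == 1
                                 else "(" + " AND ".join(conj) + ")")
            earlier.append(step.get("terms"))
    return " OR ".join(disjuncts)


def penetrator_axiom(root: ET.Element) -> str:
    """phi: private, session and shared keys, and every key named in a
    secret goal, are uncompromised; for a public key its inverse is."""
    secret_labels = {t for goal in root.find("goals")
                     for t in goal.get("terms").split()}
    facts = []
    for key in root.find("terms").findall("key"):
        label, ktype = key.get("label"), key.get("type", "")
        if ktype in ("private", "session", "shared") or label in secret_labels:
            facts.append(f"NOT penetrated({label})")
        elif ktype == "public":
            facts.append(f"NOT penetrated(inv({label}))")
    return "phi: AXIOM " + " AND ".join(facts)


def secret_set(root: ET.Element) -> str:
    tokens = [t for goal in root.find("goals") for t in goal.get("terms").split()]
    return ("Secret: set[crypt_term] = LAMBDA (t: crypt_term): "
            + " OR ".join(f"t == {tok}" for tok in tokens))


def translate(xml_text: str) -> str:
    root = parse_spec(xml_text)
    lines = translate_terms(root)
    lines.append("no_regular_entrypoint(I: set[crypt_term]): boolean = "
                 f"NOT ({regular_entrypoint_expr(root)})")
    lines.append(penetrator_axiom(root))
    lines.append(secret_set(root))
    return "\n".join(lines)


if __name__ == "__main__":
    print(translate(NESSET_XML))
```

Note what the generated phi axiom does and does not say: Ka is declared uncompromised, but nothing is asserted about inv(Ka), the public key. That gap is exactly the open formula penetrated(inv(key(2))) at which the proof attempt of the next section stops.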
The complete PVS file generated using the translation mentioned in this section is given next. The theory message_algebra which this theory imports includes the protocol

6.3. Proof in PVS
Having generated the required theories, we can attempt the proof of the claim that the protocol guarantees secrecy of the session key. As it turns out, the proof gets stuck at the following sequent:

    [-1]  secrecy_ideal(Secret, join(text(3), key(1)))
    [-2]  penetrated(inv(key(2)))
      |-------
    Rule?

Here, key(2) is the key used to encrypt the session key. Note that the formula [-1] holds, since key(1) corresponds to the session key, which is in the Secret set. So the success of the proof attempt boils down to whether or not penetrated(inv(key(2))) can be refuted, which it cannot: inv(key(2)) is the public key of A, which the penetrator knows. In other words, the proof attempt pin-points the flaw in the structure of the protocol.
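The secrecy_ideal predicate of §6.1, the entrypoint check of §6.1.3 and the proof attempt just described, as an added example that is not part of the thesis's PVS theories: a Python model of the crypt_term algebra, of membership in the secrecy ideal of a set of secrets under a given set of penetrated keys, and of the regular-entrypoint check, run over the two Nessett role traces. The class and function names (Text, Key, Name, Encr, Join, make_inverse, secrecy_ideal, regular_entrypoints, nessett_leaks), the numeric term ids and the asymmetric key-pair table are this example's own assumptions. It evaluates only the regular half of the NoLeaks obligation on the two role strands; the penetrator half, quantified over all bundles, is what the PVS proof discharges.

```python
"""Secrecy ideal and regular entrypoints over the Nessett protocol
(added example; mirrors the PVS definitions of Chapter 6, not the theories
themselves)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple, Union


# --- term algebra, one class per constructor of the crypt_term datatype ---
@dataclass(frozen=True)
class Text:
    id: int


@dataclass(frozen=True)
class Key:
    id: int


@dataclass(frozen=True)
class Name:
    id: int


@dataclass(frozen=True)
class Encr:            # encr(plain, enckey): {plain}_enckey
    plain: "Term"
    key: Key


@dataclass(frozen=True)
class Join:            # join(a, b): concatenation a b
    a: "Term"
    b: "Term"


Term = Union[Text, Key, Name, Encr, Join]
Trace = List[Tuple[str, Term]]   # ('+', t) sends t, ('-', t) receives t


def make_inverse(pairs: Dict[Key, Key]) -> Callable[[Key], Key]:
    """Key inverse: listed asymmetric pairs map to each other, every other
    key (shared or session) is its own inverse, as the thesis assumes K = K^-1."""
    table = dict(pairs)
    table.update({pub: priv for priv, pub in pairs.items()})
    return lambda k: table.get(k, k)


def secrecy_ideal(secrets: FrozenSet[Term], x: Term,
                  penetrated: FrozenSet[Key], inverse) -> bool:
    """The PVS secrecy_ideal predicate: x is a secret, or a concatenation with
    a component in the ideal, or {y}_k with y in the ideal and inv(k) known
    to the penetrator."""
    if x in secrets:
        return True
    if isinstance(x, Join):
        return (secrecy_ideal(secrets, x.a, penetrated, inverse)
                or secrecy_ideal(secrets, x.b, penetrated, inverse))
    if isinstance(x, Encr):
        return (secrecy_ideal(secrets, x.plain, penetrated, inverse)
                and inverse(x.key) in penetrated)
    return False


def regular_entrypoints(strands: Dict[str, Trace], in_ideal) -> List[Tuple[str, int]]:
    """A positive node whose term is in the ideal while no earlier node on the
    same strand sends or receives a term in the ideal (the entrypoint notion
    behind no_regular_entrypoint)."""
    found = []
    for name, trace in strands.items():
        for i, (sign, term) in enumerate(trace):
            earlier = any(in_ideal(t) for _, t in trace[:i])
            if sign == "+" and in_ideal(term) and not earlier:
                found.append((name, i))
    return found


# Constructed instance: Nessett's protocol; the ids are chosen for this example.
A, B = Name(1), Name(2)
Na, Nb = Text(1), Text(2)
K = Key(1)                          # the session key, the only secret
Ka_priv, Ka_pub = Key(2), Key(3)    # A's private key and its inverse
one = Encr(Join(Na, K), Ka_priv)    # 1. A -> B : {Na, K}_{Ka^-1}
two = Encr(Nb, K)                   # 2. B -> A : {Nb}_K
NESSETT = {
    "Init": [("+", one), ("-", two)],
    "Resp": [("-", one), ("+", two)],
}


def nessett_leaks(public_key_known: bool = True) -> List[Tuple[str, int]]:
    """Regular entrypoints of the secrecy ideal of {K}. With A's public key
    penetrated (the realistic case, and the one phi never excludes) the
    initiator's first send leaks K."""
    penetrated = frozenset({Ka_pub}) if public_key_known else frozenset()
    inverse = make_inverse({Ka_priv: Ka_pub})
    secrets = frozenset({K})
    return regular_entrypoints(
        NESSETT, lambda t: secrecy_ideal(secrets, t, penetrated, inverse))


if __name__ == "__main__":
    print(nessett_leaks(True))     # [('Init', 0)]
    print(nessett_leaks(False))    # []
```

The node reported with the public key known, the initiator's first send, is the very node at which the PVS proof got stuck: its term join(Na, K) encrypted under Ka lies in the secrecy ideal exactly when inv(Ka) is penetrated. Dropping inv(Ka) from the penetrated set leaves no regular entrypoint, which is the hypothetical fix the sequent of §6.3 is asking for.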
6.4. Otway-Rees Example

The intermediate language representation of the Otway-Rees protocol and its generated PVS theory are given in Appendix B. Note that both the intermediate representation and the PVS theory cleanly model the fact that the responder forwards components which it cannot interpret, for lack of the required key. A proof attempt provides useful insights into what properties of the uninterpreted terms the responder must be capable of checking for the protocol to guarantee secrecy.
7. Conclusion

The PVS formalization of the strand spaces proof mechanism and the generic translation mechanism are the two contributions of this report. The description of our PVS theories given here is incomplete. The theories can be used to prove much more than just the secrecy guarantees. For instance, proofs of lemmas and propositions in [1] have been successfully attempted. Also, the formulas no_regular_entrypoint and no_penetrator_entrypoint that we generate from the protocol specification are general, and they work with sets of terms other than ideals. In other words, a proof of any property that can be expressed as a predicate on the terms that nodes send or receive can be attempted using our theories.

Proofs in the strand space mechanism are more intuitive than proofs which use other mechanisms [18]. Moreover, using already proved results [2] we can extend our theories to attempt proofs of properties like authentication, which haven't been proved in an automated setting. We have successfully proved authentication properties of a few protocols, and will soon generalize our theories for the same.
Bibliography

[1] J. Thayer, J. Herzog, J. Guttman. Strand Spaces: Proving Security Protocols Correct. Journal of Computer Security, Volume 7, Issue 2-3:191-230, 1999.
[2] Joshua D. Guttman, F. Javier Thayer Fabrega. Authentication Tests and the Structure of Bundles. Journal of Theoretical Computer Science, 2001.
[5] Joshua D. Guttman. Protocol Design via the Authentication Tests.
[6] D. Dolev and A. Yao. On the Security of Public-Key Protocols. IEEE Transactions on Information Theory, 2(29), 1983.
[..] (entry truncated on this page) ... Methods for their Analysis, Design, and Verification. Computer Communications, 22(8):695-707, 1999.
[..] (entry truncated on this page) ... Authentication Protocol Specification Language and Its Intermediate ...
[11] Martin Abadi. Security Protocols and Specifications. Foundations of Software Science and Computation Structures: Second International Conference, FOSSACS '99. Vol-1578:1-13, 1999.
[26] Owre, S., Shankar, N., Rushby, J.M., Stringer-Calvert, D.W.J. PVS Prover Guide, Version 2.4. CSL, SRI. November 2001.
[27] Owre, S., Shankar, N., Rushby, J.M., Stringer-Calvert, D.W.J. PVS System Guide, Version 2.4. CSL, SRI. December 2001.

A. Intermediate Language DTD

B. Otway Rees Example

B.1 Intermediate Language Specification

B.2 PVS Theory