Correctness Proofs and Counter-model Generation with Authentication-Protocol Logic
Koji Hasebe, Mitsuhiro Okada
Department of Philosophy, Keio University
Background
Security protocols:
• Communication over insecure network
• Cryptography used for authentication, secrecy, etc.
Formal analysis of security protocols:
• Assume perfect encryption
• Assume existence of intruder who may ...
  • See all exchanged messages
  • Delete, alter, inject and redirect messages
  • Initiate new communications
  • Reuse messages from past sessions
An Example: A process of the Needham-Schroeder Protocol
Initiator (A), Responder (B)
(1) A → B: $\{N_1, A\}_B$
(2) B → A: $\{N_1, N_2\}_A$
(3) A → B: $\{N_2\}_B$
The protocol aims to provide sharing secret data $N_1$ and $N_2$.
In message (1), $A$ is Alice’s identity, $N_1$ is a fresh random value generated by Alice, and $\{\cdot\}_B$ is encryption with Bob’s public key.
The agreement property
[Diagram: the initiator’s role $R_1$ and the responder’s role $R_2$, drawn as matching sends and receives of the three messages $\{n_1, P\}_Q$, $\{n_1, n_2\}_P$, $\{n_2\}_Q$ over the variables $P, Q, n_1, n_2$, and then instantiated by the substitution $[P{:}A,\ Q{:}B,\ n_1{:}N_1,\ n_2{:}N_2]$, where $A, B, N_1, N_2$ are constants.]
Definition (agreement property w.r.t. $R_1$ and $R_2$): For any substitution and for any process, if the process contains an execution of the responder’s role $R_2$ and an initiator’s execution according to $R_1$, then the process contains $R_1$.
An attack on the NS protocol [Lowe, 1996]
Alice, Intruder, Bob
(1) Alice → Intruder: $\{N_1, A\}_I$
(1’) Intruder → Bob: $\{N_1, A\}_B$
(2) Bob → Alice: $\{N_1, N_2\}_A$
(3) Alice → Intruder: $\{N_2\}_I$
(3’) Intruder → Bob: $\{N_2\}_B$
From Bob's view, Bob believes that Alice communicates with Bob, but actually Alice communicates with Intruder.
This attack has nothing to do with cryptography.
Proving vs Model Checking (Two approaches for protocol verifications)
Inference rule-based deductive approaches:
• BAN logics (Burrows-Abadi-Needham, 1989)
• Protocol logics (or Compositional logics)
• etc.
Trace-based semantic approaches:
• MSR (Cervesato-Durgin-Lincoln-Mitchell-Scedrov, 1999)
• Strand space (Thayer Fabrega-Herzog-Guttman, 1998)
• etc.
Protocol Logics
Inference systems to prove protocols correct:
• Primitive actions (“sending”, “receiving”, “generating”, etc.) are described as predicate symbols
• Some properties about nonces and keys are formalized as non-logical axioms
• Prove correctness in the logical system
Durgin-Mitchell-Pavlovic (2001), Datta-Derek-Mitchell-Pavlovic (2003-), Cervesato-Meadows-Pavlovic (2004-), Hasebe-Okada (2004)
Proving vs Model Checking
Proving = Model Checking, by completeness proof based on the proof-search (i.e., bottom-up proof construction) method.
Proof-search of a query (which represents a correctness property):
• If provable: obtain a formal proof of the query
• If not provable, then counter-example: obtain concrete attacks on the protocol
[Diagram: bottom-up proof search starting from the sequent "⊢ Agreement formula". In the provable case the search reaches axioms; in the unprovable case it yields a counter-example.]
Proof search outputs:
• Provable
• Counter-examples, among them the realizable counter-examples (= attacks)
Use Comon-Treinen’s algorithm for the intruder deduction problem (2003)
Main results for agreement property with a bounded number of sessions
1. Basic part of Protocol Logic is describable in first-order predicate logic.
2. First-order proof search-based completeness proof is applicable to our Basic Protocol Logic, hence, usable for proving correctness and detecting attacks at once.
3. Provability of correctness property is decidable (by finite domain property).
1. Basic Protocol Logic (or BPL, for short)
2. Proof search-based completeness proof
3. Example of our proof construction / counter-example generation
Language of Basic Protocol Logic (1)
Sorts: name, nonce, message, (key)
Terms:
Atomic terms:
• $A, B, \ldots, P, Q, \ldots$: atomic terms of sort (principal) name
• $N_1, N_2, \ldots, n_1, n_2, \ldots$: atomic terms of sort nonce
• $m, m', m_1, m_2, \ldots$: variables of sort message
• All atomic terms of sort name and nonce are terms of sort message.
Compound terms of sort message: $\langle m_1, \ldots, m_k \rangle$, $\{m\}_P$, $\{m\}_{P^{-1}}$
Language of Basic Protocol Logic (2)
Formulas:
Atomic formulas:
• Trace formula: a sequence of primitive actions of principals $P_1, \ldots, P_k$ (Here we use sends, receives, generates as primitive actions.)
  e.g. $P$ generates $n$; $P$ sends $\{n\}_Q$; $Q$ receives $\{n\}_Q$
  ($P$ generates $n$ before $P$ sends $\{n\}_Q$ before $Q$ receives $\{n\}_Q$.)
• Equality and subterm relations between terms $m$ and $m'$
Compound formulas: Made by first-order logical connectives
Logical Axioms of BPL
Base: Axioms of first-order predicate logic with equality
Rules for trace formulas, stated over the list of order-preserving merges of two trace formulas.
[The rule itself and its worked example of merges are not legible in this transcript.]
Axioms of universal sentences over terms (known as decidable [Venkataraman 87]): a universal sentence over terms is axiom if it is valid in free term algebra.
An example of the non-logical axioms: Nonce Verification axiom (Cf. Authentication-tests based Strand space)
Intuitive meaning:
[Diagram: P sends $\{m_2\}_Q$ (with a side condition on $n_1$ and $m_2$); Q receives $m_3$ (side condition on $\{m_2\}_Q$ and $m_3$), decrypts it, and sends back $m_4$ (side condition on $n_1$ and $m_4$); P receives $m_5$ (side condition on $n_1$ and $m_5$).]
• $m_2$ is the only message sent by P which includes $n_1$.
• $m_5$ does not include $\{m_2\}_Q$ (i.e., $m_5$ is not a forwarded message).
First order formalization:
PQn1m2m5 [ P generates n1 P sends {m2}Q n1 m2 P receives m5 n1 m5
m6(P sends m6 n1 m6 m6 m2)
{m2}Q m5
m3m4 (P sends {m2}Q;Q receives m3;Q sends m4;P receives m5
{m2}Q m3 n1 m4 ) ]
An example of Honesty (The Needham-Schroeder protocol)
The NS protocol:
1. A → B: $\{N_1, A\}_B$
2. B → A: $\{N_1, N_2\}_A$
3. A → B: $\{N_2\}_B$
A’s run:
(0) A performs no action
(1) A generates $n_1$; A sends $\{n_1, A\}_Q$
(2) A receives $\{n_1, n_2\}_A$; A sends $\{n_2\}_Q$
A’s honesty (over $Q$, $n_1$, $n_2$):
(0) A performs no action, or
(1) A performs "A generates $n_1$; A sends $\{n_1, A\}_Q$" and A does not perform any other actions, or
(2) A performs "A generates $n_1$; A sends $\{n_1, A\}_Q$; A receives $\{n_1, n_2\}_A$; A sends $\{n_2\}_Q$" and A does not perform any other actions.
Formalization of Honesty (The Needham-Schroeder protocol)
A’s honesty (described in BPL):
[Formula: the cases (0), (1), (2) above, where "does not perform any other actions" is expressed by quantified statements over "A generates $n$", "A sends $m$" and "A receives $m$".]
Main Results on BPL
Complete for a certain formal trace semantics.
Decidable for Provability of the query (which represents an agreement property).
Applicable to counter-example generations (i.e., flaw detections)
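Formal Trace-Based Semantics
A formal trace model $M$ consists of:
• $D_P$: name domain
• $D_N$: nonce domain
• $D_M$: free term algebra domain on $D_P$ and $D_N$, including $K(\cdot)$ and $K^{-1}(\cdot)$
• a sequence of primitive actions
• a valuation, mapping each nonce term $n$ into $D_N$ and each name term $P$ into $D_P$
The valuation is extended to interpretation: for example, the trace formula "A sends $m_1$; B receives $m_2$" is interpreted as the action sequence Sends(A, $m_1$); Receives(B, $m_2$) under the valuation.
Truth conditions: a statement relating terms $s$ and $t$ is true in $M$ when the corresponding relation holds between the interpretations of $s$ and $t$ on $D_M$; etc.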
Completeness Theorem
For any query (which represents an agreement property), the formula is provable in BPL iff it is true for any model $M$.
Completeness Proof (1) Proof-Search Tree Construction
Proof-search (i.e., bottom-up proof construction) is based on the sequent calculus of first-order predicate logic.
Proof-search tree is constructed in Rounds (each round decomposes the outermost logical symbols):
• Round 0: put the query at the bottom of the tree
• Round i: apply the rules for logical connectives (then go to Round i+1 unless the current topmost sequent is closed, i.e., matches an axiom)
[Diagram: bottom-up proof search from "⊢ Agreement formula" toward axioms, with an open branch giving a counter-example.]
Completeness Proof (2)
Main Lemma
For any given query (which represents an agreement property), if its proof-search tree includes a branch which is not closed at the end of Round 3, then there exists a counter-model $M$ for the query.
Completeness Proof (3)
Construction of Counter-Models
A model $M$ which is obtained from a topmost non-closed sequent at the end of Round 3 is as follows:
1. Take the set of literals from the left and right sides of the sequent, and solve the satisfaction problem of these literals.
2. Decompose each literal which consists of compound terms (e.g., a literal over $\{N_1\}_A$ and $\{n_1\}_P$ into literals over $N_1$, $n_1$ and over $A$, $P$).
3. Take representatives as $D_P$ and $D_N$.
Each nonce term ($n$, $N$) is interpreted as its representative ($n^*$, $N^*$) in $D_N$, each name term ($P$, $A$) as its representative ($P^*$, $A^*$) in $D_P$, and each message variable $m$ as $t^*$ in $D_M$ (where $t^*$ is the representative of the equivalence class of $t$).
Interpretations for compound terms and formulas are defined by inductions.
Completeness Proof (4)
Essential Idea
Let T be the set of terms in Round 3. For any variable (say, $m$) which appears above Round 3, an equation $m = t$ with some $t \in T$ always appears in the left side.
Search domain does not increase above Round 3.
[Diagram: proof-tree fragment above the query, applying left rules to formulas on "A sends $m$" and $m = t$ (one from Honesty, one an axiom), introducing a new variable and ending in a closed sequent.]
Decidability
From Main Lemma and Soundness:
If a query is provable in BPL, then the proof-construction procedure terminates by Round 3.
Counter-Example Generations (1) Realizable Traces
We cannot directly consider counter-models to be an attack on the protocol in question, because some of them cannot be realizable.
Use Comon-Treinen’s algorithm for the intruder deduction problem (2003).
An example of the unrealizable trace:
A sends $\{N_1, A\}_Q$; B receives $\{N_1, A\}_B$; A receives $\{N_1, N_2\}_A$; B generates $N_2$; B sends $\{N_1, N_2\}_A$
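An added example (not from the slides, and not Comon-Treinen's algorithm): a simplified Dolev-Yao derivability check that replays a trace and rejects it at the first received message the intruder could not have built from what had been sent so far. The term encoding, the function names and the choice of Q as the principal whose private key the intruder holds are assumptions of this example; the second trace is the counter-model the slides derive later for the NS protocol.

```python
# Terms: atoms are strings; pair(...) is a tuple; enc(body, X) stands for {body}_X.

def pair(*items):
    return ("pair",) + items

def enc(body, owner):
    return ("enc", body, owner)

def analyze(known, compromised):
    """Close the intruder's knowledge under unpairing and under decryption
    of ciphertexts addressed to principals whose private key it holds."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            parts = ()
            if isinstance(t, tuple) and t[0] == "pair":
                parts = t[1:]
            elif isinstance(t, tuple) and t[0] == "enc" and t[2] in compromised:
                parts = (t[1],)
            for p in parts:
                if p not in known:
                    known.add(p)
                    changed = True
    return known

def derivable(t, known):
    """Can the intruder build t? Public keys are assumed known to everyone."""
    if t in known:
        return True
    if isinstance(t, tuple) and t[0] == "pair":
        return all(derivable(x, known) for x in t[1:])
    if isinstance(t, tuple) and t[0] == "enc":
        return derivable(t[1], known)
    return False

def realizable(trace, names, compromised):
    """Return (True, None), or (False, i) where i indexes the first
    'receives' whose message the intruder could not have delivered."""
    known = set(names)
    for i, (who, action, msg) in enumerate(trace):
        if action == "sends":
            known = analyze(known | {msg}, compromised)
        elif action == "receives" and not derivable(msg, known):
            return False, i
    return True, None

NAMES = {"A", "B", "Q"}

# The unrealizable trace from the slide: A receives {N1,N2}_A before N2 exists.
UNREALIZABLE = [
    ("A", "sends", enc(pair("N1", "A"), "Q")),
    ("B", "receives", enc(pair("N1", "A"), "B")),
    ("A", "receives", enc(pair("N1", "N2"), "A")),
    ("B", "generates", "N2"),
    ("B", "sends", enc(pair("N1", "N2"), "A")),
]

# The NS counter-model trace, writing N1, N2 for A's n1, n2.
LOWE = [
    ("A", "generates", "N1"),
    ("A", "sends", enc(pair("N1", "A"), "Q")),
    ("B", "receives", enc(pair("N1", "A"), "B")),
    ("B", "generates", "N2"),
    ("B", "sends", enc(pair("N1", "N2"), "A")),
    ("A", "receives", enc(pair("N1", "N2"), "A")),
    ("A", "sends", enc("N2", "Q")),
    ("B", "receives", enc("N2", "B")),
]
```

With Q's key held by the intruder the second trace replays cleanly; with an empty `compromised` set it stops at B's first receive, which is why the counter-model needs Q to differ from an honest B.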
Counter-Example Generations (2) Realizable Traces
Proof search outputs: Provable, or Counter-examples, among them the realizable counter-examples (= attacks).
Proposition
For any given query, we can determine whether there exists a realizable counter-example (i.e., a concrete attack on the protocol in question) whenever we set any upper-bound on the number of sessions.
Example: Proof construction and counter-example generation of the Needham-Schroeder
The NS protocol:
1. A → B: $\{N_1, A\}_B$
2. B → A: $\{N_1, N_2\}_A$
3. A → B: $\{N_2\}_B$
Query:
• A is honest (i.e., A always acts as initiator).
• If B (responder) executes a run of his role $R_2$ with $(P{:}A,\ Q{:}B,\ n_1{:}N_1,\ n_2{:}N_2)$ (i.e., communicating with A using $N_1$ and $N_2$), then A executes the run of her role $R_1$, and A and B agree on the order of the messages exchanged.
As a sequent:
HonestInit(A), OnlyResp(B),
B rec $\{N_1, A\}_B$; B gen $N_2$; B sends $\{N_1, N_2\}_A$; B rec $\{N_2\}_B$
⊢ A gen $N_1$; A sends $\{N_1, A\}_B$; B rec $\{N_1, A\}_B$; B gen $N_2$; B sends $\{N_1, N_2\}_A$; A rec $\{N_1, N_2\}_A$; A sends $\{N_2\}_B$; B rec $\{N_2\}_B$
where
• OnlyResp(B): “B behaves as responder.” Intuitively, OnlyResp(B) means that B performs only the responder’s actions: every nonce B generates is $N_2$, every message B sends is $\{N_1, N_2\}_A$, and every message B receives is $\{N_1, A\}_B$ or $\{N_2\}_B$.
• HonestInit(A): A’s honesty, i.e. A performs no action, or only "A generates $n_1$; A sends $\{n_1, A\}_Q$", or only "A generates $n_1$; A sends $\{n_1, A\}_Q$; A receives $\{n_1, n_2\}_A$; A sends $\{n_2\}_Q$".
Proof search for the query on the NS protocol (built bottom-up from the sequent with OnlyResp(B), HonestInit(A) and the responder trace on the left side):
• From "B gen $N_2$", "B sends $\{N_1, N_2\}_A$" and "B rec $\{N_2\}_B$", then by the Nonce Verification axiom there is a message $m$ with the trace "B sends $\{N_1, N_2\}_A$; A rec $m$; B rec $\{N_2\}_B$", where $m$ is related to $\{N_1, N_2\}_A$.
• An order-preserving merge of
  B rec $\{N_1, A\}_B$; B gen $N_2$; B sends $\{N_1, N_2\}_A$; B rec $\{N_2\}_B$
  and
  A gen $n_1$; A sends $\{n_1, A\}_Q$; A rec $\{n_1, n_2\}_A$; A sends $\{n_2\}_Q$ (derived from HonestInit(A))
  gives
  A gen $n_1$; A sends $\{n_1, A\}_Q$; B rec $\{N_1, A\}_B$; B gen $N_2$; B sends $\{N_1, N_2\}_A$; A rec $\{n_1, n_2\}_A$; A sends $\{n_2\}_Q$; B rec $\{N_2\}_B$
• The formulas on "A rec $t_1$", ..., "A rec $t_k$" and $\{n_1, n_2\}_A$ are obtained by instantiation for $m$ in the formula on "A rec $m$" and $\{n_1, n_2\}_A$, where $t_1, \ldots, t_k$ is the list of terms such that:
  • The length is less than or equal to the maximal length of terms appearing in the query.
  • Each $t_i$ is constructed by atomic terms appearing in the lower sequent.
• Left rules then split the tree. The branch with "A rec $m$" on both sides is closed. The other branch carries the literals over $m$, $\{n_1, n_2\}_A$, $\{N_1, N_2\}_A$, $N_1$, $n_1$, $N_2$, $n_2$, $B$, $Q$. This branch is not closed.
• The universal sentence (over $n_1$, $m$, $n_2$, $Q$) built from these literals is not valid in the free term algebra, so the topmost sequent is not axiom.
Countermodel (with the literals over $N_1$, $n_1$; $N_2$, $n_2$; $B$, $Q$):
A gen $n_1$; A sends $\{n_1, A\}_Q$; B rec $\{N_1, A\}_B$; B gen $N_2$; B sends $\{N_1, N_2\}_A$; A rec $\{n_1, n_2\}_A$; A sends $\{n_2\}_Q$; B rec $\{N_2\}_B$
A, Q, B
(1) A → Q: $\{N_1, A\}_Q$
(1’) Q → B: $\{N_1, A\}_B$
(2) B → A: $\{N_1, N_2\}_A$
(3) A → Q: $\{N_2\}_Q$
(3’) Q → B: $\{N_2\}_B$
Lowe’s attack
The NSL protocol
Lowe’s modification of the NS protocol: Insert the sender’s name
1. A → B: $\{N_1, A\}_B$
2. B → A: $\{N_1, N_2, B\}_A$
3. A → B: $\{N_2\}_B$
Insertion of the sender’s name makes Lowe’s attack impossible, because...
[Diagram: Alice, Intruder, Bob, with the messages $\{N_1, A\}_I$, $\{N_1, A\}_B$, $\{N_1, N_2, B\}_A$, $\{N_2\}_I$, $\{N_2\}_B$ of the attempted attack.]
In this scenario, A believes that she communicates with I, but she can detect that the message is actually sent by B.
Proof search for the same query on the NSL protocol:
HonestInit(A), OnlyResp(B),
B rec $\{N_1, A\}_B$; B gen $N_2$; B sends $\{N_1, N_2, B\}_A$; B rec $\{N_2\}_B$
⊢ A gen $N_1$; A sends $\{N_1, A\}_B$; B rec $\{N_1, A\}_B$; B gen $N_2$; B sends $\{N_1, N_2, B\}_A$; A rec $\{N_1, N_2, B\}_A$; A sends $\{N_2\}_B$; B rec $\{N_2\}_B$
• The order-preserving merge is now
  A gen $n_1$; A sends $\{n_1, A\}_Q$; B rec $\{N_1, A\}_B$; B gen $N_2$; B sends $\{N_1, N_2, B\}_A$; A rec $\{n_1, n_2, Q\}_A$; A sends $\{n_2\}_Q$; B rec $\{N_2\}_B$
• The search proceeds by the same left rules as for the NS protocol. The branch with "A rec $m$" on both sides is closed. The other branch carries the literals over $m$, $\{n_1, n_2, Q\}_A$, $\{N_1, N_2, B\}_A$, $N_1$, $n_1$, $N_2$, $n_2$, $B$, $Q$. This branch is closed.
• The universal sentence (over $n_1$, $m$, $n_2$, $Q$) built from these literals is valid in the free term algebra, so the set of literals is axiom.
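The validity check that separates the two branches (open for NS, closed for NSL), as an added Python example that is not from the slides. It assumes the universal sentence has the form "premises imply conclusions", with premises $m = \{n_1, n_2\}_A$ and $m = \{N_1, N_2\}_A$ (plus $Q$ and $B$ inside the braces for NSL), conclusions $N_1 = n_1$, $N_2 = n_2$, $B = Q$, variables $m, n_1, n_2, Q$ and constants $A, B, N_1, N_2$; all function names are hypothetical.

```python
# Syntactic unification decides such sentences in the free term algebra:
# the implication is valid iff the premises do not unify, or their most
# general unifier already makes every conclusion an identity.

VARS = {"m", "n1", "n2", "Q"}          # universally quantified (assumed)

def enc(owner, *body):
    """{body}_owner as a constructor term."""
    return ("enc", owner) + body

def walk(t, s):
    while isinstance(t, str) and t in s:
        t = s[t]
    return t

def occurs(v, t, s):
    t = walk(t, s)
    if t == v:
        return True
    return isinstance(t, tuple) and any(occurs(v, x, s) for x in t[1:])

def unify(a, b, s):
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if isinstance(a, str) and a in VARS:
        return None if occurs(a, b, s) else {**s, a: b}
    if isinstance(b, str) and b in VARS:
        return unify(b, a, s)
    if (isinstance(a, tuple) and isinstance(b, tuple)
            and a[0] == b[0] and len(a) == len(b)):
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None                          # clash of constants or arities

def resolve(t, s):
    t = walk(t, s)
    if isinstance(t, tuple):
        return (t[0],) + tuple(resolve(x, s) for x in t[1:])
    return t

def valid(premises, conclusions):
    """Return (is_valid, conclusions the unifier does not force)."""
    s = {}
    for left, right in premises:
        s = unify(left, right, s)
        if s is None:
            return True, []              # premises unsatisfiable
    failed = [(l, r) for l, r in conclusions
              if resolve(l, s) != resolve(r, s)]
    return not failed, failed

CONCLUSIONS = [("N1", "n1"), ("N2", "n2"), ("B", "Q")]

def check_ns():
    return valid([("m", enc("A", "n1", "n2")),
                  ("m", enc("A", "N1", "N2"))], CONCLUSIONS)

def check_nsl():
    return valid([("m", enc("A", "n1", "n2", "Q")),
                  ("m", enc("A", "N1", "N2", "B"))], CONCLUSIONS)
```

For NS the unifier binds only the nonces, so B = Q is the one conclusion left unforced; that free choice of Q is exactly the intruder of the counter-model.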
Realizable counter-examples of the NS protocol (1)
In the proof-search tree, there are some open branches, and each topmost sequent is:
• Left side includes an order-preserving merge of the following trace formulas
  A gen $t_1$; A sends $\{t_1, A\}_Q$; A rec $\{t_1, t_2\}_A$; A sends $\{t_2\}_Q$
  B rec $\{t_1, A\}_B$; B gen $t_2$; B sends $\{t_1, t_2\}_A$; B rec $\{t_2\}_B$
  (where $t_1$ is $N_1$ or $n_1$, and $t_2$ is $N_2$ or $n_2$)
• The literals over $N_1$, $n_1$, $N_2$, $n_2$, $m$, $\{t_1, t_2\}_A$, $\{t_2\}_Q$, $A$, $B$, $Q$ are satisfied.
Realizable counter-examples of the NS protocol (2)
Counter-model $M$, where
$D_P = \{A, B, Q\}$, $D_N = \{N_1, N_2\}$ (with literals over the pairs $A, B$; $A, Q$; $B, Q$; $N_1, N_2$)
and the sequence of actions is an order-preserving merge of the following formulas
A gen $t_1$; A sends $\{t_1, A\}_Q$; A rec $\{t_1, t_2\}_A$; A sends $\{t_2\}_Q$
B rec $\{t_1, A\}_B$; B gen $t_2$; B sends $\{t_1, t_2\}_A$; B rec $\{t_2\}_B$
Conclusions and Future Work
• Gave an inference system for proving protocols correct based on first-order predicate logic
• Showed completeness and decidability
• Presented how to construct proofs / generate counter-examples

• Implementation for automation
• Compositionality issue for automated protocol design