Event structure semantics for security protocols

Transcription

1 Event structure semantics for security protocols Jonathan Hayman and Glynn Winskel Computer Laboratory, University of Cambridge, United Kingdom Abstract. We study the use of event structures, a well-known model for concurrency, to provide a semantics for a language for security protocols called SPL. The semantics makes use of the ability to define event structures as rigid families of partial order configurations. We formulate a number of useful principles to establish correctness properties of protocols and use the well-studied Needham-Schroeder-Lowe protocol as an illustrative example of the the direct proofs arising from causal reasoning that the semantics permits. The work lays a foundation through which current work on logic, symmetry, name binding, probability and games for event structures may be brought to bear in the analysis of security protocols. 1 Introduction Protocols for security and trust are notoriously difficult to reason about, the classic example being the discovery by Lowe [1] of an attack on Needham and Schroeder s public key authentication protocol [2] sixteen years after its introduction. The challenges facing the design of such protocols, from their initial creation through to the the specification and proof of their key correctness properties, has led to the development of a range of languages, models and logics to support their formal analysis. A feature found in many proofs of correctness of security protocols is causal reasoning. For example, in showing that a security breach never happens, we may establish that such a breach causally depends on an earlier security breach; from this, we obtain a contradiction to the existence of an earliest breach. This is essentially Paulson s inductive method [3]. By employing causal models such as strand spaces [4], the model directly encapsulates the the facts necessary to prove the existence of the earlier event. In this paper, we show how an event structure semantics can be given to a simple language for security protocols called SPL [5]. The semantics is obtained through the use of rigid families of partial orders, which closely resemble the bundles of strand spaces [4], from which we may extract an event structure through the adjunction/equivalence between their categories. We show how this semantics equips direct proofs of properties, studying the Needham-Schroeder- Lowe protocol as an example. The support of the ERC through the Advanced Grant ECSYM is gratefully acknowledged

2 2 Jonathan Hayman and Glynn Winskel The key rationale for this work is that, by using an established model for concurrency and showing how it directly and uniformly supports compositional semantics and reasoning techniques that are as simple as those for the domainspecific model of strand spaces, we lay a foundation through which other theories may be imported to the analysis of security protocols and vice versa. For example, topics that have been extensively studied for event structures, including game-theoretic aspects [6], symmetry [7], and logic (e.g. [8, 9]), are all of central importance to the analysis of protocols. Finally, the capture of branching behaviour by event structures seems to be important in reasoning about more sophisticated correctness properties such as non-repudiation in exchange protocols [10]. Overview We begin by reviewing the NSL protocol and the syntax and operational semantics of SPL. We then introduce event structures and rigid families of configurations; these are an important tool in the following section where we define the semantics of SPL. We study the fundamental proof principles and properties of the semantics before reviewing the correctness of the NSL protocol in the newly developed setting. 2 The Needham-Schroeder-Lowe protocol We begin by giving a brief introduction to the Needham-Schroeder-Lowe (NSL) public key protocol [1]. The NSL protocol makes use of public-key cryptography to allow processes known as an initiator and a responder to authenticate each other s identity and to distribute a value that is known only to the two processes. We shall use this well-known protocol throughout the paper to explain SPL and show how its event structure semantics allows proofs that are as direct as those for strand spaces. We take the two participants (often called principals) to be A, who will act as the initiator, and B, who will act as the responder. Both participants have their own public-private key pairs: each participant is the only one to know its private key, whereas the public key for any participant is common knowledge. The assumption of public-key cryptography is that a participant must hold the corresponding private key to be able to decrypt a message encrypted using a public key. As such, any participant can send a message encrypted with the recipient s public key; even on an untrustworthy network, only the recipient will be able to read the contents of the message since only it has the private key needed to decrypt it. The protocol begins with A sending a message to B containing a nonce value (a freshly-generated number highly unlikely to be known or guessed by any other principal) x and its identity encrypted with B s public key. (1) A B : {A, x} P ub(b) B responds to A with a message, encrypted using A s public key, containing a new nonce value y, the nonce value x generated by A and B s identity. (2) B A : {B, x, y} P ub(a)

3 Event structure semantics for security protocols 3 As B is the only principal able to decrypt message (1), on receipt of message (2) A knows from the freshness of the value x that B has read (1). A confirms by sending the nonce value y back to B, encrypted using B s public key. (3) A B : {y} P ub(b) Upon receipt of this, process B can now be sure that it is communicating with A since only A had the ability to extract y from the message in (2). We shall focus on two of the algorithm s correctness criteria: secrecy and authentication. Secrecy means that the nonce values are only known to the two participants under the assumption that both processes have followed the protocol. The second is that, upon completion of the protocol, each participant can be sure that the process that it interacted with is who it claimed to be. 3 SPL To model the processes involved in interactions of the form seen above, we now introduce SPL [5], the security protocol language. The language has a limited yet expressive range of combinators to describe the kinds of action that processes involved in cryptographic protocols might perform. In particular, it has syntax for the generation of nonce values, the output of messages to the network and the input of messages matching a specified pattern from the network (cf. the message passing language Erlang or the pattern matching spi calculus [11]). Since various syntactic classes apart from processes shall be involved in pattern matching, as we introduce their syntax we shall also introduce variables over them. Names Drawing upon the intuitions of the pi-calculus [12], the starting point for the syntax of SPL is a set of names. Names will generalise the identities of processes, nonce values and any other basic values that can be communicated. Formally, we assume that the set of names includes all principal identifiers, ranged over by A, B,... disjoint from a countably-infinite set of other names, ranged over by m, n,.... The syntax also includes name variables, ranged over by X, Y, x, y,...; again, we use upper-case letters to indicate that the variable represents the identity of a principal. Finally, we use v, w,... to range over both names and name variables: v ::= n A x X Keys We use the symbols k, k,... to range over keys: k ::= P ub(v) P riv(v) Key( # v ) Keys can be either public keys, private keys, or symmetric keys identified by a vector of names # v. Messages M ranges over message expressions, which may be names v, keys k, pairs of message expressions M 1, M 2, messages encrypted with a key {M} k or message variables ψ. M ::= v k M 1, M 2 {M} k ψ

4 4 Jonathan Hayman and Glynn Winskel The processes of SPL follow the grammar p ::= out new # x M.p in pat # x # ψ M.p Intuitively, out new # x M.p both generates a set of nonce values, substituting them for the vector of distinct variables # x in M and p, and outputs the resulting message on the network before continuing to execute p. Turning to in pat # x ψ # M.p, we require that every variable in the vectors of distinct variables # x and ψ # occurs in M. Intuitively, this is a process that performs a pattern match on messages that have been output to the network. This means that values are nondeterministically chosen for the name variables # # x and message variables ψ in M in such a way that the message M with the appropriate substitution made has already been output by some other process; the resumption is the process p with the substitution of the corresponding values for # x and ψ. # The output out new # x M.p is seen to bind the finite vector of variables # x within M and p. The input in pat # x ψ # M.p binds the variables # x and ψ # within M and p. As standard, we obtain the set of free variables fv(p) and free names fn(p) of any process p and substitution of a vector of names for free name variables in messages M[ # n/ # x ] and processes p[ # n/ # x ], and also substitution of a vector of closed messages for free message variables. We give the definition of substitution on messages and processes in Appendix A. We adopt the conventions of writing out M.p instead of out new # x M.p when the list # x is empty and in M.p for the process in pat # x ψ # M.p when # x is the list of name variables free in M and ψ # is the list of message variables free in M. Any parallel composition is indexed by a by a set I to help identify any individual process within a parallel composition. We write!p for i ω p and nil for i p i. 0 i I p i 3.1 Programming the Needham-Schroeder-Lowe protocol The code for the initiator and responder processes is given in Figure 1. The process Init(A, B) is that for an initiator with identity A attempting to begin the protocol with a responder with identity B. The process Resp(B) is that for a responder with identity B that is open to communication with any initiator process. In order to reason about the security of protocols, we must consider the kinds of attack that can take place. If, for example, it turned out that publickey cryptography were unsound in the sense that a message encrypted using a public key could be decrypted within a reasonable amount of time without access to the private key, then the protocol as described above would surely fail in its objectives for authentication and creation of a value that it secret to the participants. Necessarily, we must describe the kinds of attack that are feasible under our assumptions about cryptography, and we do so by specifying spy processes. We assume that the forms of possible attack are as follows: messages

5 Event structure semantics for security protocols 5 Init(A, B) out new x {x, A} P ub(b). in {x, y, B} P ub(a). out {y} P ub(b). nil Spy 1 in ψ 1.in ψ 2.out (ψ 1, ψ 2).nil Spy 2 in (ψ 1, ψ 2).out ψ 1.out ψ 2.nil Spy 3 in x.in ψ.out {ψ} P ub(x).nil Spy 4 in P riv(x).in {ψ} P ub(x).out ψ.nil Spy Spy i i {1,2,3,4} Resp(B) in {x, Z} P ub(b). out new y {x, y, B} P ub(z). in {y} P ub(b). nil P init!init(a, B) A,B P resp A!Resp(A) P spy!spy NSL i {resp,init,spy} P i Fig. 1. The NSL protocol in SPL. Init(A, B) represents participant A attempting to initiate the protocol with B. Resp(B) represents participant B waiting to respond to any other participant. Spy i represent actions that the attacker can perform. NSL represents all interactions of the protocol. can be merged, messages can be split, messages can be encrypted using a public key and messages encrypted using a public key can be decrypted but only if the private key is available. These forms of attack are captured by the Spy process in Figure 1. These are the forms of attack specified in the Dolev-Yao model [13], and, as such, we make the perfect cryptography assumption that encryption cannot be broken. Our analysis will therefore reveal flaws only in the underlying distributed algorithm for public key authentication. 3.2 Operational semantics We now proceed to give the operational semantics of SPL. Notably, the semantics shall be asynchronous: output actions are not synchronized with input actions. Instead, we record which messages have been output to the network at any time, and a process can input a message if it has been output at any time in the past. This has the effect of us not assuming the network to be trustworthy in the ordering of messages. The operational semantics is defined as a transition relation between configurations. A configuration is a tuple p, s, t, where p is a closed process term, s is a subset of names indicating those that are currently in use and t is a subset of closed messages indicating the messages that have been output to the network. We restrict attention to proper configurations: these are configurations such that fn(p) s, A s for every principal identifier A and {fn(m) M t} s. Transitions are labelled with the action α that occurred: α ::=!( # n)m?m i : α

6 6 Jonathan Hayman and Glynn Winskel Output: Input: Parallel: if # n all distinct and not in s (writing # n for the underlying set) out new # x M.p, s, t!( # n )M[ # n / # x ] p[ # n/ # x ], s # n, t {M[ # n/ # x ]} if M[ # n/ # x ][ # N/ # ψ] t in pat # x # ψ M.p, s, t?m[ # n / # x ][ # N/ # ψ ] p[ # n/ # x ][ # N/ # ψ], s, t p j, s, t α p j, s, t j:α i I pi, s, t i I p i, s, t where p i = p i for j i Fig. 2. Operational semantics of SPL The action!( # n)m is the action that creates a vector of nonce values # n and outputs a closed message M. The action?m represents the input of a closed message M. Finally, the action i : α represents that the ith component of a parallel composition performs action α. 4 Event structures In this section, we give a brief introduction to event structures. We refer the reader to [14] for a full account. The idea is to equip a set of events with a partial order to indicate upon which prior events the occurrence of any event causally depends, and also to stipulate how the occurrence of events can inhibit the occurrence of others. Definition 1. A (prime) event structure is a tuple (E,, Con) where E is a set of events, E E is a partial order of causal dependency, and Con is a set of finite subsets of E, called consistency, satisfying for any e E, the set {e e e} is finite, Con and {e} Con for any e E, if X Con and Y X then Y Con, if X Con and e e X then X {e} Con. Definition 2. A configuration of an event structure (E,, Con) is a subset of events x E that is: Down-closed: if e x and e e then e x Consistent: X Con for all finite sets X x A finite configuration of an event structure represents a reachable state. Given a finite configuration x of an event structure ES = (E,, Con), we write ES/x for the event structure representing the behaviour of ES from the configuration x. It is defined to be ES/x = (E,, Con ) where Con = {y \ x y Con & x y}, the set of events E = Con and is the restriction of to E. Where the set x is the singleton set {e}, we write ES/e instead of ES/{e} and say that e is enabled in ES.

7 Event structure semantics for security protocols 7 In the coming semantics, we shall make use of labelled event structures. These are just event structures with an additional function λ : E L taking events to elements of a labelling set L. Finally, two event structures are isomorphic, written ES = ES, if there is a label-preserving bijection between their events that preserves and reflects causality and consistency. 4.1 Rigid families Some constructions on event structures are more easily expressed in alternative but equivalent categories. Stable families [15], for example, are useful in defining the product of event structures and, from this, their parallel composition. In the present work, we shall see that it is in fact more convenient to work with rigid families of partial orders. For a partial order x X X, write x for the set X and e x e iff (e, e ) x. Define the relation of rigid inclusion on partial orders as x y iff the following conditions hold: x y and e, e x : e x e e y e e y e x : e y e = e x We write x y for x y and x y. A rigid family is a set of finite partial orders that is non-empty and is down-closed with respect to rigid inclusions. We shall also call partial orders in the rigid family configurations. Let D 0 (ES) be the set of partial orders x such that x is a finite configuration of ES and the order is the restriction of causal dependency to x. It is clear that this defines a rigid family. Conversely, we can obtain an event structure Pr(F) from a rigid family F by considering its primes: a prime of F is a partial order [e] x for e x F, where [e] x denotes the restriction of the partial order x to elements less than or equal to e: [e] x {(u, u ) (u, e) x & (u, u ) x} The primes of F form the events of Pr(F); causal dependency is rigid inclusion; and a finite subset of primes X is consistent if its least upper bound is in F. As for event structures, we can define the resumption F/x of a rigid family F following x. The configurations of F/x are the configurations of F that rigidly extend x with the events in x removed. The details of the categories of rigid families and event structures are given in Appendix B, and D 0 and Pr extend to functors that exhibit an equivalence of categories. Two rigid families are isomorphic, written F = F, iff there is a bijection between their configurations that preserves and reflects rigid inclusion. 5 Event structure semantics In this section, we give a labelled event structure semantics to closed SPL processes. The semantics shall be defined in two stages. First, we define a compositional open semantics for processes. This shall include events from individual

8 8 Jonathan Hayman and Glynn Winskel parallel processes that might in isolation be impossible, for example inputs of messages for which there is no earlier output of the message; these events are necessary in case we later compose the semantics with that for some other process that does output the message. Making use of rigid families, we then define the closed semantics of processes. This reveals the causal dependency of input events on corresponding output events and removes events that cannot possibly occur. 5.1 The open semantics The open semantics of a closed SPL process p will be an event structure denoted p. In the definition of its events, we frequently wish to enforce disjointness of various subsets of events. For example, when forming the event structure for a prefixed process (an input or an output), we need to ensure that the event prefixing the process is not equal to any event in the semantics of the resumption. This requires a little book-keeping, so we say that any event structure representing the open semantics shall have events drawn from the set Events, the least set satisfying the following conditions: out M Events, for any closed message M, in M Events, for any closed message M, (i, e) Events for any e Events and i that is either a natural number, vector of messages and names or index from the definition of parallel composition; we normally write i : e for (i, e). In order to avoid continually being drawn into detail about the precise structure of any event, we consider event structures with each event labelled by an action α as defined for the operational semantics. The definition of the semantics shall be by induction on the size of terms rather than structural induction on the terms themselves. This is due to the definitions of input and output using the definition of the semantics of closed subterms following substitution. To avoid having to restrict to finite parallel compositions, we do not define size as a natural number but instead define a well-founded size relation: Definition 3 (Size relation). Define the size relation to be the least transitive relation on closed process terms satisfying: p[ # n/ # x ] out new # x M.p for any substitution of names [ # n/ # x ], p[ # N/ # ψ][ # n/ # x ] in pat # x # ψ M.p for any substitution of names [ # n/ # x ] and closed messages [ # N/ # ψ], and p j i I p i for any index j I. In the following definitions, for any vector # a we write len( # a ) for the length of # a. For any event structure ES, we write E ES for its set of events, write ES for its partial order, write Con ES for its consistency relation and write λ ES for its labelling function. A diagrammatic account is presented in Figure 3.

9 Event structure semantics for security protocols 9 All vec. distinct names # n 1, # n 2 All compat. vec. # N 1, N 2, n 1, n 2 p[ # n 1/ # x ] p[ # n 2/ # x ] p[ # N 2/ # ψ][ # n 1/ # x ] p[ # N 2/ # ψ][ # n 2/ # x ]!( # n 1)M[ # n 1/ # x ]!( # n 2)M[ # n 2/ # x ] out new # x M.p?M[ # N 1/ # ψ][ # n 1/ # x ]?M[ # N 2/ # ψ][ # n 2/ # x ] in pat # ψ # x M.p Fig. 3. Event structure semantics of output and input, showing the relationships between pairs of bindings. Dots represent labelled events, arrows represent causal dependency and wavy lines represent conflict: that two events do not both occur in any consistent set. Boxes indicate the event structures for subterms; arrows into and wavy lines between them represent causal dependency and conflict for all their events. Output Let Σ be the set of vectors of distinct names # n such that len( # n) = len( # x ). The labelled event structure out new # x M.p = (E,, Con, λ) is defined as: E = { # n : 1 : out M[ # n/ # x ]) n Σ} { # n : 2 : e # n Σ & e E p[ # n / # x ] } e e # n, u, u. e = # n : 1 : u & e = # n : 2 : u or e = # n : 2 : u & e = # n : 2 : u & u p[ n # / # x ] u X Con X = or # n. m, # i, u. m # : i : u X = m # = # n & {u # n : 2 : u X} Con p[ n # / # x ] {!( # n)m[ # n/ # x ] if e = # n : 1 : out M[ # n/ # x ]) λ(e) = λ p[ n # / # x ] (u) if e = # n : 2 : u Input In the following definition, let Σ denote the set of pairs ( # n, # N) of vectors of names and closed messages that are of lengths consistent with # x and # ψ. Note that unlike in the definition for output, we do not require # n to be a vector of distinct names. The labelled event structure in pat # x # ψ M.p = (E,, Con, λ) is defined as: e e E = {# n # N : 1 : in M[ # N/ # ψ][ # n/ # x ] ( # n, # N) Σ} { # n # N : 2 : e ( # n, # N) Σ & e E p[ # N/ # ψ ][ # n / # x ] } # n, # N, u, u. e = # n # N : 1 : u & e = # n # N : 2 : u or e = # n # N : 2 : u & e = # n # N : 2 : u & u p[ # N/ # ψ ][ # n / # x ] u X Con X = or # n N. # m, # Q, # i, u. m # # Q : i : u X = m # = # # # n & Q = N & {u # n N # : 2 : u X} Con # # p[ N/ ψ ][ n # / # x ] {?M[ N/ # ψ][ # # n/ # x ] if e = # n N # : 1 : in M[ N/ # ψ][ # # n/ # x ]) λ(e) = λ # # p[ N/ ψ ][ n # / # x ] (u) if e = # n N # : 2 : u

10 10 Jonathan Hayman and Glynn Winskel Parallel composition The parallel composition is formed by allowing the event structures for each subprocess to run in parallel with each other: the events are the disjoint union, formed using the tagging operation, with causality and consistency inherited from each component. It is important to note that the labels on each event are extended to include the index of their component of the parallel composition; this is unlike the previous definitions, where the labels on events from inductively-defined subprocesses were completely unchanged. This reflects the fact that we later wish to identify the particular process performing each action. For each i I, let p i = (E i, i, Con i ). Define i I p i = (E,, Con) as: E = {i : e i I & e E i} i : e i : e i = i & e i e X Con X is finite & λ(i : e) = i : λ i(e) i I. {e i : e X} Con i 5.2 Closed asynchronous semantics The closed semantics of processes, denoted p t s, represents the behaviour of the process p regarded as a closed system from initial state (s, t): there is no potential for input from an external process. It is formed by taking the open semantics and removing behaviours that cannot possibly be seen: inputs of messages that we can now be sure will never be output and the generation of non-fresh names. It also extends the causality relation to include the dependency of inputs on particular outputs, mirroring the definition of bundles from strand spaces [4]. Here we encounter a slight technical issue, prompting the earlier introduction of rigid families. In the process out 1.nil out 1.nil in 1.nil, the input can only occur once either of the two outputs have occurred. The prime event structures introduced earlier (or stable families) cannot model this using just three events: every event in a prime event structure has a unique set of events that must occur prior to it. By using rigid families, we avoid having to define further events. In more detail, the closed semantics p t s shall be formed from partial order configurations of p. There are two facets of the construction of configurations of p t s. Firstly, we must ensure that the configurations of p t s are consistent with the concept of freshness: if a name is generated on an output event, the name should not be in s and it should be distinct from any other name generated. Secondly, we must extend the order on events in the configuration arising from the event structure p by recording upon which output event, if any, any input event depends. In doing so, we must be careful to avoid creating cycles in the dependency relation. For example, given the open semantics of in 1.out 2.nil in 2.out 1.nil we do not obtain a configuration by extending the relation of causal dependency in the following way (the solid lines represent causal dependency from the open semantics; the dotted lines represent the candidate I/O causal dependency):

11 Event structure semantics for security protocols 11!2!1?1?2 Even though the open event structure for the process above has several configurations, if initially t =, we would expect there to be no non-empty configurations in the closed semantics since the processes are deadlocked. Definition 4. For any event e, write Fresh(n, e) if the event e creates n as a fresh name, i.e. λ(e) = π :!( # m)m for some sequence of tags π and there exists i such that m i = n. Every event in the open and closed semantics is either an input or an output event. We write msg(e) for the message either input or output by the event e; formally, this can be straightforwardly identified from the label of λ(e). Causal dependency in a configuration of the closed semantics extends that in the open semantics as specified by a relation of data dependency, x d : Definition 5. A partial order x E E is a configuration of p t s if, and only if, there is a partial order x 0 E E and a relation x d E E such that: 1. x 0 D 0 ( p ) 2. x = (x 0 x d ) +, the transitive closure of x 0 x d 3. e, n. e x & Fresh(n, e) = n s 4. e, e, n. e, e x & Fresh(n, e) & Fresh(n, e ) = e = e 5. for all (e, e ) x d, the event e is an output event and e is an input event and msg(e) = msg(e ) 6. for all e E, if e is an input event then either msg(e ) t or there exists unique e such that (e, e ) x d Note that the relation (x 0 x d ) + above must be antisymmetric due to the assumption that x is a partial order. Proposition 1. The set of configurations of p t s form a rigid family. Proof. It is sufficient to establish that if x is a configuration of p t s and e is maximal in x then x e, the partial order with e removed, is a configuration of p t s. It is straightforward to verify that restricting x d to x e we obtain a relation satisfying the constraints, by maximality of e. The event structure semantics corresponds to the earlier operational semantics (Appendix C). α Proposition 2. If p, s, t p, s, t then there exists an enabled event e in p t s such that λ(e) = α and p t s = p t s/e. If e is enabled in p t s then there exist p, s and t such that p, s, t λ(e) p, s, t and p t s = p t s/e.

12 12 Jonathan Hayman and Glynn Winskel 5.3 Example: The semantics of NSL Each configuration of the open semantics NSL is the disjoint union of some number of configurations of initiator, responder and spy processes. This disjoint union is obtained by attaching tags which propagate to the labels on events. For example, the following is a configuration of NSL in which an initiator and two individual spy processes have begun to act. The first spy process decrypts the message sent by the initiator and the second spy process breaks it apart. Though NSL is an event structure and its configurations are sets, we have drawn in the causal dependency relation. The primes of the order drawn here are analogous to (partial) strands [4]. The first number in any sequence is simply to indicate from which replicated process the event originates; it can be disregarded (and it would be meaningful to represent the symmetry where different labels could be chosen see the conclusion). init : (A 0, B 0 ) : 1 :!(n 0 ){n 0, A 0 } P ub(b0 ) init : (A 0, B 0 ) : 1 :?{n 0, m 0, B 0 } P ub(a0 ) Spy : 5 : 4 :!n 0, A 0 Spy : 5 : 4 :?P riv(b 0 ) Spy : 5 : 4 :?{n 0, A 0 } P ub(b0 ) Spy : 8 : 2 :!A 0 Spy : 8 : 2 :!n 0 Spy : 8 : 2 :?n 0, A 0 Configurations of NSL t s are partial order configurations of NSL as drawn above to which we add dependencies of events on data. For example, suppose that t contains P riv(b 0 ). This allows the event labelled Spy : 5 : 4 :?P riv(b 0 ) to be in the configuration: the message that it receives is already assumed to be on the network, from which the message transmitted by A 0 can be intercepted and the secret value compromised. init : (A 0, B 0 ) : 1 :!(n 0 ){n 0, A 0 } P ub(b0 ) Spy : 5 : 4 :!n 0, A 0 Spy : 5 : 4 :?P riv(b 0 ) Spy : 5 : 4 :?{n 0, A 0 } P ub(b0 ) Spy : 8 : 2 :!A 0 Spy : 8 : 2 :!n 0 Spy : 8 : 2 :?n 0, A 0 This configuration could be extended with further spy process events so that the process A 0 receives the message expected from B 0 without B 0 having taken any part in the communication. Configurations of p t s correspond to bundles in the terminology of [4]. Note, however, that we can view the set of configurations as an event structure by taking their primes. Though this perspective is not central to the secrecy and authentication protocols discussed here, it is important to have a handle on nondeterminism when addressing other issues such as repudiation [10].

13 6 Fundamental properties Event structure semantics for security protocols 13 In this section, we study the underlying properties of all SPL processes, providing the key lemmas that will enable intuitive and direct reasoning about security protocols. We begin by defining the submessage relation as the least relation on messages such that M M, M M 1 = M (M 1, M 2 ) & M (M 2, M 1 ), and M M = M {M } k. Note that this allows consideration of submessages within encrypted messages. The notation is extended to sets of messages by defining N t if, and only if, there exists M t such that N M. 6.1 Well-foundedness Well-foundedness arguments often play an important role in reasoning about assertions of security protocols. For example, proofs about the secrecy of private keys typically analyse the given processes to show that the output of a private key on the network would causally depend on the prior input of the key, and any input would depend on either the key initially being released or there being a corresponding output event upon which the input causally depends. Well-foundedness of causal dependency allows us to infer that either the key is initially available or it is never released to the network. The following lemma, an immediate consequence of the well-foundedness of the relation, yields a key reasoning technique: that if a property fails in some configuration then there is a minimal sub-configuration in which it fails. Lemma 1. Let P be a predicate on configurations of a rigid family F such that P ( ). If y F and P (y) then there exists x y such that P (x) and P (z) for all z x. To demonstrate the use of well-foundedness and to provide a useful reasoning technique, we derive a way of connecting the open semantics to the closed to establish properties of messages. Lemma 2. Let Q be a predicate on closed messages, p = (E,, Con) and (p, s, t) be a proper configuration. Suppose that there is no M t such that Q(M) and, for all events e E, if Q(msg(e)) then there exists e E that is an input and e e and Q(msg(e )). Then Q(msg(u)) for all u y p t s. Proof. Take the predicate P (y) on of y p t s to be e y. Q(msg(e)). Suppose, for contradiction, that there exists y p t s such that P (y). By Lemma 1, there exists x p t s such that P (x) and P (z) for all z x. Since P (x), there exists e x such that Q(msg(e)). The events of configurations of the closed semantics are events of the open semantics, so e E. By assumption, there exists e E that is an input and e e and Q(msg(e )) and there is no M t such that

14 14 Jonathan Hayman and Glynn Winskel Q(M). From the definition of the closed semantics, there exists an output u such that u < e and u is an output and msg(u) = msg(e ), and hence Q(msg(u)). Considering the prime [u] x, we have [u] x x and clearly P ([u] x ), so we arrive at a contradiction to the minimality of x. Hence P (y) for all y p t s. 6.2 Freshness We now consider the key properties of the freshness of newly-generated names. Such properties are frequently found in arguments about security protocols: they are used, for example, in the NSL protocol to establish causal connections between the receipt of messages containing nonce values and their transmission by the only other process that could have known these values. The first step is to perform an inductive analysis of processes in the open semantics. Lemma 3. For any event e in p and any name n such that n fn(p), if n msg(e) then either there exists e e such that Fresh(n, e ) or there exists e e that is an input and n msg(e ). Proof. The proof is a straightforward well-founded induction on the size relation, proceeding by a case analysis on p. The details are presented in Appendix D. We now connect this result to the closed semantics. Proposition 3. For any process p and any configuration x of p t s, the following properties hold: 1. For any n, there is at most one event e x such that Fresh(n, e). 2. If e x and n msg(e) then n s or there exists e x e such that Fresh(n, e ). 3. If Fresh(n, e) and n msg(e ) then e x e Proof. Property (1) is part of the definition of the configurations of p t s and property (3) will be a simple consequence of (1) and (2). Now consider (2); assume that e x and n msg(e) and n s. Take P (x) to be e x.n msg(e) = e x e.fresh(n, e ). For contradiction, suppose that P fails for some configuration; by Lemma 1 there is a configuration x for which P (x) but P (z) for all z x. Since P (x), there exists e x such that n msg(e) and Fresh(n, e ) for all e x e. Applying Lemma 3, it must be the case that there is u e in the open semantics that is an input and n msg(u). Since configurations of the closed semantics are down closed with respect to the order from the open semantics, u x. From the definition of the closed semantics, either msg(u) t or there exists e that is an output satisfying e < u and msg(e ) = msg(u). The former case is impossible: if msg(u) t then n s since n fn(msg(u)). However, the latter case is impossible: if there were such an e, then P ([e ] x ) and clearly [e ] x x, contradicting the minimality of x.

15 7 Correctness of NSL Event structure semantics for security protocols 15 We now use the reasoning techniques described above to show how they provide a framework for clear and intuitive proofs about the NSL protocol. 7.1 Private key secrecy The first lemma specifically about the NSL protocol is that private keys of processes are not revealed by any process. This is an example of a property that depends on the particular spy processes described. If, for example, we had introduced a spy in x.out P riv(x).nil then the property would fail to hold. We begin with an inductive analysis of the processes in the open semantics. Lemma 4. For any name A and any event e in NSL, if P riv(a) msg(e) there exists e such that e e and e is an input event and P riv(a) msg(e ). Proof. Let e be an event in the event structure NSL such that P riv(a) msg(e). If e is an input event, the property trivially holds, so we only need to consider output events. It is easy to check that e cannot be any initiator or responder event, so the only possibility is that e is a spy event. We shall only consider one of the cases for the spy processes, Spy 1 ; the others are similar. Since e is an output, the only possibility is that we have λ(e) = spy : j : 1 :!(M 1, M 2 ) for some M 1, M 2 and j (j indicates which replication of the process Spy the event is in). It is easy to see from the semantics that there are events e 1 and e 2 such that e 1 e and e 2 e and λ(e 1 ) = spy : j : 1 :?M 1 and λ(e 2 ) = spy : j : 1 :?M 2. Since P riv(a) (M 1, M 2 ), we have either P riv(a) M 1 or P riv(a) M 2, from which the required property immediately follows. As an immediate consequence of the previous lemma and Lemma 2, we obtain a secrecy lemma for the closed semantics. Lemma 5. For any name A and proper configuration (NSL, s, t), if P riv(a) t then there is no configuration x of NSL t s with an event e x such that P riv(a) msg(e). 7.2 Nonce value secrecy We now show that the nonce value generated by responder in the NSL protocol remains secret. The statement makes use of the ability of spy processes to break apart messages to provide a concise event-based characterization: were the nonce value to be output in an insecure form on the network, the value in isolation would also appear by application of spy processes.

16 16 Jonathan Hayman and Glynn Winskel Theorem 1. Let (NSL, s, t) be a proper configuration such that P riv(a 0 ) t and P riv(b 0 ) t. If x is a configuration of NSL t s that contains an event e r with λ(e r ) = resp : B 0 : j :!(n 0 ){m 0, n 0, B 0 } P ub(a0) then there is no e x such that msg(e) = n 0. Proof. We prove the stronger property that, for any x NSL t s containing an event e r with the given label and for any event e x, if n 0 msg(e) then either {m 0, n 0, B 0 } P ub(a0) msg(e) or {n 0 } P ub(b0) msg(e). Suppose, for contradiction, that this fails: by Lemma 1, there is a -minimal configuration in which it does so. Let y be this configuration. There is an event e y such that n 0 msg(e) and {m 0, n 0, B 0 } P ub(a0) msg(e) and {n 0 } P ub(b0) msg(e). Note that y = [e] y since, otherwise, y would fail to be minimal: the configuration [e] y would also violate the property. Additionally, e is the minimal event in y such that {m 0, n 0, B 0 } P ub(a0) msg(e) and {n 0 } P ub(b0) msg(e). We now establish that e must be an output event. The configuration y contains an event e r labelled λ(e r ) = resp : B 0 : j :!(n 0 ){m 0, n 0, B 0 } P ub(a0), so from the definition of the closed semantics we have n 0 s. It follows immediately that n 0 t. Were the event e to be an input, there would have to be an output event e y such that msg(e ) = msg(e). Consequently, we would have a configuration [e ] y y containing an event e with n 0 msg(e ) and {m 0, n 0, B 0 } P ub(a0) msg(e ) and {n 0 } P ub(b0) msg(e ), contradicting minimality of y. Hence e must be an input event. Since y is in NSL t s, its underlying set is also a configuration of NSL and so e is an event of NSL. We consider cases for e based on the characterization of the events of NSL in Section 5.3, deriving the required contradiction in each case. The cases are essentially straightforward analyses of causality. We show only those for the initiator events; the others are in Appendix D. Case 1 (Initiator events). Observing the possible output events of the initiator, there are two cases to consider. 1. λ(e) = init : A, B : i :!(m){m, A} P ub(b) for some m, A, B and index i. Since n msg(e), either n 0 = m or n 0 = A. However, we cannot have n 0 = A for any principal name A since A s but n 0 s. Therefore, we have m = n 0. However, in this case we have Fresh(m, e) and Fresh(n 0, e r ), and clearly e e r since the events have incompatible labels, so we arrive at a contradiction to part (1) of Proposition λ(e) = init : A, B : i :!{n 0 } P ub(b) for some A, B and index i. Since {n 0 } P ub(b0) msg(e) by assumption, it must be the case that B B 0. Since y is a configuration of NSL, it is down-closed, and so by the analysis in Section 5.3 there exists e such that e < y e and λ(e ) = init : A, B : i :?{m, n 0, B} P ub(a) for some m. However, since B B 0 we observe that n 0 msg(e ) and {m 0, n 0, B 0 } P ub(a0) msg(e ) and {n 0 } P ub(b0) msg(e ), from which we derive a contradiction to the minimality of e. The proof that the nonce generated by the initiator remains secret is similar.

17 Event structure semantics for security protocols 17 8 Authentication We now turn to the second correctness property for the NSL protocol: authentication. Authentication is specified in two parts: authentication for the initiator and authentication for the responder. Here, we only present authentication for the responder. Following the formulation by Lowe [1], this asserts that any configuration in which the principal B 0 has completed the responder s actions seemingly with A 0 includes a corresponding sequence where A 0 transmitted, in the appropriate sequence, all the messages in accordance with the initiator s role. Theorem 2. Let (NSL, s, t) be a proper configuration such that P riv(a 0 ) t. If x is a configuration of NSL t s containing events b 1 with λ(b 1 ) = resp : B 0 : i :?{m 0, A 0 } P ub(b0) b 2 with λ(b 2 ) = resp : B 0 : i :!(n 0 ){m 0, n 0, B 0 } P ub(a0) b 3 with λ(b 3 ) = resp : B 0 : i :?{n 0 } P ub(b0) for any A 0, B 0, m 0, n 0 and index i then the configuration contains events a 1 with λ(a 1 ) = init : (A 0, B 0 ) : j :!(m 0 ){m 0, A 0 } P ub(b0) a 2 with λ(a 2 ) = init : (A 0, B 0 ) : j :?{m 0, n 0, B 0 } P ub(a0) a 3 with λ(a 3 ) = init : (A 0, B 0 ) : j :!{n 0 } P ub(b0) for some index j, and furthermore a 3 x b 3. Proof. If the configuration contains the event b 3 then we have b 2 x b 3 since b 2 is the unique event in NSL consistent with b 3 with the label given above, and such an event must be prior to b 3. Similarly, b 1 x b 2. Consider the property of events Q(e) = (n 0 msg(e) = {m 0, n 0, B 0 } P ub(a0) msg(e)). Clearly, Q(b 2 ) holds but Q(b 3 ) fails to hold. By part (3) of Proposition 3, any e x such that Q(e) satisfies b 2 e. Let e be a x -minimal event such that b 2 x e x b 3 and Q(e). Consider cases for the event e from the description of NSL in Section 5.3, noting that e must be an output event due to its minimality: e cannot be a spy event, by analysis of the possible cases. For example, suppose that λ(e) = i : spy : 4 :!M for some index i and M such that n 0 M but {m 0, n 0, B 0 } P ub(a0) M. Since the configuration x is down-closed with respect to the causal dependency relation of N SL, there exists an event e x such that e < x e and λ(e ) = i : spy : 4 :?{M} P ub(a) for some A. Clearly n 0 {M} P ub(a), so if minimality of e is not to be contradicted we must have {m 0, n 0, B 0 } P ub(a0) {M} P ub(a). We must therefore have A 0 = A. There exists an event e such that e < x e and λ(e ) = i : spy : 4 :?P riv(a 0 ). We assumed that P riv(a 0 ) t, so we arrive at a contradiction to the secrecy of private keys (Lemma 5).

18 18 Jonathan Hayman and Glynn Winskel e cannot be a responder event. To see this, the only case that we need to consider is λ(e) = resp : B : j :!(n){m, n, B} P ub(a) for some m, b, A, B and index j. Since n 0 {m, n, B} P ub(a), either n 0 = m or n 0 = n or n 0 = B; we shall show that each case is impossible. Since by assumption Q(e) but Q(b 2 ), we have e b 2. We have Fresh(n, e), so by Proposition 3 (Freshness) part (1), we have n n 0. Since B s, from the definition of the configurations of NSL t s, we cannot have B = n 0 since Fresh(n 0, b 2 ) and b 2 is in the configuration x. Finally, for contradiction suppose that n 0 = m. From the analysis of the events of NSL in Section 5.3 and the fact that x must be down-closed, there exists an event e < x e such that λ(e ) = resp : B : j :?{n 0, A} P ub(b). Clearly, {m 0, n 0, B 0 } P ub(a0) msg(e ), so we arrive at a contradiction to the minimality of e. The only remaining possibility is that e is an initiator event. The first case is that λ(e) = init : (A, B) : j :!(m){m, A} P ub(b) for some A, B, m and index j. We cannot have m = n 0 by part (1) of Freshness (Proposition 3) since Fresh(m, e). As standard, we furthermore cannot have n 0 = A since A s and n 0 is fresh on b 2. We therefore contradict the assumption that n 0 msg(e) This leaves one final possibility, that λ(e) = init : (A, B) : j :!{n} P ub(b) for some A, B, n and index j. Let a 3 = e. Since n 0 msg(a 3 ) we must have n = n 0. Since x is down-closed with respect to the causal dependency relation of NSL, from the analysis in Section 5.3 we see that there exists a 2 a 3 such that λ(a 2 ) = init : (A, B) : j :?{m, n 0, B} P ub(a). By part (3) of Proposition 3 we have b 2 x a 2. By minimality of a 3, we must have m = m 0 and B = B 0 and A = A 0. A final inspection of the open semantics in Section 5.3 yields existence of an event a 1 such that λ(a 1 ) = init : (A 0, B 0 ) : j :!(m 0 ){m 0, A 0 } P ub(b0), as required to complete the proof. In summary, in the configuration x we have, drawing e e for e e : b 1 b 2 b 3 a 1 a 2 a 3 The causal dependence of b 1 on a 1 is by freshness of m 0, Proposition 3 (3). 9 Conclusion In this paper, we have seen how event structures and rigid families allow the semantics of a language for security protocols to be defined and have demonstrated that the event structure semantics corresponds to the operational semantics. The use of causal models for security protocols has a long history. Multiset rewriting [16] is closely related to Petri nets, from which relations of causality can be extracted. The popular model of strand spaces [4] model sequential

19 Event structure semantics for security protocols 19 processes which feature neither internal nor external choice. On top of a set of interacting processes, represented as linear sequences of actions, a relation of data dependency is placed to form a partial order of causal dependency. There are many factors in favour of directly using event structures to model security protocols. Firstly, they are amenable to studying richer aspects of behaviour such as non-determinism: this comes to the fore when we pass beyond safety-style properties to, for example, the study of non-repudiation in exchange protocols [10]. Being a non-domain-specific model for concurrency, they provide a bridge between research on security and research into basic models for concurrency. The comparison of logics for causal models (see e.g. [9]) with those traditionally used to model security protocols such as [17] would, for example, be interesting. Note that the logic in [17] is specifically for non-branching processes: though the global state space is non-deterministic due to the parallel composition, the temporal operators only apply to the non-branching threads. Towards the aim of using non-domain-specific models for security protocols, SPL was originally developed with a semantics based on Petri nets with persistent conditions [5]. However, the net semantics does not represent causality as directly as the event structure semantics here: the proofs presented here are as simple as the proofs for strand spaces, not having to deal with the details of conditions, while being based on a compositional semantics. Additionally, a range of theories are emerging for event structures that have significant potential for application to the analysis of security protocols; we see the current work as laying a foundation for connection to them, from which we may also gain experience of their application. We summarize these now. A theory of symmetry on event structures is developed in [7]. The structures defined here clearly possess a good deal of symmetry which needs to be captured before practical applications can be developed. For example, there is symmetry between the branching processes determined by the choice of fresh names which is left implicit in the strand space model (cf. equivariance in [18]). There is also symmetry in replication: its capture may lead the way to automated tools for reasoning about arbitrary numbers of protocols, for example as desired in [19]. Probabilistic event structures [20] may also be useful when we wish to model more refined cryptographic assumptions, for example that an attacker may have some probability of guessing a freshly generated name or may have some chance of decrypting a message. More tentatively, given the importance of games in the analysis of security protocols, for example non-repudiation in [10], one may hope to establish connections to recent work on concurrent games [6] and their extension with probability. References 1. Lowe, G.: Breaking and fixing the needham-schroeder public-key protocol using FDR. In: Proc. TACAS. Volume 1055 of LNCS. (1996) 2. Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Comm. ACM 21(12) (1978)

20 20 Jonathan Hayman and Glynn Winskel 3. Paulson, L.C.: Proving properties of security protocols by induction. In: Proceedings of the 10th IEEE workshop on Computer Security Foundations. CSFW 97, IEEE Computer Society (1997) 4. Thayer, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: Proving security protocols correct. Journal of Computer Security 7(1) (1999) Crazzolara, F., Winskel, G.: Events in security protocols. In: ACM Conference on Computer and Communications Security. (2001) Rideau, S., Winskel, G.: Concurrent strategies. In: Proc. LICS, IEEE Computer Society (2011) Winskel, G.: Event structures with symmetry. Electr. Notes Theor. Comput. Sci. 172 (2007) Nielsen, M., Clausen, C.: Games and logics for a noninterleaving bisimulation. Nord. J. Comput. 2(2) (1995) Baldan, P., Crafa, S.: A logic for true concurrency. In: Proc. CONCUR. Volume 6269 of LNCS. (2010) Kremer, S., Raskin, J.F.: A game-based verification of non-repudiation and fair exchange protocols. Journal of Computer Security 11(3) (2003) Haack, C., Jeffrey, A.: Pattern-matching spi-calculus. Inf. Comput. 204(8) (2006) Milner, R., Parrow, J., Walker, D.: A calculus of mobile processes, I. Inf. Comput. 100(1) (1992) Dolev, D., Yao, A.C.C.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2) (1983) Winskel, G.: Event structures. In: Advances in Petri Nets. Volume 255 of LNCS., Springer (1986) Winskel, G.: Event structure semantics for CCS and related languages. In: Proc. ICALP. Volume 140 of LNCS., Springer (1982) Cervesato, I., Durgin, N.A., Lincoln, P., Mitchell, J.C., Scedrov, A.: A metanotation for protocol analysis. In: Proc. CSFW. (1999) Basin, D.A., Caleiro, C., Ramos, J., Viganò, L.: Distributed temporal logic for the analysis of security protocol models. Theor. Comput. Sci. 412(31) (2011) Pitts, A.M.: Nominal logic, a first order theory of names and binding. Inf. Comput. 186(2) (2003) Mukhamedov, A., Ryan, M.D.: Fair multi-party contract signing using private contract signatures. Inf. Comput. 206(2-4) (2008) Varacca, D., Völzer, H., Winskel, G.: Probabilistic event structures and domains. Theor. Comput. Sci. 358(2-3) (2006)