The Needham-Schroeder-Lowe protocol

Transcription

1 The Needham-Schroeder-Lowe protocol Unbounded sessions Principals run either initiator or responder role in each of their sessions We adopt the following conventions throughout this paper: honest principals will be denoted by A, B, C, X, Y while arbitrary principals, honest or not, by. For honest and general randomness we use r and s respectively. Honestly generated nonces, will be denoted by capital letters N while strings received from the network, not necessarily honest, will be denoted by n, m. 1. A B : {N 1, A} B 2. B A : {N 1, N 2, B} A 3. A B : {N 2 } B Roles Init A NSL[A, i,, N 1, n 2, r 1, s 2, r 3 ] A generates i N 1 ; A sends i {N 1, A} r1 ; A receivesi {N 1, n 2, } s2 A ; A sendsi {n 2 } r3 Resp B NSL[B, i,, n 1, N 2, s 1, r 2, s 3 ] B receives i {n 1, } s1 B ; B generatesi N 2 ; B sends i {n 1, N 2, B} r2 ; B receivesi {N 2 } s3 B Abbreviations Honest principals in each of their sessions follow either the initiator or the responder role and do nothing else. FOLL(Roles A NSL) ) i (,N1,n 2,r 1,s 2,r 3 Foll(Init A NSL[A, i,, N 1, n 2, r 1, s 2, r 3 ]),n 1,N 2,s 1,r 2,s 3 Foll(Resp A NSL[A, i,, n 1, N 2, s 1, r 2, s 3 ]) Protocol Prot AB NSL[A, i, B, i, N 1, N 2, r 1, r 2, r 3 ] A generates i N 1 ; A sends i {N 1, A} r1 B ; B receivesi {N 1, A} r1 B ; B generatesi N 2 ; B sends i {N 1, N 2, B} r2 A receives i {N 1, N 2, B} r2 A ; A sendsi {N 2 } r3 B ; B {N receivesi 2 } s3 B For this protocol, we need an additional axiom, namely that n, N Without this, there is a serious attack where n is of sort nonce (not hnonce). a) We first prove SecSend. Let C A,B [N] i,n,r,x A,B,Y A,B (X generates i N; X sends i {N, X} r Y X generates i N; X sends i {n, N, X} r Y ) (1) and let C (t A,B [X, i, t, m, N] i,n,n,r,r,y A,B ( {n, N, X} r Y (t = {n, N, X} r Y (m = N N N)) ) (2) ( X generates i N; X sends i {N, X} r Y t {N, X} r ) Y ( X generates i N; X sends i {N, X} r X t {n} r ) X ( Y generates i N; Y sends i {n, N, Y } r ) ) X t {N} r Y A ; 1

2 The blue line is an optional addition, we comment on it in the proof. So SecSend takes the form SecSend( A, C, C ) ( C[N] Y A Y sends i2 τ 2 t 2 N,Y,i2,τ 2,t 2,u 2,m 2 m2 (m 2 u 2 m 2 Y ( m 2 t 2 C A (Y, i 2, t 2, m 2, N) )) ( m 2 Y m 2 t 2 C A (Y, i 2, t 2, m 2, N) ) (3) u1 ( m1.m 1 u 1 m 1 X( i1,τ 1.<τ 2,t 1,X.X A( m1 t 1 X sends i1 t 1 C A (X, i 1, t 1, m 1, N) )) Sec τ2 ( A, ) u 1, u 2, N) N.C[N ]Sec τ2 ( A, N ) u1 ( m1.m 1 u 1 m 1 X( i1,τ 1.<τ 2,t 1,X.X A( m1 t 1 X sends i1 t 1 C A (X, i 1, t 1, m 1, N) )) Sec τ2 ( A, ) ) u 1, u 2, m 2, t 2, N) We will show that FOLL(Roles A NSL) FOLL(Roles B NSL) SecSend( A, B, C, C ). Proof of a.) Suppose FOLL(Roles A NSL) FOLL(Roles B NSL) and the premise of SecSend hold. Let N, Y, i 2, τ 2, t 2, u 2, m 2 be as in the premise of SecSend, and let u 1 be such that We have to show m1.m 1 u 1 ( i1,τ 1.<τ 2,t 1,X.X A( m1 t 1 X sends i1 t 1 C A (X, i 1, t 1, m 1, N) )). Sec τ2 ( A, u 1, u 2, m 2, t 2, N). By the premise of (3), Y sends i2 τ 2 t 2. From FOLL(Roles A NSL) FOLL(Roles B NSL), FOLL(Roles Y NSL) follows, and so,n1,n 2,r 1,s 2,r 3 Foll(Init Y NSL[Y, i 2,, N 1, n 2, r 1, s 2, r 3 ]),n 1,N 2,s 1,r 2,s 3 Foll(Resp Y NSL[Y, i 2,, n 1, N 2, s 1, r 2, s 3 ]). Furthermore, (Init Y NSL[Y, i 2,, N 1, n 2, r 1, s 2, r 3 ]) Foll(Resp Y NSL[Y, i 2,, n 1, N 2, s 1, r 2, s 3 ]) because FOLL requires that in every session only the initiator or the responder role is executed, and by term axioms, no send action of responder s role can be equal any of the initiator s send actions, and no send action of the initiator s role can be equal to any of the responder s send actions. So there are two possibilities. 1/2.) If Init Y NSL[Y, i 2,, N 1, n 2, r 1, s 2, r 3 ]), that is, the role of i 2 is that of the initiator s, then FOLL(Init Y NSL) implies that t 2 = {N 1, Y } r1 t = {n 2} r3 1/2.1/2.) Suppose first that t 2 = {N 1, Y } r1. Then by FOLL(Init Y NSL), Y generates i2 N 1 ; Y sends i2 {N 1, Y } r1. 1/2.1/2.1/2.) If N 1 = N, then C[N 1 ] is satisfied, which by VI.1.b implies Y sends i2 {N 1, Y } r Z for Z being A or B, and so by FOLL(Init Y NSL) and term axioms, = Z. 2

3 In this case, the second conjunct of C A (Y, i 2, t 2, m 2, N) is not satisfied, therefore, since we assumed that C A (Y, i 2, t 2, m 2, N) is satisfied, m 2 = Y. By the premise of SecSend, we have Therefore, since in this case the encryption is secure, we have by axiom V.i. Since m 2 = Y, we also have, by V.b and V.f that Sec τ2 ( A, u 1, u 2, N). Sec τ2 ( A, B, u 1, u 2, {N 1, A } r1 B, N) Sec τ2 ( A, B, u 1, u 2, m 2, {N 1, A } r1 B, N). 1/2.1/2.2/2.) Let N 1 N. Since, by the initiator s protocol role, there is no send action before Y sends i2 {N 1, Y } r1, by the third item of axiom V.a, we have Sec τ2 ( A, u 1, u 2, N 1, N). Then by V.b, we get and finally, by V.j, Sec τ2 ( A, u 1, u 2, N 1, A, N), Sec τ2 ( A, u 1, u 2, N 1, {N 1, Y } r1, N). By the premise of SecSend, m 2 {N 1, Y } r1. So m 2 is either N 1 or Y. If it is N 1, then we are done. If it is Y, then since names can always be pulled into the second argument of Sec, we also have by V.b that Sec τ2 ( A, u 1, u 2, m 2, {N 1, Y } r1, N). 1/2.2/2.) If t 2 = {n 2 } r3, then by the premise of SecSend, m 2 is either Y or n 2. 1/2.2/2.1/2.) If Sec τ2 ( A, B, u 1, u 2, n 2, N), then by V.f, and V.b Sec τ2 ( A, B, u 1, u 2, Y, n 2, n 2, N), and Sec τ2 ( A, B, u 1, u 2, Y, n 2, {n 2 } r3, N) by Axiom V.j. So, again by V.f, as m 2 is either Y or n 2, we have Sec τ2 ( A, B, u 1, u 2, m 2, {n 2 } r3, N). 1/2.2/2.2/2.) Let now hold. This implies By Init A NSL[Y, i 2,, N 1, n 2, r 1, s 2, r 3 ]), Sec τ ( A, B, u 1, u 2, n 2, N) (4) Sec τ ( A, B, N 1, n 2,, u, N). (5) Y receives i2 τ {N 1, n 2, } s2 Y ; Y sendsi2 τ 2 {n 2 } r3. We have Sec τ2 ( A, B, u 1, u 2, N) by the premise of SecSend, hence we also have Sec τ2 ( A, B, {N 1, n 2, } s2 Y, u 1, u 2, N) 3

4 by axiom V.c. In Axiom VI.3, taken t to be N 1, n 2,, we have Xi 1 t 1 t r(x A, B X sends i1 t 1 ; Y receives i2 {N 1, n 2, } s2 Y ; Y sendsi2 {n 2 } r3 {t } r Y t 1 {N 1, n 2, } s2 Y = {t } r Y ), so, N 1, n 2, = t. (6) by axiom IV.2.c. X is following either the initiator or the responder role of the NSL protocol in its session i 1. 1/2.2/2.2/2.1/2.) Let,N 1,n 2,r 1,s 2,r 3 Foll(Init X NSL[X, i 1,, N 1, n 2, r 1, s 2, r 3]). In this case, t 1 can be two things. 1/2.2/2.2/2.1/2.1/2) Let t 1 = {N 1, X} r 1. Then {t } r Y t 1 implies by term axioms that Therefore, again by term axioms, {N 1, X} r 1 = {t } r Y. = Y t = N 1, X. This combined with (6) gives us N 1, X = N 1, n 2,. (7) Since Sec 0 ( A, B, N 1, n 2,, N 1 ), we also have that Sec 0 ( A, B, N 1, X, N 1 ), and by axiom V.b, Sec 0 ( A, B, N 1, N 1 ). But, by axiom V.a, this implies that N 1 = N 1. Further, (5) and (7) imply Sec τ2 ( A, B, N 1, X, N), from which Sec τ2 ( A, B, N 1, u 2, N) follows. As X sends i1 {N 1, X} r 1 and < τ 2, this contradicts to the premise of SecSend (with u 1 = N 1) unless is satisfied. But that is only possible if C A (X, i 1, {N 1, X} r 1 Y, N 1, N) A generates i N; A sends i {N, A} r B X = A {N 1, X} r 1 Y = {N, A}r B, and so Y = B N 1 = N 1 = N. Hence, as N was generated in session i of A, N 1 in session i 2 of Y and N 1 in i 1 of X, by axiom VI.1.b, i = i 1 = i 2 A = B = X = Y. Then = B = A according to the role of i. This, together with (7) gives N, A = N, n 2, A. From here we can only conclude if either we assume A B or that N, A N, n 2, A, in which case we get a contradiction. Otherwise, there is an attack for the case A = B. So t 1 {N 1, X} r 1. 4

5 If we consider the blue addition to C, then in the case A = B, we only have to prove Sec τ2 ( A, B, u 1, u 2, {n 2 } r3 A, N), which does hold by the premise of SecSend and by V.i. 1/2.2/2.2/2.1/2.2/2) Let t 1 = {n 2} r 3. Then {t } r Y t 1 implies by term axioms that Therefore, again by term axioms, {n 2} r 3 = {t } r Y. = Y t = n 2. This combined with (6) gives us Further, (5) and (8) imply n 2 = N 1, n 2,. (8) Sec τ2 ( A, B, n 2, N). As X sends i1 {n 2} r 3 and < τ 2, this contradicts to the premise of SecSend (with u 1 = n 2) unless is satisfied. But that is only possible if and so This, together with (8) gives C A (X, i 1, {n 2} r 3 Y, n 2, N) i,n,r,r (B generatesi N; B sends i {n, N, B} r A X = A {n 2} r 3 Y Y = B n 2 = N. N = N 1, n 2, A. = B), {N}r Since Sec 0 ( A, B, N 1, n 2,, N 1 ), we also have that Sec 0 ( A, B, N, N 1 ), But, by axiom V.a, this implies that N = N 1. But this is not possible by VI.1.b, because N was generated in session i of B, whereas N 1 was generated in session i 2 of B, and i i 2 as i is a responder session and i 2 is an initiator session. So t 1 {n 2} r 3 1/2.2/2.2/2.2/2.) Let now,n 1,N 2,s 1,r 2,s 3 Foll(RespX NSL[X, i 1,, n 1, N 2, s 1, r 2, s 3]) hold. Then by FOLL(Resp X NSL), This, together with {t } r Y t 1 and term axioms, we get This, together with (6) and term axioms imply t 1 = {n 1, N 2, X} r 2. = Y t 1 = n 1, N 2, X. n 1 = N 1 n 2 = N 2 = X. Therefore, t 2 = {N 2} r3 X 5

6 holds. Since this is a safe encryption, so 1/2.2/2.2/2.2/2.1/2.) if m 2 = X, then by V.b and by V.i, Sec τ2 ( A, B, u 1, u 2, m 2{N 2} r3 X, N) holds. 1/2.2/2.2/2.2/2.2/2.) If m 2 X, then by the premise of SecSend, m 2 t 2, holds implying m 2 = N 2, and C A (Y, i 2, {N 2} r3 X, m 2, N) ) holds as well. As {N 2} r3 X {N, A}r B and {N 2} r3 X {n, N, X} r Y, the first two conjuncts of C don t give any aditional restrictions. The last conjunct says that i,n,r,r (B generatesi N; B sends i {n, N, B} r A Y = A {N 2} r3 X {N}r B). 1/2.2/2.2/2.2/2.2/2.1/2.) Suppose B generates i N; B sends i {n, N, B} r A. 1/2.2/2.2/2.2/2.2/2.1/2.1/2) Suppose Y = A. Then by C, r {N 2} r3 X {N}r B. Because of this condition, if X = B, then N 2 N, as otherwise {N 2} r3 X = {N}r3 B. If X A, then again N 2 N, because N was generated by B, but N 2 was generated by X. So in either cases, N 2 N. 1/2.2/2.2/2.2/2.2/2.1/2.2/2) Suppose now Y A. In this case, {n 1, N 2, X} r 2 Y {n, N, B}r A, meaning that the sessions in which N 2 and N were generated (by X and B respectively) are different, so N 2 N. 1/2.2/2.2/2.2/2.2/2.2/2.) Suppose now that i,n,rb generates i N; B sends i {n, N, B} r A, which means, as C[N] is satisfied, that N was generated by A, that is, A generates i N; A sends i {N, A} r B. In this case, N was generated in an initiator session, whereas N 2 was generated in a responder session. So we have that 1/2.2/2.2/2.2/2.2recap/2.) That means that is satisfied, and hence is also true, and as a consequence, for u 1 = u 1, N 2, N 2 N. C A (X, i 1, {n 1, N 2, X} r 2 Y, N 2, N) ) i1,.<τ 2,t 1,X.X A( N 2 t 1 X sends i1 t 1 C A (X, i 1, t 1, N 2, N) ) m1.m 1 u 1 m1 X ( i1,τ 1.<τ 2,t 1,X.X A( m1 t 1 X sends i1 t 1 C A (X, i 1, t 1, m 1, N) )) is satisfied. Therefore, by the premise of SecSend, Sec τ2 ( A, B, u 1, N 2, u 2, N), and so holds. Then again, by V.i, and as m 2 = N 2, we have Sec τ2 ( A, B, u 1, u 2, N 2, N) Sec τ2 ( A, B, u 1, u 2, m 2, {N 2} r3 X, N). 6

7 2/2.) If Resp Y NSL[Y, i 2,, n 1, N 2, s 1, r 2, s 3 ] then Y sends i τ t, by FOLL(Resp Y NSL) implies that t 2 = {n 1, N 2, Y } r2 2/2.1/2.) If = A = B, then: 2/2.1/2.1/2.) If m 2 = Y, then Since, by the premise of SecSend, we have Sec τ2 ( A, B, u 1, u 2, N), and from V.b, we have Further, as = A = B, we have by V.i that Sec τ2 ( A, B, u 1, u 2, m 2, N). Sec τ2 ( A, B, u 1, u 2, m 2, {n 1, N 2, Y } r2, N). 2/2.1/2.2/2.) If m 2 Y, then by the premise of SecSend, m t 2, C A (Y, i 2, t 2, m 2, N) hold, so n,n,r,z{n 1, N 2, Y } r2 {n, N, Y } r Z (m 2 = N N N), which means, in particular for N = N 2, n = n 1, r = r 2 and Z =, that As the first disjunct never holds, we have {n 1, N 2, Y } r2 {n 1, N 2, Y } r2 (m 2 = N 2 N 2 N). m 2 = N 2 N 2 N. Since, by the premise of SecSend, we have Sec τ2 ( A, B, u 1, u 2, N), we also have from V.a, as N 2 has not been sent out yet, that Sec τ2 ( A, B, u 1, u 2, N 2, N). Further, as = A = B and m = N 2, we have by V.i that Sec τ2 ( A, B, u 1, u 2, m 2, {n 1, N 2, Y } r2, N). 2/2.2/2.) If A B, then C A (Y, i 2, t 2, m 2, N) does not provide any further restriction, so by the premise of SecSend, m 2 = Y m 2 = n 1 m 2 = N 2. 2/2.2/2.1/2.) If Sec τ2 ( A, B, u 1, u 2, n 1, N), then we also have from V.a, as N 2 has not been sent out yet, that Further, from V.b, we have Then, by V.j, follows, from which, using V.f, we receive Sec τ2 ( A, B, u 1, u 2, n 1, N 2, N). Sec τ2 ( A, B, u 1, u 2, n 1, N 2, Y, N). Sec τ2 ( A, B, u 1, u 2, n 1, N 2, Y, {n 1, N 2, Y } r2, N) Sec τ2 ( A, B, u 1, u 2, m 2, {n 1, N 2, Y } r2, N). 2/2.2/2.2/2.) If Sec τ2 ( A, B, u 1, u 2, n 1, N), then by Axiom VI.3, and FOLL(Resp Y NSL), A i 1 t 1 t r(x A, B X sends i1 t 1 ; Y receives i2 {n 1, } s1 Y ; Y sendsi2 {n 1, N 2, Y } r2 {t } r Y t 1 {n 1, } s1 Y = {t } r Y ), 7

8 so, n 1, = t. (9) X is following either the initiator or the responder role of the NSL protocol in its session i 1. 2/2.2/2.2/2.1/2.) Let,N 1,n 2,r 1,s 2,r 3 Foll(Init X NSL[X, i 1,, N 1, n 2, r 1, s 2, r 3]). In this case, t 1 can be two things. 2/2.2/2.2/2.1/2.1/2) Let t 1 = {N 1, X} r 1. Then {t } r Y t 1 implies by term axioms that Therefore, again by term axioms, This combined with (9) gives us from which {N 1, X} r 1 = {t } r Y. = Y t = N 1, X. N 1, X = n 1,, (10) n 1 = N 1 = X. This means that is A or B, contradicting our assumption. 2/2.2/2.2/2.1/2.2/2) If t 1 = {n 2} r 3, then by term axioms, and since {t } r Y t 1, = Y t = n 2. But as n 1, = t, we have n 1, = n 2. (11) This, together with Sec τ2 ( A, B, u 1, u 2, n 1, N) imply by Axiom V.f. and V.h. that Sec τ2 ( A, B, u 1, u 2, n 2, {n 2} r 3 Y, N) holds, which, by the premise of SecSend is possible only if holds. This, in turn is only possible as long as That is, and we get C A (X, i 1, {n 2} r 3 Y, n 2, N) B generates i N; B sends i {n, N, B} r A X = A {n 2} r 3 Y Y = B n 2 = N, n 1, = N. = B. {N}r As we mentioned at the beginning, if we have n 1, N as an axiom, then we get a contradiction here. If we do not postulate this, then there is an attack. 2/2.2/2.2/2.2/2.) Let,n 1,N 2,s 1,r 2,s 3 Foll(Resp X NSL[X, i,, n 1, N 2, s 1, r 2, s 3]). In this case, t 1 = {n 1, N 2, X} r 2, then by term axioms, and since {t } r Y t 1, = Y t = n 1, N 2, X. But as n 1, = t, we have n 1, = n 1, N 2, X. (12) 2/2.2/2.2/2.2/2.1/2.) If n 1, N 2, X = n 1, N 2, X, then (12) implies X =, which contradicts our assumption that is neither A, nor B. 8

9 2/2.2/2.2/2.2/2.2/2.) If n 1, N 2, X = n 1, N 2, X, then (12) implies N 2, X =. As = Y, N 2 satisfies C[N 2], therefore, by the premise of SecSend, Sec τ2 ( A, N 2) holds. Then, by V.b, Sec τ2 ( A,, N 2) and so which gives a contradiction. Sec τ2 ( A, N 2, X, N 2), b) We now prove agreement from the responder s viewpoint. That is, we will show that Resp B NSL[B, i, A, n 1, N 2, s 1, r 2, s 3 ] FOLL(Roles A NSL) FOLL(Roles B NSL) ir 1 s 2 r 3 Init A NSL[A, i, B, n 1, N 2, r 1, s 2, r 3 ] Proof of b.) As a result of SecSend, and axiom VI.2, we have u. ( C(N) m0.m 0 u i, τ, t, X A.m 0 t X sends i τ t C A (X, i, t, m 0, N) ) Sec ( A, u, N). (13) By Resp B NSL[i, A, n 1, N 2, s 1, r 2, s 3 ], we have therefore, C[N 2 ] is satisfied, and hence, by 13. we have B generates i N 2 ; B sends i {n 1, N 2, B} r2 A ; B receivesi {N 2 } s3 B Sec ( A, B, N 2 ). So, since Sec( A, B, N 2, N 2 ) by Axiom V.g., we have by VI.3 X,i1,t 1,t,r(X A, B X sends i1 t 1 ; B receives i {N 2 } s3 B {t } r B t 1 {N 2 } s5 B = {t } r B ), so, 1/2.) If i 1 is responder role, then By term axioms, and since {t } r B t 1, But as by equation (14), we have N 2 = t. (14) t 1 = {n 1, N 2, X} r 1. = B t = n 1, N 2, X. n 1, N 2, X = N 2. 1/2.1/2.) Suppose N 2 N 2. By the preceding, X sends i1 {n 1, N 2, X} r 1 B, which means that C[N 2] is satisfied. As we also had B sends i {n 1, N 2, B} r1 A, which means that sessions i and i 1 are different. Since C [B, i, {n 1, N 2, B} r1 A, N 2, N 2] is satisfied, setting u 1 = N 2, we get from (13) that Sec ( A, N 2, N 2) 9

10 which contradicts n 1, N 2, X = N 2. 1/2.1/2.) Suppose N 2 = N 2. By the preceding, X sends i1 {n 1, N 2, X} r 1 B. As we also had B sendsi {n 1, N 2, B} r1 A, which means that sessions i and i 1 must be identical as N 2 was generated in i and N 2 in i 1. In this case A = B. If n 1, N 2, B = N 2 is possible, then we cannot conclude anything. It is reasonable though to postulate that this is not possible. 2/2.) If i 1, is initiator role, then t 1 = {N 1, X} r1 t 1 = {n 2 } r3. 2/2.1/2.) If t 1 = {N 1, X} r1, then by term axioms, and since {t } r B t 1, But as by equation (14), we have = B t = N 1, X. N 1, X = N 2, which is not possible by Axiom IV.2.f. Here we also used that N 1 N 2 (by axiom VI.1.b) because they are generated by different roles, and also that N 2 as it was received. Alternatively, this can be proved by (13): setting u 1 = N 1, X, N = N 2, we get that Sec ( A, u 1, N 2 ), which contradicts N 1, X = N 2. So t 1 {N 1, X} r1. 2/2.2/2.) If t 1 = {n 2 } r3, then by term axioms, and since {t } r B t 1, = B t = n 2. But by equation (14), we have Hence, so, by FOLL(Roles X NSL), we have n 2 = N 2. X sends i1 {N 2 } r3 B, We still have to prove that X = A and n 1 = N 1. Since in 1 r 1 s 2 r 3 Init X NSL[X, i, B, N 1, N 2, r 1, s 2, r 3 ]. X generates i N 1 ; X sends i {N 1, X} r1 B, C[N 1 ] is satisfied, so by (13), we have Further, Init X NSL[X, i, B, N 1, N 2, r 1, s 2, r 3 ] implies Sec ( A, B, N 1 ). and since Sec( A, B, N 1, n 2, B, N 1 ), by Axiom VI.3., so, X receives i {N 1, N 2, B} s2 X, Y i 1t 1 t r(y A, B Y sends i 1 t1 ; X receives i {N 1, N 2, B} s2 X 2/2.2/2.1/2.) If i 1 is an initiator session, then because of FOLL(Roles Y NSL), {t } r X t 1 {N 1, N 2, B} s2 X = {t } r X ), N 1, N 2, B = t. (15) t 1 = {N 1, Y } r 1 t 1 = {n 2} r 3. 10

11 2/2.2/2.1/2.1/2.) Let t 1 = {N 1, Y } r 1. Then {t } r X t 1 implies by term axioms that Therefore, again by term axioms, This combined with (15) gives us {N 1, Y } r 1 = {t } r X. = X t = N 1, X. N 1, Y = N 1, N 2, B. (16) N 2 was generated in a responder session, satisfying C[N 2 ]. Then by taking u 1 = N 1, by (13), Sec ( A, N 1, N 2 ), giving a contradiction. 2/2.2/2.1/2.2/2.) Let t 1 = {n 2} r 3. Then {t } r X t 1 implies by term axioms that Therefore, again by term axioms, This combined with (15) gives us {n 2} r 3 = {t } r X. = X t = n 2. n 2 = N 1, N 2, B. (17) N 2 was generated in a responder session, satisfying C[N 2 ]. The above equation implies Sec ( A, n 2, N 2 ), which, by setting u 1 = n 2 and (13), is only possible if n 2 = N 2. So N 2 = N 1, N 2, B. Since N 1 was generated by X and meant for B, we also have C[N 1 ]. Again by (13), Sec ( A, N 2, N 1 ) giving a contradiction. 2/2.2/2.2/2.) If i 1 is a responder session, then by FOLL(Roles Y NSL), By term axioms, and since {t } r X t 1, But by equation (15), we have Hence From the preceding, we had t 1 = {n 1, N 2, Y } r 2. = X t = n 1, N 2, Y. n 1 = N 1 n 2 = N 2 Y = B. (18) B sends i 1 {N1, N 2, B} r 2 X. B generates i N 2 B generates i 1 N 2 n 2 = N 2 n 2 = N 2. Therefore, by axiom VI.1.b., But that means and by Foll(Resp B NSL), we get and by equation (18), i 1 = i. B receives i {n 1, A} s1 B B receivesi {n 1, X} s 1 B, n 1 = n 1 X = A n 1 = N 1. 11

12 c) We now prove agreement from the initiator s viewpoint. That is, we will show that Proof of c.) By Init A NSL[i, B, N 1, n 2, r 1, s 2, r 3 ], we have Init A NSL[i, B, N 1, n 2, r 1, s 2, r 3 ] FOLL(Init A NSL) FOLL(Resp B NSL) i s 1 r 2 (B receives i {N 1, A} s1 B ; B generatesi n 2 ; B sends i {N 1, n 2, B} r2 A ) A generates i N 1 ; A sends i {N 1, A} r1 B ; A receivesi {N 1, n 2, B} s2 A therefore, C[N 1 ] is satisfied, and hence, by a.) and axiom VI.2. we have So, since Sec( A, B, N 1, n 2, B, N 1 ), by Axiom VI.3., so, Sec ( A, B, N 1 ). Xi 1 t 1 t r(x A, B X sends i1 t 1 ; A receives i {N 1, n 2, B} s2 A 1/2.) If i 1 is an initiator session, then because of FOLL(Roles X NSL), {t } r A t 1 {N 1, n 2, B} s2 A = {t } r A ), N 1, n 2, B = t. (19) t 1 = {N 1, X} r 1 t 1 = {n 2} r 3. 1/2.1/2.) Let t 1 = {N 1, X} r 1. Then {t } r A t 1 implies by term axioms that Therefore, again by term axioms, This combined with (19) gives us {N 1, X} r 1 = {t } r A. = A t = N 1, X. N 1, X = N 1, n 2, B. (20) N 1 was generated in an initiator session of, satisfying C[N 1 ]. 1/2.1/2.1/2.) Suppose N 1 N 1. Then by taking u 1 = N 1, by (13), Sec ( A, N 1, N 2 ), and so Sec ( A, N 1, X, N 2 ) giving a contradiction. 1/2.1/2.2/2.) Suppose N 1 N 1. Then, X = A, because N 1 cannot be generated by different names. Further, i 1 = i, and so A = B as N 1 was meant for B, and N 1 was meant (encrypted) for A. So N 1, A = N 1, n 2, A. As we discussed in 1.1 of a), this has to be prevented in order to be able to verify for A = B. 1/2.2/2.) Let t 1 = {n 2} r 3. Then {t } r A t 1 implies by term axioms that {n 2} r 3 = {t } r A. 12

13 Therefore, again by term axioms, This combined with (19) gives us = A t = n 2. n 2 = N 1, n 2, B. (21) N 1 was generated in a responder session, satisfying C[N 1 ]. If we have the blue addition in C, then we cannot proceed further, unless A B. But the blue line was introduces solely for this case. If we don t have, then by setting u 1 = n 2, from (13) we get Sec ( A, n 2, N 1 ). And that contradicts (21). 2/2.) If i 1 is a responder session then by FOLL(Roles X NSL), t 1 = {n 1, N 2, X} r2. By term axioms, and since {t } r A t 1, But by equation (19), we have Hence, so, by FOLL(Roles B NSL), we have = A t = n 1, N 2, X. n 1 = N 1 n 2 = N 2 X = B. B sends i1 {N 1, n 2, B} r2 A, i s 1 r 2 (B receives i {N 1, A} s1 B ; B generatesi n 2 ; B sends i {N 1, n 2, B} r2 A ). 13