On-the-fly Model Checking of Security Protocols

Transcription

1 Guoqiang LI Japan Advanced Institute of Science and Technology Supervisor: Prof. Mizuhito Ogawa February 7, / 103

2 A Challenging Problem and A Legend... A security protocol, although only containing several flows, is easily caused attacks even without breaking cryptography. Analyzing security protocols proves to be a challenging problem over 30 years. Analyzing the Needham-Schroeder authentication protocol becomes a legend. In 1978, the NSSK and NSPK protocols are proposed. In 1981, Denning and Sacco found NSSK was flawed and proposed a refined protocol. In 1994, Abadi found that the refined protocol was also flawed. In 1995, Lowe found an attack on the NSPK protocol. (17 years after its publication) 2 / 103

3 A Challenging Problem and A Legend... A security protocol, although only containing several flows, is easily caused attacks even without breaking cryptography. Analyzing security protocols proves to be a challenging problem over 30 years. Analyzing the Needham-Schroeder authentication protocol becomes a legend. In 1978, the NSSK and NSPK protocols are proposed. In 1981, Denning and Sacco found NSSK was flawed and proposed a refined protocol. In 1994, Abadi found that the refined protocol was also flawed. In 1995, Lowe found an attack on the NSPK protocol. (17 years after its publication) 2 / 103

4 A Challenging Problem and A Legend... A security protocol, although only containing several flows, is easily caused attacks even without breaking cryptography. Analyzing security protocols proves to be a challenging problem over 30 years. Analyzing the Needham-Schroeder authentication protocol becomes a legend. In 1978, the NSSK and NSPK protocols are proposed. In 1981, Denning and Sacco found NSSK was flawed and proposed a refined protocol. In 1994, Abadi found that the refined protocol was also flawed. In 1995, Lowe found an attack on the NSPK protocol. (17 years after its publication) 2 / 103

5 A Challenging Problem and A Legend... A security protocol, although only containing several flows, is easily caused attacks even without breaking cryptography. Analyzing security protocols proves to be a challenging problem over 30 years. Analyzing the Needham-Schroeder authentication protocol becomes a legend. In 1978, the NSSK and NSPK protocols are proposed. In 1981, Denning and Sacco found NSSK was flawed and proposed a refined protocol. In 1994, Abadi found that the refined protocol was also flawed. In 1995, Lowe found an attack on the NSPK protocol. (17 years after its publication) 2 / 103

6 A Challenging Problem and A Legend... A security protocol, although only containing several flows, is easily caused attacks even without breaking cryptography. Analyzing security protocols proves to be a challenging problem over 30 years. Analyzing the Needham-Schroeder authentication protocol becomes a legend. In 1978, the NSSK and NSPK protocols are proposed. In 1981, Denning and Sacco found NSSK was flawed and proposed a refined protocol. In 1994, Abadi found that the refined protocol was also flawed. In 1995, Lowe found an attack on the NSPK protocol. (17 years after its publication) 2 / 103

7 The NSPK Protocol A B : B A : A B : {A, N A } +KB {N A, N B } +KA {N B } +KB A I : {A, N A } +KI I(A) B : {A, N A } +KB B I(A) : {N A, N B } +KA I A : {N A, N B } +KA A I : {N B } +KI I(A) B : {N B } +KB 3 / 103

8 The Fixed NSPK Protocol A B : B A : A B : {A, N A } +KB {B, N A, N B } +KA {N B } +KB A I : {A, N A } +KI I(A) B : {A, N A } +KB B I(A) : {B, N A, N B } +KA I A : {I, N A, N B } +KA 4 / 103

9 Security Protocols A B : B A : A B : {A, N A } +KB {B, N A, N B } +KA {N B } +KB A security protocol is a finite sequence of flows taken between two or more protocol roles using cryptography to establish security properties in a hostile environment. Protocol roles comprise sender, receiver, server, and so on. Instances of protocol roles are named principals. A session of a security protocol is one execution of the protocol attended by minimal number of principals. A fresh session is usually distinguished by a nonce. A message is a bit stream representing the information communicated between principals. A undecomposable message is named a name. 5 / 103

10 Process Calculus π-calculus π ::= x y x(z) τ P ::= 0 π.p P P [x = y] P νz P P + P!P e.g. ((ν z)x z.p) x(y).q R + ((ν z)p Q{z/y}) R Channel-based VS. Environment-based Communications: exchange with a specific channel VS. exchange with environment Freshness of names: scopes of local names VS. fresh public names Generation of messages by intruders and dishonest principals: recursive processes VS. deductive systems (Dolev-Yao model) Replication!P VS. Identifier A(x 1,..., x n ) Each identifer has the unique definition A(x 1,..., x n) P. Infinite process definitions:!p P P...VS. A E(A). 6 / 103

11 Factors of Infinity Unbounded number of messages that intruders and dishonest principals can generate. Idea: Variables are substituted only when needed. Unbounded number of principals that each principal contacts. Idea: Names are extended from constants to terms, called binders. These binders are instantiated depending on the context. Unbounded number of sessions that each principal participates. Idea: Restricting primitives due to difference assumptions. Bounded sessions: contains no recursive processes (without identifiers), and uses distinguished symbols for fresh messages. Recursive protocols: contains only one sequential recursive process, and uses nested binders for fresh messages. 7 / 103

12 Infinite Messages and Lazy Evaluation A B : N A, {A, M} KAB Sending a message Lazy evaluation Input requirement a(n A, {A, M} k[a,b] ) 8 / 103

13 Infinite Messages and Lazy Evaluation A B : N A, {A, M} KAB Sending a message Lazy evaluation Input requirement a(n A, {A, M} k[a,b] ) b(x) 9 / 103

14 Infinite Messages and Lazy Evaluation A B : N A, {A, M} KAB Sending a message Lazy evaluation Input requirement a(n A, {A, M} k[a,b] ) b(x) a(n A, {A, M} k[a,b] ) b(x 1,x 2 ) Require pair splitting 10 / 103

15 Infinite Messages and Lazy Evaluation A B : N A, {A, M} KAB Sending a message Lazy evaluation Input requirement a(n A, {A, M} k[a,b] ) b(x) a(n A, {A, M} k[a,b] ) b(x 1,x 2 ) Require pair splitting a(n A, {A, M} k[a,b] ) b(x 1, {y} k[a,b] ) Require decrypting 11 / 103

16 Infinite Messages and Lazy Evaluation A B : N A, {A, M} KAB Sending a message Lazy evaluation Input requirement a(n A, {A, M} k[a,b] ) b(x) a(n A, {A, M} k[a,b] ) b(x 1,x 2 ) Require pair splitting a(n A, {A, M} k[a,b] ) b(x 1, {y} k[a,b] ) Require decrypting a(n A, {A, M} k[a,b] ) b(x 1, {z,w} k[a,b] ) Require pair splitting 12 / 103

17 Infinite Messages and Lazy Evaluation A B : N A, {A, M} KAB Sending a message Lazy evaluation Input requirement a(n A, {A, M} k[a,b] ) b(x) a(n A, {A, M} k[a,b] ) b(x 1,x 2 ) Require pair splitting a(n A, {A, M} k[a,b] ) b(x 1, {y} k[a,b] ) Require decrypting a(n A, {A, M} k[a,b] ) b(x 1, {z,w} k[a,b] ) Require pair splitting a(n A, {A, M} k[a,b] ) b(x 1, {A, w} k[a,b] ) Require comparing 13 / 103

18 Infinite Messages and Lazy Evaluation A B : N A, {A, M} KAB Sending a message Lazy evaluation Input requirement a(n A, {A, M} k[a,b] ) b(x) a(n A, {A, M} k[a,b] ) b(x 1,x 2 ) Require pair splitting a(n A, {A, M} k[a,b] ) b(x 1, {y} k[a,b] ) Require decrypting a(n A, {A, M} k[a,b] ) b(x 1, {z,w} k[a,b] ) Require pair splitting a(n A, {A, M} k[a,b] ) b(x 1, {A, w} k[a,b] ) Require comparing a(n A, {A, M} k[a,b] ) b(x 1, {A, M} k[a,b] ) Require encrypted message 14 / 103

19 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B {A, N A } +KI a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 15 / 103

20 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B {A, N A } +KI C a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 16 / 103

21 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B {A, N A } +KI C I a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 17 / 103

22 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B {A, N A } +KI C finite I a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 18 / 103

23 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B A {A, N A } +KB {A, N A } +KC B {A, N {A, N A } +KI A } +KI C finite C I I a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 19 / 103

24 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B A {A, N A } +KB {A, N A } +KC B {A, N {A, N A } +KI A } +KI C finite C I I a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 20 / 103

25 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B A {A, N A } +KB {A, N A } +KC B {A, N {A, N A } +KI A } +KI C finite C I I a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 21 / 103

26 Infinite Principals and Binders A B : {A, N A } +KB Existing method Our approach A {A, N A } +KB {A, N A } +KC B A {A, N A } +KB {A, N A } +KC B {A, N A } +KI {A, N A } +KI C finite C infinite! I I a1{a, N A } KA a2{a, N A } K B a3{a, N A } K I (new x : I)a1{A, N A } +k[x] I: set of principals names 22 / 103

27 Infinite Sessions and Freshness of Messages Freshness of sessions is usually captured by fresh nonces. Only one sequential recursive process is allowed in the system. It is later encoded by the pushdown system. Unbounded number of nonces are represented by nested applications of binders. (e.g. N[null], N[N[null]],...) A B : {A, N A } +KB A recursively sending messages is encoded by {A, N[ ]} +K[ ],. (by N [ ], a group of distinguished messages is represented.) Recursive protocols can be analyzed within the restriction. 23 / 103

28 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103

29 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103

30 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103

31 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103

32 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103

33 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103

34 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103

35 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103

36 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103

37 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103

38 Thesis Outline Environment-based process calculus + Environmental deductive system Allows finite processes Sec. & Auth. in bounded sessions Extended with a recursive process Recursive Protocols Extended with P-deductive system Fair. & Non-r. in bounded sessions Protocol-independent spec. transf. to a reachability problem Protocol-independent spec. transf. to a reachability problem Protocol-dependent spec. transf. to a reachability problem Parametrization Refinement step Parametrization Refinement step Parametrization Two-phase refinement steps Encoded by a parametric model Encoded by the PDS Encoded by a parametric model Implemented by Maude Implemented by Maude Implemented by Maude 24 / 103

39 1 Introduction 2 Modeling Protocols for Authentication and Secrecy Description of Security Protocols Environment Ability Specification of Security Protocols 3 Authentication and Secrecy in Bounded Sessions 4 Authentication for Recursive Protocols 5 Non-repudiation and Fairness in Bounded Sessions 6 Conclusion 25 / 103

40 Process Calculus pr ::= x m[pr 1,..., pr n ] M, N, L ::= pr (M, N) {M} L H(M) P, Q, R ::= 0 Nil am.p output a(x).p input [M = N] P match (new x : A)P new (ν n)p restriction let (x, y) = M in P pair splitting case M of {x} L in P decryption P Q composition P + Q summation P; Q sequence A(pr 1,..., pr n ) identifier 26 / 103

41 Description of the NSPK Protocol A B : B A : A B : {A, N A } +KB {N A, N B } +KA {N B } +KB A (new x a : I)(ν N A ) a1{a, N A } +k[xa].a2(y a). case y a of {y a} k[a] in let (z a, z a) = y a in [z a = N A ] a3{z a} +k[xa].0 B (ν N B ) b1(x b ). case x b of {x b} k[b] in let (y b, y b) = x b in [y b = A] b2{y b, N B } +k[a].b3(z b ). case z b of {u b } k[b] in [u b = N B ] 0 SYS NSPK A B 27 / 103

42 Environment Ability Environment memorizes all communicated messages. Environment can produce, encrypt/decrypt, compose/split, and hash messages, following Dolev-Yao model (described as an environmental deductive system ). Environment produces infinitely many messages based on a bounded number of messages. A B C Environment 28 / 103

43 Specifications Trace semantics is chosen for the calculus. Each possible run of a protocol can be represented explicitly by a concrete trace. Processes for a given property will be inserted into a description of a protocol, to represent the security property. Security properties will be defined as reachability problems on a set of traces. A B : B A : A B : {A, N A } +KB {N A, N B } +KA {N B } +KB B (ν N B ) b1(x b ). case x b of {x b} k[b] in let (y b, y b) = x b in [y b = A] Authentication as reachability a3 x acc x b2{y b, N B } +k[a].b3(z b ). case z b of {u b } k[b] in [u b = N B ] acc z b.0 29 / 103

44 1 Introduction 2 Modeling Protocols for Authentication and Secrecy 3 Authentication and Secrecy in Bounded Sessions Parametrization and Refinement Experimental Results 4 Authentication for Recursive Protocols 5 Non-repudiation and Fairness in Bounded Sessions 6 Conclusion 30 / 103

45 Parametrization A receiver may receive an unbounded number of messages. A sender may send messages to an unbounded number of principals. Traces are abstracted to parametric traces by keeping fresh variables un-instantiated. ɛ, a(x).0 ɛ, a(x).0 a(m i), 0 a((m i,m i)), 0 a({m i} +k[i] ), 0 a(x), 0 ɛ, (new x : I)b1{M} +k[x].0 ɛ, (new x : I)b1{M} +k[x].0 b1{m} +k[b], 0 b1{m} +k[c], 0 b1{m} +k[i], 0 b1{m} +k[x], 0 31 / 103

46 Refinement Step Unifiers are applied when generating new parametric traces. ɛ, a1(x).case x of {y} k[a,s] in P p a1(x), case x of {y} k[a,s] in P p a1({y} k[a,s] ), P{{y} k[a,s] /x} An input action can be regarded as a required pattern. Some are easily satisfied (e.g.a1(x)), some are not (e.g. a1({y} k[a,s] )). A required pattern like a1({y} k[a,s] ) is named a rigid message. It should be satisfied by messages in the prefix trace (by unifications).... s {A, M} k[a,s]... a({a, x} k[a,s] ) 32 / 103

47 Refinement Step Unifiers are applied when generating new parametric traces. ɛ, a1(x).case x of {y} k[a,s] in P p a1(x), case x of {y} k[a,s] in P p a1({y} k[a,s] ), P{{y} k[a,s] /x} An input action can be regarded as a required pattern. Some are easily satisfied (e.g.a1(x)), some are not (e.g. a1({y} k[a,s] )). A required pattern like a1({y} k[a,s] ) is named a rigid message. It should be satisfied by messages in the prefix trace (by unifications). Unification x M... s {A, M} k[a,s]... a({a, x} k[a,s] ) 33 / 103

48 Refinement Step Unifiers are applied when generating new parametric traces. ɛ, a1(x).case x of {y} k[a,s] in P p a1(x), case x of {y} k[a,s] in P p a1({y} k[a,s] ), P{{y} k[a,s] /x} An input action can be regarded as a required pattern. Some are easily satisfied (e.g.a1(x)), some are not (e.g. a1({y} k[a,s] )). A required pattern like a1({y} k[a,s] ) is named a rigid message. It should be satisfied by messages in the prefix trace (by unifications). Unification x M... s {A, M} k[a,s]... a({a, x} k[a,s] )... s {A, M} k[a,s]... a({a, M} k[a,s] ) 34 / 103

49 Satisfiable Normal Form Given a parametric trace with bounded length, the refinement step will terminate and the set of normal forms of a parametric trace is finite.... s1{a, M} k[a,s]... a2({a, x} k[a,s] )... Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to the set concrete traces. 35 / 103

50 Satisfiable Normal Form Given a parametric trace with bounded length, the refinement step will terminate and the set of normal forms of a parametric trace is finite. Unification θ... s1{a, M} k[a,s]... a2({a, x} k[a,s] )... Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to the set concrete traces. 36 / 103

51 Satisfiable Normal Form Given a parametric trace with bounded length, the refinement step will terminate and the set of normal forms of a parametric trace is finite. Unification θ... s1{a, M} k[a,s]... a2({a, x} k[a,s] ) s1{a, M} k[a,s]...θ a2({a, M} k[a,s] )...θ Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to the set concrete traces. 37 / 103

52 Satisfiable Normal Form Given a parametric trace with bounded length, the refinement step will terminate and the set of normal forms of a parametric trace is finite. Unification θ... s1{a, M} k[a,s]... a2({a, x} k[a,s] ) s1{a, M} k[a,s]...θ a2({a, M} k[a,s] ) {M(x)} k[n]...θ Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to the set concrete traces. 38 / 103

53 Satisfiable Normal Form Given a parametric trace with bounded length, the refinement step will terminate and the set of normal forms of a parametric trace is finite. Unification θ... s1{a, M} k[a,s]... a2({a, x} k[a,s] )... Unification... s1{a, M} k[a,s]...θ a2({a, M} k[a,s] ) {M(x)} k[n]...θ Unification Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to the set concrete traces. 39 / 103

54 Satisfiable Normal Form Given a parametric trace with bounded length, the refinement step will terminate and the set of normal forms of a parametric trace is finite. Unification θ... s1{a, M} k[a,s]... a2({a, x} k[a,s] )... Unification... s1{a, M} k[a,s]...θ a2({a, M} k[a,s] ) {M(x)} k[n]...θ Normal form Unification The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to the set concrete traces. 40 / 103

55 Japan Advanced Institute of Science and Technology Asahidai, Nomi, Ishikawa, Japan {guoqiang, Introduction Modeling Auth&Sec.in Bou.Ses. Rec.Pro. Non-r&Fair.in Bou.Ses. Conclusion Q&A Experimental Results protocols session protocol spec. states times(s) flaws NSPK protocol detected Woo-Lam protocol* detected fixed NSPK protocol secure fixed NSPK protocol , secure Abadi-Gordon protocol secure Abadi-Gordon protocol , secure Yahalom protocol secure Yahalom protocol detected Otway-Rees protocol secure Otway-Rees protocol , detected Woo-lam protocol secure Woo-lam protocol , detected The tests were Figureperformed 1: Experimental on a Pentium Results for MAuthentication 1.4 GHz, 1.5Protocols GB memory PC, under Windows XP. The protocols common part is about 330 lines protocol (for structures spec. states and functions). times(s) flaws Arecursive two-session authentication protocol protocol in which each principal 32 acts416 as the same 0.82 role detected is labeled by fixed, recursive and as different authentication rolesprotocol is labeled by secure represents a variation of the Woo-Lam protocol. Figure 2: Experimental Results for Recursive Protocols 41 / 103

56 1 Introduction 2 Modeling Protocols for Authentication and Secrecy 3 Authentication and Secrecy in Bounded Sessions 4 Authentication for Recursive Protocols Recursive Protocols Abstractions in the pushdown system Experimental Results 5 Non-repudiation and Fairness in Bounded Sessions 6 Conclusion 42 / 103

57 Recursive Protocols operate over an arbitrarily long chain of protocol principals, terminating with a key-generated server. intend to generate session-keys between each pair of two adjacent principals by contacting the key-generated server once. each principal has two choices: either contacts the server to terminate the protocol, or communicates with its next principal to continue the protocol. S Req(Null) Sub.Reqn(Null) Req n 1 (Null) Res 0 (k 0...kn) A 0 A 1 A n 1 A n Resn(k 0 ) Res 1 (k 0,...,k n 1 ) 43 / 103

58 Recursive Authentication Protocol [Bull&Otway 97] H K (X) = (H(K, X), X) A i A i+1 : H KAi S (A i, A i+1, N Ai, X) A 0 A 1 : A 1 A 2 :... H (A KA0 S 0, A 1, N A0, Null) H (A KA1 S 1, A 2, N A1, H (A KA0 S 0, A 1, N A0, Null)) A n S : H KAnS (A n, S, N An, H (A KAn 1 S n 1, A n, N An 1, H KAn 2 (... Null)...)) S S A n : {K n, S, N An } KAnS, {K n 1, A n 1, N An } KAnS, {K n 1, A n, N An 1 } KAn 1 S, {K n 2, A n 2, N An 1 } KAn 1 S,... {K 1, A 2, N A1 } KA1 S, {K 0, A 0, N A1 } KA1 S, {K 0, A 1, N A0 } KA0 S A i A i 1 : {K i 1, A i, N i 1 } KAi 1 S, {K i 2, A i 2, N i 1 } KAi 1 S,... A 1 A 0 : {K 0, A 1, N 0 } KA0 S 44 / 103

59 Abstracting Unbounded Number of Messages A Usage of Binders In bounded sessions, messages that principals generated are explicitly represented by distinguished symbols. Principals names, A, B, C, I,... Nonces, N A, N B,... For a recursive protocol, unbounded number of messages are encoded by nested applications of binders. Names: A[Null], A[A[Null]],... Nonces: N[Null], N[N[Null]], / 103

60 Encoding to Pushdown System A pushdown system P = (Q, Γ,, c 0 ) is a transition system with carrying an unbounded stack. Q is a set of control locations. A control location is a pair (R, ˆtr), in which R is a finite set of messages, and ˆtr is a finite parametric trace. Γ is a finite set of stack alphabet. Γ = { }. Nested applications of binders are encoded with binder markers, and nested times are captured by the length of the stack. (e.g. A[Null], A[A[Null]],... will be encoded by...a[ ]...,.) c 0 = (q 0, ω 0 ), is an initial configuration, where q 0 Q and ω 0 Γ. (, ɛ), ε. : (Q Γ) (Q Γ ) is a finite subset of transitions ( ). It encodes the parametric transitions and the refinement step. 46 / 103

61 Recall the Parametric Transitions Traces are abstracted to parametric traces by keeping fresh variables un-instantiated. ɛ, a(x).0 ɛ, (new x : I)b1{M} +k[x].0 a(x), 0 b1{m} +k[x], 0 Unifiers are applied when generating new parametric traces. ɛ, a1(x).case x of {y} k[a,s] in P p a1(x), case x of {y} k[a,s] in P p a1({y} k[a,s] ), P{{y} k[a,s] /x} Unbounded length of parametric traces should be represented. 47 / 103

62 Folding Parametric Traces by Pushdown System A 0 A 1 : N 1... A n 1 A n : N n Nonces are encoded by N[n], N[N[n]],... A 0 is defined as A a1 N[n].0 An identifier for receivers is defined as: R b1(x).b2 N[x].R The finite parametric trace in a control location is a compaction of the original trace. (, ɛ), ε (, a1 N[n]), ε (, a1 N[n]), ε (, a1 N[n].b1(x).b2 N[N[ ]]), ε (, ɛ), ε (, b1(x).b2 N[N[ ]]), ε (, b1(x).b2 N[N[ ]]), ε (, b1(x).b2 N[N[ ]]), (, a1 N[n].b1(x).b2 N[N[ ]]), ε (, a1 N[n].b1(x).b2 N[N[ ]]), / 103

63 Recall the Refinement Step An input action can be regarded as a required pattern. Some are easily satisfied (e.g.a1(x)), some are not (e.g. a1({y} k[a,s] )). A required pattern like a1({y} k[a,s] ) is named a rigid message. It needs to be satisfied by messages in the prefix trace (by unifications). Unification x M... s {A, M} k[a,s]... a({a, x} k[a,s] )... s {A, M} k[a,s]... a({a, M} k[a,s] ) Unbounded number of rigid messages should be unified. The set of messages to be unified may also be unbounded. 49 / 103

64 Context-insensitive Rigid Messages A B : {A, N A } KAB A is defined as A(N), where A(x) a1 {A, x} k[a,b].a(n[x]) B is defined as B b1(x).case x of {y} k[a,b] in let (z, w) = y in [z = A] 0 A rigid message {A, w} k[a,b] is insensitive to the current context. A rigid message is context-insensitive if it does not contain any binder markers. (, ɛ), ε (, a1 {A, N[ ]} k[a,b] ), ε (, a1 {A, N[ ]} k[a,b] ), ε (, a1 {A, N[ ]} k[a,b] ),... (, a1 {A, N[ ]} k[a,b].b1({a, w} k[a,b] )), ε ({{A, N[ ]} k[a,b] }, a1 {A, } k[a,b].b1({a, } k[a,b] )), ε 50 / 103

65 Context-sensitive Rigid Messages A B : B A : N A {B, N A } KAB A is defined as A(N), where A(x) a1 x.a2(y). case y of {z} k[a,b] of let (z 1, z 2 ) = z in [z 2 = x] A(N[x]) A rigid message {z 1, N[ ]} k[a,b] is sensitive to the current context. A rigid message is context-sensitive if it contains at least a binder marker. A context-sensitive rigid message can only be unified with bounded number of messages (in current context).... (, a1 N[ ].b1(x).b2 {B, x} k[a,b].a2({z 1, N[ ]} k[a,b] )), ε (, a1 N[ ].b1(n[ ]).b2 {B, N[ ]} k[a,b].a2({b, N[ ]} k[a,b] )), ε 51 / 103

66 Freshness of Sessions and Principals Freshness of sessions is captured by fresh nonces; Freshness of principals is captured by fresh names of principals. Generally, a stack can only represent one type of fresh messages by the context. When push, enters a new context (new session). When pop, returns to the previous context (previous session). In recursive protocols two type of fresh messages coincide with each other. Thus by one stack two type of fresh messages can be described. 52 / 103

67 An Attack for the RA Protocol There are two different views of the authentication property. L. Paulson took one view of authentication. He proved the correctness of the RA protocol by Isabelle/HOL. An attack, which violates authentication (a la Abadi et. al.) is found in the RA protocol by our method. S Req(Null) I Req n 1 (Null) Sub.Reqn(Null) A 0 A 1 A n 1 A n This attack does not violate secrecy. 53 / 103

68 Corrected Version of the RA Protocol S A n : {K n, S, N An } KA ns, {K n 1, A n 1, N An } KA ns, {K n 1, A n, N An 1 } KAn 1 S, {K n 2, A n 2, N An 1 } KAn 1 S,... {K 1, A 2, N A1 } KA1 S, {K 0, A 0, N A1 } KA1 S, {K 0, A 1, N A0 } KA0 S S A n : {{K n, S, N An } KA ns, {K n 1, A n 1, N An } KA ns, {{K n 1, A n, N An 1 } KAn 1 S, {K n 2, A n 2, N An 1 } KAn 1 S,... {{K 1, A 2, N A1 } KA1 S, {K 0, A 0, N A1 } KA1 S, {{K 0, A 1, N A0 } KA0 S } K A0 S...} K A ns 54 / 103

69 Yahalom protocol secure Introduction Modeling Auth&Sec.in Bou.Ses. Rec.Pro. Non-r&Fair.in Bou.Ses. Conclusion Yahalom protocol detected Q&A Otway-Rees protocol secure Otway-Rees protocol Experimental 2 34 Results 2, detected Woo-lam protocol secure Woo-lam protocol , detected Figure 1: Experimental Results for Authentication Protocols protocols protocol spec. states times(s) flaws recursive authentication protocol detected fixed recursive authentication protocol secure Figure 2: Experimental Results for Recursive Protocols The tests were performed on a Pentium M 1.4 GHz, 1.5 GB memory PC, under Windows XP. The common part is about 500 lines. 55 / 103

70 1 Introduction 2 Modeling Protocols for Authentication and Secrecy 3 Authentication and Secrecy in Bounded Sessions 4 Authentication for Recursive Protocols 5 Non-repudiation and Fairness in Bounded Sessions Extended with Dishonest Principals Two-Phase Refinement Steps Experimental Results 6 Conclusion 56 / 103

71 Honest Principal VS. Dishonest Principal A B : B A : N A {B, N A } KBS N A A B Each principal follows the rules of a protocol. Each principal disobeys the rules of a protocol. 57 / 103

72 Honest Principal VS. Dishonest Principal A B : B A : N A {B, N A } KBS N A A B {B,N A } KBS Each principal follows the rules of a protocol. Each principal disobeys the rules of a protocol. 58 / 103

73 Honest Principal VS. Dishonest Principal A B : B A : N A {B, N A } KBS N A N A A B A B {B,N A } KBS Each principal follows the rules of a protocol. Each principal disobeys the rules of a protocol. 59 / 103

74 Honest Principal VS. Dishonest Principal A B : B A : N A {B, N A } KBS N A N A A B A B {B,N A } KBS x Each principal follows the rules of a protocol. Each principal disobeys the rules of a protocol. 60 / 103

75 Honest Principal VS. Dishonest Principal A B : B A : N A {B, N A } KBS N A N A A B A B {B,N A } KBS N A Each principal follows the rules of a protocol. Each principal disobeys the rules of a protocol. 61 / 103

76 Honest Principal VS. Dishonest Principal A B : B A : N A {B, N A } KBS N A N A A B A B {B,N A } KBS Each principal follows the rules of a protocol. Each principal disobeys the rules of a protocol. 62 / 103

77 Model a Network Dishonest Principals Environment can memorize, produce, encrypt/decrypt, and compose/split messages (described as an environmental deductive system ). A dishonest principal may send unbounded number of messages during the communication (represented as P-deductive system P ). A B C Environment A dishonest principal P can generate each message the environment generates (s M s P M) A dishonest principal P can sign(encrypt with its private key), or encrypt with shared key a message it generates. (s P M s P {M} KP, s P M s P {M} KPS ) 63 / 103

78 New Infinity Factor and its Parametrization A sender may send infinitely many messages to the environment due to the P-deductive system. Traces are abstracted to parametric traces by keeping fresh variables un-instantiated. ɛ, (new x)a1{x} k[a].0 ɛ, (new x)a1{x} k[a].0 a1{m} k[a], 0 a1{m,b} k[a], 0 a1{{m} +k[b] } k[a], 0 a1{x} k[a], 0 64 / 103

79 Recall the Refinement Step An input action can be regarded as a required pattern. Some are easily satisfied (e.g.a1(x)), some are not (e.g. a1({y} k[a,s] )). A required pattern like a1({y} k[a,s] ) is named a rigid message. It needs to be satisfied by messages in the prefix trace (by unifications). Unification x M... s {A, M} k[a,s]... a({a, x} k[a,s] )... s {A, M} k[a,s]... a({a, M} k[a,s] ) 65 / 103

80 Further Refinement Step A refinement step may cause an inconsistency when a principal sends messages. A B : B A : N A {N B } kb A parametric trace is a1x.a2{y} k[b]. ({y} k[b] : rigid message). After unification, a1{y} k[b].a2{y} k[b]. Can principal A sign with B s signature? (Need further refinement!)... b1{b,y} k[b]... a1z a2({b,x} k[b] ) 66 / 103

81 Further Refinement Step A refinement step may cause an inconsistency when a principal sends messages. A B : B A : N A {N B } kb A parametric trace is a1x.a2{y} k[b]. ({y} k[b] : rigid message). After unification, a1{y} k[b].a2{y} k[b]. Can principal A sign with B s signature? (Need further refinement!) Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification 67 / 103

82 Further Refinement Step A refinement step may cause an inconsistency when a principal sends messages. A B : B A : N A {N B } kb A parametric trace is a1x.a2{y} k[b]. ({y} k[b] : rigid message). After unification, a1{y} k[b].a2{y} k[b]. Can principal A sign with B s signature? (Need further refinement!) Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification... b1{b,x} k[b]... a1{b,y} k[b] a2({b,y} k[b] ) 68 / 103

83 Further Refinement Step A refinement step may cause an inconsistency when a principal sends messages. A B : B A : N A {N B } kb A parametric trace is a1x.a2{y} k[b]. ({y} k[b] : rigid message). After unification, a1{y} k[b].a2{y} k[b]. Can principal A sign with B s signature? (Need further refinement!) Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification... b1{b,x} k[b]... a1{b,y} k[b] a2({b,y} k[b] ) Unification 69 / 103

84 Further Refinement Step A refinement step may cause an inconsistency when a principal sends messages. A B : B A : N A {N B } kb A parametric trace is a1x.a2{y} k[b]. ({y} k[b] : rigid message). After unification, a1{y} k[b].a2{y} k[b]. Can principal A sign with B s signature? (Need further refinement!) Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification... b1{b,x} k[b]... a1{b,y} k[b] a2({b,y} k[b] ) Unification... b1{b,x} k[b]... a1{b,x} k[b] a2({b,x} k[b] ) 70 / 103

85 Satisfiable Normal Form The refinement steps will also terminate and the set of normal forms of a parametric trace is finite.... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to concrete traces. 71 / 103

86 Satisfiable Normal Form The refinement steps will also terminate and the set of normal forms of a parametric trace is finite. Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to concrete traces. 72 / 103

87 Satisfiable Normal Form The refinement steps will also terminate and the set of normal forms of a parametric trace is finite. Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification... b1{b,x} k[b]... a1{b,y} k[b] a2({b,y} k[b] ) Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to concrete traces. 73 / 103

88 Satisfiable Normal Form The refinement steps will also terminate and the set of normal forms of a parametric trace is finite. Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification Unification... b1{b,x} k[b]... a1{b,y} k[b] a2({b,y} k[b] ) Unification Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to concrete traces. 74 / 103

89 Satisfiable Normal Form The refinement steps will also terminate and the set of normal forms of a parametric trace is finite. Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification Unification... b1{b,x} k[b]... a1{b,y} k[b] a2({b,y} k[b] ) Unification... b1{b,x} k[b]... a1{b,x} k[b] a2({b,x} k[b] ) Th. The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to concrete traces. 75 / 103

90 Satisfiable Normal Form The refinement steps will also terminate and the set of normal forms of a parametric trace is finite. Unification... b1{b,y} k[b]... a1z a2({b,x} k[b] ) Unification Unification... b1{b,x} k[b]... a1{b,y} k[b] a2({b,y} k[b] ) Unification... b1{b,x} k[b]... a1{b,x} k[b] a2({b,x} k[b] ) Normal form The set of satisfiable normal forms (each rigid message is satisfiable) is sound and complete representatives to concrete traces. 76 / 103

91 Experimental Results Parametric system are implemented by Maude. protocols property protocol spec. states times(s) flaws Simplified ZG protocol NRO detected NRR secure FAIRO detected FAIRR secure FAIRM 50 4, detected Full ZG protocol NRO secure FAIRO secure FAIRM secure ISO/IEC M2 NRO 50 1, detected FAIRO 65 1, detected FAIRR 65 2, secure ISO/IEC M-h FAIRO detected FAIRR secure (Non-repudiation is composed of NRO and NRR; Fairness is composed of FAIRO, FAIRR, FAIRM) Figure 3: Experimental Results for Fair Non-repudiation Protocols Pentium M 1.4 GHz, 1.5 GB memory PC, under Windows XP. The common part is about 400 lines. 77 / 103

92 1 Introduction 2 Modeling Protocols for Authentication and Secrecy 3 Authentication and Secrecy in Bounded Sessions 4 Authentication for Recursive Protocols 5 Non-repudiation and Fairness in Bounded Sessions 6 Conclusion 78 / 103

93 Related Work Process Calculi Bisimulation (M. Abadi et. al. 97, 98) Typed-based static analysis (M. Abadi et. al. 99, 01) Horn clause+ resolution (M. Abadi et. al. 03, 04, 05) Trace analysis Theorem proving CSP+PVS (S. Schneider et. al ) Model checking (CSP+FDR G. Lowe et. al. 96, Spi+STA M. Boreale 01) 79 / 103

94 Related Work Lazy Intruder David Basin, et al. proposed an On-the-fly model checking method (OFMC). (Basin et.al. 05) They use a high-level language HLPSL to represent a protocol, then translate automatically to a low-level one, IF. The knowledge of intruder will be refined to satisfy the requirement of a principal (Lazy intruder). An intruder s role is explicitly assigned, thus flexible and efficient Messages 1. A -> B : A, NA 2. B -> S: B, { A, NA, NB }k(b,s) Session_instances [A:a; B:b; S:s] [A:i; B:b; S:s] state(rolea,step0,sess1,a,b,s,k(a,s)). state(roleb,step0,sess1,a,b,s,k(b,s)). state(roles,step0,sess1,a,b,s,k). state(rolea,step0,sess2,a,b,s,k(a,s)). state(roles,step0,sess2,a,b,s,k). i_knows(a).i_knows(b).i_knows(s). i_knows(s).i_knows(i).i_knows(k(i,s)). 80 / 103

95 Future Works More on the same direction: Analyzing other properties. anonymity, and other authentication variations. security properties for multiparty protocols and broadcast protocols. A translator that translates a formal protocol description to a Maude source file is designable. Adopt bisimulation as specifications. Affiliate to the resolution method, used as a heuristic guide to extract a counterexample when finding a flaw by resolution. Analyze from source codes of security protocols. 81 / 103

96 Conclusions Proposed security protocol analysis based on a sound and complete model checking method to analyze various security properties under certain assumptions. When flaws are not detected, it guarantees that a protocol is secure under the given assumptions. Several properties, such as non-repudiation, and authentication for recursive protocols, are first analyzed by us using model checking. 82 / 103

97 Thank you! 83 / 103

98 Sub-calculi P, Q ::= 0 am.p a(x).p [M = N] P (new x : A)P (ν n)p let (x, y) = M in P case M of {x} L in P P Q P, Q ::= 0 am.p a(x).p [M = N] P (new x : A)P (ν n)p let (x, y) = M in P case M of {x} L in P P Q P + Q P; Q A( pr) P, Q ::= 0 am.p a(x).p [M = N] P (new x)p (ν n)p let (x, y) = M in P case M of {x} L in P P Q P + Q 84 / 103

99 Difference of the New Operators In the sub-calculi for authentication and secrecy properties, the ranges of variables bounded by New operators are given statically: (new x : A)P In the sub-calculus for non-repudiation and fairness, the ranges of variables bounded by New operators are given dynamically by the P-deductive system: (new x)p The main difference, a process in the former calculi has a prenex normal form, while in the latter one has not. (new x : A)a1 x.(new y : B)a2 y.0 (new x : A)(new y : B)a1 x.a2 y.0 (new x)a1 x.(new y)a2 y.0 (new x)(new y)a1 x.a2 y.0 85 / 103

100 Restricting Infinite Processes Adopt identifier to represent infinite processes. For any identifier A(x 1,..., x n ), there must be a unique definition, that is, A(x 1,..., x n ) P. A process expression E is like a process, but may contain identifier variables. (eg: E(X) a(x).x) A recursive process is defined as an identifer. (eg: A E(A)) For recursive protocols, there are two restrictions: A system allows only one recursive process. The X in E for the recursive process is sequential. (X is sequential in E if X does not occur with composition combinators in E) 86 / 103

101 Sequence Primitive Sequence primitive, P; Q are usually a redundant operator in process calculus. P; Q has sub-expressiveness of P Q. If there is no identifiers, P; Q is equal to replace all 0 in P to Q. (eg:(α.0 + β.0); Q α.q + β.q ) Sequence operator is required, since the sequential restriction is adopted to identifier variables in expression E. while P; Q is needed when defining a recursive protocol. Without P; Q, when entering the another context, there are no actions in previous context. 87 / 103

102 Representing the RA Protocol: originator O(x 1, x 2 ) a1 H lk[x1,s](x 1, x 2, N[Null], Null). a2(x).case x of {y 1, y 2, y 3 } lk[x1,s]. [y 3 = N[Null]] 0 O(A[Null], A[A[Null]]) 88 / 103

103 Representing the RA Protocol: recipient R(x 1, x 2 ) (b1(x).let (y 1, y 2, y 3, y 4, y 5 ) = x in [y 2 = x 1 ] (b2 H lk[x1,s](x 1, A[x 1 ], N[y 3 ], x).r(a[x 1 ], x 1 )+ b3 H lk[x1,s](x 1, S, N[y 3 ], x).0)); (b4(x).let (z 1, z 2, z 3 ) = x in case z 1 of {z 4, z 5, z 6 } lk[x1,s] in [z 6 = N[y 3 ]] case z 2 of {z 7, z 8, z 9 } lk[x1,s] in [z 8 = x 2 ] [z 9 = N[y 3 ]] b5z 3.0) R(A[A[Null]], A[Null]) 89 / 103

104 Representing the RA Protocol: server S s1(x).s2 (F (x)).0 F (x) = let (y 1, y 2, y 3, y 4, y 5 ) = x; let t = ɛ; while (y 1 = H(y 2, y 3, y 4, y 5, lk[y 2, S])&&y 5! = Null) let (z 1, z 2, z 3, z 4, z 5 ) = y 5 ; if (z 1 = H(z 2, z 3, z 4, z 5, lk[z 2, S])&&z 3 == y 2 ) then t = (t, {k[y 4 ], y 3, y 4 }, {k[y 3 ], z 2, z 4 }); else raise error endif (y 1, y 2, y 3, y 4, y 5 ) := (z 1, z 2, z 3, z 4, z 5 ); endwhile t := (t, {k[y 4 ], y 3, y 4 }); return t; SYS RA O(A[Null], A[A[Null]]) R(A[A[Null]], A[Null]) S 90 / 103

105 Environmental Deductive System S M M E S M M S S (M, N) S M S M S N S (M, N) S {M} k[a,b] S k[a, B] S M S {M} ±k[a] S k[a] S M S M S H(M) S (M, N) S N S M S k[a, B] S {M} k[a,b] S M S ±k[a] S {M} ±k[a] 91 / 103

106 The Axioms of Structural Congruence SC-COMP-ASSOC P (Q R) (P Q) R SC-COMP-COMM P Q Q P SC-COMP-INACT P 0 P SC-SUM-ASSOC P + (Q + R) (P + Q) + R SC-SUM-COMM P + Q Q + P SC-RES (νm)(νn)p (νn)(νm)p SC-RES-INACT (νn)0 0 SC-RES-COMP (νn)(p Q) P (νn)q if n / f n(p) SC-NEW (new x : A)(new y : B)P (new y : B)(new x : A)P SC-NEW-INACT (new x : A)0 0 SC-NEW-COMP (new x : A)(P Q) P (new x : A)Q if x / f v(p) SC-SEQ-INACT 0; P P 92 / 103

107 Concrete Transition Rules in Bounded Sessions (INPUT ) s, a(x).p s.a(m), P{M/x} s M (OUTPUT ) s, am.p s.am, P (DEC) s, case {M} L of {x} L in P s, P{M/x} L = Opp(L) (PAIR) s, let (x, y) = (M, N) in P s, P{M/x, N/y} (NEW ) s, (new x : A)P s, P{m/x} m A (RESTRICTION) s, (νn)p s, P{m/n} m = freshn(v ) (MATCH) s, [M = M]P s, P (LCOM) s, P s, P s, P Q s, P Q (RCOM) s, Q s, Q s, P Q s, P Q P P s, P s, Q Q Q (STR) s, P s, Q 93 / 103

108 Parametric Transition Rules in Bounded Sessions (PINPUT ) ŝ, a(x).p p ŝ.a(x), P (POUTPUT ) ŝ, am.p p ŝ.am, P (PDEC) ŝ, case {M} L of {x} L in P p ŝθ, Pθ θ = Mgu({M} L, {x} Opp(L )) (PPAIR) ŝ, let (x, y) = M in P p ŝθ, Pθ θ = Mgu((x, y), M) (PNEW ) ŝ, (new x : A)P p ŝ, P{y/x} y / f v(p) b v(p) (PRESTRICTION) ŝ, (νn)p p ŝ, P{m/n} m = freshn(v ) (PMATCH) ŝ, [M = M ]P p ŝθ, Pθ θ = Mgu(M, M ) (PLCOM) ŝ, P p ŝ, P ŝ, P Q p ŝ, P Q Q = Qθ if ŝ = ŝθ else Q = Q P P s, P p s, Q Q Q (PSTR) s, P p s, Q 94 / 103

109 Q&A: Defining Security Properties Action Terms T ::= σ ::= α T T T T T T T T T F T s, P = T 1 T 2 : for each concrete trace s generated by s, P, if there is a ground substitution ρ such that T 2 ρ occurs in s, then so do T 1 ρ, and T 1 ρ occurs before T 2 ρ in s. s, P = T 1 F T 2 : for each concrete configuration s, P reached by s, P, if there is a ground substitution ρ such that T 1 ρ occurs in s, then for every path starting from s, P, there exists a concrete trace s such that T 2 ρ occurs in s. 95 / 103

110 Q&A: Testing Equivalence in Spi Calculus m(x).q m m M.Q m P β P β P Q Q β P β The testing equivalence P Q between P and Q is defined as follow: For all test (R, β), (P R) β if and only if (Q R) β. 96 / 103

111 The Zhou-Gollmann fair non-repudiation protocol A B : B A : A S : S A : S B : {B, N A, {M} K } KA {A, N A, {M} K } KB {B, N A, K } KA {A, B, N A, K } KS {A, B, N A, K } KS A B : B A : A S : S A : S B : {F NRO, B, N A, {M} K } KA {F NRR, A, N A, {M} K } KB {F SUB, B, N A, K } KA {F CON, A, B, N A, K } KS {F CON, A, B, N A, K } KS 97 / 103

112 On-the-fly Model Checking by Maude Two reasons to use Maude: A new parametric trace generation is decided dynamically by trying to unify rigid message (it may fail). A property is a reachability problem, which can be checked at the same time while a model is being generated. The way of implementation by Maude, Each elementary definition and function in the parametric model is implemented to functional modules. A trace generating system is represented in a system module. search command is used to find whether the negation of a specification is reachable. 98 / 103