Electronic Notes in Theoretical Computer Science 147 (2006) 73-92


Completeness and Counter-Example Generations of a Basic Protocol Logic (Extended Abstract)

Koji Hasebe [1,2] and Mitsuhiro Okada [1,3]

Department of Philosophy, Keio University, 2-15-45 Mita, Minato-ku, Tokyo 108-8345, Japan

Abstract

We give an axiomatic system in first-order predicate logic with equality for proving security protocols correct. Our axioms and inference rules derive the basic inference rules which are explicitly or implicitly used in the literature of protocol logics, hence we call our axiomatic system Basic Protocol Logic (or BPL, for short). We give a formal semantics for BPL, and show the completeness theorem: for any given query (which represents a correctness property) the query is provable iff it is true in any model. Moreover, as a corollary of our completeness proof, the decidability of provability in BPL holds for any given query. Since in our formal semantics we consider as a "trace" any sequence of primitive actions, counter-models (which are generated from an unprovable query) cannot be immediately regarded as realizable traces (i.e., attacked processes on the protocol in question). However, with the aid of Comon-Treinen's algorithm for the intruder deduction problem, we can determine whether there exists a realizable trace among the formal counter-models, if any, generated by the proof-search method (used in our completeness proof). We also demonstrate that our method is useful for both proof construction and flaw analysis by using a simple example.

Keywords: security protocol analysis, first-order predicate logic, agreement properties, proof-search method.

1 This work was partly supported by Grants-in-Aid for Scientific Research of MEXT, Center of Excellence of MEXT on Humanity Sciences (Keio University) and Oogata-kenkyu-jyosei grant (Keio University). The first author was also supported by Fellowship for Japan Young Scientists from Japan Society for the Promotion of Science.

2 Email: hasebe@abelard.flet.keio.ac.jp

3 Email: mitsu@abelard.flet.keio.ac.jp

© 2006 Elsevier B.V. All rights reserved. doi:10.1016/j.entcs.2005.06.038

1 Introduction

For the formal analysis of security protocols, there are two typical approaches among others: one emphasizing a syntactic method such as BAN-logic [2] and protocol logics of [9,7,16] (cf. also [1] for a protocol composition logic project overview), and the other emphasizing a semantic method such as the strand space method [18] and MSR [4]. The former approach aims at proving a property which guarantees a protocol correct in terms of a certain logical inference system, while the latter approach aims at detecting flaws in a protocol (i.e., concrete attacks on a protocol) in terms of a kind of trace-model. In this paper we take the former approach. That is, our main purpose in this paper is to give a simple formulation of a core part of the protocol logics of [9,7,16] for proving protocols correct. We also aim at connecting this formal approach to a method for the flaw detection. Especially, we concentrate on several types of agreement properties in the sense of [20,14], and investigate how much one can formulate a basic part of the protocol logics, which is enough to prove our aimed properties, within the first-order predicate logic. (Thus, in this paper we do not go into the secrecy property about nonces or session keys. Such a property is also an important matter for security analysis because agreement properties of some protocols depend on their secrecy properties.) Moreover, we also give a complete formal semantics of BPL, and present how to apply our framework for both proving correctness and detecting flaws of security protocols.

For that purpose, we first give an axiomatic system in first-order predicate logic for proving the agreement properties. In this system, we formalize some properties about nonces and cryptographic assumptions as non-logical axioms in first-order predicate logic with equality, and give a special form of formulas, called query form, which represents an agreement property restricted to the number of data items (i.e., nonces) in the protocol in question. Then the basic inference rules, which are explicitly or implicitly used for proving agreement properties in the protocol logics of [9,7,16], are derived rules of our system. Hence our formulation is called Basic Protocol Logic (or BPL, for short).

Next, we give a formal semantics for BPL and show the completeness theorem: for any given query, the query is provable in BPL iff it is true in any model. This theorem is proved by adjusting the usual proof-search method for first-order predicate logic to our framework (cf. [17]). As a direct corollary of the completeness theorem, the proof-search method of our completeness proof provides a counter-example generation if the given query is unprovable. Moreover, as a corollary of our completeness proof, the decidability of provability in BPL also holds for any query. (In this paper, we only sketch out the proofs of the completeness theorem and its corollaries. The detailed proofs will appear in the full version of this paper.) Since in our formal semantics we consider as a "trace" any sequence of primitive actions, a counter-example (generated from an unprovable query) cannot be immediately regarded as a realizable trace (i.e., an attacked process on the protocol in question). However, with the aid of Comon-Treinen's algorithm for the intruder deduction problem [6], we can determine whether there exists a realizable trace among the formal counter-examples. Therefore, by combining our completeness proof with Comon-Treinen's algorithm, for any given query we can generate attacked processes on the protocol, if any, whenever we set an upper bound on the number of data items.

Since our proof construction procedure is directly a counter-example generation, this work would make a contribution to bridge the gap between the two different directions of security protocol analysis, namely proving correctness and finding attacks. Finally, we also demonstrate by a simple example that our method is useful for both proof constructions and flaw detections.

Organization of this paper. In Section 2 we introduce an axiomatic system, called Basic Protocol Logic in first-order predicate logic, and formalize our aimed correctness properties as a special form of formulas, called query form. In Section 3 we give a trace-based formal semantics and show the soundness theorem for the query form. In Section 4 we show the completeness theorem and the decidability of provability for the query form, and explain how to construct proofs/attacked processes for a given query by means of the proof-search method and Comon-Treinen's algorithm for the intruder deduction problem. Finally, in Section 5 we present the conclusions and outline some further directions of this research.

2 Basic Protocol Logic

We first fix our language in first-order predicate logic with equality, and give an axiomatic system, called Basic Protocol Logic. In this system, our aimed correctness properties are described as a special form of formulas, called query form.

2.1 Language

Sorts and terms. Our language is order-sorted, and consists of the sorts name, nonce and message. A, B, ..., A1, A2, ... (P, Q, ..., P1, P2, ..., resp.) are constants (variables, resp.) of sort name (which represent principal names), and N, N', ..., N1, N2, ... (n, n', ..., n1, n2, ..., resp.) are constants (variables, resp.) of sort nonce. All terms of sorts name and nonce are terms of sort message.

The symbols m, m', ..., m1, m2, ... are used to denote variables of sort message. Compound terms of sort message are made by the functions (m1, ..., mn), {m}P and {m}P^-1, which represent the n-tuple concatenation of messages, encryption with the public key of P, and encryption with the secret key of P, respectively.4 We also use the meta-symbols s, s', ..., t, t', ... to denote any terms of sort message.

Formulas. We introduce five binary predicate symbols: P generates n, P receives m, P sends m, m = m' and m ⊑ m', which represent "P generates a fresh value n as a nonce", "P receives a message m", "P sends a message m", and the usual equality and subterm relation (i.e., "m is identical with m'" and "m is a subterm of m'"), respectively. The first three are called action predicates, and the meta expression acts is used to denote one of the action predicates: generates, receives and sends.

Atomic formulas are the following expressions: P1 acts1 m1; P2 acts2 m2; ...; Pk actsk mk (where k ≥ 1 and Pi (mi, resp.) may be the same as Pj (mj, resp.) for any i ≠ j), m = m' and m ⊑ m'. The first one is called a trace formula. This type of atomic formula is used to represent a sequence of principals' actions: for example, the intuitive meaning of the atomic formula P sends m; Q receives m' is "P sends a message m before Q receives a message m'". We also use the following symbols as meta expressions. αP, βP, ..., αP1, αP2, ... (or simply, α, β, ..., α1, α2, ...) is used to denote a trace formula of the form P acts m, and αP1; ...; αPk (or α, for short) is used to denote P1 acts1 m1; ...; Pk actsk mk (where k indicates the length of α). Especially, when every Pi is identical with P for 1 ≤ i ≤ k (i.e., a sequence of actions performed by a single principal P), we also use αP to denote such a trace formula. For α (= α1; ...; αm) and β (= β1; ...; βn), we say β includes α (denoted by α ⊆ β) if α and β satisfy the following condition: αi appears in β for all i (1 ≤ i ≤ m), and for any αi = βj and αk = βl with 1 ≤ i, k ≤ m, if i < k then j < l. (Roughly speaking, α ⊆ β means that all the action predicates in α appear in β, preserving the order of α.)

The formulas (denoted by φ, ψ, ...) are made by the following grammar.

φ ::= α | m = m' | m ⊑ m' | ¬φ | φ ∧ φ | φ ∨ φ | φ → φ | ∀xφ | ∃xφ

We use the meta expression φ[m] to indicate the list of terms m occurring in φ. Substitutions are represented in terms of this notation.

Finally, we introduce the notion of (strict) order-preserving merge of trace formulas α and β, which is defined as follows.

4 In order to make our discussion simpler, in this paper we consider neither symmetric cryptography nor protocols for sharing session keys; however, our formalization can easily be extended so as to include such notions.

Definition 2.1 (Order-preserving merge) An order-preserving merge of α (= α1; ...; αl) and β (= β1; ...; βm) is a trace formula δ (= δ1; ...; δn) which is made by the following rules. (As a special case, if α or β is empty then we respectively consider l = 0 or m = 0.)

(i) δ1 = α1 or β1.

(ii) For each i (1 ≤ i < n), if α1; ...; αj ⊆ δ1; ...; δi and β1; ...; βk ⊆ δ1; ...; δi (for some 0 ≤ j ≤ l and 0 ≤ k ≤ m), then δi+1 = αj+1 or βk+1.

(iii) If δ = δ1; ...; δi; δi+1; ...; δn is an order-preserving merge of α and β with δi = δi+1, then δ' = δ1; ...; δi-1; δi+1; ...; δn is also an order-preserving merge of α and β.

We also introduce another type of order-preserving merge which is made only by the rules (i) and (ii), and call it a strict order-preserving merge of α and β. For example, all of α1; α2; α2; α3, α2; α1; α3; α2 and α1; α2; α3 are order-preserving merges of α1; α2 and α2; α3, while the last one is not a strict order-preserving merge.
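As an added illustration (not part of the paper), the two kinds of merge of Definition 2.1 computed for the paper's own example α1; α2 and α2; α3, with actions encoded as constructed (principal, action, message) triples; `includes` is the relation α ⊆ β of Section 2.1.

```python
# Actions are (principal, action, message) triples; a trace formula is a
# tuple of actions. The sample below is the paper's example
# alpha1; alpha2 merged with alpha2; alpha3 (message strings are constructed).
A1 = ("A", "generates", "n1")
A2 = ("A", "sends", "{n1,A}B")
A3 = ("B", "receives", "{n1,A}B")
ALPHA = (A1, A2)
BETA = (A2, A3)


def includes(alpha, beta):
    """alpha ⊆ beta: every action of alpha occurs in beta, in alpha's order
    (i.e. alpha is a subsequence of beta)."""
    rest = iter(beta)          # `a in rest` consumes beta up to the match
    return all(a in rest for a in alpha)


def strict_merges(alpha, beta):
    """Strict order-preserving merges (rules (i) and (ii) only): every
    interleaving that keeps the internal order of alpha and of beta."""
    if not alpha:
        return {tuple(beta)}
    if not beta:
        return {tuple(alpha)}
    result = {(alpha[0],) + rest for rest in strict_merges(alpha[1:], beta)}
    result |= {(beta[0],) + rest for rest in strict_merges(alpha, beta[1:])}
    return result


def merges(alpha, beta):
    """All order-preserving merges: the strict merges closed under rule
    (iii), which drops one of two adjacent identical actions."""
    found = strict_merges(alpha, beta)
    todo = list(found)
    while todo:
        delta = todo.pop()
        for i in range(len(delta) - 1):
            if delta[i] == delta[i + 1]:
                shorter = delta[:i] + delta[i + 1:]
                if shorter not in found:
                    found.add(shorter)
                    todo.append(shorter)
    return found


if __name__ == "__main__":
    strict = strict_merges(ALPHA, BETA)
    for delta in sorted(merges(ALPHA, BETA)):
        kind = "strict    " if delta in strict else "non-strict"
        print(kind, "; ".join(" ".join(a) for a in delta))
```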

Description of roles

A protocol is a set of roles, and each role for a principal (say, P) is described as a trace formula of the form αP = P acts1 m1; ...; P actsk mk.

As an example, here we consider the Needham-Schroeder public key protocol [15], whose informal description is as follows.

1. P → Q: {n1, P}Q

2. Q → P: {n1, n2}P

3. P → Q: {n2}Q

The initiator's and responder's roles of the Needham-Schroeder public key protocol (denoted by InitNS and RespNS, respectively) are described as the following formulas.

Example 2.2 (Roles of the Needham-Schroeder protocol)

InitNS[P, Q, n1, n2] = P generates n1; P sends {n1, P}Q; P receives {n1, n2}P; P sends {n2}Q

RespNS[P, Q, n1, n2] = Q receives {n1, P}Q; Q generates n2; Q sends {n1, n2}P; Q receives {n2}Q

A run of a role αP is a formula obtained by substituting P, Q and n with some terms of the same sorts. For example, InitNS[A/P, B/Q, N1/n1, N2/n2] and RespNS[A/P, B/Q, N1/n1, N2/n2] are runs of InitNS and RespNS, respectively, and we call such a set of instances A, B, N1, N2 data items. A strict order-preserving merge of runs of a role αP is called multiple runs of αP.

2.2 Basic Protocol Logic

We extend the usual first-order predicate logic with equality by adding the following axioms (I), (II) and (III). This axiomatic system is called Basic Protocol Logic.

(I) Axioms of universal sentences over terms. We presume the following axioms for = and ⊑. When a finite set of literals {t1 = t'1, ..., tn = t'n, s1 ⊑ s'1, ..., sj ⊑ s'j, u1 ≠ u'1, ..., uk ≠ u'k, v1 ⋢ v'1, ..., vl ⋢ v'l} is unsatisfiable in the free term algebra of our language (where = and ⊑ are the identity and the subterm relation in the free term algebra), then ∀m ¬(t1 = t'1 ∧ ... ∧ tn = t'n ∧ s1 ⊑ s'1 ∧ ... ∧ sj ⊑ s'j ∧ u1 ≠ u'1 ∧ ... ∧ uk ≠ u'k ∧ v1 ⋢ v'1 ∧ ... ∧ vl ⋢ v'l) is an axiom. Note that the satisfaction problem is decidable in the free term algebra (cf. [19]), hence the set of axioms of type (I) is recursive.

(II) Rules for trace formulas. We introduce the following axioms (1) and (2) for trace formulas, where the γi's in (2) are the list of order-preserving merges of α and β.

(1) β → α (for α ⊆ β)

(2) γ1 ∨ ... ∨ γn ↔ α ∧ β

(III) Axioms for relationship between properties. We introduce the following set of formulas as non-logical axioms. These axioms represent some properties about nonces and cryptographic assumptions.

(1) Ordering 1:

∀PQnm(P generates n ∧ Q sends/receives m ∧ n ⊑ m → ¬(Q sends/receives m; P generates n))

(2) Ordering 2:

∀PQmm'(P sends/receives m ∧ {m'}Q^-1 ⊑ m → ∃m''(Q sends m''; P sends/receives m ∧ {m'}Q^-1 ⊑ m''))

(3) Nonce Verification 1:

∀PQn1m2m5m6(P generates n1 ∧ P sends m2 ∧ n1 ⊑ m2 ∧ P receives m5 ∧ n1 ⊑ m6 ∧ {m6}Q^-1 ⊑ m5 ∧ ∀m7(P sends m7 ∧ n1 ⊑ m7 → m7 = m2) → ∃m3m4(P sends m2; Q receives m3; Q sends m4; P receives m5 ∧ n1 ⊑ m3 ∧ {m6}Q^-1 ⊑ m4))

(4) Nonce Verification 2:

∀PQn1m2m5m6(P generates n1 ∧ P sends m2 ∧ n1 ⊑ m2 ∧ P receives m5 ∧ {m6}Q ⊑ m5 ∧ n1 ⊑ m5 ∧ {m6}Q ⊑ m2 ∧ ∀m7(P sends m7 ∧ n1 ⊑ m7 → m7 = m2) ∧ ∀m8(n1 ⊑ m8 ∧ m8 ⊑ m2 → m8 ⊑ {m6}Q) → ∃m3m4(P sends m2; Q receives m3; Q sends m4; P receives m5 ∧ {m6}Q ⊑ m3 ∧ n1 ⊑ m4))

(5) Nonce Verification 3:

∀PQn1m2m4m5m6m9(P generates n1 ∧ P sends m2 ∧ n1 ⊑ m2 ∧ P receives m5 ∧ {m6}Q ⊑ m5 ∧ n1 ⊑ m5 ∧ {m6}Q ⊑ m2 ∧ ∀m7(P sends m7 ∧ n1 ⊑ m7 → m7 = m2) ∧ ∀m8(n1 ⊑ m8 ∧ m8 ⊑ m2 → m8 ⊑ {m6}Q) ∧ Q sends {m4}P ∧ n1 ⊑ m4 ∧ ∀m10(Q sends m10 ∧ n1 ⊑ m10 → m10 = {m9}P) → {m9}P = m5)

Here, the expression "sends/receives" denotes sends or receives, and the two occurrences within each axiom are the same. Ordering 1 and 2 represent the ordering of actions related to nonces and to encrypted messages, respectively. Nonce Verification 1-3 largely depend on the idea of the authentication-tests-based strand space method introduced by [10]: Nonce Verification 1 is a formalization of incoming tests, and Nonce Verification 2 and 3 are formalizations of outgoing tests.

2.3 Query form and correctness properties

Our aimed correctness properties are described in a special form of formulas, called query form. The query form includes a formalization of a principal's honesty (denoted by Honest(αP)), which is defined as follows.

Definition 2.3 (Principal's honesty)

Honest(αP[P, Q, n]) = ∃Q n ⋁_{i ∈ {j | mj ∈ Sends(αP[P, Q, n])} ∪ {k}} (αP(i)[P, Q, n] ∧ Only(αP(i)[P, Q, n]))

Here, αP[P, Q, n] is a role of the form P acts1 m1; P acts2 m2; ...; P actsk mk where each actsi (1 ≤ i ≤ k) is one of sends, receives and generates, and αP(i)[P, Q, n] denotes the initial segment of αP[P, Q, n] ending with P actsi mi (for 0 ≤ i ≤ k), i.e., αP(i)[P, Q, n] = P acts1 m1; ...; P actsi mi. (As a special case, αP(0) denotes ⊤.) Only(αP(i)) denotes the following formula, whose intuitive meaning is "P performs only αP(i)[P, Q, n]".

Only(αP(i)) = ∀n1(P generates n1 → n1 ∈ Generates(αP(i))) ∧ ∀m2(P sends m2 → m2 ∈ Sends(αP(i))) ∧ ∀m3(P receives m3 → m3 ∈ Receives(αP(i)))

Here, Sends(αP(i)) denotes the set {mj | P sends mj ⊆ αP(i)}. (Receives(αP(i)) and Generates(αP(i)) are similar.) Set-theoretical notation such as m ∈ Sends(αP(i)) (as well as m ∈ Receives(αP(i)) and m ∈ Generates(αP(i))) is an abbreviation of the disjunctive form: for example, if Sends(αP(i)) = {m'1, ..., m'j}, then m ∈ Sends(αP(i)) denotes the formula (m = m'1) ∨ (m = m'2) ∨ ... ∨ (m = m'j). (As a special case, if Sends(αP(i)) is empty then m ∈ Sends(αP(i)) denotes ⊥.)

Intuitively, each disjunct αP(i) ∧ Only(αP(i)) in Honest(αP) represents a historical record of P's actions at each step of his/her run: the sequence of actions αP(i) = P acts1 m1; ...; P actsi mi represents P's performance up to this step, and Only(αP(i)) represents that P performs only αP(i). Especially, as a special case, αP(0) ∧ Only(αP(0)) represents that P performs no action. Thus, Honest(αP[P, Q, n]) represents "P performs only a (possibly multiple) run of an initial segment of αP which ends with a sending action or the last action of αP, and uses the same data items Q and n for each run".

As an example, we present the honesty of the initiator (say, A) of the Needham-Schroeder protocol below.

Example 2.4 (Initiator's honesty of the NS protocol)

Honest(InitNS[A/P, Q, n1, n2]) = ∃Q n1 n2 (

  (∀n3(A generates n3 → ⊥) ∧ ∀m4(A sends m4 → ⊥) ∧ ∀m5(A receives m5 → ⊥))

∨ (A generates n1; A sends {n1, A}Q
   ∧ ∀n3(A generates n3 → n3 = n1) ∧ ∀m4(A sends m4 → m4 = {n1, A}Q) ∧ ∀m5(A receives m5 → ⊥))

∨ (A generates n1; A sends {n1, A}Q; A receives {n1, n2}A; A sends {n2}Q
   ∧ ∀n3(A generates n3 → n3 = n1) ∧ ∀m4(A sends m4 → m4 = {n1, A}Q ∨ m4 = {n2}Q) ∧ ∀m5(A receives m5 → m5 = {n1, n2}A))

)

Note that our formalization of honesty is stronger than the usual sense. That is, our definition of honesty is restricted to a single set of data items used for the honest principal's runs, whereas the usual sense of honesty means that P may perform multiple runs whose data items may differ from each other. However, by regarding a strict order-preserving merge of a certain number of copies of the same role as a single role, we can represent honesty with respect to any finite number of sets of data items used for all possible runs by the honest principal. As an example, we present the case of the initiator's (say, A's) honesty of the Needham-Schroeder protocol, such that A may use a couple of sets of data items [Q, n1, n2] and [Q', n'1, n'2].

∃Q Q' n1 n2 n'1 n'2 (

  (∀n3(A generates n3 → ⊥) ∧ ∀m4(A sends m4 → ⊥) ∧ ∀m5(A receives m5 → ⊥))

∨ (A generates n1; A sends {n1, A}Q
   ∧ ∀n3(A generates n3 → n3 = n1) ∧ ∀m4(A sends m4 → m4 = {n1, A}Q) ∧ ∀m5(A receives m5 → ⊥))

∨ (A generates n1; A sends {n1, A}Q; A receives {n1, n2}A; A sends {n2}Q
   ∧ ∀n3(A generates n3 → n3 = n1) ∧ ∀m4(A sends m4 → m4 = {n1, A}Q ∨ m4 = {n2}Q) ∧ ∀m5(A receives m5 → m5 = {n1, n2}A))

∨ (A generates n1; A sends {n1, A}Q ∧ A generates n'1; A sends {n'1, A}Q'
   ∧ ∀n3(A generates n3 → n3 = n1 ∨ n3 = n'1) ∧ ∀m4(A sends m4 → m4 = {n1, A}Q ∨ m4 = {n'1, A}Q') ∧ ∀m5(A receives m5 → ⊥))

∨ (A generates n1; A sends {n1, A}Q; A receives {n1, n2}A; A sends {n2}Q ∧ A generates n'1; A sends {n'1, A}Q'
   ∧ ∀n3(A generates n3 → n3 = n1 ∨ n3 = n'1) ∧ ∀m4(A sends m4 → m4 = {n1, A}Q ∨ m4 = {n2}Q ∨ m4 = {n'1, A}Q') ∧ ∀m5(A receives m5 → m5 = {n1, n2}A))

∨ (A generates n1; A sends {n1, A}Q; A receives {n1, n2}A; A sends {n2}Q ∧ A generates n'1; A sends {n'1, A}Q'; A receives {n'1, n'2}A; A sends {n'2}Q'
   ∧ ∀n3(A generates n3 → n3 = n1 ∨ n3 = n'1) ∧ ∀m4(A sends m4 → m4 = {n1, A}Q ∨ m4 = {n2}Q ∨ m4 = {n'1, A}Q' ∨ m4 = {n'2}Q') ∧ ∀m5(A receives m5 → m5 = {n1, n2}A ∨ m5 = {n'1, n'2}A))

)

First-order formalization of correctness properties

We introduce a general form of formulas, called query form, to represent our aimed correctness properties. In order to make the discussion simpler, we consider only the case of two-party authentication protocols; however, our query form can easily be extended so as to represent the correctness properties of other types of protocols which involve more than two principals.

Definition 2.5 (Query form) A query form is a formula of the following form.

Honest(αP) ∧ βQ ∧ Only(βQ) → γ

Our aimed correctness properties are described as special cases of the query form. For example, the non-injective agreement of protocol Π = {αP[P, Q, n], βQ[P, Q, n]} from the responder's (say, B's) view can be described as the following formula.

Honest(αP[A/P, Q, n]) ∧ βQ[A/P, B/Q, N/n] ∧ Only(βQ[A/P, B/Q, N/n]) → αP[A/P, B/Q, N/n]

Matching conversations and injective agreement can be obtained by replacing the right hand side of the implication with the strict order-preserving merge of αP[A/P, B/Q, N/n] and βQ[A/P, B/Q, N/n] defined by the protocol Π, and with αP[A/P, B/Q, N/n] ∧ Only(αP[A/P, B/Q, N/n]), respectively.

Actually, our formalization of the agreement properties is weaker than the usual sense, because our honesty assumption is stronger than the usual sense. However, as we explained after the definition of honesty (Definition 2.3), our query form can be extended so that the honest principal may use a finite number of sets of data items for his/her runs.

A comparison between BPL and other protocol logics

In closing this section, we would like to point out some differences between BPL and other protocol logics.

One of the main differences is the formalization of inferences on honesty. In the protocol logics of [9,7,16], the notion of honesty is formalized as an atomic formula and inferences on honesty are drawn by a special inference rule. On the other hand, in BPL, the notion of honesty is formalized as a non-atomic formula and all inferences on honesty are drawn by logical inference rules, and the inferences on honesty essentially used in [9,7,16] are derived rules in BPL. More precisely, to prove protocols correct, the protocol logics of [9,7,16] implicitly or explicitly use the three types of inferences: we pick up these inferences as Honesty rules presented in Appendix A.

As for the non-logical axioms, our proposed non-logical axioms (1)-(5) of (III) introduced in Section 2.2 do not essentially depend on our framework. In particular, as we shall show in Section 4, our completeness and decidability arguments are not affected by the choice of non-logical axioms. Our choice of non-logical axioms in this paper is one of the simplest formalisms sufficient to prove our aimed correctness properties. Then the basic inference rules used in the protocol logics are essentially derived rules of BPL. Here we emphasize that BPL is formalized in first-order predicate logic without any temporal modal operators or Floyd-Hoare style dynamic operators, which are used in the protocol logics of [9,7]: this is the reason why we call our system "basic".


3 Formal Semantics and Soundness

In this section, we give a semantics of our system.

A trace model (or model) is M = (DP, DN, ᾱ, φ) where DP is a set, called a name domain, DN is a set, called a nonce domain, DM is the free algebra domain (i.e., the set of first-order terms) determined by DP and DN along with the term construction rules using ( , ), K( , ) and K^-1( , ) (where ( , ) is the ordered pair function symbol, and K( , ) and K^-1( , ) are the key-encryption and decryption function symbols), and ᾱ is a trace. (Note that we often use abbreviations, say {n1, {n2}A, n3}B^-1 for K^-1(B, ((n1, K(A, n2)), n3)).) In this paper we consider only three kinds of actions: A sends m, A receives m and A generates n, where A ∈ DP, m ∈ DM. A trace ᾱ is a finite sequence a1; ...; an of (primitive) actions ai. φ(A) ∈ DP for a constant symbol A of the name sort, and φ(N) ∈ DN for a constant symbol N of the nonce sort. We extend φ to the evaluation of variables such that φ(P) ∈ DP and φ(n) ∈ DN, as usual. φ((t1, t2)) = (φ(t1), φ(t2)), φ(K(A, t)) = K(φ(A), φ(t)), φ(K^-1(A, t)) = K^-1(φ(A), φ(t)). For any action predicate a(A, m), φ(a(A, m)) = a(φ(A), φ(m)). For a trace formula of the form a1; ...; an, φ(a1; ...; an) = φ(a1); ...; φ(an). For a model M = (DP, DN, ᾱ, φ), m1 ⊑ m2 is true in M iff φ(m1) is a subterm of φ(m2), and m1 = m2 is true in M iff φ(m1) and φ(m2) are identical terms (of the same sort). β is true in M iff φ(β) ⊆ ᾱ. All first-order logical connectives are interpreted in the standard way.

Theorem 3.1 (Soundness) If a closed formula of the query form Honest(αP) ∧ βQ ∧ Only(βQ) → γ is provable in BPL, then it is true in any model M = (DP, DN, ᾱ, φ).

This theorem is proved by a standard induction on the length of the proof.

4 Completeness, Decidability and Their Application to Counter-Example Generations

In this section, we first show the completeness theorem for the query form by means of the proof-search method. Moreover, as a corollary of our completeness proof, we also show the decidability of provability for any given query. (Actually, in this preliminary report we only sketch out these proofs. The detailed proofs will appear in the full version of this paper.) Next, as an application of these results, we show how to find an attack on the protocol in question. As the main result, with the aid of Comon-Treinen's algorithm for the intruder deduction problem [6], for any given query we can determine whether there exists an attack on the protocol in question, whenever we set an upper bound on the number of data items. At the end of this section, we also present a concrete example of our proof construction/counter-example generation.

4.1 Completeness and decidability for the query form

Our completeness theorem is stated as follows.

Theorem 4.1 (Completeness) If a closed formula of the query form Honest(αP) ∧ βQ ∧ Only(βQ) → γ is true in any model M = (DP, DN, ᾱ, φ), then this formula is provable in BPL.

To prove the completeness theorem, we use the proof-search method (which is essentially the same as Beth's tableau method). In particular, we follow the method and several terminologies (such as stage, branch, and available terms) described in Section 1.8 of Takeuti [17]. In order to fit our query form to the sequent calculus-style proof-search method, we first slightly modify our query form into the following sequent, called a query sequent.

Honest(αP), βQ, Only(βQ), Axioms(1)-(5) ⊢ γ

Here, Axioms(1)-(5) denotes the set of non-logical axioms (1)-(5) of (III) introduced in Section 2.2. We put these formulas as assumptions of the query.

Now we review the proof-construction process and remark on the points to be slightly modified in our setting.

Proof-construction process. For any query sequent S, we shall define the proof-construction tree for S (denoted by t(S)). t(S) is a (possibly infinite) tree which is constructed in rounds: the proof-construction process begins with Round 0, where we write the query sequent S at the bottom of the tree, and go to Round 1. Then each Round i (for i = 1, 2, ...) consists of stages (k = 0, 1, 2, ..., 14) defined by cases:

Case I: Every topmost sequent, which is of the form Γ ⊢ Δ, satisfies one of the following conditions (C1)-(C3); then the proof-construction process terminates. We call such a sequent a closed sequent.

(C1) Γ and Δ include a formula in common.

(C2) t1 = t'1, ..., tn = t'n, s1 ⊑ s'1, ..., sm ⊑ s'm ∈ Γ and u1 = u'1, ..., uk = u'k, v1 ⊑ v'1, ..., vl ⊑ v'l ∈ Δ, and the set of literals {t1 = t'1, ..., tn = t'n, s1 ⊑ s'1, ..., sm ⊑ s'm, u1 ≠ u'1, ..., uk ≠ u'k, v1 ⋢ v'1, ..., vl ⋢ v'l} is not satisfiable in the free term algebra of our language. This condition is essentially the same as axiom (I) in Section 2.2.

(C3) Γ includes a trace formula α and Δ includes a trace formula β with β ⊆ α. This condition is essentially the same as axiom (1) of (II) in Section 2.2.

Case II: Not Case I. Then this stage is defined according as k = 0, 1, 2, ..., 13, 14, where the cases k = 0, 1, 2, ..., 11 and 14 are the same as in [17], i.e., k = 0 and 1 concern the symbol ¬, k = 2 and 3 concern ∧, k = 4 and 5 concern ∨, k = 6 and 7 concern →, k = 8 and 9 concern ∀, k = 10 and 11 concern ∃. In addition to the above stages, we insert the following rules as k = 12 and 13.

• k = 12 (equality rule): Let Γ[t] ⊢ Δ[t] be any topmost sequent of the tree which has been defined by stage k − 1. Then write down

Γ[t] ⊢ Δ[t], s = t   and   s = t, Γ[t], Γ[s/t] ⊢ Δ[t], Δ[s/t]

above Γ[t] ⊢ Δ[t], for all terms s and t which are made from all available terms of sorts name and nonce with the function symbols.

We introduce this stage instead of the infinite scheme ∀x∀y(x = y ∧ F(x) → F(y)) as a hypothesis in the query.

• k = 13 (rule for trace formulas): Let Γ ⊢ Δ be any topmost sequent of the tree which has been defined by stage k − 1, and β1, ..., βj be the trace formulas appearing in Γ. Then write down all sequents of the form

δ, Γ' ⊢ Δ

above Γ ⊢ Δ, where δ is an order-preserving merge of β1, ..., βj, and Γ' is Γ − {β1, ..., βj}.

This stage is the combination of the if-part of axiom (II)(2) in Section 2.2 (i.e., γ1 ∨ ... ∨ γn → α ∧ β) and the ∨-left reduction. Note that we do not need to consider the only-if part of axiom (II)(2) (i.e., α ∧ β → γ1 ∨ ... ∨ γn), because in our proof-construction process there is no sequent such that a formula of the form α ∧ β appears in the right hand side.

After applying the rule of Stage 14, if the topmost sequent is not closed, then we go to Round i + 1 and repeat the above procedure.

Proof sketch of the completeness theorem. From now on we show our completeness proof, which uses the following lemma.

Main Lemma. If there exists a branch S0, ..., S3×14 in t(S0), where S3×14 is a sequent at the end of Round 3 and is not closed, then there exists a counter-model M = (DP, DN, ᾱ, φ) for S0.

Here we sketch out how to construct such a counter-model M from S3×14.

Assume that δ is the trace formula appearing in the left hand side of S3×14. (Note that at the end of each round, the left hand side of the sequent always includes only a single trace formula.) We fix DP and DN by the following steps: we first take the set of all literals appearing in S3×14 and solve the satisfaction problem of these literals, then decompose each literal which consists of compound terms (e.g., {N1, A}B = {n1, P}Q is decomposed into N1 = n1, A = P and B = Q), then take DP and DN as representatives of these decomposed literals. We define the assignment φ for terms by induction on the length of terms as follows. As the base case, each constant and variable of sort name or nonce is interpreted by its representative (i.e., φ(N) = N* (∈ DN) and φ(n) = n* (∈ DN), where N* and n* are the representatives of the equivalence classes of N and n, respectively, and the interpretation for terms of sort name is similar). Each variable (say, m) of sort message which is neither of sort name nor of sort nonce is interpreted by the representative of the equivalence class of m. The induction step for terms and the definition of the evaluation of each formula follow the definition of φ in Section 3. Finally, as ᾱ, we take ᾱ = φ(δ).

From now on we show that M is a counter-model of S0. The essential idea to prove this fact is to use the following facts: (1) every non-logical axiom is satisfiable in M; (2) the axioms about trace formulas are satisfiable in M; (3) the axioms about = and ⊑ are satisfiable in M. As for fact (1), for any branch in a proof-construction tree, if an eigenvariable (say, m) appears in the branch, such an eigenvariable always appears in a formula of the form A acts m. On the other hand, as a descendant of the honesty assumption, ¬(A acts m) ∨ m = t always appears in the branch, where t is a term appearing at this stage. Thus, if T is the set of terms in Round 3, then for any eigenvariable m which appears above Round 3 an equation m = t with some t ∈ T always appears in the left side, and hence the search domain does not increase above Round 3. As for facts (2) and (3), these are immediately derived from the correspondence between the axioms (I) (introduced in Section 2.2) and the termination condition (C2), and between the axioms (II) (introduced in Section 2.2) and the termination condition (C3), respectively.

By this Main Lemma, the proof of our completeness theorem goes as follows. For any given query form, if every branch of the reduction tree up to Round 3 terminates (i.e., closes), then we can directly read off a proof of the query. Hence, by contraposition, for any unprovable query there exists a branch which contains a non-closed sequent (say, $S'$) at the end of Round 3. By the Main Lemma, we obtain a counter-model from the information in $S'$. Thus the completeness theorem holds. □

This Main Lemma guarantees not only that completeness holds, but also that we only need to build the proof-construction tree up to Round 3 in order to find a counter-model. Therefore, if we introduce a suitable enumeration of all instantiations for the $\forall$-left, $\exists$-right and equality rules, the following decidability result follows immediately from the Main Lemma.

Corollary 4.2 (Decidability) For any given query form, the provability of the query in BPL is decidable.

Moreover, the following theorem holds.

Theorem 4.3 (Finite number of minimal counter-models) For any unprovable query form, the number of counter-models obtained from the proof-construction tree of the query up to the end of Round 3 is finite.

4.2 Construction of attacked processes

By the proof-search method presented in the previous subsection, for any given query we obtain a proof if the query holds; otherwise we obtain counter-models for the query. However, the traces obtained from these counter-models cannot immediately be regarded as attacked processes, because in our semantics any sequence of primitive actions counts as a "trace". In order to find an attacked process, we introduce the notion of a realizable trace by means of the Comon-Treinen algorithm for the intruder deduction problem, which decides, for any given finite (or regular) set of messages $T$ and any given message $m$, whether the intruder can derive $m$ from $T$. The definition of realizable trace is as follows.

Definition 4.4 (Realizable trace) Let $\alpha$ be a sequence of actions, let $P_1\ receives\ m_1, \ldots, P_k\ receives\ m_k$ be the list of all receiving actions in $\alpha$, and let $\alpha(i)$ be the initial segment of $\alpha$ which ends immediately before $P_i\ receives\ m_i$. $\alpha$ is realizable if it satisfies the following condition: for every $P_i\ receives\ m_i$ ($1 \le i \le k$), $m_i$ is provable (derivable) from $Sends(\alpha(i))$ in the Comon-Treinen system of [6].

Intuitively, a realizable trace is a sequence of actions in which every received message can be generated by the Dolev-Yao intruder [8] from the messages sent before it. Clearly, from a realizable trace obtained from a counter-model of a query, we can construct a concrete attacked process on the protocol in question by inserting suitable intruder actions.

Since checking whether a trace is realizable is decidable (cf. [6]), the following theorem is immediate.

Theorem 4.5 (Decidability of attacked process detection) For any given query, the problem whether there exists a counter-model $\mathcal{M} = (D_P, D_N, \bar{\alpha}, \phi)$ such that $\bar{\alpha}$ is a realizable trace is decidable.

As explained in the definition of our query form, we can express correctness properties for any number of sets of data items (used by the honest principals). Thus this decidability result guarantees that we can determine whether an attacked trace exists whenever we fix an upper bound on the number of data items used by the principals. This corresponds to the results of earlier work (cf. [4]).

A suitable tactic for finding an attack on the protocol in question is to enlarge the search domain by extending the query form. This procedure does not terminate in general if no limit is placed on the search domain. However, this is the best one can hope for, since the corresponding undecidability result also holds in other frameworks (cf. [4]).

4.3 An example of attacked process detection

In this subsection, we show a simple example of how to find an attacked process from the counter-models obtained by proof-search on an unprovable query. We consider the matching conversations property for the Needham-Schroeder public key protocol (from the responder's view), whose query sequent is as follows.

$Resp_{NS}[A/P, B/Q, N_1/n_1, N_2/n_2],\ Honest(Init_{NS}[A, Q, n_1, n_2]),\ Axioms,$
$\forall n_3\,(B\ generates\ n_3 \to n_3 = N_2),\ \forall m_4\,(B\ sends\ m_4 \to m_4 = \{N_1, N_2\}_A),$
$\forall m_5\,(B\ receives\ m_5 \to m_5 = \{N_1, A\}_B \lor m_5 = \{N_2\}_B)$
$\vdash A\ generates\ N_1;\ A\ sends\ \{N_1, A\}_B;\ B\ receives\ \{N_1, A\}_B;\ B\ generates\ N_2;\ B\ sends\ \{N_1, N_2\}_A;\ A\ sends\ \{N_2\}_B;\ B\ receives\ \{N_2\}_B$

In the proof-construction tree of this query, there are 16 non-closed branches at the end of Round 3, all of the following form. (Here we use schematic expressions: $t_1$ is $N_1$ or $n_1$, and $t_2$ is $N_2$ or $n_2$.)

• In the left hand side, a trace formula appears which is an order-preserving merge of the following three trace formulas:

  • $A\ generates\ t_1;\ A\ sends\ \{t_1, A\}_Q;\ A\ receives\ \{t_1, t_2\}_A;\ A\ sends\ \{t_2\}_Q$

  • $B\ receives\ \{t_1, A\}_B;\ B\ generates\ t_2;\ B\ sends\ \{t_1, t_2\}_A;\ B\ receives\ \{t_2\}_B$

  • $B\ sends\ \{t_1, t_2\}_A;\ A\ receives\ m_1;\ A\ sends\ m_2;\ B\ receives\ \{t_2\}_B$

• The literals $A \ne B$, $A \ne Q$, $B \ne Q$, $N_1 \ne N_2$, $n_1 \ne n_2$, $N_1 = n_1$, $N_2 = n_2$, $m_1 = \{t_1, t_2\}_A$ and $m_2 = \{t_2\}_Q$ are consistent with the set of equations and inequations in the sequent.

Among the counter-models obtained from these non-closed sequents, we find a model $\mathcal{M} = (D_P, D_N, \bar{\alpha}, \phi)$ with $D_P = \{A, B, Q\}$ and $D_N = \{N_1, N_2\}$, where $A \ne B$, $A \ne Q$, $B \ne Q$, $N_1 \ne N_2$, and $\bar{\alpha} = A\ generates\ N_1;\ A\ sends\ \{N_1, A\}_Q;\ B\ receives\ \{N_1, A\}_B;\ B\ generates\ N_2;\ B\ sends\ \{N_1, N_2\}_A;\ A\ receives\ \{N_1, N_2\}_A;\ A\ sends\ \{N_2\}_Q;\ B\ receives\ \{N_2\}_B$. Moreover, the trace $\bar{\alpha}$ is realizable: indeed, with $Q$ acting as the intruder, we can construct an attacked process as follows.

$A\ generates\ N_1;\ A\ sends\ \{N_1, A\}_Q;\ Q\ receives\ \{N_1, A\}_Q;\ Q\ sends\ \{N_1, A\}_B;\ B\ receives\ \{N_1, A\}_B;\ B\ generates\ N_2;\ B\ sends\ \{N_1, N_2\}_A;\ A\ receives\ \{N_1, N_2\}_A;\ A\ sends\ \{N_2\}_Q;\ Q\ receives\ \{N_2\}_Q;\ Q\ sends\ \{N_2\}_B;\ B\ receives\ \{N_2\}_B$.

This is exactly the scenario of the man-in-the-middle attack on the Needham-Schroeder public key protocol found by Lowe [13]: $B$ believes it is talking to $A$, while $A$ is talking to $Q$.

Remark. It is well known that modifying the second message (i.e., replacing $\{N_1, N_2\}_A$ with $\{N_1, N_2, B\}_A$) rules out Lowe's attack. In our setting, this modification changes $A$'s honesty as follows: $\forall m\,(A\ receives\ m \to m = \{n_1, n_2, Q\}_A)$. Then, once $B\ sends\ \{N_1, N_2, B\}_A;\ A\ receives\ m_1;\ A\ sends\ m_2;\ B\ receives\ \{N_2\}_B \land \{N_1, N_2, B\}_A \sqsubseteq m_1 \land N_2 \sqsubseteq m_2$ has appeared, the equation $B = Q$ must appear in the left hand side (otherwise the branch is closed by the termination condition (C2)). Therefore the trace formula $A\ generates\ N_1;\ A\ sends\ \{N_1, A\}_B;\ A\ receives\ \{N_1, N_2, B\}_A;\ A\ sends\ \{N_2\}_B$ must appear in the left hand side, and such branches are closed by the termination condition (C3). Hence all branches close, and the agreement property of the modified protocol is provable.
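The realizability check of Definition 4.4, the attacked process of Section 4.3 and the Remark above can be exercised mechanically. The following Python program is an added example written for this page; it is not code from the paper or from Comon-Lundh and Treinen. It implements the Dolev-Yao intruder deduction for the paper's small term language (names, nonces, pairing and public-key encryption $\{m\}_P$), which is the instance of the intruder deduction problem needed here, and applies it to the counter-model trace $\bar{\alpha}$ above and to the corresponding trace for Lowe's fixed protocol. The assumptions are ours, not the paper's: $Q$ is the intruder, owns its own private key, knows every principal's name and public key, learns every message sent before a receive, and cannot guess nonces. Both traces are constructed from the text of this section.

```python
"""Realizable-trace check for BPL counter-model traces (added example, not from the paper).

Messages are nested tuples over the page's term language:
  ("name", "A")      principal name         ("nonce", "N1")     nonce
  ("pair", m1, m2)   concatenation {m1, m2} ("enc", m, "B")     {m}_B, public-key encryption for B
Assumption (not from the paper): Q is the Dolev-Yao intruder, owns its private key,
knows all principal names and public keys, and sees every message sent so far.
"""


def name(x):
    return ("name", x)


def nonce(x):
    return ("nonce", x)


def enc(m, principal):
    return ("enc", m, principal)


def pair(*parts):
    """Right-nested pairing, so {N1, N2, B} is pair(N1, pair(N2, B))."""
    return parts[0] if len(parts) == 1 else ("pair", parts[0], pair(*parts[1:]))


def analyze(messages, private_keys):
    """Dolev-Yao analysis: saturate knowledge under unpairing and under decryption
    of {m}_P for every principal P whose private key the intruder owns."""
    known, frontier = set(messages), list(messages)
    while frontier:
        m = frontier.pop()
        if m[0] == "pair":
            parts = (m[1], m[2])
        elif m[0] == "enc" and m[2] in private_keys:
            parts = (m[1],)
        else:
            continue
        for part in parts:
            if part not in known:
                known.add(part)
                frontier.append(part)
    return known


def synthesizable(target, known):
    """Dolev-Yao synthesis: build target from analyzed knowledge by pairing and by
    public-key encryption (public keys are public, so {m}_P is available once m is)."""
    if target in known:
        return True
    if target[0] == "pair":
        return synthesizable(target[1], known) and synthesizable(target[2], known)
    if target[0] == "enc":
        return synthesizable(target[1], known)
    return False  # an unknown atom (a fresh nonce) cannot be guessed


def first_unrealizable_receive(trace, intruder, principals):
    """Definition 4.4: every received message must be derivable from the messages sent
    earlier in the trace (plus the intruder's initial knowledge, here all names).
    Returns the index of the first receive that is not derivable, or None."""
    sent = {name(p) for p in principals}
    for i, (_, action, msg) in enumerate(trace):
        if action == "receives" and not synthesizable(msg, analyze(sent, {intruder})):
            return i
        if action == "sends":
            sent.add(msg)
    return None


def realizable(trace, intruder, principals):
    return first_unrealizable_receive(trace, intruder, principals) is None


def attacked_process(trace, intruder):
    """Insert the intruder's actions as in Section 4.3: the intruder receives every
    message encrypted for it and sends every received message that nobody sent."""
    process, sent = [], set()
    for principal, action, msg in trace:
        if action == "receives" and msg not in sent:
            process.append((intruder, "sends", msg))
        process.append((principal, action, msg))
        if action == "sends":
            sent.add(msg)
            if msg[0] == "enc" and msg[2] == intruder:
                process.append((intruder, "receives", msg))
    return process


A, B, Q = "A", "B", "Q"
N1, N2 = nonce("N1"), nonce("N2")

# The counter-model trace of Section 4.3 (constructed from the page's text).
NS_TRACE = [
    (A, "generates", N1), (A, "sends", enc(pair(N1, name(A)), Q)),
    (B, "receives", enc(pair(N1, name(A)), B)), (B, "generates", N2),
    (B, "sends", enc(pair(N1, N2), A)), (A, "receives", enc(pair(N1, N2), A)),
    (A, "sends", enc(N2, Q)), (B, "receives", enc(N2, B)),
]
# Same interleaving for Lowe's fix: B names itself in the second message, so the
# message A expects from Q ({N1, N2, Q}_A) is one the intruder cannot build.
NSL_TRACE = NS_TRACE[:4] + [
    (B, "sends", enc(pair(N1, N2, name(B)), A)),
    (A, "receives", enc(pair(N1, N2, name(Q)), A)),
] + NS_TRACE[6:]

if __name__ == "__main__":
    print("NS trace realizable:", realizable(NS_TRACE, Q, [A, B, Q]))
    for step in attacked_process(NS_TRACE, Q):
        print("  %s %s %r" % step)
    print("NSL trace first unrealizable receive:", first_unrealizable_receive(NSL_TRACE, Q, [A, B, Q]))
```

Running the script reports the Needham-Schroeder trace as realizable and prints the twelve-action attacked process given above; for the fixed protocol the receive of $\{N_1, N_2, Q\}_A$ (index 5) is flagged, because the intruder holds only $\{N_1, N_2, B\}_A$, cannot decrypt it, and so never learns $N_2$. The check is a fixpoint over the analysis rules followed by a structural recursion for synthesis, which is sufficient for this term algebra since neither rule needs to guess intermediate messages.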

5 Conclusions and Future Work

We introduced an axiomatic system in first-order predicate logic for proving protocols correct, called Basic Protocol Logic, as a simple formulation of a basic part of the protocol logics [9,7,16]. We also gave a simple trace-based semantics which is complete for our query form in BPL. Moreover, as a corollary of our completeness proof, we obtained the decidability of provability in BPL with respect to our query form. Then, by combining our completeness proof with the Comon-Treinen algorithm, for any given query we can generate concrete attacks on the protocol in question, if any exist, whenever we fix an upper bound on the number of data items used in the protocol.

There are several directions in which this work can be developed. First, we are interested in an extension for proving secrecy properties of session keys issued in a protocol. As mentioned in Section 1, such an extension would let us treat correctness properties that depend on secrecy, as in the case of Kerberos Version 5 (cf. [3]). We are also interested in a compositional approach to proving the correctness of compound protocols (cf. [9,7,16]). In our previous work [11,12], we proposed inference systems for proving correctness properties of a composed protocol by reusing proofs about its components. The main idea in [11,12] was to weaken the notion of honesty. However, our decidability result does not hold once such a weak honesty is introduced. In this paper we omitted compositionality, although we consider it one of the main targets for developing our framework.

Acknowledgments

We thank Andre Scedrov and Iliano Cervesato for their helpful comments and discussions at early stages of this research.

References

[1] http://www.stanford.edu/~danupam/logic-derivation.html

[2] M. Burrows, M. Abadi and R. Needham. A Logic of Authentication. Technical Report 39, Digital Systems Research Center, 1989.

[3] F. Butler, I. Cervesato, A.D. Jaggard and A. Scedrov. A Formal Analysis of Some Properties of Kerberos 5 Using MSR. University of Pennsylvania Department of Computer and Information Science Technical Report MS-CIS-04-04, 59 pages, 2004.

[4] I. Cervesato, N.A. Durgin, P.D. Lincoln, J.C. Mitchell and A. Scedrov. Multiset Rewriting and the Complexity of Bounded Security Protocols. Journal of Computer Security, vol.12, no.1, pp.677-722, 2004.

[5] J. Clark and J. Jacob. A Survey of Authentication Protocol Literature: Version 1.0 (web draft), 1997.

[6] H. Comon-Lundh and R. Treinen. Easy Intruder Deductions. In Verification: Theory and Practice, Essays Dedicated to Zohar Manna, LNCS 2772, Springer-Verlag, 2003.

[7] A. Datta, A. Derek, J.C. Mitchell and D. Pavlovic. A Derivation System for Security Protocols and its Logical Formalization. Journal of Computer Security (Special Issue of Selected Papers from CSFW-16), 52 pages, to appear, 2005.

[8] D. Dolev and A. Yao. On the Security of Public Key Protocols. IEEE Transactions on Information Theory, vol.29, no.2, 1983.

[9] N. Durgin, J.C. Mitchell and D. Pavlovic. A Compositional Logic for Proving Security Properties of Protocols. Journal of Computer Security, vol.11, no.4, pp.677-721, 2003.

[10] J.D. Guttman and F.J. Thayer Fabrega. Authentication Tests. IEEE Symposium on Security and Privacy, pp.96-109, 2002.

[11] K. Hasebe and M. Okada. Inferences on Honesty in Compositional Logic for Protocol Analysis. Proceedings of the International Symposium on Software Security 2003, LNCS 3233, pp.65-86, 2004.

[12] K. Hasebe and M. Okada. Non-monotonic Properties for Proving Correctness in a Framework of Compositional Logic. Proceedings of the Workshop on Foundations of Computer Security '04, pp.97-113, 2004.

[13] G. Lowe. Breaking and Fixing the Needham-Schroeder Public-key Protocol Using FDR. Tools and Algorithms for the Construction and Analysis of Systems (TACAS), LNCS 1055, pp.147-166, 1996.

[14] G. Lowe. A Hierarchy of Authentication Specifications. Proceedings of the 10th Computer Security Foundations Workshop, pp.31-43, 1997.

[15] R. Needham and M. Schroeder. Using Encryption for Authentication in Large Networks of Computers. Communications of the ACM, vol.21, no.12, pp.993-999, 1978.

[16] C. Meadows and D. Pavlovic. Deriving, Attacking and Defending the GDOI Protocol. Proceedings of the 9th European Symposium on Research in Computer Security, pp.53-72, 2004.

[17] G. Takeuti. Proof Theory (2nd edition). North-Holland, 1987.

[18] F.J. Thayer Fabrega, J.C. Herzog and J.D. Guttman. Strand Spaces: Why is a Security Protocol Correct? Proceedings of the 1998 IEEE Symposium on Security and Privacy, pp.160-171, 1998.

[19] K.N. Venkataraman. Decidability of the Purely Existential Fragment of the Theory of Term Algebras. Journal of the ACM, vol.34, no.2, pp.492-510, 1987.

[20] T.Y.C. Woo and S.S. Lam. Verifying Authentication Protocols: Methodology and Example. Proceedings of the International Conference on Network Protocols, 1993.

A Some Derived Rules on Honesty

In this appendix, we present some rules on honesty (called honesty rules) which are explicitly or implicitly used to prove security protocols correct in the protocol logics of [9,7,16]. Although we omit the formal proofs, these rules are easily shown to be derived rules of BPL. We also give a simple example of a correctness proof (the non-injective agreement property of the Needham-Schroeder-Lowe protocol from the responder's view) in the system where honesty (denoted by $Honest(\alpha_P)$) is introduced as an atomic formula and the honesty rules are taken as axioms.

Honesty rules

The honesty rules with respect to $P$'s role $\alpha_P$ $(= P\ acts_1\ m_1;\ \cdots;\ P\ acts_k\ m_k)$ are the following formulas; we also admit the formulas obtained by replacing each $sends$ with $receives$ or $generates$.

(Hon 1) $\forall m\,(P\ sends\ m \land Honest(\alpha_P) \to m \in Sends(\alpha_P))$

(Hon 2) $\forall m\,(P\ sends\ m \land Honest(\alpha_P) \to P\ sends\ m_i \lor m \in Sends(\alpha_P) - \{m_i\})$

(Hon 3) $P\ sends\ m_i \land Honest(\alpha_P) \to P\ acts_{i-1}\ m_{i-1};\ P\ sends\ m_i$

The following rules (Hon 1') and (Hon 2') are variants of (Hon 1) and (Hon 2), respectively.

(Hon 1') $\forall m'\,(\exists m\,(P\ sends\ m \land m' \sqsubseteq m) \land Honest(\alpha_P) \to m' \sqsubseteq m'' \in Sends(\alpha_P))$

(Hon 2') $\forall m'\,(\exists m\,(P\ sends\ m \land m' \sqsubseteq m) \land Honest(\alpha_P) \to P\ sends\ m_i \lor m' \sqsubseteq m'' \in Sends(\alpha_P) - \{m_i\})$

Here, set-theoretic notation such as $m \in Sends(\alpha_P)$ is the same abbreviation as in Definition 2.3 of Section 2.3. The abbreviation $m' \sqsubseteq m'' \in Sends(\alpha_P)$ denotes the formula $m' \sqsubseteq m'_1 \lor m' \sqsubseteq m'_2 \lor \cdots \lor m' \sqsubseteq m'_j$, where $Sends(\alpha_P) = \{m'_1, \ldots, m'_j\}$.

Note that the rules (Hon 1), (Hon 2) and (Hon 3) correspond to the rules Substitution, Matching and Deriving another action, respectively, introduced in our previous work [11,12]. See [11,12] for the intuitive meaning of these rules.

Proof of the non-injective agreement of the NSL protocol from the responder's view

(1) [Init] $Resp[A, B, N_1, N_2] \vdash Resp[A, B, N_1, N_2]$

(2) [(1), NV2] $Resp[A, B, N_1, N_2] \vdash \exists m_1 m_2\,(A\ rec\ m_1;\ A\ sen\ m_2 \land \{N_1, N_2, B\}_A \sqsubseteq m_1 \land N_2 \sqsubseteq m_2)$

(3) [(2), Hon 1', Eq] $Resp[A, B, N_1, N_2] \land Honest(Init[P, Q, n_1, n_2]) \vdash N_1 = n_1 \land N_2 = n_2 \land B = Q$

(4) [(2), Hon 2'] $Resp[A, B, N_1, N_2] \land Honest(Init[P, Q, n_1, n_2]) \vdash A\ sen\ \{N_2\}_B \lor N_2 \sqsubseteq \{n_1, A\}_Q$

(5) [(4), Eq] $Resp[A, B, N_1, N_2] \land Honest(Init[P, Q, n_1, n_2]) \vdash A\ sen\ \{N_2\}_B$

(6) [(5), Hon 3] $Resp[A, B, N_1, N_2] \land Honest(Init[P, Q, n_1, n_2]) \vdash A\ gen\ n_1;\ A\ sen\ \{n_1, A\}_Q;\ A\ rec\ \{n_1, n_2, Q\}_A;\ A\ sen\ \{n_2\}_Q$

(7) [(2), (6), Eq] $Resp[A, B, N_1, N_2] \land Honest(Init[P, Q, n_1, n_2]) \vdash A\ gen\ N_1;\ A\ sen\ \{N_1, A\}_B;\ A\ rec\ \{N_1, N_2, B\}_A;\ A\ sen\ \{N_2\}_B$