Secure Protocol Composition

Anupam Datta1 Ante Derek1 John C. Mitchell1

Computer Science Department Stanford University Stanford., CA 94305-9045

Dusko Pavlovic2

Kestrel Institute Palo Alto, CA 94304

Abstract

This paper continues the program initiated in [5], towards a derivation system for security protocols. The general idea is that complex protocols can be formally derived, starting from basic security components, using a sequence of refinements and transformations, just like logical proofs are derived starting from axioms, using proof rules and transformations. The claim is that in practice, many protocols are already derived in such a way, but informally. Capturing this practice in a suitable formalism turns out to be a considerable task.

The present paper proposes rules for composing security protocols from given security components. In general, security protocols are, of course, not compositional: information revealed by one may interfere with the security of the other. However, annotating protocol steps by pre- and post-conditions, allows secure sequential composition. Establishing that protocol components satisfy each other's invariants allows more general forms of composition, ensuring that the individually secure sub-protocols will not interact insecurely in the composite protocol. The applicability of the method is demonstrated on modular derivations of two standard protocols, together with their simple security properties.

1 Introduction

Modularity is a central problem in computer security and a proven challenge to many investigators (including [20,21,22,23,24]). In this paper, we explore modular construction of network protocols and present a system for reasoning about compound protocols from their parts. In general terms, we address two basic problems in modular security The first may be called additive combination - we wish to combine protocol components in a way that accumulates security properties. For example, we may wish to combine a basic key exchange protocol with an authentication mechanism to produce a protocol for authenticated key exchange. The

1 {danupam,aderek,jcm}@cs.stanford.edu

2 duskoOkestrel.edu

second basic problem is ensuring nondestructive combination. If two mechanisms are combined, each serving a separate purpose, then it is important to be sure that neither one degrades the security properties of the other. For example, if we add an alternative mode of operation to a protocol, then some party may initiate a session in one mode and simultaneously respond to another session in another mode, using the same public key or long-term key in both. Unless the modes are designed not to interfere, there may be an attack on the multi-mode protocol that would not arise if only one mode were possible. An interesting illustration of the significants of nondestructive combination is the construction in [16] which shows that for every security protocol there is another protocol that interacts with it insecurely.

Recognizing that many common network protocols are built using an accepted set of standard concepts, we have identified a set of basic components, protocol composition operations, protocol refinements, and protocol transformations for authentication and key exchange protocols. In [5], we characterize the structure of a family of key exchange protocols that includes Station-To-Station (STS), ISO-9798-3, Just Fast Keying (JFK) and related protocols, showing how all the protocols in this family may be derived systematically. (In order to make this submission more self-contained, a very cursory overview is contained in Appendix ??.) We have also constructed systematic derivations of other families of protocols, in each case showing how a simple starting protocol may be extended, incrementally adding properties or optimizing performance in each step. While the derivation system seems a useful tool for developing and understanding protocols, we have not yet been able to prove that each derivation step is sound for all protocols where it could be applied. In this paper, we show how to prove correctness of additive and nondestructive combinations of protocol components.

Intuitively, additive combination is captured by a before-after formalism for reasoning about, steps in protocol execution. Suppose P is a sequence of protocol steps, and (f) and tp are formulas asserting secrecy of some data, past actions of other principals, or other facts about, a. run of a. protocol. The triple <fi[P]Aip means that if (f) is true before principal A does actions P, then tp will be true afterwards. For example, the precondition might, assert, that A knows B's public key, the actions P allow A to receive a. signed message and verify B's signature, and the postcondition may say that B sent, the signed message that A received. The importance of before-after assertions is that we can combine assertions about, individual protocol steps to derive properties of a. sequence of steps: if <fi[P]Aip and iP[P']aQ, then (¡)[PP'}aO. For example, an assertion assuming that keys have been successfully distributed can be combined with steps that do key distribution to prove properties of a. protocol that distributes keys and uses them.

We ensure nondestructive combination, which is useful for reasoning about, running older versions of a. protocol concurrently with current, versions (e.g., SSL 2.0 and SSL 3.0) and for verifying protocols like IKE [13] which contain a. large number of sub-protocols, using inva.ria.nce assertions. The central assertion in our reasoning system, T b <fi[P]Aip, says that in any protocol satisfying the invariant. T, the before-after assertion <fi[P]Aip holds in any run (regardless of any actions by any

dishonest attacker). Typically, our invariants are statements about principals that follow the rules of a protocol, as are the final conclusions. For example, an invariant may state that every honest principal maintains secrecy of its keys, where "honest" means simply that the principal only performs actions that are given by the protocol. A conclusion in such a protocol may be that if Bob is honest (so no one else knows his key), then after Alice sends and receives certain messages, Alice knows that she has communicated with Bob. Under the specific conditions described in this paper, nondestructive combination occurs when two protocols are combined and neither violates the invariants of the other.

As informally described, "additive combination" and "nondestructive combination" may seem like overlapping concepts, at least to the degree that additive combination assumes that the added steps do not destroy any security properties. In our logic, we factor the two concepts into two separate notions, one for adding steps to a protocol under some assumed invariants, and another for showing that a combination of protocol steps preserves a set of invariants. More specifically, if we want to add an authentication step to a protocol, we first show that the additional step preserves the same needed invariants. Then, under the assumption that invariants are preserved, we combine properties guaranteed by separate steps. There is some synergy in this approach, since the logical principles used to prove an invariant are the same as those used to prove protocol properties from a given set of invariants.

To show the utility of our logic for practical protocols, we present three examples. Example 6.1 is a formal correctness proof of ISO-9798-3 , constructed by composing proofs of two parts, a standard signature-based challenge response protocol [28], and a Diffie-Hellman key exchange protocol [6]. Example 6.2 proves correctness of a protocol that exchanges certificates to establish public keys, and then uses public-key cryptography and nonces to establish a shared secret. Example 6.3 combines the two, showing that running any number of instances of ISO-9798-3 and the Needham-Schroeder public-key protocol in parallel preserves the security properties of both. While the formal proofs are somewhat lengthy when written out in full detail, as in any formal proof system, the proof structure takes advantage of composition ideas and illustrates the power of a modular approach. Although the assertions we prove only mention steps of the protocol, the logic is sound in a stronger sense: each provable assertion about an action or sequence of actions holds in any run of the protocol that contains the given actions and arbitrary additional actions by any number of additional principals and malicious attacker(s). This "implicit attacker" method lets us prove security properties of protocols under attack, while reasoning only about the sequence of actions taken by honest parties in the protocol.

It is well known that many natural security properties (e.g., noninterference) are not preserved either under composition or under refinement. This has been extensively explored using trace-based modeling techniques [20,21,22,23,24], using properties that are not first-order predicates over traces, but second-order predicates over sets of traces that may not have closure properties corresponding to

A • • = »

Fig. 1. ISO-9798-3 as arrows-and-messages

composition and refinement. In contrast, our security properties are safety properties over sets of traces that satisfy safety invariants, thus avoiding negative results about composability.

The rest of the paper is organized as follows. Section 2 discusses the process calculus that we use for defining the steps of a protocol. The syntax and semantics of the core protocol logic is presented in Section 3. The proof system is presented in Section 4. Section 5 describes the extensions to the core proof system used to reason about, protocol composition. In Section 6, we illustrate applications of the logic. In Section 7, we describe previous work on protocol composition [4,11,12,14,16,18,27,36] and discuss how our formalization can be used to explain some of those results. Finally, in Section 8, we present, our conclusions and propose some themes for future work.

2 Cord Calculus

Cords [9] are the formalism we use to represent, protocols and their parts. They form an action calculus [29,30,33], based on 7r-ca.lculus [31], and related to spi-calculus [1]. The cords formalism is also similar to the approach of the Chemical Abstract. Machine formalism [3], in that the communication actions can be viewed as reactions between "molecules". Cord calculus serves as a. simple "protocol programming language" which supports our Floyd-Hoare style logical annotations, and verifications in an axiomatic semantics. Cord calculus is presented in [9]. In order to make this paper self-contained, a. brief summary is included in Appendix A.

In this section, we illustrate with an example how protocols are represented in cord calculus. Figure 1 shows the ISO-9798-3 protocol [15] in the informal arrows-and-messages notation which is commonly used to describe security protocols. The same protocol is written out. in the language of cord calculus in Figure 2. The common point, between the two is that a. protocol is described by listing out. the sequence of actions that honest, parties would execute in a. run. In this example, the protocol consists of two roles, the initiator role and the responder role. The sequence of actions in the initiator role are given by the cord A in Figure 2. In words, the actions are: generate a. fresh random number; send a. message with the Diffie-Hellman exponential of that number to the peer, B; receive a. message with source address £>; verify that, the message contains U's signature over data, in the expected format; and finally, send another message to B with the initiator's signature over the Diffie-Hellman exponential that she sent, in the first, message, the data she received from B (which should be a. Diffie-Hellman exponential generated by B) and £>'s identity. The notations (vx), (t), (x) refer respectively to the actions

A = [ (va) (Á,B,gaiB,Á,n4gf,n,Á\^/B,Á,y,z) [z/{gf, y, Á\}B) (i, B, {]<f, y,

B = [(X, B, m) (vb) (B, X, g\ {]m, g\ X^) (X, B, {]m, g\ B|}x)]

Fig. 2. ISO-9798-3 as a cord space

of nonce generation, sending a term and receiving a message. Here, a message is assumed to be of the form: (source, destination, content). Detailed syntax of cord calculus is presented in Appendix A.

3 A Protocol Logic

3.1 Syntax

The formulas of the logic are given by the grammar in Table 1, where p may be any role, written using the notation of cord calculus. Here, t and P denote a term and a process respectively We use the word process to refer to a principal executing an instance of a role, e.g., Alice taking part in a session of a protocol in the initiator role. As a notational convention, we use X to refer to a process belonging to principal X. We use (f) and tp to indicate predicate formulas, and m to indicate a generic term we call a "message". m is of the form (source, destination, protocol-identifier, content), i.e., each message has source and destination fields and a unique protocol identifier besides the contents. Note that the source field of a message may not be the same as the actual sender of the message since the intruder can spoof the source address. Also, the principal identified by the destination field may not receive the message since the intruder can intercept messages. The source and destination fields in the message are useful while proving authentication properties of protocols. When an honest principal sends out a message, the source field identifies her and the destination field identifies the intended recipient. Our formalization of authentication is based on the notion of matching records of runs [7] which requires that whenever A and B accept each other's identities at the end of a run, their records of the run should match, i.e., each message that A sent was received by B and vice versa, each send event happened before the corresponding receive event, and moreover the messages sent by each principal (A or B) appear in the same order in both the records. Including the source and destination fields in the message allows us to match up send-receive actions. Since in this paper, we reason about, correctness of a protocol in an environment in which other protocols may be executing concurrently, it is important that when A and B accept each other's identities, they also agree on which protocol they have successfully completed with the other. One way to extend the matching histories characterization to capture this requirement is by adding protocol identifiers to messages. Now if A and B have matching histories at the end of a run, not only do they agree on the source, destination and content of each message, but also on which protocol this run is an instance of.

Most protocol proofs use formulas of the form 9[P]x4>, which means that after actions P are executed in process X, starting from a state where formula 9 is true,

formula (f) is true about the resulting state of X. Here are the informal interpretations of the predicates, with the basis for defining precise semantics discussed in the next section.

The formula Has(^Y, x) means that principal X possesses information x in the process X. This is "possesses" in the limited sense of having either generated the data or received it in the clear or received it under encryption where the decryption key is known. The formula Send(X, m) means that the last action in a run of the protocol corresponds to principal X sending message m in in the process X. Receive(X,m), New(A",t), Decrypt(A",t), and Verify(A",t) are similarly associated with the receive, new, decrypt and signature verification actions of a protocol. Fresh (X, t) means that the term t generated in X is "fresh" in the sense that no one else has seen any term containing t as a subterm. Typically, a fresh term will be a nonce and freshness will be used to reason about, the temporal ordering of actions in runs of a. protocol. This form of reasoning is useful in proving authentication properties of protocols. The formula. Honest(A") means that the actions of principal X in the current, run are precisely an interleaving of initial segments of traces of a. set. of roles of the protocol. In other words, X assumes some set. of roles and does exactly the actions prescribed by them. Contains(ii, ¿2) means that ¿2 is a. subterm of ii. This predicate helps us identify the components of a. message. The two temporal operators and have the same meaning as in Linear Temporal Logic [19]. Since we view a. run as a. linear sequence of states, (f) means that in some state in the past, (f) holds, whereas (f) means that in the previous state (f) holds. The predicate After(ai, 82) means that the action a-2 happened after the action eq in a. run. In this paper, we restrict, attention to protocol roles in which all actions are unique. In particular, a. principal executing a. role of a. protocol does not. send the same message twice. This seems like a. reasonable assumption since even if she did send two messages with the same content., she would probably distinguish the two by using message sequence numbers or a. similar mechanism. The technical benefit, of this assumption is that After becomes a. transitive relation for actions executed by honest, principals.

We note here that the temporal operator and some of the predicates (Send, Receive) bear semblance to those used in NPATRL [35], the temporal requirements language for the NRL Protocol Analyzer [25,26]. However, while NPATRL is used for specifying protocol requirements, our logic is also used to infer properties of protocols. This leads to essential semantical differences.

3.2 Semantics

A formula, may be true or false at a. run of a. protocol. More precisely, the main semantic relation, Q, R \= (p, may be read, "formula. <fi holds for run R of protocol Q." In this relation, R may be a. complete run, with all sessions that are started in the run completed, or an incomplete run with some principals waiting for additional messages to complete one or more sessions. If Q is a. protocol, then let. Q be the set. of all initial configurations of protocol Q, each including a. possible intruder cord. Let. Runs(Q) be the set. of all runs of protocol Q with intruder, each a. sequence of

Action formulas

a ::= Send(P, m) | Receive(P, m) | New(P, t) | Decrypt(P, t) | Verify(P, t) Formulas

4> ::= a | Has(P,i) | Fresh(P,i) | Honest (./V) | Contains(ii, t2) \

(f) A (/> | -.0 | Modal forms tf ::= p </> | </> p </>

After(a,b) = (b A a)

Table 1 Syntax of the logic

reaction steps within a cord space. If (f> has free variables, then Q, R |= (f> if we have Q, -R |= a<f) for all substitutions a that eliminate all the free variables in q\ We write Q |= (j> if Q, R |= 0 for all E € Runs(Q).

The inductive definition of Q,R\= <f> is given in Appendix B. The main idea is to view a run as a sequence of reaction steps within a cord space. Each reaction step corresponds to a principal executing an action. It therefore becomes possible to assert whether a particular action occurred in a given run and also to make assertions about, the temporal ordering of the actions. An alternative view, similar to the execution model used in defining Linear Temporal Logic (LTL) semantics, is to think of a. run as a. linear sequence of states. Transition from one state to the next, is effected by an action carried out. by some principal in some role. Associating that action with the state that the system ends up in as a. consequence, allows us to use the well-understood terminology of LTL in our logic. A formula, is true in a. run if it. is true in the last, state of that run. An action formula, a is therefore true in a. run if it. is the last, action in that. run. On the other hand, a. past, formula, a is true if in the past, the action formula, a was true in some state, i.e., if the action had occurred in the past..

4 Proof System

4-1 Axioms for Protocol Actions

The axioms about, protocol actions are listed in Table 2. All the axioms state properties that hold in the state reached by executing one of the actions in a. state in which formula, (f) holds. Note that the a in axiom AA1 is any one of the 5 actions and a is the corresponding predicate in the logic. AA1 states that if a. principal has executed an action in some role, then the corresponding predicate asserting that the action had occurred in the past, is true. Also, in the previous state, (f) is true. If process X generates a. new value n and does no further actions, then axiom AN1

AA1 <p[a]x (a A <p) AN1 <f>[(vn)]x Has(X, n) AN2 <j>[{vn)\:x Has(Y,??,) D (Y = X) AN3 (j)[{vn)]x Fresh (A", n) AR1 (j)[{m)]x Has(AYm)

Table 2 Axioms for protocol actions

says that X knows n, AN2 says that no one else knows n, and AN3 says that n is fresh. AR1 says that if X has received a. message m, then she knows m.

4-2 Axioms relating Atomic Predicates

Table 3 lists axioms relating various prepositional properties, most, of which follow naturally from the semantics of prepositional formulas. For example, DEC states that if X decrypts {|«|}a', then X knows n because that is the result, of the decryption, and PRO J states that if a. process knows a. tuple x, y then he also knows x and y. VER and SEC respectively refer to the unforgeabilit.y of signatures and the need to possess the private key in order to decrypt, a. message encrypted with the corresponding public key. The additional condition requiring principal X to be honest, guarantees that the intruder is not. in possession of the private keys. The above described four axioms together provide an abstraction of the standard Dolev-Yao intruder model [8]. An important, axiom is N1 which states that if a. process X has generated a. value n, then that, value is distinct, from all other values generated in all other roles. N2 states that freshly generated values are distinct, from Diffie-Hellman exponentials. F1 states that fresh values generated in different, processes are distinct.. N1, N2, and F1 together capture the intuition that fresh nonces and Diffie-Hellman exponentials are unique. Finally, CON states that the tuple x, y contains x and y as subterms.

4-3 Inference Rules, Preservation and Freshness Loss Axioms

Table 4 collects the inference rules and some additional axioms. The generic inference rules follow naturally from the semantics. G2 is exactly of the same form as the rule of consequence in Hoare Logic. It. is clear that most, predicates are preserved by additional actions. For example, if in some state Has(A", n) holds, then it. continues to hold, when X executes additional actions. Intuitively, if a. process possesses some information at a. point, in a. run, then she remembers it. for the rest, of the run. Note, however, that the Fresh predicate is not. preserved if the freshly generated value n is sent. out. in a. message (see F).

4-4 Axioms and Rules for Temporal Ordering

In order to prove mutual authentication, we need to reason about, the temporal ordering of actions carried out. by different, processes. For this purpose, we use

Axioms Capturing Dolev-Yao Model:

DEC Decrypt(X,{|??,|}A-) D Has(X,??,) PROJ Has(X,(x,y)) D Has(A", x) A Has(A", y) SEC Honest(X) A Decrypt(Y, {|??,|}x) D (Y = X) VER Honest(X) A Verify(Y, {|??,|}T) D

3X3m.( Send(A", m) A Contains(m, Axioms Capturing Uniqueness of Nonces: N1 New (A", n) A New(Y, n) D (X = Y) N2 New(X,p) D - New(Y,gp) F1 Fresh (A", n) A Fresh(Y,??,) D (X = Y) Axiom Capturing Subterm Relationship:

CON Contains((.T, y), x) A Contains((.T, y), y)

Table 3

Relationship between properties

Generic Rules:

d[P]x<t> 0[P]xtp d[P]X(f> O'd0 <t>D<t>' (j) 3x.(f)(x)

-g1 -g2 -g3 -g4

e[P]x^Atp e'[p}x<t)' e[p}x<P </>(c0)

Preservation Axioms: (For Persist e {Has, </>},) PI Persist(X, / )\a\ y Persist(X, / )

P2 Fresh(X,t)[a]Fresh(X,t), where (t £ a) V (a / (m)) P3 HasAlone(X, i)[a]xHasAlone(X, t), where (t a) V (a / (m))

Freshness Loss Axiom: F Fresh (A", i)[(m)]x-Fresh(X, t), where (t C m)

Table 4

Generic Rules, Preservation and Freshness Loss Axioms

PLTL Axioms:

T1 ((f) A V) D ( </> A V) T2 ((f) V V) D ( (f) V V) T3 -.(/> o -.</> Temporal Generalization Rule:

Temporal Ordering of actions:

AF1 0[ai... an]x After (a i, a2) A ... A After(an-i, a„) AF2 Honest(X) A Honest(F) A Honest(Z) D

(After(ai(X),a2(F)) A After(a2(Y),a3(Z)) D After(ai(X), a3(Z)))

Fresh(X,n)[<m)P].Y (</> D a2(F)) ,,, , ^ ,

AF3 (A / Y) A (n Ç rn, a2)

Fresh(X,n)[(m)P].Y (</> ^ After(Send(X, m), a2)) ö[Pa2].Y (</> 3 (Send(F, m) A Fresh(F, ??,)))

ö[Pa2].Y {<f> ^ After(Send(F, m), a2))

AF4 (X / F) A (??, c m,a2)

Table 5

Axioms and rules for temporal ordering

a fragment, of the proof system for Proposit.iona.1 Linear Temporal Logic, PLTL (Table 5). See [34] for a. complete axiomatization of PLTL. The axioms and rules specific to the temporal ordering of actions are presented in Table 5. The first, two rules are fairly straightforward. AF1 orders the actions within a. role. This is consistent, with the way we view a. role as an ordered sequence of actions. AF2 states that the After relation is transitive on actions executed by honest, participants. It. makes sense since we assume that in a. role of a. protocol, an honest, principal does not. send the same message twice. AF3 and AF4 use the freshness of nonces to reason about, the ordering of actions carried out. by different, processes. Intuitively, AF3 states that if a. process X creates a. fresh value n and then sends out. a. message containing it. as a. subterm, then any action carried out. by any other process which involves n (e.g. if Y receives a. message containing n inside a. signature), happens after the send action. AF4 is similar except, for the fact, that the roles of X and Y are reversed.

4-5 The Honesty Rule

The honesty rule is essentially an inva.ria.nce rule for proving properties of all roles of a. protocol. It. is similar to the basic inva.ria.nce rule of LTL [19]. The honesty

rule is used to combine facts about, one role with inferred actions of other roles. For example, suppose Alice receives a. response from a. message sent, to Bob. Alice may wish to use properties of Bob's role to reason about, how Bob generated his reply In order to do so, Alice may assume that Bob is honest, and derive consequences from this assumption. Since honesty, by definition in our framework, means "following one or more roles of the protocol," honest, principals must, satisfy every property that is a. provable invariant, of the protocol roles.

Recall that a. protocol Q is a. set. of roles, Q = {pi,p2, • • •, pk}- If P € Q is a. role of protocol Q, we write PeBS(p) if P is a. continuous segment, of the actions of role p such that (a.) P is the empty sequence; or (b) P starts at the beginning of p and goes upt.o the first, receive ; or (c) P starts from a. receive action and goes upt.o the next, receive action; or (d) P starts from the last, receive action and continues till the end of the role. We call such a. P a basic sequence of role p. The reason for only considering segments starting from a. read and continuing till the next, read is that if a. role contains a. send, the send may be done asynchronously without, waiting for another role to receive. Therefore, we can assume without, loss of generality that the only "pausing" states of a. principal are those where the role is waiting for input.. If a. role calls for a. message to be sent., then we dictate that the principal following this role must, complete the send before pausing.

Since the honesty rule depends on the protocol, we write Q 9[P]<p if 9[P]<p is provable using the honesty rule for Q and the other axioms and proof rules. Using the notation just, introduced, the honesty rule may be written as follows.

no free variable in 6

[].Y0 VP g Q.yPeBS(p). <t> [P],Y <t>

; hon except. X bound in

Q b Hon est (A") D </>

In words, if (f) holds at the beginning of every role of Q and is preserved by all its basic sequences, then every honest, principal executing protocol Q must, satisfy (f). The side condition prevents free variables in the conclusion Honest(A^) D <fi from becoming bound in any hypothesis. Intuitively, since (f) holds in the initial state and is preserved by all basic sequences, it. holds at all pausing states of any run.

5 Formalizing Protocol Composition

Until this point., protocols have been analyzed in isolation. In this section, we extend the deductive system to reason about, protocol composition. In doing so, we address the two ways in which composition problems can arise in security protocol analysis. Both arise out. of complexity. In one case, we wish to gain control of complexity by building up a. proof of correctness of a. complex protocol from proofs of correctness of its component, sub-protocols. In the other, we want, to avoid insecure interactions between different, protocols or different, versions of the same protocol that may be operating over the same network.

r b (/> ri-0i[PU02 r I- 02^03

Q b T Q' b T QoQ'hT

rur'l-0 n-0i[P;PW3

Table 6

Composition Rules

The protocol composition rules are collected in Table 6. T denotes a set of formulas which we refer to as environment invariants. The idea is to capture, using these formulas, the constraints that the environment must satisfy in order to enable a specific protocol to retain its security property Typically, these constraints will impose restrictions on the actions of the honest principals, i.e., the principals who are faithfully executing one or more of the protocols running in the environment. We write r b cf) if cf) is provable using the formulas in T and the axioms and proof rules of the deductive system. The semantic entailment, T |= (/>, is defined in Appendix B. Essentially, it says, that in any run in which the invariants in T hold, the formula 4> is true.

The weakening rule, W, states that a formula (f) which is provable from a set of hypotheses, T, remains provable if additional formulas are added to the set of hypotheses. The protocol composition rule CI gives us a way of sequentially composing two roles P and P' when the logical formula guaranteed by the execution of P, i.e., the post-condition of P, matches the pre-condition required in order to ensure that P' achieves some property. As before, T denotes a set of hypotheses which are used in proving the properties of the protocols. This form of reasoning allows a proof of correctness of a protocol to be built up incrementally from a proof of its component sub-protocols. The other composition rule C2 states that if the environment invariants hold for two protocols, Q and Q', then the invariants also hold for their composition. This rule is sound if the formulas in T capture trace-based invariants, which are proved using the honesty rule in our deductive system. Soundness proofs of the rules in Table 6 are presented in Appendix C.

If Q and Q! are protocols, then we define Q o Q' to be any protocol such that every role p in Q o Q' is a concatenation of basic sequences of roles in Q or Q'. Therefore, every p € Q o Q' can be written as p = pip2 ■ ■ ■ pn where every pi is a basic sequence of a role in Q or Q'. Note that sequential and parallel composition arise as special cases of this general composition operation.

Our general methodology for proving protocol composition results involves the following steps:

(i) Prove separately the security properties of protocols Q and Q!.

(ii) Identify the set of environment invariants used in the two proofs, T and r'. The formulas included in these sets will typically be the formulas in the two proofs, which were proved using the honesty rule.

(iii) Apply the weakening rule so that fur' represents the set of environment

invariants that will be used while applying the composition rules CI and C2. This step is required in case of sequential composition or if we want to prove that the properties of both Q and Q! are preserved by the composition process. However, if the goal is to just prove that the properties of Q are preserved, then the set of environment invariants that will be used while applying CI and C2 will simply be P

(iv) When the post-condition of a role of Q matches the pre-condition of the corresponding role of Q', sequentially compose the two roles by applying rule CI. This step is required only in the case of sequential composition.

(v) Prove that the environment invariants used in proving the properties of the protocols, T U r', hold for both the protocols. Since QhT was already proved in Step 1, in this step, it is sufficient to show that Q b P and similarly that Q! b T. If Step 3 was skipped, then it is sufficient to just show that Q! b P

Note that in proving a composition result (whether sequential or parallel), we always prove that the two protocols under consideration respect each other's invariants (Step 5), i.e., that they do not interact insecurely In addition, while proving that two protocols can be sequentially composed, we require that the post-condition of the first matches the pre-condition of the second (Step 4). Thus, in proving a sequential composition result, we address the two central problems of compositional protocol analysis mentioned in the beginning of the section.

6 Examples of Protocol Composition

In this section, we illustrate the use of the methodology outlined in the previous section, by presenting modular proofs of two standard protocols, ISO-9798-3 [15] and NSL [32,17]. The parallel composition of these two protocols is also proved secure. Due to space constraints, we only present the the proof of ISO-9798-3 in its entirety, and sketch an outline of the NSL proof and the proof of correctness of their parallel composition.

Example 6.1 The ISO-9798-3 Protocol

The ISO-9798-3 protocol is constructed by a sequential composition of a protocol based on the Diffie-Hellman key exchange protocol and the standard signature-based challenge-response protocol. Here, we prove the key secrecy property of the Diffie-Hellman protocol and the mutual authentication property of the challenge-response protocol. We then prove that the ISO-9798-3 protocol can be used to establish an authenticated shared secret by composing the correctness proofs of these two protocols.

Challenge Response Protocol, CR:

Our formulation of authentication is based on the concept of matching conversations [2] and is similar to the idea of proving authentication using correspondence assertions [37]. The same basic idea is also presented in [7] where it is referred to

as matching records of runs. Simply put, it requires that whenever A and B accept each other's identities at the end of a run, their records of the run match, i.e., each message that A sent was received by B and vice versa, each send event happened before the corresponding receive event, and moreover the messages sent by each principal (A or B) appear in the same order in both the records.

A complete proof of the mutual authentication property guaranteed by executing the CR protocol is presented in Table ?? in Appendix ??. The final property proved about, the initiator role (referred as <j)auth henceforth) is of the form: precondition [actions] postcondition, where:

precondition = Fresh {A, m)

actions = l(A,B,m)(B,A,n,§m,n,A\}j;/B,A,y,z)

(z/{[m, y, A\}B){A, B, {|m, y,B\}^))A postcondition = Honest(£>) D ActionslnOrder( Send(A, {A,B, m}), Receive(£>, {A, B, m}), Send(B,{B,A,{n,{[m,n,A\}^}}), Receive^, {B, A, {n, {|m, n, A\}^}}))

Here, the predicate ActionslnOrder(ai, a2, ■■■, an) means that the actions eq, a2, ..., an were executed in that, order. Intuitively, this formula, means that after executing the actions in the initiator role purportedly with B, A is guaranteed that her record of the run matches that of B, provided that B is honest.. The set. of environmental invariants used in this proof, T, contains only one formula, (line (9) of Table ??), i.e.,

T = { Honest(£>) D (

( Send(£>, mo) A Contains(mo, {|m, n, A|}-g) A Fresh(£>, m) ) D ( m0 = {B, A, {n,{[m,n,A\}^}}/\ (Send{B, {B, A, {n, {|m, n, i|}^}}) A Fresh{B, n)) A ActionslnOrder(Receive(£>, {A, B, m}), Send(£>, {B, A, {n, {|m, n, A|}-g}}))

Intuitively, this invariant, states that whenever honest. B signs a. term which is a. triple with the third component. A, and the first, component, was not. freshly generated by B, then it. is the case that this signature was sent, as part, of the second message of

DH1 Computes{X,gab) D Has{X,gab) DH2 Has(X,gab) D

(Computes(A", gab) V 3m.( Receive(A", m) A Contains{m,,gab))) DH3 ( Receive(A", m) A Contains(m,/6)) D

3Y, m/.(Computes(F, gab) A Send(Y, m!) A Contains(m', gab)) DH4 Fresh(X, a) D Fresh(X,/) Computes(X,/6) = ( (Has(X,a) A Has(X,gb)) V (Has(X,6) A Has(X,ga)) )

Table 7 Diffie-Hellman Axioms

the CR protocol. (Note that each message sent and received has the protocol-id in it. We omit these to improve readability).

Base Diffie Hellman Protocol, DHo:

The DHo protocol involves generating a fresh random number and computing its Diffie-Hellman exponential. It is therefore the initial part, of the standard Diffie-Hellman key exchange protocol. In order to reason about, the security property of this protocol, the term language and the protocol logic have to be enriched to allow reasoning about. Diffie-Hellman computation. The terms g(a) and h{a,b), respectively representing the Diffie-Hellman exponential ga modp and the Diffie-Hellman secret. gab modp, are added to the term language. To improve readability, we will use ga and gab instead of g(a) and h(a, b). Table 7 presents the rules specific to the way that Diffie-Hellman secrets are computed. The predicate Computes() is used as a. shorthand to denote the fact, that the only way to compute a. Diffie-Hellman secret, is to possess one exponent, and the other exponential. DH1 states that if X can compute the Diffie-Hellman secret., then she also possesses it.. DH2 captures the intuition that, the only way to possess a. Diffie-Hellman secret, is to either compute it. directly or obtain it. from a. received message containing it.. DH3 states that if a. principal receives a. message containing a. Diffie-Hellman secret., someone who has computed the secret, must, have previously sent. a. (possibly different.) message containing it.. DH4 captures the intuition that if a is fresh at some point, of a. run, then ga is also fresh at that point..

The property of the initiator role of the DHo protocol is given by the formula, below.

\{va)]A HasAlone(A, a) A Fresh(A,ga)

This formula, follows easily from the axioms and rules of the logic. It. states that after carrying out. the initiator role of DHo, A possesses a. fresh Diffie-Hellman exponential ga and is the only one who possesses the exponent, a. This property will be useful in proving the secrecy condition of the ISO-9798-3 protocol. The set. of environmental invariants used in this proof, T', is empty.

Composing the Protocols:

We now prove the security properties of the ISO-9798-3 protocol by composing the correctness proofs of DHq and CR. In doing so, we follow the general methodology for proving composition results outlined in Section 5. Let us go back and look at the form of the logical formulas characterizing the initiator roles of DHq and CR:

DH0 : r' h [InitDHoU Fresh(A>0°)

CR : T h Fresh (A, m) [InitCR.U (pauth

At this point, steps 1 and 2 of the general methodology have already been carried out. We now apply the weakening rule to both the formulas above (step 3). Since r' is empty, T U T' is simply T. Note that the post-condition of DHq matches the pre-condition of CR. We can therefore compose the two formulas by applying the composition rule CI (step 4). The resulting formula is:

ISO-9798-3 (auth.) : T h [InitDHo ; InitCR ]A<pauth

The result of composing the two roles is that the freshly generated Diffie-Hellman exponential is substituted for the nonce in the challenge-response cord. The resulting role is precisely the initiator role of the ISO-9798-3 protocol. The formula above states that the mutual authentication property of CE is preserved by the composition process assuming that the environmental invariants in T are still satisfied. Finally, using the honesty rule, it is easily proved that DHq respects the environmental invariants in T (step 5). Therefore, by applying the composition rule C2, we conclude that the sequential composition of DHq and CR, which is ISO-9798-3 , respects the invariants in T. This completes the composition proof for the mutual authentication property.

The other main step involves proving that the secrecy property of DHq is preserved by CR, since the CR protocol does not reveal the Diffie-Hellman exponents.

DHq : h [Init[)jjo]yi HasAlone(A, o.)

CR' : h HasAlone(A, a) [InitCR'U HasAlone(A, a)

Here, CR' is the same protocol as CR except that ga is substituted for the nonce m. Therefore, by applying the composition rule CI again, we have the secrecy condition for the ISO-9798-3 protocol:

ISO-9798-3 (secrecy) : h [InitDHo ! InitcR]^ HasAlone(A, a)

Since the set of environment invariants is empty, steps 3 and 5 follow trivially. The rest of the proof uses properties of the Diffie-Hellman method of secret compu-

tation to prove the following logical formula:

ISO-9798-3 (shared-secret) : [InitDHo; InitcR^ Honest(B) D {n = gbo A Has{A,gabo) A {Has{X,gabo) D (.X = A V X = B)))

Intuitively, the property proved is that if B is honest, then A and B are the only people who know the Diffie-Hellman secret gab. In other words, the ISO-9798-3 protocol can be used to compute an authenticated shared secret. The complete proof is presented in Table ?? in Appendix ??. It requires another invariant (line (3)) capturing the intuition that the honest agents sign Diffie-Hellman exponentials only

Example 6.2 The NSL Protocol

The 7 message NSL protocol can be proved correct by sequential composition of two protocols, which we refer to as NSL-init and NSL-base . By running NSL-init, a principal obtains the public key certificate of a peer from the server. If a principal possesses a peer's public key certificate, she can run NSL-base with him and set up an authenticated shared secret. In our formalism, the postcondition of NSL-init is that the principal knows a peer's public key certificate. Also, with a precondition capturing the same property, NSL-base has a postcondition stating that the two principals possess a shared secret. Thus, the two protocols can be composed using the composition rule CI. The resulting protocol is NSL . Moreover, it can be proved that the two protocols respect each other's invariants, allowing us to conclude that the NSL protocol can be used to set up a shared secret. A part of this proof appears in [9].

Example 6.3 Parallel Composition of ISO-9798-3 and NSL

Since ISO-9798-3 and NSL respect each other's invariants, their parallel composition can also be proved secure using our formalism. The main insight from this proof is that if the authenticators of two protocols (which are individually secure) cannot be confused with each other, then their composition is secure. Disjoint encryption, which has been suggested as a design principle to avoid insecure interaction between protocols [4,12], appears to be a special case of this more general principle.

7 Related Work

Early work on the protocol composition problem concentrated on designing protocols that would be guaranteed to compose with any other protocol. This led to rather stringent constraints on protocols: in essence, they required the fail-stop property [11] or something very similar to it [14]. Since real-world protocols are not designed in this manner, these approaches did not have much practical application.

More recent work has therefore focussed on reducing the amount of work that is required to show that protocols are composable. Meadows, in her analysis of the IKE protocol suite using the NRL Protocol Analyzer [27], proved that the different sub-protocols did not interact insecurely with each other by restricting attention to only those parts of the sub-protocols, which had a chance of subverting each other's security goals. Independently, Thayer, Herzog and Guttman used a similar insight to develop a technique for proving composition results using their strand space model [36]. Their technique consisted in showing that a set of terms generated by one protocol can never be accepted by principals executing the other protocol. The techniques used for choosing the set of terms, however, is specific to the protocols in [10]. A somewhat different approach is used by Lynch [18] to prove that the composition of a simple shared key communication protocol and the Diffie-Hellman key distribution protocol is secure. Her model uses I/O automata and the protocols are shown to compose if adversaries are only passive eavesdroppers.

In a recent paper [4], Canetti, Meadows and Syverson, revisit the protocol composition problem. They show how the interaction between a protocol and its environment can have a major effect on the security properties of the protocol. In particular, they demonstrate a number of attacks on published and widely used protocols that are not feasible against the protocol running in isolation but become feasible in some environments. The main question that this study leaves open is: how should the environment be constrained so that it does not subvert the security goals of a protocol? The authors put forward some rules of thumb that could be useful in answering this question. Of these, at least two can be justified using our formalization. The first of these states that the environment should not use keys or other secrets in unaltered form. Specifically, the protocol under consideration should not encrypt messages with a key used to encrypt messages by any protocol in its environment. The reason this makes sense is that if two protocols use a particular form of encrypted message as a test to authenticate a peer, then the attacker might be able to make a principal running the first protocol accept a message which actually originated in a run of the second protocol. In our formalism, the environmental invariant for the protocol under consideration would fail to hold in such an environment, and the composition proof would therefore not go through. We note that this principle has been followed in the design of real-world protocols like IKE [13]. Also, Guttman and Fabrega have proved a theoretical result to the same effect in their strand space model [12]. The other rule of thumb (also recommended by Kelsey, Schneier and Wagner in [16]), is the use of unique protocol identifiers to prevent a message intended for use in one protocol to be mistaken for use in another protocol. This rule can also be similarly justified.

8 Conclusions

A modular approach towards construction and analysis of systems, which is often seen in other areas of computer science, does not seem to work very easily in computer security. The main problem is that systems which are individually secure

might lose their security when they are put together because of the way they interact with each other. In this paper, we have presented a methodology for modular reasoning about security protocols. While doing so, we have addressed two basic problems: (a) how do you construct a protocol from smaller sub-protocols? (b) how do you prove that two protocols which are individually secure are also secure while running concurrently? In our formalism, we use before-after assertions to address the first problem and protocol invariants to address the second. The use of the methodology is illustrated by presenting modular proofs involving practical protocols, ISO-9798-3 and NSL . This formalism also justifies some design principles which have been used by protocol designers in the construction of real-world protocols (e.g. IKE) and submuses some previous work in the formal methods community on the protocol composition problem. Future work would include a deeper investigation of the limits and applicability of this method and its connection with other approaches for reasoning about correctness of protocols. Also, it would be an interesting challenge to automate the proof system.

References

[1] M. Abadi and A. Gordon. A calculus for cryptographic protocols: the spi calculus. Information and Computation, 148(1):1—70, 1999. Expanded version available as SRC Research Report 149 (January 1998).

[2] M. Bellare and P. Rogaway. Entity authentication and key distribution. In Advances in Cryprtology -Crypto '93 Proceedings. Springer-Verlag, 1994.

[3] G. Berry and G. Boudol. The chemical abstract machine. Theoretical Computer Science, 96:217—248, 1992.

[4] R. Canetti, C. Meadows, and P. Syverson. Environmental requirements for authentication protocols. In

Proceedings of Software Security - Theories and Systems, Mext-NSF-JSPS International Symposium, ISSS, LNCS 2609, pages 339-355. Springer-Verlag, 2003.

[5] A. Datta, A. Derek, J. C. Mitchell, and D. Pavlovic. A derivation system for security protocols and its logical formalization. In Proceedings of 16th IEEE Computer Security Foundations Workshop, pages 109-125. IEEE, 2003.

[6] W. Diffie and M. E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, IT-22(6):644-654, 1976.

[7] W. Diffie, P. C. Van Oorschot, and M. J. Wiener. Authentication and authenticated key exchanges. Designs, Codes and Cryptography, 2:107-125, 1992.

[8] D. Dolev and A. Yao. On the security of public-key protocols. IEEE Transactions on Information Theory, 2(29), 1983.

[9] N. Durgin, J. C. Mitchell, and D. Pavlovic. A compositional logic for protocol correctness. In Proceedings of 14th IEEE Computer Security Foundations Workshop, pages 241-255. IEEE, 2001.

[10] F. J. T. Fabrega, J. C. Herzog, and J. D. Guttman. Strand spaces: Why is a security protocol correct? In Proceedings of the 1998 IEEE Symposium on Security and Privacy, pages 160-171, Oakland, CA, May 1998. IEEE Computer Society Press.

[11] L. Gong and P. Syverson. Fail-stop protocols: An approach to designing secure protocols. Dependable Computing for Critical Applications, 5:79-100, 1998.

[12] J. Guttman and F. J. T. Fabrega. Protocol independence through disjoint encryption. In Proceedings of 13th IEEE Computer Security Foundations Workshop, pages 24-34. IEEE, 2000.

[13] D. Harkins and D. Carrel. The Internet Key Exchange (IKE), 1998. RFC 2409.

[14] N. Heintze and J. D. Tygar. A model for secure protocols and their composition. IEEE Transactions on Software Engineering, 22(1):16-30, January 1996.

IEEE. Entity authentication mechanisms — part 3: Entity authentication using asymmetric techniques. Technical report ISO/IEC IS 9798-3, ISO/IEC, 1993.

J. Kelsey, B. Schneier, and D. Wagner. Protocol interactions and the chosen protocol attack. In

Proceedings of the International Workshop on Security Protocols, April 1997.

G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using CSP and FDR. In

2nd International Workshop on Tools and Algorithms for the Construction and Analysis of Systems. Springer-Verlag, 1996.

N. Lynch. I/O automata models and proofs for shared-key communication systems. In Proceedings of 12th IEEE Computer Security Foundations Workshop, pages 14-29. IEEE, 1999.

Z. Manna and A. Pnueli. Temporal, Verification of Reactive Systems: Safety. Springer-Verlag, 1995.

H. Mantel. On the Composition of Secure Systems. In Proceedings of the IEEE Symposium on Security and Privacy, pages 88-101, Oakland, CA, USA, May 12-15 2002. IEEE Computer Society.

D. McCullough. Noninterference and the composability of security properties. In Proceedings of the IEEE Symposium on Security and Privacy, pages 177-186, Oakland, CA, USA, May 1988. IEEE Computer Society.

D. McCullough. A hookup theorem for multilevel security. IEEE Transactions on Software Engineering, 16(6):563-568, 1990.

J. McLean. Security models and information flow. In Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 1990. IEEE Computer Society.

J. McLean. A general theory of composition for a class of "possibilistic" properties. IEEE Transactions on Software Engineering, 22(1):53-67, 1996.

C. Meadows. A model of computation for the NRL protocol analyzer. In Proceedings of 7th IEEE Computer Security Foundations Workshop, pages 84-89. IEEE, 1994.

C. Meadows. The NRL protocol analyzer: An overview. Journal of Logic Programming, 26(2):113-131, 1996.

C. Meadows. Analysis of the Internet Key Exchange protocol using the NRL protocol analyzer. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE, 1998.

A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.

R. Milner. Action structures. LFCS report ECS-LFCS-92-249, Department of Computer Science, University of Edinburgh, JCMB, The Kings Buildings, Mayfield Road, Edinburgh, December 1992.

R. Milner. Action calculi and the pi-calculus. In NATO Summer School on Logic and Computation, Marktoberdorf, November 1993.

R. Milner. Communicating and Mobile Systems: The n-Calculus. Cambridge University Press, Cambridge, U.K, 1999.

R.M. Needham and M.D. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993-999, 1978.

D. Pavlovic. Categorical logic of names and abstraction in action calculi. Math. Structures in Comp. Sci., 7(6):619-637, 1997.

D. Peled. Software Reliability Methods. Springer-Verlag, 2001.

P. Syverson and C. Meadows. A formal language for cryptographic protocol requirements. Designs, Codes and Cryptography, 7(1-2):27-59, 1996.

F. J. Thayer, J. C. Herzog, and J. D. Guttman. Mixed strand spaces. In Proceedings of 12th IEEE Computer Security Foundations Workshop. IEEE, 1999.

T. Y. C. Woo and S. C. Lam. A semantic model for authentication protocols. In Proceedings IEEE Symposium on Research in Security and Privacy, 1993.

A Cord Calculus

Cord calculus is the formalism we use to represent protocols. The main concepts are collected in this section.

A.l Terms, Actions, Strands and Cords

The terms t are built starting from the variables x and the constants c. Moreover, the set of basic terms also contains the names N, which can be variables X, Y, Z, or constants А, В, C, and keys К which can be variables у and constants k. Upon these basic sets, the term language is then generated by some given constructors p, which always include tupling, the public key encryption {|i|}к of the term t by the key K, and the signature over the term t with the private key K. The

language of actions is then built upon the terms by further constructors. They include sending a term (t), receiving into a variable (x), matching a term against a pattern (t/q(x)), and creating a new value (их). A strand is a list of actions. The idea is that they should be the subsequent actions of a single role in a protocol. For example, the strand \{vx){x)\ represents a role in which a principal generates x and then sends out a message containing the freshly generated value. Since some actions of a role may be mutually independent, they can in principle be executed in any order. Different strands can thus be semantically equivalent. A cord is an equivalence class of behaviorally indistinguishable strands. We use the word process to refer to a principal executing an instance of a role. Table A.l summarizes the formal definition of cords. In addition to the sequence of actions, a cord has an input interface and an output interface. As the name suggests, the output interface represents the output of that cord. The input interface is used to provide initial data to a cord. These input parameters (called static parameters) can represent data known apriori (e.g. signing key) or data that becomes known by executing another cord via its output interface.

A.2 Cord Spaces and Runs

A cord space is a multiset of cords that may interact via communication. We use О for multiset union and [ ] for the empty multiset. The runs of a protocol arise as reaction sequences of cord spaces. The basic reactions within a cord space are shown in Table A.2, with the required side conditions for each reaction shown below them. The substitution (t/x) is assumed to act on the strand left of it, viz S'. As usual, it is assumed that no free variable becomes bound after substitution, which can always be achieved by renaming the bound variables. Reaction (A.l) is a send and receive interaction, showing the simultaneous sending of term t by the first, cord, with the receiving of t into variable x by the second cord. We call this an external action because it. involves an interaction between two cords. The other reactions all take place within a. single cord. We call these internal actions. Reaction (A.2) is a. basic pattern match action, where the cord matches the pattern p(t) with the expected pattern p(x), and substitutes t for x. Reaction (A.3) is a. decryption pattern match action, where the cord matches the pattern {|j9(i)|}.y with the decryption pattern {Ь(ж)|}? and substitutes t for x. Reaction (A.4) is a. signature verification pattern match action. Finally, reaction (A.5) shows the binding action where the cord creates a. new value that doesn't, appear elsewhere in the cordspace, and substitutes that value for x in the cord to the right.. The intuitive motive for the condition

(names) N : ::= X variable name

À constant name

(basic keys) Ko : ::= k constant key

y variable key

N name

(keys) K : ::= K0 basic key

K~o inverse key

(role id) rj : ::= s variable role-id

c constant role-id

(process) P : ::= N, r]

(terms) t : ::= x variable term

c constant term

N name

1 session id

t,t tuple of terms

{|Î|}A- term encrypted with key K

{lillir term signed with key K

(actions) a : ::= e the null action

(t) send a term t

(x) receive term into variable x

(ux) generate new term x

{t/q{x i,. .., xn)) match term t to pattern <7(0:1,..., xn)

(basic terms) b : ::= x c \ N \ K basic terms allowed in patterns

(basic patterns) P : ::= b,...,b tuple pattern

(patterns) q : ::= p basic pattern

{bllir decryption pattern

Wk signature verification pattern

(strands) S : ::= aS a

Table A.l

Syntax of terms, actions and strands

[S{x)S'] O [T(t)T'] O C » [SS'(i/z)] O [TT'] O C (A.l)

[5 (p(t)/p(x)) S'] O C » [SS'(i/a:)] O C (A.2)

(MWv/Mx)h) S'] O C» [SS'(i/z)] O C (A.3)

({b(i)IWMi)|},) 5'] O C» [55'] O C (A.4)

[S(i/aOS'] OC» [55'(m/a;)] O C (A.5)

Where the following conditions must be satisfied: (A.l) FV(t) = 0 (A.2) FV(t) = 0 (A.3) FV(t) = 0 and y bound (A.4) FV(t) = 0

(A.5) x £ FV(S) and m £ FF(C) U FF(S) U FF(S')

Table A.2 Basic reaction steps

FV(t) = 0 should be clear: a term cannot be sent, or tested, until all of its free variables are instantiated.

A.3 Protocols

A protocol is defined by a finite set of roles, such as initiator, responder and server, each representing the actions of a participant in a protocol session. In representing protocol roles by cords, it is useful to identify the principal who carries out the role. Also, since the same principal might engage in multiple sessions in the same role (e.g., principal A might be the initiator in two sessions at the same time), associating a role-id with the cord allows us to distinguish between the actions carried out in the different sessions. A principal executing an instance of a role is referred to as a process.

The protocol intruder is capable of taking any of several possible actions, including receiving a message, decomposing it into parts, decrypting the parts if the key is known, remembering parts of messages, and generating and sending new messages. This is the standard "Dolev-Yao model", which appears to have developed from positions taken by Needham and Schroeder [32] and a model presented by Dolev and Yao [8]. A run of a protocol is a sequence of reaction steps from an initial configuration. An initial configuration is determined by a set of principals, a subset of which are designated as honest, a cord space constructed by assigning one or more roles to each honest principal, and an intruder cord that may use only the secret keys of dishonest principals. A particular initial configuration may give rise to many possible runs. Intuitively, a protocol has a property if in all runs of the protocol arising from all possible initial configurations, that property is preserved.

B Semantics of Protocol Logic

The formulas of the logic are interpreted over runs, which are finite sequences of reaction steps from an initial configuration. An equivalent view, consistent with the execution model used in defining Linear Temporal Logic (LTL) semantics, is to think of a run as a linear sequence of states. Transition from one state to the next is effected by an action carried out by some principal in some role. A formula is true in a run if it is true in the last state of that run.

The main semantic relation, Q, R \= (p, may be read, "formula <fi holds for run R of protocol Q." If Q is a protocol, then let Q be the set of all initial configurations of protocol Q, each including a possible intruder cord. Let Runs(Q) be the set of all runs of protocol Q with intruder, each a sequence of reaction steps within a cord space. If (f) has free variables, then Q,R \= <fi if we have Q, R |= a<p for all substitutions a that eliminate all the free variables in q\ We write Q \= <fi if Q,R\= (/) for all R € Runs(Q).

In presenting the inductive definition of Q,R \= <fi below, for 0 without free variables, we use the following notation to describe a reaction step of cord calculus:

EVENT(R, X, P, n, x) =

(([SPS'lx O C > > [55'(n/®)].Y O C') € R)

In words, EVENT(R,X,P,n,x) means that in run R, process X executes actions P, receiving data n into variables x, where n and x are the same length. We use the notation LAST(R,X,P,n,x) to denote that the last event of run R is EVENT(R, X, P, n, x).

Action Formulas:

• Q, R |= Send(A, m) if LAST(R, A, (m), 0,0).

• Q,R |= Receive(A, m) if LAST(R, A, (x), m, x).

• Q, R |= New(A, m) if LAST(R, A, (vx), m, x).

• Q, R |= Decrypts, {[m\}K) if Q, R \= Has(A, {[m\}K)

A LAST(R, A, ({\m]}K/{\x\}w), m, x) Note: Decrypt(A, n) is false if n / {|m|}k for some m and K.

• Q, R |= Verify(A, flm}^) if Q, R 1= Has(A, {|m|}^)

AQ,R\= Has(A, m) AQ,R\= Has(A, K) A LAST(R, A, ({\m\}^/{\m]}K), 0,0) Note: Verify(A, n) is false if n / for some m and K.

Other Formulas:

• Q,R |= Has(A, m) if there exists an i such that HaSi(A, m) where Hasj is defined by induction on j as follows:

(Has0(A, m) if ((m € FV(R\A)) V EVENT(R, A, (vx),m, x)

V EVENT(R, A, (x),m,x) and HaSi+i(A, m) if (HaSj(A, m')

A ((m/ = MWk Am = t

A EVENT(R, A, (m'/Mv) Ilk),*, y))

V (m/ = A m = i

A EVENT(R,A,(m'/p(y)),t,y)))) V(HaSi(A, m') A Has^A, m")

A ((m = m/, m") V (m = m", m/))) V(Hasi(A, m') A Has^A, K)

A m = {| m/|}A') V(HaSi(A,a) A Has^A,/)

A m = gab) \J(HaSi(A,gab) Am = gba) Intuitively, Haso holds for terms that are known directly, either as a free variable of the role, or as the direct result of receiving or generating the term. Hasj+i holds for terms that are known by applying i operations (decomposing via pattern matching, composing via encryption or tupling, or by computing a Diffie-Hellman secret) to terms known directly.

• Q, R |= Fresh(A, m) if Q,R |= ( New(A, m) V( New(A, n) Am = g(n)))A~>( Send(A, m')A m ç m').

• Q, R |= Honest(A) if A G HONEST(C) in initial configuration C for R.

• Q, R |= Contains(ii, ¿2) if t'2 Ç:v ti- t'2 is a visible subterm of ii, ¿2 ^v 11, if ¿2 Ç ti and it. is not. the case that all occurrences of ¿2 in ti axe as parameters of one-way functions. For example, n g(n). The only one-way function that we consider here is the Diffie-Hellman exponentiation function, g(x).

• Q,R 1= A (f)2) if Q, R |= (pi and Q, R |= fa

• Q, R |= -.0 if Q, R ¥= <t>

• Q,R |= 3x.<p if Q, R |= (d/x)<p, for some d, where (d/x)<p denotes the formula, obtained by substituting d for x in <p.

• Q, R |= (p if Q, R' |= (p, where R' is a. (not. necessarily proper) prefix of R. Intuitively, this formula, means that in some state in the past., formula, (p is true.

• Q, R |= (p if Q, R' |= (p, where R = R'e, for some event, e. Intuitively, this formula, means that (p is true in a. state if (p is true in the previous state.

Modal Formulas:

• Q,R |= (pi [P]a </>2 if R = R0R1R2, for some Ro, Ri and R2, and either P does not. match Ri\a or P matches Ri\a and Q,Ro \= (?(p 1 implies Q,RqRi \= &<p2, where a is the substitution matching P to -RiU-

• Q,R |= [P]a4> if R = R1R2, for some Ri and R2, and either P does not. match Ri\a or P matches Ri\a and Q,Ri \= a(f), where a is the substitution matching P to Ri\A-

Note: The semantics of Q, R \= [P]a <P can be expressed in terms of the semantics

of Q, R |= <t>\ [P]a 4>2 by setting <f>\ to true and requiring that Ro be empty Semantic Entailment:

• T |= (f) if Q |= T implies Q \= <fi. T denotes a set of formulas. Intuitively if in every run of Q all the formulas in T are true, then in every run of Q, formula <fi is also true.

C Soundness of Temporal Ordering and Composition Rules

In this section, we prove the soundness of the composition rules and some of the temporal ordering rules. The soundness proof of the rest of the proof system is quite similar to our previous work [9].

Axiom AF3 states that if a process X creates a fresh value n and then sends out a message containing it as a subterm, then any action carried out by any other process which involves n (e.g. if Y receives a message containing n inside a signature), happens after the send action. Assume that X / Y. n C m, a2 and

Q |= Fresh(A>,)[(»*№ (</> ^ a2(Y)). (C.l)

We need to show that

Q |= Fresh (A", n)[(m)P]x (<t> => After(Send(X, m), a2)). (C.2)

Let R = RqR\R2 be a run of Q such that R\ matches (m)P under substitution a and Q, Ro |= Fresh (A", n). We need to prove that

Q, RoRi |= a{<j> D After(Send(X, m), a2)). (C.3)

When Q, RqRi \= a-up then C.3 holds trivially On the other hand, when Q, RqRi \= <j(f), it follows from C.l that Q,RqRi \= a2(Y). In this case C.3 follows from the semantics of formulas Fresh (a, m) and a2 (Y).

Axiom AF4 is similar except for the fact, that the roles of X and Y are reversed. Soundness of AF4 can be easily verified, using the same reasoning as in the proof of soundness for AF3.

The weakening rule W states that a. formula. <fi which is provable from a. set. of hypotheses, T, remains provable if additional formulas are added to the set. of hypotheses. This rule is trivially sound since T \= (f) implies T U r' |= (f).

The protocol composition rule CI gives us a. way of sequentially composing two roles P and P' when post-condition of P, matches the pre-condition or P'. Assume that Q is a. protocol and T is the set. of formulas such that T \= <fii[P]A<j>2 and F |= <№'U</>3- We need to prove that T \= </>i[P;P'U</>3- When Q ^ T this is trivially true. Assume that Q \= T, now it. has to be that Q \= 4>i[P]a4>2 arid Q 1= 4>2[P']a4>3- Let. R = RqR\R2 be a. run of Q such that R\ matches P;P'\a under substitution a and Q, Ro \= a<f)\. Run R can be written as R — RoR^R^R^