Available online at www.sciencedirect.com

V ScienceDirect

Electronic Notes in Theoretical Computer Science 186 (2007) 49-65

www.elsevier.com/locate/entcs

Explicit Randomness is not Necessary when Modeling Probabilistic Encryption1

Véronique Cortier Heinrich Hordegen Bogdan Warinschi

Loria/CNRS UMR 7503 & INRIA Lorraine projet Cassis & Université Henri-Poincaré & INPL

Lorraine, France {cortier, hordegen, warinsch}@loria.fr

Abstract

One of the most popular abstraction used in security analysis uses abstract, symbolic terms to model the bit strings sent over the network. However, the high level of abstraction blurs the significance of proofs carried out in such models with respect to real executions. In particular, although good encryption functions are randomized, most existing symbolic models for security do not capture explicitly the randomization of ciphertexts.

On the other hand, recent results relating symbolic models with cryptographic models require symbolic models where the randomization of ciphertexts is captured explicitly (through the use of labels attached to symbolic ciphertexts). Since little to no tool support exists for the resulting label-based models it may seem necessary to extend the decision procedures and the implementation of existing tools from the simpler models to the models that use labels.

In this paper we put forth a more practical alternative. We show that for a large class of security properties (that includes rather standard formulations of secrecy and authenticity), security of protocols with respect to the simpler model implies security in the model that uses labels. Combined with the computational soundness result of [4], our theorem enables the translation of security results obtained in symbolic models that do not use labels to standard computational security. Based on these results, we have recently implemented an AVISPA module for verifying security properties in a standard cryptographic model.

Keywords: Probabilistic encryption, security models, protocol verification, secrecy, authentication.

1 Introduction

Designers of mathematical models for computational systems need to find appropriate trade-offs between two seemingly contradictory requirements. Automatic verification (and thus usability) typically requires a high level of abstraction whereas prediction accuracy requires a high level of details. From this perspective, the use of symbolic models for security analysis is particularly delicate since it seems that the inherent high level of abstraction at which such models operate is not able to capture all aspects that are relevant to security. This paper is concerned with

1 Work partially supported by the ACI Jeunes chercheurs and the ARA SSIA FormaCrypt.

1571-0661/$ - see front matter © 2007 Elsevier B.V. All rights reserved. doi:10.1016/j.entcs.2006.11.044

one particular such aspect, namely the use of randomization in the construction of cryptosystems [5].

A central feature of the computational, complexity-based models is the ability to capture and reason explicitly about the use of randomness. Moreover, randomness is essential to achieve any meaningful notion of security for encryption. In contrast, symbolic models rarely represent randomness directly. For example, a typical representation for the encryption of message m under the public key of entity B is the term {m}ek(B). Notice that the symbolic representation does not capture the dependency on the randomness used to generate this ciphertext. While this abstraction may be sufficiently accurate in certain settings [11], in some other settings it is not sufficient.

Consider the following flow in some toy protocol:

A ^ B : {m}ek(B), {{m}ek(B)}ek(B)

To implement this flow, each occurrence of {m}ek(B) is mapped to a ciphertext. Notice however that the pictorial description does not specify if the two occurrences of {m}ek(B) are equal (created with identical randomness) or different (created with different randomness). In rich enough protocol specification languages disambiguating constructs as above can be easily done. For instance, in a language that has explicit assignments, the two different interpretation for the first message of the protocol can be obtained as

x := {m}ek(B); send(x, Mek(B)) and Send ({m}ek(B), {{m}ek(B)}ek(B)).

Here, each distinct occurrence of {m}ek(B) is interpreted with different randomness. Other approaches adopt a more direct solution and represent the randomness used for encryption explicitly [6,1,10,4]. If we write {m^^B) for the encryption of m under the public key of B with randomness l, the two different interpretations of the flow are:

send({m}ek(B), {{m}ek(B)^(B)) and send({m}ek(B), Um^B)}%b))

A model that employs labels to capture the randomness used in ciphertexts (and signatures) has recently been used to establish soundness of symbolic analysis with respect to computational models [4]. Their results are based on an emulation lemma: for protocol executions, every computational trace can be mapped to a valid symbolic trace. The mapping is then used to translate security properties that hold in the symbolic model to computational analogues. Note that the use of labels is necessary even when there is no explicit repetition of cyphertexts to distinguish for example the encrypted messages generated by the agents from those generated by the adversary.

The next step towards making the soundness result relevant to practice is to carry out the security proofs using some (semi-)automated tools for the symbolic model. However, to the best of our knowledge, none of the popular tools (ProVerif [3],

CASPER [8], Athena [13], AVISPA [2]), offers capabilities for automatically reasoning in models that use labels. There are at least two solutions to this problem. One possibility is to enhance the symbolic models that underlie existing tools. Unfortunately such a modification would probably require significant effort that involves adapting existing decision procedures, proving their correctness, and verifying and modifying thousands of lines of code.

In this paper we put forth and clarify an alternative solution, used implicitly in [4]. The idea is to keep existing tools unchanged, use their underlying (unla-beled) model to prove security properties, and then show that the results are in fact meaningful for the model with labels. The main result of this paper is to prove that for a large class of security properties the approach that we propose is indeed feasible.

Results.

We consider the protocol specification language and the execution model developed in [4]. The language is for protocols that use random nonces, public key encryption and digital signatures, and uses labels to model the randomness used by these primitives. To each protocol n with labels, we naturally associate a protocol n obtained by erasing all labels, and extend the transformation to execution traces. To each trace tr of II we associate a trace tr obtained by erasing labels and we extend this mapping to sets of traces. The first contribution of this paper is a proof that the transformation is sound. More precisely we prove that if tr is a valid trace of II (obtained by Dolev-Yao operations) then tr is a valid trace of II. Importantly this result relies on the fact that the specification language that we consider does not allow equality tests between ciphertexts. We believe that a similar result holds for most (if not all) protocol specification languages that satisfy the above condition. The language for specifying protocols (with and without labels) as well as the relation between their associated execution models are in Section 2.

In Section 3 we give two logics, Li and Li, that we use to express security properties for protocols with and without labels, respectively. Informally, the formulas of Li are obtained by removing the labels from formulas of Li. Both logics are quite expressive. For example, it can be used to express standard formulations for secrecy and authenticity properties.

Next we focus our attention on translating security properties between the two models. First, notice that the mapping between the model with and that without labels is not faithful since it looses information regarding inequality of ciphertexts. To formalize this intuition we give a protocol II and a formula (j) such that II satisfies 0 (the formula that corresponds to 0 in the model without labels), but for which n does not satisfy 0. Anticipating, our example indicates that the source of problems is that 0 may contain equality tests between ciphertexts, and such tests may not be translated faithfully. The counterexample is in Section 4.

The main result of the paper is a soundness theorem. We show that for a large class of security properties it is possible to carry out the proof in the model without labels and infer security properties in the model with labels. More precisely, we

identify L2 and L2, fragments of L\ and Li respectively, such that the following theorem holds.

Consider an arbitrary protocol II and formula hi Let be a formula in L2 obtained by erasing the labels that occur in Then, it holds that:

IT M n 1= <P

The logics L2 and L2 are still expressive enough to contain the secrecy and authentication formulas. The theorem and its proof are in Section 4.

Based on our result, we implemented an AVISPA module [2] that is used to obtain computationally sound automatic proofs and used it to validate the protocols in the AVISPA library. The results of our experiments are described in Section 5.

2 Protocol

In this section we provide the syntax of protocols with labels. The presentation is adapted from [4]. The specification language is similar to the one of Casrul [12]; it allows parties to exchange messages built from identities and randomly generated nonces using public key encryption and digital signatures. Protocols that do not use labels are obtained straightforwardly.

2.1 Syntax

Consider an algebraic signature £ with the following sorts. A sort ID for agent identities, sorts SKey, VKey, EKey, DKey containing keys for signing, verifying, encryption, and decryption respectively. The algebraic signature also contains sorts Nonce, Label, Ciphertext, Signature and Pair for nonces, labels, ciphertexts, signatures and pair, respectively. The sort Label is used in encryption and signatures to distinguish between different encryption/signature of the same plaintext. The sort Term is a supersort containing all other sorts, except SKey and DKey. There are nine operations: the four operations ek, dk, sk, vk are defined on the sort ID and return the encryption key, decryption key, signing key, and verification key associated to the input identity. The two operations ag and adv are defined on natural numbers and return labels. As explained in the introduction, the labels are used to differentiate between different encryptions (and signatures) of the same plaintext, created by the honest agents or the adversary. We distinguish between labels for agents and for the adversary since they do not use the same randomness. The other operations that we consider are pairing, public key encryption, and signing.

We also consider sets of sorted variables X = X.nUX.aUX.cUX.s and X1 = XuX.l. Here, X.n, X.a, X.c, X.s, X.l are sets of variables of sort nonce, agent, ciphertext, signature and labels, respectively. The sets of variables X.a and X.n are as follows. If k £ N is some fixed constant representing the number of protocol participants, w.l.o.g. we fix the set of agent variables to be X.a = {Ai,A2,...,Ak}, and partition the set of nonce variables, by the party that generates them. Formally: X.n = UAeX.«Xn(A) and Xn(A) = {XJA | j £ N}. This partition avoids to specify later, for

each role, which variables stand for generated nonces and which variables stand for expected nonces.

Labeled messages that are sent by participants are specified using terms in Tl L ::= X.l | ag(i) | adv(i)

Tl ::= X | a | ek(a) | dk(a) | sk(a) | vk(a) | n(a,j,s)

I (Tl ,T> | {Tl}Lk(a) | [Tl]sk(a)

where i, j, s G N and a G ID.

Unlabeled messages are specified similarly as terms in the algebra T defined by

T ::= X | a | ek(a) | dk(a) | sk(a) | vk(a)

| n(a,j, s) | (T ,T> | {T}ek(a) | [T]sk(a)

where j, s G N and a G ID.

A mapping 7 : Tl —► T from labeled to unlabeled terms is defined by removing the labels: {k}lm = {k}m, [k]lm = \k]m, f(h,... ,tn) = f(t7,... otherwise. The mapping function is extended to sets of terms as expected.

The individual behavior of each protocol participant is defined by a role that describes a sequence of message receptions/transmissions. A k-party protocol is given by k such roles.

Definition 2.1 [Labeled roles and protocols] The set Rolesl of roles for labeled protocol participants is defined by Rolesl = (({init} U Tl) x (Tl U {stop}))*. A k-party labeled protocol is a mapping n : [k] ^ Rolesl, where [k] denotes the set {1, 2,...,k}.

Unlabeled roles and protocols are defined very similarly. The mapping function is extended from labeled protocols to unlabeled protocols as expected.

We assume that a protocol specification is such that n(j) = ((lj,rj), (lj,rj), ...), the j'th role in the definition of the protocol being executed by player Aj. Each sequence ((li ,ri), (l2 ,r2),...) G Rolesl specifies the messages to be sent/received by the party executing the role: at step i, the party expects to receive a message conforming to li and returns message r^. We wish to emphasize that terms lj, rj are not actual messages, but specify how the message that is received and the message that is output should look like.

Example 2.2 The Needham-Schroeder-Lowe protocol [7] is specified as follows: there are two roles n(1) and n(2) corresponding to the sender's and receiver's role.

A ^ B : {Na,A}ek(B) B ^ A : {Na,Nb,B}ek(A) A ^ B : {Nb}ek(B)

n(i) = (init, {XA! ), ({XA! ,xA 2 ,A2}eLk(Al), {XA 2 ))

n(2) = ({XA1 ,A1 }ek(A2), {XA1 A ^S)) ({XA 2 }Lk2(A2), stop)

Clearly, not all protocols written using the syntax above are meaningful. In particular, some protocols might be not executable. This is actually not relevant for our result (our theorem also holds for non executable protocols).

2.2 Execution Model

We define the execution model only for labeled protocols. The definition of the execution model for unlabeled protocols is then straightforward.

If A is a variable or constant of sort agent, we define its knowledge by kn(A) = {dk(A), sk(A)}uX.n(A), i.e. an agent knows its secret decryption and signing key as well as the nonces it generates during the execution. The formal execution model is a state transition system. A global state of the system is given by (SId,f,H) where H is a set of terms of T1 representing the messages sent on the network and f maintains the local states of all session ids SId. We represent session ids as tuples of the form (n, j, (ai ,a2,...,afc)) £ (N x N x IDk), where n £ N identifies the session, a1,a2,...,a;£ are the identities of the parties that are involved in the session and j is the index of the role that is executed in this session. Mathematically, f is a function f : SId ^ ([X ^ T1] x N x N), where f (sid) = (a, i,p) is the local state of session sid. The function a is a partial instantiation of the variables occurring in role n(i) and p £ N is the control point of the program. Three transitions are allowed.

• (SId,f,H) co rruPt (a 1 ■ .. (SId,f, U1<J</kn(aj) U H). The adversary corrupts parties by outputting a set of identities. He receives in return the secret keys corresponding to the identities. It happens only once at the beginning of the execution. We focus on static corruption because the soundness result using explicit labels in [4] only considers this kind of corruption. However, in our formal context, our reduction result should be easily extended to the case of adaptive corruption (when agents are corrupted at any time during the execution) since we can map traces with dynamic corruption to traces where all corrupted agents are so at the beginning.

• The adversary can initiate new sessions: (SId,f,H) "KW -1 '"(SId',f',H') where H', f' and SId' are defined as follows. Let s = |SId| + 1, be the session identifier of the new session, where |SId| denotes the cardinality of SId. H' is defined by H' = H and SId' = SId U {(s,i, (a1,...,ak))}. The function f' is defined as follows.

■ f'(sid) = f (sid) for every sid £ SId.

S hl mi S hl m2 S M (mi ,m2)

S hl ek(b) S hl m

S M b, ek(b), vk(b) S M (mi ,m2)

b G X.a

s ^ war

i G {1, 2}

S ^ {m}ekrè) S hl dk(b)

S hl mi

}ek(b)

' ek(b)

S M sk(b) S M m

S ^ [m]Sk(b)

S ^ [m]^

Fig. 1. Deduction rules.

Initial knowledge

Pairing and un-pairing

Encryption and decryption

Signature

f '(s, i, (ai ,...,ak)) = (a, i, 1) where a is a partial function a : X ^ T1 and:

1 < j < k

^(Xu)= n(ai,j,s) j G N

We recall that the principal executing the role n(i) is represented by Ai thus, in that role, every variable of the form X^. represents a nonce generated by Ai.

The adversary can send messages: (SId,f,H) (SId

SId, m G Tl, H', and f' are defined as follows. We define f '(sid'

',H') where sid G f (sid') for

((1j,rj),...,(/{.)). f(sid) = (a,j,p) for

every sid' = sid. We denote n(j) some a, j, p. There are two cases.

■ Either there exists a most general unifier 0 of m and j a. Then f '(sid) = (a U 0, j,p + 1) and H' = H U {rpa0}.

■ Or we define f'(sid) = f (sid) and H' = H (the state remains unchanged).

If we denote by SID = N x N x IDk the set of all sessions ids, the set of symbolic execution traces is SymbTr1 = (SID x (SID ^ ([X ^ T1 ]xN x N))x 2T' )*. The set of corresponding unlabeled symbolic execution traces is denoted by SymbTr. The mapping function 7 is extended as follows: if tr = (Sldo, fo, Ho), ..., (Sld„, fn, Hn) is a trace of SymbTr', tr = (Sldo, fo,Ho),..., (Sld„, fn, Hn) G SymbTr where S Id« simply equal Sldf and Jji SID^([X^r]xNxN)) with/¿(sid) = (a,i,p) if /¿(sid) = (a, i,p) and W(X) = a(X).

The adversary intercepts messages between honest participants and computes new messages using the deduction relation h1 defined in Figure 1. Intuitively, S h1 m means that the adversary is able to compute the message m from the set of messages S. All deduction rules are rather standard with the exception of the last one: The last rule states that the adversary can recover the corresponding message out of a given signature. This rule reflects capabilities that do not contradict the standard computational security definition of digital signatures, may potentially be available

to computational adversaries and are important for the soundness result of [4].

Next, we sketch the execution model for unlabeled protocols. As above, the execution is based on a deduction relation h that captures adversarial capabilities. The deduction rules that define h are obtained from those of h1 (Figure 1) as follows. The sets of rules Initial knowledge and Pairing and impairing in are kept unchanged (replacing h1 by h, of course). For encryption and signatures we suppress the labels adv(i) and I in the encryption function {_}- and the signature function [_]- for rules Encryption and decryption and rules Signature. That is, the rules for encryption are:

S h ek(6) S h m S h {m}ek(b) S h dk(6)

S {m}ek(6) S h m

and those for signatures are:

S h sk(6) S h m S h [m]sk(6) S I- [m]sk(6) s h m

We use the deduction relations to characterize the set of valid execution traces. We say that the trace (SId1,f1, Hi),..., (SIdn,fn,Hn) is valid if the messages sent by the adversary can be computed by Dolev-Yao operations. More precisely, we

require that in a valid trace whenever (SIdi,fi,Hi) send s' m } (SIdi+1,fi+1,Hi+1), we have H h1 m. Given a protocol n, the set of valid symbolic execution traces is denoted by Exec(II). The set Exec(II) of execution traces in the model without labels is defined similarly. We thus require that every sent message m' satisfies Hi h m'.

Example 2.3 Playing with the Needham-Schroeder-Lowe protocol described in Example 2.2, an adversary can corrupt an agent a3, start a new session for the second role with players a1,a2 and send the message {n(a3,1,1),a1 ^¡da) to the player of the second role. The corresponding valid trace execution is:

f(A i (K\ corruPt(a3) ¡ru . , , new(2'ai'«2)

(0,f1,0)-► (0,f 1, kn(a3)) ->

({sid 1},f2,kn(a3)) -' '

^{sid1 },f3, kn(a3) U {{n3,n2,a2}ag((a))}

where sid 1 = (1,2, (a1 ,a2)), n2 = n(a2,1,1), n3 = n(a3,1,1), and f2,f3 are defined as follows: f2(sid 1) = (a1, 2,1), f3(sid1) = (a2,2, 2) where a1(A1) = a1, a1 (A2) = a2, a1 (X;A2) = n2, and a2 extends a1 by a2(XAA1) = n3 and a2(L1) = adv(1).

2.3 Relating the labeled and unlabeled execution models

The following lemma (which can be easily proved by structural induction) states that, whenever a message is deducible, the corresponding unlabeled message is also deducible.

V. Cortier et al. /Electronic Notes in Theoretical Computer Science 186 (2007) 49—65 57

Lemma 2.4 S \~l m =>• S h m

Based on the above property we show that whenever a trace corresponds to an execution of a protocol, the corresponding unlabeled trace corresponds also to an execution of the corresponding unlabeled protocol.

Lemma 2.5 tr G Exec(II) tr G Exec(II).

Proof The key argument is that only pattern matching is performed in protocols and when a term with labels matches some pattern, the unlabeled term matches the corresponding unlabeled pattern. The proof is done by induction on the length of the trace. Full details are provided in Appendix A. □

3 A logic for security properties

In this section we define a logic for specifying security properties. We then show that the logic is quite expressive and, in particular, it can be used to specify rather standard secrecy and authenticity properties.

3.1 Preliminary definitions

We define the set of local states LS¿^(tr) of a trace tr for role i at step p by LS¿^((SIdkf ,Hfe)1<fe<n) = {(a,i,p) | 3s e SIdfe, s.t. f(s) = (a,i,p), 1 < k < n}.

We assume an infinite set Sub of meta-variables for substitutions. Our logic contains tests between terms with variables substituted by variable substitutions. More formally, let Tgub be the algebra defined by:

L ::= ?(X) | ag(i) | adv(j)

TlSub ::= ?(x) | a | ek(a) | dk(a) | sk(a) | vk(a) | n(a,j,s)

1 (TSub ,TSub) | {TSub }fk(a) | [Tsub ]fk(a)

where xi G X.¿, ? G Sub, G N, x G X, a G ID. The unlabeled algebra Tsub is defined accordingly. The mapping function between the two algebras is defined by: i(x) = {k}lm = {k}m, [k]lm = \k]rñ, f(t 1, ■ ■ .,tn) = f(tl, ■■■,rQ Otherwise.

3.2 Security Logic

In this section we describe a logic for security properties. Besides standard propo-sitional connectors, the logic has a predicate to specify honest agents, equality tests between terms, and existential and universal quantifiers over the local states of agents.

1 if t G ID and t does not appear in a corrupt action, i.e. tr = ei,e2,..., en and

[NC(tr,t)] = < corrupt (a i )

Vai,...,afc, s.t. ei -► e2,t = ai,

0 otherwise

1 if V(0,i,p) G LSijP(tr), we have

[VLSi,p(ir).? F(tr)] = < IF(ir)[0A]] = 1,

0 otherwise.

[3LSi,p(ir).? F(tr)

1 if 3(0, i,p) G LSi,p(tr), s.t. [F(tr)[0/?]] = 1, 0 otherwise.

Fig. 2. Interpretation.

Definition 3.1 The formulas of the logic L' are defined by induction as follows:

F(tr) ::= NC(tr,ti) | (ti = t2) | -F(tr) | F(tr) A F(tr) | F(tr) V F(tr) | VLSi,p(tr).? F(tr) | 3LSi,p(tr).? F(tr)

where tr is a parameter of the formula, i,p G N, ? G Sub, ti and t2 are terms of TlSub. Note that formulas are parametrized by a trace tr. As usual, we may use 0i ^ 02 as a shortcut for -0i V 02.

We similarly define the corresponding unlabeled logic Li: the tests (ti = t2) are between unlabeled terms ii, i2 over Tsu},. The mapping function 7 is extended as expected. In particular NC(tr,t) = NC(tr,t), (¿1 = t2) = (ti = h), V£SiiP(t.rF(tr) = V£Si>p(tr).<; F(tr) and 3CSi>p(tr).q F(tr) = 3LSia>(tr).q F(tr).

Here the predicate NC(tr, t) of arity 2 is used to specify non corrupted agents. The quantifications VLSi)P(tr).? and 3LSi)P(tr).? are over local states of agent i at step p in trace tr. The semantics of our logic is defined for closed formula as follows: standard propositional connectors and negation are interpreted as usual. Equality is syntactic equality. The interpretation of quantifiers and the predicate NC is shown in Figure 2.

Next we define when a protocol n satisfies a formula 0 G L^. The definition for the unlabeled execution model is obtained straightforwardly. Informally, a protocol n satisfies 0(tr) if 0(tr) is true for all traces of n. Formally:

Definition 3.2 Let 0(tr) be a formula and n be a protocol. We say that n satisfies security property 0, and write n |= 0 if for any trace tr G Exec(n), [0(tr)] = 1.

Abusing notation, we occasionally write 0 for the set {tr | [0(tr)] = 1}. Then, n == 0 precisely when Exec(n) C 0.

3.3 Examples of security properties

In this section we exemplify the use of the logic by specifying secrecy and authenticity properties.

3.3.1 A secrecy property

Let n(1) and n(2) be the sender's and receiver's role of a two-party protocol. To specify our secrecy property we use a standard encoding. Namely, we add a third role to the protocol, n(3) = (XA3, stop), which can be seen as some sort of witness.

Informally, the definition of the secrecy property states that, for two non corrupted agents a1 and a2, where a1 plays role n(1) and a2 plays role n(2), a third agent playing role n(3) cannot gain any knowledge on nonce XA 1 sent by role n(1) (played by A1), when A1 is honest and is talking with an honest agent A2.

&(tr) = VLS 1'1(tr).? VLS3'2(tr)'

[NC(tr, ?(A1)) A NC(tr, ?(A2)) - -(?'(XA3) = ?(XA2))]

3.3.2 An authentication property

Consider a two role protocol, such that role 1 finishes its execution after n steps and role 2 finishes its execution after p steps. For this kind of protocols we give a variant of the week agreement property [9]. Informally, this property states that whenever an instantiation of role 2 finishes, there exists an instantiation of role 1 that has finished and they agree on some value for some variable and they have indeed talked to each other. In our example we choose this variable to be XA 1. Note that we capture that some agent has finished its execution by quantifying appropriately over the local states of that agent. More precisely, we quantify only over the states where it indeed has finished its execution.

^(tr) = VLS2'p(tr).? 3LS1'„(tr).?' [NC(tr,cr(A1)) A NC(tr,cr'(A2)) -

(?(XA1) = (XA1)) A (?(A2) = ?'(A2)) A (?(A1) = ?'(A0)]

Notice that although in its current version our logic is not powerful enough to specify stronger versions of agreement (like injective or bijective agreement), it could be appropriately extended to deal with this more complex forms of authentication.

4 Main Result

Recall that our goal is to prove that II |= II |= cj). However, as explained in the introduction this property does not hold in general. The following example sheds some light on the reasons that cause the desired implication to fail.

Example 4.1 Consider the first step of some protocol where A sends a message to B where some part is intended for some third agent.

A - B : {Na, {Na }ek(C), {NJek(C) }ek(B)

The specification of the roles of A and B that corresponds to this first step is as follows (in the definition below CA2 and CA2 are variables of sort ciphertext).

n(1) = (in^ {(xa 1, ({XA 1 }ag((A)з), {XA 1 }ag((A)3>»}ag((A)2))

n(2) = ({(XA 1, (CA 2 ,CA 2 ))}eLk(A2), stop)

We assume that A generates twice the message {N }ek(c). Notice that we stop the execution of B after it receives the first message since this is sufficient for our purpose, but its execution might be continued to form a more realistic example.

Consider the security property that states that if A and B agree on the nonce XA1 1 then B should have received twice the same ciphertext.

01 (tr) = VLS1'2(tr).? VLS2'2(tr).?'

NC(tr, ?(A1)) A NC(tr, ?(A2))A

(?(XA 1) = (XA 1)) - (?'(CA2) = ?'(CA2))

This property clearly does not hold for any normal execution of the labeled protocol since A always sends ciphertexts with distinct labels. Thus n = .

On the other hand, one can show that we have II |= (j)i in the unlabeled execution model. Intuitively, this holds because if A and B are honest agents and agree on XA , then the message received by B has been emitted by A and thus should contain identical ciphertexts (after having removed their labels).

4.1 Logic L2

The counterexample above relies on the fact that two ciphertexts that are equal in the model without labels may have been derived from distinct ciphertexts in the model with labels. Hence, it may be the case that although t\ ^ ¿2 =>• t\ £2, the contra-positive implication t\ = ¿2 =>• t\ = ¿2 does not hold, which in turn entails that formulas that contain equality tests between ciphertexts may be true in the model without labels, but false in the model with labels. In this section we identify a fragment of L1, which we call L2 where such tests are prohibited. Formally, we avoid equality tests between arbitrary terms by forbidding arbitrary negation over formulas and allowing equality tests only between simple terms.

Definition 4.2 A term t is said simple if t = ?(x) where x e X.aUX.n and ? e Sub, or t = a for some a e ID or t = n(a, j, s) for some a e ID, j, s e N.

An important observation is that for any simple term t it holds that t = t.

Definition 4.3 The formulas of the logic L2 are defined as follows:

F(tr) ::= NC(tr,t1) | -NC(tr,t1) | F(tr) A F(tr) | F(tr) V F(tr) | (t1 = t2) | («1 = «2) | VLS¿'^(tr).? F(tr) | 3LSi'P(tr).? F(tr),

where tr G SymbTr is a parameter, i,p G N, ti,t2 G TlSuh and ui,u2 are simple terms.

Since simple terms also belong to TlSub, both equality and inequality tests are allowed between simple terms.

The corresponding unlabeled logic L2 is defined as expected. Note that L2 C Li and L2 c Li.

4.2 Theorem

Informally, our main theorem says that to verify if a protocol satisfies some security formula 0 in logic L^, it is sufficient to verify that the unlabeled version of the protocol satisfies qi>.

Theorem 4.4 Lei II be a protocol and 0 G £2, then II |= 0 II |=

Proof Assume II |= We have to show that for any trace tr € Exec(II), [0(ir)] = 1. From Lemma 2.5 it follows that tr £ Exec(II), thus [0(ir)] = 1, since II |= (p. Thus, it is sufficient to show that [0(ir)] = 1 =>• [</>(ir)] = 1. The following lemma offers the desired property. □

Lemma 4.5 Let 4>(tr) E Cl2 for some tr £ SymbTr, [0(ir)] = 1 implies [0(ir)] = 1. 2

Proof The proof of the lemma is by induction on the structure of 0(tr). Full details are provided in Appendix B. □

5 Implementation and Experiments

The AVISPA project [2] provides a platform for automatic verification of security protocols. The platform includes a specification language called HLPSL that can be used for specifying both protocols and security properties. Protocols specified in this language can be verified with four different tools. Three of them, OFMC, ATSE, and SATMC, use symbolic models where the number of sessions that can be executed in parallel is bounded. The fourth tool, TA4SP, provides verification abilities for an unbounded number of sessions. The tools can be used to verify three security properties: secrecy, weak authentication, and replay protection.

Based on the results of [4] and this paper, we implemented a module for the AVISPA with the purpose of obtaining computationally sound security guarantees. The module works as follows. First, the module verifies that the protocol (specified in HLPSL) can be translated in our formalism. In particular, it verifies that the protocol uses only asymmetric encryption in its pure form (that is: we do not consider protocols that model digital signatures via decryption-with-the-private key approach.) Notice that although we forbid protocols that encrypt messages using symmetric keys, such keys can still be sent around. Next, the module checks whether the security property that is verified can be translated in our L2 logic. In particular, weak authentication should only be done on atomic messages like agents and

Public keys only symbolically secure computationally secure

13 9 9

Fig. 3. Summary of our experiments.

nonces. Finally, if the verification succeeds the logical formula that states the security property is printed out, together with a messages that states that the protocol satisfies the security property computationally.

We executed the module on the protocols in the library of the AVISPA platform. The results are summarized in Figure 3. Of the 13 public-key encryption based protocols in the library of the AVISPA platform the tool concludes that 9 are symbolically secure, and all 9 pass our syntactic validation tests. We conclude that all these 9 protocols are computationally secure.

The new module will be included in the next version of the AVISPA tool.

6 Discussion

We conclude with a brief discussion of two interesting aspects of our result. First, as mentioned in the introduction our main theorem should hold for all execution models for which the underlying deduction systems satisfy the condition in Lemma 2.4, that is S \~l m =>-Shm. For example, it should hold for the deduction systems obtained after removing the rule

si-* Kkw

and its corresponding unlabeled variant. In fact, an interesting result would be to prove a more abstract and modular version of our theorem.

Secondly, one may ask if the converse of our main theorem holds. We argue that this is not the case. More precisely, we show that there exists a protocol n and a property 0 such that II | = 0 but II 0. Let II be the protocol defined in Example 4.1. Consider a security property 02 that states on the contrary that whenever A and B agree on the nonce XA1 1 then B should have received two distinct ciphertexts. Formally:

02 (tr) = VLS1'2(tr).? VLS2'2 (trK

NC(tr, ?(A1)) A NC(tr, ?(A2))A

(?(XA1) = (XA1)) - (?'(CA2) = ?'(CA2))

where CA1 2 and CA2 2 are variables of sort ciphertext.

This property clearly does not hold for any honest execution of the unlabeled protocol since A always sends twice the same ciphertext, and thus II ^ 02. On the other hand however, one can show that this property holds for labeled protocols since, if A and B are honest agents and agree on XA1 1 , it means that the message received by B has been emitted by A and thus contains two distinct ciphertexts. Thus, II |= 02- We conclude that, in general, II |= 0 does not imply II |= 0.

V. Cortier et al. / Electronic Notes in Theoretical Computer Science 186 (2007) 49-65

References

[1] Abadi, M. and Jurjens, J. (200i). Formal eavesdropping and its computational interpretation. In Proc. of Theoretical Aspects of Computer Software (TACS 2001), volume 22i5 of LNCS, pages 82—94. SpringerVerlag.

[2] Armando, A., Basin, D., Boichut, Y., Chevalier, Y., Compagna, L., Cuellar, J., Hankes Drielsma, P., Heam, P.-C., Kouchnarenko, O., Mantovani, J., Modersheim, S., von Oheimb, D., Rusinowitch, M., Santiago, J., Turuani, M., Vigano, L., and Vigneron, L. (2005). The AVISPA Tool for the automated validation of internet security protocols and applications. In 17th International Conference on Computer Aided Verification, CAV'2005, volume 3576 of LNCS, pages 28i-285. Springer.

[3] Blanchet, B. (200i). An efficient cryptographic protocol verifier based on prolog rules. In Proc. of the 14th Computer Security Foundations Workshop (CSFW'01).

[4] Cortier, V. and Warinschi, B. (2005). Computationally Sound, Automated Proofs for Security Protocols. In Proc. 14th European Symposium on Programming (ES0P'05), volume 3444 of Lecture Notes in Computer Science, pages 157-171. Springer.

[5] Goldwasser, S. and Micali, S. (i984). Probabilistic encryption. J. of Computer and System Sciences, 28:270-299.

[6] Herzog, J. C. (2004). Computational Soundness for Standard Asumptions of Formal Cryptography. PhD thesis, Massachusetts Institute of Technology.

[7] Lowe, G. (i996). Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Proc. of Tools and algoritms for the construction and analysis fof systems (TACAS'96), volume i055 of LNCS, pages i47-i66. Springer-Verlag.

[8] Lowe, G. (i997a). Casper: A compiler for the analysis of security protocols. In Proc. of 10th Computer Security Foundations Workshop (CSFW'97). IEEE Computer Society Press.

[9] Lowe, G. (i997b). A hierarchy of authentication specifications. In Proc. of the 10th Computer Security Foundations Workshop (CSFW'97). IEEE Computer Society Press.

[10] Lowe, G. (2004). Analysing protocols subject to guessing attacks. Journal of Computer Security, i2(i).

[11] Micciancio, D. and Warinschi, B. (2004). Soundness of formal encryption in the presence of active adversaries. In Theory of Cryptography Conference (TCC 2004), pages i33—i5i. Springer-Verlag.

[12] Rusinowitch, M. and Turuani, M. (200i). Protocol insecurity with finite number of sessions is NP-complete. In Proc. of the 14th Computer Security Foundations Workshop (CSFW'01), pages i74—i90. IEEE Computer Society Press.

[13] Song, D. X. (i999). Athena: A new efficient automatic checker for security protocol analysis. In Proc. of the 12th Computer Security Foundations Workshop (CSFW'99). IEEE Computer Society Press.

A Proof of Lemma 2.5

Lemma 2.5 tr £ Exec(II) ^ tr £ Exec(II).

Proof The key argument is that only pattern matching is performed in protocols

and when a term with labels matches some pattern, the unlabeled term matches

the corresponding unlabeled pattern.

• Let tr = (Sldo, /0, Ho), where Sldo and Ho are empty sets. We have Ho = Ho- /0 is defined nowhere, and so is /0. Clearly, tr = (Sldo, /0, Ho) is in Exec(II).

• Let tr £ Exec (II), tr = e0,...,en = (Sld0, /0, H0),..., (Sld„, fn, Hn), such that tr £ Exec(II). We have to show that if tr' = tr, (Sldn+i, fn+i, Hn+i) £ Exec(II), then we have tr' £ Exec(II). There are three possible operations.

(i) corrupt(ai,..., afc). It means that tr = (SId0,/0,H0), (SIdi,/i,Hi). In this case, we have SIdi = SId0 = 0, /i = /0 and H' = H0 U (Ji<i<fe kn(ai). We can conclude that tr = (Sldo, /0, Ho), (SId 1, /1, H\) is in Exec(II), because there are no labels in Hi and /1 is still not defined.

(ii) new(i,ai, ...,afc). No labels are involved in this operation. The extension made to fn is the same as is made to fn. Neither Hn nor Hn are modified, tr' = tr, (Sldn+i, fn+i, Hn+i) is a valid trace.

(iii) send(s, m).

First, we have to be sure that if m can be deduced from Hn, then m can be deduced from Hn. This is Lemma 2.4.

Note that Sld„ = Sldn+i thus Sld„ = Sldn+i. Let fn(s) = (cr,i,p) and n(i) = (..., (1p,rp),...). We have two cases.

■ Either there is a substitution 9 with m = ¿pa9. Then fn+1(s) = (aU9,i,p +1). Thus fn(s) = (a,i,p) and fn+i(s) = (aU9,i,p-\-l). By induction hypothesis, tr is a valid trace. From m = lpa9 follows m = lpa9. We conclude that tr, (Sldn+i, fn+i, Hn+i) = tr' is a valid trace, thus a member of Exec(n).

■ Or no substitution 9 with m = ¿pa9 exists. Then tr' = e0, ...,en, en+i with en = en+1. We must show that it is always possible to construct a message m' G T, such that there exists no substitution 6' with m' = lpad'. Then, from the validity of tr' and tr we can deduce the validity of tr', because E^ = en+\.

Either there exists no substitution 9' such that m = lpad'. In that case, we choose m' = m.

Or let 9' be a substitution such that m = lpa9'. Then the matching for ni fails because of labels. This can be shown by contradiction. Assume m contain no label, i. e. m does not contain subterms of the form {iV,, n or [il'., w ieT. In that case, we have m = m by definition. From m = lpa9', we deduce that m = /pa9', contradiction.

We deduce that m contains some subterm of the form {i}ek(ai) or Msk^)-The fact m = lpW9' implies that lp has to contain one of the following subterms: {t'}ek(Ai), [t']sk(Ai) with t' G T or, a variable of sort ciphertext or signature.

Then, we choose m' = a for some agent identity a G X.a. The term a is de-ducible from Hn. Now, the matching of m' with lp always fails, either because of the encryption or signature occurring in lp or because of type mismatch for a variable of type ciphertext or signature in lp. □

B Proof of Lemma 4.5

Lemma 4.5 Let <f)(tr) G Cl2 for some tr G SymbTr, [0(ir)J implies [</>(fr)].

• <p(tr) = NC(tr, t) or <j)(tr) = ->NC(tr, t). {NC(t.r,t)j = 1, if and only if f G ID and t does not occur in a corrupt event for the trace tr. This is equivalent to t G ID and t does not occur in a corrupt event for the trace tr. Thus {NC(tr, i)] = 1 if and only if {NC(t.r,t)} = {NC(¥,ï)} = 1.

• 4>(tr) = (ii t^ t.2). We have that 4>(tr) = (t\ ^ t2) holds. Assume by contradiction that 4>(tr) does not hold, i.e t\ = t2. This implies ii = t2, contradiction.

• 4>(tr) = (tti = u2) with u\,u2 simple terms. We have that 4>(tr) = («T = vq)

holds. Since u\ and 112 are simple terms, we have 114 = m, thus u\ = 112- We conclude that 0(tr) holds.

• The cases 0(tr) = 0i(tr) V 02(tr) and 0(tr) = 0i(tr) A 02(tr) are straightforward.

• 4>(tr) = yCSiiP(tr).q F(tr). If 4>(tr) holds, this means that for all (9,i,p) G

£5ilP(fF), [F(#)[0A]] = 1.

Let (6',i,p) G CSi,p(tr). We consider [F(fr)[0'/?]]. Since fr G Exec(II) implies tr G Exec(II) (Lemma 2.5), we have (0', G CSi,p(tr). By induction hypothesis, (F(tr)[W/^}} = 1 implies that [F(ir)[6»V?]] = 1. It follows that

V(0',i,p) G LSi,p(tr) [F(tr)[0'/s]] = 1.

Thus, 0(tr) holds.

• 0(ir) = 3£<SjiP(ir).? F(tr). If 4>(tr) holds, this means that there exists (9,i,p) G CSitP(¥), such that [F(fr)[6»/?]] = 1.

By definition of the mapping function, there exists (0',i,p) G LSijP(tr) such that 9' = 9. By induction hypothesis, [F(fr) [$'/?]] = 1. Thus there exists 9', such that [F(tr)[(9'/?]] = 1. Thus, 0(tr) holds. □