[13] demonstrated that the protocol analysis problem is decidable and NP-complete in the presence of modular exponentiation. Shmatikov [40] proved that the same problem is decidable, for a finite number of protocol sessions, in the presence of an Abelian group operator and exponentiation. Also related to these approaches is protocol analysis in the presence of the XOR operation, which was recently proven to be feasible by Chevalier et al.
We model the state of the system as a pair ⟨s, P⟩, where s captures the current knowledge of the environment (i.e., the sequence of messages the environment has "seen" on the network up to a given point in time) and P is a process term. We express security properties of a protocol in terms of the traces generated by the protocol. In particular, we focus on correspondence assertions of the form 'for each trace generated, if action β occurs in the trace, then action α must have occurred earlier in the trace'.
Consider the configuration of the NS protocol defined in Example 2. The property that, in step 3, B must accept only authentic messages, i.e. Another feature that can be expressed within our framework is secrecy in the style of [5]. Condition (b) in the following definition states that only the environment can introduce variables into symbolic traces.
Checking the consistency of symbolic traces is a crucial step of the verification method presented in the next section.
4 A Verification Method
The frame F_pks defined in the example above is correct, as the following theorem states; its proof is given in Appendix C.2. Refinement. In the refinement process, each input message of the symbolic trace is tentatively unified with some message that can be synthesized from a basis of past messages. By repeating this step, we can check whether a given symbolic trace can eventually be instantiated to a trace of the concrete model.
In particular, given any symbolic trace σ, we can compute the set of 'more general cases' of σ that satisfy the solved form property, denoted by SF(σ). This is achieved by renaming θ′, and occurs precisely when the application of θ_i causes the first occurrence of x̂ to move backwards in the trace. We now prove that the solutions of a symbolic trace σ can be completely characterized in terms of the solutions of the symbolic traces in SF(σ).
Then s is obviously a solution of σ, since σ′ = σθ for some θ (note that σ, by definition, does not contain marked variables). By repeated application of the previous lemma, we find that there is σ′_i in solved form and ρ′ s.t. This amounts to verifying that, in the concrete semantics, no instance of action β is ever executed from C.
By the correspondence between the symbolic and concrete semantics (Proposition 1), it follows that for every σ symbolically generated by C, no solution of σ contains an instance of β. In practice, rather than generating the whole set of symbolic traces at once (step 1) and then checking the property, it is convenient to work 'on the fly': each new symbolic action γ taken by the configuration is compared with the action β of the property α ← β, and the refinement procedure SF(·) is invoked only when β and γ are unifiable. The worst-case complexity of the method is expected to be exponential, since the analysis problem is easily seen to be NP-hard (see e.g. [38]).
The correctness and completeness of the method in the general case are stated by Theorem 4 below. From C ⇝ s and Corollary 1, it follows that there exists σ such that C ⇝_S σ and s is a solution of σ, i.e. These two properties depend entirely on the soundness conditions in the definition of basis function.
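As an added illustration (not code from the paper or from STA), the following Python sketch implements the deducibility relation σ ⊢ M that the refinement step relies on when it asks whether an input message "can be synthesized from a basis of past messages": the environment's knowledge is first closed under the analysis rules (splitting pairs, decrypting under known keys), and a candidate message is then checked against the synthesis rules. The message constructors, the NS-style message and the environment's initial knowledge are assumptions made here for illustration, not the paper's own message algebra.

```python
# Added example, not code from the paper: a small Dolev-Yao deduction engine for
# the relation sigma |- M ("M can be synthesized from the messages in sigma").
# The constructors below (name, pair, senc, aenc, pk, sk) are assumptions made
# here for illustration; the paper's own message algebra is not reproduced.

def name(n):
    return ("name", n)

def pair(m1, m2):
    return ("pair", m1, m2)

def senc(k, m):
    # symmetric encryption of m under key k
    return ("senc", k, m)

def pk(a):
    return ("pk", a)

def sk(a):
    return ("sk", a)

def aenc(pubkey, m):
    # public-key encryption of m under pk(a); decryptable only with sk(a)
    return ("aenc", pubkey, m)


def analyse(messages):
    """Close a set of messages under the analysis rules: split pairs,
    decrypt senc(k, m) when k is known, decrypt aenc(pk(a), m) when sk(a) is
    known. Iterates to a fixpoint, so a key learned late still unlocks
    ciphertexts seen earlier in the trace."""
    known = set(messages)
    changed = True
    while changed:
        changed = False
        for m in list(known):
            derived = set()
            if m[0] == "pair":
                derived.update((m[1], m[2]))
            elif m[0] == "senc" and m[1] in known:
                derived.add(m[2])
            elif m[0] == "aenc" and sk(m[1][1]) in known:
                derived.add(m[2])
            if not derived <= known:
                known |= derived
                changed = True
    return known


def synthesisable(known, m):
    """Synthesis rules: a message is buildable if it is known outright or if
    every component of its outermost constructor is buildable."""
    if m in known:
        return True
    if m[0] in ("pair", "senc", "aenc"):
        return synthesisable(known, m[1]) and synthesisable(known, m[2])
    return False  # atoms (names, nonces, keys) cannot be guessed


def deducible(trace, m):
    """sigma |- m: analyse the past messages first, then try to synthesise m."""
    return synthesisable(analyse(trace), m)


# Constructed NS-style scenario (assumption): A sends {nA, A}_pk(B); the
# environment I holds its own key pair, a nonce nI and everyone's public keys.
A, B, I = name("A"), name("B"), name("I")
nA, nI = name("nA"), name("nI")
base = [A, B, I, pk("A"), pk("B"), pk("I"), sk("I"), nI]
msg1 = aenc(pk("B"), pair(nA, A))

if __name__ == "__main__":
    print("env learns nA from msg1:", deducible(base + [msg1], nA))        # False
    print("...with sk(B) leaked:", deducible(base + [sk("B"), msg1], nA))  # True
    print("env can forge msg1 with its own nonce:",
          deducible(base, aenc(pk("B"), pair(nI, A))))                   # True
```

The third check is the situation behind the requirement that B accept only authentic messages: the environment cannot learn n_A from the first message, but it can synthesize a well-formed first message of its own, so B's acceptance of such a message is not by itself evidence that A sent it.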
5 ‘Black-Box’ Cryptographic Primitives
6 Diffie-Hellman Key Exchange
The purpose of using multiple symbols for each of the above operations is to prevent loops in the symbolic evaluation relation, as explained later. The non-determinism in the (MULT) rule is meant to model the commutativity and associativity of the product operation. Specifically, starting from an expression that satisfies the above conditions, an attacker is able to 'decode' all, though not necessarily only, the AC-variants of the message represented by the expression.
Constraint (1) can be relaxed at the expense of introducing a family of mult operations, one for each arity l ≥ 0, but for simplicity we stick here to the above model. The symbolic evaluation relation of F_DH is shown in Table 8: it is defined as the reflexive and transitive closure of the one-step relation given there. We can now explain the adoption of multiple symbols in the case of product (mult and ×), inverse (inv, inv′ and (·)⁻¹) and unit (unit and 1).
The use of several symbols and the form of the rules ensure, on the contrary, the termination of the evaluation relation. After an output operation and an input operation, the symbolic evaluation of root(x, k) produces a global substitution θ = [exp(α, x_1)/x] (x_1 fresh), to be applied to the whole configuration, and a local substitution θ′ = [exp(α, x_1 × k⁻¹)/z], to be applied to P′θ. We strongly suspect that F_DH equipped with the above basis function is a regular frame, but the details need to be worked out.
On the other hand, it is easy to check that this basis function makes F_DH a weak regular frame (Definition 13). Thus we can invoke Theorem 5 to map attacks found with the symbolic method to attacks on the concrete model. The process P defined below describes the Diffie-Hellman protocol presented in the introduction.
For simplicity, we describe only a one-session version of the protocol, again using a few obvious notational shorthands. Intuitively, the above trace corresponds to an attack in which the environment intercepts exp(α, n_A), generates a name n_I and hands exp(α, n_I) to A, which believes that the message comes from B. The symbolic model Mod_C is computed (in practice, symbolic traces are generated 'on the fly').
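As an added worked example (not the paper's own code, nor part of STA), the following Python block gives the concrete counterpart of the symbolic operations used in this section, exp, inv and root in a prime-order subgroup, checks the law behind the substitutions produced by evaluating root(x, k) above, and replays the attack trace just described, in which the environment intercepts exp(α, n_A) and hands exp(α, n_I) to A. The group parameters (p = 23, q = 11, α = 4) and the nonce values are toy assumptions chosen here for illustration.

```python
# Added example, not from the paper: concrete semantics behind the symbolic
# operations exp, inv and root of Section 6, and the one-session attack trace.
# Group parameters and nonce values are assumptions; any prime-order group works.

P = 23      # toy modulus (assumption); real deployments use >= 2048-bit primes
Q = 11      # order of the subgroup generated by ALPHA; P = 2*Q + 1
ALPHA = 4   # generator of the order-Q subgroup mod 23 (4**11 % 23 == 1)


def exp(base, e):
    """exp(alpha, x) of the text: modular exponentiation, exponent taken mod Q."""
    return pow(base, e % Q, P)


def inv(k):
    """k^-1 in the exponent group Z_Q (the inv / (.)^-1 symbols of the text)."""
    return pow(k, -1, Q)


def root(y, k):
    """root(y, k): the element z with exp(z, k) == y, i.e. y^(k^-1)."""
    return pow(y, inv(k), P)


def root_law_holds(x1, k):
    """Checks the equation the symbolic evaluation of root(x, k) encodes:
    with x = exp(alpha, x1), the result z equals exp(alpha, x1 * k^-1)."""
    x = exp(ALPHA, x1)
    return root(x, k) == exp(ALPHA, x1 * inv(k))


def dh_mitm_trace(nA, nB, nI):
    """The attack trace of the text in the concrete model: the environment
    intercepts exp(alpha, nA), generates nI and hands exp(alpha, nI) to A,
    who takes it to be B's contribution. Returns the trace and the three keys."""
    trace = []
    msg_a = exp(ALPHA, nA)
    trace.append(("A->", msg_a))        # A outputs exp(alpha, nA)
    forged = exp(ALPHA, nI)             # environment substitutes its own value
    trace.append(("->A", forged))       # A inputs exp(alpha, nI) believing it is B's
    key_a = exp(forged, nA)             # A computes exp(alpha, nI * nA)
    key_i = exp(msg_a, nI)              # the environment computes the same value
    key_b = exp(msg_a, nB)              # what B would compute from an honest run
    return trace, key_a, key_i, key_b


if __name__ == "__main__":
    assert root_law_holds(3, 5)
    trace, key_a, key_i, key_b = dh_mitm_trace(nA=3, nB=7, nI=5)
    for step in trace:
        print(step)
    print("A's key:", key_a, "| environment's key:", key_i,
          "| B's honest key:", key_b)
```

The second input in the trace is where the symbolic model has a variable: instantiating that variable to n_I is the solution that maps the symbolic attack back to a concrete one, and the keys returned show A and the environment agreeing on a value that B never computed.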
7 An Implementation: STA
Note that, as indicated by Theorem 5, the concrete trace s corresponding to the attack can be recovered from σ′ by mapping x̂′ to n_I. It is worth noting that memory occupancy is not a problem in STA, because a depth-first strategy is adopted when exploring the symbolic model on the fly.
8 Conclusions
The state space, consisting of 24655 symbolic configurations, was fully explored in less than a minute. Using State Space Exploration and a Natural Deduction Style Message Derivation Engine to Verify Security Protocols.
A Concrete vs. Symbolic Semantics
B Proof of Lemma 1
Propositions C2 and C3 below state that b_pk satisfies Conditions 1 and 2, respectively, of the definition of regular frame (Def. 10). Lemma C2 says that the deducibility relation on messages, σ ⊢ M, is preserved by ground substitutions ρ under suitable conditions. Lemma C4 is a sort of "inverse" of Lemma C2 (i.e., σρ ⊢ ζρ implies σ ⊢ ζ, under the right conditions).
If |σ′| > 0, we proceed by induction on the smallest index j such that there exists η ∈ H_j(σ′) with η ↓ M. It cannot be the case that M is an input message, i.e. σ′ = σ_1 a⟨M⟩ σ_2, as this would imply σ_1 ⊢ M (by definition of solved form), contrary to the hypothesis on σ′. It is easy to prove the analogue of Lemma C2(1) for traces, i.e.: let s be a trace and M a message such that s ⊢ M; then v(M) ⊆ V_b.
Let us now generalize the definition of the deduction relation ⊢ to arbitrary terms, letting σ ⊢ ζ if and only if ∃η ∈ H(σ) : η ↓ ζ. PROOF: The 'if' part of the lemma is proved by an easy induction on the smallest j such that ζ ∈ H_j(b_pk(σ)). The proof is by induction on the smallest j such that η ∈ H_j(σ). (j = 0) Then either η = ζ = M ∈ σ for some M, and the result follows from Lemma C1, or ζ, η ∈ EN ∪ V_b, and the result is trivial. (j > 0)
If |σ′| > 0, we proceed by induction on the smallest index j such that there exists ζ ∈ H_j(σ′ρ) with ζ ↓ η. Moreover, it is not the case that N = (x̂)^±, as (σ′ \ x̂)ρ ⊢ ρ(x̂)^± = M would imply, with σ′ \ x̂ shorter than σ′, a contradiction with the minimality of σ′. (j > 0) There are different cases, depending on the outermost operator of ζ.