
6.4 Verifying RA Property for DTR1

6.4.3 Verification

To check that the DTR1 model satisfies the NA (and subsequently the RA) property, one can show the following:

$Spec(\{\}, P_\infty) \sqsubseteq Impl$ (6.4.1)

It can be seen that $Impl$ is large and complex. Even for a system with a small number of peers, $Impl$ has too many states and transitions to be checked automatically by FDR. The approach taken in this thesis for verifying Equation 6.4.1 is first to find an abstraction of $Impl$ with a smaller state space. Next, a small instance of the abstraction is implemented in FDR, which confirms that the refinement relation holds for that instance. The final step is to derive a general proof for the abstraction model of any size. In the following, the main steps in arriving at the final proof are presented informally, in order. The general proof is given in Appendix F. More details can be found in [30].

6.4.3.1 Weakening the adversary.

The adversary modeled in $Impl$ is given infinite memory, which allows it to remember and replay messages. Consider the weakened adversary that has no memory and is therefore restricted to relaying messages only. More specifically, the weakened adversary is constructed by replacing $MemoryNonce(n)$, $MemorySigI(n, i, c)$, $MemorySigR(n, i, c)$ and $MemoryCert(i, l, r, c)$ with the following processes:

$RelayNonce(n) = learn.SqN.\langle n \rangle \to say.SqN.\langle n \rangle \to STOP$

$RelaySigR(n, i, c) = learn.SqR.\langle n, i, c \rangle \to say.SqR.\langle n, i, c \rangle \to STOP$

$RelaySigI(n, i, c) = learn.SqI.\langle n, i, c \rangle \to say.SqI.\langle n, i, c \rangle \to STOP$

$RelayCert(i, l, r, c) = learn.Cert.\langle i, l, r, c \rangle \to say.Cert.\langle i, l, r, c \rangle \to STOP$

Let $Impl_1$ be the new model constructed by replacing the old adversary with the weakened one; it can then be shown that:

6.4.3.2 Reducing Nonces using the data independence technique.

In $Impl_1$, the Nonce Manager supplies fresh nonces to the other agents from the potentially infinite set $Nonces$. The model therefore depends on the type $Nonces$, because the adversary and Nonce Manager processes are constructed using parallel operators indexed over $Nonces$. To apply the data independence technique to $Nonces$, another abstraction of $Impl_1$ that is independent of $Nonces$ must be found. First, notice that $Nonces$ can be divided into three distinct sets, $Nonces_{ad}$, $Nonces_{ca}$ and $Nonces_{vf}$, which contain the nonces supplied to the adversary, the CA and the Verifier process respectively. Let $Impl_2$ be the model derived from $Impl_1$ as follows:

• $Nonces_{ad}$ is removed, meaning that the data type for nonces used in $Impl_2$ is $Nonces_{vf} \cup Nonces_{ca}$. It is shown in [30] that removing these nonces does not change the trace set of $Impl_1$.

• The Nonce Manager and adversary processes are rewritten in recursive form so that they no longer consist of parallel sub-processes indexed over the sets $Nonces_{vf}$ and $Nonces_{ca}$. For example, the adversary sub-processes that relay TPM signatures can be rewritten as:

$RelaySigR(i) = learn?SqR.\langle n, i, c \rangle \to RelaySigR(i) \;\Box\; say.SqR.\langle n, i, c \rangle \to RelaySigR(i)$

$RelaySigI(i) = learn?SqI.\langle n, i, c \rangle \to RelaySigI(i) \;\Box\; say.SqI.\langle n, i, c \rangle \to RelaySigI(i)$

It is shown in the technical report [30] that:

$traces(Impl_1) \subseteq traces(Impl_2)$ (6.4.3)

All the sub-processes of $Impl_2$, except for the Nonce Manager process, are independent of $Nonces_{vf}$ and $Nonces_{ca}$. They satisfy the $PosConjEqDTStrict(ET_{vf})$ and $PosConjEqDTStrict(ET_{ca})$ conditions, where:

$ET_{vf} = \{ fake.NM.VF.SqN.\langle n \rangle \mid n \in Nonces_{vf} \}$

$ET_{ca} = \{ fake.NM.CA.SqN.\langle n \rangle \mid n \in Nonces_{ca} \}$

Let $Impl_3$ be derived from $Impl_2$ by removing the Nonce Manager process and replacing $Nonces_{vf}$ and $Nonces_{ca}$ with $\{n_{vf}\}$ and $\{n_{ca}\}$ respectively. Using the collapsing functions that map $Nonces_{vf}$ and $Nonces_{ca}$ to $\{n_{vf}\}$ and $\{n_{ca}\}$ respectively, Equation 6.3.2 and the fact that events containing nonces are hidden in the model, it is shown in [30] that:

$traces(Impl_2) = traces(Impl_3)$ (6.4.4)

6.4.3.3 Reducing Counts using the data independence technique.

$Impl_3$ depends on the type $Counts$, because the '$>$' operator and parallel operators indexed over $Counts$ are used in the TPMs and adversary processes. Before reducing $Counts$ to a smaller size, a new abstraction of $Impl_3$ that is independent of $Counts$ needs to be found. Let $Impl_4$ be the model derived from $Impl_3$ as follows:

• The TPMs process is rewritten so that new counter values are selected from the set of values that have not yet been used, instead of being restricted to values greater than the current one. This replacement is sound, because in the original model the '$>$' operator is used only to guarantee the freshness of the new value.

• The adversary process is rewritten in recursive form so that it no longer comprises parallel sub-processes indexed over $Counts$.

The following holds:

$traces(Impl_3) \subseteq traces(Impl_4)$ (6.4.5)

$Impl_4$ is independent of the type $Counts$ and in fact satisfies the $PosConjEqDT$ condition. Let $Abstraction$ be the model derived from $Impl_4$ in which the only counter value used is $c_d$. By applying a collapsing function that maps $Counts$ to $\{c_d\}$, it is shown in [30] that:

$traces(Impl_4) \subseteq traces(Abstraction)$ (6.4.6)

This abstraction does not allow replay attacks (even though only two nonces and one counter value are ever used in $Abstraction$), because the adversary's memory has been removed.
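The two rewrites above, the relay adversary of 6.4.3.1 and the "unused value" counter rule of 6.4.3.3, can be exercised with a bounded trace-refinement check on toy components. The following Python is an added example for this section and is not the thesis's CSP_M/FDR code: the process bodies, the event names (learn.SqN.n, say.SqN.n, sign.count.c), the nonce set {n1, n2}, the counter set {1, 2, 3} and the depth bound are this example's own assumptions. It checks each component in isolation, so it illustrates the direction of the containments on small processes and does not replace the compositional arguments in [30] (in particular, it makes no claim about Equation 6.4.2, which is not reproduced on this page).

```python
"""Bounded trace-refinement checks for the rewrites of 6.4.3.1 and 6.4.3.3.

A process is a step function  step(state) -> iterable of (event, next_state).
Its traces are enumerated up to MAX_DEPTH, so the check is a bounded
approximation of the exact refinement check FDR performs.
All names, events and value sets below are constructed for this example.
"""

MAX_DEPTH = 6


def traces(step, start, max_depth=MAX_DEPTH):
    """All finite traces of length <= max_depth from `start`, as tuples of events."""
    result = {()}
    frontier = [((), start)]
    for _ in range(max_depth):
        nxt = []
        for tr, st in frontier:
            for ev, st2 in step(st):
                tr2 = tr + (ev,)
                result.add(tr2)
                nxt.append((tr2, st2))
        frontier = nxt
    return result


def trace_refines(spec_step, spec_start, impl_step, impl_start, max_depth=MAX_DEPTH):
    """Spec [T= Impl, i.e. traces(Impl) is a subset of traces(Spec), up to the bound.

    Returns (True, None) or (False, shortest offending trace of Impl)."""
    spec = traces(spec_step, spec_start, max_depth)
    bad = [t for t in traces(impl_step, impl_start, max_depth) if t not in spec]
    if not bad:
        return True, None
    return False, min(bad, key=lambda t: (len(t), t))


# --- 6.4.3.1: remembering adversary vs. relay adversary (toy nonce channel) ---
NONCES = ("n1", "n2")  # constructed toy nonce set


def memory_adversary(learned):
    """Interleaving of MemoryNonce(n): after learn.SqN.<n> the adversary
    may say.SqN.<n> any number of times, i.e. it can replay (assumed model)."""
    for n in NONCES:
        if n not in learned:
            yield ("learn.SqN." + n, learned | {n})
        else:
            yield ("say.SqN." + n, learned)


def relay_adversary(state):
    """Interleaving of RelayNonce(n) = learn.SqN.<n> -> say.SqN.<n> -> STOP."""
    learned, said = state
    for n in NONCES:
        if n not in learned:
            yield ("learn.SqN." + n, (learned | {n}, said))
        elif n not in said:
            yield ("say.SqN." + n, (learned, said | {n}))


MEMORY_START = frozenset()
RELAY_START = (frozenset(), frozenset())


# --- 6.4.3.3: counter chosen with '>' vs. counter chosen from unused values ---
COUNTS = (1, 2, 3)  # constructed toy counter values


def tpm_gt(current):
    """Impl3-style TPM step: the next counter value must be > the current one."""
    for c in COUNTS:
        if c > current:
            yield ("sign.count." + str(c), c)


def tpm_unused(used):
    """Impl4-style TPM step: the next counter value must merely be unused so far."""
    for c in COUNTS:
        if c not in used:
            yield ("sign.count." + str(c), used | {c})


TPM_GT_START = 0
TPM_UNUSED_START = frozenset()


def check_adversary():
    """Memory [T= Relay holds (every relay trace is a memory trace); the
    converse fails, and the witness is a replay: learn, say, say."""
    ok, _ = trace_refines(memory_adversary, MEMORY_START, relay_adversary, RELAY_START)
    back, replay = trace_refines(relay_adversary, RELAY_START, memory_adversary, MEMORY_START)
    return ok, back, replay


def check_tpm():
    """Unused [T= GT holds, matching the direction of (6.4.5): '>' only ever
    picks fresh values. The converse fails because the unused rule may pick
    a smaller value after a larger one."""
    ok, _ = trace_refines(tpm_unused, TPM_UNUSED_START, tpm_gt, TPM_GT_START)
    back, witness = trace_refines(tpm_gt, TPM_GT_START, tpm_unused, TPM_UNUSED_START)
    return ok, back, witness


if __name__ == "__main__":
    print(check_adversary())
    print(check_tpm())
```

Both checks report the expected containment and, for the failing converse, the shortest trace of the larger process that the smaller one cannot perform; for the adversary that witness is precisely a replayed say.SqN event, which is the behaviour the weakening removes.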

6.4.3.4 Automated verification.

The state space of $Abstraction$ is smaller than that of $Impl$. Because $Abstraction \sqsubseteq Impl$ and refinement is transitive, to prove that Equation 6.4.1 holds it is sufficient to show:

$Spec(\{\}, P_\infty) \sqsubseteq Abstraction$ (6.4.7)

To provide preliminary evidence that Equation 6.4.7 holds, the refinement is checked for a small model in which $|P_\infty| = 3$. $Spec(\{\}, P_\infty)$ and $Abstraction$ are implemented in FDR; the detailed implementation can be found in Appendix E. The refinement check returns true after evaluating 13,501,797 states and 73,831,002 transitions. This automated proof confirms that Equation 6.4.7 is true for the DTR1 model with $|P_\infty| = 3$.

6.4.3.5 Generalizing the automated proof.

To prove that Equation 6.4.7 holds for $P_\infty$ of any size, it is necessary to show that $traces(Abstraction) \subseteq traces(Spec(\{\}, P_\infty))$. The proof is constructed by induction as follows (for more details, see Appendix F):

1. (Base case). Let $tr$ be a trace of $Abstraction$ such that $tr \upharpoonright \{|completeChurn|\} = \langle \rangle$ ($\upharpoonright$ is the restriction operator; for example, $sq \upharpoonright X$ removes the non-$X$ elements from $sq$). Then $tr \in traces(Spec(\{\}, P_\infty))$.

2. (Inductive case). For any $\theta \neq \langle \rangle$, let $tr$ be a trace of $Abstraction$ such that:

$tr \upharpoonright \{|completeChurn|\} = \theta \;\wedge\; tr \in traces(Spec(\{\}, P_\infty))$

Let $tr'$ be another trace of $Abstraction$; then:

$\forall e \,.\; tr' \upharpoonright \{|completeChurn|\} = \theta \frown \langle e \rangle \;\Rightarrow\; tr' \in traces(Spec(\{\}, P_\infty))$