
To Infinity And Beyond

or, Avoiding the infinite in security protocol analysis

James Heather

Department of Computing University of Surrey Guildford, UK

[email protected]

Steve Schneider

Department of Computing University of Surrey Guildford, UK

[email protected]

ABSTRACT

We investigate conditions under which an infinite set of atomic messages can be replaced with one or two values without affecting the correctness of a security protocol. The work is conducted using the strand spaces formalism, but the results apply to all protocol analysis techniques, and should be of particular value to those using model checking.

The implications of the central result are discussed.

Keywords

security protocols, strand spaces, model checking

1. INTRODUCTION

In a previous paper [8], we discussed the possibility of endowing a traditional Dolev-Yao intruder with the ability to exploit a weakness in low-exponent RSA. Roscoe and Broadfoot had already shown that the data independence approach could not cope with such an intruder [12]; we demonstrated that rank functions and strand spaces also fail in such circumstances, and for remarkably similar reasons.

The failure of each approach is in each case due to its treatment of the intruder's knowledge: each method in some sense factors the intruder's knowledge in order to give a representation of it that is more amenable to model checking, or to concise proofs that the intruder cannot get access to particular secrets. This type of knowledge factoring works well for a standard Dolev-Yao intruder, but not for an enhanced intruder model involving low-exponent RSA. The natural question to ask is what sort of protocol, and what sort of intruder, can be dealt with in this way.

This paper investigates that question. The results are along the same lines as those in [1], in which the authors demonstrate that, for any protocol that can be encoded in terms of Horn clauses, a small and finite number of agents (usually two) will suffice to uncover all attacks; here we show that similar results can be obtained, for a large class of protocols, for nonces and keys.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

SAC’06 April 23-27, 2006, Dijon, France

Copyright 2006 ACM 1-59593-108-2/06/0004 ...$5.00.

2. BACKGROUND

The basic plan with data independence, rank functions, and strand spaces, is to establish a set X of secrets, and then to show that the intruder can never learn anything from X. Each method, however, effectively approximates the intruder's knowledge by conceding rather more ground to the intruder than he can gain in practice.

Data independence allows, under certain conditions, an infinite data type to be replaced with a finite one. In the context of security protocols, this enables an agent in some circumstances to reuse a nonce instead of issuing a fresh one. With rank functions, the set of atomic messages is partitioned into equivalence classes [9]: if, whenever an agent chooses N, he could also have chosen N′, and vice versa, then N ∼ N′. Effectively this means that if the intruder could get either message, we treat it as if he could get both. Strand spaces analyses often make use of honest ideals [13]. The approach is to construct a set I[X] of messages that it would be dangerous to allow the intruder to see, and then show that X is unreachable from outside of I[X]. Effectively, we assume the intruder can get hold of everything outside of I[X], and then show that the protocol is still secure.

Often, these approaches work remarkably effectively, and the intruder cannot make any more headway with this extra knowledge than he could without it.

In some situations, however, such methods cannot be applied. In particular, it is difficult to see how any of the three approaches could be extended to deal with an intruder who can exploit the attack on low-exponent RSA discovered by Franklin and Reiter [3]. Incorporating this attack into the standard Dolev-Yao intruder model would involve strengthening the intruder to allow him to make additional inferences once he has gathered enough related messages to perform the attack. The problem, however, as discussed at length in [8], is that to exploit this weakness the intruder needs two distinct but related messages; and all three approaches will effectively assume that if the intruder can get one then he can get the other.

The purpose of this paper is to attempt to identify a large class of protocols and intruders for which this type of approach does work effectively. We give conditions on honest and intruder behaviours, and show that whenever the protocol and the intruder meet these conditions, certain infinite sets can be replaced by sets containing one or two elements. We use the strand spaces formalism here, but the results apply equally well to other formalisms.

modified from previous work elsewhere; Section 4 then gives results concerning properties preserved by replacing an infinite set with one or two representative values; we show in Section 5 that authentication properties are preserved by this replacement; Section 6 shows how these results apply to the Yahalom protocol; Section 7 discusses the implications of the results; and finally we sum up in Section 8.

3. STRAND TEMPLATES

In a previous paper [7], Lowe and the authors of this paper proposed an implementation for avoiding type flaw attacks on security protocols. The analysis there was conducted by considering protocol roles as strand templates; we revive that notion here as the basis for our work in this paper. Here, we have no need for type tagging; the definitions, therefore, are similar to those in [7] but with the type tagging removed.

A knowledge of the basics of strand spaces is assumed in what follows; the reader is invited to consult [14, 4] for further details.

Definition 3.1. The type of messages is defined by

    asymkey ::= pubkey | seckey
    key     ::= asymkey | symkey
    symkey  ::= sharkey | sesskey
    text    ::= agent | nonce
    atom    ::= text | key
    msg     ::= atom | key | pair msg msg | enc msg key

in which pair x y represents concatenation, usually abbreviated to x.y; and enc m k denotes encryption of m under k, which we shall usually write as {m}k.

Definition 3.2. A message template makes use of some set Var of variables, and some set Fn of function identifiers, containing functions like PK, the public key function:

    Template ::= Var
               | apply Fn ⟨Var, …, Var⟩
               | pair Template Template
               | encrypt Template Template

The template apply g ⟨v1, …, vn⟩ represents the result of applying function g to the variables v1, …, vn; we will denote this g(v1, …, vn). Similarly, pair x y represents concatenation, and encrypt m k denotes encryption of m under k. We shall abbreviate these to x.y and {m}k as with the corresponding constructors for the message type. The '.' and the '{}k' are thus overloaded; however, it will always be clear from the context whether we are speaking of messages or message templates.

Definition 3.3. A strand template is a finite sequence ⟨±tᵢ⟩ of transmissions and receptions of message templates.

In order to turn message templates into messages, and strand templates into strands, we need to turn the variables within the templates into messages.

Definition 3.4. A function sub : Var → atom from variables to atomic messages is known as a substitution. It is lifted to message templates and strand templates in the natural way:

    sub(x.y) = sub(x).sub(y)
    sub({m}k) = {sub(m)}sub(k)
    sub(g(v1, …, vn)) = g(sub(v1), …, sub(vn))
    sub(⟨±tᵢ⟩) = ⟨±sub(tᵢ)⟩

As an example, a strand template representing the initiator's behaviour in the Needham-Schroeder-Lowe protocol (NSL) [11, 10] might look like this:

    stNSL,I = ⟨+{a.na}PK(b), −{na.nb.b}PK(a), +{nb}PK(b)⟩

The key point to notice is that some substitution functions will convert this strand template into a valid strand representing a possible execution, and some will not. For instance, the substitution sub defined by

    sub(a) = A    sub(b) = B    sub(na) = NA    sub(nb) = NB

would, under most interpretations of the protocol specification, be a valid strand representing user A starting the protocol apparently with B, generating nonce NA as a fresh value, and accepting NB as an incoming nonce.

If, however, we are considering NB as a value that user B is able to generate but that other users are not, we would not allow any substitution sub′ with sub′(na) = NB. In addition, under the strong typing assumption, we could not allow sub′(nb) = B, because A would reject the value B in place of the incoming nonce.

In a similar way, a strand template representing the responder's behaviour in the NSL protocol might look like this:

    stNSL,R = ⟨−{a.na}PK(b), +{na.nb.b}PK(a), −{nb}PK(b)⟩

We will use NSL, and in particular, we will consider authentication of the initiator to the responder within NSL, as a running example throughout the paper.

3.1 Honest roles

A role will be a strand template, together with a set of functions that make valid instantiations of its variables.

Definition 3.5. A role is a pair (st, F), with st a strand template and F a set of substitutions.

The idea, for honest agents and servers, is that whenever sub ∈ F, sub(st) will be a strand representing an execution of the protocol from the perspective of the agent or server modelled by this role.

A protocol will be defined by some set H of honest roles, that is, roles representing honest agents.

Definition 3.6. An honest strand for a given protocol H is any strand sub(st) such that (st, F) ∈ H and sub ∈ F.

When we are looking for authentication of the initiator in NSL, we will choose a fixed but arbitrary responder strand

    sr = ⟨−{A.NA}PK(B), +{NA.NB.B}PK(A), −{NB}PK(B)⟩

and ask whether there is a corresponding initiator strand

    si = ⟨+{A.NA}PK(B), −{NA.NB.B}PK(A), +{NB}PK(B)⟩

In consequence, the set subNSL,I of valid substitution functions for stNSL,I will be unrestricted except by type and by the condition that the initiator will never choose NA for a nonce; thus we will allow any substitution sub satisfying

    sub(a) ∈ agent    sub(b) ∈ agent    sub(na) ∈ nonce \ {NA}    sub(nb) ∈ nonce

The set subNSL,R of valid substitution functions for stNSL,R will fall into two categories. We will later want to ensure that the nonce NB used in the particular run that we are considering is uniquely originating; therefore, we will restrict it so that it can be sent out only in the run sr mentioned above. Thus, valid substitutions will be any substitution sub satisfying

    sub(a) ∈ agent    sub(b) ∈ agent    sub(na) ∈ nonce    sub(nb) ∈ nonce \ {NB}

giving all runs except sr; and also sub′ satisfying

    sub′(a) = A    sub′(b) = B    sub′(na) = NA    sub′(nb) = NB

3.2 Penetrator roles

We assume the existence of some set KP ⊆ key of keys that the penetrator knows right from the start.

The usual strand spaces model includes within it a standard Dolev-Yao intruder, defined in terms of various types of penetrator strand. Here, we want to allow for the possibility of other types of penetrator activity, including the introduction of other types of penetrator strand (such as the low-exponent RSA strand). It is also natural to consider penetrator strands as strand templates.

All we need at this point is the existence of some set P of penetrator roles, representing the behaviour that the penetrator can engage in. A penetrator role is, formally speaking, exactly the same as an honest agent's role as defined in Definition 3.5: it is a strand template, together with a set of allowable substitutions.

It is easy to convert the standard penetrator strand descriptions into penetrator roles. In the case of the C, S, E and D strand types, what appears below describes an infinite family of roles, one for each possible assignment of messages to t1 and t2.

    M  Text message    (⟨+x⟩, {sub | sub(x) ∈ text})
    C  Concatenation   (⟨−t1, −t2, +t1.t2⟩, SUB)
    S  Separation      (⟨−t1.t2, +t1, +t2⟩, SUB)
    K  Key             (⟨+k⟩, {sub | sub(k) ∈ KP})
    E  Encryption      (⟨−t1, −k, +{t1}k⟩, {sub | sub(k) ∈ key})
    D  Decryption      (⟨−k′, −{t1}k, +t1⟩, {sub | sub(k), sub(k′) ∈ key ∧ sub(k′) = sub(k)⁻¹})

in which SUB is the set of all possible substitutions.

Definition 3.7. Any strand sub(st) with (st, F) ∈ P and sub ∈ F is considered a penetrator strand.

3.3 Bundles

For the rest of this paper, we will suppose that we have some fixed protocol H, a fixed set of penetrator roles P, a fixed set of penetrator keys KP, and consequently a fixed strand space Σ = {sub(st) | (st, F) ∈ H ∪ P, sub ∈ F}. A bundle is defined in the usual way, in terms of the graph structure induced by strand precedence ('⇒') and communication ('→').

Definition 3.8. Whenever n1 immediately precedes n2 on the same strand, we write 'n1 ⇒ n2'.

Definition 3.9. Whenever n1 is positive and n2 is negative, and term(n1) = term(n2), we write 'n1 → n2'.

Definition 3.10. If C is a subgraph of (⇒ ∪ →), and N_C is the set of nodes appearing on any edge of C, then we say that C is a bundle provided that

1. whenever n2 ∈ N_C and n2 has a negative sign, there exists a unique n1 ∈ N_C such that n1 → n2 ∈ C;

2. whenever n2 ∈ N_C and n1 ⇒ n2, we also have that n1 ⇒ n2 ∈ C;

3. C is finite and acyclic.

A bundle will be formed by linking together strands from Σ that have arisen from instantiating strand templates. We will take a collection of honest and penetrator roles, instantiate the strand templates by means of substitutions allowed by the roles, and then link the resulting strands together to form a bundle.

An attack on a protocol will correspond to a particular bundle. Such a bundle will represent one or more executions of the protocol, together with some penetrator behaviour, that results in a situation that violates an intended security property of the protocol.

The central idea of this paper is to investigate what substitutions need to be considered when looking for attack bundles. We will prove that, if the protocol and the penetrator satisfy certain requirements, many substitutions are redundant, in the sense that if there is an attack that uses one or more of these substitutions, then there is also an attack that does not.

3.4 Origination

Definition 3.11. We say that a message m originates on a node n if

1. n is a positive node, that is, n = +h for some message h;

2. m ⊏ term(n);

3. whenever node n∗ precedes n on the same strand, we have ¬(m ⊏ term(n∗)).

Definition 3.12. A message is uniquely originating in a bundle C if it originates on exactly one node of C.

3.5 Respect

A rolerespects a set of atoms if, roughly speaking, it treats them all in the same way, in the sense that either they are all valid instantiations of a variable or none of them is.

However, we need to be a little careful about key inverses here, to allow for roles such as the penetrator D strand, which relies on its two key variables being instantiated with mutual inverses.

Definition 3.13. A set W of atoms is type-consistent if one of the following holds: W ⊆ agent; W ⊆ nonce; W ⊆ asymkey and W is closed under taking inverses; W ⊆ symkey.

Definition 3.14. Let W be any type-consistent set of atoms. We say that a role (st, F) respects W if, for all z, z′ ∈ W and v ∈ Var, whenever sub ∈ F and sub(v) = z, we also have sub′ ∈ F, where

    sub′(x) = z′       if sub(x) = z
    sub′(x) = z′⁻¹     if sub(x) ∈ asymkey ∧ sub(x) = z⁻¹
    sub′(x) = sub(x)   otherwise

Note that the second condition applies only in contexts in which W contains asymmetric keys.

The following definition lets us alter a substitution so that it only ever uses one value z, or (if W contains asymmetric keys) two values z and z⁻¹, from a particular set W.

In cases not involving public keys, this will effectively conflate all values in W to a single value. Where public keys are involved, all public keys in W will be conflated to z, and all secret keys to z⁻¹.

Definition 3.15. Let W be any type-consistent set of atoms. Suppose that sub is a substitution, and that z ∈ W. We write sub[W/z] to denote the substitution defined by

    sub[W/z](v) = z        if sub(v) ∈ W ∧ sub(v) ∉ seckey
    sub[W/z](v) = z⁻¹      if sub(v) ∈ W ∧ sub(v) ∈ seckey
    sub[W/z](v) = sub(v)   otherwise

The purpose of dealing with secret keys as a special case is to ensure that if sub(v) and sub(v′) are inverses then so are sub[W/z](v) and sub[W/z](v′).

4. CONFLATING TYPE-CONSISTENT SETS

From this point onwards, we will take W to be a fixed type-consistent set of atoms.

Theorem 4.1. Let C be a bundle over Σ, N_C be the nodes of C, and z ∈ W. For each strand s of C, let (st_s, F_s) be the honest or penetrator role that has given rise to s, and sub_s ∈ F_s be the substitution such that s = sub_s(st_s).

Suppose that for every role (st, F) ∈ H ∪ P, we have that (st, F) respects W. Let C′, with nodes N_C′, be the graph formed by replacing every strand s with sub_s[W/z](st_s). Then C′ is a bundle over Σ.

Proof. Note that any node ±m on a strand s in C will be replaced in C′ by ±φ(m) (with the same sign), where

    φ(a) = z          if a ∈ W ∧ a ∉ seckey
    φ(a) = z⁻¹        if a ∈ W ∧ a ∈ seckey
    φ(a) = a          if a ∉ W ∧ a ∈ atom
    φ(x.y) = φ(x).φ(y)
    φ({m}k) = {φ(m)}φ(k)

We check that the conditions of Definition 3.10 still hold:

1. If n2′ ∈ N_C′ and n2′ has a negative sign, say n2′ = −m′, then the corresponding node in C is n2 = −m with φ(m) = m′. In C, there is a unique n1 such that n1 → n2, and n1 = +m. In C′, n1 will have been replaced with n1′ = +φ(m) = +m′, so the messages being communicated still match, and we still have a unique node n1′ such that n1′ → n2′ ∈ C′.

2. Since we are replacing an entire strand by another, if n2′ ∈ N_C′, then we look for the node n2 ∈ N_C corresponding to n2′. If n2 is the kth node of strand s, then n2′ is the kth node of strand sub_s[W/z](st_s). If n1′ ⇒ n2′ then n2′ cannot be the first node on its strand, so k > 1; in which case we have some node n1 ⇒ n2. Since C is a bundle, n1 ⇒ n2 ∈ C; now node n1, the (k−1)th node of s, becomes n1′ ∈ N_C′, the (k−1)th node of sub_s[W/z](st_s), so we do have n1′ ⇒ n2′ ∈ C′.

3. Certainly C′ is finite and acyclic, for it has exactly the same graph structure as C.

It is also clear that we have not moved outside of Σ by replacing strands in this way: since (st_s, F_s) respects W, and sub_s ∈ F_s, then, by Definition 3.14, sub_s[W/z] ∈ F_s, and so sub_s[W/z](st_s) is still an honest or penetrator strand (of the same type as s).

We also want to know that we have not destroyed any important origination properties. To say this, we will need a slightly stronger notion of subterming, written 't ⋐ m'. The idea is that t ⋐ m if t ⊏ m or t is a key used within m.

Definition 4.2. The ⋐ relation is the smallest reflexive relation satisfying

    t ⋐ x.y ⇔ t = x.y ∨ t ⋐ x ∨ t ⋐ y
    t ⋐ {m}k ⇔ t = {m}k ∨ t ⋐ m ∨ t ∈ {k, k⁻¹}

The first point to note is that if a message does not contain any elements ofW within it, then the renaming operation does not alter the message.

Lemma 4.3. If, for a message m, we have that for all w ∈ W, ¬(w ⋐ m), then φ(m) = m.

The proof is by structural induction on m, and is omitted. Similarly, if the renamed message contains nothing from W, its preimage must have been invariant under renaming.

Lemma 4.4. If, for a message m, we have that for all w ∈ W, ¬(w ⋐ φ(m)), then φ(m) = m.

Proof. Suppose that for all w ∈ W, ¬(w ⋐ φ(m)), but that φ(m) ≠ m. Then, by Lemma 4.3, there exists some q ∈ W such that q ⋐ m. We now show by induction that z∗ ⋐ φ(m) for either z∗ = z or z∗ = z⁻¹; and because in either case z∗ ∈ W, this yields a contradiction.

Case m ∈ atom: if q ⋐ m then q = m, and so by the definition of φ, φ(m) = z or φ(m) = z⁻¹. But then z ⋐ φ(m) or z⁻¹ ⋐ φ(m).

Case m = x.y: if q ⋐ x.y then q ⋐ x or q ⋐ y; we cannot have q = x.y, for q is an atom. But by the inductive hypothesis, we now have z∗ ⋐ φ(x) or z∗ ⋐ φ(y); either

Case m = {b}k: if q ⋐ {b}k then q ⋐ b or q = k or q = k⁻¹; we cannot have q = {b}k, for q is an atom. In either of these last two cases, we then have φ({b}k) = {φ(b)}z∗, for either z∗ = z or z∗ = z⁻¹, and so z∗ ⋐ φ({b}k). Alternatively, if q ⋐ b, then by the inductive hypothesis, z∗ ⋐ φ(b) for either z∗ = z or z∗ = z⁻¹; and we then have z∗ ⋐ {φ(b)}φ(k) = φ({b}k).

If such a message is a subterm of another, then it remains a subterm even when the larger message has been renamed.

Lemma 4.5. Suppose that for all w ∈ W, ¬(w ⋐ m). Then m ⊏ h ⇔ m ⊏ φ(h).

The proof, here omitted, notes first that by Lemma 4.3 we have m = φ(m), and then proceeds by structural induction on h for the forward implication and on φ(h) for the converse.

Such messages originate in one bundle if and only if they originate in the other.

Proposition 4.6. If, for a message m, we have that for all w ∈ W, ¬(w ⋐ m), then m originates on a node n in C iff it originates on the corresponding node in C′.

Proof. Let us first suppose that m originates on node n in C. We shall prove that it also originates on the corresponding node n′ in C′.

We check that Definition 3.11 is satisfied.

1. Since m originates on n, n must be positive. But φ leaves the sign unchanged; so n′ in C′ is also positive.

2. Since we have m ⊏ term(n), we conclude by means of Lemma 4.5 that m ⊏ φ(term(n)), which is the message on the corresponding node n′ in C′.

3. Suppose there is some n0′ ∈ N_C′ preceding n′ on the same strand, and that m ⊏ term(n0′). Let n0 be the matching node in C, so term(n0′) = φ(term(n0)). Now m ⊏ φ(term(n0)), so by Lemma 4.5 m ⊏ term(n0), contradicting Condition 3 of Definition 3.11.

Now we show that if m originates on node n′ in C′ then it also originates on the corresponding node n in C. Again, we check that Definition 3.11 is satisfied.

1. Since m originates on n′, n′ must be positive. But φ leaves the sign unchanged; so n in C is also positive.

2. Since m ⊏ term(n′), and term(n′) = φ(term(n)), we have by Lemma 4.5 that m ⊏ term(n), which is the message on the corresponding node n in C.

3. Suppose there is some node n0 ∈ N_C preceding n on the same strand, and m ⊏ term(n0). Let n0′ be the matching node in C′, so term(n0′) = φ(term(n0)). But then by Lemma 4.5 m ⊏ φ(term(n0)) = term(n0′), contradicting Condition 3 of Definition 3.11.

Corollary 4.7. If we have a message m such that for all w ∈ W, ¬(w ⋐ m), then m is uniquely originating in C iff it is uniquely originating in C′.

Proof. By Proposition 4.6, m originates on a node in C iff it originates on the corresponding node in C′. Thus, it originates on the same number of nodes in C as in C′. So it is uniquely originating in C′ iff it is uniquely originating in C.

5. AUTHENTICATION

In this section, we give a generic definition of what it means for one role to authenticate another, and show that, under reasonable conditions, C represents an authentication violation if and only if C′ does. Note that although we deal only with authentication here, it would be fairly trivial to extend the definitions in this section to deal with secrecy specifications.

The usual understanding of authentication requires that if one agent has run the protocol with particular parameters, then another agent must have run the protocol in the complementary role, with corresponding parameters.

In our terminology, this will mean that if the bundle contains a specific strand coming from role r1, it must also contain a corresponding strand from role r2. In addition, any selection of these values may be required to be uniquely originating.

Definition 5.1. Suppose that we have two roles r1 = (st1, F1) and r2 = (st2, F2), and let sub1 ∈ F1 and sub2 ∈ F2 be substitutions respectively from r1 and r2. Let U be a set of messages appearing in at least one of sub1(st1) and sub2(st2). Let h1, h2 be positive integers.

The tuple (r1, r2, sub1, sub2, h1, h2, U) is an authentication specification.

Definition 5.2. Let λ = (r1, r2, sub1, sub2, h1, h2, U) be an authentication specification, and let r1 = (st1, F1) and r2 = (st2, F2). We say that a bundle C represents an authentication violation with respect to λ if

1. there is a strand sub1(st1) with C-height at least h1;

2. there is no strand sub2(st2) with C-height at least h2;

3. for all m ∈ U, m is uniquely originating in C.

Note that this differs from the definition in [7] in that the substitutions sub1 and sub2 are included as parameters to the definition. Essentially this means that an authentication specification will be couched in terms of specific strands rather than strand templates. For this reason, we do not need to mention explicitly the set of parameters on which the roles should agree.

Let us return to our example of the Needham-Schroeder-Lowe protocol. We say that the responder role is authenticated to the initiator role if, whenever we have an initiator strand ⟨+{A.NA}PK(B), −{NA.NB.B}PK(A), +{NB}PK(B)⟩ in the bundle, it also contains a matching responder strand of length at least 2, either ⟨−{A.NA}PK(B), +{NA.NB.B}PK(A)⟩ or ⟨−{A.NA}PK(B), +{NA.NB.B}PK(A), −{NB}PK(B)⟩. This is expressed in terms of Definition 5.1 as follows:

    (r1 = (stNSL,I, subNSL,I), r2 = (stNSL,R, subNSL,R), sub1, sub2, h1 = 3, h2 = 2, U = {na, nb})

where, for i = 1 and i = 2,

    subi(a) = A    subi(b) = B    subi(na) = NA    subi(nb) = NB

We now prove our main result. The essence of the following theorem is that if we have a protocol and penetrator behaviour that are indifferent to changes within a set W of atoms, and an authentication specification that nowhere mentions anything from W, then the set W can be conflated without losing any attacks.

Theorem 5.3. Suppose that we have a protocol H and a set of penetrator roles P. Let Σ be the strand space formed from all strands produced by H and P.

Let λ = (r1, r2, sub1, sub2, h1, h2, U) be an authentication specification, and let r1 = (st1, F1) and r2 = (st2, F2).

As with Theorem 4.1, let C be a bundle over Σ, N_C be the nodes of C, and z ∈ W. For each strand s of C, let (st_s, F_s) be the honest or penetrator role that has given rise to s, and sub_s ∈ F_s be the substitution such that s = sub_s(st_s).

Suppose that for every role (st, F) ∈ H ∪ P, we have that (st, F) respects W. In addition, suppose that, for every node n of sub1(st1) or sub2(st2), and every w ∈ W, we have ¬(w ⋐ term(n)). Further suppose that, for any m ∈ U and w ∈ W, ¬(w ⋐ m).

Let C′, with nodes N_C′, be the graph formed by replacing every strand s with sub_s[W/z](st_s).

Then if C is an authentication violation with respect to λ, so is C′.

Proof. Theorem 4.1 shows that C′ is a bundle over Σ. We must show that it is an authentication violation. Since C is an authentication violation with respect to λ, we have, from Definition 5.2, that

1. there is a strand s1 = sub1(st1) with C-height at least h1;

2. there is no strand s2 = sub2(st2) with C-height at least h2;

3. for all m ∈ U, m is uniquely originating in C.

We now check the conditions of Definition 5.2 for C′.

1. Terms on nodes of C are replaced by their images under φ, as defined in Theorem 4.1. For a node n of s1, we know from our assumptions that for all w ∈ W, ¬(w ⋐ term(n)); so by Lemma 4.3, term(n) is invariant under φ. Consequently, the entire strand is invariant under φ, and the h1 nodes of s1 appearing in C transfer directly to C′.

2. Suppose that there were a strand s2 = sub2(st2) with C′-height at least h2. For a node n′ of s2 in C′, let n be the corresponding node in C, so that term(n′) = φ(term(n)). We know from our assumptions that for all w ∈ W, we have ¬(w ⋐ term(n′)); so by Lemma 4.4, term(n′) = φ(term(n)) = term(n). Consequently, the h2 nodes of strand s2 appearing in C′ have been transferred directly to C′ from an identical strand in C. Thus, there is a strand s2 = sub2(st2) with C-height at least h2, which yields a contradiction. Therefore, there is no such strand in C′.

3. From our assumptions, any m ∈ U is such that for all w ∈ W, ¬(w ⋐ m). Since m is uniquely originating in C, by Corollary 4.7 it is also uniquely originating in C′.

For the NSL protocol given previously, we can observe that the conditions for Theorem 5.3 are applicable, for the set of atoms W = nonce \ {NA, NB}, and for some arbitrary z ∈ W. We observe that each of the two roles of the protocol respects W, and that for every w ∈ W and every node n on the two fixed strands si and sr we have ¬(w ⋐ term(n)).

Theorem 5.3 means that all nonces in W can be considered as a single nonce, without losing attacks. Thus it is necessary to consider only bundles containing at most three nonces: NA, NB, and some other nonce, provided that we have in view a penetrator model that always respects W (as does, for instance, the standard penetrator model).

What Theorem 5.3 shows is that any attack on the protocol is preserved by the conflation of W down to a single value; so if there is no attack on the small system (with W conflated), there is no attack on the large, fully general system. Verification of the small system thus gives us a proof that the fully general system is secure. The converse holds trivially: any attack on the small system is already an attack on the large system, since every strand of the small system is also a strand of Σ. There is therefore an attack on the small system if and only if there is an attack on the large system.
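The following Python block is an added worked example, not code from the paper. It implements the message type of Definition 3.1 (with keys modelled as atoms), the renaming φ from the proof of Theorem 4.1 (Definition 3.15 lifted to messages), the relations ⊏ and ⋐ of Definition 4.2, and origination (Definition 3.11), and then applies them to the NSL strands of Section 3: the fixed strands si and sr are left unchanged by φ (Lemma 4.3), a third run using other nonces collapses onto the single representative, NB originates exactly once before and after the collapse (Corollary 4.7), and a penetrator D strand keeps its matching key pair when an inverse-closed set of asymmetric keys is conflated. The agents C and D, the nonces N3, N4, X, the representative N, and the naming convention PK(A)/SK(A) for key pairs are assumptions made for the demonstration. Strands are given as their node terms only, since φ leaves the ⇒ and → structure of a bundle untouched.

```python
# Added example (not from the paper): messages, phi, subterm relations and
# origination from Sections 3 and 4, applied to NSL strands.
# Assumed for the demo: agents C and D, nonces N3, N4, X, N; PK(x)/SK(x) naming.
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Atom:
    name: str
    kind: str  # agent | nonce | pubkey | seckey | symkey

@dataclass(frozen=True)
class Pair:        # pair x y, written x.y in the paper
    left: "Msg"
    right: "Msg"

@dataclass(frozen=True)
class Enc:         # enc m k, written {m}k; keys are atoms in this model
    body: "Msg"
    key: Atom

Msg = Union[Atom, Pair, Enc]

def inverse(k: Atom) -> Atom:
    """Key inverse: PK(x) <-> SK(x); symmetric keys are their own inverse."""
    if k.kind == "pubkey":
        return Atom("SK" + k.name[2:], "seckey")
    if k.kind == "seckey":
        return Atom("PK" + k.name[2:], "pubkey")
    return k

def phi(m: Msg, W: frozenset, z: Atom) -> Msg:
    """Atoms in W become z, secret keys in W become z^-1, others are kept;
    pairs and encryptions are renamed structurally (proof of Theorem 4.1)."""
    if isinstance(m, Atom):
        if m in W:
            return inverse(z) if m.kind == "seckey" else z
        return m
    if isinstance(m, Pair):
        return Pair(phi(m.left, W, z), phi(m.right, W, z))
    return Enc(phi(m.body, W, z), phi(m.key, W, z))

def subterm(t: Msg, m: Msg) -> bool:
    """t ⊏ m: ordinary subterm; the key k is not a subterm of {m}k."""
    if t == m:
        return True
    if isinstance(m, Pair):
        return subterm(t, m.left) or subterm(t, m.right)
    return isinstance(m, Enc) and subterm(t, m.body)

def key_subterm(t: Msg, m: Msg) -> bool:
    """t ⋐ m (Definition 4.2): also true when t is k or k^-1 for a key k used in m."""
    if t == m:
        return True
    if isinstance(m, Pair):
        return key_subterm(t, m.left) or key_subterm(t, m.right)
    return isinstance(m, Enc) and (key_subterm(t, m.body) or t in (m.key, inverse(m.key)))

def originates(m: Msg, strand: list, i: int) -> bool:
    """Definition 3.11 on a strand given as a list of (sign, term) nodes."""
    sign, term = strand[i]
    return sign == "+" and subterm(m, term) and not any(subterm(m, t) for _, t in strand[:i])

def origination_count(m: Msg, strands: list) -> int:
    return sum(originates(m, s, i) for s in strands for i in range(len(s)))

def collapse(strands: list, W: frozenset, z: Atom) -> list:
    """C -> C': rename every term; signs and graph structure are unchanged."""
    return [[(sign, phi(t, W, z)) for sign, t in s] for s in strands]

def agent(x): return Atom(x, "agent")
def nonce(x): return Atom(x, "nonce")
def PK(a): return Atom("PK(" + a.name + ")", "pubkey")

A, B, C, D = agent("A"), agent("B"), agent("C"), agent("D")
NA, NB, N3, N4, N = nonce("NA"), nonce("NB"), nonce("N3"), nonce("N4"), nonce("N")

def nsl_init(a, na, b, nb):   # sub(stNSL,I) for the given atoms
    return [("+", Enc(Pair(a, na), PK(b))),
            ("-", Enc(Pair(na, Pair(nb, b)), PK(a))),
            ("+", Enc(nb, PK(b)))]

def nsl_resp(a, na, b, nb):   # sub(stNSL,R) for the given atoms
    return [("-", Enc(Pair(a, na), PK(b))),
            ("+", Enc(Pair(na, Pair(nb, b)), PK(a))),
            ("-", Enc(nb, PK(b)))]

def nonce_demo():
    """W = nonce minus {NA, NB} (here N3, N4, N), conflated to z = N."""
    W, z = frozenset({N3, N4, N}), N
    si, sr, other = nsl_init(A, NA, B, NB), nsl_resp(A, NA, B, NB), nsl_init(A, N3, C, N4)
    before = [si, sr, other]
    after = collapse(before, W, z)
    fixed_unchanged = after[0] == si and after[1] == sr      # Lemma 4.3
    other_collapsed = after[2] == nsl_init(A, N, C, N)      # only one nonce left
    return fixed_unchanged, other_collapsed, origination_count(NB, before), origination_count(NB, after)

def key_demo():
    """W = {PK(C), SK(C), PK(D), SK(D)} (closed under inverses) conflated to z = PK(D):
    a penetrator D strand keeps its matching key pair (seckey case of Definition 3.15)."""
    X, skC = nonce("X"), inverse(PK(C))
    d_strand = [("-", skC), ("-", Enc(X, PK(C))), ("+", X)]
    W = frozenset({PK(C), skC, PK(D), inverse(PK(D))})
    (_, k2), (_, enc), _ = collapse([d_strand], W, PK(D))[0]
    return k2 == inverse(enc.key), subterm(skC, d_strand[1][1]), key_subterm(skC, d_strand[1][1])

if __name__ == "__main__":
    print(nonce_demo())   # (True, True, 1, 1)
    print(key_demo())     # (True, False, True)
```

The last value returned by key_demo shows why Definition 4.2 is needed: SK(C) is not a ⊏-subterm of {X}PK(C), but it is a ⋐-subterm, so a specification that left W = {PK(C), SK(C), …} unmentioned under ⊏ alone could still be disturbed by the renaming.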

6. EXAMPLE: THE YAHALOM PROTOCOL

As a further example, we show how our results apply to authentication of the initiator in the Yahalom protocol:

    Message 1.  a → b : a.na
    Message 2.  b → s : b.{a.na.nb}SrvK(b)
    Message 3.  s → a : {b.kab.na.nb}SrvK(a).{a.kab}SrvK(b)
    Message 4.  a → b : {a.kab}SrvK(b).{nb}kab

The protocol uses a trusted server s to generate a session key kab for users a and b. Each user u is assumed to share a symmetric key SrvK(u) with the server.

6.1 Strand templates

We can model respectively the initiator's, responder's and server's actions by means of strand templates defined as

    stY,I = ⟨+a.na, −{b.kab.na.nb}SrvK(a).{a.kab}SrvK(b), +{a.kab}SrvK(b).{nb}kab⟩
    stY,R = ⟨−a.na, +b.{a.na.nb}SrvK(b), −{a.kab}SrvK(b).{nb}kab⟩
    stY,S = ⟨−b.{a.na.nb}SrvK(b), +{b.kab.na.nb}SrvK(a).{a.kab}SrvK(b)⟩

6.2 Substitutions

Now we need to consider what substitutions are valid for each role. As with the NSL protocol, we pick a fixed but arbitrary responder strand

    sr = ⟨−A.NA, +B.{A.NA.NB}SrvK(B), −{A.KAB}SrvK(B).{NB}KAB⟩

and ask whether we can find a corresponding initiator strand

    si = ⟨+A.NA, −{B.KAB.NA.NB}SrvK(A).{A.KAB}SrvK(B), +{A.KAB}SrvK(B).{NB}KAB⟩

There will also be a corresponding server strand

    ss = ⟨−B.{A.NA.NB}SrvK(B), +{B.KAB.NA.NB}SrvK(A).{A.KAB}SrvK(B)⟩

The substitutions subY,I that will be valid for the initiator do not map na onto NA. We will allow any sub satisfying

    sub(a) ∈ agent    sub(b) ∈ agent    sub(kab) ∈ sesskey    sub(na) ∈ nonce \ {NA}    sub(nb) ∈ nonce

The responder substitutions subY,R will fall into two categories. Since NB, used in the fixed run that we are considering for authentication, will need to be uniquely originating, we ensure that it can be sent out only in response to nonce NA. Thus we will allow any sub satisfying

    sub(a) ∈ agent    sub(b) ∈ agent    sub(kab) ∈ sesskey    sub(na) ∈ nonce    sub(nb) ∈ nonce \ {NB}

giving all runs except sr, and also the substitution sub′ satisfying

    sub′(a) = A    sub′(b) = B    sub′(kab) = KAB    sub′(na) = NA    sub′(nb) = NB

We will similarly want KAB to be uniquely originating, so the server substitutions subY,S will also fall into two categories, one to allow the server to give out KAB in response to NA and NB, and one to allow it to give out any other key at any time. We will thus allow any sub satisfying

    sub(a) ∈ agent    sub(b) ∈ agent    sub(kab) ∈ sesskey \ {KAB}    sub(na) ∈ nonce    sub(nb) ∈ nonce

giving all runs except ss, and also sub′ as defined above.

6.3 Authentication

Authentication will mean that whenever strand sr (as defined above) appears in a bundle, there will be a corresponding strand si, right through to its final message. This is expressed in terms of Definition 5.1 as follows:

    (r1 = (stY,I, subY,I), r2 = (stY,R, subY,R), sub1, sub2, h1 = 3, h2 = 3, U = {na, nb, kab})

where sub1 and sub2 are as in the NSL example, extended with subi(kab) = KAB for i = 1 and i = 2.

6.4 Applying the main result

It is easy to see that each of the three roles in the protocol treats all nonces other than NA and NB in the same way; that is, whenever sub is a valid substitution for any of the roles and sub(n) = N, it is still a valid substitution to set sub(n) = N′, as long as N ∉ {NA, NB} and N′ ∉ {NA, NB}. Equally, none of these nonces is required to be uniquely originating according to the authentication specification. Thus, the set nonce \ {NA, NB} can be conflated to a single value N without losing (or gaining) any attacks. Similarly for the set sesskey \ {KAB}. All of these keys are treated in the same way by each role of the protocol, and none of these keys is required to be uniquely originating. Therefore, the set sesskey \ {KAB} can be replaced by a single value K when verifying the protocol.

Theorem 5.3 is stated for one type-consistent set W at a time, so the two conflations are applied in turn. The first leaves the fixed strands si, sr and ss, the set U, and the roles' respect for sesskey \ {KAB} untouched, so the hypotheses of the theorem still hold for the second.

It is clear, then, that Theorem 5.3 applies to the Yahalom protocol when considering authentication of the initiator (and, in fact, it also applies to authentication of the responder). When model-checking the Yahalom protocol, it is enough to consider only three nonces (NA, NB, N) and two session keys (KAB, K).

7. IMPLICATIONS

The strategy suggested here for checking authentication is to identify one fixed but arbitrary run, and to prove that authentication holds in this case. Since the run is arbitrarily chosen, it follows that authentication holds in general.

For NSL, and for authenticating the initiator to the responder, this involves fixing values for $A$, $B$, $N_A$, $N_B$, and then requiring that if the bundle contains a strand representing $B$ finishing the run, apparently with $A$, using nonces $N_A$ and $N_B$, then it should also contain a strand representing $A$ starting the run, apparently with $B$, also using nonces $N_A$ and $N_B$. We will also insist that a bundle should not be considered an attack unless $N_B$ is uniquely originating. A similar strategy applies to the Yahalom protocol.

The technique of choosing a fixed but arbitrary run is more usual with model-checking (including rank functions) than with strand spaces. However, bringing it over to the strand spaces world proves of considerable benefit here.

7.1 Origination assumptions

When we require only $N_B$ to be uniquely originating, and want it to be matched with $N_A$, we effectively partition the set of nonces into $\{N_A, N_B\}$ and $nonce \setminus \{N_A, N_B\}$. With the usual penetrator model, this will mean that all roles now respect $nonce \setminus \{N_A, N_B\}$; the result is that we can conflate this set to a single nonce.

Effectively, this is a way of saying that it does not matter if we allow the penetrator access to every other nonce. For any other run, the penetrator can guess the nonces involved immediately; it is only $N_B$ that remains secret from him.

If this seems to be too strong an assumption, the following points should be noted.

1. This is the usual viewpoint when using strand spaces. In the model-checking world, one is usually more inclined to treat (say) $N_A$ as initially unknown to the penetrator, and allow him to use it only if he can persuade an honest agent to tell him its value; but a strand spaces proof of correctness typically insists on unique origination only of one or two nonces from the crucial run. Unless a nonce is specifically required to be uniquely originating, the penetrator can produce it whenever he needs it.

2. Requiring all nonces to be uniquely originating, which is initially attractive, is unrealistic. When $B$ generates $N_B$ to send to $A$, he can ensure that he generates it securely, so that no-one can guess its value; it is thus reasonable for $B$, when looking for authentication of $A$, to treat $N_B$ as uniquely originating. But he should be encouraged to assume nothing about values generated by others. It would surely be foolish for $B$, when he is trying to authenticate $A$, to rely on nonce $N_D$, generated by $D$ for a run with $E$, being uniquely originating. He might never have heard of $D$ or $E$!

Of course, he does have to rely on the security of his secret key, and on that of his interlocutor; this is unavoidable. But he would be wise to choose a protocol that does not rely for its security on nonces that either agent may have generated in the past, or nonces that other agents may be generating for other runs.

7.2 Protocols and penetrators

Our belief is that most, if not all, protocols commonly appearing in the literature satisfy the requirements of Theorem 5.3 for conflating sets of nonces down to a small and finite size. Certainly any protocol previously analysed using the rank functions method described in [9] will meet the conditions; and in any case, for a given protocol, it is fairly trivial to check that it satisfies the requisite conditions.

This method can be applied iteratively. Once it has been applied to turn all nonces (except one, usually) into a single nonce, it can then be applied on the set of users (except two or three) to conflate this set down to a single user; after this, it can be used to conflate the set of session keys.

Some penetrator behaviours, such as low-exponent RSA exploitation, cannot be included because they do not result in roles that respect large sets. The low-exponent RSA strand template family would contain some looking like this:

L (Low-exponent RSA): $(\langle -\{a.x\}_k,\ -\{c.x\}_k,\ -k,\ +x \rangle,\ \{sub \mid sub(a) \neq sub(c),\ sub(k) \in key\})$

which is to say that any substitution is allowed that does not result in the two encryptions being equal. The problem here is that if $W$ is any set of atoms with $z, z' \in W$, and we have a substitution $sub$ such that $sub(a) = z$ and $sub(c) = z'$, then this role will not respect $W$; if it did, we would then have some other valid substitution $sub'$ with $sub'(a) = z$ and $sub'(c) = z$, which would violate the inequality in the definition of the strand template family above.
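As an added example (not code from the paper), the following Python script carries out the check that Section 6.4 describes for the Yahalom roles and that Section 7.2 describes for the low-exponent RSA template. It enumerates substitutions over small, constructed finite samples of $agent$, $nonce$ and $sesskey$, tests whether each role respects a candidate set $W$ (re-pointing any variable from one element of $W$ to another must preserve validity), and tests whether conflating $W$ to a single fresh atom leaves the set of valid substitutions exactly unchanged. The atom names (A, B, S, NA, NB, N1, N2, KAB, K1, K2), the encoding of each family as a domain-plus-predicate pair, and the helper names are assumptions made for this example; the unique-origination side of Theorem 5.3 is not modelled.

```python
"""Checking the 'respects' condition and the effect of conflation.

Added example, not code from the paper. It models the substitution families
of Section 6 (Yahalom roles) and Section 7.2 (low-exponent RSA penetrator
template) over small, constructed finite samples of the paper's infinite
atom sets, then checks (1) whether each role respects a candidate set W of
atoms and (2) whether conflating W to one fresh atom preserves exactly the
set of valid substitutions. All sample atom names are assumptions.
"""
from itertools import product

# Constructed finite samples of agent, nonce, sesskey (the paper's are infinite).
AGENT = ("A", "B", "S")
NONCE = ("NA", "NB", "N1", "N2")
KEY = ("KAB", "K1", "K2")
FIXED_RUN = ("A", "B", "KAB", "NA", "NB")   # the fixed but arbitrary run s_i / s_r / s_s

# A role is (variable -> sample domain, predicate on a substitution dict).
# The predicates carry only the relational constraints from the paper;
# membership constraints (sub(na) in nonce, ...) are enforced by the domains.
YAHALOM_VARS = {"a": AGENT, "b": AGENT, "kab": KEY, "na": NONCE, "nb": NONCE}


def _run(s):
    return (s["a"], s["b"], s["kab"], s["na"], s["nb"])


# Initiator: sub(na) in nonce \ {NA}.
YAHALOM_INIT = (YAHALOM_VARS, lambda s: s["na"] != "NA")
# Responder: sub(nb) in nonce \ {NB}, plus the fixed run sub'.
YAHALOM_RESP = (YAHALOM_VARS, lambda s: s["nb"] != "NB" or _run(s) == FIXED_RUN)
# Server: sub(kab) in sesskey \ {KAB}, plus the fixed run sub'.
YAHALOM_SRV = (YAHALOM_VARS, lambda s: s["kab"] != "KAB" or _run(s) == FIXED_RUN)
# Low-exponent RSA template <-{a.x}k, -{c.x}k, -k, +x>: any sub with sub(a) != sub(c).
LOW_EXP_RSA = ({"a": NONCE, "c": NONCE, "x": NONCE, "k": KEY}, lambda s: s["a"] != s["c"])


def valid_subs(role):
    """Enumerate every valid substitution over the role's sample domains."""
    domains, ok = role
    names = list(domains)
    out = []
    for vals in product(*(domains[n] for n in names)):
        s = dict(zip(names, vals))
        if ok(s):
            out.append(s)
    return out


def respects(role, w):
    """Return None if the role respects W, else a counterexample (sub, var, z2).

    Respect (Sections 6.4 and 7.2): whenever sub is valid and sub(v) in W,
    re-pointing v at any other z2 in W must still yield a valid substitution.
    W is assumed to lie inside one atom type, so z2 is always in v's domain.
    """
    _, ok = role
    for s in valid_subs(role):
        for v, z in s.items():
            if z not in w:
                continue
            for z2 in w:
                t = dict(s)
                t[v] = z2
                if not ok(t):
                    return (s, v, z2)
    return None


def conflate(role, w, fresh):
    """Collapse every atom of W to the single atom `fresh` in the role's domains."""
    domains, ok = role
    q = lambda z: fresh if z in w else z
    new_domains = {n: tuple(dict.fromkeys(q(z) for z in d)) for n, d in domains.items()}
    return (new_domains, ok), q


def conflation_is_exact(role, w, fresh):
    """True iff the collapsed role's valid substitutions are exactly the images
    of the original ones, i.e. conflating W neither loses nor gains runs."""
    small, q = conflate(role, w, fresh)
    image = {tuple(sorted((n, q(z)) for n, z in s.items())) for s in valid_subs(role)}
    direct = {tuple(sorted(s.items())) for s in valid_subs(small)}
    return image == direct


OTHER_NONCES = {"N1", "N2"}          # nonce \ {NA, NB}
OTHER_KEYS = {"K1", "K2"}            # sesskey \ {KAB}


def analyse():
    """Apply the checks to the paper's two families; returns a summary dict."""
    roles = {"init": YAHALOM_INIT, "resp": YAHALOM_RESP, "srv": YAHALOM_SRV}
    return {
        # Every Yahalom role respects nonce \ {NA, NB} and sesskey \ {KAB} ...
        "yahalom_respects_nonces": all(respects(r, OTHER_NONCES) is None for r in roles.values()),
        "yahalom_respects_keys": all(respects(r, OTHER_KEYS) is None for r in roles.values()),
        # ... but not nonce \ {NB}: NA is treated specially by initiator and responder.
        "init_respects_nonces_with_NA": respects(YAHALOM_INIT, OTHER_NONCES | {"NA"}) is None,
        "resp_respects_nonces_with_NA": respects(YAHALOM_RESP, OTHER_NONCES | {"NA"}) is None,
        # Conflation to N, then to K, is exact for each role (the iterative use of Section 7.2).
        "yahalom_conflation_exact": all(
            conflation_is_exact(r, OTHER_NONCES, "N")
            and conflation_is_exact(conflate(r, OTHER_NONCES, "N")[0], OTHER_KEYS, "K")
            for r in roles.values()),
        # The inequality sub(a) != sub(c) stops the RSA template respecting any W with |W| >= 2.
        "rsa_counterexample": respects(LOW_EXP_RSA, OTHER_NONCES),
        "rsa_conflation_exact": conflation_is_exact(LOW_EXP_RSA, OTHER_NONCES, "N"),
    }


if __name__ == "__main__":
    for name, result in analyse().items():
        print(f"{name}: {result}")
```

Running the script prints one line per check. The three Yahalom roles respect $nonce \setminus \{N_A, N_B\}$ and $sesskey \setminus \{K_{AB}\}$, and collapsing those sets to $N$ and then $K$ is exact; the initiator and responder do not respect $nonce \setminus \{N_B\}$, because $N_A$ is treated specially, which is why both $N_A$ and $N_B$ have to be kept apart from the conflated set; and for the RSA template `respects` returns a counterexample of exactly the shape the text describes (re-pointing $a$ onto the value of $c$), while conflation maps the valid substitution with $sub(a) = N_1$, $sub(c) = N_2$ onto an invalid one, so the collapsed model no longer matches the original.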

8. CONCLUSION

In this paper, we have shown that, for a large class of protocols operating under reasonable conditions, it is possible to replace infinite sets of atoms with finite ones when conducting security protocol analysis, without affecting security; we have demonstrated this using the Needham-Schroeder-Lowe and Yahalom protocols. This, we anticipate, will be of great benefit to protocol analysers, and will often enable them to reduce an infinite-state problem to a small and finite one.

It may at first be thought that the results proved here are at variance with those in [2]. However, the class of protocols considered in that paper is far larger than the one considered here. There, the authors prove that reduction of the infinite to the finite is not in general possible for the world of security protocols as a whole; here, we identify a useful subclass for which reduction theorems do exist.

The approach presented here bears some relationship to the work described in [5], which provides a way of mapping strands within a bundle to a single strand, thus in some sense reducing the size of the bundle, while preserving particular security properties. The authors prove that all bundles associated with a protocol will reduce to one of a finite set, and hence that the property under consideration need only be checked against the members of that finite set; this gives a decidability result for their class of protocols. In contrast, our approach does not reduce the size or structure of the bundle, but rather maps all messages within any protocol bundle to one of a finite number, while preserving particular security properties. This approach is appropriate in verification frameworks that provide proofs focused on the space of messages, such as those based around rank functions.

Although the work here has been presented using strand spaces, the results apply in a wider setting. In particular, this work may shed further light on the unresolved question of the completeness of the rank function theorem [6].

Acknowledgements

We are grateful to Joshua Guttman for helpful comments.

9. REFERENCES

[1] H. Comon-Lundh and V. Cortier. Security Properties: Two Agents Are Sufficient. In Proceedings of the 12th European Symposium on Programming (ESOP 2003), volume 2618 of Lecture Notes in Computer Science. Springer-Verlag, Apr. 2003.

[2] N. A. Durgin, P. D. Lincoln, J. C. Mitchell, and A. Scedrov. Undecidability of bounded security protocols. In Workshop on Formal Methods and Security Protocols (FMSP'99), The 1999 Federated Logic Conference (FLoC'99), July 1999.

[3] M. Franklin and M. Reiter. A linear protocol failure for RSA with exponent three. 1995. Presented at the Rump Session of Crypto '95, Santa Barbara, CA.

[4] J. D. Guttman and F. J. Thayer Fábrega. Protocol Independence through Disjoint Encryption. Proceedings of 13th IEEE Computer Security Foundations Workshop, pages 24–34, June 2000.

[5] J. D. Guttman and F. J. Thayer Fábrega. The Sizes of Skeletons. MTR, The MITRE Corporation, Bedford, MA, January 2005.

[6] J. A. Heather. 'Oh! ... Is it really you?' Using rank functions to verify authentication protocols. Department of Computer Science, Royal Holloway, University of London, December 2000.

[7] J. A. Heather, G. Lowe, and S. A. Schneider. How to avoid type flaw attacks on security protocols. Journal of Computer Security, 2002.

[8] J. A. Heather and S. A. Schneider. Equal To The Task? In D. Gollmann, G. Karjoth, and M. Waidner, editors, ESORICS 2002, volume 2502 of Lecture Notes in Computer Science. Springer-Verlag, October 2002.

[9] J. A. Heather and S. A. Schneider. A Decision Procedure for the Existence of a Rank Function. Journal of Computer Security, 13, 2005.

[10] G. Lowe. Breaking and Fixing the Needham-Schroeder Public-Key Protocol using FDR. In Proceedings of TACAS, volume 1055 of Lecture Notes in Computer Science, pages 147–166. Springer-Verlag, 1996.

[11] R. M. Needham and M. D. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993–999, December 1978.

[12] A. W. Roscoe and P. J. Broadfoot. Proving security protocols with model checkers by data independence techniques. Journal of Computer Security, 1999.

[13] F. J. Thayer Fábrega, J. C. Herzog, and J. D. Guttman. Honest ideals on strand spaces. Proceedings of 11th IEEE Computer Security Foundations Workshop, June 1998.

[14] F. J. Thayer Fábrega, J. C. Herzog, and J. D. Guttman. Strand spaces: Proving security protocols correct. Journal of Computer Security, 7(2,3):191–230, 1999.
