Symbolic Bisimulation in the Spi Calculus 167
A symbolic transition is written where. In a transition constraint we have and is a tuple of names that are fresh in. As above, we omit when is empty. The symbolic counterpart to concrete evaluation is abstract evaluation. Intuitively, it performs all decryptions in a term without checking that decryption and encryption keys correspond. Instead, when used in the derivation of a transition, we add this requirement to the transition constraint.
Symbolic transitions are defined as the smallest relation generated by the S-rules of Table 1 plus symmetric variants of (SSUM), (SPAR) and (SCOM). Compared to the concrete semantics, concrete evaluation is replaced by abstract evaluation in the rules (SOUT) and (SIN). When we encounter a guard, the rule (SGUARD) simply adds it to the transition constraint. If a bound name occurs only in the transition constraint then, with (SOPEN-GRD), its scope is not extruded; it remains restricted in the resulting process, and also appears restricted in the transition constraint. Together with abstract evaluation, this rule prevents unnecessary scope extrusion, as seen in the following example. This is necessary to obtain the desired correspondence (Lemma 1).
Example 1. Let for some Q. Concretely, However, if the definition of (SOUT) did not include we would have where is extruded.
Lemma 1. Concrete transitions correspond to symbolic transitions with true constraints.
PROOF: By induction on the derivation of the transitions.
4 Bisimulations – Concrete and Symbolic
In the spi calculus, bisimulations must take into account the cryptographic knowledge of the observing environment—potentially a malicious attacker. To relate two processes P and Q, one usually seeks a bisimulation such that for some environment containing the free names of both processes.
In the following, we define two bisimulations and their respective notions of environment. Concrete bisimulation is a strong late version of hedged bisimulation as defined in [BN02]. Weak early hedged bisimulation is a variant of framed bisimulation [AG98] designed to be sound and complete with respect to barbed equivalence [BDP02]. Symbolic bisimulation is intended to enable automatic verification, while still being sufficiently complete with respect to the concrete bisimulation for the purpose of verifying security protocols (cf. Section 6).
Concrete Bisimulation. The environment knowledge is stored in sets of pairs of messages, called hedges. The first message of a pair contributes to the knowledge about the first process; likewise the second message is related to the second process. Hedges evolved from the frame-theory pairs of [AG98] by dropping the frames. As a compact representation, we always work with irreducible hedges, where no more decryptions are possible. (Irreducibles are related to the notions of core in [BDP02] and minimal closure seed in [DSV03].) The set of message pairs that can be generated using the knowledge of the environment is called its synthesis. Since we want to use hedges also for the symbolic bisimulations, we do not a priori exclude pairs of non-message expressions in the hedges.
Definition 1 (Hedges). A hedge is a subset of. The synthesis of a hedge is the smallest hedge containing and satisfying. The irreducibles of a hedge are defined as, where the analysis is the smallest hedge containing and satisfying. We write for. If is a hedge, we let and.
A concrete environment, i.e., a hedge that only contains pairs of messages, is consistent if it is irreducible and the attacker cannot distinguish between the messages in and their counterparts in. The attacker can (1) distinguish names from composite messages, (2) check message equality, (3) create public and private keys and hashes, and (4) encrypt and (5) decrypt messages with any key it can create.
Definition 2 (Concrete Consistency). A finite concrete environment ce is semi-consistent iff whenever. ce is consistent iff both ce and are semi-consistent.
A concrete relation is a subset of. is consistent if implies that ce is consistent. A concrete relation is symmetric if implies.
Intuitively, for two processes to be concretely bisimilar under a given concrete environment, every detected transition of one of the processes must be simulated by a transition of the other process on a corresponding channel, such that the updated environment is consistent.
Definition 3 (Concrete Bisimulation). A symmetric consistent concrete relation is a concrete bisimulation if, when and with (bound names are fresh) (the transition is detected), for all B with consistent and (all new names are needed) (new names are fresh) (and are indistinguishable), we have.
Concrete bisimilarity, written, is the union of all concrete bisimulations.
In the definition above, we check channel correspondence by adding the channels to the environment. If they do not correspond, the resulting environment will not be consistent (Definition 2, item 2).
On process output we use to construct the new environment after the transition. This entails applying all decryptions with keys that are known by the environment, producing the minimal extension of the environment ce with. This extension may turn out to be inconsistent, signifying that the environment can distinguish corresponding messages from the two processes.
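As an added illustration of the hedge machinery described above (synthesis, analysis and irreducibles from Definition 1, the attacker capabilities behind Definition 2, and the construction of the environment after a process output), here is a small Python model that is not from the paper. It restricts messages to names, pairs and shared-key encryption, so capability (3), creating keys and hashes, is not modelled; it assumes that the irreducibles of a hedge are the analysed pairs that cannot be rebuilt from the other analysed pairs; and it also lets the attacker tell a pair from a ciphertext, which the text does not list explicitly. The scenario in `key_leak_scenario` is constructed: two processes output a name under a secret key, which the environment cannot distinguish, and the key is then published, after which decryption exposes the difference and the extended environment is inconsistent.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Name:                      # constructed message syntax: names, pairs, shared-key encryption
    n: str

@dataclass(frozen=True)
class Pair:
    left: object
    right: object

@dataclass(frozen=True)
class Enc:
    body: object                 # plaintext
    key: object                  # shared key

def parts(t):
    # Immediate subterms of a composite term; empty for a name.
    return (t.left, t.right) if isinstance(t, Pair) else (t.body, t.key) if isinstance(t, Enc) else ()

def closure(items, step):
    # Least fixpoint: add step(x, current) for every x until nothing new appears.
    s = set(items)
    while True:
        new = set().union(*(step(x, frozenset(s)) for x in s)) - s
        if not new:
            return frozenset(s)
        s |= new

def synthesizable(h, m, n):
    # (m, n) in S(h): in h, or built from S(h) by pairing/encrypting in lockstep on both sides.
    if (m, n) in h:
        return True
    return type(m) is type(n) and bool(parts(m)) and all(synthesizable(h, x, y) for x, y in zip(parts(m), parts(n)))

def analysis(h):
    # A(h): close h under splitting pairs and decrypting with a key pair in S(A(h)).
    def step(p, cur):
        m, n = p
        if isinstance(m, Pair) and isinstance(n, Pair):
            return {(m.left, n.left), (m.right, n.right)}
        if isinstance(m, Enc) and isinstance(n, Enc) and synthesizable(cur, m.key, n.key):
            return {(m.body, n.body)}
        return set()
    return closure(h, step)

def irreducibles(h):
    # I(h), assumed here: analysed pairs that cannot be rebuilt from the other analysed pairs.
    a = analysis(h)
    return frozenset(p for p in a if not synthesizable(a - {p}, *p))

def can_build(known, m):
    # Single-sided synthesis: an attacker holding `known` can construct m.
    return m in known or (bool(parts(m)) and all(can_build(known, x) for x in parts(m)))

def one_sided_knowledge(known):
    # Single-sided analysis: what one attacker learns by projecting and decrypting.
    def step(m, cur):
        if isinstance(m, Pair):
            return {m.left, m.right}
        if isinstance(m, Enc) and can_build(cur, m.key):
            return {m.body}
        return set()
    return closure(known, step)

def semi_consistent(ce):
    # Checks (1), (2) and (5) from the text, seen from the left attacker's side.
    left = one_sided_knowledge(frozenset(m for m, _ in ce))
    for m, n in ce:
        if type(m) is not type(n):  # (1) name vs composite; pair vs ciphertext added by assumption
            return False
        if isinstance(m, Enc) and can_build(left, m.key):  # (5) left can decrypt, right cannot
            return False
        if any(m == m2 and n != n2 for m2, n2 in ce):  # (2) equal on the left, unequal on the right
            return False
    return True

def consistent(ce):
    # Definition 2: the reduced hedge and its swap are both semi-consistent.
    ce = irreducibles(ce)
    return semi_consistent(ce) and semi_consistent(frozenset((n, m) for m, n in ce))

def knowledge_after_output(ce, m, n):
    # Environment after the two processes output m and n: the minimal irreducible extension.
    return irreducibles(ce | {(m, n)})

def key_leak_scenario():
    # Constructed scenario: a name encrypted under a secret key, then the key itself is published.
    a, m, n, k = Name("a"), Name("m"), Name("n"), Name("k")
    ce0 = frozenset({(a, a), (m, m)})                        # environment knows a and m
    ce1 = knowledge_after_output(ce0, Enc(m, k), Enc(n, k))  # {m}k vs {n}k with k secret
    ce2 = knowledge_after_output(ce1, k, k)                  # k published: (m, n) is revealed
    return ce1, ce2

if __name__ == "__main__":
    ce1, ce2 = key_leak_scenario()
    print("after ciphertext output:", consistent(ce1))  # True
    print("after key output:", consistent(ce2))         # False
```

`knowledge_after_output` is the step the text describes for process output: add the pair, apply every decryption the environment can now perform, and keep only the irreducibles. `consistent` then applies the semi-consistency checks to the hedge and to its swap; in the scenario the published key lets the environment decrypt both ciphertexts, which yields the pair (m, n) next to the existing (m, m), and the equality check fails.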
On process input any input that the environment can construct (i.e., satisfying) must be considered. This is the main problem for automating bisimilarity checks, since the set of potential inputs is infinite. We now define a symbolic bisimulation for the spi calculus, with the property that every simulated input action gives rise to only one new process pair.
Symbolic Bisimulation. As with concrete bisimulation, we need an environment to keep track of what an attacker has learned during a bisimulation game. As in the concrete case, a symbolic environment contains a hedge to hold the initial knowledge of an environment and the knowledge derived from messages received from the processes. Moreover, in a second hedge, we store the input variables that we come across when performing process inputs. Similarly to other symbolic bisimulations [HL95, BD96], we record the transition constraints accumulated by the processes. Finally, to know whether an input was performed before or after the environment learned a given message (e.g., the key of an encrypted message), the knowledge and the input variables are augmented with timing information.
Example 2. This example, inspired by [AG99], illustrates why we need to remember the order of received messages. Let. Since the input of happens before P publishes its private key, cannot be equal to a ciphertext encrypted with. So, the output can never execute.
Definition 4 (Symbolic Environments). A symbolic environment consists of the following three elements.
1. A timed hedge representing the knowledge of the environment.
2. A timed variable set containing earlier input variables.
3. A pair of formulae that are the accumulated transition constraints.
The set of finite symbolic environments is denoted SE. We let for. To swap the sides of a take a snapshot of a timed hedge as.
Example 3. A symbolic environment related to Example 2 is, where for and.
A symbolic environment can be understood as a concise description of a set of concrete environments, differing only in the instantiations of variables. Here, a variable instantiation is a pair of substitutions that are applied to the knowledge of a symbolic environment. As in the concrete case, we may create some fresh names (B below) when instantiating variables. This definition of concretization does not constrain the substitutions or ‘fresh’ names, but see Definition 6.
Definition 5 (Concretization). Given and substitutions, we can concretize a timed hedge th into.
Note that if all evaluations are defined.
Example 4. We take from Example 3. If then. If then, which is undefined since.
A symbolic environment does not permit arbitrary variable instantiations. To begin with, the corresponding concretization must be defined. Furthermore, in order not to invalidate previous transitions that have taken place, we require the accumulated transition constraints to hold after variable instantiation. Finally, if a variable corresponds to an input performed at time, then the message substituted for the variable must be synthesizable from the knowledge of the environment at that time, augmented with some fresh names B.
Definition 6 (se-Respecting Substitutions). A substitution pair is called se-respecting with, written, iff.
If (becomes known strictly after was input) then we do not have for any B, since we cannot synthesize before knowing.
In contrast to the concrete case, there are two different ways for a symbolic environment to be inconsistent. (1) If one of the concretizations of the environment is inconsistent: the attacker can distinguish between the messages received from the two processes. (2) If there is a concretization such that, after substituting, one of the accumulated transition constraints holds but the other does not: one of the processes made a transition that was not simulated by the other.
Definition 7 (Symbolic Consistency). Let be a symbolic environment. se is consistent if for all B, we have that.
The definition of symbolic bisimilarity is similar to the concrete case. To see if a transition needs to be simulated, we search for a concretization under which the transition takes place concretely and is detected. On input, we simply add the input variables to the timed variable set. For all transitions, we add the constraints to the environment. The consistency of the updated environment implies that the simulating transition is detected, and that the channels correspond.
A symbolic relation is a subset of. is symmetric if implies that. is consistent if se is consistent whenever.
Definition 8 (Symbolic Bisimulation). A symmetric consistent symbolic relation is a symbolic bisimulation if (bound names are fresh) there exist B with and (possible) (detectable) (created names are fresh).
Theorem 1. Whenever and.
PROOF: To prove this theorem, we must verify two things.
1. Any concrete transition of that must be simulated by under the concrete environment has a corresponding symbolic transition of P that must be simulated by Q under se.
2. If a symbolic transition of P is simulated by Q under se, and has a corresponding concrete transition of that must be simulated by under, then can simulate the concrete transition. Moreover, the process pairs and environments after the transition are related by a suitable extension of.
By this theorem, symbolic bisimilarity is a sound approximation to concrete bisimilarity and, by transitivity, barbed equivalence. A weak version of symbolic bisimulation may be defined in the standard fashion.
We prove that the equation of the example in §1 holds.
We start with a symbolic environment in which the message is a (th,tw,(tt,tt)). Note that we give a later time than and in order to permit occurrences of and in the message.
Proposition 1.
We write to denote that is a tuple of pairwise different names. The symmetric closure of the following set is a symbolic bisimulation.
Note that the set itself is infinite, but that this infinity only arises from the possible different choices of bound names. Effectively, the bisimulation contains only 7 · 2 = 14 process pairs. We only check the element. is consistent by the consistency of B, since. We also have, which is true independently of and, which is also always true. Thus is consistent.
simulated, since if we let then we have that.
Transition 2. First we to avoid clashes with environment names. does not need to be simulated: holds iff for some M, but cannot be in since it is bound in the transition constraint.
6 Sources of Incompleteness
The following examples show sources of incompleteness of the proposed “very late” symbolic bisimulation. All these examples start from the same symbolic environment. Since se has no variables, it has only one concretization.
In general, symbolic bisimulations let us postpone the “instantiation” of input variables until the moment they are actually used, leading to a stronger relation. In the pi calculus this was addressed using [BD96]. We let
The next example shows that the requirement that the collected transition guards should be indistinguishable gives rise to some incompleteness, which we conjecture could be removed by allowing decompositions of the guards. We let
PROOF: Since an output action of always has an extra equality or disequality constraint compared to the output action of, the resulting symbolic environment is not consistent. In contrast, concrete bisimulation instantiates the input at once, killing one of the output branches of.
Incompleteness also arises from the fact that we choose not to calculate the precise conditions for the environment to detect a process action. We let
PROOF: The output action of is detected iff the first input was equal to. Then the first message is the key of the second message. Since this constraint is not added to the symbolic environment but the explicit equality constraint of is, we have an inconsistent symbolic environment after the final outputs.
Impact. We have seen above that processes that are barbed equivalent but differ in the placement of guards may not be symbolically bisimilar. However, we contend that this incompleteness will not affect the verification of secrecy and authenticity properties of security protocols. For secrecy, we want to check whether two instances of the protocol with different messages (or symbolic variables) are bisimilar, so there is no change in the structure of the guards. For authenticity, we conjecture that the addition of guards in the specification only triggers the incompleteness if they relate to the observability of process actions (cf. Proposition 4), something that should never occur in real-world protocols.
Contribution. We have given a general symbolic operational semantics for the spi calculus, including the rich guard language of [BDP02] and allowing complex keys and public-key cryptography. We also propose the, to our knowledge, first symbolic notion of bisimilarity for the spi calculus, and prove it a sound approximation of concrete hedged bisimilarity.
Mechanizing Equivalence Checks. Ultimately, we seek mechanizable (efficiently computable) ways to perform equivalence checks. Hüttel [Hüt02] showed decidability of bisimilarity checking by giving a “brute-force” decision algorithm for framed bisimulation in a language of only finite processes. However, this algorithm is not practically implementable, generating branches for each input of the Wide-mouthed Frog protocol of [AG99].
Ongoing and Future Work. We are currently working on an implementation of this symbolic bisimilarity with a guard language not including negation; the crucial point is the infinite quantifications in the definition of environment consistency. As in [Bor01], it turns out to be sufficient to check a finite subset of the environment-respecting substitution pairs: the minimal elements of a refinement preorder. However, the presence of consistency makes for a significant difference in the refinement relation.
Moreover, the symbolic bisimilarity presented in this paper is a compromise between the complexity of its definition and the degree of completeness; we have refined proposals that we conjecture will provide full completeness. We also conjecture that a slightly simplified version of our symbolic bisimulation could be used for the applied pi calculus [AF01]. In this setting, any mechanization would depend heavily on the chosen message language and equivalence.
References
[AF01] M. Abadi and C. Fournet. Mobile values, new names, and secure communication. In Proc. of POPL ’01, pages 104–115, 2001.
[AG98] M. Abadi and A. D. Gordon. A bisimulation method for cryptographic protocols. Nordic Journal of Computing, 5(4):267–303, 1998.
[AG99] M. Abadi and A. D. Gordon. A calculus for cryptographic protocols: The Spi Calculus. Information and Computation, 148(1):1–70, 1999.
R. M. Amadio and D. Lugiez. On the Reachability Problem in Cryptographic Protocols. In Proc. of CONCUR 2000, pages 380–394, 2000.
[BD96] M. Boreale and R. De Nicola. A symbolic semantics for the Information and Computation, 126(1):34–52, 1996.
[BDP02] M. Boreale, R. De Nicola, and R. Pugliese. Proof techniques for cryptographic processes. SIAM Journal on Computing, 31(3):947–986, 2002.
[BN02] J. Borgström and U. Nestmann. On bisimulations for the spi calculus. In Proc. of AMAST 2002, pages 287–303, 2002. Full version: EPFL Report IC/2003/34. Accepted for Mathematical Structures in Computer Science.
[Bor01] M. Boreale. Symbolic Trace Analysis of Cryptographic Protocols. In Proc. of ICALP 2001, pages 667–681, 2001.
V. Cortier. Vérification automatique des protocoles cryptographiques. PhD thesis, École Normale Supérieure de Cachan, 2003.
H. Comon and V. Shmatikov. Is it possible to decide whether a cryptographic protocol is secure or not? Journal of Telecommunications and Information Technology, 4:5–15, 2002.
[DSV03] L. Durante, R. Sisto, and A. Valenzano. Automatic testing equivalence verification of spi-calculus specifications. ACM Transactions on Software Engineering and Methodology, 12(2):222–284, Apr. 2003.
M. Fiore and M. Abadi. Computing Symbolic Models for Verifying Cryptographic Protocols. In 14th IEEE Computer Security Foundations Workshop,
[Hüt02] H. Hüttel. Deciding framed bisimilarity. In Proc. of INFINITY, 2002.
D. Sangiorgi. A theory of bisimulation for the Acta Informatica, 33:69–97, 1996.
B. Victor and F. Moller. The Mobility Workbench — a tool for the In Proc. of CAV ’94, pages 428–440, 1994.
A Symbolic Decision Procedure for Cryptographic Protocols with Time Stamps *
(Extended Abstract)
Liana Bozga, Cristian Ene, and Yassine Lakhnech
VERIMAG, 2 av. de Vignate, 38610 Grenoble, France. {Liana.Bozga, Cristian.Ene, Yassine.Lakhnech}@imag.fr
Abstract. We present a symbolic decision procedure for time-sensitive cryptographic protocols with time-stamps. Our decision procedure deals with secrecy, authentication and any property that can be described as an invariance property.
Cryptographic protocols are mandatory to ensure secure transactions in an open environment. They must be able to guarantee confidentiality, authentication and other security properties despite the fact that transactions take place in face of an intruder who may have complete control of a network, i.e., who may monitor, delete, alter or redirect messages. To achieve this goal these protocols rely upon cryptographic primitives and fresh nonces. The cryptographic primitives allow to encrypt messages with keys such that only a principal that owns the inverse key is able to extract the plain text from the cipher text; while nonces are used to prevent replaying and redirecting messages. Nonces are usually implemented as randomly generated numbers. Now, such an implementation is not always feasible, and therefore, some cryptographic protocols rely upon timestamps or counters instead of nonces. Timestamps are then used by recipients to verify timeliness of the message and recognize and reject replays of messages communicated in the past. The problem is, however, that while the value of a nonce is not predictable, the value of a counter or a timestamp is. Hence, replacing nonces by counters or timestamps can produce new attacks. Moreover, a verification method has to take into account this predictability feature.
Most of the automatic verification methods for cryptographic protocols consider time-independent protocols [17,16,15,9] with the exception of [8,13].
In this paper, we present a model for time-dependent cryptographic protocols and a corresponding decidability result for the verification of a large class of properties. Our decidability holds for the Dolev-Yao model, i.e. assuming an active intruder, extended with rules associated to timestamps. Although the
* This work has been partially supported by the projects ACI-SI ROSSIGNOL http://www.cmi.univ-mrs.fr/~lugiez/aci-rossignol.html and PROUVE-03V360.
P Gardner and N Yoshida (Eds.): CONCUR 2004, LNCS 3170, pp 177–192, 2004.
© Springer-Verlag Berlin Heidelberg 2004
decidability we present applies to bounded protocols, i.e., when a fixed number of sessions are considered, our model clearly identifies the main ingredients to be included in a general model. It is useful to notice that the verification problem is undecidable for unbounded sessions.
Besides general models for distributed systems that can be used to model security protocols under some restrictions, such as Timed CSP and MSR (multiset rewriting over first-order atomic formulae), there are very few models for timed protocols [11].
Contributions: The first contribution of this paper is a general model for timed cryptographic protocols. We include in our model clocks, time variables and timestamps. Clocks are variables that range over the time domain and advance at the same rate as time. Each agent has its own set of clocks that it can reset. That is, clocks can be used to measure the time that elapses between two events, for instance, sending a message and receiving the corresponding response. Also, we allow a global clock that is never reset and that can be read and tested by all participants. Time variables correspond to timestamps in received messages. Such values can be stored and used together with clocks to put conditions on the acceptance of a message.
A second contribution of this paper is the decidability of the verification of a large class of security properties including secrecy and authentication. We consider a rich class of reachability properties that allow to specify secrecy, temporary secrecy and authentication. In fact, we introduce a logic that allows to describe secrecy, temporary secrecy, equalities between terms and control points. Then, given a bounded protocol and two formulae in this logic and, the reachability problem we consider is whether there is a run of that starts in a configuration that satisfies and reaches a configuration that satisfies. We devise a symbolic algorithm that, given a property described by a formula in this logic and given a bounded protocol, computes the set of configurations that reaches. This algorithm uses symbolic constraints (logic formulae) to describe sets of configurations. The logic we introduce combines constraints on the knowledge of the intruder with time constraints on clock values and time variables. To show effectiveness of our verification method we show:
1. that for each action of our model we can express the predecessor configurations of a set of configurations as a formula. We consider input, output and time actions.
2. Then, we show decidability of the satisfiability problem for our logic.
It should be clear that even in the case of bounded protocols the underlying transition system is infinite state even if we do not consider timing aspects. This is because the size of messages is unbounded and the intruder is modeled as an infinitely iterating process. Handling time constraints and unbounded messages symbolically and automatically is the distinguishing feature of our verification method. Most of the work on timed cryptographic protocols uses theorem-provers or finite-state model-checking [1,4,8,13,14]. While the first needs human help, the second relies on typing assumptions and assumptions on
the time window to bound the search space. In [8], the authors make a semi-automated analysis on a Timed CSP model of the Wide Mouth Frog protocol, and use PVS to discharge proof obligations in order to find an invariant property. In [14], a timed-authentication attack on the Wide Mouth Frog protocol is found, using a model with discrete time and with an upper bound on the time window. Differently from [8,14], our method can be used for automatic verification of timed cryptographic protocols without imposing any restrictions on the time model (i.e. we can handle continuous time, and we need no upper bounds on the time window). Closest to our work is [6], which presents a verification method for timed protocols considering unbounded sessions. This paper does not, however, present a decidability result.
A model for cryptographic protocols fixes on one hand the intruder capabilities and on the other the actions the principals can perform. In this section, we extend our model for cryptographic protocols [2] with timestamps. The untimed aspects of our model are fairly standard; it is the so-called Dolev-Yao model. But first we have to define the messages that can be sent.
Preliminaries. Let be a countable set of variables and let be a countable set of function symbols of arity for every. Let. The set of terms over and is denoted by. Ground terms are terms with no variables. We denote by the set of ground terms over. For any we denote with the most general unifier (mgu) of and, if it exists. We denote by the set consisting of ground substitutions with domain. Given a tree we write to denote the symbol at position in and to denote the subterm of at position. If are words over an alphabet then we denote by the word obtained from after removing the prefix.
Messages and Terms. We fix the time domain to be the set of non-negative real numbers. Our results hold also when we consider the natural numbers instead. Let denote the set of variables that range over terms. Let be a set of constant symbols with and. We consider terms built from constant symbols in, clocks in and time variables in using the function symbols in. As usual, we write for and instead of. A clock-free term is a term in which no clock appears; time variables and timestamps may appear in a clock-free term. We denote the set of clock-free terms by. Messages are ground (variable-free) terms in; we denote by the set of messages. For conciseness, we write instead of and instead of.
In addition to the usual terms considered in the Dolev-Yao model, we add:
1. Clocks, i.e. variables that range over the underlying time model. We denote the set of clocks by.
2. Timestamps, that is values in the time domain.
3. Time variables, that is variables that range over the time domain. We denote by the set of time variables.
It is important to understand the difference between these three disjoint sets of variables: a timestamp is just a constant; clocks and time variables are variables. The difference is that the value of a clock advances with rate one with time while the value of a time variable does not. A time variable is simply a variable that ranges over the time domain.
The Intruder’s Message Derivation Capabilities. We use the usual model of Dolev and Yao [7] augmented with the axiom: if then. The axiom represents the fact that the intruder can guess every possible time-stamp, i.e. time value. As usual, we write when is derivable from E using the augmented Dolev-Yao model. For a term we use the notation to denote that there exists a substitution such that. Given a term, a position in is called non-critical if it is not a key position; otherwise it is called critical.
2.1 Process Model
Timed cryptographic protocols are built from timed actions. Here, we consider two types of actions: message input and message output. A time constraint is associated to an action and describes when the action is possible.
Definition 1 (Time Constraints). Time constraints are boolean combinations of linear constraints on clocks and time variables, and they are defined by: where are clocks, are time variables, and. The set of time constraints is denoted by.
A time constraint is interpreted with respect to a valuation defined over a finite set of clocks that associates values in the time domain to clocks, and a substitution that assigns ground clock-free terms to variables, thus in particular values to the time variables. The interpretation of a time constraint, denoted by, is defined as usual. Then is said to be a model for a time constraint if.
Given a time constraint and a set of clocks, we denote by the time constraint obtained by substituting 0 for all clocks in. We also use the notation to denote the time constraint obtained from by substituting each clock in by.
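As an added example that is not part of the paper, the following Python encodes the interpretation of time constraints and the two clock operations just described: evaluation under a clock valuation and a substitution, the reset that substitutes 0 for a set of clocks, and the replacement of every clock x by x + delta. The encoding of atoms as linear terms with the operators `<`, `<=` and `=` is an assumption, as is the constructed guard `FRESH`, a receiver-side freshness check of a message timestamp `t` against the receiver's clock `x`. As the text notes, timestamps are predictable and the intruder can produce any time value, so a guard like `FRESH` rejects replays of old messages but on its own says nothing about who produced the timestamp.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed encoding of Definition 1: a linear atom  sum(coef * v) op const  over clocks
# and time variables, closed under the boolean connectives. The paper's exact grammar is
# not reproduced; "<", "<=" and "=" are the assumed comparison operators.
@dataclass(frozen=True)
class Lin:
    terms: Tuple[Tuple[int, str], ...]   # ((coefficient, clock or time variable), ...)
    op: str
    const: float

@dataclass(frozen=True)
class And:
    left: object
    right: object

@dataclass(frozen=True)
class Or:
    left: object
    right: object

@dataclass(frozen=True)
class Not:
    body: object

def evaluate(phi, nu, sigma, clocks):
    # [[phi]] under the clock valuation nu and the substitution sigma; sigma must map each
    # time variable to a timestamp (a number), i.e. a ground clock-free term of the time domain.
    if isinstance(phi, Lin):
        lhs = sum(c * (nu[v] if v in clocks else sigma[v]) for c, v in phi.terms)
        return {"<": lhs < phi.const, "<=": lhs <= phi.const, "=": lhs == phi.const}[phi.op]
    if isinstance(phi, And):
        return evaluate(phi.left, nu, sigma, clocks) and evaluate(phi.right, nu, sigma, clocks)
    if isinstance(phi, Or):
        return evaluate(phi.left, nu, sigma, clocks) or evaluate(phi.right, nu, sigma, clocks)
    if isinstance(phi, Not):
        return not evaluate(phi.body, nu, sigma, clocks)
    raise TypeError(f"not a time constraint: {phi!r}")

def map_atoms(phi, f):
    # Rebuild phi with f applied to every linear atom; the boolean structure is kept.
    if isinstance(phi, Lin):
        return f(phi)
    if isinstance(phi, Not):
        return Not(map_atoms(phi.body, f))
    return type(phi)(map_atoms(phi.left, f), map_atoms(phi.right, f))

def reset(phi, reset_clocks):
    # phi[C := 0]: each clock in C is replaced by 0, so its term simply disappears.
    return map_atoms(phi, lambda a: Lin(tuple(t for t in a.terms if t[1] not in reset_clocks), a.op, a.const))

def shift(phi, delta, clocks):
    # phi with every clock x replaced by x + delta: the constant side absorbs coef * delta.
    def f(a):
        moved = sum(c * delta for c, v in a.terms if v in clocks)
        return Lin(a.terms, a.op, a.const - moved)
    return map_atoms(phi, f)

# Constructed guard for a receiver with clock x reading a message that carries timestamp t:
# the stamp must be no older than WINDOW time units and must not lie in the future.
WINDOW = 2
CLOCKS = {"x"}
FRESH = And(Lin(((1, "x"), (-1, "t")), "<=", WINDOW),      # x - t <= WINDOW
            Not(Lin(((1, "x"), (-1, "t")), "<", 0)))        # not (x - t < 0)

def accepts(now, stamp):
    # Does the guard FRESH hold when the receiver's clock reads `now` and the message says `stamp`?
    return evaluate(FRESH, {"x": now}, {"t": stamp}, CLOCKS)

def elapse_agrees(delta, now, stamp):
    # Sanity check of the shift operation: evaluating phi[x := x + delta] at clock value `now`
    # must agree with evaluating phi itself after `delta` time units have passed.
    return evaluate(shift(FRESH, delta, CLOCKS), {"x": now}, {"t": stamp}, CLOCKS) == accepts(now + delta, stamp)
```

`accepts(10, 9)` holds while `accepts(10, 5)` (a stale stamp) and `accepts(10, 11)` (a stamp from the future) do not; `elapse_agrees` shows that the substituted constraint is exactly what is needed to reason about the guard before time elapses, and `reset(FRESH, CLOCKS)` yields the guard as it reads right after the clock has been set to 0.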
Definition 2 (Actions and Protocols). We consider input and output actions:
An input action is of the form, where is a time constraint called the guard, is a term and is the set of variables instantiated by the input action