Proc. of World Symposium On Computer Networks and Information Security. DOI: WSCNIS.2014. N&N Global Technology 2014 ©


Sufficient Conditions for Secrecy in Cryptographic Protocols

Jaouhar Fattahi^a, Mohamed Mejri^a, Hanane Houmani^b

[email protected] [email protected] [email protected]

^a LSI Group, Laval University, Quebec, Canada
^b University Hassen II, Morocco

Abstract

In this paper, we look at the property of secrecy through the growth of the protocol. Intuitively, an increasing protocol preserves the secret. For that, we need functions to estimate the security of messages. Here, we give relaxed conditions on the functions and on the protocol, and we prove that an increasing protocol is correct when analyzed with functions that meet these conditions.

Keywords: Cryptographic protocol, role-based specification, secrecy, WSCNIS.


1 Introduction

In this paper, we look at the correctness of a protocol for the property of secrecy through its growth. Intuitively, an increasing protocol preserves the secret. That is to say, if the security of any atomic message does not decrease between the receiving and sending steps of a protocol, the secret is never leaked. For that, we should define "good" metrics to estimate the security of any atomic message. This way of thinking has been considered in some previous works. In [1], Steve Schneider proposed the concept of rank functions as metrics to analyze protocols in CSP [2, 3]. These functions were successful in analyzing the Needham-Schroeder protocol. However, such an analysis requires the protocol to be implemented in CSP. Besides, building rank functions is not a trivial job and their existence is not guaranteed [4]. In [5], Abadi, using the Spi-Calculus [6, 7], guarantees that "if a protocol typechecks, then it does not leak its secret inputs". To do so, he requires the exchanged messages to be composed of four parts having strictly the following types, {secret, public, any, confounder}, in order to recognize the security level of every part. However, this approach cannot analyze real protocols that were implemented with no respect for this restriction. In the same vein, Houmani et al. [8, 9, 10, 11] defined universal functions called interpretation functions, able to analyze a protocol statically. They operate on an abstraction of the protocol called generalized roles, which generate a space of messages with variables. An interpretation function must meet some sufficient conditions to be reliable for the analysis. Obviously, the fewer conditions we impose on functions, the more functions we have, and the better the chance of proving protocols correct, since one function may fail to prove the growth of a protocol while another may succeed. However, we notice that the conditions on functions were so restrictive that only two concrete functions had been proposed.

We believe that the condition related to full invariance by substitution, which is the property bridging an analysis run on the messages of the generalized roles (messages with variables) and the conclusion drawn on valid traces (closed messages), is the most restrictive one. Since the aim of our approach is to build as many reliable functions as we can, we think that if we free a function from this condition, we can build more functions.

Notations

Hereafter, we give some definitions and conventions that we will use throughout this paper.

+ We denote by $\mathcal{C} = \langle \mathcal{M}, \xi, \models, \mathcal{K}, \mathcal{L}^{\sqsupseteq}, \ulcorner\cdot\urcorner \rangle$ the context containing the parameters that affect the analysis of a protocol:

• $\mathcal{M}$: is a set of messages built from the algebraic signature $\langle \mathcal{N}, \Sigma \rangle$, where $\mathcal{N}$ is a set of atomic names (nonces, keys, principals, etc.) and $\Sigma$ is a set of allowed functions (enc:: encryption, dec:: decryption, pair:: concatenation (denoted by "." here), etc.), i.e. $\mathcal{M} = T_{\langle \mathcal{N}, \Sigma \rangle}(\mathcal{X})$. We use $\Gamma$ to denote the set of all possible substitutions from $\mathcal{X} \to \mathcal{M}$. We denote by $\mathcal{A}$ all atomic messages in $\mathcal{M}$, by $\mathcal{A}(m)$ the set of atomic messages (or atoms) in $m$, and by $\mathcal{I}$ the set of agents (principals) including the intruder $I$. We denote by $k^{-1}$ the reverse key of a key $k$ and we consider that $(k^{-1})^{-1} = k$.

• $\xi$: is the equational theory that describes the algebraic properties of the functions in $\Sigma$ by equations, e.g. $dec(enc(x, y), y^{-1}) = x$.

• $\models_{\mathcal{C}}$: is the inference system of the intruder under the equational theory. Let $M$ be a set of messages and $m$ a message. $M \models_{\mathcal{C}} m$ means that the intruder is able to infer $m$ from $M$ using her capacity. We extend this notation to traces as follows: $\rho \models_{\mathcal{C}} m$ means that the intruder can infer $m$ from the messages exchanged in the trace $\rho$. We assume that the intruder has full control of the network, as described in the Dolev-Yao model [12]. She can intercept, delete, redirect and modify any message. She knows the public keys of all agents, her private keys and the keys she shares with other agents. She can encrypt or decrypt any message with known keys. Formally, the intruder generically has the following rules for building messages:

$$(\mathrm{int}):\ \frac{}{M \models_{\mathcal{C}} m}\ [m \in M \cup K(I)]$$

$$(\mathrm{op}):\ \frac{M \models_{\mathcal{C}} m_1,\ \ldots,\ M \models_{\mathcal{C}} m_n}{M \models_{\mathcal{C}} f(m_1, \ldots, m_n)}\ [f \in \Sigma]$$

$$(\mathrm{eq}):\ \frac{M \models_{\mathcal{C}} m',\ m' =_{\mathcal{C}} m}{M \models_{\mathcal{C}} m}, \quad \text{with } (m' =_{\mathcal{C}} m) \equiv (m' =_{\xi(\mathcal{C})} m)$$

Example 1.1. The intruder capacity may be described by the following rules:

$$(\mathrm{int}):\ \frac{}{M \models_{\mathcal{C}} m}\ [m \in M \cup K(I)] \qquad (\mathrm{dec}):\ \frac{M \models_{\mathcal{C}} k^{-1},\ M \models_{\mathcal{C}} \{m\}_k}{M \models_{\mathcal{C}} m}$$

$$(\mathrm{enc}):\ \frac{M \models_{\mathcal{C}} k,\ M \models_{\mathcal{C}} m}{M \models_{\mathcal{C}} \{m\}_k} \qquad (\mathrm{concat}):\ \frac{M \models_{\mathcal{C}} m_1,\ M \models_{\mathcal{C}} m_2}{M \models_{\mathcal{C}} m_1.m_2} \qquad (\mathrm{deconcat}):\ \frac{M \models_{\mathcal{C}} m_1.m_2}{M \models_{\mathcal{C}} m_i}\ [i \in \{1, 2\}]$$

In this example, from a set of messages, an intruder can infer any message in this set, encrypt any message when she already possesses the encryption key, decrypt any message when she already possesses the decryption key, concatenate any two messages and deconcatenate them.

• $\mathcal{K}$: is a function from $\mathcal{I}$ to $\mathcal{M}$ that assigns to any agent (principal) a set of atomic messages describing her initial knowledge. We denote by $K_{\mathcal{C}}(I)$ the initial knowledge of the intruder, or simply $K(I)$ where the context is clear.

• $\mathcal{L}^{\sqsupseteq}$: is the security lattice $(\mathcal{L}, \sqsupseteq, \sqcup, \sqcap, \bot, \top)$ used to attribute security levels to messages. A concrete example of a lattice is $(2^{\mathcal{I}}, \subseteq, \cap, \cup, \mathcal{I}, \emptyset)$, which will be used to attribute to a message $\alpha$ the set of principals that are allowed to know it.

• $\ulcorner\cdot\urcorner$: is a partial function that assigns a value of security (type) to a message in $\mathcal{M}$. Let $M$ be a set of messages and $m$ a message. We write $\ulcorner M \urcorner \sqsupseteq \ulcorner m \urcorner$ if $\exists m' \in M.\ \ulcorner m' \urcorner \sqsupseteq \ulcorner m \urcorner$.
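As an added worked example (not code from the paper), the rules of Example 1.1 can be run as a small Dolev-Yao derivation engine. The decomposition rules (deconcat, dec) are applied to a fixpoint, then the target is composed with (enc) and (concat) from what was obtained; this analysis-then-synthesis procedure decides $M \models_{\mathcal{C}} m$ for this rule set. The intruder knowledge $K(I)$, the inverse-key table and the intercepted run of the protocol of Table 1 are constructed for the example.

```python
"""Dolev-Yao derivation (M |=_C m) for the intruder rules of Example 1.1.

Added worked example, not code from the paper. Messages are nested tuples:
    atom    -> a str such as "Nb", "kab" or "A"
    {m}_k   -> ("enc", m, k)
    m1.m2   -> ("pair", m1, m2)
The (eq) rule is instantiated with the single equation
dec(enc(x, y), y^{-1}) = x; keys are symmetric (k^{-1} = k) unless they are
listed in INVERSE, a table constructed for this example.
"""

INVERSE = {"pkA": "skA", "skA": "pkA"}   # constructed public/private key pairs


def inverse(k):
    """k^{-1}: symmetric keys and composed keys are their own inverse here."""
    return INVERSE.get(k, k) if isinstance(k, str) else k


def synth(target, known):
    """(int), (enc), (concat): can `target` be composed from `known`?"""
    if target in known:
        return True
    if isinstance(target, tuple):
        tag, left, right = target            # ("enc", m, k) or ("pair", m1, m2)
        return synth(left, known) and synth(right, known)
    return False


def analyze(messages):
    """(deconcat), (dec) to a fixpoint: everything the intruder can take apart.
    A ciphertext is opened only when its inverse key is itself derivable."""
    known = set(messages)
    changed = True
    while changed:
        changed = False
        for m in list(known):
            if not isinstance(m, tuple):
                continue
            tag, left, right = m
            if tag == "pair":
                parts = {left, right}
            elif tag == "enc" and synth(inverse(right), known):
                parts = {left}
            else:
                continue
            if not parts <= known:
                known |= parts
                changed = True
    return known


def derivable(messages, intruder_knowledge, target):
    """M |=_C target, where M is the trace messages plus K(I) (rule (int))."""
    return synth(target, analyze(set(messages) | set(intruder_knowledge)))


def enc(m, k):
    return ("enc", m, k)


def pair(a, b):
    return ("pair", a, b)


# Constructed run of the Woo-Lam variant of Table 1, as seen on the wire.
blob = enc(pair("Nb", "kab"), "kas")                       # step 3
TRACE = ["A", "Nb", blob, enc(pair("A", blob), "kbs"), enc(pair("Nb", "kab"), "kbs")]
K_I = {"I", "A", "B", "S", "kis"}                          # identities and the intruder's own key

if __name__ == "__main__":
    print(derivable(TRACE, K_I, "Nb"))                     # sent in clear
    print(derivable(TRACE, K_I, "kab"))                    # never under a key the intruder holds
    print(derivable(TRACE, K_I | {"kbs"}, "kab"))          # once k_bs leaks, step 5 gives it away
    print(derivable(TRACE, K_I, enc(pair("A", "Nb"), "kis")))  # built with (concat) and (enc)
```

The third call is the practitioner's check of Definition 2.5 on a single trace: extend $K(I)$ with the atom whose compromise you are worried about and ask whether the secret becomes derivable.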

+ Our analysis takes place in a role-based specification. A role-based specification is a set of generalized roles. A generalized role is a protocol abstraction where the emphasis is put on a particular principal and where all the unknown messages are replaced by variables. Also, an exponent $i$ (the session identifier) is added to each fresh message to emphasize that these components change their values from one run to another. Basically, a generalized role reflects how a particular principal perceives the exchanged messages. A generalized role can be extracted from a protocol by the following steps:

1. Extract the roles from the protocol.

2. Replace the unknown messages by fresh variables for each role.

Roles can be extracted by following these steps:

1. For each principal (agent), extract from the protocol all the steps in which this principal participates. After that, add to that abstraction a session identifier $i$ in the step identifiers and in the fresh values. For instance, from the variation of the Woo and Lam protocol given in Table 1, three roles can be extracted, denoted by $\mathcal{R}_A$ (for the principal $A$), $\mathcal{R}_B$ (for the principal $B$) and $\mathcal{R}_S$ (for the principal $S$).

$$p = \langle 1, A \to B : A\rangle.\langle 2, B \to A : N_b\rangle.\langle 3, A \to B : \{N_b, k_{ab}\}_{k_{as}}\rangle.\langle 4, B \to S : \{A, \{N_b, k_{ab}\}_{k_{as}}\}_{k_{bs}}\rangle.\langle 5, S \to B : \{N_b, k_{ab}\}_{k_{bs}}\rangle$$

Table 1: A variation of the Woo and Lam protocol

2. Introduce explicitly an intruder $I$ to capture the fact that the received messages and the sent messages are potentially sent or received by an intruder.

3. Finally, extract all prefixes of those roles that end with a sending step (the complete role is kept as well, as $\mathcal{B}^3_G$ below shows).

From the roles, we generate the generalized roles. A generalized role is an abstraction of a role where unknown messages are replaced by variables. Indeed, a message or a component of a message is replaced by a variable when the receiver cannot make any verification on it, and so she cannot be sure about its integrity or its origin. The generalized roles give a precise idea about the behavior of principals during the protocol runs. The generalized roles of $A$ are:

$$\mathcal{A}^1_G = \langle i.1, A \to I(B) : A\rangle$$

$$\mathcal{A}^2_G = \langle i.1, A \to I(B) : A\rangle.\langle i.2, I(B) \to A : X\rangle.\langle i.3, A \to I(B) : \{X, k^i_{ab}\}_{k_{as}}\rangle$$

The generalized roles of $B$ are:

$$\mathcal{B}^1_G = \langle i.1, I(A) \to B : A\rangle.\langle i.2, B \to I(A) : N^i_b\rangle$$

$$\mathcal{B}^2_G = \langle i.1, I(A) \to B : A\rangle.\langle i.2, B \to I(A) : N^i_b\rangle.\langle i.3, I(A) \to B : Y\rangle.\langle i.4, B \to I(S) : \{A, Y\}_{k_{bs}}\rangle$$

$$\mathcal{B}^3_G = \langle i.1, I(A) \to B : A\rangle.\langle i.2, B \to I(A) : N^i_b\rangle.\langle i.3, I(A) \to B : Y\rangle.\langle i.4, B \to I(S) : \{A, Y\}_{k_{bs}}\rangle.\langle i.5, I(S) \to B : \{N^i_b, Z\}_{k_{bs}}\rangle$$

The generalized role of $S$ is:

$$\mathcal{S}^1_G = \langle i.4, I(B) \to S : \{A, \{U, V\}_{k_{as}}\}_{k_{bs}}\rangle.\langle i.5, S \to I(B) : \{U, V\}_{k_{bs}}\rangle$$

Hence, the role-based specification of the protocol described in Table 1 is $\mathcal{R}_G(p) = \{\mathcal{A}^1_G, \mathcal{A}^2_G, \mathcal{B}^1_G, \mathcal{B}^2_G, \mathcal{B}^3_G, \mathcal{S}^1_G\}$. The role-based specification is used to formalize the notion of valid traces of a protocol. More details about the role-based specification are in [13, 14, 15, 16].


+ A valid trace is an interleaving of instantiated generalized roles where each message sent by the intruder can be produced by her using her capacity and the previously received messages. We denote by $[\![p]\!]$ the set of valid traces of $p$.

+ We denote by $\mathcal{M}^{\mathcal{G}}_p$ the set of messages with variables generated by $\mathcal{R}_G(p)$, and by $\mathcal{M}_p$ the set of closed messages generated by substituting terms in $\mathcal{M}^{\mathcal{G}}_p$. We denote by $R^+$ (respectively $R^-$) the set of messages sent (respectively received) by an honest agent in the role $R$. Commonly, we reserve uppercase letters for sets or sequences of elements and lowercase letters for single elements. For instance, $M$ denotes a set of messages, $m$ a single message, $R$ a role composed of a sequence of steps, $r$ a step and $R.r$ the role ending with the step $r$.

+ We assume no restriction on the size of messages or the number of sessions in the protocols we analyze.

2 Increasing protocols are correct with respect to the secrecy property

To analyze a protocol, we need reliable functions to estimate the security level of every atomic message. In this section, we state sufficient conditions guaranteeing that a function is reliable. We prove that an increasing protocol is correct with respect to the secrecy property when analyzed with such functions.

2.1 C-reliable interpretation functions

Definition 2.1. (Well-formed interpretation function) Let $F$ be an interpretation function and $\mathcal{C}$ a context of verification. $F$ is well-formed in $\mathcal{C}$ if $\forall M, M_1, M_2 \subseteq \mathcal{M}, \forall \alpha \in \mathcal{A}(\mathcal{M})$:

$$F(\alpha, \{\alpha\}) = \bot$$

$$F(\alpha, M_1 \cup M_2) = F(\alpha, M_1) \sqcap F(\alpha, M_2)$$

$$F(\alpha, M) = \top,\ \text{if } \alpha \notin \mathcal{A}(M)$$

For an atom $\alpha$ in a set of messages $M$, a well-formed interpretation function returns the bottom value $\bot$ if $M = \{\alpha\}$. For the union of two sets, it returns the minimum ($\sqcap$) of the two values calculated on each set separately. It returns the top value $\top$ if $\alpha$ does not appear in the set.

Definition 2.2. (Full-invariant-by-intruder interpretation function) Let $F$ be an interpretation function and $\mathcal{C}$ a context of verification. $F$ is full-invariant-by-intruder in $\mathcal{C}$ if:

$$\forall M \subseteq \mathcal{M}, m \in \mathcal{M}.\ M \models_{\mathcal{C}} m \Rightarrow \forall \alpha \in \mathcal{A}(m).\ (F(\alpha, m) \sqsupseteq F(\alpha, M)) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner)$$

A reliable function $F$ should be full-invariant-by-intruder. That is to say, if $F$ attributes a security level to an atom $\alpha$ in $M$, then the intruder can never produce from $M$ another message $m$ that decreases this level (i.e. $F(\alpha, m) \sqsupseteq F(\alpha, M)$), except when $\alpha$ is intended to be known by the intruder (i.e. $\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner$).

Definition 2.3. (Reliable interpretation function) Let $F$ be an interpretation function and $\mathcal{C}$ a context of verification. $F$ is $\mathcal{C}$-reliable if $F$ is well-formed and full-invariant-by-intruder in $\mathcal{C}$.


Definition 2.4. ($F$-increasing protocol) Let $F$ be an interpretation function, $\mathcal{C}$ a context of verification and $p$ a protocol. $p$ is $F$-increasing in $\mathcal{C}$ if $\forall R.r \in \mathcal{R}_G(p), \forall \sigma \in \Gamma : \mathcal{X} \to \mathcal{M}_p$ we have:

$$\forall \alpha \in \mathcal{A}(\mathcal{M}).\ F(\alpha, r^+\sigma) \sqsupseteq \ulcorner \alpha \urcorner \sqcap F(\alpha, R^-\sigma)$$

An $F$-increasing protocol produces valid traces (interleavings of substituted generalized roles) where every involved principal (every substituted generalized role) never decreases the security levels of received components. When a protocol is $F$-increasing and $F$ is a reliable function, it is easy to prove its correctness with respect to the secrecy property. In fact, if every agent appropriately protects her sent messages (if she initially knows the security level of a component, she has to encrypt it with at least one key having a similar or higher security level, and if she does not know its security level, she estimates it using a reliable function), the intruder can never reveal it.
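The following added example (not code from the paper, and not the DEK or DEKAN functions of Houmani et al.) builds one concrete interpretation function on the lattice $(2^{\mathcal{I}}, \subseteq, \cap, \cup, \mathcal{I}, \emptyset)$, checks the three equations of Definition 2.1 on sample sets, and checks the inequality of Definition 2.4 step by step on one closed run of the protocol of Table 1. The function maps an atom to the set of principals holding the inverse of the key that directly encrypts each of its occurrences ($\mathcal{I}$ for an occurrence in clear) and combines occurrences with $\sqcap = \cup$; key ownership and the types $\ulcorner \alpha \urcorner$ are constructed assumptions. It checks one substitution only, whereas Definition 2.4 quantifies over all closed substitutions.

```python
"""A concrete interpretation function on (2^I, ⊆, ∩, ∪, I, ∅) and the
F-increasing check of Definition 2.4 on one closed run of Table 1.

Added example, not code from the paper. Messages are nested tuples:
atom -> str, {m}_k -> ("enc", m, k), m1.m2 -> ("pair", m1, m2).
Security levels are reader sets: a smaller set is a higher level, so
x ⊒ y is x ⊆ y, ⊓ is ∪, ⊥ is I (public) and ⊤ is ∅ (nobody may read).
Key ownership (OWNERS) and the types ⌜α⌝ (TYPES) are constructed assumptions.
"""

AGENTS = frozenset({"A", "B", "S", "I"})                          # the set of principals I
OWNERS = {"kas": {"A", "S"}, "kbs": {"B", "S"}, "kis": {"I", "S"}}  # who holds k^{-1}
BOTTOM, TOP = AGENTS, frozenset()


def geq(x, y):   # x ⊒ y
    return x <= y


def meet(x, y):  # x ⊓ y
    return x | y


def enc(m, k):
    return ("enc", m, k)


def pair(a, b):
    return ("pair", a, b)


def atoms(m):
    return {m} if isinstance(m, str) else atoms(m[1]) | atoms(m[2])


def occurrences(alpha, m, readers):
    """Reader set of every occurrence of alpha in the content of m, where
    `readers` is the set granted by the innermost enclosing key (I in clear).
    Key positions are not transmitted content and are not counted."""
    if isinstance(m, str):
        return [readers] if m == alpha else []
    tag, left, right = m
    if tag == "pair":
        return occurrences(alpha, left, readers) + occurrences(alpha, right, readers)
    return occurrences(alpha, left, frozenset(OWNERS.get(right, AGENTS)))


def F(alpha, messages):
    """F(α, M): ⊤ when α is absent from M, else ⊓ (union) over all occurrences."""
    level = TOP
    for m in messages:
        for readers in occurrences(alpha, m, BOTTOM):
            level = meet(level, readers)
    return level


def well_formed_checks(alpha, M1, M2):
    """The three equations of Definition 2.1, evaluated on the given sets."""
    absent = [m for m in M1 + M2 if alpha not in atoms(m)]
    return (F(alpha, [alpha]) == BOTTOM,
            F(alpha, M1 + M2) == meet(F(alpha, M1), F(alpha, M2)),
            F(alpha, absent) == TOP)


def increasing_step(sent, received, types):
    """F(α, r⁺σ) ⊒ ⌜α⌝ ⊓ F(α, R⁻σ) for every atom α of the sent message."""
    return all(geq(F(a, [sent]), meet(types.get(a, BOTTOM), F(a, received)))
               for a in atoms(sent))


# Constructed types: the long-term keys and k_ab are secrets, the rest is public (⊥).
TYPES = {"kab": frozenset({"A", "B", "S"}),
         "kas": frozenset({"A", "S"}),
         "kbs": frozenset({"B", "S"})}

# One closed run of Table 1: (message sent r⁺σ, messages received so far R⁻σ).
blob = enc(pair("Nb", "kab"), "kas")
RUN = [
    ("A", []),                                                       # A, step 1
    ("Nb", ["A"]),                                                   # B, step 2
    (blob, ["Nb"]),                                                  # A, step 3
    (enc(pair("A", blob), "kbs"), ["A", blob]),                      # B, step 4
    (enc(pair("Nb", "kab"), "kbs"), [enc(pair("A", blob), "kbs")]),  # S, step 5
]


def check_run(run, types):
    return [increasing_step(sent, received, types) for sent, received in run]


if __name__ == "__main__":
    print(well_formed_checks("kab", [blob], ["Nb", enc("kab", "kbs")]))
    print(check_run(RUN, TYPES))   # every send of the honest run keeps k_ab under {A,S} or {B,S}
    # A server re-keying k_ab under k_is would widen its reader set to {I, S}: not increasing.
    print(increasing_step(enc(pair("Nb", "kab"), "kis"), [enc(pair("A", blob), "kbs")], TYPES))
```

The last call shows what the check catches: a step whose sent message grants $k_{ab}$ a reader set ($\{I, S\}$) that is not contained in $\ulcorner k_{ab} \urcorner \sqcap F(k_{ab}, R^-\sigma) = \{A, B, S\}$ violates the inequality, which is exactly the "decrease of security level between receiving and sending" the paper rules out.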

Definition 2.5. (Secret disclosure) Let $p$ be a protocol and $\mathcal{C}$ a context of verification. We say that $p$ discloses a secret $\alpha \in \mathcal{A}(\mathcal{M})$ in $\mathcal{C}$ if:

$$\exists \rho \in [\![p]\!].\ (\rho \models_{\mathcal{C}} \alpha) \wedge (\ulcorner K(I) \urcorner \not\sqsupseteq \ulcorner \alpha \urcorner)$$

A secret disclosure consists in the intruder exploiting a valid trace of the protocol (the set of valid traces is denoted by $[\![p]\!]$), using her knowledge $K(I)$ in a context of verification $\mathcal{C}$, to infer a secret $\alpha$ that she is not allowed to know (expressed by $\ulcorner K(I) \urcorner \not\sqsupseteq \ulcorner \alpha \urcorner$).

Lemma 2.6. Let $F$ be a $\mathcal{C}$-reliable interpretation function and $p$ an $F$-increasing protocol. We have:

$$\forall m \in \mathcal{M}.\ [\![p]\!] \models_{\mathcal{C}} m \Rightarrow \forall \alpha \in \mathcal{A}(m).\ (F(\alpha, m) \sqsupseteq \ulcorner \alpha \urcorner) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner)$$

Proof. See Proof 4 in the Appendix.¹

Lemma 2.6 asserts that for any atom $\alpha$ in a message generated by an increasing protocol, its security level calculated by a reliable interpretation function is kept at or above its initial value in the context, if the intruder is not initially allowed to know it. Thus, initially the atom has a certain security level. This level cannot be decreased by the intruder using her initial knowledge and received messages, since reliable functions are full-invariant-by-intruder. In each new step of any valid trace, the involved messages are better protected since the protocol is increasing. The proof runs by induction on the size of the trace and uses the reliability properties of the interpretation function at every step.

Theorem 2.7. (Correctness of increasing protocols) Let $F$ be a $\mathcal{C}$-reliable interpretation function and $p$ an $F$-increasing protocol. Then $p$ is $\mathcal{C}$-correct with respect to the secrecy property.

Proof. Suppose that $p$ discloses an atomic secret $\alpha$. From Definition 2.5 we have:

$$\exists \rho \in [\![p]\!].\ (\rho \models_{\mathcal{C}} \alpha) \wedge (\ulcorner K(I) \urcorner \not\sqsupseteq \ulcorner \alpha \urcorner) \qquad (1)$$

Since $F$ is a $\mathcal{C}$-reliable interpretation function and $p$ an $F$-increasing protocol, we have from Lemma 2.6:

$$(F(\alpha, \alpha) \sqsupseteq \ulcorner \alpha \urcorner) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner) \qquad (2)$$

From 1 and 2 (the second disjunct of 2 is excluded by 1), we have:

$$F(\alpha, \alpha) \sqsupseteq \ulcorner \alpha \urcorner \qquad (3)$$

Since $F$ is well-formed in $\mathcal{C}$:

$$F(\alpha, \alpha) = \bot \qquad (4)$$

From 3 and 4 we have $\bot \sqsupseteq \ulcorner \alpha \urcorner$, and since $\bot$ is the least element of the lattice:

$$\bot = \ulcorner \alpha \urcorner \qquad (5)$$

5 is impossible: every element is $\sqsupseteq \bot$, so $\ulcorner K(I) \urcorner \sqsupseteq \bot = \ulcorner \alpha \urcorner$, which contradicts $\ulcorner K(I) \urcorner \not\sqsupseteq \ulcorner \alpha \urcorner$ in 1. Hence $p$ is $\mathcal{C}$-correct with respect to the secrecy property.

¹ The proofs can be downloaded from the following URL: http://web_security.fsg.ulaval.ca/lab/sites/default/files/WF/Tun2/preuves.pdf

3 Comparison with related works

Theorem 2.7 states that an increasing protocol is correct with respect to the secrecy property when analyzed with an interpretation function that is full-invariant-by-intruder and well-formed, or simply reliable. Compared to the sufficient conditions stated by Houmani et al. in [8, 11], we have one less. Houmani et al. required that a protocol be increasing on the messages of the generalized roles of the protocol (which contain variables), and demanded that the interpretation function resist the problem of substitution of variables. Even though they gave a clear guideline for building safe functions, just two functions have been defined: DEK and DEKAN. That is due to the complexity of finding, and then proving, that a function meets the full-invariance-by-substitution property. Here, we free our functions from this restrictive condition in order to be able to build more functions. We relocate this condition into our new definition of an increasing protocol, which is now required to be increasing on valid traces (closed messages). The problem of substitution migrates to the protocol and becomes easier to handle.

4 Conclusion and future work

Freeing a function from a condition may require us to take additional precautions when using it. In future work, we introduce the notion of witness-functions [17, 18] to analyze cryptographic protocols. A witness-function is protocol-dependent and uses derivation techniques to solve the question of substitution locally in the protocol. It offers two bounds that are independent of all substitutions, which enables any decision made on the generalized roles (messages with variables) to be exported to valid traces (closed messages). This replaces the restrictive condition of full invariance by substitution stated in Houmani's work [8, 11]. Witness-functions have been successful in proving the correctness of protocols [19]. They even help to locate flaws [20].


References

[1] Steve Schneider. Verifying authentication protocols in CSP. IEEE Trans. Software Eng., 24(9):741–758, 1998.

[2] Steve Schneider. Security properties and CSP. In IEEE Symposium on Security and Privacy, pages 174–187, 1996.

[3] Steve A. Schneider and Rob Delicata. Verifying security protocols: An application of CSP. In 25 Years Communicating Sequential Processes, pages 243–263, 2004.

[4] James Heather and Steve Schneider. A decision procedure for the existence of a rank function. J. Comput. Secur., 13(2):317–344, March 2005.

[5] Martín Abadi. Secrecy by typing in security protocols. Journal of the ACM, 46:611–638, 1998.

[6] Martín Abadi and Andrew D. Gordon. Reasoning about cryptographic protocols in the spi calculus. In CONCUR, pages 59–73, 1997.

[7] Martín Abadi and Andrew D. Gordon. A calculus for cryptographic protocols: The spi calculus. In ACM Conference on Computer and Communications Security, pages 36–47, 1997.

[8] Hanane Houmani and Mohamed Mejri. Practical and universal interpretation functions for secrecy. In SECRYPT, pages 157–164, 2007.

[9] Hanane Houmani and Mohamed Mejri. Ensuring the correctness of cryptographic protocols with respect to secrecy. In SECRYPT, pages 184–189, 2008.

[10] Hanane Houmani and Mohamed Mejri. Formal analysis of SET and NSL protocols using the interpretation functions-based method. Journal of Computer Networks and Communications, 2012, 2012.

[11] Hanane Houmani, Mohamed Mejri, and Hamido Fujita. Secrecy of cryptographic protocols under equational theory. Knowl.-Based Syst., 22(3):160–173, 2009.

[12] Danny Dolev and Andrew Chi-Chih Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 29(2):198–207, 1983.

[13] Jaouhar Fattahi, Mohamed Mejri, and Hanane Houmani. Context of verification and role-based specification. http://web_security.fsg.ulaval.ca/lab/sites/default/files/WF/Tun2/Context.pdf, (4):1–4, 2014.

[14] Mourad Debbabi, Y. Legaré, and Mohamed Mejri. An environment for the specification and analysis of cryptoprotocols. In ACSAC, pages 321–332, 1998.

[15] Mourad Debbabi, Mohamed Mejri, Nadia Tawbi, and I. Yahmadi. Formal automatic verification of authentication cryptographic protocols. In ICFEM, pages 50–59, 1997.

[16] Mourad Debbabi, Mohamed Mejri, Nadia Tawbi, and I. Yahmadi. From protocol specifications to flaws and attack scenarios: An automatic and formal algorithm. In WETICE, pages 256–262, 1997.

[17] Jaouhar Fattahi, Mohamed Mejri, and Hanane Houmani. New functions for secrecy in cryptographic protocols. http://web_security.fsg.ulaval.ca/lab/sites/default/files/WF/Tun2/WF.pdf, (17):1–17, 2014.

[18] Jaouhar Fattahi, Mohamed Mejri, and Hanane Houmani. The witness-functions: Proofs and intermediate results. http://web_security.fsg.ulaval.ca/lab/sites/default/files/WF/Tun2/WitFunProofs.pdf, (33):1–33, 2014.

[19] Jaouhar Fattahi, Mohamed Mejri, and Hanane Houmani. NSL protocol analysis with a witness-function. http://web_security.fsg.ulaval.ca/lab/sites/default/files/WF/Tun2/NSL.pdf, (5):1–5, 2014.

[20] Jaouhar Fattahi, Mohamed Mejri, and Hanane Houmani. A variation of Needham-Schroeder protocol analysis with a witness-function. http://web_security.fsg.ulaval.ca/lab/sites/default/files/WF/Tun2/Needham.pdf, (6):1–6, 2014.

Appendix

SUFFICIENT CONDITIONS FOR SECRECY IN CRYPTOGRAPHIC PROTOCOLS: PROOFS AND INTERMEDIATE RESULTS

by: Jaouhar Fattahi, Mohamed Mejri and Hanane Houmani, April 2014

Valid trace

Before defining a valid trace, let's give some intermediate definitions.

1- Step: it is defined by the following BNF grammar:

$$step ::= \langle j.i, A \to I(B) : m\rangle \mid \langle j.i, I(A) \to B : m\rangle$$

where $j$ is the identifier of the session and $i$ is the identifier of the step.

2- Trace: a trace $\rho$ is a sequence of steps. It is defined by the following BNF grammar:

$$\rho ::= \varepsilon \mid step \mid \rho.step$$

where $\varepsilon$ is the empty trace. We denote by $\bar{\rho}$ the set of all steps of $\rho$.

3- Session identifier: every step has an identifier. The set of identifiers $S_\rho$ associated with a trace $\rho$ is built as follows:

$$S_\varepsilon = \emptyset, \qquad S_{\rho.\langle j.i, A \to I(B) : m\rangle} = S_\rho \cup \{j\}, \qquad S_{\rho.\langle j.i, I(A) \to B : m\rangle} = S_\rho \cup \{j\}$$

4- Session: a trace is an interleaving of many sessions, each of which has an identifier. We define the session identified by $Id$ of a trace $\rho$ (coming from an interleaving of many sessions) as follows:

$$\varepsilon_{Id} = \varepsilon$$

$$(\rho.\langle j.i, A \to I(B) : m\rangle)_{Id} = \rho_{Id} \quad \text{if } Id \neq j$$

$$(\rho.\langle j.i, I(A) \to B : m\rangle)_{Id} = \rho_{Id} \quad \text{if } Id \neq j$$

$$(\rho.\langle Id.i, A \to I(B) : m\rangle)_{Id} = \rho_{Id}.\langle Id.i, A \to I(B) : m\rangle$$

$$(\rho.\langle Id.i, I(A) \to B : m\rangle)_{Id} = \rho_{Id}.\langle Id.i, I(A) \to B : m\rangle$$

where $\varepsilon$ is the empty trace. It may be eliminated when preceded or followed by a non-empty trace.

5- Def/Use: the knowledge of the intruder changes from one step to another. After the execution of a trace, the intruder acquires new knowledge or defines new messages herself. We denote by $Def(\rho)$ the knowledge (messages) received by the intruder after the execution of a trace $\rho$, and by $Use(\rho)$ the messages she builds after the execution of $\rho$. $Use(\rho)$ and $Def(\rho)$ are defined as follows:

$$Def(\varepsilon) = \emptyset, \qquad Def(\rho.\langle j.i, A \to I(B) : m\rangle) = Def(\rho) \cup \{m\}, \qquad Def(\rho.\langle j.i, I(A) \to B : m\rangle) = Def(\rho)$$

$$Use(\varepsilon) = \emptyset, \qquad Use(\rho.\langle j.i, A \to I(B) : m\rangle) = Use(\rho), \qquad Use(\rho.\langle j.i, I(A) \to B : m\rangle) = Use(\rho) \cup \{m\}$$

For the sake of simplicity, we denote:

$$Use(\rho) = \rho^+ \quad \text{and} \quad Def(\rho) = \rho^-$$

6- $\mathcal{C}$-well-defined trace: a trace is said to be $\mathcal{C}$-well-defined when the intruder is able to define all the messages contained in the trace before sending them, i.e. for $\rho = \rho_1.e.\rho_2$ we have:

$$\rho_1^+ \models_{K(I)} e$$

where $e$ is a step of communication and $K(I)$ is the knowledge of the intruder.

7- $\mathcal{C}$-well-formed trace: a trace is said to be $\mathcal{C}$-well-formed when it is generated by substitution in a generalized role of the protocol, i.e. there exist $r \in \mathcal{R}_G(p)$, a session $i \in S_\rho$ and a substitution $\sigma \in \Gamma$ (the set of all substitutions) such that:

$$\rho_i = r\sigma$$

8- Valid trace: $\rho$ is a valid trace of a protocol $p$ when $\rho$ is $\mathcal{C}$-well-defined and $\mathcal{C}$-well-formed.

A valid trace is a run of the protocol. It is an instance of the generalized roles produced by the intruder (or a regular agent) with respect to the rules of the protocol and the context of verification.

Definition 4.1. (Prefix of a trace) Let $\rho_1$ and $\rho_2$ be two traces. $\rho_2$ is a prefix of $\rho_1$ if $\exists \rho_3$ such that $\rho_1 = \rho_2.\rho_3$.

Definition 4.2. (Size of a trace) The size of a trace $\rho$, denoted by $|\rho|$, is defined as follows:

$$|\varepsilon| = 0, \qquad |step| = 1, \qquad |\rho.\rho'| = |\rho| + |\rho'|$$

Definitions 4.3 to 4.7 (well-formed interpretation function, full-invariant-by-intruder interpretation function, reliable interpretation function, $F$-increasing protocol and secret disclosure) restate Definitions 2.1 to 2.5 of the main text verbatim and are not repeated here; the proofs below refer to them under these appendix numbers.

Definition 4.8. ($\mathcal{C}$-correct protocol with respect to the secrecy property) Let $p$ be a protocol and $\mathcal{C}$ a context of verification. $p$ is $\mathcal{C}$-correct with respect to the secrecy property if:

$$\forall \alpha \in \mathcal{A}(\mathcal{M}), \forall \rho \in [\![p]\!].\ \rho \models_{\mathcal{C}} \alpha \Rightarrow \ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner$$

We denote this by:

$$\forall \alpha \in \mathcal{A}(\mathcal{M}).\ [\![p]\!] \models_{\mathcal{C}} \alpha \Rightarrow \ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner$$

A correct protocol is such that no valid trace $\rho$ it produces ever leaks a secret that the intruder is not allowed to know.


Definition 4.9. ($\sqsupseteq_F$) Let $\mathcal{C} = \langle \mathcal{M}, \xi, \models, \mathcal{K}, \mathcal{L}^{\sqsupseteq}, \ulcorner\cdot\urcorner \rangle$ be a verification context, $F$ an interpretation function and $M_1, M_2 \subseteq \mathcal{M}$.

$$M_1 \sqsupseteq_F M_2 \iff \forall \alpha \in \mathcal{A}(M_1).\ F(\alpha, M_1) \sqsupseteq F(\alpha, M_2)$$

Definition 4.10. (Auxiliary interpretation function) Let $\mathcal{C} = \langle \mathcal{M}, \xi, \models, \mathcal{K}, \mathcal{L}^{\sqsupseteq}, \ulcorner\cdot\urcorner \rangle$ be a verification context and $F$ an interpretation function. We define the auxiliary function of $F$, denoted by $\hat{F}$, as follows:

$$\hat{F} : \mathcal{A} \times \mathcal{M} \to \mathcal{L}^{\sqsupseteq}, \qquad (\alpha, m) \mapsto \ulcorner \alpha \urcorner \sqcap F(\alpha, m)$$

Definition 4.11. ($\sqsupseteq_{\hat{F}}$) Let $\mathcal{C} = \langle \mathcal{M}, \xi, \models, \mathcal{K}, \mathcal{L}^{\sqsupseteq}, \ulcorner\cdot\urcorner \rangle$ be a verification context, $F$ an interpretation function and $M_1, M_2 \subseteq \mathcal{M}$.

$$M_1 \sqsupseteq_{\hat{F}} M_2 \iff \forall \alpha \in \mathcal{A}(M_1).\ \hat{F}(\alpha, M_1) \sqsupseteq \hat{F}(\alpha, M_2)$$

Proposition 4.12. Let $\mathcal{C} = \langle \mathcal{M}, \xi, \models, \mathcal{K}, \mathcal{L}^{\sqsupseteq}, \ulcorner\cdot\urcorner \rangle$ be a verification context, $F$ an interpretation function and $\hat{F}$ the auxiliary function of $F$. If $F$ is well-formed in $\mathcal{C}$ then $\forall M, M_1, M_2 \subseteq \mathcal{M}, \forall \alpha \in \mathcal{A}(\mathcal{M})$:

$$\hat{F}(\alpha, \{\alpha\}) = \bot$$

$$\hat{F}(\alpha, M_1 \cup M_2) = \hat{F}(\alpha, M_1) \sqcap \hat{F}(\alpha, M_2)$$

$$\hat{F}(\alpha, M) = \ulcorner \alpha \urcorner,\ \text{if } \alpha \notin \mathcal{A}(M)$$

See Proof 1.

Proof 1. Since $F$ is well-formed in $\mathcal{C}$, we have from the definition, $\forall M, M_1, M_2 \subseteq \mathcal{M}, \forall \alpha \in \mathcal{A}(\mathcal{M})$:

$$F(\alpha, \{\alpha\}) = \bot, \qquad F(\alpha, M_1 \cup M_2) = F(\alpha, M_1) \sqcap F(\alpha, M_2), \qquad F(\alpha, M) = \top \text{ if } \alpha \notin \mathcal{A}(M) \qquad (6)$$

From 6, we have the three following results:

• $$F(\alpha, \{\alpha\}) = \bot \qquad (7)$$

From 7 and since $\mathcal{L}^{\sqsupseteq}$ is a lattice, we have:

$$\ulcorner \alpha \urcorner \sqcap F(\alpha, \{\alpha\}) = \bot \qquad (8)$$

From 8 and Definition 4.10 of $\hat{F}$ we have:

$$\hat{F}(\alpha, \{\alpha\}) = \bot \qquad (9)$$

• $$F(\alpha, M_1 \cup M_2) = F(\alpha, M_1) \sqcap F(\alpha, M_2) \qquad (10)$$

From 10 and since $\mathcal{L}^{\sqsupseteq}$ is a lattice we have:

$$\ulcorner \alpha \urcorner \sqcap F(\alpha, M_1 \cup M_2) = \ulcorner \alpha \urcorner \sqcap (F(\alpha, M_1) \sqcap F(\alpha, M_2)) \qquad (11)$$

Or, equivalently ($\sqcap$ is idempotent, associative and commutative):

$$\ulcorner \alpha \urcorner \sqcap F(\alpha, M_1 \cup M_2) = (\ulcorner \alpha \urcorner \sqcap F(\alpha, M_1)) \sqcap (\ulcorner \alpha \urcorner \sqcap F(\alpha, M_2)) \qquad (12)$$

From 12 and Definition 4.10 of $\hat{F}$ we have:

$$\hat{F}(\alpha, M_1 \cup M_2) = \hat{F}(\alpha, M_1) \sqcap \hat{F}(\alpha, M_2) \qquad (13)$$

• $$F(\alpha, M) = \top,\ \text{if } \alpha \notin \mathcal{A}(M) \qquad (14)$$

From 14, since $\mathcal{L}^{\sqsupseteq}$ is a lattice and $\ulcorner \alpha \urcorner \sqsubseteq \top$, we have:

$$\ulcorner \alpha \urcorner \sqcap F(\alpha, M) = \ulcorner \alpha \urcorner,\ \text{if } \alpha \notin \mathcal{A}(M) \qquad (15)$$

From 15 and Definition 4.10 of $\hat{F}$ we have:

$$\hat{F}(\alpha, M) = \ulcorner \alpha \urcorner,\ \text{if } \alpha \notin \mathcal{A}(M) \qquad (16)$$

From 9, 13 and 16 we have, $\forall M, M_1, M_2 \subseteq \mathcal{M}, \forall \alpha \in \mathcal{A}(\mathcal{M})$:

$$\hat{F}(\alpha, \{\alpha\}) = \bot, \qquad \hat{F}(\alpha, M_1 \cup M_2) = \hat{F}(\alpha, M_1) \sqcap \hat{F}(\alpha, M_2), \qquad \hat{F}(\alpha, M) = \ulcorner \alpha \urcorner \text{ if } \alpha \notin \mathcal{A}(M)$$


Proposition 4.13. Let $\mathcal{C} = \langle \mathcal{M}, \xi, \models, \mathcal{K}, \mathcal{L}^{\sqsupseteq}, \ulcorner\cdot\urcorner \rangle$ be a verification context, $F$ an interpretation function and $\hat{F}$ the auxiliary function of $F$. If $F$ is full-invariant-by-intruder in $\mathcal{C}$ then $\hat{F}$ is full-invariant-by-intruder in $\mathcal{C}$.

See Proof 2.

Proof 2. Let $M \subseteq \mathcal{M}$ and $m \in \mathcal{M}$ such that:

$$M \models_{\mathcal{C}} m \qquad (17)$$

From Definition 4.4 and 17 we have, for all $\alpha \in \mathcal{A}(m)$:

$$(F(\alpha, m) \sqsupseteq F(\alpha, M)) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner) \qquad (18)$$

From 18 we have:

• either:

$$F(\alpha, m) \sqsupseteq F(\alpha, M) \qquad (19)$$

From 19 and since $\mathcal{L}^{\sqsupseteq}$ is a lattice ($\sqcap$ is monotone), we have:

$$\ulcorner \alpha \urcorner \sqcap F(\alpha, m) \sqsupseteq \ulcorner \alpha \urcorner \sqcap F(\alpha, M) \qquad (20)$$

From 20 and Definition 4.10 of $\hat{F}$ we have:

$$\hat{F}(\alpha, m) \sqsupseteq \hat{F}(\alpha, M) \qquad (21)$$

• or:

$$\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner \qquad (22)$$

From 21 and 22 we have, for all $M \subseteq \mathcal{M}$ and $m \in \mathcal{M}$:

$$M \models_{\mathcal{C}} m \Rightarrow \forall \alpha \in \mathcal{A}(m).\ (\hat{F}(\alpha, m) \sqsupseteq \hat{F}(\alpha, M)) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner)$$

Then $\hat{F}$ is full-invariant-by-intruder in $\mathcal{C}$.

Lemma 4.14. Let $\mathcal{C} = \langle \mathcal{M}, \xi, \models, \mathcal{K}, \mathcal{L}^{\sqsupseteq}, \ulcorner\cdot\urcorner \rangle$ be a verification context, $F$ a $\mathcal{C}$-reliable interpretation function and $p$ a protocol. We have:

If $p$ is $F$-increasing in $\mathcal{C}$, then $\forall \rho.e \in [\![p]\!]$ we have $e^+ \sqsupseteq_{\hat{F}} \rho^-$.

See Proof 3.

Proof 3. Since $p$ is $F$-increasing in $\mathcal{C}$, from Definition 4.6 we have, $\forall R.r \in \mathcal{R}_G(p), \forall \sigma \in \Gamma : \mathcal{X} \to \mathcal{M}_p$ (closed messages):

$$\forall \alpha \in \mathcal{A}(r^+\sigma).\ F(\alpha, r^+\sigma) \sqsupseteq \ulcorner \alpha \urcorner \sqcap F(\alpha, R^-\sigma) \qquad (23)$$

Since $\rho.e$ is a valid trace, there exist a substitution $\sigma \in \Gamma$, a generalized role $R.r \in \mathcal{R}_G(p)$ and a session $i = S(e)$ such that:

$$(R\sigma = \rho_i) \wedge (r\sigma = e) \qquad (24)$$

From 23 and 24, we have:

$$\forall \alpha \in \mathcal{A}(e^+).\ F(\alpha, e^+) \sqsupseteq \ulcorner \alpha \urcorner \sqcap F(\alpha, \rho_i^-) \qquad (25)$$

Since $\mathcal{L}^{\sqsupseteq}$ is a lattice ($\sqcap$ is monotone), we have:

$$\forall \alpha \in \mathcal{A}(e^+).\ \ulcorner \alpha \urcorner \sqcap F(\alpha, e^+) \sqsupseteq \ulcorner \alpha \urcorner \sqcap \ulcorner \alpha \urcorner \sqcap F(\alpha, \rho_i^-) \qquad (26)$$

From 26 and since $\sqcap$ is idempotent, we have:

$$\forall \alpha \in \mathcal{A}(e^+).\ \ulcorner \alpha \urcorner \sqcap F(\alpha, e^+) \sqsupseteq \ulcorner \alpha \urcorner \sqcap F(\alpha, \rho_i^-) \qquad (27)$$

From the definition of $\hat{F}$ and 27, we have:

$$\forall \alpha \in \mathcal{A}(e^+).\ \hat{F}(\alpha, e^+) \sqsupseteq \hat{F}(\alpha, \rho_i^-) \qquad (28)$$

From 28 and the definition of $\sqsupseteq_{\hat{F}}$, we have:

$$e^+ \sqsupseteq_{\hat{F}} \rho_i^- \qquad (29)$$

Since the session $\rho_i$ is a sub-trace of $\rho$, we have $\rho_i^- \subseteq \rho^-$; by Proposition 4.12, $\hat{F}(\alpha, \rho^-) = \hat{F}(\alpha, \rho_i^-) \sqcap \hat{F}(\alpha, \rho^- \setminus \rho_i^-) \sqsubseteq \hat{F}(\alpha, \rho_i^-)$, hence from the definition of $\sqsupseteq_{\hat{F}}$:

$$\rho_i^- \sqsupseteq_{\hat{F}} \rho^- \qquad (30)$$

From 29 and 30, we deduce that $e^+ \sqsupseteq_{\hat{F}} \rho^-$.

Lemma 4.15. Let $F$ be a $\mathcal{C}$-reliable interpretation function and $p$ an $F$-increasing protocol. We have:

$$\forall m \in \mathcal{M}.\ [\![p]\!] \models_{\mathcal{C}} m \Rightarrow \forall \alpha \in \mathcal{A}(m).\ (F(\alpha, m) \sqsupseteq \ulcorner \alpha \urcorner) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner)$$


See the proof 4


Proof 4. Let $\rho \in [\![p]\!]$ and $m \in \mathcal{M}$ such that:

$$\rho^+ \models_{\mathcal{C}} m \qquad (31)$$

We prove the lemma by induction on the size of the trace.

• $|\rho| = 1$. In this case, we have two sub-cases:

– either $\rho^+ = \emptyset$. From 31, we have:

$$\emptyset \models_{\mathcal{C}} m \qquad (32)$$

Since $F$ is full-invariant-by-intruder in $\mathcal{C}$, we have:

$$\forall \alpha \in \mathcal{A}(m).\ (F(\alpha, m) \sqsupseteq F(\alpha, \emptyset)) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner) \qquad (33)$$

Since $\alpha \notin \emptyset$ and $F$ is well-formed in $\mathcal{C}$, we have:

$$F(\alpha, \emptyset) = \top \sqsupseteq \ulcorner \alpha \urcorner \qquad (34)$$

From 33 and 34, we have:

$$\forall \alpha \in \mathcal{A}(m).\ (F(\alpha, m) \sqsupseteq \ulcorner \alpha \urcorner) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner) \qquad (35)$$

– or $\rho^+ \neq \emptyset$. Since $|\rho| = 1$, $\rho$ is a single step $e$ preceded by the empty trace $\varepsilon$: $\rho = \varepsilon.e$ and $\rho^+ = e^+$. Since $F$ is full-invariant-by-intruder in $\mathcal{C}$, we have:

$$\forall \alpha \in \mathcal{A}(m).\ (F(\alpha, m) \sqsupseteq F(\alpha, \rho^+)) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner) \qquad (36)$$

Since $p$ is $F$-increasing in $\mathcal{C}$, from Lemma 4.14 we have:

$$\rho^+ \sqsupseteq_{\hat{F}} \varepsilon^- \qquad (37)$$

That is:

$$\forall \alpha \in \mathcal{A}(\rho^+).\ \hat{F}(\alpha, \rho^+) \sqsupseteq \hat{F}(\alpha, \varepsilon^-) \qquad (38)$$

From 38 and the definition of $\hat{F}$ we have:

$$\forall \alpha \in \mathcal{A}(\rho^+).\ F(\alpha, \rho^+) \sqcap \ulcorner \alpha \urcorner \sqsupseteq \hat{F}(\alpha, \varepsilon^-) \qquad (39)$$

Since $\varepsilon$ is the empty trace ($\varepsilon^- = \emptyset$, so $\alpha \notin \mathcal{A}(\varepsilon^-)$) and $\hat{F}$ satisfies Proposition 4.12, we have:

$$\hat{F}(\alpha, \varepsilon^-) = \ulcorner \alpha \urcorner \qquad (40)$$

From 39 and 40 we have:

$$\forall \alpha \in \mathcal{A}(\rho^+).\ F(\alpha, \rho^+) \sqcap \ulcorner \alpha \urcorner \sqsupseteq \ulcorner \alpha \urcorner \qquad (41)$$

Since $\mathcal{L}^{\sqsupseteq}$ is a lattice, we have:

$$\forall \alpha \in \mathcal{A}(\rho^+).\ F(\alpha, \rho^+) \sqsupseteq F(\alpha, \rho^+) \sqcap \ulcorner \alpha \urcorner \qquad (42)$$

From 41 and 42, we have:

$$\forall \alpha \in \mathcal{A}(\rho^+).\ F(\alpha, \rho^+) \sqsupseteq \ulcorner \alpha \urcorner \qquad (43)$$

We deduce from 36 and 43:

$$\forall \alpha \in \mathcal{A}(m).\ (F(\alpha, m) \sqsupseteq \ulcorner \alpha \urcorner) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner) \qquad (44)$$

• We assume that for $|\rho| \leq n$ we have:

$$\forall \alpha \in \mathcal{A}(m).\ (F(\alpha, m) \sqsupseteq \ulcorner \alpha \urcorner) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner) \qquad (45)$$

Let's prove that for $|\rho| = n + 1$ we have:

$$\forall \alpha \in \mathcal{A}(m).\ (F(\alpha, m) \sqsupseteq \ulcorner \alpha \urcorner) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner) \qquad (46)$$

Let $m \in \mathcal{M}$ such that $\rho^+ \models_{\mathcal{C}} m$ with $|\rho| = n + 1$, and let $\rho = \rho_n.e$. Since $|\rho| = n + 1$, we have:

$$|\rho_n| \leq n \quad \text{and} \quad |e| \leq n \qquad (47)$$

From 45 and 47, and since $\rho_n^+ \models_{\mathcal{C}} \rho_n^+$ and $e^+ \models_{\mathcal{C}} e^+$, we have:

$$\forall \alpha \in \mathcal{A}(\rho_n^+).\ (F(\alpha, \rho_n^+) \sqsupseteq \ulcorner \alpha \urcorner) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner) \qquad (48)$$

and

$$\forall \alpha \in \mathcal{A}(e^+).\ (F(\alpha, e^+) \sqsupseteq \ulcorner \alpha \urcorner) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner) \qquad (49)$$

From 48 and 49, and since $F$ is well-formed and $\mathcal{L}^{\sqsupseteq}$ is a lattice, we have:

$$\forall \alpha \in \mathcal{A}(\rho_n^+ \cup e^+).\ (F(\alpha, \rho_n^+) \sqcap F(\alpha, e^+) \sqsupseteq \ulcorner \alpha \urcorner) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner) \qquad (50)$$

Since $F$ is full-invariant-by-intruder in $\mathcal{C}$ and $\rho^+ \models_{\mathcal{C}} m$, we have:

$$\forall \alpha \in \mathcal{A}(m).\ (F(\alpha, m) \sqsupseteq F(\alpha, \rho^+)) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner) \qquad (51)$$

Since:

$$\rho^+ = \rho_n^+ \cup e^+ \qquad (52)$$

from 52 and since $F$ is well-formed in $\mathcal{C}$ (union rule of Definition 4.3), we have:

$$\forall \alpha \in \mathcal{A}(\rho^+).\ F(\alpha, \rho^+) = F(\alpha, \rho_n^+) \sqcap F(\alpha, e^+) \qquad (53)$$

From 50 and 53 we have:

$$\forall \alpha \in \mathcal{A}(\rho^+).\ (F(\alpha, \rho^+) \sqsupseteq \ulcorner \alpha \urcorner) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner) \qquad (54)$$

From 51 and 54 we have:

$$\forall \alpha \in \mathcal{A}(m).\ (F(\alpha, m) \sqsupseteq \ulcorner \alpha \urcorner) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner) \qquad (55)$$

From 44, the induction assumption 45 and 55, we have for all $m \in \mathcal{M}$ and all $\rho \in [\![p]\!]$:

$$\rho \models_{\mathcal{C}} m \Rightarrow (\forall \alpha \in \mathcal{A}(m).\ (F(\alpha, m) \sqsupseteq \ulcorner \alpha \urcorner) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner))$$

That is:

$$\forall m \in \mathcal{M}.\ [\![p]\!] \models_{\mathcal{C}} m \Rightarrow \forall \alpha \in \mathcal{A}(m).\ (F(\alpha, m) \sqsupseteq \ulcorner \alpha \urcorner) \vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner)$$

Theorem 4.16. (Correctness of increasing protocols) Let $F$ be a $\mathcal{C}$-reliable interpretation function and $p$ an $F$-increasing protocol. Then $p$ is $\mathcal{C}$-correct with respect to the secrecy property.

Proof 5 is the proof of Theorem 2.7 given in Section 2 of the main text, with Definition 4.7 and Lemma 4.15 in place of Definition 2.5 and Lemma 2.6, and is not repeated here.
