Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
98 CHAPTER 4. PROTOCOLS WITH VULNERABLE SIGNATURE SCHEMES<br />
We define two new deduction systems I ′ = 〈F, LI ′, ∅〉 <strong>and</strong> I” = 〈F, LI”, ∅〉.<br />
We remark that I satisfies the definition <strong>of</strong> intruder deduction system as given<br />
in Definition 16 (Chapter 2) <strong>and</strong> in [73], <strong>and</strong> the intruder deduction systems<br />
I ′ , I” satisfy the definition <strong>of</strong> intruder deduction system as given in [72].<br />
Saturation <strong>of</strong> IDSKS <strong>and</strong> IDEO The application <strong>of</strong> the saturation given in Figure<br />
4.1 on LDSKS terminates, <strong>and</strong> yields the following two sets <strong>of</strong> rules, each corresponding<br />
to a step <strong>of</strong> the saturation algorithm (respectively the Initialisation <strong>and</strong><br />
the first step):<br />
L ′ DSKS = LDSKS ∪<br />
⎧<br />
⎪⎨<br />
⎪⎩<br />
L”DSKS = LDSKS ∪<br />
x, Sk ′ (P k(y), sig(x, Sk(y))) → sig(x, Sk(y))<br />
x, sig(x, Sk(y)), P k(y) → 1<br />
x, sig(x, Sk ′ (y1, y2)), P k ′ (y1, y2) → 1<br />
x, sig(x, Sk(y)), P k ′ (P k(y), sig(x, Sk(y))) → 1<br />
� x, Sk(y) → sig(x, Sk(y))<br />
x, Sk ′ (P k(y), sig(x, Sk(y))) → sig(x, Sk(y))<br />
<strong>and</strong>, the application <strong>of</strong> the saturation given in Figure 4.1 on LDEO terminates,<br />
<strong>and</strong> yields the following two sets <strong>of</strong> rules, each corresponding to a step <strong>of</strong> the<br />
saturation algorithm (respectively the Initialisation <strong>and</strong> the first step):<br />
L ′ DEO = LDEO∪<br />
⎧<br />
⎪⎨<br />
⎪⎩<br />
x, sig(x, Sk(y)), P k(y) → 1<br />
x, sig(x, Sk”(y1, y2)), P k”(y1, y2) → 1<br />
f(P k(y), sig(x, Sk(y))), sig(x, Sk(y)), P k”(P k(y), sig(x, Sk(y))) → 1<br />
f(P k(y), sig(x, Sk(y))), Sk”(P k(y), sig(x, Sk(y))) → sig(x, Sk(y))<br />
L”DEO = LDEO∪{f(P k(y), sig(x, Sk(y))), Sk”(P k(y), sig(x, Sk(y))) → sig(x, Sk(y))}<br />
From the intruder systems IDSKS <strong>and</strong> IDEO, we define four new intruder<br />
systems:<br />
I ′ DSKS = 〈FDSKS, L ′ DSKS , ∅〉,<br />
I”DSKS = 〈FDSKS, L”DSKS, ∅〉,<br />
I ′ DEO = 〈FDEO, L ′ DEO , ∅〉 <strong>and</strong>,<br />
I”DEO = 〈FDEO, L”DEO, ∅〉.<br />
We remark that IDSKS <strong>and</strong> IDEO satisfy the definition <strong>of</strong> intruder deduction<br />
system as given in Definition 16 (Chapter 2) <strong>and</strong> in [73], <strong>and</strong> the intruder<br />
deduction systems I ′ DSKS , I′ DEO , I”DSKS, I”DEO<br />
intruder deduction system as given in [72].<br />
satisfy the definition <strong>of</strong><br />
In the rest <strong>of</strong> this chapter, we assume that H, R, L, L ′ , L”, I, I ′ , <strong>and</strong> I”<br />
to be either respectively HDSKS, RDSKS, LDSKS, L ′ DSKS , L”DSKS, IDSKS, I ′ DSKS ,<br />
I”DSKS or respectively HDEO, RDEO, LDEO, L ′ DEO , L”DEO, IDEO, I ′ DEO<br />
, I”DEO.