Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
48 CHAPTER 2. PROTOCOL ANALYSIS USING CONSTRAINT SOLVING<br />
�<br />
for all i. Since θ ∈ SolV ar(U ′ ), we deduce that θ |=H U ′ , <strong>and</strong> hence θ |=H U.<br />
This implies that θτ |=I U, then (θτ)↓ |=I U <strong>and</strong> thus σ |=I U, which<br />
concludes the pro<strong>of</strong> <strong>of</strong> (2).<br />
2.2 <strong>Cryptographic</strong> protocols<br />
In this section, we introduce how we model protocols.<br />
2.2.1 Specification <strong>of</strong> protocols<br />
A k-party protocol consists in k roles glued together with an association that<br />
maps each step <strong>of</strong> a role that expects a message m to the step <strong>of</strong> another role<br />
where the message m is produced. This association essentially defines how the<br />
execution <strong>of</strong> the protocol should proceed in the absence <strong>of</strong> the intruder. We give<br />
next the high level specification <strong>of</strong> a protocol.<br />
Definition 29 (Protocol) The high level specification <strong>of</strong> a k-party protocol is given by<br />
a scenario, sequence <strong>of</strong> rules <strong>of</strong> the form “R1 ⇒ R2 : m ′′ with R1, R2 are two roles <strong>and</strong><br />
m ∈ T (F, X ) is the exchanged message. This scenario describes how the execution <strong>of</strong> a<br />
protocol should proceed in the absence <strong>of</strong> the intruder.<br />
Example 9 The Needham-Schroeder symmetric key protocol [163] (presented in chapter<br />
1, at Section 1.3) is specified as follows:<br />
⎧<br />
1. A ⇒ S : 〈A, 〈B, NA〉〉<br />
⎪⎨ 2. S ⇒ A : enc<br />
PNS :<br />
⎪⎩<br />
s (〈NA, B, KAB, encs (〈KAB, A〉, KBS)〉, KAS)<br />
3. A ⇒ B : encs (〈KAB, A〉, KBS)<br />
4. B ⇒ A : encs (NB, KAB)<br />
5. A ⇒ B : encs (NB − 1, KAB)<br />
NA (respectively NB) represents the nonce freshly created by A (respectively B), KAS<br />
(respectively KBS) represents the secret key shared between A (respectively B) <strong>and</strong> the<br />
trusted server, <strong>and</strong> KAB the session key shared between A <strong>and</strong> B.<br />
In this protocol, we have three roles, the trusted server (S), sender’s role (A) <strong>and</strong><br />
receiver’s role (B).<br />
Definition 30 (Specification <strong>of</strong> role) A role R is given by a couple<br />
({vi ⇒ Si; Ui} i∈I , KR) where:<br />
• for every i, vi ∈ X , Si ∈ T (F, X ), <strong>and</strong> Ui is an unification system,