Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
Logical Analysis and Verification of Cryptographic Protocols - Loria
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
2.2. CRYPTOGRAPHIC PROTOCOLS 49<br />
• KR is a set <strong>of</strong> terms in T (F, X ) describing the knowledge <strong>of</strong> the role R,<br />
• {vi ⇒ Si; Ui}i∈I is the set <strong>of</strong> rules describing the behaviour <strong>of</strong> that role, that is the<br />
set <strong>of</strong> actions that he should follow, <strong>and</strong><br />
• I is a totally ordered set <strong>of</strong> integers.<br />
For simplicity, we assume I = {1, 2, . . .}. A rule vi ⇒ Si; Ui means: at step i,<br />
the role will receive a message, stored in vi, <strong>and</strong> then send a message represented by<br />
Si if the tests represented by Ui succeed. At each step i, the message Si is created by<br />
the role from his initial knowledge, from the previously received messages stored in<br />
v1, . . . , vi, <strong>and</strong> from fresh created values. A fresh value is represented by a variable<br />
appearing in Si <strong>and</strong> not in {v1, . . . , vi}. The set <strong>of</strong> fresh values for the role R is the set<br />
� ♮I<br />
i=1 (V ar(Si) \ {v1, . . . , vi}). We denote by parameters <strong>of</strong> a role R the set constructed<br />
from his initial knowledge KR, <strong>and</strong> his fresh values. We then remark that each variable<br />
in Si is either in {v1, . . . , vi} or represents a parameter. The fact that I is totally ordered<br />
means that the rules describing the role are sequential, <strong>and</strong> they are executed in a specific<br />
order given by the protocol. A role represents an abstract participant in the protocol,<br />
<strong>and</strong> thus in the description <strong>of</strong> a role, we do not specify which concrete participant plays<br />
the role. We remark that a role can be played by many concrete participants <strong>and</strong> the<br />
same concrete participant can play many roles or the same role many times. We observe<br />
that a “receive” is always coupled with a “send”. This is because we suppose that if a<br />
received message is as expected, the role will send his response.<br />
Example 10 We consider the Needham-Schroeder symmetric key protocol described in<br />
Example 9. In that protocol, we have three roles: the trusted server (S), sender’s role<br />
(A) <strong>and</strong> receiver’s role (B). The role server (or S) is given by the tuple constructed as<br />
follows:<br />
• KS = {A, B, S, KAS, KBS, KAB},<br />
• <strong>and</strong> the set <strong>of</strong> rules is:<br />
S1 : v1 ⇒ encs (〈π2(π2(v1)), 〈π1(π2(v1)), 〈Kπ1(v1)π1(π2(v1)), encs (〈Kπ1(v1)π1(π2(v1)),<br />
π1(v1)〉, Kπ1(π2(v1))S)〉〉〉, Kπ1(v1)S);<br />
?<br />
= 〈X1, Y1, Z1〉<br />
v1<br />
The role sender (or A) is given by a tuple constructed by the follow:<br />
• KA = {B, S, A, NA, KAS},<br />
• <strong>and</strong> the set <strong>of</strong> rules is:<br />
A1 : ∅ ⇒ 〈A, 〈X2, NA〉〉; ∅<br />
A2 : v2 ⇒ π2(π2(π2(decs ?<br />
(v2, KAS)))); v2 = encs A3 :<br />
(〈NA, 〈X2, 〈Y2, Z2〉〉〉, KAS)<br />
v3 ⇒ encs (decs (v3, π1(π2(π2(decs (v2, KAS))))) − 1, π1(π2(π2(decs (v2,<br />
?<br />
= encs (X ′ 2, π1(π2(π2(decs (v2, KAS)))))<br />
KAS))))); v3