correctness proofs and counter-model generation with authentication-protocol logic koji hasebe...

Correctness Proofs and Counter-model Generation with Authentication-Protocol Logic

Koji HasebeMitsuhiro Okada

Department of Philosophy, Keio University

Background Security protocols:

Communication over insecure network Cryptography used for authentication,

secrecy, etc.

Formal analysis of security protocols: Assume perfect encryption Assume existence of intruder who may ...

• See all exchanged messages• Delete, alter, inject and redirect messages• Initiate new communications• Reuse messages from past sessions

An Example: A process of the Needham-Schroeder Protocol

BAN },{ 1

ANN },{ 21

BN }{ 2

Initiator Responder

The protocol aims to provide sharing secret data and .1N 2N

(1)

(2)

(3)

An Example: A process of the Needham-Schroeder Protocol

BAN },{ 1

ANN },{ 21

BN }{ 2

Initiator Responder

The protocol aims to provide sharing secret data and .1N 2N

(1)

(2)

(3)

Alice’s identityFresh random value generated by Alice

Encryption with Bob’s public key

The agreement property

},{

},{

}{

Initiator Responder

sends receives

sendsreceives

sends receives

},{

},{

}{

1N

1N

1N

1N

A A

2N

2N 2N

2N

B

B B

B

A A

A

A

A

B

B

B

Instantiation Instantiation1R 2R

21,,, NNBA(Here are constants,.)]:,:,:,:[ 2211 NnNnBQAP and substitution

Initiator’s role Responder’s role

21,,, nnQP(Here are variables.)


},{

},{

}{

Initiator Responder

sends receives

sendsreceives

sends receives

},{

},{

}{

1n

1n

1n

1n

P P

2n

2n 2n

2n

Q

Q Q

Q

P P

P

P

P

Q

Q

Q

1R 2R


},{

},{

}{

Initiator Responder

sends receives

sendsreceives

sends receives

},{

},{

}{

1N

1N

1N

1N

A A

2N

2N 2N

2N

B

B B

B

A A

A

A

A

B

B

B

For any substitution and for any process , if contains

execution of responder’s role and an initiator’s execution

according to , then contains .1R

1R2R

Definition: has agreement property w.r.t. 1R 2R

An attack on the NS protocol [Lowe, 1996]

IAN },{ 1

IN }{ 2

BAN },{ 1

BN }{ 2

From Bob's view, Bob believes that Alice communicates with Bob, but actually Alice communicates with Intruder.

This attack has nothing to do with cryptography.

(1)

ANN },{ 21

Alice BobIntruder

(1’)

(2)

(3)

(3’)

Proving vs Model Checking (Two approaches for protocol verifications)

Inference rule-based deductive approaches: BAN logics (Burrows-Abadi-Needham, 1989) Protocol logics (or Compositional logics)etc.

Trace-based semantic approaches: MSR (Cervesato-Durgin-Lincoln-Mitchell-Scedrov, 1999) Strand space (Thayer Fabrega-Herzog-Guttman, 1998)

etc.

Protocol Logics

Inference systems to prove protocols correct Primitive actions (“sending”, “receiving”, “generating”, etc.) ar

e described as predicate symbols

Some properties about nonces and keys are formalized as non-logical axioms

Prove correctness in the logical system

Durgin-Mitchell-Pavlovic (2001),Datta-Derek-Mitchell-Pavlovic (2003-),Cervesato-Meadows-Pavlovic (2004-), Hasebe-Okada (2004)

Proving Model Checkingvs

Proving

By completeness proof based on the proof-search (i.e., bottom-up proof construction) method

Model Checking=

Proof-search of a query (which represents a correctness property)

Obtain a formal proof of the query

Obtain concrete attacks on the protocol

If provable If not provable, then counter-example

By completeness proof based on the proof-search (i.e., bottom-up proof construction) method

Proving Model Checking=

Provable case Bottom-up proof search

Axioms

| Agreement formula

Unprovable case

Axioms

| Agreement formula

Bottom-up proof search

Counter-example

Proof search outputs

Provable

Counter-examples

Proof search outputs

Provable

Counter-examples

Realizable counter-examples (=attacks)

Use Comon-Treinen’s algorithm for the intruder deduction problem (2003)

Main results for agreement property with a bounded number of sessions

1. Basic part of Protocol Logic is describable in first-order predicate logic.

2. First-order proof search-based completeness proof is applicable to our Basic Protocol Logic,

hence, usable for proving correctness and detecting attacks at once.

3. Provability of correctness property is decidable (by finite domain property).

1. Basic Protocol Logic (or BPL, for short)

2. Proof search-based completeness proof

3. Example of our proof construction / counter-example generation

Sorts: name, nonce, message, (key) Terms:

Atomic terms:

• : atomic terms of sort (principal) name

• : atomic terms of sort nonce

• : variables of sort message

• All atomic terms of sort name and nonce are terms of sort message.

Compound terms of sort message:

,,,,, QPBA

,,,,, 2121 nnNN

Language of Basic Protocol Logic (1)

1}{,}{,,,1 PPk mmmm

,,,', 21 mmmm

Formulas: Atomic formulas:

Trace formula: a sequence of primitive actions (denoted by , or ) (Here we use sends, receives, generates as primitive actions.)

Equality and subterm relations ( )

Compound formulas: Made by first-order logical connectives

Language of Basic Protocol Logic (2)

QQQPP nreceivesQnsendsPngeneratesP }{;}{;;; 321

kPk

P ;;11

',' mmmm

(P generates before P sends before Q receives .)Qn}{ Qn}{n

e.g.

Base: Axioms of frist-order predicate logic with equality Rules for trace formulas:

(for )

Logical Axioms of BPL

n 1

(where are the list of order-preserving merges of and )n ,,1

)( vvttuussm

example: 2211221121212121 ;;;;;;;;;;;

(the list of order-preserving merges)

is axiom

Axioms of universal sentences over terms (known as decidable [Venkataraman 87]):

if is valid in free term algebra.vvttuuss

An example of the non-logical axioms: Nonce Verification axiom (Cf. Authentication-tests based Strand space)

does not include (i.e., is not a forwarded message).

m3m4 (P sends {m2}Q;Q receives m3;Q sends m4;P receives m5

{m2}Q m3 n1 m4 ) ]

5152121521 }{[ mnmreceivesPmnmsendsPngeneratesPmmPQn Q

is the only message sent by P which includes .1n2m

5m Qm }{ 2 5m

Intuitive meaning:

PQm }{ 2 )s.t.( 21 mn

)s.t.( 51 mn5m

An example of the non-logical axioms: Nonce Verification axiom (Cf. Authentication tests based strand space)



{m2}Q m3 n1 m4 ) ]



5m Qm }{ 2 5m

Intuitive meaning:

P QQm }{ 2 )s.t.( 21 mn

)s.t.( 51 mn5m

3m )}{s.t.( 32 mm Q

4m )s.t.( 41 mn

decrypt

send back

Qm }{ 2

1n

PQn1m2m5 [ P generates n1 P sends {m2}Q n1 m2 P receives m5 n1 m5

m6(P sends m6 n1 m6 m6 m2)

{m2}Q m5


{m2}Q m3 n1 m4 ) ]



{m2}Q m3 n1 m4 ) ]



5m Qm }{ 2 5m

First order formalization:

An example of the non-logical axioms: Nonce Verification axiom (Cf. Authentication tests based strand space)

21nQn

A’s honesty:

(( A performs no action )

( A performs

and A does not perform any other actions)

( A performs

and A does not perform any other actions))

QAQ nsendsAnnreceivesAAnsendsAngeneratesA }{;},{;},{; 22111

QAnsendsAngeneratesA },{; 11

A’s run

(0)

(A performs no action) 1ngeneratesA QAnsendsA },{ 1 AnnreceivesA },{ 21

(1) (2)

)0(

)1(

)2(

QnsendsA }{ 2

An example of Honesty(The Needham-Schroeder protocol) B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

))]},{(

)}{},{(

)(

}{;},{;},{;(

))(

)},{(

)(

},{;(

))()()([(

21

21

1

22111

1

1

11

21

A

QQ

QAQ

Q

Q

nnmmreceivesAm

nmAnmmsendsAm

nnngeneratesAn

nsendsAnnreceivesAAnsendsAngeneratesA

mreceivesAm

AnmmsendsAm

nnngeneratesAn

AnsendsAngeneratesA

mreceivesAmmsendsAmngeneratesAnnQn

A’s honesty (described in BPL)

)0(

)1(

)2(

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

Formalization of Honesty(The Needham-Schroeder protocol)

Main Results on BPL

Complete for a certain formal trace semantics.

Decidable for Provability of the query (which represents an agreement property).

Applicable to counter-example generations (i.e., flaw detections)

: name domain : nonce domain : free term algebra domain on and along with , , : a sequence of primitive actions : valuation

is extended to interpretation:

Truth conditions:

Formal Trace-Based Semantics

ND

),)}({())(),(()),((,)(,)( )( APN ttAKtAKDADN ))(),(());(),(();( 2121 mBceivesRemASendsmreceivesBmsendsA

),,,( NP DDM

)(|),,,( NP DD

MD

PD

PD ND , ),(K ),(1K

etc.

PN DPDn )(,)(

MNP DststDD on )()(|),,,(

MNP DststDD on )()(|),,,(

A formal trace model:

Completeness Theorem

For any query (which represents an agreement property), the formula is provable in BPL iff it is true for any model

).,,,( NP DDM

Completeness Proof (1) Proof-Search Tree Construction

Proof-search (i.e., bottom-up proof construction) is based on the sequent calculus of first-order predicate logic

Proof-search tree is constructed in Rounds: (Each round decomposes the outermost logical

symbols.)

Round 0 : put the query at the bottom of the tree

Round i : apply the rules for logical connectives (then go to Round i+1 unless the current topmost sequent is closed, i.e., matches an axiom.) |

Completeness Proof (1) Proof-Search Tree Construction

Bottom-up proof search

Axioms

| Agreement formula

Counter-example

Completeness Proof (2)

Main Lemma

For any given query (which represents an agreement property), if its proof-search tree includes a branch which is not closed at the end of Round 3, then there exists a counter-model for the query.),,,( NP DDM


Construction of Counter-Models A model which is obtained from a topmost non-

closed sequent at the end of Round 3 (say, ) is as follows:),,,( NP DDM

|1. Take the set of literals from and , and solve the satisfaction

problem of these literals.

2. Decompose each literal which consists of compound terms. (e.g., and )

3. Take representatives as and .

PA nN }{}{ 11 11 nN PA

PD ND

:

, .

, .

.

Interpretations for compound terms and formulas are defined by inductions.

)()( *

NDnn

NDNN *)(

)()( *MDtm

PDPP *)(

PDAA *)(

(where is the representative of the equivalence class of )

*t

t

)(:

))''(''(' msendsAmm )'( tmmsendsAm


Essential IdeaLet T be the set of terms in Round 3. For any variable (say, ) which appears above Round 3, an equation m=t with some t T always appears in the left side.

Search domain does not increase above Round 3.

)( tmmsendsAm

(closed)

left

left

left

( : new variable)

,1msendsA

),''('' msendsAm

tmmsendsA 11,1msendsA

)( tmmsendsAm

,1msendsA 1msendsA ,1msendsA tm 1,4 4| ,5 5| ,3 3|

,2 2| ,1 1|

|, ,(in Honesty)(Axiom of formula)

Query:

02

1m

1m

DecidabilityFrom Main Lemma and Soundness:

If a query is provable in BPL, then the proof-construction procedure terminates by Round 3.

Counter-Example Generations (1) Realizable Traces We cannot directly consider counter-models to

be an attack on the protocol in question, because some of them cannot be realizable.

Use Comon-Treinen’s algorithm for the intruder deduction problem (2003).

;},{;;},{;},{;},{ 2122111 AABQ NNsendsBNgeneratesBNNreceivesAANreceivesBANsendsA

(An example of the unrealizable trace)

Counter-Example Generations (2) Realizable Traces

Provable

Counter-examples

Realizable counter-examples (=attacks)

Proposition

For any given query, we can determine whether there exists a realizable counter-example (i.e., a concrete attack on the protocol in question) whenever we set any upper-bound on the number of sessions.

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

Example: Proof construction and counter-example generation of the Needham-Schroeder

),(BOnlyResp

BAB NrecBNNsendsBNgenBANrecB }{;},{;;},{ 22121

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

Query:If B (responder) executes a run of his role

with (i.e., communicating with A using and ).

):,:,:,:( 2211 NnNnQBAP 1N 2N

2R

),(BOnlyResp


B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

Query:If B (responder) executes a run of his role


):,:,:,:( 2211 NnNnQBAP 1N 2N

2R

“B behaves as responder.”

)}{},{(

)},{(

)(

21

21

2

BB

A

NmANmmreceivesBm

NNmmsendsBm

NnngeneratesBn

Intuitively, means that B performs only the responder’s actions.

)(BOnlyResp

)(BOnlyResp

),(BOnlyResp


)(AHonestInit

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

Query:

A is honest (i.e., A always acts as initiator).

If B (responder) executes a run of his role


):,:,:,:( 2211 NnNnQBAP 1N 2N

2R

),(BOnlyResp


)(AHonestInit

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

Query:




):,:,:,:( 2211 NnNnQBAP 1N 2N

2R

))]},{(

)}{},{(

)(

}{;},{;},{;(

))(

)},{(

)(

},{;(

))()()([(

21

21

1

22111

1

1

11

21

A

QQ

QAQ

Q

Q

nnmmreceivesAm

nmAnmmsendsAm

nnngeneratesAn

nsendsAnnreceivesAAnsendsAngeneratesA

mreceivesAm

AnmmsendsAm

nnngeneratesAn

AnsendsAngeneratesA

mreceivesAmmsendsAmngeneratesAnnQn

A’s honesty:)(AHonestInit

),(BOnlyResp


)(AHonestInit BBAA

BB

NrecBNsendsANNrecANNsendsB

NgenBANrecBANsendsANgenA

}{;}{;},{;},{

;;},{;},{;

222121

2111

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

Query:


then A executes the run of her role, and A and B agree on the order of the messages

exchanged.



):,:,:,:( 2211 NnNnQBAP 1N 2N

2R

1R

)(BOnlyResp


),(AHonestInit BBAA

BB



}{;}{;},{;},{

;;},{;},{;

222121

2111

,},{ 21 ANNmmrecA ),},{( 21 AnnmmrecAm

QBnNnN ,, 2211

,1 1BQAA

BQ

NrecBnsendsAnnrecANNsendsB

NgenBANrecBAnsendsAngenA

}{;}{;},{;},{

;;},{;},{;

222121

2111

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

)(BOnlyResp


),(AHonestInit BBAA

BB



}{;}{;},{;},{

;;},{;},{;

222121

2111


QBnNnN ,, 2211

,1 1BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

BA NrecBNNsendsBNgenB }{},{ 2212

then by the Nonce Verification axiom

)},{( 212 ANNmmNmsendsBm

)},{}{;;},{( 21221 ABA NNmNrecBmrecANNsendsBm

)(BOnlyResp


),(AHonestInit BBAA

BB



}{;}{;},{;},{

;;},{;},{;

222121

2111


QBnNnN ,, 2211

,1 1BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

An order preserving merge of

BAB ANrecBNNsendsBNgenBANrecB },{;},{;;},{ 22121

QAQ nsendsAnnrecAAnsendsAngenA }{;},{;},{; 22111

(derived from ))(AHonestInit

)(BOnlyResp


),(AHonestInit BBAA

BB



}{;}{;},{;},{

;;},{;},{;

222121

2111


QBnNnN ,, 2211

,1 1

left-

,},{ 21 ANNmmrecA ,},{ 21 AnnmmrecA

,2 2

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

QBnNnN ,, 2211

)(BOnlyResp


),(AHonestInit BBAA

BB



}{;}{;},{;},{

;;},{;},{;

222121

2111


QBnNnN ,, 2211

,1 1

left-


,2 2

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

QBnNnN ,, 2211

Obtained by instantiation for

|)},{(, 21 AnnmmrecAm

|},{,,},{,},{, 2121222111 AkkAA nnttrecAnnttrecAnnttrecA

where is the list of terms such that

The length is less than or equal to the maximal length of terms appearing in the query.

Each is constructed by atomic terms appearing in the lower sequent.

ktt ,,1

it

m

left-

)(BOnlyResp


),(AHonestInit BBAA

BB



}{;}{;},{;},{

;;},{;},{;

222121

2111


QBnNnN ,, 2211

,1 1

left-


,2 2

-left

,3,mrecA

mrecA 3

,},{ 21 Annm 4,mrecA ,},{ 21 ANNm

QB ,4

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

QBnNnN ,, 2211

,11 nN ,22 nN

)(BOnlyResp


),(AHonestInit BBAA

BB



}{;}{;},{;},{

;;},{;},{;

222121

2111


QBnNnN ,, 2211

,1 1

left-


,2 2

-left

,3,mrecA

mrecA 3left-

,3 ,mrecAmrecA3

closed ,},{ 21 Annm 4,mrecA ,},{ 21 ANNm

QB ,4

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

QBnNnN ,, 2211

,11 nN ,22 nN

)(BOnlyResp


),(AHonestInit BBAA

BB



}{;}{;},{;},{

;;},{;},{;

222121

2111


QBnNnN ,, 2211

,1 1

left-


,2 2

-left

,3,mrecA

mrecA 3left-

,3 ,mrecAmrecA3


QB

This branch is not closed.

,4

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

QBnNnN ,, 2211

,11 nN ,22 nN

QBnNnNNNmnnm AA 22112121 },{},{

is not valid in the free term algebra.

)},{},{( 2211212121 QBnNnNNNmnnmQnmn AA

is not axiom.

)(BOnlyResp


),(AHonestInit BBAA

BB



}{;}{;},{;},{

;;},{;},{;

222121

2111


QBnNnN ,, 2211

,1 1

left-


,2 2

-left

,3,mrecA

mrecA 3left-

,3 ,mrecAmrecA3


QB ,4

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

QBnNnN ,, 2211

,11 nN ,22 nN

(with )QBnNnN ,, 2211

BQAA

BQ

ANrecBnsendsAnnrecANNsendsB


},{;}{;},{;},{

;;},{;},{;

222121

2111

Countermodel

)(BOnlyResp


),(AHonestInit BBAA

BB



}{;}{;},{;},{

;;},{;},{;

222121

2111


QBnNnN ,, 2211

,1 1

left-


,2 2

-left

,3,mrecA

mrecA 3left-

,3 ,mrecAmrecA3


QB ,4

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},{;},{

;;},{;},{;

222121

2111

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NS protocol

QBnNnN ,, 2211

,11 nN ,22 nN

(with )QBnNnN ,, 2211

BQAA

BQ

ANrecBnsendsAnnrecANNsendsB


},{;}{;},{;},{

;;},{;},{;

222121

2111

Countermodel

QAN },{ 1

QN }{ 2

BAN },{ 1

BN }{ 2

(1)

ANN },{ 21

A BQ

(1’)

(2)

(3)

(3’)

Lowe’s attack

B

A

B

NBA

NNAB

ANBA

}{:.3

},{:.2

},{:.1

2

21

1

The NSL protocol

Lowe’s modification of the NS protocol:

B

A

B

NBA

BNNAB

ANBA

}{:.3

},,{:.2

},{:.1

2

21

1

The NSL protocol

Lowe’s modification of the NS protocol:

Insert the sender’s name

Insertion of the sender’s name makes impossible the Lowe’s attack, because...

IAN },{ 1

IN }{ 2

BAN },{ 1

BN }{ 2

ABNN },,{ 21

Alice BobIntruder

In this scenario, A believes that she communicates with I, but she can detect that the message is actually sent by B.

)(BOnlyResp

BAB NrecBBNNsendsBNgenBANrecB }{;},,{;;},{ 22121

),(AHonestInit BBAA

BB

NrecBNsendsABNNrecABNNsendsB


}{;}{;},,{;},,{

;;},{;},{;

222121

2111

,},,{ 21 ABNNmmrecA ),},,{( 21 AQnnmmrecAm

QBnNnN ,, 2211

,1 1

left-

,},,{ 21 ABNNmmrecA ,},,{ 21 AQnnmmrecA

,2 2

-left

,3,mrecA

mrecA 3left-

,3 ,mrecAmrecA3

closed ,},,{ 21 AQnnm 4,mrecA ,},,{ 21 ABNNm

QB ,4

BQAA

BQ

NrecBnsendsAQnnrecABNNsendsB


}{;}{;},,{;},,{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},,{;},,{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},,{;},,{

;;},{;},{;

222121

2111

B

A

B

NBA

BNNAB

ANBA

}{:.3

},,{:.2

},{:.1

2

21

1

The NSL protocol

QBnNnN ,, 2211

,11 nN ,22 nN

)(BOnlyResp


),(AHonestInit BBAA

BB



}{;}{;},,{;},,{

;;},{;},{;

222121

2111


QBnNnN ,, 2211

,1 1

left-


,2 2

-left

,3,mrecA

mrecA 3left-

,3 ,mrecAmrecA3


QB

This branch is closed.

,4

BQAA

BQ



}{;}{;},,{;},,{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},,{;},,{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},,{;},,{

;;},{;},{;

222121

2111

B

A

B

NBA

BNNAB

ANBA

}{:.3

},,{:.2

},{:.1

2

21

1

The NSL protocol

QBnNnN ,, 2211

,11 nN ,22 nN

)(BOnlyResp


),(AHonestInit BBAA

BB



}{;}{;},,{;},,{

;;},{;},{;

222121

2111


QBnNnN ,, 2211

,1 1

left-


,2 2

-left

,3,mrecA

mrecA 3left-

,3 ,mrecAmrecA3


QB

This branch is closed.

,4

BQAA

BQ



}{;}{;},,{;},,{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},,{;},,{

;;},{;},{;

222121

2111

BQAA

BQ



}{;}{;},,{;},,{

;;},{;},{;

222121

2111

B

A

B

NBA

BNNAB

ANBA

}{:.3

},,{:.2

},{:.1

2

21

1

The NSL protocol

QBnNnN ,, 2211

,11 nN ,22 nN

The set of literals

is axiom.

QBnNnNBNNmQnnm AA 22112121 },,{},,{

is valid in the free term algebra.

)},,{},,{( 2211212121 QBnNnNBNNmQnnmQnmn AA

In the proof-search tree, there are some open branches, and each topmost sequent is: Left side includes an order-preserving merge of the following trac

e formulas

(where )

are satisfied.

Realizable counter-examples of the NS protocol (1)

BAB

QAQ

trecBttsendsBtgenBAtrecB

tsendsAttrecAAtsendsAtgenA

}{;},{;;},{

}{;},{;},{;

22121

22111

2121

222112211

,

,,,,}{,},{,,

nnNN

QBQABAtmttmnNnN QA

222111 or,or nNtnNt

Realizable counter-examples of the NS protocol (2)

Counter-model

where

an order-preserving merge of the following formulas

),,,( NP DDM

},{,},,{ 21 NNDQBAD NP

21,,, NNQBQABA

BAB

QAQ

trecBttsendsBtgenBAtrecB

tsendsAttrecAAtsendsAtgenA

}{;},{;;},{

}{;},{;},{;

22121

22111

Conclusions and Future Work Gave an inference system for proving protocols c

orrect based on first-order predicate logic Showed completeness and decidability Presented how to construct proofs / generate co

unter-examples

Implementation for automation Compositionality issue for automated protocol d

esign

correctness proofs and counter-model generation with authentication-protocol logic koji hasebe...

Documents

formal proof

ns protocol lowe

semantic approaches

deductive approaches

countermodel generation

logical systemdurginmitchell

correctness propertyobtain

secret data