Validating Attacks on Authentication Protocols
Anders Moen Hagalisletto
Department of Informatics, University of Oslo
Abstract
It is possible to show that well-known attacks on authentication protocols are flawed. This is a problem,
since good protocols may thus be dismissed rather than
improved and poor protocols that might continue to
be used although they may contain irreparable errors.
This paper describes a novel method for validating attacks on authentication protocols, based on a strategy
for checking that all elements of the attack have been
legally obtained. A Maude-program which implements
the method, identified errors in attacks on the Wide
Mouthed Frog and Yahalom authentication protocols.
More generally, the paper shows that the method will
find all errors in attacks that originates from incompleteness of cryptographic assumptions. The main implications is that new attacks can be effectively validated
even when an exhaustive state-space analysis becomes
infeasible. We expect that in the future, validation will
be an obligatory part in effectively checking the soundness of any attacks on security protocols.
1. Introduction
In this paper we present a new efficient method for
analyzing attack descriptions. A tool based on this
method has been implemented in the functional language Maude. Protocol analysis is a very active research area involving fully automated state space analysis used to search for possible attacks on protocols
([7], [11], [8], [5], [2]). The tool checks whether each element in the attack has been obtained in a legal way by
communication and cryptographic principles. This validation can provide important answers regarding protocols, where state space analysis becomes infeasible.
Validation can be used to make informal design principles of security protocol specification explicit and formal, and thereafter check whether attacks are correct.
Note that validation can not find new attacks, only
check whether existing attacks are correct. Our experience so far indicates that attack descriptions should be
Attack
Description
P
Validator
Automated
Refinement
P’
Ok
P’’
freshness
Validation
Algorithm
Non valid
Debugging/redesign
Failure
Report
Figure 1. Process flow of validation.
described as accurately as protocols and their correctness should be analyzed as formally as protocols: The
tool has recently revealed that seven of 23 attacks in
the report “A Survey of Authentication Protocol Literature: Version 1.0” by Clark and Jacob [4] (denoted
Clark/Jacob) contain flaws [10].
To the best of the author’s knowledge, explicit validation of attacks has not been performed before. Many
tool providers claim to have performed implicit validation, as an integrated part of their model checkers ([3],
[7]) Several authors, in particular Martin Abadi [1], has
emphasized the importance of being explicit about the
underlying assumptions in authentications protocols.
In specifications languages like CAPSL [6] and Casper
[12], and HLPSL [3], the protocol specifier is first invited to include initial assumptions about which keys,
nonces and timestamps that are used in the specification and then finally the security goals regarding secrecy of data and authentication of agents that should
be met in the protocols. Our investigation shows that
this is not enough, assumptions about the local behaviour of agents should be specified explicitly, and inserted in-between the clauses for message transmission.
The validator is part of the precompiler for the protocol simulator PROSA. The simulator is implemented
in Maude, which is a functional language based on
rewriting logic [13]. The high level flow of the validation process is specified in Figure 1. Initially an attack description is specified in the high level protocol specification language LP , which is based on temporal epistemic logic. The attack description P is the
input of the automated refinement algorithm. Auto-
mated refinement makes explicit every implicit assumption in P, about required beliefs about keys, awareness
of agents, etc. There are two kind of assumptions, assertions about the local beliefs of an agent, and assignments or actions that the agent performs in order to create fresh keys, nonces, timestamps, or to decrypt, encrypt, or hash data in the messages. Assumptions can also be categorized by their roles in the transmission: the assumptions are divided into either the
sender’s preconditions or receiver’s postconditions. The
output of refinement is then a specification P1 . Duplicated assumptions are then removed from P1 and assumptions that must have been created freshly during
the execution is substituted to form P2 . The resulting
refined description P2 is the input to the validation algorithm: The validation algorithm takes advantage of
the fact that the automated refinement algorithm does
not assure that every assumption in the refined specification is obtained in a legal cryptographic way. It is
exactly these cryptographically ungrounded sentences
that the validator algorithm discovers. It is possible to
repair some of the attacks, by using the generated Failure Report. The original flawed description is revised
and the adjusted protocol is validated once more.
The paper is organized as follows: The high level
language for writing attack specifications, is presented
in Section 2. Attack descriptions specified in the language are the input of the automated refinement module, described in Section 3. Validation is described in
Section 4. A detailed analysis of the validation of the
attack on the Yahalom protocol is presented in Section 5.
bols for nonces nptN , aq, time-stamps stampptT , aq, keys
keyps, a, b, xK q, keypa, i, a, xK q, keypa, u, a, xK q. Protocol names µ1 , µ2 might be concatenated: µ1 µ2 . Ground
terms for nonces tN , time-stamps tT , and key-terms
tK , may either denote natural numbers N or variables of the appropriate sort.
Definition 1 Let LP is the least language such that:
piq Each of the following atomic formulas are in LP
ε
the empty sentence
a is an agent
Agentpaq
isKeypk q
k is a key
isNoncepnpN, aqq npN, aq is a nonce
TimepstamppN, aqq stamppN, aq is a timestamp
rolepbq
b is a protocol role
piiq If ϕ, ψ, ξT , ξA, ξS P LP , then so are;
ϕ, ϕ Ñ ψ
propositional logic
Transmitpa, b, ϕq a sends ϕ to b
a believes ϕ
Bela pϕq
ϕU ψ
ϕ holds until ψ holds
E rk : ϕs
encrypt ϕ using key k
decrypt ϕ using key k
Drk : ϕs
Hashrϕs
hash the sentence ϕ
enforce agent a to do ϕ
Enforcea pϕq
protocolrµ, N, ξ T , ξ A, ξ S, Φs protocol operator
2. A language for attack specifications
The connectives ^, _ and Ø are definable in terms
and Ñ and J ϕ Ñ ϕ. The operator Bela pϕq
of
reads “the agent a believes ϕ holds”. In protocol specifications beliefs are used to explicitly state required
cryptographic assumptions. The until operator ϕ U ψ
means that ϕ holds until ψ holds. The operator before B , is definable from U by ϕ B ψ p ϕ U ψ q.
In this section we present technical preliminaries for the rest of the paper.The content the messages consists of basic entities: nonces, timestamps,
text strings, and agent names. In addition there are
three composition operators: concatenation, hashing and encryption. A language for specifying security protocols LP can be defined as follows: LP consists of terms of four sorts, agents, nonces, time-stamps,
keys, and natural numbers. The agent-names are typically written “Alice”, “Bob”, “Server”, agent-variables
are written x, y, x1 , x2 , . . ., and agent-terms a, b, c,
. . . Variables for the other sorts are labeled with the
sort xN (nonce-variable), xT (time-variable), and xK
(key-variable) respectively, when their sorts are emphasized. Constants include protocol names µ, µ1 ,
µ2 , encryption methods for cryptography s (symmetric) and a (asymmetric), in addition to the indicators
i (private) and u (public). There are function sym-
A subset of this language is the set of P-positive
sentences; that includes the atomic sentences, and composite sentences where a modal operator is the uttermost connective (thus every connective in Definition 1
part piiq, except and Ñ).
The sentence Enforcea pϕq, means: “enforce agent
a to perform ϕ”. Enforcement is the only imperative construct in the language, and is used usually with the generation of fresh entities within
the protocol: We augment LP with additional constructs for local construction of fresh entities:
A
A
newKeypkeyps, tA
1 , t2 , M qq, CurrentpstamppN, t qq, and
newNoncepnptN , tA qq. Note that the usage of the nested
operator Enforcex pBelx pψ qq shall be restrictive. The operator protocolrµ, N, ξ T , ξ A , ξ S , Φ s denotes: “protocol named µ with session number N , the total roles ξ T ,
the agent specific roles ξ A , the start-roles ξ S and with
the protocol body Φ”. Trust can be expressed within
LP by: Trustpa, b, ϕq Transmitpb, a, ϕq Ñ Bela pϕq.
2.1. Specification of protocols
Protocols are sequences of instructions in a distributed program, the notion of ordering can be expressed by temporal logic: A protocol is a chain of
events between agents. A chain of events is of the form
ϕ1 B ϕ2 ^ ϕ2 B ϕ3 ^ . . . ^ ϕn1 B ϕn , where each ϕi
is P-positive. The last event ϕn ε, is always the
empty event, marking the end of the protocol specification. Let Φ ϕ B rΦ1 s denote a chain of events written by recursion, hence ϕ is a single event and Φ1 a
chain of events.
Definition 2 If Φ and Ψ are chains of events, then
their concatenation, denoted Φ " Ψ, is given by:
piq Φ " ε Φ ε " Φ
piiq pϕ B rΦ1 sq " Ψ ϕ B rΦ1 " Ψs
We say that a text-book protocol, is a protocol where
each single event is of the form Transmitpxj , xk , ϕq, or
of the form Enforcex pBelx pnewKeypk qqq.
2.2. Attack protocols
The language presented sofar needs few extensions
in order to capture attacks: An attack protocol is a
protocol P, such that some of the transmissions contains occurrences of impersonation terms impI, Aq either as the sender or the receiver of a transmission.
The term impI, Aq reads “I impersonates as A”. In case
TransmitpimpI, Aq, B, M q, the real sender of the message is I, while the message itself claims that A is the
originator. In case TransmitpB, impI, Aq, M q, the message is intercepted by I, and A never receives the message. Protocols that do not contain any occurrence of
impersonation terms are called intended protocols. A
complete survey of the underlying protocol algebra was
given in [9].
The chain of events described in pPreM
A q, characterize
the sender’s preconditions for transmitting the message
pMsgq. The protocol region pPreMA q is a function of the
agent A, the message content M , and the result of refining the previous protocol messages. The chain pPreM
Aq
typically contains local assumptions about required beliefs (or assertions) that the agent A must have in order to be able to form M , or assignments about which
fresh nonces, timestamps, hashes or encryptions that
must be created as ingredients to M .
The chain of events described in pPostM
B q, contains protocol clauses that maximize the receiver’s extraction of information from M . The protocol region
pPostMB q is similarly a function of the receiver B, M ,
and the refinement of the previous messages. The chain
contains first a sentence saying that the receiver is enforced to trust the message content. Then afterwards
comes a sequence of projections and decryptions based
on the keys that the receiver possess. If an encrypted
part M 1 can not be decrypted by an agent a, because of
lack of keys, it is left in the chain as an assertion about
the cipher-text M 1 , that is, it is of the form Bela pM q.
If a transmission involves an impersonation, then the
attacker’s local behavior must be reflected in the preconditions if the attacker fakes an honest agent, or in
the postconditions if the attacker is an eavesdropper.
Consequently we need two functions for interpreting
the impersonation terms, realization of the impersonator or the intended agent. We define the functions t
and t as follows: If t is an agent variable or agent name,
then t t t. If t impt1 , t2 q, then t t1 and t t2 .
Definition 3 If P is a text-book protocol, then P can
be refined into an assumption protocol by ℜA :
pR0 q
pR1 q
pR2 q
3. Automated refinement of attacks
An automated refinement of a text-book specification includes every local assumption about each participant in the attack. Roughly the refinement algorithm works as follows: Given a transmission clause
A ÝÑ B : M , the refinement algorithm constructs a
protocol as follows:
The sender’s assumptions about M .
A ÝÑ B
: M
The receiver’s extraction of information
from M .
pPreMA q
pMsgq
pPostMB q
pR3 q
pR4 q
pR5 q
ℜA pprotocolrµ, N, ξ T , ξ A , ξ S , Φ sq protocolrµ, N, ξ T , ξ A , ξ S , ℜA pΦ, εq s
ℜA pε, P q P
ℜA pTransmitpt1 , t2 , F q B rΦs, P q ℜA pΦ, P " preApt1 , F, P q " pBelt1 pAgentpt2 qq B
Transmitpt1 , t2 , F q B Belt2 pAgentpt1 qq
B Enforcet2 pBelt2 pTrustpt2 , t1 , F qqq B εq
" postApt2 , F, P qq
ℜA pBela pF q B rΦs, P q ℜA pΦ, P " pBela pF q B εqq
ℜA pEnforcea pBela pHashrF sqq B rΦs, P q ℜA pΦ, P " preApa, F, P q "
pEnforcea pBela pHashrF sqq B εqq
ℜA pEnforcea pF q B rΦs, P q ℜA pΦ, P " pEnforcea pF q B εqq
if F Bela pHashrM sq, for every M
The definition of ℜA can be motivated as follows: In the
beginning pR0 q, the function is called with the empty
chain. If the first argument is the empty chain ε, then
ℜA returns the accumulated chain P , and the recursion ends pR1 q. In case the event is a transmission, then
the assumptions required to send the message are generated as preconditions for the sender, and afterwards
the local assumptions about the receivers extraction of
information is constructed, the postconditions for the
receiver pR2 q. The functions performing realizations of
the agent terms, and , ensures that attackers impersonating agents are refined correctly. If the protocol
contains explicit specifications of assumptions in advance, then these assumptions are included in the refined protocol (R3 and R5 ). One exception to this is
hashing (R4 ), if some data is hashed this data should
have been obtained earlier in the protocol session.
3.1. Assumptions regarding transmission
We first present the assumptions, pre- and postconditions for plain-text content hashing, and symmetric keys, and then the extension to public key cryptography is given:
3.1.1. Preconditions - constructing the subprotocol pPreM
t q The assumption function pre constructs
every required assumption necessary for transmitting a
message. First let A denote the following set of atomic
sentences:
tAgentpaq, isKeypkq, isNoncepnq, Timeprq| a is a agent
(term), k is a key, n is a nonce, r is a timestamp, u.
occurred earlier, the principal agent must perform the
hashing. Consider the cases where the uttermost operator is an encryption. The dominating strategy of the
precondition-algorithm will be to try to perform an explicit encryption, whenever this is possible. Case pAE1 q
covers the case where either the secret key is one of the
agent’s keys, or the agent has obtained the key previously in the execution. In both cases the agent should
be able to encrypt the sentence using data from its beliefs, and analyze the plain-text further. If neither of
these is the case, then the sentence can only be possessed by the agent, and the analysis ends pAE2 q.
3.1.2. Postconditions - constructing the subprotocol pPostM
t q The postcondition function post
works by extracting information from a received message, by decomposing the message using projection and
decryption.
Definition 5 The extraction function post is defined
by recursion on the complexity of the message content:
pPAq post pt, F, P q BeltpF q B ε, if F P A
pPCq post pt, F ^ G, P q post pt, F, P q"post pt, G, P q
pPHq post pt, HashrF s, P q ε
pPE1q post py, E rkeyps, x, z q : F s, P q post py, isKeypkeyps, x, z qq, P q
" pEnforcey pBely pDrkeyps, x, z q :
E rkeyps, x, z q : F ssqq B εq " post py, F, P q
if y z _ x z _ Bely pisKeypkeyps, x, z qqq P P
pPE2q postpy, E rkeyps, x, z q : F sq Bely pE rkeyps, x, z q : F sq B ε
if y x ^ y z ^ Belm pisKeypkeyps, y, z qqq R P
A
A
A
A
A
A
A
A
Definition 4 The assumption function pre is defined
by recursion on the complexity of the message content:
pAAq pre pt, F, P q BelxpF q B ε, if F P A
pACq pre pt, F ^ G, P q pre pt, F, P q " pre pt, G, P q
pAH1 q pre pt, HashrF s, P q pre pt, F, P q B ε
if Hash rF s P P
pAH2 q pre pt, HashrF s, P q pre pt, F, P q "
pEnforcetpBeltpHashrF sqq B εq if Hash rF s R P
pAE1 q pre px, E rkeyps, y, z q : F s, P q pre px, F ^ isKeypkeyps, y, z qq, P q "
Enforcex pBelx pE rkeyps, y, z q : F sqq B ε
if x y _ x z _ Belx pisKeypkeyps, y, z qqq P P
pAE2 q pre px, E rkeyps, y, z q : F s, P q Belx pE rkeyps, y, z q : F sq B ε
if x y ^ x z ^ Belx pisKeypkeyps, y, z qqq R P
Clause pAAq and pACq are obvious. Consider therefore
the cryptographic clauses pAH1 AE2 q: In case the opA
A
A
A
E
A
A
E
A
E
A
E
A
A
E
A
E
erator is a hash, there are two cases, the hash has been
introduced previously in the protocol session or it has
not been introduced earlier. In the former case pAH1 q,
the content to be hashed must be possessed by the
agent. In the latter case pAH2 q, since HashrF s has never
Full explicitness is obtained by the clause pPAq and
pPE2q: Every atomic belief is extracted in the post con-
dition in order to be explicit about everything the agent
knows after decryption. This is particularly important
in case of attack protocols, since it is crucial to the
analysis to know exactly what an attacker knows after receiving a message by interception. Projection of
conjunction PC, guarantees that every element is analyzed. Nothing can be extracted from hashed data
pPHq. In clause pPE1 q, the receiving agent y possess
the key either since it is one of its own secret keys, or
y has obtained it previously in the execution. Hence
the agent y is able to decrypt the sentence, and recursively decompose the message into basic assumptions.
Clause pPE2 q takes care of the opposite situation: The
receiving agent is not capable of decrypting the message, hence the information extraction stops, the agent
can only be aware of the cipher-text.
3.2. Public key cryptography extension
The previous algorithm extends easily to public key
cryptography. Note that the extension requires that
there is already an infrastructure for distributing the
public keys.
3.2.1. Preconditions Either the uttermost encryption uses a private key pAE3 AE5 q or a public key
pAE6 , AE7 q. In case of encryption with a private key,
either
1. pAE3 q : x already possesses the key and has not
previously failed analyzing the sentence, hence an
encryption can be made by recursively analyzing
the content F ,
2. pAE4 q : x does not possess the key and has not
previously failed analyzing the sentence, hence an
encryption is not be possible,
3. pAE5 q : x has previously failed analyzing the sentence, no encryption is being made, and since
failure has been reported earlier (E rkeypa, i, y q :
F s PE P ), it is not necessary at this point (hence
ε is returned).
In case the public key is used to encrypt the message we might safely assume that the sender has access to the public key, and is able to encrypt the message, and continue to construct the required assumptions pAE5 , AE7 q.
pAE3 q pre px, E rkeypa, i, yq : F s, P q pre px, F ^ isKeypkeypa, i, y qq, P q "
Enforcex pBelx pE rkeypa, i, y q : F sqq B ε
if px y _ Belx pisKeypkeypa, i, y qqq P P q
^ Belx pE rkeypa, i, yq : F sq R P
pAE4 q pre px, E rkeypa, i, yq : F s, P q Belx pE rkeypa, i, y q : F sq B ε
if px y ^ Belx pisKeypkeypa, i, y qqq R P q
^ Belx pE rkeypa, i, yq : F sq R P
pAE5 q pre px, E rkeypa, i, yq : F s, P q ε
if Belx pE rkeypa, i, y q : F sq P P
pAE6 q pre px, E rkeypa, u, yq : F s, P q pre px, F ^ isKeypkeypa, u, y qq, P q "
Enforcex pBelx pE rkeypa, u, y q : F sqq B ε
if Belx pE rkeypa, u, y q : F sq R P
pAE7 q pre px, E rkeypa, u, yq : F s, P q ε
if Belx pE rkeypa, u, y q : F sq P P
A
A
E
E
A
E
E
A
E
A
A
E
A
E
3.2.2. Postconditions In case the private key is
used to encrypt the message pPE5 q, we might safely
assume that the receiver has access to the public key,
and is able to decrypt the message, and continue to
extract the information from the message. If the public key is used, then the receiver might (case PE3 ) or
might not have the private key (case PE4 ). In the latter case information extraction is aborted, and the receiver can only be aware of the encrypted message.
pPE3 q
pPE4 q
pPE5 q
postApy, E rkeypa, u, z q : F s, P q pBely pisKeypkeypa, u, z qq ^ isKeypkeypa, i, z qqq
B Enforcey pBely pDrkeypa, i, z q :
E rkeypa, u, z q : F ssqq B εq " postApy, F, P q
if y z _ Bely pisKeypkeypa, i, z qqq PE P
postApy, E rkeypa, u, z q : F s, P q Bely pE rkeypa, u, z q : F sq B ε
if y z ^ Bely pisKeypkeypa, i, z qqq RE P
postApy, E rkeypa, i, z q : F s, P q pBely pisKeypkeypa, u, z qqq B
Enforcey pBely pDrkeypa, u, z q :
E rkeypa, i, z q : F ssqq B εq " postApy, F, P q
4. Automated validation of attacks
It is possible to use the resulting refined protocol for
further analysis. It turns out that automated refinement is the “working horse” of validation. There is a
close interplay between the automated validation algorithm and the beliefs obtained through automated refinement. From the presentation of the automated refinement algorithm in Section 3, it is clear that that
the algorithm does apply to text-book specifications
that are not cryptographically correct. The only sanity check that ℜ performs, is whether appropriate keys
have been obtained prior to encryptions and decryptions. In other words, it is possible to refine erroneous
protocols and attacks. We say that a belief statement is
grounded if it is obtained through legal cryptographic
operations or communication. From the definition of
the automated refinement algorithm in Section 3, we
observe that some beliefs in certain protocols might
not be grounded. Ungrounded beliefs might be atomic
facts as well as encrypted sentences. Candidates of ungrounded beliefs involving encrypted messages using
symmetric keys can be produced from Definition 4, part
AE2 , and Definition 5, part PE2 . Similarly, encryptions
using asymmetric keys that might potentially give rise
to ungrounded beliefs may come from the equations
AE4 , AE5 , AE6 , PE4 , and PE5 .
It is this distinction between the grounded protocol
and the ungrounded protocols that the validation algorithm is targeting. The validation algorithm decides
whether every belief in a refined protocol is grounded.
In other words, the validation algorithm makes the
informal reasoning of the protocol designer’s cryptographical understanding entirely explicit. Surprisingly
this algorithm has been used to discover several mistakes in famous attacks [?]. We call the algorithm validation, and write vpPq for the result of validating the
text-book protocol P. In practice validation is carried
out by first performing the automated refinement, then
removing duplicated assumptions (denoted eq), and finally supplementing the protocol with freshness actions
(denoted Æ). In other words, given a text-book protocol
P, validation amounts to apply vpÆpeqpℜpPqqqq. There
are three cases: a given protocol sentence is grounded,
hence we proceed traversing the rest, or the validation
reached the end, or finally a belief statement is found
that is not grounded. The first case corresponds to a
pattern:
vpϕ B ΦqΨ vpΦ, Ψ " pϕ B εqq if condition C holds.
If ϕ Bela pF q then the condition C formalize the sentence “F has been obtained correctly by the agent a
by past communication and the principles of cryptography”. Usually this involves backtracking in the protocol analyzed so far, either by checking whether a nonce,
timestamp, or message-text is created freshly and correctly earlier, or is the result of the legal actions of communication or decryption using known keys. Hence two
additional concepts are needed: A conjunction ϕ is included in another conjunction ψ, denoted ϕ „ ψ is defined by aggregation. The notion of ϕ is an element in
a chain Ψ, written ϕ PE Ψ, is defined by obvious recursion on the length of chains Ψ.
Definition 6 We say that ϕ can be embedded (cryptographically) valid inside Ψ for an agent a, denoted
epa, F, Ψq, iff
epa, ϕ1 , Belb pϕ2 q B Ψq epa, ϕ1 , Ψq
epa, ϕ1 , Enforcea pBela pDrk1 : E rk2 : ψ ssqq B Ψq J
if ϕ1 „ ψ
epa, ϕ1 , Enforcea pϕ2 q B Ψq epa, ϕ1 , Ψq
if ϕ2
Bela pDrk1 : E rk2 : ψssq implies ϕ1 † ψ
epa, ϕ1 , Transmitpb, a, ϕ2 q B Ψq J
if ϕ1 „ ϕ2
epa, ϕ1 ,Transmitpb, impa, cq, ϕ2 q B Ψq J if ϕ1 „ ϕ2
epa, ϕ1 ,Transmitpb, c, ϕ2 q BΨq epa, ϕ1 ,Ψq if ϕ1 † ϕ2
epa, ϕ1 , εq K
Let ÆpisNoncepnqq newNoncepnq and ÆpTimeptqq Currentptq. Also let ptq denote the function decalculating a numeric term t, e.g. px 1q x and px 1q x.
Definition 7 The validation algorithm v is given by:
piq vpprotocolrµ, N, ξT , ξA , ξS , Φ sq vpΦ, εq
piiq vpε, F q Textp"No error found"q
piiiq vpF B Φ, Ψq vpΦ, Ψ " pF B εqq
if F Bela pAgentpbqq or F Enforcea pBela pϕqq
or F Transmitpa, b, ϕq
pivq vpBela pF q B Φ, Ψq vpΦ, Ψ " pBela pF q B εqq
if pF isNoncepnpxN , bqq or
or F TimepstamppxT , bqq or F TextpS, bqq
and pEnforcea pBela pÆpF qqq P Ψ or epa, F, Ψqq
pvq vpBela pisNoncepnptN , bqqq B Φ, Ψq vpΦ, Ψ " pBela pisNoncepnptN , bqqq B εqq
E
if tN is a numeric term, and
pEnforcea pBela pnewNoncepnpptN q, bqqqq PE Ψ
or epa, isNoncepnptN , bqq, Ψq
or epa, isNoncepnpptN q, bqq, Ψqq
pviq vpBela pE rk : F sq B Φ, Ψq
vpΦ, Ψ"pE rk : F s B εqq if epa, E rk : F s, Ψq
pviiq vpBela pisKeypkeyps, x, y, N qqq B Φ, Ψq vpΦ, Ψ " Bela pisKeypkeyps, x, y, N qqq B εq
if a x _ a y
pviiiq vpBela pisKeypkeyps, x, y, wK qqq B Φ, Ψq vpΦ, Ψ " Bela pisKeypkeyps, x, y, wK qqq B εq
if pa x _ a y q^
pEnforcea pBela pnewKeypkeyps, x, y, wK qqqq PE Ψ
or epa, isKeypkeyps, x, y, wK qq, Ψqq
pixq vpBela pisKeypkeyps, x, y, tK qqq B Φ, Ψq vpΦ, Ψ " Bela pisKeypkeyps, x, y, tK qqq B εq
if a x and a y and
pEnforcea pBela pnewKeypkeyps, x, y, wK qqqq PE Ψ
or epa, isKeypkeyps, x, y, wK qq, Ψqq
pxq vpBela pisKeypkeypa, i, yqqq B Φ, Ψq vpΦ, Ψ " pBela pisKeypkeypa, i, y qqq B εq
if a x or epa, isKeypkeypa, i, y qq, Ψq
pxiq vpBela pisKeypkeypa, u, yqqq B Φ, Ψq vpΦ, Ψ " pBela pisKeypkeypa, u, y qqq B εq
pxiiq else vpBela pϕq B Φ, Ψq Bela pϕq ^ Ψ
The algorithm is motivated as follows: In piiq the original protocol to be validated is empty, which means
that there are no more sentences to check, hence the
protocol is correct. The main recursion involves checking the cryptographic integrity of beliefs. Hence beliefs
concerning agent names, enforcements and transmissions are not validated piiiq.
Nonces, timestamps, and message text piv q might either be created by the principal agent, or have been obtained as plain-text or encrypted by transmissions from
other agents. Nonces might involve numeric terms, the
most common nonce term is tN x 1. In that case
the nonce might have been received as a numeric term,
or as a subterm of a numeric term. In this case, the
term is decalculated, ptN q, in order to justify if the
origin of the nonce is valid. An encrypted message pviq
should have been obtained legally, received by transmission from other agents.
Symmetric keys might either be one of the agent’s
keys (vii, viii) or foreign keys pixq. In the former case
the key is either possessed by the agent pviiq, or created
in the current protocol session by the principal agent or
another agent, typically a server providing keys pviiiq.
Asymmetric keys is handled as follows: In case the key
is a public key, every agent is supposed to be able to
know it pxiq. In case the agent possesses a private key,
it might be its own private key, or the agent has obtained the key intentionally or as part of an attack pxq.
If none of the above conditions apply then the algorithm terminates in pxiiq with an exception, reporting
the negation of the ungrounded assumption: Bela pϕq,
and where this anomaly occurred Φ (representing the
initial segment of the protocol).
5. Case study - the Clark/Jacob library
Of the 23 attacks, 12 attacks rely on the possibility of mixing data types, and each could be validated
by the tool. Fortunately, the validator is able to check
attacks involving type flaws and standard (type correct) attacks. The validator revealed that 7 of 23 attacks were erroneous, that is 30 %. The results analyzed in detail in [10] is summarized by the following
table:
Protocol name
Page Attack-type
Error
Repair?
Wide Mouthed Frog
49
standard
severe
yes
Yahalom
49
type conv.
severe
no
Woo Lam Π
53
type conv.
severe
yes
Neuman Stubblebine
57
type conv. misprint
yes
Shamir Rivest Adelman
64
type conv.
severe
no
Denning Sacco
63
standard
severe
yes
Encrypted Key Exchange 65
standard
misprint
yes
In the next section we give a detailed analysis of the
attack on Yahalom.
5.1. The attack on Yahalom
The Yahalom protocol [4, p. 49] only uses symmetric keys, to establish a new session key: The specification given by Clark/Jacob is as follows:
pY1 q A ÝÑ B : A, NA
pY2 q B ÝÑ S : E pKBS : A, NA , NB q
pY3 q S ÝÑ A : E pKAS : B, KAB , NA, NBq,
E pKBS : A, KABq
pY4 q A ÝÑ B : B, E pKBS : A, KAB q, E pKAB : NB q
In the attack presented in Clark/Jacob, the attacker
tries to make the respondent B believe that the concatenation of nonces NA , NB plays the role of the new
r
p q^ p q^ p q^ p q
p q^ p q p q
p p q
p q^
pp
qqq
p
p q
p q^ r p
q
p q^
pp
qq ^
pp
qqsq
p p
p p
pp
qq ^
pp
qqqqqq
p p q
r p
q
p q
^
p p
pp
qq ^
pp
qqqqsq
^ r p
pp
qq ^
pp
qqq
pp
qqs s
protocol Yahalom Attack, 0, role A role B
role S
role I ,
role A
role B , role A ,
Transmit im I, A , B, Agent A
isNonce n NA, I
1
B Transmit B, im I, S , Agent B
E key s, B, S :
Agent A
isNonce n NA, I
isNonce n NB, B
2
B EnforceI BelI
isKey key isNonce n NA, A
isNonce n NB , B
3
B Transmit im I, A , B, E key s, B, S : Agent A
isKey key isNonce n NA, A
isNonce n NB , B
E key isNonce n NA, A
isNonce n NB , B
:
isNonce n NB , B
Bε
4
pq
pq
pq
pq
Figure 2. The Yahalom attack specified in LP .
r
p
p
p
p
p
p
p q^ p q^ p q^ p q
p q^ p q p q
p qq
p1q
p p
pp
qqqq
p2q
p qq
p3q
p p q
p q^
pp
qqq
p4q
p qq
p5q
p p
p
p q^
pp
qqqqq
p6q
pp
qqq
p7q
p qq
p8q
p p
pp
qqqq
p9q
p p
qqq
p10q
p p r p
q
p q^
pp
qq ^
pp
qqsqq
p11q
p p qq
p12q
p
p q
p q^ r p
q
p q^
pp
qq ^
pp
qqsq
p13q
p p
p
p q^ r p
q
p q^
pp
qq ^
pp
qqsqqq
p14q
p r p
q
p q^
pp
qq ^
pp
qqsq
p15q
p
pp
qqq
p16q
p p p p
pp
qq^
pp
qqqqqq p17q
p r p
q
p p
pp
qq ^
pp
qqqqsq
p18q
p p r p
pp
qq ^
pp
qqq
pp
qqsqq
p19q
p p q
r p
q
p p
pp
qq ^
pp
qqqqs
^ r p
pp
qq ^
pp
qqq
pp
qqsq
p20q
p p
p
r p
q
p p
pp
qq ^
pp
qqqqs
^ r p
pp
qq ^
pp
qqq
pp
qqsqqq
p21q
p p r p
q r p
q
p p
pp
qq ^
pp
qqqqssqq
p22q
p p p
pp
qq ^
pp
qqqqq
p23q
p p r p
pp
qq ^
pp
qqq
r p
pp
qq ^
pp
qqq
pp
qqssqq
p24q
protocol Yahalomattack, 0, role A
role B
role S
role I ,
role A
role B , role A ,
BelI Agent A
B EnforceI BelI newNonce n NA, I
B BelI Agent B
B Transmit im I, A , B, Agent A
isNonce n NA, I
B BelB Agent A
B EnforceB BelB Trust B, A, Agent A
isNonce n NA, I
B BelB isNonce n NA, I
B BelB Agent B
B EnforceB BelB newNonce n NB , B
B BelB isKey key s, B, S
B EnforceB BelB E key s, B, S :
Agent A
isNonce n NA, I
isNonce n NB , B
B BelB Agent S
B Transmit B, im I, S , Agent B
E key s, B, S :
Agent A
isNonce n NA, I
isNonce n NB , B
B EnforceI BelI Trust I, B, Agent B
E key s, B, S :
Agent A
isNonce n NA, I
isNonce n NB , B
B BelI E key s, B, S :
Agent A
isNonce n NA, I
isNonce n NB , B
B BelI isNonce n NB , B
B EnforceI BelI isKey key isNonce n NA, I
isNonce n NB , B
B BelI E key s, B, S :
isKey key isNonce n NA, I
isNonce n NB , B
B EnforceI BelI E key isNonce n NA, I
isNonce n NB , B
:
isNonce n NB , B
B Transmit im I, A , B, E key s, B, S :
isKey key isNonce n NA, I
isNonce n NB , B
E key isNonce n NA, I
isNonce n NB , B
:
isNonce n NB , B
B EnforceB BelB Trust B, A, E key s, B, S :
isKey key isNonce n NA, I
isNonce n NB , B
E key isNonce n NA, I
isNonce n NB , B
:
isNonce n NB , B
B EnforceB BelB D key s, B, S : E key s, B, S :
isKey key isNonce n NA, I
isNonce n NB , B
B BelB isKey key isNonce n NA, I
isNonce n NB , B
B EnforceB BelB D key isNonce n NA, I
isNonce n NB , B
:
E key isNonce n NA, I
isNonce n NB , B
:
isNonce n NB , B
Bε
s
Figure 3. Automated refinement of the Yahalom attack.
secret session key, in other words the attack is a typical type flaw attack:
pY.1q I pAq Ñ B : A, NA
pY.2q B Ñ I pS q : E pKBS : A, NA , NB q
pY.3q
Omitted
pY.4q I pAq Ñ B : B, E pKBS : A, NA , NB q, E pNA ,NB : NB q
The attacks specifications involving type flaws,
should explicitly include the type conversion. In the
attack the concatenation of the two nonces, NA , NB is
interpreted as the fresh symmetric key. Hence the intruder should be able to construct a fresh key. Since
the language is strongly typed, the type conversion is taken care of, by relaxing the input arguments of the key term to include sentences, i.e. keypF q.
In case of the previous attack the required conversion is obtained by the “casting” term:
keypisNoncepnpNA, I qq ^ isNoncepnpNB , B qqq
The type conversion of the two nonces into the symmetric key in the latter attack is performed by the command:
EnforceI pBelI p
isKeypkeypisNoncepnpNA, I qq ^ isNoncepnpNB , B qqqqqq
The attack is then specified in LP as shown in Figure 2 and Figure 3. By running the attack specification, the validator reported that the specification was
not valid, with an exception
BelI pisKeypkeypisNoncepnpNA, I qqqqq
in line 16, Figure 3, which means that the intruder I
should have obtained the nonce NB . Comparing with
Clark/Jacob’s specification, this means that I does not
have the component E pNA , NB : NB q before entering
pY.4q. There are two reasons why the intruder I cannot
form E pNA , NB : NB q: I does not possess NB , and
can neither build the fake key NA , NB nor the content
NB to be encrypted. Note that there is no obvious way
to repair this attack.
6. Conclusion
The tools for security protocol analysis reports to
have found attacks on protocols that are not correct.
We should warn the reader in jumping into conclusions: In many cases the errors reported do not save
the underlying protocols from being corrupt, since the
attacks could be repaired, or there exists another correct attack. However, the results in this paper do imply
that the analysis tools are not particularly successful
in filtering out the correct attacks: Any completeness
and correctness result proven about such a tool, that
claims to cover the entire collection of attacks in the
Clark/Jacob library, should be considered with scepticism.
Acknowledgments
Thanks to Bjarte Østvold, Chik How Tan, Peter
Csaba Ölveczky, Olaf Owe, and Steinar Kristoffersen
for comments on earlier drafts of this paper.
References
[1] Martín Abadi. Security protocols and their properties. In Foundations of Secure Computation, NATO
Science Series, pages 39–60, Marktoberdorf, Germany,
1999. IOS Press (2000).
[2] Michael Backes, Sebastian Mödersheim, Birgit Pfitzmann, and Luca Viganò. Symbolic and Cryptographic
Analysis of the Secure WS-ReliableMessaging Scenario. In Proceedings of FOSSACS 2006, volume 3921
of LNCS, pages 428–445. Springer-Verlag, 2006.
[3] David Basin, Sebastian Mödersheim, and Luca Viganò.
OFMC: A symbolic model checker for security protocols. International Journal of Information Security,
4(3):181–208, June 2005.
[4] J. Clark and J. Jacob. A Survey of Authentication
Protocol Literature, 1997. Version 1.0, Unpublished
Report, University of York, http://cs.york.ac.uk/
~jac/papers/drareview.ps.gz.
[5] Ricardo Corin, Sandro Etalle, and Ari Saptawijaya. A
logic for constraint-based security protocol analysis. In
Security and Privacy, pages 155–168. IEEE Computer
Society Press, 2006.
[6] Millen J. Denker G. and Ruess H. The CAPSL integrated protocol environment. Technical Report SRICLS-2000-02, SRI, 2000.
[7] Ben Donovan, Paul Norris, and Gavin Lowe. Analyzing a Library of Security Protocols using Casper
and FDR. In Proceedings of the Workshop on Formal
Methods and Security Protocols. IEEE Computer Society Press, 1999.
[8] A. Gordon and A. Jeffrey. Types and effects for asymmetric cryptographic protocols. In 15th IEEE Computer Security Foundations Workshop (CSFW 15),
Cape Breton, pages 77–91. IEEE Press, 2002.
[9] Anders Moen Hagalisletto. Protocol Algebra. In The
11th IEEE Symposium on Computers and Communications, pages 394–401, 2006.
[10] Anders Moen Hagalisletto. Errors in Attacks on Authentication Protocols, 2007. Accepted for publication in IEEE The Second International Conference on
Availability, Reliability and Security (ARES 2007) .
[11] Romain Janvier, Yassine Lakhnech, and Laurent
Mazaré. Relating the symbolic and computational
models of security protocols using hashes. In Joint
Workshop on Foundations of Computer Security and
Automated Reasoning for Security Protocol Analysis,
pages 67–89, 2006.
[12] Gavin Lowe. Casper: A compiler for the analysis of security protocols. Journal of Computer Security, 6:53–
84, 1998.
[13] J. Meseguer. Conditional rewriting logic as a unified
model of concurrency. Theoretical Computer Science,
96:73 – 155, 1992.