Notations

Here, we give some conventions that we use in this paper.

• We denote by $`{\cal{C}}=\langle{\cal{M}},\xi,\models,{\cal{K}},{\cal{L}}^\sqsupseteq,\ulcorner.\urcorner\rangle`$ the context of verification including the parameters that affect a protocol analysis:

  • $`{\cal{M}}`$ : is a set of messages built from the algebraic signature $`\langle\cal{N}`$,$`\Sigma\rangle`$ where $`{\cal{N}}`$ is a set of atomic names (nonces, keys, principals, etc.) and $`\Sigma`$ is a set of defined functions ($`enc`$:: encryption, $`dec`$:: decryption, $`pair`$:: concatenation (denoted by “.” here), etc.). i.e. $`{\cal{M}}=T_{\langle{\cal{N}},\Sigma\rangle}({\cal{X}})`$. We denote by $`\Gamma`$ the set of all substitutions from $`{\cal{X}} \rightarrow {\cal{M}}`$. We denote by $`\cal{A}`$ the atomic messages in $`{\cal{M}},`$ by $`{\cal{A}}(m)`$ the set of atomic messages (atoms) in $`m`$ and by $`{\cal{I}}`$ the set of agents (principals) including the intruder $`I`$. We denote by $`k{^{-1}}`$ the reverse form of a key $`k`$ and we assume that $`({k^{-1}})^{-1}=k`$.

  • $`\xi`$ : is the equational theory that expresses the algebraic properties of the functions defined in $`\Sigma`$ by equations. e.g. $`dec(enc(x,y),y^{-1})=x`$.

  • $`\models_{\cal{C}}`$ : is the inference system of the intruder under the equational theory $`\xi`$. Let $`M`$ be a set of messages and $`m`$ be a message. $`M`$ $`\models_{\cal{C}}`$ $`m`$ expresses that the intruder can infer $`m`$ from $`M`$ using her capacity. We extend this notation to valid traces as follows: $`\rho`$ $`\models_{\cal{C}}`$ $`m`$ means that the intruder can deduce $`m`$ from the messages in the trace $`\rho`$. We assume that the intruder has the full control of the net as described in the Dolev-Yao model . She may redirect, delete and modify any message. She holds the public keys of all participants, her private keys and the keys that she shares with other participants. She can encrypt or decrypt any message with the keys that she holds. Formally, the intruder has generically the following rules for building messages:

  • $`{\cal{K}}`$ : is a function from $`{\cal{I}}`$ to $`{\cal{M}}`$. It returns for an agent a set of atomic messages describing her initial knowledge. We denote by $`K_{{\cal{C}}}(I)`$ the initial knowledge of the intruder, or just $`K(I)`$ where the context is clear.

  • $`{\cal{L}}^\sqsupseteq`$ : is the lattice of security $`({\cal{L}},\sqsupseteq, \sqcup, \sqcap, \bot,\top)`$ that we use to assign security levels to messages. An example of a lattice is $`(2^{\cal{I}},\subseteq,\cap,\cup,\cal{I}, \emptyset)`$ that we use in this paper.

  • $`\ulcorner .\urcorner`$ : is a partial function that attributes a level of security (type) to a message in $`{\cal{M}}`$. Let $`m`$ be a message and $`M`$ be a set of messages. We write $`\ulcorner M \urcorner \sqsupseteq \ulcorner m \urcorner`$ when $`\exists m' \in M. \ulcorner m' \urcorner \sqsupseteq \ulcorner m \urcorner`$

• Our analysis operates in a role-based specification. A role-based specification is a set of generalized roles. A generalized role is a protocol abstraction where the emphasis is put on some principal and where all the unknown messages, that could not be verified, are replaced by variables. An exponent $`i`$ (the session identifier) is added to a fresh message to express that this component changes values from one execution to another. A generalized role expresses how an agent sees and understands the exchanged messages. A generalized role may be extracted from a protocol by these steps:

  1. We extract the roles from a protocol.

  2. We replace the unknown messages by fresh variables in each role.

  Roles can be extracted following these steps:

  1. For every principal, we extract all the steps in which she participates. Then, we add a session identifier $`i`$ in the steps identifiers and in fresh values.

     For example, from the variation of the Woo-Lam protocol given in Table 1, we extract three roles, denoted by $`R_A`$ (for the agent $`A`$), $`R_B`$ (for the agent $`B`$), and $`R_S`$ (for the server $`S`$).

  2. We introduce an intruder $`I`$ to express the fact that received messages and sent messages are perhaps received or sent by an intruder.

  3. Finally, we extract all prefixes from these roles. A prefix must end by a sending step.

  $`p`$ =	$`\langle 1,A\rightarrow B: A\rangle.`$
  	$`\langle 2,B\rightarrow A: N_b\rangle.`$
  	$`\langle 3,A\rightarrow B: \{ N_b.k_{ab}\}_{k_{as}}\rangle.`$
  	$`\langle 4,B\rightarrow S:\{A.\{N_b.k_{ab}\}_{k_{as}}\}_{k_{bs}}\rangle.`$
  	$`\langle 5,S\rightarrow B:\{N_b.k_{ab}\}_{k_{bs}}\rangle`$.

  The Woo-Lam Protocol

  From the roles, we define the generalized roles. A generalized role is an abstraction of a role where unknown messages are converted to variables. Indeed, a message or a component of a message is replaced by a variable when the receiver cannot make any verification on it and so she is not sure about its integrity or its origin. The generalized roles give an accurate idea on the behavior and the knowledge of participants during the protocol execution. The generalized roles of $`A`$ are:

  \begin{array}{l}\begin{array}{lllllll}
                      {\cal A}_G ^1 =& \langle  i.1,&  A    & \rightarrow & I(B)&  :&  A \rangle
                      \end{array}\\
                      \\
                      \begin{array}{lllllll}
                      {\cal A}_G ^2=& \langle  i.1,&  A    & \rightarrow & I(B)&  :&  A \rangle .\\
                      & \langle i.2,&  I(B) & \rightarrow & A   &  :&  {X} \rangle .\\
                      & \langle i.3,&  A    & \rightarrow & I(B)&  :&  \{{X}.k_{ab}^i\}_{k_{as}}\rangle
                      \end{array}
               \end{array}
  

  The generalized roles of $`B`$ are:

  \begin{array}{l}\begin{array}{lllllll}
                  {\cal B}_G ^1=& \langle i.1,&  I(A) & \rightarrow & B   &  :&  A \rangle .\\
                          & \langle i.2,&  B    & \rightarrow & I(A)&  :&  N_b \rangle  \\
                      \end{array}\\
                      \\
                      \begin{array}{lllllll}
                  {\cal B}_G ^2=& \langle i.1,&  I(A) & \rightarrow & B   &  :&  A \rangle .\\
                          & \langle i.2,&  B    & \rightarrow & I(A)&  :&  N_b \rangle .\\
                          & \langle i.3,&  I(A) & \rightarrow & B   &  :&  {Y} \rangle .\\
                          & \langle i.4,&  B    & \rightarrow & I(S)&  :& \{A.{Y} \}_{k_{bs}}\rangle  \\
                      \end{array}\\
                      \\
                      \begin{array}{lllllll}
                  {\cal B}_G ^3=& \langle i.1,&  I(A) & \rightarrow & B   &  :&  A \rangle .\\
                          & \langle i.2,&  B    & \rightarrow & I(A)&  :&  N_b \rangle .\\
                          & \langle i.3,&  I(A) & \rightarrow & B   &  :&  {Y} \rangle .\\
                          & \langle i.4,&  B    & \rightarrow & I(S)&  :& \{A.{Y} \}_{k_{bs}}\rangle .  \\
                          & \langle i.5,&  I(S) & \rightarrow & B&  :&  \{N_b^i.{Z}\}_{k_{bs}}\rangle \\
                      \end{array}
                      \end{array}
  

  The generalized role of $`S`$ is:

  \begin{array}{lllllll}
                  {\cal   S}_G   ^1=   &  \langle  i.4,&  I(B)  &  \rightarrow  &  S  &  :&
                  \{A,\{{U},{V}\}_{k_{as}} \}_{k_{bs}} \rangle . \\
                          & \langle i.5,&  S    & \rightarrow & I(B)&  :&  \{{U}.{V}\}_{k_{bs}}\rangle
                  \end{array}
  

  Hence, the role-based specification of the protocol described by Table 1 is $`{\cal R}_G(p) = \{{\cal A}_G ^1,~{\cal A}_G ^2,~{\cal B}_G ^1,~{\cal B}_G ^2,~{\cal B}_G ^3,~{\cal S}_G ^1\}`$. The role-based specification is a model to formalize the cencept of valid traces of a protocol. More details about the role-based specification are in .

• A valid trace is an instantiated messages of the generalized roles where each message sent by the intruder can be generated by her using her capacity and the prior messages. We denote by $`[\![p]\!]`$ the set of valid traces of $`p`$.

• We denote by $`{\cal{M}}_p^{\cal{G}}`$ the set of messages with variables generated by $`R_G(p)`$, by $`{\cal{M}}_p`$ the set of closed messages generated by substituting all variables in $`{\cal{M}}_p^{\cal{G}}`$. We denote by $`R^+`$ (resp. $`R^-`$) the set of sent messages (resp. received messages) by a honest agent in the role $`R`$. By convention, we use the uppercase letters for sequences or sets of elements and the lowercase for single elements. For example $`m`$ denotes a single message, $`M`$ a set of messages, $`R`$ a role of composite steps, $`r`$ a step and $`R.r`$ a role ending by the step $`r`$.

Introduction

Checking security in cryptographic protocols is a hard task . The problem is in general undecidable . However, a number of semi-decidable verification methods have emerged in the last decades working on several axes . Others are decidable but under strict conditions . In this paper, we look at the property of secrecy in a protocol by observing its monotony. By intuition, an increasing protocol protects its secret inputs. This means, if the security of every atomic message does not decrease during its life cycle in the protocol (between all receiving and sending steps), the secret is never uncovered. For that, we have to define safe metrics to reasonably estimate the security of any atomic message. This way of approaching secrecy in protocols has been adopted in few prior works. For instance, Steve Schneider in  proposed the rank-functions as safe metrics to verify protocols in CSP . These functions successfully managed to analyze several classical protocols like the Needham-Schroeder protocol. However, such verification dictates the protocol implementation in CSP. Besides, building rank-functions for every protocol is not an effortless task and their existence is not guaranteed . In  Abadi, by using Spi-Calculus , stipulates that: “If a protocol typechecks, then it keeps its secrets”. For that, he forces the exchanged messages to have formally the following types: {secret, public, any, confounder} in order to easily estimate the security of every message from its type. Although this approach is simple and elegant, it cannot verify protocols that had been implemented with no respect to this logic. Alike, Houmani et al.  defined universal functions called interpretation functions that were able to verify protocols statically. They operate on an abstraction of the protocol called generalized roles in a role-based specification . An interpretation function must meet few conditions to be considered safe for analysis. Obviously, less we have restrictions on functions, easier we can build instances of them and more we have possibilities to prove protocols secure since one function might fail to prove the security of a protocol but another may succeed. In this regard, we notice that the conditions on the Houmanis’ interpretation functions were so restrictive that very few functions were proposed in practice and proved safe. In this respect, we believe that the condition of full-invariance by substitution, which is a property key that allows any decision made on messages of the generalized roles (messages with variables) to be exported to valid traces (closed messages), is the most restrictive one. Since the aim of our approach is to build several functions, we think that if we release functions from this condition we can reach this goal.

Secrecy in Increasing Protocols

In this section, we give relaxed conditions allowing a function to be reliable for analysis. We prove that an increasing protocol is correct with respect to secrecy when analyzed with such functions.

\left\{
    \begin{array}{lll}
         F(\alpha,\{\alpha\})&= & \bot \\
         F(\alpha,{M})& =&\top, \mbox{ if } \alpha \notin {\cal{A}}({M})  \\
         F(\alpha, {M}_1 \cup {M}_2)&= & F(\alpha, {M}_1)\sqcap F(\alpha,{M}_2) \\
    \end{array}
\right.

For an atom $`\alpha`$ in a set of messages $`M`$, a well-formed function returns the bottom value “$`\bot`$” if $`M=\{\alpha\}`$ (clear). It returns the top value “$`\top`$” if it does not appear in this set. It returns for it in the union of two sets, the minimum “$`\sqcap`$” of the two values calculated in each set separately.

A full-invariant-by-intruder $`F`$ should be such that it it attributes a security level to a message $`\alpha`$ in $`M`$, the intruder can never produce from $`M`$ another message $`m`$ that decrease this level (i.e. $`F(\alpha,m) \sqsupseteq F(\alpha,{M})`$) except when $`\alpha`$ is intended to be known by the intruder (i.e. $`\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner`$).

A reliable function is simply a function that is well-formed and full-invariant-by-intruder in a given context of verification $`{\cal{C}}`$.

\forall \alpha \in {\cal{A}}({\cal{M}}).F(\alpha, r^+\sigma)\sqsupseteq \ulcorner \alpha \urcorner \sqcap F(\alpha, R^-\sigma)

A $`F`$-increasing protocol produces valid traces (interleaving of substituted messages in generalized roles) where every involved principal (every substituted generalized role) never decreases the security levels, calculated by $`F`$, of received components.

\exists \rho\in [\![p]\!].(\rho \models_{{\cal{C}}} \alpha)\wedge(\ulcorner K(I) \urcorner \not \sqsupseteq \ulcorner \alpha \urcorner)

A secret disclosure consists in manipulating a valid trace $`\rho`$ by the intruder, using her knowledge $`K(I)`$ in a context of verification $`{{\cal{C}}}`$, to infer a secret $`\alpha`$ that she is not intended to know ($`\ulcorner K(I) \urcorner \not \sqsupseteq \ulcorner \alpha \urcorner`$).

*See the proof [PR4] in  *.
The lemma [lemprincArticle] states that for any atom $`\alpha`$ in a message generated by an increasing protocol, its security level calculated by a reliable function is always greater than its initial value given in the context, provided that the intruder is not initially allowed to know it. Indeed, initially the atom has a some security level. This level cannot be decreased by the intruder using her initial knowledge and received messages since a reliable function is full-invariant-by-intruder. In each new step of the evolution of the valid trace, involved messages are better protected since the protocol is increasing. The proof is run by induction on the size (evolution) of the trace and uses the properties of reliability of the function in every new step of the induction.

\begin{equation}
\exists \rho\in [\![p]\!].(\rho \models_{\cal{C}} \alpha)\wedge(\ulcorner K(I) \urcorner \not \sqsupseteq \ulcorner \alpha \urcorner) \label{preuvthe1Article}
\end{equation}

\begin{equation}
(F(\alpha,\alpha)\sqsupseteq \ulcorner \alpha \urcorner)\vee (\ulcorner K(I) \urcorner \sqsupseteq \ulcorner \alpha \urcorner)\label{preuvthe2Article}
\end{equation}

\begin{equation}
F(\alpha,\alpha)\sqsupseteq \ulcorner \alpha \urcorner \label{preuvthe3Article}
\end{equation}

\begin{equation}
F(\alpha,\alpha)= \bot \label{preuvthe4Article}
\end{equation}

\begin{equation}
\bot= \ulcorner \alpha \urcorner \label{preuvthe5corArticle}
\end{equation}