
Relaxed Conditions for Secrecy in a Role-Based Specification

In this paper, we look at the property of secrecy through the growth of the protocol. Intuitively, an increasing protocol preserves the secret. For that, we need functions to estimate the security of messages. Here, we give relaxed conditions on the functions and on the protocol and we prove that an increasing protocol is correct when analyzed with functions that meet these conditions.

1 Introduction

Checking security in cryptographic protocols is a hard task [1, 2, 3, 4, 5, 6]. The problem is in general undecidable [4, 5, 7, 8, 9]. However, a number of semi-decidable verification methods working along several axes have emerged in the last decades [10, 11, 12, 13, 14, 15, 16, 17]. Others are decidable, but only under strict conditions [18, 19, 20]. In this paper, we look at the property of secrecy in a protocol by observing its monotonicity. Intuitively, an increasing protocol protects its secret inputs: if the security of every atomic message does not decrease during its life cycle in the protocol (between all receiving and sending steps), the secret is never uncovered. For that, we have to define safe metrics that reasonably estimate the security of any atomic message. This way of approaching secrecy in protocols has been adopted in a few prior works. For instance, Steve Schneider in [21] proposed rank-functions as safe metrics to verify protocols in CSP [22, 23]. These functions successfully analyzed several classical protocols such as the Needham-Schroeder protocol. However, such verification dictates that the protocol be implemented in CSP. Besides, building rank-functions for every protocol is not an effortless task, and their existence is not guaranteed [24]. In [14], Abadi, using the Spi-Calculus [25, 26], stipulates that "if a protocol typechecks, then it keeps its secrets". For that, he forces the exchanged messages to formally have one of the types {secret, public, any, confounder}, so that the security of every message is easily estimated from its type. Although this approach is simple and elegant, it cannot verify protocols that were implemented with no respect for this logic. Similarly, Houmani et al. [27, 28, 29, 30] defined universal functions called interpretation functions that are able to verify protocols statically. They operate on an abstraction of the protocol called generalized roles in a role-based specification [31, 32, 15].
An interpretation function must meet a few conditions to be considered safe for analysis. Obviously, the fewer restrictions we put on functions, the easier it is to build instances of them, and the more chances we have to prove protocols secure, since one function might fail to prove the security of a protocol while another may succeed. In this regard, we notice that the conditions on Houmani's interpretation functions were so restrictive that very few functions were proposed in practice and proved safe. We believe that the condition of full-invariance by substitution, the key property that allows any decision made on messages of the generalized roles (messages with variables) to be exported to valid traces (closed messages), is the most restrictive one. Since the aim of our approach is to build several functions, we think that releasing functions from this condition will let us reach this goal.

2 Notations

Here, we give some conventions that we use in this paper.

  • We denote by the context of verification including the parameters that affect a protocol analysis:

    • : is a set of messages built from the algebraic signature , where is a set of atomic names (nonces, keys, principals, etc.) and is a set of defined functions (:: encryption, :: decryption, :: concatenation (denoted by "." here), etc.). i.e. . We denote by the set of all substitutions from . We denote by the atomic messages in by the set of atomic messages (atoms) in and by the set of agents (principals) including the intruder . We denote by the reverse form of a key and we assume that .

    • : is the equational theory that expresses the algebraic properties of the functions defined in by equations. e.g. .

    • : is the inference system of the intruder under the equational theory . Let be a set of messages and be a message. expresses that the intruder can infer from using her capacity. We extend this notation to valid traces as follows: means that the intruder can deduce from the messages in the trace . We assume that the intruder has full control of the network, as described in the Dolev-Yao model [33]. She may redirect, delete and modify any message. She holds the public keys of all participants, her own private keys and the keys that she shares with other participants. She can encrypt or decrypt any message with the keys that she holds. Formally, the intruder generically has the following rules for building messages:

      • , with

    • : is a function from to . It returns for an agent a set of atomic messages describing her initial knowledge. We denote by the initial knowledge of the intruder, or just where the context is clear.

    • : is the lattice of security that we use to assign security levels to messages. An example of a lattice is that we use in this paper.

    • : is a partial function that attributes a level of security (type) to a message in . Let be a message and be a set of messages. We write when

  • Our analysis operates in a role-based specification. A role-based specification is a set of generalized roles. A generalized role is a protocol abstraction where the emphasis is put on some principal and where all the unknown messages, that could not be verified, are replaced by variables. An exponent (the session identifier) is added to a fresh message to express that this component changes values from one execution to another. A generalized role expresses how an agent sees and understands the exchanged messages. A generalized role may be extracted from a protocol by these steps:

    1. We extract the roles from a protocol.

    2. We replace the unknown messages by fresh variables in each role.

    Roles can be extracted following these steps:

    1. For every principal, we extract all the steps in which she participates. Then, we add a session identifier in the steps identifiers and in fresh values.

      For example, from the variation of the Woo-Lam protocol given in Table 1, we extract three roles, denoted by (for the agent ), (for the agent ), and (for the server ).

    2. We introduce an intruder to express the fact that received messages and sent messages are perhaps received or sent by an intruder.

    3. Finally, we extract all prefixes from these roles. A prefix must end by a sending step.

    Table 1: The Woo-Lam Protocol

    From the roles, we define the generalized roles. A generalized role is an abstraction of a role where unknown messages are converted to variables. Indeed, a message or a component of a message is replaced by a variable when the receiver cannot make any verification on it and so is not sure about its integrity or its origin. The generalized roles give an accurate idea of the behavior and the knowledge of participants during the protocol execution. The generalized roles of are:

    The generalized roles of are:

    The generalized role of is:

    Hence, the role-based specification of the protocol described by Table 1 is . The role-based specification is a model to formalize the concept of valid traces of a protocol. More details about the role-based specification are in [34, 31, 32, 15].

  • A valid trace is a set of instantiated messages of the generalized roles where each message sent by the intruder can be generated by her using her capacity and the prior messages. We denote by the set of valid traces of .

  • We denote by the set of messages with variables generated by , and by the set of closed messages generated by substituting all variables in . We denote by (resp. ) the set of messages sent (resp. received) by an honest agent in the role . By convention, we use uppercase letters for sequences or sets of elements and lowercase letters for single elements. For example, denotes a single message, a set of messages, a role of composite steps, a step and a role ending with the step .

3 Secrecy in Increasing Protocols

In this section, we give relaxed conditions allowing a function to be reliable for analysis. We prove that an increasing protocol is correct with respect to secrecy when analyzed with such functions.

Definition 3.1.

(Well-Formed Function)
Let be a function and be a context of verification. is -well-formed iff:

For an atom in a set of messages , a well-formed function returns the bottom value "" if (i.e. the atom appears in clear). It returns the top value "" if the atom does not appear in this set. For the union of two sets, it returns the minimum "" of the two values calculated in each set separately.

Definition 3.2.

(Full-invariant-by-intruder Function)
Let be a function and be a context of verification.
is -full-invariant-by-intruder iff:

A full-invariant-by-intruder function should be such that if it attributes a security level to a message in , the intruder can never produce from another message that decreases this level (i.e. ), except when is intended to be known by the intruder (i.e. ).

Definition 3.3.

(Reliable Function)
Let be a function and be a context of verification.

A reliable function is simply a function that is well-formed and full-invariant-by-intruder in a given context of verification .

Definition 3.4.

(-Increasing Protocol)
Let be a function, be a context of verification and be a protocol. is -increasing in if:

A -increasing protocol produces valid traces (interleaving of substituted messages in generalized roles) where every involved principal (every substituted generalized role) never decreases the security levels, calculated by , of received components.
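The following is an added example, not code from the paper: a toy checker that tests a candidate function against the three clauses of Definition 3.1 (well-formedness) and checks one generalized role for the increasing condition of Definition 3.4. The paper defines only the properties, so the concrete function `level_in_msg` (level of an atom = level of the outermost key enclosing it), the three-point lattice, the `init_level` context typing and the two-step protocol are all assumptions constructed here, not the paper's Woo-Lam variant.

```python
from dataclasses import dataclass

# Assumed three-point lattice: BOT (public) < SECRET < TOP (absent); meet is min.
BOT, SECRET, TOP = 0, 1, 2

@dataclass(frozen=True)
class Enc:
    """Encrypted term {body}_key; body is an atom (str), a tuple (concatenation)
    or another Enc. The encryption key itself is not transmitted."""
    body: object
    key: str

def atoms(m):
    """Atoms occurring in a message term (encryption keys excluded)."""
    if isinstance(m, str):
        return {m}
    if isinstance(m, tuple):
        return set().union(*(atoms(x) for x in m))
    return atoms(m.body)

def level_in_msg(alpha, m, key_level):
    """Hypothetical DEK-style level of alpha in one message: BOT when it is in
    clear, TOP when absent, else the level of the outermost key enclosing it."""
    if alpha not in atoms(m):
        return TOP
    if isinstance(m, str):
        return BOT
    if isinstance(m, tuple):
        return min(level_in_msg(alpha, x, key_level) for x in m)
    return key_level.get(m.key, BOT)  # a key of unknown level is treated as public

def F(alpha, M, key_level):
    """Level of alpha in a set of messages M: the meet (min) over M."""
    return min((level_in_msg(alpha, m, key_level) for m in M), default=TOP)

def well_formed_on(alpha, M1, M2, key_level):
    """The three clauses of Definition 3.1 checked for alpha on concrete sets."""
    f1, f2 = F(alpha, M1, key_level), F(alpha, M2, key_level)
    clear_ok = alpha not in M1 or f1 == BOT            # alpha in M (clear) -> BOT
    absent_ok = any(alpha in atoms(m) for m in M1) or f1 == TOP  # absent -> TOP
    union_ok = F(alpha, list(M1) + list(M2), key_level) == min(f1, f2)
    return clear_ok and absent_ok and union_ok

def is_increasing(role, key_level, init_level):
    """Definition 3.4 on one generalized role, a list of ("recv"|"send", msg):
    a sent atom keeps at least its level in the received messages, met with
    its initial level from the context (assumed TOP for untyped atoms/variables)."""
    received = []
    for direction, msg in role:
        if direction == "recv":
            received.append(msg)
            continue
        for a in atoms(msg):
            floor = min(F(a, received, key_level), init_level.get(a, TOP))
            if F(a, [msg], key_level) < floor:
                return False
    return True

# Constructed two-step protocol (not the paper's Woo-Lam variant):
#   A -> B : {Na}_Kab ;  B -> A : Na (leaky, not increasing)  or  {Na}_Kab (fine)
KEY_LEVEL = {"Kab": SECRET}
INIT_LEVEL = {"Na": SECRET}      # the context types Na as a secret nonce
LEAKY_B = [("recv", Enc("X", "Kab")), ("send", "X")]
SAFE_B = [("recv", Enc("X", "Kab")), ("send", Enc("X", "Kab"))]
ROLE_A = [("send", Enc("Na", "Kab")), ("recv", Enc("Na", "Kab"))]
```

Running `is_increasing` on `LEAKY_B` rejects the role because the variable `X`, received under `Kab` at level SECRET, is resent in clear at level BOT; `SAFE_B` and `ROLE_A` pass.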

Definition 3.5.

(Secret Disclosure)
Let be a protocol and be a context of verification.
We say that discloses a secret in if:

A secret disclosure consists in manipulating a valid trace by the intruder, using her knowledge in a context of verification , to infer a secret that she is not intended to know ().

Lemma 3.6.

Let be a -reliable function and a -increasing protocol. We have:

See Proof 4 in [35].
Lemma 3.6 states that for any atom in a message generated by an increasing protocol, its security level calculated by a reliable function is always greater than or equal to its initial value given in the context, provided that the intruder is not initially allowed to know it. Indeed, the atom initially has some security level. This level cannot be decreased by the intruder using her initial knowledge and received messages, since a reliable function is full-invariant-by-intruder. In each new step of the evolution of the valid trace, the involved messages are better protected, since the protocol is increasing. The proof proceeds by induction on the size (evolution) of the trace and uses the reliability properties of the function in every new step of the induction.

Theorem 3.7.

(Security of Increasing Protocols)
Let be a -reliable function and a -increasing protocol.

is -correct with respect to secrecy.


Let’s suppose that reveals some atomic secret .
From Definition 3.5 we have:


Since is -reliable and is an -increasing protocol, we have from Lemma 3.6:


From (1) and (2) we deduce:


As is -well-formed, we have:


From (3) and (4) we deduce:


(5) is not possible because it is opposite to: in (1).

Conclusion: is -correct with respect to secrecy.

4 Comparison with Related Works

Theorem 3.7 states that an increasing protocol is correct with respect to secrecy when analyzed with a function that is well-formed and full-invariant-by-intruder, or, shortly, reliable. Compared to the conditions imposed by Houmani et al. in [27, 30] on their functions, we have one condition fewer. Indeed, Houmani et al. expect a protocol to be increasing on the messages of the generalized roles whatever substitutions they may receive (when the protocol is running), and demand that the interpretation function resist these substitutions. As a result, even though they gave a guideline for building reliable functions, only two functions could actually be built: the function DEK and the function DEKAN. We notice as well that the function DEK is disappointing in practice. That is mainly due to the complexity of proving that a function satisfies the full-invariance-by-substitution property. In this paper, we release our functions from this hard condition so that building functions becomes easier. We relocate this condition into our new definition of an increasing protocol: the problem of substitution moves to the protocol side and becomes comparatively easier to handle. Our approach has in common with Schneider's method and Houmani's method the idea of transforming the problem of secrecy into a problem of protocol growth. All three approaches likewise decide only whether the protocol is proved increasing using a reliable function.

5 Conclusion and Future Work

Releasing a function from a condition calls for special care when using it. In future work, we introduce the notion of witness-functions to analyze cryptographic protocols. A witness-function is a protocol-dependent function. It introduces new derivation techniques to solve the problem of substitution locally in the protocol. It supplies two bounds that are independent of all substitutions, which enables any decision made on the generalized roles to be carried over to valid traces. This replaces the restrictive condition of full-invariance by substitution in Houmani's logic. The witness-functions were successful in proving secrecy in many protocols. They could even reveal flaws.


  • [1] M. Rusinowitch and M. Turuani. Protocol insecurity with finite number of sessions is NP-complete. 14th Computer Security Foundations Workshop (CSFW'01), Cape Breton (Canada). IEEE Comp. Soc. Press, pages 174–190, 2001.
  • [2] G. Lowe. Towards a completeness result for model checking of security protocols. 11th Computer Security Foundations Workshop (CSFW'98), Rockport, Massachusetts, USA. IEEE Comp. Soc. Press, pages 96–106, 1998.
  • [3] Dan M. Nessett. A critique of the Burrows, Abadi and Needham logic. SIGOPS Oper. Syst. Rev., 24(2):35–38, April 1990.
  • [4] N. Durgin, P. Lincoln, J. Mitchell, and A. Scedrov. Undecidability of bounded security protocols. Workshop on Formal Methods and Security Protocols (FMSP'99), Trento (Italy), 1999.
  • [5] H. Comon-Lundh and V. Cortier. New decidability results for fragments of first-order logic and application to cryptographic protocols. 14th International Conference on Rewriting Techniques and Applications (RTA'2003), Valencia (Spain). Springer-Verlag, vol. 2706 of LNCS, pages 148–164, 2003.
  • [6] Santiago Escobar, Catherine Meadows, and José Meseguer. State space reduction in the Maude-NRL protocol analyzer. CoRR, abs/1105.5282, 2011.
  • [7] Véronique Cortier and Stéphanie Delaune. Decidability and combination results for two notions of knowledge in security protocols. Journal of Automated Reasoning, 48, 2012.
  • [8] Véronique Cortier, Stéphanie Delaune, and Pascal Lafourcade. A survey of algebraic properties used in cryptographic protocols. J. Comput. Secur., 14(1):1–43, January 2006.
  • [9] Durgin Lincoln Mitchell, N. A. Durgin, P. D. Lincoln, J. C. Mitchell, and A. Scedrov. Undecidability of bounded security protocols. 1999.
  • [10] Michael Burrows, Martín Abadi, and Roger M. Needham. A logic of authentication. ACM Trans. Comput. Syst., 8(1):18–36, 1990.
  • [11] M. Müller-Olm, D. A. Schmidt, and B. Steffen. Model checking: a tutorial introduction. Proc. 6th Static Analysis Symposium, G. File and A. Cortesi, eds., Springer LNCS 1694, pages 330–354, 1999.
  • [12] Mohamed Saleh and Mourad Debbabi. Modeling security protocols as games. In IAS, pages 253–260, 2007.
  • [13] Hadi Otrok, Noman Mohammed, Lingyu Wang, Mourad Debbabi, and Prabir Bhattacharya. A game-theoretic intrusion detection model for mobile ad hoc networks. Computer Communications, 31(4):708–721, 2008.
  • [14] Martín Abadi. Secrecy by typing in security protocols. Journal of the ACM, 46:611–638, 1998.
  • [15] Mourad Debbabi, Mohamed Mejri, Nadia Tawbi, and I. Yahmadi. From protocol specifications to flaws and attack scenarios: An automatic and formal algorithm. In WETICE, pages 256–262, 1997.
  • [16] B. Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. 14th Computer Security Foundations Workshop (CSFW'01), Cape Breton (Canada). IEEE Comp. Soc. Press, pages 82–96, 2001.
  • [17] Andrew D. Gordon and Alan Jeffrey. Authenticity by typing for security protocols. J. Comput. Secur., 11(4):451–519, July 2003.
  • [18] R. Ramanujam and S. P. Suresh. A decidable subclass of unbounded security protocols, 2003.
  • [19] R. Ramanujam and S. P. Suresh. Tagging makes secrecy decidable with unbounded nonces as well. In Proceedings, Foundations of Software Technology and Theoretical Computer Science (FST TCS 2003), volume 2914 of Lecture Notes in Computer Science, pages 363–374. Springer, 2003.
  • [20] Vitaly Shmatikov. Decidable analysis of cryptographic protocols with products and modular exponentiation. In Proc. 13th European Symposium on Programming (ESOP'04), volume 2986 of LNCS, pages 355–369. Springer-Verlag, 2004.
  • [21] Steve Schneider. Verifying authentication protocols in CSP. IEEE Trans. Software Eng., 24(9):741–758, 1998.
  • [22] Steve Schneider. Security properties and CSP. In IEEE Symposium on Security and Privacy, pages 174–187, 1996.
  • [23] Steve A. Schneider and Rob Delicata. Verifying security protocols: An application of CSP. In 25 Years Communicating Sequential Processes, pages 243–263, 2004.
  • [24] James Heather and Steve Schneider. A decision procedure for the existence of a rank function. J. Comput. Secur., 13(2):317–344, March 2005.
  • [25] Martín Abadi and Andrew D. Gordon. Reasoning about cryptographic protocols in the spi calculus. In CONCUR, pages 59–73, 1997.
  • [26] Martín Abadi and Andrew D. Gordon. A calculus for cryptographic protocols: The spi calculus. In ACM Conference on Computer and Communications Security, pages 36–47, 1997.
  • [27] Hanane Houmani and Mohamed Mejri. Practical and universal interpretation functions for secrecy. In SECRYPT, pages 157–164, 2007.
  • [28] Hanane Houmani and Mohamed Mejri. Ensuring the correctness of cryptographic protocols with respect to secrecy. In SECRYPT, pages 184–189, 2008.
  • [29] Hanane Houmani and Mohamed Mejri. Formal analysis of SET and NSL protocols using the interpretation functions-based method. Journal Comp. Netw. and Communic., 2012, 2012.
  • [30] Hanane Houmani, Mohamed Mejri, and Hamido Fujita. Secrecy of cryptographic protocols under equational theory. Knowl.-Based Syst., 22(3):160–173, 2009.
  • [31] Mourad Debbabi, Y. Legaré, and Mohamed Mejri. An environment for the specification and analysis of cryptoprotocols. In ACSAC, pages 321–332, 1998.
  • [32] Mourad Debbabi, Mohamed Mejri, Nadia Tawbi, and I. Yahmadi. Formal automatic verification of authentication cryptographic protocols. In ICFEM, pages 50–59, 1997.
  • [33] Danny Dolev and Andrew Chi-Chih Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 29(2):198–207, 1983.
  • [34] Jaouhar Fattahi, Mohamed Mejri, and Hanane Houmani. Context of verification and role-based specification. (4):1–4, 2014.
  • [35] Jaouhar Fattahi, Mohamed Mejri, and Hanane Houmani. Relaxed conditions for secrecy in cryptographic protocols: Proofs and intermediate results. (9):1–9, 2014.