PRACTICAL AND UNIVERSAL INTERPRETATION FUNCTIONS

FOR SECRECY

Hanane Houmani and Mohamed Mejri

LSFM Research Group, Computer Science Department

Laval University, Quebec, Canada

Keywords:

Cryptographic protocols, Secrecy, Formal veriﬁcation, Sufﬁcient conditions.

Abstract:

Using the notion of interpretation functions, this paper gives some sufﬁcient and practical conditions allowing

to guarantee the correctness of a security protocol with respect to the secrecy property. An interpretation

function is a safe means by which an agent can estimate the security level of message components that he

receives so that he can handle them correctly. An example of an universal interpretation function is given in

this paper together with how to use it to analyse a cryptographic protocol.

1 INTRODUCTION

The veriﬁcation of security of cryptographic proto-

cols is paramount, since they are used to make se-

cure our communications and transactions. The prob-

lem of the security veriﬁcation of cryptographic pro-

tocols is undecidable in general (see (Cervesato et al.,

1999; Even and Goldreich, 1983; Heintze and Tygar,

1996)). To deal with this problem, researchers pro-

posed a large variety of methods and tools. A general

survey could be found in (Boreale and Gorla, 2002;

Comon and Shmatikov, 2002; Meadows, 2003).

Theses approaches can be classiﬁed in two

classes. The ﬁrst one contains decidable methods

where some of them could be ﬁnd in (Comon-Lundh

and Cortier, 2003a; Gangon and Mejri, 2006; Lowe,

1998; Ramanujam and Suresh, 2003; Stoller, 1999).

Using these methods, one can decide whether some

protocols are correct or not. This is due to the fact

that these methods make strong restrictions on the an-

alyzed protocols in order to make the analysis decid-

able. The second class contains semi-decidable meth-

ods and some of them could be found in (Abadi, 1999;

Blanchet and Podelski, 2003; Burrows et al., 1990;

Comon-Lundh and Cortier, 2003b; Durgin et al.,

2001; Houmani and Mejri, 2003; Mao and Boyd,

1993; Paulson, 1997). Some of these approaches aim

to prove that a given protocol respects some secu-

rity properties and others try to detect ﬂaws on them.

However, in both cases, if the goal isn’t reached, the

security of the analyzed protocol cannot be guaran-

teed.

The major drawback of decidable and semi-

decidable approaches allowing to guarantee the se-

crecy property of a protocol is their strong restrictive

assumptions and any new less restrictive approach is

more than welcome.

The main result of this paper is to propose some

conditions that are not very restrictive but sufﬁcient

to guarantee the correctness of any protocol satisfy-

ing them with respect to the secrecy property. Be-

sides, the results presented in this paper are generic

enough to deal with the veriﬁcation of a large variety

of protocols in different contexts (different intruder

capabilities or different syntax of messages).

Intuitively, to guarantee that a protocol is correct

with respect to the secrecy property using our ap-

proach, one need to ﬁnd an interpretation function

and to prove that each role (agent) involved in the pro-

tocol does not decrease the security level of compo-

nent of messages when he sends them over the net-

work. Protocols that satisfy this condition will be

called increasing protocol.

An interpretation function could be seen as a

means that can be used by agents involved in a pro-

tocol to estimate, in a safe way, the security level

of unknown components that they receive during the

protocol. If the security level of components handled

157

Houmani H. and Mejri M. (2007).

PRACTICAL AND UNIVERSAL INTERPRETATION FUNCTIONS FOR SECRECY.

In Proceedings of the Second International Conference on Security and Cryptography, pages 157-164

DOI: 10.5220/0002129101570164

 SciTePress

by each agent are known or could be estimated in

a safe way, then the veriﬁcation of the protocol will

be considerably simpliﬁed. In fact, it will be enough

to check whether the agents protect in an appropriate

way the messages that they send over the network to

guarantee the secrecy property of the protocol.

The remainder of this paper is organized as fol-

lows. Section 2 formalizes some parameters that af-

fect the veriﬁcation of protocols are called the context

of veriﬁcation and clariﬁes the protocol speciﬁcation

and the notion of generalized roles. Section 3 gives

a formal deﬁnition of the secrecy property based on

valid traces. Section 5 introduces the proposed condi-

tions and provides a proof that are sufﬁcient to ensure

the secrecy property of a protocol. Section 6 presents

a guideline to deﬁne a safe interpretation function.

Section 7 gives an example showing how to verify the

secrecy property of a given protocol by using an inter-

pretation function. Section 8 discusses the approach

and compares it with some existing ones. Finally, sec-

tion 9 provides a few concluding remarks and future

works.

2 MODELING PROTOCOL

This section introduces the notions veriﬁcation con-

text and role-based speciﬁcation of a protocol.

2.1 Context of Veriﬁcation

Intuitively, a veriﬁcation context is a structure that

contains all the parameters that affect the veriﬁcation

of a protocol. Basically, we ﬁnd in this structure the

intruder capabilities, the knowledge of each princi-

pal and the security level of each atomic component.

More precisely, a veriﬁcation context, denoted by M,

is a quintuple h

M , |=, K , L ,

i , where :

•

M is the message algebra. It describes the class of

messages involved in the analyzed protocol. No-

tice that we use

A to denote the set of atomic mes-

sages in

M and A (M) to denote the set of atomic

messages in a given set of messages M.

• |= is the intruder capabilities. It is a set of infer-

ence rules showing how the intruder can infer new

messages.

•

K is the sets of messages (fresh and non-fresh

messages) that are initially known by each agent

including the intruder. More precisely,

K is a

set of triples (A, fr(A),

fr(A)), where A is the

name of the agent, f r(A) is a set of fresh mes-

sages known by A and fr(A) is the set of non-

fresh messages known by A. Notice that if M =

M , |=, K , L ,

i is a model, then we denote

by K

the set of messages ( fresh and non fresh)

known by A in M.

• (

L , ⊒) or simply L is a security lattice. It is used

to describe the security levels of components in-

volved in the protocol together with an ordering

relation between them.

•

is a function from

A to L . It speciﬁes the secu-

rity level of components that are initially known

by principals including the intruder. If A is a set

of atomic messages and α is an atomic compo-

nent, we say

⊒

if it exists β in M such

that

⊒

Example 2.1 In the sequel, we denote by M

, the fol-

lowing veriﬁcation model:

•

is the message algebra given by the the fol-

lowing BNF grammar.

m ::= A (Principal Identiﬁer)

| N

(Nonce)

| k

(Shared key)

| X (Variable)

| {m}

(Encrypted Message)

| m, m

′

(Concatenated Message)

In the sequel, we denote by

the set of identi-

ﬁers in

M .

• |=

the following commun intruder rules:

(init)



M |= m

[m ∈ M]

(decrypt)

M |= k M |= {m}

M |= m

(encrypt)

M |= k M |= m

M |= {m}

(concat)

M |= m

(deconcat)

M |= m

[i = 1, 2]

where M |= m means that the intruder can infer m

from M using the previous rules.

•

= {(A, fr(A),

fr(A)), (B, fr(B), fr(B)),

(S, fr(S),

fr(S)), (I, f r(I), fr(I))}, where :

fr(A) = {k

}

fr(B) = {N

}

fr(S) =

fr(I) = {N

, N

, . . .}

fr(A) = {k

, A, B, S}

fr(B) = {k

, A, B, S}

fr(S) = {k

, k

, A, B, S}

fr(S) = {k

, A, B, S}

SECRYPT 2007 - International Conference on Security and Cryptography

158

• L

= (2

, ⊇).

•

. The security type of an atomic message in-

volved in the protocol is the set of principals that

are allowed to know this message.

= [N

, N

, . . . 7→ ⊥, A, B, S 7→ ⊥,

7→ {A, B, S}, k

7→ {I, S}

7→ {A, S}, k

7→ {B, S}]

2.2 Protocol

Basically, a protocol P is speciﬁed by a sequence

of communication steps given in the standard nota-

tion. Hereafter, we give an example which is a vari-

ant extracted from the Woo and Lam (Woo and Lam,

1994) authentication protocol. As shown by Table 1,

this variant aims to distribute a fresh key that will be

shared between two agents A and B.

Table 1: Woo and Lam modiﬁed protocol.

P = h1, A → B : Ai.

h2, B → A : N

h3, A → B : {N

, k

}

h4, B → S : {A, {N

, k

}

h5, S → B : {N

, k

}

From a veriﬁcation context M and a protocol P,

we extract a role-based speciﬁcation (a set of gen-

eralized roles) that we denote by R

(P). A gener-

alized role is a protocol abstraction, where the em-

phasis is put on a particular principal and where all

the unknown messages are replaced by variables. An

exponent i (the session identiﬁer) to each fresh mes-

sage to reﬂect the fact that these components change

their values from one run to another is added. Ba-

sically, a generalized role reﬂects how a particu-

lar agent perceives the exchanged messages. More

details about generalized roles and how they ex-

tracted from a protocol could be ﬁnd in (Houmani and

Mejri, 2003). For instance, the role-based speciﬁca-

tion of the protocol described in Table 1,

(P), is

{

} (see Table 2).

The role-based speciﬁcation is used to formalize

the notion of valid trace. A trace is considered as valid

if all honest participants act according to the protocol

speciﬁcation and all the messages sent by the intruder

are derivable from his intercepted messages, his ini-

tial knowledge and his inference rules given within

the veriﬁcation context. It is considered that an hon-

est agent acts according to the protocol speciﬁcation

if any given run in which he participates is an instance

Table 2: Generalized roles of Woo and Lam protocol.

= hi.1, A → I(B) : Ai

= hi.1, A → I(B) : Ai.

hi.2, I(B) → A : Xi.

hi.3, A → I(B) : {X, k

}

= hi.1, I(A) → B : Ai.

hi.2, B → I(A) : N

= hi.1, I(A) → B : Ai.

hi.2, B → I(A) : N

hi.3, I(A) → B : Y

hi.4, B → I(S) : {A, Y

}

= hi.1, I(A) → B : Ai.

hi.2, B → I(A) : N

hi.3, I(A) → B : Y

hi.4, B → I(S) : {A, Y

}

hi.5, I(S) → B : {N

, Z}

= hi.4, I(B) → S : {A, {U, V}

}

hi.5, S → I(B) : {U, V}

(variables are replaced by constant messages) of one

of his generalized roles. The notation [[P ]] means

the set of the valid traces associated to the protocol P.

Also, [[ P ]] |=

α means that the protocol P exhibits

a trace allowing an intruder, having an initial knowl-

edge K

and using the inference rules deﬁned by |= ,

modeled by |=

, to know the message α. To verify

the secrecy property, this paper proves that it is suf-

ﬁcient to verify whether the generalized roles of the

analyzed protocol respect some conditions. This ver-

iﬁcation is decidable, because the set of generalized

roles of a protocol is ﬁnite.

3 SECRECY PROPERTY

Intuitively, a protocol keeps a component m secret, if

it has not a valid trace that decrease the security level

of m. More precisely, the formal deﬁnition of the se-

crecy property given hereafter states that the intruder

cannot learn from any valid trace more than what he

is eligible to know. We suppose that if an agent (in-

cluding the intruder) knows a message with a security

PRACTICAL AND UNIVERSAL INTERPRETATION FUNCTIONS FOR SECRECY

159

level τ, then he is also eligible to know all messages

having security level lower than τ

Deﬁnition 3.1 (Secrecy Property) Let P be a proto-

col and M = h

M , |=, K , L ,

i a veriﬁcation con-

text. The protocol P is M-correct with respect the se-

crecy property, if:

∀α ∈

A (M ) · [[ p ]] |=

α ⇒

⊒

4 SAFE INTERPRETATION

FUNCTION

The aim of safe interpretation functions is to give a

correct means to the principals involved in the proto-

col by which they can estimate the security level of

the received components.

Deﬁnition 4.1 (Interpretation function) Let M =

M , |=, K , L ,

i be a veriﬁcation context. An M-

Interpretation function F is function from

A (M )×M

to L .

Before introducing the notion of safe interpreta-

tion functions, we need to deﬁne the following order-

ing relation.

Deﬁnition 4.2 (⊒

) Let F be an M-Interpretation

function. We say that M

⊒

if:

∀α ∈

A (M

) · F(α, M

) ⊒ F(α, M

)

For the sake of simplicity, {m} ⊒

M is replaced by

m ⊒

M, and F(α, {m}) is replaced by F(α, m).

Now a safe interpretation function could be de-

ﬁned as following:

Deﬁnition 4.3 (Safe Interpretation Function)

Let M = h

M , |=, K , L ,

i. An M-Interpretation

function is called M-Safe if the following conditions

are respected:

1. F is well formed, i.e:

F(α, {α}) = ⊥ and F(α, M

∪ M

) = F(α, M

) ⊓

F(α, M

) and F(α, M) = ⊤ where α 6∈

A (M)

2. F is full-invariant by substitution, i.e: for all

and M

two set of messages in M such that

Var(M

) ⊆ Var(M

) and M

⊒

we have:

∀σ ∈ Γ· M

σ ⊒

where Γ is the set of possible substitution form X

to close messages in M .

3. F is full-invariant by intruder, i.e:

∀M ⊆ M , ∀α ∈ A (M) such that F(α, M) ⊒

and ∀m ∈

M such that M |=

m we have:

∀α ∈

A (m) · (F(α, m) ⊒ F(α, M) ∨ (

⊒

)

Notice that it is always possible to deﬁne a security lat-

tice that reﬂects our needs and which is coherent with this

hypothesis.

5 MAIN RESULT

Now, it is time to give the sufﬁcient conditions al-

lowing to guarantee the correctness of a protocol with

respect to the secrecy property. Informally, these con-

ditions state that (a) honest agents should never de-

crease the security level of any atomic message and

(b) they have to use a safe interpretation function to

estimate the security level of component that they

didn’t initially know. To formalize the condition (a),

we introduce the following deﬁnition.

Deﬁnition 5.1 (Increasing Protocol)

Let M be a veriﬁcation context, F an M-interpretation

function and P a protocol. The protocol P is said to

be F-increasing if:

∀r ∈

(P), ∀α ∈

A (r

)· F(α, r

) ⊒

⊓F(α, r

−

)

where r

is a set containing the messages sent during

the last step of r and r

−

contains the set of messages

received by the honest agent in r.

Now the main theorem could be formalized as fol-

lowing:

Theorem 5.2 Let P be a protocol, M a veriﬁcation

context and F a M-interpretation function . If F is M-

safe and P is F-increasing, then P is M-correct with

respect to the secrecy property.

Proof:

Due to the lake of space, proofs have been removed

and can be found in (Houmani and Mejri, 2007a).



6 GUIDELINES TO DEFINE SAFE

INTERPRETATION

FUNCTIONS

According to theorem 5.2, the ﬁrst step of the ver-

iﬁcation of secrecy property is to ﬁnd a safe inter-

pretation function and this is the delicate part of the

approach. In fact, an interpretation function needs to

be full-invariant by substitution and full-invariant by

intruder. For that reason, this section provides some

guidelines allowing to easily construct a safe interpre-

tation function.

Basically, we show hereafter that any interpreta-

tion function that has some given form is safe. In

particular, we focus on interpretation functions hav-

ing the following form:

F(α, M) = I ◦ S(α, M)

where S is a function that selects from M some

atomic components having some links with α and

SECRYPT 2007 - International Conference on Security and Cryptography

160

where I is a function that interprets what S returns as

a security type.

If we consider a message, which is a term in the

message algebra, as a tree and we attach to each arc

of this tree an integer value (reﬂecting costs or dis-

tance between nodes), then it will be easy to deﬁne S

that select some components that are at some distance

from a given component. To formalize the the notion

of distance, we introduce a function

T that takes a

message and attach a value to each arc in its corre-

sponding tree. An example of

T is as following:

T ((c, α)) = 0

T ((c, e)) = ∞

T ((e, c)) = 0

T ((e, α)) = 1

where e is the encryption operator, c is the con-

catenation operator and α is an atomic message. If we

apply this function to the message ”B, {N

, k

}

”,

we obtain

T (”B, {N

, k

}

”) given by Fig. 1.



0 ∞

0 1

Figure 1: T (”B, {N

, k

}

”).

In the rest of this paper, d

T (m)

(α, β) (or simply

(α, β) if

T (m) is clear from the context) denotes

the smallest distance between α and β in

T (m). This

notion can be easily extended to a set of messages M

as follows: d

(α, β) = Min

m∈M

(α, β))

Now, we introduce the n-selection function S

following:

(α, M) =



A if α appears in clear in M

{β ∈

A (M) | d

T (M)

(α, β) = n} else

The deﬁnition of S

is extended to S

−→

, called the n-

vector selection function, as following:

−→

(α, M) = (S

(α, M), S

(α, M), . . . , S

(α, M))

This n-vector selection function will play a key role

in the deﬁnition of a safe interpretation function.

Any n-vector selection function S

−→

from

A × 2

to ((2

)

, ⊆) can be proved full-invariant by substi-

tution, where ⊆ is extended to deal with vectors as

follows:

, M

, . . . , M

) ⊆ (M

′

, M

′

, . . . , M

′

) ⇔

∀i ∈ {1, . . . , n} · M

⊆

∪

j=1

′

This full-invariance of n-vector selection function is a

useful property to help us to construct an interpreta-

tion function that is full-invariant by substitution.

Now, some restrictions on

T are needed so that

−→

will be also full-invariant by intruder manipula-

tion. A simple and practical condition that T needs to

satisfy so that S

−→

becomes full-invariant by intruder

is given by deﬁnition 6.1.

Deﬁnition 6.1 (Safe Cost Attribution (SCA)) We

say that

T is an SCA if T (o, e) = ∞, where where e

is an encryption operator and o is any another node.

Having a selection function that is full-invariant

by substitution and full-invariant by intruder is not

enough to construct a safe function F = I ◦ S that is

also full-invariant by substitution and full-invariant by

intruder. The function I needs also to be restricted so

that it can preserves the full-invariance properties of

S. For instance, the selection function S

returns a

vector of sets of atomic components that will be inter-

preted by I as a security type. These atomic compo-

nents could contain variables and therefore the func-

tion I needs to carefully handle them so that the ”full-

invariance” properties of S

are preserved.

Before giving how to choose I, we need to intro-

ducing the following notations: Given a security lat-

tice (

L , ⊒), we introduce the two following useful ex-

tensions.

• (

, ⊒

): where

X is a set of variables that range

over security types,

L ∪ X and the relation

⊒

is deﬁned as follows:

⊒

⇔ ∀σ ∈

X × L : τ

σ ⊒ τ

• (

, ⊒

) is an extension of (

, ⊒

) as follow-

ing:

–

× . . . ×

{z }

– ⊒

is deﬁned as follows:

(τ

, . . . , τ

) ⊒

(τ

′

, . . . , τ

′

) ⇔

∀i ∈ {1, . . . , n} · τ

⊒

⊓

j=1

′

The following theorem shows the condition that

need to be respected by I so that we get a safe inter-

pretation function.

Theorem 6.2 Let M be a context of veriﬁcation and

−→

an n-vector selection function. If:

PRACTICAL AND UNIVERSAL INTERPRETATION FUNCTIONS FOR SECRECY

161

• T be a SCA, and

• I is a morphism from ((2

)

, ⊆) to (

, ⊒

)

Then, F = I ◦ S

−→

is M-safe.

Proof:

Due to the lake of space, proofs have been removed

and can be found in (Houmani and Mejri, 2007b).



Practical steps to construct F: To deﬁne a safe in-

terpretation function F, one can follow these steps:

1. Deﬁne a n-vector selection function S

−→

. To do

this, we should deﬁne the following elements:

• Choose a positive integer value for n.

• Choose

T such that it is an SCA.

2. Deﬁne a morphism I from ((2

)

, ⊆) to (

, ⊒

). Given a security lattice (

L , ⊒), a morphism can

be built simply by following these steps:

• Deﬁne mapping I from A to L .

• Extend the mapping I to deal with variable as

following:

I(x) = x if x is a variable

where x is a variable that ranges over secu-

rity types. This extension is done to appropri-

ately deal with variables that could be returned

by S

• Extend I to be able to handle sets a another as

following:

I(A

∪ A

) = I(A

) ⊓ I(A

)

• Extend the function I to be able to deal with

vectors as following:

I((A

, . . . , A

)) = (I(A

), . . . , I(A

))

3. Deﬁne an M-safe function F as:

F = I ◦ S

−→

6.1 Example

In this example, we deﬁne an M

-safe function, de-

noted by F

, where M

is the veriﬁcation context de-

scribed in section 2.1. To that end we proceed accord-

ing to the previous steps:

1. Deﬁne a n-vector selection function S

−→

• Choose a value for n: In this example, we

choose n = 0.



0 0

c a

a e

0 ∞

a e

∞

Figure 2: Example of costs.

• Deﬁne an SCA

T : In this example, T attaches

values to arcs as shown by Fig. 2, where a is an

atomic message. Intuitively, T allow S

−→

(α, M)

to select the innermost keys that encrypt α in M

together with the atomic components that are

concatenated to α in M (called direct neigh-

bors).

2. Deﬁne a morphism I

from (2

, ⊆) to (2

, ⊆

In this example, let I be the mapping deﬁned as

follows I

(

A) = A and I(α

) = {A, B}. After that

we can extend this mapping with following steps

described previously to the mapping I that is from

, ⊆) to (2

, ⊆

3. The interpretation function is now as following:

= I ◦ S

−→

For instance:

(α, {{α, B, X}

}

) = I({B, X, k

})

= {A, S, B, } ∪

This function is called

DEKAN (Direct Encrypting

Keys and Neighbors). We believe that such a

DEKAN function is powerful enough to allow us

to appropriately analyze a large class of protocols

with respect to the secrecy property.

7 CASES STUDY

By using the DEKAN safe interpretation function F

and the theorem 5.2, one can prove that P (the version

of Woo and Lam protocol given by Table 1) is M

correct with respect to the secrecy property. To this

end, we need only to prove that the protocol is F

increasing, i.e., for each generalized role r in Table 2,

we have:

∀α ∈

A (r

) · F

(α, r

) ⊆

∪ F

(α, r

−

)

SECRYPT 2007 - International Conference on Security and Cryptography

162

For the role A

, since

= ⊥ and F is well-deﬁned

(F(A, A) = ⊥), then the role

is F-increasing:

(A, A) ⊆

∪ F

(A, A)

For the role

, since F

, {{X, k

}

}) =

{A, S} ∪

X, F

(X, {{X, k

}

}) = {A, B, S} ,

{A, B, S},

= ⊤ and F is well-deﬁned (F

(X, X) =

⊥, F

, X) = ⊤), then the role A

is not F-

increasing. Indeed, we have:



, {{X, k

}

}) 6⊆

∪ F

, X)

(X, {{X, k

}

}) ⊆

∪ F

(X, X)

For the role

, since

= ⊥ and F is well-

deﬁned (F

, N

) = ⊥, F

, A) = ⊤), then the

role

is F-increasing. Indeed, we have:

, N

) ⊆

∪ F

, A)

For the role

, since F

, {{A, Y

}

}) =

{A, B, S}, F

(A, {{A, Y

}

}) = {B, S} ∪

= ⊥,

= ⊤ and F is well-deﬁned (F

, {Y

, A}) =

⊥, F

(A, {Y

, A}) = ⊥), then the role

is F-

increasing. Indeed, we have:



, {{A, Y

}

}) ⊆

∪ F

, {Y

, A})

(A, {{A, Y

}

}) ⊆

∪ F

(A, {Y

, A})

For the role

, since F

(U, {U, V}

) =

{B, S} ∪

V, F

(V, {U, V}

) = {B, S} ∪ U,

(U, {A, {U, V}

}

) = {A, S} ∪ V,

(V, {A, {U, V}

}

) = {A, S} ∪ U and

= ⊤, then the role

is not F-increasing.

Indeed, we have:



(U, {U, V}

) 6⊆

∪ F

(U, {A, {U, V}

}

)

(V, {U, V}

) 6⊆

∪ F

(V, {A, {U, V}

}

)

Therefore, this protocol is not an F

-increasing

and we can not ensure its correctness with respect

to the secrecy property. Moreover, it is not difﬁcult

to see that this protocol contains a ﬂaw and therefore

we will never be able to construct a a safe interpreta-

tion function that makes it an increasing one. What is

interesting however, is that the previous veriﬁcations

help as to localize the origin of the problem which

are in steps 3 and 5. For instance in step 3, the mes-

sage k

is sent with security level equal to {A, S} ∪

which is not in its security level speciﬁed in the proto-

col {A, B, S} for all the possible values of X (a similar

problem appears in step 5). To resolve this problem

and prove the correctness by using F

as interpreta-

tion function, we need to modify the protocol. One

possible way of modifying this protocol is as shown

by Table 3).

We can now prove that this new version is F

increasing.

Table 3: Woo and Lam modiﬁed protocol: Second version.

P = h1, A → B : Ai.

h2, B → A : N

h3, A → B : {{N

}

, B, k

}

h4, B → S : {A, {{N

}

, B, k

}

h5, S → B : {{N

}

, A, k

}

8 DISCUSSION

The approach proposed in this paper shares some

characteristics with others existing works like the se-

crecy by typing technique proposed in (Abadi, 1999)

and rank functions proposed in (Schneider, 1998;

Delicata and Schneider, 2005).

With the secrecy by typing technique, we share

the idea of having some secure way allowing to prop-

agate the security level of exchanged information dur-

ing a protocol so that they can be correctly han-

dled by the receivers. To this end, the secrecy by

typing approach uses standard forms of messages

({secret, any, public, confounder}

) so that it will

be easy to deduce its ”secret”, ”public” and ”any”

(component with unknown security level) parts. This

involves that this approach can only ensure the secu-

rity of protocols that exchange messages having the

standard format. With our approach, however, the se-

curity level of any component can be inferred in a safe

way by using what we called interpretation function.

It is possible for us to deﬁne an interpretation func-

tion, when the message have the standard form giv-

ing a safe way to know the security level of its com-

ponents (like the one used in the secrecy by typing

approach), but also it still possible to deﬁne an inter-

pretation function even such kind of standard are not

respected by the protocol. This gives to our approach

the ability of certifying the security of a larger class

of protocols.

With the rank functions techniques, we share the

idea of using inductive proofs and the use of a func-

tion that allows to know whether a message is ap-

propriately protected or not. However, interpretation

functions are more precise than rank functions. This

is due to fact that rank functions are global functions

that ensure if a message is globally constructed in a

secure way. However, interpretation functions are lo-

cal functions than allows to know whether each com-

ponent of messages are convenably protected or not.

Therefore, the interpretation functions give more help

to detect problems in a protocol, and how to modify it

so that its security could be guaranteed. In fact, when

PRACTICAL AND UNIVERSAL INTERPRETATION FUNCTIONS FOR SECRECY

163

they fail to ensure the security of a protocol they give

the exact components that could be inappropriately

protected. We believe also that interpretation func-

tions are more helping during the conception of new

protocols and could give some guidelines.

9 CONCLUSION

By using the notion of safe interpretation functions,

this paper gives sufﬁcient conditions to guarantee the

correctness of a cryptographic protocol with respect

to the the secrecy property. These conditions could be

veriﬁed in a linear time on the protocol. It gives also a

practical way to construct these kind of interpretation

functions.

As future works, we want to show the efﬁciency of

this approach by verifying real life protocols such as

SSL, SET, Kerberos, etc. We would like also to deﬁne

other safe and universal interpretation functions. Fi-

nally, it will be interesting to see wether this approach

could help in order analyze others security proper-

ties.

REFERENCES

Abadi, M. (1999). Secrecy by typing in security protocols.

Journal of the ACM, 46(5):749–786.

Blanchet, B. and Podelski, A. (2003). Veriﬁcation of cryp-

tographic protocols: Tagging enforces termination. In

Foundations of Software Science and Computational

Structures, volume 2620 / 2003, pages 136–152, War-

saw, Poland. Springer-Verlag Heidelberg.

Boreale, M. and Gorla, D. (2002). Process calculi

and the veriﬁcation of security properties. Journal

of Telecommunication and Information Technology—

Special Issue on Cryptographic Protocol Veriﬁcation,

(4/02):28–40.

Burrows, M., Abadi, M., and Needham, R. (1990). Re-

joinder to Nessett. ACM Operating Systems Review,

24(2):39–40.

Cervesato, I., Durgin, N. A., Lincoln, P., Mitchell, J. C.,

and Scedrov, A. (1999). A meta-notation for protocol

analysis. In CSFW, pages 55–69.

Comon, H. and Shmatikov, V. (2002). Is it possible to de-

cide whether a cryptographic protocol is secure or not.

Journal of Telecommunications and Information Tech-

nolog,.

Comon-Lundh, H. and Cortier, V. (2003a). New decidabil-

ity results for fragments of ﬁrst-order logic and ap-

plication to cryptographic protocols. In RTA, pages

148–164.

Comon-Lundh, H. and Cortier, V. (2003b). Security prop-

erties: Two agents are sufﬁcient. In ESOP, pages 99–

113.

Delicata, R. and Schneider, S. (2005). Temporal rank func-

tions for forward secrecy. In CSFW ’05: Proceed-

ings of the 18th IEEE Computer Security Foundations

Workshop (CSFW’05), pages 126–139, Washington,

DC, USA. IEEE Computer Society.

Durgin, N., Mitchell, J., and Pavlovic, D. (2001). A com-

positional logic for protocol correctness.

Even, S. and Goldreich, O. (1983). On the security of multi-

party ping-pong protocols. In IEEE Symposium on

Foundations of Computer Science, pages 34–39.

Gangon, F. and Mejri, M. (2006). A decision procedure for

structured cryptographic protocols. In New Trends in

Software Methodologies, Tools and Techniques, pages

272–286. IOS Press.

Heintze, N. and Tygar, J. D. (1996). A model for secure pro-

tocols and their compositions. Software Engineering,

22(1):16–30.

Houmani, H. and Mejri, M. (2003). Secure protocols for se-

crecy. In Foundations of Computer Security Aﬁliated

with LICS’03, pages 85–96, Ottawa, Canada.

Houmani, H. and Mejri, M. (2007a). Secrecy by in-

terpretation functions. Knowledge-Based Systems,

doi:10.1016/j.knosys.2007.05.003.

Houmani, H. and Mejri, M. (2007b). Secrecy by interpreta-

tion functions: Extended version. Thechnical Report,

www.ift.ulaval.ca\

hahou\techReport1.pdf

Lowe, G. (1998). Towards a Completeness Result for

Model Checking of Security Protocols. In Proceed-

ings of 11th IEEE Computer Security Foundations

Workshop, pages 96–108.

Mao, W. and Boyd, C. (1993). Towards the Formal Analy-

sis of Security Protocols. In Proceedings of the Com-

puter Security Foundations Workshop VI, pages 147–

158. IEEE Computer Society Press.

Meadows, C. (2003). What makes a cryptographic protocol

secure? the evolution of requirements speciﬁcation in

formal cryptographic protocol analysis. In Proceed-

ings of ESOP 03. Springer-Verlag.

Paulson, L. C. (1997). Proving properties of security pro-

tocols by induction. In 10th Computer Security Foun-

dations Workshop, pages 70–83. IEEE Computer So-

ciety Press.

Ramanujam, R. and Suresh, S. (2003). Tagging makes

secrecy decidable with unbounded nonces as well.

In Lecture Notes in Computer Science, volume

2914/2003. FST TCS 2003: Foundations of Software

Technology and Theoretical Computer Science, Pub-

lisher Springer Berlin / Heidelberg.

Schneider, S. (1998). Verifying authentication protocols in

csp. IEEE Trans. Softw. Eng., 24(9):741–758.

Stoller, S. D. (1999). Lower and upper bounds for attacks on

authentication protocols. In Symposium on Principles

of Distributed Computing, page 283.

Woo, T. Y. C. and Lam, S. S. (1994). A Lesson on Authen-

tication Protocol Design. Operating Systems Review,

pages 24–37.

SECRYPT 2007 - International Conference on Security and Cryptography

164