Formal Analysis of the TLS Handshake Protocol
Hanane Houmani and Mourad Debbabi
CIISE, Concordia University, Montreal, Quebec, Canada
Keywords:
TLS/SSL Protocol, Formal Analysis, Confidentiality, Secrecy.
Abstract:
Most applications on the Internet, such as e-banking, e-commerce, e-mailing, etc., use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol to protect the communication channel between the client and the server. That is why it is paramount to ensure the security objectives, such as confidentiality, authentication and integrity, of the SSL/TLS protocol. In this paper we prove the confidentiality (secrecy) property of the SSL/TLS handshake protocol, which constitutes the core of the SSL/TLS protocol. To perform this analysis, we introduce a new function, called the DINEK function, that safely estimates the security level of messages. More precisely, this function, which shares a conceptual origin with the idea of a rank function, allows one to estimate a security level of a message (including unknown messages) according to the interaction between the protocol and the intruder. This function can be used not only to verify the TLS protocol, as we show in this paper, but also to verify the secrecy property for a large class of protocols, and in particular key agreement protocols. The verification using the DINEK function is proven in this paper for an unbounded number of sessions and an unbounded number of nonces.
1 MOTIVATIONS AND BACKGROUND
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that aim to provide secure communication over the Internet (Hickman, 1994; Dierks and Rescorla, 2008). SSL/TLS and their versions are in widespread use in applications such as web browsing, electronic mail, e-commerce, banking, cloud computing, VPN, Internet faxing, instant messaging and voice-over-IP (VoIP). In fact, some version of SSL/TLS is used each time a secure communication is needed. More precisely, TLS and SSL encrypt the segments of network connections above the transport layer, using asymmetric cryptography to ensure security objectives such as confidentiality, integrity and authentication.
However, these security objectives have been broken, and many attacks and vulnerabilities (Mitchell et al., 1998; Oppliger and Gajek, 2005; Oppliger et al., 2006; Wagner and Schneier, 1996) have been discovered against the implementation and the cryptographic primitives used by this protocol rather than against the protocol itself. For instance, in the implementation of SSL 2.0 some fields are not properly instantiated, which could be exploited for a man-in-the-middle attack as described in (Oppliger et al., 2006). Also, a weak MAC construction is used as a cryptographic primitive in SSL 2.0, as shown in (Wagner and Schneier, 1996). In recent years, many versions of SSL/TLS have been proposed to correct these flaws and vulnerabilities.
Therefore, ensuring the correctness of the TLS protocol with respect to its security objectives is paramount. Indeed, most of the communication over the network is based on this protocol, and a simple flaw could be very costly. Formal methods to verify the security of cryptographic protocols have received much attention in recent years, since they allow one to give a concrete and formal proof of their correctness and security. Some of these works, including comparative studies, can be found in (Meadows, 2003; Sabelfeld and Myers, 2003; Carlsen, 1994; Clark and Jacob, 1996; Kemmerer et al., 1994; Liebl, 1993; Meadows, 1994; Rubin and Honeyman, 1993; Syverson, 1991; Syverson, 92). However, most of these methods are not suitable to prove the security of the SSL/TLS protocol, due to their restrictions.
Nevertheless, there are some attempts to prove the security of the TLS protocol. For example, the authors tried to prove in (Paulson, 1997a) some security properties (authentication and secrecy properties) of the handshake phase by using the inductive approach and
Houmani H. and Debbabi M. Formal Analysis of the TLS Handshake Protocol.
DOI: 10.5220/0004075101920205
In Proceedings of the International Conference on Security and Cryptography (SECRYPT-2012), pages 192-205
ISBN: 978-989-8565-24-2
Copyright © 2012 SCITEPRESS (Science and Technology Publications, Lda.)
the theorem prover "Isabelle". However, the proof is not fully automatic, and human interaction is needed to perform the proof, which could be error-prone. Moreover, the proof concerns only a simplified and abstracted version of SSL/TLS rather than the real version, and no proof is given that the security of the simplified version of TLS is sufficient to ensure the security of the real one. Also, the SSL handshake has been analyzed using a general-purpose finite-state enumeration tool called Murφ (He et al., 2005; Mitchell, 1998). As with any model checker, this tool is unable to ensure the security of protocols in the absence of flaws.
In an independent line of research, several works (Jager et al., 2011; Morrissey et al., 2008) analyzed the security properties (authentication, confidentiality and integrity) of the SSL/TLS handshake protocol. However, these works make some unrealistic assumptions and abstractions on the protocol. For instance, in (Morrissey et al., 2008) the authors extensively use the random oracle model (Bellare and Rogaway, 1993) to separate the three layers they define in the TLS handshake, and to switch from a computational to an indistinguishability-based security model. In (Jager et al., 2011), the authors use the standard model (some realistic assumptions on the encryption scheme), but they prove the security of only a truncated version of the SSL/TLS handshake protocol rather than the complete and original version.
In this paper, we prove the secrecy (confidentiality) property of the TLS handshake protocol on the original description of the protocol. This analysis is conducted by using the interpretation functions-based method (Houmani and Mejri, 2008a; Houmani and Mejri, 2008b), which shares a conceptual origin with the idea of a rank function (Delicata and Schneider, 2005; Schneider, 1997). In fact, the main idea of the rank function-based method is to construct a message space in such a way that authentication corresponds to certain messages being kept away from the intruder. The goal is to define a rank function which correctly assigns a positive rank to every message that the intruder may obtain and a negative rank to the others. As for the typing-based method, the idea consists of not decreasing the security levels of sent messages. However, the effort needed to define a rank function that guarantees the security of a cryptographic protocol is heavy and non-evident. This is where the interpretation function-based method comes in: it allows one to define an interpretation function in a semi-automatic way. An interpretation function can be viewed as a rank function that, instead of estimating the security level of a message in an absolute way, estimates it in a relative
and approximate way. For instance, in the rank function-based method, the rank of a message $\alpha$ is equal to 0 when the message is equal to $s_a$, and equal to 1 in the other cases. In the interpretation function, the rank of a message is always calculated by considering a set of messages. For instance, the rank of $\alpha$ in $\{\alpha\}_k$ is equal to the rank of $k$, which may be secret or not, and the rank of $\alpha$ in $\alpha.m$ is equal to 1 (public). This modification of the rank function allows one to define a rank function for a class of protocols instead of defining a rank function for each protocol. It also provides a guideline for defining such functions.
In addition, the interpretation function-based method generalizes the main result of the rank function-based method by proving the result for any class of protocols and any intruder capacities (including algebraic properties of cryptographic primitives). Also, the verification is bounded and proven sufficient to guarantee the secrecy property for unbounded sessions and nonces in the presence of an active intruder who can apply an unbounded number of operations to the messages.
However, the guideline for interpretation functions is not suitable to define an interpretation function that allows one to verify the secrecy property of key agreement protocols. This is due to the fact that in this guideline we propose to give unknown messages unknown security levels. Hence, a key that is freshly shared between two agents, and which is considered by one of them or both as an unknown message, cannot have its confidentiality ensured. In the remainder of this paper, we address this problem by giving a new class of interpretation functions that can be used to analyze the secrecy property of key agreement protocols. Also, we prove that this kind of function is sufficient to prove secrecy for an unbounded number of sessions and nonces. We also give in this paper concrete examples (the DEK and DINEK functions) of such functions. With the DINEK function we prove the secrecy property of the TLS handshake protocol.
2 SSL/TLS HANDSHAKE PROTOCOL
The SSL/TLS protocol (Dierks and Rescorla, 2008) is composed of five protocols: the Record Layer protocol, the Handshake protocol, the ChangeCipherSpec protocol, the Application Data protocol and the Alert protocol. In this paper, we analyze the Handshake protocol, which allows the client and the server to authenticate each other and to negotiate a stateful connection by using a handshaking procedure. During this phase, the client and server agree on various parameters used to establish the connection's security. For instance, they must agree on session keys that will be used for securing future connections. The standard description of the SSL/TLS protocol is as follows:
Table 1: The SSL/TLS handshake protocol.

1. $C \rightarrow S : m_1 = C, N_c, Ver_c, IdSession$
2. $S \rightarrow C : m_2 = S, N_s, Ver_s, IdSession, CA(S, K_s)$
3. $C \rightarrow S : m_3 = IdSession, \{Ver_c, Secret_c, C, S\}_{K_s}, CA(C, K_c), \{H(g_1(m_1, m_2, Secret_c, C, S))\}_{K_c^{-1}}$
4. $S \rightarrow C : m_4 = \{H(g_2(m_1, m_2, m_3, Secret_c, C, S))\}_{K_{cs}}$
5. $C \rightarrow S : m_5 = \{H(g_3(m_1, m_2, m_3, m_4, Secret_c, C, S))\}_{K_{cs}}$

where $K_{cs} = Master(Secret_c, N_c, N_s)$ and $Master()$ is a function that takes the secret $Secret_c$ and the nonces $N_c$ and $N_s$ and returns a key. $F_1$, $F_2$ and $F_3$ (written $g_1$, $g_2$ and $g_3$ in Table 1) are some parameters and preferences chosen by the client $C$ and the server $S$ for the compression. In fact, the client $C$ and the server $S$ exchange the messages $m_1$ and $m_2$ to synchronize with each other. In step 2, $S$ provides a public key certificate to $C$ in a certificate message. In step 3, $C$ provides a public key certificate in a certificate message, and a pseudo-randomly generated master secret $Secret_c$ for the SSL/TLS session, encrypted with the server's public key (found in the certificate message). Finally, all messages subsequently transmitted between $C$ and $S$ are crypt
ographically protected in terms of authenticity, integrity and confidentiality with cryptographic keys derived from the master secret $Secret_c$.
3 OVERVIEW OF THE INTERPRETATION FUNCTIONS-BASED METHOD
The main idea of the interpretation function-based method is based on some conditions that are proven sufficient to guarantee the secrecy property of any protocol that respects them. The proposed conditions can be easily verified in PTIME, and they intuitively state that principals involved in the protocol should not decrease the security levels of sent components. The security level of an atomic message is either given within a context of verification (input information) and/or estimated from received messages. The protocols that satisfy this condition are called in this work "increasing protocols".
To verify whether a protocol is increasing, we should have a safe means, called a "safe interpretation function", to appropriately estimate the security levels of exchanged messages. By a safe means, we mean basically that the interpretation function cannot be misled by intruder manipulations. Indeed, the intruder can make some changes to the received messages to affect the security of the components. Therefore, a safe interpretation function is a function that always gives the correct security level of a message even when the message is altered by an intruder. For instance, a safe interpretation function could be a function that assigns the security level of a message according to its direct encryption key; this function was called the DEK (Direct Encrypted Key) function (Houmani and Mejri, 2008c) and is denoted by $F_{DEK}$. In this case, $F_{DEK}(N_b, \{A, N_b\}_{k_{ab}})$ calculates the security level of $N_b$ in the message $\{A, N_b\}_{k_{ab}}$, and it is equal to the security level of $k_{ab}$. For example, if the security level of $k_{ab}$ is secret then we have:
$$F_{DEK}(N_b, \{A, N_b\}_{k_{ab}}) = secret$$
The main results of the interpretation functions-based method are general and do not depend on specific intruder capacities or a specific class of protocols. Indeed, the authors introduced the concept of a "context of verification" and proved all results for any context of verification. A context of verification contains basically the class of protocols, the class of intruder capacities, and the class of algebraic properties of the cryptographic primitives. This concept gives great flexibility: one can change the class of protocols or the intruder capacities and still be able to use the approach without any need to rework the proofs and/or the conditions. For instance, we can apply the approach to protocols that use either symmetric or asymmetric keys. Also, we can apply the approach with or without algebraic properties of cryptographic primitives.
The secrecy property of increasing protocols is guaranteed even for an unbounded number of sessions and in the presence of an active intruder who can apply an unbounded number of operations to the messages that he manipulates. Indeed, verifying whether the specification of the protocol is increasing is proven sufficient to guarantee the secrecy property. In other words, the interpretation functions-based method imposes some static conditions on the protocol that are sufficient for the secrecy property.
To sum up, the verification of the secrecy property consists of verifying whether the protocol is increasing according to a safe interpretation function and a context of verification. In fact, if the protocol is increasing according to a specific safe interpretation function, then we can deduce that the protocol respects the secrecy property; otherwise we cannot make any statement. In this case, the analyzed protocol may be increasing according to another safe interpretation function. Nevertheless, even if the verification is not conclusive, it could be helpful to discover flaws or weaknesses in the analyzed protocol or to deduce another safe interpretation function allowing us to prove the secrecy property of the protocol. All these cases are illustrated in the case studies section.
4 NEW AND PRACTICAL SAFE INTERPRETATION FUNCTIONS TO ANALYZE KEY-AGREEMENT PROTOCOLS
To prove the secrecy property of a cryptographic protocol by the interpretation functions-based method, as seen in the previous section, we need to have a suitable safe interpretation function. That is why, in (Houmani and Mejri, 2008a; Houmani and Mejri, 2008b), the authors proposed a guideline to help define safe interpretation functions having the following form:
$$F(\alpha, M) = I \circ S(\alpha, M)$$
The function $S$ selects from $M$ some atomic components on which the security level of $\alpha$ depends. This function is called a selection function. The function $I$ interprets what $S$ returns as a security type. This function is called a rank function.
In addition to the fact that a safe interpretation function $F$ should be a composition of the selection function $S$ and a rank function $I$, the selection function $S$ should select at least the direct encryption keys. For example, $S(\alpha, \{S, R, \{\alpha, A, N_a, B, C\}_{k_1}\}_{k_2})$ should return $k_1$ and any subset of $\{A, N_a, B, C\}$. Also, the rank function $I$ should attribute to a message a security level at least equal to its real security level. For instance, if $\beta$ is public information, then $I$ cannot interpret it as secret.
As examples of such functions, the authors proposed in (Houmani and Mejri, 2008a; Houmani and Mejri, 2008b; Houmani and Mejri, 2007) the DEK and DEKAN functions. The DEK function, denoted by $F_{DEK}$, attributes a security level to a component $\alpha$ in a message $m$ depending only on the keys directly encrypting $\alpha$ in $m$. Accordingly, $F_{DEK}(N_b, \{S, N_b\}_{k_{ab}})$ calculates the security level of $N_b$ in the message $\{S, N_b\}_{k_{ab}}$, and it is equal to the security level of $k_{ab}$. For example, if the security level of $k_{ab}$ is $\{A, B\}$ (meaning that only $A$ and $B$ are eligible to know $k_{ab}$), then we have:
$$F_{DEK}(N_b, \{S, N_b\}_{k_{ab}}) = \{A, B\}$$
The DEKAN function, denoted by $F_{DEKAN}$, attributes a security level to a component $\alpha$ in a message $m$ depending only on the keys directly encrypting $\alpha$ in $m$ and the neighbours of $\alpha$ in $m$ (the components that can be reached from $\alpha$ without going outside encryptions; usually we consider only neighbours that are identities of agents). Accordingly, $F_{DEKAN}(N_b, \{S, N_b\}_{k_{ab}})$ calculates the security level of $N_b$ in the message $\{S, N_b\}_{k_{ab}}$, and it depends on both the security level of $k_{ab}$ and $S$. For example, if the security level of $k_{ab}$ is $\{A, B\}$ (meaning that it is a shared secret between $A$ and $B$), then we can fix it as follows:
$$F_{DEKAN}(N_b, \{S, N_b\}_{k_{ab}}) = \{A, B, S\}$$
However, neither the DEK function nor the DEKAN function allows one to prove the secrecy property of key-agreement protocols (protocols that allow principals to agree on fresh keys) such as the SSL/TLS protocol. This restriction is due, basically, to the fact that fresh keys are considered by the proposed interpretation functions as initially unknown keys that have unknown security levels, so there is no way to verify whether they can encrypt secret information and, more generally, whether these unknown messages affect the security level of other messages.
Since the interpretation functions-based method is not dedicated only to the DEK and DEKAN functions, we refine in this paper these interpretation functions in order to analyze key-agreement protocols. More precisely, we propose a new way to assign the security levels of unknown keys and, more generally, of unknown messages, and to determine when the unknown messages affect the security level of other messages.
4.1 Security Levels of Unknown Messages
Most formal methods dedicated to the analysis of cryptographic protocols in the literature (Abadi, 1999; Bugliesi et al., 2004; Debbabi et al., 2001; Gordon and Jeffrey, 2004; Schneider, 1992; Fabrega et al., 1999) consider messages that are not initially known by principals as message variables in the protocol specification. For instance, in the Spi-calculus model (Abadi, 1999), the CSP model (Schneider, 1992) and the strand spaces model (Fabrega et al., 1999), these message variables are denoted by $x$, $y$, $z$, ....
However, these methods differ from each other in how they consider the security levels of these message variables. In fact, the first works in formal methods, such as the CSP-based method (Schneider, 1992), considered only two levels of security, 0 and 1 (or secret and public). However, this kind of security level does not allow one to formalize the fact that principals cannot authenticate these messages and could receive either secret or public messages. To deal with this problem, Abadi introduced in (Abadi, 1999) a new security level for unknown messages that he called any.
In the interpretation functions-based method, the authors proposed to generalize these concepts by introducing the concept of a security lattice that could be $\{0, 1\}$, $\{secret, public, any\}$ or $2^{\mathcal{I}} \cup \mathcal{X}$ ($\mathcal{I}$ is the set of principal identities and $\mathcal{X}$ represents the set of variable security levels). This last set (basically $2^{\mathcal{I}}$) aims to attribute to a message, as its security level, the set of principals that are eligible to know it. For instance, if $\alpha$ has security level $\{A, B, S\}$, then that means that $\alpha$ is for $A$, $B$ and $S$. The set of principal identities gives a precise way to represent security levels. In fact, the key $k_{ab}$ and the key $k_{as}$ are both secret, but they are designated for different principals and so they should have different security levels instead of the same one (secret). The set $2^{\mathcal{I}}$ allows one to express such a difference. In the same way, the set $\mathcal{X}$, which represents variable security levels, distinguishes between variables by giving, for example, to the variable $x$ and the variable $y$ different variable security levels $\tau_x$ and $\tau_y$.
However, neither the set $\{secret, public, any\}$ nor $2^{\mathcal{I}} \cup \mathcal{X}$ allows one to analyze key agreement protocols (protocols that allow two or more participants to agree on fresh keys to secure their future communication). Indeed, a fresh key is an unknown message in the view of some protocol principals, and these unknown messages (variables) have security level any or security levels in $\mathcal{X}$. Hence, these unknown messages (variables) cannot be used as keys to encrypt messages, since we are not sure about their security levels.
To deal with this problem, we propose in this paper to attribute to variables precise security levels (for example a security level in $\{secret, public\}$ or in $2^{\mathcal{I}}$) according to their possible values. In fact, we consider in this paper the security level of a message as the maximum of the security levels of its possible values. Formally, let $\Gamma$ be a set of substitutions that represents all possible values of the variable $x$, and let $i$ be a rank function (a function that attributes a security level to a non-variable message). The rank function, denoted in the following by $I^{i}_{\Gamma}$, that takes into account the security levels of all possible values of a variable can be defined as follows:
$$I^{i}_{\Gamma}(\alpha) = \begin{cases} i(\alpha) & \text{if } \alpha \notin \mathcal{X} \\ \bigsqcup_{\sigma \in \Gamma} I^{i}_{\Gamma}(\alpha\sigma) & \text{otherwise} \end{cases}$$
4.2 What Affects the Security Levels of Messages
In the interpretation functions-based method, a selection function $S$ selects elements at some distance, meaning that these elements could affect the security levels. For instance, suppose that an intruder could have the message $\{s, A\}_k$ and the message $\{s, x\}_k$, and that the security level of $s$ depends on the encryption key $k$ and the identity $A$. In this case, the intruder could send the message $\{s, x\}_k$ instead of the message $\{s, A\}_k$ if he could substitute the variable $x$ by his principal identity, for example. Hence, the unknown message $x$ in this case could affect the security of $s$.
Now, an intruder could have the message $\{s\}_x$ and the message $\{z\}_y$. It is obvious that the message $\{s\}_x$ could be sent instead of the message $\{z\}_y$, and this could lower the security level of $s$. Indeed, if for example the security level of $z$ is public and the security level of $s$ is secret, then if the intruder replaces the message $\{z\}_k$ by $\{s\}_k$, the receiver will think that $s$ has security level public, since it instantiates the unknown message $z$, and so he could send $s$ in the clear, which would be a breach of secrecy. Therefore, the unknown message $y$ here could affect the security of $s$.
To sum up, the selection function $S$ should select only the unknown messages that could affect the security levels of messages. The unknown messages that could affect the security level are those which, when instantiated by some values, are selected by the selection function. Formally, let $s$ be a selection function and $\Gamma$ a set of possible substitutions (a set of possible values) of unknown messages. Then the selection function that selects the unknown messages which affect the security levels of messages, denoted by $S^{s}_{\Gamma}$, can be defined as follows:
$$S^{s}_{\Gamma}(\alpha, m) = (s(\alpha, m) \setminus \mathcal{X}) \cup \{x_i \in Dom(\Gamma) \cap \mathcal{X} \mid \exists \sigma \in \Gamma,\ \beta \in \{\alpha\} \cup (s(\alpha, m\sigma) \setminus \mathcal{X}) \cdot \beta \in \{x_i\sigma\}_{\mathcal{C}}\}$$
4.3 Safe Interpretation Functions to Analyze Key-agreement Protocols
In the following, we prove that by selecting only the unknown messages that affect the security levels of messages, and by assigning to those unknown messages the maximum of the security levels of their possible values, we can construct safe interpretation functions that can be used to analyze the security of key-agreement protocols such as SSL/TLS. In fact, let $s$ be a selection function, $i$ be a rank function and $\Gamma$ be a set of substitutions. Suppose that the rank function $I^{i}_{\Gamma}$ and the selection function $S^{s}_{\Gamma}$ are those defined respectively in 4.1 and in 4.2. Let us define the interpretation functions that have the following form:
$$F_{\Gamma}(\alpha, m) = I^{i}_{\Gamma} \circ S^{s}_{\Gamma}(\alpha, m)$$
Now, we denote by $DEK_{\Gamma}$ the interpretation function that gives to a message a security level according to its encryption keys. Formally:
Definition 1. Let $\mathcal{C} = \langle \mathcal{M}, \models, \mathcal{K}, \mathcal{L}, \ulcorner \cdot \urcorner \rangle$ be a context of verification, $s_k$ be a selection function that selects the direct encryption keys, and $i_k$ be a rank function that gives to an atomic message a security level as follows: $i_k(\alpha) = \ulcorner \alpha^{-1} \urcorner$. We define the $DEK_{\Gamma}$ function as follows:
$$DEK_{\Gamma} = I^{i_k}_{\Gamma} \circ S^{s_k}_{\Gamma}$$
Recall that $I^{i_k}_{\Gamma}$ gives to keys their exact security level according to their possible values given by $\Gamma$. The selection function $S^{s_k}_{\Gamma}$ selects only keys and the unknown keys that could affect the security level of messages.
Example 1. Let $\mathcal{C} = \langle \mathcal{M}, \models, \mathcal{K}, \mathcal{L}, \ulcorner \cdot \urcorner \rangle$ be a context of verification and $\Gamma = \{[x \mapsto k_a^{-1}], [x \mapsto k_{ab}]\}$. Then, the security level of $\alpha$ in the message $\{S, \{\alpha, A, B, N_a\}_{k_{as}}\}_{k_{ab}}$ according to $\Gamma$ is as follows:
$$\begin{aligned}
DEK_{\Gamma}(\alpha, \{S, \{\alpha, A, B, N_a\}_{k_{as}}\}_{k_{ab}}) &= I^{k}_{\Gamma} \circ S^{k}(\alpha, \{S, \{\alpha, A, B, N_a\}_{k_{as}}\}_{k_{ab}}) \\
&= I^{k}_{\Gamma}(k_{as}) \\
&= \ulcorner k_{as} \urcorner = \{A, S\}
\end{aligned}$$
The security level of $\alpha$ in the message $\{\alpha, A, B, N_a\}_{x}$ according to $\Gamma$ is as follows:
$$\begin{aligned}
DEK_{\Gamma}(\alpha, \{\alpha, A, B, N_a\}_{x}) &= I^{k}_{\Gamma} \circ S^{k}(\alpha, \{\alpha, A, B, N_a\}_{x}) \\
&= I^{k}_{\Gamma}(x) \\
&= \ulcorner k_{ab} \urcorner \sqcup \ulcorner k_{a} \urcorner \\
&= \{A, B\} \sqcup \mathcal{I} = \mathcal{I}
\end{aligned}$$
The interpretation function $DEK_{\Gamma}$ is safe (it cannot be misled by intruder manipulations). Indeed, the security level of a message depends on its direct encryption key, and so the message can be known only by the agents who know the encryption keys. Formally, we have:
Theorem 1. Let $\mathcal{C}$ be a context of verification and $\Gamma$ be a set of substitutions. $DEK_{\Gamma}$ is a $\mathcal{C}$-safe interpretation function.
Proof. As proved in (Houmani and Mejri, 2008a; Houmani and Mejri, 2008b), any interpretation function that is a composition of a selection function and a rank function, in which the selection function selects at least the direct encryption keys and the rank function attributes to these keys the default security levels of their inverse keys, is a safe interpretation function. The function $DEK_{\Gamma}$ respects these conditions and so it is safe.
Now, let us define $DIN_{\Gamma}$ as an interpretation function that attributes to a message a security level according to the principal identities that are neighbours of this message. Formally:
Definition 2. Let $s_n$ be a selection function that selects the direct identity neighbours and $i_n$ be a rank function that gives a security level to an atomic message as follows: $i_n(A) = \{A\}$ if $A \in \mathcal{I}$ and $i_n(\alpha) = \ulcorner \alpha \urcorner$ otherwise. The interpretation function $DIN_{\Gamma}$ can be defined as follows:
$$DIN_{\Gamma} = I^{i_n}_{\Gamma} \circ S^{s_n}_{\Gamma}$$
The interpretation function $DIN_{\Gamma}$ is not safe, since it does not take into account whether a message is encrypted or not and what its encryption keys are. Hence, there is no way to ensure the confidentiality of the messages or to know who can know them. Nevertheless, we can combine it with the interpretation function $DEK_{\Gamma}$ to obtain a safe one. Formally:
Definition 3. Let $\mathcal{C}$ be a context of verification, $\Gamma$ be a set of substitutions and $DINEK_{\Gamma}$ be the interpretation function defined as follows:
$$DINEK_{\Gamma} = DIN_{\Gamma} \sqcup DEK_{\Gamma}$$
The interpretation function $DINEK_{\Gamma}$ attributes to a message a security level according to its direct encryption keys and its direct identity neighbours. The following example shows how this function works.
Example 2. In this example, let $\mathcal{C} = \langle \mathcal{M}, \models, \mathcal{K}, \mathcal{L}, \ulcorner \cdot \urcorner \rangle$ be a context of verification, $\Gamma_1 = \{[x \mapsto N_b], [y \mapsto IdSession]\}$ and $\Gamma_2 = \{[x \mapsto N_b], [x \mapsto I], [y \mapsto IdSession]\}$. Then, the security level of $\alpha$ in the message $\{S, y, \{\alpha, A, B, N_a, x\}_{k_{as}}\}_{k_{ab}}$ according to $\Gamma_1$ is as follows:
$$DINEK_{\Gamma_1}(\alpha, \{S, y, \{\alpha, A, B, N_a, x\}_{k_{as}}\}_{k_{ab}}) = \{A, B, S\}$$
Indeed, we have:
$$\begin{aligned}
DIN_{\Gamma_1}(\alpha, \{S, y, \{\alpha, A, B, N_a, x\}_{k_{as}}\}_{k_{ab}}) &= I^{i_n}_{\Gamma_1} \circ S^{n}(\alpha, \{S, y, \{\alpha, A, B, N_a, x\}_{k_{as}}\}_{k_{ab}}) \\
&= I^{i_n}_{\Gamma_1}(A, B) \\
&= i_n(A) \sqcup i_n(B) \\
&= \{A\} \sqcup \{B\} \\
&= \{A, B\}
\end{aligned}$$
and we have:
$$\begin{aligned}
DEK_{\Gamma_1}(\alpha, \{S, y, \{\alpha, A, B, N_a, x\}_{k_{as}}\}_{k_{ab}}) &= I^{k}_{\Gamma_1} \circ S^{k}(\alpha, \{S, y, \{\alpha, A, B, N_a, x\}_{k_{as}}\}_{k_{ab}}) \\
&= I^{k}_{\Gamma_1}(k_{as}) \\
&= \{A, S\}
\end{aligned}$$
The security level of $\alpha$ in the message $\{S, y, \{\alpha, A, B, N_a, x\}_{k_{as}}\}_{k_{ab}}$ according to $\Gamma_2$ is as follows:
$$DINEK_{\Gamma_2}(\alpha, \{S, y, \{\alpha, A, B, N_a, x\}_{k_{as}}\}_{k_{ab}}) = \{A, B, S, I\}$$
Indeed, we have:
$$\begin{aligned}
DIN_{\Gamma_2}(\alpha, \{S, y, \{\alpha, A, B, N_a, x\}_{k_{as}}\}_{k_{ab}}) &= I^{i_n}_{\Gamma_2} \circ S^{n}(\alpha, \{S, y, \{\alpha, A, B, N_a, x\}_{k_{as}}\}_{k_{ab}}) \\
&= I^{i_n}_{\Gamma_2}(A, B, x) \\
&= i_n(A) \sqcup i_n(B) \sqcup i_n(x[x \mapsto N_b]) \sqcup i_n(x[x \mapsto I]) \\
&= \{A\} \sqcup \{B\} \sqcup \emptyset \sqcup \{I\} \\
&= \{A, B, I\}
\end{aligned}$$
and we have:
$$\begin{aligned}
DEK_{\Gamma_2}(\alpha, \{S, y, \{\alpha, A, B, N_a, x\}_{k_{as}}\}_{k_{ab}}) &= I^{k}_{\Gamma_2} \circ S^{k}(\alpha, \{S, y, \{\alpha, A, B, N_a, x\}_{k_{as}}\}_{k_{ab}}) \\
&= I^{k}_{\Gamma_2}(k_{as}) \\
&= \ulcorner k_{as} \urcorner = \{A, S\}
\end{aligned}$$
Notice that we can use the interpretation function $DINEK_{\Gamma}$ with other security lattices like $\{0, 1\}$, $\{secret, public\}$ and $\{secret, any, public\}$. Recall that the function $DINEK_{\Gamma}$ is a safe interpretation function (lemma 2). In the following theorem we prove that $DINEK_{\Gamma}$ is safe.
Theorem 2. Let $\mathcal{C}$ be a context of verification and $\Gamma$ be a set of substitutions. Then the interpretation function $DINEK_{\Gamma}$ is $\mathcal{C}$-safe.
Proof. As proved in (Houmani and Mejri, 2008a; Houmani and Mejri, 2008b), any interpretation function that is a composition of a selection function and a rank function, in which the selection function selects at least the direct encryption keys and the rank function attributes to these keys the default security levels of their inverse keys, is a safe interpretation function. The function $DINEK_{\Gamma}$ respects these conditions and so it is safe.
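As an added, executable illustration of Examples 1 and 2 (this is my code, not the paper's and not an implementation by its authors), the following Python models the message algebra, the selection functions $s_k$ and $s_n$, the rank function $I^{i}_{\Gamma}$ over a set of substitutions $\Gamma$, and computes $DEK_\Gamma$, $DIN_\Gamma$ and $DINEK_\Gamma$, reproducing the levels stated in both examples. Everything not in the paper is an assumption: the context of verification is reduced to three tables (identities, default levels $\ulcorner\cdot\urcorner$, key inverses), the closure $\{x_i\sigma\}_{\mathcal{C}}$ in $S^{s}_{\Gamma}$ is approximated by plain membership of $x_i\sigma$ in $s(\alpha, m\sigma)$, atoms absent from the context (such as $N_b$ and $IdSession$) get the bottom level $\emptyset$, the lattice join $\sqcup$ on $2^{\mathcal{I}}$ is set union, and the key pair $k_a / k_a^{-1}$ is constructed for Example 1.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple, Union

# Message algebra (my representation, not the paper's): atoms (identities, nonces,
# keys), variables (unknown messages) and encryptions {m_1, ..., m_n}_key.
@dataclass(frozen=True)
class Atom:
    name: str
@dataclass(frozen=True)
class Var:
    name: str
@dataclass(frozen=True)
class Enc:
    body: Tuple["Term", ...]
    key: "Term"
Term = Union[Atom, Var, Enc]
Subst = Dict[Var, Term]          # one substitution [x -> v, ...]
Level = FrozenSet[str]           # security level in 2^I: identities eligible to know

@dataclass
class Context:                   # the parts of a context of verification used here
    identities: FrozenSet[str]   # the set I of principal identities
    levels: Dict[Atom, Level]    # default security levels ⌜·⌝ of atoms
    inverse: Dict[Atom, Atom]    # k -> k^{-1}; a symmetric key is its own inverse
    def default(self, a: Term) -> Level:
        # Assumption: an atom absent from the context gets the bottom level ∅ (this
        # is what yields i_n(N_b) = ∅ in the paper's Example 2).
        return self.levels.get(a, frozenset())
    def i_k(self, k: Term) -> Level:      # rank of a key: level of its inverse key
        return self.default(self.inverse.get(k, k))
    def i_n(self, a: Term) -> Level:      # rank of a neighbour: {A} for an identity A
        if isinstance(a, Atom) and a.name in self.identities:
            return frozenset([a.name])
        return self.default(a)

def apply(t: Term, sigma: Subst) -> Term:
    if isinstance(t, Var):
        return sigma.get(t, t)
    if isinstance(t, Enc):
        return Enc(tuple(apply(b, sigma) for b in t.body), apply(t.key, sigma))
    return t

def s_k(alpha: Term, m: Term) -> List[Term]:   # direct encryption keys of alpha in m
    if not isinstance(m, Enc):
        return []
    keys = [m.key] if alpha in m.body else []
    return keys + [k for b in m.body for k in s_k(alpha, b)]

def s_n(ctx: Context, alpha: Term, m: Term) -> List[Term]:   # direct identity neighbours
    if not isinstance(m, Enc):
        return []
    here = [b for b in m.body if alpha in m.body and b != alpha
            and isinstance(b, Atom) and b.name in ctx.identities]
    return here + [n for b in m.body for n in s_n(ctx, alpha, b)]

def select_gamma(s, alpha: Term, m: Term, gamma: List[Subst]) -> List[Term]:
    """S^s_Gamma: what s selects in m (variables dropped), plus each x in Dom(Gamma) whose
    value x·sigma under some sigma in Gamma is selected by s in m·sigma (assumption: plain
    membership stands in for the paper's closure {x·sigma}_C)."""
    chosen = [t for t in s(alpha, m) if not isinstance(t, Var)]
    for x in sorted({v for sg in gamma for v in sg}, key=lambda v: v.name):
        if any(x in sg and apply(x, sg) in s(alpha, apply(m, sg)) for sg in gamma):
            chosen.append(x)
    return chosen

def interp(i, gamma: List[Subst], t: Term) -> Level:
    """I^i_Gamma: i(t) for a non-variable; for a variable, the join (union) of the ranks
    of all its possible values under Gamma, i.e. the least secure estimate."""
    if not isinstance(t, Var):
        return i(t)
    return frozenset().union(*(interp(i, gamma, apply(t, sg)) for sg in gamma if t in sg))

def dek(ctx: Context, gamma: List[Subst], alpha: Term, m: Term) -> Level:
    keys = select_gamma(s_k, alpha, m, gamma)
    if not keys:                 # alpha is not encrypted at all: public (rank 1 in Section 3)
        return frozenset(ctx.identities)
    return frozenset().union(*(interp(ctx.i_k, gamma, k) for k in keys))
def din(ctx: Context, gamma: List[Subst], alpha: Term, m: Term) -> Level:
    nbrs = select_gamma(lambda a, mm: s_n(ctx, a, mm), alpha, m, gamma)
    return frozenset().union(*(interp(ctx.i_n, gamma, n) for n in nbrs))
def dinek(ctx: Context, gamma: List[Subst], alpha: Term, m: Term) -> Level:
    return din(ctx, gamma, alpha, m) | dek(ctx, gamma, alpha, m)   # DIN join DEK

# Constructed context: identities A, B, S and the intruder I. The levels of k_ab and
# k_as are those stated in the paper's examples; the key pair k_a / k_a^-1 is assumed.
A, B, S, I_ = Atom("A"), Atom("B"), Atom("S"), Atom("I")
k_ab, k_as, k_a, k_a_inv = Atom("k_ab"), Atom("k_as"), Atom("k_a"), Atom("k_a^-1")
N_a, N_b, alpha, ids = Atom("N_a"), Atom("N_b"), Atom("alpha"), Atom("IdSession")
x, y = Var("x"), Var("y")
CTX = Context(identities=frozenset({"A", "B", "S", "I"}),
              levels={k_ab: frozenset({"A", "B"}), k_as: frozenset({"A", "S"}),
                      k_a: frozenset({"A", "B", "S", "I"}), k_a_inv: frozenset({"A"})},
              inverse={k_ab: k_ab, k_as: k_as, k_a: k_a_inv, k_a_inv: k_a})

def example_1():   # Example 1: DEK_Gamma with Gamma = {[x -> k_a^-1], [x -> k_ab]}
    gamma = [{x: k_a_inv}, {x: k_ab}]
    m1 = Enc((S, Enc((alpha, A, B, N_a), k_as)), k_ab)
    m2 = Enc((alpha, A, B, N_a), x)
    return dek(CTX, gamma, alpha, m1), dek(CTX, gamma, alpha, m2)   # ({A,S}, I)

def example_2():   # Example 2: DINEK under Gamma_1 and Gamma_2
    m = Enc((S, y, Enc((alpha, A, B, N_a, x), k_as)), k_ab)
    gamma1, gamma2 = [{x: N_b}, {y: ids}], [{x: N_b}, {x: I_}, {y: ids}]
    return {"Gamma1": dinek(CTX, gamma1, alpha, m),   # {A, B, S}
            "Gamma2": dinek(CTX, gamma2, alpha, m)}   # {A, B, S, I}
```

The point the code makes concrete is the "safe" direction of the estimate: a variable key whose possible values include a public key is ranked public (the join with $\mathcal{I}$), and adding the intruder identity as a possible neighbour under $\Gamma_2$ enlarges the set of principals assumed able to learn $\alpha$; the estimate never becomes more secret than any instance would justify.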
4.4 Bounded Verification for Unbounded Executions
We have defined safe interpretation functions by using the set $\Gamma$ of possible substitutions of variables, which represents the set of possible values that could be taken by variables in the set of all possible protocol executions. However, the set of possible executions of a protocol is infinite, and hence the set $\Gamma$ is also infinite. This fact could make the verification process infinite and so impossible. To deal with this problem, we prove hereafter that the set $\Gamma$ can be reduced to a finite one. In fact, we can reduce the set of all possible values of protocol variables to $\Gamma_{\mathcal{C}}(p)$, the set of the most general unifiers (mgu) that unify the messages that could be inferred by the intruder from the protocol specification. Formally, let $\mathcal{C}$ be a context of verification, $p$ be a protocol, $\mathcal{M}(p)$ be the set of messages that are in the specification of the protocol, and $\mathcal{M}(p)_{\mathcal{C}}$¹ be the normal form obtained by applying the intruder rules and capacities defined in $\mathcal{C}$ to the set $\mathcal{M}(p)$. We define $\Gamma_{\mathcal{C}}(p)$ as follows:
$$\Gamma_{\mathcal{C}}(p) = \{\sigma \in \Gamma \mid \exists m_1, m_2 \in (\mathcal{M}(p))_{\mathcal{C}} \cdot \sigma = mgu(m_1, m_2)\}$$
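The following added Python (my code, not the paper's) shows how a set of the form $\Gamma_{\mathcal{C}}(p)$ is obtained as most general unifiers of pairs of messages. It implements syntactic (Robinson) unification with an occurs check over a small term representation of my own (a string starting with `?` is a variable, any other string is an atom, and a tagged tuple is an encryption) and applies it to a constructed four-message specification in the spirit of Section 4.2. The intruder closure $\mathcal{M}(p)_{\mathcal{C}}$ is not modelled: `gamma_c` unifies the specification messages themselves, so what it computes is a subset of $\Gamma_{\mathcal{C}}(p)$.

```python
from itertools import combinations
from typing import Dict, List, Optional, Union

# Term representation (mine): "?x" is a variable, "k" is an atom, and
# ("enc", (m_1, ..., m_n), k) is the encryption {m_1, ..., m_n}_k.
Term = Union[str, tuple]
Subst = Dict[str, Term]

def is_var(t: Term) -> bool:
    return isinstance(t, str) and t.startswith("?")

def walk(t: Term, sigma: Subst) -> Term:
    """Follow variable bindings in sigma until t is an atom, an encryption or unbound."""
    while is_var(t) and t in sigma:
        t = sigma[t]
    return t

def occurs(v: str, t: Term, sigma: Subst) -> bool:
    t = walk(t, sigma)
    if isinstance(t, tuple):
        return occurs(v, t[2], sigma) or any(occurs(v, b, sigma) for b in t[1])
    return t == v

def unify(a: Term, b: Term, sigma: Optional[Subst] = None) -> Optional[Subst]:
    """Robinson unification: the mgu of a and b (extending sigma), or None if none exists."""
    sigma = dict(sigma or {})
    a, b = walk(a, sigma), walk(b, sigma)
    if a == b:
        return sigma
    if is_var(a) or is_var(b):
        v, t = (a, b) if is_var(a) else (b, a)
        if occurs(v, t, sigma):            # occurs check: x = {x}_k has no finite solution
            return None
        sigma[v] = t
        return sigma
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a[1]) == len(b[1]):
        for p, q in zip((a[2],) + a[1], (b[2],) + b[1]):   # key first, then the body
            sigma = unify(p, q, sigma)
            if sigma is None:
                return None
        return sigma
    return None                            # distinct atoms, or atom versus encryption

def resolve(t: Term, sigma: Subst) -> Term:
    """Apply sigma fully, so an mgu is reported without chains of variable bindings."""
    t = walk(t, sigma)
    if isinstance(t, tuple):
        return ("enc", tuple(resolve(b, sigma) for b in t[1]), resolve(t[2], sigma))
    return t

def gamma_c(messages: List[Term]) -> List[Subst]:
    """Gamma_C(p) restricted (assumption) to the specification messages themselves: the
    mgu of every unifiable pair. The paper unifies the closure M(p)_C under the intruder
    rules, which is not modelled here; the result is therefore a subset of Gamma_C(p)."""
    out: List[Subst] = []
    for m1, m2 in combinations(messages, 2):
        sigma = unify(m1, m2)
        if sigma:                          # skip non-unifiable pairs and the empty mgu
            mgu = {v: resolve(t, sigma) for v, t in sigma.items()}
            if mgu not in out:
                out.append(mgu)
    return out

# Constructed role-based specification in the spirit of Section 4.2; ?x, ?y and ?z are
# the unknown messages an intruder may instantiate.
PROTO: List[Term] = [("enc", ("alpha", "?x"), "k"),
                     ("enc", ("alpha", "s"), "k"),
                     ("enc", ("s",), "?x"),
                     ("enc", ("?z",), "?y")]

if __name__ == "__main__":
    for sigma in gamma_c(PROTO):
        print(sigma)
```

On the constructed specification the unifiers found are $[x \mapsto s]$ (from the first pair, the situation of Section 4.2 where the unknown $x$ can be instantiated by the secret $s$) and $[x \mapsto y, z \mapsto s]$ (from $\{s\}_x$ against $\{z\}_y$); encryptions with bodies of different length, and an atom against an encryption, do not unify.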
The idea behind using the set Γ
C
(p) could be sum-
marized by these tree facts:
1. Any execution of a protocol is a substitution of a roles-based specification where the received messages are deduced from the intruder capacities and the sent messages. Hence, the set of all possible protocol executions can be represented by the set of all possible substitutions of the protocol roles-based specification, including the substitutions made by an intruder in order to mislead a principal.
2. The behaviors of the honest principals when executing a protocol are the same. For instance, if the protocol has two roles $A$ and $B$, and a principal $C$ wants to execute the protocol, $C$ should play the role of $A$ or $B$, and in this case $C$ cannot do what $A$ or $B$ are not able to do. Therefore, we can reduce the set of all possible honest executions to the set of one execution of the protocol. Notice that an execution of a protocol in the model considered here is a substitution of the roles-based specification. The set of all possible substitutions that represents the set of all possible executions conducted by honest principals can thus be reduced to the substitutions that unify the roles-based specification.
3. A dishonest principal (an intruder) could perform an attack and execute a protocol in our model if he could deduce all its sent messages from the received ones. Hence, the set of all its possible executions can be represented by the set denoted by $(\mathcal{M}(p))_{\mathcal{C}}$, which represents the set of all substitutions that could be obtained by unifying the messages deduced from the protocol messages and its capacities. Also, suppose that an intruder receives the message $\{\alpha, s\}_k$ and he is able to know $s$ by using his capacities, and suppose that this message is the instantiation of the message $\{\alpha, x\}_k$ in the protocol roles-based specification; then the intruder will also be able to deduce $x$ from the roles-based specification and its capacities. Therefore, the set of the substitutions of possible attacks can be reduced to the set of substitutions obtained by unifying messages that could be inferred from the exchanged messages and the intruder capacities.
Footnote 1: The set of messages that could be inferred by an intruder is finite when orienting the equational theory from left to right and bounding the number of functions that construct the messages. In this paper, we do not deal with non-convergent equational theories, which could be the subject of future work.
SECRYPT 2012 - International Conference on Security and Cryptography
To sum up, the set of all possible executions of a protocol can be reduced to the set of substitutions obtained by unifying messages that could be inferred from the exchanged messages in the roles-based specification and the intruder capacities. Hence, we prove hereafter that the set $\Gamma_{\mathcal{C}}(p)$ is sufficient to analyze the secrecy property of the protocol $p$.
Theorem 3. Let $\mathcal{C}$ be a context of verification, $p$ be a protocol, $\Gamma$ be the set of all possible substitutions that represents the values of variables in all possible executions of the protocol $p$, and $F_\Gamma$ be a safe interpretation function. Then $p$ is $F_\Gamma$-increasing if and only if $p$ is $F_{\Gamma_{\mathcal{C}}(p)}$-increasing.
Proof. The detailed proof is omitted due to the page limit, but in the following we present a sketch of it. We use the set $\mathcal{M}(p)$ (the set of all messages exchanged in the protocol specification) because a valid trace of a protocol is an interleaving of substitutions of prefixes of the protocol specification where the sent messages could be inferred by the intruder. Therefore, we need to know what messages could be inferred from the protocol and the intruder capacities. More precisely, we need to know what messages could be used to replace other messages by using the protocol and the intruder capacities. Hence, we search for messages that are in the set $(\mathcal{M}(p))_{\mathcal{C}}$, which represents the set of all messages that could be obtained by the intruder by listening to the network and by applying his capacities to deduce new messages. Also, any substitution $\sigma$ of the roles-based specification can be written as a composition of two substitutions $\sigma_1$ and $\sigma_2$ (i.e. $\sigma = \sigma_1 \circ \sigma_2$), where $\sigma_2$ is in $\Gamma_{\mathcal{C}}(p)$ and $\sigma_1$ is a substitution that renames identities. Hence, the intruder could perform any attack by considering only the number of protocol participants in the description of that protocol.
For the sake of simplicity, we will denote, in the remainder of this paper, $F_p$, $S_p$ and $I_p$ instead of $F_{\Gamma_{\mathcal{C}}(p)}$, $S_{\Gamma_{\mathcal{C}}(p)}$ and $I_{\Gamma_{\mathcal{C}}(p)}$ respectively.
Accordingly, the secrecy property of a protocol $p$ is guaranteed when the protocol is increasing according to a safe interpretation function and the set $\Gamma_{\mathcal{C}}(p)$. Hence, to analyze the secrecy property of a protocol by using the interpretation functions-based method, we have to compute first the set $\Gamma_{\mathcal{C}}(p)$, and after that we can define an interpretation function that will use the set $\Gamma_{\mathcal{C}}(p)$ to calculate the security levels of the sent and received messages of the protocol, in order to verify whether the protocol is increasing. For instance, in the case of the SSL/TLS protocol, suppose that the set $\Gamma_{\mathcal{C}_{TLS}}(p_{TLS})$ (or simply $\Gamma_{TLS}$) is defined as follows:
$\Gamma_{TLS} = \{[X_1 \mapsto N_s,\ X_2 \mapsto Ver_s,\ Y_1 \mapsto N_c,\ Y_2 \mapsto Ver_c,\ Y_3 \mapsto IdSession^i,\ Y_4 \mapsto Secret_c]\}$
Then, the security level of $\alpha$ in the message $\{\alpha, X_1, B\}_{k_{as}}$ according to the function DINEK and the set $\Gamma_{TLS}$ is as follows:
$\mathrm{DINEK}_{TLS}(\alpha, \{\alpha, X_1, B\}_{k_{as}}) = i_n(B) \sqcup i_n(X_1[X_1 \mapsto N_s]) \sqcup i_k(k_{as}) = \{B\} \sqcup \emptyset \sqcup \{A, S\} = \{A, B, S\}$
Hence, only $A$, $B$ and $S$ are eligible to know $\alpha$ in this case. For the sake of simplicity, we will use $F_{TLS}$ instead of $\mathrm{DINEK}_{TLS}$.
5 ANALYSIS OF THE SSL/TLS HANDSHAKE PROTOCOL
In this section we analyze the SSL/TLS handshake protocol. To that end we first need to define, as shown by Figure ??, the context of verification. Second, we model the SSL/TLS handshake protocol as a roles-based specification. Finally, we prove that the roles-based specification of the SSL/TLS handshake protocol is increasing according to the DINEK function and the Dolev and Yao intruder model (we suppose the perfect encryption hypothesis), and so the secrecy property of the SSL/TLS handshake protocol is guaranteed.
Context of Verification. A context of verification in the interpretation function method is basically the class of protocols that could be defined by the message algebra and the set of intruder capacities. Let $\mathcal{C}_{TLS}$ be the context of verification that we will consider for the analysis of the SSL/TLS handshake protocol. The message algebra, in this example, is given by the set of names $\mathcal{N}_{TLS}$ and the set $\Sigma_{TLS}$. The set of intruder capacities is the set of intruder rules denoted by $\models_{TLS}$ and the equational theory denoted by $E_{TLS}$. In addition, we consider that the context of verification contains the security lattice $\mathcal{L}_{TLS}$, the initial knowledge of principals $\mathcal{K}_{TLS}$ and the security levels of messages given in the description of the protocol and described by $\ulcorner \cdot \urcorner_{TLS}$. The security lattice describes the space of security levels. The initial knowledge of principals is what the principals know before executing the protocol. The security levels of the atomic messages involved in the protocol form an environment that attributes to each message its security level.
In this example, the set of names $\mathcal{N}_{TLS}$ could be the set of atomic messages given by the following BNF grammar:
  n ::= A            (Principal Identifier)
      | IdSession    (Session Identifier)
      | Ver_a        (Protocol Version)
      | Secret_c     (Secret)
      | N_a          (Nonce)
      | k_a^{-1}     (Private key)
      | k_a          (Public key)
      | k_ab         (Shared key)
and $\Sigma_{TLS} = \{pair, fst, snd, enc, dec, sign, check, H, g_1, g_2, g_3\}$.
As usual, we can write $\{m\}_k$ instead of $enc(m, k)$ or $sign(m, k)$. Also, we can write $m_1, m_2$ instead of $pair(m_1, m_2)$.
Hence, the set of messages $\mathcal{M}_{TLS}$ is defined by the following BNF rules:
  m ::= n
      | pair(m_1, m_2)      (Pair Function)
      | g_i(m)              (Compression Function)
      | H(m)                (Hash Function)
      | enc(m, k)           (Encryption Function)
      | dec(m, k)           (Decryption Function)
      | sign(m, k_a^{-1})   (Signature Function)
      | check(m, k_a)       (Checking Signature)
In this paper, we consider a hashed message as a message that is encrypted by a public key $K_h$ whose inverse no one could know. This assumption is used to say that anyone could hash a message and no one could learn anything about the original message from the hashed message.
The intruder rules $\models_{TLS}$ are given below, after the equational theory. The equational theory $E_{TLS}$ contains the following equations:
  fst(pair(x, y)) = x
  snd(pair(x, y)) = y
  dec(enc(x, k_y), k_y^{-1}) = x
  g_i(g_i(x)) = x                     for i ∈ {1, 2, 3}
  check(sign(x, k_y^{-1}), k_y) = ok
Let $\models_{TLS}$ denote the following rules of intruder:
(knowledge)   $\dfrac{}{M \models_{0} m}\ [m \in M]$
(construct)   $\dfrac{M \models_{TLS} m_1 \;\cdots\; M \models_{TLS} m_n}{M \models_{TLS} f(m_1, \dots, m_n)}\ [f \in \Sigma_0]$
(E-equality)  $\dfrac{M \models_{TLS} m}{M \models_{TLS} m'}\ [m =_{E_0} m']$
Therefore, when an intruder could deduce a message $m$ from a set of messages $M$, we denote it by $M \models_E m$. The intruder model $\models_{TLS}$ and the equational theory $E_{TLS}$ represent the famous Dolev and Yao model.
The initial knowledge of principals $\mathcal{K}_{TLS}$ could be as follows: each principal knows his identity, the identity of the other principals, his public and private key and all the public keys of the other principals. Also, each principal can generate fresh values.
The security lattice $\mathcal{L}_{TLS}$ is $\mathcal{L}_0 = (2^{\mathcal{I}}, \supseteq)$. In fact, the security level of a message is simply the set of principals that are eligible to know its value. Therefore, the supremum of this lattice is equal to $\emptyset$ and the infimum is equal to $\mathcal{I}$ (the set of principal identities).
The types environment $\ulcorner \cdot \urcorner_{TLS}$ could be any partial function from $\mathcal{M}_{TLS}$ to $\mathcal{L}_{TLS}$. In this example, we choose this environment as follows:
$[Secret_c \mapsto \{C, S\},\ N_c, N_s, Ver_c, Ver_s, IdSession \mapsto \bot,\ K_c, K_s \mapsto \bot,\ k_s^{-1} \mapsto \{S\},\ k_c^{-1} \mapsto \{C\}]$
5.1 SSL/TLS Roles-based Specification
Recall that the roles-based specification is the set of the prefixes of generalized roles. A generalized role is a protocol abstraction where the emphasis is put upon a particular principal and where all the unknown messages are replaced by variables. Also, an exponent $i$ (the session identifier) is added to each fresh message to emphasize that these components change their values from one run to another. For more details on how we can compute a roles-based specification from a protocol and a context of verification, we refer the reader to (Houmani and Mejri, 2008a; Houmani and Mejri, 2008b). Also, any other specification could be used to conduct this proof, such as strand spaces (Fabrega et al., 1999), CSP (Schneider, 1996) or the Pi-calculus (Abadi, 1999).
The SSL/TLS roles-based specification is:
$R^G(p_{TLS}) = \{C^1_G, C^2_G, C^3_G, S^1_G, S^2_G, S^3_G\}$
The generalized roles $C^1_G$, $C^2_G$ and $C^3_G$ are as follows:
$C^1_G$ =
  i.1. C → I(S) : $m^1_C$
$C^2_G$ =
  i.1. C → I(S) : $m^1_C$
  i.2. I(S) → C : $m^2_C$
  i.3. C → I(S) : $m^3_C$
$C^3_G$ =
  i.1. C → I(S) : $m^1_C$
  i.2. I(S) → C : $m^2_C$
  i.3. C → I(S) : $m^3_C$
  i.4. I(S) → C : $m^4_C$
  i.5. C → I(S) : $m^5_C$
where
$m^1_C = C, N_c, Ver_c, IdSession^i$
$m^2_C = S, X_1, X_2, IdSession^i, CA(S, K_s)$
$m^3_C = IdSession^i, \{Ver_c, Secret_c, C, S\}_{K_s}, CA(C, K_c), \{H(g_1(m^1_C, m^2_C, Secret_c, C, S))\}_{K_c^{-1}}$
$m^4_C = \{H(g_2(m^1_C, m^2_C, m^3_C, Secret_c, C, S))\}_{K_{cs}}$
$m^5_C = \{H(g_3(m^1_C, m^2_C, m^3_C, m^4_C, Secret_c, C, S))\}_{K_{cs}}$
$K_{cs} = Master(Secret_c, N_c, X_1)$
The generalized roles $S^1_G$, $S^2_G$ and $S^3_G$ are as follows:
$S^1_G$ =
  i.1. I(C) → S : $m^1_S$
  i.2. S → I(C) : $m^2_S$
$S^2_G$ =
  i.1. I(C) → S : $m^1_S$
  i.2. S → I(C) : $m^2_S$
  i.3. I(C) → S : $m^3_S$
  i.4. S → I(C) : $m^4_S$
$S^3_G$ =
  i.1. I(C) → S : $m^1_S$
  i.2. S → I(C) : $m^2_S$
  i.3. I(C) → S : $m^3_S$
  i.4. S → I(C) : $m^4_S$
  i.5. I(C) → S : $m^5_S$
where
$m^1_S = C, Y_1, Y_2, Y_3$
$m^2_S = S, N_s, Ver_s, Y_3, CA(S, K_s)$
$m^3_S = Y_3, \{Y_1, Y_4, C, S\}_{K_s}, CA(C, K_c), \{H(g_1(m^1_S, m^2_S, Y_4, C, S))\}_{K_c^{-1}}$
$m^4_S = \{H(g_2(m^1_S, m^2_S, m^3_S, Y_4, C, S))\}_{K_{cs}}$
$m^5_S = \{H(g_3(m^1_S, m^2_S, m^3_S, m^4_S, Y_4, C, S))\}_{K_{cs}}$
$K_{cs} = Master(Y_4, Y_1, N_s)$
To define the interpretation function that will help to verify the secrecy property of the SSL/TLS handshake protocol, we should first compute (as we have seen in Section 4) the set $\Gamma_{\mathcal{C}}(p)$. In fact, we have:
$\mathcal{M}(p) = \{m^1_C, m^2_C, m^3_C, m^4_C, m^5_C, m^1_S, m^2_S, m^3_S, m^4_S, m^5_S\}$
The set of messages that could be inferred by the intruder is as follows:
$(\mathcal{M}(p))_{\mathcal{C}} = \mathcal{M}(p) \cup \{Y_3, \{Y_1, Y_4, C, S\}_{K_s}\} \cup \{CA(C, K_c)\} \cup \{\{H(g_1(m^1_S, m^2_S, Y_4, C, S))\}_{K_c^{-1}}\} \cup \{\{IdSession^i, Ver_c, Secret_c, C, S\}_{K_s}\} \cup \{\{H(g_1(m^1_C, m^2_C, Secret_c, C, S))\}_{K_c^{-1}}\}$
Therefore, the set $\Gamma_{\mathcal{C}_{TLS}}(p_{TLS})$, or simply $\Gamma_{TLS}$, is as follows:
$\Gamma_{TLS} = \{[X_1 \mapsto N_s,\ X_2 \mapsto Ver_s,\ Y_1 \mapsto N_c,\ Y_2 \mapsto Ver_c,\ Y_3 \mapsto IdSession^i,\ Y_4 \mapsto Secret_c]\}$
Now, we are ready to choose or define a safe interpretation function. In this example, we will use the $\mathrm{DINEK}_{TLS}$ function. Recall that this function allows to assign to a message a security level according to its direct identity neighbours and its direct encryption keys. Also, recall that $\mathrm{DINEK}_{TLS}$ allows to take into account the variables that could take values as identity neighbours or encryption keys (see Section 4 for the formal definition). For the sake of simplicity, we will use in the remainder of this paper the notation $F_{TLS}$ instead of $\mathrm{DINEK}_{TLS}$.
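The following is an added example, not code from the paper: a small Python model of $\mathrm{DINEK}_{TLS}$ over the roles-based specification above, which also checks the increasing condition $F_{TLS}(\alpha, r^+) \sqsupseteq \ulcorner\alpha\urcorner \sqcap F_{TLS}(\alpha, r^-)$ that Section 5.2 verifies role by role. It assumes the tuple encoding of messages, the key names, and the union-based reading of the join used in the paper's own $\mathrm{DINEK}$ computation; the principal $D$ and the final message are constructed only to show a violation.

```python
# Added example (not the paper's code): an executable model of the DINEK
# interpretation function over the TLS roles-based specification of Section 5.
# Assumptions: compound messages are tagged tuples; a security level is the set
# of principals eligible to know a value, and levels are joined by set union as
# in the paper's computation DINEK(alpha, {alpha, X_1, B}_{k_as}) = {A, B, S};
# a message in which alpha does not occur gets the empty set, as in the tables.

def P(*ms):
    """pair(m_1, m_2, ...); nested pairs are flattened so m_1, m_2 is one tuple."""
    out = []
    for m in ms:
        out.extend(m[1:] if isinstance(m, tuple) and m[0] == "pair" else [m])
    return ("pair", *out)

def E(m, k):  return ("enc", m, k)   # {m}_k with encryption key k
def Sg(m, k): return ("sign", m, k)  # {m}_k with private signing key k
def H(m):     return ("H", m)        # hash: encryption under K_h, inverse unknown
def G(i, m):  return ("g", i, m)     # compression function g_i
def CA(a, k): return ("CA", a, k)    # certificate of a's public key, opaque here

def dinek(alpha, m, gamma, ids, key_level, key=None):
    """Level of atom alpha in m: per occurrence, the identities that are direct
    neighbours of alpha in its enclosing pair (DIN, variables instantiated by
    gamma first) joined with the default level of the inverse of the innermost
    key protecting the occurrence (DEK)."""
    if not isinstance(m, tuple):
        return set()
    tag = m[0]
    if tag == "pair":
        comps, inner = m[1:], key
    elif tag in ("enc", "sign"):
        comps, inner = (m[1],), m[2]
    elif tag == "H":
        comps, inner = (m[1],), "K_h"
    elif tag == "g":
        comps, inner = (m[2],), key
    else:                                # "CA"
        return set()
    level = set()
    if alpha in comps:
        if tag == "pair":                # DIN part
            for c in comps:
                if c != alpha and not isinstance(c, tuple) and gamma.get(c, c) in ids:
                    level.add(gamma.get(c, c))
        if inner is not None:            # DEK part
            level |= key_level[inner]
    for c in comps:
        level |= dinek(alpha, c, gamma, ids, key_level, inner)
    return level

def increasing(alpha, received, sent, env, gamma, ids, key_level):
    """F(alpha, r+) above ⌜alpha⌝ meet F(alpha, r-), read over eligibility sets:
    whoever the sent message lets in must already be allowed by alpha's declared
    level or by what the role received (received=None: nothing received)."""
    declared = env.get(gamma.get(alpha, alpha), ids)  # undeclared atoms are public
    allowed = declared | dinek(alpha, received, gamma, ids, key_level)
    return dinek(alpha, sent, gamma, ids, key_level) <= allowed

# Context C_TLS: identities (D is an extra principal used only for a negative
# case), default level of each key's inverse, types environment, and Gamma_TLS.
IDS = {"C", "S", "D"}
KEY_LEVEL = {"K_s": {"S"}, "K_c": {"C"}, "K_c^-1": IDS, "K_cs": {"C", "S"}, "K_h": set()}
ENV = {"Secret_c": {"C", "S"}, "K_s^-1": {"S"}, "K_c^-1": {"C"}}
GAMMA_TLS = {"X_1": "N_s", "X_2": "Ver_s", "Y_1": "N_c", "Y_2": "Ver_c",
             "Y_3": "IdSession", "Y_4": "Secret_c"}

# Messages of the generalized roles (Section 5.1); the session index i is left out.
M_C1 = P("C", "N_c", "Ver_c", "IdSession")
M_C2 = P("S", "X_1", "X_2", "IdSession", CA("S", "K_s"))
M_C3 = P("IdSession", E(P("Ver_c", "Secret_c", "C", "S"), "K_s"), CA("C", "K_c"),
         Sg(H(G(1, P(M_C1, M_C2, "Secret_c", "C", "S"))), "K_c^-1"))
M_S1 = P("C", "Y_1", "Y_2", "Y_3")
M_S2 = P("S", "N_s", "Ver_s", "Y_3", CA("S", "K_s"))
M_S3 = P("Y_3", E(P("Y_1", "Y_4", "C", "S"), "K_s"), CA("C", "K_c"),
         Sg(H(G(1, P(M_S1, M_S2, "Y_4", "C", "S"))), "K_c^-1"))
M_S4 = E(H(G(2, P(M_S1, M_S2, M_S3, "Y_4", "C", "S"))), "K_cs")

def level(alpha, m):
    return dinek(alpha, m, GAMMA_TLS, IDS, KEY_LEVEL)

def role_increasing(alpha, received, sent):
    return increasing(alpha, received, sent, ENV, GAMMA_TLS, IDS, KEY_LEVEL)

if __name__ == "__main__":
    for a in ("X_1", "X_2", "Secret_c"):   # role C_G^2: received m_C^2, sent m_C^3
        print(a, level(a, M_C2), level(a, M_C3), role_increasing(a, M_C2, M_C3))
    print("Y_4", level("Y_4", M_S3), level("Y_4", M_S4), role_increasing("Y_4", M_S3, M_S4))
    # Constructed violation: Secret_c sent next to an identity outside {C, S}.
    print(role_increasing("Secret_c", M_C2, P("Secret_c", "C", "D")))
```

The levels printed for $X_1$, $Secret_c$ and $Y_4$ reproduce the entries of the $C^2_G$ and $S^2_G$ tables in Section 5.2, and the last line shows the condition failing when a secret is exposed to a principal its declared level does not allow.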
5.2 Secrecy Property of the SSL/TLS Handshake Protocol
In this section, we analyze the secrecy property of the SSL/TLS handshake protocol. To that end, we verify whether the roles-based specification is increasing according to the DINEK function. Informally, we verify that principals do not decrease the security levels of messages when sending them over the network. The security levels are estimated by using the DINEK function, denoted by $F_{TLS}$, which gives a security level to $\alpha$ according to its direct identity neighbours and direct encryption keys.
From the generalized role $C^1_G$, we deduce that:
$C^{1-}_G = \emptyset$
$C^{1+}_G = (m^1_C = C, N_c, Ver_c, IdSession^i)$
In this role, the sent messages are $C$, $N_c$, $Ver_c$ and $IdSession^i$. These messages have the security level $\bot$, i.e. $\ulcorner\alpha\urcorner = \bot$ for all $\alpha \in \{C, N_c, Ver_c, IdSession^i\}$. Hence, the equation $F_{TLS}(\alpha, C^{1+}_G) \sqsupseteq \ulcorner\alpha\urcorner \sqcap F_{TLS}(\alpha, C^{1-}_G)$ will always be true for all $\alpha \in \{C, N_c, Ver_c, IdSession^i\}$, and so the role $C^1_G$ is increasing.
From the generalized role $C^2_G$, we deduce that:
$C^{2-}_G = (m^2_C = S, X_1, X_2, IdSession^i, CA(S, K_s))$
$C^{2+}_G = (m^3_C = IdSession^i, \{Ver_c, Secret_c, C, S\}_{K_s}, CA(C, K_c), \{H(g_1(m^1_C, m^2_C, Secret_c, C, S))\}_{K_c^{-1}})$
In the role $C^2_G$, the sent messages are $C$, $S$, $Ver_c$, $Secret_c$, $X_1$, $X_2$ and $IdSession^i$. The messages $C$, $S$, $Ver_c$ and $IdSession^i$ have the security level $\bot$, i.e. $\ulcorner\alpha\urcorner = \bot$ for all $\alpha \in \{C, S, Ver_c, IdSession^i\}$. Hence, the equation $F_{TLS}(\alpha, C^{2+}_G) \sqsupseteq \ulcorner\alpha\urcorner \sqcap F_{TLS}(\alpha, C^{2-}_G)$ will always be true for all $\alpha \in \{C, S, Ver_c, IdSession^i\}$.
Now, let's verify the equation for the messages $X_1$, $X_2$ and $Secret_c$. The security levels of these messages are as follows: $\ulcorner Secret_c \urcorner = \{C, S\}$ and $\ulcorner X_1 \urcorner = \ulcorner X_2 \urcorner = \bot$.
The security levels of $X_1$, $X_2$ and $Secret_c$ obtained by the function $F_{TLS}$ according to the sent and received messages in $C^2_G$ are as follows:
  α          m          DIN_TLS(α, m)   DEK_TLS(α, m)   F_TLS(α, m)
  X_1        C_G^{2-}   {S}
  X_1        C_G^{2+}   {C, S}                          {C, S}
  X_2        C_G^{2-}   {S}
  X_2        C_G^{2+}   {C, S}                          {C, S}
  Secret_c   C_G^{2-}                                   ∅
  Secret_c   C_G^{2+}   {C, S}          {S}             {C, S}
Recall that $F_{TLS} = \mathrm{DIN} \sqcup \mathrm{DEK}$ and allows to attribute to a message a security level that depends on its direct encryption keys and direct principal identities.
From the previous table we can also deduce that the equation $F_{TLS}(\alpha, C^{2+}_G) \sqsupseteq \ulcorner\alpha\urcorner \sqcap F_{TLS}(\alpha, C^{2-}_G)$ is true for all $\alpha \in \{X_1, X_2, Secret_c\}$, and so the role $C^2_G$ is increasing.
From the generalized role $C^3_G$, we deduce that:
$C^{3-}_G = (m^4_C = \{H(g_2(m^1_C, m^2_C, m^3_C, Secret_c, C, S))\}_{K_{cs}})$
$C^{3+}_G = (m^5_C = \{H(g_3(m^1_C, m^2_C, m^3_C, m^4_C, Secret_c, C, S))\}_{K_{cs}})$
In the role $C^3_G$, the sent messages are $C$, $S$, $Ver_c$, $Secret_c$, $X_1$, $X_2$ and $IdSession^i$. The messages $C$, $S$, $Ver_c$ and $IdSession^i$ have the security level $\bot$, i.e. $\ulcorner\alpha\urcorner = \bot$ for all $\alpha \in \{C, S, Ver_c, IdSession^i\}$. Hence, the equation $F_{TLS}(\alpha, C^{3+}_G) \sqsupseteq \ulcorner\alpha\urcorner \sqcap F_{TLS}(\alpha, C^{3-}_G)$ will always be true for all $\alpha \in \{C, S, Ver_c, IdSession^i\}$.
Now, let's verify the equation for the messages $X_1$, $X_2$ and $Secret_c$. The security levels of these messages are as follows: $\ulcorner Secret_c \urcorner = \{C, S\}$ and $\ulcorner X_1 \urcorner = \ulcorner X_2 \urcorner = \bot$.
The security levels of $X_1$, $X_2$ and $Secret_c$ obtained by the function $F_{TLS}$ according to the sent and received messages in $C^3_G$ are as follows:
  α          m          DIN_TLS(α, m)   DEK_TLS(α, m)   F_TLS(α, m)
  X_1        C_G^{3-}   {S}
  X_1        C_G^{3+}   {C, S}                          {C, S}
  X_2        C_G^{3-}   {S}
  X_2        C_G^{3+}   {C, S}                          {C, S}
  Secret_c   C_G^{3-}                                   ∅
  Secret_c   C_G^{3+}   {C, S}          {S}             {C, S}
From the previous table we can also deduce that the equation $F_{TLS}(\alpha, C^{3+}_G) \sqsupseteq \ulcorner\alpha\urcorner \sqcap F_{TLS}(\alpha, C^{3-}_G)$ is true for all $\alpha \in \{X_1, X_2, Secret_c\}$, and so the role $C^3_G$ is increasing.
To sum up, the generalized roles of $C$ are increasing since they satisfy the equation
(eq1)  $F_{TLS}(\alpha, C^{i+}_G) \sqsupseteq \ulcorner\alpha\urcorner \sqcap F_{TLS}(\alpha, C^{i-}_G)$
Indeed, we have:
  α          r        ⌜α⌝      F_TLS(α, r+)   F_TLS(α, r-)   eq1
  X_1        C_G^2                                           Yes
  X_1        C_G^3                                           Yes
  X_2        C_G^2                                           Yes
  X_2        C_G^3                                           Yes
  Secret_c   C_G^2    {C, S}   {C, S}                        Yes
  Secret_c   C_G^3    {C, S}   {C, S}         {C, S}         Yes
From the generalized roles of $S$, we deduce that:
$S^{1-}_G = (m^1_S = C, Y_1, Y_2, Y_3)$
$S^{1+}_G = (m^2_S = S, N_s, Ver_s, Y_3, CA(S, K_s))$
In this role, the sent messages are $S$, $N_s$, $Ver_s$ and $Y_3$. The messages $S$, $N_s$ and $Ver_s$ have the security level $\bot$, i.e. $\ulcorner\alpha\urcorner = \bot$ for all $\alpha \in \{S, N_s, Ver_s\}$. Hence, the equation $F_{TLS}(\alpha, S^{1+}_G) \sqsupseteq \ulcorner\alpha\urcorner \sqcap F_{TLS}(\alpha, S^{1-}_G)$ will always be true for all $\alpha \in \{S, N_s, Ver_s\}$. Now, let's verify the equation for the message $Y_3$. In fact, the security level of $Y_3$ obtained by the function $F_{TLS}$ according to the sent and received messages in $S^1_G$ is as follows:
  α     m          DIN_TLS(α, m)   DEK_TLS(α, m)   F_TLS(α, m)
  Y_3   S_G^{1-}   {C}
  Y_3   S_G^{1+}   {S}
From the previous table we can also deduce that the equation $F_{TLS}(Y_3, S^{1+}_G) \sqsupseteq \ulcorner Y_3 \urcorner \sqcap F_{TLS}(Y_3, S^{1-}_G)$ holds, and so the role $S^1_G$ is increasing.
From the generalized role $S^2_G$, we deduce that:
$S^{2-}_G = (m^3_S = Y_3, \{Y_1, Y_4, C, S\}_{K_s}, CA(C, K_c), \{H(g_1(m^1_S, m^2_S, Y_4, C, S))\}_{K_c^{-1}})$
$S^{2+}_G = (m^4_S = \{H(g_2(m^1_S, m^2_S, m^3_S, Y_4, C, S))\}_{K_{cs}})$
In the role $S^2_G$, the sent messages are $C$, $S$, $N_s$, $Ver_s$, $Y_1$, $Y_2$, $Y_3$ and $Y_4$. The messages $C$, $S$, $N_s$ and $Ver_s$ have the security level $\bot$, i.e. $\ulcorner\alpha\urcorner = \bot$ for all $\alpha \in \{C, S, N_s, Ver_s\}$. Hence, the equation $F_{TLS}(\alpha, S^{2+}_G) \sqsupseteq \ulcorner\alpha\urcorner \sqcap F_{TLS}(\alpha, S^{2-}_G)$ will always be true for all $\alpha \in \{C, S, N_s, Ver_s\}$. Now, let's verify the equation for the messages $Y_1$, $Y_2$, $Y_3$ and $Y_4$. Their security levels obtained by the function $F_{TLS}$ according to the sent and received messages in $S^2_G$ are as follows:
  α     m          DIN_TLS(α, m)   DEK_TLS(α, m)   F_TLS(α, m)
  Y_1   S_G^{2-}   {C, S}
  Y_1   S_G^{2+}   {C, S}                          {C, S}
  Y_2   S_G^{2-}   {C}
  Y_2   S_G^{2+}   {C, S}                          {C, S}
  Y_3   S_G^{2-}   {C}
  Y_3   S_G^{2+}   {C, S}                          {C, S}
  Y_4   S_G^{2-}   {C, S}          {S}             {C, S}
  Y_4   S_G^{2+}   {C, S}                          {C, S}
From the previous table we can also deduce that the equation $F_{TLS}(\alpha, S^{2+}_G) \sqsupseteq \ulcorner\alpha\urcorner \sqcap F_{TLS}(\alpha, S^{2-}_G)$ is true for all $\alpha \in \{Y_1, Y_2, Y_3, Y_4\}$, and so the role $S^2_G$ is increasing.
To sum up, the generalized roles of $S$ are increasing since they satisfy the equation
(eq2)  $F_{TLS}(\alpha, S^{i+}_G) \sqsupseteq \ulcorner\alpha\urcorner \sqcap F_{TLS}(\alpha, S^{i-}_G)$
Indeed, we have:
  α     r        ⌜α⌝      F_TLS(α, r+)   F_TLS(α, r-)   eq2
  Y_3   S_G^1                                           Yes
  Y_3   S_G^2             {C, S}                        Yes
  Y_2   S_G^2             {C, S}                        Yes
  Y_1   S_G^2             {C, S}                        Yes
  Y_4   S_G^2    {C, S}   {C, S}                        Yes
The previous table shows that the generalized roles of $S$ are increasing. Therefore, we can deduce that the SSL/TLS protocol respects the secrecy property in the context $\mathcal{C}_{TLS}$.
6 CONCLUSIONS
This paper presents the analysis of the SSL/TLS handshake protocol by using the interpretation functions-based method. In fact, we proved that the SSL/TLS protocol is correct with respect to the secrecy property. This result was obtained by considering the famous Dolev and Yao intruder model. In our future work, we will extend this model with more algebraic properties of cryptographic primitives in order to analyze the secrecy property in a more realistic intruder model. In fact, in (Paulson, 1997b), L. Paulson has proven that the Bull protocol preserves secrecy by using an intruder model that does not take into account any algebraic property of cryptographic primitives. However, he proved that attacks are possible on this protocol if some algebraic properties of $\oplus$ or of exponentiation are considered in the intruder model.
Also, we gave in this paper new and practical safe interpretation functions (the DEK and DINEK functions) that could be used to analyze all kinds of key-agreement protocols. Therefore, we want to investigate in our future work the analysis of other key-agreement protocols such as Kerberos with some interesting algebraic properties. Also, we want to study and give more safe interpretation functions.
REFERENCES
Abadi, M. (1999). Secrecy by typing in security protocols.
Journal of the ACM, 46(5):749–786.
Bellare, M. and Rogaway, P. (1993). Random oracles are
practical: A paradigm for designing efficient proto-
cols. pages 62–73. ACM Press.
Bugliesi, M., Focardi, R., and Maffei, M. (2004). Authen-
ticity by tagging and typing. In FMSE ’04: Proceed-
ings of the 2004 ACM workshop on Formal methods
in security engineering, pages 1–12. ACM Press.
Carlsen, U. (1994). Formal Specification and Analysis of Cryptographic Protocols. PhD thesis, Université PARIS XI.
Clark, J. and Jacob, J. (1996). A survey of authentication
protocol literature. Unpublished Article Available at.
Debbabi, M., Durgin, N., Mejri, M., and Mitchell, J. (2001). Security by typing. Accepted for publication in the International Journal on Software Tools for Technology Transfer (STTT), Springer Verlag.
Delicata, R. and Schneider, S. (2005). Temporal rank func-
tions for forward secrecy. In CSFW ’05: Proceed-
ings of the 18th IEEE Computer Security Foundations
Workshop (CSFW’05), pages 126–139, Washington,
DC, USA. IEEE Computer Society.
Dierks, T. and Rescorla, E. (2008). Rfc 5246 - the transport
layer security (tls) protocol version 1.2. Technical re-
port, IETF.
Fabrega, F. J. T., Javier, F., Herzog, J. C., and Guttman, J. D.
(1999). Strand spaces: Proving security protocols cor-
rect.
Gordon, A. D. and Jeffrey, A. (2004). Authenticity by Typ-
ing for Security Protocols. Journal of Computer Se-
curity, 11(4):451–519.
He, C., Sundararajan, M., Datta, A., Derek, A., and
Mitchell, J. C. (2005). A modular correctness proof
of ieee 802.11i and tls. In In CCS 05: Proceedings of
the 12th ACM conference on Computer and communi-
cations security, pages 2–15. ACM Press.
Hickman, K. E. B. (1994). The ssl protocol version 2.0.
Houmani, H. and Mejri, M. (2007). Secrecy by interpreta-
tion functions. Journal of Knowledge-Based Systems,
20(7):617–635.
Houmani, H. and Mejri, M. (2008a). Analysis of
some famous cryptographic protocols using the
interpretation-function-based method. International
Journal of Security and Its Applications (IJSIA),
2(4):99–116.
Houmani, H. and Mejri, M. (2008b). Ensuring the cor-
rectness of cryptographic protocols with respect to se-
crecy. In PRESS, I., editor, International Conference
on Security and Cryptography (Secrypt), Porto, Portu-
gal.
Houmani, H. and Mejri, M. (2008c). Toward an automatic
verification of secrecy without the perfect encryp-
tion assumption. International Journal of Computers,
North Atlantic University Union (NAUN), 2(2):183–
192.
Jager, T., Kohlar, F., Schage, S., and Schwenk, J. (2011).
A standard-model security analysis of tls. Cryptology
ePrint Archive.
Kemmerer, R., Meadows, C., and Millen, J. (1994). Three
Systems for Cryptographic Protocol Analysis. Jour-
nal of Cryptology, 7(2):79–130.
Liebl, A. (1993). Authentication in distributed systems: A
bibliography. Operating Systems Review, 27(4):122–
136.
Meadows, C. (1994). The NRL Protocol Analyzer: An
Overview. Journal of Logic Programming.
Meadows, C. (2003). What makes a cryptographic protocol
secure? In Proceedings of ESOP 03. Springer-Verlag.
Mitchell, J. C. (1998). Finite-state analysis of security pro-
tocols. In in Computer Science, L. N., editor, Com-
puter Aided Verification, volume 1427, pages 71–76.
Mitchell, J. C., Shmatikov, V., and Stern, U. (1998). Finite-
state analysis of SSL 3.0. In Proceedings of the 7th
USENIX Security Symposium (SECURITY-98), pages
201–216, Berkeley. Usenix Association.
Morrissey, P., Smart, N. P., and Warinschi, B. (2008). A
modular security analysis of the tls handshake pro-
tocol. In Advances in Cryptology - ASIACRYPT
2008, 14th International Conference on the Theory
and Application of Cryptology and Information Se-
curity, Melbourne, Australia, December 7-11, 2008.
Proceedings, pages 55–73.
Oppliger, R. and Gajek, S. (2005). Effective protection against phishing and web spoofing. In Proceedings of the 9th IFIP TC6 and TC11 Conference on Communications and Multimedia Security (CMS 2005), Springer-Verlag, LNCS 3677, pages 32–41.
Oppliger, R., Hauser, R., and Basin, D. (2006). Ssl/tls
session-aware user authenticationor how to effectively
thwart the man-in-the-middle. Computer Communica-
tions, 29:2238–2246.
Paulson, L. C. (1997a). Inductive analysis of the internet
protocol tls. ACM Transactions on Information and
System Security, 2:332–351.
Paulson, L. C. (1997b). Mechanized proofs for a recursive
authentication protocol. In 10th Computer Security
Foundations Workshop, pages 84–95. IEEE Computer
Society Press.
Rubin, A. D. and Honeyman, P. (1993). Formal methods
for the analysis of authentication protocols. Techni-
cal Report 93–7, Center for Information Technology
Integration. University of Michigan. Internal Draft.
Sabelfeld, A. and Myers, A. (2003). Language-based
information-flow security.
Schneider, S. (1992). An operational semantics for timed CSP. In Proceedings Chalmers Workshop on Concurrency, 1991, pages 428–456. Report PMG-R63, Chalmers University of Technology and University of Göteborg.
Schneider, S. (1996). Security properties and csp. In Pro-
ceedings of the 1996 IEEE Symposium on Security
and Privacy, pages 174–187. IEEE Computer Society
Press.
Schneider, S. (1997). Verifying authentication protocols
with CSP. In PCSFW: Proceedings of The 10th Com-
puter Security Foundations Workshop. IEEE Com-
puter Society Press.
Syverson, P. (1991). The use of logic in the analysis of
cryptographic protocols. In Lunt, T. F. and McLean,
J., editors, Proceedings of the 1991 IEEE Symposium
on Security and Privacy, pages 156–170. IEEE Com-
puter Society.
Syverson, P. (1992). Knowledge, belief, and semantics in the analysis of cryptographic protocols. Journal of Computer Security, 1(3):317–334.
Wagner, D. and Schneier, B. (1996). Analysis of the ssl
3.0 protocol. In Proceedings of the 2nd conference
on Proceedings of the Second USENIX Workshop on
Electronic Commerce - Volume 2, pages 4–4, Berke-
ley, CA, USA. USENIX Association.
FormalAnalysisoftheTLSHandshakeProtocol
205