2015 IEEE International Conference on Systems, Man, and Cybernetics
Tracking Security Flaws in Cryptographic Protocols Using Witness-Functions

Jaouhar Fattahi
Department of Computer Science and Software Engineering, Laval University, Quebec, Canada

Mohamed Mejri
Department of Computer Science and Software Engineering, Laval University, Quebec, Canada

Emil Pricop
Automatic Control, Computers and Electronics Department, Petroleum-Gas University of Ploiesti, Ploiesti, Romania
Abstract—In this paper, we use witness-functions to capture attack scenarios in cryptographic protocols. A witness-function is a protocol-dependent metric that attributes a reliable security level to every atomic message. We use these functions to prove the protocol correctness with respect to secrecy by proving that the security level of every atomic message never decreases throughout all consecutive receiving and sending steps of the protocol. In this paper, we analyze the defective variant of the Otway-Rees protocol and we demonstrate that the use of witness-functions can be a key element in tracing a well-known type flaw that this protocol involves.

Index Terms—Cryptographic protocol; flaw; growth; secrecy; static analysis; witness-function;

978-1-4799-8697-2/15 $31.00 © 2015 IEEE DOI 10.1109/SMC.2015.213

I. INTRODUCTION

In this paper, we will be testing the capabilities of witness-functions in finding out flaws in cryptographic protocols. The concept of witness-functions has recently been proposed by Fattahi [1], [2] to statically prove cryptographic protocols' correctness with respect to secrecy in a role-based specification [3]–[5]. A protocol analysis with a witness-function consists in tracking the level of security of every atomic message in the protocol and making sure that it never decreases throughout all consecutive receiving and sending steps. If so, the protocol is declared correct with respect to secrecy. However, if the security level of some atomic message decreases, this may be indicative of a flaw in its security drop steps. This paper is organized as follows:
• firstly, we set a few conditions that a function must meet before it is approved for analysis, and we state that a growing protocol is correct for secrecy when any function that fulfills these prerequisites is used to calculate security levels;
• secondly, we give a brief introduction of the concept of witness-functions and highlight the practical aspects of their static bounds;
• thirdly, we perform a thorough analysis of the Otway-Rees protocol using a witness-function and show that it significantly helps to capture a well-known attack scenario on it;
• finally, we discuss the results obtained therein.

II. ON THE SECURITY OF GROWING PROTOCOLS

We give here two conditions on a function before being accepted for verification. Then, we state that a growing protocol is correct for secrecy. Please notice that we use the same notations given in [1] and we adopt the same assumptions as in the Dolev-Yao model [6].

A. Safety Conditions

Definition 1: (Well-formed Function) Let F be a function and C be an analyzing context. F is C-well-formed iff: ∀M, M1, M2 ⊆ M, ∀s ∈ A(M):
  F (s, {s}) = ⊥;
  F (s, M1 ∪ M2 ) = F (s, M1 ) F (s, M2 );
  F (s, M ) = , if s ∉ A(M ).

A well-formed function F is a function that returns the infimum value for an atomic message s that appears in clear in a set of messages M. This is to say that everyone can see it and infer it from M. For an atom in the union of two sets, it returns the minimum of the two values ranked by F in each set individually. It returns the supremum for it if it is not in M. This is to say that no one could deduce it from M.

Definition 2: (Invariant-by-adversary Function) Let F be a function and C be an analyzing context. F is C-invariant-by-adversary iff: ∀M ⊆ M, m ∈ M.M |=C m ⇒ ∀s ∈ A(m).(F (s, m) F (s, M )) ∨ (K(I) s).

An invariant-by-adversary function F is a function such that, once it gives a security level to an atom s in a set of messages M, an adversary can never build from M a message m in which this level could collapse (i.e. F (s, m) F (s, M )), unless s is from the beginning destined to the adversary (i.e. K(I) s).

Definition 3: (Safe Function) Let F be a function and C be an analyzing context. F is C-safe iff:
  F is C-well-formed;
  F is C-invariant-by-adversary.

A safe function F is at once well-formed and invariant-by-adversary.
B. Security of Growing Protocols

Definition 4: (F-growing Protocol) Let F be a function and C be an analyzing context and p be a protocol. p is F-growing in C iff: ∀R.r ∈ RG (p), ∀σ ∈ Γ : X → Mp we have: ∀s ∈ A(M).F (s, r+ σ) s F (s, R− σ)

An F-growing protocol is a protocol that generates traces (ground terms) without end in which every atomic message always has a security level, ranked by F, that is higher in a sent message (i.e. in r+ σ) than it was in the context when receiving (i.e. in R− σ).

Theorem 1: (Secrecy in Growing Protocols) Let F be a C-safe function and p be an F-growing protocol. p is correct for secrecy.

Theorem 1 asserts that a protocol is correct for secrecy when it is shown growing using a safe function F. This result is quite intuitive. In fact, if an adversary gets a secret s, then its security level ranked by F is the infimum since F is well-formed. This could not arise if the adversary uses the protocol rules since the protocol is growing on F (unless s has initially the infimum value and in this case s is intentionally destined to the adversary and hence it is not a secret). Nor can it arise if the adversary uses his capabilities, since F is invariant-by-adversary. Consequently, s is preserved forever.

III. A GUIDELINE FOR SAFE FUNCTIONS

In [1], we propose an abstract class of safe selections: S^EK_Gen. Any instance of this class should return for an atom s:
1) in m, if s is encrypted by a key k, where k is the most external key that satisfies k^-1 s (said the external protective key), any subset among k^-1 and the atoms that travel with s under the same encryption by k (s is not selected);
2) in m, if s has no protective key in m, the infimum value (all atoms);
3) in two messages linked by an operator other than an encryption by a protective key, the union of subselections performed in the two messages individually;
4) if s is not an atom of m, the supremum value (empty set).

From S^EK_Gen, we define three useful and practical instances:
1) S^EK_EK: returns for s if encrypted by k in m, only the key k^-1;
2) S^EK_N: returns for s if encrypted by k in m, all the identities of agents traveling with it under the same encryption by k;
3) S^EK_MAX: returns S^EK_EK ∪ S^EK_N;

Every instance S of S^EK_Gen once composed to an adequate morphism Υ yields a safe function F = Υ ◦ S. We use the morphism returning for:
1) a selected agent identity, itself;
2) a selected key k^-1, the set of identities of agents that know it in the analyzing context.

The resulting functions are denoted by: F^EK_EK = Υ ◦ S^EK_EK, F^EK_N = Υ ◦ S^EK_N and F^EK_MAX = Υ ◦ S^EK_MAX. We prove that these functions are safe. Indeed, since the selection for any secret s in a message m is performed in an invariant zone of m that is encrypted by k, any attempt to lower the security level of s in m (i.e. any attempt to insert evil agent identities in that zone) compels the adversary to have already obtained the atomic key k^-1 from a prior step. Hence, his knowledge just after that step must fulfill the condition K(I) k^-1. As we impose that k^-1 s, then, by transitivity of the relation , the knowledge of the adversary must fulfill the condition K(I) s, as well. This is exactly the definition of an invariant-by-adversary function. In addition, all of these functions are well-formed by design. Then, they are safe.

Example 1: Let us have a context such that: s = {A, B, S}; m = {C.{s.D}kas}kab; kab^-1 = kab, kas^-1 = kas; kas = {A, S}, kab = {A, B};
We have: S^EK_MAX(s, m) = {C, D, kab^-1}; F^EK_MAX(s, m) = Υ ◦ S^EK_MAX(s, m) = {C, D} kab^-1 = {C, D} ∪ {A, B} = {A, B, C, D}.

IV. WITNESS-FUNCTIONS

In the rest of this paper, we denote by F any of the functions F^EK_EK, F^EK_N and F^EK_MAX. These functions cannot analyze a protocol through its generalized roles since they are defined on ground terms only. We suggest hereafter a safe way to use them over derivative messages of the generalized roles that are ground terms. Roughly speaking, a derivative message is a message from which we remove variables as ruled by Definition 5.

Definition 5: [Derivation]
  ∂X s = s
  ∂X =
  ∂X X =
  ∂X Y = Y, X ≠ Y
  ∂{X} m = ∂X m
  ∂[X]m = ∂{Xm \X} m
  ∂X f (m) = f (∂X m), f ∈ Σ
  ∂S1 ∪S2 m = ∂S1 ∂S2 m
  ∂S1 ∪S2 m = ∂S2 ∪S1 m
For that, we define the application in Definition 6.

Definition 6: Let m ∈ MGp, X ∈ Xm and mσ be a valid trace. For all secret s ∈ A(mσ), ∀σ ∈ Γ, we denote by:
  F (s, ∂[s]mσ) = F (s, ∂m) if s ∈ A(∂m),
  F (s, ∂[s]mσ) = F (X, ∂[X]m) if s ∉ A(∂m) and s ∈ A(Xσ).

According to this application, a secret s in the static part of a message m (i.e. in ∂m) is ranked by F regardless of the variables that are removed by derivation. As for variables, any of them is ranked by F, whatever its content (universally quantified), and it is treated as a constant block. The security level of any content in a variable is always set equal to the security level of the variable itself. This is motivated by the fact that if the security level of the whole secret substituting a variable does not decrease, then the whole secret is never revealed, and consequently, any content in it is never revealed. Doing likewise, the security level of any secret is always ranked according to the static part of the message only and the dynamic items do not play any role in the calculation of security levels. It is important to point out that a safe function F, when applied to derivative messages, preserves its safety properties as its associated selection may just ignore some candidates (dynamic identities removed by derivation), but it remains always in S^EK_Gen.

Although this application is independent of σ (runs), it cannot yet be accepted for analysis because it might return many security levels for the same secret in a closed message that may come by substitution from many provenances in the generalized roles. For that, we design the witness-functions. A witness-function considers all the provenances of the closed message mσ in the finite set of messages of the generalized roles MGp (encryption pattern matching), then, it applies the application in Definition 6 and finally takes the minimum. The existence and the uniqueness of this minimum are guaranteed in the security lattice.

Definition 7: [witness-function] Let m ∈ MGp, X ∈ Xm and mσ be a valid trace. Let p be a protocol and F be a C-safe function. We define a witness-function ωp,F for all secret s ∈ A(mσ), σ ∈ Γ, as follows:
  ωp,F (s, mσ) = F (s, ∂[s]m σ )
  with m ∈ MGp, ∃σ ∈ Γ.m σ = mσ

According to Definition 7, a witness-function depends on the set of all provenances of mσ in MGp (i.e. the set {m ∈ MGp |∃σ ∈ Γ.m σ = mσ}). So, it depends on σ that is known only after running the protocol. For that, we define two bounds for the witness-function that do not depend on σ. These bounds will be used for analysis instead of the witness-function itself. They are provided by Proposition 1.

Proposition 1: Let m ∈ MGp. Let ωp,F be a witness-function. ∀σ ∈ Γ we have:
  F (s, ∂[s]m σ ) ωp,F (s, mσ) F (s, ∂[s]m)
  with m ∈ MGp, ∃σ ∈ Γ.m σ = mσ

The upper-bound of a witness-function (i.e. F (s, ∂[s]m)) returns the smallest set of static identities for any secret s in m whereas the lower-bound (i.e. F (s, ∂[s]m σ ) with m ∈ MGp, ∃σ ∈ Γ.m σ = mσ) returns the largest set of static identities determined from all the apparent provenances of m (the provenances that are unifiable with m at rest) including those that may be inserted by the adversary. The lower-bound captures any evil identity corresponding to an attack. The proof is intuitive since the set of messages unifiable with m at rest is always larger than the set of messages unifiable with m after executing σ (i.e. {m ∈ MGp |∃σ ∈ Γ.m σ = mσ} ⊆ {m ∈ MGp |∃σ ∈ Γ.m σ = mσ }). In addition, we have always m ⊆ {m ∈ MGp |∃σ ∈ Γ.m σ = mσ}.

We state now the theorem of analysis of cryptographic protocols using a witness-function. It provides a static criterion for secrecy based on the static bounds of a witness-function. Hence, a protocol can be analyzed through its generalized roles only.

Theorem 2: [Analysis Theorem] Let p be a protocol. Let ωp,F be a witness-function. p is correct for secrecy if: ∀R.r ∈ RG (p), ∀s ∈ A(r+ ) we have:
  F (s, ∂[s]m σ ) s F (s, ∂[s]R− )
  with m ∈ MGp, ∃σ ∈ Γ.m σ = r+ σ

The proof of Theorem 2 derives directly from Proposition 1 and Theorem 1.

V. ANALYSIS OF THE OTWAY-REES PROTOCOL USING A WITNESS-FUNCTION

Hereafter, we analyze the Otway-Rees protocol with a witness-function. This protocol is denoted by p in Table I.

TABLE I: THE OTWAY-REES PROTOCOL

p ::
  1, A → B : M.A.B.{Na.M.A.B}kas
  2, B → S : M.A.B.{Na.M.A.B}kas.{Nb.M.A.B}kbs
  3, S → B : M.{Na.kab}kas.{Nb.kab}kbs
  4, B → A : M.{Na.kab}kas

The role-based specification of p is RG (p) = {A1G, A2G, B1G, B2G, S1G}, where the generalized roles A1G, A2G of A are as follows:

A1G =
  i.1, A → I(B) : M.A.B.{Nai.M.A.B}kas

A2G =
  i.1, A → I(B) : M.A.B.{Nai.M.A.B}kas
  i.2, I(B) → A : M.{Nai.X}kas

The generalized roles B1G, B2G of B are as follows:

B1G =
  i.1, I(A) → B : Y.A.B.Z
  i.2, B → I(S) : Y.A.B.Z.{Nbi.Y.A.B}kbs

B2G =
  i.1, I(A) → B : Y.A.B.Z
  i.2, B → I(S) : Y.A.B.Z.{Nbi.Y.A.B}kbs
  i.3, I(S) → B : Y.U.{Nbi.V}kbs
  i.4, B → I(A) : Y.U

The generalized role S1G of S is as follows:

S1G =
  i.2, I(B) → S : W.A.B.{Q.W.A.B}kas.{T.W.A.B}kbs
  i.3, S → I(B) : W.{Q.ki}kas.{T.ki}kbs

Let us have a context such that: kas = {A, S}; kbs = {B, S}; ki = {A, B, S}; Nai = {A, B, S}; Nbi = {A, B, S}; M = ⊥; ∀A ∈ I, A = ⊥. The principal identities and names that are set public in the analyzing context (i.e. A, B, S and M ) are not analyzed since their value of security is the infimum ⊥ and their value on sending could not be lowered by an adversary.

Let F = F^EK_MAX; ωp,F = ωp,F^EK_MAX;
We denote by ωp,F (s, m) the lower-bound F (s, ∂[s]m σ ) (with m ∈ MGp, ∃σ ∈ Γ.m σ = mσ ) of the witness-function ωp,F (s, m).

Let MGp = {M1, A1, B1, {NA2.M2.A2.B2}KA2S1, M3, {NA3.X1}KA3S2, Y1, A4, B3, Z1, Y2, A5, B4, Z2, {NB5.Y3.A6.B5}KB5S3, Y4, U1, {NB6.V1}KB6S4, Y5, U2, W1, A7, B7, {Q1.W2.A8.B8}KA8S5, {T1.W3.A9.B9}KB9S6, W4, {Q2.k1i}KA10S7, {T2.k2i}KB11S8}

After removing duplicates and keeping only the encryption patterns, MGp = {M1, A1, {NA2.M2.A2.B2}KA2S1, {NA3.X1}KA3S2, {NB5.Y3.A6.B5}KB5S3, {Q1.W2.A8.B8}KA8S5, {T1.W3.A9.B9}KB9S6, {Q2.k1i}KA10S7, {T2.k2i}KB11S8}

Assumption: we assume that an agent can recognize any principal identity, any session identifier M and any nonce, but the session key ki shared between A and B could be anything (not typed).

A. Analysis of the Generalized Roles of A

As defined in the generalized role A, an agent A can participate in some session Si in which he receives nothing and sends the string M.A.B.{Nai.M.A.B}kas. This is described by the following rule:

Si :
       -----------------------
       M.A.B.{Nai.M.A.B}kas

-Analysis of the messages exchanged in Si:

1- For Nai:
a- When receiving: RS−i = (on receiving, we use the upper-bound)
F (Nai, ∂[Nai]RS−i) = F (Nai, ∂[Nai]) = (A.1)
b- When sending: rS+i = M.A.B.{Nai.M.A.B}kas (on sending, we use the lower-bound)
ωp,F (Nai, rS+i) = ωp,F (Nai, M.A.B.{Nai.M.A.B}kas) = ωp,F (Nai, M) ωp,F (Nai, A) ωp,F (Nai, B) ωp,F (Nai, {Nai.M.A.B}kas) = ωp,F (Nai, {Nai.M.A.B}kas) = ωp,F (Nai, {Nai.M.A.B}kas)

Nai.{m ∈ MGp |∃σ ∈ Γ.m σ = {Nai.M.A.B}kas σ } = {({NA2.M2.A2.B2}KA2S1, σ1), ({NA3.X1}KA3S2, σ2), ({Q1.W2.A8.B8}KA8S5, σ3)} such that:
  σ1 = {A2 −→ A, M2 −→ M, B2 −→ B, S1 −→ S}
  σ2 = {A3 −→ A, X1 −→ M.A.B, S2 −→ S}
  σ3 = {Q1 −→ Nai, W2 −→ M, A8 −→ A, B8 −→ B, S5 −→ S}

ωp,F (Nai, {Nai.M.A.B}kas)
= {Definition of the lower-bound of the witness-function}
  F (Nai, ∂[Nai]{NA2.M2.A2.B}KA2S1 σ1) F (Nai, ∂[Nai]{NA3.X1}KA3S2 σ2) F (Nai, ∂[Nai]{Q1.W2.A8.B}KA8S5 σ3)
= {Setting the static neighborhood}
  F (Nai, ∂[Nai]{Nai.M.A.B}kas σ1) F (Nai, ∂[Nai]{Nai.X1}kas σ2) F (Nai, ∂[Nai]{Q1.W2.A.B}kas σ3)
= {Definition 6}
  F (Nai, ∂[Nai]{Nai.M.A.B}kas) F (Nai, ∂[Nai]{Nai}kas) F (Q1, ∂[Q1]{Q1.W2.A.B}kas)
= {Derivation in Definition 5}
  F (Nai, {Nai.M.A.B}kas) F (Nai, {Nai}kas) F (Q1, {Q1.A.B}kas)
= {Since F = F^EK_MAX}
  {A, B, S} ∪ {A, S} ∪ {A, B, S} = {A, B, S} (A.2)

2- Compliance with Theorem 2:
From (A.1) and (A.2), we have: ωp,F (Nai, rS+i) = {A, B, S} Nai F (Nai, ∂[Nai]RS−i) = {A, B, S} (A.3)
From (A.3) we have: the messages exchanged in the session Si (i.e. Nai) in the generalized role of A respect Theorem 2. (I)

B. Analysis of the generalized role of B

As defined in the generalized role of B, an agent B can participate in two subsequent sessions: Si and Sj, such that j > i. In the former session Si, the agent B receives the string Y.A.B.Z and sends the string Y.A.B.Z.{Nbi.Y.A.B}kbs. In the subsequent session Sj, he receives the string Y.U.{Nbi.V}kbs and sends the string Y.U. This is described by the following rules:

Si :   Y.A.B.Z
       -----------------------
       Y.A.B.Z.{Nbi.Y.A.B}kbs

Sj :   Y.U.{Nbi.V}kbs
       -----------------------
       Y.U

-Analysis of the messages exchanged in Si:

1- For Nbi:
a- When receiving: RS−i = Y.A.B.Z (on receiving, we use the upper-bound)
F (Nbi, ∂[Nbi]RS−i) = F (Nbi, ∂[Nbi]Y.A.B.Z) = F (Nai, ∂[Nbi]Y) F (Nbi, ∂[Nbi]A) F (Nbi, ∂[Nbi]B) F (Nbi, ∂[Nbi]Z) = = (B.1)
b- When sending: rS+i = Y.A.B.Z.{Nbi.Y.A.B}kbs (on sending, we use the lower-bound)
ωp,F (Nbi, rS+i) = ωp,F (Nbi, Y.A.B.Z) ωp,F (Nbi, {Nbi.Y.A.B}kbs) = ωp,F (Nbi, {Nbi.Y.A.B}kbs) = ωp,F (Nbi, {Nbi.Y.A.B}kbs)

Nbi.{m ∈ MGp |∃σ ∈ Γ.m σ = {Nbi.Y.A.B}kbs σ } = {({NA3.X1}KA3S2, σ4), ({NB5.Y3.A6.B5}KB5S3, σ5), ({T1.W3.A9.B9}KB9S6, σ6)} such that:
  σ4 = {A3 −→ B, X1 −→ Y.A.B, S2 −→ S}
  σ5 = {B5 −→ B, Y3 −→ Y, A6 −→ A, S3 −→ S}
  σ6 = {T1 −→ Nbi, W3 −→ Y, A9 −→ A, B9 −→ B, S6 −→ S}

ωp,F (Nbi, rS+i) = ωp,F (Nbi, {Nbi.Y.A.B}kbs)
= {Definition of the lower-bound of the witness-function}
  F (Nbi, ∂[Nbi]{NA3.X1}KA3S2 σ4) F (Nbi, ∂[Nbi]{NB5.Y3.A6.B5}KB5S3 σ5) F (Nbi, ∂[Nbi]{T1.W3.A9.B9}KB9S6 σ6)
= {Setting the static neighborhood}
  F (Nbi, ∂[Nbi]{Nbi.X1}kbs σ4) F (Nbi, ∂[Nbi]{Nbi.Y3.A.B}kbs σ5) F (Nbi, ∂[Nbi]{T1.W3.A.B}kbs σ6)
= {Definition 6}
  F (Nbi, ∂[Nbi]{Nbi.X1}kbs) F (Nbi, ∂[Nbi]{Nbi.Y3.A.B}kbs) F (T1, ∂[T1]{T1.W3.A.B}kbs)
= {Derivation in Definition 5}
  F (Nbi, {Nbi}kbs) F (Nbi, {Nbi.A.B}kbs) F (T1, {T1.A.B}kbs)
= {Since F = F^EK_MAX}
  {B, S} ∪ {A, B, S} ∪ {A, B, S} = {A, B, S} (B.2)

2-∀Y:
a- When receiving: RS−i = Y.A.B.Z (on receiving, we use the upper-bound)
F (Y, ∂[Y]RS−i) = F (Y, ∂[Y]Y.A.B.Z) = F (Y, ∂[Y]Y) F (Y, ∂[Y]A) F (Y, ∂[Y]B) F (Y, ∂[Y]Z) = F (Y, Y) F (Y, A) F (Y, B) F (Y, ) = ⊥ = ⊥ (B.3)
b- When sending: rS+i = Y.A.B.Z.{Nbi.Y.A.B}kbs (on sending, we use the lower-bound)
ωp,F (Y, rS+i) = ωp,F (Y, Y) ωp,F (Y, A) ωp,F (Y, B) ωp,F (Y, Z) ωp,F (Y, {Nbi.Y.A.B}kbs) = ⊥ ωp,F (Nbi, {Nbi.Y.A.B}kbs) = ⊥ (B.4)

3-∀Z:
a- When receiving: RS−i = Y.A.B.Z (on receiving, we use the upper-bound)
F (Z, ∂[Y]RS−i) = F (Z, ∂[Z]Y.A.B.Z) = F (Z, ∂[Z]Z) F (Z, ∂[Z]A) F (Z, ∂[Z]B) F (Z, ∂[Z]Z) = F (Z, ) F (Z, A) F (Z, B) F (Z, Z) = ⊥ = ⊥ (B.5)
b- When sending: rS+i = Y.A.B.Z.{Nbi.Y.A.B}kbs (on sending, we use the lower-bound)
ωp,F (Z, rS+i) = ωp,F (Z, Y) ωp,F (Z, A) ωp,F (Z, B) ωp,F (Z, Z) ωp,F (Z, {Nbi.Y.A.B}kbs) = ⊥ = ⊥ (B.6)

-Analysis of the messages exchanged in Sj:

1-∀Y:
a- When receiving: RS−j = Y.U.{Nbi.V}kbs (on receiving, we use the upper-bound)
F (Y, ∂[Y]RS−j) = F (Y, ∂[Y]Y.U.{Nbi.V}kbs) = F (Y, Y.{Nbi}kbs) = F (Y, Y) F (Y, {Nbi}kbs) = ⊥ = ⊥ (B.7)
b- When sending: rS+j = Y.U (on sending, we use the lower-bound)
ωp,F (Y, rS+j) = ωp,F (Y, Y.U) = ωp,F (Y, Y) ωp,F (Y, U) = ⊥ = ⊥ (B.8)

2-∀U:
a- When receiving: RS−j = Y.U.{Nbi.V}kbs (on receiving, we use the upper-bound)
F (U, ∂[U]RS−j) = F (U, ∂[U]Y.U.{Nbi.V}kbs) = F (U, U.{Nbi}kbs) = F (U, U) F (U, {Nbi}kbs) = ⊥ = ⊥ (B.9)
b- When sending: rS+j = Y.U (on sending, we use the lower-bound)
ωp,F (U, rS+j) = ωp,F (U, Y.U) = ωp,F (U, Y) ωp,F (U, U) = ⊥ = ⊥ (B.10)

3- Compliance with Theorem 2:
From (B.1) and (B.2) we have: ωp,F (Nbi, rS+i) = {A, B, S} Nbi F (Nai, ∂[Nbi]RS−i) = {A, B, S} (B.11)
From (B.3) and (B.4) we have: ωp,F (Y, rS+i) = ⊥ Y F (Y, ∂[Y]RS−i) = ⊥ (B.12)
From (B.5) and (B.6) we have: ωp,F (Z, rS+i) = ⊥ Z F (Z, ∂[Y]RS−i) = ⊥ (B.13)
From (B.7) and (B.8) we have: ωp,F (Y, rS+j) = ⊥ Y F (Y, ∂[Y]RS−j) = ⊥ (B.14)
From (B.9) and (B.10) we have: ωp,F (U, rS+j) = ⊥ U F (U, ∂[Y]RS−j) = ⊥ (B.15)
From (B.11), (B.12), (B.13), (B.14) and (B.15) we have: the messages exchanged in the sessions Si and Sj in the generalized role of B respect Theorem 2. (II)

C. Analysis of the generalized role of S

As defined in the generalized role of S, an agent S can participate in some session Si in which he receives the string W.A.B.{Q.W.A.B}kas.{T.W.A.B}kbs and sends the string W.{Q.ki}kas.{T.ki}kbs. This is described by the following rule:

Si :   W.A.B.{Q.W.A.B}kas.{T.W.A.B}kbs
       ---------------------------------
       W.{Q.ki}kas.{T.ki}kbs

1-∀W:
a- When receiving: RS−i = W.A.B.{Q.W.A.B}kas.{T.W.A.B}kbs (on receiving, we use the upper-bound)
F (W, ∂[W]RS−i) = F (W, ∂[W]W.A.B.{Q.W.A.B}kas.{T.W.A.B}kbs) = F (W, ∂[W]W.A.B.{W.A.B}kas.{W.A.B}kbs) = F (W, ∂[W]W) F (W, ∂[W]A.B.{W.A.B}kas.{W.A.B}kbs) = ⊥ F (W, ∂[W]A.B.{W.A.B}kas.{W.A.B}kbs) = ⊥ (C.1)
b- When sending: rS+i = W.{Q.ki}kas.{T.ki}kbs (on sending, we use the lower-bound)
ωp,F (W, rS+i) = ωp,F (W, W.{Q.ki}kas.{T.ki}kbs) = ωp,F (W, W) ωp,F (W, {Q.ki}kas.{T.ki}kbs) = ⊥ ωp,F (W, {Q.ki}kas.{T.ki}kbs) = ⊥ (C.2)
2-∀Q:
a- When receiving: RS−i = W.A.B.{Q.W.A.B}kas.{T.W.A.B}kbs (on receiving, we use the upper-bound)
F (Q, ∂[Q]RS−i) = F (Q, ∂[Q]W.A.B.{Q.W.A.B}kas.{T.W.A.B}kbs) = F (Q, A.B.{Q.A.B}kas.{A.B}kbs) = F (Q, A.B) F (Q, {Q.A.B}kas) F (Q, {A.B}kbs) = F (Q, {Q.A.B}kas) = ∅ ∪ {A, B, S} ∪ ∅ = {A, B, S} (C.3)
b- When sending: rS+i = W.{Q.ki}kas.{T.ki}kbs (on sending, we use the lower-bound)
ωp,F (Q, rS+i) = ωp,F (Q, W.{Q.ki}kas.{T.ki}kbs) = ωp,F (Q, W) ωp,F (Q, {Q.ki}kas) ωp,F (Q, {T.ki}kbs) = ωp,F (Q, {Q.ki}kas) = ωp,F (Q, {Q.ki}kas)

∀Q.{m ∈ MGp |∃σ ∈ Γ.m σ = {Q.ki}kas σ } = {({Q1.W2.A8.B8}KA8S5, σ7), ({T1.W3.A9.B9}KB9S6, σ8), ({Q2.k1i}KA10S7, σ9), ({T2.k2i}KB11S8, σ10)} such that:
  σ7 = {Q1 −→ Q, A8 −→ A, S5 −→ S, ki −→ W2.A.B8}
  σ8 = {T1 −→ Q, B9 −→ A, S6 −→ S, ki −→ W3.A9.B}
  σ9 = {Q2 −→ Q, A10 −→ A, S7 −→ S, k1i −→ ki}
  σ10 = {T2 −→ Q, B11 −→ A, S8 −→ S, k2i −→ ki}

ωp,F (Q, {Q.ki}kas)
= {Definition of the lower-bound of the witness-function}
  F (Q, ∂[Q]{Q1.W2.A8.B8}KA8S5 σ7) F (Q, ∂[Q]{T1.W3.A9.B9}KB9S6 σ8) F (Q, ∂[Q]{Q2.k1i}KA10S7 σ9) F (Q, ∂[Q]{T2.k2i}KB11S8 σ10)
= {Setting the static neighborhood}
  F (Q, ∂[Q]{Q1.W2.A.B8}kas σ7) F (Q, ∂[Q]{T1.W3.A9.A}kas σ8) F (Q, ∂[Q]{Q2.ki}kas σ9) F (Q, ∂[Q]{T2.ki}kas σ10)
= {Definition 6}
  F (Q1, ∂[Q1]{Q1.W2.A.B8}kas) F (T1, ∂[T1]{T1.W3.A9.A}kas) F (Q2, ∂[Q2]{Q2.ki}kas) F (T2, ∂[T2]{T2.ki}kas)
= {Derivation in Definition 5}
  F (Q1, {Q1.A.B8}kas) F (T1, {T1.A9.A}kas) F (Q2, {Q2.ki}kas) F (T2, {T2.ki}kas)
= {Since F = F^EK_MAX}
  {A, B8, S} ∪ {A9, A, S} ∪ {A, S} ∪ {A, S} = {A, A9, B8, S} (C.4)

3- For ki:
a- When receiving: RS−i = W.A.B.{Q.W.A.B}kas.{T.W.A.B}kbs (on receiving, we use the upper-bound)
F (ki, ∂[ki]RS−i) = F (ki, ∂[ki]W.A.B.{Q.W.A.B}kas.{T.W.A.B}kbs) = F (ki, A.B.{A.B}kas.{A.B}kbs) = = (C.5)
b- When sending: rS+i = W.{Q.ki}kas.{T.ki}kbs (on sending, we use the lower-bound)
ωp,F (ki, rS+i) = ωp,F (ki, W.{Q.ki}kas.{T.ki}kbs) = ωp,F (ki, W) ωp,F (ki, {Q.ki}kas) ωp,F (ki, {T.ki}kbs) = ωp,F (ki, {Q.ki}kas) ωp,F (ki, {T.ki}kbs) = ωp,F (ki, {Q.ki}kas) ωp,F (ki, {T.ki}kbs)

∀ki.{m ∈ MGp |∃σ ∈ Γ.m σ = {Q.ki}kas σ } = {({NA3.X1}KA3S2, σ11), ({Q2.k1i}KA10S7, σ12), ({T2.k2i}KB11S8, σ13)} such that:
  σ11 = {Q −→ NA, X1 −→ ki, A3 −→ A, S2 −→ S}
  σ12 = {Q2 −→ Q, k1i −→ ki, A10 −→ A, S7 −→ S}
  σ13 = {T2 −→ Q, k2i −→ ki, B11 −→ A, S8 −→ S}

ωp,F (ki, {Q.ki}kas)
= {Definition of the lower-bound of the witness-function}
  F (ki, ∂[ki]{NA3.X1}KA3S2 σ11) F (ki, ∂[ki]{Q2.k1i}KA10S7 σ12) F (ki, ∂[ki]{T2.k2i}KB11S8 σ13)
= {Setting the static neighborhood}
  F (ki, ∂[ki]{NA.X1}kas σ11) F (ki, ∂[ki]{Q.ki}kas σ12) F (ki, ∂[ki]{Q.ki}kas σ13)
= {Definition 6}
  F (X1, ∂[X1]{NA.X1}kas) F (ki, ∂[ki]{Q.ki}kas) F (ki, ∂[ki]{Q.ki}kas)
= {Derivation in Definition 5}
  F (X1, {NA.X1}kas) F (ki, {ki}kas) F (ki, {ki}kas)
= {Since F = F^EK_MAX}
  {A, S} ∪ {A, S} ∪ {A, S} = {A, S} (C.6)

ki.{m ∈ MGp |∃σ ∈ Γ.m σ = {T.ki}kbs σ } = {({NA3.X1}KA3S2, σ14), ({Q2.k1i}KA10S7, σ15), ({T2.k2i}KB11S8, σ16)} such that:
  σ14 = {Q −→ NA, X1 −→ ki, A3 −→ B, S2 −→ S}
  σ15 = {Q2 −→ T, k1i −→ ki, A10 −→ B, S7 −→ S}
  σ16 = {T2 −→ T, k2i −→ ki, B11 −→ B, S8 −→ S}

ωp,F (ki, {T.ki}kbs)
= {Definition of the lower-bound of the witness-function}
  F (ki, ∂[ki]{NA3.X1}KA3S2 σ14) F (ki, ∂[ki]{Q2.k1i}KA10S7 σ15) F (ki, ∂[ki]{T2.k2i}KB11S8 σ16)
= {Setting the static neighborhood}
  F (ki, ∂[ki]{NA.X1}kbs σ14) F (ki, ∂[ki]{Q.ki}kbs σ15) F (ki, ∂[ki]{Q.ki}kbs σ16)
= {Definition 6}
  F (X1, ∂[X1]{NA.X1}kbs) F (ki, ∂[ki]{Q.ki}kbs) F (ki, ∂[ki]{Q.ki}kbs)
= {Derivation in Definition 5}
  F (X1, {NA.X1}kbs) F (ki, {ki}kbs) F (ki, {ki}kbs)
= {Since F = F^EK_MAX}
  {B, S} ∪ {B, S} ∪ {B, S} = {B, S} (C.7)

ωp,F (ki, rS+i) = ωp,F (ki, {Q.ki}kas) ωp,F (ki, {T.ki}kbs) = {A, S} ∪ {B, S} = {A, B, S} (C.8)

4-∀T:
a- When receiving: RS−i = W.A.B.{Q.W.A.B}kas.{T.W.A.B}kbs (on receiving, we use the upper-bound)
F (T, RS−i) = F (T, ∂[T]W.A.B.{Q.W.A.B}kas.{T.W.A.B}kbs) = F (T, A.B.{A.B}kas.{T.A.B}kbs) = F (T, A.B) F (T, {A.B}kas) F (T, {T.A.B}kbs) = {A, B, S} = {A, B, S} (C.9)
b- When sending: rS+i = W.{Q.ki}kas.{T.ki}kbs (on sending, we use the lower-bound)
ωp,F (T, rS+i) = ωp,F (T, W.{Q.ki}kas.{T.ki}kbs) = ωp,F (T, W) ωp,F (T, {Q.ki}kas) ωp,F (T, {T.ki}kbs) = ωp,F (T, {T.ki}kbs) = ωp,F (T, {T.ki}kbs)

∀T.{m ∈ MGp |∃σ ∈ Γ.m σ = {T.ki}kbs σ } = {({Q1.W2.A8.B8}KA8S5, σ17), ({T1.W3.A9.B9}KB9S6, σ18), ({Q2.k1i}KA10S7, σ19), ({T2.k2i}KB11S8, σ20)} such that:
  σ17 = {Q1 −→ T, A8 −→ B, S5 −→ S, ki −→ W2.B.B8}
  σ18 = {T1 −→ T, B9 −→ B, S6 −→ S, ki −→ W3.A9.B}
  σ19 = {Q2 −→ T, A10 −→ B, S7 −→ S, k1i −→ ki}
  σ20 = {T2 −→ T, B11 −→ B, S8 −→ S, k2i −→ ki}

ωp,F (T, rS+i) = ωp,F (T, {T.ki}kas)
= {Definition of the lower-bound of the witness-function}
  F (T, ∂[T]{Q1.W2.A8.B8}KA8S5 σ17) F (T, ∂[T]{T1.W3.A9.B9}KB9S6 σ18) F (T, ∂[T]{Q2.k1i}KA10S7 σ19) F (T, ∂[T]{T2.k2i}KB11S8 σ20)
= {Setting the static neighborhood}
  F (T, ∂[T]{Q1.W2.B.B8}kbs σ17) F (T, ∂[T]{T1.W3.A9.B}kbs σ18) F (T, ∂[T]{Q2.ki}kbs σ19) F (T, ∂[T]{T2.ki}kbs σ20)
= {Definition 6}
  F (Q1, ∂[Q1]{Q1.W2.B.B8}kbs) F (T1, ∂[T1]{T1.W3.A9.B}kbs) F (Q2, ∂[Q2]{Q2.ki}kbs) F (T2, ∂[T2]{T2.ki}kbs)
= {Derivation in Definition 5}
  F (Q1, {Q1.B.B8}kbs) F (T1, {T1.A9.B}kbs) F (Q2, {Q2.ki}kbs) F (T2, {T2.ki}kbs)
= {Since F = F^EK_MAX}
  {B, B8, S} ∪ {A9, B, S} ∪ {B, S} ∪ {B, S} = {B, B8, S, A9} (C.10)

5- Compliance with Theorem 2:
From (C.1) and (C.2), we have: ωp,F (W, rS+i) = ⊥ W F (W, ∂[W]RS−i) = W ⊥ = ⊥ (C.11)
From (C.3) and (C.4), we have: ωp,F (Q, rS+i) = {A, A9, B8, S} Q F (Q, ∂[Q]RS−i) = Q {A, B, S} (C.12)
From (C.5) and (C.8), we have: ωp,F (ki, rS+i) = {A, B, S} ki F (ki, ∂[ki]RS−i) = {A, B, S} = {A, B, S} (C.13)
From (C.9) and (C.10), we have: ωp,F (T, rS+i) = {B, B8, S, A9} T F (T, ∂[T]RS−i) = T {A, B, S} (C.14)
From (C.12) and (C.14) we have: the messages exchanged in the session Si in the generalized role of S do not respect Theorem 2. (III)

VI. RESULTS AND INTERPRETATION

The results of verification of the Otway-Rees protocol are summed up in Table II. We conclude that this protocol does not satisfy Theorem 2. Therefore, it could not be certified correct with respect to secrecy. This result is natural since the Otway-Rees protocol contains a well-known type flaw [7] as described in Fig 1. That is, an adversary I, impersonating the server S, can feed A with the string M.A.B as the session key kab that he will share with B and therefore he can eavesdrop on all their subsequent communications. In our analysis, this scenario is very well captured. It results in the drop of the security level of Q and T in the generalized role of S (see the rows 6 and 8 of Table II). This fall of security is due to some evil identities in some provenances of {Q.ki}kas and {T.ki}kbs in MGp that may illicitly substitute the session key ki and be placed beside Q or T in the sent message W.{Q.ki}kas.{T.ki}kbs (see C.12 and C.14). In other words, the evil manipulation (substitution) by the adversary of the session key is responsible for the fall of security of Q and T. The lower-bound of the used witness-function reacts well to that manipulation and traps these evil identities.

TABLE II: COMPLIANCE OF THE OTWAY-REES PROTOCOL WITH THEOREM 2

No. | s   | Role | R−                               | r+                      | Theor. 2
1   | Nai | A    |                                  | M.A.B.{Nai.M.A.B}kas    |
2   | Nbi | B    | Y.A.B.Z                          | Y.A.B.Z.{Nbi.Y.A.B}kbs  |
3   | ∀Y  | B    | Y.A.B.Z                          | Y.A.B.Z.{Nbi.Y.A.B}kbs  |
4   | ∀Z  | B    | Y.A.B.Z                          | Y.A.B.Z.{Nbi.Y.A.B}kbs  |
5   | ∀Y  | B    | Y.U.{Nbi.V}kbs                   | Y.U                     |
6   | ∀U  | B    | Y.U.{Nbi.V}kbs                   | Y.U                     |
7   | ∀V  | B    | Y.U.{Nbi.V}kbs                   | Y.U                     |
8   | ∀W  | S    | W.A.B.{Q.W.A.B}kas.{T.W.A.B}kbs  | W.{Q.ki}kas.{T.ki}kbs   |
9   | ∀Q  | S    | W.A.B.{Q.W.A.B}kas.{T.W.A.B}kbs  | W.{Q.ki}kas.{T.ki}kbs   |
10  | ki  | S    | W.A.B.{Q.W.A.B}kas.{T.W.A.B}kbs  | W.{Q.ki}kas.{T.ki}kbs   |
11  | ∀T  | S    | W.A.B.{Q.W.A.B}kas.{T.W.A.B}kbs  | W.{Q.ki}kas.{T.ki}kbs   |
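The F^EK_MAX computation of Example 1 and the Theorem 2 check on Q and ki in the generalized role of S, as an added Python example that is not code from the paper. It assumes the level {A, B, S} for s, Q and ki, takes the derivative messages as they are written in (C.3) to (C.7), and the names Enc, Context, f_ek_max, lower_bound and respects_theorem_2 are hypothetical.

```python
from dataclasses import dataclass

# A security level is a set of agent identities. The supremum is the empty
# set, the infimum is the set of all identities, "a is at least b" is a <= b
# (subset), and the minimum of two levels is their union.
TOP = frozenset()


@dataclass(frozen=True)
class Enc:
    """{body}key, where body is a tuple of atoms (str) and nested Enc terms."""
    body: tuple
    key: str


@dataclass(frozen=True)
class Context:
    identities: frozenset  # atoms that are agent identities
    key_level: dict        # key -> agents that know the inverse key

    @property
    def bottom(self):
        return self.identities  # infimum: every agent may learn the atom


def atoms(term):
    """All atoms occurring in a term (keys excluded)."""
    if isinstance(term, str):
        return {term}
    parts = term.body if isinstance(term, Enc) else term
    return set().union(*(atoms(p) for p in parts))


def f_ek_max(s, term, level, ctx):
    """F^EK_MAX(s, term) on a ground (derivative) term, given the level of s."""
    if isinstance(term, str):
        # s in clear has no protective key; any other atom says nothing about s
        return ctx.bottom if term == s else TOP
    if isinstance(term, tuple):
        # concatenation: union of the selections made in each part
        return frozenset().union(*(f_ek_max(s, p, level, ctx) for p in term))
    if s not in atoms(term):
        return TOP
    known_by = frozenset(ctx.key_level[term.key])
    if known_by <= level:
        # outermost protective key: identities travelling with s under this
        # encryption, plus the agents that know the inverse key
        travelling = frozenset(atoms(term) & ctx.identities) - {s}
        return travelling | known_by
    # the key does not protect s: look through it
    return f_ek_max(s, term.body, level, ctx)


def lower_bound(provenances, level, ctx):
    """Minimum (union) of F over (secret, derivative message) provenances."""
    return frozenset().union(*(f_ek_max(s, m, level, ctx) for s, m in provenances))


def respects_theorem_2(sent, level, received):
    """sent must be at least min(level, received): sent <= level | received."""
    return sent <= (level | received)


# Constructed context: identities and key knowledge as given on the page.
CTX = Context(
    identities=frozenset({"A", "B", "S", "C", "D", "A9", "B8"}),
    key_level={"kas": {"A", "S"}, "kbs": {"B", "S"}, "kab": {"A", "B"}},
)
SECRET = frozenset({"A", "B", "S"})  # assumed level of s, Q and ki


def example_1():
    """m = {C.{s.D}kas}kab from Example 1."""
    return f_ek_max("s", Enc(("C", Enc(("s", "D"), "kas")), "kab"), SECRET, CTX)


def check_q():
    """Q in the role of S: receive bound (C.3) against lower bound (C.4)."""
    received = f_ek_max(
        "Q", ("A", "B", Enc(("Q", "A", "B"), "kas"), Enc(("A", "B"), "kbs")),
        SECRET, CTX)
    sent = lower_bound([
        ("Q1", Enc(("Q1", "A", "B8"), "kas")),
        ("T1", Enc(("T1", "A9", "A"), "kas")),
        ("Q2", Enc(("Q2", "ki"), "kas")),
        ("T2", Enc(("T2", "ki"), "kas")),
    ], SECRET, CTX)
    return sent, received, respects_theorem_2(sent, SECRET, received)


def check_k():
    """ki in the role of S: receive bound (C.5) against (C.6) and (C.7)."""
    received = f_ek_max(
        "ki", ("A", "B", Enc(("A", "B"), "kas"), Enc(("A", "B"), "kbs")),
        SECRET, CTX)
    sent = lower_bound([
        ("X1", Enc(("NA", "X1"), "kas")), ("ki", Enc(("ki",), "kas")),
        ("X1", Enc(("NA", "X1"), "kbs")), ("ki", Enc(("ki",), "kbs")),
    ], SECRET, CTX)
    return sent, received, respects_theorem_2(sent, SECRET, received)
```

The identities reported for Q beyond {A, B, S} are A9 and B8, the ones that enter through the untyped session key position.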
  1, A → B : M.A.B.{Na.M.A.B}kas
  2, B → I(S) : M.A.B.{Na.M.A.B}kas.{Nb.M.A.B}kbs
  3, I(S) → B : M.{Na.M.A.B}kas.{Nb.M.A.B}kbs   (M.A.B in the position of kab in both encryptions)
  4, B → A : M.{Na.M.A.B}kas   (M.A.B in the position of kab)

Fig. 1. Attack Scenario on the Otway-Rees Protocol

VII. RELATED WORKS

Cryptographic protocols are the heart of security in all communications. Using cryptography is crucial to ensure the protocol security; however, it is not sufficient. Saying that a protocol is correct with respect to a given security property or not is an undecidable problem in general [8]. However, several methods (logic-based methods, model-checking-based methods, typing-based methods, etc.) and tools have emerged [9]–[15] to answer this question under restrictive assumptions and led to varying results. Most of these methods are dynamic and encounter the halting problem mainly caused by the infinite space of valid traces that may involve flaws. Some others are static [16]–[21] but have important limitations. For example, the interpretation-functions proposed in [16]–[19] for secrecy led to a high rate of false negatives (i.e. correct protocols that could not be proven correct). The rank-functions proposed in [20], [21] for authentication are difficult to design and their existence is not always assured [22]. They strongly depend on the protocol definition. Variables and their substitution are the hardest problem in a static analysis. A witness-function cunningly overcomes this problem owing to its static bounds. These bounds are variable free in output thanks to their built-in derivation that gets rid of any item that cannot be determined statically. A witness-function can also draw attack scenarios in the non-growing steps of the protocol, as we saw in the Otway-Rees protocol analysis.

VIII. CONCLUSION AND FUTURE WORK

In this paper, we have shown that witness-functions, in addition to their capability to establish protocols correctness [1], can help us trace flaws. In a future work, we will state sufficient conditions for secrecy of composed protocols [23]–[25] using witness-functions. For that, we believe that witness-functions that consider the union of encryption patterns generated by every single running protocol should suffice to prove the correctness of the resulting one with respect to secrecy. We intend to extend our functions to authentication, too.
ACKNOWLEDGMENT
We had a useful and rich discussion with Monica Nesi from the Department of Information Engineering, Computer Science and Mathematics, Via Vetoio, I-67100 Coppito, L’Aquila, Italy. We would like to thank her for her precious time and valuable comments.
REFERENCES
[1] J. Fattahi, M. Mejri, and H. Houmani, “Secrecy by witness functions,” in Proceedings of the Formal Methods for Security Workshop co-located with the PetriNets-2014 Conference, Tunis, Tunisia, June 23rd, 2014, 2014, pp. 34–52. [Online]. Available: http://ceur-ws.org/Vol-1158/paper3.pdf
[2] ——, “Relaxed Conditions for Secrecy in a Role-Based specification,” International Journal of Information Security, vol. 1, no. 1, pp. 33–36, Jul. 2014.
[3] M. Debbabi, Y. Legaré, and M. Mejri, “An environment for the specification and analysis of cryptoprotocols,” in ACSAC, 1998, pp. 321–332.
[4] M. Debbabi, M. Mejri, N. Tawbi, and I. Yahmadi, “Formal automatic verification of authentication cryptographic protocols,” in ICFEM, 1997, pp. 50–59.
[5] ——, “From protocol specifications to flaws and attack scenarios: An automatic and formal algorithm,” in WETICE, 1997, pp. 256–262.
[6] D. Dolev and A. C.-C. Yao, “On the security of public key protocols,” IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198–207, 1983.
[7] M. Nesi and G. Nocera, “Deriving the type flaw attacks in the otway-rees protocol by rewriting,” Nordic J. of Computing, vol. 13, no. 1, pp. 78–97, Jun. 2006. [Online]. Available: http://dl.acm.org/citation.cfm?id=1161593.1161599
[8] V. Cortier and S. Delaune, “Decidability and combination results for two notions of knowledge in security protocols,” J. Autom. Reasoning, vol. 48, no. 4, pp. 441–487, 2012.
[9] L. Viganò, “Automated security protocol analysis with the avispa tool,” Electr. Notes Theor. Comput. Sci., vol. 155, pp. 61–86, 2006.
[10] M. Saleh and M. Debbabi, “Modeling security protocols as games,” in IAS, 2007, pp. 253–260.
[11] J. C. Mitchell, M. Mitchell, and U. Stern, “Automated analysis of cryptographic protocols using mur-phi,” in IEEE Symposium on Security and Privacy, 1997, pp. 141–151.
[12] J. K. Millen, S. C. Clark, and S. B. Freeman, “The interrogator: Protocol security analysis,” IEEE Trans. Softw. Eng., vol. 13, no. 2, pp. 274–288, Feb. 1987. [Online]. Available: http://dx.doi.org/10.1109/TSE.1987.233151
[13] M. Debbabi, M. Mejri, N. Tawbi, and I. Yahmadi, “Formal automatic verification of authentication cryptographic protocols,” in ICFEM, 1997, pp. 50–59.
[14] B. Blanchet, “An efficient cryptographic protocol verifier based on prolog rules.” in CSFW. IEEE Computer Society, 2001, pp. 82–96. [Online]. Available: http://dblp.uni-trier.de/db/conf/csfw/csfw2001.html#Blanchet01
[15] C. Meadows, “Analysis of the internet key exchange protocol using the nrl protocol analyzer,” in IEEE Symposium on Security and Privacy, 1999, pp. 216–231.
[16] H. Houmani and M. Mejri, “Practical and universal interpretation functions for secrecy,” in SECRYPT, 2007, pp. 157–164.
[17] ——, “Ensuring the correctness of cryptographic protocols with respect to secrecy,” in SECRYPT, 2008, pp. 184–189.
[18] ——, “Formal analysis of set and nsl protocols using the interpretation functions-based method,” Journal Comp. Netw. and Communic., vol. 2012, 2012.
[19] H. Houmani, M. Mejri, and H. Fujita, “Secrecy of cryptographic protocols under equational theory,” Knowl.-Based Syst., vol. 22, no. 3, pp. 160–173, 2009.
[20] S. Schneider, “Security properties and csp,” in IEEE Symposium on Security and Privacy, 1996, pp. 174–187.
[21] S. A. Schneider and R. Delicata, “Verifying security protocols: An application of csp,” in 25 Years Communicating Sequential Processes, 2004, pp. 243–263.
[22] J. Heather and S. Schneider, “A decision procedure for the existence of a rank function,” J. Comput. Secur., vol. 13, no. 2, pp. 317–344, Mar. 2005. [Online]. Available: http://dl.acm.org/citation.cfm?id=1077819.1077823
[23] S. Ciobaca and V. Cortier, “Protocol composition for arbitrary primitives,” 2012 IEEE 25th Computer Security Foundations Symposium, vol. 0, pp. 322–336, 2010.
[24] V. Cortier, “Secure composition of protocols,” in TOSCA, 2011, pp. 29–32.
[25] V. Cortier and S. Delaune, “Safely composing security protocols,” Formal Methods in System Design, vol. 34, no. 1, pp. 1–36, 2009.