Verifying Cryptographic Protocols with Subterm Constraints

Yannick Chevalier (1), Denis Lugiez (2) and Michaël Rusinowitch (3)

1 IRIT, Team LiLac, Université de Toulouse, France. email: [email protected]
2 LIF, CNRS, Aix-Marseille Université, France. email: [email protected]
3 LORIA-INRIA-Lorraine, France. email: [email protected]

Abstract. Many analysis techniques and decidability results have been obtained for cryptographic protocols. However all of them consider protocols with limited procedures for the processing of messages by agents or intruders: information expected in a protocol message has to be located at a fixed position. This is too restrictive, for instance, to model web-service protocols where messages are XML semi-structured documents and where significant information (name, signature, . . . ) has to be extracted from some nodes occurring at flexible positions. Therefore we extend the standard Dolev-Yao intruder model by a subterm predicate that allows one to express a larger class of protocols that employ data extraction by subterm matching. This also allows one to detect so-called rewriting attacks that are specific to web services. In particular we show that protocol insecurity is decidable with complexity NP for finite sessions in this new model. The proof is not a consequence of the standard finite sessions case; on the contrary, it also provides a new short proof for this case.

1 Introduction

Cryptographic protocols have been applied to securing communications over an insecure network for many years. However, the underlying difficulties in properly designing cryptographic protocols are reflected by the repeated discovery of logical bugs in these protocols. As an attempt to solve the problem, there has been a sustained effort to devise formal methods for specifying and verifying the security goals of protocols. Various symbolic approaches have been proposed to represent protocols and reason about them, and to attempt to verify security properties such as confidentiality and authenticity, or to discover bugs. Such approaches include process algebra, model-checking, modal logics, equational reasoning, constraint solving and resolution theorem-proving (e.g., [20, 1, 5, 2]). Although some of these approaches have been successful in detecting security flaws or showing their absence in many protocols, their scope remains limited. Typically in all this work the processing of messages by agents or intruders is very limited: information expected in a protocol message has to be located at a fixed position. However this is too restrictive, for instance, to model web-service protocols where messages are XML semi-structured documents and where significant information (name, signature, . . . ) has to be extracted from some nodes occurring at flexible positions. Also protocols for searching databases (such as the LDAP protocol for internet directories) cannot be modelled properly in the previous approaches.⁴ As a first step to relax these restrictions, we consider an extension of the standard Dolev-Yao intruder model by a subterm predicate that allows one to express protocols applying subterm matching for extracting data in a received message. This extended model also allows one to detect some rewriting attacks that are specific to web services. In particular we show that protocol insecurity (i.e. whether the protocol preserves the confidentiality of some data) is decidable with complexity NP for a fixed number of protocol sessions. The proof is short and does not follow from previous ones. As a matter of fact our result also gives as a by-product a new short proof that insecurity is in NP for the standard Dolev-Yao case with non-atomic keys.

⋆ This work has been supported by ARA SSIA Cops.

Related work. Several decidability and complexity results have been obtained for cryptographic protocols [1, 16, 5, 18]. These results have been extended to handle algebraic properties of basic cryptographic primitives [3, 15, 10]. In particular we have shown in [6] how to handle an associative-commutative message constructor. The result in [6] relies on unification and combination techniques [7] and allows the modelling of an immediate subterm relation: a is an immediate subterm of a.f(b) where . is associative-commutative, but b is not. Here we consider an unrestricted subterm relation which allows one to detect attacks on XML protocols that are out of the scope of [6], as shown in Section 2. In [9] the authors consider ordering constraints on atomic keys, but do not give a precise complexity analysis. The results of the present paper are in some respects extensions of [9] and rely on a different proof technique. The previous works on web service security protocols (e.g. [13, 8]) have rather focused on encoding XML messages and on the design of attack-preserving abstractions. To our knowledge no specific decidability results have been provided yet in this context.

Paper organization. In Section 2 we give an example of an attack on a web service that motivates our result. In Section 3 we introduce the needed basic notions on terms and subterm constraints. Then we present in Section 4 the protocol model we consider. In Section 5 we introduce the constraints we have to solve to verify security properties of a protocol in the given model. Then Sections 6, 8, 9, 10, 11 correspond to the different steps of the algorithm for solving these constraints. We conclude in Section 12.

⁴ Since honest agents in usual models [4] can only search a fixed part of the database.

2 Motivating Example

Web services promise to be a standard technology for Internet and enterprise networks. They require the ability to securely transmit messages in XML syntax using the SOAP protocol. Messages that travel over the networks can be observed and modified by intruders. Hence the protocol was extended by W3C to allow one to sign and encrypt some parts of the contents. They can be subject to the same attacks as classical cryptographic protocols, but the XML syntax and the specific way messages are processed (e.g. not examining the full content) also give the opportunity to mount a new class of attacks, as shown in [8] and illustrated by the following example. These attacks are sometimes called XML rewriting attacks since the intruder modifies some message contents for his purpose.

Example 1. Let us consider an abstraction of the security protocol P that supports a travel agency service and composes two roles: a client A and a server B. Each role consists of send (!) and receive (?) actions combined with some pattern-matching process.

Client A:
$!x^A_1 = \langle se(h(order(x, y, z)), K_{A,B}),\ order(x, y, z)\rangle$
$?x^A_2 = \langle u_h, u_b\rangle$ where $se(h(order(x, y, z)), K_{A,B}) \prec u_h$, $se(accesscode(z), K_{x,y}) \prec u_b$

Server B:
$?x^B_1 = \langle v_h, v_b\rangle$ where $se(h(order(x, y, z)), K_{A,B}) \prec v_h$, $order(x, y, z) \prec v_b$
$!x^B_2 = \langle se(h(order(x', y', z')), K_{A,B}),\ se(accesscode(z'), K_{x',y'})\rangle$ where $order(x', y', z') \prec v_b$

where ≺ denotes the subtree relation, h denotes a hashing function, order(x, y, z) denotes the request for trip z for beneficiary x, with y the account to charge, accesscode(z) is the code requested to get the ticket from an automaton, se(u, v) denotes the encryption of u using key v, and $K_{x,y}$ denotes a private key shared by x and y. The symbol ⟨ , ⟩ is a free binary symbol that denotes pairing. The intruder's deductive power is given by the classical Dolev-Yao rules (see [12]) extended by a rule that allows one to select any argument of a free symbol. For some realistic implementations of the service, the following attack (described in [17]) will be possible:

$A \to I(B) : \langle se(h(order(A, A, Erevan)), K_{A,B}),\ order(A, A, Erevan)\rangle$
$I(A) \to B : \langle\langle se(h(order(A, A, Erevan)), K_{A,B}),\ order(C, A, Hawaii)\rangle,\ Bogus(order(A, A, Erevan))\rangle$
$B \to I(A) : \langle se(h(order(A, A, Erevan)), K_{A,B}),\ se(accesscode(Hawaii), K_{C,B})\rangle$

where I(A) (resp. I(B)) denotes a malicious agent I masquerading as the honest participant A (resp. B), and the secret key $SK_C$ is known by I (C = I or C has been compromised). The Bogus symbol mimics an encapsulation ... with a Bogus header. The element and its content are ignored by the receiver since the header is unknown. However the signature is still acceptable since the element that is linked to the signature (via its URI) remains in the message.

Example 2. The subterm relation can be quite useful to model database search, as in the following simple protocol (inspired by the Lightweight Directory Access Protocol) for retrieving public keys of users in some directory D owned by some server B. We assume that the term D represents a tree-structured directory and that the records are leaves of type r(name, pkey). K is a term representing the knowledge set of A.

Client A: $!x^A_1$ where $x^A_1 \prec K$; $?x^A_2$ where $x^A_2 = se(Y', K_{A,B})$
Server B: $?x^B_1$; $!x^B_2 = se(Y, K_{A,B})$ where $r(x^B_1, Y) \prec D$

3 Terms, Unification and Subterm Relation

We refer to [11] for all notions on terms, substitutions, . . . and recall only the main ones. Terms are constructed from a finite set of function symbols F and a denumerable set of variables X, and $T_F(X)$ denotes the set of terms. The set of ground terms is denoted by $T_F$. Constants are functions of arity 0. For finite sets of terms, we abbreviate E ∪ F by E, F, the union E ∪ {t} by E, t and E \ {t} by E \ t. The set of subterms of a term t, denoted by Sub(t), is the smallest set such that Sub(t) = {t} if t ∈ X or t is a constant, and $Sub(t) = \{t\} \cup \bigcup_{i=1}^{n} Sub(t_i)$ if $t = f(t_1, \dots, t_n)$. A subterm s of t is strict if s ≠ t. The size of a term t, denoted by size(t), is the cardinality of Sub(t). A position is a sequence of integers and the subterm of t at position p, denoted by $t|_p$, is defined by $t|_p = t$ if p = ε, and $t|_{p.i} = t_i$ if $t|_p = f(t_1, \dots, t_n)$, i ≤ n. The set of positions in a term t is denoted by Pos(t). Var(t) denotes the set of variables occurring in the term t. A substitution σ is defined by $\sigma = \{x_1 \leftarrow t_1, \dots, x_n \leftarrow t_n\}$ where $\{x_1, \dots, x_n\}$ is the domain of σ, denoted by Dom(σ). The substitution is ground if $Var(t_i) = \emptyset$ for i = 1, . . . , n.

A unification system S is a finite set of equations $(u_i \stackrel{?}{=} v_i)_{i \in \{1,\dots,n\}}$ where $u_i, v_i \in T_F(X)$ for i = 1, . . . , n. A ground substitution σ is a solution of S, denoted by σ |= S, iff for i = 1, . . . , n we have $u_i\sigma = v_i\sigma$. A subterm constraint is an expression s ≺ t where ≺ denotes the strict subterm relation on terms. The notation s ⪯ t stands for s ≺ t ∨ s = t. Let σ be a substitution; we write σ |= s ≺ t iff sσ ∈ Sub(tσ) and sσ ≠ tσ, and we say that σ is a solution of, or satisfies, s ≺ t. A subterm constraint system T is a finite set of subterm constraints. A substitution is a solution of a subterm constraint system iff it is a solution of each constraint of the system. There exist polynomial time algorithms for solving unification systems and an NPTIME procedure to solve subterm constraint systems [19].
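As an added example (not code from the paper), the following Python models the notions of this section on a small term algebra: Sub(t), positions, substitutions, the mgu of a unification system and the check σ |= s ≺ t, applied to a constructed directory term in the style of Example 2. The tuple encoding of terms and the directory D are assumptions of the example.

```python
# Added example (not from the paper): the notions of Section 3 on a small term
# algebra. A variable is a str starting with '?', a constant is any other str and
# a compound term f(t1,...,tn) is the tuple (f, t1, ..., tn). Unification is the
# standard syntactic (Martelli-Montanari style) algorithm with occurs check.

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def args(t):
    return t[1:] if isinstance(t, tuple) else ()

def sub(t):
    """Sub(t): the set of subterms of t, t included."""
    s = {t}
    for a in args(t):
        s |= sub(a)
    return s

def size(t):
    """size(t) = |Sub(t)|."""
    return len(sub(t))

def at(t, p):
    """t|p for a position p written as a tuple of 1-based argument indices,
    the empty tuple being the root position ε."""
    for i in p:
        t = args(t)[i - 1]
    return t

def variables(t):
    """Var(t)."""
    return {u for u in sub(t) if is_var(u)}

def apply(sigma, t):
    """tσ for a substitution σ given as a dict {variable: term}."""
    if is_var(t):
        return sigma.get(t, t)
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply(sigma, a) for a in t[1:])
    return t

def unify(system):
    """mgu of a unification system [(u1, v1), ...] as a dict, or None if the
    system has no solution. The result is kept idempotent: every new binding
    is substituted into the bindings found so far."""
    sigma, work = {}, list(system)
    while work:
        u, v = work.pop()
        u, v = apply(sigma, u), apply(sigma, v)
        if u == v:
            continue
        if is_var(v) and not is_var(u):
            u, v = v, u
        if is_var(u):
            if u in variables(v):           # occurs check: x = f(.. x ..)
                return None
            sigma = {x: apply({u: v}, t) for x, t in sigma.items()}
            sigma[u] = v
        elif isinstance(u, tuple) and isinstance(v, tuple) \
                and u[0] == v[0] and len(u) == len(v):
            work.extend(zip(u[1:], v[1:]))  # decompose f(..) = f(..)
        else:
            return None                     # symbol clash or constant mismatch
    return sigma

def satisfies_subterm(sigma, s, t):
    """σ |= s ≺ t  iff  sσ ∈ Sub(tσ) and sσ ≠ tσ (strict subterm)."""
    ss, ts = apply(sigma, s), apply(sigma, t)
    return ss in sub(ts) and ss != ts

def satisfies(sigma, S, T):
    """σ |= S (a list of equations) and σ |= T (a list of constraints s ≺ t)."""
    return all(apply(sigma, u) == apply(sigma, v) for u, v in S) and \
        all(satisfies_subterm(sigma, s, t) for s, t in T)

# Constructed directory in the style of Example 2: a tree whose leaves are
# records r(name, pkey); the server's constraint is r(x, Y) ≺ D.
D = ('dir', ('r', 'A', 'pkA'), ('dir', ('r', 'B', 'pkB'), ('r', 'C', 'pkC')))
LOOKUP = [(('r', '?x', '?Y'), D)]          # the subterm constraint system T

def lookup_solutions():
    """Every ground σ over the constants of D satisfying r(x, Y) ≺ D: exactly
    the records of D, i.e. the answers the directory may return for a name x."""
    consts = {u for u in sub(D) if isinstance(u, str)}
    return sorted((n, k) for n in consts for k in consts
                  if satisfies({'?x': n, '?Y': k}, [], LOOKUP))

if __name__ == '__main__':
    print(unify([(('g', 'a'), ('g', '?x'))]))   # {'?x': 'a'}
    print(lookup_solutions())
```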

4 Protocol Model

4.1 Dolev-Yao Model

A protocol is defined by a finite set of roles (denoted by A, B, . . . ) acting in this protocol. Each role is specified by a finite sequence of receive/send actions to perform according to its current state and is parameterized by some variables that represent the arguments passed to the program at the beginning of its execution. An agent is defined by a set of values (its identity, its public/private keys, . . . ) and a role instance is the execution of a role with its values as parameters. In the Dolev-Yao model [12], attacks on protocols are modelled by the addition of a malicious participant, called the intruder, that controls the network. It can intercept, block and/or redirect all messages sent by honest agents. It can also masquerade its identity and take part in the protocol under the identity of an honest participant. Its control of the communication network is modelled by assuming that all messages sent by honest agents are sent directly to the intruder and that all messages received by the honest agents are always sent by the intruder. Besides the control of the net, the intruder has specific rules to deduce new values and compute messages. From the intruder's point of view a finite execution of a protocol is therefore the interleaving of a finite sequence of messages it has to send and a finite sequence of messages it receives (and adds to its knowledge). Therefore the intruder is simply an additional role that runs concurrently with the honest participants. The protocol is said to be insecure if some secret knowledge is revealed to the intruder during the execution of the protocol. Deciding whether a protocol is insecure (for a single or a fixed number of sessions) has been shown equivalent to solving constraints in a term algebra [16, 1, 5].

4.2 Deduction Rules

Deduction rules are introduced to describe the operational behavior of roles (including the intruder). They are used to define deduction systems and derivations on sets of ground terms. A rule pattern d is a rule $s_1, \dots, s_n \to s$ where $s_1, \dots, s_n, s$ are terms of $T_F(X)$, and $Var(s) \subseteq \bigcup_{i=1,\dots,n} Var(s_i)$. The set GI(d) is the set of instances of d, i.e. $GI(d) = \{l_1, \dots, l_n \to r \mid l_i = s_i\sigma,\ i = 1, \dots, n,\ r = s\sigma,\ \sigma \text{ ground substitution}\}$. An instance of a rule pattern is called a deduction rule. The Dolev-Yao model is defined by the following deduction system. The signature is F = {se(·, ·), ⟨·, ·⟩, . . . }, where se(x, y) denotes the symmetric encryption of x by the key y and ⟨x, y⟩ denotes the pair of two messages x and y, and the rule patterns are:

Composition rule patterns: x, y → se(x, y) ; x, y → ⟨x, y⟩

Decomposition rule patterns: se(x, y), y → x ; ⟨x, y⟩ → x ; ⟨x, y⟩ → y

The model can be extended with free symbols and the Composition rule and Decomposition rule patterns x1 , . . . , xn → f (x1 , . . . , xn ) and f (x1 , . . . , xn ) → xi (i = 1, . . . , n) for each symbol f of arity n. These new symbols and rules behave like the pairing operation and we shall not consider these symbols for the sake of simplicity.

The set $GI_c$ is the union of all ground instances of composition rule patterns, and the set $GI_d$ is the union of all ground instances of decomposition rule patterns. The set GI is the union of $GI_c$ and $GI_d$. We shall also call a (de)composition rule a ground instance of a (de)composition rule pattern. Given two sets of ground terms E, F and a deduction rule l → r ∈ GI we write $E \to_{l \to r} F$ iff F = E ∪ {r} and l ⊆ E. Recall that l is a set of terms. We write E → F (resp. $E \to_d F$, resp. $E \to_c F$) if there exists a deduction rule l → r in GI (resp. $GI_d$, resp. $GI_c$) such that $E \to_{l \to r} F$. A derivation D of length n ≥ 0 is a sequence of finite sets of ground terms $E_0, \dots, E_n$ such that $E_0 \to E_1 \to \dots \to E_n$ where $E_i = E_{i-1}, t_i$ for every i ∈ {1, . . . , n}. The term $t_n$ is called the goal of the derivation. A derivation is without stutter iff $t_i \in E_j$ implies j ≥ i for i, j ∈ {1, . . . , n}. A term t is derivable from E if there exists a derivation starting from E of goal t. The set Der(E) is the set of terms derivable from E and the set $Der_c(E)$ is the set of terms derivable from E using only composition rules.
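As an added example (not code from the paper or its authors), the following Python decides membership in Der(E) and $Der_c(E)$ for the rules above, with free symbols projectable as described in Section 2 and the hash h treated as one-way, and then replays the trace of Example 1 symbolically. The tuple encoding of terms, the atomic keys K_AB and K_CB and the atomic secret code_Hawaii are assumptions of the example.

```python
# Added example (not from the paper): deciding t ∈ Der(E) and t ∈ Der_c(E) for
# the Dolev-Yao system of Section 4.2, then replaying the trace of Example 1
# symbolically. Terms: a constant is a str, a compound f(t1,...,tn) is the tuple
# (f, t1, ..., tn). 'se' and 'pair' follow the Dolev-Yao rules; 'h' is one-way
# (composable, never projected); any other symbol is a free symbol whose
# arguments the intruder may select, as in Section 2.

def sub(t):
    """Sub(t): all subterms of t, t included."""
    s = {t}
    if isinstance(t, tuple):
        for a in t[1:]:
            s |= sub(a)
    return s

def derivable(E, goal, compose_only=False):
    """True iff goal ∈ Der(E), or goal ∈ Der_c(E) when compose_only is set.

    Fixpoint over the finite set Sub(E ∪ {goal}): a decomposition only yields
    subterms of its premises, and a composition that builds a term outside
    Sub(E ∪ {goal}) can be dropped from any derivation of goal, so restricting
    the candidates to that set loses nothing (the usual locality argument)."""
    known = set(E)
    cands = set()
    for t in known | {goal}:
        cands |= sub(t)
    changed = True
    while changed:
        changed = False
        for t in cands - known:
            # composition: x, y -> se(x, y), x, y -> <x, y>, x1..xn -> f(x1..xn)
            ok = isinstance(t, tuple) and all(a in known for a in t[1:])
            if not ok and not compose_only:
                for u in known:
                    if not isinstance(u, tuple):
                        continue
                    if u[0] == 'se':
                        ok = u[1] == t and u[2] in known   # se(x, y), y -> x
                    elif u[0] != 'h':
                        ok = t in u[1:]                    # <x,y> -> x/y, f(..) -> xi
                    if ok:
                        break
            if ok:
                known.add(t)
                changed = True
    return goal in known

def order(x, y, z):
    return ('order', x, y, z)

def pair(x, y):
    return ('pair', x, y)

# Constructed instance of Example 1. K_AB and K_CB are atomic keys; the access
# code is modelled as the atomic secret 'code_Hawaii' (a free symbol
# accesscode(Hawaii) could be rebuilt by the intruder from 'Hawaii' alone).
SIGNED = ('se', ('h', order('A', 'A', 'Erevan')), 'K_AB')
MSG_A = pair(SIGNED, order('A', 'A', 'Erevan'))                       # A -> I(B)
MSG_I = pair(pair(SIGNED, order('C', 'A', 'Hawaii')),                  # I(A) -> B
             ('Bogus', order('A', 'A', 'Erevan')))
MSG_B = pair(SIGNED, ('se', 'code_Hawaii', 'K_CB'))                    # B -> I(A)
INTRUDER = {'A', 'B', 'C', 'Hawaii', 'K_CB', MSG_A}

def replay_example1():
    """Checks on the Example 1 trace, each one a derivability question."""
    return {
        # the rewritten message is composable from what the intruder holds ...
        'can_send_rewritten': derivable(INTRUDER, MSG_I),
        # ... but a signature over its own order is not, as K_AB is unknown
        'can_forge_signature': derivable(
            INTRUDER, ('se', ('h', order('C', 'A', 'Hawaii')), 'K_AB')),
        # order(A, A, Erevan) needs a projection: in Der(E) but not in Der_c(E)
        'order_by_projection': derivable(INTRUDER, order('A', 'A', 'Erevan')),
        'order_by_composition_only': derivable(
            INTRUDER, order('A', 'A', 'Erevan'), compose_only=True),
        # B's subterm checks: the signed element and the signed order are
        # somewhere in the received message, and so is the injected order
        'signed_element_present': SIGNED in sub(MSG_I),
        'both_orders_present': {order('A', 'A', 'Erevan'),
                                order('C', 'A', 'Hawaii')} <= sub(MSG_I),
        # once B has answered, the access code is in the intruder's Der(E)
        'secret_leaks': derivable(INTRUDER | {MSG_B}, 'code_Hawaii'),
    }

if __name__ == '__main__':
    for name, value in replay_example1().items():
        print(f'{name}: {value}')
```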

5 Constraint Systems

The insecurity problem of protocols with subterm predicates can be reduced to solving special constraint systems to be defined below. The process of translating a security problem to a constraint system will not be detailed here since it is similar to the standard case [16, 5]. An expression E ⊲ t where E is a finite set of terms (not necessarily ground ones) and t ∈ $T_F(X)$ will be called a deduction constraint, and means that t can be deduced from E. A ground substitution σ is a solution of a deduction constraint, denoted by σ |= E ⊲ t, iff tσ ∈ Der(Eσ). We shall also consider a slight variant of deduction constraints denoted by E ⊲c t. A ground substitution σ is a solution of E ⊲c t iff tσ ∈ $Der_c(E\sigma)$.

A constraint system C is a triple $((E_i \rhd t_i)_{i \in \{1,\dots,n\}};\ S;\ T)$ where
1. the $E_i$ are finite sets of terms such that i) $E_{i-1} \subseteq E_i$, and ii) for each x occurring in a term of $E_i$, there exists j < i such that $x \in Var(t_j)$, or there exists s such that x ∈ Var(s) and $s \preceq t_i \in T$, or there exists a ground term t such that s ≺ t ∈ T. Property ii) is called determinacy;
2. S is a unification system;
3. T is a subterm constraint system.
A ground substitution is a solution of C, denoted by σ |= C, iff σ |= E ⊲ s for each E ⊲ s ∈ E, σ |= S and σ |= T.

Example 3. For instance, consider one session of the protocol described in Example 2:

Client A: $!x^A_1$ where $x^A_1 \prec K$; $?x^A_2$ where $x^A_2 = se(Y', K_{A,B})$
Server B: $?x^B_1$; $!x^B_2 = se(Y, K_{A,B})$ where $r(x^B_1, Y) \prec D$

The secrecy of Y, i.e. whether the intruder initially knowing {A, B} can view Y, can be reduced to solving the following constraint system:

$((\{A, B, w\} \rhd x,\ \{A, B, w, se(y, K_{A,B})\} \rhd y);\ \emptyset;\ \{w \prec K,\ r(x, y) \prec D\})$

In other words the intruder should build some well-chosen term x and send it to server B so that he receives back a term $se(y, K_{A,B})$ satisfying r(x, y) ≺ D, and from this term and his previous knowledge he can derive the secret term y. As mentioned above, we may also consider constraint systems where ⊲ is replaced by ⊲c.

A constraint system C = (E; S; T) is a solved form iff the following conditions are satisfied:
1. each deduction constraint has the form E ⊲ x where x is a variable,
2. S = ∅, and
3. each constraint of T has the form s ≺ x.
A solved form is normalized iff for each s ≺ x ∈ T, for each y ∈ Var(s), there exists a constraint $E_y \rhd y$ occurring before the first constraint $E_x \rhd x$ in E.

The main result of this paper is the following theorem.

Theorem 1. Satisfiability of constraint systems is decidable in NPTIME.

The rest of the paper is devoted to the description and the proof of correctness and completeness of the successive steps of an algorithm deciding the satisfiability of constraint systems in NPTIME. This algorithm is non-deterministic and applies 6 steps for transforming a constraint system $C_0 = (E_0; S_0; T_0)$ into a normalized solved form. Finally the satisfiability of the normalized solved form is checked in the last step.

6 Guessing Unification and Subterm Ordering

The first two steps of the algorithm guess identifications between subterms and subterm constraints.

Step 1: Guess a subset S′ of $\{s \stackrel{?}{=} t \mid s, t \in Sub(C_0)\}$ and guess a finite set T′ of subterm constraints s ≺ x for $s \in Sub(C_0)$, $x \in Var(C_0)$. Check that $S_0 \cup S'$ defines a congruence and that $T_0 \cup T'$ defines a transitive antisymmetric relation. Let $E_1 = E_0$, $S_1 = S_0 \cup S'$, $T_1 = T_0 \cup T'$, and finally $C_1 = (E_1; S_1; T_1)$. We check easily:

Lemma 1. If σ = mgu($S_1$) then $C_1\sigma$ respects the determinacy condition.

Step 2: Let σ = mgu($S_1$). Let $T_2$ be obtained from $T_1\sigma$ by applying the simplification rules:
  s ≺ t → true, if $t|_p = s$ for some position p in t;
  s ≺ t → s ≺ x for x ∈ Var(t), if there is no p such that $t|_p = s$.
Let $E_2 = E_1\sigma$ and let $C_2 = (E_2; S_2; T_2)$ where $S_2 = \emptyset$. Steps 1 and 2 are non-deterministic and there are finitely many possible outcomes $C_2$ since the number of guesses is finite and the number of possible results of the simplification rules is finite.

Remark 1. The simplification rules for ≺ are correct and complete because we perform all possible guesses of equalities between terms. For instance, given a constraint g(a) ≺ f(g(x)), one guess is g(a) = g(x), and the subterm constraint becomes g(a) ≺ f(g(a)); the other guesses make g(a) and g(x) different, and the subterm constraint is then equivalent to g(a) ≺ x.

Proposition 1. For each solution σ of $C_0$ there exists some $C_2$ such that σ is a solution of $C_2$. Each solution σ of $C_2$ is a solution of $C_0$.

Remark 2. A solution σ of the initial constraint system defines a congruence $\equiv_\sigma$ on the subterms of $C_0$, namely $s \equiv_\sigma t$ iff sσ = tσ. It also defines a transitive and antisymmetric relation $\prec_\sigma$ on $Sub(C_0)$, namely $s \prec_\sigma t$ iff sσ ∈ Sub(tσ) \ {tσ}. In Step 1 of the algorithm, we guess all possible choices for the congruence $\equiv_\sigma$ and the transitive and antisymmetric relation $\prec_\sigma$. Therefore, in the following we consider solutions that match exactly the congruence and the ordering guessed in Step 1, i.e. for all terms in $Sub(C_2)$, if the equality u = v is not induced by $S_2$ we shall assume that uσ ≠ vσ, and if u ≺ v is not induced by $S_2$ and $T_2$ we shall assume uσ ⊀ vσ.

This first guessing phase permits us to obtain the following two lemmas. We denote by s ⊑ t the reflexive transitive closure of the binary relation on terms defined by s ≺ t ∈ $T_2$ or s ∈ Sub(t).

Lemma 2. Let $C_2 = (E_2; S_2; T_2)$ and let $E_2 = (E_i \rhd s_i)_{i \in \{1,\dots,n\}}$. Let x be a variable in $E_i$. Then there is j < i such that $x \sqsubseteq s_j$, $x \notin Var(E_j)$ and $x\sigma \notin Sub(E_j\sigma)$.

Proof. Let j be minimal such that $x \sqsubseteq s_j$. The guesses at Step 1 imply that there is no $u \in Sub(E_j) \setminus x$ with uσ = xσ. By contradiction, if there is $y \in Var(E_j)$ such that x ⊑ y, by definition of constraint systems either there is j′ < j such that $y \sqsubseteq s_{j'}$ or there is a ground term t with y ≺ t. The latter is impossible since y has not been unified with a subterm of $C_0$ at Step 1. Hence $y \sqsubseteq s_{j'}$ and x ⊑ y. By transitivity we also have $x \sqsubseteq s_{j'}$, which contradicts the minimality of j.

Lemma 3. Let σ be a solution of $C_2 = (E_2; S_2; T_2)$ and let (E ⊲ s) ∈ $E_2$. Let t ∈ Sub($C_2$) be such that (i) t is not in Sub(E) and (ii) tσ ∈ Sub(sσ). Then tσ is in Der(Eσ) and there is a derivation of goal tσ ending with a composition rule.
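As an added example (not the authors' code), the following Python runs the two Step 2 simplification rules on the constraint g(a) ≺ f(g(x)) of Remark 1, for both kinds of guess, and implements one reading of the Step 1 check that the guessed constraints define a transitive antisymmetric relation. The tuple encoding of terms and the exact form of that check are assumptions of the example.

```python
# Added example (not from the paper): the ordering check of Step 1 and the two
# simplification rules of Step 2, exercised on the constraint g(a) ≺ f(g(x)) of
# Remark 1. Variables are str starting with '?', constants other str, and a
# compound term f(t1,...,tn) is the tuple (f, t1, ..., tn). How Step 1 verifies
# that T0 ∪ T′ "defines a transitive antisymmetric relation" is not spelled out
# on the page; is_strict_order below is one reading of it (an assumption).

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def sub(t):
    """Sub(t): all subterms of t, t included."""
    s = {t}
    if isinstance(t, tuple):
        for a in t[1:]:
            s |= sub(a)
    return s

def apply(sigma, t):
    """tσ for σ given as a dict {variable: term}."""
    if is_var(t):
        return sigma.get(t, t)
    if isinstance(t, tuple):
        return (t[0],) + tuple(apply(sigma, a) for a in t[1:])
    return t

def is_strict_order(T):
    """Step 1 check (one reading): the guessed constraints s ≺ t, together with
    the syntactic subterm relation on the terms involved, must close
    transitively into an irreflexive relation, i.e. no chain u ≺ ... ≺ u."""
    rel = set(T)
    for s, t in T:
        for v in sub(s) | sub(t):
            rel |= {(u, v) for u in sub(v) if u != v}   # strict syntactic subterms
    changed = True
    while changed:                                      # transitive closure
        changed = False
        for a, b in list(rel):
            for c, d in list(rel):
                if b == c and (a, d) not in rel:
                    rel.add((a, d))
                    changed = True
    return all(a != b for a, b in rel)

def simplify(s, t):
    """Step 2 rules on one constraint s ≺ t already instantiated by mgu(S1):
      s ≺ t → true         if t|p = s for some position p of t
      s ≺ t → s ≺ x        for some x ∈ Var(t), otherwise.
    Returns True, or the list of alternative constraints (s, x) offered by the
    second rule; an empty list means s ≺ t has no solution. The root position
    p = ε is excluded because ≺ is strict (Step 1 already rules out s = t)."""
    if s in sub(t) - {t}:
        return True
    return [(s, x) for x in sorted(u for u in sub(t) if is_var(u))]

def remark1():
    """The two kinds of guesses of Remark 1 for g(a) ≺ f(g(x))."""
    s, t = ('g', 'a'), ('f', ('g', '?x'))
    identified = {'?x': 'a'}              # mgu of the guess g(a) = g(x)
    return (simplify(apply(identified, s), apply(identified, t)),
            simplify(s, t))               # guess: g(a) and g(x) differ

if __name__ == '__main__':
    print(remark1())                      # (True, [(('g', 'a'), '?x')])
```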

Proof. Since the sequence $E_2 = (E_i \rhd s_i)_{i=1,\dots,n}$ is such that $E_i \subseteq E_j$ if i ≤ j, we may choose E ⊲ s as the first deduction constraint such that tσ ∈ Sub(sσ), and thus, given the guessing at Step 1, such that t ⊑ s. We first show that there is no x ∈ Var(E) such that tσ ∈ Sub(xσ), and thus t ⊑ x. By contradiction, if there exists such a variable x, by Lemma 2 there exists a constraint E′ ⊲ s′ prior to E ⊲ s such that x ⊑ s′. By transitivity of ⊑ this implies that t ⊑ s′, thereby contradicting the choice of the deduction constraint E ⊲ s. Thus there is no variable x ∈ Var(E) such that tσ is a subterm of xσ. Thus if tσ is in Sub(Eσ), there exists u ∈ Sub(E) \ Var(E) such that uσ = tσ. Given the choice at Step 1, this implies in turn that u = t, and thus that t ∈ Sub(E). The lemma is then trivially true since its hypotheses are not met on E.

Assume now tσ ∉ Sub(Eσ). Let D be a minimal derivation of goal sσ, say

$F_0 = E\sigma \to \dots \to F_j = E\sigma, t_1, \dots, t_j \to \dots \to F_m = E\sigma, t_1, \dots, t_m$ with $t_m = s\sigma$

Let j be the smallest index such that $t\sigma \in Sub(F_j)$. This index is defined since $t\sigma \in Sub(t_m)$, and is not 0 since tσ ∉ Sub(Eσ). The minimality implies that $t\sigma \notin Sub(F_{j-1})$, and thus $t\sigma \in Sub(t_j)$. Since the right-hand side of a decomposition rule is always a subterm of its left-hand side, the deduction rule applied must be a composition rule. In this case, $Sub(t_j) \setminus \{t_j\} \subseteq Sub(F_{j-1})$ and thus we must have $t_j = t\sigma$. Truncating the derivation yields a derivation starting from Eσ of goal tσ ending with a composition rule.

7 Adding Deduction Constraints for Variables

Given a constraint system $C = ((E_i \rhd s_i)_{i \in \{1,\dots,n\}};\ S;\ T)$, a variable x may occur in $Var(E_i)$ but not in $Var(s_j)$ for any j < i. The next step transforms the constraint system into a constraint system where every variable of $Var(E_i)$ occurs in $Var(s_j)$ for some j < i.

Step 3: For each variable x such that $x \in Var(E_i)$ and $x \notin Var(s_j)$ for all j < i, replace $(E_i \rhd s_i)$ in $E_2$ by $E_j \rhd x,\ E_i \rhd s_i$ for some j < i. Let $C_3 = (E_3; S_3; T_3)$ be the resulting constraint system. The correctness of the transformation relies on the following lemmas.

Lemma 4. Let $C_2 = (E_2; S_2; T_2)$ and let $E_i \rhd s_i \in E_2$ be such that there is a variable $x \in Var(E_i)$. Then there exists j < i such that for any solution σ of $C_2$ there is a derivation starting from $E_j\sigma$ of goal xσ ending with a composition rule.

Proof. By Lemma 2, the hypothesis $x \in Var(E_i)$ implies that there exists j < i with $x \notin Var(E_j)$ and such that $x \sqsubseteq s_j$. Applying Lemma 3 to x yields Lemma 4.

8 Eliminating Decomposition Rules

We prove in this section that for any deduction constraint E ⊲ m belonging to a constraint system $C_2$ produced by Step 2, if there exists a ground substitution σ solution of $C_2$, then there exists a derivation starting from Eσ of goal mσ such that any decomposition rule $s_1, s_2 \to s$ or $s_1 \to s$ applied in this derivation is such that there exists u ∈ Sub(E) \ Var(E) with u = se(t, d) or u = ⟨t, t′⟩ with $s_1 = u\sigma$, $s_2 = d\sigma$ and s = tσ or s = t′σ. This implies that there exists a subset of Sub(E) \ Var(E) such that, once these terms have been decomposed, all terms derivable from E can be derived by applying only composition rules. In Step 3, we guess this set of subterms of E. The derivation contains several instances of decomposition rules that derive a new term $t_j$ (a message below an encryption for instance) using a term $d_j$ (a term used as an encryption key for instance) which is derived using composition rules.

Step 4: For each (E ⊲ s) ∈ $E_3$, guess $t_1, \dots, t_n, d_1, \dots, d_n \in Sub(E)$ such that for j = 1, . . . , n,

$E, t_1, \dots, t_{j-1}, d_j \to_d E, t_1, \dots, t_j, d_j$

Replace (E ⊲ s) in $E_3$ by

$E \rhd_c d_1,\quad E, t_1 \rhd_c d_2,\quad \dots,\quad E, t_1, \dots, t_{n-1} \rhd_c d_n,\quad E, t_1, \dots, t_n \rhd_c s$

Let $C_4 = (E_4; S_4; T_4)$ be the resulting constraint system. To state the correctness and completeness of this step, we need to prove several lemmas.

Lemma 5. Let $C_3 = (E_3; S_3; T_3)$ and let σ be such that σ |= $C_3$, and σ |= E ⊲ s for E a left-hand side of a constraint in $E_3$ and s ∈ Sub($C_3$). Then there exists a derivation starting from Eσ of goal sσ that does not contain any decomposition of a term xσ for x ∈ Var(E).

Proof. By contradiction let us assume there exist E and s as specified such that the minimal number of decompositions of a term xσ (with x ∈ Var(E)) in a derivation starting from Eσ of goal sσ is n > 0. Without loss of generality let us consider this is the first such E in the order of the deduction constraints. Notice that this cannot be the leftmost E since the first left-hand side contains only ground terms (as a result of Step 3). Let x ∈ Var(E) be such that there exists a derivation with n decompositions of terms yσ with y ∈ Var(E), and x is one of those variables. By Lemma 4 there exists $E_x \rhd s_x$ before E ⊲ s such that there is a derivation starting from $E_x\sigma$ with goal xσ ending with a composition rule. By minimality of E we can assume that this derivation does not contain any decomposition of a term yσ for y ∈ Sub($E_x$). Since it ends with a composition rule, the strict maximal subterms of xσ, and thus the result of its decomposition, are also deduced by this derivation. Since $E_x \subseteq E$ by definition of constraint systems, we can replace the decomposition of xσ by this derivation. This permits us to obtain a derivation in which n − 1 variable instances are decomposed, thus contradicting the minimality of n.

Lemma 6. Let $C_3 = (E_3; S_3; T_3)$, let σ be such that σ |= $C_3$, let E ⊲ s ∈ $E_3$, and let

$S_E(s) = \{\varepsilon\} \cup \{p \in Pos(s) \mid \forall q < p,\ \sigma \models E \rhd s|_q$ and a derivation starting from Eσ of goal $s|_q\sigma$ ends with a composition rule$\}$

Then for any maximal position p in $S_E(s)$, we have $s|_p \in Sub(E) \cup X$. Moreover if $s|_p \notin X \cup E$, the term $s|_p$ is obtained by a decomposition rule applied to another term of Sub(E).

Proof. Let p be maximal in $S_E(s)$. Then either p = ε or there exists a position p′ and an integer i such that p = p′ · i. First, if p = ε then sσ cannot be obtained by a composition rule. Since σ |= E ⊲ s, by Lemma 3 we must have s ∈ Sub(E). Now if p ≠ ε, by definition of $S_E(s)$ we must have that $s|_{p'}\sigma$ is in Der(Eσ) and there exists a derivation starting from Eσ of goal $s|_{p'}\sigma$ ending with a composition rule. This implies that this derivation contains the term $s|_{p' \cdot i}\sigma$ in its next to last term set, and thus that $s|_p\sigma$ is in Der(Eσ). By maximality of p either $s|_p$ is a variable or there is no derivation starting from Eσ of goal $s|_p\sigma$ ending with a composition rule, and thus in this last case by Lemma 3 we must have $s|_p \in Sub(E)$. Thus, if p is maximal in $S_E(s)$ and $s|_p$ is not a variable, we have $s|_p\sigma \in Der(E\sigma)$, $s|_p \in Sub(E)$, and there exists no derivation starting from Eσ of goal $s|_p\sigma$ ending with a composition rule.

Let us now consider a derivation starting from Eσ of goal $s|_p\sigma$. Without loss of generality we can consider it is without stutter (and thus no decomposition is applied on a term that has been composed before) and such that no variable instance is decomposed (this is possible by Lemma 5). Let us prove that in this derivation, for any decomposition rule $t_1, t_2 \to t$ applied (with $t \in Sub(t_1)$), there exists u ∈ Sub(E) \ Var(E) such that $u\sigma = t_1$. By contradiction, let us assume this is not the case, and let $t_1, t_2 \to t$ be the first decomposition rule such that there does not exist u ∈ Sub(E) \ Var(E) with $u\sigma = t_1$. Since there is no stutter, $t_1$ has not been obtained by a composition rule. Thus either there exists u ∈ E with $u\sigma = t_1$ or there exists a previous decomposition rule $t'_1, t'_2 \to t_1$. Since we have taken the first decomposition rule $t_1, t_2 \to t$ where $t_1$ is not an instance of a non-variable subterm of E, there exists u′ ∈ Sub(E) \ Var(E) such that $u'\sigma = t'_1$. This implies there exists u ∈ Sub(E) such that $t_1 = u\sigma$. But then either u is a variable, and we contradict the fact that the derivation does not contain any decomposition of the instance of a variable, or u ∈ Sub(E) \ Var(E) and we contradict the fact that there does not exist u ∈ Sub(E) \ Var(E) such that $u\sigma = t_1$. This terminates the proof of the lemma.

Proposition 2. If $C_3$ is satisfiable, then there exist $t_1, \dots, t_n, d_1, \dots, d_n$, a sequence of guesses, such that $C_4$ is satisfiable. Moreover, for each t ∈ Sub($C_4$) and for each E left-hand side of a deduction constraint in $C_4$ we have σ |= E ⊲ t iff σ |= E ⊲c t.

Proof. Let $C_3 = (E_3; S_3; T_3)$ with $E_3 = (E_i \rhd s_i)_{i=1,\dots,m}$ and let us assume that $C_3$ has a solution σ. Firstly we prove that $C_4$ is satisfiable. Let

$M_i = \{t \mid \exists s \in Sub(C_4),\ \sigma \models E_i \rhd s \text{ and } t = s|_p \text{ with } p \text{ maximal in } S_{E_i}(t)\}$

First note that $M_i$ is finite and included in $Sub(E_i) \cup X$ by Lemma 6. Let $M_i \setminus E_i = \{t_1, \dots, t_n\}$ and let us choose $t_1, \dots, t_n$ as the sequence of guesses used in Step 3 for the $t_i$'s. By definition there is a derivation that constructs $t_1\sigma, \dots, t_n\sigma$ from $E_i\sigma$. W.l.o.g. we may assume that the indices of the $t_i$ are in the order in which they appear in this derivation. By Lemma 6, $t_i\sigma$ is obtained by the decomposition of a term $u_i\sigma$ with $u_i \in Sub(E_i)$. The decomposition is $u_i\sigma \to t_i\sigma$ (rule ⟨x, y⟩ → x) or $u_i\sigma, d_i\sigma \to t_i\sigma$ (rule se(x, y), y → x). Since all the terms that are not among the $t_i$ can be obtained by composition we can assume, by considering a derivation with a minimal number of decomposition rules, that all terms but the $t_i$ are deduced by a composition rule or are already present. Thus $d_i\sigma$ is composable using only composition rules from $E_i\sigma, t_1\sigma, \dots, t_{i-1}\sigma$. Provided that $u_i, d_i \to t_i$ is a decomposition rule, this implies that σ is a solution of $C_4$. Since the $t_i\sigma$ are obtained by decomposition of a term $u_i\sigma$ with $u_i \in Sub(E_i)$, the deduction rule instances permitting the deduction of $t_i\sigma$ are $u_i\sigma \to t_i\sigma$ for the pair and $u_i\sigma, d_i\sigma \to t_i\sigma$ for deciphering.

Now we prove that σ |= E ⊲ t iff σ |= E ⊲c t.
⇒ direction. This direction comes from the identification of subterms at Step 1 and from the definition of a right guess at Step 3, i.e. the guess at the beginning of this proof.
⇐ direction. Straightforward.

9 Computing Normalized Solved Forms

Step 5: For each E ⊲c s in $E_4$, check that s ∈ $Der_c(E \cup Var(s))$ and replace E ⊲c s by the deduction constraints E ⊲c x for all x ∈ Var(s). Let $C_5 = (E_5; S_5; T_5)$ be the resulting normalized solved form. The soundness and completeness of Step 5 is a direct consequence of the next proposition.

Proposition 3. Let $C_4 = (E_4; S_4; T_4)$ and m ∈ Sub($C_4$). Then we have τ |= E ⊲c m iff τ |= E ⊲c x for all x ∈ Var(m) and m ∈ $Der_c(E, Var(m))$.

Proof. Assume first that τ |= E ⊲c m. Let Π be the set of minimal positions in S(m). By Lemma 6 we know that $m|_p$ is either a variable or a term among the $t_j$ terms guessed in Step 3 or in a knowledge set at Step 2. By definition of the Dolev-Yao composition rules, we have $m \in Der_c(\{t \mid m|_p = t \text{ for } p \in \Pi\})$, and thus, after the guess in Step 3, we have m ∈ $Der_c(E \cup Var(m))$. Given a variable x ∈ Var(m), by the determinacy of constraint systems there exists a constraint $E_x \rhd m_x$ in $C_4$ with $x \in Var(m_x) \setminus Var(E_x)$. By Lemma 3 this implies that $x\tau \in Der(E_x\tau)$. By the inclusion of knowledge sets we have $E_x \subseteq E$ and thus xτ ∈ Der(Eτ). Given the guess at Step 3 this implies xτ ∈ $Der_c(E\tau)$ and thus τ |= E ⊲c x. Conversely, if τ |= E ⊲c x for all x ∈ Var(m) then starting from Eτ one can first construct a set of terms F containing Eτ ∪ Var(m)τ. Then one can instantiate with τ a derivation starting from E ∪ Var(m) of goal m. These two derivations employ only composition rules, therefore mτ ∈ $Der_c(E\tau)$.

10 Permuting Deduction Constraints

This step aims at providing a compatibility between the ordering on variables induced by T and the ordering on variables induced by the deduction constraints. It is not necessary for the algorithm, but it simplifies the proof of the last step. The variables X, Y and Z stand for (possibly empty) sequences of deduction constraints.

Step 6:
  E ← E5
  for all x, y ∈ Var(C5) with E = (X, Ex ⊲c x, Y, Ey ⊲c y, Z) and y ≺ x ∈ T do
    E ← (X, Ex ⊲c y, Ex ⊲c x, Y, Z)
  od

Let C6 = (E6; S6; T6) be the resulting normalized solved form.

Proposition 4 A ground substitution σ is a solution of C5 iff it is a solution of C6.

Proof. Since the Ei are nondecreasing sets, it is obvious that if σ is a solution of C6 then it is a solution of C5. Assume now that a ground substitution σ is a solution of C5. It suffices to prove that if σ is a solution before a swap, it remains a solution of the constraint system after the swap. There are two cases:

– If there exists a constraint E′y ⊲c y before Ex ⊲c x, then E′y ⊆ Ex implies that if σ is a solution before the swap, it is a solution after it;
– Otherwise, the determinacy of constraint systems implies that y ∉ Sub(Ex), and σ being a solution implies that yσ ∈ Sub(xσ). Thus by Lemma 3 we have yσ ∈ Der(Exσ). By Proposition 2 this implies in turn yσ ∈ Derc(Exσ), and thus the resulting constraint system is still satisfied by σ.

11 Decision of Normalized Solved Forms

This is the last step of the algorithm.

Step 7: For each Ex ⊲c x ∈ E6 and each s ≺ x ∈ T6, check that there exists t ∈ Ex such that s ≺ t, or that s ∈ Derc(Ex ∪ Var(s)); return true if every check succeeds, otherwise return fail.

Proposition 5 Step 7 returns true iff C6 has a solution.

Proof. Let C6 = (E6; S6; T6).

⇒ direction: Let us assume that the variables occur in deduction constraints in the order x1, x2, . . .. We construct a solution σ inductively according to this ordering. For simplicity we still call σ the restriction of σ to {x1, . . . , xn}. Assume that we have constructed σ = {x1 ← x1σ, . . . , xn−1 ← xn−1σ} such that σ |= E ⊲c xi and σ |= s ≺ xi for all deduction and subterm constraints of C6 with i < n. Let s1 ≺ xn, . . . , sm ≺ xn be the subterm constraints of T6 which have xn as a right-hand side. Let E ⊲c xn be the first deduction constraint of E containing xn as a right-hand side. Let ti be such that ti ∈ E and si ≺ ti, or ti = si if si ∈ Derc(E ∪ Var(si)). By hypothesis ti always exists for i = 1, . . . , m. We extend σ by setting

$$x_n\sigma = \langle t_1\sigma, \langle t_2\sigma, \ldots \langle t_{m-1}\sigma, t_m\sigma \rangle \rangle \rangle.$$

By construction σ |= E ⊲c xn (hence σ |= E′ ⊲c xn since E ⊆ E′) and σ |= T.

⇐ direction: Let σ be a solution of C6. Let E ⊲c x ∈ E6 and s ≺ x ∈ T6. Let

$$F_0 = E\sigma \to E\sigma, t_1 \to \cdots \to E\sigma, t_1, \ldots, t_j \to \cdots \to x\sigma$$

be a derivation of goal xσ using composition rules only. Let j be the first index such that sσ occurs in tj. Either there is t ∈ E such that tσ = sσ, in which case s = t ∈ E and the check succeeds. Or tj = sσ for some j ≥ 1 and σ |= E ⊲c s. By Proposition 3, we have s ∈ Derc(E ∪ Var(s)) and the check succeeds.
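The following is an added worked example and not part of the paper: a toy Dolev-Yao term algebra with pairs and symmetric encryption, the composition-only derivability Der_c that Step 5 and Proposition 3 rely on, the full derivability Der obtained by first applying the decomposition rules ⟨x, y⟩ → x and se(x, y), y → x from the proof above, and the Step 7 check together with the witness xσ = ⟨t1σ, ⟨t2σ, . . . ⟨tm−1σ, tmσ⟩⟩⟩ built in the proof of Proposition 5. All identifiers (Var, Atom, Pair, SE, derc, der, step5_check, step7, satisfies) are ours. Two choices are assumptions of this example rather than statements of the paper: s ≺ t is read as "subterm or equal" (matching the case s = t ∈ E in the proof), and a variable with no subterm constraint is assigned an arbitrary known term.

```python
# Added example, not from the paper: a toy Dolev-Yao term algebra (pairs and
# symmetric encryption), composition-only derivability Der_c (Step 5, Prop. 3),
# full derivability Der, and the Step 7 check. All names here are ours.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterator, List, Optional, Tuple, Union

@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Atom: name: str
@dataclass(frozen=True)
class Pair: left: "Term"; right: "Term"      # the pair <left, right>
@dataclass(frozen=True)
class SE: msg: "Term"; key: "Term"           # se(msg, key): msg encrypted under key
Term = Union[Var, Atom, Pair, SE]

def subterms(t: Term) -> Iterator[Term]:
    """All subterms of t, t included (s ≺ t is read here as subterm-or-equal)."""
    yield t
    if isinstance(t, Pair):
        yield from subterms(t.left); yield from subterms(t.right)
    elif isinstance(t, SE):
        yield from subterms(t.msg); yield from subterms(t.key)

def variables(t: Term) -> FrozenSet[Var]:
    return frozenset(s for s in subterms(t) if isinstance(s, Var))

def apply(sigma: Dict[Var, Term], t: Term) -> Term:
    if isinstance(t, Var):
        return sigma.get(t, t)
    if isinstance(t, Pair):
        return Pair(apply(sigma, t.left), apply(sigma, t.right))
    if isinstance(t, SE):
        return SE(apply(sigma, t.msg), apply(sigma, t.key))
    return t

def derc(E: FrozenSet[Term], t: Term) -> bool:
    """t ∈ Der_c(E): composition rules x,y -> <x,y> and x,y -> se(x,y) only."""
    if t in E:
        return True
    if isinstance(t, Pair):
        return derc(E, t.left) and derc(E, t.right)
    if isinstance(t, SE):
        return derc(E, t.msg) and derc(E, t.key)
    return False

def der(E: FrozenSet[Term], t: Term) -> bool:
    """t ∈ Der(E): saturate E under the decomposition rules <x,y> -> x, <x,y> -> y
    and se(x,y), y -> x (the key must itself be derivable), then compose t."""
    known = set(E)
    while True:
        new = {v for u in known if isinstance(u, Pair) for v in (u.left, u.right)}
        new |= {u.msg for u in known if isinstance(u, SE) and derc(frozenset(known), u.key)}
        if new <= known:
            return derc(frozenset(known), t)
        known |= new

def step5_check(E: FrozenSet[Term], s: Term) -> bool:
    """Step 5: s ∈ Der_c(E ∪ Var(s)), the variables of s being taken as known."""
    return derc(E | variables(s), s)

def step7(deductions: List[Tuple[FrozenSet[Term], Var]],
          subterm_constraints: List[Tuple[Term, Var]]) -> Optional[Dict[Var, Term]]:
    """Step 7: deductions lists the E_x ⊲_c x in order, subterm_constraints the s ≺ x.
    Returns the witness of Proposition 5, x σ = <t_1 σ, <..., t_m σ>>, or None on fail."""
    sigma: Dict[Var, Term] = {}
    for E, x in deductions:
        if x in sigma: continue            # the first constraint with x on the right is used
        chosen: List[Term] = []
        for s, y in subterm_constraints:
            if y != x: continue
            # either s is a subterm of a known t ∈ E_x, or s is composable from E_x ∪ Var(s)
            t = next((u for u in E if any(v == s for v in subterms(u))), None)
            if t is None:
                if not step5_check(E, s):
                    return None
                t = s
            chosen.append(t)
        if not chosen:                     # no s ≺ x: any known term will do (our assumption)
            chosen = [next(iter(E))]
        inst = [apply(sigma, t) for t in chosen]
        value = inst[-1]
        for t in reversed(inst[:-1]):
            value = Pair(t, value)
        sigma[x] = value
    return sigma

def satisfies(deductions, subterm_constraints, sigma) -> bool:
    """Independent check that sigma solves every E ⊲_c x and every s ≺ x."""
    ded = all(derc(frozenset(apply(sigma, e) for e in E), apply(sigma, x)) for E, x in deductions)
    sub = all(any(v == apply(sigma, s) for v in subterms(apply(sigma, x)))
              for s, x in subterm_constraints)
    return ded and sub

# Constructed sample instance: atoms a, b, key k, variables x, y.
A, B, K, X, Y = Atom("a"), Atom("b"), Atom("k"), Var("x"), Var("y")
DEDUCTIONS = [(frozenset({A, K}), X), (frozenset({A, K, X}), Y)]
SUBTERMS = [(A, X), (SE(A, K), X), (SE(X, K), Y)]
```

On the sample instance, step7 assigns xσ = ⟨a, se(a, k)⟩ (a is already in Ex, se(a, k) is composed from Ex) and yσ = se(⟨a, se(a, k)⟩, k), and satisfies confirms the witness; adding the constraint b ≺ x makes the check fail, since b is neither a subterm of a known term nor composable. The contrast between der and derc on {se(a, k), k} ⊢ a shows why the solved-form steps must first guess the decomposed terms before composition-only reasoning becomes complete.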

12 Conclusion

We have shown how to decide secrecy for cryptographic protocols that can check a subterm relation. The proof is short (no appendix!) and shows that the complexity of the problem is in NP. In future work we will investigate the case of negative subterm constraints and also whether the results can be combined with known results on protocols that employ associative-commutative message constructors: this would enlarge the scope of techniques for addressing XML protocol security. We also plan to investigate whether our result generalizes to more general queries than subterm.
