![Maude-NPA: Cryptographic Protocol Analysis
Modulo Equational Properties
Santiago Escobar1
, Catherine Meadows2
, and José Meseguer2
1
Universidad Politécnica de Valencia, Spain
sescobar@dsic.upv.es
2
Naval Research Laboratory, Washington, DC, USA
meadows@itd.nrl.navy.mil
3
University of Illinois at Urbana-Champaign, USA
meseguer@cs.uiuc.edu
Abstract. In this tutorial, we give an overview of the Maude-NRL Pro-
tocol Analyzer (Maude-NPA), a tool for the analysis of cryptographic
protocols using functions that obey different equational theories. We
show the reader how to use Maude-NPA, and how it works, and also
give some of the theoretical background behind the tool.
1 Introduction
The Maude-NPA is a tool and inference system for reasoning about the security
of cryptographic protocols in which the cryptosystems satisfy different equational
properties. The tool handles searches in the unbounded session model, and thus
can be used to provide proofs of security as well as to search for attacks. It is
the next generation of the NRL Protocol Analyzer [36], a tool that supported
limited equational reasoning and was successfully applied to the analysis of many
different protocols.
The area of formal analysis of cryptographic protocols has been an active
one since the mid 1980’s. The idea is to verify protocols that use encryption to
guarantee secrecy, and that use authentication of data to ensure security, against
an attacker (commonly called the Dolev-Yao attacker [17]) who has complete
control of the network, and can intercept, alter, and redirect traffic, create new
traffic on his/her own, perform all operations available to legitimate participants,
and may have access to some subset of the longterm keys of legitimate principals.
Whatever approach is taken, the use of formal methods has had a long history,
not only for providing formal proofs of security, but also for uncovering bugs and
security flaws that in some cases had remained unknown long after the original
protocol’s publication.
A number of approaches have been taken to the formal verification of cryp-
tographic protocols. One of the most popular is model checking, in which the
interaction of the protocol with the attacker is symbolically executed. Indeed,
model-checking of secrecy (and later, authentication) in protocols in the bounded-
session model (where a session is a single execution of a process representing an
A. Aldini, G. Barthe, R. Gorrieri (Eds.): FOSAD 2007/2008/2009, LNCS 5705, pp. 1–50, 2009.
c
Springer-Verlag Berlin Heidelberg 2009](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-12-320.jpg)
![2 S. Escobar, C. Meadows, and J. Meseguer
honest principal) has been shown to be decidable [42], and a number of bounded-
session model checkers exist. Moreover, a number of unbounded model checkers
either make use of abstraction to enforce decidability, or allow for the possibility
of non-termination.
The earliest protocol analysis tools, such as the Interrogator [30] and the NRL
Protocol Analyzer (NPA) [35], while not strictly speaking model checkers, relied
on state exploration, and, in the case of NPA, could be used to verify security
properties specified in a temporal logic language. Later, researchers used generic
model checkers to analyze protocols, such as FDR [32] and later Murphi [40].
More recently the focus has been on special-purpose model-checkers developed
specifically for cryptographic protocol analysis, such as Blanchet’s ProVerif [8],
the AVISPA tool [3], and Maude-NPA itself [23].
There are a number of possible approaches to take in the modeling of cryp-
toalgorithms used. In the simplest case, the free algebra model, cryptosystems
are assumed to behave like black boxes: an attacker knows nothing about en-
crypted data unless it has the appropriate key. This is the approach taken, for
example, by the above-cited use of Murphi and FDR to analyze cryptographic
protocols, and current tools such as SATMC [4] and TA4SP [9] , both used in the
AVISPA tool. However, such an approach, although it can work well for proto-
cols based on generic shared key or public key cryptography, runs into problems
with algorithms such as Diffie-Hellman or algorithms employing exclusive-or,
which rely upon various algebraic properties such as the law of exponentiation
of products, associativity-commutativity and cancellation. Without the ability
to specify these properties, one needs to rely on approximations of the algorithms
that may result in formal proofs of secrecy invalidated by actual attacks that are
missed by the analysis (see, e.g., [41, 43, 46]). Thus there has been considerable
interest in developing algorithms and tools for protocol analysis in the presence
of algebraic theories [1, 7, 10, 11, 12].
Another way in which tools can differ is in the number of sessions. A session is
defined to be one execution of a protocol role by a single principal. A tool is said
to use the bounded session model if the user must specify the maximum number
of sessions that can be generated in a search. It is said to use the unbounded
session model if no such restrictions are required.
Secrecy is known to be decidable in the free theory together with the bounded
session model [42], and undecidable in the free theory together with the un-
bounded session model [18]. The same distinction between bounded and un-
bounded sessions is known to hold for a number of different equational theories
of interest, as well as for some authentication-related properties; see for example
[10]. Thus, it is no surprise that most tools, whether or not they offer support
for different algebraic theories, either operate in the bounded session model, or
rely on abstractions that may result in reports of false attacks even when the
protocol being analyzed is secure.
Maude-NPA is a model-checker for cryptographic protocol analysis that both
allows for the incorporation of different equational theories and operates in the
unbounded session model without the use of abstraction. This means that the](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-13-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 3
analysis is exact. That is, (i) if an attack exists using the specified algebraic
properties, it will be found; (ii) no false attacks will be reported; and (iii) if
the tool terminates without finding an attack, this provides a formal proof that
the protocol is secure for that attack modulo the specified properties. However,
it is always possible that the tool will not terminate; although, as explained in
Section 7, a number of heuristics are included to drastically reduce the search
space and make nontermination less likely. In order to have a steady, incremental
approximation of the analysis, the user is also given the option of restricting the
number of steps executed by Maude-NPA.
Maude-NPA is a backwards search tool, i.e., it searches backwards from a
final insecure state to determine whether or not it is reachable from an initial
state. This backwards search is symbolic, i.e., it does not start with a concrete
attack state, but uses instead a symbolic attack pattern, i.e., a term with logical
variables describing a general attack situation. The backwards search is then
performed by backwards narrowing. Each backwards narrowing step denotes a
state transition, such as a principal sending or receiving a message or the intruder
manipulating a message, all in a backwards sense. Each backwards narrowing
step takes a symbolic state (i.e., a term with logical variables) and returns a
previous symbolic state in the protocol (again a term with logical variables).
In performing a backwards narrowing step, the variables of the input term are
appropriately instantiated in order to apply the concrete state transition, and
the new previous state may contain new variables that are differentiated from
any previously used variable to avoid confusion. To appropriately instantiate
the input term, narrowing uses equational unification. As it is well-known from
logic programming and automated deduction (see, e.g., [5]), unification is the
process of solving equations t = t
. Standard unification solves these equations
in a term algebra. Instead, equational unification (w.r.t. an equational theory
E) solves an equation t = t
in a free algebra for the equations E, that is,
modulo the equational theory E. In the Maude-NPA, the equational theory E
used depends on the protocol, and corresponds to the algebraic properties of the
cryptographic functions (e.g. cancellation of encryption and decryption, Diffie-
Hellman, or exclusive-or).
Sound techniques for equational unification are paramount to Maude-NPA,
and much of the research behind it has concentrated on that. The idea is to
develop, not only special–purpose equational unification techniques that can be
used for specific theories, but general methods that can be extended to different
theories that arise in actual practice. We thus consider a broad class of theories
that incorporate those equational axioms commonly appearing in cryptosystems
and for which Maude has dedicated unification algorithms [13], such as com-
mutativity (C) or associativity-commutativity (AC) of some function symbols
[19]. Our approach is designed to be as extensible as possible to different alge-
braic theories, and Maude-NPA is designed with this in mind. Maude-NPA has
thus both dedicated and generic narrowing-based methods for solving unifica-
tion problems in such theories [27], which under appropriate checkable conditions
yield narrowing-based unification algorithms with a finite number of solutions](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-14-320.jpg)
![4 S. Escobar, C. Meadows, and J. Meseguer
[26]. Maude-NPA currently supports a number of algebraic theories, including
exclusive-or, cancellation of encryption and decryption (both public and shared
key), bounded associativity, and Diffie-Hellman exponentiation. We include ex-
amples of several of these in this tutorial; others can be found in the Maude-
NPA manual [23] and in our previous papers [19, 21]. Moreover, we continue
to explore new generic unification algorithms which we plan to incorporate into
Maude-NPA in the future.
Since Maude-NPA allows reasoning in the unbounded session model, and be-
cause it allows reasoning about different equational theories (which typically
generate many more solutions to unification problems than syntactic unifica-
tion, leading to bigger state spaces), it is necessary to find ways of pruning the
search space in order to prevent infinite or overwhelmingly large search spaces.
A key technique for preventing infinite searches is the generation of formal gram-
mars describing terms unreachable by the intruder; such formal grammars are
described in [20, 36] and in Section 7.7. However, grammars do not prune out all
infinite searches, and there is a need for other techniques. Moreover, even when
a search space is finite it may still be necessary to reduce it to a manageable
size. State space reduction techniques for doing that have been provided in [22],
with an empirical average state-space size reduction of 96% (i.e., the average size
of the reduced state space is 4% of that of the original one). Furthermore, our
often combined techniques are effective in obtaining a finite state space for all
protocol analyses in many of our experiments.
The rest of this tutorial is organized as follows. Section 2 gives definitions of
some of the terminology that is used throughout this tutorial; we have tried to
reduce definitions to a minimum and to illustrate each definition by means of
examples. Sections 3 and 4 explain the basic mechanics of using Maude-NPA,
including writing specifications and formulating queries. It gives the minimum
amount of background needed for using the tool. Sections 5 and 6 describe
how Maude-NPA actually works. They are intended for two types of readers:
first the reader who wants to get better insight into how to use the tool to
best advantage, and secondly for the reader who wants to understand the basic
concepts behind Maude-NPA, without necessarily using the tool. Section 7, on
state space reduction, is somewhat more specialized. It is intended for someone
who is interested in the design of crypto protocol analysis tools and wants a
more complete picture of the techniques Maude-NPA uses or plans to use, but
is not really necessary to read it in order to be able to use the tool. Section 8
concludes the tutorial.
Maude-NPA is publicly available1
, including a user manual and some proto-
col examples. Maude-NPA is written in Maude, which is a publicly available2
implementation of rewriting logic. To be more specific, Maude-NPA requires a
version of Maude that includes the implementation of order-sorted unification
modulo commutativity and associativity–commutativity [13], e.g., version 2.4 or
later.
1
At http://maude.cs.uiuc.edu/tools/Maude-NPA
2
At http://maude.cs.uiuc.edu](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-15-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 5
2 Preliminaries
We follow the classical notation and terminology from [47] for term rewriting
and from [37, 38] for rewriting logic and order-sorted notions. We assume an
order-sorted signature Σ with a finite poset of sorts (S, ≤) and a finite number of
function symbols. For example, consider a signature with sorts Msg, Encryption,
Concatenation, Nonce, Fresh, and Name that satisfy the following subsort order
between sorts:
Msg
Concatenation Encryption
o
o
o
o
o
o
Nonce
JJJJJ
Name
and function symbols pk (for “public” key encryption), sk (for “secret” or “pri-
vate” key encryption), n (for nonces), and _;_ (for concatenation) that satisfy
the following sort declarations3
:
pk : Name × Msg → Encryption n : Name × Fresh → Nonce
sk : Name × Msg → Encryption _;_ : Msg × Msg → Concatenation
We assume an S-sorted family X = {Xs}s∈S of disjoint variable sets with each
Xs countably infinite. TΣ(X)s is the set of terms of sort s, and TΣ,s is the set of
ground terms (i.e., without variables) of sort s. We write TΣ(X) and TΣ for the
corresponding term algebras. We write Var(t) for the set of variables present in
a term t.
A term is viewed as a tree labeled with function symbols, where the arity
of a symbol coincides with the number of its children in the tree (and the sort
declaration for the symbol is satisfied by its children). For example, the term4
t = n(a, r) ; (n(b, r
) ; n(b, r
)), where a, b, and c are symbols with arity 0
(called constants) of sort Name and r, r
, and r
are variables of sort Fresh, is a
term of sort Concatenation and has the following tree representation
;
n
o
o
o
o
o
o ;
UUUUUUUUUUU
a
~
~
~
r
?
?
?
n
m
m
m
m
m
m
m n
PPPPPP
b
{
{
{
{
r
@
@
@
b r
B
B
B
A position p of a term t is described by a string of natural numbers that
specifies a path from the root of the term to the desired subterm position. For
3
Note that Maude allows function declarations of symbols with a user-defined syntax,
where each underscore denotes the position of one function argument, e.g. “ ; ”
denotes a symbol ; with two arguments written in an infix notation.
4
For a Maude term with symbols that contain underscores, a blank space must appear
between the subterm corresponding to an underscore and any other part of the term,
e.g. “n(a,r) ; n(b,r’)”.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-16-320.jpg)
![6 S. Escobar, C. Meadows, and J. Meseguer
example, in the term t above, position p1 = 1.1 identifies the subterm a, and po-
sitions p2 = 2.1.1 and p3 = 2.2.1 both identify the subterm b, although different
occurrences of it. The set of positions of a term t is written Pos(t). The set of
non-variable positions of a term t is written PosΣ(t). The root of a term is Λ.
The subterm of t at position p is t|p, and t[u]p is the result of replacing t|p by u
in t. For example, we have t|p1 = a and t|p2 = t|p3 = b.
A substitution σ is a sort-preserving mapping from a finite subset of X to
TΣ(X). The application of substitution σ to term t is denoted σ(t). The identity
substitution is id. Substitutions are naturally extended to homomorphic func-
tions σ : TΣ(X) → TΣ(X). The restriction of σ to a set of variables V is σ|V .
The composition of two substitutions σ, θ is (σθ)(X) = θ(σ(X)) for X ∈ X.
A Σ-equation is an unoriented pair of terms (t, t
), written t = t
, where t, t
∈
TΣ(X)s for some sort s ∈ S. Given Σ and a set E of Σ-equations such that TΣ,s
=
∅ for every sort s, order-sorted equational logic induces a congruence relation =E
on terms t, t
∈ TΣ(X) (see [38]). Throughout this tutorial we assume that TΣ,s
=
∅ for every sort s. The E-subsumption order on terms TΣ(X)s, written t E t
(meaning that t
is more general than t), holds if there exists a substitution σ such
that t =E σ(t
). The order on terms TΣ(X)s is naturally extended to substitutions,
i.e., σ E σ
iff there exists a substitution θ such that σ =E σ
θ.
An E-unifier for a Σ-equation t = t
is a substitution σ s.t. σ(t) =E σ(t
).
Given two E-unifiers σ1 and σ2 for a Σ-equation t = t
, σ2 is more general
than σ1, written σ1 E σ2, if there exists τ such that σ2τ =E σ1, i.e., for each
variable X, (σ2τ)(X) =E σ1(X). A complete set of E-unifiers of an equation
t = t
, written CSUE(t = t
), is a set of unifiers of t = t
such that for each E-
unifier σ of t = t
, there exists τ ∈ CSUE(t = t
) such that σ E τ. We say that
CSUE(t = t
) is finitary if it contains a finite number of E-unifiers. We say that
CSUE(t = t
) is the set of most general unifiers if each unifier τ ∈ CSUE(t = t
)
is maximal among all unifiers of t = t
w.r.t. E. For example, consider an
infix symbol _*_ : Msg × Msg → Msg satisfying the following associativity and
commutativity (AC) equational properties (where X, Y, Z are variables of sort
Msg):
X ∗ Y = Y ∗ X X ∗ (Y ∗ Z) = (X ∗ Y ) ∗ Z
A complete set of most general AC-unifiers of the two terms t = X ∗ Y and
s = U ∗ V (where X, Y, U, V are variables of sort Msg) is
σ1 = { X
→ X
, Y
→ Y
, U
→ X
, V
→ Y
}
σ2 = { X
→ X
, Y
→ Y
, U
→ Y
, V
→ X
}
σ3 = { X
→ X
, Y
→ Y
∗ Y
, U
→ X
∗ Y
, V
→ Y
}
σ4 = { X
→ X
, Y
→ Y
∗ Y
, U
→ Y
, V
→ X
∗ Y
}
σ5 = { X
→ X
∗ X
, Y
→ Y
, U
→ X
, V
→ X
∗ Y
}
σ6 = { X
→ X
∗ X
, Y
→ Y
, U
→ X
∗ Y
, V
→ X
}
σ7 = { X
→ X
∗ X
, Y
→ Y
∗ Y
, U
→ X
∗ Y
, V
→ X
∗ Y
}
Consider now the exclusive-or symbol _ ⊕ _ : Msg × Msg → Msg and the constant
0 : Msg satisfying the following xor-properties (where X, Y, Z are variables of
sort Msg):](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-17-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 7
X ⊕ Y = Y ⊕ X X ⊕ X = 0
X ⊕ (Y ⊕ Z) = (X ⊕ Y ) ⊕ Z X ⊕ 0 = X
A complete set of most general xor-unifiers of the two terms t = X ⊕ Y and
s = U ⊕ V (where X, Y, U, V are variables of sort Msg) is the unique unifier
θ1 = {X
→ Y
⊕ U
⊕ V
, Y
→ Y
, U
→ U
, V
→ V
}.
3 Protocol Specification in Maude-NPA
In this section, we describe how to specify a protocol and all its relevant items
in the Maude-NPA. We postpone until Section 4 the topic of formal protocol
analysis in the Maude-NPA.
3.1 Templates and File Organization for Protocol Specification
Protocol specifications are given in a single file (e.g., foo.maude), and consist
of three Maude modules, having a fixed format and fixed module names. In
the first module, the syntax of the protocol is specified, consisting of sorts,
subsorts, and operators. The second module specifies the algebraic properties of
the operators. Note that algebraic properties cannot be arbitrary and must satisfy
some specific conditions described in Section 6.3. The third module specifies the
actual behavior of the protocol using a strand-theoretic notation [28]. This third
module includes the intruder strands (Dolev-Yao strands) and regular strands
describing the behavior of principals. Attack states, describing behavior that
we want to prove cannot occur, are also specified in this third module, but we
postpone their presentation until Section 4.
We give a template for any Maude-NPA specification below. Throughout,
lines beginning with three or more dashes (i.e., ---) or three or more asterisks
(i.e., ***) are comments that are ignored by Maude. Furthermore, the Maude
syntax is almost self-explanatory [14]. The general point is that each syntactic
element –e.g. a sort, an operation, an equation, a rule– is declared with an
obvious keyword: sort, op, eq, rl, etc., ended by a space and a period.
fmod PROTOCOL-EXAMPLE-SYMBOLS is
protecting DEFINITION-PROTOCOL-RULES .
------------------------------------------------------------
--- Overwrite this module with the syntax of your protocol.
--- Notes:
--- * Sorts Msg and Fresh are special and imported
--- * Every sort must be a subsort of Msg
--- * No sort can be a supersort of Msg
--- * Variables of sort Fresh are really fresh
--- and no substitution is allowed on them
--- * Sorts Msg and Public cannot be empty
------------------------------------------------------------
endfm](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-18-320.jpg)
![8 S. Escobar, C. Meadows, and J. Meseguer
fmod PROTOCOL-EXAMPLE-ALGEBRAIC is
protecting PROTOCOL-EXAMPLE-SYMBOLS .
----------------------------------------------------------------
--- Overwrite this module with the algebraic properties
--- of your protocol.
--- * Use only equations of the form (eq Lhs = Rhs [nonexec] .)
--- * Maude attribute owise cannot be used
--- * There is no order of application between equations
----------------------------------------------------------------
endfm
fmod PROTOCOL-SPECIFICATION is
protecting PROTOCOL-EXAMPLE-SYMBOLS .
protecting DEFINITION-PROTOCOL-RULES .
protecting DEFINITION-CONSTRAINTS-INPUT .
----------------------------------------------------------
--- Overwrite this module with the strands
--- of your protocol and the attack states
----------------------------------------------------------
eq STRANDS-DOLEVYAO =
--- Add Dolev-Yao intruder strands here. Strands are
--- properly renamed.
[nonexec] .
eq STRANDS-PROTOCOL =
--- Add protocol strands here. Strands are properly renamed.
[nonexec] .
eq ATTACK-STATE(0) =
--- Add attack state here
--- More than one attack state can be specified, but each
--- must be identified by a number (e.g. ATTACK-STATE(1) = ...
--- ATTACK-STATE(2) = ... etc.)
[nonexec] .
endfm
--- THE FOLLOWING COMMAND HAS TO BE THE LAST ACTION !!!!
select MAUDE-NPA .
In what follows we explain in detail how each of these three modules, com-
prising a Maude-NPA protocol specification, are specified.
3.2 Specifying the Protocol Syntax
The protocol syntax is specified in the module PROTOCOL-EXAMPLE-SYMBOLS.
Note that, since we are using Maude also as the specification language, each
declaration has to be ended by a space and a period.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-19-320.jpg)
![10 S. Escobar, C. Meadows, and J. Meseguer
Thus, we will define sorts to distinguish names, keys, nonces, and encrypted
data. This is specified as follows:
--- Sort Information
sorts Name Nonce Enc .
subsort Name Nonce Enc Msg .
subsort Name Public .
The sorts Nonce and Enc are not strictly necessary, but they can make the
search more efficient, since Maude-NPA will not attempt to unify terms with
incompatible sorts. For example, if in this specification a principal is expecting
a term of sort Enc, he/she will not accept a term of sort Nonce; technically
because Nonce is not declared as a subsort of Enc. If we are looking for type
confusion attacks, we would not want to include these sorts, and instead would
declare everything as having sort Msg or Name. See Section 3.3 for details on type
confusion attacks.
We can now specify the different operators needed in NSPK. These are pk and
sk, for public and private key encryption, the operator n for nonces, designated
constants for the names of the principals, and concatenation using the infix
operator “_;_”.
We begin with the public/private encryption operators.
--- Encoding operators for public/private encryption
op pk : Name Msg - Enc [frozen] .
op sk : Name Msg - Enc [frozen] .
The frozen attribute is technically necessary to tell Maude not to attempt
to apply rewrites in arguments of those symbols. The frozen attribute must
be included in all operator declarations in Maude-NPA specifications, excluding
constants. The use of sort Name as an argument of public key encryption may
seem odd at first. But it is used because we are implicitly associating a public
key with a name when we apply the pk operator, and a private key with a name
when we apply the sk operator. A different syntax specifying explicit keys could
have been chosen for public/private encryption.
Next we specify some principal names. For NSPK, we have three constants of
sort Name, a (for “Alice”), b (for “Bob”), and i (for the “Intruder”).
--- Principals
op a : - Name . --- Alice
op b : - Name . --- Bob
op i : - Name . --- Intruder
These are not all the possible principal names. Since Maude-NPA is an un-
bounded session tool, the number of possible principals is unbounded. This is
achieved by using variables (i.e., variables of sort Name in this specification of
NSPK) instead of constants. However, we may have a need to specify constant
principal names in a goal state. For example, if we have an initiator and a re-
sponder, and we are not interested in the case in which the initiator and the](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-21-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 11
responder are the same, we can prevent that by specifying the names of the
initiator and the responder as different constants. Also, we may want to iden-
tify the intruder’s name by a constant, so that we can cover the case in which
principals are talking directly to the intruder.
We now need two more operators, one for nonces, and one for concatenation.
The nonce operator is specified as follows.
--- Nonce operator
op n : Name Fresh - Nonce [frozen] .
Note that the nonce operator has an argument of sort Fresh to ensure unique-
ness. The argument of type Name is not strictly necessary, but it provides a con-
venient way of identifying which nonces are generated by which principal. This
makes searches more efficient, since it allows us to keep track of the originator
of a nonce throughout a search.
Finally, we come to the message concatenation operator. In Maude-NPA, we
specify concatenation via an infix operator “_;_” defined as follows:
--- Concatenation operator
op _;_ : Msg Msg - Msg [gather (e E) frozen] .
The Maude operator attribute “gather (e E)” indicates that symbol “_;_” has
to be parsed as associated to the left; whereas “gather(E e)” indicates association
to the right (see [14, Section 3.9]). Note that this gather information is specified
only for parsing purposes: it does not specify an associativity property, although
the associativity of an operator is certainly expressible in Maude either as an ex-
plicit “equational rule”, or as an “equational axiom” as explained in Section 3.4
below. Therefore, _;_ in this NSPK example is just a free function symbol, which,
when no parenthesis are added, is parsed in a left–associative way.
3.3 User-Defined Subsorts of Sort Msg in Protocol Specification
The Maude-NPA tool always assumes that the sort Msg is the top sort, but
it allows user-defined subsorts of Msg that can be specified by the user for a
more accurate protocol specification and analysis. However, protocol modeling in
Maude-NPA should pay careful attention to when and why a subsort of sort Msg
can be used, since an overly general specification using sort Msg will negatively
affect performance, whereas a too restrictive specification may jeopardize finding
some attacks, since some attacks possible in a less restrictive specification may
become excluded by using some subsort in the reception of a message.
The two relevant concepts here are: (i) whether a principal can check the sort
of a bit string and (ii) whether a principal can check the structure of a term to
find out if it matches some given pattern. In general, data received by a principal
for which the principal cannot check its structure, but can check its sort, must
be represented by a variable of the appropriate sort. For example, if a principal
receives a message that he/she expects to be a nonce but he/she cannot check that
is has sort Nonce, then such a message will be represented by a variable of sort Msg.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-22-320.jpg)
![12 S. Escobar, C. Meadows, and J. Meseguer
Sometimes, even though we do not assume that type-checking is possible, we may
want to use sorts to limit the size of the search space. How this can be done, and
the ramifications of doing this, are discussed later in this tutorial.
Therefore, if we are interested in a type confusion attack for a given informal
protocol specification, we would like a protocol specification in Mauge-NPA that
makes no distinctions on messages, i.e., principals cannot perform type checking
of messages (for instance, may not be able to detect whether a string of bits
is a nonce) and may not even be able to separate messages into their different
components. In this very general case, we are interested in a unsorted protocol,
i.e., there will be no extra sorts and every symbol will be of sort Msg. See [21]
for an example of a type confusion attack specified in Maude-NPA.
A third relevant concept here is the use of variables of sort Fresh. Every
variable of sort Fresh denotes an unguessable message. Those variables of sort
Fresh that a principal generates have to be explicitly written in the protocol
specification (see Section 3.6). Therefore, every nonce that a principal generates
is represented by a message containing a variable of sort Fresh, e.g. n(A, r), with
r a variable of sort Fresh. If a principal is expecting this nonce again, it will be
represented in the protocol specification by the same term n(A, r), meaning that
the principal can check the sort of the message and can also check the structure
of the message. This is safe because typically a principal can verify whether
two nonces are the same, i.e., whether the sequences of their bits coincide. If
a principal is expecting a nonce different from one of his/her nonces, it will be
represented in the protocol specification by a variable N of sort Nonce or of sort
Msg, depending on the type checking facilities available to the principal.
3.4 Algebraic Properties
There are two types of algebraic properties: (i) equational axioms, such as com-
mutativity, or associativity-commutativity, called axioms, and (ii) equational
rules, called equations. Equations are specified in the PROTOCOL-EXAMPLE-
ALGEBRAIC module, whereas axioms are specified within the operator declara-
tions in the PROTOCOL-EXAMPLE-SYMBOLS module, as illustrated in what follows.
An equation is oriented into a rewrite rule in which the left–hand side of the
equation is reduced to the right–hand side. In writing equations, one needs to
specify the variables involved, and their type. Variables can be specified globally
for a module, e.g., “var Z : Msg .”, or locally within the expression using it,
e.g., a variable A of sort Name in “pk(A:Name,Z)”. Several variables of the same
sort can be specified together, as “vars X Y Z1 Z2 : Msg .”. In NSPK, we
use two equations specifying the relationship between public and private key
encryption, as follows:
var Z : Msg .
var A : Name .
--- Encryption/Decryption Cancellation
eq pk(A,sk(A,Z)) = Z [nonexec] .
eq sk(A,pk(A,Z)) = Z [nonexec] .](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-23-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 13
The nonexec attribute is technically necessary to tell Maude not to use an
equation or rule within its standard execution, since it will be used only at the
Maude-NPA level rather than at the Maude level. The nonexec attribute must
be included in all user-defined equation declarations of the protocol. Furthermore,
the Maude attribute owise (i.e., otherwise) cannot be used in equations, since
no order of application is assumed for the algebraic equations.
Since Maude-NPA uses built-in unification algorithms [13] for the case of oper-
ators having either no equational axioms, or the commutative (C) or associative-
commutative (AC) equational axioms, these are specified not as standard
equations but as axioms in the operator declarations. For example, suppose that
we want to specify exclusive-or. We can specify an infix associative-commutative
operator “+” in the PROTOCOL-EXAMPLE-SYMBOLS module as follows:
--- XOR operator and equational axioms
op _+_ : Msg Msg - Msg [frozen assoc comm] .
op null : - Msg .
where the associativity and commutativity axioms are declared as attributes of
the + operator with the assoc and comm keywords. Similarly, we could specify
an operator that is commutative but not associative with the comm keyword
alone.5
We specify the equational rules for + in the PROTOCOL-EXAMPLE-ALGEBRAIC
module as equations declared with the eq keyword as follows6
:
vars X Y : Msg .
--- XOR equational rules
eq X + X + Y = Y [nonexec] .
eq X + X = null [nonexec] .
eq X + null = X [nonexec] .
If we want to include a Diffie-Hellman mechanism, we need two operations.
One is exponentiation, and the other is modular multiplication. Since Diffie-
Hellman is a commonly used algorithm in cryptographic protocols, we discuss it
also here.
We begin by including several new sorts in PROTOCOL-EXAMPLE-SYMBOLS: Gen,
Exp, GenvExp, and NeNonceSet.
5
In Maude, it is possible to specify and operator that is associative but not commu-
tative using the assoc keyword, but in the Maude-NPA, symbols having the assoc
but not the comm attribute should not be specified. The reason for this is that as-
sociative unification is not finitary (see, e.g., [5]) and is not supported in Maude.
Various forms of bounded associativity with finitary unification are possible, but this
is done differently, namely, by specifying bounded associativity with rules, see [21]
for details.
6
Note that the first equational rule, i.e., X + X + Y = Y, is not essentially needed
for the exclusive-or theory, but it is necessary for rewriting purposes to ensure co-
herence, see Section 6.2.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-24-320.jpg)
![14 S. Escobar, C. Meadows, and J. Meseguer
sorts Name Nonce NeNonceSet Gen Exp Key GenvExp Enc Secret .
subsorts Gen Exp GenvExp .
subsorts Name NeNonceSet GenvExp Enc Secret Key Msg .
subsort Exp Key .
subsort Nonce NeNonceSet .
subsorts Name Gen Public .
We now introduce three new operators. The first, g, is a constant that serves
as the Diffie-Hellman generator of the multiplicative group. The second is expo-
nentiation, and the third is an associative-commutative multiplication operation
on nonces and products of such nonces.
op g : - Gen .
op exp : GenvExp NeNonceSet - Exp [frozen] .
op _*_ : NeNonceSet NeNonceSet - NeNonceSet [frozen assoc comm] .
We then include the following equational property, to capture the fact that
zxy
= zx∗y
:
eq exp(exp(W:Gen,Y:NeNonceSet),Z:NeNonceSet)
= exp(W:Gen, Y:NeNonceSet * Z:NeNonceSet) [nonexec] .
There are several things to note about this Diffie-Hellman specification. The
first is that, although modular multiplication has a unit and inverses, this is not
included in our equational specification. Instead, we have only included the key
algebraic rule that is necessary for Diffie-Hellman to work. The second is that we
have specified types that will rule out certain kinds of intruder behavior. In actual
fact, there is nothing that prevents an intruder from sending an arbitrary string
to a principal and passing it off as an exponentiated term. The principal will then
exponentiate that term. However, given our definition of the exp operator, only
terms of type GenvExp can be exponentiated. This last restriction is necessary
in order to ensure that the unification algorithm is finitary; see Section 6.3 for
technical details. The omission of units and inverses is not necessary to ensure
finitary unification, but rules out behavior of the intruder that is likely to be
irrelevant for attacking the protocol, or that is likely to be easily detected (such
as the intruder sending an exp(g,0)).
We note that if one is interested in obtaining a proof of security using these
restrictive assumptions, one must provide a proof (outside of the tool) that
security in the restricted model implies security in the more general model. This
could be done along the lines of the proofs in [33, 34, 39].
3.5 Protocol Specification: Intruder Strands
The protocol itself and the intruder capabilities are both specified in the
PROTOCOL- SPECIFICATION module. They are specified using strands. A strand,
first defined in [28], is a sequence of positive and negative messages7
describing
7
We write m±
to denote m+
or m−
, indistinctively. We often write +(m) and −(m)
instead of m+
and m−
, respectively.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-25-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 15
a principal executing a protocol, or the intruder performing actions, e.g., the
strand for Alice in NSPK is:
[ pk(KB, A; NA)+
, pk(KA, NA; Z)−
, pk(KB, Z)+
]
where a positive node implies sending, and a negative node implies receiving.
However, in our tool each strand is divided into the past and future parts by
means of a vertical line. That is, the messages to the left of the vertical line
were sent or received in the past, whereas the messages to the right of the line
will be sent or received in the future. Also, we keep track of all the variables of
sort Fresh generated by a concrete strand; see Section 5.2 for technical details.
That is, all the variables r1, . . . , rj of sort Fresh generated by a strand are made
explicit right before the strand, as follows:
:: r1, . . . , rj :: [ m1
±
, . . . , mi
±
| mi+1
±
, . . . , mk
±
]
Note that there is some difference between the variables of sort Fresh generated
in a strand and those appearing in a strand. In the specification of a role, they
must coincide, in the sense that all the variables appearing in the description
of a principal are generated during an execution (an instance) of such a strand.
However, in a given protocol state, a strand may contain many more variables
of sort Fresh than those specified at the left of the strand due to the message
exchange between the principals.
We begin by specifying all the variables that are used in this module, together
with the sorts of these variables. In the NSPK example, these are
vars X Y Z : Msg .
vars r r’ : Fresh .
vars A B : Name .
vars N N1 N2 : Nonce .
After the variables are specified, the next thing to specify is the actions of the
intruder, or Dolev-Yao rules [17]. These specify the operations an intruder can
perform. Each such action can be specified by an intruder strand consisting of
a sequence of negative nodes, followed by a single positive node. If the intruder
can (non-deterministically) find more than one term as a result of performing
one operation (as in deconcatenation), we specify each of these outcomes by
separate strands. For the NSPK protocol, we have four operations: encryption
with a public key (pk), decryption with a private key (sk), concatenation (_;_),
and deconcatenation.
Encryption with a public key is specified as follows. Note that we use a prin-
cipal’s name to stand for the key. That is why names are of type Name. The
intruder can encrypt any message using any public key.
:: nil:: [ nil | -(X), +(pk(A,X)), nil ]
Encryption with the private key is a little different. The intruder can only
apply the sk operator using his own identity. So we specify the rule as follows,
assuming that i denotes the name of the intruder:](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-26-320.jpg)
![16 S. Escobar, C. Meadows, and J. Meseguer
:: nil:: [ nil | -(X), +(sk(i,X)), nil ]
Concatenation and deconcatenation are straightforward. If the intruder knows
X and Y , he can find X; Y . If he knows X; Y he can find both X and Y . Since
each intruder strand should have at most one positive node, we need to use three
strands to specify these actions:
:: nil :: [ nil | -(X), -(Y), +(X ; Y), nil ]
:: nil :: [ nil | -(X ; Y), +(X), nil ]
:: nil :: [ nil | -(X ; Y), +(Y), nil ]
The final Dolev-Yao specification looks as follows. Note that our tool requires
the use of the constant symbol STRANDS-DOLEVYAO as the repository of all the
Dolev-Yao strands, and uses the associative-commutative symbol __ as the
union operator to form sets of strands. Note, also, that our tool considers that
variables are not shared between strands, and thus will appropriately rename
them when necessary.
eq STRANDS-DOLEVYAO
= :: nil :: [ nil | -(X), -(Y), +(X ; Y), nil ]
:: nil :: [ nil | -(X ; Y), +(X), nil ]
:: nil :: [ nil | -(X ; Y), +(Y), nil ]
:: nil :: [ nil | -(X), +(sk(i,X)), nil ]
:: nil :: [ nil | -(X), +(pk(Ke,X)), nil ]
[nonexec] .
Every operation that can be performed by the intruder, and every term that
is initially known by the intruder, should have a corresponding intruder strand.
For each operation used in the protocol we should consider whether or not the in-
truder can perform it, and specify a corresponding intruder strand that describes
the conditions under which the intruder can perform it.
For example, suppose that the operation requires the use of exclusive-or. If
we assume that the intruder can exclusive-or any two terms in its possession, we
should represent this by the following strand:
:: nil :: [ nil | -(X), -(Y), +(X + Y), nil ]
If we want to give the intruder the ability to generate his own nonces, we
should represent this by the following rule:
:: r :: [ nil | +(n(i,r)), nil ]
In general, it is a good idea to provide Dolev-Yao strands for all the operations
that are defined, unless one is explicitly making the assumption that the intruder
can not perform the operation. It is also strongly recommended that operations
not used in the protocol should not be provided with Dolev-Yao strands. This
is because the tool will attempt to execute rules associated with these strands,
even if they are useless, and this will negatively affect performance.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-27-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 17
3.6 Protocol Specification: Protocol Strands
In the Protocol Rules section of a specification we define the messages that
are sent and received by the honest principals. We will specify one strand per
role. However, since the Maude-NPA analysis supports an arbitrary number of
sessions, each strand can be instantiated an arbitrary number of times.
In specifying protocol strands it is important to remember to specify them
from the point of view of the principal executing the role. For example, in NSPK
the initiator A starts out by sending her name and a nonce encrypted with B’s
public key. She gets back something encrypted with her public key, but all she
can tell is that it is her nonce concatenated with some other nonce. She then
encrypts that other nonce under B’s public key and sends it out.
As explained in Section 3.3, we represent the construction of A’s nonce ex-
plicitly as n(A,r), where r is a variable of sort Fresh therefore appearing in the
header of A’s strand, and the extra nonce that she receives is represented by a
variable N of sort Nonce. The entire strand for the initiator role is as follows:
:: r ::
[ nil | +(pk(B,A ; n(A,r))), -(pk(A,n(A,r) ; N)), +(pk(B, N)), nil ]
In the responder strand, the signs of the messages are reversed. Moreover, the
messages themselves are represented differently. B starts out by receiving a name
and some nonce encrypted under his key. He creates his own nonce, appends the
received nonce to it, encrypts it with the key belonging to the name, and sends
it out. He gets back his nonce encrypted under his own key. This is specified as
follows:
:: r ::
[ nil | -(pk(B,A ; N)), +(pk(A, N ; n(B,r))), -(pk(B,n(B,r))), nil ]
Note that, as explained in Section 3.3, the point here is to only include things
in a strand that a principal executing a strand can actually verify. The complete
STRANDS-PROTOCOL specification for NSPK is as follows.
eq STRANDS-PROTOCOL =
:: r ::
[nil | +(pk(B,A ; n(A,r))), -(pk(A,n(A,r) ; N)), +(pk(B, N)), nil]
:: r ::
[nil | -(pk(B,A ; N)), +(pk(A, N ; n(B,r))), -(pk(B,n(B,r))), nil]
[nonexec] .
As a final note, we remark that, if B received a message Z encrypted under a
key he does not know, he would not be able to verify that he received pk(A,Z),
because he cannot decrypt the message. So the best we could say here is that A
received some term Y of sort Msg.
The complete specification of the Needham-Schroeder shared-key protocol and
the Diffie-Hellman protocol can be found in [23].](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-28-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 19
4.2 Initial States
An initial state is the final result of the backwards reachability process and is
described as follows:
1. in an initial state, all strands have the bar at the beginning, i.e., all strands
are of the form :: r1, . . . , rj :: [ nil | m1
±
, . . . , mk
±
];
2. in an initial state, all the intruder knowledge is negative, i.e., all the items
in the intruder knowledge are of the form (m !inI).
From an initial state, no further backwards reachability steps are possible, since
there is nothing for the intruder to unlearn or to learn due to the following
two facts: (i) since all the intruder knowledge is already negative (m !inI), no
positive knowledge can be unlearned, and (ii) there is no further reception of
messages (no negative node in a strand) that might introduce positive items
(m inI) in the intruder knowledge. Note that in an initial state, the third com-
ponent of a protocol state denotes the concrete message sequence from this initial
state to the given attack state.
4.3 Unreachable States
Another interesting concept is that of an unreachable state. An unreachable
state is a protocol state from which we cannot reach an initial state by further
backwards reachability analysis. Interpreted in a forwards way, this of course
means that it is an state that can never be reached from an initial state by
forward execution. Early detection of unreachable states is essential to achieve
effective protocol analysis. In Section 7, we describe several techniques for early
detection of unreachable states. For instance, consider the following state found
by the Maude-NPA for the NSPK:
:: nil :: [nil | -(pk(i, b ; n(b, r))), +(b ; n(b, r)), nil]
:: nil :: [nil | -(n(b, r)), +(pk(b, n(b, r))), nil]
:: nil :: [nil | -(b ; n(b, r)), +(n(b, r)), nil]
:: r :: [nil | +(pk(i, b ; n(b, r))), nil]
:: r :: [nil, -(pk(b, a ; N)), +(pk(a, N ; n(b, r)))
| -(pk(b, n(b, r))), nil])
||
pk(b, n(b, r)) !inI, pk(i, b ; n(b, r)) !inI, n(b, r) !inI,
(b ; n(b, r)) !inI
||
+(pk(i, b ; n(b, r))), -(pk(i, b ; n(b, r))), +(b ; n(b, r)),
-(b ; n(b, r)), +(n(b, r)), -(n(b, r)), +(pk(b, n(b, r))),
-(pk(b, n(b, r)))
||
nil
This state is unreachable, since there are two strands that are generating the
same fresh variable r and this is impossible because the fresh data generated by
each strand must be unique.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-30-320.jpg)
![20 S. Escobar, C. Meadows, and J. Meseguer
4.4 Attack States
Attack states describe not just single concrete attacks, but attack patterns (or
if you prefer attack situations), which are specified symbolically as terms (with
variables) whose instances are the final attack states we are looking for. Given an
attack pattern, Maude-NPA tries to either find an instance of the attack pattern
or prove that no such instance is possible. We can specify more than one attack
state. Thus, we designate each attack state with a natural number.
When specifying an attack state, the user should specify only the first two
components of the attack state: (i) a set of strands expected to appear in the at-
tack, and (ii) some positive intruder knowledge. The other two state components
should have just the empty symbol nil. Note that the attack state is indeed a
term with variables; however, the user does not have to provide the variables
denoting “the remaining strands”, “the remaining intruder knowledge”, and the
two variables for the two last state components, since these variables are sym-
bolically inserted by the tool (see Section 7.2 for technical details).
For NSPK, the standard attack is represented as follows:
eq ATTACK-STATE(0) =
:: r ::
[ nil, -(pk(b,a ; N)), +(pk(a, N ; n(b,r))), -(pk(b,n(b,r))) | nil ]
|| n(b,r) inI
|| nil
|| nil
[nonexec] .
where we require the intruder to have learned the nonce generated by Bob.
Therefore, we have to include Bob’s strand in the attack in order to describe
such specific nonce n(b,r).
There are several possibilities to build an attack state by combining what the
intruder learned at the attack state and what honest strands are expected to have
occurred at the attack state. The most common situation is to include positive
intruder facts of the form (m inI) and finished strands (i.e., strands that have
the bar at the end). Note that an attack state can also contain negative intruder
facts of the form (m !inI) although this is not common. Partially executed
strands of the form
:: r1, . . . , ri :: [ nil, m1
±
, . . . , mi
±
| mi+1
±
, . . . , mk
±
, nil ]
are represented in attack states by truncated strands in which only the terms
before the bar appear. For instance, a situation in which the intruder learns
Bob’s nonce without requiring Bob to finish the protocol, is represented as:
eq ATTACK-STATE(0) =
:: r :: [ nil, -(pk(b,a ; N)), +(pk(a, N ; n(b,r))) | nil ]
|| n(b,r) inI
|| nil
|| nil
[nonexec] .](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-31-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 21
The intruder knowledge can also contain inequalities (the condition that a
term is not equal to some other term), which we can also include in the intruder
knowledge component of an attack state. For example, suppose that we want to
specify that a responder executes a strand, apparently with an initiator a, but
the nonce received is not generated by a. This can be done as follows:
eq ATTACK-STATE(0) =
:: r ::
[ nil, -(pk(b,a ; N)), +(pk(a, N ; n(b,r))), -(pk(b,n(b,r))) | nil ]
|| N != n(a,r’)
|| nil
|| nil
[nonexec] .
where t != s means that for any ground substitution θ applicable to t and s
(i.e., θ(t) and θ(s) are ground terms), θ(t) cannot be equal to θ(s) modulo the
equational theory. Note that, since a is a constant and r
is a variable of the
special sort Fresh, N != n(a,r’) means that N cannot be a term of the form
n(a,r’).
In summary, we note the following requirements on attack state specifications:
1. Strands in an attack state must have the bar at the end. This also ap-
plies to partially executed strands, for which the future messages are
discarded.
2. If more than one strand appears in the attack state, they must be separated
by the symbol. If more than one term appears in the intruder knowledge,
they must be separated by commas. If no strands appear, or no intruder
items appear, the empty symbol should be used, in the strands or intruder
knowledge components, respectively.
3. Items that can appear in the intruder knowledge may include not only
terms known by the intruder, but also inequality conditions on terms. Terms
unknown to the intruder are also possible but are not common in attack
states.
4. The last two fields of an attack state must always be nil. These are fields
that contain information that is built up in the backwards search, but should
be empty in the attack state.
4.5 Attack States with Excluded Patterns: Never Patterns
It is often desirable to exclude certain patterns from transition paths leading
to an attack state. For example, one may want to determine whether or not
authentication properties have been violated, e.g., whether it is possible for a
responder strand to appear without the corresponding initiator strand. For this
there is an optional additional field in the attack state containing the never
patterns. It is included at the end of the attack state specification.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-32-320.jpg)
![22 S. Escobar, C. Meadows, and J. Meseguer
Here is how we would specify an initiator strand without a corresponding
responder in the NSPK protocol9
:
eq ATTACK-STATE(1)
= :: r ::
[ nil, -(pk(b,a ; N)), +(pk(a, N ; n(b,r))), -(pk(b,n(b,r))) | nil ]
|| empty
|| nil
|| nil
butNeverFoundAny *** for authentication
(:: r’ ::
[ nil | +(pk(b,a ; N)), -(pk(a, N ; n(b,r))), +(pk(b,n(b,r))), nil ]
S:StrandSet
|| K:IntruderKnowledge
|| M:SMsgList
|| G:GhostList)
[nonexec] .
The tool will now look for all paths in which the intruder strand is executed,
but the corresponding responder strand is not. That is, when we provide an
attack state and some never patterns, a backwards reachability sequence leading
to an initial state will not contain any state that matches any of the never
patterns, where the place of the bar at each strand appearing in a never pattern
is not taken into consideration for matching purposes.
It is also possible to use never patterns to specify negative conditions on terms
or strands. Suppose that we want to ask whether it is possible for a responder
in the NSPK protocol to execute a session of the protocol, apparently with an
initiator, but the nonce received was not the initiator’s. This can be done as
follows:
eq ATTACK-STATE(1)
= :: r ::
[ nil, -(pk(b,a ; N)), +(pk(a, N ; n(b,r))),
-(pk(b,n(b,r))) | nil ]
|| empty
|| nil
|| nil
butNeverFoundAny
( ::: r ::
[ nil | -(pk(b,a ; n(a,r’))), +(pk(a, n(a,r’) ; n(b,r))),
9
Note that variable r’ in the never pattern is not an error. The regular strand in the
attack state is the initiator strand, which generates variable r. The strand in the
never pattern is a pattern that must be valid for any responder strand. Any responder
strand would generate his variable r’’, which would be part of the variable N written
in the never pattern if such a pattern is matched. Indeed, note that the variable r
written in the never pattern is different by definition from the variable r written
in the regular strand, since we are defining an actual strand and a pattern to be
matched.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-33-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 23
-(pk(b,n(b,r))), nil ] S:StrandSet
|| K:IntruderKnowledge
|| M:SMsgList
|| G:GhostList )
[nonexec] .
It is possible to include more than one never pattern in the specification of
an attack state, but then each such pattern must be contained within a pair of
parentheses, e.g.,
butNeverFoundAny
( ... State 1 ... )
( ... State 2 ... )
Never patterns can also be used to cut the down the search space. Suppose, for
example, that one finds in the above search that a number of states are encoun-
tered in which the intruder encrypts two nonces, but they never seem to provide
any useful information. One can reduce the search space by ruling out such in-
truder behavior with the second never pattern in the following attack state:
eq ATTACK-STATE(1)
= :: r ::
[ nil, -(pk(b,a ; N)), +(pk(a, N ; n(b,r))),
-(pk(b,n(b,r))) | nil ]
|| empty
|| nil
|| nil
butNeverFoundAny
(:: r’ :: [nil | +(pk(b,a ; N)), -(pk(a, N ; n(b,r))),
+(pk(b,n(b,r))), nil] S:StrandSet
|| K:IntruderKnowledge
|| M:SMsgList
|| G:GhostList)
(:: nil :: [nil | -(N1 ; N2), +(pk(B, N1 ; N2)), nil] S:StrandSet
|| K:IntruderKnowledge
|| M:SMsgList
|| G:GhostList)
[nonexec] .
Note that adding never patterns to reduce the search space, as distinguished
from their use for verifying authentication properties, means that failure to find
an attack does not necessarily imply that the protocol is secure. It simply means
that any attack against the security property specified in the attack state must
use at least one strand that is specified in the set of never patterns.
There are several things about never patterns that should be noted:
1. The bar in any strand in a never pattern should be at the beginning of the
strand. If it is not, the tool does not report any error and places the bar at
the beginning.
2. Variables in a never pattern are renamed by the tool to assure that they never
appear in the main attack state specification nor in other never patterns.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-34-320.jpg)
![24 S. Escobar, C. Meadows, and J. Meseguer
3. The last two fields in a never pattern must be variables of type SMsgList,
and Ghostlist, respectively, as illustrated in the above examples.
4. The first two fields must end in variables of type Strandset and
IntruderKnowledge, respectively.
5. More than one never pattern can be used in an attack state. However, each
one must be delimited by its own pair of parentheses.
For a good example of the use of never patterns, which makes the Maude-NPA
search considerably more efficient without compromising the completeness of the
reachability analysis, we refer the reader to the analysis of the Diffie-Hellman
protocol in [23].
4.6 Maude-NPA Commands for Attack Search
The commands run, summary, and initials are the tool’s commands for attack
search. They are invoked by reducing them in Maude, that is, by typing the
Maude red command followed by the corresponding Maude-NPA command,
followed by a space and a period. To use them we must specify the attack state
we are searching for and the number of backwards reachability steps we want to
compute. For example, the Maude-NPA command
run(0,10)
tells Maude-NPA to construct the backwards reachability tree up to depth 10
for the attack state designated with natural number 0. The Maude-NPA run
command yields the set of states found at the leaves of the backwards reach-
ability tree of the specified depth that has been generated. When the user is
not interested in the current states of the reachability tree, he/she can use the
Maude-NPA summary command, which outputs just the number of states found
at the leaves of the reachability tree and how many of those are initial states,
i.e., solutions for the attack. For instance, when we give the reduce command in
Maude with the Maude-NPA command summary(0,2) as shown below for the
NSPK example, the tool returns:
red summary(0,2) .
result Summary: States 4 Solutions 0
The initial state representing the standard NSPK attack is found in seven steps.
That is, if we type
red summary(0,7) .
the tool outputs:
red summary(0,7) .
result Summary: States 3 Solutions 1
A slightly different version of the run command, called initials, outputs only
the initial states, instead of all the states at the leaves of the backwards reacha-
bility tree. Thus, if we type
red initials(0,7) .](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-35-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 25
for the NSPK example, our tool outputs the following initial state10
, which
implies that the attack state has been proved reachable and the protocol is
insecure:
Maude red initials(0,7) .
result IdSystem: 1 . 5 . 2 . 7 . 1 . 4 . 3 . 1 (
:: nil :: [nil | -(pk(i, n(b, #1:Fresh))), +(n(b, #1:Fresh)), nil]
:: nil :: [nil | -(pk(i, a ; n(a, #0:Fresh))), +(a ; n(a, #0:Fresh)), nil]
:: nil :: [nil | -(n(b, #1:Fresh)), +(pk(b, n(b, #1:Fresh))), nil]
:: nil :: [nil | -(a ; n(a, #0:Fresh)), +(pk(b, a ; n(a, #0:Fresh))), nil]
:: #1:Fresh :: [nil | -(pk(b, a ; n(a, #0:Fresh))),
+(pk(a, n(a, #0:Fresh) ; n(b, #1:Fresh))), -(pk(b, n(b, #1:Fresh))), nil]
:: #0:Fresh :: [nil | +(pk(i, a ; n(a, #0:Fresh))),
-(pk(a, n(a, #0:Fresh) ; n(b, #1:Fresh))), +(pk(i, n(b, #1:Fresh))), nil])
||
pk(a, n(a, #0:Fresh) ; n(b, #1:Fresh)) !inI,
pk(b, n(b, #1:Fresh)) !inI,
pk(b, a ; n(a, #0:Fresh)) !inI,
pk(i, n(b, #1:Fresh)) !inI,
pk(i, a ; n(a, #0:Fresh)) !inI,
n(b, #1:Fresh) !inI,
(a ; n(a, #0:Fresh)) !inI
||
+(pk(i, a ; n(a, #0:Fresh))),
-(pk(i, a ; n(a, #0:Fresh))),
+(a ; n(a, #0:Fresh)),
-(a ; n(a, #0:Fresh)),
+(pk(b, a ; n(a, #0:Fresh))),
-(pk(b, a ; n(a, #0:Fresh))),
+(pk(a, n(a, #0:Fresh) ; n(b, #1:Fresh))),
-(pk(a, n(a, #0:Fresh) ; n(b, #1:Fresh))),
+(pk(i, n(b, #1:Fresh))),
-(pk(i, n(b, #1:Fresh))),
+(n(b, #1:Fresh)),
-(n(b, #1:Fresh)),
+(pk(b, n(b, #1:Fresh))),
-(pk(b, n(b, #1:Fresh)))
||
nil
This corresponds to the following textbook version of the attack:
1. A → I : pk(I, A; NA)
2. IA → B : pk(B, A; NA)
3. B → A : pk(A, NA; NB), intercepted by I;
4. I → A : pk(A, NA; NB)
5. A → I : pk(I, NB)
6. IA → B : pk(B, NB)
10
Maude-NPA associates an identifier, e.g. 1.5.2.7.1.4.3.1, to each state generated by
the tool. These identifiers are for internal use and are not described here.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-36-320.jpg)
![26 S. Escobar, C. Meadows, and J. Meseguer
It is also possible to generate an unbounded search by specifying the second
argument of run, initials, or summary as unbounded. In that case the tool
will run until it has shown that all the paths it has found either begin in initial
states or in unreachable ones. This check may terminate in finite time, but in
some cases may run forever.
We demonstrate this unbounded search with NSPK:
red summary(0,unbounded) .
result Summary: States 1 Solutions 1
This tells us, that Maude-NPA terminated with only one attack. If we want to
see what that attack looks like, we would instead type
red run(0,unbounded) .
to get the attack displayed above.
The complete analysis of the Diffie-Hellman protocol can be found in [23],
including the initial state proving that the protocol in insecure.
5 How Maude-NPA Works: Backwards Reachability
First, we recall some definitions on rewriting and narrowing in Section 5.1. Then,
we explain in Section 5.2 how the backwards reachability analysis works in practice.
5.1 Rewriting and Narrowing
Continuing Section 2, we recall some definitions on term rewriting and illustrate
each definition by means of examples.
A rewrite rule is an oriented pair of terms (l, r), written l → r, where l
∈ X
and l, r ∈ TΣ(X)s for some sort s ∈ S. An (unconditional) order-sorted rewrite
theory is a triple R = (Σ, E, R) with Σ an order-sorted signature, E a set of
Σ-equations, and R a set of rewrite rules. The rewriting relation →R on TΣ(X)
is t
p
→R t
(or →R) if p ∈ PosΣ(t), l → r ∈ R, t|p = σ(l), and t
= t[σ(r)]p for
some σ. The relation →R/E on TΣ(X) is =E; →R; =E, where ; denotes relation
composition. The relation →R/E is much harder to implement and the weaker
rewrite relation →R,E is usually provided, as it happens in Maude. Assuming
a finitary and complete matching algorithm modulo the equational theory E,
the rewriting relation →R,E on TΣ(X) is defined as t
p
→R,E t
(or →R,E) if
l → r ∈ R, t|p =E σ(l), and t
= t[σ(r)]p.
Maude supports matching modulo any combination of free, associative, com-
mutative, associative-commutative, and associative-commutative with identity
symbols, so that we in effect can rewrite terms modulo any combination of
such axioms. Suppose, for example, an unconditional order-sorted rewrite theory
R = (Σ, E, R) where Σ contains an infix symbol +, E contains the commutativ-
ity property for symbol +, and R contains a rule of the form X + 0 = X. Then
we can apply such a rule to the term 0 + 7 modulo commutativity, even though](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-37-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 27
the constant 0 is on the left of the + symbol. That is, the term 0 + 7 matches
the left-hand side pattern X + 0 modulo commutativity, i.e., 0 + 7 =E (X + 0)σ
where σ = {X
→ 7}. We would express this rewrite step modulo commutativity
with the arrow notation:
0 + 7 →R,E 7
Likewise, we denote by →∗
R,E the reflexive-transitive closure of the one-step
rewrite relation →R,E with the rules R modulo the axioms E. That is, →∗
R,E
corresponds to taking zero, one, or more rewrite steps with the rules R modulo E.
Narrowing generalizes term rewriting by allowing free variables in terms (as in
logic programming) and by performing unification instead of matching in order
to (non–deterministically) reduce a term. Intuitively, the difference between a
rewriting step and a narrowing step is that in both cases we use a rewrite rule
l → r to rewrite t at a position p in t, but narrowing finds values for the variables
in the chosen subject term t|p before actually performing the rewriting step. The
narrowing relation R on TΣ(X) is t
p
σ,R t
(or σ,R, R) if p ∈ PosΣ(t),
l → r ∈ R, σ ∈ CSU∅(t|p = l), and t
= σ(t[r]p). Assuming that E has a finitary
and complete unification algorithm, the narrowing relation R,E on TΣ(X) is
t
p
σ,R,E t
(or σ,R,E, R,E) if p ∈ PosΣ(t), l → r ∈ R, σ ∈ CSUE(t|p = l),
and t
= σ(t[r]p).
Maude supports unification modulo different user-defined theories including
any combination of free, commutative, and associative-commutative symbols; see
Section 6.3 for the algebraic theories admissible for such equational unification
procedure, and Section 6.4 for some examples of admissible theories. Suppose,
for example, the same unconditional order-sorted rewrite theory used above for
rewriting. Then, we can apply the rule X + 0 = X above to the term Z + 7,
where X is a variable, modulo commutativity. That is, the term Z +7 unifies the
left-hand side pattern X + 0 modulo commutativity, i.e., (Z + 7)θ =E (X + 0)θ
where θ = {Z
→ 0, X
→ 7}. We would express this narrowing step modulo
commutativity with the arrow notation:
Z + 7 ;θ,R,E 7
We denote by ;∗
θ,R,E the reflexive-transitive closure of the one-step narrowing
relation ;R,E with the rules R modulo the axioms E, where θ is the composition
of all the unifiers obtained during the sequence.
In Maude-NPA, narrowing is used at two levels: for backwards reachability
analysis from a term with variables (i.e., an attack state), and for equational
unification. We postpone until Section 6 how the narrowing-based equational
unification is performed in Maude-NPA.
5.2 Backwards Reachability Analysis
Given a protocol P and an equational theory EP , Maude-NPA performs back-
wards narrowing reachability analysis from a state St representing an attack
pattern (i.e., a term with variables) using the relation R−1
P ,EP
, where the](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-38-320.jpg)
![28 S. Escobar, C. Meadows, and J. Meseguer
rewrite rules RP are obtained from the protocol strands P. The rewrite the-
ory RP = (Σ, EP , RP ) is topmost, i.e., there is a sort State such that for each
l → r ∈ RP , l, r ∈ TΣ(X)State, r
∈ X, and no operator in Σ has State as an
argument sort. Intuitively, a topmost rewrite theory describes a specification of
a system such that a rewrite or narrowing step can only be performed at the
root of each term denoting a state. The fact that R = (Σ, EP , RP ) is a topmost
rewrite theory has several advantages:
1. The rewriting relation →RP /EP
can be safely simulated by the rewriting
relation →RP ,EP .
2. Similarly, the narrowing relation RP ,EP achieves the same effect as a more
general narrowing relation RP /EP
(see [48]).
3. We obtain the following completeness result between narrowing (RP ,EP )
and rewriting (→RP /EP
):
Theorem 1 (Topmost Completeness). [48] Let R = (Σ, E, R) be a topmost
rewrite theory such that E has a finitary unification algorithm, t, t
∈ TΣ(X),
and let σ be a substitution such that σ(t) →∗
R/E t
. Then, there are substitutions
θ, τ and a term t
such that t ∗
θ,R,E t
, σ(t) =E τ(θ(t)), and t
=E τ(t
).
A state in the protocol execution is a set of Maude-NPA strands unioned together
with an associative and commutativity union operator with identity operator
empty, along with an additional term describing the intruder knowledge at that
point. Note that two extra state components are associated to a Maude-NPA
state in Section 4, but they are irrelevant and useful only for user debugging of
the protocol, so we omit them in this section and in Section 7.
The intruder knowledge is represented as a set of facts unioned together with
an associative and commutativity union operator _,_ with identity operator
empty. There are two kinds of intruder facts: positive knowledge facts (the in-
truder knows m, i.e., (m inI)), and negative knowledge facts (the intruder does
not yet know m but will know it in a future state, i.e., (m !inI)), where m is a
message expression.
Strands communicate between them via a unique shared channel, i.e., by send-
ing messages to the channel and retrieving messages from the channel. However,
we do not explicitly represent the channel in our model. Instead, since the in-
truder is able to learn any message present in the channel, we use the intruder
knowledge as the channel. When the intruder observes a message in the channel,
then he/she learns it. The intruder has the usual ability to read and redirect
traffic, and can also perform operations, e.g., encryption, decryption, concate-
nation, exclusive or, exponentiation, etc., on messages that it has received. As
explained in Section 3, the nature and algebraic properties of such operations de-
pend on the given cryptographic theory EP . Intruder operations are described in
terms of the intruder sending messages to itself, which are represented as differ-
ent strands, one for each action. All intruder and protocol strands are described
symbolically, using a mixture of variables and constants, so a single state spec-
ification as a term with variables symbolically represents many concrete state](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-39-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 29
instances. There is no restriction on the number of principals, number of sessions,
nonces, or time, i.e., no data abstraction or approximation is performed.
The user can make use of a special sort Fresh in the protocol-specific signature
Σ for representing fresh unguessable values, e.g., for nonces. The meaning of
a variable of sort Fresh is that it will never be instantiated by an E-unifier
generated during the backwards reachability analysis. This ensures that if nonces
are represented using variables of sort Fresh, they will never be merged and no
approximation for nonces is necessary. We make the Fresh variables generated
by a strand explicit by writing (r1, . . . , rk : Fresh) [msg±
1 , . . . , msg±
n ], where
r1, . . . , rk are all the variables of sort Fresh generated by msg±
1 , . . . , msg±
n . If it
does not generate any fresh variable, we add nothing to the strand. As explained
in Section 3, the types and algebraic properties of the operators used in messages
(cryptographic and otherwise) are described as an equational theory EP .
In principle, the rewrite rules RP obtained from the protocol strands P are
represented by the following rewrite rules11
:
SS [L | M−
, L
] ((M inI), IK) → SS [L, M−
| L
] ((M inI), IK) (1)
SS [L | M+
, L
] IK → SS [L, M+
| L
] IK (2)
SS [L | M+
, L
] IK → SS [L, M+
| L
] ((M inI), IK) (3)
In a forward execution of the protocol strands, Rule (1) synchronizes an input
message with a message already learned by the intruder, Rule (2) accepts output
messages but the intruder’s knowledge is not increased, and Rule (3) accepts out-
put messages and the intruder’s knowledge is positively increased. New strands
will be added to the state by explicit introduction through dedicated rewrite
rules (one for each honest or intruder strand), e.g.
SS ((sk(i, M) inI), IK) → SS [M−
| sk(i, M)+
] ((sk(i, M) inI), IK)
However, we are interested in a backwards execution of the protocol from an
attack state that contains positive facts in the intruder knowledge. Therefore,
the rule increasing the intruder knowledge, Rule (3), must make explicit when
the intruder learned message M:
SS [L | M+
, L
] ((M !inI), IK) → SS [L, M+
| L
] ((M inI), IK) (4)
Note that this is recorded in the previous state by the negative fact (M !inI),
which can be paraphrased as: “the intruder does not yet know M, but will learn
it in the future”.
For the introduction of new additional strands, we simply record when the
intruder learned message M in each of the rewrite rules explicitly introducing
new strands but, since they are applied backwards, reversing the introduction of
the new strand:
11
The top level structure of the state is a multiset of strands formed with the
union operator. The protocol and intruder rewrite rules are “essentially topmost”
in that, using an extension variable matching the “remaining strands” they can
always rewrite the whole state. Therefore, as explained in [48], completeness results
of narrowing for topmost theories also apply to them.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-40-320.jpg)
![30 S. Escobar, C. Meadows, and J. Meseguer
{ [ l1 | u+
, l2 ] {(u !inI), K} → {(u inI), K} | [ l1, u+
, l2 ] ∈ P} (5)
For example, the following Dolev-Yao action:
SS [M−
| sk(i, M)+
] ((sk(i, M) !inI), IK) → SS ((sk(i, M) inI), IK) (6)
Thus, we can conclude that the set of rewrite rules obtained from the protocol
strands that are used for backwards narrowing reachability analysis is RP =
{(1), (2), (4)} ∪ (5).
For example, consider the the NSPK attack state:
(r : Fresh)[ pk(b, a; N)−
, pk(a, N; n(b, r))+
, pk(b, n(b, r))−
| nil ] (n(b, r) inI)
and the Rule (6). We can apply this rule to our attack state modulo the equa-
tional theory for NSPK. That is, the attack term above unifies with the left-hand
side of the rule modulo the following cancellation equational rules EP :
pk(A, sk(A, Z)) = Z sk(A, pk(A, Z)) = Z
To be more concrete, the term n(b, r) unifies12
with the term sk(i, M) modulo
the cancellation equational rules yielding the unifier θ = {M
→ pk(i, n(b, r))}.
Therefore, we obtain the following predecessor state using the narrowing relation
;θ,R−1
P ,EP
from the NSPK attack state:
[ pk(i, n(b, r))−
| n(b, r)+
]
(r : Fresh)[ pk(b, a; N)−
, pk(a, N; n(b, r))+
, pk(b, n(b, r))−
| nil ] (n(b, r) !inI)
In a backwards execution of the protocol using narrowing we start from an
attack pattern, i.e., a term with variables, containing: (i) some of the strands
of the protocol to be executed backwards, (ii) a variable SS denoting a set of
additional strands, (iii) some terms the intruder knows at the attack state, i.e.,
of the form (t inI), and (iv) a variable IK denoting a set of additional intruder
facts. We then perform narrowing with the rules RP in reverse to move the
bars of the strands to the left until either we find an initial state, or cannot
perform any other useful backwards narrowing steps. Note that variables SS
and IK will be instantiated by backwards narrowing to additional strands and
additional intruder facts, respectively, in order to find an initial state. Indeed,
these variables SS and IK are not required for the specification of the attack
state as explained in Section 4.4; see Section 7.2 for further technical details.
6 How Maude-NPA Works: Equational Unification
Sound techniques for equational unification are paramount to Maude-NPA, since
it performs symbolic reachability analysis modulo the equational theory of the
12
This equational unification procedure is also performed by narrowing and is ex-
plained in Section 6 below.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-41-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 31
protocol. This makes Maude-NPA verification much stronger than verification
methods based on a purely syntactic view of the algebra of messages as a term
algebra using the standard Dolev-Yao model of perfect cryptography in which no
algebraic properties are assumed. Indeed, it is well-known that various protocols
that have been proved secure under the standard Dolev-Yao model can be bro-
ken by an attacker who exploits the algebraic properties of some cryptographic
functions (see, e.g., [41, 43, 46]).
In the standard Dolev-Yao model, symbolic reachability analysis typically
takes the form of representing sets of states symbolically as terms with logical
variables, and then performing syntactic unification with the protocol rules to
explore reachable states. This can be done in either a forwards or a backwards
fashion. In the Maude-NPA (which can also be used for analyses under the
standard Dolev-Yao model when no algebraic properties are specified) symbolic
reachability analysis is performed in a backwards fashion (as already explained
in Section 5), beginning with a symbolic representation of an attack state, and
searching for an initial state, which then provides a proof that an attack is
possible; or a proof that no such attack is possible if all such search paths fail
to reach an initial state.
However, if the Maude-NPA analyzes a protocol for which algebraic properties
have been specified by an equational theory T , the same symbolic reachability
analysis is performed in the same fashion, but now modulo T . What this means
precisely is that, instead of performing syntactic unification between a term
representing symbolically a set of states and the righthand-side (in the backwards
reachability case) of a protocol rule, we now perform equational unification with
the theory T , (also called T -unification, or unification modulo T ) between the
same term and the same righthand side of a protocol rule. In what follows we
explain several things regarding T -unification in the Maude-NPA:
– In Section 6.1, equational axioms for which the Maude-NPA provides built-in
support for equational unification.
– In Section 6.2, narrowing-based equational unification in general, which is
however infeasible for Maude-NPA analysis when the number of unifiers
generated is infinite.
– In Section 6.3, the most general class of equational theories for which the
Maude-NPA can currently support unification by narrowing, with the im-
portant requirement of the number of unifier solutions being finite. These
are called admissible theories.
– Some examples of admissible theories in Section 6.4.
6.1 Built-In Support for Unification Modulo Equational Axioms
The Maude-NPA has built-in support for unification modulo certain equational
theories T thanks to the underlying Maude infrastructure. Specifically, the
Maude-NPA automatically supports unification modulo T for T any order-sorted
theory of the form T = (Σ, Ax), where Σ is a signature declaring sorts, sub-
sorts, and function symbols (as we have already illustrated with examples in](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-42-320.jpg)
![32 S. Escobar, C. Meadows, and J. Meseguer
Section 3.2) and Ax is a collection of equational axioms where some binary
operators f in the signature Σ may have axioms in Ax for either commuta-
tivity (f(x, y) = f(y, x)), or commutativity and associativity (f(x, f(y, z)) =
f(f(x, y), z)). Associativity alone is not supported, because it is well-known that
unification problems modulo associativity may have an infinite number of uni-
fiers (see, e.g., [5]). As already illustrated in Section 3.4, the way associativity,
and/or commutativity axioms are specified in Maude for a function symbol f
is not by giving those axioms explicitly, but by declaring f in Maude with the
assoc and/or comm attributes. For example a function symbol f of sort S which
is associative and commutative is specified in Maude as follows:
op f : S S - S [assoc comm] .
6.2 Narrowing-Based Equational Unification and Its Limitations
Of course, many algebraic theories T of interest in protocol analysis fall outside
the scope of the above-mentioned class of theories T based on combinations of
associativity and/or commutativity axioms, for which the Maude-NPA provides
automatic built-in support. Therefore, the burning issue is how to support more
general classes of algebraic theories in the Maude-NPA.
In this regard, a very useful, generic method to obtain T -unification algorithms
is narrowing [29, 31]. Mathematically, an algebraic theory T is a pair of the form
T = (Σ, E ∪ Ax), where Σ is a signature declaring sorts, subsorts, and function
symbols, and where E ∪ Ax is a set of equations, that we assume is split into a
set Ax of equational axioms such as our previous combinations of associativity
and/or commutativity axioms, and a set E of oriented equations to be used from
left to right as rewrite rules. In Maude, the axioms Ax are declared by means
of the assoc and/or comm attributes. Instead, the equations E are declared with
the eq keyword as we have illustrated with examples in Section 3.4.
An algebraic theory T = (Σ, E ∪ Ax) must satisfy the following four
requirements:
1. The axioms Ax can declare some binary operators in Σ to be commutative
(with the comm attribute), or associative-commutative (with the assoc and
comm attributes).
2. The equations E are confluent modulo Ax.
3. The equations E are terminating modulo Ax.
4. The equations E are coherent modulo Ax.
We now explain in detail what these requirements mean. First, the equational
theory T = (Σ, E ∪ Ax) is viewed as an unconditional order-sorted rewrite
theory RT = (Σ, Ax, E), so that we perform rewrite steps with the rewrite rules
E modulo Ax, i.e., the reduction relation →E,Ax explained in Section 5.1, where,
in the notation →R,E, now R = E and E = Ax.
Confluence. The equations E are called confluent modulo Ax if and only if for
each term t in the theory T = (Σ, E ∪ Ax), if we can rewrite t with E modulo](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-43-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 33
Ax in two different ways as: t −→∗
E,Ax u and t −→∗
E,Ax v, then we can always
further rewrite u and v to a common term up to identity modulo Ax. That is,
we can always find terms u
, v
such that:
– u −→∗
E,Ax u
and v −→∗
E,Ax v
, and
– u
=Ax v
That is, u
and v
are essentially the same term, in the sense that they are equal
modulo the axioms Ax. In the example of Section 5.1, we have, for instance,
0 + 7 =Ax 7 + 0.
Termination. The equations E are called terminating modulo Ax if and only
if all rewrite sequences terminate; that is, if and only if we never have an infinite
sequence of rewrites
t0 →E,Ax t1 →E,Ax t2 . . . tn →E,Ax tn+1 . . .
Coherence. Rather than explaining the coherence modulo Ax notion in general
(the precise definition of the general notion can found in [31]), we explain in
detail its meaning in the case where it is needed for the Maude-NPA, namely,
the case of associative-commutative (AC) symbols. The best way to illustrate
the meaning of coherence is by its absence. Consider, for example, an exclusive or
operator ⊕ which has been declared AC. Now consider the equation X ⊕X = 0.
This equation, if not completed by another equation, is not coherent modulo AC.
What this means is that there will be term contexts in which the equation should
be applied, but it cannot be applied. Consider, for example, the term b⊕(a⊕b).
Intuitively, we should be able to apply to it the above equation to simplify it to
the term a⊕0 in one step. However, since we are using the weaker rewrite relation
→E,Ax instead of the stronger but much harder to implement relation →E/Ax,
we cannot! The problem is that the equation cannot be applied (even if we match
modulo AC) to either the top term b ⊕ (a ⊕ b) or the subterm a ⊕ b. We can
however make our equation coherent modulo AC by adding the extra equation
X ⊕ X ⊕ Y = 0 ⊕ Y , which, using also the equation X ⊕ 0 = X, we can slightly
simplify to the equation X ⊕X ⊕Y = Y . This second variant of our equation will
now apply to the term b⊕(a⊕b), giving the simplification b⊕(a⊕b) −→E,Ax a.
Technically, what coherence means is that the weaker relation →E,Ax becomes
semantically equivalent to the stronger relation →E/Ax.
For the Maude-NPA, coherence is only an issue for AC symbols. And there
is always an easy way, given a set E of equations, to make them AC-coherent.
The method is as follows. For any symbol f which is AC, and for any equation
of the form f(u, v) = w in E, we add also the equation f(f(u, v), X) = f(w, X),
where X is a new variable not appearing in u, v, w. In an order-sorted setting, we
should give to X the biggest sort possible, so that it will apply in all generality. As
an additional optimization, note that some equations may already be coherent
modulo AC, so that we need not add the extra equation. For example, if the
variable X has the biggest possible sort it could have, then the equation X ⊕](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-44-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 35
Confluence, termination, and coherence were explained in Section 6.2. We
now explain in detail what strongly right irreducibility means. Given a theory
T = (Σ, E ∪ Ax), which we assume satisfies requirements (1)-(4) above, we call
the set E of equations strongly right irreducible iff for each equation t = t
in
E, we cannot further simplify by the equations E modulo Ax either the term t
,
or any substitution instance θ(t
) where the terms in the substitution θ cannot
themselves be further simplified by the equations E modulo Ax. Obvious cases
of such righthand-sides t
include:
– a single variable;
– a constant for which no equations exist;
– more generally, a constructor term, i.e., a term whose function symbols have
no associated equations.
But these are not the only possible cases where strong right irreducibility can
be applied. Typing, particularly the use of sorts and subsorts in an order-sorted
equational specification, can greatly help in attaining strong right irreducibility.
We refer the reader to [19, 21] for two examples of how order-sorted typing
helps narrowing-based unification to become finitary. We discuss one of these
examples, namely Diffie-Hellman, in the following section.
Finally, let us motivate with an example how this narrowing-based equational
unification works. Consider the exclusive-or theory:
X ⊕ X ⊕ Y = Y
X ⊕ X = 0
X ⊕ 0 = X
viewed as the order-sorted rewrite theory R = (Σ, Ax, E) where Ax contains the
associativity and commutativity of ⊕ and E contains the three equational rules
above. Given the equational problem t
?
= s, where t = X ⊕ Y and s = U ⊕ V ,
we perform narrowing on t with the equations E modulo the axioms Ax. We
can apply a renamed version (e.g. Z ⊕ Z ⊕ W) of the first equation to the term
X ⊕ Y . That is, the term X ⊕ Y unifies modulo AC with the term Z ⊕ Z ⊕ W
and one of the unifiers is σ = {X
→ W
⊕ Z
, Y
→ Z
, W
→ W
, Z
→ Z
}. We
express this narrowing step as
X ⊕ Y ;σ,E,Ax W
Note that, according to [27], we simply unify the terms W
and U⊕V modulo AC
to finish the equational unification procedure, obtaining σ
= {X
→ (U ⊕ V ) ⊕
Z
, Y
→ Z
} as an equational unifier of terms t and s modulo the equational
theory for exclusive-or. This unifier is not necessarily the only one possible: given
an equation t = t
, by successive narrowing of t and t
followed by attempts of
Ax-unification, other unifiers can be computed. However, since the exclusive or
theory satisfies conditions (1)-(5) above, we are guaranteed that there will be a
finite complete set of unifiers obtained this way by narrowing.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-46-320.jpg)
![36 S. Escobar, C. Meadows, and J. Meseguer
6.4 Some Examples of Admissible Theories
Since any user of the Maude-NPA should write specifications whose algebraic
theories are admissible, i.e., satisfy requirements (1)–(5) in Section 6.3, it may
be useful to illustrate how these requirements are met by several examples. This
can give a Maude-NPA user a good intuitive feeling for how to specify algebraic
theories that the Maude-NPA currently can handle. For this purpose, we revisit
the theories already discussed in Section 3.4.
Let us begin with the theory of Encryption/Decryption:
var Z : Msg .
var A : Name .
*** Encryption/Decryption Cancellation
eq pk(A,sk(A,Z)) = Z [nonexec] .
eq sk(A,pk(A,Z)) = Z [nonexec] .
In this case Ax = ∅. It is obvious that in this case the equations E terminate,
since the size of a term as a tree (number of nodes) strictly decreases after the
application of any of the above two rules, and therefore it is impossible to have an
infinite chain of rewrites with the above equations. It is also easy to check that the
equations are confluent: by the termination of E this can be reduced to checking
confluence of critical pairs, which can be easily discharged by automated tools
[16], or even by hand. Since Ax = ∅, coherence is a mute point. The equations
are also strongly right irreducible, because in both cases they are the variable Z,
and any instance of Z by a term that cannot be further simplified by the above
equations, obviously cannot be further simplified by hypothesis.
Let us now consider the Exclusive Or Theory:
--- XOR operator
op _+_ : Msg Msg - Msg [frozen assoc comm] .
op null : - Msg .
vars X Y : Msg .
--- XOR equational properties
eq X + X + Y = Y [nonexec] .
eq X + X = null [nonexec] .
eq X + null = X [nonexec] .
In this case Ax = AC. Termination modulo AC is again trivial, because the
size of a term strictly decreases after applying any of the above equations modulo
AC. Because of termination modulo AC, confluence modulo AC can be reduced
to checking confluence of critical pairs, which can be discharged by standard
tools [16]. Coherence modulo AC is also easy. As already explained, the first
equation has to be added to the second to make it coherent. As also explained
above, since the sort Msg is the biggest possible for the exclusive or operator,
the variable X in the last equation has the biggest possible sort it can have, and](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-47-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 37
therefore that equation is already coherent, so that there is no need to add an
extra equation of the form
eq X + null + Y = X + Y [nonexec] .
because modulo AC such an equation is in fact an instance of the third equation
(by instantiating X to the term X + Y). Finally, strong right irreducibility is
also obvious, since the righthand sides are either variables, or the constant null,
for which no equations exist.
Turning now to the Diffie-Hellman theory we have:
sorts Name NeNonceset Nonce Gen Exp GenvExp Enc .
subsort Name NeNonceset Enc Exp Msg .
subsort Nonce NeNonceset .
subsort Gen Exp GenvExp .
subsort Name Gen Public .
op g : - Gen [frozen] .
op exp : GenvExp NeNonceSet - Exp [frozen] .
op _*_ : NeNonceSet NeNonceSet - NeNonceSet [frozen assoc comm] .
eq exp(exp(W:Gen,Y:NeNonceSet),Z:NeNonceSet)
= exp(W:Gen, Y:NeNonceSet * Z:NeNonceSet) [nonexec] .
Again, this theory is AC. Termination modulo AC is easy to prove by using
a polynomial ordering with AC polynomial functions (see [47]). For example,
we can associate to exp the polynomial x + y + 1, and to * the polynomial
x + y. Then the proof of termination becomes just the polynomial inequality
w + y + z + 2 w + y + z + 1. Because of termination modulo AC, confluence
modulo AC can be reduced to checking the confluence of critical pairs. Here
things become interesting. In an untyped setting, the above equation would have
a nontrivial overlap with itself (giving rise to a critical pair), by unifying the
lefthand side with the subterm exp(W:Gen,Y:NeNonceSet). However, because
of the subsort and operator declarations
subsort Gen Exp GenvExp .
op exp : GenvExp NeNonceSet - Exp [frozen] .
we see that the order-sorted unification of the subterm exp(W:Gen,Y:NeNonceSet)
(which has sort Exp) and the lefthand side now fails, because the sorts Gen and
Exp are mutually exclusive and cannot have any terms in common. Therefore
there are no nontrivial critical pairs and the equation is confluent modulo AC.
Coherence modulo AC is trivially satisfied, because the top operator of the equa-
tion (exp) is not an AC operator. As in the case of confluence modulo AC, the
remaining issue of strong right irreducibility becomes particularly interesting in
the order-sorted context. Note that in an untyped setting, an instance of the
righthand side by applying a substitution whose terms cannot be further simpli-
fied could itself be simplified. For example, if we consider the untyped righthand](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-48-320.jpg)
![38 S. Escobar, C. Meadows, and J. Meseguer
side term exp(W, Y * Z), the substitution θ mapping W to exp(Q,X) and being
the identity on Y and Z is itself irreducible by the equations, but when applied
to exp(W, Y * Z) makes the corresponding instance reducible by the untyped
version of the above equation. However, in the order-sorted setting in which
our equation is defined, the equation is indeed strongly right irreducible. This
is again because the sorts Gen and Exp are mutually exclusive and cannot have
any terms in common, so that the variable W:Gen cannot be instantiated by any
term having exp as its top operator.
It may perhaps be useful to conclude this section with an example of an
algebraic theory that cannot be supported in the current version of Maude-
NPA. Consider, the extension of the above exclusive or theory in which we add
a homomorphism operator and the obvious homomorphism equation:
op h : Msg - Msg .
vars X Y : Msg .
eq h(X + Y) = h(X) + h(Y) [nonexec] .
The problem now is that the righthand side h(X) + h(Y) fails to be strongly
right-irreducible. For example, the substitution θ mapping X to U + V and Y to
Y is itself irreducible, but produces the instance h(U + V) + h(Y), which is
obviously reducible. Since strong irreducibility is only a sufficient condition for
narrowing-based equational unification to be finitary, one could in principle hope
that this homomorphism example might still have a narrowing-based finitary
algorithm14
. However, the hopes for such a finitary narrowing-based algorithm
are dashed to the ground by results in both [15], about the homomorphism
theory not having the “finite variant” property, and the variant-based unification
methods in [25].
In summary, the main point we wish to emphasize is that the equational
theories T for which the current version of Maude-NPA will work properly are
order-sorted theories of the form T = (Σ, E ∪ Ax) satisfying the admissibility
requirements (1)–(5). Under assumptions (1)–(5), T -unification problems are
always guaranteed to have a finite number of solutions and the Maude-NPA will
find them by narrowing.
As a final caveat, if the user specifies a theory T where any of the above re-
quirements (1)–(5) fail, besides the lack of completeness that would be caused by
14
The fact that an equational theory T does not have a finitary narrowing-based al-
gorithm does not by itself preclude the existence of a finitary unification algorithm
obtained by other methods. In fact, the homomorphic theory we have just described
does have a finitary unification algorithm [2]; however this dedicated unification
algorithm is not an instance of a generic narrowing-based algorithm. However, as
already explained, in the Maude-NPA the theories for which finitary unification is
currently supported are either order-sorted theories with built-in axioms of commu-
tativity and associativity-commutativity, or theories modulo such built-in axioms
that are confluent, terminating, and coherent modulo Ax, and that are also strongly
right irreducible.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-49-320.jpg)
![40 S. Escobar, C. Meadows, and J. Meseguer
set of intruder facts, whereas the attack states explained in Section 4.4 do not
contain those variables.
As pointed out in Section 5.2, Rules of type (5) allow the dynamic introduction
of new strands. However, new strands can also be introduced by unification
of a state containing a variable SS denoting a set of strands and one of the
Rules (1), (2), and (4), where variables L and L
denoting lists of input/output
messages will be introduced by instantiation of SS. The same can happen with
new intruder facts of the form (X inI), where X is a variable. That is, consider
a state containing a variable SS denoting a set of strands and a variable IK
denoting a set of intruder knowledge, and the Rule (1):
SS
[L | M−
, L
] ((M inI), IK
) → SS
[L, M−
| L
] ((M inI), IK
)
The following backwards narrowing step applying such a rule can be performed
from the state above using the unifier σ = {SS
→ SS
[L, M−
| L
], IK
→
((M inI), IK
)}
SS IK
σ
R,E SS
[L | M−
, L
] ((M inI), IK
)
but this backwards narrowing step is unproductive, since it is not guided by the
information in the attack state. Indeed, the same rule can be applied again using
variables SS
and IK
and this can be repeated many times.
In order to avoid a huge number of unproductive narrowing steps, we allow the
introduction of new strands and/or new intruder facts only by rule application
instead of just by unification. For this, we do two things:
1. we remove any of the following variables from attack states; SS denoting a
set of strands, IK denoting a set of intruder facts, and L, L
denoting a set
of input/output messages; and
2. we replace Rule (1) by the following Rule (7), since we do no longer have a
variable denoting a set of intruder facts that has to be instantiated:
SS [L | M−
, L
] {(M inI), IK} → SS [L, M−
| L
] {IK} (7)
Note that in order to replace Rule (1) by Rule (7) we have to assume that
the intruder knowledge is a set of intruder facts without repeated elements, i.e.,
the union operator _,_ is ACUI (associative-commutative-identity-idempotent).
This is completeness-preserving, since it is in line with the restriction in [20]
that the intruder learns a term only once; if the intruder needs to use a term
twice he must learn it the first time it is needed; if he learns a term and needs
to learn it again in the backwards search, the state will be discarded as un-
reachable. Therefore, the set of rewrite rules used for backwards narrowing is
RP = {(7), (2), (4)} ∪ (5).
Furthermore, one may imagine that Rule (4) and Rules of type (5) must
also be modified in order to remove the (M inI) expression from the intruder
knowledge of the right-hand side of each rule. However, this is wrong, since, by
keeping the (M inI), we force the backwards application of such rule only when
there is indeed a message for the intruder to be learned. This provides some sort
of on-demand evaluation of the protocol.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-51-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 41
7.3 Partial Order Reduction Giving Priority to Input Messages
The different rewrite rules on which the backwards narrowing search from an
attack state is based are in general executed nondeterministically. This is because
the order of execution can make a difference as to what subsequent rules can
be executed. For example, an intruder cannot receive a term until it is sent by
somebody, and that send action within a strand may depend upon other receives
in the past. There is one exception, Rule (7) (originally Rule (1)), which, in a
backwards search, only moves a negative term appearing right before the bar into
the intruder knowledge. The execution of this transition in a backwards search
does not disable any other transitions; indeed, it only enables send transitions.
Thus, it is safe to execute it at each stage before any other transition. For the
same reason, if several applications of Rule 7 are possible, it is safe to execute
them all at once before any other transition. Requiring all executions of Rule
7 to execute first thus eliminates interleavings of Rule 7 with send and receive
transitions, which are equivalent to the case in which Rule 7 executes first. In
practice, this typically cuts down in half the search space size.
Similar strategies have been employed by other tools in forward searches. For
example, in [45], a strategy is introduced that always executes send transitions
first whenever they are enabled. Since a send transition does not depend on any
other component of the state in order to take place, it can safely be executed
first. The original NPA also used this strategy; it had a receive transition which
had the effect of adding new terms to the intruder knowledge, and which always
was executed before any other transition once it was enabled.
7.4 Detecting Inconsistent States Early
There are several types of states that are always unreachable or inconsistent. If
the Maude-NPA attempts to search beyond them, it will never find an initial
state. For this reason, we augment the Maude-NPA search engine to always mark
the following types of states as unreachable, and not search beyond them any
further:
1. A state St containing two contradictory facts (t inI) and (t !inI) for a
term t.
2. A state St whose intruder knowledge contains the fact (t !inI) and a strand
of the form [m±
1 , . . . , t−
, . . . , m±
j−1 | m±
j , . . . , m±
k ].
3. A state St containing a fact (t inI) such that t contains a fresh variable r
and the strand in St indexed by r, i.e., (r1, . . . , r, . . . , rk : Fresh) [m±
1 , . . . ,
m±
j−1 | m±
j , . . . , m±
k ], cannot produce r, i.e., r is not a subterm of any output
message in m±
1 , . . . , m±
j−1.
4. A state St containing a strand of the form [m±
1 , . . . , t−
, . . . , m±
j−1 | m±
j , . . . ,
m±
k ] for some term t such that t contains a fresh variable r and the strand
in St indexed by r cannot produce r.
Note that case 2 will become an instance of case 1 after some backwards narrow-
ing steps, and the same happens with cases 4 and 3. The proof of inconsistency
of cases 1 and 3 is obvious.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-52-320.jpg)
![42 S. Escobar, C. Meadows, and J. Meseguer
7.5 Transition Subsumption
Partial order reduction techniques (POR) are common in state exploration tech-
niques due to their simplification properties. However, partial order techniques
for narrowing-based state exploration have not been explored in detail, although
they may be extremely relevant and even simplify much more than in standard
state exploration techniques, based on ground terms rather than terms with vari-
ables. For instance, the simple concept of two states being equivalent modulo
renaming of variables does not apply to standard state exploration techniques
whereas it does apply to narrowing-based state exploration. In [24], Escobar
and Meseguer explored narrowing-based state exploration and POR techniques,
which may transform an infinite-state system into a finite one. However, the
Maude-NPA needs a dedicated POR technique that should combine different
previous ideas in order to be applicable to the concrete execution model.
Let us motivate this with an example before giving more technical explana-
tions. Consider again the NSPK attack state:
(r : Fresh)[ pk(b, a; N)−
, pk(a, N; n(b, r))+
, pk(b, n(b, r))−
| nil ] (n(b, r) inI)
After a couple of backwards narrowing steps, the Maude-NPA finds the following
state:
[ nil | n(b, r)−
, pk(b, n(b, r))+
]
(r : Fresh)[ pk(b, a; N)−
, pk(a, N; n(b, r))+
| pk(b, n(b, r))−
]
((pk(b, n(b, r)) !inI), (n(b, r) inI))
which corresponds to the intruder generating (i.e., learning) the message
pk(b, n(b, r)) from the message n(b, r), which he/she already knows; and the
following state
(r : Fresh)[ pk(b, a; N)−
, pk(a, N; n(b, r))+
| pk(b, n(b, r))−
]
(r
: Fresh)[pk(b, A
; n(A
, r
))+
| pk(A
, n(A
, r
); n(b, r))−
, pk(b, n(b, r))+
]
((pk(b, n(b, r)) !inI), (pk(A
, n(A
, r
); n(b, r)) inI), (n(b, r) inI))
which corresponds to the responder (identified by variable r) talking to an ini-
tiator (identified by variable r
). However, this second state is implied by the
first state. Intuitively, the elements present in the first state that are relevant
for the backwards reachability are both included in the second state, namely the
(n(b,r) inI) item and the message pk(b, a; N)−
that will be converted at some
point into (pk(b,a;N) inI). Indeed, the unreachability of the following “kernel”
state implies the unreachability of both states, although this kernel state is never
computed by the Maude-NPA:
(r : Fresh)[ pk(b, a; N)−
, pk(a, N; n(b, r))+
| pk(b, n(b, r))−
] (n(b, r) inI)
Note that the converse is not true, i.e., the second state does not imply the first
one, since it contains one more intruder item relevant for backwards reachability
purposes, namely (pk(A’,n(A’,r’);n(b,r)) inI).](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-53-320.jpg)
![Maude-NPA: Cryptographic Protocol Analysis 43
In the following, we write IK∈
(resp. IK
∈
) to denote the subset of intruder
facts of the form (t inI) (resp. (t !inI)) appearing in the set of intruder facts
IK. We abuse the set-theoretic notation and write IK1 ⊆EP IK2 for IK1 and
IK2 sets of intruder facts to denote that all the intruder facts of IK1 appear in
IK2 (modulo EP ).
Definition 1. Given a topmost rewrite theory R = (Σ, EP , RP ) representing
protocol P, and given two non-initial states St1 = SS1 {IK1} and St2 =
SS2 {IK2}, we write St1 St2 (or St2 St1) if IK∈
1 ⊆EP IK∈
2 , and for each
non-initial strand [ m±
1 , . . . , m±
j−1 | m±
j , . . . , m±
k ] ∈ SS1, there exists [ m±
1 , . . . ,
m±
j−1 | m±
j , . . . , m±
k , m±
k+1, . . . , m±
k ] ∈ SS2. Note that the comparison of the
non-initial strand in SS1 with the strands in SS2 is performed modulo EP .
Definition 2 (P-subsumption relation). Given a topmost rewrite theory
R = (Σ, EP , RP ) representing protocol P and two non-initial states St1, St2.
We write St1 P St2 and say that St1 is P-subsumed by St2 if there is a
substitution θ s.t. St1 θ(St2).
This technique is used as follows: we keep all the states of the backwards narrowing-
based tree and compare each new leaf of the tree with all the previous states in
the tree. If a leaf is P-subsumed by a previously generated node in the tree, we
discard such leaf.
7.6 The Super Lazy Intruder
Sometimes terms appear in the intruder knowledge that are trivially learnable
by the intruder. These include terms initially available to the intruder (such as
names) and variables. In the case of variables, the intruder can substitute any
arbitrary term of the same sort as the variable,15
and so there is no need to try
to determine all the ways in which the intruder can do this. For this reason it
is safe, at least temporarily, to drop these terms from the state. We will refer
to those terms as lazy intruder terms. The problem of course, is that later on
in the search the variable may become instantiated, in which case the term
now becomes relevant to the search. In order to avoid this problem, we take an
approach similar to that of the lazy intruder of Basin et al. [6] and extend it to
a more general case, that we call the super-lazy terms. We note that this use of
what we here call the super-lazy intruder was also present in the original NPA.
Super-lazy terms are defined inductively as the union of the set of lazy terms,
i.e., variables, with the set of terms that are produced out of other super-lazy
terms using operations available to the intruder. That is, e(K, X) is a super-lazy
term if the intruder can perform the e operation, and K and X are variables.
More precisely, the set of super-lazy intruder terms is defined as follows.
15
This, of course, is subject to the assumption that the intruder can produce at least
one term of that sort. But since the intruder is assumed to have access to the network
and to all the operations available to an honest principal, this is a safe assumption
to make.](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-54-320.jpg)
![This ebook is for the use of anyone anywhere in the United States
and most other parts of the world at no cost and with almost no
restrictions whatsoever. You may copy it, give it away or re-use it
under the terms of the Project Gutenberg License included with this
ebook or online at www.gutenberg.org. If you are not located in the
United States, you will have to check the laws of the country where
you are located before using this eBook.
Title: Cours familier de Littérature - Volume 22
Author: Alphonse de Lamartine
Release date: October 16, 2012 [eBook #41080]
Most recently updated: October 23, 2024
Language: French
Credits: Produced by Mireille Harmelin, Christine P. Travers and
the Online Distributed Proofreading Team at
http://www.pgdp.net (This file was produced from images
generously made available by the Bibliothèque nationale
de France (BnF/Gallica) at http://gallica.bnf.fr)
*** START OF THE PROJECT GUTENBERG EBOOK COURS FAMILIER
DE LITTÉRATURE - VOLUME 22 ***](https://image.slidesharecdn.com/829671-250529053731-397573e3/85/Foundations-Of-Security-Analysis-And-Design-V-Fosad-200720082009-Tutorial-Lectures-1st-Edition-Santiago-Escobar-60-320.jpg)
Foundations Of Security Analysis And Design V Fosad 200720082009 Tutorial Lectures 1st Edition Santiago Escobar
- 1. Foundations Of Security Analysis And Design V Fosad 200720082009 Tutorial Lectures 1st Edition Santiago Escobar download https://ebookbell.com/product/foundations-of-security-analysis- and-design-v-fosad-200720082009-tutorial-lectures-1st-edition- santiago-escobar-1659342 Explore and download more ebooks at ebookbell.com
- 2. Here are some recommended products that we believe you will be interested in. You can click the link to download. Foundations Of Security Analysis And Design V Fosad 200720082009 Tutorial Lectures 1st Edition Santiago Escobar https://ebookbell.com/product/foundations-of-security-analysis-and- design-v-fosad-200720082009-tutorial-lectures-1st-edition-santiago- escobar-4141806 Foundations Of Security Analysis And Design Vi Fosad Tutorial Lectures 1st Edition Sabrina De Capitani Di Vimercati https://ebookbell.com/product/foundations-of-security-analysis-and- design-vi-fosad-tutorial-lectures-1st-edition-sabrina-de-capitani-di- vimercati-2471896 Foundations Of Security Analysis And Design Iii Fosad 20042005 Tutorial Lectures 1st Edition Michael Backes https://ebookbell.com/product/foundations-of-security-analysis-and- design-iii-fosad-20042005-tutorial-lectures-1st-edition-michael- backes-4239068 Foundations Of Security Analysis And Design Iv Fosad 20062007 Tutorial Lectures 1st Edition Martn Abadi Auth https://ebookbell.com/product/foundations-of-security-analysis-and- design-iv-fosad-20062007-tutorial-lectures-1st-edition-martn-abadi- auth-4240074
- 3. Foundations Of Security Analysis And Design Ii Fosad 20012002 Tutorial Lectures 1st Edition Alessandro Aldini https://ebookbell.com/product/foundations-of-security-analysis-and- design-ii-fosad-20012002-tutorial-lectures-1st-edition-alessandro- aldini-4604002 Foundations Of Security Analysis And Design Vii Fosad 20122013 Tutorial Lectures 1st Edition Alessandro Aldini https://ebookbell.com/product/foundations-of-security-analysis-and- design-vii-fosad-20122013-tutorial-lectures-1st-edition-alessandro- aldini-4932426 Foundations Of Security Analysis And Design Viii Fosad 201420152016 Tutorial Lectures 1st Edition Alessandro Aldini https://ebookbell.com/product/foundations-of-security-analysis-and- design-viii-fosad-201420152016-tutorial-lectures-1st-edition- alessandro-aldini-5607286 Foundations Of Security Analysis And Design Tutorial Lectures 1st Edition Peter Y A Ryan Auth https://ebookbell.com/product/foundations-of-security-analysis-and- design-tutorial-lectures-1st-edition-peter-y-a-ryan-auth-1533728 Foundations And Applications Of Security Analysis Joint Workshop On Automated Reasoning For Security Protocol Analysis And Issues In The Theory Of Security Arspawits 2009 York Uk March 2829 2009 Revised Selected Papers 1st Edition Adedayo O Adetoye https://ebookbell.com/product/foundations-and-applications-of- security-analysis-joint-workshop-on-automated-reasoning-for-security- protocol-analysis-and-issues-in-the-theory-of-security- arspawits-2009-york-uk-march-2829-2009-revised-selected-papers-1st- edition-adedayo-o-adetoye-2023396
- 5. Lecture Notes in Computer Science 5705 Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen University of Dortmund, Germany Madhu Sudan Microsoft Research, Cambridge, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max-Planck Institute of Computer Science, Saarbruecken, Germany
- 6. Alessandro Aldini Gilles Barthe Roberto Gorrieri (Eds.) Foundations of Security Analysis and Design V FOSAD 2007/2008/2009 Tutorial Lectures 1 3
- 7. Volume Editors Alessandro Aldini Università degli Studi di Urbino "Carlo Bo" Istituto di Scienze e Tecnologie dell’Informazione Piazza della Repubblica 13, 61029 Urbino, Italy E-mail: alessandro.aldini@uniurb.it Gilles Barthe Universidad Politécnica de Madrid Facultad de Informatica Fundación IMDEA Software Campus Montegancedo, 28660 Boadilla del Monte, Madrid, Spain E-mail: gilles.barthe@imdea.org Roberto Gorrieri Università degli Studi di Bologna Dipartimento di Scienze dell’Informazione Mura Anteo Zamboni 7, 40127 Bologna, Italy E-mail: gorrieri@cs.unibo.it Library of Congress Control Number: 2009932255 CR Subject Classification (1998): D.4.6, C.2, K.6.5, K.4, D.3, F.3, E.3 LNCS Sublibrary: SL 4 – Security and Cryptology ISSN 0302-9743 ISBN-10 3-642-03828-X Springer Berlin Heidelberg New York ISBN-13 978-3-642-03828-0 Springer Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. springer.com © Springer-Verlag Berlin Heidelberg 2009 Printed in Germany Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper SPIN: 12738250 06/3180 5 4 3 2 1 0
- 8. Preface This book presents a collection of tutorial papers accompanying lectures from the last three editions of the International School on Foundations of Security Analysis and Design (FOSAD). FOSAD has been one of the foremost educational events established with the goal of disseminating knowledge in the critical area of security in computer systems and networks. The main aim of FOSAD is to offer a good spectrum of current research in foundations of security – ranging from programming lan- guages to analysis of protocols, from cryptographic algorithms to access control policies and trust/identity management – that can be of help for graduate stu- dents and young researchers from academia or industry who intend to approach the field. Another objective of FOSAD is to propose panels dedicated to topical open problems and to allow a selected number of participants to give presenta- tions about their ongoing work, in order to favor discussions and novel scientific collaborations. The topics covered in this book include cryptographic protocol analysis, pro- gram and resource certification, identity management and electronic voting, ac- cess and authorization control, wireless security, mobile code and communica- tions security. The opening paper presented by Santiago Escobar, Catherine Meadows, and José Meseguer gives an overview of the Maude-NRL Protocol Analyzer, a tool for the analysis of cryptographic protocols using functions that obey different equa- tional theories. In a proof-carrying code framework, Gilles Barthe and César Kunz present a technique to build, from a certificate of the source program, a certificate for the result of its compilation. The paper by David Chadwick addresses in a survey several different topics concerning federated identity man- agement. Bart Jacobs and Wolter Pieters discuss technical and social aspects of electronic voting systems, by presenting as a case study the system imple- mented in practice in The Netherlands. The paper by Martı́n Abadi provides an overview of the role of logic in access control, by covering logical foundations for access control and their applications in languages for security policies. Sebas- tian Mödersheim and Luca Viganò introduce the open-source fixed-point model checker OFMC for symbolic cryptographic protocol analysis. Rustan Leino, Pe- ter Müller, and Jan Smans describe a verifier for concurrent programs called Chalice, whose methodology centers around permissions and permission transfer. Frédéric Besson, David Cachera, Thomas Jensen and David Pichardie propose a tutorial on building analyzers using the Coq proof assistant. In particular, they propose an interval analysis for the static verification of the absence of array-out- of-bounds accesses. Elvira Albert, Puri Arenas, Samir Genaim, Germán Puebla, and Damiano Zanardini present the COSTA system, a state-of-the-art analyzer that automatically generates precise resource usage information for a large class
- 9. VI Preface of Java programs. In the last paper, Javier Lopez, Rodrigo Roman, and Cristina Alcaraz analyze how different requirements of sensor networks can influence the security mechanisms. We would like to thank all the institutions that have promoted and founded FOSAD in the last few years. In particular, we are grateful to the IFIP Work- ing Group 1.7 on “Theoretical Foundations of Security Analysis and Design,” which was established to promote research and education in security-related is- sues. Among the sponsors, we would like to mention CNR-IIT, Department of the Navy Grant N00014-08-1-1109 issued by Office of Naval Research Global, EU projects SENSORIA and MOBIUS, International Workshop on Views On Designing Complex Architectures (VODCA), and Università di Bologna. Every year, FOSAD is supported by EATCS-IT, EEF, and ERCIM Working Group on Security and Trust Management. Finally, we also wish to thank the entire staff of the University Residential Centre of Bertinoro for the organizational and administrative support. June 2009 Alessandro Aldini Gilles Barthe Roberto Gorrieri
- 10. Table of Contents Foundations of Security Analysis and Design Part I: FOSAD 2007 Maude-NPA: Cryptographic Protocol Analysis Modulo Equational Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Santiago Escobar, Catherine Meadows, and José Meseguer Part II: FOSAD 2008 An Introduction to Certificate Translation . . . . . . . . . . . . . . . . . . . . . . . . . . 51 Gilles Barthe and César Kunz Federated Identity Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 David W. Chadwick Electronic Voting in the Netherlands: From Early Adoption to Early Abolishment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Bart Jacobs and Wolter Pieters Part III: FOSAD 2009 Logic in Access Control (Tutorial Notes) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145 Martı́n Abadi The Open-Source Fixed-Point Model Checker for Symbolic Analysis of Security Protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 Sebastian Mödersheim and Luca Viganò Verification of Concurrent Programs with Chalice . . . . . . . . . . . . . . . . . . . . 195 K. Rustan M. Leino, Peter Müller, and Jan Smans Certified Static Analysis by Abstract Interpretation . . . . . . . . . . . . . . . . . . 223 Frédéric Besson, David Cachera, Thomas Jensen, and David Pichardie Resource Usage Analysis and Its Application to Resource Certification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258 Elvira Albert, Puri Arenas, Samir Genaim, Germán Puebla, and Damiano Zanardini
- 11. VIII Table of Contents Analysis of Security Threats, Requirements, Technologies and Standards in Wireless Sensor Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289 Javier Lopez, Rodrigo Roman, and Cristina Alcaraz Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
- 12. Maude-NPA: Cryptographic Protocol Analysis Modulo Equational Properties Santiago Escobar1 , Catherine Meadows2 , and José Meseguer2 1 Universidad Politécnica de Valencia, Spain sescobar@dsic.upv.es 2 Naval Research Laboratory, Washington, DC, USA meadows@itd.nrl.navy.mil 3 University of Illinois at Urbana-Champaign, USA meseguer@cs.uiuc.edu Abstract. In this tutorial, we give an overview of the Maude-NRL Pro- tocol Analyzer (Maude-NPA), a tool for the analysis of cryptographic protocols using functions that obey different equational theories. We show the reader how to use Maude-NPA, and how it works, and also give some of the theoretical background behind the tool. 1 Introduction The Maude-NPA is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. The tool handles searches in the unbounded session model, and thus can be used to provide proofs of security as well as to search for attacks. It is the next generation of the NRL Protocol Analyzer [36], a tool that supported limited equational reasoning and was successfully applied to the analysis of many different protocols. The area of formal analysis of cryptographic protocols has been an active one since the mid 1980’s. The idea is to verify protocols that use encryption to guarantee secrecy, and that use authentication of data to ensure security, against an attacker (commonly called the Dolev-Yao attacker [17]) who has complete control of the network, and can intercept, alter, and redirect traffic, create new traffic on his/her own, perform all operations available to legitimate participants, and may have access to some subset of the longterm keys of legitimate principals. Whatever approach is taken, the use of formal methods has had a long history, not only for providing formal proofs of security, but also for uncovering bugs and security flaws that in some cases had remained unknown long after the original protocol’s publication. A number of approaches have been taken to the formal verification of cryp- tographic protocols. One of the most popular is model checking, in which the interaction of the protocol with the attacker is symbolically executed. Indeed, model-checking of secrecy (and later, authentication) in protocols in the bounded- session model (where a session is a single execution of a process representing an A. Aldini, G. Barthe, R. Gorrieri (Eds.): FOSAD 2007/2008/2009, LNCS 5705, pp. 1–50, 2009. c Springer-Verlag Berlin Heidelberg 2009
- 13. 2 S. Escobar, C. Meadows, and J. Meseguer honest principal) has been shown to be decidable [42], and a number of bounded- session model checkers exist. Moreover, a number of unbounded model checkers either make use of abstraction to enforce decidability, or allow for the possibility of non-termination. The earliest protocol analysis tools, such as the Interrogator [30] and the NRL Protocol Analyzer (NPA) [35], while not strictly speaking model checkers, relied on state exploration, and, in the case of NPA, could be used to verify security properties specified in a temporal logic language. Later, researchers used generic model checkers to analyze protocols, such as FDR [32] and later Murphi [40]. More recently the focus has been on special-purpose model-checkers developed specifically for cryptographic protocol analysis, such as Blanchet’s ProVerif [8], the AVISPA tool [3], and Maude-NPA itself [23]. There are a number of possible approaches to take in the modeling of cryp- toalgorithms used. In the simplest case, the free algebra model, cryptosystems are assumed to behave like black boxes: an attacker knows nothing about en- crypted data unless it has the appropriate key. This is the approach taken, for example, by the above-cited use of Murphi and FDR to analyze cryptographic protocols, and current tools such as SATMC [4] and TA4SP [9] , both used in the AVISPA tool. However, such an approach, although it can work well for proto- cols based on generic shared key or public key cryptography, runs into problems with algorithms such as Diffie-Hellman or algorithms employing exclusive-or, which rely upon various algebraic properties such as the law of exponentiation of products, associativity-commutativity and cancellation. Without the ability to specify these properties, one needs to rely on approximations of the algorithms that may result in formal proofs of secrecy invalidated by actual attacks that are missed by the analysis (see, e.g., [41, 43, 46]). Thus there has been considerable interest in developing algorithms and tools for protocol analysis in the presence of algebraic theories [1, 7, 10, 11, 12]. Another way in which tools can differ is in the number of sessions. A session is defined to be one execution of a protocol role by a single principal. A tool is said to use the bounded session model if the user must specify the maximum number of sessions that can be generated in a search. It is said to use the unbounded session model if no such restrictions are required. Secrecy is known to be decidable in the free theory together with the bounded session model [42], and undecidable in the free theory together with the un- bounded session model [18]. The same distinction between bounded and un- bounded sessions is known to hold for a number of different equational theories of interest, as well as for some authentication-related properties; see for example [10]. Thus, it is no surprise that most tools, whether or not they offer support for different algebraic theories, either operate in the bounded session model, or rely on abstractions that may result in reports of false attacks even when the protocol being analyzed is secure. Maude-NPA is a model-checker for cryptographic protocol analysis that both allows for the incorporation of different equational theories and operates in the unbounded session model without the use of abstraction. This means that the
- 14. Maude-NPA: Cryptographic Protocol Analysis 3 analysis is exact. That is, (i) if an attack exists using the specified algebraic properties, it will be found; (ii) no false attacks will be reported; and (iii) if the tool terminates without finding an attack, this provides a formal proof that the protocol is secure for that attack modulo the specified properties. However, it is always possible that the tool will not terminate; although, as explained in Section 7, a number of heuristics are included to drastically reduce the search space and make nontermination less likely. In order to have a steady, incremental approximation of the analysis, the user is also given the option of restricting the number of steps executed by Maude-NPA. Maude-NPA is a backwards search tool, i.e., it searches backwards from a final insecure state to determine whether or not it is reachable from an initial state. This backwards search is symbolic, i.e., it does not start with a concrete attack state, but uses instead a symbolic attack pattern, i.e., a term with logical variables describing a general attack situation. The backwards search is then performed by backwards narrowing. Each backwards narrowing step denotes a state transition, such as a principal sending or receiving a message or the intruder manipulating a message, all in a backwards sense. Each backwards narrowing step takes a symbolic state (i.e., a term with logical variables) and returns a previous symbolic state in the protocol (again a term with logical variables). In performing a backwards narrowing step, the variables of the input term are appropriately instantiated in order to apply the concrete state transition, and the new previous state may contain new variables that are differentiated from any previously used variable to avoid confusion. To appropriately instantiate the input term, narrowing uses equational unification. As it is well-known from logic programming and automated deduction (see, e.g., [5]), unification is the process of solving equations t = t . Standard unification solves these equations in a term algebra. Instead, equational unification (w.r.t. an equational theory E) solves an equation t = t in a free algebra for the equations E, that is, modulo the equational theory E. In the Maude-NPA, the equational theory E used depends on the protocol, and corresponds to the algebraic properties of the cryptographic functions (e.g. cancellation of encryption and decryption, Diffie- Hellman, or exclusive-or). Sound techniques for equational unification are paramount to Maude-NPA, and much of the research behind it has concentrated on that. The idea is to develop, not only special–purpose equational unification techniques that can be used for specific theories, but general methods that can be extended to different theories that arise in actual practice. We thus consider a broad class of theories that incorporate those equational axioms commonly appearing in cryptosystems and for which Maude has dedicated unification algorithms [13], such as com- mutativity (C) or associativity-commutativity (AC) of some function symbols [19]. Our approach is designed to be as extensible as possible to different alge- braic theories, and Maude-NPA is designed with this in mind. Maude-NPA has thus both dedicated and generic narrowing-based methods for solving unifica- tion problems in such theories [27], which under appropriate checkable conditions yield narrowing-based unification algorithms with a finite number of solutions
- 15. 4 S. Escobar, C. Meadows, and J. Meseguer [26]. Maude-NPA currently supports a number of algebraic theories, including exclusive-or, cancellation of encryption and decryption (both public and shared key), bounded associativity, and Diffie-Hellman exponentiation. We include ex- amples of several of these in this tutorial; others can be found in the Maude- NPA manual [23] and in our previous papers [19, 21]. Moreover, we continue to explore new generic unification algorithms which we plan to incorporate into Maude-NPA in the future. Since Maude-NPA allows reasoning in the unbounded session model, and be- cause it allows reasoning about different equational theories (which typically generate many more solutions to unification problems than syntactic unifica- tion, leading to bigger state spaces), it is necessary to find ways of pruning the search space in order to prevent infinite or overwhelmingly large search spaces. A key technique for preventing infinite searches is the generation of formal gram- mars describing terms unreachable by the intruder; such formal grammars are described in [20, 36] and in Section 7.7. However, grammars do not prune out all infinite searches, and there is a need for other techniques. Moreover, even when a search space is finite it may still be necessary to reduce it to a manageable size. State space reduction techniques for doing that have been provided in [22], with an empirical average state-space size reduction of 96% (i.e., the average size of the reduced state space is 4% of that of the original one). Furthermore, our often combined techniques are effective in obtaining a finite state space for all protocol analyses in many of our experiments. The rest of this tutorial is organized as follows. Section 2 gives definitions of some of the terminology that is used throughout this tutorial; we have tried to reduce definitions to a minimum and to illustrate each definition by means of examples. Sections 3 and 4 explain the basic mechanics of using Maude-NPA, including writing specifications and formulating queries. It gives the minimum amount of background needed for using the tool. Sections 5 and 6 describe how Maude-NPA actually works. They are intended for two types of readers: first the reader who wants to get better insight into how to use the tool to best advantage, and secondly for the reader who wants to understand the basic concepts behind Maude-NPA, without necessarily using the tool. Section 7, on state space reduction, is somewhat more specialized. It is intended for someone who is interested in the design of crypto protocol analysis tools and wants a more complete picture of the techniques Maude-NPA uses or plans to use, but is not really necessary to read it in order to be able to use the tool. Section 8 concludes the tutorial. Maude-NPA is publicly available1 , including a user manual and some proto- col examples. Maude-NPA is written in Maude, which is a publicly available2 implementation of rewriting logic. To be more specific, Maude-NPA requires a version of Maude that includes the implementation of order-sorted unification modulo commutativity and associativity–commutativity [13], e.g., version 2.4 or later. 1 At http://maude.cs.uiuc.edu/tools/Maude-NPA 2 At http://maude.cs.uiuc.edu
- 16. Maude-NPA: Cryptographic Protocol Analysis 5 2 Preliminaries We follow the classical notation and terminology from [47] for term rewriting and from [37, 38] for rewriting logic and order-sorted notions. We assume an order-sorted signature Σ with a finite poset of sorts (S, ≤) and a finite number of function symbols. For example, consider a signature with sorts Msg, Encryption, Concatenation, Nonce, Fresh, and Name that satisfy the following subsort order between sorts: Msg Concatenation Encryption o o o o o o Nonce JJJJJ Name and function symbols pk (for “public” key encryption), sk (for “secret” or “pri- vate” key encryption), n (for nonces), and _;_ (for concatenation) that satisfy the following sort declarations3 : pk : Name × Msg → Encryption n : Name × Fresh → Nonce sk : Name × Msg → Encryption _;_ : Msg × Msg → Concatenation We assume an S-sorted family X = {Xs}s∈S of disjoint variable sets with each Xs countably infinite. TΣ(X)s is the set of terms of sort s, and TΣ,s is the set of ground terms (i.e., without variables) of sort s. We write TΣ(X) and TΣ for the corresponding term algebras. We write Var(t) for the set of variables present in a term t. A term is viewed as a tree labeled with function symbols, where the arity of a symbol coincides with the number of its children in the tree (and the sort declaration for the symbol is satisfied by its children). For example, the term4 t = n(a, r) ; (n(b, r ) ; n(b, r )), where a, b, and c are symbols with arity 0 (called constants) of sort Name and r, r , and r are variables of sort Fresh, is a term of sort Concatenation and has the following tree representation ; n o o o o o o ; UUUUUUUUUUU a ~ ~ ~ r ? ? ? n m m m m m m m n PPPPPP b { { { { r @ @ @ b r B B B A position p of a term t is described by a string of natural numbers that specifies a path from the root of the term to the desired subterm position. For 3 Note that Maude allows function declarations of symbols with a user-defined syntax, where each underscore denotes the position of one function argument, e.g. “ ; ” denotes a symbol ; with two arguments written in an infix notation. 4 For a Maude term with symbols that contain underscores, a blank space must appear between the subterm corresponding to an underscore and any other part of the term, e.g. “n(a,r) ; n(b,r’)”.
- 17. 6 S. Escobar, C. Meadows, and J. Meseguer example, in the term t above, position p1 = 1.1 identifies the subterm a, and po- sitions p2 = 2.1.1 and p3 = 2.2.1 both identify the subterm b, although different occurrences of it. The set of positions of a term t is written Pos(t). The set of non-variable positions of a term t is written PosΣ(t). The root of a term is Λ. The subterm of t at position p is t|p, and t[u]p is the result of replacing t|p by u in t. For example, we have t|p1 = a and t|p2 = t|p3 = b. A substitution σ is a sort-preserving mapping from a finite subset of X to TΣ(X). The application of substitution σ to term t is denoted σ(t). The identity substitution is id. Substitutions are naturally extended to homomorphic func- tions σ : TΣ(X) → TΣ(X). The restriction of σ to a set of variables V is σ|V . The composition of two substitutions σ, θ is (σθ)(X) = θ(σ(X)) for X ∈ X. A Σ-equation is an unoriented pair of terms (t, t ), written t = t , where t, t ∈ TΣ(X)s for some sort s ∈ S. Given Σ and a set E of Σ-equations such that TΣ,s = ∅ for every sort s, order-sorted equational logic induces a congruence relation =E on terms t, t ∈ TΣ(X) (see [38]). Throughout this tutorial we assume that TΣ,s = ∅ for every sort s. The E-subsumption order on terms TΣ(X)s, written t E t (meaning that t is more general than t), holds if there exists a substitution σ such that t =E σ(t ). The order on terms TΣ(X)s is naturally extended to substitutions, i.e., σ E σ iff there exists a substitution θ such that σ =E σ θ. An E-unifier for a Σ-equation t = t is a substitution σ s.t. σ(t) =E σ(t ). Given two E-unifiers σ1 and σ2 for a Σ-equation t = t , σ2 is more general than σ1, written σ1 E σ2, if there exists τ such that σ2τ =E σ1, i.e., for each variable X, (σ2τ)(X) =E σ1(X). A complete set of E-unifiers of an equation t = t , written CSUE(t = t ), is a set of unifiers of t = t such that for each E- unifier σ of t = t , there exists τ ∈ CSUE(t = t ) such that σ E τ. We say that CSUE(t = t ) is finitary if it contains a finite number of E-unifiers. We say that CSUE(t = t ) is the set of most general unifiers if each unifier τ ∈ CSUE(t = t ) is maximal among all unifiers of t = t w.r.t. E. For example, consider an infix symbol _*_ : Msg × Msg → Msg satisfying the following associativity and commutativity (AC) equational properties (where X, Y, Z are variables of sort Msg): X ∗ Y = Y ∗ X X ∗ (Y ∗ Z) = (X ∗ Y ) ∗ Z A complete set of most general AC-unifiers of the two terms t = X ∗ Y and s = U ∗ V (where X, Y, U, V are variables of sort Msg) is σ1 = { X → X , Y → Y , U → X , V → Y } σ2 = { X → X , Y → Y , U → Y , V → X } σ3 = { X → X , Y → Y ∗ Y , U → X ∗ Y , V → Y } σ4 = { X → X , Y → Y ∗ Y , U → Y , V → X ∗ Y } σ5 = { X → X ∗ X , Y → Y , U → X , V → X ∗ Y } σ6 = { X → X ∗ X , Y → Y , U → X ∗ Y , V → X } σ7 = { X → X ∗ X , Y → Y ∗ Y , U → X ∗ Y , V → X ∗ Y } Consider now the exclusive-or symbol _ ⊕ _ : Msg × Msg → Msg and the constant 0 : Msg satisfying the following xor-properties (where X, Y, Z are variables of sort Msg):
- 18. Maude-NPA: Cryptographic Protocol Analysis 7 X ⊕ Y = Y ⊕ X X ⊕ X = 0 X ⊕ (Y ⊕ Z) = (X ⊕ Y ) ⊕ Z X ⊕ 0 = X A complete set of most general xor-unifiers of the two terms t = X ⊕ Y and s = U ⊕ V (where X, Y, U, V are variables of sort Msg) is the unique unifier θ1 = {X → Y ⊕ U ⊕ V , Y → Y , U → U , V → V }. 3 Protocol Specification in Maude-NPA In this section, we describe how to specify a protocol and all its relevant items in the Maude-NPA. We postpone until Section 4 the topic of formal protocol analysis in the Maude-NPA. 3.1 Templates and File Organization for Protocol Specification Protocol specifications are given in a single file (e.g., foo.maude), and consist of three Maude modules, having a fixed format and fixed module names. In the first module, the syntax of the protocol is specified, consisting of sorts, subsorts, and operators. The second module specifies the algebraic properties of the operators. Note that algebraic properties cannot be arbitrary and must satisfy some specific conditions described in Section 6.3. The third module specifies the actual behavior of the protocol using a strand-theoretic notation [28]. This third module includes the intruder strands (Dolev-Yao strands) and regular strands describing the behavior of principals. Attack states, describing behavior that we want to prove cannot occur, are also specified in this third module, but we postpone their presentation until Section 4. We give a template for any Maude-NPA specification below. Throughout, lines beginning with three or more dashes (i.e., ---) or three or more asterisks (i.e., ***) are comments that are ignored by Maude. Furthermore, the Maude syntax is almost self-explanatory [14]. The general point is that each syntactic element –e.g. a sort, an operation, an equation, a rule– is declared with an obvious keyword: sort, op, eq, rl, etc., ended by a space and a period. fmod PROTOCOL-EXAMPLE-SYMBOLS is protecting DEFINITION-PROTOCOL-RULES . ------------------------------------------------------------ --- Overwrite this module with the syntax of your protocol. --- Notes: --- * Sorts Msg and Fresh are special and imported --- * Every sort must be a subsort of Msg --- * No sort can be a supersort of Msg --- * Variables of sort Fresh are really fresh --- and no substitution is allowed on them --- * Sorts Msg and Public cannot be empty ------------------------------------------------------------ endfm
- 19. 8 S. Escobar, C. Meadows, and J. Meseguer fmod PROTOCOL-EXAMPLE-ALGEBRAIC is protecting PROTOCOL-EXAMPLE-SYMBOLS . ---------------------------------------------------------------- --- Overwrite this module with the algebraic properties --- of your protocol. --- * Use only equations of the form (eq Lhs = Rhs [nonexec] .) --- * Maude attribute owise cannot be used --- * There is no order of application between equations ---------------------------------------------------------------- endfm fmod PROTOCOL-SPECIFICATION is protecting PROTOCOL-EXAMPLE-SYMBOLS . protecting DEFINITION-PROTOCOL-RULES . protecting DEFINITION-CONSTRAINTS-INPUT . ---------------------------------------------------------- --- Overwrite this module with the strands --- of your protocol and the attack states ---------------------------------------------------------- eq STRANDS-DOLEVYAO = --- Add Dolev-Yao intruder strands here. Strands are --- properly renamed. [nonexec] . eq STRANDS-PROTOCOL = --- Add protocol strands here. Strands are properly renamed. [nonexec] . eq ATTACK-STATE(0) = --- Add attack state here --- More than one attack state can be specified, but each --- must be identified by a number (e.g. ATTACK-STATE(1) = ... --- ATTACK-STATE(2) = ... etc.) [nonexec] . endfm --- THE FOLLOWING COMMAND HAS TO BE THE LAST ACTION !!!! select MAUDE-NPA . In what follows we explain in detail how each of these three modules, com- prising a Maude-NPA protocol specification, are specified. 3.2 Specifying the Protocol Syntax The protocol syntax is specified in the module PROTOCOL-EXAMPLE-SYMBOLS. Note that, since we are using Maude also as the specification language, each declaration has to be ended by a space and a period.
- 20. Maude-NPA: Cryptographic Protocol Analysis 9 We begin by specifying sorts. In general, sorts are used to specify different types of data, that are used for different purposes. We have a special sort called Msg that represents the messages in our protocol. If only keys can be used for encryption, we would want to have a sort Key, and specify that an encryption operator e can only take a term of sort Key as its first argument, which can be specified in Maude as follows: op e : Key Msg - Msg . Sorts can also be subsorts of other sorts. Subsorts allow a more refined distinc- tion of data within a concrete sort. For example, we might have a sort Masterkey which is a subsort of Key. Or two sorts PublicKey and PrivateKey that are sub- sorts of Key. These two relevant subsort relations can be specified in Maude as follows: subsort MasterKey Key . subsorts PublicKey PrivateKey Key . Most sorts are user-defined. However, there are several special sorts that are automatically imported by any Maude-NPA protocol definition through the DEFINITION-PROTOCOL-RULES module. The user must make sure that cer- tain constraints are satisfied for the sorts and subsorts specified in PROTOCOL- EXAMPLE-SYMBOLS, which are the following: Msg. Every sort specified in a protocol must be connected to the sort Msg, i.e., for every sort S given by the user, and every term t of sort S, there must be a term t in Msg and a position p in t such that t |p = t. Any subsort of Msg is of course directly connected to Msg. No sort defined by the user can be a supersort of Msg. The sort Msg should not be empty, i.e., there should be enough function symbols and constants such that there is at least one ground term (i.e., a term without variables) of sort Msg. Fresh. The sort Fresh is used to identify terms that must be unique. No sort can be a subsort of Fresh. It is typically used in protocol specifications as an argument of some data that must be unique, such as a nonce, or a session key, e.g., “n(A,r)” or “k(A,B,r)”, where r is a variable of sort Fresh. It is not necessary to define symbols of sort Fresh, i.e., the sort Fresh can be empty, since only variables of such sort will be allowed. Public. The sort Public is used to identify terms that are publicly available, and therefore assumed known by the intruder. No sort can be a supersort of Public. This sort cannot be empty. To illustrate the definition of sorts, we use the Needham-Schroeder Public Key Protocol (NSPK) as the running example. This protocol uses public key cryptography, and the principals exchange encrypted data consisting of names and nonces. We recall the informal specification of NSPK as follows: 1. A → B : pk(B, A; NA) 2. B → A : pk(A, NA; NB) 3. A → B : pk(B, NB) where NA and NB are nonces generated by the respective principals.
- 21. 10 S. Escobar, C. Meadows, and J. Meseguer Thus, we will define sorts to distinguish names, keys, nonces, and encrypted data. This is specified as follows: --- Sort Information sorts Name Nonce Enc . subsort Name Nonce Enc Msg . subsort Name Public . The sorts Nonce and Enc are not strictly necessary, but they can make the search more efficient, since Maude-NPA will not attempt to unify terms with incompatible sorts. For example, if in this specification a principal is expecting a term of sort Enc, he/she will not accept a term of sort Nonce; technically because Nonce is not declared as a subsort of Enc. If we are looking for type confusion attacks, we would not want to include these sorts, and instead would declare everything as having sort Msg or Name. See Section 3.3 for details on type confusion attacks. We can now specify the different operators needed in NSPK. These are pk and sk, for public and private key encryption, the operator n for nonces, designated constants for the names of the principals, and concatenation using the infix operator “_;_”. We begin with the public/private encryption operators. --- Encoding operators for public/private encryption op pk : Name Msg - Enc [frozen] . op sk : Name Msg - Enc [frozen] . The frozen attribute is technically necessary to tell Maude not to attempt to apply rewrites in arguments of those symbols. The frozen attribute must be included in all operator declarations in Maude-NPA specifications, excluding constants. The use of sort Name as an argument of public key encryption may seem odd at first. But it is used because we are implicitly associating a public key with a name when we apply the pk operator, and a private key with a name when we apply the sk operator. A different syntax specifying explicit keys could have been chosen for public/private encryption. Next we specify some principal names. For NSPK, we have three constants of sort Name, a (for “Alice”), b (for “Bob”), and i (for the “Intruder”). --- Principals op a : - Name . --- Alice op b : - Name . --- Bob op i : - Name . --- Intruder These are not all the possible principal names. Since Maude-NPA is an un- bounded session tool, the number of possible principals is unbounded. This is achieved by using variables (i.e., variables of sort Name in this specification of NSPK) instead of constants. However, we may have a need to specify constant principal names in a goal state. For example, if we have an initiator and a re- sponder, and we are not interested in the case in which the initiator and the
- 22. Maude-NPA: Cryptographic Protocol Analysis 11 responder are the same, we can prevent that by specifying the names of the initiator and the responder as different constants. Also, we may want to iden- tify the intruder’s name by a constant, so that we can cover the case in which principals are talking directly to the intruder. We now need two more operators, one for nonces, and one for concatenation. The nonce operator is specified as follows. --- Nonce operator op n : Name Fresh - Nonce [frozen] . Note that the nonce operator has an argument of sort Fresh to ensure unique- ness. The argument of type Name is not strictly necessary, but it provides a con- venient way of identifying which nonces are generated by which principal. This makes searches more efficient, since it allows us to keep track of the originator of a nonce throughout a search. Finally, we come to the message concatenation operator. In Maude-NPA, we specify concatenation via an infix operator “_;_” defined as follows: --- Concatenation operator op _;_ : Msg Msg - Msg [gather (e E) frozen] . The Maude operator attribute “gather (e E)” indicates that symbol “_;_” has to be parsed as associated to the left; whereas “gather(E e)” indicates association to the right (see [14, Section 3.9]). Note that this gather information is specified only for parsing purposes: it does not specify an associativity property, although the associativity of an operator is certainly expressible in Maude either as an ex- plicit “equational rule”, or as an “equational axiom” as explained in Section 3.4 below. Therefore, _;_ in this NSPK example is just a free function symbol, which, when no parenthesis are added, is parsed in a left–associative way. 3.3 User-Defined Subsorts of Sort Msg in Protocol Specification The Maude-NPA tool always assumes that the sort Msg is the top sort, but it allows user-defined subsorts of Msg that can be specified by the user for a more accurate protocol specification and analysis. However, protocol modeling in Maude-NPA should pay careful attention to when and why a subsort of sort Msg can be used, since an overly general specification using sort Msg will negatively affect performance, whereas a too restrictive specification may jeopardize finding some attacks, since some attacks possible in a less restrictive specification may become excluded by using some subsort in the reception of a message. The two relevant concepts here are: (i) whether a principal can check the sort of a bit string and (ii) whether a principal can check the structure of a term to find out if it matches some given pattern. In general, data received by a principal for which the principal cannot check its structure, but can check its sort, must be represented by a variable of the appropriate sort. For example, if a principal receives a message that he/she expects to be a nonce but he/she cannot check that is has sort Nonce, then such a message will be represented by a variable of sort Msg.
- 23. 12 S. Escobar, C. Meadows, and J. Meseguer Sometimes, even though we do not assume that type-checking is possible, we may want to use sorts to limit the size of the search space. How this can be done, and the ramifications of doing this, are discussed later in this tutorial. Therefore, if we are interested in a type confusion attack for a given informal protocol specification, we would like a protocol specification in Mauge-NPA that makes no distinctions on messages, i.e., principals cannot perform type checking of messages (for instance, may not be able to detect whether a string of bits is a nonce) and may not even be able to separate messages into their different components. In this very general case, we are interested in a unsorted protocol, i.e., there will be no extra sorts and every symbol will be of sort Msg. See [21] for an example of a type confusion attack specified in Maude-NPA. A third relevant concept here is the use of variables of sort Fresh. Every variable of sort Fresh denotes an unguessable message. Those variables of sort Fresh that a principal generates have to be explicitly written in the protocol specification (see Section 3.6). Therefore, every nonce that a principal generates is represented by a message containing a variable of sort Fresh, e.g. n(A, r), with r a variable of sort Fresh. If a principal is expecting this nonce again, it will be represented in the protocol specification by the same term n(A, r), meaning that the principal can check the sort of the message and can also check the structure of the message. This is safe because typically a principal can verify whether two nonces are the same, i.e., whether the sequences of their bits coincide. If a principal is expecting a nonce different from one of his/her nonces, it will be represented in the protocol specification by a variable N of sort Nonce or of sort Msg, depending on the type checking facilities available to the principal. 3.4 Algebraic Properties There are two types of algebraic properties: (i) equational axioms, such as com- mutativity, or associativity-commutativity, called axioms, and (ii) equational rules, called equations. Equations are specified in the PROTOCOL-EXAMPLE- ALGEBRAIC module, whereas axioms are specified within the operator declara- tions in the PROTOCOL-EXAMPLE-SYMBOLS module, as illustrated in what follows. An equation is oriented into a rewrite rule in which the left–hand side of the equation is reduced to the right–hand side. In writing equations, one needs to specify the variables involved, and their type. Variables can be specified globally for a module, e.g., “var Z : Msg .”, or locally within the expression using it, e.g., a variable A of sort Name in “pk(A:Name,Z)”. Several variables of the same sort can be specified together, as “vars X Y Z1 Z2 : Msg .”. In NSPK, we use two equations specifying the relationship between public and private key encryption, as follows: var Z : Msg . var A : Name . --- Encryption/Decryption Cancellation eq pk(A,sk(A,Z)) = Z [nonexec] . eq sk(A,pk(A,Z)) = Z [nonexec] .
- 24. Maude-NPA: Cryptographic Protocol Analysis 13 The nonexec attribute is technically necessary to tell Maude not to use an equation or rule within its standard execution, since it will be used only at the Maude-NPA level rather than at the Maude level. The nonexec attribute must be included in all user-defined equation declarations of the protocol. Furthermore, the Maude attribute owise (i.e., otherwise) cannot be used in equations, since no order of application is assumed for the algebraic equations. Since Maude-NPA uses built-in unification algorithms [13] for the case of oper- ators having either no equational axioms, or the commutative (C) or associative- commutative (AC) equational axioms, these are specified not as standard equations but as axioms in the operator declarations. For example, suppose that we want to specify exclusive-or. We can specify an infix associative-commutative operator “+” in the PROTOCOL-EXAMPLE-SYMBOLS module as follows: --- XOR operator and equational axioms op _+_ : Msg Msg - Msg [frozen assoc comm] . op null : - Msg . where the associativity and commutativity axioms are declared as attributes of the + operator with the assoc and comm keywords. Similarly, we could specify an operator that is commutative but not associative with the comm keyword alone.5 We specify the equational rules for + in the PROTOCOL-EXAMPLE-ALGEBRAIC module as equations declared with the eq keyword as follows6 : vars X Y : Msg . --- XOR equational rules eq X + X + Y = Y [nonexec] . eq X + X = null [nonexec] . eq X + null = X [nonexec] . If we want to include a Diffie-Hellman mechanism, we need two operations. One is exponentiation, and the other is modular multiplication. Since Diffie- Hellman is a commonly used algorithm in cryptographic protocols, we discuss it also here. We begin by including several new sorts in PROTOCOL-EXAMPLE-SYMBOLS: Gen, Exp, GenvExp, and NeNonceSet. 5 In Maude, it is possible to specify and operator that is associative but not commu- tative using the assoc keyword, but in the Maude-NPA, symbols having the assoc but not the comm attribute should not be specified. The reason for this is that as- sociative unification is not finitary (see, e.g., [5]) and is not supported in Maude. Various forms of bounded associativity with finitary unification are possible, but this is done differently, namely, by specifying bounded associativity with rules, see [21] for details. 6 Note that the first equational rule, i.e., X + X + Y = Y, is not essentially needed for the exclusive-or theory, but it is necessary for rewriting purposes to ensure co- herence, see Section 6.2.
- 25. 14 S. Escobar, C. Meadows, and J. Meseguer sorts Name Nonce NeNonceSet Gen Exp Key GenvExp Enc Secret . subsorts Gen Exp GenvExp . subsorts Name NeNonceSet GenvExp Enc Secret Key Msg . subsort Exp Key . subsort Nonce NeNonceSet . subsorts Name Gen Public . We now introduce three new operators. The first, g, is a constant that serves as the Diffie-Hellman generator of the multiplicative group. The second is expo- nentiation, and the third is an associative-commutative multiplication operation on nonces and products of such nonces. op g : - Gen . op exp : GenvExp NeNonceSet - Exp [frozen] . op _*_ : NeNonceSet NeNonceSet - NeNonceSet [frozen assoc comm] . We then include the following equational property, to capture the fact that zxy = zx∗y : eq exp(exp(W:Gen,Y:NeNonceSet),Z:NeNonceSet) = exp(W:Gen, Y:NeNonceSet * Z:NeNonceSet) [nonexec] . There are several things to note about this Diffie-Hellman specification. The first is that, although modular multiplication has a unit and inverses, this is not included in our equational specification. Instead, we have only included the key algebraic rule that is necessary for Diffie-Hellman to work. The second is that we have specified types that will rule out certain kinds of intruder behavior. In actual fact, there is nothing that prevents an intruder from sending an arbitrary string to a principal and passing it off as an exponentiated term. The principal will then exponentiate that term. However, given our definition of the exp operator, only terms of type GenvExp can be exponentiated. This last restriction is necessary in order to ensure that the unification algorithm is finitary; see Section 6.3 for technical details. The omission of units and inverses is not necessary to ensure finitary unification, but rules out behavior of the intruder that is likely to be irrelevant for attacking the protocol, or that is likely to be easily detected (such as the intruder sending an exp(g,0)). We note that if one is interested in obtaining a proof of security using these restrictive assumptions, one must provide a proof (outside of the tool) that security in the restricted model implies security in the more general model. This could be done along the lines of the proofs in [33, 34, 39]. 3.5 Protocol Specification: Intruder Strands The protocol itself and the intruder capabilities are both specified in the PROTOCOL- SPECIFICATION module. They are specified using strands. A strand, first defined in [28], is a sequence of positive and negative messages7 describing 7 We write m± to denote m+ or m− , indistinctively. We often write +(m) and −(m) instead of m+ and m− , respectively.
- 26. Maude-NPA: Cryptographic Protocol Analysis 15 a principal executing a protocol, or the intruder performing actions, e.g., the strand for Alice in NSPK is: [ pk(KB, A; NA)+ , pk(KA, NA; Z)− , pk(KB, Z)+ ] where a positive node implies sending, and a negative node implies receiving. However, in our tool each strand is divided into the past and future parts by means of a vertical line. That is, the messages to the left of the vertical line were sent or received in the past, whereas the messages to the right of the line will be sent or received in the future. Also, we keep track of all the variables of sort Fresh generated by a concrete strand; see Section 5.2 for technical details. That is, all the variables r1, . . . , rj of sort Fresh generated by a strand are made explicit right before the strand, as follows: :: r1, . . . , rj :: [ m1 ± , . . . , mi ± | mi+1 ± , . . . , mk ± ] Note that there is some difference between the variables of sort Fresh generated in a strand and those appearing in a strand. In the specification of a role, they must coincide, in the sense that all the variables appearing in the description of a principal are generated during an execution (an instance) of such a strand. However, in a given protocol state, a strand may contain many more variables of sort Fresh than those specified at the left of the strand due to the message exchange between the principals. We begin by specifying all the variables that are used in this module, together with the sorts of these variables. In the NSPK example, these are vars X Y Z : Msg . vars r r’ : Fresh . vars A B : Name . vars N N1 N2 : Nonce . After the variables are specified, the next thing to specify is the actions of the intruder, or Dolev-Yao rules [17]. These specify the operations an intruder can perform. Each such action can be specified by an intruder strand consisting of a sequence of negative nodes, followed by a single positive node. If the intruder can (non-deterministically) find more than one term as a result of performing one operation (as in deconcatenation), we specify each of these outcomes by separate strands. For the NSPK protocol, we have four operations: encryption with a public key (pk), decryption with a private key (sk), concatenation (_;_), and deconcatenation. Encryption with a public key is specified as follows. Note that we use a prin- cipal’s name to stand for the key. That is why names are of type Name. The intruder can encrypt any message using any public key. :: nil:: [ nil | -(X), +(pk(A,X)), nil ] Encryption with the private key is a little different. The intruder can only apply the sk operator using his own identity. So we specify the rule as follows, assuming that i denotes the name of the intruder:
- 27. 16 S. Escobar, C. Meadows, and J. Meseguer :: nil:: [ nil | -(X), +(sk(i,X)), nil ] Concatenation and deconcatenation are straightforward. If the intruder knows X and Y , he can find X; Y . If he knows X; Y he can find both X and Y . Since each intruder strand should have at most one positive node, we need to use three strands to specify these actions: :: nil :: [ nil | -(X), -(Y), +(X ; Y), nil ] :: nil :: [ nil | -(X ; Y), +(X), nil ] :: nil :: [ nil | -(X ; Y), +(Y), nil ] The final Dolev-Yao specification looks as follows. Note that our tool requires the use of the constant symbol STRANDS-DOLEVYAO as the repository of all the Dolev-Yao strands, and uses the associative-commutative symbol __ as the union operator to form sets of strands. Note, also, that our tool considers that variables are not shared between strands, and thus will appropriately rename them when necessary. eq STRANDS-DOLEVYAO = :: nil :: [ nil | -(X), -(Y), +(X ; Y), nil ] :: nil :: [ nil | -(X ; Y), +(X), nil ] :: nil :: [ nil | -(X ; Y), +(Y), nil ] :: nil :: [ nil | -(X), +(sk(i,X)), nil ] :: nil :: [ nil | -(X), +(pk(Ke,X)), nil ] [nonexec] . Every operation that can be performed by the intruder, and every term that is initially known by the intruder, should have a corresponding intruder strand. For each operation used in the protocol we should consider whether or not the in- truder can perform it, and specify a corresponding intruder strand that describes the conditions under which the intruder can perform it. For example, suppose that the operation requires the use of exclusive-or. If we assume that the intruder can exclusive-or any two terms in its possession, we should represent this by the following strand: :: nil :: [ nil | -(X), -(Y), +(X + Y), nil ] If we want to give the intruder the ability to generate his own nonces, we should represent this by the following rule: :: r :: [ nil | +(n(i,r)), nil ] In general, it is a good idea to provide Dolev-Yao strands for all the operations that are defined, unless one is explicitly making the assumption that the intruder can not perform the operation. It is also strongly recommended that operations not used in the protocol should not be provided with Dolev-Yao strands. This is because the tool will attempt to execute rules associated with these strands, even if they are useless, and this will negatively affect performance.
- 28. Maude-NPA: Cryptographic Protocol Analysis 17 3.6 Protocol Specification: Protocol Strands In the Protocol Rules section of a specification we define the messages that are sent and received by the honest principals. We will specify one strand per role. However, since the Maude-NPA analysis supports an arbitrary number of sessions, each strand can be instantiated an arbitrary number of times. In specifying protocol strands it is important to remember to specify them from the point of view of the principal executing the role. For example, in NSPK the initiator A starts out by sending her name and a nonce encrypted with B’s public key. She gets back something encrypted with her public key, but all she can tell is that it is her nonce concatenated with some other nonce. She then encrypts that other nonce under B’s public key and sends it out. As explained in Section 3.3, we represent the construction of A’s nonce ex- plicitly as n(A,r), where r is a variable of sort Fresh therefore appearing in the header of A’s strand, and the extra nonce that she receives is represented by a variable N of sort Nonce. The entire strand for the initiator role is as follows: :: r :: [ nil | +(pk(B,A ; n(A,r))), -(pk(A,n(A,r) ; N)), +(pk(B, N)), nil ] In the responder strand, the signs of the messages are reversed. Moreover, the messages themselves are represented differently. B starts out by receiving a name and some nonce encrypted under his key. He creates his own nonce, appends the received nonce to it, encrypts it with the key belonging to the name, and sends it out. He gets back his nonce encrypted under his own key. This is specified as follows: :: r :: [ nil | -(pk(B,A ; N)), +(pk(A, N ; n(B,r))), -(pk(B,n(B,r))), nil ] Note that, as explained in Section 3.3, the point here is to only include things in a strand that a principal executing a strand can actually verify. The complete STRANDS-PROTOCOL specification for NSPK is as follows. eq STRANDS-PROTOCOL = :: r :: [nil | +(pk(B,A ; n(A,r))), -(pk(A,n(A,r) ; N)), +(pk(B, N)), nil] :: r :: [nil | -(pk(B,A ; N)), +(pk(A, N ; n(B,r))), -(pk(B,n(B,r))), nil] [nonexec] . As a final note, we remark that, if B received a message Z encrypted under a key he does not know, he would not be able to verify that he received pk(A,Z), because he cannot decrypt the message. So the best we could say here is that A received some term Y of sort Msg. The complete specification of the Needham-Schroeder shared-key protocol and the Diffie-Hellman protocol can be found in [23].
- 29. 18 S. Escobar, C. Meadows, and J. Meseguer 4 Protocol Analysis In this section we describe how to analyze a protocol in practice. First, we explain how a protocol state looks like, and how an attack state is specified in the protocol. Then, we explain how the actual protocol analysis is performed. Technical details on how the backwards search is performed are postponed until Section 5. 4.1 Protocol States In Maude-NPA, each state associated to the protocol execution (i.e., a backwards search) is represented by a term with four different components separated by the symbol || in the following order: (1) the set of current strands, (2) the current intruder knowledge, (3) the sequence of messages encountered so far in the backwards execution, and (4) some auxiliary data. Strands || Intruder Knowledge || Message Sequence || Auxiliary Data The first component, the set of current strands, indicates in particular how ad- vanced each strand is in the execution process (by the placement of the bar). The second component contains messages that the intruder already knows (symbol _inI) and messages that the intruder currently doesn’t know (symbol _!inI) but will learn in the future. Note that the set of strands and the intruder knowledge grow along with the backwards reachability search (see Section 5.2 for technical details) as follows: – by propagation of the substitutions computed by unification modulo the equational theory, – by introducing more protocol or intruder strands, – by introducing more positive knowledge of the intruder (e.g., M inI), and – by transforming positive knowledge into negative knowledge due to the back- wards execution (e.g., M inI → M !inI). The third component, the sequence of messages, is nil for any attack state at the beginning of the backwards search and records the actual sequence of messages exchanged so far in the backwards search from the attack state. This sequence grows as the backwards search continues and some variables may be instantiated in the backwards search. It gives a complete description of an attack when an initial state is reached but this component is intended for the benefit of the user, and is not actually used in the backward search itself, except just by recording it. Finally, the last component contains information about the search space that the tool creates to help manage8 its search. It does not provide any information about the attack itself, and is currently only displayed by the tool to help in debugging. More information about this last component can be found in Sections 5 and 7. 8 Indeed, we use the fourth component of a protocol state to store the data related to the Super Lazy Intruder of Section 7.6.
- 30. Maude-NPA: Cryptographic Protocol Analysis 19 4.2 Initial States An initial state is the final result of the backwards reachability process and is described as follows: 1. in an initial state, all strands have the bar at the beginning, i.e., all strands are of the form :: r1, . . . , rj :: [ nil | m1 ± , . . . , mk ± ]; 2. in an initial state, all the intruder knowledge is negative, i.e., all the items in the intruder knowledge are of the form (m !inI). From an initial state, no further backwards reachability steps are possible, since there is nothing for the intruder to unlearn or to learn due to the following two facts: (i) since all the intruder knowledge is already negative (m !inI), no positive knowledge can be unlearned, and (ii) there is no further reception of messages (no negative node in a strand) that might introduce positive items (m inI) in the intruder knowledge. Note that in an initial state, the third com- ponent of a protocol state denotes the concrete message sequence from this initial state to the given attack state. 4.3 Unreachable States Another interesting concept is that of an unreachable state. An unreachable state is a protocol state from which we cannot reach an initial state by further backwards reachability analysis. Interpreted in a forwards way, this of course means that it is an state that can never be reached from an initial state by forward execution. Early detection of unreachable states is essential to achieve effective protocol analysis. In Section 7, we describe several techniques for early detection of unreachable states. For instance, consider the following state found by the Maude-NPA for the NSPK: :: nil :: [nil | -(pk(i, b ; n(b, r))), +(b ; n(b, r)), nil] :: nil :: [nil | -(n(b, r)), +(pk(b, n(b, r))), nil] :: nil :: [nil | -(b ; n(b, r)), +(n(b, r)), nil] :: r :: [nil | +(pk(i, b ; n(b, r))), nil] :: r :: [nil, -(pk(b, a ; N)), +(pk(a, N ; n(b, r))) | -(pk(b, n(b, r))), nil]) || pk(b, n(b, r)) !inI, pk(i, b ; n(b, r)) !inI, n(b, r) !inI, (b ; n(b, r)) !inI || +(pk(i, b ; n(b, r))), -(pk(i, b ; n(b, r))), +(b ; n(b, r)), -(b ; n(b, r)), +(n(b, r)), -(n(b, r)), +(pk(b, n(b, r))), -(pk(b, n(b, r))) || nil This state is unreachable, since there are two strands that are generating the same fresh variable r and this is impossible because the fresh data generated by each strand must be unique.
- 31. 20 S. Escobar, C. Meadows, and J. Meseguer 4.4 Attack States Attack states describe not just single concrete attacks, but attack patterns (or if you prefer attack situations), which are specified symbolically as terms (with variables) whose instances are the final attack states we are looking for. Given an attack pattern, Maude-NPA tries to either find an instance of the attack pattern or prove that no such instance is possible. We can specify more than one attack state. Thus, we designate each attack state with a natural number. When specifying an attack state, the user should specify only the first two components of the attack state: (i) a set of strands expected to appear in the at- tack, and (ii) some positive intruder knowledge. The other two state components should have just the empty symbol nil. Note that the attack state is indeed a term with variables; however, the user does not have to provide the variables denoting “the remaining strands”, “the remaining intruder knowledge”, and the two variables for the two last state components, since these variables are sym- bolically inserted by the tool (see Section 7.2 for technical details). For NSPK, the standard attack is represented as follows: eq ATTACK-STATE(0) = :: r :: [ nil, -(pk(b,a ; N)), +(pk(a, N ; n(b,r))), -(pk(b,n(b,r))) | nil ] || n(b,r) inI || nil || nil [nonexec] . where we require the intruder to have learned the nonce generated by Bob. Therefore, we have to include Bob’s strand in the attack in order to describe such specific nonce n(b,r). There are several possibilities to build an attack state by combining what the intruder learned at the attack state and what honest strands are expected to have occurred at the attack state. The most common situation is to include positive intruder facts of the form (m inI) and finished strands (i.e., strands that have the bar at the end). Note that an attack state can also contain negative intruder facts of the form (m !inI) although this is not common. Partially executed strands of the form :: r1, . . . , ri :: [ nil, m1 ± , . . . , mi ± | mi+1 ± , . . . , mk ± , nil ] are represented in attack states by truncated strands in which only the terms before the bar appear. For instance, a situation in which the intruder learns Bob’s nonce without requiring Bob to finish the protocol, is represented as: eq ATTACK-STATE(0) = :: r :: [ nil, -(pk(b,a ; N)), +(pk(a, N ; n(b,r))) | nil ] || n(b,r) inI || nil || nil [nonexec] .
- 32. Maude-NPA: Cryptographic Protocol Analysis 21 The intruder knowledge can also contain inequalities (the condition that a term is not equal to some other term), which we can also include in the intruder knowledge component of an attack state. For example, suppose that we want to specify that a responder executes a strand, apparently with an initiator a, but the nonce received is not generated by a. This can be done as follows: eq ATTACK-STATE(0) = :: r :: [ nil, -(pk(b,a ; N)), +(pk(a, N ; n(b,r))), -(pk(b,n(b,r))) | nil ] || N != n(a,r’) || nil || nil [nonexec] . where t != s means that for any ground substitution θ applicable to t and s (i.e., θ(t) and θ(s) are ground terms), θ(t) cannot be equal to θ(s) modulo the equational theory. Note that, since a is a constant and r is a variable of the special sort Fresh, N != n(a,r’) means that N cannot be a term of the form n(a,r’). In summary, we note the following requirements on attack state specifications: 1. Strands in an attack state must have the bar at the end. This also ap- plies to partially executed strands, for which the future messages are discarded. 2. If more than one strand appears in the attack state, they must be separated by the symbol. If more than one term appears in the intruder knowledge, they must be separated by commas. If no strands appear, or no intruder items appear, the empty symbol should be used, in the strands or intruder knowledge components, respectively. 3. Items that can appear in the intruder knowledge may include not only terms known by the intruder, but also inequality conditions on terms. Terms unknown to the intruder are also possible but are not common in attack states. 4. The last two fields of an attack state must always be nil. These are fields that contain information that is built up in the backwards search, but should be empty in the attack state. 4.5 Attack States with Excluded Patterns: Never Patterns It is often desirable to exclude certain patterns from transition paths leading to an attack state. For example, one may want to determine whether or not authentication properties have been violated, e.g., whether it is possible for a responder strand to appear without the corresponding initiator strand. For this there is an optional additional field in the attack state containing the never patterns. It is included at the end of the attack state specification.
- 33. 22 S. Escobar, C. Meadows, and J. Meseguer Here is how we would specify an initiator strand without a corresponding responder in the NSPK protocol9 : eq ATTACK-STATE(1) = :: r :: [ nil, -(pk(b,a ; N)), +(pk(a, N ; n(b,r))), -(pk(b,n(b,r))) | nil ] || empty || nil || nil butNeverFoundAny *** for authentication (:: r’ :: [ nil | +(pk(b,a ; N)), -(pk(a, N ; n(b,r))), +(pk(b,n(b,r))), nil ] S:StrandSet || K:IntruderKnowledge || M:SMsgList || G:GhostList) [nonexec] . The tool will now look for all paths in which the intruder strand is executed, but the corresponding responder strand is not. That is, when we provide an attack state and some never patterns, a backwards reachability sequence leading to an initial state will not contain any state that matches any of the never patterns, where the place of the bar at each strand appearing in a never pattern is not taken into consideration for matching purposes. It is also possible to use never patterns to specify negative conditions on terms or strands. Suppose that we want to ask whether it is possible for a responder in the NSPK protocol to execute a session of the protocol, apparently with an initiator, but the nonce received was not the initiator’s. This can be done as follows: eq ATTACK-STATE(1) = :: r :: [ nil, -(pk(b,a ; N)), +(pk(a, N ; n(b,r))), -(pk(b,n(b,r))) | nil ] || empty || nil || nil butNeverFoundAny ( ::: r :: [ nil | -(pk(b,a ; n(a,r’))), +(pk(a, n(a,r’) ; n(b,r))), 9 Note that variable r’ in the never pattern is not an error. The regular strand in the attack state is the initiator strand, which generates variable r. The strand in the never pattern is a pattern that must be valid for any responder strand. Any responder strand would generate his variable r’’, which would be part of the variable N written in the never pattern if such a pattern is matched. Indeed, note that the variable r written in the never pattern is different by definition from the variable r written in the regular strand, since we are defining an actual strand and a pattern to be matched.
- 34. Maude-NPA: Cryptographic Protocol Analysis 23 -(pk(b,n(b,r))), nil ] S:StrandSet || K:IntruderKnowledge || M:SMsgList || G:GhostList ) [nonexec] . It is possible to include more than one never pattern in the specification of an attack state, but then each such pattern must be contained within a pair of parentheses, e.g., butNeverFoundAny ( ... State 1 ... ) ( ... State 2 ... ) Never patterns can also be used to cut the down the search space. Suppose, for example, that one finds in the above search that a number of states are encoun- tered in which the intruder encrypts two nonces, but they never seem to provide any useful information. One can reduce the search space by ruling out such in- truder behavior with the second never pattern in the following attack state: eq ATTACK-STATE(1) = :: r :: [ nil, -(pk(b,a ; N)), +(pk(a, N ; n(b,r))), -(pk(b,n(b,r))) | nil ] || empty || nil || nil butNeverFoundAny (:: r’ :: [nil | +(pk(b,a ; N)), -(pk(a, N ; n(b,r))), +(pk(b,n(b,r))), nil] S:StrandSet || K:IntruderKnowledge || M:SMsgList || G:GhostList) (:: nil :: [nil | -(N1 ; N2), +(pk(B, N1 ; N2)), nil] S:StrandSet || K:IntruderKnowledge || M:SMsgList || G:GhostList) [nonexec] . Note that adding never patterns to reduce the search space, as distinguished from their use for verifying authentication properties, means that failure to find an attack does not necessarily imply that the protocol is secure. It simply means that any attack against the security property specified in the attack state must use at least one strand that is specified in the set of never patterns. There are several things about never patterns that should be noted: 1. The bar in any strand in a never pattern should be at the beginning of the strand. If it is not, the tool does not report any error and places the bar at the beginning. 2. Variables in a never pattern are renamed by the tool to assure that they never appear in the main attack state specification nor in other never patterns.
- 35. 24 S. Escobar, C. Meadows, and J. Meseguer 3. The last two fields in a never pattern must be variables of type SMsgList, and Ghostlist, respectively, as illustrated in the above examples. 4. The first two fields must end in variables of type Strandset and IntruderKnowledge, respectively. 5. More than one never pattern can be used in an attack state. However, each one must be delimited by its own pair of parentheses. For a good example of the use of never patterns, which makes the Maude-NPA search considerably more efficient without compromising the completeness of the reachability analysis, we refer the reader to the analysis of the Diffie-Hellman protocol in [23]. 4.6 Maude-NPA Commands for Attack Search The commands run, summary, and initials are the tool’s commands for attack search. They are invoked by reducing them in Maude, that is, by typing the Maude red command followed by the corresponding Maude-NPA command, followed by a space and a period. To use them we must specify the attack state we are searching for and the number of backwards reachability steps we want to compute. For example, the Maude-NPA command run(0,10) tells Maude-NPA to construct the backwards reachability tree up to depth 10 for the attack state designated with natural number 0. The Maude-NPA run command yields the set of states found at the leaves of the backwards reach- ability tree of the specified depth that has been generated. When the user is not interested in the current states of the reachability tree, he/she can use the Maude-NPA summary command, which outputs just the number of states found at the leaves of the reachability tree and how many of those are initial states, i.e., solutions for the attack. For instance, when we give the reduce command in Maude with the Maude-NPA command summary(0,2) as shown below for the NSPK example, the tool returns: red summary(0,2) . result Summary: States 4 Solutions 0 The initial state representing the standard NSPK attack is found in seven steps. That is, if we type red summary(0,7) . the tool outputs: red summary(0,7) . result Summary: States 3 Solutions 1 A slightly different version of the run command, called initials, outputs only the initial states, instead of all the states at the leaves of the backwards reacha- bility tree. Thus, if we type red initials(0,7) .
- 36. Maude-NPA: Cryptographic Protocol Analysis 25 for the NSPK example, our tool outputs the following initial state10 , which implies that the attack state has been proved reachable and the protocol is insecure: Maude red initials(0,7) . result IdSystem: 1 . 5 . 2 . 7 . 1 . 4 . 3 . 1 ( :: nil :: [nil | -(pk(i, n(b, #1:Fresh))), +(n(b, #1:Fresh)), nil] :: nil :: [nil | -(pk(i, a ; n(a, #0:Fresh))), +(a ; n(a, #0:Fresh)), nil] :: nil :: [nil | -(n(b, #1:Fresh)), +(pk(b, n(b, #1:Fresh))), nil] :: nil :: [nil | -(a ; n(a, #0:Fresh)), +(pk(b, a ; n(a, #0:Fresh))), nil] :: #1:Fresh :: [nil | -(pk(b, a ; n(a, #0:Fresh))), +(pk(a, n(a, #0:Fresh) ; n(b, #1:Fresh))), -(pk(b, n(b, #1:Fresh))), nil] :: #0:Fresh :: [nil | +(pk(i, a ; n(a, #0:Fresh))), -(pk(a, n(a, #0:Fresh) ; n(b, #1:Fresh))), +(pk(i, n(b, #1:Fresh))), nil]) || pk(a, n(a, #0:Fresh) ; n(b, #1:Fresh)) !inI, pk(b, n(b, #1:Fresh)) !inI, pk(b, a ; n(a, #0:Fresh)) !inI, pk(i, n(b, #1:Fresh)) !inI, pk(i, a ; n(a, #0:Fresh)) !inI, n(b, #1:Fresh) !inI, (a ; n(a, #0:Fresh)) !inI || +(pk(i, a ; n(a, #0:Fresh))), -(pk(i, a ; n(a, #0:Fresh))), +(a ; n(a, #0:Fresh)), -(a ; n(a, #0:Fresh)), +(pk(b, a ; n(a, #0:Fresh))), -(pk(b, a ; n(a, #0:Fresh))), +(pk(a, n(a, #0:Fresh) ; n(b, #1:Fresh))), -(pk(a, n(a, #0:Fresh) ; n(b, #1:Fresh))), +(pk(i, n(b, #1:Fresh))), -(pk(i, n(b, #1:Fresh))), +(n(b, #1:Fresh)), -(n(b, #1:Fresh)), +(pk(b, n(b, #1:Fresh))), -(pk(b, n(b, #1:Fresh))) || nil This corresponds to the following textbook version of the attack: 1. A → I : pk(I, A; NA) 2. IA → B : pk(B, A; NA) 3. B → A : pk(A, NA; NB), intercepted by I; 4. I → A : pk(A, NA; NB) 5. A → I : pk(I, NB) 6. IA → B : pk(B, NB) 10 Maude-NPA associates an identifier, e.g. 1.5.2.7.1.4.3.1, to each state generated by the tool. These identifiers are for internal use and are not described here.
- 37. 26 S. Escobar, C. Meadows, and J. Meseguer It is also possible to generate an unbounded search by specifying the second argument of run, initials, or summary as unbounded. In that case the tool will run until it has shown that all the paths it has found either begin in initial states or in unreachable ones. This check may terminate in finite time, but in some cases may run forever. We demonstrate this unbounded search with NSPK: red summary(0,unbounded) . result Summary: States 1 Solutions 1 This tells us, that Maude-NPA terminated with only one attack. If we want to see what that attack looks like, we would instead type red run(0,unbounded) . to get the attack displayed above. The complete analysis of the Diffie-Hellman protocol can be found in [23], including the initial state proving that the protocol in insecure. 5 How Maude-NPA Works: Backwards Reachability First, we recall some definitions on rewriting and narrowing in Section 5.1. Then, we explain in Section 5.2 how the backwards reachability analysis works in practice. 5.1 Rewriting and Narrowing Continuing Section 2, we recall some definitions on term rewriting and illustrate each definition by means of examples. A rewrite rule is an oriented pair of terms (l, r), written l → r, where l ∈ X and l, r ∈ TΣ(X)s for some sort s ∈ S. An (unconditional) order-sorted rewrite theory is a triple R = (Σ, E, R) with Σ an order-sorted signature, E a set of Σ-equations, and R a set of rewrite rules. The rewriting relation →R on TΣ(X) is t p →R t (or →R) if p ∈ PosΣ(t), l → r ∈ R, t|p = σ(l), and t = t[σ(r)]p for some σ. The relation →R/E on TΣ(X) is =E; →R; =E, where ; denotes relation composition. The relation →R/E is much harder to implement and the weaker rewrite relation →R,E is usually provided, as it happens in Maude. Assuming a finitary and complete matching algorithm modulo the equational theory E, the rewriting relation →R,E on TΣ(X) is defined as t p →R,E t (or →R,E) if l → r ∈ R, t|p =E σ(l), and t = t[σ(r)]p. Maude supports matching modulo any combination of free, associative, com- mutative, associative-commutative, and associative-commutative with identity symbols, so that we in effect can rewrite terms modulo any combination of such axioms. Suppose, for example, an unconditional order-sorted rewrite theory R = (Σ, E, R) where Σ contains an infix symbol +, E contains the commutativ- ity property for symbol +, and R contains a rule of the form X + 0 = X. Then we can apply such a rule to the term 0 + 7 modulo commutativity, even though
- 38. Maude-NPA: Cryptographic Protocol Analysis 27 the constant 0 is on the left of the + symbol. That is, the term 0 + 7 matches the left-hand side pattern X + 0 modulo commutativity, i.e., 0 + 7 =E (X + 0)σ where σ = {X → 7}. We would express this rewrite step modulo commutativity with the arrow notation: 0 + 7 →R,E 7 Likewise, we denote by →∗ R,E the reflexive-transitive closure of the one-step rewrite relation →R,E with the rules R modulo the axioms E. That is, →∗ R,E corresponds to taking zero, one, or more rewrite steps with the rules R modulo E. Narrowing generalizes term rewriting by allowing free variables in terms (as in logic programming) and by performing unification instead of matching in order to (non–deterministically) reduce a term. Intuitively, the difference between a rewriting step and a narrowing step is that in both cases we use a rewrite rule l → r to rewrite t at a position p in t, but narrowing finds values for the variables in the chosen subject term t|p before actually performing the rewriting step. The narrowing relation R on TΣ(X) is t p σ,R t (or σ,R, R) if p ∈ PosΣ(t), l → r ∈ R, σ ∈ CSU∅(t|p = l), and t = σ(t[r]p). Assuming that E has a finitary and complete unification algorithm, the narrowing relation R,E on TΣ(X) is t p σ,R,E t (or σ,R,E, R,E) if p ∈ PosΣ(t), l → r ∈ R, σ ∈ CSUE(t|p = l), and t = σ(t[r]p). Maude supports unification modulo different user-defined theories including any combination of free, commutative, and associative-commutative symbols; see Section 6.3 for the algebraic theories admissible for such equational unification procedure, and Section 6.4 for some examples of admissible theories. Suppose, for example, the same unconditional order-sorted rewrite theory used above for rewriting. Then, we can apply the rule X + 0 = X above to the term Z + 7, where X is a variable, modulo commutativity. That is, the term Z +7 unifies the left-hand side pattern X + 0 modulo commutativity, i.e., (Z + 7)θ =E (X + 0)θ where θ = {Z → 0, X → 7}. We would express this narrowing step modulo commutativity with the arrow notation: Z + 7 ;θ,R,E 7 We denote by ;∗ θ,R,E the reflexive-transitive closure of the one-step narrowing relation ;R,E with the rules R modulo the axioms E, where θ is the composition of all the unifiers obtained during the sequence. In Maude-NPA, narrowing is used at two levels: for backwards reachability analysis from a term with variables (i.e., an attack state), and for equational unification. We postpone until Section 6 how the narrowing-based equational unification is performed in Maude-NPA. 5.2 Backwards Reachability Analysis Given a protocol P and an equational theory EP , Maude-NPA performs back- wards narrowing reachability analysis from a state St representing an attack pattern (i.e., a term with variables) using the relation R−1 P ,EP , where the
- 39. 28 S. Escobar, C. Meadows, and J. Meseguer rewrite rules RP are obtained from the protocol strands P. The rewrite the- ory RP = (Σ, EP , RP ) is topmost, i.e., there is a sort State such that for each l → r ∈ RP , l, r ∈ TΣ(X)State, r ∈ X, and no operator in Σ has State as an argument sort. Intuitively, a topmost rewrite theory describes a specification of a system such that a rewrite or narrowing step can only be performed at the root of each term denoting a state. The fact that R = (Σ, EP , RP ) is a topmost rewrite theory has several advantages: 1. The rewriting relation →RP /EP can be safely simulated by the rewriting relation →RP ,EP . 2. Similarly, the narrowing relation RP ,EP achieves the same effect as a more general narrowing relation RP /EP (see [48]). 3. We obtain the following completeness result between narrowing (RP ,EP ) and rewriting (→RP /EP ): Theorem 1 (Topmost Completeness). [48] Let R = (Σ, E, R) be a topmost rewrite theory such that E has a finitary unification algorithm, t, t ∈ TΣ(X), and let σ be a substitution such that σ(t) →∗ R/E t . Then, there are substitutions θ, τ and a term t such that t ∗ θ,R,E t , σ(t) =E τ(θ(t)), and t =E τ(t ). A state in the protocol execution is a set of Maude-NPA strands unioned together with an associative and commutativity union operator with identity operator empty, along with an additional term describing the intruder knowledge at that point. Note that two extra state components are associated to a Maude-NPA state in Section 4, but they are irrelevant and useful only for user debugging of the protocol, so we omit them in this section and in Section 7. The intruder knowledge is represented as a set of facts unioned together with an associative and commutativity union operator _,_ with identity operator empty. There are two kinds of intruder facts: positive knowledge facts (the in- truder knows m, i.e., (m inI)), and negative knowledge facts (the intruder does not yet know m but will know it in a future state, i.e., (m !inI)), where m is a message expression. Strands communicate between them via a unique shared channel, i.e., by send- ing messages to the channel and retrieving messages from the channel. However, we do not explicitly represent the channel in our model. Instead, since the in- truder is able to learn any message present in the channel, we use the intruder knowledge as the channel. When the intruder observes a message in the channel, then he/she learns it. The intruder has the usual ability to read and redirect traffic, and can also perform operations, e.g., encryption, decryption, concate- nation, exclusive or, exponentiation, etc., on messages that it has received. As explained in Section 3, the nature and algebraic properties of such operations de- pend on the given cryptographic theory EP . Intruder operations are described in terms of the intruder sending messages to itself, which are represented as differ- ent strands, one for each action. All intruder and protocol strands are described symbolically, using a mixture of variables and constants, so a single state spec- ification as a term with variables symbolically represents many concrete state
- 40. Maude-NPA: Cryptographic Protocol Analysis 29 instances. There is no restriction on the number of principals, number of sessions, nonces, or time, i.e., no data abstraction or approximation is performed. The user can make use of a special sort Fresh in the protocol-specific signature Σ for representing fresh unguessable values, e.g., for nonces. The meaning of a variable of sort Fresh is that it will never be instantiated by an E-unifier generated during the backwards reachability analysis. This ensures that if nonces are represented using variables of sort Fresh, they will never be merged and no approximation for nonces is necessary. We make the Fresh variables generated by a strand explicit by writing (r1, . . . , rk : Fresh) [msg± 1 , . . . , msg± n ], where r1, . . . , rk are all the variables of sort Fresh generated by msg± 1 , . . . , msg± n . If it does not generate any fresh variable, we add nothing to the strand. As explained in Section 3, the types and algebraic properties of the operators used in messages (cryptographic and otherwise) are described as an equational theory EP . In principle, the rewrite rules RP obtained from the protocol strands P are represented by the following rewrite rules11 : SS [L | M− , L ] ((M inI), IK) → SS [L, M− | L ] ((M inI), IK) (1) SS [L | M+ , L ] IK → SS [L, M+ | L ] IK (2) SS [L | M+ , L ] IK → SS [L, M+ | L ] ((M inI), IK) (3) In a forward execution of the protocol strands, Rule (1) synchronizes an input message with a message already learned by the intruder, Rule (2) accepts output messages but the intruder’s knowledge is not increased, and Rule (3) accepts out- put messages and the intruder’s knowledge is positively increased. New strands will be added to the state by explicit introduction through dedicated rewrite rules (one for each honest or intruder strand), e.g. SS ((sk(i, M) inI), IK) → SS [M− | sk(i, M)+ ] ((sk(i, M) inI), IK) However, we are interested in a backwards execution of the protocol from an attack state that contains positive facts in the intruder knowledge. Therefore, the rule increasing the intruder knowledge, Rule (3), must make explicit when the intruder learned message M: SS [L | M+ , L ] ((M !inI), IK) → SS [L, M+ | L ] ((M inI), IK) (4) Note that this is recorded in the previous state by the negative fact (M !inI), which can be paraphrased as: “the intruder does not yet know M, but will learn it in the future”. For the introduction of new additional strands, we simply record when the intruder learned message M in each of the rewrite rules explicitly introducing new strands but, since they are applied backwards, reversing the introduction of the new strand: 11 The top level structure of the state is a multiset of strands formed with the union operator. The protocol and intruder rewrite rules are “essentially topmost” in that, using an extension variable matching the “remaining strands” they can always rewrite the whole state. Therefore, as explained in [48], completeness results of narrowing for topmost theories also apply to them.
- 41. 30 S. Escobar, C. Meadows, and J. Meseguer { [ l1 | u+ , l2 ] {(u !inI), K} → {(u inI), K} | [ l1, u+ , l2 ] ∈ P} (5) For example, the following Dolev-Yao action: SS [M− | sk(i, M)+ ] ((sk(i, M) !inI), IK) → SS ((sk(i, M) inI), IK) (6) Thus, we can conclude that the set of rewrite rules obtained from the protocol strands that are used for backwards narrowing reachability analysis is RP = {(1), (2), (4)} ∪ (5). For example, consider the the NSPK attack state: (r : Fresh)[ pk(b, a; N)− , pk(a, N; n(b, r))+ , pk(b, n(b, r))− | nil ] (n(b, r) inI) and the Rule (6). We can apply this rule to our attack state modulo the equa- tional theory for NSPK. That is, the attack term above unifies with the left-hand side of the rule modulo the following cancellation equational rules EP : pk(A, sk(A, Z)) = Z sk(A, pk(A, Z)) = Z To be more concrete, the term n(b, r) unifies12 with the term sk(i, M) modulo the cancellation equational rules yielding the unifier θ = {M → pk(i, n(b, r))}. Therefore, we obtain the following predecessor state using the narrowing relation ;θ,R−1 P ,EP from the NSPK attack state: [ pk(i, n(b, r))− | n(b, r)+ ] (r : Fresh)[ pk(b, a; N)− , pk(a, N; n(b, r))+ , pk(b, n(b, r))− | nil ] (n(b, r) !inI) In a backwards execution of the protocol using narrowing we start from an attack pattern, i.e., a term with variables, containing: (i) some of the strands of the protocol to be executed backwards, (ii) a variable SS denoting a set of additional strands, (iii) some terms the intruder knows at the attack state, i.e., of the form (t inI), and (iv) a variable IK denoting a set of additional intruder facts. We then perform narrowing with the rules RP in reverse to move the bars of the strands to the left until either we find an initial state, or cannot perform any other useful backwards narrowing steps. Note that variables SS and IK will be instantiated by backwards narrowing to additional strands and additional intruder facts, respectively, in order to find an initial state. Indeed, these variables SS and IK are not required for the specification of the attack state as explained in Section 4.4; see Section 7.2 for further technical details. 6 How Maude-NPA Works: Equational Unification Sound techniques for equational unification are paramount to Maude-NPA, since it performs symbolic reachability analysis modulo the equational theory of the 12 This equational unification procedure is also performed by narrowing and is ex- plained in Section 6 below.
- 42. Maude-NPA: Cryptographic Protocol Analysis 31 protocol. This makes Maude-NPA verification much stronger than verification methods based on a purely syntactic view of the algebra of messages as a term algebra using the standard Dolev-Yao model of perfect cryptography in which no algebraic properties are assumed. Indeed, it is well-known that various protocols that have been proved secure under the standard Dolev-Yao model can be bro- ken by an attacker who exploits the algebraic properties of some cryptographic functions (see, e.g., [41, 43, 46]). In the standard Dolev-Yao model, symbolic reachability analysis typically takes the form of representing sets of states symbolically as terms with logical variables, and then performing syntactic unification with the protocol rules to explore reachable states. This can be done in either a forwards or a backwards fashion. In the Maude-NPA (which can also be used for analyses under the standard Dolev-Yao model when no algebraic properties are specified) symbolic reachability analysis is performed in a backwards fashion (as already explained in Section 5), beginning with a symbolic representation of an attack state, and searching for an initial state, which then provides a proof that an attack is possible; or a proof that no such attack is possible if all such search paths fail to reach an initial state. However, if the Maude-NPA analyzes a protocol for which algebraic properties have been specified by an equational theory T , the same symbolic reachability analysis is performed in the same fashion, but now modulo T . What this means precisely is that, instead of performing syntactic unification between a term representing symbolically a set of states and the righthand-side (in the backwards reachability case) of a protocol rule, we now perform equational unification with the theory T , (also called T -unification, or unification modulo T ) between the same term and the same righthand side of a protocol rule. In what follows we explain several things regarding T -unification in the Maude-NPA: – In Section 6.1, equational axioms for which the Maude-NPA provides built-in support for equational unification. – In Section 6.2, narrowing-based equational unification in general, which is however infeasible for Maude-NPA analysis when the number of unifiers generated is infinite. – In Section 6.3, the most general class of equational theories for which the Maude-NPA can currently support unification by narrowing, with the im- portant requirement of the number of unifier solutions being finite. These are called admissible theories. – Some examples of admissible theories in Section 6.4. 6.1 Built-In Support for Unification Modulo Equational Axioms The Maude-NPA has built-in support for unification modulo certain equational theories T thanks to the underlying Maude infrastructure. Specifically, the Maude-NPA automatically supports unification modulo T for T any order-sorted theory of the form T = (Σ, Ax), where Σ is a signature declaring sorts, sub- sorts, and function symbols (as we have already illustrated with examples in
- 43. 32 S. Escobar, C. Meadows, and J. Meseguer Section 3.2) and Ax is a collection of equational axioms where some binary operators f in the signature Σ may have axioms in Ax for either commuta- tivity (f(x, y) = f(y, x)), or commutativity and associativity (f(x, f(y, z)) = f(f(x, y), z)). Associativity alone is not supported, because it is well-known that unification problems modulo associativity may have an infinite number of uni- fiers (see, e.g., [5]). As already illustrated in Section 3.4, the way associativity, and/or commutativity axioms are specified in Maude for a function symbol f is not by giving those axioms explicitly, but by declaring f in Maude with the assoc and/or comm attributes. For example a function symbol f of sort S which is associative and commutative is specified in Maude as follows: op f : S S - S [assoc comm] . 6.2 Narrowing-Based Equational Unification and Its Limitations Of course, many algebraic theories T of interest in protocol analysis fall outside the scope of the above-mentioned class of theories T based on combinations of associativity and/or commutativity axioms, for which the Maude-NPA provides automatic built-in support. Therefore, the burning issue is how to support more general classes of algebraic theories in the Maude-NPA. In this regard, a very useful, generic method to obtain T -unification algorithms is narrowing [29, 31]. Mathematically, an algebraic theory T is a pair of the form T = (Σ, E ∪ Ax), where Σ is a signature declaring sorts, subsorts, and function symbols, and where E ∪ Ax is a set of equations, that we assume is split into a set Ax of equational axioms such as our previous combinations of associativity and/or commutativity axioms, and a set E of oriented equations to be used from left to right as rewrite rules. In Maude, the axioms Ax are declared by means of the assoc and/or comm attributes. Instead, the equations E are declared with the eq keyword as we have illustrated with examples in Section 3.4. An algebraic theory T = (Σ, E ∪ Ax) must satisfy the following four requirements: 1. The axioms Ax can declare some binary operators in Σ to be commutative (with the comm attribute), or associative-commutative (with the assoc and comm attributes). 2. The equations E are confluent modulo Ax. 3. The equations E are terminating modulo Ax. 4. The equations E are coherent modulo Ax. We now explain in detail what these requirements mean. First, the equational theory T = (Σ, E ∪ Ax) is viewed as an unconditional order-sorted rewrite theory RT = (Σ, Ax, E), so that we perform rewrite steps with the rewrite rules E modulo Ax, i.e., the reduction relation →E,Ax explained in Section 5.1, where, in the notation →R,E, now R = E and E = Ax. Confluence. The equations E are called confluent modulo Ax if and only if for each term t in the theory T = (Σ, E ∪ Ax), if we can rewrite t with E modulo
- 44. Maude-NPA: Cryptographic Protocol Analysis 33 Ax in two different ways as: t −→∗ E,Ax u and t −→∗ E,Ax v, then we can always further rewrite u and v to a common term up to identity modulo Ax. That is, we can always find terms u , v such that: – u −→∗ E,Ax u and v −→∗ E,Ax v , and – u =Ax v That is, u and v are essentially the same term, in the sense that they are equal modulo the axioms Ax. In the example of Section 5.1, we have, for instance, 0 + 7 =Ax 7 + 0. Termination. The equations E are called terminating modulo Ax if and only if all rewrite sequences terminate; that is, if and only if we never have an infinite sequence of rewrites t0 →E,Ax t1 →E,Ax t2 . . . tn →E,Ax tn+1 . . . Coherence. Rather than explaining the coherence modulo Ax notion in general (the precise definition of the general notion can found in [31]), we explain in detail its meaning in the case where it is needed for the Maude-NPA, namely, the case of associative-commutative (AC) symbols. The best way to illustrate the meaning of coherence is by its absence. Consider, for example, an exclusive or operator ⊕ which has been declared AC. Now consider the equation X ⊕X = 0. This equation, if not completed by another equation, is not coherent modulo AC. What this means is that there will be term contexts in which the equation should be applied, but it cannot be applied. Consider, for example, the term b⊕(a⊕b). Intuitively, we should be able to apply to it the above equation to simplify it to the term a⊕0 in one step. However, since we are using the weaker rewrite relation →E,Ax instead of the stronger but much harder to implement relation →E/Ax, we cannot! The problem is that the equation cannot be applied (even if we match modulo AC) to either the top term b ⊕ (a ⊕ b) or the subterm a ⊕ b. We can however make our equation coherent modulo AC by adding the extra equation X ⊕ X ⊕ Y = 0 ⊕ Y , which, using also the equation X ⊕ 0 = X, we can slightly simplify to the equation X ⊕X ⊕Y = Y . This second variant of our equation will now apply to the term b⊕(a⊕b), giving the simplification b⊕(a⊕b) −→E,Ax a. Technically, what coherence means is that the weaker relation →E,Ax becomes semantically equivalent to the stronger relation →E/Ax. For the Maude-NPA, coherence is only an issue for AC symbols. And there is always an easy way, given a set E of equations, to make them AC-coherent. The method is as follows. For any symbol f which is AC, and for any equation of the form f(u, v) = w in E, we add also the equation f(f(u, v), X) = f(w, X), where X is a new variable not appearing in u, v, w. In an order-sorted setting, we should give to X the biggest sort possible, so that it will apply in all generality. As an additional optimization, note that some equations may already be coherent modulo AC, so that we need not add the extra equation. For example, if the variable X has the biggest possible sort it could have, then the equation X ⊕
- 45. 34 S. Escobar, C. Meadows, and J. Meseguer 0 = X is already coherent, since X will match “the rest of the ⊕-expression,” regardless of how big or complex that expression might be, and of where in the expression a constant 0 occurs. For example, this equation will apply modulo AC to the term (a⊕(b⊕(0⊕c)))⊕(c⊕a), with x matching the term (a⊕(b⊕c))⊕(c⊕a), so that we indeed get a rewrite (a⊕(b⊕(0⊕c)))⊕(c⊕a) →E,Ax (a⊕(b⊕c))⊕(c⊕a). Limitations. Although narrowing is a very general method to generate T - unification algorithms, general narrowing has a serious limitation. The problem is that, in general, narrowing with an equational theory T = (Σ, E ∪Ax) satisfying requirements (1)–(4) above may yield an infinite number of unifiers. Since, for T the algebraic theory of a protocol, T -unification must be performed by the Maude-NPA at each single step of symbolic reachability analysis, narrowing is in general not practical as a unification procedure, unless the theory T satisfies the additional requirement that there always exists a finite set of unifiers that provide a complete set of solutions; and that such a finite set of solutions can be effectively computed by narrowing. We discuss this extra important requirement in what follows. 6.3 General Requirements for Algebraic Theories The Maude-NPA’s unification technique is based on narrowing and in order to provide a finite set of unifiers, five specific requirements must be met by any algebraic theory specifying cryptographic functions that the user provides. If these requirements are not satisfied, Maude-NPA may exhibit non-terminating and/or incomplete behavior, and any completeness claims about the results of the analysis cannot be guaranteed. We call theories that satisfy these criteria admissible theories. We show in Section 6.4 how all the examples presented in Section 3.4 are admissible theories. In the Maude-NPA we call an algebraic theory T = (Σ, E ∪ Ax) specified by the user for the cryptographic functions of the protocol admissible if it satisfies the four requirements specified in Section 6.2 and strongly right irreducibility, i.e., the following five requirements: 1. The axioms Ax can declare some binary operators in Σ to be commutative (with the comm attribute), or associative-commutative (with the assoc and comm attributes). No other combinations of axioms are allowed; that is, a function symbol has either no attributes, or only the comm attribute, or only the assoc and comm attributes.13 2. The equations E are confluent modulo Ax. 3. The equations E are terminating modulo Ax. 4. The equations E are coherent modulo Ax. 5. The equations E are strongly right irreducible. 13 In future versions of the Maude-NPA we also plan to support operators having the assoc, comm and id attributes, adding an identity axiom. At present, identity axioms in Maude-NPA theories should only be defined by means of equations.
- 46. Maude-NPA: Cryptographic Protocol Analysis 35 Confluence, termination, and coherence were explained in Section 6.2. We now explain in detail what strongly right irreducibility means. Given a theory T = (Σ, E ∪ Ax), which we assume satisfies requirements (1)-(4) above, we call the set E of equations strongly right irreducible iff for each equation t = t in E, we cannot further simplify by the equations E modulo Ax either the term t , or any substitution instance θ(t ) where the terms in the substitution θ cannot themselves be further simplified by the equations E modulo Ax. Obvious cases of such righthand-sides t include: – a single variable; – a constant for which no equations exist; – more generally, a constructor term, i.e., a term whose function symbols have no associated equations. But these are not the only possible cases where strong right irreducibility can be applied. Typing, particularly the use of sorts and subsorts in an order-sorted equational specification, can greatly help in attaining strong right irreducibility. We refer the reader to [19, 21] for two examples of how order-sorted typing helps narrowing-based unification to become finitary. We discuss one of these examples, namely Diffie-Hellman, in the following section. Finally, let us motivate with an example how this narrowing-based equational unification works. Consider the exclusive-or theory: X ⊕ X ⊕ Y = Y X ⊕ X = 0 X ⊕ 0 = X viewed as the order-sorted rewrite theory R = (Σ, Ax, E) where Ax contains the associativity and commutativity of ⊕ and E contains the three equational rules above. Given the equational problem t ? = s, where t = X ⊕ Y and s = U ⊕ V , we perform narrowing on t with the equations E modulo the axioms Ax. We can apply a renamed version (e.g. Z ⊕ Z ⊕ W) of the first equation to the term X ⊕ Y . That is, the term X ⊕ Y unifies modulo AC with the term Z ⊕ Z ⊕ W and one of the unifiers is σ = {X → W ⊕ Z , Y → Z , W → W , Z → Z }. We express this narrowing step as X ⊕ Y ;σ,E,Ax W Note that, according to [27], we simply unify the terms W and U⊕V modulo AC to finish the equational unification procedure, obtaining σ = {X → (U ⊕ V ) ⊕ Z , Y → Z } as an equational unifier of terms t and s modulo the equational theory for exclusive-or. This unifier is not necessarily the only one possible: given an equation t = t , by successive narrowing of t and t followed by attempts of Ax-unification, other unifiers can be computed. However, since the exclusive or theory satisfies conditions (1)-(5) above, we are guaranteed that there will be a finite complete set of unifiers obtained this way by narrowing.
- 47. 36 S. Escobar, C. Meadows, and J. Meseguer 6.4 Some Examples of Admissible Theories Since any user of the Maude-NPA should write specifications whose algebraic theories are admissible, i.e., satisfy requirements (1)–(5) in Section 6.3, it may be useful to illustrate how these requirements are met by several examples. This can give a Maude-NPA user a good intuitive feeling for how to specify algebraic theories that the Maude-NPA currently can handle. For this purpose, we revisit the theories already discussed in Section 3.4. Let us begin with the theory of Encryption/Decryption: var Z : Msg . var A : Name . *** Encryption/Decryption Cancellation eq pk(A,sk(A,Z)) = Z [nonexec] . eq sk(A,pk(A,Z)) = Z [nonexec] . In this case Ax = ∅. It is obvious that in this case the equations E terminate, since the size of a term as a tree (number of nodes) strictly decreases after the application of any of the above two rules, and therefore it is impossible to have an infinite chain of rewrites with the above equations. It is also easy to check that the equations are confluent: by the termination of E this can be reduced to checking confluence of critical pairs, which can be easily discharged by automated tools [16], or even by hand. Since Ax = ∅, coherence is a mute point. The equations are also strongly right irreducible, because in both cases they are the variable Z, and any instance of Z by a term that cannot be further simplified by the above equations, obviously cannot be further simplified by hypothesis. Let us now consider the Exclusive Or Theory: --- XOR operator op _+_ : Msg Msg - Msg [frozen assoc comm] . op null : - Msg . vars X Y : Msg . --- XOR equational properties eq X + X + Y = Y [nonexec] . eq X + X = null [nonexec] . eq X + null = X [nonexec] . In this case Ax = AC. Termination modulo AC is again trivial, because the size of a term strictly decreases after applying any of the above equations modulo AC. Because of termination modulo AC, confluence modulo AC can be reduced to checking confluence of critical pairs, which can be discharged by standard tools [16]. Coherence modulo AC is also easy. As already explained, the first equation has to be added to the second to make it coherent. As also explained above, since the sort Msg is the biggest possible for the exclusive or operator, the variable X in the last equation has the biggest possible sort it can have, and
- 48. Maude-NPA: Cryptographic Protocol Analysis 37 therefore that equation is already coherent, so that there is no need to add an extra equation of the form eq X + null + Y = X + Y [nonexec] . because modulo AC such an equation is in fact an instance of the third equation (by instantiating X to the term X + Y). Finally, strong right irreducibility is also obvious, since the righthand sides are either variables, or the constant null, for which no equations exist. Turning now to the Diffie-Hellman theory we have: sorts Name NeNonceset Nonce Gen Exp GenvExp Enc . subsort Name NeNonceset Enc Exp Msg . subsort Nonce NeNonceset . subsort Gen Exp GenvExp . subsort Name Gen Public . op g : - Gen [frozen] . op exp : GenvExp NeNonceSet - Exp [frozen] . op _*_ : NeNonceSet NeNonceSet - NeNonceSet [frozen assoc comm] . eq exp(exp(W:Gen,Y:NeNonceSet),Z:NeNonceSet) = exp(W:Gen, Y:NeNonceSet * Z:NeNonceSet) [nonexec] . Again, this theory is AC. Termination modulo AC is easy to prove by using a polynomial ordering with AC polynomial functions (see [47]). For example, we can associate to exp the polynomial x + y + 1, and to * the polynomial x + y. Then the proof of termination becomes just the polynomial inequality w + y + z + 2 w + y + z + 1. Because of termination modulo AC, confluence modulo AC can be reduced to checking the confluence of critical pairs. Here things become interesting. In an untyped setting, the above equation would have a nontrivial overlap with itself (giving rise to a critical pair), by unifying the lefthand side with the subterm exp(W:Gen,Y:NeNonceSet). However, because of the subsort and operator declarations subsort Gen Exp GenvExp . op exp : GenvExp NeNonceSet - Exp [frozen] . we see that the order-sorted unification of the subterm exp(W:Gen,Y:NeNonceSet) (which has sort Exp) and the lefthand side now fails, because the sorts Gen and Exp are mutually exclusive and cannot have any terms in common. Therefore there are no nontrivial critical pairs and the equation is confluent modulo AC. Coherence modulo AC is trivially satisfied, because the top operator of the equa- tion (exp) is not an AC operator. As in the case of confluence modulo AC, the remaining issue of strong right irreducibility becomes particularly interesting in the order-sorted context. Note that in an untyped setting, an instance of the righthand side by applying a substitution whose terms cannot be further simpli- fied could itself be simplified. For example, if we consider the untyped righthand
- 49. 38 S. Escobar, C. Meadows, and J. Meseguer side term exp(W, Y * Z), the substitution θ mapping W to exp(Q,X) and being the identity on Y and Z is itself irreducible by the equations, but when applied to exp(W, Y * Z) makes the corresponding instance reducible by the untyped version of the above equation. However, in the order-sorted setting in which our equation is defined, the equation is indeed strongly right irreducible. This is again because the sorts Gen and Exp are mutually exclusive and cannot have any terms in common, so that the variable W:Gen cannot be instantiated by any term having exp as its top operator. It may perhaps be useful to conclude this section with an example of an algebraic theory that cannot be supported in the current version of Maude- NPA. Consider, the extension of the above exclusive or theory in which we add a homomorphism operator and the obvious homomorphism equation: op h : Msg - Msg . vars X Y : Msg . eq h(X + Y) = h(X) + h(Y) [nonexec] . The problem now is that the righthand side h(X) + h(Y) fails to be strongly right-irreducible. For example, the substitution θ mapping X to U + V and Y to Y is itself irreducible, but produces the instance h(U + V) + h(Y), which is obviously reducible. Since strong irreducibility is only a sufficient condition for narrowing-based equational unification to be finitary, one could in principle hope that this homomorphism example might still have a narrowing-based finitary algorithm14 . However, the hopes for such a finitary narrowing-based algorithm are dashed to the ground by results in both [15], about the homomorphism theory not having the “finite variant” property, and the variant-based unification methods in [25]. In summary, the main point we wish to emphasize is that the equational theories T for which the current version of Maude-NPA will work properly are order-sorted theories of the form T = (Σ, E ∪ Ax) satisfying the admissibility requirements (1)–(5). Under assumptions (1)–(5), T -unification problems are always guaranteed to have a finite number of solutions and the Maude-NPA will find them by narrowing. As a final caveat, if the user specifies a theory T where any of the above re- quirements (1)–(5) fail, besides the lack of completeness that would be caused by 14 The fact that an equational theory T does not have a finitary narrowing-based al- gorithm does not by itself preclude the existence of a finitary unification algorithm obtained by other methods. In fact, the homomorphic theory we have just described does have a finitary unification algorithm [2]; however this dedicated unification algorithm is not an instance of a generic narrowing-based algorithm. However, as already explained, in the Maude-NPA the theories for which finitary unification is currently supported are either order-sorted theories with built-in axioms of commu- tativity and associativity-commutativity, or theories modulo such built-in axioms that are confluent, terminating, and coherent modulo Ax, and that are also strongly right irreducible.
- 50. Maude-NPA: Cryptographic Protocol Analysis 39 the failure of conditions (2)–(4), a likely consequence of failing to meet condition (5) will be that the tool may loop forever trying to solve a unification problem associated with just a single transition step in the symbolic reachability analy- sis process. However, we are investigating conditions more general than (5) (such as the above-mentioned finite variant property) that will still guarantee that a T - unification problem always has a finite complete set of solutions. Future versions of Maude-NPA will relax condition (5) to allow more general conditions of this kind. 7 State Space Reduction Techniques In this section, we describe the different state-reduction techniques identifying unproductive backwards narrowing reachability steps. First, let us briefly re- call a protocol state in Maude-NPA. A state in the protocol execution is a set of Maude-NPA strands unioned together with an associative and commutativ- ity union operator with identity operator empty, along with an additional term describing the intruder knowledge at that point. The intruder knowledge is represented as a set of facts unioned together with an associative and commu- tativity union operator _,_ with identity operator empty. There are mainly two kinds of intruder facts: positive knowledge facts (m inI), and negative knowl- edge facts (m !inI). Strands communicate between them via a unique shared channel represented by the intruder knowledge. There are three reasons for detecting unproductive backwards narrowing reach- ability steps (i.e., the relation St σ,R−1 P ,EP St described in Section 5.2). One is to reduce, if possible, the initially infinite search space to a finite one, as in the use of grammars. Another is to reduce the size of a (possibly finite) search space by eliminating unreachable states early, i.e., before they are eliminated by exhaustive search. This elimination of unreachable states can have an effect far beyond eliminating a single node in the search space, since a single unreachable state may appear multiple times and/or have multiple descendants. Finally, it is also possible to use various partial order reduction techniques that can further shrink the number of states that need to be explored. 7.1 Public Data The simplest optimization possible is when we are searching for some data that it is considered public using a subsort definition, e.g. “subsort Name Public”. That is, given a state St that contains an expression (t inI) in the intruder knowledge where t is of sort Public, we can remove the expression (t inI) from the intruder knowledge, since the backwards reachability steps taken care of such a (t inI) are trivially leading to an initial state but their inclusion in the message sequence is unnecessary. 7.2 Limiting Dynamic Introduction of New Strands Our second optimization helps explain why attack states given in Section 5.2 contain a variable SS denoting a set of strands and a variable IK denoting a
- 51. 40 S. Escobar, C. Meadows, and J. Meseguer set of intruder facts, whereas the attack states explained in Section 4.4 do not contain those variables. As pointed out in Section 5.2, Rules of type (5) allow the dynamic introduction of new strands. However, new strands can also be introduced by unification of a state containing a variable SS denoting a set of strands and one of the Rules (1), (2), and (4), where variables L and L denoting lists of input/output messages will be introduced by instantiation of SS. The same can happen with new intruder facts of the form (X inI), where X is a variable. That is, consider a state containing a variable SS denoting a set of strands and a variable IK denoting a set of intruder knowledge, and the Rule (1): SS [L | M− , L ] ((M inI), IK ) → SS [L, M− | L ] ((M inI), IK ) The following backwards narrowing step applying such a rule can be performed from the state above using the unifier σ = {SS → SS [L, M− | L ], IK → ((M inI), IK )} SS IK σ R,E SS [L | M− , L ] ((M inI), IK ) but this backwards narrowing step is unproductive, since it is not guided by the information in the attack state. Indeed, the same rule can be applied again using variables SS and IK and this can be repeated many times. In order to avoid a huge number of unproductive narrowing steps, we allow the introduction of new strands and/or new intruder facts only by rule application instead of just by unification. For this, we do two things: 1. we remove any of the following variables from attack states; SS denoting a set of strands, IK denoting a set of intruder facts, and L, L denoting a set of input/output messages; and 2. we replace Rule (1) by the following Rule (7), since we do no longer have a variable denoting a set of intruder facts that has to be instantiated: SS [L | M− , L ] {(M inI), IK} → SS [L, M− | L ] {IK} (7) Note that in order to replace Rule (1) by Rule (7) we have to assume that the intruder knowledge is a set of intruder facts without repeated elements, i.e., the union operator _,_ is ACUI (associative-commutative-identity-idempotent). This is completeness-preserving, since it is in line with the restriction in [20] that the intruder learns a term only once; if the intruder needs to use a term twice he must learn it the first time it is needed; if he learns a term and needs to learn it again in the backwards search, the state will be discarded as un- reachable. Therefore, the set of rewrite rules used for backwards narrowing is RP = {(7), (2), (4)} ∪ (5). Furthermore, one may imagine that Rule (4) and Rules of type (5) must also be modified in order to remove the (M inI) expression from the intruder knowledge of the right-hand side of each rule. However, this is wrong, since, by keeping the (M inI), we force the backwards application of such rule only when there is indeed a message for the intruder to be learned. This provides some sort of on-demand evaluation of the protocol.
- 52. Maude-NPA: Cryptographic Protocol Analysis 41 7.3 Partial Order Reduction Giving Priority to Input Messages The different rewrite rules on which the backwards narrowing search from an attack state is based are in general executed nondeterministically. This is because the order of execution can make a difference as to what subsequent rules can be executed. For example, an intruder cannot receive a term until it is sent by somebody, and that send action within a strand may depend upon other receives in the past. There is one exception, Rule (7) (originally Rule (1)), which, in a backwards search, only moves a negative term appearing right before the bar into the intruder knowledge. The execution of this transition in a backwards search does not disable any other transitions; indeed, it only enables send transitions. Thus, it is safe to execute it at each stage before any other transition. For the same reason, if several applications of Rule 7 are possible, it is safe to execute them all at once before any other transition. Requiring all executions of Rule 7 to execute first thus eliminates interleavings of Rule 7 with send and receive transitions, which are equivalent to the case in which Rule 7 executes first. In practice, this typically cuts down in half the search space size. Similar strategies have been employed by other tools in forward searches. For example, in [45], a strategy is introduced that always executes send transitions first whenever they are enabled. Since a send transition does not depend on any other component of the state in order to take place, it can safely be executed first. The original NPA also used this strategy; it had a receive transition which had the effect of adding new terms to the intruder knowledge, and which always was executed before any other transition once it was enabled. 7.4 Detecting Inconsistent States Early There are several types of states that are always unreachable or inconsistent. If the Maude-NPA attempts to search beyond them, it will never find an initial state. For this reason, we augment the Maude-NPA search engine to always mark the following types of states as unreachable, and not search beyond them any further: 1. A state St containing two contradictory facts (t inI) and (t !inI) for a term t. 2. A state St whose intruder knowledge contains the fact (t !inI) and a strand of the form [m± 1 , . . . , t− , . . . , m± j−1 | m± j , . . . , m± k ]. 3. A state St containing a fact (t inI) such that t contains a fresh variable r and the strand in St indexed by r, i.e., (r1, . . . , r, . . . , rk : Fresh) [m± 1 , . . . , m± j−1 | m± j , . . . , m± k ], cannot produce r, i.e., r is not a subterm of any output message in m± 1 , . . . , m± j−1. 4. A state St containing a strand of the form [m± 1 , . . . , t− , . . . , m± j−1 | m± j , . . . , m± k ] for some term t such that t contains a fresh variable r and the strand in St indexed by r cannot produce r. Note that case 2 will become an instance of case 1 after some backwards narrow- ing steps, and the same happens with cases 4 and 3. The proof of inconsistency of cases 1 and 3 is obvious.
- 53. 42 S. Escobar, C. Meadows, and J. Meseguer 7.5 Transition Subsumption Partial order reduction techniques (POR) are common in state exploration tech- niques due to their simplification properties. However, partial order techniques for narrowing-based state exploration have not been explored in detail, although they may be extremely relevant and even simplify much more than in standard state exploration techniques, based on ground terms rather than terms with vari- ables. For instance, the simple concept of two states being equivalent modulo renaming of variables does not apply to standard state exploration techniques whereas it does apply to narrowing-based state exploration. In [24], Escobar and Meseguer explored narrowing-based state exploration and POR techniques, which may transform an infinite-state system into a finite one. However, the Maude-NPA needs a dedicated POR technique that should combine different previous ideas in order to be applicable to the concrete execution model. Let us motivate this with an example before giving more technical explana- tions. Consider again the NSPK attack state: (r : Fresh)[ pk(b, a; N)− , pk(a, N; n(b, r))+ , pk(b, n(b, r))− | nil ] (n(b, r) inI) After a couple of backwards narrowing steps, the Maude-NPA finds the following state: [ nil | n(b, r)− , pk(b, n(b, r))+ ] (r : Fresh)[ pk(b, a; N)− , pk(a, N; n(b, r))+ | pk(b, n(b, r))− ] ((pk(b, n(b, r)) !inI), (n(b, r) inI)) which corresponds to the intruder generating (i.e., learning) the message pk(b, n(b, r)) from the message n(b, r), which he/she already knows; and the following state (r : Fresh)[ pk(b, a; N)− , pk(a, N; n(b, r))+ | pk(b, n(b, r))− ] (r : Fresh)[pk(b, A ; n(A , r ))+ | pk(A , n(A , r ); n(b, r))− , pk(b, n(b, r))+ ] ((pk(b, n(b, r)) !inI), (pk(A , n(A , r ); n(b, r)) inI), (n(b, r) inI)) which corresponds to the responder (identified by variable r) talking to an ini- tiator (identified by variable r ). However, this second state is implied by the first state. Intuitively, the elements present in the first state that are relevant for the backwards reachability are both included in the second state, namely the (n(b,r) inI) item and the message pk(b, a; N)− that will be converted at some point into (pk(b,a;N) inI). Indeed, the unreachability of the following “kernel” state implies the unreachability of both states, although this kernel state is never computed by the Maude-NPA: (r : Fresh)[ pk(b, a; N)− , pk(a, N; n(b, r))+ | pk(b, n(b, r))− ] (n(b, r) inI) Note that the converse is not true, i.e., the second state does not imply the first one, since it contains one more intruder item relevant for backwards reachability purposes, namely (pk(A’,n(A’,r’);n(b,r)) inI).
- 54. Maude-NPA: Cryptographic Protocol Analysis 43 In the following, we write IK∈ (resp. IK ∈ ) to denote the subset of intruder facts of the form (t inI) (resp. (t !inI)) appearing in the set of intruder facts IK. We abuse the set-theoretic notation and write IK1 ⊆EP IK2 for IK1 and IK2 sets of intruder facts to denote that all the intruder facts of IK1 appear in IK2 (modulo EP ). Definition 1. Given a topmost rewrite theory R = (Σ, EP , RP ) representing protocol P, and given two non-initial states St1 = SS1 {IK1} and St2 = SS2 {IK2}, we write St1 St2 (or St2 St1) if IK∈ 1 ⊆EP IK∈ 2 , and for each non-initial strand [ m± 1 , . . . , m± j−1 | m± j , . . . , m± k ] ∈ SS1, there exists [ m± 1 , . . . , m± j−1 | m± j , . . . , m± k , m± k+1, . . . , m± k ] ∈ SS2. Note that the comparison of the non-initial strand in SS1 with the strands in SS2 is performed modulo EP . Definition 2 (P-subsumption relation). Given a topmost rewrite theory R = (Σ, EP , RP ) representing protocol P and two non-initial states St1, St2. We write St1 P St2 and say that St1 is P-subsumed by St2 if there is a substitution θ s.t. St1 θ(St2). This technique is used as follows: we keep all the states of the backwards narrowing- based tree and compare each new leaf of the tree with all the previous states in the tree. If a leaf is P-subsumed by a previously generated node in the tree, we discard such leaf. 7.6 The Super Lazy Intruder Sometimes terms appear in the intruder knowledge that are trivially learnable by the intruder. These include terms initially available to the intruder (such as names) and variables. In the case of variables, the intruder can substitute any arbitrary term of the same sort as the variable,15 and so there is no need to try to determine all the ways in which the intruder can do this. For this reason it is safe, at least temporarily, to drop these terms from the state. We will refer to those terms as lazy intruder terms. The problem of course, is that later on in the search the variable may become instantiated, in which case the term now becomes relevant to the search. In order to avoid this problem, we take an approach similar to that of the lazy intruder of Basin et al. [6] and extend it to a more general case, that we call the super-lazy terms. We note that this use of what we here call the super-lazy intruder was also present in the original NPA. Super-lazy terms are defined inductively as the union of the set of lazy terms, i.e., variables, with the set of terms that are produced out of other super-lazy terms using operations available to the intruder. That is, e(K, X) is a super-lazy term if the intruder can perform the e operation, and K and X are variables. More precisely, the set of super-lazy intruder terms is defined as follows. 15 This, of course, is subject to the assumption that the intruder can produce at least one term of that sort. But since the intruder is assumed to have access to the network and to all the operations available to an honest principal, this is a safe assumption to make.
- 55. Random documents with unrelated content Scribd suggests to you:
- 59. The Project Gutenberg eBook of Cours familier de Littérature - Volume 22
- 60. This ebook is for the use of anyone anywhere in the United States and most other parts of the world at no cost and with almost no restrictions whatsoever. You may copy it, give it away or re-use it under the terms of the Project Gutenberg License included with this ebook or online at www.gutenberg.org. If you are not located in the United States, you will have to check the laws of the country where you are located before using this eBook. Title: Cours familier de Littérature - Volume 22 Author: Alphonse de Lamartine Release date: October 16, 2012 [eBook #41080] Most recently updated: October 23, 2024 Language: French Credits: Produced by Mireille Harmelin, Christine P. Travers and the Online Distributed Proofreading Team at http://www.pgdp.net (This file was produced from images generously made available by the Bibliothèque nationale de France (BnF/Gallica) at http://gallica.bnf.fr) *** START OF THE PROJECT GUTENBERG EBOOK COURS FAMILIER DE LITTÉRATURE - VOLUME 22 ***
- 61. COURS FAMILIER DE LITTÉRATURE UN ENTRETIEN PAR MOIS
- 62. PAR M. A. DE LAMARTINE TOME VINGT-DEUXIÈME PARIS ON S'ABONNE CHEZ L'AUTEUR, RUE DE LA VILLE-L'ÉVÊQUE, 43. 1866 L'auteur se réserve le droit de traduction et de reproduction à l'étranger. COURS FAMILIER DE LITTÉRATURE REVUE MENSUELLE.
- 63. XXII Typ. Rouge frères, Dunon et Fresné, rue du Four-St-Germain, 43.
- 64. CXXVIIe ENTRETIEN FIOR D'ALIZA (Suite. Voir la livraison précédente.) CXLIII Je ne sais pas combien de temps, monsieur, je restai ainsi évanouie de douleur sur les marches de la petite chapelle, au milieu du pont, devant la niche grillée de la Madone. Quand je revins à moi, je me trouvai toujours couchée dans la poussière du chemin, sur le bord du pont; mais une jolie contadine, en habit de fête, penchait son gracieux visage sur le mien, me donnait de l'air au front avec son éventail de papier vert tout pailleté d'or, et me faisait respirer, à défaut d'eau de senteur, son gros bouquet de fleurs de limons qu'elle tenait à la main comme une fiancée de la campagne; elle était tellement belle de visage, de robe, de dentelles et de rubans, monsieur, qu'en rouvrant les yeux je crus
- 65. que c'était un miracle, que la Madone vivante était descendue de sa niche ou de son paradis pour m'assister, et je fis un signe de croix, comme devant le Saint-Sacrement, quand le prêtre l'élève à la messe et le fait adorer aux chrétiens de la montagne au milieu d'un nuage d'encens, à la lueur du soleil du matin, qui reluit sur le calice. CXLIV Mais je vis bien vite que je m'étais trompée, quand un beau jeune paysan de Saltochio, son fiancé ou son frère, détacha de son épaule une petite gourde de coco suspendue à sa veste par une petite chaîne d'argent, déboucha la gourde, et, l'appliquant à mes lèvres, en fit couler doucement quelques gouttes dans ma bouche, pour me relever le cœur et me rendre la parole. J'ouvris alors tout à fait les yeux, et qu'est-ce que je vis, monsieur? Je vis sur le milieu du pont, devant moi, un magnifique chariot de riches paysans, de la plaine du Cerchio, autour de Lucques, tout chargé de beau monde, en habits de noces, et recouvert contre le soleil d'un magnifique dais de toile bleue parsemée de petits bouquets de fleurs d'œillets, de pavots et de marguerites des blés, avec de belles tiges d'épis
- 66. barbus jaunes comme l'or, et des grappes de raisins mûrs, avec leurs pampres, et bleus comme à la veille des vendanges. Les roues massives, les ridelles ou balustrades du chariot étaient tout encerclées de festons de branches en fleurs; sur le plancher du chariot, grand comme la chambre où nous sommes, il y avait des chaises, des bancs, des matelas, des oreillers, des coussins, sur lesquels étaient assis ou couchés, comme des rois, d'abord les pères et les mères des fiancés, les frères et les sœurs des deux familles, puis les petits enfants sur les genoux des jeunes mères, puis les vieilles femmes aux cheveux d'argent qui branlaient la tête en souriant aux petits garçons et aux petites filles; tout ce monde se penchait avec un air de curiosité et de bonté vers moi pour voir si l'éventail de la belle fiancée et les gouttes de rosolio de son sposo me rendraient l'haleine dans la bouche et la couleur aux joues. Deux grands bœufs blancs, aussi luisants que le marbre des statues qui brillent sur le quai de Pise, étaient attelés au timon du char: un petit bouvier de quinze ans, avec son aiguillon de roseau à la main, se tenait debout, arrêté devant les gros bœufs; il leur chassait les mouches du flanc avec une branche feuillue de saule; leurs cornes luisantes, leur joug poli, de bois d'érable, étaient enlacés de sarments de vigne encore verte dont les pampres et les feuilles
- 67. balayaient la poussière de la route jusque sur leurs sabots vernis de cire jaune par le jeune bouvier; ils regardaient à droite et à gauche, d'un œil doux et oblique, comme pour demander pourquoi on les avait arrêtés, et ils poussaient de temps en temps des mugissements profonds, mais joyeux, comme des zampognes vivantes qui auraient joué d'elles-mêmes un air de fête. CXLV Voilà ce que je vis devant moi, monsieur, en rouvrant les yeux à la lumière. Les deux fiancés m'avaient adossée sur mon séant contre le parapet du pont, à l'ombre, et ils me regardaient doucement avec de belle eau dans les yeux; on voyait qu'ils attendaient, pour questionner, que je leur parlasse moi-même la première; mais je n'osais pas seulement lever un regard sur tout ce beau monde pour lui dire le remercîment que je me sentais dans le cœur. —C'est la faim, disait le fiancé, et il m'offrait un morceau de gâteau bénit que le prêtre du village voisin venait de leur distribuer à la messe des noces;
- 68. mais je n'avais pas faim, et je détournais la tête en repoussant sa politesse. —C'est la soif, disait le petit bouvier, en m'apportant une gorgée d'eau du Cerchio dans une feuille de muguet. —C'est le soleil, disait la belle sposa, en continuant à remuer plus vite, pour faire plus de vent, son large éventail de noces sur mes cheveux baignés de sueur. Hélas! je n'osais pas leur dire: Ce n'est ni la faim de la bouche, ni la soif des lèvres, ni la chaleur du front, c'est le chagrin. Que leur aurait fait mon chagrin jeté tout au travers de leur joie, comme une ortie dans une guirlande de roses? —N'est-ce pas que c'est la chaleur et la poussière du jour qui t'ont surpris sur le chemin, pauvre bel enfant, me dit enfin la fiancée, et qu'à présent que l'ombre du mur et le vent de l'éventail t'ont rafraîchi, tu ne te sens plus de mal? On le voit bien aux fraîches couleurs qui te refleurissent sur la joue. —Oui, sposa, répondis-je d'une voix timide; c'était la chaleur, et le long chemin, et la poussière, et la fatigue de jouer tant d'airs à midi devant les niches des Madones, sur la route de Lucques.
- 69. —Je vous le disais bien, reprit-elle, en se retournant avec un air de contentement vers son fiancé et vers ses vieux et jeunes parents qui regardaient tout émus du haut du char. —L'enfant est fatigué, dit tout le monde; il faut lui faire place à l'ombre de la toile sur le plancher du chariot. Il est bien mince et les bœufs sont bien forts et bien nourris; il n'y a pas de risque que son poids les fatigue; puisqu'il va à Lucques et que nous y allons aussi, que nous en coûtera-t-il de le déposer sous la voûte du rempart? —Monte, mon enfant, dit la fiancée, c'est une bénédiction du bon Dieu que de trouver une occasion de charité à la porte de la ville, un jour de noce et de joie, comme est ce beau jour pour nous. —Monte, mon garçon, dit le fiancé en me soulevant dans ses bras forts et en me tendant à son père, qui m'attira du haut du timon et qui me fit passer par-dessus les ridelles. —Monte, jeune pifferaro, dirent-ils tous en me faisant place, il ne nous manquait qu'un ménétrier, dont nous n'avons point au village, pour jouer de la zampogne sur le devant du char de noces en rentrant en ville et en nous promenant dans les rues
- 70. aux yeux ravis de la foule, tu nous en serviras quand tu seras rafraîchi; et puis, à la nuit tombée, tu feras danser la noce chez la mère de la mariée, si tu sais aussi des airs de tarentelle, comme tu sais si bien des airs d'église. Car ils m'avaient entendue, en s'approchant aux pas lents des bœufs, pendant que je jouais les dernières notes de ma litanie de douleur et d'amour, toute seule devant la niche du pont. CXLVI À ces mots, tous me firent place, en tête du char, près du timon, et jetèrent sur mes genoux, les uns du gâteau de maïs parsemé d'anis et des grappes de raisin, les autres des poires et des oranges. Je fis semblant de manger par reconnaissance et par égard, mais les morceaux s'arrêtaient entre mes dents, et le vin des grappes, en me rafraîchissant les lèvres, ne me réjouissait pas le cœur; cependant, je faisais comme celui qui a faim et contentement pour ne pas contrister la noce. CXLVII
- 71. Pendant que le char avançait au pas lent des grands bœufs des Maremmes et que les deux fiancés, assis l'un près de l'autre, sous le dais de toile, causaient à voix basse, les mains dans les mains, le petit bouvier assis tout près de moi, sur la cheville ouvrière du timon, derrière ses bœufs, regardait avec un naïf ébahissement ma zampogne et me demandait qui est-ce qui m'avait appris si jeune à faire jouer des airs si mélodieux à ce morceau de bois attaché à cette peau de bête. Je me gardai bien de lui dire que c'était un jeune cousin nommé Hyeronimo, là tout près dans la montagne de Lucques; je ne voulais pas mentir, mais je lui laissai entendre que j'étais un de ces pifferari du pays des Abruzzes, où les enfants viennent au monde tout instruits et tout musiciens, comme les petits des rossignols sortent du nid tout façonnés à chanter dans les nuits et tout pleins de notes qu'on ne leur a jamais enseignées par alphabet ou par solfége. Il s'émerveillait de ce que sept trous dans un roseau, ouverts ou fermés au caprice des doigts, faisaient tant de plaisir à l'oreille, disaient tant de choses au cœur, et il oubliait presque d'en toucher ses bœufs, qui marchaient d'eux-mêmes. Puis il mettait une gloriole d'enfant à me raconter à son
- 72. tour ceci et cela sur cette belle noce qu'il conduisait à la ville, et sur les personnages qui remplissaient derrière nous le chariot couvert de toile et de feuilles. CXLVIII —Celle-ci, me disait-il, celle qui vous a vu la première évanoui sur le bord du chemin, c'est la fille du riche métayer Placidio de Buon Visi, qui a une étable pleine de dix bœufs comme ceux-ci, de grands champs bordés de peupliers, unis entre eux par des guirlandes de pampres qu'on vendange avec des échelles, et parsemés çà et là de nombreux mûriers à tête ronde, dont les filles cueillent les feuilles dans des canestres (sorte de paniers pour contenir l'été la nourriture des vers à soie). Nous sommes sept enfants dans la métairie: moi je suis le frère du nouveau marié, le plus jeune des garçons; celui-ci est notre père, celle-là est notre mère, ces petites filles sont mes sœurs, ces deux femmes endormies sur le derrière du char sont les deux grand'mères, qui ont vu bien des noces, et bien des baptêmes, et bien des enterrements dans la famille depuis leurs propres noces à elles-mêmes. Ces autres hommes, jeunes et vieux, et ces femmes qui tiennent des fiasques à la main ou qui jouent au jeu de la morra sur le matelas, sont les parents et les parentes du
- 73. village de Buon Visi: les oncles, les tantes, les cousins, les cousines de nous autres; ils viennent avec nous pour nous faire cortége ou pour se réjouir, tout le jour et toute la nuit, avec nous passer le jour de la noce à Lucques chez le bargello (le geôlier, officier de police dans les anciennes villes d'Italie); car, voyez-vous, cette belle fiancée, la sposa de mon frère, ce n'est ni plus ni moins que la fille unique du bargello de Lucques. Nos familles sont alliées depuis longues années, à ce que dit notre aïeule, et c'est elle qui a ménagé ce mariage depuis longtemps, parce qu'elle était la marraine de la fiancée, parce que la fille sera riche pour notre condition, et que les deux mariés s'aiment, dit-elle, depuis le jour où la fille du bargello, petite alors, était venue pour la première fois chez sa marraine assister, avec nous autres, à la vendange des vignes et fouler, en chantant, les grappes dans les granges avec ses beaux pieds, tout rougis de l'écume du vin. —Ah! nous allons bien en vider des fiasques, ce soir, allez, à la table du bargello! ajouta-t-il; c'est drôle pourtant qu'on se marie, qu'on festine, qu'on chante et qu'on danse dans la maison d'un bargello, si près d'une prison où l'on gémit et où l'on pleure, car la maison du bargello, ça n'est ni plus ni moins qu'une dépendance de la prison du duché, à Lucques, et de l'une à l'autre on va par un souterrain
- 74. voûté et par un large préau, entouré de cachots grillés, où l'on n'entend que le bruit des anneaux de fer qui enchaînent les prisonniers à leur grille, comme mes bœufs à leur mangeoire quand je les ferme à l'étable. CXLIX Ces récits du jeune bouvier, qui m'avaient laissée d'abord distraite et froide, me firent tout à coup tressaillir, rougir et pâlir quand il était venu à parler de geôle, de geôlier, de cachots et de prisonniers; car l'idée me vint tout à coup que la maison où allait se réjouir cette noce de village était peut-être précisément celle où l'on aurait jeté sur la paille le pauvre Hyeronimo, et que la Providence me fournirait peut-être par cet évanouissement de douleur sur la route et par cette fortuite rencontre, une occasion de savoir de ses nouvelles, et, qui sait, peut-être de parvenir jusqu'à lui. —Dieu! me dis-je tout bas en moi-même, la Madone du pont de Cerchio m'aurait-elle exaucée pour si peu? Et je pressai, sans qu'on s'en aperçût, ma zampogne sur mon cœur, car c'est elle qui avait si bien joué l'air dont la vierge était tout à l'heure attendrie.
- 75. CL Je ne fis semblant de rien et je continuai à interroger, sans affectation, l'enfant jaseur, pour tirer par hasard quelque indice ou quelque espérance de ce qui s'échappait de ses lèvres. Pendant ce temps les grands bœufs marchaient toujours, et les murs gris des remparts de Lucques, couronnés d'une noire rangée de gros tilleuls, commençaient à apparaître à travers la poudre de la route, au fond de l'horizon. —Ton frère, le fiancé, dis-je au petit, est donc laboureur, et il aidait son père dans les travaux de la campagne? —Oh! non, dit-il, nous étions assez de monde à la maison sans lui pour soigner les animaux et pour servir de valets de ferme au père; mon frère aîné était entré depuis deux ans, comme porte-clefs de la prison, dans la maison du bargello; notre aïeule l'avait ainsi voulu, pour que sa filleule, la fille du bargello, et son petit-fils, mon frère, eussent l'occasion de se voir tous les jours et de s'aimer; car elle avait toujours eu ce mariage dans l'esprit, voyez- vous, et les grand'mères, qui n'ont plus rien à faire dans la maison, ça voit de loin et ça voit mieux que
- 76. les autres. L'œil des maisons, c'est la vieillesse, à ce qu'on dit; les jeunes n'en sont que les pieds et les mains. CLI —Mais, après la noce, ton frère et ta belle-sœur vont-ils toujours rester dans cette prison chez le père et la mère de la sposa? —Oh! non, répondit l'enfant; ils vont revenir à la maison, et notre père, qui commence à se fatiguer de la charrue, va remettre à mon frère, à présent marié, le bétail et la culture; il se réserve seulement les vers à soie, parce que ces petites bêtes donnent plus de revenu et moins de peine. Elles filent d'elles- mêmes, pourvu que les jeunes filles et les vieilles femmes leur apportent, quatre fois par jour, les feuilles de mûrier dans leur tablier, et qu'on leur change souvent la nappe verte sur la table, comme à des ouvriers délicats qui préfèrent la propreté à la nourriture. —Et qui est-ce qui remplacera ton frère, le porte- clefs de la prison, auprès des prisonniers, chez le bargello?
- 77. —Ah! dame, je n'en sais rien, dit l'enfant. Je voudrais bien que ce fût moi, car on dit que c'est une bien belle place, qu'on y gagne bien des petits bénéfices honnêtement, et qu'on est à même d'y rendre bien des services aux femmes, aux mères, aux filles de ces pauvres prisonniers. CLII Un éclair me traversa la pensée, et mon cœur battit sous ma veste comme un oiseau qui veut s'envoler. Miséricorde! me dis-je en moi-même, si la femme du bargello et son mari, qui sont là, derrière moi, dans le char, et qui n'ont peut-être pas encore trouvé de garçon pour remplacer leur gendre, venaient à jeter les yeux sur moi et à m'accepter pour porte-clefs à la place de leur gendre? J'aimerais mieux cette place que celle du duc de Lucques dans son palais de marbre et d'or. Mais c'était une pensée folle, et je la chassai comme une tentation du démon; cependant, malgré moi, je cherchai à plaire à la fiancée, à sa mère et à son père, qui avaient été charitables pour moi, en leur témoignant plus de respect qu'aux autres et en tirant de ma zampogne et de mes doigts, quand on
- 78. me prierait de jouer, des airs qu'ils aimeraient le mieux à entendre. CLIII On ne tarda pas de m'en prier, monsieur, nous touchions enfin aux portes de la ville. C'est l'habitude du pays de Lucques, quand la noce des paysans est riche et la famille respectée, qu'un musicien, soit fifre, soit violon, soit hautbois, soit musette, soit même tambour de basque, se tienne debout sur le devant du char à bœufs et qu'il joue des aubades, ou des marches, ou des tarentelles joyeuses en l'honneur des mariés et des assistants. —Notre bon ange nous a bien servis ce matin, dit la bonne femme du bargello, de nous avoir fait rencontrer par hasard sur le pont un joli petit musicien des Abruzzes, tel que nous n'aurions pas pu, pour cinquante carlins, en trouver un aussi habile et aussi complaisant dans toute la grande ville de Lucques, excepté dans la musique de monseigneur le duc. —Allons, enfant, dit tout le monde en approuvant la bonne mère d'un signe de tête, fais honneur à la mariée et à sa famille; enfle la zampogne, et qu'on
- 79. se souvienne à Lucques de l'entrée de noce de la fille du bargello et de Placidio! CLIV J'obéis et j'enflai la zampogne, en cherchant sous mes doigts, tout tremblants, les airs de marche au retour des pèlerinages d'été dans les Maremmes, les chants de départ pour les moissonneurs qui vont en Corse par les barques de Livourne, les hymnes pour les processions et les Te Deum à San Stefano, les barcarolles de Venise ou les tarentelles de l'île d'Ischia au clair de la lune, que j'avais si souvent jouées sous les châtaigniers, les dimanches soir, avec Hyeronimo, et qui me paraissaient de nature à réjouir la noce et à faire arrêter les passants; mais je n'en avais guère besoin. La famille du bargello était très-aimée dans le peuple des boutiques et des places de Lucques, parce que, malgré ses fonctions, le bargello, chargé des prisons, était doux et équitable, et qu'il avait dans ses fonctions même de police mille occasions d'être agréable à celui-ci ou à celui-là. Qui est-ce qui n'a pas affaire, une fois ou l'autre dans sa vie, avec la justice ou la police d'un pays? Il faut avoir des amis partout, dit le peuple, même en prison; n'est-ce
- 80. pas vrai, monsieur? Je l'ai bien vu moi-même plus tard, dans les galères de Livourne. Celui qui tient le bout de la chaîne peut la rendre à son gré lourde ou légère. Le bargello et sa femme avaient un vilain métier, mais c'étaient de bonnes gens. CLV La foule de leurs amis se pressait à la porte de la ville; on sortait de toutes les maisons et de toutes les boutiques pour leur faire fête; les fenêtres étaient garnies de jeunes filles et de jeunes garçons qui jetaient des œillets rouges sur les pas des bœufs, sur le ménétrier et sur le char; nous en étions tout couverts; on battait des mains et on criait: Bravo! pifferaro. À chaque air nouveau qui sortait, avec des variations improvisées, sous mes doigts, cela m'excitait, monsieur, et je crois bien qu'après l'air au pied de la Madone, je n'ai jamais joué si juste et si fort de ma vie. Ah! c'est que, voyez-vous, il y a un dieu pour les musiciens, monsieur! Ce dieu, c'est la foule; quand elle est contente, ils sont inspirés; j'étais au-dessus de moi-même, ivre, folle, quoi! Chacun me tendait une fiasque de vin ou un verre de rosolio; on m'attachait une giroflée à ma zampogne
- 81. ou un ruban à ma veste pour me témoigner le contentement. Quand nous arrivâmes à la sombre porte à clous de fer du bargello, tout à côté de l'énorme porte de la prison, et que les bœufs s'arrêtèrent, je ressemblais à une Madone de Lorette: on ne voyait plus mes habits à travers les rubans, les couronnes et les bouquets. CLXVI On me fit entrer avec toutes sortes de bienséances, comme si j'avais été de la famille et de la noce. La femme du bargello, son mari, la fiancée et le sposo me dirent poliment de rester, de boire et de manger à leur table, à côté du petit bouvier leur frère, et de jouer, après le dîner de noces, tous les airs de danse qui me reviendraient en mémoire, pour faire passer gaiement la nuit aux convives, monsieur. Ce n'était pas facile, car, pendant que ma zampogne jouait la fête, mon cœur battait la mort et l'enterrement. Hélas! n'est-ce pas le métier des artistes? Leur art chante et leur cœur saigne. Voyez- moi, monsieur; n'en étais-je pas un exemple?
- 82. CLVII Une partie de la nuit se passa pourtant ainsi, moitié à table, moitié en danse; les mariés semblaient s'impatienter cependant de la table et de la musique pour regagner le village où ils allaient maintenant résider avec les nouveaux parents; la femme du bargello cherchait vainement à prolonger la veillée, pour retenir un peu plus de temps sa fille; elle souriait de la bouche et pleurait des yeux sur sa maison bientôt vide. Le petit bouvier rattela ses bœufs au timon fleuri; on s'embrassa sur les marches de la prison, et le cortége s'en alla sans moi, plus triste qu'il n'était venu, par les sombres rues de Lucques. CLVIII —Et toi, mon garçon, me dirent le bargello et sa femme, où vas-tu coucher dans cette grande ville, par la pluie et le temps qu'il fait? (Car il était survenu un gros orage d'automne pendant la soirée des noces.) —Je ne sais pas, répondis-je, sans souci apparent, mais en réalité bien inquiète de ce que ces braves
- 83. gens allaient me dire. Je ne sais pas, et je n'en suis guère en peine; il y a bien des arcades vides devant les maisons et des porches couverts devant les églises de Lucques, une dalle pour s'étendre; un manteau de bête pour se couvrir et une zampogne pour oreiller, n'est-ce pas le lit et les meubles des pauvres enfants de la montagne comme je suis? Merci de m'avoir logé et nourri tout un jour si honnêtement, comme vous avez fait; le bon Dieu prendra bien soin de la nuit. Je disais cela des lèvres, mais mon idée était bien autre chose; je priais mon bon ange tout bas d'inspirer une meilleure pensée au bargello et à sa femme. CLIX Ils se parlaient à demi-voix tous deux, pendant que je démontais ma zampogne et que je pliais mon manteau de poil de chèvre lentement, comme pour m'en aller. Ils avaient l'air indécis de deux personnes qui se demandent: Ferons-nous ou ne ferons-nous pas? La femme semblait dire oui, et le mari dire: Fais ce que tu voudras, peut-être bien que ton idée sera la bonne.
- 84. —Eh bien! non, me dit tout à coup la femme attendrie, pendant que le mari appuyait ce qu'elle disait d'un signe de tête, eh bien! non, il ne sera pas dit que nous aurons laissé coucher dehors, un jour de fête pour la maison, un pauvre musicien qui a réjoui toute la journée ces murailles! À quoi bon aller chercher un gîte sous le porche des églises avec les vagabonds et les mendiants couverts de vermine, peut-être, pendant que nous avons là-haut, en montrant du geste à son mari l'escalier tortueux d'une petite tour, le lit vide du porte-clefs qui s'en va à Saltochio avec notre fille? —C'est vrai, dit le bargello. Monte, mon garçon, par ces marches tant que l'escalier te portera, tu trouveras à droite, tout à fait en haut, une petite chambre, avec une lucarne grillée, par où la lune entre jusque sur le lit de celui qui est maintenant notre gendre, et tu dormiras à l'abri et en paix jusqu'à demain; avant de t'en aller reprendre ton métier de musicien par les routes et par les rues, tu viendras déjeuner, et nous te parlerons, car nous aurons peut-être quelque chose à te dire. —Oui, n'y manque pas, mon garçon, ajouta la bonne femme, nous aurons quelque chose à te dire, mon mari et moi, car ta face d'innocence me plaît, et ce serait dommage qu'une boule de neige comme ça
- 85. s'en allât rouler dans la boue des ruisseaux et se fondre dans un égout, faute d'une main propre pour la ramasser encore pure. —Bien dit, ma femme, ajouta le bargello; il y en a beaucoup eu dans cette geôle qui n'y seraient jamais entrés s'ils avaient trouvé une âme compatissante sur leur chemin, un soir de fête dans Lucques. CLX La tour était haute, étroite, humide et percée seulement, çà et là, de fentes dans l'épaisse muraille, pour regarder par-dessus la ville. C'était une de ces guérites aériennes que les anciens seigneurs de Lucques ou chefs de faction, tels que le fameux Castruccio Castracani, faisaient élever autrefois, à ce que m'a dit la femme du bargello, pour dominer les quartiers des factions contraires et pour voir, au delà des remparts de Lucques, si les Pisans ou les Florentins s'approchaient de la ville. Les marches étaient roides, et les murs solides auraient aplati les boulets. Tout à fait en haut, à l'endroit où les hirondelles et les corneilles bâtissent leurs nids inaccessibles sous les corniches ou sur les tourelles, il y avait une petite
- 86. Welcome to our website – the perfect destination for book lovers and knowledge seekers. We believe that every book holds a new world, offering opportunities for learning, discovery, and personal growth. That’s why we are dedicated to bringing you a diverse collection of books, ranging from classic literature and specialized publications to self-development guides and children's books. More than just a book-buying platform, we strive to be a bridge connecting you with timeless cultural and intellectual values. With an elegant, user-friendly interface and a smart search system, you can quickly find the books that best suit your interests. Additionally, our special promotions and home delivery services help you save time and fully enjoy the joy of reading. Join us on a journey of knowledge exploration, passion nurturing, and personal growth every day! ebookbell.com