Page 1

Analysing Stream Authentication Protocols in

Autonomous Agent-Based Systems

Mehmet A. Orgun, Ji Ma

Department of Computing

Macquarie University

Sydney, NSW 2109, Australia

Email: {mehmet,jma}@comp.mq.edu.au

Chuchang Liu

Information Networks Division

Defence Science and Technology Organisation

PO Box 1500, Edinburgh, SA 5111, Australia

Email: Chuchang.Liu@dsto.defence.gov.au

Guido Governatori

School of ITEE

The University of Queensland

Brisbane, QLD 4072, Australia

Email: guido@itee.uq.edu.au

Abstract—In stream authentication protocols used for large-

scale data dissemination in autonomuous systems, authentication

is based on the timing of the publication of keys, and depends

on trust of the receiver in the sender and belief on whether

an intruder can have prior knowledge of a key before it is

published by a protocol. Many existing logics and approaches

have successfully been applied to specify other types of authen-

tication protocols, but most of them are not appropriate for

analysing stream authentication protocols. We therefore consider

a fibred modal logic that combines a belief logic with a linear-time

temporal logic which can be used to analyse time-varying aspects

of certain problems. With this logical system one is able to build

theories of trust for analysing stream authentication protocols,

which can deal with not only agent beliefs but also the timing

properties of an autonomous agent-based system.

I. INTRODUCTION

Multi-agent systems, typically autonomous real word sys-

tems, need to employ application specific protocols for trans-

ferring data, such as video, audio and sensory data, among

agents. Such protocols are often different from the standard

class of authentication protocols previously analysed by many

researchers using belief logics and/or model checking tech-

niques [3], [4], [5], [7].

As an example, we consider the TESLA (Timed Efficient

Stream Loss-tolerant Authentication) protocol, a multicast

(broadcast) stream authentication protocol for large-scale data

dissemination in autonomous systems, developed by Perrig et

al. [17]. In TESLA, authentication is based on the timing of the

publication of keys and the indirect relation of each new key to

an original key commitment. In fact, any stream authentication

protocol involves not only a key management scheme but also

its critical use of timing. In an autonomous system whose

authentication is based on TESLA, the process for verifying

data packets received to be authentic also depends on trust of

the receiver in the sender, and belief on whether an intruder

can have prior knowledge of a key before it is published by

the protocol.

Many different logics have successfully been applied for

specifying and verifying aspects of some other types of

authentication protocols [3], [5], [15]. However, most of these

The work presented in this article has been supported in part by an

Australian Research Council (ARC) Discovery Project DP0452628 and a

Macquarie University Research Development Grant (MURDG).

logics are not appropriate for stream authentication protocols

because they lack the ability for modelling and reasoning about

the evolution of the system in which they are applied (that is,

the notion of dynamic change). It has also been understoodthat

any logical system used for modeling active agents should be

a combined system of logics of knowledge, belief, time and

norms [6] since these are the essential concepts to be reasoned

about. In order to analyse stream authentication protocols it is

necessary to have a logic that can satisfactorily deal with all

aspects of those concepts. Towards achieving such a goal, we

consider a fibred logic, which combines a belief logic with a

linear-time temporal logic. The fibred logic developed in this

paper has more expressive power than a temporalised belief

logic such as TML+[11] does. It allows us to express the

behavior and beliefs of an agent as temporal propositions,

which are often needed for analysing stream authentication

protocols.

In analysing a communication protocol, we accept the

fact that honest agents would follow the prescribed steps of

the protocol correctly, but also that an intruder may have

the ability to interfere with it. With the logical framework

proposed in this paper, we encapsulate such assumptions in

notions of trust and represent them by axioms (rules). These

axioms, together with the logic, form a theory, which we call a

theory of trust [9], [13]. Such theories can deal with not only

agent beliefs but also the timing properties of autonomous

agent-based systems, and they provide a basis for analysing

stream authentication protocols.

With the aim of providing solutions based on logic for

analysing communication protocols for autonomous agent-

based systems, we are motivated to investigate methods for

formalizing an authentication protocol with theories of trust,

and to develop techniques for reasoning about security prop-

erties that such a protocol may satisfy.

In the following, we first introduce TESLA and discuss the

fibred logic. We then consider how to establish theories of

trust to specify the behaviour of the TESLA protocol in the

fibred logic. A theory of trust is modular, with each module

providing a collection of rules that specifically describe some

specific aspect of an authentication protocol. We consider the

mechanization of a theory for TESLA with a general send-

receive mode, and discuss the correctness of this protocol.

Proceedings of The 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing (DASC’06), pp 325–332.

c ? 2006 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or

for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be

obtained from the IEEE.

The original publication is available at doi: 10.1109/DASC.2006.19

Page 2

Finally, we conclude the paper with a brief discussion.

II. THE TESLA PROTOCOL

Adopting the notation in the TESLA protocol [17], when we

talk about the protocol, S, R and I are always used to denote

the sender, the receiver and the intruder, respectively. We also

use the tuple ?X,Y ? to denote the concatenation of X and

Y . A stream α is divided into chunks Mi(called messages),

so we may have α = ?M1,M2,...,Ml?. Each message Mi

is sent in a packet Pi, along with additional authentication

information. A message authentication code (MAC) is derived

by applying an authentication scheme, together with a secret

key, to a message.

Perrig et al. [17] propose five schemes for the TESLA

Protocol. We consider scheme I, and simply call it the PCTS

(Perrig-Canetti-Tygar-Song) scheme. Within PCTS, the sender

issues a signed commitment to a key that is only known

to itself. To send message Mi, the sender uses that key to

compute a MAC on a packet Pi, and later discloses the

key in packet Pi+1, which enables the receiver to verify

the commitment and the MAC of packet Pi. A successful

verification will imply that packet Pi is authenticated and

trusted.

In the notation proposed by Broadfoot and Lowe [2], we

formulate the sequence of message packets as follows:

P0r.

P0s.

P1.

R → S: ?nR?

S → R: ?{f(K1),nR}SK(S)?

S → R: ??M1,f(K2)?,MAC(K?

...

S → R: ?Di,MAC(K?

...

1,?M1,f(K2)?)?

Pi.

i,Di)? (for all i ≥ 2)

where nRis a nonce (that is, number used once) generated by

the receiver R, and Di= ?Mi,f(Ki+1),Ki−1? for all i ≥ 2,

K?

pseudo-random functions.

Apart from the initial messages P0r, P0sand P1, any packet

Pi has the standard form ?Di,MAC(K?

[2]. To send message Mi, the sender first picks a fresh random

key Ki+1 to construct packet Pi = ?Di,MAC(K?

then sends the packet to the receiver. When the packet Pi

is received, the receiver cannot verify the MAC immediately,

since it cannot reconstruct K?

is contained in packet Pi+1. Therefore, only once Pi+1 is

received, the receiver is able to verify the MAC. Packet

Pi+1= ?Di+1,MAC(K?

the receiver first to verify that Kiis correct (f(Ki) equals the

commitment which was sent in Pi−1); and second to compute

K?

verifying the MAC of Pi.

In analysing the TESLA protocol, we make the following

assumptions:

• The sender is honest and works correctly, following

all requirements, including timing requirements, of the

protocol.

j= f?(Kj) for all j ≥ 1, and f and f?are two different

i,Di)? for all i ≥ 2

i,Di)?,

iwithout knowing Ki, which

i+1,Di+1)? discloses Kiand allows

i= f?(Ki) and check the authenticity of packet Pi by

• The receiver accepts packet P1 as authentic only when

it believes the key commitment and the MAC of the

packet have been successfully verified. A stream α =

?M1,M2,...,Ml? is considered valid iff the receiver

accepts all messages M1,M2,...,Ml as authentic, i.e.,

all packets P1,P2,...,Plare successfully authenticated.

• The intruder is assumed to have the ability to capture,

drop, resend, delay, and alter packets, can access to a fast

network with negligible delay, and can perform efficient

computations, such as computing a reasonable number

of pseudorandom function applications and MACs with

negligible delay. The intruder may be able to launch two

kinds of attacks: weak attacks and strong attacks. A weak

attack allows the intruder to inject new packets, but not

delete the packets sent by the sender. A strong attack

allows the intruder the full control of the channel, and so

he can add, replace, or delete any packets. Nonetheless,

the intruder cannot invert a psedorandom function with

non-negligible probability. Also the intruder can only

create a fake packet P?

the packet that discloses key Ki.

The security property for the protocol we need to guarantee

is that the receiver does not believe any packet Pi to be

authenticated unless the Mi it contains was actually sent by

the sender. To prevent any successful attack by an intruder, the

receiver only needs to be sure that all packets Piarrive safely

such that the intruder has no time to change the message and

commitment in Piand forge the subsequent traffic. Perrig et

al. therefore give a security condition, which we re-state as

follows:

Statement 1 (security condition [17]):

A data packet Piarrived safely, if the receiver can unambigu-

ously decide, based on the synchronized time, that the sender

did not yet send out the corresponding key disclosure packet

Pj, i.e., the timing condition ArrTi < SenTj holds, where

ArrTi stands for the arrival time of packet Pi, and SenTj

stands for the time when packet Pj is sent out.

Statement 2 indicates that the security of a TESLA scheme

does not rely on any assumption on network latency, but only

on the security condition.

Statement 2 (secure schemes): A TESLA scheme is secure

if the security condition holds for all runs of the protocol

scheme, given the assumptions above.

To analyse the TESLA protocol and show a particular

scheme is secure, we first need a formal framework for

formalizing the protocol. As we have mentioned earlier, we

consider fibring of a belief logic with a temporal logic.

iagainst Piwhen it has received

III. THE FIBRED LOGIC

We combine, using the fibring technique, the Typed Modal

Logic (TML), a variant of the modal logic KD of beliefs [11],

with the Simple Linear-time Temporal logic (SLTL) which

is suitable for specifying events that may run on different

clocks (time-lines) of varying rates of progress [10]. We show

that in the resulting fibred belief logic (FL) we can specify

and reason about not only agent beliefs but also the timing

Page 3

properties of a system effectively. With this logical system

one is also able to build theories of trust for the description

of, and reasoning about, authentication protocols for/in multi-

agent systems. The details of the fibring construction for TML

and SLTL is given elsewhere [12]. This section gives a more

informal and intuitive introduction to the fibred logic and its

constituents for completeness.

The fibred logic (FL for short) has two classes of modal

operators: (1) belief operators; (2) temporal operators. The

belief operator, Ba, is intended to denote “agent a believes

that”. The belief operators are those of TML whereas the

temporal operators are those of SLTL. SLTL is a linear-time

logic where the collection of time points is the set of natural

numbers with its usual ordering relation <. It has two temporal

operators, first and next, which refer to the initial moment

and the next moment in time respectively [10]. The meaning

of SLTL formulas are defined with respect to given local

clocks (subsequences of a global clock). The global clock is

the increasing sequence of natural numbers, i.e., (0,1,2,...)

and a local clock (or simply, a clock) is defined as an infinite

subsequence of the global clock.

Using the temporal operators of SLTL, the assertions such as

“Bob has the key initially” and “Alice has the key tomorrow”

can be expressed by formulas “first has(bob,key)” and

“next has(alice,key)” respectively. Table I gives an intuitive

explanation of the interpretation of the temporal operators of

SLTL.

Formula

Truth value

T

T

T

t0

AT

T

F

t1

F

T

F

t2

F

T

T

t3

T

T

F

t4

F

T

T

t5

T

T

F

t6

F

T

...

t7

...

...

...

...

first A

next A

Time

TABLE I

INTERPRETATION OF TEMPORAL OPERATORS (A IS A FORMULA; T

REPRESENTS VALUE true AND F VALUE false)

In the table, suppose that A is the formula has(bob,key)

and ck = (t0,t1,t2,t3,t4,t5,t6,t7...) is a given local clock

where each ti is a moment on the clock. Suppose that the

meaning of formula A over the clock ck is as given in the

first line of Table I (where A is true at times t0 and t1 and

false at times t2and t3and so on). Since the initial time of

ck is t0, the meaning of a formula of the form first A at any

given moment in time is defined by the meaning of A at time

t0(e.g., true in the above example). The meaning of a formula

of the form next A at any given moment in time tiis defined

by the meaning of A at time ti+1; for example, at time t3A

is false, but next A is true because A is true at time t4.

More formally, we have the following definition of the

semantics of atomic formulas of SLTL:

Definition 1 (time models): A time model for the logic

SLTL has the form c

=

(t0,t1,t2,...) is a clock, < is the usual ordering relation

over C, and π(c)is an assignment function that gives a value

?C,<,π(c)?, where C=

π(c)(t,q) ∈ {true,false} for any any time point t in C and

any atomic formula q.

Then the semantics of the temporal operators of SLTL are

given as follows:

• c,ti|= first ϕ iff t0|= ϕ.

• c,ti|= next ϕ iff ti+1|= ϕ.

• satisfaction in the model ?C,<,π(c)? is defined as satis-

faction at some time point on C.

Let us assume that there are n agents a1,...,anand there

are n corresponding modal operators Ba1,...,Banin the

logic, where Bai(1 ≤ i ≤ n) stands for “agent ai believes

that”. A classical Kripke model [8] for TML is defined as a

tuple m = ?S,R1,...,Rn,π?, where S is the set of states

or possible worlds; and each Ri, i = 1,...,n, is a relation

over S, (called the possibility relation according to agent ai),

and is defined as follows: Ri is a non-empty set consisting

of state pairs (s,t) such that (s,t) ∈ Ri iff, at state s,

agent ai considers the state t possible (or accessible); and

π is the assignment function, which gives a value π(s,q) ∈

{true,false} for any s ∈ S and atomic formula q. Formula

ϕ is satisfiable in the model m if there exists s ∈ S such that

m,s |= ϕ.

Figure 1 gives an intuitive explanation of the interpretation

of belief operators of TML. Recall that Ri is the possibility

relation for agent ai. In other words, given state w, agent

ai considers all the states w1,w2,...,wn possible. Then a

formula of the form BaiA is true at a given state w if and

only if A is true at all states accessible from w with respect

to the relation Ri(state w may or may not be accessible from

w itself).

??

?

?

?

?

??

??

?

?

?

?

??

?

?

?

?

?

?

?

?

i

1

2

n

Bai

w

w

w

w

S = set of states

A

R

Fig. 1.

agent ai; w1,...,wn are the states in S that are accessible from w)

Interpretation of belief operators (Riis the possibility relation for

In earlier work, we proposed a temporalised belief logic

called TML+[11], It also has these two classes of modal

operators. However, there are certain restrictions on the use

of temporal and belief operators, because of the hierarchical

combination of belief and temporal logics used. There the

temporal logics SLTL is plussed onto the belief logic TML

in such a way that temporal operators can never be within

the scope of a belief operator in TML+. Hence in TML+,

we cannot express a statement asserting that some agent

believes an event to happen at some time, e.g., we can have

the formula first Bjohn holds(bob,k), but can not have the

Page 4

formula Bjohnfirst holds(bob,k). The latter formula could

be used to express the assertion that john believes that at the

initial time bob holds the key k. Such assertions are often

needed in analysing stream authentication protocols, so we

therefore consider a more powerful combination technique

called fibring [6], which treats temporal operators and belief

operators equally.

In FL, both the assertions first Bjohn holds(bob,k) and

Bjohnfirst holds(bob,k) are legal formulas. The first formula

means that at the initial moment time John believes that

Bob has the key k; the second formula means that John

believes that at the initial moment time Bob has the key k.

FL has stronger expressive power than TML+ , since these

operators can occur in any order in formulas, e.g., we may

have next Balice first next Bjohn holds(bob,k), which

means that “at the next moment Alice believes that at the

next moment after initial time John believes that Bob has the

key k.”

The formulas of FL may contain any number of applications

of the temporal operators and/or the belief operators without

any restrictions. To be able to interpret a formula of TML

whose main operator is a temporal operator, we need to use

the meaning of the temporal operators with a time reference.

To be able to interpret a formula whose main operator is a

belief operator, similarly, we need to use the meaning of the

belief operators with a state reference. This will require us to

move between time references and state references freely. The

fibring method [6] is used to interweave the semantics of the

constituent logics using fibring functions (that move context

between time references and state references) in such a way

that any formula of FL is interpreted in its proper context.

The discussion of the fibred semantics in the case of the

Kripke models for TML with time models for SLTL can

be laid out in three levels: using a single time model, or

considering a set of time models with the same clock, or based

on different clock models. In this paper, we assume the single

time model in which all formulas are defined on the same

(global) clock. We refer the reader to the literature for the

technical details of how the two logics TML and SLTL have

been fibred [12].

In the following, we discuss the axioms and rules of

inference of TML that may be used in reasoning about trust

theories for authentication protocols in agent-based systems.

The axiom set of FL consists of the following axiom

schemata. Let O = {B1,...,Bn,first,next} be the set of

modal (temporal or belief) operators of BL.

A0.

A1.

A2.

A3.

A4.

A5.

A6.

A7.

A8.

all axioms of classical first-order logic.

?(ϕ → ψ) ∧ ?ϕ → ?ψ, for all ? ∈ O.

?(ϕ ∧ ψ) ↔ (?ϕ) ∧ (? ψ), for all ? ∈ O.

∀X(?ϕ(X)) → ?(∀Xϕ(X)), for all ? ∈ O.

Bi(¬ϕ) → ¬(Biϕ) for all i (1 ≤ i ≤ n).

first(¬ϕ) ↔ ¬(first ϕ).

next(¬ϕ) ↔ ¬(next ϕ).

first(first ϕ) ↔ first ϕ.

next(first ϕ) ↔ first ϕ.

The rules of inference in the logic FL include:

R1.

R2.

R3.

R4.

From ϕ and ϕ → ψ infer ψ.

From ∀Xϕ(X) infer ϕ(Y ).

From ϕ(X) infer ∀Xϕ(X).

From ϕ infer ?ϕ for all ? ∈ O.

(Modus Ponens)

(Instantiation)

(Generalisation)

(Necessitation)

The soundness for the logic FL depends on the soundness

theorems for belief logic and SLTL, and is not difficult to

prove. The completeness theory for FL can be proved by the

techniques used in [6]; we omit the details.

IV. FORMALIZING AUTHENTICATION PROTOCOLS

For analysing a scheme of the TESLA protocol, we first

need to establish a theory that describes its behavior or

functions of the protocol within the scheme. To gain such a

theory, we first analyse the behavior of the protocol (within,

for example, the PCTS scheme), identify various aspects of

the behavior of the protocol and set them into an appropriate

module, and finally transfer informal descriptions of all these

aspects into formulae.

With the purpose of making the logic FL appropriate for

specifying the protocol, we restrict the time model of FL to

guarantee that the time interval between any moment and its

next moment in time has the same length, 1 unit of time, and it

matches the special timing property that the TESLA scheme

satisfies: the sender sends packets at regular time intervals.

The assumption makes our discussion simple without harming

its correctness.

We set a theory for specifying (the PCTS scheme of)

TESLA consisting of four modules, Msr (send-receive

mode specification), Mmk (message receiving and knowl-

edge gained), Mms (message sending), and Mar (authenti-

cation rules). Each module consists of several axioms (axiom

schemata). We assume the basic types include

A,B,S,R,I:

X,Y,D:

K,K1,K2:

Agents

Messages

Keys

In the following, we consider three modes, denoted PCTS-

0, PCTS-1, and PCTS-2 respectively, as examples, and present

the theories that specify these particular schemes of TESLA.

Page 5

A. A Theory for the Scheme PCTS-0

Send-receive mode specification depends on what kind of

mode is adopted. We first consider the scheme PCTS-0, for

which the send-receive mode is called the zero-delay mode.

It is based on two assumptions: (1) Zero time (based on

the global clock) is spent between sending a message and

receiving this message, i.e., the sending time of a packet Pi

on the sender’s clock is equal to the receiving time of the

packet on the synchronized receiver’s clock, for any Pi; and

(2) the packet rate is assumed to be 1 (i.e., 1 packet per unit

time).

With scheme PCTS-0, module Msrconsists of the following

axiom schemata:

Z1.

Z2.

Z3.

send(A,B,X) → receive(B,X).

first send(S,R,?{f(K1),nR}SK(S)?).

first next send(S,R,??M1,f(K2)?,MAC(f?(K1),

?M1,f(K2)?)?.

send(S,R,?D,MAC(f?(K),D)?) ↔

next send(S,R,X) ∧ K ∈ X.

Z4.

Considering this module specific to PCTS-0, we write M(0)

{Z1,Z2,Z3,Z4}. Other modules are given below.

sr =

Module Mmk (message receiving and knowledge gained)

G5. receive(A,?X,Y ?) →

(receive(A,X) ∧ receive(A,Y )).

G6. receive(A,X) → know(A,X).

G7. know(A,K) → know(A,f(K)) ∧ know(A,f?(K)).

G8. know(A,{X}SK(B)) → know(A,X).

G9. (know(A,K) ∧ know(A,X)) →

know(A,MAC(K,X)).

G10.know(A,X) → next know(A,X).

where SK(B) is the private key of agent B and its corre-

sponding public key can be known by anybody, so we have

G8.

Module Mms(Message sending)

G11. send(A,B,?X,Y ?) →

(send(A,B,X) ∧ send(A,B,Y )).

G12. send(A,B,X) → has sent(A,B,X).

G13. has sent(A,B,X) → next has sent(A,B,X).

Module Mar (Authentication rules)

G14. is auth(?X,MAC(f?(k),D)?) ↔

verify success(f(K))

∧verify success(MAC(f?(K),D)).

G15. is auth(X) → has been auth(X).

G16. BRhas been auth(X) →

next BRhas been auth(X).

G17. receive(R,?X,MAC(f?(K),D)?)∧

BR¬has sent(S,R,K) →

BRarrive safe(?X,MAC(f?(K),D)?).

G18. arrive safe(X) → has arrive safe(X).

G19. BRhas arrive safe(X) →

next BRhas arrive safe(X).

G20. BRverify success(f(K)) ↔

BRhas arrive safe(?X,MAC(f?(K),D)?)

∧know(R,K)

∧BRhas been auth(?D?,MAC(f?(K),D?)?)

∧f(K) ∈ D?.

G21. BRverify success(MAC(f?(K),D)) ↔

BRhas arrive safe(?X,MAC(f?(K),D)?)∧

know(R,K) ∧ MAC(f?(K),X) = MAC(f?(K),D).

We now have the following:

Mmk= {G5,G6,G7,G8,G9,G10},

Mms= {G11,G12,G13}, and

Mar= {G14,G15,G16,G17,G18,G19,G20,G21}.

Thus, for the scheme PCTS-0, we have the theory

T0= M(0)

sr∪ Mmk∪ Mms∪ Mar.

In this scheme, what the intruder, I, is able to do is that,

after receiving the packet Pi, I waits for the next packet Pi+1

and, once received Pi+1, creates a fake packet P?

contained in Pi+1and then masquerades as the sender to send

P?

and P?

by the following formulas:

iusing Ki

ito the receiver. This is a weak attack, with both packets Pi

ireaching the receiver. We express this intruder process

I1.

send(S,R,Pi) ∧ next send(S,R,Pi+1) →

(receive(I,Pi) ∧ next receive(I,Pi+1) →

next create(I,P?

create(I,P?

i) →

(send(I(S),R,P?

i) → receive(R,P?

Such an attack can be detected by the receiver easily. In fact,

the receiver knows that key Ki, which the intruder uses to

create P?

it (within packet Pi+1) at the time when P?

it is impossible that the receiver accepts P?

i)).

I2.

i))

i, has been sent out and the receiver may have received

iarrives. Therefore,

ias authentic.

B. Scheme PCTS-1

PCTS-0 is an idealized mode with zero time spent between

sending and receiving messages. We now discuss the scheme

PCTS-1, for which a different send-receive mode with a

smaller time granularity is adopted. In this mode, we can

conveniently deal with time intervals when the network delay

from the sender to the receiver must be considered. We assume

that this mode satisfies the following two assumptions: (1) The

arrival time of a packet sent at the current moment in time can

be the ‘next’ moment or the ‘next next’ moment or the ‘next

next next’ moment in time; and (2) The packet rate is 1/4

(i.e., 1 packet per 4 units time). With this mode, M(0)

be replaced by M(1)

follows:

sr should

sr, which consists of axioms S1 – S4 as

S1. send(A,B,X) →

(next receive(B,X) ∨ next(2)receive(B,X)

∨next(3)receive(B,X)).

Page 6

S2. first send(S,R,?{f(K1),nR}SK(S)?).

S3. first next(4)send(S,R,??M1,f(K2)?,

MAC(f?(K1),?M1,f(K2)?)?.

S4. send(S,R,?D,MAC(f?(k),D)?) ↔

next(4)send(S,R,X) ∧ K ∈ X.

where next(i)denotes i applications of next. Here S1

corresponds to Z1, and it specifies the initial action of the

scheme. The other three axioms capture the change of the

receiving interval and the packet rate, are different from those

in the mode PCTS-0. Thus, for the scheme PCTS-1, we

have the theory T1 = M(1)

M(1)

The intruder may do weak attacks in the PCTS-1 scheme

as in PCTS-0. This mode also allows the receiver to detect

such attacks easily. It is not difficult to show that PCTS-

1 satisfies the security condition, but the receiver may not

definitely believe that a packet is authenticated at times (see

next section).

sr ∪ Mmk∪ Mms∪ Mar, where

sr = {S1,S2,S3,S4}.

C. Scheme PCTS-2

Now let us consider a mode regarded as an example of

a failure mode. There are two assumptions for the scheme

PCTS-2: (1) The arrival time of a packet sent at the current

moment in time can be in a time interval between the next

moment and the next fourth moment in time; and (2) the packet

rate is 1/2 (i.e., 1 packet per 2 units time). With this mode,

we have the following axioms that correspond to Z1 – Z4,

respectively:

F1. send(A,B,X) →

(next receive(B,X)

∨next(2)receive(B,X)

∨next(3)receive(B,X) ∨ next(4)receive(B,X).

F2. first send(S,R,?{f(K1),nR}SK(S)?).

F3. first next(2)send(S,R,??M1,f(K2)?,

MAC(f?(K1),?M1,f(K2)?)?.

F4. send(S,R,?D,MAC(f?(K),D)?) ↔

next(2)send(S,R,X) ∧ K ∈ X.

Thus, for the scheme PCTS-2, we have the theory T2 =

M(2)

In the scheme PCTS-2, the intruder is able to make strong

attacks.

Consider the case as follows: assume that packets Pi and

Pi+1are sent out by the sender at time t (the current moment

in time) and at t + 2 (the next next moment), respectively.

The intruder, I, first intercepts Piat t + 2 and then, at t + 3,

again intercepts Pi+1when it arrives. By creating a packet P?

instead of Pi, using key Kiin packet Pi+1, I masquerades as

the sender send packet P?

successful if P?

sr ∪ Mmk∪ Mms∪ Mar, where M(2)

sr = {F1,F2,F3,F4}.

i,

ito the receiver. The attach will be

ireaches the receiver at t + 4.

The intruder process is formulated as follows:

I1?. send(S,R,Pi) ∧ next(2)send(S,R,Pi+1) →

(next(2)receive(I,Pi)

∧next(3)receive(I,Pi+1) →

next(3)create(I,P?

I2?. create(I,P?

i) → (send(I(S),R,P?

next receive(R,P?

i)).

i) →

i))

According to I1?and I2?, P?

(the next fourth moment in time). The arrival time of packet

P?

arrive. Therefore, the receiver may fail to detect the attack.

imay reach the receiver at t + 4

istill belongs to the time interval at which packet Pi may

V. CORRECTNESS ANALYSIS

The correctness for the PCTS scheme (or any other scheme)

of TESLA should guarantee that if the receiver can verify

that a packet is authentic, then the packet was indeed sent by

the sender. For automatically analysing the correctness of a

scheme of the protocol, we need to mechanize the theory that

describes the behaviour of the protocol in an appropriate proof

system. The theories developed for specifying a particular

protocol scheme do not depend on a specific implementation.

Therefore, in our approach the user is allowed to freely choose

the tools for mechanizing these theories. Modular structure of

theories further allows the user to translate a theory to an

executable code (program) in a certain proof system, such as

Isabelle [16], the SMV model checker [14], etc.

In this section, we further discuss a common theory for the

PCTS scheme with the general send-receive mode, and, based

on this theory, analyse the TESLA protocol.

Based on our logical framework, the security condition

in Statement 1 can further be formalized as the following

correctness condition:

Statement 3 (correctness condition):

Correctness for a TESLA scheme means that, if receiver R

has verified that a packet is authentic, then the packet was

indeed sent by sender S. That is,

∀X(BRhas been auth(X)∧has sent(A,R,X) → A = S).

To prove that a scheme of the TESLA protocol is secure, we

need to show that the correctness condition holds within the

scheme. Furthermore, we extend the definition of send-receive

modes by introducing a more generic form.

Definition 2 (time intervals):

For a send-receive mode, there is a time interval with packet

arrival, denoted as [min,max], such that, for all packet Pi,

send(S,R,Pi) → next(t)receive(R,Pi),min ≤ t ≤ max.

We call min the minimum moment and max the maximum

moment in time related to the packet arrival in this mode.

Definition 6 indicates that any packet sent by the sender

must arrive at a moment between the min and max moments,

defining a time interval during which packets should arrive.

Definition 3 (time distance of sending):

Let d = 1/r, where r is the packet rate (i.e., number of packets

Page 7

sent per unit time). We call d the time distance of sending

between two packets.

Noting that all send-receive modes discussed in the previous

section are in fact determined based on the time interval of

packet arrival and the time distance of sending, we have the

formal definition of a mode as follows:

Definition 4 (send-receive modes):

m([u,v],d) is a send-receive mode of the PCTS scheme or,

simply, a mode if u,v,d ∈ N, the set of all natural numbers,

and u ≤ v, where [u,v] is regarded as the time interval of

this mode, and d is the time distance between sending two

successive messages. Furthermore, we say that m([u,v],d) is

a safe mode if v < d.

Thus, the three modes in the previous section can re-

spectively be represented as PCTS-0 = m([0,0],1), PCTS-

1 = m([1,3],4) and PCTS-2 = m([1,4],2). We claim that

PCTS-0 and PCTS-1 are safe modes, while we demonstrated

that PCTS-2 is not.

With the PCTS scheme, axioms (G5-G10) on message

receiving and knowledge gained, axioms (G11-G13) on mes-

sage sending, and axioms (G14-G21) regarding authentication

(i.e., modules Mmk, Mms, and Mar) are fixed and suitable

for all modes. However, Msr specifying the send-receive

mode depends on the mode itself. For any send-receive mode

m([u,v],d), we have the following generic rules used for

specifying the mode:

G1. send(A,B,X) →

next(u)receive(B,X) ∨ ... ∨ next(v)receive(B,X).

G2. first send(S,R,?{f(K1),nR}SK(S)?).

G3. first next(d)send(S,R,??M1,f(K2)?,

MAC(f?(K1),?M1,f(K2)?)?.

G4. send(S,R,?D,MAC(f?(K),D)?) ↔

next(d)send(S,R,X) ∧ K ∈ X.

Let Msr = {G1,G2,G3,G4}. Thus, we have the theory

that specifies the PCTS scheme with the mode m([u,v],d):

T = Msr∪ Mmk∪ Mms∪ Mar= {G1,...,G21}.

The theory could be mechanized in a proof systsem. For exam-

ple, with the SMV, the theory itself can be “MODULE main”,

submodules should include “MODULE sr”, “MODULE mk”,

“MODULE ms” and “MODULE ar”, which are mapped from

Msr, Mmk, Mmsand Mar, respectively.

The theory provides a foundation for analysing the TESLA

protocol. In fact, by the theory, we can show that the following

lemma holds.

Lemma 1: Given a mode m([u,v],d). Then the PCTS

scheme with this mode is secure if m([u,v],d) is a safe mode.

We outline the proof as follows: Within the PCTS scheme,

packet P1 is authenticated with the regular digital signature

scheme and can therefore be conducted using a standard

verification method. Therefore, proving the correctness for the

PCTS scheme of TESLA may be recursively done based on

the assumption that the receiver has the authenticated packet

P1and it was indeed sent by the sender. That is, we have that

BRhas been auth(P1) ∧ has sent(A,R,P1) → A = S.

Then, assuming that for all i(1 ≤ i ≤ n − 1), the formula

BR has been auth(Pi) ∧ has sent(A,R,Pi) → A = S

holds, we need to show that

BRhas been auth(Pn) ∧ has sent(A,R,Pn) → A = S.

The above assertion holds true based on axioms G10 and G13

if v < d, i.e., m([u,v],d) is a safe model.

The theory also gives a basis for the receiver to verify stream

messages received through the PCTS scheme of the TESLA

protocol if the scheme with its send-receive mode satisfies the

correctness condition. From Figure 2, we see that the scheme

with the mode PCTS-0 or PCTS-1 is secure, while with the

mode PCTS-2 it is not a secure scheme, as a successful attack

can be carried out.

Trusting the protocol with a safe send-receive mode, the

receiver can unambiguously be sure that, when a packet Pi

arrived, the sender must not yet send out the corresponding

key disclosure packet Pj (i.e., Pi+1 in the PCTS scheme).

Therefore, the receiver could verify any packet received based

on the theory T that describes the behaviour of the protocol.

However, in practice, safe modes, except for the mode

m([0,0],1), do not guarantee that the receiver is sure that a

packet Piis authenticated when it arrives, as the sender has not

yet sent out the corresponding key to verify Pi. For example,

let us consider a case with the mode m([1,3],4): the sender

S sends packet Pito the receiver R at time t, R receives it at

t+3; then S sends packet Pi+1to R at t +4 and R receives

it at t+ 5. It is possible that R may think that Pi+1was sent

three time units before receiving it, i.e., may think that Pi+1

was sent at t + 2. Therefore the receiver may not accept the

fact that, when a packet Pi arrived, S had not yet send out

Pi+1 that contains the key to verify Pi. To exclude such a

problem, we recommend a mode m([u,v],d) that satisfies the

condition 2v − u < d.

VI. CONCLUDING REMARKS

We have presented a logical framework for analysing stream

authentication protocols. With the logic, we use a simple case

of the fibred semantics arising from Kripke models with a

single time model. However, it is not difficult to extend it

by considering other time models. Such extensions would be

needed when one wants to deal with different local clocks

(different subsets of the global clock) for multiple receivers

involved in a protocol.

In analysing the TESLA protocol, Archer [1] uses the

theorem prover TAME, and Broadfood et al [2] use model

checking techniques. One advantage of those methods is

that some properties of the protocol can easily be captured

through proving systems, but a drawback is that the formal

representations involved in such proofs are often not easily

understood or validated by the user.

Our approach based on the fibred logic is flexible since

the structure of the theory is well-defined, and separating the

Page 8

[

[

]

]

[][]

PPP

PP

PP

PPP

PP

P

PPP

P

PP

P’

i

P’

i

Sender

Receiver

Sender

Receiver

Sender

Receiver

Attacker

i−1

Pi

i+1

i+2

i−1ii+1 i+2

i−1ii+1

iii+1

i−1i i+1

ii+1

i−1

[ ][ ][ ][ ]

][][

[][][]

PCTS−1

PCTS−2

PCTS−0

Fig. 2.Modes PCTS-0= m([0,0],1), PCTS-1= m([1, 3],4) and PCTS-2= m([1, 4],2)

theory from its implementation helps a protocol designer to

capture the meanings of the theory as a whole. Moreover the

modular structure makes it easy for the user to modify a theory.

Our analysis has shown that the PCTS scheme of TESLA with

a safe send-receive mode is secure given that the correctness

condition is satisfied.

We believe that our approach can be easily extended such

that it is also suitable for other schemes of the TESLA

protocol, and for other stream authentication protocols. We

have been developing a tableaux-based theorem prover for

the fibred logic and we will consider its applications to the

verification of stream authentication protocols.

REFERENCES

[1] M. Archer. Proving correctness of the basic TESLA multicast stream

authentication protocol with Tame. In Workshop on Issues in the Theory

of Security, 2002.

[2] P. Broadfoot and G. Lowe. Analysing a stream authentication protocol

using model checking, 2002. In 7th European Symposium on Research

in Computer Security (ESORICS 2002), Pages 146-161.

[3] M. Burrows, M. Abadi and R. Needham. A logic of authentication.

ACM Trans. Comput. Syst. Vol.8, No.1 (1990), pp.18–36.

[4] E. Clarke, S. Jha, and W. Marrero.

knowledge for specifying security properties of electronic commerce

protocols. In Proceedings of the Workshop on Formal Methods and

Security Protocols, 1998.

[5] N. Durgin, J. Mitchell, and D. Pavlovic.

proving security properties of protocols, Journal of Computer Security,

11(2003):677–721.

[6] Dov Gabbay. Fibring Logics, volume 38 of Oxford Logic Guides. Oxford

Univesity Press, 1998.

[7] J. Y. Halpern and Y. Moses. A guide to completeness and complexity

for modal logics of knowledge and belief. Artificial Intelligence 54,

pages 319–379, 1992.

A machine checkable logic of

A compositional logic for

[8] S. A. Kripke.

Philosophica Fennica, 16:83–94, 1963.

[9] C. Liu. Logical foundations for reasoning about trust in secure digital

communication. In AI2001: Advances in Artificial Intelligence, LNAI,

Vol.2256, pages 333–344. Springer-Verlag, 2001.

[10] C. Liu and M. A. Orgun. Dealing with multiple granularity of time

in temporal logic programming.

22(5/6):699–720, 1996.

[11] C. Liu, M. Ozols and M. A. Orgun. A temporalised belief logic for

specifying the dyamics of trust for multi-agent systems. In Proceedings

of the Ninth Asian Computer Science Conference, LNCS, Vol.3321.

Springer-Verlag, 2004.

[12] C. Liu, M. Ozols and M. A. Orgun. A fibred belief logic for multi-agent

systems. In S. Zhang and R. Jarvis (eds), Proceedings of The 18th

Australian Joint Conference on Artificial Intelligence, 5-9 December

2005, LNAI, Vol.3809, pp.29–38. Springer-Verlag.

[13] J. Ma and M. A. Orgun. Trust management and trust theory revision.

IEEE Transactions on Systems, Man and Cybernetics, Part A: Systems

and Humans, Vol.36(3), pp.451–460, May 2006.

[14] K. L. McMillan. Symbolic Model Checking — An Approach to the State

Explosion Problem. PhD thesis, Carnegie Mellon University, 1992.

[15] L. C. Paulson.The inductive approach to verifying cryptographic

protocols. Journal of Computer Security, 6(1-2):85–128, 1998.

[16] Lawrence C. Paulson. ML for the Working Programmer. Cambridge

University Press, second edition, June 1996.

[17] A. Perrig, R. Canetti, J. D. Tygar, and D. Xiaodong Song. Efficient

authentication and signing of multicast streams over lossy channels. In

Proceedings of The IEEE Symposium on Security and Privacy, pages

56–73, 2000.

Semantical considerations on modal logic.

Acta

Journal of Symbolic Computation,