Heuristic Methods for Security Protocols
ABSTRACT Model checking is an automatic verification technique to verify hardware and software systems. However it suffers from state-space explosion problem. In this paper we address this problem in the context of cryptographic protocols by proposing a security property-dependent heuristic. The heuristic weights the state space by exploiting the security formulae; the weights may then be used to explore the state space when searching for attacks.
EPTCS ??, 20??, pp. 1–??.
This work is licensed under the Creative Commons Attribution License.
Heuristic Methods for Security Protocols∗
Qurat ul Ain Nizamani
Department of Computer Science
University of Leicester, UK
qn4@mcs.le.ac.uk
Emilio Tuosto
Department of Computer Science
University of Leicester, UK
et52@mcs.le.ac.uk
Model checking is an automatic verification technique to verify hardware and software systems.
However it suffers from state-space explosion problem. In this paper we address this problem in
the context of cryptographic protocols by proposing a security property-dependent heuristic. The
heuristic weights the state space by exploiting the security formulae; the weights may then be used
to explore the state space when searching for attacks.
1 Introduction
Security protocols present many interesting challenges from both pragmatic and theoretical points of view: they are ubiquitous and, despite their apparent simplicity, pose many theoretical challenges. One of the most interesting aspects of security protocols is the complexity of the verification algorithms that check their correctness; in fact, under many models of the intruder, correctness is undecidable and/or computationally hard [?, ?, ?, ?].
Many authors have formalised security protocols in terms of process calculi suitable for defining verification frameworks (model checking, path analysis, static analysis, etc.) [?, ?, ?, ?]. Model checking (MC) techniques have been exploited in the design and implementation of automated tools [?, ?], and symbolic techniques have been proposed to tackle the state explosion problem [?, ?, ?, ?].
This paper promotes the use of heuristic search in the MC of security protocols. We define a heuristic based on the logic formulae formalising the security properties of interest and we show how such a heuristic may drive the search for an attack path. Specifically, we represent the behaviour of a security protocol in the (symbolic) MC framework based on cIP and PL, respectively a cryptographic process calculus and a logic for specifying security properties, introduced in [?]. An original aspect of this framework is that it allows one to explicitly represent instances¹ of participants and to predicate over them.
Intuitively, the heuristic ranks the nodes and the edges of the state space by inspecting (the syntactic structure of) the formula expressing the security property of interest. More precisely, the state space consists of the transition system representing the possible runs of a protocol; our heuristic weights states and transitions considering the instances of principals that joined the context and how they are quantified in the security formula. Weights are designed so that the most promising paths are tried before less promising directions. Rather interestingly, the heuristic can rule out a portion of the state space while exploring only a part of it: we show that the heuristic may cut some directions because they cannot lead to attacks, and the heuristic is proved to be correct, namely no attack can be found in the portion of the state space cut by our heuristic.
∗ The authors thank the anonymous reviewers for their valuable suggestions and Alberto Lluch-Lafuente for the useful discussions.
¹ This key feature of the framework is supported by the use of open variables, a linguistic mechanism to tune and combine instances that join the run of a protocol.
To the best of our knowledge, heuristic methods have not yet been explored to analyse security protocols (at least in the terms proposed in this paper), which may be surprising. In general, many of the features of heuristics fit rather well with the verification of security protocols. More precisely, (i) optimality of the solution (“the attack”) is not required when validating protocols (violations of properties of interest are typically considered equally harmful), (ii) the graph-like structures (e.g., labelled transition systems) representing the behaviour of security protocols usually have ‘symmetric regions’ which may be ignored once one of them is checked, (iii) heuristic search may be easily combined with several verification frameworks and particularly with MC. The lack of such a research thread is possibly due to the fact that it is in general hard to define heuristics for security protocols. In fact, heuristics are typically tailored on (properties of) a goal state and measure the “distance” from a state to a goal state. In the verification of security protocols, this would boil down to measuring the distance from an attack, i.e. a state where a security property is violated. Therefore, designing heuristics suitable to improve the MC of security protocols is hard, as attacks cannot be characterised beforehand.
Here, we argue that heuristic search may be uniformly used in the verification of security protocols and provide some interesting cases of how our approach improves efficiency. In fact, we illustrate how the use of the heuristic can greatly improve the efficiency of the search by cutting the directions that cannot contain attacks.
Our approach seems to be rather promising; albeit this research is in an initial stage, it can be extended in many directions. Finally, we argue that our proposal can be applied to other verification frameworks like [?] or inductive proof methods like [?, ?] (see § ??).
Structure of the paper. § ?? summarises the concepts necessary to understand our work; § ?? gives the definition of our heuristic, which is then evaluated and proved correct in § ??; § ?? concludes the paper and discusses related work.
2 Background
This section fixes our notation (§ ??) and recalls a few basic concepts on informed search, largely borrowed from [?] (§ ??).
2.1 Expressing security protocols and properties in cIP and PL
We adopt the formal framework introduced in [?], consisting of the cIP (after cryptographic Interaction Pattern) process calculus and the PL logic (after Protocol Logic), to represent respectively security protocols and properties. Here, we only review the main ingredients of cIP and PL by means of the Needham-Schroeder (NS) public key protocol and refer the reader to [?] for a precise presentation.
The NS protocol consists of the following steps:
1. A → B : {na,A}B+
2. B → A : {na,nb}A+
3. A → B : {nb}B+
where, in step 1 the initiator A sends to B a nonce na and her identity encrypted with B’s public key B+;
in step 2, B responds to the nonce challenge by sending to A a fresh nonce nb and na encrypted with
A+, the public key of A; A concludes the protocol by sending back to B the nonce nb encrypted with B’s
public key.
In cIP principals consist of their identity, the list of open variables and the actions they have to perform in the protocol. A cIP principal can either send or receive messages on a public channel using the out and in actions respectively. The NS protocol can be formalised in cIP as follows:
A : (r)[ out({na,A}r+). in({na,?z}A−). out({z}r+) ]
B : ()[ in({?x,?y}B−). out({x,nb}y+). in({nb}B−) ]      (1)
The principal A (resp. B) in (1) represents the initiator (resp. the responder) of the NS protocol. The open variable r is meant to be bound to the identity of the responder. The principal A first executes the output action and then waits for a message matching the pattern specified in the in action. More precisely, A will receive any pair encrypted with her public key whose first component is the nonce na; upon a successful match, the second component of the pair is assigned to the variable z. For instance, the message {na,M}A+ matches {na,?z}A− for any M and would assign M to z.
We adopt the definition of PL formulae given in [?]:
$$\varphi,\psi ::= x_i = m \;|\; \kappa \vdash m \;|\; Q\,i : A.\,\psi \;|\; \neg\psi \;|\; \psi \wedge \varphi \;|\; \psi \vee \varphi$$
where Q ranges over the set of quantifiers {∀,∃} and the xi are indexed variables (a formula without quantifiers is called quantifier-free).
The atomic formulae xi = m and κ ⊢ m hold respectively when the variable xi is assigned the message m and when κ (representing the intruder's knowledge) can derive m. Notice that quantification is over indexes i because PL predicates over the instances of the principals concurrently executed. A principal instance is a cIP principal indexed with a natural number; for example, the instance of the NS initiator obtained by indexing the principal A in (1) with 2 is
A2 : (r2)[ out({na2,A2}r2+). in({na2,?z2}A2−). out({z2}r2+) ]      (2)
We let [X] be the set of all instances of a principal X; e.g., the instance² in (2) is in [A] (§ ?? illustrates how the transition system of cIP instances of a protocol is obtained).
As an example of a PL formula, consider the formula ψNS predicating on (instances of) the NS protocol:
$$\psi_{NS} = \forall i : A.\ \exists j : B.\ (x_j = na_i \wedge z_i = nb_j)$$
The formula ψNS states that for every instance Ai of A there should be an instance Bj of B that has received the nonce nai sent by Ai and whose nonce nbj has been received by Ai.
2.2 Basics of heuristics
As mentioned in § ??, approaches such as symbolic MC can be used to tackle the problem of state space explosion. However, even with such approaches the search space can grow enormously. It is therefore desirable to look into methods through which the search space can be generated/explored more efficiently, using informed search algorithms, which are characterised by the use of a heuristic function (also called evaluation function). A heuristic function assigns a weight to nodes by estimating their “distance” from a goal node.
² Hereafter, we denote an instance simply by the indexed name of the principal; for example, the instance above will be referred to as A2.
We recall here the basic concepts on heuristic algorithms by means of a simple example and refer the reader to [?] for a deeper presentation.
The n-puzzle (also known as the sliding-block or tile puzzle) is a well-known puzzle in which the goal is to move square tiles by sliding them horizontally or vertically into the one empty position. For n = 8 the goal configuration is depicted in Figure ??; a possible initial configuration is in Figure ??. The problem of finding the shortest path leading to the goal configuration is NP-hard.
Figure 1: The 8-puzzle goal configuration
Figure 2: A possible start configuration
A very simple heuristic (cf. [?]) for the 8-puzzle is given by
h1 = number of misplaced tiles.
For each configuration, h1 counts the number of tiles that are misplaced with respect to the goal configuration. For instance, h1 weights 8 the configuration in Figure ?? since all the tiles are misplaced.
Another heuristic (cf. [?]) for the 8-puzzle is the one that exploits the so-called Manhattan distance:
h2 = sum of the Manhattan distances of the non-empty tiles from their target positions.
So the configuration in Figure ?? is weighted 18 by h2.
An important property of heuristics is admissibility: an admissible heuristic is one that never overestimates the cost to reach the goal node. Both h1 and h2 are admissible; in fact, h1 is clearly admissible as each misplaced tile will require at least one step to get to its right place, and h2 is also admissible as at each step a tile can get at most one step closer to the goal. A non-admissible heuristic is h3 = h1 ∗ 4; in fact, if only one tile is misplaced with respect to the goal configuration, h3 returns 4, which is an overestimation of the distance to the goal.
3 A Heuristic for Security Protocols
This section introduces our original contribution (§ ??), namely the heuristic for effectively searching the state space generated for model checking cryptographic protocols. As mentioned earlier, there is not much work done in this regard. Specifically (to the best of our knowledge) no work exists that can prune a state space in the verification of cryptographic protocols.
The heuristic function is defined on the security formula expressed in PL.
The heuristic is efficient as it will not only guide the search algorithm towards promising regions of the graph but can also prune those parts of the state space where an attack cannot happen under a given security formula.
The heuristic is defined in terms of two mutually recursive functions Hs and Ht, which assign weights to states and transitions respectively. The state space is obtained according to the semantics of cIP defined in [?]. For lack of space, an informal presentation of the semantics is given here.
3.1 The state space
A state consists of a tuple ⟨C,χ,κ⟩ where
• C is a context containing the principal instances which joined the session,
• χ is a mapping of variables to messages, and
• κ is a set of messages representing the intruder knowledge.
A transition from one state to another can be the result of out and in actions performed by principal
instances or of join operations non-deterministically performed by the intruder; join transitions may
instantiate open variables by assigning them with the identity of some principal (provided it is in κ).
Initially, C is empty and therefore the only possible transitions are join ones. When C contains an
instance ready to send a message, an out transition can be fired so that the sent message is added to κ. If
C contains a principal ready to receive a message, the intruder tries to derive from the messages in κ a
message that matches the pattern specified in the input action (see § ??); if such a message is found χ is
updated to record the assignments to the variables occurring in the input action.
For instance, a few possible transitions for the NS protocol are
s0 --join--> s1 --join--> s2 --out--> s3 --in--> s4
where s0 = ⟨∅, ∅, κ0⟩ with κ0 = {I, I+, I−}, namely initially no principal instance has joined the context, there is no assignment to variables, and the intruder only knows its identity and its public/private keys.
The join transition from s0 to s1 adds a principal instance B2 to the context, yielding
s1 = ⟨ {()[in({?x2,?y2}B2−).out({x2,nb2}y2+).in({nb2}B2−)]}, ∅, κ1 = κ0 ∪ {B2, B2+} ⟩
that is, the intruder now knows B2's identity and (by default) its public key. Similarly, the transition from s1 to s2 adds the principal instance A1 to the context and therefore
s2 = ⟨ {()[in({?x2,?y2}B2−).out({x2,nb2}y2+).in({nb2}B2−)], ()[out({na1,A1}B2+).in({na1,?z1}A1−).out({z1}B2+)]}, {r1 ↦ B2}, κ2 = κ1 ∪ {A1, A1+} ⟩
Notice that the open variable r1 is now mapped to B2.
The transition from s2 to s3 is due to an out action:
s3 = ⟨ {()[in({?x2,?y2}B2−).out({x2,nb2}y2+).in({nb2}B2−)], ()[in({na1,?z1}A1−).out({z1}B2+)]}, {r1 ↦ B2}, κ3 = κ2 ∪ {{na1,A1}B2+} ⟩
the prefix of A1 is consumed and the message is added to the intruder's knowledge.
Finally, the transition from s3 to s4 is due to an in transition for the input prefix of B2. The message {na1,A1}B2+ added to the intruder's knowledge in the previous transition matches the pattern {?x2,?y2}B2− specified by B2, therefore x2 and y2 are assigned na1 and A1 respectively. Hence,
s4 = ⟨ {()[out({na1,nb2}A1+).in({nb2}B2−)], ()[in({na1,?z1}A1−).out({z1}B2+)]}, {r1 ↦ B2, x2 ↦ na1, y2 ↦ A1}, κ3 ⟩
In our framework, join transitions can be safely anticipated before any other transition (Observation 10.1.3 in [?], page 174).
3.2 The heuristic
For simplicity and without loss of generality, we define the heuristic on Prenex Normal Form (PNF) formulae, defined below.
Definition 1. [Prenex Normal Form] A PL formula is in prenex normal form if it is of the form
$$Q_1\, i_1 : A_1.\ \cdots\ .\,Q_n\, i_n : A_n.\ \varphi$$
where φ is a quantifier-free formula and, for 1 ≤ j ≤ n, Qj ∈ {∀,∃}, each ij is an index variable, and Aj is a principal name.
Basically, a PNF formula is a formula where all the quantifiers are “at top level”. Notice that, in Definition ??, n = 0 is allowed, which amounts to saying that a quantifier-free formula is already in PNF.
Theorem 3.1. Any PL formula can be transformed into a logically equivalent PNF formula.
Proof. Let the function pnf : PL → PL be defined as follows:
$$\mathit{pnf}(\psi) = \begin{cases}
\psi & \text{if } \psi \text{ is a quantifier-free formula} \\
Q\,i : A.\,\mathit{pnf}(\psi') & \text{if } \psi \equiv Q\,i : A.\,\psi' \\
Q\,i : A.\,\mathit{pnf}(\neg\psi'') & \text{if } \psi \equiv \neg\psi' \text{ and } \mathit{pnf}(\psi') \equiv Q\,i : A.\,\psi'' \\
Q\,i' : A.\,\mathit{pnf}(\psi'_1[i'/i] \wedge \psi_2) & \text{if } i' \text{ fresh},\ \psi \equiv \psi_1 \wedge \psi_2 \text{ and } \mathit{pnf}(\psi_1) \equiv Q\,i : A.\,\psi'_1 \\
Q\,i' : A.\,\mathit{pnf}(\psi'_1[i'/i] \vee \psi_2) & \text{if } i' \text{ fresh},\ \psi \equiv \psi_1 \vee \psi_2 \text{ and } \mathit{pnf}(\psi_1) \equiv Q\,i : A.\,\psi'_1
\end{cases}$$
The proof of the theorem follows from the properties of pnf given by Lemmas ?? and ?? below.
Lemma 3.2. For any PL formula ψ, pnf(ψ) is in PNF.
Proof. We proceed by induction on the structure of ψ.
If ψ is a quantifier-free formula then it is in PNF and, by definition of pnf, pnf(ψ) = ψ.
The inductive case is proved by case analysis.
• Assume ψ is Qi:A.ψ'; then by definition of pnf, pnf(ψ) = Qi:A.pnf(ψ'). By inductive hypothesis pnf(ψ') is in PNF and therefore pnf(ψ) is in PNF.
• If ψ = ψ1 ∧ ψ2 then, assuming pnf(ψ1) = Qi:A.ψ1', by definition of pnf, pnf(ψ) = Qi':A.pnf(ψ1'[i'/i] ∧ ψ2) for a fresh index i' not occurring in ψ2. By inductive hypothesis pnf(ψ1'[i'/i] ∧ ψ2) is in PNF, therefore pnf(ψ) is in PNF.
• The case ψ = ψ1 ∨ ψ2 is analogous.
• If ψ = ¬ψ' then, assuming pnf(ψ') = Qi:A.ψ'', by definition of pnf, pnf(ψ) = Qi:A.pnf(¬ψ''). By inductive hypothesis pnf(¬ψ'') is in PNF, therefore pnf(ψ) is in PNF.
Lemma 3.3. pnf(ψ) ⇔ ψ.
Proof. We proceed by induction on the structure of ψ.
If ψ is a quantifier-free formula then pnf(ψ) = ψ and therefore pnf(ψ) ⇔ ψ.
Again the proof of the inductive case is given by case analysis.
• Assume ψ is Qi:A.ψ'; then by definition of pnf, pnf(ψ) = Qi:A.pnf(ψ'). By inductive hypothesis pnf(ψ') ⇔ ψ', hence pnf(ψ) ≡ Qi:A.ψ' and therefore pnf(ψ) ⇔ ψ.
• If ψ = ψ1 ∧ ψ2 then, assuming pnf(ψ1) = Qi:A.ψ1', by definition of pnf, pnf(ψ) = Qi':A.pnf(ψ1'[i'/i] ∧ ψ2) for i' fresh (namely, i' does not occur in ψ2). By inductive hypothesis pnf(ψ1) ⇔ ψ1, hence ψ ⇔ pnf(ψ1) ∧ ψ2 = (Qi:A.ψ1') ∧ ψ2. It is trivial to prove that for any PL formula (Qi:A.ψ) ∧ φ ⇔ Qi:A.(ψ ∧ φ) and therefore pnf(ψ) ⇔ ψ.
• The proof for ψ = ψ1 ∨ ψ2 is similar.
• If ψ = ¬ψ' then, assuming pnf(ψ') = Qi:A.ψ'', by definition of pnf, pnf(ψ) = Qi:A.pnf(¬ψ''). By inductive hypothesis pnf(ψ') ⇔ ψ' and therefore ψ ⇔ ¬pnf(ψ'), hence ψ ⇔ ¬(Qi:A.ψ'') ⇔ Qi:A.¬ψ'' and therefore pnf(ψ) ⇔ ψ.
The heuristic function Hs is given in Definition ?? and depends on the function Ht given in Definition ?? below.
Definition 2 (Weighting states). Given a state s and a formula φ, the state weighting function is given by
$$H_s(s,\varphi) = \begin{cases}
\max_{t \in s^{\uparrow}} H_t(t,\varphi) & s^{\uparrow} \neq \emptyset \\
-\infty & \varphi \equiv \forall i : A.\,\varphi' \;\wedge\; s^{\uparrow} = \emptyset \;\wedge\; s \cap [A] = \emptyset \\
0 & \text{otherwise}
\end{cases}$$
where s↑ is the set of join transitions departing from s and, assuming s = ⟨C,χ,κ⟩, s∩[A] stands for κ∩[A].
The function Hs takes in input a state, say s = ⟨C,χ,κ⟩, and a formula φ, and returns the maximum among the weights computed by Ht on the join transitions departing from s for φ. The weight −∞ is returned if
• φ is a universal quantification on a principal instance A (∀i:A. φ'),
• s does not have outgoing join transitions (s↑ = ∅), and
• there is no instance of A in the context (s∩[A] = ∅).
The heuristic Hs has been designed considering that a formula universally quantified on instances of A is falsified in those states where there is at least one instance of A. Therefore a context that does not have an instance of the quantified principal has no chance of falsifying the formula. In fact, the condition s↑ = ∅ ensures that no principal instance can later join the context. As a result, there is no possibility of falsifying the property in any path emerging from this state, which can therefore be pruned. This justifies the second case of Hs, where the value −∞ is assigned to such states.
The heuristic that assigns weights to transitions is given in Definition ??.
Definition 3 (Weighting transitions). Given a state s and a transition t in s↑ from s to s' = ⟨C',χ',κ'⟩, the transition weighting function Ht is
$$H_t(t,\varphi) = \begin{cases}
1 + H_s(s',\varphi') & \varphi \equiv \forall i : A.\,\varphi' \;\wedge\; \kappa' \cap [A] \neq \emptyset, \\
1 + H_s(s',\varphi) & \varphi \equiv \exists i : A.\,\varphi' \;\wedge\; \kappa' \cap [A] = \emptyset, \\
H_s(s',\varphi') & \varphi \equiv \exists i : A.\,\varphi' \;\wedge\; \kappa' \cap [A] \neq \emptyset, \\
H_s(s',\varphi) & \varphi \equiv \forall i : A.\,\varphi' \;\wedge\; \kappa' \cap [A] = \emptyset, \\
0 & \text{otherwise.}
\end{cases}$$
The function Ht takes in input a transition t and invokes Hs to compute the weight of t depending on the structure of the formula φ. As specified in Definition ??, the weight of the arrival state is incremented if either of the two following mutually exclusive conditions holds:
• φ universally quantifies on a principal instance A (∀i:A. φ') of which some instances have already joined the context (κ'∩[A] ≠ ∅);
• φ existentially quantifies on a principal instance A (∃i:A. φ') which is not present in the context (κ'∩[A] = ∅).
Instead, the heuristic Ht does not increment the weight of the arrival state if either of the following mutually exclusive³ conditions holds:
• φ existentially quantifies on instances of A (∃i:A. φ') and such instances are present in the context (κ'∩[A] ≠ ∅);
• φ universally quantifies on instances of A (∀i:A. φ') and the context does not contain such instances (κ'∩[A] = ∅).
Again the intuition behind Ht is based on quantifiers. The formula φ that universally (resp. existentially) quantifies on instances of A can be falsified only if such instances will (resp. will not) be added to the context. Therefore all transitions that (resp. do not) add an instance of A get a higher value. It is important to mention that in the first and third cases in Definition ??, the recursive call to Hs takes in input φ', the subformula of φ in the scope of the quantifier. This is due to the fact that once an instance of the quantified principal has been added we are not interested in more instances and therefore consume the quantifier. The heuristic Ht returns 0 when φ is a quantifier-free formula. In fact, due to the absence of quantifiers we cannot assess how promising t is for finding an attack for φ. We are investigating whether a better heuristic is possible in this case.
Finally, we remark that Hs and Ht terminate on a finite state space because the sub-graph consisting of the join transitions forms a tree by construction⁴. Therefore, the recursive invocations from Ht to Hs will eventually be resolved by the last two cases of Hs in Definition ??.
³ Note that all the conditions of the definition of Ht are mutually exclusive.
⁴ For page limits we do not prove it formally, but it can easily be checked by the informal description of join transitions given in this section.
4 Evaluation of the Heuristic
In this section we describe with the help of examples how our proposed heuristic can find attacks without exploring the complete state space. In the first example the heuristic is applied to the NS protocol and in the second example it is applied to the KSL protocol. We also prove the correctness of the heuristic.
4.1 Applying the heuristic to the Needham-Schroeder protocol
Let us consider the property ψNS given in § ?? as ∀i:A. ∃j:B (xj = nai ∧ zi = nbj). Figure ?? illustrates a portion of the state space of the NS protocol after the first two join transitions when ψNS is considered. Notice that ψNS can be falsified in a path where there is a context containing at least one instance of A and no instances of B.
Figure 3: join transitions of the NS protocol (contexts {B1} and {A1} at the first level; {B1,B2}, {B1,A2}, {A1,B2} and {A1,A2} at the second level)
Figure 4: weighted states in NS (the same join tree, with states and transitions weighted 2, 1, 0 or −∞)
The heuristic will assign weights to states and transitions as in Figure ??. The highlighted paths (those with ‘fat’ arrows) are the ones to be explored; the context {A1,A2} contains the attack reported below:
1. A1 → I : {na1,A1}I+
2. A2 → I : {na2,A2}I+
3. I → A1 : {na1,na2}A1+
4. I → A2 : {na2,na1}A2+
5. A1 → I : {na2}I+
6. A2 → I : {na1}I+
with κ ⊢ na1, na2.
The intruder acts as responder for both A1 and A2. As a result of steps 1 and 2, κ contains na1 and na2, enabling the intruder to send messages to A1 and A2 at steps 3 and 4 respectively. This results in the assignments zA1 = na2 and zA2 = na1, which falsify the stated property, since it requires a nonce generated by an instance of B to be assigned to these variables.
The other two highlighted paths contain a similar attack; we report the one with context {A1,B2}.
1. A1 → I : {na1,A1}I+
2. I → A1 : {na1,I}A1+
3. A1 → I : {I}I+
4. I → B2 : {na1,I}B2+
5. B2 → I : {na1,nb2}I+
6. I → B2 : {nb2}B2+
with κ ⊢ na1, I and κ ⊢ nb2.
Again at steps 2 and 4, A1 and B2 receive the identity of the intruder instead of a nonce of B, resulting in an attack.
It is evident from Figure ?? that the heuristic assigns appropriate weights to the paths that contain an attack. It is worth mentioning that the context {B1,B2} has been labelled −∞, therefore the search will never explore this state. This suggests that approximately 1/4 of the state space can be pruned by applying the heuristic. This is a rough estimate taking into consideration the symmetry in the state space (the context {A1,A2} is similar to {B1,B2} and {A1,B2} is similar to {B1,A2}).
4.2 Applying the heuristic to the KSL protocol
We consider the analysis of (the second phase of) KSL [?], done in [?]. The protocol provides repeated authentication and has two phases; in the first phase (i) a trusted server S generates a session key kab to be shared between A and B, and (ii) B generates the ticket {Tb,A,kab}kbb for A (where Tb is a timestamp and kbb is known only to B).
In the second phase, A uses the ticket (while it is valid) to repeatedly authenticate herself to B without the help of S. The second phase can be specified as follows:
1. A → B : na, {Tb,A,Kab}Kbb
2. B → A : nb, {na}Kab
3. A → B : {nb}Kab
A sends a fresh nonce na and the ticket to B, who accepts the nonce challenge and sends nb together with the cryptogram {na}kab to A. In the last message, A confirms to B that she got kab.
In cIP, A and B can be represented as follows:
A : (b,sk,tk)[
out(na,{b,A,sk}tk).
in(?y,{na}sk).
out({y}sk)]
B : (a,sk,tk)[
in(?x,{B,a,sk}tk).
out(nb,{x}sk).
in({nb}sk)]
(where for simplicity the timestamp generated by B is substituted by his identity). Authentication is based on the mutually exchanged nonces, and formalised as follows:
$$\psi_{KSL} = \forall l : B.\ \forall j : A.\ (b_j = B_l \wedge a_l = A_j \rightarrow x_l = na_j \wedge y_j = nb_l)$$
which reads: any pair of properly connected “partners” Bl and Aj (bj = Bl ∧ al = Aj) eventually exchange the nonces naj and nbl.
Figures ?? and ?? depict the weighted state space for 2 and 3 maximum principal instances respectively. The verification with 2 principal instances reports no attack, and the conclusion can be derived by exploring just half of the state space (the contexts {A1,A2} and {B1,B2} are labelled −∞; see Figure ??).
Figure 5: Join transitions of KSL, with state and transition weights; (a) 2 principals, (b) 3 principals
In the case of 3 principal instances, the attacks are found in the highlighted paths (those shadowed). The heuristic assigns appropriate weights to such paths and 2 states are labelled −∞, suggesting a rough cut-down of 1/4 of the state space.
The examples show that the heuristic is able to guide the search algorithm towards promising paths containing attacks. Moreover, a considerable part of the state space is pruned, reducing the number of states to be explored by the search algorithm.
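As an added illustration (not code from the paper or from the ASPASyA tool), the following Python implements Hs and Ht of Definitions 2 and 3 over the bounded join tree of a protocol and reproduces the weights discussed in § 4.1 and § 4.2. It assumes that a formula is represented only by its PNF quantifier prefix (the quantifier-free body plays no role in the heuristic), that instances are named by principal name plus joining position as in the figures, and that after a join the instance's identity is in κ, so s∩[A] can be read off the context.

```python
from math import inf

FORALL, EXISTS = "forall", "exists"

# PNF prefixes of the two security formulae of the paper; the quantifier-free
# bodies are omitted because Hs and Ht never inspect them (assumed encoding).
PSI_NS = ((FORALL, "A"), (EXISTS, "B"))    # psi_NS  = forall i:A. exists j:B. (...)
PSI_KSL = ((FORALL, "B"), (FORALL, "A"))   # psi_KSL = forall l:B. forall j:A. (...)


def join_successors(state, principals, bound):
    """Join transitions leaving `state`: one fresh instance of each principal,
    indexed by its joining position, until `bound` instances are present."""
    if len(state) >= bound:
        return ()
    index = len(state) + 1
    return tuple(state + (f"{p}{index}",) for p in principals)


def has_instance(state, principal):
    """s ∩ [A] ≠ ∅: an instance of `principal` has joined (its identity is in κ)."""
    return any(inst.rstrip("0123456789") == principal for inst in state)


def h_s(state, prefix, principals, bound):
    """Hs(s, φ) of Definition 2."""
    succ = join_successors(state, principals, bound)
    if succ:                                   # s↑ ≠ ∅: best outgoing join
        return max(h_t(state, s2, prefix, principals, bound) for s2 in succ)
    if prefix and prefix[0][0] == FORALL and not has_instance(state, prefix[0][1]):
        return -inf                            # ∀i:A.φ', no join left, no A: prune
    return 0


def h_t(state, target, prefix, principals, bound):
    """Ht(t, φ) of Definition 3 for the join transition state -> target."""
    if not prefix:                             # quantifier-free φ
        return 0
    quantifier, principal = prefix[0]
    present = has_instance(target, principal)  # κ' ∩ [A] ≠ ∅
    rest = prefix[1:]                          # φ': the quantifier is consumed
    if quantifier == FORALL and present:       # case 1
        return 1 + h_s(target, rest, principals, bound)
    if quantifier == EXISTS and not present:   # case 2
        return 1 + h_s(target, prefix, principals, bound)
    if quantifier == EXISTS and present:       # case 3
        return h_s(target, rest, principals, bound)
    return h_s(target, prefix, principals, bound)   # case 4: ∀, A absent


def next_formula(prefix, target):
    """Formula handed to the arrival state: cases 1 and 3 consume the leading
    quantifier (an instance of its principal is present), cases 2 and 4 keep it."""
    if prefix and has_instance(target, prefix[0][1]):
        return prefix[1:]
    return prefix


def weight_join_tree(prefix, principals=("B", "A"), bound=2):
    """Weight every state and join transition reachable from the empty context,
    each state with the formula the recursion reaches it with.
    Returns (state_weights, edge_weights); keys are context tuples."""
    states, edges = {}, {}

    def visit(state, phi):
        states[state] = h_s(state, phi, principals, bound)
        for s2 in join_successors(state, principals, bound):
            edges[(state, s2)] = h_t(state, s2, phi, principals, bound)
            visit(s2, next_formula(phi, s2))

    visit((), prefix)
    return states, edges


def explore_order(prefix, principals=("B", "A"), bound=2):
    """Maximal contexts in the order a best-first search guided by Ht reaches
    them (highest-weighted transition first); transitions weighted −∞ are
    never followed and their targets are returned separately as pruned."""
    _, edges = weight_join_tree(prefix, principals, bound)
    order, pruned = [], []

    def descend(state):
        succ = join_successors(state, principals, bound)
        if not succ:
            order.append(state)
            return
        for s2 in sorted(succ, key=lambda s: edges[(state, s)], reverse=True):
            if edges[(state, s2)] == -inf:
                pruned.append(s2)
            else:
                descend(s2)

    descend(())
    return order, pruned


if __name__ == "__main__":
    ns_states, _ = weight_join_tree(PSI_NS)
    for ctx, w in ns_states.items():
        print("{" + ",".join(ctx) + "}", w)
    print("NS :", explore_order(PSI_NS))     # {A1,A2} first, {B1,B2} pruned
    print("KSL:", explore_order(PSI_KSL))    # {A1,A2} and {B1,B2} pruned
```

With ψNS the root is weighted 2, {B1,B2} gets −∞ and the leaf contexts are visited in the order {A1,A2}, {A1,B2}, {B1,A2}, as in Figure 4; with ψKSL and two instances both {A1,A2} and {B1,B2} are pruned, so only half of the maximal contexts are explored.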
4.3 Properties of Hs and Ht
First we would like to briefly comment on the admissibility of our proposed heuristic. Admissibility of heuristics is important in problems where it is possible to reach many goal states along different paths, each path having a different cost. Hence, it may be important not only to find a goal state, but also to find the goal state on the path with the best (or an acceptable) cost (as discussed in § ?? for the n-puzzle). In such cases, it is important for the heuristic function to return an estimate of the cost to reach a goal from the state.
We contend that for security protocols the situation is different. In fact, the goal state in this case is an “attack”, namely a state that violates the security property. Typically, it is very hard to compare the importance of different attacks, as the violation of a property may be due to many causes (as for the NS example in § ??). Therefore, optimality of the attack is of less concern when validating protocols; what matters in the first instance is to find an attack, if any. We regard the problem of finding optimal solutions as important, but we do not consider it in this paper.
It is also important to remark that the weights assigned by Hs and Ht to states or transitions do not evaluate the proximity to a target state. Rather, they estimate the likelihood that the state leads to an attack. This leads to a different scenario where the heuristic function does not have to return the cost to reach a goal node: our heuristic returns a value that corresponds to the chance that nodes and transitions are on a path leading to an attack. We therefore contend that admissibility is not an issue in our case.
The following theorem proves the correctness of our heuristic; namely, it shows that the pruned parts of the state space do not contain any attack.
Theorem 4.1. If Hs(s,φ) = −∞ then, for any state s' = ⟨C',χ',κ'⟩ reachable from s = ⟨C,χ,κ⟩, κ' ⊨χ' φ.
Proof. (Sketch) Suppose that there is an s' reachable from s such that κ' ⊭χ' φ. Then κ' ⊨χ' ¬φ and, by the definition of ⊨ (the relation ⊨ is reported in Appendix ??), there is An ∈ κ' (because φ ≡ ∀i:A. φ'). However, by hypothesis s∩[A] = ∅ and s↑ = ∅, hence s'∩[A] = ∅ and therefore s' does not satisfy ¬φ.
5 Concluding Remarks
We have designed a heuristic that can be applied to model check cryptographic protocols. The proposed heuristic drives the search algorithm towards states containing attacks with respect to a security formula, and may prune parts of the state space that do not contain attacks. We have shown that the heuristic is correct, namely that pruned parts of the state space do not contain attacks.
The formal context in which the heuristic is defined is the one proposed in [?], which features the cIP calculus and an ad-hoc logical formalism, called PL, to express protocols and security properties respectively. An original aspect of PL is that it can quantify over principal instances. Formulas of PL are checked against the (symbolic) semantics of cIP by a tool called ASPASyA (Automatic Security Protocol Analysis via a SYmbolic model checking Approach) [?].
5.1 Related work
To the best of our knowledge, the use of heuristics to analyse cryptographic protocols has not been studied much.
The concept of heuristics in cryptographic protocol verification has been used in [?]. The idea is to construct a pattern⁵, pt = (E, →), where E is a set of events and → is a relation on the events. Afterwards, it is checked whether pt can give realizable patterns, which are actual traces of the protocol and represent an attack. For each event execution there are certain terms that need to be in the intruder's knowledge, or that are added to the intruder's knowledge, represented by in(e) and out(e) respectively. A process called pattern refinement is applied to obtain realizable patterns for those events whose in(e) requirements are not satisfied. An open goal represents such requirements and is selected from the set of potential open goals on the basis of the heuristics. In [?] five heuristics are reported (e.g., an open goal is selected randomly; open goals that require a decryption key have higher priority). However, the whole state space must be searched if there are no attacks. We argue that our approach can give better results since it can prune parts of the state space even when there are no attacks (as seen in § ??).
In [?], heuristics have been used to minimize the branching factor for infinite-state model checking of security protocols. Mainly, the heuristics in [?] reorder the nodes; for instance, actions involving the intruder are rated higher than actions initiated by honest participants. However, these heuristics are very basic and, as noted in [?], the tool does not scale to most protocols.
Though heuristic methods have not received much attention for model checking security protocols, they have been studied for model checking in general and have been considered in a few works discussed below.
The work that seems most relevant to our approach is [?], where a heuristic defined in terms of the model and of the formula to be verified can also prune the state space. Our heuristic seems to fall under the general conditions considered in [?], and we plan a deeper comparison.
In [?], the heuristic called 'NEXT' compresses a sequence of transitions into a single meta-transition. This eliminates transient states, so the search algorithm does less work to find the goal node. Similarly, in [?] heuristics for safety and liveness of communication protocols are given. To the best of our knowledge, the heuristics in [?] (and references therein) allow the state space to be cut only in a few trivial cases.
5 E.g., a pattern can be a representative of all traces violating secrecy.
5.2 Future work
This paper proposes the first step of a research program that may develop in several directions.
First, other heuristics can be designed and studied; in fact, we plan to define two further heuristics. The former exploits the intruder's knowledge κ and the cIP protocol specification, while the latter exploits joining formulae, another feature of cIP (also supported by ASPASyA). Joining formulae are PL formulae that express conditions on how principals should be joined (by predicating over open variables)⁶.
The first heuristic will rank states according to the actions that principal instances are ready to execute with respect to the formula to falsify. For instance, if the goal is to prove that a variable should not be assigned a given value, the heuristic may rank higher those states that assign that variable.
The second heuristic may instead be used to avoid evaluating all the joining formulae up front (which may be computationally expensive), using them instead to decide which instance to introduce in a given state.
It will also be rather interesting to study the combined effect of these heuristics (e.g., taking their sum, or their maximum) or to use several heuristics during the search depending on the structure of the state: in one state, one heuristic might be more suitable than the others. Further, we intend to implement these heuristics in the existing tool in order to determine the efficiency achieved in terms of space and time.
We also plan to consider heuristics in other verification contexts. For instance, using strand spaces [?], the approaches in [?, ?] express properties in terms of connections between strands. A strand can be parameterised with variables, and a trace is generated by finding a substitution for which an interaction graph exists. These approaches provide devices very similar to the join mechanism of cIP and may be suitable for heuristics similar to ours, to help find solutions to the constraints. Also, in [?] a symbolic semantics based on unification has been adopted to verify security protocols with correspondence assertions and the use of trace analysis. We think that in this case too heuristics may drive the search for an attack more efficiently.
6 For example, runs of the NS protocol with at least an initiator and a responder can be specified by the formula (∃i : A.true) ∧ (∃j : B.true), which rules out states that contain only instances of A or only instances of B.
References
[1] ABADI, M., AND GORDON, A. A Calculus for Cryptographic Protocols: The Spi Calculus. Information and Computation 148, 1 (January 1999), 1–70.
[2] ALUR, R., AND WANG, B.-Y. "Next" Heuristic for On-the-Fly Model Checking. In CONCUR '99: Proceedings of the 10th International Conference on Concurrency Theory (London, UK, 1999), Springer-Verlag, pp. 98–113.
[3] AMADIO, R., LUGIEZ, D., AND VANACKÈRE, V. On the symbolic reduction of processes with cryptographic functions. Theoretical Computer Science 290, 1 (2003), 695–740.
[4] BALDI, G., BRACCIALI, A., FERRARI, G., AND TUOSTO, E. A Coordination-based Methodology for Security Protocol Verification. In International Workshop on Security Issues with Petri Nets and other Computational Models (Bologna (Italy), June 26 2004, Feb. 2005), N. Busi, R. Gorrieri, and F. Martinelli, Eds., vol. 121 of Electronic Notes in Theoretical Computer Science, Elsevier, pp. 23–46.
[5] BASIN, D., MÖDERSHEIM, S., AND VIGANÒ, L. An on-the-fly model-checker for security protocol analysis. Vol. 2808 of Lecture Notes in Computer Science. Springer Berlin / Heidelberg, 2003, pp. 253–270.
[6] BASIN, D. A. Lazy infinite-state analysis of security protocols. In Proceedings of the International Exhibition and Congress on Secure Networking - CQRE (Secure) '99 (London, UK, 1999), Springer-Verlag, pp. 30–42.
[7] BODEI, C., DEGANO, P., NIELSON, F., AND NIELSON, H. R. Static analysis for secrecy and non-interference in networks of processes. Lecture Notes in Computer Science 2127 (2001), 27–34.
[8] BOREALE, M. Symbolic trace analysis of cryptographic protocols. In Colloquium on Automata, Languages and Programming (July 2001), F. Orejas, P. Spirakis, and J. van Leeuwen, Eds., vol. 2076 of Lecture Notes in Computer Science, Springer-Verlag.
[9] BOREALE, M., AND BUSCEMI, M. A method for symbolic analysis of security protocols. Theoretical Computer Science 338, Issues 1-3 (2005), 393–425.
[10] BORGSTRÖM, J., BRIAIS, S., AND NESTMANN, U. Symbolic Bisimulation in the Spi Calculus. In International Conference in Concurrency Theory (2004), P. Gardner and N. Yoshida, Eds., vol. 3170 of Lecture Notes in Computer Science, Springer-Verlag, pp. 161–176.
[11] CHEVALIER, Y., KÜSTERS, R., RUSINOWITCH, M., AND TURUANI, M. Deciding the security of protocols with Diffie-Hellman exponentiation and products in exponents. In Foundations of Software Technology and Theoretical Computer Science (2003), P. Pandya and J. Radhakrishnan, Eds., vol. 2914 of Lecture Notes in Computer Science, Springer-Verlag, pp. 124–135.
[12] CHEVALIER, Y., KÜSTERS, R., RUSINOWITCH, M., AND TURUANI, M. An NP decision procedure for protocol insecurity with XOR. In Annual Symposium on Logic in Computer Science (2003), IEEE Computer Society, pp. 261–270.
[13] CLARKE, E., JHA, S., AND MARRERO, W. Using State Space Exploration and a Natural Deduction Style Message Derivation Engine to Verify Security Protocols. In IFIP Working Conference on Programming Concepts and Methods (PROCOMET) (1998).
[14] CREMERS, C. J. Unbounded verification, falsification, and characterization of security protocols by pattern refinement. In CCS '08: Proceedings of the 15th ACM conference on Computer and communications security (New York, NY, USA, 2008), ACM, pp. 119–128.
[15] DURGIN, N., LINCOLN, P., MITCHELL, J., AND SCEDROV, A. Undecidability of bounded security protocols, Aug. 10 1999.
[16] EDELKAMP, S., LEUE, S., AND LLUCH-LAFUENTE, A. Directed explicit-state model checking in the validation of communication protocols. Int. J. Softw. Tools Technol. Transf. 5, 2 (2004), 247–267.
[17] FABREGA, J., HERZOG, J., AND GUTTMAN, J. Strand spaces: Proving security protocols correct. Journal of Computer Security 7, 2,3 (January 1999), 181–230.
[18] FERRARI, G., BRACCIALI, A., AND TUOSTO, E. A symbolic framework for multi-faceted security protocol analysis. International Journal of Information Security 7, 1 (2008), 55–84.
[19] GRADARA, S., SANTONE, A., AND VILLANI, M. L. Formal verification of concurrent systems via directed model checking. Electron. Notes Theor. Comput. Sci. 185 (2007), 93–105.
[20] KEHNE, A., SCHÖNWÄLDER, J., AND LANGENDÖRFER, H. Multiple authentications with a nonce-based protocol using generalized timestamps. In Proc. ICCC '92 (Genua, 1992).
[21] LOWE, G. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In Tools and Algorithms for the Construction and Analysis of Systems (1996), vol. 1055, Springer-Verlag, pp. 147–166.
[22] MILLEN, J. K., AND SHMATIKOV, V. Constraint solving for bounded-process cryptographic protocol analysis. In ACM Conference on Computer and Communications Security (2001), pp. 166–175.
[23] MITCHELL, J., MITCHELL, M., AND STERN, U. Automated analysis of cryptographic protocols using Murφ. In Computer Security Foundations Workshop (1997), IEEE Computer Society, pp. 141–151.
[24] PAULSON, L. Proving properties of security protocols by induction. In Computer Security Foundations Workshop (1997), IEEE Computer Society.
[25] RUSSELL, S. J., AND NORVIG, P. Artificial Intelligence: A Modern Approach (2nd Edition). Prentice Hall, December 2002.
[26] SHMATIKOV, V. Decidable analysis of cryptographic protocols with products and modular exponentiation. In European Symposium on Programming (April 2004), D. Schmidt, Ed., vol. 2986 of Lecture Notes in Computer Science, Springer-Verlag, pp. 355–369.
[27] SONG, D., BEREZIN, S., AND PERRIG, A. Athena, a novel approach to efficient automatic security protocol analysis. Journal of Computer Security 9, 1,2 (2001), 47–74.
[28] TUOSTO, E. Non-Functional Aspects of Wide Area Network Programming. PhD thesis, Dipartimento di Informatica, Università di Pisa, May 2003. TD-8/03.
A Model for PL formulae
We borrow from [?] the definition of models for PL.
Definition 4 (Model for PL formulae). Let $\chi$ be a mapping from indexed variables to indexed messages, $\kappa$ a knowledge and $\varphi$ a closed formula of PL. Then $\langle \kappa, \chi \rangle$ is a model for $\varphi$ if $\kappa \models_\chi \varphi$ can be proved by the following rules (where $n$ stands for an instance index):

$$
\frac{x_a^n\chi = m\chi}{\kappa \models_\chi x_a^n = m}\ (=)
\qquad
\frac{\kappa \vdash m\chi}{\kappa \models_\chi \kappa \vdash m}\ (\vdash)
$$

$$
\frac{\text{exists } n \text{ s.t. } A_n \in \kappa \qquad \kappa \models_\chi \varphi[n/i]}{\kappa \models_\chi \exists i : A.\ \varphi}\ (\exists)
\qquad
\frac{\text{forall } n \text{ s.t. } A_n \in \kappa \qquad \kappa \models_\chi \varphi[n/i]}{\kappa \models_\chi \forall i : A.\ \varphi}\ (\forall)
$$

$$
\frac{\kappa \models_\chi \varphi \qquad \kappa \models_\chi \psi}{\kappa \models_\chi \varphi \wedge \psi}\ (\wedge)
\qquad
\frac{\kappa \models_\chi \varphi}{\kappa \models_\chi \varphi \vee \psi}\ (\vee_1)
\qquad
\frac{\kappa \models_\chi \psi}{\kappa \models_\chi \varphi \vee \psi}\ (\vee_2)
\qquad
\frac{\kappa \not\models_\chi \varphi}{\kappa \models_\chi \neg\varphi}\ (\neg)
$$
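To make Definition 4 concrete, and to exhibit the vacuous-quantification step that the proof sketch of Theorem 4.1 relies on, the following evaluator decides $\kappa \models_\chi \varphi$ rule by rule. It is an added example written for this page, not code from the paper or from ASPASyA. The message term language (names, pairs, symmetric encryption), the Dolev-Yao closure used to decide $\kappa \vdash m$ (which PL itself leaves to the underlying cIP semantics), and the sample knowledge and substitution in demo() are all assumptions made for the illustration.

```python
"""Evaluator for the PL satisfaction relation  kappa |=_chi phi  (Appendix A).

Added example, not code from the paper or from ASPASyA.  Assumed here: the
message term language, the Dolev-Yao closure deciding kappa |- m, and the
constructed sample data in demo().

Messages: a name is a str; ('pair', m1, m2); ('enc', m, k) encrypts m under
symmetric key k; ('var', x, n) is the indexed variable x^n (n may still be a
bound index variable such as 'i' before instantiation).
Formulae: ('=', m1, m2)  ('|-', m)  ('exists', i, A, phi)  ('forall', i, A, phi)
          ('and', p, q)  ('or', p, q)  ('not', p)
"""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Tuple

Chi = Dict[Tuple[str, int], Any]          # chi: indexed variables -> messages


@dataclass(frozen=True)
class Instance:                           # principal instance A_n
    principal: str
    index: int


def apply_chi(m: Any, chi: Chi) -> Any:
    """m chi: replace each assigned variable x^n by chi(x^n)."""
    if isinstance(m, tuple):
        if m[0] == "var":
            return chi.get((m[1], m[2]), m)
        return (m[0],) + tuple(apply_chi(t, chi) for t in m[1:])
    return m


def subst(phi: Any, i: str, n: int) -> Any:
    """phi[n/i]: instantiate the bound index i with the instance index n.
    Messages and formulae share the tuple encoding, so one walker serves both."""
    if not isinstance(phi, tuple):
        return phi
    if phi[0] == "var":
        return ("var", phi[1], n) if phi[2] == i else phi
    if phi[0] in ("exists", "forall") and phi[1] == i:
        return phi                        # i is re-bound here: leave the body alone
    return (phi[0],) + tuple(subst(t, i, n) for t in phi[1:])


def analyse(kappa: FrozenSet[Any]) -> set:
    """Assumed Dolev-Yao analysis: project pairs and decrypt under known keys
    until a fixpoint is reached."""
    known = {m for m in kappa if not isinstance(m, Instance)}
    while True:
        parts = {t for m in known if isinstance(m, tuple) and m[0] == "pair" for t in m[1:]}
        parts |= {m[1] for m in known if isinstance(m, tuple) and m[0] == "enc" and m[2] in known}
        if parts <= known:
            return known
        known |= parts


def synth(m: Any, known: set) -> bool:
    """kappa |- m: m is known, or composable by pairing/encryption from known parts."""
    if m in known:
        return True
    if isinstance(m, tuple) and m[0] in ("pair", "enc"):
        return synth(m[1], known) and synth(m[2], known)
    return False


def instances(kappa: FrozenSet[Any], principal: str) -> List[Instance]:
    return [a for a in kappa if isinstance(a, Instance) and a.principal == principal]


def sat(kappa: FrozenSet[Any], chi: Chi, phi: Any) -> bool:
    """kappa |=_chi phi, one branch per rule of Definition 4."""
    op = phi[0]
    if op == "=":                                             # (=)
        return apply_chi(phi[1], chi) == apply_chi(phi[2], chi)
    if op == "|-":                                            # (|-)
        return synth(apply_chi(phi[1], chi), analyse(kappa))
    if op in ("exists", "forall"):                            # (exists) / (forall)
        cases = (sat(kappa, chi, subst(phi[3], phi[1], a.index))
                 for a in instances(kappa, phi[2]))
        return any(cases) if op == "exists" else all(cases)   # all() is vacuously True
    if op == "and":                                           # (and)
        return sat(kappa, chi, phi[1]) and sat(kappa, chi, phi[2])
    if op == "or":                                            # (or1) / (or2)
        return sat(kappa, chi, phi[1]) or sat(kappa, chi, phi[2])
    if op == "not":                                           # (not): kappa |/=_chi phi
        return not sat(kappa, chi, phi[1])
    raise ValueError(f"unknown formula {phi!r}")


def demo() -> Dict[str, bool]:
    """Constructed sample: two A instances and one B instance; the intruder has
    captured {na}_kab and, by assumption, also holds kab, so A_1's nonce leaks."""
    kappa = frozenset({Instance("A", 1), Instance("A", 2), Instance("B", 1),
                       ("enc", "na", "kab"), "kab", ("pair", "nb", "B")})
    chi: Chi = {("x", 1): "na", ("x", 2): "nb", ("y", 1): "nb"}
    secrecy = ("forall", "i", "A", ("not", ("|-", ("var", "x", "i"))))  # forall i:A. not(kappa |- x^i)
    agree = ("exists", "j", "B", ("exists", "i", "A",                   # exists j:B. exists i:A. x^i = y^j
             ("=", ("var", "x", "i"), ("var", "y", "j"))))
    no_a = frozenset(m for m in kappa if not (isinstance(m, Instance) and m.principal == "A"))
    return {
        "secrecy_holds": sat(kappa, chi, secrecy),             # False: na is derivable
        "attack_found": sat(kappa, chi, ("not", secrecy)),     # True
        "agreement": sat(kappa, chi, agree),                   # True: x^2 = y^1 = nb
        # Vacuous case behind the proof of Theorem 4.1: with no A_n in kappa the
        # universal formula holds and its negation can never be satisfied.
        "vacuous_forall": sat(no_a, chi, secrecy),             # True
        "vacuous_attack": sat(no_a, chi, ("not", secrecy)),    # False
    }
```

demo() reports the secrecy formula $\forall i : A.\ \neg(\kappa \vdash x^i)$ as violated, because the constructed knowledge lets the intruder decrypt the nonce of $A_1$, and its negation (the attack) as satisfied. Removing every $A_n$ from $\kappa$ makes the universal formula hold vacuously, so that $\neg\varphi$ can no longer be satisfied whatever $\varphi'$ says; this is exactly the case the proof sketch of Theorem 4.1 appeals to when it concludes that a state with no instance of A (and none pending) cannot lead to a violation of $\forall i : A.\ \varphi'$.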
Available from: Emilio Tuosto (23 Apr 2013); le.ac.uk; arxiv.org