A Formal Model for the Analysis of Wireless
Network Security Protocols∗
Francesco Ballardin and Massimo Merro
Dipartimento di Informatica, Università degli Studi di Verona, Italy
Abstract
We propose a timed broadcasting calculus for wireless networks, enhanced with cryptographic constructs for modelling security protocols. The
operational semantics of our calculus is given both in terms of a Reduction Semantics and in terms of a Labelled Transition Semantics. We prove
that the two semantics coincide. The labelled transition system is used
to derive a standard notion of (weak) bisimilarity which is proved to be
a congruence. We then adapt Gorrieri and Martinelli’s tGNDC , a general
scheme for the definition of security properties, to investigate the safety of
non-trivial wireless network security protocols.
1
Introduction
Communication technologies such as WiFi, Bluetooth, and Homeplug are widely
diffused and rely on short-range networking for disparate wireless devices in home
and office environments. Larger wireless networks such as cellular, sensor and
vehicular ad hoc networks are also becoming more and more popular.
In order to design a secure wireless network, several aspects have to be considered [25]: key establishment and trust setup, secrecy and authentication, and
privacy. Key establishment can be considered the base of the system; a secure
and efficient key distribution mechanism is needed for large scale sensor networks.
Once every node has its own keys, these are used to authenticate and encrypt
(if needed) the messages they exchange. Several protocols have been proposed in
the literature regarding authentication and privacy [26, 16] and key distribution
[4, 5].
∗
This work was partially supported by the PRIN 2007 project “SOFT”.
1
In the last four years, a number of distributed process calculi have been proposed for modelling different aspects of wireless systems [19, 23, 28, 17, 9, 7, 18, 8].
However, none of this calculi contains cryptographic features to deal with wireless
security protocols. On the other hand, timed cryptographic process algebrab have
been proposed [11, 12] to study security protocols in wireless systems. These calculi are cryptographic timed extension of Milner’s CCS, where node distribution,
wireless broadcast, and message lost are not taken into account. These features
are somehow simulated in terms of point-to-point transmission and (discrete)
time.
We propose a simple timed broadcasting process calculus, called tcryptoCWS,
enhanced with cryptographic constructs for modelling wireless security protocols.
The time model we use is known as the fictitious clock approach (see e.g. [13]).
A global clock is supposed to be updated whenever all nodes agree on this, by
globally synchronising on a special action σ. Formally, we assume a clock synchronisation protocol for wireless networks [29]. All the other actions are assumed
to take no time. This is reasonable if we choose a time unit such that the actual
time of an action is negligible with respect the time unit. The operational semantics of the calculus is given both in terms of a reduction semantics and a labelled
transition semantics. The two operational semantics are proved to coincide. The
calculus enjoys standard time properties, such as: time determinism, maximal
progress and patience [13]. The labelled transition semantics is used to derive a
a standard notion of (weak) bisimilarity which is proved to be a congruence.
As a main application, we use tcryptoCWS, to give a clear and simple specification of two wireless network security protocols: (i) µTESLA [27], a wellknown protocol to achieve authenticated broadcast in wireless sensor networks;
(ii) LEAP [32], a powerful keying mechanism that supports the establishment of
four types of keys for each sensor node with little intervention of the base station.
We then adapt Gorrieri and Martinelli’s tGNDC scheme [10, 11], a well-known
general schema for the definition of timed security properties. In particular, we
concentrate on two security properties: timed integrity, which guarantees on the
freshness of authenticated packets; and timed agreement, for which agreement
between initiator and responder must be reached within a certain deadline. We
formally prove that the µTESLA protocol enjoys timed integrity (in µTESLA,
the timed agreement property basically coincides with timed integrity). We then
prove that the LEAP protocol enjoys timed integrity , while it does not respect
timed agreement. When showing that timed agreement fails, we provide an execution trace in which the attacker performs a replay attack by sending an old
packet to the responder.
2
Table 1 The Syntax
Messages
u ::=
x
v
Fi (u1 , . . . , uk )
i
Networks:
M, N ::= 0
M1 | M2
n[P ]ν
Processes:
P, Q ::= nil
!hui.P
b?(x).P cQ
bτ.P cQ
σ.P
[u1 = u2 ]P ; Q
[u1 . . . un `r x]P ; Q
Hhũi
2
variable
closed message
compound messages
empty network
parallel composition
node
termination
broadcast
receiver with timeout
internal with timeout
delay
matching
deduction
recursion
The Calculus
In Table 1, we define the syntax of tcryptoCWS in a two-level structure, a lower
one for processes and a upper one for networks. We use letters a, b, c, . . . for
logical names, x, y, z for variables, u for messages, and v and w for closed values,
i.e. values that do not contain free variables. Closed values actually denotes
messages that are transmitted as packets. We write Fi to denote constructors for
messages.
Inference systems consist of a set of rules to model the possible operations on
messages, possibly using constructors for messages. For instance, the rules
(pair)
v1 v2
pair(v1 , v2 )
(fst)
pair(v1 , v2 )
v1
(snd)
pair(v1 , v2 )
v2
allow us to deal with pairs of values. An instance of the application of rule r to
closed messages vi is denoted as v1 . . . vk `r v0 . Given an inference system, a
deduction function D is defined such that, if Φ is a finite set of closed messages,
then D(Φ) is the set of closed messages that can be deduced starting from Φ by
3
applying instances of the rules in the system. The syntax and the semantics of
tcryptoCWS are parametric with respect to a given inference system.
Networks are collections of nodes (which represent devices) running in parallel
and using a unique common channel to communicate with each other. We use
the symbol 0 to denote the empty network, while M1 | M2 represents
the parallel
Q
composition of two sub-networks M1 and M2 . We write i∈I Mi to
Q mean the
parallel composition of all sub-networks Mi , for i ∈ I. By convention i∈I Mi = 0
if I = ∅. Nodes cannot be created or destroyed. All nodes have the same
transmission range: this is a very common assumption in models for ad hoc
networks [?]. We write n[P ]ν for a node named n (the device network address)
executing the sequential process P . The tag ν denotes the set of (the names of)
the neighbours of n. Said in other words, ν contains all nodes in the transmission
cell of n (execpt n). In this manner, we model the network topology. Notice that
the network topology could have been represented using some kind of restriction
operator à la CCS over node names. We preferred our notation to keep at hand
the neighbours of a node. For simplicity, we assume a static network topology as
node mobility is not relevant to our purposes.
Processes are sequential and live within the nodes. The symbol nil denotes
the skip process. The sender process !hvi.P allows to broadcast the value v.
Sometimes we will write !hvi for !hvi.nil. The process b?(x).P cQ denotes a receiver
with timeout. Intuitively, this process either receives a value, in the current
time interval, and then continues as P , or it idles for one time unit, and then
continues as Q. Upon successful reception the variable x of P is instantiated
with the received message. Similarly, the process bτ.P cQ denotes a process that
either perform an internal action, in the current time interval, and then continues
as P , or it idles for one time unit, and then continues as Q. The process σ.P
models sleeping for one time unit. Process [v1 = v2 ]P ; Q is the standard “if
then else” construct: it behaves as P if v1 = v2 , and as Q otherwise. Sometime,
we will write [v1 = v2 ]P to mean [v1 = v2 ]P ; nil. Process [v1 . . . vk `r x]P ; Q is
the inference construct. It tries to infer a message w from the set of premises
{v1 . . . , vk } through an application of rule `r ; if it succeeds, then it behaves
as P (where w replaces x), otherwise it behaves as Q. As for the matching
construct, we will write [v1 . . . vn `r x]P to mean [v1 . . . vn `r x]P ; nil. In processes
σ.P, b?(x).P1 cP2 , bτ.P1 cP2 and and !hvi.P the occurrences of P, P1 and P2 are
said to be guarded. We write Hhṽi to denote a process defined via an equation
H(x̃) = P , with | x̃ |=| ṽ |, where x̃ contains all variables that appear free in P .
Defining equations provide guarded recursion, since P may contain only guarded
occurrences of process identifiers, such as H itself. The recursion construct allows
us to define a persistent listener, i.e. a receiver which waits indefinitely for an
incoming message. We will use the notation ?(x).P to indicate such listener,
4
Table 2 Reduction Semantics
(R-Bcast)
(R-Internal)
m[!hvi.P ]ν |
Q
∀i ∈ I ni ∈ ν m ∈ νi Q
νi
ν
νi
v
n
[b?(x
i ).Pi cQi ] _ m[P ] |
i∈I i
i∈I ni [{ /xi }Pi ]
−
m[bτ.P cQ]ν _ m[P ]ν
(R-Sigma)
Q
(R-Par)
M _ M0
M | N _ M0 | N
−
σ
νj Q
νk
−−
_
i∈I ni [σ.Pi ] |
j∈J nj [b. . .cQj ] |
k∈K nk [nil]
Q
νi Q
νj Q
νk
i∈I ni [Pi ] |
j∈J nj [Qj ] |
k∈K nk [nil]
νi
Q
σ
M ≡ N N _ N0 N0 ≡ M0
M ≡ N N −−
_ N0 N0 ≡ M0
(R-Struct1)
(R-Struct2)
σ
M _ M0
M −−
_ M0
defined via the following recursive definition Rcv = b?(x).P cRcv. Similarly, we
can write τ.P to denote the process defined as T au = bτ.P cT au. In the term
b?(x).P cQ the variable x is bound in P . This gives rise to the standard notion
of α-conversion. We identify processes and networks up to α-conversion. We
assume there are no free variables in our networks. The absence of free variables
in networks is trivially maintained as the network evolves. We write {v/x }P for
the substitution of the variable x with the value v in P .
Given a network M , nds(M ) returns the names of M . If m ∈ nds(M ), the
function ngh(m, M ) returns the set of neighbours of m in M . Thus, for M =
m[P ]ν | N it holds that ngh(m, M ) = ν. We write Env(M ) to mean all the
nodes of the environment reachable by the network M . The formal definition is:
Env(M ) = ∪m∈nds(M ) ngh(m, M )\nds(M ).
2.1
Reduction semantics
The dynamics of the calculus is given in terms of two reduction relations over networks described in Table 2. As usual in process calculi, the reduction semantics
relies on an auxiliary relation, called structural congruence, ≡, defined in Table 3.
Basically, structural congruence brings the participants of a potential interaction
into contiguous positions (for details see Table 3 in the Appendix). The computaσ
tion proceeds in lock-step: between global synchronisation, denoted with −−
_, all
nodes proceeds asynchronously by performing actions with no duration, denoted
with _.
Rule (R-Bcast) models the broadcast of a message v. Communication proceeds
5
Table 3 Structural Congruence
n[[v1 . . . vn `r v]P ; Q]ν ≡ n[P ]ν if v1 . . . vn `r v
n[[v1 . . . vn `r v]P ; Q]ν ≡ n[Q]ν if 6 ∃ v. v1 . . . vn `r v
n[[v = v]P ; Q]ν ≡ n[P ]ν
n[[v1 = v2 ]P ; Q]ν ≡ n[Q]ν if v1 6= v2
def
n[Ahṽi]ν ≡ n[{v/x }P ]ν if Ahṽi = P ∧ | x̃ |=| ṽ |
M |N ≡N |M
(M | N ) | M 0 ≡ M | (N | M 0 )
M |0≡M
M ≡M
M ≡ N implies N ≡ M
M ≡ M 0 ∧ M 0 ≡ M 00 implies M ≡ M 00
M ≡ N implies M | M 0 ≡ N | M 0 , for all M 0
(Struct
(Struct
(Struct
(Struct
DedT)
DedF)
Then)
Else)
(Struct
(Struct
(Struct
(Struct
(Struct
(Struct
(Struct
(Struct
Rec)
Par Comm)
Par Assoc)
Zero Par)
Refl)
Symm)
Trans)
Ctx Par)
even if there are no listeners: transmission is a non-blocking action. Note that
some receivers within the range of the transmitter might not receive the message.
This may be due to several reasons such as the presence of obstacles or the
asynchrony of nodes. Rule (R-Internal) models local computations. Rules (R-Par),
(R-Struct1) and (R-Struct2) are standard in process calculi. Rule (R-Sigma) models
the passage of time. By maximal progress, sender nodes cannot be delayed. This
property will be discussed in detail in Section 3. We write _? to denote the
reflexive and transitive closure of _.
2.2
Well-formedness
The syntax presented in Table 1 allows to derive inconsistent networks. We
rule out networks containing two nodes with the same name. We assume that
neighbouring is a symmetric relation. This is because in our networks all nodes
have the same transmission range. So, if a node m can hear n then also n
can hear m. Finally, in order to guarantee clock synchronisation, we assume
network connectivity, i.e. all nodes are connected to each other, although not
always directly. Formally,
Definition 2.1 (Well-formedness) M is said to be well-formed if
• whenever M ≡ M1 | m1 [P1 ]ν1 | m2 [P2 ]ν2 it holds that m1 6= m2 ;
6
• whenever M ≡ N | m1 [P1 ]ν1 | m2 [P2 ]ν2 with m1 ∈ ν2 it holds that m2 ∈ ν1 ;
• for all m, n ∈ nds(M ) there are m1 , . . . , mk ∈ nds(M ), such that m=m1 ,
n=mk , νj = ngh(mj , M ), for 1≤j≤k, and mi ∈ νi+1 , for 1≤i≤k−1.
σ
Proposition 2.2 Let M be a well-formed network. If M _ M 0 or M −−
_ M0
then M 0 is a well-formed network.
Proof By transition induction. Notice that, at run time, the network topology
can not change and nodes can not be created or destroyed.
2.3
Behavioural semantics
In this section we propose a timed behavioural equivalence for our wireless networks. Our starting point is Milner and Sangiorgi’s barbed congruence [22],
a standard contextually-defined program equivalence. Intuitively, two terms are
barbed congruent if they have the same observables (or barbs), in all possible contexts, under all possible evolutions. The definition of barbed congruence strongly
relies on two crucial concepts: a reduction semantics to describe how a system
evolves, and a notion of observable which says what the environment can observe
in a system.
Let us focus on the definition of an appropriate notion of observable. In our
calculus, as in CCS [20] and in π-calculus [21], we have both transmission and
reception of messages. However, in asynchronous calculi only the transmission of
messages may be observed [1].
Definition 2.3 (Barb) We write M ↓µ if M ≡ (m[!hvi.P ]ν | N ) and µ ⊆
ν \ nds(M ). We write M ⇓µ if M _∗ M 0 ↓µ .
The barb M ⇓µ says that there is a transmission at M , ready to fire, reaching
the nodes of the environment contained in µ. In the sequel, we write R to denote
binary relations over well-formed networks.
Definition 2.4 (Barb preserving) A relation R is barb preserving if whenever M R N and M ↓µ there is N 0 such that N _∗ N 0 ↓µ .
Definition 2.5 (Reduction closure) A relation R is reduction closed if whenever M R N it holds the following:
• if M _ M 0 there is N 0 such that N _? N 0 and M 0 R N 0 ;
σ
σ
__? N 0 and M 0 R N 0 .
• if M −−
_ M 0 there is N 0 such that N _? −−
7
Definition 2.6 (Contextuality) A relation R is said contextual if M R N ,
for M and N well-formed, implies M | O R N | O for all networks O such that
M | O and N | O are well-formed.
Finally, everything is in place to define timed reduction barbed congruence.
Definition 2.7 (Timed reduction barbed congruence) Timed reduction barbed
congruence, written ∼
=, is the largest symmetric relation over networks, which is
reduction closed, barb preserving, and contextual.
3
Time properties
Proposition 3.1 formalises the determinism nature of time passing: a network can
reach at most one new state by executing the action σ.
Proposition 3.1 (Time Determinism) Let M be a well-formed network. If
σ
σ
M −−
_ M 0 and M −−
_ M 00 then M 0 and M 00 are syntactically the same.
σ
Proof By induction on the length of the proof of M −−
_ M 0.
In [13], the maximal progress property says that processes communicate as
soon as a possibility of communication arises.
Proposition 3.2 (Maximal Progress) Let M be a well-formed network. If
σ
M ≡ m[!hvi.P ]ν | N then M −−
_ M 0 for no network M 0 .
σ
Proof By definition of −−
_.
Patience guarantees that a process will wait indefinitely until it can communicate [13]. In our setting, this means that if no transmissions can start then it
must be possible to execute a σ-action to let time pass.
Q
Proposition 3.3 (Patience) Let M ≡ i∈I mi [Pi ]νi be a well-formed network,
such that for all i ∈ I it holds that mi [Pi ]νi 6≡ mi [!hvi.Qi ]νi , then there is a network
σ
N such that M −−
_ N.
Proof By simply noticing that if mi [Pi ]νi 6≡ mi [!hvi.Qi ]νi , for all i ∈ I, then,
up to structural congruence, the process Pi must be be a process which does
not start with a matching or deduction process. So, using rules (R-Struct2) and
(R-Sigma) we can derive the desired reduction.
8
Table 4 LTS - Transmission, internal actions, and time passing.
(Snd)
−
ν
m!vBν
ν
m[!hvi.P ] −−−−−
→ m[P ]
(RcvEnb)
(RcvPar)
m?v
M −−−→
− M
m!vBν
M −−−−−
→ M0
ν
−
σ
n[b?(x).P cQ]ν −−
→ n[Q]ν
σ
m?v
M | N −−−→
− M0 | N0
µ := ν\nds(N )
τ
M −−
→ M0
(TauPar)
τ
M | N −−
→ M0 | N
(Delay)
−
σ
n[σ.P ] −−
→ n[P ]ν
(σ-Tau)
−
σ
m[bτ.P cQ]ν −−
→ m[Q]ν
σ
M −−
→ M 0 N −−
→ N0
(σ-Par)
σ
M | N −−
→ M0 | N0
4
N −−−→
− N0
m?v
N −−−→
− N0
M | N −−−−−
→ M0 | N0
−
σ
n[nil] −−
→ n[nil]ν
(σ-Rcv)
m?v
M −−−→
− M0
m!vBµ
−
(Tau)
τ
m[bτ.P cQ]ν −−
→ m[P ]ν
(σ-nil)
m?v
n[b?(x).P cQ]ν −−−→
− n[{v/x }P ]ν
m?v
m∈
/ nds(M )
(Bcast)
m∈ν
(Rcv)
(σ-0)
ν
−
σ
0 −−
→0
Labelled Transition Semantics
In Table 4, we provide a Labelled Transition System (LTS) for our calculus. In
rule (Snd) a sender dispatches its message to its neighbours ν, and then continues
the execution as process P . The symbol ν in the label m!v.ν keeps track of neighbours of m which can potentially receive the message. In rule (Rcv) a receiver
gets a message coming from a neighbour node m, and then evolves into process
P , where all the occurrences of the variable x are replaced with the value v of the
message. If no message were received in one time unit, the node n will continue
with process Q following the rule (σ-Rcv). In rule (RcvPar) we model the composition of two networks receiving the same message from the same transmitter.
Rule (RcvEnb) says that every network is enabled to receive messages from an
external transmitter. This rule is essential to model message lost. The premise
m 6∈ nds(M ) ensures that M does not contains the transmitter. Rule (Bcast)
models the propagation of messages on a broadcast channel. Note that since rule
(Bcast) merges two networks into a bigger one, the set ν loses track of all the
neighbours nodes of m that are in N . Rule (Tau) models local computations.
9
Table 5 LTS - Matching, recursion and deduction
λ
(Then)
λ
n[P ]ν −−
→ n[P 0 ]ν
(Else)
λ
n[[v = v]P ; Q]ν −−
→ n[P 0 ]ν
λ
(Rec)
n[{ṽ/x̃}P ]ν −−
→ n[P 0 ]ν
n[Q]ν −−
→ n[Q0 ]ν
v1 6= v2
λ
n[[v1 = v2 ]P ; Q]ν −−
→ n[Q0 ]ν
def
H(x̃) = P
λ
n[Hhṽi]ν −−
→ n[P 0 ]ν
λ
(DedTrueT)
n[{v/x }P ]ν −−
→ n[P 0 ]ν v1 . . . vn `r v
λ
n[[v1 . . . vn `r x]P ; Q]ν −−
→ n[P 0 ]ν
λ
(DedFalse)
n[Q]ν −−
→ n[Q0 ]ν 6 ∃ v. v1 . . . vn `r v
λ
n[[v1 . . . vn `r x]P ; Q]ν −−
→ n[Q0 ]ν
Rule (TauPar) serves to propagate internal computations on parallel components.
The remaining rules model the passage of time. Rule (Delay) model the delay of a
time unit. Rules (σ-nil) and (σ-0) are straightforward. Rules (σ-Rcv) models timeout on receivers. Similarly, (σ-Tau) models timeout on internal activities. Rule
(σ-Par) models time synchronisation between parallel components (time passes at
the same rate for everyone). Notice that, according to maximal progress, sender
nodes cannot perform σ-actions. Rules (Bcast) and (TauPar) have their symmetric
counterpart.
In Table 5 we report the obvious rules for nodes containing: matching, recursion and deduction processes (we recall that only guarded recursion is allowed).
In the sequel we use the metavariable λ to range over the labels: m!v.ν, m?v, τ ,
and σ.
The LTS-based semantics is consistent with the reduction semantics and the
notion of observability. Before proving this statement, we need a couple of auxiliary lemmas.
Lemma 4.1
m?v
1. If M −−−→
− M 0 then there are a (possibly empty)Qindex set I, ni , Pi , Qi , νi
and N , with
m ∈ νi , for all i ∈ I, such that M ≡ i∈I ni [b?(xi ).Pi cQi ]νi | N
Q
and M 0 ≡ i∈I ni [{v/xi }P ]νi | N .
m!v.µ
2. If M −−−−−
→ M 0 then there are P , ν, N , I (possibly empty) and ni , Pi , Qi ,
νQi , with ni ∈ µ ⊆ ν and m ∈ νi , for all i ∈ I,Qsuch that M ≡ m[!hvi.P ]ν |
νi
ν
νi
0
v
i∈I ni [b?(x).Pi cQi ] | N and M ≡ m[P ] |
i∈I ni [{ /x }P ] | N .
Proof By transition induction.
10
λ
Lemma 4.2 (≡ respects transitions) If M −−
→ M 0 and M ≡ N then there
λ
exists N 0 such that N −−
→ N 0 and M 0 ≡ N 0 .
Theorem 4.3 (Harmony Theorem)
m!v.µ
1. M ↓µ iff M −−−−−
→, for some m and v.
τ
m!vBν
2. If M _ M 0 then either M −−
→≡ M 0 or M −−−−−
→≡ M 0 , for some m, v, ν.
σ
σ
3. If M −−
_ M 0 then M −−
→≡ M 0 .
m!vBν
τ
4. If M −−−−−
→ M 0 or M −−
→ M 0 then M _ M 0 .
σ
σ
5. If M −−
→ M 0 then M −−
_ M 0.
Proof See the Appendix.
5
Bisimulation proof methods
The definition of timed reduction barbed congruence is simple and intuitive. However, due to the universal quantification on parallel contexts, it may be quite difficult to prove that two terms are equivalent. Simpler proof techniques are based
on labelled bisimilarities. In this section, we propose an appropriate notion of
bisimulation between networks. As a main result, we prove that our labelled
bisimilarity is a proof-technique for timed reduction barbed congruence.
In the sequel, we use our LTS to define define a standard notion of timed
labelled bisimilarity. In general, a bisimulation describes how two terms (in our
case networks) can mimic each other actions. Since we are focusing on weak
equivalences we have to distinguish between transmissions which may be observed
and transmissions which may not be observed by the environment.
m!v.ν
(Obs)
M −−−−→
− M0
m!v.∅
M −−−−→
− M0
(Shh)
τ
M −−
→ M0
ν 6= ∅
!v.ν
M −−−→
− M0
Rule (Shh) models transmissions that cannot be observed because none of the
potential receivers is in the environment. Rule (Obs) models a transmission of a
message v that can be received (and hence observed) by those nodes of the environment contained in ν. The name of the transmitter is removed as in reality the
identity of the transmitter can only be guaranteed using appropriate protocols.
Notice that in a derivation tree the rule (Obs) can only be applied at top-level.
11
In the rest of the paper, the metavariable α range over the following actions:
!v.ν, m?v, τ , and σ. We adopt the standard notation for weak transitions: =
⇒
τ
α
α̂
α
denotes the reflexive and transitive closure of −−
→; ==
⇒ denotes =
⇒ −−
→=
⇒; ==
⇒
α
denotes =
⇒ if α = τ and ==
⇒ otherwise.
Definition 5.1 (Bisimilarity) A relation R over well-formed networks is a
α
simulation if M R N implies that whenever M −−
→ M 0 there is N 0 such that
α̂
N ==
⇒ N 0 and M 0 R N 0 . A relation R is called bisimulation if both R and its
converse are simulations. We say that M and N are bisimilar, written M ≈ N ,
if there is some bisimulation R such that M R N .
It is worth noticing that whenever two networks are bisimilar then they must
have the same set of nodes.
Proposition 5.2 If M ≈ N then nds(M ) = nds(M ).
Proof By contradiction. Suppose there is a node m such that m ∈ nds(M ) and
m?v
m 6∈ nds(N ). Then, by an application of rule (RcvEnb) we derive N −−−→
− N.
m?v
0
0
0
0
Since M ≈ N there must be M such that M ===⇒
= M with M ≈ N . However,
since m ∈ nds(M ), by inspection on the transition rules, there is no way to deduce
m?v
a weak transition of the form M ===⇒
= M 0.
Our notion of bisimilarity between networks is contextual, as it is preserved
by parallel composition.
Theorem 5.3 (≈ is contextual) Let M and N be two well-formed networks
such that M ≈ N . Then M | O ≈ N | O for all networks O such that M | O and
N | O are well-formed.
Proof We prove that the relation
R = {(M | O, N | O) s.t. M ≈ N and M | O, N | O are well-formed}
α
is a bisimulation. We proceed by case analysis on why M | O −−
→ Z. The
interesting cases are when the transition is due to an interaction between M and
O. The other cases are simpler.
!v.ν
• Let M | O −−−→
− M 0 | O0 (ν 6= ∅) by an application of rule (Obs), because
m!v.ν
M | O −−−−→
− M 0 | O0 , by an application of rule (Bcast). There are two
possible ways to derive this transition.
12
m!v.µ
m?v
– M −−−−−
→ M 0 and O −−−→
− O0 , with m ∈ nds(M ) and ν = µ \ nds(O).
!v.µ
By an application of rule (Obs) we obtain that M −−−→
− M 0 . Since
!v.µ
M ≈ N , it follows that there is N 0 such that N ===⇒
= N 0 with M 0 ≈
h!v.µ
N 0 . This implies that there exists h ∈ nds(N ) such that N ====⇒
= N 0.
We recall that N | O is well-formed. This implies:
∗ h ∈
/ nds(O), because a network can not contain two nodes with
the same name;
∗ µ ⊆ ngh(h, N );
∗ If k ∈ µ ∩ nds(O) then h ∈ ngh(k, O), because the neighbouring
relation is symmetric.
h?v
This implies that O −−−
→ O0 . By an application of rule (Bcast) and
h!v.ν
several applications of rule (TauPar) we have N | O ====⇒
= N 0 | O0 .
As ν 6= ∅, by an application of rule (Obs) and several applications of
!v.ν
rule (TauPar) it follows that N | O ===⇒
= N 0 | O0 . Since M 0 ≈ N 0 , we
obtain (M 0 | O0 , N 0 | O0 ) ∈ R.
m!v.µ
m?v
– M −−−→
− M 0 and O −−−−−
→ O0 , with m ∈ nds(O) and ν = µ \ nds(M ).
m?v
Since M ≈ N , it follows that there is N 0 such that N ===⇒
= N 0 with
0
0
M ≈ N . By an application of rule (Bcast) and several applications of
m!v.ν 0
rule (TauPar) we have N | O =====⇒
= N 0 | O0 , with ν 0 = µ \ nds(N ).
Since M ≈ N , by Proposition 5.2 it follows that ν 0 = ν 6= ∅. Thus, by
!v.ν
an application of rule (Obs) it follows that N | O ===⇒
= N 0 | O0 . Since
0
0
0
0
0
0
M ≈ N , we obtain (M | O , N | O ) ∈ R.
τ
• Let M | O −−
→ M 0 | O0 by an application of rule (Shh) because M |
m!v.∅
O −−−−→
− M 0 | O0 . This case is similar to the previous one.
m?v
• Let M | O −−−→
− M 0 | O0 by an application of rule (RcvPar) because
m?v
m?v
M −−−→
− M 0 and O −−−→
− O0 . Since M ≈ N , it follows that there is N 0
m?v
such that N ===⇒
= N 0 with M 0 ≈ N 0 . By an application of rule (RcvPar)
m?v
and several applications of rule (TauPar) we have N | O ===⇒
= N 0 | O0 .
0
0
0
0
0
0
Since M ≈ N , we obtain (M | O , N | O ) ∈ R.
σ
σ
• Let M | O −−
→ M 0 | O0 by an application of rule (σ-Par) because M −−
→ M0
σ
and O −−
→ O0 . This case is similar to the previous one.
13
Table 6 MiniSec specification
Sender:
Si = [mi NS Ei KG `OCB p]
!hpi.
Si+1
Receiver:
Ri = b?(p).
[p `OCB mj NS Ej KG ]
[j = i]
Ri+2 ;
[j = i − 1]
Ri+1 ;
Rj+2 c
Ri+1
Encrypt payload, nonce and epoch counter,
broadcast packet p,
and go to next state.
Receive a packet,
decrypt payload, nonce and epoch counter,
check epoch of the received packet,
if they match go to Ri+2 ,
else if j was the previous epoch
go to state Ri+1 ,
otherwhise go to state Rj+2 .
If no packet is received, go to Ri+1 .
Theorem 5.4 (Soundness) Let M and N be two well-formed networks such
that M ≈ N . Then M ∼
= N.
Proof Contextuality follows from Theorem 5.3. Reduction-closure follows by
Theorem 4.3. Barb preservation follows by Theorem 4.3(1)
Conjecture 5.5 (Completeness) Let M and N be two well-formed networks
such that M ∼
= N . Then M ≈ N .
6
Three Wireless Network Security Protocols
In this section, we use our calculus to specify three different wireless network
security protocols.
6.1
The MiniSec Protocol
In this section we present a model for the MiniSec protocol. MiniSec [16] was
developed in 2007 to improve security in sensor networks, over the two already
existing protocols TinySec and ZigBee. The purpose of MiniSec is achieving
authenticity, secrecy and replay protection while maintaining low energy consumption.
MiniSec comes with two different versions, MiniSec-U and MiniSec-B, respectively the unicast and broadcast version of the protocol. The focus of this arcti14
cle is only on the latter, because the unicast variant does not present particular
modeling interest, while of course remaining well within the calculus potency.
MiniSec-B works with some assumptions on the network, the most important
being a pre-deployed shared key mechanism. We resume this assumption in our
specification, by the use of a group-key, allowing a receiving node the ability to
authenticate and decrypt the information coming from a sender which is part
of the same group. As said above, the three goals of MiniSec are providing
data authenticity, data secrecy and protection against replay attacks. The first
two of these are obtained through the use of a shared key. Regardless of how we
choose to deploy our keys (using group-keys, network-keys or pair-keys) a receiver
can always authenticate (and thus access) a packet because it can decrypt only
those coming from authorized senders. Protection against replay attacks is instead achieved using a loosely time sinchronization between sender and receivers.
These entities, infact, agree on the passage of a time unit, called epoch: when a
sender builds a packet it includes a tag which represents the current epoch, so
that a receiver can know at which epoch the packet was sent. This however is not
enough to defend completely from replay attacks, but limits the attacks time to a
vulnerability window, which is exactly one epoch plus the maximum network latency ∆N and the maximum clock sinchronization error ∆T , due to the fact that
if a sender broadcasts a packet near the end of an epoch, the receiver can possibly
receive it during the subsequent epoch, up to ∆N + ∆T time inside that epoch,
which intuitively represents the maximum packet delay between its dispatch and
its retrieval. The original MiniSec protocol introduces a Bloom-Filter approach
to further increase security inside a vulnerability window, but we decided to not
include it inside our model, to retain a simpler understanding of it.
In Table 6 we provide a specification of MiniSec in tcryptoCWS. Besides the
deduction rules for dealing with pairs, we require the following deduction rules:
(OCB)
v1 A E K
v = OCB(v1 , A, E, K)
(dOCB)
v = OCB(v1 , A, E, K)
v1 A E K
We modeled it with two processes: a sender and a receiver. The sender Si is
very simple: it builds a tuple with the payload mi , the current epoch Ei and a
nonce NS , and then encrypts those three informations using the OCB algorithm
and the group-key KG . The result of this operation is the packet p. The sender
then proceeds to broadcast p and moves to the next state Si+1 . The receiver is
a bit more complex: every receiving process has a timeout lasting at most one
epoch to receive a packet. Upon successful reception, it decrypts the information
using the group-key KG , and then proceeds to verify the epoch of the packet. As
we said above, a receiver, during an epoch, can both accept a packet sent during
the current epoch and a packet sent during the previous epoch. If no packets are
15
received, then the receiver simply moves into the next state, which identifies the
subsequent epoch. In case of packet loss, a receiver can resinchronize with the
sender by verifing that the received packet has an epoch value j which is bigger
than its current epoch i, thus jumping to state Rj+2 .
6.2
The µTESLA protocol
The µTESLA protocol was designed by Perrig et al. [27] to provide authenticated
broadcast for sensor networks. It is a reviewed version of the TESLA protocol
(Timed, Efficient, Streaming, Loss-tolerant Authentication Protocol ) designed to
account µTESLA uses a set of keys to calculate the MAC (Message Authentication
Code) for every packet that it is transmitted. These keys are generated with a
public one-way function F such that, if k0 , k1 , . . . , kn are the keys used in the
transmission, F (ki ) = ki−1 , for 1 ≤ i ≤ n. The transmission time is split into
time intervals and each key is tied to one of them. In each time interval one or
more packets are deployed by the sender, each one containing the payload and
the MAC calculated with the key bound to that interval. When a new interval
starts, the key tied to the previous interval is disclosed to all receivers, so that
they can authenticate all the packets previously received. Sender and receivers
are loosely time sinchronised on the key disclosure time to prevent malicious
nodes to forge packets with modified payloads. Nodes discard packets containing
MACs calculated with already disclosed keys, as those packets could come from
an attacker. This key-chain mechanism together with the one-way function F ,
provides two major advantages: (i) it allows to calculate lost keys by simply
applying F to the last received key, as many times as necessary; (ii) Every node
can authenticate the most recent key ki by means of the last received key kl
(stored in the node memory) and the function F ; once authenticated, ki replaces
kl in the node memory. The protocol works under the assumption that all nodes
share an initial key k0 , before the protocol starts.
In Table 7 we provide a specification of the µTESLA protocol in tcryptoCWS.
Besides the deduction rules for dealing with pairs, we require a deduction rule to
build MACs: v1 v2 `mac mac(v1 , v2 ). Our encoding contains a few simplifications
with respect to the original protocol. First of all, there is only one packet sent per
time interval, and the sender dispatches one packet and one key alternately. This
yields a more simplified and easy to read model. However, later in this section we
will show how to model the sending of more than one packet per time interval,
without too much effort, to provide a more faithful Second, our specification does
not account for bootstrapping new receivers on the fly.
Let us proceed with the description of our encoding. We essentially define two
kind of processes: senders, Si , and receivers, Rikl , where i is the index number of
16
Table 7 µTESLA specification
Sender:
def
Si = [xi ki `mac mi ]
[mi xi `pair pi ]
!hpi i.σ.
!hki i.σ.
Si+1
Receiver:
def
Rikl = b?(p).σ.Pikl cQki l
def
kl
kl
Qki l = b?(k).σ.Ri+1
cRi+1
def
kl
Pikl = b?(k).Tikl cRi+1
def
kl
Tikl = [F i−l (k) = kl ]Uiki ; σ.Ri+1
def
Uiki = [p `fst m]
[p `snd x]
[x k `mac m0 ]
ki
[m = m0 ]Ziki ; σ.Ri+1
def
ki
Ziki = !hauthi i.σ.Ri+1
Calculate MAC using payload and key,
build a packet with mac and payload,
broadcast packet pi , synchronise,
broadcast key ki , synchronise,
and go to next sending state.
Receive a packet, synchronise, and go to Pikl ;
if timeout go to Qki l .
Receive a key, synchronise, and
go to next receiving state.
Receive a key k and move to state Tikl ;
if timeout go to next receiving state.
Check key k using F and the stored key kl ,
extract MAC from packet p,
extract payload from packet p,
calculate mac for packet p,
verify if it matches with the received one,
if so, authenticate packet i, synchronise,
go to next receiving state, and store ki .
the current key, and kl is the last authenticated key. Since, we bind one packet
with one key, i also refers to the index number of packets. So, a network running
the protocol can be represented as:
def
µTESLA = m[S1 ]νm | n1 [R1k0 ]νn1 | . . . | nk [R1k0 ]νnk
where node m is the transmitter, and nodes ni are the receivers in the transmission
range of m. Formally, {n1 , . . . , nk } ⊆ νm , and m ∈ νnj , for 1 ≤ j ≤ k. For
verification reasons we require test ∈ νm and also test ∈ νnj , for 1 ≤ j ≤ k, where
test is a fresh node of the environment which cannot transmit but it can only
receive message to test successful authentication.
6.3
The LEAP protocol
The LEAP protocol [32] provides a method to build a keying mechanism to establish authenticated communications. In [32], the authors describe four possible
17
keying mechanisms, each of them providing a different level of security. Here, we
focus on the pairwise key mechanism, since it is underlying to all other keying
methods. A trusted base station is assumed to distribute an activation key kI and
a pseudo-random function prf(), before deployment.
Let us briefly describe the protocol between an initiator node m and a responder node n. Node m begins broadcasting a hello packet to its neighbours;
the packet contain the node name m, and a nonce ai . When n receives the hello
packet from m, it computes its MAC, h = mac(kn , (ai , n)), where kn is the private
key of n. Then, n sends to m a packet containing h and its name n. If node m
does not get the authenticated packet from the responder in due time, it will send
a new hello packet with a fresh nonce. When m receives the packet from n, it
can authenticate n by computing kn as follows: kn = prf(kI , n). Thus, m verifies
whether the received MAC is consistent. If the authentication is successful, then
both nodes proceed in calculating the pairwise key kmn using the the function
prf().
In Table 8 we provide a specification of LEAP in tcryptoCWS. Besides the
deduction rules for dealing with pairs, we require the following deduction rules:
(mac)
v1 v2
mac(v1 , v2 )
(prf)
v1 v2
prf(v1 , v2 )
for calculating MACs and the pseudo random function prf(), respectively. Our
specification considers only two nodes, to yield an easier to read model:
def
LEAP = m[S1 ]νm | n[R]νn
where m is the initiator and n is the responder, with m ∈ νn and n ∈ νm .
This does not lose any generality with respect to the multiple nodes case. For
verification reasons we assume that the environment contains a fresh node test,
such that test ∈ νm .
7
A Security Analysis
In order to perform a security analysis of the previous protocol, we adopt a general
schema for the definition of timed security properties, called tGNDC [11], a realtime generalisation of Generalised Non-Deducibility on Compositions (GNDC )
[6]. The main idea is the following: a system M is tGN DC/α if and only if
for every attacker ATT the composition of the system M with ATT satisfies
the timed specification α(M ) with respect to the timed behavioural relation /.
An attacker, is an agent which tries to attack a protocol by stealing and faking
18
Table 8 LEAP specification
Sender at node m:
def
Si = [m ai `pair t]
[hello t `pair p]
!hpi.σ.P
Pi
Pi1
Pi2
Pi3
def
=
def
=
def
=
def
=
b?(q).Pi1 cSi+1
[q `fst n]Pi2 ; σ.Si+1
[q `snd h]Pi3 ; σ.Si+1
[n ai `pair t0 ]
[kI n `prf kn ]
[kn t0 `mac h0 ]
[h0 = h]Pi4 ; σ.Si+1
def
Pi4 = [kn m `prf kmn ]Pi5
def
Pi5 = σ.OK SND
Receiver
def
R =
def
R1 =
def
R2 =
def
R3 =
def
R4 =
def
R5 =
def
R6 =
at node n:
b?(p).R1 cσ.R
[p `fst p1 ]R2 ; σ.σ.R
[p `snd p2 ]R3 ; σ.σ.R
[p1 = hello]R4 ; σ.σ.R
[p2 `fst m]R5 ; σ.σ.R
[p2 `snd a]R6 ; σ.σ.R
[n a `pair t]
[kn t `mac h]
[n h `pair q]
σ.!hqi.R7
def
R7 = [kn m `prf kmn ]R8
def
R8 = σ.OK RCV
Build a pair t with m and a nonce ai ,
build hello packet using the pair t,
broadcast the hello, synchronise and move to P.
Wait for response from neighbours,
extract node name n from packet q,
extract MAC h from packet q,
build a pair t0 with n and current nonce ai ,
calculate n’s private key kn ,
calculate MAC h0 with kn and t0 ,
if it matches with the received one go to Pi4 ,
otherwise steps to next time interval and restart;
calculate the pairwise key kmn ,
synchronise, and continue.
Wait for incoming hello packets,
extract the first component,
extract the second component,
check if this is a hello packet,
extract the sender name m,
extract the nonce a,
build a pair t with a and n,
calculate MAC h on t with key kn ,
build packet q with node name n and MAC h,
synchronise, broadcast q, and go to R7 ,
calculate pairwise key kmn ,
synchronise and continue.
information which is transmitted on the communication channel. Such an agent
is modelled as a generic process ATT with some constrains on the data known
initially.
Given a network M , we call ID(M ) the set of messages (closed values) that
19
appears in M .1 Thus, if Φ1 is the initial knowledge of ATT we want all the
messages in ID(ATT ) to be deducible from Φ1 ; otherwise the attacker would be
unrealistic as it would know secrets in advance. In our setting, a generic attacker
of a network M is a collection of nodes in the environment of M , with current
knowledge Φ:
def Q
nds(M )
AT T (M, Φ) =
s.t. ID(Pn ) ⊆ D(Φ) for all n.
n∈Env(M ) n[Pn ]
Obviously, the attacker can not guess fresh names as the testing node test.
Definition 7.1 A network M is said to be tGN DC α/ if and only if for all attackers AT T (Φ, M ) it holds that M | AT T (Φ, M ) / α(M ), where / ∈ M × M is
a preorder, and α : M 7→ M is a function between networks defining the property
specification for M as the network α(M ).
The preorder / that we will be using in the following analysis is the trace preorder. A trace is a sequence of labelled transitions, that we will denote in the
A
standard way. If A is sequence of labels α1 α2 . . . αn , we write M ==
⇒ M 0 to mean
α1
αn
M =
⇒ −−→
− =
⇒ ··· =
⇒ −−→
− =
⇒ M 0.
A
Definition 7.2 (Trace preorder) We write M ≤trace N whenever, if M ==
⇒
A
0
0
0
M then N ==
⇒ N , for some N .
It is well-known that similarity implies trace preorder.
For the analysis of our timed security properties, we need a timed notion of
term stability [11]. Intuitively, a network M is said to be time-dependent stable
if the attacker cannot increase its knowledge when M runs in the space of a time
interval. Let #σ (A) be the occurrences of σ actions in the sequence A.
Definition 7.3 We say that a network M is time-dependent stable with respect
A
to the sequence of knowledge {Φj }j>0 , if whenever M | AT T (Φ, M ) ==
⇒ M0 |
AT T (Φ0 , M 0 ) and #σ (A) = j, then D(Φ0 ) ⊆ D(Φj ).
When two or more networks are time-dependent stable with respect a certain
sequence of knowledges {Φj }j>0 , and they enjoy a certain tGNDC property, then
the following compositionality property hold.
Proposition 7.4 Let {Φj }j>0 be a sequence of knowledges, and {Mr }1≤r≤n a
set of time-dependent stable subnetworks, with respect to {Φi }i>0 , such that Mr ∈
α (M )
tGN DC≤rtracer , for 1≤r≤n. It follows that:
1
This function can be easily defined along the lines of [11].
20
1. M1 | . . . | Mn is time-dependent stable;
α (M )|...|αn (Mn )
2. M1 | . . . | Mn ∈ tGN DC≤1trace1
Proof
.
1. By contradiction. Suppose that M1 | . . . | Mn is not time-dependent stable;
this means that during its evolution, the system M1 | . . . | Mn came to a
point where D(Φ0 ) 6⊆ D(Φj ). This implies that the attacker knows something that is not in the sequence of knowledges, or, said in other words,
that Φ0 6⊆ Φj . However, everything the attacker knows comes from the
system itself, so there has to be some Mi that transmitted a value not in
Φj . But this means that the network Mi | AT T (Φ, Mi ) came to a point
where D(Φ0 ) 6⊆ D(Φj ), and thus that Mi is not time-dependent stable with
respect to {Φj }j>0 , which is a contradiction of the hypotesis.
2. This is because, ≤trace is preserved by parallel composition.
We recall two useful timed security properties defined in [11] as suitable instances of tGN DC/α : timed integrity, which guarantees that only fresh packets
are authenticated; timed agreement, for which agreement must be reached within
a certain deadline, otherwise authentications does not hold (see [15]). Let us
formally define these two properties.
Definition 7.5 (Timed Integrity) A protocol is said to enjoy the timed integrity property if, whenever a packet p is authenticated during the time interval
i, then this packet was sent at most i − δ time intervals before.
Definition 7.6 (Timed Agreement) A protocol is said to enjoy the timed
agreement property if, whenever a responder n has completed a run of the protocol
apparently with an initiator m, then the latter has performed an initiation of the
protocol apparently with the former, at most δ time intervals before, and the two
agents agreed on a set of data d.
7.1
µTESLA Analysis
The first protocol under consideration is µTESLA. We recall that our specification of µTESLA is designed to alternate the sending of one packet and one key,
where each key is used to authenticate the packet sent in the previous time interval. In this section, we show that µTESLA enjoys timed integrity. In particular,
we prove that receivers authenticate only those packets that have been sent in
the previous time interval (δ = 1), in the correct order, even in the presence of
21
the intruder. The key point is that even if the intruder acquires shared keys then
it is “too late” to break integrity, i.e. to authenticate packets older than δ.
To prove that our model enjoys the timed integrity property, we need a specification α(µTESLA) i.e. an abstraction of the protocol, with no possible intruders,
enjoying the property. So, let us define:
def
α(µTESLA) = m[S1 ]test | n1 [R̂1 ]test | . . . | nk [R̂1 ]test
def
where S1 is the sender process defined in the specification of Table 7, while R̂i =
σ.bτ.!hauthi i.σ.R̂i+1 cR̂i+1 . Here, we abstract on the receivers noticing that each
receiver at round i may signal the authentication of packet pi by sending the
special packet authi .
Let us demonstrate that α(µTESLA) is a good abstraction enjoying timed
integrity.
Lemma 7.7
A
m!pi .test
• If m[S1 ]test ==
⇒ −−−−−−→
− then #σ (A) = 2(i − 1).
A
nr !authi .test
⇒ −−−−−−−−−
→, for some 1≤j≤k, then #σ (A) = 2(i − 1) + 1.
• If nr [R̂1 ]test ==
Proof Both proofs are by induction on i.
By the previous lemma it follows:
m!pi .test
A
B
nr !authi .test
Proposition 7.8 If α(µTESLA) ==
⇒ −−−−−−→
− ==
⇒ −−−−−−−−−
→, for some i
σ
and j, then # (B) = 1.
The proposition above says that exactly α(µTESLA) enjoys timed integrity with
δ = 1.
In the rest of the section, we prove our property starting from the single
nodes of µTESLA, and then using Proposition 7.4 for composing the result on
single nodes. In particular we notice that the nodes m[S1 ]νm and ni [R1 ]νnr , for
1 ≤ j ≤ k, are time-dependent stable with respect to the following sequence of
knowledges:
def
Φ1 = {p1 }
Φ2
def
Φ2j−1
def
Φ2j
def
= Φ1 ∪ {k1 }
......
=
Φ2j−2 ∪ {pj }
= Φ2j−1 ∪ {kj }
......
22
Intuitively, Φj is obtained by Φj−1 together with the set of messages an intruder
can get by eavesdropping on a run of the protocol during the whole time interval
j.
Lemma 7.9 The nodes m[S1 ]νm and nr [R1 ]νnr , for 1 ≤ r ≤ m, are timedependent stable with respect to {Φj }j>0 .
Lemma 7.10
m[S ]test
1
1. m[S1 ]νm ∈ tGN DC≤trace
n [R̂ ]test
r
1
2. nr [R1 ]νnr ∈ tGN DC≤trace
, for 1 ≤ r ≤ m.
Proof By exhibiting the proper simulations. See the Appendix.
By applying Lemma 7.10 together with Proposition 7.4 we have:
α(µTESLA)
Theorem 7.11 (µTESLA Timed Integrity) µTESLA ∈ tGN DC≤ttrace
.
It should be noticed that a formulation of timed agreement for µTESLA would
actually coincide with the above formulation given for timed agreement.
7.2
LEAP analysis
In LEAP, the timed integrity property means that the initiator must authenticate only packets send by the responder in the previous time interval (δ =
1). Let us slightly modify the specification of LEAP to properly represent this
property. Technically, let us define LEAP0 by replacing the process Pi5 with
def
Pi5.1 = σ.[auth t `pair q]!hqi.OK SND. Now, the sender process transmit a packet
to signal successful authentication. Notice that authenticated messages are always sent by the responder between an hello and authentication message with
the same nonce. As a consequence, time integrity imposes that hello and authentication messages with the same nonce must differ for at most two time intervals.
In order to show that LEAP0 enjoys time integrity, we specify αint (LEAP0 ) as
an abstraction of the protocol enjoying the property:
def
αint (LEAP0 ) = m[Sˆ1 ]{test} n[R̂]∅
def
def
where Ŝi = !hpi i.σ.bτ.σ.!hqi i.OK SNDcSd
= σ.R̂, with
i+1 , for all i, and R̂
pi = pair(hello, pair(m, ai )) and qi = pair(auth, pair(m, ai )).
As we did for µTESLA, we use Proposition 7.4 to break down the proof
into smaller chunks. In particular we notice that the nodes m[S1 ]νm and n[R]νn
23
are time-dependent stable with respect to the sequence {Φi }i>0 defined as follows:
Φ1
Φ2
def
Φi
Φi
def
=
=
def
=
=
def
{a1 }
Φ1 ∪ {mac(kn , pair(n, a1 ))}
......
Φi−1 ∪ {aj }
if i = 2j − 1, i > 2
Φi−1 ∪ {mac(kn , pair(n, aj ))} if i = 2j,
i > 2.
This can be verified by looking at all the possible messages eavesdropped by the
attacker during a run of the protocol.
Lemma 7.12 The nodes m[S1 ]νm and n[R]νn are time-dependent stable with
respect to {Φj }j>0 .
Lemma 7.13
m[Sˆ ]test
1
1. m[S1 ]νm ∈ tGN DC≤trace
n[R̂]∅
2. n[R]νn ∈ tGN DC≤trace .
Proof By exhibiting the proper simulations. See the Appendix.
By applying Lemma 7.13 together with Proposition 7.4 we have:
0
α (LEAP )
Theorem 7.14 (LEAP Timed integrity) LEAP0 ∈ tGN DC≤int
.
trace
Let us focus now on timed agreement. Again, let us slightly modify the specification of LEAP to represent timed agreement. We define LEAP00 by replacing
def
in LEAP the process R8 with R80 = σ.[end a `pair r]!hri.OK RCV . Now, the
responder signals the end of the protocol. For simplicity, we use the following
abbreviation: ri = pair(end, ai ). We also require that the node test is in the
neighbours of n, i.e. test ∈ νn , so that end messages can be observed. Now, the
time agreement property for LEAP requires that hello packets pi , sent by the
initiator, and end packets ri , sent by the responder, (with the same nonce) must
differ for at most two time intervals (δ = 2).
Unfortunately, LEAP00 does not satisfy the timed agreement property:
Theorem 7.15 LEAP00 does not satisfy time agreement with δ = 2.
Proof LEAP00 has the following trace: !p1 .test.σ.τ.σ.τ.!p2 .test.σ.!r1 .test, where
p1 and r1 differs for three σ-actions. This denotes the following replay attack. In
the first time interval the initiator broadcasts the hello packet p1 which is lost by
the responder and grasped by the attacker. Both nodes move to the second time
24
interval (σ-action). In the second time interval the attacker broadcasts the packet
p1 which is received by both nodes m and n (τ -action). Node m fails and move
to the third time interval. While node n succeeds and also moves to the third
time interval (σ-action). In the third time interval the responder sends its reply
to the packet p1 received by the attacker (τ -action). In the same time interval
the initiator broadcasts a new hello packet p2 , with a fresh nonce a2 . Both nodes
move to the forth time interval (σ-action). Now, the responder broadcasts its end
packet r1 , while the initiator keeps sending hello packets. So, agreement can not
be reached.
8
Conclusions, Related and Future Work
We have proposed a time broadcasting calculus for cryptographic security protocols of wireless systems. Our calculus comes with a well-defined operational
semantics and a bisimulation-based behavioural semantics. We have adapted
Gorrieri and Martinelli’s tGNDC framework to formally study the wireless network security protocol LEAP. The design of our calculus is strongly inspired
by tCryptoSPA [11], a timed cryptographic variant of Milner’s CCS. The tGNDC
schema for tCryptoSPA, has already been used by Gorrieri, Martinelli and Petrocchi [11, 12] to study the WMF and the µTESLA protocol.
Several process calculi for wireless systems have been recently proposed. Mezzetti
and Sangiorgi [19] have introduced a calculus to describe interferences in wireless
systems. Nanz and Hankin [23] have proposed a calculus for mobile ad hoc networks for specification and security analysis of communication protocols. They
provide a decision procedure to check security against fixed intruders known in
advance. Merro [17] has proposed a behavioural theory for mobile ad hoc networks. Godskesen [9] has proposed a calculus for mobile ad hoc networks with
a formalisation of an attack on the cryptographic routing protocol ARAN. Singh
et al. [28] have proposed the ω-calculus for modelling the AODV routing protocol. Ghassemi et al. [7] have proposed a process algebra where topology changes
are implicitly modelled in the semantics. Merro and Sibilio [18] have proposed
a timed calculus for wireless systems focusing on the notion of communication
collision. Godskesen and Nanz [8] have recently proposed a simple timed calculus
for wireless systems to express a wide range of mobility models.
More recently, Arnaud, Cortier and Delaune [3] have proposed a calculus
for modelling and reasoning about security protocols, including secure routing
protocols, for a bounded number of sessions. They provide two NPTIME decision
procedures for analysing routing protocols for any network topology, and apply
their framework to analyse the protocol SRP [24] applied to DSR [14].
25
The AVISPA model checker [2] has been used in [31] for an analysis of TinySec [16], LEAP [32], and TinyPK, three wireless sensor network security protocols,
and in [30] for an analysis of the Sensor Network Encryption Protocol SNEP [26].
It is our intention to apply our framework to study the correctness of a wide
range of wireless network security protocols.
References
[1] R. Amadio, I. Castellani, and D. Sangiorgi. On bisimulations for the asynchronous π-calculus. Theoretical Computer Science, 195:291–324, 1998.
[2] Alessandro Armando, David Basin, Yohan Boichut, Yannick Chevalier, Luca
Compagna, Jorge Cuellar, Paul Hankes Drielsma, Pierre-Cyrille Heám, Jacopo Mantovani, Sebastian Mödersheim, David von Oheimb, Michaël Rusinowitch, Judson Santiago, Mathieu Turuani, Luca Viganò, and Laurent Vigneron. The AVISPA Tool for the Automated Validation of Internet Security
Protocols and Applications. In CAV. Springer, 2005.
[3] M. Arnaoud, V. Cortier, and S. Delaune. Modeling and Verifying Ad Hoc
Routing Protocols. In Proceedings of CSF’10, to appear; preliminary version available as Research Report LSV-10-03, Laboratoire Spécification et
Vérification, ENS Cachan, France.
[4] H. Chan, A. Perrig, and D. X. Song. Random key predistribution schemes
for sensor networks. In IEEE Symposium on Security and Privacy, pages
197–, 2003.
[5] L. Eschenauer and V. D. Gligor. A key-management scheme for distributed
sensor networks. In ACM Conference on Computer and Communications
Security, pages 41–47, 2002.
[6] Riccardo Focardi and Fabio Martinelli. A uniform approach for the definition
of security properties. In World Congress on Formal Methods, volume 1708
of Lecture Notes in Computer Science, pages 794–813. Springer, 1999.
[7] Fatemeh Ghassemi, Wan Fokkink, and Ali Movaghar. Equational Reasoning
on Ad Hoc networks. In FSEN, volume 5961 of Lecture Notes in Computer
Science, pages 113–128. Springer, 2009.
[8] J. C. Godskesen and S. Nanz. Mobility Models and Behavioural Equivalence
for Wireless Networks. In COORDINATION, volume 5521 of Lecture Notes
in Computer Science, pages 106–122. Springer, 2009.
26
[9] J.C. Godskesen. A Calculus for Mobile Ad Hoc Networks. In COORDINATION, volume 4467 of Lecture Notes in Computer Science, pages 132–150.
Springer, 2007.
[10] R. Gorrieri, E. Locatelli, and F. Martinelli. A simple language for real-time
cryptographic protocol analysis. In ESOP, pages 114–128, 2003.
[11] Roberto Gorrieri and Fabio Martinelli. A simple framework for real-time
cryptographic protocol analysis with compositional proof rules. Sci. Comput.
Program., 50(1-3):23–49, 2004.
[12] Roberto Gorrieri, Fabio Martinelli, and Marinella Petrocchi. Formal models
and analysis of secure multicast in wired and wireless networks. J. Autom.
Reasoning, 41(3-4):325–364, 2008.
[13] M. Hennessy and T. Regan. A Process Algebra for Timed Systems. Information and Computation, 117(2):221–239, 1995.
[14] David B. Johnson and David A. Maltz. Dynamic Source Routing in Ad Hoc
Wireless Networks. Kluwer Academic Publishers, 1996.
[15] Gavin Lowe. A hierarchy of authentication specification. In CSFW, pages
31–44. IEEE Computer Society, 1997.
[16] Mark Luk, Ghita Mezzour, Adrian Perrig, and Virgil D. Gligor. Minisec: a
secure sensor network communication architecture. In IPSN, pages 479–488.
ACM, 2007.
[17] M. Merro. An Observational Theory for Mobile Ad Hoc Networks (full
paper). Information and Computation, 207(2):194–208, 2009.
[18] Massimo Merro and Eleonora Sibilio. A Timed Calculus for Wireless Systems. In FSEN, volume 5961 of Lecture Notes in Computer Science, pages
228–243. Springer, 2010.
[19] N. Mezzetti and D. Sangiorgi. Towards a Calculus For Wireless Systems.
Electronic Notes in Theoretical Computer Science, 158:331–353, 2006.
[20] Robin Milner. A Calculus of Communicating Systems, volume 92 of Lecture
Notes in Computer Science. Springer, 1980.
[21] Robin Milner. The pi calculus and its applications (keynote address). In
IJCSLP, pages 3–4, 1998.
27
[22] Robin Milner and Davide Sangiorgi. Barbed bisimulation. In ICALP, volume
623 of Lecture Notes in Computer Science, pages 685–695. Springer, 1992.
[23] S. Nanz and C. Hankin. A Framework for Security Analysis of Mobile Wireless Networks. Theoretical Computer Science, 367(1-2):203–227, 2006.
[24] Panagiotis Papadimitratos and Zygmunt J. Haas. Secure Link State Routing
for Mobile Ad Hoc Networks. In SAINT Workshops, pages 379–383. ACM,
2003.
[25] A. Perrig, J. A. Stankovic, and D. Wagner. Security in wireless sensor networks. Commununication ACM, 47(6):53–57, 2004.
[26] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. Culler. Spins: Security
Protocols for Sensor Networks. Wireless Networks, 8(5):521–534, 2002.
[27] Adrian Perrig, Robert Szewczyk, Victor Wen, David E. Culler, and J. D.
Tygar. Spins: security protocols for sensor netowrks. In MOBICOM, pages
189–199, 2001.
[28] A. Singh, C. R. Ramakrishnan, and S. A. Smolka. A Process Calculus for
Mobile Ad Hoc Networks. In COORDINATION, volume 5052 of Lecture
Notes in Computer Science, pages 296–314. Springer, 2008.
[29] B. Sundararaman, U. Buy, and A. D. Kshemkalyani. Clock synchronization
for wireless sensor networks: a survey. Ad Hoc Networks, 3(3):281–323, 2005.
[30] Llanos Tobarra, Diego Cazorla, and Fernando Cuartero. Formal Analysis of
Sensor Network Encryption Protocol (SNEP). In WSNS. IEEE CS, 2007.
[31] M. Llanos Tobarra, Diego Cazorla, Fernando Cuartero, Gregorio Dı́az, and
Marı́a-Emilia Cambronero. Model Checking Wireless Sensor Network Security Protocols: TinySec + LEAP + TinyPK. Telecommunication Systems,
40(3-4):91–99, 2009.
[32] Sencun Zhu, Sanjeev Setia, and Sushil Jajodia. Leap - efficient security
mechanisms for large-scale distributed sensor networks. In SenSys, pages
308–309. ACM, 2003.
A
Proofs
Proof of Theorem 4.3
28
1. This follows from the Definition 2.3 and Lemma 4.1(2).
2. In this case, we have to examinate all the possible reductions that generated
M _ M 0 . Suppose that it was the rule (R-Bcast), that is
Y
Y
m[!hvi.P ]ν |
ni [b?(xi ).Pi cQi ]νi _ m[P ]ν |
ni [{v/xi }Pi ]νi
i∈I
i∈I
Then, by applying one time the rule (Bcast) we have
m!v.ν
m[!hvi.P ]ν | n1 [b?(x1 ).P1 cQ1 ]ν1 −−−−→
− m[P ]ν | n1 [{v/x1 }P1 ]ν1
and then by applying again rule (Bcast) |I| − 1 times, for all the ni ∈ I with
i > 1 we obtain
Y
Y
m!v.ν
ni [b?(xi ).Pi cQi ]νi −−−−→
− m[P ]ν |
ni [{v/xi }Pi ]νi
m[!hvi.P ]ν |
i∈I
i∈I
as required. Now suppose that M _ M 0 was generated by rule (R-Internal),
that is
m[bτ.P cQ]ν _ m[P ]ν
Then by applying rule (Tau) we have
τ
m[bτ.P cQ]ν −−
→ m[P ]ν
as required. Now let us consider the case of rule (R-Struct1), that is
(R-Struct1)
M ≡ N N _ N0 N0 ≡ M0
M _ M0
λ
By induction hypotesis we have that N −−
→ N 00 ≡ N 0 with λ being either τ
λ
or m!v.ν. Lemma 4.2 tells us that there is M 00 such that M −−
→ M 00 ≡ M 0 .
λ
Thus, by transitivity of ≡, it follows that M −−
→ M 0 as required. Finally,
let us consider the case of rule (R-Par), that is
(R-Par)
M _ M0
M | N _ M0 | N
τ
Induction hypotesis tells us that M _ M 0 can either be M −−
→≡ M 0 or
m!v.ν
M −−−−→
− ≡ M 0 . If it is the first case, then by applying rule (Tau-Par) we
obtain
τ
M | N −−
→ M0 | N
29
as required. The second case, instead, can be generated only by an application of rule (Bcast). Then, by using rules (Rcv-Enb) and (RcvPar) we
obtain
m!v.ν
M | N −−−−→
− M0 | N
as required.
σ
3. In this case, M −−
_ M 0 can only be generated by rule (R-Sigma), that is
(R-Sigma)
Q
−
Q
σ
nj [b. . .cQj ]νj | k∈K nk [nil]νk −−
_
i [σ.Pi ] |
i∈I n
j∈J
Q
νi Q
νj Q
νk
i∈I ni [Pi ] |
j∈J nj [Qj ] |
k∈K nk [nil]
νi
Q
Then, by applying rules (Delay), (σ-τ ), (σ-Rcv), (σ-nil) and (σ-Par) we obtain
σ
M −−
→≡ M 0 as required.
4. In this case we have to distinguish whether a τ -action or a m!v.ν action
was performed.
τ
If M −−
→ M 0 then it can only be by an application of rules (Tau), (Shh) or
(TauPar).
• If rule (Tau) was used, then we have
τ
m[bτ.P cQ]ν −−
→ m[P ]ν
which corresponds exactly to rule (R-Internal).
m!v.ν
• If rule (Shh) was used, then we have M −−−−→
− M 0 with ν = ∅.
Lemma 4.1 tells us that
Y
M ≡ m[!hvi.P ]ν |
ni [?(x).P ]νi | M1
i∈I
and
M 0 ≡ m[P ]ν |
Y
ni [{v/x }P ]νi | M1
i∈I
By applying rule (R-Bcast) and rule (R-Par) we obtain M _ M 0 as
required.
• If rule (TauPar) was used, then by induction hypotesis we can return
to one of the two the previous cases.
30
m!v.ν
Now suppose that M −−−−→
− M 0 . By applying Lemma 4.1 we have
Y
M ≡ m[!hvi.P ]ν |
ni [?(x).P ]νi | M1
i∈I
and
M 0 ≡ m[P ]ν |
Y
ni [{v/x }P ]νi | M1
i∈I
And again, with an application of rule (R-Bcast) and rule (R-Par) we obtain
M _ M 0 as required.
σ
5. In this case the transition M −−
→ M 0 can be generated by five rules: (Delay),
(σ-τ ), (σ-Rcv), (σ-nil) and (σ-Par). For the first four cases, the corresponding
reduction is (R-Sigma) where:
• if rule (Delay) was used, then the sets J and K of rule (R-Sigma) are
empty.
• if rule (σ-τ ) or (σ-Rcv) was used, then the sets I and K of rule (R-Sigma)
are empty.
• if rule (σ-nil) was used, then the sets I and J of rule (R-Sigma) are
empty.
Instead, if rule (σ-Par) was used, then by induction hypotesis we can return
to one of the four previous cases.
Proof of Lemma 7.10 We prove this lemma by showing the proper simulations.
m[S ]test
1
1. To demonstrate that m[S1 ]νm ∈ tGN DC≤trace
we provide a simulation
νm
containing pairs of the form (m[Si ] | AT T (Φ2i−1 ) , m[Si ]test ), for all i,
where AT T (Φj ) stands for AT T (Φj , m[Si ]νm ):
R
def
=
{
m[Si ]νm | AT T (Φ2i−1 ) , m[Si ]test ,
test m[σ.!hki i.σ.Si+1 ]νm | AT T (Φ2i−1 ) , m[σ.!hki i.σ.Si+1
]
,
νm
test m[!hki i.σ.Si+1 ] | AT T (Φ2i ) , m[!hki i.σ.S
,
i+1 ]
νm
test m[σ.Si+1 ] | AT T (Φ2i ) , m[σ.Si+1 ]
,
...,
} .
Proving that R is a simulation is an easy exercise.
31
n [R̂ ]test
r
1
, for any 1 ≤ r ≤ m we provide a
2. To prove that nr [R1k0 ]νnr ∈ tGN DC≤trace
simulation containing pairs of the form nr [Rikl ]νnr | AT T (Φ2i−1 ), nr [R̂i ]test ,
for all i.
def
R = { nr [Rikl ]νnr | AT T (Φ2i−1 ) , nr [R̂i ]test ,
nr [σ.{p̂/p }Pi kl ]νnr | AT T (Φ2i−1 ) , nr [R̂i ]test ,
nr [Qi kl ]νnr | AT T (Φ2i ) , nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test , nr [{p̂/p }Pi kl ]νnr | AT T (Φ2i ) , nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test ,
nr [Zi ki ]νnr | AT T (Φ2i ) , nr [bτ.!hauthi i.σ.R̂i+1 c]test ),
km νnr
nr [σ.Ri+1
] | AT T (Φ2i ) , nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test ,
...
} .
Where AT T (Φj ) stands for AT T (nr [Rikl ]νnr , Φj ). Recall that nr [Ri ]νnr is
time-dependent stable with respect to the sequence of knowledges Φj given
in Lemma 7.9. We will omit the attacker in describing the transitions to
ease the reader.
Let us start with (nr [Rikl ]νnr | AT T (Φ2i−1 ), nr [R̂i ]test ). The first network
can perform two actions:
τ
→ nr [σ.{p̂/p }Pi kl ]νnr | AT T (Φ2i−1 ), where nr
• nr [Rikl ]νnr | AT T (Φ2i−1 ) −−
performs a receiving action and AT T sends p̂ from Φ2i−1 . The second
network answers with nr [R̂1 ]test =
⇒ nr [R̂1 ]test .
σ
→ nr [Qi kl ]νnr | AT T (Φ2i ), where nr does
• nr [Rikl ]νnr | AT T (Φ2i−1 ) −−
not receive anything and thus performs a timeout. The second network
σ
answers with nr [R̂i ]test ==
⇒ nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test
Let us consider now the pair (nr [σ.{p̂/p }Pi kl ]νnr | AT T (Φ2i−1 ), nr [R̂i ]test ).
The first network can perform one action:
σ
• nr [σ.{p̂/p }Pi kl ]νnr | AT T (Φ2i−1 ) −−
→ nr [{p̂/p }Pi kl ]νnr | AT T (Φ2i ), where
σ
nr performs a σ-action. The second network answers with nr [R̂i ]test ==
⇒
test
nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ] .
Let us consider now the pair (nr [Qi kl ]νnr | AT T (Φ2i ), nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test ).
The first network can perform three actions:
τ
km νnr
→ nr [σ.Ri+1
]
| AT T (Φ2i ), where nr per• nr [Qi kl ]νnr | AT T (Φ2i ) −−
forms a receiving action and AT T (Φ2i ) sends k̂ from Φ2i . The second
network answers with nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test =
⇒ nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test
32
σ
• nr [Qi kl ]νnr | AT T (Φ2i ) −−
→ nr [Ri+1 kl ]νnr | AT T (Φ2i+1 ), where nr does
not receive anything and thus performs a timeout. The second network
σ
answers with nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test ==
⇒ nr [R̂i+1 ]test .
Let us consider now the pair (nr [{p̂/p }Pi kl ]νnr | AT T (Φ2i ), nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test ).
The first network can perform three actions:
τ
• nr [{p̂/p }Pi kl ]νnr | AT T (Φ2i ) −−
→ nr [Zi ki ]νnr | AT T (Φ2i ), where nr performs a receiving action and AT T (Φ2i ) sends k̂, with k̂ = F i−l (kl ) and
p̂ = pi . The second network answers with nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test =
⇒
nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test .
τ
km νnr
• nr [{p̂/p }Pi kl ]νnr | AT T (Φ2i ) −−
→ nr [σ.Ri+1
]
| AT T (Φ2i ), where nr
performs a receiving action and AT T (Φ2i ) sends k̂, with k̂ 6= F i−l (kl ) or
p̂ 6= pi . The second network answers with nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test =
⇒
test
nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ] .
σ
• nr [{p̂/p }Pi kl ]νnr | AT T (Φ2i ) −−
→ nr [Ri+1 ki ]νnr | AT T (Φ2i ), where nr
does not receive anything and thus performs a timeout. The second
σ
⇒ nr [R̂i+1 ]test .
network answers with nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test ==
Let us consider now the pair (nr [Zi ki ]νnr | AT T (Φ2i ), nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test ).
The first network can perform one action:
!authi
ki νnr
] | AT T (Φ2i ), where nr per• nr [Zi ki ]νnr | AT T (Φ2i ) −−−−
→ nr [σ.Ri+1
forms an observable broadcast action of packet authi . The second net!authi
= nr [σ.R̂i+1 ]test .
work answers with nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test ====⇒
Let us consider now the pair
km νnr
(nr [σ.Ri+1
]
| AT T (Φ2i ), nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test ). The first network can perform one action:
σ
km νnr
• nr [σ.Ri+1
]
| AT T (Φ2i ) −−
→ nr [Ri+1 km ]νnr | AT T (Φ2i+1 ), where nr
performs a σ-action. The second network answers with
σ
nr [bτ.!hauthi i.σ.R̂i+1 cR̂i+1 ]test ==
⇒ nr [R̂i+1 ]test .
Proof of Lemma 7.13 We prove this lemma by showing the appropriate simulations.
m[Sˆ ]test
1
1. To prove that m[S1 ]νm ∈ tGN DC≤trace
we provide a simulation R, conνm
test
taining the pair (m[Si ] | AT T, m[Ŝi ] ), for all i, where AT T (Φj ) stands
for AT T (m[Si ]νm , Φj ). Recall that m[S1 ]νm is time-dependent stable with
33
respect to the sequence of knowledges Φj given in Lemma 7.12. Thus, the
following relation is indeed a simulation:
R
def
=
{
m[Si ]νm | AT T (Φ2i−1 ) , m[Sbi ]test ,
test m[σ.Pi ]νm | AT T (Φ2i−1 ) , m[σ.bτ.σ.!hqi i.OK SNDcSd
,
i+1 ]
νm
test d
,
m[Pi ] | AT T (Φ2i ) , m[bτ.σ.!hqi i.OK SNDcSi+1 ]
test
5 νm
,
m[Pi ] | AT T (Φ2i ) , m[σ.!hqi i.OK SN D]
m[!hqi i.OK SN D]νm | AT T (Φ2i+1 ) , m[!hqi i.OK SN D]test ,
test m[σ.Si+1 ]νm | AT T (Φ2i ) , m[bτ.σ.!hqi i.OK SNDcSd
,
i+1 ]
...
} .
Let us start by considering the pair (m[Si ]νm | AT T (Φ2i−1 ), m[Sbi ]test ). The
first network can perform one action:
!pi
− m[σ.P ]νm | AT T (Φ2i−1 ), where m per• m[Si ]νm | AT T (Φ2i−1 ) −−→
forms an observable broadcast action of packet pi . The second network
!pi
test
answers with m[Sbi ]test ==⇒
= m[σ.bτ.σ.!hqi i.OK SN DcSd
.
i+1 ]
Let us consider now the pair (m[σ.P ]νm | AT T (Φ2i−1 ),
test
). The first network can perform one acm[σ.bτ.σ.!hqi i.OK SN DcSd
i+1 ]
tion:
σ
→ m[P ]νm | AT T (Φ2i ), where m performs a
• m[σ.P ]νm | AT T (Φ2i−1 ) −−
test
σ-action. The second network answers with m[σ.bτ.σ.!hqi i.OK SN DcSd
i+1 ]
σ
test
.
==
⇒ m[bτ.σ.!hqi i.OK SN DcSd
i+1 ]
test
Let us consider now the pair (m[P ]νm | AT T (Φ2i−1 ), m[bτ.σ.!hqi i.OK SN DcSd
).
i+1 ]
The first network can perform three actions:
τ
• m[P ]νm | AT T (Φ2i ) −−
→ m[P50 ]νm | AT T (Φ2i ), where m performs
a receiving action, and AT T (Φ2i ) sends q̂ from Φ2i , with q̂ = q.
τ
test
The second network answers with m[bτ.σ.!hqi i.OK SN DcSd
=⇒
=
i+1 ]
test
m[σ.!hqi i.OK SN D] .
τ
• m[P ]νm | AT T (Φ2i ) −−
→ m[σ.Si+1 ]νm | AT T (Φ2i ), where m performs
a receiving action, and AT T (Φ2i ) sends q̂ from Φ2i , with q̂ 6= q.
τ
test
=⇒
=
The second network answers with m[bτ.σ.!hqi i.OK SN DcSd
i+1 ]
test
d
m[bτ.σ.!hqi i.OK SN DcSi+1 ] .
34
σ
• m[P ]νm | AT T (Φ2i+1 ) −−
→ m[Si+1 ]νm | AT T (Φ2i+1 ), where m does not
receive anything and thus performs a timeout. The second network
σ
test
test
answers with m[bτ.σ.!hqi i.OK SN DcSd
==
⇒ m[Sd
.
i+1 ]
i+1 ]
Let us consider now the pair (m[P50 ]νm | AT T (Φ2i ), m[σ.!hqi i.OK SN D]test ).
The first network can perform one action:
σ
• m[P50 ]νm | AT T (Φ2i ) −−
→ m[!hqi i.OK SN D]νm | AT T (Φ2i+1 ), where
m performs a σ-action. The second network answers with m[σ.!hqi i.OK SN D]test
σ
==
⇒ m[!hqi i.OK SN D]test .
Let us consider now the pair (m[!hqi i.OK SN D]νm | AT T (Φ2i+1 ), m[!hqi i.OK SN D]test ).
The first network can perform one action:
!qi
• m[!hqi i.OK SN D]νm | AT T (Φ2i+1 ) −−→
− m[OK SN D]νm | AT T (Φ2i+1 ),
where m performs an observable broadcast of packet qi . The second
!qi
network answers with m[!hqi i.OK SN D]test ==⇒
= m[OK SN D]test .
n[R̂]∅
2. To prove that n[R]νn ∈ tGN DC≤trace we have to show a relation R, containing the pair (n[R]νn | AT T, n[R̂]∅ ), which is a simulation, where AT T
stands for AT T (n[R]νn , ∅). Recall that n[R]νn is time-dependent stable
with respect to the sequence of knowledges Φi given in Lemma 7.12. Thus,
the following relation is indeed a simulation:
R
def
=
{
n[R]νn | AT T (Φ2i−1 ) , n[R̂]∅ ,
n[σ.σ.R]νn | AT T (Φ2i−1 ) , n[R̂]∅ ,
n[σ.R]νn | AT T (Φ2i ) , n[R̂]∅ ,
n[σ.!hqi.R7 ]νn | AT T (Φ2i−1 ) , n[R̂]∅ ,
n[!hqi.R7 ]νn | AT T (Φ2i ) , n[R̂]∅ ,
n[R8 ]νn | AT T (Φ2i ) , n[R̂]∅ ,
n[OK RCV ]νn | AT T (Φ2i+1 ) , n[R̂]∅ ,
} .
Proving that R is a simulation is an easy exercise.
35