Automatic analysis of distance bounding protocols
Sreekanth Malladi, Bezawada Bruhadeshwar, Kishore Kothapalli
AAutomatic analysis of distancebounding protocols
Sreekanth Malladi ∗ , Bezawada Bruhadeshwar † , Kishore Kothapalli † A BSTRACT . Distance bounding protocols are used by nodes in wireless networks for the crucial purpose of es-timating their distances to other nodes. This typically involves sending a request by one node toanother node, receiving a response, and then calculating an upper bound on the distance by multi-plying the round-trip time with the velocity of the signal. However, dishonest nodes in the networkcan turn the calculations both illegitimate and inaccurate when they participate in protocol execu-tions. Therefore, it is important to analyze protocols for the possibility of such violations. Past effortsto analyze distance bounding protocols have only been manual. However, automated approachesare important since they are quite likely to find flaws that manual approaches cannot, as witnessedmany times in the literature of key establishment protocols.In this paper, we use the constraint solver tool to automatically analyze distance bound-ing protocols: We first formulate a new trace property called
Secure Distance Bounding (SDB) thatprotocol executions must satisfy. We then classify the scenarios in which these protocols can operateconsidering the (dis)honesty of nodes and location of the attacker in the network. Finally, we ex-tend the constraint solver tool so that it can be used to test protocols for violations of SDB in thosescenarios and illustrate our technique on several examples that include new attacks on publishedprotocols. We also hosted an on-line demo for the reader to check out our implementation. A distance bounding (DB) protocol is used by a “verifier” node in wireless networks tocalculate an upper bound on the distance to a “prover” node in the network. Distancebounding helps in crucial applications such as localization, location discovery and timesynchronization. Hence, the security of DB protocols is an important and critical problem. Figure 1: (a) Extended Echo protocol P1 (b) Man-in-the-Middle Attack on P1 ∗ Dakota State University, USA, Email: [email protected] † International Institute of Information Technology, India, Email: { bbruhadeshwar,kkothapalli } @iiit.ac.in a r X i v : . [ c s . CR ] M a r As an example of a DB protocol, consider a simple extension of the Echo protocol (Fig.1.a) presented in [11]. In the figure, V is the verifier, P is the prover; N V is a nonce; Sig pk ( P ) ([ N V , V , P ]) is the signature of P to be verified with it’s public-key, denoted pk ( P ) . Let t i be the time on the clock when event i occurs. Then, V can calculate thebound ‘ d ’ on the distance to P as: d = ( t − t ) − ( t − t ) × s , where ‘ s ’ is the speedof the signal.In the presence of attackers, DB protocols can fail to achieve their main goal of establish-ing a valid distance bound. For instance, the above protocol has a possible attack whereinan attacker i plays Man-In-The-Middle and succeeds in showing p as being closer to v ‡ than it really is (Fig. 1.b).Analysis of DB protocols involves examining whether it is possible to make a party ap-pear closer than it really is, to an honest verifier. The problem is different and difficult com-pared to standard Dolev-Yao analysis of protocols that only consider whether an attackercan generate messages required to violate some security property. Here, we need to factorin the time required for message generation as well, which can vary based on the input sizeand cryptographic parameters. Automated analysis is much desired, given the problemsand distrust in manual analysis of protocols that have been reported in literature [5]. Therehave been numerous instances when automated techniques found attacks on protocols thatmanual, hand-based techniques could not (e.g. [6, 7, 9]). Past work.
The few published efforts to analyze DB protocols have been largely incom-plete: The classical work of Brands and Chaum [2] is mostly informal and specific to theprotocols introduced in that paper. Sastry et al. [11] show that in their “Echo” protocol, theprover cannot respond before receiving the verifier’s nonce but the protocol is used onlyfor “in-range” verification and also too simple without any authentication. Meadows et al.[8] give a method to analyze both distance bounding and authentication aspects, but themethod like the previous two, is manual, not automated.
Our contribution.
To address these concerns, we will show a method to automatically an-alyze DB protocols using the constraint solving technique of Millen-Shmatikov. Our methodis based on formal modeling of timed protocols and distance bounding properties. Further,it is fully automated with minor changes to the existing constraint solver § . Some highlightsof our contribution are:1. Like many past strand space extensions, our formal modeling and framework give asimple, clean and useful geometric flavor to the study of DB protocols that could beused or extended to many other studies such as localization algorithms;2. Some properties we prove about DB protocols allow the use of conventional Dolev-Yao style analysis, completely eliminating the need to consider the more complicatedtiming aspects. This is useful when it is difficult to extend existing methods for con-ventional key establishment protocols to analyze or verify DB protocols (e.g. ProVerif [1]). ‡ We use lower case for v and p now since we are referring to the protocol execution. § on-line demo at http://homepages.dsu.edu/malladis/research/ConSolv/Webpage/ STTCS
We will first develop a timed protocol model extending strand spaces inSection 2. We will then explain how constraint solving can be used to generate timed pro-tocol executions in Section 3. We will formalize secure distance bounding and explain ourtechnique to detect violations for it in Section 4. We will identify the scenarios under whichDB protocols need to be analyzed in Section 5. We will illustrate our analysis approach onsome examples in Section 6, and conclude with a discussion of future and related works.
Our protocol model is based on the strand space model of [14] extended with the introduc-tion of a new field, “time” for labels on nodes. This field is used to represent the currenttime on the clock at the node for an agent. D EFINITION
1. [Node] A node is a 3-tuple with fields time, sign , and term . Timeis the current time on the clock, sign can be + or − denoting “send” and “receive”respectively and term to be defined next. We will describe how to populate the times on nodes partly in this section and partlyin the next section. We consider protocols in which messages are constructed using a freeterm algebra: D EFINITION
2. [Term] A term is one of the following: Variable (can be of types
Agent , Nonce etc.);
Constant (numbers 1, 2, . . . ; name of the attacker (cid:101) etc.);
Atom ; Pair denoted [ t , t ] if t and t are terms; Public-Key denoted pk ( A ) with A of type Agent ; Shared-Key denoted sh ( A , B ) with A and B of type Agent ; Asymmetricencryption denoted [ t ] → k where t and k are terms; Symmetric encryption denoted [ t ] ↔ k where t and k are terms; Hash denoted h ( t ) where t is a term; Signature of a term t denoted Sig pk ( A ) ( t ) to be validated using pk ( A ) . A “ground” term is any term with no variables in it. We will drop the superscript → or ↔ if the mode of encryption is contextually either obvious or irrelevant. D EFINITION
3. [Subterm]
Term t is a subterm of t (cid:48) (i.e. t (cid:64) t (cid:48) ) if t = t (cid:48) , or if t (cid:48) = [ t , t ] with t (cid:64) t ∨ t (cid:64) t , or if t (cid:48) = [ t (cid:48)(cid:48) ] k (cid:48) with t (cid:64) t (cid:48)(cid:48) , or if t (cid:48) = h ( t (cid:48)(cid:48) ) with t (cid:64) t (cid:48)(cid:48) , or if t (cid:48) = Sig pk ( A ) ( t (cid:48)(cid:48) ) with t (cid:64) t (cid:48)(cid:48) . Term t is a proper subterm of t (cid:48) if ( t (cid:64) t (cid:48) ) ∧ ( t (cid:54) = t (cid:48) ) . Strands capture roles of a protocol. D EFINITION
4. [Strand] A strand is a sequence of nodes. For instance s = (cid:104) n , . . . , n m (cid:105) is a strand with m nodes. Nodes in a strand are related by the edge ⇒ defined such thatif n i and n i + belong to the same strand, then n i ⇒ n i + . A parametric strand is astrand with no atoms in the terms on its nodes. Protocol roles are modeled as partially instantiated parametric strands that we name semi-strands where messages contain variables and atoms depending on the knowledgeof agents concerning message subparts. For instance, the verifier strand of the protocolpresented in the Introduction is represented as (cid:104) + [ n v ] , − [ T , n v ] , − [ T , Sig pk ( P ) ([ n v , v , P ])] (cid:105) Notice that the first node starts at time ‘0’ which is not a universal ‘0’ but a localstart time for the agent who dons this strand. Also notice that the times on the other twonodes T and T are not fixed. The rationale for this is to be explained shortly.A set of semi-strands is called a semi-bundle . We will say that term t belongs to asemi-bundle S (i.e. t ∈ S ) if ( t = term ( n )) for some ( n ∈ s ) and ( s ∈ S ) .A bundle is a possible protocol execution obtained by consistently instantiating all thevariables in the semi-bundle and using → edges between nodes on different strands. D EFINITION
5. [Bundle] A bundle is a collection of strands and an acyclic digraphdefined on a mapping of nodes to edges → and ⇒ such that if node n i sends amessage that n j receives, then n i , n j are related by the edge → (denoted n i → n j ).Further, if there is a node n in the bundle that receives a term t , then there is anothernode m in the bundle, that sends t such that m → n . Note that this bundle is a 3-dimensional graph with strands located vertically anywherein the cube. Nodes in a bundle are also related by precedence relation denoted (cid:22) whichis a partial order: D EFINITION
6. [Precedes]
The relation (cid:22) is defined such that if nodes n i , n j exist ina bundle C , then n i (cid:22) n j if they are on the same strand with i ≤ j ; further, n i ≺ n j if n i → n j . We will use (cid:22) on stand-alone strands in semi-bundles as well: Let s be a strand ina semi-bundle S . Then, ( ∀ n i , n j ∈ s )( s ∈ S )( i ≤ j ⇒ n i (cid:22) n j ) .We do not include the notion of penetrator strands as in the classical strand spacesformalism of [14]. Rather, we consider a single penetrator also modeled as a single strandthat captures all the “penetrator actions” in the bundle defined as below: D EFINITION
7. [Penetrator action] A penetrator action is a sequence of edges t → t ⇒ t → t where t ⇒ t is an edge on the penetrator strand. The idea is that the single ⇒ edge in a penetrator action represents all the penetratorstrands in the classical model of [14] to generate the term to be sent. Multiple penetratorscould be added in the 3-dimensional cube if desired, although we only consider a single“Machiavellian” attacker with full control of the network in the spirit of [13] ¶ .Next we define the “elapsed time” between any two nodes n i , n j in a bundle C with n i (cid:22) n j using the notion of weights and paths : D EFINITION
8. [Weight or Elapsed time]
The weight of an edge is the (absolute)difference in times between the nodes that are connected by the edge. A path is a sequenceof nodes such that every node in the sequence is related to the subsequent node by a → ora ⇒ . The weight of a path is the sum of the weights of all the edges in the path. ¶ This might be unrealistic in wireless networks, but the stronger model allows us to find all attacks includingthose under weaker attackers.
STTCS We will denote the path between n i and n j as ( n i , n j ) when there is only oneroute between n i , and n j .The weight of a ± t ⇒ + t (cid:48) edge should be preset and constant for each semi-strand.In the case of penetrator strand, those weights should be calculated using penetrator actionsrequired to generate the + node. On the other hand, the weight of a ± t ⇒ − t (cid:48) edgecannot be fixed since an agent can only know the length of time after which it sends amessage, but cannot always predict when it might receive a message from another agent,accurately.Weights of → edges indicate the time of traversal for messages which depends onthe message length, distance and the velocity of the signal. We assume that there is anappropriate formula for an environment to calculate the weight of these edges, using thoseparameters. D EFINITION
9. [Relay, Simple relay] A relay is a penetrator action + t → − t ⇒ + t → − t . A simple relay is a relay with the weight of the ⇒ edge being zero. We develop the notion of “ideal” and “real” bundles to distinguish protocol ex-ecutions where the penetrator plays a passive role of merely observing message exchangesbetween agents with those where she plays an active role of faking and changing messages. D EFINITION
10. [Ideal and Real bundles] An ideal bundle B for a protocol P is abundle formed from a semi-bundle S with exactly one semi-strand per parametric strandof P where every penetrator action is a simple relay + σ t → − σ t ⇒ + σ t → − σ t forsome substitution σ such that ( ∀ s ∈ S )(( ∃ s (cid:48) ∈ B )( s (cid:48) = σ s )) . A real bundle is anybundle from any other semi-bundle from P . We will now extend the constraint solving technique of [9] to give a “recipe” to producethe timed bundles defined in Section 2 including honest strands and the single penetratorstrand with all the penetrator actions.The previous section only noted that weights of ± ⇒ + edges should be preset; thissection will complete labeling of nodes since weights on ± ⇒ − edges are calculateddynamically setting the times on ‘ − ’ nodes during protocol executions. The elapsed timebetween any two nodes in such bundles can then be calculated by summing up the weightson all the edges in the path between the nodes.Constraint solving is a procedure to determine if a semi-bundle is completable to abundle using a substitution to variables. A constraint sequence is first drawn from nodeinterleavings of the semi-bundle indicating that ‘ − ’ nodes should be derivable by theattacker with his actions and terms on all prior ‘ + ’ nodes. D EFINITION
11. [Constraint sequence] A constraint sequence C = (cid:104) term ( n ) : T , . . . ,term ( n k ) : T k (cid:105) is from a semi-bundle S with k ‘ − ’ nodes if ( ∀ n , n (cid:48) )( (( term ( n (cid:48) ) : T ∈ C ) ∧ ( term ( n ) ∈ T )) ⇒ ( n (cid:22) n (cid:48) ) ) . Further, if i < j and n i , n j belong to the samestrand, then n i (cid:22) n j and ( ∀ i )( T i ⊆ T i + ) . We consider a set of attacker operators Φ and an infinite set of terms that can builtusing Φ on a finite set of terms T , denoted F ( T ) . Although our techniques in thispaper are largely independent of the kind of operators in Φ , we will consider that theyrepresent the standard Dolev-Yao attacker as defined in [9].The possibility of forming bundles from a given semi-bundle can be determined bytesting if constraint sequences from it are satisfiable: D EFINITION
12. [Satisfiability, Realizability]
A constraint is m : T is satisfiable under a substitution σ if σ m ∈ F ( T ) . A constraint sequence is satisfiable with σ ,denoted σ (cid:96) C if ( ∀ m : T ∈ C )( σ m ∈ F ( σ T )) . A ‘ − ’ node is realizable if thecorresponding constraint is satisfiable. A semi-bundle is completable to a bundle if aconstraint sequence from it is satisfiable. Millen-Shmatikov have shown a constraint satisfaction procedure, denoted P that isterminating, sound and complete wrt Φ and F . P applies a set of symbolic reductionrules R to each constraint, in order to reduce it them to “simple constraints” (with onlya variable each on the left side). We provide both P and R in Appendix A.We will consider that each reduction rule in R corresponds to an attacker action andwe will calculate the weights of ⇒ edges of a bundle to be the sum of the times taken byeach rule.In Appendix A we also give an algorithm denoted PB that produces timed bundlesas defined in Section 2, using P to calculate the weights of ⇒ edges. An examplebundle generated for the Lowe’s attack on the NSPK protocol [5] is also given in AppendixA.4. Further, we show in Appendix B, Theorem 16 that PB terminates and is sound andcomplete. We will now formalize secure distance bounding using the concept of ideal and real bundlesdefined in Section 2.
A DB protocol is used by a verifier v to establish an upper bound on the distance to aprover p . Ideally, if the following assumptions hold: (a) The positions of v and p are fixed, (b) The intervals between creating and sending messages are fixed, (c) v , p are honest and (d) There is no attacker; then there indeed exists an upper boundon the distance that can be calculated by calculating the elapsed time between two nodes
Request and
Response on v with Request a send node,
Response a receive node and
Request ≺ Response as explained in Section 2.We will call the nodes between
Request and
Response in the verifier strand of a DBprotocol as the “DB part” and the other nodes as the “authentication part”. Further, wewill use the term “Time of Flight” or its abbreviation as ToF to refer to the elapsed timebetween
Request and
Response .Now the upper bound that is calculated by v can be lowered compared to the oneobtained under ideal conditions, if (a) the ToF between its Request and
Response is STTCS lowered and (b) if v is sent all the messages in the protocol that it expects to receive from p . This is the main insight in defining secure distance bounding as a trace property: Wefirst calculate the ToF under ideal conditions and check whether a “real” executionof the protocol in the presence of the penetrator can result in a calculation of ToF that islower than the ideal value. Note that we assume weights of ± m ⇒ + m (cid:48) edges are setfor strands in semi-bundles, by following the same measures to calculate time taken formessage construction outlined in Section 3. D EFINITION
13. [Secure Distance Bounding (SDB)]
Let t and t (cid:48) be the elapsedtimes in the verifier strand of an ideal and real bundle ( B and B (cid:48) ) respectively froma semi-bundle S , between the Request and
Response nodes. Then
Secure DistanceBounding (SDB) is satisfied in B (cid:48) , whenever t < t (cid:48) . Conversely, SDB is violated in B (cid:48) if t > t (cid:48) . This definition is dependent on what we consider an ideal bundle to be. In Section 2,we defined it to be one with no penetrator actions, but when the penetrator is further from v than p is, we would need to make the bundle between the penetrator and v as the ideal.More on this is explained in Section 5.2. Before explaining our technique to test protocols for violations of SDB, we will consider thescenarios under which a DB protocol can operate.
We first consider scenarios in which the prover is honest or dishonest.
Scenario A (honest prover).
With the verifier, honest prover and an attacker, this scenariocaptures MITM/Mafia attacks [3]. The attack described in the Introduction is one suchattack.
Scenario B (dishonest, colluding prover).
With the verifier, dishonest prover and attacker,this scenario captures terrorist/collusion attacks [3]. Here, the prover colludes with an at-tacker who is presumably closer to the verifier, by passing some or all of its informationincluding secret keys and messages (partial or full collusion). The protocol in Section 1 isvulnerable to such an attack (Fig. 2.a).
Independent of the honesty of agents, we should also categorize protocol execution scenar-ios based on the location of the attacker in the network with respect to the verifier and theprover.
Figure 2: (a) Scenario B — colluding attacker (b) Scenario 2 — further attacker
Scenario 1 (closer attacker).
Attacker i physically closer to the verifier v than theprover p is. The first attack on P1 described previously is an example for this scenario.In this situation, we can show that (a) if an attacker can generate all the messagesexpected by the verifier from the Request to the
Response without those messages beingsent by the prover and (b) if all other messages expected by the verifier can alsobe generated by the attacker (with or without those messages emanating from the prover),then SDB is violated: T HEOREM
Suppose t , t , . . . , t m are terms on m nodes on the verifier strand v with time of flight measured in between t and t m . Then, there exists a bundle with aviolation of SDB if • the constraints (cid:104) t : T , . . . , t m : T m (cid:105) are satisfiable where for i = to m , every t ∈ T i either belongs to T or a + node on v and every t i is a term on a − node on v ; • all other − nodes in v are realizable. P ROOF . Please see Appendix B, Theorem 17.
Scenario 2 (farther attacker).
Attacker i is physically farther from v than p . Here, i tries to show itself closer to v by using the responses from p to v in the DB part, andthen inserts its own messages for the authentication part. P1 is vulnerable in this scenarioas well (Fig. 2.b).This scenario is exactly opposite of Scenario 1: we just have to assume that the idealbundle now is in between v and i instead of v and p . We should then analyzeprotocols for potential executions with p sending all the messages in the DB part andattacker sending the remaining messages. We prove this below: T HEOREM
Consider v , p , p where d ( v , p ) < d ( v , p ) . Let (cid:104) t , . . . , t m (cid:105) benodes on v between which time of flight is measured. Then, there is a violation of SDB if • the constraints (cid:104) t : T , . . . , t m : T m (cid:105) are satisfiable where for all i = to m ,every t i is unified with some t (cid:48) ∈ T i where t (cid:48) i is a term on p . • All other ‘ − ’ nodes of v are realizable without unifying with any subterms of p . P ROOF . Please see Appendix B, Theorem 18.
STTCS We now present some example protocols and their analyses using our technique. We testedall the protocols in the Constraint Solver tool with the scenarios and results in Section 5. Wehosted all the protocols and scenarios in our on-line demo which can be tested with the clickof a button. Here, we will present only the most interesting attacks and at least one per typeof scenario.It is worth mentioning that we made a simple change to the solver: we restricted it toconsider only those node interleavings wherein the
Request and
Response nodes in theverifier strand immediately follow each other. We show in Appendix C that this is requiredto ensure soundness and that it preserves completeness wrt Def 13.In all the protocols below, distance bound, d = δ − δ × s verifier fixes δ as a con-stant for a given protocol. Further to save space, we simplified some bundles by removingsimple and insignificant relays. The original Brands-Chaum protocol is a bit tricky with commit, rapid bit-level exchangeand authentication/sign phases, and
XOR operator that is not modeled by the solver. Hence,we analyzed an approximate version (Fig. 3.a).
Figure 3: (a) Brands-Chaum protocol P2 (b) Actual solver trace of the MITM Attack on P2 (NOTE: nv+np = [ n v ] ↔ n p , [nv,np]/pk(p) = Sig pk ( p ) [ n v , n p ] ; Request and
Response nodes were coded as req(nv) and resp(nv+np) )Notice that there is a pre-commitment of nonce N P by P . Brands and Chaum specifythat messages 3 and 4 should be bit-by-bit exchanges with the round-trip time calculated asthe average of all the bit exchanges. Since the exchange is rapid and no other messages caninterfere during the exchange, we felt it safe to model the protocol with just one of thosemessage exchanges. Also, N V ⊕ N P was modeled as [ N V ] ↔ N P . Honest prover, Closer attacker.
Following our results in Section 5, we removed the nodesin the DB part in the prover strand and found an MITM attack on P2 which was similar tothe MITM attack on P1 shown in the Introduction: Attacker simply sends all the messagesexcept the signature to the verifier and later sends all of them to the prover. Finally, sherelays the signature from the prover to the verifier. The solver found three different attacktraces with three different node interleavings all essentially the same attack (Fig. 3.b).The original Brands-Chaum protocol actually requires that the commitment N P besecretly exchanged between V and P . With this requirement, the protocol forms a nicecounter-example to Theorem 14: not all constraints corresponding to messages betweenRequest (Msg 2) and Response (Msg 4) are satisfiable. When we made this change in thesolver, it did not report an attack. Dishonest prover, closer attacker.
Obviously, revealing the nonce N P (the commitment)to the attacker before hand allowed the attack (partial collusion) and of course, full collusionworked too. In any case, Brands-Chaum seems stronger against collusion than P1 since itrequires sharing of N P for the attack to succeed. Farther attacker.
This protocol also forms a nice example to test under Scenario 2. As-suming that the attacker is further away from the verifier, we followed our guidelines inSection 5 and removed the nodes in the DB part in one strand, while removing the signa-ture (Msg 5) in another strand. The solver then output an attack where the agent whose DBpart was removed looks closer than it is to the verifier (see Appendix D). P3 below was recently proposed in [8] (Fig. 4.a). Figure 4: (a) Meadows et al. protocol P3 (b) MITM Attack STTCS is actually quite similar to P2 and Brands-Chaumbut with some crucial changes. Even without any commitment step, it was not vulnerableto the MITM attack that we presented in Section 6.1 even though the nonce N P is sent inplain in Msg 3 unlike Brands-Chaum that does not disclose it. This shows that sending N P before the Response (Msg 3) was the fatal mistake in P2 .In any case, thus we believe that P3 is stronger than P2 and also the Brands-Chaumprotocol since it does not require a previous set up to enable secure commit. Dishonest prover, closer attacker. P3 is vulnerable with partial collusion when i re-sponds with Msg 2 and forwards n v , and n i to p later so that it can send the signaturein Msg 5 to v with n v , n i , and other elements. However, p does not share any secretswith i to enable this attack. Hence, this protocol seems weaker than Brands-Chaum inthis aspect. Farther attacker. P3 is also vulnerable to the “nearest-neighbor” attack that P2 was, if we assume verifier does not know who it is talking to before receiving the signaturein the final message. However, it would be unreasonable to make this assumption sincethe prover identity is explicitly included in the prior messages. Hence, we instantiated theprover variable P to a ground atomic value in the verifier strand when we tested thisprotocol, whence we could not reproduce the “nearest-neighbor” attack. Tweaking P3.
Since the protocol was resistant to all other scenarios except collusion, wetweaked with the protocol to appreciate the significance of individual elements and theirplacement in messages. We could not find the use or purpose of the field
POS P describedanywhere in [8] but removing it did not reveal any new attack. It is interesting to ask if thenonce N P inside Msg 4.2 is necessary. Removing it revealed an attack (Fig. 4.b). P4 differs from all others in having more than one encrypted message in the authenticationpart, seemingly extending the NSPK/NSL protocols (Fig. 5.a).We analyzed this protocol with one strand per role in Scenarios A and 1; i.e. we con-sidered an honest verifier B and an honest prover A with a MITM attacker who isphysically in between them. Further, as usual, we tied the Request (Msg 4) and
Response (Msg 5) together in the node interleaving. Without ‘ B ’ in Msg 2, the solver reported thetrace with a MITM attack termed “Lowe style” attack in [4] (Fig. 5.b).In the trace, the attacker plays MITM between a and b and learns k . Then,the Response [ n , n a ] is sent from the attacker’s location, which is physically closer to theverifier b , violating SDB and also follows it up with an authentication of the challenge n in the last message ( [ n , δ ] ↔ k ).The crux of this attack is the attacker’s ability to satisfy both the conditions in The-orem 14. Satisfying the DB Part is trivial, but satisfying the authentication part is possibleonly by breaking the secrecy of k since it is required to construct the last message, [ n , δ ] ↔ k . Figure 5: (a) Guttman et al. protocol P4 (b) Screen-shot of attack trace from thesolver on the new Guttman et al.’s protocol. Note : v 1, v 2 are variables; [t]*k = [ t ] → k , [t]+k = [ t ] ↔ k .With larger semi-bundles/runs, more attacks could be possible by failing authentica-tion even after the inclusion of ‘ B ’ in Msg 2; E.g., see attacks on NSL given in [9]. In this paper, we described a method to automatically analyze distance bounding protocols.We formalized the main property of secure distance bounding and explained how violationsof it can be tested using the constraint solver. We also illustrated our technique by presentinganalyses of some published protocols.A natural extension to our work is to extend it to unbounded analysis since the con-straint solver only considers bounded number of protocol processes. Unbounded verifica-tion tools such as
ProVerif could be extended by tying the
Request and
Rapid Response together in the node interleavings as explained in Section 6, to produce attacks or to provethe absence of. In the case of
ProVerif , this is as simple as adding four events in theprotocol, two each for the verifier and prover in the protocol, corresponding to sendingand receiving the
Request and
Rapid Response respectively. No other change in the tool isrequired.Other areas for future work include extending our framework with multiple penetra-tors in the 3D space, analyzing other properties in this model such as denial of service, ob-taining decidability results for distance bounding, and testing protocols with a more power-ful solver that considers message operators with algebraic properties such as Exclusive-OR.
Recent related work.
While the work in this paper was in progress, a related approachto verifying DB protocols using Isabelle/HOL was also in progress and is about to appearin [12]. Being a verification effort, that approach differs from ours in the classical way thatmodel checkers differ from theorem provers: the former tests for attacks while the latter
STTCS proves the absence of. However, our approach can also be extended easily to unboundedverification with ProVerif , as explained above.
ProVerif usually verifies protocols in afraction of a second, faster than most theorem provers. But to be fair to the authors of [12],they consider other protocols used in wireless networks, not merely distance bounding aswe did. In that sense, their work can be considered more elaborate than ours.
References [1] Bruno Blanchet. A computationally sound mechanized prover for security protocols. In
IEEESymposium on Security and Privacy , pages 140–154, Oakland, California, May 2006.[2] S. Brands and D. Chaum. Distance-bounding protocols. In
Advances in Cryptology - EuroCrypt’93, LNCS 765 . Springer-Verlag, 1995.[3] Y. Desmedt. Major security problems with the `unforgeable´(feige)-fiat-shamir proofs of identityand how to overcome them. In
SecureComm , pages 15–17, SEDEP Paris, 1988.[4] J. D. Guttman, J. C. Herzog, V. Swarup, and F. J. Thayer. Strand spaces: From key exchange tosecure location. In
Workshop on Event-based Semantics , April 2008.[5] G. Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In
Pro-ceedings of TACAS , volume 1055, pages 147–166. Springer-Verlag, 1996. Also in Software Con-cepts and Tools, 17:93-102, 1996.[6] Gavin Lowe. Some new attacks on cryptographic protocols. In
Proceedings of 9th ComputerSecurity Foundations Workshop . IEEE, 1996.[7] C. Meadows. Analyzing the Needham-Schroeder public-key protocol: A comparison of twoapproaches. In E. Bertino, H. Kurth, G. Martella, and E. Montolivo, editors,
ESORICS 96, LNCS1146 , pages 351–364, 1996.[8] C. Meadows, R. Poovendran, D. Pavlovic, L. Chang, and P. Syverson. Distance bounding pro-tocols: Authentication logic analysis and collusion attacks. In
Secure Localization and Time Syn-chronization for Wireless Sensor and Ad Hoc Networks . Springer-Verlag, 2007.[9] J. Millen and V. Shmatikov. Constraint solving for bounded-process cryptographic protocolanalysis. In
Proc. ACM Conference on Computer and Communication Security , pages 166–175. ACMpress, 2001.[10] R. Needham and M. Schroeder. Using Encryption for Authentication in Large Networks ofComputers.
Communications of the ACM , 21(12):993–999, December 1978.[11] N. Sastry, U. Shankar, and D. Wagner. Secure verification of location claims. In
ACM Workshopon Wireless security (WiSe 2003) , pages 48–61. ACM, 2003.[12] Patrick Schaller, Benedikt Schmidt, David Basin, and Srdjan Capkun. Modeling and verifyingphysical properties of security protocols for wireless networks. In
To Appear, Proc. 22nd ComputerSecurity Foundations Workshop . IEEE Computer Society Press, July 2009.[13] P. Syverson and C. Meadows. Dolev-Yao is no better than Machiavelli. In
Workshop in the Issuesof Theory of Security, Poland, Warsaw , 2000.[14] F. J. Thayer, J. C. Herzog, and J. D. Guttman. Strand spaces: Why is a security protocol correct?In
Proc. IEEE Symposium on Research in Security and Privacy , pages 160–171. IEEE ComputerSociety Press, 1998. A Constraint solving [9]
A.1 Reduction Procedure P C : = initial constraint sequence σ : = repeatlet c ∗ = m : T be the constraint in C s.t. m is not a variable if c ∗ not found output Satisfiable! apply rule (elim) to c ∗ until no longer applicable ∀ r ∈ R if r is applicable to C (cid:104) C (cid:48) ; σ (cid:48) (cid:105) : = r ( C ; σ ) create node with C (cid:48) ; add C → C (cid:48) edgepush (cid:104) C (cid:48) ; σ (cid:48) (cid:105)(cid:104) C ; σ (cid:105) : = popuntil emptystack Reduction Procedure P [9] A.2 Set of reduction rules, R C < , m : T , C > ; στ C < , τ C > ; τ ∪ σ where τ = mgu ( m , t ) ∧ t ∈ T ( un ) C < , [ m , m ] : T , C > ; σ C < , m : T , m : T , C > ; σ ( pair ) C < , h ( m ) : T , C > ; σ C < , m : T , C > ; σ ( hash ) C < , [ m ] → k : T , C > ; σ C < , k : T , m : T , C > ; σ ( penc ) C < , [ m ] ↔ k : T , C > ; σ C < , k : T , m : T , C > ; σ ( senc ) C < , sig pk ( (cid:101) ) ( m ) : T , C > ; σ C < , m : T , C > ; σ ( sig ) C < , m : [ t , t ] ∪ T , C > ; σ C < , m : t ∪ t ∪ T , C > ; σ ( split ) C < , m : [ t ] → pk ( (cid:101) ) ∪ T , C > ; σ C < , m : t ∪ T , C > ; σ ( pdec ) C < , m : [ t ] → k ∪ T , C > ; στ C < , τ m : τ [ t ] → k ∪ τ T , τ C > ; τ ∪ σ , STTCS where τ = mgu ( k , pk ( (cid:101) )) , k (cid:54) = pk ( (cid:101) ) ( ksub ) C < , m : [ t ] ↔ k ∪ T , C > ; σ C < , k : T , m : T ∪ t ∪ k , C > ; σ ( sdec ) A.3 Algorithm PB
We describe a simple extension to P to generate bundles from satisfiable constraint se-quences which in turn were generated from strands in a semi-bundle. Further, a singlepenetrator strand with the number of nodes equal to the sum of the nodes in the semi-bundle that captures all the reduction rules applied to generate terms on − nodes or solveconstraints. We name this new algorithm, PB .In PB , we will assume a look-up table such as below to find out the weights correspond-ing to each attacker action. Action Parameters Time taken pair m , m ( m .len + m .len) split [ m , m ] ( m + m ) .len senc , sdec { m , k } m .len × k .len penc , pdec { m , k } × m .len × k .len hash m m .len × sig { m , k } × m .len × k .len Note: m .len denotes the number of bytes in m .As is obvious from the above table, we adopt the well known fact that asymmetric keyencryption /decryption is about thousand times slower than its symmetric counterpart.Note that rules un and ksub do not correspond to any penetrator action but only generatethe substitution required to complete the semi-bundle to a bundle.The time of traversal for a message depends on the message length, distance and thevelocity of the signal. We assume that there is an appropriate formula for an environmentto calculate that time, using those parameters. Algorithm
ProduceBundle
Input:
Semi-bundle S , Constraint solving procedure POutput:
Bundle.1
Draw all the strands in S (with ⇒ edges)2 Label nodes on each strand with (time, sign, term)3 for each node merge N from S Generate a constraint sequence C and solve C with P if C not satisfiable, continue; for each successive node m in N draw a penetrator node n connecting it to the8 previous node on the same strand using a ⇒ ;9 if sign( m )=‘ + ’ then draw an edge → between m , n ;11 update time on n as time( m ) + weight( m , n );12 if sign( m )=‘ − ’ then
13 mark the weight of ⇒ edge as the sum of weights14 of all the rules applied to satisfy the constraint;15 draw an edge → between n , m ;16 update time on m as time( n ) + weight( n , m ); A.4 Algorithm PB - An example
Consider the Needham-Schroeder Public-Key (NSPK) protocol [10]:
A B [ N A , A ] pk ( B ) (cid:47) (cid:47) (cid:11) (cid:19) (cid:11) (cid:19) (cid:11) (cid:19) [ N A , N B ] pk ( A ) (cid:111) (cid:111) (cid:11) (cid:19) [ N B ] pk ( B ) (cid:47) (cid:47) PB , we first draw the semi-strands a for A and b for B . Wethen consider the node merge (cid:104)
11, 21, 22, 12, 13, 23 (cid:105) and from it the constraint sequence, (cid:104)
21 : 11, 12 : {
11, 22 } , 23 : {
11, 22, 13 }(cid:105) . This sequence will reveal Lowe’s attack on NSPK[5]. Following our algorithm,1. we first add a penetrator node e → edge from 11,2. send [ n a , a ] pk ( e ) with it’s weight as the product of the distance between a and the pen-etrator e , the length of the message [ n a , a ] pk ( e ) and the velocity of the signal,3. update the time on e ⇒ edge from e e
2, it’s weight δ being the sumof all the rules to solve the first constraint and generate the term on node 21; i.e, δ =time taken to apply pdec , split , pair and penc after appropriately parameterizing withmessage and key lengths,5. update the node’s time as the weights of edges 11 → e e ⇒ e → edge from e STTCS a e b (cid:11) (cid:19) [ n a , a ] pk ( e ) (cid:47) (cid:47) e δ (cid:11) (cid:19) e [ n a , a ] pk ( a ) (cid:47) (cid:47) δ (cid:11) (cid:19) (cid:11) (cid:19) e δ (cid:11) (cid:19) [ n a , n b ] pk ( a ) (cid:111) (cid:111) (cid:11) (cid:19) (cid:11) (cid:19) e [ n a , n b ] pk ( a ) (cid:111) (cid:111) δ (cid:11) (cid:19) [ n b ] pk ( e ) (cid:47) (cid:47) e δ (cid:11) (cid:19) e [ n b ] pk ( b ) (cid:47) (cid:47) B Proofs T HEOREM
16. [Termination, Soundness and Completeness]
Algorithm PB terminates and is sound and complete. P ROOF .Consider the steps in the algorithm PB sequentially:1. PB draws finitely many strands each with finitely many nodes from a given semi-bundle S ;2. Next, it generates finitely many node merges N and solves each of them using P whichis proven to be terminating, sound and complete [9];3. Finally, it loops for all the finitely many nodes in N . In each iteration, it performs allatomic actions, namely drawing a node or an edge and updating times on node labels;The only non-atomic action is the adding of weights of all the finitely many reductionrules to solve a constraint.Since all the above are finitely many actions, PB terminates. Further, its soundnessand completeness follow directly from those properties of P and since every node in thesemi-bundle is handled.As promised in Section 5.2, below we prove that in Scenario 1, if an attacker can gener-ate all the messages expected by the verifier from the Request to the
Response without thosemessages being sent by the prover, then SDB is violated if all other messages expected bythe verifier can also be generated by the attacker with or with out those messages emanatingfrom the prover. T HEOREM
Suppose t , t , . . . , t m are terms on m nodes on the verifier strand v with time of flightmeasured in between t and t m . Then, there exists a bundle with a violation of SDB if • the constraints (cid:104) t : T , . . . , t m : T m (cid:105) are satisfiable where for i = to m , every t ∈ T i either belongs to T or a + node on v and every t i is a term on a − node on v ; • all other − nodes in v are realizable. P ROOF . Let the ideal bundle in between v and a prover p be denoted B . Let the distancebetween v and p be d ( v , p ) . Let the distance between v and i be d ( v , i ) and let d ( v , i ) < d ( v , p ) ; i.e., any edge between a node on v to a node on i will have lesser weight than theedge from v to p when the same number of bits are transmitted on the edges.Say the path between t and t m is w in B . Now consider a real bundle B (cid:48) where every + node on v between t and t m is connected to a − node on i and vice-versa (which is possiblesince every − node on v is satisfiable without terms from p ). Since the weights of ± ⇒ + are preset in the strands v and p , the weights of those edges will be equal in both i and p .Hence, the weight of the path between t and t m in B (cid:48) will be lesser since the weight of theonly remaining → edges are lesser as explained above.Hence, by Def. 13, there is a violation of SDB in B (cid:48) .We also prove that we can find attacks in Scenario 2 of Section 5.2, by analyzing pro-tocols for potential executions with p sending all the messages in the DB part and attackersending the remaining messages, as promised in Section 5.2. T HEOREM
Consider v , p , p where d ( v , p ) < d ( v , p ) . Let (cid:104) t , . . . , t m (cid:105) be nodes on v betweenwhich time of flight is measured. Then, there is a violation of SDB if • the constraints (cid:104) t : T , . . . , t m : T m (cid:105) are satisfiable where for all i = to m , every t i isunified with some t (cid:48) ∈ T i where t (cid:48) i is a term on p . • All other ‘ − ’ nodes of v are realizable without unifying with any subterms of p . P ROOF . Consider the ideal bundle to be between v and p denoted as B and let the timeof flight in B be w .Now consider another bundle B (cid:48) produced by PB wherein every m → n edge is suchthat m has one of t , . . . , t m as a term and n is a node on p .This is possible since every constraint (cid:104) t : T , . . . , t m : T m (cid:105) is satisfiable by unifyingwith a term in p resulting in the attacker edge ⇒ having a weight 0. In this situation,an equivalent bundle can be produced where the attacker action m → e i ⇒ e j → n (forsome nodes e i and e j on the attacker strand) is replaced with a straight edge m → n . Since d ( v , p ) < d ( v , p ) , the sum of weights of those edges in B (cid:48) will be lesser than B . Further,the weights of ± ⇒ + edges for p in B or p in B (cid:48) will be equal since they are preset andconstant from assumptions in the protocol model.Thus, by Def. 13, there is an attack on SDB in B (cid:48) .We supplement these results with some general results on collusion. These results willshow that collusion is in general impossible to prevent. However, while in some cases itworks without any shared secrets between the prover and attacker, in some other cases itnecessarily requires at least some shared secrets. C OROLLARY
19. [Full collusion]
It can be easily seen from the proof of Theorems 17 and 18 that if p colludes with i andshares all its secrets with i , then it results in a direct violation of SDB since i can send all themessages expected by v without any involvement from p ; i.e., all the constraints from v ’sstrand are satisfiable without the prover strand p at all and due to i ’s closer proximity, theweight of the path from the Request to Response used to calculate ToF will be lesser.
STTCS
OROLLARY
20. [Partial Collusion]
This collusion attack can work even under partial collusion; i.e., if p initially shareswith i only those subterms that are needed to satisfy all the constraints between Request and
Response , then from the proofs it can be easily seen that this is sufficient for an attack on SDBby simply relaying all the other messages from p to v that are not used to calculate the ToF. C OROLLARY
21. [Preventing collusion]
A simple way to prevent collusion is by measuring time of flight between encryptedmessages, some of which must be decrypted with a private key known only to the legitimatebut dishonest and colluding prover. In such a situation, violation of SDB is possible onlywhen the prover shares its private keys or secrets with the attacker so that all the constraintsin the DB part are satisfiable without the nodes from the prover strand.There might be situations where provers collude with others, but do not want to shareall their information, especially long-term keys or private keys. In those cases, collusion at-tacks can be prevented by measuring ToF between encrypted messages as explained above. C OROLLARY
22. [Collusion possible in both scenarios]
These observations are true whether i is close to v than p or otherwise. In the case of i being further from v than p , under collusion, p attempts to deliberately make i appearcloser. C Soundness and Completeness of implementation
We will now prove soundness and completeness of our implementation wrt Def. 13. Wemake two assumptions about DB protocols for these results:
Assumption 1
Request and RapidResponse are the only two consecutive nodes between which ToFis measured.
Assumption 2
The elapsed time between the prover receiving the Request and sending the RapidResponseis lower than the weight of ⇒ + edges in the verifier or the prover strands. DB protocols for networks with stringent time and resource constraints such as sensornetworks, must satisfy both these assumptions [2, 8].
C.1 Soundness
The implementation can be considered sound wrt Def. 13 if all the real bundles producedby the tool necessarily violate SDB. In other words, every bundle that is produced shouldhave the ToF lesser than the ideal bundle.We made a minor change to the original constraint solver by Millen-Shmatikov toachieve soundness: we restricted it to consider only those node interleavings wherein the
Request and
Rapid Response nodes in the verifier strand immediately follow each other.We then tested protocols by following the results of Theorems 14 and 18 in Section 5.To see why we restricted the interleavings, consider the following two bundles out-put by the solver for the extended-Echo protocol P1 introduced in Section 1 (below m =[ n v , v , p ] ): v i ( p ) , i ( v ) p v i ( p ) , i ( v ) p ◦ n v (cid:47) (cid:47) δ (cid:11) (cid:19) ◦ δ (cid:11) (cid:19) ◦ n v (cid:47) (cid:47) δ (cid:11) (cid:19) ◦ (cid:11) (cid:19) ◦ (cid:11) (cid:19) ◦ n v (cid:111) (cid:111) (cid:11) (cid:19) ◦ n v (cid:47) (cid:47) δ (cid:11) (cid:19) ◦ (cid:11) (cid:19) ◦ (cid:11) (cid:19) n v (cid:47) (cid:47) ◦ (cid:11) (cid:19) ◦ (cid:11) (cid:19) ◦ n v (cid:111) (cid:111) (cid:11) (cid:19) ◦ ◦ n v (cid:111) (cid:111) (cid:11) (cid:19) ◦ (cid:11) (cid:19) ◦ Sig pk ( p ) ( m ) (cid:111) (cid:111) ◦ ◦ Sig pk ( p ) ( m ) (cid:111) (cid:111) ◦ (cid:11) (cid:19) ◦ n v (cid:111) (cid:111) (cid:11) (cid:19) ◦ ◦ Sig pk ( p ) ( m ) (cid:111) (cid:111) These bundles were produced in an honest prover scenario with attacker closer to theverifier. Now the conditions of Theorem 17 are satisfied in both the bundles; i.e., the mes-sages in the DB part are satisfiable without the send node in the prover strand to send the
Rapid Response , and the signature is realizable as well. Yet, only the bundle on the left ob-viously has a violation of SDB since its ToF ( δ ) is lesser compared to the ideal case. Onthe other hand, the one on the right has its δ larger than the ideal case.The reason is that the bundle on the right was found on an interleaving where Request and
Rapid Response do not immediately follow each other. In this case, output of algorithm PB produces a path ( Request , Rapid Response ) that is heavier than a path between the samenodes in the ideal bundle, since it has to draw the edges corresponding to other realizablenodes before it draws the edges for the
Rapid Response node.Theorem 17 merely states that an attack bundle exists but does not point to it precisely.Restricting interleavings in this fashion restricts the solver so that every bundle it producesis necessarily an attack bundle, thereby achieving soundness.
C.2 Completeness
By restricting interleavings do we lose any attacks? We can easily prove that we do not.Firstly, let us note that every bundle produced by the solver after restricting interleav-ings is similar to the bundle on the left given in Section C.1. i.e., bundles where the attackerreceives the
Request and immediately sends the
Rapid Response back to the verifier,without sending or receiving any other messages in between. To prove completeness, wewill show that these are the only bundles where there is a violation of SDB.To achieve a contradiction, consider the bundle below, which is not produced by thesolver when we restrict interleavings (the attacker does not send the
Rapid Response im-mediately after receiving the
Request ): STTCS v p (cid:48) p (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:47) (cid:47) (cid:11) (cid:19) (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:11) (cid:19) (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:47) (cid:47) (cid:11) (cid:19) (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:11) (cid:19) (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:11) (cid:19) (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:111) (cid:111) (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:111) (cid:111) Call this bundle B . Say there is a violation of SDB in B when the ideal bundle isbetween v and p . That means, the weight of the path (
2, 7 ) is lower than the weightof edge (
2, 3 ) in the ideal bundle B (cid:48) below between v and p (note that the weight of → edges in the path (
1, 8 ) in B is equal to the weight of → edges between (
1, 4 ) in B (cid:48) ): v p (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:47) (cid:47) (cid:11) (cid:19) (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:11) (cid:19) (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:111) (cid:111) Now the weight of (
2, 3 ) + (
3, 6 ) + (
6, 7 ) in B is obviously more than the weightof edge (
4, 5 ) in B . From above, since there is an attack in B , the weight of (
2, 3 ) + (
3, 6 ) + (
6, 7 ) must be lesser than (
2, 3 ) in B (cid:48) . However, the weight of (
4, 5 ) in B itself is greater than or equal to the weight of (
2, 3 ) in B (cid:48) from Assumption 2, acontradiction.If B depicts a violation of SDB in the farther attacker scenario (i.e., p (cid:48) is a proverstrand), then by Assumption 2, the weight of (
2, 3 ) + (
3, 6 ) + (
6, 7 ) in B will be heavierthan (
2, 3 ) in B (cid:48) , again a contradiction.Finally, if there is a bundle with ToF lighter than (
1, 4 ) in B (cid:48) that is not producedby the solver, then it must be from a node interleaving with a maximum of one send orreceive node per strand in between Request and
Rapid Response . For instance, bundle B (cid:48)(cid:48) below: v p (cid:48) p (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:47) (cid:47) (cid:11) (cid:19) (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:11) (cid:19) (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:47) (cid:47) (cid:11) (cid:19) (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:47)(cid:46)(cid:45)(cid:44)(cid:40)(cid:41)(cid:42)(cid:43) (cid:111) (cid:111) However, an attack on bundles such as these also implies an attack on a bundle wherenode 3 occurs before node 2 or after node 4, which are indeed produced by the solver.Thus, by restricting interleavings to just those with ( Request , Response ) tied together, wedo not lose any attack. D More attacks
D.1 P2 - Brands & Chaum
Farther attacker.
This protocol forms a nice example to test under Scenario 2. Assumingattacker is further away from the verifier, we followed our results in Section 5 and removedthe nodes in the DB part in one strand while removing the signature (Msg 5) in anotherstrand. The solver then output the following attack simplified by removing some relays: v p i ◦ v (cid:47) (cid:47) (cid:11) (cid:19) ◦ (cid:11) (cid:19) ◦ (cid:11) (cid:19) ◦ n p (cid:111) (cid:111) (cid:11) (cid:19) ◦ n v (cid:47) (cid:47) δ (cid:11) (cid:19) ◦ δ (cid:11) (cid:19) ◦ (cid:11) (cid:19) ◦ n v ⊕ n p (cid:111) (cid:111) (cid:11) (cid:19) ◦ Sig pk ( p ) [ n v , n p ] (cid:47) (cid:47) ◦ (cid:11) (cid:19) ◦ ◦ Sig pk ( i ) [ n v , n p ] (cid:111) (cid:111) Here, i is further away from v than p and possibly out of a range that v wishesto include nodes. i then lets p respond to vv