1 Introduction

Key-updating protocols form a class of communication protocols in which participants change their encryption keys between executions. Such protocols are used in several domains - the Signal protocol uses the Diffie-Hellman Double Ratchet algorithm [19], and the Gossamer protocol [18] also uses updating keys. Many grouping protocols [12, 21], which aim to prove that two or more RFID tags are simultaneously present, also use such methods.

There are several formally defined security properties which demonstrate the benefits of key-updating protocols. For example, forward privacy, introduced by Avoine [2], prevents an attacker from learning about past sessions, even after compromising a participant. Post-compromise security, as defined by Cohn-Gordon et al. [5], states that if an adversary compromises an agent, the effect of that compromise can be reversed, provided the adversary does not continually monitor the communication.

Such goals are typically realised by security protocols which update encryption keys, for example by using a one-way hash function. This way, if an adversary learns the encryption keys used in a single session, they cannot reconstruct past keys. However, such methods require the protocol participants to synchronise their key updates, so that their local states remain consistent.

The synchronisation requirement of key-updating protocols has created new attack vectors. If a protocol is improperly designed or implemented, an attacker can cause agents to update their keys in an improper manner, preventing them from correctly interpreting communications from their partner. This kind of Denial-of-Service attack is called a desynchronisation attack [7]. Such attacks allow an adversary to prevent future runs of a communication protocol, stopping the protocol from achieving its intended purpose.

Security properties for communication protocols can be formally verified using symbolic analysis. This type of analysis is well-supported by a range of automated proving tools such as ProVerif [3] and Tamarin [17], which typically attempt to reduce analysis of the protocol to a bounded case. This is especially true in the case of stateless protocols, where information between sessions is never carried forwards to future executions. However, key-updating protocols are inherently stateful - information must be preserved between sessions. This can cause problems in analysis due to the explosion of the state space. Indeed, reachability queries are in general an undecidable problem [4, 10].

Existing Formalisms of Desynchronisation Resistance. Desynchronisation represents a class of attacks that are not covered by traditional definitions. A protocol that is impervious to such attacks is said to be desynchronisation resistant, and while there is a strong intuitive understanding of what this property means, there are few attempts at formal definitions in the literature.

There exist a variety of works that either claim a form of desynchronisation resistance [13, 15, 22, 25] or provide a desynchronisation attack on published protocols [14, 16, 23]. Both types of papers only provide an informal treatment of the topic, without automated tool support. Only a few papers provide a formal definition of a desynchronisation attack or desynchronisation resistance. We will briefly discuss two of these approaches, namely the work of Van Deursen et al. [6] and the work of Radomirović and Dashti [20].

Van Deursen et al. [6] introduce desynchronisation in the context of RFID protocols. They say an RFID reader owns a tag if it knows a secret key allowing it to authenticate the tag in absence of the adversary. A protocol is then said to be desynchronisation resistant if being owned is an invariant property. For example, if there is a time t such that a tag T is owned by a reader R, then at time \(t+1\) there must exist some reader \(R^\prime \) (who may be the same as or different from R) which ‘owns’ T. The authors demonstrate how existing RFID protocols violate their definition. They do not provide, however, any means for formally verifying that it holds for an arbitrary protocol.

A second existing approach that relates to desynchronisation resistance is the work on derailing attacks by Radomirović and Dashti [20]. In a derailing attack, a protocol is led away from its intended execution by an adversary. Reachable states in the protocol are labelled as safe, unsafe, or transitional, describing whether a desirable ‘success’ condition is reachable from the current point. A protocol is said to be susceptible to derailing attacks if there exists a reachable state S such that in absence of the adversary, there are no safe states that are reachable from S.

Contributions. In this paper, a formal definition of desynchronisation resistance is given in terms of the traces of a security protocol. The definition we provide can be seen as an extension of the two theories above. Like Radomirović and Dashti, our definition concerns the reachability of certain states, and an examination of the transitions between them. Like Van Deursen et al., the knowledge of secret keys is an important factor in our definitions. However, we go further by providing a set of conditions for key-updating protocols that allows for automated verification (or falsification) of desynchronisation resistance.

Although traditional security protocol verification tools allow for reachability queries, they lack inherent support for the liveness properties that we are verifying. As such, we provide under- and over-approximations in the form of verifiable security properties.

Organisation. In Sect. 2, a detailed introduction to multiset rewriting theory is given, presenting the language that will be used throughout the paper. In Sect. 3, a series of definitions regarding reachability are provided, and used to create a formal definition of desynchronisation resistance. In Sect. 4, the model is refined to focus on sequential key-updating protocols. A set of security properties are provided that are proved to be sufficient to ensure desynchronisation resistance in this setting. Section 5 shows the result of applying this analysis to existing secret-updating protocols by using the automated verification tool Tamarin. Novel attacks are found on a number of protocols in the literature. Finally in Sect. 6, we discuss future work, as well as related concepts.

2 Security Protocol Model

In order to model security protocols in which shared secrets are updated, a multiset rewriting model will be used. Multiset rewriting is a common basis for modelling stateful systems. In a stateful system, different sessions can be dependent on each other, with information that is dynamic between executions.

A protocol specification covers a set of rules that govern how a multiset describing the protocol state is allowed to proceed. This state contains information such as the messages that have been sent by different participants of the protocol, markers denoting if certain stages of the protocol have been successfully reached, and the knowledge and actions of an adversary who seeks to undermine the protocol’s successful execution.

2.1 Multiset Rewriting

The multisets used in our model are built on terms constructed from an order-sorted signature, such as those described by Goguen and Meseguer [11]. An order-sorted signature is a triple \((\mathcal {S}, \le , \varSigma )\), where \(\le \) is a partial ordering on a set of types \(\mathcal {S}\), and \(\varSigma \) is a collection of functions between types. For two types s and t we define \(\varSigma _{s, t}\) to be the functions in \(\varSigma \) which map from type s to type t. Further, we use the standard notation for the Cartesian product of sets, so for example:

$$ f \in \varSigma _{\mathbb {R}^2,\mathbb {N}} \;:=\; f :\mathbb {R} \times \mathbb {R} \rightarrow \mathbb {N}\text {.} $$

Our model must track not only the messages that are on the network, but also auxiliary information about the state, such as an agent’s encryption keys. To do this, we define two top types \(\mathsf {msg}\) and \(\mathsf {fact}\), and further define subtypes \(\mathsf {public}, \mathsf {nonce} < \mathsf {msg}\), and \(\mathsf {agent}, \mathsf {const} < \mathsf {public}\).

The set of terms over \(\mathcal {S}\) is defined iteratively, as follows. First, for each type \(s\in \mathcal {S}\) we build two infinite carrier sets \(N_s\) and \(V_s\) of names (i.e. known values) and variables (i.e. unknown or uninstantiated values) of type s. We refer to these types of terms as atoms. We will often use the following notation for variables:

From here, successive terms are built by the application of functions from \(\varSigma \) on the atoms. Given a term t, we define the set of subterms of t as follows. If t is an atom, then \(subterms(t) = \lbrace t \rbrace \). Otherwise, we have \(t = f( t_1, t_2, \ldots , t_n)\) for some function symbol \(f \in \varSigma \). In this case, we define

$$ subterms(t) = \lbrace t \rbrace \cup subterms(t_1) \cup \cdots \cup subterms(t_n)\text {.} $$

A term t is ground if it contains no variables, i.e. \(subterms(t) \cap V = \emptyset \) where \(V = \bigcup _{s \in \mathcal {S}} V_s\), and we denote the set of all (ground) terms of type s as \( Ter _s\) (\( GTer _s\)). A (ground) substitution \(\sigma \) is a partial function from variables to (ground) terms of the same type or a subtype. Given a substitution \(\sigma \) and a term t, we write \(t\sigma \) to denote the application of the substitution. Given a set \(S = \lbrace t_1,\ldots ,t_n\rbrace \), we write \(S\sigma = \lbrace t_1\sigma ,\ldots ,t_n\sigma \rbrace \). We say \(\sigma \) is a grounding substitution for S if all terms in \(S\sigma \) are ground.

The model is extended with an equational theory E, which describes the semantics of the functions in \(\varSigma \). Pairs \(lhs = rhs\) in E define an equivalence relation \(\simeq _{E}\) on terms constructed using \((\mathcal {S}, \le , \varSigma )\).

Example 1

We define the pair operator \(\langle \_,\_ \rangle \in \varSigma _{\mathsf {msg}\times \mathsf {msg}, \mathsf {msg}}\), and the corresponding projection functions \( fst , snd \in \varSigma _{\mathsf {msg}, \mathsf {msg}}\) such that \( fst ( \langle x, y \rangle ) = x\) and \( snd ( \langle x, y \rangle ) = y\).

The equivalence relation \(\simeq _{E}\) is extended to other terms in the algebra in the natural way, e.g. \( fst ( \langle \langle x, y \rangle , z \rangle ) \simeq _{E} \langle x, y \rangle \).

A multiset is a set, M, counted with multiplicity - multiple copies of an element k can be contained in M. We write \(|k |_M\) to denote the number of occurrences of k in M, with \(|k |_M = 0\) if \(k \not \in M\). Given a set S, we write \(\mathcal {M}(S)\) to denote the collection of all multisets that can be written using elements of S.

The multisets we will study are a restricted subset of those constructible using the order-sorted signature \((\mathcal {S}, \le , \varSigma )\) above. In particular, we define the universe of states, \(\mathbb {U}(\varSigma )\) as:

Each element \(S \in \mathbb {U}(\varSigma )\) represents a single valid state of a protocol execution. We now look at how we can move from one state to the next.

A rule r is defined by a pair \(( lhs , rhs )\) of multisets. Suppose \(\sigma \) is a grounding substitution for \( lhs \). A rule application \(r\sigma \) is a partial mapping \(\mathbb {U}(\varSigma ) \rightarrow \mathbb {U}(\varSigma )\). It acts on a state \(S \in \mathbb {U}(\varSigma )\) by identifying a submultiset of S equivalent (modulo E) to \(\sigma ( lhs )\), and replacing it with \(\sigma ( rhs )\); it is undefined on states that contain no such submultiset. Note that multiset rules must respect the equational theory E, so that \(S \simeq _{E} S^\prime \implies r\sigma (S) \simeq _{E} r\sigma (S^\prime )\). We express protocol rules as labelled transitions.

Example 2

Consider the protocol rule \(\mathtt {Combine}\):

$$\begin{aligned} \frac{\begin{array}{@{}c@{}}{\text {A}}(x) {\text {A}}(y)\end{array}}{\begin{array}{@{}l@{}}{\text {B}}(x,y)\end{array}}~\mathtt {Combine}\text {,} \end{aligned}$$

which takes two facts built with symbol \({\text {A}}\), and returns a new \(\mathsf {fact}\) which contains the subterms of the two previous facts. Let \(S = \lbrace {\text {A}}(a), {\text {A}}(b), {\text {A}}(c) \rbrace \). The grounding substitution \(\sigma = \lbrace x \mapsto a, y \mapsto b \rbrace \) yields the rule application:

$$ \lbrace {\text {A}}(a), {\text {A}}(b), {\text {A}}(c) \rbrace \xrightarrow {\mathtt {Combine}\,\sigma } \lbrace {\text {B}}(a,b), {\text {A}}(c) \rbrace $$
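The rule application of Example 2 can be carried out mechanically. The following is an added example, not code from the paper: a small multiset-rewriting engine in which terms are nested tuples, names are strings, variables are `Var` objects and a state is a `Counter`. The encoding of a fact as a tuple whose first element is the fact symbol, and the use of purely syntactic matching (the empty equational theory), are assumptions of this example; it enumerates every grounding substitution of the left-hand side rather than just the one chosen in the text.

```python
# Added example (not from the paper): a minimal multiset-rewriting engine in the
# style of Sect. 2.1.  Terms are nested tuples ("f", t_1, ..., t_n), names are
# plain strings, variables are Var objects and a state is a Counter (multiset).
# Encoding a fact as a tuple whose first element is the fact symbol is an
# assumption of this example.
from collections import Counter
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Var:
    """An uninstantiated value, i.e. an element of some carrier set V_s."""
    name: str


def subterms(t):
    """subterms(t) = {t} ∪ subterms(t_1) ∪ ... ∪ subterms(t_n) for t = f(t_1..t_n);
    an atom (name or variable) has itself as its only subterm."""
    if isinstance(t, (Var, str)):
        return {t}
    acc = {t}
    for arg in t[1:]:
        acc |= subterms(arg)
    return acc


def is_ground(t):
    return not any(isinstance(s, Var) for s in subterms(t))


def match(pattern, term, sigma):
    """Extend substitution sigma so that pattern·sigma == term (syntactic
    matching, i.e. the empty equational theory); return None on failure."""
    if isinstance(pattern, Var):
        if pattern not in sigma:
            return {**sigma, pattern: term}
        return sigma if sigma[pattern] == term else None
    if isinstance(pattern, str) or isinstance(term, (Var, str)):
        return sigma if pattern == term else None
    if pattern[0] != term[0] or len(pattern) != len(term):
        return None
    for p, t in zip(pattern[1:], term[1:]):
        sigma = match(p, t, sigma)
        if sigma is None:
            return None
    return sigma


def apply_subst(t, sigma):
    """t·sigma; every variable of t must be bound (rhs variables come from lhs)."""
    if isinstance(t, Var):
        return sigma[t]
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(apply_subst(a, sigma) for a in t[1:])


def mset(*facts):
    return Counter(facts)


def rule_applications(rule, state):
    """All successor states S --r·sigma--> S' of a rule (lhs, rhs) on state S.
    Each assignment of distinct state facts to the lhs facts that matches under
    some sigma removes those facts and adds rhs·sigma.  Exhaustive search, so it
    is only meant for small states."""
    lhs, rhs = rule
    facts = list(state.elements())
    results, seen = [], set()
    for chosen in permutations(range(len(facts)), len(lhs)):
        sigma = {}
        for p, i in zip(lhs, chosen):
            sigma = match(p, facts[i], sigma)
            if sigma is None:
                break
        if sigma is None:
            continue
        succ = Counter(state)
        succ.subtract(Counter(facts[i] for i in chosen))
        succ.update(apply_subst(f, sigma) for f in rhs)
        succ = +succ                      # drop zero counts
        key = frozenset(succ.items())
        if key not in seen:               # same result from duplicate facts
            seen.add(key)
            results.append(succ)
    return results


x, y = Var("x"), Var("y")
COMBINE = ([("A", x), ("A", y)], [("B", x, y)])   # the rule Combine of Example 2
S = mset(("A", "a"), ("A", "b"), ("A", "c"))

if __name__ == "__main__":
    for succ in rule_applications(COMBINE, S):
        print(dict(succ))
```

On the state of Example 2 the engine finds six successor states, one per ordered choice of two distinct `A` facts; the one in the text, `{B(a,b), A(c)}`, is among them. Tamarin performs the same matching modulo the equational theory and with persistent facts, which this toy engine leaves out.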

Definition 2.1

(Protocol specification). A protocol specification P is defined by a tuple \(( \varSigma , E, R, S^{ start })\) where:

  • \(\varSigma = (F, \mathscr {F})\) is a collection of function symbols of signature types \(\varSigma _{\mathsf {msg}^*,\mathsf {msg}}\) and \(\varSigma _{\mathsf {msg}^*,\mathsf {fact}}\), respectively.

  • E is an equational theory over \(\varSigma _{\mathsf {msg}^*, \mathsf {msg}}\).

  • R is a collection of rules.

  • \(S^{ start }\subseteq \mathbb {U}(\varSigma )\) is a collection of potential starting states.

The set of starting states will usually be infinite, as they carry the details of a specific execution - the number of participating agents, their encryption keys, and so on.

A trace, \(\tau \), on P is a choice of starting state \(S^{0}\in S^{ start }\) and a finite ordered list of rule applications \((r_1\sigma _1 \ldots r_n\sigma _n)\) such that each successive application \(S^{0}\xrightarrow {r_1\sigma _1} \ldots \xrightarrow {r_n\sigma _n} S^n\) is valid.

The intermediate states in a trace can be reconstructed from the choices of rule applications. Given a trace \(\tau = (S^{0}, (r_1\sigma _1 \ldots r_n\sigma _n ))\), a second trace \(\tau ^\prime \) is an extension of \(\tau \), writing \(\tau \sqsubseteq \tau ^\prime \), if \(\tau ^\prime = (S^{0}, (r_1\sigma _1 \cdots r_n\sigma _n \ldots r_{n+k}\sigma _{n+k}))\). Similarly, we also say that \(\tau \) is a prefix of \(\tau ^\prime \) in this case.

Given a trace \(\tau \) we write \({\text {firstState}}(\tau )\) and \({\text {lastState}}(\tau )\) to denote the first state and the (implicit) last state in the trace. We write \({\text {rules}}(\tau )\) to denote the set of rules \(\lbrace r_1, \ldots , r_n \rbrace \) in \(\tau \). We write \({\text {traces}}(P)\) to denote the set of all possible traces on the protocol P.

We define an event fact, \({\text {E}}^\star \) to be a fact which appears only on the right-hand side of rules in R. Such facts can never be removed from the state of the protocol. Intuitively, while standard facts mark the current situation of a state, event facts form an indelible history of all important occurrences in a trace.

As such, we define the multiplicity of an event fact in a trace without ambiguity as \(|{\text {E}}^\star (t_1\ldots t_n) |_\tau := |{\text {E}}^\star (t_1\ldots t_n) |_{{\text {lastState}}(\tau )}\).

We define a quasi-order on event facts within traces, \(<_\tau \), as follows. Given two event facts \({\text {E}}^\star (t_1\ldots t_n), {\text {F}}^\star (s_1\ldots s_m)\), we say \({\text {E}}^\star (t_1\ldots t_n) <_\tau {\text {F}}^\star (s_1\ldots s_m)\) if there exists a prefix \(\tau ^\prime \sqsubseteq \tau \) such that:

figure a

In particular, this means that \({\text {F}}^\star \) was added to the state at some point after \({\text {E}}^\star \). In addition, we write \({\text {E}}^\star (t_1\ldots t_n)\le _\tau {\text {F}}^\star (s_1\ldots s_m)\) to indicate that \({\text {E}}^\star (t_1\ldots t_n)<_\tau {\text {F}}^\star (s_1\ldots s_m)\) or \(\left\{ {\text {E}}^\star (t_1\ldots t_n),{\text {F}}^\star (s_1\ldots s_m)\right\} \subseteq {\text {firstState}}(\tau )\).

We reserve several symbols in \(\mathscr {F}\) for all protocols, with the following interpretations:

  • \({\text {Net}}(\mathsf {msg})\) represents a message on the communication network.

  • \({\text {Fr}}(\mathsf {nonce})\) represents that the nonce in the argument has been freshly generated. By convention, we require that freshly generated terms are atomic.

  • \({\text {K}}(\mathsf {msg})\) represents that the adversary ‘knows’ the term in the argument.

Additional event facts are introduced as a consequence of the security requirements of the protocol being analysed. In Sects. 3 and 4, we will introduce several more event fact symbols used in order to analyse key-updating protocols.

2.2 The Adversary

An important concept in discussing the security of a protocol is an understanding of the adversary’s capabilities. In this work, the Dolev-Yao adversary model [8] is used. The Dolev-Yao adversary is assumed to have full control over the communication network. We make the perfect cryptography assumption: the adversary is incapable of decrypting messages without the appropriate key.

The adversary knowledge is modelled using facts \({\text {K}}\). The initial knowledge of the adversary is defined by the starting states of the protocol specification, but at a minimum contains all terms of type \(\mathsf {public}\). A set of additional protocol rules describe the capabilities of the adversary. These protocol rules allow the adversary to eavesdrop, block or modify messages that are sent on the communication network. We assume that all protocols being studied contain (at least) the set of adversary rules provided in Fig. 1. The set of rules which model the actions of the adversary is denoted as \( Adv \).

Fig. 1. The minimal set of adversary rules.

Given a state S, adversary knowledge \({\text {K}}\) and a term x, we write \((S, {\text {K}}) \vdash x\) to indicate that some combination of (only) the rules in Fig. 1 will allow the adversary to derive x from the state S.

We often also grant the adversary the limited ability to corrupt an agent, learning the value of any secret keys they hold. This is done through either the choice of starting states, or additional adversary rules.

2.3 Security Claims

Given a protocol P, a security claim on P is a first-order logic statement about the existence and ordering of event facts in traces of P.

We note that the validity of security claims is dependent upon a faithful description of the protocol in question. For example, in order to make security claims about the secrecy of certain knowledge, we should expect the protocol specification to contain \({\text {Secret}}^\star (t)\) (or similar) facts denoting the terms that are believed to be secret.

3 Desynchronisation Resistance

The intuition behind desynchronisation is that the protocol reaches a state from which it can no longer proceed in a meaningful way. In order to define precisely what this means, we must start with a notion of reachability. We refine this definition to progressively stronger versions, before introducing our definition of desynchronisation resistance.

Reachability is a property describing the ability of the protocol to transition from a given state to some desirable situation. We will want to ensure that in any reasonable conditions, the adversary cannot prevent the protocol from completing, but rather only delay it.

Definition 3.1

(State Reachability). Given a protocol \(P = (\varSigma , E, R, S^{ start })\), a set of rules \(W\subseteq R\) and two states \(S, S^\prime \;\in \mathbb {U}(\varSigma )\), we say that \(S'\) is reachable from S avoiding \(W\), denoted by \(S \rightsquigarrow _{\lnot W} S'\), if:

Note that we pay particular attention to the idea of reachability avoiding certain rules. We wish to show that no matter which actions an adversary takes, it is possible for the execution of a protocol to continue once the adversary becomes inactive. As such, we use \(\rightsquigarrow _{\lnot Adv }\) to denote reachability in absence of the adversary, and \(\rightsquigarrow \) for the particular case when no rules are forbidden.

Given a protocol \(P=( \varSigma , E, R, S^{ start })\) and a state \(S \in \mathbb {U}(\varSigma )\) we define the set of states reachable from S as \({\text {reachable}}(S) = \lbrace S^\prime \in \mathbb {U}(\varSigma ) \mid S \rightsquigarrow S^\prime \rbrace \). Overloading notation, we define the set of states reachable by P as \({\text {reachable}}(P) = \bigcup _{S^{0}\in S^{ start }}{\text {reachable}}(S^{0})\).

Next, the notion of reachability is extended from the context of states to the context of event facts.

Definition 3.2

(Event Reachability). Let P be a protocol, \(S\in \mathbb {U}(\varSigma )\) a state, \(W\) a set of rules and \({\text {E}}^\star \) an event fact. We say that \({\text {E}}^\star \) is reachable from S avoiding \(W\), denoted by \(S \rightsquigarrow _{\lnot W} {\text {E}}^\star \), if:

figure b

Intuitively, given a trace \(\tau \) that contains S, it is possible to extend \(\tau \) in such a way that the event fact \({\text {E}}^\star \) is reached. Like before, we will write \(S\rightsquigarrow {\text {E}}^\star \) to indicate \(S \rightsquigarrow _{\lnot \emptyset } {\text {E}}^\star \).

Reachability captures the idea that a desired state or event can be achieved once. However, we require that our protocol be able to complete not just once but arbitrarily many times, which calls for a notion stronger than standard reachability. To express it, we introduce the event facts:

  • \({\text {Complete}}^\star (\mathsf {agent}, \mathsf {agent})\) indicates that the first agent believes they have successfully completed a run of the protocol with the second.

  • \({\text {Corrupt}}^\star (\mathsf {agent})\) represents that the named agent has performed an action that deviates from their protocol specification, or that the adversary has stolen confidential data from them.

Desynchronisation occurs when two agents who were originally able to finish a protocol execution lose this ability.

Definition 3.3

(Desynchronisation Resistance). A protocol P is desynchronisation resistant if:

Intuitively, if A and B are able to complete the protocol once without any actions being performed by the adversary, then they will always be able to do so, except in the case that one of the participants has been corrupted, giving secret data to the adversary.

4 Verifying Desynchronisation Resistance

In this section we look at a specific instantiation of the theory in the previous sections, and show that it can be used to verify desynchronisation resistance. We also provide ‘lower’ and ‘upper’ bounds to desynchronisation resistance, proving that violating this combination of properties results in an attack. Note that other choices of environment could be made depending on the target domain, with comparable results.

We model a synchronous key updating environment, in which a pair of agents each store a number of secret communication keys to be used with their intended partner. In an ideal execution, the keys stored by one agent will always correspond to those stored by their partner.

4.1 A Sequential Key Updating Environment

Recall that a protocol specification is defined by a tuple \(( \varSigma , E, R, S^{ start })\), where \(\varSigma \) is further divided into the collections F and \(\mathscr {F}\) of functions on terms and fact symbols. We provide next a framework composed of F, E, and \(\mathscr {F}\). Depending on the protocol, it may be necessary to extend the equational theory. The set of rules R is a consequence of the protocol being examined.

The function symbols in F represent the standard symmetric and asymmetric encryption and decryption functions, and E defines their semantics.

The facts \({\text {ShKeys}}\) and \({\text {Session}}\) provide information about the knowledge of an agent. \({\text {ShKeys}}\) facts represent their long term knowledge, in the form of communication keys for use with a named partner. \({\text {Session}}\) facts are used to store session data for a single execution of the protocol. The \({\text {AddKey}}^\star \) and \({\text {DropKey}}^\star \) event facts mark changes to the stored keys of an agent.

Definition 4.1

(Starting States). The set of starting states \(S^{ start }\) is the set composed of all \(S^{0}\in \mathbb {U}(\varSigma )\) that satisfy the following conditions:

We note the following intuitions behind the above requirements:

(i) A starting state may not contain messages.

(ii) A starting state may not contain session data.

(iii) An agent stores only one set of keys for use with each potential communication partner.

(iv) If a starting state contains an agent A who stores a secret key \(k_i\) for communicating with an agent B, then there is a corresponding \({\text {AddKey}}^\star \) fact showing that A has added this key.

(v) If a starting state contains an \({\text {AddKey}}^\star \) fact, then either the corresponding agent has that key in their knowledge, or there is also a corresponding \({\text {DropKey}}^\star \) fact.

(vi) If a starting state contains an agent A who stores a secret key \(k_i\) for communicating with an agent B, and the adversary knows the value \(k_i\), then either A or B is corrupt.

We point out that a starting state does allow for instances of the event fact. This does not interfere with any reachability claims, as these describe the ability to add new instances of these event facts to the trace.

In addition, we grant the adversary two capabilities. Firstly, the adversary is able to “corrupt” an agent, learning any secret keys they are holding. Second, we allow the adversary to “cancel” the session of an agent, causing them to lose any stored session data. For example, this models the ability of an adversary to block messages sent on the network until an agent assumes their partner has halted communication. We do this by requiring that the set of rules R contains the rules and , defined below.

4.2 Satisfying Desynchronisation Resistance

Given a protocol constructed in the model above, we provide a set of conditions that are sufficient to satisfy desynchronisation resistance.

We start with a predicate stating whether two agents share a common key in a given state. Let P be a protocol and \(S \in {\text {reachable}}(P)\). We say that two agents A and B have a common key in S, denoted , if and only if:

Now we define completion conditional on a common key as the property of a protocol that two agents are able to complete the protocol with each other in absence of the adversary if and only if they have a common key.

Property 4.2

(Reachable Conditional on Common Key). We say that P satisfies completion conditional on a common key if:

With these in mind, we now define several other properties describing the nature in which the shared keys used by agents in a protocol are updated. Properties 4.3 and 4.4 give syntactic requirements on protocols. In particular, we require that a protocol’s specification is consistent in the way that \({\text {ShKeys}}\) linear facts are modified with respect to the addition of the \({\text {AddKey}}^\star \) and \({\text {DropKey}}^\star \) event facts. We also make the assumption that an agent always stores the same number of encryption keys for communicating with their partner.

Property 4.3

(Well-Formed Key Updates). A protocol \(P=( \varSigma , E, R, S^{ start })\) satisfies Well-Formed Key Updates if the following two conditions hold for all rules \(r \in R\):

figure c

Next we define the Key Conservation property. It states that every agent must keep the same number of keys during the execution of the protocol. We also require each rule to consider at most a single shared key fact.

Property 4.4

(Key Conservation). A protocol \(P=( \varSigma , E, R, S^{ start })\) satisfies Key Conservation if for every rule \(r\in R\), and every \(A, B :\mathsf {agent}, \ k_1,\ldots , k_n :\mathsf {msg}\), there exists an instance of \({\text {ShKeys}}(A, B, \langle k_1,\ldots , k_n\rangle )\) on the left-hand side of r if and only if there is some \(l_1, \ldots , l_n :\mathsf {msg}\) such that the right-hand side of r contains \({\text {ShKeys}}(A,B, \langle l_1, \ldots , l_n \rangle )\).

Next we define Key Uniqueness as the notion that a given encryption key will only be generated at most once. Once discarded by an agent they will never re-use it, nor can a different pair of agents ever (intentionally or otherwise) generate the same encryption key.
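Claims of this kind are statements about the existence, multiplicity and ordering of event facts in a trace (Sect. 2.3), so they can be evaluated on a concrete trace. The following is an added example, not the paper's tooling: a trace is represented by its starting event facts plus, for each rule application, the event facts it adds; the checker computes \(|{\text {E}}^\star|_\tau\), the order \(<_\tau\) and \(\le_\tau\) of Sect. 2.1, and the Key Uniqueness conditions as described in the paragraph above. The tuple encoding of event facts and the argument order (agent, partner, key) are assumptions of this example, and the two traces it checks are constructed.

```python
# Added example (not from the paper): evaluating claims over event facts, as in
# Sect. 2.3, on concrete traces.  A trace is (starting event facts, [(rule name,
# event facts added by that application), ...]); an event fact is a tuple such as
# ("AddKey", agent, partner, key).  The tuple encoding and the argument order
# (agent, partner, key) are assumptions of this example.
from collections import defaultdict


def occurrences(trace):
    """fact -> indices of the steps that added a copy (0 = starting state).
    Event facts are never removed, so |E|_tau is the length of the list and the
    first index decides the ordering <_tau."""
    start, steps = trace
    occ = defaultdict(list)
    for e in start:
        occ[e].append(0)
    for i, (_rule, added) in enumerate(steps, start=1):
        for e in added:
            occ[e].append(i)
    return occ


def multiplicity(trace, e):
    return len(occurrences(trace).get(e, []))


def before(trace, e, f):
    """E <_tau F: some prefix of tau already contains E but not F."""
    occ = occurrences(trace)
    return e in occ and f in occ and occ[e][0] < occ[f][0]


def before_or_initial(trace, e, f):
    """E <=_tau F: E <_tau F, or both are already in firstState(tau)."""
    occ = occurrences(trace)
    both_initial = occ.get(e, [None])[0] == 0 and occ.get(f, [None])[0] == 0
    return before(trace, e, f) or both_initial


def key_uniqueness_violations(trace):
    """Key Uniqueness as described with Definition 4.5: a key is generated at most
    once per (agent, partner), never re-added after that agent dropped it, and
    never generated by two different agent pairs.  Returns the violations found."""
    occ = occurrences(trace)
    owners = defaultdict(set)             # key -> set of unordered agent pairs
    found = []
    for e, when in list(occ.items()):
        if e[0] != "AddKey":
            continue
        _, a, b, k = e
        owners[k].add(frozenset((a, b)))
        if len(when) > 1:
            found.append(("generated twice", e))
        drops = occ.get(("DropKey", a, b, k), [])
        if drops and any(t > drops[0] for t in when):
            found.append(("re-used after drop", e))
    for k, pairs in owners.items():
        if len(pairs) > 1:
            found.append(("shared across pairs", k))
    return found


# Constructed traces.  GOOD: A and B move from k0 to k1, A adding k1 before B
# drops k0.  BAD: another pair C, D generates k1 too, and A re-adds k0 after
# dropping it.
GOOD = (
    [("AddKey", "A", "B", "k0"), ("AddKey", "B", "A", "k0")],
    [("A_send", [("AddKey", "A", "B", "k1")]),
     ("B_recv", [("DropKey", "B", "A", "k0"), ("AddKey", "B", "A", "k1"),
                 ("Complete", "B", "A")]),
     ("A_recv", [("DropKey", "A", "B", "k0"), ("Complete", "A", "B")])],
)
BAD = (
    [("AddKey", "A", "B", "k0"), ("AddKey", "B", "A", "k0")],
    [("A_upd", [("DropKey", "A", "B", "k0"), ("AddKey", "A", "B", "k1")]),
     ("rogue", [("AddKey", "C", "D", "k1")]),
     ("replay", [("AddKey", "A", "B", "k0")])],
)

if __name__ == "__main__":
    print(key_uniqueness_violations(GOOD))   # no violations
    print(key_uniqueness_violations(BAD))
```

In an automated prover the same claims are stated as formulas over the timepoints at which event facts are added, and the tool searches for a counterexample trace; the checker above only evaluates them on a trace that is already given.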

Definition 4.5

(Key Uniqueness). A protocol P satisfies Key Uniqueness if for every \(\tau \in {\text {traces}}(P)\) and every \(A,B, A', B' :\mathsf {agent}\) and every \(k:\mathsf {msg}\) with \(\{A, B\} \ne \{A', B'\}\) it holds that:

We next describe the properties of Key Preparedness and Key Resilience. Together with Key Uniqueness, these are the main security requirements that are to be verified. Intuitively, they provide a semi-strict ordering on the key updates of paired agents.

Definition 4.6

(Key Preparedness for agents A and B). A protocol P satisfies Key Preparedness for agents A and B if

Definition 4.7

(Key Resilience for agents A and B). A protocol P satisfies Key Resilience for agents A and B if

The second case in the Key Resilience claim accounts for the trivial case of a starting state containing \({\text {DropKey}}^\star \) facts for which we cannot be sure of the source.

We note that the above properties are verifiable, either by examination of the protocol specification (Properties 4.2, 4.3 and 4.4), or through verification of traces in an automated prover tool (Definitions 4.5, 4.6 and 4.7). We denote the properties as WF, KC, KU, KP and KR respectively for Well Formedness, Key Conservation, Key Uniqueness, Key Preparedness and Key Resilience.

Theorem 4.8

(Sufficiency). Let \(P=( \varSigma , E, R, S^{ start })\) be a protocol that satisfies Properties 4.2, 4.3, 4.4 and Definition 4.5. P satisfies desynchronisation resistance if for all \(S^{0}\in S^{ start }\) and all agents A, B such that \({\text {CommonKey}}_{A,B}(S^{0})\), one of the following conditions holds:

  • Key Preparedness (Definition 4.6) for agents A and B holds, and Key Resilience (Definition 4.7) for agents B and A holds, or

  • Key Preparedness (Definition 4.6) for agents B and A holds, and Key Resilience (Definition 4.7) for agents A and B holds.

Before we begin the proof of Theorem 4.8, we provide some helper lemmas. We define the \( strip ()\) function, which allows us to transform a state into a starting state.

Definition 4.9

(Strip Function). We define the function \( strip ()\), which maps from states to states. We define \( strip (S)\) to be the multiset that is equal to S, but with all instances of \({\text {Session}}\), \({\text {K}}\) and \({\text {Net}}\) removed.

Lemma 4.10

Let P be a protocol which satisfies Key Conservation (Property 4.4) and Well-Formed Key Updates (Property 4.3). Suppose \(S \in {\text {reachable}}(P)\). Then \( strip (S)\) is a starting state of this protocol, as per the requirements of starting states in Definition 4.1.

Proof

Points (i), (ii) and (vi) are immediate from the absence of corresponding facts. (iii) is a consequence of Key Conservation, (iv) and (v) from Well-Formed Key Updates.    \(\square \)

Lemma 4.11

Let P be a protocol which satisfies Key Conservation (Property 4.4) and Well-Formed Key Updates (Property 4.3), and \(\tau \) a trace of P with final state S. Suppose \(\gamma \) is a trace of P with starting state \( strip (S)\) that contains no adversary rules. Then appending the rule applications of \(\gamma \) to \(\tau \), written \(\gamma \cdot \tau \), gives a trace in \({\text {traces}}(P)\) that is an extension of \(\tau \).

Proof

Suppose \(\gamma = ( strip (S), r_1\sigma _1\ldots r_n\sigma _n)\). We claim that the series of rule applications \(r_1\sigma _1\ldots r_n\sigma _n\) are valid from the state S. Indeed, the rule application \(r_1\sigma _1\) can be dependent only on \({\text {ShKeys}}\) facts, as these are the only linear facts which can be in a starting state. These facts exist in both S and \( strip (S)\). By the same logic, the rest of the series of applications are also valid.    \(\square \)

Proof

(Theorem 4.8). Assume that the agents A and B are not corrupt. Without loss of generality, we assume the first case holds - that we have Key Preparedness for A and B, and Key Resilience for B and A.

Our proof proceeds in two steps. First, we show that the common key predicate is sufficient to ensure completion from any state, not just the starting states:

Secondly, we show that the common key property is invariant:

From these two claims, the result will immediately follow. To show the first point, we use the \( strip ()\) function from Definition 4.9. Note that if A and B have a common key in S, then they have a common key in \( strip (S)\). Then, by Lemma 4.11, the claim follows.

For the second point, we must show that for any rule application \(r\sigma \) in which a \({\text {DropKey}}^\star \) event fact is added, the common key predicate is preserved. Indeed, the well-formedness properties of Property 4.3 ensure that these are the only possible rule applications which can affect the predicate.

Suppose we have \(S \in {\text {reachable}}(P)\) such that \({\text {CommonKey}}_{A,B}(S)\), and a rule application \(r_n\sigma _n\). We split into the cases when \({\text {DropKey}}^\star (A,B,k)\) is added, or when \({\text {DropKey}}^\star (B,A,k)\) is added. Suppose now \(r_n\sigma _n\) adds \({\text {DropKey}}^\star (A,B,k)\), then:

and so now \(k^\prime \) is a common key after the rule application. Therefore the Common Key predicate is preserved.

Suppose instead \(r_n\sigma _n\) adds \({\text {DropKey}}^\star (B,A,k)\), then:

and so k was not a common key before the rule application. Therefore since S contained some key \(k^\prime \) that was a common key, so does the state after the rule application, and so the common key predicate is preserved.   \(\square \)

Theorem 4.8 provides a set of sufficient conditions to ensure that a protocol in our model satisfies desynchronisation resistance. We provide one example of a necessary condition to satisfy desynchronisation resistance: any protocol that fails to meet this condition also fails to provide resistance against desynchronisation attacks.

Theorem 4.12

(Necessity). Let \(P= ( \varSigma , E, R, S^{ start })\) be a protocol that satisfies Properties 4.2, 4.3, and 4.4. Let \(S^{0}\in S^{ start }\) and \({\text {ShKeys}}(A,B,k) \in S^{0}\) (i.e. A stores exactly one key for B) and assume P does not satisfy Key Preparedness (Definition 4.6) for A and B. Then P either contains no reachable key update rule applications for A, or it does not satisfy desynchronisation resistance.

Proof

Suppose P contains at least one key update rule for A. We will construct a trace from which the \({\text {Complete}}^\star (A,B)\) event fact is no longer reachable without adversary interference.

Let \(\tau = (S^{0}, r_1\sigma _1,\ldots ,r_n\sigma _n)\) be a trace such that \(r_n\sigma _n\) is a key update rule application for A that violates the Key Preparedness property. Consider the state \( strip ({\text {lastState}}(\tau ))\). Note this state is reachable from \({\text {lastState}}(\tau )\) through the rules \(\textsc {Sh\_Cancel}\) and \(\textsc {Block}\).

By Reachability Conditional on a Common Key (Property 4.2), there exist no traces starting from \( strip ({\text {lastState}}(\tau ))\) that lead to the \({\text {Complete}}^\star (A,B)\) event fact without adversary interference. Thus desynchronisation resistance is violated.    \(\square \)
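The two arguments above, the invariance of the common-key predicate under key-dropping steps (Theorem 4.8) and the unprepared update that leaves no common key behind (Theorem 4.12), can be exercised on concrete states. The following is an added illustration written for this page, not code from the paper or its repository. It models a state as a multiset of fact tuples, implements \( strip ()\) exactly as Definition 4.9 describes, and checks each rule application against the two conditions the proof of Theorem 4.8 relies on. Since Definitions 4.6 and 4.7 are only cited here, the checks use an assumed operational reading taken from that proof: when A drops a key for B some common key must remain afterwards, and when B drops a key for A that key must not have been common beforehand. The fact names, the treatment of \({\text {DropKey}}^\star \) as a separate event list, and both traces are constructed for the example.

```python
"""Multiset-state checker for strip() and the common-key predicate (added example)."""
from collections import Counter

# A state is a multiset of facts; a fact is a tuple whose first element is its
# name, e.g. ("ShKeys", "A", "B", "k0") or ("Net", "msg").  These names follow
# the page; the exact arities are an assumption of this example.
STRIPPED = {"Session", "K", "Net"}   # Definition 4.9: facts removed by strip()


def strip(state):
    """strip(S): the multiset equal to S with every Session, K and Net fact removed."""
    return Counter({f: n for f, n in state.items() if f[0] not in STRIPPED})


def stored_keys(state, a, b):
    """All k such that ShKeys(a, b, k) is in the state (keys a stores for partner b)."""
    return {f[3] for f in state if f[0] == "ShKeys" and f[1] == a and f[2] == b}


def common_keys(state, a, b):
    """Keys stored by both sides; CommonKey_{a,b}(S) is read as this set being non-empty."""
    return stored_keys(state, a, b) & stored_keys(state, b, a)


def apply_rule(state, removed, added):
    """One rule application: consume the premise facts, produce the conclusion facts.
    Raises if a fact to consume is absent, i.e. the application would not be valid."""
    after = Counter(state)
    for f in removed:
        if after[f] <= 0:
            raise ValueError(f"rule not applicable: missing fact {f}")
        after[f] -= 1
    after += Counter(added)          # Counter addition also discards zero counts
    return after


def check_step(before, removed, added, events, a, b):
    """Apply a step and report violations of the two conditions used in the proof of
    Theorem 4.8 (assumed reading of Definitions 4.6 and 4.7, which the page only cites).
    `events` lists DropKey*(X, Y, k) event facts as ("DropKey*", X, Y, k) tuples."""
    after = apply_rule(before, removed, added)
    problems = []
    for _, who, partner, k in events:
        # Key Preparedness for (a, b): a may only drop a key if a common key survives.
        if (who, partner) == (a, b) and not common_keys(after, a, b):
            problems.append(f"{a} dropped {k} leaving no common key (preparedness)")
        # Key Resilience for (b, a): b never drops a key that was still common.
        if (who, partner) == (b, a) and k in common_keys(before, a, b):
            problems.append(f"{b} dropped common key {k} (resilience)")
    return after, problems


def prepared_update_trace():
    """Constructed trace in which A keeps k0 until B also holds k1.
    Returns (final state, violations); the predicate should survive every step."""
    a, b = "A", "B"
    s = Counter({("ShKeys", a, b, "k0"): 1, ("ShKeys", b, a, "k0"): 1})
    steps = [
        # A derives k1, keeps k0 and sends the update over the network
        ([], [("ShKeys", a, b, "k1"), ("Net", "upd")], []),
        # B consumes the update and stores k1 alongside k0
        ([("Net", "upd")], [("ShKeys", b, a, "k1")], []),
        # A drops k0: k1 is already common, so preparedness holds
        ([("ShKeys", a, b, "k0")], [], [("DropKey*", a, b, "k0")]),
        # B drops k0: A no longer holds it, so it was not common (resilience holds)
        ([("ShKeys", b, a, "k0")], [], [("DropKey*", b, a, "k0")]),
    ]
    problems = []
    for removed, added, events in steps:
        s, found = check_step(s, removed, added, events, a, b)
        problems += found
    return s, problems


def unprepared_update_trace():
    """Constructed trace matching the proof of Theorem 4.12: A replaces k0 by k1 in a
    single step, before B can learn k1, so no common key is left in the final state."""
    a, b = "A", "B"
    s = Counter({("ShKeys", a, b, "k0"): 1, ("ShKeys", b, a, "k0"): 1})
    return check_step(
        s,
        [("ShKeys", a, b, "k0")],
        [("ShKeys", a, b, "k1"), ("Net", "upd")],
        [("DropKey*", a, b, "k0")],
        a, b,
    )


if __name__ == "__main__":
    good, good_problems = prepared_update_trace()
    bad, bad_problems = unprepared_update_trace()
    print("prepared:", sorted(common_keys(good, "A", "B")), good_problems)
    print("unprepared:", sorted(common_keys(bad, "A", "B")), bad_problems)
    # strip() never touches ShKeys, so the common keys of S and strip(S) agree
    print("after strip:", sorted(common_keys(strip(bad), "A", "B")))
```

In the unprepared trace the stripped final state holds ShKeys(A, B, k1) and ShKeys(B, A, k0) and nothing else, which is exactly the starting state that the proof of Theorem 4.12 hands to Property 4.2: with no common key, no adversary-free trace from it can reach \({\text {Complete}}^\star (A,B)\). A model builder can run the same checks over a trace exported from a tool to confirm that every \({\text {DropKey}}^\star \) step respects the two conditions before relying on Theorem 4.8.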

5 Automated Verification

In this section we discuss the automated verification of the security properties from the previous section in the proving tool Tamarin. Tamarin uses multiset rewriting theory at its core, allowing for our model to be naturally implemented. We discuss the basic details of the implementation of the properties from Sect. 4 in Tamarin, before discussing two protocols that were analysed and shown to have attacks by using the Tamarin prover. In Appendix A we discuss some of the obstacles overcome in the implementation. The full implementations, along with diagrams and full descriptions of the attack traces, can be found on our git repository (Footnote 1), along with several other demonstrations of the security properties defined in this paper.

Definitions 4.5, 4.6, and 4.7 can be readily implemented in Tamarin. The remaining definitions used in our results can be verified syntactically from a protocol specification. With these considerations, our security properties can be analysed.

We note that the environment introduced in Sect. 4 is applicable to a large majority of key updating protocols. For example, many modern messaging applications make use of variations of the Diffie-Hellman Double Ratchet algorithm, which satisfies Common-Key Reachability (Property 4.2), Key Conservation (Property 4.4), and Key Uniqueness (Property 4.5). Note that Well-Formedness is a consequence of the specification of the protocol, not the protocol itself. The Gossamer protocol in the RFID domain also satisfies these properties. As a consequence, the verification of these protocols is limited only by the power of the analysis tools involved.

5.1 Identified Attacks

Our analysis identified novel attacks in two papers from the domain of RFID grouping protocols. In particular, these protocols were shown to violate the conditions of Theorem 4.12.

A desynchronisation attack was found on the grouping protocol of Sundaresan, Doss, and Zhou [26]. The attack consists of a modified replay message, taking advantage of the algebraic properties of the exclusive-OR function, which is used to mask data. This replay causes an RFID tag to incorrectly authenticate the adversary as a valid reader, updating its key past a safe threshold. The intended execution of the protocol, and a trace which leads to a desynchronisation attack, can be found in Fig. 2. A very similar attack can be found on another RFID grouping protocol, by Sundaresan, Doss, Piramuthu and Zhou [24].

Fig. 2. The grouping protocol of Sundaresan et al. (left), and attack trace (right)

An attack was also found on the ‘two-round grouping proof’ of Abughazalah, Markantonakis and Mayes [1]. This protocol consists of a single message-response round which allows multiple tags to authenticate to a single RFID reader. However, a modified replay attack abuses a built-in measure that allows a tag to ‘reset’ its group key. In this instance, the adversary can launch countless replay messages, causing a tag to update its personal encryption key arbitrarily many times. Further information about the attack can be found in Appendix B.

6 Conclusion

Denial-of-Service attacks are often not considered in the analysis of security protocols, mainly because such attacks are hard to distinguish from regular omissions in the underlying communication channel. However, some types of DoS attacks are aimed at vulnerabilities at the protocol level. A typical example is formed by the class of desynchronisation attacks, which aim to disrupt all future communications between the protocol agents by desynchronising their communication keys.

Even though such desynchronisation attacks have been known for over a decade, formal analysis tools have been lacking. In this paper we have addressed this issue by developing a formal definition of desynchronisation resistance using a protocol model based on multiset rewriting. This definition has been operationalised by defining a set of sufficient and necessary conditions that can be easily validated by current state-of-the-art verification tools, such as Tamarin. We showed the applicability of our methodology by deriving two novel desynchronisation attacks on published RFID protocols.