Title: A Novel Approach for Reasoning about Liveness in Cryptographic Protocols and Its Application to Fair Exchange
Authors: M. Backes, Jannik Dreier, S. Kremer, R. Künnemann
Venue: 2017 IEEE European Symposium on Security and Privacy (EuroS&P)
DOI: 10.1109/EuroSP.2017.12 (https://doi.org/10.1109/EuroSP.2017.12)
Published: 2017-04-26
Citations: 17
Abstract
In this paper, we provide the first methodology for reasoning about liveness properties of cryptographic protocols in a machine-assisted manner without imposing any artificial, finite bounds on the protocols and execution models. To this end, we design an extension of the SAPiC process calculus so that it supports key concepts for stating and reasoning about liveness properties, along with a corresponding translation into the formalism of multiset rewriting that the state-of-the-art theorem prover Tamarin relies upon. We prove that this translation is sound and complete and can thereby automatically generate sound Tamarin specifications and automate the protocol analysis. We then apply our methodology to two widely investigated fair exchange protocols, ASW and GJM, and to the Secure Conversation Protocol standard for industrial control systems, deployed by major players such as Siemens, SAP and ABB. For the fair exchange protocols, we not only re-discover known attacks but also uncover novel attacks that previous analyses, based on finite models and a restricted number of sessions, did not detect. We suggest fixed versions of these protocols for which we prove both fairness and timeliness, yielding the first automated proofs for fair exchange protocols that rely on a general model without restricting the number of sessions or the message size. For the Secure Conversation Protocol, we prove several strong security properties that are vital for the safety of industrial systems, in particular that all messages (e.g., commands) are eventually delivered in order.