Formalizing GDOI Group Key Management Requirements in NPATRL ⁄ Catherine Meadows, Paul Syverson Iliano Cervesato CenterforHighAssuranceComputerSystems AdvancedEngineeringandSciencesDivision NavalResearchLaboratory ITTIndustries,Inc. Washington,DC20375-5320,USA Alexandria,VA22303-1410,USA fmeadows, [email protected] [email protected] ABSTRACT tocolswerelittleunderstood,andthatasmuchormorework neededtobeputintodevelopingasetofformalsecurityre- Although there is a substantial amount of work on formal quirements as into the formal speciflcation of the protocol requirements for two and three-party key distribution pro- itself. Moreover, although these requirements were devel- tocols, very little has been done on requirements for group opedspeciflcallyforGDOI,webelievethattheyaregeneric protocols. However, since the latter have security require- enough so that they could be applied to many other group ments that can difier in important but subtle ways, we be- key management protocols with the appropriate modiflca- lievethatarigorousexpressionoftheserequirementscanbe tions. The added complexity of the requirements resulting useful in determining whether a given protocol can satisfy from the needs of secure group communication has also in- anapplication’sneeds. Inthispaperwemakeaflrststepin duced us to develop NPATRL into a full-scale logic that providing a formal understanding of security requirements canbeusedtoreasonaboutrequirementsaswellasspecify for group key distribution by using the NPATRL language, them. Wedescribethelogicandshowhowitcanbeapplied a temporal requirement speciflcation language for use with in simplifying requirements. the NRL Protocol Analyzer. We specify the requirements Agroupkeydistributionprotocolisoneinwhichakeyis forGDOI, aprotocolbeing proposedasanIETFstandard, distributed to members of a group, which may be of arbi- which we are formally specifying and verifying in coopera- trarysizeforsomeapplications. Thiskeymaybedistributed tion with the MSec working group. by the members of the group themselves (as in the Cliques protocol [13]), by a centralized key distributor, or by a col- 1. INTRODUCTION lection of key distributors. Such protocols may support a Before we can determine whether or not a security pro- number of difierent applications, such as secure multicast tocol satisfles its requirements, it is necessary to determine and secure dynamic coalitions. They usually must support what those requirements are. Requirements are in general thejoiningandleavingofmembersandpossiblyotheroper- wellunderstoodforkeydistributionprotocolsinvolvingtwo ations. They may also put restrictions on joining members or three parties, and a number of formalizations of such re- having access to old keys or on leaving members having ac- quirements exist. But, they are not as well understood for cess to new keys. group key distribution protocols, where keys may possibly Superflcially,groupkeydistributionprotocolsseemtosat- bedistributedamonganarbitrarilylargegroupofprincipals isfy requirements very similar to pairwise key distribution that may join or leave the group at any time. In this pa- protocols. Both have requirements for secrecy (no one out- perweattempttoflllthisgapbydevelopingasetofformal side the group should learn the key), authentication (recip- requirements for the GDOI group key management proto- ients of the key should know where it came from and what col [1], a protocol which we have been formally specifying it was intended for) and freshness (recipients should not be and verifying as part of a joint efiort with the IETF MSec tricked into accepting an old key). But when we look at working group. To do this, we used the NPATRL require- these requirements more closely, especially at secrecy and mentslanguage[16],atemporallanguageforcryptographic freshness, we see some important difierences. protocol requirements intended for use with the NRL Pro- These difierences arise from the fact that the notion of tocol Analyzer [10, 11]. What we found as a result of this \session", whichissoimportanttopairwiseprotocols, does efiortwasthatrequirementsforgroupkeydistributionpro- notexist,atleastnotinthesamesense,forgroupprotocols. In a pairwise protocol, a session is determined by two com- ⁄Meadows and Syverson were supported by ONR. municatingprincipals(possiblythree,ifakeyserverisused) Cervesato was partially supported by NSF grant INT98- and a key. Keys should not be learned by any other than 15731\LogicalMethodsforFormalVeriflcationofSoftware" thetwoorthreecommunicatingprincipals,andakeyshould and NRL under contract N00173-00-C-2086. beuniquetoasession. However,groupprotocolsusuallydo not have such a notion of individual sessions strongly tied to principals and keys. Instead the paradigm is of a group Thispaperisauthoredbyanemployee(s)oftheUnitedStatesGovernment whichprincipalsmayenterandleave. Keysmaybeupdated andisinthepublicdomain. CCS’01,November5-8,2001,Philadelphia,Pennsylvania,USA. as principals enter or leave a group, in order that incoming ACM1-58113-385-5/01/0011. principals have no access to old keys, or outgoing princi- Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 3. DATES COVERED 2001 2. REPORT TYPE 00-00-2001 to 00-00-2001 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER Formalizing GDOI Group Key Management Requirements in NPATRL 5b. GRANT NUMBER 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION Naval Research Laboratory,Center for High Assurance Computer REPORT NUMBER Systems,4555 Overlook Avenue, SW,Washington,DC,20375 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE 10 unclassified unclassified unclassified Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 pals have no access to new keys. But keys may be updated Member GCKS or Delegate for other reasons as well that have nothing to do with the ˆ¡ HDR*, SEQ, SA, KD, [CERT,] SIG composition of a group. Thus a freshness requirement that speciflesauniquekeypersessionwillhavenomeaninghere. The term HDR* indicates that everything is encrypted after Likewise, the deflnition of ‘secrecy’ also needs to be re- theheader,inthiscaseusingthecurrentkeyencryptionkey. considered. In a pairwise protocol, all we require is that a SEQ is the sequence number, SA the security association for sessionkeyonlybeknowntotheprincipalsinvolvedinthat thiskeypayload,whichgivessuchinformationasalgorithms session. Whether or not one of the principals is dishonest used, key lifetimes, etc., and KD the new keying material. and compromises the key is not usually a concern, as long SIG is the digital signature of the message, and CERT is an asitispreventedfromthreateningtheintegrityofotherses- optional certiflcate for the signature key. sions. However, in the case of group protocol, admitting a When a principal wants to join a group, it takes part in dishonestmemberintoagroupcanintroducenewrisks. Not a four-message groupkey-pull exchange with the GCKS. All onlycanthememberlearnthegroupkeywhileitispresent, messagesareencryptedandauthenticatedwiththepairwise but depending upon how the protocol is designed, it may keysharedbetweenthetwoprincipals. Intheflrstmessage, or may not be able to learn keys used before it joined the theprincipalsendsarequesttojointhegroup,includingthe group, or keys generated after it left. groupidentiflerandanonceNitohelpinverifyingfreshness. The rest of this paper is organized as follows. In Section The GCKS responds with its own nonce Nr and with the 2 we give an overview of the GDOI protocol. In Section groupSecurityAssociation,whichdescribesthemechanisms 3 we give an overview of the NPATRL logic, and describe (e.g. encryptionalgorithms)andpoliciesusedbythegroup. the normal form for NPATRL requirements for the NRL It holds ofi on sending the keying material itself until it Protocol Analyzer. In Section 4 we present the NPATRL can verify that the request is recent. The group member requirements for GDOI, and we also describe our system responds with a hash (HASH(3)) taken over the two nonces. for building secrecy requirements. Section 5 concludes the TheGCKSsendsthekeyingmaterialandthecurrentvalue paper. InAppendixAweshowhowwewereabletousethe of the sequence number in the last message. logictoremoverecursivenessfromthesecrecyrequirements There are also some optional flelds in the last two mes- and reduce them to normal form. sages. If it is required by the group policy, the member can send its own part of a Di–e-Hellman key exchange in the third message (KE I), and the GCKS can respond with its part of the exchange in the fourth message (KE R). The 2. ANOVERVIEWOFGDOI resulting Di–e-Hellman key is used to encrypt the group keying material by use of exclusive-or. The purpose of this The GDOI (for Group Domain Of Interpretation) proto- is to provide perfect forwardsecrecy: even if a pairwise key col[1]isintendedtobeusedwiththeInternetKeyExchange iscompromised,theintrudercanlearnonlykeysdistributed (IKE) protocol [7, 5] to allow a Group Controller and Key after the compromise, not those distributed before. Server (GCKS) to distribute keys to members of a group. Another option allows the two principals to verify that Although it does not specify any mechanisms such as key eachisauthorizedtoactintheirrespectiveroles. Thisisthe hierarchies[2]fore–cientlydistributingkeystogroupmem- proof-of-possession(POP)option,whereeachpartyincludes bersorforexpellingoraddingmembers,itisdesignedtobe a public key certiflcate signed by a relevant authority, and compatible with the use of such techniques. We have been proves his or her possession of the key by using it to sign working with the IETF MSec Working Group to develop the two nonces that were exchanged earlier in the protocol. a set of formal requirements, as well as a formal analysis, Thefourmessagessentinthegroupkey-pullexchangeap- in order to demonstrate the usefulness of formal methods pear as follows in [1]: in the design or cryptographic protocols and in expediting thestandardizationprocessbyprovidingformalevidenceof Initiator (Member) Responder (GCKS) soundness. HDR*, HASH(1), Ni, ID ¡! GDOI uses three categories of keys. Category 1 keys are ˆ¡ HDR*, HASH(2), Nr, SA the pairwise keys shared between the GCKS and potential HDR*, HASH(3) [, KE I] ¡! members. Category 2 keysarekey-encryptionkeysthatare [,CERT] [,POP I] used to protect the Category 3, or tra–c encryption keys. ˆ¡ HDR*, HASH(4), [KE R,] SEQ, ForGDOI,theCategory1(pairwise)keysaredistributed KD [,CERT] [,POP R] viaIKEPhase1,whichisdescribedin[7,5]. Key-encryption keys and tra–c-encryption keys are created by the GCKS. whereNiandNrarethetwononces,SAisthesecurityassoci- The GCKS distributes these keys to the group as a whole ation,KE IandKE RaretheoptionalDi–e-Hellmanhalves, byagroupkey-push messageencryptedwiththecurrentkey- CERT, POP I, POP R are are the certiflcates and signatures encryption key. The GCKS maintains a sequence number used in the optional proof-of-possession exchange, and SEQ SEQ that is incremented every time a new groupkey-push and KD are the sequence number and keying material (en- datagramissent. Thecurrentvalueofthesequencenumber cryptedwiththeDi–e-Hellmankeyifthatisused),respec- isincludedinthegroupkey-pushmessage. Thisallowsgroup tively. ThenotationHDR*means,asbefore,thatallinforma- memberstoverifythatamessageisnotareplayofonethat tionaftertheheaderisencrypted,thistimewiththeshared theyhavealreadyreceived. Thegroupkey-pushdatagramis Category 1 key. The hashes in the exchange are computed also digitally signed by the GCKS using its private key so over the information sent in the respective messages. More that receivers can verify that it was sent by the GCKS and detail may be found in [1]. not by another group member. NotethatinnoplacedoesGDOIspecifymeansforelimi- The groupkey-push message appears as follows in [1]: natingmembersfromthegroup. Thisisaccomplishedusing somethingcalledakey hierarchy. Basically, akeyhierarchy valid as a result of performing certain checks and sending a isatree,therootofwhichistheactualkeyusedforencryp- message. For example: tion. Nodes of the tree encrypt and authenticate the nodes event(user(A;honest);[user(B;H)];initiator accept key;[K];N) above it. When a principal is admitted to the group, it is assigned a leaf of the tree. When it leaves the group, only This event describes the execution of a transition called the (limited) portion of the tree it needs to compute the \initiator accept key" by honest principal A that involves a group key ough to be updated. This allows access control key K and some other principal B who may or may not be forbothenteringandleavingmemberstobeenforcedinan honest. e–cientway,aswellasprovidingextrasecuritybeyondthat providedbythekey-encryptionkeyusedtoencryptthepush 3.2 TheNPATRLSyntax message,sinceanewkeywillbeprotectedbythekeysbelow The NRL Protocol Analyzer has successfully analyzed a it in the hierarchy. See [2] for a discussion and overview of number of protocols, sometimes uncovering previously un- key hierarchies. known (cid:176)aws [10, 11]. But, secrecy and authentication goals areawkwardlyexpressed,asstatesthatshouldnotbereach- 3. THE NPATRLLOGIC ablefromtheinitialstate. Thisunintuitiveandoccasionally errorpronewayofwritingrequirementswouldhavemadeit 3.1 TheNRLProtocolAnalyzerModel very di–cult to use the NPA for large protocols. The NRL Protocol Analyzer, or NPA for short, is a com- TheNRL Protocol Analyzer Temporal Requirements Lan- puter-assisted veriflcation tool for security protocols which guage, better known as NPATRL (and pronounced \N Pa- combinesmodelcheckingandtheorem-provingtechniquesto trol"),wasdesignedtoaddresstheseshortcomings[16]. This establishauthenticationandsecrecyproperties. Wepresent formalism makes available the abstract expressiveness of a merelyabriefoverviewhere. Theinterestedreaderisinvited logical language to specify requirements at a high enough to consult [10, 11] for further details. level to capture intuitive goals precisely, and yet it can be Aprotocolismodeledasanumberofcommunicatingstate interpreted in the NPA search engine. machines,eachassociatedwithadifierentroles. Theirtran- NPATRLrequirementsarelogicalexpressionswhoseato- micformulasareeventstatements,whichmostlycorrespond sitions correspond to the actions that comprise the corre- toeventsintheNRLProtocolAnalyzer;theyincludeevents sponding role. At run time, roles are executed by honest denoting actions by honest principals that can be found in principals who faithfully follow the protocol. Several in- thetraceofanNPAsearch,andthespeciallearneventthat stances can be executing at the same time, and they are indicates the acquisition of information by the adversary. distinguished by means of a unique round number. The NPATRL’s syntax for events is similar but not identical to intruder is modeled after the Dolev-Yao adversary [4]. Dis- theNPA’s. InNPATRL,theNPAaccepteventgivenabove is written: honest principals sharetheirkeysandotherconfldentialin- formation with the adversary. initiator accept key(user(A;honest);user(B;H);K;N) The messages in transit, the information held by each principal and the intruder, the runs currently being exe- ThelogicalinfrastructureofNPATRLconsistsoftheusual cuted, and the point that each of them has reached consti- connectives :, ^, !, etc, and the temporal modality 3 tutetheglobalstate fortheNPA. Aprotocol actionimple- which is interpreted as \happened at some time before" or mentsalocaltransformationwithglobalefiectsonthestate. \previously". The initial state is implicit in the protocol speciflcation. For example, we may have the following requirement: In order to verify a protocol, a speciflcation is fed into If an honest principal A accepts a key K for com- therun-timesystemoftheNRLProtocolAnalyzertogether municating with another honest principal B, then a with the description of a family of states that correspond server must have previously generated and sent this to attack situations. The system applies protocol actions keywiththeideathatitshouldbeusedforcommuni- backwardsfromthesetargetstatesuntiliteitherreachesthe cationsbetweenAandB,andthatbothareexpected initialstate,oritexhaustsallpossibilitiesfordoingso. Asit to be honest. regresses back towards the initial state, the NPA maintains We can use NRL Protocol Analyzer events to construct an atrace ofthesequenceofactionsthat,whenexecuted,lead NPATRL formula that expresses it: to the target state. If the initial state is ever reached, the resulting trace is a potential attack. If all possibilities are initiator accept key(user(A;honest);user(B;H);K;N) exhausted, there is no attack of the kind sought. Although ! 3svr send key(server;(user(A;honest);user(B;honest));K;N) thesearchspaceisingeneralinflnite,theNPAincorporates techniques based on theorem proving that have the efiect Thisformulaisasimpleexpressionoftheaboverequirement. of soundly restricting the search to a flnite abstraction, in Intuitively,theprotocolveriflcationprocesschangesfrom most cases. whatwediscussedintheprevioussectionbyusingNPATRL Traces are sequences of events of the following form: requirementswheretheflnalstateappeared. Moreprecisely, event(P;Q;T;L;N) we flrst need to map every NPATRL event statement to an actualeventintheNPAspeciflcationoftheprotocol. Then, Ingeneral,anyprotocolorintruderstatetransitionmaybe we take the negation of each NPATRL requirement as a assignedanevent. Theargumentsareinterpretedasfollows: way to characterize the states that should be unreachable P is the principal executing the transition, Q is the set of the other parties involved in it, T is a name that identifles if and only if that requirement is satisfled. At this point, the transition, L is a set of relevant words, and N is the we perform the analysis as in the previous section: if the local round number of the transition. Typical categories of NPA proves that this goal is unreachable, the protocol sat- eventscorrespondtoreceivingamessage,acceptingdataas isflestheoriginalrequirement. Otherwise,itreturnsatrace corresponding to an attack on the protocol that potentially guarantees that temporal reasoning is transitive. The third invalidates the requirement. guaranteesthatsetsofeventsarealwaysflniteandstrictly- AcoupleofparticularpointsaboutNPATRLexpressions: ordered. Thelastguaranteesthateventsareweakly-connec- Events occur exactly once. This means that atomic formu- ted (comparable). Note that in the presence of K and W, lasaretrueatexactlyonepointinatrace(ifatall). There the 4 axiom becomes redundant. We have explicitly in- is nothing in NPATRL syntax to automatically guarantee cluded it because we speciflcally use transitivity in our ar- this uniqueness; it is assumed that event statements con- guments in appendix A. There is some discussion of logics tain enough individuating information in their arguments containing these axioms in [6] and [8]. In [8], axiom L is orpredicatetoenforcethis. NotethatNPAguaranteesthis called\Lem0"afterLemmon. Spacelimitationsprecludea uniqueness,inpartbyhavingalleventsindexedbothbylo- more detailed presentation here. cal runs and timestamps. Second, \3" is a strict operator; 3.4 NPAAcceptableExpressions it includes times prior to the present time but does not in- cludethepresenttime. Itisalsoconvenient,especiallywhen Although NPATRL was originally designed to be used stating axioms, to have the dual operator in our language, with the NRL Protocol Analyzer, it is actually much more \2",readas\atallprevioustimes"or\alwayspreviously". expressivethanthesetofspeciflcationsacceptedbythetool. It can be deflned logically by, 2’ $ :3:’, where ’ is an Thus,inordertomakeNPATRLusablewithNPA,itisnec- formula. essarytoidentifyasubsetofNPATRLrequirementsthatare NPATRL has been extensively used in the last few years acceptablebyNPA,andtoputthemintoanormalformthat to analyze protocols with various characteristics. Among is parsable by NPA. these, generic requirements have been given for two-party AnNRLProtocolAnalyzerquerycanbespecifledinterms key distribution protocols [14, 15] and two-party key agree- ofthreethings: termsknownbytheintruder,valuesoflocal ment protocols [16]. The most ambitious speciflcation un- state variables, and sequences of events that did or did not dertaken using NPATRL has involved the requirements of occur. Thepartofthequeryconcerningsequencesofevents the credit card payment transaction protocol SET (Secure corresponds most closely to the NPATRL events. However, Electronic Transactions) [9]. SET proved particularly dif- theseeventsonlycorrespondtouseractions,anddonotin- flcult to specify for several reasons. One of these was that clude learn events, which correspond to intruder actions. In the objects to be authenticated are dynamic: unlike keys, ordertocaptureintruderlearnevents,wewillneedtomake whatisagreeduponchangesasitpassesfromoneprincipal use of the part of the query that specifles terms known by to another. This exercise revealed several ambiguities [9]. theintruder. Thiscancausesomedi–culties,sinceanNPA Our current task, formalizing group key management re- query does not specify when the terms were learned by the quirements, has its own dynamics. Even when the data intruder. However,wecansimplifymattersbylimitingour- objects(keys)areconstant,theprincipalssharingthemare selvestoquerieswhichspecifythelearningofonlyoneterm. not. And the very notion of a session is much less well Thisisusuallyadequate,andwhenitisnot,wecanusually deflned than in previously studied cases. Perhaps most sig- transformtheNPATRLrequirementusingourlogicsothat niflcantly,untilthispointwehadbeenabletouseNPATRL the restriction is satisfled. asjustalanguage. Allstatementswereinterpretedintothe Given that, we specify a normal form R for NPA accept- NPAandevaluatedthere. However,wehavefounditneces- able expressions in a BNF grammar as follows. We let w sary to reason at the level of NPATRL itself. This requires standforanylearnevent,astandforanyatomiceventthat a logic for our logical language. is not a learn event, and let b stand for any atomic event. 3.3 NPATRLAxioms E ::= 3a 3(a ^ E) Wegiveaxiomsofanormalmodallogicadequatetocap- F ::= E E _ F E ^ F turetheneededtemporalreasoning. Readersarereferredto G ::= :E :E ^ G standardtextsfordetailsonsystemsofmodalandtemporal R ::= :b a!G b!F a!G _ F a!G ^ F 3w!G 3w!G _ F 3w!G ^ F logic [3, 6, 8]. Our logic has two inference rules: 4. REQUIREMENTSFORGDOI Modus Ponens: From ’ and ’!ˆ infer ˆ. Necessitation: From ‘’ infer ‘2’. 4.1 Assumptions ‘‘’isametalingusiticsymbol. ‘¡‘’’meansthat’isderiv- WeassumethateachgroupismanagedbyoneGCKS(it able from the set of formulae ¡ (and the axioms as stated is possible to have more, but the means for doing this are below). ‘‘ ’’ means that ’ is a theorem, i.e., derivable not specifled in the GDOI document). We assume that a from axioms alone. Axioms are all instances of tautologies GCKSmaymanagemorethanonegroup,andthatamem- of classical propositional logic, and all instances of the fol- ber may belong to more than one group. We assume that lowing axiom schemata members may both join and leave a group, and a member may have concurrent and/or overlapping memberships in K 2(’!ˆ)!(2’!2ˆ) the same group. 4 2’!22’ We assume the usual Dolev-Yao style intruder, who can W 2(2’!’)!2’ read, alter, destroy, and create tra–c, and is in league with L 2((’ ^ 2’)!ˆ) _ 2((ˆ ^ 2ˆ)!’) any dishonest principals, who share all data with it. We assumethatallGCKSsarehonest,butthatsomemembers The flrst axiom guarantees that our temporal operators re- may be dishonest. Note that as a result of this assumption spect the non-temporal part of the logic. The second one we make no distinction between the intruder’s learning a keyandaprincipallearningakeytowhichitisnotentitled. Sendingakeyasaresultofapullexchange: Onlydishonestprincipalswillattempttogainaccesstokeys to which they are not entitled, and dishonest principals are gcks sendpullkey(GCKS;M;(KG;NM;NGM;G;KGM);N) assumed to share all information with the intruder. whereM isthemember,KGisthekey,Gisthegroup,KGM Weassumethattherearetwowaysinwhichakeycanbe is the pairwise key, NM is the nonce M uses in initiating compromisedthatcannotbepreventedbytheprotocol. One the exchange and NGM is the nonce G uses in responding. isbystealing: theintrudermaylearnthekeybycryptanal- Wealsousethegcks sendpullkey eventtocovertheGCKS’s ysis, theft, etc. even if all possessors of the key are honest. admitting M to the group, since M requests membership The other is by having a dishonest member join the group. by initiating a pull protocol. We use NGM to identify M’s Finally,inordertosimplifymatters,weonlydeflneevents particular membership in the group. Note that this may andrequirementsforkeyencryptionkeys,nottra–cencryp- not be the identifler used in a real application (as a mat- tionkeys. Sincetra–cencryptionkeysareprotectedbykey ter of fact, GDOI does not specify any kind of membership encryptionkeysanddistributedviathesamemechanisms,it identifler);howeveritisusefulfromarequirementspointof should be relatively straightforward to derive their require- viewinthatitallowsustodistinguishbetweendifierentand ments from the requirements for key encryption keys. possibly overlapping memberships on the part of the same individual. 4.2 GDOI Events Ingeneral,eventsmaptoactualmessagesandviceversa. Sendingakeyinapushmessage: However, since the central messages of the groupkey-pull exchange simply defer computation in order to resist forms gcks sendpushkey(GCKS;();(G;KG;KG0 );N) of denial-of-service attacks [12] and the NPA does not cur- The event gcks sendpushkey causes one key, KG0 , to expire rentlysupportreasoningaboutdenial-of-service, webehave forgroupGandcausesthenextoneKG tobecomecurrent. asiftheirinformationloadwerecompoundedwiththeouter The initial key created for a group is flrst sent in a pull- messages of this exchange. key message. Except for such initial keys, we assume for WedividethepossibleGDOIeventsaccordingtotheprin- conveniencethatapush-keymessagemakingKG currentis cipals that engage in them. There are four types of princi- sent immediately after the create event that produced KG pals: theintruder,theGCKS,thegroupmember,andanau- (without the possibility of an intervening distribution in a thorization server responsible for issuing credentials. Since pull-key message). We also assume that the initial key is a group member may be honest or dishonest, we represent sent in at least one pull-key response that takes place im- ageneralgroupmemberasmember(M;H),anhonestmem- mediatelyafteritscreation. Wesaytheinitialkeybecomes ber as member(M;honest), and a dishonest group member current when that flrst pull-key response containing it is as member(M;dishonest). sent. Wenotethatneithergcks sendpullkeynorgcks sendpushkey 4.2.1 IntruderEvents tell the whole story about the keying material passed in There is only one intruder event of interest to us here: these two messages. In actual fact, the pull-key message the event in which the intruder P learns a word W. We will contain, not only the current key, but also the relevant represent that as follows: part of the key hierarchy that the member M needs to ac- learn(P;();W;N) cess the key. Likewise the gcks sendpushkey message will also contain the portion of the key hierarchy that needs to 4.2.2 AuthorizationServerEvent bechangedtogivemembersaccesstothenewkeyandpre- The authorization server is responsible only for issuing vent former members from accessing the new key, if this is credentials to principals. In order to simplify matters, we desired. assumethateachgrouphasitsownsetofcredentialsappro- priate to it. Cancelingamembership: This action is represented by gcks cancel(GCKS;M;(G;NGM);N) auth issuecreds(AUTH;X;(C;G);N) where M is the member, G is the group, and NGM identi- whereX istheprincipaltowhomthecredentialsareissued, fles the membership. Note that expulsion cancels only the C stands for the credentials, and G is the group to which membership with identifler NGM, not all memberships of the credentials apply. that member. In order to truly expel the member, all its memberships would have to be canceled. 4.2.3 TheGCKS We note that gcks cancel would be achieved in GDOI by The GCKS performs a number of actions of interest. It havingtheGCKSsendoutapushmessagecontaininganew can create a key encryption key. It can admit and expel keyhierarchyfromwhichM isexcluded. Wechoosetospec- members. It can also cause a key to become current, and ify gcks cancel separately from gcks sendpushkey since this cause a key to expire. It can send a key, either in response allows us to avoid issues such as canceling multiple mem- toamember’srequest,oraspartofagroup-keypushdata- berships in one message, etc. gram. We represent these as follows: SendingaPOP: Creatingakey: gcks createkey(GCKS;();(G;KG);N) gcks sendpop(GCKS;M;(G;NGM;NM;CG);N) where G is the group for which GCKS is creating the key ThiseventdescribesaGCKSsendingaPOPinresponseto encryption key, KG. a members request. CG stands for G’s credentials. StealingaKey: 4.3 AuthenticationRequirements Finally,weneedtospecifythestealingofakey. Wethinkof Since GDOI is only intended to address the problem of thisnotassomethingdonebytheintruder,butassomething secure distribution of group keys, not the authentication of done by the GCKS. In other words, the action of stealing group members to each other, its authentication require- akeyneedstobeprecipitatedbytheGCKS\losing"akey. ments are simple and rather similar to those for two-party This appears paradoxical, but it is a result of our model’s protocols. Thuswegivethemflrst. Thereareauthentication assumption that actions involving a piece of data can only requirements for both the group member and the GCKS. beinitiatedbythoseinpossessionofit. Notethatwecould The group member will want to know, if it accepts a key, alsoincludeactionsdescribingmemberslosingkeys,butthat that that key was generated by the GCKS for that group. this would be redundant. The GCKS will want to know that, if it sends a key to a Wehavetwoeventstatements,onedescribingthelossofa group member, then that group member requested a key. key-encryptionkey,andonedescribingthelossofapairwise Finally, there are authentication requirements on the proof key: ofpossession(POP)algorithm. IftheGCKSacceptsaproof gcks losegroupkey(GCKS;();(G;KG);N) of possession from a group member, then the group mem- where G is the group and KG is the key. bershouldhaveobtainedtheappropriateauthorizationsand gcks losepairwisekey(GCKS;();(GCKS;M;KGM);N) thegroupmembershouldhaverespondedtotheGCKS’sre- where KGM is the pairwise key and M is the member who questforaPOP. Asimilarrequirementholdsforthegroup member’s accepting a POP from the GCKS. We consider shares the key with the GCKS. the three types of authentication below. 4.2.4 MemberActions 4.3.1 AuthenticationofaKeytoaGroupMember Therelevantmemberactionsinvolveacceptingakeyand requesting a key. A member can only request a key by ini- Since there are two difierent ways a group member can tiating a group-key pull exchange, but it may accept a key receive a key, we have two difierent sets of requirement. In asaresultofreceivingtheflnalmessageofagroup-keypull the case of the group member M accepting a key KG for exchange or as a result of receiving a group-key push mes- groupGasaresultofthepullprotocol,werequirethatone sage. of two things must have happened; either the pairwise key The events are specifled as follows. sharedbetweenthememberandtheGCKSwaslost,orthe GCKS did send KG to M for use in G: RequestingaKey: member requestkey(M;GCKS;(G;NM;KGM);N) m!em3begrckasccleopsetppualilrkweiys(eMke;yG(GCCKKSS;;(G();;K(MG;;KNGMM;N);GM) ;KGM); ) whereGCKS istheGCKS,Gisthegroup,NM isthenonce _3gcks sendpullkey(GCKS;M;(KG; ; ;G;KGM); ) M usesininitiatingtherequest(todistinguishitfromother requests), and KGM is the pairwise key shared between In the case of the member M accepting the key KG for GCKS and M. This corresponds to M sending the flrst groupGastheresultofreceivingapushdatagram,weagain message in a group-key pull exchange. require that the GCKS has sent KG for use in G in a push datagram protected by key KG0 : AcceptingaKeyFromaGroup-keyPullExchange: wmheemrbeeGr aCcKceSptpisulltkheey(GMC;GKCSK, GS;(iGs;tKheGg;NroGuMp,;NKMG;iKsGthMe);kNey), m!em3gbcekrsascecnedpptpuusshhkkeeyy((GMC;KGSC;K()S;(;G(G;K;KGG;K;KG0G0););)) and KGM is the pairwise key shared between M and the Observe that this requirement does not make any provision GCKS. Again, this does not give the whole picture, as it forlosinganoldgroupkeyKG0 sincegcks sendpushkey mes- leaves out the portion of the key hierarchy that the GCKS sages are authenticated with the signature of the GCKS. sends to M. 4.3.2 AuthenticationofaGroupMember’sRequest AcceptingaKeyFromaGroup-keyPushMessage: AlthoughtheGCKShastwowaysofsendingkeys,ithas member acceptpushkey(M;GCKS;(G;KG;KG0 );N) only one way of sending a key to a speciflc group member: where GCKS is the GCKS, G is the group, KG is the new viaapullprotocol. Thusweneedonlyonerequirementhere, key, and KG0 is the current key encryption key. Again, we saying that if the GCKS sent a key to a group member in leave out the portion of the key hierarchy that M uses to response to a pull protocol request, then either the pair- authenticate the message and decrypt KG. wise key between the GCKS and group member was lost, For conciseness, we set orthegroupmemberactuallysentthatrequest. Weneeda member acceptkey(M;GCKS;(G;KG);N) unique way of identifying the group member’s request, and $ member acceptpullkey(M;GCKS;(G;KG; ; ; );N) sowewillusethenoncethegroupmembersendsintheflrst _member acceptpushkey(M;GCKS;(G;KG; );N) message of the pull protocol: Hereandintherestofthispaper,wewrite\ "foranargu- gcks sendpullkey(GCKS;M;(KG;NM;NGM;G;KGM); ) ment whose actual value is irrelevant. Each occurrence can ! 3gcks losepairwisekey(GCKS;();(M;KGM); ) be thought of as a distinct variable. _3member requestkey(M;GCKS;(G;NM;KGM); ) SendingaPOP: 4.3.3 AuthenticationofaProofofPossession member sendpop(M;GCKS;(G;NM;NGM;CM);N) Forproofsofpossession,wewanttoshowthat,foreither This event describes a member M sending a POP in re- theGCKSoramember,ifAacceptsakeyrequiringaproof sponsetoaGCKS’srequest. CM standsforM’scredentials. of possession from B, then B sent the POP in response to A’srequest,andB obtainedthecredentialsfromtheappro- Note thatthis freshnessrequirement canonly be guaran- priate authority. The act of obtaining credentials is outside teed for an honest member, since there is nothing prevent- thescopeofGDOI;however,weleaveitintherequirement ing a dishonest member from replaying an old request and speciflcation because it is clearly the intent of the POP. then participating in the protocol to obtain a key. Since honest members are the only ones we are interested in pro- gcks sendpullkey(GCKS;M;(KG;NM;NGM;G;KGM); ) tecting anyway, this is not a problem for us. However, we !3( member sendpop(M;GCKS;(G;NM;NGM;M;CM); ) need a way of distinguishing between honest and dishonest ^3auth issuecreds(AUTH;M;(CM;G); )) members. We do this by borrowing a trick from the NRL member acceptpullkey(M;GCKS;(KG;NM;NGM;G;KGM); ) Protocol Analyzer speciflcation language, and referring to !3( gcks sendpop(GCKS;M(G;NM;NGM;CM); ) principalsas member(M;H)whereH isavariablethatcan ^3auth issuecreds(AUTH;M;(CM;G); )) be instantiated to honest or dishonest. At this point we are only interest in member(M;honest): 4.4 FreshnessRequirements For GDOI, we can identify two types of freshness. One, gcks sendpullkey(GCKS;Mh;(KG;NM;NGM;G;KGM); ) we call recency freshness. This is the requirement that, if a ! 3gcks losepairwisekey(GCKS;();(Mh;KGM); ) principalreceivesapieceofinformation,suchasakey,then _:3gcks sendpullkey(GCKS;Mh;(KG0 ;NM;NG0M;G;KGM); ) it must have been current at some specifled point in time where M =member(M;honest). h according to the principal’s local clock, for example when the principal requested it. The other, we call sequential 4.4.5 FreshnessofProofofPossession freshness. Thisistherequirementthat,ifaprincipalaccepts Freshness requirements for Proof of Possession are more a key KG, then it could not have previously accepted a key similar to two-party freshness requirements than some of that became current after KG. the others we have visited. Since POPs are computed on nonces supplied by sender and receiver we require that, if a 4.4.1 RecencyFreshnessforPullProtocol principal accepts a POP for two nonces, then it should not member acceptpullkey(M;GCKS;(G;NM;NGM;KG0 ;KGM);N) have accepted it previously. Since the POP is computed on ! 3gcks losepairwisekey(GCKS;();(M;KGM); ) the sender’s and receiver’s nonces, this can be enforced by _:(3( member requestkey(M;GCKS;(G;NM;KGM);N) requiring that the GCKS does not engage in a sendpullkey ^3gcks sendpushkey(GCKS;();(G;KG;KG0 ); ))) event based on the same nonces twice, and that a member does not engage in an member acceptpullkey event based on Note that the deflnition of recency freshness is one of the the same nonces twice. Note that the GCKS’s freshness fewplaceswemakeuseofroundnumbers,sincethemember requirementissimilar,butsomewhatstrongerthan,there- requests and accepts the key in the same round. Note also that the GCKS’s act of sending a key KG protected by KG0 quirement for freshness of a member’s key request; it is not using the push protocol results in the expiration of KG0 . dependent on the pairwise key being uncompromised. 4.4.2 SequentialFreshnessforPullProtocol gcks sendpullkey(GCKS;Mh;(KG;NM;NGM;G;KGM); ) !:3gcks sendpullkey(GCKS;Mh;(KG0 ;NM;NGM;G;KG0M); ) m!e_m:3be(gr3cka(sccleopmseteppmualiblrkweeriysa(eMckcee;ypG(GtCkCeKyK(SMS;;(;G(G);;CN(MKMS;;K;N(GGGM;MK);;0K))G;;)KGM); ) !me:m3bmeremacbceerptapcuclelkpetyp(uMllk;eGy(CMK;SG;C(KKGS;;N(MKG;0N;NGMM;;NGG;MK;GGM;0K);G0M)); ) G ^3( gcks createkey(GCKS;();(G;KG0 ); ) where again Mh =member(M;honest). ^3gcks createkey(GCKS;();(G;KG); ))) 4.5 SecrecyRequirements Recall from Section 4.2.3 that a group key is sent (and GDOIhasonebasicsecrecyrequirement,thatkeysshould therefore made current) immediately after it is created by onlybelearnedbymembersofthegroup. However,wemay the GCKS. want to put other conditions on this requirement. For ex- 4.4.3 SequentialFreshnessforPushProtocol ample, we may require that new members should not have access to old keys (backward access control), and that ex- member acceptpushkey(M;GCKS;(G;KG;KG0 ); ) pelled members will not have access to any keys generated !:(3( member acceptkey(M;GCKS;(G;KG00); ) after they were expelled (forward access control). GDOI ^3( gcks createkey(GCKS;();(G;K00); ) G also allows for an option that provides a degree of protec- ^3gcks createkey(GCKS;();(G;KG); ))) tion against compromise of pairwise keys; it allows for the Note that we do not specify recency freshness as a re- optional use of Di–e-Hellman to assure perfect forward se- quirement for the push protocol. This can be achieved, if crecy: if a pairwise key is stolen, then the intruder should desired, by including timestamps in the Security Associa- only be able to learn key encryption keys distributed after tion, but this is not a requirement of GDOI. the event. As we can see, the difierent secrecy requirements are not 4.4.4 FreshnessofaMember’sKeyRequest quite orthogonal, and they can interact with each other in WenowconsiderafreshnessrequirementfromtheGCKS’s difierent ways. For example, one would not want to waste pointofview. WhentheGCKSrespondstoamember’sre- time with perfect forward secrecy if one did not also have questwithakey,itmustbesurethatthisisanewrequest, backwards access control. In general, it is assumed that it not a replay of some old request. Since a member’s request is more likely that a dishonest member will join the group contains a nonce which is intended to be unique, we make thanthatapairwisekeysharedbetweenonlytwoprincipals this into a requirement that a GCKS should not have pre- willbestolen. Soitmakeslittlesensetouseperfectforward viously distributed a key to that member using that nonce. secrecy to protect old keys, if they could be compromised by having a group key distributed to a dishonest principal. BC3b(KG;G): Likewise,requirementssuchasforwardandbackwardaccess controlshouldnotonlygoverntheefiectsofthedistribution 3( gcks sendpullkey(GCKS;M;(G; ; ;KG;KGM); ) ^3gcks losepairwisekey(GCKS;();(M;KGM); )) of keys, but other events such as the stealing of keys. For example, if members should no longer have access to new Thisdescribesapairwisekeybeinglostandakeybeing keys after leaving the group, then an intruder’s stealing a sent using that pairwise key after the pairwise key is key should not give it access to subsequent keys either. lost. Oursolutiontothisproblemistodeflneanumberofcon- ditions describing sequences of events that deflne the sit- 4.5.2 TheRecursiveCases uation under which an intruder might learn a key. These There are two recursive cases. The flrst describes an in- conditions can then be mixed and matched to put together truderlearninganoldkeyafteralaterkeyhasbecomecur- the appropriate requirement. We can then use the NPA- rent. The second describes the intruder learning a key be- TRLlogictoreducetherequirementstonormalform,when foreanotherkeyexpires. Wecallthesetwocases\backward necessary. inference" and \forward inference." In the remainder of this section, we describe the various sequences. These include flve \base cases" that describe BI(KG0 ;G) somesimplesequencesofeventsthatcouldleadtokeycom- promise, as well as two recursively deflned cases that de- 3learn(P;();(KG;G); ) ^3( gcks createkey(GCKS;();(G;KG); ) scribe forward access control without backward access con- ^3gcks createkey(GCKS;();(G;K0 ); )) G trol, and vice versa. We also give several examples showing howthevariouscasescanbecombinedtoproducedifierent Notethatwhenanewkeyissent,theoldkeyexpires. types of requirements. And,weassumeany(non-initial)keyissentinapush- key message as soon as it is created. Thus BI for KG0 4.5.1 TheBaseCases describes an intruder learning a key KG that became The flve base cases are as follows: current after a key KG0 was current. BC1(KG;G): FI(KG;G) 3learn(P;();(K00;G); ) gcks losegroupkey(GCKS;();(G;KG); ) ^3( gcks sendpuGshkey(GCKS;();(G;KG;KG0 ); ) ^3gcks sendpushkey(GCKS;();(G;K00;K000); )) G G This describes the a group key-encryption key being stolen. FIdescribesanintruderlearningakeyKG00 thatexpired before a later key KG was generated. BC2a(KG;G): Backward Inference will be used to specify forward ac- 3( gcks sendpushkey(GCKS;();(G;KG;KG0 );N) cesscontrolwithoutbackwardaccesscontrol: Ifanintruder ^:3^(^33ggccgkkcsskssseecnnaddnppcuueslllh(kGkeeyCy((GKGCSC;KKMSSd;;;M((G)d;;;((NGG;G;KM;G)N;;KG)MG0));;KNG00);KGM); )) lsiese,atrtonhfsepainotskrseuiybdleeKrpGma,tahtyhsehtnaovBtehI(laeKtarGenv;eeGdn)tK,wbGiullatsbneaotlriesFstIue(dlKtGaomf;Gloen)a,grnthtinhaget where M = member(M;dishonest). This describes a akeyKG0 thatexpiredpreviouslytoKG,butnotakeyKG⁄ groupkeydbeingdistributedwhileadishonestmember that was generated after KG expired. Similarly, Forward is in the group. Note that it is in two parts. The flrst Inference will be used to specify backward access control says that the dishonest member has joined the group; without forward access control: if an intruder learns a key thesecondsaysthatthememberhasnotleftityet. In KG, then FI(KG;G) will be listed among the set of of pos- ordertotakecareofthepossibilityofmultiplejoinings sible paths to that event, but not BI(KG;G). and leavings, we give both join and leave the same Wenotethatthereappeartobesomemajorchangesfrom index NGM, which uniquely identifles M’s joining the the original, informal, deflnition of forward and backward group. access control. The original deflnition put the requirement ontheknowledgeofanygroupmember,notontheintruder. BC2b(KG;G): Also,theoriginalrequirementdiscussedamemberlearninga keyasaresultofjoiningthegroup,whilewesimplyconsider 3gcks sendpullkey(GCKS;Md;(G; ;NGM;KG;KGM); ) theresultsoftheintruderlearningakeywithoutspecifying how it was learned. forM =member(M;dishonest). Thisdescribesagroup d Our rationale for changing the focus from member to in- key KG being distributed to a dishonest member via truder can be expressed in two steps. In the NRL Protocol apullprotocol,thatis,thedishonestmemberisbeing Analyzer model, we assume that dishonest group members admitted to the group. candoeverythinghonestgroupmembersdoandmore,since honest members can only obey the rules of the protocol. BC3a(KG;G): Thus any conditions on a dishonest member’s learning a 3gcks losepairwisekey(GCKS;();(M;KGM); ) key should also hold for an honest member. Secondly, we ^3gcks sendpullkey(GCKS;M;(G; ; ;KG;KGM); ) assume that all dishonest members share information with theintruder,sothatanyconditionsontheintruder’slearn- This describes the result of a pairwise key being lost ing a key would imply the same condition for a dishonest and a key being sent using that pairwise key. member learning that information. 4.5.3 SampleRequirements Ifwewantedtoomittheperfectforwardsecrecyrequirement In this section, we show how the various \cases" can be we would substitute BC3a(KG;G) for BC3b(KG;G). combined into requirements. In appendix A we show how to put the requirements for Forward and Backward Access Control into normal form. WeakSecrecy The weakest form of secrecy requirement simply requires 5. CONCLUSIONS that the protocol should protect against key compromise We have presented a set of formal security requirements given the most benign assumptions possible: that is, that for the group protocol GDOI. In developing these require- neither pairwise or key encryption keys have been lost, and ments we learned much, not only about GDOI itself, but nodishonestmembershaveevenjoinedthegroup. Thiscan about the nature of requirements for open-ended crypto- be described in terms of three separate conditions: graphic protocols. This has motivated us to develop the NPATRL requirements language into a full-scale logic that learn(P;();(KG;G); ) can be used to reason about and simplify requirements as ! BC1(K0 ;G) _ BC2b(K0 ;G) _ BC3a(K0 ;G) G G G well as specify them. Inotherwords,theintrudershouldnotlearnakeyKGforG Asthispaperisbeingwritten,wearecurrentlyusingthe NRL Protocol Analyzer to verify that GDOI satisfles these unlesssomegroupkeyhaspreviouslybeenlost,adishonest requirements. This in turn may lead to a revision or im- member joined the group at some time, or a pairwise key provement of the requirements as we discover more by our that was used to distribute a group key was stolen, either analysis. Wehavealsobeenabletouseourformalizationof before or after being used. the requirements to discover and suggest improvements to StrongSecrecy GDOI. These suggestions have been incorporated into later versions of the draft. Thus, we have already found these We can also use the base cases to formulate the strongest requirements to be useful. type of secrecy possible. In strong secrecy, the intruder learns a key KG only if KG is lost, a dishonest member receivedKG,eitherwhenitjoinedthegrouporwhileitwas 6. REFERENCES a member of the group, or if a pairwise key was stolen and [1] M. Baugher, T. Hardjono, H. Harney, and B. Weis. used to distribute KG. We may or may not wish to require Group domain of interpretation for ISAKMP. perfect forward secrecy. available at http://search.ietf.org/internet-drafts/ Here, for example, is strong secrecy with perfect forward draft-irtf-smug-gdoi-01.txt, January 2001. secrecy: [2] R. Canetti, J. Garay, G. Itkis, D. Micciancio, learn(P;();(KG;G); ) M. Naor, and B. Pinkas. Multicast security: A ! BC1(KG;G) _ BC2a(KG;G) _ BC2b(KG;G) taxonomy and some e–cient constructions. In Proc. of _BC3b(KG;G) INFOCOM’99, vol. 2, pages 708{716, March 1999. [3] Brian F. Chellas. Modal Logic: An Introduction. ForwardAccessControl Cambridge University Press, 1980. [4] Danny Dolev and Andrew C. Yao. On the security of Forward access control (without backward access control) public-key protocols. IEEE Transactions on can be thought of as strong secrecy together with added Information Theory, 2(29):198{208, March 1983. condition of backward inference: An intruder can learn a PreliminaryversioninProc. 22nd Annual IEEE Symp. key, not only if the key was lost, distributed to a dishonest Foundations of Computer Science, 1981, 350{357. member, or distributed using a lost pairwise key, but if the key became current before the intruder learned a later key, [5] Naganand Doraswamy and Dan Harkins. IPSEC: The e.g., because a dishonest member joined the group. We do New Security Standard for the Internet, Intranets, and notincludeperfectforwardsecrecy,sinceprotectingagainst Virtual Private Networks. Prentice Hall, 1999. old keys being compromised as a result of a stolen pairwise [6] Robert Goldblatt. Logics of Time and Computation, key makes no sense if the keys could be learned as a result 2nd edition, volume 7 of CSLI Lecture Notes. CSLI of a dishonest member joining the group at any point: Publications, Stanford, 1992. [7] D. Harkins and D. Carrel. The Internet Key Exchange learn(P;();(KG;G); ) (IKE). RFC 2409, IETF, November 1998. available at ! BC1(KG;G) _ BC2a(KG;G) _ BC2b(KG;G) ftp://ftp.isi.edu/in-notes/rfc2409.txt. _BC3a(KG;G) _ BI(KG;G) [8] G.E. Hughes and M.J. Creswell. A New Introduction to Modal Logic. Routledge, 1996. BackwardAccessControl [9] C.MeadowsandP.Syverson.Aformalspeciflcationof Backward access control (without forward access control) requirements for payment transactions in the SET can be specifled similarly to forward access control, except protocol. In R. Hirschfeld, editor, Financial that we replace backward with forward inference. We can Cryptography, FC’98, pages 122{140. Springer-Verlag, requireperfectforwardsecrecyornot. Here,forexample,is LNCS 1465, 1998. backwardaccesscontrolwithoutforwardaccesscontrolbut [10] Catherine Meadows. A model of computation for the with perfect forward secrecy: NRL Protocol Analyzer. In Proceedings of the 7th learn(P;();(KG;G); ) Computer Security Foundations Workshop, pages ! BC1(KG;G) _ BC2a(KG;G) _ BC2b(KG;G) 84{89. IEEE CS Press, June 1994. _BC3b(KG;G) _ FI(KG;G) [11] Catherine Meadows. The NRL Protocol Analyzer: An