**Appendix A: SIMO Security**

#### **A.1. Security goals for SIMO**

Here we detail the five PCL security goals for the SIMO abbreviated handshake protocol (the *AUTH* goal was presented in Figure 4 and is repeated here). These directly correspond to the security goals detailed in Section 4.2. Unlike the generic goals presented there, these are the specific instances for the SIMO protocol.

```
Goals SIMO:

Φ_{SIMO,AUTH} :=
    KOHonest(ptk_{X,Y}, {pmk_{X,Y}, pmk_{Y,X}}) ⊃
    (Send(X, SIMO1X) < Receive(Y, SIMO1X)) ∧ (Send(Y, SIMO1Y) < Receive(X, SIMO1Y)) ∧
    (Send(Y, SIMO5Y) < Receive(X, SIMO5Y)) ∧
    (Send(X, SIMO1X) < Receive(X, SIMO1Y) < (Send(X, SIMO5X) ∧ Receive(X, SIMO5Y))) ∧
    (Send(Y, SIMO1Y) < Receive(Y, SIMO1X) < Send(Y, SIMO5Y))

Φ_{SIMO,KF} :=
    KOHonest(ptk_{X,Y}, {pmk_{X,Y}, pmk_{Y,X}}) ⊃
    (New(X̂, x) ∧ x ⊆ ptk_{X,Y} ∧ New(Ŷ, y) ∧ y ⊆ ptk_{X,Y}) ∧
    FirstSend(X, x, X̂, x, SIMO1X) ∧ FirstSend(Y, y, Ŷ, y, SIMO1Y)

Φ_{SIMO,KA} :=
    KOHonest(ptk_{X,Y}, {pmk_{X,Y}, pmk_{Y,X}}) ⊃
    Has(X, ptk_{X,Y}) ∧ Has(Y, ptk_{X,Y})

Φ_{SIMO,KD} :=
    KOHonest(ptk_{X,Y}, {pmk_{X,Y}, pmk_{Y,X}}) ∧ Receive(Y, SIMO5X) ⊃
    Has(X, gtk_Y) ∧ Has(Y, gtk_X)

Φ_{SIMO,INFO} :=
    KOHonest(ptk_{X,Y}, {pmk_{X,Y}, pmk_{Y,X}}) ⊃
    SELECT(INFO_X, INFO_Y) = CS, pmkN ∧ Has(X, CS, pmkN) ∧ Has(Y, CS, pmkN)
```
#### **A.2. Proof security goals, SIMO**

*Proof sketch generalized authentication, SIMO*

We only need to show the proof from a single point of view, as the roles are symmetric. Let principal *X* be the principal from whose view we are establishing the proof and let *Y* be the other principal. As the proof assumes *X* has completed the protocol successfully, we know that SIMO1X was sent before SIMO5X and SIMO1Y was received before SIMO5Y. Thus, to complete the proof we must show that *Y* sent exactly SIMO1Y before SIMO5Y and received exactly SIMO1X before sending SIMO5Y. We can determine that the MIC in SIMO5Y could only have been sent by *Y* if *X*, *Y* and *T* are honest. Since all the variables used in the protocol are contained in the MIC of SIMO5Y, we know that *X* and *Y* share identical variables. Now, using the honesty of *Y*, we are sure that *Y* sent SIMO1Y and received SIMO1X before sending SIMO5Y, and that it was sent exactly as *X* received it. Again, if *Y* is honest, since *X* and *Y* share variables, *Y* must have received SIMO1X exactly as *X* had sent it. This gives us generalized authentication.

<sup>1</sup> Funded by Motorola while working on this project
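The ordering conjuncts of Φ_SIMO,AUTH can be checked mechanically against a recorded run. The following Python checker is an added illustration, not code from the chapter or from any SIMO implementation: it models a run as a totally ordered list of Send/Receive events, takes the KOHonest antecedent as given (honesty is an assumption of the checker, not something it derives), expands each chain a < b < (c ∧ d) into the pairwise constraints a < b, b < c and b < d (our reading of the formula), and does not model the MIC reasoning used in the proof sketch. The two traces are constructed for the example.

```python
"""Trace checker for the ordering conjuncts of Φ_SIMO,AUTH (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    action: str     # "Send" or "Receive"
    principal: str  # "X" or "Y"
    message: str    # "SIMO1X", "SIMO1Y", "SIMO5X" or "SIMO5Y"


def Send(principal: str, message: str) -> Event:
    return Event("Send", principal, message)


def Receive(principal: str, message: str) -> Event:
    return Event("Receive", principal, message)


def fmt(e: Event) -> str:
    return f"{e.action}({e.principal}, {e.message})"


def position(trace: List[Event], event: Event) -> Optional[int]:
    """Index of the first occurrence of `event` in the trace, or None if absent."""
    for i, e in enumerate(trace):
        if e == event:
            return i
    return None


def precedes(trace: List[Event], a: Event, b: Event) -> bool:
    """PCL's a < b: both actions occur in the trace and a happens before b."""
    ia, ib = position(trace, a), position(trace, b)
    return ia is not None and ib is not None and ia < ib


# The consequent of Φ_SIMO,AUTH written out as binary precedence constraints
# (assumption: a < b < (c ∧ d) is read as a < b, b < c and b < d).
AUTH_CONJUNCTS = [
    (Send("X", "SIMO1X"), Receive("Y", "SIMO1X")),
    (Send("Y", "SIMO1Y"), Receive("X", "SIMO1Y")),
    (Send("Y", "SIMO5Y"), Receive("X", "SIMO5Y")),
    (Send("X", "SIMO1X"), Receive("X", "SIMO1Y")),
    (Receive("X", "SIMO1Y"), Send("X", "SIMO5X")),
    (Receive("X", "SIMO1Y"), Receive("X", "SIMO5Y")),
    (Send("Y", "SIMO1Y"), Receive("Y", "SIMO1X")),
    (Receive("Y", "SIMO1X"), Send("Y", "SIMO5Y")),
]


def check_auth(trace: List[Event]) -> Tuple[bool, List[str]]:
    """Return (holds, violated): violated lists every a < b conjunct the trace breaks."""
    violated = [f"{fmt(a)} < {fmt(b)}"
                for a, b in AUTH_CONJUNCTS if not precedes(trace, a, b)]
    return not violated, violated


# Constructed trace of a complete honest run: both sides exchange message 1,
# then both emit and receive message 5.
HONEST_RUN = [
    Send("X", "SIMO1X"), Send("Y", "SIMO1Y"),
    Receive("Y", "SIMO1X"), Receive("X", "SIMO1Y"),
    Send("X", "SIMO5X"), Send("Y", "SIMO5Y"),
    Receive("X", "SIMO5Y"), Receive("Y", "SIMO5X"),
]

# Constructed trace in which Y emits SIMO5Y without ever receiving SIMO1X;
# the ordering on Y's side is not met, so the goal's consequent fails.
INCOMPLETE_RUN = [
    Send("X", "SIMO1X"), Send("Y", "SIMO1Y"),
    Receive("X", "SIMO1Y"), Send("Y", "SIMO5Y"),
    Send("X", "SIMO5X"), Receive("X", "SIMO5Y"),
]

if __name__ == "__main__":
    for name, run in (("honest", HONEST_RUN), ("incomplete", INCOMPLETE_RUN)):
        ok, bad = check_auth(run)
        print(name, "satisfies AUTH" if ok else f"violates: {bad}")
```

The honest trace satisfies every conjunct; the incomplete trace fails the three conjuncts that mention Receive(Y, SIMO1X), which is exactly the obligation the proof sketch discharges through the MIC in SIMO5Y.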

Ryan Moriarty<sup>1</sup>, Tony Braskich, Steve Emeott and Mahesh Tripunitara

*Computer Science Department*

*Motorola, Schaumburg, IL 60196*

*University of California at Los Angeles*
