Graphical Animations of the NSLPK Authentication Protocol

Thet Wai Mon, Dang Duy Bui, Duong Dinh Tran, Kazuhiro Ogata
School of Information Science, Japan Advanced Institute of Science and Technology (JAIST)
1-1 Asahidai, Nomi, Ishikawa 923-1292, Japan
Email: {thetwaimon,bddang,duongtd,ogata}@jaist.ac.jp

Footnote: This work was partially supported by JST SICORP Grant Number JPMJSC20C2, Japan and FY2020 grant-in-aid for new technology research activities at universities (SHIBUYA SCIENCE CULTURE AND SPORTS FOUNDATION). DOI reference number: 10.18293/DMSVIVA2021-005

Abstract—The behavior of the NSLPK authentication protocol is visualized using SMGA so that human users can visually perceive non-trivial characteristics of the protocol by observing graphical animations. These characteristics could be used as lemmas to formally verify that the protocol enjoys desired properties. We first carefully make a state picture design for the NSLPK protocol to produce good graphical animations with SMGA and then find non-trivial characteristics of the protocol by observing its graphical animations. Finally, we confirm the correctness of the guessed characteristics using model checking. The work demonstrates that SMGA can be applied to a wider class of systems/protocols, authentication protocols in particular.

Keywords—graphical animation; SMGA; NSLPK protocol; state machine; state picture design

I. INTRODUCTION

SMGA [1] has been developed to visualize graphical animations of protocols. The main purpose of SMGA is to help human users visually perceive non-trivial characteristics of protocols by observing their graphical animations, because humans are good at visual perception [2]. Those characteristics can be used as lemmas to formally prove that systems/protocols enjoy desired properties. Several case studies have been conducted on some protocols with SMGA. Among the protocols are shared-memory mutual exclusion protocols [3], [4], [5], a distributed mutual exclusion protocol [6], and a communication protocol [1]. No authentication protocol has yet been tackled with SMGA.

It is worth tackling authentication protocols with SMGA because such protocols (TLS, for example) are part of the infrastructure of our highly networked environment. We aim to come up with a brand-new way to visualize the behavior of an authentication protocol called NSLPK [7]. Since it is known that state picture designs affect how well human users can detect non-trivial characteristics of protocols [5], we carefully make a state picture design of the NSLPK protocol and produce graphical animations of NSLPK based on that design. By observing the graphical animations, some non-trivial characteristics are guessed by human users and checked with Maude [8]. In this paper, we mainly focus on how to make the state picture design of the NSLPK protocol and how some characteristics can be found by observing graphical animations, with detailed experiments.

Bui and Ogata [6] have revised SMGA so as to visualize the network components in a distributed mutual exclusion protocol, part of which is reused in our work. VA4JVM [9] is a tool that can visualize outputs generated by Java Pathfinder (JPF). JPF outputs are often long and hard to read, especially when JPF finds something wrong, such as a race condition or a deadlock. VA4JVM supports functionalities such as zooming, filtering, and highlighting specific parts of JPF outputs. Those functionalities help human users observe fragments that look interesting so that they can better comprehend JPF outputs. Counterexamples generated by the Maude LTL model checker can be graphically animated with SMGA [10]. Although the Maude LTL model checker is a classical model checker and JPF is a software model checker, it would be worth considering some VA4JVM functionalities, such as zooming, filtering, and highlighting, for a future version of SMGA.

We assume that readers are familiar with state machines and Maude to some extent.

NSLPK [7] is a modification of the NSPK authentication protocol [11]. The NSLPK protocol can be described as the following three message exchanges:

    Init  p → q : ε_q(n_p, p)
    Resp  q → p : ε_p(n_p, n_q, q)
    Ack   p → q : ε_q(n_q)

Each principal such as p and q has a private/public key pair; the public key is shared with all principals, but the private key is only available to its owner. ε_p(m) denotes the ciphertext obtained by encrypting the message m with principal p's public key. n_p is a nonce (a random number) generated by principal p. A nonce is a unique and non-guessable number that is used only once. The responder's identity q in the Resp message is the addition that distinguishes NSLPK from NSPK: the initiator p can check that the nonce n_q came from the principal it started the exchange with.

II. FORMAL SPECIFICATION OF NSLPK

We first introduce the following three operators to represent the three kinds of ciphertexts used in the protocol:

    op enc1 : Prin Nonce Prin -> Cipher1 .
    op enc2 : Prin Nonce Nonce Prin -> Cipher2 .
    op enc3 : Prin Nonce -> Cipher3 .
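The three-message exchange above, run symbolically with both sides' messages, as an added example that is not part of the paper and not its Maude specification. Encryption is modelled Dolev-Yao style (a ciphertext is a term tagged with the key owner's name; only that principal can open it), mirroring the enc1/enc2/enc3 operators, where the first argument names whose public key is used. The principal names, nonces and the `lowe_fix` switch are constructed here; switching the fix off yields the original NSPK shape of the second message, and the function `lowe_attack` replays the well-known Lowe man-in-the-middle run against both variants so the effect of the extra identity field is visible.

```python
"""Symbolic model of NSLPK (and NSPK without Lowe's fix).
Constructed example: names, nonces and the intruder scenario are made up."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Cipher:
    """eps_to(body): readable only by the principal named in `to`."""
    to: str
    body: tuple


def enc(to, *body):
    return Cipher(to, tuple(body))


def dec(principal, c):
    """Only the owner of the matching private key can open the term."""
    if c.to != principal:
        raise PermissionError(f"{principal} lacks the private key of {c.to}")
    return c.body


class Initiator:
    def __init__(self, name, nonce):
        self.name, self.nonce, self.peer = name, nonce, None

    def init(self, responder):
        self.peer = responder
        return enc(responder, self.nonce, self.name)        # Init: eps_q(n_p, p)

    def ack(self, msg, lowe_fix):
        body = dec(self.name, msg)
        if lowe_fix:
            n_p, n_q, q = body                               # Resp: eps_p(n_p, n_q, q)
            if q != self.peer:                               # NSLPK check: q must be who we started with
                return None
        else:
            n_p, n_q = body                                  # NSPK: no responder identity
        if n_p != self.nonce:
            return None
        return enc(self.peer, n_q)                           # Ack: eps_q(n_q)


class Responder:
    def __init__(self, name, nonce):
        self.name, self.nonce = name, nonce
        self.peer, self.authenticated = None, None

    def resp(self, msg, lowe_fix):
        n_p, p = dec(self.name, msg)
        self.peer = p
        if lowe_fix:
            return enc(p, n_p, self.nonce, self.name)        # eps_p(n_p, n_q, q)
        return enc(p, n_p, self.nonce)                       # eps_p(n_p, n_q)

    def finish(self, msg):
        (n_q,) = dec(self.name, msg)
        if n_q == self.nonce:                                # q now believes it talked to self.peer
            self.authenticated = self.peer
        return self.authenticated


def honest_run(lowe_fix=True):
    """alice <-> bob with no intruder; returns whom bob believes he authenticated."""
    alice, bob = Initiator("alice", "n_a"), Responder("bob", "n_b")
    m1 = alice.init("bob")
    m2 = bob.resp(m1, lowe_fix)
    m3 = alice.ack(m2, lowe_fix)
    return bob.finish(m3)


def lowe_attack(lowe_fix):
    """alice starts a session with the intruder, who relays to bob as 'alice'.
    Returns 'alice' if bob is fooled, None if alice rejects message 2."""
    alice, bob = Initiator("alice", "n_a"), Responder("bob", "n_b")
    m1 = alice.init("intruder")                              # eps_I(n_a, alice)
    n_a, _ = dec("intruder", m1)                             # intruder can read its own message
    m2 = bob.resp(enc("bob", n_a, "alice"), lowe_fix)       # intruder re-encrypts for bob
    m3 = alice.ack(m2, lowe_fix)                             # m2 is eps_alice(...): only alice reads it
    if m3 is None:
        return None                                          # NSLPK: alice sees q == bob, not intruder
    (n_b,) = dec("intruder", m3)                             # NSPK: alice leaks n_b to the intruder
    return bob.finish(enc("bob", n_b))
```

With `lowe_fix=True` the initiator rejects the relayed second message because the identity inside it names bob rather than the intruder; with it off, the intruder learns n_b and bob completes the run believing alice is his peer. The identity in enc2 is therefore the field a state picture design for NSLPK should make visible.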