
Analysis Approaches of Security Protocols

The security of a security protocol depends on the interacting components that make up its environment. In the box example of Section 2.2.1 it is obvious that if we could open the box, the system is insecure; in a complex network protocol this kind of analysis is much harder.

Because safety is a critical issue in the development of security protocols, the use of rigorous mathematical models to develop them is recommendable and sometimes mandatory. Using mathematical models helps to identify software problems at earlier stages, prior to the coding phase.

There exist two approaches to the verification of security protocols: one is the formal methods approach, which is based on what can be learned from interacting with several principals engaged in an arbitrary number of protocol runs, and the other is the computational complexity approach, which is based on the complexity and the probability of breaking the cryptographic primitives of a protocol. These two approaches differ mainly in how they model cryptographic primitives.

Formal Methods Approach

This approach treats cryptographic operations in a purely formal way: for example, the expression $\{M\}_K$ may represent an encrypted message with plaintext $M$ and key $K$, where $\{M\}_K$, $M$ and $K$ are formal expressions rather than sequences of bits [21]. It is assumed that the cryptographic operations are perfect (the perfect cryptography assumption). This assumption states that, in order to decrypt the message $\{M\}_K$, the appropriate key $K$ must be applied; the intruder cannot recover $M$ or $K$ from the message $\{M\}_K$ alone, that is, from the encryption of $M$ under $K$.

The intruder is modeled according to the Dolev-Yao intruder model [162], the so-called spy: an omnipresent agent that controls the network but cannot perform cryptanalysis.

However, the adversary can intercept messages, analyze them, and decrypt them if he possesses the corresponding decryption key. He can also inject new messages into the network and send them under any agent's name. Additionally, the spy knows all public keys, his own shared key and private key, all shared and private keys of a collection of compromised agents, and a set of lost session keys.
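The perfect-cryptography assumption and the spy's capabilities described above can be made concrete as a small deduction procedure. The following Python is an added illustration, not code from the thesis or from any of the tools it surveys; the term encoding (atoms as strings, pairs and symmetric encryptions as tagged tuples) and the helper names are assumptions of this example. It closes the spy's knowledge under the analysis rules (split pairs, decrypt only with a known key) and then checks whether a target term can be synthesized by pairing and encrypting known components.

```python
"""Dolev-Yao intruder deduction under the perfect-cryptography assumption.

Term encoding (constructed for this example, not the thesis's notation):
  - atoms: str, e.g. "M", "K", "NA"
  - pairs: ("pair", t1, t2)
  - symmetric encryption {M}_K: ("enc", M, K)
"""


def enc(m, k):
    """The formal expression {m}_k."""
    return ("enc", m, k)


def pair(a, b):
    """The formal pair (a, b)."""
    return ("pair", a, b)


def analyze(knowledge):
    """Close a set of terms under the spy's analysis rules.

    Pairs are split into their components; an encryption {M}_K yields M
    only when K is already known (no cryptanalysis is possible).
    """
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):  # iterate over a snapshot while the set grows
            if isinstance(t, tuple) and t[0] == "pair":
                for part in t[1:]:
                    if part not in known:
                        known.add(part)
                        changed = True
            elif isinstance(t, tuple) and t[0] == "enc":
                _, m, k = t
                if k in known and m not in known:
                    known.add(m)
                    changed = True
    return known


def derivable(target, knowledge):
    """Can the spy produce `target` from what he has observed?

    Synthesis rules: a known term can be forwarded as-is; a pair or an
    encryption can be built only if every component (including the key)
    can itself be synthesized.
    """
    known = analyze(knowledge)

    def synth(t):
        if t in known:
            return True
        if isinstance(t, tuple) and t[0] in ("pair", "enc"):
            return all(synth(sub) for sub in t[1:])
        return False

    return synth(target)


def demo():
    """A few constructed observations and what the spy can learn from them."""
    observed = {enc("M", "K")}
    return {
        # {M}_K alone reveals neither M nor K
        "M_without_K": derivable("M", observed),
        # with the key, the plaintext is recoverable
        "M_with_K": derivable("M", observed | {"K"}),
        # the ciphertext itself can always be replayed
        "forward_ciphertext": derivable(enc("M", "K"), observed),
        # a fresh encryption under an unknown key cannot be forged
        "forge_under_K": derivable(enc("NA", "K"), {"NA"}),
        # keys learned by decryption unlock further layers
        "nested": derivable("S", {enc(pair("S", "x"), "K1"), enc("K1", "K2"), "K2"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The closure terminates because every rule adds only subterms of terms already present, so the knowledge set is bounded by the finite set of subterms of the initial observations; this is the property that makes symbolic tools able to decide intruder deduction.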

The Computational Complexity Approach

This approach views cryptographic primitives as functions on strings of bits. In [22], Abadi and Rogaway explain an example of the computational approach by sketching a notion of secure encryption. They define a symmetric encryption scheme as a triple of algorithms $Q = (K, E, D)$. Algorithm $K$ is a key generator which, after making random choices, generates a string $k$ (the key). Algorithm $E$ is an encryption algorithm which flips random coins $r$ to map the strings $k$ (the key) and $m$ (the plaintext) into a string $E_k(m, r)$ (the ciphertext). Algorithm $D$ is a decryption algorithm that maps the strings $k$ (the key) and $c$ (the ciphertext) into a string $D_k(c)$. It is expected that $D_k(E_k(m, r)) = m$ for appropriate $k$, $m$ and $r$.

The adversary is modeled as a Turing machine which has access to an oracle. The oracle has some clues, which involve knowledge of some components of $m$, knowledge of other messages encrypted under the same key, etc. The aim of the oracle is to find a key $k'$ that is able to decrypt a given ciphertext $E_k(m, r)$. Roughly, a protocol is considered good if the oracle cannot find $k'$, or if, with the computational power at hand, the probability of finding $k'$ grows slowly and stays under a determined threshold. Although this approach provides strong security guarantees, proofs under it are in general harder and more difficult to automate.
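To make the triple $(K, E, D)$ and the role of the random coins $r$ concrete, here is an added Python illustration; it is not code from the thesis or from Abadi and Rogaway. The scheme is a constructed counter-mode stream cipher whose keystream comes from HMAC-SHA256 used as a pseudorandom function; it only serves to show how $k$, $m$, $r$ and $c$ relate, and is not offered as a vetted cipher. The nonce length and the function names are assumptions of the example.

```python
"""A symmetric encryption scheme as the triple (K, E, D) of the computational view.

Constructed illustration: keystream = HMAC-SHA256(k, r || counter), XORed with the
plaintext. The 16-byte random coins r are transmitted in front of the ciphertext
so that D can regenerate the same keystream.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16  # size of the random coins r (assumption of this example)


def K():
    """Key generator: makes random choices and outputs the key string k."""
    return os.urandom(32)


def _keystream(k, r, n):
    """Pseudorandom bytes derived from (k, r): block i = HMAC(k, r || i)."""
    out = b""
    counter = 0
    while len(out) < n:
        block = hmac.new(k, r + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:n]


def E(k, m, r=None):
    """Encryption: flips random coins r and maps (k, m) to the ciphertext c = r || m XOR ks."""
    if r is None:
        r = os.urandom(NONCE_LEN)
    if len(r) != NONCE_LEN:
        raise ValueError("r must be exactly NONCE_LEN bytes")
    ks = _keystream(k, r, len(m))
    return r + bytes(a ^ b for a, b in zip(m, ks))


def D(k, c):
    """Decryption: recovers r from the ciphertext and strips the keystream."""
    r, body = c[:NONCE_LEN], c[NONCE_LEN:]
    ks = _keystream(k, r, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def correctness(k, m):
    """The expected property D_k(E_k(m, r)) = m."""
    return D(k, E(k, m)) == m


def probabilistic(k, m):
    """Why E takes coins r: two encryptions of the same m differ when r is fresh,
    while fixing r makes E deterministic, so equal plaintexts give equal ciphertexts
    (an observable leak an adversary's oracle could exploit).

    Returns (fresh_coins_differ, fixed_coins_repeat).
    """
    fixed_r = b"\x00" * NONCE_LEN
    return E(k, m) != E(k, m), E(k, m, fixed_r) == E(k, m, fixed_r)


if __name__ == "__main__":
    k = K()
    print("correct:", correctness(k, b"attack at dawn"))
    print("fresh coins differ, fixed coins repeat:", probabilistic(k, b"attack at dawn"))
```

Decrypting with a different key yields an unrelated string rather than an error, which is exactly the situation the computational adversary faces: nothing tells it that $k'$ is wrong except its own tests on the output, so its success is measured as a probability over $r$ and over its own coins.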

Recently, several studies have investigated the connections between the formal view and the computational view. Abadi and Rogaway [22] bridged the gap between the two views of cryptographic operations by presenting two accounts of symmetric encryption: a simple one based on the formal approach, and a more elaborate one based on the computational approach. They showed that security properties that can be proved in the formal model also hold in the computational model. Later on, Baudet et al. [59] introduced a reasoning framework for proving the soundness of implementations of equational theories, which are used to specify cryptographic primitives. More recently, Kremer and Mazaré [223] extended the work of Baudet et al. to consider an adaptive adversary rather than a purely passive one.


In this thesis, of the two approaches mentioned, we deal only with the formal methods approach to the analysis and verification of security protocols. Formal methods have been successfully applied to the analysis of hardware systems, software systems and communication protocols. In the 70's and 80's some initial works appeared to support the analysis of security protocols. In the 90's, formal methods were widely used for analyzing security protocols, which led to the discovery of attacks on important security protocols that had been considered secure for several years [248].

This chapter discusses the formal methods approach to the analysis and verification of security protocols. Before surveying and discussing the most significant formal methods and related tools, we briefly describe the formal methods approach to software verification and give an example of a faulty security protocol from the academic literature.

2.6.1 Formal Verification of Software Systems

In the context of software systems, formal verification is the act of proving the correctness or the falsification of the intended algorithms underlying the system with respect to a certain formal specification or property, using formal methods of mathematics. To be able to use formal software verification, both the system and its specification are first expressed as formulas of some (but not necessarily the same) logic. Then, mathematical reasoning is used to prove that the system and the specification are related in some way, for example by inductive logic. A state-of-the-art verification tool is capable of yielding one of two outputs: (i) OK, indicating that the system is error-free, at least with respect to the coverage analysis of the corresponding tool; and (ii) a counterexample, indicating how a system execution violates the specification.

In the context of security protocol verification, the system is the security protocol under analysis, the specification is the protocol's security requirement (a security property: secrecy, authenticity, non-repudiation, anonymity, ...) and the counterexample is actually an attack. Authentication and secrecy are the most common examples of protocol security requirements. These properties have no universal interpretation and are formalized according to the context. Roughly, user authentication amounts to verifying the identity of a protocol participant, and secrecy to ensuring that certain message parts sent over the network remain readable only to their intended recipients. Most formal methods and their related tools have studied secrecy and authenticity intensively, for example [310]. There are also other works and tools that have studied other properties: non-repudiation was studied by Judson Santiago and Laurent Vigneron in [215], and Tom Chothia et al. [338] checked anonymity in a possibilistic general-purpose process-algebraic verification tool-set, using a combination of dedicated tools and the existing µCRL tools, with the Dining Cryptographers problem and the FOO 92 voting protocol as the proof of concept of their method.

The seminal work of Clark and Jacob [124], the so-called Clark and Jacob library (an online repository is available at http://www.lsv.ens-cachan.fr/Software/spore/index.html), and the AVISPA project library (available at http://www.avispa-project.org/) document most security protocols. Another rich source of documentation for authentication and key establishment protocols is [83].

2.6.2 An Example of a Faulty Security Protocol

To show the difficulties of designing sound security protocols, let us consider the Andrew secure RPC protocol [314], which aims to establish a fresh session key between two agents $A$ and $B$. In the first three messages, $A$ and $B$ perform a handshake using a key they already share, $K_{AB}$. In the final message, $B$ sends a new session key $K'_{AB}$ to $A$. Nonce $N_A$ is chosen by $A$ and nonces $N_B$, $N'_B$ are chosen by $B$. The so-called Alice-Bob notation of the RPC protocol is shown in the following list:

Protocol 2.6.1 Andrew secure RPC protocol
1. $A \to B : \{N_A\}_{K_{AB}}$
2. $B \to A : \{N_A + 1, N_B\}_{K_{AB}}$
3. $A \to B : \{N_B + 1\}_{K_{AB}}$
4. $B \to A : \{K'_{AB}, N'_B\}_{K_{AB}}$

Burrows et al. [95] have pointed out a major problem with the Andrew secure RPC protocol: $A$ has no assurance that $K'_{AB}$ is fresh. An intruder could substitute a previously recorded message 4 (from $B$ to $A$) and force $A$ to accept an old, possibly compromised, session key. Another problem was pointed out by Clark and Jacob [123]. They proposed a typing attack in which an intruder records a message 2 and substitutes it in place of message 4, as follows:

Attack 2.6.1 Clark-Jacob attack on the Andrew protocol (Protocol 2.6.1)
1. $A \to B : \{N_A\}_{K_{AB}}$
2. $B \to A : \{N_A + 1, N_B\}_{K_{AB}}$
3. $A \to B : \{N_B + 1\}_{K_{AB}}$
4. $I_B \to A : \{N_A + 1, N_B\}_{K_{AB}}$

The result of the attack is that $A$ accepts the value $N_A + 1$ as a session key with $B$. Clark and Jacob point out that the potential damage of this attack depends on what property the nonce $N_A$ is assumed to have. If $N_A$ is a predictable nonce, such as a counter value, then the attacker could force $A$ into accepting a bogus quantity as a session key whose value is known to the attacker. If $N_A$ is random, however, the potential damage of the attack is less immediate, since the session key is not disclosed.
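The two problems above (the replay noted by Burrows et al. and the Clark-Jacob typing attack) both come down to what $A$ checks when it processes message 4. The following Python is an added symbolic model, not code from the thesis or from either paper: messages are tuples, $\{X\}_{K}$ is encoded as `("enc", X, K)`, $N + 1$ as `("succ", N)`, and the spy does nothing beyond recording ciphertexts and replaying them under $B$'s name. The repaired acceptance check at the end is an illustration of the usual countermeasures, a message-type tag inside the encryption and an echo of $A$'s nonce; it is this example's assumption, not a fix the thesis proposes, and it drops $N'_B$ for brevity.

```python
"""Symbolic runs of Protocol 2.6.1 (Andrew secure RPC) and Attack 2.6.1.

Constructed example. Terms are tuples; no real cryptography is involved, so the
perfect-cryptography assumption holds by construction: dec() succeeds only with
the exact key the term was built with.
"""

KAB = "KAB"  # the long-term key shared by A and B (constructed name)


def enc(payload, key):
    """{payload}_key"""
    return ("enc", payload, key)


def dec(ct, key):
    """Decrypt under the perfect-cryptography assumption."""
    tag, payload, k = ct
    if tag != "enc" or k != key:
        raise ValueError("cannot decrypt: wrong key")
    return payload


def succ(n):
    """The value n + 1 on a nonce."""
    return ("succ", n)


def honest_run(na, nb, new_key, nb2):
    """The four ciphertexts of Protocol 2.6.1 as the spy sees them on the wire."""
    m1 = enc(na, KAB)                   # 1. A -> B : {NA}KAB
    m2 = enc((succ(na), nb), KAB)       # 2. B -> A : {NA+1, NB}KAB
    m3 = enc(succ(nb), KAB)             # 3. A -> B : {NB+1}KAB
    m4 = enc((new_key, nb2), KAB)       # 4. B -> A : {K'AB, N'B}KAB
    return m1, m2, m3, m4


def a_accepts_untagged(msg4):
    """A's handling of message 4 in Protocol 2.6.1: decrypt and take the first
    component as the new session key. Nothing ties the message to this run,
    and messages 2 and 4 have the same shape (a pair under KAB)."""
    key, _nonce = dec(msg4, KAB)
    return key


def typing_attack():
    """Attack 2.6.1: the spy records message 2 and delivers it as message 4."""
    _m1, m2, _m3, _m4 = honest_run("NA", "NB", "KAB_new", "NB2")
    return a_accepts_untagged(m2)       # A accepts NA+1 as the session key


def replay_attack(old_session_key):
    """Burrows et al.: a message 4 recorded in an earlier run is accepted as fresh."""
    _, _, _, old_m4 = honest_run("NA_old", "NB_old", old_session_key, "NB2_old")
    honest_run("NA", "NB", "KAB_new", "NB2")   # the current run, message 4 replaced
    return a_accepts_untagged(old_m4)


def a_accepts_tagged(msg4, na):
    """Illustrative repaired check (assumption of this example): message 4 is
    {"msg4", K'AB, NA}KAB. The tag rejects a message-2 ciphertext and the echoed
    nonce binds the key to the run A started."""
    payload = dec(msg4, KAB)
    if not (isinstance(payload, tuple) and len(payload) == 3 and payload[0] == "msg4"):
        raise ValueError("rejected: wrong message type")
    _, key, echoed_na = payload
    if echoed_na != na:
        raise ValueError("rejected: not bound to this run")
    return key


def repaired_checks():
    """Run the repaired check against both attacks and against an honest message 4."""
    _m1, m2, _m3, _m4 = honest_run("NA", "NB", "KAB_new", "NB2")
    results = {}
    try:
        a_accepts_tagged(m2, "NA")
        results["rejects_message2"] = False
    except ValueError:
        results["rejects_message2"] = True
    old_m4 = enc(("msg4", "K_old", "NA_old"), KAB)   # recorded from a previous run
    try:
        a_accepts_tagged(old_m4, "NA")
        results["rejects_old_message4"] = False
    except ValueError:
        results["rejects_old_message4"] = True
    genuine = enc(("msg4", "KAB_new", "NA"), KAB)
    results["accepts_genuine"] = a_accepts_tagged(genuine, "NA") == "KAB_new"
    return results


if __name__ == "__main__":
    print("typing attack, A accepts:", typing_attack())
    print("replay attack, A accepts:", replay_attack("K_old"))
    print("repaired check:", repaired_checks())
```

The model is exactly what a symbolic tool would explore: the spy's only moves are to forward recorded terms, and the attack exists because $A$'s acceptance rule does not distinguish the two message shapes or the run they belong to. That is also why the damage assessment in the text hinges on $N_A$: in the typing attack the accepted key is $N_A + 1$, so the spy knows it precisely when $N_A$ is predictable.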

In the next section, we shall focus on the formal methods for analyzing security protocols.

2.7 Formal Approaches for Verification of Security