CHAPTER 4 SECURITY VERIFICATION
4.1 Introduction
4.1.2 Tools
Security protocol development increased the demands on verification methods as even small protocols caused problems when being analyzed. Security protocols turned out to be too complex for analyzing without any computer aid [AN95, Boy93,
protocol verification such as Spi‐Calculus [AG99] and Murφ [MMS97] were developed.
Some of these formal methods are described herein. The aim of this section is to determine which approach is the most appropriate one for the IDKE protocol verification. It also shows how the IDKE protocol can be verified by a theorem proving approach termed the BAN logic. However, the limitations of the BAN logic, as well as the limitations of the other approaches, have been the incentive for the section that deals with the FDR model checker.
4.1.2.1 BAN Logic
The logic of Burrows, Abadi and Needham (BAN) [BAN89, BAN90, BAN91] was developed in 1989 and is one of the first formal protocol verification approaches. This theorem proving method is used for reasoning about authentication and key establishment protocols. Its main advantage is that proofs in BAN logic are simple, short and can be obtained manually.
BAN Expr.       Interpretation of the expression
P |≡ X          P believes X; P believes that X is true.
P ◁ X           P sees X; P has received a message from which X can be read.
P |∼ X          P once said X; P has sent a message containing X.
P |⇒ X          P has jurisdiction over X; P is trusted on the truth of X.
#(X)            X is fresh; X has not been sent previous to the current protocol run.
P ←K→ Q         P and Q share key K; K is confidential.
↦K P            P has K as public key; the matching secret key is K⁻¹.
{X}_K           X is encrypted by K.
P ⇌X Q          Formula X is known only to P and Q.
⟨X⟩_Y           X combined with formula Y; Y is assumed to be secret.
Table 3: BAN Logic Expressions
The basic concept is to determine how the belief of agents in other agents evolves whenever new information is received. An idealization process creates formulae containing the initial and the end knowledge of all agents. Furthermore, these formulae contain the assumptions prior to the protocol run and at all stages of a protocol run. The most important limitation of the BAN logic is that it is restricted to authentication: no secrecy statements are expressible.
It is important to consider the BAN analysis results carefully. Their interpretation is difficult since BAN explicitly assumes that all participants are honest and therefore trustworthy. With these assumptions in mind, it is not surprising that the BAN logic proved the Needham Schroeder Public Key Protocol (NSPK) [NS78] secure, while Lowe outlines an attack [Low96]. Nevertheless, BAN logic is a powerful tool to prove equivalences of protocols or parts of protocols and can be used to reduce over-engineered security protocols to their minimal version.
The syntax of BAN covers three primitive objects: principals, keys and nonces. Protocol messages are expressed as formulae ranging over X and Y, where P and Q stand for principals and K ranges over keys. The formal notation for shared key protocols is illustrated in Table 3.
Proofs are based on deduction rules read as "if formulae X1, …, Xn hold, then consequently Y holds", written more concisely as:

    X1, …, Xn
    ─────────
        Y
In order to analyze the protocol messages, they need to be converted into BAN formulae. The idealizations that need to be performed prior to analyzing the IDKE protocol are illustrated in Table 4. BAN logic instances are represented by a single character, so that the pAR is denoted as P, the nAR as N and the MN as M. The BAN
(Table 4: idealizations of the IDKE protocol messages; of its content only the labels TUNNEL, PK(N), na, SMS and DH survive extraction.)
The IDKE protocol has many goals to achieve. A very simple one acts as an example here: under the assumption that M believes in the public key of N, the goal that P believes in the public key of N is fulfilled. This goal is expressed as

IDKE Protocol Goal 1:    P |≡ ↦PK(N) N
The goal is reached by the deduction illustrated by the following proof:
Proof of IDKE Goal 1 :
Starting with message 3 (see protocol)
using the assumption
applying the message‐meaning rule for shared keys (1)
≡ ←⎯⎯→
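To make the deduction style of the rules above and of the Goal 1 proof concrete, here is an added example (not code from the thesis or the IDKE project): a small forward-chaining engine over the Table 3 formulae that applies the message-meaning rule for shared keys together with the standard BAN nonce-verification and jurisdiction rules, which the page does not spell out. The helper names, the key name K_PN, and the freshness and jurisdiction assumptions for the constructed Goal 1 sketch are all assumptions of this example.

```python
# Added example (not the thesis' code): a small forward-chaining BAN-logic engine over the
# formulae of Table 3; K_PN, the freshness and the jurisdiction assumptions below are constructed.

def believes(p, x):      return ("believes", p, x)                     # P |≡ X
def sees(p, x):          return ("sees", p, x)                         # P ◁ X
def said(p, x):          return ("said", p, x)                         # P |∼ X
def controls(p, x):      return ("controls", p, x)                     # P |⇒ X
def fresh(x):            return ("fresh", x)                           # #(X)
def shared_key(p, q, k): return ("shared_key", frozenset((p, q)), k)   # P ←K→ Q
def enc(x, k):           return ("enc", x, k)                          # {X}_K

def step(facts):
    new = set()
    for f in facts:
        if f[0] == "sees" and f[2][0] == "enc":
            # Message-meaning (shared key): P |≡ P ←K→ Q,  P ◁ {X}_K  ⊢  P |≡ Q |∼ X
            p, (_, x, k) = f[1], f[2]
            for g in facts:
                if g[0] == "believes" and g[1] == p and g[2][0] == "shared_key" and g[2][2] == k:
                    for q in g[2][1] - {p}:
                        new.add(believes(p, said(q, x)))
        elif f[0] == "believes" and f[2][0] == "said":
            # Nonce-verification: P |≡ #(X),  P |≡ Q |∼ X  ⊢  P |≡ Q |≡ X
            p, (_, q, x) = f[1], f[2]
            if believes(p, fresh(x)) in facts:
                new.add(believes(p, believes(q, x)))
        elif f[0] == "believes" and f[2][0] == "believes":
            # Jurisdiction: P |≡ Q |⇒ X,  P |≡ Q |≡ X  ⊢  P |≡ X
            p, (_, q, x) = f[1], f[2]
            if believes(p, controls(q, x)) in facts:
                new.add(believes(p, x))
    return new - facts

def derive(assumptions):
    """Close the assumptions under the rules (a fixpoint; BAN proofs are finite)."""
    facts = set(assumptions)
    while new := step(facts):
        facts |= new
    return facts

def goal1_closure():
    """Constructed sketch of Goal 1: PK(N) reaches P under a key P shares with N (message 3)."""
    pk_n = "PK(N)"                                   # the formula "N has public key PK(N)"
    assumptions = {
        believes("P", shared_key("P", "N", "K_PN")),  # P |≡ P ←K_PN→ N
        sees("P", enc(pk_n, "K_PN")),                # P ◁ {PK(N)}_K_PN  (message 3)
        believes("P", fresh(pk_n)),                  # P |≡ #(PK(N))
        believes("P", controls("N", pk_n)),          # P |≡ N |⇒ PK(N)
    }
    return derive(assumptions)
```

Dropping the freshness assumption from `goal1_closure` stops the chain after the message-meaning step, which is exactly where BAN's honesty assumption does the work the text warns about.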
A number of protocols have been verified by the BAN logic, such as the Needham-Schroeder public key protocol, which is the basis for the Kerberos [Gam03, Tun99] authentication protocol. The main drawback of the BAN logic is that protocols it proved have later been discovered to be insecure. In conclusion, the BAN logic is inappropriate for use in the formal verification of the IDKE protocol, even if it does present a convenient method. However, the BAN logic does provide a simple toolset that enables one to analyze protocols instantly in order to obtain an initial impression [BM94, Nes90, HRM+03].
4.1.2.2 NRL Protocol Analyzer
This is a hybrid approach based on both model checking and theorem proving. It was devised by the US Naval Research Laboratory (NRL) [Mea96] and is referred to as the NRL Protocol Analyzer (NPA). The result of a long term project, the NPA is a tool for verifying the security properties of cryptographic protocols [Mea99]. This immense program, consisting of several hundred thousand lines of Prolog code, performs its checks as a backward state-space search: starting from insecure states, the tool endeavors to reach the initial state and thereby locate any attack.
All stages of the protocol are represented as conditional rewriting rules that correspond to the data types used. The strength of this approach is checking secrecy policies: it can check whether the intruder is able to deduce a secret from the rules and its knowledge. For authentication and agreement properties the NPA uses a trick: the participants' beliefs about the protocol run are stored in local variables, and the tool checks whether an attacker is able to obtain possession of these variables.
NPA requires user expertise in order to construct the correct rewriting rules from the protocol specification. Specification errors will obviously result in false assumptions on the secrecy of variables. Automation has been increased to make the tool more user friendly. However, the general public will not profit directly from this research into the NPA due to governmental restrictions on its use.
4.1.2.3 The Inductive Model
The inductive model [Pau98] was introduced in 1998 as a formal security protocol verification method. The concept of this theorem proving approach is to use induction to prove properties over the infinitely many possible protocol states without having to examine all of them explicitly. The tool devised by Paulson [Pau98] is named Isabelle and is based on a formalism referred to as Higher Order Logic (HOL) [GM93].
Induction is a well known approach that proves a formula F(x) to be true for each integer x. This is done by establishing F(0) along with the general result F(n) → F(n+1). The inductive proof then concludes that F(x) is true for any positive integer x. For protocol verification, all desirable properties are extracted and it is shown that they are preserved under all possible extensions. Thus, this approach is capable of stating whether protocols are insecure. However, it does not explicitly show an attack. This drawback makes the inductive approach impracticable for improving protocols in cases where they are stated as being insecure.