Abstract
When using formal methods, security protocols are usually modeled at a high level of abstraction. In particular, data encoding and decoding transformations are often abstracted away. However, if no assumptions at all are made on the behavior of such transformations, they could trivially lead to security faults, for example leaking secrets or breaking freshness by collapsing nonces into constants.
To address this issue, this paper formally states sufficient conditions, checkable on sequential code, such that if an abstract protocol model is secure under a Dolev–Yao adversary, then a refined model, which takes into account a wide class of possible implementations of the encoding/decoding operations, is also secure under the same adversary model. The paper also indicates possible uses of this result in methods based on formal model extraction from implementation code and in methods based on automated code generation from formally verified models.
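The failure mode the abstract describes, shown in an added example that is not the paper's code: two concrete encoders that silently break the abstract model (one collapses nonces, one is ambiguous on field boundaries) beside a length-prefixed encoder that keeps tuple structure intact. The injectivity and round-trip checks are a hypothetical test heuristic over constructed messages, not the paper's formal sufficient conditions.

```python
import struct

# Constructed abstract messages: (agent identity, nonce) pairs as in a
# Dolev-Yao style model. The nonces differ, so the model treats them as fresh.
SAMPLE_MESSAGES = [
    (b"A", b"\x07" + b"x" * 15),
    (b"A", b"\x07" + b"y" * 15),
    (b"a|b", b"c"),
    (b"a", b"b|c"),
]

def encode_collapsing(msg: tuple) -> bytes:
    # Keeps only the first byte of each field: 16-byte nonces collapse onto
    # 256 values, so freshness is lost although the code is well-typed.
    return b"".join(field[:1] for field in msg)

def encode_separator(msg: tuple) -> bytes:
    # Joins fields with a separator that may itself occur inside a field, so
    # distinct tuples can map to the same byte string (boundary ambiguity).
    return b"|".join(msg)

def encode_length_prefixed(msg: tuple) -> bytes:
    # Each field is prefixed with its 4-byte big-endian length: the mapping
    # from tuples to bytes is injective and unambiguously decodable.
    return b"".join(struct.pack(">I", len(f)) + f for f in msg)

def decode_length_prefixed(data: bytes) -> tuple:
    fields, i = [], 0
    while i < len(data):
        if i + 4 > len(data):
            raise ValueError("truncated length prefix")
        n = struct.unpack(">I", data[i:i + 4])[0]
        i += 4
        if i + n > len(data):
            raise ValueError("truncated field")
        fields.append(data[i:i + n])
        i += n
    return tuple(fields)

def is_injective_on(encode, messages) -> bool:
    # Distinct abstract messages must stay distinct after encoding.
    return len({encode(m) for m in messages}) == len(messages)

def round_trips(encode, decode, messages) -> bool:
    # Decoding must invert encoding, so the peer recovers the abstract term.
    return all(decode(encode(m)) == m for m in messages)
```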
Pironti, A., Sisto, R. Safe abstractions of data encodings in formal security protocol models. Form Asp Comp 26, 125–167 (2014). https://doi.org/10.1007/s00165-012-0267-y