Abstract
Verification of software systems, and security protocol analysis in particular, requires frameworks that are expressive, so as to properly capture the relevant aspects of the system and its properties; formal, so as to be provably correct; and equipped with a computational counterpart, so as to support the (semi-)automated certification of properties. Additionally, security protocols present hidden assumptions about the context, subtleties specific to the nature of the problem, and sources of complexity that tend to make verification incomplete. We introduce a verification framework that is expressive enough to capture a few relevant aspects of the problem, such as symmetric and asymmetric cryptography and multi-session analysis, and to make assumptions explicit, e.g., the hypotheses about the initial sharing of secret keys among honest (and malicious) participants. It features a clear separation between the modeling of the protocol's behaviour and the properties it is expected to enforce: the former is expressed in a calculus, the latter in a logic. The framework is grounded on a formal theory that allows us to prove the correctness of the verification carried out within the fully fledged model. It overcomes incompleteness by performing the analysis at a symbolic level of abstraction, which, moreover, translates directly into executable verification tools.
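As an added illustration of why the initial key-sharing hypothesis has to be explicit (this is not the paper's calculus nor the ASPASyA tool's code), the following Dolev-Yao deduction check is run over one constructed session trace under two different hypotheses about which keys the intruder E initially holds; the term constructors, participant names and trace are assumptions.

```python
# Added illustration: Dolev-Yao deduction over symbolic message terms, with the
# intruder's initial knowledge supplied as an explicit hypothesis. Terms are tuples:
# ('n', x) atoms, ('pk', x)/('sk', x) key pairs, ('pair', a, b), ('senc', m, k), ('aenc', m, ('pk', x)).

def atom(x): return ('n', x)
def pk(x): return ('pk', x)
def sk(x): return ('sk', x)
def pair(a, b): return ('pair', a, b)
def senc(m, k): return ('senc', m, k)
def aenc(m, k): return ('aenc', m, k)

def analyze(terms):
    """Decomposition closure: split pairs, decrypt whatever the known keys open.
    Keys are assumed atomic, so a key is usable only if it is itself known."""
    known = set(terms)
    while True:
        new = set()
        for t in known:
            if t[0] == 'pair':
                new.update((t[1], t[2]))
            elif t[0] == 'senc' and t[2] in known:
                new.add(t[1])
            elif t[0] == 'aenc' and t[2][0] == 'pk' and sk(t[2][1]) in known:
                new.add(t[1])
        if new <= known:
            return known
        known |= new

def derivable(t, known):
    """Composition: t is derivable if known outright or buildable from derivable parts."""
    if t in known:
        return True
    if t[0] in ('pair', 'senc', 'aenc'):
        return derivable(t[1], known) and derivable(t[2], known)
    return False  # fresh atoms and private keys cannot be invented

def intruder_learns(initial, trace, target):
    """Can an intruder starting from `initial` derive `target` after observing `trace`?"""
    return derivable(target, analyze(set(initial) | set(trace)))

# Constructed one-session trace: A -> B : {Na, A}_pk(B), then B -> A : {Nb}_Kab.
A, B, E = atom('A'), atom('B'), atom('E')           # E is the intruder
NA, NB, KAB = atom('Na'), atom('Nb'), atom('Kab')   # nonces and the A-B shared key
TRACE = [aenc(pair(NA, A), pk(B)), senc(NB, KAB)]
# Hypothesis 1: E holds only public material and its own key pair.
HONEST_ONLY = {A, B, E, pk(A), pk(B), pk(E), sk(E)}
# Hypothesis 2: Kab was also distributed to E (a different initial-sharing assumption).
KAB_SHARED_WITH_E = HONEST_ONLY | {KAB}
```

Under hypothesis 1 the nonce Nb stays secret, under hypothesis 2 it does not; the only difference between the two runs is the stated assumption about initial key sharing.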
Cite this article
Bracciali, A., Ferrari, G. & Tuosto, E. A symbolic framework for multi-faceted security protocol analysis. Int. J. Inf. Secur. 7, 55–84 (2008). https://doi.org/10.1007/s10207-007-0043-9