A symbolic framework for multi-faceted security protocol analysis

  • Special Issue Papers
  • International Journal of Information Security

Abstract

Verification of software systems, and security protocol analysis as a particular case, requires frameworks that are expressive, so as to properly capture the relevant aspects of the system and its properties; formal, so as to be provably correct; and equipped with a computational counterpart, so as to support the (semi-)automated certification of properties. Additionally, security protocols present hidden assumptions about the context, specific subtleties due to the nature of the problem, and sources of complexity that tend to make verification incomplete. We introduce a verification framework that is expressive enough to capture a few relevant aspects of the problem, such as symmetric and asymmetric cryptography and multi-session analysis, and to make assumptions explicit, e.g., the hypotheses about the initial sharing of secret keys among honest (and malicious) participants. It features a clear separation between the modeling of the protocol behaviour and the properties it is expected to enforce: the former is expressed in terms of a calculus, the latter in terms of a logic. The framework is grounded on a formal theory that allows us to prove the correctness of the verification carried out within the fully fledged model. It overcomes incompleteness by performing the analysis at a symbolic level of abstraction, which, moreover, translates directly into executable verification tools.


References

  1. Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: POPL '01: Proceedings of the 28th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, ACM SIGPLAN Notices. ACM Press (2001)

  2. Abadi, M., Gordon, A.: A calculus for cryptographic protocols: the Spi calculus. Inform. Comput. 148(1), 1–70 (1999)

  3. Amadio, R., Lugiez, D.: On the reachability problem in cryptographic protocols. In: Palamidessi, C. (ed.) International Conference on Concurrency Theory. Lecture Notes in Computer Science, vol. 1877, pp. 380–394. Springer, Heidelberg (2000)

  4. Amadio, R., Lugiez, D., Vanackère, V.: On the symbolic reduction of processes with cryptographic functions. Theor. Comput. Sci. 290(1), 695–740 (2003)

  5. Amadio, R., Prasad, S.: The game of the name in cryptographic tables. In: Thiagarajan, P.S., Yap, R. (eds.) Advances in Computing Science, ASIAN'99. Lecture Notes in Computer Science, vol. 1742, pp. 15–26. Springer, Heidelberg (1999)

  6. Asokan, N.: Fairness in electronic commerce. PhD thesis, University of Waterloo (1998)

  7. Baldi, G.: Security protocols verification by means of symbolic model checking. MSc thesis, University of Pisa. Available at [8]

  8. Baldi, G., Bracciali, A., Ferrari, G., Tuosto, E.: ASPASyA: Automated tool for security protocols analysis based on a symbolic approach. http://www.cs.le.ac.uk/people/et52/aspasya/aspasya.html

  9. Baldi, G., Bracciali, A., Ferrari, G., Tuosto, E.: A coordination-based methodology for security protocol verification. In: Busi, N., Gorrieri, R., Martinelli, F. (eds.) International Workshop on Security Issues with Petri Nets and other Computational Models. Electronic Notes in Theoretical Computer Science, vol. 121, pp. 23–46. Elsevier, Amsterdam (2005)

  10. Basin, D., Mödersheim, S., Viganò, L.: Constraint differentiation: a new reduction technique for constraint-based analysis of security protocols. In: CCS '03: Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 335–344. ACM Press (2003)

  11. Bodei, C., Buchholtz, M., Degano, P., Nielson, F., Riis Nielson, H.: Control flow analysis can find new flaws too. In: Workshop on Issues on the Theory of Security (WITS'04). Electronic Notes in Theoretical Computer Science. Elsevier, Amsterdam (2004)

  12. Bodei, C., Degano, P., Nielson, F., Nielson, H.: Static analysis for the π-calculus with applications to security. Inform. Comput. 168, 68–92 (2001)

  13. Boreale, M.: Symbolic trace analysis of cryptographic protocols. In: Orejas, F., Spirakis, P., van Leeuwen, J. (eds.) Colloquium on Automata, Languages and Programming. Lecture Notes in Computer Science, vol. 2076. Springer, Heidelberg (2001)

  14. Boreale, M., Buscemi, M.: A framework for the analysis of security protocols. In: Brim, L., Jančar, P., Křetinský, M., Kučera, A. (eds.) International Conference on Concurrency Theory. Lecture Notes in Computer Science, vol. 2421, pp. 483–498. Springer, Heidelberg (2002)

  15. Boreale, M., Buscemi, M.: A method for symbolic analysis of security protocols. Theor. Comput. Sci. 338(1–3), 393–425 (2005)

  16. Boreale, M., De Nicola, R.: A symbolic semantics for the π-calculus. Inform. Comput. 126(1), 34–52 (1996)

  17. Borgström, J., Briais, S., Nestmann, U.: Symbolic bisimulation in the Spi calculus. In: Gardner, P., Yoshida, N. (eds.) International Conference on Concurrency Theory. Lecture Notes in Computer Science, vol. 3170, pp. 161–176. Springer, Heidelberg (2004)

  18. Bracciali, A.: Behavioural patterns and software composition. PhD thesis, Dipartimento di Informatica, Università di Pisa (2003)

  19. Bracciali, A., Brogi, A., Ferrari, G., Tuosto, E.: Security and dynamic compositions of open systems. In: Arabnia, H. (ed.) Conference on Parallel and Distributed Processing Techniques and Applications, vol. 3, pp. 1372–1377. CSREA Press (2002)

  20. Burrows, M., Abadi, M., Needham, R.: A logic of authentication. ACM Trans. Comput. Syst. 8(1), 18–36 (1990)

  21. Chevalier, Y., Küsters, R., Rusinowitch, M., Turuani, M.: Deciding the security of protocols with Diffie-Hellman exponentiation and products in exponents. Lecture Notes in Computer Science, vol. 2914, pp. 124–135. Springer, Heidelberg (2003)

  22. Chevalier, Y., Küsters, R., Rusinowitch, M., Turuani, M.: An NP decision procedure for protocol insecurity with XOR. In: Annual Symposium on Logic in Computer Science, pp. 261–270. IEEE Computer Society (2003)

  23. Clark, J., Jacob, J.: A survey of authentication protocols 1.0. Technical report, University of York (1997)

  24. Clarke, E., Grumberg, O., Long, D.: Model checking and abstraction. ACM Trans. Program. Lang. Syst. 16(5), 1512–1542 (1994)

  25. Clarke, E., Jha, S., Marrero, W.: Using state space exploration and a natural deduction style message derivation engine to verify security protocols. In: IFIP Working Conference on Programming Concepts and Methods (PROCOMET) (1998)

  26. Comon, H., Cortier, V., Mitchell, J.: Tree automata with one memory, set constraints, and ping-pong protocols. In: Orejas, F., Spirakis, P., van Leeuwen, J. (eds.) Colloquium on Automata, Languages and Programming. Lecture Notes in Computer Science, vol. 2076, pp. 682–693. Springer, Heidelberg (2001)

  27. Crazzolara, F.: Language, semantics, and methods for security protocols. PhD thesis, BRICS (2003)

  28. Crazzolara, F., Winskel, G.: Events in security protocols. In: Proceedings of the 8th ACM Conference on Computer and Communications Security, pp. 96–105. ACM Press (2001)

  29. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inform. Theory 29(2), 198–208 (1983)

  30. Durgin, N., Lincoln, P., Mitchell, J., Scedrov, A.: Undecidability of bounded security protocols. In: Heintze, N., Clarke, E. (eds.) Workshop on Formal Methods and Security Protocols, part of the Federated Logic Conference (1999)

  31. Fabrega, J., Herzog, J., Guttman, J.: Strand spaces: why is a security protocol correct? In: 19th IEEE Computer Society Symposium on Research in Security and Privacy (1998)

  32. Fabrega, J., Herzog, J., Guttman, J.: Strand spaces: proving security protocols correct. J. Comput. Secur. 7(2–3), 181–230 (1999)

  33. Focardi, R., Gorrieri, R.: A classification of security properties. J. Comput. Secur. 3(1) (1995)

  34. Focardi, R., Gorrieri, R.: The Compositional Security Checker: a tool for the verification of information flow security properties. IEEE Comput. Soc. 23(9), 550–571 (1997)

  35. Freier, A., Karlton, P., Kocher, P.: The SSL protocol version 3.0 (1996). http://home.netscape.com/eng/ssl3

  36. Gordon, A.D., Jeffrey, A.: Authenticity by typing for security protocols. J. Comput. Secur. 11(4), 451–519 (2004)

  37. Hennessy, M., Lin, H.: Symbolic bisimulations. Theor. Comput. Sci. 138(2), 353–389 (1995)

  38. Huima, A.: Efficient finite-state analysis of security protocols. In: Formal Methods and Security Protocols, FLOC Workshop. INRIA (1999)

  39. Kehne, A., Schönwälder, J., Langendörfer, H.: Multiple authentications with a nonce-based protocol using generalized timestamps. In: Proc. ICCC '92 (1992)

  40. Kohl, J., Neuman, B.: The Kerberos network authentication service (version 5). Internet Request for Comments, RFC 1510 (1993)

  41. Kremer, S., Markowitch, O., Zhou, J.: An intensive survey of non-repudiation protocols. Comput. Commun. 25(17), 1606–1621 (2002)

  42. Lowe, G.: Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In: Tools and Algorithms for the Construction and Analysis of Systems. Lecture Notes in Computer Science, vol. 1055, pp. 147–166. Springer, Heidelberg (1996)

  43. Lowe, G.: Some new attacks upon security protocols. In: Proceedings of the 9th IEEE Computer Security Foundations Workshop. IEEE Computer Society (1996)

  44. Lowe, G.: A hierarchy of authentication specifications. In: Computer Security Foundations Workshop. IEEE Computer Society (1997)

  45. Martinelli, F.: Analysis of security protocols as open systems. Theor. Comput. Sci. 209(1), 1057–1106 (2003)

  46. Menezes, A., van Oorschot, P., Vanstone, S.: Handbook of Applied Cryptography. CRC Press (1997)

  47. Millen, J.K.: A necessarily parallel attack. In: Heintze, N., Clarke, E. (eds.) Workshop on Formal Methods and Security Protocols, part of the Federated Logic Conference (1999)

  48. Millen, J.K.: On the freedom of decryption. Inform. Process. Lett. 86, 329–333 (2003)

  49. Millen, J.K., Shmatikov, V.: Constraint solving for bounded-process cryptographic protocol analysis. In: ACM Conference on Computer and Communications Security, pp. 166–175 (2001)

  50. Mitchell, J., Mitchell, M., Stern, U.: Automated analysis of cryptographic protocols using Murϕ. In: Computer Security Foundations Workshop, pp. 141–151. IEEE Computer Society (1997)

  51. Mitchell, J., Shmatikov, V., Stern, U.: Finite-state analysis of SSL 3.0. In: Proceedings of the 7th USENIX Security Symposium (SECURITY-98), pp. 201–216. USENIX Association (1998)

  52. Needham, R., Schroeder, M.: Using encryption for authentication in large networks of computers. Commun. ACM 21(12), 993–999 (1978)

  53. Paulson, L.: Proving properties of security protocols by induction. In: Computer Security Foundations Workshop. IEEE Computer Society (1997)

  54. Paulson, L.: The inductive approach to verifying cryptographic protocols. Technical Report no. 443, University of Cambridge, Computer Laboratory (1998)

  55. Shmatikov, V.: Decidable analysis of cryptographic protocols with products and modular exponentiation. Lecture Notes in Computer Science, vol. 2986, pp. 355–369. Springer, Heidelberg (2004)

  56. Shmatikov, V., Mitchell, J.: Analysis of a fair exchange protocol. In: Symposium on Network and Distributed Systems Security (NDSS 2000), pp. 119–128. Internet Society (2000)

  57. Shmatikov, V., Mitchell, J.: Finite-state analysis of two contract signing protocols. Theor. Comput. Sci., special issue on Theoretical Foundations of Security Analysis and Design, 283(2), 419–450 (2002)

  58. Song, D., Berezin, S., Perrig, A.: Athena, a novel approach to efficient automatic security protocol analysis. Comput. Secur. 9(1–2), 47–74 (2001)

  59. Stinson, D.: Cryptography: Theory and Practice. CRC Press (1995)

  60. Thayer, J., Herzog, J., Guttman, J.: Honest ideals on strand spaces. In: Computer Security Foundations Workshop. IEEE Computer Society (1998)

  61. Tuosto, E.: Non-functional aspects of wide area network programming. PhD thesis, Dipartimento di Informatica, Università di Pisa (2003)

  62. Vanackère, V.: The TRUST protocol analyser: automatic and efficient verification of cryptographic protocols. In: VERIFY02 (2002)

  63. Woo, T., Lam, S.: A semantic model for authentication protocols. In: IEEE Computer Society Symposium on Research in Security and Privacy (1993)

  64. Zhou, J.: Non-repudiation. PhD thesis, University of London (1996)

  65. Zunino, R., Degano, P.: Weakening the perfect encryption assumption in Dolev-Yao adversaries. Theor. Comput. Sci. 340(1), 154–178 (2005)


Author information

Correspondence to Andrea Bracciali.

About this article

Cite this article

Bracciali, A., Ferrari, G. & Tuosto, E. A symbolic framework for multi-faceted security protocol analysis. Int. J. Inf. Secur. 7, 55–84 (2008). https://doi.org/10.1007/s10207-007-0043-9
