
Model Checking in Security Protocol Analysis

Chapter in the book Secure Transaction Protocol Analysis

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 5111))


Abstract

Theorem proving and model checking are the two main approaches used for the formal analysis of security protocols. As described in Chapter 1, theorem proving has focused on the verification of authentication and cryptographic protocols. Although Heintze [68] was the first to use model checking to analyse electronic transaction protocols, model checking of such protocols remains underdeveloped because of the increasing complexity and the varied application types of these protocols.

Model checking is a technique for verifying finite-state concurrent systems such as hardware designs and communication protocols. The specification of a system is expressed as temporal logic formulae, and efficient symbolic algorithms traverse the model defined by the system to decide whether the specification holds. In contrast to traditional approaches based on simulation, testing and deductive reasoning, model checking is automatic and usually fast. Moreover, when a property fails, model checking produces a counterexample that shows the source of the error.

A number of model checking methods have been developed for the analysis of e-commerce protocols. Ray [75] shows how model checking can be used to obtain assurance that properties such as money atomicity and validated receipt hold in an e-commerce protocol; the model checker can also be used to evaluate which failures cause the violation of one or more of these properties. In [157], algorithms and rules are developed to translate visually modelled e-commerce protocols into formal models that are then verified using an extended UML formalism; this approach is applied to the design of the e-commerce protocol NetBill. An extended fair-exchange standard is described in [12], which includes atomicity assurance and uses model checking to verify the correctness of implementations of e-commerce protocols. A main challenge in model checking is the state explosion problem. To alleviate it, a parallel model checker [78] is proposed to analyse a security protocol developed to facilitate secure and fair exchange. In particular, FDR-based model checking is used to analyse the SET protocol and to check whether five essential correctness properties are satisfied [100].

In contrast to security protocols that involve only secrecy and authentication, the correctness conditions for electronic transaction protocols contain more components. These conditions present interesting challenges for traditional theorem proving. Furthermore, the number of principals and data items is unforeseen. To address these problems, we have recently developed a verification model based on ENDL [28].

The model is usually faster than theorem proving, and it is extensible because the fundamental security mechanisms of different security protocols remain unchanged. For brevity, some abstractions are employed, such as omitting the low-level details of the underlying cryptographic mechanisms. This lets us focus on verifying the security properties we expect to hold. Several examples are validated using this model. These observations show that the verification model is a useful complement to traditional theorem proving in verifying security protocols.
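To make the description of model checking concrete, the following is an added example (it is not code from the chapter or its ENDL model): an explicit-state exploration of a constructed toy payment exchange between customer, bank and merchant that checks the money-atomicity property mentioned above and, when the property fails, returns the counterexample trace. The state layout, transition labels and the "lost credit message" fault are assumptions made for the illustration.

```python
from collections import deque

# Constructed toy state space for a customer/bank/merchant payment exchange.
# A state is (customer_debited, merchant_credited, goods_shipped, finished).
INITIAL = (False, False, False, False)

def transitions(state, lossy):
    """Enumerate (label, successor) pairs; `lossy` adds a dropped credit message."""
    debited, credited, shipped, finished = state
    succ = []
    if finished:
        return succ
    if not debited:
        succ.append(("customer pays bank", (True, credited, shipped, False)))
    elif not credited:
        succ.append(("bank credits merchant", (True, True, shipped, False)))
        if lossy:  # assumed failure: the credit message is lost and the bank aborts
            succ.append(("credit message lost, bank aborts", (True, False, shipped, True)))
    elif not shipped:
        succ.append(("merchant ships goods", (True, True, True, False)))
    else:
        succ.append(("protocol completes", (True, True, True, True)))
    return succ

def money_atomic(state):
    """Money atomicity: once the run has finished, money was neither lost nor created."""
    debited, credited, _, finished = state
    return (not finished) or (debited == credited)

def check(prop, lossy=False):
    """Breadth-first exploration of reachable states. Returns None when `prop`
    holds in every reachable state, otherwise the shortest counterexample trace."""
    parent = {INITIAL: None}            # state -> (label, predecessor)
    queue = deque([INITIAL])
    while queue:
        state = queue.popleft()
        if not prop(state):
            trace = []
            while parent[state] is not None:   # walk back to the initial state
                label, state = parent[state]
                trace.append(label)
            return trace[::-1]
        for label, nxt in transitions(state, lossy):
            if nxt not in parent:
                parent[nxt] = (label, state)
                queue.append(nxt)
    return None
```

Calling `check(money_atomic)` on the fault-free model returns None, while `check(money_atomic, lossy=True)` returns the two-step trace in which the customer is debited but the merchant is never credited.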

Section 4.1 outlines the current model checking approaches. Section 4.2 describes the components and design of the verification model, and several instances are then validated using this model. Section 4.3 compares the verification model with theorem proving. Section 4.4 discusses other model checkers that can be used to analyse security protocols, and Section 4.5 summarises the chapter.



Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Chen, Q., Zhang, C., Zhang, S. (2008). Model Checking in Security Protocol Analysis. In: Secure Transaction Protocol Analysis. Lecture Notes in Computer Science, vol 5111. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85074-8_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-85074-8_4

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-85073-1

  • Online ISBN: 978-3-540-85074-8

  • eBook Packages: Computer Science (R0)
