Abstract
Formal protocol analysis tools provide objective evidence that a protocol under standardization meets security goals, as well as counterexamples (“attacks”) to goals it does not meet. Different tools are, however, based on different execution semantics and adversary models. If different tools are applied to alternative protocols under standardization, can formal evidence offer a yardstick for comparing the results?
We propose a family of languages within first order predicate logic to formalize protocol safety goals (rather than indistinguishability). Although they were originally designed for the strand space formalism that supports the tool cpsa, we show how to translate them to goals for the applied \(\pi \) calculus that supports the tool ProVerif. We give a criterion for protocols expressed in the two formalisms to correspond, and prove that if a protocol in the strand space formalism satisfies a goal, then a corresponding applied \(\pi \) process satisfies the translation of that goal. We show that the converse also holds for a class of goal formulas, and conjecture a broader equivalence. We also describe a compiler that, from any protocol in the strand space formalism, constructs a corresponding applied \(\pi \) process and the relevant goal translation.
References
Abadi, M., Fournet, C.: Mobile values, new names, and secure communication. In: 28th ACM Symposium on Principles of Programming Languages (POPL 2001), pp. 104–115, January 2001
Almousa, O., Mödersheim, S., Viganò, L.: Alice and Bob: reconciling formal models and implementation. In: Bodei, C., Ferrari, G.-L., Priami, C. (eds.) Programming Languages with Applications to Biology and Security. LNCS, vol. 9465, pp. 66–85. Springer, Heidelberg (2015). doi:10.1007/978-3-319-25527-9_7
Armando, A., et al.: The AVISPA tool for the automated validation of internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005). doi:10.1007/11513988_27
Armando, A., et al.: The AVANTSSAR platform for the automated validation of trust and security of service-oriented architectures. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 267–282. Springer, Heidelberg (2012). doi:10.1007/978-3-642-28756-5_19
Basin, D.A., Cremers, C.J.F., Miyazaki, K., Radomirovic, S., Watanabe, D.: Improving the security of cryptographic protocol standards. IEEE Secur. Priv. 13(3), 24–31 (2015)
Bistarelli, S., Cervesato, I., Lenzini, G., Martinelli, F.: Relating multiset rewriting and process algebras for security protocol analysis. J. Comput. Secur. 13(1), 3–47 (2005)
Blanchet, B.: An efficient protocol verifier based on Prolog rules. In: 14th Computer Security Foundations Workshop, pp. 82–96. IEEE CS Press, June 2001
Blanchet, B.: Vérification automatique de protocoles cryptographiques: modèle formel et modèle calculatoire. Automatic verification of security protocols: formal model and computational model. Mémoire d’habilitation à diriger des recherches, Université Paris-Dauphine, November 2008
Blanchet, B., Smyth, B., Cheval, V.: ProVerif 1.93: Automatic Cryptographic Protocol Verifier. User Manual and Tutorial (2016)
Burrows, M., Abadi, M., Needham, R.: A logic of authentication. Proc. R. Soc. Ser. A 426(1871), 233–271 (1989)
Cervesato, I., Durgin, N.A., Lincoln, P.: A comparison between strand spaces and multiset rewriting for security protocol analysis. J. Comput. Secur. 13(2), 265–316 (2005)
Comon, H., Cortier, V.: Security properties: two agents are sufficient. Sci. Comput. Program. 50(1–3), 51–71 (2004)
Cortier, V., Dallon, A., Delaune, S.: Bounding the number of agents, for equivalence too. In: Piessens, F., Viganò, L. (eds.) POST 2016. LNCS, vol. 9635, pp. 211–232. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49635-0_11
Cortier, V., Kremer, S. (eds.): Formal Models and Techniques for Analyzing Security Protocols. Cryptology and Information Security Series. IOS Press (2011)
Crazzolara, F., Winskel, G.: Events in security protocols. In: Proceedings of the 8th ACM Conference on Computer and Communications Security, CCS 2001, 6–8 November 2001, Philadelphia, Pennsylvania, USA, pp. 96–105 (2001)
Cremers, C., Mauw, S.: Operational Semantics and Verification of Security Protocols. Springer, Heidelberg (2012)
Cremers, C.: Key exchange in IPsec revisited: formal analysis of IKEv1 and IKEv2. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 315–334. Springer, Heidelberg (2011). doi:10.1007/978-3-642-23822-2_18
Datta, A., Derek, A., Mitchell, J.C., Roy, A.: Protocol composition logic (PCL). Electron. Notes Theoret. Comput. Sci. 172, 311–358 (2007)
Goguen, J.A., Meseguer, J.: Order-sorted algebra I: equational deduction for multiple inheritance, overloading, exceptions and partial operations. Theoret. Comput. Sci. 105(2), 217–273 (1992)
Gordon, A.D., Jeffrey, A.: Types and effects for asymmetric cryptographic protocols. J. Comput. Secur. 12(3–4), 435–484 (2004)
Groote, J.F., Mousavi, M.R.: Modeling and Analysis of Communicating Systems. MIT Press, Cambridge (2014)
Guttman, J.D.: Establishing and preserving protocol security goals. J. Comput. Secur. 22(2), 201–267 (2014)
ISO/IEC 29128: Information technology – Security techniques – Verification of cryptographic protocols (2011)
Kremer, S., Künnemann, R.: Automated analysis of security protocols with global state. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, 18–21 May 2014, Berkeley, CA, USA, pp. 163–178 (2014)
Lynch, C., Meadows, C.A.: On the relative soundness of the free algebra model for public key encryption. Electron. Notes Theoret. Comput. Sci. 125(1), 43–54 (2005)
Matsuo, S., Miyazaki, K., Otsuka, A., Basin, D.: How to evaluate the security of real-life cryptographic protocols? In: Sion, R., Curtmola, R., Dietrich, S., Kiayias, A., Miret, J.M., Sako, K., Sebé, F. (eds.) FC 2010. LNCS, vol. 6054, pp. 182–194. Springer, Heidelberg (2010). doi:10.1007/978-3-642-14992-4_16
Meadows, C.: The NRL protocol analyzer: an overview. J. Logic Program. 26(2), 113–131 (1996)
Meadows, C.: Analysis of the internet key exchange protocol using the NRL protocol analyzer. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy. IEEE CS Press, May 1999
Meier, S., Schmidt, B., Cremers, C., Basin, D.: The TAMARIN prover for the symbolic analysis of security protocols. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 696–701. Springer, Heidelberg (2013). doi:10.1007/978-3-642-39799-8_48
Millen, J.K.: On the freedom of encryption. Inf. Process. Lett. 86(6), 329–333 (2003)
Miller, D.: Encryption as an abstract data type. Electron. Notes Theoret. Comput. Sci. 84, 18–29 (2003)
Ramsdell, J.D., Guttman, J.D.: CPSA: a cryptographic protocol shapes analyzer (2009). http://hackage.haskell.org/package/cpsa
Rowe, P.D., Guttman, J.D., Liskov, M.D.: Measuring protocol strength with security goals. Int. J. Inf. Secur. (accepted, forthcoming)
Woo, T.Y.C., Lam, S.S.: A lesson on authentication protocol design. Oper. Syst. Rev. 28, 24–37 (1994)
Acknowledgments
We are grateful to Kelley Burgin, Dan Dougherty, and Moses Liskov. We also benefited from the comments of the anonymous referees.
A Compilation
In this section we describe our translation of a strand space role into a labeled applied \(\pi \)-calculus process term.
At a high level, the translation takes a transmission event \(+m\) to \(\mathsf {out}({ tid },m)\), and it takes a reception event \(-m\) to \(\mathsf {in}({ tid },z).P\) where P is a sequence of \(\mathsf {let}\) bindings that attempt to parse the received term according to the structure of the expected term. The complexity of the latter translation is due to the use of pattern matching for receptions in strand spaces that is absent in processes. If we are to preserve the semantics of the goal language under this translation to the process calculus, we must ensure that receptions based on pattern matching succeed on a given message m if and only if the corresponding sequence of \(\mathsf {let}\) bindings succeeds on the same message. This requires some care.
One issue is that there may be several sequences that can be used to verify the structure of a message. Since the parsing process binds some values and requires others already to be bound, some sequences are sensible with respect to some initial input and others are not.
We start with a strand space trace (a sequence of events) constructed from message terms derived from the order-sorted signature in Fig. 9. We compute the relation between a strand space trace and a process calculus term in two steps.
1. Perform a flow analysis to find a set of input basic values (see Fig. 10).
2. Translate the trace into a process calculus expression relative to a given set of inputs (see Fig. 13).
The algorithm has been simplified by ignoring role unique origination assumptions, but their processing is sketched near the end of this section. Most of the algorithm described here has been implemented in Prolog. The Prolog implementation operates on a many-sorted algebra isomorphic to the order-sorted algebra as described in [19, Sect. 4]. We leave that translation implicit in this document.
The signature in Fig. 9 is a simplification of the one used by cpsa. The Simple Example Protocol initiator role using this signature is:
A.1 Flow Analysis
The aim of the flow analysis \(C\rhd I\) (see Fig. 11) is to find a set of basic values that allow a procedural interpretation of a trace, in particular, a procedural interpretation of the implied pattern matching that is part of a strand space reception event.
There are two ways to interpret the reception of a pair, either the left part is matched first or the right part. A decryption key might or might not become available based on this choice.
There are two ways to interpret the reception of an encryption. If its decryption key is known at the point of the match, the contents of the encryption can be extracted. Alternatively, if the encryption has been seen previously or can be constructed, then an equality check implements the match.
Figure 12 explores the various possibilities. The flow analysis for the initiator trace is:
where \(b,a:\mathsf {N}\), \(s:\mathsf {S}\), and \(d:\mathsf {D}\). Notice the second solution makes little sense. It assumes that the initiator’s initial knowledge includes d, the data it is seeking from a responder. We rely on human intervention to choose sensible sets of input terms.
A.2 Code Generation
Code generation has the form \(C,E_1,N,\ell \gg P,E_2\), where C is a strand space trace, \(E_1\) and \(E_2\) are maps from strand space terms to process calculus terms, and we are translating the \(\ell ^{{ th }}\) send or receive in the trace of the \(N^{{ th }}\) role of the protocol.
An analysis begins with an environment \(E_0\) mapping each input term computed by the flow analysis to itself. To compute the process calculus term P for a given strand space trace C and role number N, find P such that \(C,E_0,N,1\gg P,E_2\) (See Figs. 13, 14, 15 and 16).
To handle role unique origination assumptions, the send code generator in Fig. 14 must prefix the code with a \({\mathsf {new}}\) form for each name that uniquely originates in the transmitted message.
A.3 Translation Relation
The relation \({ comp }(N, C, P)\) relates a role number and the role’s strand space trace with a process calculus term if
1. \(C\rhd I\),
2. \(E_0\) is an environment generated from I, and
3. \(C,E_0,N,1\gg P, E_2\).
Note that a translation is interesting only if I induces a sensible interpretation of C.
Blanchet Initiator Example. Assume the initiator is the second role in the protocol. The initiator trace C is defined in Eq. 3. The initial environment generated from the first input set in Eq. 4 is:
where \(b,a:\mathsf {N}\) and \(s:\mathsf {S}\).
The process term P that satisfies \(C,E_0,2,1\gg P, E_2\), is:
Blanchet Responder Example. Assume the responder is the first role in the protocol. The responder trace is the one in Eq. 3 after interchanging sends and receives. A sensible set of input basic values is \(\{d, { pk }(a), { pk }(b)^{-1}\}\). After inserting the \({\mathsf {new}}\) form by hand, the process term is:
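As an added illustration (not code from the paper or its Prolog implementation), the following Python sketch performs the code-generation step of A.2 relative to a chosen input set, covering the two reception cases of A.1 (decrypt when the inverse key is held, otherwise rebuild and compare) and matching pairs left component first. The term grammar, the treatment of keys such as pk(a)^-1 as input basic values, and the trace are constructed assumptions in the style of the Blanchet examples above.

```python
import itertools
# Term grammar (an assumption simplifying the paper's order-sorted signature): a str is a
# basic value (name, symmetric key, data, or a key "pk(a)" / "pk(a)^-1", keys being treated
# as inputs); ("pair", l, r) is concatenation; ("enc", m, k) encrypts m under the key k.
def inverse(k):  # decryption key for an encryption under k; symmetric keys are self-inverse
    return k[:-3] if k.endswith("^-1") else k + "^-1" if k.startswith("pk(") else k
def basics(t):  # basic values occurring in t; t is constructible iff they are all held
    return {t} if isinstance(t, str) else basics(t[1]) | basics(t[2])
def show(t):  # term in applied pi syntax
    if isinstance(t, str):
        return t
    return ("(%s, %s)" if t[0] == "pair" else "enc(%s, %s)") % (show(t[1]), show(t[2]))

def parse(var, t, known, out, fresh):  # emit let/if lines matching variable var against t
    if isinstance(t, str) and t in known:            # already bound: equality check
        out.append("if %s = %s then" % (var, t))
    elif isinstance(t, str):                         # first occurrence: bind it
        known.add(t)
        out.append("let %s = %s in" % (t, var))
    elif t[0] == "pair":                             # left component is matched first
        l, r = fresh(), fresh()
        out.append("let (%s, %s) = %s in" % (l, r, var))
        parse(l, t[1], known, out, fresh)
        parse(r, t[2], known, out, fresh)
    elif inverse(t[2]) in known:                     # decryption key held: open it
        z = fresh()
        out.append("let %s = dec(%s, %s) in" % (z, var, inverse(t[2])))
        parse(z, t[1], known, out, fresh)
    elif basics(t) <= known:                         # no key, but rebuildable: compare
        out.append("if %s = %s then" % (var, show(t)))
    else:
        raise ValueError("no procedural match for %s given %s" % (show(t), sorted(known)))

def translate(trace, inputs, tid="tid"):  # ('send', m) / ('recv', m) events -> process lines
    known, out, c = set(inputs), [], itertools.count(1)
    fresh = lambda: "z%d" % next(c)
    for kind, m in trace:
        if kind == "send" and not basics(m) <= known:
            raise ValueError("cannot build %s given %s" % (show(m), sorted(known)))
        if kind == "send":
            out.append("out(%s, %s);" % (tid, show(m)))
        else:
            z = fresh()
            out.append("in(%s, %s);" % (tid, z))
            parse(z, m, known, out, fresh)
    return out

# Constructed initiator trace in the style of the paper's Blanchet example: send a session
# key s signed by a and encrypted for b, then receive data d under s.
INITIATOR = [("send", ("enc", ("enc", "s", "pk(a)^-1"), "pk(b)")), ("recv", ("enc", "d", "s"))]
```

Swapping sends and receives gives the responder trace; with the input set {d, pk(a), pk(b)^-1} the translation succeeds, while dropping pk(b)^-1 raises a ValueError because the outer encryption can neither be opened nor rebuilt, which is the sense in which an input set is or is not "sensible".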
Copyright information
© 2016 Springer International Publishing AG
Cite this paper
Guttman, J.D., Ramsdell, J.D., Rowe, P.D. (2016). Cross-Tool Semantics for Protocol Security Goals. In: Chen, L., McGrew, D., Mitchell, C. (eds) Security Standardisation Research. SSR 2016. Lecture Notes in Computer Science(), vol 10074. Springer, Cham. https://doi.org/10.1007/978-3-319-49100-4_2
DOI: https://doi.org/10.1007/978-3-319-49100-4_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49099-1
Online ISBN: 978-3-319-49100-4