Verifying Security Protocols: An Application of CSP

  • Steve Schneider
  • Rob Delicata
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3525)

Abstract

The field of protocol analysis is one area in which CSP has proven particularly successful, and several techniques have been proposed that use CSP to reason about security properties such as confidentiality and authentication. In this paper we describe one such approach, based on theorem-proving, that uses the idea of a rank function to establish the correctness of protocols. This description is motivated by the consideration of a simple, but flawed, authentication protocol. We show how a rank function analysis can be used to locate this flaw and prove that a modified version of the protocol is correct.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. [Aba97]
    Abadi, M.: Secrecy by typing in security protocols. In: Ito, T., Abadi, M. (eds.) TACS 1997. LNCS, vol. 1281, pp. 611–638. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  2. [AG98]
    Abadi, M., Gordon, A.D.: A calculus for cryptographic protocols: the spi calculus. Information and Computation (1998); also DEC Research Report 149,(1998)Google Scholar
  3. [BCLM03]
    Bistarelli, S., Cervesato, I., Lenzini, G., Martinelli, F.: Relating process algebras and multiset rewriting for security protocol analysis. In: WITS 2003: Workshop on Issues in the Theory of Security (2003)Google Scholar
  4. [BR99]
    Broadfoot, P.J., Roscoe, A.W.: Proving security protocols with model checkers by data independence techniques. Journal of Computer Security 7(2/3) (1999)Google Scholar
  5. [BR02]
    Broadfoot, P.J., Roscoe, A.W.: Capturing parallel attacks within the data independence framework. In: Proceedings of the 15th Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos (2002)Google Scholar
  6. [BS97]
    Bryans, J.W., Schneider, S.A.: CSP, PVS, and a recursive authentication protocol. In: DIMACS Workshop on Design and Formal Verification of Crypto Protocols (1997)Google Scholar
  7. [CDL+99a]
    Cervesato, I., Durgin, N.A., Lincoln, P., Mitchell, J.C., Scedrov, A.: A meta-notation for protocol analysis. In: Proceedings of the 12th Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos (1999)Google Scholar
  8. [CDL+99b]
    Cervesato, I., Durgin, N.A., Lincoln, P.D., Mitchell, J.C., Scedrov, A.: A meta-notation for protocol analysis. In: 12th IEEE Computer Security Foundations Workshop (1999)Google Scholar
  9. [CDM+00]
    Cervesato, I., Durgin, N., Mitchell, J.C., Lincoln, P., Scedrov, A.: Relating strands and multiset rewriting for security protocol analysis. In: Proceedings of The 13th Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos (2000)Google Scholar
  10. [DFG00]
    Durante, A., Focardi, R., Gorrieri, a.R.: A compiler for analyzing cryptographic protocols using non-interference. ACM Transactions on Software Engineering and Methodology 9(4) (2000)Google Scholar
  11. [DS97]
    Dutertre, B., Schneider, S.A.: Embedding CSP in PVS: an application to authentication protocols. In: Gunter, E.L., Felty, A.P. (eds.) TPHOLs 1997. LNCS, vol. 1275. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  12. [DS04]
    Delicata, R., Schneider, S.A.: Towards the rank function verification of protocols with temporary secrets. In: WITS 2004: Workshop on Issues in the Theory of Security (2004)Google Scholar
  13. [DY83]
    Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2) (1983)Google Scholar
  14. [ES00]
    Evans, N., Schneider, S.A.: Analysing time dependent security properties in CSP using PVS. In: Cuppens, F., Deswarte, Y., Gollmann, D., Waidner, M. (eds.) ESORICS 2000. LNCS, vol. 1895, pp. 222–237. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  15. [ES04]
    Evans, N., Schneider, S.A.: Verifying security protocols with PVS: Widening the rank function approach. In: Journal of Logic and Algebraic Programming (in press)Google Scholar
  16. [Eva03]
    Evans, N.: Investigating Security Through proof. PhD thesis, Royal Holloway, University of London (2003)Google Scholar
  17. [FG97]
    Focardi, R., Gorrieri, a.R.: The compositional security checker: A tool for the verification of information flow security properties. IEEE Transactions on Software Engineering 23(9) (1997)Google Scholar
  18. [For03]
    Formal Systems (Europe) Ltd. FDR2 user manual (2003)Google Scholar
  19. [GJ01]
    Gordon, A.D., Jeffrey, A.: Authenticity by typing for security protocols. In: Proceedings of the 14th Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos (2001)Google Scholar
  20. [GJ04]
    Gordon, A.D., Jeffrey, A.: Types and effects for asymmetric cryptographic protocols. Journal of Computer Security 12(3/4) (2004); Also in Proceedings of the 15th Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos (2002)Google Scholar
  21. [Hea00]
    Heather, J.A.: Oh! Is it really you?—Using rank functions to verify authentication protocols. PhD thesis, Royal Holloway, University of London (2000)Google Scholar
  22. [Hea02]
    Heather, J.A.: Strand spaces and rank functions: More than distant cousins. In: Proceedings of The 15th Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos (2002)Google Scholar
  23. [HL01]
    Hui, M.L., Lowe, G.: Fault-preserving simplifying transformations for security protocols. Journal of Computer Security 9(1/2) (2001)Google Scholar
  24. [Hoa85]
    Hoare, C.A.R.: Communicating Sequential Processes. Prentice-Hall, Englewood Cliffs (1985)MATHGoogle Scholar
  25. [HS00]
    Heather, J.A., Schneider, S.A.: Towards automatic verification of authentication protocols on unbounded networks. In: Proceedings of the 13th Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos (2000)Google Scholar
  26. [HS04]
    Heather, J.A., Schneider, S.A.: A decision procedure for the existence of a rank function. Journal of Computer Security (in press)Google Scholar
  27. [Low95]
    Lowe, G.: An attack on the Needham-Schroeder public-key authentication protocol. Information Processing Letters 56, 131–133 (1995)MATHCrossRefGoogle Scholar
  28. [Low97]
    Lowe, G.: A hierarchy of authentication specifications. In: Proceedings of the 10th Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos (1997)Google Scholar
  29. [Low98]
    Lowe, G.: Casper: A compiler for the analysis of security protocols. Journal of Computer Security 6(1/2) (1998)Google Scholar
  30. [Low99]
    Lowe, G.: Towards a completeness result for model checking of security protocols. Journal of Computer Security 7(2/3) (1999)Google Scholar
  31. [LR96]
    Lowe, G., Roscoe, A.W.: Using CSP to detect errors in the TMN protocol. IEEE Transactions on Software Engineering (1996)Google Scholar
  32. [Mea92]
    Meadows, C.: Applying formal methods to the analysis of a key management protocol. Journal of Computer Security 1(1) (1992)Google Scholar
  33. [Mil95]
    Millen, J.: The interrogator model. In: IEEE Computer Society Symposium on Research in Security and Privacy (1995)Google Scholar
  34. [MVV96]
    Menezes, A.J., Van Oorschott, P.C., Vanstone, S.A.: Handbook of Applied Cryptography. CRC Press, Boca Raton (1996)CrossRefGoogle Scholar
  35. [NS78]
    Needham, R., Schroeder, M.: Using encryption for authentication in large networks of computers. Communications of the ACM 21(12) (1978)Google Scholar
  36. [OSR93]
    Owre, S., Shankar, N., Rushby, J.: The PVS specification language. Technical report, Computer Science Lab, SRI International (1993)Google Scholar
  37. [Pau98]
    Paulson, L.C.: The inductive approach to verifying cryptographic protocols. Journal of Computer Security 6(1/2) (1998)Google Scholar
  38. [Pau02]
    Paulson, L.: Verifying the SET protocol: Overview. In: Abdallah, A.E., Ryan, P.Y.A., Schneider, S. (eds.) FASec 2002. LNCS, vol. 2629, pp. 4–14. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  39. [PQ00]
    Pereira, O., Quisquater, J.-J.: On the perfect encryption assumption. In: WITS 2000: Workshop on Issues in the Theory of Security (2000)Google Scholar
  40. [Ros95]
    Roscoe, A.W.: Modeling and verifying key-exchange protocols using CSP and FDR. In: Proceedings of the 8th Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos (1995)Google Scholar
  41. [Ros97]
    Roscoe, A.W.: The Theory and Practice of Concurrency. Prentice-Hall, Englewood Cliffs (1997)Google Scholar
  42. [RS00]
    Ryan, P.Y.A., Schneider, S.A.: Process algebra and non-interference. Journal of Computer Security 9(1/2) (2000); Also in Proceedings of the 12th Computer Security Foundations Workshop. IEEE Computer Society Press, Los Alamitos (1999)Google Scholar
  43. [RSG+00]
    Ryan, P.Y.A., Schneider, S.A., Goldsmith, M.H., Lowe, G., Roscoe, A.W.: Modelling and Analysis of Security Protocols. Addison-Wesley, Reading (2000)Google Scholar
  44. [SBP01]
    Song, D.X., Berezin, S., Perrig, A.: Athena: A novel approach to efficient automatic security protocol analysis. Journal of Computer Security 9(1/2) (2001)Google Scholar
  45. [Sch98]
    Schneider, S.A.: Verifying authentication protocols in CSP. IEEE Transactions on Software Engineering (1998)Google Scholar
  46. [Sch99]
    Schneider, S.A.: Concurrent and Real-time Systems: the CSP Approach. Addison-Wesley, Reading (1999)Google Scholar
  47. [Sch02]
    Schneider, S.A.: Verifying security protocol implementations. In: FMOODS 2002: Formal Methods for Open Object-based Distributed Systems (2002)Google Scholar
  48. [THG99]
    Thayer Fábrega, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: proving security protocols correct. Journal of Computer Security 7(1) (1999)Google Scholar
  49. [WL93]
    Woo, T., Lam, S.: A semantic model for authentication protocols. In: IEEE Computer Society Symposium on Research in Security and Privacy (1993)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Steve Schneider
    • 1
  • Rob Delicata
    • 1
  1. 1.Department of ComputingUniversity of Surrey 

Personalised recommendations