Strand Spaces: Proving Security Protocols Correct

A strand is a sequence of events; it represents either an execution by a legitimate party in a security protocol or else a sequence of actions by a penetrator. A strand space is a collection of strands, equipped with a graph structure generated by causal interaction. In this framework, protocol correctness claims may be expressed in terms of the connections between strands of different kinds. Preparing for a first example, the Needham-Schroeder-Lowe protocol, we prove a lemma that gives a bound on the abilities of the penetrator in any protocol. Our analysis of the example gives a detailed view of the conditions under which it achieves authentication and protects the secrecy of the values exchanged. We also use our proof methods to explain why the original Needham-Schroeder protocol fails. Before turning to a second example, we introduce ideals as a method to prove additional bounds on the abilities of the penetrator. We can then prove a number of correctness properties of the Otway-Rees protocol, and we clarify its limitations. We believe that our approach is distinguished from other work by the simplicity of the model, the precision of the results it produces, and the ease of developing intelligible and reliable proofs even without automated support.

Appears in Journal of Computer Security, 7 (1999), pages 191–230.