Timed Models for Protocol Security

The notion of time is a prerequisite for describing and verifying the security properties of key management protocols. Without it, properties relating to the expiration of keys and the freshness of messages and nonces cannot be formulated. Recently, Burrows, Abadi and Needham proposed a formal system for protocol verification which includes an ability to reason about time. In essence, their "Logic of Authentication" is a proof theory for reasoning about key management protocols. One difficulty with such a logic lies in justifying the inferences that can be made. We approach this problem by developing an accompanying model theory for protocol security. Model theoretic techniques have been used before in the protocol verification literature, but our approach is different in two respects. First, we consider a model theory which includes a notion of time. Second, much of the previous model theoretic work was aimed at developing protocol verification tools, and so assumptions about specific kinds of protocols and methods for breaking protocols were built into the model, often implicitly. In contrast, our account is more general and centers on a justification of the notion of model itself. The main results of this work include:

* a model theoretic definition of protocol security that is provably equivalent to a variety of alternative definitions;
* a demonstration that some questions about protocol security properties are undecidable; and
* a schema for demonstrating the validity of many protocols by the use of model checking.
