The principle of guarantee availability for security protocol analysis

Conformity to prudent design principles is an established approach to protocol correctness, although it is not free of limitations. We term goal availability a design principle that is often implicitly followed, prescribing that protocols aim at principal-centric goals. Adherence to a design principle is normally established through protocol analysis, that is, an evaluation of whether a protocol achieves its goals. However, the literature shows that there exists no clear guidance on how to conduct and interpret such an analysis, a process left entirely to the analyzer's skill and experience. Goal availability has the desirable feature that its supporting protocol analysis can be precisely guided by what becomes a principle of realistic analysis, which we call guarantee availability. It prescribes that the outcome of the analysis, which is the set of guarantees confirming the protocol goals, be practically applicable by the protocol participants. In consequence, the guarantees must be based on assumptions that the principals have the capacity to verify. Our focus then turns entirely to protocol analysis, because an analysis conforming to guarantee availability signifies that the analyzed protocol conforms to goal availability. Existing analyses of (both classical and deployed) protocols have been reconsidered with the aim of studying their conformity to guarantee availability. Some experiments clarify the relationships between goal availability and the existing design principles, with particular reference to explicitness. Other experiments demonstrate that boosting an analysis with guarantee availability generally makes it deeper, unveiling additional protocol niceties that may otherwise be overlooked, depending on the analyzer's skills. In particular, an established claim about a protocol (made using a well-known formal method) can be subverted.
