Closing the Idealization Gap with Theory Generation (Extended Abstract)

Cryptographic protocol design demands careful verification during all phases of development. Belief logics, in the tradition of the Burrows, Abadi, and Needham (BAN) logic of authentication [BAN90], provide a simple, intuitive model, and allow natural expressions of a protocol and its goals. Since manual deduction is error-prone, protocol designers need automated tools to make effective use of these logics. Such tools often require excessive human intervention or supply inadequate feedback during the verification process. We take a new approach, “theory generation,” which allows highly automated reasoning with these logics, and which supports new forms of protocol analysis. In this approach, given a logic, L, we generate a finite representation, T, of the full theory, corresponding to a protocol, P. Given this representation, determining whether the protocol satisfies some property, , requires only a simple membership test, T ? (Figure 1). Furthermore, since the theory is represented by a finite set of formulas, we can analyze differences between protocols by comparing the generated theories, and we can easily answer questions such as, “What beliefs does this principal hold after receiving message 2?” In earlier work described in our USENIX paper, we applied theory generation to three different belief logics (BAN, AUTLOG [KW94], and Kailar’s accountability logic [Kai96]), and seven protocols for authentication and electronic commerce [KW96]. BAN-style belief logics enable the designer to think about a protocol at a convenient level of abstraction; however, the gap between the “idealized” protocol

[1] Paul F. Syverson. The use of logic in the analysis of cryptographic protocols, 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[2] Martín Abadi, et al. Prudent Engineering Practice for Cryptographic Protocols, 1994, IEEE Trans. Software Eng.

[3] Gavin Lowe, et al. An Attack on the Needham-Schroeder Public-Key Authentication Protocol, 1995, Inf. Process. Lett.

[4] John Ulrich, et al. Automated Analysis of Cryptographic Protocols Using Murφ, 1997.

[5] Simon S. Lam, et al. A semantic model for authentication protocols, 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[6] Gavin Lowe, et al. Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR, 1996, Softw. Concepts Tools.

[7] Jeannette M. Wing, et al. Fast, automatic checking of security protocols, 1996.

[8] B. Clifford Neuman, et al. A note on the use of timestamps as nonces, 1993, OPSR.

[9] Rajashekar Kailar. Accountability in Electronic Commerce Protocols, 1996, IEEE Trans. Software Eng.

[10] Colin Boyd, et al. Development of authentication protocols: some misconceptions and a new approach, 1994, Proceedings The Computer Security Foundations Workshop VII.

[11] Wenbo Mao, et al. An augmentation of BAN-like logics, 1995, Proceedings The Eighth IEEE Computer Security Foundations Workshop.

[12] Somesh Jha, et al. Model Checking for Security Protocols, 1997.

[13] Volker Kessler, et al. AUTLOG-an advanced logic of authentication, 1994, Proceedings The Computer Security Foundations Workshop VII.

[14] Martín Abadi, et al. A logic of authentication, 1990, TOCS.