A derivation system for security protocols and its logical formalization

Many authentication and key exchange protocols are built using an accepted set of standard concepts such as Diffie-Hellman key exchange, nonces to avoid replay, certificates from an accepted authority, and encrypted or signed messages. We introduce a basic framework for deriving security protocols from such simple components. As a case study, we examine the structure of a family of key exchange protocols that includes station-to-station (STS), ISO-9798-3, just fast keying (JFK), IKE and related protocols, deriving all members of the family from two basic protocols using a small set of refinements and protocol transformations. As initial steps toward associating logical derivations with protocol derivations, we extend a previous security protocol logic with preconditions and temporal assertions. Using this logic, we prove the security properties of the standard signature-based challenge-response protocol and the Diffie-Hellman key exchange protocol. The ISO-9798-3 protocol is then proved correct by composing the correctness proofs of these two simple protocols.
