Proving security protocols with model checkers by data independence techniques

Model checkers such as FDR have been extremely effective in checking for, and finding, attacks on cryptographic protocols. Their use in proving protocols has, on the other hand, generally been limited to showing that a given small instance, usually restricted by the finiteness of some set of resources such as keys and nonces, is free of attacks. While for specific protocols there are frequently good reasons for supposing that this will find any attack, it leaves a substantial gap in the method. The purpose of this paper is to show how techniques borrowed from data independence and related fields can be used to achieve the illusion that nodes can call upon an infinite supply of different nonces, keys, etc., even though the actual types used for these things remain finite. It is thus possible to create models of protocols in which nodes do not have to stop after a small number of runs, and to claim that, within certain limits, a finite-state run on a model checker has proved that a given protocol is secure from attack. The author uses a single protocol as a case study, but believes the techniques are much more widely applicable.
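The following is an added illustration of the abstract's central point, written for this page; it is not the paper's CSP model or an FDR script. It assumes one simple recycling discipline (an assumption, not the paper's construction): a node's behaviour depends on nonce values only through equality tests, so a value that no honest agent still holds can be handed out again. With that discipline a node runs the protocol as often as it likes while the nonce type, and hence the model's state space, stays finite; without it the node stops once the type is used up.

```python
class FiniteNonces:
    """A finite nonce type; values are reissued once no honest agent holds them."""

    def __init__(self, size, recycle=True):
        self.pool = list(range(size))   # the finite type: values 0 .. size-1
        self.live = set()               # values some honest agent still holds
        self.recycle = recycle          # assumed discipline: reuse non-live values
        self.issued = 0                 # how many values have ever been handed out

    def fresh(self):
        """Return a value distinct from every live nonce, or None if exhausted."""
        # Without recycling a value is consumed for good once issued.
        candidates = self.pool if self.recycle else self.pool[self.issued:]
        for n in candidates:
            if n not in self.live:
                self.live.add(n)
                self.issued += 1
                return n
        return None

    def release(self, n):
        """An honest agent forgets a nonce (its run finished or timed out)."""
        self.live.discard(n)


def run_node(size, runs, window, recycle):
    """A node that starts `runs` protocol runs, keeping at most `window` nonces
    live at once (constructed workload). Returns (completed runs, number of
    distinct abstract states seen, where a state is the set of live values)."""
    nonces = FiniteNonces(size, recycle)
    held = []               # nonces of runs still in progress, oldest first
    states = set()
    completed = 0
    for _ in range(runs):
        if len(held) == window:          # oldest run finishes; its nonce is forgotten
            nonces.release(held.pop(0))
        n = nonces.fresh()
        if n is None:                    # type exhausted: the node must stop
            break
        assert n not in held             # freshness: never equal to a live nonce
        held.append(n)
        states.add(frozenset(nonces.live))
        completed += 1
    return completed, len(states)


if __name__ == "__main__":
    print(run_node(size=3, runs=100, window=2, recycle=False))  # stops after 3 runs
    print(run_node(size=3, runs=100, window=2, recycle=True))   # 100 runs, 2 states
```

The state count stays bounded by 2**size however many runs are performed, which is what lets a finite-state check stand in for the unbounded model.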
