Comparing State Spaces in Automatic Security Protocol Analysis Cas

There are several automatic tools available for the symbolic analysis of security protocols. The models underlying these tools differ in many aspects. Some of the differences have already been formally related to each other in the literature, such as differences in protocol execution models or definitions of security properties. However, there is an important difference between analysis tools that has not been investigated in depth before: the explored state space. Some tools explore all possible behaviors, whereas others explore strict subsets, often by using so-called scenarios. We identify several types of state space explored by protocol analysis tools, and relate them to each other. We find previously unreported differences between the various approaches. Using combinatorial results, we determine the requirements for emulating one type of state space by combinations of another type. We apply our study of state space relations in a performance comparison of several well-known automatic tools for security protocol analysis. We model a set of protocols and their properties as homogeneously as possible for each tool. We analyze the performance of the tools over comparable state spaces. This work enables us to effectively compare these automatic tools, i.e., using the same protocol description and exploring the same state space. We also propose some explanations for our experimental results, leading to a better understanding of the tools.
