Several formal approaches have been proposed to analyse security protocols, e.g. [2,7,11,1,6,12]. Recently, a great interest has been growing on the use of constraint solving approach. Initially proposed by Millen and Shmatikov [9], this approach allows analysis of a finite number of protocol sessions. Yet, the representation of protocol runs by symbolic traces (as opposed to concrete traces) captures the possibility of having unbounded message space, allowing analysis over an infinite state space. A constraint is defined as a pair consisting of a message M and a set of messages K that represents the intruder's knowledge. Millen and Shmatikov present a procedure to solve a set of constraints, i.e. that in each constraint, M can be built from K. When a set of constraints is solved, then a concrete trace representing an attack over the protocol can be extracted.
Corin and Etalle [4] has improved the work of Millen and Shmatikov by presenting a more efficient procedure. However, none of these constraint-based systems provide enough flexibility and expresiveness in specifying security properties. For example, to check secrecy an artificial protocol role is added to simulate whether a secret can be learned by an intruder. Authentication cannot also be checked directly. Moreover, only a built-in notion of authentication is implemented by Millen and Shmatikov in his Prolog implementation [10]. This problem motivates our current work.
A logical formalism is considered to be an appropriate solution to improve the flexibility and expresiveness in specifying security properties. A preliminary attempt to use logic for specifying local security properties in a constraint-based setting has been carried out [3]. Inspired by this work and the successful NPATRL [11,8], we currently explores a variant of linear temporal logic (LTL) over finite traces, ${\mathcal PS}$-LTL, standing for pure-past security LTL [5]. In contrast to standard LTL, this logic deals only with past events in a trace. In our current work, a protocol is modelled as in previous works [9,4,3], viz. by protocol roles. A protocol role is a sequence of send and receive events, together with status events to indicate, e.g. that a protocol role has completed her protocol run. A scenario is then used to deal with the number of sessions and protocol roles considered in the analysis.
Integrating ${\mathcal PS}$-LTL into our constraint solving approach presents a challenge, since we need to develop a sound and complete decision procedure against symbolic traces, instead of concrete traces. Our idea to address this problem is by concretizing symbolic traces incrementally while deciding a formula. Basically, the decision procedure consists of two steps: transform and decide. The former step transforms a ${\mathcal PS}$-LTL formula with respect to the current trace into a so-called elementary formula that is built from constraints and equalities using logical connectives and quantifiers. The decision is then performed by the latter step through solving the constraints and checking the equalities.
Although we define a decision procedure for a fragment of ${\mathcal PS}$-LTL, this fragment is expressive enough to specify several security properties, like various notions of secrecy and authentication, and also data freshness. We provide a Prolog implementation and have analysed several security protocols.
There are many directions for improvement. From the implementation point of view, the efficiency of the decision procedure can still be improved. I would also like to investigate the expressiveness of the logic for speficying other security properties. This may result in an extension of the decision procedure for a larger fragment of the logic. Another direction is to characterize the expressivity power of ${\mathcal PS}$-LTL compared to other security requirement languages.
[1]
Sandro Etalle,et al.
PS-LTL for constraint-based security protocol analysis
,
2005,
ICLP 2005.
[2]
Martín Abadi,et al.
A logic of authentication
,
1990,
TOCS.
[3]
Pieter H. Hartel,et al.
A Trace Logic for Local Security Properties
,
2005,
Electron. Notes Theor. Comput. Sci..
[4]
Vitaly Shmatikov,et al.
Constraint solving for bounded-process cryptographic protocol analysis
,
2001,
CCS '01.
[5]
Catherine A. Meadows,et al.
The NRL Protocol Analyzer: An Overview
,
1996,
J. Log. Program..
[6]
Gavin Lowe,et al.
Casper: a compiler for the analysis of security protocols
,
1997,
Proceedings 10th Computer Security Foundations Workshop.
[7]
Catherine A. Meadows,et al.
Formalizing GDOI group key management requirements in NPATRL
,
2001,
CCS '01.
[8]
Sandro Etalle,et al.
An Improved Constraint-Based System for the Verification of Security Protocols
,
2002,
SAS.
[9]
Martín Abadi,et al.
A calculus for cryptographic protocols: the spi calculus
,
1997,
CCS '97.
[10]
Paul Syverson,et al.
A formal language for cryptographic protocol requirements
,
1996
.
[11]
F. Javier Thayer Fábrega,et al.
Strand spaces: proving security protocols correct
,
1999
.