Formal prototyping in early stages of protocol design

Network protocol design is usually an informal process where debugging is based on successive iterations of a prototype implementation. The feedback provided by a prototype can be indispensable since the requirements are often incomplete at the start. A drawback of this technique is that errors in protocols can be notoriously difficult to detect by testing alone. Applying formal methods such as theorem proving can greatly increase one's confidence that the protocol is correct. However, formal methods can be tedious to use, rarely support successive design iterations and prototyping, are difficult to scale to entire designs, and typically require a clear understanding of requirements in advance. We investigate how formal simulation based on Maude executable specifications overcomes many of these hurdles. We apply this technique in the early stages of the design of a new security protocol, known as Layer 3 Accounting (L3A), aimed at protecting against known vulnerabilities in the wireless accounting infrastructure. The protocol sets up a collection of IPsec security associations that provide the necessary protection. We demonstrate how formal simulation uncovered problems in several successive iterations of the L3A protocol design.
