Embedding agents within the intruder to detect parallel attacks

We carry forward the work described in our previous papers [5,18,20] on the application of data independence to the model checking of security protocols using CSP [19] and FDR [10]. In particular, we showed how techniques based on data independence [12,19] could be used to justify, by means of a finite FDR check, systems where agents can perform an unbounded number of protocol runs. Whilst this allows for a more complete analysis, there was one significant incompleteness in the results we obtained: while each individual identity could perform an unlimited number of protocol runs sequentially, the degree of parallelism remained bounded (and small to avoid state space explosion). In this paper, we report significant progress towards the solution of this problem, by means anticipated in [5], namely by “internalising” protocol roles within the “intruder” process. The internalisation of protocol roles (initially only server-type roles) was introduced in [20] as a state-space reduction technique (for which it is usually spectacularly successful). It was quickly noticed that this had the beneficial side-effect of making the internalised server arbitrarily parallel, at least in cases where it did not generate any new values of data independent type. We now consider the case where internal roles do introduce fresh values and address the issue of capturing their state of mind (for the purposes of analysis).

[1] Natsume Matsuzaki, et al. Key Distribution Protocol for Digital Mobile Communication Systems, 1989, CRYPTO.

[2] Andrew William Roscoe, et al. Proving security protocols with model checkers by data independence techniques, 1999.

[3] Bruno Blanchet, et al. From Secrecy to Authenticity in Security Protocols, 2002, SAS.

[4] Joshua D. Guttman, et al. Strand spaces: why is a security protocol correct?, 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[5] John A. Clark, et al. A survey of authentication protocol literature: Version 1.0, 1997.

[6] Michael Goldsmith, et al. Modelling and analysis of security protocols, 2001.

[7] Ran Canetti, et al. Efficient authentication and signing of multicast streams over lossy channels, 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[8] Steve A. Schneider. Verifying Authentication Protocols in CSP, 1998, IEEE Trans. Software Eng.

[9] A. W. Roscoe, et al. Capturing parallel attacks within the data independence framework, 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[10] A. W. Roscoe, et al. Automating Data Independence, 2000, ESORICS.

[11] Catherine A. Meadows, et al. The NRL Protocol Analyzer: An Overview, 1996, J. Log. Program.

[12] Lawrence C. Paulson, et al. The Inductive Approach to Verifying Cryptographic Protocols, 2021, J. Comput. Secur.

[13] A. W. Roscoe, et al. Proving security protocols with model checkers by data independence techniques, 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).

[14] Gavin Lowe, et al. Analysing a Stream Authentication Protocol Using Model Checking, 2002, ESORICS.

[15] Gavin Lowe. Casper: a compiler for the analysis of security protocols, 1998.

[16] Andrew William Roscoe, et al. The Theory and Practice of Concurrency, 1997.

[17] Dawn Xiaodong Song, et al. Athena: A Novel Approach to Efficient Automatic Security Protocol Analysis, 2001, J. Comput. Secur.

[18] Bruno Blanchet, et al. An efficient cryptographic protocol verifier based on prolog rules, 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001.