Symbolic Approach to the Analysis of Security Protocols (original) (raw)
Related papers
A symbolic approach to the analysis of security protocols
2003
Abstract: The specification and validation of security protocols often requires view- ing function calls ‐ like encryption/decryption and the generation of fake messages ‐ explicitly as actions within the process semantics. Following this approach, this paper introduces a symbolic framework based on value-passing processes able to handle sym- bolic values like fresh nonces, fresh keys, fake addresses and fake messages. The main idea in our approach is to assign to each value-passing process a formula describing the symbolic values conveyed by its semantics. In such symbolic processes, called con- strained processes, the formulas are drawn from a logic based on a message algebra equipped with encryption, signature and hashing primitives. The symbolic operational semantics of a constrained process is then established through semantic rules updating formulas by adding restrictions over the symbolic values, as required for the process to evolve. We then prove that the logic required fro...
A logic for constraint-based security protocol analysis
Security and Privacy, 2006 IEEE …, 2006
We propose PS-LTL, a pure-past security linear temporal logic that allows the specification of a variety of authentication, secrecy and data freshness properties. Furthermore, we present a sound and complete decision procedure to establish the validity of security properties for symbolic execution traces, and show the integration with constraintbased analysis techniques.
Protocol Engineering Applied to Formal Analysis of Security Systems
Lecture Notes in Computer Science, 2002
Every communication system requiring security properties is certainly critical. In order to study the security of communication systems, we have developed a methodology for the application of the formal analysis techniques of communication protocols to the analysis of cryptographic ones. We have extended the design and analysis phases with security properties. Our methodology uses a specification technique based on the HMSC/MSC requirement languages, and translates it into a generic schema for the SDL specification language that it is analyzed. Thus, the technique allows the specification of security protocols using a standard formal language and uses Object-Orientation for reusability purposes. The final goal is not only the formal specification of a security system, but to examine the possible attacks, and later use it in more complex systems.
A Typed Specification for Security Protocols
2006
Security protocol attacks are known to have various sources, from flawed implementations, to running parallel sessions of the same protocol. Because of this attack diversity, it is quite difficult (or impossible) to create an abstract model that is suitable for analyzing a protocol against all possible attacks. However, if we categorize the attacks based on their characteristics we should be able to create multiple abstract models that simplify the analysis. Therefore, in this paper we identify attacks based on message similarities, that we call "structural attacks", and create an abstract model, based on message component types (session keys, nonces, participants), that is powerful enough to capture the structure of security protocol messages.
Integrating Logics and Process Calculi for Cryptographic Protocol Analysis
Security and Privacy in the Age of Uncertainty, 2003
This paper describes a formalism for cryptographic protocol simulation and analysis that integrates logic and process calculus components. Novel features include the comprehensive modeling of encrypted and unencrypted messages, an expressive message passing semantics and sophisticated constructs for modeling principals. Moreover, the seamless integration of inference rules for communication, reduction and information analysis supports formal proofs about the knowledge and behavior of principals, and about the properties of protocols.
Knowledge in security protocols: an operational semantics for BAN logic
Communication usually aims at a certain desired knowledge change of the parties involved, rather than at a mere transport of information. In this paper, we focus on communication that takes place in the run of a protocol that is to establish a secure communication channel by means of a secret key. The protocol run must not only include the distribution of the key(s), but also convince the parties sharing the key that it can be trusted. Hence it makes sense to express the aim of such a protocol in terms of knowledge or convictions of the agents after a run of the protocol, usually under assumptions concerning what they know or believe beforehand.
Process Algebraic Analysis of Cryptographic Protocols
Formal Methods for Distributed System Development, 2000
Recent approaches to the analysis of crypto-protocols build on concepts which are well-established in the eld of process algebras, such as labelled transition systems (lts) and observational semantics. We outline some recent work in this direction that stems from using cryptographic versions of the pi-calculus { most notably Abadi and Gordon's spi-calculus { as protocol description languages. We show the impact of these approaches on a speci c example, a simpli ed version of the Kerberos protocol.
A Derivation System for Security Protocols and its Logical Formalization
2003
Many authentication and key exchange protocols are built using an accepted set of standard concepts such as Diffie-Hellman key exchange, nonces to avoid replay, certificates from an accepted authority, and encrypted or signed messages. We introduce a basic framework for deriving security protocols from such simple components. As a case study, we examine the structure of a family of key exchange protocols that includes Station-To-Station (STS), Just Fast Keying (JFK), IKE and related protocols, deriving all members of the family from two basic protocols using a small set of refinements and protocol transformations. As initial steps toward associating logical derivations with protocol derivations, we extend a previous security protocol logic with preconditions and temporal assertions. Using this logic, we prove the security properties of the standard signature based Challenge-Response protocol and the Diffie-Hellman key exchange protocol. The ISO-9798-3 protocol is then proved correct by composing the correctness proofs of these two simple protocols.
Soundness Conditions for Message Encoding Abstractions in Formal Security Protocol Models
2008 Third International Conference on Availability, Reliability and Security, 2008
In formal methods, security protocols are usually modeled with a high level of abstraction. In particular, marshalling/unmarshalling operations on transmitted messages are generally abstracted away. However, in real applications, errors in this protocol component could be exploited to break protocol security. In order to solve this issue, this paper formally shows that, under some constraints checkable on sequential code, if an abstract protocol model is secure, then a refined model, which takes into account a wide class of possible implementations of the marshalling/unmarshalling operations, is implied to be secure too. The paper also indicates possible exploitations of this result.
2008
Security protocols aim to allow two or more principals to establish a secure communication over a hostile network, such as the Internet. The design of security protocols is particularly error-prone, because it is difficult to anticipate what an intruder may achieve interacting through a number of protocol runs, claiming to be an honest participant. Thus, the verification of security protocols has attracted a lot of interest in the formal methods community and as a result lots of verification techniques/tools, as well as good practices for protocol design, have appeared in the two last decades. In this paper, we describe the state of the art in automated tools that support security protocol development. This mainly involves tools for protocol verification and, to a lesser extent, for protocol synthesis and protocol diagnosis and repair. Also, we give an overview of the most significant principles for the design of security protocols and of the major problems that still need to be add...