A derivation system and compositional logic for security protocols
2005, Journal of Computer Security
Abstract
Many authentication and key exchange protocols are built from an accepted set of standard concepts such as Diffie-Hellman key exchange, nonces to avoid replay, certificates from an accepted authority, and encrypted or signed messages. We propose a general framework for deriving security protocols from simple components, using composition, refinements, and transformations. As a case study, we examine the structure of a family of key exchange protocols that includes Station-To-Station (STS), ISO-9798-3, Just Fast Keying (JFK), IKE and related protocols, deriving all members of the family from two basic protocols. In order to associate formal proofs with protocol derivations, we extend our previous security protocol logic with preconditions, temporal assertions, composition rules, and several other improvements. Using the logic, which we prove sound with respect to the standard symbolic model of protocol execution and attack (the "Dolev-Yao model"), we establish the security properties of the standard signature-based Challenge-Response protocol and of the Diffie-Hellman key exchange protocol. The ISO-9798-3 protocol is then proved correct by composing the correctness proofs of these two simple protocols. Although our current formal logic is not yet sufficient to modularly prove security for all of our current protocol derivations, the derivation system provides a framework for further improvements.
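The composition the abstract describes for ISO-9798-3 can be written out as a concrete message exchange. The Python below is an added worked example, not code from the paper or its authors: it builds a signature-based challenge-response component and a Diffie-Hellman component, then composes them by letting the DH exponentials serve as the fresh challenge nonces, and checks that both sides derive the same key and that a network attacker who rewrites an exponential is rejected. The three-pass message layout, with each signature covering both exponentials and the intended recipient's identity, follows the usual presentation of the ISO/IEC 9798-3 mechanism but is an assumption here, as are the deliberately tiny safe-prime group, the choice of Schnorr signatures, the subgroup check on received DH values, and the key derivation.

```python
"""Added example (not from the paper): a toy ISO/IEC 9798-3-style exchange
obtained by composing signature-based challenge-response with Diffie-Hellman,
with the DH exponentials playing the role of the challenge nonces."""
import hashlib
import secrets

# Toy safe-prime group (assumption: far too small for real use, chosen so the
# numbers are readable). p = 2q + 1 with q prime; g = 4 generates the order-q
# subgroup of quadratic residues.
P, Q, G = 2039, 1019, 4


def enc(x: int) -> bytes:
    """Fixed-width encoding of a group element so concatenations are unambiguous."""
    return x.to_bytes((P.bit_length() + 7) // 8, "big")


def H(*parts: bytes) -> int:
    """SHA-256 over length-prefixed parts, returned as an integer."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return int.from_bytes(h.digest(), "big")


# --- Component 1: signatures (Schnorr over the toy group) ---------------
def keygen():
    x = secrets.randbelow(Q - 1) + 1          # long-term private key in [1, q-1]
    return x, pow(G, x, P)                    # (private, public)


def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1          # fresh per-signature nonce
    r = pow(G, k, P)
    e = H(enc(r), msg)                        # full hash output as the challenge
    return e, (k + e * x) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = pow(G, s, P) * pow(y, Q - e % Q, P) % P   # y^q = 1, so this is g^s * y^-e
    return e == H(enc(r), msg)


# --- Component 2: Diffie-Hellman ----------------------------------------
def dh_keypair():
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    # Reject 0, 1, p-1 and anything outside the order-q subgroup: a peer value
    # of small order would confine the shared secret to a guessable set.
    if not 1 < peer_pub < P - 1 or pow(peer_pub, Q, P) != 1:
        raise ValueError("peer DH value is not in the prime-order subgroup")
    return pow(peer_pub, priv, P)


# --- Composition: the 9798-3-style three-message exchange ----------------
def iso9798_3(a_keys, b_keys, relay=None):
    """Run A <-> B. `relay(gb, sig_b)` models a Dolev-Yao attacker rewriting
    message 2 in transit. Returns (key_A, key_B); raises ValueError on a failed check."""
    (xa, ya), (xb, yb) = a_keys, b_keys
    A, B = b"A", b"B"
    # Msg 1, A -> B: g^a. A's DH exponential doubles as its fresh challenge.
    a, ga = dh_keypair()
    # Msg 2, B -> A: g^b, Sig_B(g^b, g^a, A). The signature answers A's
    # challenge and binds A's identity, so it cannot be replayed to anyone else.
    b, gb = dh_keypair()
    sig_b = sign(xb, enc(gb) + enc(ga) + A)
    if relay is not None:
        gb, sig_b = relay(gb, sig_b)
    if not verify(yb, enc(gb) + enc(ga) + A, sig_b):
        raise ValueError("A: B's signature does not cover my challenge")
    key_a = H(enc(dh_shared(a, gb)), A, B)
    # Msg 3, A -> B: Sig_A(g^a, g^b, B), answering B's challenge.
    sig_a = sign(xa, enc(ga) + enc(gb) + B)
    if not verify(ya, enc(ga) + enc(gb) + B, sig_a):
        raise ValueError("B: A's signature does not cover my challenge")
    key_b = H(enc(dh_shared(b, ga)), A, B)
    return key_a, key_b


def honest_run_agrees() -> bool:
    key_a, key_b = iso9798_3(keygen(), keygen())
    return key_a == key_b


def substituted_exponential_rejected() -> bool:
    """Attacker replaces g^b with another subgroup element (g^2b) but cannot
    re-sign as B, so A must reject message 2."""
    try:
        iso9798_3(keygen(), keygen(), relay=lambda gb, sig_b: (pow(gb, 2, P), sig_b))
    except ValueError:
        return True
    return False


def small_subgroup_value_rejected() -> bool:
    """p-1 has order 2; the subgroup check must refuse it."""
    a, _ = dh_keypair()
    try:
        dh_shared(a, P - 1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(honest_run_agrees(), substituted_exponential_rejected(),
          small_subgroup_value_rejected())
```

The `relay` hook is where the symbolic attacker of the Dolev-Yao model sits: it sees and may rewrite everything on the wire but cannot produce B's signature. The subgroup check in `dh_shared` is an implementation precaution that the abstract's symbolic model does not talk about; it belongs in any real DH component regardless of what the protocol logic proves.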
References (64)
- M. Abadi and A. Gordon, A calculus for cryptographic protocols: the spi calculus, Information and Computation, 148(1) (1999), 1-70. Expanded version available as SRC Research Report 149 (January 1998).
- W. Aiello, S. Bellovin, M. Blaze, R. Canetti, J. Ioannidis, A. Keromytis and O. Reingold, Just fast keying (JFK), 2002. Internet draft.
- J. Alves-Foss and T. Soule, A weakest precondition calculus for analysis of cryptographic protocols, in: DIMACS Workshop on Design and Formal Verification of Crypto Protocols, 1997.
- M. Barr and C. Wells, Category Theory for Computing Science, Prentice Hall, New York, 1990.
- M. Bellare, R. Canetti and H. Krawczyk, A modular approach to the design and analysis of authentication and key exchange protocols, in: Proceedings of 30th Annual Symposium on the Theory of Computing, ACM, 1998.
- M. Bellare and P. Rogaway, Entity authentication and key distribution, in: Advances in Cryptology - Crypto'93 Proceedings, LNCS 773, Springer-Verlag, 1994.
- G. Berry and G. Boudol, The chemical abstract machine, Theoretical Computer Science 96 (1992), 217-248.
- R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva and M. Yung, Systematic design of a family of attack resistant authentication protocols, IEEE Journal on Selected Areas in Communications 11(5) (1993).
- M. Burrows, M. Abadi and R. Needham, A logic of authentication, ACM Transactions on Computer Systems 8(1) (1990), 18-36.
- L. Buttyan, S. Staamann and U. Wilhelm, A simple logic for authentication protocol design, in: Proceedings of 11th IEEE Computer Security Foundations Workshop, IEEE, 1998, pp. 153-162.
- R. Canetti, Universally composable security: A new paradigm for cryptographic protocols, in: Proc. 42nd IEEE Symp. on the Foundations of Computer Science, IEEE, 2001. Full version available at http://eprint.iacr.org/2000/067/.
- R. Canetti, C. Meadows and P. Syverson, Environmental requirements for authentication protocols, in: Proceedings of Software Security - Theories and Systems, Mext-NSF-JSPS International Symposium, ISSS 2002, LNCS 2609, Springer-Verlag, 2003, pp. 339-355.
- J.A. Clark and J.L. Jacob, A survey of authentication protocol literature, Web Draft Version 1.0 available from www.cs.york.ac.uk/~jac/, 1997.
- J.A. Clark and J.L. Jacob, Searching for a solution: Engineering tradeoffs and the evolution of provably secure protocols, in: Proceedings IEEE Symposium on Research in Security and Privacy, IEEE, 2000, pp. 82-95.
- A. Datta, A. Derek, J.C. Mitchell and D. Pavlovic, A derivation system for security protocols and its logical formalization, in: Proceedings of 16th IEEE Computer Security Foundations Workshop, IEEE, 2003, pp. 109-125.
- A. Datta, A. Derek, J.C. Mitchell and D. Pavlovic, Secure protocol composition (Extended abstract), in: Proceedings of ACM Workshop on Formal Methods in Security Engineering, 2003, pp. 11-23.
- A. Datta, A. Derek, J.C. Mitchell and D. Pavlovic, Abstraction and refinement in protocol derivation, in: Proceedings of 17th IEEE Computer Security Foundations Workshop, IEEE, 2004, pp. 30-45.
- A. Datta, A. Derek, J.C. Mitchell and D. Pavlovic, Secure protocol composition, in: Proceedings of 19th Annual Conference on Mathematical Foundations of Programming Semantics, Volume 83 of Electronic Notes in Theoretical Computer Science, 2004.
- A. Datta, J.C. Mitchell and D. Pavlovic, Derivation of the JFK protocol, Technical Report KES.U.02.03, Kestrel Institute, 2002.
- W. Diffie and M.E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory IT-22(6) (1976), 644-654.
- W. Diffie, P.C. van Oorschot and M.J. Wiener, Authentication and authenticated key exchanges, Designs, Codes and Cryptography 2 (1992), 107-125.
- D. Dolev and A. Yao, On the security of public-key protocols, IEEE Transactions on Information Theory 29(2) (1983), 198-208.
- N. Durgin, J.C. Mitchell and D. Pavlovic, A compositional logic for protocol correctness, in: Proceedings of 14th IEEE Computer Security Foundations Workshop, IEEE, 2001, pp. 241-255.
- N. Durgin, J.C. Mitchell and D. Pavlovic, A compositional logic for proving security properties of protocols, Journal of Computer Security 11 (2003), 677-721.
- L. Gong and P. Syverson, Fail-stop protocols: An approach to designing secure protocols, Dependable Computing for Critical Applications 5 (1998), 79-100.
- J.D. Guttman and F.J.T. Fábrega, Protocol independence through disjoint encryption, in: Proceedings of 13th IEEE Computer Security Foundations Workshop, IEEE, 2000, pp. 24-34.
- D. Harkins and D. Carrel, The Internet Key Exchange (IKE), RFC 2409, 1998.
- N. Heintze and J.D. Tygar, A model for secure protocols and their composition, IEEE Transactions on Software Engineering 22(1) (1996), 16-30.
- ISO/IEC, Entity authentication mechanisms - Part 3: Entity authentication using asymmetric techniques, Technical report ISO/IEC IS 9798-3, ISO/IEC, 1993.
- J. Kelsey, B. Schneier and D. Wagner, Protocol interactions and the chosen protocol attack, in: Proceedings of the International Workshop on Security Protocols, 1997.
- R. Kemmerer, C. Meadows and J. Millen, Three systems for cryptographic protocol analysis, J. Cryptology 7(2) (1994), 79-130.
- H. Krawczyk, The IKE-SIGMA protocol, Internet draft, 2002.
- G. Lowe, An attack on the Needham-Schroeder public-key protocol, Info. Proc. Letters 56 (1995), 131-133.
- G. Lowe, Some new attacks upon security protocols, in: Proceedings of 9th IEEE Computer Security Foundations Workshop, IEEE, 1996, pp. 162-169.
- N. Lynch, I/O automata models and proofs for shared-key communication systems, in: Proceedings of 12th IEEE Computer Security Foundations Workshop, IEEE, 1999, pp. 14-29.
- Z. Manna and A. Pnueli, Temporal Verification of Reactive Systems: Safety, Springer-Verlag, 1995.
- H. Mantel, On the composition of secure systems, in: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, IEEE Computer Society, 2002, pp. 88-101.
- P. Martin-Löf, Intuitionistic Type Theory, Bibliopolis, 1984.
- D. McCullough, Noninterference and the composability of security properties, in: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, IEEE Computer Society, 1988, pp. 177-186.
- D. McCullough, A hookup theorem for multilevel security, IEEE Transactions on Software Engineering 16(6) (1990), 563-568.
- J. McLean, Security models and information flow, in: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, IEEE Computer Society, 1990.
- J. McLean, A general theory of composition for a class of "possibilistic" properties, IEEE Transactions on Software Engineering 22(1) (1996), 53-67.
- C. Meadows, A model of computation for the NRL protocol analyzer, in: Proceedings of 7th IEEE Computer Security Foundations Workshop, IEEE, 1994, pp. 84-89.
- C. Meadows, The NRL protocol analyzer: An overview, Journal of Logic Programming 26(2) (1996), 113-131.
- C. Meadows, Analysis of the Internet Key Exchange protocol using the NRL protocol analyzer, in: Proceedings of the IEEE Symposium on Security and Privacy, IEEE, 1998.
- A.J. Menezes, P.C. van Oorschot and S.A. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996.
- R. Milner, Action structures, LFCS report ECS-LFCS-92-249, Department of Computer Science, University of Edinburgh, JCMB, The Kings Buildings, Mayfield Road, Edinburgh, December 1992.
- R. Milner, Action calculi and the pi-calculus, in: NATO Summer School on Logic and Computation, Marktoberdorf, 1993.
- R. Milner, Action calculi, or syntactic action structures, in: Proceedings of MFCS'93, A.M. Borzyszkowski and S. Sokolowski, eds, Volume 711 of Lecture Notes in Computer Science, Springer-Verlag, 1993, pp. 105-121.
- R. Milner, Communicating and Mobile Systems: The π-Calculus, Cambridge University Press, Cambridge, UK, 1999.
- J.C. Mitchell, M. Mitchell and U. Stern, Automated analysis of cryptographic protocols using Murϕ, in: Proceedings of the IEEE Symposium on Security and Privacy, 1997, pp. 141-151.
- J.C. Mitchell, A. Ramanathan, A. Scedrov and V. Teague, A probabilistic polynomial-time calculus for the analysis of cryptographic protocols (preliminary report), in: 17th Annual Conference on the Mathematical Foundations of Programming Semantics, Aarhus, Denmark, 2001, S. Brookes and M. Mislove, eds, Volume 45 of Electronic Notes in Theoretical Computer Science, 2001.
- R. Needham and M. Schroeder, Using encryption for authentication in large networks of computers, Communications of the ACM 21(12) (1978), 993-999.
- L. Paulson, Proving properties of security protocols by induction, in: 10th IEEE Computer Security Foundations Workshop, 1997, pp. 70-83.
- D. Pavlovic, Categorical logic of names and abstraction in action calculi, Mathematical Structures in Computer Science 7(6) (1997), 619-637.
- D. Peled, Software Reliability Methods, Springer-Verlag, 2001.
- A. Perrig and D. Song, A first step towards the automatic generation of security protocols, in: Proceedings of ISOC Network and Distributed Systems Security Symposium, 2000.
- B. Pfitzmann and M. Waidner, A model for asynchronous reactive systems and its application to secure message transmission, in: IEEE Symposium on Security and Privacy, Washington, 2001, pp. 184-200.
- A. Ramanathan, J.C. Mitchell, A. Scedrov and V. Teague, Probabilistic bisimulation and equivalence for security analysis of network protocols, in: FOSSACS 2004 -Foundations of Software Science and Computation Structures, 2004.
- D. Song, Athena: a new efficient automatic checker for security protocol analysis, in: Proceedings of 12th IEEE Computer Security Foundations Workshop, IEEE, 1999, pp. 192-202.
- P. Syverson and C. Meadows, A formal language for cryptographic protocol requirements, Designs, Codes and Cryptography 7(1-2) (1996), 27-59.
- F.J. Thayer-Fábrega, J.C. Herzog and J.D. Guttman, Strand spaces: Why is a security protocol correct? in: Proceedings of the 1998 IEEE Symposium on Security and Privacy, Oakland, CA, IEEE Computer Society Press, 1998, pp. 160-171.
- F.J. Thayer-Fábrega, J.C. Herzog and J.D. Guttman, Mixed strand spaces, in: Proceedings of 12th IEEE Computer Security Foundations Workshop, IEEE, 1999.
- T.Y.C. Woo and S.C. Lam, A semantic model for authentication protocols, in: Proceedings IEEE Symposium on Research in Security and Privacy, 1993.