Abstraction and Refinement in Protocol Derivation
Related papers
A Derivation System for Security Protocols and its Logical Formalization
2003
Many authentication and key exchange protocols are built using an accepted set of standard concepts such as Diffie-Hellman key exchange, nonces to avoid replay, certificates from an accepted authority, and encrypted or signed messages. We introduce a basic framework for deriving security protocols from such simple components. As a case study, we examine the structure of a family of key exchange protocols that includes Station-To-Station (STS), Just Fast Keying (JFK), IKE and related protocols, deriving all members of the family from two basic protocols using a small set of refinements and protocol transformations. As initial steps toward associating logical derivations with protocol derivations, we extend a previous security protocol logic with preconditions and temporal assertions. Using this logic, we prove the security properties of the standard signature based Challenge-Response protocol and the Diffie-Hellman key exchange protocol. The ISO-9798-3 protocol is then proved correct by composing the correctness proofs of these two simple protocols.
A derivation system and compositional logic for security protocols
Journal of Computer Security, 2005
Many authentication and key exchange protocols are built using an accepted set of standard concepts such as Diffie-Hellman key exchange, nonces to avoid replay, certificates from an accepted authority, and encrypted or signed messages. We propose a general framework for deriving security protocols from simple components, using composition, refinements, and transformations. As a case study, we examine the structure of a family of key exchange protocols that includes Station-To-Station (STS), ISO-9798-3, Just Fast Keying (JFK), IKE and related protocols, deriving all members of the family from two basic protocols. In order to associate formal proofs with protocol derivations, we extend our previous security protocol logic with preconditions, temporal assertions, composition rules, and several other improvements. Using the logic, which we prove is sound with respect to the standard symbolic model of protocol execution and attack (the "Dolev-Yao model"), the security properties of the standard signature based Challenge-Response protocol and the Diffie-Hellman key exchange protocol are established. The ISO-9798-3 protocol is then proved correct by composing the correctness proofs of these two simple protocols. Although our current formal logic is not sufficient to modularly prove security for all of our current protocol derivations, the derivation system provides a framework for further improvements.
Formalizing and verifying protocol refinements
ACM Transactions on Intelligent Systems and Technology, 2013
A (business) protocol describes, in high-level terms, a pattern of communication between two or more participants, specifically via the creation and manipulation of the commitments between them. In this manner, a protocol offers both flexibility and rigor: a participant may communicate in any way it chooses as long as it discharges all of its activated commitments. Protocols thus promise benefits in engineering cross-organizational business processes. However, software engineering using protocols presupposes a formalization of protocols and a notion of the refinement of one protocol by another. Refinement for protocols is both intuitively obvious (e.g., PayVia-Check is clearly a kind of Pay) and technically nontrivial (e.g., compared to Pay, PayViaCheck involves different participants exchanging different messages). This paper formalizes protocols and their refinement. It develops Proton, an analysis tool for protocol specifications that overlays a model checker to compute whether one protocol refines another with respect to a stated mapping. Proton and its underlying theory are evaluated by formalizing several protocols from the literature and verifying all and only the expected refinements.
2003
This paper continues the program initiated in , towards a derivation system for security protocols. The general idea is that complex protocols can be formally derived, starting from basic security components, using a sequence of refinements and transformations, just like logical proofs are derived starting from axioms, using proof rules and transformations. The claim is that in practice, many protocols are already derived in such a way, but informally. Capturing this practice in a suitable formalism turns out to be a considerable task.
Proving Authentication Properties in the Protocol Derivation Assistant
2006
We present a formal framework for incremental reasoning about authentication protocols, supported by the Protocol Derivation Assistant (Pda). A salient feature of our derivational approach is that proofs of properties of complex protocols are factored into simpler proofs of properties of their components, combined with proofs that the relevant refinement and composition operations preserve the proven properties or transform them in the desired way. In the present paper, we introduce an axiomatic theory of authentication suitable for the automatic proof of authentication properties. We describe a proof of the authentication property of a simple protocol, as derived in Pda, for which the proof obligations have been automatically generated and discharged. Producing the proof forced us to spell out previously unrecognized assumptions on which the correctness of the protocol depends. Pda has support for collaboration and tool integration. It can be freely downloaded from [5].
A Typed Specification for Security Protocols
2006
Security protocol attacks are known to have various sources, from flawed implementations to running parallel sessions of the same protocol. Because of this attack diversity, it is quite difficult (or impossible) to create an abstract model that is suitable for analyzing a protocol against all possible attacks. However, if we categorize the attacks based on their characteristics, we should be able to create multiple abstract models that simplify the analysis. Therefore, in this paper we identify attacks based on message similarities, which we call "structural attacks", and create an abstract model, based on message component types (session keys, nonces, participants), that is powerful enough to capture the structure of security protocol messages.
Proving Security Protocols Correct
1999
Security protocols use cryptography to set up private communication channels on an insecure network. Many protocols contain flaws, and because security goals are seldom specified in detail, we cannot be certain what constitutes a flaw. Thanks to recent work by a number of researchers, security protocols can now be analyzed formally.
Pattern-based abstraction for verifying secrecy in protocols
International Journal on Software Tools for Technology Transfer, 2006
We present a method based on abstract interpretation for verifying secrecy properties of cryptographic protocols. Our method allows secrecy properties to be verified in a general model allowing an unbounded number of sessions, an unbounded number of principals and an unbounded size of messages. As abstract domain we use sets of so-called super terms. Super terms are obtained by allowing an interpreted constructor, which we denote by Sup, where the meaning of a term Sup(t) is the set of terms that contain t as a sub-term. For these terms, we solve a generalized form of the unification problem and introduce a widening operator. We implemented a prototype and were able to verify well-known protocols such as Needham-Schroeder-Lowe (0.03 sec), Yahalom (12.67 sec), Otway-Rees (0.01 sec) and Kao-Chow (0.78 sec).
Lecture Notes in Computer Science, 2007
We propose a general transformation that maps a protocol secure in an extremely weak sense (essentially in a model where no adversary is present) into a protocol that is secure against a fully active adversary which interacts with an unbounded number of protocol sessions, and has absolute control over the network. The transformation works for arbitrary protocols with any number of participants, written with usual cryptographic primitives. Our transformation provably preserves a large class of security properties that contains secrecy and authenticity.
Stepwise development of security protocols
Proceedings of the 2004 ACM workshop on Formal methods in security engineering - FMSE '04, 2004
We propose a novel multi-layer paradigm for the design of key exchange protocols. In the top layer, protocols are specified in a high-level, declarative, formal language using speech acts as the basic building blocks. The declarative semantics of speech acts are specified by their preconditions and effects, as in Hoare logics. A protocol logic, called ProtoLog, is developed for reasoning about speech act oriented protocols. Using the language of speech acts, protocol designers can develop their protocols in a modular and compositional way so that they are correct from the outset. High-level speech act-oriented protocols are automatically translated into lower-level message exchanging protocols by a "protocol compiler" that implements speech acts by sending and receiving appropriate encrypted messages. To demonstrate the applicability of our idea, we apply it to the class of well-designed key exchange protocols, where a protocol is well-designed if a speech act is executed only if its preconditions are satisfied. We develop a "protocol compiler" for the class of well-designed protocols and prove the soundness and a limited form of completeness of the protocol logic ProtoLog with respect to the translation implemented by the compiler, under the Dolev-Yao assumption of perfect cryptography. An immediate corollary of the soundness result is the guarantee of the secrecy of exchanged keys (an essential security requirement of key exchange protocols) in well-designed protocols.