In this paper we have presented a protocol for providing authenticated, authorized com- munication while upholding anonymity. The protocol effectively detects and prevents sybil attacks, and provides non-linkable messages as well. Our contributions are confirmed by ful- fillment of objectives:
1. In step four of phase 1, the act of sending the blinded hash tail in combination with proof of identity to an authority fulfills this objective.
2. Abstracting user identity by use of group credentials, with support of the blind signature exchange allows a user to prove his authorization without revealing the credential.
3. Obfuscation of user hash links removes the ability to derive other links with a hash. We verify this in global claim three.
4. In section 5.3 we formally verify the aptitude of our protocol to detect and withstand sybil attacks, as well as resolve all false positives, that do not replay exterior credentials.
5. We have explained our use of SPIN and presented the results of formally verifying claims. 6. We discuss the capabilities of our protocol to accommodate a changing physical envi- ronment of an ad hoc network in section 6.3.
Despite having propitious qualities, our protocol has some limitations and challenging re- quirements needing consideration in future work. Most troubling is the assumption of syn- chronized group credentials, since acting as enforcement it is not in the interest of neighboring nodes. Devising an effective method to detect sybil attacks without group formation may also remove considerable overhead. The most limiting restriction of our protocol may not be the practicality, but rather the toll on resources and time. In anticipation of use in sensor networks we seek to make the protocol less taxing on resources. Sensor nodes are currently un-
able to accommodate the computationally expensive practice of public key infrastructure. An anonymous key pair may provide an alternative means[(20)]. Capacities for storing previous messages is also a concern in sensors.
If a recipient respectively receives L4, L2, L3, then L3 will be rejected because all previous pseudonyms were expired by his witness to lower link L2. [(3)] presents a solution for receiving disordered credentials that may remedy the issue in our protocol as well. We seek a deeper analysis of how collusion may impact the protocol, either among multiple malicious partici- pants, or a traitor who exposes credentials meant to be kept private. We wish to analyze this formally with model checking, in addition to checking replay attacks as mentioned in section 6.2.2.
APPENDIX A. SOURCE CODE
Promala source code; both for two users and two recipients.
Code segment 1
/*
* Vailidate & Register - segment1.pml
* This file combines Phase I and Phase II into a single execution model. This decision is
* valid since the overarching global claims only pertain to these two phases and cannot * be violated one exited.
*/
#define NUM_As 2 /* number of Amabssador processes instances */ #define NUM_Us 2 /* number of User processes instances */
byte pkA, pkU, Cgw, nix; /* nix is a null value of no significance*/
chan cUA = [NUM_Us] of {byte, byte, byte, byte, byte, byte};
/*
* User - generic node */
proctype User (byte self, prikU, nU, kU) /* #1 (nU), #12(kU) */
{
byte skU, gidU, zU, cg0, cgw; /* values received */
byte Cs, Bu, Bs;
byte Lt; /* #2*/
if /* choose a group ambassador */ ::ambU=20;
::ambU=21; ::ambU=22; fi;
byte pk_ambU = ambU*10+3; /* retreive ambassador’s public key */
sendBu:
cUA ! ambU, self, Bu, pkA, nix, nix; /* #4: Send [dest], {Uid, CertU, Bu}PubkA */
cUA ?? eval(self), eval(ambU), Bs, _, _, _;
confirmCs:
assert(Bs); /* # ensure Bs is signed (Bs==1)*/ Cs = Bs; /* #10 verify Cs = {Cn}skA */
printf("have signed credential %d\n",Cs); register:
cUA ! ambU, nU, Cs, Cn, kU, pkA; /* #12 Send to A: [Aid], {Cn, {Cn}PrikU, kU}PubKa */ printf("sent\n");
cUA ?? eval(nU), gidU, zU, cg0, cgw, eval(kU); /*#15: eval(kU) implies decryption */ printf("got group credentials\n");
/*
* Ambasssador - group authority */
proctype Amb(byte self, prikA, pubkA) {
byte gid, Cg0; /* values generated */ byte sndr1, nu, cn; /* values received */ byte ku, zu, cs, bu; /* values generated */
end: do :: atomic {
cUA ?? <eval(self), sndr1, bu, eval(pkA)> -> if
:: cUA ?? eval(self), sndr1, eval(0), eval(pkA), _, _; /* #5 can decrypt with skA*/ printf("signature requested");
/* A learns Bu and certU*/
authenticate: /* #6 verifies U with CertU */ sign:
bu=1; /* #7 A signs Bu to produce Bs */ printf("signed\n");
cUA ! sndr1, self, bu, nix, nix, nix; /* #8: send [uid, Aid, null],{Bs}pkU to U */
sndr1=0;
:: cUA ?? eval(self), nu, eval(1), cn, ku, eval(pkA);
/* #13 eval(1) verifies: Cn=={Cn}PriKa. Proves Cs was signed by self. */ register:
cUA ! nu, gid, zu, Cg0, Cgw, ku; /* #14: send to nu_owner: nU, {gid, zu, Cg0, Cgw}kU*/ fi; cn=0; } od } /*
* initiate - misison control */ init { atomic { run User(01, 014, 015, 016); run Amb(20, 204, 203); run User(02, 024, 025, 026); run Amb(21, 214, 213); } } /* prefixes: Users:0 Recs: 1 Ambassadors:2 suffixes pk:3
sk:4 nonce:5 kX:6 */ . Code segment 2 /* * segment2_test.pml
* For testing protocol specific claims with claims/_.ltl files. * Segment 2 models the behavior of phases I and II.
* #x corresponds to the step number in the diagram */
#define NUM_Us 2 /* number of U process instances to run */
#define NUM_Rs 2 /* number of R process instances to run */
#define PROTECT_PREV 0 /* boolean to determine U’s behavior in releasing kU */ #define MAX_MESSAGESU 2 /* max # of messages each U can send */
/* constant to check if a process instance has a message waiting in channel UR */ #define mail4U cUR ?? [eval(self), Cv__kU, m, gidU, nr, skR]
byte regTail[5]; /* current registered tail of each user */ byte lastKey[5]; /* most recent expired key of each user */ byte gidu[5]; /* group id a respective member belongs to */
mtype = {M,/* generic message content */ APEAL,/* appeal to ambassador */
CHNINIT,/* initiate new user hash chain */ ACPT,/* sybil appeal acceptence message */
SCHAL,/* sybil challenge message */
SYBL}; /* indication of sybil attack */
byte pkA, pkU, pkR, skA, skR, gid_Cgj, nix;
byte sybil_chal; /* quantity of unresolved sybil challenges active */ byte u_done=0; /* quantity of terminated user instances */
byte r_term=0; /* quantity of terminated receiver processes */
bit newChain=0; /* indicates action of reregistered chain,
* only allow one chain, reduces state space */
bit crit=0; /* critical section indicate */
/* bidirectional communication channels between processes. The capacity of
* channel cUR must be manually modified; it should accommodate (NUM_Us*NUM_Rs) */
chan cUA = [NUM_Us] of { byte, byte, mtype, byte, byte, byte, byte, byte}; chan cAR = [NUM_Rs] of { byte, byte, byte, byte, byte, byte, byte, byte, byte}; chan cUR = [2] of { byte, byte, mtype, byte, byte, byte};
/*
* "method to send messages on channel cUR
* input: recurrence, self:sender, m:message, gidu:sender gid, lgv:new group link
* cv__ku: obfuscated user credential, j:sender message counter, ue:senders u_empty variable
*/
inline sendUR(recv, self, m, gidu, lgv, cv__ku, j,ue) {
cUR ! recv, self, m, gidu, lgv, cv__ku;
/* user checks if it has exhausted the number of messages allowed */ if :: (j<=0) -> ue=1; u_done++; :: else fi; } /*
* User - generic node who initiates communication */
proctype User (byte self, prikU, nU) {
byte sc=0; /* indicates if is resolving sybil challenge*/
bit u_empty=0; /* whether U has reached the maximum sending limit */ byte zU, gidU; /* assigned values from A */
byte kU, ambU, Cv, Cn, lgv, Cv__kU,i, LtU; /* values generated or derived from knowledge */
byte nr, cv__kU; /* values received from channel */
mtype m; /* message holding value */
/* choose available ambassador */ if :: ambU=20; /*:: ambU=21; */ fi; zU = self; kU=self; Cv__kU = self; gidU = ambU; i=MAX_MESSAGESU;
do :: atomic{
if
/* poll channel for mail addresses to user */
:: cUR ?? [eval(self), cv__kU, m, gidU, nr, skR] ->
cUR ?? eval(self), cv__kU, m, gidU, nr, skR;
if ::(m==SCHAL)-> if :: !PROTECT_PREV -> sc++; releasekU:
cUA ! ambU, zU, APEAL, Cv__kU, nr, gidU, kU, LtU;
cUR ?? eval(self), cv__kU, eval(ACPT), gidU, eval(nr), skR; sybil_chal--;
sc--;
kU++; Cv__kU++;
/* enable linkability validation. In this case U declines to respond to a sybil challenge to protect message dissociation */
:: PROTECT_PREV ->
sybil_chal--; /* decrement gobal chellange counter */ sc--; /* reduce count of outstanding challenges*/ kU++; Cv__kU++; /* symbollically change key*/ fi;
fi;
* for each instance Reveiver process. */
:: (u_empty==0 && nfull(cUR)&& !mail4U)->
sendUR(10, self, M, gidU, lgv, Cv__kU, i, u_empty); :: (u_empty==0 && nfull(cUR) && !mail4U)->
sendUR(11, self, M, gidU, lgv, Cv__kU, i, u_empty); /* :: (u_empty==0 && nfull(cUR) && !mail4U)-> sendUR(12, self, M, gidU, lgv, Cv__kU, i, u_empty); */
/* attempt to send repeated message to recipient with id 10. He should detect this
* to be a sybil attack.
*/
:: (u_empty==0 && nfull(cUR) && sc<=1 && sybil_chal<NUM_Us-1)-> sendUR(10, self, SYBL, gidU, lgv, Cv__kU, i, u_empty);
/* #16. initialize new chain with ambassador*/
:: (u_empty==0 && nfull(cUA) && !newChain && !crit && !mail4U)-> LtU++;
cUA ! ambU, zU, CHNINIT, Cv__kU, 0, gidU, LtU, pkA;
cUA ?? eval(zU),ambU, m, cv__kU, _, gidU, _, _;
i--;
if
:: (i<=0) -> u_empty=1; newchain:u_done++; :: else
fi;
newChain=1; /* indicate a new user chain has been registered */
/* group chain changes*/ /*
:: if
::(gidU != 21) -> gidU=21; fi;
*/
fi;
}
od unless { u_empty && sc==0 && r_term>=NUM_Rs};
/* valid end state with sanity checks
* entered when no messages are left to send, pending cybil challenges are resolved, and * all recievers are terminated to ensur eno further chalenges can be issued.
*/ end:
assert(u_empty);
assert (u_done >=NUM_Us); assert(empty(cUR)); assert(empty(cUA)); assert(empty(cAR)); assert (i ==0);
printf("U DONE %d\n",self); }
/* end proctype User */
/*
* Reveiver - message recipient */
proctype Receiver(byte self, prikR, nR) {
mtype mv; /* stores new message */
do :: atomic{ if
:: cUR ?? [eval(self),sndrU, mv, gidu, lgv, cvu__kU] ->
cUR ?? eval(self), sndrU, mv, gidu, lgv, cvu__kU; /* #5 can decrypt with skA*/
lastKey[sndrU]=cvu__kU; /* store last expired user pseudonym */ receive:
if
/* sender attempted sybil attack */ :: (mv==SYBL) ->
if
::assert(gidu[sndrU]==0 || gidu[sndrU]==gidu) -> sybil_chal++;
cUR ! sndrU, cvu__kU, SCHAL, gidu, nR, prikR; /* #23. send sybil challenge */
::(gidu[sndrU]!=gidu) -> printf("Breach"); fi; :: (mv!=SYBL) -> printf("OK"); fi;
gidu[sndrU]=gidu; /* store group of sender */
/* poll for appeal message from ambassadors */
:: nfull(cUR) && cAR ?? [eval(nR), sndrA, gidu, lgv, cvu__kU, ku, skA, pkR] -> cAR ?? eval(nR), sndrA, gid, lgv, cvu__kU, ku, skA, pkR, sndrU;
/* non-deterministacally decide whether to enact a cirtical-period */ if
::crit -> crit=0; /* if in critical period, end restriction*/ ::crit=1
fi;
fi;
}
od unless {(sybil_chal==0) && (u_done>=NUM_Us) && (empty(cUR)) };
/* break do-loop and enter end state when all network sybil challenges are resolved, all
* users are done sending, and the channel between U and R isi emptied.
*/ end: r_term++; printf("R DONE"); assert (sybil_chal==0); assert (u_done>=NUM_Us); assert (empty(cUR) ); } /*
* Ambasssador - group authority */
proctype Amb(byte self, prikA) {
byte n1, lgv, gid, k1, cvu__kU, zu, ltu, ltv; mtype m; end: do :: atomic { if
/* poll for fresh chain registration*/
::cUA ?? [eval(self), zu, eval(CHNINIT), cvu__kU, n1, gid, ltv, eval(pkA)]-> cUA ?? eval(self), zu, eval(CHNINIT), cvu__kU, n1, gid, ltv, eval(pkA);
regTail[zu] = ltv;
cUA ! zu, self, M, cvu__kU, 1, gid, ltv, pkA;
/* poll for sybil challenge appeal*/
:: cUA ?? <eval(self), zu, eval(APEAL), cvu__kU, n1, gid, lgv, ltu>->
cUA ?? eval(self), zu, eval(APEAL), cvu__kU, n1, gid, lgv, ltu;/* #25 check [i][Cn] */ assert(regTail[zu] == ltu); /* #26 ensure currnt tail is accurate*/
accptPlea:
cAR ! n1, self, gid, lgv, cvu__kU, k1, prikA, pkR, zu; /* #27 refer U’s plea to R */
fi; } od; }
/*
* initiate - misison control */
init {
sybil_chal=0; atomic { run User(01, 014, 015); run Receiver(10, skR, 105); run User(02, 024, 025); run Receiver(11, skR, 115); run Amb(20, 204); } } /* prefixes: Users:0 Recs: 1 Ambassadors:2 suffixes: pks:3 sks:4 nonce:5 */ .
BIBLIOGRAPHY
[1] D. Chaum. Security without Identification: Transaction Systems to Make Big Brother Obsolete.
Communications of the ACM, Vol. 28, Iss. 10, pp. 1030-1044, 1985.
[2] D. Chaum. Blind signatures for untraceable payments. Advances in Cryptology: Proceedings of
Crypto, Vol. 82, pp. 199-203, 1982.
[3] W. Lou and K. Ren. Privacy-enhanced, attack-resilient access control in pervasive computing
environments with optional context authentication capability. Mobile Networks and Applications,
Vol. 12, Iss. 1, pp. 79-92, 2007.
[4] G. Holzmann. The Spin Model Checker: Primer and Reference Manual. Boston: Addison-Wesley,
2003.
[5] P. Maggi and R. Sisto. Using Spin to Verify Security Properties of Cryptographic Protocols.Lecture
Notes In Computer Science, Vol. 2318, pp. 187-204, 2002.
[6] R. Babbitt. A service-oriented privacy model for smart home environments, 2007.
[7] T. Zhou, R. Choudhury, P. Ning, K. Chakrabarty. Privacy-Preserving Detection of Sybil Attacks
in Vehicular Ad Hoc Networks.Mobile and Ubiquitous Systems: Networking & Services, 2007.
[8] P. Santi. Topology control in wireless ad hoc and sensor networks. ACM Computing Surveys, Vol.
37, No. 2, 2005.
[9] E. Clarke, O. Grumberg, D. Long. Model checking and abstraction.Proceedings of the 19th ACM
SIGPLAN-SIGACT symposium on Principles of programming languages, pp. 343-354, 1992.
[10] P.K. Mohapatra. Public key cryptography.Crossroads, Vol. 7, Iss. 1, pp. 14-22, 2000.
[12] J.P. Hubaux and M. Raya. The security of vehicular ad hoc networks.Proceedings of the 3rd ACM workshop on Security of ad hoc and sensor networks, pp. 11-21, 2005.
[13] Webster’s New Millennium Dictionary of English, Preview Edition (v 0.9.7). Lexico Publishing Group, LLC, 2007.
[14] A. Russell. Necessary and Sufficient Conditions for Collision-Free Hashing.Abstracts of Crypto 92,
pp.10-22, 1992.
[15] A. Lysyanskaya, R. Rivest, A. Sahai, S. Wolf. Pseudonym Systems. Lecture Notes In Computer
Science, Vol. 1758, pp. 184-199, 1999.
[16] G. Lowe. Casper: A Compiler for the Analysis of Security Protocols.Journal of Computer Security,
No. 6, pp. 53-84, 1998.
[17] S. Schneider and R. Delicta. Verifying Security Protocols: an application of CSP.IEEE Transac-
tions on Software Engineering, Vol. 24, Iss. 9, pp. 741-758, 1998
[18] S. Merz. Model Checking: A Tutorial Overview. Lecture Notes In Computer Science; Proceedings
of the 4th Summer School on Modeling and Verification of Parallel Processes, Vol. 2067, pp. 3-38, 2000.
[19] Kerberos. http://www.mit.edu/ kerberos/, April 2008.
[20] A. Lysyanskaya. Authentication without Identification. Security & Privacy, IEEE, Vol. 5, Iss. 3,
pp. 69-71, 2007.
[21] A. Broder and M. Mitzenmacher. Network Applications of Bloom Filters: A Survey Internet
Mathematics, Vol. 1, No. 4, pp.485-509, 2005.
[22] S. Basu and S. Smolka. Model Checking the Java Meta-locking Algorithm.ACM Transactions on
Software Engineering and Methodology (TOSEM), Vol. 16, Iss. 3, 2007.
[23] M. Abadi, B. Blanchet, C. Fournet. Just fast keying in the pi calculus ACM Transactions on