At the highest level, the thesis is a demonstration that we can automatically generate realistic security protocols which satisfy specifications with not only correctness concerns but also high-level efficiency concerns.
The pipeline of the security protocol synthesis framework is shown in Figure 6.1. We can specify security requirements and efficiency requirements in the protocol specification, then the toolkit:
• searches the design space to find an abstract level protocol which satisfies the requirements,
• refines the generated abstract level protocol to a concrete level,
• introduces an index scheme to prevent type-flaw attacks, and
• generates executable Java code.
The whole process is fully automated.
The approach also allows external protocol verification tools to verify the generated protocols. This allows different ideas of correctness to be checked to give us an even greater confidence in the synthesised security protocols. I have presented a semi-automated integration of Casper (at the concrete level) to demonstrate this.
Automated support in the area of security protocol design has only recently emerged; there would appear to be no papers on the topic prior to the year 2000. As far as I am aware, there are only three techniques in the literature: the heuristic search approach initiated by Clark and Jacob [2000, 2001] and continued by this thesis, the model checking approach of Perrig and Song [2000a,b] and the backward search approach by Zhou and Foley [2003]. The approach reported in this thesis has significant strengths over the other two methods. In particular, it finds protocols satisfying a specification, which includes not only correctness concerns but also efficiency concerns, in at most a few minutes and is able to work with very large protocols (some specifications could not be refined to fewer than 7 messages, for example, the specification of the Amended Needham–Schroeder Symmetric Key Protocol in Table 3.5). This contrasts markedly with the hours of computation time required by the model checking approach to generate even quite small protocols (for example, 4 messages) and also with the backward search approach which treats correctness concerns only.
6.2 Evaluation
Chapter 6 Evaluation and Conclusions
The achievements and novel aspects of each technical chapter in this thesis are identified and assessed below.
6.2.1 Extensions to Full BAN logic
The work of chapter 3 has shown that the heuristic search approach for synthesising symmetric key BAN protocols can be successfully extended to allow public key and hybrid cryptographic schemes. I have experimented with the toolkit on the SPORE library, which now contains 49 security protocols and covers many of the best-known security protocols that appear in the literature. We have been able to specify 38 protocol specifications in BAN logic and generate security protocols that satisfy their specifications. Chapter 3 contributes to the overall thesis by showing that the heuristic search approach is flexible and reliable, and therefore merits further investigation to see if it is able to produce protocols for novel or highly complicated requirements. This chapter uses BAN logic to specify security requirements and generate BAN protocols. I have expanded the previously used subset of BAN logic to allow public key and hybrid protocols to be evolved in this chapter.
A belief logic approach is only as powerful as the logic it implements. If the logic misses certain flaws, or else makes particular assumptions, the user must augment any automated designs that the technique produces with additional checks to ensure adequate security. As far as actual freedom from security flaws is concerned, we are very much at the mercy of the logic we choose. We need now to address weaknesses in the BAN logic itself. BAN logic has some surprising features, for example, technically, a principal may believe in the freshness of a nonce it does not process. The research directly leads to chapter 4, which uses SVO logic to specify security requirements.
Overall, chapter 3 proves and demonstrates that we can use heuristic search to synthesise symmetric, public and hybrid key BAN protocols.
6.2.2 Extensions to SVO Logic
In chapter 4, I extend the framework by using SVO logic, a more realistic belief logic. The security requirements that are specified in SVO logic are more realistic, and more types of security protocols (for example, key agreement protocols reported in section 4.4.3) can be generated by the framework. In the implementation, I have also allowed more complicated beliefs and messages to be communicated, thus giving the toolkit an even richer design space.
This extension has proved that the heuristic search approach is flexible and can be used with different logics. More importantly, it has also proved that the approach is still efficient when it is applied to larger and more sophisticated logic systems. I have used SVO logic to specify 40 out of the 49 protocols in the online SPORE cryptographic protocols library; the framework succeeded on 39 of these protocols. It failed only on the deduced specification for the TMN protocol, whose specification has over-ambitious goals, whilst the assumptions are too weak. The original TMN protocol fails too. This suggests that the specification is not feasible. This extension is important and a key link in the pipeline for synthesising security protocols. It not only gives greater confidence in the practical security of synthesised security protocols but also opens a door to the automated refinement of these protocols.
6.2.3 Incorporating Efficiency Concerns
Research in security protocols has largely focused on the correctness, that is security, of protocols, and there is very little published discussion on the efficiency of protocols. The work reported in chapter 4 is a demonstration that efficiency concerns can be incorporated into the automated design of security protocols; no such framework existed in the literature prior to this research, and the primary objective is to show that such a framework is possible.
The research in chapter 4 contributes to the overall thesis by showing that efficiency concerns can be incorporated into the search process itself. This chapter presents a collection of fitness functions for expressing efficiency concerns (in terms of number of messages, encryption rounds and principal interactions) and ways of determining how these concerns have been achieved.
I have experimented with the framework on various security protocol specifications in section 4.4. In these experiments, I have used different efficiency parameters for each setting of correctness concerns to investigate how efficiency concerns may affect the search. The results have proved that the toolkit has been able to synthesise security protocols which satisfy efficiency requirements as well as correctness requirements. For each of the different efficiency criteria, the toolkit produces a suitable security protocol.
Overall, chapter 4 demonstrates that we can use heuristic search to synthesise SVO protocols, whose specification includes both correctness concerns and high level efficiency concerns.
6.2.4 Refinement of Security Protocols
Security protocol idealisation is a widely acknowledged problem of BAN-like belief logics. In chapter 5, I have presented a rule-based refinement approach to bridge the gap between idealised protocols and concrete level protocols and generate concrete level protocols from abstract level SVO protocols. I have also explained how to prevent type-flaw attacks on concrete protocols, how to refine the generated concrete protocols further to code level implementations and how to plug verification tools into the protocol design synthesis framework.