In section 3.1 and section 4.1, I have detailed BAN logic and SVO logic respectively. Thus, we can now discuss and compare various definitions for the security assumptions and goals using belief logic notations.
4.2 Security Protocol Requirements
One of the most important properties of any security protocol is that the protocol should satisfy its security goals. Many researchers have considered the question of what are the appropriate goals for security protocols, mainly in the context of protocol analysis. There is, however, a lack of agreement as to what the desirable goals for security protocols, and what the precise definitions for these goals, should be. This consequently leads to disputes about whether a security protocol is flawed, since researchers may regard security goals differently.
Boyd [1997] reviewed many design goals for security protocols and proposed a classification of them: intensional goals and extensional goals. Intensional goals are generally concerned with ensuring that the protocol runs correctly as specified, whilst extensional goals are concerned with what the protocol achieves for its participants. Boyd suggested that attacks should be measured by whether or not they violate extensional goals even if intensional ones have been used to find the attacks in the first place.
Goals in BAN Logic
BAN logic does not define what security goals a protocol should satisfy. Instead, the original BAN paper merely suggests what may be typical principal final beliefs. The first suggested pair is as follows, where A and B are principals who wish to establish a new key K.
$A \mid\equiv A \stackrel{K}{\longleftrightarrow} B$ (A believes K is a good key for A and B)
$B \mid\equiv A \stackrel{K}{\longleftrightarrow} B$ (B believes K is a good key for A and B)
The above BAN final beliefs require a protocol to establish a fresh session key, known only to the participants in the session and possibly some trusted third parties. They are essentially goals about key establishment rather than entity authentication. The other typical pair of final beliefs are second order beliefs (that is, beliefs about beliefs).
$A \mid\equiv B \mid\equiv A \stackrel{K}{\longleftrightarrow} B$ (A believes B believes K is a good key for A and B)
$B \mid\equiv A \mid\equiv A \stackrel{K}{\longleftrightarrow} B$ (B believes A believes K is a good key for A and B)
Chapter 4 Searching for Efficient and Secure SVO Protocols
These two final beliefs concern key establishment as well. There are no general BAN goals about entity authentication solely. However, during the process of analysing protocols, BAN logic obtains properties that reveal a certain principal is “alive” because it has said a message recently. According to Boyd’s classification, the above four BAN goals are extensional goals.
Other final goals are reasonable, for example, goals concerning public keys. However, there are good key distribution protocols for which some of the above goals are not applicable, for example the Wide Mouthed Frog Protocol [Burrows et al., 1989].
1. $A \rightarrow S : \{T_a, B, K_{ab}\}_{K_{as}}$
2. $S \rightarrow B : \{T_s, A, K_{ab}\}_{K_{bs}}$
The principal A cannot hold any belief about B’s beliefs since he is not the recipient of any message in the protocol.
Goals in SVO Logic
Syverson and van Oorschot [1996] identify six “generic formal goals” for security protocols in the language of SVO logic.
Far-end Operative The far-end operative captures situations where a principal A wants to know whether a participant B is alive. It is expressed as the following formula, where X can be any message.
$A \mid\equiv B \mid\simeq X$
Note that not only should B have sent message X, but also B should have sent it recently.
Entity Authentication The entity authentication of B to A further requires that B said something relevant to their present conversation, or in other words, B should recently reply to a specific challenge. Given some information, $N_a$, known to be fresh to A (for example, a nonce), entity authentication requires that B recently sent a message $F(X, N_a)$ from which it is manifest that B has seen $N_a$ and has processed it. This is captured by the following formula.
$A \mid\equiv (B \mid\simeq F(X, N_a) \wedge \#(N_a))$
The function F is a one-to-one function such that F is computable in practice by B and $F^{-1}$ is computable in practice by A.
Secure Key Establishment The secure key establishment goal indicates that principal A has a certain key K that A believes is good for communication with B.
$A \mid\equiv (A \ni K \wedge A \stackrel{K}{\longleftrightarrow} B)$
Key Confirmation In addition to the secure key establishment, key confirmation requires that A has received evidence confirming that B knows K. It has the following definition.
$A \mid\equiv (A \ni K \wedge A \stackrel{K}{\longleftrightarrow} B \wedge B \mid\simeq F(K))$
Similarly to the case of entity authentication, the function F is effectively one-to-one, computable in practice by B and verifiable by A.
Key Freshness The key freshness goal simply requires that A believes a certain key K is fresh.
$A \mid\equiv \#(K)$
Mutual Understanding of Shared Key The goal of mutual understanding of a shared key applies to situations where A believes that B has recently confirmed that B has a certain key K that B believes is good for communication with A. This is formalised by the following formula.
$A \mid\equiv B \mid\simeq B \mid\equiv A \stackrel{K}{\longleftrightarrow} B$
The role of A and B can be reversed to provide mutual understanding.
The statement of these six generic goals undoubtedly pushes our understanding of authentication forward. However, there are clearly dependencies between various of these six goals. Furthermore, it is not clear why these particular goals are important; for example it might be questioned whether Secure Key Establishment is useful without Key Freshness. A closer look at the goal of entity authentication reveals problems. The intended meaning of Entity Authentication (that is, in SVO notation, $A \mid\equiv (B \mid\simeq F(X, N_a) \wedge \#(N_a))$) is that A believes that B said something in response to the nonce $N_a$, which A generated for the current run of the protocol. However, this goal does not take any of B’s assumptions into consideration. An intruder could have forwarded $N_a$ into a conversation B is having with a third party, say C. B may then authenticate himself to C by sending $F(X, N_a)$ to C. But the intruder could forward $F(X, N_a)$ to A and make A believe B is trying to authenticate himself to A. To be fair to the authors, Syverson and van Oorschot stated in their paper that the six goals are not meant to be taken as a “definitive list of the goals that a key distribution or key agreement protocol should meet”.
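The gap in the Entity Authentication goal can be reproduced from A's side as an acceptance check. This is an added example, not part of the original text: it models B's reply F(X, Na) first as a tag over the nonce alone and then over the nonce plus the peer B believes it is answering. HMAC under B's secret stands in for a digital signature, and the names `Principal`, `a_accepts`, `run` and the peer-binding variant are assumptions of the example.

```python
import hashlib
import hmac
import os


def encode(*fields):
    # Length-prefix each field so distinct field lists never collide.
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


class Principal:
    """Hypothetical principal. HMAC under a private secret stands in for a
    digital signature; verify() plays the role of public verification."""

    def __init__(self, name):
        self.name = name
        self._secret = os.urandom(32)

    def sign(self, *fields):
        return hmac.new(self._secret, encode(*fields), hashlib.sha256).digest()

    def verify(self, tag, *fields):
        return hmac.compare_digest(tag, self.sign(*fields))

    def respond(self, nonce, peer, bind_peer):
        # Unbound: F(X, Na) covers only the nonce, as in the goal's formula.
        # Bound: F also covers the peer B believes it is answering.
        fields = (nonce, peer.encode()) if bind_peer else (nonce,)
        return self.sign(*fields)


def a_accepts(b, nonce, tag, bind_peer):
    """A's check that B answered A's fresh nonce (and, if bound, answered A)."""
    fields = (nonce, b"A") if bind_peer else (nonce,)
    return b.verify(tag, *fields)


def run(b_thinks_peer_is, bind_peer):
    """A issues Na; B answers whoever it believes sent Na; the reply reaches A.
    b_thinks_peer_is="C" models the forwarded-nonce scenario from the text."""
    b = Principal("B")
    na = os.urandom(16)  # constructed fresh nonce for this run
    tag = b.respond(na, b_thinks_peer_is, bind_peer)
    return a_accepts(b, na, tag, bind_peer)


if __name__ == "__main__":
    print("unbound, B answering C:", run("C", bind_peer=False))  # A is misled
    print("bound,   B answering C:", run("C", bind_peer=True))   # A rejects
    print("bound,   B answering A:", run("A", bind_peer=True))   # honest run
```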
The goals of Far-end Operative and Entity Authentication are intensional goals because they are concerned with particular message flows. The others are extensional goals.
4.2.2 Efficiency Requirements
Current research in security protocols has largely focused on the correctness, that is security, of protocols, and there is very little published discussion on the efficiency of protocols (notable exceptions are Boyd and Mathuria [2003] and Gong [1995]). The treatment of efficiency or performance is generally given a low priority and is often rather ad hoc. One possible reason is that security protocols normally involve only a few messages, thus optimisation is not seen as a very urgent requirement. However, as Gong [1995] points out, it is natural and beneficial to investigate whether a protocol that achieves security requirements in a particular environment is also in some sense minimal or optimal. For example, reducing one message from a five-message protocol represents a twenty percent reduction in the number of messages and possibly a similar amount of reduction of the overall running time of the protocol.
Boyd and Mathuria [2003] define two sorts of efficiency: computational efficiency and communications efficiency. Computational efficiency is concerned with the computations that the principals need to engage in to complete the protocol. This will largely depend on the algorithms used to provide the cryptographic services, such as encryption and decryption functions, hash functions and generation and verification of digital signatures. In particular, computations required for public key algorithms are