
3.2 Respective background

3.2.5 Security verification

Security protocols are used to ensure properties such as forward secrecy, anonymity, untraceability, etc. To avoid possible threats, the design process of such protocols must be infallible. Moreover, not all security flaws can be identified through testing, since some may only manifest in the presence of an adversary [181]. Therefore, security verification is an essential step before protocol deployment. The work within this chapter is verified through both BAN logic [182] and the Tamarin prover [42]. For the sake of presentation, the introduction to Tamarin is given in Appendix A.

BAN logic

The secrecy evaluation of security protocols ensures that an adversary cannot obtain or alter secret parameters. In this regard, the logic proposed by Burrows, Abadi and Needham (BAN) [182] is a widely used secrecy verification tool. However, some weaknesses were identified, and several works, such as [183–186], proposed extended and more reliable versions. For the security verification of the protocols in this thesis, the Mao and Boyd (MB) logic [186] is used.

Formal proofs are deduced using a set of initial beliefs and rules, and are based upon the message exchange within the protocol. The protocol analysis using MB logic consists of 3 steps: i) the protocol definition is converted to an idealised form, which includes syntax and logic interpretation; ii) the idealised version of the protocol must follow several definitions and rules, which are described below; and iii) the manipulation begins with a set of initial assumptions that specify the protocol and are used to derive a set of conclusions. As an example, when analysing a key-distribution protocol one may aim for the conclusion $A \xleftrightarrow{k} B$. The meaning of this expression is: k is a good shared secret between A and B. The full notation of MB logic is described later in this section.

The protocol message idealisation is used to interpret the implicit context-dependent information into explicit protocol specification. As mentioned, messages and interactions within a protocol should be idealised using several definitions and rules:

Definitions:

1. Atomic message: a piece of data within the protocol that constructs a message without using any of the following symbols: “,”, “|”, “R”, “()”, “{}”.

2. Challenge: a non-timestamp atomic message that is sent by an agent (its originator) on one line of the protocol specification and received by the same agent on a different line.

3. Replied challenge: a challenge that appears in a line intended for the challenge’s originator.

4. Response: a non-timestamp atomic message sent together with a replied challenge.

5. Nonsense: an atomic message that is neither a timestamp, a challenge nor a response.

Rules:

1. Nonsenses are removed.

2. Atomic messages that appear to be both a challenge and a response in the same line are considered to be a response.

3. Challenges that are separated by a comma are combined using the “|” operator.

4. Responses that are separated by a comma are combined into a combined response using the “|” operator.

5. A challenge and its response are combined using the “R” operator.

6. A message and its corresponding timestamp are combined using the “R” operator.

In order to illustrate the meaning of the definitions above, a simple example of 2-party communication is considered here:

1. Alice → Bob : $\mathit{ID}_A,\ m,\ \mathit{nonce}_A,\ \mathit{TS}_A$

2. Bob → Alice : $\mathit{ID}_B,\ \mathit{nonce}_B,\ \{\mathit{nonce}_A,\ \mathit{TS}_B,\ k_2\}_{k_1}$

3. Alice → Bob : $\{\mathit{nonce}_B\}_{k_2}$

Note that $\{\cdot\}_k$ denotes encryption using key k. In the example above, $\mathit{nonce}_A$ is a challenge in the first message and a replied challenge in the second. Similarly, $\mathit{nonce}_B$ takes the role of a challenge in the second message and of a replied challenge in the third. Next, $k_2$ is a response to the challenge $\mathit{nonce}_A$. Finally, $\mathit{TS}_A$ and $\mathit{TS}_B$ are timestamps, whereas m is a nonsense within this example. Following the rules, the idealised version of the communication protocol defined above is given as:

1. Alice → Bob : $\mathit{ID}_A,\ \mathit{nonce}_A\,R\,\mathit{TS}_A$

2. Bob → Alice : $\mathit{ID}_B,\ \mathit{nonce}_B,\ \{k_2\,R\,\mathit{nonce}_A\,R\,\mathit{TS}_B\}_{k_1}$

3. Alice → Bob : $\{\mathit{nonce}_B\}_{k_2}$

The following differences can be seen in the idealised version compared to the initial one: the nonsense m is removed from the first message; again in the first message, $\mathit{nonce}_A$ is combined with the corresponding timestamp $\mathit{TS}_A$ using the “R” operator; in the second message the operator “R” combines the response $k_2$ with its corresponding challenge $\mathit{nonce}_A$, which in turn is combined with the timestamp $\mathit{TS}_B$.

$A \mid\!\equiv X$ : A believes X is true
$A \mathrel{/} m_k$ : A sees m using key k (if not encrypted, $A \mathrel{/} m$)
$A \mid\!\sim_k m$ : A encrypts m using key k
$\#(m)$ : m is of type fresh
$A \xleftrightarrow{k} B$ : k is a good shared key between A and B
$A \mathrel{/\|} m$ : m is not available to A
$\mathrm{sup}(S)$ : S is a super-principal

Figure 3.4: Notation of the MB logic for protocol analysis.
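The idealisation procedure above can be mechanised. The following Python script is an added example, not part of the thesis, that applies Definitions 1–5 and Rules 1–6 to the 2-party protocol and reproduces the idealised messages; it assumes that atoms named TS… are timestamps, that ID… atoms are principal identifiers left untouched (as the idealised version in the text does), and that "sent together" in Definition 4 means "inside the same comma-separated group".

```python
# Added example (not the thesis's code): mechanises idealisation Definitions
# 1-5 and Rules 1-6 above for the 2-party protocol in the text. Assumptions:
# a message is a list of fields, each an atom (str) or ("enc", key, [fields])
# for {...}_key; atoms starting "TS" are timestamps; atoms starting "ID" are
# identifiers kept untouched (the text keeps ID_A and ID_B); "sent together"
# (Def. 4) means "inside the same comma-separated group".

def atoms(fields):  # flatten a message, including the contents of encrypted fields
    return [a for f in fields
            for a in (atoms(f[2]) if isinstance(f, tuple) else [f])]

def idealise(protocol):
    """protocol: list of (sender, receiver, fields). Returns the idealised lines."""
    origin = {}  # atom -> (line it was first sent on, sender)
    for i, (snd, _, fields) in enumerate(protocol):
        for a in atoms(fields):
            origin.setdefault(a, (i, snd))
    # Def. 2: a challenge is a non-timestamp atom its originator receives back later
    challenges = {a for i, (_, rcv, fields) in enumerate(protocol) for a in atoms(fields)
                  if not a.startswith("TS") and origin[a][1] == rcv and origin[a][0] < i}
    def group(fields, i, rcv):  # idealise one comma-separated group
        flat = [f for f in fields if isinstance(f, str)]
        ids = [a for a in flat if a.startswith("ID")]
        ts = [a for a in flat if a.startswith("TS")]
        # Def. 3: a replied challenge sits in a line intended for its originator
        replied = [a for a in flat if a in challenges and origin[a][1] == rcv]
        rest = [a for a in flat if a not in ids + ts + replied]
        if replied:  # Def. 4 and Rule 2: atoms beside a replied challenge are responses
            resp, chall = rest, []
        else:        # Rule 1: what is neither challenge nor timestamp is nonsense, dropped
            resp, chall = [], [a for a in rest if a in challenges]
        parts = ["|".join(x) for x in (resp, replied, chall) if x]  # Rules 3 and 4
        combined = " R ".join(parts + ts)                           # Rules 5 and 6
        out = ids + ([combined] if combined else [])
        for f in fields:  # encrypted components are idealised recursively
            if isinstance(f, tuple):
                out.append("{" + ", ".join(group(f[2], i, rcv)) + "}_" + f[1])
        return out

    return [f"{i + 1}. {snd} -> {rcv} : " + ", ".join(group(fields, i, rcv))
            for i, (snd, rcv, fields) in enumerate(protocol)]

EXAMPLE = [  # the protocol from the text, as constructed input
    ("Alice", "Bob", ["ID_A", "m", "nonce_A", "TS_A"]),
    ("Bob", "Alice", ["ID_B", "nonce_B", ("enc", "k1", ["nonce_A", "TS_B", "k2"])]),
    ("Alice", "Bob", [("enc", "k2", ["nonce_B"])]),
]

if __name__ == "__main__":
    print("\n".join(idealise(EXAMPLE)))
```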

Following the above rules and definitions, security properties are modelled through inference rules using the notation in Fig. 3.4. Furthermore, denoting principals as A, B; messages as m; keys as k; and formulas as X and Y, the inference rules used for the purpose of this thesis are:

Authentication rule:

$$\frac{A \mid\!\equiv A \xleftrightarrow{k} B \;\wedge\; A \mathrel{/} m_k}{A \mid\!\equiv B \mid\!\sim_k m}$$

meaning, if k is a good shared key between A and B (i.e., it has not been leaked) and A uses key k to decrypt m, then A can believe that B is the one who encrypted m.

Confidentiality rule:

$$\frac{A \mid\!\equiv A \xleftrightarrow{k} B \;\wedge\; B^C \mathrel{/\|} m \;\wedge\; A \mid\!\sim_k m}{A \mid\!\equiv \{A,B\}^C \mathrel{/\|} m}$$

meaning, if k is a good shared key between A and B, the complement of the set B cannot see m, and A used k to encrypt m, then A believes that the complement of the union of A and B cannot see m; that is, m can be seen only by A and B.

Fresh rule:

$$\frac{A \mid\!\equiv \#(m) \;\wedge\; A \mathrel{/} n\,R\,m}{A \mid\!\equiv \#(n)}$$

meaning, if m is of type fresh and n is a response to m, it follows that n is also of type fresh.

Good-key rule:

$$\frac{A \mid\!\equiv \{A,B\}^C \mathrel{/\|} k \;\wedge\; A \mid\!\equiv \#(k)}{A \mid\!\equiv A \xleftrightarrow{k} B}$$

meaning, if A and B are the only agents that can see k and k is of type fresh, it follows that k is a good shared key between A and B.

Nonce verification rule:

$$\frac{A \mid\!\equiv \#(n) \;\wedge\; A \mid\!\equiv B \mid\!\sim_k n}{A \mid\!\equiv B \mid\!\equiv A \xleftrightarrow{k} B}$$

meaning, if n is fresh and B used the key k to encrypt n in the current protocol run, it follows that B believes k is a good shared key between A and B.

Super-principal rule:

$$\frac{A \mid\!\equiv B \mid\!\equiv X \;\wedge\; A \mid\!\equiv \mathrm{sup}(B)}{A \mid\!\equiv X}$$

meaning, A unconditionally trusts B’s beliefs, in this case X, and this holds as long as A considers B the super-principal w.r.t. X.

Belief axiom 1:

$$\frac{A \mid\!\equiv X \;\wedge\; A \mid\!\equiv Y}{A \mid\!\equiv (X \wedge Y)}$$

meaning, A believes X and A believes Y; therefore A believes the set of formulas (X, Y).

Belief axiom 2:

$$\frac{A \mid\!\equiv X \;\wedge\; A \mid\!\equiv X / Y}{A \mid\!\equiv Y}$$

meaning, A believes X and A believes X implies Y; therefore A believes Y.
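The inference rules can likewise be exercised mechanically. The following Python script is an added example, not part of the thesis, that encodes the authentication, fresh, good-key and nonce-verification rules and closes a set of initial assumptions about the idealised 2-party protocol under them, reaching $A \mid\!\equiv A \xleftrightarrow{k_2} B$ for Alice and $B \mid\!\equiv A \mid\!\equiv A \xleftrightarrow{k_2} B$ for Bob. The tuple encoding of formulas, the initial assumption that only Alice and Bob can see $k_2$, and the convention that seeing a message means seeing its R-combined components are mine, not the thesis's.

```python
# Added example (not the thesis's code): forward-chaining checker for the
# authentication, fresh, good-key and nonce-verification rules above, run on
# the idealised 2-party protocol. Formulas are tuples: ("bel",P,X) P |≡ X,
# ("sees",P,m,k) P / m_k, ("enc",P,k,m) P |∼_k m, ("fresh",m) #(m),
# ("good",P,Q,k) P ↔^k Q, ("only",P,Q,k) {P,Q}^C /|| k, ("R",n,m) n R m.
# Extra assumption: seeing a message means seeing its R-combined components.

def good(p, q, k):  # P ↔^k Q normalised so both orderings of P, Q coincide
    return ("good",) + tuple(sorted((p, q))) + (k,)

def subterms(m):    # m itself and every component reachable through R
    yield m
    if isinstance(m, tuple) and m[0] == "R":
        yield from (t for part in m[1:] for t in subterms(part))

def step(facts):    # one pass of every rule over the known facts; returns only new facts
    new = set()
    for f in facts:
        if f[0] == "sees":
            p, m, k = f[1:]
            for g in facts:  # Authentication: A |≡ A ↔^k B ∧ A / m_k  =>  A |≡ B |∼_k m
                if g[:2] == ("bel", p) and g[2][0] == "good" and g[2][3] == k and p in g[2][1:3]:
                    new.add(("bel", p, ("enc", g[2][1] if g[2][2] == p else g[2][2], k, m)))
            for t in subterms(m):  # Fresh: A |≡ #(m) ∧ A / n R m  =>  A |≡ #(n)
                if isinstance(t, tuple) and t[0] == "R" and ("bel", p, ("fresh", t[2])) in facts:
                    new.add(("bel", p, ("fresh", t[1])))
        elif f[0] == "bel":
            p, x = f[1], f[2]
            if x[0] == "only" and p in x[1:3] and ("bel", p, ("fresh", x[3])) in facts:
                new.add(("bel", p, good(x[1], x[2], x[3])))              # Good-key rule
            if x[0] == "enc" and ("bel", p, ("fresh", x[3])) in facts:
                new.add(("bel", p, ("bel", x[1], good(p, x[1], x[2]))))  # Nonce verification
    return new - facts

def derive(assumptions):  # close the assumptions under the rules (finitely many terms)
    facts = set(assumptions)
    while new := step(facts):
        facts |= new
    return facts

MSG2 = ("R", ("R", "k2", "nonce_A"), "TS_B")  # idealised content of message 2
ASSUMPTIONS = {                                 # constructed initial beliefs
    ("bel", "Alice", good("Alice", "Bob", "k1")),      # pre-shared k1 is good
    ("sees", "Alice", MSG2, "k1"),                     # Alice decrypts message 2
    ("bel", "Alice", ("fresh", "nonce_A")),            # Alice generated nonce_A
    ("bel", "Alice", ("only", "Alice", "Bob", "k2")),  # assumed: only A and B see k2
    ("bel", "Bob", good("Alice", "Bob", "k2")),        # Bob generated k2 for this run
    ("sees", "Bob", "nonce_B", "k2"),                  # Bob decrypts message 3
    ("bel", "Bob", ("fresh", "nonce_B")),
}
```

Calling `derive(ASSUMPTIONS)` yields, among others, Alice's belief that $k_2$ is fresh and a good key with Bob, and Bob's belief that Alice believes the same; nothing makes $\mathit{TS}_B$ fresh, since no rule above derives it.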