2.3 Verification Techniques
There is a rich history of research on formal verification and on reasoning about security protocols. This section reviews some well known formal verification techniques (those relevant to this thesis) which have been developed to prove that a protocol specification satisfies certain security goals.
The techniques can be divided into three major categories: techniques based on modal logic, techniques based on state machines, and the computational complexity approach. To begin with, I will review the Dolev-Yao model, because the first two categories both incorporate at least some aspects of the work of Dolev and Yao [1983]; detailed reviews of each of the three categories follow.
In the Dolev-Yao model, the network is assumed to be under the control of an adversary: all messages sent from any honest principal to any other must pass through the adversary. The adversary can read, alter, redirect and delete any or all messages, and may have control of one or more network principals. However, it is assumed that cryptographic operations are used in a black box fashion, ignoring various cryptographic properties: the adversary can only decrypt a message if it has the right keys, and can only compose new messages from keys and messages that it already possesses.
2.3.1 Techniques Based on Modal Logic
One of the most commonly followed approaches is to use logics of belief and knowledge to reason about security protocols. Such logics consist of various statements of beliefs in or knowledge about messages in a security protocol and inference rules for deriving new beliefs or knowledge from existing beliefs or knowledge. The greatest amount of effort has been expended in the use of belief logics and it is to this that we turn our attention first.
The seminal work of this approach, and perhaps the best known and most influential, was developed by Burrows, Abadi and Needham in 1989 [Burrows et al., 1989]. BAN logic focuses on the beliefs that can be held by honest principals involved in security protocols and on the evolution of these beliefs as a consequence of communication throughout the course of a protocol. For example, one BAN belief, stated informally, would be: “If I believe I have received a message encrypted with key K, and I believe that only Alice and I know the key K, then I believe that the message was originated by either Alice or me.” In an analysis of a protocol, a set of initial beliefs is assumed. Each message in the protocol is represented by the set of beliefs it is meant to convey. An analyst then uses BAN inference rules to determine what beliefs can be derived from the initial beliefs and the beliefs gained from messages. BAN inference rules are simple and intuitive and are very easy to apply. Even so, as the BAN paper demonstrated, the logic can be used to identify many serious flaws in security protocols.
Chapter 2 Design of Security Protocols
The use of BAN logic forces the analyst to explicitly identify assumptions and provides a means of deriving what is actually achieved by the protocol. To achieve specific security goals, the analyst may be forced to adopt dubious assumptions. Thus, for example, the Needham-Schroeder Symmetric Key Protocol can be “proved” secure, but only if a dubious assumption is made about the freshness of the key Kab [Burrows et al., 1989]. It is interesting to note that the assumptions of many protocols are often not made explicit.
However, BAN logic misses some flaws because of its various limitations. For example, it does not model the distinction between seeing a message and understanding it; all principals are assumed to behave correctly according to the rules of the protocol; and it does not model knowledge, so it cannot be used to prove results about secrecy and can be used only to reason about authentication. In particular, the idealisation process (mapping from a protocol specification to a BAN logic specification) has been widely acknowledged as the weakest link of BAN reasoning. Further details of the idealisation problem will be discussed in chapter 5.
Consequently, many variations and enhancements of the BAN logic have been developed. These new belief logics, such as AT logic [Abadi and Tuttle, 1991], GNY logic [Gong et al., 1990] and SVO logic [Syverson and van Oorschot, 1996], can be categorised as members of the “BAN family”. Besides the “BAN family”, some other logics have also been developed for the verification of security protocols. For example, Bieber’s CKT5 logic [Bieber, 1990] can be used to reason about the evolution of knowledge about words used in a security protocol; Moser’s non-monotonic logic [Moser, 1989] can be used to reason about the way in which beliefs developed through use of security protocols can be reversed.
BAN logic is described in more detail in chapter 3 and SVO logic in chapter 4.
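To make the inference rules concrete, here is an added example (my own Python, not code from the thesis or from the BAN paper) that forward-chains a small fragment of BAN logic: the message-meaning rule for shared keys (the informal belief quoted above), the nonce-verification rule, the jurisdiction rule, and the rules for seeing and believing concatenations. The tuple encoding of formulas, the rule implementations and the constructed idealised server message {Nb, A <-Kab-> B}_Kbs used by `key_distribution_example` are my assumptions, not a protocol analysed on this page.

```python
"""Forward chaining over a small fragment of BAN logic (added example, not the
thesis's code).  Formulas are nested tuples:
  ('believes', P, F)   P believes F          ('sees', P, M)    P sees message M
  ('said', P, M)       P once said M         ('fresh', M)      M is fresh
  ('controls', P, F)   P has jurisdiction over F
  ('shared', K, P, Q)  K is a good key for P and Q
  ('enc', M, K)        M encrypted under K   ('pair', M1, M2)  concatenation
"""


def _partner(p, shared):
    """Other party of a ('shared', K, X, Y) formula, or None if p is not a party."""
    _, _, x, y = shared
    return y if p == x else (x if p == y else None)


def _believes_fresh(p, m, kb):
    """BAN freshness rule: a concatenation is fresh if any component is fresh."""
    if ('believes', p, ('fresh', m)) in kb:
        return True
    return isinstance(m, tuple) and m[0] == 'pair' and \
        any(_believes_fresh(p, c, kb) for c in m[1:])


def _step(kb):
    """Apply each inference rule once; return the formulas not already known."""
    new = set()
    for f in kb:
        if f[0] not in ('believes', 'sees'):
            continue
        kind, p, m = f
        tag = m[0] if isinstance(m, tuple) else None
        if kind == 'sees' and tag == 'pair':            # seeing a pair => seeing its parts
            new.update(('sees', p, c) for c in m[1:])
        elif kind == 'sees' and tag == 'enc':           # message-meaning rule (shared keys)
            _, x, k = m
            for g in kb:
                if g[0] == 'believes' and g[1] == p and isinstance(g[2], tuple) \
                        and g[2][0] == 'shared' and g[2][1] == k:
                    q = _partner(p, g[2])
                    if q is not None:
                        new.add(('believes', p, ('said', q, x)))
                        new.add(('sees', p, x))         # P holds K, so P can read X
        elif kind == 'believes' and tag == 'pair':      # belief in a conjunction
            new.update(('believes', p, c) for c in m[1:])
        elif kind == 'believes' and tag == 'said':      # nonce-verification rule
            _, q, x = m
            if _believes_fresh(p, x, kb):
                new.add(('believes', p, ('believes', q, x)))
        elif kind == 'believes' and tag == 'believes':  # conjunction + jurisdiction rule
            _, q, x = m
            if isinstance(x, tuple) and x[0] == 'pair':
                new.update(('believes', p, ('believes', q, c)) for c in x[1:])
            if ('believes', p, ('controls', q, x)) in kb:
                new.add(('believes', p, x))
    return new - kb


def derive(initial):
    """Least fixed point of the rules: everything derivable from the initial beliefs."""
    kb = set(initial)
    while True:
        new = _step(kb)
        if not new:
            return frozenset(kb)
        kb |= new


def key_distribution_example(assume_fresh=True):
    """Constructed idealised message (an assumption, not a protocol from the page):
    server S sends B the message {Nb, A <-Kab-> B}_Kbs.  Does B conclude that
    Kab is a good key for talking to A?"""
    kab = ('shared', 'Kab', 'A', 'B')
    initial = {
        ('believes', 'B', ('shared', 'Kbs', 'B', 'S')),   # B shares Kbs with the server
        ('believes', 'B', ('controls', 'S', kab)),        # B trusts S to issue A-B keys
        ('sees', 'B', ('enc', ('pair', 'Nb', kab), 'Kbs')),
    }
    if assume_fresh:                                       # B generated Nb in this run
        initial.add(('believes', 'B', ('fresh', 'Nb')))
    return derive(initial)
```

With the freshness assumption, `key_distribution_example()` derives `('believes', 'B', ('shared', 'Kab', 'A', 'B'))` through message meaning, nonce verification, belief conjunction and jurisdiction in turn. Calling it with `assume_fresh=False` yields no such belief: nonce verification never fires, which is exactly the role the freshness assumption plays in the Needham-Schroeder discussion above, and why an analyst must state such assumptions explicitly.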
2.3.2 Techniques Based on State Machines
More recently, research in the area of security protocol verification has focused on state exploration tools. Much of this was inspired by Lowe’s demonstration that it was possible to use a general purpose model checker, FDR, to find an attack on the Needham-Schroeder public key protocol [Lowe, 1995] which was not identified by the BAN logic. Thus, interest in the belief logics has reduced as state exploration tools have improved. The idea of using CSP (Communicating Sequential Processes) and FDR (Failures Divergences Refinement) to verify security protocols was first suggested by Roscoe [1995]. Principals in a protocol are specified as CSP processes operating in parallel. In addition, an attacker of the Dolev-Yao type is added that can carry out certain actions. An authentic run of the protocol is specified (the protocol terminates with success only if the message sequence is what the protocol intended). The implementation of the protocol, which comprises the various principals as agents, must now be shown to satisfy the specification. The FDR tool is then used to check possible traces of the implementation against the specification. Roscoe and Gardiner [1995] have created a variety of heuristics to prune down the search space to make the model checking feasible.
Lowe’s success in finding an attack on the Needham-Schroeder public key protocol using the FDR tool inspired many researchers both to prove they could reproduce his results and to apply their own techniques to other protocols. Work since then has progressed both in applying general purpose model checkers, for example Mitchell’s Murφ [Mitchell et al., 1997], and in designing special purpose model checkers, for example Song’s Athena [Song, 1999].
The limitation in this approach is that model checkers can only search a finite number of states. Thus, there has also been some research in showing that under certain conditions checking a finite number of states might be sufficient. For example, Lowe [1999] gives a set of conditions under which checking a small number of sessions would be sufficient to prove secrecy of a key.
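As an added example covering both the Dolev-Yao intruder model reviewed at the start of this section and the state-exploration approach just described (my own Python, not code from the thesis, from FDR or from Lowe's work): a breadth-first search over all interleavings of one initiator run and one responder run of the Needham-Schroeder public key protocol, where every message a principal receives is one the intruder can derive, and the intruder's knowledge is closed under the Dolev-Yao rules (split pairs, decrypt only with a held private key, compose from known terms). The term encoding, the role tables, the finite universe of three agents and three nonces, and the checked property (the responder completes believing its peer is A while the intruder can derive Nb) are my assumptions; the bounded universe is what makes the search finite, as the paragraph above discusses. The trace it returns is the one Lowe reported.

```python
"""Bounded state exploration of the Needham-Schroeder public-key protocol
against a Dolev-Yao intruder (added example, not the thesis's code).
Terms: agent names and nonces are strings; ('pk', X)/('sk', X) are X's keys;
('enc', K, M) is M encrypted under K; ('pair', M1, M2) is concatenation;
names starting with '?' are pattern variables in the role templates."""
from collections import deque

AGENTS = ['A', 'B', 'I']        # I is the intruder, also a legitimate principal
NONCES = ['Na', 'Nb', 'Ni']     # finite universe (assumption, as in bounded checking)
DOMAIN = {'?x': NONCES, '?y': NONCES, '?a': AGENTS, '?b': AGENTS}

ALICE = (                       # initiator A; its intended peer ?b is fixed at start
    ('send', ('enc', ('pk', '?b'), ('pair', 'Na', 'A'))),
    ('recv', ('enc', ('pk', 'A'), ('pair', 'Na', '?x'))),
    ('send', ('enc', ('pk', '?b'), '?x')),
)
BOB = (                         # responder B; learns the claimed peer ?a from message 1
    ('recv', ('enc', ('pk', 'B'), ('pair', '?y', '?a'))),
    ('send', ('enc', ('pk', '?a'), ('pair', '?y', 'Nb'))),
    ('recv', ('enc', ('pk', 'B'), 'Nb')),
)

def analyse(knowledge):
    """Dolev-Yao analysis: split pairs; decrypt only with a private key held."""
    kb, changed = set(knowledge), True
    while changed:
        changed = False
        for t in list(kb):
            if isinstance(t, tuple) and t[0] == 'pair':
                parts = {t[1], t[2]}
            elif isinstance(t, tuple) and t[0] == 'enc' and ('sk', t[1][1]) in kb:
                parts = {t[2]}
            else:
                continue
            if not parts <= kb:
                kb |= parts
                changed = True
    return frozenset(kb)

def derivable(t, kb):
    """Dolev-Yao synthesis: can the intruder build t from analysed knowledge kb?"""
    if t in kb:
        return True
    if isinstance(t, tuple) and t[0] in ('pair', 'enc'):
        return derivable(t[1], kb) and derivable(t[2], kb)
    return False

def subst(t, env):
    return tuple(subst(c, env) for c in t) if isinstance(t, tuple) else env.get(t, t)

def variables(t):
    if isinstance(t, tuple):
        return {v for c in t for v in variables(c)}
    return {t} if t.startswith('?') else set()

def moves(role, pc, env, kb):
    """Next local states of one role; the intruder supplies every received message."""
    if pc >= len(role):
        return
    action, tmpl = role[pc]
    if action == 'send':
        msg = subst(tmpl, env)
        yield pc + 1, env, analyse(kb | {msg}), ('send', msg)
        return
    free = sorted(variables(tmpl) - set(env))

    def bind(i, cur):               # enumerate instantiations the intruder can derive
        if i == len(free):
            msg = subst(tmpl, cur)
            if derivable(msg, kb):
                yield pc + 1, cur, kb, ('recv', msg)
            return
        for val in DOMAIN[free[i]]:
            yield from bind(i + 1, {**cur, free[i]: val})

    yield from bind(0, dict(env))

def explore():
    """BFS over interleavings of one A run and one B run.  Returns the first trace
    where B finishes believing its peer was A while the intruder derives Nb."""
    freeze = lambda env: tuple(sorted(env.items()))
    init_kb = analyse({('pk', a) for a in AGENTS} | {('sk', 'I'), 'Ni', 'A', 'B', 'I'})
    start = [(0, freeze({'?b': b}), 0, (), init_kb) for b in ('B', 'I')]
    parent, queue = {s: None for s in start}, deque(start)
    while queue:
        s = queue.popleft()
        a_pc, a_env, b_pc, b_env, kb = s
        if b_pc == len(BOB) and dict(b_env)['?a'] == 'A' and derivable('Nb', kb):
            trace = []
            while parent[s] is not None:
                s, label = parent[s]
                trace.append(label)
            return trace[::-1]
        succ = [((npc, freeze(nenv), b_pc, b_env, nkb), ('A',) + lab)
                for npc, nenv, nkb, lab in moves(ALICE, a_pc, dict(a_env), kb)]
        succ += [((a_pc, a_env, npc, freeze(nenv), nkb), ('B',) + lab)
                 for npc, nenv, nkb, lab in moves(BOB, b_pc, dict(b_env), kb)]
        for ns, lab in succ:
            if ns not in parent:
                parent[ns] = (s, lab)
                queue.append(ns)
    return None
```

`explore()` returns a six-event trace: A opens a session with I, I re-uses A's first message towards B, and B's final state records A as its peer while Nb is in the intruder's closed knowledge. If the initiator's peer domain is restricted to `['B']`, the search exhausts the state space and returns `None`, which is the bounded-checking guarantee the text describes: absence of an attack within the chosen universe, not in general.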
2.3.3 Computational Complexity Approach
The computational complexity approach was pioneered by Bellare and Rogaway [1994] when they published a mathematical proof that a simple entity authentication protocol was secure. The approach is the same as that used in the cryptographic research community to prove the security of cryptographic algorithms. These are complexity-theoretic reduction proofs: the security of protocol S is reduced to the security of another, better understood problem P, in the sense that if there is an efficient algorithm that can break S then there is an efficient algorithm to solve P.
The approach uses a mathematical model that defines a protocol in which a powerful adversary plays a central role. The adversary essentially controls all the principals and can initiate protocol runs between any principals at any time. Insider attacks are modelled by allowing the adversary to corrupt any principals, and the adversary can also obtain previously used keys. Cryptographic algorithms may be modelled either with generic properties or as specific transformations. Security of protocols is defined in terms of matching conversations (for authentication) and indistinguishability (for confidentiality of keys) [Boyd and Mathuria, 2003].
A complete mathematical proof with respect to cryptographic definitions provides a strong assurance that a security protocol is behaving as desired. On the other hand, the computational complexity approach suffers from several limitations, and the significance of a proof of security is controversial. For example, it is often difficult to obtain correct proofs of security, and such proofs usually entail lengthy and complicated mathematical arguments which are difficult to understand. Furthermore, current provable security techniques do not help in protocol design: a small change in the protocol will require a new proof to be constructed.