Formal Support to Security Protocol Development: A Survey

Soporte Formal para el Desarrollo de Protocolos de Seguridad: una Visión General

Juan Carlos López Pimentel and Raúl Monroy

Computer Science Department Tecnológico de Monterrey, Campus Estado de México Carretera al lago de Guadalupe, Km 3.5, Atizapán de Zaragoza, 52926, México juan.pimentel@itesm.mx, raulm@itesm.mx

Article received on April 16, 2008
Accepted on June 20, 2008

Abstract

Security protocols aim to allow two or more principals to establish a secure communication over a hostile network, such as the Internet. The design of security protocols is particularly error–prone, because it is difficult to anticipate what an intruder may achieve interacting through a number of protocol runs, claiming to be an honest participant. Thus, the verification of security protocols has attracted a lot of interest in the formal methods community and as a result lots of verification techniques/tools, as well as good practices for protocol design, have appeared in the two last decades. In this paper, we describe the state of the art in automated tools that support security protocol development. This mainly involves tools for protocol verification and, to a lesser extent, for protocol synthesis and protocol diagnosis and repair. Also, we give an overview of the most significant principles for the design of security protocols and of the major problems that still need to be addressed in order to ease the development of security protocols.

Keywords: Formal methods, security protocols, protocol synthesis, protocol diagnosis and repair.

Resumen

Los Protocolos de Seguridad tienen como objetivo permitir que dos o más agentes puedan establecer una comunicación de manera segura en una red a pesar de ambientes hostiles, tales como Internet. El diseño de estos protocolos es particularmente propenso a errores, por eso, es difícil anticipar lo que un intruso puede lograr cuando, pretendiendo ser un participante honesto, interactúa con una cantidad considerable de corridas del protocolo. Así, la verificación de protocolos de seguridad ha atraído un gran interés en la comunidad de los métodos formales, dando como resultado la aparición, en las dos últimas décadas, de una gran cantidad de técnicas/herramientas, además de buenas prácticas para mejorar su diseño. En este artículo, describimos el estado del arte de las herramientas automatizadas que soportan el desarrollo de protocolos de seguridad. Principalmente, incluímos herramientas para su verificación, y en menor grado, trabajos sobre su síntesis; además de métodos en el diagnóstico y reparación de protocolos incorrectos. También, damos un resumen de los principios más importantes para mejorar el diseño de esta clase de protocolos y los principales problemas que todavía necesitan ser resueltos para facilitar su desarrollo.

Palabras claves: Métodos formales, protocolos de seguridad, síntesis de protocolos, diagnóstico y reparación de protocolos.

DESCARGAR ARTÍCULO EN FORMATO PDF

References

1. Abadi, M. and Needham, R., Prudent Engineering Practice for Cryptographic Protocols. IEEE Transactions on Software Engineering, 22(1):6–15, 1996.        [ Links ]

2. Abadi, M. and Rogaway, P., Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption). Journal of Cryptology, 15(2): 103–127, 2002.        [ Links ]

3. Anderson, R.–J. and Needham, R.–M., Robustness Principles for Public Key Protocols. In Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology, CRYPTO '95, edited by Don Coppersmith, LNCS Vol. 963, pp. 236–247, London, UK, 1995. Springer–Verlag.        [ Links ]

4. Armando, A. and Compagna, L., SATMC: A SAT–based model checker for security protocols. In Proceedings of the 9^th European Conference in Logics in Artificial Intelligence, JELIA '04, edited by Alferes, J.–J. and Leite, J.–A., LNCS Vol. 3229, pp. 730–733. Springer, 2004.        [ Links ]

5. Asokan, N. and Ginzboorg, P., Key–Agreement in Ad–hoc Networks. Computer Communications, 23(17): 1627–1637, 2000.        [ Links ]

6. Aura, Tuomas., Strategies against Replay Attacks. In Proceedings of the 10th Computer Security Foundations Workshop (CSFW '97), page 59, Washington, DC, USA, 1997. IEEE Computer Society.        [ Links ]

7. AVISPA Team, AVISPA v1.0 User Manual. v1.0 edition, 2005.        [ Links ]

8. Basin, D. and Mödersheim, S. and Viganò, L., An On–the–Fly Model–Checker for Security Protocol Analysis. In Proceedings of the 8th European Symposium on Research in Computer Security, ESORICS'03, edited by Gollmann, D. and Snekkenes, E., LNCS Vol. 2808, pp. 253–270, Gjøvik, Norway, 2003. Springer–Verlag.        [ Links ]

9. Basin, D. and Mödersheim, S. and Viganò, L., Algebraic Intruder Deductions. In Geoff Sutcliffe and Andrei Voronkov, editors, Proceedings of Logic for Programming Artificial Intelligence and Reasoning, LPAR '05, edited by Sutcliffe, G. and Voronkov, A., LNCS Vol. 3835, pp. 549–564, 2005. Springer–Verlag.        [ Links ]

10. Basin, D. and Mödersheim, S. and Viganò, L., OFMC: A Symbolic Model–Checker for Security Protocols. Technical report, 450, ETH Zürich, Computer Science, 2004.        [ Links ]

11. Basin, David. Lazy Infinite–State Analysis of Security Protocols. In Baumgart, Rainer, editors, Proceedings of the International Exhibition and Congress on Secure Networking, CQRE'99, edited by Baumgart, R., LNCS Vol. 1740, pp. 30–42, London, UK, 1999. Springer–Verlag.        [ Links ]

12. Baudet, M. and Cortier, V. and Kremer, S., Computationally sound implementations of equational theories against passive adversaries. In Proceedings of the 32nd International Colloquium on Automata, Languages and Programming, ICALP'05, edited by Caires, L. and Italiano, G.–F. and Monteiro, L. and Palamidessi, C. and Yung, M., LNCS Vol. 3580, pp. 652–663, 2005. Springer.        [ Links ]

13. Blanchet, Bruno, An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In Proceedings of the 14th IEEE Computer Security Foundations Workshop, CSFW'01, pp. 82–96, IEEE Computer Society, 2001.        [ Links ]

14. Bozga, L. and Lacknech, Y. and Périn, M. HERMES: An Automatic Tool for Verification of Secrecy in Security Protocols. In Proceedings of the 15^th International Conference in Computer Aided Verification CAV'03, LNCS Vol. 2725, pp. 219–222, Boulder, CO, USA, 2003. Springer.        [ Links ]

15. Brackin, S.–H., A HOL Extension of GNY for Automatically Analyzing Cryptographic Protocols. In Proceedings of The 9th Computer Security Foundations Workshop, CSFW'96, page 62, Washington, DC, USA, 1996. IEEE Computer Society Press.        [ Links ]

16. Burrows, M. and Abadi, M. and Needham, R.–M., A Logic of Authentication. Proceedings of the Royal Society of London, 426(1):233–71, 1989.        [ Links ]

17. Carlsen, Ulf, Cryptographic Protocols Flaws. In Proceedings IEEE Computer Security Foundations Workshop, CSFW'94, pp. 192–200, 1994. IEEE Computer Society Press.        [ Links ]

18. Chevalier and Vigneron 2002 Chevalier, Y. and Vigneron, L., Automated unbounded verification of security protocols. In Proceedings of the 14th International Conference on Computer Aided Verification, CAV '02, edited by Brinksma, E. and Larsen, K.–G., LNCS Vol. 2404, pp. 324–337, London, UK, 2002. Springer–Verlag.        [ Links ]

19. Chevalier, Y. and Rusinowitch, M., Combining Intruder Theories. In Proceedings of the 32nd International Colloquium on Automata, Languages and Programming, ICALP^s05, edited by Caires, L. and Italiano, G.–F. and Monteiro, L. and Palamidessi, C. and Yung, M., LNCS Vol. 3580, pp. 639–651, 2005. Springer Berlin / Heidelberg.        [ Links ]

20. Choo, K.–K. Raymond., An Integrative Framework to Protocol Analysis and Repair: Indistinguishability Based Model + Planning + Model Checker. In Proceedings of Five–minute Talks at CSFW'06, 2006.        [ Links ]

21. Cohen, Ernie., First–order verification of cryptographic protocols. Journal of Computer Securirity, 11(2): 189–216, 2003.        [ Links ]

22. Cohen, Ernie., TAPS: A First–Order Verifier for Cryptographic Protocols. In Proceedings of the 13th IEEE Computer Security Foundations Workshop, CSFW '00, pp. 144, Washington, DC, USA, 2000. IEEE Computer Society.        [ Links ]

23. Comon, H. and Nieuwenhuis, R., Induction = I–Axiomatization + First–Order Consistency. Technical report, LSV–98–9, Laboratoire Spécification et Vérification, ENS Cachan, France, Cachan, France, 1998.        [ Links ]

24. Comon–Lundh, H. and Shmatikov, V., Intruder Deductions, Constraint Solving and Insecurity Decision in Presence of Exclusive Or. In Proceedings of the 18th Annual IEEE Symposium on Logic in Computer Science, LICS '03, pp. 271, Washington, DC, USA, 2003. IEEE Computer Society.        [ Links ]

25. Dolev, D. and Yao, A.–C., On the security of public key protocols. Technical report, 2, Stanford University, Stanford, CA, USA, 1983.        [ Links ]

26. Gong, L. and Syverson P., Fail–stop protocols: A new approach to designing secure protocols. In Proceedings of the 5th International Working Conference on Dependable Computing for Critical Applications, pp. 44–55, 1995.        [ Links ]

27. Heam, P.–C. and Boichut, Y. and Kouchnarenko, O. and Oehl, F., Improvements on the genet and klay technique to automatically verify security protocols. In Proceedings of the International WS on Automated Verification of Infinite–State Systems, AVIS'2004, joint to ETAPS'04, pp. 1–11, Barcelona, Spain, 2004.        [ Links ]

28. Heather, J. and Lowe, G. and Schneider, S., How to prevent type flaw attacks on security protocols. Journal of Computer Security, 11(2):217–244, 2003.        [ Links ]

29. Kremer, S. and Mazaré, L., Adaptive Soundness of Static Equivalence. In Proceedings of the 12th European Symposium on Research in Computer Security, ESORICS'07, edited by Biskup, J. and Lopez, J., LNCS Vol. 4734, pp. 610–625, 2007. Springer.        [ Links ]

30. Lafourcade, P. and Lugiez, D. and Treinen, R., Intruder deduction for the equational theory of Abelian groups with distributive encryption. Information and Compututation, 205(4):581–623, 2007.        [ Links ]

31. López–Pimentel, J.–C. and Monroy, R. and Hutter, D., A Method for Patching Interleaving–Replay Attacks in Faulty Security Protocols. Electronic Notes in Theoretical Computer Science, 174:117–130, 2007. Also available from the Proceedings of the 1st FLoC Workshop on Verification and Debugging.        [ Links ]

32. López–Pimentel, J.–C. and Monroy, R. and Hutter, D., On the Automated Correction of Faulty Security Protocols Susceptible to a Replay Attack. In Proceedings of the 12th European Symposium Research Computer Security, ESORICS'07, edited by Biskup, J. and Lopez, J., LNCS Vol.4734, pp. 594–609, 2007. Springer.        [ Links ]

33. Lowe, Gavin., An Attack on the Needham–Schroeder Public–Key Authentication Protocol. Information Processing Letters, 56(3): 131–133, 1995.        [ Links ]

34. Lowe, Gavin., A Hierarchy of Authentication Specifications. In Proceedings of the 10th Computer Security Foundations Workshop, CSFW '97, pp. 31, Rockport, Massachusetts, USA, 1997. IEEE Computer Society.        [ Links ]

35. Lowe, Gavin., Breaking and Fixing the Needham–Schroeder Public–Key Protocol Using FDR. In Proceedings of the Second International Workshop on Tools and Algorithms for Construction and Analysis of Systems, TACAS'96, edited by Margaria, T. and Steffen, B., LNCS Vol. 1055, pp. 147–166, London, UK, 1996. Springer–Verlag.        [ Links ]

36. Lowe, Gavin., Casper: a compiler for the Analysis of Security Protocols. In Proceedings of the 10^th Computer Security Foundations Workshop, CSFW'97, pp. 53–84, Journal in Computer Security, Vol. 6, IEEE Computer Society, Washington, DC, USA, 1998.        [ Links ]

37. Malladi and Alves–Foss 2003 Malladi, S. and Alves–Foss, J., How to prevent type–flaw guessing attacks on password protocols. In Proceedings of the 2003 Workshop on Foundations of Computer Security (FCS03), pp. 1–12, 2003. Technical Report of University of Ottawa.        [ Links ]

38. Malladi, S. and Alves–Foss, J. and Heckendorn, R., On Preventing Replay Attacks on Security Protocols. In Proceedings International Conference on Security and Management, ICSM'02, pp. 77–83, 2002.        [ Links ]

39. Meadows, Catherine., The NRL Protocol Analyzer: An Overview. Journal of Logic Programming, 26(2): 113–131, 1996.        [ Links ]

40. Meadows, Catherine., Extending Formal cryptographic protocol analysis techniques for group protocols and low–level cryptographic primitives. In Proceedings of the First Workshop on Issues in the Theory of Security, WITS'00, edited by Degano, P., pp. 87–92, Geneva, Switzerland, July, 2000.        [ Links ]

41. Meadows, Catherine, A Procedure for Verifying Security Against Type Confusion Attacks. In Proceedings of the 16th IEEE Computer Security Foundations Workshop, CSFW'03, pp. 62, Pacific Grove, CA, USA, 2003. IEEE Computer Society.        [ Links ]

42. Paulson, L.–C., Isabelle: a Generic Theorem Prover. Springer–Verlag, 1994.        [ Links ]

43. Paulson, L.–C., The Inductive Approach to Verifying Cryptographic Protocols. Journal in Computer Security, 6(1–2):85–128, 1998.        [ Links ]

44. Pereira, O. and Quisquater, J.–J., Some attacks upon authenticated group key agreement protocols. Journal in Computer Security, 11(4):555–580, 2003.        [ Links ]

45. Perrig, A. and Song D., Looking for Diamonds in the Desert — Extending Automatic Protocol Generation to Three–Party Authentication and Key Agreement Protocols. In Proceedings of the 13th IEEE Computer Security Foundations Workshop, CSFW'00, pp. 64–76, 2000. IEEE Computer Society Press.        [ Links ]

46. Rusinowitch, Michaël and Turuani, Mathieu. Protocol Insecurity with Finite Number of Sessions is NP–Complete. In Proceedings of the 2001 Computer Security Foundations Workshop, CSFW 2001, pp. 174–190, Computer Science Press, 2001.        [ Links ]

47. Ryan, P.Y.–A. and Schneider, S.–A. An attack on a recursive authentication protocol; a cautionary tale. Information Processing Letters, 65(1):7–10 (1998).        [ Links ]

48. Song, X. D. and Berezin, S. and Perrig, A., Athena: A Novel Approach to Efficient Automatic Security Protocol Analysis. Journal of Computer Security, 9(1–2):47–74, 2001.        [ Links ]

49. Steel, G. and Bundy, A. and Denney, E., Finding Counterexamples to Inductive Conjectures and Discovering Security Protocol Attacks. Proceedings of the Foundations of Computer Security Workshop, (FCS'02), pp. 81–90, 2002. Also appeared in Proceedings of The Verify'02 Workshop. Also available as Informatics Research Report EDI–INF–RR–0141.        [ Links ]

50. Steel, G. and Bundy, A. and Maidl, M., Attacking the Asokan–Ginzboorg Protocol for Key Distribution in an Ad–Hoc Bluetooth Network Using CORAL. In Proceedings of 23rd IFIP International Conference on Formal Techniques for Networked and Distributed Systems, IFIP TC6 /WG 6.1, FORTE'03, edited by König, H. and Heiner, M. and Wolisz, A., pp. 1–10, 2003.        [ Links ]

51. Syverson, Paul., A taxonomy of replay attacks. In Proceedings of the Seventh Computer Security Foundations Workshop, CSFW'94, pp. 187–191, Franconia, New Hampshire, USA, 1994. IEEE Computer Society Press.        [ Links ]

52. Syverson, P. and Meadows, C. and Cervesato, I. Dolev–Yao is no better than Machiavelli. In Proceedings of the First Workshop on Issues in the Theory of Security, WITS'00, 2000.        [ Links ]

53. Thayer–Fabrega, F.–J. and Herzog, J.–C. and Guttman, J.–D., Strand spaces: Why is a security protocol correct? In Proceedings of the 1998 Symposium on Security and Privacy, pp. 160–171, Oakland, CA, USA, 1998. IEEE computer Society.        [ Links ]

54. Weidenbach, Christoph., Towards an Automatic Analysis of Security Protocols in First–Order Logic. In Proceedings of the 16th International Conference on Automated Deduction, CADE–16, edited by Harald Ganzinger, LNCS Vol. 1632, pp. 314–328, London, UK, 1999. Springer–Verlag.        [ Links ]