Formal Verification of Security Protocols Using Spin

Shengbo Chen 1,2, Hao Fu 1,2, Huaikou Miao 1,2
1 School of Computer Engineering and Science, Shanghai University, Shanghai 200436, P. R. China
2 Shanghai Key Laboratory of Computer Software Testing and Evaluating, Shanghai 201112, P. R. China
Email: {schen,hkmiao}@shu.edu.cn, r future@i.shu.edu.cn

Abstract: Security protocols are the key to ensuring network security. Many methods have been developed to analyze the security properties of security protocols, such as BAN logic, theorem proving and model checking. This paper used the model checking method to formally verify security protocols because of its high degree of automation, conciseness and effectiveness. The model checker Spin has a sound algorithmic design, an extraordinary checking ability and good support for LTL. This paper studied the use of Spin on security protocols and proposed a more effective intruder model to formally verify the security properties of security protocols, such as authentication. The method in this paper decreased the number of model states by a wide margin and effectively avoided state space explosion. The NSPK protocol and the DS protocol were used as examples, and good experimental results were shown.

Keywords: security protocols; network security; model checking; Spin; LTL

I. INTRODUCTION

In an age of fast Internet development, a large number of industries cannot be separated from the network. At the same time, some network services (like e-commerce and e-banking) are becoming more and more popular. The explosive growth of information is a big challenge to network security. Meanwhile, it also highlights the importance of the security protocols used in the network.
A thorough design of security protocols becomes a challenge for protocol designers.

A security protocol [1], also known as a cryptographic protocol, is a message exchange protocol built on encryption primitives and aimed at providing various security services in the network environment, including authentication, the distribution of the session key between protocol agents, confidentiality, etc.

Unlike in the real world, communicators in the network may not know each other, so authentication between them must be based on a cryptosystem. A security protocol, running in the network or in a distributed system, is a communication protocol based on a cryptosystem. It specifies the operation steps and rules of the protocol to achieve some high-secrecy tasks (like the distribution of the session key and authentication) by the use of cryptographic algorithms.

It follows that security protocols are one of the effective methods for solving the network security problem. However, protocol designers cannot take account of all attacks, because of the uncertainty of the intruder's abilities and the complicated network environment [1]. For example, in 1995, Lowe [2] used the model checking method to find a new attack on the famous NSPK protocol, 17 years after it was published. Therefore, in practical applications, security protocols may not truly realize their security properties. Even the most basic authentication protocol probably contains some kinds of unpredictable vulnerabilities. As a result, the correctness analysis of security protocols becomes an important means of detecting errors in security protocols.

From the current research, there are two methods for the analysis of security protocols: attack detection and the formal method. Attack detection exhausts all the attacks against a security protocol and evaluates the security of the protocol according to the effectiveness of the attacks.
Attack detection cannot fully assess the security of security protocols because it is limited to the known attacks. The formal method first builds a security protocol model, then describes the security properties of the protocol using assertions or temporal logic formulas (LTL, say), and finally analyzes whether the protocol model satisfies the security properties. The formal analysis of security protocols helps to:

– describe precisely the behavior of security protocols and the interactive process between the agents.
– define precisely the security properties that security protocols must satisfy.
– verify whether a security protocol satisfies its security properties, and give a reason why when it does not.

Hence, the formal method is a more effective way to find new attacks on security protocols because of its comprehensiveness. As one of the formal methods, model checking, proposed by Clarke [3], is an automatic, model-based property verification method. Model checking has been applied in the fields of computer hardware, communication protocols, security protocols, etc., and it has achieved remarkable success.

978-1-5090-0806-3/16/$31.00 copyright 2016 IEEE. ICIS 2016, June 26-29, 2016, Okayama, Japan

II. RELATED WORK

Since the late 1970s, security protocols have been studied by many scholars, and numerous formal methods have been developed. Peng et al. [4] designed a new model checker, ASM-SPV, dedicated to the verification of security protocols. This model checker can find some attacks, but its poor efficiency and low degree of automation make it less popular. Arapinis et al. [5] proposed an extended Pi process calculus and converted it to Horn clauses using the tool StatVerif, which they designed. They used the model checker ProVerif to analyze the Horn clauses. This method is efficient, but allows false attacks. Furthermore, many famous model checkers were built to verify security protocols, such as FDR [6] and Murphi [7].
Spin [8] is a model checker used to design and verify asynchronous process systems. Spin has a good algorithmic design and excellent checking ability, and it also has good support for the linear temporal logic LTL. It has been proven in practice that Spin can be used to verify and analyze security protocols effectively. This paper used Spin to verify security protocols. In addition, Promela, the modeling language of Spin, is a C-like language that is very simple and expressive.

In [9], the author analyzed the Needham-Schroeder Public Key Protocol and modeled it using Promela. He found an attack successfully, but he analyzed the intruder's behavior with a manual static analysis method, which results in a very low degree of automation of protocol verification. This is the main difference between [9] and this paper. In [10], the author proposed a general method to model the intruder's behavior. This efficient method does not need a manual analysis of the intruder's behavior. In his method, the intruder process dynamically analyzes all the messages it intercepts and responds accordingly. Although the method works well, its redundant model is vulnerable to state space explosion. The intruder model in this paper is more efficient than the model in [10].

This paper proposed an optimized method in which the security protocol models are built in Spin as communicating processes. The NSPK protocol and the DS protocol were used as examples. The experimental results showed that the number of protocol model states was decreased by a wide margin and that the efficiency of protocol verification was improved.

The rest of this paper is organized as follows. Section III briefly introduces the NSPK protocol and the DS protocol. Section IV describes the procedure of building the Promela model of security protocols.
Section V shows the experimental results and the comparison between the method in [10] and the method in this paper. The conclusions and future work are in Section VI.

III. NSPK PROTOCOL AND DS PROTOCOL

Security protocols are designed to provide various security services for the network environment, such as authenticating the identities of the protocol agents, distributing the session key between the protocol agents, ensuring the confidentiality of information, and so on. This paper mainly verified the authentication property of security protocols, which is described using LTL. The NSPK protocol and the DS protocol were used as examples to model and analyze security protocols.

The Needham-Schroeder protocol [11] is a well-known authentication protocol on which many authentication protocols are based. The purpose of the NS protocol is to achieve mutual authentication of the agents running the protocol. The NS protocol has two versions, the NSSK protocol and the NSPK protocol. The NSSK protocol is an authentication protocol built on symmetric encryption primitives, and the NSPK protocol is an authentication protocol built on asymmetric encryption primitives, shown in Fig. 1.

[Fig. 1. The Full Version of NSPK Protocol]

[Fig. 2. The Reduced Version of NSPK Protocol]

As is well known, NSPK protocol agents must obtain the partner's public key from the trusted third party before the mutual identity authentication. To simplify the protocol model, this paper assumes that the agents running the protocol know each other's public keys, as shown in Fig. 2. This hypothesis does not affect the verification of the NSPK protocol.

The DS protocol [12] was developed by Denning and Sacco. It is designed for distributing a session key between the agents running the protocol.
This paper used the simplified version of the DS protocol [10] because of the purpose of this paper. Fig. 3 shows the simplified version of the DS protocol. The message Sec includes some important information, such as a timestamp.

[Fig. 3. The Simplified Version of DS Protocol]

IV. MODELING SECURITY PROTOCOL

A. Hypotheses

Before modeling security protocols, this paper makes some hypotheses:

– The cryptographic algorithm used in security protocols is perfect; that is, the intruder cannot attack the protocol by exploiting defects of the cryptographic algorithm.
– The message format of security protocols is fixed, and the agents running the protocol only accept messages that conform to the protocol specification.
– Intruders or malicious agents exist in the network in which security protocols run.
– The intruder is a registered agent [13], the same as the trusted agents, and has his own key pair (public key and secret key).

B. The Promela Model of Security Protocol

This section describes the procedure of building the Promela model of security protocols, using the NSPK protocol as the instance, and describes the properties of security protocols using LTL. The security protocol models mainly include the protocol instance model and the intruder model.

1) Modeling the Protocol Instance: The first step of modeling the protocol instance is the declaration of a name set. The name set includes the identifiers used in the protocol, such as keys, nonces and identities.

mtype = { NULL, Msg1, Msg2, Msg3, A, B, I, Na, Nb, Ni, PKa, PKb, PKi };

NULL, a special identifier, represents the locations that are unused. Msg1, Msg2 and Msg3 represent the message sequence numbers. A, B and I represent the agents' identifiers: A and B represent the trusted agents, and I represents the intruder. Na and PKa represent agent A's nonce and public key respectively. Nb and PKb represent B's nonce and public key respectively.
Likewise, Ni and PKi represent the intruder I's nonce and public key respectively.

The second step is the declaration of the communication channel that is used to exchange messages between the agents running the protocol. Because different protocol messages have different lengths, this paper used the length of the longest message to define the channel capacity. The message length is the number of identifiers in a message; for example, the message $\{N_a, A\}_{PK_b}$ includes three identifiers, so its length is three. If $Message_i$ represents a protocol message, $Length(Message_i)$ represents the length of a message, $N$ is the number of protocol messages, and $\max_{i=0}^{N} Length(Message_i)$ represents the length of the longest message, then the channel capacity $V$ is $\max_{i=0}^{N} Length(Message_i) + 1$. The following is the declaration of the channel of the reduced NSPK protocol.

chan network = [0] of { mtype, mtype, mtype, mtype };

The next step is the declaration of the roles that run the protocol. At least one protocol initiator and one protocol responder are needed to run a security protocol successfully. A protocol agent is just an instance of the initiator or the responder. This paper defined an initiator process (shown in Fig. 4) and a responder process (shown in Fig. 5). The instances of the initiator (like A) and the responder (like B) are the arguments of the initiator process and the responder process. The initiator process needs one more argument to represent the initiator's expected responder.

In Fig. 4, the argument a represents the instance of the initiator, and b represents a's expected responder. Lines 6, 9 and 11 are the specific messages that the initiator sends and receives. This paper defined some macros to get an agent's nonce and public key. Furthermore, this paper used the function eval() in Spin to verify some of the received messages.
If the received message is not the expected one, it is regarded as an invalid message. Even if the intruder creates a message like this, it is easy for the trusted agents to distinguish. The following are the macros for the nonce and public key.

#define Nonce(x) ((x)-3)
#define PublicKey(x) ((x)-6)

Likewise, Fig. 5 shows the definition of the responder process. The argument b represents the instance of the responder.

[Fig. 4. The Initiator Model of NSPK protocol]

[Fig. 5. The Responder Model of NSPK protocol]

2) The Intruder Model: This part describes the procedure of building the intruder model. The intruder model is very important to the formal analysis of security protocols. Understanding the intruder's ability and knowledge appropriately and correctly is key to building an effective intruder model. The Dolev-Yao intruder model [14] has had a profound influence on the formal analysis of security protocols. Dolev and Yao thought that the ability and knowledge of an intruder must not be underestimated, and that the intruder can control the whole network.
The following are the abilities of the intruder in the Dolev-Yao model:

– Eavesdrops on every message that goes through the network.
– Intercepts and captures every message that goes through the network.
– Stores the messages that are captured or created by the intruder himself.
– Fakes a message from the stored messages and sends it.
– Acts as a valid agent in a run of the protocol.

According to Dolev and Yao's description, the intruder is very clever and can control the whole network. This ensures that the security properties established when we analyze security protocols hold even in a bad network environment. This paper used the Dolev-Yao model, and the abilities of the intruder are abstracted into capturing messages, analyzing messages and faking messages.

[Fig. 6. The Intruder Model of NSPK protocol]

Capture message: the intruder can eavesdrop on the channel at all times and grab all messages in the channel. Analyze message: the intruder can analyze the captured messages and decrypt them if he has the reverse keys.
Fake message: when the intruder intercepts a message, he can fake a message according to the protocol specification and his own knowledge base.

This paper used the array Knows[] to represent the knowledge set of the intruder, and ReverseKeys[] to represent the reverse keys that the intruder knows. Fig. 6 shows the intruder model of the NSPK protocol. Lines 6-12 are the declarations of the intruder's initial knowledge set. As a valid agent, the intruder knows the trusted agents' identifiers and public keys. Line 17 is a function Analysis() that analyzes the captured messages, as shown in Fig. 7. Meanwhile, the intruder can choose whether or not to store a whole message in order to replay and forward [13] it. Line 27 is the function CreateMessage(), which is used to create a bogus message, as shown in Fig. 8. In [10], the author faked messages by randomly combining identifiers, but this method creates a lot of meaningless messages. For example, the message $\{N_a, N_i\}_{PK_b}$ is easily recognized by the trusted agent B, because B cannot find any identity in this message. The method in [10] greatly reduces the efficiency of protocol verification and results in state space explosion. As a valid agent, the intruder is very familiar with the protocol. In the view of this paper, when the intruder intercepts a message, he can create, according to the protocol specification, a meaningful message that the trusted agents cannot recognize as bogus. Hence, this paper proposed a method in which the intruder creates a message not only according to the protocol specification, but also according to the content of the intercepted message. For example, as shown in lines 4-17 of Fig. 8, when the intruder intercepts the message $\{N_a, A\}_{PK_b}$ from A, the public key of the message created by the intruder must be one of the others' keys, not his own, and the identity cannot be the responder. The method in this paper strategically avoids creating messages that are easy to identify and removes plenty of unnecessary model states.

[Fig. 7. Analyze Message]

[Fig. 8. Fake Message]

In Fig. 6, line 29 has a macro IsValidMessage() [10] that verifies whether the atomic messages belong to the intruder's knowledge base.

C. Security Property

This paper mainly verified the authentication property of security protocols. This paper used the method in [9] and defined four global variables.

bit IniRunningAB=0;
bit IniCommitAB=0;
bit ResRunningAB=0;
bit ResCommitAB=0;
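
The reduction argued for in the intruder model (Section IV.B.2) can be measured outside Spin. The following Python code is an added example, not the paper's Promela code (Fig. 7 and Fig. 8 are not reproduced on this page); the tuple encoding of Msg1, the method bodies and the exact reading of the faking rule are assumptions, and the captured messages are constructed.

```python
from itertools import product

AGENTS = ("A", "B", "I")
NONCES = ("Na", "Nb", "Ni")
PUBLIC_KEY = {"A": "PKa", "B": "PKb", "I": "PKi"}


class Intruder:
    """Dolev-Yao intruder I for Msg1 = {nonce, identity}key of reduced NSPK."""

    def __init__(self):
        # Initial knowledge: every identifier and public key, plus I's own nonce.
        self.knows = set(AGENTS) | set(PUBLIC_KEY.values()) | {"Ni"}
        self.reverse_keys = {"PKi"}  # I can only open what is encrypted for I
        self.stored = []             # opaque ciphertexts kept for replay

    def analysis(self, msg):
        """Capture (field1, field2, key); learn the fields if decryptable."""
        field1, field2, key = msg
        if key in self.reverse_keys:
            self.knows |= {field1, field2}
            return True
        self.stored.append(msg)      # perfect crypto: content stays hidden
        return False

    def naive_msg1(self):
        """Every known atom in every slot (random combination, as in [10])."""
        return set(product(sorted(self.knows), repeat=3))

    def constrained_msg1(self):
        """Well-formed fakes only. Assumed reading of the rule in the text:
        the key is another agent's public key, never PKi, and the claimed
        identity is not the responder the message is encrypted for."""
        fakes = set()
        for responder in ("A", "B"):
            for nonce in NONCES:
                for claimed in AGENTS:
                    if nonce in self.knows and claimed != responder:
                        fakes.add((nonce, claimed, PUBLIC_KEY[responder]))
        return fakes


def compare(captured):
    """Feed constructed captures to a fresh intruder; return both space sizes."""
    intruder = Intruder()
    for msg in captured:
        intruder.analysis(msg)
    return len(intruder.naive_msg1()), len(intruder.constrained_msg1()), intruder


if __name__ == "__main__":
    # Constructed captures: A -> B (opaque to I), then A -> I (readable by I).
    for capture in ([("Na", "A", "PKb")], [("Na", "A", "PKi")]):
        naive, constrained, intruder = compare(capture)
        print(capture, "naive:", naive, "constrained:", constrained)
        # Whether I can now build a Msg1 that claims to come from A, for B.
        print("  {Na,A}PKb buildable:", ("Na", "A", "PKb") in intruder.constrained_msg1())
```

Each candidate message is a branch the model checker must explore at that step, so the gap between the two counts is the per-step saving the paper attributes to its CreateMessage() rule.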