Distributed temporal logic for the analysis of security protocol models. (English) Zbl 1253.68053
Summary: The distributed temporal logic DTL is an expressive logic, well suited for formalizing properties of concurrent, communicating agents. We show how DTL can be used as a metalogic to reason about and relate different security protocol models. This includes reasoning about model simplifications, where models are transformed to have fewer agents or behaviors, and verifying model reductions, where to establish the validity of a property it suffices to consider its satisfaction on only a subset of models.
We illustrate how DTL can be used to formalize security models, protocols, and properties, and then present three concrete examples of metareasoning. First, we prove a general theorem about sufficient conditions for data to remain secret during communication. Second, we prove the equivalence of two models for guaranteeing message-origin authentication. Finally, we relate channel-based and intruder-centric models, showing that it is sufficient to consider models in which the intruder completely controls the network. While some of these results belong to the folklore or have been shown, mutatis mutandis, using other formalisms, DTL provides a uniform means to prove them within the same formalism. It also allows us to clarify subtle aspects of these model transformations that are often neglected or cannot be specified in the first place.
We illustrate how DTL can be used to formalize security models, protocols, and properties, and then present three concrete examples of metareasoning. First, we prove a general theorem about sufficient conditions for data to remain secret during communication. Second, we prove the equivalence of two models for guaranteeing message-origin authentication. Finally, we relate channel-based and intruder-centric models, showing that it is sufficient to consider models in which the intruder completely controls the network. While some of these results belong to the folklore or have been shown, mutatis mutandis, using other formalisms, DTL provides a uniform means to prove them within the same formalism. It also allows us to clarify subtle aspects of these model transformations that are often neglected or cannot be specified in the first place.
Keywords:
security protocols; security protocol analysis; security protocol models; temporal logic; distributed temporal logicReferences:
| [1] | Abadi, M.; Fournet, C.; Gonthier, G., Secure implementation of channel abstractions, Information and Computation, 174, 1, 37-83 (2002) · Zbl 1009.68084 |
| [2] | Andova, S.; Cremers, C.; Gjøsteen, K.; Mauw, S.; Mjølsnes, S.; Radomirović, S., A framework for compositional verification of security protocols, Information and Computation, 206, 425-459 (2008) · Zbl 1147.68389 |
| [3] | Armando, A.; Basin, D.; Boichut, Y.; Chevalier, Y.; Compagna, L.; Cuellar, J.; Drielsma, P. H.; Heám, P.-C.; Kouchnarenko, O.; Mantovani, J.; Mödersheim, S.; von Oheimb, D.; Rusinowitch, M.; Santiago, J.; Turuani, M.; Viganò, L.; Vigneron, L., The AVISPA tool for the automated validation of internet security protocols and applications, (Proceedings of CAV’2005. Proceedings of CAV’2005, LNCS, vol. 3576 (2005), Springer-Verlag), 281-285 · Zbl 1081.68523 |
| [4] | Armando, A.; Carbone, R.; Compagna, L.; Cuellar, J.; Tobarra Abad, L., Formal analysis of SAML 2.0 Web Browser Single Sign-On: breaking the SAML-based single sign-on for google apps, (Proceedings of FMSE 2008 (2008), ACM Press) |
| [5] | Armando, A.; Compagna, L., SAT-based model-checking for security protocols analysis, International Journal of Information Security, 6, 1, 3-32 (2007) |
| [6] | Backes, M.; Pfitzmann, B.; Waidner, M., The reactive simulatability framework for asynchronous systems, Information and Computation (2007) · Zbl 1132.68025 |
| [7] | Basin, D.; Caleiro, C.; Ramos, J.; Viganò, L., A Labeled Tableaux System for the Distributed Temporal Logic DTL, (Proceedings of TIME 2008 (2008), IEEE CS Press), 101-109 |
| [8] | Basin, D.; Caleiro, C.; Ramos, J.; Viganò, L., Labeled tableaux for distributed temporal logic, Journal of Logic and Computation, 19, 6, 1245-1279 (2009) · Zbl 1196.03044 |
| [9] | Basin, D.; Mödersheim, S.; Viganò, L., Constraint differentiation: a new reduction technique for constraint-based analysis of security protocols, (Proceedings of CCS’03 (2003), ACM Press), 335-344 |
| [10] | Basin, D.; Mödersheim, S.; Viganò, L., OFMC: a symbolic model checker for security protocols, International Journal of Information Security, 4, 3, 181-208 (2005) |
| [11] | Bellare, M.; Rogaway, P.; Krawczyk, H., A modular approach to the design and analysis of authentication and key exchange protocols, (Proceedings of STOC’98 (1998), ACM Press) · Zbl 1028.68015 |
| [12] | Blanchet, B., An efficient cryptographic protocol verifier based on prolog rules, (Proceedings of CSFW’01 (2001), IEEE CS Press), 82-96 |
| [13] | Boyd, C.; Mathuria, A., Protocols for Authentication and Key Establishment (2003), Springer-Verlag · Zbl 1043.68014 |
| [14] | Bugliesi, M.; Focardi, R., Language based secure communication, (Proceedings of CSF 21 (2008), IEEE CS Press), 3-16 |
| [15] | Burrows, M.; Abadi, M.; Needham, R., A logic of authentication, ACM Transactions on Computer Systems, 8, 18-36 (1990) |
| [16] | C. Caleiro, L. Viganò, D. Basin, Metareasoning about Security Protocols using Distributed Temporal Logic, in: Proceedings of ARSPA’04, pp. 67-89. ENTCS 125(1), 2005.; C. Caleiro, L. Viganò, D. Basin, Metareasoning about Security Protocols using Distributed Temporal Logic, in: Proceedings of ARSPA’04, pp. 67-89. ENTCS 125(1), 2005. · Zbl 1272.68051 |
| [17] | Caleiro, C.; Viganò, L.; Basin, D., Relating strand spaces and distributed temporal logic for security protocol analysis, Logic Journal of the IGPL, 13, 6, 637-664 (2005) · Zbl 1098.03039 |
| [18] | Caleiro, C.; Viganò, L.; Basin, D., On the semantics of Alice&Bob specifications of security protocols, Theoretical Computer Science, 367, 1-2, 88-122 (2006) · Zbl 1153.94450 |
| [19] | Canetti, R., Universally composable security: a new paradigm for cryptographic protocols, (Proceedings of FOCS’01 (2001), IEEE CS Press), 136-145 |
| [20] | Cervesato, I.; Durgin, N. A.; Lincoln, P. D.; Mitchell, J. C.; Scedrov, A., A Comparison between Strand Spaces and Multiset Rewriting for Security Protocol Analysis, (Proceedings of ISSS 2002. Proceedings of ISSS 2002, LNCS, vol. 2609 (2003), Springer-Verlag), 356-383 · Zbl 1033.94513 |
| [21] | Cervesato, I.; Syverson, P. F., The logic of authentication protocols, (Foundations of Security Analysis and Design. Foundations of Security Analysis and Design, LNCS (2001), Springer-Verlag), 63-136 · Zbl 1007.68510 |
| [22] | Chevalier, Y.; Vigneron, L., Automated unbounded verification of security protocols, (Proceedings of CAV’02. Proceedings of CAV’02, LNCS (2002), Springer-Verlag), 324-337 · Zbl 1010.68508 |
| [23] | Clarke, E. M.; Jha, S.; Marrero, W. R., Verifying security protocols with brutus, ACM Trans. Softw. Eng. Methodol., 9, 4, 443-487 (2000) |
| [24] | Comon-Lundh, H.; Cortier, V., Security properties: two agents are sufficient, (Proceedings of ESOP’2003. Proceedings of ESOP’2003, LNCS, 2618 (2003), Springer-Verlag), 99-113 · Zbl 1032.94508 |
| [25] | Cortier, V.; Delaune, S., Safely composing security protocols, Formal Methods in System Design, 34, 1, 1-36 (2009) · Zbl 1165.68358 |
| [26] | Cortier, V.; Delaune, S.; Lafourcade, P., A survey of algebraic properties used in cryptographic protocols, Journal of Computer Security, 1, 1-43 (2006) |
| [27] | Cortier, V.; Millen, J.; Rueß, H., Proving secrecy is easy enough, (Proceedings of CSFW’01 (2001), IEEE CS Press) |
| [28] | Crazzolara, F.; Winskel, G., Events in security protocols, (Proceedings of CCS’01 (2001), ACM Press), 96-105 |
| [29] | Crazzolara, F.; Winskel, G., Composing strand spaces, (Proceedings of FST TCS 2002. Proceedings of FST TCS 2002, LNCS, vol. 2556 (2002), Springer-Verlag), 97-108 · Zbl 1027.68089 |
| [30] | Cremers, C., The Scyther Tool: verification, falsification, and analysis of security protocols, (Proceedings of CAV’08. Proceedings of CAV’08, LNCS, vol. 5123 (2008), Springer-Verlag), 414-418 |
| [31] | C. Dilloway, Chaining secure channels, in: Proceedings of FCS-ARSPA-WITS’08, 2008.; C. Dilloway, Chaining secure channels, in: Proceedings of FCS-ARSPA-WITS’08, 2008. |
| [32] | C. Dilloway, G. Lowe, On the specification of secure channels, in: Proceedings of WITS’07, 2007.; C. Dilloway, G. Lowe, On the specification of secure channels, in: Proceedings of WITS’07, 2007. |
| [33] | Dolev, D.; Yao, A., On the security of public key protocols, IEEE Transactions on Information Theory, 29, 2, 198-208 (1983) · Zbl 0502.94005 |
| [34] | Ehrich, H.-D.; Caleiro, C., Specifying communication in distributed information systems, Acta Informatica, 36, 591-616 (2000) · Zbl 0949.03029 |
| [35] | Guttman, J. D., Cryptographic protocol composition via the authentication tests, (Proceedings of FOSSACS’09. Proceedings of FOSSACS’09, LNCS, vol. 5504 (2009), Springer-Verlag), 303-317 · Zbl 1234.94045 |
| [36] | Guttman, J. D.; Thayer Fábrega, F. J., Authentication tests and the structure of bundles, Theoretical Computer Science, 283, 2, 333-380 (2002) · Zbl 1050.68039 |
| [37] | Halpern, J. Y.; Pucella, R., On the relationship between strand spaces and multi-agent systems, ACM Transactions on Information and System Security, 6, 1, 43-70 (2003) |
| [38] | Jacobs, B.; Hasuo, I., Semantics and logic for security protocols, Journal of Computer Security, 17, 6, 909-944 (2009) |
| [39] | Jacquemard, F.; Rusinowitch, M.; Vigneron, L., Compiling and Verifying Security Protocols, (Proceedings of LPAR 2000. Proceedings of LPAR 2000, LNCS, vol. 1955 (2000), Springer), 131-160 · Zbl 0988.68562 |
| [40] | Lodaya, K.; Ramanujam, R.; Thiagarajan, P., Temporal logics for communicating sequential agents: I, Intern. Journal of Foundations of Computer Science, 3, 1, 117-159 (1992) · Zbl 0754.68085 |
| [41] | Lodaya, K.; Thiagarajan, P., A modal logic for a subclass of event structures, (Proceedings of ICALP 14. Proceedings of ICALP 14, LNCS, vol. 267 (1987), Springer-Verlag), 290-303 · Zbl 0643.68026 |
| [42] | Lowe, G., Breaking and Fixing the Needham-Shroeder Public-Key Protocol Using FDR, (Proceedings of TACAS’96. Proceedings of TACAS’96, LNCS, vol. 1055 (1996), Springer-Verlag), 147-166 |
| [43] | Lowe, G., A hierarchy of authentication specifications, (Proceedings of CSFW’97 (1997), IEEE CS Press) |
| [44] | Lowe, G., Casper: a compiler for the analysis of security protocols, Journal of Computer Security, 6, 1, 53-84 (1998) |
| [45] | Maurer, U. M.; Schmid, P. E., A calculus for security bootstrapping in distributed systems, Journal of Computer Security, 4, 1, 55-80 (1996) |
| [46] | Meadows, C., The NRL protocol analyzer: an overview, Journal of Logic Programming, 26, 2, 113-131 (1996) · Zbl 0871.68052 |
| [47] | Millen, J.; Rueß, H., Protocol-independent secrecy, (2000 IEEE Symposium on Security and Privacy (May 2000), IEEE CS Press) |
| [48] | J. Millen, V. Shmatikov, Constraint solving for bounded-process cryptographic protocol analysis, in: Proceedings of ACM Conference on Computer and Communications Security CCS’01, 2001, pp. 166-175.; J. Millen, V. Shmatikov, Constraint solving for bounded-process cryptographic protocol analysis, in: Proceedings of ACM Conference on Computer and Communications Security CCS’01, 2001, pp. 166-175. |
| [49] | Millen, J. K.; Denker, G., Capsl and mucapsl, Journal of Telecommunications and Information Technology, 4, 16-27 (2002) |
| [50] | Mödersheim, S., Algebraic properties in alice and bob notation, (Proceedings of Ares’09 (2009), IEEE Xplore), 433-440 |
| [51] | Mödersheim, S.; Viganò, L., Secure pseudonymous channels, (Proceedings of Esorics’09. Proceedings of Esorics’09, LNCS, vol. 5789 (2009), Springer-Verlag), 337-354 · Zbl 1481.94077 |
| [52] | Mödersheim, S.; Viganò, L., The open-source fixed-point model checker for symbolic analysis of security protocols, (FOSAD 2008/2009. FOSAD 2008/2009, LNCS, vol. 5705 (2009), Springer-Verlag), 166-194 · Zbl 1252.68193 |
| [53] | Mödersheim, S.; Viganò, L.; Basin, D., Constraint differentiation: search-space reduction for the constraint-based analysis of security protocols, Journal of Computer Security, 18, 4, 575-618 (2010) |
| [54] | Needham, R.; Schroeder, M., Using encryption for authentication in large networks of computers, Communications of the ACM, 21, 12, 993-999 (1978) · Zbl 0387.68003 |
| [55] | Paulson, L., The inductive approach to verifying cryptographic protocols, Journal of Computer Security, 6, 85-128 (1998) |
| [56] | Protocol composition logic (PCL). http://crypto.stanford.edu/protocols/; Protocol composition logic (PCL). http://crypto.stanford.edu/protocols/ · Zbl 1277.68033 |
| [57] | Ramanujam, R., Locally linear time temporal logic, (Proceedings of LICS 11 (1996), IEEE CS Press), 118-127 |
| [58] | Ramanujam, R.; Suresh, S., A (restricted) quantifier elimination for security protocols, Theoretical Computer Science, 367, 228-256 (2006) · Zbl 1153.94008 |
| [59] | Ryan, P.; Schneider, S.; Goldsmith, M.; Lowe, G.; Roscoe, B., Modelling and Analysis of Security Protocols (2000), Addison Wesley |
| [60] | Song, D.; Berezin, S.; Perrig, A., Athena: a novel approach to efficient automatic security protocol analysis, Journal of Computer Security, 9, 47-74 (2001) |
| [61] | Stinson, D. R., Cryptography Theory and Practice (2005), CRC Press, Inc |
| [62] | Thayer Fábrega, F. J.; Herzog, J. C.; Guttman, J. D., Honest ideals on strand spaces, (Proceedings of CSFW 17 (1998), IEEE CS Press), 66-78 |
| [63] | Thayer Fábrega, F. J.; Herzog, J. C.; Guttman, J. D., Strand spaces: proving security protocols correct, Journal of Computer Security, 7, 191-230 (1999) |
| [64] | Turuani, M., The CL-Atse Protocol Analyser, (Proceedings of RTA’06. Proceedings of RTA’06, LNCS, vol. 4098 (2006)), 277-286 · Zbl 1151.68454 |
| [65] | Viganò, L., Automated Security Protocol Analysis with the AVISPA Tool, ENTCS 155, 155, 61-86 (2006) |
| [66] | Winskel, G., Event structures, (Petri Nets: Applications and Relationships to Other Models of Concurrency. Petri Nets: Applications and Relationships to Other Models of Concurrency, LNCS, vol. 255 (1987), Springer-Verlag), 325-392 · Zbl 0626.68022 |
| [67] | Winskel, G.; Nielsen, M., Models for concurrency, (Handbook of Logic in Computer Science (Vol. 4): Semantic Modelling (1995), Oxford University Press: Oxford University Press Oxford, UK), 1-148 · Zbl 0876.68001 |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
