
Refining security protocols

Published: 01 January 2018

Abstract

We propose a development method for security protocols based on stepwise refinement. Our refinement strategy transforms abstract security goals into protocols that are secure when operating over an insecure channel controlled by a Dolev-Yao-style intruder. As intermediate levels of abstraction, we employ messageless guard protocols and channel protocols communicating over channels with security properties. These abstractions provide insight into why protocols are secure and foster the development of families of protocols sharing common structure and properties. We have implemented our method in Isabelle/HOL and used it to develop different entity authentication and key establishment protocols, including realistic features such as key confirmation, replay caches, and encrypted tickets. Our development highlights that guard protocols and channel protocols provide fundamental abstractions for bridging the gap between security properties and standard protocol descriptions based on cryptographic messages. It also shows that our refinement approach scales to protocols of nontrivial size and complexity.
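The abstract's central move, a channel-level protocol step whose channel carries a stated security property, refined to cryptographic messages exchanged in front of a Dolev-Yao intruder, can be exercised with a small symbolic model. The Python below is an added illustration written for this page; it is not code from the paper or from its Isabelle/HOL development. The message algebra (pairs and symmetric encryption), the four channel kinds, the key names Kab and Kas, and the intruder's initial knowledge are all constructed for the example.

```python
"""Toy symbolic model, added as an illustration; not code from the paper or
its Isabelle/HOL development. Kab, Kas, "IntruderKey" and the channel kinds
are constructed for this example."""
from dataclasses import dataclass
from typing import FrozenSet, Set, Union


@dataclass(frozen=True)
class Enc:            # symmetric encryption {body}_key
    key: "Msg"
    body: "Msg"


@dataclass(frozen=True)
class Pair:           # concatenation <left, right>
    left: "Msg"
    right: "Msg"


Msg = Union[str, Enc, Pair]


def analz(knowledge: Set[Msg]) -> FrozenSet[Msg]:
    """Dolev-Yao decomposition closure: split pairs and open ciphertexts
    whose key is already known, iterating to a fixpoint."""
    k = set(knowledge)
    changed = True
    while changed:
        changed = False
        for m in list(k):
            if isinstance(m, Pair):
                new = {m.left, m.right}
            elif isinstance(m, Enc) and m.key in k:
                new = {m.body}
            else:
                continue
            if not new <= k:
                k |= new
                changed = True
    return frozenset(k)


def synth(m: Msg, known: FrozenSet[Msg]) -> bool:
    """Dolev-Yao composition: can the intruder build m from `known`?"""
    if m in known:
        return True
    if isinstance(m, Pair):
        return synth(m.left, known) and synth(m.right, known)
    if isinstance(m, Enc):
        return synth(m.key, known) and synth(m.body, known)
    return False          # an atom never observed cannot be guessed


def intruder_learns(m: Msg, observed: Set[Msg]) -> bool:
    return synth(m, analz(observed))


# ---- Intermediate level: channel protocol over channels typed by property ----
INSECURE, AUTHENTIC, CONFIDENTIAL, SECURE = "insecure", "authentic", "confidential", "secure"


def channel_send(kind: str, payload: Msg, observed: Set[Msg]) -> Set[Msg]:
    """Insecure and authentic-only channels let the intruder read the payload;
    confidential and secure channels reveal nothing about it."""
    if kind in (INSECURE, AUTHENTIC):
        return observed | {payload}
    return set(observed)


def channel_level_leaks_kab(kind: str) -> bool:
    """Server S sends session key Kab to A on a channel of the given kind.
    True means the secrecy goal for Kab is violated at the channel level."""
    observed = {"IntruderKey"}                       # constructed initial knowledge
    observed = channel_send(kind, "Kab", observed)
    return intruder_learns("Kab", observed)


# ---- Final level: implement each channel with cryptography on the network ----
def implement_channel(kind: str, payload: Msg, long_term_key: Msg) -> Msg:
    """Symmetric encryption under the long-term key Kas shared by A and S is,
    in Dolev-Yao terms, unreadable and unforgeable without Kas, so it implements
    a confidential or secure channel. Sending the payload in clear beside a tag
    (modelled as encryption of the payload under Kas) implements only an
    authentic channel. An insecure channel is plaintext."""
    if kind in (SECURE, CONFIDENTIAL):
        return Enc(long_term_key, payload)
    if kind == AUTHENTIC:
        return Pair(payload, Enc(long_term_key, payload))
    return payload


def message_level_leaks_kab(kind: str, kas_compromised: bool = False) -> bool:
    """Same step after refinement: the only channel left is the insecure
    network, so the intruder observes every message sent."""
    observed = {"IntruderKey"}
    if kas_compromised:
        observed.add("Kas")                          # long-term key compromise
    observed.add(implement_channel(kind, "Kab", "Kas"))
    return intruder_learns("Kab", observed)


def refinement_preserves_secrecy(kind: str) -> bool:
    """The refined step must have the same secrecy outcome as the abstract
    channel step; this is the obligation a refinement proof discharges."""
    return channel_level_leaks_kab(kind) == message_level_leaks_kab(kind)


if __name__ == "__main__":
    for kind in (INSECURE, AUTHENTIC, CONFIDENTIAL, SECURE):
        print(f"{kind:12s} leaks Kab at channel level: {channel_level_leaks_kab(kind)}, "
              f"after refinement: {message_level_leaks_kab(kind)}, "
              f"refinement preserved: {refinement_preserves_secrecy(kind)}")
    print("secure channel, Kas compromised, leaks Kab:",
          message_level_leaks_kab(SECURE, kas_compromised=True))
```

Two things the model makes visible that the abstract only states. First, the channel level already decides the secrecy outcome: Kab is lost on an authentic-only channel and kept on a confidential or secure one, before any cryptography is chosen; the refinement step only has to show that the cryptographic message implements the channel's property, which is what `refinement_preserves_secrecy` checks for one step. Second, the caveat: once the long-term key Kas is in the intruder's knowledge, the message-level step leaks Kab while the channel-level step does not, so the refinement no longer holds. The secrecy a channel abstraction promises is exactly as strong as the keys used to implement it.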


Published In

Journal of Computer Security, Volume 26, Issue 1 (2018), 141 pages

Publisher

IOS Press, Netherlands

Author Tags

  1. Security protocols
  2. stepwise refinement
  3. correctness-by-construction
  4. entity authentication
  5. key establishment

Qualifiers

  • Research-article
