research-article
Open access

Verification of Mondex electronic purses with KIV: from transactions to a security protocol

Published: 01 January 2008

Abstract

The Mondex case study on the specification and refinement of an electronic purse, as defined in the Oxford Technical Monograph PRG-126, has recently been proposed as a challenge for formal, system-supported verification. In this paper we report on two results.
First, we report the successful verification of the full case study using the KIV specification and verification system. We demonstrate that, even though the hand-made proofs were elaborated to an enormous level of detail, we could still find small errors both in the underlying data refinement theory and in the formal proofs of the case study.
Second, the original Mondex case study verifies functional correctness under the assumption of a suitable security protocol. We extend the case study with a refinement to such a security protocol, which uses symmetric cryptography to achieve the necessary properties (authenticity and integrity) of the security-relevant messages. The definition is based on a generic framework for defining such protocols with abstract state machines (ASMs). We prove the refinement using a forward simulation.
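The abstract states that the concrete protocol protects the security-relevant messages with symmetric cryptography and that the refinement preserves the abstract transaction behaviour. The following is an added illustration, not code from the paper, the KIV development or the Mondex specification: a toy value-transfer exchange between two purses whose messages carry an HMAC-SHA256 tag under a shared key. The message names (req, val, ack), the field layout, the per-pair sequence counter and the single shared key are all constructed assumptions for this example; the real Mondex protocol, its key management and the paper's ASM refinement are not modelled here. What the example does show is the property the refinement is meant to deliver: a tampered or replayed message is rejected before any balance changes, so the abstract invariant "value is never created" (balance plus value in transit is conserved) survives an active attacker on the channel.

```python
"""Added example: MAC-authenticated purse-to-purse value transfer (toy model).
Not the paper's protocol; all names and the key setup are constructed."""
import hmac
import hashlib
from dataclasses import dataclass, field

# Assumption: the purses share one symmetric key. A fielded system would use
# per-purse keys derived from an issuer master key; this is a demo constant.
SHARED_KEY = b"constructed-demo-key"


def mac(key: bytes, fields: list) -> bytes:
    """HMAC-SHA256 over a length-prefixed encoding so fields cannot be re-split."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        b = str(f).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()


@dataclass
class Msg:
    kind: str            # "req", "val" or "ack" (assumed message names)
    src: str
    dst: str
    amount: int
    seq: int             # per-transaction counter; stops replays
    tag: bytes = b""

    def fields(self):
        return [self.kind, self.src, self.dst, self.amount, self.seq]


@dataclass
class Purse:
    name: str
    balance: int
    key: bytes = SHARED_KEY
    seen: dict = field(default_factory=dict)   # (peer, kind) -> highest seq accepted
    lost: int = 0                               # debited but not yet acknowledged

    def send(self, kind: str, dst: str, amount: int, seq: int) -> Msg:
        m = Msg(kind, self.name, dst, amount, seq)
        m.tag = mac(self.key, m.fields())
        return m

    def accept(self, m: Msg, kind: str) -> bool:
        """Authenticity, addressing and freshness checks before any state change."""
        if m.kind != kind or m.dst != self.name:
            return False
        if not hmac.compare_digest(m.tag, mac(self.key, m.fields())):
            return False                        # forged or modified in transit
        if m.seq <= self.seen.get((m.src, m.kind), -1):
            return False                        # replayed
        self.seen[(m.src, m.kind)] = m.seq
        return True


def inflate_amount(m: Msg) -> Msg:
    """Constructed attacker: rewrite the amount of a message in flight."""
    m.amount = m.amount * 10
    return m


def transfer(frm: Purse, to: Purse, amount: int, seq: int, tamper=None) -> bool:
    """One req/val/ack round; `tamper` optionally mutates the val message.
    Returns True if the value arrived at `to`."""
    req = to.send("req", frm.name, amount, seq)     # receiving purse asks for value
    if not frm.accept(req, "req") or frm.balance < amount:
        return False
    frm.balance -= amount                           # debit before the value leaves
    frm.lost += amount                              # in transit until acknowledged
    val = frm.send("val", to.name, amount, seq)
    if tamper:
        val = tamper(val)
    if not to.accept(val, "val"):
        return False                                # value stays in transit, never duplicated
    to.balance += amount
    ack = to.send("ack", frm.name, amount, seq)
    if frm.accept(ack, "ack"):
        frm.lost -= amount
    return True


def total(*purses: Purse) -> int:
    """Abstract-level invariant: no value is created by any run."""
    return sum(p.balance + p.lost for p in purses)


def replay_rejected() -> bool:
    """A valid val message presented twice is accepted once and rejected once."""
    a, b = Purse("A", 50), Purse("B", 0)
    val = a.send("val", "B", 10, 1)
    return b.accept(val, "val") and not b.accept(val, "val")
```

The debit-before-send ordering and the `lost` counter mirror the shape of the abstract purse model the paper refines, where value may be lost but never duplicated; the MAC check is what lets the concrete message-passing protocol simulate that abstract behaviour in the presence of an attacker who can modify or replay traffic.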



Published In

Formal Aspects of Computing, Volume 20, Issue 1
Jan 2008
134 pages
ISSN:0934-5043
EISSN:1433-299X

Publisher

Springer-Verlag

Berlin, Heidelberg

Publication History

Published: 01 January 2008
Accepted: 09 July 2007
Received: 19 January 2007
Published in FAC Volume 20, Issue 1

Author Tags

  1. Mondex
  2. Refinement
  3. ASM
  4. Verification
  5. Security protocol
  6. Z

Qualifiers

  • Research-article

Citations

Cited By

  • (2023) A Study of the Electrum and DynAlloy Dynamic Behavior Notations. IEEE Transactions on Software Engineering 49(11):4946-4963. doi:10.1109/TSE.2023.3320625. Online publication date: 29 Sep 2023
  • (2021) Flashix: Modular Verification of a Concurrent and Crash-Safe Flash File System. Logic, Computation and Rigorous Methods, pp 239-265. doi:10.1007/978-3-030-76020-5_14. Online publication date: 4 Jun 2021
  • (2018) Why Programming Must Be Supported by Modeling and How. Leveraging Applications of Formal Methods, Verification and Validation. Modeling, pp 89-110. doi:10.1007/978-3-030-03418-4_6. Online publication date: 5 Nov 2018
  • (2015) Using formal reasoning on a model of tasks for FreeRTOS. Formal Aspects of Computing 27(1):167-192. doi:10.1007/s00165-014-0308-9. Online publication date: 1 Jan 2015
  • (2014) The abstract state machines method for modular design and analysis of programming languages. Journal of Logic and Computation 27(2):417-439. doi:10.1093/logcom/exu077. Online publication date: 18 Dec 2014
  • (2014) Contracts in CML. Leveraging Applications of Formal Methods, Verification and Validation. Specialized Techniques and Applications, pp 54-73. doi:10.1007/978-3-662-45231-8_5. Online publication date: 2014
  • (2012) Proof Score Approach to Analysis of Electronic Commerce Protocols. International Journal of Software Engineering and Knowledge Engineering 20(2):253-287. doi:10.1142/S0218194010004712. Online publication date: 30 Apr 2012
  • (2010) Analyzing a Formal Specification of Mondex Using Model Checking. Theoretical Aspects of Computing – ICTAC 2010, pp 214-229. doi:10.1007/978-3-642-14808-8_15. Online publication date: 2010
  • (2010) The Tokeneer Experiments. Reflections on the Work of C.A.R. Hoare, pp 405-430. doi:10.1007/978-1-84882-912-1_17. Online publication date: 21 Jul 2010
  • (2009) Formal methods. ACM Computing Surveys 41(4):1-36. doi:10.1145/1592434.1592436. Online publication date: 9 Oct 2009
