Verification of security protocols using LOTOS-method and application
Introduction
With the development of the Internet and especially with the birth of electronic commerce, the security of communications between computers becomes a crucial point. All these new applications require reliable protocols able to perform secure transactions. The environment of these operations is very hostile because no transmission channel can be considered safe. Formal descriptions and verifications can be used to obtain the assurance that a protocol cannot be threatened by an intruder.
Our approach consists of using a generic formal language (LOTOS) and its associated verification methods and tools to verify security protocols. We explain how LOTOS can be used to specify security protocols and cryptographic operations, and show how security properties can be modelled as safety properties and checked automatically by a model-based verification tool. In our method a simple and powerful intruder process is explicitly added to the specification, so that the verification of the security properties guarantees the robustness of the protocol against attacks of such an intruder.
Our approach is similar to [24], [25] where authentication protocols were specified in CSP [17] and checked by the FDR tool by verifying the trace inclusion relation between the system and the property. This tool and the one we have used are not classical model-checkers but rather equivalence or preorder checkers. Model-checkers (e.g. [26], [30]) have also been used in similar ways.
The model-based methods are extremely powerful at finding subtle flaws in protocols, but are less well suited to proving correctness when no bug is found. This is because they are applied to simplified, though realistic, models of the systems. On the other hand, theorem provers [2], [7], [19], [32] can provide such proofs and can also deal more easily with infinite-state systems. However, the proofs are usually less automated, and when no proof has been derived for a given property, it is not easy to know whether the property is wrong or whether the tool simply did not find it. In particular, an attack that falsifies the property is not provided automatically.
We illustrate our technique on a concrete registration protocol which is a part of the Equicrypt protocol [21] designed in the ACTS OKAPI project. We have already verified and corrected the subscription protocol [22], [23] and the registration protocol [13], [14] of Equicrypt. This paper extends our previous work in two ways: firstly, we present a more complete picture of our approach and secondly, we propose an enhanced design in two steps: we find a simpler registration protocol that remains secure, and a more sophisticated protocol that allows a better discrimination between intruder's attacks and classical protocol errors.
The paper is organized as follows: in Section 2, we will show that the LOTOS language is appropriate to handle the specification of security protocols at a high level of abstraction. With its flexibility, a wide range of cryptographic operations can be modelled. We will describe the establishment of security properties and the associated verification process in Section 3. The verification is quite automatic and allows one to certify that an intruder cannot break a cryptographic protocol with different kinds of attacks. An application of our method on a concrete protocol will be presented in Section 4. We will also point out that it is possible to tune a protocol in order to obtain new properties and improve its behaviour. Finally, we compare our approach with related work.
Section snippets
LOTOS specification
In our approach the formal specification of a security protocol is written in LOTOS [4], [18] which is a standardized language suitable for the description of distributed systems. It is made up of two components:
- A process algebra, mostly inspired by CCS [29] and CSP [17], with a structured operational semantics. It describes the behaviour of processes and their interactions. LOTOS has a rich set of operators (multiway synchronization and abstraction like in CSP, disabling, …), and an explicit
Properties to be verified
Most security properties rely on the fact that the intruder does not know some secret information or is not able to construct the expected message. They can be characterized as safety properties. Informally, safety properties are properties stating “nothing bad will happen”. Authentication, access control, confidentiality, integrity and non-repudiation are safety properties. Each of these security services requires that a particular situation cannot occur.
The only liveness property is the
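To make the safety-property view above concrete, here is a small added example (not the paper's LOTOS specification, and written in Python rather than LOTOS): a Dolev-Yao-style intruder knowledge model with a check that a secret S never becomes derivable by the intruder. The principal names U, TTP and I, the keys and the two protocol variants are constructed for illustration.

```python
# Added example (not the paper's LOTOS model): a small Dolev-Yao-style
# intruder knowledge model for the safety property "the intruder never
# learns the secret". Terms are tuples: ("atom", n), ("pub", a),
# ("priv", a), ("sym", n), ("pair", x, y), ("enc", key, body).
# Keys are atomic terms; names, keys and messages below are constructed.

def inverse(key):
    """Key needed to open a ciphertext made with `key`."""
    if len(key) != 2:
        return None  # compound terms are not keys
    kind, name = key
    return {"pub": ("priv", name), "priv": ("pub", name)}.get(kind, key)

def analyze(known):
    """Decomposition closure: split pairs and open ciphertexts whose inverse
    key is known. Terminates because only subterms are ever added."""
    known = set(known)
    changed = True
    while changed:
        changed = False
        for m in list(known):
            if m[0] == "pair":
                parts = {m[1], m[2]}
            elif m[0] == "enc" and inverse(m[1]) in known:
                parts = {m[2]}
            else:
                continue
            if not parts <= known:
                known |= parts
                changed = True
    return known

def derivable(t, known):
    """Synthesis check: can the intruder build `t` from analysed knowledge?"""
    if t in known:
        return True
    if t[0] in ("pair", "enc"):  # pairing, or encrypting/signing with a built key
        return derivable(t[1], known) and derivable(t[2], known)
    return False

def intruder_learns(secret, trace, initial):
    """True means the safety property 'secret stays secret' is violated."""
    return derivable(secret, analyze(set(initial) | set(trace)))

# Constructed scenario: the TTP sends secret S to user U; intruder I has its own
# key pair and everyone's public key, and observes every message on the channel.
S, U = ("atom", "S"), ("atom", "U")
INITIAL = {("pub", "U"), ("pub", "TTP"), ("pub", "I"), ("priv", "I"), U}
SIGNED_ONLY = [("enc", ("priv", "TTP"), ("pair", U, S))]     # flawed: S leaks
SIGN_THEN_ENCRYPT = [("enc", ("pub", "U"), SIGNED_ONLY[0])]  # fixed: S stays secret
```

Running `intruder_learns(S, SIGNED_ONLY, INITIAL)` reports the violation (a signature under TTP's private key is opened with TTP's public key), while the sign-then-encrypt variant passes.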
An example of verification
To illustrate our method, this section presents an example of verification. We have chosen the registration part of the Equicrypt protocol, a conditional access protocol under design in the European ACTS OKAPI project [16]. It allows a user to subscribe to multimedia services such as video on demand. The user must first register with a trusted third party (TTP) using a challenge-response exchange. After a successful registration, this TTP issues a public-key certificate which allows the user to
Conclusion and related work
This paper presents a formal verification process for security protocols using LOTOS. We have shown how to specify a protocol with the concept of trusted and untrusted principals. The flexibility of abstract data types allows the description of a wide range of cryptographic operations. We have shown the modelling of the classical public-key scheme but also a more complex one: the Guillou–Quisquater algorithm. Our approach thus relies on classical formalisms and tools and contrasts with works
Acknowledgements
This work has been partially supported by the Commission of the European Union (DG XIII) under the ACTS AC051 project OKAPI: “Open Kernel for Access to Protected Interoperable Interactive Services”.
References (34)
- et al., Introduction to the ISO specification language LOTOS, Computer Networks and ISDN Systems (1987)
- et al., On the security of ping-pong protocols, Information and Control (1982)
- The NRL protocol analyser: an overview, Journal of Logic Programming (1996)
- M. Abadi, A.D. Gordon, A calculus for cryptographic protocols—the spi calculus, in: Proceedings of the Fourth ACM...
- D. Bolignano, Formal verification of cryptographic protocols, in: Proceedings of the Third ACM Conference on Computer...
- Towards a Mechanization of Cryptographic Protocol Verification (1997)
- et al., Safety for branching time semantics (1991)
- et al., A logic of authentication, ACM Transactions on Computer Systems (1990)
- P. Chen, V. Gligor, On the formal specification and verification of a multiparty session protocol, in: Proceedings of...
- et al., On the security of public key protocols, IEEE Transactions on Information Theory (1983)
- Fundamentals of Algebraic Specification 1, Equations and Initial Semantics
- A computer-aided design of a secure registration protocol
- A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory