Cas Cremers
ABSTRACT
A recent development in formal security protocol analysis is the Protocol Composition Logic (PCL). We identify a number of problems with this logic as well as with extensions of the logic, as defined in [9, 13, 14, 17, 20, 21]. The identified problems imply strong restrictions on the scope of PCL, and imply that some currently claimed PCL proofs cannot be proven within the logic, or make use of unsound axioms. Where possible, we propose solutions for these problems.
- A. Armando, D. Basin, Y. Boichut, Y. Chevalier, L. Compagna, L. Cuellar, P. Drielsma, P. Heám, O. Kouchnarenko, J. Mantovani, S. Mödersheim, D. von Oheimb, M. Rusinowitch, J. Santiago, M. Turuani, L. Viganò, and L. Vigneron. The AVISPA tool for the automated validation of internet security protocols and applications. volume 3576 of Lecture Notes in Computer Science, pages 281--285. Springer-Verlag, 2005. Google Scholar
Digital Library
- D. Basin, S. Mödersheim, and L. Viganò. An on-the-fly model-checker for security protocol analysis. In ESORICS, volume 2808 of Lecture Notes in Computer Science, pages 253--270. Springer-Verlag, 2003.Google Scholar
- M. Bellare and P. Rogaway. Entity authentication and key distribution. In CRYPTO '93: Proceedings of the 13th annual international cryptology conference on Advances in cryptology, pages 232--249, New York, NY, USA, 1994. Springer-Verlag. Google ScholarDigital Library
- B. Blanchet. An efficient cryptographic protocol verifier based on Prolog rules. In Proc. 14th IEEE Computer Security Foundations Workshop (CSFW), pages 82--96. IEEE Computer Society, 2001. Google ScholarDigital Library
- E. Bresson, Y. Lakhnech, L. Mazaré, and B. Warinschi. A generalization of DDH with applications to protocol analysis and computational soundness. In A. J. Menezes, editor, Proc. of Crypto '07, volume 4622 of Lecture Notes in Computer Science, pages 482--499. Springer-Verlag, August 2007. Google ScholarDigital Library
- M. Burrows, M. Abadi, and R. Needham. A logic of authentication. ACM Transactions on Computer Systems, 8(1):18--36, 1990. Google ScholarDigital Library
- C. Cremers. Scyther - Semantics and Verification of Security Protocols. PhD thesis, Computer Science Department, Eindhoven University of Technology, November 2006.Google Scholar
- C. Cremers, S. Mauw, and E. de Vink. Injective synchronisation: an extension of the authentication hierarchy. Theoretical Computer Science, 2006. Google ScholarDigital Library
- A. Datta. Security Analysis of Network Protocols: Compositional Reasoning and Complexity-theoretic Foundations. PhD thesis, Computer Science Department, Stanford University, September 2005. Google ScholarDigital Library
- A. Datta, A. Derek, J. Mitchell, and D. Pavlovic. A derivation system for security protocols and its logical formalization. In Proc. 16th IEEE Computer Security Foundations Workshop (CSFW), pages 109--125. IEEE Computer Society, 2003.Google ScholarCross Ref
- A. Datta, A. Derek, J. Mitchell, and D. Pavlovic. Abstraction and refinement in protocol derivation. In Proc. 17th IEEE Computer Security Foundations Workshop (CSFW), pages 30--45, Washington, DC, USA, June 2004. IEEE Computer Society. Google ScholarDigital Library
- A. Datta, A. Derek, J. Mitchell, and D. Pavlovic. Secure protocol composition. Electron. Notes Theor. Comput. Sci., 83, 2004. Proceedings of 19th Annual Conference on Mathematical Foundations of Programming Semantics.Google Scholar
- A. Datta, A. Derek, J. Mitchell, and D. Pavlovic. A derivation system and compositional logic for security protocols. Journal of Computer Security, 13(3):423--482, 2005. Google ScholarCross Ref
- A. Datta, A. Derek, J. Mitchell, and A. Roy. Protocol Composition Logic (PCL). Electron. Notes Theor. Comput. Sci., 172:311--358, 2007. Computation, Meaning, and Logic: Articles dedicated to Gordon Plotkin. Editors: L. Cardelli, M. Fiore, and G. Winskel. Google ScholarDigital Library
- A. Datta, A. Derek, J. Mitchell, and B. Warinschi. Computationally sound compositional logic for key exchange protocols. Proc. 19th IEEE Computer Security Foundations Workshop (CSFW), 0:321--334, 2006. Google ScholarDigital Library
- A. Datta, A. Derek, J. C. Mitchell, and D. Pavlovic. Secure protocol composition (extended abstract). In FMSE '03: Proceedings of the 2003 ACM workshop on Formal methods in security engineering, pages 11--23, New York, NY, USA, 2003. ACM. Google ScholarDigital Library
- A. Derek. Formal Analysis of Security Protocols: Protocol Composition Logic. PhD thesis, Computer Science Department, Stanford University, December 2006. Google ScholarDigital Library
- N. Durgin, J. Mitchell, and D. Pavlovic. A compositional logic for protocol correctness. In Proc. 14th IEEE Computer Security Foundations Workshop (CSFW), pages 241--272, 2001. Google ScholarDigital Library
- N. Durgin, J. Mitchell, and D. Pavlovic. A compositional logic for proving security properties of protocols. Journal of Computer Security, 11:667--721, 2003. Google ScholarDigital Library
- C. He. Analysis of Security Protocols for Wireless Networks. PhD thesis, Department of Electrical Engineering, Stanford University, December 2005. Google ScholarDigital Library
- C. He, M. Sundararajan, A. Datta, A. Derek, and J. Mitchell. A modular correctness proof of IEEE 802.11i and TLS. In CCS '05: Proceedings of the 12th ACM conference on Computer and communications security, pages 2--15. ACM Press, 2005. Google ScholarDigital Library
- G. Lowe. Casper: A compiler for the analysis of security protocols. In Proc. 10th IEEE Computer Security Foundations Workshop (CSFW), pages 18--30. IEEE Computer Society, 1997. Google ScholarDigital Library
- G. Lowe. A hierarchy of authentication specifications. In Proc. 10th IEEE Computer Security Foundations Workshop (CSFW), pages 31--44. IEEE Computer Society, 1997. Google ScholarDigital Library
- A. Roy, A. Datta, A. Derek, J. C. Mitchell, and J.-P. Seifert. Secrecy analysis in protocol composition logic. In M. Okada and I. Satoh, editors, Proceedings of 11th Annual Asian Computing Science Conference, Lecture Notes in Computer Science, December 2006. Preliminary version. Google ScholarDigital Library
Recommendations
Protocol Composition Logic (PCL)
Protocol Composition Logic (PCL) is a logic for proving security properties of network protocols that use public and symmetric key cryptography. The logic is designed around a process calculus with actions for possible protocol steps including ...
Completeness and Counter-Example Generations of a Basic Protocol Logic
We give an axiomatic system in first-order predicate logic with equality for proving security protocols correct. Our axioms and inference rules derive the basic inference rules, which are explicitly or implicitly used in the literature of protocol ...
First-order logics of quasiary predicates
Composition nominative logics of quasiary predicates are studied. The spectrum of composition nominative logics is considered and various classes of first-order logics of quasiary predicates are described. Sequent calculi are constructed for the general ...
Reviews
Wolfgang Schreiner
It has long been recognized that the analysis of the security of computing systems needs a formal basis to adequately argue about possibilities of attacks and the means to prevent them. A recent approach in this area is the protocol composition logic (PCL), a logic for security protocols around which a rich body of literature has emerged; it has been applied to numerous case studies, and various extensions have been proposed. This paper reviews this body of work and identifies a number of problems in basic PCL, as well as in its extensions; Cremers discusses these problems thoroughly, describes their implications, and outlines the solutions. In a nutshell, PCL is less expressive than originally believed-certain interesting properties cannot actually be proved from the logical calculus; furthermore, an extension uses an unsound axiom from which wrong conclusions can be derived. The arguments are given by investigating the structure of derivation rules and by examples of protocol behaviors not adequately captured by the logic. The paper, while well written and addressing an interesting topic, discusses mainly previous results and is therefore only accessible to experts proficient in these. However, there is a common thread that is unfortunately not highlighted: the ultimate source of problems is apparently a research methodology where claims are published that are justified only by proof sketches, with hidden assumptions and an informal reasoning style. This paper seems to indicate that this is not sufficient and new methodologies-computer-supported proof checking-should be considered. Online Computing Reviews Service
Access critical reviews of Computing literature here
Become a reviewer for Computing Reviews.
Comments