ACM Transactions on Computer Systems (TOCS)
A Formal Language for Cryptographic Protocol Requirements
Designs, Codes and Cryptography - Special issue dedicated to Gustavus J. Simmons
A calculus for cryptographic protocols: the spi calculus
Proceedings of the 4th ACM conference on Computer and communications security
Strand spaces: proving security protocols correct
Journal of Computer Security
Constraint solving for bounded-process cryptographic protocol analysis
CCS '01 Proceedings of the 8th ACM conference on Computer and Communications Security
Formalizing GDOI group key management requirements in NPATRL
CCS '01 Proceedings of the 8th ACM conference on Computer and Communications Security
An Improved Constraint-Based System for the Verification of Security Protocols
SAS '02 Proceedings of the 9th International Symposium on Static Analysis
Casper: A Compiler for the Analysis of Security Protocols
CSFW '97 Proceedings of the 10th IEEE workshop on Computer Security Foundations
A Trace Logic for Local Security Properties
Electronic Notes in Theoretical Computer Science (ENTCS)
Epistemic Logic for the Applied Pi Calculus
FMOODS '09/FORTE '09 Proceedings of the Joint 11th IFIP WG 6.1 International Conference FMOODS '09 and 29th IFIP WG 6.1 International Conference FORTE '09 on Formal Techniques for Distributed Systems
Deciding security properties for cryptographic protocols. application to key cycles
ACM Transactions on Computational Logic (TOCL)
Hi-index | 0.00 |
Several formal approaches have been proposed to analyse security protocols, e.g. [2,7,11,1,6,12]. Recently, a great interest has been growing on the use of constraint solving approach. Initially proposed by Millen and Shmatikov [9], this approach allows analysis of a finite number of protocol sessions. Yet, the representation of protocol runs by symbolic traces (as opposed to concrete traces) captures the possibility of having unbounded message space, allowing analysis over an infinite state space. A constraint is defined as a pair consisting of a message M and a set of messages K that represents the intruder's knowledge. Millen and Shmatikov present a procedure to solve a set of constraints, i.e. that in each constraint, M can be built from K. When a set of constraints is solved, then a concrete trace representing an attack over the protocol can be extracted. Corin and Etalle [4] has improved the work of Millen and Shmatikov by presenting a more efficient procedure. However, none of these constraint-based systems provide enough flexibility and expresiveness in specifying security properties. For example, to check secrecy an artificial protocol role is added to simulate whether a secret can be learned by an intruder. Authentication cannot also be checked directly. Moreover, only a built-in notion of authentication is implemented by Millen and Shmatikov in his Prolog implementation [10]. This problem motivates our current work. A logical formalism is considered to be an appropriate solution to improve the flexibility and expresiveness in specifying security properties. A preliminary attempt to use logic for specifying local security properties in a constraint-based setting has been carried out [3]. Inspired by this work and the successful NPATRL [11,8], we currently explores a variant of linear temporal logic (LTL) over finite traces, ${\mathcal PS}$-LTL, standing for pure-past security LTL [5]. In contrast to standard LTL, this logic deals only with past events in a trace. In our current work, a protocol is modelled as in previous works [9,4,3], viz. by protocol roles. A protocol role is a sequence of send and receive events, together with status events to indicate, e.g. that a protocol role has completed her protocol run. A scenario is then used to deal with the number of sessions and protocol roles considered in the analysis. Integrating ${\mathcal PS}$-LTL into our constraint solving approach presents a challenge, since we need to develop a sound and complete decision procedure against symbolic traces, instead of concrete traces. Our idea to address this problem is by concretizing symbolic traces incrementally while deciding a formula. Basically, the decision procedure consists of two steps: transform and decide. The former step transforms a ${\mathcal PS}$-LTL formula with respect to the current trace into a so-called elementary formula that is built from constraints and equalities using logical connectives and quantifiers. The decision is then performed by the latter step through solving the constraints and checking the equalities. Although we define a decision procedure for a fragment of ${\mathcal PS}$-LTL, this fragment is expressive enough to specify several security properties, like various notions of secrecy and authentication, and also data freshness. We provide a Prolog implementation and have analysed several security protocols. There are many directions for improvement. From the implementation point of view, the efficiency of the decision procedure can still be improved. I would also like to investigate the expressiveness of the logic for speficying other security properties. This may result in an extension of the decision procedure for a larger fragment of the logic. Another direction is to characterize the expressivity power of ${\mathcal PS}$-LTL compared to other security requirement languages.