Journal ArticleDOI

Verification of network security protocols

01 Dec 1989-Computers & Security (Elsevier Advanced Technology Publications)-Vol. 8, Iss: 8, pp 693-708
TL;DR: This paper analyzes the behaviour of a "generic" key distribution protocol using a model checker based on temporal logic to bring the automatic verification of finite systems closer to a practical proposition.
About: This article is published in Computers & Security. The article was published on 1989-12-01. It has received 28 citations till now. The article focuses on the topics: Cryptographic protocol & Otway–Rees protocol.
Citations
Journal ArticleDOI
TL;DR: Reviews the most commonly followed techniques for applying formal methods to the ex-post analysis and verification of cryptographic protocols (the analysis approach), followed by an examination of robustness principles and application limitations.

82 citations


Cites background from "Verification of network security pr..."

  • ...Attack-construction methods can be divided into three sub-categories based on their theoretical foundation: methods based on general purpose validation languages; algebraic simplification theoretic model methods; and special purpose expert system, scenario based methods....

08 Nov 1993
TL;DR: This paper examines current approaches and the state of the art in the application of formal methods to the analysis of cryptographic protocols, and develops a formal model based on the algebraic term-rewriting properties of cryptographic systems.
Abstract: In this paper, we examine current approaches and the state of the art in the application of formal methods to the analysis of cryptographic protocols. We use Meadows' classification of analysis techniques into four types. The Type I approach models and verifies a protocol using specification languages and verification tools not specifically developed for the analysis of cryptographic protocols. In the Type II approach, a protocol designer develops expert systems to create and examine different scenarios, from which she may draw conclusions about the security of the protocols being studied. The Type III approach models the requirements of a protocol family using logics developed specifically for the analysis of knowledge and belief. Finally, the Type IV approach develops a formal model based on the algebraic term-rewriting properties of cryptographic systems. The majority of research and the most interesting results are in the Type III approach, including reasoning systems such as the BAN logic; we present these systems and compare their relative merits. While each approach has its benefits, no current method is able to provide a rigorous proof that a protocol is secure. Formal Methods for the Analysis of Authentication Protocols

71 citations


Cites background or methods from "Verification of network security pr..."

  • ...Sidhu [50] and Varadharajan [63] describe how to specify a protocol using state diagrams....

  • ...B : {Nb − 1}Kab We use the following notation: P−1 event - principal P transmits message 1; P+1 event - principal P receives message 1. Varadharajan [63] gives a state diagram for each entity, A, B, and S....

  • ...Varadharajan [63] gives a state diagram for each entity, A, B, and S....

  • ...Others have been critical of the BAN logic [42, 57], and have proposed their own logics [30, 33, 35, 36, 37, 39, 55, 57, 63, 67]....

  • ...The state representations presented by Sidhu differ slightly from those of Varadharajan....

Journal ArticleDOI
TL;DR: This bibliography contains references of protocol descriptions and of protocol analysis efforts that are fundamental to access control, accounting and secure communication.
Abstract: Security of distributed systems is a topic of growing importance. The security breaches of the last few years (internet worm,...) have demonstrated the need for additional research in this area. One important aspect of security is authentication. It is fundamental to access control, accounting and secure communication. This bibliography contains references of protocol descriptions and of protocol analysis efforts

60 citations

Journal ArticleDOI
TL;DR: The proposed protocol is based on the OAuth 2.0 framework, and on secrets generated by on-chip physically unclonable functions, and eliminates the need to share the credentials of the protected resource with all connected devices, thus overcoming the weaknesses of conventional client–server authentication.
Abstract: In this paper, token-based security protocols with dynamic energy-security level tradeoff for Internet of Things (IoT) devices are explored. To assure scalability in the mechanism to authenticate devices in large-sized networks, the proposed protocol is based on the OAuth 2.0 framework, and on secrets generated by on-chip physically unclonable functions. This eliminates the need to share the credentials of the protected resource (e.g., server) with all connected devices, thus overcoming the weaknesses of conventional client–server authentication. To reduce the energy consumption associated with secure data transfers, dynamic energy-quality tradeoff is introduced to save energy when lower security level (or, equivalently, quality in the security subsystem) is acceptable. Energy-quality scaling is introduced at several levels of abstraction, from the individual components in the security subsystem to the network protocol level. The analysis on an MICA 2 mote platform shows that the proposed scheme is robust against different types of attacks and reduces the energy consumption of IoT devices by up to 69% for authentication and authorization, and up to 45% during data transfer, compared to a conventional IoT device with fixed key size.

49 citations


Cites methods from "Verification of network security pr..."

  • ...We prove the correctness of our protocol using the technique proposed by Sidhu [46] and Varadharajan [47]....

Proceedings ArticleDOI
01 Dec 2017
TL;DR: An analysis of the proposed protocol shows that it is not only robust against different kinds of attacks, but also very efficient in terms of memory, computations, energy, and communication overhead.
Abstract: One of the most important and critical requirements for Internet-of-Things (IoT) based systems is security under limited resources. The simple and low-cost nature of many IoT devices makes them a prime target for physical, side-channel, and cloning attacks. To address this issue, this paper presents an efficient protocol for mutual authentication in IoT systems. The proposed protocol uses a Physical Unclonable Function to provide the desired security characteristics. An analysis of the protocol shows that it is not only robust against different kinds of attacks, but also very efficient in terms of memory, computations, energy, and communication overhead.

41 citations


Cites methods from "Verification of network security pr..."

  • ...We use the reachability analysis technique proposed in [16], [15], as the next step to prove the correctness of the proposed protocol....

References
Journal ArticleDOI
TL;DR: It is argued that this technique can provide a practical alternative to manual proof construction or use of a mechanical theorem prover for verifying many finite-state concurrent systems.
Abstract: We give an efficient procedure for verifying that a finite-state concurrent system meets a specification expressed in a (propositional, branching-time) temporal logic. Our algorithm has complexity linear in both the size of the specification and the size of the global state graph for the concurrent system. We also show how this approach can be adapted to handle fairness. We argue that our technique can provide a practical alternative to manual proof construction or use of a mechanical theorem prover for verifying many finite-state concurrent systems. Experimental results show that state machines with several hundred states can be checked in a matter of seconds.

3,335 citations

Journal ArticleDOI
TL;DR: Use of encryption to achieve authenticated communication in computer networks is discussed and example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee.
Abstract: Use of encryption to achieve authenticated communication in computer networks is discussed. Example protocols are presented for the establishment of authenticated connections, for the management of authenticated mail, and for signature verification and document integrity guarantee. Both conventional and public-key encryption algorithms are considered as the basis for protocols.

2,671 citations

Journal ArticleDOI
TL;DR: It is shown that key distribution protocols with timestamps prevent replays of compromised keys and have the additional benefit of replacing a two-step handshake.
Abstract: The distribution of keys in a computer network using single key or public key encryption is discussed. We consider the possibility that communication keys may be compromised, and show that key distribution protocols with timestamps prevent replays of compromised keys. The timestamps have the additional benefit of replacing a two-step handshake.

787 citations

Journal ArticleDOI
Amir Pnueli
TL;DR: It is demonstrated that specification of the Temporal character of the program's behavior is absolutely essential for the unambiguous understanding of the meaning of programming constructs.

740 citations

01 Jan 1984
TL;DR: In this paper, the authors compare the expressive power of branching time and linear time temporal logic, and conclude that linear time logic is preferable for reasoning about concurrent programs.
Abstract: Temporal logic ([PR57], [PR67]) provides a formalism for describing the occurrence of events in time which is suitable for reasoning about concurrent programs (cf. [PN77]). In defining temporal logic, there are two possible views regarding the underlying nature of time. One is that time is linear: at each moment there is only one possible future. The other is that time has a branching, tree-like nature: at each moment, time may split into alternate courses representing different possible futures. Depending upon which view is chosen, we classify (cf. [RU71]) a system of temporal logic as either a linear time logic in which the semantics of the time structure is linear, or a system of branching time logic based on the semantics corresponding to a branching time structure. The modalities of a temporal logic system usually reflect the semantics regarding the nature of time. Thus, in a logic of linear time, temporal operators are provided for describing events along a single time path (cf. [GPSS80]). In contrast, in a logic of branching time the operators reflect the branching nature of time by allowing quantification over possible futures (cf. [AB80], [EC80]).
Some controversy has arisen in the computer science community regarding the differences between and appropriateness of branching versus linear time temporal logic. In a landmark paper [LA80] intended to "clarify the logical foundations of the application of temporal logic to concurrent programs," Lamport addresses these issues. He defines a single language based on the temporal operators "always" and "sometimes". Two distinct interpretations for the language are given. In the first interpretation formulae make assertions about paths, whereas in the second interpretation they make assertions about states. Lamport associates the former with linear time and the latter with branching time (although it should be noted that in both cases the underlying time structures are branching). He then compares the expressive power of linear time and branching time logic. Based on his comparison and other arguments, he concludes that, while branching time logic is suitable for reasoning about nondeterministic programs, linear time logic is preferable for reasoning about concurrent programs.
In this paper, we re-examine Lamport's arguments and reach somewhat different conclusions. We first point out some technical difficulties with the formalism of [LA80]. For instance, the definition of expressive equivalence leads to paradoxical situations where satisfiable formulae are classified as equivalent to false. Moreover, the proofs of the results comparing expressive power do not apply in the case of structures generated by a binary relation like those used in the logics of [FL79] and [BMP81]. We give a more refined basis for comparing expressive power that avoids these technical difficulties. It does turn out that expressibility results corresponding to Lamport's still hold. However, it should be emphasized that these results apply only to the two particular systems that he defines. Sweeping conclusions regarding branching versus linear time logic in general are not justified on this basis.
We will argue that there are several different aspects to the problem of designing and reasoning about concurrent programs. While the specific modalities needed in a logic depend on the precise nature of the purpose for which it is intended, we can make some general observations regarding the choice between a system of branching or linear time. We believe that linear time logics are generally adequate for verifying the correctness of pre-existing concurrent programs. For verification purposes, we are typically interested in properties that hold of all computation paths. It is thus satisfactory to pick an arbitrary path and reason about it. However, there are applications where we need the ability to assert the existence of alternative computation paths as provided by a branching time logic. This arises from the nondeterminism - beyond that used to model concurrency - present in many concurrent programs. In order to give a complete specification of such a program, we must ensure that there are viable computation paths corresponding to the nondeterministic choices the program might make. (An example is given in section 6.) Neither of Lamport's systems is entirely adequate for such applications.
In order to examine these issues more carefully, we define a language, CTL*, in which a universal or existential path quantifier can prefix an arbitrary linear time assertion. CTL* is an extension of the Computation Tree Logic, CTL, defined in [CE81] and studied in [EH82]. This language subsumes both of Lamport's interpretations and allows us to compare branching with linear time. Moreover, the syntax of CTL* makes it clear which interpretation is intended.
The paper is organized as follows: In section 2 we summarize Lamport's approach and discuss its limitation. In section 3 we present the syntax and semantics of CTL*. We also define some natural sublanguages of CTL* and compare their expressive power in Section 4. In particular, we show that (cf. Theorem 4.1) a language substantially less expressive than CTL* still subsumes both of Lamport's interpretations. Section 5 then shows how CTL* can be embedded in MPL [AB80] and PL [HKP80]. Finally, section 6 concludes with a comparison of the utility of branching and linear time logic.

260 citations