Analysis of cryptographic protocols through semantic methods

Security of network protocols: a complex case

An increasing number of network services include procedures of various importance to ensure some security in communications. Even though the basic components of these procedures (cryptographic primitives) are correct, clever attacks can still breach the security. The designer of distributed systems therefore has to take the possibility of such attacks into account; on the other, for efficiency reasons, he shouldn't overload the system by an excessive quantity of computations.

While heuristic approaches of protocol correction may have been sufficient, there's an increasing demand of more formal, even perhaps entirely formal, proofs of protocol security.

The interest reader might be interested in my bibliography on the topic.

Formal methods of analysis

The answers so far brought out can be sorted between two big categories:

Formalizing the heuristic justifications of protocol correction ; that is, agreeing on a set of common-sense, basic rules (for instance, if a machine A and a machine B are the only ones possessing a key K and B receives a message encrypted with K and not originating from B, then that means A sent it). Security facts are then sought as the conclusions of chains of applications of those formal rules from hypotheses about the protocol setup.
Burrows, Abadi and Needham were the first to propose such a "logic" ; further propositions (Gong, Needham and Yahalom, Syversion et Van Oorschot) mended certain problems. Automatic schemes have been proposed for these analyses (Kindred and Wing) ; I showed in 1997 that there existed a class of such logics, including BAN and GNY logics, that are easily decided ; I also implemented a decision procedures for GNY logic that is gives results on a few seconds on protocols described in the literature [CSFW12] [JTIT02] .

For anyone that's interested, I have a LaTeX package for writing BAN and GNY formulas and my implementation of my decision procedure for GNY logic.
Giving a protocol description language and a semantics for this language. This semantics is supposed, given the description of a protocol and a configuration, represent as a mathematical object the computation that should take place. Usually, the cryptographic primitives involved are supposed to be perfect. Properties of the produced mathematical objects can be studied in multiple ways:
- proofs of theorems in semi-automated provers such as Coq or PVS ;
- automatic analyses: a spectrum of techniques are proposed:
  - abstract interpretation (possibily of security results),
  - partial model-checking (fast; finds errors, but can't give total security).

I have developped to that effect abstract interpretation techniques [SAS99] [SCP03].

References

[1]	David Monniaux. Decision procedures for the analysis of cryptographic protocols by logics of belief. In 12th Computer Security Foundations Workshop, pages 44-54. IEEE, 1999. [ bib \| .ps.gz \| .pdf ] Belief-logic deductions are used in the analysis of cryptographic protocols. We show a new method to decide such logics. In addition to the familiar BAN logic, it is also applicable to the more advanced versions of protocol security logics, and GNY in particular; and it employs an efficient forward-chaining algorithm the completeness and termination of which are proved. Theoretic proofs, implementation decisions and results are discussed.
[2]	David Monniaux. Abstracting cryptographic protocols with tree automata. In Sixth International Static Analysis Symposium (SAS'99), number 1694 in Lecture Notes in Computer Science, pages 149-163. Springer Verlag, 1999. [ bib \| .ps.gz \| .pdf ] Cryptographic protocols have so far been analyzed for the most part by means of testing (which does not yield proofs of secrecy) and theorem proving (costly). We propose a new approach, based on abstract interpretation and using regular tree languages. The abstraction we use seems fine-grained enough to be able to certify some protocols. Both the concrete and abstract semantics of the protocol description language and implementation issues are discussed in the paper.
[3]	David Monniaux. Analysis of cryptographic protocols using logics of belief: an overview. Journal of Telecommunications and Information Technology, 4:57-67, 2002. [ bib \| .pdf ] When designing a cryptographic protocol or explaining it, one often uses arguments such as “since this message was signed by machine B, machine A can be sure it came from B” in informal proofs justifying how the protocol works. Since it is, in such informal proofs, often easy to overlook an essential assumption, such as a trust relation or the belief that a message is not a replay from a previous session, it seems desirable to write such proofs in a formal system. While such logics do not replace the recent techniques of automatic proofs of safety properties, they help in pointing the weaknesses of the system. In this paper, we present briefly the BAN (Burrows - Abadi - Needham) formal system [?] as well as some derivative. We show how to prove some properties of a simple protocol, as well as detecting undesirable assumptions. We then explain how the manual search for proofs can be made automatic. Finally, we explain how the lack of proper semantics can be a bit worrying.
[4]	David Monniaux. Abstracting cryptographic protocols with tree automata. Science of Computer Programming, 47(2-3):177-202, 2003. Journal version of [2]. [ bib \| http \| .ps.gz \| .pdf ]
[5]	Michael Burrows, Martín Abadi, and Roger Needham. A logic of authentication. Technical Report 39, Digital Equipment Corporation, Systems Research Centre, February 1989. [ bib \| .html ] Questions of belief are essential in analyzing protocols for authentication in distributed computing systems. In this paper we motivate, set out, and exemplify a logic specifically designed for this analysis; we show how various protocols differ subtly with respect to the required initial assumptions of the participants and their final beliefs. Our formalism has enabled us to isolate and express these differences with a precision that was not previously possible. It has drawn attention to features of protocols of which we and their authors were previously unaware, and allowed us to suggest improvements to the protocols. The reasoning about some protocols has been mechanically verified. This paper starts with an informal account of the problem, goes on to explain the formalism to be used, and gives examples of its application to protocols from the literature, both with conventional shared-key cryptography and with public-key cryptography. Some of the examples are chosen because of their practical importance, while others serve to illustrate subtle points of the logic and to explain how we use it. We discuss extensions of the logic motivated by actual practice - for example, in order to account for the use of hash functions in signatures. The final sections contain a formal semantics of the logic and some conclusions.
[6]	Li Gong, Roger Needham, and Raphael Yahalom. Reasoning about belief in cryptographic protocols. In IEEE Symposium on Research in Security and Privacy, pages 234-248, Oakland, California, May 1990. IEEE Computer Society Press. [ bib \| www: ] Keywords: BAN logic, GNY logic, cryptography, authentication, formal methods
[7]	P. Syverson and P. C. van Oorschot. On unifying some cryptographic protocol logics. In 1994 IEEE Computer Society Symposium on Research in Security and Privacy, pages 14-28, May 1994. [ bib \| .ps ]

David Monniaux's pages. Thu Aug 20 12:24:05 2009
Français English

Pages formatted with htmlpp.