Verification of A Key Chain Based TTP Transparent CEM Protocol

Zhiyuan Liu, Jun Pang, Chenyi Zhang
2011 Electronic Notes in Theoretical Computer Science
In certified email (CEM) protocols, TTP transparency is an important security requirement which helps to avoid bad publicity as well as protecting individual users' privacy. Recently we have extended the CEM protocol of Cederquist et al. to satisfy TTP transparency. As a continuation, in this paper, we formally verify the security requirement in the extended protocol. The properties of fairness, effectiveness and timeliness are checked in the model checker Mocha, and TTP transparency is analysed in the toolsets μCRL and CADP. The results confirm that our proposed extension achieves our design goals.

A better solution, so-called optimistic protocols [5], helps to release this burden from a TTP. In the optimistic protocols, a TTP is only required to be involved in case of unexpected events, such as a network failure or one party's misbehaviour, to restore fairness. If both the signer and the receiver behave correctly and there are no significant network delays, a CEM protocol terminates successfully without intervention of the TTP.

TTP transparency states that if a TTP has been contacted to help in a protocol, the resulting evidences will be the same as those obtained in the case where the TTP has not participated. In other words, by simply looking at the evidences, it is impossible to detect whether the TTP has been involved or not. Transparent TTPs are important and useful in practice, for instance, to avoid bad publicity. Moreover, this property also ensures the privacy of participants who ask for help from TTPs. In the context of CEM protocols, the use of a transparent TTP was first proposed by Micali [17], followed by a number of works, e.g., [16, 18, 19, 21, 12], in which different cryptographic schemes are used to achieve TTP transparency.

Recently, we have developed a CEM protocol with a transparent TTP [15], based on the protocol of Cederquist et al. [9] that applies key chains to reduce the TTP's storage requirement. We achieve TTP transparency by adopting the verifiably encrypted signature scheme of [22]. We have shown that our extension is one of the most efficient CEM protocols satisfying TTP transparency, in addition to the other important properties such as strong fairness, effectiveness, and timeliness. The justifications for our claims are carried out on a rather informal level [15]. In this paper, we intend to take our analysis one step further by incorporating formal verification techniques.
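The definition of TTP transparency above can be read as a comparison of evidence traces. The following Python sketch is an added example, not taken from the paper: the two toy transition systems, the action labels and the function names are constructed for illustration and are not the authors' μCRL model.

```python
from typing import Dict, List, Set, Tuple

LTS = Dict[str, List[Tuple[str, str]]]  # state -> [(action label, next state)]

def observable_traces(lts: LTS, start: str, visible: Set[str]) -> Set[Tuple[str, ...]]:
    """Maximal traces from `start`, keeping only the actions in `visible`.
    All other actions are hidden. Assumes a finite, acyclic LTS."""
    traces, stack = set(), [(start, ())]
    while stack:
        state, trace = stack.pop()
        steps = lts.get(state, [])
        if not steps:                      # terminal state: the run is complete
            traces.add(trace)
        for label, nxt in steps:
            stack.append((nxt, trace + ((label,) if label in visible else ())))
    return traces

def is_ttp_transparent(lts: LTS, start: str, evidence: Set[str], ttp: Set[str]) -> bool:
    """True if runs that involve the TTP and runs that do not yield the same
    set of evidence traces, so the evidence alone does not reveal the TTP."""
    with_ttp, without_ttp = set(), set()
    for trace in observable_traces(lts, start, evidence | ttp):
        projected = tuple(a for a in trace if a in evidence)
        (with_ttp if any(a in ttp for a in trace) else without_ttp).add(projected)
    return with_ttp == without_ttp

# Constructed labels: evidence of origin (EOO) and of receipt (EOR).
EVIDENCE = {"ev:EOO=sig_A", "ev:EOR=sig_B", "ev:EOR=sig_TTP"}
TTP_ACTIONS = {"ttp:recover"}

def make_model(recovered_evidence: str) -> LTS:
    """Toy exchange: either Bob answers, or the TTP is asked to recover."""
    return {
        "s0": [("msg:A->B", "s1")],
        "s1": [("msg:B->A", "ok"), ("ttp:recover", "rec")],
        "ok": [("ev:EOO=sig_A", "ok2")],
        "ok2": [("ev:EOR=sig_B", "end")],
        "rec": [("ev:EOO=sig_A", "rec2")],
        "rec2": [(recovered_evidence, "end")],
    }

# Assumption: a transparent TTP yields the party's ordinary signature,
# while a non-transparent TTP issues evidence signed by itself.
TRANSPARENT = make_model("ev:EOR=sig_B")
AFFIDAVIT = make_model("ev:EOR=sig_TTP")
```

Calling `is_ttp_transparent` on `TRANSPARENT` returns `True`, while `AFFIDAVIT` fails the check because the TTP-signed evidence appears only in runs where the TTP took part.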
The finite-state model checker Mocha [4] is used to verify the properties of fairness, timeliness and effectiveness, which are naturally interpreted as alternating-time temporal logic (ATL) formulas with game semantics [3]. The verification of properties expressed in ATL corresponds to the computation of winning strategies. Another toolset, μCRL [7, 6], is used for TTP transparency, which requires a comparison of observable traces in various situations. The μCRL toolset is able to generate state spaces that can be visualized and manipulated by the toolbox CADP [11], which acts as a back-end of μCRL.

Structure of the paper. We explain our proposed extension of the CEM protocol [9] and discuss its desired properties in Sect. 2. The two verification tools, Mocha and μCRL, are presented briefly in Sect. 3. In Sect. 4 we verify fairness, timeliness and effectiveness in Mocha with a focus on the modelling, and in Sect. 5 we verify TTP transparency in μCRL. Related work is discussed in Sect. 6. We conclude the paper in Sect. 7.

A Key Chain Based TTP Transparent CEM Protocol

Our protocol is developed on the basis of the protocol [9], to support TTP transparency. Key chains are used to reduce the TTP's storage requirement. Once a key chain is initialized between Alice and Bob, Alice can use any key within it to encrypt messages. Our approach requires the usage of a verifiably encrypted signature scheme to en-
doi:10.1016/j.entcs.2011.07.006 fatcat:pqdih62qpzgy3hqzkgnvqlhsry