Sound Security Protocol Transformations [chapter]

Binh Thanh Nguyen, Christoph Sprenger
2013 Lecture Notes in Computer Science  
We propose a class of protocol transformations, which can be used to (1) develop (families of) security protocols by refinement and (2) abstract existing protocols to increase the efficiency of verification tools. We prove the soundness of these transformations with respect to an expressive security property specification language covering secrecy and authentication properties. Our work clarifies and significantly extends the scope of earlier work in this area. We illustrate the usefulness of our approach on a family of key establishment protocols.

NESSoS: Network of Excellence on Engineering Secure Future Internet Software Services and Systems.

The security properties we are interested in include: (P1) the secrecy of the session key $k_{AB}$, (P2) A authenticates S on $k_{AB}$, $n_A$, and $t_S$, and (P3) A and B authenticate each other on $k_{AB}$ and $t_A$.

To improve the performance of verification tools, we remove protocol elements that we deem unnecessary for a given property to hold and verify that property on the simplified protocol. If there is no attack then the soundness of our abstractions allows us to conclude that the original protocol also satisfies the property. In the first abstraction step, we pull B's ticket out of the encryption in message K4(2). The result is the core of Kerberos V, called K5, which differs from K4 as follows. In the second step, we eliminate the forwarding of B's ticket by A by applying structural transformations. This yields protocol K3, on which we verify mutual authentication of A and B (P3). We omit the message K3(1) which equals K5(1). In the third step, we remove the key confirmation phase, i.e., messages K3(4) and K3(5). For the resulting protocol, K2, which we omit here, we verify the authentication property (P2). In a final transformation, we remove the server timestamp $t_S$ and the initiator nonce $n_A$. The result is protocol K1 for which we verify secrecy (P1).

Example 3 (K4 to K5). We formalize the protocol K4 as follows (where $c \in C$). The type-based message transformation $S_{f_4} = (T_{f_4}, \Gamma_{f_4}, E_{f_4})$, where $T_{f_4} = \emptyset$ and $E_{f_4}$ is defined using list concatenation @ and $E_0(f)$ from Example 2 as follows. Applying $f_4$ to K4 yields K5 = $f_4$(K4) as follows. In this and the next example, we omit roles that are unchanged by the respective transformations.

Example 4 (K3 to K2). Recall that K3 results from K5 by structural transformations $f_5$ eliminating the forwarding of B's ticket by A.
In K3, defined below, there are therefore separate events for the server sending A and B's ticket and for B receiving his ticket (from S) and the authenticator (from A). K3(A) where the key confirmation messages have been removed.

$K2(A) = snd(A, B, n_A) \cdot rcv(\{|B, T_S, n_A, K_{AB}|\}_{sh(A,S)})$

$K2(B) = rcv(\{|A, T_S, K_{AB}|\}_{sh(B,S)})$

A further abstraction, $f_2$, removes $t_S$ and $n_A$ from K2, resulting in protocol K1.

Well-definedness and simulation

We are now in a position to establish the substitution property for splitting protocols and well-typed substitutions. Its proof uses Lemmas 2 and 3 above together with the following lemma stating that well-typed substitutions preserve types.

Lemma 4. Let $\theta$ be a well-typed substitution with respect to a typing environment $\Gamma$. Then for all terms $t \in T$, $\Gamma$ $t : \tau$ implies that $\Gamma$ $t\theta : \tau$.

Theorem 2 (Substitution property). Let $P$ be a splitting protocol and $S_f$ be a type-based protocol transformation and $\theta$ be a well-typed substitution with respect to $\Gamma_P$. Then for all $t \in M_P$, we have $f(t\theta) = f(t)f(\theta)$.

The first application of the substitution property is to establish well-definedness.

Proposition 3 (Well-definedness). Let $P$ be a splitting protocol and $S_f$ be a type-based protocol transformation. Then $f(P)$ is a protocol with honest substitution $\delta_{f(P)} = f(\delta_P)$.

Next, we lift deducibility preservation (Theorem 1) to non-ground terms and establish the simulation property. Since protocol descriptions contain non-ground terms, we restrict our attention to simple-keyed protocols, for which the set of (ground) types of the protocol's terms is simple-keyed. Hereafter, $IK_0$ and $IK_0$ denote the intruder's initial knowledge associated with $P$ and $f(P)$, respectively.

Definition 17. A protocol $P$ is simple-keyed if the set of types $\Gamma_P(Rt_P)$ is simple-keyed.

Lemma 5. If $P$ is a simple-keyed protocol, $T \subseteq Rt_P$ and $\theta$ is a well-typed ground substitution with respect to $\Gamma_P$, then $T\theta$ is a simple-keyed set of terms.

Proposition 4.
Let $P$ be a simple-keyed, splitting protocol, $S_f$ a type-based message transformation, and $\theta$ a well-typed ground substitution with respect to $\Gamma_P$. Assume that $IK_0$ is simple-keyed and $f(IK_0) \subseteq IK_0$. Then, for all $T \subseteq Rt_P$ and $u \in M_P$, we have $T\theta \cup IK_0$ $u\theta$ implies $f(T)f(\theta) \cup IK_0$ $f(u)f(\theta)$.

Theorem 3 (Simulation). Let $P$ be a simple-keyed, splitting protocol and let $S_f$ be a type-based message transformation. Assume that $IK_0$ is simple-keyed and $f(IK_0) \subseteq IK_0$. Then for all states $(tr, th, \sigma)$ reachable in $P$ such that $\sigma$ is well-typed w.r.t. $\Gamma_P$, $(f(tr), f(th), f(\sigma))$ is a reachable state of $f(P)$ and $f(\sigma)$ is well-typed w.r.t. $\Gamma_{f(P)}$.
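The K2-to-K1 abstraction and the substitution property of Theorem 2 can be exercised on a toy term model. The following is an added example, not code from the paper: the term encoding, the typing environment `GAMMA`, and the helper names `ty`, `f`, `subst`, `well_typed` and `commutes` are assumptions, and `f` is a simplified stand-in for the paper's type-based transformation that only deletes tuple fields of type timestamp or nonce.

```python
# Added illustration: a simplified term model, not the paper's formalism.
# Atoms are (type, name); variables are ("var", name) typed by GAMMA;
# compound terms are ("tuple", [fields]) and ("enc", body, key).
REMOVED = {"timestamp", "nonce"}              # what f2 strips: t_S and n_A
GAMMA = {"TS": "timestamp", "KAB": "key"}     # variable typing (assumed)

def ty(t):
    """Type of an atom or variable; None for tuples and encryptions."""
    if t[0] == "var":
        return GAMMA[t[1]]
    return None if t[0] in ("tuple", "enc") else t[0]

def f(t):
    """Type-based abstraction: drop tuple fields whose type is removed."""
    if t[0] == "tuple":
        return ("tuple", [f(x) for x in t[1] if ty(x) not in REMOVED])
    if t[0] == "enc":
        return ("enc", f(t[1]), t[2])         # keys are left untouched
    return t

def subst(t, theta):
    """Apply substitution theta (variable name -> term) to t."""
    if t[0] == "var":
        return theta.get(t[1], t)
    if t[0] == "tuple":
        return ("tuple", [subst(x, theta) for x in t[1]])
    if t[0] == "enc":
        return ("enc", subst(t[1], theta), t[2])
    return t

def well_typed(theta):
    return all(ty(v) == GAMMA[x] for x, v in theta.items())

def commutes(t, theta):
    """Check f(t theta) == f(t) f(theta) for one term."""
    f_theta = {x: f(v) for x, v in theta.items()}
    return f(subst(t, theta)) == subst(f(t), f_theta)

A, B, nA = ("agent", "A"), ("agent", "B"), ("nonce", "nA")
TS, KAB = ("var", "TS"), ("var", "KAB")
shAS, shBS = ("shkey", "A,S"), ("shkey", "B,S")
# K2 roles as given on the page; events are (direction, message) pairs.
K2_A = [("snd", ("tuple", [A, B, nA])),
        ("rcv", ("enc", ("tuple", [B, TS, nA, KAB]), shAS))]
K2_B = [("rcv", ("enc", ("tuple", [A, TS, KAB]), shBS))]
K1_A = [(d, f(m)) for d, m in K2_A]           # t_S and n_A removed
K1_B = [(d, f(m)) for d, m in K2_B]

GOOD = {"TS": ("timestamp", "t1"), "KAB": ("key", "k1")}   # well-typed
BAD = {"TS": ("timestamp", "t1"), "KAB": ("nonce", "n9")}  # key var -> nonce
```

With the constructed substitution `GOOD`, abstraction and instantiation commute on A's received message; with the ill-typed `BAD` they do not, because `f` deletes the nonce once it is substituted for the key variable, which is why the theorem is stated for well-typed substitutions.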
doi:10.1007/978-3-642-36830-1_5 fatcat:rdldxp3mb5cfjnxv24pekhlpru