Expressing Security Protocol Goals
Protocols are designed to achieve particular security properties in the presence of particular kinds and levels of threat. It should thus be part of the specification of the protocol to make explicit the kind of threat that it is designed to counter. For example, protocols for communication over satellite links might assume that a message can be overheard, that spoof messages can be generated, but that messages cannot be blocked. Alternatively, protocols might be designed for protection against an external intruder, but might rely on the assumption that all principals are honest. The threat models we have discussed are fairly generic, and for secrecy and authentication we will implicitly assume (unless stated explicitly) the threat model encapsulated by the intruder process introduced in the previous chapter: that attacks can be mounted by principals as well as external agents, and that messages can be intercepted, redirected, duplicated, altered and created by the intruder. Whether or not a protocol meets its goals may well be dependent on the threat model. Alternative threat models will be discussed throughout the chapter. These can usually be described simply by changing the intruder’s initial knowledge IK, or his capabilities through adjusting the ⊢ relation, or by restricting what can be provided to the agents on the receive channels.
This chapter concentrates much of its attention on secrecy and authentication properties. These are safety properties, in the sense that they require that bad things should not happen – that a data item is not leaked and that an agent does not incorrectly accept the identity of another agent. Liveness issues, such as the concern that the protocol might not terminate, will not be addressed explicitly. Other properties – anonymity and non-repudiation – will also be discussed.
The emphasis in this chapter is on explicitness. Security properties will be defined by introducing additional information into protocol descriptions to enable a description of what is expected of the system at particular points during a run of the protocol. This information, in the form of messages, might be thought of as capturing the intention of the designers of the protocol.
Secrecy – If a particular data item m is intended to be secret at the end of the protocol run, then a message Claim secret will be inserted at the end of the description of the protocol run. The secrecy property will state that the intruder cannot obtain m during a run of the protocol whenever its secrecy is claimed. This is illustrated in Figure 3.1.
Figure 3.1. Adding a secrecy claim
Authentication – An authentication protocol should establish particular guarantees when it has completed, concerning the party it has apparently been running with. These are often of the form that if the run has completed then the other party has also been involved in the protocol run. The completion of a run of the protocol will be marked by a Commit event, and authentication will require that the occurrence of such an event must mean that a corresponding Running event must previously have been performed by the other party. The way in which these events must match will characterize the authentication property. This is illustrated in Figure 3.2.
Figure 3.2. Adding an authentication claim
Specification events, or signals, simply make understanding the requirements on the system easier. Any specification that can be expressed in terms of such events can also be expressed on the bare system without them, but perhaps in a less transparent way.
This means that additional signal channels are added to the model of the system. These do not reflect what the agents do, but rather enable the expression of particular properties by identifying points in the protocol run to which we wish to refer in specifying properties. Hence signals are not facts. We will use Signal to denote the set of all possible signals that can be introduced in the model of the system. This set is disjoint from the set of facts: Signal ∩ Fact = ∅.
The information that appears on the signal channels will be a claim, a sequence of users, and a fact. The claim will correspond to a stage that the signalling agent is currently at; the sequence of users will describe the agents that the signalling agent associates the protocol run with; and the fact will contain some information that the claim is about, usually including facts used in that protocol run. Note that since concatenation of facts yields another fact, so the fact component of a signal can comprise a sequence of atomic facts.
The introduction of these additional messages aids clarity, but at the cost of introducing some complexity into the automated and machine-assisted analysis of protocols. Later chapters will consider equivalent but more concise versions of the properties, optimizing protocol descriptions for model-checking at the expense of explicitness by reducing the number of messages. These optimizations are justified by the theory of CSP, and analysis of the resulting descriptions gives results about the original protocol descriptions. The different ways of expressing protocol goals depend on different motivations:
we want to be as explicit as possible, so we can be confident that the descriptions capture what we intend;
we want them to be as simple as possible (in CSP terms) since this makes verification easier;
we want them to be expressed as processes with as few states as possible, to make model-checking more feasible.
In fact, we will need to ensure that different expressions of the property should be equivalent for the system under analysis, so that two specifications (S(tr) and T(tr), say) have that (System sat S(tr)) ⇔ (System sat T(tr)). This can be the case even if S(tr) and T(tr) are not equivalent on all processes.
3.1 The Yahalom protocol
Recall the Yahalom protocol:
In itself, this description does not state what the protocol aims to achieve. The expectation that it provides authentication of each of its participants to the other must be made explicit, as must the requirement that the key kab distributed to the participants must be secret. The property that the nonce nb should be secret at the end of the protocol can also be expressed. This may or may not be a requirement of the protocol, depending on its intended use.
The CSP description of the protocol was given in Chapter 2. The individual runs of the initiator and responder are:
The Yahalom protocol can then be described as the combination of the users and the server. This is expressed as the Yahalom process:
and the system that is to be investigated runs the protocol in the environment provided by the intruder:
Explicit events reflecting specific claims about the system will be inserted at particular stages in the protocol. These amended protocol descriptions will be expressed as primed versions of the original, so for example the amended Yahalom will be Yahalom′.
Although claims are often expressed in anthropomorphic terms, concerning the state of mind of the protocol agent, or particular beliefs of the agent, we will express protocol requirements purely in terms of relationships between these events.
Properties can be expressed either as trace specifications S(tr) or as CSP processes Spec. However, the property is also dependent on the description of Intruder, which encapsulates the threat model. The protocol as described by Yahalom′ is correct with respect to threat Intruder and specification S(tr) if