Automated Validation

of

Internet Security Protocols and Applications

(AVISPA)

Krassen Deltchev

Seminar Work

at

Chair for Network and Data Security

Prof. Dr. Jörg Schwenk

advised through Dipl.Ing. Sebastian Gajek

10 July 2006

Horst-Görtz Institute Ruhr-University of Bochum

2

Abstract

The AVISPA Model Checker is a tool for automated validation and verification of security

protocols. It provides a push-button web-based software- and hardware-independent interface and

installation binaries for UNIX-based Operating Systems.

It belongs to the group of the state-of-the-art Model Checkers and uses a modular and descriptive

formal language for specifying industrial-scale security protocols.

The different back-ends of the AVISPA tool implement new optimized analysing techniques for

automated protocol verification.

Therefore the researcher/scientist can prove even bigger in their specification protocols in a short

time and in a user-friendly way.

New cryptographic attacks are explored using the AVISPA tool and the Model-Checker covers

widest range of the modern authentication internet protocols, regarding their security validation.

Keywords: Security protocols, model checkers, formal methods, automated protocol validation.

3

Contents

0. Introduction................................................................................................................................ 4

1. Chapter: The problem…………................................................................................................ 4

2. Chapter: Formal Methods for Security Protocol Analysis......................................................... 5

2.1. Section: Computational Models.............................................................................................. 5

2.2. Section: Formal Models.......................................................................................................... 6

2.3. Section: Dolev-Yao Intruder Model........................................................................................ 8

3. Chapter: Model Checkers........................................................................................................... 9

4. AVISPA Model Checker.......................................................................................................... 11

4.1. Section: AVISPA Architecture.............................................................................................. 12

4.2. Section: HLPSL (High-Level Protocol Specification Language)………...............................15

4.3. Section: IF, the Intermediate Format Language.................................................................... 17

4.4. Section: Lazy-Intruder Model................................................................................................ 18

5. Chapter: HLPSL on NSPK handshake protocol…................................................................... 20

6. Chapter: Conclusion…………….............................................................................................. 25

Appendix A: HLPSL notation on SSL 3.0/TLS 1.0 handshake protocol..................................... 26

7. List of pictures…………………………................................................................................... 28

8. List of tables…………………….............................................................................................. 28

9. References……………………….............................................................................................. 29

4

Inroduction

The Internet Security became a very important and complex field of researches in our present

time, especially if we apply this to the discussion of Internet protocols as basic interfaces for

exchanging sensitive data over the Internet and finding appropriate and trustworthy algorithms

for their validation.

The facts, that the modern crypto-attacks are growing in their quantity and variations, that

modern hackers can break even ‘well’ defined and proved cryptographic protocols, lead us to the

conclusion – we must optimise the analysing methods of the security protocols in a reasonable

way and time.

The strong mathematical approaches lead to cryptographically provable results, but we cannot

categorize them as time-saving and even they are not easy to be used.

Can we find automated solutions, which shall be as much effective in their proofs and

completeness as the mathematical methods, and make us able to reach adequate conclusions,

regarding the robust functionality of the internet protocols and their security right on time?

1. The Problem

A pure analytical discussion on the problem of proving such protocols shall quickly exhaust the

reader; we shall try to introduce new methods and give such examples, which will show a

different view of finding reasonable solutions for optimising the analysis on the security

protocols.

To demonstrate the validation of Internet protocols, using cryptographic methods, is sophisticated

even including an input of computer machines.

We can use mathematic theories to prove security protocols, building a strong cryptosystem,

which can not only describe such ones and supply us with trustworthy proof results, but in case of

finding security weaknesses, make us able to correct the protocol’ specification, so the

probability, such leaks to be detected and exploited by an intruder can be minimized, making this

practically impossible.

However, these strong mathematical proof algorithms are much time-consuming and error-prone,

if we try to do them by hand.

Continuing this, we reach the point of our discussion about finding models, abstractions, a

formalism, which can be used as tools to automate that whole work of validating the security-

sensitive protocols in such way, so we can talk about completeness of the results, time-saving

algorithms and error-free proof-mechanisms.

In this paper we shall describe the functionality, as the theoretical background of the AVISPA1

Model Checker, which is one of the modern security tools for proving the correctness and robust

work, regarding validation of internet security protocols.

As an Implementation of AVISPA, we shall demonstrate the On-the-Fly-Model-Checker

(OFMC), as proving a well-known basic authentication protocol, The Needham-Schroeder

Public-Key protocol, discussing the realisation of the protocol’ notation in the tool and the proof

results.

Let us make a basic overview on these different methods for security protocol validation.

1 AVISPA – Automated Validation of Internet Security sensitive Protocols and Applications

5

2. Formal Methods for Security Protocol Analysis

2.1 Computational Models

We shall make in this chapter more than a general discussion over the Formal Methods and their

realisation, as well as we must explain the difference between those ones, which imply:

-a strong cryptosystem and deliver us cryptographic provable results;

-the methods based on formal abstractions.

If the security protocols are based on crypto-algorithms, so a sensitive data could be securely

exchanged over the internet, we respectively assume that the cryptographers shall develop this

reasonable cryptosystem for proving protocols in a trustworthy mathematical way to represent the

nature of that ones. Moreover, we can say that, the cryptographers use complexity and probability

theories, so they can describe in analogical way the security of such protocols comparing it to the

security of that strong cryptosystem. No matter what kind of computer power the attacker shall be

in possession of, the main goal is to show that, implementing of such mathematical theories can

prove the fact, that the cracker2 can only ‘break’ the cryptosystem with negligible probability.

This whole process shall be described as Computational Models, or also Computational-Models-

methods of proving and validation of security protocols.

We shall mention further, that Computational Models define an abstract “intruder”, based on

Turing machine, and describe Keys, Plaintexts, Ciphertexts as strings of bits and encryption

functions just as algorithms.

Fundamental researches, illustrating these validating methods, can be found in the works of the

scientists: Blum and Micali, Yao, Goldwasser and Micali.

However, such cryptographic proof methods are very long and difficult, and if we try to do them

by hand, they will be simply error-prone; so, is there a reasonable indirect solution?

If these Computational Methods are the only ones, which could be described as trustworthy,

regarding the proof analyses, because of their strong mathematical cryptosystem, how can we

define such indirect way?

Let us make a summary of the main goals:

• We must define such kind of proof methods, which can be described as trustworthy,

regarding the analyses of correctness and security of the protocols

• These specific methods shall be aware of: completeness of the results, time-saving proof-

algorithms and error-free validation mechanisms.

To define a reasonable formalism, on one hand we must face these objectives and on the another

- presume such kind of abstractions, which will be adequate to the crypto-attacks in the real

world, unless this will lack the results, comparing to these ,using the strong cryptosystem

mechanisms.

We shall define the methods, based on such formalism as Formal Models, which use Formal

Languages3 to describe the semantics of the different Internet protocols.

2… Sometimes alternate terms such as "cracker" are used in an attempt to more exactly distinguish which category of

hacker is intended, or when attempting to put a contextual distance between the categories due to the Hacker

definition controversy [wikipedia.org] 3 “A language is formal when it has a well-defined syntax and

semantics. Additionally there is often a deductive system for

determining the truth of statements”; see: prepositional logic, first-order logic [MVO05]

6

For the interested reader we shall point a very good paper, which compares the views of the

Computational and Formal Models: “Reconciling Two Views of Cryptography (The

Computational Soundness of Formal Encryption) “[Abadi/Rogaway, 2000].

2.2 Formal Models

This idea is implemented for the first time in the early 80’es, as the scientists Prof. Dr. Danny

Dolev and Andrew C. Yao presented a formal model of intruder to verify security protocols.

The Dolev-Yao intruder model [DY83] describes the behaviour of the attacker in the network, so

it assumes an ideal encryption4; the intruder cannot ‘break’ the cryptographic system and cannot

obtain any kind of information, that is presumed to be kept secret, such as encryption keys,

belonging to honest participants in the network.

Further, we can say, that we are allowed to define the different operations in such ideal

cryptosystem, as set of functions, based on a space of symbolic-formal expressions; moreover, the

security properties of these operations can be also modelled formally.

These are the basic assumptions in the Formal Models theory; let us look at the different approaches,

illustrating such formalism.

One of the earliest realisations of the Formal Methods is the Logic-based approach.

The implementation of this formal method relies on modal logics5 similar to the knowledge and

belief logics methods in distributed systems.

There are many implementations of this approach, perhaps one of the best known is the BAN

logic [BAN89], developed by Burrows, Abadi and Needham, because of its simply, robust

structure and very practical way of describing the protocols.

If we imagine, that participants (agents) in a communication (, which shall be represented in a

session run of the security protocol) exchange messages, the BAN logic analyses the evolution of

the beliefs of the agents, as a consequence of this communication in the session.

Further, we can describe the logics of beliefs, as the view of the agents, to prove authentication in

this communication and the logics of knowledge, as the view of the intruder, to prove the secrecy.

The BAN logic has many limitations and misses many flaws. The problem is not the logic on

itself, but the way of idealisation. It is difficult to define other properties in the communication,

different than the authentication, such as secrecy and anonymity, or temporal properties not

explicit in time, or attacks, which are results of multiple runs of the protocol like the multisession

attacks, as an example on the SSL/TLS protocol.

Another approach in Formal methods is the Algebraic-based Approach; to define and express the

states of the participants in the protocol execution, to define the intruder’s knowledge, we use a

well-constructed algebraic system. We try to analogise the different states and the exchange of

the sensitive information between the agents (honest principals, intruder), describing them with

algebraic polynomials and their equations.

The most valuable features of this method are, on one hand the ability to describe the protocol’

semantics in very expressive way and gain a detailed model, which can be compared to the one,

4 Computational encryption algorithm is ideal if: no computational adversary, given any set of messages, can

produce a message outside the closure of the set (with non-negligible probability) [John Herzog 2002] 5 A modal logic is any logic for handling modalities: concepts like possibility, impossibility, and necessity. Logics

for handling a number of other ideas, such as eventually, formerly, can, could, might, may, must are by extension

also called modal logics, since it turns out that these can be treated in similar ways.

A formal modal logic represents modalities using modal sentential operators.[wikipedia.org]

7

using the state-machine methods (see: Model checkers), on the other we can also illustrate the

evolution of the knowledge, which is comparable to the Logic-based approach.

However, this method shall not receive much attention, because of the fact, that it is also not an

easy-to-use validating approach.

Perhaps an interesting example here is the implementation of the Algebraic-based approach,

using the NRL Protocol Analyser, a well-known state machine analyser, which is still applicable

in recent researches and projects.

Catherine Meadows comments on this approach, that it is “attempted to incorporate her extension

of NRL Protocol Analyser model into the tool itself, but the result was considered unsatisfactory

because of the difficulty of modelling rules for increasing an intruder’s knowledge as the kinds of

reduction rules acceptable by the NRL protocol Analyser.”[M94]

The term state machines6 shall be used in the following chapters, as well and especially combined

with the discussion of the Model checkers and AVISPA.

The Inductive Proofs Approach is based on the transition state systems.

We use inductive invariants to give a definition for the different properties of the protocol’s

system. We can use verification tools to put the inductive proofs into practice, or do the

verification analysis, using these Formal methods completely by hand. The main achievement of

the inductive verification methods is, that we can prove the protocols correct, regarding the

assumed abstract encryption scheme.

As to describe shortly the semantics of the inductive proofs on the example of the Lawrence

Paulson’s works, we can specify the following points in its general scheme:

• There is ability, that the different states/events in the protocol’ run can be traced;

ability to build a history of the attack

• All agents, active in the protocol’ session can be modelled operational

• A derived implementation of the Algebraic-based Approach is used to describe the

exchange of the messages between the participants

• As a general attacker model is used the DY-intruder model

• The use of an automaton is based on the Isabelle/HOL state machine

[CS 259]

As last example in this chapter, we shall discuss the Model Checkers, because of their importance

(some scientists believe that, the Model checkers will fill the gap between the two

cryptographers’ views: the Computational approach and the other one, using cryptographic

formalisation) and most recent realisation in the group of Formal Models.

We define the Model checkers as finite state machines; some of them implement the Constraint-

based 7 analyses of security protocols.

Here, we shall precisely define the Dolev-Yao Intruder Model, because it employs the descriptive

abstraction of the intruder’s network in the tools and also, how this basic scheme will find a

realisation as a transition state system.

6 Further matter of researches shall be the finite state machine; “… or finite automaton is a model of behaviour

composed of states, transitions and actions. A state stores information about the past, i.e. it reflects the input changes

from the system start to the present moment. A transition indicates a state change and is described by a condition that

would need to be fulfilled to enable the transition. An action is a description of an activity that is to be performed at a

given moment.”[Wikipedia.org] 7 „.. constraint differentiation, a new technique for reducing search when model-checking security

protocols.“[BMV03]

8

We shall give more detailed definition of the Model Checkers and some examples of that one; we

will concentrate on the AVISPA tool and its back-end/subtool8 - the OFMC/On-the-Fly-Model-

Checker.

To focus on the importance of these matters, we shall describe them in separate sections of this

paper.

Let us get a graphical overview of the discussed Model approaches:

Figure 1: Methods for Security Protocol Analysis [CS 259]

There are also other approaches, illustrating different views in the realisation of the Formal

Models; we shall not discuss them due to the matter of the paper.

2.3 Dolev-Yao Intruder Model

In 1983 the scientists Danny Dolev and Andrew Yao published a paper:” On the security of

Public Key Protocols”, where they suggested a very reasonable basic scheme on, how we can

describe computer network, which is attacked by an intruder, specifying an axiom for building

this construct: assuming an ideal, perfect cryptography.

The attacker is able to read, suppress and modify all messages exchanged between the honest

participants in the network, moreover the cracker can develop new messages at any time, send

them to all agents and also play the role of an honest principal, taking a part of the session or

even multiple sessions9 of the protocol execution.

In this matter of thoughts we can formalize the security protocol to an algebraic system.

8 I shall use this jargon in my further comments, because of the easy way to explain that OFMC is a hierarchical

substructure of the AVISPA tools suite, but also a (quasi) stand-alone Model checker, which defines it as a tool. 9 „Multi-session attacks are those attacks that use information extracted from more than one

previous or concurrent protocol sessions. We make the reasonable assumption that such attack

sessions must use the information within a certain time period of the reference session(s), from

which the information is taken in order to subvert the protocol.”[YG02]

Such well known crypto attacks are for example: Replay Attacks and Parallel session attacks…

9

We shall specify its main features: on one hand, the intruder is able to fully operate such system;

on another, the crypto algorithms could be analogized to black-boxes, which are conform to

limited set of algebraic properties(*) of that one, with other words: there are no bijective relations

between the encryption and decryption operations.

We assume that the reader knows the basic methods for encryption/decryption of information, so

we can proceed further with illustrating the Dolev-Yao semantics:

Let M be a set of messages, so we define the DY (M) for the Dolev-Yao intruder model to be the

smallest set, regarding the following Generation (G) and Analysis (A) rules:

Figure 2: Dolev-Yao notation [BMV03]

We shall not demonstrate more than these easy examples, because of the need to concentrate on

the AVISPA model checker and implementation of the security protocols in it.

To complete the discussion over the Dolev-Yao intruder model, we shall also mention some

unsatisfying features in its idealisation.

The Dolev-Yao intruder model calls naively enumeration of the intruder’s messages, while

building the search tree(transition system), which shall be parsed by the different Model

Checkers. This leads to enormous branching in that search tree and ‘exhausts’ the Model checker,

where as we can’t get optimal search times.

Moreover, the standard Dolev-Yao abstraction lacks cryptographic justification, as some of the

Security Protocols, validated as safety, using the Dolev-Yao intruder model, appear to be

insecure as analysing them with provable crypto-primitives.

Let us take a closer look on the Model Checkers.

3. Model checkers

We shall define the Model checkers as finite state machines, or finite automatons, therefore we

shall define a finite state transition system, which shall describe the protocol run as a hierarchical

system of states, well modelled using the graph theory.

10

In such case, different state satisfaction relations shall express the system properties and we shall

be able to make state space exploration; the attack can be traced, so we can examine its history.

Such transition system shall also determine, that certain undesirable properties will never occur –

regarding the Safety of the system. Also we shall be able to check, that certain properties shall

eventually occur, which will describe the Liveness of the system.

However, there is still the question, regarding the guarantee for correctness of such system, as it

assumes “artificial” finite bounds.

Probably, such issue could be solved, if we can develop an infinite-state model of the intruder,

which will lead to greater awareness for the realisation of a more adequate transition system.

Let us take a closer look on some examples for Model Checkers and their implementations,

which can be classified as modern tools for validating of Security Protocols.

A very expressive tool, in its ability to define security protocols, is Maude; here we shall give a

better definition of this Model Checker, as a very descriptive specification formal language.

Its well-known implementations are the on-the-fly Maude LTL Model checker and the realisation

of this language on the NRL Protocol Analyser [Catherine Meadows].

Further modern implementation is the Mobile Maude, regarding verification of wireless security

protocols and covering the area of researches in Telecommunication Systems.

The reader shall understand that, there are many other implementations of the tool, we mentioned

only couple of them, perhaps the most interesting ones, due to the matter of the paper.

Main feature of Maude is the realisation of the rewriting logics10

in its specification.

However, programming in this Model Checker/Specification Language is difficult, because of the

length of its code.

The Maude v.1.0 wasn’t free software, though its second version is published under GNU GPL2

license.

For the reader concerned, there is enough information on the website11

of this Model Checker,

with very descriptive manual, examples and help mailing-list12

.

Another interesting example is the Hermes Model Checker. Main feature of this tool is the

analysis of secrecy properties of a cryptographic protocol.

We consider Hermes as an Open Source Project, written in EVA language. For more technical

information, refer to the EVA Project’ website13

, which is in French.

Main features of the Hermes model checker are the ability to define unbounded number of

sessions (multisessions), unbounded size of messages and number of participants in the protocol

run, as well as unbounded number of nonces; the tool can also be used for finite sessions.

The main difference between Hermes and the other Model checkers is, that we do not give a

definition of the intruder’s knowledge, but let the tool computing set of safe messages and using

symbolic abstractions to approximate infinite set of safe messages.

It is tested on 15 security protocols of the Clark/Jacob [CJ97] library and finds attacks on 6 of 8

ones, which are known to have leak-cryptography system.

10

“Rewriting logic is a logic of concurrent change that can naturally deal with state and with concurrent

computations. It has good properties as a general semantic framework for giving executable semantics to a wide

range of languages and models of concurrency. In particular, it supports very well concurrent object-oriented

computation. The same reasons making rewriting logic a good semantic framework make it also a good logical

framework, that is, a metalogic in which many other logics can be naturally represented and executed.”[see website] 11 http://maude.cs.uiuc.edu/ 12

http://maude.cs.uiuc.edu/cgi-bin/mailman/listinfo/maude-help 13http://www-eva.imag.fr/

11

Here, we can mention briefly something more, regarding the Clark/Jacob Protocol library, as

there are classified 51 well-known authentication security protocols like: Kerberos and its

modifications, SSH, IPSec, UMTS_AKA, SSL/TLS, etc.

The Hermes is a new tool, still under development, so let us hope, that it shall get greater

realisation in the future.

Speaking about modern Model Checkers, we shall close the topic of such examples, discussing

the AVISPA v1.0 tool or the tool for Automated Validation of security sensitive Internet

Protocols and Applications. It is meant to be an Open Source and especially its subtool the On-

the-Fly-Model-Checker (OFMC).The Source code of OFMC is written in the formal language

Haskell.

AVIPSA uses on itself also two different specification languages to describe the system of a

security protocol run.

The Model Checker is tested on 46 of all 51 protocols from the Clack/Jacob library.

If we consider the time before the implementation of AVISPA as Model Checker, there were

well-defined different hacker crypto-attacks on 32 protocols of the tested ones; AVISPA detects

all kind of these attacks and moreover it registers new ones, which were unknown until that

moment, like crypto-attack on the Yahalom security protocol and RCP [Siemens].

The next Figure compares briefly these three Model Checkers.

Figure 3: taken from [AJ04]

4. AVISPA Model Checker

As a general approach in the discussion of this state machine, we shall consider, that it uses the

Dolev-Yao intruder model abstraction for automated analyses. As a matter of fact, a realisation of

the state transition system is presented. We shall not think intuitively about it as a finite state

Model Checker, though, we group this tool to belong to the automatons/state-of –the-art

machines. AVISPA finds implementation in a wide area of research fields, considering not only

solutions for scientific researches, but also specific industrial problems.

This Model Checker is compatible to the most of the common-used Operating Systems; its

binaries are originally written for UNIX-based OS-es and the source code of the AVISPA can be

compiled on different Linux distributions as well, only when the kernel header packages are

installed on it.

The OFMC Model Checker has binaries for UNIX- and Windows-based machines, which need

the IF-file as an input, generated by the AVISPA UNIX-binary; furthermore, it is developed a

new graphical implementation for MacOS-es or OSX: Cocoa GUI.

OFMC can be optimized for the use with Xemacs, too.

The more interesting feature of AVISPA is the Web-based realisation of the tool, which makes

this Model Checker, software- and hardware-independent.

Moreover, there is an available protocol library with examples of the HLPSL-implementation on

many cryptographic protocols(HLPSL is one of the formal languages, used by this Model

Checker; we shall concentrate more in the further chapters on this development language).

To complete the short approach, regarding the user-friendly interface of AVISPA, we shall

mention, that the proof results are delivered in detailed human-readable ASC II format and

12

furthermore, there is a graphical illustration for the attack trace on every specific AVISPA back-

end.

At last, the AVISPA mailing list shall be mentioned, where scientists / code-developers / and

researchers can find solid support and a challenge for discussions on different issues, consuming

the validation of security protocols.

4.1 AVISPA Architecture

In this section of the paper, we shall make a basic approach explaining the structure of the

AVISPA tool as an application.

As mentioned above, it considers the use of two formal specification languages.

Let us introduce HLPSL, the High Level Protocol Specification Language (for the reader

concerned: compare it to Maude.)

It is a formal language, written in CAPSL, which is also an Open Source project. We shall

specify HLPSL as a coding language for developers, because using it the researcher can describe

the protocol system (, which shall be tested and proved for validation) and dynamically change

the protocol’ specification as needed.

HLPSL is not much expressive as Maude, but it gives solid approach for describing security

protocols, which run over the Internet. As an example we can define all kind of security

protocols, listed in the Clark-Jacob library. We shall take this language as a common script

language, regarding the easy-of-use for describing protocols, or better let’s try to assume exiting

analogy to a well-known programming language like Java.

Surely, we shall not expect, that HLPSL is an object-oriented language, but here is still an

interesting analogue, just to explain the reason for using two specification languages in AVISPA.

As next, follows the HLPSL2IF translator, which acts like an interpreter, so the developed code

in HLPSL can be translated to the other specification language: the Intermediate Format

language.

We can compare the IF to the Java byte code, which represents the interface between the Java

high-level coding language and the different compilers according to the specific hardware

platforms. In the same way, the IF language acts like an interface between the developer’s code

in HLPSL and its implementation on every one of the subtools in the AVISPA Model Checker

suite.

So let’s take a short look on every one of these back-ends.

The On-the-fly-Model-Checker (OFMC) [BMV04] analyses the IF Specification, while it

explores the generated transition system, derived from the Intermediate Format interface, in a

demand-driven way.

This tool does not need to‘assemble’ completely the artefact of the timed automata [AD94]

[BBKK01], before and without testing the different reachability properties.

In such case, the transitions of the product of the timed automata are ‘constructed’ on-the-fly,

with other words: only when needed.

The OFMC back-end is able to conduct on one hand- protocol falsification, and on another-

bounded session verification.

It can work with both typed and untyped protocol models and prove type-flaw attacks.

The tool is considered to be very effective for protocol’ analysis, because of the fact, that it uses

number of symbolic, constraint-based techniques14

, which significantly reduce and optimize the

search methods.

14“What is Constraint (Logic) Programming?

13

Moreover, using such techniques no attacks shall be excluded, nor new one, possible to be

derived from them, which provides these optimisation techniques as correct and complete.

As interesting examples, here shall be mentioned: the Lazy-Intruder Model (see Section 4.4)

[DB99] and the constraint differentiation search technique [MS01] [BMV03].

The constraint differentiation technique demonstrates partial-reorder reduction of the search tree,

using the Lazy-Intruder abstraction. It shall be considered as a correct and complete technique

and can be formally proved to terminate [V06].

The OFMC tool provides also number of efficient search heuristics and supports such intruder

model, which is able to guess weak-passwords-attacks on the protocol’ execution.

For the reader concerned, very good slides illustrating the Constraint Differentiation Idea/Reorder

Reduction and Compression techniques can be found in [M05].

The next back-end is the CL-AtSe, Constraint-Logic-based Attack Searcher (see AVISPA

manual for detailed information) [V06].Using this tool, we can prove the protocol’ specification

against type-flow attacks and perform both protocol falsification and bounded session verification

(further, the pairing messages in handshake authentication session can be considered to be

associative or not), applying constraint differentiation reduction techniques like the Lazy Intruder

model and powerful simplification heuristics (compare it to OFMC). Moreover, the

Undecidability problem (see Section 4.4), regarding the verification of a specific security

protocol is handled by observing particular properties of the XOR operator [CKRT03].

The main improvements of CL-AtSe are: this back-end possesses a modular structure, which

makes it extendable to handle dynamically changing algebraic properties of the different

cryptographic operators, and the tool produces a user-friendly readable description of the

explored attack(s).

We shall discuss the next AVISPA back-ends briefly due to the size of this paper and the fact,

that we have assumed to demonstrate the AVISPA abilities to prove security internet protocols,

using the On-the-Fly-Model-Checker.

Another tool of the AVISPA suite is the SAT-based Model-Checker (SATMC) [AC04].

In opposite way, this back-end first traces the IF specification and builds a propositional

formula encoding, which represents a bounded unrolling of the transition system, the initial state

of the IF prelude file (see Section 4.3) and the set of states, representing the intruder’ knowledge;

for typed protocol model (compare it to OFMC and CL-AtSe). This propositional formula is fed

on the next step to a SAT solver, which translates back any explored violation model into an

attack. SAT-MC has a modular structure as a state-of-the-art machine, which makes the tool able

to be easy extendable for new SAT solvers (like the CL-AtSe).

At last, we shall mention the TA4SP (see AVISPA manual) [BBKK01] [V06], a Tree Automata

based on Automatic Approximations for the Analysis of Security Protocols, back-end. Specific

for this tool is the unbounded protocol verification. The significant techniques used by this back-

The C(L)P programming paradigm has some resemblance to traditional Operations Research (OR) approach, in that

the general path to a solution is:

1. Analyzing the problem to solve, in order to understand clearly which are its parts;

2. determining which conditions/relationships hold among those parts: these relationships and conditions are key to

the solving, for they will be used to model the problem; (please refer to the footnote on the next page)....

3. stating such conditions/relationships as equations; to achieve this step not only the right variables and relationships

must be chosen: as we will see, C(L)P usually offers a series of different constraint systems, some of which are better

suited than others for a given task;

4. setting up these equations and solving them to produce a solution; this is usually transparent to the user, because

the language itself has built-in solvers…”, for more information refer to:

http://www.clip.dia.fi.upm.es/~vocal/public_info/seminar_notes/node6.html

14

end are: the use of regular tree languages and rewriting logic for providing an approximation of

the intruder’ knowledge, firstly introduced by Genet and Klay [GK00]. Moreover, this tool

performs full automated translation of the security protocol specification into term-rewriting

system and builds the approximation function. We can conclude, whether the protocol is flawed

by under-approximation of the secrecy properties in the typed model and verify, whether the

protocol is safe for any number of sessions of its execution by over-approximation.

For the reader concerned: please, refer to the AVISPA manual for command-line semantics of

these back-ends to perform the adequate protocol’ verification.

At the bottom of the AVISPA structure, we expect intuitively something that shall supply us with

the log file as a result of the different verification methods; the OF – output format, where the

researchers can find summary, regarding the validation process on the security protocol and also

in case of detected attack(s) an user friendly explanation of the different issues.

The next Figures shall give a graphical illustration of all this:

Figure 4: taken from [M05]

The following Figure describes the same structure. Actually it is partly taken from a screenshot of

the Web-based interface. The different sections represent push buttons, so the researcher can

specify, which subtool shall trace the designed in HLPSL protocol’ specification. As we can see,

the IF language input shall be also translated, regarding every one of the Model Checkers from

the AVISPA suite.

Figure 5: AVISPA web-based interface (screenshot)

15

As we can see here, the Tree Automata based tool (TA4SP) is also implemented in the web-

realisation of AVISPA

Let’s take a closer look to the High Level Protocol Specification language.

4.2 HLPSL

The High-Level Protocol Specification Language shall be classified to the group of the Formal

languages, such as CASPER, CAPSL, MuCAPSL and Maude.

The semantics of HLPSL are based on the Lamport’s Temporal Logic of Actions (TLA [CM05]),

a powerful language for specifying different types of protocols.

HLPSL has better capabilities to describe internet protocols; as an example: TLS, IKEv2, UMTS-

AKA, AAA for Mobile IP and even those based on Diffie-Hellmann exponentiation.

We assume the Dolev-Yao abstraction for the intruder model, but instead of defining it implicit

like in some of the Formal Languages mentioned above, we can specify the intruder model as a

parameter in the HLPSL protocol’s specification. This makes us able to outline specific set of

axioms, which will define different behaviour of the intruder and thus we can implement

heterogeneous networks settings, using HLPSL.

As an illustration of the HLPSL semantics in the next chapter we shall demonstrate an example

on the Needham-Schroeder Public Key protocol, because of its historical matter as security

internet protocol and the Lowe’s Man-In-The-Middle attack on NSPK.

Let us discuss the basic constructs, on how to describe security protocols in the HLPSL notation.

We define generally two types of roles: basic roles and composed roles, which gives us the

ability to describe the different agents, the way of exchanging sensitive data between those

principals and the attacker’s knowledge in the protocol’ run; on other hand to specify the goals

regarding the verification of this very protocol.

We describe in the basic roles, the actions of a single honest agent (Client/Server), which is

participating in a single protocol or sub-protocol execution. Assuming, that we have written the

protocol in alice-bob (A-B) notation, the basic roles give us the easiest way to translate it in

HLPSL.

role alice (A, B: agent,

Ka, Kb: public_key,

SND, RCV: channel (dy))

played_by A def=

local State : nat,

Na, Nb: text

init State := 0

transition

0. State =

……….

2. State =

……….

end role

This fragment illustrates the general constructs in the basic role known as alice (Client):

16

• the different agents in the protocol execution are defined with parameters A,B;

• Ka, Kb are set out as (asymmetric) public keys, regarding both principals A, B;

• The Dolev-Yao intruder model is defined as a parameter in the channel with basic routines send (SND) and receive(RCV);

• a definition of the role is given as: ‘played by’, where we specify explicit the agent and its

locales; the different states shall be represented by natural numbers and the nonces of

alice and bob, respectively Na, Nb given as text;

• in the transition section, we can specify the different steps, regarding the key exchange

authentication of the principals in the protocol run;

• the definition of alice is completed with the routine ‘end role’.

As we can see, the different variables in the role are typed. This we use to exclude possible type-

flaw attacks on the security protocol; nevertheless, the AVISPA tool is able to build an untyped

model realisation, by ignoring all type information, so we can include such attacks in the protocol

proof as well.

We define the receipts of messages and sending of reply messages between the honest principals

in the section: transition, of the basic role, where we employ the exchange of those messages in

single transitions. Each one consists of trigger and action, which occurs in case of, the trigger

event is performed successfully.

In this matter, we can describe composed roles as conjunction of one or more such basic roles.

An example for composed role is the role session in the HLPSL protocol’ specification. In its

section “Composition” we employ the basic construct for the partial session between the two

honest principals alice and bob in a current protocol execution.

As a main role in the HLPSL notation, we define the role environment, where we can describe

the knowledge of the intruder and also specify a composition of parallel sessions in the protocol

run.

A very good example for implementing parallel session abilities can be found in the example of

the HLPSL notation on the SSL/TLS authentication internet protocol. We shall only mention

some well-known multisession attacks on SSL like replay attacks, side channel attack against

CBC-PAD (password interception multisession attack).

To describe security goals, as secrecy of the messages and authentication, using HLPSL, we build

the role goal (see NSPK key server version example and SSL/TLS example).We need also to

explain two terms, regarding the security authentication: witness and request.

In the example: witness (A, B, na , Na), we shall read it as: the principal A calls for protocol’

execution with the agent B, while using Na as its nonce; further a special identifier for the nonce

Na is specified as na, the so-called protocol_id.

Using: request ( B ,A ,na , Na ), we shall specify that the principal B accepts the nonce Na and

beliefs, that the agent A exists, while accepting its protocol_id, in this case the value is na.

If we assume, that an agent shall accept the same value twice from the same principal, which

generates the witness event, without a request event of one time point before, then we discuss the

problem of man-in-the-middle attack against the security protocol (example Lowe’s attack

against NSPK).

To complete the discussion on the HLPSL semantics, we shall note, that this formal language

shows a reasonable and user-friendly approach, on how to describe variety level of complexity on

different protocols.

As mentioned above, HLPSL is based on TLA, which explains the fact, that it is easy to translate

the HLPSL notation to lower-level term rewriting based language, like the Intermediate Format

17

language(IF) - well-suited for using with automated validation tools, the state-of-the-art back-

ends of the AVISPA suite.

In the next section of this chapter, we shall do a briefly discussion over the specification of the IF

formal language

4.3 IF, the Intermediate Format language

The IF specification language provides a low-level description of the different internet protocols;

it is rather than being abstract and easy to read for developers like the HLPSL.

The main goal in the design of the Intermediate Format language is to offer an adequate input for

the specific back-ends of the AVISPA tool suite.

This input shall be suitable for automated analysis and also independent from the different

verification methods, employed by the various subtools in AVISPA.

As main features in the semantics of IF, we shall mention, that this specification language

provides a description of the security protocol in terms of rewrite rules, which employ an infinite-

state transition system with the following properties:

• initial state

• transition rules

• state based safety property

The reason to define safety property, is to develop an approach, which can justify, whether a

given state shall deliver an attack state or not. Such property we shall name as a goal predicate in

the meaning of attack predicate.

Further, we implement a new important concept in the IF specification to employ optimized

explicit modelling of wider group of security protocols and their properties in a natural way.

We shall call it an extension of the left-hand side of rules, which are marked by conditions and

negative facts.

This extension shall lead to better searching approach in the infinite-state transition system.

At this part of our discussion, we shall only mention the most reasonable example, as such IF

extension - the Lazy-Intruder model, which is well-implemented in the AVISPA back-ends

OFMC and CL-AtSe.

Moreover, we define a prelude file, which provides all protocol-independent aspects of the

model, like algebraic equations, so we can make the IF flexible for the different AVISPA back-

ends. The prelude file could be described like an interface between the HLPSL and the IF.

Let us discuss more detailed the translation of the HLPSL code into the IF specification.

As mentioned above, we use the HLPSL2IF translator, which works as follows:

-at first place the translator parses the HLPSL code, while it checks, whether a number of

conditions, which specify that all variables in the code are declared, shall be met;

-at second place the translator tries to reduce, to flatten the hierarchical structure of the different

roles, role descriptions from the HLPSL code and as a result to produce adequate step

rules of the IF, which shall specify the different transitions between the honest agents;

We define every state described, in the HLPSL code as set of facts, for an instance: a fact

that the attacker is aware of the existence of a particular message and accordingly she/he

can read it.

The transition relations can be specified in the IF as conditional rewrite rules of the sets.

Besides defining the semantics of a rule and describe it as a state-transition function, we

shall use applicability check matches.

18

Here, we shall note that the attacker’s behaviour is protocol-independent and we specify

the intruder as a special part of the prelude file, while the IF-file contains only specific

declarations for the very protocol, which shall be proved.

Further, we translate the defined instantiations in the HLPSL code in the initial state of the

IF:

• which role belongs to which agent;

• the way the principals in the protocol’ execution are exchanging information.

-at last we shall mention, that the security goals are encoded in a state-based way, referring to the

properties in the HLPSL file.

We shall not give examples on the IF code, because of the size of this paper, though a better

approach in the discussion of the IF formal language can be found in the references:”

Deliverable D2.3: The Intermediate Format”, Alessandro Armando and in the AVISPA user’s

manual.

A protocol, which is described in the IF file, can be categorised as safety, in case of we cannot

specify a reachable state ‘s’ and goal ‘g’, where we can find corresponding matches ‘g s’.

4.4 Lazy Intruder Model

In this section of the current chapter, we shall make detailed approach on the finite-state

transition system and the optimisation method for parsing such tree structure: the Lazy-Intruder

model.

The main problem, which shall be discussed, is the Undecidability question in the validation of

the security protocols, using Formal Models / Model Checkers /.

We shall reverse the order of our exposition and we will specify at first the different kinds of

infinity in the state transition system:

• To imply infinitely many different possible messages, which shall occur in the protocol’

execution, we must define the transition system as untyped. In such case, we are able to

deliver unbounded complexity of messages, example: the intruder sends infinite quantity

of messages to the other participants in the protocol’ session;

• Assuming, that an honest agent can generate loops in the protocol’ run, which shall be repeated unbounded numbers of times, we must designate unbounded number of steps,

provided by the honest agent to execute the protocol’ run;

• Another situation illustrates unbounded number of parallel sessions, which the honest

agents can perform in a protocol’ execution; important example:

we shall be able to define the initial state as a finite set of basic terms; nevertheless,

there shall be such rules, which create new state-facts, corresponding to new sessions;

• The number of the agents in particular protocol’ run may be unbounded too.

If we try to build the search tree, corresponding to one or more of these kinds of infinity, and to

consider an adequate verification of such structure, we will experience, that we are unable to

deliver a decidable conclusion, whether the protocol is safe15

or not, because we use finite-state

parsing techniques.

That’s why, we shall find new reasonable approaches to extend our searching methods and be

able to perform satisfactory verification on such infinite tree; with other words, to deliver an

15

We shall use the terminology ‚safe’, or the ‚protocol is safety’, according to the validation of security protocols,

using Model Checkers / AVISPA / in order to make sure , that the reader shall understand the fact: the formal model

checking approach does not deliver justification on all possible executions of the protocol, but only on such ones

given in the scenario.

19

infinite-state model checking, using standard search algorithms, able to imply heuristics, which

can prune and reorder that infinite tree in a demand-driven fashion.

This idea is illustrated in the next figure:

Figure 6: A type I state space and the effect of data abstraction upon it [AH99]

We shall note, that we will analogize the nodes in such graph to the traces in the infinite-state

transition system; and the children shall correspond to specific trace extensions, generated by a

step of the protocol’ execution, or a performed action by the intruder in the network.

The security property shall correspond to a property of nodes in the tree.

In case, when an attack is found; it will be specified in a trace, located in some node in the tree.

Intuitively, we shall conclude, that finding such node, or set of nodes shall not be easy, because

we expect infinitely depth and infinite branching of the search tree.

That’s why, we consider the standard Dolev-Yao abstraction, which generates the search graph,

as undecidable.

An intelligent approach for solving this problem, shall deliver a re-enumeration of the search tree,

using lazy data types [BMV04], implemented in an on-the-fly demand-driven parsing of the

search graph, which is employed by the Lazy-Intruder abstraction.

The Lazy Intruder Model represents an optimisation search technique, without excluding any

attacks on the protocol, as it exploits the fact, that certain parts of the intruder’s messages are

irrelevant for the receiver (honest agent) in the way, that data constructors build data, without

evaluating their arguments.

20

We consider here the ability of the AVISPA tool to represent and compute with infinite data –

streams or infinite trees, due to this optimised tree-structure of the transition system, generating

arbitrary prefixes of data on-demand.

Let us compare the Dolev-Yao notation to the Lazy Intruder model notation:

Figure 7: Dolev-Yao intruder rules

Figure 8: Lazy Intruder: constraint reduction rules

For the reader concerned, we shall recommend the papers: [DB99] and [BMV04].

In the next chapter, we shall demonstrate some examples, which will illustrate the theories

already discussed.

5. HLPSL on NSPK handshake protokol:

In this section we shall demonstrate the HLPSL notation, illustrated on the Needham-Schroeder

Public Key protocol, and define the basic roles of the Client, Server, Session, Environment and

Goal; at last, we shall demonstrate the results using the OFMC tool.

We shall specify the comments on this code with %% in the beginning of the line.

%% Needham-Schroeder Public Key handshake protocol

%% � Key Server version

%% � basic role of the Client

role alice (A, B: agent,

Ka, Ks: public_key,

KeyRing: (agent.public_key) set,

SND, RCV: channel(dy))

played_by A def=

local State : nat,

Na, Nb: text,

Kb: public_key

init State := 0

%%Begin of the transition section of the basic role: alice,

transition

% Start, if alice must request bob's public key from key server

ask. State = 0 /\ RCV(start) /\ not(in(B.Kb', KeyRing))

=|> State':= 1 /\ SND(A.B)

21

% Receipt of response from key server

learn. State = 1 /\ RCV({B.Kb'}_inv(Ks))

=|> State':= 0 /\ KeyRing':=cons(B.Kb', KeyRing)

% Start/resume, provided alice already knows bob's public key

knows. State = 0 /\ RCV(start) /\ in(B.Kb', KeyRing)

=|> State':= 4 /\ Na':=new() /\ SND({Na'.A}_Kb')

/\ secret(Na',na,{A,B})

/\ witness(A,B,bob_alice_na,Na')

cont. State = 4 /\ RCV({Na.Nb'}_Ka)

=|> State':= 6 /\ SND({Nb'}_Kb)

/\ request(A,B,alice_bob_nb,Nb')

end role

%% �basic role of the other Client : bob,

role bob(A, B: agent,

Kb, Ks: public_key,

KeyRing: (agent.public_key) set,

SND, RCV: channel(dy))

played_by B def=

local State: nat,

Na, Nb: text,

Ka: public_key

init State := 2

transition

% Start if bob must request alice's public key from key server

ask. State = 2 /\ RCV({Na'.A}_Kb) /\ not(in(A.Ka', KeyRing))

=|> State':= 3 /\ SND(B.A)

% Receipt of response from key server

learn. State = 3 /\ RCV({A.Ka'}_inv(Ks))

=|> State':= 2 /\ KeyRing':=cons(A.Ka', KeyRing)

% Start/resume, provided if bob knows alice's public key

knows. State = 2 /\ RCV({Na'.A}_Kb) /\ in(A.Ka', KeyRing)

=|> State':= 5 /\ Nb':=new() /\ SND({Na'.Nb'}_Ka')

/\ secret(Nb',nb,{A,B})

/\ witness(B,A,alice_bob_nb,Nb')

cont. State = 5 /\ RCV({Nb}_Kb)

=|> State':= 7 /\ request(B,A,bob_alice_na,Na)

end role

%% The basic role of the key server

role server(S: agent,

Ks: public_key,

22

KeyMap: (agent.public_key) set,

SND, RCV: channel(dy))

played_by S def=

local State : nat,

A, B: agent,

Kb: public_key

init State := 8

transition

req1. State = 8 /\ RCV(A'.B') /\ in(B'.Kb', KeyMap)

=|> State':= 9 /\ SND({B'.Kb'}_inv(Ks))

req2. State = 9 /\ RCV(A'.B') /\ in(B'.Kb', KeyMap)

=|> State':= 10 /\ SND({B'.Kb'}_inv(Ks))

req3. State = 10 /\ RCV(A'.B') /\ in(B'.Kb', KeyMap)

=|> State':= 11 /\ SND({B'.Kb'}_inv(Ks))

end role

% The role representing a partial session between alice and bob

role nspk(SND, RCV: channel(dy),

Ks: public_key,

Instances: (agent.agent.public_key.public_key) set,

KeySet: agent -> (agent.public_key) set)

def=

local A, B: agent,

Ka, Kb: public_key

composition

/\_{in(A.B.Ka.Kb,Instances)}

(alice(A,B,Ka,Ks,KeySet(A),SND,RCV)

/\ bob(A,B,Kb,Ks,KeySet(B),SND,RCV))

end role

%% The main role, where in its composition part:

%% 1. we describe the intruder’s knowledge

%% 2. we are allowed to define also musltisession runs of the protocol

role environment() def=

local KeyMap: (agent.public_key) set,

SND, RCV: channel(dy)

const a,b,s,i: agent,

ka, kb, ki, ks: public_key,

na, nb, alice_bob_nb, bob_alice_na: protocol_id

init KeyMap := {a.ka, b.kb, i.ki}

intruder_knowledge = {a, b, ks, ka, kb, ki, inv(ki)}

composition

server(s,ks, KeyMap, SND, RCV)

/\ nspk(SND, RCV, % channels

ks, % public key of server

{a.b.ka.kb, % session instances

a.i.ka.ki,

i.b.ki.kb

},

23

{a.{a.ka,b.kb}, % initial KeyRings

b.{b.kb},

i.{i.ki}})

end role

%% Properties to verify

goal

secrecy_of na, nb

authentication_on alice_bob_nb

authentication_on bob_alice_na

end goal

%% Call of the main role

environment()

Let us show the test results:

AVISPA Tool Summary

OFMC : UNSAFE

CL-AtSe : UNSAFE

SATMC : UNSAFE

TA4SP : INCONCLUSIVE

Refer to individual tools output for details

We shall show in the next table the log-files of the OFMC tool and the CL-AtSe, so the reader

shall not only refer to the OFMC results, but also compare these AVISPA back-ends one to

another: % OFMC

% Version of 2006/02/13

SUMMARY

UNSAFE

DETAILS

ATTACK_FOUND

PROTOCOL

/home/avispa/web-interface-

computation/./tempdir/workfilejrLA8P.if

GOAL

secrecy_of_nb

BACKEND

OFMC

COMMENTS

STATISTICS

parseTime: 0.00s

searchTime: 5.57s

visitedNodes: 2560 nodes

depth: 8 plies

ATTACK TRACE

i -> (s,2): x229.a

(s,2) -> i: {a.ka}_inv(ks)

i -> (s,2): x239.i

(s,2) -> i: {i.ki}_inv(ks)

i -> (a,4): start

(a,4) -> i: a.i

i -> (a,4): {i.ki}_inv(ks)

SUMMARY

UNSAFE

DETAILS

ATTACK_FOUND

TYPED_MODEL

BOUNDED_SEARCH_DEPTH

PROTOCOL

/home/avispa/web-interface-

computation/./tempdir/workfilejrLA8P.if

GOAL

Secrecy attack on (n55(Nb))

BACKEND

CL-AtSe

STATISTICS

Analysed : 2571 states

Reachable : 1871 states

Translation: 0.14 seconds

Computation: 0.15 seconds

ATTACK TRACE

24

i -> (a,4): start

(a,4) -> i: {Na(5).a}_ki

i -> (b,4): {x285.a}_kb

(b,4) -> i: b.a

i -> (b,4): {a.ka}_inv(ks)

i -> (b,4): {Na(5).a}_kb

(b,4) -> i: {Na(5).Nb(8)}_ka

i -> (a,4): {Na(5).Nb(8)}_ka

(a,4) -> i: {Nb(8)}_ki

i -> (i,17): Nb(8)

i -> (i,17): Nb(8)

% Reached State:

%

% secret(Nb(8),nb,set_123)

% witness(b,a,alice_bob_nb,Nb(8))

% contains(a,set_123)

% contains(b,set_123)

% contains(a.ka,set_104)

% secret(Na(5),na,set_128)

% witness(a,i,bob_alice_na,Na(5))

% contains(a,set_128)

% contains(i,set_128)

% contains(i.ki,set_103)

% contains(i.ki,set_101)

% contains(a.ka,set_103)

% contains(b.kb,set_103)

% contains(b.kb,set_104)

% contains(b.kb,set_101)

% contains(a.ka,set_101)

%

state_bob(b,i,kb,ks,set_104,2,dummy_nonce,dummy_nonce,d

ummy_pk,set_132,9)

% state_alice(a,i,ka,ks,set_103,6,Na(5),Nb(8),ki,set_128,4)

% state_bob(b,a,kb,ks,set_104,5,Na(5),Nb(8),ka,set_123,4)

%

state_alice(a,b,ka,ks,set_103,0,dummy_nonce,dummy_nonce,

dummy_pk,set_115,4)

% state_server(s,ks,set_101,10,x239,i,ki,2)

% request(a,i,alice_bob_nb,Nb(8),4))

i -> (a,4): start

& Test b.kb in set_103;

(a,4) -> i: {n32(Na).a}_kb

& Secret(n32(Na),set_115);

Witness(a,b,bob_alice_na,n32(Na)); Add a to set_115; Add b

to set_115;

i -> (s,2): A(1).a

& Test a.ka in set_101;

(s,2) -> i: {a.ka}_(inv(ks))

i -> (b,5): {Na(36).a}_kb

& Test a.Ka(36) not in set_104;

(b,5) -> i: b.a

i -> (b,5): {a.ka}_(inv(ks))

(b,5) -> i: ()

& Add a.ka to set_104;

i -> (s,2): A(2).i

& Test i.ki in set_101;

(s,2) -> i: {i.ki}_(inv(ks))

i -> (a,6): start

& Test i.Kb(65) not in set_103;

(a,6) -> i: a.i

i -> (a,6): {i.ki}_(inv(ks))

(a,6) -> i: ()

& Add i.ki to set_103;

i -> (a,6): start

& Test i.ki in set_103;

(a,6) -> i: {n84(Na).a}_ki

& Secret(n84(Na),set_128); Add a to set_128; Add i

to set_128;

i -> (b,5): {n84(Na).a}_kb

& Test a.ka in set_104;

(b,5) -> i: {n84(Na).n55(Nb)}_ka

& Secret(n55(Nb),set_123);

Witness(b,a,alice_bob_nb,n55(Nb)); Add a to set_123; Add b

to set_123;

i -> (a,6): {n84(Na).n55(Nb)}_ka

(a,6) -> i: {n55(Nb)}_ki

In both of the log-outputs (OFMC, CL-AtSe), we have basic statistics on the search times and

detailed overview on the discovered attack, which is delivered as state exploration process.

We shall consider the illustrated example in this paper as an easy one, though the ideas for

demonstrating the HLPSL protocol specification abilities and the results of the attack search

techniques, used by AVISPA, are general.

For the reader concerned, we shall mention one disadvantage of the AVISPA model checker.

We can build correct models of security protocols, for which attacks are known, but if these

attacks are based on aspects of the environment, that AVISPA cannot capture, we shall not be

able to trace them, using the back-ends of the AVISPA suite. Such known attacks are timing –

attacks, as an example: timing-attacks on SSL/TLS, though this is a bad example, as they are

reasonable only, regarding smartcards-authentication and not applicable, regarding web-server

applications [BB].

Perhaps, it is also interesting to give an overview on the most significant protocols, which are

tested with AVISPA.

25

The next figure will illustrate this:

Figure 9: The AVISPA tool

16: Results, July 2005[M05]

6. Conclusion

At this point of the discussion, we shall consider, that the AVISPA tool, which is still under

development, shows a reasonable approach, regarding the analysing of security protocols.

Two general advantages shall be mentioned one more time: the ability to describe multisession-

attacks, using the HLPSL specification and the intelligent Lazy Intruder Model enumerator.

From one side, the software- and hardware-independency of this tool makes it user-friendly, from

another the fact, that HLPSL is a high-level programming language and we can describe every

well-known security protocol, which runs over the internet, makes AVISPA very strong in its

application abilities.

The chance to develop and change dynamically the specification of chosen security protocol in

short and well-structured, high-level language code makes this OpenSource project a favourite

among the Model Checkers at all; on other hand, this is simply another good example, that the

OpenSource motivation can bring better software implementations and shall become coding

definition of our future.

16 A new Version of the AVISPA suite: AVISPA v1.1 has been released on the 30. of June 2006.

26

Appendix A:

HLPSL notation on SSL 3.0/TLS 1.0 handshake protocol

HLPSL Specification of the basic role: alice (Client A),

role alice(A, B : agent,

H, PRF, KeyGen: hash_func,

Ka, Ks: public_key, %% Ks is the

public key of a T3P (ie. CA)

SND, RCV: channel (dy))

played_by A

def=

local Na, Sid, Pa, PMS: text,

Nb: text,

State: nat,

Finished:

hash(hash(text.text.text).agent.agent.text.text.t

ext),

ClientK, ServerK:

hash(agent.text.text.hash(text.text.text)),

Kb: public_key,

M: hash(text.text.text)

const sec_clientk, sec_serverk :

protocol_id

init State := 0

transition

1. State = 0

/\ RCV(start)

=|>

State' := 2

/\ Na' := new()

/\ Pa' := new()

/\ Sid' := new()

/\ SND(A.Na'.Sid'.Pa')

% Since we abstract away from the

negotiation

% of cryptographic algorithms, here I simply

assume

% that the server must send back Pa.

(Essentially

% modelling that the client makes only one

offer.)

2. State = 2

/\ RCV(Nb'.Sid.Pa.{B.Kb'}_(inv(Ks)))

=|>

State' := 3

/\ PMS' := new()

/\ M' := PRF(PMS'.Na.Nb')

/\ Finished' :=

H(PRF(PMS'.Na.Nb').A.B.Na.Pa.Sid)

/\ ClientK' :=

KeyGen(A.Na.Nb'.PRF(PMS'.Na.Nb'))

/\ ServerK' :=

KeyGen(B.Na.Nb'.PRF(PMS'.Na.Nb'))

/\ SND({PMS'}_Kb'.

{A.Ka}_(inv(Ks)).

{H(Nb'.B.PMS')}_(inv(Ka)).

{H(PRF(PMS'.Na.Nb').

A.B.Na.Pa.Sid)

}_KeyGen(A.Na.Nb'.PRF(PMS'.Na.Nb')))

/\ witness(A,B,na_nb2,Na.Nb')

4. State = 3

/\ RCV({Finished}_ServerK)

=|>

State' := 5

/\ request(A,B,na_nb1,Na.Nb)

/\ secret(ClientK,sec_clientk,{A,B})

/\ secret(ServerK,sec_serverk,{A,B})

end role

27

HLPSL Specification of the basic role bob (Server B),

role bob(A, B : agent,

H, PRF, KeyGen: hash_func,

Kb, Ks: public_key,

SND, RCV: channel (dy))

played_by B

def=

local Na, Nb, Sid, Pa, PMS: text,

State: nat,

Ka: public_key

init State := 1

transition

1. State = 1

/\ RCV(A.Na'.Sid'.Pa')

=|>

State' := 3

/\ Nb' := new()

/\ SND(Nb'.Sid'.Pa'.{B.Kb}_(inv(Ks)))

/\ witness(B,A,na_nb1,Na'.Nb')

2. State = 3

/\ RCV({PMS'}_Kb.{A.Ka'}_(inv(Ks)).

{H(Nb.B.PMS')}_(inv(Ka')).

{H(PRF(PMS'.Na.Nb).

A.B.Na.Pa.Sid)

}_KeyGen(A.Na.Nb.PRF(PMS'.Na.Nb)))

=|>

State' := 5

/\ SND({H(PRF(PMS'.Na.Nb).

A.B.Na.Pa.Sid)

}_KeyGen(B.Na.Nb.PRF(PMS'.Na.Nb)))

/\ request(B,A,na_nb2,Na.Nb)

end role

HLPSL Specification of the roles: Session, Environment, Goal and OFMC Output

role session(A,B: agent,

Ka, Kb, Ks: public_key,

H, PRF, KeyGen: hash_func)

def=

local SA, SB, RA, RB: channel (dy)

composition

alice(A,B,H,PRF,KeyGen,Ka,Ks,SA,RA)

/\

bob(A,B,H,PRF,KeyGen,Kb,Ks,SB,RB)

end role

goal

secrecy_of sec_clientk,sec_serverk %

Addresses G7

%Alice authenticates Bob on na_nb1

authentication_on na_nb1 % Addresses

G1, G2, G3, G7, G10

%Bob authenticates Alice on na_nb2

authentication_on na_nb2 % Addresses

G1, G2, G3, G7, G10

end goal

28

role environment()

def=

const na_nb1, na_nb2 : protocol_id,

h, prf, keygen : hash_func,

a, b : agent,

ka, kb, ki, ks : public_key

intruder_knowledge = { a, b, ka, kb, ks, ki,

inv(ki),

{i.ki}_(inv(ks)) }

composition

session(a,b,ka,kb,ks,h,prf,keygen)

/\ session(a,i,ka,ki,ks,h,prf,keygen)

/\ session(i,b,ki,kb,ks,h,prf,keygen)

end role

OF log file :

% OFMC

% Version of 2006/02/13

SUMMARY

SAFE

DETAILS

BOUNDED_NUMBER_OF_SESSIONS

PROTOCOL

/home/avispa/web-interface-

computation/./tempdir/workfile5wUPBB.if

GOAL

as_specified

BACKEND

OFMC

COMMENTS

STATISTICS

parseTime: 0.00s

searchTime: 0.33s

visitedNodes: 201 nodes

depth: 7 plies

7. List of Figures

Figure 1: Methods for Security Protocol Analysis [CS 259]………………………………….…..8

Figure 10: Dolev-Yao notation [BMV03]…………………………………………………………9

Figure 3: taken from [AJ04]……………………………………………………………………...11

Figure 4: taken from [M05]………………………………………………………………………14

Figure 5: AVISPA web-based interface (screenshot)…………………………………………….14

Figure 6: A type I state space and the effect of data abstraction upon it [AH99]………………..19

Figure 7: Dolev-Yao intruder rules……………………………………………………………….20

Figure 8: Lazy Intruder: constraint reduction rules.................................................................…...20

Figure 9: The AVISPA tool: Results, July 2005[M05]…………...……………………………...25

8. List of Tables

1. Table: HLPSL fragment of role client (alice) on NSPK……………………………………….15

2. Table-set: HLPSL on NSPK key server handshake protocol………………………………20-24

3. Table-set: HLPSL notation on SSL 3.0/TLS 1.0 handshake protocol…………………..…26-28

29

9. References

1. [CJ97] John Clark and Jeremy Jacob. A survey of authentication protocol

literature : Version 1.0., November 1997

http://www-users.cs.york.ac.uk/jac/papers/drareview.ps.gz 2. [M94] Catherine Meadows: Formal Verification of Cryptographic Protocols:

A Survey. ASIACRYPT 1994

3. [TA02] Survey in Formal Analysis of Security Properties of Cryptographic

Protocols,Tarigan 2002

4. [DY83] D. Dolev, A. Yao, On the Security of Public Key Protocols, IEEE

Trans. on Information Theory, 1983

5. [BAN89] Michael Burrows, Martin Abadi, and Roger Needham. A logic of

authentication. Technical Report 39, Digital Systems Research Centre,

February 1989

6. [CS 259] Protocol Verification by the Inductive Method, John Mitchell

7. [GB00] Inductive Verification of Cryptographic Protocols, G. Bella ,2000

8. [AG98] A Calculus for Cryptographic Protocols

The Spi Calculus

Abadi/Gordon, 1998

9. [AR00] Reconciling two Views of Cryptography ( The Computational

Soundness of Formal Encryption ), Abadi/Rogaway, 2000

10. [AD94] A Theory of Timed Automata,

Alur/Dill, Theoretical Computer Science, 1994

11. [AJ04] Three Tools for Model-Checking Security Protocols,

Arruda/Juma, Jan 2004

12. [HS06] A Comparative study of Security Protocols Validation Tools:

Hermes vs. AVISPA, Hussain/Seret, 2006

13. [MVO05] Automated Validation of Security Protocols (AVASP),

Mördersheim/Vigano’/Oheimb, April 2005

14. [M05] Methods for Automated Protocol Analysis,

Sebastian Mödersheim,2005

15. [AA05] The AVISPA Tool for Automated Validation of Internet Security

Protocols and Applications, Alessandro Armando, 2005

16. [V06] Automated Security Protocol Analysis With the AVISPA Tool,

Luca Vigano’, Electronic Notes in Theoretical Computer Science, 2006

17. [AVISPA] http://www.avispa-project.org/

http://www.avispa-project.org/publications.html

http://www.avispa-project.org/library/index.html

http://www.avispa-project.org/mailinglist.html

18. [CM05] A High-level Protocol Specification Language for Industrial Security-

Sensitive Protocols*, Chevalier/Mödersheim et al., 2005

19. [AA03] Deliverable D2.3: The Intermediate Format, Alessandro Armando,

2003

20. [AH99] Efficient Infinite-State Analysis of Security Protocols, Antti Huima,

1999

21. [DB99] Lazy Infinite-State Analysis of Security Protocols, David Basin, 1999

30

22. [MS01] Constraint Solving for bounded-process cryptographic protocol

analysis,

Millen/Shmatikov, 2001

23. [BMV03] Constraint Differentiation: A new Reduction Technique for

Constraint-Based Analysis of Security Protocols*,

Basin/Mödersheim/Vigano’, 2003

24. [GK00] Rewriting for cryptographic protocol verification,

Genet/Klay, Springer, 2000

25. [BBKK01] Verification of Timed Automata Using Rewrite Rules and

Strategies, Beffara/Bournez/Kacem/Kirchner, 2001

26. [CKRT03] An NP Decision Procedure for Protocol Insecurity with XOR,

Chevalier/ Küsters/ Rusinowitch/ Turuani, 2003

27. [BMV04] OFMC: A symbolic model checker for security protocols,

Basin/Mördersheim/Vigano’, December 2004

28. [AC04] SATMC: a SAT-based Model Checker for Security Protocols,

Armando/Compagna, 2004

29. [NSPK] http://dimacs.rutgers.edu/Workshops/Security/program2/boyd/

node14.html

30. [GV95] An attack on the Needham-Schroeder public-key authentication

protocol, Gavin Lowe, 1995

31. [GV96] Breaking and Fixing the Needham-Schroeder Public-Key Protocol

using FDR, Gavin Lowe, 1996

32. [BB] Remote Timing Attacks are Practical, Brumley/Boneh

33. [CHVV] Password Interception in a SSL/TLS Channel,

Canvel/Hiltgen/Vaudenay/Vuagnoux

34. [KPR] Attacking RSA-based Sessions in SSL/TLS,

Klima/Pokorny’/Rosa

35. [YG02] An Intrusion Detection System for Security Protocol Traffic,

Yasinsac/Goregaoker, 2002

36. [WS] Analysis of the SSL 3.0 protocol,

Wagner/Schneider

37. [TLS] RFC 2246 "The TLS Protocol Version 1.0" , Jan 1999