Most applications on the Internet, such as e-banking and e-commerce, use the SET and the NSL protocols to protect the communication channel between the client and the server. It is therefore crucial to ensure that these protocols respect security properties such as confidentiality, authentication, and integrity. In this paper, we analyze the SET and the NSL protocols with respect to the confidentiality (secrecy) property. To perform this analysis, we use the interpretation functions-based method. The main idea behind the interpretation functions-based technique is to give sufficient conditions that guarantee that a cryptographic protocol respects the secrecy property. The flexibility of the proposed conditions allows the verification of daily-life protocols such as SET and NSL. This method can also be used under different assumptions, including a variety of intruder abilities and algebraic properties of cryptographic primitives. The NSL protocol, for instance, is analyzed with and without the homomorphism property. We also show, using the SET protocol, the usefulness of this approach for correcting weaknesses and problems discovered during the analysis.
Intuitively, cryptographic protocols are communication protocols that involve cryptography to reach specific security goals (authentication, secrecy, etc.). Today, these protocols play a key role in our daily life. Among others, they protect our banking transactions (e-commerce protocols), our access to private wired and wireless networks, and our access to a variety of indispensable services (web, FTP, e-mail, etc.).
Obviously, any flaw in such protocols can have heavy negative consequences for individuals and organizations. It is also a well-known fact that attacks exploiting cryptographic protocol flaws are generally very difficult to detect: tools such as intrusion detection systems and firewalls are helpless against them, since it is difficult (sometimes even impossible) to distinguish between legitimate and illegitimate users when the cryptographic protocol is flawed.
Like any sensitive system, cryptographic protocols need to be seriously studied and their correctness should be rigorously analyzed and ideally proved. For that reason, formal specification and verification of security protocols have received much attention in recent years. Some of these works including comparative studies could be found in [
Today, after more than thirty years of hard work, the international community has a better understanding of cryptographic protocols and better support to specify and analyze them. But there remains a lot of work to do in this field. One of the most important drawbacks of the existing results is that they are limited by either the class of protocols that they can analyze or the context (e.g., limited intruder abilities) in which they can analyze them. For instance, the method described in [
To deal with this problem, we have introduced in [
In this paper, we recall the main results of the approach and we show its efficiency and its flexibility by analyzing some famous cryptographic protocols such as SET protocol [
This paper is organized as follows. Section
As stated before, the main idea of our approach is to propose some conditions that are proven (in [
A brief description about these notions could be found in the next sections. In fact, Section
The sufficient condition to guarantee the secrecy property could be summarized as follows. Principals involved in the protocol should not decrease the security levels of sent components. Protocols that satisfy this condition are called in this work “increasing protocols.” For instance, the protocol described by Table
Example of increasing protocol.
Let us consider the protocol described by Table
Example of decreasing protocol.
To verify whether a protocol is increasing, we need a safe means to correctly estimate the security levels of received components so that we can handle them appropriately. We call it a “safe interpretation function” (the name of the approach, interpretation functions-based approach, comes from this notion). Among the important features of a safe interpretation function is that its results cannot be misled by the intruder's manipulations. For example, if the interpretation function estimates that the security level of a component
Another example of safe interpretation function, used in this paper, is the one that attributes a security level of a component
The DEK function and the DEKAN function can be used to analyze a large variety of cryptographic protocols. When the analysis fails, we should either adapt the protocol or use another safe function. However, the definition of safe functions is a complicated task. For this reason, we have introduced in [
The function
A simple way to define a selection function is to consider a term (a message in our case) as a tree where its arcs are annotated with real numbers that reflect costs or distances between nodes. After that, it will be easy to define
The message
Recall that the symbol
Of course, not all the interpretation functions
On the other hand, the conditions on the rank function
The formal definition of these functions and some sufficient conditions to construct some safe interpretation functions can be found in [
As stated in Section
To overcome this drawback, we introduced in [
In this work, the secrecy property is defined in terms of information flow security. We also adopt the “no read-up” notion of Bell-La Padula [
Now, recall the sufficient conditions that guarantee the correctness of a protocol with respect to the secrecy property. Informally, these conditions state that honest agents should never decrease, according to a safe interpretation function, the security level of any atomic message sent over the network. Protocols that satisfy this condition are called increasing protocols. The formalization of an increasing protocol is as follows. The secrecy property of increasing protocols is guaranteed even for an unbounded number of sessions and in the presence of an active intruder who can apply an unbounded number of operations to the messages that he manipulates. Indeed, we proved that, to check whether a protocol respects the secrecy property, it is sufficient to verify whether a finite model of the protocol, called in this work a “roles-based specification,” is increasing.
The verification process of the interpretation functions-based method can be summarized as described by Figure
Protocol verification process.
Intuitively, if the protocol is increasing according to a specific safe interpretation function, then we can deduce that the protocol respects the secrecy property; otherwise, we cannot make any statement about its correctness. Generally, if the correctness of a protocol cannot be ensured using a given safe interpretation function, this does not mean that a positive result cannot be obtained using another one. However, even if the verification is not conclusive, it provides helpful information that can be used either to discover flaws or weaknesses in the analyzed protocol or to deduce another safe interpretation function allowing us to prove the secrecy property of the protocol, as will be illustrated later. Also, this verification is finite since it is conducted on a finite set of generalized roles.
We believe that the sufficient conditions are not very restrictive, that is, for most secure protocols we can construct a safe interpretation function that allows us to prove the secrecy property. As shown later, even when the verification is not conclusive, the effort made to verify whether the protocol is increasing can help to discover flaws or weaknesses in the analyzed protocol, or sometimes to get an idea of another safe interpretation function allowing us to prove that it is increasing. It is also interesting to notice that, sometimes, a slight modification of a protocol can make it increasing for a given safe interpretation function and allow us to conclude that it is correct for secrecy.
This section gives the syntax and semantics of a protocol and how to infer the roles-based specification from the standard description of a given protocol.
Essentially, a protocol is specified by a sequence of communication steps given in the standard notation. Each step has a unique identifier and specifies the sender, the receiver, and the transmitted message. More precisely, a protocol
The statement
Table
Woo and Lam modified protocol.
To give a semantics to a protocol, we use the notion of generalized roles introduced in [
(i) The generalized roles of
If a given role cannot make any verification on a part of the received message, then this part needs to be substituted by a variable. The role of
(ii) The generalized roles of
The variable
(iii) The generalized role of
Since
In the rest of this paper, we denote by
Based on generalized roles, we define the notion of a
(i) Any session in the trace is an instance (a substitution) of a prefix of a generalized role.
(ii) Any message sent by the intruder should be deducible from his previously received messages, his initial knowledge, and his inference rules.
For instance, the trace of Table
Valid trace for the Woo and Lam modified protocol.
The semantics of a protocol
Let
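As an added illustration of the second validity condition on traces (a message sent by the intruder must be deducible from what he has received, his initial knowledge and his inference rules), the following Python code, which is not part of the paper, implements a standard Dolev-Yao deducibility check: the intruder first decomposes what he knows (splits pairs, opens encryptions whose inverse key he holds), then tries to build the candidate message by pairing and encrypting. The tuple term representation, the key naming (`pub_X`/`priv_X`) and the intruder's initial knowledge are this example's assumptions, constructed here.

```python
# Dolev-Yao deducibility check (constructed example, not from the paper).
# Terms are nested tuples:
#   ('atom', name)     an identifier, nonce or key
#   ('pair', t1, t2)   concatenation
#   ('enc', m, key)    encryption of m under key
# Assumed key naming: 'pub_X' / 'priv_X' are X's public and private key;
# any other key atom is treated as symmetric and decrypts itself.

def atom(name):
    return ('atom', name)

def pair(left, right):
    return ('pair', left, right)

def enc(message, key):
    return ('enc', message, key)

def pub(owner):
    return atom('pub_' + owner)

def priv(owner):
    return atom('priv_' + owner)

def inverse(key):
    """Key needed to decrypt something encrypted under `key`."""
    name = key[1]
    if name.startswith('pub_'):
        return priv(name[len('pub_'):])
    if name.startswith('priv_'):
        return pub(name[len('priv_'):])
    return key

def analyse(knowledge):
    """Decomposition closure: split every known pair and open every known
    encryption whose inverse key is (or becomes) known. Terminates because
    only subterms of the initial knowledge are ever added."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for term in list(known):
            new = set()
            if term[0] == 'pair':
                new = {term[1], term[2]}
            elif term[0] == 'enc' and inverse(term[2]) in known:
                new = {term[1]}
            if not new <= known:
                known |= new
                changed = True
    return known

def derivable(target, knowledge):
    """Can the intruder produce `target` from `knowledge` (synthesis after analysis)?"""
    known = analyse(knowledge)

    def build(term):
        if term in known:                      # known as-is (includes forwarding a ciphertext)
            return True
        if term[0] == 'pair':
            return build(term[1]) and build(term[2])
        if term[0] == 'enc':                   # needs the plaintext and the encryption key
            return build(term[1]) and build(term[2])
        return False                           # an atom never seen cannot be guessed

    return build(target)

# Constructed sample: intruder I owns priv_I and knows every public key and identity.
INTRUDER_INIT = {priv('I'), pub('A'), pub('B'), pub('I'), atom('A'), atom('B'), atom('I')}
NA = atom('Na')

def demo():
    """Three checks on a message of the shape {Na, A}_{pub(B)} (constructed)."""
    to_b = enc(pair(NA, atom('A')), pub('B'))
    to_i = enc(pair(NA, atom('A')), pub('I'))
    return {
        'na_from_msg_to_B': derivable(NA, INTRUDER_INIT | {to_b}),    # False: cannot open it
        'na_from_msg_to_I': derivable(NA, INTRUDER_INIT | {to_i}),    # True: I holds priv_I
        'forward_unopened': derivable(to_b, INTRUDER_INIT | {to_b}),  # True: replay as-is
    }

if __name__ == '__main__':
    print(demo())
```

The two-phase structure (analysis closure, then synthesis) is the usual way to keep the check finite: decomposition can only add subterms of the known messages, and composition is guided by the structure of the target.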
This section shows the efficiency and the flexibility of the interpretation functions-based approach when analyzing cryptographic protocols even when taking into consideration cryptographic primitives. We first analyze the NSL-protocol [
In this section, we consider the NSL-protocol with the standard intruder model of Dolev and Yao (i.e., without algebraic properties).
The Needham-Schroeder Lowe (NSL) protocol, denoted by
Needham-Schroeder-Lowe protocol.
The first step of the analysis consists in fixing the context of verification which contains the message algebra, the intruder capabilities, and the security levels of all messages. Second, we define a safe interpretation function in this context. After that, the role-based specification can be analyzed to verify whether the protocol is increasing by using the defined safe interpretation function. The following paragraphs describe in detail these steps.
Let Hence, the set of messages of
Atomic messages: principal identifiers, nonces, private keys, and public keys.
Message constructors: pair, encryption, decryption, first and second (pair projections).
As usual, we can write
Given a set of equations
The initial knowledge of principals
The security lattice
The typing function
We use the DEKAN function (that selects the direct encryption keys and neighbors) to analyze the NSL-protocol under the equational theory
(i) The selection function
This means that the distance between a node and its parent is
(ii) The interpretation function
For example, if
Safe costs assignment.
Notice also that, when an equational theory is taken into consideration, a message can have different equivalent forms. In this situation, to be safe, an interpretation function should give to a message the lowest level of the messages of its class. More precisely, if
To simplify the computation of
To reach this goal, we orient the equation so that the right side is greater than the left side according to
The NSL role-based specification is
Now, we can verify whether the role-based specification of SET is
From the generalized roles of
Recall that we are working with the lattice of security
Analysis of NSL: role of
Table
From the generalized roles of
Then, the security levels of sent and received messages in the generalized roles of
Analysis of NSL protocol: role of
Table
This section presents the analysis of the Needham-Schroeder Lowe (NSL) protocol with the homomorphism property of encryption:
Related works that take into consideration the homomorphism property in the analysis of cryptographic protocols are rare and most of them do not deal with an unbounded number of sessions. Among the important results obtained in this direction are those described in [
The interpretation functions-based method does not suffer from this problem, since it has been proved that a protocol being increasing is sufficient to guarantee its correctness for the secrecy property under an unbounded number of sessions. In the sequel, we show how the homomorphism property can affect the analysis of a protocol like NSL.
First, we need to change the context of verification
The last two equations of
We use the DEKAN function (that selects the direct encryption keys and neighbors) to analyze the Needham-Schroeder Lowe protocol under the equational theory
From the generalized roles of
The security levels of sent and received messages in the generalized roles of
Analysis of NSL protocol: role of
Table
Flaw in the NSL-protocol under the homomorphic assumption.
This is because the DEKAN function (that selects direct encryption keys and neighbors) with the homomorphism property acts as the DEK function (that selects the direct encryption keys only) and does not select the neighbors. Therefore, to correct this protocol in the presence of such a property, we should find a means (different from concatenation, such as signatures) allowing
From the generalized roles of
Analysis of NSL protocol: role of
Table
Therefore, the NSL-protocol is not increasing and, so, we cannot deduce anything about its correctness for the secrecy property. However, the protocol, with the changes suggested above, is increasing and it is therefore correct for the secrecy property even in the presence of the homomorphism property. Table
Needham-Schroeder-Lowe protocol: corrected version.
By using the DEK function or the DEKAN function, this new version of the Needham-Schroeder-Lowe protocol is increasing and therefore respects the secrecy property. Indeed, with this version
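To make the "increasing protocol" check concrete for the two NSL analyses above (DEKAN under the standard Dolev-Yao theory, and DEKAN degrading to DEK under the homomorphism property), here is a toy Python implementation added to this page; it is not the paper's code and the modelling choices are this example's assumptions: a security level is the set of principals allowed to learn an atom, ordered by reverse inclusion (more readers means a lower level, so the meet is set union); the DEK-style level of an atom is the owner of the inverse of the key that directly encrypts it; the DEKAN-style level adds the identifiers that are neighbours of the atom inside the same encryption; the unverifiable parts of a received message are variables (names starting with `?`) whose initial level is the top; and the increasing condition is read as "each sent atom is at a level at least as high as its typing met with the levels at which the role received it". The flag `neighbours=False` models the paper's observation that, with homomorphic encryption, DEKAN acts as DEK. The NSL roles are built from the three standard steps.

```python
# Toy "increasing protocol" check with DEK-style and DEKAN-style interpretation
# functions (constructed example; the definitions below are assumptions, not the
# paper's). Terms: ('atom', name), ('pair', a, b), ('enc', m, key). Only
# public-key encryption ('pub_X' keys) is modelled.

ALL = frozenset({'A', 'B', 'I'})   # bottom of the lattice: public
TOP = frozenset()                  # top: nothing assumed yet / no reader allowed

def atom(name): return ('atom', name)
def pair(left, right): return ('pair', left, right)
def enc(message, key): return ('enc', message, key)
def pub(owner): return atom('pub_' + owner)

def leq(t1, t2):
    """t1 is below or equal to t2: t1 allows at least the readers of t2."""
    return t1 >= t2

def meet(levels):
    """Greatest lower bound under reverse inclusion: union of the reader sets."""
    result = TOP
    for level in levels:
        result = result | level
    return result

def plaintext_atoms(term):
    """Atoms of a term, encryption keys excluded."""
    if term[0] == 'atom':
        return {term}
    if term[0] == 'pair':
        return plaintext_atoms(term[1]) | plaintext_atoms(term[2])
    return plaintext_atoms(term[1])

def occurrence_levels(term, protection=ALL, neighbours=True):
    """Map each atom of `term` to the estimated level of each of its occurrences."""
    out = {}
    if term[0] == 'atom':
        out[term] = [protection]
    elif term[0] == 'pair':
        for sub in (term[1], term[2]):
            for a, levels in occurrence_levels(sub, protection, neighbours).items():
                out.setdefault(a, []).extend(levels)
    else:  # encryption: protection is recomputed from the direct key (DEK) and neighbours (DEKAN)
        key_name = term[2][1]
        level = frozenset({key_name[len('pub_'):]}) if key_name.startswith('pub_') else TOP
        if neighbours:
            level = level | {a[1] for a in plaintext_atoms(term[1]) if a[1] in ALL}
        for a, levels in occurrence_levels(term[1], level, neighbours).items():
            out.setdefault(a, []).extend(levels)
    return out

def interpret(alpha, message, neighbours=True):
    """Level of atom alpha in message: the lowest over its occurrences, TOP if absent."""
    levels = occurrence_levels(message, neighbours=neighbours).get(alpha)
    return meet(levels) if levels else TOP

def typing(alpha):
    """Initial security level of an atom (constructed for an A-B session)."""
    name = alpha[1]
    if name.startswith('?'):
        return TOP                      # variable: the role can assume nothing about it
    if name in ALL or name.startswith('pub_'):
        return ALL                      # identities and public keys are public
    return frozenset({'A', 'B'})        # session nonces are shared by A and B

def is_increasing(role, neighbours=True):
    """role: list of ('recv', m) / ('send', m). Every atom of a sent message must
    leave at a level at least as high as its typing met with the levels at which
    the role received it earlier."""
    received = []
    for action, message in role:
        if action == 'recv':
            received.append(message)
            continue
        for alpha in plaintext_atoms(message):
            bound = meet([typing(alpha)] + [interpret(alpha, r, neighbours) for r in received])
            if not leq(bound, interpret(alpha, message, neighbours)):
                return False
    return True

# Generalized roles of NSL (constructed from the three standard steps; ?X and ?Y
# are the partner's nonce, which the receiving role cannot verify).
A, B, NA, NB, X, Y = atom('A'), atom('B'), atom('Na'), atom('Nb'), atom('?X'), atom('?Y')
NSL_ROLE_A = [('send', enc(pair(NA, A), pub('B'))),
              ('recv', enc(pair(NA, pair(X, B)), pub('A'))),
              ('send', enc(X, pub('B')))]
NSL_ROLE_B = [('recv', enc(pair(Y, A), pub('B'))),
              ('send', enc(pair(Y, pair(NB, B)), pub('A'))),
              ('recv', enc(NB, pub('B')))]

if __name__ == '__main__':
    for name, role in (('A', NSL_ROLE_A), ('B', NSL_ROLE_B)):
        print(name, 'DEKAN:', is_increasing(role), 'DEK/homomorphic:', is_increasing(role, False))
```

With neighbours enabled, both roles pass: the variable nonce is received at level {A, B} (owner of the decryption key plus the neighbouring identifier) and re-sent under the partner's public key at level {B} or {A}, which is higher. With neighbours ignored, the received level shrinks to the key owner alone ({A} in role A), and re-sending under the other principal's key ({B}) is not comparable, so the check fails, which is the non-conclusive outcome the paper reports for NSL under the homomorphism property.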
Electronic commerce, commonly denoted by e-commerce or eCommerce, consists in buying and selling goods or services over the Internet. To make a purchase, a customer usually submits his credit card number to a merchant over a channel protected by a specific cryptographic protocol such as SET or SSL.
Many researchers have addressed the problem of analyzing the SET protocol during the last years. For example, Paulson et al. tried in [
The SET protocol [
SET protocol.
The
Initialization request (step 1): before starting the purchase, the cardholder and the merchant agree upon the order description and its price. This shopping step is outside the SET protocol. The cardholder then sends to the merchant his local ID (
Initialization response (step 2): the merchant
Order request (step 3): after validating the signature of the merchant and the certificates of the gateway, the cardholder sends an order request which contains the payment instruction (
Authorization request (step 4): the message sent during this step contains
Authorization response (step 5): if both
Purchase response (step 6): the merchant verifies the gateway's signature and whether the IDs and the
In the following, we focus on verifying the secrecy property of this protocol by using the interpretation functions-based method. To that end, we follow the steps described by Figure
Let
Atomic messages: principal identifiers, nonces, private keys, and public keys.
As usual, we write
Message constructors: encryption, signature, pair, first and second (pair projections), and hash.
Let
The intruder model
The initial knowledge of principals
The security lattice
The typing relation
We use an extended version of the DEKAN function to deal with hash functions. To that end, we follow the guideline defined in Section
Safe costs assignment.
The DEKAN function
For more details about how we compute a roles-based specification from a protocol and a context of verification, we refer the reader to Section
The
The
The generalized role of
The
Now, we can verify whether the role-based specification of SET is
(i) Let us start with the generalized roles of
From the definition of
Now, the security levels of sent and received messages in the generalized roles of
SET analysis: role of
From the analysis of the role of
(ii) From the generalized roles of
The security levels of sent and received messages in the generalized roles of
SET analysis: role of
From Table
(iii) From the generalized roles of
SET analysis: role of
Then, the security levels of sent and received messages in the generalized roles of
SET analysis: role of
From Table
To sum up, we propose hereafter a secure version of the SET protocol for the secrecy property. It replaces the message of step
A secure version of the SET protocol.
Also, the
The interpretation functions-based method is a flexible framework that allows the verification of different classes of protocols against a variety of intruder models. This flexibility gives it a great advantage over related works, where almost all approaches can deal only with a specific class of protocols and under some specific assumptions. When using the interpretation functions-based method, we have no restriction on either the class of protocols that we can analyze or the intruder model and the algebraic properties. We are limited only by our capacity to find a suitable and safe interpretation function for the protocol that we want to analyze under the selected intruder model (context of verification).
Also, the analysis of protocols using the interpretation functions-based method can help to discover the algebraic properties that an encryption operator should not satisfy if the correctness of the analyzed protocol is to be guaranteed. This information is useful for the implementation of the protocol, when the time comes to select a specific encryption system. For instance, the commutativity property of the “exclusive or” and the “nilpotence” property should not be combined, since together they allow a message to be decrypted without knowing the key.
Moreover, the interpretation functions-based method has the significant advantage of ensuring the correctness of cryptographic protocols for an unbounded number of sessions, without any restriction on either the number of principals or the size of exchanged messages. In fact, many existing approaches restrict their results by limiting the number of sessions, the sizes of messages, and/or the number of involved principals in order to cope with the infinite number of traces that a protocol can exhibit. Other works try to find a finite number of traces that are representative of all the others, that is, the analysis of the selected traces is enough to conclude about the correctness of the protocol. However, finding this representative and finite set of traces, if it exists, can be as complicated as the original problem, even for some particular classes of protocols. There are, however, some attempts to analyze protocols without restriction on their traces, but they still suffer from heavy restrictions both on the class of protocols that they can analyze and on the intruder model that they use.
In the remaining part of this section, we focus on the typing-based method [
In 1997, Abadi introduced in [
Compared to the interpretation functions-based method, the secrecy by typing approach has the following restrictions.
(i) The exchanged messages have to respect some particular form. They must always be composed of four separated parts having the following type
(ii) The secrecy by typing approach uses only the Dolev and Yao model for the intruder, while the interpretation functions-based method can deal with different intruder models.
In 1997, Schneider suggested, in [
The main ideas behind the typing system, the interpretation function, and the rank function approaches are the same, that is, find some way to evaluate the security levels of exchanged messages and then check whether they are appropriately protected to guarantee the correctness of the protocol for the secrecy property. However, there are some fundamental differences between them. Hereafter, we focus on the differences between the approach presented in this paper and the rank function approach.
(i) For each protocol, we need to define a suitable rank function, which is a complicated task. There are no universal functions, like DEK or DEKAN for the interpretation function approach, that are independent of the analyzed protocols. A rank function is extracted from the analyzed protocol itself and should respect some specific conditions (like the safety condition for the interpretation function). Though the author makes a great effort, in [
(ii) The results given within the rank function approach are linked to a specific intruder ability. The approach based on interpretation functions, on the other hand, is more flexible since it can handle a large variety of intruder abilities without reworking proofs.
(iii) When using a given interpretation function to analyze a protocol, even if we are unable to ensure its correctness, the result is generally very helpful either to adapt the protocol or to build another interpretation function. This is not generally the case with the rank function approach.
By analyzing the SET and the NSL protocols, this paper is an attempt to show that the interpretation functions-based method is an efficient technique to analyze and to ensure the correctness of cryptographic protocols for the secrecy property. Based on some special functions called “interpretation functions,” this technique guarantees the secrecy property under an unbounded number of sessions and without any restriction on the size of messages sent by the intruder. To verify the secrecy property, it is sufficient to check whether a finite specification of the protocol, called generalized roles, respects some precise conditions. Intuitively, these conditions state that the involved principals do not decrease, for a safe interpretation function, the security levels of exchanged messages. Another interesting feature of this approach is that it can handle different verification contexts with different intruder abilities, including algebraic properties.
As future work, we want to implement the approach, extend it to the authentication property, and propose more safe interpretation functions.