Formal Verification - ECE Student Information - University of Limerick

Formal Verification – An Imperative 

Step in the Design of Security 

Protocols 

Tom Coffey 

Data Communication Security Laboratory 

Department of Electronic and Computer Engineering 

University of Limerick 

Tom Coffey - Nov14 2007 Formal verification - an imperative step in sec. prot. design 1

Overview 

♦ Cryptographic Protocols & Verification 

♦ Logic Based Verification 

♦ Case Study 1: The BCY Protocol & Verification, 

Including a New Attack on BCY 

♦ Case Study 2: Analysis the Needham-Shroeder 

protocol using Coffey-Saidha Logic 

♦ Conclusion 


Cryptographic Security Protocols 

♦ Mobile and fixed networks are trusted with 

highly sensitive information. 

♦ Security protocols are required to ensure the 

security of both the network infrastructure itself 

and the information that runs through it. 

♦ These security protocols can be thought of as the 

keystones of a secure architecture. 


Cryptographic Protocols 

Basic cryptographic protocols allow agents to: 

• authenticate each other 

• ensure the authenticity of data and services 

• generate and distribute cryptographic keys, including 

fresh session keys, for confidential communication 

Building on such basic cryptographic protocols, more 

advanced services are achieved such as: 

• non-repudiation 

• fairness 

• electronic payment 

• electronic contract signing 

• anonymous channels and blind signatures 

•etc 


Cryptographic Protocols 

♦ Protocols are complex 

♦ Failure often result of subtle defect(s), e.g. 

Needham-Schröder, BCY 

♦ Hard to get it “right” 

♦ Need systematic way of finding defects => 

formal methods 


How It Usually Is … 

Protocol Design 

Publication 

More Publication 

Verification 


How It Should Be … 

Protocol Design 


Publication 

Re-Design Protocol 


Formal Verification Techniques 

♦ State-Space Searching 

• Generally comprising exhaustive testing or scenario 

analysis, involve examining the protocol in search of 

security breaches 

♦ Algebraic Term Rewriting and Theorem Proving 

♦ Verification Logics· 

• Involve a process of deductive reasoning, whereby the 

desired protocol goals are deduced by applying a set of 

axioms and inference rules to the assumptions and 

message exchanges of the protocol. 


Logic Based Verification 

♦ Based on modal logics of belief/knowledge. 

♦ Involve process of deductive reasoning. 

♦ E.g. BAN, GNY, Coffey-Saidha, AUTLOG. 

♦ Produce short concise proofs. 

♦ Identified a number of faulty protocols. 


Logic-Based Protocol Verification 

• Computationally Feasible: 

• Good at detecting both passive and active attacks on 

protocols 

• Reasonably easy to apply 

• Good at forcing protocol designers to explicitly state the 

goals and assumptions of their protocols. 

• If not done then protocol specifications can be 

misinterpreted leading to an incorrect analysis. 


Logic-Based Protocol Verification 

Accomplished by deductive reasoning based on ‘the application of valid rules 

of inference to sets of valid axioms (application of logical postulates)’ 

• Formally express protocol steps in the language of the logic 

• Formally express the desired protocol goals in the language of the 

logic 

• Formally express protocol assumptions in the language of the logic. 

• Starting with the initial protocol assumptions, build up logical 

statements after each protocol step using the logical axioms and 

inference rules 

• Compare these logical statements with the desired protocol goals, to 

see if the goals are achieved 

If goals can be deduced then protocol is valid, if not then protocol is invalid 


Logic Based Protocol Verification 

Informal Protocol 

Specification 

Logic-Based Verification Process 

Protocol 

Sprecification in 

Language of Logic 

Specification of 

Initial 

Assumptions 


Protocol Goals 

Application of 

Logical Postulates 

1. Protocol Formalisation 

♦ 

♦ 

♦ 


Result 

Formalisation of Protocol Steps. 

Specification of Initial Assumptions. 

Specification of Protocol Goals. 

2. Application of Axioms and Inference Rules 

♦ 

Using a process of deductive reasoning establish if goals of 

protocols are proven 


Results of Verification 

♦ Deriviation Exists: 

• Protocol secure within limitations of used logic 

♦ No Deriviation Exists: 

• Protocol fails to achieve goals 

• Proof hints at missing assumptions and/or faults in 

protocol design 


Case Study1: 

Review of Beller Chang and Yacobi 

Protocol by Coffey,Dojen and Flanagan 

Reference: 

T.Coffey, R. Dojen, T. Flanagan, “ Formal 

Verification-an imperative step in the design of 

security protocols”, in: Computer Networks, Vol.43, 

No.5, pp 601-618, Elsevier Science. (2003) 


Case Study 1:The BCY Protocol Review by CDF [CDF 03] 

The BCY Protocol 

Some History 

♦ Designed in 1993 by Beller, Chang, Yacobi 

[BCY93] 

♦ Review #1 in 1994 by Carlsen [Carlsen94]; flaws 

found, proposed corrections 

♦ Review #2 in 1996 by Mu, Varadharajan [MuVa96] 

; flaws found, proposed corrections 

♦ Review #3 in 2002 by Horn, Martin, Mitchell 

[HMM02]; commented on flaws 

♦ Review #4 in 2003 by Coffey, Dojen, Flanagan 

[CDF03]; Existing and new flaws found, proposed 

& verified corrections 


CDF03 Research Paper 

♦ Protocols reviewed: 

• BCY 

• Carlsen-BCY 

• Mu-Varadharajan BCY 

• CDF-BCY 

♦ Logic Used 

• GNY [GNY 90] 




♦ Designed to provide authentication in lowpower 

portable devices. 

♦ Combines Diffie-Hellman key exchange with 

Modular Square Root encryption (MSR). 

♦ Service provider has two public keys: Kvd+ 

and Kvm+. 

♦ Certificates (denoted by {X 1 …X n }Ks-) 

contain components and hash, all signed. 



Protocol Notation 

U 

User 

Kx+ 

Public Key of X 

V 

Service Provider 

Kx- 

Private Key of X 

S 

Certification Authority 

KK 

Key Encryption Key 

A 

Attacker 

SK 

Session Key 

r X 

Nonce generated by X 

{X}K 

X encrypted under K 

TS 

Expiration Time 

Kvd+, 

Kvm+. 

public keys of service 

provider 




BCY1:V → U: {V, Kvd+,Kvm+}Ks- 

U computes: Y = {r U 

}Kvm+, KK={Kvd+}Ku-, 

SK = {r U 

}KK 

BCY2: U → V: Y, {{U,Ku+}Ks-}r U 

V computes: r U 

={Y}Kvm-, KK={Ku+}Kvd-, 

SK = {r U 

}KK 

BCY3:V → U: {dataV}SK 

BCY4: U → V: {dataU}SK 



Weaknesses Identified by CDF 

in Original BCY Protocol 

1. U cannot derive that V’s public keys are valid. 

2. U cannot derive that the session key is a suitable shared 

secret with V. 

3. V cannot derive that U’s public key is valid. 

4. V cannot derive that the session key is fresh. 

5. V cannot derive that the session key is a suitable shared 

secret with U. 

6. U cannot derive that V conveyed dataV. 

7. V cannot derive that U conveyed dataU. 

8. V cannot derive that BCY4’ is fresh. 

In summary the BCY protocol provides neither authentication or 

key agreement 



Weaknesses Identified by CDF 

in Carlsen’s BCY and Mu-Varadharajan’s BCY 

Protocols 

♦ Carlsen’s BCY protocol fails to provide 

authentication or key agreement 

♦ Mu-Varadharajan’s BCY protocol fails to 

provide authentication 



CDFAttack on BCY 

CDF demonstrated execution of new attack on BCY 

protocols, allowing an adversary to impersonate a legitimate 

principal 

Pre: 

A knows r Uo , SK O ={r Uo }KK 

BCY1:V → A: {V, Kvd+,Kvm+}Ks- 

A computes Y = {r Uo 

}Kvm+ 

BCY2: A → V: Y, {{U,Ku+}Ks-}r Uo 

V computes r U 

= r Uo ={Y}Kvm-, 

KK={Ku+}Kvd-, SK O = {r Uo 

}KK 

BCY3:V → A: {dataV}SK 

BCY4: A → V: {dataU}SK 



Results of Coffey-Dojen-Flanagan Review 

♦ Verification of BCY protocol exposed 8 failed protocol 

goals. The Protocol provides neither authentication or key 

agreement 

♦ Carlsen’s BCY protocol fails to provide authentication 

or key agreement 

♦ Mu-Varadharajan’s BCY protocol fails to provide 

authentication 

♦ Demonstrated execution of new attack on BCY 

protocols, allowing an adversary to impersonate a 

legitimate principal 

♦ Proposed & verified corrections (CDF-BCY) 


Case Study2: 

Analysing the Security of Needham- 

Shroeder Protocol using Coffey-Saidha 

Logic 

Reference: 

[CS97] T.Coffey, P. Saidha, “Logic for verifying 

security protocols”, in: IEE Proc - Computers and 

Digital Techniques 144 (1) pp28–32. (1997) 


Case Study 2: Analysis of NS Protocol using CS Logic 

Coffey-Saidha logic 

[CS1997] T.Coffey, P. Saidha, “Logic for verifying security protocols”, in: IEE Proc - 

Computers and Digital Techniques 144 (1) pp28–32. (1997) 

•A formal technique 

- can be used to verify public-key cryptographic protocols. 

• A modal logics of knowledge and belief 

- can analyse the evolution of both knowledge and belief during a protocol 

execution. 

- useful in addressing issues of both security and trust 

• Logic is capable of modelling a wide-range of public-key 

cryptographic protocols. 

- fair-exchange, non-repudiation, key establishment, authentication and 

zero-knowledge, etc. 



Coffey-Saidha logic theory 

• A Formal Language 

Allows protocol facts to be expressed in a form which 

can be manipulated by the logic. 

• A Set of Inference Rules 

Allow new facts to be deduced from already known 

facts. 

• A Set of Axioms 

Formal expression of facts applying to the logic. 

• Formal Semantics 

Specify whether logical statements will be true or false 

in practice. 



Language operators: 

The Coffey-Saidha Logic 

Language Syntax Summary 

K Σ,t Φ: knowledge (propositional) L Σ,t x: knowledge (predicate) 

B Σ,t Φ: belief 

S(Σ,t,x): emission R(Σ,t,x): reception 

C(x, y): ‘contains’ 

e(x, k Σ ): encryption function d(x,k Σ -1): decryption function 

a,b,c,,,: variables Φ: an arbitary statement 

Σ and Ψ: arbitary entities i and j: range over entities 

ENT: the set of all entities t, t', t''... Time 

k Σ : public key of entity Σ k Σ -1: private key of entity Σ 

Classical logical connectives include: 

∧: conjunction. ∈: membership of set. 

∨ : disjunction. 

/ : set exclusion. 

∀ : universal quantification. ∃ : existential quantification. 

¬ : complementation. : theorem. 

→: implication. 


The CS Logic 

Inference Rules 

Rules to allow new facts to be deduced from already known facts: 

R1: From ├ p and ├ (p → q) infer ├ q 

R2: (a) From ├ p infer ├ K Σ,t p 

(b) From ├ p infer ├ B Σ,t p 

R3: From (p ∧ q) infer p 

R4: From p and q infer (p ∧ q) 

R5: From p infer (p ∨ q) 

R6: From ¬(¬p) infer p 

R7: From (from p infer q) infer (p → q) 

R1 states that if schema p can be deduced and (p → q) can be deduced, then q can 

also be deduced. R2 consists of the Generalisation rules which state that if p is a 

theorem, then knowledge and belief in p are also theorems 


The CS Logic 

Axioms underlying assumptions 

• Communication environment is hostile 

• Public key system is ideal 

- d(e(x,k Σ ), k Σ 

-1) 

= x and e(d(x,k Σ 

-1 

),k Σ ) = x. 

• Public keys valid, if 

- Validity period is not exceeded 

- private keys know only to rightful owner 

• Crypto-system is collision free 

- it is not possible to create same ciphertext from two different 

pieces of plaintext 

• Entity which encrypts/decrypts data knows the data 


CS Logic 

Axioms 

A1: (a) ∃t∃p∃q(K Σ,t 

p ∧ K Σ,t 

(p → q) → K Σ,t 

q) 

(b) ∃t∃p∃q(B Σ,t 

p ∧ B Σ,t 

(p → q) → B Σ,t 

q) 

A2: ∃t∃p(K Σ,t 

p → p) 

A3: (a) ∃t∃x∃i,i∈{ENT}(L i,t 

x →∀t',t'≥t L i,t' 

x) 

(b) ∃t∃x∃i,i∈{ENT}(K i,t 

x →∀t',t'≥t K i,t' 

x) 

(c) ∃t∃x∃i,i∈{ENT}(B i,t 

x →∀t',t'≥t B i,t' 

x) 

A4: ∃t∃x∃y(∃i,i∈{ENT}L i,t y ∧ C(y,x) →∃j,j∈{ENT}L j,t 

x) 

A5: ∃t∃x( S(Σ,t,x) → L Σ,t 

x ∧∃i,i∈{ENT/Σ}∃t',t'>t R(i,t',x) ) 

A6: ∃t∃x( R(Σ,t,x) → L Σ,t 

x ∧∃i,i∈{ENT/Σ}∃t',t'

CS Logic Axioms 

Example 

A5: ∃t∃x( S(Σ,t,x) → L Σ,t 

x ∧∃i,i∈{ENT/Σ}∃t',t'>t R(i,t',x) ) 

The emission axiom (A5) states that: if Σ sends a message x at time t, 

then Σ knows x at time t and some entity i other than will receive x 

at time t' subsequent to t. 


CS Logic 

Axioms 

Example 

The A8 axioms refer to the impossibility of encrypting or decrypting a 

message without knowledge of the correct key. 

A8: (a) ∃t∃x∃i,i∈{ENT}( ¬L i,t k Σ 

∧∀t',t'

Needham-Schroeder public key Protocol 

Needham, Schroeder “Using encryption for authentication in large 

networks of computers”, Communications of the ACM 21 (12) pp 993–999. 

1978. 

•Well known authentication protocol 

•Easily understood protocol 

•Known flaw in protocol 

Flaw revealed in [BAN89] M. Burrows, M. Abadi, R. Needham, 

“A logic of authentication”, in: ACM Operating System Review 

23 (5) pp1–13 (1989) 




(1) A,B 

AS 

(4) B, A 

(2) {B, k B }k 

-1 

AS (5) {A, k A }k 

-1 

AS 

(3) {A, n A }k B 

A 

(6) {n A, n B }k A 

(7) {n B }k B 

B 

Notation: 

A, B: principals 

AS: 

trusted authentication server 

k AS , k 

-1 

AS : public and private keys of AS 

n A and n B : secret nonces generated by A and B 

{A, n A }k B : encryption of {A, nA} using k B 



(4) B,A 

(1) A,B 

AS 

(3) e({nA,A},k 

B ) 

(2) d({k B ,B},k AS 

-1 ) 

(5) d({k 

A ,A},k 

-1 

AS ) 

A 

(6) e({nA,nB},k A ) 

(7) e({nB},k B ) 

B 

In the Needham-Schroeder authentication scheme, two principals, A and B, obtain each 

other's public keys from a trusted authentication server AS, and exchange two secret 

nonces, nA and nB, for the purpose of mutual authentication. 

It is assumed that both A and B know the public key k AS 

of the AS, and that they trust 

the AS to distribute good public keys. That is, if a principal knows that a message has 

just been sent to it by AS, then it will trust the public key contained in that message. 

The objectives of messages 1, 2, 4 and 5 are to provide A and B with each other's 

public keys. Messages 3, 6 and 7 exchange the secret nonce information between A and 

B. Message 6 should satisfy A that its origin was B and similarly, message 7 should 

satisfy B that its origin was A. 

In the analysis which follows, tn refers to the time at the end of protocol step n. Thus, 

t0 is the time at the start of the protocol execution and t7 is the time at the protocol 

conclusion. 



Verifying Needham-Schroeder Protocol 

using the CS Logic 


Verification Procedure 

Informal Protocol 

Specification 

Protocol 

Sprecification in 

Language of Logic 

Logic-Based Verification Process 

Verification Specification of Procedure 

Initial 

Assumptions 


Protocol Goals 

Application of 

Logical Postulates 

1. Protocol Formalisation 

♦ 

♦ 

♦ 


Result 

Formalisation of Protocol Steps. 

Specification of Initial Assumptions. 

Specification of Protocol Goals. 

2. Application of Axioms and Inference Rules 

♦ 

Using a process of deductive reasoning establish if goals of 

protocols are proven 



Formalisation of Protocol Steps 

Protocol Specification in Language of CS Logic 

Steps 

i. K AS,t1 ( R (AS, t 1 , (A, B))) 

ii. K A,t2 (R (A, t2, d({B, k B ), k 

-1 

AS ))) 

iii. K B,t3 (R ( B, t3, e({A, n A }, k B ))) 

iv. K AS,t4 ( R (AS, t4, (B, A))) 

v. K B,t5 (R (B, t5, d({A, k A ), k 

-1 

AS ))) 

vi. K A,t6 (R ( A, t6 , e({n A, n B }, k A ))) 

vii. K B,t7 (R ( B, t7, e({n B }, k B ))) 



Formalisation of Initial Assumptions 

i. L A,t0 

(k AS 

) 

Aii. L B,t0 (k AS 

) 

Aiii. L AS,t0 (k A 

) 

Aiv. L AS,t0 (k B 

) 

Av. K A,t0 (∀i,i{ENT}, ∀t,t


Formalisation of Protocol Goals 

G i. K A,t2 

(∃t, t0


Application of the Logical Postulates 

The logical statements are build up after each 

protocol step (steps 1-7) using the logical axioms and 

inference rules. These logical statements are 

compared with the desired protocol goals, to see if the 

goals are achieved. 



Analysis Results 

Result 1 

Goal i: K A,t2 (∃t, t0


Analysis Results 

Result 2 

Goal iii : K A,t6 (∃t, t0

Concluding Remarks 

♦ Security protocols are complex, flaws often subtle. 

♦ Introduction to logic based verification. 

♦ Case Study 1:Verification of BCY’93 exposes 8 failed 

protocol goals, also failures in Carlsen’s BCY and Mu- 

Varadharajan’s BCY. Demonstrated execution of new 

attack on BCY protocols. 

♦ Case Study 2: Analysis of Needham-Shroeder protoocol 

illustrated the detection of known weakness and also 

revealed two new missing hypotheses from the initial 

protocol assumptions of the N-S protocol. 

♦ Flaws highlight importance of formal verification….. 

‘formal vedification is an imperative step in the design 

of security protocols’ 


References 

[BAN89] M. Burrows, M. Abadi, R. Needham, “A logic of authentication”, in: ACM Operating System 

Review 23 (5) (1989) 1–13. 

[BCY93] M.J. Beller, L.F. Chang, Y. Yacobi, “Privacy and authentication on a portable communications 

system”, IEEE Journal on Selected Areas in Communications 11 (6) 821–829. (1993) 

[Carlsen94] U. Carlsen, “Optimal privacy and authentication on a portable communications system”, in: 

ACM Operating Systems Review, 28 (3) pp16–23. (1994) 

[CDF 03] T.Coffey, R. Dojen, T. Flanagan, “ Formal Verification-an imerative step in the design of security 

protocols”, in: Computer Networks, Vol.43, No.5, pp 601-618, Elsevier Science. (2003) 

[CS97] T.Coffey, P. Saidha, “Logic for verifying security protocols”, in: IEE Proc - Computers and Digital 

Techniques 144 (1) pp28–32. (1997) 

[GNY 90] L. Gong, R. Needham, R. Yahalom, “Reasoning about belief in cryptographic protocols”, in: 

Proceedings of 1990 IEEE Computer Society Synopsis on Research in Security and Privacy, pp. 234–248. 

(1990). 

[MuVa96] Y. Mu, V. Varadharajan, “On the design of security protocols for mobile communications”, in: 

Information Security and Privacy, Lecture Notes in Computer Science, vol. 1172, Springer, Berlin,, pp. 

134–145.(1996). 

[HMM02] G. Horn, K. Martin, C. Mitchell, “Authentication protocols for mobile network environment 

value-added services”, in: IEEE Transactions on Vehicular Technology 51 (2002) 383–392. 

[NS78] Needham, R.M., Schroeder M.D., “Using encryption for authentication in large networks of 

computers”, in: Communications of the ACM 21 (12) pp 993–999. 1978.

Formal Verification - ECE Student Information - University of Limerick

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?