A review of Proverif as an automatic security protocol verifier
A review of Proverif as an automatic security protocol verifier
A review of Proverif as an automatic security protocol verifier
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Bluetooth 2.1. In Bluetooth 2.1, Simple Pairing h<strong>as</strong> four modes <strong>of</strong> operation<br />
b<strong>as</strong>ed on the hardware capabilities <strong>of</strong> the device: Just Works, Numeric Comparison,<br />
P<strong>as</strong>skey Entry <strong>an</strong>d Out <strong>of</strong> B<strong>an</strong>d. Because <strong>of</strong> a known attack on the Just<br />
Works <strong>an</strong>d P<strong>as</strong>skey Entry operating modes, Nilsson, Larson <strong>an</strong>d Erl<strong>an</strong>d have<br />
developed a <strong>protocol</strong> which is not vulnerable to the M<strong>an</strong> In The Middle-attack<br />
<strong>an</strong>ymore[36]. They used ProVerif to prove the new scheme for authentication,<br />
named ACDHEKE, <strong>an</strong>d have shown that the attack is no longer possible for the<br />
Just Works <strong>an</strong>d P<strong>as</strong>skey Entry operating modes.<br />
For the Numeric Comparison operating mode <strong>of</strong> Simple Pairing, Ch<strong>an</strong>g <strong>an</strong>d<br />
Shmatikov have employed ProVerif to show that strong authentication fails for<br />
the <strong>protocol</strong>. In strong authentication with Simple Pairing, the user must confirm<br />
the h<strong>as</strong>h, visible on communicating devices A <strong>an</strong>d B, generated from the initial<br />
keys. ProVerif proved that strong authentication does not hold when a device A<br />
is executing multiple sessions with <strong>an</strong>other device B[11]. The h<strong>as</strong>h value that is<br />
shown to the user may not be the h<strong>as</strong>h value <strong>of</strong> the session the user thinks he is<br />
accepting, thereby accepting the wrong session <strong>as</strong> successful.<br />
Bluetooth 3.0 In April, 2009 the Bluetooth Special Interest Group adopted the<br />
Bluetooth 3.0 specification. Bluetooth 3.0 remains backwards compatible with<br />
previous versions, so it is susceptible to the same attacks when used to communicate<br />
with devices using older versions <strong>of</strong> Bluetooth. This me<strong>an</strong>s that the<br />
<strong>an</strong>alysis made with ProVerif is still relev<strong>an</strong>t for some time while the market is<br />
adopting Bluetooth 3.0.<br />
We identified two main re<strong>as</strong>ons why Ch<strong>an</strong>g <strong>an</strong>d Shmatikov used ProVerif for<br />
their <strong>an</strong>alysis <strong>of</strong> the Bluetooth. First, ProVerif supports the verification <strong>of</strong> weak<br />
secrecy (which w<strong>as</strong> useful because <strong>of</strong> the low-entropy secrets used in Bluetooth)<br />
[11]. Second, they used correspondence <strong>as</strong>sertions for modeling authentication<br />
[11].<br />
4 Limitations <strong>of</strong> ProVerif<br />
In the previous chapter, we have considered applications <strong>of</strong> ProVerif, which<br />
brings up the question what the limitations <strong>of</strong> ProVerif are: what are <strong>protocol</strong>s<br />
or parts or properties <strong>of</strong> <strong>protocol</strong>s which we might w<strong>an</strong>t to model in ProVerif, but<br />
are unable to? About which types <strong>of</strong> problem is ProVerif unable to yield a (valid)<br />
verdict <strong>as</strong> to whether the required <strong>as</strong>sertions are satisfied? We will describe<br />
the limitations we have encountered in the literature <strong>an</strong>d discuss whether the<br />
problems c<strong>an</strong> be e<strong>as</strong>ily solved, or seem to be inherent to ProVerif.<br />
4.1 Approximations in ProVerif<br />
The developers <strong>of</strong> ProVerif have made some approximations in their formalization<br />
<strong>of</strong> <strong>security</strong> <strong>protocol</strong>s[7]. According to them, these approximations are key<br />
to limiting the number <strong>of</strong> runs <strong>of</strong> <strong>protocol</strong>s. Unsurprisingly, these could theoretically<br />
be <strong>of</strong> influence to the sensitivity <strong>an</strong>d specificity <strong>of</strong> ProVerif.