Fast, Automatic Checking of Security Protocols

Protocols in electronic commerce and other securitysensitive applications require careful reasoning to demonstrate their robustness against attacks. Several logics have been developed for doing this reasoning formally,but protocol designers usually do the proofs by hand, a process which is time-consuming and error-prone. We present a new approach, theory checking, to analyzing and verifying properties of security protocols. In this approach we generate the entire finite theory, Th, of a logic for reasoning about a security protocol; determining whether it satisfies a property, , is thus a simple membership test: 2 Th. Our approach relies on (1) modeling a finite instance of a protocol in the way that the security community naturally, though informally, presents a security protocol, and (2) placing restrictions on a logic’s rules of inference to guarantee that our algorithm terminates, generating a finite theory. A novel benefit to our approach is that because of these restrictions we can provide an automatic theory-checker generator. We applied our approach and our theory-checker generator to three different logics for reasoning about authentication and electronic commerce protocols: the Burrows-AbadiNeedham logic of authentication, AUTLOG, and Kailar’s accountability logic [4, 8, 6]. For each we verified the desired properties using specialized theory checkers; most checks took less than two minutes, and all less than fifteen. 1 Motivation for our Approach Past approaches to reasoning about security protocols, e.g., authentication protocols, have relied on either pencil-and-paper proof or machine-assisted proof through the use of interactive theorem provers, e.g., the Boyer-Moore Prover [3], Gypsy [5], HDM [9], Ina This research is sponsored by the Wright Laboratory, Aeronautical Systems Center, Air Force Materiel Command, USAF, and the Advanced Research Projects Agency (ARPA) under grant number F33615-93-11330. Views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing official policies or endorsements, either expressed or implied, of Wright Laboratory or the United States Government. Jo [10], and UNISEX [7]. Proofs of properties of these protocols relied on either specialized logics, e.g., Burrows-Abadi-Needham’s Logic of Authentication, or an encoding of a specialized logic in the theorem prover’s general-purpose logic. These proofs are tedious to do. If done by hand, they are prone to error; and they can be applied only to small examples. If done by machine, they require tremendous user patience since the machine usually insists on treating the critically creative and the boring bookkeeping steps of the proof all with equal importance; they often take hours to complete, even discounting human user time; and they are also prone to error since they still rely on human intervention and ingenuity. In this paper we present a completely different approach to verifying properties about security protocols. It relies on the observation that informal reasoning about these protocols by the security community is invariably done in terms of a finite number of entities, e.g., parties communicating, messages exchanged, types of messages, encryption and decryption keys. Thus, we reason about a finite model of a protocol rather than its generalization. Our approach further relies on the observation that logics used to reason about these protocols have a finite number of rules of inference that “grow in a controlled manner” (discussed in Section 2.1). It is this controlled growth that enables us to build an automatic checker for a given logic and class of protocols we wish to verify. It is the small size in the number of entities we need to model and the small size in the number of rules in any given logic that enables us to do this checking fast. Stated simply, our method is to build the entire theory, Th, given a logic and a model of the protocol we want to check. Since the model is finite and since the logic’s rules always shrink or grow in a controlled manner, the theory we generate is finite. Then checking whether a property, , holds of a protocol boils down to a simple membership test: 2 Th? In all the examples we have looked at, generating Th takes no more than a few minutes; membership is a trivial test. In fact, we do even better. We provide more than a single fast, automatic checker for verifying properites of a class of security protocols, but better yet, we provide a tool that for any given logic generates one of these fast, automatic checkers. In other words our tool is a theory-checker generator (and each checker it generates implements the method described above). And best of all, the tool we built generates these checkers completely automatically as well! In this paper, we first describe our method and argue informally its correctness and termination properties. We illustrate in Section 3 how we applied this method to three different logics, each proposed as the basis for reasoning about security protocols: Logic Class of Protocols Properties to Check BAN authentication authentication AUTLOG authentication authentication, privacy Kailar elec. commerce accountability We start with the BAN logic since AUTLOG is a variation of it and Kailar’s logic is similar in flavor to BAN. We discuss some of the implementation details in Section 4 and explain how we are able to build a tool that can generate checkers automatically. Section 5 discusses related work. We close in Section 6 by summarizing our contributions and discussing two important future directions of this work: why logics for reasoning about security protocols are particularly amenable to our method and the general applicability of our method to domains outside of security.