What is Correctness of Security Protocols?
Giampaolo Bella (Università di Catania, Italy)
Abstract: As soon as major protocol flaws were discovered empirically - a good luck that is not older than the early 1990s -- this title question came up to the world. It was soon realised that some notion of formal correctness was necessary to substantiate the confidence derived from informal analyses. But protocol correctness was born in a decade when security in general was only beginning to ferment.
Security protocols aim at a large variety of goals. This is partly due to the increasing domains where the protocols are finding an application, such as secure access to localarea network services, secure e-mail, e-commerce, public-key registration at certification authorities and so on. Also, several interpretations are possible about each goal.
Clearly, it is impossible to study protocol correctness profitably without a universal and unambiguous interpretation of its goals. What may be typical of security problems is that it is at least as important to state a detailed and appropriate model of threats that a secure system is meant to withstand. This has been a second and significant source of perhaps useless debates around many protocols.
These are certain to be some of the reasons why dozens of papers appeared about one, now popular, protocol attack in just a few years of the second half of the last decade. One of the protocol designers firmly refused those "findings" because his protocol had been conceived within a different threat model -- and perhaps for different goals -- from the one that the publications had been constructed upon.
It seems obvious that an ant may survive under a single sheet of paper but certainly will not under a hard-back bulky book. It should be clarified what an ant and a bulky book precisely are. With particular attention to similar issues, this position paper discusses some findings of the author's in the area of protocol formal analysis. Their significance mostly is methodical rather than specific for particular protocols. The paper then outlines the author's favourite tool, the Inductive Method, and concludes with a few open problems.
Keywords: inductive method, protocol goal, protocol verification, threat model
Categories: D.2.4, F.3.1