Title: A Graphical Environment for the Facilitation of LogicBased Security Protocol Analysis
1. A Graphical Environment for the Facilitation of Logic-Based Security Protocol Analysis
Elton Saul and Andrew Hutchison, DNA Research Group, University of Cape Town, South Africa
2. OVERVIEW
- Introduction.
- Basics of GNY analysis.
- The VGNY environment.
- VGNY examples.
- Where VGNY fits in with our plans.
- Conclusion.
3. INTRODUCTION
- Design and engineering of security protocols is a challenging task.
- Protocols often contain subtle flaws and vulnerabilities which attackers exploit.
- Need to encourage protocol engineering with proven techniques.
- To facilitate timely, rapid and accurate protocol modelling, usable and expressive graphical interfaces are required.
4. GUIDING PRINCIPLE
Distil the critical issues and present designers with an appropriate level of detail, guiding them in the specification and analysis process as much as possible.
5. LOGIC-BASED ANALYSIS
- Security protocol analysis methods have typically focused on information leakage.
- Security logics aim to determine whether a protocol achieves its intended goals.
- BAN logic first popularized this type of security protocol analysis.
- GNY is a popular successor of BAN.
6. GNY PRIMER
- Beliefs and possessions of a principal are described using logic statements.
- A statement contains syntactical characters and formulae.
- A formula is a name referring to a bit string which would have a particular value in a session.
- Principal names describe who believes or possesses something.
7-9. GNY PRIMER
A GNY Statement
A believes that B has jurisdiction over the suitability of the key Kac shared between A and C.
[Figure: the statement in GNY notation, annotated to show its syntactical characters and its formulae.]
10-12. GNY PRIMER
Another GNY Statement
A believes that principal B possesses formula Tb.
[Figure: the statement in GNY notation, annotated to show its syntactical characters and its formulae.]
13. GNY PRIMER
- An extension to a formula is a formal specification which dictates that a principal should only proceed to send the formula if certain conditions hold.
- This helps to eliminate ambiguity, as these conditions are often only expressed verbally.
- Having accepted a formula as genuinely coming from someone, the recipient can choose to believe that the extension holds if he trusts the sender's competence.
14. GNY PRIMER
A Formula with an Extension
The extension states that X is recognizable.
15-16. LOGIC-BASED ANALYSIS
Can now determine whether the protocol achieves its goals by examining these final sets.
17. ADVANTAGES OF LOGICS
- Forces designers to explicitly state the security assumptions they have made and will require after execution.
- Helps to minimize redundancy by making designers think about the use of each component.
- Keeps track of the evolution of beliefs in a session and thus helps to determine the minimum number of messages required.
18. PROBLEMS WITH LOGICS
- Analysis using a logic tends to be obscure and inaccessible for the uninitiated.
- Often requires experience, insight and knowledge of cryptic syntax and notation.
- Thus, the opportunity exists to support analysis efforts by guiding the process.
19. THE VGNY ENVIRONMENT
- Protocol analysis environment known as the Visual GNY (VGNY) Environment.
- Used to visualize and manage GNY logic statements.
- Employs a tree-based view with multiple tabbed panels.
- Contextual pop-up menus are used to add components, principals and belief categories.
- Statements can be constructed using only a mouse.
20-22. THE VGNY ENVIRONMENT
[Screenshot of the VGNY environment, annotated to show its Belief Categories and its Components.]
23. THE VGNY TREE-VIEW
- Nodes within the tree can be deleted or expanded.
- If a node contains children, then a clickable token is displayed to its right.
- Deleting a node deletes its children.
- Tooltips automatically reveal the statement represented by the current node.
24. ADVANTAGES OF VGNY
- Imposes a hierarchical structure on GNY statements.
- Makes the representation of GNY statements as concise as possible.
- Allows a user to vary the level of detail.
- Ensures users do not have to remember cryptic syntax or notation.
- Provides scope for guiding a user.
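The hierarchical view of a GNY statement that the deck describes (a principal node holding belief and possession categories, which in turn hold components), the tooltip that spells a node out in English, and the idea of deriving "final sets" from initial beliefs and possessions can all be shown in a few dozen lines. The following is an added example written for this page, not code from the VGNY tool or from the authors. It builds statements as trees, renders each tree both in GNY notation and as tooltip-style English, and forward-chains a small subset of GNY's inference rules (the possession rule P1, the being-told rule T2, the recognizability rule R1 and the jurisdiction rule J1) over constructed initial sets. The node and constructor names, the ASCII rendering of the shared-key formula (A <-Kac-> C) and the choice of rule subset are this example's own assumptions; the statements about A, B, Kac, Na and Tb are the ones the deck uses.

```python
"""Added example: GNY statements as trees, rendered to notation and to
tooltip English, plus forward chaining over a small GNY rule subset.
Node names, the ASCII shared-key rendering and the rule subset are
assumptions of this example, not the deck's or VGNY's own."""
from dataclasses import dataclass
from typing import Iterable, Set, Tuple


@dataclass(frozen=True)
class Node:
    """One tree node: an operator applied to child nodes, or a leaf name."""
    op: str
    args: Tuple["Node", ...] = ()
    label: str = ""  # used only by "name" leaves (principals and formulae)


# Constructors for the node kinds used below (hypothetical names).
def name(x):             return Node("name", label=x)
def believes(p, s):      return Node("believes", (p, s))
def possesses(p, x):     return Node("possesses", (p, x))
def told(p, x):          return Node("told", (p, x))
def recognizable(x):     return Node("recognizable", (x,))
def jurisdiction(q, s):  return Node("jurisdiction", (q, s))
def pair(x, y):          return Node("pair", (x, y))
def shared_key(k, a, b): return Node("shared_key", (k, a, b))


def notation(n: Node) -> str:
    """Render a tree in GNY symbols: |≡ believes, ∋ possesses, ⊲ told, φ recognizable, |⇒ jurisdiction."""
    a = [notation(c) for c in n.args]
    return {
        "name":         lambda: n.label,
        "believes":     lambda: f"{a[0]} |≡ {a[1]}",
        "possesses":    lambda: f"{a[0]} ∋ {a[1]}",
        "told":         lambda: f"{a[0]} ⊲ {a[1]}",
        "recognizable": lambda: f"φ({a[0]})",
        "jurisdiction": lambda: f"{a[0]} |⇒ {a[1]}",
        "pair":         lambda: f"({a[0]}, {a[1]})",
        "shared_key":   lambda: f"{a[1]} <-{a[0]}-> {a[2]}",
    }[n.op]()


def tooltip(n: Node) -> str:
    """Render a tree as the English sentence a tooltip on that node would show."""
    a = [tooltip(c) for c in n.args]
    return {
        "name":         lambda: n.label,
        "believes":     lambda: f"{a[0]} believes that {a[1]}",
        "possesses":    lambda: f"{a[0]} possesses {a[1]}",
        "told":         lambda: f"{a[0]} is told {a[1]}",
        "recognizable": lambda: f"{a[0]} is recognizable",
        "jurisdiction": lambda: f"{a[0]} has jurisdiction over whether {a[1]}",
        "pair":         lambda: f"{a[0]} and {a[1]}",
        "shared_key":   lambda: f"{a[0]} is a suitable key shared between {a[1]} and {a[2]}",
    }[n.op]()


def derive(f: Node, facts: Set[Node]) -> Iterable[Node]:
    """Immediate consequences of one statement under a small GNY rule subset."""
    if f.op == "told":                          # P ⊲ X
        p, x = f.args
        yield possesses(p, x)                   # P1: P ⊲ X  ⊢  P ∋ X
        if x.op == "pair":                      # T2: P ⊲ (X, Y)  ⊢  P ⊲ X and P ⊲ Y
            yield told(p, x.args[0])
            yield told(p, x.args[1])
    elif f.op == "possesses":                   # R1: P ∋ X  ⊢  P |≡ φ(X)
        p, x = f.args
        yield believes(p, recognizable(x))
    elif f.op == "believes" and f.args[1].op == "jurisdiction":
        p, (q, c) = f.args[0], f.args[1].args   # J1: P |≡ Q |⇒ C and P |≡ Q |≡ C  ⊢  P |≡ C
        if believes(p, believes(q, c)) in facts:
            yield believes(p, c)


def closure(initial: Iterable[Node]) -> Set[Node]:
    """Forward-chain until no rule adds a statement: the session's final sets."""
    facts = set(initial)
    grew = True
    while grew:
        grew = False
        for f in list(facts):
            for new in derive(f, facts):
                if new not in facts:
                    facts.add(new)
                    grew = True
    return facts


# Constructed initial sets for one session, built around the deck's statements.
A, B, C = name("A"), name("B"), name("C")
Na, Tb, Kac = name("Na"), name("Tb"), name("Kac")
KEY_OK = shared_key(Kac, A, C)
INITIAL = {
    believes(A, jurisdiction(B, KEY_OK)),   # A |≡ B |⇒ A <-Kac-> C (from the deck)
    believes(A, believes(B, KEY_OK)),       # constructed: A accepts B's assertion about Kac
    told(A, pair(Na, Tb)),                  # constructed: A receives the message (Na, Tb)
}
FINAL = closure(INITIAL)


def goal_reached(goal: Node) -> bool:
    """Examine the final sets: does the protocol achieve `goal`?"""
    return goal in FINAL


if __name__ == "__main__":
    for f in sorted(FINAL, key=notation):
        print(f"{notation(f):34}  {tooltip(f)}")
    print("goal A |≡ A <-Kac-> C reached:", goal_reached(believes(A, KEY_OK)))
```

Running the block prints every derived statement in both renderings and reports whether the goal belief about Kac is in A's final belief set. Because every statement is a tree, the same structure drives the notation, the tooltip and the rule matching, which is the point of imposing a hierarchy on GNY statements rather than handling them as strings of symbols.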
25. VGNY EXAMPLES
A believes that formula Na is recognizable.
26. VGNY EXAMPLES
[Figure: GNY notation vs. VGNY tree view]
A believes that principal B possesses formula Tb.
27. VGNY EXAMPLES
[Figure: GNY notation vs. VGNY tree view]
A believes that B has jurisdiction over the suitability of the key Kac shared between A and C.
28. VGNY AND SPEAR II
29. CONCLUSION
- Security protocol analysis is important.
- People don't want to remember complex syntax.
- Tools must focus on semantic issues and on pitching design information at the appropriate level.
- The VGNY environment uses a tree-based system and contextualized pop-up menus to allow a designer to specify GNY statements.
- Analysis information is structured and presented hierarchically.
30. QUESTIONS?