ESSM: Formal Analysis Framework for Protocol to Support Algebraic Operations and More Attack Capabilities
The strand space model has been proposed as a formal method for verifying the security goals of cryptographic protocols. However, only encryption and decryption operations and hash functions are currently supported for the semantics of cryptographic primitives. Therefore, we establish the extended strand space model (ESSM) framework to describe algebraic operations and advanced threat models. Based on the ESSM, we add algebraic semantics, including the Abelian group and the XOR operation, and a threat model based on algebraic attacks, key-compromise impersonation attacks, and guess attacks. We implement our model using the automatic analysis tool, Scyther. We demonstrate the effectiveness of our framework by analysing several protocols, in particular a three-factor agreement protocol, with which we can identify new attacks while providing trace proofs.
In recent years, formal analysis has been widely applied to many types of protocol security analysis [1, 2], including the 5G authentication and key agreement (AKA) protocol [3, 4], transport-layer security (TLS) version 1.3 [5, 6], the Signal messaging protocol , secure forwarding protocols , and multifactor authentication protocols . Theoretical research on formal analysis is also under way, and great progress has been made on observational equivalence  and equational theories .
Automatic analysis of algebraic properties in security protocols is gaining increasing attention in formal analysis. Among the existing symbolic analysis tools, several support algebraic property analysis based on various theories. For example, the On-the-fly Model Checker  explores the state space using a requirement-driven approach. The Constraint-Logic-based Attack Searcher  runs the protocol in all possible interleavings over a bounded session set, converting traces into constraints. The Tree Automata based on Automatic Approximations for the Analysis of Security Protocols  tool uses tree automata with a term-rewriting language to over-approximate intruder knowledge. ProVerif, an automatic cryptographic protocol verifier , verifies that a protocol satisfies a set of user-given properties using an over-approximation technique (for example, abstracting fresh nonces). The Tamarin Prover, a security protocol verification tool supporting both falsification and unbounded verification in the symbolic model , supports Diffie-Hellman (DH)  and exclusive-OR (XOR)  theories based on protocol descriptions as multiset rewriting systems.
Scyther  uses the strand space model to represent protocol roles and applies a pattern-based backward search algorithm to perform bounded or unbounded verification of the protocol's properties . In , Cremers proposed a method for approximating the DH operation in the IKEv1 and IKEv2 protocols using an auxiliary protocol.
The strand space model  is a practical formal method of analysing security protocols. Its theoretical basis was built upon the Dolev-Yao model ; the model, proposed by Fábrega et al., transforms the states of the roles and the overall process of a protocol run into a set and a directed graph, and determines whether attack nodes exist by reasoning over that set.
Automatic analysis tools that use the strand space model as their theoretical basis include Athena , Scyther, Maude-NPA (the Naval Research Laboratory Protocol Analyzer in Maude) , the Cryptographic Protocol Shape Analyzer (CPSA) , and the Tamarin Prover. The strand space model is widely used for protocol analysis. Yang et al.  addressed the representation of choice in the strand space model, allowing a protocol to branch along different paths, and integrated the syntax and transformation rules of process algebra into Maude-NPA strands. Basin and Cremers  extended the strand space model with an adversary model and modelled the attacker in Scyther-compromise. Dong and Niu  extended the framework to anonymity analysis and qualitatively analysed differences in degrees of anonymity.
In this research, our contributions are as follows.
We establish the Extended Strand Space Model (ESSM) framework, which uses algebraic strands to represent protocol operations and different bundles to represent different attacker behaviours. The model is extensible and adaptable to different protocols: attacker capabilities can be selected according to the specific protocol and communication environment while accurately modelling attacker behaviour.
We establish the semantic description of the algebraic capability of the strand space, extending the attacker’s ability to obtain messages with algebraic properties. The attacker can obtain previously ignored information in protocols supporting the XOR and Abelian groups.
We establish semantic support for special attacker capabilities. Algebraic attacks, key leakage attacks, and guessing attacks are modelled for specific environments.
The correctness of the added semantic logic is verified through an engineering implementation of ESSM in Scyther. The applicability and correctness of the framework are illustrated by comparing the number of detected paths and the ability to detect attacks before and after the additions.
The rest of this paper is organized as follows. In Section 2, we briefly review the basic definitions of the strand space model. Section 3 elaborates the establishment of the ESSM framework. Section 4 shows the performance of ESSM on real protocol analyses. Section 5 concludes the paper and discusses future work. The source code of the protocol formal models can be obtained from https://github.com/mmmxy555/ESSM.
2. Strand Space Theory
This section briefly introduces the basic concepts of strand space theory, the attacker model, and security attribute representation.
2.1. Basic Concepts
In the strand space model, the behaviours of the protocol participant and attacker are described as strands, and the set of these strands constitutes the strand space. The symbols are shown in Table 1.
We mark the set of all elements appearing in the protocol interaction as . We refer to the elements of as terms, which can contain one or more subterms. expresses that element is a subterm of , where and are both terms.
Binary is a symbolic term in which , and , which is expressed as or . means that the principal sends term , and indicates that the principal receives term .
Definition 1 (strand). A strand is a finite sequence containing several symbolic terms. A strand , with symbolic terms, can be expressed as . We define the set of strands as and set all strands in protocol as , where .
The strand space model can be used to construct the Needham-Schroeder public key (NSPK) protocol.
(i) Initiator strand: .
(ii) Responder strand: .
The strand space digraph of the protocol is obtained by connecting the strands of each role through causal relations. For example, for NSPK, the strand space digraph is given in Figure 1.
2.2. Protocol Attacker Description
An attacker's capabilities follow the attacker model defined by Dolev and Yao: the attacker can discard, generate, and combine messages. In the strand space model, the attacker's capabilities are realized as combinations of the attacker's atomic operations, as defined in Table 2.
A bundle is a structure in the strand space composed of strands connected through binary terms with opposite signs but the same term. Figure 1 can be seen as a bundle composed of two strands: the three symbolic terms of each strand carry the same terms with opposite signs, which establishes the connections between the two strands and forms the bundle.
Using its initial knowledge and the atomic operations, the attacker can completely control the channel: it can eavesdrop on, tamper with, or redirect messages, and expand its knowledge via encryption and decryption.
2.3. Representation of Security Attributes
We mainly consider whether the attacker can obtain secret information protected by the protocol through a combination of attacker strands and initial knowledge. Confidentiality of secret information means that there is no node (a normal node or an attacker node) that has the unprotected secret as its term. The definition of confidentiality is as follows.
Definition 2 (secrecy). A value is secret in a strand space if, for every bundle in and for every node , the .
Authentication can also be expressed. A protocol satisfies authentication if each principal of the protocol receives the terms that it should accept according to the protocol's expectations.
Definition 3 (authentication). A protocol guarantees a participant’s ( (e.g., the responder)) agreement for certain data terms , with participant if, in a strand space , for every bundle , containing a responder strand using in , there exists a unique initiator strand using in .
A weaker noninjective agreement does not ensure uniqueness.
3. Extended Strand Space Model
3.1. ESSM Framework
We extend the semantics of the strand space model and propose the ESSM framework shown in Figure 2.
The definitions of strand and bundle inherit the definition of the strand space model. In ESSM, a strand can be divided into three types: role, algebra, and attack.
Role strands represent the message sending and receiving that fulfil a role in the protocol interaction. Algebra strands are the newly defined algebraic operation strands. Attacker strands contain the original attack capabilities and the extension capability modules.
Per the role-interaction rules defined for the protocol, the role strands describe the order in which the protocol principals receive and send messages. The algebra strand is a novel strand type added in ESSM; it can be modularized and extended, and it describes the conversion rules of the algebraic operations in the protocol. Algebraic operations can be shared by the principal and the attacker: the agent can use algebraic operations and the basic encryption and decryption rules, E and D, to complete its internal operations, and equivalence relations of the algebraic operations can be modelled at the same time. For attackers, algebraic operations yield more terms in ESSM than in the original strand space model. The basic attacker strands inherit the semantics of M, F, T, and the other penetrator strands of the strand space model. The extension module lets the attacker capabilities relevant to a specific protocol be combined into the model.
We use three disjoint sets to represent all the strands in protocol . , , and refer to the set of all role, algebra, and attack strands in , respectively. Then, the strand set satisfies .
The extended strands must satisfy the basic rules of obtaining terms, meaning that the terms obtained by an attacker must have appeared before.
Definition 4 (extended strands). Strand is a legal extended strand, if, for all , there exists a number that satisfies .
An extended strand space is a graph of the three types of strands connected by causal dependency. This graph is the space of all role, algebraic operation, and attack strands. We use the confidentiality and authentication rules of the SSM to determine whether the security attributes of a protocol are satisfied.
ESSM introduces algebraic rule strands that support algebraic operations in the interaction behaviour of agents. Attackers can also use these algebraic rule strands to carry out attacks. The commonly used algebraic operations, XOR and Abelian group operations, are modelled semantically so that ESSM can be used for protocols that rely on them.
In the extended model, the attacker’s ability is abstracted into descriptions of the attacker’s behaviours using different atomic rules. This modular design enables us to define attacker models for specific protocols.
Furthermore, the algebraic and attacker rules in ESSM are extensible. Thus, ESSM can be further extended by the systematic description of atomic rules for added algebraic operations or attack capabilities.
Compared with the original strand space model, our extended framework has two advantages.
One is the formal description of algebraic properties. Traditional analysis ignores the properties of the algebraic operations present in a protocol and therefore cannot detect attacks that exploit them. Our extension can search for this type of attack and expands the types of protocols that can be analysed.
The second is a custom description of attack capabilities. The traditional SSM is based on the Dolev-Yao attacker model, which assumes that the cryptographic primitives are unbreakable. In practice, attackers may mount attacks such as KCI attacks and weak-password guessing, which traditional analysis does not consider. In our extension, attacker capabilities can be chosen according to the problems a protocol may have, and the attack models can be freely combined to find the problems in the protocol.
3.2. Algebraic Attribute Addition
The basic strand space model does not support algebraic operations (e.g., XOR or Abelian groups), so attackers have no way of finding attacks related to algebraic properties. We therefore use one-way functions to model XOR and Abelian groups abstractly, such that the strand space model can support the analysis of protocols using algebraic operations, and attackers can use algebraic operation strands to detect problems with algebraic operations in protocols.
For the addition of different modules, we introduce new types of terms and functions. When the type of the term matches the type of the function parameter, the newly added strand can be applied. At the same time, the new type of strand is also compatible with the operations of traditional SSM attackers. For example, for type terms, the attacker can also perform operations such as generation and eavesdropping.
3.2.1. XOR Operation
The XOR operation requires the establishment of an algebraic model that satisfies the following operational relations. For ,
We use a hash function combined with a new set of decryption semantics to achieve the XOR operation. Owing to the unidirectionality of the hash function, the attacker can construct when and are known. However, terms and cannot be obtained through .
Definition 5 (XOR operation). One-way function ; denotes the exclusive OR of terms and .
The attacker can generate through and , and if and are known, the attacker can calculate to obtain term , which cannot be described by the hash function. Thus, a new model of the attacker’s derivation ability is needed.
We built an XOR operation module, shown in Table 3. For a protocol containing the XOR operation, we can add the XOR operation semantic module to model the protocol, and attackers can then obtain information from the algebraic operation.
In rule XOR-Z, we construct a constant , representing the zero element, which is included in the initial knowledge of the principals and the attacker in the protocol description. In rule XOR-G, attackers can apply XOR to construct the XOR value of two known terms. In rule XOR-S, the attacker can obtain from the known XOR value . These two terms are independent in the strand space model, so this rule expresses the commutative (exchange) law of XOR. In rule XOR-D, an attacker who knows the XOR value and the first term can obtain the second term . In rule XOR-O, an attacker can obtain the term XOR from the zero element. In rule XOR-C, the attacker can apply the associative (binding) law to combine the XOR values of three elements.
We do not have a decryption rule for the first term of the XOR model, because it can be implemented by applying the XOR-S and XOR-D rules.
Suppose the attacker knows and ; term can then be obtained from these known values. The attacker first applies rule XOR-S to to obtain , and then applies rule XOR-D to obtain term .
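As an added illustration (not code from the paper or its Scyther implementation), the following Python script applies the Table 3 rules as a bounded forward closure over the attacker's knowledge and prints a trace proof for the derivation just described. The term constructors, the depth bound, and the readings of XOR-O as xor(x, 0) -> x and XOR-C as associativity are assumptions of this example.

```python
"""Bounded attacker-knowledge closure under the ESSM XOR rules (example)."""
from itertools import product

ZERO = "0"   # XOR-Z: the zero element, part of everyone's initial knowledge


def xor(a, b):
    """Constructor for the one-way term xor(a, b) of Definition 5."""
    return ("xor", a, b)


def is_xor(t):
    return isinstance(t, tuple) and t[0] == "xor"


def depth(t):
    return 0 if isinstance(t, str) else 1 + max(depth(t[1]), depth(t[2]))


def show(t):
    return t if isinstance(t, str) else f"({show(t[1])} xor {show(t[2])})"


def closure(initial, max_depth=2):
    """Saturate the attacker's knowledge under XOR-Z .. XOR-C.

    Returns a dict term -> (rule, premises) recording the rule that first
    produced each term, which is enough to print a trace proof.  Terms nested
    deeper than max_depth are discarded so the search stays finite (an
    assumption of this example; the paper's tool bounds its search differently).
    """
    known = {t: ("initial", ()) for t in initial}
    known.setdefault(ZERO, ("XOR-Z", ()))
    changed = True

    def add(term, rule, premises):
        nonlocal changed
        if term not in known and depth(term) <= max_depth:
            known[term] = (rule, tuple(premises))
            changed = True

    while changed:
        changed = False
        terms = list(known)              # snapshot: one round of rule applications
        for t in terms:
            if not is_xor(t):
                continue
            _, a, b = t
            add(xor(b, a), "XOR-S", [t])                     # commutative law
            if a in known:
                add(b, "XOR-D", [t, a])                      # strip a known first term
            if b == ZERO:
                add(a, "XOR-O", [t])                         # x xor 0 = x
            if is_xor(a):                                    # associative law, both ways
                add(xor(a[1], xor(a[2], b)), "XOR-C", [t])
            if is_xor(b):
                add(xor(xor(a, b[1]), b[2]), "XOR-C", [t])
        for a, b in product(terms, repeat=2):
            add(xor(a, b), "XOR-G", [a, b])                  # xor of two known terms
    return known


def trace(known, goal, steps=None):
    """Linearise the derivation of goal as (term, rule, premises) in proof order."""
    steps = [] if steps is None else steps
    rule, premises = known[goal]
    for p in premises:
        if all(s[0] != p for s in steps):
            trace(known, p, steps)
    if all(s[0] != goal for s in steps):
        steps.append((goal, rule, premises))
    return steps


if __name__ == "__main__":
    # Constructed scenario from Section 3.2.1: the attacker knows xor(a, b) and b.
    k = closure([xor("a", "b"), "b"])
    for term, rule, prem in trace(k, "a"):
        print(f"{rule:8} {show(term):16} from {[show(p) for p in prem]}")
    # Knowing only xor(a, b), neither a nor b is recoverable.
    print("a derivable from xor(a,b) alone:", "a" in closure([xor("a", "b")]))
```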
3.2.2. Abelian Group Operation
In security protocols, the application of an Abelian group is embodied in the key agreement algorithms, DH, and the elliptic-curve DH (ECDH). Using the multiplicative group on and the additive group on an elliptic curve, we analyse the properties of the Abelian group, describe the operation of the Abelian group in ESSM, and model the ability of attackers to obtain terms from the operation.
We describe the semantics of the multiplication group on as follows: for the primitive element over ,
First, two one-way functions, add and mul, are defined to represent the addition and multiplication operations of the two variables.
Definition 6 (add operation). One-way function ; denotes the addition of terms and .
Definition 7 (mul operation). One-way function ; denotes multiplication of terms and .
Similar to the XOR operation, attackers can construct add and mul values, swap their arguments, and deduce the other element from the whole function value and one known element. We define these three rule types as gen, swap, and decrypt, as shown in Table 4.
For equivalence relations in the Abelian group whose two sides have different forms, we use the equivalence relation . Because the strand space model cannot express an equivalence relation directly, a bidirectional derivation relationship is used instead, such as and . This equivalence relation is expressed as a bidirectional strand space model. For the principals and the attacker of the protocol, we establish the semantic rules in Table 5.
We describe the DH key exchange protocol in the strand space by applying the semantics of the multiplicative group on . Via the key exchange, the two parties establish a shared key, . The strand representations of protocol roles A and B are as follows:
(1) Initiator A's strand: .
(2) Responder B's strand: .
In the role strands of this protocol, the third message between A and B is not trivial, because both parties need to obtain before the message can be encrypted and decrypted. Term is obtained using the added semantics. Taking principal A as an example, the process of obtaining the shared key is shown in Figure 3.
Role A applies rule DH-G to obtain the term . A obtains the term by combining it with its initial knowledge of . Rule DH-L1 is then applied to obtain the term , and rule DH-S1 is applied to obtain the term . At this point, role A holds the symmetric key established by both parties, and role B can obtain the term using similar steps. Roles A and B then exchange the third message using the shared key.
Similarly, we establish the operation rules of the Abelian group on an elliptic curve, assuming that P is a point on the elliptic curve E and that . P has the following properties:
We define addition and multiplication on elliptic curves as ecadd and ecmul, which are distinct from the add and mul defined above.
Definition 8 (ecadd, ecmul operation). One-way function ; ; denotes the addition operation of terms and of type point, and the term type obtained is point; represents multiplication operation of the term of type and the term of type point, and the term type obtained is point.
Similarly, the operation rules of the elliptic curve are established in Table 6.
3.3. Attacker Capability
In this section, we extend the attacker model using modularization, based on the classic Dolev-Yao model. The first subsection models a variety of attacks based on algebraic properties, including small-group attacks, Lim-Lee attacks, and others that need to be combined with group properties. The second subsection introduces the extension for the key-compromise impersonation (KCI) attack, which describes situations of specific information exposure. The third subsection considers the influence of guessing attacks on security protocols and formalizes the attack.
3.3.1. Attack Based on Algebraic Form
In this section, we describe algebraic attacks that are already known to exist, including subgroup attacks and Lim-Lee attacks, and show that an attacker can exploit algebraic properties in a specific environment to obtain secret information.
(1) Small-Group Attack. The small-group attack was first proposed by van Oorschot and Wiener . This type of attack takes advantage of the structural characteristics of a group to replace the key negotiated by both sides of the communication. The negotiated key can be obtained without affecting the normal communication between the two sides.
Suppose the Abelian group used in the protocol is and its order is a composite number. If is a small factor of , then has a subgroup , the multiplicative group whose generator has order , which contains only elements.
If the shared key negotiated by both parties lies in the subgroup , the attacker can recover the real key by exhaustive search once the two parties communicate using that key for encryption.
Considering simple DH as an example, the attack process is as follows:
(1) Role A initiates a DH key exchange with role B, generates a random number , and calculates the public key, .
(2) The attacker intercepts and calculates , which is sent to B.
(3) Role B receives message . Subsequently, random number is generated and the public key is calculated and sent to C. The negotiated key is calculated as .
(4) The attacker intercepts and calculates , which is sent to A.
(5) Role A receives message and calculates the key as .
(6) Roles A and B use as a session key for message passing; the attacker eavesdrops on the encrypted messages and guesses to verify the session key, .
Assuming that the order of the group used in the protocol is a composite number, the attacker can factor it to obtain . Then, for any message encrypted under the symmetric key, the attacker can obtain and the key by exhaustive computation over . We ignore the details of the exhaustive computation and assume that the attacker can factor the large integer n. We model the attacker's derivation relations in Table 7. For the DH operation relations, we extend the derivations of the previous section.
Rule SS-G means that the attacker maps the term on group into the subgroup through the -power modulo operation to obtain terms . Rule SS-V indicates that the attacker obtains the element in the subgroup by exhaustive verification, using the elements of the subgroup as the key for encryption. The type of term is not limited. For example, the key negotiated by both sides of the DH protocol under a small-group attack can be , in which case in the formula means .
(2) Lim-Lee Attack. After the discovery of small-group attacks, a preventive measure was to use the prime-order subgroup of . However, Lim and Lee found an attack against this prime-order group, in which the attacker obtains the private key of the responder role by actively participating in the protocol run.
Taking simple DH as an example, the attack process is as follows:
(1) Attacker C initiates a DH key exchange with role B, generates a random number, and calculates the public key, . Simultaneously, is generated; the order of is and it satisfies . C sends to role B.
(2) Role B receives the message . Subsequently, random number is generated, and the public key is calculated and sent to C. The negotiated key is .
(3) Attacker C receives and calculates , because is the only value available to the attacker for obtaining the correct partial information, , by verification.
(4) By trying corresponding to different , the attacker obtains equations with different moduli, and the complete information of can be recovered using the Chinese remainder theorem.
Assuming that the group used in the protocol is a prime group of order and that the attacker can participate in and initiate the protocol, we define a strand space model for the attacker to execute the Lim-Lee attack in Table 8.
Rule LL-G converts elements of the group into elements outside the subgroup, where the order of is and it satisfies . Rule LL-V obtains the information of by guessing and verification, ignoring the specific guessing process and assuming that the attacker's guessing ability can handle data of scale . Rule LL-C uses the Chinese remainder theorem to recover the complete information of from the collected samples. The attacker must use different of , run the intrusion for each, and obtain one term at a time; through the different , it assembles the complete information on y. We abstract this process and, to preserve the principle of the attack, express it as the term calculated from , so that the attacker only needs a single intrusion to obtain term .
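As an added example (not from the paper), the following Python snippet shows the defender-side check that blocks both the small-group and the Lim-Lee attack described above: a received public value is accepted only if it lies in the prime-order subgroup, so the negotiated key can never be confined to a small set of candidates. The toy parameters p = 31, q = 5, g = 2 are constructed for illustration.

```python
"""Public-value validation against subgroup confinement (example, not the paper's code)."""

# Constructed toy parameters: p - 1 = 30 = 2 * 3 * 5 is composite, and the
# protocol is meant to work in the subgroup of prime order q = 5 generated by g = 2.
P, Q, G = 31, 5, 2


def validate_public_value(y, p=P, q=Q):
    """Accept y only if 1 < y < p - 1 and y^q = 1 (mod p), i.e. y is in the order-q subgroup.

    A value of small order k outside the subgroup (the SS-G / LL-G term) fails
    the exponentiation test, so neither attack gets a key confined to k values.
    """
    if not 1 < y < p - 1:
        return False
    return pow(y, q, p) == 1


def element_order(y, p=P):
    """Multiplicative order of y modulo p (brute force; fine for toy sizes)."""
    k, acc = 1, y % p
    while acc != 1:
        acc = acc * y % p
        k += 1
    return k


def possible_keys(y, p=P):
    """Set of shared keys y^x mod p a party could derive from a received value y.

    Its size is the order of y: this is the candidate set an SS-V / LL-V style
    exhaustive verification would have to search.
    """
    return {pow(y, x, p) for x in range(1, p)}


def shared_key(received, own_secret, p=P, q=Q):
    """Responder step of DH with validation; returns None when the value is rejected."""
    if not validate_public_value(received, p, q):
        return None
    return pow(received, own_secret, p)


if __name__ == "__main__":
    honest = pow(G, 3, P)          # a legitimate public value g^x with x = 3
    confined = 25                  # constructed value of order 3, outside the q-subgroup
    for y in (honest, confined):
        print(f"y={y:2} order={element_order(y)} keys={len(possible_keys(y))} "
              f"accepted={validate_public_value(y)}")
    print("key with confined value:", shared_key(confined, 7))   # None: rejected
    print("key with honest value:  ", shared_key(honest, 7))
```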
3.3.2. KCI Attack
An attacker may break into a device to obtain its long-term private key or, in a protocol using a smart card, obtain the smart card of a legitimate principal, leading to a smart-card loss attack. We define this behaviour semantically and describe it as a KCI attack.
An attacker can obtain the long-term private key, the session key, or some communication state by compromising the agent or via cryptanalysis. We model this ability as a message, , which the attacker steals from the role strand. Information in the message that cannot otherwise be obtained directly thereby becomes derivable. The term can be symmetric or asymmetric, encrypted or hashed, or more complex. The attackable information must be included in the role strands, so the method applies to a range of secret-disclosure situations (e.g., a role's long-term private key, a session key, or a smart card). The corresponding disclosure rules must be generated alongside the specific protocol; here, only the framework of the attacker rules is given in Table 9.
Note that these rules must be implemented in combination with the role strands of a specific protocol. For details, refer to the KCI attack and impersonation attack on the MTI protocol in the next section, as well as the analysis of the three-factor authentication protocol. For a specific protocol, the disclosed terms can be specified.
3.3.3. Guessing Attack
Guessing attacks consist of two parts. First, an attacker intercepts a message related to the value to be guessed. Then, the attacker finds the correct value by traversing a dictionary. By default, the value to be guessed is a password. For the first part, the attacker must have a method of verifying a guess.
(i) Password as encryption key. If the attacker can obtain a message pair such as and , the attacker can generate by guessing and applying the encryption semantics, and verify that the generated key is correct by checking whether and agree.
(ii) Password contained in a hash. If the attacker can obtain and knows , the attacker can guess the password and construct the hash . The original hash value is compared with it to verify the guess.
In the second part, the success rate of guess attack depends on the complexity of the password set by the agent and the size of the dictionary used. Theoretically, if the password is in the dictionary, it can be successfully cracked. In the theoretical description of guessing attacks, the attacker has enough elements in the dictionary to carry out a guessing attack on any message that meets the requirements.
However, the situation in a real protocol may be more complex. For example, the password may be used as the key after one or more hashing steps, which can be regarded as repeated applications of the basic case. In short, the attacker can crack a weak password after obtaining a message that meets the guessing condition. The formal description of this ability is shown in Table 10.
As with the KCI attack, the attacker strand of a guessing attack must be defined in combination with a specific protocol. Rules GS-E and GS-H only give the general form of the guessing attack; the strands of the principals must be combined with them to customize the attacker's guessing capability.
4. Implementation and Experimental Results
We implemented support for ESSM and applied Scyther to test a set of protocols that use algebraic operations and an extended attack capability. In this section, we describe our implementation and experimental results.
We implemented the ESSM model using Scyther (version 1.1.3). Our implementation uses auxiliary rules as additional input, combined with the definition of the protocol body, to form a Security Protocol Description Language (SPDL) file as the input to Scyther's model checking. We expanded the original protocol with algebraic operations and attack capabilities, including (1) the running rules of the protocol body, (2) the added algebraic operation rules, (3) the added attacker rules, and (4) the definition of the security attributes to check. Additionally, Scyther options can be set, such as outputting proof procedures and limiting the number of processes considered.
Our implementation followed the ESSM construction described in Section 3 by precisely formalizing the algebraic properties and the attacker’s special attack ability.
Considering the XOR attribute as an example, the following describes the process of converting the atomic rule of the XOR operation into the auxiliary rule input of Scyther.
We used an auxiliary protocol to represent an algebraic operation or attack capability module. Under each auxiliary protocol, each role represents an atomic rule. Attackers call a combination of several rules in different auxiliary protocols to implement their attack behaviours. Specific auxiliary protocol input files should be established according to specific protocol interactions for some special attacks, such as key disclosure and guessing attacks.
Without these auxiliary protocols, the interaction of the protocol entities modelled in the original Scyther still works normally, but Scyther cannot find the problems in the protocol. Compared with the original protocol modelling, modelling and analysing the protocol with ESSM can find potential algebraic logic problems and special attack paths within the protocol.
4.2. Sample Protocol
We used extended strand space semantics to describe several protocols (e.g., three-factor authentication). We found known attack paths and revealed new ones.
Taking the three-factor authentication protocol proposed by Zhang et al.  as an example, two attack paths were successfully analysed using the extended algebraic property semantics and attacker capabilities. One was found by Mao et al. , and the other is a previously undiscovered attack path. The discovery of the two attack paths combined the XOR, key-compromise, and guessing-attack capability rules added to the ESSM.
4.2.1. Protocol Description
During the registration stage, the user sends protected identity information to the server, and the server stores it and issues a smart card for authentication. Note that communication in the registration phase takes place over a secure channel, so the attacker cannot obtain any information from the registration phase.
(1) User U selects identity and password and inputs biometric to the terminal. The terminal calculates and generates random number for calculating . User U sends the registration request message to server S.
(2) After receiving the registration request message from user U, server S uses the server's private key, , to calculate , generates random number , and calculates , , and . The server stores in the database and initializes to . The server writes to the smart card and gives it to user U.
(3) is calculated after receiving the smart card, and is written to it to complete registration.
The login authentication phase is described as follows:
(1) User U inputs the account , password , and biometric and inserts the smart card at the same time.
(2) User U generates a random number and calculates , , , and .
(3) , , and are calculated to send a login request to server S.
(4) The server performs dynamic verification by matching against the data in the database. For more details, please refer to the original article .
(5) Server S generates a random number , calculates , , and , and checks and . If the validation passes, the server computes and . Both are sent to user U.
(6) User U receives and calculates , verifying . After verification, the user calculates the session key, , and , and sends the authentication message, , to the server.
(7) The server receives and, after successful verification, accepts the session key ; it then sends a key confirmation message, , to the user.
(8) Server receives after validation. After successful verification, both parties establish a common session key, .
4.2.2. Strand Space Analysis of Protocol
This protocol uses the XOR operation. Mao's analysis of the protocol considered smart-card and guessing attacks, so we added the corresponding key-compromise and guessing-attack modules. The behaviours of the main protocol principals are described in Figure 4.
The terms are defined as follows: , , , , , , , , , , , , , , and .
In Mao's analysis, the attack on the user's ID and PW required the attacker to obtain the user's smart card, to know the user's biometrics, and to be able to mount guessing attacks. Using the key-compromise and guessing-attack framework defined in the previous section, combined with the principal behaviours of the protocol, we modelled the attacker's capabilities.
The attacker knows the user's biometrics and smart card. Biometrics first appear in the first node. The smart card is divided into two parts: can be obtained via the XOR of and in the first node, and the rest is sent to the user at the second node of the server strand. Therefore, we describe the attacker's key-compromise attack on the smart card and biometrics as Reveal:
(i) Reveal: .
Modelling guessing attacks requires consideration of the terms, including and . Term contains and . Furthermore, we need to obtain term to estimate . Because of term , the known terms and yield by rule XOR-D, which allows to be conjectured. Two effective guessing chains are obtained by exploring the possible guessing paths. For example, in the first guessing chain we provide a set of guess values, and , for and , respectively. Then, combined with term , and the conjecture can be obtained using . Unless we obtain the conjectured value of , we cannot determine by comparison whether the conjecture is successful.
Through the two guessing chains shown in Figure 5, the attacker's guessing-attack rules are stated as follows:
(1) GS-1: .
(2) GS-2: .
Combining the guessing rules with the key-disclosure rule, the attacker can guess the user's and . The process is as follows.
Path 1 (Figure 6)
(1) The attacker obtains and using the Reveal rule.
(2) The XOR-D rule is applied to obtain term .
(3) The F rule is applied to obtain term .
(4) According to the GS-1 rule, using , , and : is obtained by Reveal, by the XOR operation, and is eavesdropped from the normal protocol run. A guessing attack is then carried out to obtain the user's terms and .
Path 2 (Figure 7)
(1) The attacker obtains and using the Reveal rule.
(2) The XOR-D rule is applied to obtain term .
(3) is constructed from and .
(4) The XOR-D rule is applied to obtain term .
(5) The F rule is applied to obtain term .
(6) According to the GS-2 rule, using and obtained by Reveal, and obtained by the XOR operation, and from the normal protocol flow, a guessing attack is carried out to obtain the legitimate user's terms and .
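To make the Reveal, XOR-D, F and guessing rules above concrete, the following Python is an added illustration, not the paper's ESSM implementation or its Scyther models, of how a symbolic verifier decides whether a low-entropy term is exposed to an offline guessing attack. The terms C, K, PW, BIO and N, the toy smart-card layout, and the functions xor, h, derivable and guess_verifiable are all constructed assumptions for this example; the page's own protocol terms are not reproduced here.

```python
"""Symbolic intruder-knowledge closure with an XOR cancellation rule (XOR-D),
a one-way function rule (F), a Reveal set and a guess-verifiability check.

Added illustration, not the paper's ESSM or Scyther code. Every protocol term
below (C, K, PW, BIO, N) is constructed for this example.
"""
from typing import Any, Iterable, Set

Term = Any  # an atom is a str; compound terms are tuples tagged 'pair', 'h' or 'xor'

ZERO = ('xor', ())  # identity element of the XOR group


def xor(*terms: Term) -> Term:
    """Normalise an XOR sum: associative, commutative, x^x = 0, x^0 = x."""
    counts = {}
    for t in terms:
        parts = t[1] if isinstance(t, tuple) and t[0] == 'xor' else (t,)
        for p in parts:
            counts[p] = counts.get(p, 0) + 1
    parts = tuple(sorted((p for p, c in counts.items() if c % 2), key=repr))
    return parts[0] if len(parts) == 1 else ('xor', parts)


def h(*args: Term) -> Term:
    """One-way function application (rule F): constructible, never invertible."""
    return ('h',) + args


def pair(a: Term, b: Term) -> Term:
    return ('pair', a, b)


def saturate(known: Iterable[Term]) -> Set[Term]:
    """Decompose known pairs into their components (eavesdropped message fields)."""
    K = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(K):
            if isinstance(t, tuple) and t[0] == 'pair':
                for a in t[1:]:
                    if a not in K:
                        K.add(a)
                        changed = True
    return K


def _parts(t: Term):
    return t[1] if isinstance(t, tuple) and t[0] == 'xor' else (t,)


def derivable(t: Term, K: Set[Term], depth: int = 5) -> bool:
    """Bounded goal-directed check: can the intruder build t from knowledge K?"""
    if t in K:
        return True
    if depth == 0:
        return False
    if isinstance(t, tuple) and t[0] in ('pair', 'h'):
        return all(derivable(a, K, depth - 1) for a in t[1:])
    if isinstance(t, tuple) and t[0] == 'xor' and all(derivable(p, K, depth - 1) for p in t[1]):
        return True
    # XOR-D: t = u ^ (u ^ t) for any known XOR sum u sharing a summand with t
    for u in K:
        if isinstance(u, tuple) and u[0] == 'xor' and any(p in u[1] for p in _parts(t)):
            if derivable(xor(u, t), K, depth - 1):
                return True
    return False


def guess_verifiable(known: Iterable[Term], secret: Term, verifier: Term) -> bool:
    """Symbolic offline-guess test: `secret` is exposed when the eavesdropped
    `verifier` cannot be rebuilt from knowledge alone but can be rebuilt once a
    candidate for `secret` is added (wrong candidates are then rejected by comparison)."""
    base = saturate(known) - {verifier}
    return not derivable(verifier, base) and derivable(verifier, base | {secret})


# Constructed scenario with the same shape as Path 1 above (assumed layout).
CARD = xor('K', h('PW', 'BIO'))        # value stored on the smart card
LOGIN_MSG = pair('N', h('K', 'N'))     # nonce and keyed digest eavesdropped at login
REVEAL = {CARD, 'BIO'}                 # key compromise: lost card plus captured biometric
ATTACKER_KNOWLEDGE = REVEAL | {LOGIN_MSG}

if __name__ == '__main__':
    print(xor('a', 'b', 'a'))                                          # b
    print(guess_verifiable(ATTACKER_KNOWLEDGE, 'PW', h('K', 'N')))     # True
    print(guess_verifiable(ATTACKER_KNOWLEDGE - {'BIO'}, 'PW', h('K', 'N')))  # False
```

The last call shows why the biometric matters to the precondition stated above: without BIO in the Reveal set, the XOR-D step cannot recover K, so no verifier for PW exists and the analysis reports the guess as not checkable. A mitigation in this model is exactly that: ensure no eavesdropped term is computable from card contents plus a low-entropy secret alone.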
The first path was originally discovered by Mao; the second attack path is reported here for the first time, found through the semantics we added to ESSM.
We formally analysed six groups of protocols: the TMN protocol, MTI-C (1), MTI-A (0), and MTI-C (0) from the MTI protocol family, the WPA-PSK protocol of the 802.11i standard, and the three-factor authentication protocol proposed by Zhang.
We applied our method to a set of protocols that use algebraic operations or are subject to special attack scenarios. The results of running our implementation on Scyther v. 1.1.3 are presented in Table 11, which lists the analysis results using the original Scyther and using ESSM modelling, including the security attributes declared and the number of search states.
The Scyther model reproduces the protocol's message exchange and abstracts the server's storage-and-verification step. We then declare the confidentiality of ID and PW. By adding auxiliary protocols (Smartcard Lost, XOR operation, and Offline Password Guess), the two paths that violate the confidentiality requirements can be found automatically.
The experimental results show that, after adding the ESSM semantics, the model search explores richer paths, finds more attacks, and reproduces the protocol environment more realistically. The increase in search paths shows two facts.
(1) The semantic extension of ESSM is real and effective and has a measurable effect on many types of protocols.
(2) The contrast between the experimental results before and after the extension is very large, which to some extent leads to the state explosion problem. Current model-checking technology still has no effective solution to state explosion, especially for algebraic operations.
In this paper, we proposed the ESSM framework, which has a more complete semantic description than the original strand space model, covering the internal operations of protocol principals, algebraic operations, and the modelling of DY attacker capabilities. The proposed ESSM supports the transformation of algebraic operation rules at the symbol level and the extension of special attack capabilities. We added XOR and Abelian-group operations to the algebraic operation module, and added the description semantics of algebraic attacks, KCI attacks, and guessing attacks in special situations to the attacker module. The framework showed good extensibility: only the capability rules need to be added to the corresponding modules, after which the corresponding protocols can be modelled and analysed in the strand space. We used ESSM to model and analyse different types of protocols that rely on algebraic rules or have special attack problems. The original strand space model revealed no security or authentication problems in these protocols, whereas the ESSM model did. We also extended Scyther with the ESSM modelling and analysed several protocols automatically; the analysis showed that Scyther v. 1.1.3 found all of the problems in the protocols once they were modelled with ESSM. Moreover, we found a new guessing-attack path in Mao's three-factor authentication protocol.
We observed that, with the extension of the automation tool, the number of search paths for the protocols increased. On one hand, this reflects that our model considers the problems in a protocol more comprehensively and therefore has more paths to search. On the other hand, it exposes the state explosion problem of model-checking methods, especially when dealing with algebraic operations, which produce many useless queries in the state-space search. We will address this problem in future work.
The data used to support the findings of this study can be found at https://github.com/mmmxy555/ESSM.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
M. Barbosa, G. Barthe, K. Bhargavan et al., "SoK: computer-aided cryptography," in Proceedings of the 2021 IEEE Symposium on Security and Privacy (SP), pp. 777–795, IEEE, San Francisco, CA, USA, May 2021.
K. Hofer-Schmitz and B. Stojanović, "Towards formal verification of IoT protocols: a review," Computer Networks, vol. 174, no. 19, Article ID 10723, 2020.
D. Basin, J. Dreier, L. Hirschi, S. Radomirovic, and R. Sasse, "A formal analysis of 5G authentication," in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1383–1396, ACM, New York, NY, United States, Oct 2018.
C. Cremers and M. Dehnel-Wild, "Component-based formal analysis of 5G-AKA: channel assumptions and session confusion," in Proceedings of the Network and Distributed Systems (NDSS) Symposium, Germany, Jan 2019.
C. Cremers, M. Horvat, J. Hoyland, S. Scott, and T. V. D. Merwe, "A comprehensive symbolic analysis of TLS 1.3," in Proceedings of the ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 1773–1788, ACM, New York, NY, United States, Oct 2017.
B. Blanchet, "Composition theorems for CryptoVerif and application to TLS 1.3," in Proceedings of the 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pp. 16–30, IEEE, Oxford, UK, July 2018.
K. Cohn-Gordon, C. Cremers, B. Dowling, L. Garratt, and D. Stebila, "A formal security analysis of the Signal messaging protocol," Journal of Cryptology, vol. 33, no. 4, pp. 1914–1983, 2020.
T. Klenze, C. Sprenger, and D. Basin, "Formal verification of secure forwarding protocols," in Proceedings of the 2021 IEEE 34th Computer Security Foundations Symposium (CSF), pp. 1–16, IEEE, Dubrovnik, Croatia, June 2021.
C. Jacomme and S. Kremer, "An extensive formal analysis of multi-factor authentication protocols," ACM Transactions on Privacy and Security, vol. 24, no. 2, pp. 1–34, 2021.
V. Cheval, S. Kremer, and I. Rakotonirina, "DEEPSEC: deciding equivalence properties in security protocols theory and practice," in Proceedings of the 2018 IEEE Symposium on Security and Privacy (SP), pp. 529–546, IEEE, San Francisco, CA, USA, 2018.
J. Dreier, C. Duménil, S. Kremer, and R. Sasse, "Beyond subterm-convergent equational theories in automated verification of stateful protocols," Lecture Notes in Computer Science, vol. 10204, pp. 117–140, 2017.
D. Basin, S. Mödersheim, and L. Viganò, "OFMC: a symbolic model checker for security protocols," International Journal of Information Security, vol. 4, no. 3, pp. 181–208, 2005.
M. Turuani, "The CL-Atse protocol analyser," in Proceedings of the International Conference on Rewriting Techniques and Applications, pp. 277–286, Springer, Nancy, France, Aug 2006.
A. Armando, D. Basin, Y. Boichut et al., "The AVISPA tool for the automated validation of internet security protocols and applications," Computer Aided Verification, vol. 3576, pp. 281–285, 2005.
B. Blanchet, "Efficient cryptographic protocol verifier based on Prolog rules," in Proceedings of the 14th IEEE Computer Security Foundations Workshop (CSFW), pp. 82–96, IEEE, Cape Breton, NS, Canada, June 2001.
B. Schmidt, S. Meier, and C. Cremers, "Automated analysis of Diffie-Hellman protocols and advanced security properties," in Proceedings of the 2012 IEEE 25th Computer Security Foundations Symposium (CSF), pp. 78–94, IEEE, Cambridge, MA, USA, June 2012.
C. Cremers and D. Jackson, "Prime, order please! Revisiting small subgroup and invalid curve attacks on protocols using Diffie-Hellman," in Proceedings of the 2019 IEEE 32nd Computer Security Foundations Symposium (CSF), pp. 78–93, IEEE, Hoboken, NJ, USA, June 2019.
J. Dreier, L. Hirschi, S. Radomirovic, and R. Sasse, "Automated unbounded verification of stateful cryptographic protocols with exclusive OR," in Proceedings of the 2018 IEEE 31st Computer Security Foundations Symposium (CSF), pp. 359–373, IEEE, Oxford, UK, July 2018.
C. Cremers, "The Scyther Tool: verification, falsification, and analysis of security protocols," in Proceedings of the International Conference on Computer Aided Verification (CAV), pp. 414–418, 2008.
C. Cremers, "Unbounded verification, falsification, and characterization of security protocols by pattern refinement," in Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS), pp. 119–128, ACM, New York, NY, United States, 2008.
C. Cremers, "Key exchange in IPsec revisited: formal analysis of IKEv1 and IKEv2," Computer Security - ESORICS 2011, vol. 6879, pp. 315–334, 2011.
F. J. T. Fabrega, J. C. Herzog, and J. D. Guttman, "Strand spaces: why is a security protocol correct?," in Proceedings of the 1998 IEEE Symposium on Security and Privacy (SP), pp. 160–171, IEEE, Oakland, CA, USA, May 1998.
D. Dolev and A. Yao, "On the security of public key protocols," IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 198–208, 1983.
D. X. Song, "Athena: a new efficient automatic checker for security protocol analysis," in Proceedings of the 12th IEEE Computer Security Foundations Workshop, pp. 192–202, IEEE, Mordano, Italy, June 1999.
S. Escobar, C. Meadows, and J. Meseguer, "Maude-NPA: cryptographic protocol analysis modulo equational properties," Foundations of Security Analysis and Design V, vol. 5705, pp. 1–50, 2009.
S. F. Doghmi, J. D. Guttman, and F. J. Thayer, "Searching for shapes in cryptographic protocols," in Proceedings of the International Conference on Tools and Algorithms for the Construction and Analysis of Systems, pp. 523–537, Springer, 2007.
F. Yang, S. Escobar, C. Meadows, J. Meseguer, and S. Santiago, "Strand spaces with choice via process algebra semantics," in Proceedings of the 18th International Symposium on Principles and Practice of Declarative Programming, pp. 76–89, ACM, New York, NY, United States, 2016.
D. Basin and C. Cremers, "Know ye," ACM Transactions on Information and System Security, vol. 17, no. 2, pp. 1–31, 2014.
X. W. Dong and W. S. Niu, "Improvement of anonymity formalization based on strand space model," Journal on Communications, vol. 32, no. 6, Article ID 124, 2011.
P. C. van Oorschot and M. J. Wiener, "On Diffie-Hellman key agreement with short exponents," Advances in Cryptology - EUROCRYPT '96, vol. 1070, pp. 332–343, 1996.
C. H. Lim and P. J. Lee, "A key recovery attack on discrete log-based schemes using a prime order subgroup," Advances in Cryptology - CRYPTO '97, vol. 1294, pp. 249–263, 1997.
L. Zhang, Y. Zhang, S. Tang, and H. Luo, "Privacy protection for e-health systems by means of dynamic authentication and three-factor key agreement," IEEE Transactions on Industrial Electronics, vol. 65, no. 3, pp. 2795–2805, 2017.
D. Mao, H. Liu, and W. Zhang, "An enhanced three-factor authentication scheme with dynamic verification for medical multimedia information systems," IEEE Access, vol. 7, pp. 167683–167695, 2019.
M. Tatebayashi, N. Matsuzaki, and D. B. Newman, "Key distribution protocol for digital mobile communication systems," in Proceedings of the Conference on the Theory and Application of Cryptology, pp. 324–334, Springer, Berlin, Heidelberg, July 1989.
T. Matsumoto, Y. Takashima, and H. Imai, "On seeking smart public-key-distribution systems," IEICE Transactions, vol. 69, no. 2, pp. 99–106, 1986.
H. I. Bulbul, I. Batmaz, and M. Ozel, "Wireless network security: comparison of WEP (wired equivalent privacy) mechanism, WPA (wi-fi protected access) and RSN (robust security network) security protocols," in Proceedings of the 1st International Conference on Forensic Applications and Techniques in Telecommunications, Information, and Multimedia and Workshop, pp. 1–6, ICST, Brussels, Belgium, Jan 2008.