Professional Documents
Culture Documents
Abstract—Authentication protocols are the basis of security in and the state space analysis, an attack is found which the same
networks. Therefore, it is essential to ensure that these protocols as the one found by Gavin Lowe [12].
correctly. However, it is difficult to design authentication The paper is organized as follows. Section 2 presents the
protocols that are immune to malicious attack, since good Andrew secure RPC protocol and its fixes [9, 10, 12, 13]. In
analysis techniques are lacking. In this paper, combining some
Section 3, a CP-Net for the Andrew secure RPC protocol fixed
analysis methods currently for analysis of security protocols
based on Petri Nets methods together, a Colored Petri Net for the in [10] is introduced. Then, an intruder model is developed
Andrew secure RPC protocol fixed in [10] has been presented. and integrated into the protocol model. In Section 4, model
And then an intruder model is developed and integrated into the checking is performed in CPN Tools. After model checking
protocol model. Model checking is performed in CPN Tools. In and the state space analysis, an attack is found. Finally, we
the model checking, two methods are used. After model checking conclude the work and suggest future research in Section 5.
and the state space analysis, an attack is found.
II. ANDREW SECURE RPC PROTOCOL
Keywords- authentication protocols; Colored Petri Net; Andrew
In [9], the Andrew secure RPC protocol is introduced. It
secure RPC protocol; protocol analysis
allows two agents, who already share a key K AB , to agree upon
'
I. INTRODUCTION a new session key K AB , and to perform an authentication
With the rapid growth of network applications, network handshake.
security has become an important issue, and authentication The Andrew secure RPC protocol is as follows:
protocols are the basis of security in networks. Therefore, it is 1. A → B : A,{N a }Kab
essential to ensure these protocols correctly. Unfortunately, it 2. B → A :{N a + 1, N b }Kab
is difficult to design a robustness and effective security
protocol for networks. Not only because of the characteristics 3. A → B :{Nb + 1}K ab
of networks, but also because good analysis techniques are 4. B → A :{K ab' , N b' }K ab
lacking.
Colored Petri Nets (CP-Nets) [1] which belongs to the Here, principal A is a client and principal B is a
high level Petri Nets have already proven suitable as a server. N a and N b are nonces. N b' is an initial sequence number
modeling technique for analysis of security protocols [2]-[7]. which will increase monotonically to be used in subsequent
Ruilong Wu presents a new checking security protocol method communication. The first message transfers a nonce, which B
based on CP-Nets [8]. In this method, a general intruder model returns in the second message. If A is satisfied with the reply,
is given and CPN Tools is used. To verify the method, two it returns B’nonce. After B receives and checks the third
authentication protocols using asymmetric keys are analyzed. message, it sends a new session key to A.
However, more protocols need to be analyzed to prove the In [10], this protocol is analyzed using BAN logic, and a
universality of the method. But also, when a general intruder weakness is exposed. Further, a correction to the Andrew
model is given, the state space explosion problem may follow. secure RPC protocol was suggested:
In this paper, we introduce a CP-Net for the Andrew 1. A → B : A, N a
secure RPC protocol [9] using symmetric keys fixed in [10]. '
Then, an intruder model is developed and integrated into the 2. B → A :{N a , K ab }Kab
protocol model. Model checking is performed in CPN Tools 3. A → B :{N a }K ′
ab
[11]. In the model checking, two methods are used. One
exploits the provided state space exploration functions and 4. B → A : N b'
another is simulation implementation. After model checking
n1 (p(i),p(j),n1,(2,k(i),k(j)),(1,k(i),k(j))) (p(i),p(j),n1,(2,k(i),k(j)),(1,k(i),k(j)))
(p(i),p(j),n1,(2,k(i),k(j)),(1,k(i),k(j)),no)
(p(i),p(j),n1) (p(i),p(j),n1) (p(i),p(j),n1,(2,k(i),k(j)),(1,k(i),k(j)))
PROC.all() (p(i),p(j),n1,(2,k(i),k(j)),(1,k(i),k(j)))
no+1 1
(p(i),p(j)) (p(i),p(j)) (p(i),p(j)) (p(i),p(j)) (p(i),p(j)) (p(i),p(j)) (p(i),p(j))
Proc2_1 Rec1 Proc2_2 Sent2 Proc2_3 Rec3 Proc2_4 Sent4 NextNO
no
PROC PROC PROC PROC INT
(p(i),p(j),n1,(2,k(i),k(j)),(1,k(i),k(j))) (p(i),p(j),n1,(2,k(i),k(j)),(1,k(i),k(j)))
(p(i),p(j),n1) (p(i),p(j),n1,(ln,k(i),k(j))) (1,k(i),k(j))
(p(i),p(j),n1,(2,k(i),k(j)),(1,k(i),k(j)))(p(i),p(j),n1,(2,k(i),k(j)),(1,k(i),k(j)))
(p(i),p(j),n1,(2,k(i),k(j)),(1,k(i),k(j)),no)
Run2_12 K2 Run2_2 Run2_3
RUN2 INT_KK RUN3 RUN3
(p(i),p(j),n1,(2,k(i),k(j))) 1`(1,k(1),k(2))++
(2,k(i),k(j))
(p(i),p(j),n1) 1`(1,k(2),k(1))
2
2
Run2_11 NewK NextKNO Run2_4
RUN1 INT RUN4
1`n(1)
N1 Run1_1 Run1_2 Run1_3 Run1_4
N RUN1 RUN3 RUN3
RUN4
n1 ((p(i),p(j)),n1,(2,k(i),k(j)),(1,k(i),k(j))) ((p(i),p(j)),n1,(2,k(i),k(j)),(1,k(i),k(j)))
((p(i),p(j)),n1) ((p(i),p(j)),n1)
((p(i),p(j)),n1,(2,k(i),k(j)),(1,k(i),k(j))) ((p(i),p(j)),n1,(2,k(i),k(j)),(1,k(i),k(j)))
PROC.all() ((p(i),p(j)),n1,(2,k(i),k(j)),(1,k(i),k(j)),no)
Store1 M2 Store3 M4
Store1 M2 Store3 M4
MSG1 MSG2 MSG3 MSG4
Fig.3 CP-Net model of the Andrew secure RPC protocol (with an intruder)
M1 Store2 MSG2 M3 Store4 MSG4
M1 Store2 M3 Store4
MSG1 MSG3
((p(i),p(j)),(n1,(2,k(i),k(j)),(1,k(i),k(j)))) ((p(i),p(j)),no)
((p(i),p(j)),n1) ((p(i),p(j)),(n1,(2,k(i),k(j)))) (p(i),p(j))
PROC.all()
no+1 1
(p(i),p(j)) (p(i),p(j)) (p(i),p(j)) (p(i),p(j)) (p(i),p(j)) (p(i),p(j)) (p(i),p(j))
Proc2_1 Rec1 Proc2_2 Sent2 Proc2_3 Rec3 Proc2_4 Sent4 NextNO
PROC
PROC no
PROC PROC INT
((p(i),p(j)),n1,(ln,k(i),k(j))) ((p(i),p(j)),n1,(2,k(i),k(j)),(1,k(i),k(j)))
(1,k(i),k(j)) ((p(i),p(j)),n1,(2,k(i),k(j)),(1,k(i),k(j)))
((p(i),p(j)),n1)
Run2_12 K2 Run2_2 ((p(i),p(j)),n1,(2,k(i),k(j)),(1,k(i),k(j)))
RUN2 INT_KK RUN3 ((p(i),p(j)),n1,(2,k(i),k(j)),(1,k(i),k(j)))
((p(i),p(j)),n1,(2,k(i),k(j))) 1`(1,k(1),k(2))++
1`(1,k(2),k(1))++ ((p(i),p(j)),n1,(2,k(i),k(j)),(1,k(i),k(j)),no)
((p(i),p(j)),n1) (2,k(i),k(j))
2 1`(1,k(1),k(3))++
2 1`(1,k(3),k(1))++
Run2_11 NewK NextKNO 1`(1,k(2),k(3))++ Run2_3 Run2_4
RUN4
1`(1,k(3),k(2))
RUN1 INT RUN3
C. CP-Net Model of an Intruder Model of the Andrew A. State Space Analysis of the Andrew Secure RPC
Secure RPC Protocol Protocol CP-Net Model
Following the intruder model of Dolev and Yao [14], the To analyze the desired properties of the Andrew secure
intruder has to be modeled with the highest imaginable RPC protocol, we firstly check the state space standard report
strength so that all possible attacks on the protocol can be generated by CPN Tools. The report shows that a full state
identified. Considering the public channel, the intruder has full space with 19 nodes and 18 arcs is generated. We also found 2
control over it. According to the model, he can then carry out dead markings in the state space, which are nodes18, 19. We
the following actions: can use the state space exploration functions shown in Fig. 5
1. Tapping and storage of all messages exchanged via the to know the tokens in the places Run1_4 and Run2_4 of node
public channel. 18. From Fig. 5 we can know that the Initiator is p(1) and the
2. Forwarding, rerouting and blocking of messages. Responder is p(2) in this implementation of the protocol. In
3. Generation of forged messages using tapped, randomly addition, p(1) and p(2) have the same believes. There is a
generated and obsolete data and encryption techniques. similar result to node 19.
4. Decryption of cryptographs if the intruder has a
matching key
5. The intruder has the ability of a normal principal, so, he
can take part in the protocol.
Fig. 4 illustrates an intruder between Initiator and
Responder. We observe that the intruder can modify and
replay the outgoing messages from the Initiator to the
Responder and vice versa.
We study the case of man-in-middle attack, although Fig.5 Function Mark and the result 1
different attack models can be applied to the Andrew secure
B. State Space Analysis of CP-Net Model of the Andrew
RPC protocol.
Secure RPC Protocol Integrated into an Intruder Model
((p(j),p(i)),(n1,(2,k(j),k(i)),(1,k(j),k(i)))) In the same way, we firstly check the state space standard
report of CP-Net model integrated into an intruder model. The
Store1 Replay2 M2 report shows that a full state space with 79 nodes and 78 arcs
Store1 M2
MSG1 MSG2 is generated. We also found 6 dead markings in the state
((p(i),p(j)),n1) space. However, the report does not give the all dead
markings. Thus, the function ListDeadMarkings( ) is used, and
((p(i),p(j)),(n1,(2,k(i),k(j)),(1,k(i),k(j))))
((p(j),p(i)),n1) the result is shown in Fig. 6.
Replay1 M1 Store2 MSG2
M1 Store2
MSG1
((p(j),p(i)),no)
Store3 Replay4 M4
Store3 M4 Fig.6. Dead markings for the described CP-net
MSG3 MSG4
((p(i),p(j)),(n1,(2,k(i),k(j))))
((p(j),p(i)),(n1,(2,k(j),k(i))))
((p(i),p(j)),no) Additionally, we use the state space exploration functions
shown in Fig. 7 to know the tokens in the places Run1_4 and
Replay3 M3 Store4 MSG4 Run2_4 of node 79. From Fig. 7, we can see that p(1) and p(2)
M3
MSG3
Store4 do not have the same believes.