Automatic Methods for Analyzing Non-Repudiation Protocols with an Active Intruder


📝 Original Info

  • Title: Automatic Methods for Analyzing Non-Repudiation Protocols with an Active Intruder
  • ArXiv ID: 0710.3305
  • Date: 2007-10-22
  • Authors: ** Not provided (the source text does not state author information) **

📝 Abstract

Non-repudiation protocols have an important role in many areas where secured transactions with proofs of participation are necessary. Formal methods are clever and without error, therefore using them for verifying such protocols is crucial. To this end, we show how to partially represent non-repudiation as a combination of authentications on the Fair Zhou-Gollmann protocol. After discussing its limits, we define a new method based on the handling of the knowledge of protocol participants. This method is very general and is of natural use, as it consists in adding simple annotations, like for authentication problems. The method is very easy to implement in tools able to handle participants' knowledge. We have implemented it in the AVISPA Tool and analyzed the optimistic Cederquist-Corin-Dashti protocol, discovering two unknown attacks. This extension of the AVISPA Tool for handling non-repudiation opens a highway to the specification of many other properties, without any more change in the tool itself.

📄 Full Content

Considering security protocols, the study of properties such as authentication and secrecy has been intensive for years [16], but interest in other properties such as non-repudiation and fairness was raised only in the 1990s with the explosion of Internet services and electronic transactions. Non-repudiation protocols are designed for verifying that, when two parties exchange information over a network, neither one nor the other can deny having participated in this communication. Such a protocol must therefore generate evidence of participation to be used in case of a dispute. The basic tools for non-repudiation services have been digital signatures and public key cryptography. Indeed, when one receives a signed message, he has evidence of the participation and the identity of his party [8].

The majority of the non-repudiation property analysis efforts in the literature are manually driven though. One of the first efforts to apply formal methods to the verification of non-repudiation protocols was presented by Zhou et al. in [24], where they used SVO logic. In [18] Schneider used process algebra CSP to prove the correctness of a non-repudiation protocol, the well-known Fair Zhou-Gollmann protocol. With the same goal, Bella et al. have used the theorem prover Isabelle [3]. Schneider used a rank function for encoding that in an execution trace, an event happens before another event. The verification is done by analyzing traces in the stable failures models of CSP.

Among the automatic analysis attempts, we can cite Shmatikov and Mitchell [19] who have used Murϕ, a finite state model-checker, to analyze a fair exchange and two contract signing protocols, Kremer and Raskin [9] who have used a game based model, Armando et al. [2] who used LTL for encoding resilient channels in particular, the very nice work of Gürgens and Rudolph [5] who have used the asynchronous product automata (APA) and the simple homomorphism verification tool (SHVT) [13], raising flaws in three variants of the Fair Zhou-Gollmann protocol and in two fair non-repudiation protocols [7,22]. Wei and Heather [20] have used FDR, with an approach similar to Schneider, for a variant of the Fair Zhou-Gollmann protocol with timestamps.

The common point between all those works is that they use rich logics, with a classical bad consequence for model checkers: the difficulty of considering large protocols. To avoid this problem, Wei and Heather [21] used PVS [15], but some of the proofs are still manual.

Fairness is more difficult to achieve: no party should be able to reach a point where he has the evidence or the message he requires without the other party also having his required evidence. Fairness is not always required for non-repudiation protocols, but it is usually desirable. A variety of protocols has been proposed in the literature to solve the problem of fair message exchange with non-repudiation. The first solutions were based on a gradual exchange of the expected information [8]. However this simultaneous secret exchange is troublesome for actual implementations because fairness is based on the assumption of equal computational power on both parties, which is very unlikely in a real world scenario. A possible solution to this problem is the use of a trusted third party (TTP), and in fact it has been shown that it is impossible to achieve fair exchange without a TTP [14,12]. The TTP can be used as a delivery agent to provide simultaneous sharing of evidence. The Fair Zhou-Gollmann protocol [23] is a well known example using a TTP as a delivery agent; a significant amount of work has been done over this protocol and its derivations [3,6,18,24].

However, instead of passing the complete message through the TTP and thus creating a possible bottleneck, recent evolution of protocols resulted in efficient, optimistic versions, in which the TTP is only involved in case anything goes wrong. Resolve and abort sub-protocols must guarantee that every party can complete the protocol in a fair manner and without waiting for actions of the other party. One of these recent protocols is the optimistic Cederquist-Corin-Dashti (CCD) non-repudiation protocol [4]. The CCD protocol has the advantage of not using session labels, unlike many others in the literature [8,11,23,18]. A session label typically consists of a hash of all message components. Gürgens et al. [6] have shown a number of vulnerabilities associated with the use of session labels and, to our knowledge, the CCD protocol is the only optimistic non-repudiation protocol that avoids altogether the use of session labels.
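The fairness requirement above can be checked mechanically on a small knowledge model. The following Python sketch is an added example, not code from the paper or from the AVISPA Tool: it enumerates every point at which one party stops sending and tests whether that party holds its evidence while the other does not. The step lists are a simplified rendering of a TTP-as-delivery-agent exchange (evidence names NRO, NRR, sub_K, con_K as usually given for Zhou-Gollmann, session labels omitted) and a constructed variant without a TTP; only early stopping is modelled, not a full active intruder.

```python
# Simplified model (an assumption of this example): a step is
# (sender, receiver, needs, gives); an honest sender fires a step only once it
# holds `needs`, a cheater simply stops sending from some step onward.
FZG = {  # TTP used as delivery agent, in the style of Fair Zhou-Gollmann
    "steps": [
        ("A", "B", set(), {"C", "NRO"}),            # ciphertext + origin evidence
        ("B", "A", {"C", "NRO"}, {"NRR"}),          # receipt evidence
        ("A", "TTP", {"NRR"}, {"K", "sub_K"}),      # key submitted to the TTP
        ("TTP", "B", {"K", "sub_K"}, {"K", "con_K"}),
        ("TTP", "A", {"K", "sub_K"}, {"con_K"}),
    ],
    "goal": {"A": {"NRR", "con_K"}, "B": {"C", "K", "NRO", "con_K"}},
}
NAIVE = {  # constructed counter-example: same exchange without a TTP
    "steps": [
        ("A", "B", set(), {"C", "NRO"}),
        ("B", "A", {"C", "NRO"}, {"NRR"}),
        ("A", "B", {"NRR"}, {"K", "NRO_K"}),
        ("B", "A", {"K", "NRO_K"}, {"NRR_K"}),
    ],
    "goal": {"A": {"NRR", "NRR_K"}, "B": {"C", "K", "NRO", "NRO_K"}},
}

def run(protocol, cheater=None, stop_at=0):
    """Return each party's knowledge after a run in which `cheater`
    sends nothing from step index `stop_at` onward."""
    know = {"A": set(), "B": set(), "TTP": set()}
    for i, (sender, receiver, needs, gives) in enumerate(protocol["steps"]):
        if sender == cheater and i >= stop_at:
            continue                      # cheater withholds this message
        if needs <= know[sender]:         # sender has what triggers the step
            know[receiver] |= gives
    return know

def unfair_runs(protocol):
    """List (cheater, stop_at) pairs where the cheater reaches its goal
    but the honest party does not."""
    found = []
    for cheater, honest in (("A", "B"), ("B", "A")):
        for stop_at in range(len(protocol["steps"]) + 1):
            know = run(protocol, cheater, stop_at)
            if (protocol["goal"][cheater] <= know[cheater]
                    and not protocol["goal"][honest] <= know[honest]):
                found.append((cheater, stop_at))
    return found

if __name__ == "__main__":
    print("TTP delivery:", unfair_runs(FZG))
    print("no TTP:     ", unfair_runs(NAIVE))
```

In the variant without a TTP, B can withhold the final receipt after obtaining the key, which is the asymmetry the delivery agent removes.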

This paper presents a method for automatically verifying non-repudiation protocols in the presence of an active intruder. Our method has been implemented in the AVISPA Tool [1] and we illustrate it with examples. This tool, intensively used for defining Internet security protocols and automatically analyzing their authentication and secrecy properties, did not pr

Reference

This content is AI-processed based on open access ArXiv data.
