Vulnerabilities and Verification of Cryptographic Protocols and Their Future in Wireless Body Area Networks
Junaid Chaudhry (1), Uvais A. Qidwai (1), Robert G. Rittenhouse (2), Malrey Lee (3)
(1) Department of Computer Science and Engineering, Qatar University, Doha, Qatar.
(2) Department of Information Technology, Keimyung University, Daegu, South Korea.
(3) School of Electronics & Information Engineering, Chonbuk National University, JeonJu, South Korea
[junaid, uqidwai]@qu.edu.qa, [email protected]
Abstract: In network security, goals such as confidentiality, authentication, integrity and non-repudiation can be achieved using cryptographic techniques, that is, techniques to hide information from unauthorized persons. However, even when strong cryptographic algorithms and protocols are applied, the security of communication systems cannot be guaranteed [1]. Since cryptographic protocols can contain several types of flaws and vulnerabilities that attackers can exploit, cryptographic verification is needed to detect all possible flaws and attacks against them. In Wireless Body Area Networks (WBANs), cryptographic implementation comes at the expense of performance and power conservation, making the engineering of security protocols suitable for low-powered networks a challenging task. This paper discusses the possible flaws and attacks on cryptographic protocols, verification methods to detect these flaws, and the implementation of these protocols in WBANs.
Index Terms: Cryptographic protocol, cryptographic verification, attacks on cryptographic protocols, cryptographic protocol flaws, WBAN security
I. INTRODUCTION
Cryptography is a method of storing and transmitting data
in a form that only those it is intended for can read and
process. The method used is to encode the information in a
document into a format unreadable by outsiders in order to
protect it. As information is usually stored or transmitted
through network communication paths, cryptography is an
effective way of protecting it. In a Wireless Body Area
Network (WBAN), the discussion leads us to question
whether we need to encrypt the data. The amount of extra
power required in order to encrypt data is critical. Moreover,
most WBAN based healthcare applications are confined to
monitoring only rather than treatment which reduces the
attractiveness of the data to others and WBANs use low
power signals that are difficult to intercept at any distance.
In addition, a WBAN may include many body area sensors
and the frequency of data transmission makes it impractical
to encrypt raw data at the leaf node level.
The word cryptography originated from Greek words meaning secret and writing [2]. Thus, cryptography can be defined as the science of secret writing. In addition, according to [3], cryptography can also be defined as the study of mathematical techniques related to aspects of information security such as confidentiality, data integrity, entity authentication and data origin authentication. It is concerned with developing algorithms that might be used to conceal messages or information which need to be sent from third parties, in order to ensure the confidentiality of the message or information. Furthermore, cryptography is used by the receiver to verify the authenticity of a message and to ensure the integrity of the message or information. For authentication, cryptography can also be used to authenticate the sender.
The main goal of cryptography is to hide information
from unauthorized individuals. Generally, this can be done
by encrypting the information that needs to be sent. The
encryption algorithm transforms a message or information
into unreadable text, termed ciphertext, using an encryption
key. The decryption algorithm transforms the ciphertext
back to the readable original text, called plaintext, using the
appropriate decryption key.
Cryptographic protocols often go wrong as even experts
can and do miss bugs. Thus, it is necessary to verify these
protocols to measure their confidentiality. It is possible to
break most cryptography algorithms and the information can
be revealed by attackers especially if they have enough time,
desire and resources. Therefore, a security engineer needs to
know how strong the cryptographic algorithm is in ensuring
confidentiality. Cryptography verification is a method used
to compare the cryptographic algorithms and measure their
confidentiality.
In the case of WBANs, since they primarily monitor patient status, are very limited in available power and contain many low-power devices, perhaps it would be wise to choose which packets to encrypt rather than encrypting all data packets. Despite the questionable need for encryption techniques in WBANs and challenges like high computational cost, dynamic secret key sharing, non-pre-configurability of secret keys, storage of secret keys, assignment of a trusted entity in/around the WBAN for key storage, periodic renewability of keys, and unawareness on …, we cannot deny the partial application of cryptographic techniques or at least the development of very lightweight protocols.
978-1-4673-4451-7/12/$31.00 ©2012 IEEE
This paper is organized as follows: we discuss different
classes of cryptographic protocols and their flaws. We
discuss techniques for cryptographic protocol verification.
We compare cryptographic protocols and present a case
study of our work in WBANs. We conclude the paper and
discuss the outcomes of our research.
II. CRYPTOGRAPHIC PROTOCOLS
A cryptographic protocol is defined as a series of steps
and message exchanges between multiple entities in order to
achieve a specific security objective [4]. According to [5],
cryptographic protocols are sequences of messages that use
cryptography to allow two or more entities to authenticate
each other, agree on new shared secrets and communicate
information. To be secure, information needs to be hidden
from unauthorized access (confidentiality), protected from
unauthorized change (integrity), and available to an
authorized entity when it is needed (availability) [3].
A cryptographic protocol is a precisely defined sequence
of communication and computation steps using
cryptographic mechanisms, with the aim of ensuring the
security of the transaction and communication in network or
distributed systems [22]. Cryptographic protocols aim to
ensure some security properties even when communication
channels are not secure [6]. Usually the protocols rely on cryptographic primitives. We should not simply assume that perfect cryptographic primitives guarantee that the security goals are achieved: even if the cryptographic primitives are assumed to be perfect, the security goals may occasionally not be achieved. This is because the protocols themselves may have weaknesses which can be exploited by attackers, and also because of implementation issues.
Moreover, according to [7], cryptographic protocols are needed because of the fast expansion of the internet, but it is well known that designing such protocols is difficult and error-prone. That justifies the study and application of cryptographic verification to cryptographic protocols.
III. FLAWS IN CRYPTOGRAPHIC PROTOCOLS
According to [8] a protocol flaw is an undesired property
of the protocol and represents an intrinsic feature of the
conceptual structure of the protocol itself. Usually, flaws
might arise at any phase of protocol development and they
can occur because of incomplete or erroneous specifications.
According to [9], there are three categories of
cryptographic protocol flaws as shown in Table 1 below:
TABLE 1: CATEGORIES OF CRYPTOGRAPHIC FLAWS
Functional specification flaws: The correctness of the specification is affected by these flaws. They can be considered high-level or functional deficiencies in the design of a protocol.
Implementation-dependent flaws: These flaws are due to an incomplete specification, which can lead to different implementations.
Implementation flaws: A complete and correct specification is incorrectly implemented.
IV. ATTACK STRATEGIES ON CRYPTOGRAPHIC
PROTOCOLS
An attack is a sequence of actions that exploits flaws in order to succeed [8]. To attack a cryptographic protocol, attackers can exploit different protocols, sessions and messages. Several kinds of attacks on protocols are listed in [10] as follows:
Known-key attack: Some keys used previously are archived by attackers and used in some malicious manner.
Replay: Messages are recorded by an attacker and replayed at a later time.
Impersonation: Attackers try to assume the identity of one of the legitimate parties in a network.
Man-in-the-Middle: The attacker inserts himself in the middle of a conversation or communication and pretends to each participant to be the other in order to gain access to the information.
Interleaving attack: Bogus messages are injected by an attacker into a running protocol to disrupt, damage or subvert it.
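As an added illustration of the replay attack listed above and of the freshness check that detects it (example code written for this page, not code from the paper or from any tool it cites), the following Python compares a responder that authenticates messages with a shared-key MAC alone against one that first issues a fresh nonce and accepts each nonce exactly once. The shared key, the ECG-style payload and the message layout are constructed assumptions of the example.

```python
import hashlib
import hmac
import os

# Constructed sample key for this demonstration (not a value from the paper).
SHARED_KEY = b"constructed-demo-key"


def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


class NaiveResponder:
    """Checks only a MAC over the payload: a recorded message replays cleanly."""

    def __init__(self, key):
        self.key = key
        self.accepted = []

    def receive(self, payload, tag):
        if hmac.compare_digest(tag, mac(self.key, payload)):
            self.accepted.append(payload)
            return True
        return False


class NonceResponder:
    """Issues a fresh nonce per exchange and consumes it on first valid use."""

    def __init__(self, key):
        self.key = key
        self.outstanding = set()   # nonces issued but not yet used
        self.accepted = []

    def challenge(self):
        nonce = os.urandom(16)
        self.outstanding.add(nonce)
        return nonce

    def receive(self, nonce, payload, tag):
        if nonce not in self.outstanding:
            return False           # never issued, or already consumed: replay
        if not hmac.compare_digest(tag, mac(self.key, nonce, payload)):
            return False           # forged or tampered message
        self.outstanding.discard(nonce)   # one-shot: a second copy is rejected
        self.accepted.append(payload)
        return True


PAYLOAD = b"ECG sample 17: 0.42 mV"   # constructed sensor reading


def demo_naive():
    """Returns (first accepted, replay accepted, number of accepted messages)."""
    b = NaiveResponder(SHARED_KEY)
    tag = mac(SHARED_KEY, PAYLOAD)
    first = b.receive(PAYLOAD, tag)
    replay = b.receive(PAYLOAD, tag)        # same bytes resent by a recorder
    return first, replay, len(b.accepted)


def demo_nonce():
    """Returns (first accepted, replay accepted, tampered accepted, count)."""
    b = NonceResponder(SHARED_KEY)
    nonce = b.challenge()
    tag = mac(SHARED_KEY, nonce, PAYLOAD)
    first = b.receive(nonce, PAYLOAD, tag)
    replay = b.receive(nonce, PAYLOAD, tag)                   # nonce consumed
    tampered = b.receive(b.challenge(), PAYLOAD + b"!", tag)  # MAC mismatch
    return first, replay, tampered, len(b.accepted)


if __name__ == "__main__":
    print("MAC only      :", demo_naive())   # (True, True, 2)
    print("nonce + MAC   :", demo_nonce())   # (True, False, False, 1)
```

The nonce binds each message to one exchange, which is what defeats replay and the reuse of a message across interleaved sessions; on a low-power WBAN node the `outstanding` set would need an expiry or a bounded window, since it otherwise grows with every challenge that never receives a reply.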
V. CRYPTOGRAPHIC VERIFICATION
Verification of cryptographic protocols is a very active research area [11]. According to [5], the difficulty of cryptographic protocol verification is due to the unbounded nature of several parameters of the system to verify: there is no bound on the number of session instances that can be created, the number of principals, the number of nonces that can be created, or the size of messages that occur during execution of the protocols.
Many techniques, methods and theories have been
adopted by researchers to build automatic verification tools.
Several verification methods have been applied for the
cryptographic protocols verification. Examples of popular
methods are model checking and theorem proving.
However, there are many other methods available for
verifying the cryptographic protocols. Each technique has its
own strengths and weaknesses.
In this section, we highlight several methods usually
used for cryptographic protocol verification. The methods
discussed are the model checking method, deductive
method/theorem proving method, logic programming based
method, and the abstraction-based method.
A. Model Checking Method
The model checking approach to formal verification is a
verification technique that explores all possible system
states in a brute-force manner [12]. The model checking
method and its tools were the first method applied to the
analysis of cryptographic protocols [5]. Usually, model
checking works on finite-state systems. For cryptographic
protocols, this method requires a small and fixed number of
sessions to be considered as well as a bounded size in the
messages exchanged. This method is used by many
researchers where the cryptographic protocols were modeled
in order to use the general model checker or developed
special purpose model checkers [13].
Model checking is able to effectively discover many flaws in cryptographic protocols. However, if the model checker fails to find an attack, this only means that there is no attack in the particular configuration analyzed [5]. Nothing can be said about all possible configurations of that protocol, because the protocol could be correct or an attack might exist in a different configuration [5].
Model checking tools are automatic. These tools bound
the number of sessions and the number of participants.
These tools are difficult to handle because of the explosion
of the state space due to interleaved execution of sessions
and message sizes [5]. Each such tool requires some
supplementary simplifying assumptions such as a bound on
the size of messages.
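To make the bounded, brute-force exploration described above concrete, here is an added Python example (constructed for this page; it is not code from the paper nor from Casper, Casrul or any other tool it cites). It encodes a two-message key-transport protocol symbolically, gives a Dolev-Yao intruder control of the network, and searches every intruder action for a bounded number of responder sessions and message nesting depth, returning a trace as soon as the payload `secret` becomes derivable. The protocol itself, the term encoding, the agent names and the `sessions`/`depth` bounds are all assumptions of the example.

```python
from collections import deque
from itertools import product

# Symbolic message terms (constructed for this example):
#   'A', 'B', 'I', 'kAB', 'kI', 'secret'   atoms: agent names, keys, payload
#   ('pk', X) / ('sk', X)                    public / private key of agent X
#   ('aenc', m, ('pk', X))                   public-key encryption of m for X
#   ('senc', m, k)                           symmetric encryption of m under k
#   ('sig', m, X)                            X's signature over m (m readable)


def close(knowledge):
    """Dolev-Yao analysis closure: add everything the intruder can decompose."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            new = None
            if t[0] == 'aenc' and ('sk', t[2][1]) in known:
                new = t[1]                  # intruder holds the private key
            elif t[0] == 'senc' and t[2] in known:
                new = t[1]                  # intruder holds the symmetric key
            elif t[0] == 'sig':
                new = t[1]                  # signatures do not hide content
            if new is not None and new not in known:
                known.add(new)
                changed = True
    return frozenset(known)


def synth(known, depth):
    """Bounded synthesis: terms the intruder can build by nesting up to depth."""
    terms = set(known)
    for _ in range(depth):
        layer = set()
        for m, k in product(terms, terms):
            if isinstance(k, tuple) and k[0] == 'pk':
                layer.add(('aenc', m, k))
            elif isinstance(k, tuple) and k[0] == 'sk':
                layer.add(('sig', m, k[1]))
            elif isinstance(k, str):
                layer.add(('senc', m, k))   # any known atom may serve as a key
        terms |= layer
    return terms


def responder_flawed(msg):
    """Flawed B: accepts {K}_pk(B) from anyone and answers {secret}_K."""
    if isinstance(msg, tuple) and msg[0] == 'aenc' and msg[2] == ('pk', 'B'):
        return ('senc', 'secret', msg[1])
    return None


def responder_fixed(msg):
    """Fixed B: accepts {sig_A(K)}_pk(B), so only a key signed by A is used."""
    if (isinstance(msg, tuple) and msg[0] == 'aenc' and msg[2] == ('pk', 'B')
            and isinstance(msg[1], tuple) and msg[1][0] == 'sig'
            and msg[1][2] == 'A'):
        return ('senc', 'secret', msg[1][1])
    return None


FLAWED_INIT = ('aenc', 'kAB', ('pk', 'B'))               # A -> B, flawed protocol
FIXED_INIT = ('aenc', ('sig', 'kAB', 'A'), ('pk', 'B'))  # A -> B, fixed protocol


def model_check(initiator_msg, responder, sessions=2, depth=2):
    """Bounded BFS over intruder sends to B; returns an attack trace or None."""
    intruder = close({'A', 'B', 'I', 'kI', ('pk', 'A'), ('pk', 'B'),
                      ('pk', 'I'), ('sk', 'I'), initiator_msg})
    if 'secret' in intruder:
        return []
    start = (intruder, sessions)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        (known, left), trace = queue.popleft()
        if left == 0:
            continue                        # session bound reached
        for msg in synth(known, depth):
            reply = responder(msg)
            if reply is None:
                continue                    # B rejects this message
            step = trace + [('I -> B', msg), ('B -> I', reply)]
            nxt = (close(known | {reply}), left - 1)
            if 'secret' in nxt[0]:
                return step                 # secrecy violated: attack trace
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, step))
    return None


if __name__ == '__main__':
    for name, init, role in [('flawed', FLAWED_INIT, responder_flawed),
                             ('fixed', FIXED_INIT, responder_fixed)]:
        result = model_check(init, role)
        print(name, '->', result if result else
              'no attack in this bounded configuration (2 sessions, depth 2)')
```

The flawed run returns a two-step trace in which the intruder submits a key it knows and reads the reply; the fixed run returns `None`, which, exactly as the text above warns, only states that no attack exists within two responder sessions and nesting depth two. Raising `sessions` or `depth` makes the `synth` set and the state space grow quickly, which is the state explosion that forces real model checkers to adopt the simplifying bounds mentioned here.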
Model checking tools deal with two types of properties: secrecy and authentication properties [5]. Casper and Casrul are two well-known tools in this model-checking category:
a. Casper: Casper is a compiler which takes a security protocol specification and produces an equivalent description in the process algebra CSP [4], [5]. According to [1], Casper was developed to automate one of the most sensitive steps, the translation of a protocol specification into a low-level language that can be handled by automated verification systems.
b. Casrul: Casrul is also a protocol compiler [1]. It translates cryptographic protocol specifications into a set of rewrite rules, which are then turned into rules for the theorem prover daTac. This translation step is enabled by a static analysis of the protocol, which removes many errors while remaining protocol independent. The purpose is to verify the executability of protocols and to translate them into rewrite rules that can be used by several types of automatic or semi-automatic tools in order to find design flaws.
B. Deductive Theory Proving Method
The deductive method is a method based on induction
and theorem proving [14]. The deductive method, also
known as the theorem proving method, differs from the
model checking method. This is a very general method
which, while not completely automatic like the model
checking method, can handle unbounded protocols and
allows obtaining proofs of correctness [5].
This method relies on the concept of a trace as a list of
events which have occurred on the network while a
population of agents is running a protocol [15]. However, it
is difficult to obtain a counter-example and determine the
possible attacks on the protocols when the prover fails.
Tools for this method include tools based on induction and
theorem proving [5]. Typically, tools employing this method
are used to give a general proof method of correctness for
protocols. However, these tools can also be used to indicate
possible attacks.
A theorem prover provides an interactive environment for developing proofs by means of a set of tactics (elementary proof steps) and tacticals (groupings of tactics). Typical tactics are implementations of a deduction rule, a rewriting rule, an induction scheme or a decision procedure [16]. Mechanical procedures are provided for developing, verifying and analyzing protocols [17], [18]. According to [19], one drawback of theorem proving is that inductive theorem proving requires considerable expertise as well as substantial time and effort.
As stated earlier, this category of tools can deal with an
unbounded number of sessions and participants. Below are
two examples of tools:
a. Isabelle is a powerful theorem prover ([20] as cited in [19]). The tool is not totally automatic, because user interaction is required to obtain a proof: more specifically, a user has to choose among different strategies [5], [15]. It is implemented in higher-order logic (HOL), which can be viewed as logic on top of functional programming.
b. Securify is a completely automatic theorem prover
designed to prove the safety characteristic of a
cryptographic protocol [21]. When this can be proved
correct, Securify will produce an equivalent proof tree
using an intuitive visual representation [21].
C. Logic Programming Based Method
This technique makes it possible to verify security properties of a cryptographic protocol in a fully automatic way [22]. For example, secrecy and authenticity can be verified using this method. Moreover, this method can handle an unbounded number of sessions of the protocol and can prove correctness [5]. However, termination of the analysis is not guaranteed. Reference [5] describes this method as based on modeling protocols in Horn logic. It can handle an extensive range of cryptographic primitives, including shared-key and public-key cryptography, hash functions, and also a simple model of Diffie-Hellman key agreement [22].
This method, also known as the … verification method, is not tied to a single formalism for representing protocols; it also covers extensions of the pi calculus with cryptographic primitives. One of the difficulties with this method is the handling of nonces [23].
D. Type System Based Methods
Type systems and type-checking have been suggested as a general method for verifying cryptographic protocols [24]. Type systems are effective tools for verifying the security of cryptographic programs [25], and type checking can handle unbounded protocols. This approach provides automation, modularity and scalability, and it has been applied to large security protocols.
This approach traditionally relies on abstract assumptions about the underlying cryptographic primitives that are expressed in symbolic models [25]. According to [5], this method relies on a particular process algebra to model the protocol and the … Examples include the Spi-calculus and Process calculus. This method is more realistic but harder to formalize and automate [5]. Furthermore, a failure indicates either incorrect behavior or limitations of the type system considered.
E. Abstraction-Based Methods
According to [26], verification can be performed using a finite abstract model rather than through theorem proving. This method is limited to a bounded number of sessions and participants. Cryptographic protocol verification with this method is completely automatic but limited to analyzing only secrecy properties [27]. Usually, it is able to analyze only a small number of instances of the protocol, being very limited by the amount of interleaving to consider [5]. Some approaches have been proposed to raise the number of sessions that can be analyzed; an example of such an approach is widening. An example tool for this method is Timbuk, which allows proving the correctness of protocols with respect to secrecy and authentication properties and can deal with an unbounded number of sessions and participants [28].
VI. COMPARISON OF CRYPTOGRAPHIC VERIFICATION
METHODS
Table 2 is a comparison table showing the differences
among model checking methods, deductive method/theorem
proving methods, logic programming based methods, and
abstraction-based methods.
TABLE 2: COMPARISON OF CRYPTO. VERIFICATION METHODS
Model checking
  Functionalities: i. These tools are designed and applied to discover flaws in cryptographic protocols. ii. These tools bound the number of sessions and the number of participants.
  Limitations: i. Difficult to handle because of the explosion of the state space due to interleaved execution of sessions and message sizes. ii. Each such tool requires some supplementary simplifying assumptions, for example a bound on the size of messages.
Deductive/theorem proving
  Functionalities: i. Handles unbounded protocols and allows obtaining correctness proofs. ii. Traces a list of events occurring on the network while a population of agents is running a protocol.
  Limitations: i. Difficult to obtain the counter-example and the possible attacks on the protocols when the prover fails. ii. Needs manual intervention.
Logic programming based
  Functionalities: i. Handles an unbounded number of sessions of the protocols. ii. Proves correctness of protocols.
  Limitations: i. Normally termination of the analysis is not guaranteed. ii. Difficult to handle nonces.
Static analysis based
  Functionalities: i. Type systems are effective tools used to verify the security of cryptographic programs. ii. Type checking can handle unbounded protocols. iii. Provides and applies automation, modularity and scalability to large security protocols.
  Limitations: i. Harder to formalize and automate.
Abstraction-based
  Functionalities: i. Analyzes secrecy properties. ii. Proves correctness of protocols with respect to secrecy and authentication properties.
  Limitations: i. Limited to a bounded number of sessions and participants.
VII. CASE STUDY
The applications related to medical informatics,
appliances, and apparatus generate sensitive and critical data
related to the patients, environment, and about their own
self. When these devices are connected to each other or
accessed remotely, it is important that the data that is
exchanged to/from these devices is reliable. In the low cost
medical diagnosis project at Qatar University, we are
motivated by the dramatic rise in the number of people with
illnesses and high costs associated with managing and
treating them. Two mission-critical schemes should be
enforced without delay to ensure that low-cost and high
quality health services can be delivered to Qatar.
Fig. 1. The Experimental Setup
First, the usual hospital-based healthcare should be
transformed to personal-based healthcare, which encourages
the participation of the whole nation for the prevention of
illnesses or early prediction of diseases. Secondly, cutting-
edge technologies have to be developed with the aim of
reducing medical costs in the following aspects:
1. innovative and low-cost medical devices without frequent professional involvement;
2. precise and reliable automatic diagnosis systems to avoid unnecessary clinical visits and medical tests;
3. telecommunication technologies to support caregivers in remotely … status.
Bearing in mind the above mentioned facts, a
comprehensive solution is proposed which comprises
wearable and WBAN-based health monitoring system,
automatic diagnosis system and wireless application
protocol (WAP) based telemedicine system.
In our experiments, we observed record counts in excess of 500,000 for an Electrocardiography (ECG) WBAN device. The processing and transfer of this much context over a wireless link is prone to errors, congestion and packet loss. Through the research mentioned above, we could evaluate the wireless technologies at our disposal for inclusion in the prototype of our project.
VIII. CONCLUSION
Secure communications are essential for WBANs and patient privacy. But privacy acquired at the cost of sensor power and computational capability can be critical in health monitoring networks, where the information itself is critical. We argue that extensive ciphering of data packets in a WBAN might not be an optimal choice, especially if the sensors are inside the human body, e.g. pacemakers. After the discussion above, we tentatively conclude that the application and scheduling of cryptographic algorithms should be selective. Shared-key methods are best suited to the nature of self-deployable body area networks, along with their serious drawbacks. Perhaps a hybrid of a lightweight, shared-key and selective packet-ciphering protocol could be more beneficial to the cause.
ACKNOWLEDGEMENTS
This publication was made possible by a grant from
Qatar National Research Fund under its National Priority
Research Program, for projects NPRP 09-292-2-113. Its
contents are solely the responsibility of the authors and do
not necessarily represent the social views of Qatar National
Research Fund.
REFERENCES
[1] … Information Security Bulletin, vol. 2, no. 2, pp. 31-36, 1997.
[2] M. McLoone and J. V. McCanny, System-on-chip architectures and implementations for private-key data encryption. New York, New York, USA: Kluwer Academic Pub, 2003.
[3] B. A. Forouzan, Cryptography & Network Security, International Edition. New York: McGraw Hill, 2008.
[4] … ption, University of Tubingen, 2003.
[5] …
[6] … Telecommunications and Information Technology, vol. 4, pp. 5-15, 2002.
[7] … Journal of Computers, vol. 1, no. 1, pp. 10-14, 2007.
[8] … Ancona, Italy, 2002.
[9] … Computer Security Foundations Workshop VII, 1994, pp. 192-200.
[10] … 2011.
[11] … Secur … -154.
[12] … of Network Security & Its Applications, vol. 2, no. 2, pp. 87-98, Apr. 2010.
[13] … Workshop on Design and Formal Verification of Security Protocols, 1997.
[14] … inductio … 1997, pp. 70-83.
[15] … University of Cambridge, 2000.
[16] R. S. Boyer and J. S. Moore, Computational Logic Handbook. San Diego: Academic Press, 1988.
[17] … MCSEAI02 7th Maghrebian Conference on Computer Science, 2002, pp. 313-324.
[18] …
[19] … evaluate the security of real-life cryptographic protocols? … the 14th international conference on Financial cryptography and data security, 2010, vol. 6054, pp. 182-194.
[20] … no. 1-2, pp. 85-128, 1998.
[21] V. Cortier, J. Millen, and H. … Foundations Workshop, 2001, pp. 97-108.
[22] … international conference on Principles and practice of declarative programming - PPDP … -3.
[23] … Lausanne, 2008.
[24] … of the ACM, vol. 46, no. 5, pp. 749-786, Sep. 1999.
[25] C. Fournet, M. Kohlweiss, and P.- … ACM conference on Computer and communications security - CCS …
[26] … Lecture Notes in Computer Science, vol. 1254, O. Grumberg, Ed. Berlin, Heidelberg: Springer Berlin Heidelberg, 1997, pp. 131-142.
[27] J. Goubault- … Workshops on Parallel and Distributed Processing, 2000, pp. 977-984.
[28] T. Genet and F. Klay, … Deduction, Pittsburgh, PA: Springer Berlin Heidelberg, 2000, pp. 271-290.