[IEEE 2011 IEEE 5th International Symposium on Theoretical Aspects of Software Engineering (TASE) - Xi'an, China (2011.08.29-2011.08.31)]
Modeling and Analyzing the μTESLA Protocol using CSP
Mengying Wang, Huibiao Zhu, Yongxin Zhao, Si Liu
Shanghai Key Laboratory of Trustworthy Computing, Software Engineering Institute, East China Normal University
Email:{mywang,hbzhu,yxzhao,siliu}@sei.ecnu.edu.cn
Abstract—In this paper, we investigate the μTESLA protocol and analyze its broadcast authentication property using the process algebra CSP. All the communication entities of the protocol, namely the base station, the sensors and the intruder, are modeled as CSP processes. We also produce a CSP description of the protocol specification in our framework. Our verification result demonstrates the correctness of the protocol with respect to the broadcast authentication property.
I. INTRODUCTION
As a broadcast authentication protocol for wireless sensor networks, μTESLA provides authenticated streaming broadcast for unsupervised, harsh and resource-constrained environments. It has several well-known features: it relies only on symmetric cryptographic primitives, obtains a quasi-asymmetric property through delayed key disclosure, and is energy-efficient.
Nowadays, a number of formal methods and techniques have been developed to model the μTESLA protocol and check its security properties [1], [2], [4]. Ballardin and Merro [1] proposed a timed broadcasting calculus, tCryptoCWS, and as its main application presented a formal specification of μTESLA and proved that the protocol enjoys timed integrity. In [2], Gorrieri et al. employed tCryptoSPA to formally verify the timed integrity of μTESLA, though their abstraction of timed integrity is less intuitive. Hopcroft and Lowe [4] constructed a finite CSP model of the TESLA protocol and showed, largely by hand, that the protocol is correct at least for a system comprising a single sender and a single receiver.
In this paper, we investigate the μTESLA protocol and analyze its broadcast authentication property using the process algebra CSP [3], [9]. All the communication entities of the protocol, namely the base station and the sensor nodes, are described as CSP processes. The authentication mechanism is also encoded in our framework to allow a comprehensive formal analysis of the protocol. Furthermore, we propose a Dolev-Yao intruder model, within which an intruder can overhear, intercept, deduce and forge messages. In addition, we give a CSP specification of the broadcast authentication property of the protocol. Based on the trace semantics of CSP, we verify that the protocol indeed satisfies this property.
The remainder of this paper is organized as follows. Section 2 briefly introduces the μTESLA protocol and the CSP notation used. In Section 3, a CSP description of the protocol is presented. Section 4 then analyzes and verifies the resulting model using a refinement approach based on trace semantics. Finally, Section 5 concludes the paper and presents future work.
II. PRELIMINARIES
A. The μTESLA Protocol
The μTESLA protocol is usually described as four phases:
sender setup, bootstrapping new receivers, broadcasting au-
thenticated packets and authenticating broadcast packets. Let
A be a receiving node, ∗ represent all nodes in the network
and S be a broadcasting sender. The following will give a
brief overview of the protocol.
Sender setup. S chooses the last key K_N at random and then generates the previous keys by recursively applying the one-way function F to the latest key, i.e. K_i = F(K_{i+1}), so that K_0 = F^N(K_N). Then S selects a future time period [T_0, T_{N+δ+1}] and divides it into N + δ + 1 small time intervals of length T_int each, where δ is the disclosure delay of the key release. Finally, S associates each key of the one-way key chain with one of the time intervals.
Bootstrapping new receivers. A records its local time t_R and sends a nonce N_A to S.
A → S : N_A
Once it receives the nonce, S returns a message with the following information: its current time t_S, the first key in the chain K_0, the start time of the first interval T_0, the interval length T_int and the disclosure delay δ. To authenticate this data, and to ensure its freshness, S computes a MAC over it with the shared secret key SK_A and the nonce N_A.
S → A : Args.Mac(SK_A, N_A.Args)
where Args = t_S.K_0.T_0.T_int.δ
When A receives this message, it can compute the maximum time synchronization error Δ (Δ = t_S − t_R, defined in [6]) and obtain the broadcast authentication parameters.
Broadcasting authenticated packets. Within time interval t, S broadcasts a message M_t and uses the current key K_t to compute its MAC.
S → ∗ : M_t.Mac(K_t, M_t)
2011 Fifth IEEE International Conference on Theoretical Aspects of Software Engineering
978-0-7695-4506-6/11 $26.00 © 2011 IEEE
DOI 10.1109/TASE.2011.10
As soon as A receives this packet, it performs the safe packet test to ensure that S has not yet disclosed K_t.
The safe packet test is as follows: first, A records its local time t_r at which the packet arrived. Then it calculates the upper bound t_s on S's clock, t_s = t_r + Δ, and the latest interval x that S could be in, namely x = floor((t_s − T_0)/T_int). If x < t + δ, S cannot yet have disclosed K_t, so A considers the packet safe and stores it. Otherwise, it discards the packet [7].
Authenticating broadcast packets. After δ time intervals, S broadcasts the key K_t.
S → ∗ : K_t
On receipt of this key, A checks the legitimacy of K_t against some earlier authenticated key K_i. Only when K_i = F^{t−i}(K_t) does A replace the most recently authenticated key K_i with K_t and recompute the MACs, which guarantees that the packets received during the time intervals i to t are neither forged nor altered.
B. CSP Notations
In this section, we will give a brief overview of CSP. More
details of CSP can be found in [3], [9].
STOP never engages in any event; SKIP terminates immediately and then behaves as STOP; x := e assigns (the value of) e to the variable x; CHAOS(A) can perform any sequence of events from A; a → P first engages in event a and then behaves exactly as P; P \ A behaves like P except that each occurrence of an event in A is concealed; P[[a ← b]] behaves like P except that event a is renamed to b; P ; Q performs P and Q in sequence; P ||| Q behaves like a concurrent run of P and Q without any synchronization between them; P □ Q and P ⊓ Q behave like either P or Q, where the choice is made by the external environment (□) or internally and arbitrarily (⊓); P [| A |] Q is the parallel composition of P and Q, synchronized in lock-step on the events in A.
III. MODELING
In order to model the protocol in CSP, we first define
some basic sets and channels.
We define a set of base stations Station and a set of sensor nodes Node. We assume the existence of the set K of keys in the key chain, the set SK of shared secret keys between each sensor node and the base station, the set Nonce of nonces, the set M of broadcast messages and the set T of time intervals. We also define four types of messages, corresponding to the four messages of the protocol.
MSG1 =df {A.S.N_A | A ∈ Node, S ∈ Station, N_A ∈ Nonce},
MSG2 =df {S.A.Args.Mac(SK_A, N_A.Args) | S ∈ Station, A ∈ Node, K_0 ∈ K, T_0 ∈ T, SK_A ∈ SK, N_A ∈ Nonce},
MSG3 =df {S.∗.M_t.Mac(K_t, M_t) | S ∈ Station, ∗ = Node, M_t ∈ M, K_t ∈ K},
MSG4 =df {S.∗.K_t | S ∈ Station, ∗ = Node, K_t ∈ K},
MSG =df MSG1 ∪ MSG2 ∪ MSG3 ∪ MSG4.
We also declare five channels: comm, fake, intercept, session and fake_session.
channel comm, fake, intercept : MSG
channel session, fake_session : Station.Node.K
Here comm denotes standard communication between two honest agents; fake and intercept mean that the message sender or receiver, respectively, is impersonated by the intruder; session and fake_session represent a sensor node successfully authenticating and accepting a broadcast message that was sent by the base station or by the intruder, respectively.
Figure 1 illustrates the communications in the system via
these channels.
Figure 1. Communications in the System
A. Timer
Since this protocol uses time delay to achieve the effect of asymmetric cryptography and assumes the local clocks of both the base station and the sensor nodes to be accurate, we need a TIMER process to simulate a global clock.
TIMER(j) =df (tick → TIMER(j + 1)) □ (time?req → time!j → TIMER(j)),
where j ∈ ℕ.
Note that when TIMER receives a request req on the channel time, it responds with the current time j.
B. Base Station
Before performing a run of the protocol, the base station
generates the key chain K, the time intervals T and other
broadcast arguments, such as Tint, δ and so on.
STATION1(S, SK, M, K, T, T_int, δ, N) =df
    time!Req → time?ts0 →
    if (ts0 < T_1) then STATION1(S, SK, M, K, T, T_int, δ, N)
    else if (ts0 ≥ T_{N+δ+1}) then STOP
    else (
        ((comm?A.S.N_A → time!Req → time?ts2 → t_S := ts2;
          comm!S.A.Args.Mac(SK_A, N_A.Args) → SKIP) □ SKIP)
        |||
        (t := floor((ts0 − T_0)/T_int);
         if (t ≤ N) then comm!S.∗.M_t.Mac(K_t, M_t) → SKIP;
         if ((t − δ) ≥ 1) then comm!S.∗.K_{t−δ} → SKIP)
    );
    STATION1(S, SK, M, K, T, T_int, δ, N).
The base station sends a request for the current time. If the time is earlier than T_1, it continues to wait; if the time is later than or equal to T_{N+δ+1}, it terminates immediately; otherwise it can bootstrap new receivers. In parallel, it broadcasts the authenticated packet for the current interval and releases the key of δ intervals earlier, so that the receivers can authenticate the broadcast packets they have stored.
C. Sensor Nodes
Each receiver can authenticate broadcast packets only
when it is loosely time synchronized with the base station
and knows the key disclosure schedule of the keys of the
one way key chain. Both of them could be achieved in the
following two-round message exchange.
NODE1(A, SK_A) =df
    time!Req → time?ts1 → t_R := ts1;
    ⊓_{N_A ∈ Nonce} comm!A.S.N_A →
    comm?S.A.Args.Mac(SK'_A, N'_A.Args) →
    if (Mac(SK_A, N_A.Args) = Mac(SK'_A, N'_A.Args)) then
        Δ := t_S − t_R; NODE2(A, [], Δ, 0, K_0, T_0, T_int, δ)
    else NODE1(A, SK_A).
At this point the sensor node has computed Δ and knows the essential broadcast authentication parameters, so it begins to receive and authenticate broadcast messages.
NODE2(A, P, Δ, i, K_i, T_0, T_int, δ) =df
    comm?S.∗.M_t.Mac(K_t, M_t) → time!Req → time?ts3 →
    t_s := ts3 + Δ; x := floor((t_s − T_0)/T_int);
    if (x < (t + δ)) then
        P := P.AddPacket([t, M_t, Mac(K_t, M_t)]);
        if (t − δ ≥ 1) then
            comm?S.∗.K_{t−δ} →
            if (F^{t−δ−i}(K_{t−δ}) = K_i) then
                packet := P.GetPacket(t − δ);
                if (Mac(K_{t−δ}, packet[1]) = packet[2]) then
                    session.S.A.K_{t−δ} → SKIP;
                P := P.DeletePacket(t − δ);
                NODE2(A, P, Δ, t − δ, K_{t−δ}, T_0, T_int, δ)
            else NODE2(A, P, Δ, i, K_i, T_0, T_int, δ)
    else NODE2(A, P, Δ, i, K_i, T_0, T_int, δ).
On receiving the broadcast message M_t, the sensor node first performs the safe packet test; only if the test passes does it buffer the packet. Then, if K_{t−δ} is disclosed and authenticated successfully, the sensor node takes out the packets received during time interval t − δ and authenticates them by recomputing their MACs.
So far we have ignored interference from the intruder, but intruder actions are certainly possible. Taking STATION1 as an example: apart from correct messages, N_A may be faked, and M_t, Args and K_{t−δ} may be intercepted. We model this via renaming, as in [5], and NODE1 is renamed similarly.
D. Intruder
The intruder is defined as the set of facts he knows. The
following set Fact explains all facts that the intruder might
learn: atomic datatypes and MACs.
Fact =df Station ∪ Node ∪ K ∪ SK ∪ Nonce ∪ M ∪ T ∪ {T_int, δ, N}
        ∪ {Mac(K_t, M_t) | K_t ∈ K, M_t ∈ M}
        ∪ {Mac(SK_A, N_A.Args) | SK_A ∈ SK, N_A ∈ Nonce, K_0 ∈ K, T_0 ∈ T}.
Then we define the inference rules, i.e., the ways in which
the intruder can deduce new facts from what he has known.
(1) {K_t} ⊢ {K_{t−1}, K_{t−2}, K_{t−3}, ..., K_0},
(2) {K_t, M_t} ⊢ {Mac(K_t, M_t)},
(3) {SK_A, N_A, Args} ⊢ {Mac(SK_A, N_A.Args)},
(4) H ⊢ {f} ∧ H ⊆ H′ ⇒ H′ ⊢ {f}.
Here, (1) represents the one-way function F. (2) and (3)
represent the Mac function. (4) represents that if a fact set
{f} could be deduced from a smaller set H , then it can also
be derived from a larger set H′.
Next, we will define the information of a message, i.e., the
facts which will be learned directly by the intruder (without
any further inference).
info(A.S.N_A) =df {A, S, N_A},
info(S.A.Args.Mac(SK_A, N_A.Args)) =df {S, A, t_S, K_0, T_0, T_int, δ, Mac(SK_A, N_A.Args)},
info(S.∗.M_t.Mac(K_t, M_t)) =df {S, ∗, M_t, Mac(K_t, M_t)},
info(S.∗.K_t) =df {S, ∗, K_t}.
Since messages are not encrypted, the intruder can read all
message contents, as well as identities of the message sender
and receiver. Moreover, the MACs are also exposed.
In order to better describe the behaviors of the intruder,
we add two channels: deduce and use_key. The former is used to derive new facts, while the latter means that the intruder uses a known key in a fake session.
channel deduce : Fact.{Fact}
channel use_key : K
The intruder can overhear or intercept a message and thereby learn all of its information; he can fake a message if he knows all the information it needs; he can deduce a new fact from what he already knows; and he can use a key he knows in a fake session.
INTRUDER1(H) =df
      □_{m ∈ MSG} comm.m → INTRUDER1(H ∪ info(m))
    □ □_{m ∈ MSG} intercept.m → INTRUDER1(H ∪ info(m))
    □ □_{m ∈ MSG, info(m) ⊆ H} fake.m → INTRUDER1(H)
    □ □_{f ∈ Fact, f ∉ H, H ⊢ {f}} deduce.f.H → INTRUDER1(H ∪ {f})
    □ □_{K_t ∈ H ∩ K} use_key.K_t → INTRUDER1(H).
The effects of use_key and fake_session are the same, so we rename use_key to fake_session so that the intruder can run concurrently with the sensor nodes. In addition, we hide the actions on channel deduce, since they are internal events.
INTRUDER(H) =df INTRUDER1(H)[[use_key ← fake_session.S.A]] \ {|deduce|}.
E. System and Specification
We first consider a system without the intruder:
SERVER =df STATION(S, [SK_A, SK_B], [M_1], [K_0, K_1], [T_0, T_1, T_2, T_3, T_4], T_int, 2, 1) [|{|time|}|] TIMER(0),
AGENT =df NODE(A, SK_A) [|{|time|}|] TIMER(0),
SYSTEM1 =df (SERVER [|{|comm, session|}|] AGENT) \ ({tick} ∪ {|time|}).
The base station has been initialized with two shared secret keys, SK_A and SK_B, and wants to send a broadcast message M_1 using K_1 in interval [T_1, T_2). Two time intervals later, i.e. in interval [T_3, T_4), it releases K_1 so that sensor nodes A and B can authenticate M_1.
We then add the intruder:
SYSTEM =df SYSTEM1 [|ALPH|] INTRUDER({S, A, B, SK_B}),
ALPH =df {|comm, session, fake, intercept, fake_session|}.
The intruder has captured the sensor node B and so can run the protocol normally as B. In addition, he can overhear messages, intercept messages and even forge messages in order to take part in fake sessions with sensor node A.
μTESLA, as a broadcast authentication protocol, guarantees that a sensor node never accepts a message that was not sent by the base station. This security property can be described as:
SPEC =df CHAOS(Σ − {|fake_session.S.A|}).
Note that Σ is the set of all events, so SPEC can perform any sequence of events except fake_session.S.A. If SYSTEM refines SPEC in the traces model, no trace of SYSTEM contains fake_session.S.A, i.e. A never accepts a broadcast message that originates from the intruder, and the protocol satisfies the broadcast authentication property.
IV. VERIFICATION
To verify whether the protocol satisfies the broadcast authentication property, we try to alter or forge messages. First, assume the intruder seeks to forge a broadcast message. We must check whether there exists a trace in which a message not sent by S is accepted by A.
Case I: Before K_t is disclosed, the traces may be (a) or (b):
(a) ⟨comm.A.S.N_A, comm.S.A.Args.Mac(SK_A, N_A.Args), fake.S.∗.M'_t.Mac(K_t, M'_t), comm.S.∗.K_t, fake_session.S.A.K_t⟩.
The intruder tries to fake a broadcast message M'_t using K_t. This trace does not exist, however, because he does not know K_t and therefore cannot compute Mac(K_t, M'_t) for M'_t.
(b) ⟨comm.A.S.N_A, fake.S.A.Args'.Mac(SK_A, N_A.Args'), fake.S.∗.M'_t.Mac(K'_t, M'_t), fake.S.∗.K'_t, fake_session.S.A.K'_t⟩,
where Args' = t_S.K'_0.T'_0.T'_int.δ'.
The intruder wants to fake Args' so as to broadcast M'_t under his own key disclosure arguments. This trace does not exist either, because the intruder does not know SK_A and thus cannot compute Mac(SK_A, N_A.Args') for Args'.
Case II: After K_t has been disclosed, the traces may be (b) or (c):
(c) ⟨comm.A.S.N_A, comm.S.A.Args.Mac(SK_A, N_A.Args), comm.S.∗.K_t, fake.S.∗.M'_t.Mac(K_t, M'_t), fake_session.S.A.K_t⟩.
The intruder directly forges a broadcast message M'_t using the now known key K_t. However, this trace does not exist either: when A receives M'_t, the packet fails the safe packet test (by A's bound on S's clock, K_t may already have been disclosed), so A drops M'_t immediately. Note that in this case the defence is A's clock bound Δ rather than the secrecy of any key.
The case of altering a broadcast message is similar. All attempts fail, which shows that the protocol satisfies the broadcast authentication property in this model.
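The intruder of Section III.D and the trace arguments of Section IV, as one worked example added here (this is not the paper's code). Facts are tuples, the inference rules (1)-(4) are computed as a fixpoint closure, info(m) follows Section III.D, and the three candidate traces are replayed against the system of Section III.E. Assumptions (ours): the tuple encoding of facts, an interval index x carried by each fake event to stand in for the time at which A receives the forged packet, and an initial intruder knowledge extended with the broadcast address, the intruder's own message M'_1 and his own disclosure arguments Args'.

```python
"""Symbolic Dolev-Yao intruder for the mu-TESLA model: facts are tuples, the
deduction rules (1)-(4) of Section III.D form a fixpoint closure, and the
candidate traces (a)-(c) of Section IV are replayed against it.  Added
example, not the paper's code; the fact encoding, the interval index x on
fake events and the extended initial knowledge H0 are our assumptions."""


def key(t): return ("K", t)              # K_t of the base station's chain
def msg(t): return ("M", t)              # broadcast message M_t
def mac(k, data): return ("Mac", k, data)   # Mac(k, data), opaque unless k is known
def tagged(H, tag): return {f for f in H if isinstance(f, tuple) and f[0] == tag}


def one_step(H):
    """One round of rules (1)-(3); rule (4), monotonicity, is the closure itself."""
    new = set()
    for k in tagged(H, "K"):                            # (1) {K_t} |- {K_{t-1}, ..., K_0}
        new.update(key(i) for i in range(k[1]))
        for m in tagged(H, "M"):                        # (2) {K_t, M_t} |- {Mac(K_t, M_t)}
            new.add(mac(k, m))
    for sk in tagged(H, "SK"):                          # (3) {SK_A, N_A, Args} |- {Mac(SK_A, N_A.Args)}
        for n in tagged(H, "N"):
            for a in tagged(H, "Args"):
                new.add(mac(sk, (n, a)))
    return new - H


def closure(H):
    """Everything the intruder can deduce from H (least fixpoint)."""
    H = set(H)
    while True:
        new = one_step(H)
        if not new:
            return H
        H |= new


def info(m):
    """Facts read directly off a message; nothing is encrypted (Section III.D)."""
    kind = m[0]
    if kind == "MSG1":
        return {m[1], m[2], m[3]}                       # A, S, N_A
    if kind == "MSG2":
        return {m[1], m[2], m[3], *m[3][1:], m[4]}      # S, A, Args and its fields, Mac
    if kind == "MSG3":
        return {m[1], m[2], m[4], m[5]}                 # S, *, M_t, Mac(K_t, M_t)
    if kind == "MSG4":
        return {m[1], m[2], m[3]}                       # S, *, K_t
    raise ValueError(kind)


def can_fake(m, H):
    """fake.m is enabled iff every fact in info(m) is deducible from H."""
    return info(m) <= closure(H)


def run_trace(trace, H0, delta):
    """Replay (channel, message, x) events: comm events are overheard, a fake
    event requires can_fake, and a faked MSG3 for interval t received at
    sender-clock interval x passes A's safe-packet test iff x < t + delta,
    the only route to fake_session.S.A.  Returns (possible, A accepted forgery)."""
    H, accepted = set(H0), False
    for chan, m, x in trace:
        if chan == "fake":
            if not can_fake(m, H):
                return False, False
            if m[0] == "MSG3" and x < m[3] + delta:
                accepted = True
        H |= info(m)
    return True, accepted


# The instance of Section III.E: node B captured, A honest, delta = 2, N = 1.
S, A, B, STAR = "S", "A", "B", "*"
N_A, SK_A, SK_B = ("N", "A"), ("SK", "A"), ("SK", "B")
ARGS = ("Args", "t_S", key(0), "T_0", "T_int", "delta")
ARGS_I = ("Args", "t_S'", "K_0'", "T_0'", "T_int'", "delta'")   # the intruder's own Args'
M1_FAKE = msg("1'")                                               # the intruder's M'_1
DELTA = 2
MSG1 = ("MSG1", A, S, N_A)
MSG2 = ("MSG2", S, A, ARGS, mac(SK_A, (N_A, ARGS)))
RELEASE_K1 = ("MSG4", S, STAR, key(1))
FORGED = ("MSG3", S, STAR, 1, M1_FAKE, mac(key(1), M1_FAKE))
H0 = {S, A, B, STAR, SK_B, M1_FAKE, ARGS_I, *ARGS_I[1:]}

TRACES = {
    # (a): forge M'_1 under K_1 before K_1 is disclosed (A receives it at x = 1)
    "a": [("comm", MSG1, None), ("comm", MSG2, None), ("fake", FORGED, 1)],
    # (b): forge Args' for A so that A follows the intruder's key schedule
    "b": [("comm", MSG1, None),
          ("fake", ("MSG2", S, A, ARGS_I, mac(SK_A, (N_A, ARGS_I))), None)],
    # (c): forge M'_1 after K_1 is disclosed; A receives it at interval x = 3
    "c": [("comm", MSG1, None), ("comm", MSG2, None),
          ("comm", RELEASE_K1, None), ("fake", FORGED, 3)],
    # (c) again, assuming A's clock bound were wrong so that x looks like 1
    "c_bad_clock": [("comm", MSG1, None), ("comm", MSG2, None),
                    ("comm", RELEASE_K1, None), ("fake", FORGED, 1)],
}


def run_all():
    return {name: run_trace(tr, H0, DELTA) for name, tr in TRACES.items()}
```

run_all() reproduces the paper's case analysis: (a) and (b) are impossible because the closure never contains Mac(K_1, M'_1) or Mac(SK_A, N_A.Args'), while (c) is possible for the intruder but A rejects the packet, so fake_session.S.A never occurs. The constructed c_bad_clock trace shows the property's dependence on Δ: if A's estimate of S's clock were too small, the same forged packet would be accepted, which is why the safe packet test, not key secrecy, carries the argument after disclosure.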
V. CONCLUSION AND FUTURE WORK
In this paper we have presented a formal model of the μTESLA protocol in CSP. A Dolev-Yao intruder, who can overhear, intercept, deduce and forge messages, is included in the framework. Furthermore, we have verified, in terms of the trace semantics, that the protocol enjoys the broadcast authentication property. In future work we plan to use PAT [10] to check the model automatically, so as to strengthen the reliability of the result.
Acknowledgement This work was supported by the National Basic Research Program of China (No. 2011CB302904), the National Natural Science Foundation of China (No. 61061130541 and No. 61021004), China HGJ Significant Project (No. 2009ZX01038-001-07), and the Doctoral Program Foundation of Institutions of Higher Education of China (No. 200802690018).
REFERENCES
[1] F. Ballardin and M. Merro. A calculus for the analysis of wireless network security protocols. In Proc. FAST 2010: 7th International Workshop on Formal Aspects in Security and Trust, Pisa, Italy, September 16-17, 2010, volume 6561 of LNCS, pp. 206-222. Springer-Verlag.
[2] R. Gorrieri, F. Martinelli, M. Petrocchi, and A. Vaccarelli. Formal analysis of some timed security properties in wireless protocols. In Proc. FMOODS 2003: 6th IFIP International Conference on Formal Methods for Open Object-based Distributed Systems, Paris, France, November 19-21, 2003, volume 2884 of LNCS, pp. 139-154. Springer-Verlag.
[3] C. A. R. Hoare. Communicating Sequential Processes. Prentice Hall International Series in Computer Science, 1985.
[4] P. J. Hopcroft and G. Lowe. Analysing a stream authentication protocol using model checking. Int. J. Inf. Sec., 3(1):2-13, 2004.
[5] G. Lowe and B. Roscoe. Using CSP to detect errors in the TMN protocol. IEEE Transactions on Software Engineering, 23(10):659-669, October 1997.
[6] A. Perrig, R. Canetti, J. D. Tygar, and D. Song. The TESLA broadcast authentication protocol, 2002.
[7] A. Perrig, D. X. Song, R. Canetti, J. D. Tygar, and B. Briscoe. Timed Efficient Stream Loss-tolerant Authentication (TESLA): Multicast source authentication transform introduction. RFC 4082, June 2005.
[8] A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler. SPINS: Security protocols for sensor networks. Wireless Networks, 8(5):521-534, 2002.
[9] A. W. Roscoe. The Theory and Practice of Concurrency. Prentice Hall International Series in Computer Science, 1997.
[10] J. Sun, Y. Liu, and J. S. Dong. Model checking CSP revisited: Introducing a process analysis toolkit. In Proc. ISoLA 2008: 3rd International Symposium on Leveraging Applications of Formal Methods, Verification and Validation, 13-15 October 2008, Porto Sani, Greece, pp. 307-322. Springer-Verlag.