Sage Journals: Discover world-class research

Abstract

Security is a basic element of distributed systems such as ad hoc and sensor communication networks. Several standards define security requirements and enforcers, such as ITU-T Recommendations X.800 and X.805. It is essential to specify and analyze protocols to know which security requirements they achieve. This paper presents a logic-based security architecture (LBSA). LBSA is a systematic way to test if a protocol is secure by checking what security requirements are achieved. Different rules, actions, and sets which fit into the proposed LBSA are included, new ones are also added to complete the architecture. The key advantage of LBSA is that it enables a security protocol to prove its correctness mathematically. Mathematical proofs provided by LBSA cover more cases that usually cannot be covered exhaustively by simulation tools. This paper also specifies and analyzes several security enforcers and protocols and mathematically proves which security requirements they achieve. Mapping between security requirements and inference rules/actions is also provided to facilitate the use of LBSA. Some enforcers are analyzed using LBSA to demonstrate how they achieve security requirements. Finally, we take Ariadne protocol as a case study and show how to use the proposed LBSA architecture to prove that this protocol is secure.

1. Introduction

When two entities communicate to obtain a certain service(s), they must ensure secure end-to-end communication. Systems do not provide efficient services without applying proper security mechanism due to the existence of different types of attackers. Security can be defined through a set of requirements that must be achieved by the communicating parties to communicate securely and protect services from attackers.

Because of the importance of security for end-to-end communication, many secure protocols have been proposed as will be discussed later in the paper. Some of these protocols had taken prevention measures to stop attackers while others had taken the detection approaches. A way to analyze these protocols is required to check if these protocols are secure as their designers claim and to know which security requirements these protocols achieve. In this paper, we propose a logic-based security architecture (LBSA) which is an easy, fast, and reliable way to specify and analyze secure protocols.

Some security requirements, as defined by several standards such as ITU-T Recommendations X.800 and X.805 [1, 2], must be achieved to declare that a protocol is secure. Using LBSA, a protocol can be tested to check which security requirements it achieves. Several efforts have been done to utilize logic in such test [3–8], but logic was used to specify and analyze specific protocols by defining global and local sets, actions, and inference rules. In this paper security architecture is taken as a whole, different actions, sets, and rules which fit into the architecture have been included, that means specifying and analyzing different enforcers and determining the requirements they satisfy. Also, we had labeled the actions, sets and rules for easy access and we added our own to complete the architecture. Additionally, we mapped different security requirements into inference rules/actions. This mapping shows the inference rules/actions which are used during the protocol analysis to achieve security requirement(s).

Utilizing LBSA, protocols can be tested to check if they achieve the security requirements specified by their designers. This checking can be performed by analyzing the protocol and applying appropriate actions and rules. If the rules are applied successfully we conclude that their claim is true, otherwise it is false.

The rest of this paper is organized as follows: Section 2 illustrates the security architecture. Section 3 presents related work. Section 4 presents the proposed Logic-Based Security Architecture (LBSA) for systems providing multihop communication. Section 5 provides possible mapping between security requirements and inference rules/actions. In Section 6, the specification and analysis of message authentication code (MAC) and digital certificate based on LBSA are discussed. Section 7 illustrates how to specify and analyze protocols using LBSA by taking Ariadne routing protocol as a case study. Finally, Section 8 concludes the paper and presents avenues for future work.

2. Security Architecture

Security architecture as defined by ITU-T Recommendations X.800 [1] and X.805 [2] defines a set of security requirements that must be achieved. Figure 1 illustrates this architecture.

Figure 1

Security Architecture extracted from ITU-T Recommendations X.800 and X.805.

Security architecture as shown in Figure 1 includes a set of security requirements that are used to protect systems from different types of attackers. To achieve the objectives of these requirements, a set of security enforcers must be applied.

The requirements and their definitions are illustrated as the following. (i)

Authentication: Prove the identity of the communicating parties.

(ii)

Authorization: control the access to the system's resources. Give different entities different privileges according to their roles.

(iii)

Confidentiality: ensure the secrecy of data. Secret data must be read only by intended recipients.

(iv)

Integrity: protect the received data from any kind of modifications during transmission from the sender to the receiver.

(v)

Nonrepudiation: prevent the users from denying the sending of messages or initiating events that they had performed.

(vi)

Privacy: protect the identity and/or the location of the node and sometimes the routing protocol being used.

(vii)

Availability: ensure that no one prevents authorized users from getting access to the system available services.

These requirements must be achieved to guarantee secure communication and to prevent and detect different attackers which can be classified into the following. (i)

Internal or external attackers: internal attackers are compromised users who are authorized to enter the system but they are misbehaving. This type of attack needs a detection mechanism to be discovered as they have the authority to access the system's services. External attackers, on the other hand, are unauthorized entities attempting to access the system's services; these attackers must be prevented from accessing the system's resources.

(ii)

Passive or active attackers: passive attackers monitor the system without taking any action and usually it is a phase that precedes an active attacking. Active attacker takes actions and does modifications.

(iii)

Intentional or accidental: intentional attack is a planned attack while accidental attacking results from system malfunctions such as software bugs.

Several mechanisms and techniques have been defined to achieve different security requirements. Table 1 gives examples of different security enforces that are used to implement the objectives of different security requirements.

Table 1

Examples of security requirements enforcers.

Security requirement	Security enforcer
	(i) Digital certificate
Authentication	(ii) Digital signature
	(iii) Message authentication code (MAC)

Authorization	Firewall

Confidentiality	Encryption

	(i) Hash function
Integrity	(ii) MAC
	(iii) Digital signature

Nonrepudiation	Digital signature

	(i) Achieved partially by encryption
Privacy	(ii) Hide node location
Privacy	(iii) Hide node identity
	(iv) Hide routing protocol

Availability	(i) Intrusion detection scheme (IDS)
Availability	(ii) Intrusion prevention scheme (IPS)

Secure protocols usually use the above enforces, among others, to achieve the security requirements. There are different ways to analyze security protocols in terms of achieved security requirements such as simulation and mathematical models; this paper uses logic to do such analysis.

3. Related Work

The importance of security in providing successful services in any distributed system raises the necessity of having formal way to analyze security protocols. Previous effort in using logic for analyzing security is Rubin logic [3, 4].

Rubin logic is an approach that specifies and analyzes nonmonotonic cryptographic protocols. It is one of the first approaches to allow reasoning about nonmonotonic protocols [3]. In nonmonotonic protocols, beliefs are changed during protocol execution time. An example of nonmonotonicity is the belief that a key must be changed when a node becomes compromised. To achieve the protocol specification and analysis, Rubin logic defines global and local sets, actions and inference rules.

Rubin and Honeyman [3] focused on authentication protocols. They took KHAT protocol [9] as an example to discover its flaws. KHAT protocol was built to solve the problem of long running jobs in an authenticated environment where a trusted server issues tickets with limited lifetimes for services. The authors gave special attention to ensure the freshness of data using fresh nonce. The main problem they attempted to solve is that principal B cannot achieve the belief that the session key with principal A is fresh. Finally, the authors defined most of global and local sets that are used later in the literature.

Rubin [4] extended the work presented in [3] by adding one set. Rubin [4] aimed to make sure that keys are observed by their intended parties and data items are fresh, especially the public keys. Rubin [4] made link between certificates and requests which reveals weakness in Needham and Schroeder public key protocol [10].

Xu and Xie presented in a series of papers [5–8] the utilization of Rubin logic in analyzing the security for specific protocols.

In [5], Xu and Xie extended the work presented in [4] to analyze nonrepudiation in routing protocols proposed for wireless mobile ad hoc networks (MANET). This work took ARAN [11] routing protocol to test nonrepudiation.

Xu and Xie [6] use the work presented in [5] to analyze electronic commerce protocols and in [7] they have chosen Zhou-Gollmann [12] protocol which is a simple and effective nonrepudiation protocol to illustrate how an electronic commerce protocol is analyzed using the extended Rubin logic.

Two examples of Rubin logic's applications are given by Xu and Xie in [8]. First example is the Andrew secure RPC [13] protocol using symmetric keys. The second one is X.509 [14] authentication protocol using asymmetric keys.

As can be illustrated from the above-related work, all attempts to utilize Rubin logic have either focused on a specific requirement or a specific protocol. This paper proposes a logic-based security architecture (LBSA) that presents a formal way to analyze any security requirement in any system providing multihop communication. All sets, actions, and rules presented in previous efforts are considered and generalized; new ones are added to complete the architecture. After that, we illustrate how LBSA will be used to test security requirements and issues in different security enforcers and protocols.

4. Logic-Based Security Architecture (LBSA) for Systems Providing Multihop Communication

In this section we illustrate the proposed architecture which defines a logical way for specifying and analyzing different enforcers and different protocols that achieve any security requirement as defined in [2]. Some researchers used logic as mentioned earlier in Section 3. All sets, actions, and rules defined in [3–8] which fit in our architecture have been included and labeled by the proposed LBSA.

Global sets define the specification of the protocol as a whole. Local sets are private to each principal in the specification. Actions are specified as part of the protocol (i.e., how the protocol works) while inference rules are used to reason about the beliefs during the protocol executing. Consequently, the relation between sets, actions, and rules and the result of the action may update the sets. This achieves some rules and conditions which are followed by applying inference rules which in turn update another set(s). Figure 2 shows this relation.

Figure 2

Relation between sets, actions and inference rules.

Using different actions, the protocol can be specified exactly as it works. While executing these actions, local and global sets will have new values which lead to applying some rules. This is the process of analyzing protocols.

The purpose of LBSA is to generalize rules and actions and not to specify them. Accordingly, these rules and actions can be customized according to the context. Sections 6 and 7 illustrate how these sets, rules, and actions can be customized according to the context. Additionally, each set, rule, and action are described in the following tables using the description column.

Table 2 defines different global and local sets. Global sets are labeled as $G S_{i}$ and local sets are labeled as $L S_{i}$ , where i is the set number. These sets contain the protocol information. There are five global sets $G S_{1}$ – $G S_{5}$ and ten local sets $L S_{1}$ – $L S_{10}$ . These sets have initial values and these values are changed whenever actions and rules are executed. Global sets ( $G S_{1}$ – $G S_{4}$ ) were initilly defined in [3] for a specific protocol called KHAT [9]. These global sets have been generalized by LBSA and new global sets are also added. Local sets ( $L S_{1}$ – $L S_{8}$ ) were initially defined in [3–5] for specific protocols, but they are generalized and labeled by LBSA which also defines new local sets needed to complete the architecture.

Table 2

Global and local sets of LBSA.

Set label	Set name	Description
GS₁	Principal set	All principals (i.e., nodes) participate in the protocol are in this set. P = ${P_{1}, P_{2}, \dots, P_{n}}$ . There is one initiator of the protocol and it could be any $P_{i}$ .
GS₂	Rule set	Inference rules needed to derive new statements from existed assertions that are in this set. R = ${R_{1}, R_{2}, \dots, R_{n}}$ , where $R_{i}$ is of the form $(C_{1}, C_{2}, \dots, C_{n}) / D$ $C_{i}$ is a condition and D is a statement.
GS₃	Secret set	Each secret in the system exist in this set. During the analysis, the content of this set will be changed for the emergence of new secrets such as session keys. $S = {S_{1}, S_{2}, \dots, S_{n}}$ .
GS₄	Observers set	For each $S_{i}$ , observers ( $S_{i}$ ) contain all the principals who could possibly know the secret $S_{i}$ by listening to network traffic or generating it themselves. The members of the Observers set can be stated explicitly or maintained as formulas representing their membership.
GS₅	FireWall set( $P_{i}$ )	This set presents the firewall list that contains the access control rules that are needed to be applied to the incoming packets of $P_{i}$ in order to allow or prevent them.
LS₁	Possession set( $P_{i}$ )	This set contains all the data relevant to security that this principal knows or possesses. This includes secret encryption keys, public keys, data that must remain secret, and any other information that is not publicly available. POSS( $P_{i}$ ) = ${{poss}_{1}, {poss}_{2}, \dots, {poss}_{n}}$ . Note: ${poss}_{i}$ contains two fields—the actual data and the origin of this data.
LS₂	Belief set( $P_{i}$ )	This set contains all the beliefs held by a principal. This includes the belief that the keys it holds between itself and other principals are good, beliefs about jurisdiction, beliefs about freshness, and beliefs about the possessions of other principals. BEL $(P_{i}) = {{bel}_{1}, {bel}_{2}, \dots, {bel}_{n}}$ .
LS₃	Opaque( $P_{i}$ )	This set contains candidates to be added to the Seen set. It is used by the Update function (Table 3(b)). The set contains text parts (data) of the message and a list of the associated keys needed to read them.
LS₄	Seen( $P_{i}$ )	This set contains text parts (data) that $P_{i}$ sees from messages sent across the network. The Seen sets collectively contain the same information as the observers set.
LS₅	Haskeys( $P_{i}$ )	This set contains keys that $P_{i}$ sees either because they are in the initial possession set, or because they appear in a message sent across the network and are added to $P_{i}$ 's seen set.
LS₆	Behavior list( $P_{i}$ )	This item is a list rather than a set because the elements are ordered. BL $= {AL, {bvr}_{1}, {bvr}_{2}, \dots, {bvr}_{n}}$ . AL is an action list as will be defined below.
LS₇	Bindings set( $P_{i}$ )	This set contains the legal bindings of keys held by a principal. These are bindings that are created by $P_{i}$ , and bindings that are received in certificates from trusted servers. Bindings $(P_{i}) = {k_{1} ⋈ P_{1}, k_{2} ⋈ P_{2}, \dots, k_{n} ⋈ P_{n}}$ .
LS₈	Proofs set( $P_{i}$ )	This set contains all the other principals' nonrepudiation that $P_{i}$ can prove.
LS₉	PL( $P_{i}$ )	Principals list contains all the principals that must receive Messages (Msgs) from principals $P_{i}$ .
LS₁₀	AbnBeh( $P_{i}$ )	Abnormal behavior set contains all the principals that $P_{i}$ detect their abnormal behaviors.

Tables 3(a)–3(c) define the LBSA actions with their descriptions, conditions, and results. Actions are labeled as ${ACT}_{i}$ , where i is the action number and these tables contain 30 actions. The actions describe the node operations such as sending messages, receiving messages, generating key pairs among other operations. Actions ( $AC T_{1}$ – $AC T_{21}$ ) that are considered in [3–6] had been generalized and fitted in the proposed LBSA. Moreover, new actions are defined and added by LBSA.

Table 3

(a) Actions (ACT₁–ACT₁₀) of LBSA, (b) actions (ACT₁₁–ACT₂₀) of LBSA, and (c) actions (ACT₂₁–ACT₃₀) of LBSA.

(a)

Action label	Action name	Description	Condition	Result
ACT₁	Send( $P_{j}$ , X)	$P_{i}$ sends msg X to $P_{j}$ .	—	Principal $P_{i}$ sends msg X to $P_{j}$ .
ACT₂	Receive( $P_{j}$ , X)	$P_{i}$ receives msg X from $P_{j}$ .	—	Principal $P_{i}$ receives msg X from $P_{j}$ .
ACT₃	Encrypt( $X, k$ )	If $P_{i}$ possesses msg X and knows the key k then it can encrypt X using k and possess ${X}_{k}$ .	$X, k \in$ $POSS(P_{i}), P_{i} \in$ Observers (k).	POSS( $P_{i}$ ) = POSS( $P_{i}) \cup {{X}_{k}}$ .
ACT₄	Decrypt( ${X}_{k}$ , k)	If $P_{i}$ possesses msg X which encrypted under k and knows the key k (symmetric encryption) or its inverse (Asymmetric encryption), then $P_{i}$ can decrypt X and possess it.	$P_{i} \in$ Observers $(k), {X}_{k}$ , $k \in POSS(P_{i})$ .	POSS( $P_{i}$ ) = POSS( $P_{i}) \cup {X}$ .
ACT₅	Generate-nonce(N)	Is used to check out the freshness. A principal generates a nonce to link a challenge and a response. When the response is received, LINK(N) is removed from BEL( $P_{i}$ ).	—	POSS( $P_{i}$ ) = POSS( $P_{i}) \cup {N}$ , BEL( $P_{i}$ ) = BEL $(P_{i}) \cup LINK (N)$ .
ACT₆	Generate-secret(s)	Is used to generate a new secret s. Note that the Observers set will be updated.	—	S:= $S \cup {s}$ , Observers $(s) = {P_{i}}$ , POSS( $P_{i}$ ) = POSS( $P_{i}) ⋈ {s ⋈ P_{i}}$ , BEL $(P_{i}) =$ BEL( $P_{i}) \cup$ #(s), where $# i n d i c a t e s$ that the value is fresh.
ACT₇	Concat( $x_{1}, x_{2}, \dots, x_{n}$ )	Is used to construct a message X out of submessages $x_{1}, x_{2}, \dots, x_{n}$ .	$x_{1}, x_{2}, \dots, x_{n} \in$ POSS( $P_{i}$ ).	POSS( $P_{i}$ ) = POSS( $P_{i}) \cup {x_{1}, x_{2}, \dots, x_{n}}$ .
ACT₈	Split(X)	When a message contains a set of components, this action is used to break it into its components.	X contains $x_{1}, x_{2}, \dots, x_{n}$ , $X \in$ POSS( $P_{i}$ ).	POSS( $P_{i}$ ) = POSS( $P_{i}) \cup {x_{1}, x_{2}, \dots, x_{n}}$ .
ACT₉	Forget(X)	When $P_{i}$ no longer in possession of X, this action will be used. If other principles trust $P_{i}$ then they can believe that $P_{i}$ is no longer possesses X.	$X \in$ POSS( $P_{i}$ ).	POSS( $P_{i})$ = POSS( $P_{i}) - {X}$ , $\forall P_{j} \in P$ if TRUST $[j, i] = 1$ . then BEL $(P_{j}) = BEL (P_{j}) - X \in$ POSS $(P_{i})}$ .
ACT₁₀	Check-freshness(X)	Is used to verify the freshness of timestamp X.	$X \in$ POSS( $P_{i}$ ), X is not expired.	BEL( $P_{i}$ ) = BEL $(P_{i}) \cup {# (X)}$ .

(b)

Action label	Action name	Description	Condition	Result
${ACT}_{11}$	Forget-secret(s)	When $P_{i}$ no longer knows the secret s. If other principals trust $P_{i}$ then they can believe that $P_{i}$ no longer possesses s.	$P_{i} \in$ Observers (s), $s \in$ POSS( $P_{i}$ ).	Observers(s) = Observers $(s) - {P_{i}}$ , POSS( $P_{i}$ )= POSS( $P_{i}) - {s}, \forall P_{j} \in P$ if TRUST $[j, i]$ = 1 then BEL $(P_{j})$ = BEL $(P_{j}) - {s \in POSS(P_{i})}$
ACT₁₂	Apply(f, X)	Is used to apply function f to X.	$f, X \in POSS (P_{i}$ ).	POSS( $P_{i}$ ):= POSS( $P_{i}) \cup {f (X)}$ .
ACT₁₃	Abort	The protocol aborts when different cracks and events that affect the protocol specification happen.	Protocol run is illegal.	Analysis reports failure.
ACT₁₄	Generate-key-pair( $k^{+}, k^{-}$ )	Is used to generate two keys $k^{+}$ (public) and its inverse $k^{-}$ (private).	—	POSS( $P_{i}) =$ POSS( $P_{i}) \cup {k^{+} ⋈ P_{i}, k^{-} ⋈ P_{i}}$ .
ACT₁₅	Apply-Asymkey(X, k)	There are two cases for applying asymmetric key operation on X. The first one when X is in the form of ${Y}_{k ’}$ and k and $k ’$ are inverses to each other. The second case when X is encrypted using k.	$X, k \in POSS (P_{i})$ , $P_{i} \in$ Observers $(k)$ , k is an asymmetric key.	if $X = {Y}_{k ’}$ and k is the inverse of $k ’$ , then POSS( $P_{i}$ ) = POSS( $P_{i}) \cup Y$ else POSS( $P_{i}$ ) = POSS( $P_{i}) \cup {{X}_{k}}$ .
ACT₁₆	Bind( $k, P_{j}$ )	Before sending a key, principal $P_{i}$ can bind this key to other principle $P_{j}$ using this action. After this binding, both $P_{i}$ 's possession and Binding sets will contain $k ⋈ P_{j}$ .	$k \in$ POSS( $P_{i})$ , $P_{i} \in Observers (k)$ , k is a key intended for $P_{j}$ .	POSS( $P_{i}) =$ POSS( $P_{i}) \cup {(k ⋈ P_{j})}$ , Bindings $(P_{i}) =$ Bindings $(P_{i}) \cup {(k ⋈ P_{j})}$ .
ACT₁₇	Update(X)	After sending a message this action is used to maintain the observers set.	—	Maintains the observers of X.
ACT₁₈	Broadcast(X)	Message X is broadcasted by $P_{i}$ to each of its neighbors.	—	$P_{i}$ broadcasts X to each of its neighbors.
ACT₁₉	Check-certificate( ${cert}_{R}$ )	Is used to verify the freshness of the certificate ${cert}_{R}$ .	${cert}_{R} \in$ POSS( $P_{i})$ , ${cert}_{R}$ is not expired	BEL $(P_{i})$ = BEL $(P_{i}) \cup {# (K_{R})}$ , where $K_{R}$ is the public key specified in ${cert}_{R}$ .
ACT₂₀	Check-request $({{IP}_{R}, N_{R}})$	Is used to record new routing record. Each node receives route discovery packet it records the predecessor of that packet and the successor toward the destination.	${IP}_{R}$ ∈ POSS( $P_{i})$ , $N_{R} \in$ POSS( $P_{i}$ ), and ${I P_{R}, N_{R}}$ is not already seen.	{new routing record $} \in$ POSS( $P_{i})$ Where: $I P_{R}$ is IP address of principle R and $N_{R}$ is nonce of principle R.

(c)

Action label	Action name	Description	Condition	Result
ACT₂₁	Comp(A, B)	This action is used to compare two values if they are equal or not.	A, B ∈ POSS( $P_{i})$ .	If A and B are equal: ${X}^{} \in$ Proof ( $P_{i}$ ), means message X is checked and not modified* If they are not equal: POSS( $P_{i}) =$ POSS( $P_{i}) - {X}$ means message X is checked and it is modified
ACT₂₂	Renew-key-pair( $k^{+}, k^{-}$ )	This action is used to renew the public and private keys.	—	POSS = (POSS( $P_{i}) - {k^{+} ⋈ P_{i}, k^{-} ⋈ P_{i}}) \cup {# k^{+} ⋈ P_{i}, # k^{-} ⋈ P_{i}}$ .
ACT₂₃	Multicast( $\forall P_{i} \in$ PL, X)	It means that Principle $P_{i}$ sends msg X to all principles in the PL.	—	Principle $P_{i}$ sends message X to all principles in the PL.
ACT₂₄	Modify( ${Cert}_{R}$ )	This action modifies certificate content.	—	Modify the certificate content.
ACT₂₅	Monitor ( $P_{i}$ , abnormal behavior)	It means that principle $P_{i}$ monitors the abnormal behavior of other principals.	—	Principal $P_{i}$ detects abnormal behaviors of other principal $P_{i}, P_{j} \in$ AbnBeh( $P_{i}$ ).
ACT₂₆	Generate-Alert( $P_{i}, P_{j}$ )	$P_{i}$ generates an alert at time t because it detects abnormal behavior of $P_{j}$ .	$P_{j} \in$ A bnBeh $(P_{i})$ .	Alert( $t, P_{i}, P_{j}$ )
ACT₂₇	Alert-Filtering (Alert( $t, P_{i}, P_{j}$ ))	This action is used to do the process of categorizing attack alerts produced from principals in order to distinguish false positive from actual attack.	Alert( $t, P_{i}, P_{j}) \in$ POSS( $P_{n})$ , where $P_{n}$ is any Principle $\in P$ , but not $P_{i}$ or $P_{j}$ .	If true positive $P_{n}$ takes an action.
ACT₂₈	Access (Resource)	This action is used to allow or deny the access of resources.	AccessInfo $(P_{i}) \in$ FireWall, Condition = Allow	Allow resource access.
ACT₂₉	$X \leftarrow Y$	This action is used to rename value Y to X.	$Y \in$ POSS( $P_{i}$ )	X ∈ POSS( $P_{i})$ , Use X instead of Y.
ACT₃₀	Process (Pra, Fun)	This action is used in key agreement process. Process parameters received from $P_{j}$ .	Fun ∈ POSS( $P_{i}$ ), parameters received from $P_{j}$ .	Key ∈ POSS( $P_{i}$ )

Different inference rules are defined in Tables 4(a)–4(d). $R L_{i}$ is the rule label where i is the rule number. As the rule conditions are executed correctly, the sets' values will be changed or the protocol will be aborted. Rules defined for specific protocols in [3–6] had been extracted, generalized, and mapped to LBSA. New rules were also generated by LBSA to complete the security architecture.

Table 4

(a) Rules (RL₁–RL₆) of LBSA, (b) rules (RL₇–RL₁₁) of LBSA, (c) rules (RL₁₂–RL₁₆) of LBSA, and (d) rules (RL₁₇–RL₁₉) of LBSA.

(a)

Rule label	Rule	Description
RL₁	Nonce verification rule:	Principle P can decide that principle Q believes that X is fresh if P's Belief set contains $# (X)$ and X from Q is in the P's possession set.
RL₁	$\frac{# (X) \in BEL (P), X from Q \in POSS (P)}{BEL (P) = BEL (P) \cup {Q believes # (X)}}$

RL₂	Message meaning rule:	P can believe that Q possesses X if it receives ${X}_{k}$ from Q and both P and Q know the key k.
	${X}_{k}$ from $Q \in$ POSS $(P)$ ,
	$\frac{{P, Q} \subseteq Observers (k)}{BEL (P) = BEL (P) \cup {X \in POSS (Q)}}$

RL₃	Sub-message freshness rule: $# (x_{1})$ ∈ BEL $(P)$ ,	P can believe that $x_{2}$ is fresh if it believes that $x_{1}$ is fresh and have $x_{1}$ and $x_{2}$ in the same formula and this formula is in P's Possession set. That is, the part of the message that contains something fresh is fresh.
RL₃	$\frac{{X contains x_{1}, X contains x_{2}} \subseteq POSS (P)}{BEL (P) = BEL (P) \cup # (x_{2})}$

RL₄	Linkage rule (symmetric keys):	This rule is applied only once for the same nonce since the LINK item will be removed after applying it successfully. $P_{i}$ can believe that a submessage $x_{1}$ of a message X is fresh when several conditions are applied. The first one is when P's Belief set contains LINK (Na) which means the nonce Na has not been used before. Also, the message X that contains the nonce must be encrypted using the key k and k must be fresh and available to P; this is what other conditions state.
	#(k) ∈ BEL $(P), P \in$ Observers $(k)$ ,
	LINK(Na) ∈ BEL $(P)$ , X contains $f (N a)$ ,
	$\frac{X contains x_{1}, {X}_{k} from Q \in POSS (P)}{BEL (P) = (BEL (P) - LINK (N a)) \cup {# (x_{1})}}$

RL₅	Linkage rules (asymmetric keys):	This rule is applied only once for the same nonce since the LINK item will be removed after applying it successfully. $P_{i}$ can believe that a submessage $x_{1}$ of a message X is fresh when several conditions are applied. The first one is when P's Belief set contains LINK (Na) which means the nonce Na has not been used before. Also, the message X that contains the nonce must be encrypted using the public key $k^{+}$ and the corresponding inverse (private) key $k^{-}$ must be fresh and available to P; this is what other conditions state.
	(a) $# (k^{-}) \in$ BEL(P), $P \in$ Observers $(k^{-})$ ,
	LINK(Na) ∈ BEL $(P)$ , X contains $f (N a)$ ,
	$\frac{X contains x_{1}, {X}_{k}^{+} from Q \in POSS (P)}{BEL (P) = (BEL (P) - LINK (N a)) \cup {# (x_{1})}}$
	(b) $# (k^{+}) \in$ BEL(P), $P \in$ Observers $(k^{+})$ ,
	LINK(Na) ∈ BEL(P), X contains $f (N a)$ ,
	$\frac{X contains x_{1}, {X}_{k}^{-} from Q \in POSS (P)}{BEL (P) = (BEL (P) - LINK (N a)) \cup {# (x_{1})}}$

RL₆	Possible origins rule:	When P's possession set contains message X which contains submessage $x_{1}$ and this submessage observed by more than one principal, other than P, it will be marked as coming from all principals by adding new item for each of the P's Possession set.
	$X \in$ POSS(P), X contains $x_{1}$ ,
	$\frac{R \in Observers (x_{1}), R \neq P}{x_{1} from R \in POSS (P)}$

(b)

Rule label	Rule	Description
RL₇	Submessage origin rule:	A submessage $x_{2}$ can be marked as coming from Q if P possesses a message X which contains $x_{1}$ and $x_{2}$ encrypted using an asymmetric key, and submessage $x_{1}$ is marked as coming from Q. And any other principle who observes the inverse key, the submessage is marked as coming from it.
	${X}_{k}^{+}$ ∈ POSS(P), Xcontains $x_{1}$ from Q,
	$\frac{R \in Observers (k^{-}), X contains x_{2}, R \neq P}{x_{2} from Q \in POSS (P), x_{2} from R \in POSS (P)}$

RL₈	Submessage origin rule for asymmetric keys:	This rule is simplified version of the submessage origin rule. In (a) If P's Possession set contains message X which is encrypted using P's public key. And X contains a submessage $x_{1}$ which is marked as coming from Q. Then all other submessages in X are marked as coming from Q. This is true because P is the only principle that has the corresponding private key so no one can change the content of X. In (b) since Q is the constructor of the message X, any submessage of X can be marked as coming from Q. This is true because Q is the only principle that has Q's private key.
	(a) ${X}_{k p}^{+} \in$ POSS $(P)$ ,
	$\frac{X contains x_{1} from Q, X contains x_{2}}{x_{2} from Q \in POSS (P)}$
	(b) Submessage origin rule for private keys:
	$\frac{{X}_{k Q}^{-} \in POSS (P), X contains x_{2}}{x_{2} from Q \in POSS (P)}$

RL₉	Unbound key rule:	When key k is in P's Possession set and this key is not bounded to any principal then all principals (W) observe it. That is, the key is not a secret.
RL₉	$\frac{k \in POSS (P), ∄ Q : (k ⋈ Q) \in POSS (P)}{Observers (k) = W}$

RL₁₀	Bound key origin rule for symmetric keys:	The protocol abort when P's Possession set contains the key k which is bound to principle Q, and $Q \neq P$ but this binding is not in P's bindings set which contains legal bindings for P.
	$(k ⋈ Q) \in$ POSS $(P), Q \neq P$ ,
	$\frac{(k ⋈ Q) \notin Bindings (P)}{Abort}$

RL₁₁	Bound key origin rules for asymmetric keys:	If principle P has the binding of an asymmetric key to principle Q in its possession and binding sets and P's possession set contains a message that is encrypted under the inverse key this means that the message comes from Q because it is the only principle that have the inverse key. Otherwise, the protocol aborts.
	(a) ( $k^{+} ⋈ Q) \in$ POSS $(P)$ , $(k^{+} ⋈ Q) \notin$ Bindings(P)
	$\frac{{X}_{k}^{-} from R \in POSS (P), R \neq Q}{Abort}$
	(b) $(k^{-} ⋈ Q) \in$ POSS $(P)$ , $(k^{-} ⋈ Q) \notin$ Bindings $(P)$ ,
	$\frac{{X}_{k}^{+} from R \in POSS (P_{i}), R \neq Q}{Abort}$

(c)

Rule label	Rule	Description
RL₁₂	Conjunction rule:	When P's Proof set contains the proof that Q is accountable for the conjunction X and Y, then it will contain the proof that Q is accountable for X and Y, respectively. Contrariwise, the second one is used.
	(a) $\frac{(Q \to (X, Y)) \in Proofs (P)}{(Q \to X) \in Proofs (P_{i}); (Q \to Y) \in Proofs (P)}$
	(b) $\frac{(Q \to X) \in Proofs (P); (Q \to Y) \in Proofs (P)}{(Q \to (X, Y)) \in Proofs (P)}$

RL₁₃	Ciphertext understanding rule:	When P's Proof set contains the prove that Q is accountable for ${X}_{k}$ and Q holds k then it will contain the prove that Q is accountable for message X.
	( $Q \to {X}_{k}) \in$ Proofs $(P)$ ,
	$\frac{(k \in Q) \in Proofs (P)}{(Q \to X) \in Proofs (P)}$

RL₁₄	Transfer rule:	When P's Proof set contains the proof that Trusted Third Party (TTP) is accountable for message X, then it will contain the proof that Q holds message X.
RL₁₄	$\frac{(TTP \to X) \in Proofs (P)}{(X \in Q) \in Proofs (P)}$

RL₁₅	Timestamp rule (symmetric keys):	Timestamp rule defined to reason about the message.
	$# (K) \in$ BEL $(P)$ , $K \in$ POSS $(P)$ ,
	$# (T) \in$ BEL(P), X contains $x_{1}$ ,
	$\frac{{X}_{K} from Q \in POSS (P)}{BEL (P) = BEL (P) \cup {# (x_{1})}}$

RL₁₆	Timestamp rule (asymmetric keys):	Timestamp rule defined to reason about the message.
	$# (K_{Q}^{+}) \in$ BEL $(P)$ , $K_{Q}^{+} \in$ POSS $(P$ ),
	$# (T) \in$ BEL $(P), X$ contains $x_{1}$ ,
	$\frac{{X}_{k Q}^{-} from Q \in POSS (P)}{BEL (P) = BEL (P) \cup {# (x_{1})}}$

(d)

Rule Label	Rule	Description
RL₁₇	Authentication Rule:	This rule adds a new binding to the binding set. Note that its condition will not complete until the comparison action (ACT₂₁) is executed successfully. Z could be any principle except P or TTP.
	( $K_{Q}^{+} ⋈ Q$ ) from $Z \in$ POSS $(P)$ ,
	$(K_{Q}^{+} ⋈ Q) \in$ BEL $(P)$ ,
	$\frac{{X}^{*} \in Proofs (P)}{Bindings (P) = Bindings (P) \cup {(K_{Q}^{+} ⋈ Q)}}$

RL₁₈	Integrity Rule:	This rule states that if ${X}^{*} \in$ Proof ( $P_{i}$ ) which means that X received without any modification (i.e., as it sent from Q) then we add $X \in$ Poss (Q) to the believe set.
RL₁₈	$\frac{{X}^{*} \in Proof (P)}{BEL (P) = BEL (P) \cup {X \in Poss (Q)}}$

RL₁₉	Non-Repudiation Rule:	This rule states that if we have msg encrypted by $K_{Q}^{-}$ and the corresponding public key $K_{Q}^{+}$ in the Binding (P), we can prove that Q is responsible for sending message X.
	${X}_{k Q}^{-} \in$ Poss $(P)$ ,
	$\frac{(K_{Q}^{+} ⋈ Q) \in Binding (P),}{(Q \to X) \in Proof (P)}$

Section 5 provides mapping between security requirements and inference rules/actions. It also provides mapping between some protocol services and inference rules/actions.

5. Possible Mapping between Security Requirements and Inference Rules/Actions

To ensure that the required security requirement is achieved by a security protocol, some inference rules must be applied and some actions must be performed. In this section we provide possible mappings between each security requirement and the inference rule that must be applied or the action that must be executed to achieve it. Table 5 summarizes these mappings.

Table 5

Mappings between security requirements and Inference rules/actions.

Security Requirement	Inference Rules/Actions
Authentication	RL₂, RL₆, RL₇, RL₈, RL₁₃, RL₁₇
Authorization	ACT₂₈
Confidentiality	ACT₃, ACT₄, ACT₁₅
Integrity	${RL}_{18}$
Non-Repudiation	RL₂, RL₆, RL₇, RL₈, RL₁₃, RL₁₉
Privacy	ACT₃, ACT₁₅
Availability	ACT₁₃, ACT₂₅, ACT₂₆, ACT₂₇, ACT₂₈

Actions and rules are needed to complete the specification and the analysis processes. In other words, actions and rules add new values to the global and local sets which may result in achieving the mapped rules conditions.

Other actions and rules are needed to perform certain protocol services, including key management which deals with key and certificate generations, verification, and renewing. Certain services are related to nodes' interaction and protocol functions. Data item refreshments such as messages, keys, certificates, and nonces are among the data that need to be kept fresh.

Table 6 summarizes the mappings between protocol services and the inference rule that must be applied or the action that must be executed to achieve it.

Table 6

Mappings between protocol services and inference rules/actions.

Protocol Services	Inference rules/actions
Key management	ACT₆, ACT₁₁, ACT₁₄, ACT₁₆, ACT₁₉, ACT₂₂, ACT₂₄, ACT₃₀,
Key management	RL₄, RL₅, RL₉, RL₁₀, RL₁₁
Nodes interaction and protocol functions	ACT₁, ACT₂, ACT₇, ACT₈, ACT₉, ACT₁₂, ACT₁₇, ACT₁₈, ACT₂₀, ACT₂₁, ACT₂₃, ACT₂₉,
Nodes interaction and protocol functions	RL₁₂, RL₁₄
Data refreshment	ACT₅, ACT₁₀,
Data refreshment	RL₁, RL₃, RL₄, RL₅, RL₁₅, RL₁₆

The following section presents how the above-presented architecture will be used to formally analyze security enforcers and security protocols.

6. Security Enforcers Specification and Analysis

Different security enforcers are used as part of different protocols to achieve security such as in [15–18]. In this section we have chosen well-known enforcers that can be provided at different network layers to illustrate how LBSA could be used to specify and analyze the security enforcers that could be used by many different security protocols. These enforcers are message authentication code (MAC) and digital certificate which also includes digital signature. The reason for using these enforcers is that they are the most used enforcers, in many protocols including routing protocols, to achieve authentication and integrity (MAC) and authentication, integrity and nonrepudiation (digital certificate) [19–25]. The following sections show how these enforcers could be verified using LBSA.

6.1. Message Authentication Code (MAC)

MAC [26] achieves two security requirements, namely, authentication and integrity. In MAC the sender and the receiver of the message must agree on a shared key before initiating the communication. The sender of the message uses the shared key and the message as an input to a hash function to generate the message digest. Then, the sender sends the message and the digest to the receiver. The receiver checks the originality of the message and its correctness by applying the hash function on the received message and the shared key. After that, the receiver compares the resulted digest with the received message digest. If the two digests are equal, this will prove the authenticity of the message as the shared key is only known by sender and receiver. Moreover, it ensures that the message is not modified during the transmission since any simple modification will produce a different digest. To mathematically prove that MAC achieves both authentication and integrity using LBSA the following steps must be performed.

(i) Define the Values of the Global Sets. The first step in the protocol specification is to define the values of the global sets:

(GS1) $P = {$ Alice, Bob} // Alice is assumed to be the initiator of the protocol.

(GS2) $R =$ {contains the rules defined in the Tables 4(a)–4(d)}

(GS3) $S = {K_{AB}}$ // $K_{AB}$ is the shared key between Alice and Bob

(GS4) Observers ( $K_{AB}$ ) $= {Alice$ , Bob}.

(ii) Define the Initial Values of the Local Sets. The second step is to define the initial values of the local sets to each principal. Note that some of the global and the local sets values will be changed during the protocol analysis.

Principal A (Alice):

(LS1) POSS(A) = {Msg, $K_{AB}$ , $(B ⋈ K_{AB})$ from B}

(LS2) BEL(A) = ${# (K_{AB}), (B ⋈ K_{AB})}$

(LS6) BL =

(ACT₇) Concat $(Msg, K_{AB})$

(ACT₁₂) Apply $(H, {Msg . K_{AB}})$ // Apply hash function to the concatenation

(ACT₇) Concat $(Msg, H (Msg . K_{AB}))$ // prepare the message and digest

(ACT₁) Send $(B, {Msg . H (Msg . K_{AB})})$ // send message and digest to B.

Principal B (Bob):

(LS1) POSS(B) = ${K_{AB}, (A ⋈ K_{AB}) from A}$

(LS2) BEL(B) = ${# (K_{AB}), (A ⋈ K_{AB})}$

(LS6) BL =

(ACT₂) Receive $(A, {Msg . H (Msg . K_{AB})})$

(ACT₈) Split $(Msg . H (Msg. K_{AB}))$

(ACT₇) Concat $(Msg, K_{AB})$ // concatenate the received message with the key

(ACT₁₂) Apply $(H, {Msg . K_{AB}})$

(ACT₂₁) Comp $(H (Msg . K_{AB}), H (Msg . K_{AB}))$ // compare the calculated digest with the received one.

(iii) MAC Analysis. The last step is to analyze the security enforcer which is MAC in this case to check security requirements it achieves.

Alice is assumed to be the initiator of the protocol. Therefore, four actions in the BL(A) are executed which add new values to the POSS(A) set:

\begin{array}{l} POSS (A) = {Msg, K_{AB}, (B ⋈ K_{AB}) from B, \\ {Msg . K_{AB}}, H (Msg . K_{AB})} . \end{array}

(1)

So far no inference rules can be applied. Now, actions in BL(B) are executed and this will produce new values that are added to POSS(B) and the Proof(B) sets. Consequently, both integrity and authentication inference rules can be applied:

\begin{array}{l} POSS (B) = {K_{AB}, (A ⋈ K_{AB}) from A, Msg, \\ H (Msg . K_{AB}), {Msg . K_{AB}}, H (Msg . K_{AB})} \\ Proof (B) = {{Msg}^{*}} . \end{array}

(2)

Since ${Msg}^{*} \in Proof (B)$ , we can apply the authentication rule ( $R L 17$ ) and the integrity rule ( $R L 18$ ) as follows.

Authentication Rule (RL17):

\begin{matrix} \frac{(A ⋈ K_{AB}) from A \in POSS (B)}{Binding (B) = Binding (B) \cup {(A ⋈ K_{AB})}} \\ \frac{(A ⋈ K_{AB}) \in BEL (B), {Msg}^{*} \in Proof (B)}{Binding (B) = Binding (B) \cup {(A ⋈ K_{AB})}} . \end{matrix}

(3)

By applying the authentication rule, we proved that MAC successfully authenticated the sender. Since the result of comparison ends successfully, the binding of the shared key and the identity of sender (Alice in this scenario) will be added to the binding set of Bob which ensures the authenticity of the received message.

Integrity Rule (RL18):

\begin{matrix} \frac{{Msg}^{*} \in Proof (B)}{BEL (B) = BEL (B) \cup {Msg \in POSS (A)}} . \end{matrix}

(4)

The equality of the two digests also proves the correctness of the received message which leads Bob to adding a new value to Bob's Belief set indicating that the received message is the same as the message sent by Alice.

As can be concluded, LBSA has been used to mathematically prove the achievement of authentication and integrity by MAC. The above process is also applicable to any other security enforcer.

6.2. Digital Certificate

In hierarchical trust model, digital certificate [14] is usually issued by a certification authority (CA). It contains the user identity, public key ( $K^{+}$ ), CA's digital signature, and other information. Using the CA's digital signature, the user can proof the authenticity of the issuer and ensure correct binding between the identity and the public key in the certificate.

We assume that the CA is the initiator of the protocol which will make one certificate for Alice and another for Bob. It sends each certificate after attaching its signature. Bob needs Alice's public key to send messages to her securely, therefore Alice sends her certificate to Bob then Bob starts the signature verification to ensure correct binding between Alice's public key and her identity.

Using LBSA to prove the achieved security requirements using the digital certificate, we start by presenting the enforcer specification in terms of global and local sets and then we performed the analysis part.

(i) Define the Values of the Global Sets. Consider

(GS1) $P = {CA, Alice, Bob}$

(GS2) $R = {$ contains the rules defined in Tables 4(a)–4(d)}

(GS3) $S = {K_{CA}^{-}, K_{A}^{-}, K_{B}^{-}}$

(GS4) Observers ( $K_{CA}^{-}$ ) = ${CA}$

(GS4) Observers ( $K_{A}^{-}$ ) = ${A}$

(GS4) Observers ( $K_{B}^{-}$ ) = ${B}$ .

(ii) Define the Initial Values of the Local Sets to each Principal

Principal (CA):

(LS1) POSS(CA) = ${K_{CA}^{-}, K_{CA}^{+}}$

(LS2) BEL(CA) = ${# (K_{CA}^{-}), # (K_{CA}^{+})}$

(LS7) Binding(CA) = ${CA ⋈ K_{CA}^{+}}$

(LS6) BL =

// Generation of Alice's certificate

(ACT₁₂) Apply $(H, cer t_{A})$ // digest generation

(ACT₁₅) Apply-asymkey $(H ({cert}_{A})$ , $K_{CA}^{-}$ ) // generation of CA's digital signature

(ACT₇) Concat $({cert}_{A}$ , ${H ({cert}_{A})}_{K_{CA}^{-}})$

(ACT₁) Send $(Alice, {cert}_{A} . {H ({cert}_{A})}_{K_{CA}^{-}})$

// Generation of Bob's certificate

(ACT₁₂) Apply $(H, {cert}_{B})$

(ACT₁₅) Apply-asymkey $(H$ (cert_B), $K_{CA}^{-}$ )

(ACT₇) Concat(cert_B, ${H ({cert}_{B})}_{K_{CA}^{-}})$

(ACT₁) Send $($ Bob, ${cert}_{B} . {H ({cert}_{B})}_{K_{CA}^{-}})$ .

Principal (A) (Alice):

(LS1) POSS $($ A $) = {K_{A}^{-}, K_{A}^{+}, K_{CA}^{+}}$

(LS2) BEL $($ A $) = {# (K_{A}^{-}), # (K_{A}^{+}), # (K_{CA}^{+})}$

(LS7) Binding $(CA) = {A ⋈ K_{A}^{+}, CA ⋈ K_{CA}^{+}}$

(LS6) BL =

(ACT₂) Receive (CA, ${cert}_{A} . {H ({cert}_{A})}_{K_{CA}^{-}})$

(ACT₁) Send (Bob, ${cert}_{A} . {H (cer t_{A})}_{K_{CA}^{-}}$ )—A(1).

Principal ( B ) (Bob):

(LS1) POSS(B) $= {K_{B}^{-}, K_{B}^{+}, K_{CA}^{+}}$

(LS2) BEL(B) $= {# (K_{B}^{-}), # (K_{B}^{+}), # (K_{CA}^{+})}$

(LS7) Binding(B) $= {B ⋈ K_{B}^{+}, CA ⋈ K_{CA}^{+}}$

(LS6) BL =

(ACT₂) Receive $(CA, {cert}_{B}$ . ${H ({cert}_{B})}_{K_{CA}^{-}}$ ) // Bob receives its certificate from the CA

(ACT₂) Receive(Alice, $cer t_{A}$ . ${H (cer t_{A})}_{K_{CA}^{-}})$ // Bob receives Alice's certificate from the Alice—B(1)

(ACT₈) Split $(cer t_{A} . {H (cer t_{A})}_{K_{CA}^{-}})$ —B(2)

(ACT₂₁) Comp $(Apply (H, cer t_{A})$ , Apply-asymkey $({H (cer t_{A})}_{K_{CA}^{-}}, K_{CA}^{+}))$

// Bob compares the calculated digest and the digest resulted from the decryption of the digital signature—B(3).

(iii) Digital Certificate Analysis. CA is assumed to be the initiator of the protocol and the first four actions in the BL(CA) are executed which will add new values to the POSS(CA) as follows:

POSS(CA) $= {K_{CA}^{-}, K_{CA}^{+}$ , $H (cer t_{A})$ , ${H ({cert}_{A})}_{K_{CA}^{-}}$ , cert_A. ${H ({cert}_{A})}_{K_{CA}^{-}}}$ .

The next action to be executed is the first action in BL(A) which will receive the msg and update the POSS(A) to include the msg content:

POSS(A) = ${K_{A}^{-}, K_{A}^{+}$ , $K_{CA}^{+}, cer t_{A} . {H (cer t_{A})}_{K_{CA}^{-}}}$ . Then CA does the rest of the actions which followed by executing the first action in BL(B) and these actions update the POSS(CA) again and the POSS(B).

POSS(CA) = ${K_{CA}^{-}$ , $K_{CA}^{+}$ , H( $cer t_{A}$ ), ${H (cer t_{A})}_{K_{CA}^{-}}$ , $cer t_{A} . {H (cer t_{A})}_{K_{CA}^{-}}$ , H(cert_B), ${H (cer t_{B})}_{K_{CA}^{-}}$ , $cer t_{B} . {H (cer t_{B})}_{K_{CA}^{-}}}$ .

POSS(B) = ${K_{B}^{-}, K_{B}^{+}, K_{CA}^{+}, {cert}_{B} . {H ({cert}_{B})}_{K_{CA}^{-}}}$ .

Now Alice sends her certificate to Bob which is the action A(1) in the BL(A) and the next actions to be executed are B(1)-B(2) which update the POSS(B):

POSS(B) = ${K_{B}^{-}, K_{B}^{+}, K_{CA}^{+}$ , ${cert}_{B} . {H ({cert}_{B})}_{K_{CA}^{-}}$ , ${cert}_{A} . {H ({cert}_{A})}_{K_{CA}^{-}}$ , cert_A, ${H ({cert}_{A})}_{K_{CA}^{-}}}$ .

Since ${cert}_{A} . {H ({cert}_{A})}_{K_{CA}^{-}} \in POSS (B)$ we can apply Submessage origin rule (RL7):

\begin{matrix} \frac{{cert}_{A} . {H ({cert}_{A})}_{K_{CA}^{-}} \in POSS (B)}{(K_{A}^{+} ⋈ A) from CA \in POSS (B)}, \\ \frac{{cert}_{A} . {H ({cert}_{A})}_{K_{CA}^{-}} contains K_{A}^{+}}{(K_{A}^{+} ⋈ A) from CA \in POSS (B)} . \end{matrix}

(5)

Which adding a new value to the POSS(B):

$POSS (B) = {K_{B}^{-}, K_{B}^{+}, K_{CA}^{+}, {cert}_{B} . {H ({cert}_{B})}_{K_{CA}^{-}}$ , ${cert}_{A} . {H ({cert}_{A})}_{K_{CA}^{-}}$ , cert_A, ${H ({cert}_{A})}_{K_{CA}^{-}}$ , ( $K_{A}^{+} ⋈ A$ ) from CA}.

Finally, executing the action B(3) will add new values to POSS(B) (assuming the comparison action ensures equality) which achieves some rules conditions and these rules can be applied:

POSS(B) = ${K_{B}^{-}, K_{B}^{+}$ , $K_{CA}^{+}$ , cert_B. ${H ({cert}_{B})}_{K_{CA}^{-}}$ , $cer t_{A}$ . ${H ({cert}_{A})}_{K_{CA}^{-}}$ , ${cert}_{A} . {H ({cert}_{A})}_{K_{CA}^{-}}$ , ( $K_{A}^{+} ⋈$ A) from CA, $H ({cert}_{A})$ , $H ({cert}_{A})$ , ${{cert}_{A}}^{*}}$ .

Since ( $K_{A}^{+} ⋈ A$ ) from CA ∈ POSS(B), ${{cert}_{A}}^{*} \in$ POSS(B) we can apply authentication and integrity rules as follows.

Authentication Rule (RL17):

\begin{matrix} \frac{(K_{A}^{+} ⋈ A) from CA \in POSS (B)}{Binding (B) = Binding (B) \cup {(K_{A}^{+} ⋈ A)}}, \\ \frac{(K_{CA}^{+} ⋈ A) \in BEL (B), {{cert}_{A}}^{*} \in Proof (B)}{Binding (B) = Binding (B) \cup {(K_{A}^{+} ⋈ A)}} . \end{matrix}

(6)

Integrity Rule (RL18):

\begin{matrix} \frac{{{cert}_{A}}^{*} \in Proof (B)}{BEL (B) = BEL (B) \cup {{cert}_{A} \in Poss (A)}} . \end{matrix}

(7)

Nonrepudiation Rule (RL19):

\begin{matrix} \frac{{H ({cert}_{A})}_{K_{CA}^{-}} \in Poss (B), (K_{CA}^{+} ⋈ CA) \in Binding (B)}{(CA \to {cert}_{A}) \in Proof (B)} . \end{matrix}

(8)

Consequently, applying Authentication Rule (RL17) ensures the authenticity of Alice's public key. Integrity Rule (RL18) confirms the correctness of Alice's certificate. Finally, Nonrepudiation Rule (RL19) proves the originality of Alice's certificate, in other words it proves that Alice's certificate was issued and signed by the CA.

The purpose of LBSA is to generalize the rules, but the way they are applied depends on the enforcer itself. As shown this section, Rules 17 and 18 are used by both MAC and digital certificates but in different meanings. The authentication rule in MAC ensures the authenticity of the received message, whereas in digital certificate it ensures the authenticity of the public key. The integrity rule is used in MAC to ensure the correctness of the received message whereas in digital certificate it used to ensure the correctness of the certificate's contents.

7. Case Study: Ariadne Protocol

Many secure routing protocols have been proposed in the literature [27–32]. In this section, Ariadne protocol [27], which is a secure, on-demand routing protocol for multihop wireless networks was chosen to illustrate how to use LBSA to specify and analyze secure protocols. Ariadne is based on Timed Efficient Stream Loss-tolerant Authentication (TESLA) [33] which is an efficient broadcast authentication scheme that requires time synchronization. TESLA is commonly used in wireless sensor networks due to its low communication and computation overhead.

Before we start the security verification of Ariadne, we will present an overview of Ariadne route discovery using TESLA. For simplicity, we will use four nodes but what is applied in case of four nodes can be applied to more nodes. In all cases we will have a source, a destination, and a set of intermediate nodes which their number can vary depending on the chosen route. In the case of using more nodes, the change will be in the length of the chain of nodes. The way the authentication and integrity are achieved is defined by the Ariadne protocol itself. In this case study, we mapped Ariadne to LBSA to check Ariadne security correctness.

The source node S begins route instantiation to destination D by broadcasting a route request packet. A and B are intermediate nodes, that is, S → A → B → D. A route reply packet is unicasted by the destination D as a reply to the request packet along the reverse path to the source.

In the route discovery process there are two types of messages REQUEST and REPLY. REQUEST and REPLY messages include the following fields.

Route REQUEST packet in Ariadne contains eight fields: REQUEST (define the type of the message), initiator address, target address, id (uniquely identifies the request), time interval, hash chain, node list, and MAC list. Note that the last three fields are updated by each intermediate node receiving that request.

Table 7 shows the protocol parameters.

Table 7

Ariadne protocol parameters.

Parameter name	Meaning
$S$	Initiator (source) node.
D	Target (destination) node.
$K_{S D}$ , $K_{D S}$	shared secret keys between S and D for message authentication in each direction.
$t_{i}$	Time interval.
Id	Message identifier.
$K_{A ti}$	TESTLA key (K) used by principal (A), i is the index for the time interval specified in the request.
$K_{B ti}$	TESTLA key (K) used by principal (B), i is the index for the time interval specified in the request.

The following steps illustrate how Ariadne route discovery using TESLA works:

S: $h_{0} = {MAC}_{K S D}$ (REQUEST, S, D, id, ti)

S→ broadcast: (REQUEST, S, D, id, ti, $h_{0}$ , ( ), ( ))

A: $h 1$ = H(A, $h_{0}$ )

$M_{A} = {MAC}_{K A ti}$ (REQUEST, S, D, id, ti, $h 1$ , (A), ( ))

$A \to$ broadcast: (REQUEST, S, D, id, ti, $h 1$ , (A), ( $M_{A}$ ))

B: h2= H(B, h1)

$M_{B} = {MAC}_{K B ti}$ (REQUEST, S, D, id, ti, $h 1$ , ( $A, B$ ), ( $M_{A}$ ))

$B \to$ broadcast: (REQUEST, S, D, id, ti, $h 2$ , ( $A, B$ ), ( $M_{A}$ , $M_{B}$ ))

D: $M_{D} = {MAC}_{K S D}$ (REPLY, D, S, ti, ( $A, B$ ), ( $M_{A}$ , $M_{B}$ ))

$D \to$ B: (REPLY, D, S, ti, ( $A, B$ ), ( $M_{A}$ , $M_{B}$ ), $M_{D}$ , ( ))

$B \to$ A: (REPLY, D, S, ti, ( $A, B$ ), ( $M_{A}$ , $M_{B}$ ), $M_{D}$ , ( $K_{B ti}$ ))

$A \to$ S: (REPLY, D, S, ti, ( $A, B$ ), ( $M_{A}, M_{B}$ ), $M_{D}$ , ( $K_{B ti}, K_{A ti})$ ).

In the Ariadne protocol, the initiator of the REQUEST initializes the hash chain ( $h_{0}$ ) to ${MAC}_{K S D}$ (initiator, target, id, time interval) and the node list and MAC list to empty lists.

When any node A receives a route REQUEST for which it is not the target, the node checks its local table of (initiator, id) values from recent REQUESTs it has received to determine if it has already seen a REQUEST from this same Route Discovery. If it has, the node discards the packet. The node also checks whether the time interval in the REQUEST is valid. Then, the node modifies the REQUEST by appending its own address, A, to the node list in the REQUEST, replacing the hash chain field with H (A, hash chain), and appending a MAC of the entire REQUEST to the MAC list. The node uses the TESLA key $K_{A ti}$ to compute the MAC, where i is the index for the time interval specified in the REQUEST. Then, the node rebroadcast the modified REQUEST.

If the target node (destination) determines that the REQUEST is valid, it returns a route REPLY to the initiator, containing eight fields: REPLY (define the type of the message), target address (which is the initiator address in the REQUEST message), initiator address (which is the target address in the REQUEST message), time interval (the same as in the REQUEST message), node list, MAC list, target MAC, and key list. The target MAC is set to a MAC computed on the preceding fields in the REPLY with the key $K_{D S}$ , and the key list is initialized to the empty list. The route REPLY is then returned to the initiator of the REQUEST along the source route obtained by reversing the sequence of hops in the node list of the REQUEST.

7.1. Ariadne Specification

First we will present the assumptions of Ariadne protocol which are as follows. (i)

The source S and destination D share the MAC keys $K_{S D}$ and $K_{D S}$ .

(ii)

Every node has a TESLA one-way key chain.

(iii)

All nodes know the authentication key of TESLA one-way key chain of each other node.

(i) Define the Values of the Global Sets. Consider

(GS1) $P = {S, A, B, D}$

(GS2) $R = {$ contains the rules defined in Tables 4(a)–4(d)}

(GS3) $S = {K_{S D}, K_{D S}, K_{B ti}, K_{A ti}}$

(GS4) Observers $(K_{S D}) = {S, D}$

(GS4) Observers $(K_{A ti}) = {A, S}$

(GS4) Observers $(K_{B ti}) = {B, S}$

(GS4) Observers $(K_{D S}) = {D, S}$ .

(ii) Define the Initial Values of the Local Sets for each Principal

Principal ( S ):

(LS1) POSS $(S) = {K_{D S}, K_{S D}, K_{A ti}, K_{B ti}$ , $(D ⋈ K_{D S})$ from D, $(D ⋈ K_{S D})$ from D, ( $A ⋈ K_{A ti}$ ) from A, $(B ⋈ K_{B ti})$ from $B}$

(LS2) BEL $(S) = {# (K_{D S}), # (K_{S D}), # (K_{A ti}), # (K_{B ti})$ , $(D ⋈ K_{D S})$ , $(D ⋈ K_{S D})$ , $(A ⋈ K_{A ti})$ , $(B ⋈ K_{B ti})}$

(LS6) BL =

(ACT₇) Concat ({REQUEST, S, D, id, ti}, $K_{S D}$ )—S(1)

(ACT₁₂, ACT₂₉) $h_{0} \leftarrow$ Apply $(H, {$ REQUEST, $S, D$ , id, ti}. $K_{S D}$ )—S(2)

(ACT₁₈) Broadcast ({REQUEST, $S, D$ , id, ti, $h_{0}$ , (), () })—S(3)

(ACT₂) Receive (A, {REPLY, $D, S$ , ti, $(A, B)$ , ( $M_{A}, M_{B}$ ), $M_{D}$ , $(K_{B ti}, K_{A ti})})$ —S(4)

(ACT₇) Concat({REPLY, $D, S$ , id, ti, ( $A, B$ ), ( $M_{A}$ , $M_{B}$ )}, $K_{D S}$ )—S(5)

(ACT₁₂, ACT₂₉) $C 1 \leftarrow$ Apply $(H$ , {REPLY, $D, S$ , id, ti, ( $A, B$ ), $(M_{A}, M_{B})} . K_{D S})$ —S(6)

(ACT₂₁) Comp $(M_{D}, C 1)$ —S(7)

(ACT₇) Concat $({$ REQUEST, $S, D$ , id, ti, $h 1$ , (A), $()}, A_{ti})$ —S(8)

(ACT₁₂, ACT₂₉) $C 2 \leftarrow$ Apply $(H$ ,{REQUEST, $S, D$ , id, ti, $h 1$ , (A), $()} . A_{ti})$ —S(9)

(ACT₂₁) Comp $(M_{A}, C 2$ )—S(10)

(ACT₇) Concat $({$ REQUEST, $S, D$ , id, ti, $h 2$ , ( $A, B$ ), $()}, B_{ti})$ —S(11)

(ACT₁₂, ACT₂₉) $C 3 \leftarrow$ Apply(H, {REQUEST, $S, D$ , id, ti, $h 2$ , ( $A, B$ ), $()} . B_{ti})$ —S(12)

(ACT₂₁) Comp $(M_{B}, C 3)$ —S(13).

Principal (A):

(LS1) POSS $(A) = {A_{ti}}$

(LS2) BEL $(A) = {# (A_{ti})}$

(LS7) Binding $(A) = {A_{ti} ⋈ ti}$

(LS6) BL =

(ACT₂) Receive({REQUEST, $S, D$ , id, ti, $h_{0}$ , $(), ()})$ —A(1)

(ACT₂₀) Check-request(S, id)—A(2)

(ACT₁₀) Check-freshness(ti)—A(3)

(ACT₇) Concat(A, $h_{0}$ )—A(4)

(ACT₁₂, ACT₂₉) $h 1 \leftarrow$ Apply $(H, {A . h_{0}})$ —A(5)

(ACT₇) Concat $({$ REQUEST, $S, D$ , id, ti, $h 1$ , $(A), ()}$ , $A_{ti})$ —A(6)

(ACT₁₂, ACT₂₉) $M_{A} \leftarrow$ Apply $(H$ , {REQUEST, $S, D$ , id, ti, $h 1$ , (A), $()} . A_{ti})$ —A(7)

(ACT₁₈) Broadcast $({$ REQUEST, $S, D$ , id, ti, $h 1$ , ( $A), (M_{A})}$ —A(8)

(ACT₂) Receive(B,{REPLY, $D, S$ , ti, $(A, B)$ , $(M_{A}, M_{B})$ , $M_{D}, (K_{B ti})})$ —A(9)

(ACT₁) Send(S, {REPLY, $D, S$ , ti, ( $A, B$ ), $(M_{A}, M_{B}), M_{D}, (K_{B ti}, K_{A ti})})$ —A(10).

Principal ( B ):

(LS1) POSS $(B) = {B_{ti}}$

(LS2) BEL $(B) = {# (B_{ti})}$

(LS7) Binding $(B) = {B_{ti} ⋈ ti}$

(LS6) BL =

(ACT₂) Receive({REQUEST, $S, D$ , id, ti, $h 1$ , (A), $(M_{A})})$ — B(1)

(ACT₂₀) Check-request(S, id)— B(2)

(ACT₁₀) Check-freshness(ti)— B(3)

(ACT₇) Concat( $B, h 1$ )— B(4)

(ACT₁₂, ACT₂₉) $h 2 \leftarrow$ Apply( $H, {B . h 1}$ )— B(5)

(ACT₇) Concat({REQUEST, $S, D$ , id, ti, $h 2$ , ( $A, B), ()}, B_{ti})$ —B(6)

(ACT₁₂, ACT₂₉) $M_{B} \leftarrow$ Apply $(H, {$ REQUEST, $S, D$ , id, ti, $h 2$ , ( $A, B$ ), $()} . B_{ti})$ —B(7)

(ACT₁₈) Broadcast $({$ REQUEST, $S, D$ , id, ti, $h 2$ , ( $A, B$ ), $(M_{A}, M_{B})}$ —B(8)

(ACT₂) Receive $(D, {$ REPLY, $D, S$ , ti, ( $A, B$ ), ( $M_{A}, M_{B}$ ), $M_{D}$ , $()})$ —B(9)

(ACT₁) Send $(A, {$ REPLY, $D, S$ , ti, ( $A, B$ ), $(M_{A}, M_{B}), M_{D}, (K_{B ti})}$ — B(10).

Principal (D):

(LS1) POSS $(D) = {K_{D S}, K_{S D}$ , $(S ⋈ K_{S D})$ from S, $(S ⋈ K_{D S})$ from $S}$

(LS2) BEL $(D) = {# (K_{S D})$ , $# (K_{S D})$ , $K_{S D} ⋈ S$ , $K_{D S} ⋈ S}$

(LS6) BL =

(ACT₂) Receive $({$ REQUEST, $S, D$ , id, ti, $h 2$ , ( $A, B$ ), $(M_{A}, M_{B})}$ —D(1)

(ACT₂₀) Check-request(S, id)—D(2)

(ACT₁₀) Check-freshness(ti)—D(3)

(ACT₁₂, ACT₂₉) $C 1 \leftarrow$ Apply(H, Concat(A, Apply(H, Concat (B, Apply(H, (ACT₇) Concat $({$ REQUEST, S, D, id, ti $}, K_{S D}))))))$ —D(4)

(ACT₂₁) Comp $(h 2, C 1)$ —D(5)

(ACT₇) Concat $({$ REPLY, D, S, id, ti, ( $A, B$ ), $(M_{A}, M_{B})}, K_{D S})$ —D(6)

(ACT₁₂, ACT₂₉) $M_{D} \leftarrow$ Apply $(H, {$ REPLY, D, S, id, ti, $(A, B)$ , $(M_{A}, M_{B})}$ . $K_{DS})$ —D(7)

(ACT₁) Send $(B, {$ REPLY, D, S, ti, $(A, B), (M_{A}, M_{B}), M_{D}, ()})$ —D(8).

7.2. Ariadne Analysis

Node S is the initiator of the protocol and its first three actions will be executed which result in new values to be added to the POSS(S) set:

POSS(S):= POSS(S) $\cup ({{REQUEST, S, D$ , id, ti $} . K_{S D}}$ , ${h_{0} = H ({$ REQUEST, $S, D$ , id, ti $} . K_{S D})})$ .

Now we assume that node A receives the request so first eight actions in BL(A) will be executed and the result is

POSS(A) = POSS(A) $\cup {{REQUEST, S, D, id, ti$ , $h_{0}, (), ()}, A . h_{0}, h 1 = H (A . h_{0})$ ,

$M_{A}$ = $H ({$ REQUEST, $S, D$ , id, ti $, h 1, (A), ()} . A_{ti})}$

BEL(A) = $BEL (A) \cup {# (ti)}$ .

Now B(1–8) will be executed and the result is

POSS $(B) =$ POSS(B) $\cup {{REQUEST, S, D, id, ti, h 1$ , (A), ( $M_{A})}$ , $B . h 1, h 2 =$ $H (B . h 1)$ , {REQUEST, $S, D$ , id, ti, $h 2, (A, B), ()} . B_{ti}$ , $M_{B} = H ({$ REQUEST, $S, D$ , id, ti, $h 2, (A, B), ()} . B_{ti})}$

BEL $(B) =$ BEL $(B) \cup {# (ti)}$ .

Now the request reaches its target which is node D and its BL(1–5) actions will be executed and the result will be as follows:

$POSS (D) = POSS (D) \cup {{REQUEST, S, D, id, ti, h 2$ , ( $A, B$ ), ( $M_{A}, M_{B})}$ , $C 1 = H (A . B . {$ REQUEST, $S, D$ , id, ti $} . K_{S D}, {$ REPLAY, $D, S$ , id, ti, $(A, B)$ , $(M_{A}, M_{B})})$

$BEL ($ D $) = BEL ($ D $) \cup {# (ti)}$

$Proof (D) = Proof (D) \cup {h 2}^{*}$

Since ${h 2}^{*}$ ∈ Proof(D) we can apply integrity rule RL(18): ${h 2}^{*} \in$ Proof $(D)$ / $BEL (D)$ = BEL $(D) \cup {{REQUEST, S, D, id, ti, h_{0}, (), ()}$ ∈ Poss(S)}.

After the execution of D(7) and D(8), the POSS set will be updated as follows

POSS(D) = POSS( $D) \cup {{$ REQUEST $, S$ , D, id, ti, $h 2$ , ( $A, B$ ), $(M_{A}, M_{B})}$ , C1 = H(A. B. {REQUEST, S, D, id, ti $} . K_{S D}$ , {REPLAY, $D, S$ , id, ti, $(A, B), (M_{A}, M_{B})} . K_{D S}$ , $M_{D} = H ({$ REPLAY, $D, S$ , id, ti, ( $A, B$ ), $(M_{A}, M_{B})} . K_{D S})$ .

Therefore, the target (destination) node makes sure that the request is from node S and it will send a reply message using the reverse path since the comparison action confirms equality. Each intermediate node (A and B in our example) will receive the reply, adds its key to the key list, and forwards it to the next node until it reaches the source. The destination will authenticate each intermediate node using the same process as the target node did.

When the target node S receives the REPLY the rest of its actions will be executed to ensure the validity of the target's MAC, and each MAC in the MAC list. Node S local sets will be updated as follows:

POSS $(S)$ = ${K_{D S}, K_{S D}, K_{A ti}, K_{B ti}$ , $(A ⋈ K_{A ti})$ from A, $(B ⋈ K_{B ti})$ from B, {REPLY, $D, S$ , ti, $(A, B)$ , $(M_{A}, M_{B})$ , $M_{D}$ , $(K_{B ti}, K_{A ti})}$ , {REPLY, $D, S$ , id, ti, $(A, B)$ , $(M_{A}, M_{B})}$ . $K_{D S}}$ , {REQUEST, S, D, id, ti, h1, $(A), ()} . A_{ti}$ , {REQUEST, $S, D$ , id, ti, $h 2$ , $(A, B), ()} . B_{ti}}$

Proof $(S) =$ Proof $(S) \cup {{M_{D}}^{*}$ , ${M_{B}}^{*}$ , ${M_{A}}^{*}}$ .

Now we can apply the authentication rule (RL17) for each entry in the proof set.

Authentication Rule (RL17):

\begin{matrix} \frac{(D ⋈ K_{D S}) from D \in POSS (S)}{Binding (S) = Binding (S) \cup {(D ⋈ K_{D S})}}, \\ \frac{(D ⋈ K_{D S}) \in BEL (S), {M_{D}}^{*} \in Proof (S)}{Binding (S) = Binding (S) \cup {(D ⋈ K_{D S})}}, \\ \frac{(B ⋈ K_{B ti}) from B \in POSS (S)}{Binding (S) = Binding (S) \cup {(B ⋈ K_{B ti})}}, \\ \frac{(B ⋈ K_{B ti}) \in BEL (S), {M_{B}}^{*} \in Proof (S)}{Binding (S) = Binding (S) \cup {(B ⋈ K_{B ti})}}, \\ \frac{(A ⋈ K_{A ti}) from A \in POSS (S)}{Binding (S) = Binding (S) \cup {(A ⋈ K_{A ti})}}, \\ \frac{(A ⋈ K_{A ti}) \in BEL (S), {M_{A}}^{*} \in Proof (S)}{Binding (S) = Binding (S) \cup {(A ⋈ K_{A ti})}} . \end{matrix}

(9)

Also we can apply the integrity rule (RL18) for each entry in the proof set.

Integrity Rule (RL18):

\begin{array}{l} {M_{D}}^{*} \\ \in Proof (S) \times (BEL (S) : = BEL (S) \\ \cup {{REPLY, D, S, ti, (A, B), (M_{A}, M_{B}), M_{D}, ()} \\ {\in Poss (D)})}^{- 1} \end{array}

(10)

\begin{array}{l} {M_{B}}^{*} \\ \in Proof (S) \times (BEL (S) : = BEL (S) \\ \cup {{REPLY, D, S, ti, (A, B), (M_{A}, M_{B}), M_{D}, ()} \\ {\in Poss (B)})}^{- 1} \end{array}

(11)

\begin{array}{l} {M_{A}}^{*} \\ \in Proof (S) \times (BEL (S) : = BEL (S) \\ \cup {{REPLY, D, S, ti, (A, B), (M_{A}, M_{B}), M_{A}, (K_{B ti}, K_{A ti})} \\ {\in Poss (A)})}^{- 1} . \end{array}

(12)

Since we applied the authentication and the integrity rules successfully on the target's MAC and on each MAC in the MAC list, it can be concluded that the reply is valid and authenticated; consequently node S can accept it. Therefore, Ariadne achieves both the authentication and the integrity requirements which detect attackers when they attempt to impersonate the message's sender or modify its content.

Flaws in this protocol lie in the assumptions of the authors that may affect the usability of the protocol. Ariadne assumed the presence of a working public key infrastructure (PKI) or certificate authority (CA). Consequently, key management services are assumed to be already existed but are not provided by Ariadne. Also, Ariadne did not take the possibility of having internal attackers into consideration and therefore, no IDS are applied to detect them.

Based on the above assumptions, actions such as ACT₆, ACT₁₁, ACT₁₃, ACT₁₄, ACT₁₆, ACT₁₉, ACT₂₂, ACT₂₄, ACT₂₅, ACT₂₆, ACT₂₇, and ACT₂₈ cannot be activated and rules like R4, R5, R9, R10, and R11 cannot be applied. Based on this observation, LBSA can detect the absence of key management system and IDS in Ariadne. As a result, key management services will fail and intruders cannot be detected.

8. Conclusions and Future Work

The success of applications over multihop communication networks principally depends on the achievement of security requirements. Many secure protocols are proposed, consequently, there should be a reliable way to test if these protocols satisfy the security requirements as their designers claim.

Previous attempts to utilize logic in analyzing security have either focused on a specific requirement or a specific protocol. In this paper, we proposed a logic-based security architecture (LBSA) to specify and analyze any security requirement in any system providing multihop communication using logic. Any system or protocol claiming security can be mapped into our architecture in other words it must be specified using various global/local sets and actions, then it can be analyzed by applying different rules. LBSA provides a formal way to analyze security enforcers and security protocols instead of depending only on the simulation tools which are arguable by many researchers in terms of implementation accuracy.

Additionally, using simulation tools usually covers a small set of scenarios whereas using LBSA more cases can be covered that usually cannot be covered exhaustively by simulation tools.

This paper also illustrated how LBSA can be used to verify security enforcers by applying it to two well-known enforcers which are MAC and digital certificate. In addition to that, a case study for a secure routing protocol used in ad hoc and sensor networks named Ariadne was also evaluated in terms of security using LBSA.

To the best of our knowledge, the proposed security architecture covers the most important enforcers. Further development of new enforcers in the future may simply need other sets, actions, and rules to be added. Also, LBSA could be extended by considering new rules and actions for the Interaction between Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). Moreover, LBSA can utilize the computational Intelligence tools in analyzing the security.

References

ITU-T Recommendation X. 800

Security architecture for Open Systems Interconnection for CCITT applications

1991

ITU-T Recommendation X. 805

Security architecture for systems providing end-to-end communication

2003

Rubin

A. D.

Honeyman

Nonmonotonic cryptographic protocols

Proceedings Computer Security Foundations Workshop

June 1994

100 116

Rubin

A. D.

Extending NCP for protocols using public keys

Mobile Networks and Applications 1997 2 3 227 241

2-s2.0-0031386327

Xie

Security analysis of routing protocol for MANET based on extended Rubin logic

Proceedings of the IEEE International Conference on Networking, Sensing and Control (ICNSC ′08)

April 2008

Sanya, China

1326 1331

2-s2.0-49249090421

10.1109/ICNSC.2008.4525423

Xie

Extending rubin logic for electronic commerce protocols

Proceedings of the 2nd International Conference on Anti-counterfeiting, Security and Identification (ASID ′08)

August 2008

Guiyang, China

448 451

2-s2.0-58049141395

10.1109/IWASID.2008.4688446

Xie

Analysis of electronic commerce protocols based on extended rubin logic

Proceedings of the 9th International Conference for Young Computer Scientists (ICYCS ′08)

November 2008

Hunan, China

2079 2084

2-s2.0-58349110739

10.1109/ICYCS.2008.468

Xie

Analysis of authentication protocols based on rubin logic

Proceedings of the International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM ′08)

October 2008

Dalian, China

2-s2.0-58049120659

10.1109/WiCom.2008.1120

Rubin

A. D.

Honeyman

Long running jobs in an authenticated environment

Proceedings of the USENIX Security Conference IV

October 1993

19 28

10.

Needham

R. M.

Schroeder

M. D.

Using encryption for authentication in large networks of computers

Communications of the ACM 1978 21 12 993 999

2-s2.0-0018048246

10.1145/359657.359659

11.

Sanzgiri

LaFlamme

Dahill

Levine

B. N.

Shields

Belding-Royer

E. M.

Authenticated routing for ad hoc networks

IEEE Journal on Selected Areas in Communications 2005 23 3 598 610

2-s2.0-15244339622

10.1109/JSAC.2004.842547

12.

Zhou

Gollmann

Fair non-repudiation protocol

Proceedings of the 17th IEEE Symposium on Security and Privacy

May 1996

Oakland, Calif, USA

55 61

2-s2.0-0029724319

13.

Satyanarayanan

Integrating security in a large distributed system

ACM Transactions on Computer Systems 1989 7 3 247 280

2-s2.0-0024714097

10.1145/65000.65002

14.

ITU-T Recommendation X. 509

Information technology—Open System Interconnection—The Directory: public-key and attribute certificate framework

2008

15.

Weiss

Message digest, message authentication codes and digital signature

Jave Cryptography Extensions 2004 101 118

16.

Zhou

Lam

K. Y.

Securing digital signatures for non-repudiation

Computer Communications 1999 22 8 710 716

2-s2.0-0032626169

10.1016/S0140-3664(99)00031-6

17.

Shao

Certificate-based fair exchange protocol of signatures from pairings

Computer Networks 2008 52 16 3075 3084

2-s2.0-53249155914

10.1016/j.anpedi.2008.07.001

18.

Lima

C. H.

Lee

P. J.

Korean certificate-based digital signature algorithm

Computers and Electrical Engineering 1999 25 4 249 265

2-s2.0-0344614031

10.1016/S0045-7906(99)00011-7

19.

Madria

Yin

SeRWA: a secure routing protocol against wormhole attacks in sensor networks

Ad Hoc Networks 2009 7 6 1051 1063

2-s2.0-64449088975

10.1016/j.adhoc.2008.09.005

20.

Ozdemir

Çam

Integration of false data detection with data aggregation and confidential transmission in wireless sensor networks

IEEE/ACM Transactions on Networking 2010 18 3 736 749

2-s2.0-77953685106

10.1109/TNET.2009.2032910

21.

Stavrou

Pitsillides

A survey on secure multipath routing protocols in WSNs

Computer Networks 2010 54 13 2215 2238

2-s2.0-77955467415

10.1016/j.comnet.2010.02.015

22.

Delgado-Mohatar

Fúster-Sabater

Sierra

J. M.

A light-weight authentication scheme for wireless sensor networks

Ad Hoc Networks 2011 9 5 727 735

2-s2.0-79952574261

10.1016/j.adhoc.2010.08.020

23.

Almomani

Saadeh

Security model for tree-based routing in wireless sensor networks: structure and evaluation

KSII Transactions on Internet and Information Systems 2012 6 4 1223 1247

24.

Bicakci

Bagci

I. E.

Tavli

Communication/computation tradeoffs for prolonging network lifetime in wireless sensor networks: the case of digital signatures

Information Sciences 2012 188 44 63

25.

Fan

Gong

Accelerating signature-based broadcast authentication for wireless sensor networks

Ad Hoc Networks 2012 10 4 723 736

2-s2.0-79960655770

10.1016/j.adhoc.2011.06.015

26.

ISO/IEC 9797-2

Information technology-security techniques-Message Authentication Code (MACs)—Part 2: mechanisms using a dedicated hash function

27.

Y. C.

Perrig

Johnson

D. B.

Ariadne: a secure on-demand routing protocol for ad hoc networks

Wireless Networks 2005 11 1-2 21 38

2-s2.0-17444426121

10.1007/s11276-004-4744-y

28.

Mavropodi

Kotzanikolaou

Douligeris

SecMR—a secure multipath routing protocol for ad hoc networks

Ad Hoc Networks 2007 5 1 87 99

2-s2.0-33750029995

10.1016/j.adhoc.2006.05.020

29.

Kim

Tsudik

SRDP: secure route discovery for dynamic source routing in MANETs

Ad Hoc Networks 2009 7 6 1097 1109

2-s2.0-64049087420

10.1016/j.adhoc.2008.09.007

30.

Gupte

Singhal

Secure routing in mobile wireless ad hoc networks

Ad Hoc Networks 2003 1 1 151 174

2-s2.0-13244276488

10.1016/S1570-8705(03)00017-9

31.

Chauhan

K. K.

Sanger

A. K. S.

Kushwah

V. S.

Securing on-demand source routing in MANETs

Proceedings of the 2nd International Conference on Computer and Network Technology (ICCNT ′10)

April 2010

Bangkok, Thailand

294 297

2-s2.0-77954346339

10.1109/ICCNT.2010.29

32.

Yoo

S. G.

Park

K. Y.

Kim

A security-performance-balanced user authentication scheme for wireless sensor networks

International Journal of Distributed Sensor Networks 2012 2012 11

382810

10.1155/2012/382810

33.

Perrig

Canetti

Tygar

J. D.

Song

The TESLA broadcast authentication protocol

CryptoBytes, RSA Laboratories, vol. 5, no.2, 2002

Logic-Based Security Architecture for Systems Providing Multihop Communication

Abstract

1. Introduction

2. Security Architecture

3. Related Work

4. Logic-Based Security Architecture (LBSA) for Systems Providing Multihop Communication

5. Possible Mapping between Security Requirements and Inference Rules/Actions

6. Security Enforcers Specification and Analysis

6.1. Message Authentication Code (MAC)

6.2. Digital Certificate

7. Case Study: Ariadne Protocol

7.1. Ariadne Specification

7.2. Ariadne Analysis

8. Conclusions and Future Work

References