Audit expert system of communication security assessment

Audit expert system of communication security assessment

Available online at www.sciencedirect.com Available online at www.sciencedirect.com Available online at www.sciencedirect.com ScienceDirect Procedia...

395KB Sizes 0 Downloads 101 Views

Available online at www.sciencedirect.com

Available online at www.sciencedirect.com Available online at www.sciencedirect.com

ScienceDirect Procedia Computer Science (2017) 000–000 Procedia Computer Science 11200 (2017) 147–156 Procedia Computer Science 00 (2017) 000–000

www.elsevier.com/locate/procedia www.elsevier.com/locate/procedia

International International Conference Conference on on Knowledge Knowledge Based Based and and Intelligent Intelligent Information Information and and Engineering Engineering Systems, KES2017, 6-8 September 2017, Marseille, France Systems, KES2017, 6-8 September 2017, Marseille, France

Audit Audit expert expert system system of of communication communication security security assessment assessment a Czestochowa a Czestochowa b Czestochowa b Czestochowa

a b* Henryk Henryk Piech Piecha,, Grzegorz Grzegorz Grodzki Grodzkib*

University of Technology Dabrowskiego 73, 42201 Czestochowa, Poland University of Technology Dabrowskiego 73, 42201 Czestochowa, Poland University of Technology Dabrowskiego 73, 42201 Czestochowa, Poland University of Technology Dabrowskiego 73, 42201 Czestochowa, Poland

Abstract Abstract The main goal of the research consists in the elaboration of a system concerning the investigation of security communication, which The main goal of the research consists in the elaboration of a system concerning the investigation of security communication, which regards a set of security factors, such as: the degree of encryption, the freshness of nonces, intruder activation, the lifetime of keys, regards a set of security factors, such as: the degree of encryption, the freshness of nonces, intruder activation, the lifetime of keys, secrets, etc. This paper is devoted to the presentation of systematization formalisms describing the functioning of a security model. secrets, etc. This paper is devoted to the presentation of systematization formalisms describing the functioning of a security model. In our variant, we investigate the changes of all chosen factors (security attributes) during the realization of protocol operations. In our variant, we investigate the changes of all chosen factors (security attributes) during the realization of protocol operations. The security attributes should be systematically corrected in this process. It changes the general security level of communication. The security attributes should be systematically corrected in this process. It changes the general security level of communication. The audit system strategy leads us to one of the most noticeable security in fluence characteristics that refer to time parameters. We The audit system strategy leads us to one of the most noticeable security in fluence characteristics that refer to time parameters. We can introduce the notation concerning the lifetime of elements (key, message, nonces, secret, etc.). When the value of time activity can introduce the notation concerning the lifetime of elements (key, message, nonces, secret, etc.). When the value of time activity of an element exceeds its lifetime, then the communication security is definitely threatened. By using special rules presented in the of an element exceeds its lifetime,2 then the communication security is definitely threatened. By using special rules presented in the works of Burrows, and Needham 2 , among other authors, and by creating additional logic formulas, we can estimate intermediate works of Burrows, and Needham , among other authors, and by creating additional logic formulas, we can estimate intermediate security probability parameters. Finally, we propose a certain kind of probability time automata in order to investigate and predicate security probability parameters. Finally, we propose a certain kind of probability time automata in order to investigate and predicate different types of communication threats. These automata are built on the basis of a colored Petri net. In addition, this investigation different types of communication threats. These automata are built on the basis of a colored Petri net. In addition, this investigation consists in checking communication security (or a kind of threats) and making a threat prediction about possible cases that are consists in checking communication security (or a kind of threats) and making a threat prediction about possible cases that are connected with losing information. We also included in the model a procedure of security modification with respect to time (the connected with losing information. We also included in the model a procedure of security modification with respect to time (the activity of some parameters depends on time). We define the finite set of states by using the LU - technique (interval attribute activity of some parameters depends on time). We define the finite set of states by using the LU - technique (interval attribute activity) of a date notation. The proposed system resolves security problem in more comprehensive (multifaceted) way. Ingredient activity) of a date notation. The proposed system resolves security problem in more comprehensive (multifaceted) way. Ingredient security factors can be grouped in different combinations. This approach increased the range of investigated threaten structures to security factors can be grouped in different combinations. This approach increased the range of investigated threaten structures to even unknown hacker algorithm inventions. even unknown hacker algorithm inventions. c 2017 The Authors. Published by Elsevier B.V.  c 2017  2017 The TheAuthors. Authors.Published Publishedby byElsevier ElsevierB.V. B.V. © Peer-review under responsibility of KES International. Peer-review under responsibility of KES International. International Keywords: audit expert system, communication security, Petri nets, protocol security, auditing system, probability time automata; Keywords: audit expert system, communication security, Petri nets, protocol security, auditing system, probability time automata;

1. Introduction 1. Introduction The cryptography protocol structures consist of operations The cryptography protocol structures consist of operations concerning the interception of open and encrypted information. concerning the interception of open and encrypted information. ∗ ∗

Corresponding author. Tel.: +48-34-3250-589; fax: +48-34-3250-589. Corresponding author. Tel.: +48-34-3250-589; fax: +48-34-3250-589. E-mail address: [email protected] E-mail address: [email protected]

c 2017 The Authors. Published by Elsevier B.V. 1877-0509  c 2017 The Authors. Published by Elsevier B.V. 1877-0509  Peer-review under responsibility of KES International. Peer-review©under of KES International. 1877-0509 2017responsibility The Authors. Published by Elsevier B.V. Peer-review under responsibility of KES International 10.1016/j.procs.2017.08.188

that regard sending and receiving, and a simulation that regard sending and receiving, and a simulation There is also a different kind of investigation models. There is also a different kind of investigation models.

148 2

Henryk Piech et al. / Procedia Computer Science 112 (2017) 147–156 Henryk Piech, Grzegorz Grodzki / Procedia Computer Science 00 (2017) 000–000

They are based on time automata (TA), probability-timed automata (PTA), time Petri nets (TPN), colored Petri nets (CPN) 13 etc. The feature of these models is connected with the possibility of realization concerning transition state procedures 11,14 . The state may describe protocols, message, keys, users 5,7 , etc., and their security aspects. The modeling based on automata and nets has an advantage that consists in the possibility of chronological state observation and checking transition constrains. In the case of security modeling, a disadvantage appears that is connected with the necessity regarding the lifetime pre-evaluation of timed attributes. It should be realized with the help of experiments that ultimately approve the realistic and useful values of lifetime parameters. The confirmation of experience results may take place as even the cases concerning message multi-encryption can be taken into account in a simple way 4 . The chronologic protocol operation sequences will be analyzed from the perspective of forthcoming threats. The proposed variants of security investigation preserve the general and detailed character of the multi-aspect security analysis. The method adapted to a concrete situation may be used in an intelligent system of dynamic data mining features 6 . The interesting part of the research refers to the calculation probabilities of state transition and the reachability of a given state or its set 8 . The semantic formalisms of communication security state is presented in other our work 12 . The system structure is built on the basis of selected models of communication state transition that are described in sections 2.1-2.3. Finally, we accomplish the main part of example results concerning the functioning of the expert system (section 3). 2. Artifact structure model of expert system functioning Expert system is built on the basis of probability timed automata (PTA) or the colored Petri net (CPN) that is converted to them. The communication security states are described by communication cryptography parameters and with the help of logic rules (presented in BAN, PCL or Horae communication logics 2 . We propose to use the convention of homomorphic mapping probabilities with respect to the state description in the artifact set of binary tokens of security estimation. The inferring mechanism leads us to the assessment of communication threats and provides the sets of information about different global factors regarding security, like: selected protocols, keys, messages, nonces, secrets, etc., which are preliminary defined by users. 2.1. Fundamental predicates of communication BAN logic used for the description of knowledge distribution in the network Formalisms describing protocol authentication contain information about: • elementary protocol operations regarding messages, users, and keys, • protocol modeling rules, • assertions about authentication, i.e. the confirmation of believing in user honesty and jurisdiction over messages. The motivation for the communication situation analysis, which is described by formalisms, consists in the need for the verification of the security situation that is presented in the form of honesty and jurisdiction states after every operation and correction. For example, this can be connected with checking attributes with respect to the shared key, secret, freshness of information, honesty of a sender and receiver. The standard form of formalism contains many security aspects, but apart from the unambiguity of their logic characters it is not possible to determinate the level of security attributes. Forms expressing believing and assertion rather suggested the usage of probability parameters and correction coefficients. The simplest, atomic communication logic elements contain quantifiers and complementary operators 2 : A ↔K B - users A, B communicate via the shared key K, →K A - user A has K as its public key, A ⇔Y B - users A and B share Y as a secret, - the message X is encrypted by key K, {X}K {X}K A - the message X is encrypted by key K by user A, < X >Y - the message X with an attached secret Y, A| ≡ X - user A believes the message X, AX - user A sees the message X, AX - user A sends the message X once,



Henryk Piech et al. / Procedia Computer Science 112 (2017) 147–156 Henryk Piech, Grzegorz Grodzki / Procedia Computer Science 00 (2017) 000–000

149 3

A| ⇒ X - user A has jurisdiction over X, #(X) - the message is fresh. Let us try to define the set of actions and attributes. For this aim, the rules based on BAN logic will be exploited as, e.g.: 1. Authentication rule – type I: if (A| ≡ ((A ↔K B), A  XK ) then (A| ≡ (B  X). The rule can be interpreted as follows: if A and B shared key K and A sees the message X, then A believes that this message is from B. 2. Nonce rule: if (A| ≡ #(X), A| ≡ (B  X)) then A| ≡ (B| ≡ X). The rules can be interpreted as follows : if A believes that X is ”current” and that B said X, then A believes that B believes X. 3. Jurisdiction rule: if (A| ≡ (B| ⇒ X), A| ≡ (B| ≡ X) then A| ≡ X. The rule can be interpreted as follows: if A believes that B has jurisdiction over X and A believes that B confirms X then A believes X. 4. Vision rule – type I: if (A| ≡ (A ↔K B), A  {X}K R , C  A) then A  X. The rule can be interpreted as follows: if A and B shared the key K and A sees the message X, encrypted by the shared symmetric key, and the encryption was done by a user other than A, then A sees X. 5. Freshness rule: if #(X) then #(X, Y). The rule can be interpreted as follows: if X is fresh then X ∧ Y is also fresh. 6. Secret transitivity rule: if {X}A → B then Y{X ∧ B  Y}. The rule can be interpreted as follows: if A sees X from B, then message secret consists of X and a secret regarding the fact that B sees secret Y. 7. General transitivity rule (Horae Logic 2 ): if (X  X  , {X  }s{Y  }, Y   Y) then {X}S {Y}. 2.2. Probability time automata as communication security investigation model We propose to use probability - time automata (PTA) 9 and colored Petri nets that are converted to them 3 as main tools for the investigation of communication security, according to selected main factors, like: protocols, users, keys, messages, etc. The nodes presented in fig.1 will be a fundamental part of PTA. Let us introduce the definition of security state which will correspond to the automaton node. Definition 2.1. A tuple (At, T h, T k, na), where At - security attribute set, T h - the vector of a low level of feasible attribute values (thresholds), T k - security tokens, na - the number of attributes, is a communication security state described as follows: 1. At = {at1 , at2 , ..., atna } ∈ [0, 1]n - the vector of attribute activation probabilities, 2. T h = {th1 , th2 , ..., thna } ∈ [0, 1]n - the vector of threshold attribute activation, 3. T k = {tk1 , tk2 , ..., tkna } ∈ {0, 1}n - the binary vector of attribute activation: if ati ≥ thi then tki = 1 else tki = 0. If any attribute is decreased to an unacceptable level, then there is no possibility to improve its value and security features cannot be increased. In order to regard the time parameter that has intrinsic characteristic, according to the security aspect, we propose the following definition:  Definition 2.2 A probabilistic timed automaton PTA is a tuple in the form (L, l , X, , inv, p) where: • L is a finite set of locations, • l ∈ L is the initial location, • X is a finite set of clocks (for each attribute),    • is a finite set of possible steps, of which c ∈ are declared as being current possible, • the function inv : L → CC(X) is the invariant condition,  • the finite set p ⊆ L × CC(X) × ×Dist(2X × L) is the probabilistic edge relation. A time state of a probabilistic timed automaton is a pair (l, v), where l ∈ L and v ∈ T X are such that v ∈ inv(l). Informally, the behavior of a probabilistic timed automaton can be understood as follows. The model starts in the initial location l with all clocks set to 0, that is, in the state (l , 0). In this, and any other state (l, v), there is a nondeterministic choice of either (1) making a discrete transition or (2) letting time pass. In case (1), a discrete transition can be made according to any probabilistic edge (l, g, σ, p∗ ) ∈ p with the source location l which is enabled; that is, the zone g is satisfied by the current clock valuation v. Then the probability of moving to the location l and

4

Henryk Piech, Grzegorz Grodzki / Procedia Computer Science 00 (2017) 000–000

Henryk Piech et al. / Procedia Computer Science 112 (2017) 147–156

150 1,2

ct

=1,8

1

=1,0

0,8

=0,6

0,6 0,4 0,2 0

1

2

3

4

5

6

7

8

9

10

t

11

Fig. 1. Time correction coefficient ct in dependence on the experimentally matched parameter α

resetting all of the clocks in X to 0 is given by p∗ (X, l”). In case (2), the option of letting time pass is available only if the invariant condition inv(l) is satisfied while time elapses and there does not exist an enabled probabilistic edge with a current step. Note that a timed automaton 1 is a probabilistic timed automaton for which every probabilistic edge (l, g, σ, p∗ ) is such that p∗ = (X, l ) (the point distribution assigning probability 1 to (X, l )) for some (X, l ) ∈ 2X L. 2.3. Exploitation of colored Petri nets for the description of communication security state changes in time In order to regard situations connected with sending and receiving of open and encrypted messages by honest users and intruders, let us pay attention to nets with tokens that may be associated with information. Transitions, in such case, would check the system of conditions adequate to this information. Therefore, more convenient types of Petri nets are: marked net, time net, colored net, real time colored net. The node (net state) is represented by a token system (the set of tokens) and changed by transitions. The marked net is described by a 4-tuple N = (P, T, A, M), where: P - a not empty set of places, T - a not empty set of transitions; P ∩ T = θ, A ⊆ (P × T ) ∪ (P × T ) - a set of arcs in the net, M0 : P → Z+ - function over places, named initial marking. The rule of marking in the realization of the transition is as follows:   M (p) − 1 p ∈ In (t) − Out (t) ,    M (p) + 1 p ∈ Out (t) − In (t) , M (p) =     M (p) otherwise , 

(1)

where: M(p) - the token number after the realization of transition in place p, M(p) - the token number before the realization of transition in place p, In(t) - t transition input, Out(t) - t transition output. The unconditional message sending and receiving, by both the honest user and intruder, will be described by the marking procedures. In this case, the message can be open or encrypted. The token structure will be changed in accordance with the results of transition. If the transition is active for the marked structure M, then the new structure t will be described as follows: M → − M  . Let us assume that transitions t1, t2, , tk ∈ T are active for M, M1 , M2 , ..., Mk t3 tk t2 t1 in the net N, therefore: M − → M1 − → M2 − →, ..., − → Mk . All N net marking results (the set of tokens) can be achieved from the M marking by a finite number of transitions, referred to as ”reachable from M tokens” 14 . The set of reachable tokens from M is denoted by R(M). The set of transitions from M, leading to a given set of tokens, is denoted by S T (M).



Henryk Piech et al. / Procedia Computer Science 112 (2017) 147–156 Henryk Piech, Grzegorz Grodzki / Procedia Computer Science 00 (2017) 000–000

151 5

The Time Petri Net is presented as a 5-tuple T PN = (P, T, A, M0 , d), where d: T → Q+ is a delay function associated with each transition with rational value d(t), named ”static delay” for a particular t transition. If transition starts to activate, i.e. all tokens are on transition inputs, then this transition has to be executed after d(t) time units, unless its activity would be loosed, e.g. by another transition realization during d(t) 10 . For each transition, we may also define the dynamic delay dd(t) that depends on the global clock indication. If transition is active, then dd(t) points out the time distance till the realization of transition. The marking procedure is supplemented by the delay rule, which can be expressed in the following way:   d (ti )       dd (ti ) − dd (t)  dd (ti ) =        lack

when transition ti becomes active (or reactive) , when transition was active and remained to be active but has not been realized ti  t, when transition is not active ,

(2)

There are also interval time nets supplemented by arc weight functions W: T PN = (P, T, A, W, M0 , d). In this case, token transitions are described as follows 13 :   M (p) − W (p, t)       M (p) + W (t, p)  M (p) =    M (p) − W (p, t) + W (t, p)     M (p)

p ∈ In (t) − Out (t) , p ∈ Out (t) − In (t) , p ∈ In (t) ∩ Out (t) , otherwise ,

(3)

The time delays allow us to analyze a different kind of cryptography operation interleaves that appear in real communication networks. Moreover, the time thresholds, in the same communication protocols, play the role of protection tools 7 . Colored Petri Nets permit us to define and create the system of a different type of tokens. To each net place we may assign a set of different color (type) tokens. The token transition is controlled by conditions in the form of logic rules. These rules are associated with net places (nodes). The colored net is defined as the tuple structure  CPN = ( , P, T, A, a, C, G, E, M0 ), where the following conditions are fulfilled:  - a not empty set of token types, where each also presents itself as a not empty set, a - node function, which assigns the ordered pair of nodes to each arc,  C : P → - type function, which defines the token type structure for each place, G - guard function in the form of a logic rule that has to be fulfilled for the realization of transition (it is assigned to a particular transition),  E - weight arc function in the form of an expression containing a different kind of variables from (it is assigned to a particular place). Token changing is described in the following way:   M (p) − E(p, t)∗       M (p) + E(t, p)∗ M  (p) =    M (p) − E(p, t)∗ + E(t, p)∗     M (p)

p ∈ In (t) − Out (t) , p ∈ Out (t) − In (t) , p ∈ In (t) ∩ Out (t) , otherwise ,

(4)

where the asterisk means that constrains are fulfilled, which referred to tokens and the transition of their conditions. Token types may correspond to a different kind of messages (open, encrypted, multi-encrypted by a set of keys, nonces, secrets, etc.) in the modeling process. In real time colored Petri nets, we introduce the so called time stamps which blockade the token transition until a given moment. In our approach that refers to communication security, such situations are rather rear and have exclusionary specific character. Therefore, time stamps are not be used in the modeling process. Token type presentation the utility BAN logic assumes the possibility to use different token types: • user jurisdiction over message, • user sees message in its open form, • user sees message in its encrypted form, • user believes in the honesty of the communication partner (receiver, sender), • user shares key with partner, • information (message, nonce) is fresh, • the level of multi-encryption is known,

152 6

Henryk Piech et al. / Procedia Computer Science 112 (2017) 147–156 Henryk Piech, Grzegorz Grodzki / Procedia Computer Science 00 (2017) 000–000

• multi-encryption keys are shared with the partner. In our approach, tokens are associated with security attributes which will be evaluated in probability ranges. The security communication structure corresponding to the Petri node is depicted in fig. 2. The belief token refers to different situations; therefore, they are separated from action tokens referring to components: user-message-key. Belief tokens refer also to users, messages, and keys, so the token grouping process permits us to clearly distinguish particular parts of the formal description regarding communication logic. Petri net node contains chosen security tokens. Different aspects of communication security enable the creation of different token structures, the so called security modules. For each module, the main parameter (the main security factor) is defined. Irrelevant (or unknown) parameters are denoted by ”*”. Token activity is illustrated by a black ring. Losing activation is connected with black color that changes into white. In the continued investigation, tokens will be associated with security attributes evaluated by the probability number. The graphic presentation will also be different because the initial node state contains all tokens that are treated as accepted security components. open massage observation

encrypted message observation

jurisdiction over message

believing in honesty

secret sharing

key sharing freshness of information

Fig. 2. Security attribute structure corresponding to tokens in the Petri node - example.

Some situations can be supplemented by quantity parameters (fig.3), like the number of messages, keys, etc. A more convenient formal description may be created according to the implementation of the algorithm that is based on node separation for different messages, keys. A, (T, X, Y, Z), (KA,S , KA,B), (4) (2) Fig. 3. Example of multi-active tokens. 5(4) - token number 5, e.g. encrypted messages, and their number equal to 4, 6(2) - token number 6, e.g. sharing key, and their number equal to 2.

Other tokens are not active. Fig.3 Example of multi-active tokens. In terms of believing in tokens, an adequate security attribute in particular stages (operation run reading) can lose its probability value. 3. The description of the implementation approach We propose a system that activates the security attribute correction on the basis of rules introduced by Barrows, Abadi, Needham and their communication logic BAN. It will be used as one of the procedures, which exploits the structure (in the simplest variant of matrix structure) for the conversion of protocol actions into attribute modification: Ac ⊆ Op (i) ⊆ Pr (cp) ∼ At (cp) ,

where: Ac - the set of actions participating in the i-th operation,



Henryk Piech et al. / Procedia Computer Science 112 (2017) 147–156 Henryk Piech, Grzegorz Grodzki / Procedia Computer Science 00 (2017) 000–000

153 7

Op(i) - the i-th protocol (in a communication run) operation, Pr(cp) - the code of investigated protocol determinates according to its type and users, At(cp) - the set of attributes representing the cp protocol, ”∼” - the activation of the attribute correction process. Generally, one may use the system of BAN rules but in the implementation that infers mechanisms contained in this system, it can be reduced to logic reducts, which excluded the redundancy of logic transformation. For example, the system of a logic reduct can be presented in a matrix form MAA[m × n], where m - the number of attributes, n - the number of action characteristics (table 1). Table 1. Matrix transformation MCC, empty fields conventionally contain irrelevant values i.e. (1 or 0).

1

0

0 1 1 1

1 1 1 1 1 1

secret

1 1 1 1 1

jurisdiction

1 1 1 1 1

freshness

1

character

1 1 1 1 1 1

nonce

1 1 1 1 1 1

message

intruder

1 1

key

receiver

attributes users believing in honesty freshness shared key jurisdiction additional information

sender

code 1 2 3 4 5 6

Action description - characteristics server

Attribute description

0 0

1

How can we exploit this matrix? Firstly, the protocol profile (PP) should be prepared according to action characteristics (table 2). The matrix of the protocol profile consists of vectors of characteristics that are adequate to protocol operations. Secondly, simple logic formulas are used for checking the consistency of characteristics between MCC and PP: 1. if (pp(server) + pp(sender) + pp(receiver)) = 1 then pp(intruder) = 1; it is interpreted in the following way: if the second belief in honesty does not appear among users, then an intruder interference is possible, ec=1

2. if pp(intruder) = 1 then at(users) −→ at (users), mc=1

3. if pp(key) = 0 then at(believing in honesty) −→ at(believing in honesty) 4.  

Tc Tc    if  ppt (message) > 1 or ppt (nonce) > 1 then t=1

t=1

mc=1

at(believing in honesty) −→ at (believing in honesty),

5.

where: t - the number of a protocol operation, T c - currently realized protocol operations, the irrelevant profile parameter (equals to (1 ∨ 0) - empty fields in matrix PP) does not participate in the sum operation; it is interpreted in the following way: if the same message or the same nonce appears for the second time, then the belief in honesty is reduced,   Tc Tc    t  pp (message) > 1 or ppt (nonce) > 1 then if  t=1

t=1

ec=1

at( f reshness) −→ at ( f reshness);

it is interpreted in the following way: if the same message or the same nonce appears for the second time, then freshness is decreased, 6. if ((pp(message) = 1 or pp(nonce) = 1) and (pp(key) = 0) or mc=1

pp(intruder) = 1) then at(sharedkey) −→ at (sharedkey); it is interpreted in the following way: if a message or nonce appears and the key is not shared or intruder activates, then the shared key attribute loses a part of its value, 7. if (pp(key) = 1 and (pp(message) = 1 or pp(nonce) = 1)) and (pp(server) + pp(sender) + pp(receiver) = 1)) or pp(key) = 0 then

Henryk Piech et al. / Procedia Computer Science 112 (2017) 147–156 Henryk Piech, Grzegorz Grodzki / Procedia Computer Science 00 (2017) 000–000

154 8 mc=1

at( jurisdiction) −→ at ( jurisdiction), it is interpreted in the following way; if a key is shared and information (message or nonce) is exchanged behind the server, sender and receiver, then the jurisdiction level over this information will be decreased. 8. if pp(intruder) = 1 and pp(secret) = 0 then mc=1

at(additional in f.) −→ at (additional in f.); it is interpreted in the following way: if an intruder activates and a secret is not attached, then the confidence level is decreased. These rules were created on the basis of a probabilistic and intuitive approach. Therefore, attribute corrections can be also inferred from the levels of suspicion, believing in honesty and the right character of communication actions. Obviously, the set of rules may be enriched by new proposals for additional reasons; for example: the appearance of a new form of communication attacks. Moreover, we may also change the numbers of action characteristics and security attributes. The above-mentioned rules (IR) infer from BAN rules but are adapted to algorithm implementation. This approach permits us to choose an attribute for correction and define the way of its modification (mc; ec strategies). At the same time, we have the possibility to analyze the security of both the single protocol and the run of protocols (the interleaving parts of protocols). The second case refers to the dynamic analysis during the realization of a communication run. The information flow (rules 4,5) has practical sense because accumulated parameter values essentially decrease the security level of appointed attributes. The above-mentioned rules (IR) infer from BAN rules but are adapted to algorithm implementation. This approach permits us to choose an attribute for correction and define the way of its modification (mc, ec strategies). At the same time, we have the possibility to analyze the security of both the single protocol and the run of protocols (the interleaving parts of protocols). The second case refers to the dynamic analysis during the realization of a communication run. The information flow (rules 4,5) has practical sense because accumulated parameter values essentially decrease the security level of appointed attributes. 4. Algorithm and results of communication security investigation The algorithm consists of the following stages: 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12.

Stencil input reading of MCC matrix element values, Reading and recognizing the current operation in a communication run, The transformation of an operation run into a protocol profile vector (adequate row in the matrix PP), Switching on clocks and reading activity time parameters of attributes dependent on lifetime characteristics, The accumulation of information connected with messages and nonces (due to the content of rules 4 and 5), The exploitation of rules in order to select corrected attributes, The realization of the correction procedure, The output of a current security state, the values of security attributes for all protocols, Optionally, the creation of a threat prognosis for protocols according to the given main security factors, Threat prognosis output, If the communication run continues, then go to point 2, Additional analysis, e.g. with respect to the comparison of protocol securities.

The description of a communication run contains interleaving parts of protocols. Such example may be presented in the following form: The realization of the run from table 3 is described in accordance with the parts of interleaving protocols: Andrew RPC: part1 (2 operations), Woo and Lam: part 1 (4 operations), Andrew RPC: part 2 (2 operations), Woo and Lam: part 2 (1 operation). There are 4 protocols and 12 operations. For each protocol (treated as main security factors) we determine security attributes for modification. Before starting the main part of our investigation, we should prepare parameters connected with the correction process (correction coefficients, lifetime and alpha parameters) and security threshold values for all attributes.



Henryk Piech et al. / Procedia Computer Science 112 (2017) 147–156 Henryk Piech, Grzegorz Grodzki / Procedia Computer Science 00 (2017) 000–000

155 9

Table 2. Description of protocol actions (i.e. matrices of the protocol profile PP).

A→B:id(A) B→A:Nb A→B:KAS B→S:KAS>KBS S→B:KBS I(A)→B:A B→I(A):Nb I(A)→B:Nb B→I(S):KBS I(S)→B:KBS A→B:id(A).Na B→A:KAB A→B:K’AB B→A:Nb A→I(B):id(A).Na I(B)→A:id(B).Na A→I(B):KAB I(B)→A:KAB A→I(B):K’AB I(B)→A:Ni A→I(B):N’a A→B:id(A).Na B→A:KAB A→B:K’AB B→A:Na

1 1 1 1

1 1 1 1

1 1 0 1

1 1 1 1

1 1

1 1 1 1 1 1 1

1 0 0 0 0 0 0

1 1 1 1 1 1 1

1 1

1 1

1 1

0 1

1 1 1

1 1 1

1 1 1

1 1 1

1 1 1 1

0 0 1 1 1

1 1 0 0 0

1 0 1 1 1

1 1 1

1 1 0 0 0

0 0 0 0 0

1 1

1 0 0 1

0 1 1 0

1 1 1 1 1 1 1

1 1 1

1 1 0 0 0 1 1

0 0 0 0 0 0 0

1 1 1 1

1 1

1 0 0 0

0 1 1 0

1

1 1 1 1 1 1 1 1

secret

message

key

intruder

receiver

jurisdiction

B→A:KA A→B:KA(-1) B→A:KAB

freshness

A→B:KA(-1) B→A:KAB

character

A→B:A,B S→A:Ks(-1) A→B:KB B→S:B,A S→B:Ks(-1) B→A:KA A→B:KB

1 1 1 1 1 1 1 1 1 1 1 1 1 Needam Shroeder protocol 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 Nesset protocol 1 1 1 1 1 1 Nesset protocol - supplemented 1 1 1 1 1 1 1 1 1 Woo and Lama protocol 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 Woo and Lama protocol - id(A) caught by intruder I 1 1 1 1 1 1 1 1 1 1 1 1 1 1 Andrew RPC protocol 1 1 1 1 1 1 1 1 1 1 1 Attack on protocol RPC 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 Low protocol 1 1 1 1 1 1 1 1 1 1 1

nonce

A→B:A,KAB B→A:KAB A→B:A,KAB B→A:KAB

sender

server

Andrew Secure Handshake protocol

1

The alpha parameter plays the role of a scaling factor. All parameters are obtained as a result of experiments regarding the specific character of communication protocols subjected to the analysis. The investigation is realized in real time according to the communication run process. The results of the investigation are presented in table 3. A graphical result presentation is depicted in fig. 4, in relation to particular protocols. The modeling process of security level changes is connected with the determination of transition state probabilities and time parameters for activated attributes. The set of clocks is adequate to a set of attributes whose level depends on time. For example, there are attributes such as: a shared key, the freshness of messages and nonces, etc. Therefore, the clock is switched on when rules indicate a given attribute for the first time in order to correct it. The evaluation of probability concerning the state transition is a more complex problem. Theoretically, the transition probability p(c, j) (where c - the code of a current

Henryk Piech et al. / Procedia Computer Science 112 (2017) 147–156 Henryk Piech, Grzegorz Grodzki / Procedia Computer Science 00 (2017) 000–000

156 10

Table 3. The results of attribute value correction during the realization of a run. operation N

users

1 2 3 4 5 6 7 8 9 10 11 12

1 1 0,3679 0,3679 0,3679 0,3679 1 1 1 1 1 0,3679

believing honesty 0,7 0,63 0,7 0,63 0,567 0,5103 0,567 0,5103 1 1 1 0,4593

in

freshness

shared key

jurisdiction

1 0,9918 1 1,0000 0,9918 0,9850 0,8347 0,6988 1 1 1 0,4512

0,5 0,5 0,5 0,485 0,4705 0,4563 0,5 0,5 1 0,97 0,97 0,4426

1 1 0,8 0,64 0,512 0,4096 1 1 1 0,5 0,5 0,32768

additional information 1 1 1 1 1 1 1 1 1 1 1 1

j=0

j=1

j=2

j=3

j=k=4 id(1)=1

i id(2)=3

id(3)=4=id(s)

Fig. 4. An example illustration of changes with respect to state paths. In this case number of all attributes n=5, the number of stages k=4, the number of different tokens among initial and final stages s=3.

state, j - the one of feasible states, i.e. reachable), depends on distances between the current value of an attribute ati and a given security threshold thi . The security forecast are created both separately (exploiting i.e. parallel conversion platform) and integrally (on base of intuition probabilistic approach), what gives us many sided analyze method of threat recognitions. References 1. Bao F, Deng R.: An efficient fair exchange protocol with an off-line semi-trusted third party. In: Proceedings of international workshop on cryptographic techniques and E-commerce, 3747, 1999, 2. Burrows M., Abadi M., Needham R., A Logic of Authentication. Robert Harper., Logics and Languages for Security, 15819, 2007, 3. Cerone A.., Maggiolo Schettini A.: Time based expressivity of time Petri nets for system specification, Theoretical Computer Science, vol. 216, 1-53, 1999, 4. Damgard I.: Towards practical public key systems secure against chosen ciphertext attacks, in: Crypto 1991, Lecture Notes in Computer Science, vol. 576, 445456, 1992, 5. Franklin M, Reiter M.: Fair exchange with a semi-trusted third party. In: Proceedings of ACM conference on computer and communications security, Zurich, Switzerland, 15, 1997, 6. Gjosteen K.: A new security proof for Damgards ElGamal, in: RSA Conference, Cryptographers Track (CT-RSA 2006), Lecture Notes in Computer Science, vol. 3860, 150158, 2006, 7. Golle P., Jarecki S., Mironov I.: Cryptographic Primitives Enforcing Communication and Storage Complexity, Financial Cryptography (FC 2003), Lecture Notes in Computer Science, vol. 2357, 120135, 2003, 8. Jensen K., Rozenberg G.: High-level Petri Nets theory and application, Berlin Springer Verlag, 1991, 9. Lanotte R., Maggiolo-Schettini A., Troina A.: Information Flow Analysis for Probabilistic Timed Automata. Proc. of FAST04, Springer IFIP 173, Toulouse, France, August 2004, 10. Peterson J.L.: Petri net theory and the modeling of systems, New York, Prentice Hall, 1981, 11. Petri C.A.: Advanced Course on General Net Theory of Processes and Systems, London, Springer Verlag, 1979, 12. Piech H., Grodzki G.: Parallel Real Time Investigation of Communication Security Changes Based on Probabilistic Timed Automata, Business Information Systems (BIS 2016), Lecture Notes in Business Information Processing, vol. 255, 158-168, Springer Int Publishing AG, 2016, 13. Szpyrka M.: Fast and flexible modeling of real-time systems with RTCP- nets, Computer Science, 81-94, 2004, 14. Zuberek W.M.: Timed Petri nets, definitions, properties, and applications, Microelectronics and Reliability, vol. 31, no. 4, 627-644, 1991.