research-article

Open Access

FVF-AKA: A Formal Verification Framework of AKA Protocols for Multi-server IoT

Authors:
Yuan Fei

Shanghai Normal University, China

Shanghai Normal University, China

0000-0002-0977-2256
View Profile

,
Huibiao Zhu

East China Normal University, China

East China Normal University, China

0000-0002-0214-8565
View Profile

,
Jiaqi Yin

Northwestern Polytechnical University, China

Northwestern Polytechnical University, China

0000-0002-6213-5520
View Profile

Authors Info & Claims

Formal Aspects of Computing Volume 35 Issue 4Article No.: 21pp 1–36https://doi.org/10.1145/3599731

Published:20 November 2023Publication History

Formal Aspects of Computing

Abstract

As IoT in a multi-server environment increases resources’ utilization, more and more problems of IoT authentication and key agreement are being revealed. The Authentication and Key Agreement (AKA) protocol plays an important role in solving these problems. Many AKA protocols have been proposed, and some of them support their own verifications. However, a unifying verification framework for multi-server IoT is lacking. In this article, we propose a formal verification framework of AKA protocols for multi-server IoT (FVF-AKA). It supports the construction of CSP models for the AKA protocol, the implementation of the CSP models in PAT with C#, and the verification of formal models. With the help of C#, many complex functions in the AKA protocol can be implemented. We also design an algorithm to support automatic conversion from the CSP model to the PAT model. FVF-AKA can verify four fundamental properties (deadlock freedom, entity legitimacy, timeout delay, and session key consistency). It also supports the verification of security properties for the AKA protocol suffering from four different attacks (relay attacks, denial of service attacks, server spoofing attacks, and session key attacks). Our approach can be applied to most AKA protocols for multi-server IoT generally. By applying FVF-AKA to two AKA protocols, we can verify whether they satisfy the fundamental properties and analyze their security properties in vulnerable environments. Our work would help to analyze the AKA protocol for multi-server IoT and provide the foundation for the analysis of enhancing its security and robustness.

1 INTRODUCTION

The continuous development of the Internet of Things (IoT) gives rise to more problems of IoT authentication and key agreement. The IoT in a multi-server environment provides efficient resource utilization for users, which also introduces security issues such as the leakage of private information. Authentication and Key Agreement (AKA) protocols play an important role in solving these problems [29, 57, 58]. They can prevent unauthorized users from gaining protected data and help the entities to compute the shared secret session key [11]. The first contribution was provided by Lamport [33] in 1981, who proposed an authentication technique using the password in untrusted networks. As Lamport’s technique depends on the password table, the server may suffer from stolen-verifier attacks. Thus, Shamir [47] introduced the concept of identity-based cryptosystems. Chen et al. [16] presented two identity-based AKA protocols to support provable security in the Bellare-Rogaway (BR) model [8]. Based on a secure key encapsulation mechanism primitive, a generic approach was proposed by Boyd et al. [12] for designing AKA protocols. Huang and Cao [23] put forward a new ID-based two-party authenticated key exchange (AKE) protocol, which is provably secure in the eCK model. Ni et al. [42] proposed a strongly secure identity-based two-party AKA protocol. It can capture many desirable security properties, such as perfect forward secrecy and ephemeral secrets reveal resistance. Smart [49] suggested an identity-based AKA protocol based on Weil pairing. Wang et al. [56] introduced an efficient perfect forward-secure identity-based key agreement protocol in the escrow mode and proved its security in the random oracle model. Sood et al. [50] presented a dynamic identity-based multi-server authentication protocol. Li et al. [36] criticized that the protocol in [50] lacks attack protection and suggested a countermeasure protocol. Xue et al. [59] declared that the protocol in [36] could not protect against several security threats and put forward an improved version of the protocol.

Although many AKA protocols have been proposed, only several works [42, 56] have provided verifications of their own AKA protocols, most of which involve fundamental properties. Yet there are only a few works about AKA protocols for multi-server IoT. Meanwhile, there is a lack of a unifying verification framework to support the verification of AKA protocols. In addition, the tools that are often used to verify AKA protocols such as AVISPA and ProVerif require users to grasp relatively complex knowledge. Therefore, it is necessary to improve the legibility and usability of the method while supporting the description of the multi-server feature. Based on the legibility of Communicating Sequential Processes (CSPs), we build a formal verification framework of AKA protocols for multi-server IoT (FVF-AKA). We implement our CSP models into the model checker Process Analysis Toolkit (PAT) with C# integrated. To the best of our knowledge, our work is the first to integrate C# into PAT to support modeling and verification for AKA protocols. We also design an automatic conversion algorithm implemented in Python, which supports the conversion from the CSP model to the PAT model conveniently. As far as we are aware, we are the first to provide formal model conversion for AKA protocols.

The remainder of this article is organized as follows. In Section 2, we briefly introduce the AKA protocol for multi-server IoT and process algebra CSP. Meanwhile, we also propose the framework FVF-AKA. Sections 3 and 4 are devoted to applying FVF-AKA to Xue et al.’s AKA protocol [59] and Bae and Kwak’s AKA protocol [26], respectively. Section 5 provides an automatic conversion from the CSP model to the PAT model. In Section 6, we verify four fundamental properties (deadlock freedom, entity legitimacy, timeout delay, and session key consistency). Section 7 studies four common attacks (replay attacks, denial of service (DoS) attacks, server spoofing attacks, and session key attacks) during the running of the AKA protocol and verifies the corresponding four security properties. The related work is illustrated in Section 8. Finally, Section 9 concludes the article and discusses future work.

2 PRELIMINARIES

In this section, we introduce AKA protocols for multi-server IoT and process algebra CSP. Meanwhile, we also design the FVF-AKA.

2.1 AKA Protocols for Multi-server IoT

Multi-server architectures are applied in IoT for better resource utilization. Users register on many service-providing servers to access numerous network services, but it is difficult for them to remember different identities and passwords. More importantly, communication in multi-server architectures of a wireless environment is vulnerable to malicious attacks. In order to provide convenience to users while protecting user privacy, AKA protocols for multi-server IoT are proposed [26, 59]. There are usually three types of entities in the AKA protocol, which are also depicted in the upper left picture of Figure 1. They are the user, service-providing server (SPS), and control server (CS). SPSs provide services to users. CS is responsible for the user’s registration and authentication, which is a trusted third party. Common notations used in the AKA protocol for multi-server IoT are illustrated in Table 1. The registration phase and authentication phase are two important phases in the AKA protocol. In the registration phase, the user and SPS complete their registrations on CS, respectively. In the authentication phase, the user, SPS, and CS can share the same session key to support subsequent secure data transmission.

Table 1.

Type	Notation
Entity	$U_i$ (the ith user), $S_j$ (the jth service providing server), CS (the control server)$~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~$
Identity	$ID_i$ (the identity of $U_i$), $SID_j$ (the identity of $S_j$)$~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~$
Random number	$N_{i1}$, $N_{i2}$, $N_{i3}$ (random numbers chosen by $U_i$, $S_j$, and CS)$~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~$
Operation	$\oplus$ (the bitwise XOR operation), h($\cdot$) (a one-way hash function),$\Vert$ (the bitwise concatenation operation)$~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~$

View Table

Table 1. Common Notations Used in AKA Protocols for Multi-server IoT

Fig. 1. A formal verification framework of AKA protocols for multi-server IoT (FVF-AKA).

The verifier table is designed for CS to record user-related information during the registration phase. CS can retrieve the corresponding user-related information during the authentication phase to compute special elements. We select two relatively mature AKA protocols based on whether they have a verifier table or not. One is an identity-based AKA protocol without verifier tables proposed by Xue et al. [59]. It improved the protocol proposed by Li et al. [36] to resist some types of known attacks. The other is a relatively new AKA protocol with verifier tables introduced by Bae and Kwak [26]. It can respond to several security threats. The AKA protocols focus on the communication process between users and servers to establish a session key shared between the entities, which is the biggest similarity between most of the AKA protocols. The difference is that Bae and Kwak’s and Xue et al.’s protocols are two typical protocols with verifier tables and without verifier tables, respectively.

Xue et al.’s protocol is a typical AKA protocol without verifier tables, while Bae and Kwak’s protocol is a typical AKA protocol with verifier tables. Fortunately, FVF-AKA supports the modeling of both, which reflects that we provide support for these two basic types. We make the article more comprehensive by describing how our framework models different classes of AKA protocols. Specifically, to further support modeling the AKA protocol with verifier tables, we have added a formal description of the verifier table in the framework. For example, we give actions checkUID and StoreTable (highlighted with gray in Table 3) in the CSP model. Meanwhile, functions BuildStoreTable() and BuildCheckUID() involved in the automatic conversion (in Section 5) assist to construct the PAT codes of the two actions, which are also highlighted with gray in Table 4.

Table 2.

View Table

Table 2. The CSP Models of Entities in Xue et al.’s AKA Protocol

Table 3.

View Table

Table 3. The CSP Models of Entities in Bae and Kwak’s AKA Protocol

Table 4.

Function	Explanation
BuildAssignment()	It builds the PAT code of value assignment action, which adds the data in the action parameter to entity’s corresponding storage structure.
BuildRAND()	It builds the PAT code of value assignment action, which generates a random number by calling the C++ function and inserts it into the entity’s corresponding storage structure.
BuildTimestamp()	It builds the PAT code of timestamp process action, which generates the timestamp by calling the C# function Timestamp() and puts it into the entity’s corresponding storage structure.
BuildCheckDelay()	It builds the PAT code of timestamp process action, which compares the received timestamp and the current timestamp to check the time delay by calling the C# functions EndSession() and Timestamp().
BuildSend()	It builds the PAT code of message transition action, which takes the elements ready to be sent out of the entity’s corresponding storage structure and sends them through the related channel.
BuildReceive()	It builds the PAT code of message transition action, which gets elements from related channels and stores them into the entity’s corresponding storage structure.
BuildCompute()	It builds the PAT code of element computation action, which uses the related parameters to call the corresponding function to complete the computation task.
BuildComputeCheck()	It builds the PAT code of element computation action with check, which determines whether the element value obtained by calling the corresponding function is the same as the element value stored in the entity’s corresponding storage structure or not.
BuildStoreTable()	It builds the PAT code of verifier table process action, which adds the corresponding element into the verifier table.
BuildCheckUID()	It builds the PAT code of verifier table process action, which verifies whether the corresponding element is in the verifier table.

View Table

Table 4. The Explanation of Functions for Building PAT Process

2.2 CSP

In this subsection, we give a short introduction to formal methods of CSP [13, 22]. It is a process algebra proposed by Hoare in 1978. As one of the most mature formal methods, it is tailored for describing the interaction between concurrency systems by mathematical theories. Because of its well-known expressive ability, CSP has been widely used in many fields [20, 40, 44, 45].

CSPs are constituted by primitive processes and actions. We use the following syntax to define the processes in this article, whereby ${\it P}$ and ${\it Q}$ represent processes, and the alphabets $\alpha ({\it P})$ and $\alpha ({\it Q})$ mean the set of actions that the processes ${\it P}$ and ${\it Q}$ can take, respectively. ${\it a}$ and ${\it b}$ denote the atomic actions, and ${\it c}$ stands for the name of a channel. In addition, ${\it e}$, ${\it x}$, and ${\it B}$ represent the message, the variable, and the condition, respectively: $\begin{align*} {\it P,Q =} ~& {\textit {S}kip} \mid {\textit {S}top} \mid {\it a} \rightarrow {\it P} \mid {\it c?x} \rightarrow {\it P} \mid {\it c!e} \rightarrow {\it P} \mid {\it P}\, \Box {\it Q} \\ & \mid {\it P}\Vert {\it Q} \mid {\it P}|||{\it Q} \mid {\it P} \lhd {\it B} \rhd {\it Q} \mid {\it P;Q} \mid {\it P}[[{\it a}\leftarrow {\it b}]], \end{align*}$ where:

•	${\textit {S}kip}$ stands for a process that only terminates successfully.
•	${\textit {S}top}$ represents that the process does nothing and its state is a deadlock.
•	${\it a}\rightarrow {\it P}$ first performs action ${\it a}$, then behaves like ${\it P}$.
•	${\it c?x} \rightarrow {\it P}$ receives a message by channel ${\it c}$ and assigns it to variable ${\it x}$, then does the subsequent behavior like ${\it P}$.
•	${\it c!e} \rightarrow {\it P}$ sends a message ${\it e}$ through channel ${\it c}$, then performs ${\it P}$.
•	${\it P}\,\square {\it Q}$ acts like either ${\it P}$ or ${\it Q}$ and the environment decides the selection.
•	${\it P}\parallel {\it Q}$ shows the parallel composition between ${\it P}$ and ${\it Q}$.
•	${\it P}\|\|\|{\it Q}$ indicates that the process chooses to perform actions in ${\it P}$ and ${\it Q}$ interleavingly.
•	${\it P} \lhd {\it B} \rhd {\it Q}$ denotes that if the condition ${\it B}$ is true, the process behaves like ${\it P}$, otherwise, like ${\it Q}$.
•	${\it P;Q}$ executes ${\it P}$ and ${\it Q}$ sequentially.
•	${\it P}[[{\it a}\leftarrow {\it b}]]$ changes event ${\it a}$ to event ${\it b}$.

Model checker PAT [53] is designed as an extensible and modularized framework based on CSP. Different model checking techniques are implemented in PAT, supporting many assertions, such as deadlock freeness and reachability [48].

2.3 Formal Verification Framework of AKA Protocols for Multi-server IoT

As AKA protocols for multi-server IoT lack a unifying verification framework, we design the FVF-AKA. It can provide better security verification supporting future AKA protocols for multi-server IoT. As shown in Figure 1, FVF-AKA consists of the following five steps:

•	Modeling entities: We model the messages transmitted between entities to support the simulation of information transmission in the AKA protocol for multi-server IoT. The local storage of entities is also modeled for message storage. Equipped with C#, we can support the computations in entities of the AKA protocol, including hash function, bitwise XOR operation, and bitwise concatenation operation.
•	Building CSP models for two phases: The registration phase and authentication phase are two important phases in the AKA protocol. Entities, including the user, service-providing server, and control server, behave differently in different phases. CSP models mainly formalize the data transmission between entities and the element calculation of the entity itself in two phases.
•	Verifying fundamental properties: We design an automatic conversion algorithm for convenience, which supports the conversion from CSP models to PAT models. After the CSP model is implemented in model checker PAT, four fundamental properties are formalized and verified. They are deadlock freedom, entity legitimacy, timeout delay, and session key consistency. The property of deadlock freedom ensures that the model has no deadlock. Meanwhile, the property of entity legitimacy shows whether the entities are legal, and different AKA protocols have different ways of judging the legitimacy of entities. The property of timeout delay means that the session delay time needs to be within the specified time interval during the processing. The property of session key consistency indicates that the user, service-providing server, and control server share the same session key.
•	Adding intruders to CSP models for different attacks: To characterize when the AKA protocol is in a vulnerable environment, we introduce intruders into the CSP models, which can perform different attacks. These four common attacks are relay attack, DoS attack, server spoofing attack, and session key attack. A replay attack indicates that an intruder sends the data eavesdropped before to the entity. A DoS attack refers to a malicious intruder sending many requests to make the system overload, which thereby interferes with legitimate requests seriously. In a server spoofing attack, an intruder intercepts the information sent from the user to the service-providing server and then pretends to be the server to communicate with the user and CS. A session key attack means that an intruder can monitor the information on the public channel and use it to infer the session key. For data security, the protocol needs to ensure that the session key cannot be inferred from the information eavesdropped on by intruders.
•	Verifying security properties: We also verify the four security properties (success relay attack, success denial of service attack, success server spoofing attack, and success session key attack) to check whether the AKA protocol can prevent the four attacks. Before the “attack” we have the word “success,” which means the attack was performed successfully. For example, the property of success replay attack indicates that a relay attack occurs in the system. Measures should be taken in the protocol to prevent replay attacks, such as using timestamps. To prevent DoS attacks, the protocol needs a mechanism to recognize malicious requests as soon as possible. For the security of user information, the protocol should be alert to server spoofing attacks to avoid the impersonation of the server. The prevention of session key attacks is very important, because the protocol needs to ensure that the session key cannot be inferred from the information eavesdropped by intruders. We can observe whether the mechanism adopted in the AKA protocol is effective to prevent attacks by the verification results.

3 CASE STUDY OF MODELING XUE ET AL.’S AKA PROTOCOL

In this section, we introduce the lightweight dynamic pseudonym identity-based AKA protocol for multi-server IoT proposed by Xue et al. [59]. It is the first case study of our framework FVF-AKA. We model the behaviors of the entities in the AKA protocol in different phases to build CSP models. Finally, the CSP models are converted into PAT models supported by C#.

3.1 A Lightweight Dynamic Pseudonym Identity-based AKA Protocol for Multi-server IoT

Xue et al. discovered that Li et al.’s protocol [36] cannot resist some types of known attacks and proposed a lightweight dynamic pseudonym identity-based AKA protocol for multi-server architecture [59]. Their protocol not only includes the security features in Li et al.’s protocol but also provides some other security features, such as traceability and identity protection. This protocol is well suited for deployment within a multi-server IoT environment, as it supports multi-server architectures.

3.1.1 Registration Phase.

Figure 2 shows the registration phase in Xue et al.’s protocol. Here, the dotted line represents the secure channel, and the solid line represents the public channel. The user U$_i$ chooses a random number d and his/her password P$_i$. U$_i$ computes A$_i$=h(b$\Vert$P$_{i}$) and sends the message $\lbrace$ID$_i$, b, A$_i$$\rbrace$ to CS (step 1 in Figure 2). The control server CS chooses two random numbers x and y. CS computes PID$_i$=h(ID$_i$$\Vert$b) and B$_i$=h(PID$_i$$\Vert$x). $PID_i$ is the protected pseudonym identity of $U_i$. Then B$_i$ is submitted to U$_i$ by CS (step 2 in Figure 2). After receiving the message from CS, U$_i$ computes C$_i$=h(ID$_i$$\Vert$A$_i$) and D$_i$. In addition, we find an error in Xue et al.’s protocol about the computation of D$_i$. It should be changed to D$_i$=B$_i$$\oplus$C$_i$; otherwise the session key SK cannot be unified. They are included in the smart card, which is (C$_i$, D$_i$, h($\cdot$), b) (step 3 in Figure 2).

Fig. 2. Registration phase in Xue et al.’s protocol.

The service-providing server S$_j$ first selects a random number d and sends it to CS with its identity SID$_j$ (step 4 in Figure 2). Then, CS computes PSID$_j$=h(SID$_j$$\Vert$d) and BS$_j$=h(PSID$_j$$\Vert$y) and transmits BS$_j$ to S$_j$ (step 5 in Figure 2). PSID$_j$ is the protected pseudonym identity of S$_j$.

3.1.2 Authentication Phase.

Figure 3 illustrates the authentication phase in Xue et al.’s protocol, which includes five steps. Step 1 and step 5 describe the computation and message transmission of user U$_i$. Step 2 and step 4 give the computation and message transmission of server S$_i$. The computation and message transmission of server S$_i$ are denoted in step 3.

Fig. 3. Authentication phase in Xue et al.’s protocol.

STEP 1.	A current timestamp value TS$_i$ is created by U$_i$. U$_i$ also selects a random number N$_{i1}$. Then U$_i$ computes B$_i$, F$_i$, P$_{ij}$, CID$_i$, and G$_i$ as below: $\begin{align} &{B_i}= {D_i}\oplus {C_i}~~~{F_i}= {B_i}\oplus {N_{i1}}~~~{P_{ij}}= {h}({B_i}\oplus {h}({N_{i1}}\Vert {SID_j}\Vert {PID_i}\Vert {TS_i}))\\ &{CID_{i}}= {ID_i}\oplus {h}({B_i}\Vert {N_{i1}}\Vert {TS_i}\Vert ``00\hbox{''}))~~~{G_{i}}= {b}\oplus {h}({B_i}\Vert {N_{i1}}\Vert {TS_i}\Vert ``11\hbox{''})) \end{align}$ Here “00” and “11” represent a 2-bit binary “0” and a 2-bit binary “1,” respectively. After the computation, the user U$_i$ sends the message $\lbrace$F$_i$, P$_{ij}$, CID$_i$, G$_i$, PID$_i$, TS$_i$$\rbrace$ to the service-providing server S$_j$.
STEP 2.	When S$_j$ receives the message from U$_i$, it checks the session delay. TS$_j$ and $\Delta$T are assumed to be the current time and the tolerable time interval, respectively. If TS$_j$ - TS$_j$ $\gt$ $\Delta$T, the session times out and S$_j$ terminates the session. Otherwise, the following operations are performed by S$_j$. It chooses a random number N$_{i2}$ and computes J$_i$, K$_i$, L$_i$, and M$_i$ as below: $\begin{align} &{J_i}= {BS_j}\oplus {N_{i2}}~~~{L_i}= {SID_{j}}\oplus {h}({BS_{j}}\Vert {N_{i2}}\Vert {TS_{i}}\Vert ``00\hbox{''})\\ &{K_i}= {h}({N_{i2}}\Vert {BS_j}\Vert {P_{ij}}\Vert {TS_{i}})~~~{M_{i}}= {d}\oplus {h}({BS_{j}}\Vert {N_{i2}}\Vert {TS_{i}}\Vert ``11\hbox{''}) \end{align}$ The message $\lbrace$F$_i$, P$_{ij}$, CID$_i$, G$_i$, PID$_i$, TS$_i$, J$_i$, K$_i$, L$_i$, M$_i$, PSID$_j$$\rbrace$ is submitted to CS by S$_j$.
STEP 3.	At first, CS checks whether the session delay is within the time interval $\Delta$T when getting the message from S$_j$. TS$_{CS}$ is assumed to be the current time. If TS$_{CS}$ - TS$_i$ $\gt$ $\Delta$T, the session times out and CS ends the session. Otherwise, CS computes BS$_j$=h(PSID$_j$$\Vert$y), N$_{i2}$=J$_i$$\oplus$BS$_j$, and K’=h(N$_{i2}$$\Vert$BS$_{j}$$\Vert$P$_{ij}$$\Vert$TS$_{i}$). CS verifies whether K$_{i}^{\prime }$ is equal to K$_{i}$ or not. If not, the session is terminated by CS. Otherwise, CS calculates the following elements: $\begin{align} &{ B_i}= { h}({ PID_{i}}\Vert { x})~~~{ N_{i1}}={ F_{i}}\oplus { B_i}~~~{ ID_i}= { CID_{i}}\oplus { h}({ B_{j}}\Vert { N_{i1}}\Vert { TS_{i}}\Vert ``00\hbox{''})\\ &{ SID_{i}}= { L_{i}}\oplus { h}({ BS_{j}}\Vert { N_{i2}}\Vert { TS_{i}}\Vert 11\hbox{''})~~~{ P_{ij}^{\prime }}= { h}({ B_{i}}\oplus { h}({ N_{i1}}\Vert { SID_{j}}\Vert { PID_{i}}\Vert { TS_{i}})) \end{align}$ Then CS verifies the equivalence between P$_{ij}$ and P$_{ij}^{\prime }$. If they are equal, CS finishes the session. Otherwise, CS calculates b, d, PID$_i^{\prime }$, and PSID$_{j}^{\prime }$ as below: $\begin{align} &{ b}= { G_{i}}\oplus h({ B_{i}}\Vert { N_{i1}}\Vert { TS_{i}}\Vert ``11\hbox{''})~~~{ PID_i^{\prime }}= { h} ({ ID_{i}}\Vert { b})\\ &{ d}={ M_{i}}\oplus { h}({ BS_{j}}\Vert { N_{i2}}\Vert { TS_{i}}\Vert ``11\hbox{''})~~~{ PSID_{j}^{\prime }}= { h}({ SID_{j}}\Vert { d}) \end{align}$ CS verifies whether PID$_i^{\prime }$ and PSID$_j^{\prime }$ equal PID$_i$ and PSID$_j$, respectively. If not, CS terminates the session. Otherwise, CS confirms that the messages are from legal U$_i$ and S$_j$. A random number N$_{i3}$ is selected, and CS computes P$_i$, Q$_i$, R$_i$, and V$_i$ as below: $\begin{align} &{ \textit{P_{i}}}= { N_{i1}}\oplus{ N_{i3}}\oplus h({ SID_{j}}\\|{ N_{i2}}\\|{ BS_{j}})~~~{ Q_{i}}={ h}({ N_{i1}}\oplus{ N_{i3}})\\ &{ R_i}= { N_{i2}}\oplus { N_{i3}}\oplus{ h}({ ID_{i}}\\|{ N_{i1}}\\|{ B_{i1}})~~~{ V_{i}}= { h}({ N_{i2}}\oplus { N_{i3}}) \end{align}$ Then CS transmits the message $\lbrace$P$_i$, Q$_{i}$, R$_i$, V$_i$$\rbrace$ to S$_i$. CS also computes the session key SK as below: $\begin{align} &{ SK}={ h}(({ N_{i1}}\oplus { N_{i2}}\oplus { N_{i3}})\Vert { TS_{i}}) \end{align}$
STEP 4.	When S$_{j}$ receives the message from CS, it computes N$_{i1}$$\oplus$N$_{i3}$ and Q$_{i}^{\prime }$ as below: $\begin{align} &({ N_{i1}}\oplus { N_{i3}})^{\prime }= { P_{i}}\oplus { h} ({ SID_{i}}\Vert { N_{i2}}\Vert { BS_{j}})~~~{ Q_{i}^{\prime }}={ h}(({ N_{i1}}\oplus { N_{i3}})^{\prime }) \end{align}$ Then S$_{j}$ verifies whether Q$_{i}^{\prime }$ and Q$_{i}$ are equal or not. If not, S$_{j}$ finishes the session. Otherwise, S$_{j}$ verifies the legitimacy of CS and U$_{j}$. After the verification, S$_{j}$ transmits the message $\lbrace$R$_{i}$, V$_{i}$$\rbrace$ to U$_{i}$. The session key SK$^{\prime }$ can be obtained by S$_{j}$ as below: $\begin{align} &{ SK^{\prime }}={ h}(({ N_{i2}}\oplus ({ N_{i1}}\oplus { N_{i3}})^{\prime })\Vert { TS_{i}}) \end{align}$
STEP 5.	When receiving the message from S$_{j}$, U$_{i}$ computes (N$_{i2}$$\oplus$N$_{i3}$)$^{\prime }$ and V$_{i}^{\prime }$: $\begin{align} &({ N_{i2}}\oplus { N_{i3}})^{\prime }= { R_{i}}\oplus { h} ({ ID_{i}}\Vert { N_{i1}}\Vert { B_{i}})~~~{ V_{i}^{\prime }}={ h}(({ N_{i2}}\oplus { N_{i3}})^{\prime } \end{align}$ Then U$_{i}$ checks whether V$_{i}^{\prime }$ is equal to V$_{i}$. If not, the session is terminated by U$_{i}$. Otherwise, U$_{i}$ verifies the legitimacy of CS and S$_{i}$. U$_{i}$ computes the session key SK$^{\prime \prime }$ as below: $\begin{align} &{ SK^{\prime \prime }}={ h}(({ N_{i1}}\oplus ({ N_{i2}}\oplus { N_{i3}})^{\prime })\Vert { TS_{i}}) \end{align}$

3.2 Building CSP Model for Xue et al.’s AKA Protocol

In this subsection, we formalize the notation in the AKA protocol and construct the CSP models of the AKA protocol. The CSP model of the whole protocol consists of two parts, which represent the performance of entities in the registration phase and authentication phase, respectively. Meanwhile, the user, SPS, and CS in the AKA protocol are modeled separately.

3.2.1 Modeling Xue et al.’s AKA Protocol.

We design set ComputingSet based on the notations in the protocol. The variables in uppercase letters carry values generated by the current entity, and the variables in lowercase letters store values received from other entities. Without intruders, variables with the same letter and different capitalizations should carry the same value. The messages are modeled in set MSG$_{reg}$ and MSG$_{auth}$ for two phases in the protocol. ComputingSet, MSG$_{reg}$, and MSG$_{auth}$ are defined as below: \(\begin{align*} { ComputingSet}=~&\lbrace { A_i},{ B},{ ID_i},{ C_{i}},{ PID_i},{ D_i},{ N_{i1}},{ N_{i2}},{ N_{i3}},{ TS_{i}},{ B_{i}},{ F_{i}},{ P_{ij}},{ CID_{i}},{ G_{i}},{ V_{i}},{ SID_{j}},{ D},{ BS_{j}},\\ &{ TS_{i}},{ J_{i}},{ K_{i}},{ L_{i}},{ M_{i}},{ PSID_{j}},{ Q_{i}},{ PSID_{j}},{ R_{i}},{ V_{i}},{ K_{i}},{ B_{i}}\rbrace \\ &\cup \lbrace { a_i},{ b},{ id_i},{ c_i},{ b_i},{ f_i},{ p_i},{ p_{ij}},{ cid_{i}},{ g_{i}},{ pid_{i}},{ ts_{i}},{ r_{i}},{ v_{i}},{ j_{i}},{ k_{i}},{ l_{i}},{ m_{i}},{ psid_{i}}\rbrace \\ { MSG{_{reg}}}=~&\left\lbrace \begin{array}{l} { msg{_{reg}}}.{ ID_i}.{ B}.{ A_i},{ msg{_{reg}}}.{ id_i}.{ b}.{ a_i},{ msg{_{reg}}}.{ B_i},{ msg{_{reg}}}.{ b_i},{ msg{_{reg}}}.{ SID_j}.{ D},\\ { msg{_{reg}}}.{ sid_j}.{ d},{ msg{_{reg}}}.{ BS_j},{ msg{_{reg}}}.{ bs_j} \end{array} \right\rbrace \\ { MSG{_{auth}}}=~&\left\lbrace \begin{array}{l} { msg{_{auth}}}.{ F_i}.{ P_{ij}}.{ CID_{i}}.{ G_{i}}.{ PID_i}.{ TS_i}, { msg{_{auth}}}.{ f_i}.{ p_{ij}}.{ cid_{i}}.{ g_{i}}.{ pid_i}.{ ts_i},\\ { msg{_{auth}}}.{ F_i}.{ P_{ij}}.{ CID_{i}}.{ G_{i}}.{ PID_{i}}.{ TS_{i}}.{ J_{i}}.{ K_{i}}.{ L_{i}}.{ M_{i}}.{ PSID_{j}},\\ { msg{_{auth}}}.{ f_i}.{ p_{ij}}.{ cid_{i}}.{ g_{i}}.{ pid_{i}}.{ ts_{i}}.{ j_{i}}.{ k_{i}}.{ l_{i}}.{ m_{i}}.{ psid_{j}},\\ { msg{_{auth}}}.{ P_i}.{ Q_{i}}.{ R_{i}}.{ V_{i}},{ msg{_{auth}}}.{ p_i}.{ q_{i}}.{ r_{i}}.{ v_{i}},{ msg{_{auth}}}.{ R_i}.{ V_i},{ msg{_{auth}}}.{ r_i}.{ v_i} \end{array} \right\rbrace \end{align*}\)

We also give the declaration of channel ComUS, ComCS, and ComUC to support the communication between entities: $\begin{eqnarray*} &{\bf Channel}~{ComUS}, { ComCS}, { ComUC}:{ MSG{_{reg}}},{ MSG{_{auth}}}\nonumber \nonumber \end{eqnarray*}$

Xue et al.’s AKA protocol is implemented in process Protocol$\_$X(), which is illustrated as below: $\begin{align*} { Protocol}&{ \_X}()=_{df}~~\\ &{ Protocol}{ \_X}{ \_Reg}({ UserID},{ ServerID});{ Protocol}{ \_X}{ \_Auth}({ UserID},{ ServerID}); \end{align*}$

Here, processes Protocol$\_$X$\_$Reg() and Protocol$\_$X$\_$Auth() model the registration phase and authentication phase, respectively. UserID and ServerID mean the identity of the user and server. The definitions of Protocol$\_$X$\_$Reg() and Protocol$\_$X$\_$Auth() are as below: $\begin{align*} { Protocol}&{ \_X}{ \_Reg}(i,j)=_{df}~~\\ &Initialization\rightarrow { SKIP};({ User\_X}{ \_Reg}(i)\Vert { Server\_X}{ \_Reg}(i)\Vert { CS\_X}{ \_Reg}(i,j));\\ { Protocol}&{ \_X}{ \_Auth}(i,j)=_{df}~~\\ &{ User\_X}{ \_Auth}(i,j)\Vert { Server\_X}{ \_Auth}(i,j)\Vert { CS\_X}{ \_Auth}(i,j); \end{align*}$

Here, the Initialization action includes the initialization of each entity’s local storage information, as well as Boolean variables used in subsequent verification, such as s$\_$check$\_$q, which will store the result of SPS’s judgment on whether Q$_{i}$ and Q$_{i}^{\prime }$ are equal. Processes User$\_$X$\_$Reg(), Server$\_$X$\_$Reg(), and CS$\_$X$\_$Reg() capture the behavior of the user, SPS, and CS in the registration phase, respectively. Processes User$\_$X$\_$Auth(), Server$\_$X$\_$Auth(), and CS$\_$X$\_$Auth() describe the behavior of the user, SPS, and CS in the authentication phase, respectively. The communication between all processes is shown in Figure 4

Fig. 4. The communication between interprocesses for Protocol $\_$ X().

. The modeling of the user, SPS, and CS is illustrated as below:

•

User Modeling: User behaviors of different phases are implemented into User$\_$X$\_$Reg() and User$\_$X$\_$Auth(), which are shown in Table 2 (1–2).

(1)	In User$\_$X$\_$Reg(), the user computes A$_i$ and sends it with ID$_i$ and B (represented by b in the protocol description) to CS. After receiving b$_i$ from CS, the user computes C$_{i}$, PID$_{i}$, and D$_{i}$.
(2)	In User$\_$X$\_$Auth(), the user generates a random number N$_{i1}$ and a current timestamp value TS$_{i}$. The user also computes B$_{i}$, F$_{i}$, P$_{ij}$, CID$_{i}$, and G$_{i}$. It sends F$_{i}$, P$_{ij}$, CID$_{i}$, G$_{i}$, PID$_{i}$, and TS$_{i}$ to SPS by channel ComUS. When receiving r$_i$ and v$_i$, the user computes N$_{i2}$$\oplus$N$_{i3}$ and V$_{i}^{\prime }$. Then U$_{i}$ checks whether V$_{i}^{\prime }$ and V$_{i}$ are equal or not. If they are equal, the variable u’$\_$check$\_$v is assigned by true. Otherwise, the session is terminated. If the session keeps on going, the user computes the shared session key SK.

•

SPS Modeling: Processes Server$\_$X$\_$Reg() and Server$\_$X$\_$Auth() implement SPS’s behaviors in the registration phase and authentication phase, respectively. They are illustrated in Table 2 (3–4).

(1)	Process Server$\_$X$\_$Reg() represents the behaviors of SPS in the registration phase. The server sends SID$_j$ and D (represented by d in the protocol description) to CS using channel ComSC. Then bs$_j$ is also received from CS.
(2)	Process Server$\_$X$\_$Auth() illustrates the behaviors of SPS in the authentication phase. The server generates N$_{i2}$ and receives f$_i$, p$_{ij}$, cid$_{i}$, g$_{i}$, pid$_{i}$, and ts$_{i}$ from CS by channel ComUS. Action CheckDelay indicates that SPS checks whether the session delay is within the time interval $\Delta$T. If it is not, the variable timeout is assigned to be true and the session is terminated. If the session keeps on, SPS computes J$_{i}$, K$_{i}$, L$_{i}$, and M$_{i}$. The server then sends F$_i$, P$_{ij}$, CID$_{i}$, G$_{i}$, PID$_{i}$, TS$_{i}$, J$_{i}$, K$_{i}$, L$_{i}$, M$_{i}$, and PSID$_{j}$ to CS by channel ComSC. Then it also receives p$_i$, q$_{i}$, r$_{i}$, and v$_{i}$ from CS by channel ComSC. Then SPS computes N$_{i1}$$\oplus$N$_{i3}$ and Q$_{i}^{\prime }$. Action Check_Q$_{i}$_Q$_{i}^{\prime }$ represents that SPS checks whether Q$_{i}$ and the received q$_{i}$ are equal. If they are, the variable s$^{\prime }\_$check$\_$q is set to true. Otherwise, SPS terminates the session. If the session continues, the server receives R$_{i}$ and V$_{i}$ from the user by channel ComUS. At last, the server computes the shared session key SK.

•

CS Modeling: The behaviors of CS during the registration phase and authentication phase are implemented in CS$\_$X$\_$Reg() and CS$\_$X$\_$Auth(), respectively. They are presented in Table 2 (5–6).

(1)	In process CS$\_$X$\_$Reg(), CS gets id$_i$, b, and a from the user by channel ComUC. The CS computes PID$_{j}$ and B$_{i}$. B$_{i}$ is sent to CS by channel ComUC. CS receives sid$_j$ and d by channel ComSC. The CS computes PSID$_{j}$ and BS$_{j}$. BS$_{j}$ is transmitted to SPS by channel ComSC.
(2)	In process CS$\_$X$\_$Auth(), CS receives f$_i$, p$_{ij}$, cid$_{i}$, g$_{i}$, pid$_{i}$, ts$_{i}$, j$_{i}$, k$_{i}$, l$_{i}$, m$_{i}$, and psid$_{j}$ from channel ComSC. Action CheckDelay checks whether the session delay is within the tolerable time interval $\Delta$T. If it is not, the variable timeout is assigned to be true and the session is terminated. The CS calculates BS$_j$, N$_{i2}$, and K$_{i}^{\prime }$. Action Check$\_$K$_{i}$$\_$K$_{i}^{\prime }$ indicates that CS verifies whether K$_{i}^{\prime }$ is equal to the received k$_{i}$. If they are equal, cs$^{\prime }\_$check$\_$k is assigned to be true. Otherwise, the session is ended. The CS computes B$_{i}$, N$_{i1}$, ID$_{i}$, SID$_{i}$, and P$_{ij}$. In action Check$\_$P$_{ij}$$\_$P$_{ij}^{\prime }$, the CS verifies whether P$_{ij}$ is equal to the received p$_{ij}$. If they are different, CS terminates the session. Otherwise, CS sets cs$^{\prime }\_$check$\_$pij with value true and keeps on computing B, D, PID$_{i}^{\prime }$, and PSID$_{j}^{\prime }$. In action Check$\_$PID$_{i}$$\_$PID$_{i}^{\prime }$ and Check$\_$PSID$_{i}$$\_$PSID$_{i}^{\prime }$, the CS verifies whether PID$_{i}^{\prime }$ and PSID$_{j}^{\prime }$ are equal to the received pid$_{i}$ and psid$_{j}$, respectively. If they are not both equal, CS ends the session. Otherwise, CS assigns cs$^{\prime }\_$check$\_$pid and cs$^{\prime }\_$check$\_$psid with the value true. The CS selects a random number N$_{i3}$ and computes P$_{i}$, Q$_{i}$, R$_{i}$, and V$_{i}$, which are transmitted to SPS by channel ComSC. Finally, CS computes the session key SK.

3.3 Implementation of the CSP Models in PAT and C#

Because PAT is extended based on CSP, channel output/input in PAT can also be used to implement message sending and receiving in CSP. Meanwhile, functions should be implemented to complete the functional actions in the CSP model. As it is difficult to write complex functions in PAT, PAT allows using C# code as libraries. C# classes are built as DLL, which are imported into the PAT model when the functions are used. As a result, we choose to implement our functions in C# language. In the CSP model, the computation in the protocol is described by functional action. In order to convert the CSP model to the PAT model, the PAT model calls the C# functions, which have implemented the computation in the protocol. In this way, we have completed the integration of C# into PAT to support modeling and verification. All the functions are included in a C# class, except the function RAND() written by C++ code. This function is built as DLL and then imported into the C# class.¹ For brevity, we only give several functions as examples here. We divide them into the following five categories according to the functions implemented by the function.

•	Random number generation and hush function: Function Hash() is implemented in C# to support the hashing of elements. We utilize C++ to implement function RAND() that generates a random integer within a fixed range. The assignment statemen (Line 7 of Figure 5) generates a uniformly distributed integer random number between the parameter max and min. In order to save space, only the definition of function RAND() is given here. The assignment statement (Line 7 of Figure 5) helps function RAND() to generate a uniformly distributed int random number between the parameter max and min. In addition, we call C# interfaces (e.g., the real random number generator) in the PAT model for initialization and number generation, which supports the session key sharing between entities. Only a fixed number of actions that invoke the random number generator are performed in a single run of the model (highlighted in light blue Table 2), so this will not lead to the increase of the state space in a single run. Function RAND() is given in Figure 5. Fig. 5. View Figure Fig. 5. The code of function RAND().
•	Bitwise concatenation and bitwise XOR: Functions XOR() and concat() simulate the bitwise XOR operation $\oplus$ and the bitwise concatenation operation $\Vert$, respectively. For function concat(), function Convert.ToString() in C# is applied to convert a decimal number into a string of a binary number, with the help of setting the second parameter to 2, indicating base-2 (binary) notation. We connect two binary strings into one and then convert it to a decimal integer by the function Convert.ToInt32() in C#. Function concat() is illustrated in Figure 6. Fig. 6. View Figure Fig. 6. The code of function concat().
•	Timestamp generation and session delay check: Function Timestamp() records the current system time in an integer way, as PAT can only accept integer or Boolean type as a function returning value. Function EndSession() simulates whether it is necessary to close the session currently by comparing the difference between the two timestamps with the session delay time. The time-related elements in PAT mainly involve two scenarios: the entity adds a new timestamp to the message, and the entity compares the current time with the timestamp on the received message. In the namespace of C#, object DataTime’s property (Now) can support retrieving the current local date. Thus, we can generate the timestamp involved in the scenario by calling function Timestamp() implemented in C#. In this way, the timestamp is related to the time-related elements in PAT. Function Timestamp() is shown in Figure 7. Fig. 7. View Figure Fig. 7. The code of function Timestamp().
•	Computation for elements: By calling functions Hash(), concat(), and XOR(), all the element computations in the AKA protocol can be implemented. Due to space constraints, we only provide the C# implementation of computation for the CS illustrated in Figure 8, omitting the C# implementation of computation for the user and SPS. The computation of step 2 and step 5 of the registration phase in the orange dotted frame, and the computation of step 3 of the authentication phase in the purple dotted frame. Fig. 8. View Figure Fig. 8. C# Implementation of computation for CS in Xue et al.’s protocol.

The corresponding C# class including these functions is compiled into a DLL and placed into the library folder of the PAT tool. The DLL can be imported into the PAT model using the import statement, which can support calling C# functions in the PAT model.

4 CASE STUDY OF MODELING BAE AND KWAK’S AKA PROTOCOL

In this section, we illustrate the second case study, in which our FVF-AKA is applied to a smart-card-based secure AKA protocol in multi-server IoT environments [26]. The protocol is also composed of the registration phase and the authentication phase. CSP models are constructed and implemented by model checker PAT and C#.

4.1 A Smart-card-based Secure AKA Protocol in Multi-server IoT Environment

Bae and Kwak [26] proposed a smart-card-based secure AKA protocol in a multi-server IoT environment. The proposed protocol has been shown to be secure against replay attacks, session key leakage attacks, and various other attacks. They used the formal verification tool AVISPA to verify the secrecy and witness of the messages. However, this work lacked verification of fundamental properties, such as entity legitimacy, timeout delay, and session key consistency. At the same time, it did not provide verification of security properties when intruders appeared. By applying our verification framework, we can provide a formal model of the protocol and verification of fundamental properties and security properties of the protocol.

4.1.1 Registration Phase.

The registration phase in Bae and Kwak’s protocol has four steps, as shown in Figure 9. Here, the dotted line represents the secure channel, and the solid line represents the public channel. Step 1 describes the message transmission of server S$_j$. Step 2 and step 4 give the computation and message transmission of CS. The computation and message transmission of user U$_i$ are denoted in step 3.

Fig. 9. Registration phase in Bae and Kwak’s protocol.

STEP 1.	The service-providing server S$_j$ sends its identity SID$_j$ to CS.
STEP 2.	The control server CS chooses a random number x for computation. CS computes Serinfor$_j$=h(SID$_j$$\Vert$x) and sends it to S$_j$.
STEP 3.	The user U$_i$ chooses his/her password P$_i$. U$_i$ computes EncPass$_i$=h(ID$_i$$\Vert$h(P$_i$)) and sends it to CS with its identity ID$_i$ and anonymity value UID$_i$.
STEP 4.	After receiving the messages from U$_i$, CS computes Userinfor$_i$=h(EncPass$_i$$\Vert$x). It also stores UID$_i$, Userinfor$_i$, EncPass$_i$, h($\cdot$), and h(x) in the smart card. CS also adds similar elements together with the status-bit value into the verifier table. If the user does the registration, the status-bit value is saved as 1. Otherwise, the status-bit value is saved as 0. At last, CS sends the smart card to U$_i$.

4.1.2 Authentication Phase.

In Bae and Kwak’s protocol, there are five steps in the authentication phase depicted in Figure 10. Step 1 and step 5 give the computation and message transmission of user U$_i$. Step 2 and step 4 indicate the computation and message transmission of server S$_i$. The computation and message transmission of CS are shown in step 3.

Fig. 10. Authentication phase in Bae and Kwak’s protocol.

STEP 1.	After user U$_i$ has verified the legitimate owner of the smart card, it generates a random number N$_{i1}$ and timestamp Ts. By using Userinfor$_i$ and h(x) in the smart card, A$_i$= Userinfor$_i$$\oplus$h(x)$\oplus$N$_{i1}$ and Veru$_i$=h(h(x)$\Vert$N$_{i1}$) are computed. Then U$_i$ sends UID$_i$, A$_i$, Veru$_i$, and Ts to server S$_j$.
STEP 2.	After receiving messages from user U$_i$, server S$_j$ generates N$_{i2}$. Then it computes B$_i$= Serinfor$_j$$\oplus$N$_{i2}$ and Vers$_j$=h(h(Serinfor$_j$)$\Vert$N$_{i2}$). After the computation, S$_j$ sends UID$_i$, A$_i$, Veru$_i$, B$_i$, Vers$_i$, SID$_j$, and Ts to CS.
STEP 3.	When CS receives the message from S$_j$, it first checks the session delay. Ts$^{\prime }$ and $\Delta$T represent the current time and the tolerable time interval, respectively. If Ts$^{\prime }$ - Ts $\gt$ $\Delta$T, the session times out and CS terminates the session. Otherwise, CS computes the following elements. CS calculates Serinfor$_j$, N$_{i2}$ and Vers$_i^{\prime }$ as follows: $\begin{align} &{ Serinfor_j}= { h}({ SID_{j}}\Vert { x})~~~{ N_{i2}}={ Serinfor_{j}}\oplus { B_{i}}~~~{ Vers_i^{\prime }}= { h} ({ h}({ SID_{j}}\Vert { x})\Vert { N_{i2})} \end{align}$ CS then checks whether Vers$_i^{\prime }$ is equal to Vers$_i$. If not, CS terminates the session. Otherwise, CS verifies the legitimacy of S$_{j}$. CS computes N$_{i1}$ and Veru$_i^{\prime }$ as below: $\begin{align} &{ N_{i1}}= { Userinfor_{i}}\oplus { h}({ x})\oplus { A_{i}}~~~{ Veru_i^{\prime }}= { h} ({ h}({ x})\Vert { N_{i1}^{\prime })} \end{align}$ CS checks whether Veru$_i^{\prime }$ is equal to Veru$_i$. If not, CS terminates the session. Otherwise, CS verifies the legitimacy of U$_{i}$. After generating random number N$_{i3}$ and new timestamp Ts, CS computes C$_{i}$, D$_{i}$, and E$_{i}$ as below: $\begin{align} &{ C_{i}}= { N_{i1}}\oplus { N_{i2}}\oplus { h}({ SID_{j}}\oplus { N_{i2}})\\ &{ D_i}= { h}({ A_{i}}\Vert { h}({ x}))\oplus { h}({ SID_{j}}\oplus { N_{i2}}))\\ &{ E_i}= { N_{i2}}\oplus { N_{i3}}\oplus { h}({ A_{i}}\Vert { h}({ x})) \end{align}$ Then CS sends C$_{i}$, D$_{i}$, E$_{i}$, and Ts to server S$_{j}$. As CS knows A$_{i}$, x, N$_{i1}$, N$_{i2}$, and N$_{i3}$, it calculates the session key as below: $\begin{align} &{ SK}={ h}({ h}({ A_{i}}\Vert { h}({ x}))\oplus ({ N_{i1}}\oplus { N_{i2}}\oplus { N_{i3}})) \end{align}$
STEP 4.	After getting the message from CS, S$_j$ sends E$_{i}$ and Ts to U$_i$. Then S$_j$ computes (N$_{i1}$$\oplus$N$_{i3}$)$^{\prime }$ and (h(A$_{i}$$\Vert$h(x)))$^{\prime }$ as below: $\begin{align} &({ N_{i1}}\oplus { N_{i3}})^{\prime }= { C_{i}}\oplus { h}({ SID_{j}}\oplus { N_{i2}})\\ &({ h}({ A_i}\Vert { h}({ x}))^{\prime }= { D_i}\oplus ({ SID_{j}}\oplus { N_{i2}}) \end{align}$ So far, S$_{j}$ has already learned (h(A$_{i}$$\Vert$h(x)))$^{\prime }$, (N$_{i1}$$\oplus$N$_{i3}$)$^{\prime }$, and N$_{i2}$. Therefore, the session key can be obtained by it as below: $\begin{align} &{ SK}^{\prime }={ h}(({ h}({ A_{i}}\Vert { h}({ x}))^{\prime })\oplus (({ N_{i1}}\oplus { N_{i3}})^{\prime }\oplus { N_{i2}})) \end{align}$
STEP 5.	When U$_{i}$ receives E$_{i}$ and Ts, it checks the session delay. As Ts$^{\prime }$ and $\Delta$T denote the current time and the tolerable time interval, respectively, Ts’ - Ts $\gt$ $\Delta$T is considered to be a timeout case. If it happens, U$_{i}$ terminates the session. If it does not happen, U$_{i}$ computes (N$_{i2}$$\oplus$N$_{i3}$)$^{\prime }$=E$_{i}$$\oplus$h(A$_{i}$$\Vert$h(x)). As h(x) is in the smart card, U$_{i}$ can obtain the session key as below: $\begin{align} &{ SK}^{\prime \prime }={ h}({ h}({ A_{i}}\Vert { h}({ x}))\oplus ({ N_{i1}}\oplus ({ N_{i2}}\oplus { N_{i3}})^{\prime })) \end{align}$

4.2 Building and Implementing CSP Model for Bae and Kwak’s AKA Protocol

Similar to Section 3.2, we need to design variable set ComputingSet, message sets MSG$_{reg}$ and MSG$_{auth}$, and channels for transmitting messages before building CSP models. Therefore, ComputingSet, MSG$_{reg}$, and MSG$_{auth}$ are updated according to the notations in the protocol, which is omitted here due to space constraints. Meanwhile, we keep the old channel declarations because the entities are the same. Since the general AKA protocols mostly only involve three entities (user, SPS, and CS), the composition of CSP models representing entities for Bae and Kwak’s protocol is the same as that of Xue et al.’s protocol. The overall CSP model is implemented in process Protocol$\_$B(). Protocol$\_$B$\_$Reg() and Protocol$\_$B$\_$Auth() represent the registration phase and authentication phase, respectively. Their definitions are given as below: $\begin{align*} { Protocol}&{ \_B}()=_{df}~~\\ &{ Protocol}{ \_B}{ \_Reg}({ UserID},{ ServerID});{ Protocol}{ \_B}{ \_Auth}(UserID,ServerID);\\ { Protocol}&{ \_B}{ \_Reg}(i,j)=_{df}~~\\ &Initialization\rightarrow { SKIP};({ User\_B}{ \_Reg}(i)\Vert { Server\_B}{ \_Reg}(i)\Vert { CS\_B}{ \_Reg}(i,j));\\ { Protocol}&{ \_B}{ \_Auth}(i,j)=_{df}~~\\ &{ User\_B}{ \_Auth}(i,j)\Vert { Server\_B}{ \_Auth}(i,j)\Vert { CS\_B}{ \_Auth}(i,j); \end{align*}$

The CSP models of user, SPS, and CS in the registration phase shown in Figure 9 are User$\_$B$\_$Reg(), Server$\_$B$\_$Reg(), and CS$\_$B$\_$Reg(), which are given in Table 3 (1–3). Table 3 (4–6) presents User$\_$B$\_$Auth(), Server$\_$B$\_$Auth(), and CS$\_$B$\_$Auth(), which denote CSP models of user, SPS, and CS in the authentication phase appearing in Figure 10. The communication between interprocesses for Protocol$\_$B() is the same as one for Protocol$\_$X() in Figure 4, except that all “X”s in the process name are replaced with “B”s.

In order to complete the implementation of the CSP models in PAT and C#, we can reuse the functions in Section 3.3 to construct the PAT models, except that the C# implementation of computation for elements needs to be updated. The actions related to the verifier table contain two types: (1) CS generates the verifier table element, and (2) CS judges whether the received UID is in the verifier table. Therefore, we need to implement the data structure of the verifier table in the PAT. Here, we implement the verifier table in the form of a list. Because only a fixed number of such actions are performed in a single run of the model (highlighted in gray in Table 3), the actions related to the verifier table will not cause an increase in the state space during a single run. Limited by the space, we only give Figure 11 to show the implementation of computation for the CS in Bae and Kwak’s protocol.

Fig. 11. C# implementation of computation for CS in Bae and Kwak’s protocol.

5 CONVERSION FROM CSP MODELS TO PAT MODELS

When there are many steps in the AKA protocol, it is very cumbersome to implement the corresponding CSP models in model checker PAT manually. In this section, we provide a convenient automatic conversion from CSP models to PAT models in order to enrich the applicability of our framework, which is coded in Python.

5.1 Splitting Files for PAT Model

In the conversion from the CSP model to the PAT model, there is a gap involving data storage and function calls. Therefore, we design CSP-like models that are similar to the CSP models. CSP-like models update the actions in the CSP models by inserting the notation of involved data storage and involved parameters (the function name to be called and the parameters used to call the function). In order to support the effective conversion from CSP-like models to PAT models, we need to analyze the .csp file that saves the PAT model. We divide the .csp file into three parts, which are the declaration file, the phases file, and the composition file. Figure 12 shows the files of the PAT model with C#, the CSP-like model, and computation formulas. The declaration file mainly contains five parts: (1) introduction of libraries that support complex data structure and C# functions, (2) definition of global constants for further verification, (3) definition of enumeration types characterizing notations in the AKA protocol, (4) definition of variables involving verification and data storage, and (5) definition of channels supporting information transmission between entities.

Fig. 12. Files of the PAT model with C#, the CSP-like model, and computation formulas.

The composition file includes the combination of the process for each entity and the assertion representing property verification (mentioned in Section 6 later). The phase file represents the models that describe the behavior of entities in the registration phase and authentication phase. The difference between the two phase files in Figure 12 is that the phase file belonging to the CSP-like model is a .txt file storing CSP-like processes, while the phase file in the PAT model is a .csp file containing PAT processes.

The C# foundation file contains the definitions of the hash function, XOR operation, concatenation operation, and random number generation. The formula file has all the computation formulas involved in the protocol. The difference between the two formula files in Figure 12 is that the formula file in the CSP-like model is a .txt file storing the original computation formulas, while the formula file in the PAT model is a .cs file containing the C# functions corresponding to the formulas.

5.2 Automatic Conversion Algorithm

We design an algorithm to support automatic conversion from the phase file of the CSP-like model and the formula file of computation formulas to the phase file and the formula file in the PAT model with C#.² Figure 13 illustrates the conversion from the CSP-like model and formulas (in .txt file) to the PAT model (in .csp file) and C# functions (in .cs file). First, we manually prepare a CSP-like model for the registration phase and authentication phase as one input. After obtaining the process by reading line by line from the .txt file, we extract the name of the process and the actions in the process definition. Only Skip actions need no conversion. Other actions adopt different functions to complete the conversion based on their types (shown in the dotted box in Figure 13). For example, if the type of action a is element computation, we call BuildCompute() or BuildComputeCheck() to convert a to the action a$_{PAT}$ in the PAT.

Fig. 13. Automatic conversion from CSP-like model and formulas (in .txt file) to PAT model (in .csp file) and C# functions (in .cs file).

There are five types of actions including value assignment, timestamp process, message transition, element computation, and verifier table process. For each action type, we provide two corresponding functions to construct the PAT code, whose explanations are illustrated in Table 4. Value assignment actions include adding corresponding parameters (involving function BuildAssignment()) and random numbers to the entity’s storage structure (involving function BuildRAND()). Timestamp generation (involving function BuildTimestamp()) and timestamp comparison (involving function BuildCheckDelay()) belong to timestamp process actions. Message transition actions contain the sending and receiving of elements (involving functions BuildSend() and BuildReceive()). Element computation actions consist of the computation of elements (involving function BuildCompute()) and the comparison between the calculated element value and the element value in the entity’s storage structure (involving function BuildComputeCheck()). Verifier table process actions include adding the corresponding element to the verifier table (involving function BuildStoreTable()) and verifying whether the corresponding element is in the verifier table (involving function BuildCheckUID()). The .csp file C$_{PAT}$ can be completed after converting all actions into new ones. Meanwhile, we also use computation formulas (in a .txt file) as the input. After preprocessing the computation formulas involved in the protocol, Algorithm 1 is applied to convert each formula into a C# function, and finally, the .cs file F$_{C\#}$ is built.

Algorithm 1 illustrates the conversion of the formula to C# code.$^{2}$ Here, we use the stack to extract the sub-formulas divided by parentheses in the preprocessed computation formula (Lines 6–15). The sub-formulas are handed over to procedure CONVERT-ELEMENTS, so that the C# function body can be obtained (Line 16). Finally, the function name is also constructed to form a complete C# function definition (Lines 18–25). Procedure CONVERT-ELEMENTS (Lines 27–59) supports the conversion of the XOR and concatenation operations in the sub-formula into the form of C# code and provides a special conversion for the variables to contact “11” and “00” in Xue et al.’s protocol.

Figure 14 shows the automatic conversion example for some behaviors in the registration phase of CS in Bae and Kwak’s protocol. Taking the transmission of SID$_{j}$ and the calculation of Serinfor$_{j}$ as an example, we show how to obtain the CSP-like model and formula file (in .txt files) from the perspective of CS based on Bae and Kwak’s protocol. Further, we use automatic conversion to convert them to a .csp file and a .cs file, respectively.

Fig. 14. Automatic conversion example for some behaviors in the registration phase of CS in Bae and Kwak’s protocol.

6 VERIFICATION OF FUNDAMENTAL PROPERTIES

In this section, we show the verification of the four properties (deadlock freedom, entity legitimacy, timeout delay, and session key consistency) using the model checker PAT [51, 53], which has a wide application area [1, 48, 52]. Some of them are described in the Linear Temporal Logic (LTL) formula, which illustrates linear-time properties. PAT supports the LTL formula via using $\#$assert P() $|$= F to check whether system P() satisfies LTL formula F. All experiments were conducted on a 2.60-GHz core i7 PC with 16 GB of RAM under the PAT 3.5.0 environment.

Property 1: Deadlock Freedom

$\# {\it assert}~{\it Protocol}\_{\it X}()~{\it deadlockfree};$

$\# {\it assert}~{\it Protocol}\_{\it B}()~{\it deadlockfree};$

Before performing other verifications, we must ensure that the model has no deadlock. So we use the reserved keyword “deadlockfree” in PAT to verify the deadlock freedom. The valid verification results (row 1 and row 7 in Table 5) show that no deadlock appears in the protocols of Xue et al. and Bae and Kwak.

Table 5.

LTL Formula(Property)	Time Used(s)	Estimated Memory(KB)	Verification Result
Protocol$\_$X() deadlockfree(Deadlock freedom)	0.0892462	16,108.848	Valid
Protocol$\_$X() \|= <> S$\_$U$\_$Legitimacy$\_$For$\_$CS(Entity Legitimacy)	0.0491195	9,750.432	Valid
Protocol$\_$X() \|= <> CS$\_$U$\_$Legitimacy$\_$For$\_$S(Entity Legitimacy)	0.1010357	11,236.24	Valid
Protocol$\_$X() \|= <> S$\_$CS$\_$Legitimacy$\_$For$\_$U(Entity Legitimacy)	0.0427855	11,435.144	Valid
Protocol$\_$X() \|= []! TimeOut(Timeout delay)	0.0481626	11,190.232	Valid
Protocol$\_$X() \|= <> SK$\_$Consistency(Session key consistency)	0.0544506	10,787.616	Valid
Protocol$\_$B() deadlockfree(Deadlock freedom)	0.0143308	11,249.672	Valid
Protocol$\_$B() \|= <> S$\_$Legitimacy$\_$For$\_$CS(Entity Legitimacy)	0.0061396	11,313.216	Valid
Protocol$\_$B() \|= <> U$\_$Legitimacy$\_$For$\_$CS(Entity Legitimacy)	0.0158869	9,414.944	Valid
Protocol$\_$B() \|= []! TimeOut(Timeout Delay)	0.0078747	9,929.608	Valid
Protocol$\_$B() \|= <> SK$\_$Consistency(Timeout Delay)	0.0147976	9,966.56	Valid

View Table

Table 5. The Verification Results of Fundamental Properties for Protocol $\_$ X() and Protocol $\_$ B() Built from Xue et al.’s Protocol and Bae and Kwak’s Protocol, Respectively

Property 2: Entity Legitimacy

$\#define~{\it S}\_{\it U}\_{\it Legitimacy}\_{\it X}\_{\it For}\_{\it CS}~\\ ~~~~~~~~~~~({\it cs}\_{\it check}\_{\it k}=={\it true}\&\&{\it cs}\_{\it check}\_{\it pij}=={\it true}\&\&{\it cs}\_{\it check}\_{\it pid}=={\it true}\&\&{\it cs}\_{\it check}\_{\it psid}=={\it true});$

$\#define~{\it CS}\_{\it U}\_{\it Legitimacy}\_{\it X}\_{\it For}\_{\it S}~({\it s}\_{\it check}\_{\it q}=={\it true});$

$\#define~{\it S}\_{\it CS}\_{\it Legitimacy}\_{\it X}\_{\it For}\_{\it U}~({\it u}\_{\it check}\_{\it v}=={\it true};)$

$\# {\it assert}~{\it Protocol}\_{\it X}()~|= \lt \gt ~{\it S}\_{\it U}\_{\it Legitimacy}\_{\it X}\_{\it For}\_{\it CS};$

$\# {\it assert}~{\it Protocol}\_{\it X}()~|= \lt \gt ~{\it CS}\_{\it U}\_{\it Legitimacy}\_{\it X}\_{\it For}\_{\it S};$

$\# {\it assert}~{\it Protocol}\_{\it X}()~|= \lt \gt ~{\it S}\_{\it CS}\_{\it Legitimacy}\_{\it X}\_{\it For}\_{\it U};$

$\#define~{\it S}\_{\it Legitimacy}\_{\it B}\_{\it For}\_{\it CS}~({\it cs}\_{\it check}\_{\it Vers}=={\it true});$

$\#define~{\it U}\_{\it Legitimacy}\_{\it B}\_{\it For}\_{\it CS}~({\it cs}\_{\it check}\_{\it Veru}=={\it true});$

$\# {\it assert}~{\it Protocol}\_{\it B}()~|= \lt \gt ~{\it S}\_{\it Legitimacy}\_{\it B}\_{\it For}\_{\it CS};$

$\# {\it assert}~{\it Protocol}\_{\it B}()~|= \lt \gt ~{\it U}\_{\it Legitimacy}\_{\it B}\_{\it For}\_{\it CS};$

The property of entity legitimacy is a liveness property. Its definition depends on the AKA protocol itself. In Xue et al.’s protocol, the user, SPS, and CS confirm each other’s legitimacy mutually. However, only CS checks the legitimacy of SPS and the user in Bae and Kwak’s protocol. Using the “eventually” operator $\lt \gt$ in LTL, we describe the situation that one entity should check the legitimacy of another entity. As shown in rows 2–4 and rows 8–9 in Table 5, the valid verification results indicate that the protocols of Xue et al. and Bae and Kwak both have entity legitimacy.

Property 3: Timeout Delay

$\#define~{\it TimeOut}~({\it timeout}=={\it true});$

$\# {\it assert}~{\it Protocol}\_{\it X}()~|= []!~{\it TimeOut};$

$\# {\it assert}~{\it Protocol}\_{\it B}()~|= []!~{\it TimeOut};$

When the AKA protocol considers the timeout delay, it is necessary to verify the timeout delay property. In the previous model construction, the variable timeout will be set to true once there is a session delay timeout. Thus, we apply the “always” operator [] in LTL to build the timeout delay property. As depicted in row 5 and row 10 in Table 5, the valid results denote that all the session delays are within the time interval $\Delta$T for the protocols of Xue et al. and Bae and Kwak, respectively.

Property 4: Session Key Consistency

$\#define~{\it SK}\_{\it Consistency} ~({\it CS}\_{\it SK}=={\it Server}\_{\it SK})~\&\&({\it Server}\_{\it SK}=={\it User}\_{\it SK});$

$\# {\it assert}~{\it Protocol}\_{\it X}()~|= \lt \gt ~{\it SK}\_{\it Consistency};$

$\# {\it assert}~{\it Protocol}\_{\it B}()~|= \lt \gt ~{\it SK}\_{\it Consistency};$

Construction of the session key agreement between entities is an important goal of the AKA protocol, which can be described as the property of session key consistency. With the help of the “eventually” operator $\lt \gt$ in LTL, we use this assertion to check whether all the entities have the same session key finally. According to the two valid verification results in row 6 and row 11 in Table 5, we can determine that the session keys owned by SPS, CS, and user are the same in the protocols of Xue et al. and Bae and Kwak.

7 VERIFICATION OF SECURITY PROPERTIES

In this section, we model the behaviors of the intruders doing relay attacks, denial of service attacks, server spoofing attacks, and session key attacks. It helps to simulate the situation of the AKA protocol running in a vulnerable environment. These attacks are described in new processes; meanwhile, the original CSP models are also modified for supporting the vulnerable environments. The four security properties (success relay attack, success denial of service attack, success server spoofing attack, and success session key attack) are verified for the new CSP models with intruders.

7.1 Verification of Replay Attack

In a replay attack, the intruder can eavesdrop and intercept sensitive communication. Meanwhile, the intruder may delay or resend the messages to the receiver fraudulently. We simulate the behaviors of the intruder doing a relay attack in Xue et al.’s protocol and Bae and Kwak’s protocol by processes ${\it Intruder}{\it \_X\_ReplayAttack(i, j)}$ and ${\it Intruder}{\it \_B\_ReplayAttack(i),}$ respectively, shown as below: $\begin{align*} { Intruder}&{ \_X\_ReplayAttack}(i,j)=_{df}\\ &{ FakeUI}?{ msg{_{auth}}}.{ f_i}.{ p_{ij}}.{ cid_{i}}.{ g_{i}}.{ pid_{i}}.{ ts_{i}}\rightarrow ModifyTimestamp \rightarrow \\ &{ FakeIS}!{ msg{_{auth}}}.{ f_i}.{ p_{ij}}.{ cid_{i}}.{ g_{i}}.{ pid_{i}}.{ TS\_old}\rightarrow ({ Intruder}{ \_X\_ReplayAttack}{ \_Sub}(i)\square { Skip})\\ { Intruder}&{ \_X\_ReplayAttack}{ \_Sub}(i)=_{df}\\ &{ FakeIS}?{ msg{_{auth}}}.{ r_i}.{ v_i}\rightarrow { FakeUI}!{ msg{_{auth}}}.{ r_i}.{ v_i}\rightarrow \\ &{ Check\_Replay\_Attack}\lbrace success\_replay\_attack=true\rbrace \rightarrow { Skip}\\ { Intruder}&{ \_B\_ReplayAttack}(i)=_{df}\\ &{ FakeUI}?{ msg{_{auth}}}.{ uid_i}.{ a_{i}}.{ veru_{i}}.{ ts}\rightarrow ModifyTimestamp \rightarrow \\ &{ FakeIS}!{ msg{_{auth}}}.{ uid_i}.{ a_{i}}.{ veru_{i}}.{ TS\_old}\rightarrow ({ Intruder}{ \_B\_ReplayAttack}{ \_Sub}(i)\square { Skip}) \end{align*}$ $\begin{align*} { Intruder}&{ \_B\_ReplayAttack}{ \_Sub}(i)=_{df}\\ &{ FakeIS}?{ msg{_{auth}}}.{ e_i}.{ ts}\rightarrow { FakeUI}!{ msg{_{auth}}}.{ e_i}.{ ts}\rightarrow \\ &{ Check\_Replay\_Attack}\lbrace success\_replay\_attack=true\rbrace \rightarrow { Skip} \end{align*}$

${\it Intruder}{\it \_X\_ReplayAttack}(i, j)$ and ${\it Intruder}{\it \_B\_ReplayAttack}(i)$ intercept the messages transmitted between SPS and user and carry out a relay attack. They use channels FakeUI and FakeIS to intercept messages between the user and SPS. Here, we use the old timestamp to perform a replay attack, which can be obtained by the intruder from interception. The ModifyTimestamp action means to modify the timestamp to an old timestamp, and TS_old appearing in the message denotes the old timestamp. If the intruder can receive messages from SPS, action Check_Replay_Attack assigns variable success_replay_attack to be true, which also indicates the success of the relay attack.

To describe the influence of the intruder on the protocol, we modify the original model using renaming. $\lbrace |$c$|\rbrace$ represents the set of all communications over channel c. To support the simulation of the replay attack in the authentication phase, the model needs to support channels FakeIS and FakeUI. The intruder can use these two channels to eavesdrop or even change the data on channel ComUS. Because the user and SPS are connected by channel ComUS, their CSP models in the authentication phase should be updated by applying renaming. We add the suffix “_I” in the process name to denote the updated process. Due to space constraints, here we only give the definition of ${\it User\_X}{\it \_Auth} {\it \_I}$(). $\begin{align*} { User}&{ \_X\_Auth}{ \_I}({ i},{ j})=_{df}~\\ &{ User\_X}{ \_Auth}({ i},{ j})[[{ ComUS}?\lbrace |{ ComUS}|\rbrace \leftarrow { ComUS}?\lbrace |{ ComUS}|\rbrace ,\\ &{ ComUS}?\lbrace |{ ComUS}|\rbrace \leftarrow { FakeUI}?\lbrace |{ ComUS}|\rbrace ,{ ComUS}!\lbrace |{ ComUS}|\rbrace \leftarrow { ComUS}!\lbrace |{ ComUS}|\rbrace ,\\ &~~~~~~~~~~~~~~~~~~~~~~~~~~~{ ComUS}!\lbrace |{ ComUS}|\rbrace \leftarrow { FakeUI}!\lbrace |{ ComUS}|\rbrace ]] \end{align*}$

For building the CPS model with the intruder, the previous models also have more minor changes, such as adding a more nondeterministic choice $\square$ to cope with attack appearance, which is not expanded here due to limited space. For the overall modeling, Intruder$\_$X$\_$ReplayAttack() and Intruder$\_$B$\_$ReplayAttack() will be concurrent with related entities in the protocol, which builds models of the protocols under replay attacks. When replay attacks occur in Xue et al.’s protocol and Bae and Kwak’s protocol, the two models are shown in Table 6 (1–2), called Protocol$\_$X_ReplayAttack() and Protocol$\_$B_ReplayAttack(). The communication between interprocesses for them is shown in Figure 15.

Fig. 15. The communication between interprocesses for CSP models of replay attacks and denial of service attacks.

Table 6.

View Table

Table 6. The CSP Models with Intruders

Property 5: Success Replay Attack

$\# {\it define}~{\it SuccessReplayAttack}~({\it success\_replay\_attack}==true);$

$\# {\it assert}~{\it Protocol\_X\_ReplayAttack}()~{\it reaches}~{\it SuccessReplayAttack};$

$\# {\it assert}~{\it Protocol\_B\_ReplayAttack}()~{\it reaches}~{\it SuccessReplayAttack};$

If a relay attack occurs and affects the protocol, the variable success$\_$replay$\_$attack will be set to true. We define the replay attack success property as a reachability property. Before performing the verification of any security property, we should verify the fundamental properties for the updated models. Except for the deadlock freedom property, the two models have invalid results for the other three properties shown in Table 7. This means the models have deadlock freedom but suffer from entity illegitimacy, timeout delay, and session key inconsistency. So the existence of intruders affects the fundamental properties. According to the invalid verification results of the success reply attack property in Table 8, we can learn that Xue et al.’s protocol and Bae and Kwak’s protocol are resistant to replay attacks.

Table 7.

View Table

Table 7. Verification Results of Fundamental Properties in the CPS Models with Intruders

Table 8.

Property	Verification Resultsfor Xue et al.’s Protocol	Verification Resultsfor Bae and Kwak’s Protocol
Success Relay Attack	Not Valid (in Protocol_X_ReplayAttack())	Not Valid (in Protocol_B_ReplayAttack())
Success DoS Attack	Not Valid (in Protocol_X_DoSAttack())	Not Valid (in Protocol_B_DoSAttack())
Success Server Spoofing Attack	Not Valid (in Protocol_X_ServerSpoofingAttack())	Not Valid (in Protocol_B_ServerSpoofingAttack())
Success Session Key Attack	Not Valid (in Protocol_X_SessionKeyAttack())	Not Valid (in Protocol_B_SessionKeyAttack())

View Table

Table 8. Verification Results of Security Properties in the CPS Models with Intruders

7.2 Verification of Other Attacks

In addition to replay attacks, we also support the formalization and verification of denial of service attacks, server spoofing attacks, and session key attacks. The method of constructing the CPS models with intruders launching these attacks is the same as the CPS models with intruders doing replay attacks. All experiments were conducted on a 2.60-GHz core i7 PC with 16 GB of RAM under the PAT 3.5.0 environment.

7.2.1 Verification of Denial of Service Attack.

In a DoS attack, the malicious intruder attempts to overload the system by sending a large number of requests. This affects the processing of legitimate requests seriously. We build processes ${\it Intruder}{\it \_X\_DoSAttack}$() and ${\it Intruder}{\it \_B\_DoSAttack}$() to denote the intruder performing a replay attack located between the user and SPS, and their constructions are similar with the building of CSP processes for replay attacks. Since DoS attacks and relay attacks both occur between the user and SPS, the overall CSP models for DoS attacks are similar to the overall CSP models for replay attacks. The models owning a DoS attack of Xue et al.’s protocol and Bae and Kwak’s protocol are denoted by Protocol$\_$X_DoSAttack() and Protocol$\_$B_DoSAttack(), which are shown in Table 6 (3–4). Then we give the property of success denial of service attack as below.

Property 6: Success Denial of Service Attack

$\# {\it define}~{\it SuccessDoSAttack}~({\it success\_dos\_attack}==true);$

$\# {\it assert}~{\it Protocol\_X\_DoSAttack}()~{\it reaches}~{\it SuccessDoSAttack};$

$\# {\it assert}~{\it Protocol\_B\_DoSAttack}()~{\it reaches}~{\it SuccessDoSAttack};$

When a DoS attack occurs, variable success$\_$dos$\_$attack is assigned to be true. Thus, the property of success replay attack becomes a reachability property. From Table 7, two models only have valid results in the deadlock freedom property for the four fundamental properties. This shows that they have no deadlock freedom, but the emergence of DoS attacks does lead to dissatisfaction of other properties. For the verification results for success DoS attack property in Table 8, the invalid results indicate that the protocols of Xue et al. and Bae and Kwak can prevent DoS attacks.

7.2.2 Verification of Server Spoofing Attack.

Server spoofing attacks describe a situation where an intruder pretends to be the server to interact with the user and CS. The intruder can complete the attack with the help of intercepting the information sent to SPS. Processes ${\it Intruder}{\it \_X\_ServerSpoofingAttack}$() and ${\it Intruder}{\it \_B\_ServerSpoofingAttack}$() denote server spoofing attacks in Xue et al.’s protocol and Bae and Kwak’s protocol, respectively.

To complete the simulation of the server spoofing attack in the authentication phase, the model needs to support channels FakeIS, FakeSI, FakeIC, and FakeUI. Equipped with these four channels, the intruder is able to eavesdrop or manipulate the data on channels ComUS and ComSC. Compared with the previously updated model, it is necessary to update the CSP models of SPS and CS by applying renaming again. We add the suffix “_I’ ” in the process name to denote the newly updated process. Because of space constraints, here we only give the definition of Server_X_Auth_I’(): $\begin{align*} { Server}&{ \_X\_Auth}{ \_I$'$}({ i})=_{df}~\\ &{ Server\_X}{ \_Auth}({ i})[[{ ComUS}?\{|{ ComUS}|\}\leftarrow{ ComUS}?\{|{ ComUS}|\},\\ &~~~~~~~~~~~~~~~~~~~~~~~~~{ ComUS}?\{|{ ComUS}|\}\leftarrow{ FakeIS}?\{|{ ComUS}|\},{ ComUS}!\{|{ ComUS}|\}\leftarrow{ ComUS}!\{|{ ComUS}|\},\\ &~~~~~~~~~~~~~~~~~~~~~~~~~{ ComUS}!\{|{ ComUS}|\}\leftarrow{ FakeIS}!\{|{ ComUS}|\},{ ComSC}?\{|{ ComSC}|\}\leftarrow{ ComSC}?\{|{ ComSC}|\},\\ &~~~~~~~~~~~~~~~~~~~~~~~~~{ ComSC}?\{|{ ComSC}|\}\leftarrow{ FakeSI}?\{|{ ComSC}|\},{ ComSC}!\{|{ ComSC}|\}\leftarrow{ ComSC}!\{|{ ComSC}|\},\\ &~~~~~~~~~~~~~~~~~~~~~~~~{ ComSC}!\{|{ ComSC}|\}\leftarrow{ FakeSI}!\{|{ ComSC}|\}]] \end{align*}$

The overall models of Xue et al.’s protocol and Bae and Kwak’s protocol affected by server spoofing attacks are presented as Protocol_X_ServerSpoofingAttack() and Protocol_B_ServerSpoof

ingAttack(), respectively. They are illustrated in Table 6 (5–6), whose interprocess communication is also shown in Figure 16. Then the property of success server spoofing attack is listed as below:

Fig. 16. The communication between interprocesses for CSP models of server spoofing attacks and session key attacks.

Property 7: Success Server Spoofing Attack

$\# {\it define}~{\it SuccessServerSpoofingAttack}~({\it success\_server\_spoofing\_attack}==true);$

$\# {\it assert}~{\it Protocol\_X\_SuccessServerSpoofingAttack}()~{\it reaches}~{\it SuccessServerSpoofingAttack};$

$\# {\it assert}~{\it Protocol\_B\_SuccessServerSpoofingAttack}()~{\it reaches}~{\it SuccessServerSpoofingAttack};$

Once a server spoofing attack happens, variable success$\_$server$\_$spoofing$\_$attack is set to be true. The property of success server spoofing attack is depicted as a reachability property. According to Table 7, the verification results of the deadlock freedom property and timeout delay property are valid, but the verification results of the entity legitimacy property and session key consistency property are invalid. That is to say, entity legitimacy and session key consistency are affected when server spoofing attacks occur. According to Table 8, the models do not satisfy the success server spoofing attack property, which indicates that the protocols of Xue et al. and Bae and Kwak can prevent server spoofing attacks effectively.

7.2.3 Verification of Session Key Attack.

Session key attacks indicate that the intruder intercepts all the messages on public channels and attempts to analyze the real session key based on the received messages. The attacks are implemented as Intruder$\_$X_SessionKeyAttack() and Intruder$\_$B_SessionKeyAttack() for Xue et al.’s protocol and Bae and Kwak’s protocol. The modification of the original models is the same as when the server spoofing attacks appear, because the intruder can monitor the whole process. Protocol_X_SessionKeyAttack() and Protocol_B_SessionKeyAttack() denote the overall models of Xue et al.’s protocol and Bae and Kwak’s protocol with session key attack, respectively, shown in Table 6 (7–8). Their communication between interprocesses is presented in Figure 16. Then we illustrate the property of success session key attack as below:

Property 8: Success Session Key Attack

$\# {\it define}~{\it SuccessSessionKeyAttack}~({\it success\_session\_key\_attack}==true);$

$\# {\it assert}~{\it Protocol\_X\_SuccessSessionKeyAttack}()~{\it reaches}~{\it SuccessSessionKeyAttack};$

$\# {\it assert}~{\it Protocol\_B\_SuccessSessionKeyAttack}()~{\it reaches}~{\it SuccessSessionKeyAttack};$

If there is a session key attack, variable success$\_$session$\_$key$\_$attack is assigned as true. The property of session key attack success is also declared as a reachability property. According to Table 7, the verification results of four fundamental properties are valid, which indicates session key attacks have no influence on the processing of protocols. The verification results of the success session key attack property are invalid in Table 8. They show that intruders are unable to infer the session key from the messages they intercepted, which indicates the protocols of Xue et al. and Bae and Kwak can avoid session key attacks.

The properties related to cryptography in the foundational properties are entity legitimacy and session key consistency. The properties related to cryptography in the security properties contain success server spoofing attack and success session key attack. Using the last assertion in Property 8 (success session key attack) as an example, the intruder tries to use the data that has been eavesdropped to decrypt the session key, and the basis is doing XOR and concatenation operations, which are implemented in our PAT model with C#.

8 RELATED WORK

As security plays a very important role in AKA protocols, several researchers have explored the verification of AKA protocols. Bellare and Rogaway [8, 9] gave the first work of formalizing the notion of security for key agreement. Blake-Wilson et al. [10] and Bellare et al. [7] made the extension according to the models in [8, 9]. The Canetti-Krawczyk (CK) model proposed by Canetti et al. [14] is a promising one among the extension models, which was also extended to the Canetti-Krawczyk (eCK) model in [32]. A modular technique [31] was presented by using gap assumptions for simplifying proofs of security for key agreement protocols. Ota et al. [43] proposed the OKT method, which is a security verification method for AKA protocols updated based on the BPR model. Aiash [3] introduced a new AKA protocol to authenticate the mobile terminal in heterogeneous networks via the Casper/FDR tool. Schmidt et al. [46] presented an algorithm for the verification of group key agreement protocols using Diffie-Hellman exponentiation. Lopes et al. [38] introduced a secret sharing-based AKA protocol for machine-type communications and verified two simulations based on the On-the-fly Model-checker and Constraint-logic-based Attack Searcher. Kilciauskas et al. [28] stated two versions of AKA protocols based on provable secure cryptographic functions and proved their security under some malicious attacks. However, there is a lack of a framework supporting general AKA protocol verification, and our work is to fill this gap.

As the AKA protocol is widely used in 3G and 4G, there are also many formal analyses and verifications in this domain. The Third Generation Partnership Project (3GPP) [2] verified the AKA protocol for 3G by the TLA-based formal analysis and the enhanced BAN logic. Hussain et al. [24] introduced a model-based testing approach LTEInspector for exposing attacks against three critical procedures of 4G LTE. In [17], Cheval et al. provided a procedure for automated verification of equivalence properties implemented in the DEEPSEC tool, and the AKA protocol deployed in 3G is one of its applications. Arapinis et al. [5] exposed two novel threats to user privacy in the 3G-AKA protocol and proposed privacy-friendly fixes. Using the ProVerif tool, they verified that it satisfied the desired unlinkability and anonymity properties. Broek et al. [55] presented a solution against IMSI catching attacks in 3G and 4G AKA protocols, which is verified formally in the ProVerif tool. Fouque et al. [21] introduced a fixed variant of the AKA protocol for 3G and 4G and proved the key secrecy of the fixed variant of the AKA protocol. Lee et al. [34] analyzed the anonymity property of the UMTS/LTE AKA protocol and adopted the indistinguishability-based formalization for the UMTS/LTE protocol. Tang et al. [54] identified the AKA procedure in inter-generational mobile telephony for each of the possible cases, which are modeled and analyzed by the ProVerif tool. Li and Wang [35] proved their proposed Security Enhanced AKA with the formal verification method, and the results indicated that it satisfies the security and efficiency properties in the LTE/SAE architecture. In [4], Alezabi et al. introduced an efficient AKA protocol based on a secret key and applied the AVISPA tool to provide a formal verification. The results indicated that the proposed protocol is efficient and secure against active and passive attacks. Idrissi et al. [25] introduced a new fast Extensible Authentication Protocol and Authentication Key Agreement (EAP-AKA), which is an authentication mechanism for the 3G network. Its security properties are analyzed by applying the High Level Protocol Specification Language (HLPSL) used in AVISPA.

Yet only a few formal analyses exist in the literature for the 5G-AKA protocol, and most of them use different formal verification tools. Cao et al. [15] discussed the security features, security requirements, security vulnerabilities, and existing security solutions in the 5G network. Basin et al. [6] proposed a comprehensive formal model of the 5G-AKA protocol using the Tamarin tool. Cremers and Dehnel-Wild [18] performed a fine-grained formal analysis of the 5G-AKA protocol to demonstrate its fragility and subtle trust assumptions. Jiang et al. [27] introduced an analytical modeling approach to analyze the dependability of the 5G-AKA protocol quantitatively. Zhang et al. [60] introduced the formal model of the 5G-EAP-TLS protocol, which is analyzed by model checker Scyther to point out several design flaws. Adrien Koutsos [30] modified a 5G-AKA protocol to prevent several attacks, which satisfies the 5G-AKA constraints as much as possible. Their protocol’s $\sigma$-unlinkablity is also formally proved. Edris et al. [19] conducted a formal security analysis by ProVerif of the 5G-AKA protocol to identify the 5G-AKA protocol’s security requirements based on two sets of taxonomies [39, 41].

Compared with the 3G-AKA protocol and 4G-AKA protocol, the formal analyses for the 5G-AKA protocol are still in their early stages. For the above-mentioned AKA protocols, the most used verification tools are AVISPA and ProVerif. The works [4, 25, 26] using AVISPA paid more attention to the related security properties of their own protocols. At the same time, the language used by AVISPA is relatively complicated, which means that users need to spend more time learning. As the ProVerif tool cannot deal with the exclusive-or (XOR) operation, researchers need to employ special strategies. For example, the authors in [5] used randomized symmetric encryption to conceal the sequence number SQN instead of using the XOR, and a special equation was applied to solve the XOR translation problem in [19]. Thus, these two tools may not be suitable for general AKA protocols for multi-server IoT. There is also a lack of framework for AKA protocol verification of multi-server IoT.

As model checker PAT [37, 52] has been applied in a wide range of security analyses, we chose PAT to support our framework FVF-AKA and applied the integration of C# in PAT to enrich the description of functions. As most of them input the model manually, automatic conversion of formal models is also needed, which can save time and cost. Our method can support the conversion from CSP-like models to PAT models automatically. Using AVISPA or ProVerif requires learning more knowledge. The simplicity of CSP also helps enhance the legibility. The advantage of CSP lies in its capacity to offer intuitive constructs for expressing communications between different roles. Moreover, CSP is supported by well-developed verification tools like PAT. Our framework has the automatic conversion from the CSP-like model and formulas to the PAT model and C# functions. We paid more attention to improving the legibility and usability of the method. Combined with third-party code, we also provide custom writing of functions to support modular reusability. Most existing formalization works of AKA protocols do not focus on the multi-server setting, so we provide support for its description. Our framework supports converting the subscripts of server and user into process parameters to distinguish different servers and users, providing support for the multi-server feature. We concentrate on the protocol in this multi-server environment and give the modeling support of the multi-server setting.

Therefore, we proposed the FVF-AKA, equipped with automatic conversion of formal models. With the implementation of CSP models to PAT and C#, we analyzed two AKA protocols as case studies and verified the eight important properties. The results indicated that the two protocols perform well not only in safe environments but also in vulnerable environments. Our framework is not specific for the analyzed protocols and shows how to automatically verify AKA protocols for multi-server IoT.

9 CONCLUSION AND FUTURE WORK

In this article, we have provided the FVF-AKA. Xue et al.’s AKA protocol and Bae and Kwak’s AKA protocol have been selected as two case studies. With this framework, they can be modeled to support the verification of the fundamental properties (deadlock freedom, entity legitimacy, timeout delay, and session key consistency). We have applied the integration of C# in PAT to support modeling and verification. We have formalized the registration phase and the authentication phase in protocols. We have also provided a convenient automatic conversion approach to support the conversion from the CSP model to the PAT model. After feeding the CSP models to the powerful model checker PAT supported by C#, the four fundamental properties have been verified, and the valid verification results have indicated that the two protocols work properly in a safe environment. For supporting vulnerable environments, we also have introduced the intruders into CSP models and have verified security properties for the AKA protocol under four different attacks (relay attacks, denial of service attacks, server spoofing attacks, and session key attacks). According to the verification results, two protocols are resistant to these attacks. Our formal verification framework of AKA protocols for multi-server IoT would hopefully help to verify AKA protocols and analyze their performance in a vulnerable environment.

As for future work, we would like to focus on other attacks such as stolen smart card attacks and masquerade attacks and consider extending the FVF-AKA to model and verify other AKA protocols for multi-server IoT.

Footnotes

¹ The full C++, C#, and PAT programs can be found in https://github.com/asunafy/AKA.
Footnote
² The full Python programs can be found in https://github.com/asunafy/AKA.
Footnote

REFERENCES

[1] Liu Yang, Sun Jun, and Dong Jin Song. 2010. Developing model checkers using PAT. In ATVA. 371–377.Google Scholar
Reference
[2] Third Generation Partnership Project (3GPP). 2000. 3G Security: Formal Analysis of the 3G Authentication Protocol. Technical Report TS 33.902 v3.1.0.Google Scholar
Reference
[3] Aiash Mahdi. 2013. A formally verified initial authentication and key agreement protocol in heterogeneous environments using Casper/FDR. In Network and System Security - 7th International Conference (NSS’13). Proceedings (Lecture Notes in Computer Science), López Javier, Huang Xinyi, and Sandhu Ravi S. (Eds.), Vol. 7873. Springer, 742–748.Google ScholarCross Ref
Reference
[4] Alezabi Kamal Ali, Hashim Fazirulhisyam, Hashim Shaiful Jahari, and Ali Borhanuddin M.. 2014. An efficient authentication and key agreement protocol for 4G (LTE) networks. In 2014 IEEE REGION 10 SYMPOSIUM.Google Scholar
Reference 1Reference 2
[5] Arapinis Myrto, Mancini Loretta Ilaria, Ritter Eike, Ryan Mark, Golde Nico, Redon Kevin, and Borgaonkar Ravishankar. 2012. New privacy issues in mobile telephony: Fix and verification. In the ACM Conference on Computer and Communications Security (CCS’12), Yu Ting, Danezis George, and Gligor Virgil D. (Eds.). ACM, 205–216.Google ScholarDigital Library
Reference 1Reference 2
[6] Basin David A., Dreier Jannik, Hirschi Lucca, Radomirovic Sasa, Sasse Ralf, and Stettler Vincent. 2018. Formal analysis of 5G authentication. CoRR abs/1806.10360 (2018).Google Scholar
Reference
[7] Bellare Mihir, Pointcheval David, and Rogaway Phillip. 2000. Authenticated key exchange secure against dictionary attacks. In Advances in Cryptology (EUROCRYPT’00), International Conference on the Theory and Application of Cryptographic Techniques, Proceeding (Lecture Notes in Computer Science), Preneel Bart (Ed.), Vol. 1807. Springer, 139–155.Google ScholarCross Ref
Reference
[8] Bellare Mihir and Rogaway Phillip. 1993. Entity authentication and key distribution. In Advances in Cryptology (CRYPTO ’93), 13th Annual International Cryptology Conference, Proceedings (Lecture Notes in Computer Science), Stinson Douglas R. (Ed.), Vol. 773, Springer, 232–249.Google Scholar
Reference 1Reference 2Reference 3
[9] Bellare Mihir and Rogaway Phillip. 1995. Provably secure session key distribution: The three party case. In Proceedings of the 27th Annual ACM Symposium on Theory of Computing, Leighton Frank Thomson and Borodin Allan (Eds.). ACM, 57–66.Google ScholarDigital Library
Reference 1Reference 2
[10] Blake-Wilson Simon, Johnson Don, and Menezes Alfred. 1997. Key agreement protocols and their security analysis. In Cryptography and Coding, 6th IMA International Conference, Proceedings (Lecture Notes in Computer Science), Darnell Michael (Ed.), Vol. 1355, Springer, 30–45.Google ScholarCross Ref
Reference
[11] Blake-Wilson Simon and Menezes Alfred. 1998. Authenticated diffie-hellman key agreement protocols. In Selected Areas in Cryptography’98 (SAC’98), Proceedings (Lecture Notes in Computer Science), Tavares Stafford E. and Meijer Henk (Eds.), Vol. 1556, Springer, 339–361.Google Scholar
Reference
[12] Boyd Colin, Cliff Yvonne, Nieto Juan Manuel González, and Paterson Kenneth G.. 2008. Efficient one-round key exchange in the standard model. In Information Security and Privacy, 13th Australasian Conference (ACISP’08), Proceedings (Lecture Notes in Computer Science), Mu Yi, Susilo Willy, and Seberry Jennifer (Eds.), Vol. 5107, Springer, 69–83.Google ScholarDigital Library
Reference
[13] Brookes Stephen D., Hoare C. A. R., and Roscoe A. W.. 1984. A theory of communicating sequential processes. J. ACM 31, 3 (1984), 560–599.Google ScholarDigital Library
Reference
[14] Canetti Ran and Krawczyk Hugo. 2001. Analysis of key-exchange protocols and their use for building secure channels. In Advances in Cryptology (EUROCRYPT’01), International Conference on the Theory and Application of Cryptographic Techniques, Proceeding (Lecture Notes in Computer Science), Pfitzmann Birgit (Ed.), Vol. 2045. Springer, 453–474.Google ScholarCross Ref
Reference
[15] Cao Jin, Ma Maode, Li Hui, Ma Ruhui, Sun Yunqing, Yu Pu, and Xiong Lihui. 2020. A survey on security aspects for 3GPP 5G networks. IEEE Commun. Surv. Tutorials 22, 1 (2020), 170–195.Google ScholarDigital Library
Reference
[16] Chen Liqun, Cheng Zhaohui, and Smart Nigel P.. 2006. Identity-based key agreement protocols from pairings. IACR Cryptol. ePrint Arch. 2006 (2006), 199.Google Scholar
Reference
[17] Cheval Vincent, Kremer Steve, and Rakotonirina Itsaka. 2018. DEEPSEC: Deciding equivalence properties in security protocols theory and practice. In 2018 IEEE Symposium on Security and Privacy (SP’18), Proceedings. IEEE Computer Society, 529–546.Google ScholarCross Ref
Reference
[18] Cremers Cas and Dehnel-Wild Martin. 2019. Component-based formal analysis of 5G-AKA: Channel assumptions and session confusion. In 26th Annual Network and Distributed System Security Symposium (NDSS’19). The Internet Society.Google Scholar
Reference
[19] Edris Ed Kamya Kiyemba, Aiash Mahdi, and Loo Jonathan Kok-Keng. 2020. Formal verification and analysis of primary authentication based on 5G-AKA protocol. In 2020 7th International Conference on Software Defined Systems (SDS’20). IEEE, 256–261.Google ScholarCross Ref
Reference 1Reference 2
[20] Fei Yuan, Zhu Huibiao, Wu Xi, Fang Huixing, and Qin Shengchao. 2018. Comparative modelling and verification of Pthreads and Dthreads. Journal of Software: Evolution and Process 30, 3 (2018), 1–33.Google ScholarCross Ref
Reference
[21] Fouque Pierre-Alain, Onete Cristina, and Richard Benjamin. 2016. Achieving better privacy for the 3GPP AKA protocol. Proc. Priv. Enhancing Technol. 2016, 4 (2016), 255–275.Google ScholarCross Ref
Reference
[22] Hoare C. A. R.. 1985. Communicating Sequential Processes. Prentice-Hall International, Englewood Cliffs.Google Scholar
Reference
[23] Huang Hai and Cao Zhenfu. 2009. An ID-based authenticated key exchange protocol based on bilinear Diffie-Hellman problem. In Proceedings of the 2009 ACM Symposium on Information, Computer and Communications Security (ASIACCS’09), Li Wanqing, Susilo Willy, Tupakula Udaya Kiran, Safavi-Naini Reihaneh, and Varadharajan Vijay (Eds.). ACM, 333–342.Google ScholarDigital Library
Reference
[24] Hussain Syed Rafiul, Chowdhury Omar, Mehnaz Shagufta, and Bertino Elisa. 2018. LTEInspector: A systematic approach for adversarial testing of 4G LTE. In 25th Annual Network and Distributed System Security Symposium (NDSS’18). The Internet Society.Google Scholar
Reference
[25] Idrissi Younes El Hajjaji El, Zahid Noureddine, and Jedra Mohamed. 2012. Security analysis of 3GPP (LTE)–WLAN interworking and a new local authentication method based on EAP-AKA. In The 1st International Conference on Future Generation Communication Technologies.Google Scholar
Reference 1Reference 2
[26] Bae Won il and Kwak Jin. 2020. Smart card-based secure authentication protocol in multi-server IoT environment. Multimedia Tools and Applications 79 (2020), 15793–15811.Google ScholarCross Ref
Navigate to
Reference 1
Reference 2
Reference 3
Reference 4
Reference 5
Reference 6
[27] Jiang Lili, Chang Xiaolin, Bai Jing, Misic Jelena V., Misic Vojislav B., and Chen Zhi. 2020. Dependability analysis of 5G-AKA authentication service from server and user perspectives. IEEE Access 8 (2020), 89562–89574.Google ScholarCross Ref
Reference
[28] Kilciauskas Ausrys, Butkus Gintaras, and Sakalauskas Eligijus. 2020. Authenticated key agreement protocol based on provable secure cryptographic functions. Informatica 31, 2 (2020), 277–298.Google ScholarDigital Library
Reference
[29] Konidala Divyan M., Kim Daeyoung, Yeun Chan Yeob, and Lee Byoungcheon. 2011. Security framework for RFID-based applications in smart home environment. J. Inf. Process. Syst. 7, 1 (2011), 111–120.Google ScholarCross Ref
Reference
[30] Koutsos Adrien. 2019. The 5G-AKA authentication protocol privacy. In IEEE European Symposium on Security and Privacy (EuroS&P’19). IEEE, 464–479.Google Scholar
Reference
[31] Kudla Caroline and Paterson Kenneth G.. 2005. Modular security proofs for key agreement protocols. In Advances in Cryptology (ASIACRYPT’05), 11th International Conference on the Theory and Application of Cryptology and Information Security, Proceedings (Lecture Notes in Computer Science), Roy Bimal K. (Ed.), Vol. 3788. Springer, 549–565.Google ScholarDigital Library
Reference
[32] LaMacchia Brian A., Lauter Kristin E., and Mityagin Anton. 2007. Stronger security of authenticated key exchange. In Provable Security, 1st International Conference (ProvSec’07), Proceedings (Lecture Notes in Computer Science), Susilo Willy, Liu Joseph K., and Mu Yi (Eds.), Vol. 4784, Springer, 1–16.Google ScholarCross Ref
Reference
[33] Lamport Leslie. 1981. Password authentification with insecure communication. Commun. ACM 24, 11 (1981), 770–772.Google ScholarDigital Library
Reference
[34] Lee Ming-Feng, Smart Nigel P., Warinschi Bogdan, and Watson Gaven J.. 2014. Anonymity guarantees of the UMTS/LTE authentication and connection protocol. Int. J. Inf. Sec. 13, 6 (2014), 513–527.Google ScholarDigital Library
Reference
[35] Li Xiehua and Wang Yongjun. 2011. Security enhanced authentication and key agreement protocol for LTE/SAE network. In 2011 7th International Conference on Wireless Communications, Networking and Mobile Computing.Google ScholarCross Ref
Reference
[36] Li Xiong, Xiong Yongping, Ma Jian, and Wang Wendong. 2012. An efficient and security dynamic identity based authentication protocol for multi-server architecture using smart cards. J. Netw. Comput. Appl. 35, 2 (2012), 763–769.Google ScholarDigital Library
Navigate to
Reference 1
Reference 2
Reference 3
Reference 4
[37] Liu Yang, Pang Jun, Sun Jun, and Zhao Jianhua. 2009. Verification of population ring protocols in PAT. In 3rd IEEE International Symposium on Theoretical Aspects of Software Engineering (TASE’09). 81–89.Google Scholar
Reference
[38] Lopes Ana Paula Golembiouski, Hilgert Lucas O., Gondim Paulo R. L., and Lloret Jaime. 2019. Secret sharing-based authentication and key agreement protocol for machine-type communications. Int. J. Distributed Sens. Networks 15, 4 (2019), 1–21.Google Scholar
Reference
[39] Lowe Gavin. 1997. A hierarchy of authentication specification. In 10th Computer Security Foundations Workshop (CSFW ’97). IEEE Computer Society, 31–44.Google Scholar
Reference
[40] Lowe Gavin and Roscoe A. W.. 1997. Using CSP to detect errors in the TMN protocol. IEEE Trans. Software Eng. 23, 10 (1997), 659–669.Google ScholarDigital Library
Reference
[41] Menezes Alfred, Oorschot Paul C. van, and Vanstone Scott A.. 1996. Handbook of Applied Cryptography. CRC Press.Google ScholarDigital Library
Reference
[42] Ni Liang, Chen Gongliang, Li Jianhua, and Hao Yanyan. 2011. Strongly secure identity-based authenticated key agreement protocols. Comput. Electr. Eng. 37, 2 (2011), 205–217.Google ScholarDigital Library
Reference 1Reference 2
[43] Ota Haruki, Kiyomoto Shinsaku, and Tanaka Toshiaki. 2010. Security verification for authentication and key exchange protocols, revisited. In 24th IEEE International Conference on Advanced Information Networking and Applications Workshops (WAINA’10). IEEE Computer Society, 226–233.Google ScholarDigital Library
Reference
[44] Roscoe A. W.. 1997. The Theory and Practice of Concurrency. Prentice Hall. Google ScholarDigital Library
Reference
[45] Roscoe A. W.. 2010. Understanding Concurrent Systems. Springer.Google ScholarCross Ref
Reference
[46] Schmidt Benedikt, Sasse Ralf, Cremers Cas, and Basin David A.. 2014. Automated verification of group key agreement protocols. In 2014 IEEE Symposium on Security and Privacy (SP’14). IEEE Computer Society, 179–194.Google Scholar
Reference
[47] Shamir Adi. 1984. Identity-based cryptosystems and signature schemes. In Advances in Cryptology (CRYPTO ’84), Proceedings (Lecture Notes in Computer Science), Blakley G. R. and Chaum David (Eds.), Vol. 196, Springer, 47–53.Google Scholar
Reference
[48] Si Yuanjie, Sun Jun, Liu Yang, Dong Jin Song, Pang Jun, Zhang Shao Jie, and Yang Xiaohu. 2014. Model checking with fairness assumptions using PAT. Frontiers of Computer Science 8, 1 (2014), 1–16.Google ScholarDigital Library
Reference 1Reference 2
[49] Smart Nigel P.. 2001. An identity based authenticated key agreement protocol based on the weil pairing. IACR Cryptol. ePrint Arch. 2001 (2001), 111.Google Scholar
Reference
[50] Sood Sandeep K., Sarje Anil Kumar, and Singh Kuldip. 2011. A secure dynamic identity based authentication protocol for multi-server architecture. J. Netw. Comput. Appl. 34, 2 (2011), 609–618.Google ScholarDigital Library
Reference 1Reference 2
[51] Sun Jun, Liu Yang, and Dong Jin Song. 2008. Model checking CSP revisited: Introducing a process analysis toolkit. In Leveraging Applications of Formal Methods, Verification and Validation, 3rd International Symposium (ISoLA’08), Proceedings. 307–322.Google ScholarCross Ref
Reference
[52] Sun Jun, Liu Yang, Dong Jin Song, Liu Yan, Shi Ling, and André Étienne. 2013. Modeling and verifying hierarchical real-time systems using stateful timed CSP. ACM Trans. Softw. Eng. Methodol. 22, 1 (2013), 3.Google ScholarDigital Library
Reference 1Reference 2
[53] Sun Jun, Liu Yang, Dong Jin Song, and Pang Jun. 2009. PAT: Towards flexible verification under fairness. In Computer Aided Verification, 21st International Conference, (CAV’09). 709–714.Google ScholarDigital Library
Reference 1Reference 2
[54] Tang Chunyu, Naumann David A., and Wetzel Susanne. 2013. Analysis of authentication and key establishment in inter-generational mobile telephony. In 2013 IEEE International Conference on High Performance Computing and Communications (HPCC’13), and IEEE International Conference on Embedded and Ubiquitous Computing (EUC’13). IEEE, 1605–1614.Google ScholarCross Ref
Reference
[55] Broek Fabian van den, Verdult Roel, and Ruiter Joeri de. 2015. Defeating IMSI catchers. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Ray Indrajit, Li Ninghui, and Kruegel Christopher (Eds.). ACM, 340–351.Google ScholarDigital Library
Reference
[56] Wang Shengbao, Cao Zhenfu, Cheng ZhaoHui, and Choo Kim-Kwang Raymond. 2009. Perfect forward secure identity-based authenticated key agreement protocol in the escrow mode. Sci. China Ser. F Inf. Sci. 52, 8 (2009), 1358–1370.Google ScholarCross Ref
Reference 1Reference 2
[57] Wang Shiuh-Jeng, Tsai Yuh-Ren, Shen Chien-Chih, and Chen Pin-You. 2010. Hierarchical key derivation scheme for group-oriented communication systems. Int. J. Inf. Technol. Commun. Convergence 1, 1 (2010), 66–76.Google Scholar
Reference
[58] Xie Bin, Kumar Anup, Zhao David, Reddy Ranga, and He Bing. 2010. On secure communication in integrated heterogeneous wireless networks. Int. J. Inf. Technol. Commun. Convergence 1, 1 (2010), 4–23.Google ScholarCross Ref
Reference
[59] Xue Kaiping, Hong Peilin, and Ma Changsha. 2014. A lightweight dynamic pseudonym identity based authentication and key agreement protocol without verification tables for multi-server architecture. J. Comput. Syst. Sci. 80, 1 (2014), 195–206.Google ScholarDigital Library
Navigate to
Reference 1
Reference 2
Reference 3
Reference 4
Reference 5
Reference 6
[60] Zhang Jingjing, Wang Qiang, Yang Lin, and Feng Tao. 2019. Formal verification of 5G-EAP-TLS authentication protocol. In 4th IEEE International Conference on Data Science in Cyberspace (DSC’19). IEEE, 503–509.Google ScholarCross Ref
Reference

Index Terms

FVF-AKA: A Formal Verification Framework of AKA Protocols for Multi-server IoT

Recommendations

Formal Modeling and Verification of Smart Contracts
ICSCA '18: Proceedings of the 2018 7th International Conference on Software and Computer Applications

Smart contracts can automatically perform the contract terms according to the received information, and it is one of the most important research fields in digital society. The core of smart contracts is algorithm contract, that is, the parties reach an ...
Read More
Formal Verification of Security Protocols: ProVerif and Extensions
Artificial Intelligence and Security
Abstract
Secure protocols are built on cryptographic algorithms, which provide a variety of secure services to realize secure communications in a network environment. To improve the quality of security protocols and ensure their reliability, sufficient ...
Read More
AKA Protocol and Its Formal Analysis and Verification Using Ambient Calculus and Logics
ICNDS '09: Proceedings of the 2009 International Conference on Networking and Digital Society - Volume 01

In this paper, ambient calculus and ambient logics are introduced. Then we describe 3GPP authentication and key agreement protocol (AKA). This protocol’s goals are formally analyzed using ambient calculus. And we verified this protocol’s goals using ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Article

Published in
Formal Aspects of Computing Volume 35, Issue 4
December 2023
214 pages
ISSN:0934-5043
EISSN:1433-299X
DOI:10.1145/3633307
Editor:
Jim Woodcock
University of York, UK
Issue’s Table of Contents
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 20 November 2023
- Online AM: 25 May 2023
- Accepted: 18 May 2023
- Revised: 16 April 2023
- Received: 17 December 2021
Published in fac Volume 35, Issue 4

Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Modeling
verification
AKA protocols
multi-server IoT
CSP
PAT with C#
Qualifiers
- research-article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 0
  Total Citations
  View Citations
- 605
  Total Downloads
- Downloads (Last 12 months)605
- Downloads (Last 6 weeks)155
Other Metrics
View Author Metrics
Cited By
This publication has not been cited yet

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Type	Notation
Entity	\(U_i\) (the ith user), \(S_j\) (the jth service providing server), CS (the control server)\(~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\)
Identity	\(ID_i\) (the identity of \(U_i\)), \(SID_j\) (the identity of \(S_j\))\(~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\)
Random number	\(N_{i1}\), \(N_{i2}\), \(N_{i3}\) (random numbers chosen by \(U_i\), \(S_j\), and CS)\(~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\)
Operation	\(\oplus\) (the bitwise XOR operation), h(\(\cdot\)) (a one-way hash function),\(\Vert\) (the bitwise concatenation operation)\(~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\)

•	\({\textit {S}kip}\) stands for a process that only terminates successfully.
•	\({\textit {S}top}\) represents that the process does nothing and its state is a deadlock.
•	\({\it a}\rightarrow {\it P}\) first performs action \({\it a}\), then behaves like \({\it P}\).
•	\({\it c?x} \rightarrow {\it P}\) receives a message by channel \({\it c}\) and assigns it to variable \({\it x}\), then does the subsequent behavior like \({\it P}\).
•	\({\it c!e} \rightarrow {\it P}\) sends a message \({\it e}\) through channel \({\it c}\), then performs \({\it P}\).
•	\({\it P}\,\square {\it Q}\) acts like either \({\it P}\) or \({\it Q}\) and the environment decides the selection.
•	\({\it P}\parallel {\it Q}\) shows the parallel composition between \({\it P}\) and \({\it Q}\).
•	\({\it P}\|\|\|{\it Q}\) indicates that the process chooses to perform actions in \({\it P}\) and \({\it Q}\) interleavingly.
•	\({\it P} \lhd {\it B} \rhd {\it Q}\) denotes that if the condition \({\it B}\) is true, the process behaves like \({\it P}\), otherwise, like \({\it Q}\).
•	\({\it P;Q}\) executes \({\it P}\) and \({\it Q}\) sequentially.
•	\({\it P}[[{\it a}\leftarrow {\it b}]]\) changes event \({\it a}\) to event \({\it b}\).

STEP 1.	A current timestamp value TS\(_i\) is created by U\(_i\). U\(_i\) also selects a random number N\(_{i1}\). Then U\(_i\) computes B\(_i\), F\(_i\), P\(_{ij}\), CID\(_i\), and G\(_i\) as below: \(\begin{align} &{B_i}= {D_i}\oplus {C_i}~~~{F_i}= {B_i}\oplus {N_{i1}}~~~{P_{ij}}= {h}({B_i}\oplus {h}({N_{i1}}\Vert {SID_j}\Vert {PID_i}\Vert {TS_i}))\\ &{CID_{i}}= {ID_i}\oplus {h}({B_i}\Vert {N_{i1}}\Vert {TS_i}\Vert ``00\hbox{''}))~~~{G_{i}}= {b}\oplus {h}({B_i}\Vert {N_{i1}}\Vert {TS_i}\Vert ``11\hbox{''})) \end{align}\) Here “00” and “11” represent a 2-bit binary “0” and a 2-bit binary “1,” respectively. After the computation, the user U\(_i\) sends the message \(\lbrace\)F\(_i\), P\(_{ij}\), CID\(_i\), G\(_i\), PID\(_i\), TS\(_i\)\(\rbrace\) to the service-providing server S\(_j\).
STEP 2.	When S\(_j\) receives the message from U\(_i\), it checks the session delay. TS\(_j\) and \(\Delta\)T are assumed to be the current time and the tolerable time interval, respectively. If TS\(_j\) - TS\(_j\) \(\gt\) \(\Delta\)T, the session times out and S\(_j\) terminates the session. Otherwise, the following operations are performed by S\(_j\). It chooses a random number N\(_{i2}\) and computes J\(_i\), K\(_i\), L\(_i\), and M\(_i\) as below: \(\begin{align} &{J_i}= {BS_j}\oplus {N_{i2}}~~~{L_i}= {SID_{j}}\oplus {h}({BS_{j}}\Vert {N_{i2}}\Vert {TS_{i}}\Vert ``00\hbox{''})\\ &{K_i}= {h}({N_{i2}}\Vert {BS_j}\Vert {P_{ij}}\Vert {TS_{i}})~~~{M_{i}}= {d}\oplus {h}({BS_{j}}\Vert {N_{i2}}\Vert {TS_{i}}\Vert ``11\hbox{''}) \end{align}\) The message \(\lbrace\)F\(_i\), P\(_{ij}\), CID\(_i\), G\(_i\), PID\(_i\), TS\(_i\), J\(_i\), K\(_i\), L\(_i\), M\(_i\), PSID\(_j\)\(\rbrace\) is submitted to CS by S\(_j\).
STEP 3.	At first, CS checks whether the session delay is within the time interval \(\Delta\)T when getting the message from S\(_j\). TS\(_{CS}\) is assumed to be the current time. If TS\(_{CS}\) - TS\(_i\) \(\gt\) \(\Delta\)T, the session times out and CS ends the session. Otherwise, CS computes BS\(_j\)=h(PSID\(_j\)\(\Vert\)y), N\(_{i2}\)=J\(_i\)\(\oplus\)BS\(_j\), and K’=h(N\(_{i2}\)\(\Vert\)BS\(_{j}\)\(\Vert\)P\(_{ij}\)\(\Vert\)TS\(_{i}\)). CS verifies whether K\(_{i}^{\prime }\) is equal to K\(_{i}\) or not. If not, the session is terminated by CS. Otherwise, CS calculates the following elements: \(\begin{align} &{ B_i}= { h}({ PID_{i}}\Vert { x})~~~{ N_{i1}}={ F_{i}}\oplus { B_i}~~~{ ID_i}= { CID_{i}}\oplus { h}({ B_{j}}\Vert { N_{i1}}\Vert { TS_{i}}\Vert ``00\hbox{''})\\ &{ SID_{i}}= { L_{i}}\oplus { h}({ BS_{j}}\Vert { N_{i2}}\Vert { TS_{i}}\Vert 11\hbox{''})~~~{ P_{ij}^{\prime }}= { h}({ B_{i}}\oplus { h}({ N_{i1}}\Vert { SID_{j}}\Vert { PID_{i}}\Vert { TS_{i}})) \end{align}\) Then CS verifies the equivalence between P\(_{ij}\) and P\(_{ij}^{\prime }\). If they are equal, CS finishes the session. Otherwise, CS calculates b, d, PID\(_i^{\prime }\), and PSID\(_{j}^{\prime }\) as below: \(\begin{align} &{ b}= { G_{i}}\oplus h({ B_{i}}\Vert { N_{i1}}\Vert { TS_{i}}\Vert ``11\hbox{''})~~~{ PID_i^{\prime }}= { h} ({ ID_{i}}\Vert { b})\\ &{ d}={ M_{i}}\oplus { h}({ BS_{j}}\Vert { N_{i2}}\Vert { TS_{i}}\Vert ``11\hbox{''})~~~{ PSID_{j}^{\prime }}= { h}({ SID_{j}}\Vert { d}) \end{align}\) CS verifies whether PID\(_i^{\prime }\) and PSID\(_j^{\prime }\) equal PID\(_i\) and PSID\(_j\), respectively. If not, CS terminates the session. Otherwise, CS confirms that the messages are from legal U\(_i\) and S\(_j\). A random number N\(_{i3}\) is selected, and CS computes P\(_i\), Q\(_i\), R\(_i\), and V\(_i\) as below: \(\begin{align} &{ \textit{P_{i}}}= { N_{i1}}\oplus{ N_{i3}}\oplus h({ SID_{j}}\\|{ N_{i2}}\\|{ BS_{j}})~~~{ Q_{i}}={ h}({ N_{i1}}\oplus{ N_{i3}})\\ &{ R_i}= { N_{i2}}\oplus { N_{i3}}\oplus{ h}({ ID_{i}}\\|{ N_{i1}}\\|{ B_{i1}})~~~{ V_{i}}= { h}({ N_{i2}}\oplus { N_{i3}}) \end{align}\) Then CS transmits the message \(\lbrace\)P\(_i\), Q\(_{i}\), R\(_i\), V\(_i\)\(\rbrace\) to S\(_i\). CS also computes the session key SK as below: \(\begin{align} &{ SK}={ h}(({ N_{i1}}\oplus { N_{i2}}\oplus { N_{i3}})\Vert { TS_{i}}) \end{align}\)
STEP 4.	When S\(_{j}\) receives the message from CS, it computes N\(_{i1}\)\(\oplus\)N\(_{i3}\) and Q\(_{i}^{\prime }\) as below: \(\begin{align} &({ N_{i1}}\oplus { N_{i3}})^{\prime }= { P_{i}}\oplus { h} ({ SID_{i}}\Vert { N_{i2}}\Vert { BS_{j}})~~~{ Q_{i}^{\prime }}={ h}(({ N_{i1}}\oplus { N_{i3}})^{\prime }) \end{align}\) Then S\(_{j}\) verifies whether Q\(_{i}^{\prime }\) and Q\(_{i}\) are equal or not. If not, S\(_{j}\) finishes the session. Otherwise, S\(_{j}\) verifies the legitimacy of CS and U\(_{j}\). After the verification, S\(_{j}\) transmits the message \(\lbrace\)R\(_{i}\), V\(_{i}\)\(\rbrace\) to U\(_{i}\). The session key SK\(^{\prime }\) can be obtained by S\(_{j}\) as below: \(\begin{align} &{ SK^{\prime }}={ h}(({ N_{i2}}\oplus ({ N_{i1}}\oplus { N_{i3}})^{\prime })\Vert { TS_{i}}) \end{align}\)
STEP 5.	When receiving the message from S\(_{j}\), U\(_{i}\) computes (N\(_{i2}\)\(\oplus\)N\(_{i3}\))\(^{\prime }\) and V\(_{i}^{\prime }\): \(\begin{align} &({ N_{i2}}\oplus { N_{i3}})^{\prime }= { R_{i}}\oplus { h} ({ ID_{i}}\Vert { N_{i1}}\Vert { B_{i}})~~~{ V_{i}^{\prime }}={ h}(({ N_{i2}}\oplus { N_{i3}})^{\prime } \end{align}\) Then U\(_{i}\) checks whether V\(_{i}^{\prime }\) is equal to V\(_{i}\). If not, the session is terminated by U\(_{i}\). Otherwise, U\(_{i}\) verifies the legitimacy of CS and S\(_{i}\). U\(_{i}\) computes the session key SK\(^{\prime \prime }\) as below: \(\begin{align} &{ SK^{\prime \prime }}={ h}(({ N_{i1}}\oplus ({ N_{i2}}\oplus { N_{i3}})^{\prime })\Vert { TS_{i}}) \end{align}\)

STEP 1.	The service-providing server S\(_j\) sends its identity SID\(_j\) to CS.
STEP 2.	The control server CS chooses a random number x for computation. CS computes Serinfor\(_j\)=h(SID\(_j\)\(\Vert\)x) and sends it to S\(_j\).
STEP 3.	The user U\(_i\) chooses his/her password P\(_i\). U\(_i\) computes EncPass\(_i\)=h(ID\(_i\)\(\Vert\)h(P\(_i\))) and sends it to CS with its identity ID\(_i\) and anonymity value UID\(_i\).
STEP 4.	After receiving the messages from U\(_i\), CS computes Userinfor\(_i\)=h(EncPass\(_i\)\(\Vert\)x). It also stores UID\(_i\), Userinfor\(_i\), EncPass\(_i\), h(\(\cdot\)), and h(x) in the smart card. CS also adds similar elements together with the status-bit value into the verifier table. If the user does the registration, the status-bit value is saved as 1. Otherwise, the status-bit value is saved as 0. At last, CS sends the smart card to U\(_i\).

STEP 1.	After user U\(_i\) has verified the legitimate owner of the smart card, it generates a random number N\(_{i1}\) and timestamp Ts. By using Userinfor\(_i\) and h(x) in the smart card, A\(_i\)= Userinfor\(_i\)\(\oplus\)h(x)\(\oplus\)N\(_{i1}\) and Veru\(_i\)=h(h(x)\(\Vert\)N\(_{i1}\)) are computed. Then U\(_i\) sends UID\(_i\), A\(_i\), Veru\(_i\), and Ts to server S\(_j\).
STEP 2.	After receiving messages from user U\(_i\), server S\(_j\) generates N\(_{i2}\). Then it computes B\(_i\)= Serinfor\(_j\)\(\oplus\)N\(_{i2}\) and Vers\(_j\)=h(h(Serinfor\(_j\))\(\Vert\)N\(_{i2}\)). After the computation, S\(_j\) sends UID\(_i\), A\(_i\), Veru\(_i\), B\(_i\), Vers\(_i\), SID\(_j\), and Ts to CS.
STEP 3.	When CS receives the message from S\(_j\), it first checks the session delay. Ts\(^{\prime }\) and \(\Delta\)T represent the current time and the tolerable time interval, respectively. If Ts\(^{\prime }\) - Ts \(\gt\) \(\Delta\)T, the session times out and CS terminates the session. Otherwise, CS computes the following elements. CS calculates Serinfor\(_j\), N\(_{i2}\) and Vers\(_i^{\prime }\) as follows: \(\begin{align} &{ Serinfor_j}= { h}({ SID_{j}}\Vert { x})~~~{ N_{i2}}={ Serinfor_{j}}\oplus { B_{i}}~~~{ Vers_i^{\prime }}= { h} ({ h}({ SID_{j}}\Vert { x})\Vert { N_{i2})} \end{align}\) CS then checks whether Vers\(_i^{\prime }\) is equal to Vers\(_i\). If not, CS terminates the session. Otherwise, CS verifies the legitimacy of S\(_{j}\). CS computes N\(_{i1}\) and Veru\(_i^{\prime }\) as below: \(\begin{align} &{ N_{i1}}= { Userinfor_{i}}\oplus { h}({ x})\oplus { A_{i}}~~~{ Veru_i^{\prime }}= { h} ({ h}({ x})\Vert { N_{i1}^{\prime })} \end{align}\) CS checks whether Veru\(_i^{\prime }\) is equal to Veru\(_i\). If not, CS terminates the session. Otherwise, CS verifies the legitimacy of U\(_{i}\). After generating random number N\(_{i3}\) and new timestamp Ts, CS computes C\(_{i}\), D\(_{i}\), and E\(_{i}\) as below: \(\begin{align} &{ C_{i}}= { N_{i1}}\oplus { N_{i2}}\oplus { h}({ SID_{j}}\oplus { N_{i2}})\\ &{ D_i}= { h}({ A_{i}}\Vert { h}({ x}))\oplus { h}({ SID_{j}}\oplus { N_{i2}}))\\ &{ E_i}= { N_{i2}}\oplus { N_{i3}}\oplus { h}({ A_{i}}\Vert { h}({ x})) \end{align}\) Then CS sends C\(_{i}\), D\(_{i}\), E\(_{i}\), and Ts to server S\(_{j}\). As CS knows A\(_{i}\), x, N\(_{i1}\), N\(_{i2}\), and N\(_{i3}\), it calculates the session key as below: \(\begin{align} &{ SK}={ h}({ h}({ A_{i}}\Vert { h}({ x}))\oplus ({ N_{i1}}\oplus { N_{i2}}\oplus { N_{i3}})) \end{align}\)
STEP 4.	After getting the message from CS, S\(_j\) sends E\(_{i}\) and Ts to U\(_i\). Then S\(_j\) computes (N\(_{i1}\)\(\oplus\)N\(_{i3}\))\(^{\prime }\) and (h(A\(_{i}\)\(\Vert\)h(x)))\(^{\prime }\) as below: \(\begin{align} &({ N_{i1}}\oplus { N_{i3}})^{\prime }= { C_{i}}\oplus { h}({ SID_{j}}\oplus { N_{i2}})\\ &({ h}({ A_i}\Vert { h}({ x}))^{\prime }= { D_i}\oplus ({ SID_{j}}\oplus { N_{i2}}) \end{align}\) So far, S\(_{j}\) has already learned (h(A\(_{i}\)\(\Vert\)h(x)))\(^{\prime }\), (N\(_{i1}\)\(\oplus\)N\(_{i3}\))\(^{\prime }\), and N\(_{i2}\). Therefore, the session key can be obtained by it as below: \(\begin{align} &{ SK}^{\prime }={ h}(({ h}({ A_{i}}\Vert { h}({ x}))^{\prime })\oplus (({ N_{i1}}\oplus { N_{i3}})^{\prime }\oplus { N_{i2}})) \end{align}\)
STEP 5.	When U\(_{i}\) receives E\(_{i}\) and Ts, it checks the session delay. As Ts\(^{\prime }\) and \(\Delta\)T denote the current time and the tolerable time interval, respectively, Ts’ - Ts \(\gt\) \(\Delta\)T is considered to be a timeout case. If it happens, U\(_{i}\) terminates the session. If it does not happen, U\(_{i}\) computes (N\(_{i2}\)\(\oplus\)N\(_{i3}\))\(^{\prime }\)=E\(_{i}\)\(\oplus\)h(A\(_{i}\)\(\Vert\)h(x)). As h(x) is in the smart card, U\(_{i}\) can obtain the session key as below: \(\begin{align} &{ SK}^{\prime \prime }={ h}({ h}({ A_{i}}\Vert { h}({ x}))\oplus ({ N_{i1}}\oplus ({ N_{i2}}\oplus { N_{i3}})^{\prime })) \end{align}\)

LTL Formula(Property)	Time Used(s)	Estimated Memory(KB)	Verification Result
Protocol\(\_\)X() deadlockfree(Deadlock freedom)	0.0892462	16,108.848	Valid
Protocol\(\_\)X() \|= <> S\(\_\)U\(\_\)Legitimacy\(\_\)For\(\_\)CS(Entity Legitimacy)	0.0491195	9,750.432	Valid
Protocol\(\_\)X() \|= <> CS\(\_\)U\(\_\)Legitimacy\(\_\)For\(\_\)S(Entity Legitimacy)	0.1010357	11,236.24	Valid
Protocol\(\_\)X() \|= <> S\(\_\)CS\(\_\)Legitimacy\(\_\)For\(\_\)U(Entity Legitimacy)	0.0427855	11,435.144	Valid
Protocol\(\_\)X() \|= []! TimeOut(Timeout delay)	0.0481626	11,190.232	Valid
Protocol\(\_\)X() \|= <> SK\(\_\)Consistency(Session key consistency)	0.0544506	10,787.616	Valid
Protocol\(\_\)B() deadlockfree(Deadlock freedom)	0.0143308	11,249.672	Valid
Protocol\(\_\)B() \|= <> S\(\_\)Legitimacy\(\_\)For\(\_\)CS(Entity Legitimacy)	0.0061396	11,313.216	Valid
Protocol\(\_\)B() \|= <> U\(\_\)Legitimacy\(\_\)For\(\_\)CS(Entity Legitimacy)	0.0158869	9,414.944	Valid
Protocol\(\_\)B() \|= []! TimeOut(Timeout Delay)	0.0078747	9,929.608	Valid
Protocol\(\_\)B() \|= <> SK\(\_\)Consistency(Timeout Delay)	0.0147976	9,966.56	Valid

FVF-AKA: A Formal Verification Framework of AKA Protocols for Multi-server IoT

Formal Aspects of Computing

Abstract

1 INTRODUCTION

2 PRELIMINARIES

2.1 AKA Protocols for Multi-server IoT

2.2 CSP

2.3 Formal Verification Framework of AKA Protocols for Multi-server IoT

3 CASE STUDY OF MODELING XUE ET AL.’S AKA PROTOCOL

3.1 A Lightweight Dynamic Pseudonym Identity-based AKA Protocol for Multi-server IoT

3.1.1 Registration Phase.

3.1.2 Authentication Phase.

3.2 Building CSP Model for Xue et al.’s AKA Protocol

3.2.1 Modeling Xue et al.’s AKA Protocol.

3.3 Implementation of the CSP Models in PAT and C#

4 CASE STUDY OF MODELING BAE AND KWAK’S AKA PROTOCOL

4.1 A Smart-card-based Secure AKA Protocol in Multi-server IoT Environment

4.1.1 Registration Phase.

4.1.2 Authentication Phase.

4.2 Building and Implementing CSP Model for Bae and Kwak’s AKA Protocol

5 CONVERSION FROM CSP MODELS TO PAT MODELS

5.1 Splitting Files for PAT Model

5.2 Automatic Conversion Algorithm

6 VERIFICATION OF FUNDAMENTAL PROPERTIES

7 VERIFICATION OF SECURITY PROPERTIES

7.1 Verification of Replay Attack

7.2 Verification of Other Attacks

7.2.1 Verification of Denial of Service Attack.

7.2.2 Verification of Server Spoofing Attack.

7.2.3 Verification of Session Key Attack.

8 RELATED WORK

9 CONCLUSION AND FUTURE WORK

Footnotes

REFERENCES

Cited By

Index Terms

Recommendations

Formal Modeling and Verification of Smart Contracts

Formal Verification of Security Protocols: ProVerif and Extensions

AKA Protocol and Its Formal Analysis and Verification Using Ambient Calculus and Logics

Comments

Login options

Full Access

Published in

Sponsors

In-Cooperation

Publisher

Publication History

Permissions

Check for updates

Author Tags

Qualifiers

Conference

Funding Sources

Article Metrics

Other Metrics

PDF Format

eReader

Digital Edition

Share this Publication link

Share on Social Media