Engineering Security Protocols with Modelchecking – Radius-SHA256 and Secured Simple Protocol

Florian Kammüller, Glenford Mapp, Sandip Patel, and Abubaker Sadiq Sani
Middlesex University
Computer Communications Group
f.kammueller@mdx.ac.uk, mapp@mdx.a.cuk, sp1264@live.mdx.ac.uk, ss1234@live.mdx.ac.uk

Abstract—This paper presents Radius-SHA256, an adaptation of the Radius protocol for remote authentication for network access to the secure hash function SHA-256 and a Secure Simple Protocol. Both protocols have been formalized in the Avispa model checker, an automated verification tool for security of protocols. The work on Radius utilizes the existing formalization of the standard Radius protocol, thereby establishing general validity and transferability of the established security proof and showing how refactoring can be applied in security protocol engineering. The development of a secured version of the SP protocol shows how gradually adding cryptographic keys to a transport protocol can introduce verified security while maintaining a level of trust in the adapted protocol.

Keywords-Security protocols; Model Checking; Cryptographic Hashes; Simple Protocol.

I. INTRODUCTION

Radius, a remote authentication protocol used for building up secure communications of clients with networks via network access servers, uses the message digest function MD5, a hash function which has meanwhile been proven to have security weaknesses. By contrast, the hash function SHA-256 still remains unchallenged. Although seemingly straightforward and thus tempting, simply replacing MD5 by SHA-256 in the Radius protocol must be considered potentially harmful, since authentication protocols are extremely sensitive to minor changes, as the history of attacks shows. In December 2008, an attack on the SSL protocol was demonstrated based on the previously discovered collisions of the MD5 hash function [10].
The engineers of that attack recommend discontinuing the use of SSL based on MD5. Fortunately, for SSL the use of the hash function is already by design a choice point. For Radius, this flexibility is not yet established; this is the subject and result of this paper.

Triggered by the alarming history of attacks on security protocols, formal verification techniques have long been deemed to be a way out. Model checking, a push-button technology for mathematical verification of finite state systems, has been discovered to be a suitable tool for security analysis of authentication protocols [4]. Ever since, this technology has proved to be useful for the engineering of secure protocols, e.g., for adaptation of the Kerberos protocols to mobile scenarios [3].

We investigate whether Radius-SHA256, our proposed adaptation of the Radius protocol, can provide better security guarantees than its original. To provide evidence based on mathematical rigor, we use the Avispa model checker. Fortunately, we can rely on the rich database of this tool, which provides a model of the original protocol. By adapting this model to our Radius-SHA256 and checking that the original security guarantees still hold, we prove two things: (a) that Radius-SHA256 is secure and (b) that the security guarantees have general validity, i.e., they can be carried over to protocols Radius-X for hashes X. The latter result corresponds to a reduction of Radius security to the security of the underlying hash function.

The Simple Protocol (SP) [5] is a new protocol that is currently being developed by the Ycomm group [13]. As a second engineering exercise, we report on a secured version of the SP protocol. This exercise shows how a new development of a special purpose protocol can profit from simultaneous modelling and analysis with a dedicated model checker like Avispa. This paper is based on the Masters Theses of two of the authors [6], [8].
In this paper, we first provide the prerequisites of this project: brief introductions to the Radius protocol, the Simple Protocol, Avispa model checking, and hashes (Section II). From there, we develop our new version Radius-SHA256 by introducing its model in Avispa in detail (Section III) and illustrate how this model can be efficiently used to verify security goals (Section III-D). Next, we show how a protocol can be extended step by step, introducing cryptographic keys to add authentication and secure it (Section IV). We finally offer conclusions and an outlook (Section V).

II. BACKGROUND

A. Radius

One of the major issues with networks is their security, and one response to this challenge is authentication protocols. Radius is a popular protocol providing security to communication channels. Radius stands for Remote Authentication Dial in User Service and serves to secure communication between Network Access Servers (NAS) and so-called Radius

Copyright (c) IARIA, 2012. ISBN: 978-1-61208-201-1
ICIMP 2012: The Seventh International Conference on Internet Monitoring and Protection