A way to find counterexamples located at deep positions with domain knowledge of authentication protocols

Abstract

We have model checked that a revised version of the RFC 8120 authentication protocol for HTTP enjoys the four security properties under the assumption that once a password is used for a protocol run, it is leaked to the intruder, such as the intruder, after the protocol run, and random numbers generated by servers are leaked to the intruder. The properties are (1) key secrecy (K-SEC), (2) key sharing (K-SHR), (3) client-point-of-view non-injective agreement (C-NIA), and (4) server-point-of-view non-injective agreement (S-NIA). We intuitively know that the protocol is least likely to enjoy each of the properties under the assumption. Due to the state space explosion, however, it is impossible to find a counterexample for each property with model checking. We have then split each model checking experiment into multiple model checking experiments. We first find a state in which a password has been leaked to the intruder. We next use a state as the initial state to find states in which that K-SEC, C-NIA and S-NIA are broken, respectively. We finally use a state in which C-NIA is broken as the initial state to find a state in which K-SHR is broken.