Monte Carlo Analysis of Security Protocols:
Needham-Schroeder Revisited
Radu Grosu
SUNY at Stony Brook
Joint work with Xiaowan Huang,
Scott Smolka, & Ping Yang
June 8, 2004 -- DIMACS Workshop on Security Analysis of Protocols
Talk Outline
1. LTL Model Checking
2. Monte Carlo Model Checking

3. Needham-Schroeder
4. Implementation & Results
5. Conclusions & Future Work
Model Checking
S | 
?
Is system S a model of formula φ?
Model Checking
• S is a nondeterministic/concurrent system.
•  is (in our case) an LTL (Linear Temporal
Logic) formula.

• Basic idea: intelligently explore S’s state
space in attempt to establish S ⊨ .
• Fly in the ointment: State Explosion!
LTL Model Checking
• An LTL formula is made up of atomic propositions p,
boolean connectives , ,  and temporal modalities
X (neXt) and U (Until).
• Every LTL formula  can be translated to a Büchi
automaton whose language is set of infinite words
satisfying .
• Automata-theoretic approach:
S ⊨  iff L(BS)  L(B )
iff
L(BS  B )  
Emptiness Checking
• Checking non-emptiness is equivalent to finding an
accepting cycle reachable from initial state (lasso).
• Double Depth-First Search (DDFS) algorithm can be
used to search for such cycles, and this can be done
on-the-fly!
sn
sk+3 sk+2
sk+1
DFS2
s1
s2
s3
sk-2
sk-1
sk
DFS1
Monte Carlo Model Checking (MC2)
• Sample Space: lassos in BS  B
• Random variable Z :
– Outcome = 0 if randomly chosen lasso accepting
– Outcome = 1 otherwise
• μZ = ∑ pi Zi
(weighted mean)
~ of μ
• Compute (ε,δ)-approx. 
Z
Z
Monte Carlo Model Checking (MC2)
a
b
c
d
e
L1 = abcb, L2 = abcdb, L3 = abcdea
Pr[L1]= ½, Pr[L2]=¼, Pr[L3]=¼
μZ = ½
Monte Carlo Approximation
• Problem: Compute the mean value μZ of a random
variable Z distributed in [0,1] when an exact computation
of μZ proves intractable.
• Solution: Compute an (,)-approximation  Z of Z:
Pr[  Z (1   )   Z   Z (1   )]  1  
with error margin  and confidence ratio .
• Has been used to: approximate permanent of 0-1
valued matrices, volume of convex bodies, and, now,
expectation that S ⊨  !
Original Solution
[Karp, Luby & Madras: Journal of Algorithms 1989]
• Compute  Z as the mean value of N independent
random variables (samples) identically distributed
according to Z:
Z  ( Z1  ... Z N )/ N
• Determine N using the Zero-One estimator theorem:
N  4 ln(2 /  )/ Z 2
• Problems: 1/  Z is unknown and 1/  2 can be large.
Stopping Rule Algorithm (SRA)
[Dagum, Karp, Luby & Ross: SIAM J Comput 2000]
• Innovation: computes correct N without using 1/  Z
 = 4 ln(2/) / 2;
for (N=0, S=0; S≤; N++) S=S+ZN;
 Z = S/N; return  ;
Z
• Theorem: Pr[  Z (1   )   Z   Z (1   )]  1  
E[N] ≤ 4 ln(2/) / μZ2;
• Problem: 1/  2 is in most interesting cases too large.
Optimal Approx Algorithm (OOA)
[Dagum, Karp, Luby & Ross: SIAM J Comput 2000]
• Compute N using generalized Zero-One estimator:
N
4 ln( 2 /  )/  
Z
 
4 ln( 2 /  )/  Z  2
if σ Z2  Z 

otherwise 
• Apply sequential analysis (prediction/correction):
1. Assume 2 is small and compute ̂Z with SRA(  ,  )
2. Compute ̂ 2 using ̂Z and N  4 ln(2 /  )/ ˆ 
3. Use ̂ 2 to correct N and Z .
Z
• Expected number of samples is optimal to within
a constant factor!
Monte Carlo Model Checking
Theorem: MC2 computes an (ε,δ)-approximation
of μZ in expected time O(N∙D) and uses
expected space O(D), where D is the
recurrence diameter of B = BS  B .
Cf. DDFS which runs in O(2|S|+|φ|)
time and space.
Needham-Schroeder
1. A  B : { Na, A } KB
2. B  A : { Na, Nb } KA
3. A  B : { Nb } KB
Breaking & Fixing Needham-Shroeder
•
In 1997, Lowe discovered a replay attack that
involves an intruder I masquerading as A in its
communication with B.
•
As shown by Lowe, protocol is easily fixed by
including identity of responder (B) in 2nd msg:
2´. B  A : { B, Na, Nb } KA
Implementation
• Implemented DDFS and MC2 in jMocha model
checker for synchronous systems specified
using Reactive Modules.
• Specified NS as a reactive module; all
communications go through intruder.
• Intruder obeys Dolev-Yao model: besides
normal communications, can intercept,
overhear, and fake messages.
Experimental Results
nonce
(0..1)
(0..4)
(0..8)
(0..20)
(0..32)
(0..36)
(0..60)
DDFS
time entries
31
1
607
1
2527
2
11 24031
32 85279
46 18111
oom
time
20
33
34
34
70
141
4200
MC2
exp
1
2
9
12
24
37
467
avg
12
29
30
30
30
30
30
Time and space requirements for DDFS and MC2
Experimental Results
sat
nonce
2915
(0..1)
2955
(0..4)
2969
(0..8)
μ
2970
(0..20)
6288
(0..32)
(0..36) 12975
(0..60) 194937
Z
cntr
171
18
4
3
3
3
9
mu_Z
0.945
0.994
0.999
0.999
1
1
1
Variation of µ~Z for MC2
Related Approaches
• NRL Protocol Analyzer [Meadows 96]
• Spi-Calculus [Abadi Gordon 97]
• FDR [Lowe 97]
• The Strand Space Method [Guttman et al. 98]
• Isabelle Theorem Prover [Paulson 98]
• Backward Induction [Kurkowski Mackow 03]
Conclusions
• Applied Monte Carlo model checking to
Needham-Schroeder.
• Results indicate may be more effective than
traditional approaches in discovering attacks.
• Further experimentation required to draw
definitive conclusions.
• Other Future Work: Use BDDs to improve run
time. Also, take samples in parallel!
Monte Carlo Model Checking
• Randomized algorithm for LTL model checking
utilizing automata-theoretic approach.

• Basic idea: Take N samples: sample = lasso =
random walk through BS  B ending in a cycle.
• If accepting lasso (counter-example) found,
return false.
• Else return true with certain confidence.