Formal security analysis of registration protocols for interactive systems: a methodology and a case of study

TL;DR

This paper introduces a formal methodology for analyzing registration protocols, exemplified by CHAT-SRP, which enhances security and usability in interactive systems through cryptographically robust identity distribution and ticketing.

Contribution

It presents a novel formal analysis methodology for registration protocols and applies it to CHAT-SRP, demonstrating its security and practical benefits.

Findings

Formal verification confirms security properties of CHAT-SRP.

Tickets link users securely to registration requests.

Methodology can be applied to other communication protocols.

Abstract

In this work we present and formally analyze CHAT-SRP (CHAos based Tickets-Secure Registration Protocol), a protocol to provide interactive and collaborative platforms with a cryptographically robust solution to classical security issues. Namely, we focus on the secrecy and authenticity properties while keeping a high usability. In this sense, users are forced to blindly trust the system administrators and developers. Moreover, as far as we know, the use of formal methodologies for the verification of security properties of communication protocols isn't yet a common practice. We propose here a methodology to fill this gap, i.e., to analyse both the security of the proposed protocol and the pertinence of the underlying premises. In this concern, we propose the definition and formal evaluation of a protocol for the distribution of digital identities. Once distributed, these identities can be used to verify integrity and source of information. We base our security analysis on tools for automatic verification of security protocols widely accepted by the scientific community, and on the principles they are based upon. In addition, it is assumed perfect cryptographic primitives in order to focus the analysis on the exchange of protocol messages. The main property of our protocol is the incorporation of tickets, created using digests of chaos based nonces (numbers used only once) and users' personal data. Combined with a multichannel authentication scheme with some previous knowledge, these tickets provide security during the whole protocol by univocally linking each registering user with a single request. [..]