Panel Session: Is Protocol Modelling Finished?

Abstract

Matt Blaze: I think we have gotten very close to the single biggest practical problem which protocol modelling and analysis has, but without actually mentioning it explicitly. That problem is that we tend to design very secure protocols that in practice cannot be implemented correctly. Larry mentioned SSL, which is very close to this problem. When we design these protocols we are sending them to implementers, and implementers make assumptions, they put protocols into environments, and they make what seems to them to be a very unimportant modification to the protocol.

Bruce Christianson: A low level design decision!

Matt Blaze: Yes, they make what seems to them to be a low level design decision, but the modification has the effect of just breaking the protocol completely. Is there some hope for formal analysis of protocols to capture a distinction between an implementable protocol and a non-implementable protocol?

Mike Roe: It’s not really so much that we need more formalism, as that the people doing this formal analysis need to be talking more to the people that deliver requirements, and producing a protocol that meets with those requirements. We’re seeing a great many instances of square pegs being fitted into round holes because implementors read books that give them some protocol which is secure under a particular combination of assumptions. The actual assumptions in the environment which the implementors had in mind are completely different, but never mind, it’s a security protocol, we’ll just tweak it. This happens a lot and it’s a problem.