Names in Cryptographic Protocols

Messages in cryptographic protocols are made up of a small set of elements: keys, nonces, timestamps, and names, amongst others. These elements must possess specific properties to be useful for their intended purpose. Some of these properties are prescribed as part of the protocol specification, while others are assumed to be inherited from the execution environment. We focus on this latter category by analyzing the security properties of names. We argue that, to fulfill their role in cryptographic protocols, names must be unique across correlated sessions (i.e., sessions where the messages of one can be reused in another without detection), and that uniqueness must be guaranteed to hold for each participant of these runs. We discuss how uniqueness can be provided and verified by the interested parties. We show that two different mechanisms are possible for doing so, namely local and global verification. In both cases we discuss the implications of uniqueness for the execution environment of a cryptographic protocol, pointing out the inescapable issues related to each of the two mechanisms. Finally, we argue that such implications should be given careful consideration, as they represent important elements in the evaluation of a cryptographic protocol itself.
