Validating Attacks on Authentication Protocols

It is possible to show that well-known attacks on authentication protocols are flawed. This is a problem, since good protocols may thus be dismissed rather than improved and poor protocols that might continue to be used although they may contain irreparable errors. This paper describes a novel method for validating attacks on authentication protocols, based on a strategy for checking that all elements of the attack have been legally obtained. A Maude-program which implements the method, identified errors in attacks on the Wide Mouthed Frog and Yahalom authentication protocols. More generally, the paper shows that the method will find all errors in attacks that originates from incompleteness of cryptographic assumptions. The main implications is that new attacks can be effectively validated even when an exhaustive state-space analysis becomes infeasible. We expect that in the future, validation will be an obligatory part in effectively checking the soundness of any attacks on security protocols.

[1]  Gavin Lowe Casper: a compiler for the analysis of security protocols , 1998 .

[2]  Anders Moen Hagalisletto,et al.  Protocol Algebra , 2006, 11th IEEE Symposium on Computers and Communications (ISCC'06).

[3]  Roberto Gorrieri,et al.  Techniques for Security Checking: Non-Interference vs Control Flow Analysis , 2001, Electron. Notes Theor. Comput. Sci..

[4]  MeseguerJosé Conditional rewriting logic as a unified model of concurrency , 1992 .

[5]  Sebastian Mödersheim,et al.  OFMC: A symbolic model checker for security protocols , 2005, International Journal of Information Security.

[6]  Andrew D. Gordon,et al.  Types and effects for asymmetric cryptographic protocols , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[7]  Gavin Lowe Analyzing a Library of Security Protocols using Casper and FDR , 1999 .

[8]  Martn Abadi,et al.  Security Protocols and their Properties , 2000 .

[9]  D GordonAndrew,et al.  Types and effects for asymmetric cryptographic protocols , 2004 .

[10]  Anders Moen Hagalisletto,et al.  Errors in Attacks on Authentication Protocols , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[11]  John A. Clark,et al.  A survey of authentication protocol literature: Version 1.0 , 1997 .

[12]  G. Denker,et al.  CAPSL integrated protocol environment , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[13]  Sandro Etalle,et al.  A logic for constraint-based security protocol analysis , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[14]  Ross J. Anderson,et al.  Programming Satan's Computer , 1995, Computer Science Today.

[15]  Sebastian Mödersheim,et al.  Symbolic and Cryptographic Analysis of the Secure WS-ReliableMessaging Scenario , 2006, IACR Cryptol. ePrint Arch..