Applying authentication tests to discover Man-In-The-Middle attack in security protocols

Authentication protocols ensure that participants in a distributed environment verify their identities before sending sensitive information to each other. If an authentication protocol has a design flaw, it may fail to reveal the true identities of distributed participants. To verify that an authentication protocol achieves its objectives, we have developed Authentication Tests based on Distributed Temporal Protocol Logic (DTPL). In this paper, we propose a generic strategy to analyze authentication protocols based on these Authentication Tests. We demonstrate the ease with which our proposed strategy can be used by applying these tests on famous Needham-Shroeder Public Key (NSPK) authentication protocol. We also demonstrate how the inability to prove a security property can lead us to identifying Man-In-The-Middle attack on such protocols.

[1]  Martín Abadi,et al.  A logic of authentication , 1990, TOCS.

[2]  Michael Goldsmith,et al.  Modelling and analysis of security protocols , 2001 .

[3]  John A. Clark,et al.  A survey of authentication protocol literature: Version 1.0 , 1997 .

[4]  Catherine A. Meadows,et al.  Formal methods for cryptographic protocol analysis: emerging issues and trends , 2003, IEEE J. Sel. Areas Commun..

[5]  Anna Philippou,et al.  Tools and Algorithms for the Construction and Analysis of Systems , 2018, Lecture Notes in Computer Science.

[6]  Shahabuddin Muhammad Authentication Tests Based on Distributed Temporal Protocol Logic for the Analysis of Security Protocols , 2011 .

[7]  Lawrence C. Paulson,et al.  The Inductive Approach to Verifying Cryptographic Protocols , 2021, J. Comput. Secur..

[8]  Li Gong,et al.  Reasoning about belief in cryptographic protocols , 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[9]  Somesh Jha,et al.  A model checker for authentication protocols , 1997 .

[10]  Mark Shand,et al.  Fast implementations of RSA cryptography , 1993, Proceedings of IEEE 11th Symposium on Computer Arithmetic.

[11]  Paul F. Syverson,et al.  The Logic of Authentication Protocols , 2000, FOSAD.

[12]  Luca Viganò,et al.  Metareasoning about Security Protocols using Distributed Temporal Logic , 2005, Electron. Notes Theor. Comput. Sci..

[13]  Joshua D. Guttman,et al.  Authentication tests and the structure of bundles , 2002, Theor. Comput. Sci..

[14]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[15]  Corrado Priami,et al.  Primitives for authentication in process algebras , 2002, Theor. Comput. Sci..

[16]  Roger M. Needham,et al.  Using encryption for authentication in large networks of computers , 1978, CACM.

[17]  G. Lowe,et al.  Breaking and Fixing the Needham-Schroeder Public-Key Protocol using CSP and FDR , 1996 .

[18]  Gavin Lowe,et al.  A hierarchy of authentication specifications , 1997, Proceedings 10th Computer Security Foundations Workshop.

[19]  Ratan K. Guha,et al.  Designing Authentication Protocols: Trends and Issues , 2006, International Conference on Networking, International Conference on Systems and International Conference on Mobile Communications and Learning Technologies (ICNICONSMCL'06).

[20]  B. Clifford Neuman,et al.  A note on the use of timestamps as nonces , 1993, OPSR.

[21]  Simon S. Lam,et al.  Authentification for Distributed Systems , 1992, Computer.

[22]  Sebastian Mödersheim,et al.  OFMC: A Symbolic Model-Checker for Security Protocols , 2004 .

[23]  Glynn Winskel,et al.  Event Structures , 1986, Advances in Petri Nets.

[24]  Thomas Y. C. Woo,et al.  Authentication for distributed systems , 1997, Computer.

[25]  Wolfgang Reisig,et al.  Petri Nets: Applications and Relationships to Other Models of Concurrency , 1986, Lecture Notes in Computer Science.

[26]  F. Javier Thayer Fábrega,et al.  Strand spaces: proving security protocols correct , 1999 .

[27]  Sebastian Mödersheim,et al.  OFMC: A symbolic model checker for security protocols , 2005, International Journal of Information Security.