Security Goals: Packet Trajectories and Strand Spaces

This material was presented in a series of lectures at FOSAD, a summer school on Foundations of Security Analysis and Design, at the University of Bologna Center at Bertinoro in September 2000. It has two main purposes.

The first purpose is to explain how to model and analyze two important security problems, and how to derive systematic solutions to them. One problem area is the "packet protection problem," concerning how to use the security services provided by routers (services such as packet filtering and the IP security protocols) to achieve useful protection in complex networks. The other problem area, the "Dolev-Yao" problem, concerns how to determine, given a cryptographic protocol, what authentication and confidentiality properties it achieves, assuming that the cryptographic primitives it uses are ideal.

Our secondary purpose is to argue in favor of an overall approach to modeling and then solving information security problems. We argue in favor of discovering security goals for specific domains by examining the threats and enforcement mechanisms available in those domains. Mathematical modeling allows us to develop algorithms and proof methods to ensure that the mechanisms achieve particular security goals. This leads to a systematic approach to trust management, often a more pressing information security problem than inventing new and improved security mechanisms.
