Fail-Stop Protocols : An Approach to Designing Secure

This paper presents a methodology to facilitate the design and analysis of secure cryptographic protocols. This work is based on a novel notion of a fail-stop protocol, which automatically halts in response to any active attack. This paper suggests types of protocols that are fail-stop, outlines some proof techniques for them, and uses examples to illustrate how the notion of a fail-stop protocol can make protocol design easier and can provide a more solid basis for some proposed protocol analysis methods.

1 Background and Motivation

In a distributed system, security depends heavily on the use of secure protocols such as authentication protocols (e.g., [21, 26]) and secure communication protocols (e.g., [4]). It is well known that such protocols can fail even if the underlying cryptosystems are sound, and can have very subtle security flaws that are quite difficult to debug [6]. In fact, the protocol security problem is undecidable in that, given any protocol analyzer, there are protocols whose security the analyzer cannot decide.¹

Recent years have seen notable efforts devoted to developing methods (theories, logics, formal methods, and tools) to facilitate the analysis of the security of cryptographic protocols (e.g., [11, 6, 17]). Although these results are significant, they are not yet satisfactory, for the following reasons. Methods based on searching, as the authors themselves pointed out [17], can find protocol design vulnerabilities to only those attacks that are explicitly modelled. Thus, failure to find a vulnerability by such a method does not mean that the protocol is secure, but merely that certain lines of attack are less likely to succeed. In addition, like software testing, searching is computation

¹ To relate this problem to the Turing machine halting problem, simply define a protocol that broadcasts all its secrets if the analyzer finds it secure and does nothing otherwise.
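The following Python model is an added illustration of the fail-stop behaviour described above; it is example code written for this page, not code from the paper, and the concrete check set it uses (a keyed MAC binding sender, receiver, sequence number and payload, plus strictly increasing per-direction sequence numbers as the freshness check) is an assumption chosen for the demonstration rather than the paper's own definition. The `Party`, `FailStop` and scenario function names and the shared key are constructed for the example. A party that sees any message failing an integrity, origin or freshness check halts permanently, so a tampered or replayed message stops the run instead of being silently absorbed.

```python
import hashlib
import hmac
import json

# Added example of a fail-stop receiver: the first message that fails any
# check halts the party for good. Check set and names are assumptions for
# this illustration, not the paper's definition.


class FailStop(Exception):
    """Raised when a party halts because a message failed a check."""


def _mac(key: bytes, sender: str, receiver: str, seq: int, payload: str) -> str:
    # Bind every field into the tag so that changing any of them, or moving
    # the message to another direction or position, invalidates the MAC.
    data = json.dumps([sender, receiver, seq, payload], separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Party:
    def __init__(self, name: str, key: bytes):
        self.name = name
        self.key = key            # symmetric key shared by both parties (constructed)
        self.send_seq = 0         # next sequence number this party will send
        self.expect_seq = {}      # peer name -> next sequence number expected from it
        self.halted = False

    def send(self, peer: str, payload: str) -> dict:
        if self.halted:
            raise FailStop(f"{self.name} has halted")
        msg = {"from": self.name, "to": peer, "seq": self.send_seq, "body": payload}
        msg["mac"] = _mac(self.key, self.name, peer, self.send_seq, payload)
        self.send_seq += 1
        return msg

    def receive(self, msg: dict) -> str:
        if self.halted:
            raise FailStop(f"{self.name} has halted")
        expected = _mac(self.key, msg["from"], msg["to"], msg["seq"], msg["body"])
        ok = (
            msg["to"] == self.name                                  # addressed to us
            and hmac.compare_digest(expected, msg["mac"])           # unmodified, keyed origin
            and msg["seq"] == self.expect_seq.get(msg["from"], 0)   # fresh and in order
        )
        if not ok:
            self.halted = True    # fail-stop: nothing further is sent or accepted
            raise FailStop(f"{self.name} halted on message {msg}")
        self.expect_seq[msg["from"]] = msg["seq"] + 1
        return msg["body"]


KEY = b"demo-shared-key"   # constructed sample key


def honest_exchange() -> list:
    """Three untouched messages are all accepted."""
    a, b = Party("A", KEY), Party("B", KEY)
    received = [b.receive(a.send("B", "hello"))]
    received.append(a.receive(b.send("A", "hi back")))
    received.append(b.receive(a.send("B", "first")))
    return received


def replay_halts() -> tuple:
    """Re-delivering an accepted message halts B; B then refuses even genuine traffic."""
    a, b = Party("A", KEY), Party("B", KEY)
    m1 = a.send("B", "pay 10")
    b.receive(m1)
    try:
        b.receive(m1)             # same sequence number seen again
    except FailStop:
        pass
    try:
        b.receive(a.send("B", "pay 20"))
        later_accepted = True
    except FailStop:
        later_accepted = False
    return b.halted, later_accepted


def tamper_halts() -> bool:
    """A payload changed in transit no longer matches its MAC, so B halts."""
    a, b = Party("A", KEY), Party("B", KEY)
    m = a.send("B", "pay 10")
    m["body"] = "pay 1000"
    try:
        b.receive(m)
    except FailStop:
        return b.halted
    return False


if __name__ == "__main__":
    print(honest_exchange(), replay_halts(), tamper_halts())
```

The design point is that the halting decision is local and needs no attacker model: every field the attacker could alter is bound into the tag, and the sequence counter makes each accepted message unrepeatable, so any active interference shows up as a failed check and the party simply stops rather than continuing in an unknown state.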

[1] Whitfield Diffie et al. New Directions in Cryptography, 1976, IEEE Trans. Inf. Theory.

[2] Leslie Lamport et al. Time, clocks, and the ordering of events in a distributed system, 1978, CACM.

[3] Roger M. Needham et al. Using encryption for authentication in large networks of computers, 1978, CACM.

[4] C. A. R. Hoare et al. Communicating sequential processes, 1978, CACM.

[5] Giovanni Maria Sacco et al. Timestamps in key distribution protocols, 1981, CACM.

[6] Danny Dolev et al. On the security of public key protocols, 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[7] Richard D. Schlichting et al. Fail-stop processors: an approach to designing fault-tolerant computing systems, 1983, TOCS.

[8] Fred B. Schneider et al. Byzantine generals in action: implementing fail-stop processors, 1984, TOCS.

[9] Andrew Birrell. Secure communication using remote procedure calls, 1985, TOCS.

[10] Roger M. Needham et al. Authentication revisited, 1987, OPSR.

[11] Owen Rees et al. Efficient and timely mutual authentication, 1987, OPSR.

[12] Gil Neiger et al. Automatically increasing the fault-tolerance of distributed systems, 1988, PODC '88.

[13] Martín Abadi et al. A logic of authentication, 1989, Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences.

[14] Mahadev Satyanarayanan et al. Integrating security in a large distributed system, 1989, TOCS.

[15] Li Gong et al. Reasoning about belief in cryptographic protocols, 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[16] Dan M. Nessett et al. A critique of the Burrows, Abadi and Needham logic, 1990, OPSR.

[17] Martín Abadi et al. Rejoinder to Nessett, 1990, OPSR.

[18] Don Davis et al. Network security via private-key certificates, 1990, OPSR.

[19] Martín Abadi et al. A semantics for a logic of authentication (extended abstract), 1991, PODC '91.

[20] Martín Abadi et al. Authentication and Delegation with Smart-cards, 1991, TACS.

[21] Jürgen Schönwälder et al. A nonce-based protocol for multiple authentications, 1992, OPSR.

[22] B. Clifford Neuman et al. A note on the use of timestamps as nonces, 1993, OPSR.

[23] Roger M. Needham et al. Denial of service, 1993, CCS '93.

[24] Jerome H. Saltzer et al. Protecting Poorly Chosen Secrets from Guessing Attacks, 1993, IEEE J. Sel. Areas Commun.

[25] Theodore Y. Ts'o et al. Kerberos: an authentication service for computer networks, 1994, IEEE Communications Magazine.

[26] Martín Abadi et al. Prudent engineering practice for cryptographic protocols, 1994, Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy.