Temporal rank functions for forward secrecy

A number of key establishment protocols claim the property of forward secrecy: the compromise of a long-term key does not result in the compromise of previously computed session keys. We describe how such protocols can be modelled using the process algebra CSP and explain why the well-known rank function approach is incapable of proving their correctness, since it treats the intruder's knowledge as fixed for the whole run and so cannot express a long-term key that becomes known only after a session has completed. This shortcoming motivates us to propose a generalised proof technique based on the novel concept of a temporal rank function. We apply this approach to two examples: a protocol due to Boyd and the Cliques (A-GDH.2) group key agreement protocol.
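As an added illustration of the property being verified (this is not code from the paper), the following Python script performs a small symbolic, Dolev-Yao style deduction in the spirit of the rank-function setting: the intruder's knowledge is closed under decomposition (analysis), and a target term is checked for constructibility (synthesis). Two constructed toy protocols are compared: one whose session key is derived from the long-term shared key and exchanged nonces, and a MACed ephemeral Diffie-Hellman exchange whose session key is g^(xy). Both protocols, the names kab, na, nb, x, y, g and the helper functions are assumptions made for this example; the second protocol is only loosely in the spirit of Boyd's protocol and is not A-GDH.2. The temporal aspect is modelled by closing the intruder's knowledge twice: once after the session has run, and once more after the long-term key kab is added.

```python
"""Symbolic forward-secrecy check for two constructed toy protocols.

Terms are nested tuples built from string atoms:
  ('pair', a, b)              concatenation
  ('enc', k, m)               symmetric encryption of m under k
  ('mac', k, m)               MAC of m under k
  ('kdf', k, n1, n2)          public key derivation function
  ('exp', base, frozenset)    DH exponentiation; the frozenset of exponents
                              makes g^xy and g^yx the same term
"""

G = 'g'        # public DH generator (assumed)
KAB = 'kab'    # long-term key shared by A and B (assumed name)
PUBLIC = {G}


def exp(base, *exponents):
    return ('exp', base, frozenset(exponents))


def analz(knowledge):
    """Close a set of terms under decomposition: split pairs, decrypt with known keys."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            new = set()
            if isinstance(t, tuple) and t[0] == 'pair':
                new.update(t[1:])
            elif isinstance(t, tuple) and t[0] == 'enc' and t[1] in known:
                new.add(t[2])
            if not new <= known:
                known |= new
                changed = True
    return known


def synth(t, known):
    """Can the intruder build term t from the (analysed) set `known`?"""
    if t in known:
        return True
    if isinstance(t, str):          # atoms are only known if observed or leaked
        return False
    tag = t[0]
    if tag in ('pair', 'enc', 'mac', 'kdf'):
        return all(synth(s, known) for s in t[1:])
    if tag == 'exp':
        base, exps = t[1], t[2]
        # Start from the bare base, or from any known power of it whose
        # exponents are a subset of the target's, then raise it by known exponents.
        starts = [frozenset()] if synth(base, known) else []
        starts += [k[2] for k in known
                   if isinstance(k, tuple) and k[0] == 'exp'
                   and k[1] == base and k[2] <= exps]
        return any(all(synth(e, known) for e in exps - have) for have in starts)
    raise ValueError(f'unknown term {t!r}')


def protocol_without_fs():
    """Constructed toy: nonces in clear, session key = kdf(kab, na, nb)."""
    na, nb = 'na', 'nb'
    msgs = [('pair', na, ('mac', KAB, na)),
            ('pair', nb, ('mac', KAB, ('pair', na, nb)))]
    return msgs, ('kdf', KAB, na, nb)


def protocol_with_fs():
    """Constructed toy: ephemeral DH halves authenticated by a MAC under kab."""
    ga, gb = exp(G, 'x'), exp(G, 'y')
    msgs = [('pair', ga, ('mac', KAB, ga)),
            ('pair', gb, ('mac', KAB, ('pair', ga, gb)))]
    return msgs, exp(G, 'x', 'y')


def forward_secret(protocol):
    """True iff the session key stays underivable after kab is compromised."""
    msgs, session_key = protocol()
    before = analz(PUBLIC | set(msgs))              # passive observer, session done
    assert not synth(session_key, before), 'key leaked without any compromise'
    after = analz(before | {KAB})                   # long-term key leaks later
    return not synth(session_key, after)


def can_forge_after_compromise(protocol):
    """The compromise is not harmless: a fresh authenticator can now be forged."""
    msgs, _ = protocol()
    after = analz(PUBLIC | set(msgs) | {KAB, 'z'})  # z: intruder's own exponent
    return synth(('mac', KAB, exp(G, 'z')), after)


if __name__ == '__main__':
    print('kdf protocol forward secret:', forward_secret(protocol_without_fs))  # False
    print('DH protocol forward secret: ', forward_secret(protocol_with_fs))     # True
    print('forge after compromise:     ', can_forge_after_compromise(protocol_with_fs))
```

The two closures are the point: a single fixed intruder knowledge set, as in the classic rank-function argument, would either include kab from the start (and then the honest run of the DH protocol cannot even be modelled, since the intruder could impersonate either party) or never include it (and then the compromise is not analysed at all). Ordering the closures in time is what lets the check distinguish the two protocols.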

[1] Emmanuel Bresson et al. Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions. EUROCRYPT, 2002.

[2] Steve A. Schneider. Verifying Authentication Protocol Implementations. FMOODS, 2002.

[3] Neil Evans et al. Investigating security through proof. 2003.

[4] Joshua D. Guttman. Key Compromise, Strand Spaces, and the Authentication Tests. MFPS, 2001.

[5] Hugo Krawczyk et al. SKEME: a versatile secure key exchange mechanism for Internet. Proceedings of the Internet Society Symposium on Network and Distributed Systems Security, 1996.

[6] Steve A. Schneider. Verifying Authentication Protocols in CSP. IEEE Transactions on Software Engineering, 1998.

[7] Andrew William Roscoe. The Theory and Practice of Concurrency. 1997.

[8] James Heather et al. Strand spaces and rank functions: more than distant cousins. Proceedings of the 15th IEEE Computer Security Foundations Workshop (CSFW-15), 2002.

[9] Jean-Jacques Quisquater et al. A security analysis of the Cliques protocols suites. Proceedings of the 14th IEEE Computer Security Foundations Workshop, 2001.

[10] Colin Boyd et al. Forward Secrecy and Its Application to Future Mobile Communications Security. Public Key Cryptography, 2000.

[11] Jean-Jacques Quisquater et al. Generic insecurity of Cliques-type authenticated group key agreement protocols. Proceedings of the 17th IEEE Computer Security Foundations Workshop, 2004.

[12] Gene Tsudik et al. Authenticated group key agreement and friends. CCS '98, 1998.

[13] Olivier Pereira et al. Modelling and Security Analysis of Authenticated Group Key Agreement Protocols. 2003.

[14] Hugo Krawczyk et al. SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols. CRYPTO, 2003.

[15] Steve A. Schneider et al. Concurrent and Real-time Systems: The CSP Approach. 1999.

[16] Paul C. van Oorschot et al. Authentication and authenticated key exchanges. Designs, Codes and Cryptography, 1992.

[17] Steve A. Schneider et al. A formal model of Diffie-Hellman using CSP and rank functions. 2003.

[18] Steve A. Schneider et al. Towards the Rank Function Verification of protocols that use Temporary Secrets. 2004.

[19] Steve A. Schneider et al. Towards automatic verification of authentication protocols on an unbounded network. Proceedings of the 13th IEEE Computer Security Foundations Workshop (CSFW-13), 2000.

[20] Steven M. Bellovin et al. Encrypted key exchange: password-based protocols secure against dictionary attacks. Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, 1992.

[21] Colin Boyd et al. Protocols for Authentication and Key Establishment. Information Security and Cryptography, 2003.

[22] Serge Vaudenay et al. Authenticated Multi-Party Key Agreement. ASIACRYPT, 1996.

[23] Danny Dolev et al. On the security of public key protocols. 22nd Annual Symposium on Foundations of Computer Science (SFCS 1981), 1981.