Authentication protocols are widely believed to be error prone because most analyses conclude with claims of discovering new attacks on the protocols. While proofs of security for authentication protocols are rightly viewed with circumspection, claims of attacks are rarely challenged. We propose a closer examination of how protocol attacks are defined in the light of the different conclusions of four different analyses of the Needham-Schroeder protocols. We argue that subtle paradigm shifts often occur during protocol analysis which affect the definition of a protocol attack. By becoming aware of these paradigm shifts, we can be more aware of what a specific attack actually accomplishes.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. 1999 New Security Paradigms Workshop, 9/99, Ontario, Canada. © 2000 ACM 1-58113-149-6/00/0004 ... $5.00

1 Introduction

Authentication protocols are believed to be error prone because most analyses of these protocols conclude with the discovery of an attack on the protocols. These errors are supposedly rooted in the protocol design and are characteristic of cryptographic protocols in general. There have been guidelines for better engineering of such protocols, e.g., [1], coupled with improved methods for protocol analysis. However, there is no standard way of detecting an attack on a protocol. In fact, there exist several approaches to analysing a protocol. These include the use of formal logics (e.g. BAN [3], GNY [7], SVO [20]), process algebra (e.g. CSP [19]) and specialised state engines such as the NRL Protocol Analyzer [16].
These various methods can yield different conclusions about a single protocol because each tool may detect a different type of attack, although there may be flaws commonly found by most methods. What is disconcerting is to discover conflicting conclusions, such as a pronouncement that a protocol is correct vis-à-vis a discovery of a flaw in the same protocol. Given such conflicting results, we generally believe that one tool has missed detecting the flaw found by the second tool. Specifically, we consider the case of the Needham-Schroeder authentication protocols [18]. Published in the late 1970s, the first known analysis was that conducted by Denning and Sacco [4]. However, these protocols have been continuously analysed, and these further analyses gave different conclusions about the security of the protocols. The BAN logic analysis of the protocols [3] is said to have failed to detect the attacks later claimed by Lowe [9] and Meadows [15]. Moreover, Lowe claims to have found a more subtle and more recent attack than that discovered by Denning and Sacco [9, 10], while Meadows claims to have reproduced Lowe's attack in addition to discovering new flaws [15]. Clearly, the use of one method of analysis gives no guarantee that another method will not discover a new flaw with the same protocol. Moreover, proofs
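The attack by Lowe referred to above is the well-known man-in-the-middle attack on the public-key Needham-Schroeder protocol, and it is a good place to see how much the verdict "attack" depends on the model. The following Python sketch is an added illustration for this page; it is not code from the paper, from Lowe, or from any of the analysis tools mentioned. It models the three-message core of the protocol symbolically (a ciphertext is a tuple that only its addressee can open), replays Lowe's attack with an intruder I who is a registered principal that A is willing to talk to, shows that the same intruder without a registered identity gets nowhere, and shows that Lowe's published fix (adding the responder's name to message 2) stops the attack. The principal names A, B and I, the `fixed` flag and all helper names are constructed for the example.

```python
"""Symbolic model of the Needham-Schroeder public-key protocol (the three
message core, without the key server), Lowe's man-in-the-middle attack on it,
and Lowe's fix (B's name added to message 2).

Constructed illustration for this page, not code from the paper or from Lowe.
Public-key encryption is modelled symbolically: a ciphertext is the tuple
('enc', recipient, payload) and only `recipient` can open it.
"""
from itertools import count

_counter = count(1)


def fresh_nonce(owner):
    return f"N_{owner}{next(_counter)}"


def enc(to, *payload):
    return ("enc", to, payload)


def dec(who, msg):
    """Only the intended recipient can open a ciphertext."""
    tag, to, payload = msg
    if tag != "enc" or to != who:
        raise PermissionError(f"{who} cannot decrypt a message addressed to {to}")
    return payload


class Principal:
    def __init__(self, name, fixed=False):
        self.name = name
        self.fixed = fixed      # True: responder uses Lowe's corrected message 2
        self.runs = []          # (role, peer) for every run this principal completed

    # initiator, message 1:  A -> B : {Na, A}_pkB
    def msg1(self, peer):
        self.na, self.peer = fresh_nonce(self.name), peer
        return enc(peer, self.na, self.name)

    # responder, message 2:  B -> A : {Na, Nb}_pkA   (fixed: {Na, Nb, B}_pkA)
    def msg2(self, m1):
        na, claimed = dec(self.name, m1)
        self.nb, self.claimed_peer = fresh_nonce(self.name), claimed
        if self.fixed:
            return enc(claimed, na, self.nb, self.name)
        return enc(claimed, na, self.nb)

    # initiator, message 3:  A -> B : {Nb}_pkB
    def msg3(self, m2):
        fields = dec(self.name, m2)
        na, nb = fields[0], fields[1]
        if na != self.na:
            raise ValueError("nonce mismatch")
        if self.fixed and fields[2] != self.peer:
            raise ValueError(f"{self.name}: message 2 names {fields[2]}, expected {self.peer}")
        self.runs.append(("initiator", self.peer))
        return enc(self.peer, nb)

    # responder accepts message 3 and records whom it believes it talked to
    def accept(self, m3):
        (nb,) = dec(self.name, m3)
        if nb != self.nb:
            raise ValueError("nonce mismatch")
        self.runs.append(("responder", self.claimed_peer))
        return self.claimed_peer


def honest_run(a, b):
    """A and B run the protocol with nobody in the middle."""
    return b.accept(a.msg3(b.msg2(a.msg1(b.name))))


def lowe_attack(a, b, i):
    """I is a registered principal and A willingly opens a run with I.
    Returns whom B believes it authenticated, or None if the attack fails."""
    m1 = a.msg1(i.name)                    # A -> I    : {Na, A}_pkI
    na, _ = dec(i.name, m1)
    m2 = b.msg2(enc(b.name, na, a.name))   # I(A) -> B : {Na, A}_pkB
    try:
        m3 = a.msg3(m2)                    # I -> A    : forwards {Na, Nb}_pkA unchanged
    except ValueError:
        return None                        # only happens with Lowe's fix in place
    (nb,) = dec(i.name, m3)                # A -> I    : {Nb}_pkI leaks Nb to I
    return b.accept(enc(b.name, nb))       # I(A) -> B : {Nb}_pkB, B accepts "A"


def outsider_attack(a, b, i):
    """Same intruder without a registered key: A only ever talks to B, so I
    can intercept {Na, A}_pkB but cannot open it and has nothing to relay."""
    try:
        dec(i.name, a.msg1(b.name))
    except PermissionError:
        return None


if __name__ == "__main__":
    a, b, i = Principal("A"), Principal("B"), Principal("I")
    print("B accepted:", lowe_attack(a, b, i), "| A's view:", a.runs, "| B's view:", b.runs)
    print("outsider:", outsider_attack(Principal("A"), Principal("B"), Principal("I")))
    fa, fb, fi = (Principal(n, fixed=True) for n in "ABI")
    print("with fix:", lowe_attack(fa, fb, fi))
```

Running it, B ends with `("responder", "A")` in its record while A ends with `("initiator", "I")`: B has authenticated a run that A never took part in, which is the mismatch Lowe reports. Whether that counts as an attack turns on the modelling choice made before any tool runs: an intruder who merely eavesdrops (`outsider_attack`) cannot even start the exchange, so an analysis that admits only outsiders will declare the protocol sound, and one that lets the intruder hold a registered key and be chosen as a peer will not. The paper's discussion of which definition of attack each analysis assumes should be read with that distinction in mind.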
[1] Gavin Lowe et al. A hierarchy of authentication specifications. Proceedings 10th Computer Security Foundations Workshop, 1997.
[2] Colin Boyd et al. Development of authentication protocols: some misconceptions and a new approach. Proceedings The Computer Security Foundations Workshop VII, 1994.
[3] Paul F. Syverson et al. On unifying some cryptographic protocol logics. Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy, 1994.
[4] Gavin Lowe. An attack on the Needham-Schroeder public-key authentication protocol. 1995.
[5] L. Gong et al. Using one-way functions for authentication. ACM SIGCOMM Computer Communication Review, 1989.
[6] Gavin Lowe et al. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. Software Concepts and Tools, 1996.
[7] Dieter Gollmann. What do we mean by entity authentication? Proceedings 1996 IEEE Symposium on Security and Privacy, 1996.
[8] C. Boyd et al. Methodical use of cryptographic transformations in authentication protocols. 1995.
[9] Heather M. Hinton. Under-specification, composition and emergent properties. NSPW '97, 1998.
[10] Jonathan K. Millen et al. CAPSL: Common Authentication Protocol Specification Language. NSPW '96, 1996.
[11] Steve A. Schneider. Verifying authentication protocols in CSP. IEEE Transactions on Software Engineering, 1998.
[12] Colin Boyd. Towards extensional goals in authentication protocols. 1997.
[13] Giovanni Maria Sacco et al. Timestamps in key distribution protocols. CACM, 1981.
[14] Martín Abadi et al. A logic of authentication. Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences, 1989.
[15] Catherine A. Meadows et al. Language generation and verification in the NRL Protocol Analyzer. Proceedings 9th IEEE Computer Security Foundations Workshop, 1996.
[16] Roger M. Needham et al. Using encryption for authentication in large networks of computers. CACM, 1978.
[17] Li Gong et al. Reasoning about belief in cryptographic protocols. Proceedings 1990 IEEE Computer Society Symposium on Research in Security and Privacy, 1990.
[18] Martín Abadi et al. Prudent engineering practice for cryptographic protocols. Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy, 1994.