Extending Security Protocol Analysis: New Challenges

We argue that formal analysis tools for security protocols are not achieving their full potential, and give only limited aid to designers of more complex modern protocols, protocols in constrained environments, and security APIs. We believe that typical assumptions such as perfect encryption can and must be relaxed, while other threats, including the partial leakage of information, must be considered if formal tools are to continue to be useful and gain widespread, real-world utilisation. Using simple example protocols, we illustrate a number of attacks that are vital to avoid in security API design, but that have yet to be modelled using a formal analysis tool. We seek to extract the basic ideas behind these attacks and package them into a wish list of functionality for future research and tool development.
