Know Your Enemy: Compromising Adversaries in Protocol Analysis

We present a symbolic framework, based on a modular operational semantics, for formalizing different notions of compromise relevant for the design and analysis of cryptographic protocols. The framework’s rules can be combined to specify different adversary capabilities, capturing different practically-relevant notions of key and state compromise. The resulting adversary models generalize the models currently used in different domains, such as security models for authenticated key exchange. We extend an existing security-protocol analysis tool, Scyther, with our adversary models. This extension systematically supports notions such as weak perfect forward secrecy, key compromise impersonation, and adversaries capable of state-reveal queries. Furthermore, we introduce the concept of a protocol-security hierarchy, which classifies the relative strength of protocols against different adversaries. In case studies, we use Scyther to analyse protocols and automatically construct protocol-security hierarchies in the context of our adversary models. Our analysis confirms known results and uncovers new attacks. Additionally, our hierarchies refine and correct relationships between protocols previously reported in the cryptographic literature.
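The protocol-security hierarchy described above can be illustrated with a small, added Python model; it is not the paper's framework or Scyther's compromise extension. The model is deliberately a passive one: each two-party Diffie-Hellman protocol is represented only by the minimal sets of secrets (assumed atom names `a`, `b` for the actor's and peer's long-term keys, `x`, `y` for their ephemerals) from which the session key can be recomputed, and each adversary model (assumed, simplified renderings of rules such as long-term key reveal of the actor, long-term key reveal after the session, randomness reveal, and an eCK-style combination) is a list of alternative reveal sets the adversary may choose from. Active attacks are out of scope, so the distinction between weak and full perfect forward secrecy is not captured. The hierarchy is then just the strict-inclusion order on the sets of adversary models each protocol survives, which already shows incomparable protocols (signed ephemeral DH resists long-term key compromise but not ephemeral reveal; static DH the reverse).

```python
"""Toy compromise-adversary lattice for two-party DH key exchange.

Added illustration, not the paper's framework or the Scyther tool.
Session keys are modelled only by the minimal sets of secrets from
which a passive adversary can recompute them; active attacks (and so
the wPFS vs. PFS distinction) are out of scope.
"""
from itertools import product

# Secret atoms of the test session (assumed names):
#   a, b = long-term private keys of actor and peer
#   x, y = their ephemeral DH exponents
# Each protocol lists every minimal set of atoms yielding the session key.
PROTOCOLS = {
    "static-DH":  [{"a"}, {"b"}],                      # K = g^{ab}
    "signed-DH":  [{"x"}, {"y"}],                      # K = g^{xy}, exchange signed under a, b
    "DH-mix":     [{"x", "a"}, {"x", "b"},
                   {"y", "a"}, {"y", "b"}],            # K = H(g^{xy}, g^{ab})
    "NAXOS-like": [{"x", "a"}, {"y", "b"}],            # K = H(Y^a, B^{x'}, Y^{x'}), x' = H(x, a)
}

# Adversary models (assumed simplifications of compromise rules): a list of
# alternative reveal sets; a protocol must resist every alternative.
MODELS = {
    "EXT":       [set()],                              # no compromise at all
    "LKR_actor": [{"a"}],                              # key-compromise-impersonation setting
    "LKR_after": [{"a", "b"}],                         # both long-term keys, after the session
    "RNR":       [{"x", "y"}],                         # randomness / ephemeral-key reveal
    "eCK-style": [{"a", "b"}, {"x", "y"},
                  {"a", "y"}, {"b", "x"}],             # never both a&x or both b&y
}


def derivable(paths, known):
    """True if the revealed atoms cover some minimal derivation set."""
    return any(path <= known for path in paths)


def survives(protocol, model):
    """Protocol keeps its session key secret under every alternative of the model."""
    return not any(derivable(PROTOCOLS[protocol], alt) for alt in MODELS[model])


def survivor_sets():
    """Map each protocol to the frozenset of adversary models it survives."""
    return {p: frozenset(m for m in MODELS if survives(p, m)) for p in PROTOCOLS}


def compare(p, q):
    """Relative strength of two protocols by inclusion of their survivor sets."""
    s = survivor_sets()
    if s[p] == s[q]:
        return "equal"
    if s[p] > s[q]:
        return "stronger"
    if s[p] < s[q]:
        return "weaker"
    return "incomparable"


def hierarchy():
    """Covering edges (p, q): p strictly stronger than q with no protocol between."""
    s = survivor_sets()
    edges = []
    for p, q in product(s, s):
        if s[p] > s[q] and not any(s[p] > s[r] > s[q] for r in s):
            edges.append((p, q))
    return sorted(edges)


if __name__ == "__main__":
    # Print the protocol/model matrix, then the Hasse edges of the hierarchy.
    header = "protocol".ljust(12) + "".join(m.ljust(11) for m in MODELS)
    print(header)
    for p in PROTOCOLS:
        row = "".join(("ok" if survives(p, m) else "ATTACK").ljust(11) for m in MODELS)
        print(p.ljust(12) + row)
    for strong, weak in hierarchy():
        print(f"{strong} > {weak}")
    print("signed-DH vs static-DH:", compare("signed-DH", "static-DH"))
```

Running the block prints the attack matrix and the three covering edges NAXOS-like > DH-mix > signed-DH and DH-mix > static-DH, with signed-DH and static-DH reported as incomparable. Extending the model is a matter of adding a protocol's derivation sets or another reveal pattern; the hierarchy is recomputed from the inclusion order alone, which is what makes it easy to read off which added capability separates two protocols.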