Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR

In this paper we analyse the well-known Needham-Schroeder Public-Key Protocol using FDR, a refinement checker for CSP. We use FDR to discover an attack upon the protocol, which allows an intruder to impersonate another agent. We adapt the protocol, and then use FDR to show that the new protocol is secure, at least for a small system. Finally, we prove a result which tells us that if this small system is secure, then so is a system of arbitrary size.
