When is a key establishment protocol correct?

This paper presents necessary and sufficient conditions for the security of a key establishment (KE) protocol, based on our formalism of belief multisets. The formalism is used to express the security of a KE protocol and to reason about the beliefs of its participants. We observe that a freshness identifier such as a nonce may not be fresh for a legitimate party in a particular protocol run; we therefore distinguish a trusted freshness identifier from the commonly used freshness identifier in terms of a participant's beliefs about security. A central ingredient of our approach is that every belief must be established on the basis of a trusted freshness identifier. Comparing the results of the reasoning with the security conditions either establishes the correctness of a KE protocol when the protocol is in fact correct, or identifies the absence of a security property, which points directly to the structure of an attack. Two examples, the Kerberos pair-key agreement approach in distributed sensor networks and the Needham-Schroeder public-key protocol, show the usability and efficiency of our approach. Copyright © 2009 John Wiley & Sons, Ltd.
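The Needham-Schroeder public-key protocol named above is the classic case where a nonce that is fresh for the party that generated it is nevertheless not safe to trust, because the same nonce is being relayed through a second session. The following symbolic model is an added example written for this page, not code from the paper and not an implementation of its belief-multiset formalism: it models the three-message NSPK exchange with an idealised Dolev-Yao public-key encryption (only the named recipient can open a ciphertext), replays Lowe's well-known man-in-the-middle attack, and then re-runs it against Lowe's fix (the responder's identity added to message 2). Agent names `A`, `B`, `I`, the function names and the nonce labels are the example's own choices.

```python
"""Symbolic NSPK, Lowe's attack, and Lowe's fix (added example, not the paper's code)."""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Enc:
    """Ciphertext under the public key of `to`; only `to` can open it (Dolev-Yao idealisation)."""
    to: str
    payload: tuple


def enc(to, *payload):
    return Enc(to, tuple(payload))


def dec(me, msg):
    """Decrypt only if `me` holds the matching private key; everyone else sees opaque bytes."""
    if not isinstance(msg, Enc):
        raise TypeError("not a ciphertext")
    if msg.to != me:
        raise PermissionError(f"{me} cannot decrypt a message addressed to {msg.to}")
    return msg.payload


_nonce_ctr = count(1)


def fresh_nonce(owner):
    """Constructed nonce labels; distinct per call, which is all the symbolic model needs."""
    return f"N{owner}{next(_nonce_ctr)}"


# Initiator role (A)
def init_1(a, peer):
    na = fresh_nonce(a)
    return na, enc(peer, na, a)                      # msg 1: {Na, A}_pk(peer)


def init_2(a, peer, na, msg2, fixed):
    payload = dec(a, msg2)
    if fixed:
        na_echo, nb, responder = payload              # Lowe's fix: msg 2 is {Na, Nb, B}_pk(A)
        if responder != peer:                         # A started this session with `peer`, not `responder`
            raise ValueError(f"{a} expected {peer}, message names {responder}")
    else:
        na_echo, nb = payload                         # original NSPK: msg 2 is {Na, Nb}_pk(A)
    if na_echo != na:
        raise ValueError("nonce Na not echoed")
    return nb, enc(peer, nb)                          # msg 3: {Nb}_pk(peer)


# Responder role (B)
def resp_1(b, msg1, fixed):
    na, claimed_initiator = dec(b, msg1)
    nb = fresh_nonce(b)
    body = (na, nb, b) if fixed else (na, nb)
    return (claimed_initiator, nb), enc(claimed_initiator, *body)


def resp_2(b, state, msg3):
    claimed_initiator, nb = state
    (nb_echo,) = dec(b, msg3)
    if nb_echo != nb:
        raise ValueError("nonce Nb not echoed")
    return claimed_initiator                          # B now believes Nb is shared only with this party


def honest_run(fixed):
    """A talks to B directly; both variants complete and agree on Nb."""
    na, m1 = init_1("A", "B")
    state, m2 = resp_1("B", m1, fixed)
    nb, m3 = init_2("A", "B", na, m2, fixed)
    return resp_2("B", state, m3) == "A" and state[1] == nb


def lowe_attack(fixed):
    """A opens a session with the intruder I; I relays A's nonces into a session with B as 'A'."""
    intruder_knows = set()
    na, m1 = init_1("A", "I")                         # A -> I      : {Na, A}_pk(I)
    intruder_knows.update(dec("I", m1))               # I learns Na
    state_b, m2 = resp_1("B", enc("B", na, "A"), fixed)  # I(A) -> B : {Na, A}_pk(B); B -> I(A): {Na, Nb[, B]}_pk(A)
    try:
        nb, m3 = init_2("A", "I", na, m2, fixed)      # I -> A      : forwards m2 unchanged (I cannot open it)
    except ValueError:
        return {"b_accepts_A": False, "intruder_knows_nb": False}  # fixed variant: A sees 'B', not 'I'
    intruder_knows.update(dec("I", m3))               # A -> I      : {Nb}_pk(I); I learns Nb
    accepted_peer = resp_2("B", state_b, enc("B", nb))  # I(A) -> B : {Nb}_pk(B)
    return {"b_accepts_A": accepted_peer == "A",
            "intruder_knows_nb": state_b[1] in intruder_knows}


if __name__ == "__main__":
    print("honest NSPK:", honest_run(False), "honest fixed:", honest_run(True))
    print("Lowe attack on NSPK:", lowe_attack(False))
    print("Lowe attack on fixed protocol:", lowe_attack(True))
```

In the unfixed run B finishes believing that Nb is shared only with A while the intruder holds it, which is exactly the situation the abstract describes: Nb is fresh for B, but B has no basis to treat it as a trusted freshness identifier for a session with A, since nothing in the messages binds it to B's own identity. With Lowe's fix A rejects message 2 because it names B rather than the party A is actually talking to, and the relay stops at that step.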
