A lesson on authentication protocol design

The purpose of this note is to describe a useful lesson we learned on authentication protocol design. In a recent article [9], we presented a simple authentication protocol to illustrate the concept of a trusted server. The protocol has a flaw, which was brought to our attention by Mart~n Abadi of DEC. In what follows, we first describe the protocol and its flaw, and how the flaw-was introduced in the process of deriving the protocol from its correct full information version. We then introduce a principle, called the Principle of Full Information, and explain how its use could have prevented the protocol flaw. We believe the Principle of Full Information is a useful authentication protocol design principle, and advocate its use. Lastly, we present several heuristics for simplifying full information protocols and illustrate their application to a mutual authentication protocol.

[1]  Martín Abadi,et al.  A logic of authentication , 1989, Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences.

[2]  Martín Abadi,et al.  Prudent Engineering Practice for Cryptographic Protocols , 1994, IEEE Trans. Software Eng..

[3]  Paul F. Syverson On key distribution protocols for repeated authentication , 1993, OPSR.

[4]  Thomas Y. C. Woo,et al.  Authentication for distributed systems , 1997, Computer.

[5]  Simon S. Lam,et al.  Verifying authentication protocols: methodology and example , 1993, 1993 International Conference on Network Protocols.

[6]  Leslie Lamport,et al.  Reaching Agreement in the Presence of Faults , 1980, JACM.

[7]  Moti Yung,et al.  Systematic Design of a Family of Attack-Resistant Authentication Protocols , 1993, IEEE J. Sel. Areas Commun..

[8]  Simon S. Lam,et al.  A semantic model for authentication protocols , 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[9]  E. Snekkenes Roles in cryptographic protocols , 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[10]  T.Y.C. Woo,et al.  'Authentication' revisited (correction and addendum to 'Authentication' for distributed systems, Jan. 92, 39-52) , 1992 .

[11]  N. S. Barnett,et al.  Private communication , 1969 .