Retaliation against protocol attacks

Security protocols intend to give their parties reasonable assurance that certain security properties will protect their commu- nication session. However, the literature confirms that the protocols may suffer subtle and hidden attacks. Flawed protocols are custom- arily sent back to the design process, but the costs of reengineer- ing a deployed protocol may be prohibitive. This paper outlines the concept of retaliation: who would steal a sum of money today, should this pose significant risks of having twice as much stolen back tomorrow? When ethics is left behind, attacks are always bal- anced decisions: if an attack can be retaliated, the economics of security may convince the attacker to refrain from attacking, and us to live with a flawed protocol. This new perspective requires a new threat model where any party may decide to subvert the pro- tocol for his own sake, depending on the risks of retaliation. This threat model, which for example is also suitable to studying non- repudiation protocols, seems more appropriate than the Dolev-Yao model to the present technological/social setting. It is demonstrated that machine-assisted protocol verification can can effectively be adapted to the new threat model.

[1]  Stefano Bistarelli,et al.  Soft Constraint Programming to Analysing Security Protocols , 2004, Theory Pract. Log. Program..

[2]  Stefano Bistarelli,et al.  Retaliation: Can We Live with Flaws? , 2005 .

[3]  Ronald Fagin,et al.  Reasoning about knowledge , 1995 .

[4]  Lawrence C. Paulson,et al.  The Inductive Approach to Verifying Cryptographic Protocols , 2021, J. Comput. Secur..

[5]  Stefano Bistarelli,et al.  A Protocol's Life After Attacks , 2003, Security Protocols Workshop.

[6]  Colin Boyd,et al.  Protocols for Authentication and Key Establishment , 2003, Information Security and Cryptography.

[7]  Giampaolo Bella,et al.  Formal Correctness of Security Protocols (Information Security and Cryptography) , 2007 .

[8]  Colin Boyd,et al.  Protocols for Key Establishment and Authentication , 2003 .

[9]  Roberto Gorrieri,et al.  The Compositional Security Checker: A Tool for the Verification of Information Flow Security Properties , 1997, IEEE Trans. Software Eng..

[10]  Mihir Bellare,et al.  Provably secure session key distribution: the three party case , 1995, STOC '95.

[11]  Fabio Massacci,et al.  Verifying security protocols as planning in logic programming , 2001, ACM Trans. Comput. Log..

[12]  Gavin Lowe,et al.  An Attack on the Needham-Schroeder Public-Key Authentication Protocol , 1995, Inf. Process. Lett..

[13]  Jonathan K. Millen,et al.  Three systems for cryptographic protocol analysis , 1994, Journal of Cryptology.

[14]  Lawrence Charles Paulson,et al.  Isabelle/HOL: A Proof Assistant for Higher-Order Logic , 2002 .

[15]  Giampaolo Bella,et al.  Formal Correctness of Security Protocols , 2007 .

[16]  Joshua D. Guttman,et al.  Honest ideals on strand spaces , 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).

[17]  Birgit Pfitzmann,et al.  A Composable Cryptographic Library with Nested Operations (Extended Abstract) , 2003 .

[18]  John C. Mitchell,et al.  Automated analysis of cryptographic protocols using Mur/spl phi/ , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[19]  Steve A. Schneider Security properties and CSP , 1996, Proceedings 1996 IEEE Symposium on Security and Privacy.

[20]  Roger M. Needham,et al.  Using encryption for authentication in large networks of computers , 1978, CACM.

[21]  John Ulrich,et al.  Automated Analysis of Cryptographic Protocols Using Mur ' , 1997 .

[22]  Somesh Jha,et al.  Verifying security protocols with Brutus , 2000, TSEM.

[23]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).