On key distribution protocols for repeated authentication

In [KSL92], Kehne et al. present a protocol (KSL) for key distribution. Their protocol allows for repeated authentication by means of a ticket. They also give a proof in BAN logic [BAN89] that the protocol provides the principals with a reasonable degree of trust in the authentication and key distribution. They present an optimality result that their protocol contains a minimal number of messages. Nonetheless, in [NS93] Neuman and Stubblebine present a protocol (NS) as an explicit alternative to KSL that requires one less message in the initial authentication and key distribution. One goal of this paper is to examine some of the reasons for this discrepancy. Another goal is to demonstrate possible attacks on NS. Like any attacks on cryptographic protocols, these depend on assumptions about implementation details. But, when possible, they are serious: a penetrator can initiate the protocol, masquerade as another principal, obtain the session key, and even generate the session key herself. We will set out implementation assumptions required for the attacks to take place and implementation assumptions that preclude such an attack. We will also look at other protocols, including one that is not subject to this form of attack and has the same number of messages as NS. Finally, we will briefly discuss the logical analysis of these repeat authentication protocols.

[1]  Martín Abadi, et al. A semantics for a logic of authentication (extended abstract), 1991, PODC '91.

[2]  Li Gong, et al. Reasoning about belief in cryptographic protocols, 1990, Proceedings. 1990 IEEE Computer Society Symposium on Research in Security and Privacy.

[3]  Roger M. Needham, et al. Using encryption for authentication in large networks of computers, 1978, CACM.

[4]  Martín Abadi, et al. A logic of authentication, 1990, TOCS.

[5]  Pierre Bieber, et al. A logic of communication in hostile environment, 1990, [1990] Proceedings. The Computer Security Foundations Workshop III.

[6]  Einar Snekkenes. Exploring the BAN approach to protocol analysis, 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[7]  Ulf Carlsen. Using Logics to Detect Implementation-Dependent Flaws, 1993.

[8]  Li Gong, et al. Logics for cryptographic protocols-virtues and limitations, 1991, Proceedings Computer Security Foundations Workshop IV.

[9]  Ulf Carlsen. Using logics to detect implementation-dependent flaws [cryptographic protocol design], 1993, Proceedings of 9th Annual Computer Security Applications Conference.

[10]  Raphael Yahalom. Optimality of Asynchronous Two-Party Secure Data-Exchange Protocols, 1993, J. Comput. Secur.

[11]  Catherine A. Meadows, et al. A logical language for specifying cryptographic protocol requirements, 1993, Proceedings 1993 IEEE Computer Society Symposium on Research in Security and Privacy.

[12]  Jürgen Schönwälder, et al. A nonce-based protocol for multiple authentications, 1992, OPSR.

[13]  E. Snekkenes. Roles in cryptographic protocols, 1992, Proceedings 1992 IEEE Computer Society Symposium on Research in Security and Privacy.

[14]  B. Clifford Neuman, et al. A note on the use of timestamps as nonces, 1993, OPSR.

[15]  Paul F. Syverson. Adding time to a logic of authentication, 1993, CCS '93.

[16]  Michael D. Schroeder, et al. Using encryption for authentication in large networks of computers, 1978.

[17]  Paul C. van Oorschot, et al. Authentication and authenticated key exchanges, 1992, Des. Codes Cryptogr.

[18]  Dan M. Nessett, et al. A critique of the Burrows, Abadi and Needham logic, 1990, OPSR.

[19]  Paul F. Syverson. The use of logic in the analysis of cryptographic protocols, 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[20]  Paul F. Syverson, et al. Knowledge, Belief, and Semantics in the Analysis of Cryptographic Protocols, 1992, J. Comput. Secur.

[21]  Moti Yung, et al. Systematic Design of Two-Party Authentication Protocols, 1991, CRYPTO.

[22]  Martín Abadi, et al. Rejoinder to Nessett, 1990, OPSR.

[23]  Pierre Bieber. Aspects epistemiques des protocoles cryptographiques, 1989.

[24]  Mark R. Tuttle, et al. A Semantics for a Logic of Authentication, 1991, PODC 1991.