Justifying Finite Resources for Adversaries in Automated Analysis of Authentication Protocols

Authentication protocols (including protocols that provide key establishment) are designed to work correctly in the presence of an adversary that can (1) perform an unbounded number of encryptions (and other operations) while fabricating messages, and (2) prompt honest principals to engage in an unbounded number of concurrent runs of the protocol. The amount of local state maintained by a single run of an authentication protocol is bounded. Intuitively, this suggests that there is a bound on the resources needed to attack the protocol. Such bounds clarify the nature of attacks on these protocols. They also provide a rigorous basis for automated verification of authentication protocols, since a verifier that explores only a bounded adversary is complete only if such a bound is known to exist. However, few such bounds are known. This paper defines a language for authentication protocols and establishes two bounds on the resources needed to attack protocols expressible in that language: an upper bound on the worst-case number of encryptions by the adversary, and an exponential lower bound on the worst-case number of concurrent runs of the protocol. The upper bound on encryptions is relative to an upper bound on the number of runs; ongoing work on proving such a bound is briefly described.
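The following is an added illustration, not code or notation from the paper, of what "resources needed to attack" means for a Dolev-Yao adversary once the number of runs is fixed. It is a small intruder model that (a) saturates the intruder's knowledge under decomposition (splitting pairs, decrypting with held keys), and (b) computes the minimum number of encryptions the intruder must perform to forge a given message; synthesis only composes subterms of the target, so the search is finite. It is exercised on Lowe's well-known man-in-the-middle attack on the Needham-Schroeder public-key protocol, fixed to one run of A and one run of B. The term encoding, the agent names `A`, `B`, `I`, and the intruder's initial knowledge are assumptions made for the example.

```python
# Added example: a tiny Dolev-Yao intruder that counts how many encryptions it
# must perform to forge each message in Lowe's attack on Needham-Schroeder
# public key. The term encoding and initial knowledge are assumptions of this
# example, not the paper's protocol language.
from functools import lru_cache

# Terms: ('atom', n) | ('pk', agent) | ('sk', agent) | ('pair', a, b) | ('enc', key, body)
def atom(n):
    return ('atom', n)

def pk(agent):
    return ('pk', agent)

def sk(agent):
    return ('sk', agent)

def pair(*ts):
    # Right-nested pairing: pair(a, b, c) == ('pair', a, ('pair', b, c)).
    return ts[0] if len(ts) == 1 else ('pair', ts[0], pair(*ts[1:]))

def enc(key, body):
    return ('enc', key, body)

def inverse(key):
    """Key needed to open a ciphertext produced under `key`."""
    if key[0] == 'pk':
        return ('sk', key[1])
    if key[0] == 'sk':
        return ('pk', key[1])
    return key  # symmetric key: opens itself

def analyze(knowledge):
    """Decomposition closure of the intruder's knowledge.
    Finite by construction: every term added is a subterm of a known term."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            derived = []
            if t[0] == 'pair':
                derived = [t[1], t[2]]
            elif t[0] == 'enc' and inverse(t[1]) in known:
                derived = [t[2]]
            for d in derived:
                if d not in known:
                    known.add(d)
                    changed = True
    return frozenset(known)

def min_encryptions(knowledge, target):
    """Minimum number of encryption operations needed to build `target` from
    `knowledge`, or None if the intruder cannot derive it at all.
    Synthesis recurses only into subterms of `target`, so the search is finite."""
    known = analyze(knowledge)

    @lru_cache(maxsize=None)
    def cost(t):
        if t in known:
            return 0
        if t[0] == 'pair':
            a, b = cost(t[1]), cost(t[2])
            return None if a is None or b is None else a + b
        if t[0] == 'enc':
            k, m = cost(t[1]), cost(t[2])
            return None if k is None or m is None else k + m + 1
        return None  # atoms and keys cannot be synthesised, only learned

    return cost(target)

A, B, I = 'A', 'B', 'I'
Na, Nb = atom('Na'), atom('Nb')

def lowe_attack_trace():
    """Lowe's attack on NSPK: one run of A (talking to I) interleaved with one
    run of B (believing it talks to A). Returns the per-message encryption cost
    for every message the intruder has to send, and the total."""
    # Assumed initial knowledge: all public keys, its own private key, agent names.
    knowledge = {pk(A), pk(B), pk(I), sk(I), atom(A), atom(B), atom(I)}
    steps = [
        ("observe", enc(pk(I), pair(Na, atom(A)))),  # 1. A -> I    : {Na, A}_pk(I)
        ("send",    enc(pk(B), pair(Na, atom(A)))),  # 2. I(A) -> B : {Na, A}_pk(B)
        ("observe", enc(pk(A), pair(Na, Nb))),       # 3. B -> I(A) : {Na, Nb}_pk(A)
        ("send",    enc(pk(A), pair(Na, Nb))),       # 4. I -> A    : {Na, Nb}_pk(A)  (replay)
        ("observe", enc(pk(I), Nb)),                 # 5. A -> I    : {Nb}_pk(I)
        ("send",    enc(pk(B), Nb)),                 # 6. I(A) -> B : {Nb}_pk(B)
    ]
    costs = []
    for kind, msg in steps:
        if kind == "observe":
            knowledge.add(msg)
            continue
        c = min_encryptions(knowledge, msg)
        if c is None:
            raise ValueError(f"intruder cannot forge {msg}")
        costs.append(c)
        knowledge.add(msg)  # the intruder also knows what it just sent
    return costs, sum(costs)

if __name__ == "__main__":
    print(lowe_attack_trace())  # -> ([1, 0, 1], 2)
```

The attack needs exactly two encryptions across two interleaved runs: message 4 is a pure replay, and the intruder's only fresh work is re-encrypting material it decrypted with `sk(I)`. Removing the intruder's ability to open message 1 makes message 2 underivable, which is the sort of finite check a model checker can perform once both the number of runs and the number of encryptions are bounded.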
