Statically detecting message confusions in a multi-protocol setting

In a multi-protocol setting, different protocols are concurrently executed, and each principal can participate in more than one. The possibilities of attacks therefore increase, often due to the presence of similar patterns in messages. Messages coming from one protocol can be confused with similar messages coming from another protocol. As a consequence, data of one type may be interpreted as data of another, and it is also possible that the type is the expected one, but the message is addressed to another protocol. In this paper, we shall present an extension of the LySa calculus [7, 4] that decorates encryption with tags including the protocol identifier, the protocol step identifier and the intended types of the encrypted terms. The additional information allows us to find the messages that can be confused and therefore to have hints to reconstruct the attack. We extend accordingly the standard static Control Flow Analysis for LySa, which over-approximates all the possible behaviour of the studied protocols, included the possible message confusions that may occur at run-time. Our analysis has been implemented and successfully applied to small sets of protocols. In particular, we discovered an undocumented family of attacks, that may arise when Bauer-Berson-Feiertag and the Woo-Lam authentication protocols are running in parallel. The implementation complexity of the analysis is low polynomial

Preventing type flaw attacks on security protocols with a simplified tagging scheme

abstract. A type flaw attack on a security protocol is an attack where a field in a message that was originally intended to have one type is subsequently interpreted as having another type. Heather et al. proves that type flaw attacks can be prevented with the technique of tagging each field with the information that indicates its intended type. We simplify Heather et al.’s tagging scheme by combining all the tags inside each encrypted component into a single tag and by omitting the tags on the outmost level. The simplification reduces the sizes of messages in the security protocol. We also formally prove our simplified tagging scheme is as secure as Heather et al.’s with the strand space method. Note that Heather et al.’s tagging scheme and our simplified tagging are applicable to, not just one protocol, but a variety of security protocols

Keeping Fairness Alive : Design and formal verification of optimistic fair exchange protocols

Fokkink, W.J. [Promotor]Pol, J.C. van de [Promotor

Synthesising end-to-end security schemes through endorsement intermediaries

Composing secure interaction protocols dynamically for e-commerce continue to pose a number of challenges, such as lack of standard notations for expressing requirements and the difficulty involved in enforcing them. Furthermore, interaction with unknown entities may require finding common trusted intermediaries. Securing messages sent through such intermediaries require schemes that provide end-to-end security guarantees. In the past, e-commerce protocols such as SET were created to provide such end-to-end guarantees. However, such complex hand crafted protocols proved difficult to model check. This thesis addresses the end-to-end problems in an open dynamic setting where trust relationships evolve, and requirements of interacting entities change over time. Before interaction protocols can be synthesised, a number of research questions must be addressed. Firstly, to meet end-to-end security requirements, the security level along the message path must be made to reflect the requirements. Secondly, the type of endorsement intermediaries must reflect the message category. Thirdly, intermediaries must be made liable for their endorsements. This thesis proposes a number of solutions to address the research problems. End-to-end security requirements were arrived by aggregating security requirements of all interacting parties. These requirements were enforced by interleaving and composing basic schemes derived from challenge-response mechanisms. The institutional trust promoting mechanism devised allowed all vital data to be endorsed by authorised category specific intermediaries. Intermediaries were made accountable for their endorsements by being required to discharge or transfer proof obligations placed on them. The techniques devised for aggregating and enforcing security requirements allow dynamic creation of end-to-end security schemes. The novel interleaving technique devised allows creation of provably secure multiparty schemes for any number of recipients. The structured technique combining compositional approach with appropriate invariants and preconditions makes model checking of synthesised schemes unnecessary. The proposed framework combining endorsement trust with schemes making intermediaries accountable provides a way to alleviate distrust between previously unknown e-commerce entities