    Prudent engineering practice for cryptographic protocols

    A Method for Patching Interleaving-Replay Attacks in Faulty Security Protocols

    The verification of security protocols has attracted a lot of interest in the formal methods community, yielding two main verification approaches: i) state exploration, e.g. FDR [Gavin Lowe. Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In TACAS'96: Proceedings of the Second International Workshop on Tools and Algorithms for Construction and Analysis of Systems, pages 147–166, London, UK, 1996. Springer-Verlag] and OFMC [D.A. Basin, S. Mödersheim, and L. Viganò. An on-the-fly model-checker for security protocol analysis. In D. Gollmann and E. Snekkenes, editors, ESORICS'03: 8th European Symposium on Research in Computer Security, number 2808 in Lecture Notes in Computer Science, pages 253–270, Gjøvik, Norway, 2003. Springer-Verlag]; and ii) theorem proving, e.g. the Isabelle inductive method [Lawrence C. Paulson. The inductive approach to verifying cryptographic protocols. Journal of Computer Security, 6(1-2):85–128, 1998] and Coral [G. Steel, A. Bundy, and M. Maidl. Attacking the Asokan-Ginzboorg protocol for key distribution in an ad-hoc Bluetooth network using Coral. In H. König, M. Heiner, and A. Wolisz, editors, IFIP TC6/WG 6.1: Proceedings of the 23rd IFIP International Conference on Formal Techniques for Networked and Distributed Systems, volume 2767, pages 1–10, Berlin, Germany, 2003. FORTE 2003 (work in progress papers)]. Complementing formal methods, Abadi and Needham's principles aim to guide the design of security protocols in order to make them simple and, hopefully, correct [M. Abadi and R. Needham. Prudent engineering practice for cryptographic protocols. IEEE Transactions on Software Engineering, 22(1):6–15, 1996]. We are interested in a problem related to verification but far less explored: the correction of faulty security protocols. Experience has shown that the analysis of counterexamples or failed proof attempts often holds the key both to the completion of proofs and to the correction of a faulty model.
In this paper, we introduce a method for patching faulty security protocols that are susceptible to an interleaving-replay attack. Our method makes use of Abadi and Needham's principles for the prudent engineering practice for cryptographic protocols in order to guide both the location of the fault in a protocol and the proposition of candidate patches. We have run a test of our method with encouraging results. The test set includes 21 faulty security protocols borrowed from the Clark-Jacob library [J. Clark and J. Jacob. A survey of authentication protocol literature: Version 1.0. Technical report, Department of Computer Science, University of York, November 1997. A complete specification of the Clark-Jacob library in CAPSL is available at http://www.cs.sri.com/millen/capsl/].

    Detecting Key-Dependencies

    The confidentiality of encrypted data depends on how well the key under which it was encrypted is protected. If a session key was exchanged encrypted under a long-term key, exposure of the long-term key may reveal the session key and hence the data encrypted with it. The problem of dependencies between keys can be mapped onto the connectivity of a graph, and the resulting graph can be inspected. This article presents a structured method (an algorithm) with which key-dependencies can be detected and analysed. Several well-known protocols are examined, and it is shown that they are vulnerable to certain attacks exploiting key-dependencies. Protocols which are free from this defect do exist; that is, when a session is terminated it is properly closed.

    A Machine-Checked Formalization of the Generic Model and the Random Oracle Model

    Most approaches to the formal analysis of cryptographic protocols make the perfect cryptography assumption, i.e. the hypothesis that there is no way to obtain knowledge about the plaintext pertaining to a ciphertext without knowing the key. Ideally, one would prefer to rely on a weaker hypothesis on the computational cost of gaining information about the plaintext pertaining to a ciphertext without knowing the key. Such a view is permitted by the Generic Model and the Random Oracle Model, which provide non-standard computational models in which one may reason about the computational cost of breaking a cryptographic scheme. Using the proof assistant Coq, we provide a machine-checked account of the Generic Model and the Random Oracle Model.

    The Meeting Businessmen Problem: Requirements and Limitations

    Let us assume that some businessmen wish to have a meeting. For this to happen, they usually have to meet somewhere. If they cannot meet physically, then they can take part in a video (or audio) conference to discuss whatever needs to be discussed. But what if their meeting is meant to be private? In this case they need a cryptographic protocol that allows them to exchange their ideas remotely, while keeping them secure from any potential eavesdropper. In this paper we list all the necessary requirements that a cryptographic protocol must have in order to allow several businessmen to exchange their ideas securely over the Internet. Moreover, based on the standard taxonomy of cryptographic protocols, we suggest several approaches to designing cryptographic protocols that enable us to achieve our aim. Finally, we propose the design of a protocol that solves the meeting businessmen problem.

    Protocols for The Meeting Businessmen Problem

    Assume that some businessmen wish to have a meeting. For this to occur, they usually have to meet somewhere. If they cannot meet physically, then they can take part in a video (or audio) conference to discuss whatever needs to be discussed. But what if their meeting is meant to be private? In this case they need a cryptographic protocol that allows them to exchange their ideas remotely, while keeping them secure from any potential eavesdropper. In this paper we list all the necessary requirements that a cryptographic protocol must have in order to allow several businessmen to exchange their ideas securely over the Internet. Moreover, based on the standard taxonomy of cryptographic protocols, we suggest several approaches to designing cryptographic protocols that enable us to achieve our aim. Finally, we propose the design of a protocol that solves the meeting businessmen problem.

    Seeing the full picture: the case for extending security ceremony analysis

    The concept of the security ceremony was introduced a few years ago to complement the concept of the security protocol with everything about the context in which a protocol is run. In particular, that context involves the human executors of a protocol. When human actors are included, human protocols become the focus, hence the concept of the security ceremony can be seen as part of the domain of socio-technical studies. This paper addresses the problem of ceremony analysis lacking the full view of human protocols. It categorises existing security ceremony analysis work and illustrates how the ceremony picture could be extended to support a more comprehensive analysis. The paper explores recent weaknesses found in Amazon's web interface to illustrate different approaches to the analysis of the full ceremony picture.

    Securing Data Transfers: An Integrity Algorithm for Error Recovery Triangulation

    Transferring data is one of the key operations performed by millions of users every day. Users do this by issuing direct commands, such as file transfer commands, or indirectly as a feature invoked by numerous end-user applications. The most important security characteristic of a successful data exchange is the integrity of that data: the receiving user wants to acquire data that has not been modified through malicious acts, or through simple human or machine error. Applications that rely on the Transfer Control Protocol (TCP) as the main mechanism to provide end-to-end reliability, including error and sequence control, do not check the integrity of the file being transmitted prior to the transfer. In this paper, we present an overview of current data transfer mechanisms and their security provisions, propose an internal integrity mechanism that provides a triangulation means of error control through the use of one-way hash functions computed over the original file being transferred, and discuss the implications and limitations that such a mechanism imparts on data transfer mechanisms.

    Security of RFID Protocols - A Case Study

    In the context of Dolev-Yao style analysis of security protocols, we investigate the security claims of a recently proposed RFID authentication protocol. We exhibit a flaw which has gone unnoticed in the RFID protocol literature and present the resulting attacks on authentication, untraceability, and desynchronization resistance. We analyze and discuss the authors' proofs of security. References to other vulnerable protocols are given.

    Information Processing Letters: An attack on the Needham-Schroeder public-key authentication protocol

    In this paper we present an attack upon the Needham-Schroeder public-key authentication protocol. The attack allows an intruder to impersonate another agent.