Book Chapter

Analysis of Abuse-Free Contract Signing

20 Feb 2000-pp 174-191
TL;DR: This work analyzes the abuse-free optimistic contract signing protocol of Garay, Jakobsson, and MacKenzie and discovers an attack in which negligence or corruption of the trusted third party may allow abuse or unfairness.
Abstract: Optimistic contract signing protocols may involve subprotocols that allow a contract to be signed normally or aborted or resolved by a third party. Since there are many ways these subprotocols might interact, protocol analysis involves consideration of a number of complicated cases. With the help of Murφ, a finite-state verification tool, we analyze the abuse-free optimistic contract signing protocol of Garay, Jakobsson, and MacKenzie. In addition to verifying a number of subtle properties, we discover an attack in which negligence or corruption of the trusted third party may allow abuse or unfairness. Contrary to the intent of the protocol, the cheated party is not able to hold the third party accountable. In addition to analyzing a modification to the protocol that avoids these problems, we discuss issues involved in the application of finite-state analysis to fair exchange protocols, in particular models of fairness guarantees, abuse, and corrupt protocol participants.
Citations
Journal Article
TL;DR: This paper clearly defines the properties a fair non-repudiation protocol must respect, and gives a survey of the most important non-repudiation protocols without and with trusted third party (TTP).

293 citations


Cites methods from "Analysis of Abuse-Free Contract Sig..."

  • ...More extensive studies of fair exchange protocols using formal methods have been presented by Shmatikov and Mitchell in [46]....


Proceedings Article
20 Aug 2000
TL;DR: This work introduces and constructs timed commitment schemes, an extension to the standard notion of commitments in which a potential forced opening phase permits the receiver to recover (with effort) the committed value without the help of the committer.
Abstract: We introduce and construct timed commitment schemes, an extension to the standard notion of commitments in which a potential forced opening phase permits the receiver to recover (with effort) the committed value without the help of the committer. An important application of our timed-commitment scheme is contract signing: two mutually suspicious parties wish to exchange signatures on a contract. We show a two-party protocol that allows them to exchange RSA or Rabin signatures. The protocol is strongly fair: if one party quits the protocol early, then the two parties must invest comparable amounts of time to retrieve the signatures. This statement holds even if one party has many more machines than the other. Other applications, including honesty preserving auctions and collective coin-flipping, are discussed.

282 citations


Cites background from "Analysis of Abuse-Free Contract Sig..."

  • ...This type of unfairness is referred to as “abusing” [26, 37]....


Proceedings Article
16 Jun 2001
TL;DR: Recently, the efficiency of the predicate abstraction scheme presented by Das, Dill and Park (1999) has been improved, and the number of validity checks needed to prove the necessary verification condition has been reduced.
Abstract: Recently, we have improved the efficiency of the predicate abstraction scheme presented by Das, Dill and Park (1999). As a result, the number of validity checks needed to prove the necessary verification condition has been reduced. The key idea is to refine an approximate abstract transition relation based on the counter-example generated. The system starts with an approximate abstract transition relation on which the verification condition (in our case, this is a safety property) is model-checked. If the property holds then the proof is done; otherwise the model checker returns an abstract counter-example trace. This trace is used to refine the abstract transition relation if possible and start anew. At the end of the process, the system either proves the verification condition or comes up with an abstract counter-example trace which holds in the most accurate abstract transition relation possible (with the user-provided predicates as a basis). If the verification condition fails in the abstract system, then either the concrete system does not satisfy it or the abstraction predicates chosen are not strong enough. This algorithm has been used on a concurrent garbage collection algorithm and a secure contract-signing protocol. This method improved the performance on the first problem significantly, and allowed us to tackle the second problem, which the previous method could not handle.

120 citations

Journal Article
TL;DR: Modifications to the protocols that avoid these problems are presented and analyzed, and the basic challenges involved in formal analysis of fair exchange protocols are discussed.

112 citations

Book Chapter
20 Aug 2001
TL;DR: A verification method based on the idea that non-repudiation protocols are best modeled as games is proposed, which uses alternating transition systems and alternating temporal logic, a game based logic, to express requirements that the protocols must ensure.
Abstract: In this paper, we report on a recent work for the verification of non-repudiation protocols. We propose a verification method based on the idea that non-repudiation protocols are best modeled as games. To formalize this idea, we use alternating transition systems, a game based model, to model protocols and alternating temporal logic, a game based logic, to express requirements that the protocols must ensure. This method is automated by using the model-checker MOCHA, a model-checker that supports the alternating transition systems and the alternating temporal logic. Several optimistic protocols are analyzed using MOCHA.

92 citations

References
Gavin Lowe
01 Jan 1996
TL;DR: This paper uses FDR, a refinement checker for CSP to discover an attack upon the Needham-Schroeder Public-Key Protocol, which allows an intruder to impersonate another agent, and adapt the protocol, and uses FDR to show that the new protocol is secure, at least for a small system.
Abstract: In this paper we analyse the well known Needham-Schroeder Public-Key Protocol using FDR, a refinement checker for CSP. We use FDR to discover an attack upon the protocol, which allows an intruder to impersonate another agent. We adapt the protocol, and then use FDR to show that the new protocol is secure, at least for a small system. Finally we prove a result which tells us that if this small system is secure, then so is a system of arbitrary size.

1,340 citations

Patent
Daniel R. Simon
29 Aug 1996
TL;DR: An electronic cash protocol including the steps of using a one-way function f1 to generate an image f1(x1) from a preimage x1 and receiving from the second party a note including a digital signature.
Abstract: An electronic cash protocol for transactions that are typically between a customer (10), a vendor (20), and a bank (30) including the steps of using a one-way function f1(x) to generate an image f1(x1) from a preimage x1; sending the image f1(x1) in an unblinded form to a second party; and receiving from the second party a note including a digital signature, wherein the note represents a commitment by the second party to credit a predetermined amount of money to a first presenter of the preimage x1 to the second party.

1,202 citations

Book Chapter
01 Feb 1990
TL;DR: The use of credit cards today is an act of faith on the part of all concerned as discussed by the authors, and each party is vulnerable to fraud by the others, and the cardholder in particular has no protection against surveillance.
Abstract: The use of credit cards today is an act of faith on the part of all concerned. Each party is vulnerable to fraud by the others, and the cardholder in particular has no protection against surveillance.

1,031 citations

Journal Article
TL;DR: Informal arguments that cryptographic protocols are secure can be made rigorous using inductive definitions, which are based on ordinary predicate calculus and copes with infinite-state systems.
Abstract: Informal arguments that cryptographic protocols are secure can be made rigorous using inductive definitions. The approach is based on ordinary predicate calculus and copes with infinite-state systems. Proofs are generated using Isabelle/HOL. The human effort required to analyze a protocol can be as little as a week or two, yielding a proof script that takes a few minutes to run. Protocols are inductively defined as sets of traces. A trace is a list of communication events, perhaps comprising many interleaved protocol runs. Protocol descriptions incorporate attacks and accidental losses. The model spy knows some private keys and can forge messages using components decrypted from previous traffic. Three protocols are analyzed below: Otway-Rees (which uses shared-key encryption), Needham-Schroeder (which uses public-key encryption), and a recursive protocol (Bull and Otway, 1997) (which is of variable length). One can prove that event ev always precedes event ev' or that property P holds provided X remains secret. Properties can be proved from the viewpoint of the various principals: say, if A receives a final message from B then the session key it conveys is good.

997 citations

Book Chapter
Gavin Lowe
27 Mar 1996
TL;DR: In this article, the authors analyse the Needham-Schroeder Public-Key Protocol using FDR, a refinement checker for CSP, and discover an attack upon the protocol, which allows an intruder to impersonate another agent.
Abstract: In this paper we analyse the well known Needham-Schroeder Public-Key Protocol using FDR, a refinement checker for CSP. We use FDR to discover an attack upon the protocol, which allows an intruder to impersonate another agent. We adapt the protocol, and then use FDR to show that the new protocol is secure, at least for a small system. Finally we prove a result which tells us that if this small system is secure, then so is a system of arbitrary size.

610 citations