
Showing papers on "Otway–Rees protocol published in 1999"


01 Jan 1999
TL;DR: This document specifies Version 1.0 of the Transport Layer Security (TLS) protocol, which provides communications privacy over the Internet by allowing client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
Abstract: This document specifies Version 1.0 of the Transport Layer Security (TLS) protocol. The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.

1,956 citations


Journal ArticleDOI
TL;DR: The ad hoc network management protocol (ANMP) is fully compatible with simple management protocol, version 3 (SNMPv3) and uses the same protocol data units (PDUs) for data collection and implements sophisticated security mechanisms that can be fine-tuned to meet specific requirements.
Abstract: We present a protocol for managing mobile wireless ad hoc networks. The protocol uses hierarchical clustering of nodes to reduce the number of messages exchanged between the manager and the agents (mobiles). Clustering also enables the network to keep track of mobiles as they roam. The ad hoc network management protocol (ANMP) is fully compatible with simple management protocol, version 3 (SNMPv3) and uses the same protocol data units (PDUs) for data collection. The protocol also implements sophisticated security mechanisms that can be fine-tuned to meet specific requirements. Finally, we have implemented the protocol along with a graphical user interface that allows a manager to change the view or specify management parameters on the fly.

267 citations


Proceedings ArticleDOI
28 Jun 1999
TL;DR: This paper identifies a simple and easily verified characteristic of protocols, and shows that the Otway-Rees protocol remains correct even when used in combination with other protocols that have this characteristic.
Abstract: Strand space analysis is a method for stating and proving correctness properties for cryptographic protocols. In this paper we apply the same method to the related problem of mixed protocols, and show that a protocol can remain correct even when used in combination with a range of other protocols. We illustrate the method with the familiar Otway-Rees protocol. We identify a simple and easily verified characteristic of protocols, and show that the Otway-Rees protocol remains correct even when used in combination with other protocols that have this characteristic. We also illustrate this method on the Neuman-Stubblebine protocol. This protocol has two parts, an authentication protocol (I) in which a key distribution center creates and distributes a Kerberos-like key, and a reauthentication protocol (II) in which a client resubmits a ticket containing that key. The re-authentication protocol II is known to be flawed. We show that in the presence of protocol II, there are also attacks against protocol I. We then define a variant of protocol II, and prove an authentication property of I that holds even in combination with the modified II.

94 citations


Proceedings ArticleDOI
23 Jun 1999
TL;DR: The paper shows that despite the use of authenticated registration messages and replay protection, the current registration protocol differs from a possible replay attack and proposes a new secure authentication protocol that employs only minimal use of public key cryptography.
Abstract: The ubiquity of the Internet and explosive growth in wireless networking in recent years increasingly urge the demand to support mobility within the Internet, which is what Mobile IP aims to provide. This paper is concerned with the security aspect of the registration protocol in Mobile IP. The paper shows that despite the use of authenticated registration messages and replay protection, the current registration protocol differs from a possible replay attack. The paper also analyzes a proposed extension of Mobile IP that aims to provide public-key based authentication. It shows some drawbacks in the protocol design and then proposes a new secure authentication protocol that employs only minimal use of public key cryptography. Despite its practicality, the new protocol provides a scalable solution for authentication and non-repudiation, while sets only minimal computing and administration cost on the mobile node.

51 citations



Journal ArticleDOI
TL;DR: A mobile authentication protocol which only needs seven messages for inter-domain initial authentication regardless of the number of hops transited between the visited and home domains; four messages for subsequent authentication when the mobile user requests a different service provided by the visited domain.
Abstract: Many existing authentication protocols supporting inter-domain authentication on the Internet require their clients to communicate with every involved key distribution center (KDC) directly. This is inefficient and costly when the client side is a wireless mobile unit, for wireless transmission has relatively lower bandwidth, and a mobile unit is battery powered. In this paper, we present a mobile authentication protocol which only needs seven messages for inter-domain initial authentication regardless of the number of hops transited between the visited and home domains; four messages for subsequent authentication when the mobile user requests a different service provided by the visited domain; and two messages when the same service is requested again. With the enhanced version of BAN logic we propose, it is proved that our protocol can achieve more goals of authentication than those required by the original BAN logic.

34 citations


Proceedings ArticleDOI
01 Nov 1999
TL;DR: This work derives a design of group (multicast) protocols from two-party ones, which maintains the efficiency of the basic design and preserves provable security, and enables us to achieve efficient and secure protocols for a large variety of group tasks.
Abstract: The design of simple cryptographic protocols for elementary two-party (session oriented) tasks (such as entity authentication and key transport) has had a history (starting with [NS78]) where security has been quite evasive. Only recently we have seen protocol designs which are both provably secure and efficient. Currently, much attention of the designers of network systems and services is directed towards group operations, which will enable such important tasks as one-to-many distribution of content, group collaborative efforts, etc. over the Internet and Intranets [Be98]. Rather than designing each group oriented task from scratch, we move in this work towards a more methodological approach, which derives a design of group (multicast) protocols from two-party ones. The approach, which we call secure protocol expansion, maintains the efficiency of the basic design and at the same time preserves provable security. It enables us to achieve efficient and secure protocols for a large variety of group tasks. We consider basic group authentication and key transport protocols, as well as functional protocol extensions like multicast perfect forward secrecy, group access-control, group announcement and termination.

34 citations


Proceedings ArticleDOI
01 Sep 1999
TL;DR: It is argued that subtle paradigm shifts often occur during protocol analysis which affect the definition of a protocol attack, and by becoming aware of these paradigm shifts, one can be more aware of what a specific attack actually accomplishes.
Abstract: Authentication protocols are widely believed to be error prone because most analyses conclude with claims of discovering new attacks on the protocols. While proofs of security for authentication protocols are rightly viewed with circumspection, claims of attacks are rarely challenged. We propose a closer examination of how protocol attacks are defined in the light of different conclusions of four different analyses of the Needham-Schroeder protocols. We argue that subtle paradigm shifts often occur during protocol analysis which affect the definition of a protocol attack. By becoming aware of these paradigm shifts, we can be more aware of what a specific attack actually accomplishes.

16 citations


Proceedings ArticleDOI
01 May 1999
TL;DR: A Language for Authentication Protocols (LAP) is sketched, an exponential lower bound on the worst-case number of concurrent runs needed in a successful attack on a LAP protocol is established, and an exponential upper bound is established.
Abstract: Many authentication protocols are intended to work correctly in the presence of an adversary that can intercept messages, perform an unbounded number of encryptions and other operations while fabricating messages, and prompt honest principals to engage in an unbounded number of concurrent (i.e., interleaved) runs of the protocol. The amount of local state maintained by a single run of an authentication protocol is bounded. This suggests the existence of upper bounds on the resources needed to attack a protocol. Such bounds provide a rigorous basis for automated verification. We sketch a Language for Authentication Protocols (LAP), based on [WL93], and establish an exponential lower bound on the worst-case number of concurrent runs needed in a successful attack on a LAP protocol. Details appear in [Sto98a]. An exponential upper bound would be too large to enable automated verification. This shows the need to impose additional restrictions on the class of protocols, as done in [Sto98b], which gives a polynomial upper bound. The relevant kinds of statements (slightly simplified) in LAP are: NewValue(v), which generates a unique value (e.g., a nonce or session key) and binds variable v to it; Send(x, t), which sends a message t to x; and Receive(pat), which receives a message m and binds the unbound variables in pattern pat to the corresponding subterms of m. The Receive statement attempts pattern-matching between a candidate message m and the pattern. A pattern can express that the message should be a ciphertext produced with a given key. If m is encrypted with the given key (if any) and there exist bindings for the unbound variables of pat such that pat with those bindings equals m, then the Receive statement executes and establishes those bindings. The Receive statement blocks until this condition is satisfied. A local protocol is a finite sequence of statements satisfying some well-formedness requirements. A protocol is, roughly, a set of local protocols, one for each role (or participant) in the protocol. A secrecy requirement asserts that certain values are not revealed to the adversary.

10 citations


Journal ArticleDOI
TL;DR: The level of network authentication and security offered by a protocol proposed in [3] is considered and is found to be higher than that offered in [2].
Abstract: The level of network authentication and security offered by a protocol proposed in [3] is considered.

8 citations


Proceedings ArticleDOI
31 Oct 1999
TL;DR: A protocol for distributed routing that is designed specifically for mobile direct-sequence packet radio networks and expands on the features of a distance-vector protocol based on the least-resistance approach that works well with "soft" information about link quality.
Abstract: This paper describes a protocol for distributed routing that is designed specifically for mobile direct-sequence packet radio networks. The protocol expands on the features of a distance-vector protocol based on the least-resistance approach that works well with "soft" information about link quality. The innovations in the new protocol include rules that check routes for consistency and the use of timers to discard outdated routing information. The performance of this protocol has been studied using a network simulation that incorporates detailed models for the physical and channel-access layers. We compare the performance of this protocol with a protocol that does not use consistency checking and show that the new protocol performs better in networks with continually changing link conditions.

Book ChapterDOI
05 Oct 1999
TL;DR: This paper attempts a larger security protocol: a recently published protocol for secure group communication, and finds two flaws in the protocol, one of which has not been reported previously.
Abstract: With the explosive growth of the Internet and the distributed applications it supports, there is a pressing need for secure group communications — the ability of a group of agents to communicate securely with each other while allowing members to join or leave the group. Prompted by the success of other researchers in applying finite-state model-checking tools to the verification of small security protocols, we decided to attempt a larger security protocol: a recently published protocol for secure group communication. Not surprisingly, creating an ad hoc abstract model suitable for model-checking required cleverness, and state explosion was always a threat. Nevertheless, with minimal effort, the model checking tool discovered two flaws in the protocol, one of which has not been reported previously. We conclude our paper with a discussion of possible fixes to the protocol, as well as suggested verification tool improvements that would have simplified our task.

Proceedings ArticleDOI
S.H. Brackin
06 Dec 1999
TL;DR: The AAPA2 and its modeling of type, equality, and inequality tests performed by protocol participants are described and the Interface Specification Language, 2nd Version (ISL2), which expresses user assumptions about identifiably distinct plaintext types is defined.
Abstract: The Automatic Authentication Protocol Analyzer, 2nd Version (AAPA2) is a fast, completely automatic tool for formally analyzing cryptographic protocols. It correctly identifies vulnerabilities or their absence in 43 of 51 protocols studied in the literature, and it finds errors in previously asserted authentication properties of two large commercial protocols. The paper describes the AAPA2 and its modeling of type, equality, and inequality tests performed by protocol participants. This description includes defining the AAPA2's Interface Specification Language, 2nd Version (ISL2), which expresses user assumptions about identifiably distinct plaintext types.

Proceedings ArticleDOI
06 Jul 1999
TL;DR: Performance evaluation of a new hybrid encryption protocol for authentication and key distribution shows that the new protocol has a fast response that far exceeds the authenticated Diffie-Hellman protocol, and which can approach the response of the Kerberos protocol.
Abstract: Performance evaluation of a new hybrid encryption protocol for authentication and key distribution is considered. The new protocol uses a hybrid of public and symmetric key cryptography to distribute Diffie-Hellman components. Queueing analysis is undertaken to numerically compare the new protocol and two other protocols used for authentication and key distribution: the Kerberos protocol and the authenticated Diffie-Hellman protocol. The results show that the new protocol has a fast response that far exceeds the authenticated Diffie-Hellman, and which can approach the response of the Kerberos protocol. At the same time, the new protocol is more secure than the Kerberos protocol.


Journal ArticleDOI
TL;DR: An improvement of the GNY logic about its inability to detect the reflection attacks against some authentication protocols is proposed which takes into account the possible multiple instances (principals) of the same identity in the model.
Abstract: In this paper, the limitation of the GNY logic about its inability to detect the reflection attacks against some authentication protocols is given. An improvement is proposed which takes into account the possible multiple instances (principals) of the same identity in the model.

Proceedings ArticleDOI
12 Oct 1999
TL;DR: The purpose of this study is to design a symmetric inter and intra group communication protocol among many workstations with reliability, which supports multipoint-to-multipoint communication with efficiency and reliability.
Abstract: The purpose of this study is to design a symmetric inter and intra group communication protocol among many workstations with reliability. Our protocol supports multipoint-to-multipoint communication with efficiency and reliability. We assume the network size to be a campus-LAN, communicating tens to hundreds of nodes on that network. We design this protocol symmetrically. This means that no master server is assigned on the network. A group management mechanism for the multipoint-to-multipoint communication protocol is also proposed. A user joining the system can change the topology of the multipoint-to-multipoint communication network flexibly.

Proceedings ArticleDOI
S.H. Brackin
12 Oct 1999
TL;DR: The Automatic Authentication Protocol Analyzer, 2nd Version (AAPA2), in contrast, automatically correctly identifies 88% of the protocols in an independently selected collection of protocols as failed or not failed, on a modest computer, in an average of only 2.6 minutes per protocol.
Abstract: A cryptographic protocol is a short series of message exchanges, usually involving encryption, intended to establish secure communication over an insecure network. A protocol fails if an active wiretapper can obtain confidential information or impersonate a legitimate user, without performing cryptanalysis, by blocking, replaying, relabeling or otherwise modifying messages. Since the number of possible wiretapper-induced distortions of a protocol grows exponentially with the size of the protocol, most tools for detecting protocol failure require extended, expert user guidance. The Automatic Authentication Protocol Analyzer, 2nd Version (AAPA2), in contrast, automatically correctly identifies 88% of the protocols in an independently selected collection of protocols as failed or not failed, on a modest computer, in an average of only 2.6 minutes per protocol. This paper summarizes the AAPA2's results, sketches how it produces them and gives references providing more information.

Proceedings ArticleDOI
05 Dec 1999
TL;DR: In the case that an error occurs, the separated protocol layer has better performance than the combined protocol layer as the error rate increases, and combined processing that transmits two messages simultaneously is better than sequential processing because of the reduced retransmission count.
Abstract: In order to derive the suitable protocol architecture for IMT2000 systems, we evaluate the performance of signaling messages in the separated protocol layer and combined protocol layer recommended by W-CDMA and cdma2000, respectively. Also, we evaluate the performance of the combined processing and sequential processing methods in the case of handling registration and authentication messages. According to simulation results, in the case that an error occurs, the separated protocol layer has better performance than the combined protocol layer as the error rate increases. This is because the separated protocol layer retransmits only the errored frame, whereas the combined protocol layer retransmits two frames. Also, in registration and authentication message processing, combined processing that transmits two messages simultaneously is better than sequential processing because of the reduced retransmission count.

Book ChapterDOI
TL;DR: The proposed protocol generates a public modulus number, without the parties knowing the factorization of that number, which is similar to that of Boneh-Franklin's protocol when there are two communicating parties.
Abstract: This paper describes how n parties can jointly generate the parameters for the RSA encryption system while being robust to prevent attacks from cheaters and malicious parties. The proposed protocol generates a public modulus number, without the parties knowing the factorization of that number. Our proposed protocol is similar to that of Boneh-Franklin's protocol. However, when there are two communicating parties our proposed protocol does not need the help of a third party. By using our proposed protocol, we can detect the presence of malicious parties and cheaters among the authorized users. An analysis shows that our proposed protocol has less computational complexity than the protocol of Frankel-MacKenzie-Yung.

Proceedings ArticleDOI
28 Sep 1999
TL;DR: The protocol applies address space diversity to outgoing messages, and when combined with reasonable (but not necessarily strong) encryption techniques, offers fast, secure and authentic-able information exchange between communicating entities.
Abstract: This paper describes an authentication and security protocol called data spread for use on the Internet. The protocol applies address space diversity to outgoing messages, and when combined with reasonable (but not necessarily strong) encryption techniques, offers fast, secure and authentic-able information exchange between communicating entities.

Book ChapterDOI
20 Sep 1999
TL;DR: This article analyzes the security of authentication protocols in several mobile communication industry standards, such as DAMPS, GSM, and TETRA, and several proposals for future mobile communication systems.
Abstract: With the global deployment of portable communication systems and the ongoing developments in this area, one expects more and more sophisticated security features to be provided such as entity authentication, robust user identity confidentiality and non-repudiation services. Motivated by these new security requirements, this article analyzes the security of authentication protocols in several mobile communication industry standards, such as DAMPS, GSM, and TETRA, and several proposals for future mobile communication systems. A new authentication protocol is presented to provide the above security services using symmetric cryptographic techniques only. The security and complexity of the new protocol are analyzed and compared with the aforementioned protocols.