
Showing papers on "Otway–Rees protocol published in 2002"


Patent
18 Apr 2002
TL;DR: In this article, a method is provided to securely authenticate user credentials, which includes encrypting a user credential with a public key at an access device wherein the public key is part of a public/private key pair suitable for use with an encryption algorithm, and the decrypted user credential is then transmitted from the decryption server to an authentication server for verification.
Abstract: A method is provided to securely authenticate user credentials. The method includes encrypting a user credential with a public key at an access device wherein the public key is part of a public/private key pair suitable for use with an encryption algorithm (405). The encrypted network user credential is transmitted from the access device to a decryption server where it is decrypted with a private key, the private key being part of the public/private key pair suitable for use with the encryption algorithm. The decrypted user credential is then transmitted from the decryption server to an authentication server for verification (420). The decryption server typically forms part of a multi-party service access environment including a plurality of access providers, the method including decrypting the user credential of a user proximate an access provider associated with the user credential. The method can be used in legacy protocols such as Point-to-point protocol (PPP), Password Authentication Protocol (PAP), Challenge-Handshake Authentication Protocol (CHAP), Remote Authentication Dial In User Service (RADIUS) protocol, Terminal Access Controller Access Control System (TACACS) protocol, Lightweight Directory Access Protocol (LDAP), NT Domain authentication protocol, Unix password authentication protocol, HyperText Transfer Protocol (HTTP), HyperText Transfer Protocol over Secure sockets layer (HTTPS), Extended Authentication Protocol (EAP), Transport Layer Security (TLS) protocol, Token Ring protocol and/or Secure Remote Password protocol (SRP).

211 citations


Journal ArticleDOI
TL;DR: A deniable authentication protocol, which is based on the Diffie-Hellman key exchange protocol, is presented, and it does not require a trusted third party, and the protocol can resist person-in-the-middle attack.
Abstract: Deniable authentication is a new kind of authentication, by which means a receiver cannot prove the source of a message to a third party. A deniable authentication protocol, which is based on the Diffie-Hellman key exchange protocol, is presented. It does not require a trusted third party, and the protocol can resist person-in-the-middle attack.

91 citations


ReportDOI
01 Jan 2002
TL;DR: This paper proves the efficacy of a simple and general scheme in defending a protocol against replay attacks and believes that this work will be particularly useful in security critical applications and to protocol analyzers that are unable to detect some or all of the attacks in this class.
Abstract: Replay attacks on security protocols have been discussed for quite some time in the literature. However, the efforts to address these attacks have been largely incomplete, lacking generality and many times in fact, proven unsuccessful. In this paper we address these issues and prove the efficacy of a simple and general scheme in defending a protocol against these attacks. We believe that our work will be particularly useful in security critical applications and to protocol analyzers that are unable to detect some or all of the attacks in this class.

84 citations


Book ChapterDOI
11 Apr 2002
TL;DR: Using the model built, Spin can find a known attack on the protocol, and it correctly validates the fixed version of the protocol.
Abstract: This paper explores the use of Spin for the verification of cryptographic protocol security properties. A general method is proposed to build a Promela model of the protocol and of the intruder capabilities. The method is illustrated showing the modeling of a classical case study, i.e. the Needham-Schroeder Public Key Authentication Protocol. Using the model so built, Spin can find a known attack on the protocol, and it correctly validates the fixed version of the protocol.

79 citations


Proceedings ArticleDOI
24 Jun 2002
TL;DR: The design process is organized around the authentication tests, a method for protocol verification based on the strand space theory, which dictate how randomly generated values such as nonces may be combined with encryption to achieve authentication and freshness.
Abstract: We describe a protocol design process, and illustrate its use by creating ATSPECT, an authentication test-based secure protocol for electronic commerce transactions. The design process is organized around the authentication tests, a method for protocol verification based on the strand space theory. The authentication tests dictate how randomly generated values such as nonces may be combined with encryption to achieve authentication and freshness. ATSPECT offers functionality and security guarantees akin to the purchase request, payment authorization, and payment capture phases of SET, the secure electronic transaction standard created by the major credit card firms.

68 citations


Book ChapterDOI
16 Dec 2002
TL;DR: This paper proposes the first Identity based Group Key Agreement protocol by extending the Identity based two-party Authenticated Key Agreement Protocol using the One-way function trees.
Abstract: An important and popular trend in modern computing is to convert traditional centralized services into distributed services spread across multiple systems and networks. One-way function trees can be used to extend two-party Key Agreement protocols to n-party protocols. Tree-based Group Diffie-Hellman [17] is one such protocol. This paper proposes the first Identity based Group Key Agreement protocol by extending the Identity based two-party Authenticated Key Agreement protocol [13] using the One-way function trees. A new function called the transformation function is defined, which is required in generating keys at any level from a lower level key in the key tree. The new protocol provides complete forward and backward secrecy. Authentication is implicit in this protocol, whereas it has to be explicitly dealt with in other Key Agreement protocols. ID-AGKA protocol is more advantageous for systems without a deployed PKI.

54 citations


Book ChapterDOI
Tuomas Aura
17 Apr 2002
TL;DR: This paper presents a case study of security protocol design: authentication of binding updates in Mobile IPv6, and goes step by step through the threat analysis and shows how each threat is addressed in the protocol design.
Abstract: This paper presents a case study of security protocol design: authentication of binding updates in Mobile IPv6. We go step by step through the threat analysis and show how each threat is addressed in the protocol design. The goal is to solve any new security issues caused by the introduction of mobility without requiring any new security infrastructure.

48 citations


Book ChapterDOI
11 Nov 2002
TL;DR: A model-checker for security protocols is described and it is shown that attacks to a set of well-known authentication protocols are quickly found by state-of-the-art SAT solvers.
Abstract: We provide a fully automatic translation from security protocol specifications into propositional logic which can be effectively used to find attacks to protocols. Our approach results from the combination of a reduction of protocol insecurity problems to planning problems and well-known SAT-reduction techniques developed for planning. We also propose and discuss a set of transformations on protocol insecurity problems whose application has a dramatic effect on the size of the propositional encoding obtained with our SAT-compilation technique. We describe a model-checker for security protocols based on our ideas and show that attacks to a set of well-known authentication protocols are quickly found by state-of-the-art SAT solvers.

45 citations


Book ChapterDOI
14 Oct 2002
TL;DR: This paper considers how one can analyse a stream authentication protocol using model checking techniques and shows that, despite the infinite nature of the protocol, it is possible to build a finite model that correctly captures its behaviour.
Abstract: In this paper, we consider how one can analyse a stream authentication protocol using model checking techniques. In particular, we focus on the Timed Efficient Stream Loss-tolerant Authentication Protocol, TESLA. This protocol differs from the standard class of authentication protocols previously analysed using model checking techniques in the following interesting way: an unbounded stream of messages is broadcast by a sender, making use of an unbounded stream of keys; the authentication of the n-th message in the stream is achieved on receipt of the n + 1-th message. We show that, despite the infinite nature of the protocol, it is possible to build a finite model that correctly captures its behaviour.

31 citations


Proceedings ArticleDOI
02 Sep 2002
TL;DR: The approach differs from others in that protocol specifications do not use implicit assumptions, thus protocol security does not depend on whether some implicit assumptions made are reasonable for a particular environment, therefore protocol specifications explicitly provide relevant information for secure implementations.
Abstract: Cryptographic protocols are formally specified as a system of protocol agents using asynchronous product automata (APA). APA are a universal and very flexible operational description concept for communicating automata. Their specification, analysis and verification is supported by the SH-verification tool (SHVT). The local state of each agent is structured in several components describing its knowledge of keys, its "view" of the protocol and the goals to be reached within the protocol. Communication is modeled by adding messages to and removing them from a shared state component network. Cryptography is modeled by symbolic functions with certain properties. In addition to the regular protocol agents an intruder is specified, which has no access to the agents' local states but to the network. The intruder may intercept messages and create new ones based on his initial knowledge and on what he can extract from intercepted messages. Violations of the security goals can be found by state space analysis performed by the SHVT. The method is demonstrated using the symmetric Needham-Schroeder protocol, and an attack is presented that does not involve compromised session keys. Our approach differs from others in that protocol specifications do not use implicit assumptions, thus protocol security does not depend on whether some implicit assumptions made are reasonable for a particular environment. Therefore, our protocol specifications explicitly provide relevant information for secure implementations.

Proceedings ArticleDOI
07 Nov 2002
TL;DR: A new protocol is introduced that enhances the Identification Protocol (ident) infrastructure by sending recursive requests to previous hosts on the connection chain by addressing the stepping-stone scenario in which an attacker uses a chain of connections through many hosts to hide his or her identity.
Abstract: We introduce a new protocol designed to assist in the forensic investigation of malicious network-based activity, specifically addressing the stepping-stone scenario in which an attacker uses a chain of connections through many hosts to hide his or her identity. Our protocol, the Session TOken Protocol (STOP), enhances the Identification Protocol (ident) infrastructure by sending recursive requests to previous hosts on the connection chain. The protocol has been designed to protect user's privacy by returning a token that is a hash of connection information; a system administrator can later decide whether to release the information relating to the token depending on the circumstances of the request.

Book ChapterDOI
25 Aug 2002
TL;DR: A bound on the number of protocol executions that could be useful in attacks is established, which applies to a large class of protocols, which contains versions of some well-known authentication protocols, including the Yahalom, Otway-Rees, and Needham-Schroeder-Lowe protocols.
Abstract: Authentication protocols are designed to work correctly in the presence of an adversary that can prompt honest principals to engage in an unbounded number of concurrent executions of the protocol. This paper establishes a bound on the number of protocol executions that could be useful in attacks. The bound applies to a large class of protocols, which contains versions of some well-known authentication protocols, including the Yahalom, Otway-Rees, and Needham-Schroeder-Lowe protocols.

Journal ArticleDOI
TL;DR: An authenticated multiple-key agreement protocol is proposed, which is not only secure against the unknown-key attack but also more efficient than other protocols.
Abstract: An authenticated multiple-key agreement protocol is proposed. The protocol is not only secure against the unknown-key attack but also more efficient than other protocols.

Proceedings ArticleDOI
03 Apr 2002
TL;DR: This paper presents a public-key based authentication and key establishment protocol integrated with a sophisticated client puzzle, which together provides a good solution for network denial-of-service attacks, and various other common attacks.
Abstract: Network denial-of-service attacks, which exhaust the server resources, have become a serious security threat to the Internet. Public key infrastructure (PKI) has long been introduced in various authentication protocols to verify the identities of the communicating parties. Although the use of PKI can present difficulty to the denial-of-service attackers, the underlying problem has not been resolved completely, because the use of public-key infrastructure involves computationally expensive operations such as modular exponentiation. An improper deployment of the public-key operations in a protocol allows the attacker to exhaust the server's resources. This paper presents a public-key based authentication and key establishment protocol integrated with a sophisticated client puzzle, which together provides a good solution for network denial-of-service attacks, and various other common attacks. The joint establishment of session keys by both the client and the server protects the session after the mutual authentication. The basic strategy to protect against denial of service is to impose an adjustable cost on the attacker while launching the attacks. The proposed client puzzle protocol can also be integrated with other network protocols to protect against denial-of-service attacks.

Proceedings ArticleDOI
06 Oct 2002
TL;DR: This paper investigates the applicability of a bottom-up evaluation strategy for a first order fragment of linear logic for the purposes of automated validation of authenticated protocols and uses universal quantification to provide a logical and clean way to express creation of nonces.
Abstract: In this paper we investigate the applicability of a bottom-up evaluation strategy for a first order fragment of linear logic [7] for the purposes of automated validation of authentication protocols. Following [11], we use multi-conclusion clauses to represent the behaviour of agents in a protocol session, and we adopt the Dolev-Yao intruder model and related message and cryptographic assumptions. Also, we use universal quantification to provide a logical and clean way to express creation of nonces. Our approach is well suited to verify properties which can be specified by means of minimality conditions. Unlike traditional approaches based on model-checking, we can reason about parametric, infinite-state systems, thus we do not pose any limitation on the number of parallel runs of a given protocol. Furthermore, our approach can be used both to find attacks and to prove correctness of protocols. We present some preliminary experiments which we have carried out using the above approach. In particular, we analyze the ffgg protocol introduced by Millen [30]. This protocol is a challenging case study in that it is free from sequential attacks, whereas it suffers from parallel attacks that occur only when at least two sessions are run in parallel.

Journal Article
TL;DR: In this article, the authors present how the process-algebraic language μCRL can be used to specify and analyze security protocols, including the Needham-Schroeder public-key protocol.
Abstract: With the growth and commercialization of the Internet, the security of communication between computers becomes a crucial point. A variety of security protocols based on cryptographic primitives are used to establish secure communication over insecure open networks and distributed systems. Unfortunately, security protocols often contain serious errors. Formal verification can be used to obtain assurance that a protocol cannot be attacked by an intruder. In this paper, we present how the process-algebraic language μCRL can be used to specify and analyze security protocols. To illustrate the feasibility of our approach, we analyze the Needham-Schroeder public-key protocol and reproduce the error found by Gavin Lowe [Low96a]. Two more definitions of authentication are studied. We give some remarks on our approach and discuss some possible directions for future work.

Book ChapterDOI
08 Nov 2002
TL;DR: In this article, the authors show how the interaction between a protocol and its environment can have a major effect on a protocol, and demonstrate a number of attacks on published and/or widely used protocols that are not feasible against the protocol running in isolation but become feasible in some application environments.
Abstract: Most work on requirements in the area of authentication protocols has concentrated on identifying requirements for the protocol without much consideration of context. Little work has concentrated on assumptions about the environment, for example, the applications that make use of authenticated keys. We will show in this paper how the interaction between a protocol and its environment can have a major effect on a protocol. Specifically we will demonstrate a number of attacks on published and/or widely used protocols that are not feasible against the protocol running in isolation (even with multiple runs) but become feasible in some application environments. We will also discuss the tradeoff between putting constraints on a protocol and putting constraints on the environment in which it operates.

Book ChapterDOI
TL;DR: This paper shows how to use ALSP for modeling two significant case studies in protocol verification: the classical Needham-Schroeder public-key protocol, and Aziz-Diffie Key agreement protocol for mobile communication.
Abstract: Formal verification of security protocols has become a key issue in computer security. Yet, it has proven to be a hard task, often error prone and discouraging for non-experts in formal methods. In this paper we show how security protocols can be specified and verified efficiently and effectively by embedding reasoning about actions into a logic programming language. In a nutshell, we view a protocol trace as a plan to achieve a goal, so that protocol attacks are plans achieving goals that correspond to security violations. Building on results from logic programming and planning, we map the existence of an attack to a protocol into the existence of a model for the protocol specification that satisfies the specification of an attack. To streamline such way of modeling security protocols, we use a description language ALSP which makes it possible to describe protocols with declarative ease and to search for attacks by relying on efficient model finders (e.g. the smodels systems by Niemela and his group). This paper shows how to use ALSP for modeling two significant case studies in protocol verification: the classical Needham-Schroeder public-key protocol, and Aziz-Diffie Key agreement protocol for mobile communication.

01 Jan 2002
TL;DR: Calculation of the effective average Alice/Eve mutual information after performing a standard error-correction under various intercept/resend strategies shows that the Breidbart eavesdropping/Breidbart resend strategy (B/B strategy) is the most effective one.
Abstract: We discuss the Breidbart eavesdropping scheme of the extended BB84 quantum key distribution protocol. Calculation of the effective average Alice/Eve mutual information after performing a standard error-correction under various intercept/resend strategies shows that the Breidbart eavesdropping/Breidbart resend strategy (B/B strategy) is the most effective one. Since Alice and Bob can test openly whether there is the B/B eavesdropping by making use of the rejected data, we suggest an amendment of the BB84 protocol to reduce the requirements of the privacy amplification algorithm and hence reduce the quantum key loss. Finally, we present a quantum key regeneration method for error-correction which may be more secure than the standard error-correction process.

Proceedings ArticleDOI
11 Mar 2002
TL;DR: This paper presents and analyses the protocol with respect to its robustness against malicious attacks and concludes that this authentication protocol is a perfect candidate for the offline generation and validation of a disposable credit card number.
Abstract: Context free grammars present the desirable cryptographic property that it is easy to generate and validate strings from a given grammar, however it is hard to identify a grammar given only the strings generated by it. The algorithm used in the authentication protocol proposed in this paper makes use of context free grammars. This authentication protocol is a perfect candidate for the offline generation and validation of a disposable credit card number. The proposed protocol can be used alone and it does not rely on any other cryptographic protocols like SSL for its security. This paper presents and analyses the protocol with respect to its robustness against malicious attacks.

Proceedings Article
01 Jan 2002
TL;DR: A new mechanism to verify authentication using SDL, a general purpose specification language, is presented and a generic schema is defined that allows us to specify a security system and check system behavior when a malicious agent is present.
Abstract: Authentication between protocol agents is widely studied in the cryptographic protocol analysis area. It is essential in a virtual environment to rely on protocol parties' identity. In the academic literature there are many protocols that provide the authentication property. We present in this paper a new mechanism to verify authentication using SDL, a general purpose specification language. We have defined a generic schema in SDL that allows us to specify a security system and check system behavior when a malicious agent (the intruder) is present. We have used the EKE authentication protocol to illustrate how the mechanism works.

Journal ArticleDOI
TL;DR: This paper describes the attack and explains how the entire system can be compromised by an intruder after eavesdropping only one single run of the protocol.
Abstract: In [6], an authenticated key transport protocol was proposed for establishing secure communications between a base station and a mobile unit. The protocol is public-key based and relies on certificates to validate public keys of communicating parties. A signature scheme was also proposed and used in the certification mechanism of the protocol. We find that the signature scheme is vulnerable to an attack which allows an adversary to generate a signature on any message at its will. In this paper, we describe the attack and explain how the entire system can be compromised by an intruder after eavesdropping only one single run of the protocol.

Journal Article
TL;DR: The proposed protocol minimizes the number of message exchanges and the key management problem as it eliminates KDC, by using both symmetric- key and asymmetric-key schemes, and guarantees explicit entity and key authentication via a signature scheme based on elliptic curve cryptosystems (ECC).
Abstract: In this paper we propose a two-pass hybrid key distribution and authentication protocol. The proposed protocol minimizes the number of message exchanges and the key management problem as it eliminates KDC, by using both symmetric-key and asymmetric-key schemes. In addition, it guarantees explicit entity and key authentication via a signature scheme based on elliptic curve cryptosystems (ECC) whose efficiency is superior to existing signature schemes with only two-message exchanges. As each entity has the same number of exponential operations, it also guarantees load balance among each entity’s processing. We present proofs of security of our protocol using the formal methods Casper and FDR. The proposed protocol can be efficiently applied to various communication systems in distributed computing environments.

Proceedings ArticleDOI
06 Nov 2002
TL;DR: A communication protocol which has been designed specifically for large-scale clusters with a scientific application workload and takes advantage of the low error rate and high performance of these networks.
Abstract: Large-scale clusters built out of commercial components face similar scalability obstacles as the massively parallel processors (MPP) of the 1980s. This is especially true when they are used for scientific computing. Their networks are the descendants of the MPP networks, but the communication software in use has been designed for wide-area networks with client/server applications in mind. We present a communication protocol which has been designed specifically for large-scale clusters with a scientific application workload. The protocol takes advantage of the low error rate and high performance of these networks. It is adapted to the peculiarities of these MPP-like networks and the communication characteristics of scientific applications. This paper only presents the protocol itself and the ideas behind it. We refer the reader to other publications for more information about scalability, performance, and usage of the protocol presented here.

Journal Article
TL;DR: In the protocol, a mobile user can be provided with anonymous service and neither Visited Networks nor wiretappers know the information of the user's real identity.
Abstract: A new mutual authentication and key agreement protocol is proposed to resolve the problem of identity authentication and key agreement in mobile communications. In the protocol, a mobile user can be provided with anonymous service and neither Visited Networks nor wiretappers know the information of the user's real identity. Being assigned a signing private key and an anonymous digital certificate, a mobile user can be provided non-repudiation service.

01 Jan 2002
TL;DR: Security requirements for a challenge-response mutual authentication protocol are formulated as seven simple necessary conditions that are related to an attack so that a protocol not fulfilling all the conditions will be vulnerable to one of the attacks.
Abstract: Security requirements for a challenge-response mutual authentication protocol are formulated as seven simple necessary conditions. Each of these conditions is related to an attack so that a protocol not fulfilling all the conditions will be vulnerable to one of the attacks. Two protocols are identified such that they contain a minimal number of necessary security parameters.

Proceedings Article
01 Jan 2002
TL;DR: A way to abstract from various specifications of authentication and to obtain idealized protocols "secure by construction" that enables to prove that a cryptographic protocol is the correct implementation of the corresponding abstract protocol.
Abstract: We propose a way to abstract from various specifications of authentication and to obtain idealized protocols "secure by construction". This feature enables us to prove that a cryptographic protocol is the correct implementation of the corresponding abstract protocol. Our proposal relies on the combination of two authentication primitives, proposed by the authors in to a simplified version of the spi calculus.

Proceedings ArticleDOI
10 Dec 2002
TL;DR: An authentication architecture which uses a network management protocol and extensible authentication protocol on a smart card to perform authentication over the wireless network to manage security and QoS for user mobility is proposed.
Abstract: Mechanisms for security and quality of service (QoS) used in fixed networks cannot be adapted for mobile networks. The mobility of users makes problems in authentication and QoS conservation during handoffs. We focus on the management of security and QoS for user mobility. We propose an authentication architecture which uses a network management protocol (common open policy services) standardized by the Internet Engineering Task Force and extensible authentication protocol on a smart card to perform authentication over the wireless network.