
Showing papers on "Otway–Rees protocol published in 2003"


Proceedings ArticleDOI
27 Oct 2003
TL;DR: The Localized Encryption and Authentication Protocol (LEAP) as discussed by the authors is a key management protocol for sensor networks that is designed to support in-network processing, while at the same time restricting the security impact of a node compromise to the immediate network neighborhood of the compromised node.
Abstract: In this paper, we describe LEAP (Localized Encryption and Authentication Protocol), a key management protocol for sensor networks that is designed to support in-network processing, while at the same time restricting the security impact of a node compromise to the immediate network neighborhood of the compromised node. The design of the protocol is motivated by the observation that different types of messages exchanged between sensor nodes have different security requirements, and that a single keying mechanism is not suitable for meeting these different security requirements. LEAP supports the establishment of four types of keys for each sensor node -- an individual key shared with the base station, a pairwise key shared with another sensor node, a cluster key shared with multiple neighboring nodes, and a group key that is shared by all the nodes in the network. The protocol used for establishing and updating these keys is communication- and energy-efficient, and minimizes the involvement of the base station. LEAP also includes an efficient protocol for inter-node traffic authentication based on the use of one-way key chains. A salient feature of the authentication protocol is that it supports source authentication without precluding in-network processing and passive participation. We analyze the performance and the security of our scheme under various attack models and show our schemes are very efficient in defending against many attacks.

1,097 citations


Journal ArticleDOI
TL;DR: The main theorem guarantees that any well-typed protocol is robustly safe, that is, its correspondence assertions are true in the presence of any opponent expressible in spi.
Abstract: We propose a new method to check authenticity properties of cryptographic protocols. First, code up the protocol in the spi-calculus of Abadi and Gordon. Second, specify authenticity properties by annotating the code with correspondence assertions in the style of Woo and Lam. Third, figure out types for the keys, nonces, and messages of the protocol. Fourth, check that the spi-calculus code is well-typed according to a novel type and effect system presented in this paper. Our main theorem guarantees that any well-typed protocol is robustly safe, that is, its correspondence assertions are true in the presence of any opponent expressible in spi. It is feasible to apply this method by hand to several well-known cryptographic protocols. It requires little human effort per protocol, puts no bound on the size of the opponent, and requires no state space enumeration. Moreover, the types for protocol data provide some intuitive explanation of how the protocol works. This paper describes our method and gives some simple examples. Our method has led us to the independent rediscovery of flaws in existing protocols and to the design of improved protocols.

173 citations


01 Jan 2003
TL;DR: A process for the production of a uniformly blended textured vegetable protein food product including a mixture of dehydrated food granules containing specifically sized granules of a flavored textured soy protein.
Abstract: A process for the production of a uniformly blended textured vegetable protein food product including a mixture of dehydrated food granules containing specifically sized granules of a flavored textured soy protein. The dehydrated food particles including the flavored textured soy granules are mixed in a blender so as to blend the particles together into a uniform mixture. Dehydrated onion flakes of a specific size are then added and finally mixed with the previously blended food particles so as to blend all the particles together whereby oils from certain flavored soy granules (i.e. bacon) are coated on and absorbed by the onion flakes and other dehydrated vegetables and additives.

161 citations


Proceedings ArticleDOI
19 May 2003
TL;DR: This paper presents LHAP, a scalable and light-weight authentication protocol for ad hoc networks. It is based on hop-by-hop authentication for verifying the authenticity of all packets transmitted in the network, and on one-way key chains and TESLA for packet authentication and for reducing the overhead of establishing trust among nodes.
Abstract: Most ad hoc networks do not implement any network access control, leaving these networks vulnerable to resource consumption attacks where a malicious node injects packets into the network with the goal of depleting the resources of the nodes relaying the packets. To thwart or prevent such attacks, it is necessary to employ authentication mechanisms that ensure that only authorized nodes can inject traffic into the network. In this paper we present LHAP, a scalable and light-weight authentication protocol for ad hoc networks. LHAP is based on two techniques: (i) hop-by-hop authentication for verifying the authenticity of all the packets transmitted in the network and (ii) one-way key chain and TESLA for packet authentication and for reducing the overhead for establishing trust among nodes. We analyze the security of LHAP and show LHAP is a lightweight security protocol through detailed performance analysis.

133 citations


Proceedings ArticleDOI
15 Jul 2003
TL;DR: It is demonstrated that these techniques suffice for identifying a number of authentication flaws in symmetric key protocols such as Needham-Schroeder, Otway-Rees, Yahalom and Andrew Secure RPC.
Abstract: We perform a systematic expansion of protocol narrations into terms of process algebra in order to make precise some of the detailed checks that need to be made in a protocol. We then apply static analysis technology to develop an automatic validation procedure for protocols. Finally, we demonstrate that these techniques suffice for identifying a number of authentication flaws in symmetric key protocols such as Needham-Schroeder, Otway-Rees, Yahalom and Andrew Secure RPC.

103 citations


Journal ArticleDOI
TL;DR: An architecture for securely resolving IP addresses into hardware addresses over an Ethernet is proposed, together with two protocols: an invite-accept protocol and a request-reply protocol. Both are designed to overcome the actions of any adversary that can lose sent messages, arbitrarily modify the fields of sent messages, and replay old messages.

97 citations


Proceedings ArticleDOI
11 Jun 2003
TL;DR: This case study explores the use of general correspondence assertions in automatic proofs, and aims to demonstrate the considerable power of the tool and its applicability to non-trivial, interesting protocols.
Abstract: We present the formalization and verification of a recent cryptographic protocol for certified email. Relying on a tool for automatic protocol analysis, we establish the key security properties of the protocol. This case study explores the use of general correspondence assertions in automatic proofs, and aims to demonstrate the considerable power of the tool and its applicability to non-trivial, interesting protocols.

90 citations


Patent
02 Dec 2003
TL;DR: In this paper, an authentication protocol is proposed for enhancing the security of communications between software applications and Internet-based service providers, which incorporates a two level authentication model based on a distribution of authentication responsibilities, wherein the application authenticates users and the service provider authenticates the application.
Abstract: An authentication protocol is disclosed for use in enhancing the security of communications between software applications and Internet-based service providers. The protocol incorporates a two level authentication model based on a distribution of authentication responsibilities, wherein the application authenticates users and the service provider authenticates the application. Embodiments of the protocol incorporate public key infrastructure and digital certificate technology. Other embodiments of the present invention pertain to applying a corresponding protocol to peer-to-peer communication scenarios.

76 citations


Proceedings ArticleDOI
15 Jul 2003
TL;DR: A previous security protocol logic is extended with preconditions and temporal assertions and used to prove the security properties of the standard signature-based challenge-response protocol and the Diffie-Hellman key exchange protocol; the ISO-9798-3 protocol is then proved correct by composing the correctness proofs of these two simple protocols.
Abstract: Many authentication and key exchange protocols are built using an accepted set of standard concepts such as Diffie-Hellman key exchange, nonces to avoid replay, certificates from an accepted authority, and encrypted or signed messages. We introduce a basic framework for deriving security protocols from such simple components. As a case study, we examine the structure of a family of key exchange protocols that includes station-to-station (STS), ISO-9798-3, just fast keying (JFK), IKE and related protocols, deriving all members of the family from two basic protocols using a small set of refinements and protocol transformations. As initial steps toward associating logical derivations with protocol derivations, we extend a previous security protocol logic with preconditions and temporal assertions. Using this logic, we prove the security properties of the standard signature based challenge-response protocol and the Diffie-Hellman key exchange protocol. The ISO-9798-3 protocol is then proved correct by composing the correctness proofs of these two simple protocols.

75 citations


Journal ArticleDOI
21 May 2003
TL;DR: The merit of the proposed protocol is that it does not cause problems and does not alter the existing GSM architecture at all; the robustness of the new protocol also rests on the security algorithms A3, A5 and A8.
Abstract: An extension of the authentication protocol for GSM is proposed to improve some drawbacks of the current GSM authentication protocol including: not supporting bilateral authentication; huge bandwidth consumption between VLR and HLR; stored space overhead in VLR; and overloaded HLR with authentication of mobile stations. As a result, this new extension of the authentication protocol not only improves these drawbacks but also achieves the requirements: mutual authentication, reduction of bandwidth consumption, less storage of VLR database, security, and efficiency. The merit of the proposed protocol is that it does not cause problems and alter the existing architecture of GSM at all. The robustness of the new protocol is also based on security algorithms A3, A5 and A8.

74 citations


Journal ArticleDOI
TL;DR: Chen and Ku pointed out that the OSAP protocol is vulnerable to the stolen-verifier attack; an improved version of the OSAP protocol is proposed to enhance its security.
Abstract: In 2001, Lin et al. proposed an optimal strong-password authentication protocol called the OSAP protocol. However, Chen and Ku pointed out that it is vulnerable to the stolen-verifier attack. In this paper, we shall propose an improved version of the OSAP protocol to enhance the security.

Proceedings ArticleDOI
15 Jul 2003
TL;DR: It is proved that, when implemented using an encryption scheme that satisfies indistinguishability under chosen-ciphertext attack, the Needham-Schroeder-Lowe protocol is indeed a secure mutual authentication protocol.
Abstract: We provide the first computational analysis of the well known Needham-Schroeder-(Lowe) protocol. We show that Lowe's attack to the original protocol can naturally be cast to the computational framework. Then we prove that chosen-plaintext security for encryption schemes is not sufficient to ensure soundness of formal proofs with respect to the computational setting, by exhibiting an attack against the corrected version of the protocol implemented using an ElGamal encryption scheme. Our main result is a proof that, when implemented using an encryption scheme that satisfies indistinguishability under chosen-ciphertext attack, the Needham-Schroeder-Lowe protocol is indeed a secure mutual authentication protocol. The technicalities of our proof reveal new insights regarding the relation between formal and computational models for system security.

Proceedings ArticleDOI
31 Oct 2003
TL;DR: This work extends an earlier protocol that provides a weak form of authentication (extremely efficient, requiring only symmetric primitives, but not providing identification) into a new protocol that does provide identification, at the cost of external infrastructure and moderate computing power.
Abstract: Ad-hoc networks face huge security lacks. In the most general case entities need to build up a well-defined security association without any pre-established secret or common security infrastructure. In previous work we presented a protocol which provides a weak form of authentication that we call zero common-knowledge (ZCK) authentication. The protocol is extremely efficient and only requires symmetric primitives but does not provide identification. In this work we extend this approach in such a way that our new protocol provides identification at the cost of external infrastructure and moderate computing power. Our new protocol can be used to authenticate messages, e.g., to exchange keys for the earlier ZCK authentication protocol. Compared to public-key schemes, our approach is still very efficient.

Journal ArticleDOI
TL;DR: Describes research carried out into the development of a realistic model for simulating the performance of secure Session Initiation Protocol based VoIP networks, and discusses the implications of the results for designers considering the implementation of real secure VoIP networks.

Journal Article
TL;DR: A number of attacks on published and/or widely used protocols that are not feasible against the protocol running in isolation but become feasible in some application environments are demonstrated.
Abstract: Most work on requirements in the area of authentication protocols has concentrated on identifying requirements for the protocol without much consideration of context. Little work has concentrated on assumptions about the environment, for example, the applications that make use of authenticated keys. We will show in this paper how the interaction between a protocol and its environment can have a major effect on a protocol. Specifically we will demonstrate a number of attacks on published and/or widely used protocols that are not feasible against the protocol running in isolation (even with multiple runs) but become feasible in some application environments. We will also discuss the tradeoff between putting constraints on a protocol and putting constraints on the environment in which it operates.

Journal ArticleDOI
TL;DR: It is shown that the improved protocol of OSPA, proposed recently, is still vulnerable to a replay attack and a denial-of-service attack.
Abstract: In 2001, Lin, Sun, and Hwang proposed a strong-password authentication protocol, OSPA, which was later found to be vulnerable to a stolen-verifier attack and a man-in-the-middle attack. Recently, Lin, Shen, and Hwang [10] proposed an improved protocol of OSPA and showed that the improved protocol can resist the guessing attack, the replay attack, the impersonation attack, and the stolen-verifier attack. Herein, we show that their protocol is still vulnerable to a replay attack and a denial-of-service attack.

Journal ArticleDOI
TL;DR: The security weaknesses of the Simple And Secure protocol, the Optimal Strong-Password Authentication (OSPA) protocol, and the revised SAS protocols are examined and the RObust and SImple protocol is proposed to help raise security levels.
Abstract: Password-based authentication protocols are currently the conventional authentication protocols in many distributed systems. However, the security of these protocols is falling behind the times because more and more attacks can now break them. The security weaknesses of the Simple And Secure (SAS) protocol, the Optimal Strong-Password Authentication (OSPA) protocol, and the revised SAS protocols are examined in this paper. We then propose our RObust and SImple (ROSI) protocol to help raise security levels. The ROSI protocol can be easily implemented and has lower communication costs than most other protocols.

Book ChapterDOI
13 Oct 2003
TL;DR: In this paper, the authors present an authentication protocol for high-assurance smart card operating systems that support download of mutually suspicious applications, which is based on the existing IKE protocol used for authentication in IPSEC.
Abstract: This paper presents an authentication protocol for high-assurance smart card operating systems that support download of mutually suspicious applications. Such a protocol is required to be part of the operating system, rather than the traditional smart card approach of allowing applications to do authentication, because strong authentication is essential for the operating system to protect one application from another. The protocol itself is based on the existing IKE protocol [13], used for authentication in IPSEC. What is new is the integration of an IKE-like protocol with authentication of mandatory secrecy and integrity access controls, the recognition that a single PKI-hierarchy cannot certify identity and all possible mandatory access rights, and the use of IKE to resolve privacy problems found in existing smart card authentication protocols.

Proceedings ArticleDOI
29 Jun 2003
TL;DR: An authentication protocol based on public key exchange and a key establishment protocol to support authentication in an EPON based optical access network is proposed and an encryption layer is placed at the RS layer.
Abstract: An EPON (Ethernet passive optical network), which is progressing to standardization in IEEE 802.3ah, consists of an OLT (optical line termination) and multiple ONUs (optical network units) using passive optical components. This network is susceptible to various security threats, such as eavesdropping, masquerading, denial of service, and so on. We propose a security model and a security protocol to support authentication in an EPON based optical access network. We analyze security threats and security models in the EPON reference model. After considering these models, we propose that an encryption layer is placed at the RS layer. The paper proposes an authentication protocol based on public key exchange and a key establishment protocol. User authentication and ONU authentication are performed separately to give efficient key management and a strong authentication service.

01 Jan 2003
TL;DR: A general trace model for security protocols is defined which allows one to reason about various formal definitions of authentication; within it, a strong form of authentication called synchronization is defined, in both an injective and a noninjective version.
Abstract: In this paper we define a general trace model for security protocols which allows one to reason about various formal definitions of authentication. In the model, we define a strong form of authentication which we call synchronization. We present both an injective and a noninjective version. We relate synchronization to a formulation of agreement in our trace model and contribute to the discussion on intensional vs. extensional specifications.

Book ChapterDOI
09 Jul 2003
TL;DR: This work investigates how a certain component contributes to the task of achieving entity authentication and formalizes these principles in terms of rules for protocol parties and proves that protocols designed according to these rules will achieve entity authentication.
Abstract: We study the roles of message components in authentication protocols. In particular, we investigate how a certain component contributes to the task of achieving entity authentication. To this aim, we isolate a core set of roles that enables us to extract general principles that should be followed to avoid attacks. We then formalize these principles in terms of rules for protocol parties and we prove that protocols designed according to these rules will achieve entity authentication.

Journal ArticleDOI
TL;DR: A public-key based authentication and key establishment protocol coupled with a sophisticated client puzzle, which together provide a versatile solution for possible DoS attacks and various other common attacks during an authentication process.
Abstract: Network Denial-of-Service (DoS) attacks, which exhaust server resources and network bandwidth, can cause the target servers to be unable to provide proper services to the legitimate users and in some cases render the target systems inoperable and/or the target networks inaccessible. DoS attacks have now become a serious and common security threat to the Internet community. Public Key Infrastructure (PKI) has long been incorporated in various authentication protocols to facilitate verifying the identities of the communicating parties. The use of PKI has, however, an inherent problem as it involves expensive computational operations such as modular exponentiation. An improper deployment of the public-key operations in a protocol could create an opportunity for DoS attackers to exhaust the server's resources. This paper presents a public-key based authentication and key establishment protocol coupled with a sophisticated client puzzle, which together provide a versatile solution for possible DoS attacks and various other common attacks during an authentication process. Besides authentication, the protocol also supports a joint establishment of a session key by both the client and the server, which protects the session communications after the mutual authentication. The proposed protocol has been validated using a formal logic theory and has been shown, through security analysis, to be able to resist, besides DoS attacks, various other common attacks.

Journal ArticleDOI
TL;DR: It is strictly proved that, in the strand space model (SSM) with some small extensions, an entity authentication protocol is secure if for every strand there exists at least one bundle containing it; the generalized strand space model (GSSM) is then introduced and shown not only to prove security protocols correct but also to be usable for efficiently constructing protocol attacks.
Abstract: The growing interest in the application of formal methods of cryptographic protocol analysis has led to the development of a number of different ways for analyzing protocol. In this paper, it is strictly proved that if for any strand, there exists at least one bundle containing it, then an entity authentication protocol is secure in strand space model (SSM) with some small extensions. Unfortunately, the results of attack scenario demonstrate that this protocol and the Yahalom protocol and its modification are de facto insecure. By analyzing the reasons of failure of formal inference in strand space model, some deficiencies in original SSM are pointed out. In order to break through these limitations of analytic capability of SSM, the generalized strand space model (GSSM) induced by some protocol is proposed. In this model, some new classes of strands, oracle strands, high order oracle strands etc., are developed, and some notions are formalized strictly in GSSM, such as protocol attacks, valid protocol run and successful protocol run. GSSM can then be used to further analyze the entity authentication protocol. This analysis sheds light on why this protocol would be vulnerable while it illustrates that GSSM not only can prove security protocol correct, but also can be efficiently used to construct protocol attacks. It is also pointed out that using other protocol to attack some given protocol is essentially the same as the case of using the most of protocol itself.

Proceedings ArticleDOI
01 Dec 2003
TL;DR: This paper proposes a novel lightweight authentication protocol, consisting of a lightweight synchronization algorithm and a statistical scheme, including a complete analysis, detailed implementation issues and evaluation for the authentication protocol.
Abstract: Wireless networks are becoming very popular and the IEEE 802.11 devices are widely used everywhere nowadays. New concerns are raised when it comes to wireless security. Since the current security scheme in IEEE 802.11 namely wired equivalent privacy (WEP) is known to be quite insecure, virtual private network (VPN) is used to solve the security problems in wireless networks. However, the use of both WEP and VPN causes authentication redundancy at the mobile hosts. This paper proposes a novel lightweight authentication protocol, consisting of a lightweight synchronization algorithm and a statistical scheme. A complete analysis, detailed implementation issues and evaluation for the authentication protocol are included in the paper.

Proceedings ArticleDOI
30 Jun 2003
TL;DR: This paper presents a novel asymmetric end-to-end authentication protocol that is based on the concept of using the wireless access home network of a mobile station to assist its authentication with a service provider.
Abstract: The number of users of mobile devices that have access to Internet services increases while they are on the move (i.e. anywhere and at any time). This results in a new phenomenon: mobile electronic commerce, or m-commerce. Security provision for the m-commerce community is a challenging task due to the insecure air interface of wireless access networks, the limited computational capability and battery life of mobile devices, and the mobility of users. This paper presents a novel asymmetric end-to-end authentication protocol that is based on the concept of using the wireless access home network of a mobile station to assist its authentication with a service provider. The security of the proposed protocol is analysed and its performance against other related work is evaluated.

Proceedings ArticleDOI
09 Apr 2003
TL;DR: Two attacks on the authentication protocol are shown to be feasible, and a correction is proposed that makes the protocol more robust and resistant against the presented attacks.
Abstract: We present two attacks on the authentication protocol that has been proposed in the paper entitled "An approach to secure communication in PCS" (Xu, M. and Upadhyaya, S., Proc. IEEE Vehicular Tech. Conf., 2001). We show that the attacks are feasible and propose a correction that makes the protocol more robust and resistant against the presented attacks. The corrected protocol yields higher security compared to both the original protocol and the GSM authentication protocol. Moreover, the authentication procedures for the different handoff protocols have been presented and discussed. The most appropriate handoff protocol that matches the authentication protocol discussed here is recommended. We also discuss different encryption algorithms and suggest the most suitable one that yields higher throughput and lower delay time to be used in the corrected authentication protocol.

Proceedings ArticleDOI
Apostolis K. Salkintzis
01 Jan 2003
TL;DR: A new extension of the extensible authentication protocol (EAP), referred to as EAP-GPRS, which allows various types of messages to be embedded within EAP messages to facilitate fast handovers in cases when the WLAN is tightly coupled to a 3G cellular network.
Abstract: In this paper we propose and discuss a new extension of the extensible authentication protocol (EAP), referred to as EAP-GPRS (see also A. Salkintzis, "The EAP-GPRS Protocol"), which allows various types of messages (including UMTS RRC messages and GPRS LLC messages) to be embedded within EAP messages. One of the advantages of this protocol is that it can support signaling procedures embedded within a WLAN access control procedure and therefore facilitate fast handovers in cases when the WLAN is tightly coupled to a 3G cellular network.


Book ChapterDOI
TL;DR: A new security protocol for secure mobile agent system is proposed that solves the weaknesses of their protocol and provides the security services such as the mutual authentication, the confidentiality, the non-repudiation, and the prevention of replay attack.
Abstract: A mobile agent is a program which can autonomously migrate from one host to another, and it provides a useful framework for Electronic Commerce. But, in spite of the mobile agent system's benefits, it has been exposed to serious security attacks from malicious hosts or agents. So, there has been a lot of work on mobile agent security, and recently, Kim and Chung proposed a security protocol for mobile agent systems [5]. But their protocol has some security weaknesses; i.e., it is vulnerable to the intruder-in-the-middle attack and the previous agent platform can forge the multi-signature. In this paper, we show that their protocol has these security weaknesses. We then propose a new security protocol for a secure mobile agent system that solves the weaknesses of their protocol and provides security services such as mutual authentication, confidentiality, non-repudiation, and the prevention of replay attacks. Our protocol is very suitable for protecting mobile agents from malicious hosts in Electronic Commerce Web sites that search for the best price of products.

Proceedings ArticleDOI
13 Oct 2003
TL;DR: This paper provides an enhanced one-bit identity authentication protocol and a synchronization scheme for IEEE 802.11, with a complete analysis and implementation issues.
Abstract: With the explosive growth in the number of mobile devices, new concerns are raised when it comes to wireless security. Many commercial products use a virtual private network (VPN) to solve the security problems in wireless networks because the current security scheme in IEEE 802.11, namely wired equivalent privacy (WEP), is known to be quite insecure. However, using both WEP and VPN causes authentication redundancy at the mobile hosts. Thus, to reduce the redundancy, (H. Johnson, et al., 2002) proposed a one-bit identity authentication protocol for access control in IEEE 802.11. But a careful study of the paper revealed that the synchronization algorithm used in the work does not serve the purpose. This paper provides an enhanced one-bit identity authentication protocol and a synchronization scheme with a complete analysis and implementation issues in IEEE 802.11.