
Showing papers on "Otway–Rees protocol published in 2004"


01 Mar 2004
TL;DR: This document describes the Secure Real-time Transport Protocol (SRTP), a profile of the real-time transport protocol which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP).
Abstract: This document describes the Secure Real-time Transport Protocol (SRTP), a profile of the Real-time Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP).

711 citations


Proceedings Article
29 Mar 2004
TL;DR: Novel techniques that allow us to model check complex, real-world, well-tested protocol implementations with reasonable effort are implemented and applied to the Linux TCP/IP implementation, finding four errors in the protocol implementation.
Abstract: Network protocols must work. The effects of protocol specification or implementation errors range from reduced performance, to security breaches, to bringing down entire networks. However, network protocols are difficult to test due to the exponential size of the state space they define. Ideally, a protocol implementation must be validated against all possible events (packet arrivals, packet losses, timeouts, etc.) in all possible protocol states. Conventional means of testing can explore only a minute fraction of these possible combinations. This paper focuses on how to effectively find errors in large network protocol implementations using model checking, a formal verification technique. Model checking involves a systematic exploration of the possible states of a system, and is well-suited to finding intricate errors lurking deep in exponential state spaces. Its primary limitation has been the effort needed to use it on software. The primary contribution of this paper is a set of novel techniques that allow us to model check complex, real-world, well-tested protocol implementations with reasonable effort. We have implemented these techniques in CMC, a C model checker [30], and applied the result to the Linux TCP/IP implementation, finding four errors in the protocol implementation.

207 citations


Journal ArticleDOI
TL;DR: An efficient and non-interactive deniable authentication protocol is presented to enable a receiver to identify the source of a given message, but not prove the identity of the sender to a third party.

86 citations


Book ChapterDOI
27 Oct 2004
TL;DR: It is shown that current Bluetooth specifications do not have defensive mechanisms for relay attacks, however, relay attacks create a significant partial delay during the connection that might be useful for detection.
Abstract: We describe relay attacks on Bluetooth authentication protocol. The aim of these attacks is impersonation. The attacker does not need to guess or obtain a common secret known to both victims in order to set up these attacks, merely to relay the information it receives from one victim to the other during the authentication protocol run. Bluetooth authentication protocol allows such a relay if the victims do not hear each other. Such a setting is highly probable. We analyze the attacks for several scenarios and propose practical solutions. Moreover, we simulate attacks to make sure about their feasibility. These simulations show that current Bluetooth specifications do not have defensive mechanisms for relay attacks. However, relay attacks create a significant partial delay during the connection that might be useful for detection.

77 citations


Book ChapterDOI
Michael Backes1
13 Sep 2004
TL;DR: The first cryptographically sound security proof of the well-known Otway-Rees protocol is presented, which shows that the protocol is secure against arbitrary active attacks including concurrent protocol runs if it is implemented using provably secure cryptographic primitives.
Abstract: We present the first cryptographically sound security proof of the well-known Otway-Rees protocol. More precisely, we show that the protocol is secure against arbitrary active attacks including concurrent protocol runs if it is implemented using provably secure cryptographic primitives. Although we achieve security under cryptographic definitions, our proof does not have to deal with probabilistic aspects of cryptography and is hence in the scope of current proof tools. The reason is that we exploit a recently proposed ideal cryptographic library, which has a provably secure cryptographic implementation. Together with composition and preservation theorems of the underlying model, this allows us to perform the actual proof effort in a deterministic setting corresponding to a slightly extended Dolev-Yao model. Besides establishing the cryptographic security of the Otway-Rees protocol, our result also exemplifies the potential of this cryptographic library. We hope that it paves the way for cryptographically sound verification of security protocols by means of formal proof tools.

58 citations


Journal ArticleDOI
TL;DR: In the improved protocol, when the photon travels from the message receiver's site to the message sender's site, any attack can be detected in the control mode, and it is deterministically successful to transmit the secret messages in the message mode.
Abstract: In this paper, by introducing the additional classical information and taking advantage of the property of quantum entanglement swapping of two photon pairs instead of the property of quantum entanglement of a photon pair, the Bostrom-Felbinger protocol [Phys. Rev. Lett. 89, 187902 (2002)] is improved. In the improved protocol, when the photon travels from the message receiver's site to the message sender's site, any attack can be detected in the control mode. Moreover, it is deterministically successful to transmit the secret messages in the message mode. The security of the present improved protocol against the eavesdropping is ensured by the Bostrom-Felbinger protocol, and besides, the attacks proposed by Cai [Phys. Rev. Lett. 90, 109801 (2003)] to attack the Bostrom-Felbinger protocol without eavesdropping can be prevented.

51 citations


Book ChapterDOI
08 Jun 2004
TL;DR: Byun et al. as mentioned in this paper proposed a password-authenticated key exchange protocol in a cross-realm setting where two clients in different realms obtain a secret session key as well as mutual authentication, with the help of respective servers.
Abstract: A password-authenticated key exchange scheme allows two entities, who only share a memorable password, to authenticate each other and to agree on a cryptographic session key. Instead of considering it in the classic client and server scenarios, Byun et al. recently proposed a password-authenticated key exchange protocol in a cross-realm setting where two clients in different realms obtain a secret session key as well as mutual authentication, with the help of respective servers. In this paper, we first point out that the proposed protocol is not secure, due to the choice of invalid parameters (say, subgroup generator). Furthermore, we show in detail that, even with properly chosen parameters, the protocol still has some security flaws. We provide three attacks to illustrate the insecurity of the protocol. Finally, countermeasures are also given, which are believed able to withstand our attacks.

43 citations


Proceedings ArticleDOI
14 Mar 2004
TL;DR: A way to use Formal Methods to ensure the e-commerce properties of Transport Layer Security (TLS) by using a known tool for Model Checking (UPPAAL) to describe and analyze the behaviour of the protocol (by means of timed automata).
Abstract: E-commerce is based on transactions between client and server agents. These transactions require a protocol that provides privacy and reliability between these two agents. A widely used protocol on e-commerce is Transport Layer Security (TLS). In this paper we present a way to use Formal Methods to ensure the e-commerce properties of this protocol. Specifically we use a known tool for Model Checking (UPPAAL) to describe and analyze the behaviour of the protocol (by means of timed automata). Thus, with this tool we can make an automatic verification of TLS.

36 citations


Patent
21 Oct 2004
TL;DR: In this paper, a system and method for facilitating communications over a protocol is presented, which includes a class factory that holds identifiers associated with determining which registered protocol object creator should be employed to create a protocol object.
Abstract: A system and method for facilitating communications over a protocol is provided. The system includes a class factory that holds identifiers associated with determining which, if any, registered protocol object creator should be employed to create a protocol object. The protocol object implements an abstract network protocol base class. The protocol object is employed to abstract details of communicating over a protocol and to provide a byte stream interface to communications occurring over the protocol, while removing protocol specific code from an application program. The method includes creating an instance of a protocol object from a source of registered protocol handlers based on a request to communicate over a protocol and using a base class API to communicate over the protocol through the protocol object.

33 citations


Proceedings ArticleDOI
31 Oct 2004
TL;DR: A methodology for syntax-based vulnerability testing of computer-network protocol implementations, by mutating the protocol data units (PDUs) transmitted to the target implementation, which results in the production of a more universal testing tool applicable to many ASN.
Abstract: This paper describes a methodology for syntax-based vulnerability testing of computer-network protocol implementations, by mutating the protocol data units (PDUs) transmitted to the target implementation. The implementers of a protocol are under a number of different constraints: time, budget, throughput and memory footprint-size. Adequate attention to secure handling of data structures in a PDU can give way to other pressures. The implementation may be designed to meet conformance-testing cases but can have open vulnerabilities to more obscure cases that might not even be possible during normal operation of the protocol. The vulnerabilities can lead to a compromise of the target's security, e.g. buffer overflow. The vulnerability testing approach described in this paper manipulates the grammar of the targeted network protocol to generate a large number of mutated test-cases that can be used to identify security vulnerabilities. This work builds on that of Beizer and the PROWS research group who propose a functional method for assessing protocol implementation security. It adopts a more general approach in its modelling of protocols in order to take advantage of similarities between protocol data structures and to better utilise common abstract syntax constructs (in this case ASN.1), and common transfer syntaxes. It focuses on the mutation of a representation of PDU syntax that is derived from actual protocol PDUs "by example" rather than by specifying and mutating the grammar for the protocol itself. This results in the production of a more universal testing tool applicable to many ASN.1-based protocols with little or no modification. The methodology and tools developed as part of this work were used with success to test a number of network protocols, including a commercial product using ASN.1-specified X.509 public key certificates.

32 citations


Journal ArticleDOI
TL;DR: A new efficient authentication protocol providing anonymous channels in the global system for mobile communications is presented, using algorithms A3, A5 and A8.

Book ChapterDOI
29 Mar 2004
TL;DR: If all the protocol participants are successfully validated, then the protocol as a whole guarantees entity authentication in the presence of Dolev-Yao intruders.
Abstract: We propose a new method for the static analysis of entity authentication protocols. We develop our approach based on a dialect of the spi-calculus as the underlying formalism for expressing protocol narrations. Our analysis validates the honest protocol participants against static (hence decidable) conditions that provide formal guarantees of entity authentication. The main result is that the validation of each component is provably sound and fully compositional: if all the protocol participants are successfully validated, then the protocol as a whole guarantees entity authentication in the presence of Dolev-Yao intruders.

Journal ArticleDOI
TL;DR: In this paper, a method of integrating user authentication with anonymity and untraceability is presented based on the secret-key certificate and the algebraic structure of error-correcting codes, which provides a means for the authentication server to avoid the requirement of maintaining a secure database of user secrets.

Dissertation
01 Jan 2004
TL;DR: The combination of the Timed Abstract Protocol notation and the Austin Protocol Compiler addresses the issues of network protocol development by allowing precise and verifiable descriptions of protocols which can be made executable easily, in order both to gain experimental experience and to provide reference implementations.
Abstract: A number of issues combine to make network protocol development significantly more difficult than other areas of computer programming: problems with time, concurrency, and failures; interactions between the network protocol and its environment; and obstacles in developing the protocol over time. In order to address these issues, we introduce the Timed Abstract Protocol notation and the Austin Protocol Compiler. The Timed Abstract Protocol, or TAP, notation is a domain-specific formal language for describing asynchronous is suited for protocol design, comprehension, and correctness verification. The concrete execution model is suited for protocol implementation. We show that the two models are equivalent: that a protocol interpreted under the concrete model preserves the intended behavior of the protocol interpreted that transforms a protocol given in the Timed Abstract Protocol notation into executable C code and provides a runtime environment for the protocol. In order to demonstrate the effectiveness of the TAP notation and APC, we present implementations of a secure encryption key exchange protocol, a failure discovery protocol, and a Domain Name System server. While discussing the latter, we examine the performance of the APC implementation and show that it is comparable to two other DNS servers. The combination of the Timed Abstract Protocol notation and the Austin Protocol Compiler addresses the issues of network protocol development by allowing precise and verifiable descriptions of protocols which can be made executable easily, in order both to gain experimental experience and to provide reference implementations.

Proceedings ArticleDOI
27 Sep 2004
TL;DR: This paper addresses the authentication problem and proposes an efficient authentication protocol that lets 3G subscribers connect to WLAN with a higher data rate and that can withstand guessing, replay and impersonation attacks.
Abstract: Cellular (3G or 2.5G) networks provide wider service areas and ubiquitous connectivity with low data rates. WLAN networks offer higher data rates and easy compatibility with the wired Internet, but cover smaller areas. 3G and WLAN possess complementary properties. Integrating 3G and WLAN networks may offer subscribers high-speed wireless data services and ubiquitous connectivity. For integrating two different networks, there are several problems that should be addressed, such as authentication, billing, quality of service, and seamless roaming between 3G and WLAN networks. In this paper, we address the authentication problem and propose an efficient authentication protocol that lets 3G subscribers connect to WLAN with a higher data rate. Certainly, the protocol is also suitable for 2.5G. The authentication protocol utilizes a one-time password approach to authenticate subscribers. It can withstand guessing, replay and impersonation attacks. A simulation result is given to validate our protocol.

Book ChapterDOI
04 Jul 2004
TL;DR: Coral, a system for finding security protocol attacks by refuting incorrect inductive conjectures about the trace of messages exchanged, is described and novel properties of the protocol are investigated, such as tolerance to disruption, and whether it results in agreement on a single key.
Abstract: Automated tools for finding attacks on flawed security protocols often struggle to deal with protocols for group key agreement. Systems designed for fixed 2 or 3 party protocols may not be able to model a group protocol, or its intended security properties. Frequently, such tools require an abstraction to a group of fixed size to be made before the automated analysis takes place. This can prejudice chances of finding attacks on the protocol. In this paper, we describe Coral, our system for finding security protocol attacks by refuting incorrect inductive conjectures. We have used Coral to model a group key protocol in a general way. By posing inductive conjectures about the trace of messages exchanged, we can investigate novel properties of the protocol, such as tolerance to disruption, and whether it results in agreement on a single key. This has allowed us to find three distinct novel attacks on groups of size two and three.

01 Jan 2004
TL;DR: This paper introduces a novel approach to the automation of such a deductive reasoning process for logic based security protocol verification that results in a comparatively simple - but powerful - proving system.
Abstract: Secure communications over insecure networks relies on the security of cryptographic protocols. Formal verification is an essential step in the design of security protocols. In particular logic-based verification has been shown to be effective and has discovered a number of protocol flaws. However, manual application of the deductive reasoning process is complex, tedious and prone to error. This paper introduces a novel approach to the automation of such a deductive reasoning process. This new approach results in a comparatively simple - but powerful - proving system for logic based security protocol verification.

Journal ArticleDOI
TL;DR: The improved protocol is able to defeat the modification attack and is as efficient as the Hwang-Shiau-Lai protocol and provides the perfect forward secrecy.
Abstract: Recently, Hwang, Shiau and Lai proposed an efficient authentication key exchange protocol to decrease the computation cost of the Harn-Lin improved protocol. However, the Hwang-Shiau-Lai protocol cannot withstand the modification attack. Therefore, this paper will propose an improved protocol to enhance the security of the Hwang-Shiau-Lai protocol. The improved protocol is able to defeat the modification attack and is as efficient as the Hwang-Shiau-Lai protocol. Moreover, the improved protocol also provides perfect forward secrecy.

Journal ArticleDOI
TL;DR: The analysis shows that the new protocol achieves the goals of authentication and key distribution without bugs.

Book ChapterDOI
07 Jul 2004
TL;DR: In this article, a rank function analysis is used to locate a flaw in a simple authentication protocol and prove that a modified version of the protocol is correct, based on a theorem prover.
Abstract: The field of protocol analysis is one area in which CSP has proven particularly successful, and several techniques have been proposed that use CSP to reason about security properties such as confidentiality and authentication. In this paper we describe one such approach, based on theorem-proving, that uses the idea of a rank function to establish the correctness of protocols. This description is motivated by the consideration of a simple, but flawed, authentication protocol. We show how a rank function analysis can be used to locate this flaw and prove that a modified version of the protocol is correct.

Journal ArticleDOI
TL;DR: A secure strong-password authentication protocol is presented to overcome the disadvantages of the OSPA protocol and the denial-of-service attack.
Abstract: Password authentication protocols are divided into two types. One employs the easy-to-remember password while the other requires the strong password. In 2001, Lin et al. proposed an optimal strong-password authentication protocol (OSPA) to resist the replay attack and the denial-of-service attack. However, Chen and Ku pointed out that the OSPA protocol is vulnerable to the stolen-verifier attack. Hence, Lin et al. presented an enhancement in 2003. Nevertheless, mutual authentication is not ensured in Lin et al.'s protocol such that it suffers from the server spoofing attack. Moreover, Lin et al.'s protocol is also vulnerable to the denial-of-service attack. As a result, we present a secure strong-password authentication protocol in this paper to overcome their disadvantages.

Journal ArticleDOI
TL;DR: A new anonymous channel protocol for wireless communications that saves the trouble of employing public key cryptography in the anonymous channel ticket authentication phase just as Jan et al.'s protocol.
Abstract: In this paper, the authors shall propose a new anonymous channel protocol for wireless communications. Compared with Juang et al.'s protocol and Jan et al.'s protocol, our protocol is more efficient. In addition, our protocol saves the trouble of employing public key cryptography in the anonymous channel ticket authentication phase just as Jan et al.'s protocol.

Proceedings ArticleDOI
16 Nov 2004
TL;DR: The proposed enhanced lightweight identity authentication protocol for access control in IEEE 802.11 networks is well suited in a wireless constrained environment for its low communication and computation overheads, requiring only several additional bits for transmission and random bit generating operation.
Abstract: In this paper, an enhanced lightweight identity authentication protocol for access control in IEEE 802.11 networks is presented. The proposed protocol is nicely integrated with the current MAC frame structure and takes the most advantage of the redundancy bits inside the MAC frame header to convey the authentication information, as well as the synchronization information in case of synchronization loss happening. A much more efficient and fault-tolerant synchronization algorithm is given at the same time, which significantly improves the performance of the proposed protocol as compared to the previous ones. The proposed protocol is highly effective as evaluated via a thorough mathematical analysis. A quantitative attack detection framework is also established based on the evaluation result. Finally, the proposed protocol is well suited in a wireless constrained environment for its low communication and computation overheads, requiring only several additional bits (less than 8) for transmission and random bit generating operation.

Journal ArticleDOI
TL;DR: A TLS-based protocol named Light-Transport Layer Security (TLS), a lightweight identity authentication protocol for access control and key calculation and distribution for both mobile clients (WAP, GPRS and application servers).

Journal ArticleDOI
TL;DR: The results showed that the expected high data rates on one hand, and protocol optimisations on the other hand, can make SSL-based authentication a realistic solution in terms of service time for future mobile systems.
Abstract: The SSL/TLS protocol is a de-facto standard that has proved its effectiveness in the wired Internet and it will probably be the most promising candidate for future heterogeneous wireless environments. In this paper, we propose potential solutions that this protocol can offer to future "all-IP" heterogeneous mobile networks with particular emphasis on the user's side. Our approach takes into consideration the necessary underlying public key infrastructure (PKI) to be incorporated in future 3G core network versions and is under investigation by 3GPP. We focus on the standard 3G+ authentication and key agreement (AKA), as well as the recently standardized extensible authentication protocol (EAP)-AKA procedures and claim that SSL-based AKA mechanisms can provide for an alternative, more robust, flexible and scalable security framework. In this 3G+ environment, we perceive authentication as a service, which has to be performed at the higher protocol layers irrespective of the underlying network technology. We conducted a plethora of experiments concentrating on the SSL's handshake protocol performance, as this protocol contains demanding public key operations, which are considered heavy for mobile devices. We gathered measurements over the GPRS and IEEE 802.11b networks, using prototype implementations, different test beds and considering battery consumption. The results showed that the expected high data rates on one hand, and protocol optimisations on the other hand, can make SSL-based authentication a realistic solution in terms of service time for future mobile systems.

Proceedings ArticleDOI
31 Oct 2004
TL;DR: Simulation results show that the proposed approach outperforms DIAMETER for macro-mobility users with high volume of authentication requests.
Abstract: In this paper, we propose a new lightweight authentication protocol with local security association (SA) control to locally authenticate an inter-domain roaming user based on its mobility and traffic patterns. We first design a protocol to establish a local SA for authenticating the roaming user securely. Then, in order to determine the life time for the local SA, an authentication cost function is proposed to evaluate the authentication efficiency with the concern of risk, mobility and traffic patterns. The optimal life time of the local SA is determined by minimizing the authentication cost function. The performance of the proposed protocol is analyzed with respect to authentication cost under different mobility and traffic patterns. Simulation results show that the proposed approach outperforms DIAMETER for macro-mobility users with high volume of authentication requests.

Proceedings ArticleDOI
29 Nov 2004
TL;DR: This work finds that the proposed wireless authentication and key agreement protocol (ASK-WAP) based on elliptic curve cryptography (ECC) is vulnerable to a man-in-the-middle attack, a denial-of-service attack and an impersonation attack, and proposes the user authentication protocol (UAP) so that it resists these attacks.
Abstract: M. Aydos, B. Savas and C.K. Koc (see Proc. 2nd Int. Workshop on Discrete Algorithms and Methods for Mobile Computing and Commun., 1998) proposed a wireless authentication and key agreement protocol (ASK-WAP) based on elliptic curve cryptography (ECC). We find that this protocol is vulnerable to a man-in-the-middle attack, a denial-of-service attack and an impersonation attack. We present the above mentioned attacks on the ASK-WAP. We also propose a variant of ASK-WAP, the user authentication protocol (UAP), so that it resists these attacks. Furthermore, we analyze the security and performance of the proposed UAP. The results show that our proposed UAP is much more secure and is also efficient with few message exchanges and less computation.

Journal ArticleDOI
TL;DR: The analytical results show that this protocol performs well in terms of computational and communication cost, synchronization efficiency, and protocol operation secrecy, and it is shown that this new protocol is practical for implementation in wireless LANs.

Proceedings ArticleDOI
29 Mar 2004
TL;DR: It will be shown that Hwang et al.'s protocol cannot withstand the forgery signature attack and the security flaw in their scheme will be repaired.
Abstract: In 2003, Hwang et al. proposed an enhanced authentication key exchange protocol. Their protocol can generate multiple shared keys for two entities at a time and takes less computation time than Harn and Lin's protocol. However, we will show that Hwang et al.'s protocol cannot withstand the forgery signature attack. At the same time, we will repair the security flaw in their scheme.

Journal ArticleDOI
TL;DR: This paper investigates the applicability of a bottom-up evaluation strategy for a first-order fragment of affine linear logic that was introduced in Theory Prac.