Showing papers on "Otway–Rees protocol published in 2007"


Journal ArticleDOI
TL;DR: PCL supports compositional reasoning about complex security protocols and has been applied to a number of industry standards including SSL/TLS, IEEE 802.11i and Kerberos V5.

211 citations


Journal ArticleDOI
TL;DR: A new protocol, named HB-MP, derived from HB^+, is presented, providing a more efficient performance and resistance to the active attacks applied to the HB-family.

178 citations


Proceedings ArticleDOI
28 Oct 2007
TL;DR: This paper formally proves the security of the protocol in the Universal Composability framework, based on number-theoretic assumptions, that has "everlasting privacy": even a computationally unbounded adversary gains no information about specific votes from observing the protocol's output.
Abstract: In this paper we propose a new voting protocol with desirable security properties. The voting stage of the protocol can be performed by humans without computers; it provides every voter with the means to verify that all the votes were counted correctly (universal verifiability) while preserving ballot secrecy. The protocol has "everlasting privacy": even a computationally unbounded adversary gains no information about specific votes from observing the protocol's output. Unlike previous protocols with these properties, this protocol distributes trust between two authorities: a single corrupt authority will not cause voter privacy to be breached. Finally, the protocol is receipt-free: a voter cannot prove how she voted even if she wants to do so. We formally prove the security of the protocol in the Universal Composability framework, based on number-theoretic assumptions.

99 citations


Proceedings ArticleDOI
20 May 2007
TL;DR: This work presents attacks against two cognitive authentication schemes, designed to be secure against eavesdropping attacks while relying only on human cognitive skills, that are not secure against an eavesdropping adversary.
Abstract: We present attacks against two cognitive authentication schemes [9] proposed at the 2006 IEEE Symposium on Security and Privacy. These authentication schemes are designed to be secure against eavesdropping attacks while relying only on human cognitive skills. They achieve authentication via challenge response protocols based on a shared secret set of pictures. Our attacks use a SAT solver to recover a user's secret key in a few seconds, after observing only a small number of successful logins. These attacks demonstrate that the authentication schemes of [9] are not secure against an eavesdropping adversary.

81 citations


Proceedings ArticleDOI
06 Jul 2007
TL;DR: This paper proposes a general model for security protocols based on the set-rewriting formalism that allows for the specification of assumptions on principals and communication channels as well as complex security properties that are normally not handled by state-of-the-art protocol analysers.
Abstract: Most model checking techniques for security protocols make a number of simplifying assumptions on the protocol and/or on its execution environment that prevent their applicability in some important cases. For instance, most techniques assume that communication between honest principals is controlled by a Dolev-Yao intruder, i.e. a malicious agent capable of overhearing, diverting, and faking messages. Yet we might be interested in establishing the security of a protocol that relies on a less insecure channel (e.g. a confidential channel provided by some other protocol sitting lower in the protocol stack). In this paper we propose a general model for security protocols based on the set-rewriting formalism that, coupled with the use of LTL, allows for the specification of assumptions on principals and communication channels as well as complex security properties that are normally not handled by state-of-the-art protocol analysers. By using our approach we have been able to formalise all the assumptions required by the ASW protocol for optimistic fair exchange as well as some of its security properties. Besides the previously reported attacks on the protocol, we report a new attack on a patched version of the protocol.

75 citations


Journal ArticleDOI
TL;DR: A protocol is shown that mitigates DoS attacks by adversaries that can eavesdrop and (with some delay) adapt their attacks accordingly and provides effective DoS prevention for realistic attack and deployment scenarios.
Abstract: We consider the problem of overcoming (distributed) denial-of-service (DoS) attacks by realistic adversaries that have knowledge of their attack's successfulness, for example, by observing service performance degradation or by eavesdropping on messages or parts thereof. A solution for this problem in a high-speed network environment necessitates lightweight mechanisms for differentiating between valid traffic and the attacker's packets. The main challenge in presenting such a solution is to exploit existing packet-filtering mechanisms in a way that allows fast processing of packets but is complex enough so that the attacker cannot efficiently craft packets that pass the filters. We show a protocol that mitigates DoS attacks by adversaries that can eavesdrop and (with some delay) adapt their attacks accordingly. The protocol uses only available efficient packet-filtering mechanisms based mainly on addresses and port numbers. Our protocol avoids the use of fixed ports and instead performs "pseudorandom port hopping." We model the underlying packet-filtering services and define measures for the capabilities of the adversary and for the success rate of the protocol. Using these, we provide a novel rigorous analysis of the impact of DoS on an end-to-end protocol and show that our protocol provides effective DoS prevention for realistic attack and deployment scenarios.

73 citations


01 Jan 2007
TL;DR: This document specifies EAP-PSK, an Extensible Authentication Protocol (EAP) method for mutual authentication and session key derivation using a Pre-Shared Key (PSK) for authentication over insecure networks such as IEEE 802.11.
Abstract: This document specifies EAP-PSK, an Extensible Authentication Protocol (EAP) method for mutual authentication and session key derivation using a Pre-Shared Key (PSK). EAP-PSK provides a protected communication channel when mutual authentication is successful for both parties to communicate over. This document describes the use of this channel only for protected exchange of result indications, but future EAP-PSK extensions may use the channel for other purposes. EAP-PSK is designed for authentication over insecure networks such as IEEE 802.11. This memo defines an Experimental Protocol for the Internet community.

72 citations


Proceedings ArticleDOI
12 Sep 2007
TL;DR: This paper presents a fast and secure authenticated key agreement (EC-SAKA) protocol based on elliptic curve cryptography that can resist dictionary attacks mounted by either passive or active network intruders, and offers perfect forward secrecy which protects past sessions and passwords against future compromise.
Abstract: The increasing progress in wireless mobile communication has attracted an important amount of attention on the security issue. To provide secure communication for mobile devices, authenticated key agreement protocol is an important primitive for establishing session key. So far, several protocols have been proposed to provide robust mutual authentication and key establishment for wireless local area network (WLAN). In this paper we present a fast and secure authenticated key agreement (EC-SAKA) protocol based on elliptic curve cryptography. Our proposed protocol provides secure mutual authentication, key establishment and key confirmation over an untrusted network. The new protocol achieves many of the required security and performance properties. It can resist dictionary attacks mounted by either passive or active network intruders. It can resist Man-In-The-Middle attack. It also offers perfect forward secrecy which protects past sessions and passwords against future compromise. In addition, it can resist known-key and resilience to server attack. Our proposed protocol uses ElGamal signature techniques (ECEGS). We show that our protocol meets the above security attributes under the assumption that the elliptic curve discrete logarithm problem is secure. Our proposed protocol offers significantly improved performance in computational and communication load over comparably many authenticated key agreement protocols such as B-SPEKE, SRP, AMP, PAK-RY, PAK-X, SKA, LR-AKE and EC-SRP.

65 citations


Proceedings ArticleDOI
12 Jul 2007
TL;DR: The GS-LEACH (grid-based secure LEACH) protocol uses pre-deployment key distribution using prior knowledge of the deployment area to provide a secure solution to a commonly used clustering protocol, the LEACH protocol.
Abstract: Clustering protocols are often used in sensor networks. In many deployment scenarios, security is a key concern. In this paper we provide a secure solution to a commonly used clustering protocol, the LEACH protocol. We show that our protocol, the GS-LEACH protocol, is more energy efficient than any of the secure flavors of LEACH. The GS-LEACH (grid-based secure LEACH) protocol uses pre-deployment key distribution using prior knowledge of the deployment area. We also provide a detailed security analysis of our protocol and show that it is more secure than the secure versions of LEACH. Finally, with the results of our simulation experiments we show that our protocol is very energy efficient and provides a longer network lifetime compared to the other flavors of LEACH.

58 citations


Posted Content
TL;DR: Experimental observations concerning Czech e-passports show clearly an inherent weakness rooted in lower layers of ISO 14443, which induces a question on whether the e-passport should not have used a different communication protocol or authentication scheme.
Abstract: The threat of relay attacks on authentication protocols is often well recognized, especially for contactless applications like RFID chips. It is, therefore, a bit surprising to meet an implementation that actually encourages rather than eliminates these attacks. We present our experimental observations concerning Czech e-passports. These show clearly an inherent weakness rooted in lower layers of ISO 14443. As the behavior is unavoidable, it induces a question on whether the e-passport should not have used a different communication protocol or authentication scheme.

46 citations


Journal ArticleDOI
TL;DR: This paper proposes a protocol that allows a client to securely use a single password across multiple servers, and also prevents phishing attacks, and is an anti-phishing password protocol that is simple, secure, efficient and user-friendly.

Journal ArticleDOI
TL;DR: This paper proposes a new group key agreement protocol for an imbalanced wireless network consisting of many mobile nodes with limited computing capability and a powerful node with less restriction, and shows that the proposed protocol is well suited for mobile devices with limited computing capability.

Book ChapterDOI
17 Dec 2007
TL;DR: In this paper, a low-cost and strong-security RFID protocol is proposed to reduce the computational load on both the back-end database and the tags in an RFID system.
Abstract: This paper proposes a low-cost and strong-security RFID protocol to reduce the computational load on both the back-end database and the tags in an RFID system. When desynchronization occurs as a result of a communication failure or malicious attack, the proposed protocol can recover synchronization between the database and the tag in the following session. Furthermore, the proposed protocol also satisfies most security requirements, including the strong privacy property defined by Juels and Weis, plus robustness against replay and spoofing attacks and forward security.

Journal ArticleDOI
TL;DR: This article designs a secure conference-key agreement protocol with constant round number and message size that possesses both fault tolerance and forward secrecy, while previously proposed protocols with round-efficiency lack one or both properties.

Journal ArticleDOI
TL;DR: It is shown that Aydos et al.'s protocol is vulnerable to man-in-the-middle attack from any attacker not restricted on the inside attacker and a forging certificate attack on Mangipudi et al's protocol is presented.
Abstract: Recently, Aydos et al. proposed an ECC-based wireless authentication protocol. Because their protocol is based on ECC, the protocol has significant advantages including lower computational burden, lower communication bandwidth and storage requirements. However, Mangipudi et al. showed that the protocol is vulnerable to the man-in-the-middle attack from the attacker within the system and proposed a user authentication protocol to prevent the attack. This paper further shows that Aydos et al.'s protocol is vulnerable to man-in-the-middle attack from any attacker, not restricted to the inside attacker. Then, a forging certificate attack on Mangipudi et al.'s protocol is presented. Next, the reasons that Aydos et al.'s protocol and Mangipudi et al.'s protocol suffer the attacks are analyzed. Finally, we propose a novel ECC-based wireless authentication protocol and analyze the security of our protocol.

Proceedings ArticleDOI
01 Nov 2007
TL;DR: This paper proposes a protocol that involves minimal interaction between a tag and a reader and places low computational burden on the tag, which could resist DoS attack, traceability and provide forward security.
Abstract: In this paper, we point out weaknesses of Kyosuke Osada et al.'s protocol. We find that their scheme cannot resist DoS attack and traceability, and does not provide forward security. We then propose our protocol. Our protocol involves minimal interaction between a tag and a reader and places low computational burden on the tag. The protocol can resist DoS attack and traceability and provide forward security.

Book ChapterDOI
12 Dec 2007
TL;DR: It is shown that whenever a protocol is secure, it remains secure even in an environment where arbitrary protocols are executed, provided each encryption contains some tag identifying each protocol, like e.g. the name of the protocol.
Abstract: Security protocols are small programs that are executed in hostile environments. Many results and tools have been developed to formally analyze the security of a protocol. However even when a protocol has been proved secure, there is absolutely no guarantee if the protocol is executed in an environment where other protocols, possibly sharing some common identities and keys like public keys or long-term symmetric keys, are executed. In this paper, we show that whenever a protocol is secure, it remains secure even in an environment where arbitrary protocols are executed, provided each encryption contains some tag identifying each protocol, like e.g. the name of the protocol.

Proceedings ArticleDOI
01 Oct 2007
TL;DR: This work proposes a simplified generic approach based on a challenge-response criterion to discover man-in-the-middle attacks in authentication protocols and demonstrates how the inability to find out the true originator of a message guides us through a sequence of logical arguments eventually leading to a successful man-in-the-middle attack.
Abstract: Security protocols are widely used to provide secure communication in many critical applications such as e-commerce and defense. Numerous formal methods have been used to ensure the desired working of security protocols. Formal methods provide rigorous analysis but are complex, whereas informal methods are simple but lack the power to express the details of the analysis. The strand-space framework has become a popular formal method for analyzing security protocols due to its graph-theoretic nature. Benefiting from the expressiveness of this method and utilizing the intuitiveness of informal logical arguments, we propose a simplified generic approach based on a challenge-response criterion to discover man-in-the-middle attacks in authentication protocols. Man-in-the-middle attacks result in discrepancies in the parameters among the participants of a protocol. To discover the possibility of a man-in-the-middle attack on a protocol, we propose that each participant investigate the parameters of the other participants of the protocol by finding out the true originator of its received messages. With the help of an example, we demonstrate how the inability to find out the true originator of a message guides us through a sequence of logical arguments eventually leading to a successful man-in-the-middle attack.

Patent
25 Sep 2007
TL;DR: In this paper, an authentication protocol for an industrial automation system is provided, which includes at least one industrial control component that communicates security information across a network, and one protocol component that employs mutual authentication data that is based in part on a private session key exchange.
Abstract: An authentication protocol for an industrial automation system is provided. This includes at least one industrial control component that communicates security information across a network. At least one protocol component is provided that employs mutual authentication data that is based in part on a private session key exchange to facilitate authentication of the industrial control component via the network.

Proceedings ArticleDOI
15 Oct 2007
TL;DR: A subnetwork key management strategy in which the heterogeneous security requirements of a wireless sensor network are considered to provide differing levels of security with minimum communication overhead, which reduces delay by 50% and energy consumption by 70% over the existing dynamic group key management (DGKM) scheme.
Abstract: In this paper, we propose a subnetwork key management strategy in which the heterogeneous security requirements of a wireless sensor network are considered to provide differing levels of security with minimum communication overhead. Additionally, it allows the dynamic creation of high security subnetworks within the wireless sensor network and provides subnetworks with a mechanism for dynamically creating a secure key using a novel and dynamic group key management protocol. The proposed energy-efficient protocol utilizes a combination of pre-deployed group keys and initial trustworthiness of nodes to create a level of trust between neighbors in the network. This trust is later used to allow secure communication between neighbors when creating a dynamic, high security subnetwork within the sensor network. Results of simulations of the protocol in Ns2 are presented and the complexity of the protocol is analyzed. The proposed protocol reduces delay by 50% and energy consumption by 70% over the existing dynamic group key management (DGKM) scheme.

Journal ArticleDOI
TL;DR: This paper formally defines the security model for the non-interactive ID-based deniable authentication protocol and presents a new efficient ID- based deniability authentication protocol based on RSA assumption and uses the techniques from provable security to analyze the security of the proposed protocol.
Abstract: Deniable authenticated protocol is a new cryptographic authentication protocol that enables a designated receiver to identify the source of a given message without being able to prove the identity of the sender to a third party. Therefore, it can be applied to some particular situations in electronic commerce. In this paper, we formally define the security model for the non-interactive ID-based deniable authentication protocol and present a new efficient ID-based deniable authentication protocol based on RSA assumption. What's more, we also use the techniques from provable security to analyze the security of our proposed protocol.

Proceedings ArticleDOI
29 Aug 2007
TL;DR: This paper presents a secure authenticated key agreement (EC-SAKA) protocol based on elliptic curve cryptography that provides secure mutual authentication, key establishment and key confirmation over an untrusted network and offers significantly improved performance in computational and communication load over comparably many authenticatedkey agreement protocols.
Abstract: To provide secure communication for mobile devices, authenticated key agreement protocol is an important primitive for establishing session key. So far, several protocols have been proposed to provide robust mutual authentication and key establishment for wireless local area network (WLAN). In this paper we present a secure authenticated key agreement (EC-SAKA) protocol based on elliptic curve cryptography. Our proposed protocol provides secure mutual authentication, key establishment and key confirmation over an untrusted network. The new protocol achieves many of the required security and performance properties. It can resist dictionary attacks mounted by either passive or active networks intruders. It can resist man-in-the middle attack. It also offers perfect forward secrecy which protects past sessions and passwords against future compromise. In addition, it can resist known-key and resilience to server attack. Our proposed protocol uses the signature techniques of ECDSA and the authentication protocol SKA concept. We show that our protocol meets the above security attributes under the assumption that the elliptic curve discrete logarithm problem is secure. Our proposed protocol offers significantly improved performance in computational and communication load over comparably many authenticated key agreement protocols such as B-SPEKE, SRP, AMP, PAK-RY, PAK-X, SKA, LR-AKE and EC-SRP.

Proceedings ArticleDOI
26 Apr 2007
TL;DR: The proposed protocol achieves faster re-authentication by locally performing the authentication procedure, and a new keying framework is introduced to minimize authentication delays during re-authentication and handover operations.
Abstract: Many advantages are attained by integrating 3G and WLAN systems to form a 3G-WLAN interworking architecture. However, securing the architecture is a great challenge because of the number of vulnerabilities introduced. EAP-AKA is the authentication solution adopted by the 3GPP to secure access to 3G-WLAN architectures. Two types of EAP-AKA authentication are available: full authentication and fast re-authentication. This paper presents a localized fast re-authentication protocol to substitute for the standard fast re-authentication protocol. The proposed protocol achieves faster re-authentication by locally performing the authentication procedure. A new keying framework is introduced to minimize authentication delays during re-authentication and handover operations.

Patent
08 May 2007
TL;DR: In this article, a protocol is provided for communicating data between two applications by associating an extensible markup language (XML) document with a data envelope and sending the data envelope to a disparate application.
Abstract: A protocol is provided for communicating data between two applications. The protocol can support communication of an extensible markup language (XML) document over hypertext transfer protocol (HTTP) by associating the XML document with a data envelope and sending the data envelope to a disparate application. The data envelope can comprise a header, which can specify supported compression methods, encryption keys, and/or data specific to the disparate application and/or the sending application. The protocol adds a layer of security to the communication and can prevent malicious requests and other attacks. This protocol can also be used in conjunction with a health integration network.

Book ChapterDOI
24 Sep 2007
TL;DR: New versions of the two authentication tests from earlier strand space papers are obtained, and it is proved that the new versions are complete: any collection of behaviors that satisfies those two authentication tests, when combined with some feasible adversary behavior, yields a possible execution.
Abstract: Protocol participants manipulate values, transforming the cryptographic contexts in which they occur. The rules of the protocol determine which transformations are permitted. We formalize these transformations, obtaining new versions of the two authentication tests from earlier strand space papers. We prove that the new versions are complete, in this sense: any collection of behaviors that satisfies those two authentication tests, when combined with some feasible adversary behavior, yields a possible execution. We illustrate the strengthened authentication tests with brief analyses of three protocols.

Book ChapterDOI
26 Aug 2007
TL;DR: Chou et al., as discussed by the authors, proposed an ID-based deniable authentication protocol after proving the vulnerability to Key-Compromise Impersonation (KCI) attack in Cao et al.'s protocol. In addition, they claimed that their protocol is not only secure but also able to achieve both authenticity and deniability properties.
Abstract: Deniability is defined as a privacy property which enables protocol principals to deny their involvement after they have taken part in a particular protocol run. Lately, Chou et al. proposed their ID-based deniable authentication protocol after proving the vulnerability to Key-Compromise Impersonation (KCI) attack in Cao et al.'s protocol. In addition, they claimed that their protocol is not only secure, but also able to achieve both authenticity and deniability properties. However, in this paper, we demonstrate that Chou et al.'s protocol is not flawless, as it remains insecure due to its susceptibility to the KCI attack. Based on this, we propose an enhanced scheme which in fact preserves the authenticity, the deniability and the resistance against the KCI attack.

Book ChapterDOI
TL;DR: A reduction semantics for the LYSA calculus extended with session information, for modelling cryptographic protocols, and a static analysis for it, which shows that the analysis is able to capture potential replay attacks.
Abstract: We present a reduction semantics for the LYSA calculus extended with session information, for modelling cryptographic protocols, and a static analysis for it. If a protocol passes the analysis then it is free of replay attacks and thus preserves freshness. The analysis has been implemented and applied to a number of protocols, including both the original and corrected versions of the Needham-Schroeder protocol. The experimental results show that the analysis is able to capture potential replay attacks.

Book ChapterDOI
22 May 2007
TL;DR: Choi et al., as mentioned in this paper, proposed an efficient RFID authentication protocol for a ubiquitous computing environment, OHLCAP (One-Way Hash based Low-Cost Authentication Protocol); this paper reveals that the protocol has several security weaknesses.
Abstract: Choi et al. recently proposed an efficient RFID authentication protocol for a ubiquitous computing environment, OHLCAP (One-Way Hash based Low-Cost Authentication Protocol). However, this paper reveals that the protocol has several security weaknesses: 1) traceability based on the leakage of counter information, 2) vulnerability to an impersonation attack by maliciously updating a random number, and 3) traceability based on a physically-attacked tag. Finally, a security-enhanced group-based authentication protocol is presented.

Journal ArticleDOI
TL;DR: Based on the order rearrangement of a single photon sequence, a multiparty controlled quantum secure direct communication protocol is presented that can be applied to some special scenarios.
Abstract: Based on the order rearrangement of a single photon sequence, we present a multiparty controlled quantum secure direct communication protocol. The present protocol can be applied to some special scenarios. In the protocol, the sender's secret message can only be recovered by the receiver under the permission of all the controllers. The security of the protocol is ensured by the quantum no-cloning theorem and the secret transmitting order of the single photon sequence. Moreover, all photons are used to encode the secret message except those chosen for the eavesdropping check, and it is unnecessary for the protocol to use entanglement. Our protocol is efficient and practicable.

Proceedings ArticleDOI
08 Oct 2007
TL;DR: This approach is secure and practical as it can satisfy the security requirements of the third generation mobile communication systems based on hybrid asymmetric and symmetric cryptosystem, and can save up to 20% of the authentication traffic delay time.
Abstract: Most current authentication schemes for mobile systems have some weaknesses, such as leakage of UE identities and high update overhead of temporary identities. This paper proposes a secure authentication mechanism for mobile communication systems that satisfies the security requirements of the third generation mobile systems. In this proposed protocol, the number of messages between authentication entities of the network is reduced to four messages instead of five in the initial authentication procedure. The subsequent authentication procedure only contains two message exchanges. Therefore, the bottleneck at the authentication center is avoided by reducing the number of messages between mobile and authentication center. The authentication time delay, call setup time and signaling traffic are minimized. Also, this proposed protocol is designed to be secure against network attacks, such as replay attacks, guessing attacks and other attacks. Consequently, this approach is secure and practical as it can satisfy the security requirements of the third generation mobile communication systems based on a hybrid asymmetric and symmetric cryptosystem, and can save up to 20% of the authentication traffic delay time.