Abstract
Automated tools for finding attacks on flawed security protocols often fail to deal adequately with group protocols. The reason is that the abstractions made to improve performance on fixed two- or three-party protocols either preclude the modeling of group protocols altogether or permit modeling only in a fixed scenario, which can prevent attacks from being discovered. This paper describes Coral, a tool for finding counterexamples to incorrect inductive conjectures, which we have used to model protocols for both group key agreement and group key management, without any restrictions on the scenario. We show how we used Coral to discover six previously unknown attacks on three group protocols.
Cite this article
Steel, G., Bundy, A. Attacking Group Protocols by Refuting Incorrect Inductive Conjectures. J Autom Reasoning 36, 149–176 (2006). https://doi.org/10.1007/s10817-005-9016-8