
Security Goals and Evolving Standards

  • Conference paper
Security Standardisation Research (SSR 2014)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8893)

Abstract

With security standards, as with software, we cannot expect to eliminate all security flaws prior to publication. Protocol standards are often updated because flaws are discovered after deployment. The constraints of the deployments, and variety of independent stakeholders, mean that different ways to mitigate a flaw may be proposed and debated.

In this paper, we propose a criterion for one mitigation to be at least as good as another from the point of view of security. This criterion is supported by rigorous protocol analysis tools. We also show that the same idea is applicable even when some approaches to mitigating the flaw require cooperation between the protocol and its application-level caller.



Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Guttman, J.D., Liskov, M.D., Rowe, P.D. (2014). Security Goals and Evolving Standards. In: Chen, L., Mitchell, C. (eds) Security Standardisation Research. SSR 2014. Lecture Notes in Computer Science, vol 8893. Springer, Cham. https://doi.org/10.1007/978-3-319-14054-4_7


  • DOI: https://doi.org/10.1007/978-3-319-14054-4_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-14053-7

  • Online ISBN: 978-3-319-14054-4

  • eBook Packages: Computer Science, Computer Science (R0)
