Journal of Automated Reasoning, Volume 36, Issue 1–2, pp. 149–176

Attacking Group Protocols by Refuting Incorrect Inductive Conjectures

  • Graham Steel
  • Alan Bundy


Automated tools for finding attacks on flawed security protocols often fail to deal adequately with group protocols. The reason is that the abstractions made to improve performance on fixed two- or three-party protocols either preclude the modeling of group protocols altogether or permit modeling only in a fixed scenario, which can prevent attacks from being discovered. This paper describes Coral, a tool for finding counterexamples to incorrect inductive conjectures, which we have used to model protocols for both group key agreement and group key management, without any restrictions on the scenario. We show how we used Coral to discover six previously unknown attacks on three group protocols.

Key words

cryptographic security protocols, counterexamples, superposition





Copyright information

© Springer Science+Business Media, Inc. 2005

Authors and Affiliations

  1. School of Informatics, University of Edinburgh, Edinburgh, UK
