Automatic Detection of Attacks on Cryptographic Protocols: A Case Study

  • Ivan Cibrario B.
  • Luca Durante
  • Riccardo Sisto
  • Adriano Valenzano
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3548)


Recently, a new verification tool for cryptographic protocols called S3A (Spi Calculus Specifications Symbolic Analyzer) has been developed, which is based on exhaustive state space exploration and symbolic data representation, and overcomes most of the limitations of previously available tools.

In this paper we present some insights on the ability of S3A to detect complex type flaw attacks, using a weakened version of the well-known Yahalom authentication protocol as a case study. The nature of the attack found by S3A makes it very difficult to spot by hand, thus showing the usefulness of analysis tools of this kind in real-world protocol analysis.







Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Ivan Cibrario B. (1)
  • Luca Durante (1)
  • Riccardo Sisto (2)
  • Adriano Valenzano (1)

  1. IEIIT – CNR
  2. Dipartimento di Automatica e Informatica, Politecnico di Torino, Torino, Italy
