Justifying a Dolev-Yao Model Under Active Attacks

  • Michael Backes
  • Birgit Pfitzmann
  • Michael Waidner

Abstract

We present the first idealized cryptographic library that can be used like the Dolev-Yao model for automated proofs of cryptographic protocols that use nested cryptographic operations, while coming with a cryptographic implementation that is provably secure under active attacks.

To illustrate the usefulness of the cryptographic library, we present a cryptographically sound security proof of the well-known Needham-Schroeder-Lowe public-key protocol for entity authentication. This protocol was previously only proved over unfounded abstractions from cryptography. We show that the protocol is secure against arbitrary active attacks if it is implemented using standard provably secure cryptographic primitives. Conducting the proof by means of the idealized cryptographic library does not require us to deal with the probabilistic aspects of cryptography, so the proof lies within the scope of current automated proof tools. Besides establishing the cryptographic security of the Needham-Schroeder-Lowe protocol, this exemplifies the potential of this cryptographic library and paves the way for the cryptographically sound verification of security protocols by automated proof tools.
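The abstract refers to the Dolev-Yao model and to the Needham-Schroeder-Lowe (NSL) public-key protocol without spelling either out. The following is an added example, not code from the paper or from the authors' cryptographic library: it models NSL messages as Dolev-Yao terms (nested public-key encryptions of pairs, nonces and names), implements the intruder's symbolic analysis closure (split pairs, decrypt only with a known private key), and checks the two properties the symbolic proof style is about, namely that the intruder cannot derive the nonces from an honest run and that the initiator's check on message 2 includes the responder's name (Lowe's fix). The term encoding, the function names and the agent names A, B and E are the example's own assumptions.

```python
"""Dolev-Yao style symbolic model of the Needham-Schroeder-Lowe protocol.

Added example; not the paper's library. Terms are immutable tuples:
  ('name', 'A')           agent name
  ('nonce', 'Na')         fresh nonce
  ('pk', 'A') / ('sk', 'A')   public / private key of agent A
  ('pair', t1, t2)        concatenation
  ('enc', ('pk', X), t)   public-key encryption of t under X's public key
The intruder is the Dolev-Yao adversary: it sees every message on the
network but can only split pairs and decrypt with private keys it holds.
"""


def name(x):
    return ('name', x)


def nonce(x):
    return ('nonce', x)


def pk(x):
    return ('pk', x)


def sk(x):
    return ('sk', x)


def pair(a, b):
    return ('pair', a, b)


def enc(key, t):
    return ('enc', key, t)


def nsl_run(a, b, na, nb):
    """The three NSL messages of an honest run as symbolic terms.
    1. A -> B: {Na, A}_pk(B)
    2. B -> A: {Na, Nb, B}_pk(A)   (Lowe's fix: B's name is included)
    3. A -> B: {Nb}_pk(B)
    """
    return [
        enc(pk(b), pair(nonce(na), name(a))),
        enc(pk(a), pair(nonce(na), pair(nonce(nb), name(b)))),
        enc(pk(b), nonce(nb)),
    ]


def intruder_closure(knowledge):
    """Smallest superset of `knowledge` closed under the Dolev-Yao analysis
    rules: components of a known pair are known, and the plaintext of a known
    ciphertext is known once the matching private key is known. Synthesis
    rules (pairing, encrypting) never produce new atoms, so this closure is
    enough to decide whether an atomic term such as a nonce is derivable."""
    known = set(knowledge)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if t[0] == 'pair':
                for sub in t[1:]:
                    if sub not in known:
                        known.add(sub)
                        changed = True
            elif t[0] == 'enc' and t[1][0] == 'pk' and sk(t[1][1]) in known:
                if t[2] not in known:
                    known.add(t[2])
                    changed = True
    return known


def intruder_learns(messages, initial_knowledge, term):
    """True if the intruder can derive `term` from its initial knowledge plus
    every message observed on the network."""
    return term in intruder_closure(set(initial_knowledge) | set(messages))


def decrypt(ciphertext, private_key):
    """Symbolic decryption: succeeds only with the matching private key."""
    if ciphertext[0] == 'enc' and private_key == sk(ciphertext[1][1]):
        return ciphertext[2]
    return None


def initiator_accepts_msg2(msg2, a, peer, na):
    """A's check on message 2: the plaintext must carry A's own nonce and the
    name of the peer A believes it is talking to. The name check is exactly
    what Lowe added to the original Needham-Schroeder protocol."""
    inner = decrypt(msg2, sk(a))
    if inner is None or inner[0] != 'pair':
        return False
    n, rest = inner[1], inner[2]
    return n == nonce(na) and rest[0] == 'pair' and rest[2] == name(peer)


# Constructed public knowledge of an intruder E: all names and public keys,
# plus E's own private key.
PUBLIC = {name('A'), name('B'), name('E'),
          pk('A'), pk('B'), pk('E'), sk('E')}

if __name__ == '__main__':
    msgs = nsl_run('A', 'B', 'Na', 'Nb')
    print('Na secret:', not intruder_learns(msgs, PUBLIC, nonce('Na')))
    print('Nb secret:', not intruder_learns(msgs, PUBLIC, nonce('Nb')))
    print('A accepts msg2 from B:', initiator_accepts_msg2(msgs[1], 'A', 'B', 'Na'))
```

The closure shows the abstraction the paper justifies: an intruder holding only public keys derives neither nonce from the three ciphertexts, whereas giving it a compromised private key (say `sk('B')`) makes both nonces derivable, which is the symbolic counterpart of the cryptographic assumption that the encryption scheme is secure against active attacks.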

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Michael Backes, IBM Zurich Research Lab
  • Birgit Pfitzmann, IBM Zurich Research Lab
  • Michael Waidner, IBM Zurich Research Lab
