Robustness Principles for Public Key Protocols

  • Ross Anderson
  • Roger Needham
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 963)


We present a number of attacks, some new, on public key protocols. We also advance a number of principles which may help designers avoid many of the pitfalls, and help attackers spot errors which can be exploited.





Copyright information

© Springer-Verlag Berlin Heidelberg 1995

Authors and Affiliations

  • Ross Anderson (1)
  • Roger Needham (1)
  1. Cambridge University Computer Laboratory, Cambridge, England
