Lack of Explicitness Strikes Back

  • Giampaolo Bella
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2133)


Provable security [4] is a study of confidentiality within a complexity-theoretic framework. We argue that its findings are highly abstract. Our argument is supported by the mechanised inductive analysis of a protocol based on smart cards that was shown to enjoy provable security and then implemented. It appears that the protocol grants no reasonable guarantees of session key confidentiality to its peers in the realistic setting where an intruder can exploit other agents’ cards. Indeed, the formal argument on confidentiality requires assumptions that no peer can verify in practice. We discover and prove that the lack of explicitness of two protocol messages is the sole cause of the protocol weaknesses. Our argument requires significant extensions to the Inductive Approach [9] in order to allow for smart cards.


Keywords: Smart Card, Security Protocol, Inductive Approach, Protocol Message, Provable Security




References

  1. M. Abadi and R. M. Needham. Prudent engineering practice for cryptographic protocols. Research Report 67, Digital-Systems Research Center, 1990.
  2. G. Bella. Modelling agents’ knowledge inductively. In International Workshop on Security Protocols, volume 1796 of Lecture Notes in Computer Science. Springer-Verlag, 1999. In press.
  3. G. Bella. Inductive verification of smart card protocols. Submitted to Journal of Computer Security, 2000.
  4. M. Bellare and P. Rogaway. Provably secure session key distribution — the three party case. In Proceedings of the 27th ACM SIGACT Symposium on Theory of Computing (STOC’95), pages 57–66. ACM Press, 1995.
  5. R. Jerdonek, P. Honeyman, K. Coffman, J. Rees, and K. Wheeler. Implementation of a provably secure, smartcard-based key distribution protocol. In J.-J. Quisquater and B. Schneier, editors, Smart Card Research and Advanced Application Conference (CARDIS’98), 1998.
  6. O. Kömmerling and M. G. Kuhn. Design principles for tamper-resistant smartcard processors. In Proceedings of USENIX Workshop on Smartcard Technology, 1999.
  7. T. Leighton and S. Micali. Secret-key agreement without public-key cryptography. In D. R. Stinson, editor, Proceedings of Advances in Cryptography — CRYPTO’93, volume 773 of Lecture Notes in Computer Science, pages 456–479. Springer-Verlag, 1993.
  8. G. Lowe. An attack on the Needham-Schroeder public-key authentication protocol. Information Processing Letters, 56(3):131–133, 1995.
  9. L. C. Paulson. The inductive approach to verifying cryptographic protocols. Journal of Computer Security, 6:85–128, 1998.
  10. V. Shoup and A. Rubin. Session key distribution using smart cards. In U. Maurer, editor, Advances in Cryptology — Eurocrypt’96, volume 1070 of Lecture Notes in Computer Science, pages 321–331. Springer-Verlag, 1996.

Copyright information

© Springer-Verlag Berlin Heidelberg 2001

Authors and Affiliations

  • Giampaolo Bella, Computer Laboratory, University of Cambridge, Cambridge, UK
