Lack of Explicitness Strikes Back
Provable security is a study of confidentiality within a complexity-theoretic framework. We argue that its findings are highly abstract. Our argument is supported by the mechanised inductive analysis of a protocol based on smart cards that was shown to enjoy provable security and then implemented. It appears that the protocol grants no reasonable guarantees of session key confidentiality to its peers in the realistic setting where an intruder can exploit other agents’ cards. Indeed, the formal argument on confidentiality requires assumptions that no peer can verify in practice. We discover and prove that the lack of explicitness of two protocol messages is the sole cause of the protocol weaknesses. Our argument requires significant extensions to the Inductive Approach in order to allow for smart cards.
Keywords: Smart Card, Security Protocol, Inductive Approach, Protocol Message, Provable Security