
Provably Repairing the ISO/IEC 9798 Standard for Entity Authentication

  • David Basin
  • Cas Cremers
  • Simon Meier
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7215)

Abstract

We formally analyze the family of entity authentication protocols defined by the ISO/IEC 9798 standard and find numerous weaknesses, both old and new, including some that violate even the most basic authentication guarantees. We analyze the cause of these weaknesses, propose repaired versions of the protocols, and provide automated, machine-checked proofs of the correctness of the resulting protocols. From an engineering perspective, we propose two design principles for security protocols that suffice to prevent all the weaknesses. Moreover, we show how modern verification tools can be used for falsification and certified verification of security standards. The relevance of our findings and recommendations has been acknowledged by the responsible ISO working group, and an updated version of the standard will be released.
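The abstract does not spell out the weaknesses or the two design principles. The following added example (written for this page, not code from the paper or from the standard) illustrates the general class of problem and repair on a constructed three-pass symmetric-key challenge-response: when the tokens a party emits in two different message positions have the same structure, a token obtained in one session can be replayed into another session in a different position, so the responder authenticates a peer that holds no key at all. Binding a unique per-message tag (protocol and message position), both nonces and both identities inside the cryptographic check function makes each token usable only where it was produced. The field layout, the tag strings `toy-9798/msg2` and `toy-9798/msg3`, the identities and the shared key are all assumptions of this illustration and are not the mechanism text of ISO/IEC 9798-4.

```python
"""Added illustration: reflecting a symmetric-key authentication token between
message positions, and the repair by positional tagging plus identities.

Constructed toy exchange, not the mechanism text of ISO/IEC 9798-4; the tag
strings, identities and field layout are assumptions of this example.
"""
import hashlib
import hmac
import os

# Assumption: one long-term key shared by A and B and used in both directions.
K_AB = b"constructed-shared-key-for-A-and-B"
ID_A, ID_B = b"A", b"B"


def mac(key: bytes, *fields: bytes) -> bytes:
    """Cryptographic check function over length-prefixed fields, so that the
    concatenation cannot be parsed in more than one way."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()


class Responder:
    """B in:  1. A->B: R_A    2. B->A: R_B, tok2    3. A->B: tok3."""

    def __init__(self, key: bytes, tagged: bool):
        self.key, self.tagged = key, tagged
        self.sessions = {}  # session id -> (R_A, R_B)

    def msg2(self, sid: str, r_a: bytes):
        r_b = os.urandom(16)
        self.sessions[sid] = (r_a, r_b)
        if self.tagged:
            # Repaired: unique tag per message position, both nonces, both identities.
            tok2 = mac(self.key, b"toy-9798/msg2", r_a, r_b, ID_A, ID_B)
        else:
            # Weak: tok2 and tok3 are MACs of identical shape over a single nonce.
            tok2 = mac(self.key, r_a)
        return r_b, tok2

    def accept(self, sid: str, tok3: bytes) -> bool:
        r_a, r_b = self.sessions.pop(sid)
        if self.tagged:
            expected = mac(self.key, b"toy-9798/msg3", r_b, r_a, ID_A, ID_B)
        else:
            expected = mac(self.key, r_b)
        return hmac.compare_digest(expected, tok3)


def honest_run(responder: Responder, key: bytes) -> bool:
    """A genuine initiator A holding the key; both variants must accept it."""
    r_a = os.urandom(16)
    r_b, tok2 = responder.msg2("honest", r_a)
    if responder.tagged:
        expected2 = mac(key, b"toy-9798/msg2", r_a, r_b, ID_A, ID_B)
        tok3 = mac(key, b"toy-9798/msg3", r_b, r_a, ID_A, ID_B)
    else:
        expected2 = mac(key, r_a)
        tok3 = mac(key, r_b)
    if not hmac.compare_digest(expected2, tok2):
        return False
    return responder.accept("honest", tok3)


def reflection_attack(responder: Responder) -> bool:
    """Mallory holds no key. She opens two sessions with B and feeds B's own
    message-2 token from the second session back as message 3 of the first.
    Returns True if B wrongly authenticates the peer as A."""
    r_m = os.urandom(16)
    r_b1, _ = responder.msg2("s1", r_m)        # B now expects tok3 over r_b1
    _, tok2_s2 = responder.msg2("s2", r_b1)    # B MACs r_b1 for Mallory as a challenge
    return responder.accept("s1", tok2_s2)


if __name__ == "__main__":
    for tagged in (False, True):
        print(f"tagged={tagged}: honest accepted={honest_run(Responder(K_AB, tagged), K_AB)}, "
              f"reflection accepted={reflection_attack(Responder(K_AB, tagged))}")
```

In the weak variant the responder is effectively a MAC oracle for whatever nonce it is sent, and its message-2 output is exactly the message-3 proof it later demands. In the tagged variant the two positions can never collide, whatever the nonce and identity fields happen to contain, which is the property a machine-checked proof of the repaired protocol can rely on.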

Keywords

Security Property, Trusted Third Party, Cryptographic Protocol, Entity Authentication, Security Technique


Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • David Basin (1)
  • Cas Cremers (1)
  • Simon Meier (1)
  1. Institute of Information Security, ETH Zurich, Switzerland
