Security Goals and Evolving Standards
With security standards, as with software, we cannot expect to eliminate all security flaws prior to publication. Protocol standards are often updated because flaws are discovered after deployment. The constraints of the deployments, and variety of independent stakeholders, mean that different ways to mitigate a flaw may be proposed and debated.
In this paper, we propose a criterion for one mitigation to be at least as good as another from the point of view of security. This criterion is supported by rigorous protocol analysis tools. We also show that the same idea is applicable even when some approaches to mitigating the flaw require cooperation between the protocol and its application-level caller.
Unable to display preview. Download preview PDF.
- 1.Basin, D.A., Cremers, C., Meier, S.: Provably repairing the ISO/IEC 9798 standard for entity authentication. Journal of Computer Security 21(6), 817–846 (2013)Google Scholar
- 2.Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.-Y.: Triple handshakes and cookie cutters: Breaking and fixing authentication over TLS. In: IEEE Symposium on Security and Privacy (2014)Google Scholar
- 5.Cremers, C., Mauw, S.: Operational Semantics and Verification of Security Protocols. Springer (2012)Google Scholar
- 7.Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard), Updated by RFCs 5746, 5878, 6176 (August 2008)Google Scholar
- 8.Dougherty, D.J., Guttman, J.D.: Decidability for lightweight Diffie-Hellman protocols. In: IEEE Symposium on Computer Security Foundations (2014)Google Scholar
- 9.Durgin, N., Lincoln, P., Mitchell, J., Scedrov, A.: Multiset rewriting and the complexity of bounded security protocols. Journal of Computer Security 12(2), 247–311 (1999), Initial version appeared Workshop on Formal Methods and Security Protocols (1999)Google Scholar
- 10.Guttman, J.D.: Shapes: Surveying crypto protocol runs. In: Cortier, V., Kremer, S. (eds.) Formal Models and Techniques for Analyzing Security Protocols. Cryptology and Information Security Series. IOS Press (2011)Google Scholar
- 11.Guttman, J.D.: Establishing and preserving protocol security goals. Journal of Computer Security 22(2), 201–267 (2014)Google Scholar
- 12.Lowe, G.: A hierarchy of authentication specification. In: CSFW, pp. 31–44 (1997)Google Scholar
- 14.Meadows, C.: Analysis of the Internet Key Exchange Protocol using the NRL Protocol Analyzer. In: IEEE Symposium on Security and Privacy, pp. 216–231 (1999)Google Scholar
- 17.Neuman, C., Yu, T., Hartman, S., Raeburn, K.: The Kerberos Network Authentication Service (V5). RFC 4120 (Proposed Standard), Updated by RFCs 4537, 5021, 5896, 6111, 6112, 6113, 6649, 6806 (July 2005)Google Scholar
- 18.Ramsdell, J.D., Guttman, J.D.: CPSA: A cryptographic protocol shapes analyzer (2009), http://hackage.haskell.org/package/cpsa
- 19.Rescorla, E., Ray, M., Dispensa, S., Oskov, N.: Transport Layer Security (TLS) Renegotiation Indication Extension. RFC 5746 (Proposed Standard) (February 2010)Google Scholar
- 20.Song, D.X.: Athena: A new efficient automated checker for security protocol analysis. In: Proceedings of the 12th IEEE Computer Security Foundations Workshop. IEEE CS Press (June 1999)Google Scholar
- 21.Thayer, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: Proving security protocols correct. Journal of Computer Security 7(2/3), 191–230 (1999)Google Scholar
- 22.Zhu, L., Tung, B.: Public Key Cryptography for Initial Authentication in Kerberos (PKINIT). RFC 4556 (Proposed Standard), Updated by RFC 6112 (June 2006)Google Scholar