Analyzing Protocol Security Through Information-Flow Control

  • Conference paper
Distributed Computing and Internet Technology (ICDCIT 2017)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 10109)

Abstract

Security protocols are essential for establishing trust in electronic transactions over open networks. Currently used languages and logics for protocol specification neither help nor force the designer to make explicit the goals, the intentional assumptions, or the preceding history across interactions among the stakeholders. This has resulted in gaps in specifications, which in turn have led to problems such as: (i) inefficient or non-optimal protocol designs, (ii) incompatible theoretical attacks discovered by analyzers due to different threat models, and (iii) faulty or insecure implementations due to insufficient guidelines for the implementer. We have recently developed the readers-writers flow model (RWFM), which has several benefits, including simple and intuitive labels. In this paper, we demonstrate that the problem of incomplete protocol specification can be overcome by enriching specifications with labels from RWFM, which make explicit the assumptions and goals at each stage of the protocol. In particular, we use readers and writers as labels for data objects and roles to track information flows in a protocol; this makes explicit both the construction of new messages from components of previous messages and the knowledge of roles at various stages. We illustrate our approach and demonstrate its advantages in comparison to prominent specification languages in the literature, using the example of the Needham-Schroeder public key protocol. Further, we argue how the proposed approach leads to a robust specification language for protocols, including security and cryptographic protocols, that shall be of immense aid to the designer, user and implementer of protocols.

N.V. Narendra Kumar—The work was carried out with support from ISRDC (Information Security Research and Development Center), a project sponsored by MeitY, GoI.

Corresponding author

Correspondence to N. V. Narendra Kumar.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Narendra Kumar, N.V., Shyamasundar, R.K. (2017). Analyzing Protocol Security Through Information-Flow Control. In: Krishnan, P., Radha Krishna, P., Parida, L. (eds) Distributed Computing and Internet Technology. ICDCIT 2017. Lecture Notes in Computer Science, vol 10109. Springer, Cham. https://doi.org/10.1007/978-3-319-50472-8_13

  • DOI: https://doi.org/10.1007/978-3-319-50472-8_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-50471-1

  • Online ISBN: 978-3-319-50472-8

  • eBook Packages: Computer Science (R0)
