Abstract
Security protocols are essential for establishing trust in electronic transactions over open networks. The languages and logics currently used for protocol specification neither help nor force the designer to make explicit the goals, the intentional assumptions or the preceding history across interactions among the stakeholders. This has resulted in gaps in specifications, which in turn have led to problems such as: (i) inefficient/non-optimal protocol designs, (ii) incompatible theoretical attacks discovered by analyzers due to different threat models and (iii) faulty or insecure implementations due to insufficient guidelines for the implementer. We have recently developed the readers-writers flow model (RWFM), which has several benefits, including simple and intuitive labels. In this paper, we demonstrate that the problem of incomplete protocol specifications can be overcome by enriching the specifications with labels from RWFM, which make explicit the assumptions and goals at each stage of the protocol. In particular, we use readers and writers as labels for data objects and roles to track information flows in a protocol; this makes explicit the construction of new messages from components of previous messages and also the knowledge of roles at various stages. We illustrate our approach and demonstrate its advantages in comparison to prominent specification languages in the literature by using the example of the Needham-Schroeder public key protocol. Further, we argue that the proposed approach leads to a robust specification language for protocols, including security/cryptographic protocols, that shall be of immense aid to the designer, user and implementer of protocols.
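As an added illustration of the idea in the abstract (not code from the paper), the sketch below attaches readers/writers labels to the nonces of a Needham-Schroeder public key run and flags every send whose recipient is not among a component's readers. The label ordering, the helper names and the message trace are assumptions constructed for this example; the abstract does not spell them out.

```python
from dataclasses import dataclass
from functools import reduce

@dataclass(frozen=True)
class Label:
    readers: frozenset  # principals allowed to learn the value
    writers: frozenset  # principals that influenced the value

def L(readers, writers):
    # Principals are single letters, so "AB" means {A, B}.
    return Label(frozenset(readers), frozenset(writers))

def can_flow(src, dst):
    # Assumed ordering: readers may only shrink, writers may only grow.
    return src.readers >= dst.readers and src.writers <= dst.writers

def join(a, b):
    # Label of a value built from two labelled components.
    return Label(a.readers & b.readers, a.writers | b.writers)

def message_label(parts, labels):
    # Label of a message constructed from components of earlier messages.
    return reduce(join, (labels[p] for p in parts))

def check_trace(trace, labels):
    # A send encrypted for `recipient` leaks every component whose
    # readers do not include that recipient.
    return [(step, sender, recipient, name)
            for step, sender, recipient, parts in trace
            for name in parts
            if recipient not in labels[name].readers]

# Constructed labels: each nonce is labelled by its creator for the peer
# the creator believes it is talking to.
LABELS = {
    "Na": L("AI", "A"),   # A created Na for its session with I
    "Nb": L("AB", "B"),   # B created Nb for a session it believes is with A
    "A":  L("ABI", "A"),  # A's identity is public
}
# Constructed trace: (step, sender, key owner the message is encrypted for, parts)
TRACE = [
    (1, "A", "I", ["Na", "A"]),
    (2, "I", "B", ["Na", "A"]),   # Na reaches a principal outside its readers
    (3, "B", "A", ["Na", "Nb"]),
    (4, "A", "I", ["Nb"]),        # A answers the peer it believes sent step 3
]

if __name__ == "__main__":
    for v in check_trace(TRACE, LABELS):
        print("label violation at step %d: %s -> %s leaks %s" % v)
```

The violation at step 4 is committed by an honest role, because message 3 carries no indication of who may read Nb; stating the label in the specification is what lets A detect the mismatch before replying.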
N.V. Narendra Kumar—The work was carried out with support from ISRDC (Information Security Research and Development Center), a project sponsored by MeitY, GoI.
© 2017 Springer International Publishing AG
Cite this paper
Narendra Kumar, N.V., Shyamasundar, R.K. (2017). Analyzing Protocol Security Through Information-Flow Control. In: Krishnan, P., Radha Krishna, P., Parida, L. (eds) Distributed Computing and Internet Technology. ICDCIT 2017. Lecture Notes in Computer Science(), vol 10109. Springer, Cham. https://doi.org/10.1007/978-3-319-50472-8_13
DOI: https://doi.org/10.1007/978-3-319-50472-8_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-50471-1
Online ISBN: 978-3-319-50472-8
eBook Packages: Computer Science, Computer Science (R0)