A Calculus to Detect Guessing Attacks
We present a calculus for detecting guessing attacks, based on oracles that instantiate cryptographic functions. Adversaries can observe oracles, or control them either on-line or off-line. These relations can be established by protocol analysis in the presence of a Dolev-Yao intruder, and the derived guessing rules can be used together with standard intruder deductions. Our rules also handle partial verifiers that fit more than one secret. We show how to derive a known weakness in the Anderson-Lomas protocol, and new vulnerabilities for a known faulty ATM system.
Unable to display preview. Download preview PDF.
- 3.Corin, R., Malladi, S., Alves-Foss, J., Etalle, S.: Guess what? Here is a new tool that finds some new guessing attacks. In: Proc. Workshop on Issues in the Theory of Security, pp. 62–71 (2003)Google Scholar
- 4.Delaune, S., Jacquemard, F.: A theory of dictionary attacks and its complexity. In: Proc. 17th IEEE Computer Security Foundations Workshop, pp. 2–15 (2004)Google Scholar
- 6.Corin, R., Doumen, J.M., Etalle, S.: Analysing password protocol security against off-line dictionary attacks. In: Proc. 2nd Int’l. Workshop on Security Issues with Petri Nets and other Computational Models (WISP), pp. 47–63 (2004)Google Scholar
- 8.Baudet, M.: Deciding security of protocols against off-line guessing attacks. In: Proc. 12th ACM Conf. on Computer and Communications Security, pp. 16–25 (2005)Google Scholar
- 9.Blanchet, B.: An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In: 14th IEEE Computer Security Foundations Workshop, pp. 82–96 (2001)Google Scholar