Is Cryptyc Able to Detect Insider Attacks?
The use of type checking for analyzing security protocols has been recognized for several years. A state-of-the-art type checker based on such an idea is Cryptyc. It has been proven that if an authentication protocol is well-typed in Cryptyc, it provides authenticity in any environment containing external adversaries. The type system implemented by Cryptyc, however, is such that one may hope to be able to detect insider attacks as well. The lack of any report of a well-typed protocol being vulnerable to insider attacks has strengthened such a conjecture. This has been an open question from the last version of Cryptyc. In this paper, we show that the answer to this question is “No”. More precisely, we first introduce a public-key authentication protocol which is vulnerable to a man-in-the-middle attack mounted by a legitimate principal. Then, it is shown that this protocol is typable in Cryptyc. We also make slight changes in Cryptyc so that it can trap the protocols being vulnerable to this kind of insider attacks. The new type system is sound.
KeywordsAuthentication protocols insider attacks language-based security type-based analysis
Unable to display preview. Download preview PDF.
- 4.Focardi, R., Maffei, M.: Types for security protocols. In: Cortier, V., Kremer, S. (eds.) Formal Models and Techniques for Analyzing Security Protocols. Cryptology and Information Security Series, vol. 5, ch. 7, pp. 143–181. IOS Press (2011)Google Scholar
- 5.Gordon, A.D., Haack, C., Jeffrey, A.: Cryptyc: Cryptographic protocol type checker, http://www.cryptyc.org/
- 6.Gordon, A.D., Jeffrey, A.: Authenticity by typing for security protocols. Journal of Computer Security 11(4), 451–519 (2003)Google Scholar
- 8.Gordon, A.D., Jeffrey, A.: Types and effects for asymmetric cryptographic protocols. Journal of Computer Security 12(3), 435–483 (2004)Google Scholar
- 10.Heather, J., Lowe, G., Schneider, S.: How to prevent type flaw attacks on security protocols. Journal of Computer Security 11(2), 217–244 (2003)Google Scholar
- 13.Lowe, G.: A hierarchy of authentication specifications. In: Proceedings of the 10th IEEE Computer Security Foundations Workshop (CSFW 1997), pp. 31–43. IEEE Computer Society (1997)Google Scholar
- 15.Sattarzadeh, B., Fallah, M.S.: Cryptyc + , http://ceit.aut.ac.ir/formalsecurity/tasp/
- 16.Woo, T.Y.C., Lam, S.S.: A semantic model for authentication protocols. In: Proceedings of the 1993 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 178–194. IEEE Computer Society (1993)Google Scholar