Skip to main content

Is Cryptyc Able to Detect Insider Attacks?

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 7140)

Abstract

The use of type checking for analyzing security protocols has been recognized for several years. A state-of-the-art type checker based on such an idea is Cryptyc. It has been proven that if an authentication protocol is well-typed in Cryptyc, it provides authenticity in any environment containing external adversaries. The type system implemented by Cryptyc, however, is such that one may hope to be able to detect insider attacks as well. The lack of any report of a well-typed protocol being vulnerable to insider attacks has strengthened such a conjecture. This has been an open question from the last version of Cryptyc. In this paper, we show that the answer to this question is “No”. More precisely, we first introduce a public-key authentication protocol which is vulnerable to a man-in-the-middle attack mounted by a legitimate principal. Then, it is shown that this protocol is typable in Cryptyc. We also make slight changes in Cryptyc so that it can trap the protocols being vulnerable to this kind of insider attacks. The new type system is sound.

Keywords

  • Authentication protocols
  • insider attacks
  • language-based security
  • type-based analysis

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (Canada)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   54.99
Price excludes VAT (Canada)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   69.99
Price excludes VAT (Canada)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Abadi, M.: Secrecy by typing in security protocols. Journal of the ACM (JACM) 46(5), 749–786 (1999)

    CrossRef  MathSciNet  MATH  Google Scholar 

  2. Abadi, M., Gordon, A.D.: A calculus for cryptographic protocols: the spi calculus. Information and Computation 148(1), 1–70 (1999)

    CrossRef  MathSciNet  MATH  Google Scholar 

  3. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2), 198–208 (1983)

    CrossRef  MathSciNet  MATH  Google Scholar 

  4. Focardi, R., Maffei, M.: Types for security protocols. In: Cortier, V., Kremer, S. (eds.) Formal Models and Techniques for Analyzing Security Protocols. Cryptology and Information Security Series, vol. 5, ch. 7, pp. 143–181. IOS Press (2011)

    Google Scholar 

  5. Gordon, A.D., Haack, C., Jeffrey, A.: Cryptyc: Cryptographic protocol type checker, http://www.cryptyc.org/

  6. Gordon, A.D., Jeffrey, A.: Authenticity by typing for security protocols. Journal of Computer Security 11(4), 451–519 (2003)

    Google Scholar 

  7. Gordon, A.D., Jeffrey, A.: Typing One-to-One and One-to-Many Correspondences in Security Protocols. In: Okada, M., Babu, C. S., Scedrov, A., Tokuda, H. (eds.) ISSS 2002. LNCS, vol. 2609, pp. 263–282. Springer, Heidelberg (2003)

    CrossRef  Google Scholar 

  8. Gordon, A.D., Jeffrey, A.: Types and effects for asymmetric cryptographic protocols. Journal of Computer Security 12(3), 435–483 (2004)

    Google Scholar 

  9. Haack, C., Jeffrey, A.: Pattern-matching spi-calculus. Information and Computation 204(8), 1195–1263 (2006)

    CrossRef  MathSciNet  MATH  Google Scholar 

  10. Heather, J., Lowe, G., Schneider, S.: How to prevent type flaw attacks on security protocols. Journal of Computer Security 11(2), 217–244 (2003)

    Google Scholar 

  11. Lowe, G.: An attack on the Needham-Schroeder public-key authentication protocol. Information Processing Letters 56(3), 131–133 (1995)

    CrossRef  MATH  Google Scholar 

  12. Lowe, G.: Breaking and Fixing the Needham-Schroeder Public-Key Protocol using FDR. In: Margaria, T., Steffen, B. (eds.) TACAS 1996. LNCS, vol. 1055, pp. 147–166. Springer, Heidelberg (1996)

    CrossRef  Google Scholar 

  13. Lowe, G.: A hierarchy of authentication specifications. In: Proceedings of the 10th IEEE Computer Security Foundations Workshop (CSFW 1997), pp. 31–43. IEEE Computer Society (1997)

    Google Scholar 

  14. Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Communications of the ACM 21(12), 993–999 (1978)

    CrossRef  MATH  Google Scholar 

  15. Sattarzadeh, B., Fallah, M.S.: Cryptyc + , http://ceit.aut.ac.ir/formalsecurity/tasp/

  16. Woo, T.Y.C., Lam, S.S.: A semantic model for authentication protocols. In: Proceedings of the 1993 IEEE Computer Society Symposium on Research in Security and Privacy, pp. 178–194. IEEE Computer Society (1993)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sattarzadeh, B., Fallah, M.S. (2012). Is Cryptyc Able to Detect Insider Attacks?. In: Barthe, G., Datta, A., Etalle, S. (eds) Formal Aspects of Security and Trust. FAST 2011. Lecture Notes in Computer Science, vol 7140. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29420-4_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-29420-4_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29419-8

  • Online ISBN: 978-3-642-29420-4

  • eBook Packages: Computer ScienceComputer Science (R0)