Abstract
We present the first idealized cryptographic library that can be used like the Dolev-Yao model for automated proofs of cryptographic protocols that use nested cryptographic operations, while coming with a cryptographic implementation that is provably secure under active attacks.
To illustrate the usefulness of the cryptographic library, we present a cryptographically sound security proof of the well-known Needham-Schroeder-Lowe public-key protocol for entity authentication. This protocol was previously only proved over unfounded abstractions from cryptography. We show that the protocol is secure against arbitrary active attacks if it is implemented using standard provably secure cryptographic primitives. Conducting the proof by means of the idealized cryptographic library does not require us to deal with the probabilistic aspects of cryptography, hence the proof is in the scope of current automated proof tools. Besides establishing the cryptographic security of the Needham-Schroeder-Lowe protocol, this exemplifies the potential of this cryptographic library and paves the way for the cryptographically sound verification of security protocols by automated proof tools.
Parts of this work appeared in Proc. 10th ACM Conference on Computer and Communications Security [12] and Proc. 23rd Conference on Foundations of Software Technology and Theoretical Computer Science [7].
References
Abadi, M., Jürjens, J.: Formal eavesdropping and its computational interpretation. In: Kobayashi, N., Pierce, B.C. (eds.) TACS 2001. LNCS, vol. 2215, pp. 82–94. Springer, Heidelberg (2001)
Abadi, M., Rogaway, P.: Reconciling two views of cryptography: The computational soundness of formal encryption. In: Watanabe, O., Hagiya, M., Ito, T., van Leeuwen, J., Mosses, P.D. (eds.) TCS 2000. LNCS, vol. 1872, pp. 3–22. Springer, Heidelberg (2000)
Anderson, R., Needham, R.: Robustness principles for public key protocols. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 236–247. Springer, Heidelberg (1995)
Backes, M., Jacobi, C.: Cryptographically sound and machine-assisted verification of security protocols. In: Alt, H., Habib, M. (eds.) STACS 2003. LNCS, vol. 2607, pp. 675–686. Springer, Heidelberg (2003)
Backes, M., Jacobi, C., Pfitzmann, B.: Deriving cryptographically sound implementations using composition and formally verified bisimulation. In: Eriksson, L.-H., Lindsay, P.A. (eds.) FME 2002. LNCS, vol. 2391, pp. 310–329. Springer, Heidelberg (2002)
Backes, M., Pfitzmann, B.: Computational probabilistic non-interference. In: Gollmann, D., Karjoth, G., Waidner, M. (eds.) ESORICS 2002. LNCS, vol. 2502, pp. 1–23. Springer, Heidelberg (2002)
Backes, M., Pfitzmann, B.: A cryptographically sound security proof of the Needham-Schroeder-Lowe public-key protocol. In: Pandya, P.K., Radhakrishnan, J. (eds.) FSTTCS 2003. LNCS, vol. 2914, pp. 1–12. Springer, Heidelberg (2003)
Backes, M., Pfitzmann, B.: Intransitive non-interference for cryptographic purposes. In: Proc. 24th IEEE Symposium on Security & Privacy, pp. 140–152 (2003)
Backes, M., Pfitzmann, B.: Symmetric encryption in a simulatable Dolev-Yao style cryptographic library. In: Proc. 17th IEEE Computer Security Foundations Workshop (CSFW) (2004). Full version in IACR Cryptology ePrint Archive 2004/059 (2004), http://eprint.iacr.org/
Backes, M., Pfitzmann, B.: Relating symbolic and cryptographic key secrecy. In: Proc. 26th IEEE Symposium on Security & Privacy (2005). Extended version in IACR Cryptology ePrint Archive 2004/300
Backes, M., Pfitzmann, B., Steiner, M., Waidner, M.: Polynomial fairness and liveness. In: Proc. 15th IEEE Computer Security Foundations Workshop (CSFW), pp. 160–174 (2002)
Backes, M., Pfitzmann, B., Waidner, M.: A composable cryptographic library with nested operations (extended abstract). In: Proc. 10th ACM Conference on Computer and Communications Security, pp. 220–230 (2003). Full version in IACR Cryptology ePrint Archive 2003/015 (January 2003), http://eprint.iacr.org/
Backes, M., Pfitzmann, B., Waidner, M.: Symmetric authentication within a simulatable cryptographic library. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 271–290. Springer, Heidelberg (2003)
Backes, M., Pfitzmann, B., Waidner, M.: A universally composable cryptographic library. IACR Cryptology ePrint Archive 2003/015 (January 2003), http://eprint.iacr.org/
Beaver, D.: Secure multiparty protocols and zero knowledge proof systems tolerating a faulty minority. Journal of Cryptology 4(2), 75–122 (1991)
Bella, G., Massacci, F., Paulson, L.C.: The verification of an industrial payment protocol: The SET purchase phase. In: Proc. 9th ACM Conference on Computer and Communications Security, pp. 12–20 (2002)
Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998)
Bellare, M., Kohno, T., Namprempre, C.: Authenticated encryption in SSH: Provably fixing the SSH binary packet protocol. In: Proc. 9th ACM Conference on Computer and Communications Security, pp. 1–11 (2002)
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998)
Canetti, R.: Security and composition of multiparty cryptographic protocols. Journal of Cryptology 3(1), 143–202 (2000)
Canetti, R.: A unified framework for analyzing security of protocols. IACR Cryptology ePrint Archive 2000/067 (December 2000), http://eprint.iacr.org/
Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: Proc. 42nd IEEE Symposium on Foundations of Computer Science (FOCS), pp. 136–145 (2001). Extended version in IACR Cryptology ePrint Archive 2000/067, http://eprint.iacr.org/
Canetti, R., Goldreich, O., Halevi, S.: The random oracle methodology, revisited. In: Proc. 30th Annual ACM Symposium on Theory of Computing (STOC), pp. 209–218 (1998)
Canetti, R., Herzog, J.: Universally composable symbolic analysis of cryptographic protocols (the case of encryption-based mutual authentication and key exchange). Cryptology ePrint Archive, Report 2004/334 (2004), http://eprint.iacr.org/
Cramer, R., Damgård, I.: Secure signature schemes based on interactive protocols. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 297–310. Springer, Heidelberg (1995)
Cramer, R., Damgård, I.: New generation of secure and practical RSA-based signatures. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 173–185. Springer, Heidelberg (1996)
Cramer, R., Shoup, V.: Practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)
Cramer, R., Shoup, V.: Signature schemes based on the strong RSA assumption. In: Proc. 6th ACM Conference on Computer and Communications Security, pp. 46–51 (1999)
Dang, Z., Kemmerer, R.: Using the ASTRAL model checker for cryptographic protocol analysis. In: Proc. DIMACS Workshop on Design and Formal Verification of Security Protocols (1997), http://dimacs.rutgers.edu/Workshops/Security/
Denning, D.E., Sacco, G.M.: Timestamps in key distribution protocols. Communications of the ACM 24(8), 533–536 (1981)
Desmedt, Y., Kurosawa, K.: How to break a practical mix and design a new one. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 557–572. Springer, Heidelberg (2000)
Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2), 198–208 (1983)
Dutertre, B., Schneider, S.: Using a PVS embedding of CSP to verify authentication protocols. In: Gunter, E.L., Felty, A.P. (eds.) TPHOLs 1997. LNCS, vol. 1275, pp. 121–136. Springer, Heidelberg (1997)
Fisher, D.: Millions of .Net Passport accounts put at risk. eWeek (May 2003). Flaw detected by Muhammad Faisal Rauf Danka
Gennaro, R., Halevi, S., Rubin, T.: Secure hash-and-sign signatures without the random oracle. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 123–139. Springer, Heidelberg (1999)
Goldreich, O.: Two remarks concerning the Goldwasser-Micali-Rivest signature scheme. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 104–110. Springer, Heidelberg (1987)
Goldwasser, S., Levin, L.: Fair computation of general functions in presence of immoral majority. In: Menezes, A., Vanstone, S.A. (eds.) CRYPTO 1990. LNCS, vol. 537, pp. 77–93. Springer, Heidelberg (1991)
Goldwasser, S., Micali, S.: Probabilistic encryption. Journal of Computer and System Sciences 28, 270–299 (1984)
Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM Journal on Computing 17(2), 281–308 (1988)
Guttman, J.D., Thayer Fabrega, F.J., Zuck, L.: The faithfulness of abstract protocol analysis: Message authentication. In: Proc. 8th ACM Conference on Computer and Communications Security, pp. 186–195 (2001)
Herzog, J.: Computational Soundness of Formal Adversaries. PhD thesis, MIT (2002)
Herzog, J., Liskov, M., Micali, S.: Plaintext awareness via key registration. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 548–564. Springer, Heidelberg (2003)
Hirt, M., Maurer, U.: Player simulation and general adversary structures in perfect multiparty computation. Journal of Cryptology 13(1), 31–60 (2000)
Impagliazzo, R., Kapron, B.M.: Logics for reasoning about cryptographic constructions. In: Proc. 44th IEEE Symposium on Foundations of Computer Science (FOCS), pp. 372–381 (2003)
Kemmerer, R., Meadows, C., Millen, J.: Three systems for cryptographic protocol analysis. Journal of Cryptology 7(2), 79–130 (1994)
Laud, P.: Semantics and program analysis of computationally secure information flow. In: Sands, D. (ed.) ESOP 2001. LNCS, vol. 2028, pp. 77–91. Springer, Heidelberg (2001)
Laud, P.: Symmetric encryption in automatic analyses for confidentiality against active adversaries. In: Proc. 25th IEEE Symposium on Security & Privacy, pp. 71–85 (2004)
Lincoln, P., Mitchell, J., Mitchell, M., Scedrov, A.: A probabilistic poly-time framework for protocol analysis. In: Proc. 5th ACM Conference on Computer and Communications Security, pp. 112–121 (1998)
Lowe, G.: An attack on the Needham-Schroeder public-key authentication protocol. Information Processing Letters 56(3), 131–135 (1995)
Lowe, G.: Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In: Margaria, T., Steffen, B. (eds.) TACAS 1996. LNCS, vol. 1055, pp. 147–166. Springer, Heidelberg (1996)
Lowe, G.: Casper: A compiler for the analysis of security protocols. In: Proc. 10th IEEE Computer Security Foundations Workshop (CSFW), pp. 18–30 (1997)
Meadows, C.: Analyzing the Needham-Schroeder public key protocol: A comparison of two approaches. In: Martella, G., Kurth, H., Montolivo, E., Bertino, E. (eds.) ESORICS 1996. LNCS, vol. 1146, pp. 351–364. Springer, Heidelberg (1996)
Micali, S., Rogaway, P.: Secure computation. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 392–404. Springer, Heidelberg (1992)
Micciancio, D., Warinschi, B.: Soundness of formal encryption in the presence of active adversaries. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 133–151. Springer, Heidelberg (2004)
Mitchell, J., Mitchell, M., Scedrov, A.: A linguistic characterization of bounded oracle computation and probabilistic polynomial time. In: Proc. 39th IEEE Symposium on Foundations of Computer Science (FOCS), pp. 725–733 (1998)
Mitchell, J., Mitchell, M., Scedrov, A., Teague, V.: A probabilistic polynomial-time process calculus for analysis of cryptographic protocols (preliminary report). Electronic Notes in Theoretical Computer Science 47, 1–31 (2001)
Mitchell, J., Mitchell, M., Stern, U.: Automated analysis of cryptographic protocols using Murφ. In: Proc. 18th IEEE Symposium on Security & Privacy, pp. 141–151 (1997)
Needham, R., Schroeder, M.: Using encryption for authentication in large networks of computers. Communications of the ACM 12(21), 993–999 (1978)
Owre, S., Shankar, N., Rushby, J.M.: PVS: A prototype verification system. In: Kapur, D. (ed.) CADE 1992. LNCS, vol. 607, pp. 748–752. Springer, Heidelberg (1992)
Paulson, L.: The inductive approach to verifying cryptographic protocols. Journal of Cryptology 6(1), 85–128 (1998)
Pfitzmann, B., Schunter, M., Waidner, M.: Cryptographic security of reactive systems. Presented at the DERA/RHUL Workshop on Secure Architectures and Information Flow, 1999. Electronic Notes in Theoretical Computer Science (ENTCS) (March 2000), http://www.elsevier.nl/cas/tree/store/tcs/free/noncas/pc/menu.htm
Pfitzmann, B., Waidner, M.: How to break and repair a “provably secure” untraceable payment system. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 338–350. Springer, Heidelberg (1992)
Pfitzmann, B., Waidner, M.: Composition and integrity preservation of secure reactive systems. In: Proc. 7th ACM Conference on Computer and Communications Security, pp. 245–254 (2000). Extended version (with Matthias Schunter) IBM Research Report RZ 3206 (May 2000), http://www.semper.org/sirene/publ/PfSW1_00ReactSimulIBM.ps.gz
Pfitzmann, B., Waidner, M.: A model for asynchronous reactive systems and its application to secure message transmission. In: Proc. 22nd IEEE Symposium on Security & Privacy, pp. 184–200 (2001). Extended version of the model (with Michael Backes) in IACR Cryptology ePrint Archive 2004/082, http://eprint.iacr.org/
Rackoff, C., Simon, D.R.: Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 433–444. Springer, Heidelberg (1992)
Rogaway, P.: Authenticated-encryption with associated-data. In: Proc. 9th ACM Conference on Computer and Communications Security, pp. 98–107 (2002)
Schneider, S.: Verifying authentication protocols with CSP. In: Proc. 10th IEEE Computer Security Foundations Workshop (CSFW), pp. 3–17 (1997)
Syverson, P.: A new look at an old protocol. Operating Systems Review 30(3), 1–4 (1996)
Thayer Fabrega, F.J., Herzog, J.C., Guttman, J.D.: Strand spaces: Why is a security protocol correct? In: Proc. 19th IEEE Symposium on Security & Privacy, pp. 160–171 (1998)
Wagner, D., Schneier, B.: Analysis of the SSL 3.0 protocol. In: Proc. 2nd USENIX Workshop on Electronic Commerce, pp. 29–40 (1996)
Warinschi, B.: A computational analysis of the Needham-Schroeder-(Lowe) protocol. In: Proc. 16th IEEE Computer Security Foundations Workshop (CSFW), pp. 248–262 (2003)
Yao, A.C.: Theory and applications of trapdoor functions. In: Proc. 23rd IEEE Symposium on Foundations of Computer Science (FOCS), pp. 80–91 (1982)
© 2005 Springer-Verlag Berlin Heidelberg
Backes, M., Pfitzmann, B., Waidner, M. (2005). Justifying a Dolev-Yao Model Under Active Attacks. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds.) Foundations of Security Analysis and Design III. FOSAD 2004/2005. Lecture Notes in Computer Science, vol 3655. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11554578_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-28955-5
Online ISBN: 978-3-540-31936-8