Verification of authentication protocols the past and the present
This presentation is the property of its rightful owner.
Sponsored Links
1 / 25

Verification of Authentication Protocols: the Past and the Present PowerPoint PPT Presentation

  • Uploaded on
  • Presentation posted in: General

Verification of Authentication Protocols: the Past and the Present. Why do we need to verify protocols even after we constructed them with so much care?. There is a database of possible attacks on protocols, but new types of attacks crop up as history shows over and over again

Download Presentation

Verification of Authentication Protocols: the Past and the Present

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Verification of Authentication Protocols:the Past and the Present

Why do we need to verify protocols even after we constructed them with so much care?

  • There is a database of possible attacks on protocols, but new types of attacks crop up as history shows over and over again

  • We need methods which are suitable to finding previously unknown attacks

Example: Needham-Schroeder’s PK protocol

  • Originally created in 1978

  • It took 15 years to find man-in-the-middle attack

  • Formal logic (BAN) could not find the attack, i.e. the protocol was proven to be correct!

  • It takes less than 1 min to find the attack using model-checking approach. The coding part takes no more than 1 hour.

The Protocol’s Description

  • A B: {NA,A}PKB

  • B A: {NA, NB} PKA

  • A B: {NB} PKB

The Man-in-the-Middle Attack

  • A C: {NA,A} PKC

  • C B: {NA,A} PKB

  • B C: {NA, NB} PKA

  • C A: {NA, NB} PKA

  • A C: {NB} PKC

  • C B: {NB} PKB

Man-in-the-Middle Attack (cont’d)

  • Discovery published in 1993 (15 years after the protocol was designed) by Gavin Lowe (Oxford, UK).

  • Initially found manually

  • Fixed and proved in 1995 using a combination of FDR

  • (automated model-checking) and logical reasoning. The corrected version is called Needhame-Schroeder-Lowe PK protocol. The only modification is the 2nd message includes identity of B

SPIN and forward search techniques

  • SPIN is a model-checking software based on Hoare’s CSP (communicating sequential processes) model

  • One models the processes of legitimate users and the intruder. Intruder comes with Dolev-Yao capabilities and incorporates all malicious users. Intruder also has a legitimate identity.

  • SPIN will go through all possible interleavings of steps taken by users and see if any red flags are raised

  • This is a forward search technique, i.e. the processes that will participate are known in advance and all possible trails of interactions are modeled and checked

Problems with forward search techniques

  • In authentication involving 2 users it is enough only to model legitimate users A and B and the intruder C, but one has to choose how many parallel sessions A and B are allowed to start. Therefore, negative result does not completely confirm that the protocol is secure

  • The state-space explodes exponentially with additional parallel sessions. One has to limit them to 2 or 3. As a result, one has to resort to other methods to extend negative result to the protocol (for example using logical reasoning)

Motivation for Backward Search

  • Let us look at the Needham-Schroeder’s protocol

  • Receiver B needs to receive M1= {NANY, A}PKBand M2= {NB}PKB to successfully authenticate A.

  • M2 can be generated by anyone who has the nonce. If it’s generated by someone other than intruder, attack will not succeed. For intruder to generate M2, it needs to receive NBin {N?, NB}PKI or {NB, N?}PKI or {NB}PKI

  • To generate {N?, NB}PKIwe need B to know that Intruder is trying to authenticate itself. This is not what we want

Motivation for Backward Search (cont’d)

  • To generate {NB, N?}PKI , the intruder had to have initiated authentication with process “?” and have passed it {NB, Intruder}PK?. This message can be generated only by the intruder and it needs to have NB. We encounter a cycle

  • To generate {NB}PKI, some user X has to initiate communication with the intruder.

  • X needs to receive {NX, NB}PKX. This message can be generated only by B. In turn, B will need to receive {NX, A}PKB.

  • {NX, A}PKB can not be generated by X, since it’s trying to contact Intruder. Therefore this message has to be generated by the intruder.

  • For intruder to generate {NX, A}PKB , it needs to have the nonce which will be sent by X in its first message.

  • Conclusion: we need one receiver B process, and one process X trying to initiate authentication with intruder. We can let X=A

Strand Spaces: building causal dependencies

  • Start with an initial set of causal dependencies and messages.

  • If a message is causally dependent on a message not present in the set, add that message

  • Continue until all dependencies are satisfied

  • Check which strands are contained in the resulting set.

Strands: what are they?

A’s strand would be


B’s strand is


Strands: what are they? (Cont’d)

A bundle formed by these strands is



This is a bundle for a legitimate run of the protocol and it is complete in the sense that on each strand all previous messages are included, and every message received in the bundle is actually sent in the bundle

Strands: what are intruder’s strands?

Intruder strands have to be more flexible since it does not follow the protocol.

Some of intruder’s strands are:

Similarly, strands that combine 2 messages into one can be defined as well as those decrypting message

  • +{t} where t is any text message

  • -g where g is any message

  • -{K} -h +{h}K which means that if intruder receives a key and a message, it can encrypt the message and send it out

Building a bundle for NSL

Suppose we have an acyclic bundle S that contains one run of B’s strand. We would like to prove that this bundle will also contain a run of A’s strand with corresponding nonces.

We start with the assumption that S contains the strand


We assume that NA NB and that NB uniquely originates in S on some strand. We want to prove that S must contain the strand


Building a bundle for NSL

  • S must contain node +{NB} PKB. First we prove that this node is the only node that contains NB which does not include message {NA, NB, B} PKA. And causally leads to -{NB} PKB We also prove that node +{NB} PKB does not lie on an intruder’s strand. Let L denote the legitimate strand on which node +{NB} PKB lies.

  • All preceding nodes on L must also be in S. One can easily show that node -{NA, NB, B} PKA must precede +{NB} PKB on L, and that this node corresponds to +{NA, NB, B} PKA

Building a bundle for NSL

As a result, S must contain the following:

+{NA, NB, B} PKA +{NB} PKB


Building a bundle for NSL

Also, we can see that the upper strand must be A’s and therefore the picture becomes:



This proves that S must contain corresponding strand of A

Building a bundle for NSL

Finally, we can show that we have only 1 strand with the same signature as the upper one. This shows uniqueness, i.e. the upper strand is not a replay.

How does this help us?

  • One need to be ADD-free and have good analytical abilities to analyze even a simple protocol like NSL!

  • Analysis of 5-step protocols can be published as monographs

  • One can do it with a pencil and paper by using logic without strand spaces

  • We can use model-checkers , let the program run for a week and come back for a result which is 99% accurate

  • Can we automate this strand-space approach?

D.Song’s Athena: automation of the strand-space approach

  • If the search terminates, a negative/positive result is produced.

  • The search does not always terminate but works for most useful protocols

  • State-explosion problem is alleviated through avoidance of asynchronous composition (i.e. going through all possible interleavings).

  • States may contain free-variables. Storage/CPU are thus more efficiently used since free variable states and their transitions represent infinitely many variable-free states/transitions.

  • Athena determines on-the-fly how many sessions need to be initiated.

D.Song’s Athena: automation of the strand-space approach

  • The idea is the following: given the strand of B, we look for all possible completions of this strand to a bundle and see if one of them does not contain corresponding strand of A.

  • Note that in the previous presentation there is a subtle issue: we ignore forwarding of messages by the intruder.

  • To ignore such situations we introduce the notion of goal-binding: if a message M1 has to be triggered by content T, we would “bind” M1 to the “minimal” positive node from which one can derive T.

  • Note that in a bundle every node that needs to be “binded” is actually “binded” within the bundle itself.

Athena: states

  • Suppose we start with a strand s. Let the set containing s be called C. Each time we add nodes to C, we make sure that given a node nC the nodes preceding n on its strand are also included. In this way, C is a “semi-bundle”: it’s backward closed under but not necessarily under

  • Note that a bundle is a particular case of a “semi-bundle”, and if a “semi-bundle” C has no “unbound” goals, then generally it’s also a bundle (in some degenerate cases intruder’s strands need to be added).

  • The “semi-bundles” encapsulate the notion of “state”

Athena: state-transitions

  • State-transitions map a “semi-bundle” C to a finite set of other semi-bundles that can be derived by causally completing C

  • To construct the next state, for each unbound goal we find a way to bind it. This way we produce a new semi-bundle. The set of all such semi-bundles is the next state. Note that free variables may arise in the next state

  • The algorithm itself works by expanding the semi-bundle to its maximum and seeing whether the result satisfies our needs. What if the expansion does not terminate?

  • Additional techniques for early detection of unreachability can speed up the process


  • Forward-search model-checking has limited effectiveness.

  • Backward-search avoids many of the previous problems but is harder (slightly) to code. In addition, it may not finish at all.

  • Manual methods of proving correctness can not be trusted completely (BAN logic for example), and one has to be patient and careful to verify the proofs.

  • Why not create protocols which are easily analyzed instead?

  • AGVI—Automatic Generation, Verification and Implementation of Security Protocols.

  • Login