26 citations found.
Einar Snekkenes. Roles in Cryptographic Protocols. In Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy. IEEE Computer Society Press, Los Alamitos, California, 1992.


This paper is cited in the following contexts:


A Procedure for Verifying Security Against Type Confusion.. - Catherine Meadows Code (2003)

.... type confusion attacks are ones in which fields of one type are confused with fields of another type, such as is described in [9] but it is also possible to imagine attacks in which fields of one type are confused with a concatenation of fields of another type, as is described by Snekkenes in [12], or even attacks in which pieces of fields of one type are confused with pieces of fields of other types. The technique of tagging data with its type has been shown to provide security against simple type confusion attacks involving the confusion of one field with another in the Dolev Yao model ....

E. Snekkenes. Roles in cryptographic protocols. In Proceedings of the 1992.


Identifying Potential Type Confusion in Authenticated Messages - Catherine Meadows Code (2002)

.... type confusion attacks are ones in which fields of one type are confused with fields of another type, such as is described in [7] but it is also possible to imagine attacks in which fields of one type are confused with a concatenation of fields of another type, as is described by Snekkenes in [8], or even attacks in which pieces of fields of one type are confused with pieces of fields of other types. Simple type confusion attacks, in which a field of one type is confused with a field of another type, are easy to prevent by including type labels (tags) for all data and authenticating ....

Einar Snekkenes. Roles in cryptographic protocols. In Proceedings of the 1992.


Efficient Automated Testing of Cryptographic Protocols - Gürgens, Peralta (1998)

....for symmetric algorithms. Here one agent acting in run 1 accepts a ciphertext generated in a different run 2, and so interprets it in a non intended way: It takes what was meant to be the session key of run 2 as a ciphertext of run 1, and in consequence forwards this session key in cleartext (see [23] for a detailed description). In section 4.1 we will present a new type of implementation dependent flaw which to our knowledge has not been documented in the literature so far. In [20] Paulson argues that a formal security analysis of protocols need not consider type confusion attacks since ....

Snekkenes, E.: Roles in cryptographic protocols. Proceedings of the IEEE Symposium on Security and Privacy, 1992, pp. 105-119.


Categorizing Attacks on Cryptographic Protocols Based on.. - Xu, Kedem, Gong (2000)

....[4] and BAN like logic[8] approaches do not reason about the roles of the participating principals and their relationship to messages. One can argue that reasoning about participating principals roles can help revealing protocol weakness and possible attacks. Although the modal logic used in [22] considers that an intruder can play different roles, roles in [22] are defined as placeholders for the names of the participating principals. In this paper, roles are defined in terms of the principal who initiates a protocol execution, and the principal who generates the secret. This paper also ....

....of the participating principals and their relationship to messages. One can argue that reasoning about participating principals roles can help revealing protocol weakness and possible attacks. Although the modal logic used in [22] considers that an intruder can play different roles, roles in [22] are defined as placeholders for the names of the participating principals. In this paper, roles are defined in terms of the principal who initiates a protocol execution, and the principal who generates the secret. This paper also proposes several protocol design guidelines. Those guidelines were ....

[Article contains additional citation context not shown here]

Einar Snekkenes. "Roles in Cryptographic protocols. " In Proceedings of the


The Logic of Authentication Protocols - Syverson, Cervesato (2001)   (8 citations)

....described by listing the messages exchanged during an expected run, while roles focus on the individual view of each principal, independently from any run. The CKT5 specifications given in [Bie90] allowed each honest principal participating in a protocol to play exactly one role. It was shown in [Sne92] that this restriction could give an incorrectly clean bill of health: attacks that relied on having the same principal act both as an initiator and a responder, for example, were missed. This same paper corrected this limitation by upgrading the one to one relation between roles and principal ....

....was now associated with a set of roles, an entity also known as a multi role. Differently from roles, multi roles could, for example, express the necessary conditions to set up the attack on the BAN Yahalom protocol discussed in Section 4.3. The CKT5 formalization of roles and multi roles used in [Sne92] was later simplified in [Car94] which also gave an algorithm to generate CKT5 role specifications from the BAN like standard notation of a protocol. Clearly, if the protocol at hand is constrained in such a way that every honest principal can play at most one role, then no multi role flaws can ....

[Article contains additional citation context not shown here]

Einar Snekkenes. Roles in cryptographic protocols. In Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy, pages 105-119. IEEE CS Press, May 1992.


An Approach to the Formal Verification of Cryptographic Protocols - Bolignano (1996)   (24 citations)

....facts may have an unclear meaning. This limitation led the authors to design a new logic, the AT logic [1] The modeling of freshness is also particularly problematic. As in most modal logics it is in particular not possible to distinguish between freshness of creation and freshness of receipt [26]. More generally the very abstract level of the BAN imposes in many cases the use of hypotheses or protocol descriptions whose relevance is hard to assess. Another problem described by A. Liebl in [17] is that there is no systematic way for translating a protocol description into a BAN ....

....ability for a principal to repeat the same session, to play various roles in sequence or in parallel. Such characteristics usually cannot be described in modal logics. Parallel multi role for trusted principals is for example not taken into account by most modal logics and was only introduced in [26]. But even when taken into account, the multi role capability is wired in the logic and has to be assumed for all roles at the same time and not selectively for some actors. The verification process is comparable in conciseness with verifications done using modal based approaches. This is mainly ....

E. Snekkenes. Roles in cryptographic protocols. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 105--119. IEEE, 1992.


A Formal Semantics for Evaluating Cryptographic Protocols - Yasinsac (1996)   (1 citation)

....= Na2) A: I(ep[Nb]ka ) I: msg9) I: B(msg9) B: msg5) B: N b : dp[msg5]ka ; B: assert(N b = Nb) End of Protocol. Simplified predicate follows. TRUE Figure 6.19 Chapter 6: Verifying Protocols Using the CPAL Evaluation System 129 6. 6 Other protocols In [SNEK92], Snekkenes gives a straightforward variation on the Needham and Schroeder Private Key Protocol [NEED78] that he calls KP. KP is not vulnerable to replay attack due to the nonce in each transmission. As the CPAL ES evaluation in Figure 6.20 shows, the nonces transfer as desired. Nonetheless, the ....

.... Y S kab ) 2 (SPLIT 1) 1 (PROPAX) NIL) 2 (PROPAX) NIL) 3 (PROPAX) NIL) 3 (POSTPONE) NIL) 2 (POSTPONE) NIL) Figure 7. 7 Chapter 7: CPAL ES and BAN Logic 156 For emphasis and illustration we also evaluated Snekkenes KP protocol from [SNEK92] using CPAL ES, BAN Logic and PVS. The CPAL ES evaluation of the KP protocol without BAN Logic constructs was given in Figure 6.19. The CPAL ES definition of the protocol with BAN Logic goals and assumptions is given in Figure 7.8 and the PVS file entries for proof of the verification condition ....

Einar Snekkenes, "Roles in Cryptographic Protocols", Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, 1992, pp 105-118


Cryptographic Protocols over Open Distributed Systems: A.. - Gritzalis, Spinellis (1997)   (2 citations)

....are redirected to a third entity. 2.4 Parallel session flaws Parallel session attacks (or oracle session attacks, multi role flaws) are flaws that allow an adversary to gain the desired information by exchanging suitable protocol messages. Participants in these protocols can be distinguished [22] either as single role, or as multi role participants. In single role protocols there is a one to one relationship between a participant and his role. In a multi role protocol this relationship is a one to many. In both cases a participant's presence can only be interpreted as a specific role and ....

....and his role. In a multi role protocol this relationship is a one to many. In both cases a participant's presence can only be interpreted as a specific role and not as the specific participant's name. Therefore a participant p can at different times act in role A and role B. It can be proven [22] that any analysis method that fails to distinguish between the possible roles of a participant and the participant's name will not yield dependable results. In the following paragraphs we will study a parallel session single role flaw and a parallel session multi role flaw [1] using the ....

Snekkenes E. Roles in Cryptographic Protocols. In: Proceedings of the 1992 IEEE Computer Security Symposium on Security and Privacy. IEEE Computer Society Press, 1992, pp. 105-120


Formal Requirements for Key Distribution Protocols - Syverson, Meadows (1995)   (6 citations)

....via authentication and freshness. One showed that a message was both recent and originated by the correct principal in order to show currency to a given round. 3 Recently, a number of papers have shown how to interleave messages from simultaneous rounds to produce attacks. cf. e.g. [1] [3] [9], [11] Against such interleaving attacks freshness is no guarantee of currency. The matter only becomes more complex for repeat authentication protocols. These protocols need to be concerned simultaneously with currency within a round and currency to a class of rounds: we must make sure that the ....

Einar Snekkenes. Roles in Cryptographic Protocols. In Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy. IEEE Computer Society Press, Los Alamitos, California, 1992.


Formal Methods for the Analysis of Authentication Protocols - Rubin, Honeyman (1993)   (6 citations)

....[55] The existence of a subtle flaw in a previously trusted protocol stressed the need for formal methods for analyzing authentication protocols. In fact, many authors praise the merits of their analysis techniques with their ability to discover the flaw in the Needham and Schroeder protocol [11, 14, 29, 51, 70, 87]. Abadi and Needham offer guidelines for avoiding known types of flaws in cryptographic protocols [1] The authors suggest prudent engineering practices for designing protocols securely. Although their arguments are informal, the authors build on the successes of formal methods used to discover ....

....techniques for authentication protocols have been published [48, 77, 88, 91] and several formal analysis techniques have been proposed. In particular, the use of predicate logic for the analysis of protocols was proposed by Burrows et al. 2 [11] and many extensions have since been published [13, 14, 25, 29, 69, 70]. Others have been critical of the BAN logic [56, 74] and have proposed their own logics [42, 43, 46, 48, 49, 51, 53, 72, 74, 87, 91] This paper explores these logics and discusses the trade offs among them. 2 Terminology This section describes some of the terminology used in the rest of the ....

[Article contains additional citation context not shown here]

Einar Snekkenes. Roles in cryptographic protocols. Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pages 105--119, May 1992.


On Unifying Some Cryptographic Protocol Logics - Syverson, van Oorschot (1994)   (74 citations)

.... here syntax, adds the ability to reason about some replay attacks using messages from within the current protocol run but still does not address interleaving attacks, that is attacks involving replay of messages from at least two contemporaneous protocol runs. cf. [BGH 92] [DvOW92] [Sne92] [Car93] Indeed, none of the logics discussed in this paper generally addresses interleavings at all. Failure of methods such as BAN logic to address interleaving attacks has led some to focus on the notion of current protocol run rather than on freshness. However, this still leaves some types ....

Einar Snekkenes. Roles in Cryptographic Protocols. In Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy. IEEE Computer Society Press, Los Alamitos, California, 1992.


Adding Time to a Logic of Authentication - Syverson (1993)   (29 citations)

....security of the protocols rather than the cryptography they employ. Thus, e.g. questions about the release of secrets by direct cryptanalysis of ciphertext are not addressed here. This is not the first paper to discuss such attacks. Similar attacks have been described in [BGH 92] [DvOW92] [Sne92] and [Syv] Nor is this the first paper to discuss logical solutions to such attacks. In [Sne92] Snekkenes uses Bieber's logic CKT5 [Bie90] to analyze a similar attack. Nonetheless, the results herein are significant for a number of reasons: 1) For good or ill, BAN has become the clear ....

....release of secrets by direct cryptanalysis of ciphertext are not addressed here. This is not the first paper to discuss such attacks. Similar attacks have been described in [BGH 92] [DvOW92] [Sne92] and [Syv] Nor is this the first paper to discuss logical solutions to such attacks. In [Sne92] Snekkenes uses Bieber's logic CKT5 [Bie90] to analyze a similar attack. Nonetheless, the results herein are significant for a number of reasons: 1) For good or ill, BAN has become the clear favorite as a formal method for cryptographic protocol analysis; there have been numerous publications ....

[Article contains additional citation context not shown here]

Einar Snekkenes. Roles in Cryptographic Protocols. In Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, pages 105--119. IEEE Computer Society Press, Los Alamitos, California, 1992.


Security Protocol Verification using SPIN - Jøsang (1995)   (3 citations)

....This becomes critical when a protocol step depends on the confidentiality of a previous message in order to work as intended. As a result, certain interpretations of a protocol specified in BAN formalism are vulnerable to special attacks. These issues have been the cause of some controversy [Nes90][Sne92]. Another point is the failure of BAN logic to address special forms of interleaving attacks involving replay of messages from at least two contemporaneous protocol runs. Such an attack is presented in [Syv93] 5 Purpose of Security Protocol Verification with SPIN The purpose of applying ....

Einar Snekkenes. Roles in cryptographic protocols. In Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, Canada. IEEE Computer Society Press, 1992.


A Lesson on Authentication Protocol Design - Woo, Lam (1994)   (17 citations)

....carry as much information as possible regarding the current authentication run, to the extent that it becomes self contained and uniquely identifiable as belonging to a particular authentication run. Attacks resulting from messages that do not carry full information have also been demonstrated in [7] and [8] We have also proposed several heuristics for simplifying full information protocols. Although these are informal, we believe they represent useful directions in simplifying authentication protocols and a good first step toward a more formal stepwise refinement procedure. 8 ....

E. Snekkenes. Roles in cryptographic protocols. In Proceedings of the 13th IEEE Symposium on Research in Security and Privacy, pages 105--119, Oakland, California, May 4--6 1992.


Formal Methods for the Analysis of Authentication Protocols - Rubin, Honeyman (1993)   (6 citations)

....[41] The existence of a subtle flaw in a previously trusted protocol stressed the need for formal methods for analyzing authentication protocols. In fact, many authors praise the merits of their analysis techniques with their ability to discover the flaw in the Needham and Schroeder protocol [7, 10, 20, 37, 53, 63]. A few specification techniques for authentication protocols have been published [35, 60, 64, 67] and several formal analysis techniques have been proposed. In particular, the use of predicate logic for the analysis of protocols was proposed by Burrows et al. 2 [7] and many extensions have ....

....techniques for authentication protocols have been published [35, 60, 64, 67] and several formal analysis techniques have been proposed. In particular, the use of predicate logic for the analysis of protocols was proposed by Burrows et al. 2 [7] and many extensions have since been published [9, 10, 18, 20, 52, 53]. Others have been critical of the BAN logic [42, 57] and have proposed their own logics [30, 33, 35, 36, 37, 39, 55, 57, 63, 67] This paper explores these logics and discusses the tradeoffs among them. 2 Terminology This section describes some of the terminology used in the rest of the paper. ....

[Article contains additional citation context not shown here]

Einar Snekkenes. Roles in cryptographic protocols. Proceedings of the IEEE Computer Society Symposium on Security and Privacy, pages 105--119, May 1992.


Prudent Engineering Practice for Cryptographic Protocols - Abadi, Needham (1995)   (152 citations)

....possible forms of confusion (which could happen together) first, between the current message and a message of similar purpose from a previous run of the protocol, and second, between the current message and a message belonging either elsewhere in the protocol, or to another protocol. Snekkenes [29] and Syverson [30] have constructed examples of protocols where these confusions can arise. We believe that these confusions are less important when all our principles are correctly followed. If a message says what it means then we have no reason to be concerned with its context. The message is ....

E. Snekkenes. "Roles in Cryptographic Protocols". Proceedings of the 1992 IEEE Symposium on Security and Privacy, pp. 105--119.


Attacking Authentication Protocols - Clark (1996)   (8 citations)

....from S) The efficacy of the attack is not compromised. Z simply plays ping pong with S until it wants to rearrange authentication between A and B. Continuous use of S as a timestamp oracle ensures that all messages are sufficiently up to date. Parallel session attacks abound in the literature [21, 25, 23, 11]. 6 Implementation Dependent Attacks Carlsen [5] indicates that some protocol definitions allow both secure and insecure implementations. Typing attacks could be prevented if the concrete representations of component values contained redundancy to identify a sequence of bits as representing a ....

E. Snekkenes. Roles in Cryptographic Protocols. In Proceedings of the 1992 IEEE Symposium on Security and Privacy. IEEE Computer Society Press, 1992.


Some New Attacks upon Security Protocols - Lowe (1996)   (43 citations)

..... Similar flaws have been the cause of attacks on other protocols, for example: the attacks on the adapted Yahalom protocol [6] in [29] an attack on the Neuman Stubblebine protocol [21] reported in [28, 13] the attack on the Wide Mouthed Frog Protocol [6] in [2] and a protocol due to Snekkenes [26]. In [1] Abadi and Needham present eleven principles for designing cryptographic protocols; the weakness discussed above represent a violation of principle 10: If an encoding is used to present the meaning of a message, then it should be possible to tell which encoding is being used. In the ....

E. Snekkenes. Roles in cryptographic protocols. In Proceedings of IEEE Symposium on Research in Security and Privacy, pages 105--119, 1992.


Some New Attacks upon Security Protocols - Lowe (1996)   (43 citations)

..... Similar flaws have been the cause of attacks on other protocols, for example: the attacks on the adapted Yahalom protocol [7] in [31] an attack on the Neuman Stubblebine protocol [23] reported in [30, 14] the attack on the Wide Mouthed Frog Protocol [7] in [2] and a protocol due to Snekkenes [28]. In [1] Abadi and Needham present eleven principles for designing cryptographic protocols; the weakness discussed above represent a violation of principle 10: If an encoding is used to present the meaning of a message, then it should be possible to tell which encoding is being used. In the ....

E. Snekkenes. Roles in cryptographic protocols. In Proceedings of IEEE Symposium on Research in Security and Privacy, pages 105--119, 1992.


A Unified Cryptographic Protocol Logic - Syverson, van Oorschot (1996)   (7 citations)

No context found.

Einar Snekkenes. Roles in Cryptographic Protocols. In Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy. IEEE Computer Society Press, Los Alamitos, California, 1992.


Principles for Entity Authentication - Bugliesi, Focardi, Maffei, Tudone (2003)

No context found.

E. Snekkenes. Roles in cryptographic protocols, 1992. In Proceedings of the 1992 IEEE Symposium on Security and Privacy, pages 105-119. IEEE Computer Society Press.


Principles for Entity Authentication - Bugliesi, Focardi, Maffei (2003)

No context found.

E. Snekkenes. Roles in cryptographic protocols, 1992. In Proceedings of the 1992 IEEE Symposium on Security and Privacy, pages 105-119. IEEE Computer Society Press.


Security Protocol Verification Using SPIN - Jøsang (1995)

No context found.

Einar Snekkenes. Roles in cryptographic protocols. In Proceedings of the 1992 IEEE Computer Society Symposium on Research in Security and Privacy, Oakland, Canada. IEEE Computer Society Press, 1992.


A Method for Examining Cryptographic Protocols - Tjaden (1997)   (4 citations)

No context found.

Snekkenes, Einar, "Roles in Cryptographic Protocols", Proceedings of the 1992 IEEE Symposium On Research in Security and Privacy, pp. 105-118.


Efficient Automated Testing of Cryptographic Protocols - Gürgens, Peralta (1998)

No context found.

Snekkenes, E.: Roles in cryptographic protocols. Proceedings of the IEEE Symposium on Security and Privacy, 1992, pp. 105-119.


CiteSeer.IST - Copyright Penn State and NEC