T.Y.C. Woo and S. S. Lam. A lesson on authenticated protocol design. Operating Systems Review, 28(3):24--37, 1994.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....smaller semibundles. Dually, flaws exhibited by a semibundle are exhibited by larger semibundles as well. This is important in practice. For instance, it allows to easily detect flaws associated to incomplete runs, like the one shown by Lowe [26] on the Woo and Lam mutual authentication protocol [40]. More expressiveness In particular, it allows the principals to perform explicit checks. Security protocols may perform tests at some stage of their execution. To model this in a natural yet accurate way, it is necessary to extend the definition of strands. We add a new special operation ....

....such that S S # . Any authentication or secrecy flaw exhibited by S is exhibited by S # as well. This is of crucial practical importance. For instance, some vulnerabilities may only be found when considering partial runs. This is the case of the Woo and Lam mutual authentication protocol [40], which we introduce next. A possible attack of this protocol is described by Lowe [26] The protocol aims at establishing a session key and provides mutual authentication between two agents A and B, with the help of a trusted server S. B : A, NA ] A : B, NB ] B : A, B, NA , NB ] # ....

T.Y.C. Woo and S. S. Lam. A lesson on authenticated protocol design. Operating Systems Review, 28(3):24--37, 1994.

....has been applied to a number of other protocols, including the Andrew Protocol [3] the Kerberos Protocol [20, 3] the CCITT X. 509 Protocol [3] the Yahalom Protocol [3] a number of ISO protocols [9, 10] the TMN Protocol [30] the Denning Sacco public key protocol [4] the Woo and Lam protocols [31], and the SPLICE Protocol [32] Some of these case studies are available via the Casper World Wide Web page [15] The techniques seem to scale well to medium sized protocols, albeit with a reduction in the size of the system that can be studied. We are currently applying these techniques to a ....

Thomas Y. C. Woo and Simon S. Lam. A lesson on authenticated protocol design. Operating Systems Review, 28(3):24--37, 1994.

.... intruder attacks an agent A by using a second run of a protocol with the same agent A, so as to use the agent as an oracle; for example: the attack on the BAN version of the Yahalom protocol [BAN89] described by Syverson in [Syv94] and my attack on the Woo and Lam mutual authentication protocol [WL94] in [Low96c] Other attacks are due to more blatant errors; for example, Hwang and Chen s attack on the SPLICE protocol [YOM90] in [HC95] which exploits the fact that key delivery messages (from a key server) do not include the identity of the agent whose key is being delivered. Closely related ....

Thomas Y. C. Woo and Simon S. Lam. A lesson on authenticated protocol design. Operating Systems Review, 28(3):24--37, 1994.

....the value of some nonce exchanged during the run. In these cases, it would be incorrect for either agent to take some action in the resulting session that depended upon the exact form of the protocol run. 3. The Woo and Lam mutual authentication protocol The following protocol was presented in [30]. It aims to establish a session key and provide mutual authentication between two agents A and B, with the help of a trusted server S. Msg 1: A B : A; N a Msg 2: B A : B; N b Msg 3: A B : fA; B; N a ; N b gKas Msg 4: B S : fA; B; N a ; N b gKas ; fA; B; N a ; N b gK bs Msg 5: S B : ....

T. Y. C. Woo and S. S. Lam. A lesson on authenticated protocol design. Operating Systems Review, 28(3):24--37, 1994.

....protocol. This weaker specification allows the case where B thinks he has been running the protocol with some other agent, and may never have heard of A. It is the same as Gollmann s specification G3 [12] 3 The Woo and Lam mutual authentication protocol The following protocol was presented in [32]. It aims to establish a session key and provide mutual authentication between two agents A and B, with the help of a trusted server S. Message 1: A B : A; N a Message 2: B A : B; N b Message 3: A B : fA; B; N a ; N b g Kas Message 4: B S : fA; B; N a ; N b g Kas ; fA; B; N a ; N b g ....

T. Y. C. Woo and S. S. Lam. A lesson on authenticated protocol design. Operating Systems Review, 28(3):24--37, 1994.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC