M. Tatebayashi, N. Matsuzaki, and D. B. Jr. Neuman. Key Distribution Protocol for Digital Mobile Communication Systems. In G. Brassard, editor, Proceedings of Advances in Cryptography - CRYPTO'89, volume 435 of Lecture Notes in Computer Science, pages 324-334. Springer-Verlag, 1990.
....could be doing his genuine role as well as that of an attacker concurrently. 8. Security properties such as secrecy, authenticity as intended. 3 Modelling Cryptographic Protocols in Esterel In this section, we discuss modelling cryptographic protocols using Esterel and use the TMN protocol [18] studied in detail in [12] for illustrations. First, we shall consider the basic protocol to illustrate the modelling and subsequently, we shall discuss possible attacks on the protocol and the improvements needed to make the protocol secure. Note 1. For illustrative purpose, we shall be using ....
....notation of procedure calls and parameter transmissions for the sake of simplicity and succinctness. As the notation is fairly standard, no confusion should result. Such an interface for Esterel for cryptographic protocol analysis purposes is being built. 3.1 Basic TMN Protocol TMN protocol [18] consists of three players: an initiator A, a responder B, and a server S who mediates between them for the generation of session keys. The protocol employs two methods of encryption: a. Standard encryption: The function denoted E when applied to a message m produces an encrypted text that can be ....
M. Tatebayashi, N. Matsuzaki, D. Neuman, Key distribution protocol for digital mobile communication systems, Proc. CRYPTO '89, (90) 324-333, Springer Verlag.
....F and H are secure message authentication codes, and F, G, and H are independent. Then AP AKA is a secure authentication and key agreement protocol. 5.4 Comparison with Other Proposals Over the last decade, numerous protocols specifically designed for wireless networks have been proposed, e.g. [4, 9, 10, 11, 26, 27, 28, 30]. Most of the proposed protocols were designed based on ad hoc approaches (i.e. breaking and fixing) and have been found containing various flaws [14, 17, 18]. Based on the underlying cryptographic primitives, the proposed protocols can be divided into two classes: public key protocols and ....
M. Tatebayashi, N. Matsuzaki and D.B.J. Newman, Key distribution protocol for digital mobile communication systems, Advances in Cryptology-Crypto '89 Proceedings, Lecture Notes in Computer Science, vol. 435, 1989, pp. 324-334.
....algebraic properties that may interfere with algorithmic properties of a cryptographic protocol. Examples are the properties of the exclusive or and homomorphism properties of the RSA encryption algorithm. The attack described by Simmons [Sim94] against the original TMN key distribution algorithm [TMN89], for instance, exploits in a clever way both some of the laws of exclusive or and the homomorphism properties of RSA. That is why there are some recent attempts to include some of these properties into the deduction engine [CLS03, CKRT03]. However, these papers only consider two particular ....
Makoto Tatebayashi, Natsume Matsuzaki, and David B. Newmann. Key distribution protocol for digital mobile communication systems. In G. Brassard, editor, CRYPTO'89, volume 435 of Lecture Notes in Computer Science, pages 324-334. Springer-Verlag, 1989.
....which confirms the importance of that approach. All others originate from formal approaches based either on model checking or on theorem proving. Some of the corresponding notation is quoted without explanation for the sake of demonstration. 2.2.1 On TMN Let us consider the TMN protocol [101], which aims at distributing session keys for mobile communications (figure 2.1). S : A, S, B, e(KA ) B : S, B, A S : B, S, A, e(KB ) A : S, A, B, v(KA , KB ) Figure 2.1: The TMN protocol The identifiers A, B, KA , KB , S respectively represent the protocol initiator, the responder, ....
M. Tatebayashi, N. Matsuzaki, and D. B. Jr. Neuman. Key Distribution Protocol for Digital Mobile Communication Systems. In G. Brassard, editor, Proceedings of Advances in Cryptography --- CRYPTO'89, volume 435 of Lecture Notes in Computer Science, pages 324--334. Springer-Verlag, 1990.
....SNEP with strong freshness, then Kerberos would have greater security. 9 The node needs significantly more memory resources than our current sensor nodes to store the key chain. 9. Related work Tatebayashi et al. consider key distribution for resource-starved devices in a mobile environment [52]. Park et al. [37] point out weaknesses and improvements. Beller and Yacobi further develop key agreement and authentication protocols [4]. Boyd and Mathuria survey the previous work on key distribution and authentication for resource-starved devices in mobile environments [8]. The majority of ....
M. Tatebayashi, N. Matsuzaki and D.B.J. Newman, Key distribution protocol for digital mobile communication systems, in: Advances in Cryptology - Crypto '89, Lecture Notes in Computer Science, Vol. 435 (1989) pp. 324-334.
.... internal agent can be captured with this type of deduction within the intruder: we get a deduction (X, f) if, after the agent is told the messages in X, it can be expected to emit f (where f will be functionally dependent on X). A typical example of this kind is the server in the TMN protocol [TMN90] whose function was to receive two messages M1 and M3 and construct a corresponding third message M4, where M4 only contains variables in M1 and M3 (thereby not introducing any fresh variables into the system). Thus, the functionality of the server is captured internally by all valid ....
....those that generate messages without introducing any fresh values of some data independent type. Internal agents in this category are captured by deductions that take the same form as those used in the intruder's deductive system. An example is the server role in the TMN protocol (taken from [TMN90]) whose function is to receive two messages M1 and M3 and construct a corresponding third message M4, where M4 only contains variables in M1 and M3 (and so not introducing any fresh variables into the system). If we modelled this server role internally, then the corresponding deductions ....
M. Tatebayashi, N. Matsuzaki, and D.B. Newman. Key distribution protocol for digital mobile communication systems. In Advances in Cryptology: Proceedings of Crypto '89, volume 435 of LNCS, pages 324--333. Springer-Verlag, 1990.
....exist protocols in which the session key is translated, in the sense that it is sent out originally encrypted with one key and is later re encrypted by another principal under a new key. These protocols can also be correct, although they demand special care. The TMN protocol is a (flawed) example [19]. In the case of a correct protocol of 3 this form, it would be necessary to show that the session key is in S i for some i 1. However, because S 0 and S 1 cover typical protocols, our method for proving secrecy is particularly easy to use. It is also easy to prove that a non key data value ....
M. Tatebayashi, N. Matsuzaki, and D. Newman. Key distribution protocol for digital mobile communication systems. In G. Brassard, editor, Advances in Cryptology: CRYPTO '89, volume 435 of Lecture Notes in Computer Science, pages 324--331. Springer Verlag, 1990.
.... internal agents that do not introduce any fresh values is captured by this type of deduction within the intruder: we get a deduction (X, f) if, after the agent is told the messages in X, it can be expected to emit f (where f will be functionally dependent on X). The server role in the TMN protocol [14] is such an example. Internal agents that do introduce fresh values are captured by a special type of deduction, known as a generation. A generation has the form (t, X, Y) where t is a non empty sequence of the fresh objects being created, X is a finite set of input facts, and Y is the set of ....
M. Tatebayashi and N. Matsuzaki and D.B. Newman. Key distribution protocol for digital mobile communication systems. In Advances in Cryptology: Proceedings of Crypto '89, volume 435 of LNCS, pages 324-333. Springer-Verlag, 1990.
....[2] B M(C) Message If Message is explicitly typed, then Mallory can encrypt {Message}Kb to foil Bob's type checking. [1] M(C) B: {{Message}Kb}Km [2] B M(C) {Message}Km An example that does not require impersonation is an attack [21] on the Tatebayashi-Matsuzaki-Newman Protocol [27]. In that attack, two intruders Mallory and Dave collaborate in another protocol run in order to retrieve the secret distributed between Alice and Bob. The attack is as follows. The intruders saw some of the messages between legitimate principals Alice and Bob. Then, two intruders Dave and Mallory ....
M. Tatebayashi, N. Matsuzaki, and D. B. Newman. "Key Distribution Protocol for Digital Mobile Communication System." In Proceedings of Crypto'89, 324-333, Springer-Verlag, 1990.
.... internal agents that do not introduce any fresh values is captured by this type of deduction within the intruder: we get a deduction (X, f) if, after the agent is told the messages in X, it can be expected to emit f (where f will be functionally dependent on X). The server role in the TMN protocol [13] is such an example. Internal agents that do introduce fresh values are captured by a special type of deduction, known as a generation. A generation has the form (t, X, Y) where t is a non empty sequence of the fresh objects being created, X is a finite set of input facts, and Y is the set of ....
M. Tatebayashi and N. Matsuzaki and D.B. Newman. Key distribution protocol for digital mobile communication systems. In Advances in Cryptology: Proceedings of Crypto '89, volume 435 of LNCS, pages 324-333. Springer-Verlag, 1990.
....key exchange based on beliefs about the authenticity of the other party, so it seems that a belief logic based tool such as RVChecker might catch errors in this protocol. 1.2.1 Tatebayashi-Matsuzaki-Newman Key Exchange Protocol The Tatebayashi-Matsuzaki-Newman (TMN) protocol for key exchange [11] features a server S with a public key and two network nodes A and B who wish to exchange a session key through the server. The protocol consists of four messages: 1: A → S : S:A:B:{Ra}Ks 2: S → B : B:S 3: B → S : S:B:A:{Rb}Ks 4: S → A : A:S:B:Ra ⊕ Rb ....
....this case, Brutus deems both properties to be true. This is because it is not possible for Brutus to represent the secret key of I with the principal name of B in the same message as discussed earlier. • Multiple Intruder Collusion: Simmons describes an attack on the TMN protocol (described in [11]) in which the homomorphic property of the keys is used. In essence, the key used in a single valid run of the protocol is replayed by two colluding intruders (who could be two different sessions of the same intruder). Since this attack depends on the homomorphic property of keys, which cannot be ....
Makoto Tatebayashi, Natsume Matsuzaki, and David B. Newman, Jr. Key distribution protocol for digital mobile communication systems. In Proceedings of CRYPTO'89, pages 324--334.
....channel between a base station and a mobile station [1, 2]. To make a secure channel, it is required to maintain the confidentiality of a message and provide the mutual authentication between a base station and a mobile station. Many protocols have been proposed to satisfy the above requirements [3-8, 1, 9-11]. These protocols are divided into two groups. One group uses public key cryptosystems and the other group uses secret key cryptosystems. The mobile communication standards (e.g. GSM [9], DECT [10]) adopt the secret key based protocols because secret key cryptosystems are much faster than ....
.... attack and immunized it [1]. Aziz and Diffie proposed a protocol providing good forward secrecy [15]. Boyd and Mathuria showed that this protocol is also vulnerable to a man in 1 Tatebayashi, Matsuzaki, and Newman proposed the first key establishment protocol using public key cryptosystem [3]. After that, Park, Kurosawa, Okamoto, and Tsujii showed that the protocol is not secure and proposed a new key establishment protocol [4]. However, these protocols are End to End protocol for providing secure communication channel between mobile stations, and this paper focuses on the link ....
M. Tatebayashi, N. Matsuzaki, and J. David B.Newman, "Key distribution protocol for digital mobile communication systems," in Advances in Cryptology - Crypto'89, pp. 324--334, Springer Verlag, 1990.
....to the widespread popularity of RSA with low encrypting exponent, our attacks potentially have implications to the security of a wide range of current and future cryptographic protocols. In this section we show how our attacks reveal vulnerabilities in two protocols. 4 5. 1 The TMN protocol In [13], Tatebayashi, Matsuzaki and Newman proposed a key distribution protocol. In this protocol, a passive eavesdropper sees r e 1 mod N , r e 2 mod N , and r 1 r 2 mod N exchanged among the protocol participants, where e = 3 and r 1 , r 2 are randomly generated values. The techniques of the ....
....generated values. The techniques of the previous sections enable a passive eavesdropper to learn the shared session key r_2 distributed in the protocol. Simmons [11] previously found an active attack on this scheme (requiring two conspirators) for which three countermeasures were suggested in [13]. The first two countermeasures, incorporating structure into r_1 and r_2, and prepending timestamps to r_1 and r_2, do not prevent our passive attack. The third, which assumes a shared secret key between the server and each party, appears to withstand our attack. Park et al. [7] exploited the ....
M. Tatebayashi and N. Matsuzaki and D. B. Newman. Key distribution protocol for digital mobile communication systems. In Advances in Cryptology - CRYPTO '89 (Lecture Notes in Computer Science 435), G. Brassard, Ed. 1990, pp. 324-333, Springer-Verlag.
....satisfies the criteria and that the previous and new states satisfy the relationships expressed by the constraints. That is, the initial state is the basis case and the induction is on the transforms. Kemmerer utilizes his system to analyze a protocol given by Tatebayashi, Matsuzaki, and Newman [TMN91] in [KMM93]. The critical requirement that the system is to satisfy in all states (called the criterion) for the TMN protocol is: the only key that is known to the intruder and that is also a key that was used by the system is the Server's public key. Figure 2.4, taken from [KMM93] ....
....relationships that must hold in order for the protocol to work as desired. By adding the ASSUME statements: S: assume(global.decrypt(B.kb ,S.kb ) S: assume(global.decrypt(A.ka ,S.ka ) the verification condition simplifies to TRUE. The Tatebayashi, Matsuzaki, and Newman (TMN) protocol [TMN91] is another cryptographic protocol that utilizes asymmetric key cryptography. It is particularly interesting because it uses a combination of symmetric and asymmetric key methods in order to pass a key to be used in a symmetric key secure communication session. In the protocol, A and B secure ....
Tatebayashi, M., N. Matsuzaki, D. B. Newman, "Key Distribution Protocol for Digital Mobile Communication Systems," in Advances in Cryptology - CRYPTO '89, LNCS 435, G. Brassard, ed. Springer-Verlag, 1991, pp. 324-333
....then depend on whether the specifications capture the right thing. A good example of what can be achieved and what can be missed is provided by analysis of the TMN protocol (which is well known to suffer from flaws and therefore provides a good test bed for analytic techniques). The TMN protocol [12] is described by the following series of messages: 1. A S : B ; e P (pks ; ra) 2. S B : A:req 3. B S : e P (pks ; rb) 4. S A : v(ra; rb) where e P (k ; m) is the public key encryption of m under key k (the only such key being pks , the public key of the server S ) and v(ra; rb) ....
Makoto Tatebayashi, Natsume Matsuzaki, and David B. Newman, Jr. Key distribution protocol for digital mobile communication systems. In Advances in Cryptology: Proceedings of Crypto '89, volume 435 of Lecture Notes in Computer Science, pages 324--333. Springer-Verlag, 1990.
....In recent work with Lowe, we have modified his tool Casper to adopt this approach, generally gaining substantial efficiency improvements. 7 The TMN protocol: handling servers and staleness Originally proposed as a protocol for use in mobile telecommunications, TMN (Tatebayashi-Matsuzaki-Newman) [33] is a favourite protocol for running protocol analysis tools on because there are so many attacks against it. Obviously there is no point in attempting to prove the original version correct, so we take as our starting point the final version of [20] which is claimed to have reasonable properties. ....
M. Tatebayashi, N. Matsuzaki and D.B. Newman, Key distribution protocol for digital mobile communication systems, Advances in Cryptology: Proceedings of Crypto '89, Lecture Notes in Computer Science 435, 324-333, Springer-Verlag, 1990.
.... B : {Nb}Kb was uncovered in 135 seconds, exploring 3657 states with time bound 11 (t starts from 0). The system configuration was 1 initiator, 1 responder, and 1 intruder. TMN Protocol The second benchmark protocol that was analyzed using the prototype model checker is the TMN protocol [12]. This protocol is intended to be used in mobile phone systems for session key distribution. It is as follows: A S : B; {Na}Ks S B : A B S : A; {Nb}KS S A : B; N b N a At the end of the protocol, nonce {Nb} is taken as a shared secret between initiator A and responder B. ....
M. Tatebayashi, N. Matsuzaki, D. B. Newman, "Key Distribution Protocol for Digital Mobile Communication Systems," Advances in Cryptology - CRYPTO '89, LNCS 435, G. Brassard, ed. Springer-Verlag, 1991, pp. 324-333.
....successive steps: formulate the protocol, add an adversary to the system, state the desired correctness condition, run the protocol for some specific choice of system size parameters, experiment with alternate formulations, and repeat. Murφ has been used to demonstrate flaws already known, as TMN [33] and Kerberos version 5 [34]. A useful aspect of the Murφ approach is that it is feasible to modify a system description to reflect a situation where one or more pieces of secret information have been compromised. The standardised language LOTOS [35, 36] has also been used to specify security ....
....uses the ASTRAL model checker [42] to check the ability of satisfaction of critical requirements of an ASTRAL specification by enumerating possible runs of transitions within a given time. ASTRAL has been applied on the Needham-Schroeder public key authentication protocol [2] and the TMN protocol [33]. The ASTRAL model checker missed a bug in TMN, because it required excessive execution time under the given ASTRAL coding of the specification. Furthermore, the ASTRAL approach uncovers simple bugs also uncovered by Murφ tool. The above results are preliminary, but it is expected that ASTRAL will ....
Tatebayashi M., Matsuzaki N., Neuman D., Key distribution protocol for digital mobile communication systems, Proceedings of CRYPTO '89, (1990) 324-333, Springer Verlag.
....key for the signature verification during the EXTERNAL AUTH command. This new version of the standard has not yet been analyzed. 5.3 The TMN protocol We used Otter for the analysis of various other protocols, among these the TMN protocol presented by Tatebayashi, Matsuzaki, and Newman in [23] which uses both an asymmetric and a symmetric algorithm. This protocol presents various problems, the most interesting of which is a flaw due to the homomorphic property of RSA (the multiplication of two encryptions being the same as the encryption of the multiplication of the two respective ....
.... the most interesting of which is a flaw due to the homomorphic property of RSA (the multiplication of two encryptions being the same as the encryption of the multiplication of the two respective plaintexts). A possible attack that exploits this property was first pointed out by Simmons (see [23]). We analyzed this protocol and were able to formally verify this attack, in particular since the above property can easily be formalized using our methodology. Note that most of the approaches we described in section 2 do not have the necessary generality to formalize the homomorphic property ....
M. Tatebayashi, N. Matsuzaki, and Newman. Key distribution protocol for digital mobile communication systems. In G. Brassard, editor, Advances in Cryptology - CRYPTO '89, volume 435 of LNCS, pages 324--333. SV, 1991.
....protocol can lead to an undesirable situation, such as compromising a key. Although this method can not guarantee absolute safety, it works very well in identifying specific protocol flaws. The method has been successfully used to find various known flaws in protocols such as the [42], [19], [43], [44] and [45]. No previously undetected vulnerabilities in well known protocols have been discovered using this method. The tool's applicability is limited by the operators it supports (conventional and public key encryption, exclusive or and limited finite field exponentiation). 3.2.3. ....
Tatebayashi M., Matsuzaki N., Newman D. Key Distribution Protocol for Digital Mobile Communications Systems. In: Advances in Cryptology, CRYPTO '89. Springer Verlag, 1989, pp. 324-333 (Lecture Notes in Computer Science no. 435)
....based analysis of security protocols is profitable. We report here some of them containing well known attacks: the Yahalom protocol presented [1] and shown insecure in [17], the Andrew protocol [16] with the attack presented in [8], the Otway Rees [14] shown flawed in [15], and the TMN protocol [18] with the attacks reported in [11]. All the attacks on these protocols presented in the literature have been captured by CVS. Moreover, in the TMN we have found an attack which seems new. The Otway Rees is particularly interesting since it requires an enemy with memory in order to attack it. In ....
M. Tatebayashi, N. Matsuzaki, and D. B. Newman Jr. "Key distribution protocol for digital mobile communication system ". Advances in Cryptology: Proceedings of Crypto '89, 435:324--333, 1990.
....mobile communications. Due to space restrictions we cannot consider any more protocols in detail here. We briefly mention two other prominent sets of protocols. 5.1 TMN Protocol One of the earliest suggested protocols for use in a mobile environment was that of Tatebayashi, Matsuzaki and Newman [17], which has widely become known as the TMN protocol. In distinction to the protocols examined above, the TMN protocol takes place between two mobile stations M and M′ who wish to exchange a session key to provide end to end security, making use of a server S. The design takes account of the ....
M. Tatebayashi, N. Matsuzaki and D.B. Newman Jr., "Key Distribution Protocol for Digital Mobile Communications Systems", Advances in Cryptology -- Crypto'89, Springer-Verlag, 1990, pp.324-333.
....grows rapidly as the number of initiators and responders increase. For example, with two initiators and responders, Murφ and Brutus explore over 10,000 times as many states as Athena. We have also used Athena to find the known attacks in the Needham-Schroeder protocol [18] and the TMN protocol [24]. We have also used Athena to prove certain properties of the 1KP protocol [1] and the Kerberos protocol [10, 11]. Detailed results about these experiments can be found in [23]. 6. Conclusions We propose an efficient automatic checking algorithm, Athena, for analyzing security protocols. Athena ....
M. Tatebayashi, N. Matsuzaki, and D. Newman. Key distribution protocol for digital mobile communication systems. In Proc. CRYPTO'89, 1990.
....the intruder must contain the honest agents' identities, as explained above, along with a single session key, to meet the requirements outlined in Section 3. We may then use the result of this paper to deduce that there is no attack upon any larger system. 4.2 The TMN Protocol The TMN Protocol [25] is a well known flawed protocol. It uses a bit wise exclusive or encryption, which we cannot deal with in our current formalism (using a bit wise exclusive or encryption introduces extra flaws, because it has additional algebraic properties; further, it can interact with public key encryption to ....
M. Tatebayashi, N. Matsuzaki, and D. B. Newman, Jr. Key distribution protocol for digital mobile communication systems. In Advances in Cryptology: Proceedings of Crypto '89, volume 435 of Lecture Notes in Computer Science, pages 324--333. Springer-Verlag, 1990.
....is based on the Dolev and Yao model [23] in which an intruder produces words in a term rewriting system, we will consider it a Type IV approach. Kemmerer, Meadows and Millen provide an in-depth analysis of their respective systems [39]. They analyze a protocol by Tatebayashi, Matsuzaki and Newman [80] and compare the process in which each system discovers the flaw in that protocol. Their paper is recommended for people who wish to further explore these approaches to protocol analysis. 6.1 The Interrogator The Interrogator, by Millen et al. [51] is a noteworthy effort to apply expert systems ....
M. Tatebayashi, N. Matsuzaki, and D. B. Newman. Key distribution protocol for digital mobile communication systems. Advances in Cryptology: Proceedings of Crypto 89, pages 3234--333, 1991.
....of several undergraduate projects. The approach described in this paper has been applied to a number of other protocols, including the Andrew Protocol [3], the Kerberos Protocol [20, 3], the CCITT X.509 Protocol [3], the Yahalom Protocol [3], a number of ISO protocols [9, 10], the TMN Protocol [30], the Denning Sacco public key protocol [4], the Woo and Lam protocols [31] and the SPLICE Protocol [32]. Some of these case studies are available via the Casper World Wide Web page [15]. The techniques seem to scale well to medium sized protocols, albeit with a reduction in the size of the ....
Makoto Tatebayashi, Natsume Matsuzaki, and David B. Newman, Jr. Key distribution protocol for digital mobile communication systems. In Advances in Cryptology: Proceedings of Crypto '89, volume 435 of Lecture Notes in Computer Science, pages 324--333. Springer-Verlag, 1990.
....Due to the widespread popularity of RSA with low encrypting exponent, our attacks potentially have implications to the security of a wide range of current and future cryptographic protocols. In this section we show how our attacks reveal vulnerabilities in two protocols. 5. 1 The TMN protocol In [13], Tatebayashi, Matsuzaki and Newman proposed a key distribution protocol. In this protocol, a passive eavesdropper sees r e 1 mod N , r e 2 mod N , and r 1 r 2 mod N exchanged among the protocol participants, where e = 3 and r 1 , r 2 are randomly generated values. The techniques of the ....
....generated values. The techniques of the previous sections enable a passive eavesdropper to learn the shared session key r_2 distributed in the protocol. Simmons [11] previously found an active attack on this scheme (requiring two conspirators) for which three countermeasures were suggested in [13]. The first two countermeasures, incorporating structure into r_1 and r_2, and prepending timestamps to r_1 and r_2, do not prevent our passive attack. The third, which assumes a shared secret key between the server and each party, appears to withstand our attack. Park et al. [7] exploited ....
M. Tatebayashi and N. Matsuzaki and D. B. Newman. Key distribution protocol for digital mobile communication systems. In Advances in Cryptology---CRYPTO '89 (Lecture Notes in Computer Science 435), G. Brassard, Ed. 1990, pp. 324--333, Springer-Verlag.
....our investigation of three protocols. First, we repeat Lowe's analysis of the Needham-Schroeder protocol, finding a violation of the correctness condition in a simplified protocol, and then failing to find a violation in a repaired version of the protocol. Next, we analyze the TMN protocol [18], first finding a simple error also identified by two of the three tools described in a comparative study by Kemmerer, Meadows and Millen [7]. These three This work was supported in part by the Defense Advanced Research Projects Agency through NASA contract NAG 2 891, and the National Science ....
....After modifying our system description to eliminate the first error, our system finds a second automatically. With some minor refinement of the cryptographic model, based on general principles we present in this paper, a third run also uncovers a related RSA specific error that is explained in [18] and also discovered by the third tool in Kemmerer, Meadows and Millen's comparative study (but not the other two tools). We also investigate Kerberos, version 5, finding a failure in a simplified version based on documentation [9] and then verifying a repaired version that is closer to the ....
M. Tatebayashi, N. Matsuzaki, and D. Newman. Key distribution protocol for digital mobile communication systems. In Proc. CRYPTO '89, pages 324--333, 1990.
....attack on TMN False key attacks are not the only protocol failures which exploit the mathematical properties of the underlying algorithms. These failures can sometimes be quite subtle, and an interesting example is the attack found by Simmons on the TMN (Tatebayashi Matsuzaki Newmann) scheme [TMN89]. Here, two users want to set up a session key, but with a trusted server doing most of the work (the users might be smartcards). If Alice and Bob are the users, and the trusted server Sam can factor N, then the protocol goes as follows: A → S : r_A^3 (mod N) B → S : r_B^3 (mod ....
M Tatebayashi, N Matsuzaki, DB Newman, "Key distribution protocol for digital mobile communication systems", in Advance in Cryptology --- CRYPTO '89, Springer LNCS 435 pp 324--333
....to perform one asymmetric encryption, one symmetric decryption and one hash operation in our registration protocol. Although asymmetric encryption is much slower than symmetric encryption, it is still possible to be implemented efficiently in a smart card, e.g. using RSA system with low exponent [17]. In the service request protocol, U's major computation overheads are the generation of a hash chain and a digital signature. With the current smart card technology [11] a 1024 bit RSA signature can be generated in about half a second. The hash operation is very fast and a hash chain with the ....
M. Tatebayashi, N. Matsuzaki and D. B. Newman. Key distribution protocol for digital mobile communication systems. Lecture Notes in Computer Science 435, Advances in Cryptology: Proceedings of Crypto'89, pages 324--334, Santa Barbara, California, August 1989.
M. Tatebayashi, N. Matsuzaki, and D. B. Jr. Neuman. Key Distribution Protocol for Digital Mobile Communication Systems. In G. Brassard, editor, Proceedings of Advances in Cryptography | CRYPTO'89, volume 435 of Lecture Notes in Computer Science, pages 324-334. Springer-Verlag, 1990.
M. Tatebayashi, N. Matsuzaki, and D. B. Newman, "Key distribution protocol for digital mobile communication systems," Advances in Cryptology - CRYPTO'89, pp. 324--334, 1989, LNCS Volume 435, Springer-Verlag.
M. Tatebayashi, N. Matsuzaki, and D.B. Newman. Key distribution protocol for digital mobile communication systems. In Advance in Cryptology --- CRYPTO '89, volume 435 of LNCS, pages 324--333. Springer-Verlag, 1989.
M. Tatebayashi, N. Matsuzaki, and D. B. Jr. Newman. Key distribution protocol for digital mobile communication systems. In Advances in Cryptology - Crypto '89, pages 324--334, 1989. Lecture Notes in Computer Science Volume 435.
Makoto Tatebayashi, Natsume Matsuzaki, and David B. Newman Jr. Key distribution protocol for digital mobile communication systems. In G. Brassard, editor, Advances in Cryptology: Proceedings of CRYPTO '89, volume 435 of Lecture Notes in Computer Science, pages 324-333. Springer-Verlag, Berlin Germany, 1990.
Makoto Tatebayashi, Natsume Matsuzaki, and David B. Newman, Jr. Key distribution protocol for digital mobile communication systems. In Proceedings of CRYPTO'89, pages 324-334.
M. Tatebayashi, N. Matsuzaki, and D. B. Jr. Newman. Key distribution protocol for digital mobile communication systems. In Advances in Cryptology - Crypto '89, pages 324--334, 1989. Lecture Notes in Computer Science Volume 435.
M. Tatebayashi, N. Matsuzaki, and D. B. Jr. Newman. Key distribution protocol for digital mobile communication systems. In Advances in Cryptology - Crypto '89, pages 324--334, 1989. Lecture Notes in Computer Science Volume 435.
Tatebayashi, M., Matsuzaki, N., and Newman, D. B., "Key Distribution Protocol for Digital Mobile Communications Systems", Advances in Cryptology - CRYPTO `89, pp. 324-333.
M Tatebayashi, N Matsuzaki, DB Newman, "Key distribution protocol for digital mobile communication systems", in Advance in Cryptology --- CRYPTO '89, Springer LNCS 435 pp 324--333