G. Lowe. Some New Attacks upon Security Protocols. In Proc. of 19th IEEE Computer Security Foundations Workshop (CSFW'96), volume 1055 of Lecture Notes in Computer Science, pages 147--166. Springer-Verlag, 1996.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....small size can be tackled. Despite the various techniques existing to loosen this limit as much as possible [73] the model protocols still are very small. They typically account for at most three or four agents, including the spy. Many attacks have been discovered by model checking techniques [64, 67]. However, if the system of limited size does not su#er any attacks, it is not obvious that neither does the system of arbitrary size. This result has been proved by pen and paper on a specific protocol [66] while another model checker, the NRL Protocol Analyzer [75] also allows mechanised ....

G. Lowe. Some New Attacks upon Security Protocols. In Proceedings of the 9th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, 1996.

....key kA and proceeds. 10. Analogously, B verifies the authentication signature of A by decrypting TokenAB , and checking the signature on it using kA and knowledge of the expected pair of data RA ; RB . 11. Analogously, B sets kAB to be the shared key with A in this exchange. Lowe argued in [21] that this protocol is subject to attack. Specifically: Message 1 A CB : RA C B : RA B C : RB ; fsB [RB ; RA ]g kAB Message 2 CB A : RB ; fsB [RB ; RA ]g kAB Message 3 A CB : fsA [RA ; RB ]g kAB Here, messages 1, 2, and 3 are a protocol run that Alice attempts to run with Bob, ....

....authentication goals, this attack would seem to do so in the presence of such an application. One possible solution would be to strengthen the protocol to include the name of the intended recipient of each message within the signature. In fact, this is the revision suggested by Lowe in [21]. STS so strengthened appears to satisfy agreement. Another possible solution is to restrict the application environment in some way. For example, in the case of the STS protocol, we could require that any protocol that makes use of a key generated by an instance of the STS protocol would need to ....

G. Lowe. Some new attacks upon security protocols. In Proceedings of the 9th IEEE Computer Security Foundations Workshop (CSFW9), pages 162--169. IEEE Computer Society Press, June 1996.

....active attacker. Very often, AGKAP s are defined together with a number of subprotocols enabling dynamic changes in group constitution ( 2] 6] ll] Although the experience has shown how complex it is to define security protocols that can be used in the presence of active attackers (see [8] [12] for instance) AGKAP s have rarely been systematically studied until now: only sketch proofs or informal arguments were given to convince of their correctness in their presentation ( 2] 11] Two types of methods, coming from two little related communities, have been developed for the study of ....

G. Lowe. Some new attacks upon security protocols. In Proceedings of 9th IEEE Computer Security Foundations Workshop, pages 162-169. IEEE Computer Society Press, 1996.

....the original semibundle but also possible solutions for smaller semibundles. Dually, flaws exhibited by a semibundle are exhibited by larger semibundles as well. This is important in practice. For instance, it allows to easily detect flaws associated to incomplete runs, like the one shown by Lowe [26] on the Woo and Lam mutual authentication protocol [40] More expressiveness In particular, it allows the principals to perform explicit checks. Security protocols may perform tests at some stage of their execution. To model this in a natural yet accurate way, it is necessary to extend the ....

....by S # as well. This is of crucial practical importance. For instance, some vulnerabilities may only be found when considering partial runs. This is the case of the Woo and Lam mutual authentication protocol [40] which we introduce next. A possible attack of this protocol is described by Lowe [26]. The protocol aims at establishing a session key and provides mutual authentication between two agents A and B, with the help of a trusted server S. B : A, NA ] A : B, NB ] B : A, B, NA , NB ] # KAS S : A, B, NA , NB ] # KAS , A, B, NA , NB ] # KBS Message 5. S B : B, NA , ....

G. Lowe. Some new attacks upon security protocols. In PCSFW: Proceedings of The 9th Computer Security Foundations Workshop. IEEE Computer Society Press, 1996.

....Specification and verification of protocol goals Having set up a model of the protocol like this, we have to decide what constitutes an attack, or equivalently, what specification the system hopes to satisfy. A tremendous amount of literature has been devoted to this point, for example [DvOW92, Low96b, Ros96] This section provides an informal overview of the security properties we will be focusing on, how they are captured through appropriate specifications within our CSP models and how they are verified using FDR. Security protocols are expected to be able to provide certain security ....

G. Lowe. Some new attacks upon security protocols. In 9th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, 1996.

....derived from KABC rather than KABC itself. The symmetric encryptions can be replaced by appending MACs to the signatures with the usual safeguards. If the expected recipients identities were not included in the signatures this protocol would be vulnerable to an extension of an attack due to Lowe [27]. This attack exploits an authentication error and allows a limited form of unknown key share attack. To perform it, we assume adversary D has control of the network. The attack is as follows. 1. DC intercepts message (2) then D forwards (2) replacing CertB with CertD to C as if it originated ....

G. Lowe. Some new attacks upon security protocols. In PCSFW: Proceedings of The 9th Computer Security Foundations Workshop. IEEE Computer Society Press, 1996.

....consisting of three phases, Kerberos. 1 Introduction A number of applications ranging from electronic transactions over the Internet to banking transactions over financial networks make use of security protocols. It has been shown that the protocols often fail to meet their claimed goals [AN96,Low96] so a number of approaches for analysing them formally have been developed [Low95,BR97,Pau98,Bel99] The threats to the protocols come from malicious principals who manage to monitor the network tra#c building fake messages at will. A major protocol goal is confidentiality, confirming that a ....

G. Lowe. Some New Attacks upon Security Protocols. In In Proc. of Computer Security Foundations Workshop (CSFW96), pages 139--146. IEEE Press, 1996.

.... [1] A B: A; N a [2] B A: B; N b [3] A B: fA; B; N a ; N b gKas [4] B S: fA; B; N a ; N b gKas ; fA; B; N a ; N b gK bs [5] S B: fB; N a ; N b ; K ab gKas ; fA; N a ; N b ; K ab gK bs [6] B A: fB; N a ; N b ; K ab gKas ; fN a ; N b gK ab [7] A B: EfN b gK ab An attack is given in [14]. Mallory impersonates both Alice and a trusted third party Server. She uses two tricks. She uses Bob s identifier as a nonce in the first message. Then, in order to generate the key certificate from Server in the fifth message, she initiates a parallel run in which she impersonates Alice. In the ....

Gavin Lowe. "Some New Attacks upon Security Protocols," In Proceedings of 9th IEEE Computer Security Foundations Workshop, 1996.

....such as, theorem proving [1, 2, 6, 12] Second, if a property does not hold, a counter example is produced by the model checker which helps in understanding why the property does not hold. Last, but not the least, model checking has previously been used successfully to verify security protocols [8, 9, 10, 11]. In this paper we use the Failure Divergence Refinement (FDR) model checker [7] An e commerce protocol, being distributed in nature, is subject to site and or communications failures. Are the desirable properties satisfied in the event of a failure Which properties are valid when some site ....

.... Once the customer is satisfied with his comparison, he sends his payment token to the third party (step 5) The third party verifies the customer s financial information and forwards the decrypting key to the customer (step 6) and the payment token to the merchant (step 7) 3 Related Work Lowe [9, 10, 11] have used the FDR model checker to find attacks on cryptographic protocols. Roscoe et al. 15] have used the FDR model checker together with data independence techniques to prove that some security protocols are free from attacks. Heintze et al. 8] focus on the non security aspects of ....

G. Lowe. Some New Attacks Upon Security Protocols. In Proceedings of the IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, 1996.

....such as, theorem proving [2, 3, 7, 15] Second, if a property does not hold, a counter example is produced by the model checker which helps in understanding why the property does not hold. Last, but not the least, model checking has previously been used successfully to verify security protocols [9, 10, 11, 12]. In this paper we use the Failure Divergence Refinement (FDR) model checker [8] The protocol that is analyzed is expressed as a communicating sequential process (CSP) 18] which we call SYSTEM. Each property that we wish to check is expressed as another CSP process, which we call SPEC. If ....

....the messages exchanged are appropriately signed, encrypted and (when required) sent along with a cryptographic checksum. Since we do not focus on the cryptographic aspects of the protocol in this work, such details are abstracted away and not shown in table 1. 3 Related Work Lowe [10, 11, 12] have used the FDR model checker to find attacks on cryptographic protocols. Roscoe et al. 17] have used the FDR model checker together with data independence techniques to prove that some security protocols are free from attacks. Heintze et al. 9] focus on the non security aspects of ....

G. Lowe. Some New Attacks Upon Security Protocols. In Proceedings of the

....uses cryptography to aim at security services such as authentication and key distribution (or key agreement) for session keys. Despite their simplicity, cryptographic protocols are frequently wrong. Lowe estimates that about half the protocols published fail to achieve their goals in some respect [28]. Since this comment concerns only published, peer reviewed protocols, one may imagine that the success rate for proprietary protocols would be lower. However, as a consequence of intense work on this problem, including apparently hundreds of published papers, 2 the quality of newer protocols ....

Gavin Lowe. Some new attacks upon security protocols. In Proceedings of the Computer Security Foundations Workshop IX. IEEE Computer Society Press, 1996.

....spy below. Agents trying to communicate over an insecure network execute suitable security protocols to take advantage of the protocol goals. A major goal is con dentiality, which holds of a message that remains undisclosed to the spy. Failure to achieve the claimed goals of a protocol [AN96,Low96,LR97] has motivated a number of approaches to reasoning formally on security protocols (e.g. Low95,BR97,Pau98,Bel99] Our original contribution to formal protocol analysis is an approach to modelling any network con guration arising from the execution of a protocol as a soft constraint ....

G. Lowe. Some New Attacks upon Security Protocols. In In Proc. of Computer Security Foundations Workshop (CSFW96), pages 139-146. IEEE Press, 1996.

No context found.

G. Lowe. Some New Attacks upon Security Protocols. In Proc. of 19th IEEE Computer Security Foundations Workshop (CSFW'96), volume 1055 of Lecture Notes in Computer Science, pages 147--166. Springer-Verlag, 1996.

No context found.

G. Lowe. Some new attacks upon security protocols. In Proc. 9th Computer Security Foundations Workshop, pages 162--169. IEEE, 1996.

No context found.

G. Lowe. Some New Attacks upon Security Protocols. In Proceedings of the 9th IEEE Computer Security Foundations Workshop. IEEE Computer Society Press, 1996.

No context found.

G. Lowe. Some new attacks upon security protocols. In Proceedings of 9th IEEE Computer Security Foundations Workshop, pages 162--169. IEEE, 1996.

No context found.

G. Lowe. Some new attacks upon security protocols. In Proceedings of 9th IEEE Computer Security Foundations Workshop, pages 162--169. IEEE Computer Society Press, 1996.

No context found.

G. Lowe. Some new attacks upon security protocols, 9th IEEE Computer Security Foundations Workshop, pp. 162--169, IEEE Computer Society Press.

No context found.

G. Lowe. Some new attacks upon security protocols. In Proceedings of 9th IEEE Computer Security Foundations Workshop, pages 162--169. IEEE, 1996.

No context found.

G. Lowe. Some new attacks upon security protocols. In PCSFW: Proceedings of The 9th Computer Security Foundations Workshop, pages 162--169. IEEE Computer Society Press, 1996.

No context found.

Lowe, G. Some New Attacks upon Security Protocols. (1996.

No context found.

G. Lowe. Some new attacks upon security protocols. In Proc. 9th Computer Security Foundations Workshop, pages 162--169. IEEE, 1996.

No context found.

G. Lowe. Some new attacks upon security protocols. In Proc. 9th IEEE Computer Security Foundations Workshop, pages 162--169, 1996.

No context found.

Lowe, G.: Some New Attacks upon Security Protocols. 9th IEEE Computer Security Foundations Workshop, 1996.

No context found.

Gavin Lowe. Some new attacks upon security protocols. In PCSFW: Proceedings of The 9th Computer Security Foundations Workshop. IEEE Computer Society Press, 1996.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC