Skip to main content
SpringerLink
Log in

Non-collaborative Attackers and How and Where to Defend Flawed Security Protocols (Extended Version)

  • Conference paper
  • First Online:
Security Protocols XXII (Security Protocols 2014)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8809))

Included in the following conference series:

Abstract

Security protocols are often found to be flawed after their deployment. We present an approach that aims at the neutralization or mitigation of the attacks to flawed protocols: it avoids the complete dismissal of the interested protocol and allows honest agents to continue to use it until a corrected version is released. Our approach is based on the knowledge of the network topology, which we model as a graph, and on the consequent possibility of creating an interference to an ongoing attack of a Dolev-Yao attacker, by means of non-collaboration actuated by ad-hoc benign attackers that play the role of network guardians. Such guardians, positioned in strategical points of the network, have the task of monitoring the messages in transit and discovering at runtime, through particular types of inference, whether an attack is ongoing, interrupting the run of the protocol in the positive case. We study not only how but also where we can attempt to defend flawed security protocols: we investigate the different network topologies that make security protocol defense feasible and illustrate our approach by means of concrete examples.

This work was partially supported by the EU FP7 Project no. 257876, “SPaCIoS: Secure Provision and Consumption in the Internet of Services” (www.spacios.eu) and the PRIN 2010-11 project “Security Horizons”. Much of this work was carried out while Luca Viganò was at the Università di Verona.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    It is interesting to note how this idea of “living with flaws” is becoming more and more widespread; see, e.g., [9] where runtime monitors are employed to warn users of android applications about “man in the middle” attacks on flawed implementations of SSL. Our approach is also related to signature-based intrusion detection systems, but we leave the detailed study of the relations of our approach with runtime monitors and signature-based intrusion detection systems for future work.

  2. 2.

    In the following, we focus on one competitor (i.e., one attacker), but it is quite straightforwardly possible to extend our work to multiple competitors.

  3. 3.

    If an attacker were omniscient and omnipotent (i.e., if he were to control the whole network) then there’d actually be no “space” for another attacker, and thus there’d be no interference. The more “adventurous” reader may want to compare this with the proof of the uniqueness of God by Leibniz, which was based on the arguments started by Anselm of Canterbury and was later further refined by Gödel.

  4. 4.

    In this paper we only use the inflow-spy and the outflow-spy filters and not the restricted-spy filter used in the previous exploratory works. This is due to the fact that we can certainly know who we want to defend, but we cannot know who the attackers are and we want to have the possibility of intercepting all outgoing/incoming messages which leave/come from/to an agent \(X\).

  5. 5.

    In [14, 15], we analyzed two protocols: (i) a key transport protocol described as an example in [6], which we thus called the Boyd-Mathuria Example (BME), and (ii) the Shamir-Rivest-Adleman Three-Pass protocol(SRA3P [8]), which has been proposed to transmit data securely on insecure channels, bypassing the difficulties connected to the absence of prior agreements between the agents \(A\) and \(B\) to establish a shared key.

  6. 6.

    This channel could be a digital or a physical channel, say a text message sent to a mobile (as in some two-factor authentication or e-banking systems), a phone call (as in burglar alarm systems), or even a flag raised (as is done on some beaches to signal the presence of sharks). We do not investigate the features of this channel further but simply assume, as done in all the above three examples of runtime guarding (monitoring) systems, that such a channel actually exists.

  7. 7.

    We do not make assumptions on the real topology of the network between \(A\) and \(S\) (i.e., there could be more than one channel) but only consider the fact that the communications from \(E\) are received by \(G\).

  8. 8.

    We deliberately wrote “protocol” instead of “protocols” since, for now, we are not going to consider multi-protocol attacks or protocol composition, e.g., [7, 10, 17]. As future work, we envision a distinguisher able to distinguish between messages belonging to different protocols and thus consider also the attacks that occur when messages from one protocol may be confused with messages from another protocol.

  9. 9.

    Formally, for the ISO-SC 27 we have: \(f^{-1}(f(N_A,2),2) = f^{-1}(N_A,2) = N_A\) (where \(s = 2\) refers to message \((2)\) in Table 4 or, equivalently, message \((1.2)\) in Table 2).

References

  1. Armando, A., Arsac, W., Avanesov, T., Barletta, M., Calvi, A., Cappai, A., Carbone, R., Chevalier, Y., Compagna, L., Cuéllar, J., Erzse, G., Frau, S., Minea, M., Mödersheim, S., von Oheimb, D., Pellegrino, G., Ponta, S.E., Rocchetto, M., Rusinowitch, M., Torabi Dashti, M., Turuani, M., Viganò, L.: The AVANTSSAR platform for the automated validation of trust and security of service-oriented architectures. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 267–282. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  2. Basin, D., Caleiro, C., Ramos, J., Viganò, L.: Distributed temporal logic for the analysis of security protocol models. Theor. Comput. Sci. 412(31), 4007–4043 (2011)

    Article  MATH  Google Scholar 

  3. Bella, G.: A protocol’s life after attacks. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2003. LNCS, vol. 3364, pp. 11–18. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  4. Bella, G., Bistarelli, S., Massacci, F.: Retaliation against protocol attacks. J. Inf. Assur. Secur. 3, 313–325 (2008)

    Google Scholar 

  5. Blanchet, B.: An efficient cryptographic protocol verifier based on Prolog rules. In: Proceedings of CSF’01, pp. 82–96. IEEE CS Press (2001)

    Google Scholar 

  6. Boyd, C., Mathuria, A.: Protocols for Authentication and Key Establishment. Information Security and Cryptography. Springer, Heidelberg (2003)

    Book  Google Scholar 

  7. Ciobâcǎ, S., Cortier, V.: Protocol composition for arbitrary primitives. In: Proceedings of CSF’10. IEEE CS Press (2010)

    Google Scholar 

  8. Clark, J., Jacob, J.: A survey of authentication protocol literature: Version 1.0 (1997)

    Google Scholar 

  9. Conti, M., Dragoni, N., Gottardo, S.: MITHYS: mind the hand you shake - protecting mobile devices from SSL usage vulnerabilities. In: Accorsi, R., Ranise, S. (eds.) STM 2013. LNCS, vol. 8203, pp. 65–81. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  10. Cortier, V., Delaune, S.: Safely composing security protocols. Form. Methods Syst. Des. 34(1), 1–36 (2009)

    Article  MATH  Google Scholar 

  11. Cremers, C.J.F.: The Scyther tool: verification, falsification, and analysis of security protocols. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 414–418. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  12. Dolev, D., Yao, A.: On the security of public key protocols. IEEE Trans. Inf. Theor. 29(2), 198–208 (1983)

    Article  MathSciNet  MATH  Google Scholar 

  13. Escobar, S., Meadows, C., Meseguer, J.: Maude-NPA: cryptographic protocol analysis modulo equational properties. In: Aldini, A., Barthe, G., Gorrieri, R. (eds.) FOSAD 2007/2008/2009. LNCS, vol. 5705, pp. 1–50. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  14. Fiazza, M.-C., Peroli, M., Viganò, L.: Attack interference: a path to defending security protocols. In: Obaidat, M.S., Sevillano, J.L., Filipe, J. (eds.) ICETE 2011. CCIS, vol. 314, pp. 296–314. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  15. Fiazza, M.-C., Peroli, M., Vigano, L.: An environmental paradigm for defending security protocols. In: 2012 International Conference on Collaboration Technologies and Systems (CTS), May 2012, pp. 427–438 (2012)

    Google Scholar 

  16. ISO: ISO-IEC JTC1.27.02.2(20.03.1.2) entity authentication using symmetric techniques. International Organization for Standardization (ISO) (1990)

    Google Scholar 

  17. Mödersheim, S., Viganò, L.: Secure pseudonymous channels. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 337–354. Springer, Heidelberg (2009)

    Chapter  Google Scholar 

  18. Peroli, M., Viganò, L., Zavatteri, M.: Non-collaborative Attackers and How and Where to Defend Flawed Security Protocols (Extended Version) (2014). http://arxiv.org/abs/1405.6912

  19. Ryan, P., Schneider, S., Goldsmith, M., Lowe, G., Roscoe, B.: Modelling and Analysis of Security Protocols. Addison Wesley, Reading (2000)

    Google Scholar 

  20. Viganò, L.: Automated security protocol analysis with the AVISPA tool. Electron. Notes Theor. Comput. Sci. 155, 61–86 (2006)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Dipartimento di Informatica, Università di Verona, Verona, Italy

    Michele Peroli & Matteo Zavatteri

  2. Department of Informatics, King’s College London, London, UK

    Luca Viganò

Authors
  1. Michele Peroli
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Luca Viganò
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Matteo Zavatteri
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Luca Viganò .

Editor information

Editors and Affiliations

  1. University of Hertfordshire, Hertfordshire, United Kingdom

    Bruce Christianson

  2. University of Hertfordshire, Hertfordshire, United Kingdom

    James Malcolm

  3. Masaryk University Faculty of Informatics, Brno, Czech Republic

    Vashek Matyáš

  4. Masaryk University Faculty of Informatics, Brno, Czech Republic

    Petr Švenda

  5. University of Cambridge, Cambridge, United Kingdom

    Frank Stajano

  6. Memorial University of Newfoundland, St. John's, Newfoundland and Labrador, Canada

    Jonathan Anderson

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Peroli, M., Viganò, L., Zavatteri, M. (2014). Non-collaborative Attackers and How and Where to Defend Flawed Security Protocols (Extended Version). In: Christianson, B., Malcolm, J., Matyáš, V., Švenda, P., Stajano, F., Anderson, J. (eds) Security Protocols XXII. Security Protocols 2014. Lecture Notes in Computer Science(), vol 8809. Springer, Cham. https://doi.org/10.1007/978-3-319-12400-1_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-12400-1_9

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12399-8

  • Online ISBN: 978-3-319-12400-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation