基于逻辑编程的EKE协议分析

基于逻辑编程规则及Spi演算提出了一种验证密码协议安全性的新方法，利用该方法可以对密码协议的安全性质以程序化的方式进行验证。通过对EKE协议进行的分析，不但证明了协议已知的漏洞，而且发现了针对EKE协议的一个新的攻击——并行会话攻击。很好地验证了该新方法对密码协议的分析能力。     

Detecting and Preventing Type flaws: a Control Flow Analysis with Tags

A type flaw attack on a security protocol is an attack where an honest principal is cheated on interpreting a field in a message as the one with a type other than the intended one. In this paper, we shall present an extension of the LySa calculus with tags attached to each field, indicating the intended types. We developed a control flow analysis for analysing the extended LySa, which over-approximates all the possible behaviour of a protocol and hence is able to capture any type confusion that may happen during the protocol execution. The control flow analysis has been applied to a number of security protocols, either subject to type flaw attacks or not. The results show that it is able to capture type flaw attacks on those security protocols.     

基于概率多项式时间进程的安全协议分析

针对Spi演算在安全协议分析中存在的局限性，通过引入概率多项式时间进程，提出一个分析安全协议的新方法。该方法是对Spi演算的改进，在该方法中攻击者是概率多项式时间进程，协议的安全性用概率可观察等价性表示。通过对一个基于ElGamal加密和Diffie-Hellman的密钥交换协议分析，证明了该方法的可行性和有效性。     

基于SPI演算的移动自主网络安全路由协议分析

安全协议是许多分布式系统安全的基础,也是MANET网络的基础,确保MANET路由协议的安全运行是极为重要的。对于MANET的特点,设计一个可靠的安全路由协议是必须的,也是一个艰巨的任务,但大多数的安全路由协议都是通过模拟结果来进行解释的,缺乏严格形式化分析来确保其安全属性。在传统的安全属性中,加密协议已经被形式化分析许多年了,然而去形式化分析移动adhoc网路由协议的工作并没有出现已成熟的方法和理论的文献。论文针对SRP(secureroutingprotocol)协议模型用SPI演算做出形式化分析,在论文提出的攻击者进程模型下,可以推导出SRP产生一定的脆弱性。     

A Method for Patching Interleaving-Replay Attacks in Faulty Security Protocols

The verification of security protocols has attracted a lot of interest in the formal methods community, yielding two main verification approaches: i) state exploration, e.g. FDR [Gavin Lowe. Breaking and fixing the needham-schroeder public-key protocol using FDR. In TACAs'96: Proceedings of the Second International Workshop on Tools and Algorithms for Construction and Analysis of Systems, pages 147–166, London, UK, 1996. Springer-Verlag] and OFMC [A.D. Basin, S. Mödersheim, and L. Viganò. An on-the-fly model-checker for security protocol analysis. In D. Gollmann and E. Snekkenes, editors, ESORICS'03: 8th European Symposium on Research in Computer Security, number 2808 in Lecture Notes in Computer Science, pages 253–270, Gjøvik, Norway, 2003. Springer-Verlag]; and ii) theorem proving, e.g. the Isabelle inductive method [Lawrence C. Paulson. The inductive approach to verifying cryptographic protocols. Journal in Computer Security, 6(1-2):85–128, 1998] and Coral [G. Steel, A. Bundy, and M. Maidl. Attacking the asokan-ginzboorg protocol for key distribution in an ad-hoc bluetooth network using coral. In H. König, M. Heiner, and A. Wolisz, editors, IFIP TC6 /WG 6.1: Proceedings of 23rd IFIP International Conference on Formal Techniques for Networked and Distributed Systems, volume 2767, pages 1–10, Berlin, Germany, 2003. FORTE 2003 (work in progress papers)]. Complementing formal methods, Abadi and Needham's principles aim to guide the design of security protocols in order to make them simple and, hopefully, correct [M. Abadi and R. Needham. Prudent engineering practice for cryptographic protocols. IEEE Transactions on Software Engineering, 22(1):6–15, 1996]. We are interested in a problem related to verification but far less explored: the correction of faulty security protocols. Experience has shown that the analysis of counterexamples or failed proof attempts often holds the key to the completion of proofs and for the correction of a faulty model. In this paper, we introduce a method for patching faulty security protocols that are susceptible to an interleaving-replay attack. Our method makes use of Abadi and Needham's principles for the prudent engineering practice for cryptographic protocols in order to guide the location of the fault in a protocol as well as the proposition of candidate patches. We have run a test on our method with encouraging results. The test set includes 21 faulty security protocols borrowed from the Clark-Jacob library [J. Clark and J. Jacob. A survey of authentication protocol literature: Version 1.0. Technical report, Department of Computer Science, University of York, November 1997. A complete specification of the Clark-Jacob library in CAPSL is available at http://www.cs.sri.com/millen/capsl/].     

From versatility to auto-adaptation of the medium access control in wireless sensor networks

Recent deployments of wireless sensor networks have targeted challenging monitoring and surveillance applications. The medium access control being the main source of energy wastage, energy-efficiency has always been kept in mind while designing the communication stack embedded in spread sensors. Especially, versatile protocols have emerged to offer a suitable solution over multiple deployment characteristics. In this study, we observe to what extent versatility applies to dynamic scenarios in which communications do not respect specific communication paradigms. We first provide a performance evaluation of two well-reputed versatile protocols (B-MAC (Polastre et al., 2004 [17]) and X-MAC (Buettner et al., 2006 [4])) under the conditions of such a scenario. The obtained results convinced us to propose more than versatility and pre-configured solutions, that is auto-adaptation. We then introduce the main contribution of this paper, an auto-adaptive algorithm that allows one to adjust the previously mentioned protocols while the network is operating. We analyze to what extent it outperforms the previously obtained results.     

密码协议安全性证明系统解析器的设计与实现*

可证明安全性是密码协议安全性评估的重要依据,但手写安全性证明容易出错且正确性难以判定,利用计算机辅助构造游戏序列进而实现自动化证明是当前一种可行的方法。为此提出一种基于进程演算的密码协议形式化描述模型,定义了描述密码协议安全性证明中攻击游戏的语法规则,并借助工具LEX和YACC,设计出解析器程序,将密码协议及其安全性的形式化描述解析为自动化安全性证明系统的初始数据结构,并用实例来说明这种方法的可行性。     

Towards an Independent Semantics and Verification Technology for the HLPSL Specification Language

We present an algorithm for the translation of security protocol specifications in the HLPSL language developed in the framework of the AVISPA project to a dialect of the applied pi calculus. This algorithm provides us with two interesting scientific contributions: at first, it provides an independent semantics of the HLPSL specification language and, second, makes it possible to verify protocols specified in HLPSL with the applied pi calculus-based ProVerif tool. Our technique has been implemented and tested on various security protocols. The translation can handle a large part of the protocols modelled in HLPSL.     

一次性口令身份认证方案的分析与改进

分析了文献[1]中的一次性口令的身份认证方案,发现由于原方案是一个单向认证协议,因此不能抵抗中间人攻击,该文在不增加计算复杂度的前提下,对原方案进行了改进,使其成为一个安全的双向认证协议,并将其中的关键信息进行了加密保护,改进后的方案克服了原方案存在的安全漏洞,并保留了原方案的所有安全特性,且具有更高的安全性。     

一种新的移动Ad hoc网络安全路由协议

Buttyan L等指出了移动Ad hoc网络典型安全路由协议Aridane的缺陷，并提出了一种自称可以抵御ac-tive-1-y（y≥1）型攻击的路由协议EndairA^[A]。文章通过分析发现EndairA不能抵御一种active-0-1型攻击，即中间人攻击，并据此提出了一种新的安全路由协议EndairALoc。分析表明EndairALoc不仅保持了EndairA原有的安全性，而且还能够抵御中间人攻击和虫洞攻击。另外该协议采用对称密钥机制替代了EndairA中使用的公钥签名机制，降低了安全路由所需的能耗。     

Provably secure three-party password authenticated key exchange protocol in the standard model

Three-party password authenticated key exchange protocol is a very practical mechanism to establish secure session key through authenticating each other with the help of a trusted server. Most three-party password authenticated key exchange protocols only guarantee security in the random oracle model. However, a random oracle based cryptographic construction may be insecure when the oracle is replaced by real function. Moreover, some previous unknown attacks appear with the advance of the adversary capability. Therefore, a suitable standard model which can imitate a wider variety of attack scenarios for 3PAKE protocol is needed. Aim at resisting dictionary attack, unknown key-share attack and password-compromise impersonation attack, an expanded standard model for 3PAKE protocol is given. Meanwhile, through applying ElGamal encryption scheme and pseudorandom function, a specific three-party password authenticated key exchange protocol is proposed. The security of the proposed protocol is proven in the new standard model. The result shows that the present protocol has stronger security by comparing with other existing protocols, which covers the following security properties: (1) semantic security, (2) key privacy, (3) client-to-server authentication, (4) mutual authentication, (5) resistance to various known attacks, and (6) forward security.     

Internet密钥交换协议的安全缺陷分析

IKE(Internet key exchange,RFC2409)提供了一组Internet密钥交换协议,目的是在IPSec(IP security)通信双方之间建立安全联盟和经过认证的密钥材料.随后有学者发现IKE协议存在一个安全缺陷,并给出相应的修改建议.指出了修改后的IKE协议仍然存在类似的安全缺陷,并描述了一个成功的攻击.在给出修改建议的同时,成功地利用BAN逻辑分析了导致这两个安全缺陷的原因.     

An interpreter for LOTOS,a specification language for distributed systems

LOTOS is an executable specification language for distributed systems currently being standardized within ISO as a tool for the formal specification of open systems interconnection protocols and services. It is based on an extended version of Milner's calculus of communicating systems (CCS) and on ACT ONE abstract data type (ADT) formalism. A brief introduction to LOTOS is given, along with a discussion of LOTOS operational semantics, and of the executability of LOTOS specifications. Further, an account of a prototype LOTOS interpreter is given, which includes an interactive system that allows the user to direct the execution of a specification (for example, for testing purposes). The interpreter was implemented in YACC/LEX, C and Prolog. The following topics are discussed: syntax and static semantics analysis; translation from LOTOS external format to internal representation; evaluation of ADT value expressions and extended CCS behaviour expressions. It is shown that the interpreter can be used in a variety of ways: to recognize whether a given sequence of interactions is allowed by the specification; to generate randomly chosen sequences of interactions; in a user-guided generation mode, etc.     

A symbolic framework for multi-faceted security protocol analysis

Verification of software systems, and security protocol analysis as a particular case, requires frameworks that are expressive, so as to properly capture the relevant aspects of the system and its properties, formal, so as to be provably correct, and with a computational counterpart, so as to support the (semi-) automated certification of properties. Additionally, security protocols also present hidden assumptions about the context, specific subtleties due to the nature of the problem and sources of complexity that tend to make verification incomplete. We introduce a verification framework that is expressive enough to capture a few relevant aspects of the problem, like symmetric and asymmetric cryptography and multi-session analysis, and to make assumptions explicit, e.g., the hypotheses about the initial sharing of secret keys among honest (and malicious) participants. It features a clear separation between the modeling of the protocol functioning and the properties it is expected to enforce, the former in terms of a calculus, the latter in terms of a logic. This framework is grounded on a formal theory that allows us to prove the correctness of the verification carried out within the fully fledged model. It overcomes incompleteness by performing the analysis at a symbolic level of abstraction, which, moreover, transforms into executable verification tools.     

基于Spi演算的密码协议的控制流分析

基于Spi演算和控制流分析,提出了一个密码协议的新分析方法。随后利用该方法对Beller-Chang-Yacobi MSR协议进行了分析,通过证明该协议已知的漏洞,说明该方法是正确的,并通过更深入的研究和分析,证明了该协议在并行会话攻击下是不安全的,基于此对该协议进一步改进,改进后的协议是安全的。     

安全协议的自动化设计

阐述了安全协议的自动生成-约简-优化模型。在第1阶段，依据系统规范的要求生成候选协议，并用简单的句法约束规则和基于简单冒充的早期删减规则对候选协议进行约简。第2阶段，以串空间理论为依据制定删减规则，对以上候选协议进行进一步的优化，生成符合安全需求的正确协议。     

Chosen-name Attacks: An Overlooked Class of Type-flaw Attacks

In the context of Dolev-Yao style analysis of security protocols, we consider the capability of an intruder to dynamically choose and assign names to agents. This capability has been overlooked in all significant protocol verification frameworks based on formal methods. We identify and classify new type-flaw attacks arising from this capability.Several examples of protocols that are vulnerable to this type of attack are given, including Lowe's modification of KSL. The consequences for automatic verification tools are discussed.     

基于无证书的两方跨域认证密钥协商协议

利用椭圆曲线上双线性对映射和离散对数问题,提出一种基于无证书的两方跨域认证密钥协商协议。该协议解决了传统的基于身份的跨域两方密钥协商协议中固有的密钥托管问题,实现了跨域通信双方的身份验证,防止了主动攻击。在保证协议正确性的基础上,采用应用Pi演算对协议进行形式化分析,并验证了协议的认证性和安全性。与其他跨域两方认证密钥协商协议性能相比,该协议的安全性和效率都更优。     

网络安全协议的自动化设计策略

文章以演化计算为工具,以BAN逻辑为基本的推理准则,在第一阶段随机搜索候选协议,然后在第二阶段通过冗余协议约简方案得出优化的协议。两阶段设计方案可以自动生成各种需求的两方或三方通信协议,并且广泛支持各种加密方法。通过两阶段的生成和过滤,我们的方法可以实现较大规模网络安全协议的自动化设计,例如三方密钥分配协议等。     

Formal analysis of some secure procedures for certificate delivery

This paper describes and formally analyses two communication protocols that manage the secure emission of digital certificates. The formal analysis is carried out by means of a software tool for the automatic verification of cryptographic protocols with finite behaviour. The tool is able to discover, at a conceptual level, attacks against security procedures. The methodology is general enough to be applied to several kinds of cryptographic procedures and protocols. It is the opinion of the authors that this approach contributes towards a better understanding of the structure and aims of a protocol, for developers, analysers and final users. Copyright © 2005 John Wiley & Sons, Ltd.