Recently new protocols have been proposed in the IETF for protecting remote client authentication protocols by running them within a secure tunnel. Examples of such protocols are PIC, PEAP and EAP-TTLS. One goal of these new protocols is to enable the migration from legacy client authentication protocols to more secure protocols, e.g., from plain EAP type to, say, PEAP. In these protocols, the security of the subsequent session credentials are based only on keys derived during the unilateral authentication where the network server is authenticated to the client. Client authentication is mentioned as an option in PEAP and EAP-TTLS, but is not mandated. Naturally, the PIC protocol does not even o er this option, because the goal of PIC is to obtain credentials that can be used for client authentication.

The Dolev{Yao model is a simple and useful framework in which to analyze security protocols, but it assumes an extremely limited adversary. It is unclear if the results of this model would remain valid were the adversary to be given additional power. In this work, we show that there exist situations in which Dolev-Yao adversary can be viewed as a valid abstraction of all realistic adversaries. We do this in two steps: 1. We translate the allowed behaviors of the Dolev-Yao adversary into the computational model, an alternate framework with a very powerful adversary.

Number 644

Abstract. We design and analyze a simple optimistic fair non-repudiation protocol. Our protocol is considerably simpler and more efficient than current proposals, due mainly to the avoidance of using session labels. We model-check both safety and liveness properties. The safety properties are verified using a standard intruder, and the liveness properties using an intruder that respects the resilient communication channels assumption. Finally, to provide further confidence in the protocol, several vulnerabilities on weaker versions of our protocol are exposed. 1

Abstract not found

Authenticated Group Key Agreement Protocols are protocols allowing a group of principals to contributively generate a key by the exchange of messages on a network possibly controlled by an attacker. Furthermore, their execution also guarantees all group members that the key they obtained can only be known by the other intended protocol participants. These protocols can be exploited in many applications such as audio or videoconferencing, replicated servers (such as database, web, time servers), chat or network games for instance.

Abstract. SET (Secure Electronic Transaction) is a suite of protocols proposed by a consortium of credit card companies and software corporations to secure e-commerce transactions. The Purchase part of the suite is intended to guarantee the integrity and authenticity of the payment transaction while keeping the Cardholder’s account details secret from the Merchant and his choice of goods secret from the Bank. This paper details the first verification results for the complete Purchase protocols of SET. Using Isabelle and the inductive method, we show that their primary goal is indeed met. However, a lack of explicitness in the dual signature makes some agreement properties fail: it is impossible to prove that the Cardholder meant to send his credit card details to the very payment gateway that receives them. A major effort in the verification went into digesting the SET documentation to produce a realistic model. The protocol’s complexity and size makes verification difficult, compared with other protocols. However, our effort has yielded significant insights.

Abstract. The Direct Anonymous Attestation (DAA) scheme provides a means for remotely authenticating a trusted platform whilst preserving the user’s privacy. The protocol has been adopted by the Trusted Computing Group (TCG) in the latest version of its Trusted Platform Module (TPM) specification. In this paper we show DAA places an unnecessarily large burden on the TPM host. We demonstrate how corrupt administrators can exploit this weakness to violate privacy. The paper provides a fix for the vulnerability. Further privacy issues concerning linkability are identified and a framework for their resolution is developed. In addition an optimisation to reduce the number of messages exchanged is proposed.

This paper describes the verification of Secure Electronic Transaction (SET), an e-commerce protocol by VISA and MasterCard. The main tasks are to comprehend the written documentation, to produce an accurate formal model, to identify specific protocol goals, and finally to prove them. The main obstacles are the protocol's complexity (due in part to its use of digital envelopes) and its unusual goals involving partial information sharing. Our verification e#orts show that the protocol does not completely satisfy its goals, although the flaws are minor. The primary outcome of the project is experience with verification of enormous and complicated protocols.

Abstract not found