## A cryptographically sound Dolev-Yao style security proof of the Otway-Rees protocol (2004)


Venue: In Proc. 9th European Symposium on Research in Computer Security (ESORICS 2004), Springer, pages 89-108

Citations: 25 (10 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Backes04acryptographically,
  author    = {Michael Backes},
  title     = {A cryptographically sound Dolev-Yao style security proof of the Otway-Rees protocol},
  booktitle = {Proc. 9th European Symposium on Research in Computer Security (ESORICS 2004)},
  year      = {2004},
  pages     = {89--108},
  publisher = {Springer}
}
```

### Abstract

We present the first cryptographically sound Dolev-Yao-style security proof of a comprehensive electronic payment system. The payment system is a slightly simplified variant of the 3KP payment system and comprises a variety of different security requirements ranging from basic ones like the impossibility of unauthorized payments to more sophisticated properties like disputability. We show that the payment system is secure against arbitrary active attacks, including arbitrary concurrent protocol runs and arbitrary manipulation of bitstrings within polynomial time, if the protocol is implemented using provably secure cryptographic primitives. Although we achieve security under cryptographic definitions, our proof does not have to deal with probabilistic aspects of cryptography and is hence within the scope of current proof tools. The reason is that we exploit a recently proposed Dolev-Yao-style cryptographic library with a provably secure cryptographic implementation. Together with composition and preservation theorems of the underlying model, this allows us to perform the actual proof effort in a deterministic setting corresponding to a slightly extended Dolev-Yao model.

### Citations

1255 | Probabilistic encryption - Goldwasser, Micali - 1984 |
Citation Context: ...y of such protocols has been a very unsatisfactory task for a long time. One way to conduct such proofs is the cryptographic approach, whose security definitions are based on complexity theory, e.g., [19, 18, 20, 10]. The security of a cryptographic protocol is proved by reduction, i.e., by showing that breaking the protocol implies breaking one of the underlying cryptographic primitives with respect to its crypt...

1226 | A logic of authentication - Burrows, Abadi, et al. - 1989 |
Citation Context: ...odel simplifies proofs of larger protocols considerably and has given rise to a large body of literature on analyzing the security of protocols using various techniques for formal verification, e.g., [31, 29, 25, 14, 37, 1]. Among the protocols typically analyzed in the Dolev-Yao model, the Otway-Rees protocol [35], which aims at establishing a shared key between two users by means of a trusted third party, stands out a...

1139 | On the security of public-key protocols - Dolev, Yao - 1983 |
Citation Context: ...almost always based on the so-called Dolev-Yao model [16]. This model simplifies proofs of larger protocols considerably and has given rise to a large body of literature on analyzing the security of protocols using various techniques for formal verification... (The extract also captured the paper's running footer: P. Samarati, D. Gollmann, and R. Molva (Eds.): ESORICS 2004, LNCS 3193, pages 89-108, September 2004. © Springer-Verlag Berlin Heidelberg 2004.)

1098 | The Knowledge Complexity of Interactive Proof Systems - Goldwasser, Micali, Rackoff - 1989 |
Citation Context: ...y of such protocols has been a very unsatisfactory task for a long time. One way to conduct such proofs is the cryptographic approach, whose security definitions are based on complexity theory, e.g., [19, 18, 20, 10]. The security of a cryptographic protocol is proved by reduction, i.e., by showing that breaking the protocol implies breaking one of the underlying cryptographic primitives with respect to its crypt...

936 | Using encryption for authentication in large networks of computers - Needham, Schroeder - 1978 |
Citation Context: ...yption in a black-box way, while adding many non-cryptographic features. Vulnerabilities have accompanied the design of such protocols ever since early authentication protocols like Needham-Schroeder [34, 15], over carefully designed de-facto standards like SSL and PKCS [40, 13], up to current widely deployed products like Microsoft Passport [17]. However, proving the security of such protocols has been a...

877 | A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks - Goldwasser, Micali, et al. - 1988 |
Citation Context: ...ao-style abstraction of digital signatures is implemented using a chosen-message secure digital signature scheme with small additions like signature tagging. Chosen-message security was introduced in [34], and efficient signature systems that are secure in this sense exist under reasonable assumptions [34, 28, 30]. Our proof relies on a recent general result that a so-called ideal cryptographic librar...

840 | A Calculus for Cryptographic Protocols: The Spi Calculus - Abadi, Gordon - 1999 |
Citation Context: ...odel simplifies proofs of larger protocols considerably and has given rise to a large body of literature on analyzing the security of protocols using various techniques for formal verification, e.g., [31, 29, 25, 14, 37, 1]. Among the protocols typically analyzed in the Dolev-Yao model, the Otway-Rees protocol [35], which aims at establishing a shared key between two users by means of a trusted third party, stands out a...

677 | Universally composable security: A new paradigm for cryptographic protocols - Canetti - 2001 |
Citation Context: ...repudiation, and the protocols are rather small examples compared to a comprehensive payment system. Recently, [22] showed how to translate a specific class of protocols expressed in the UC framework [20] into corresponding representations in the strand space approach and plans to exploit existing tools for this specific Dolev-Yao model, e.g., Athena [57]. At the moment, the work is restricted to mutu...

540 | How to play any mental game, or a completeness theorem for protocols with honest majority - Goldreich, Micali, Wigderson - 1987 |
Citation Context: ...y of such protocols has been a very unsatisfactory task for a long time. One way to conduct such proofs is the cryptographic approach, whose security definitions are based on complexity theory, e.g., [19, 18, 20, 10]. The security of a cryptographic protocol is proved by reduction, i.e., by showing that breaking the protocol implies breaking one of the underlying cryptographic primitives with respect to its crypt...

498 | Entity authentication and key distribution - Bellare, Rogaway - 1994 |
Citation Context: ...r have to contain a rigorous proof of security in order to be acceptable. One way to conduct such a proof is the cryptographic approach. Its security definitions are based on complexity theory, e.g., [33, 31, 15]. The security of a cryptographic protocol is proved by reduction, i.e., by showing that breaking the protocol implies breaking one of the underlying cryptographic primitives with respect to its crypt...

475 | Relations among Notions of Security for Public-Key Encryption Schemes - Bellare, Desai, et al. - 1998 |

467 | Blind signatures for untraceable payments - Chaum - 1983 |
Citation Context: ...cular, the proof contains neither probabilism nor computational restrictions. Related Work. The design of electronic payment systems has a long history, dating back to the eighties and early nineties [23, 24, 27, 25, 26, 51]. Based on these works, a substantial body of commercial attempts at electronic payment systems emerged. The iKP family [14, 13] constituted one of the most important of those attempts. It is the dire...

448 | Security without identification: Transaction systems to make Big Brother obsolete - Chaum - 1985 |
Citation Context: ...cular, the proof contains neither probabilism nor computational restrictions. Related Work. The design of electronic payment systems has a long history, dating back to the eighties and early nineties [23, 24, 27, 25, 26, 51]. Based on these works, a substantial body of commercial attempts at electronic payment systems emerged. The iKP family [14, 13] constituted one of the most important of those attempts. It is the dire...

436 | The Inductive Approach to Verifying Cryptographic Protocols - Paulson - 1998 |
Citation Context: ...odel simplifies proofs of larger protocols considerably and has given rise to a large body of literature on analyzing the security of protocols using various techniques for formal verification, e.g., [31, 29, 25, 14, 37, 1]. Among the protocols typically analyzed in the Dolev-Yao model, the Otway-Rees protocol [35], which aims at establishing a shared key between two users by means of a trusted third party, stands out a...

417 | Security and Composition of Multiparty Cryptographic Protocols - Canetti - 2000 |
Citation Context: ...e simulatability, and its composition properties were introduced in [55] and extended to asynchronous systems in [56, 20]. It extends the security notions of multiparty (one-step) function evaluation [58, 31, 32, 46, 10, 19] and the observational equivalence of [42]. There are multiple possible layers of sound abstraction from cryptography in the sense of reactive simulatability besides Dolev-Yao-style cryptographic libra...

348 | Reconciling two views of cryptography (the computational soundness of formal encryption) - Abadi, Rogaway |
Citation Context: ...ons [9, 7] for the cryptographically sound verification of cryptographic protocols. Further Related Work. Cryptographic underpinnings of a Dolev-Yao model were first addressed by Abadi and Rogaway in [3]. However, they only handled passive adversaries and symmetric encryption. The protocol language and security properties handled were extended in [2, 26], but still only for passive adversaries. This ...

276 | Untraceable Electronic Cash - Chaum, Fiat, et al. |
Citation Context: ...cular, the proof contains neither probabilism nor computational restrictions. Related Work. The design of electronic payment systems has a long history, dating back to the eighties and early nineties [23, 24, 27, 25, 26, 51]. Based on these works, a substantial body of commercial attempts at electronic payment systems emerged. The iKP family [14, 13] constituted one of the most important of those attempts. It is the dire...

270 | Timestamps in key distribution protocols - Denning, Sacco - 1981 |
Citation Context: ...yption in a black-box way, while adding many non-cryptographic features. Vulnerabilities have accompanied the design of such protocols ever since early authentication protocols like Needham-Schroeder [34, 15], over carefully designed de-facto standards like SSL and PKCS [40, 13], up to current widely deployed products like Microsoft Passport [17]. However, proving the security of such protocols has been a...

260 | The random oracle methodology, revisited - Canetti, Goldreich, et al. |
Citation Context: ...he underlying Master's thesis [35] considers asymmetric encryption under active attacks, but does so in the random oracle model, which is itself an idealization of cryptography and is not justifiable [21]. The recent work of [47] gives a slightly more efficient implementation of asymmetric encryption than [8] (no additional tagging and randomization) at the cost of a much less general library and a we...

250 | A Chosen Ciphertext Attack against Protocols based on the RSA Encryption Standard PKCS #1 - Bleichenbacher - 1998 |
Citation Context: ... Vulnerabilities have accompanied the design of such protocols ever since early authentication protocols like Needham-Schroeder [34, 15], over carefully designed de-facto standards like SSL and PKCS [40, 13], up to current widely deployed products like Microsoft Passport [17]. However, proving the security of such protocols has been a very unsatisfactory task for a long time. One way to conduct such proo...

242 | Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm - Bellare, Namprempre |
Citation Context: ...ption scheme that is secure against chosen-ciphertext attacks and additionally ensures integrity of ciphertexts. This is the standard security definition of authenticated symmetric encryption schemes [12, 11], and efficient symmetric encryption schemes provably secure in this sense exist under reasonable assumptions [11, 39]. Obviously, establishing a proof in the cryptographic approach presupposes deali...

211 | Casper: A compiler for the analysis of security protocols - Lowe - 1998 |
Citation Context: ...e domain called attributes. For an entry x ∈ D, the value at an attribute att is written x.att. For a predicate pred involving attributes, D[pred] means the subset of entries whose attributes fulfill pred. If D[pred] contains only one elem... (Footnote 2, captured inline by the extract: For some frameworks there are compilers to generate these detailed protocol descriptions, e.g., [43]. This should be possible for this framework in a similar way.)

158 | A model for asynchronous reactive systems and its application to secure message transmission - Pfitzmann, Waidner |
Citation Context: ...tained handles to both the ciphertext and the secret key. To allow for the proof of cryptographic faithfulness, the library is based on a detailed model of asynchronous reactive systems introduced in [38] and represented as a deterministic machine TH_H, called trusted host. The parameter H ⊆ {1, ..., n} denotes the honest participants, where n is a parameter of the library denoting the overall number o...

154 | OCB: A blockcipher mode of operation for efficient authenticated encryption - Rogaway, Bellare, et al. - 2001 |

147 | Composition and Integrity Preservation of Secure Reactive Systems - Pfitzmann, Waidner - 2000 |

142 | Secure multiparty protocols and zero-knowledge proof systems tolerating a faulty minority - Beaver - 1991 |
Citation Context: ...e simulatability, and its composition properties were introduced in [55] and extended to asynchronous systems in [56, 20]. It extends the security notions of multiparty (one-step) function evaluation [58, 31, 32, 46, 10, 19] and the observational equivalence of [42]. There are multiple possible layers of sound abstraction from cryptography in the sense of reactive simulatability besides Dolev-Yao-style cryptographic libra...

140 | Efficient and timely mutual authentication - Otway, Rees - 1987 |
Citation Context: ...yzing the security of protocols using various techniques for formal verification, e.g., [31, 29, 25, 14, 37, 1]. Among the protocols typically analyzed in the Dolev-Yao model, the Otway-Rees protocol [35], which aims at establishing a shared key between two users by means of a trusted third party, stands out as one of the most prominent protocols. It has been extensively studied in the past, e.g., in ...
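The Otway-Rees exchange named in this context (a shared key between two users established through a trusted third party S), written out as an added example that is not code from the paper, from the cryptographic library it builds on, or from the cited works. The four messages follow the standard textbook form of the protocol: (1) A → B: M, A, B, {N_A, M, A, B}_{K_AS}; (2) B → S: M, A, B, {N_A, M, A, B}_{K_AS}, {N_B, M, A, B}_{K_BS}; (3) S → B: M, {N_A, K_AB}_{K_AS}, {N_B, K_AB}_{K_BS}; (4) B → A: M, {N_A, K_AB}_{K_AS}. The symmetric encryption is a toy encrypt-then-MAC construction built from HMAC-SHA256 that stands in for the chosen-ciphertext-secure, ciphertext-integrity-providing scheme the contexts on this page describe; it is an assumption of the example, as are the principal names, nonce sizes, JSON field encoding and the two adversary runs. The point to take from it is the two checks a practitioner must not drop: every decryption fails closed on a modified ciphertext, and S verifies that both inner parts bind the same (M, A, B) as the cleartext header before it issues a key.

```python
import os, hmac, hashlib, json

# Toy encrypt-then-MAC scheme standing in for authenticated symmetric encryption (assumption of this
# example, not a production cipher): HMAC-SHA256 keystream + HMAC-SHA256 tag under separate subkeys.
def _sub(key, label): return hashlib.sha256(label + key).digest()

def _stream(key, nonce, n):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def ae_encrypt(key, pt):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _stream(_sub(key, b"enc"), nonce, len(pt))))
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def ae_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext integrity check failed")   # integrity of ciphertexts: modified blobs are rejected
    return bytes(c ^ k for c, k in zip(ct, _stream(_sub(key, b"enc"), nonce, len(ct))))

def seal(key, fields): return ae_encrypt(key, json.dumps(fields).encode())   # keeps field structure explicit
def unseal(key, blob): return json.loads(ae_decrypt(key, blob).decode())

# Otway-Rees roles. M: run identifier, N_A/N_B: nonces, K_AS/K_BS: long-term keys shared with server S.
def alice_start(k_as, a, b):
    m, n_a = os.urandom(8).hex(), os.urandom(16).hex()
    return (m, n_a), [m, a, b, seal(k_as, [n_a, m, a, b])]          # 1. A -> B: M, A, B, {N_A, M, A, B}_K_AS

def bob_forward(k_bs, msg1):
    m, a, b, enc_a = msg1
    n_b = os.urandom(16).hex()
    return (m, n_b), [m, a, b, enc_a, seal(k_bs, [n_b, m, a, b])]   # 2. B -> S: ..., {N_B, M, A, B}_K_BS

def server_handle(keys, msg2):
    m, a, b, enc_a, enc_b = msg2
    part_a, part_b = unseal(keys[a], enc_a), unseal(keys[b], enc_b)
    # S must check that both inner parts bind the same (M, A, B) as the cleartext header; otherwise an
    # attacker could pair ciphertexts taken from different runs or principals.
    if part_a[1:] != [m, a, b] or part_b[1:] != [m, a, b]:
        raise ValueError("run identifier or principal names do not match")
    k_ab = os.urandom(16).hex()
    return [m, seal(keys[a], [part_a[0], k_ab]), seal(keys[b], [part_b[0], k_ab])]  # 3. S -> B

def bob_finish(k_bs, state, msg3):
    m, n_b = state
    n, k_ab = unseal(k_bs, msg3[2])
    if msg3[0] != m or n != n_b:
        raise ValueError("reply does not belong to this run")
    return k_ab, [m, msg3[1]]                                         # 4. B -> A: M, {N_A, K_AB}_K_AS

def alice_finish(k_as, state, msg4):
    m, n_a = state
    n, k_ab = unseal(k_as, msg4[1])
    if msg4[0] != m or n != n_a:
        raise ValueError("reply does not belong to this run")
    return k_ab

def run_protocol(keys, a="A", b="B"):
    """Honest run of all four messages; returns the session key as derived by A and by B."""
    st_a, msg1 = alice_start(keys[a], a, b)
    st_b, msg2 = bob_forward(keys[b], msg1)
    k_b, msg4 = bob_finish(keys[b], st_b, server_handle(keys, msg2))
    return alice_finish(keys[a], st_a, msg4), k_b

def run_with_tampering(keys):
    """Adversary flips one ciphertext byte of A's part in message 2; S must reject, not derive a key."""
    _, msg1 = alice_start(keys["A"], "A", "B")
    _, msg2 = bob_forward(keys["B"], msg1)
    bad = bytearray(msg2[3]); bad[20] ^= 0x01
    try:
        server_handle(keys, msg2[:3] + [bytes(bad), msg2[4]])
        return "accepted"
    except ValueError as exc:
        return str(exc)

def run_with_mismatch(keys):
    """Adversary replaces A's part with one A sent in another run (different M); S must reject."""
    _, old = alice_start(keys["A"], "A", "B")
    _, msg1 = alice_start(keys["A"], "A", "B")
    _, msg2 = bob_forward(keys["B"], msg1[:3] + [old[3]])
    try:
        server_handle(keys, msg2)
        return "accepted"
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    keys = {"A": os.urandom(32), "B": os.urandom(32)}   # constructed long-term keys shared with S
    k_a, k_b = run_protocol(keys)
    print("keys agree:", k_a == k_b)
    print("tampered:", run_with_tampering(keys), "| mismatched run:", run_with_mismatch(keys))
```

The consistency check in `server_handle` is the part of the exchange that a Dolev-Yao-style proof has to reason about symbolically (which encrypted terms the adversary can pair together), whereas the rejection of a flipped byte is exactly what the cryptographic soundness result lifts from the real authenticated encryption scheme to the abstract "the adversary cannot forge a ciphertext" rule.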

138 | A composable cryptographic library with nested operations - Backes, Pfitzmann, et al. - 2003 |
Citation Context: ...v-Yao model. Herzog et al. [21, 22] and Micciancio and Warinschi [30] have recently also given a cryptographic underpinning under active attacks. Their results are considerably weaker than the one in [8] since they are specific for public-key encryption; moreover, the former relies on a stronger assumption whereas the latter severely restricts the classes of protocols and protocol properties that can...

114 | A probabilistic polytime framework for protocol analysis - Lincoln, Mitchell, et al. - 1998 |
Citation Context: ...their work which all already exist in the earlier work of [8]. Efforts are also under way to formulate syntactic calculi for dealing with probabilism and polynomial-time considerations, in particular [32, 28, 33, 23] and, as a second step, to encode them into proof tools. However, this approach cannot yet handle protocols with any degree of automation. Generally it is complementary to, rather than competing with...

113 | Input-Indistinguishable Computation - Micali, Pass, et al. - 2006 |
Citation Context: ...e simulatability, and its composition properties were introduced in [55] and extended to asynchronous systems in [56, 20]. It extends the security notions of multiparty (one-step) function evaluation [58, 31, 32, 46, 10, 19] and the observational equivalence of [42]. There are multiple possible layers of sound abstraction from cryptography in the sense of reactive simulatability besides Dolev-Yao-style cryptographic libra...

111 | Analysis of the SSL 3.0 protocol - Wagner, Schneier - 1996 |
Citation Context: ... Vulnerabilities have accompanied the design of such protocols ever since early authentication protocols like Needham-Schroeder [34, 15], over carefully designed de-facto standards like SSL and PKCS [40, 13], up to current widely deployed products like Microsoft Passport [17]. However, proving the security of such protocols has been a very unsatisfactory task for a long time. One way to conduct such proo...

104 | Universal Electronic Cash - Okamoto, Ohta - 1991 |

101 | Fair computation of general functions in presence of immoral majority - Goldwasser, Levin - 1990 |

98 | Formal eavesdropping and its computational interpretation - Abadi, Jürjens |
Citation Context: ...model were first addressed by Abadi and Rogaway in [3]. However, they only handled passive adversaries and symmetric encryption. The protocol language and security properties handled were extended in [2, 26], but still only for passive adversaries. This excludes most of the typical ways of attacking protocols, e.g., man-in-the-middle attacks and attacks by reusing a message part in a different place or a...

90 | Soundness of formal encryption in presence of an active attacker - Micciancio, Warinschi - 2004 |
Citation Context: ...g protocols to straight-line programs in a specific language, and does not address a connection to the remaining primitives of the Dolev-Yao model. Herzog et al. [21, 22] and Micciancio and Warinschi [30] have recently also given a cryptographic underpinning under active attacks. Their results are considerably weaker than the one in [8] since they are specific for public-key encryption; moreover, the ...

71 | Semantics and program analysis of computationally secure information flow - Laud |
Citation Context: ...model were first addressed by Abadi and Rogaway in [3]. However, they only handled passive adversaries and symmetric encryption. The protocol language and security properties handled were extended in [2, 26], but still only for passive adversaries. This excludes most of the typical ways of attacking protocols, e.g., man-in-the-middle attacks and attacks by reusing a message part in a different place or a...

71 | Mechanized proofs for a recursive authentication protocol - Paulson - 1997 |
Citation Context: ..., which aims at establishing a shared key between two users by means of a trusted third party, stands out as one of the most prominent protocols. It has been extensively studied in the past, e.g., in [36, 24, 37], and various new approaches and formal proof tools for the analysis of security protocols were validated by showing that they can prove the protocol in the Dolev-Yao model (respectively that they can...

67 | Encode-then-encipher encryption: How to exploit nonces or redundancy in plaintexts for efficient cryptography - Bellare, Rogaway - 2000 |
Citation Context: ...ption scheme that is secure against chosen-ciphertext attacks and additionally ensures integrity of ciphertexts. This is the standard security definition of authenticated symmetric encryption schemes [12, 11], and efficient symmetric encryption schemes provably secure in this sense exist under reasonable assumptions [11, 39]. Obviously, establishing a proof in the cryptographic approach presupposes deali...

62 | Analysing Encryption Protocols Using Formal Verification Techniques - Kemmerer - 1989 |

60 | Symmetric encryption in a simulatable Dolev-Yao style cryptographic library - Backes, Pfitzmann - 2004 |
Citation Context: ...complexity theory and is far out of scope of current proof tools. However, our proof is not performed from scratch in the cryptographic setting, but based on a recently proposed cryptographic library [8, 9, 7], which provides cryptographically faithful, deterministic abstractions of cryptographic primitives, i.e., the abstractions can be securely implemented using actual cryptography. Moreover, the library...

55 | Symmetric encryption in automatic analyses for confidentiality against active adversaries - Laud - 2004 |
Citation Context: ...ound proof of this protocol was concurrently developed by Warinschi [41]. The proof is conducted from scratch in the cryptographic approach, which takes it out of the scope of formal proof tools. Laud [27] has recently presented a cryptographic underpinning for a Dolev-Yao model of symmetric encryption under active attacks. His work enjoys a direct connection with a formal proof tool, but it is specifi...

55 | State of the art in electronic payment systems - Asokan, Janson, et al. - 1997 |
Citation Context: ...empts. It is the direct predecessor of today's prevailing SET standard, and offered a variety of strong security guarantees while still relying on relatively simple underlying mechanisms. We refer to [4] for an exhaustive overview of the other attempts. Work on justifying Dolev-Yao-style models under cryptographic definitions prior to [8] was restricted to passive adversaries and symmetric encryption...

53 | iKP - A family of secure electronic payment protocols - Bellare, Garay, et al. - 1995 |
Citation Context: ... proof tools and is sound with respect to the rigorous definitions and the comprehensive adversary model of cryptography. The payment system is a slightly simplified variant of the 3KP payment system [14, 13] and comprises a variety of different security requirements ranging from basic ones like the impossibility of unauthorized payments and weak atomicity to more sophisticated properties like disputabili...

46 | An efficient existentially unforgeable signature scheme and its applications - Dwork, Naor - 1994 |
Citation Context: ...re scheme with small additions like signature tagging. Chosen-message security was introduced in [34], and efficient signature systems that are secure in this sense exist under reasonable assumptions [34, 28, 30]. Our proof relies on a recent general result that a so-called ideal cryptographic library, which implements a slightly extended Dolev-Yao model, can be securely realized by a specific cryptographic i...

38 | Towards the formal verification of electronic commerce protocols - Bolignano - 1997 |
Citation Context: ...r flavor—to the analysis of a payment system using tool support or paper-based reasoning has proved to be an extremely valuable approach; a far from exhaustive list of work along those lines includes [38, 17, 16, 40, 45, 11, 12]. Although these approaches are suitable for reasoning about the security of large-scale systems, their drawback is that they exist only in the Dolev-Yao model and there is no theorem that carries the...

38 | New generation of secure and practical RSA-based signatures - Cramer, Damgård - 1996 |
Citation Context: ...re scheme with small additions like signature tagging. Chosen-message security was introduced in [34], and efficient signature systems that are secure in this sense exist under reasonable assumptions [34, 28, 30]. Our proof relies on a recent general result that a so-called ideal cryptographic library, which implements a slightly extended Dolev-Yao model, can be securely realized by a specific cryptographic i...

37 | Honest ideals on strand spaces - Thayer, Herzog, et al. - 1998 |
Citation Context: ..., which aims at establishing a shared key between two users by means of a trusted third party, stands out as one of the most prominent protocols. It has been extensively studied in the past, e.g., in [36, 24, 37], and various new approaches and formal proof tools for the analysis of security protocols were validated by showing that they can prove the protocol in the Dolev-Yao model (respectively that they can...

36 | Symmetric authentication within a simulatable cryptographic library - Backes, Pfitzmann, et al. |

35 | A cryptographically sound security proof of the Needham-Schroeder-Lowe public-key protocol - Backes, Pfitzmann - 2004 |
Citation Context: ...ocols, was first given recently in [8] with extensions in [9, 7]. Based on the specific Dolev-Yao model whose soundness was proven in [8], the well-known Needham-Schroeder-Lowe protocol was proved in [6]. Besides the proof that we present in this paper, the proof in [6] is the only Dolev-Yao-style, computationally sound proof that we are aware of. However, it is considerably simpler than the one we p...

33 | Plaintext-Awareness via Key Registration - Herzog, Liskov, et al. - 2003 |
Citation Context: ...y properties, restricts the surrounding protocols to straight-line programs in a specific language, and does not address a connection to the remaining primitives of the Dolev-Yao model. Herzog et al. [21, 22] and Micciancio and Warinschi [30] have recently also given a cryptographic underpinning under active attacks. Their results are considerably weaker than the one in [8] since they are specific for pub...