There are at least a few hundred published protocols in the category of authentication and key establishment. Under a naive definition of authentication and key establishment, the existence of so many protocols is quite fascinating and somewhat stunning for a newcomer to the field of communication security. One potent argument often presented is that we keep designing new protocols because of the demands of new types of applications and because of the discovery of flaws in existing protocols. While designing new protocols for new types of applications, such as RFID, is certainly an important driving factor, most of the published protocols are in fact the result of the discovery of flaws in their predecessors. As our understanding of cryptography and protocol analysis matures, our ability to discover new flaws in protocols also increases. We now have a better understanding of the actual operational environment. In the past, this has often led to an increase in the power of the attacker model; for instance, nowadays we also consider privacy concerns and side-channel leakage besides the classic Dolev-Yao attacker.

A protocol is labelled insecure once an effective attack or flaw is found in it. In fact, most of the published protocols are considered insecure from this point of view. In practice, however, this approach has a side effect, namely that we rarely bother to explore how insecure the protocol actually is. This question asks us to explore the area between security and insecurity; after all, neither is a flawed protocol always completely insecure, nor do all applications require security against an all-powerful attacker. The current approach towards security analysis, which we call strict security, considers a protocol together with a powerful attacker, such as the Dolev-Yao attacker, sometimes with additional capabilities such as dynamic corruption of communicating nodes.
One then tries to show that the protocol achieves its objective under this specific attacker. Naturally there are three possibilities: one may succeed in constructing a security proof; one may fail to prove security, which often makes the protocol suspicious; or one may discover a concrete attack, which definitely makes the protocol insecure under such a strict definition of the attacker. There is, however, an alternative: adaptable security, which we propose as a more general approach to the security problem. This approach considers correct protocols, i.e., protocols that achieve their objectives when there is no effective attacker. All correct protocols are assumed to be secure, and the challenge we pose for a security analyst is to derive the least strongest attacker (LSA) model for which this so-called a priori assumption about security holds. In this way, the security definition of a protocol can be adapted to a suitable choice of LSA. Another aspect of the proposed approach is the flexible treatment of security goals: we decompose high-level security goals into many fine-level goals, and a protocol may achieve only a subset of all fine-level goals. We believe that these flexible choices of attacker and security goals are more practical in many real-world scenarios. An application may require protection only against a weaker attacker, and may need to achieve only fewer security goals.
Technical University of Denmark, DTU Informatics, Building 321, 2010