Abstract
We present a calculus for detecting guessing attacks, based on oracles that instantiate cryptographic functions. Adversaries can observe oracles, or control them either on-line or off-line. These relations can be established by protocol analysis in the presence of a Dolev-Yao intruder, and the derived guessing rules can be used together with standard intruder deductions. Our rules also handle partial verifiers that fit more than one secret. We show how to derive a known weakness in the Anderson-Lomas protocol, and new vulnerabilities for a known faulty ATM system.
This work is supported in part by FP7-ICT-2007-1 project 216471, AVANTSSAR: Automated Validation of Trust and Security of Service-oriented Architectures.
© 2009 Springer-Verlag Berlin Heidelberg
Cite this paper
Groza, B., Minea, M. (2009). A Calculus to Detect Guessing Attacks. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds) Information Security. ISC 2009. Lecture Notes in Computer Science, vol 5735. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04474-8_5
DOI: https://doi.org/10.1007/978-3-642-04474-8_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04473-1
Online ISBN: 978-3-642-04474-8
eBook Packages: Computer Science, Computer Science (R0)