Abstract
Starting from algebraic properties that enable guessing low-entropy secrets, we formalize guessing rules for symbolic verification. The rules are suited for both off-line and on-line guessing and can distinguish between them. We add our guessing rules as state transitions to protocol models that are input to model checking tools. With our proof-of-concept implementation we have automatically detected guessing attacks in several protocols. Some attacks are especially significant since they are undetectable by protocol participants, as they cause no abnormal protocol behavior, a case not previously addressed by automated techniques.
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Abadi, M., Baudet, M., Warinschi, B.: Guessing attacks and the computational soundness of static equivalence. In: Aceto, L., Ingólfsdóttir, A. (eds.) FOSSACS 2006. LNCS, vol. 3921, pp. 398–412. Springer, Heidelberg (2006)
Armando, A., Compagna, L.: SAT-based model-checking for security protocols analysis. International Journal of Information Security 7(1), 3–32 (2008)
Basin, D.A., Mödersheim, S., Viganò, L.: OFMC: A symbolic model checker for security protocols. Internat. Journal of Information Security 4(3), 181–208 (2005)
Baudet, M.: Deciding security of protocols against off-line guessing attacks. In: 12th ACM Conf. on Computer and Communications Security, pp. 16–25 (2005)
Blanchet, B.: An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In: 14th IEEE Computer Security Foundations Workshop, pp. 82–96 (2001)
Corin, R., Doumen, J.M., Etalle, S.: Analysing password protocol security against off-line dictionary attacks. In: 2nd W. Secur. Issues Petri Nets, pp. 47–63 (2004)
Corin, R., Malladi, S., Alves-Foss, J., Etalle, S.: Guess what? Here is a new tool that finds some new guessing attacks. In: W. Issues Theory Sec., pp. 62–71 (2003)
Ding, Y., Horster, P.: Undetectable on-line password guessing attacks. Operating Systems Review 29(4), 77–86 (1995)
Drielsma, P.H., Mödersheim, S., Viganò, L.: A formalization of off-line guessing for security protocol analysis. In: Baader, F., Voronkov, A. (eds.) LPAR 2004. LNCS (LNAI), vol. 3452, pp. 363–379. Springer, Heidelberg (2005)
Groza, B., Minea, M.: A calculus to detect guessing attacks. In: Samarati, P., Yung, M., Martinelli, F., Ardagna, C.A. (eds.) ISC 2009. LNCS, vol. 5735, pp. 59–67. Springer, Heidelberg (2009)
Hole, K.J., Moen, V., Klingsheim, A.N., Tande, K.M.: Lessons from the Norwegian ATM system. IEEE Security and Privacy 5(6), 25–31 (2007)
Lomas, T.M.A., Gong, L., Saltzer, J.H., Needham, R.M.: Reducing risks from poorly chosen keys. In: 12th ACM Symp. on Oper. Sys. Princip., pp. 14–18 (1989)
Lowe, G.: Analysing protocols subject to guessing attacks. Journal of Computer Security 12(1), 83–98 (2004)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2010 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Groza, B., Minea, M. (2010). A Formal Approach for Automated Reasoning about Off-Line and Undetectable On-Line Guessing . In: Sion, R. (eds) Financial Cryptography and Data Security. FC 2010. Lecture Notes in Computer Science, vol 6052. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14577-3_34
Download citation
DOI: https://doi.org/10.1007/978-3-642-14577-3_34
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-14576-6
Online ISBN: 978-3-642-14577-3
eBook Packages: Computer ScienceComputer Science (R0)