Skip to main content
SpringerLink
Log in

Web security: Authentication protocols and their analysis

  • Tutorial Series on Web-computing 2
  • Published:
New Generation Computing Aims and scope Submit manuscript

Abstract

Authentication is one of the basic building blocks of computer security. It is achieved through the execution of an authentication protocol between two or more parties. One such protocol, the Secure Socket Layer (SSL) protocol, has become the de facto standard for Web security. This paper provides an overview of results and methods used in analyzing authentication protocols. The aim is to provide a bird’s eye view of the assumptions, methods, and results that are available for anyone who is interested in designing new security protocols or applying a new analysis approach. A detailed description of the SSL handshake protocol as well as how changes in environment assumption can lead to unexpected consequences, is provided. A fix to the weakness is also described.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Burrows, M., Abadi, M. and Needham, R., “A Logic of Authentication,”Technical Report 39, DEC Systems Research Center, February 1989.

  2. CCITT. “The Directory-authentication Framwork,”Technical report, X509, 1987.

  3. Clarke, E., Jha, S. and Marrero, W., “Using State Space Exploration and a Natural Deduction Style Message Derivation Engine to Verify Security Protocols,”IFIP Working Conference on Programming Concepts and Methods, 1998.

  4. Denning, D. and Sacco, G., “Timestamps in Key Distribution Protocols,”Communications of the ACM, 24, 8, pp. 533–536, 1981.

    Article  Google Scholar 

  5. Dierks, T. and Allen, C., “The tls protocl: Version 1.0,”Technical Report dratietf-tls-rptocol-05.txt.Z., IETF task force, May 1998.

  6. Eaves, W. D., “Transport Level Security: A Proof Using the Gny Logic,”Technical report, Brunel University, UK February 1989.

    Google Scholar 

  7. Ellison. C. et al., “Spki Certificate Theory, Internet Draft,”Technical Report, IETF SPKI Working Group, November 1997.

  8. Freier, A., Kocher, P. and Kaltorn, P., “SSL v3.0 Specification,” Technical Report http: //home.netscape.com/eng/ssl3/s-SPEC.HTM, IETF task force, March 1996.

  9. Gassko, I., Gemmell, P. and MacKenzie, P., “Efficient and Fresh Certification,”LNCS, Springer Verlag, 1751, pp. 342–353, January 2000.

    Google Scholar 

  10. Gong, L., Needham, R. and Yahalom, R., “Reasoning about Belief in Cryptographic Protocols,” inIEEE Symposium on Research in Security and Privacy, Oakland, California, 1990.

  11. Halevi, S and Krawczyk, H., “Public-key Cryptography and Password Protocols,”ACM Transactions on Information and System Security, 2, 3, pp. 230–268, August 1999.

    Article  Google Scholar 

  12. Lowe, G.,Breaking and Fixing the Needham-schroeder Public Key Protocol Using csp and fdr, inTACS96, 1996.

  13. Meadows, C., “The nrl Protocol Analyzer: an Overview,”Journal of Logic Programming, 26, 2, pp. 113–131, February 1996.

    Article  MATH  Google Scholar 

  14. Millen, J., “The Interogator Model,” inIEEE Computer Society Symposium on Security and Privacy, pp. 251–260, 1995.

  15. Mitchell, J, Mitchell, M. and Stern, U., “Automated Analysis of Cryptographic Protocols Using Murphi,” inIEEE Symposium on Security and Privacy, pp. 141–151, 1997.

  16. Mitchell, J., Shmatikov, V. and Stern, U., “Finite-state Analysis of ssl 3.0,” inSeven’s USENIX Security Symposium, pp. 201–216, San Antonio, 1998.

  17. Needham R. and Shroeder, M., “Using Encryption for Authentication in Large Networks of Computers,”Communications of the ACM, 21, 12, pp. 993–999, 1978.

    Article  MATH  Google Scholar 

  18. Nessett, D., “A Critique of the Burrows, Abadi and Needham Logic,”ACM Operating Systems Review, 24, 2, pp. 35–38, April 1990.

    Article  Google Scholar 

  19. Neuman, B. and Ts’o, T., “An Authentication Service for Computer Networks,”IEEE Communications, 32, 9, pp. 33–38, September 1994.

    Article  Google Scholar 

  20. Otway, D. and Rees, O., “Efficient and Timely Mutual Authentication,”Operating Systems Review, 21, 1, pp. 8–10, 1987.

    Article  Google Scholar 

  21. Paulson, L., “The Inductive Approach to Verifying Cryptographic Protocols,”Journal of Computer Security, 6, pp. 85–128, 1998.

    Google Scholar 

  22. Rivest, R., “Can We Eliminate Revocation Lists?” inFinancial Cryptography, 1998.

  23. Saito, T., Wen, W. and Mizoguchi, F., “Analysis of Authentication Protocol by Parameterized Ban Logic,”Technical report, ISEC, July 1999.

  24. Song, D., “Athena: a New Efficent Automatic Checker for Security Protocol Analysis,” inIEEE Symposium on Security and Privacy 1998.

  25. Tatebayashi, M., Matsuzaki, N. and Newman D., “Key Distribution Protocol for Digital Mobile Communication Systems,”Lecture Notes in Computer Science, 435, pp. 324–333, 1990.

    Article  MathSciNet  Google Scholar 

  26. Thayer, F., Herzog, J. and Guttman, J., “Why is a Security Protocol Correct?” inIEEE Symposium on Security and Privacy, 1998.

  27. Wagner, D. and Schneider, B., “Analysis of the ssl 3.0 Protocol,” inThe Second USENIX Workshop on Electronic Commerce, November 1996.

  28. Wen, W., Saito, T. and Mizoguchi, F., “Attacks on Authentications Protocols with Compromised Certificates and How to Fix Them,”Transactions of the Information Processing Society of Japan, 41, 8, pp. 54–65, August 2000.

    MathSciNet  Google Scholar 

  29. Wen, W., Saito, T. and Mizoguchi, F., “Security of Public-key Based Authentication Protocol,”LNCS, Springer Verlag, 1751, pp. 196–209, January 2000.

    MathSciNet  Google Scholar 

  30. Xu, S., Zhang, G. and Zhu, H., “On the Properties of Cryptographic Protocols and the Weaknesses of the Ban-like Logics,”ACM Operating Systems Review, 31, 4, pp. 12–23, 1997.

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Science University of Tokyo, 2641 Yamazaki, 278-8510, Noda, Chiba, Japan

    Wu Wen & Fumio Mizoguchi

Authors
  1. Wu Wen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Fumio Mizoguchi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Wu Wen.

Additional information

Wu Wen, Ph.D.: He is an Associate Professor at the Information Media Center of the Science University of Tokyo. He obtained his bachelors degree in Engineering from Beijing University of Aeronautics in 1985, and Ph.D in computer science from Oxford University in 1992. He has worked at NTT Communication Science Labs in Japan and NASA Software Verification Facility in US before his current appointment. His current research interests are software verification and computer security. He co-chairs the 2000 and 2001 IEEE Enterprise Security Workshop and is a member of ACM and IEEE Computer Society.

Fumio Mizoguchi, Ph.D.: He is an Professor in the Department of Industrial Administration and a Director of Information Media Center at Science University of Tokyo. He obtained his M.S. degree from Science Univ. of Tokyo in 1968, and his Ph.D. from the Tokyo University in 1978. He is also Senior Research Associate, Stanford University, Center for the Study on Language and Information (CSLI) and Editorial member of Artificial Intelligence Journal, New Generation Computing Journal and Journal of Logic Programming. He has published more than 150 papers and 30 oboks for computer Science and Applied Artificial Inteligence. Most recent publication on Java is one of the best selling books.

About this article

Cite this article

Wen, W., Mizoguchi, F. Web security: Authentication protocols and their analysis. New Gener Comput 19, 283–299 (2001). https://doi.org/10.1007/BF03037600

Download citation

  • Received:

  • Issue Date:

  • DOI: https://doi.org/10.1007/BF03037600

Keywords

Search

Navigation