ABSTRACT
Although various past efforts have been made to characterize and detect guessing attacks, there is no consensus on the definition of guessing attacks. Such a lack of generic definition makes it extremely difficult to evaluate the resilience of security protocols to guessing attacks.
To overcome this hurdle, we seek a new definition in this paper to fully characterize the attacker's guessing capabilities (i.e., guessability). This provides a general framework to reason about guessing attacks in a symbolic setting, independent of specific intruder models. We show how the framework can be used to analyze both passive and active guessing attacks.
- M. Abadi and V. Cortier. Deciding knowledge in security protocols under equational theories. Theor. Comput. Sci., 367(1):2--32, 2006. Google ScholarDigital Library
- M. Abadi and C. Fournet. Mobile values, new names, and secure communication. In POPL '01, pages 104--115. ACM, 2001. Google ScholarDigital Library
- M. Baudet. Deciding security of protocols against off-line guessing attacks. In CCS '05, pages 16--25. ACM, 2005. Google ScholarDigital Library
- G. Birkhoff. On the structure of abstract algebras. Mathematical Proceedings of the Cambridge Philosophical Society, 31(04):433--454, 1935.Google ScholarCross Ref
- B. Blanchet. An efficient cryptographic protocol verifier based on prolog rules. In CSFW '01, page 82, 2001. Google ScholarDigital Library
- B. Blanchet. Automatic verification of correspondences for security protocols. J. Comput. Secur., 17(4):363--434, 2009. Google ScholarCross Ref
- B. Blanchet, M. Abadi, and C. Fournet. Automated verification of selected equivalences for security protocols. Journal of Logic and Algebraic Programming, 75(1):3--51, 2008.Google ScholarCross Ref
- M. Boreale and M. G. Buscemi. A method for symbolic analysis of security protocols. Theoretical Computer Science, 338(1--3):393--425, 2005. Google ScholarDigital Library
- M. Burrows, M. Abadi, and R. Needham. A logic of authentication. ACM Trans. Comput. Syst., 8(1):18--36, 1990. Google ScholarDigital Library
- I. Cervesato, N. A. Durgin, P. D. Lincoln, J. C. Mitchell, and A. Scedrov. A meta-notation for protocol analysis. In CSFW '99, page 55, 1999. Google ScholarDigital Library
- Y. Chevalier and L. Vigneron. Automated unbounded verification of security protocols. In CAV '02, pages 324--337. Springer-Verlag, 2002. Google ScholarDigital Library
- c. Ciobâcă, S. Delaune, and S. Kremer. Computing knowledge in security protocols under convergent equational theories. In CADE-22, pages 355--370. Springer-Verlag, 2009. Google ScholarDigital Library
- M. Cohen and M. Dam. A complete axiomatization of knowledge and cryptography. In LICS '07, pages 77--88, 2007. Google ScholarDigital Library
- H. Comon-Lundh and V. Cortier. Computational soundness of observational equivalence. In CCS '08, pages 109--118. ACM, 2008. Google ScholarDigital Library
- H. Comon-Lundh and V. Shmatikov. Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In LICS '03, pages 271--280, June 2003. Google ScholarDigital Library
- R. Corin, J. Doumen, and S. Etalle. Analysing password protocol security against off-line dictionary attacks. Electron. Notes Theor. Comput. Sci., 121:47--63, 2005.Google ScholarCross Ref
- R. Corin, S. Malladi, J. Alves-Foss, and S. Etalle. Guess what? here is a new tool that finds some new guessing attacks. In R. Gorrieri and R. Lucchi, editors, IFIP WG 1.7, pages 62--71, 2003.Google Scholar
- V. Cortier and S. Delaune. Deciding knowledge in security protocols for monoidal equational theories. In LPAR, pages 196--210, 2007. Google ScholarDigital Library
- V. Cortier, S. Delaune, and P. Lafourcade. A survey of algebraic properties used in cryptographic protocols. J. Comput. Secur., 14(1):1--43, 2006. Google ScholarCross Ref
- C. J. Cremers. Unbounded verification, falsification, and characterization of security protocols by pattern refinement. In CCS '08, pages 119--128. ACM, 2008. Google ScholarDigital Library
- S. Delaune. Easy intruder deduction problems with homomorphisms. Information Processing Letters, 97(6):213--218, 2006. Google ScholarCross Ref
- S. Delaune and F. Jacquemard. A theory of dictionary attacks and its complexity. In CSFW '04, page 2, 2004. Google ScholarDigital Library
- N. Dershowitz and D. A. Plaisted. Rewriting. In Handbook of Automated Reasoning, pages 535--610. MIT Press, 2001.Google ScholarCross Ref
- Y. Ding and P. Horster. Undetectable on-line password guessing attacks. SIGOPS Oper. Syst. Rev., 29(4):77--86, 1995. Google ScholarDigital Library
- D. Dolev and A. Yao. On the security of public key protocols. Information Theory, IEEE Transactions on, 29(2):198--208, Mar 1983.Google ScholarDigital Library
- P. H. Drielsma, S. Modersheim, and L. Vigano. A formalization of off-line guessing for security protocol analysis. In Logic for Programming, Artificial Intelligence, and Reasoning, volume 3452, pages 363--379. 2005.Google Scholar
- N. Durgin, P. Lincoln, J. Mitchell, and A. Scedrov. Multiset rewriting and the complexity of bounded security protocols. J. Comput. Secur., 12(2):247--311, 2004. Google ScholarCross Ref
- F. Fabrega, J. Herzog, and J. Guttman. Strand spaces: why is a security protocol correct? pages 160--171, may 1998.Google Scholar
- F. J. T. Fábrega. Strand spaces: proving security protocols correct. J. Comput. Secur., 7(2--3):191--230, 1999. Google ScholarDigital Library
- R. Fagin, J. Y. Halpern, Y. Moses, and M. Y. Vardi. Reasoning About Knowledge, volume 1 of MIT Press Books. The MIT Press, December 2003. Google ScholarDigital Library
- L. Gong. Optimal authentication protocols resistant to password guessing attacks. In CSFW '95, page 24, 1995. Google ScholarDigital Library
- L. Gong, M. Lomas, R. Needham, and J. Saltzer. Protecting poorly chosen secrets from guessing attacks. Selected Areas in Communications, IEEE Journal on, 11(5):648--656, jun. 1993.Google Scholar
- B. Groza and M. Minea. A calculus to detect guessing attacks. In ISC '09, pages 59--67. Springer-Verlag, 2009. Google ScholarDigital Library
- S. Halevi and H. Krawczyk. Public-key cryptography and password protocols. ACM Trans. Inf. Syst. Secur., 2(3):230--268, 1999. Google ScholarDigital Library
- J. Halpern, Y. Moses, and M. Vardi. Algorithmic knowledge. In Proc. of 5th conference on Theoretical Aspects of Reasoning about Knowledge, pages 255--266, 1994. Google ScholarDigital Library
- J. Heather, G. Lowe, and S. Schneider. How to prevent type flaw attacks on security protocols. J. Comput. Secur., 11(2):217--244, 2003. Google ScholarDigital Library
- R. Landauer. Irreversibility and heat generation in the computing process. IBM Journal of Research and Development, 44(1.2):261--269, jan. 2000. Google ScholarDigital Library
- Z. Li and W. Wang. Deciding recognizability under dolev-yao intruder model. In ISC '10, to appear. Google ScholarDigital Library
- Z. Li and W. Wang. Rethinking about type-flaw attacks. In Global Telecommunications Conference, 2010. GLOBECOM 2010. IEEE, to appear.Google Scholar
- T. Lomas, L. Gong, J. Saltzer, and R. Needhamn. Reducing risks from poorly chosen keys. SIGOPS Oper. Syst. Rev., 23(5):14--18, 1989. Google ScholarDigital Library
- G. Lowe. Breaking and fixing the needham-schroeder public-key protocol using fdr. In TACAs '96, pages 147--166, 1996. Google ScholarDigital Library
- G. Lowe. Analysing protocols subject to guessing attacks. J. Comput. Secur., 12(1):83--97, 2004. Google ScholarDigital Library
- C. Meadows. A procedure for verifying security against type confusion attacks. In CSFW 03, pages 62--72, 2003.Google ScholarCross Ref
- J. Millen and V. Shmatikov. Constraint solving for bounded-process cryptographic protocol analysis. In CCS '01, pages 166--175. ACM, 2001. Google ScholarDigital Library
- S. Schneider. Security properties and csp. In SP '96, page 174, 1996. Google ScholarDigital Library
- D. X. Song, S. Berezin, and A. Perrig. Athena: a novel approach to efficient automatic security protocol analysis. J. Comput. Secur., 9(1--2):47--74, 2001. Google ScholarDigital Library
Index Terms
- Rethinking about guessing attacks
Recommendations
Targeted Online Password Guessing: An Underestimated Threat
CCS '16: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications SecurityWhile trawling online/offline password guessing has been intensively studied, only a few studies have examined targeted online guessing, where an attacker guesses a specific victim's password for a service, by exploiting the victim's personal ...
Protecting poorly chosen secrets from guessing attacks
In a security system that allows people to choose their own passwords, people tend to choose passwords that can be easily guessed. This weakness exists in practically all widely used systems. Instead of forcing users to choose secrets that are likely to ...
Optimal authentication protocols resistant to password guessing attacks
CSFW '95: Proceedings of the 8th IEEE workshop on Computer Security FoundationsUsers are typically authenticated by their passwords. Because people are known to choose convenient passwords, which tend to be easy to guess, authentication protocols have been developed that protect user passwords from guessing attacks. These proposed ...
Comments