Breaking and Fixing the Needham-Schroeder Public-Key Protocol using FDR-英文文献.pdf

Breaking and Fixing the NeedhamSchro eder PublicKey Proto col using FDR Gavin Lowe ABSTRACT In this pap er we analyse the well known NeedhamSchro eder PublicKey Proto col using FDR a renement checker for CSP We use FDR to discover an attack up on the proto col which allows an intruder to imp ersonate another agent We adapt the proto col and then use FDR to show that the new proto col is secure at least for a small system Finally we prove a result which tells us that if this small system is secure then so is a system of arbitrary size Intro duction In a distributed computer system it is necessary to have some mechanism whereby a pair of agents can b e assured of each others identitythey should b ecome sure that they really are talking to each other rather than to an intruder imp ersonating the other agent This is the role of an authen tication pr otocol In this pap er we use the Failures Divergences Renement Checker FDR a mo del checker for CSP to analyse the NeedhamSchro eder Public Key Authentication Proto col FDR takes as input two CSP pro cesses a sp ecication and an implementation and tests whether the implementation renes the sp ecication It has b een used to analyse many sorts of sys tems including communications proto cols distributed databases and puzzles we show here how it may b e used to analyse security proto cols We mo del the agents taking part in the proto col as CSP pro cesses We also mo del the most general intruder who can interact with the proto col the intruder can observe and intercept messages and so learn information such as the values of noncesand then use this information to intro duce fake messages into the system We use FDR to test whether the proto col correct