|
Abstract.摘要
We present the analysis of a protocol for private authentica-tion in the applied pi calculus. 我们目前的分析主要是应用于PI演算的私人认证的协议中。We treat authenticity and secrecy prop-erties of the protocol. Although such properties are fairly standard, theirformulation in the applied pi calculus makes an original use of processequivalences. In addition, we treat identity-protection properties, whichare a delicate concern in several recent protocol designs.此外,我们对待身份采用了一些保护的性能,这是在最近的几个协议设计中出现的一个微妙的问题。
1 Introduction介绍 http://www.ukassignment.org/uklunwen/
In recent years, the understanding of basic security properties such as integrityand confidentiality has become both deeper and wider.
近年来,了解基本的安全性能:如完整性和保密性,已成为双方更深层次,更广的一些需求。
There has also been sub-stantial progress in the design and verification of protocols that aim to guaranteethese properties. On the other hand, fundamental tasks such as secure sessionestablishment remain the subject of active, productive research. Moreover, prop-erties beyond integrity and confidentiality have been studied rather lightly todate. These properties include, for example, protection of identity informationand protection against denial-of-service attacks. They may seem secondary butthey are sometimes important.This paper contributes to the ongoing study of security protocols and oftheir properties. More specifically, this paper presents the analysis of a securityprotocol in the applied pi calculus [2], a recent variant of the pi calculus. Theprotocol in question is one for private authentication (the second protocol of [1]).Its analysis is worthwhile for several reasons:– The protocol is for a standard purpose, namely establishing a session (withassociated cryptographic keys), and it is concerned with standard securityproperties, such as authenticity and secrecy. Therefore, the analysis of theprotocol exemplifies concepts and techniques relevant to many other proto-cols.– In addition, the protocol is concerned with a privacy property: it aims toguarantee that third parties do not learn the identity of protocol participants.Although this property and similar ones appear prominently in several recentprotocol designs, they have hardly been specified and proved precisely todate. Therefore, this paper develops an approach for stating and derivingthose properties.The protocol includes some delicate features, and is not a trivial exampleinvented only in order to illustrate formal techniques. On the other hand, theprotocol remains fairly simple, so we can give relatively concise treatmentsof its main properties.另一方面,该协议仍然相当简单,所以我们可以给与相对来说的的准备,引起其主要性能是比较简洁的。
In the applied pi calculus, the constructs of the classic pi calculus can be usedto represent concurrent systems that communicate on channels, and functionsymbols can be used to represent cryptographic operations and other operationson data. Large classes of important attacks can also be expressed in the appliedpi calculus, as contexts. These include the typical attacks for which a symbolic,mostly “black-box” view of cryptography suffices (but not for example somelower-level attacks that depend on timing behavior or on probabilities). Thus,in general, the applied pi calculus serves for describing and reasoning aboutmany of the central aspects of security protocols. In particular, it is an appro-priate setting for the analysis of the protocol for private authentication. Someof the properties of the protocol can be nicely captured in the form of equiva-lences between processes.某些协议的属性,可以在进程之间以等价形式很好地获得。
Moreover, some of the properties are sensitive to theequations satisfied by the cryptographic functions upon which the protocol re-lies.
更多的是,一些协议的重读的加密功能的这么一些属性是十分令人满意的。The applied pi calculus is well-suited for expressing those equivalences andthose equations.In a sense, private authentication is about hiding the names (or identities) ofprotocol participants. The applied pi calculus permits hiding the names that rep-resent private communication channels and secret cryptographic keys (throughthe restriction construct ν). Despite this superficial coincidence, the name hidingof private authentication and that of the applied pi calculus are rather differ-ent. We do not have a direct reduction of one to the other. However, the namehiding of the applied pi calculus is crucial for expressing the protocol underconsideration and for deriving the equivalences that express its properties.The next two sections explain private authentication and the applied pi cal-culus, respectively. Section 4 shows how to express a protocol for private au-thentication in the applied pi calculus. Section 5 treats the authenticity andsecrecy properties of the protocol; section 6, its privacy properties. (We omit allproofs, because of space constraints.) Section 7 discusses some related work andconcludes.2 Private AuthenticationAlthough we do not aim to provide a general definition of privacy (partly becauseone might have to be too vague or empty), we focus on the following frequentscenario in which privacy is a central concern: two or more mobile interlocutorswish to communicate securely, protecting their messages and also their identitiesfrom third parties. This scenario arises often in mobile telephony and mobilecomputing [7, 14, 12, 15, 6, 8]. In these contexts, roaming users may want toconceal their identities from others and even from infrastructure providers andoperators. Furthermore, identity protection is a goal of several recent protocolsfor communication at the IP level [9, 5].更进一步的问题是,尤其是最近几次的通信协议中,身份保护是一个目标。
More specifically, suppose that a mobile principal A (a user or a computer)wishes to communicate with some other principals, and that A is willing to proveits identity to these principals. Suppose that B is one of them, and that B iswilling to communicate with A and to prove its identity to A. After providingthese proofs, in the subsequent session, A and B may make sensitive requestsfrom each other and may reveal sensitive data to each other. We study a protocol(from [1]) that enables A and B to establish an authenticated communicationchannel. By following the protocol, A and B should not have to indicate theiridentity and presence to any third parties.In this section, we review the protocol informally. We start by outlining itsassumptions, then describe its message flow and (briefly) some of its propertiesand limitations. Later sections contain a formal development of these points.
AssumptionsThe protocol assumes that messages do not automatically reveal the identity oftheir senders and receivers—for example, by mentioning them in headers. Thisassumption entails some difficulties in routing messages. Focusing on a relativelysimple but important case, the protocol supposes that all messages are broadcastwithin some location, such as a physical building or a virtual chat room.As in most security protocols (following Needham and Schroeder [13]), thecommunication infrastructure is untrusted. An attacker can interpose itself onall public communication channels, and thus can alter or copy parts of messages,delete messages, replay messages, or emit false material.The protocol also assumes that each principal A has a public key KAanda corresponding private key K 1A(e.g., [11]), and that the association betweenprincipals and public keys is known. This association can be implemented withthe help of a mostly-off-line certification authority, and it is trivial when oneidentifies public keys with principal names.这种关联,可以使得他们获得大多离线认证机构的帮助,但是它是当一个主体为公共密钥的名称标识时,它是平凡的。
Public keys are used for encryp-tion and private keys for the corresponding decryptions. 公共密钥用于加密和相应的私钥解密。Informally, when K isa public key, we write {M }Kfor the encryption of M using K. The protocolassumes some properties of the encryption scheme (not all entirely standard).Only a principal that knows the corresponding private key K 1should be ableto understand a message encrypted under a public key K. Furthermore, decrypt-ing a message with a private key K 1should succeed only if the message wasencrypted under the corresponding public key K, and the success or failure of adecryption should be obvious to the principal who performs it. Finally, someonewho sees a message encrypted under a public key K should not be able to tellthat it is under K without knowledge of the corresponding private key K 1,even with knowledge of K or other messages under K.#p#分页标题#e#
|
 |
|||
| 网站地图 |
