Attacking Authentication Protocols

The past two decades have seen an enormous increase in the development and use of networked and distributed systems, providing increased functionality to the user and more efficient use of resources. To obtain the benefits of such systems parties will cooperate by exchanging messages over the network. The parties may be users, hosts or processes; they are generally referred to as principals in authentication literature. Principals use the messages received, together with certain modelling assumptions about the behaviour of other principals to make decisions on how to act. These decisions depend crucially on what validity can be assumed of messages that they receive. Loosely speaking, when we receive a message we want to be sure that it has been created recently and in good faith for a particular purpose by the principal who claims to have sent it. Wemust be able to detect when a message has been created by amalicious principal or when a message was issued some time ago (or for a different purpose) and is currently being replayed on the network. An authentication protocol is a sequence of message exchanges between principals that either distributes secrets to some of those principals or allows the use of some secret to be recognised [4]. At the end of the protocol the principals involved may deduce certain properties about the system; for example, that only certain principals have access to particular secret information (typically cryptographic keys) or that a particular principal is operational. The principals may then use this knowledge to verify claims about subsequent communication, for example, that a received message encrypted with a newly distributed key must have been created after distribution of that key and so is timely. A considerable number of authentication protocols have been specified and implemented. The area is, however, remarkably subtle andmany pro-