1 Reasoning about Message Integrity 1 Rajashekar

We propose an approach for reasoning about message integrity protection in cryptographic protocols. The set of axioms presented herein relate design parameters and assumptions of message integrity protection mechanisms to generic message integrity threats. Comparison of threat properties derived using these axioms with the policy goals for integrity protection aids in assessing the strength (or lack thereof) of message integrity protection mechanisms. We provide examples to illustrate the use of our approach in examining the weaknesses of message integrity protection mechanisms, and also in suggesting modiications in their design parameters. 1.1 Introduction Cryptographic protocols, and in particular, authentication protocols, rely on message integrity protection. However, mechanisms for protecting message integrity have been shown to be error-prone Past studies of message integrity have focused primarily on nding attack scenarios in message integrity protection mechanisms, suggesting solutions to eliminate vulnerabil-ities, and proposing new algorithms for message integrity protection 2], 3], 4], 5], 14], 15], 18], 21]. Recently, an operational model for message integrity, and a general method for designing message integrity protection mechanisms was also proposed 21]. However, to date, analysis of message integrity protection mechanisms has been done in an ad-hoc manner. A method which considers the types of threats that the environment is exposed to and analyzes protection mechanisms to determine whether they achieve their goals 3 has not been proposed. An analysis method that relates design attributes and assumptions of message integrity protection mechanisms to message integrity goals is useful in (1) analyzing extant protection mechanisms for their threat resistance properties, (2) designing new protection mechanisms, and (3) to help gain insight into properties of message integrity protection mechanisms. In this paper, we propose a set of axioms which model the threats to message integrity in a given environment. These axioms relate the design parameters and assumptions of message integrity protection mechanisms to generic message integrity threats. Comparison of threat properties derived 3 Message integrity protection mechanism goals are usually stated in terms of a probability threshold; i.e., in the form Probability with which the protection mechanism is vulnerable to message integrity compromise is less than a speciied threshold 20].