Abstract
The traditional Dolev-Yao model of security limits attacks to “computationally feasible” operations. We depart from this model by assigning a cost to protocol actions, both of the Dolev-Yao kind as well as non traditional forms such as computationally-hard operations, guessing, principal subversion, and failure. This quantitative approach enables evaluating protocol resilience to various forms of denial of service, guessing attacks, and resource limitation. While the methodology is general, we demonstrate it through a low-level variant of the MSR specification language.
Partially supportcd by NRL under contract N00173-00-C-2086 and by ONR under contract number NO00149910150.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
I. Cervesato. A specification language for crypto-protocol based on multiset rewriting, dependent types and subsorting. In G. Delzanno, S. Etalle, and M. Gabbrielli, editors, Proceedings of the Workshop on Specification, Analysis and Validation for Emerging Technologies-SAVE' 01 pages 1–22, Paphos, Cyprus, 2001.
I. Cervesato. Typed MSR: Syntax and examples. In V. Gorodetski, V. Skormin, and L. Popyack, editors, First International Workshop on Mathematical Methods, Models and Architectures for Computer Network Security — MMM''01, pages 159–177, St. Petersburg, Russia, 2001. Springer-Verlag LNCS 2052.
I. Cervesato. Fine-Grained MSR Specifications for Quantitative Security Analysis. In Fourth Workshop on Issues in the Theory of Security — WITS' 04, pages 111–127, 2004.
Y. Chevalier, R. Kiisters, M. Rusinowitch, and M. Turuani. Deciding the Security of Protocols with Diffie-Hellman Exponentiation and Products in Exponents. In FSTTCS 2003: Foundations of Software Technology and Theoretical Computer Science — 23rd Conference. Springer-Verlag LNCS 2914, 2003.
K. Christou, I. Lee, A. Philippou, and O. Sokolsky. Modeling and analysis of power-aware systems. In 9th International Conference on Tools and Algorithms for the Construction and Analysis of Systems — TACAS 2003, pages 409–425, Warsaw, Poland, 2003. Springer-Verlag LNCS2619.
J. Clark and J. Jacob. A survey of authentication protocol literature. Technical report, Department of Computer Science, University of York, 1997. Web Draft Version 1.0 available from http://www.cs.york.ac.uk/~jac/.
H. Comon-Lundh and V. Shmatikov. Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In Proceedings of the Eighteenth Annual IEEE Symposium on Logic in Computer Science (LICS 2003), pages 261–270. IEEE, Computer Society Press, 2003.
D. Dolev and A. C. Yao. On the security of public-key protocols. IEEE Transactions on Information Theory, 2(29): 198–208, 1983.
C. Gunter, S. Khanna, K. Tan, and S. Venkatesh. DoS protection for reliably authenticated broadcast. In M. Reiter and D. Boneh, editors, Proceedings of the 11 th Networks and Distributed System Security Symposium — NDSS '04, San Diego, CA, 2004.
A. Juels and J. Brainard. Client puzzles: a cryptographic defence against connection depletion attacks. In S. Kent, editor, Proceedings of the 5th Networks and Distributed System Security Symposium – NDSS'99, pages 151–165, San Diego, CA, 1999.
G. Lowe. Analysing protocols subject to guessing attacks. In J. Guttman, editor, Second Workshop on Issues in the Theory of Security — WITS'02, Portland, OR, 2002.
C. Meadows. The NRL Protocol Analyzer: An overview. Journal of Logic Programming,26(2): 113–131,1996.
C. Meadows. A cost-based framework for analysis of denial of service in networks. Journal of Computer Security, 9(1/2):143–164, 2001.
R. Needham and M. Schroeder. Using encryption for authentication in large networks of computers. Communications of the ACM, 21(12):993–999, 1978.
D. Tomioka, S. Nishizaki, and R. Ikeda. Cost estimation calculus for analysing denial-of-service attack resistance. Pre-proceedings of ISSS'03, Tokyo, Japan, Nov. 2003.
R. Zunino and P. Degano. A note on the perfect encryption assumption in a process calculus. In I. Walukiewicz, editor, 7th International Conference on Foundations of Software Science and Computation Structures — FoSSaCS'04, pages 514–528, Barcelona, Spain, 2004. Springer-Verlag LNCS 2987.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2006 Springer Science+Business Media, LLC.
About this paper
Cite this paper
Cervesato, I. (2006). Towards a Notion of Quantitative Security Analysis. In: Gollmann, D., Massacci, F., Yautsiukhin, A. (eds) Quality of Protection. Advances in Information Security, vol 23. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-36584-8_11
Download citation
DOI: https://doi.org/10.1007/978-0-387-36584-8_11
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-29016-4
Online ISBN: 978-0-387-36584-8
eBook Packages: Computer ScienceComputer Science (R0)