Abstract
There is a mantra telling us that authentication is difficult. The failure to design robust authentication protocols is commonly attributed to a lack of good design strategies, and to a lack of verification tools. This paper tells the story of entity authentication arguing that clarity is more important than precision, and that formal methods sometimes even add to the confusion about the meaning of ‘authentication’. Verifying claimed identities translates into checking whether a party is alive, or into checking the identity of the party at the other end of a connection. Correspondence properties can capture both aspects, obscuring an important distinction.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
M. Abadi, Explicit communication revisited: Two new attacks on authentication protocols,IEEE Transactions on Software Engineering23 (1997), no. 3, 185–186.
M. Bellare and P. Rogaway, Entity authentication and key distribution, Advances in Cryptology — CRYPTO’93, LNCS 773 (D. R. Stinson, ed.), Springer Verlag, 1994, pp. 232–249.
R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung, Systematic design of two-party authentication protocols, Advances in Cryptology — CRYPT0’91, LNCS 576 (J. Feigenbaum, ed.), Springer Verlag, 1992, pp. 44–61.
R. Bird, I. Gopal, A. Herzberg, P. A. Janson, S. Kutten, R. Molva, and M. Yung, Systematic design of a family of attack-resistant authentication protocols, IEEE Journal on Selected Areas in Communications 11 (1993), no. 5, 679–693.
M. Burrows, M. Abadi, and R. Needham, A logic of authentication, DEC Systems Research Center Report 39 (1990).
D. E. Denning and G. M. Sacco, Timestamps in key distribution protocols, Communications of the ACM 24 (1981), no. 8, 533–536.
W. Diffie, P. C. van Oorschot, and M. J. Wiener, Authentication and authenticated key exchanges, Designs, Codes and Cryptography 2 (1992), 107–125.
D. Gollmann, Proving authentication protocols — what do authentication protocols prove?, Mathematics of Dependable Systems (V. Stavridou C. J. Mitchell, ed.), Clarendon Press, 1995, pp. 95–102.
D. Gollmann, Insider fraud, Proceedings of the Cambridge Security Protocols Workshop, LNCS 1550 (B. Christiansen et al., ed.), Springer Verlag, 1999, pp. 213–219.
C. A. R. Hoare, Communicating sequential processes, Prentice-Hall International, Englewood Cliffs, NJ, 1985.
International Organization for Standardization, Basic Reference Model for Open Systems Interconnection (OSI) Part 2: Security Architecture, Genève, Switzerland, 1988.
International Organization for Standardization, Information technology — Security techniques — Entity authentication mechanisms; Part 1: General model, Genève, Switzerland, September 1991, ISO/IEC 9798–1, Second Edition
International Organization for Standardization, Information technology — Security techniques — Entity authentication mechanisms; Part 3: Entity authentication mechanisms using a public key algorithm, Genève, Switzerland, March 1991, ISO/IEC JTC1/SC27/WG2 N51
International Organization for Standardization, Information technology — Security techniques — summary of voting on letter ballot No.6, document SC27 N277, CD 9798–3.3 “Entity authentication mechanisms; Part 3: Entity authentication mechanisms using a public key algorithm”, Genève, Switzerland, October 1991, ISO/IEC JTC1/SC27 N313.
International Organization for Standardization, Information technology - Security techniques - Entity authentication mechanisms; Part 3: Entity authentication mechanisms using a public key algorithm, Genève, Switzerland, August 1993, ISO/IEC 9798–3.
B. Lampson, M. Abadi, M. Burrows, and E. Wobber, Authentication in distributed systems: Theory and practice, ACM Transactions on Computer Systems 10 (1992), no. 4, 265–310.
G. Lowe, An attack on the Needham-Schroeder public-key authentication protocol, Information Processing Letters 56 (1995), no. 3, 131–133.
G. Lowe, Breaking and fixing the Needham-Schroeder public-key protocol using FDR, Proceedings of TACAS, LNCS 1055, Springer Verlag, 1996, pp. 147–166.
G. Lowe, Some new attacks upon security protocols, Proceedings of the 9th IEEE Computer Security Foundations Workshop, 1996, pp. 162–169.
G. Lowe, A hierarchy of authentication specifications, Proceedings of the 10th IEEE Computer Security Foundations Workshop, 1997, pp. 31–43.
C. A. Meadows, Analyzing the Needham-Schroeder public key protocol: A comparison of two approaches, Proceedings of ESORICS’96, LNCS 1146 (E. Bertino et al., ed.), Springer Verlag 1996, pp. 351–364.
C. A. Meadows, Analysis of the internet key exchange protocol using the NRL protocol analyzer, Proceedings of the 1999 IEEE Symposium on Security and Privacy, 1999, pp. 216–231.
C. J. Mitchell and A. Thomas, Standardising authentication protocols based on public key techniques, Journal of Computer Security 2 (1993), 23–36.
R. M. Needham and M. D. Schroeder, Using encryption for authentication in large networks of computers,Communications of the ACM 21 (1978), 993–999.
A. W. RoscoeIntensional specifications of security protocols, Proceedings of the 9th IEEE Computer Security Foundations Workshop, 1996, pp. 28–38
S. Schneider, Verifying authentication protocols with CSP, Proceedings of the 10th IEEE Computer Security Foundations Workshop, 1997, pp. 3–17.
S. Schneider, Verifying authentication protocols in CSP, IEEE Transactions on Software Engineering 24 (1998), no. 9, 741–758.
F. J. Thayer Fábrega, J. C. Herzog, and J. D. Guttman, Strand spaces: Why is a security protocol correct?, Proceedings of the 1998 IEEE Symposium on Security and Privacy, 1998, pp. 160–171.
E. Wobber, M. Abadi, M. Burrows, and B. Lampson, Authentication in the TAOS operating systems, ACM Transactions on Computer Systems 12 (1994), no. 1, 3–32.
T. Y. C. Woo and S. S. Lam, A semantic model for authentication protocols, Proceedings of the 1993 IEEE Symposium on Research in Security and Privacy, 1993, pp. 178–194.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2001 Springer Basel AG
About this paper
Cite this paper
Gollmann, D. (2001). Authentication-Myths and Misconceptions. In: Lam, KY., Shparlinski, I., Wang, H., Xing, C. (eds) Cryptography and Computational Number Theory. Progress in Computer Science and Applied Logic, vol 20. Birkhäuser, Basel. https://doi.org/10.1007/978-3-0348-8295-8_17
Download citation
DOI: https://doi.org/10.1007/978-3-0348-8295-8_17
Publisher Name: Birkhäuser, Basel
Print ISBN: 978-3-0348-9507-1
Online ISBN: 978-3-0348-8295-8
eBook Packages: Springer Book Archive