8th OAPS Working Paper Series
Website: http://www.oaps.hk/
Paper No. 2011-010
NMI - a Linux-based Platform for Achieving the Attack to
一
Security Protocol Semi-automatically
Shibo Luo1, Jing Fu2
1 UM-SJTU Joint Institute
2 School of Electronic, Information and Electrical Engineering
ABSTRACT
Security protocol is the special communication protocol which is used for strengthening the security
of communication process and confirming the privacy of message, the authenticity of subject’s identity
and the completeness of data by using cryptographic technique. It is widely used in Internet bank, online
shopping, Email and other network application. But security protocols are not as safe as their designer
thought, they can often be attacked through various bug. In the absence of a universal instrument to
construct attack by attacker’s own requirement, we developed NMI (Network Message Interceptor)
Platform, which is used for achieving the attack to Security Protocol semi-automatically.
The paper has introduced the runtime environment, structure, and implementation of NMI-Platform.
Then it used several application cases to demonstrate NMI-Platform’s function, if we have idea, we can
construct the idea into practical attack immediately. At last, it showed how to extend NMI-Platform’s
application range to wireless network protocol. NMI-Platform will bring convenient to the research fellow
who has interest on security protocol.
KEY WORDS
WORDS: Information Security, Security Protocol, NMI platform
1 Introduction
1.1 Security Protocol’s Application Status
Since informatization becomes more and more universal in government, military and
E-business, information security has become a common requirement in the whole society.
For achieving the object of sharing network resource in security, we often use security
protocol. Security protocol is a mutual communication protocol based on the cryptographic
mechanism. It is realized by two or more participants to take the promissory ways to
exchange messages. And it takes a sort of cryptographic algorithm to encrypt the whole or
part of exchange messages to achieve the preconcerted security objectives [1]~[2]. (Such as
authentification, assigning the key or confirming the message’s privacy)
Security protocol is also widely used in our daily life. It has various applications to
Emails, online shopping, internet bank and other network applications that need to guarantee
一
本论文受“上海交通大学本科生研究计划（PRP）”项目（T03017006）资助
上海交通大学 SJTU
1
Shibo Luo, Jing Fu
School of Electronical Information and Electrical Engineering
the secrecy of users’ account, the non-repudiation and the fairness of transaction or the
completeness of messages.
Fig.1-1 the SSL Protocol Used in SJTU’s JAccount
1.2 Research Contents and Significance
Though security protocol has undertook the task of guaranteeing information security
and most security protocols was designed carefully, security protocol’s design is a complex
and subtle process, many security protocols are not as safe as their designer thought. For
example, one of the most famous early security protocols—“Needham-Schroeder
authentication protocol” [3], which is published in 1978 has being used until someone found
the bug after 17 years [4].
And even if a security protocol’s theoretical model is unassailable, there exists “the
realization of protocol’s code”, “the internet environment that protocol is applied” and other
secure factor, the security protocol can still have security risks. Hence analyze and check
whether a security protocol is secure is a troublesome problem. Sometimes, constructing an
attack to check whether a security protocol can be captured is a good way for finding the
bugs.
In the absence of an instrument which allowed attackers to construct attacks as their
own requirement, we developed NMI-platform. It is a universal instrument which has high
freedom and can be used conveniently. With NMI-platform’s help, attackers don’t need to
control the router or study the router’s structure and related knowledge any more. Attackers
also can save many time and energy which they spend on many complex works (such as
modify the operating system’s code and write great amount of code) before. When they have
idea about how to construct an attack, they can construct an attack immediately and check
the idea’s feasibility.
2
上海交通大学 SJTU
8th OAPS Working Paper Series
NMI - a Linux-based Platform for Achieving theAttack to Security Protocol Semi-automatically
1.3 Some Explanation and Clarification
The NMI-Platform is not an instrument provided for hackers to break the internet
security and steal user’s information. It is designed for academic research and help
researcher to find the bugs of security protocol. Actually, it’s hard for hackers to use this
instrument do harm to internet public safety. The paper will explicate it in Chapter 3.2.
2 Security Protocol’s Attack Method
2.1 Dolev-Yao Model
Dolev-Yao Model [5] is a model which describes the internet environment. It is widely
used in protocol’s analysis.
In this model, we assume attackers won’t know any secret information before the
protocol begins, but attackers can control the whole internet any time. Attackers can wiretap,
intercept, modify and store all the information that transmits in internet. Attackers can be
legal participant to run the protocol. And we assume attackers have a great store of
knowledge and strong ability such as being familiar with various kinds of crypto-operation
to construct an attack.
At the same time, the model assumes the cryptographic algorithm which being used in
security protocol is perfect. This assumption mainly includes two aspects. On the one hand,
we must use the corresponding decryption key to decrypt the ciphertext. On the other hand,
the cryptosystem has enough redundancy, if someone wants to produce a ciphertext, he must
use corresponding plaintext and encryption key [6].
In sum, Dolev-Yao model is mainly concentrate on Security Protocol’s structure but not
cryptographic algorithm. It can be used to check whether a protocol can run regularly in the
worst internet environment.
2.2 Basic Symbols Representation for Security Protocol
This paper takes the basic symbol representation in Dolev-Yao model [5]. This
representation separates the security protocol from its specific cryptosystem. It is based on
the precondition that the specific cryptosystem is perfect in the given security definition. The
one line represents a message send step. The regular representation is below:
Message 2: A → B: {m}k
Message 2 shows this message is the second message in the protocol. A → B: {m}k
shows the participator A sends the message “{m}k” to the participator B ({m}k means use
key k to encrypt m). In addition, use I(A) or I(B) to represents the attacker “I” forged the
protocol’s participator A or B to send or receive the messages.
2.3 An Example of an Attack to Security Protocol
This section will introduce the theoretical model of a protocol which is designed by
Needham and Schroeder
上海交通大学 SJTU
[7]
. This protocol’s security objectives are changing key and do ID
3
Shibo Luo, Jing Fu
School of Electronical Information and Electrical Engineering
authentication between two communicating parties. And the protocol realizes its security
objective with the help of a third-party notary S. The protocol’s process is below (the words
below each message is the explanation of the message):
Message 1: A → S: {A,B,Ra}Ks
At first, A encrypts “A”, “B” (represents the usernames of A and B) and “Ra” (the
random number produced by A) with S’s public key and send the encrypted packet to S.
Message 2: S → A: {B, Kab ,Ra}Ka ,{Kab,A}Kb
S decrypts the packet and produces a symmetric key Kab for A and B to communicate.
Then S encrypts “Kab”, “B” and “Ra” with A’s public key and encrypts “Kab” and “A” with
B’s public key. Then S sends these two encrypted packets to A.
Message 3: A → B: {Kab,A}Kb
A decrypts the received packet which is encrypted with A’s public key to get symmetric
key Kab and check the Ra decrypted from packet with the Ra produced by himself. Then A
sends the packet which is encrypted by B’s public key to B.
Message 4: B → A: {Rb}Kab
B decrypts the received packets and get Kab, then B produces a random number Rb and
encrypts it with Kab and sends the packets to A.
Message 5: A → B: {Rb-1}Kab
A decrypts the received packet and calculate Rb-1, then encrypt Rb-1 and sends the
packet to B. B decrypts the received packet to check Rb-1, if Rb-1 is right, he can confirm the
man who talk to him is A.
The protocol is over. This protocol is not perfect, it can be captured by the way below:
Message 1: A → S:
{A,B,Ra}Ks
Message 2: S → A:
{B, Kab ,Ra}Ka ,{Kab,A}Kb
Message 3: I(A) → B: {Kib,A}Kb
Message 4: B → I(A): {Rb}Kib
Message 5: I(A) → B: {Rb-1}Kib
As we can see, attacker “I” intercepts the packet which A sends to B (the Message 3 in
origin protocol). Then “I” encrypts the forged symmetric key “Kib” and “A” with B’s public
4
上海交通大学 SJTU
8th OAPS Working Paper Series
NMI - a Linux-based Platform for Achieving theAttack to Security Protocol Semi-automatically
key and pretends A to send the packet to B. B will not know that “I” is pretending A to
communicate with him, then he will believe that Kib is the symmetric key for A and B’s
communication and the man who talk to him is A. The protocol is captured completely.
We will show how to use NMI-Platform to realize this attack in Chapter 4.
3 NMI-Platform
In the process of researching about security protocol’s attack method, we found that
construct attacks to attack security protocol is an effective way to check whether the security
protocol is secure. Then we developed NMI-Platform.
NMI (Network Message Interceptor) Platform is an instrument that developed by us
complete independently. It sets up in the internet router and has the competence of
intercepting, modifying and stealing the data packet that transmitting in internet.
In traditional way, when a researcher wants to construct an attack, he must control the
router and be familiar with the knowledge related to router. Or he will spend much time on
modifying the operating system’s code and writing great amount of code. And he must have
enough knowledge about how operating system run, how data packet transmit in internet,
and the structure of operating system’s kernel. And for different protocol, he may need to
write different program. But with the help of NMI-Platform, attackers can convert his ideal
into attack directly.
3.1 The Runtime Environment of NMI-Platform
Since NMI-Platform is designed for research fellows to find the bug for security protocol,
it uses the simulated router instead of practical router. We use a laptop with the operating
system of Ubuntu to connect the internet by cable (we call this laptop root computer). Then
we use this computer to establish a Wireless LAN, and let other terminal computer
(laboratory instrument computer) connect internet by this Wireless LAN. Then the terminal
computer and root computer constitute an Intranet, all data packet that other terminal
computers send to internet should pass through the root computer. And setting up
NMI-Platform in root computer, the root computer can become a simulated router.
Fig.3-1 the Practical Way of Users Connect to Server
上海交通大学 SJTU
5
Shibo Luo, Jing Fu
School of Electronical Information and Electrical Engineering
Fig.3-2 the NMI-Platform’s Runtime Environment
As we can see, on the one hand, NMI-Platform can simulate the router and construct an
intranet completely. And on another hand, it can only intercept, steal or modify the data
packet from terminal computer, but doesn’t do harm to internet public security. And if
somebody wants to set up NMI-Platform in a practical internet router to hurt public security,
he may meet two big problems: At first, the practical router is usually placed on the private
room, it is not easy for somebody to touch, control, and install something on the practical
router. Second, most routers’ operating systems are not Ubuntu but other dedicated systems.
3.2 The Structure and Implementation of NMI-Platform
NMI-Platform is composed of three parts: Filter, Modifier and Transmitter.
Fig.3-3 the Construction of NMI-Platform
3.2.1 Filter
Filter’s main function is capturing the specified data packet according to user’s
requirement (such as the data packet from given IP, given Mac, or particular type of
protocol), then sends the captured packet to Modifier to do farther operation. The Filter is
based on the linux’s firewall (netfilter), and assist port---/proc file system. These settings
bring great convenience to the communication between man and computers and the data
communication between different processes. The Filter treats all data packets that pass
through the root computer as input, and then capture the packet which satisfied the
requirement.
6
上海交通大学 SJTU
8th OAPS Working Paper Series
NMI - a Linux-based Platform for Achieving theAttack to Security Protocol Semi-automatically
Fig.3-4 the Analyzing Method of Filter
The method of Filter to capture the specified data packets is analyzing the bytes in the
packet (Fig.3-4). We extract the information from the specific location of the packet (such as
message heading), then we compare the information to the user’s requirement. If they are the
same, then we capture the packet.
3.2.2 Modifier
The function of Modifier is to do operation to the captured packets according to users’
requirements. For example, Modifier can modify the contents of the packets and disguise the
packets as legal packets then sends them into send buffer to wait for farther operation.
Modifier can also just get some information from the captured data and then throw it away.
Except the self-defined modification from users, Modifier also will do the modification as a
normal router needs to do. (Fig.3-5)
Fig.3-5 the Position of Modifier in Runtime Environment
Modifier modifies or extracts the data according to the rules about packet’s format of
security protocol. And Modifier disguises the packets as legal packets according to the
calculation method of various protocols. Modifier also uses assist port---/proc file system as
the buffer port between the process of Transmitter and the process of Modifier itself.
Fig. 3-6 Transporting Process of Data in Modifier
上海交通大学 SJTU
7
Shibo Luo, Jing Fu
School of Electronical Information and Electrical Engineering
The arrow in Fig.3-6 shows the transporting process of data in Modifier. Preliminary
Modify includes the modification that routers should do, such as adjust the source address to
the root computer and subtract TTL by 1. Attack Modify will be set by users such as replace
the packets’ data as attackers’ own data. Disguise Modify disguises the modified packets as
legal packets then sends it into transmitter’s buffer to wait for farther operation.
For a root computer that loaded NMI-Platform as a router in internet, when the terminal
computer sends message to server in Internet, the data packet captured by the Intranet port
usually needs to do some modification before sends to internet. It requires very painstaking
modification. The detailed work process is below (use IPv4 as example).
a: change the destination MAC address to root computer’s former router’s mac address.
And change the source IP and source MAC address to the root computer’s IP and MAC
address.
b: subtracts TTL by 1
c: Attack Modify (it is mainly self-defined by users)
d: according to the algorithm strictly to calculate the checksums in all level, confirming
the correctness and timeliness
e: Recording of the packet. While the server responses the current router (root computer),
the router cannot identify the packet whether it is for the router itself or terminal
computer, because all packets caught by Filter has changed its source IP and MAC
address to root computer’s IP and MAC address (we have mentioned on a). Thus, there
is something necessary to be done to record the transforming operations.(In fact, the
router broadcasts the received packets throughout the inner net is also right, as that
packets with wrong IP will be abandoned).
f: sends the produced packet into Transmitter’s buffer.
Fig. 3-7 The Regular Process of Modifier
NMI-Platform has great freedom, the process above is the regular process. Actually, for
different requirements, we can throw out the captured packet directly or produce the packet
without any input.
The biggest trouble in the process is re-producing the checksum. For UDP and IP, we
can use the existed function in linux, but for TCP, we can only calculate the checksum by
ourselves. Re-calculate the checksum needs a certain amount of time, but many servers have
limitation about the time of receiving data. Since if the packets only have modification on
small number of bytes, we can get the result by calculate the difference value, it can save a
8
上海交通大学 SJTU
8th OAPS Working Paper Series
NMI - a Linux-based Platform for Achieving theAttack to Security Protocol Semi-automatically
lot of time. NMI-Platform provides both two ways for users to choose accordingly. It can
satisfy most web-server.
Why don’t we use the existed router function on the operation system (linux) but
construct this part by ourselves?
If we use the router function of the operation system directly, we have to modify the
code of the operating system and catch the packet which is being processed, then do
operation to it and put it back. But this method has several unavoidable troubles:
� It will take a great amount of time to modify the operating system’s kernel code,
but this is not the key. The most serious problem is that an instrument implement by
modifying the operating system’s kernel code has no portability between the different
computers. But the instrument we construct is based on linux firewall (netfilter), it is a
module and can be set up on any computer with operating system of Ubuntu.
� Even if we can extract the data, modify it and put it back (as Fig.3-8), it is
obviously that when we process the data, we must suspend the process of the operating
system for some time. It’s practically impossible.
Fig.3-8 the Model of Extracting Data from System
3.2.3 Transmitter
The Filter and Modifier belong to the same process, but Transmitter belongs to another
process. Transmitter reads the packets in the buffer continuously until the buffer become
empty. The inputting information of the packet is accurately checked down to Link-Layer, so
there is no need to repack it and just sends it according to the MAC address.
All communications between different processes are using /proc file system.
Fig.3-9 Work Process of Transmitter
Filter and Modifier are at the same process, the same kernel process. Transmitter is
another user process. Transmitter will be blocked when buffer contains nothing. The
no-protocol sending model means we send a packet into the internet with source and
destination MAC and no process for protocol. (Fig.3-9)
上海交通大学 SJTU
9
Shibo Luo, Jing Fu
School of Electronical Information and Electrical Engineering
The reason why using /proc file system as transmit buffer is considering about
NMI-Platform’s efficiency. There are three ways to establish communication of large data
blocks between different processes:
a.
Named Pipe: it has limitation of data’s size and can’t afford all packets
transmitting task.
b. Global Variable: it is applying to the processes of the same level, but not
suitable for a kernel-mode module and a user-mode process.
c.
/proc File System: it suits to exchange data between kernel-mode and
user-mode. Though it is not as fast as processing memory directly, it can confirm the
correctness and completeness of the exchanging data.
3.3 The GUI of NMI-Platform
We use GTK to do the GUI of NMI-Platform. Fig.3-11 is the welcome interface of
NMI-Platform. In Fig.3-12, user is inputting the source IP and MAC address of the packet
which he wants to capture.
Fig.3-10 The Logo of NMI-Platform
Fig.3-11 The Welcome Interface
Fig. 3-12 The Setting Input Interface
4 Application Cases of NMI-Platform
In this chapter, we will introduce several application cases to demonstrate NMI-Platform’s
function. The cases will show if you have idea of how to attack a security protocol, you can
convert your idea to practical attack immediately to check whether your idea has feasibility
with the help of NMI-Platform.
4.1 The Realization of an Attack to the Protocol Introduced in Section 2.3
Since the protocol we introduced in Chapter 2.3 is very old, we can hardly find it being
use in Internet. Therefore, we construct this protocol by ourselves,
10
上海交通大学 SJTU
8th OAPS Working Paper Series
NMI - a Linux-based Platform for Achieving theAttack to Security Protocol Semi-automatically
We use the No.13 computer and the No.21 computer as protocol participants A and B.
The communication is between these two computers. We use RSA encryption algorithm as
the asymmetric cryptographic algorithm and we use DES encryption algorithm as the
symmetric cryptographic algorithm. And all keys are showed in table 4-1. (Since we have
mentioned in previous chapter, in protocol analysis, we don’t concentrate on the complexity
of key and cryptographic algorithm. Hence the keys we use is simple).
Table 4-1 The Key of All Participants and Notary
Public key
Private key
A
asl
soc
B
er1
o6u
S
rw3
i68
Below is the protocol’s process we have run:
a. A (No.13 computer) produces random number Ra =771, then encrypts “No.13”,
“No.21”,”771” with S’s public key “rw3” , and sends the packets to S.(Fig.4-1)
Fig.4-1
b. S decrypts the received packet and produces the symmetric key Kab=“pwu”. Then sends
{A, Kab ,Ra}Ka and {Kab,B}Kb to A. (Fig.4-2)
Fig.4-2
c. A decrypts {A, Kab ,Ra}Ka and gets Kab=”pwu”, and checks Ra=771. Then sends
{Kab,A}Kb to B (No.21 computer). (Fig.4-3)
Fig.4-3
d. B gets the Kab=”pwu” from decrypting the received packet. Then B produces a random
number Rb=1490 and uses Kab to encrypt it and sends the packet to A. (Fig.4-4)
上海交通大学 SJTU
11
Shibo Luo, Jing Fu
School of Electronical Information and Electrical Engineering
Fig.4-4
e. A decrypts the received packet with Kab=”pwu”, then get Rb=1490, and encrypt
Rb-1=1489 with Kab=”pwu” (Fig.4-9), then sends the packet to B. (Fig.4-5)
Fig.4-5
f. As Fig.4-6 shows (the string seems like unrecognizable code in Fig.4-6 is the packet we
received on No.21 computer (B)), B decrypts the received packet with Kab, and get
Rb-1=1489. After check it with the Rb he produced. He will know the man who talk to
him is A and the Kab=”pwu”. And we run this protocol successfully.
Fig.4-6
Then we will show the process of using NMI-Platform to capture this protocol with the
method we have introduced in Section 2.3.
Since all message’s transmitting will pass through the root computer (router), attacker “I”
first intercept the message {Kab,A}Kb that A has sends to B in Step c by using the Filter of
NMI-Platform in root computer (In Dolev-Yao model, he can control root computer) . Then
he forged Kib=”lzd”, and encrypts it with B’s public key, then send the packet to B by using
the Modifier and Transmitter of NMI-Platform in root computer. (Fig.4-7)
12
上海交通大学 SJTU
8th OAPS Working Paper Series
NMI - a Linux-based Platform for Achieving theAttack to Security Protocol Semi-automatically
Fig.4-7
B doesn’t know that the man talk to him is “I”, and believe that Kib=”lzd” (he decrypts
from received packet) is the symmetric key Kab, then he produces the random number
Rb=2711, and do as Step e. (Fig.4-8) Attacker “I” intercepts the message in root computer
(Fig.4-9 shows the packet that intercepted by NMI-Platform), decrypts it and get Rb
(Fig.4-10).
Fig.4-8
Fig.4-9
Fig.4-10
Then I encrypt Rb-1 with Kib=”lzd”, and sends the packet to B. B decrypts the received
packet, after check, he will consider the man talk to him is A, and Kib=”lzd” is the symmetric
key that S produces for A and B’s communication. Therefore, attacker “I” captured this
protocol. (Fig.4-11)
上海交通大学 SJTU
13
Shibo Luo, Jing Fu
School of Electronical Information and Electrical Engineering
Fig.4-11
The result shows the attack method we have introduced in Section 2.3 is feasible and
valid.
4.2 Other Case We Have Constructed
In many websites, when user log-in, he or she can choose log-in automatically in the
same computer next time for convenience. This function is realized by Cookie. Server
returns a Cookie value to user and user’s browser saves it in the computer (The Cookie value
is different for different users). When user visits the website again, user’s browser will send
the Cookie value to the server. Then the server will check whether the Cookie value can
match to the user, if can, the server will allow user to log-in directly.
In mail163, it also uses Cookie to bring convenient to user (Fig.4-12). Therefore, we
think though mail163 has used SSL protocol to protect user’s information (Fig.4-12), we can
still use Cookie deceive to pretend others to log-in.
Fig.4-12 The SSL and Cookie of Mail163
We assume the Cookie value produced by mail163 is related to user’s IP address. We
think that mail163 has a function to calculate the Cookie value, and the variable for the
function is the IP address, when mail163’s server checks whether the Cookie value can
14
上海交通大学 SJTU
8th OAPS Working Paper Series
NMI - a Linux-based Platform for Achieving theAttack to Security Protocol Semi-automatically
match to the user, the server will calculate the Cookie value again by using user’s IP address.
If the result is as same as the result that received form user’s browser, then server think it is
matching.
Since the computers in the same intranet showed the same IP address to the internet, we
came up with an idea: user A and user B are in the same intranet, when user A visits mail163,
user B uses NMI-Platform to identity, extract and save the Cookie value (only save and not
obstruct user A’s visit). Then user B connects to mail163, and uses NMI-Platform to
substitute the Cookie value in data packet into the Cookie value he extracted before
(Fig.4-13) .Then server will accept the Cookie value and allow user B to log-in with user A’s
account directly .
Fig.4-13
Unfortunately, we failed to cheat mail163. The server told us that the Cookie value did’t
match to user B. But it doesn’t mean what we have doone has no meaning. The result told us
that our idea is wrong, the design procedure of 163mail’s Cookie function is not only related
to user’s IP address. Now, we are finding other factors that may related to the production of
mail163’s Cookie value.
Anyway, NMI-Platform has finished its task in this case, we have uses it converting our
idea into practical attack sucsessfully.
5 Extension of the NMI-Platform’s Application Range to Wireless
Protocol
The original NMI-Platform can only catch the Ethernet protocol and the protocol above
Ethernet. The data packet of IEEE is being ignored. Therefore, it can only catch the protocol
that applied on cable network. Then we set the number of Netfilter (linux firewall)’s hook as
NF_IP_PRE_ROUTING (the initial data), and do some procession about 802.11MAC, and
modify some setting of Ubuntu. Then NMI-Platform is able to catch the protocol of IEEE
802.11 and do operation to wireless protocol.
上海交通大学 SJTU
15
Shibo Luo, Jing Fu
School of Electronical Information and Electrical Engineering
Fig.5-1 The Level of Data Packet
6 Further Work
Since our NMI-Platform still has some shortcomings, its GUI is still not friendly enough
and the flexibility of its operation need be strengthened.
And we have dabbled with the communication protocols of cellphone before but didn’t
research it profoundly. To extend NMI-Platform be adequate for checking the bugs of the
protocols which is applied on cellphone’s communication may be the further work we can
do.
7 Conclusion
The paper has introduced an instrument developed by us—NMI-Platform. It is based on
the linux for achieving the attack to security protocol semi-automatically. It can help
research fellows to find the bug of security protocol. And then, the paper introduced
NMI-Platform’s several application cases and extended function (processing the wireless
protocols). We believe this platform will bring convenient to research fellow who has
interest on security protocol.
Reference
[1] W. Mao. “Modern Cryptography Protocol: Theory and Practice”. English reprint by PEARSON
EDUCATION NORTH ASIA LIMITED and Publishing House of Electronic Industry, 2004.
[2] R.A. DeMillo, G.L. Davida, D. P. Dobkin, M.A.Harrison and R.J. Lipton. “Applied Cryptology,
Cryptographic Protocols, and Computer Security Models”. Proceedings of symposia in Applied
Mathematics, 29: 174, 1983.
[3] R.M. Needham and M.D.Schroeder. “Using Encryption for Authentication in Large Network of
Computers”. Communication of the ACM, vol. 21(12): 993-999, 1978.
[4] G. Lowe. “An Attack on the Needham-Schroeder Public Key Authentication Protocol”. Information
Processing Letters, 56(3): 131- 133, 1995.
[5] D.Dolev and A.C.Yao. “On the Security of Public Key Protocols”, IEEE Transactions on Information
Theory, 29(2): 198- 208, 1983.
16
上海交通大学 SJTU
8th OAPS Working Paper Series
NMI - a Linux-based Platform for Achieving theAttack to Security Protocol Semi-automatically
[6] Ling Dong, “Cryptographic Protocol Engineering Principles and Protocol Security Based on Trusted
Freshness”, [Doctoral Dissertation], ShangHai: Shanghai Jiao Tong University Department of
Computer Science and Engineering, 2008. (In Chinese)
[7] Mingyu Fan, Guangwei Wang, “Security Protocol’s Theorem and Technique”, Beijing, The Tsinghua
University Press, 2009. (In Chinese)
上海交通大学 SJTU
17