An Extensive Formal Analysis of Multi-factor Authentication Protocols

2018 IEEE 31st Computer Security Foundations Symposium (CSF) Pub Date : 2018-04-20 DOI:10.1145/3440712

Charlie Jacomme, S. Kremer

{"title":"An Extensive Formal Analysis of Multi-factor Authentication Protocols","authors":"Charlie Jacomme, S. Kremer","doi":"10.1145/3440712","DOIUrl":null,"url":null,"abstract":"Passwords are still the most widespread means for authenticating users, even though they have been shown to create huge security problems. This motivated the use of additional authentication mechanisms used in so-called multi-factor authentication protocols. In this paper we define a detailed threat model for this kind of protocols: while in classical protocol analysis attackers control the communication network, we take into account that many communications are performed over TLS channels, that computers may be infected by different kinds of malwares, that attackers could perform phishing, and that humans may omit some actions. We formalize this model in the applied pi calculus and perform an extensive analysis and comparison of several widely used protocols — variants of Google 2-step and FIDO’s U2F. The analysis is completely automated, generating systematically all combinations of threat scenarios for each of the protocols and using the P ROVERIF tool for automated protocol analysis. Our analysis highlights weaknesses and strengths of the different protocols, and allows us to suggest several small modifications of the existing protocols which are easy to implement, yet improve their security in several threat scenarios.","PeriodicalId":417032,"journal":{"name":"2018 IEEE 31st Computer Security Foundations Symposium (CSF)","volume":"105 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-04-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"43","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 IEEE 31st Computer Security Foundations Symposium (CSF)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3440712","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 43

Abstract

Passwords are still the most widespread means for authenticating users, even though they have been shown to create huge security problems. This motivated the use of additional authentication mechanisms used in so-called multi-factor authentication protocols. In this paper we define a detailed threat model for this kind of protocols: while in classical protocol analysis attackers control the communication network, we take into account that many communications are performed over TLS channels, that computers may be infected by different kinds of malwares, that attackers could perform phishing, and that humans may omit some actions. We formalize this model in the applied pi calculus and perform an extensive analysis and comparison of several widely used protocols — variants of Google 2-step and FIDO’s U2F. The analysis is completely automated, generating systematically all combinations of threat scenarios for each of the protocols and using the P ROVERIF tool for automated protocol analysis. Our analysis highlights weaknesses and strengths of the different protocols, and allows us to suggest several small modifications of the existing protocols which are easy to implement, yet improve their security in several threat scenarios.

查看原文本刊更多论文

多因素认证协议的广泛形式化分析

密码仍然是最普遍的用户身份验证手段，尽管它们已被证明会产生巨大的安全问题。这促使在所谓的多因素身份验证协议中使用额外的身份验证机制。在本文中，我们定义了这类协议的详细威胁模型:在经典协议分析中，攻击者控制通信网络，我们考虑到许多通信是通过TLS通道执行的，计算机可能被不同类型的恶意软件感染，攻击者可能执行网络钓鱼，以及人类可能忽略某些操作。我们在应用pi演算中形式化了该模型，并对几种广泛使用的协议-谷歌2-step和FIDO的U2F变体-进行了广泛的分析和比较。分析是完全自动化的，系统地生成每个协议的所有威胁场景组合，并使用P ROVERIF工具进行自动协议分析。我们的分析突出了不同协议的弱点和优势，并允许我们对现有协议提出一些小的修改，这些修改易于实现，但在几种威胁场景中提高了它们的安全性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2018 IEEE 31st Computer Security Foundations Symposium (CSF)

自引率

0.00%

发文量