There are at least a few hundred published protocols that fall into the
category of authentication and key establishment. Under a naive
definition of authentication and key establishment, the existence of so
many protocols is quite fascinating, and somewhat stunning, for a newcomer
to the field of communication security. One potent argument often
presented is that we keep designing new protocols because of the demands
of new types of applications and because of the discovery of flaws in
existing protocols. While designing new protocols for new types of
applications, such as RFID, is certainly an important driving factor,
most of the published protocols are in fact the result of the discovery
of flaws in their predecessors.
As our understanding of cryptography and protocol analysis matures, our
ability to discover new flaws in protocols also increases. We now have a
better understanding of the actual operational environment. In the past,
this has often led to an increase in the power of the attacker model; for
instance, nowadays we also consider privacy concerns and side-channel
leakage besides the classic Dolev-Yao attacker.
A protocol is labeled insecure once an effective attack or flaw is found
in it. In fact, most published protocols are considered insecure from
this point of view. In practice, however, this approach has a side
effect: we rarely bother to explore how insecure the protocol actually
is. This question asks us to explore the area between security and
insecurity; after all, neither is a flawed protocol always completely
insecure, nor do all applications require security against an
all-powerful attacker.
The current approach towards security analysis, which we call strict
security, considers a protocol together with a powerful attacker, such as
the Dolev-Yao attacker, sometimes with additional capabilities such as
dynamic corruption of communicating nodes. One then tries to show that
the protocol achieves its objective under this specific attacker.
Naturally, there are three possibilities: one may succeed in constructing
a security proof; one may fail to prove security, which often makes the
protocol suspicious; or one may discover a concrete attack, which
definitely makes the protocol insecure under such a strict definition of the
There is, however, an alternative: adaptable security, which we propose
as a more general approach to the security problem. This approach
considers correct protocols, i.e., protocols that achieve their objectives
when there is no effective attacker. All correct protocols are assumed to
be secure, and the challenge we pose for a security analyst is to derive
the least strongest attacker (LSA) model for which this so-called a priori
assumption about security holds. In this way, the security definition of
a protocol can be adapted to a suitable choice of LSA.
Another aspect of the proposed approach is the flexible treatment of
security goals: we decompose high-level security goals into many
fine-level goals, and a protocol may achieve only a subset of all
fine-level goals. We believe that these flexible choices of attackers and
security goals are more practical in many real-world scenarios. An
application may require protection against a weaker attacker and may
need to achieve fewer