Real-or-random Key Secrecy of the Otway-Rees Protocol via a Symbolic Security Proof
Abstract
We present the first cryptographically sound security proof of the well-known Otway-Rees protocol. More precisely, we show that the protocol is secure against arbitrary active attacks including concurrent protocol runs if it is implemented using provably secure cryptographic primitives. We prove secrecy of the exchanged keys with respect to the accepted cryptographic definition of real-or-random secrecy, i.e., indistinguishability of exchanged keys and random ones, given the view of a general cryptographic attacker. Although we achieve security under cryptographic definitions, our proof is performed in a deterministic setting corresponding to a slightly extended Dolev-Yao model; in particular, it does not have to deal with probabilistic aspects of cryptography and is hence in the scope of current proof tools. The reason is that we exploit a recently proposed ideal cryptographic library, which has a provably secure cryptographic implementation, as well as recent results on linking symbolic and cryptographic key secrecy. Besides establishing the cryptographic security of the Otway-Rees protocol, our result also exemplifies the potential of this cryptographic library and the recent secrecy preservation theorem for symbolic yet cryptographically sound proofs of security. © 2006.