| The protection of message integrity is a fundamental requirement of communication security. It represents the ability to detect modified or spurious messages, and is an equally important concern for both confidential and non-confidential messages. Both national and international security standards require integrity assurance in distributed systems, creating a need for designing and analyzing the integrity of messages in a wide variety of protocols. To date, general methods for the analysis and design of message integrity in cryptographic protocols have not been available.; In this dissertation, an operational model for integrity analysis is presented. The model defines the protocol operations of both legitimate principals and attackers, and a message-integrity condition that must be satisfied in every state of a protocol run. A message splicing/decomposition invariant is defined for the Cipher Block Chaining mode of encryption, which can be used by attackers to modify protocol messages in an unauthorized manner. The operational model is used to analyze several well-known cryptographic protocols and to discover heretofore unknown vulnerabilities.; A general method of protocol design for integrity protection is also presented. The method is derived from a formal model which includes sufficiency conditions for message integrity. The formal model expresses precisely the requirements of message-integrity protection, and illustrates how unique protection policies can be attained for each message type. The method is used to design a large class of message types and protocols whose integrity is provably preserved, and to eliminate the aforementioned protocol vulnerabilities. |
