Symbolic protocol analysis for monoidal equational theories

Authors:
Stéphanie Delaune;Pascal Lafourcade;Denis Lugiez;Ralf Treinen
Affiliations:
LSV, CNRS UMR 8643, ENS de Cachan & INRIA Futurs, France;Information Security Group, Department of Computer Science, ETH Zürich, Switzerland;LIF, Aix-Marseille Universitì & CNRS UMR 6166, France;LSV, CNRS UMR 8643, ENS de Cachan & INRIA Futurs, France
Venue:
Information and Computation
Year:
2008

Citing 33
Cited 10

Theory of linear and integer programming

Theory of linear and integer programming
Unification in monoidal theories

CADE-10 Proceedings of the tenth international conference on Automated deduction
Rewrite systems

Handbook of theoretical computer science (vol. B)
Automatic recognition of tractability in inference relations

Journal of the ACM (JACM)
Universal algebra

Handbook of logic in computer science (vol. 1)
Unification in commutative theories, Hilbert's basis theorem, and Gröbner bases

Journal of the ACM (JACM)
Cryptanalysis and protocol failures

Communications of the ACM
Unification in the union of disjoint equational theories: combining decision procedures

Journal of Symbolic Computation
An attack on a recursive authentication protocol. A cautionary tale

Information Processing Letters
An Efficient Unification Algorithm

ACM Transactions on Programming Languages and Systems (TOPLAS)
Using encryption for authentication in large networks of computers

Communications of the ACM
Constraint solving for bounded-process cryptographic protocol analysis

CCS '01 Proceedings of the 8th ACM conference on Computer and Communications Security
On the symbolic reduction of processes with cryptographic functions

Theoretical Computer Science
Protocol insecurity with a finite number of sessions and composed keys is NP-complete

Theoretical Computer Science
Solving linear equations over polynomial semirings

LICS '96 Proceedings of the 11th Annual IEEE Symposium on Logic in Computer Science
Intruder Deductions, Constraint Solving and Insecurity Decision in Presence of Exclusive or

LICS '03 Proceedings of the 18th Annual IEEE Symposium on Logic in Computer Science
An NP Decision Procedure for Protocol Insecurity with XOR

LICS '03 Proceedings of the 18th Annual IEEE Symposium on Logic in Computer Science
An Efficient Cryptographic Protocol Verifier Based on Prolog Rules

CSFW '01 Proceedings of the 14th IEEE workshop on Computer Security Foundations
Multiset rewriting and the complexity of bounded security protocols

Journal of Computer Security
A decision procedure for the verification of security protocols with explicit destructors

Proceedings of the 11th ACM conference on Computer and communications security
Deciding security of protocols against off-line guessing attacks

Proceedings of the 12th ACM conference on Computer and communications security
Easy intruder deduction problems with homomorphisms

Information Processing Letters
Symbolic protocol analysis with an Abelian group operator or Diffie-Hellman exponentiation

Journal of Computer Security
Note: An undecidability result for AGh

Theoretical Computer Science
A survey of algebraic properties used in cryptographic protocols

Journal of Computer Security
Hierarchical combination of intruder theories

Information and Computation
On the security of public key protocols

SFCS '81 Proceedings of the 22nd Annual Symposium on Foundations of Computer Science
Associative-commutative deducibility constraints

STACS'07 Proceedings of the 24th annual conference on Theoretical aspects of computer science
Handling exp, χ (and timestamps) in protocol analysis

FOSSACS'06 Proceedings of the 9th European joint conference on Foundations of Software Science and Computation Structures
Symbolic protocol analysis in presence of a homomorphism operator and exclusive or

ICALP'06 Proceedings of the 33rd international conference on Automata, Languages and Programming - Volume Part II
Algebraic intruder deductions

LPAR'05 Proceedings of the 12th international conference on Logic for Programming, Artificial Intelligence, and Reasoning
Combining intruder theories

ICALP'05 Proceedings of the 32nd international conference on Automata, Languages and Programming
The finite variant property: how to get rid of some algebraic properties

RTA'05 Proceedings of the 16th international conference on Term Rewriting and Applications

Challenges in the Automated Verification of Security Protocols

IJCAR '08 Proceedings of the 4th international joint conference on Automated Reasoning
A Proof Theoretic Analysis of Intruder Theories

RTA '09 Proceedings of the 20th International Conference on Rewriting Techniques and Applications
Protocol Security and Algebraic Properties: Decision Results for a Bounded Number of Sessions

RTA '09 Proceedings of the 20th International Conference on Rewriting Techniques and Applications
Cap unification: application to protocol security modulo homomorphic encryption

ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Deciding knowledge in security protocols for monoidal equational theories

LPAR'07 Proceedings of the 14th international conference on Logic for programming, artificial intelligence and reasoning
Efficient decision procedures for message deducibility and static equivalence

FAST'10 Proceedings of the 7th International conference on Formal aspects of security and trust
Deducibility constraints

ASIAN'09 Proceedings of the 13th Asian conference on Advances in Computer Science: information Security and Privacy
Decidability and Combination Results for Two Notions of Knowledge in Security Protocols

Journal of Automated Reasoning
Security protocols, constraint systems, and group theories

IJCAR'12 Proceedings of the 6th international joint conference on Automated Reasoning
Lazy mobile intruders

POST'13 Proceedings of the Second international conference on Principles of Security and Trust

Quantified Score

Hi-index	0.02

Visualization

Abstract

We are interested in the design of automated procedures for analyzing the (in)security of cryptographic protocols in the Dolev-Yao model for a bounded number of sessions when we take into account some algebraic properties satisfied by the operators involved in the protocol. This leads to a more realistic model in comparison to what we get under the perfect cryptography assumption, but it implies that protocol analysis deals with terms modulo some equational theory instead of terms in a free algebra. The main goal of this paper is to setup a general approach that works for a whole class of monoidal theories which contains many of the specific cases that have been considered so far in an ad-hoc way (e.g. exclusive or, Abelian groups, exclusive or in combination with the homomorphism axiom). We follow a classical schema for cryptographic protocol analysis which proves first a locality result and then reduces the insecurity problem to a symbolic constraint solving problem. This approach strongly relies on the correspondence between a monoidal theory E and a semiring S"E which we use to deal with the symbolic constraints. We show that the well-defined symbolic constraints that are generated by reasonable protocols can be solved provided that unification in the monoidal theory satisfies some additional properties. The resolution process boils down to solving particular quadratic Diophantine equations that are reduced to linear Diophantine equations, thanks to linear algebra results and the well-definedness of the problem. Examples of theories that do not satisfy our additional properties appear to be undecidable, which suggests that our characterization is reasonably tight.