Results 1-10 of 72
An NP Decision Procedure for Protocol Insecurity with XOR
2003
Cited by 89 (21 self)
Abstract: We provide a method for deciding the insecurity of cryptographic protocols in presence of the standard Dolev-Yao intruder (with a finite number of sessions) extended with so-called oracle rules, i.e., deduction rules that satisfy certain conditions. As an instance of this general framework, we obtain that protocol insecurity is in NP for an intruder that can exploit the properties of the XOR operator. This operator is frequently used in cryptographic protocols but cannot be handled in most protocol models. We also apply our framework to an intruder that exploits properties of certain encryption modes such as cipher block chaining (CBC).
Intruder deductions, constraint solving and insecurity decision in presence of exclusive or
2003
Cited by 81 (12 self)
Abstract: We present decidability results for the verification of cryptographic protocols in the presence of equational theories corresponding to xor and Abelian groups. Since the perfect cryptography assumption is unrealistic for cryptographic primitives with visible algebraic properties such as xor, we extend the conventional Dolev-Yao model by permitting the intruder to exploit these properties. We show that the ground reachability problem is in NP for the extended intruder theories in the cases of xor and Abelian groups. This result follows from a normal proof theorem. Then, we show how to lift this result in the xor case: we consider a symbolic constraint system expressing the reachability (e.g., secrecy) problem for a finite number of sessions. We prove that such a constraint system is decidable, relying in particular on an extension of combination algorithms for unification procedures. As a corollary, this enables automatic symbolic verification of cryptographic protocols employing xor for a fixed number of sessions.
Verification of cryptographic protocols: Tagging enforces termination
Theoretical Computer Science, 2003
Cited by 56 (5 self)
Abstract: In experiments with a resolution-based verification method for cryptographic protocols, we could enforce its termination by tagging, a syntactic transformation of messages that leaves attack-free executions invariant. In this paper, we generalize the experimental evidence: we prove that the verification method always terminates for tagged protocols.
On name generation and set-based analysis in the Dolev-Yao model
2002
Cited by 51 (0 self)
Abstract: We study the control reachability problem in the Dolev-Yao model of cryptographic protocols when principals are represented by tail recursive processes with generated names. We propose a conservative approximation of the problem by reduction to a non-standard collapsed operational semantics and we introduce checkable syntactic conditions entailing the equivalence of the standard and the collapsed semantics. Then we introduce a conservative and decidable set-based analysis of the collapsed operational semantics and we characterize a situation where the analysis is exact.
New Decidability Results for Fragments of First-Order Logic and Application to Cryptographic Protocols
2003
Cited by 46 (19 self)
Abstract: We consider a new extension of the Skolem class for first-order logic and prove its decidability by resolution techniques. We then extend this class including the built-in equational theory of exclusive or. Again, we prove the decidability of the class by resolution techniques.
Symbolic protocol analysis with products and Diffie-Hellman exponentiation
2003
Cited by 36 (0 self)
Abstract: We demonstrate that for any well-defined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully automated formal analysis of protocols that employ primitives such as Diffie-Hellman exponentiation, multiplication, and xor, with a bounded number of role instances, but without imposing any bounds on the size of terms created by the attacker.
Security properties: two agents are sufficient
Research Report LSV-02-10, Lab. Specification and Verification, ENS de, 2003
Cited by 32 (4 self)
Abstract: We consider arbitrary cryptographic protocols and security properties. We show that it is always sufficient to consider a bounded number of agents b (actually b = 2 in most of the cases): if there is an attack involving n agents, then there is an attack involving at most b agents.
A framework for the analysis of security protocols
CONCUR: 13th International Conference on Concurrency Theory, LNCS, 2002
Cited by 30 (4 self)
Abstract: Properties of security protocols such as authentication and secrecy are often verified by explicitly generating an operational model of the protocol and then seeking insecure states. However, message exchange between the intruder and the honest participants induces a form of state explosion that makes the model infinite in principle. Building on previous work on symbolic semantics, we propose a general framework for automatic analysis of security protocols that make use of a variety of crypto-functions. We start from a base language akin to the spi-calculus, equipped with a set of generic cryptographic primitives. We propose a symbolic operational semantics that relies on unification and provides finite and effective protocol models. Next, we give a method to carry out trace analysis directly on the symbolic model. Under certain conditions on the given cryptographic primitives, our method is proven complete for the considered class of properties.
Extrapolating Tree Transformations
2002
Cited by 26 (6 self)
Abstract: We consider the framework of regular tree model checking where sets of configurations of a system are represented by regular tree languages and its dynamics is modeled by a term rewriting system (or a regular tree transducer). We focus on the computation of the reachability set R*(L) where R is a regular tree transducer and L is a regular tree language. The construction
Abstraction and Resolution Modulo AC: How to Verify Diffie-Hellman-like Protocols Automatically
2004
Cited by 21 (4 self)
Abstract: We show how cryptographic protocols using Diffie-Hellman primitives, i.e., modular exponentiation on a fixed generator, can be encoded in Horn clauses modulo associativity and commutativity. In order to obtain a sufficient criterion of security, we design a complete (but not sound in general) resolution procedure for a class of flattened clauses modulo simple equational theories, including associativity-commutativity. We report on a practical implementation of this algorithm in the MOP modular platform for automated proving; in particular, we obtain the first fully automated proof of security of the IKA.1 initial key agreement protocol in the so-called pure eavesdropper model.