Results 1-10 of 31
The finite variant property: How to get rid of some algebraic properties
In Proceedings of RTA’05, LNCS 3467, 2005
Cited by 39 (9 self)
Abstract. We consider the following problem: given a term $t$, a rewrite system $R$, and a finite set of equations $E'$ such that $R$ is $E'$-convergent, compute finitely many instances $t_1, \ldots, t_n$ of $t$ such that, for every substitution $\sigma$, there is an index $i$ and a substitution $\theta$ such that $t\sigma{\downarrow} =_{E'} t_i\theta$ (where $t\sigma{\downarrow}$ is the normal form of $t\sigma$ w.r.t. $\to_{E' \backslash R}$). The goal of this paper is to give equivalent (resp. sufficient) conditions for the finite variant property and to systematically investigate this property for equational theories which are relevant to security protocol verification. For instance, we prove that the finite variant property holds for Abelian groups and for a theory of modular exponentiation, and does not hold for the theory ACUNh (Associativity, Commutativity, Unit, Nilpotence, homomorphism).
Abstraction and Resolution Modulo AC: How to Verify Diffie-Hellman-like Protocols Automatically
2004
Cited by 22 (4 self)
We show how cryptographic protocols using Diffie-Hellman primitives, i.e., modular exponentiation on a fixed generator, can be encoded in Horn clauses modulo associativity and commutativity. In order to obtain a sufficient criterion of security, we design a complete (but not sound in general) resolution procedure for a class of flattened clauses modulo simple equational theories, including associativity-commutativity. We report on a practical implementation of this algorithm in the MOP modular platform for automated proving; in particular, we obtain the first fully automated proof of security of the IKA.1 initial key agreement protocol in the so-called pure eavesdropper model.
Safely composing security protocols
2008
Cited by 21 (5 self)
Security protocols are small programs that are executed in hostile environments. Many results and tools have been developed to formally analyze the security of a protocol in the presence of an active attacker that may block, intercept and send new messages. However, even when a protocol has been proved secure, there is absolutely no guarantee if the protocol is executed in an environment where other protocols are executed, possibly sharing some common identities and keys such as public keys or long-term symmetric keys. In this paper, we show that security of protocols can be easily composed. More precisely, we show that whenever a protocol is secure, it remains secure even in an environment where arbitrary protocols satisfying a reasonable (syntactic) condition are executed. This result holds for a large class of security properties that encompasses secrecy and various formulations of authentication.
Automatic analysis of the security of XOR-based key management schemes
In Proceedings of the 13th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS’07), LNCS, 2007
Cited by 16 (12 self)
Abstract. We describe a new algorithm for analysing security protocols that use XOR, such as key-management APIs. As a case study, we consider the IBM 4758 CCA API, which is widely used in the ATM (cash machine) network. Earlier versions of the CCA API were shown to have serious flaws, and the fixes introduced by IBM in version 2.41 had not previously been formally analysed. We first investigate IBM’s proposals using a model checker for security protocol analysis, uncovering some important issues about their implementation. Having identified configurations we believed to be safe, we describe the formal verification of their security. We first define a new class of protocols, containing in particular all the versions of the CCA API. We then show that secrecy after an unbounded number of sessions is decidable for this class. Implementing the decision procedure requires some improvements, since the procedure is exponential. We describe a change of representation that leads to an implementation able to verify a configuration of the API in a few seconds. As a consequence, we obtain the first security proof of the fixed IBM 4758 CCA API with unbounded sessions.
Using unification for opacity properties
In Proceedings of the Workshop on Issues in the Theory of Security (WITS’04), 2004
YAPA: A generic tool for computing intruder knowledge
2009
Cited by 13 (4 self)
Reasoning about the knowledge of an attacker is a necessary step in many formal analyses of security protocols. In the framework of the applied pi calculus, as in similar languages based on equational logics, knowledge is typically expressed by two relations: deducibility and static equivalence. Several decision procedures have been proposed for these relations under a variety of equational theories. However, each theory has its particular algorithm, and none has been implemented so far. We provide a generic procedure for deducibility and static equivalence that takes as input any convergent rewrite system. We show that our algorithm covers all the existing decision procedures for convergent theories. We also provide an efficient implementation, and compare it briefly with the more general tool ProVerif.
Relating two standard notions of secrecy
2006
Cited by 11 (0 self)
Two styles of definitions are usually considered to express that a security protocol preserves the confidentiality of a datum s. Reachability-based secrecy means that s should never be disclosed, while equivalence-based secrecy states that two executions of a protocol with distinct instances for s should be indistinguishable to an attacker. Although the second formulation ensures a higher level of security and is closer to cryptographic notions of secrecy, decidability results and automatic tools have mainly focused on the first definition so far. This paper initiates a systematic investigation of situations where syntactic secrecy entails strong secrecy. We show that in the passive case, reachability-based secrecy actually implies equivalence-based secrecy for signatures, symmetric and asymmetric encryption, provided that the primitives are probabilistic. For active adversaries in the case of symmetric encryption, we provide sufficient (and rather tight) conditions on the protocol for this implication to hold.
Deciding key cycles for security protocols
In Proc. 13th Inter. Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR’06), volume 4246 of LNCS, 2006
Cited by 9 (3 self)
Abstract. Many recent results are concerned with interpreting proofs of security done in symbolic models in the more detailed models of computational cryptography. In the case of symmetric encryption, these results stringently demand that no key cycle (e.g. {k}k) can be produced during the execution of protocols. While security properties like secrecy or authentication have been proved decidable for many interesting classes of protocols, the automatic detection of key cycles has not been studied so far. In this paper, we prove that deciding the existence of key cycles is NP-complete for a bounded number of sessions. Next, we observe that the techniques that we use are of more general interest and apply them to reprove the decidability of a significant existing fragment of protocols with timestamps.
Deciding security properties of cryptographic protocols. Application to key cycles
Transactions on Computational Logic, 2009
Cited by 9 (7 self)
Abstract. There has been a growing interest in applying formal methods for validating cryptographic protocols, and many results have been obtained. In this paper, we reinvestigate and extend the NP-complete decision procedure for a bounded number of sessions [33]. In this setting, constraint systems are now a standard for modeling security protocols. We provide a generic approach to decide general security properties by showing that any constraint system can be transformed into (possibly several) much simpler constraint systems that are called solved forms. As a consequence, we prove that deciding the existence of key cycles is NP-complete for a bounded number of sessions. Indeed, many recent results are concerned with interpreting proofs of security done in symbolic models in the more detailed models of computational cryptography. In the case of symmetric encryption, these results stringently demand that no key cycle (e.g. {k}k) can be produced during the execution of protocols. We show that our decision procedure can also be applied to reprove decidability of authentication-like properties and decidability of a significant existing fragment of protocols with timestamps.