Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties (Extended Version), April 2012, available at http://www.infsec.ethz.ch/research/software#TAMARIN
Cited by 5 (2 self)
Abstract—We present a general approach for the symbolic analysis of security protocols that use Diffie-Hellman exponentiation to achieve advanced security properties. We model protocols as multiset rewriting systems and security properties as first-order formulas. We analyze them using a novel constraint-solving algorithm that supports both falsification and verification, even in the presence of an unbounded number of protocol sessions. The algorithm exploits the finite variant property and builds on ideas from strand spaces and proof normal forms. We demonstrate the scope and the effectiveness of our algorithm on non-trivial case studies. For example, the algorithm successfully verifies the NAXOS protocol with respect to a symbolic version of the eCK security model.
Symbolic Protocol Analysis for Diffie-Hellman
Cited by 1 (1 self)
Abstract. We extend symbolic protocol analysis to apply to protocols using Diffie-Hellman operations. Diffie-Hellman operations act on a cyclic group of prime order, together with an exponentiation operator. The exponents form a finite field. This rich algebraic structure has resisted previous symbolic approaches. We work in an algebra defined by the normal forms of a rewriting theory (modulo associativity and commutativity). These normal forms allow us to define our crucial notion of indicator, a vector of integers that summarizes how many times each secret exponent appears in a message. We prove that the adversary can never construct a message with a new indicator in our adversary model. Using this invariant, we prove the main security goals achieved by several different protocols that use Diffie-Hellman operators in subtle ways. We also give a model-theoretic justification of our rewriting theory: the theory proves all equations that are uniformly true as the order of the cyclic group varies.
Algebraic Intruder Deductions (Extended Version)
Cited by 1 (1 self)
Many security protocols fundamentally depend on the algebraic properties of cryptographic operators. It is however difficult to handle these properties when formally analyzing protocols, since basic problems like the equality of terms that represent cryptographic messages are undecidable, even for relatively simple algebraic theories. We present a framework for security protocol analysis that can handle algebraic properties of cryptographic operators in a uniform and modular way. Our framework is based on two ideas: the use of modular rewriting to formalize a generalized equational deduction problem for the Dolev-Yao intruder, and the introduction of two parameters that control the complexity of the equational unification problems that arise during protocol analysis by bounding the depth of message terms and the operations that the intruder can perform when analyzing messages. We motivate the different restrictions made in our model by highlighting different ways in which undecidability arises when incorporating algebraic properties of cryptographic operators into formal protocol analysis.
An Algebra for Symbolic Diffie-Hellman Protocol Analysis
Abstract. We study the algebra underlying symbolic protocol analysis for protocols using Diffie-Hellman operations. Diffie-Hellman operations act on a cyclic group of prime order, together with an exponentiation operator. The exponents form a finite field: this rich algebraic structure has resisted previous symbolic approaches. We define an algebra that validates precisely the equations that hold almost always as the order of the cyclic group varies. We realize this algebra as the set of normal forms of a particular rewriting theory. The normal forms allow us to define our crucial notion of indicator, a vector of integers that summarizes how many times each secret exponent appears in a message. We prove that the adversary can never construct a message with a new indicator in our adversary model. Using this invariant, we prove the main security goals achieved by UM, a protocol using Diffie-Hellman for implicit authentication. Despite vigorous research in symbolic analysis of security protocols, many
Reduction of the Intruder Deduction Problem into Equational Elementary Deduction for Electronic Purse Protocols with Blind Signatures
Abstract. The intruder deduction problem for an electronic purse protocol with blind signatures is considered. The algebraic properties of the protocol are modeled by an equational theory implemented as a convergent rewriting system which involves rules for addition, multiplication and exponentiation. The whole deductive power of the intruder is modeled as a sequent calculus that, modulo this rewriting system, deals with blind signatures. It is proved that the associative-commutative (AC) equality of the algebraic theory can be decided in polynomial time, provided a strategy to avoid the distributivity law between the AC operators is adopted. Moreover, it is also shown that the intruder deduction problem can be reduced in polynomial time to the elementary deduction problem for this equational theory.
Equational Cryptographic Reasoning in the Maude-NRL Protocol Analyzer, 2006
The NRL Protocol Analyzer (NPA) is a tool for the formal specification and analysis of cryptographic protocols that has been used with great effect on a number of complex real-life protocols. One of the most interesting of its features is that it can be used to reason about security in the face of attempted attacks on low-level algebraic properties of the functions used in a protocol. Recently, we have given for the first time a precise formal specification of the main features of the NPA inference system: its grammar-based techniques for (co)invariant generation and its backwards narrowing reachability analysis method, both implemented in Maude as the Maude-NPA tool. This formal specification is given within the well-known rewriting framework, so that the inference system is specified as a set of rewrite rules modulo an equational theory describing the behavior of the cryptographic symbols involved. This paper gives a high-level overview of the Maude-NPA tool and illustrates how it supports equational reasoning about properties of the underlying cryptographic infrastructure by means of a simple, yet non-trivial, example of an attack whose discovery essentially requires equational reasoning. It also shows how rule-based programming languages such as Maude and complex narrowing strategies are useful to model, analyze, and verify protocols.
Decidability for Lightweight Diffie-Hellman Protocols
Abstract—Many protocols use Diffie-Hellman key agreement, combined with certified long-term values or digital signatures for authentication. These protocols aim at security goals such as key secrecy, forward secrecy, resistance to key compromise attacks, and various flavors of authentication. However, these protocols are challenging to analyze, both in computational and symbolic models. An obstacle in the symbolic model is the undecidability of unification in many theories in the signature of rings. In this paper, we develop an algebraic version of the symbolic approach, working directly within finite fields, the natural structures for the protocols. The adversary, in giving an attack on a protocol goal in a finite field, may rely on any identity in that field. He defeats the protocol if there are attacks in infinitely many finite fields. We prove that, even for this strong adversary, security goals for a wide class of protocols are decidable.