Results 1  10
of
14
The finite variant property: How to get rid of some algebraic properties
 In Proceedings of RTA’05, LNCS 3467
, 2005
"... Abstract. We consider the following problem: Given a term t, a rewrite system R, a finite set of equations E ′ such that R is E ′convergent, compute finitely many instances of t: t1,..., tn such that, for every substitution σ, there is an index i and a substitution θ such that tσ ↓ =E ′ tiθ (wher ..."
Abstract

Cited by 39 (9 self)
 Add to MetaCart
Abstract. We consider the following problem: Given a term t, a rewrite system R, a finite set of equations E ′ such that R is E ′convergent, compute finitely many instances of t: t1,..., tn such that, for every substitution σ, there is an index i and a substitution θ such that tσ ↓ =E ′ tiθ (where tσ ↓ is the normal form of tσ w.r.t. →E ′ \R). The goal of this paper is to give equivalent (resp. sufficient) conditions for the finite variant property and to systematically investigate this property for equational theories, which are relevant to security protocols verification. For instance, we prove that the finite variant property holds for Abelian Groups, and a theory of modular exponentiation and does not hold for the theory ACUNh (Associativity, Commutativity, Unit, Nilpotence, homomorphism).
Symbolic protocol analysis with products and DiffieHellman exponentiation
, 2003
"... We demonstrate that for any welldefined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully aut ..."
Abstract

Cited by 36 (0 self)
 Add to MetaCart
We demonstrate that for any welldefined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully automated formal analysis of protocols that employ primitives such as DiffieHellman exponentiation, multiplication, andxor, with a bounded number of role instances, but without imposing any bounds on the size of terms created by the attacker. 1
Abstraction and Resolution Modulo AC: How to Verify DiffieHellmanlike Protocols Automatically
, 2004
"... We show how cryptographic protocols using DiffieHellman primitives, i.e., modular exponentiation on a fixed generator, can be encoded in Horn clauses modulo associativity and commutativity. In order to obtain a sufficient criterion of security, we design a complete (but not sound in general) resolu ..."
Abstract

Cited by 22 (4 self)
 Add to MetaCart
We show how cryptographic protocols using DiffieHellman primitives, i.e., modular exponentiation on a fixed generator, can be encoded in Horn clauses modulo associativity and commutativity. In order to obtain a sufficient criterion of security, we design a complete (but not sound in general) resolution procedure for a class of flattened clauses modulo simple equational theories, including associativitycommutativity. We report on a practical implementation of this algorithm in the MOP modular platform for automated proving; in particular, we obtain the first fully automated proof of security of the IKA.1 initial key agreement protocol in the socalled pure eavesdropper model.
Limits of the Cryptographic Realization of DolevYaostyle XOR
 Computer Security, Proceedings of ESORICS 2005, number 3679 in Lecture Notes in Computer Science
, 2005
"... The abstraction of cryptographic operations by term algebras, called DolevYao models, is essential in almost all toolsupported methods for proving security protocols. Recently significant progress was made in proving that such abstractions can be sound with respect to actual cryptographic reali ..."
Abstract

Cited by 16 (5 self)
 Add to MetaCart
The abstraction of cryptographic operations by term algebras, called DolevYao models, is essential in almost all toolsupported methods for proving security protocols. Recently significant progress was made in proving that such abstractions can be sound with respect to actual cryptographic realizations and security definitions. The strongest results show this in the sense of reactive simulatability/UC, a notion that essentially means retention of arbitrary security properties under arbitrary active attacks and in arbitrary protocol environments, with only small changes to both abstractions and natural implementations.
Hierarchical combination of intruder theories
 In Proc. 17th International Conference on Term Rewriting and Applications, (RTA’06), volume 4098 of LNCS
, 2006
"... Abstract. Recently automated deduction tools have proved to be very effective for detecting attacks on cryptographic protocols. These analysis can be improved, for finding more subtle weaknesses, by a more accurate modelling of operators employed by protocols. Several works have shown how to handle ..."
Abstract

Cited by 15 (0 self)
 Add to MetaCart
Abstract. Recently automated deduction tools have proved to be very effective for detecting attacks on cryptographic protocols. These analysis can be improved, for finding more subtle weaknesses, by a more accurate modelling of operators employed by protocols. Several works have shown how to handle a single algebraic operator (associated with a fixed intruder theory) or how to combine several operators satisfying disjoint theories. However several interesting equational theories, such as exponentiation with an abelian group law for exponents remain out of the scope of these techniques. This has motivated us to introduce a new notion of hierarchical combination for intruder theories and to show decidability results for the deduction problem in these theories. Under a simple hypothesis, we were able to simplify this deduction problem. This simplification is then applied to prove the decidability of constraint systems w.r.t. an intruder relying on exponentiation theory. 1
Algebraic intruder deductions
 In Proceedings of LPAR’05, LNAI 3835
, 2005
"... Abstract. Many security protocols fundamentally depend on the algebraic properties of cryptographic operators. It is however difficult to handle these properties when formally analyzing protocols, since basic problems like the equality of terms that represent cryptographic messages are undecidable, ..."
Abstract

Cited by 14 (4 self)
 Add to MetaCart
Abstract. Many security protocols fundamentally depend on the algebraic properties of cryptographic operators. It is however difficult to handle these properties when formally analyzing protocols, since basic problems like the equality of terms that represent cryptographic messages are undecidable, even for relatively simple algebraic theories. We present a framework for security protocol analysis that can handle algebraic properties of cryptographic operators in a uniform and modular way. Our framework is based on two ideas: the use of modular rewriting to formalize a generalized equational deduction problem for the DolevYao intruder, and the introduction of two parameters that control the complexity of the equational unification problems that arise during protocol analysis by bounding the depth of message terms and the operations that the intruder can perform when analyzing messages. We motivate the different restrictions made in our model by highlighting different ways in which undecidability arises when incorporating algebraic properties of cryptographic operators into formal protocol analysis. 1
Symbolic protocol analysis with an abelian group operator or DiffieHellman exponentiation
 Journal of Computer Security
, 2005
"... We demonstrate that for any welldefined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully aut ..."
Abstract

Cited by 14 (1 self)
 Add to MetaCart
We demonstrate that for any welldefined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully automated formal analysis of protocols that employ primitives such as DiffieHellman exponentiation, multiplication, and xor, with a bounded number of role instances, but without imposing any bounds on the size of terms created by the attacker. 1
Symbolic Analysis of CryptoProtocols based on Modular Exponentiation
 In Proc. of MFCS ’03, LNCS 2747
, 2003
"... Abstract. Automatic methods developed so far for analysis of security protocols only model a limited set of cryptographic primitives (often, only encryption and concatenation) and abstract from lowlevel features of cryptographic algorithms. This paper is an attempt towards closing this gap. We prop ..."
Abstract

Cited by 8 (2 self)
 Add to MetaCart
Abstract. Automatic methods developed so far for analysis of security protocols only model a limited set of cryptographic primitives (often, only encryption and concatenation) and abstract from lowlevel features of cryptographic algorithms. This paper is an attempt towards closing this gap. We propose a symbolic technique and a decision method for analysis of protocols based on modular exponentiation, such as DiffieHellman key exchange. We introduce a protocol description language along with its semantics. Then, we propose a notion of symbolic execution and, based on it, a verification method. We prove that the method is sound and complete with respect to the language semantics. 1
On the Symbolic Analysis of LowLevel Cryptographic Primitives: Modular Exponentiation and the DiffieHellman Protocol
 In Proc. of FCS 2003
, 2003
"... Automatic methods developed so far for analysis of security protocols only model a limited set of cryptographic primitives (often, only encryption and concatenation) and abstract from lowlevel features of cryptographic algorithms. This paper is an attempt towards closing this gap. We propose a symb ..."
Abstract

Cited by 7 (1 self)
 Add to MetaCart
Automatic methods developed so far for analysis of security protocols only model a limited set of cryptographic primitives (often, only encryption and concatenation) and abstract from lowlevel features of cryptographic algorithms. This paper is an attempt towards closing this gap. We propose a symbolic technique and a decision method for analysis of protocols based on modular exponentiation, such as DiffieHellman key exchange. We introduce a protocol description language along with its semantics. Then, we propose a notion of symbolic execution and, based on it, a verification method. We prove that the method is sound and complete with respect to the language semantics. 1
Equational cryptographic reasoning in the MaudeNRL Protocol Analyzer
 In Proc. of the First International Workshop on Security and Rewriting Techniques (SecReT 2006), Electronic Notes in Theoretical Computer Science. Elsevier Sciences Publisher
, 2006
"... Abstract. The MaudeNRL Protocol Analyzer (MaudeNPA) is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It both extends and provides a formal framework for the original NRL Protocol Analyzer, ..."
Abstract

Cited by 4 (2 self)
 Add to MetaCart
Abstract. The MaudeNRL Protocol Analyzer (MaudeNPA) is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It both extends and provides a formal framework for the original NRL Protocol Analyzer, which limited itself to an equational theory ∆ of convergent rewrite rules. In this paper we extend our framework to include theories of the form ∆ ⊎ B, where B is the theory of associativity and commutativity and ∆ is convergent modulo B. Ordersorted Bunification plays a crucial role; to obtain this functionality we describe a sort propagation algorithm that filters out unsorted Bunifiers provided by the CiME unification tool. We show how extensions of some of the state reduction techniques of the original NRL Protocol Analyzer can be applied in this context. We illustrate the ideas and capabilities of the MaudeNPA with an example involving the DiffieHellman key agreement protocol. 1