Results 1  10
of
20
A survey of algebraic properties used in cryptographic protocols
 JOURNAL OF COMPUTER SECURITY
"... Cryptographic protocols are successfully analyzed using formal methods. However, formal approaches usually consider the encryption schemes as black boxes and assume that an adversary cannot learn anything from an encrypted message except if he has the key. Such an assumption is too strong in general ..."
Abstract

Cited by 65 (20 self)
 Add to MetaCart
(Show Context)
Cryptographic protocols are successfully analyzed using formal methods. However, formal approaches usually consider the encryption schemes as black boxes and assume that an adversary cannot learn anything from an encrypted message except if he has the key. Such an assumption is too strong in general since some attacks exploit in a clever way the interaction between protocol rules and properties of cryptographic operators. Moreover, the executability of some protocols relies explicitly on some algebraic properties of cryptographic primitives such as commutative encryption. We give a list of some relevant algebraic properties of cryptographic operators, and for each of them, we provide examples of protocols or attacks using these properties. We also give an overview of the existing methods in formal approaches for analyzing cryptographic proto
The finite variant property: How to get rid of some algebraic properties
 In Proceedings of RTA’05, LNCS 3467
, 2005
"... Abstract. We consider the following problem: Given a term t, a rewrite system R, a finite set of equations E ′ such that R is E ′convergent, compute finitely many instances of t: t1,..., tn such that, for every substitution σ, there is an index i and a substitution θ such that tσ ↓ =E ′ tiθ (wher ..."
Abstract

Cited by 45 (8 self)
 Add to MetaCart
(Show Context)
Abstract. We consider the following problem: Given a term t, a rewrite system R, a finite set of equations E ′ such that R is E ′convergent, compute finitely many instances of t: t1,..., tn such that, for every substitution σ, there is an index i and a substitution θ such that tσ ↓ =E ′ tiθ (where tσ ↓ is the normal form of tσ w.r.t. →E ′ \R). The goal of this paper is to give equivalent (resp. sufficient) conditions for the finite variant property and to systematically investigate this property for equational theories, which are relevant to security protocols verification. For instance, we prove that the finite variant property holds for Abelian Groups, and a theory of modular exponentiation and does not hold for the theory ACUNh (Associativity, Commutativity, Unit, Nilpotence, homomorphism).
Symbolic protocol analysis with products and DiffieHellman exponentiation
, 2003
"... We demonstrate that for any welldefined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully aut ..."
Abstract

Cited by 39 (0 self)
 Add to MetaCart
We demonstrate that for any welldefined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully automated formal analysis of protocols that employ primitives such as DiffieHellman exponentiation, multiplication, andxor, with a bounded number of role instances, but without imposing any bounds on the size of terms created by the attacker. 1
Abstraction and Resolution Modulo AC: How to Verify DiffieHellmanlike Protocols Automatically
, 2003
"... We show how cryptographic protocols using DiffieHellman primitives, i.e., modular exponentiation on a fixed generator, can be encoded in Horn clauses modulo associativity and commutativity. In order to obtain a sufficient criterion of security, we design a complete (but not sound in general) resolu ..."
Abstract

Cited by 26 (5 self)
 Add to MetaCart
We show how cryptographic protocols using DiffieHellman primitives, i.e., modular exponentiation on a fixed generator, can be encoded in Horn clauses modulo associativity and commutativity. In order to obtain a sufficient criterion of security, we design a complete (but not sound in general) resolution procedure for a class of flattened clauses modulo simple equational theories, including associativitycommutativity. We report on a practical implementation of this algorithm in the MOP modular platform for automated proving; in particular, we obtain the first fully automated proof of security of the IKA.1 initial key agreement protocol in the socalled pure eavesdropper model.
Algebraic intruder deductions
 In Proceedings of LPAR’05, LNAI 3835
, 2005
"... Abstract. Many security protocols fundamentally depend on the algebraic properties of cryptographic operators. It is however difficult to handle these properties when formally analyzing protocols, since basic problems like the equality of terms that represent cryptographic messages are undecidable, ..."
Abstract

Cited by 24 (4 self)
 Add to MetaCart
(Show Context)
Abstract. Many security protocols fundamentally depend on the algebraic properties of cryptographic operators. It is however difficult to handle these properties when formally analyzing protocols, since basic problems like the equality of terms that represent cryptographic messages are undecidable, even for relatively simple algebraic theories. We present a framework for security protocol analysis that can handle algebraic properties of cryptographic operators in a uniform and modular way. Our framework is based on two ideas: the use of modular rewriting to formalize a generalized equational deduction problem for the DolevYao intruder, and the introduction of two parameters that control the complexity of the equational unification problems that arise during protocol analysis by bounding the depth of message terms and the operations that the intruder can perform when analyzing messages. We motivate the different restrictions made in our model by highlighting different ways in which undecidability arises when incorporating algebraic properties of cryptographic operators into formal protocol analysis. 1
Automated Analysis of DiffieHellman Protocols and Advanced Security Properties (Extended Version),” April 2012, available http: //www.infsec.ethz.ch/research/software#TAMARIN
"... Abstract—We present a general approach for the symbolic analysis of security protocols that use DiffieHellman exponentiation to achieve advanced security properties. We model protocols as multiset rewriting systems and security properties as firstorder formulas. We analyze them using a novel const ..."
Abstract

Cited by 20 (9 self)
 Add to MetaCart
(Show Context)
Abstract—We present a general approach for the symbolic analysis of security protocols that use DiffieHellman exponentiation to achieve advanced security properties. We model protocols as multiset rewriting systems and security properties as firstorder formulas. We analyze them using a novel constraintsolving algorithm that supports both falsification and verification, even in the presence of an unbounded number of protocol sessions. The algorithm exploits the finite variant property and builds on ideas from strand spaces and proof normal forms. We demonstrate the scope and the effectiveness of our algorithm on nontrivial case studies. For example, the algorithm successfully verifies the NAXOS protocol with respect to a symbolic version of the eCK security model. I.
Hierarchical combination of intruder theories
 In Proc. 17th International Conference on Term Rewriting and Applications, (RTA’06), volume 4098 of LNCS
, 2006
"... Abstract. Recently automated deduction tools have proved to be very effective for detecting attacks on cryptographic protocols. These analysis can be improved, for finding more subtle weaknesses, by a more accurate modelling of operators employed by protocols. Several works have shown how to handle ..."
Abstract

Cited by 18 (1 self)
 Add to MetaCart
(Show Context)
Abstract. Recently automated deduction tools have proved to be very effective for detecting attacks on cryptographic protocols. These analysis can be improved, for finding more subtle weaknesses, by a more accurate modelling of operators employed by protocols. Several works have shown how to handle a single algebraic operator (associated with a fixed intruder theory) or how to combine several operators satisfying disjoint theories. However several interesting equational theories, such as exponentiation with an abelian group law for exponents remain out of the scope of these techniques. This has motivated us to introduce a new notion of hierarchical combination for intruder theories and to show decidability results for the deduction problem in these theories. Under a simple hypothesis, we were able to simplify this deduction problem. This simplification is then applied to prove the decidability of constraint systems w.r.t. an intruder relying on exponentiation theory. 1
Symbolic Protocol Analysis for Monoidal Equational Theories
, 2006
"... We consider the design of automated procedures for analyzing the (in)security of cryptographic protocols in the DolevYao model for a bounded number of sessions when we take into account some algebraic properties satisfied by the operators involved in the protocol. This leads to a more realistic mod ..."
Abstract

Cited by 18 (7 self)
 Add to MetaCart
We consider the design of automated procedures for analyzing the (in)security of cryptographic protocols in the DolevYao model for a bounded number of sessions when we take into account some algebraic properties satisfied by the operators involved in the protocol. This leads to a more realistic model than what we get under the perfect cryptography assumption, but it implies that protocol analysis deals with terms modulo some equational theory instead of terms in a free algebra. The main goal of this paper is to set up a general approach that works for a whole class of monoidal theories which contains many of the specific cases that have been considered so far in an adhoc way (e.g. exclusive or, Abelian groups, exclusive or in combination with the homomorphism axiom). We follow a classical schema for cryptographic protocol analysis which proves first a locality result and then reduces the insecurity problem to a symbolic constraint solving problem. This approach strongly relies on the correspondence between a monoidal theory E and a semiring SE which we use to deal with the symbolic constraints. We show that the welldefined symbolic constraints that are generated by reasonable protocols
Limits of the Cryptographic Realization of DolevYaostyle XOR
 Computer Security, Proceedings of ESORICS 2005, number 3679 in Lecture Notes in Computer Science
, 2005
"... The abstraction of cryptographic operations by term algebras, called DolevYao models, is essential in almost all toolsupported methods for proving security protocols. Recently significant progress was made in proving that such abstractions can be sound with respect to actual cryptographic reali ..."
Abstract

Cited by 17 (5 self)
 Add to MetaCart
(Show Context)
The abstraction of cryptographic operations by term algebras, called DolevYao models, is essential in almost all toolsupported methods for proving security protocols. Recently significant progress was made in proving that such abstractions can be sound with respect to actual cryptographic realizations and security definitions. The strongest results show this in the sense of reactive simulatability/UC, a notion that essentially means retention of arbitrary security properties under arbitrary active attacks and in arbitrary protocol environments, with only small changes to both abstractions and natural implementations.
Symbolic protocol analysis with an abelian group operator or DiffieHellman exponentiation
 Journal of Computer Security
, 2005
"... We demonstrate that for any welldefined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully aut ..."
Abstract

Cited by 17 (1 self)
 Add to MetaCart
We demonstrate that for any welldefined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully automated formal analysis of protocols that employ primitives such as DiffieHellman exponentiation, multiplication, and xor, with a bounded number of role instances, but without imposing any bounds on the size of terms created by the attacker. 1