## Symbolic Analysis of Crypto-Protocols based on Modular Exponentiation (2003)

Venue: In Proc. of MFCS ’03, LNCS 2747

Citations: 8 - 2 self

### BibTeX

@INPROCEEDINGS{Boreale03symbolicanalysis,
    author = {Michele Boreale and Maria Grazia Buscemi},
    title = {Symbolic Analysis of Crypto-Protocols based on Modular Exponentiation},
    booktitle = {In Proc. of MFCS ’03, LNCS 2747},
    year = {2003},
    publisher = {Springer-Verlag}
}

### Abstract

Automatic methods developed so far for analysis of security protocols only model a limited set of cryptographic primitives (often, only encryption and concatenation) and abstract from low-level features of cryptographic algorithms. This paper is an attempt towards closing this gap. We propose a symbolic technique and a decision method for analysis of protocols based on modular exponentiation, such as Diffie-Hellman key exchange. We introduce a protocol description language along with its semantics. Then, we propose a notion of symbolic execution and, based on it, a verification method. We prove that the method is sound and complete with respect to the language semantics.

### Citations

2714 | New directions in cryptography, in
- Diffie, Hellman
Citation Context ...particular, building on the general framework proposed in [5], we devise a complete analysis method for protocols that depend on modular exponentiation operations, like the Diffie-Hellman key-exchange [10]. We expect that our methodology may be adapted to other low-level primitives (like RSA encryption). ⋆ This work has been partially supported by EU within the FET - Global Computing initiative, projec...

1047 | On the security of public-key protocols
- Dolev, Yao
- 1983
Citation Context ... at least when the number of sessions is bounded, they can accomplish a complete exploration of the protocol’s state space: thus they provide proofs or disproofs of correctness - under Dolev-Yao-like [11] assumptions - even though the protocol’s state space is infinite. Second, symbolic methods usually rely on representations of data that help to control very well state-explosion induced by communicat...

613 | Breaking and fixing the Needham-Schroeder public-key protocol using CSP and FDR
- Lowe
- 1996
Citation Context ... to the language semantics. 1 Introduction During the last decade, a lot of research effort has been directed towards automatic analysis of crypto-protocols. Tools based on finite-state methods (e.g. [13]) take advantage of a well established model-checking technology, and are very effective at finding bugs. Infinite-state approaches, based on a variety of symbolic techniques ([2, 3, 8, 14]), have eme...

273 | Mobile values, new names, and secure communication
- Abadi, Fournet
- 2001
Citation Context ...oduce a syntax for expressions (including exp (·, ·) and related operations), along with a notion of evaluation. Based on this, we present a small protocol description language akin to the applied pi [1] and its (concrete) semantics. The latter assumes a Dolev-Yao adversary and is therefore infinitary. In Section 2, we introduce a finitary symbolic semantics, which relies on a form of narrowing strat...

137 | V.: Constraint solving for bounded-process cryptographic protocol analysis
- Millen, Shmatikov
- 2001
Citation Context ...state methods (e.g. [13]) take advantage of a well established model-checking technology, and are very effective at finding bugs. Infinite-state approaches, based on a variety of symbolic techniques ([2, 3, 8, 14]), have emerged over the past few years. Implementations of these techniques (e.g. [4, 16]) are still at an early stage. However, symbolic methods seem to be very promising in two respects. First, at ...

84 | On the reachability problem in cryptographic protocols
- Amadio, Lugiez
Citation Context ...state methods (e.g. [13]) take advantage of a well established model-checking technology, and are very effective at finding bugs. Infinite-state approaches, based on a variety of symbolic techniques ([2, 3, 8, 14]), have emerged over the past few years. Implementations of these techniques (e.g. [4, 16]) are still at an early stage. However, symbolic methods seem to be very promising in two respects. First, at ...

83 | Symbolic trace analysis of cryptographic protocols
- Boreale
Citation Context ...state methods (e.g. [13]) take advantage of a well established model-checking technology, and are very effective at finding bugs. Infinite-state approaches, based on a variety of symbolic techniques ([2, 3, 8, 14]), have emerged over the past few years. Implementations of these techniques (e.g. [4, 16]) are still at an early stage. However, symbolic methods seem to be very promising in two respects. First, at ...

82 | M.: An NP decision procedure for protocol insecurity with XOR. Theoretical Computer Science 338(1–3
- Chevalier, Küsters, et al.
- 2005
Citation Context ...lity, however, remains an open issue. Closely related to our problem is also protocol analysis in the presence of the xor operation, which has been recently proven to be decidable by Chevalier et al. [7] and, independently, by Comon-Lundh and Shmatikov [9]. 2 The model We recall here the concept of frame from [5], and tailor it to the case of modular exponentiation and multiplication. We consider two...

71 | V.: Intruder deductions, constraint solving and insecurity decision in presence of exclusive or
- Comon-Lundh, Shmatikov
- 2003
Citation Context ... to our problem is also protocol analysis in the presence of the xor operation, which has been recently proven to be decidable by Chevalier et al. [7] and, independently, by Comon-Lundh and Shmatikov [9]. 2 The model We recall here the concept of frame from [5], and tailor it to the case of modular exponentiation and multiplication. We consider two countable disjoint sets of names m, n, . . . ∈ N and...

70 | V.: Tree automata with one memory, set constraints and cryptographic protocols
- Comon, Cortier
- 2005

36 | Symbolic protocol analysis with products and Diffie-Hellman exponentiation
- Millen, Shmatikov
- 2003
Citation Context ... research are discussed in Section 5. An extended version of the present paper is available as [6]. Complete proofs will appear in a forthcoming full version. Very recent work by Millen and Shmatikov [15] shows how to reduce the symbolic analysis problem in the presence of modular exponentiation and multiplication plus encryption to the solution of quadratic Diophantine equations; decidability, howeve...

28 | A Framework for the Analysis of Security Protocols
- Boreale, Buscemi
Citation Context ...paper, we take a step towards broadening the scope of symbolic techniques, so as to include a class of low-level cryptographic operations. In particular, building on the general framework proposed in [5], we devise a complete analysis method for protocols that depend on modular exponentiation operations, like the Diffie-Hellman key-exchange [10]. We expect that our methodology may be adapted to other ...

20 | An E-unification algorithm for analyzing protocols that use modular exponentiation,” in Rewriting Techniques and Applications
- Kapur, Narendran, et al.
- 2003
Citation Context ...ake advantage of them. On the other hand, one must be careful in keeping the model effectively analysable. In this respect, recent undecidability results on related problems of equational unification [12] indicate that some degree of abstraction is unavoidable. The limitations of our model are discussed in Section 2. Technically, we simplify the model by avoiding explicit commutativity laws and by kee...

9 | Experimenting with STA, a tool for automatic analysis of security protocols
- Boreale, Buscemi
- 2002
Citation Context ...e very effective at finding bugs. Infinite-state approaches, based on a variety of symbolic techniques ([2, 3, 8, 14]), have emerged over the past few years. Implementations of these techniques (e.g. [4, 16]) are still at an early stage. However, symbolic methods seem to be very promising in two respects. First, at least when the number of sessions is bounded, they can accomplish a complete exploration o...

9 | The TRUST protocol analyser, automatic and efficient verification of cryptographic protocols
- Vanackère
- 2002
Citation Context ...e very effective at finding bugs. Infinite-state approaches, based on a variety of symbolic techniques ([2, 3, 8, 14]), have emerged over the past few years. Implementations of these techniques (e.g. [4, 16]) are still at an early stage. However, symbolic methods seem to be very promising in two respects. First, at least when the number of sessions is bounded, they can accomplish a complete exploration o...

7 | On the symbolic analysis of low-level cryptographic primitives: Modular exponentiation and the Diffie-Hellman protocol
- Boreale, Buscemi
Citation Context ...e ground substitution ρ : v(σ ′ ) → EN , C ↘ σ ′ ρ and σ ′ ρ ⊭ α ←↪ β. The method has been applied to analyse the Diffie-Hellman protocol and it has detected the usual man-in-the-middle attack (see [6]). 5 Conclusions and future work We have presented a model and a method for the analysis of protocols built around shared-key encryption and modular exponentiation. We are confident that our approach ...

1 | Full version: RR 3915, INRIA Sophia Antipolis. 3. M. Boreale. Symbolic Trace Analysis of Cryptographic Protocols - Boreale, Buscemi - 2000