## Equational cryptographic reasoning in the Maude-NRL Protocol Analyzer (2006)

Venue: In Proc. of the First International Workshop on Security and Rewriting Techniques (SecReT 2006), Electronic Notes in Theoretical Computer Science. Elsevier Sciences Publisher

Citations: 5 (3 self-citations)

### BibTeX

```bibtex
@INPROCEEDINGS{Escobar06equationalcryptographic,
  author    = {Santiago Escobar and Joe Hendrix and Catherine Meadows and José Meseguer},
  title     = {Equational cryptographic reasoning in the Maude-NRL Protocol Analyzer},
  booktitle = {In Proc. of the First International Workshop on Security and Rewriting Techniques (SecReT 2006), Electronic Notes in Theoretical Computer Science. Elsevier Sciences Publisher},
  year      = {2006}
}
```

### Abstract

The Maude-NRL Protocol Analyzer (Maude-NPA) is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It both extends and provides a formal framework for the original NRL Protocol Analyzer, which limited itself to an equational theory ∆ of convergent rewrite rules. In this paper we extend our framework to include theories of the form ∆ ⊎ B, where B is the theory of associativity and commutativity and ∆ is convergent modulo B. Order-sorted B-unification plays a crucial role; to obtain this functionality we describe a sort propagation algorithm that filters out unsorted B-unifiers provided by the CiME unification tool. We show how extensions of some of the state reduction techniques of the original NRL Protocol Analyzer can be applied in this context. We illustrate the ideas and capabilities of the Maude-NPA with an example involving the Diffie-Hellman key agreement protocol.

### Citations

1049 | On the Security of Public Key Protocols
- Dolev, Yao
- 1981
Citation Context: ...e following additional property with respect to exponentiation: $(X^Y)^Z = X^{Y \ast Z}$. The intruder abilities to create, manipulate, and delete messages according to the Dolev-Yao attacker's capabilities [13] are described as follows, where we use the special symbol ∈I to represent that the intruder knows something, and I denotes the intruder's name: $\frac{M_1 \in I,\ M_2 \in I}{(M_1 \ast M_2) \in I}$, $\frac{X \in I,\ Y \in I}{X^Y \in I}$, $N_I \in I$. The intrud...

475 | Conditional rewriting logic as a unified model of concurrency
- Meseguer
- 1992
Citation Context: ...es a semi-decision algorithm. See [15] for further explanations. The protocol to be analyzed is provided to the tool as an algebraic signature Σ including symbols, sorts, and subsort information (see [22,8]), together with the set P of strands defining the protocol. Moreover, the tool expects some seed terms ⟨sd1, . . . , sdn⟩ for the generation of the grammars ⟨G1, . . . , Gm⟩ where m ≤ n. In the speci...

237 | The NRL protocol analyzer: An overview
- Meadows
- 1996
Citation Context: ...inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It is the next generation of the NRL Protocol Analyzer [21], a tool that supported limited equational reasoning and was successfully applied to the analysis of many different protocols. In Maude-NPA we improved on the original NPA in two ways. First of all, i...

220 | Unification theory
- Baader, Snyder
- 2001
Citation Context: ...vity and commutativity with or without identity, or only commutativity; however, associativity without commutativity is problematic because in general it can produce an infinite set of unifiers (see [2]), although in some cases it can be approximated by weaker associative axioms with a finitary unification algorithm (see [14]). The Maude-NPA's reachability analysis is based on two parameters: a prot...

116 | Strand spaces: Proving security protocols correct
- 1999

72 | Intruder deductions, constraint solving and insecurity decision in presence of exclusive or
- Comon-Lundh, Shmatikov
- 2003
Citation Context: ...the work in this area has concentrated on problems of secrecy and static equivalence in bounded session protocols, which have been proved to be decidable for an important class of equational theories [23,7,1,9,6,12]. For unbounded sessions, however, the problem is less well understood and has been recently studied in [5,4]. In [17] and [7] tree-automata based approximations are applied to associative-commutative...

70 | Automated verification of selected equivalences for security protocols
- Blanchet, Abadi, et al.
Citation Context: ...h have been proved to be decidable for an important class of equational theories [23,7,1,9,6,12]. For unbounded sessions, however, the problem is less well understood and has been recently studied in [5,4]. In [17] and [7] tree-automata based approximations are applied to associative-commutative theories to develop abstract approximations. These techniques have been implemented in tools (for Diffie-Hel...

66 | OFMC: A symbolic model checker for security protocols
- Basin, Mödersheim, et al.
- 2005
Citation Context: ...ledge (i.e., m∈I) is unreachable for the intruder and discarded. In this work we also make use of an additional state-reduction feature, namely a notion similar to the "lazy intruder" of Basin et al. [3], but for backwards instead of forward search. This feature was already implemented in the original NRL Protocol Analyzer [21] and is independent of the use of any equational theory. Note that this fe...

53 | Deciding the security of protocols with Diffie-Hellman exponentiation and products in exponents
- Chevalier, Küsters, et al.
Citation Context: ...the work in this area has concentrated on problems of secrecy and static equivalence in bounded session protocols, which have been proved to be decidable for an important class of equational theories [23,7,1,9,6,12]. For unbounded sessions, however, the problem is less well understood and has been recently studied in [5,4]. In [17] and [7] tree-automata based approximations are applied to associative-commutative...

36 | Symbolic protocol analysis with products and Diffie-Hellman exponentiation
- Millen, Shmatikov
- 2003
Citation Context: ...the work in this area has concentrated on problems of secrecy and static equivalence in bounded session protocols, which have been proved to be decidable for an important class of equational theories [23,7,1,9,6,12]. For unbounded sessions, however, the problem is less well understood and has been recently studied in [5,4]. In [17] and [7] tree-automata based approximations are applied to associative-commutative...

27 | A unification algorithm for the group Diffie-Hellman protocol
- Meadows, Narendran
- 2002
Citation Context: ...tive-commutative theories such as exponentiation and exclusive-or. Probably the most closely related work to ours in this area is the unification algorithms for exponentiation in Narendran and Meadows [20] and Kapur, Narendran, and Wang [19]. The theory we use in this paper is an order-sorted version of a fragment of the theories for which unification algorithms are developed there. In this work, howev...

24 | Proving Termination of Rewriting with CiME
- Contejean, Marché, et al.
- 2003
Citation Context: ... corresponding unsorted theories is non-terminating, whereas narrowing with the order-sorted theories does terminate. The current support of order-sorted unification in the Maude-NPA leverages CiME's [11] rich library of composable unsorted unification algorithms, including any combination of associativity, commutativity and identity axioms (except associativity without commutativity). The Maude-NPA t...

22 | A rewriting-based inference system for the NRL protocol analyzer and its meta-logical properties. Theoretical Computer Science 367(1-2)
- Escobar, Meadows, et al.
- 2006
Citation Context: ...a tool that supported limited equational reasoning and was successfully applied to the analysis of many different protocols. In Maude-NPA we improved on the original NPA in two ways. First of all, in [15] we formalized the inference system of NPA, providing the first formal description of the tool, in terms of rewriting logic and narrowing. We also provided proofs of soundness and completeness. More r...

21 | Abstraction and resolution modulo AC: How to verify Diffie-Hellman-like protocols automatically
- Goubault-Larrecq, Roger, et al.
- 2004
Citation Context: ...n proved to be decidable for an important class of equational theories [23,7,1,9,6,12]. For unbounded sessions, however, the problem is less well understood and has been recently studied in [5,4]. In [17] and [7] tree-automata based approximations are applied to associative-commutative theories to develop abstract approximations. These techniques have been implemented in tools (for Diffie-Hellman theo...

20 | An E-unification algorithm for analyzing protocols that use modular exponentiation (in Rewriting Techniques and Applications)
- Kapur, Narendran, et al.
- 2003
Citation Context: ...ponentiation and exclusive-or. Probably the most closely related work to ours in this area is the unification algorithms for exponentiation in Narendran and Meadows [20] and Kapur, Narendran, and Wang [19]. The theory we use in this paper is an order-sorted version of a fragment of the theories for which unification algorithms are developed there. In this work, however, we use a hybrid approach that we...

17 | Incremental construction of unification algorithms in equational theories
- Jouannaud, Kirchner, et al.
- 1983
Citation Context: ...have the typing exp : Gen × NeNonceSet → Exp. In particular, exp(W, Y ∗ Z) is a constructor term as claimed. The next key observation is that ∆ is confluent, terminating, and coherent modulo B (see [18] for these notions). Coherence modulo B is particularly easy to check, since the associative-commutative multiplication symbol in B does not appear in ∆'s left-hand side exp(exp(W, Y ), Z). We can then...

14 | Symbolic protocol analysis in presence of a homomorphism operator and exclusive or
- Delaune, Lafourcade, et al.
- 2006

11 | Deciding knowledge in security protocols under equational theories
- Abadi, Cortier

10 | Deducibility constraints
- Bursuc, Delaune, et al.
- 2009

5 | Handling algebraic properties in automatic analysis of security protocols
- Boichut, Héam, et al.
- 2006
Citation Context: ...h have been proved to be decidable for an important class of equational theories [23,7,1,9,6,12]. For unbounded sessions, however, the problem is less well understood and has been recently studied in [5,4]. In [17] and [7] tree-automata based approximations are applied to associative-commutative theories to develop abstract approximations. These techniques have been implemented in tools (for Diffie-Hel...

1 | New decidability results for fragments of first-order logic and application to cryptographic protocols
- Comon-Lundh, Cortier
- 2003
Citation Context: ...m. This is then combined with rewrite theories that are terminating and confluent with respect to the AC theory. Some other work that is closely related to ours is the work of Comon-Lundh and Delaune [10] on the finite variant property, in which techniques are developed for achieving termination even when narrowing by itself does not terminate. Although this paper does not make use of their results, w...