Results 1-10 of 26
Intruder deductions, constraint solving and insecurity decision in presence of exclusive or
2003
Cited by 90 (12 self)
Abstract
We present decidability results for the verification of cryptographic protocols in the presence of equational theories corresponding to xor and Abelian groups. Since the perfect cryptography assumption is unrealistic for cryptographic primitives with visible algebraic properties such as xor, we extend the conventional Dolev-Yao model by permitting the intruder to exploit these properties. We show that the ground reachability problem is in NP for the extended intruder theories in the cases of xor and Abelian groups. This result follows from a normal proof theorem. Then, we show how to lift this result in the xor case: we consider a symbolic constraint system expressing the reachability (e.g., secrecy) problem for a finite number of sessions. We prove that such a constraint system is decidable, relying in particular on an extension of combination algorithms for unification procedures. As a corollary, this enables automatic symbolic verification of cryptographic protocols employing xor for a fixed number of sessions.
Formal Methods for Cryptographic Protocol Analysis: Emerging Issues and Trends
2003
Cited by 78 (0 self)
Abstract
The history of the application of formal methods to cryptographic protocol analysis spans over 20 years and recently has been showing signs of new maturity and consolidation. Not only have a number of specialized tools been developed, and general-purpose ones been adapted, but people have begun applying these tools to realistic protocols, in many cases supplying feedback to designers that can be used to improve the protocol’s security. In this paper, we will describe some of the ongoing work in this area, as well as describe some of the new challenges and the ways in which they are being met.
Deciding the security of protocols with Diffie-Hellman exponentiation and products in exponents
2003
The finite variant property: How to get rid of some algebraic properties
In Proceedings of RTA’05, LNCS 3467
2005
Cited by 46 (8 self)
Abstract
We consider the following problem: given a term t, a rewrite system R, and a finite set of equations E′ such that R is E′-convergent, compute finitely many instances of t, t1, ..., tn, such that, for every substitution σ, there is an index i and a substitution θ such that tσ↓ =E′ tiθ (where tσ↓ is the normal form of tσ w.r.t. →E′\R). The goal of this paper is to give equivalent (resp. sufficient) conditions for the finite variant property and to systematically investigate this property for equational theories which are relevant to security protocol verification. For instance, we prove that the finite variant property holds for Abelian groups and for a theory of modular exponentiation, and does not hold for the theory ACUNh (Associativity, Commutativity, Unit, Nilpotence, homomorphism).
Symbolic protocol analysis with products and Diffie-Hellman exponentiation
2003
Cited by 41 (0 self)
Abstract
We demonstrate that for any well-defined cryptographic protocol, the symbolic trace reachability problem in the presence of an Abelian group operator (e.g., multiplication) can be reduced to solvability of a decidable system of quadratic Diophantine equations. This result enables complete, fully automated formal analysis of protocols that employ primitives such as Diffie-Hellman exponentiation, multiplication, and xor, with a bounded number of role instances, but without imposing any bounds on the size of terms created by the attacker.
Combining Intruder Theories
In Proceedings of the 32nd International Colloquium on Automata, Languages and Programming (ICALP’05), volume 3580 of LNCS
2005
Cited by 26 (6 self)
Abstract
Most of the decision procedures for symbolic analysis of protocols are limited to a fixed set of algebraic operators associated with a fixed intruder theory. Examples of such sets of operators comprise XOR, multiplication/exponentiation, and abstract encryption/decryption. In this paper we give an algorithm for combining decision procedures for arbitrary intruder theories with disjoint sets of operators, provided that solvability of ordered intruder constraints, a slight generalization of intruder constraints, can be decided in each theory. This is the case for most of the intruder theories for which a decision procedure has been given. In particular, our result allows us to decide trace-based security properties of protocols that employ any combination of the above-mentioned operators with a bounded number of sessions.
Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties
2012
Cited by 20 (9 self)
Abstract
We present a general approach for the symbolic analysis of security protocols that use Diffie-Hellman exponentiation to achieve advanced security properties. We model protocols as multiset rewriting systems and security properties as first-order formulas. We analyze them using a novel constraint-solving algorithm that supports both falsification and verification, even in the presence of an unbounded number of protocol sessions. The algorithm exploits the finite variant property and builds on ideas from strand spaces and proof normal forms. We demonstrate the scope and the effectiveness of our algorithm on non-trivial case studies. For example, the algorithm successfully verifies the NAXOS protocol with respect to a symbolic version of the eCK security model.
Limits of the Cryptographic Realization of Dolev-Yao-style XOR
Computer Security, Proceedings of ESORICS 2005, number 3679 in Lecture Notes in Computer Science
2005
Cited by 18 (5 self)
Abstract
The abstraction of cryptographic operations by term algebras, called Dolev-Yao models, is essential in almost all tool-supported methods for proving security protocols. Recently, significant progress was made in proving that such abstractions can be sound with respect to actual cryptographic realizations and security definitions. The strongest results show this in the sense of reactive simulatability/UC, a notion that essentially means retention of arbitrary security properties under arbitrary active attacks and in arbitrary protocol environments, with only small changes to both abstractions and natural implementations.
Hierarchical combination of intruder theories
In Proc. 17th International Conference on Term Rewriting and Applications (RTA’06), volume 4098 of LNCS
2006
Cited by 17 (1 self)
Abstract
Recently, automated deduction tools have proved to be very effective for detecting attacks on cryptographic protocols. These analyses can be improved, for finding more subtle weaknesses, by more accurate modelling of the operators employed by protocols. Several works have shown how to handle a single algebraic operator (associated with a fixed intruder theory) or how to combine several operators satisfying disjoint theories. However, several interesting equational theories, such as exponentiation with an abelian group law for exponents, remain out of the scope of these techniques. This has motivated us to introduce a new notion of hierarchical combination for intruder theories and to show decidability results for the deduction problem in these theories. Under a simple hypothesis, we were able to simplify this deduction problem. This simplification is then applied to prove the decidability of constraint systems w.r.t. an intruder relying on an exponentiation theory.