Results 1-10 of 69
Computationally sound implementations of equational theories against passive adversaries
2008
Cited by 59 (14 self)
In this paper we study the link between formal and cryptographic models for security protocols in the presence of passive adversaries. In contrast to other works, we do not consider a fixed set of primitives but aim at results for arbitrary equational theories. We define a framework for comparing a cryptographic implementation and its idealization with respect to various security notions. In particular, we concentrate on the computational soundness of static equivalence, a standard tool in cryptographic pi calculi. We present a soundness criterion, which for many theories is not only sufficient but also necessary. Finally, to illustrate our framework, we establish the soundness of static equivalence for the exclusive OR and a theory of ciphers and lists.
Algebraic intruder deductions
 In Proceedings of LPAR’05, LNAI 3835
2005
Cited by 23 (4 self)
Abstract. Many security protocols fundamentally depend on the algebraic properties of cryptographic operators. It is however difficult to handle these properties when formally analyzing protocols, since basic problems like the equality of terms that represent cryptographic messages are undecidable, even for relatively simple algebraic theories. We present a framework for security protocol analysis that can handle algebraic properties of cryptographic operators in a uniform and modular way. Our framework is based on two ideas: the use of modular rewriting to formalize a generalized equational deduction problem for the Dolev-Yao intruder, and the introduction of two parameters that control the complexity of the equational unification problems that arise during protocol analysis by bounding the depth of message terms and the operations that the intruder can perform when analyzing messages. We motivate the different restrictions made in our model by highlighting different ways in which undecidability arises when incorporating algebraic properties of cryptographic operators into formal protocol analysis.
Intruder deduction for AC-like equational theories with homomorphisms
Research Report LSV-04-16, LSV, ENS de Cachan
2004
Cited by 20 (3 self)
Abstract. Cryptographic protocols are small programs which involve a high level of concurrency and which are difficult to analyze by hand. The most successful methods to verify such protocols rely on rewriting techniques and automated deduction in order to implement or mimic the process calculus describing the protocol execution. We focus on the intruder deduction problem, that is the vulnerability to passive attacks, in presence of several variants of AC-like axioms (from AC to Abelian groups, including the theory of exclusive or) and homomorphism, which are the most frequent axioms arising in cryptographic protocols. Solutions are known for the cases of exclusive or, of Abelian groups, and of homomorphism alone. In this paper we address the combination of these AC-like theories with the law of homomorphism, which leads to much more complex decision problems. We prove decidability of the intruder deduction problem in all cases considered. Our decision procedure is in EXPTIME, except for a restricted case in which we have been able to get a PTIME decision procedure using a property of one-counter and pushdown automata.
Easy intruder deduction problems with homomorphisms
 INFORMATION PROCESSING LETTERS
2006
Cited by 19 (6 self)
We present complexity results for the verification of security protocols. Since the perfect cryptography assumption is unrealistic for cryptographic primitives with visible algebraic properties, we extend the classical Dolev-Yao model by permitting the intruder to exploit these properties. More precisely, we are interested in theories such as Exclusive or and Abelian groups in combination with the homomorphism axiom. We show that the intruder deduction problem is in PTIME in both cases, improving the EXPTIME complexity results presented in [10].
Symbolic Protocol Analysis for Monoidal Equational Theories
2006
Cited by 18 (6 self)
We consider the design of automated procedures for analyzing the (in)security of cryptographic protocols in the Dolev-Yao model for a bounded number of sessions when we take into account some algebraic properties satisfied by the operators involved in the protocol. This leads to a more realistic model than what we get under the perfect cryptography assumption, but it implies that protocol analysis deals with terms modulo some equational theory instead of terms in a free algebra. The main goal of this paper is to set up a general approach that works for a whole class of monoidal theories which contains many of the specific cases that have been considered so far in an ad hoc way (e.g. exclusive or, Abelian groups, exclusive or in combination with the homomorphism axiom). We follow a classical schema for cryptographic protocol analysis which proves first a locality result and then reduces the insecurity problem to a symbolic constraint solving problem. This approach strongly relies on the correspondence between a monoidal theory E and a semiring S_E which we use to deal with the symbolic constraints. We show that the well-defined symbolic constraints that are generated by reasonable protocols
The open-source fixed-point model checker for symbolic analysis of security protocols
In: FOSAD 2007–2008–2009, LNCS
2009
Cited by 16 (2 self)
We introduce the Open-source Fixed-point Model Checker OFMC for symbolic security protocol analysis, which extends the On-the-fly Model Checker (the previous OFMC). The native input language of OFMC is the AVISPA Intermediate Format IF. OFMC also supports AnB, a new Alice-and-Bob-style language that extends previous similar languages with support for algebraic properties of cryptographic operators and with a simple notation for different kinds of channels that can be used both as assumptions and as protocol goals. AnB specifications are automatically translated to IF. OFMC performs both protocol falsification and bounded session verification by exploring, in a demand-driven way, the transition system resulting from an IF specification. OFMC’s effectiveness is due to the integration of a number of symbolic, constraint-based techniques, which are correct and terminating. The two major techniques are the lazy intruder, which is a symbolic representation of the intruder, and constraint differentiation, which is a general search-reduction technique that integrates the lazy intruder with ideas from partial-order reduction. Moreover, OFMC allows one to analyze security protocols with respect to an algebraic theory of the employed cryptographic operators, which can be specified as part of the input. We also sketch the ongoing integration of fixed-point-based techniques for protocol verification for an unbounded number of sessions.
YAPA: A generic tool for computing intruder knowledge
2009
Cited by 16 (3 self)
Reasoning about the knowledge of an attacker is a necessary step in many formal analyses of security protocols. In the framework of the applied pi calculus, as in similar languages based on equational logics, knowledge is typically expressed by two relations: deducibility and static equivalence. Several decision procedures have been proposed for these relations under a variety of equational theories. However, each theory has its particular algorithm, and none has been implemented so far. We provide a generic procedure for deducibility and static equivalence that takes as input any convergent rewrite system. We show that our algorithm covers all the existing decision procedures for convergent theories. We also provide an efficient implementation, and compare it briefly with the more general tool ProVerif.
Symbolic protocol analysis in presence of a homomorphism operator and Exclusive Or
 In Proc. 33rd International Colloquium on Automata, Languages and Programming (ICALP’06) — Part II, volume 4052 of LNCS
2006
Cited by 14 (7 self)
Abstract. The symbolic verification of the security property of a cryptographic protocol for a bounded number of sessions is usually expressed as a symbolic trace reachability problem. Such a problem can be expressed as a constraint system for deducibility constraints for a certain inference system describing the possible actions of an attacker. We show that symbolic trace reachability for well-defined protocols is decidable in presence of both the exclusive or operator and a homomorphism over this operator. The exclusive or operator is often used in security protocols as a symmetric encryption operation. The homomorphism may model a hash function, or may be used to model a special situation in asymmetric encryption where an intruder may encrypt a message but can never learn about the corresponding decryption key. One main step of our proof consists in reducing the constraint system for deducibility into a constraint system for deducibility in one step and using one particular rule of the constraint system. This constraint system, in turn, can be expressed as a system of quadratic equations of a particular form over the ring of polynomials in one indeterminate over the finite field, Z/2Z[h]. We show that satisfiability of these systems of equations is decidable.
On the automatic analysis of recursive security protocols with xor
 in STACS 2007. 205
2007
Cited by 12 (1 self)
Abstract. In many security protocols, such as group protocols, principals have to perform iterative or recursive computations. We call such protocols recursive protocols. Recently, first results on the decidability of the security of such protocols have been obtained. While recursive protocols often employ operators with algebraic, security-relevant properties, such as the exclusive OR (XOR), the existing decision procedures cannot deal with such operators and their properties. In this paper, we show that the security of recursive protocols with XOR is decidable (w.r.t. a bounded number of sessions) for a class of protocols in which recursive computations of principals are modeled by certain Horn theories. Interestingly, this result can be obtained by a reduction to the case without XOR. We also show that relaxing certain assumptions of our model leads to undecidability.