Symbolic protocol analysis for monoidal equational theories. (English) Zbl 1148.68325
Summary: We are interested in the design of automated procedures for analyzing the (in)security of cryptographic protocols in the Dolev-Yao model for a bounded number of sessions when we take into account some algebraic properties satisfied by the operators involved in the protocol. This leads to a more realistic model in comparison to what we get under the perfect cryptography assumption, but it implies that protocol analysis deals with terms modulo some equational theory instead of terms in a free algebra. The main goal of this paper is to setup a general approach that works for a whole class of monoidal theories which contains many of the specific cases that have been considered so far in an ad-hoc way (e.g. exclusive or, Abelian groups, exclusive or in combination with the homomorphism axiom). We follow a classical schema for cryptographic protocol analysis which proves first a locality result and then reduces the insecurity problem to a symbolic constraint solving problem.
This approach strongly relies on the correspondence between a monoidal theory \(E\) and a semiring \(\mathcal S _E\) which we use to deal with the symbolic constraints. We show that the well-defined symbolic constraints that are generated by reasonable protocols can be solved provided that unification in the monoidal theory satisfies some additional properties. The resolution process boils down to solving particular quadratic Diophantine equations that are reduced to linear Diophantine equations, thanks to linear algebra results and the well-definedness of the problem. Examples of theories that do not satisfy our additional properties appear to be undecidable, which suggests that our characterization is reasonably tight.
This approach strongly relies on the correspondence between a monoidal theory \(E\) and a semiring \(\mathcal S _E\) which we use to deal with the symbolic constraints. We show that the well-defined symbolic constraints that are generated by reasonable protocols can be solved provided that unification in the monoidal theory satisfies some additional properties. The resolution process boils down to solving particular quadratic Diophantine equations that are reduced to linear Diophantine equations, thanks to linear algebra results and the well-definedness of the problem. Examples of theories that do not satisfy our additional properties appear to be undecidable, which suggests that our characterization is reasonably tight.
References:
| [1] | Amadio, R.; Lugiez, D.; Vanackère, V., On the symbolic reduction of processes with cryptographic functions, Theoretical Computer Science, 290, 695-740 (2002) · Zbl 1051.68054 |
| [2] | AVISPA Project, The AVISPA tool, <http://www.avispa-project.org/>.; AVISPA Project, The AVISPA tool, <http://www.avispa-project.org/>. |
| [3] | Baader, F., Unification in commutative theories, Hilbert’s basis theorem and Gröbner bases, Journal of the ACM, 40, 3, 477-503 (1993) · Zbl 0791.68146 |
| [4] | Baader, F.; Nutt, W., Combination problems for commutative/monoidal theories or How algebra can help in equational unification, Applicable Algebra Engineering Communication and Computing, 7, 4, 309-337 (1996) · Zbl 0853.03008 |
| [5] | Baader, F.; Schulz, K., Unification in the union of disjoint equational theories: combining decision procedures, Journal of Symbolic Computation, 21, 211-243 (1996) · Zbl 0851.68055 |
| [6] | Baader, F.; Snyder, W., Unification theory, (Robinson, A.; Voronkov, A., Handbook of Automated Reasoning, vol. 1 (2001), Elsevier), 447-533, (Chapter 8) · Zbl 1011.68126 |
| [7] | Basin, D.; Mödersheim, S.; Viganò, L., Algebraic intruder deductions, (Proc. 12th International Conference on Logic Programming and Automated Reasoning (LPAR’06). Proc. 12th International Conference on Logic Programming and Automated Reasoning (LPAR’06), LNAI, vol. 3835 (2005), Springer-Verlag) · Zbl 1143.94339 |
| [8] | M. Baudet, Deciding security of protocols against off-line guessing attacks, in: Proc. 12th ACM Conference on Computer and Communications Security (CCS’05), ACM Press, Alexandria, Virginia, USA, 2005.; M. Baudet, Deciding security of protocols against off-line guessing attacks, in: Proc. 12th ACM Conference on Computer and Communications Security (CCS’05), ACM Press, Alexandria, Virginia, USA, 2005. |
| [9] | B. Blanchet, An efficient cryptographic protocol verifier based on Prolog rules, in: Proc. 14th IEEE Computer Security Foundations Workshop (CSFW’01), IEEE Comp. Soc., 2001.; B. Blanchet, An efficient cryptographic protocol verifier based on Prolog rules, in: Proc. 14th IEEE Computer Security Foundations Workshop (CSFW’01), IEEE Comp. Soc., 2001. |
| [10] | S. Bursuc, H. Comon-Lundh, S. Delaune, Associative-commutative deducibility constraints, in: Proc. 24th Annual Symposium on Theoretical Aspects of Computer Science (STACS’07), vol. 4393 of LNCS, Springer, Aachen (Germany), 2007.; S. Bursuc, H. Comon-Lundh, S. Delaune, Associative-commutative deducibility constraints, in: Proc. 24th Annual Symposium on Theoretical Aspects of Computer Science (STACS’07), vol. 4393 of LNCS, Springer, Aachen (Germany), 2007. · Zbl 1186.68282 |
| [11] | Y. Chevalier, Résolution de problèmes d’accessibilité pour la compilation et la validation de protocoles cryptographiques, Ph.D. thesis, Université Henri Poincaré, Nancy (France) (2003).; Y. Chevalier, Résolution de problèmes d’accessibilité pour la compilation et la validation de protocoles cryptographiques, Ph.D. thesis, Université Henri Poincaré, Nancy (France) (2003). |
| [12] | Chevalier, Y.; Küsters, R.; Rusinowitch, M.; Turuani, M., An NP decision procedure for protocol insecurity with XOR, (Proc. 18th Annual IEEE Symposium on Logic in Computer Science (LICS’03) (2003), IEEE Comp. Soc. Press: IEEE Comp. Soc. Press Ottawa (Canada)) · Zbl 1068.68057 |
| [13] | Chevalier, Y.; Küsters, R.; Rusinowitch, M.; Turuani, M.; Vigneron, L., Deciding the security of protocols with Diffie-Hellman exponentiation and product in exponents, (Proc. 23rd Conference on Foundations of Software Technology and Theoretical Computer Science (FST&TCS’03). Proc. 23rd Conference on Foundations of Software Technology and Theoretical Computer Science (FST&TCS’03), LNCS, vol. 2914 (2003), Springer: Springer Mumbai (India)) · Zbl 1205.94078 |
| [14] | Chevalier, Y.; Rusinowitch, M., Combining intruder theories, (Proc. 32nd International Colloquium on Automata, Languages and Programming (ICALP’05). Proc. 32nd International Colloquium on Automata, Languages and Programming (ICALP’05), LNCS, vol. 3580 (2005), Springer: Springer Lisbon (Portugal)) · Zbl 1084.94512 |
| [15] | Chevalier, Y.; Rusinowitch, M., Hierarchical combination of intruder theories, (Proc. 17th International Conference on Term Rewriting and Applications, (RTA’06). Proc. 17th International Conference on Term Rewriting and Applications, (RTA’06), LNCS, vol. 4098 (2006), Springer) · Zbl 1151.68630 |
| [16] | Comon-Lundh, H., Intruder theories (ongoing work), (Proc. 7th International Conference on Foundations of Software Science and Computation Structures (FOSSACS’04). Proc. 7th International Conference on Foundations of Software Science and Computation Structures (FOSSACS’04), LNCS, vol. 2987 (2004), Springer: Springer Barcelona (Spain)) · Zbl 1126.68390 |
| [17] | Comon-Lundh, H.; Delaune, S., The finite variant property: how to get rid of some algebraic properties, (Proc. 16th International Conference on Rewriting Techniques and Applications (RTA’05). Proc. 16th International Conference on Rewriting Techniques and Applications (RTA’05), LNCS, vol. 3467 (2005), Springer: Springer Nara (Japan)) · Zbl 1078.68059 |
| [18] | Comon-Lundh, H.; Shmatikov, V., Intruder deductions, constraint solving and insecurity decision in presence of exclusive or, (Proc. 18th Annual IEEE Symposium on Logic in Computer Science (LICS’03) (2003), IEEE Comp. Soc. Press: IEEE Comp. Soc. Press Ottawa (Canada)) |
| [19] | H. Comon-Lundh, R. Treinen, Easy intruder deductions, in: Verification: Theory & Practice, Essays Dedicated to Zohar Manna on the Occasion of His 64th Birthday, LNCS, vol. 2772. Springer, 2003.; H. Comon-Lundh, R. Treinen, Easy intruder deductions, in: Verification: Theory & Practice, Essays Dedicated to Zohar Manna on the Occasion of His 64th Birthday, LNCS, vol. 2772. Springer, 2003. · Zbl 1201.68049 |
| [20] | Cortier, V.; Delaune, S.; Lafourcade, P., A survey of algebraic properties used in cryptographic protocols, Journal of Computer Security, 14, 1, 1-43 (2006) |
| [21] | Delaune, S., Easy intruder deduction problems with homomorphisms, Information Processing Letters, 97, 6, 213-218 (2006) · Zbl 1184.68459 |
| [22] | Delaune, S., An undecidability result for AGh, Theoretical Computer Science, 368, 1-2, 161-167 (2006) · Zbl 1171.94344 |
| [23] | Delaune, S.; Jacquemard, F., A decision procedure for the verification of security protocols with explicit destructors, (Proc. 11th ACM Conference on Computer and Communications Security (CCS’04) (2004), ACM Press: ACM Press Washington, DC, USA) |
| [24] | S. Delaune, P. Lafourcade, D. Lugiez, R. Treinen, Symbolic protocol analysis in presence of a homomorphism operator and exclusive or, in: Proc. 33rd International Colloquium on Automata, Languages and Programming (ICALP’06)—Part II, vol. 4052 of LNCS, Springer, Venice (Italy), 2006, <http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLLT-icalp06.pdf/>.; S. Delaune, P. Lafourcade, D. Lugiez, R. Treinen, Symbolic protocol analysis in presence of a homomorphism operator and exclusive or, in: Proc. 33rd International Colloquium on Automata, Languages and Programming (ICALP’06)—Part II, vol. 4052 of LNCS, Springer, Venice (Italy), 2006, <http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DLLT-icalp06.pdf/>. · Zbl 1133.94315 |
| [25] | Dershowitz, N.; Jouannaud, J.-P., Rewrite systems, (van Leeuwen, J., Handbook of Theoretical Computer Science, vol. B (1990), Elsevier and MIT Press), chapter 6 · Zbl 0900.68283 |
| [26] | Dolev, D.; Yao, A., On the security of public key protocols, (Proc. 22nd Symposium on Foundations of Computer Science (1981), IEEE Comp. Soc. Press: IEEE Comp. Soc. Press Nashville (USA, Tennessee)) · Zbl 0502.94005 |
| [27] | Durgin, N.; Lincoln, P.; Mitchell, J.; Scedrov, A., Multiset rewriting and the complexity of bounded security protocols, Journal of Computer Security, 12, 247-311 (2004) |
| [28] | Kapur, D.; Narendran, P.; Wang, L., An E-unification algorithm for analyzing protocols that use modular exponentiation, (Proc. 14th International Conference on Rewriting Techniques and Applications (RTA’03). Proc. 14th International Conference on Rewriting Techniques and Applications (RTA’03), LNCS (2003), Springer) · Zbl 1043.94537 |
| [29] | P. Lafourcade, D. Lugiez, R. Treinen, ACUNh: unification and disunification using automata theory, in: Proc. 20th International Workshop on Unification (UNIF’06), Seattle, (USA, Washington), 2006.; P. Lafourcade, D. Lugiez, R. Treinen, ACUNh: unification and disunification using automata theory, in: Proc. 20th International Workshop on Unification (UNIF’06), Seattle, (USA, Washington), 2006. |
| [30] | Lowe, G., Breaking and fixing the Needham-Schroeder public-key protocol using FDR, Software—Concepts and Tools, 17, 3, 93-102 (1996) |
| [31] | Martelli, A.; Montanari, U., An efficient unification algorithm, ACM Transactions on Programming Languages and Systems, 4, 2, 258-282 (1982) · Zbl 0478.68093 |
| [32] | McAllester, D. A., Automatic recognition of tractability in inference relations, Journal of the ACM, 40, 2, 284-303 (1993) · Zbl 0770.68106 |
| [33] | Meinke, K.; Tucker, J. V., Universal algebra, (Handbook of Logic in Computer Science, vol. 1 (1992), Oxford Science Publications), 189-411 · Zbl 0777.68001 |
| [34] | Millen, J.; Shmatikov, V., Constraint solving for bounded-process cryptographic protocol analysis, (Proc. 8th ACM Conference on Computer and Communications Security (CCS’01) (2001), ACM) |
| [35] | Millen, J.; Shmatikov, V., Symbolic protocol analysis with an Abelian group operator or Diffie-Hellman exponentiation, Journal of Computer Security, 13, 3, 515-564 (2005) |
| [36] | Narendran, P., Solving linear equations over polynomial semirings, (Proc. 11th Annual IEEE Symposium on Logic in Computer Science (LICS’96) (1996), IEEE Comp. Soc. Press: IEEE Comp. Soc. Press New Brunswick, New Jersey) |
| [37] | Needham, R.; Schroeder, M., Using encryption for authentification in large networks of computers, Communications of the ACM, 21, 12, 993-999 (1978) · Zbl 0387.68003 |
| [38] | Nutt, W., Unification in monoidal theories, (Proc. 10th International Conference on Automated Deduction, (CADE’90). Proc. 10th International Conference on Automated Deduction, (CADE’90), LNCS, vol. 449 (1990), Springer: Springer Kaiserslautern (Germany)) · Zbl 1509.03045 |
| [39] | L. Paulson, The inductive approach to verifying protocols, in: 10th IEEE Computer Scurity Foundations Workshop, 1997.; L. Paulson, The inductive approach to verifying protocols, in: 10th IEEE Computer Scurity Foundations Workshop, 1997. |
| [40] | Rusinowitch, M.; Turuani, M., Protocol insecurity with a finite number of sessions, composed keys is NP-complete, Theoretical Computer Science, 1-3, 299, 451-475 (2003) · Zbl 1042.68009 |
| [41] | Ryan, P.; Schneider, S., An attack on a recursive authentication protocol. A cautionary tale, Inf. Process. Lett., 65, 1, 7-10 (1998) · Zbl 1339.94062 |
| [42] | Schrijver, A., Theory of Linear and Integer Programming (1986), Wiley · Zbl 0665.90063 |
| [43] | Simmons, G., Cryptoanalysis and protocol failures, Communications of the ACM, 37, 11, 56-65 (1994) |
| [44] | Zunino, R.; Degano, P., Handling exp, \( \times \) (and timestamps) in protocol analysis, (Proc. 9th International Conference on Foundations of Software Science and Computation Structures, (FOSSACS’06). Proc. 9th International Conference on Foundations of Software Science and Computation Structures, (FOSSACS’06), LNCS, vol. 3921 (2004), Springer) · Zbl 1180.94066 |
This reference list is based on information provided by the publisher or from digital mathematics libraries. Its items are heuristically matched to zbMATH identifiers and may contain data conversion errors. In some cases that data have been complemented/enhanced by data from zbMATH Open. This attempts to reflect the references listed in the original paper as accurately as possible without claiming completeness or a perfect matching.
