A rewriting-based inference system for the NRL Protocol Analyzer and its meta-logical properties

The NRL Protocol Analyzer (NPA) is a tool for the formal specification and analysis of cryptographic protocols that has been used with great effect on a number of complex real-life protocols. One of the most interesting of its features is that it can be used to reason about security in the face of attempted attacks on low-level algebraic properties of the functions used in a protocol. Indeed, it has been used successfully to either reproduce or discover a number of such attacks. In this paper we give for the first time a precise formal specification of the main features of the NPA inference system: its grammar-based techniques for invariant generation and its backwards reachability analysis method. This formal specification is given within the well-known rewriting framework, so that the inference system is specified as a set of rewrite rules modulo an equational theory describing the behavior of the cryptographic algorithms involved. We then use this formalization to prove some important meta-logical properties of the NPA inference system, including the soundness and completeness of the search algorithm and the soundness of the grammar generation algorithm. The formalization and the soundness and completeness theorems not only provide a better understanding of the NPA as it currently operates, but also provide a modular basis which can be used as a starting point for increasing the types of equational theories it can handle.
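As an added illustration of the two ideas the abstract names (this is not code from the paper or from the NPA itself), the following toy analyser runs a backwards reachability search over intruder-knowledge goals: a goal "the intruder knows t" is rewritten into the premises of an intruder rule whose conclusion unifies with it, or discharged when it unifies with a message the intruder has observed. The equational theory is reduced to the single decryption equation dec(enc(M, K), K) = M, unification is syntactic, and the "invariants" are hand-written patterns of never-learnable terms that stand in for the grammars the NPA generates automatically. The protocol, its messages, keys, nonce and rule names are all constructed for this example.

```python
# Added illustration, not the NPA's own code. Terms: variables are capitalised
# strings ("M", "K_3"), constants lowercase strings ("s", "k_ab"), compound
# terms tuples (symbol, arg, ...). Every fact means "the intruder knows this".

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def apply(t, s):
    """Apply substitution s to t, following chains of variable bindings."""
    while is_var(t) and t in s:
        t = s[t]
    return (t[0],) + tuple(apply(a, s) for a in t[1:]) if isinstance(t, tuple) else t

def occurs(v, t):
    return t == v or (isinstance(t, tuple) and any(occurs(v, a) for a in t[1:]))

def unify(a, b, s):
    """Syntactic unification under s; returns the extended substitution or None."""
    a, b = apply(a, s), apply(b, s)
    if a == b:
        return s
    if is_var(a):
        return None if occurs(a, b) else {**s, a: b}
    if is_var(b):
        return {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b):
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None

def rename(t, n):
    """Give a rule's variables a fresh suffix so two applications never clash."""
    if is_var(t):
        return f"{t}_{n}"
    return (t[0],) + tuple(rename(a, n) for a in t[1:]) if isinstance(t, tuple) else t

def variables(t):
    if is_var(t):
        return {t}
    return set().union(*(variables(a) for a in t[1:])) if isinstance(t, tuple) else set()

def instance_of(t, pattern):
    """One-way matching: t is an instance of pattern if only pattern's variables bind."""
    s = unify(pattern, t, {})
    return s is not None and not (set(s) & variables(t))

def show(t):
    return t if isinstance(t, str) else f"{t[0]}({','.join(show(a) for a in t[1:])})"

# Dolev-Yao intruder rules (name, premises, conclusion). "decrypt" is the one
# equational property modelled here: dec(enc(M, K), K) = M.
DOLEV_YAO = [
    ("decrypt", [("enc", "M", "K"), "K"], "M"),
    ("fst", [("pair", "A", "B")], "A"),
    ("snd", [("pair", "A", "B")], "B"),
    ("pair", ["A", "B"], ("pair", "A", "B")),
    ("encrypt", ["M", "K"], ("enc", "M", "K")),
]

def search(goal, facts, rules, bound, invariants=()):
    """Backwards narrowing from 'intruder knows goal': a goal is rewritten into
    the premises of a rule whose conclusion unifies with it, or discharged by an
    observed fact. Returns (derivation trace or None, nodes visited)."""
    fresh, visited = [0], [0]

    def solve(goals, s, steps, trace):
        visited[0] += 1
        if not goals:
            return trace
        g, rest = apply(goals[0], s), goals[1:]
        if any(instance_of(g, p) for p in invariants):
            return None  # grammar-style invariant: this shape is never learnable
        for f in facts:
            s2 = unify(g, f, s)
            if s2 is not None:
                r = solve(rest, s2, steps, trace + [f"observe {show(f)}"])
                if r is not None:
                    return r
        if steps == bound:
            return None
        for name, premises, conclusion in rules:
            fresh[0] += 1
            n = fresh[0]
            s2 = unify(g, rename(conclusion, n), s)
            if s2 is not None:
                r = solve([rename(p, n) for p in premises] + rest, s2, steps + 1, trace + [name])
                if r is not None:
                    return r
        return None

    return solve([goal], {}, 0, []), visited[0]

# Constructed protocol: A sends secret s, paired with a nonce, under the key
# k_ab shared with B; the intruder starts with the names and its own key k_ai.
SAFE = ["a", "b", "k_ai", ("enc", ("pair", "n_a", "s"), "k_ab")]
# Flawed variant: a key-distribution message leaks k_ab under the intruder's key.
FLAWED = SAFE + [("enc", "k_ab", "k_ai")]

if __name__ == "__main__":
    for label, facts, inv in [("safe", SAFE, ()), ("flawed", FLAWED, ()),
                              ("safe + invariants", SAFE, ["k_ab", ("pair", "X", "s")])]:
        trace, n = search("s", facts, DOLEV_YAO, bound=4, invariants=inv)
        print(f"{label}: {' -> '.join(trace) if trace else 'no attack'} ({n} nodes)")
```

Run stand-alone, the search reports the derivation it finds for the flawed variant (project the second component of the pair after decrypting with k_ab, which it in turn recovers from the leaked message), reports no derivation within the bound for the safe variant, and visits fewer nodes for the safe variant once the invariants are supplied, which is the role the NPA's generated grammars play in pruning its search. Soundness here is immediate: every trace step is a legitimate rule application, so a reported trace is a real derivation; completeness holds only up to the step bound, which is why the real NPA needs the invariants rather than a bound to terminate.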
