Automated Verification of Group Key Agreement Protocols

We advance the state-of-the-art in automated symbolic cryptographic protocol analysis by providing the first algorithm that can handle Diffie-Hellman exponentiation, bilinear pairing, and AC-operators. Our support for AC-operators enables protocol specifications to use multisets, natural numbers, and finite maps. We implement the algorithm in the TAMARIN prover and provide the first symbolic correctness proofs for group key agreement protocols that use Diffie-Hellman or bilinear pairing, loops, and recursion, while at the same time supporting advanced security properties, such as perfect forward secrecy and eCK-security. We automatically verify a set of protocols, including the STR, group Joux, and GDH protocols, thereby demonstrating the effectiveness of our approach.
