Effective Symbolic Protocol Analysis via Equational Irreducibility Conditions

We address a problem that arises in cryptographic protocol analysis when the equational properties of the cryptosystem are taken into account: in many situations it is necessary to guarantee that certain terms generated during a state exploration are in normal form with respect to the equational theory. We give a tool-independent methodology for state exploration, based on unification and narrowing, that generates states that obey these irreducibility constraints, called contextual symbolic reachability analysis, prove its soundness and completeness, and describe its implementation in the Maude-NPA protocol analysis tool. Contextual symbolic reachability analysis also introduces a new type of unification mechanism, which we call asymmetric unification, in which any solution must leave the right side of the solution irreducible. We also present experiments showing the effectiveness of our methodology.
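As an added illustration (not code from the paper or from Maude-NPA), the Python block below encodes a toy convergent theory with the single rule dec(enc(M, K), K) → M and checks the asymmetric unification condition described in the abstract: a substitution is accepted only if it E-unifies both sides and leaves the instantiated right side irreducible. The candidate unifiers are supplied by hand (an assumption); the narrowing that would generate them is not implemented.

```python
# Added example (not the paper's code): one convergent rule,
#   dec(enc(M, K), K) -> M,
# and the asymmetric unification condition from the abstract: sigma solves s =? t
# asymmetrically if s*sigma =_E t*sigma AND the instance t*sigma is irreducible.
# Candidate unifiers are supplied by hand (assumption); the narrowing-based
# generation of candidates that Maude-NPA performs is not implemented here.

def is_var(t):
    """Variables are plain strings; function symbols are tuples (name, *args)."""
    return isinstance(t, str)

def apply_subst(sigma, t):
    """Apply substitution sigma (dict var -> term) to term t."""
    if is_var(t):
        return sigma.get(t, t)
    return (t[0],) + tuple(apply_subst(sigma, a) for a in t[1:])

def redex_at_root(t):
    """True iff t has the shape dec(enc(M, K), K), so the rule fires at the root."""
    return (not is_var(t) and t[0] == "dec" and len(t) == 3
            and not is_var(t[1]) and t[1][0] == "enc" and len(t[1]) == 3
            and t[1][2] == t[2])

def normalize(t):
    """Innermost normalization; terminates because the rule shrinks the term."""
    if is_var(t):
        return t
    t = (t[0],) + tuple(normalize(a) for a in t[1:])
    if redex_at_root(t):
        return normalize(t[1][1])  # dec(enc(M, K), K) -> M
    return t

def irreducible(t):
    """A term is R-irreducible iff it is already its own normal form."""
    return normalize(t) == t

def is_e_unifier(s, t, sigma):
    """Ordinary E-unification: both instances have the same normal form."""
    return normalize(apply_subst(sigma, s)) == normalize(apply_subst(sigma, t))

def is_asymmetric_unifier(s, t, sigma):
    """Asymmetric unification: an E-unifier whose right-hand instance is irreducible."""
    return is_e_unifier(s, t, sigma) and irreducible(apply_subst(sigma, t))

# Constructed problem Y =? dec(X, k), with k a constant (zero-ary symbol).
K = ("k",)
S, T = "Y", ("dec", "X", K)
SIGMA_REDUCIBLE = {"X": ("enc", "Y", K)}   # t*sigma = dec(enc(Y, k), k): rejected
SIGMA_ASYMMETRIC = {"Y": ("dec", "X", K)}  # t*sigma = dec(X, k): accepted
```

Both substitutions are ordinary E-unifiers of the problem, but only the second one satisfies the irreducibility constraint on the right side, which is exactly the distinction the state exploration relies on.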
