Enrich-by-need Protocol Analysis for Diffie-Hellman (Extended Version)

Enrich-by-need protocol analysis is a style of symbolic protocol analysis that characterizes all executions of a protocol that extend a given scenario. In effect, it computes a strongest security goal the protocol achieves in that scenario. CPSA, a Cryptographic Protocol Shapes Analyzer, implements enrich-by-need protocol analysis. In this paper, we describe how to analyze protocols using the Diffie-Hellman mechanism for key agreement (DH) in the enrich-by-need style. DH, while widespread, has been challenging for protocol analysis because of its algebraic structure. DH essentially involves fields and cyclic groups, which do not fit the standard foundational framework of symbolic protocol analysis. By contrast, we justify our analysis via an algebraically natural model. This foundation makes the extended CPSA implementation reliable. Moreover, it provides informative and efficient results. An appendix explains how unification is efficiently done in our framework.
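As an added illustration (not the paper's or CPSA's code) of the algebraic point above, the following constructed example contrasts the free term algebra behind standard symbolic analysis with equality modulo the exponent group: it assumes the exponents form a commutative monoid of variables, that a Dolev-Yao style adversary may only exponentiate by exponents it knows, and the names `exp`, `normalize` and `adversary_closure` are invented for this example.

```python
from collections import Counter
G = "g"  # the group generator, as a symbolic constant

def exp(base, x):
    """Free-term (Dolev-Yao style) exponentiation: a syntactic application of exp."""
    return ("exp", base, x)

def normalize(t):
    """Normal form modulo the commutative monoid of exponents (assumed model):
    a DH term is g raised to a multiset of exponent variables, so
    exp(exp(g,x),y) and exp(exp(g,y),x) both become ('g', {x:1, y:1})."""
    exps = Counter()
    while isinstance(t, tuple) and t[0] == "exp":
        exps[t[2]] += 1
        t = t[1]
    if t != G:
        raise ValueError("not a DH group element")
    return (G, frozenset(exps.items()))

def syntactic_equal(s, t):
    """Equality in the free term algebra: only structurally identical terms."""
    return s == t

def dh_equal(s, t):
    """Equality in the DH algebra: same multiset of exponents."""
    return normalize(s) == normalize(t)

def adversary_closure(group_elems, exponents, rounds):
    """Symbolic derivation closure: the adversary raises any group element it knows
    to any exponent it knows (its own choices only), `rounds` times over."""
    known = {normalize(e) for e in group_elems}
    for _ in range(rounds):
        fresh = set()
        for (_, items) in known:
            for z in exponents:
                c = Counter(dict(items)); c[z] += 1
                fresh.add((G, frozenset(c.items())))
        known |= fresh
    return known

def demo():
    gx, gy = exp(G, "x"), exp(G, "y")   # the two public DH values (constructed)
    alice_key = exp(gy, "x")            # Alice computes (g^y)^x
    bob_key = exp(gx, "y")              # Bob computes (g^x)^y
    # the adversary sees g, g^x, g^y and knows only its own exponent z
    reach = adversary_closure([G, gx, gy], ["z"], rounds=3)
    return (syntactic_equal(alice_key, bob_key), dh_equal(alice_key, bob_key),
            normalize(alice_key) in reach)
```

`demo()` returns `(False, True, False)`: the two honest keys differ as free terms yet agree modulo the exponent monoid, and the shared key is not in the adversary's symbolic closure.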
