Compiling and Verifying Security Protocols

We propose a direct and fully automated translation from standard security protocol descriptions to rewrite rules. This compilation gives an unambiguous operational semantics to both the protocol and the intruder behaviour: each is a rewrite system executed by applying a variant of AC-narrowing. The rewrite rules are processed by the theorem prover daTac. Multiple instances of a protocol can be run simultaneously, together with one of several possible models of the intruder. The existence of a flaw in the protocol is revealed by the derivation of an inconsistency. Our implementation of the compiler CASRUL, together with the prover daTac, allowed us to derive security flaws in many classical cryptographic protocols.
