An NP decision procedure for protocol insecurity with XOR

We provide a method for deciding the insecurity of cryptographic protocols in the presence of the standard Dolev-Yao intruder (with a finite number of sessions) extended with so-called oracle rules, i.e., deduction rules that satisfy certain conditions. As an instance of this general framework, we ascertain that protocol insecurity is in NP for an intruder that can exploit the properties of the XOR operator. This operator is frequently used in cryptographic protocols but cannot be handled in most protocol models. An immediate consequence of our proof is that checking whether a message can be derived by an intruder (using XOR) is in P. We also apply our framework to an intruder that exploits properties of certain encryption modes such as cipher block chaining (CBC).
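The following added example is not code from the paper and does not implement its decision procedure; it is a small illustration of the intruder deduction problem the abstract mentions, written for this page. It models a Dolev-Yao intruder whose knowledge is closed under pairing, symmetric encryption and decryption, and XOR, with XOR terms kept in a normal form that builds in associativity, commutativity and nilpotency (t xor t = 0). The XOR step is decided by Gaussian elimination over GF(2), which is why that part is polynomial; the simplifying assumption (this example's, not the paper's) is that the intruder only ever builds terms that are subterms of its knowledge or of the goal. The term encoding, the `derivable` function and all scenarios below are constructed for this example.

```python
# Added illustration (not the paper's procedure): Dolev-Yao intruder deduction
# with XOR, where the XOR part is decided by Gaussian elimination over GF(2).
#
# Term encoding (constructed for this example):
#   atom : 'a'                       a name, nonce or key
#   pair : ('pair', t1, t2)
#   senc : ('senc', m, k)            m encrypted symmetrically under key k
#   xor  : frozenset({t1, t2, ...})  XOR in normal form: members are non-XOR
#          terms, an even number of copies cancels, frozenset() is 0.

def xor(*terms):
    """XOR terms and normalise: commutativity and associativity come for free
    from the set, nilpotency (t xor t = 0) from the symmetric difference."""
    acc = frozenset()
    for t in terms:
        acc ^= t if isinstance(t, frozenset) else frozenset([t])
    return next(iter(acc)) if len(acc) == 1 else acc

def subterms(t, acc):
    """Collect t and all its subterms (XOR members count as subterms)."""
    acc.add(t)
    if isinstance(t, frozenset):
        for m in t:
            subterms(m, acc)
    elif isinstance(t, tuple):
        for m in t[1:]:
            subterms(m, acc)
    return acc

def add_to_basis(basis, v):
    """Insert bit-vector v into an echelon basis {pivot_bit: vector} over GF(2)."""
    while v:
        p = v.bit_length() - 1
        if p not in basis:
            basis[p] = v
            return
        v ^= basis[p]

def in_span(basis, v):
    """Is v a GF(2) linear combination of the basis vectors?"""
    while v:
        p = v.bit_length() - 1
        if p not in basis:
            return False
        v ^= basis[p]
    return True

def derivable(knowledge, goal):
    """Can the intruder derive `goal` from the set `knowledge`?
    Simplification (an assumption of this example, not the paper's result):
    only subterms of the knowledge and of the goal are ever constructed."""
    known = set(knowledge)
    cands = set()
    for t in list(known) + [goal]:
        subterms(t, cands)
    # every non-XOR candidate term is one coordinate of the GF(2) vector space
    atoms = [c for c in cands if not isinstance(c, frozenset)]
    coord = {c: 1 << i for i, c in enumerate(atoms)}

    def vec(t):
        members = t if isinstance(t, frozenset) else (t,)
        v = 0
        for m in members:
            v |= coord[m]
        return v

    changed = True
    while changed:                      # saturate the knowledge set
        changed = False
        basis = {}
        for t in known:
            add_to_basis(basis, vec(t))
        for c in cands - known:
            if isinstance(c, tuple) and c[1] in known and c[2] in known:
                new = True              # build a pair, or encrypt under a known key
            else:
                new = in_span(basis, vec(c))   # XOR known terms together
            if new:
                known.add(c)
                changed = True
        for t in list(known):           # split pairs, decrypt under known keys
            if isinstance(t, tuple) and t[0] == 'pair':
                parts = {t[1], t[2]}
            elif isinstance(t, tuple) and t[0] == 'senc' and t[2] in known:
                parts = {t[1]}
            else:
                continue
            if not parts <= known:
                known |= parts
                changed = True
    return goal in known

if __name__ == "__main__":
    # constructed scenario: a one-time-pad key k reused for two messages
    m1, m2, k = 'm1', 'm2', 'k'
    print(derivable({xor(m1, k), xor(m2, k), m1}, m2))   # True: key reuse leaks m2
    print(derivable({xor(m1, k), xor(m2, k)}, m1))       # False: k is still hidden
```

The GF(2) view is what makes the XOR step tractable: each known term is a 0/1 vector over the non-XOR subterms, and "can the intruder XOR known terms into the goal" is exactly a span-membership test, which elimination answers in polynomial time. The key-reuse scenario shows the defender-relevant consequence of nilpotency: two ciphertexts under the same XOR key plus one plaintext give away the other plaintext even though the key itself stays underivable.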
