Equational Cryptographic Reasoning in the Maude-NRL Protocol Analyzer

The NRL Protocol Analyzer (NPA) is a tool for the formal specification and analysis of cryptographic protocols that has been used with great effect on a number of complex real-life protocols. One of its most interesting features is that it can reason about security in the face of attacks that exploit low-level algebraic properties of the functions used in a protocol. Recently, we gave for the first time a precise formal specification of the main features of the NPA inference system: its grammar-based techniques for (co-)invariant generation and its backwards narrowing reachability analysis method, both implemented in Maude as the Maude-NPA tool. This formal specification is given in the rewriting logic framework, so that the inference system is specified as a set of rewrite rules modulo an equational theory describing the behavior of the cryptographic symbols involved. This paper gives a high-level overview of the Maude-NPA tool and illustrates how it supports equational reasoning about properties of the underlying cryptographic infrastructure by means of a simple, yet nontrivial, example of an attack whose discovery essentially requires equational reasoning. It also shows how rule-based programming languages such as Maude, together with complex narrowing strategies, are useful to model, analyze, and verify protocols.
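The abstract's central point is that some attacks are invisible when cryptographic operators are treated as free symbols and only appear once the analysis works modulo an equational theory. The following Python program is an added illustration of that point; it is not Maude-NPA code and not the paper's own example. It runs a bounded forward Dolev-Yao intruder closure (a deliberate simplification: the Maude-NPA searches backwards by narrowing, which is not modelled here) twice over the same constructed messages, once in the free term algebra and once with every term normalized modulo an XOR theory (associativity, commutativity, unit 0, and x xor x = 0). The constants N, id and secret, the two observed messages, and the choice of rules are assumptions made for the example.

```python
"""
Constructed toy: Dolev-Yao intruder deduction with and without an
equational theory for XOR. Not Maude-NPA code; the protocol messages
and constants (N, id, secret) are assumptions made for this example.

Terms are nested tuples (head, arg1, arg2, ...); constants are strings.
"""
from itertools import combinations

ZERO = "0"  # unit of xor


def normalize(t):
    """Normal form modulo the XOR theory (AC, unit 0, self-cancellation).

    Nested xor arguments are flattened, the unit is dropped, pairs of
    identical arguments cancel, and the survivors are sorted, so terms that
    are equal modulo the theory get syntactically identical normal forms.
    Non-xor symbols (here only enc) are left uninterpreted.
    """
    if isinstance(t, str):
        return t
    head, *args = t
    args = [normalize(a) for a in args]
    if head != "xor":
        return (head, *args)
    flat = []
    for a in args:
        if isinstance(a, tuple) and a[0] == "xor":
            flat.extend(a[1:])  # already normalized, so no 0 and no nested xor
        elif a != ZERO:
            flat.append(a)
    counts = {}
    for a in flat:
        counts[a] = counts.get(a, 0) + 1
    rest = sorted((a for a, c in counts.items() if c % 2 == 1), key=repr)
    if not rest:
        return ZERO
    if len(rest) == 1:
        return rest[0]
    return ("xor", *rest)


def closure(knowledge, depth, modulo):
    """Saturate the intruder's knowledge for `depth` rounds.

    Rules used: xor any two known terms; decrypt enc(M, K) when K is known.
    Other composition rules (encrypting, pairing) are omitted for brevity.
    With modulo=True each derived term is normalized by the XOR theory;
    with modulo=False the free algebra is used and no cancellation happens.
    """
    norm = normalize if modulo else (lambda t: t)
    known = {norm(t) for t in knowledge}
    for _ in range(depth):
        new = set()
        for a, b in combinations(sorted(known, key=repr), 2):
            new.add(norm(("xor", a, b)))
        for t in known:
            if isinstance(t, tuple) and t[0] == "enc" and t[2] in known:
                new.add(norm(t[1]))  # decryption with a known key
        known |= new
    return known


def attack_found(modulo, depth=2):
    """Constructed scenario: a one-time pad N is leaked xored with a public
    identifier, and the same N is later used as an encryption key."""
    observed = {
        ("xor", "N", "id"),      # assumed message 1: N xor id (id is public)
        ("enc", "secret", "N"),  # assumed message 2: secret encrypted under N
        "id",                    # the intruder knows the public identifier
    }
    return "secret" in closure(observed, depth, modulo)


if __name__ == "__main__":
    print("free algebra, secret derivable:", attack_found(modulo=False))
    print("modulo XOR theory, secret derivable:", attack_found(modulo=True))
```

Modulo the theory the intruder xors message 1 with id, the two copies of id cancel and N falls out, and in the next round N decrypts message 2. In the free algebra the same step only produces the opaque term xor(xor(N, id), id), N is never isolated, and the closure never reaches the secret, which is exactly the kind of attack the abstract says requires equational reasoning to discover.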
