Monotonic Set-Extended Prefix Rewriting and Verification of Recursive Ping-Pong Protocols

Ping-pong protocols with recursive definitions of agents, but without any active intruder, are a Turing-powerful model. We show that under the environment-sensitive semantics (i.e., by adding an active intruder capable of storing all exchanged messages, including full analysis and synthesis of messages) some verification problems become decidable. In particular, we give an algorithm to decide control state reachability, a problem related to security properties like secrecy and authenticity. The proof is via a reduction to a new prefix rewriting model called Monotonic Set-extended Prefix rewriting (MSP). We demonstrate further applicability of the introduced model by encoding a fragment of the ccp (concurrent constraint programming) language into MSP.
