Constraint differentiation: Search-space reduction for the constraint-based analysis of security protocols

We introduce constraint differentiation, a powerful technique for reducing search when model-checking security protocols using constraint-based methods. Constraint differentiation works by eliminating certain kinds of redundancies that arise in the search space when using constraints to represent and manipulate the messages that may be sent by an active intruder. We define constraint differentiation in a general way, independent of the technical and conceptual details of the underlying constraint-based method and protocol model. Formally, we prove that constraint differentiation terminates and is correct, under the assumption that the original constraint-based approach has these properties. Practically, as a concrete case study, we have integrated this technique into OFMC, a state-of-the-art model-checker for security protocol analysis, and demonstrated its effectiveness by extensive experimentation. Our results show that constraint differentiation substantially reduces search and considerably improves the performance of OFMC, enabling its application to a wider class of problems.
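To make the kind of redundancy concrete, the following is an added example written for this page; it is not code from the paper, from OFMC, or from any of the tools it compares against. Two protocol steps from independent sessions each receive one intruder-chosen message and then emit a fresh nonce. The two interleavings of these steps produce overlapping constraint sets: every solution in which the intruder ignores what the other step taught it is found twice. The example prunes the second interleaving with a differentiated constraint that demands the derivation use the newly learned nonce, and checks that the set of ground solutions is unchanged while the number of explored solutions drops. The term algebra (pairing and symmetric encryption), the depth-bounded derivation closure, the step names `A`/`B`, the atoms `a`, `b`, `k`, and the simplification that a derivation "uses" new knowledge exactly when the term is not derivable without it are all assumptions chosen for the illustration, not the paper's formal definition.

```python
"""Toy illustration of the interleaving redundancy that constraint
differentiation prunes.  Added example for this page; not the paper's or
OFMC's code.  The term algebra, the bounded closure and the 'must use new
knowledge' test are simplifying assumptions made for the illustration."""
from itertools import product

# Constructed scenario (assumption): two independent protocol steps.  Each
# step receives one intruder-chosen message X_i, then sends a fresh nonce
# n_i that the intruder learns.
IK0 = frozenset({"a", "b", "k"})                      # initial intruder knowledge
STEPS = {"A": ("X_A", "n_A"), "B": ("X_B", "n_B")}    # step -> (received var, sent term)


def closure(knowledge, depth=1):
    """Bounded Dolev-Yao composition: pairing and symmetric encryption.

    Depth-bounded so the derivable set is finite and can be enumerated
    (assumption made for the example; a real lazy intruder keeps it symbolic).
    """
    terms = set(knowledge)
    for _ in range(depth):
        base = list(terms)
        terms |= {("pair", x, y) for x in base for y in base}
        terms |= {("enc", x, key) for x in base for key in base}
    return frozenset(terms)


def constraints(order, differentiate):
    """Intruder constraints for one interleaving of the steps.

    Each constraint is (var, knowledge, must_use): the intruder must derive
    `var` from `knowledge`; when `must_use` is non-empty the derivation must
    use at least one of those terms (the differentiated constraint).
    """
    known = set(IK0)
    learned_here = set()           # knowledge gained earlier in this interleaving
    result = []
    for step in order:
        var, sent = STEPS[step]
        must = frozenset(learned_here) if differentiate else frozenset()
        result.append((var, frozenset(known), must))
        known.add(sent)
        learned_here.add(sent)
    return result


def solutions(cons):
    """Enumerate ground instantiations of a constraint set."""
    choices = []
    for var, known, must in cons:
        derivable = closure(known)
        if must:
            # Simplification: a term "uses" the new knowledge iff it is not
            # derivable from the old knowledge alone.
            derivable = derivable - closure(known - must)
        choices.append([(var, t) for t in sorted(derivable, key=repr)])
    return [dict(assign) for assign in product(*choices)]


def search(differentiate):
    """Explore both interleavings.

    Returns (number of solutions explored, set of distinct ground solutions).
    The first interleaving is kept in full; the second differs only by
    swapping the two independent steps, so with differentiation on, its
    constraints must use the knowledge the swapped step produced.
    """
    orders = [("A", "B"), ("B", "A")]
    explored = 0
    distinct = set()
    for i, order in enumerate(orders):
        sols = solutions(constraints(order, differentiate and i > 0))
        explored += len(sols)
        distinct |= {tuple(sorted(s.items())) for s in sols}
    return explored, distinct


if __name__ == "__main__":
    naive_n, naive = search(differentiate=False)
    cdiff_n, cdiff = search(differentiate=True)
    print(f"naive: {naive_n} solutions explored, {len(naive)} distinct")
    print(f"cdiff: {cdiff_n} solutions explored, {len(cdiff)} distinct")
    assert naive == cdiff    # same candidate attacks, fewer redundant states
```

Running the script shows the naive search visiting every solution of the shape "intruder ignores the other session's nonce" twice, once per interleaving, while the differentiated run keeps the second interleaving only for solutions that genuinely need `n_B`; the union of ground solutions, and hence the set of attacks found, is identical in both runs.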
