
Deciding security properties for cryptographic protocols. Application to key cycles

Published: 22 January 2010

Abstract

There is a large amount of work dedicated to the formal verification of security protocols. In this article, we revisit and extend the NP-complete decision procedure for a bounded number of sessions. We use a now-standard deducibility constraint formalism for modeling security protocols. Our first contribution is a simple set of constraint simplification rules that allows any deducibility constraint to be reduced to a set of solved forms representing all of its solutions (within the bound on sessions).
As a consequence, we prove that deciding the existence of key cycles is NP-complete for a bounded number of sessions. The problem of key cycles has been put forward by recent works relating computational and symbolic models. Indeed, the so-called soundness of the symbolic model requires that no key cycle (e.g., enc(k, k)) ever occurs in the execution of the protocol. Otherwise, stronger security assumptions (such as KDM-security) are required.
We show that our decision procedure can also be applied to re-prove the decidability of authentication-like properties and the decidability of a significant fragment of protocols with timestamps.
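As an added illustration of the key-cycle notion used in the abstract (example code written for this page, not the authors' decision procedure): the block below checks a fixed, constructed set of symbolic messages for a key cycle, under the reading that key k encrypts key k' when k' occurs anywhere in the plaintext of a message encrypted with k (an assumption of this example; only atomic keys are considered). The paper's contribution is the harder problem of deciding whether an attacker can force such a cycle in some execution within the session bound; this example only detects a cycle in a trace already at hand, which is the sanity check a protocol test suite or a monitor would run before relying on a soundness result that excludes key cycles.

```python
"""Key-cycle detection over a set of symbolic messages.

Added illustration of the key-cycle notion from the abstract; not the
paper's constraint-solving procedure. Terms are nested tuples:
  ('name', 'k1')           -- atomic key or nonce
  ('pair', t1, t2)         -- concatenation
  ('enc', key, plaintext)  -- symmetric encryption of plaintext under key
"""
from typing import Dict, Iterator, List, Optional, Set, Tuple

Term = tuple


def name(n: str) -> Term:
    return ('name', n)


def pair(a: Term, b: Term) -> Term:
    return ('pair', a, b)


def enc(key: Term, msg: Term) -> Term:
    return ('enc', key, msg)


def names_in(t: Term) -> Set[str]:
    """All atomic names occurring anywhere in t (keys and payloads alike)."""
    if t[0] == 'name':
        return {t[1]}
    return names_in(t[1]) | names_in(t[2])


def encryptions(t: Term) -> Iterator[Tuple[Term, Term]]:
    """Yield every (key, plaintext) encryption subterm of t, nested ones included."""
    if t[0] == 'name':
        return
    if t[0] == 'enc':
        yield t[1], t[2]
    yield from encryptions(t[1])
    yield from encryptions(t[2])


def key_graph(messages: List[Term]) -> Dict[str, Set[str]]:
    """Edge k -> k' when k' occurs inside the plaintext of some enc(k, ...).
    Assumption of this example: keys are atomic names; an encryption whose
    key is a composed term is skipped rather than modelled."""
    graph: Dict[str, Set[str]] = {}
    for m in messages:
        for key, plaintext in encryptions(m):
            if key[0] != 'name':
                continue
            graph.setdefault(key[1], set()).update(names_in(plaintext))
    return graph


def find_key_cycle(messages: List[Term]) -> Optional[List[str]]:
    """Return one key cycle [k1, ..., kn, k1] if present, else None.
    enc(k, k) shows up as the self-loop [k, k]. Depth-first search with
    the usual white/grey/black colouring; neighbours are visited in sorted
    order so the reported cycle is deterministic."""
    graph = key_graph(messages)
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {k: WHITE for k in graph}
    stack: List[str] = []

    def dfs(k: str) -> Optional[List[str]]:
        colour[k] = GREY
        stack.append(k)
        for nxt in sorted(graph.get(k, ())):
            if nxt not in colour:       # a name that never acts as a key
                continue
            if colour[nxt] == GREY:     # back edge: the cycle closes at nxt
                return stack[stack.index(nxt):] + [nxt]
            if colour[nxt] == WHITE:
                found = dfs(nxt)
                if found:
                    return found
        stack.pop()
        colour[k] = BLACK
        return None

    for k in graph:
        if colour[k] == WHITE:
            cyc = dfs(k)
            if cyc:
                return cyc
    return None


# Constructed sample traces (not taken from the paper).
K1, K2, K3, N = name('k1'), name('k2'), name('k3'), name('n')
ACYCLIC = [enc(K1, pair(K2, N)), enc(K2, pair(K3, N)), enc(K3, N)]
SELF_LOOP = [enc(K1, K1)]                                   # the enc(k, k) case
TWO_CYCLE = [enc(K1, pair(N, enc(K3, K2))), enc(K2, K1)]    # k1 -> k2 -> k1

if __name__ == '__main__':
    for label, trace in [('acyclic', ACYCLIC), ('self-loop', SELF_LOOP), ('two-cycle', TWO_CYCLE)]:
        print(label, '->', find_key_cycle(trace))
```

The graph construction is the part worth reusing: once messages are collected from a test run, `key_graph` gives the "encrypts" relation explicitly, so a reviewer can see which keys protect which other keys even when no cycle is reported.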

      Published In

      ACM Transactions on Computational Logic, Volume 11, Issue 2
      January 2010
      261 pages
      ISSN: 1529-3785
      EISSN: 1557-945X
      DOI: 10.1145/1656242

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 22 January 2010
      Accepted: 01 April 2008
      Received: 01 August 2007
      Published in TOCL Volume 11, Issue 2


      Author Tags

      1. formal proofs
      2. security protocols
      3. symbolic constraints
      4. verification

      Qualifiers

      • Research-article
      • Research
      • Refereed

      Cited By

      • (2021) Decidability of a Sound Set of Inference Rules for Computational Indistinguishability. ACM Transactions on Computational Logic 22(1), 1-44. DOI: 10.1145/3423169. Online publication date: 19-Jan-2021.
      • (2020) Will You Trust This TLS Certificate? Digital Threats: Research and Practice 1(4), 1-29. DOI: 10.1145/3419472. Online publication date: 10-Dec-2020.
      • (2020) The BLAS API of BLASFEO. ACM Transactions on Mathematical Software 46(2), 1-36. DOI: 10.1145/3378671. Online publication date: 19-May-2020.
      • (2020) Error Analysis of Some Operations Involved in the Cooley-Tukey Fast Fourier Transform. ACM Transactions on Mathematical Software 46(2), 1-27. DOI: 10.1145/3368619. Online publication date: 19-May-2020.
      • (2019) Typing Messages for Free in Security Protocols. ACM Transactions on Computational Logic 21(1), 1-52. DOI: 10.1145/3343507. Online publication date: 12-Sep-2019.
      • (2019) An efficient algorithm for type-safe structural diffing. Proceedings of the ACM on Programming Languages 3(ICFP), 1-29. DOI: 10.1145/3341717. Online publication date: 26-Jul-2019.
      • (2019) A mechanical formalization of higher-ranked polymorphic type inference. Proceedings of the ACM on Programming Languages 3(ICFP), 1-29. DOI: 10.1145/3341716. Online publication date: 26-Jul-2019.
      • (2019) Time-Multiplexed FPGA Overlay Architectures. ACM Transactions on Design Automation of Electronic Systems 24(5), 1-19. DOI: 10.1145/3339861. Online publication date: 23-Jul-2019.
      • (2019) Exploring the Role of Large Centralised Caches in Thermal Efficient Chip Design. ACM Transactions on Design Automation of Electronic Systems 24(5), 1-28. DOI: 10.1145/3339850. Online publication date: 28-Jun-2019.
      • (2019) Decidability of a Sound Set of Inference Rules for Computational Indistinguishability. 2019 IEEE 32nd Computer Security Foundations Symposium (CSF), 48-4813. DOI: 10.1109/CSF.2019.00011. Online publication date: Jun-2019.

      View Options

      Login options

      Full Access

      View options

      PDF

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      Figures

      Tables

      Media

      Share

      Share

      Share this Publication link

      Share on social media