Formal Aspects of Computing, Volume 20, Issue 3, pp 303–348

Efficient representation of the attacker’s knowledge in cryptographic protocols analysis

  • Ivan Cibrario Bertolotti
  • Luca Durante
  • Riccardo Sisto
  • Adriano Valenzano
Original Article

Abstract

This paper addresses the problem of representing the intruder’s knowledge in the formal verification of cryptographic protocols. The main challenges are to represent that knowledge efficiently and without artificial limitations on the structure and size of messages. The new knowledge representation strategy proposed in this paper achieves both goals and leads to a practical implementation, because it is incrementally computable and readily works with various term representation languages. In addition, it handles associative and commutative term composition operators, thus going beyond the free term algebra framework. An extensive computational complexity analysis of the proposed representation strategy is included in the paper.

Keywords

Cryptographic protocols; Knowledge representation; State space exploration

Copyright information

© British Computer Society 2008

Authors and Affiliations

  • Ivan Cibrario Bertolotti (1)
  • Luca Durante (1)
  • Riccardo Sisto (2)
  • Adriano Valenzano (1)

  1. IEIIT-CNR, Torino, Italy
  2. Politecnico di Torino, Torino, Italy