Journal of Automated Reasoning

, Volume 36, Issue 1–2, pp 85–124 | Cite as

Decision Procedures for the Security of Protocols with Probabilistic Encryption against Offline Dictionary Attacks

  • Stéphanie DelauneEmail author
  • Florent Jacquemard


We consider the problem of formal automatic verification of cryptographic protocols when some data, like poorly chosen passwords, can be guessed by dictionary attacks. First, we define a theory of these attacks and propose an inference system modeling the deduction capabilities of an intruder. This system extends a set of well-studied deduction rules for symmetric and public key encryption, often called Dolev–Yao rules, with the introduction of a probabilistic encryption operator and guessing abilities for the intruder. Then, we show that the intruder deduction problem in this extended model is decidable in PTIME. The proof is based on a locality lemma for our inference system. This first result yields to an NP decision procedure for the protocol insecurity problem in the presence of a passive intruder. In the active case, the same problem is proved to be NP-complete: we give a procedure for simultaneously solving symbolic constraints with variables that represent intruder deductions. We illustrate the procedure with examples of published protocols and compare our model to other recent formal definitions of dictionary attacks.

Key words

verification cryptographic protocols formal methods dictionary attacks probabilistic encryption 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. Abadi, M. and Cortier, V. (2004) Deciding knowledge in security protocols under equational theories, in Proc. of the 31st International Colloquium on Automata, Languages, and Programming (ICALP'04), Vol. 3142 of LNCS, Turku (Finland), Springer, pp. 46–58.Google Scholar
  2. Abadi, M. and Fournet, C. (2001) Mobile values, new names, and secure communication, in Proc. of the 28th ACM Symposium on Principles of Programming Languages (POPL'01), London, (England), ACM, pp. 104–115.Google Scholar
  3. Amadio, R. and Charatonik, W. (2002) On name generation and set-based analysis in the Dolev–Yao model, in Proc. of the 13th International Conference on Concurrency Theory (CONCUR'02), Vol. 2421 of LNCS, Brno (Czech Republic), pp. 499–514, Springer.Google Scholar
  4. Amadio, R. and Lugiez, D. (2000) On the reachability problem in cryptographic protocols, in Proc. of the 11th International Conference on Concurrency Theory (CONCUR'00), Vol. 1877 of LNCS, Pennsylvania (USA), Springer, pp. 380–394.Google Scholar
  5. Bellare, M., Pointcheval D. and Rogaway, P. (2000) Authenticated key exchange secure against dictionary attacks, in Proc. of Advances in Cryptology (EUROCRYPT'00), Vol. 1807 of LNCS, Bruges (Belgium), Springer, pp. 139–155.Google Scholar
  6. Bellovin, S. M. and Merritt, M. (1992) Encrypted key exchange: Password-based protocols secure against dictionary attacks, in Proc. of IEEE Symposium on Security and Privacy. IEEE Comp. Soc. pp. 72–84,Google Scholar
  7. Blanchet, B. (2004) Automatic proof of strong secrecy for security protocols, in IEEE Symposium on Security and Privacy, Oakland, California, pp. 86–100.Google Scholar
  8. Chevalier, Y., Küsters, R., Rusinowitch, M., Turuani, M., and Vigneron, L. (2003) Deciding the security of protocols with Diffie–Hellman exponentiation and product in exponents, in Proc. of the 23rd Conference on Foundations of Software Technology and Theoretical Computer Science (FST\&TCS'03), Vol. 2914 of LNCS, Springer, Mumbai (India), pp. 124–135.Google Scholar
  9. Cohen, E. (2002) Proving cryptographic protocols safe from guessing attacks, in Proc. Foundations of Computer Security (FCS'02), Copenhagen (Denmark).Google Scholar
  10. Comon, H. and Cortier, V. (2005) Tree automata with one memory, set constraints and cryptographic protocols, Theor. Comp. Sci. 331(1) 143–214.zbMATHMathSciNetCrossRefGoogle Scholar
  11. Comon-Lundh, H. and Shmatikov V. (2003) Intruder deductions, constraint solving and insecurity decision in presence of exclusive or, in Proc. of the 18th Annual IEEE Symposium on Logic in Computer Science (LICS'03), IEEE Comp. Soc., Ottawa (Canada), pp. 271–280.Google Scholar
  12. Corin, R., Malladi, S., Alves-Foss, J., and Etalle S. (2003) Guess what? Here is a new tool that finds some new guessing attacks, in Proc. of the Workshop on Issues in the Theory of Security (WITS'03), Warsaw (Poland).Google Scholar
  13. Corin, R., Doumen, J., and Etalle S. (2004) Analysing password protocol security against off-line dictionary attacks, in Proc. of the 2nd International Workshop on Security Issues with Petri Nets and Other Computational Models (WISP}'04), Bologna (Italy).Google Scholar
  14. Delaune, S. and Jacquemard F. (2004) A theory of dictionary attacks and its complexity, in Proc. of the 17th IEEE Computer Security Foundations Workshop (CSFW'04). Asilomar, Pacific Grove, California, IEEE Computer Society, pp. 2–15.Google Scholar
  15. Dershowitz, N. (1987) Termination of rewriting, J. Symb. Comput. 3 69–116.zbMATHMathSciNetCrossRefGoogle Scholar
  16. Ding, Y. and Horster P. (1995) Undetectable on-line password guessing attacks, Oper. Syst. Rev. 29(4) 77–86.CrossRefGoogle Scholar
  17. Dolev, D. and Yao A. (1983) On the security of public-key protocols, IEEE Trans. Inf. Theory 29(2) 198–208.zbMATHMathSciNetCrossRefGoogle Scholar
  18. Durgin, N., Lincoln, P., Mitchell J., and Scedrov A. (1999) Undecidability of bounded security protocols, in Proc. of the Workshop on Formal Methods and Security Protocols (FMSP'99), Trento (Italy).Google Scholar
  19. Goldwasser, S. and Micali S. (1984) Probabilistic encryption, J. Comput. Syst. Sci. 28(2), 270–299.zbMATHMathSciNetCrossRefGoogle Scholar
  20. Gong L. (1995) Optimal authentication protocols resistant to password guessing attacks, in Proc. of the 8th Computer Security Foundations Workshop (CSFW'95). IEEE Comp. Soc., Kenmare (Ireland).Google Scholar
  21. Gong, L., Lomas, T. M. A., Needham, R. M., and Saltzer, J. H. (1993) Protecting poorly chosen secrets from guessing attacks, IEEE J. Sel. Areas Commun. 11(5) 648–656.CrossRefGoogle Scholar
  22. Jouannaud, J.-P. and Kirchner, C. (1991) Solving equations in abstract algebras: A rule-based survey of unification, in Computational Logic – Essays in Honor of Alan Robinson, MIT, pp. 257–321.Google Scholar
  23. Katz, J., Ostrovsky, R., and Yung M. (2001) Efficient password-authenticated key exchange using human-memorable passwords, in Proc. of Advances in Cryptology (EUROCRYPT'01), Vol. 2045 of LNCS, Innsbruck (Austria), pp. 475–494, Springer.Google Scholar
  24. Lowe, G. (2004) Analysing protocol subject to guessing attacks, J. Comput. Secur. 12(1) 83–98.Google Scholar
  25. McAllester, D. A. (1993) Automatic recognition of tractability in inference relations, J. ACM 40(2) 284–303.zbMATHMathSciNetCrossRefGoogle Scholar
  26. Millen, J. and Shmatikov, V. (2001) Constraint solving for bounded-process cryptographic protocol analysis, in Proc. of the 8th ACM Conference on Computer and Communications Security (CCS'01), ACM.Google Scholar
  27. Rusinowitch, M. and Turuani M. (2001) Protocol insecurity with finite number of sessions is NP-complete, in Proc. of the 14th Computer Security Foundations Workshop (CSFW'01). IEEE Comp. Soc., Cape Breton (Canada), pp. 174–190.Google Scholar
  28. Steiner, J. G., Neuman, B. C. and Schiller, J. I. (1988) Kerberos: An authentication service for open network systems, in Proc. of USENIX Winter Conference, pp. 191–202.Google Scholar
  29. Thayer, F. J., Herzog, J. C., and Guttman, J. D. (1999) Strand spaces: Proving security protocols correct, J. Computer Security 7(2).Google Scholar
  30. Tsudik, G. and Herreweghen, E. V. (1993) Some remarks on protecting weak keys and poorly-chosen secrets from guessing attacks, in Symposium on Reliable Distributed Systems. IEEE Comp. Soc., Princeton, New Jersey, (USA), pp. 136–141.Google Scholar
  31. Wu, T. (1998) The secure remote password protocol, in Proc. of Internet Society Symposium on Network and Distributed System Security, San Diego, California, (USA), pp. 97–111.Google Scholar

Copyright information

© Springer Science+Business Media B.V. 2006

Authors and Affiliations

  1. 1.LSV, ENS de Cachan & CNRSFrance Télécom R&DCachan CedexFrance
  2. 2.LSV, ENS de Cachan & CNRSINRIA Futurs, Project SECSICachan CedexFrance

Personalised recommendations