Abstract
We consider the problem of formal automatic verification of cryptographic protocols when some data, such as poorly chosen passwords, can be guessed by dictionary attacks. First, we define a theory of these attacks and propose an inference system modeling the deduction capabilities of an intruder. This system extends a well-studied set of deduction rules for symmetric and public key encryption, often called the Dolev–Yao rules, with a probabilistic encryption operator and with guessing abilities for the intruder. Then, we show that the intruder deduction problem in this extended model is decidable in PTIME. The proof is based on a locality lemma for our inference system. This first result yields an NP decision procedure for the protocol insecurity problem in the presence of a passive intruder. In the active case, the same problem is proved to be NP-complete: we give a procedure for simultaneously solving symbolic constraints whose variables represent intruder deductions. We illustrate the procedure on examples of published protocols and compare our model to other recent formal definitions of dictionary attacks.
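The following is an added illustration, not code from the paper, of the kind of deduction the abstract describes: Dolev–Yao decomposition and composition over a symbolic term algebra, with a guessed password added to the intruder's knowledge and a check for whether the guess can be confirmed offline. The term encoding, the `penc` operator (whose decryption yields the plaintext but not the random coins) and the two-part verification criterion (a Lowe-style simplification: either a term obtained through the guess is also derivable without it, or a held message can be rebuilt from the guess without reusing that message) are assumptions of this example, not the paper's exact inference rules. The constructed knowledge sets in `__main__` contrast deterministic and probabilistic public-key encryption of the password.

```python
"""Symbolic offline guess verification with Dolev-Yao rules plus a
probabilistic encryption operator.  Added example; not the paper's code.

Terms are nested tuples:
  ('name', 'A')         atomic name, nonce or password
  ('pair', t1, t2)      concatenation
  ('senc', m, k)        deterministic symmetric encryption of m under k
  ('pub', k)            public key whose private key is k
  ('aenc', m, pk)       deterministic public-key encryption
  ('penc', m, pk, r)    probabilistic public-key encryption with coins r;
                        decryption yields m but not r (assumption)
A fact maps a term to the set of flags under which it is derivable:
False = derivable from the knowledge alone, True = derivation uses the guess.
"""

def name(n): return ('name', n)
def pair(a, b): return ('pair', a, b)
def senc(m, k): return ('senc', m, k)
def pub(k): return ('pub', k)
def aenc(m, pk): return ('aenc', m, pk)
def penc(m, pk, r): return ('penc', m, pk, r)

COMPOSABLE = {'pair', 'senc', 'pub', 'aenc', 'penc'}

def synth(t, facts):
    """Flags under which t can be built from facts by composition rules."""
    flags = set(facts.get(t, ()))
    if t[0] in COMPOSABLE:
        parts = [synth(p, facts) for p in t[1:]]
        if all(parts):                       # every argument is derivable somehow
            if all(False in p for p in parts):
                flags.add(False)             # buildable without the guess
            if any(True in p for p in parts):
                flags.add(True)              # buildable using the guess
    return flags

def decompositions(t):
    """One-step decompositions of t as (subterm, key needed or None)."""
    if t[0] == 'pair':
        return [(t[1], None), (t[2], None)]
    if t[0] == 'senc':
        return [(t[1], t[2])]
    if t[0] in ('aenc', 'penc') and t[2][0] == 'pub':
        return [(t[1], t[2][1])]             # private key needed; coins stay hidden
    return []

def analyse(facts):
    """Decomposition closure; only subterms of the input are ever produced."""
    facts = {t: set(f) for t, f in facts.items()}
    changed = True
    while changed:
        changed = False
        for t, tflags in list(facts.items()):
            for u, key in decompositions(t):
                kflags = {False} if key is None else synth(key, facts)
                new = {tf or kf for tf in tflags for kf in kflags}
                if not new <= facts.setdefault(u, set()):
                    facts[u] |= new
                    changed = True
    return facts

def find_verifier(knowledge, guess):
    """Return a term letting the intruder confirm `guess` offline, or None.

    Simplified criterion (assumption of this example):
      1. a term reached through the guess is also derivable without it;
      2. a held message can be rebuilt using the guess from material that
         does not come out of that same message (re-encrypt and compare).
    """
    base = {t: {False} for t in knowledge}
    if False in synth(guess, analyse(base)):
        return guess                         # no guessing needed: it leaks outright
    with_guess = analyse({**base, guess: {True}})
    for t, flags in with_guess.items():
        if t != guess and True in flags and False in synth(t, with_guess):
            return t
    for c in knowledge:
        others = {t: {False} for t in knowledge if t != c}
        if True in synth(c, analyse({**others, guess: {True}})):
            return c
    return None

if __name__ == "__main__":
    # Constructed knowledge sets: the server's public key and the password
    # encrypted under it, deterministically and then probabilistically.
    pw, ks, r = name('pw'), name('ks'), name('r')
    print(find_verifier({pub(ks), aenc(pw, pub(ks))}, pw))      # re-encrypt and compare
    print(find_verifier({pub(ks), penc(pw, pub(ks), r)}, pw))   # None: coins unknown
```

With deterministic `aenc`, the intruder rebuilds the observed ciphertext from a guess and the public key, so every wrong guess is rejected offline; with `penc` the unknown coins `r` block that comparison, which is the role the probabilistic operator plays in the model. A known plaintext alongside `senc(m, pw)` is still a verifier under either operator, since decrypting with the guess yields something the intruder can compare against.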
Delaune, S., Jacquemard, F. Decision Procedures for the Security of Protocols with Probabilistic Encryption against Offline Dictionary Attacks. J Autom Reasoning 36, 85–124 (2006). https://doi.org/10.1007/s10817-005-9017-7