
Journal of Automated Reasoning, Volume 46, Issue 3–4, pp 325–352

Reducing Protocol Analysis with XOR to the XOR-Free Case in the Horn Theory Based Approach

  • Ralf Küsters
  • Tomasz Truderung

Abstract

In the Horn theory based approach for cryptographic protocol analysis, cryptographic protocols and (Dolev–Yao) intruders are modeled by Horn theories, and security analysis boils down to solving the derivation problem for Horn theories. This approach and the tools based on it, including ProVerif, have been very successful in the automatic analysis of cryptographic protocols. However, dealing with the algebraic properties of operators, such as the exclusive OR (XOR), which are frequently used in cryptographic protocols, has been problematic. In particular, ProVerif cannot deal with XOR. In this paper, we show how to reduce the derivation problem for Horn theories with XOR to the XOR-free case. Our reduction works for an expressive class of Horn theories. A large class of intruder capabilities and protocols that employ the XOR operator can be modeled by these theories. Our reduction allows us to carry out protocol analysis using tools, such as ProVerif, that cannot deal with XOR but are very efficient in the XOR-free case. We implemented our reduction and, in combination with ProVerif, used it for the fully automatic analysis of several protocols that employ the XOR operator. Among others, our analysis revealed a new attack on an IBM security module.
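To make the derivation problem the abstract refers to concrete, here is a small ground forward-chaining solver for a Dolev–Yao intruder theory with XOR. It is an added illustration, not code from the paper or its implementation; the intruder clauses, the term representation, and the size bound are assumptions of this example, and it does not implement the paper's reduction (it only shows why a naive saturation needs a bound once XOR is present).

```python
# Added example, not code from the paper: ground forward-chaining for the
# derivation problem of a small Dolev-Yao intruder theory with XOR.
# Terms: atoms are str; ("pair", a, b); ("enc", m, k); XOR terms are kept in
# normal form modulo associativity, commutativity, unit "0" and nilpotence
# (x xor x = 0) as ("xor", frozenset_of_summands).
from itertools import product

def xor(x, y):
    """Normal form of x xor y: summands occurring twice cancel, "0" vanishes."""
    acc = set()
    for t in (x, y):
        if t == "0":
            continue
        summands = set(t[1]) if isinstance(t, tuple) and t[0] == "xor" else {t}
        acc ^= summands                  # symmetric difference = cancellation
    if not acc:
        return "0"
    return next(iter(acc)) if len(acc) == 1 else ("xor", frozenset(acc))

def size(t):
    """Number of symbols in a term; used to bound the saturation."""
    if isinstance(t, str):
        return 1
    kids = t[1] if t[0] == "xor" else t[1:]
    return 1 + sum(size(k) for k in kids)

def derivable(known, goal, max_size=4):
    """Saturate the intruder facts I(t) under the Horn clauses
         I(x), I(y) -> I(pair(x, y))      I(pair(x, y)) -> I(x), I(y)
         I(x), I(k) -> I(enc(x, k))       I(enc(x, k)), I(k) -> I(x)
         I(x), I(y) -> I(x xor y)
    and report whether I(goal) is reached.  Terms larger than max_size are
    pruned: with XOR the intruder can build unboundedly many terms, which is
    what makes such a bound necessary for this naive search (and is the
    difficulty the paper's reduction avoids)."""
    facts = set(known)
    while goal not in facts:
        new = set()
        for t in facts:                  # decomposition clauses
            if isinstance(t, tuple) and t[0] == "pair":
                new.update(t[1:])
            elif isinstance(t, tuple) and t[0] == "enc" and t[2] in facts:
                new.add(t[1])
        for x, y in product(facts, repeat=2):   # composition clauses
            new.update({("pair", x, y), ("enc", x, y), xor(x, y)})
        new = {t for t in new if size(t) <= max_size} - facts
        if not new:
            return False
        facts |= new
    return True

if __name__ == "__main__":
    # Constructed scenario: the intruder sees a nonce n, the key blinded as
    # k xor n, and the secret s encrypted under k.
    observed = {"n", xor("k", "n"), ("enc", "s", "k")}
    print(derivable(observed, "s"))          # True: n xor (k xor n) = k, then decrypt
    print(derivable(observed - {"n"}, "s"))  # False: without n the key stays blinded
```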

Keywords

Security protocols; XOR; Automated verification



Copyright information

© Springer Science+Business Media B.V. 2010

Authors and Affiliations

  1. University of Trier, Trier, Germany
