
Reducing Protocol Analysis with XOR to the XOR-Free Case in the Horn Theory Based Approach

Journal of Automated Reasoning

Abstract

In the Horn theory based approach for cryptographic protocol analysis, cryptographic protocols and (Dolev–Yao) intruders are modeled by Horn theories, and security analysis boils down to solving the derivation problem for Horn theories. This approach and the tools based on it, including ProVerif, have been very successful in the automatic analysis of cryptographic protocols. However, dealing with the algebraic properties of operators that are frequently used in cryptographic protocols, such as the exclusive OR (XOR), has been problematic. In particular, ProVerif cannot deal with XOR. In this paper, we show how to reduce the derivation problem for Horn theories with XOR to the XOR-free case. Our reduction works for an expressive class of Horn theories, by which a large class of intruder capabilities and protocols that employ the XOR operator can be modeled. The reduction allows us to carry out protocol analysis using tools, such as ProVerif, that cannot deal with XOR but are very efficient in the XOR-free case. We implemented our reduction and, in combination with ProVerif, used it for the fully automatic analysis of several protocols that employ the XOR operator. Among others, our analysis revealed a new attack on an IBM security module.
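As an added illustration of the derivation problem the abstract refers to (example code written for this page, not the paper's implementation and not its reduction): a bounded Dolev–Yao saturation over Horn-style intruder rules, run once with XOR as a free syntactic symbol and once modulo the XOR equations. The term representation, rule set and the key-transport scenario are constructed here; the point is that syntactic matching never exposes the key, while reasoning modulo XOR does.

```python
"""Dolev-Yao intruder derivation over Horn-style rules, once with XOR as a free
syntactic symbol and once modulo the XOR equations. Constructed illustration of
the derivation problem the abstract refers to; not the paper's reduction."""

ZERO = "0"  # XOR unit

def xor(*terms):
    """Canonical XOR modulo AC, x xor x = 0 and x xor 0 = x: flatten nested
    xor, drop 0, cancel operands occurring an even number of times, sort."""
    counts = {}
    for t in terms:
        for p in (t[1:] if isinstance(t, tuple) and t[0] == "xor" else (t,)):
            if p != ZERO:
                counts[p] = counts.get(p, 0) + 1
    odd = sorted((p for p, c in counts.items() if c % 2), key=repr)
    if not odd:
        return ZERO
    return odd[0] if len(odd) == 1 else ("xor",) + tuple(odd)

def enc(k, m):
    return ("enc", k, m)  # symmetric encryption of m under k

def saturate(known, rounds, modulo_xor):
    """Forward-chain the intruder rules for a bounded number of rounds:
    I(enc(k,m)), I(k) -> I(m)   and   I(a), I(b) -> I(a xor b).
    Construction rules (encrypt, pair) are omitted: they only grow the
    knowledge set and are not needed to reach the secret in this scenario."""
    combine = xor if modulo_xor else (lambda a, b: ("xor", a, b))
    known = set(known)
    for _ in range(rounds):
        new = set()
        for t in known:
            if isinstance(t, tuple) and t[0] == "enc" and t[1] in known:
                new.add(t[2])  # decrypt with a known key
        for a in known:
            for b in known:
                new.add(combine(a, b))
        if new <= known:
            break  # fixpoint reached
        known |= new
    return known

# Constructed scenario: the intruder saw enc(k, s) and the key k blinded with
# a nonce n that it later learned (an XOR one-time-pad key-transport shape).
KNOWN = {enc("k", "s"), xor("k", "n"), "n"}

def secret_derivable(modulo_xor, rounds=2):
    """True iff the secret s is in the intruder's saturated knowledge.
    Syntactic XOR never yields the bare key k; modulo XOR, (k xor n) xor n = k."""
    return "s" in saturate(KNOWN, rounds, modulo_xor)
```

Running `secret_derivable(False)` returns False and `secret_derivable(True)` returns True, which is exactly the gap an XOR-free tool leaves open and the reduction in the paper is meant to close.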


References

  1. Blanchet, B., Abadi, M., Fournet, C.: Automated verification of selected equivalences for security protocols. Journal of Logic and Algebraic Programming 75(1), 3–51 (2008)

  2. Blanchet, B.: An efficient cryptographic protocol verifier based on Prolog rules. In: Proceedings of the 14th IEEE Computer Security Foundations Workshop (CSFW-14), pp. 82–96. IEEE Computer Society (2001)

  3. Bull, J.A., Otway, D.J.: The authentication protocol. Technical Report DRA/CIS3/PROJ/CORBA/SC/1/CSM/436-04/03, Defence Research Agency, Malvern, UK (1997)

  4. Bond, M.: Attacks on cryptoprocessor transaction sets. In: Cryptographic Hardware and Embedded Systems—CHES 2001, Third International Workshop. Lecture Notes in Computer Science, vol. 2162, pp. 220–234. Springer, Heidelberg (2001)

  5. Cortier, V., Delaune, S., Steel, G.: A formal theory of key conjuring. In: 20th IEEE Computer Security Foundations Symposium (CSF 2007), pp. 79–93. IEEE Computer Society Press (2007)

  6. Chevalier, Y., Küsters, R., Rusinowitch, M., Turuani, M.: An NP decision procedure for protocol insecurity with XOR. In: Proceedings of the Eighteenth Annual IEEE Symposium on Logic in Computer Science (LICS 2003), pp. 261–270. IEEE Computer Society Press (2003)

  7. Cortier, V., Keighren, G., Steel, G.: Automatic analysis of the security of XOR-based key management schemes. In: Proceedings of the 13th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2007). Lecture Notes in Computer Science, vol. 4424, pp. 538–552. Springer, Heidelberg (2007)

  8. Comon-Lundh, H., Cortier, V.: New decidability results for fragments of first-order logic and application to cryptographic protocols. In: Proceedings of the 14th International Conference on Rewriting Techniques and Applications (RTA 2003). Lecture Notes in Computer Science, vol. 2706, pp. 148–164. Springer, Heidelberg (2003)

  9. Comon-Lundh, H., Cortier, V.: Security properties: two agents are sufficient. Science of Computer Programming 50(1–3), 51–71 (2004)

  10. Comon-Lundh, H., Delaune, S.: The finite variant property: how to get rid of some algebraic properties. In: Term Rewriting and Applications, 16th International Conference (RTA 2005). Lecture Notes in Computer Science, vol. 3467, pp. 294–307. Springer, Heidelberg (2005)

  11. Comon-Lundh, H., Shmatikov, V.: Intruder deductions, constraint solving and insecurity decision in presence of exclusive OR. In: Proceedings of the Eighteenth Annual IEEE Symposium on Logic in Computer Science (LICS 2003), pp. 271–280. IEEE Computer Society Press (2003)

  12. Clulow, J.: The Design and Analysis of Cryptographic APIs for Security Devices. Master's thesis, University of Natal, Durban (2003)

  13. IBM: CCA Basic Services Reference and Guide. Available at http://www-03.ibm.com/security/cryptocards/pdfs/bs327.pdf (2003)

  14. Küsters, R., Truderung, T.: On the automatic analysis of recursive security protocols with XOR. In: Thomas, W., Weil, P. (eds.) Proceedings of the 24th Symposium on Theoretical Aspects of Computer Science (STACS 2007). Lecture Notes in Computer Science, vol. 4393, pp. 646–657. Springer, Heidelberg (2007)

  15. Küsters, R., Truderung, T.: Reducing protocol analysis with XOR to the XOR-free case in the Horn theory based approach. In: Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS 2008), pp. 129–138. ACM, New York (2008)

  16. Küsters, R., Truderung, T.: Reducing Protocol Analysis with XOR to the XOR-free Case in the Horn Theory Based Approach. Implementation. Available at http://infsec.uni-trier.de/software/KuestersTruderung-XORPROVERIF-2008.zip (2008)

  17. Küsters, R., Truderung, T.: Using ProVerif to analyze protocols with Diffie–Hellman exponentiation. In: Proceedings of the 22nd IEEE Computer Security Foundations Symposium (CSF 2009), pp. 157–171. IEEE Computer Society (2009)

  18. Shoup, V., Rubin, A.: Session key distribution using smart cards. In: Advances in Cryptology—EUROCRYPT '96, International Conference on the Theory and Application of Cryptographic Techniques. Lecture Notes in Computer Science, vol. 1070, pp. 321–331. Springer, Heidelberg (1996)

  19. Steel, G.: Deduction with XOR constraints in security API modelling. In: Proceedings of the 20th International Conference on Automated Deduction (CADE 2005). Lecture Notes in Computer Science, vol. 3632, pp. 322–336. Springer, Heidelberg (2005)

  20. Seidl, H., Verma, K.N.: Flat and one-variable clauses for single blind copying protocols: the XOR case. In: Treinen, R. (ed.) Proceedings of the 20th International Conference on Rewriting Techniques and Applications (RTA 2009). Lecture Notes in Computer Science, vol. 55, pp. 118–132. Springer, Heidelberg (2009)

  21. Verma, K.N., Seidl, H., Schwentick, T.: On the complexity of equational Horn clauses. In: Proceedings of the 20th International Conference on Automated Deduction (CADE 2005). Lecture Notes in Computer Science, vol. 3328, pp. 337–352. Springer, Heidelberg (2005)


Author information

Correspondence to Ralf Küsters.

Additional information

This is an extended version of a paper that first appeared at CCS 2008 [15]. This work was partially supported by the DFG under Grant KU 1434/4-2, the SNF under Grant 200021-116596, and the Polish Ministry of Science and Education under Grant 3 T11C 042 30.

T. Truderung was on leave from Wrocław University, Poland.


Cite this article

Küsters, R., Truderung, T. Reducing Protocol Analysis with XOR to the XOR-Free Case in the Horn Theory Based Approach. J Autom Reasoning 46, 325–352 (2011). https://doi.org/10.1007/s10817-010-9188-8
