Selecting Theories and Recursive Protocols
Many decidability results are known for non-recursive cryptographic protocols, where the protocol steps can be expressed by simple rewriting rules. Recently, a tree transducer-based model was proposed for recursive protocols, where the protocol steps involve some kind of recursive computations. This model has, however, some limitations: (1) rules are assumed to have linear left-hand sides (so no equality tests can be performed), (2) only finite amount of information can be conveyed from one receive-send action to the next ones. It has been proven that, in this model, relaxing these assumptions leads to undecidability.
In this paper, we propose a formalism, called selecting theories, which extends the standard non-recursive term rewriting model and allows participants to compare and store arbitrary messages. This formalism can model recursive protocols, where participants, in each protocol step, are able to send a number of messages unbounded w.r.t. the size of the protocol. We prove that insecurity of protocols with selecting theories is decidable in nexptime.
KeywordsAtomic Formula Predicate Symbol Cryptographic Protocol Stage Theory Protocol Step
Unable to display preview. Download preview PDF.
- 2.Ateniese, G., Steiner, M., Tsudik, G.: Authenticated group key agreement and friends. In: Proceedings of the 5th ACM Conference on Computer and Communication Serucity (CCS 1998). ACM Press, New York (1998)Google Scholar
- 3.Bryans, J., Schneider, S.A.: CSP, PVS, and a recursive authentication protocol. In: DIMACS Workshop on Formal Verification of Security Protocols (1997) Google Scholar
- 4.Bull, J.A., Otway, D.J.: The authentication protocol, Technical Report DRA/CIS3/PROJ/CORBA/SC/1/CSM/436-04/-03, Defence Research Agency, Malvern, UK (1997) Google Scholar
- 6.Chevalier, Y., Küsters, R., Rusinowitch, M., Turuani, M.: An NP decision procedure for protocol insecurity with XOR, LICS (2003) Google Scholar
- 7.Comon, H., Shmatikov, V.: Is it possible to decide whether a cryptographic protocol is secure or not? Journal of Telecommunications and Information Technology, special issue on cryptographic protocol verification 4, 5–15 (2002)Google Scholar
- 8.Comon-Lundh, H., Shmatikov, V.: Intruder deductions, constraint solving and indecurity decision in presence of exclusive or, LICS (2003) Google Scholar
- 10.Durgin, N.A., Lincoln, P.D., Mitchell, J.C., Scedrov, A.: Undecidability of bounded security protocols. In: Workshop on Formal Methods and Security Protocols (FMSP 1999) (1999) Google Scholar
- 11.Even, S., Goldreich, O.: On the security of multi-party ping-pong protocols, Technical Report 285, Israel Institute of Technology (1983) Google Scholar
- 12.Küsters, R., Wilke, T.: Automata-based analysis of recursive cryptographic protocols, Technical Report IFI 0311, CAU Kiel (2003) Google Scholar
- 15.Paulson, L.C.: Mechanized proofs for a recursive authentication protocol. In: 10th IEE Computer Security Foundations Workshop (CSFW-10). IEEE Press, Los Alamitos (1997)Google Scholar
- 17.Truderung, T.: Regular protocols and attacks with regular knowledge. In: Nieuwenhuis, R. (ed.) CADE 2005. LNCS (LNAI), vol. 3632, pp. 377–391. Springer, Heidelberg (2005) (to appear)Google Scholar