Enrich-by-Need Protocol Analysis for Diffie-Hellman

  • Moses D. Liskov
  • Joshua D. Guttman
  • John D. Ramsdell
  • Paul D. Rowe
  • F. Javier Thayer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11565)


Enrich-by-need analysis characterizes all executions of a security protocol that extend a given scenario. It computes a strongest security goal the protocol achieves in that scenario. cpsa, a Cryptographic Protocol Shapes Analyzer, implements enrich-by-need analysis.

In this paper, we show how cpsa now analyzes protocols with Diffie-Hellman key agreement (DH) in the enrich-by-need style. While this required substantial changes both to the cpsa implementation and its theory, the new version retains cpsa’s efficient and informative behavior. Moreover, the new functionality is justified by an algebraically natural model of the groups and fields which DH manipulates.

The model entails two lemmas that describe the conditions under which the adversary can deliver DH values to protocol participants. These lemmas determined how cpsa handles the new cases. The lemmas may also be of use in other approaches.

This paper is dedicated to Cathy Meadows, with warmth and gratitude.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Moses D. Liskov (1)
  • Joshua D. Guttman (1)
  • John D. Ramsdell (1, corresponding author)
  • Paul D. Rowe (1)
  • F. Javier Thayer (1)

  1. The MITRE Corporation, Bedford, USA
