Symbolic Protocol Analysis with Disequality Constraints Modulo Equational Theories
Research in the formal analysis of cryptographic protocols has produced much good work in the solving of equality constraints, developing new methods for unification, matching, and deducibility. However, considerably less attention has been paid to disequality constraints. These also arise quite naturally in cryptographic protocol analysis, in particular for analysis of indistinguishability properties. Thus methods for deciding whether or not they are satisfiable could potentially be quite useful in reducing the size of the search space by protocol analysis tools. In this paper we develop a framework for reasoning about disequality constraints centered around the paradigm of the most discriminating Dolev-Yao attacker, who is able to detect a disequality if it is satisfied in some implementation of the crypto-algebra satisfying given equality properties. We develop several strategies for handling disequalities, prove their soundness and completeness, and demonstrate the result of experimental analyses using the various strategies. Finally, we discuss how disequality checking algorithms could be incorporated within symbolic reachability protocol analysis methods.
KeywordsEquational Theory Cryptographic Protocol Attack State Reachability Analysis Attack Pattern
This work has been partially supported by NSF grant CNS 13-19109, by the EU (FEDER) and the Spanish MINECO under grant TIN 2013-45732-C4-1-P, and by Spanish Generalitat Valenciana under grant PROMETEOII/2015/013.
- 2.Blanchet, B.: Using horn clauses for analyzing security protocols. In: Cortier, V., Kremer, S. (eds.) Formal Models and Techniques for Analyzing Security Protocols. Cryptology and Information Security Series, vol. 5, pp. 86–111. IOS Press, March 2011Google Scholar
- 6.Comon, H.: Disunification: a survey. In: Computational Logic - Essays in Honor of Alan Robinson, pp. 322–359 (1991)Google Scholar
- 11.Escobar, S., Hendrix, J., Meadows, C., Meseguer, J.: Diffie-Hellman cryptographic reasoning in the Maude-NRL protocol analyzer. In: Proceedings of the 2nd International Workshop on Security and Rewriting Techniques (SecReT 2007) (2007)Google Scholar
- 13.Escobar, S., Meadows, C., Meseguer, J.: Equational cryptographic reasoning in the Maude-NRL protocol analyzer. In: Proceedings of the 1st International Workshop on Security and Rewriting Techniques (SecReT 2006). ENTCS, vol. 171, no. 4, pp. 23–36. Elsevier (2007)Google Scholar
- 22.Santiago, S., Escobar, S., Meadows, C., Meseguer, J.: A formal definition of protocol indistinguishability and its verification using Maude-NPA. In: Mauw, S., Jensen, C.D. (eds.) STM 2014. LNCS, vol. 8743, pp. 162–177. Springer, Heidelberg (2014)Google Scholar
- 24.TeReSe: Term Rewriting Systems. Cambridge University Press, Cambridge (2003)Google Scholar