Proving Group Protocols Secure Against Eavesdroppers
Security protocols are small programs designed to ensure properties such as secrecy of messages or authentication of parties in a hostile environment. In this paper we investigate automated verification of a particular type of security protocol, called group protocols, in the presence of an eavesdropper, i.e., a passive attacker. What distinguishes group protocols is that the number of participants is not bounded. Our approach consists of representing the infinite set of messages exchanged during an unbounded number of sessions, one session for each possible number of participants, together with the infinite set of associated secrets. We use so-called visibly tree automata with memory and structural constraints (introduced recently by Comon-Lundh et al.) to represent over-approximations of these two sets. We identify restrictions on protocol specifications that allow us to reduce the attacker's capabilities while guaranteeing that the above class of automata is closed under the application of the remaining attacker rules. The class of protocols respecting these restrictions is large enough to cover several existing protocols, such as the GDH family, GKE, and others.
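The passive-attacker setting described above, as a small added illustration that is not part of the paper: a symbolic eavesdropper-deduction check run against a simplified model of GDH.2 (Steiner, Tsudik, Waidner 1996), separately for each group size n. The message format, the term encoding (exponents as sets of nonce indices) and the two deduction rules used (projection of pairs, exponentiation by a nonce the attacker knows) are assumptions of this example. The paper's own construction represents all sessions at once with visibly tree automata with memory and constraints; this example instead enumerates one finite session per n, which is exactly the bounded check the automata approach generalises beyond.

```python
"""Symbolic eavesdropper check for a simplified GDH.2, one session per group size n.

Added illustration; not the automata construction of the paper.  Terms:
  ('g', S)       the group element g^{prod_{i in S} N_i}, S a frozenset of nonce
                 indices.  In GDH.2 every nonce occurs at most once in an
                 exponent, so a set suffices; ('g', frozenset()) is g itself.
  ('pair', a, b) concatenation of two terms.
"""


def pair_all(terms):
    """Right-nested pairing of a non-empty list of terms (a single term stays as is)."""
    t = terms[-1]
    for s in reversed(terms[:-1]):
        t = ('pair', s, t)
    return t


def gdh2_session(n):
    """Messages an eavesdropper sees in one GDH.2 run with members M_1..M_n.

    Simplified model (assumption of this example):
      up-flow, round i (1 <= i < n), M_i -> M_{i+1}:
          g^{(N_1..N_i)/N_j} for j = 1..i, and the cardinal value g^{N_1..N_i}
      down-flow, M_n broadcasts g^{(N_1..N_n)/N_j} for j = 1..n-1
    Returns (messages, group key).
    """
    msgs = []
    for i in range(1, n):
        card = frozenset(range(1, i + 1))
        parts = [('g', card - {j}) for j in range(1, i + 1)] + [('g', card)]
        msgs.append(pair_all(parts))
    full = frozenset(range(1, n + 1))
    msgs.append(pair_all([('g', full - {j}) for j in range(1, n)]))
    return msgs, ('g', full)


def saturate(knowledge, known_nonces):
    """Close a set of terms under the passive-attacker rules:
    project both components of a pair, and raise a group element to a nonce
    the attacker knows.  No rule combines two group elements (that would be
    solving CDH), so the closure is finite: exponents are subsets of the
    nonce indices."""
    K = set(knowledge)
    frontier = list(K)
    while frontier:
        t = frontier.pop()
        new = []
        if t[0] == 'pair':
            new.extend(t[1:])
        elif t[0] == 'g':
            for j in known_nonces:
                if j not in t[1]:
                    new.append(('g', t[1] | {j}))
        for u in new:
            if u not in K:
                K.add(u)
                frontier.append(u)
    return K


def key_derivable(n, compromised=()):
    """Can an attacker knowing the nonces in `compromised` derive the key of the n-party session?"""
    msgs, key = gdh2_session(n)
    return key in saturate(msgs, frozenset(compromised))


def eavesdropper_secure_upto(max_n):
    """True iff a pure eavesdropper (no nonces) cannot derive the key for any n in 2..max_n."""
    return all(not key_derivable(n) for n in range(2, max_n + 1))


if __name__ == '__main__':
    for n in range(2, 7):
        print(n, 'eavesdropper:', key_derivable(n),
              ' one nonce leaked:', key_derivable(n, compromised={n}))
```

Each n is a separate finite session, so `eavesdropper_secure_upto` only ever establishes the property up to a chosen bound; the sanity checks with a leaked nonce confirm that the deduction engine does find the key when the cardinal value of round n-1 or a broadcast share can be raised to a known nonce.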
- 4. Comon-Lundh, H., Jacquemard, F., Perrin, N.: Visibly tree automata with memory and constraints. Research Report LSV-07-30, Laboratoire Spécification et Vérification, ENS Cachan, France (September 2007). To appear in Logical Methods in Computer Science.
- 5. Comon-Lundh, H., Shmatikov, V.: Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In: Proceedings of the 18th IEEE Symposium on Logic in Computer Science (LICS 2003), vol. 171, pp. 271–280. IEEE Computer Society Press, Los Alamitos (2003)
- 6. Contejean, E., Marché, C., Monate, B., Urbain, X.: The CiME Rewrite Tool (2000), http://cime.lri.fr
- 9. Goubault-Larrecq, J.: A method for automatic cryptographic protocol verification (extended abstract). In: IPDPS-WS 2000. LNCS, vol. 1800, pp. 977–984. Springer, Heidelberg (2000)
- 10. Katz, J., Yung, M.: Scalable protocols for authenticated group key exchange. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 110–125. Springer, Heidelberg (2003)
- 11. Kremer, S., Mercier, A., Treinen, R.: Proving group protocols secure against eavesdroppers. Research Report LSV, Laboratoire Spécification et Vérification, ENS Cachan, France (May 2008), http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/rapports.php?filename=lsv-2008
- 13. Pereira, O., Quisquater, J.-J.: Some attacks upon authenticated group key agreement protocols. Journal of Computer Security 11(4), 555–580 (2003)
- 14. Pereira, O., Quisquater, J.-J.: On the impossibility of building secure Cliques-type authenticated group key agreement protocols. Journal of Computer Security 14(2), 197–246 (2006)
- 16. Steiner, M., Tsudik, G., Waidner, M.: Diffie-Hellman key distribution extended to group communication. In: Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS 1996), pp. 31–37 (1996)