Maude-NPA: Cryptographic Protocol Analysis Modulo Equational Properties

  • Santiago Escobar
  • Catherine Meadows
  • José Meseguer

Abstract

In this tutorial, we give an overview of the Maude-NRL Protocol Analyzer (Maude-NPA), a tool for the analysis of cryptographic protocols using functions that obey different equational theories. We show the reader how to use Maude-NPA, and how it works, and also give some of the theoretical background behind the tool.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Abadi, M., Cortier, V.: Deciding knowledge in security protocols under equational theories. Theoretical Computer Science 367(1-2), 2–32 (2006)MathSciNetCrossRefMATHGoogle Scholar
  2. 2.
    Anantharaman, S., Narendran, P., Rusinowitch, M.: Unification modulo CUI plus distributivity axioms. Journal of Automated Reasoning 33(1), 1–28 (2004)MathSciNetCrossRefMATHGoogle Scholar
  3. 3.
    Armando, A., Basin, D., Boichut, Y., Chevalier, Y., Compagna, L., Cuellar, J., Drielsma, P.H., Heám, P.C., Kouchnarenko, O., Mantovani, J., Mödersheim, S., von Oheimb, D., Rusinowitch, M., Santiago, J., Turuani, M., Viganò, L., Vigneron, L.: The AVISPA tool for the automated validation of internet security protocols and applications. In: Etessami, K., Rajamani, S.K. (eds.) CAV 2005. LNCS, vol. 3576, pp. 281–285. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Armando, A., Compagna, L., Lierler, Y.: SATMC: A SAT-based model checker for security protocols. In: Alferes, J.J., Leite, J. (eds.) JELIA 2004. LNCS, vol. 3229, pp. 730–733. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. 5.
    Baader, F., Snyder, W.: Unification theory. In: Robinson, J.A., Voronkov, A. (eds.) Handbook of Automated Reasoning, vol. 2, pp. 445–532. Elsevier and MIT Press (2001)Google Scholar
  6. 6.
    Basin, D., Mödersheim, S., Viganò, L.: OFMC: A symbolic model checker for security protocols. International Journal of Information Security 4(3), 181–208 (2005)CrossRefGoogle Scholar
  7. 7.
    Baudet, M., Cortier, V., Delaune, S.: YAPA: A generic tool for computing intruder knowledge. In: Treinen, R. (ed.) RTA 2009. LNCS, vol. 5595, pp. 148–163. Springer, Heidelberg (2009)Google Scholar
  8. 8.
    Blanchet, B.: An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In: 14th IEEE Computer Security Foundations Workshop (CSFW-14), Cape Breton, Nova Scotia, Canada, pp. 82–96. IEEE Computer Society, Los Alamitos (2001)Google Scholar
  9. 9.
    Boichut, Y., Héam, P.-C., Kouchnarenko, O., Oehl, F.: Improvements on the Genet and Klay technique to automatically verify security protocols. In: Proceedings of Automated Verification of Infinite States Systems (AVIS 2004). ENTCS (2004)Google Scholar
  10. 10.
    Bursuc, S., Comon-Lundh, H.: Protocol security and algebraic properties: decision results for a bounded number of sessions. In: Treinen, R. (ed.) RTA 2009. LNCS, vol. 5595, pp. 133–147. Springer, Heidelberg (2009)Google Scholar
  11. 11.
    Chevalier, Y., Rusinowitch, M.: Hierarchical combination of intruder theories. Inf. Comput. 206(2-4), 352–377 (2008)MathSciNetCrossRefMATHGoogle Scholar
  12. 12.
    Ciobâcă, Ş., Delaune, S., Kremer, S.: Computing knowledge in security protocols under convergent equational theories. In: Schmidt, R. (ed.) CADE 2009. LNCS (LNAI), vol. 5663, pp. 355–370. Springer, Heidelberg (2009)Google Scholar
  13. 13.
    Clavel, M., Durán, F., Eker, S., Escobar, S., Lincoln, P., Martí-Oliet, N., Meseguer, J., Talcott, C.: Unification and Narrowing in Maude 2.4. In: Treinen, R. (ed.) RTA 2009. LNCS, vol. 5595, pp. 380–390. Springer, Heidelberg (2009)Google Scholar
  14. 14.
    Clavel, M., Durán, F., Eker, S., Lincoln, P., Martí-Oliet, N., Meseguer, J., Talcott, C.: All About Maude - A High-Performance Logical Framework. LNCS, vol. 4350. Springer, Heidelberg (2007)MATHGoogle Scholar
  15. 15.
    Comon-Lundh, H., Delaune, S.: The finite variant property: How to get rid of some algebraic properties. In: Giesl, J. (ed.) RTA 2005. LNCS, vol. 3467, pp. 294–307. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  16. 16.
    Contejean, E., Marché, C.: The CiME system: tutorial and user’s manual. Université Paris-Sud, Centre d’Orsay (manuscript)Google Scholar
  17. 17.
    Dolev, D., Yao, A.: On the security of public key protocols. IEEE Transaction on Information Theory 29(2), 198–208 (1983)MathSciNetCrossRefMATHGoogle Scholar
  18. 18.
    Durgin, N., Lincoln, P., Mitchell, J., Scedrov, A.: Multiset rewriting and the complexity of bounded security. Journal of Computer Security, 677–722 (2004)Google Scholar
  19. 19.
    Escobar, S., Hendrix, J., Meadows, C., Meseguer, J.: Diffie-Hellman cryptographic reasoning in the Maude-NRL protocol analyzer. In: Proc. 2nd International Workshop on Security and Rewriting Techniques, SecReT 2007 (2007)Google Scholar
  20. 20.
    Escobar, S., Meadows, C., Meseguer, J.: A rewriting-based inference system for the NRL protocol analyzer and its meta-logical properties. Theoretical Compute Science 367(1-2), 162–202 (2006)MathSciNetCrossRefMATHGoogle Scholar
  21. 21.
    Escobar, S., Meadows, C., Meseguer, J.: Equational cryptographic reasoning in the Maude-NRL protocol analyzer. In: Proc. 1st International Workshop on Security and Rewriting Techniques (SecReT 2006). ENTCS, vol. 171(4), pp. 23–36. Elsevier, Amsterdam (2007)Google Scholar
  22. 22.
    Escobar, S., Meadows, C., Meseguer, J.: State space reduction in the Maude-NRL Protocol Analyzer. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 548–562. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  23. 23.
    Escobar, S., Meadows, C., Meseguer, J.: Maude-NPA, version 1.0. University of Illinois at Urbana-Champaign (March 2009), http://maude.cs.uiuc.edu/tools/Maude-NPA
  24. 24.
    Escobar, S., Meseguer, J.: Symbolic model checking of infinite-state systems using narrowing. In: Baader, F. (ed.) RTA 2007. LNCS, vol. 4533, pp. 153–168. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  25. 25.
    Escobar, S., Meseguer, J., Sasse, R.: Variant narrowing and equational unification. Technical Report UIUCDCS-R-2007-2910, Dept. of Computer Science, University of Illinois at Urbana-Champaign (October 2007)Google Scholar
  26. 26.
    Escobar, S., Meseguer, J., Sasse, R.: Effectively checking the finite variant property. In: Voronkov, A. (ed.) RTA 2008. LNCS, vol. 5117, pp. 79–93. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  27. 27.
    Escobar, S., Meseguer, J., Sasse, R.: Variant narrowing and equational unification. In: Rossu, G. (ed.) Proc. 7th. Intl. Workshop on Rewriting Logic and its Applications. ENTCS. Elsevier, Amsterdam (2008) (to appear)Google Scholar
  28. 28.
    Fabrega, F.J.T., Herzog, J., Guttman, J.: Strand Spaces: What Makes a Security Protocol Correct? Journal of Computer Security 7, 191–230 (1999)CrossRefGoogle Scholar
  29. 29.
    Hullot, J.-M.: Canonical forms and unification. In: Bibel, W., Kowalski, R. (eds.) CADE 1980. LNCS, vol. 87, pp. 318–334. Springer, Heidelberg (1980)Google Scholar
  30. 30.
    Millen, S.F.J.K., Clark, S.C.: The interrogator: Protocol secuity analysis. IEEE Transactions on Software Engineering, 274–288 (February 1987)Google Scholar
  31. 31.
    Jouannaud, J.-P., Kirchner, C., Kirchner, H.: Incremental construction of unification algorithms in equational theories. In: Díaz, J. (ed.) ICALP 1983. LNCS, vol. 154, pp. 361–373. Springer, Heidelberg (1983)CrossRefGoogle Scholar
  32. 32.
    Lowe, G.: Breaking and fixing the Needham-Schroeder public-key protocol using FDR. Software Concepts and Tools 17, 93–102 (1996)Google Scholar
  33. 33.
    Lynch, C., Meadows, C.: On the relative soundness of the free algebra model for public key encryption. In: Workshop on Issues in Theory of Security 2004 (2004)Google Scholar
  34. 34.
    Lynch, C., Meadows, C.: Sound Approximations to Diffie-Hellman Using Rewrite Rules. In: López, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 262–277. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  35. 35.
    Meadows, C.: Language generation and verification in the NRL protocol analyzer. In: Ninth IEEE Computer Security Foundations Workshop, Dromquinna Manor, Kenmare, County Kerry, Ireland, March 10-12, pp. 48–61. IEEE Computer Society, Los Alamitos (1996)CrossRefGoogle Scholar
  36. 36.
    Meadows, C.: The NRL protocol analyzer: An overview. Journal of logic programming 26(2), 113–131 (1996)CrossRefMATHGoogle Scholar
  37. 37.
    Meseguer, J.: Conditional rewriting logic as a unified model of concurrency. Theoretical Computer Science 96(1), 73–155 (1992)MathSciNetCrossRefMATHGoogle Scholar
  38. 38.
    Meseguer, J.: Membership algebra as a logical framework for equational specification. In: Parisi-Presicce, F. (ed.) WADT 1997. LNCS, vol. 1376, pp. 18–61. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  39. 39.
    Millen, J.: On the freedom of decryption. Information Processing Letters 86(3) (2003)Google Scholar
  40. 40.
    Mitchell, J., Mitchell, M., Stern, U.: Automated analysis of cryptographic protocols using Murphi. In: IEEE Symposium on Security and Privacy. IEEE Computer Society, Los Alamitos (1997)Google Scholar
  41. 41.
    Paulson, L.C.: The inductive approach to verifying cryptographic protocols. Journal of Computer Security 6(1-2), 85–128 (1998)CrossRefGoogle Scholar
  42. 42.
    Rusinowitch, M., Turuani, M.: Protocol insecurity with a finite number of sessions and composed keys is NP-complete. In: 14th IEEE Computer Security Foundations Workshop, pp. 174–190 (2001)Google Scholar
  43. 43.
    Ryan, P.Y.A., Schneider, S.A.: An attack on a recursive authentication protocol. a cautionary tale. Inf. Process. Lett. 65(1), 7–10 (1998)CrossRefMATHGoogle Scholar
  44. 44.
    Santiago, S., Talcott, C., Escobar, S., Meadows, C., Meseguer, J.: A graphical user interface for Maude-NPA. Technical Report DSIC-II/02/09, Universidad Politécnica de Valencia (June 2009)Google Scholar
  45. 45.
    Shmatikov, V., Stern, U.: Efficient finite-state analysis for large security protocols. In: 11th Computer Security Foundations Workshop — CSFW-11. IEEE Computer Society Press, Los Alamitos (1998)Google Scholar
  46. 46.
    Stubblebine, S., Meadows, C.: Formal characterization and automated analysis of known-pair and chosen-text attacks. IEEE Journal on Selected Areas in Communications 18(4), 571–581 (2000)CrossRefGoogle Scholar
  47. 47.
    TeReSe (ed.): Term Rewriting Systems. Cambridge University Press, Cambridge (2003)Google Scholar
  48. 48.
    Thati, P., Meseguer, J.: Symbolic reachability analysis using narrowing and its application verification of cryptographic protocols. J. Higher-Order and Symbolic Computation 20(1-2), 123–160 (2007)CrossRefMATHGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Santiago Escobar
    • 1
  • Catherine Meadows
    • 2
  • José Meseguer
    • 3
  1. 1.Universidad Politécnica de ValenciaSpain
  2. 2.Naval Research LaboratoryWashingtonUSA
  3. 3.University of Illinois at Urbana-ChampaignUSA

Personalised recommendations