Efficient Decision Procedures for Message Deducibility and Static Equivalence

  • Bruno Conchinha
  • David Basin
  • Carlos Caleiro
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6561)


We consider two standard notions in formal security protocol analysis: message deducibility and static equivalence under equational theories. We present new polynomial-time algorithms for deciding both notions under subterm convergent equational theories and under a theory representing symmetric encryption with the prefix property. For these equational theories, polynomial-time algorithms for the decision problems associated with both notions are well-known (although this has not been proven for static equivalence under the prefix theory). However, our algorithms have a significantly better asymptotic complexity than existing approaches.

As an application, we use our algorithm for static equivalence to discover off-line guessing attacks on the Kerberos protocol when implemented using a symmetric encryption scheme for which the prefix property holds.
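As an added illustration, and not the paper's own algorithm, the following Python sketch decides message deducibility for the subterm convergent theory of pairing and symmetric encryption by saturating the attacker's knowledge under the theory's decomposition rules, with an optional rule modelling the prefix property (from enc(<x,y>,k) one obtains enc(x,k) without the key). The frame, the names s, n, k, k1, k2 and all function names are constructed assumptions.

```python
# Terms: names are plain strings; applications are tuples ('pair', a, b) or ('enc', m, k).
# Frame terms are assumed to be in normal form (built only from names, pair and enc).

def app(t, f):
    """True if t is an application of function symbol f (names are plain strings)."""
    return isinstance(t, tuple) and t[0] == f

def synth(t, known):
    """Can t be built from the known terms using only the constructors pair and enc?"""
    if t in known:
        return True
    return isinstance(t, tuple) and all(synth(a, known) for a in t[1:])

def analyse(frame, prefix=False):
    """Saturate the attacker's knowledge with everything obtainable by decomposition.
    Each added term is a subterm of a frame term (or, with prefix, a re-encryption of
    one), so the loop terminates; this mirrors the subterm-convergent setting."""
    known = set(frame)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            new = []
            if app(t, 'pair'):                     # fst(<x,y>) -> x, snd(<x,y>) -> y
                new += [t[1], t[2]]
            elif app(t, 'enc'):
                if synth(t[2], known):             # dec(enc(m,k),k) -> m, if k is derivable
                    new.append(t[1])
                if prefix and app(t[1], 'pair'):   # prefix property: enc(<x,y>,k) gives enc(x,k)
                    new.append(('enc', t[1][1], t[2]))
            for u in new:
                if u not in known:
                    known.add(u)
                    changed = True
    return known

def deducible(frame, t, prefix=False):
    """Decide whether the attacker can derive t from the frame (hypothetical entry point)."""
    return synth(t, analyse(frame, prefix))

# Constructed sample frame: a ciphertext enc(<s, n>, k) together with the public nonce n.
TICKET = ('enc', ('pair', 's', 'n'), 'k')

def demo():
    return {
        'secret_without_key': deducible([TICKET, 'n'], 's'),                        # False
        'secret_with_key': deducible([TICKET, 'n', 'k'], 's'),                      # True
        'truncated_no_prefix': deducible([TICKET], ('enc', 's', 'k')),              # False
        'truncated_prefix': deducible([TICKET], ('enc', 's', 'k'), prefix=True),    # True
    }
```

The last two entries show the defender-relevant difference: under the prefix property a ciphertext over a pair yields a ciphertext over its first component with no key at all, which is exactly the kind of extra knowledge a static-equivalence check must account for.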


Keywords: security protocols, equational theories, deducibility, static equivalence





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Bruno Conchinha (1)
  • David Basin (1)
  • Carlos Caleiro (2)
  1. Information Security Group, ETH Zürich, Zürich, Switzerland
  2. SQIG - Instituto de Telecomunicações, Department of Mathematics, IST, TU Lisbon, Portugal
