Hierarchical Combination of Intruder Theories

  • Yannick Chevalier
  • Michaël Rusinowitch
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4098)


Recently, automated deduction tools have proved to be very effective for detecting attacks on cryptographic protocols. These analyses can be improved, so as to find more subtle weaknesses, by a more accurate modelling of the operators employed by protocols. Several works have shown how to handle a single algebraic operator (associated with a fixed intruder theory) or how to combine several operators satisfying disjoint theories. However, several interesting equational theories, such as exponentiation with an abelian group law for exponents, remain out of the scope of these techniques. This has motivated us to introduce a new notion of hierarchical combination for intruder theories and to show decidability results for the deduction problem in these theories. Under a simple hypothesis, we were able to simplify this deduction problem. This simplification is then applied to prove the decidability of constraint systems w.r.t. an intruder relying on exponentiation theory.


Keywords: Normal Form, Equational Theory, Security Protocol, Constraint System, Cryptographic Protocol





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Yannick Chevalier (1)
  • Michaël Rusinowitch (2)

  1. IRIT Université Paul Sabatier, France
  2. LORIA-INRIA-Lorraine, France
