Deciding security properties for cryptographic protocols. Application to key cycles


📝 Original Info

  • Title: Deciding security properties for cryptographic protocols. Application to key cycles
  • ArXiv ID: 0708.3564
  • Date: 2009-03-20
  • Authors: Researchers from original ArXiv paper

📝 Abstract

There is a large amount of work dedicated to the formal verification of security protocols. In this paper, we revisit and extend the NP-complete decision procedure for a bounded number of sessions. We use a now-standard deducibility constraint formalism for modeling security protocols. Our first contribution is to give a simple set of constraint simplification rules that allows us to reduce any deducibility constraint system to a set of solved forms, representing all solutions (within the bound on sessions). As a consequence, we prove that deciding the existence of key cycles is NP-complete for a bounded number of sessions. The problem of key cycles has been put forward by recent works relating computational and symbolic models. The so-called soundness of the symbolic model indeed requires that no key cycle (e.g., enc(k,k)) ever occurs in the execution of the protocol. Otherwise, stronger security assumptions (such as KDM-security) are required. We show that our decision procedure can also be applied to prove again the decidability of authentication-like properties and the decidability of a significant fragment of protocols with timestamps.

📄 Full Content

Security protocols are small programs that aim at securing communications over a public network, like the Internet. Considering the increasing size of networks and their dependence on cryptographic protocols, a high level of assurance is needed in the correctness of such protocols. The design of such protocols is difficult and error-prone; many attacks are discovered even several years after the publication of a protocol. Consequently, there has been a growing interest in applying formal methods for validating cryptographic protocols, and many results have been obtained. The main advantage of this approach is its relative simplicity, which makes it amenable to automated analysis. For example, secrecy preservation is co-NP-complete for a bounded number of sessions [Amadio and Lugiez 2000; Rusinowitch and Turuani 2001], and decidable for an unbounded number of sessions under some additional restrictions [Comon-Lundh and Cortier 2003; Durgin et al. 1999; Lowe 1998; Ramanujam and Suresh 2005]. Many tools have also been developed to automatically verify cryptographic protocols, like [Armando et al. 2005; Blanchet 2001; Millen and Shmatikov 2001; Cremers 2008].

Generalizing the constraint system approach. In this paper, we re-investigate and extend the NP-complete decision procedure for a bounded number of sessions [Rusinowitch and Turuani 2001]. In this setting (i.e. a finite number of sessions), deducibility constraint systems have become the standard model for verifying security properties, with a special focus on secrecy. Starting with Millen and Shmatikov's paper [Millen and Shmatikov 2001], many results (e.g. [Comon-Lundh and Shmatikov 2003; Baudet 2005; Bursuc et al. 2007]) have been obtained and several tools (e.g. [Corin and Etalle 2002]) have been developed within this framework. Our first contribution is to provide a generic approach derived from [Comon-Lundh and Shmatikov 2003] to decide general security properties. We show that any deducibility constraint system can be transformed into (possibly several) much simpler deducibility constraint systems that are called solved forms, preserving all solutions of the original system, and not only its satisfiability. In other words, the deducibility constraint system represents in a symbolic way all the possible sequences of messages that are produced, following the protocol rules, whatever the intruder's actions. This set of symbolic traces is infinite in general. Solved forms are a simple (and finite) representation of such traces, and we show that it is suitable for the verification of many security properties. We also consider sorted terms, symmetric and asymmetric encryption, pairing and signatures, but we do not consider algebraic properties like Abelian groups or exclusive or. In addition, we prove termination in polynomial time of the (non-deterministic) deducibility constraint simplification. Compared to [Rusinowitch and Turuani 2001], our procedure preserves all solutions. Hence, we can represent, for instance, all attacks on secrecy and not only decide whether one exists. Moreover, presenting the decision procedure using a small set of simplification rules yields more flexibility for further extensions and modifications.

The main originality is that the method is applicable to any security property that can be expressed as a formula on the protocol trace and the agent memories. For example, our decision procedure (published in the LPAR'06 proceedings [Cortier and Zȃlinescu 2006]) has been used in [Cortier et al. 2006] for proving that a new notion of secrecy in the presence of hashes is decidable (and co-NP-complete) for a bounded number of sessions. It has also been used in [Cortier et al. 2007] in the proof of modularity results for the security of protocols. To illustrate the wide applicability of our decision procedure, we show in this paper how it can be used for proving co-NP-completeness of three kinds of security properties: the existence of key cycles, authentication-like properties, and secrecy of protocols with timestamps.

For authentication properties, we introduce a small logic that allows one to specify authentication and some similar security properties. Using our solved forms, we show that any property that can be expressed within this logic can be decided. The logic is smaller than NPATRL [Syverson and Meadows 1996] or PS-LTL [Corin et al. 2005; Corin 2006], but we believe that decidability holds for a larger logic, closer to the two above ones. However, the goal of this work is not to introduce a new logic, but rather to highlight the proof method. Note also that the absence of key cycles cannot be expressed in any of the three mentioned logics, because it is not only a trace property but also a property of the message structure (see below).
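To make the "property of the message structure" concrete, here is an added example (not code from the paper) that checks one concrete symbolic trace for a key cycle: it builds the "k encrypts k'" graph from the terms and searches it for a cycle, so enc(k,k) shows up as a self-loop. The paper's contribution is deciding whether any reachable trace contains such a cycle; this only checks a given trace. The term encoding, the `keys` parameter, and the assumption that any occurrence of k' inside the plaintext of an encryption under k counts (even as the key of an inner encryption) are choices made for this example.

```python
# Added example (not the paper's code): key-cycle check over symbolic Dolev-Yao terms.
# Term syntax: a key or nonce is a str; ("enc", m, k) encrypts m under key k;
# ("pair", a, b) pairs two terms. `keys` is the set of atoms treated as keys.
from collections import defaultdict

def keys_in(term, keys):
    """Names from `keys` occurring anywhere in term, nested encryptions included."""
    if isinstance(term, str):
        return {term} if term in keys else set()
    return set().union(*(keys_in(sub, keys) for sub in term[1:]))

def encryption_edges(term, keys, edges):
    """Record k -> k' whenever k' occurs inside the plaintext of an encryption under k
    (assumption: any occurrence counts, even as the key of an inner encryption)."""
    if isinstance(term, str):
        return
    if term[0] == "enc":
        plaintext, key = term[1], term[2]
        edges[key] |= keys_in(plaintext, keys)
    for sub in term[1:]:
        encryption_edges(sub, keys, edges)

def find_key_cycle(terms, keys):
    """Return a cycle [k1, ..., kn, k1] in the 'encrypts' graph of the trace, or None;
    enc(k, k) yields the self-loop [k, k]."""
    edges = defaultdict(set)
    for t in terms:
        encryption_edges(t, keys, edges)
    colour, path = {}, []  # DFS colouring: a back edge to a grey node closes a cycle

    def dfs(k):
        colour[k] = "grey"
        path.append(k)
        for nxt in sorted(edges[k]):
            if colour.get(nxt) == "grey":
                return path[path.index(nxt):] + [nxt]
            if nxt not in colour and (cycle := dfs(nxt)):
                return cycle
        path.pop()
        colour[k] = "black"
        return None

    for k in sorted(keys):
        if k not in colour and (cycle := dfs(k)):
            return cycle
    return None

# Constructed traces: a direct self-cycle, a two-key cycle via a pair, and a clean trace.
TRACE_SELF = [("enc", "k", "k")]
TRACE_PAIR = [("enc", ("pair", "n1", "k2"), "k1"), ("enc", "k1", "k2")]
TRACE_CLEAN = [("enc", "n1", "k1"), ("enc", "k1", "k2")]
```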

For timestamps, we actually retrieve a significant fragment of the decidable class identified by Bozga et al. [Bozga et al. 2004]. We believe that our result can lead more easily to an implementation, since

…(Full text truncated)…

Reference

This content is AI-processed based on ArXiv data.
