Constraint solving for bounded-process cryptographic protocol analysis

Millen, Jonathan K.; Shmatikov, Vitaly

doi:10.1145/501983.502007

Cited by 221 publications

(224 citation statements)

References 13 publications

Supporting

Mentioning

221

Contrasting

Unclassified

Order By: Relevance

“…For instance both protocols, intruder capabilities and security properties can be formalized within first-order logic and dedicated resolution strategies yield relevant verification methods [18,21,6]. Another approach, initiated in [19], consists in symbolically representing the traces using deducibility constraints. Both approaches were quite successful in finding attacks/proving security protocols.…”

Section: Introductionmentioning

confidence: 99%

Automating Security Analysis: Symbolic Equivalence of Constraint Systems

Cheval

Comon-Lundh

Delaune

2010

Automated Reasoning

View full text Add to dashboard Cite

Abstract. We consider security properties of cryptographic protocols, that are either trace properties (such as confidentiality or authenticity) or equivalence properties (such as anonymity or strong secrecy). Infinite sets of possible traces are symbolically represented using deducibility constraints. We give a new algorithm that decides the trace equivalence for the traces that are represented using such constraints, in the case of signatures, symmetric and asymmetric encryptions. Our algorithm is implemented and performs well on typical benchmarks. This is the first implemented algorithm, deciding symbolic trace equivalence.

show abstract

Section: Introductionmentioning

confidence: 99%

Automating Security Analysis: Symbolic Equivalence of Constraint Systems

Cheval

Comon-Lundh

Delaune

2010

Automated Reasoning

View full text Add to dashboard Cite

show abstract

“…[20,4]). Similarly, off-line guessing attacks coded as static equivalence between process states [5] can be decided using such symbolic executions, but this requires one to check the equivalence of constraint systems, rather than satisfiability.…”

Section: Introductionmentioning

confidence: 99%

Symbolic Bisimulation for the Applied Pi Calculus

Delaune

Kremer

Ryan

2007

FSTTCS 2007: Foundations of Software Technology and Theoretical Computer Science

View full text Add to dashboard Cite

We propose a symbolic semantics for the finite applied pi calculus. The applied pi calculus is a variant of the pi calculus with extensions for modelling cryptographic protocols. By treating inputs symbolically, our semantics avoids potentially infinite branching of execution trees due to inputs from the environment. Correctness is maintained by associating with each process a set of constraints on terms. We define a symbolic labelled bisimulation relation, which is shown to be sound but not complete with respect to standard bisimulation. We explore the lack of completeness and demonstrate that the symbolic bisimulation relation is sufficient for many practical examples. This work is an important step towards automation of observational equivalence for the finite applied pi calculus, e.g. for verification of anonymity or strong secrecy properties. * This work has been partly supported by the EPSRC projects EP/E029833, Verifying Properties in Electronic Voting Protocols and EP/E040829/1, Verifying Anonymity and Privacy Properties of Security Protocols, the ARA SESUR project AVOTÉ and the ARTIST2 NoE. Preliminary versions of this paper appeared in [13] and [14].

show abstract

“…a finite number of protocol sessions [2,5,18]. Among the different approaches the symbolic ones [16,10,4] are based on reducing the problem to constraint solving in a term algebra. This reduction has proved to be quite effective on standard benchmarks and also was able to discover new flaws on several protocols [4].…”

Section: Introductionmentioning

confidence: 99%

Combining Intruder Theories

Chevalier

Rusinowitch

2005

Automata, Languages and Programming

View full text Add to dashboard Cite

Abstract. Most of the decision procedures for symbolic analysis of protocols are limited to a fixed set of algebraic operators associated with a fixed intruder theory. Examples of such sets of operators comprise XOR, multiplication/exponentiation, abstract encryption/decryption. In this paper we give an algorithm for combining decision procedures for arbitrary intruder theories with disjoint sets of operators, provided that solvability of ordered intruder constraints, a slight generalization of intruder constraints, can be decided in each theory. This is the case for most of the intruder theories for which a decision procedure has been given. In particular our result allows us to decide trace-based security properties of protocols that employ any combination of the above mentioned operators with a bounded number of sessions.

show abstract

Constraint solving for bounded-process cryptographic protocol analysis

Abstract: The reachability problem for cryptographic protocols with nonatomic keys can be solved via a simple constraint satisfaction procedure.

Cited by 221 publications

References 13 publications

Automating Security Analysis: Symbolic Equivalence of Constraint Systems

Automating Security Analysis: Symbolic Equivalence of Constraint Systems

Symbolic Bisimulation for the Applied Pi Calculus

Combining Intruder Theories

Contact Info

Product

Resources

About