Decidability of context-explicit security protocols

Ramanujam, R.; Suresh, S. P.

doi:10.3233/jcs-2005-13106

Cited by 32 publications

(19 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Under some additional assumptions (e.g. no temporary secret, no ciphertext forwarding), several decidability results [24,21] have been obtained by showing that it is sufficient to consider one session per role. But those results can not deal with protocols such as the Yahalom protocol or protocols which rely on a temporary secret.…”

Section: Other Ways Of Taggingmentioning

confidence: 99%

“…An early result is the PTIME complexity result by Dolev et al [15] for a restricted class, called ping-pong protocols. Other classes have been proposed by Ramanujam and Suresh [23,24], and Lowe [21]. However, in both cases, temporary secrets, composed keys and ciphertext forwarding are not allowed which discards protocols, such as the Yahalom protocol [7] (see also Section 4.3).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

From One Session to Many: Dynamic Tags for Security Protocols

Arapinis

Delaune

Kremer

2008

Logic for Programming, Artificial Intelligence, and Reasoning

View full text Add to dashboard Cite

Abstract. The design and verification of cryptographic protocols is a notoriously difficult task, even in abstract Dolev-Yao models. This is mainly due to several sources of unboundedness (size of messages, number of sessions, . . . ). In this paper, we characterize a class of protocols for which secrecy for an unbounded number of sessions is decidable. More precisely, we present a simple transformation which maps a protocol that is secure for a single protocol session (a decidable problem) to a protocol that is secure for an unbounded number of sessions. Our result provides an effective strategy to design secure protocols: (i) design a protocol intended to be secure for one protocol session (this can be verified with existing automated tools); (ii) apply our transformation and obtain a protocol which is secure for an unbounded number of sessions. The proof of our result is closely tied to a particular constraint solving procedure by Comon-Lundh et al.

show abstract

Section: Other Ways Of Taggingmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

From One Session to Many: Dynamic Tags for Security Protocols

Arapinis

Delaune

Kremer

2008

Logic for Programming, Artificial Intelligence, and Reasoning

View full text Add to dashboard Cite

show abstract

“…The basic concept behind EV-Freedom [Mil03], PEV-Freedom [LM05], EVXFreedom, and Structure is the same: Protocols should be designed so that agents will be able to verify some property of messages after decryption, such as their number in the protocol, operators used to create them etc. This is a prudent engineering practice [AN94], has been used to guarantee protocol security against important forms of attacks [HLS03, GT00, ML09, Mal10] and ensure decidability [Low99,RS05].…”

Section: Resultsmentioning

confidence: 99%

Soundness of Removing Cancellation Identities in Protocol Analysis under Exclusive-OR

Malladi

2012

Theory of Security and Applications

View full text Add to dashboard Cite

Abstract. In [Mil03,LM05], Millen-Lynch-Meadows proved that, under some restrictions on messages, including identities for canceling an encryption and a decryption within the same term during analysis will be redundant. i.e., they will not lead to any new attacks that were not found without them. In this paper, we prove that slightly modified restrictions are sufficient to safely remove those identities, even when protocols contain operators such as the notorious Exclusive-OR operator that break the free algebra assumption with their own identities, in addition to the identities considered by Millen-Lynch-Meadows.

show abstract

“…The main advantage of this approach is its relative simplicity which makes it amenable to automated analysis. For example, the secrecy preservation is co-NP-complete for a bounded number of sessions [Amadio and Lugiez 2000;Rusinowitch and Turuani 2001], and decidable for an unbounded number of sessions under some additional restrictions [Comon-Lundh and Cortier 2003;Durgin et al 1999;Lowe 1998;Ramanujam and Suresh 2005]. Many tools have also been developed to automatically verify cryptographic protocols, like [Armando et al 2005;Blanchet 2001;Millen and Shmatikov 2001;Cremers 2008].…”

Section: Introductionmentioning

confidence: 99%

Deciding security properties for cryptographic protocols. application to key cycles

Comon-Lundh¹,

Cortier

Zălinescu

2010

ACM Trans. Comput. Logic

View full text Add to dashboard Cite

There is a large amount of work dedicated to the formal verification of security protocols. In this paper, we revisit and extend the NP-complete decision procedure for a bounded number of sessions. We use a, now standard, deducibility constraint formalism for modeling security protocols. Our first contribution is to give a simple set of constraint simplification rules, that allows to reduce any deducibility constraint system to a set of solved forms, representing all solutions (within the bound on sessions).As a consequence, we prove that deciding the existence of key cycles is NP-complete for a bounded number of sessions. The problem of key-cycles has been put forward by recent works relating computational and symbolic models. The so-called soundness of the symbolic model requires indeed that no key cycle (e.g., enc(k, k)) ever occurs in the execution of the protocol. Otherwise, stronger security assumptions (such as KDM-security) are required.We show that our decision procedure can also be applied to prove again the decidability of authentication-like properties and the decidability of a significant fragment of protocols with timestamps.

show abstract

Decidability of context-explicit security protocols

Cited by 32 publications

References 21 publications

From One Session to Many: Dynamic Tags for Security Protocols

From One Session to Many: Dynamic Tags for Security Protocols

Soundness of Removing Cancellation Identities in Protocol Analysis under Exclusive-OR

Deciding security properties for cryptographic protocols. application to key cycles

Contact Info

Product

Resources

About