197 research outputs found
Deduction with XOR Constraints in Security API Modelling
We introduce XOR constraints, and show how they enable a theorem prover to reason effectively about security critical subsystems which employ bitwise XOR. Our primary case study is the API of the IBM 4758 hardware security module. We also show how our technique can be applied to standard security protocols
Implementing a Unification Algorithm for Protocol Analysis with XOR
In this paper, we propose a unification algorithm for the theory which
combines unification algorithms for E\_{\std} and E\_{\ACUN} (ACUN
properties, like XOR) but compared to the more general combination methods uses
specific properties of the equational theories for further optimizations. Our
optimizations drastically reduce the number of non-deterministic choices, in
particular those for variable identification and linear orderings. This is
important for reducing both the runtime of the unification algorithm and the
number of unifiers in the complete set of unifiers. We emphasize that obtaining
a ``small'' set of unifiers is essential for the efficiency of the constraint
solving procedure within which the unification algorithm is used. The method is
implemented in the CL-Atse tool for security protocol analysis
Unification modulo a 2-sorted Equational theory for Cipher-Decipher Block Chaining
We investigate unification problems related to the Cipher Block Chaining
(CBC) mode of encryption. We first model chaining in terms of a simple,
convergent, rewrite system over a signature with two disjoint sorts: list and
element. By interpreting a particular symbol of this signature suitably, the
rewrite system can model several practical situations of interest. An inference
procedure is presented for deciding the unification problem modulo this rewrite
system. The procedure is modular in the following sense: any given problem is
handled by a system of `list-inferences', and the set of equations thus derived
between the element-terms of the problem is then handed over to any
(`black-box') procedure which is complete for solving these element-equations.
An example of application of this unification procedure is given, as attack
detection on a Needham-Schroeder like protocol, employing the CBC encryption
mode based on the associative-commutative (AC) operator XOR. The 2-sorted
convergent rewrite system is then extended into one that fully captures a block
chaining encryption-decryption mode at an abstract level, using no AC-symbols;
and unification modulo this extended system is also shown to be decidable.Comment: 26 page
How to prevent type-flaw attacks on security protocols under algebraic properties
Type-flaw attacks upon security protocols wherein agents are led to
misinterpret message types have been reported frequently in the literature.
Preventing them is crucial for protocol security and verification. Heather et
al. proved that tagging every message field with it's type prevents all
type-flaw attacks under a free message algebra and perfect encryption system.
In this paper, we prove that type-flaw attacks can be prevented with the same
technique even under the ACUN algebraic properties of XOR which is commonly
used in "real-world" protocols such as SSL 3.0. Our proof method is general and
can be easily extended to other monoidal operators that possess properties such
as Inverse and Idempotence as well. We also discuss how tagging could be used
to prevent type-flaw attacks under other properties such as associativity of
pairing, commutative encryption, prefix property and homomorphic encryption.Comment: 16 pages, Appeared in proceedings of Security with Rewriting
Techniques (SecRet09), Affiliated to CSF Symposium 2009, Port Jefferson, NY
A Simple Constraint-solving Decision Procedure for Protocols with Exclusive or
We present a procedure for deciding security of protocols employing the Exclusive or operator. This procedure relies on a direct combination of a constraint solver for security protocol with a unification algorithm for the exclusive-or theory. Hence compared to the previous ones it is much simpler and easily amenable to automation. The principle of the approach can be applied to other theories too
Satisfiability of General Intruder Constraints with and without a Set Constructor
Many decision problems on security protocols can be reduced to solving
so-called intruder constraints in Dolev Yao model. Most constraint solving
procedures for protocol security rely on two properties of constraint systems
called monotonicity and variable origination. In this work we relax these
restrictions by giving a decision procedure for solving general intruder
constraints (that do not have these properties) that stays in NP. Our result
extends a first work by L. Mazar\'e in several directions: we allow non-atomic
keys, and an associative, commutative and idempotent symbol (for modeling
sets). We also discuss several new applications of the results.Comment: Submitted to the Special issue of Information and Computation on
Security and Rewriting Techniques (SecReT), 2011. 59 page
Approximation based tree regular model checking
International audienceThis paper addresses the following general problem of tree regular model-checking: decide whether where is the reflexive and transitive closure of a successor relation induced by a term rewriting system , and and are both regular tree languages. We develop an automatic approximation-based technique to handle this -- undecidable in general -- problem in most practical cases, extending a recent work by Feuillade, Genet and Viet Triem Tong. We also make this approach fully automatic for practical validation of security protocols
Hierarchical combination of intruder theories
International audienceRecently automated deduction tools have proved to be very effective for detecting attacks on cryptographic protocols. These analysis can be improved, for finding more subtle weaknesses, by a more accurate modelling of operators employed by protocols. Several works have shown how to handle a single algebraic operator (associated with a fixed intruder theory) or how to combine several operators satisfying disjoint theories. However several interesting equational theories, such as exponentiation with an abelian group law for exponents remain out of the scope of these techniques. This has motivated us to introduce a new notion of hierarchical combination for non-disjoint intruder theories and to show decidability results for the deduction problem in these theories. We have also shown that under natural hypotheses hierarchical intruder constraints can be decided. This result applies to an exponentiation theory that appears to be more general than the one considered before
Knowledge Flow Analysis for Security Protocols
Knowledge flow analysis offers a simple and flexible way to find flaws in
security protocols. A protocol is described by a collection of rules
constraining the propagation of knowledge amongst principals. Because this
characterization corresponds closely to informal descriptions of protocols, it
allows a succinct and natural formalization; because it abstracts away message
ordering, and handles communications between principals and applications of
cryptographic primitives uniformly, it is readily represented in a standard
logic. A generic framework in the Alloy modelling language is presented, and
instantiated for two standard protocols, and a new key management scheme.Comment: 20 page
- âŠ