Abstract
We show that the insecurity problem for protocols with modular exponentiation and arbitrary products allowed in exponents is NP-complete. This result is based on a protocol and intruder model which is powerful enough to uncover known attacks on the Authenticated Group Diffie-Hellman (A-GDH.2) protocol suite. To prove our results, we develop a general framework in which the Dolev-Yao intruder is extended by generic intruder rules. This framework is also applied to obtain complexity results for protocols with commuting public key encryption.
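The intruder model the abstract refers to, as an added illustration that is not the authors' code: a small ground (variable-free) deduction checker for a Dolev-Yao intruder extended with exponentiation whose exponents form an abelian group of names and inverses, and with commuting public-key encryption. It is not the paper's NP decision procedure (which handles protocol steps with variables by constraint solving); it only shows the two equational theories and the generic analysis/synthesis rules at work. The term encoding, the key naming (`sk_A` for the private key matching public key `A`) and the three intruder views are constructed assumptions.

```python
"""Ground intruder deduction for a Dolev-Yao intruder extended with two of the
operator theories discussed above: Diffie-Hellman exponentiation whose exponents
are products of names with inverses (an abelian group), and commuting
public-key encryption.  Constructed illustration only; it is not the paper's
NP decision procedure and handles only variable-free (ground) terms."""


# --- terms are hashable tuples kept in normal form ---------------------------
def atom(name):
    return ('atom', name)


def pair(a, b):
    return ('pair', a, b)


def senc(m, k):
    return ('senc', m, k)


def sk(agent):
    """Private key of an agent; the public key is identified by the agent name."""
    return atom('sk_' + agent)


def _mul(m1, m2):
    """Multiply two exponent monomials given as (name, integer power) pairs."""
    acc = dict(m1)
    for v, e in m2:
        acc[v] = acc.get(v, 0) + e
    return tuple(sorted((v, e) for v, e in acc.items() if e))


def exp(base, mono):
    """base^(prod v^e).  Powers are sorted and zero powers dropped, so
    exp(g, a*b*b^-1) is the same tuple as exp(g, a), and (g^p)^q = g^(p*q)."""
    if base[0] == 'exp':
        base, mono = base[1], _mul(base[2], mono)
    mono = _mul((), mono)
    return base if not mono else ('exp', base, mono)


def penc(m, keys):
    """Commuting public-key encryption: only the multiset of keys matters,
    so {{m}_A}_B and {{m}_B}_A are the same term."""
    if m[0] == 'penc':
        m, keys = m[1], m[2] + tuple(keys)
    keys = tuple(sorted(keys))
    return m if not keys else ('penc', m, keys)


# --- analysis: close the knowledge under the decomposition rules -------------
def analyse(known):
    K = set(known)
    changed = True
    while changed:
        changed = False
        for t in list(K):
            new = set()
            if t[0] == 'pair':
                new |= {t[1], t[2]}
            elif t[0] == 'senc' and t[2] in K:
                new.add(t[1])
            elif t[0] == 'penc':
                # commuting encryption: any layer whose private key is known can
                # be stripped, whatever order the layers were applied in
                for k in t[2]:
                    if sk(k) in K:
                        rest = list(t[2])
                        rest.remove(k)
                        new.add(penc(t[1], rest))
            if not new <= K:
                K |= new
                changed = True
    return K


# --- synthesis: can the target be composed from the analysed knowledge? ------
def derivable(target, known):
    K = analyse(known)

    def syn(t):
        if t in K:
            return True
        if t[0] in ('pair', 'senc'):
            return syn(t[1]) and syn(t[2])
        if t[0] == 'penc':
            # add layers to a known ciphertext of the same plaintext, or encrypt
            # a plaintext the intruder can build (public keys are public)
            for k in K:
                if k[0] == 'penc' and k[1] == t[1] and all(
                        t[2].count(x) >= k[2].count(x) for x in set(k[2])):
                    return True
            return syn(t[1])
        if t[0] == 'exp':
            # start from the base itself or from any known power of it and
            # multiply the exponent by known names and their inverses
            starts = [()] if syn(t[1]) else []
            starts += [k[2] for k in K if k[0] == 'exp' and k[1] == t[1]]
            for m0 in starts:
                missing = _mul(t[2], [(v, -e) for v, e in m0])
                if all(atom(v) in K for v, _ in missing):
                    return True
            return False
        return False

    return syn(target)


# --- constructed intruder views (assumed scenarios, not from the paper) ------
g, c, r, m = (atom(x) for x in 'gcrm')

# a passive observer of two-party DH who also holds its own exponent r
DH_VIEW = {g, r, exp(g, [('a', 1)]), exp(g, [('b', 1)])}

# a group-key style view: g^(abc) together with the single exponent c
GROUP_VIEW = {exp(g, [('a', 1), ('b', 1), ('c', 1)]), c}

# m encrypted under pk(A) and pk(I); the intruder I knows its own private key
PKE_VIEW = {penc(m, ['A', 'I']), sk('I')}

if __name__ == '__main__':
    print(derivable(exp(g, [('a', 1), ('r', 1)]), DH_VIEW))     # True
    print(derivable(exp(g, [('a', 1), ('b', 1)]), DH_VIEW))     # False
    print(derivable(exp(g, [('a', 1), ('b', 1)]), GROUP_VIEW))  # True: divide out c
    print(derivable(penc(m, ['A']), PKE_VIEW))                  # True: strip I's layer
    print(derivable(m, PKE_VIEW))                               # False
```

The two points worth noticing are the ones the abstract's extensions exist for: because exponents are a group, the intruder who holds `g^(abc)` and `c` can "divide out" `c` to obtain `g^(ab)`, something a free Dolev-Yao term algebra cannot express; and because encryption layers commute, the intruder can peel its own layer off `{{m}_A}_I` even though it was applied last, while still not recovering `m` without `sk_A`.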
- Amadio, R., Lugiez, D., and Vanackere, V. 2002. On the symbolic reduction of processes with cryptographic functions. Theoret. Comput. Sci. 290, 1, 695--740.
- Basin, D., Mödersheim, S., and Viganò, L. 2003. An on-the-fly model-checker for security protocol analysis. In Proceedings of the 8th European Symposium on Research in Computer Security (ESORICS 2003), E. Snekkenes and D. Gollmann, Eds. Lecture Notes in Computer Science, vol. 2808. Springer, Berlin, Germany, 253--270.
- Bockmayr, A. and Weispfenning, V. 2001. Solving numerical constraints. In Handbook of Automated Reasoning, A. Robinson and A. Voronkov, Eds. Vol. I. Elsevier Science, Amsterdam, The Netherlands, Chapter 12, 751--842.
- Boreale, M. 2001. Symbolic trace analysis of cryptographic protocols. In Automata, Languages and Programming, 28th International Colloquium (ICALP 2001). Lecture Notes in Computer Science, vol. 2076. Springer-Verlag, Berlin, Germany, 667--681.
- Boreale, M. and Buscemi, M. 2003. On the symbolic analysis of low-level cryptographic primitives: modular exponentiation and the Diffie-Hellman Protocol. In Proceedings of the Workshop on Foundations of Computer Security (FCS 2003).
- Borosh, I. and Treybig, L. 1976. Bounds on positive integral solutions of linear Diophantine equations. Proc. Amer. Math. Soc. 55, 299--304.
- Boyd, C. and Mathuria, A. 2003. Protocols for Authentication and Key Establishment. Springer, Berlin, Germany.
- Bull, J. and Otway, D. 1997. The authentication protocol. Tech. rep. DRA/CIS3/PROJ/CORBA/SC/1/CSM/436-04/03. Defence Research Agency, Malvern, U.K.
- Chevalier, Y., Küsters, R., Rusinowitch, M., and Turuani, M. 2003a. An NP decision procedure for protocol insecurity with XOR. In Proceedings of the Eighteenth Annual IEEE Symposium on Logic in Computer Science (LICS 2003). IEEE Computer Society Press, Los Alamitos, CA, 261--270.
- Chevalier, Y., Küsters, R., Rusinowitch, M., and Turuani, M. 2003b. Deciding the security of protocols with Diffie-Hellman exponentiation and products in exponents. In FSTTCS 2003: Foundations of Software Technology and Theoretical Computer Science, P. Pandya and J. Radhakrishnan, Eds. Lecture Notes in Computer Science, vol. 2914. Springer, Berlin, Germany, 124--135.
- Chevalier, Y., Küsters, R., Rusinowitch, M., and Turuani, M. 2004. Deciding the security of protocols with commuting public key encryption. In Proceedings of the IJCAR 2004 Workshop W6 ARSPA (Automated Reasoning for Security Protocol Analysis).
- Chevalier, Y. and Vigneron, L. 2001. A tool for lazy verification of security protocols. In Proceedings of the 16th IEEE Conference on Automated Software Engineering (ASE 2001). IEEE Computer Society Press, Los Alamitos, CA, 373--376.
- Clark, J. and Jacob, J. 1997. A Survey of Authentication Protocol Literature. Web Draft Version 1.0. Available online at http://citeseer.nj.nec.com/.
- Comon-Lundh, H. and Shmatikov, V. 2003. Intruder deductions, constraint solving and insecurity decision in presence of exclusive or. In Proceedings of the Eighteenth Annual IEEE Symposium on Logic in Computer Science (LICS 2003). IEEE Computer Society Press, Los Alamitos, CA, 271--280.
- Corin, R. and Etalle, S. 2002. An improved constraint-based system for the verification of security protocols. In Proceedings of the 9th International Symposium on Static Analysis (SAS 2002), M. Hermenegildo and G. Puebla, Eds. Lecture Notes in Computer Science, vol. 2477. Springer, Berlin, Germany, 326--341.
- Dolev, D. and Yao, A. 1983. On the security of public-key protocols. IEEE Trans. Inform. Theor. 29, 2, 198--208.
- Goubault-Larrecq, J., Roger, M., and Verma, K. 2005. Abstraction and resolution modulo AC: How to verify Diffie-Hellman-like protocols automatically. J. Log. Alg. Program. To appear.
- Kapur, D., Narendran, P., and Wang, L. 2003. Analyzing protocols that use modular exponentiation: Semantic unification techniques. In Proceedings of the 14th International Conference on Rewriting Techniques and Applications (RTA 2003), R. Nieuwenhuis, Ed. Lecture Notes in Computer Science, vol. 2706. Springer, Berlin, Germany, 165--179.
- Meadows, C. 2000. Open issues in formal methods for cryptographic protocol analysis. In Proceedings of DISCEX 2000. IEEE Computer Society Press, Los Alamitos, CA, 237--250.
- Meadows, C. and Narendran, P. 2002. A unification algorithm for the group Diffie-Hellman protocol. In Proceedings of the Workshop on Issues in the Theory of Security (WITS 2002).
- Millen, J. and Shmatikov, V. 2003. Symbolic protocol analysis with products and Diffie-Hellman exponentiation. In Proceedings of the 16th IEEE Computer Security Foundations Workshop (CSFW-16). IEEE Computer Society Press, Los Alamitos, CA, 47--61.
- Millen, J. K. and Shmatikov, V. 2001. Constraint solving for bounded-process cryptographic protocol analysis. In Proceedings of the 8th ACM Conference on Computer and Communications Security (CCS 2001). ACM Press, New York, NY, 166--175.
- Paulson, L. 1997. Mechanized proofs for a recursive authentication protocol. In Proceedings of the 10th IEEE Computer Security Foundations Workshop (CSFW-10). IEEE Computer Society Press, Los Alamitos, CA, 84--95.
- Pereira, O. and Quisquater, J.-J. 2001. A security analysis of the Cliques Protocols Suites. In Proceedings of the 14th IEEE Computer Security Foundations Workshop (CSFW-14). IEEE Computer Society Press, Los Alamitos, CA, 73--81.
- Pereira, O. and Quisquater, J.-J. 2004. Generic insecurity of Cliques-type authenticated group key agreement protocols. In Proceedings of the 17th IEEE Computer Security Foundations Workshop (CSFW-17). IEEE Computer Society Press, Los Alamitos, CA, 16--29.
- Rusinowitch, M. and Turuani, M. 2001. Protocol insecurity with finite number of sessions is NP-complete. In Proceedings of the 14th IEEE Computer Security Foundations Workshop (CSFW-14). IEEE Computer Society Press, Los Alamitos, CA, 174--190.
- Ryan, P. and Schneider, S. 1998. An attack on a recursive authentication protocol. Inform. Process. Lett. 65, 1, 7--10.
- Schneier, B. 1996. Applied Cryptography. John Wiley & Sons, New York, NY.
- Shmatikov, V. 2004. Decidable analysis of cryptographic protocols with products and modular exponentiation. In Proceedings of the 13th European Symposium on Programming (ESOP 2004), D. Schmidt, Ed. Lecture Notes in Computer Science, vol. 2986. Springer, Berlin, Germany, 355--369.
- Steiner, M., Tsudik, G., and Waidner, M. 1998. CLIQUES: A new approach to key agreement. In Proceedings of the IEEE International Conference on Distributed Computing Systems (ICDCS 1998). IEEE Computer Society Press, Los Alamitos, CA, 380--387.
Index Terms
- Complexity results for security protocols with Diffie-Hellman exponentiation and commuting public key encryption