
YAPA: A Generic Tool for Computing Intruder Knowledge

Published: 01 February 2013

Abstract

Reasoning about the knowledge of an attacker is a necessary step in many formal analyses of security protocols. In the framework of the applied pi-calculus, as in similar languages based on equational logics, knowledge is typically expressed by two relations: deducibility and static equivalence. Several decision procedures have been proposed for these relations under a variety of equational theories. However, each theory has its particular algorithm, and none has been implemented so far.
We provide a generic procedure for deducibility and static equivalence that takes as input any convergent rewrite system. We show that our algorithm covers most of the existing decision procedures for convergent theories. We also provide an efficient implementation and compare it briefly with the tools ProVerif and KiSs.
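As an added illustration of the deducibility relation the abstract refers to (example code written for this page, not YAPA's implementation nor the paper's general procedure), the Python below decides intruder deduction for one small subterm convergent rewrite system, symmetric encryption with pairing and a hash, by saturating the attacker's initial knowledge with the destructor rules and then checking the target against the constructor closure. The rule set, the term encoding and the sample frame are constructed assumptions.

```python
# Added example: intruder deduction under a small subterm convergent theory.
# Terms are Python values: a str is a name, a tuple ("f", arg1, ...) is an
# application of f. All terms are assumed to be in normal form already.
# Assumed rewrite system (destructor -> result):
#   sdec(senc(x, k), k) -> x     fst(pair(x, y)) -> x     snd(pair(x, y)) -> y
# senc, pair and h are public constructors; h has no destructor (one-way hash).
CONSTRUCTORS = {"senc", "pair", "h"}

def built_from(target, known):
    """Constructor closure: target is already known, or it is f(t1..tn) with f
    a public constructor and every ti built from known terms."""
    if target in known:
        return True
    if isinstance(target, tuple) and target[0] in CONSTRUCTORS:
        return all(built_from(arg, known) for arg in target[1:])
    return False

def saturate(frame):
    """Close the frame (the attacker's initial knowledge) under the destructor
    rules. sdec fires only when the key is deducible from what is known so
    far, so we iterate to a fixpoint: newly learned keys unlock decryptions."""
    known = set(frame)
    changed = True
    while changed:
        changed = False
        for t in list(known):
            if not isinstance(t, tuple):
                continue
            if t[0] == "pair":
                learned = [t[1], t[2]]                   # fst / snd
            elif t[0] == "senc" and built_from(t[2], known):
                learned = [t[1]]                         # sdec with known key
            else:
                learned = []
            for u in learned:
                if u not in known:
                    known.add(u)
                    changed = True
    return known

def deducible(frame, target):
    """True iff the attacker can derive target from the frame."""
    return built_from(target, saturate(frame))

# Constructed frame: {senc(s, k), senc(k, pair(a, b)), a, b}. The attacker can
# rebuild pair(a, b), decrypt the second message to learn k, then learn s;
# a fresh name n stays underivable, as does s when k is never revealed.
FRAME = [("senc", "s", "k"), ("senc", "k", ("pair", "a", "b")), "a", "b"]
```

Static equivalence, the second relation named in the abstract, is not covered by this snippet; it asks whether two frames satisfy the same equalities between recipes, which needs more than a deducibility check.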


Published In

ACM Transactions on Computational Logic, Volume 14, Issue 1, February 2013, 263 pages
ISSN: 1529-3785
EISSN: 1557-945X
DOI: 10.1145/2422085

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Received: 01 May 2010
Revised: 01 April 2011
Accepted: 01 January 2012
Published: 01 February 2013, in TOCL Volume 14, Issue 1


Author Tags

1. Formal proofs
2. deduction
3. security protocols
4. static equivalence
5. verification
