Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties

Authors: Benedikt Schmidt, Simon Meier, Cas J. F. Cremers and David A. Basin
Venue: 2012 IEEE 25th Computer Security Foundations Symposium
We present a general approach for the symbolic analysis of security protocols that use Diffie-Hellman exponentiation to achieve advanced security properties. We model protocols as multiset rewriting systems and security properties as first-order formulas. We analyze them using a novel constraint-solving algorithm that supports both falsification and verification, even in the presence of an unbounded number of protocol sessions. The algorithm exploits the finite variant property and builds on… 


Automated Verification of Group Key Agreement Protocols
This work provides the first symbolic correctness proofs for group key agreement protocols that use Diffie-Hellman or bilinear pairing, loops, and recursion, while at the same time supporting advanced security properties, such as perfect forward secrecy and eCK-security.
Decidability for Lightweight Diffie-Hellman Protocols
This paper develops an algebraic version of the symbolic approach, working directly within finite fields, the natural structures for the protocols, and proves that security goals for a wide class of protocols are decidable.
Efficient construction of machine-checked symbolic protocol security proofs
An untyped security protocol model is embedded in the interactive theorem prover Isabelle/HOL and a theory for constructing proofs of secrecy and authentication properties is derived, based on an inference rule for enumerating the possible origins of messages known to the intruder.
An Algebra for Symbolic Diffie-Hellman Protocol Analysis
It is proved that the adversary can never construct a message with a new indicator in the authors' adversary model, one of the main security goals achieved by UM, a protocol using Diffie-Hellman for implicit authentication.
Model Checking Indistinguishability of Randomized Security Protocols
The first practical algorithms for model checking indistinguishability properties of randomized security protocols against the powerful threat model of a bounded Dolev-Yao adversary are given.
Automated Cryptographic Analysis of the Pedersen Commitment Scheme
This paper presents a mechanised formal verification of the popular Pedersen commitment protocol, proving its security properties of correctness, perfect hiding, and computational binding.
Enrich-by-need Protocol Analysis for Diffie-Hellman (Extended Version)
This paper describes how to analyze protocols using the Diffie-Hellman mechanism for key agreement (DH) in the enrich-by-need style via an algebraically natural model, which makes the extended CPSA implementation reliable.
ESSM: Formal Analysis Framework for Protocol to Support Algebraic Operations and More Attack Capabilities
The extended strand space model (ESSM) framework is established to describe algebraic semantics, including the Abelian group and the XOR operation, and a threat model based on algebraic attacks, key-compromise impersonation attacks, and guess attacks.
Research on Security Protocol Analysis Tool SmartVerif
This paper introduces SmartVerif, the first formal analysis tool to automatically verify the security of protocols through dynamic strategies, and uses it to verify the pseudo-randomness of the encapsulated key of the Two-Pass AKE protocol proposed by Liu at ASIACRYPT 2020.
Refining security protocols
The development highlights that guard protocols and channel protocols provide fundamental abstractions for bridging the gap between security properties and standard protocol descriptions based on cryptographic messages, and shows that the refinement approach scales to protocols of nontrivial size and complexity.
Decidable Analysis of Cryptographic Protocols with Products and Modular Exponentiation
For a finite number of protocol sessions, this result enables fully automated, sound and complete analysis of protocols that employ primitives such as Diffie-Hellman exponentiation and modular multiplication without imposing any bounds on the size of terms created by the attacker.
Automated Proofs for Diffie-Hellman-Based Key Exchanges
An automated verification method for the security of Diffie-Hellman-based key exchange protocols is presented, which combines a Hoare-style logic with syntactic checking.
Diffie-Hellman without Difficulty
S. Mödersheim. Formal Aspects in Security and Trust, 2011.
For a large class of protocols, significantly restricting the abilities of the intruder is without loss of attacks, which enables the efficient use of free-algebra verification tools for Diffie-Hellman based protocols and significantly reduces search-spaces for tools that do support algebraic reasoning.
Sound Approximations to Diffie-Hellman Using Rewrite Rules
The paper discusses the feasibility of approximating the commutative rule for exponentiation with a pair of rewrite rules; in unification-based systems, this changes the complexity of the unification algorithm from at best exponential to at worst quadratic in the number of variables.
Using ProVerif to Analyze Protocols with Diffie-Hellman Exponentiation
Surprisingly, the reduction for Diffie-Hellman exponentiation is more efficient than the one for XOR, and it works for a large class of Horn theories, allowing one to model a wide range of intruder capabilities and protocols.
Strong Invariants for the Efficient Construction of Machine-Checked Protocol Security Proofs
We embed an operational semantics for security protocols in the interactive theorem prover Isabelle/HOL and derive two strong protocol-independent invariants. These invariants allow us to reason
LTL Model Checking for Security Protocols
R. Carbone. 20th IEEE Computer Security Foundations Symposium (CSF'07), 2007.
This paper proposes a general model for security protocols based on the set-rewriting formalism that allows for the specification of assumptions on principals and communication channels as well as complex security properties that are normally not handled by state-of-the-art protocol analysers.
State space reduction in the Maude-NRL Protocol Analyzer
The Scyther Tool: Verification, Falsification, and Analysis of Security Protocols
The most effective approach so far has been automated falsification or verification of such protocols with state-of-the-art tools such as ProVerif or the Avispa tools, which have proven effective at finding attacks on protocols or establishing their correctness.