Constraint solving techniques and enriching the model with equational theories

Abstract

Derivability constraints represent in a symbolic way the in finite set of possible executions of a finite protocol, in presence of an ar bitr y active attacker. Solving a derivability constraint consists in computing a s implified representation of such executions, which is amenable to the verification of a ny (trace) security property. Our goal is to explain this method on a non-trivial combination of primitives. In this chapter we explain how to model the protocol executio ns using derivability constraints, and how such constraints are interpreted, d pending on the cryptographic primitives and the assumed attacker capabilitie s. Such capabilities are represented as a deduction system that has some specific prop erties. We choose as an example the combination of exclusive-or, symmetric encr yption/decryption and pairing/unpairing. We explain the properties of the deduct ion system in this case and give a complete and terminating set of rules that solves d erivability constraints. A similar set of rules has been already published for the clas sic l Dolev-Yao attacker, but it is a new result for the combination of primitiv es that we consider. This allows to decide trace security properties for this com bination of primitives and arbitrary finite protocols.