Logical Analysis and Verification of Cryptographic Protocols - Loria

Chapter 3
Analysis of protocols with collision
vulnerable hash functions
In this chapter, we consider the class of cryptographic protocols
that use collision vulnerable hash functions. Only a few years ago,
it was intractable to compute collisions on hash functions, so they
were considered to be collision resistant by cryptographers, and protocols
were built upon this assumption. From the nineties on, several
authors [98, 103, 199, 201] have proved the tractability of finding collision
attacks over several hash functions, and some practical methods
have been published to compute collisions on some commonly used
hash functions.
Following the symbolic method introduced in Chapter 2, we reduce
the insecurity problem of our class of cryptographic protocols
to the ordered satisfiability problem for the intruder that uses the collision
vulnerability property of hash functions when attacking a protocol
execution. We give an algorithm that the intruder employs to
compute collisions on hash functions. By this algorithm and roughly
following the results obtained in [74], we conjecture that the ordered
satisfiability problem for the intruder exploiting the collision vulnerability
property of hash functions can be reduced to the ordered satisfiability
problem for an intruder operating on words, that is with an
associative symbol of concatenation, and we show the decidability of
the last problem. The decidability of the ordered satisfiability problem
for the intruder operating on words is interesting in its own right
as it is the first decidability result that we are aware of for an intruder
system for which unification is infinitary, and that permits to consider
in other contexts an associative concatenation of messages instead of
their pairing. The results of this Chapter have been published in the
proceedings of ASIAN 2006 conference [67].
57