9 research outputs found
Discovering ePassport Vulnerabilities using Bisimilarity
We uncover privacy vulnerabilities in the ICAO 9303 standard implemented by ePassports worldwide. These vulnerabilities, confirmed by ICAO, enable an ePassport holder who recently passed through a checkpoint to be reidentified without opening their ePassport. This paper explains how bisimilarity was used to discover these vulnerabilities, which exploit the BAC protocol - the original ICAO 9303 standard ePassport authentication protocol - and remain valid for the PACE protocol, which improves on the security of BAC in the latest ICAO 9303 standards. In order to tackle such bisimilarity problems, we develop here a chain of methods for the applied π-calculus including a symbolic under-approximation of bisimilarity, called open bisimilarity, and a modal logic, called classical FM, for describing and certifying attacks. Evidence is provided to argue for a new scheme for specifying such unlinkability problems that more accurately reflects the capabilities of an attacker.
Quantitative Hennessy-Milner Theorems via Notions of Density
The classical Hennessy-Milner theorem is an important tool in the analysis of concurrent processes; it guarantees that any two non-bisimilar states in finitely branching labelled transition systems can be distinguished by a modal formula. Numerous variants of this theorem have since been established for a wide range of logics and system types, including quantitative versions where lower bounds on behavioural distance (e.g. in weighted, metric, or probabilistic transition systems) are witnessed by quantitative modal formulas. Both the qualitative and the quantitative versions have been accommodated within the framework of coalgebraic logic, with distances taking values in quantales, subject to certain restrictions, such as being so-called value quantales. While previous quantitative coalgebraic Hennessy-Milner theorems apply only to liftings of set functors to (pseudo)metric spaces, in the present work we provide a quantitative coalgebraic Hennessy-Milner theorem that applies more widely to functors native to metric spaces; notably, we thus cover, for the first time, the well-known Hennessy-Milner theorem for continuous probabilistic transition systems, where transitions are given by Borel measures on metric spaces, as an instance of such a general result. In the process, we also relax the restrictions imposed on the quantale, and additionally parametrize the technical account over notions of closure and, hence, density, providing associated variants of the Stone-Weierstraß theorem; this allows us to cover, for instance, behavioural ultrametrics.
The hitchhiker's guide to decidability and complexity of equivalence properties in security protocols
Privacy-preserving security properties in cryptographic protocols are typically modelled by observational equivalences in process calculi such as the applied pi-calculus. We survey decidability and complexity results for the automated verification of such equivalences, casting existing results in a common framework which allows for a precise comparison. This unified view, beyond providing a clearer insight on the current state of the art, allowed us to identify some variations in the statements of the decision problems, sometimes resulting in different complexity results. Additionally, we prove a couple of novel or strengthened results.
Post-Quantum Security for the Extended Access Control Protocol
The Extended Access Control (EAC) protocol for authenticated key agreement is mainly used to secure connections between machine-readable travel documents (MRTDs) and inspection terminals, but it can also be adopted as a universal solution for attribute-based access control with smart cards. The security of EAC is currently based on the Diffie-Hellman problem, which may not be hard when considering quantum computers.
In this work we present PQ-EAC, a quantum-resistant version of the EAC protocol. We show how to achieve post-quantum confidentiality and authentication without sacrificing real-world usability on smart cards. To ease adoption, we present two main versions of PQ-EAC: One that uses signatures for authentication and one where authentication is facilitated using long-term KEM keys. Both versions can be adapted to achieve forward secrecy and to reduce round complexity. To ensure backwards-compatibility, PQ-EAC can be implemented using only Application Protocol Data Units (APDUs) specified for EAC in standard BSI TR-03110. Merely the protocol messages needed to achieve forward secrecy require an additional APDU not specified in TR-03110. We prove security of all versions in the real-or-random model of Bellare and Rogaway.
To show real-world practicality of PQ-EAC we have implemented a version using signatures on an ARM SC300 security controller, which is typically deployed in MRTDs. We also implemented PQ-EAC on a VISOCORE terminal for border control. We then conducted several experiments to evaluate the performance of PQ-EAC executed between chip and terminal under various real-world conditions. Our results strongly suggest that PQ-EAC is efficient enough for use in border control.
Analysis of Smartcard-based Payment Protocols in the Applied Pi-calculus using Quasi-Open Bisimilarity
Cryptographic protocols are instructions explaining how the communication between agents should be done. Critical infrastructure sectors, such as communication networks, financial services, information technology, transportation, etc., use security protocols at their very core to establish the information exchange between the components of the system. Symbolic verification is a discipline that investigates whether a given protocol satisfies the initial requirements and delivers exactly what it intends to deliver. An immediate goal of symbolic verification is to improve the reliability of existing systems - if a protocol is vulnerable, actions must be taken asap before a malicious attacker exploits it; a far-reaching goal is to improve the system design practices - when creating a new protocol, it must be proven correct before the implementation.
Properties of cryptographic protocols roughly fall into two categories. Either reachability-based, i.e. that a system can or cannot reach a state satisfying some condition, or equivalence-based, i.e. that a system is indistinguishable from its idealised version, where the desired property trivially holds. Security properties are often formulated as a reachability problem and privacy properties as an equivalence problem. While the study of security properties is relatively settled, and powerful tools like Tamarin and ProVerif, where it is possible to check reachability queries, exist, the study of privacy properties expressed as equivalence is only starting to gain momentum. Tools like DeepSec, Akiss, and, again, ProVerif offer only limited support when it comes to indistinguishability. This is partially due to the fact that the question "What is an attacker capable of?" is not answered definitively in the second case.
The widely-accepted default attacker, when it comes to security, is the so-called Dolev-Yao attacker, which has full control of the communication network; however, there is no default attacker who attempts to break the privacy of a protocol. The capabilities of such an attacker are reflected in the equivalence relation used to define a privacy property; hence the choice of such relation is crucial.
This dissertation justifies a particular equivalence relation called quasi-open bisimilarity which satisfies several natural requirements. It has a sound and complete modal logic characterisation, meaning that any attack on privacy has a practical interpretation; it enables compositional reasoning, meaning that a privacy property of a system automatically extends to a bigger system having the initial one as a component; and it captures the capability of an attacker to make decisions dynamically during the execution of the protocol.
We not only explain the notion of quasi-open bisimilarity, but we also employ it to study real-world protocols. The first protocol, UBDH, is an authenticated key agreement suitable for card payments, and the second protocol, UTX, is a smartcard-based payment protocol. Using quasi-open bisimilarity, we define the target privacy property of unlinkability, namely that it is impossible to link protocol sessions made with the same card, and prove that it holds for UBDH and UTX. The proofs that UBDH and UTX satisfy their privacy requirements are, to our knowledge, the first ones that demonstrate that a privacy property of a security protocol, defined as bisimilarity equivalence, is satisfied for an unbounded number of protocol sessions. Moreover, these proofs illustrate the methodology that could be employed to study the privacy of other protocols.
Proving Unlinkability using ProVerif through Desynchronized Bi-Processes
Unlinkability is a privacy property of crucial importance for several systems such as mobile phones or RFID chips. Analysing this security property is very complex, and highly error-prone. Therefore, formal verification with machine support is desirable. Unfortunately, existing techniques are not sufficient to directly apply verification tools to automatically prove unlinkability. In this paper, we overcome this limitation by defining a simple transformation that will exploit some specific features of ProVerif. This transformation, together with some generic axioms, allows the tool to successfully conclude on several case studies. We have implemented our approach, effectively obtaining direct proofs of unlinkability on several protocols that were, until now, out of reach of automatic verification tools.
The hitchhiker's guide to decidability and complexity of equivalence properties in security protocols (technical report)
Privacy-preserving security properties in cryptographic protocols are typically modelled by observational equivalences in process calculi such as the applied pi-calculus. We survey decidability and complexity results for the automated verification of such equivalences, casting existing results in a common framework which allows for a precise comparison. This unified view, beyond providing a clearer insight on the current state of the art, allowed us to identify some variations in the statements of the decision problems, sometimes resulting in different complexity results. Additionally, we prove a couple of novel or strengthened results.
Breaking Unlinkability of the ICAO 9303 Standard for e-Passports using Bisimilarity
We clear up confusion surrounding privacy claims about the ICAO 9303 standard for e-passports. The ICAO 9303 standard includes a Basic Access Control (BAC) protocol that should protect the user from being traced from one session to another. While it is well known that there are attacks on BAC, allowing an attacker to link multiple uses of the same passport, due to differences in implementation, there still remains confusion about whether there is an attack on unlinkability directly on the BAC protocol as specified in the ICAO 9303 standard. This paper clarifies the nature of the debate, and sources of potential confusion. We demonstrate that the original privacy claims made are flawed, by uncovering attacks on a strong formulation of unlinkability. We explain why the use of the bisimilarity equivalence technique is essential for uncovering our attacks. We also clarify what assumptions lead to proofs of formulations of unlinkability using weaker notions of equivalence. Furthermore, we propose a fix for BAC within the scope of the standard, and prove that it is correct, again using a state-of-the-art approach to bisimilarity.
Automatic analysis of equivalence properties for cryptographic protocols
As the number of devices able to communicate grows, so does the need to secure their interactions. The design of cryptographic protocols is a difficult task and prone to human errors. Formal verification of such protocols offers a way to automatically and exactly prove their security. In particular, we focus on automated verification methods to prove the equivalence of cryptographic protocols for an unbounded number of sessions. This kind of property naturally arises when dealing with the anonymity of electronic voting or the untraceability of electronic passports. Because the verification of equivalence properties is a complex issue, we first propose two methods to simplify it: first we design a transformation on protocols to delete any nonce while maintaining the soundness of equivalence checking; then we prove a typing result which decreases the search space for attacks without affecting the power of the attacker. Finally, we describe three classes of protocols for which equivalence is decidable in the symbolic model. These classes benefit from the simplification results stated earlier and enable us to automatically analyze tagged protocols with or without nonces, as well as ping-pong protocols.