Security Theorems via Model Theory
A model-theoretic approach can establish security theorems for cryptographic protocols. Formulas expressing authentication and non-disclosure properties of protocols have a special form. They are quantified implications: for all xs . (phi implies for some ys . psi). Models (interpretations) for these formulas are *skeletons*, partially ordered structures consisting of a number of local protocol behaviors. Realized skeletons contain enough local sessions to explain all the behavior, when combined with some possible adversary behaviors. We show two results. (1) If phi is the antecedent of a security goal, then there is a skeleton A_phi such that, for every skeleton B, phi is satisfied in B iff there is a homomorphism from A_phi to B. (2) A protocol enforces for all xs . (phi implies for some ys . psi) iff every realized homomorphic image of A_phi satisfies psi. Hence, to verify a security goal, one can use the Cryptographic Protocol Shapes Analyzer CPSA (TACAS, 2007) to identify minimal realized skeletons, or "shapes," that are homomorphic images of A_phi. If psi holds in each of these shapes, then the goal holds.
Fair Exchange in Strand Spaces
Many cryptographic protocols are intended to coordinate state changes among principals. Exchange protocols coordinate delivery of new values to the participants, e.g. additions to the set of values they possess. An exchange protocol is fair if it ensures that delivery of new values is balanced: if one participant obtains a new possession via the protocol, then all other participants will, too. Fair exchange requires progress assumptions, unlike some other protocol properties. The strand space model is a framework for design and verification of cryptographic protocols. A strand is a local behavior of a single principal in a single session of a protocol. A bundle is a partially ordered global execution built from protocol strands and adversary activities. The strand space model needs two additions for fair exchange protocols. First, we regard the state as a multiset of facts, and we allow strands to cause changes in this state via multiset rewriting. Second, progress assumptions stipulate that some channels are resilient (guaranteed to deliver messages) and that some principals are assumed not to stop at certain critical steps. This method leads to proofs of correctness that cleanly separate protocol properties, such as authentication and confidentiality, from invariants governing state evolution. G. Wang's recent fair exchange protocol illustrates the approach.
Analysis of randomized security protocols
Formal analysis has a long and successful track record in the automated verification of security protocols. Techniques in this domain have converged around modeling protocols as non-deterministic processes that interact asynchronously through an adversarial environment controlled by a Dolev-Yao attacker. There is, however, a large class of protocols whose correctness relies on an explicit ability to model and reason about randomness. Lying at the heart of many widely adopted systems for anonymous communication, these protocols have so far eluded automated verification techniques. The present work overcomes this long-standing obstacle, providing the first framework for analyzing randomized security protocols against Dolev-Yao attackers.
In this formalism, we present algorithms for model checking safety and indistinguishability properties of randomized security protocols. Our techniques are implemented in the Stochastic Protocol ANalyzer (SPAN) and evaluated on a new suite of benchmarks. Our benchmark examples include a brand-new class of protocols that have never been the subject of formal (symbolic) verification, including mix-networks, dining cryptographers networks, and several electronic voting protocols. During our analysis, we uncover previously unknown vulnerabilities in two popular electronic voting protocols from the literature.
The high overhead associated with verifying security protocols, in conjunction with the fact that protocols are rarely run in isolation, has created a demand for modular verification techniques. In our protocol analysis framework, we give a series of composition results for safety and indistinguishability properties of randomized security protocols.
Finally, we study the model checking problem for the probabilistic objects that lie at the heart of our protocol semantics. In particular, we present a novel technique that allows for the precise verification of probabilistic computation tree logic (PCTL) properties of discrete-time Markov chains (DTMCs) and Markov decision processes (MDPs) at scale. Although our motivation comes from protocol analysis, the techniques advance verification capabilities in many application areas.
Cryptographic protocol composition via the authentication tests
Abstract. Although cryptographic protocols are typically analyzed in isolation, they are used in combinations. If a protocol Π1, when analyzed alone, was shown to meet some security goals, will it still meet those goals when executed together with a second protocol Π2? Not necessarily: for every Π1, some Π2s undermine its goals. We use the strand space “authentication test” principles to suggest a criterion to ensure a Π2 preserves Π1’s goals; this criterion strengthens previous proposals. Security goals for Π1 are expressed in a language L(Π1) in classical logic. Strand spaces provide the models for L(Π1). Certain homomorphisms among models for L(Π) preserve the truth of the security goals. This gives a way to extract—from a counterexample to a goal that uses both protocols—a counterexample using only the first protocol. This model-theoretic technique, using homomorphisms among models to prove results about a syntactically defined set of formulas, appears to be novel for protocol analysis.