A static analysis of the applied Pi calculus
We present in this technical report a non-uniform static analysis for detecting the term-substitution property in systems specified in the language of the applied pi calculus. The analysis implements a denotational framework that has previously introduced analyses for the pi calculus and the spi calculus. The main novelty of this analysis is its ability to deal with systems specified in languages with non-free term algebras, like the applied pi calculus, where non-identity equations may relate different terms of the language. We demonstrate the applicability of the analysis to one famous security protocol, which uses non-identity equations, namely the Diffie-Hellman protocol
Formal Verification of Security Protocol Implementations: A Survey
Automated formal verification of security protocols has been mostly focused on analyzing high-level abstract models which, however, are significantly different from real protocol implementations written in programming languages. Recently, some researchers have started investigating techniques that bring automated formal proofs closer to real implementations. This paper surveys these attempts, focusing on approaches that target the application code that implements protocol logic, rather than the libraries that implement cryptography. According to these approaches, libraries are assumed to correctly implement some models. The aim is to derive formal proofs that, under this assumption, give assurance about the application code that implements the protocol logic. The two main approaches of model extraction and code generation are presented, along with the main techniques adopted for each approach.
Automated Symbolic Verification of Telegram's MTProto 2.0
MTProto 2.0 is a suite of cryptographic protocols for instant messaging at the core of the popular Telegram messenger application. In this paper we analyse MTProto 2.0 using the symbolic verifier ProVerif. We provide fully automated proofs of the soundness of MTProto 2.0's authentication, normal chat, end-to-end encrypted chat, and rekeying mechanisms with respect to several security properties, including authentication, integrity, secrecy and perfect forward secrecy; at the same time, we discover that the rekeying protocol is vulnerable to an unknown key-share (UKS) attack. We proceed in an incremental way: each protocol is examined in isolation, relying only on the guarantees provided by the previous ones and the robustness of the basic cryptographic primitives. Our research proves the formal correctness of MTProto 2.0 w.r.t. most relevant security properties, and it can serve as a reference for implementation and analysis of clients and servers. Comment: 19 pages
Provably correct Java implementations of Spi Calculus security protocols specifications
Spi Calculus is an untyped high-level modeling language for security protocols, used for formal protocol specification and verification. In this paper, a type system for the Spi Calculus and a translation function are formally defined, in order to formalize the refinement of a Spi Calculus specification into a Java implementation. The Java implementation generated by the translation function uses a custom Java library. Formal conditions on such a library are stated, so that, if the library implementation code satisfies such conditions, then the generated Java implementation correctly simulates the Spi Calculus specification. A verified implementation of part of the custom library is further presented.
Lengths May Break Privacy - Or How to Check for Equivalences with Length
Security protocols have been successfully analyzed using symbolic models, where messages are represented by terms and protocols by processes. Privacy properties like anonymity or untraceability are typically expressed as equivalence between processes. While some decision procedures have been proposed for automatically deciding process equivalence, all existing approaches abstract away the information an attacker may get when observing the length of messages.
In this paper, we study process equivalence with length tests. We first show that, in the static case, almost all existing decidability results (for static equivalence) can be extended to cope with length tests.
In the active case, we prove decidability of trace equivalence with length tests, for a bounded number of sessions and for standard primitives. Our result relies on a previous decidability result from Cheval et al (without length tests). Our procedure has been implemented and we have discovered a new flaw against privacy in the biometric passport protocol
Security analysis of a "Location-stamping" protocol for GPS coordinates
Due to the rapid growth of GNSS-based techniques in everyday life, a service which can provide certified location information given by GPS coordinates became an idea worth considering. We designed two protocols that can achieve this goal; these can provide authenticated location and time information for any device which has a GPS receiver. In this article, I would like to prove the latter statement with the help of the ProVerif software tool. I investigated the authenticity and data integrity properties of the protocol