24 research outputs found
On the Reachability Problem in Cryptographic Protocols
We study the verification of secrecy and authenticity properties for cryptogra- phic protocols which rely on symmetric shared keys. The verification can be reduced to check whether a certain parallel program which models the protocol and the specification can reach an erroneous state while interacting with the environment. Assuming finite principals, we present a simple decision procedure for the reachability problem which is based on a symbolic' reduction system
On the Reachability Problem in Cryptographic Protocols
We study the verification of secrecy and authenticity properties for cryptogra- phic protocols which rely on symmetric shared keys. The verification can be reduced to check whether a certain parallel program which models the protocol and the specification can reach an erroneous state while interacting with the environment. Assuming finite principals, we present a simple decision procedure for the reachability problem which is based on a symbolic' reduction system
Finitary Deduction Systems
Cryptographic protocols are the cornerstone of security in distributed
systems. The formal analysis of their properties is accordingly one of the
focus points of the security community, and is usually split among two groups.
In the first group, one focuses on trace-based security properties such as
confidentiality and authentication, and provides decision procedures for the
existence of attacks for an on-line attackers. In the second group, one focuses
on equivalence properties such as privacy and guessing attacks, and provides
decision procedures for the existence of attacks for an offline attacker. In
all cases the attacker is modeled by a deduction system in which his possible
actions are expressed. We present in this paper a notion of finitary deduction
systems that aims at relating both approaches. We prove that for such deduction
systems, deciding equivalence properties for on-line attackers can be reduced
to deciding reachability properties in the same setting.Comment: 30 pages. Work begun while in the CASSIS Project, INRIA Nancy Grand
Es
Relating two standard notions of secrecy
Two styles of definitions are usually considered to express that a security
protocol preserves the confidentiality of a data s. Reachability-based secrecy
means that s should never be disclosed while equivalence-based secrecy states
that two executions of a protocol with distinct instances for s should be
indistinguishable to an attacker. Although the second formulation ensures a
higher level of security and is closer to cryptographic notions of secrecy,
decidability results and automatic tools have mainly focused on the first
definition so far.
This paper initiates a systematic investigation of the situations where
syntactic secrecy entails strong secrecy. We show that in the passive case,
reachability-based secrecy actually implies equivalence-based secrecy for
digital signatures, symmetric and asymmetric encryption provided that the
primitives are probabilistic. For active adversaries, we provide sufficient
(and rather tight) conditions on the protocol for this implication to hold.Comment: 29 pages, published in LMC
A Simple Constraint-solving Decision Procedure for Protocols with Exclusive or
We present a procedure for deciding security of protocols employing the Exclusive or operator. This procedure relies on a direct combination of a constraint solver for security protocol with a unification algorithm for the exclusive-or theory. Hence compared to the previous ones it is much simpler and easily amenable to automation. The principle of the approach can be applied to other theories too
Analysis of security protocols as open systems
We propose a methodology for the formal analysis of security protocols. This originates from the observation that the verification of security protocols can be conveniently treated as the verification of open systems, i.e. systems which may have unspecified components. These might be used to represent a hostile environment wherein the protocol runs and whose behavior cannot be predicted a priori. We define a language for the description of security protocols, namely Crypto-CCS, and a logical language for expressing their properties. We provide an effective verification method for security protocols which is based on a suitable extension of partial model checking. Indeed, we obtain a decidability result for the secrecy analysis of protocols with a finite number of sessions, bounded message size and new nonce generation
Tree automata with one memory set constraints and cryptographic protocols
AbstractWe introduce a class of tree automata that perform tests on a memory that is updated using function symbol application and projection. The language emptiness problem for this class of tree automata is shown to be in DEXPTIME.We also introduce a class of set constraints with equality tests and prove its decidability by completion techniques and a reduction to tree automata with one memory.Finally, we show how to apply these results to cryptographic protocols. We introduce a class of cryptographic protocols and show the decidability of secrecy for an arbitrary number of agents and an arbitrary number of (concurrent or successive) sessions, provided that only a bounded number of new data is generated. The hypothesis on the protocol (a restricted copying ability) is shown to be necessary: without this hypothesis, we prove that secrecy is undecidable, even for protocols without nonces