43 research outputs found
Knowledge Flow Analysis for Security Protocols
Knowledge flow analysis offers a simple and flexible way to find flaws in
security protocols. A protocol is described by a collection of rules
constraining the propagation of knowledge amongst principals. Because this
characterization corresponds closely to informal descriptions of protocols, it
allows a succinct and natural formalization; because it abstracts away message
ordering, and handles communications between principals and applications of
cryptographic primitives uniformly, it is readily represented in a standard
logic. A generic framework in the Alloy modelling language is presented, and
instantiated for two standard protocols, and a new key management scheme.Comment: 20 page
Choreographies with Secure Boxes and Compromised Principals
We equip choreography-level session descriptions with a simple abstraction of
a security infrastructure. Message components may be enclosed within (possibly
nested) "boxes" annotated with the intended source and destination of those
components. The boxes are to be implemented with cryptography. Strand spaces
provide a semantics for these choreographies, in which some roles may be played
by compromised principals. A skeleton is a partially ordered structure
containing local behaviors (strands) executed by regular (non-compromised)
principals. A skeleton is realized if it contains enough regular strands so
that it could actually occur, in combination with any possible activity of
compromised principals. It is delivery guaranteed (DG) realized if, in
addition, every message transmitted to a regular participant is also delivered.
We define a novel transition system on skeletons, in which the steps add
regular strands. These steps solve tests, i.e. parts of the skeleton that could
not occur without additional regular behavior. We prove three main results
about the transition system. First, each minimal DG realized skeleton is
reachable, using the transition system, from any skeleton it embeds. Second, if
no step is possible from a skeleton A, then A is DG realized. Finally, if a DG
realized B is accessible from A, then B is minimal. Thus, the transition system
provides a systematic way to construct the possible behaviors of the
choreography, in the presence of compromised principals
Fair Exchange in Strand Spaces
Many cryptographic protocols are intended to coordinate state changes among
principals. Exchange protocols coordinate delivery of new values to the
participants, e.g. additions to the set of values they possess. An exchange
protocol is fair if it ensures that delivery of new values is balanced: If one
participant obtains a new possession via the protocol, then all other
participants will, too. Fair exchange requires progress assumptions, unlike
some other protocol properties. The strand space model is a framework for
design and verification of cryptographic protocols. A strand is a local
behavior of a single principal in a single session of a protocol. A bundle is a
partially ordered global execution built from protocol strands and adversary
activities. The strand space model needs two additions for fair exchange
protocols. First, we regard the state as a multiset of facts, and we allow
strands to cause changes in this state via multiset rewriting. Second, progress
assumptions stipulate that some channels are resilient-and guaranteed to
deliver messages-and some principals are assumed not to stop at certain
critical steps. This method leads to proofs of correctness that cleanly
separate protocol properties, such as authentication and confidentiality, from
invariants governing state evolution. G. Wang's recent fair exchange protocol
illustrates the approach
Computationally Sound Compositional Logic for Security Protocols
We have been developing a cryptographically sound formal logic for proving protocol security properties without explicitly reasoning about probability, asymptotic complexity, or the actions of a malicious attacker. The approach rests on a probabilistic, polynomial-time semantics for a protocol security logic that was originally developed using nondeterministic symbolic semantics. This workshop presentation will discuss ways in which the computational semantics lead to different reasoning methods and report our progress to date in several directions. One significant difference between the symbolic and computational settings results from the computational difference between efficiently recognizing and efficiently producing a value. Among the more recent developments are a compositional method for proving cryptographically sound properties of key exchange protocols, and some work on secrecy properties that illustrates the computational interpretation of inductive properties of protocol roles
Relating Process Algebras and Multiset Rewriting for Security Protocol Analysis
When formalizing security protocols, different specification languages support very different reasoning methodologies, whose results are not directly or easily comparable. Therefore, establishing clear relationships among different frameworks is highly desirable, as it permits various methodologies to cooperate by interpreting theoretical and practical results of one system in another. In this paper, we examine the nontrivial relationship between two general verification frameworks: multiset rewriting (MSR) and a process algebra (PA) inspired to the CCS and the -calculus. We present two separate mappings, one from MSR to PA and the other from PA to MSR. Although defining a simple and general bijection between MSR and PA appears difficult, we show that in the specific context of cryptographic protocols they do admit effective translations that preserve trace
Automated verification of equivalence properties of cryptographic protocols
The original publication is available at www.springerlink.comInternational audienceIndistinguishability properties are essential in formal verification of cryptographic protocols. They are needed to model anonymity of cryptographic protocols. They are needed to model anonymity properties, strong versions of confidentiality and resistance to offline guessing attacks, and can be conveniently modeled using process equivalences. We present a novel procedure to verify equivalence properties for bounded number of sessions. Our procedure is able to verify trace equivalence for determinate cryptographic protocols. On determinate protocols, trace equivalence coincides with observational equivalence which can therefore be automatically verified for such processes. When protocols are not determinate our procedure can be used for both under- and over-approximations of trace equivalence, which proved successful on examples. The procedure can handle a large set of cryptographic primitives, namely those which can be modeled by an optimally reducing convergent rewrite system. Although, we were unable to prove its termination, it has been implemented in a prototype tool and has been effectively tested on examples, some of which were outside the scope of existing tools