10,990 research outputs found
Relating two standard notions of secrecy
Two styles of definitions are usually considered to express that a security
protocol preserves the confidentiality of a data s. Reachability-based secrecy
means that s should never be disclosed while equivalence-based secrecy states
that two executions of a protocol with distinct instances for s should be
indistinguishable to an attacker. Although the second formulation ensures a
higher level of security and is closer to cryptographic notions of secrecy,
decidability results and automatic tools have mainly focused on the first
definition so far.
This paper initiates a systematic investigation of the situations where
syntactic secrecy entails strong secrecy. We show that in the passive case,
reachability-based secrecy actually implies equivalence-based secrecy for
digital signatures, symmetric and asymmetric encryption provided that the
primitives are probabilistic. For active adversaries, we provide sufficient
(and rather tight) conditions on the protocol for this implication to hold.Comment: 29 pages, published in LMC
Safe abstractions of data encodings in formal security protocol models
When using formal methods, security protocols are usually modeled at a high level of abstraction. In particular, data encoding and decoding transformations are often abstracted away. However, if no assumptions at all are made on the behavior of such transformations, they could trivially lead to security faults, for example leaking secrets or breaking freshness by collapsing nonces into constants. In order to address this issue, this paper formally states sufficient conditions, checkable on sequential code, such that if an abstract protocol model is secure under a Dolev-Yao adversary, then a refined model, which takes into account a wide class of possible implementations of the encoding/decoding operations, is implied to be secure too under the same adversary model. The paper also indicates possible exploitations of this result in the context of methods based on formal model extraction from implementation code and of methods based on automated code generation from formally verified model
Formally based semi-automatic implementation of an open security protocol
International audienceThis paper presents an experiment in which an implementation of the client side of the SSH Transport Layer Protocol (SSH-TLP) was semi-automatically derived according to a model-driven development paradigm that leverages formal methods in order to obtain high correctness assurance. The approach used in the experiment starts with the formalization of the protocol at an abstract level. This model is then formally proved to fulfill the desired secrecy and authentication properties by using the ProVerif prover. Finally, a sound Java implementation is semi-automatically derived from the verified model using an enhanced version of the Spi2Java framework. The resulting implementation correctly interoperates with third party servers, and its execution time is comparable with that of other manually developed Java SSH-TLP client implementations. This case study demonstrates that the adopted model-driven approach is viable even for a real security protocol, despite the complexity of the models needed in order to achieve an interoperable implementation
Privacy protocols
Security protocols enable secure communication over insecure channels.
Privacy protocols enable private interactions over secure channels. Security
protocols set up secure channels using cryptographic primitives. Privacy
protocols set up private channels using secure channels. But just like some
security protocols can be broken without breaking the underlying cryptography,
some privacy protocols can be broken without breaking the underlying security.
Such privacy attacks have been used to leverage e-commerce against targeted
advertising from the outset; but their depth and scope became apparent only
with the overwhelming advent of influence campaigns in politics. The blurred
boundaries between privacy protocols and privacy attacks present a new
challenge for protocol analysis. Covert channels turn out to be concealed not
only below overt channels, but also above: subversions, and the level-below
attacks are supplemented by sublimations and the level-above attacks.Comment: 38 pages, 6 figure
Partial Order Reduction for Security Protocols
Security protocols are concurrent processes that communicate using
cryptography with the aim of achieving various security properties. Recent work
on their formal verification has brought procedures and tools for deciding
trace equivalence properties (e.g., anonymity, unlinkability, vote secrecy) for
a bounded number of sessions. However, these procedures are based on a naive
symbolic exploration of all traces of the considered processes which,
unsurprisingly, greatly limits the scalability and practical impact of the
verification tools.
In this paper, we overcome this difficulty by developing partial order
reduction techniques for the verification of security protocols. We provide
reduced transition systems that optimally eliminate redundant traces, and which
are adequate for model-checking trace equivalence properties of protocols by
means of symbolic execution. We have implemented our reductions in the tool
Apte, and demonstrated that it achieves the expected speedup on various
protocols
A Temporal Logic for Hyperproperties
Hyperproperties, as introduced by Clarkson and Schneider, characterize the
correctness of a computer program as a condition on its set of computation
paths. Standard temporal logics can only refer to a single path at a time, and
therefore cannot express many hyperproperties of interest, including
noninterference and other important properties in security and coding theory.
In this paper, we investigate an extension of temporal logic with explicit path
variables. We show that the quantification over paths naturally subsumes other
extensions of temporal logic with operators for information flow and knowledge.
The model checking problem for temporal logic with path quantification is
decidable. For alternation depth 1, the complexity is PSPACE in the length of
the formula and NLOGSPACE in the size of the system, as for linear-time
temporal logic
- …