18 research outputs found
Modeling and Verifying Security Protocols with the Applied Pi Calculus and ProVerif
International audienceProVerif is an automatic symbolic protocol verifier. It supports a wide range of cryptographic primitives, defined by rewrite rules or by equations. It can prove various security properties: secrecy, authentication, and process equivalences, for an unbounded message space and an unbounded number of sessions. It takes as input a description of the protocol to verify in a dialect of the applied pi calculus, an extension of the pi calculus with cryptography. It automatically translates this protocol description into Horn clauses and determines whether the desired security properties hold by resolution on these clauses. This survey presents an overview of the research on ProVerif
Verifying Privacy-Type Properties in a Modular Way
Formal methods have proved their usefulness for analysing the security of protocols. In this setting, privacy-type security properties (e.g. vote-privacy, anonymity, unlink ability) that play an important role in many modern applications are formalised using a notion of equivalence. In this paper, we study the notion of trace equivalence and we show how to establish such an equivalence relation in a modular way. It is well-known that composition works well when the processes do not share secrets. However, there is no result allowing us to compose processes that rely on some shared secrets such as long term keys. We show that composition works even when the processes share secrets provided that they satisfy some reasonable conditions. Our composition result allows us to prove various equivalence-based properties in a modular way, and works in a quite general setting. In particular, we consider arbitrary cryptographic primitives and processes that use non-trivial else branches. As an example, we consider the ICAO e-passport standard, and we show how the privacy guarantees of the whole application can be derived from the privacy guarantees of its sub-protocols
Relating two standard notions of secrecy
Two styles of definitions are usually considered to
express that a security protocol preserves the confidentiality of a
data { t s}. Reach-ability-based secrecy means that { t s} should
never be disclosed while equi-valence-based secrecy states that two
executions of a protocol with distinct instances for { t s} should
be indistinguishable to an attacker. Although the second formulation
ensures a higher level of security and is closer to cryptographic
notions of secrecy, decidability results and automatic tools have
mainly focused on the first definition so far.
This paper initiates a systematic investigation of situations where
syntactic secrecy entails strong secrecy.
We show that in the passive case, reachability-based secrecy
actually implies equivalence-based secrecy for signatures, symmetric
and asymmetric encryption provided that the primitives are
probabilistic. For active adversaries in the case of symmetric
encryption, we provide sufficient (and rather tight) conditions on
the protocol for this implication to hold
Tree automata with one memory set constraints and cryptographic protocols
AbstractWe introduce a class of tree automata that perform tests on a memory that is updated using function symbol application and projection. The language emptiness problem for this class of tree automata is shown to be in DEXPTIME.We also introduce a class of set constraints with equality tests and prove its decidability by completion techniques and a reduction to tree automata with one memory.Finally, we show how to apply these results to cryptographic protocols. We introduce a class of cryptographic protocols and show the decidability of secrecy for an arbitrary number of agents and an arbitrary number of (concurrent or successive) sessions, provided that only a bounded number of new data is generated. The hypothesis on the protocol (a restricted copying ability) is shown to be necessary: without this hypothesis, we prove that secrecy is undecidable, even for protocols without nonces
Formal Models and Techniques for Analyzing Security Protocols: A Tutorial
International audienceSecurity protocols are distributed programs that aim at securing communications by the means of cryptography. They are for instance used to secure electronic payments, home banking and more recently electronic elections. Given The financial and societal impact in case of failure, and the long history of design flaws in such protocol, formal verification is a necessity. A major difference from other safety critical systems is that the properties of security protocols must hold in the presence of an arbitrary adversary. The aim of this paper is to provide a tutorial to some modern approaches for formally modeling protocols, their goals and automatically verifying them
Analyse automatique de propriĂ©tĂ©s dâĂ©quivalence pour les protocoles cryptographiques
As the number of devices able to communicate grows, so does the need to secure their interactions. The design of cryptographic protocols is a difficult task and prone to human errors. Formal verification of such protocols offers a way to automatically and exactly prove their security. In particular, we focus on automated verification methods to prove the equivalence of cryptographic protocols for a un-bounded number of sessions. This kind of property naturally arises when dealing with the anonymity of electronic votingor the untracability of electronic passports. Because the verification of equivalence properties is a complex issue, we first propose two methods to simplify it: first we design a transformation on protocols to delete any nonce while maintaining the soundness of equivalence checking; then we prove a typing result which decreases the search space for attacks without affecting the power of the attacker. Finally, we describe three classes of protocols for which equivalence is decidable in the symbolic model. These classes benefit from the simplification results stated earlier and enable us to automatically analyze tagged protocols with or without nonces, as well as ping-pong protocols.Ă mesure que le nombre dâobjets capables de communiquer croĂźt, le besoin de sĂ©curiser leurs interactions Ă©galement. La conception des protocoles cryptographiques nĂ©cessaires pour cela est une tĂąche notoirement complexe et frĂ©quemment sujette aux erreurs humaines. La vĂ©rification formelle de protocoles entend offrir des mĂ©thodes automatiques et exactes pour sâassurer de leur sĂ©curitĂ©. Nous nous intĂ©ressons en particulier aux mĂ©thodes de vĂ©rification automatique des propriĂ©tĂ©s dâĂ©quivalence pour de tels protocoles dans le modĂšle symbolique et pour un nombre non bornĂ© de sessions. Les propriĂ©tĂ©s dâĂ©quivalences ont naturellement employĂ©es pour sâassurer, par exemple, de lâanonymat du vote Ă©lectronique ou de la non-traçabilitĂ© des passeports Ă©lectroniques. Parce que la vĂ©rification de propriĂ©tĂ©s dâĂ©quivalence est un problĂšme complexe, nous proposons dans un premier temps deux mĂ©thodes pour en simplifier la vĂ©rification : tout dâabord une mĂ©thode pour supprimer lâutilisation des nonces dans un protocole tout en prĂ©servant la correction de la vĂ©rification automatique; puis nous dĂ©montrons un rĂ©sultat de typage qui permet de restreindre lâespace de recherche dâattaques sans pour autant affecter le pouvoir de lâattaquant. Dans un second temps nous exposons trois classes de protocoles pour lesquelles la vĂ©rification de lâĂ©quivalence dans le modĂšle symbolique est dĂ©cidable. Ces classes bĂ©nĂ©ficient des mĂ©thodes de simplification prĂ©sentĂ©es plus tĂŽt et permettent dâĂ©tudier automatiquement des protocoles tagguĂ©s, avec ou sans nonces, ou encore des protocoles ping-pong
The hitchhiker's guide to decidability and complexity of equivalence properties in security protocols (technical report)
Privacy-preserving security properties in cryptographic protocols are typically modelled by observational equivalences in process calculi such as the applied pi-calulus. We survey decidability and complexity results for the automated verification of such equivalences , casting existing results in a common framework which allows for a precise comparison. This uni ed view, beyond providing a clearer insight on the current state of the art, allowed us to identify some variations in the statements of the decision problems â sometimes resulting in different complexity results. Additionally, we prove a couple of novel or strengthened results
DeepSec: Deciding Equivalence Properties for Security Protocols -- Improved theory and practice
Automated verification has become an essential part in the security
evaluation of cryptographic protocols. In this context privacy-type properties
are often modelled by indistinguishability statements, expressed as behavioural
equivalences in a process calculus. In this paper we contribute both to the
theory and practice of this verification problem. We establish new complexity
results for static equivalence, trace equivalence and labelled bisimilarity and
provide a decision procedure for these equivalences in the case of a bounded
number of protocol sessions. Our procedure is the first to decide trace
equivalence and labelled bisimilarity exactly for a large variety of
cryptographic primitives -- those that can be represented by a subterm
convergent destructor rewrite system. We also implemented the procedure in a
new tool, DeepSec. We showed through extensive experiments that it is
significantly more efficient than other similar tools, while at the same time
raises the scope of the protocols that can be analysed.Comment: 104 page
Advanced Features in Protocol Verification: Theory, Properties, and Efficiency in Maude-NPA
The area of formal analysis of cryptographic protocols has been an active
one since the mid 80âs. The idea is to verify communication protocols
that use encryption to guarantee secrecy and that use authentication of
data to ensure security. Formal methods are used in protocol analysis to
provide formal proofs of security, and to uncover bugs and security flaws
that in some cases had remained unknown long after the original protocol
publication, such as the case of the well known Needham-Schroeder
Public Key (NSPK) protocol. In this thesis we tackle problems regarding
the three main pillars of protocol verification: modelling capabilities,
verifiable properties, and efficiency.
This thesis is devoted to investigate advanced features in the analysis
of cryptographic protocols tailored to the Maude-NPA tool. This tool
is a model-checker for cryptographic protocol analysis that allows for
the incorporation of different equational theories and operates in the
unbounded session model without the use of data or control abstraction.
An important contribution of this thesis is relative to theoretical aspects
of protocol verification in Maude-NPA. First, we define a forwards
operational semantics, using rewriting logic as the theoretical framework
and the Maude programming language as tool support. This is the first
time that a forwards rewriting-based semantics is given for Maude-NPA.
Second, we also study the problem that arises in cryptographic protocol
analysis when it is necessary to guarantee that certain terms generated
during a state exploration are in normal form with respect to the protocol
equational theory.
We also study techniques to extend Maude-NPA capabilities to support
the verification of a wider class of protocols and security properties.
First, we present a framework to specify and verify sequential protocol
compositions in which one or more child protocols make use of information obtained from running a parent protocol. Second, we present a
theoretical framework to specify and verify protocol indistinguishability
in Maude-NPA. This kind of properties aim to verify that an attacker
cannot distinguish between two versions of a protocol: for example, one
using one secret and one using another, as it happens in electronic voting
protocols.
Finally, this thesis contributes to improve the efficiency of protocol
verification in Maude-NPA. We define several techniques which drastically
reduce the state space, and can often yield a finite state space,
so that whether the desired security property holds or not can in fact
be decided automatically, in spite of the general undecidability of such
problems.Santiago Pinazo, S. (2015). Advanced Features in Protocol Verification: Theory, Properties, and Efficiency in Maude-NPA [Tesis doctoral no publicada]. Universitat PolitĂšcnica de ValĂšncia. https://doi.org/10.4995/Thesis/10251/4852