47 research outputs found
Decidable Inductive Invariants for Verification of Cryptographic Protocols with Unbounded Sessions
We develop a theory of decidable inductive invariants for an infinite-state variant of the Applied ?calc, with applications to automatic verification of stateful cryptographic protocols with unbounded sessions/nonces. Since the problem is undecidable in general, we introduce depth-bounded protocols, a strict generalisation of a class from the literature, for which our decidable analysis is sound and complete. Our core contribution is a procedure to check that an invariant is inductive, which implies that every reachable configuration satisfies it. Our invariants can capture security properties like secrecy, can be inferred automatically, and represent an independently checkable certificate of correctness. We provide a prototype implementation and we report on its performance on some textbook examples
Relating two standard notions of secrecy
Two styles of definitions are usually considered to express that a security
protocol preserves the confidentiality of a data s. Reachability-based secrecy
means that s should never be disclosed while equivalence-based secrecy states
that two executions of a protocol with distinct instances for s should be
indistinguishable to an attacker. Although the second formulation ensures a
higher level of security and is closer to cryptographic notions of secrecy,
decidability results and automatic tools have mainly focused on the first
definition so far.
This paper initiates a systematic investigation of the situations where
syntactic secrecy entails strong secrecy. We show that in the passive case,
reachability-based secrecy actually implies equivalence-based secrecy for
digital signatures, symmetric and asymmetric encryption provided that the
primitives are probabilistic. For active adversaries, we provide sufficient
(and rather tight) conditions on the protocol for this implication to hold.Comment: 29 pages, published in LMC
Bounding messages for free in security protocols - extension to various security properties
International audienceWhile the verification of security protocols has been proved to be undecidable in general, several approaches use simplifying hypotheses in order to obtain decidability for interesting subclasses. Amongst the most common is type abstraction, i.e. considering only well-typed runs of the protocol, therefore bounding message length. In this paper, we show how to get message boundedness âfor freeâ under a reasonable (syntactic) assumption on protocols, in order to verify a variety of interesting security properties including secrecy and several authentication properties. This enables us to improve existing decidability results by restricting the search space for attacks
Decidability of trace equivalence for protocols with nonces
International audiencePrivacy properties such as anonymity, unlinkability, or vote secrecy are typically expressed as equivalence properties.In this paper, we provide the first decidability result for trace equivalence of security protocols, for an unbounded number of sessions and unlimited fresh nonces. Our class encompasses most symmetric key protocols of the literature, in their tagged variant
Typing messages for free in security protocols: the case of equivalence properties
Our first main contribution is to reduce the search space for attacks. Specifically, we show that if there is an attack then there is one that is well-typed. Our result holds for a large class of typing systems and a large class of determinate security protocols. Assuming finitely many nonces and keys, we can derive from this result that trace equivalence is decidable for an unbounded number of sessions for a class of tagged protocols, yielding one of the first decidability results for the unbounded case. As an intermediate result, we also provide a novel decision procedure in the case of a bounded number of sessions
Analyse automatique de propriĂ©tĂ©s dâĂ©quivalence pour les protocoles cryptographiques
As the number of devices able to communicate grows, so does the need to secure their interactions. The design of cryptographic protocols is a difficult task and prone to human errors. Formal verification of such protocols offers a way to automatically and exactly prove their security. In particular, we focus on automated verification methods to prove the equivalence of cryptographic protocols for a un-bounded number of sessions. This kind of property naturally arises when dealing with the anonymity of electronic votingor the untracability of electronic passports. Because the verification of equivalence properties is a complex issue, we first propose two methods to simplify it: first we design a transformation on protocols to delete any nonce while maintaining the soundness of equivalence checking; then we prove a typing result which decreases the search space for attacks without affecting the power of the attacker. Finally, we describe three classes of protocols for which equivalence is decidable in the symbolic model. These classes benefit from the simplification results stated earlier and enable us to automatically analyze tagged protocols with or without nonces, as well as ping-pong protocols.Ă mesure que le nombre dâobjets capables de communiquer croĂźt, le besoin de sĂ©curiser leurs interactions Ă©galement. La conception des protocoles cryptographiques nĂ©cessaires pour cela est une tĂąche notoirement complexe et frĂ©quemment sujette aux erreurs humaines. La vĂ©rification formelle de protocoles entend offrir des mĂ©thodes automatiques et exactes pour sâassurer de leur sĂ©curitĂ©. Nous nous intĂ©ressons en particulier aux mĂ©thodes de vĂ©rification automatique des propriĂ©tĂ©s dâĂ©quivalence pour de tels protocoles dans le modĂšle symbolique et pour un nombre non bornĂ© de sessions. Les propriĂ©tĂ©s dâĂ©quivalences ont naturellement employĂ©es pour sâassurer, par exemple, de lâanonymat du vote Ă©lectronique ou de la non-traçabilitĂ© des passeports Ă©lectroniques. Parce que la vĂ©rification de propriĂ©tĂ©s dâĂ©quivalence est un problĂšme complexe, nous proposons dans un premier temps deux mĂ©thodes pour en simplifier la vĂ©rification : tout dâabord une mĂ©thode pour supprimer lâutilisation des nonces dans un protocole tout en prĂ©servant la correction de la vĂ©rification automatique; puis nous dĂ©montrons un rĂ©sultat de typage qui permet de restreindre lâespace de recherche dâattaques sans pour autant affecter le pouvoir de lâattaquant. Dans un second temps nous exposons trois classes de protocoles pour lesquelles la vĂ©rification de lâĂ©quivalence dans le modĂšle symbolique est dĂ©cidable. Ces classes bĂ©nĂ©ficient des mĂ©thodes de simplification prĂ©sentĂ©es plus tĂŽt et permettent dâĂ©tudier automatiquement des protocoles tagguĂ©s, avec ou sans nonces, ou encore des protocoles ping-pong