    Untraceability in the applied pi-calculus

    How to Work with Honest but Curious Judges? (Preliminary Report)

    The three-judges protocol, recently advocated by McIver and Morgan as an example of stepwise refinement of security protocols, studies how to securely compute the majority function to reach a final verdict without revealing each individual judge's decision. We extend their protocol in two different ways to an arbitrary number of 2n+1 judges. The first generalisation is inherently centralised, in the sense that it requires a judge as a leader who collects information from the others, computes the majority function, and announces the final result. A different approach can be obtained by slightly modifying the well-known dining cryptographers protocol; however, it reveals the number of votes rather than only the final verdict. We define a notion of conditional anonymity in order to analyse these two solutions. Both of them have been checked in the model checker MCMAS.

    Classification, Formalization and Automatic Verification of Untraceability in RFID Protocols

    Résumé (translated from French): RFID security protocols are a subset of cryptographic protocols, but with lightweight cryptographic functions. Their main objective is identification with respect to certain privacy properties such as untraceability and forward secrecy. Privacy is an essential aspect of today's society. An RFID identification protocol should not only allow a legitimate reader to authenticate a tag, but must also protect the tag's privacy. Security flaws have been discovered in most of these protocols, despite the considerable time and effort required to design and implement cryptographic protocols. Responsibility for adequate verification therefore becomes crucial. Formal methods can play an essential role in the development of reliable security protocols. Critical systems that require high reliability, such as security protocols, are difficult to evaluate using conventional testing and simulation techniques. This has focused research on formal verification techniques for such systems in order to ensure a high degree of reliability. Consequently, some research has been done in this area, but an explicit definition of some of these security properties has not yet been given. The main objective of this thesis is to demonstrate the use of formal methods to analyse the privacy properties of RFID protocols. Several definitions of the untraceability property are given in the literature, but there is no agreement on its exact definition. We introduce three different levels for this property with respect to existing privacy experiments. We also classify all existing definitions of untraceability in the literature according to their different strengths. Furthermore, our approach specifically uses the applied pi-calculus process calculus to build a model of a protocol. We present the formal definitions of our proposed untraceability levels and apply them to case studies of existing protocols.
    Abstract: RFID protocols are subsets of cryptographic protocols but with lightweight cryptographic functions. Their main objective is identification with respect to some privacy properties, like anonymity, untraceability and forward secrecy. Privacy is an essential part of today's society. An RFID identification protocol should not only allow a legitimate reader to authenticate a tag but should also protect the privacy of the tag. Although the design and implementation of cryptographic protocols are tedious and time consuming, security flaws have been discovered in most of these protocols. Therefore the responsibility for reliable and proper verification becomes crucial. Formal methods can play an essential role in the development of reliable security protocols. Critical systems which require high reliability, such as security protocols, are difficult to evaluate using conventional tests and simulation techniques. This has encouraged researchers to focus on formal verification techniques to ensure a high degree of reliability in such systems. In spite of the studies which have been carried out in this field, an explicit definition for some of these security properties is still missing.

    Automated Unbounded Verification of Stateful Cryptographic Protocols with Exclusive OR

    Exclusive-or (XOR) operations are common in cryptographic protocols, in particular in RFID protocols and electronic payment protocols. Although there are numerous applications, due to the inherent complexity of faithful models of XOR, there is only limited tool support for the verification of cryptographic protocols using XOR. The TAMARIN prover is a state-of-the-art verification tool for cryptographic protocols in the symbolic model. In this paper, we improve the underlying theory and the tool to deal with an equational theory modeling XOR operations. The XOR theory can be freely combined with all equational theories previously supported, including user-defined equational theories. This makes TAMARIN the first tool to simultaneously support this large set of equational theories, protocols with global mutable state, an unbounded number of sessions, and complex security properties including observational equivalence. We demonstrate the effectiveness of our approach by analyzing several protocols that rely on XOR, in particular multiple RFID protocols, where we can identify attacks as well as provide proofs.

    Verification of Stateful Cryptographic Protocols with Exclusive OR

    In cryptographic protocols, in particular RFID protocols, exclusive-or (XOR) operations are common. Due to the inherent complexity of faithful models of XOR, there is only limited tool support for the verification of cryptographic protocols using XOR. In this paper, we improve the TAMARIN prover and its underlying theory to deal with an equational theory modeling XOR operations. The XOR theory can be combined with all equational theories previously supported, including user-defined equational theories. This makes TAMARIN the first verification tool for cryptographic protocols in the symbolic model to simultaneously support this large set of equational theories, protocols with global mutable state, an unbounded number of sessions, and complex security properties including observational equivalence. We demonstrate the effectiveness of our approach by analyzing several protocols that rely on XOR, in particular multiple RFID protocols, where we can identify attacks as well as provide proofs.

    Dissecting unlinkability

    Model checking probabilistic and stochastic extensions of the pi-calculus

    We present an implementation of model checking for probabilistic and stochastic extensions of the pi-calculus, a process algebra which supports modelling of concurrency and mobility. Formal verification techniques for such extensions have clear applications in several domains, including mobile ad-hoc network protocols, probabilistic security protocols and biological pathways. Despite this, no implementation of automated verification exists. Building upon the pi-calculus model checker MMC, we first show an automated procedure for constructing the underlying semantic model of a probabilistic or stochastic pi-calculus process. This can then be verified using existing probabilistic model checkers such as PRISM. Secondly, we demonstrate how, for processes of a specific structure, a more efficient, compositional approach is applicable, which uses our extension of MMC on each parallel component of the system and then translates the results into a high-level modular description for the PRISM tool. The feasibility of our techniques is demonstrated through a number of case studies from the pi-calculus literature.

    Lengths May Break Privacy – Or How to Check for Equivalences with Length

    Security protocols have been successfully analyzed using symbolic models, where messages are represented by terms and protocols by processes. Privacy properties like anonymity or untraceability are typically expressed as equivalence between processes. While some decision procedures have been proposed for automatically deciding process equivalence, all existing approaches abstract away the information an attacker may get when observing the length of messages. In this paper, we study process equivalence with length tests. We first show that, in the static case, almost all existing decidability results (for static equivalence) can be extended to cope with length tests. In the active case, we prove decidability of trace equivalence with length tests, for a bounded number of sessions and for standard primitives. Our result relies on a previous decidability result from Cheval et al. (without length tests). Our procedure has been implemented, and we have discovered a new flaw against privacy in the biometric passport protocol.