200 research outputs found
Key Substitution in the Symbolic Analysis of Cryptographic Protocols (extended version)
Key substitution vulnerable signature schemes are signature schemes that
permit an intruder, given a public verification key and a signed message, to
compute a pair of signature and verification keys such that the message appears
to be signed with the new signature key. A digital signature scheme is said to
be vulnerable to destructive exclusive ownership property (DEO) If it is
computationaly feasible for an intruder, given a public verification key and a
pair of message and its valid signature relatively to the given public key, to
compute a pair of signature and verification keys and a new message such that
the given signature appears to be valid for the new message relatively to the
new verification key. In this paper, we prove decidability of the insecurity
problem of cryptographic protocols where the signature schemes employed in the
concrete realisation have this two properties
Automating Security Analysis: Symbolic Equivalence of Constraint Systems
We consider security properties of cryptographic protocols, that are either trace properties (such as confidentiality or authenticity) or equivalence properties (such as anonymity or strong secrecy). Infinite sets of possible traces are symbolically represented using deducibility constraints. We give a new algorithm that decides the trace equivalence for the traces that are represented using such constraints, in the case of signatures, symmetric and asymmetric encryptions. Our algorithm is implemented and performs well on typical benchmarks. This is the first implemented algorithm, deciding symbolic trace equivalence
Compiling and securing cryptographic protocols
Protocol narrations are widely used in security as semi-formal notations to
specify conversations between roles. We define a translation from a protocol
narration to the sequences of operations to be performed by each role. Unlike
previous works, we reduce this compilation process to well-known decision
problems in formal protocol analysis. This allows one to define a natural
notion of prudent translation and to reuse many known results from the
literature in order to cover more crypto-primitives. In particular this work is
the first one to show how to compile protocols parameterised by the properties
of the available operations.Comment: A short version was submitted to IP
Provably correct Java implementations of Spi Calculus security protocols specifications
Spi Calculus is an untyped high level modeling language for security protocols, used for formal protocols specification and verification. In this paper, a type system for the Spi Calculus and a translation function are formally defined, in order to formalize the refinement of a Spi Calculus specification into a Java implementation. The Java implementation generated by the translation function uses a custom Java library. Formal conditions on such library are stated, so that, if the library implementation code satisfies such conditions, then the generated Java implementation correctly simulates the Spi Calculus specification. A verified implementation of part of the custom library is further presente
Safe abstractions of data encodings in formal security protocol models
When using formal methods, security protocols are usually modeled at a high level of abstraction. In particular, data encoding and decoding transformations are often abstracted away. However, if no assumptions at all are made on the behavior of such transformations, they could trivially lead to security faults, for example leaking secrets or breaking freshness by collapsing nonces into constants. In order to address this issue, this paper formally states sufficient conditions, checkable on sequential code, such that if an abstract protocol model is secure under a Dolev-Yao adversary, then a refined model, which takes into account a wide class of possible implementations of the encoding/decoding operations, is implied to be secure too under the same adversary model. The paper also indicates possible exploitations of this result in the context of methods based on formal model extraction from implementation code and of methods based on automated code generation from formally verified model
Automatic analysis of distance bounding protocols
Distance bounding protocols are used by nodes in wireless networks to
calculate upper bounds on their distances to other nodes. However, dishonest
nodes in the network can turn the calculations both illegitimate and inaccurate
when they participate in protocol executions. It is important to analyze
protocols for the possibility of such violations. Past efforts to analyze
distance bounding protocols have only been manual. However, automated
approaches are important since they are quite likely to find flaws that manual
approaches cannot, as witnessed in literature for analysis pertaining to key
establishment protocols. In this paper, we use the constraint solver tool to
automatically analyze distance bounding protocols. We first formulate a new
trace property called Secure Distance Bounding (SDB) that protocol executions
must satisfy. We then classify the scenarios in which these protocols can
operate considering the (dis)honesty of nodes and location of the attacker in
the network. Finally, we extend the constraint solver so that it can be used to
test protocols for violations of SDB in these scenarios and illustrate our
technique on some published protocols.Comment: 22 pages, Appeared in Foundations of Computer Security, (Affiliated
workshop of LICS 2009, Los Angeles, CA)
Intruder deducibility constraints with negation. Decidability and application to secured service compositions
The problem of finding a mediator to compose secured services has been
reduced in our former work to the problem of solving deducibility constraints
similar to those employed for cryptographic protocol analysis. We extend in
this paper the mediator synthesis procedure by a construction for expressing
that some data is not accessible to the mediator. Then we give a decision
procedure for verifying that a mediator satisfying this non-disclosure policy
can be effectively synthesized. This procedure has been implemented in CL-AtSe,
our protocol analysis tool. The procedure extends constraint solving for
cryptographic protocol analysis in a significative way as it is able to handle
negative deducibility constraints without restriction. In particular it applies
to all subterm convergent theories and therefore covers several interesting
theories in formal security analysis including encryption, hashing, signature
and pairing.Comment: (2012
Finitary Deduction Systems
Cryptographic protocols are the cornerstone of security in distributed
systems. The formal analysis of their properties is accordingly one of the
focus points of the security community, and is usually split among two groups.
In the first group, one focuses on trace-based security properties such as
confidentiality and authentication, and provides decision procedures for the
existence of attacks for an on-line attackers. In the second group, one focuses
on equivalence properties such as privacy and guessing attacks, and provides
decision procedures for the existence of attacks for an offline attacker. In
all cases the attacker is modeled by a deduction system in which his possible
actions are expressed. We present in this paper a notion of finitary deduction
systems that aims at relating both approaches. We prove that for such deduction
systems, deciding equivalence properties for on-line attackers can be reduced
to deciding reachability properties in the same setting.Comment: 30 pages. Work begun while in the CASSIS Project, INRIA Nancy Grand
Es
- âŠ