Key Substitution in the Symbolic Analysis of Cryptographic Protocols (extended version)

Key substitution vulnerable signature schemes are signature schemes that permit an intruder, given a public verification key and a signed message, to compute a pair of signature and verification keys such that the message appears to be signed with the new signature key. A digital signature scheme is said to be vulnerable to destructive exclusive ownership property (DEO) If it is computationaly feasible for an intruder, given a public verification key and a pair of message and its valid signature relatively to the given public key, to compute a pair of signature and verification keys and a new message such that the given signature appears to be valid for the new message relatively to the new verification key. In this paper, we prove decidability of the insecurity problem of cryptographic protocols where the signature schemes employed in the concrete realisation have this two properties

Automating Security Analysis: Symbolic Equivalence of Constraint Systems

We consider security properties of cryptographic protocols, that are either trace properties (such as confidentiality or authenticity) or equivalence properties (such as anonymity or strong secrecy). Infinite sets of possible traces are symbolically represented using deducibility constraints. We give a new algorithm that decides the trace equivalence for the traces that are represented using such constraints, in the case of signatures, symmetric and asymmetric encryptions. Our algorithm is implemented and performs well on typical benchmarks. This is the first implemented algorithm, deciding symbolic trace equivalence

Compiling and securing cryptographic protocols

Protocol narrations are widely used in security as semi-formal notations to specify conversations between roles. We define a translation from a protocol narration to the sequences of operations to be performed by each role. Unlike previous works, we reduce this compilation process to well-known decision problems in formal protocol analysis. This allows one to define a natural notion of prudent translation and to reuse many known results from the literature in order to cover more crypto-primitives. In particular this work is the first one to show how to compile protocols parameterised by the properties of the available operations.Comment: A short version was submitted to IP

Provably correct Java implementations of Spi Calculus security protocols specifications

Spi Calculus is an untyped high level modeling language for security protocols, used for formal protocols specification and verification. In this paper, a type system for the Spi Calculus and a translation function are formally defined, in order to formalize the refinement of a Spi Calculus specification into a Java implementation. The Java implementation generated by the translation function uses a custom Java library. Formal conditions on such library are stated, so that, if the library implementation code satisfies such conditions, then the generated Java implementation correctly simulates the Spi Calculus specification. A verified implementation of part of the custom library is further presente

Safe abstractions of data encodings in formal security protocol models

When using formal methods, security protocols are usually modeled at a high level of abstraction. In particular, data encoding and decoding transformations are often abstracted away. However, if no assumptions at all are made on the behavior of such transformations, they could trivially lead to security faults, for example leaking secrets or breaking freshness by collapsing nonces into constants. In order to address this issue, this paper formally states sufficient conditions, checkable on sequential code, such that if an abstract protocol model is secure under a Dolev-Yao adversary, then a refined model, which takes into account a wide class of possible implementations of the encoding/decoding operations, is implied to be secure too under the same adversary model. The paper also indicates possible exploitations of this result in the context of methods based on formal model extraction from implementation code and of methods based on automated code generation from formally verified model

Automatic analysis of distance bounding protocols

Distance bounding protocols are used by nodes in wireless networks to calculate upper bounds on their distances to other nodes. However, dishonest nodes in the network can turn the calculations both illegitimate and inaccurate when they participate in protocol executions. It is important to analyze protocols for the possibility of such violations. Past efforts to analyze distance bounding protocols have only been manual. However, automated approaches are important since they are quite likely to find flaws that manual approaches cannot, as witnessed in literature for analysis pertaining to key establishment protocols. In this paper, we use the constraint solver tool to automatically analyze distance bounding protocols. We first formulate a new trace property called Secure Distance Bounding (SDB) that protocol executions must satisfy. We then classify the scenarios in which these protocols can operate considering the (dis)honesty of nodes and location of the attacker in the network. Finally, we extend the constraint solver so that it can be used to test protocols for violations of SDB in these scenarios and illustrate our technique on some published protocols.Comment: 22 pages, Appeared in Foundations of Computer Security, (Affiliated workshop of LICS 2009, Los Angeles, CA)

Intruder deducibility constraints with negation. Decidability and application to secured service compositions

The problem of finding a mediator to compose secured services has been reduced in our former work to the problem of solving deducibility constraints similar to those employed for cryptographic protocol analysis. We extend in this paper the mediator synthesis procedure by a construction for expressing that some data is not accessible to the mediator. Then we give a decision procedure for verifying that a mediator satisfying this non-disclosure policy can be effectively synthesized. This procedure has been implemented in CL-AtSe, our protocol analysis tool. The procedure extends constraint solving for cryptographic protocol analysis in a significative way as it is able to handle negative deducibility constraints without restriction. In particular it applies to all subterm convergent theories and therefore covers several interesting theories in formal security analysis including encryption, hashing, signature and pairing.Comment: (2012

Finitary Deduction Systems

Cryptographic protocols are the cornerstone of security in distributed systems. The formal analysis of their properties is accordingly one of the focus points of the security community, and is usually split among two groups. In the first group, one focuses on trace-based security properties such as confidentiality and authentication, and provides decision procedures for the existence of attacks for an on-line attackers. In the second group, one focuses on equivalence properties such as privacy and guessing attacks, and provides decision procedures for the existence of attacks for an offline attacker. In all cases the attacker is modeled by a deduction system in which his possible actions are expressed. We present in this paper a notion of finitary deduction systems that aims at relating both approaches. We prove that for such deduction systems, deciding equivalence properties for on-line attackers can be reduced to deciding reachability properties in the same setting.Comment: 30 pages. Work begun while in the CASSIS Project, INRIA Nancy Grand Es