
    DeepSec: Deciding Equivalence Properties for Security Protocols -- Improved theory and practice

    Automated verification has become an essential part of the security evaluation of cryptographic protocols. In this context, privacy-type properties are often modelled by indistinguishability statements, expressed as behavioural equivalences in a process calculus. In this paper we contribute both to the theory and practice of this verification problem. We establish new complexity results for static equivalence, trace equivalence and labelled bisimilarity, and provide a decision procedure for these equivalences in the case of a bounded number of protocol sessions. Our procedure is the first to decide trace equivalence and labelled bisimilarity exactly for a large variety of cryptographic primitives -- those that can be represented by a subterm convergent destructor rewrite system. We also implemented the procedure in a new tool, DeepSec. We showed through extensive experiments that it is significantly more efficient than other similar tools, while at the same time it widens the scope of the protocols that can be analysed.

    Exploiting Symmetries When Proving Equivalence Properties for Security Protocols

    Verification of privacy-type properties for cryptographic protocols in an active adversarial environment, modelled as a behavioural equivalence in concurrent-process calculi, exhibits a high computational complexity. While undecidable in general, for some classes of common cryptographic primitives the problem is coNEXP-complete when the number of honest participants is bounded. In this paper we develop optimisation techniques for verifying equivalences, exploiting symmetries between the two processes under study. We demonstrate that they provide a significant (several orders of magnitude) speed-up in practice, thus increasing the size of the protocols that can be analysed fully automatically.

    How to explain security protocols to your children

    Security protocols combine two key components: a logical structure (who answers what, under which conditions?) and cryptography (encryption, signatures, hashes, ...). It is not so easy to explain their principles and weaknesses to a non-expert audience. Why is something an attack or not? For which attacker? With what purpose? In this paper, we propose an approach to introduce security protocols to a general audience, including children or even scientists from other fields. Its goal is to convey the implicit assumptions of our community, such as threat models or the participants' behaviour. This all-public introduction can be thought of as a story but, interestingly, can also be implemented physically with boxes and padlocks: manipulation helps to understand how protocols operate, even allowing non-expert participants to design their own, and thus to gauge the challenges of this task.

    The hitchhiker's guide to decidability and complexity of equivalence properties in security protocols (technical report)

    Privacy-preserving security properties in cryptographic protocols are typically modelled by observational equivalences in process calculi such as the applied pi-calculus. We survey decidability and complexity results for the automated verification of such equivalences, casting existing results in a common framework which allows for a precise comparison. This unified view, beyond providing clearer insight into the current state of the art, allowed us to identify some variations in the statements of the decision problems – sometimes resulting in different complexity results. Additionally, we prove a couple of novel or strengthened results.

    The DEEPSEC prover

    In this paper we describe the DeepSec prover, a tool for security protocol analysis. It decides equivalence properties modelled as trace equivalence of two processes in a dialect of the applied pi calculus.

    Exploiting symmetries when proving equivalence properties for security protocols (Technical report)

    Verification of privacy-type properties for cryptographic protocols in an active adversarial environment, modelled as a behavioural equivalence in concurrent-process calculi, exhibits a high computational complexity. While undecidable in general, for some classes of common cryptographic primitives the problem is coNEXP-complete when the number of honest participants is bounded. In this paper we develop optimisation techniques for verifying equivalences, exploiting symmetries between the two processes under study. We demonstrate that they provide a significant (several orders of magnitude) speed-up in practice, thus increasing the size of the protocols that can be analysed fully automatically.

    DEEPSEC: Deciding Equivalence Properties in Security Protocols Theory and Practice

    We study the automated verification of behavioural equivalences in the applied pi calculus, an essential problem in the formal, symbolic analysis of cryptographic protocols. We establish new complexity results for static equivalence, trace equivalence and labelled bisimilarity, and propose a new decision procedure for these equivalences. Our procedure is the first tool to decide trace equivalence and labelled bisimilarity exactly for a family of equational theories, namely those that can be represented by a subterm convergent destructor rewrite system. Finally, we implement the procedure in a new tool, called Deepsec, and demonstrate its applicability on several case studies.

    An ordinal measure for termination proofs in Coq

    In this paper we address termination proofs of recursive functions through the use of a well-founded order. We propose using the order on ordinals: to do so, we give a representation of the ordinals below ω^ω, define their order relation based on this representation, and show that it is well-founded. We illustrate the expressive power of this approach on several examples of function definitions with complex recursion schemes. Their termination is obtained by defining, for each one, an embedding of the arguments into an ordinal. The advantage of this approach is, on the one hand, the ease of expressing functions defined by pattern matching, and on the other hand, its systematic nature, which opens the prospect of using a decision heuristic for termination.

    Tidy: Symbolic Verification of Timed Cryptographic Protocols


    A Security Model and Fully Verified Implementation for the IETF QUIC Record Layer

    We investigate the security of the QUIC record layer, as standardized by the IETF in draft version 30. This version features major differences compared to Google's original protocol and prior IETF drafts. We model packet and header encryption, which uses a custom construction for privacy. To capture its goals, we propose a security definition for authenticated encryption with semi-implicit nonces. We show that QUIC uses an instance of a generic construction parameterized by a standard AEAD-secure scheme and a PRF-secure cipher. We formalize and verify the security of this construction in F*. The proof uncovers interesting limitations of nonce confidentiality, due to the malleability of short headers and the ability to choose the number of least significant bits included in the packet counter. We propose improvements that simplify the proof and increase robustness against strong attacker models. In addition to the verified security model, we also give a concrete functional specification for the record layer, and prove that it satisfies important functionality properties (such as successful decryption of encrypted packets) after fixing more errors in the draft. We then provide a high-performance implementation of the record layer that we prove to be memory safe, correct with respect to our concrete specification (inheriting its functional correctness properties), and secure with respect to our verified model. To evaluate this component, we develop a provably-safe implementation of the rest of the QUIC protocol. Our record layer achieves nearly 2 GB/s throughput, and our QUIC implementation's performance is within 21% of an unverified baseline.