Finitary Deduction Systems
Cryptographic protocols are the cornerstone of security in distributed
systems. The formal analysis of their properties is accordingly one of the
focus points of the security community, and is usually split between two groups.
The first group focuses on trace-based security properties such as
confidentiality and authentication, and provides decision procedures for the
existence of attacks by an on-line attacker. The second group focuses
on equivalence properties such as privacy and resistance to guessing attacks, and provides
decision procedures for the existence of attacks by an offline attacker. In
all cases the attacker is modeled by a deduction system in which his possible
actions are expressed. We present in this paper a notion of finitary deduction
systems that aims at relating both approaches. We prove that for such deduction
systems, deciding equivalence properties for on-line attackers can be reduced
to deciding reachability properties in the same setting.
Comment: 30 pages. Work begun while in the CASSIS Project, INRIA Nancy Grand Es
A Symbolic Intruder Model for Hash-Collision Attacks
In recent years, several practical methods have been published to compute
collisions on some commonly used hash functions. In this paper we present a
method to take into account, at the symbolic level, that an intruder actively
attacking a protocol execution may use these collision algorithms in reasonable
time during the attack. Our decision procedure relies on the reduction of
constraint solving for an intruder exploiting the collision properties of hash
functions to constraint solving for an intruder operating on words.
Key Substitution in the Symbolic Analysis of Cryptographic Protocols (extended version)
Key substitution vulnerable signature schemes are signature schemes that
permit an intruder, given a public verification key and a signed message, to
compute a pair of signature and verification keys such that the message appears
to be signed with the new signature key. A digital signature scheme is said to
be vulnerable to the destructive exclusive ownership property (DEO) if it is
computationally feasible for an intruder, given a public verification key and a
pair of a message and its valid signature relative to the given public key, to
compute a pair of signature and verification keys and a new message such that
the given signature appears to be valid for the new message relative to the
new verification key. In this paper, we prove decidability of the insecurity
problem of cryptographic protocols where the signature schemes employed in the
concrete realisation have these two properties.
Automated Synthesis of a Finite Complexity Ordering for Saturation
We present in this paper a new procedure to saturate a set of clauses with
respect to a well-founded ordering on ground atoms such that A < B implies
Var(A) ⊆ Var(B) for all atoms A and B. This condition is satisfied
by any atom ordering compatible with a lexicographic, recursive, or multiset
path ordering on terms. Our saturation procedure is based on a priori ordered
resolution and its main novelty is the on-the-fly construction of a finite
complexity atom ordering. In contrast with the usual redundancy, we give a new
redundancy notion and we prove that during the saturation a non-redundant
inference by a priori ordered resolution is also an inference by a posteriori
ordered resolution. We also prove that if a set S of clauses is saturated with
respect to an atom ordering as described above, then the problem of whether a
clause C is entailed by S is decidable.
A Simple Constraint-solving Decision Procedure for Protocols with Exclusive or
We present a procedure for deciding the security of protocols employing the exclusive-or operator. This procedure relies on a direct combination of a constraint solver for security protocols with a unification algorithm for the exclusive-or theory. Hence, compared to previous ones, it is much simpler and easily amenable to automation. The principle of the approach can be applied to other theories too.
Compiling and securing cryptographic protocols
Protocol narrations are widely used in security as semi-formal notations to
specify conversations between roles. We define a translation from a protocol
narration to the sequences of operations to be performed by each role. Unlike
previous works, we reduce this compilation process to well-known decision
problems in formal protocol analysis. This allows one to define a natural
notion of prudent translation and to reuse many known results from the
literature in order to cover more crypto-primitives. In particular this work is
the first one to show how to compile protocols parameterised by the properties
of the available operations.
Comment: A short version was submitted to IP
Satisfiability of General Intruder Constraints with and without a Set Constructor
Many decision problems on security protocols can be reduced to solving
so-called intruder constraints in the Dolev-Yao model. Most constraint solving
procedures for protocol security rely on two properties of constraint systems
called monotonicity and variable origination. In this work we relax these
restrictions by giving a decision procedure for solving general intruder
constraints (that do not have these properties) that stays in NP. Our result
extends a first work by L. Mazaré in several directions: we allow non-atomic
keys, and an associative, commutative and idempotent symbol (for modeling
sets). We also discuss several new applications of the results.
Comment: Submitted to the Special issue of Information and Computation on
Security and Rewriting Techniques (SecReT), 2011. 59 page
Intruder deducibility constraints with negation. Decidability and application to secured service compositions
The problem of finding a mediator to compose secured services has been
reduced in our former work to the problem of solving deducibility constraints
similar to those employed for cryptographic protocol analysis. We extend in
this paper the mediator synthesis procedure by a construction for expressing
that some data is not accessible to the mediator. Then we give a decision
procedure for verifying that a mediator satisfying this non-disclosure policy
can be effectively synthesized. This procedure has been implemented in CL-AtSe,
our protocol analysis tool. The procedure significantly extends constraint solving for
cryptographic protocol analysis, as it is able to handle
negative deducibility constraints without restriction. In particular it applies
to all subterm convergent theories and therefore covers several interesting
theories in formal security analysis including encryption, hashing, signature
and pairing.
Comment: (2012
On the Decidability of (ground) Reachability Problems for Cryptographic Protocols (extended version)
Analysis of cryptographic protocols in a symbolic model is relative to a
deduction system that models the possible actions of an attacker regarding an
execution of this protocol. We present in this paper a transformation algorithm
for such deduction systems, provided the equational theory has the finite
variant property. The termination of this transformation entails the
decidability of the ground reachability problems. We prove that it is necessary
to add one other condition to obtain the decidability of non-ground problems,
and provide one new such criterion.
Toward an Automatic Analysis of Web Service Security
Web services send and receive messages in XML syntax with some parts hashed, encrypted or signed, according to the WS-Security standard. In this paper we introduce a model to formally describe the protocols that underlie these services, their security properties and the rewriting attacks they might be subject to. Unlike usual security protocols, we have to address here the facts that: (1) the Web service receive/send actions are nondeterministic, to accommodate the XML format and the lack of normalization in parsing XML messages; our model is designed to permit non-deterministic operations. (2) The Web service message format is better modelled with multiset constructors than with fixed-arity symbols; hence we had to introduce an attacker model that handles associative-commutative operators. In particular we present a decision procedure for insecurity of Web services with messages built using encryption, signature, and other cryptographic primitives.