Abstract
Security properties of cryptographic protocols are typically expressed as reachability or equivalence properties. Secrecy and authentication are examples of reachability properties, while privacy properties such as untraceability, vote secrecy, or anonymity are generally expressed as behavioral equivalence in a process algebra that models security protocols.
Our main contribution is to reduce the search space for attacks for reachability as well as equivalence properties. Specifically, we show that if there is an attack then there is one that is well-typed. Our result holds for a large class of typing systems, a family of equational theories that encompasses all standard primitives, and protocols without else branches. For many standard protocols, we deduce that it is sufficient to look for attacks that follow the format of the messages expected in an honest execution, therefore considerably reducing the search space.
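The following Python sketch is an added illustration of the search-space reduction the abstract describes; it is not the paper's formal typing system and none of its names come from the paper. It assumes a toy term algebra (atoms, pairing, symmetric encryption), a structural type for each term, a constructed intruder knowledge set, and a constructed "expected" message type for an honest recipient. It compares the untyped space of terms an intruder could build up to a bounded depth against the terms that are well-typed for the recipient, and shows a type-directed enumeration that generates exactly those well-typed terms without ever materializing the untyped space.

```python
"""Toy illustration of 'well-typed attacks suffice' (added example).

Constructed example: a tiny symbolic term algebra with pairing and symmetric
encryption, a structural typing function, and two ways of enumerating the
messages an intruder could send: the untyped closure of its knowledge up to
a bounded depth, and a typed enumeration driven by the type the honest
recipient expects. The typing system and all names here are assumptions of
this example, not the paper's formal definitions.
"""
from dataclasses import dataclass
from typing import Union

Term = Union["Atom", "Pair", "Enc"]
Type = Union[str, tuple]


@dataclass(frozen=True)
class Atom:
    name: str
    ty: str          # atomic type: 'agent', 'nonce' or 'key'


@dataclass(frozen=True)
class Pair:
    left: Term
    right: Term


@dataclass(frozen=True)
class Enc:           # symmetric encryption of body under key
    key: Term
    body: Term


def type_of(t: Term) -> Type:
    """Structural type: atoms carry their type, constructors lift it."""
    if isinstance(t, Atom):
        return t.ty
    if isinstance(t, Pair):
        return ("pair", type_of(t.left), type_of(t.right))
    return ("enc", type_of(t.key), type_of(t.body))


def well_typed(t: Term, expected: Type) -> bool:
    return type_of(t) == expected


def derivable(knowledge: set, depth: int) -> set:
    """Untyped intruder: every term buildable from the knowledge by pairing
    or encrypting (with any known term as key), up to the given depth."""
    terms = set(knowledge)
    for _ in range(depth):
        snapshot = list(terms)
        for x in snapshot:
            for y in snapshot:
                terms.add(Pair(x, y))
                terms.add(Enc(x, y))
    return terms


def well_typed_terms(knowledge: set, depth: int, expected: Type) -> set:
    """Naive typed search: enumerate the untyped space, then filter."""
    return {t for t in derivable(knowledge, depth) if well_typed(t, expected)}


def typed_candidates(knowledge: set, expected: Type) -> set:
    """Type-directed search: build only terms of the expected type by
    recursing on the type structure; the untyped space is never built."""
    found = {t for t in knowledge if type_of(t) == expected}
    if isinstance(expected, tuple):
        tag, t1, t2 = expected
        ctor = Pair if tag == "pair" else Enc
        for x in typed_candidates(knowledge, t1):
            for y in typed_candidates(knowledge, t2):
                found.add(ctor(x, y))
    return found


# Constructed intruder knowledge: two agent names, the intruder's own nonce
# and key, and one ciphertext observed on the network (its key k_ab is not
# known to the intruder).
A, B = Atom("a", "agent"), Atom("b", "agent")
NI, KI = Atom("n_i", "nonce"), Atom("k_i", "key")
CAPTURED = Enc(Atom("k_ab", "key"), Pair(Atom("n_a", "nonce"), A))
KNOWLEDGE = {A, B, NI, KI, CAPTURED}

# Constructed type of the message the honest responder expects: {nonce, agent}_key
EXPECTED = ("enc", "key", ("pair", "nonce", "agent"))


if __name__ == "__main__":
    untyped = derivable(KNOWLEDGE, 2)
    typed = typed_candidates(KNOWLEDGE, EXPECTED)
    print(f"untyped candidates up to depth 2: {len(untyped)}")
    print(f"well-typed candidates:            {len(typed)}")
    for t in sorted(typed, key=repr):
        print("  ", t)
```

With this knowledge set the untyped closure at depth 2 already contains thousands of terms, while only three are well-typed for the expected message (two the intruder can forge under its own key, plus the captured ciphertext it could replay). The type-directed enumeration returns the same three terms directly, which is the practical content of the abstract's claim: once well-typed attacks are known to suffice, a verifier can restrict its search to terms matching the honest protocol's message formats.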
Index Terms
- Typing Messages for Free in Security Protocols