Trace equivalence decision: Negative tests and nondeterminism
In: CCS’11, 2011
Abstract

Cited by 25 (9 self)
We consider security properties of cryptographic protocols that can be modeled using the notion of trace equivalence. The notion of equivalence is crucial when specifying privacy-type properties, like anonymity, vote-privacy, and unlinkability. In this paper, we give a calculus that is close to the applied pi calculus and that allows one to capture most existing protocols that rely on classical cryptographic primitives. First, we propose a symbolic semantics for our calculus relying on constraint systems to represent infinite sets of possible traces, and we reduce the decidability of trace equivalence to deciding a notion of symbolic equivalence between sets of constraint systems. Second, we develop an algorithm allowing us to decide whether two sets of constraint systems are in symbolic equivalence or not. Altogether, this yields the first decidability result of trace equivalence for a general class of processes that may involve else branches and/or private channels (for a bounded number of sessions).
YAPA: A generic tool for computing intruder knowledge
2009
Abstract

Cited by 16 (3 self)
Reasoning about the knowledge of an attacker is a necessary step in many formal analyses of security protocols. In the framework of the applied pi calculus, as in similar languages based on equational logics, knowledge is typically expressed by two relations: deducibility and static equivalence. Several decision procedures have been proposed for these relations under a variety of equational theories. However, each theory has its particular algorithm, and none has been implemented so far. We provide a generic procedure for deducibility and static equivalence that takes as input any convergent rewrite system. We show that our algorithm covers all the existing decision procedures for convergent theories. We also provide an efficient implementation, and compare it briefly with the more general tool ProVerif.
Security protocol verification: Symbolic and computational models
In: Principles of Security and Trust, First International Conference, POST 2012, volume 7215 of Lecture Notes in Computer Science, 2012
Abstract

Cited by 11 (0 self)
Security protocol verification has been a very active research area since the 1990s. This paper surveys various approaches in this area, considering the verification in the symbolic model, as well as the more recent approaches that rely on the computational model or that verify protocol implementations rather than specifications. Additionally, we briefly describe our symbolic security protocol verifier ProVerif and situate it among these approaches.
Applied pi calculus
In: Formal Models and Techniques for Analyzing Security Protocols, chapter 6. IOS, 2011
Abstract

Cited by 11 (4 self)
Abstract. The applied pi calculus is a language for modelling security protocols. It is an extension of the pi calculus, a language for studying concurrency and process interaction. This chapter presents the applied pi calculus in a tutorial style. It describes reachability, correspondence, and observational equivalence properties, with examples showing how to model secrecy, authentication, and privacy aspects of protocols.
Security protocols, constraint systems, and group theories
Abstract

Cited by 1 (1 self)
When formally analyzing security protocols it is often important to express properties in terms of an adversary’s inability to distinguish two protocols. It has been shown that this problem amounts to deciding the equivalence of two constraint systems, i.e., whether they have the same set of solutions. In this paper we study this equivalence problem when cryptographic primitives are modeled using a group equational theory, a special case of monoidal equational theories. The results strongly rely on the isomorphism between group theories and rings. This allows us to reduce the problem under study to the problem of solving systems of equations over rings. We provide several new decidability and complexity results, notably for equational theories which have applications in security protocols, such as exclusive or and Abelian groups which may additionally admit a unary, homomorphic symbol.
Description of some case studies
Abstract

Cited by 1 (0 self)
Abstract. Privacy is a general requirement that needs to be studied in different contexts. In a previous report, we identified some applications for which privacy plays an important role, and with significant interest in terms of societal impact. In this report, we describe some case studies that we will use as a guideline for our research agenda. Our goal is to establish a repository of protocols that are representative of the selected applications chosen in Task 2. We decided to concentrate our efforts on electronic voting protocols and RFID protocols. In addition, we consider two real case studies: the ICAO standard that specifies the protocols involved in the e-passport application, and the UMTS standard used in 3G mobile phone systems.
1 Some electronic voting protocols
Privacy-type properties play an important role in e-voting protocols. We consider two protocols that rely on different mechanisms to ensure some privacy-type properties such as anonymity or receipt-freeness. They all involve some unusual
A formal definition of protocol indistinguishability and its verification using Maude-NPA
In: Security and Trust Management (STM) 2014, 2014
Abstract

Cited by 1 (0 self)
Abstract. Intuitively, two protocols P1 and P2 are indistinguishable if an attacker cannot tell the difference between interactions with P1 and with P2. In this paper we: (i) propose an intuitive notion of indistinguishability in Maude-NPA; (ii) formalize such a notion in terms of state unreachability conditions on their synchronous product; (iii) prove theorems showing how, assuming the protocol's algebraic theory has a finite variant (FV) decomposition, these conditions can be checked by the Maude-NPA tool; and (iv) illustrate our approach with concrete examples. This provides for the first time a framework for automatic analysis of indistinguishability modulo as wide a class of algebraic properties as FV, which includes many associative-commutative theories of interest to cryptographic protocol analysis.