Results 1 to 10 of 25

Automated verification of equivalence properties of cryptographic protocols (2012)

Security protocol verification: Symbolic and computational models (2012)
Principles of Security and Trust, First International Conference, POST 2012, volume 7215 of Lecture Notes in Computer Science
Cited by 11 (0 self)
Security protocol verification has been a very active research area since the 1990s. This paper surveys various approaches in this area, considering the verification in the symbolic model, as well as the more recent approaches that rely on the computational model or that verify protocol implementations rather than specifications. Additionally, we briefly describe our symbolic security protocol verifier ProVerif and situate it among these approaches.

Proving More Observational Equivalences with ProVerif
Cited by 10 (3 self)
This paper presents an extension of the automatic protocol verifier ProVerif in order to prove more observational equivalences. ProVerif can prove observational equivalence between processes that have the same structure but differ by the messages they contain. In order to extend the class of equivalences that ProVerif handles, we extend the language of terms by defining more functions (destructors) by rewrite rules. In particular, we allow rewrite rules with inequalities as side-conditions, so that we can express tests "if then else" inside terms. Finally, we provide an automatic procedure that translates a process into an equivalent process that performs as many actions as possible inside terms, to allow ProVerif to prove the desired equivalence. These extensions have been implemented in ProVerif and allow us to automatically prove anonymity in the private authentication protocol by Abadi and Fournet.

Deciding equivalence-based properties using constraint solving (2013)
Theoretical Computer Science 492
Cited by 7 (0 self)
Formal methods have proved their usefulness for analyzing the security of protocols. Most existing results focus on trace properties like secrecy or authentication. There are however several security properties which cannot be defined (or cannot be naturally defined) as trace properties and require a notion of behavioural equivalence. Typical examples are anonymity, privacy-related properties or statements closer to security properties used in cryptography. In this paper, we consider three notions of equivalence defined in the applied pi calculus: observational equivalence, may-testing equivalence, and trace equivalence. First, we study the relationship between these three notions. We show that for determinate processes, observational equivalence actually coincides with trace equivalence, a notion simpler to reason with. We exhibit a large class of determinate processes, called simple processes, that capture most existing protocols and cryptographic primitives. While trace equivalence and may-testing equivalence seem very similar, we show that may-testing equivalence is actually strictly stronger than trace equivalence. We prove that the two notions coincide for image-finite processes, such as processes without replication. Second, we reduce the decidability of trace equivalence (for finite processes) to deciding symbolic equivalence between sets of constraint systems. For simple processes without replication and with trivial else branches, it turns out that it is actually sufficient to decide symbolic equivalence between pairs of positive constraint systems. Thanks to this reduction and relying on a result first proved by M. Baudet, this yields the first decidability result of observational equivalence for a general class of equational theories (for processes without else branch nor replication). Moreover, based on another decidability result for deciding equivalence between sets of constraint systems, we get decidability of trace equivalence for processes with else branch for standard primitives.

Computationally Complete Symbolic Attacker in Action
Cited by 6 (2 self)
We show that the recent technique of computationally complete symbolic attackers proposed by Bana and Comon-Lundh [6] for computationally sound verification of security protocols is powerful enough to verify actual protocols. In their work, Bana and Comon-Lundh presented only the general framework, but they did not introduce sufficiently many axioms to actually prove protocols. We present a set of axioms—some generic axioms that are computationally sound for all PPT algorithms, two specific axioms that are sound for CCA2 secure encryptions, and a further minimal parsing assumption for pairing—and illustrate the power of this technique by giving the first computationally sound verification (secrecy and authentication) via symbolic attackers of the NSL Protocol that does not need any further restrictive assumptions about the computational implementation. In other words, all implementations for which the axioms are sound—namely, implementations using CCA2 encryption, and satisfying the parsing requirement for pairing—exclude the possibility of successful computational attacks. Furthermore, the axioms are entirely modular and not particular to the NSL protocol (except for the parsing assumption without which there is an attack).

Lengths may break privacy – or how to check for equivalences with length (2013)
Cited by 6 (2 self)
Security protocols have been successfully analyzed using symbolic models, where messages are represented by terms and protocols by processes. Privacy properties like anonymity or untraceability are typically expressed as equivalence between processes. While some decision procedures have been proposed for automatically deciding process equivalence, all existing approaches abstract away the information an attacker may get when observing the length of messages. In this paper, we study process equivalence with length tests. We first show that, in the static case, almost all existing decidability results (for static equivalence) can be extended to cope with length tests. In the active case, we prove decidability of trace equivalence with length tests, for a bounded number of sessions and for standard primitives. Our result relies on a previous decidability result from Cheval et al. [15] (without length tests). Our procedure has been implemented and we have discovered a new flaw against privacy in the biometric passport protocol.

APTE (Algorithm for Proving Trace Equivalence) (2013)
Cited by 5 (3 self)
This paper presents APTE, a new tool for automatically proving the security of cryptographic protocols. It focuses on proving trace equivalence between processes, which is crucial for specifying privacy-type properties such as anonymity and unlinkability. The tool can handle protocols expressed in a calculus similar to the applied pi calculus, which allows us to capture most existing protocols that rely on classical cryptographic primitives. In particular, APTE handles private channels and else branches in protocols with a bounded number of sessions. Unlike most equivalence verifier tools, APTE is guaranteed to terminate. Moreover, APTE is the only tool that extends the usual notion of trace equivalence by considering "side-channel" information leaked to the attacker such as the length of messages and the execution times. We illustrate APTE on different case studies which allowed us to automatically (re)discover attacks on protocols such as the Private Authentication protocol or the protocols of the electronic passports.

A formal analysis of the Norwegian e-voting protocol (2011)
Cited by 5 (2 self)
Norway has used e-voting in its last political election in September 2011, with more than 25 000 voters using the e-voting option. The underlying protocol is a new protocol designed by the ERGO group, involving several actors (a bulletin box but also a receipt generator, a decryption service, and an auditor). Of course, trusting the correctness and security of e-voting protocols is crucial in that context. Formal definitions of properties such as privacy, coercion-resistance or verifiability have been recently proposed, based on equivalence properties. In this paper, we propose a formal analysis of the protocol used in Norway, w.r.t. privacy, considering several corruption scenarios. Part of this study has been conducted using the ProVerif tool, on a simplified model.

From security protocols to pushdown automata
Cited by 4 (0 self)
Formal methods have been very successful in analyzing security protocols for reachability properties such as secrecy or authentication. In contrast, there are very few results for equivalence-based properties, crucial for studying e.g. privacy-like properties such as anonymity or vote secrecy. We study the problem of checking equivalence of security protocols for an unbounded number of sessions. Since replication leads very quickly to undecidability (even in the simple case of secrecy), we focus on a limited fragment of protocols (standard primitives but pairs, one variable per protocol's rules) for which the secrecy preservation problem is known to be decidable. Surprisingly, this fragment turns out to be undecidable for equivalence. Then, restricting our attention to deterministic protocols, we propose the first decidability result for checking equivalence of protocols for an unbounded number of sessions. This result is obtained through a characterization of equivalence of protocols in terms of equality of languages of (generalized, real-time) deterministic pushdown automata.