
## Automated verification of equivalence properties of cryptographic protocols (2012)

Citations: | 18 - 3 self |

### Citations

1383 | On the Security of Public-Key Protocols
- Dolev, Yao
- 1983
Citation Context ... of the adversary is made. This adversarial model is often called the Dolev-Yao model and is derived from Dolev and Yao’s seminal paper =-=[29]-=-. It has proved extremely successful, and there are several automated tools [10,6,31] that can automatically check trace-properties such as (weak forms of) confidentiality and authentication. While tr... |

1330 | A logic of authentication
- Burrows, Abadi, et al.
- 1990
Citation Context ...nguishability (or equivalence). They include strong flavors of confidentiality [11]; resistance to guessing attacks in password based protocols [8]; and anonymity properties in private authentication =-=[3]-=-, electronic voting [26,7], vehicular networks [24] and RFID protools [5,15]. More generally, indistinguishability allows to model security by the means of ideal systems, which are correct by construc... |

897 | A calculus for cryptographic protocols: The Spi calculus
- Abadi, Gordon
- 1999
Citation Context ...ctronic voting [26,7], vehicular networks [24] and RFID protools [5,15]. More generally, indistinguishability allows to model security by the means of ideal systems, which are correct by construction =-=[4,25]-=-. Indistinguishability properties of cryptographic protocols are naturally modeled by the means of observational and testing equivalences in cryptographic extensions of process calculi, e.g., the spi ... |

719 | Breaking and fixing the Needham-Schroeder public-key protocol using FDR. In
- Lowe
- 1996
Citation Context ... structured in phases. We used AKiSs to verify the equivalences in Examples 5 and 6. Using AKiSs we were able to verify strong secrecy for Denning-Sacco-Blanchet [11] and Needham-Schroeder-Lowe (NSL) =-=[36]-=-, resistance to guessing attacks in the EKE protocol [9], and, more interestingly, anonymity of the FOO [32] and Okamoto [38] electronic voting protocols. 1 To our knowledge, AKiSs is the only tool th... |

434 | Encrypted key exchange: password-based protocols secure against dictionary attacks
- Bellovin, Merritt
- 1992
Citation Context ...lences in Examples 5 and 6. Using AKiSs we were able to verify strong secrecy for Denning-Sacco-Blanchet [11] and Needham-Schroeder-Lowe (NSL) [36], resistance to guessing attacks in the EKE protocol =-=[9]-=-, and, more interestingly, anonymity of the FOO [32] and Okamoto [38] electronic voting protocols.3 To our knowledge, AKiSs is the only tool that can verify FOO and Okamoto automatically. We briefly d... |

391 | An efficient cryptographic protocol verifier based on prolog rules
- Blanchet
- 2001
Citation Context ...y is made. This adversarial model is often called the Dolev-Yao model and is derived from Dolev and Yao’s seminal paper [29]. It has proved extremely successful, and there are several automated tools =-=[10,6,31]-=- that can automatically check trace-properties such as (weak forms of) confidentiality and authentication. While trace-based properties are certainly important, many crucial security properties can on... |

371 | Mobile values, new names, and secure communication
- Abadi, Fournet
- 2001
Citation Context ...s of cryptographic protocols are naturally modeled by the means of observational and testing equivalences in cryptographic extensions of process calculi, e.g., the spi [4] and the applied-pi calculus =-=[2]-=-. While we have good tools for automated verification of trace properties, the situation is different for indistinguishability properties. State-of-the-Art. Hüttel [34] showed undecidability of observ... |

310 | A practical secret voting scheme for large scale elections.
- Fujioka, Okamoto, et al.
- 1993
Citation Context ...s implemented in the AKiSs (Active Knowledge in Security protocols) prototype tool and used among others to give the first automated proof of anonymity for the electronic voting protocol presented in =-=[32]-=-. Technical proofs are given in an accompanying technical report [16]. 2 Preliminaries Terms. Let F be a signature, i.e., a finite set of function symbols and ar a function that assigns to each functi... |

124 | Verifying privacy-type properties of electronic voting protocols: A taster
- Delaune, Kremer, et al.
Citation Context ...alence). They include strong flavors of confidentiality [11]; resistance to guessing attacks in password based protocols [8]; and anonymity properties in private authentication [3], electronic voting =-=[26,7]-=-, vehicular networks [24] and RFID protools [5,15]. More generally, indistinguishability allows to model security by the means of ideal systems, which are correct by construction [4,25]. Indistinguish... |

111 | Receipt-free electronic voting schemes for large scale elections
- Okamoto
Citation Context ...this also allows us to handle a larger class of cryptographic primitives than [39,17,18,8,19,10]. For example, this allows us to handle trapdoor commitment as used by Okamoto for electronic voting in =-=[38]-=-. Although we were unable to prove termination of our procedure, we conjecture it to terminate for the class of cryptographic primitives that can be modeled as subterm convergent rewrite systems. Our ... |

109 | Deciding knowledge in security protocols under equational theories.
- Abadi, Cortier
- 2006
Citation Context ...udet [8], for the special case of verifying the existence of guessing attacks. Baudet’s procedure allows arbitrary cryptographic primitives that can be modeled as a subterm convergent rewrite systems =-=[1]-=-. An alternate procedure achieving the same goal was proposed by Chevalier and Rusinowitch [19]. However, both procedures are highly non-deterministic and do not yield a reasonable algorithm that coul... |

104 | Automated Verification of Selected Equivalences for Security Protocols. - Blanchet, Abadi, et al. - 2005 |

83 | Automatic proof of strong secrecy for security protocols. In
- Blanchet
- 2004
Citation Context ...race-based properties are certainly important, many crucial security properties can only be expressed in terms of indistinguishability (or equivalence). They include strong flavors of confidentiality =-=[11]-=-; resistance to guessing attacks in password based protocols [8]; and anonymity properties in private authentication [3], electronic voting [26,7], vehicular networks [24] and RFID protools [5,15]. Mo... |

82 | Towards an automatic analysis of security protocols in first-order logic
- Weidenbach
- 1999
Citation Context ... to the constraint-solving techniques employed in [39,17,18,8,19] for verifying underapproximations of observational equivalence. Techniques based on Horn clauses have been extensively used, e.g., in =-=[10,40,33]-=-, for an unbounded number of sessions. Of these tools, only ProVerif [10,12] can verify an equivalence property, which is an under-approximation of observational equivalence. Horn clause modeling of a... |

72 | Deciding security of protocols against off-line guessing attacks
- Baudet
- 2005
Citation Context ...ity properties can only be expressed in terms of indistinguishability (or equivalence). They include strong flavors of confidentiality [11]; resistance to guessing attacks in password based protocols =-=[8]-=-; and anonymity properties in private authentication [3], electronic voting [26,7], vehicular networks [24] and RFID protools [5,15]. More generally, indistinguishability allows to model security by t... |

69 | Automated verification of remote electronic voting protocols in the applied pi-calculus
- Backes, Hritcu, et al.
- 2008
Citation Context ...alence). They include strong flavors of confidentiality [11]; resistance to guessing attacks in password based protocols [8]; and anonymity properties in private authentication [3], electronic voting =-=[26,7]-=-, vehicular networks [24] and RFID protools [5,15]. More generally, indistinguishability allows to model security by the means of ideal systems, which are correct by construction [4,25]. Indistinguish... |

46 | The finite variant property: How to get rid of some algebraic properties.
- Comon-Lundh, Delaune
- 2005
Citation Context ...ve that t = fst(pair(dec(enc(a, k, r),k),b)) →R fst(pair(a, b)) →R a = t↓ R. We recall the notion of complete set of variants for a convergent rewrite system =-=[22]-=-: Definition 1. A set of substitutions variants(t1,...,tk) is called a complete set of variants of terms t1,...,tk if for any substitution ω there exist σ ∈ variants(t1,...,tk) and a substitution τ su... |

43 | The AVISPA tool for the automated validation of internet security protocols and applications, in Computer Aided Verification
- Armando, Basin, et al.
- 2005
Citation Context ...y is made. This adversarial model is often called the Dolev-Yao model and is derived from Dolev and Yao’s seminal paper [29]. It has proved extremely successful, and there are several automated tools =-=[10, 6, 31]-=- that can automatically check trace-properties such as (weak forms of) confidentiality and authentication. While trace-based properties are certainly important, many crucial security properties can on... |

36 | Analysing unlinkability and anonymity using the applied pi calculus
- Arapinis, Chothia, et al.
- 2010
Citation Context ...ality [11]; resistance to guessing attacks in password based protocols [8]; and anonymity properties in private authentication [3], electronic voting [26,7], vehicular networks [24] and RFID protools =-=[5,15]-=-. More generally, indistinguishability allows to model security by the means of ideal systems, which are correct by construction [4,25]. Indistinguishability properties of cryptographic protocols are ... |

33 | Symbolic Bisimulation in the Spi Calculus
- BORGSTRÖM, BRIAIS, et al.
Citation Context ...onclude for the e-passport example in [5], albeit for a different reason: our procedure does not currently handle else branches in protocols. Symbolic bisimulations have also been devised for the spi =-=[14,13,39]-=- and applied pi calculus [27,35] to avoid unbounded branching due to adversary inputs. However, only [27,39] and [14] yield a decision procedure, again only approximating observational equivalence. Th... |

29 | Maude-NPA: Cryptographic protocol analysis modulo equational properties.
- Escobar, Meadows, et al.
- 2009
Citation Context ...y is made. This adversarial model is often called the Dolev-Yao model and is derived from Dolev and Yao’s seminal paper [29]. It has proved extremely successful, and there are several automated tools =-=[10,6,31]-=- that can automatically check trace-properties such as (weak forms of) confidentiality and authentication. While trace-based properties are certainly important, many crucial security properties can on... |

26 | Symbolic bisimulation for the applied pi calculus.
- Delaune, Kremer, et al.
- 2007
Citation Context ...in [5], albeit for a different reason: our procedure does not currently handle else branches in protocols. Symbolic bisimulations have also been devised for the spi [14,13,39] and applied pi calculus =-=[27,35]-=- to avoid unbounded branching due to adversary inputs. However, only [27,39] and [14] yield a decision procedure, again only approximating observational equivalence. The results of [27] have been furt... |

25 | Trace equivalence decision: negative tests and non-determinism. In:
- Cheval, Comon-Lundh, et al.
- 2011
Citation Context ...ide the equivalence of constraint systems, but only for a fixed set of primitives. Tools have also been implemented for checking testing equivalence [30], open bisimulation [39] and trace equivalence =-=[18]-=- for a bounded number of sessions but again only for a limited set of primitives. One may note that [18] is the only decision procedure to consider negative tests (else branches), crucial in several c... |

21 | A method for proving observational equivalence.
- Cortier, Delaune
- 2009
Citation Context ...4] yield a decision procedure, again only approximating observational equivalence. The results of [27] have been further refined to show a decision procedure on a restricted class of simple processes =-=[23]-=-. They rely on a procedure deciding the equivalence of constraint systems, introduced by Baudet [8], for the special case of verifying the existence of guessing attacks. Baudet’s procedure allows arbi... |

19 | Automating security analysis: symbolic equivalence of constraint systems. - Cheval, Comon-Lundh, et al. - 2010 |

19 | Automatic verification of privacy properties in the applied pi-calculus
- Delaune, Ryan, et al.
- 2008
Citation Context ...efore, we proved the relation ≈ft. To our knowledge, no other tool can handle this automatically. We are aware of two other attempts for verifying the FOO protocol. Using ProVerif [11], Delaune et al. =-=[28]-=-, verify a transformation of the protocol. However, the soundness of this transformation has never been proven. Chothia et al. [20] verify a differ... |

19 | On the unification problem for Cartesian closed categories
- Narendran, Pfenning, et al.
- 1993
Citation Context ... if for any finite sequence of terms a finite, complete set of variants exists. An algorithm for computing complete sets of variants which is correct whenever the rewrite system is optimally reducing =-=[37]-=- is presented in [21]. Optimally reducing rewrite systems include subterm convergent systems [1] (and hence the classical Dolev Yao theories for encryption, signatures and hash functions), as well as ... |

18 | Automatic testing equivalence verification of Spi calculus specifications
- Durante, Sisto, et al.
- 2003
Citation Context ...esigned a new procedure and a prototype tool to decide the equivalence of constraint systems, but only for a fixed set of primitives. Tools have also been implemented for checking testing equivalence =-=[30]-=-, open bisimulation [39] and trace equivalence [18] for a bounded number of sessions but again only for a limited set of primitives. One may note that [18] is the only decision procedure to consider n... |

18 | Deciding framed bisimilarity
- Huttel
- 2002
Citation Context ... [4] and the applied-pi calculus [2]. While we have good tools for automated verification of trace properties, the situation is different for indistinguishability properties. State-of-the-Art. Hüttel =-=[34]-=- showed undecidability of observational equivalence in the spi calculus, even for the finite control fragment, as well as decidability for the finite, i.e., replication-free, fragment of the spi calcu... |

17 | Automating open bisimulation checking for the spi calculus
- Tiu, Dawson
- 2010
Citation Context ...onclude for the e-passport example in [5], albeit for a different reason: our procedure does not currently handle else branches in protocols. Symbolic bisimulations have also been devised for the spi =-=[14,13,39]-=- and applied pi calculus [27,35] to avoid unbounded branching due to adversary inputs. However, only [27,39] and [14] yield a decision procedure, again only approximating observational equivalence. Th... |

15 | A framework for automatically checking anonymity with µCRL
- Chothia, Orzan, et al.
- 2006
Citation Context ... for verifying the FOO protocol. Using ProVerif [11], Delaune et al. [28], verify a transformation of the protocol. However, the soundness of this transformation has never been proven. Chothia et al. =-=[20]-=- verify a different notion of anonymity (also based on process equivalence) using the µCRL tool. However, the attacker they consider is only an observer that cannot interact with the protocol particip... |

11 | Formal Analysis of Privacy for Vehicular Mix-Zones. In
- Dahl, Delaune, et al.
- 2010
Citation Context ...g flavors of confidentiality [11]; resistance to guessing attacks in password based protocols [8]; and anonymity properties in private authentication [3], electronic voting [26,7], vehicular networks =-=[24]-=- and RFID protools [5,15]. More generally, indistinguishability allows to model security by the means of ideal systems, which are correct by construction [4,25]. Indistinguishability properties of cry... |

11 | Deciding H1 by resolution
- Goubault-Larrecq
- 2005
Citation Context ... to the constraint-solving techniques employed in [39,17,18,8,19] for verifying underapproximations of observational equivalence. Techniques based on Horn clauses have been extensively used, e.g., in =-=[10,40,33]-=-, for an unbounded number of sessions. Of these tools, only ProVerif [10,12] can verify an equivalence property, which is an under-approximation of observational equivalence. Horn clause modeling of a... |

8 | Simulation based security in the applied pi calculus
- Delaune, Kremer, et al.
- 2009
Citation Context ...ctronic voting [26,7], vehicular networks [24] and RFID protools [5,15]. More generally, indistinguishability allows to model security by the means of ideal systems, which are correct by construction =-=[4,25]-=-. Indistinguishability properties of cryptographic protocols are naturally modeled by the means of observational and testing equivalences in cryptographic extensions of process calculi, e.g., the spi ... |

7 | A complete symbolic bisimulation for full applied pi calculus.
- Liu, Lin
- 2010
Citation Context ...in [5], albeit for a different reason: our procedure does not currently handle else branches in protocols. Symbolic bisimulations have also been devised for the spi [14,13,39] and applied pi calculus =-=[27,35]-=- to avoid unbounded branching due to adversary inputs. However, only [27,39] and [14] yield a decision procedure, again only approximating observational equivalence. The results of [27] have been furt... |

6 | Decidability of equivalence of symbolic derivations
- Chevalier, Rusinowitch
Citation Context ...ure allows arbitrary cryptographic primitives that can be modeled as a subterm convergent rewrite systems [1]. An alternate procedure achieving the same goal was proposed by Chevalier and Rusinowitch =-=[19]-=-. However, both procedures are highly non-deterministic and do not yield a reasonable algorithm that could be implemented. Therefore, Cheval et al. [17] have designed a new procedure and a prototype t... |

5 | Equivalences and Calculi for Formal Verification of Cryptographic Protocols
- Borgström
- 2008
Citation Context ...onclude for the e-passport example in [5], albeit for a different reason: our procedure does not currently handle else branches in protocols. Symbolic bisimulations have also been devised for the spi =-=[14,13,39]-=- and applied pi calculus [27,35] to avoid unbounded branching due to adversary inputs. However, only [27,39] and [14] yield a decision procedure, again only approximating observational equivalence. Th... |

3 | A framework for automatically checking anonymity with µCRL
- Chothia, Orzan, et al.
- 2007
Citation Context ... Delaune et al. [28], verify a transformation of the protocol. However, the soundness of this transformation has never been proven. Chothia et al. =-=[20]-=- verify a different notion of anonymity (also based on process equivalence) using the μCRL tool. However, the attacker they consider is only an observer that cannot interact with the protocol particip... |

3 | Computing finite variants for subterm convergent rewrite systems
- Ciobâcă
- 2011
Citation Context ...quence of terms a finite, complete set of variants exists. An algorithm for computing complete sets of variants which is correct whenever the rewrite system is optimally reducing [37] is presented in =-=[21]-=-. Optimally reducing rewrite systems include subterm convergent systems [1] (and hence the classical Dolev Yao theories for encryption, signatures and hash functions), as well as a theory for modeling... |

2 | Analysing unlinkability and anonymity using the applied pi calculus
- Bruso, Chatzikokolakis, et al.
- 2010
Citation Context ...ality [11]; resistance to guessing attacks in password based protocols [8]; and anonymity properties in private authentication [3], electronic voting [26,7], vehicular networks [24] and RFID protools =-=[5,15]-=-. More generally, indistinguishability allows to model security by the means of ideal systems, which are correct by construction [4,25]. Indistinguishability properties of cryptographic protocols are ... |