[go: up one dir, main page]
More Web Proxy on the site http://driver.im/ skip to main content
research-article
Public Access

Automated Verification of Equivalence Properties of Cryptographic Protocols

Published: 20 September 2016 Publication History

Abstract

Indistinguishability properties are essential in formal verification of cryptographic protocols. They are needed to model anonymity properties, strong versions of confidentiality, and resistance against offline guessing attacks. Indistinguishability properties can be conveniently modeled as equivalence properties. We present a novel procedure to verify equivalence properties for a bounded number of sessions of cryptographic protocols. As in the applied pi calculus, our protocol specification language is parametrized by a first-order sorted term signature and an equational theory that allows formalization of algebraic properties of cryptographic primitives. Our procedure is able to verify trace equivalence for determinate cryptographic protocols. On determinate protocols, trace equivalence coincides with observational equivalence, which can therefore be automatically verified for such processes. When protocols are not determinate, our procedure can be used for both under- and over-approximations of trace equivalence, which proved successful on examples. The procedure can handle a large set of cryptographic primitives, namely those whose equational theory is generated by an optimally reducing convergent rewrite system. The procedure is based on a fully abstract modelling of the traces of a bounded number of sessions of the protocols into first-order Horn clauses on which a dedicated resolution procedure is used to decide equivalence properties. We have shown that our procedure terminates for the class of subterm convergent equational theories. Moreover, the procedure has been implemented in a prototype tool Active Knowledge in Security Protocols and has been effectively tested on examples. Some of the examples were outside the scope of existing tools, including checking anonymity of an electronic voting protocol due to Okamoto.

Supplementary Material

a23-chadha-apndx.pdf (chadha.zip)
Supplemental movie, appendix, image and software files for, Automated Verification of Equivalence Properties of Cryptographic Protocols

References

[1]
2015. French expats vote online in 2012 legislative elections. (2015). http://www.parliament.uk/documents/speaker/digital-democracy/FR_Successcase.pdf.
[2]
2015. Statistics about Internet Voting in Estonia. (2015). http://www.vvk.ee/voting-methods-in-estonia/engindex/statistics.
[3]
Martín Abadi and Véronique Cortier. 2006. Deciding knowledge in security protocols under equational theories. Theor. Comput. Sci. 387, 1--2 (November 2006), 2--32.
[4]
Martín Abadi and Cédric Fournet. 2001. Mobile values, new names, and secure communication. In Proc. 28th ACM Symposium on Principles of Programming Languages (POPL’01), Hanne Riis Nielson (Ed.). ACM, London, UK, 104--115.
[5]
Martín Abadi and Cédric Fournet. 2004. Private authentication. Theor. Comput. Sci. 322, 3 (2004), 427--476.
[6]
Martín Abadi and Andrew D. Gordon. 1999. A calculus for cryptographic protocols: The spi calculus. Inf. Comput. 148, 1 (1999), 1--70.
[7]
Reynald Affeldt and Hubert Comon-Lundh. 2009. Verification of security protocols with a bounded number of sessions based on resolution for rigid variables. In Formal to Practical Security. LNCS, State-of-the-Art Survey, Vol. 5458. Springer, 1--20.
[8]
Siva Anantharaman, Paliath Narendran, and Michaël Rusinowitch. 2007. Intruders with caps. In Proc. 18th International Conference on Term Rewriting and Applications (RTA’07) (LNCS), Vol. 4533. Springer, 20--35.
[9]
Myrto Arapinis, Tom Chothia, Eike Ritter, and Mark D. Ryan. 2010. Analysing unlinkability and anonymity using the applied pi calculus. In Proc. 23rd Computer Security Foundations Symposium (CSF’10). IEEE Comp. Soc. Press, 107--121.
[10]
Myrto Arapinis, Véronique Cortier, Steve Kremer, and Mark D. Ryan. 2013. Practical everlasting privacy. In Proc. 2nd Conference on Principles of Security and Trust (POST’13) (Lecture Notes in Computer Science), Vol. 7796. Springer, 21--40.
[11]
Alessandro Armando, David A. Basin, Yohan Boichut, Yannick Chevalier, Luca Compagna, Jorge Cuéllar, Paul Hankes Drielsma, Pierre-Cyrille Héam, Olga Kouchnarenko, Jacopo Mantovani, Sebastian Mödersheim, David von Oheimb, Michaël Rusinowitch, Judson Santiago, Mathieu Turuani, Luca Viganò, and Laurent Vigneron. 2005. The AVISPA tool for the automated validation of internet security protocols and applications. In Proc. 17th International Conference on Computer Aided Verification (CAV’05) (Lecture Notes in Computer Science). Springer, 281--285.
[12]
Mathilde Arnaud, Véronique Cortier, and Stéphanie Delaune. 2007. Combining algorithms for deciding knowledge in security protocols. In Proc. 6th International Symposium on Frontiers of Combining Systems (FroCoS’07) (Lecture Notes in Artificial Intelligence), Vol. 4720. Springer, 103--117.
[13]
Franz Baader and Tobias Nipkow. 1998. Term Rewriting and All That. Cambridge University Press.
[14]
Franz Baader and Wayne Snyder. 2001. Unification theory. In Handbook of Automated Reasoning, Volume I, Chapter 8. Elsevier Science, 445--532.
[15]
Michael Backes, Catalin Hritcu, and Matteo Maffei. 2008. Automated verification of remote electronic voting protocols in the applied pi-calculus. In Proc. 21st IEEE Computer Security Foundations Symposium (CSF’08). 195--209.
[16]
Mathieu Baudet. 2005. Deciding security of protocols against off-line guessing attacks. In 12th ACM Conference on Computer and Communications Security (CCS’05). ACM Press, Alexandria, Virginia, USA, 16--25.
[17]
Mathieu Baudet, Véronique Cortier, and Stéphanie Delaune. 2009. YAPA: A generic tool for computing intruder knowledge. In Proc. 20th International Conference on Rewriting Techniques and Applications (RTA’09) (Lecture Notes in Computer Science), Vol. 5595. Springer, 148--163.
[18]
Steven M. Bellovin and Michael Merritt. 1992. Encrypted key exchange: Password-based protocols secure against dictionary attacks. In Symposium on Security and Privacy (S&P’’92). IEEE Comp. Soc., Washington, DC, USA, 72--84.
[19]
Bruno Blanchet. 2001. An efficient cryptographic protocol verifier based on prolog rules. In 14th Computer Security Foundations Workshop (CSFW’01). IEEE Comp. Soc. Press, Cape Breton, Nova Scotia, Canada, 82--96.
[20]
Bruno Blanchet. 2004. Automatic proof of strong secrecy for security protocols. In Symposium on Security and Privacy (S&P’’04). 86--100.
[21]
Bruno Blanchet, Martín Abadi, and Cédric Fournet. 2005. Automated verification of selected equivalences for security protocols. In Symposium on Logic in Computer Science. IEEE Comp. Soc. Press, Chicago, IL, 331--340.
[22]
Johannes Borgström. 2008. Equivalences and Calculi for Formal Verifiation of Cryptographic Protocols. PhD thesis. EPFL, Switzerland.
[23]
Johannes Borgström, Sébastien Briais, and Uwe Nestmann. 2004. Symbolic bisimulation in the spi calculus. In Proc. 15th Int. Conference on Concurrency Theory (LNCS), Vol. 3170. Springer, 161--176.
[24]
Mayla Bruso, Konstantinos Chatzikokolakis, and Jerry den Hartog. 2010. Analysing unlinkability and anonymity using the applied pi calculus. In Proc. 23rd Computer Security Foundations Symposium (CSF’10). IEEE Comp. Soc. Press, 107--121.
[25]
Rohit Chadha, Ştefan Ciobâcă, and Steve Kremer. 2012. Automated verification of equivalence properties of cryptographic protocols. In 21st European Symposium on Programming, ESOP 2012 (Lecture Notes in Computer Science), Helmut Seidl (Ed.), Vol. 7211. Springer, 108--127.
[26]
Vincent Cheval and Bruno Blanchet. 2013. Proving more observational equivalences with proverif. In Principles of Security and Trust—Second International Conference, POST. 226--246.
[27]
Vincent Cheval, Hubert Comon-Lundh, and Stephanie Delaune. 2010. Automating security analysis: Symbolic equivalence of constraint systems. In Proc. International Joint Conference on Automated Reasoning (IJCAR’10) (Lecture Notes in Artificial Intelligence). Springer, 412--426.
[28]
Vincent Cheval, Hubert Comon-Lundh, and Stéphanie Delaune. 2011. Trace equivalence decision: Negative tests and non-determinism. In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS’11). ACM Press, Chicago, Illinois, USA, 321--330.
[29]
Yannick Chevalier and Michaël Rusinowitch. 2010. Decidability of equivalence of symbolic derivations. Journal of Automated Reasoning 48, 2 (2010), 263--292.
[30]
Andrew Cholewa, José Meseguer, and Santiago Escobar. 2014. Variants of Variants and the Finite Variant Property. Research report. University of Illinois at Urbana-Champaign. 13 pages. http://hdl.handle.net/2142/47117.
[31]
Tom Chothia, Simona Orzan, Jun Pang, and Muhammad Torabi Dashti. 2007. A framework for automatically checking anonymity with mu CRL. In 2nd Symposium on Trustworthy Global Computing (TGC’06) (Lecture Notes in Computer Science), Vol. 4661. Springer, 301--318.
[32]
Ştefan Ciobâcă. 2011. Computing finite variants for subterm convergent rewrite systems. Research Report LSV-11-06. Laboratoire Spécification et Vérification, ENS Cachan, France. 16 pages. http://www.lsv.ens-cachan.fr/Publis/RAPPORTS_LSV/PDF/rr-lsv-2011-06.pdf.
[33]
Ştefan Ciobâcă, Stéphanie Delaune, and Steve Kremer. 2009. Computing knowledge in security protocols under convergent equational theories. In Proc. 22nd International Conference on Automated Deduction (CADE’09) (Lecture Notes in Artificial Intelligence), Renate Schmidt (Ed.). Springer, Montreal, Canada, 355--370.
[34]
Ştefan Ciobâcă, Stéphanie Delaune, and Steve Kremer. 2011. Computing knowledge in security protocols under convergent equational theories. J. Automat. Reason. 48, 2 (2011), 219--262.
[35]
Hubert Comon-Lundh and Stéphanie Delaune. 2005. The finite variant property: How to get rid of some algebraic properties. In Proceedings of the 16th International Conference on Rewriting Techniques and Applications (RTA’05) (Lecture Notes in Computer Science), Vol. 3467. Springer, 294--307.
[36]
Véronique Cortier and Stéphanie Delaune. 2007. Deciding knowledge in security protocols for monoidal equational theories. In Proc. 14th Int. Conference on Logic for Programming, Artificial Intelligence, and Reasoning (LPAR’07) (LNAI), Vol. 4790. Springer, Yerevan, Armenia, 196--210. http://www.loria.fr/∼cortier/Papiers/LPAR07.pdf.
[37]
Véronique Cortier and Stéphanie Delaune. 2009. A method for proving observational equivalence. In Proc. 22nd IEEE Computer Security Foundations Symposium (CSF’09). IEEE Computer Society Press, Port Jefferson, NY, 266--276.
[38]
Cas J. F. Cremers. 2008. The scyther tool: Verification, falsification, and analysis of security protocols. In Proc. 20th International Conference on Computer Aided Verification (CAV’08) (Lecture Notes in Computer Science), Vol. 5123. Springer, 414--418.
[39]
Morten Dahl, Stéphanie Delaune, and Graham Steel. 2010. Formal analysis of privacy for vehicular mix-zones. In Proc. 15th European Symposium on Research in Computer Security (ESORICS’10) (Lecture Notes in Computer Science), Vol. 6345. Springer, 55--70.
[40]
Morten Dahl, Stéphanie Delaune, and Graham Steel. 2011. Formal analysis of privacy for anonymous location based services. In Proc. Workshop on Theory of Security and Applications (TOSCA’11). pp 98--112. To appear.
[41]
Stéphanie Delaune, Steve Kremer, and Olivier Pereira. 2009a. Simulation based security in the applied pi calculus. In Proceedings of the 29th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS’09) (Leibniz International Proceedings in Informatics), Ravi Kannan and K. Narayan Kumar (Eds.), Vol. 4. Leibniz-Zentrum für Informatik, Kanpur, India, 169--180.
[42]
Stéphanie Delaune, Steve Kremer, and Mark D. Ryan. 2009b. Verifying privacy-type properties of electronic voting protocols. J. Comput. Sec. 17, 4 (July 2009), 435--487.
[43]
Stéphanie Delaune, Steve Kremer, and Mark D. Ryan. 2010. Symbolic bisimulation for the applied pi calculus. J. Comput. Sec. 18, 2 (2010), 317--377. http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DKR-jcs09.pdf.
[44]
Stéphanie Delaune, Mark D. Ryan, and Ben Smyth. 2008. Automatic verification of privacy properties in the applied pi-calculus. In Proceedings of the 2nd Joint iTrust and PST Conferences on Privacy, Trust Management and Security (IFIPTM’08) (IFIP Conference Proceedings), Yuecel Karabulut, John Mitchell, Peter Herrmann, and Christian Damsgaard Jensen (Eds.), Vol. 263. Springer, Trondheim, Norway, 263--278. http://www.lsv.ens-cachan.fr/Publis/PAPERS/PDF/DRS-ifiptm08.pdf.
[45]
Danny Dolev and Andrew Chi-Chih Yao. 1981. On the security of public key protocols. In Proc. of the 22nd Symp. on Foundations of Computer Science. IEEE Comp. Soc. Press, 350--357.
[46]
Luca Durante, Riccardo Sisto, and Adriano Valenzano. 2003. Automatic testing equivalence verification of spi calculus specifications. ACM Trans. Softw. Eng. Method. 12, 2 (2003), 222--284.
[47]
Santiago Escobar, Catherine Meadows, and José Meseguer. 2009. Maude-NPA: Cryptographic protocol analysis modulo equational properties. In Foundations of Security Analysis and Design V (Lecture Notes in Computer Science), Vol. 5705. Springer, 1--50.
[48]
Santiago Escobar, Ralf Sasse, and José Meseguer. 2012. Folding variant narrowing and optimal variant termination. J. Logic Algebr. Program. 81, 7--8 (2012), 898--928.
[49]
Atsushi Fujioka, Tatsuaki Okamoto, and Kazui Ohta. 1992. A practical secret voting scheme for large scale elections. In Advances in Cryptology—AUSCRYPT’92 (Lecture Notes in Computer Science), Vol. 718. Springer, 244--251.
[50]
Jean Goubault-Larrecq. 2005. Deciding H1 by Resolution. Inform. Process. Lett. 95, 3 (Aug. 2005), 401--408.
[51]
J. Alex Halderman and Vanessa Teague. 2015. The new south wales ivote system: Security failures and verification flaws in a live online election. CoRR abs/1504.05646 (2015). http://arxiv.org/abs/1504.05646
[52]
Hans Hüttel. 2002. Deciding framed bisimilarity. In Proc. 4th International Workshop on Verification of Infinite-State Systems (INFINITY’02). 1--20.
[53]
Steve Kremer and Mark D. Ryan. 2005. Analysis of an electronic voting protocol in the applied pi-calculus. In 14th European Symposium on Programming (ESOP’05) (LNCS), Mooly Sagiv (Ed.), Vol. 3444. Springer, Edinburgh, U.K., 186--200.
[54]
Jia Liu and Huimin Lin. 2010. A complete symbolic bisimulation for full applied pi calculus. In Proc. 36th Conference on Current Trends in Theory and Practice of Computer Science (SOFSEM’10) (Lecture Notes in Computer Science), Vol. 5901. Springer, 552--563.
[55]
Gavin Lowe. 1996. Breaking and fixing the needham-schroeder public-key protocol using FDR. In Tools and Algorithms for the Construction and Analysis of Systems (TACAS’96) (LNCS), T. Margaria and B. Steffen (Eds.), Vol. 1055. Springer-Verlag, 147--166.
[56]
Paliath Narendran, Frank Pfenning, and Richard Statman. 1997. On the unification problem for cartesian closed categories. J. Symb. Log. 62, 2 (1997), 636--647.
[57]
Tatsuaki Okamoto. 1997. Receipt-free electronic voting schemes for large scale elections. In Proc. 5th Int. Security Protocols Workshop (Lecture Notes in Computer Science), Vol. 1361. Springer, Paris, France, 25--35.
[58]
Sonia Santiago, Santiago Escobar, Catherine Meadows, and José Meseguer. 2014. A formal definition of protocol indistinguishability and its verification using maude-NPA. In Proc. 10th International Workshop on Security and Trust Management (STM’14) (Lecture Notes in Computer Science), Vol. 8743. Springer, 162--177.
[59]
Alwen Tiu and Jeremy Dawson. 2010. Automating open bisimulation checking for the spi-calculus. In Proc. 23rd Computer Security Foundations Symposium (CSF’10). IEEE Comp. Soc. Press, 307--321.
[60]
Christoph Weidenbach. 1999. Towards an automatic analysis of security protocols in first-order logic. In Proc. 16th International Conference on Automated Deduction (CADE’99) (Lecture Notes in Computer Science), Vol. 1632. Springer, 314--328.

Cited By

View all
  • (2024)Decision and Complexity of Dolev-Yao HyperpropertiesProceedings of the ACM on Programming Languages10.1145/36329068:POPL(1913-1944)Online publication date: 5-Jan-2024
  • (2024)A Decision Procedure for Alpha-Beta Privacy for a Bounded Number of Transitions2024 IEEE 37th Computer Security Foundations Symposium (CSF)10.1109/CSF61375.2024.00011(17-32)Online publication date: 8-Jul-2024
  • (2024)Deciding Knowledge Problems Modulo Classes of Permutative TheoriesLogic-Based Program Synthesis and Transformation10.1007/978-3-031-71294-4_3(47-63)Online publication date: 7-Sep-2024
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Transactions on Computational Logic
ACM Transactions on Computational Logic  Volume 17, Issue 4
November 2016
292 pages
ISSN:1529-3785
EISSN:1557-945X
DOI:10.1145/2996393
  • Editor:
  • Orna Kupferman
Issue’s Table of Contents
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 20 September 2016
Accepted: 01 April 2016
Revised: 01 April 2016
Received: 01 March 2015
Published in TOCL Volume 17, Issue 4

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. Applied pi calculus
  2. automated verification
  3. process equivalence
  4. security protocols

Qualifiers

  • Research-article
  • Research
  • Refereed

Funding Sources

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)91
  • Downloads (Last 6 weeks)9
Reflects downloads up to 12 Dec 2024

Other Metrics

Citations

Cited By

View all
  • (2024)Decision and Complexity of Dolev-Yao HyperpropertiesProceedings of the ACM on Programming Languages10.1145/36329068:POPL(1913-1944)Online publication date: 5-Jan-2024
  • (2024)A Decision Procedure for Alpha-Beta Privacy for a Bounded Number of Transitions2024 IEEE 37th Computer Security Foundations Symposium (CSF)10.1109/CSF61375.2024.00011(17-32)Online publication date: 8-Jul-2024
  • (2024)Deciding Knowledge Problems Modulo Classes of Permutative TheoriesLogic-Based Program Synthesis and Transformation10.1007/978-3-031-71294-4_3(47-63)Online publication date: 7-Sep-2024
  • (2023)Automatic verification of transparency protocols2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P)10.1109/EuroSP57164.2023.00016(107-121)Online publication date: Jul-2023
  • (2023)When privacy fails, a formula describes an attackTheoretical Computer Science10.1016/j.tcs.2023.113842959:COnline publication date: 30-May-2023
  • (2023)An efficient canonical narrowing implementation with irreducibility and SMT constraints for generic symbolic protocol analysisJournal of Logical and Algebraic Methods in Programming10.1016/j.jlamp.2023.100895135(100895)Online publication date: Oct-2023
  • (2022)Automated Verification of Star-Vote in the Applied Pi CalculusVFAST Transactions on Software Engineering10.21015/vtse.v10i4.121810:4(175-180)Online publication date: 31-Dec-2022
  • (2022)A Framework for Formal Analysis of Anonymous Communication ProtocolsSecurity and Communication Networks10.1155/2022/46599512022Online publication date: 1-Jan-2022
  • (2022)Research on semantics and algorithm of formal analysis tool Scyther2022 IEEE 4th International Conference on Civil Aviation Safety and Information Technology (ICCASIT)10.1109/ICCASIT55263.2022.9987170(1058-1074)Online publication date: 12-Oct-2022
  • (2022)Cracking the Stateful Nut: Computational Proofs of Stateful Security Protocols using the Squirrel Proof Assistant2022 IEEE 35th Computer Security Foundations Symposium (CSF)10.1109/CSF54842.2022.9919665(289-304)Online publication date: Aug-2022
  • Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Full Access

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media