Typing Messages for Free in Security Protocols: The Case of Equivalence Properties
Authors
Abstract
Privacy properties such as untraceability, vote secrecy, or anonymity are typically expressed as behavioural equivalence in a process algebra that models security protocols. In this paper, we study how to decide one particular relation, namely trace equivalence, for an unbounded number of sessions.

Our first main contribution is to reduce the search space for attacks. Specifically, we show that if there is an attack then there is one that is well-typed. Our result holds for a large class of typing systems and a large class of determinate security protocols. Assuming finitely many nonces and keys, we can derive from this result that trace equivalence is decidable for an unbounded number of sessions for a class of tagged protocols, yielding one of the first decidability results for the unbounded case. As an intermediate result, we also provide a novel decision procedure in the case of a bounded number of sessions.

Key-words: formal methods, cryptographic protocols, trace equivalence

∗ The research leading to these results has received funding from the European Research Council under the European Union's Seventh Framework Programme (FP7/2007-2013) / ERC grant agreement n° 258865, project ProSecure, and the ANR project JCJC VIP no 11 JS02 006 01.
† LSV, CNRS & ENS Cachan
‡ LORIA, CNRS & INRIA project Cassis

Typing messages for free in security protocols: the case of equivalence properties

Abstract (French version, translated): Privacy-related properties such as vote anonymity, strong secrecy, or untraceability are expressed using observational equivalences from a process algebra that models security protocols. In this paper, we study how to decide one particular equivalence relation, called trace equivalence, for an unbounded number of sessions.

Our first contribution is to reduce the search space. More precisely, we show that if an attack exists then there is a well-typed one. Our result applies to many typing systems and to a large class of deterministic protocols. Then, assuming a bounded number of nonces and keys, we show that trace equivalence is decidable for an unbounded number of sessions for a class of so-called tagged protocols, thereby obtaining one of the first decidability results for the unbounded case. Along the way, we also provide a new decision procedure for the case of a bounded number of sessions.

Keywords: formal methods, cryptographic protocols, trace equivalence
Similar resources
Process algebraic modeling of authentication protocols for analysis of parallel multi-session executions
Many security protocols have the aim of authenticating one agent acting as initiator to another agent acting as responder and vice versa. Sometimes, the authentication fails because of executing several parallel sessions of a protocol, and because an agent may play both the initiator and responder role in parallel sessions. We take advantage of the notion of transition systems to specify authen...
Automated Analysis of Equivalence Properties for Security Protocols Using Else Branches
In this paper we present an extension of the AKISS protocol verification tool which allows to verify equivalence properties for protocols with else branches, i.e., disequality tests. While many protocols are represented as linear sequences or inputs, outputs and equality tests, the reality is often more complex. When verifying equivalence properties one needs to model precisely the error messag...
A short introduction to two approaches in formal verification of security protocols: model checking and theorem proving
In this paper, we shortly review two formal approaches in verification of security protocols; model checking and theorem proving. Model checking is based on studying the behavior of protocols via generating all different behaviors of a protocol and checking whether the desired goals are satisfied in all instances or not. We investigate Scyther operational semantics as an example of this...
Reverse Engineering of Network Software Binary Codes for Identification of Syntax and Semantics of Protocol Messages
Reverse engineering of network applications especially from the security point of view is of high importance and interest. Many network applications use proprietary protocols whose specifications are not publicly available. Reverse engineering of such applications could provide us with vital information to understand their embedded unknown protocols. This could facilitate many tasks including d...
Lengths May Break Privacy - Or How to Check for Equivalences with Length
Security protocols have been successfully analyzed using symbolic models, where messages are represented by terms and protocols by processes. Privacy properties like anonymity or untraceability are typically expressed as equivalence between processes. While some decision procedures have been proposed for automatically deciding process equivalence, all existing approaches abstract away the infor...