A Type System for Privacy Properties (Technical Report)

Mature push-button tools now exist for checking trace properties (e.g. secrecy or authentication) of security protocols. Indistinguishability-based privacy properties (e.g. ballot privacy or anonymity) are harder to verify and remain an active research topic, with several techniques and tools proposed recently. We explore a novel approach based on type systems and provide a sound type system for proving equivalence of protocols, for either a bounded or an unbounded number of sessions. The resulting prototype implementation has been tested on various protocols from the literature. It is orders of magnitude faster than tools for a bounded number of sessions and complements, in terms of expressiveness, other state-of-the-art tools such as ProVerif and Tamarin: for instance, we show that our analysis technique is the first to handle a faithful encoding of the Helios e-voting protocol in the context of an untrusted ballot box.
