How to prove security of communication protocols? A discussion on the soundness of formal models w.r.t. computational ones

Security protocols are short programs that aim at securing communication over a public network. Their design is known to be error-prone with flaws found years later. That is why they deserve a careful security analysis, with rigorous proofs. Two main lines of research have been (independently) developed to analyse the security of protocols. On the one hand, formal methods provide with symbolic models and often automatic proofs. On the other hand, cryptographic models propose a tighter modeling but proofs are more difficult to write and to check. An approach developed during the last decade consists in bridging the two approaches, showing that symbolic models are \emph{sound} w.r.t. symbolic ones, yielding strong security guarantees using automatic tools. These results have been developed for several cryptographic primitives (e.g. symmetric and asymmetric encryption, signatures, hash) and security properties. While proving soundness of symbolic models is a very promising approach, several technical details are often not satisfactory. Focusing on symmetric encryption, we describe the difficulties and limitations of the available results.

[1]  Bogdan Warinschi A computational analysis of the Needham-Schroeder-(Lowe) protocol , 2005 .

[2]  Alessandro Armando,et al.  Formal analysis of SAML 2.0 web browser single sign-on: breaking the SAML-based single sign-on for google apps , 2008, FMSE '08.

[3]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[4]  Martín Abadi,et al.  Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption)* , 2001, Journal of Cryptology.

[5]  Michael Backes,et al.  CoSP: a general framework for computational soundness proofs , 2009, CCS.

[6]  Yannick Chevalier,et al.  Deciding the Security of Protocols with Diffie-Hellman Exponentiation and Products in Exponents , 2003, FSTTCS.

[7]  Ralf Küsters,et al.  On the Automatic Analysis of Recursive Security Protocols with XOR , 2007, STACS.

[8]  Martín Abadi,et al.  Mobile values, new names, and secure communication , 2001, POPL '01.

[9]  Bogdan Warinschi,et al.  Completeness Theorems for the Abadi-Rogaway Language of Encrypted Expressions , 2004, J. Comput. Secur..

[10]  Ralf Küsters,et al.  Joint State Theorems for Public-Key Encryption and Digital Signature Functionalities with Local Computation , 2008, 2008 21st IEEE Computer Security Foundations Symposium.

[11]  P. Cogn,et al.  A Computationally Sound Mechanized Prover for Security Protocols , 2009 .

[12]  Martín Abadi,et al.  Deciding knowledge in security protocols under equational theories , 2006, Theor. Comput. Sci..

[13]  Bruno Blanchet,et al.  Models and Proofs of Protocol Security: A Progress Report , 2009, CAV.

[14]  Bogdan Warinschi,et al.  A computational analysis of the Needham-Schroeder-(Lowe) protocol , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[15]  John C. Mitchell,et al.  Undecidability of bounded security protocols , 1999 .

[16]  Bogdan Warinschi,et al.  On the Minimal Assumptions of Group Signature Schemes , 2004, ICICS.

[17]  Yannick Chevalier,et al.  An NP decision procedure for protocol insecurity with XOR , 2005, Theor. Comput. Sci..

[18]  Koji Hasebe,et al.  Secrecy-Oriented First-Order Logical Analysis of Cryptographic Protocols , 2010, IACR Cryptol. ePrint Arch..

[19]  Ran Canetti,et al.  Universally Composable Commitments , 2001, CRYPTO.

[20]  Martín Abadi,et al.  A calculus for cryptographic protocols: the spi calculus , 1997, CCS '97.

[21]  Véronique Cortier,et al.  Computationally Sound, Automated Proofs for Security Protocols , 2005, ESOP.

[22]  Danny Dolev,et al.  On the security of public key protocols , 1981, 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981).

[23]  Vitaly Shmatikov,et al.  Intruder deductions, constraint solving and insecurity decision in presence of exclusive or , 2003, 18th Annual IEEE Symposium of Logic in Computer Science, 2003. Proceedings..

[24]  Gavin Lowe,et al.  Breaking and Fixing the Needham-Schroeder Public-Key Protocol Using FDR , 1996, Softw. Concepts Tools.

[25]  Yehuda Lindell General Composition and Universal Composability in Secure Multiparty Computation , 2008, Journal of Cryptology.

[26]  Véronique Cortier,et al.  Computational soundness of observational equivalence , 2008, CCS.

[27]  Ralf Küsters,et al.  Computational soundness for key exchange protocols with symmetric encryption , 2009, CCS.

[28]  Birgit Pfitzmann,et al.  Limits of the Cryptographic Realization of Dolev-Yao-Style XOR , 2005, ESORICS.

[29]  Birgit Pfitzmann,et al.  The reactive simulatability (RSIM) framework for asynchronous systems , 2007, Inf. Comput..

[30]  Martín Abadi,et al.  Reconciling Two Views of Cryptography (The Computational Soundness of Formal Encryption)* , 2000, Journal of Cryptology.

[31]  Véronique Cortier,et al.  Computationally Sound Symbolic Secrecy in the Presence of Hash Functions , 2006, FSTTCS.

[32]  Birgit Pfitzmann,et al.  Relating symbolic and cryptographic secrecy , 2005, IEEE Transactions on Dependable and Secure Computing.

[33]  Sebastian Mödersheim,et al.  The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications , 2005, CAV.

[34]  Flavio D. Garcia,et al.  Computational Soundness of Non-Malleable Commitments , 2008, ISPEC.

[35]  Ralf Küsters,et al.  On Simulatability Soundness and Mapping Soundness of Symbolic Cryptography , 2007, FSTTCS.

[36]  Birgit Pfitzmann,et al.  Symmetric encryption in a simulatable Dolev-Yao style cryptographic library , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[37]  Michaël Rusinowitch,et al.  Protocol insecurity with finite number of sessions is NP-complete , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[38]  Martín Abadi,et al.  A logic of authentication , 1990, TOCS.

[39]  Véronique Cortier,et al.  Deciding security properties for cryptographic protocols. application to key cycles , 2007, TOCL.

[40]  Yassine Lakhnech,et al.  Completing the Picture: Soundness of Formal Encryption in the Presence of Active Adversaries , 2005, ESOP.

[41]  Bogdan Warinschi,et al.  Soundness of Formal Encryption in the Presence of Active Adversaries , 2004, TCC.

[42]  Bruno Blanchet,et al.  An efficient cryptographic protocol verifier based on prolog rules , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[43]  Véronique Cortier,et al.  A Survey of Symbolic Methods in Computational Analysis of Cryptographic Systems , 2011, Journal of Automated Reasoning.

[44]  Mark Ryan,et al.  Coercion-resistance and receipt-freeness in electronic voting , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).